diff --git a/.gitignore b/.gitignore
index 338cd4c..3f75c1a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/pki-core-10.5.9.tar.gz
+SOURCES/pki-core-10.5.16.tar.gz
diff --git a/.pki-core.metadata b/.pki-core.metadata
index 3f8ae0b..f4cf1b7 100644
--- a/.pki-core.metadata
+++ b/.pki-core.metadata
@@ -1 +1 @@
-0ff09fabe2616e54a0a6a71d7af7cc09679b2054 SOURCES/pki-core-10.5.9.tar.gz
+1430dcca4dd3be3df8029a0e4ea13ef84880c6a8 SOURCES/pki-core-10.5.16.tar.gz
diff --git a/SOURCES/pki-core-10.5.9-alpha.patch b/SOURCES/pki-core-10.5.9-alpha.patch
deleted file mode 100644
index f805723..0000000
--- a/SOURCES/pki-core-10.5.9-alpha.patch
+++ /dev/null
@@ -1,1535 +0,0 @@ -From 2d40c57887f7801f2ab0a8065b3b471bb7eafe80 Mon Sep 17 00:00:00 2001 -From: Christina Fu -Date: Tue, 19 Jun 2018 15:21:54 -0700 -Subject: [PATCH 1/7] Ticket 3037 CMC SharedToken SubjectDN default - -This patch adds proper subjectDN to CMC requests authenticated via ShardToken. -Specifically, the AuthTokenSubjectNameDefault profile default is added to -the default CMC profiles that authenticates via SharedToken. -Code were added to ensure that the proper subjectDN retrieved from the -mapped user entry is added to the AuthToken for such utilization. - -Fixes https://pagure.io/dogtagpki/issue/3037 - -Change-Id: Id92d9496ab5b41ea7b5dcffb8d73d3ffe8b29fbc ---- - .../ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg | 4 ++-- - base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg | 4 ++-- - .../netscape/certsrv/authentication/ISharedToken.java | 2 +- - .../com/netscape/cms/authentication/SharedSecret.java | 17 ++++++++++++++--- - .../com/netscape/cms/profile/common/EnrollProfile.java | 12 ++++++++++-- - .../cms/servlet/profile/ProfileSubmitCMCServlet.java | 1 + - 6 files changed, 30 insertions(+), 10 deletions(-) - -diff --git a/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg b/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg -index d0a3c25..144c05c 100644 ---- a/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg -+++ b/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg -@@ -13,8 +13,8 @@ policyset.cmcUserCertSet.list=1,2,3,4,5,6,7,8 - policyset.cmcUserCertSet.1.constraint.class_id=subjectNameConstraintImpl - policyset.cmcUserCertSet.1.constraint.name=Subject Name Constraint - policyset.cmcUserCertSet.1.constraint.params.accept=true --policyset.cmcUserCertSet.1.constraint.params.pattern=.* --policyset.cmcUserCertSet.1.default.class_id=userSubjectNameDefaultImpl -+policyset.cmcUserCertSet.1.constraint.params.pattern=(UID|CN)=.* -+policyset.cmcUserCertSet.1.default.class_id=authTokenSubjectNameDefaultImpl - 
policyset.cmcUserCertSet.1.default.name=Subject Name Default - policyset.cmcUserCertSet.1.default.params.name= - policyset.cmcUserCertSet.2.constraint.class_id=validityConstraintImpl -diff --git a/base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg b/base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg -index 6b2da33..bdcdc24 100644 ---- a/base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg -+++ b/base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg -@@ -12,9 +12,9 @@ policyset.list=cmcUserCertSet - policyset.cmcUserCertSet.list=1,2,3,4,5,6,7,8 - policyset.cmcUserCertSet.1.constraint.class_id=subjectNameConstraintImpl - policyset.cmcUserCertSet.1.constraint.name=Subject Name Constraint -+policyset.cmcUserCertSet.1.constraint.params.pattern=(UID|CN)=.* - policyset.cmcUserCertSet.1.constraint.params.accept=true --policyset.cmcUserCertSet.1.constraint.params.pattern=.* --policyset.cmcUserCertSet.1.default.class_id=userSubjectNameDefaultImpl -+policyset.cmcUserCertSet.1.default.class_id=authTokenSubjectNameDefaultImpl - policyset.cmcUserCertSet.1.default.name=Subject Name Default - policyset.cmcUserCertSet.1.default.params.name= - policyset.cmcUserCertSet.2.constraint.class_id=validityConstraintImpl -diff --git a/base/common/src/com/netscape/certsrv/authentication/ISharedToken.java b/base/common/src/com/netscape/certsrv/authentication/ISharedToken.java -index 761c344..13f2286 100644 ---- a/base/common/src/com/netscape/certsrv/authentication/ISharedToken.java -+++ b/base/common/src/com/netscape/certsrv/authentication/ISharedToken.java -@@ -28,7 +28,7 @@ import com.netscape.certsrv.base.EBaseException; - public interface ISharedToken { - - // support for id_cmc_identification -- public char[] getSharedToken(String identification) -+ public char[] getSharedToken(String identification, IAuthToken authToken) - throws EBaseException; - - public char[] getSharedToken(PKIData cmcData) -diff --git a/base/server/cms/src/com/netscape/cms/authentication/SharedSecret.java 
b/base/server/cms/src/com/netscape/cms/authentication/SharedSecret.java -index 1a3d877..e304b74 100644 ---- a/base/server/cms/src/com/netscape/cms/authentication/SharedSecret.java -+++ b/base/server/cms/src/com/netscape/cms/authentication/SharedSecret.java -@@ -33,6 +33,7 @@ import com.netscape.certsrv.apps.CMS; - import com.netscape.certsrv.authentication.AuthToken; - import com.netscape.certsrv.authentication.EInvalidCredentials; - import com.netscape.certsrv.authentication.IAuthCredentials; -+import com.netscape.certsrv.authentication.IAuthToken; - import com.netscape.certsrv.authentication.ISharedToken; - import com.netscape.certsrv.base.EBaseException; - import com.netscape.certsrv.base.IConfigStore; -@@ -233,18 +234,25 @@ public class SharedSecret extends DirBasedAuthentication - } - - /** -- * getSharedToken(String identification) provides -+ * getSharedToken(String identification, IAuthToken authToken) provides - * support for id_cmc_identification shared secret based enrollment - * -+ * @param identification maps to the uid in user's ldap record -+ * @param authToken the IAuthToken that will be filled with the DN -+ * in user's ldap record -+ * - * Note: caller should clear the memory for the returned token - * after each use - */ -- public char[] getSharedToken(String identification) -+ public char[] getSharedToken(String identification, IAuthToken authToken) - throws EBaseException { -- String method = "SharedSecret.getSharedToken(String identification): "; -+ String method = "SharedSecret.getSharedToken(String identification, IAuthToken authToken): "; - String msg = ""; - CMS.debug(method + "begins."); - -+ if ((identification == null) || (authToken == null)) { -+ throw new EBaseException(method + "paramsters identification or authToken cannot be null"); -+ } - LDAPConnection shrTokLdapConnection = null; - LDAPSearchResults res = null; - LDAPEntry entry = null; -@@ -287,6 +295,9 @@ public class SharedSecret extends DirBasedAuthentication - throw new 
EBaseException(msg); - } - -+ CMS.debug(method + "found user ldap entry: userdn = " + userdn); -+ authToken.set(AuthToken.TOKEN_CERT_SUBJECT, userdn); -+ - res = shrTokLdapConnection.search(userdn, LDAPv2.SCOPE_BASE, - "(objectclass=*)", new String[] { mShrTokAttr }, false); - if (res != null && res.hasMoreElements()) { -diff --git a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java -index caa466c..929e629 100644 ---- a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java -+++ b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java -@@ -1412,10 +1412,14 @@ public abstract class EnrollProfile extends BasicProfile - CMS.debug(method + " Failed to retrieve shared secret authentication plugin class"); - sharedSecretFound = false; - } -+ -+ IAuthToken authToken = (IAuthToken) -+ context.get(SessionContext.AUTH_TOKEN); -+ - ISharedToken tokenClass = (ISharedToken) sharedTokenAuth; - - if (ident_string != null) { -- sharedSecret = tokenClass.getSharedToken(ident_string); -+ sharedSecret = tokenClass.getSharedToken(ident_string, authToken); - } else { - sharedSecret = tokenClass.getSharedToken(mCMCData); - } -@@ -1709,12 +1713,16 @@ public abstract class EnrollProfile extends BasicProfile - signedAuditLogger.log(auditMessage); - return false; - } -+ -+ IAuthToken authToken = (IAuthToken) -+ sessionContext.get(SessionContext.AUTH_TOKEN); -+ - ISharedToken tokenClass = (ISharedToken) sharedTokenAuth; - - char[] token = null; - if (ident_string != null) { - auditAttemptedCred = ident_string; -- token = tokenClass.getSharedToken(ident_string); -+ token = tokenClass.getSharedToken(ident_string, authToken); - } else - token = tokenClass.getSharedToken(mCMCData); - -diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java -index 
7d75e31..f469a66 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java -@@ -446,6 +446,7 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { - // authentication success - if (authToken != null) { - auditSubjectID = authToken.getInString(IAuthToken.USER_ID); -+ context.put(SessionContext.AUTH_TOKEN, authToken); - } - } catch (EBaseException e) { - CMCOutputTemplate template = new CMCOutputTemplate(); --- -1.8.3.1 - - -From 2a228b4a8e1af920e577d007be87291831c635d5 Mon Sep 17 00:00:00 2001 -From: Christina Fu -Date: Wed, 20 Jun 2018 18:59:28 -0700 -Subject: [PATCH 2/7] Ticket 2920 Part2 of SharedToken Audit - -This patch addresses the issue that the original audit message for failure -got overwritten for SharedToken. - -fixes https://pagure.io/dogtagpki/issue/2920 - -Change-Id: I0c09fbcc39135dc9aeee8a49a40772565af996c4 ---- - .../netscape/cms/authentication/SharedSecret.java | 5 ++ - .../def/CMCUserSignedSubjectNameDefault.java | 7 ++- - .../cms/servlet/common/CMCOutputTemplate.java | 9 ++-- - .../servlet/profile/ProfileSubmitCMCServlet.java | 63 ++++++++++++++-------- - 4 files changed, 57 insertions(+), 27 deletions(-) - -diff --git a/base/server/cms/src/com/netscape/cms/authentication/SharedSecret.java b/base/server/cms/src/com/netscape/cms/authentication/SharedSecret.java -index e304b74..5ebc213 100644 ---- a/base/server/cms/src/com/netscape/cms/authentication/SharedSecret.java -+++ b/base/server/cms/src/com/netscape/cms/authentication/SharedSecret.java -@@ -406,6 +406,11 @@ public class SharedSecret extends DirBasedAuthentication - String method = "SharedSecret.getSharedToken(BigInteger serial): "; - String msg = ""; - -+ if (serial == null) { -+ throw new EBaseException(method + "paramster serial cannot be null"); -+ } -+ CMS.debug(method + serial.toString()); -+ - ICertRecord record = null; - try { - record = 
certRepository.readCertificateRecord(serial); -diff --git a/base/server/cms/src/com/netscape/cms/profile/def/CMCUserSignedSubjectNameDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/CMCUserSignedSubjectNameDefault.java -index a0816ea..f1810b0 100644 ---- a/base/server/cms/src/com/netscape/cms/profile/def/CMCUserSignedSubjectNameDefault.java -+++ b/base/server/cms/src/com/netscape/cms/profile/def/CMCUserSignedSubjectNameDefault.java -@@ -137,12 +137,17 @@ public class CMCUserSignedSubjectNameDefault extends EnrollDefault { - String msg = ""; - CMS.debug(method + "begins"); - -- String signingUserSerial = request.getExtDataInString(IAuthManager.CRED_CMC_SIGNING_CERT); - if (info == null) { - msg = method + "info null"; - CMS.debug(msg); - throw new EProfileException(msg); - } -+ String signingUserSerial = request.getExtDataInString(IAuthManager.CRED_CMC_SIGNING_CERT); -+ if (signingUserSerial == null) { -+ msg = method + "signing user serial not found; request was unsigned?"; -+ CMS.debug(msg); -+ throw new EProfileException(msg); -+ } - - CertificateSubjectName certSN = null; - try { -diff --git a/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java b/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java -index a0a946d..154cd33 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java -@@ -1103,14 +1103,15 @@ public class CMCOutputTemplate { - - char[] sharedSecret = null; - try { -- sharedSecret = tokenClass.getSharedToken(revokeSerial); -+ sharedSecret = tokenClass.getSharedToken(revokeSerial); - } catch (Exception eShrTok) { -- CMS.debug("CMCOutputTemplate: " + eShrTok.toString()); -+ msg = "CMCOutputTemplate: " + eShrTok.toString(); - } - - if (sharedSecret == null) { -- msg = " shared secret not found"; -- CMS.debug(method + msg); -+ if (msg.equals("")) // don't overwrite the msg -+ msg = " 
shared secret not found"; -+ CMS.debug(msg); - audit(new CertStatusChangeRequestProcessedEvent( - auditSubjectID, - ILogger.FAILURE, -diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java -index f469a66..12fd294 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java -@@ -533,10 +533,16 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { - CMS.debug("ProfileSubmitCMCServlet: setting CRED_CMC_SIGNING_CERT in ctx for CMCUserSignedAuth"); - ctx.set(IAuthManager.CRED_CMC_SIGNING_CERT, signingCertSerialS); - } -+ -+ String errorCode = null; -+ String errorReason = null; -+ String auditRequesterID = ILogger.UNIDENTIFIED; -+ - try { - reqs = profile.createRequests(ctx, locale); - } catch (ECMCBadMessageCheckException e) { -- CMS.debug("ProfileSubmitCMCServlet: after createRequests - " + e.toString()); -+ errorReason = e.toString(); -+ CMS.debug("ProfileSubmitCMCServlet: after createRequests - " + errorReason); - CMCOutputTemplate template = new CMCOutputTemplate(); - SEQUENCE seq = new SEQUENCE(); - seq.addElement(new INTEGER(0)); -@@ -547,9 +553,9 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { - } - template.createFullResponseWithFailedStatus(response, seq, - OtherInfo.BAD_MESSAGE_CHECK, s); -- return; - } catch (ECMCBadIdentityException e) { -- CMS.debug("ProfileSubmitCMCServlet: after createRequests - " + e.toString()); -+ errorReason = e.toString(); -+ CMS.debug("ProfileSubmitCMCServlet: after createRequests - " + errorReason); - CMCOutputTemplate template = new CMCOutputTemplate(); - SEQUENCE seq = new SEQUENCE(); - seq.addElement(new INTEGER(0)); -@@ -560,9 +566,9 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { - } - template.createFullResponseWithFailedStatus(response, 
seq, - OtherInfo.BAD_IDENTITY, s); -- return; - } catch (ECMCPopFailedException e) { -- CMS.debug("ProfileSubmitCMCServlet: after createRequests - " + e.toString()); -+ errorReason = e.toString(); -+ CMS.debug("ProfileSubmitCMCServlet: after createRequests - " + errorReason); - CMCOutputTemplate template = new CMCOutputTemplate(); - SEQUENCE seq = new SEQUENCE(); - seq.addElement(new INTEGER(0)); -@@ -573,9 +579,9 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { - } - template.createFullResponseWithFailedStatus(response, seq, - OtherInfo.POP_FAILED, s); -- return; - } catch (ECMCBadRequestException e) { -- CMS.debug("ProfileSubmitCMCServlet: after createRequests - " + e.toString()); -+ errorReason = e.toString(); -+ CMS.debug("ProfileSubmitCMCServlet: after createRequests - " + errorReason); - CMCOutputTemplate template = new CMCOutputTemplate(); - SEQUENCE seq = new SEQUENCE(); - seq.addElement(new INTEGER(0)); -@@ -586,9 +592,9 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { - } - template.createFullResponseWithFailedStatus(response, seq, - OtherInfo.BAD_REQUEST, s); -- return; - } catch (EProfileException e) { -- CMS.debug("ProfileSubmitCMCServlet: after createRequests - " + e.toString()); -+ errorReason = e.toString(); -+ CMS.debug("ProfileSubmitCMCServlet: after createRequests - " + errorReason); - CMCOutputTemplate template = new CMCOutputTemplate(); - SEQUENCE seq = new SEQUENCE(); - seq.addElement(new INTEGER(0)); -@@ -599,9 +605,9 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { - } - template.createFullResponseWithFailedStatus(response, seq, - OtherInfo.INTERNAL_CA_ERROR, s); -- return; - } catch (Throwable e) { -- CMS.debug("ProfileSubmitCMCServlet: createRequests - " + e.toString()); -+ errorReason = e.toString(); -+ CMS.debug("ProfileSubmitCMCServlet: createRequests - " + errorReason); - CMCOutputTemplate template = new CMCOutputTemplate(); - SEQUENCE seq = new SEQUENCE(); - seq.addElement(new 
INTEGER(0)); -@@ -612,7 +618,15 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { - } - template.createFullResponseWithFailedStatus(response, seq, - OtherInfo.INTERNAL_CA_ERROR, s); -- return; -+ } -+ -+ if (errorReason != null) { -+ audit(CertRequestProcessedEvent.createFailureEvent( -+ auditSubjectID, -+ auditRequesterID, -+ ILogger.SIGNED_AUDIT_REJECTION, -+ errorReason)); -+ return; - } - - TaggedAttribute attr = -@@ -684,13 +698,11 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { - } - } - -- String errorCode = null; -- String errorReason = null; -- - /////////////////////////////////////////////// - // populate request - /////////////////////////////////////////////// - for (int k = 0; (!isRevoke) && (provedReq == null) &&(k < reqs.length); k++) { -+ auditRequesterID = auditRequesterID(reqs[k]); - // adding parameters to request - setInputsIntoRequest(request, profile, reqs[k]); - -@@ -769,7 +781,8 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { - profile.populateInput(ctx, reqs[k]); - profile.populate(reqs[k]); - } catch (ECMCPopFailedException e) { -- CMS.debug("ProfileSubmitCMCServlet: after populate - " + e.toString()); -+ errorReason = e.toString(); -+ CMS.debug("ProfileSubmitCMCServlet: after populate - " + errorReason); - CMCOutputTemplate template = new CMCOutputTemplate(); - SEQUENCE seq = new SEQUENCE(); - seq.addElement(new INTEGER(0)); -@@ -780,9 +793,9 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { - } - template.createFullResponseWithFailedStatus(response, seq, - OtherInfo.POP_FAILED, s); -- return; - } catch (EProfileException e) { -- CMS.debug("ProfileSubmitCMCServlet: after populate - " + e.toString()); -+ errorReason = e.toString(); -+ CMS.debug("ProfileSubmitCMCServlet: after populate - " + errorReason); - CMCOutputTemplate template = new CMCOutputTemplate(); - SEQUENCE seq = new SEQUENCE(); - seq.addElement(new INTEGER(0)); -@@ -793,9 +806,9 @@ public class 
ProfileSubmitCMCServlet extends ProfileServlet { - } - template.createFullResponseWithFailedStatus(response, seq, - OtherInfo.BAD_REQUEST, s); -- return; - } catch (Throwable e) { -- CMS.debug("ProfileSubmitCMCServlet: after populate - " + e.toString()); -+ errorReason = e.toString(); -+ CMS.debug("ProfileSubmitCMCServlet: after populate - " + errorReason); - // throw new IOException("Profile " + profileId + - // " cannot populate"); - CMCOutputTemplate template = new CMCOutputTemplate(); -@@ -808,12 +821,18 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { - } - template.createFullResponseWithFailedStatus(response, seq, - OtherInfo.INTERNAL_CA_ERROR, s); -+ } -+ -+ if (errorReason != null) { -+ audit(CertRequestProcessedEvent.createFailureEvent( -+ auditSubjectID, -+ auditRequesterID, -+ ILogger.SIGNED_AUDIT_REJECTION, -+ errorReason)); - return; - } - } //for - -- String auditRequesterID = ILogger.UNIDENTIFIED; -- - try { - /////////////////////////////////////////////// - // submit request --- -1.8.3.1 - - -From a85486cfc7644b6a1caac6f5a2b34c4516ea1288 Mon Sep 17 00:00:00 2001 -From: Fraser Tweedale -Date: Fri, 15 Jun 2018 00:28:43 +1000 -Subject: [PATCH 3/7] IPAddressName: fix construction from String - -The IPAddressName(String) constructor (the non-netmask case) was -broken by commit 628ace0c90073a8a1d90e96fae0aab9e43903fd6. Fix it, -and rename one of the helper methods to clarify its behaviour. 
- -Fixes: https://pagure.io/dogtagpki/issue/2922 -Change-Id: I711cf6845496f54c86b10d2d01368912084f96ea ---- - base/util/src/netscape/security/x509/IPAddressName.java | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/base/util/src/netscape/security/x509/IPAddressName.java b/base/util/src/netscape/security/x509/IPAddressName.java -index a343a5f..b227af0 100644 ---- a/base/util/src/netscape/security/x509/IPAddressName.java -+++ b/base/util/src/netscape/security/x509/IPAddressName.java -@@ -76,7 +76,7 @@ public class IPAddressName implements GeneralNameInterface { - * @param netmask the netmask address in the format: n.n.n.n or x:x:x:x:x:x:x:x (RFC 1884) - */ - public IPAddressName(String s, String netmask) { -- address = initAddress(true, s); -+ address = parseAddress(true, s); - if (address.length == IPv4_LEN * 2) - fillIPv4Address(netmask, address, address.length / 2); - else -@@ -90,7 +90,7 @@ public class IPAddressName implements GeneralNameInterface { - * @param mask a CIDR netmask - */ - public IPAddressName(String s, CIDRNetmask mask) { -- address = initAddress(true, s); -+ address = parseAddress(true, s); - mask.write(ByteBuffer.wrap( - address, address.length / 2, address.length / 2)); - } -@@ -102,7 +102,7 @@ public class IPAddressName implements GeneralNameInterface { - * @param s the ip address in the format: n.n.n.n or x:x:x:x:x:x:x:x - */ - public IPAddressName(String s) { -- initAddress(false, s); -+ address = parseAddress(false, s); - } - - /** -@@ -113,7 +113,7 @@ public class IPAddressName implements GeneralNameInterface { - * @return byte[] of length 4 or 16 if withNetmask == false, - * or length 8 or 32 if withNetmask == true. - */ -- private static byte[] initAddress(boolean withNetmask, String s) { -+ private static byte[] parseAddress(boolean withNetmask, String s) { - if (s.indexOf(':') != -1) { - byte[] address = new byte[IPv6_LEN * (withNetmask ? 
2 : 1)]; - fillIPv6Address(s, address, 0); --- -1.8.3.1 - - -From 1f5e857759cb822093cdc20125fa4d0990432356 Mon Sep 17 00:00:00 2001 -From: Christina Fu -Date: Mon, 25 Jun 2018 16:46:36 -0700 -Subject: [PATCH 4/7] Ticket 3003 AuditVerify failure due to line breaks - -This patch normalizes the CONFIG_ROLE audit event params to eliminate line breaks -in audit entry from running pki ca-user-cert-add which would cause AuditVerify -to fail. (note: adding user cert via the java console does not have such issue) - -fixes https://pagure.io/dogtagpki/issue/3003 - -Change-Id: I52814714acebd29774abf0eb66aef3655ef2adb9 ---- - .../com/netscape/certsrv/logging/event/ConfigRoleEvent.java | 3 ++- - base/util/src/com/netscape/cmsutil/util/Utils.java | 12 +++++++++++- - 2 files changed, 13 insertions(+), 2 deletions(-) - -diff --git a/base/common/src/com/netscape/certsrv/logging/event/ConfigRoleEvent.java b/base/common/src/com/netscape/certsrv/logging/event/ConfigRoleEvent.java -index cc5f0b7..0ac71a8 100644 ---- a/base/common/src/com/netscape/certsrv/logging/event/ConfigRoleEvent.java -+++ b/base/common/src/com/netscape/certsrv/logging/event/ConfigRoleEvent.java -@@ -18,6 +18,7 @@ - package com.netscape.certsrv.logging.event; - - import com.netscape.certsrv.logging.SignedAuditEvent; -+import com.netscape.cmsutil.util.Utils; - - public class ConfigRoleEvent extends SignedAuditEvent { - -@@ -35,6 +36,6 @@ public class ConfigRoleEvent extends SignedAuditEvent { - - setAttribute("SubjectID", subjectID); - setAttribute("Outcome", outcome); -- setAttribute("ParamNameValPairs", params); -+ setAttribute("ParamNameValPairs", Utils.normalizeString(params, true /*keep space*/)); - } - } -diff --git a/base/util/src/com/netscape/cmsutil/util/Utils.java b/base/util/src/com/netscape/cmsutil/util/Utils.java -index 5ff78ad..9d0f9eb 100644 ---- a/base/util/src/com/netscape/cmsutil/util/Utils.java -+++ b/base/util/src/com/netscape/cmsutil/util/Utils.java -@@ -336,15 +336,24 @@ public class Utils { - * 
Normalize B64 input String - * - * @pram string base-64 string -+ * @param keepspace a boolean variable to control whether to keep spaces or not - * @return normalized string - */ - public static String normalizeString(String string) { -+ return normalizeString(string, false /*keepSpace*/); -+ } -+ -+ public static String normalizeString(String string, Boolean keepSpace) { - if (string == null) { - return string; - } - - StringBuffer sb = new StringBuffer(); -- StringTokenizer st = new StringTokenizer(string, "\r\n "); -+ StringTokenizer st = null; -+ if (keepSpace) -+ st = new StringTokenizer(string, "\r\n"); -+ else -+ st = new StringTokenizer(string, "\r\n "); - - while (st.hasMoreTokens()) { - String nextLine = st.nextToken(); -@@ -353,4 +362,5 @@ public class Utils { - } - return sb.toString(); - } -+ - } --- -1.8.3.1 - - -From cf1b83ed6e7be07636c3deac770d586433d80f9e Mon Sep 17 00:00:00 2001 -From: Christina Fu -Date: Tue, 26 Jun 2018 15:16:53 -0700 -Subject: [PATCH 5/7] Ticket 2992 CMC Simple request profiles and CMCResponse - to support simple response - -This patch fixes the broken profiles resulted from https://pagure.io/dogtagpki/issue/3018. - -In addition, CMCResponse has been improved to handle CMC simple response. 
- -fixes https://pagure.io/dogtagpki/issue/2992 - -Change-Id: If72aa08f044c96e4e5bd5ed98512d2936fe0d50a ---- - .../shared/profiles/ca/caECSimpleCMCUserCert.cfg | 6 +-- - base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg | 6 +-- - .../src/com/netscape/cmstools/CMCResponse.java | 46 +++++++++++++--------- - 3 files changed, 34 insertions(+), 24 deletions(-) - -diff --git a/base/ca/shared/profiles/ca/caECSimpleCMCUserCert.cfg b/base/ca/shared/profiles/ca/caECSimpleCMCUserCert.cfg -index 64a6ad9..8df3576 100644 ---- a/base/ca/shared/profiles/ca/caECSimpleCMCUserCert.cfg -+++ b/base/ca/shared/profiles/ca/caECSimpleCMCUserCert.cfg -@@ -1,11 +1,11 @@ --desc=This certificate profile is for enrolling user certificates by using the CMC certificate request with CMC Signature authentication. -+desc=This certificate profile is for enrolling user certificates by using the CMC simple certificate request with agent authentication. - enable=true - enableBy=admin - name=Simple CMC Enrollment Request for User Certificate - visible=false --auth.instance_id= -+auth.instance_id=AgentCertAuth - input.list=i1 --input.i1.class_id=cmcCertReqInputImpl -+input.i1.class_id=certReqInputImpl - output.list=o1 - output.o1.class_id=certOutputImpl - policyset.list=cmcUserCertSet -diff --git a/base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg b/base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg -index 0628a36..a55873f 100644 ---- a/base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg -+++ b/base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg -@@ -1,11 +1,11 @@ --desc=This certificate profile is for enrolling user certificates by using the CMC certificate request with CMC Signature authentication. -+desc=This certificate profile is for enrolling user certificates by using the CMC Simple certificate request with agent authentication. 
- enable=true - enableBy=admin - name=Simple CMC Enrollment Request for User Certificate - visible=false --auth.instance_id= -+auth.instance_id=AgentCertAuth - input.list=i1 --input.i1.class_id=cmcCertReqInputImpl -+input.i1.class_id=certReqInputImpl - output.list=o1 - output.o1.class_id=certOutputImpl - policyset.list=cmcUserCertSet -diff --git a/base/java-tools/src/com/netscape/cmstools/CMCResponse.java b/base/java-tools/src/com/netscape/cmstools/CMCResponse.java -index 945f09f..5d4f6c6 100644 ---- a/base/java-tools/src/com/netscape/cmstools/CMCResponse.java -+++ b/base/java-tools/src/com/netscape/cmstools/CMCResponse.java -@@ -82,14 +82,20 @@ public class CMCResponse { - - public Collection getStatusInfos() throws IOException, InvalidBERException { - -- Collection list = new ArrayList<>(); -- -- // assume full CMC response -- - SignedData signedData = (SignedData) contentInfo.getInterpretedContent(); - EncapsulatedContentInfo eci = signedData.getContentInfo(); - -+ Collection list = new ArrayList<>(); -+ - OCTET_STRING content = eci.getContent(); -+ if (content == null) { -+ System.out.println("CMC Simple Response."); -+ // No EncapsulatedContentInfo content; Assume simple response; -+ return null; -+ } -+ // assume full CMC response -+ System.out.println("CMC Full Response."); -+ - ByteArrayInputStream is = new ByteArrayInputStream(content.toByteArray()); - ResponseBody responseBody = (ResponseBody) (new ResponseBody.Template()).decode(is); - -@@ -166,8 +172,10 @@ public class CMCResponse { - System.out.println("Invalid CMC Response Format"); - } - -- if (!ci.hasContent()) -+ if (!ci.hasContent()) { -+ // No EncapsulatedContentInfo content; Assume simple response - return; -+ } - - OCTET_STRING content1 = ci.getContent(); - ByteArrayInputStream bbis = new ByteArrayInputStream(content1.toByteArray()); -@@ -371,23 +379,25 @@ public class CMCResponse { - - // terminate if any of the statuses is not a SUCCESS - Collection statusInfos = response.getStatusInfos(); -- 
for (CMCStatusInfoV2 statusInfo : statusInfos) { -+ if (statusInfos != null) { // full response -+ for (CMCStatusInfoV2 statusInfo : statusInfos) { - -- int status = statusInfo.getStatus(); -- if (status == CMCStatusInfoV2.SUCCESS) { -- continue; -- } -+ int status = statusInfo.getStatus(); -+ if (status == CMCStatusInfoV2.SUCCESS) { -+ continue; -+ } - -- SEQUENCE bodyList = statusInfo.getBodyList(); -+ SEQUENCE bodyList = statusInfo.getBodyList(); - -- Collection list = new ArrayList<>(); -- for (int i = 0; i < bodyList.size(); i++) { -- INTEGER n = (INTEGER) bodyList.elementAt(i); -- list.add(n); -- } -+ Collection list = new ArrayList<>(); -+ for (int i = 0; i < bodyList.size(); i++) { -+ INTEGER n = (INTEGER) bodyList.elementAt(i); -+ list.add(n); -+ } - -- System.err.println("ERROR: CMC status for " + list + ": " + CMCStatusInfoV2.STATUS[status]); -- System.exit(1); -+ System.err.println("ERROR: CMC status for " + list + ": " + CMCStatusInfoV2.STATUS[status]); -+ System.exit(1); -+ } - } - - // export PKCS #7 if requested --- -1.8.3.1 - - -From 3ad054342a08719cd80c618c2aa260210b418113 Mon Sep 17 00:00:00 2001 -From: Christina Fu -Date: Wed, 27 Jun 2018 15:04:57 -0700 -Subject: [PATCH 6/7] Ticket #2959 Address pkispawn ECC profile overrides - -This patch enables proper ECC profiles to be automatically applied during -pkispawn. - -This patch would eliminate the need for the workaround documented here: -http://www.dogtagpki.org/wiki/PKI_10.5_Pkispawn_ECC_Profile_Workaround - -The idea is to use the % replacement strings as part of the profile names -in the default.cfg file for pkispawn, -and change the profile names to mach the format. So for example: - -%(pki_admin_key_type)AdminCert.profile - -would either be translated to rsaAdminCert.profile or eccAdminCert.profile -depending on the value in pki_admin_key_type - -All 6 relevant profiles have been renamed per new convention. 
- -fixes https://pagure.io/dogtagpki/issue/2959 - -Change-Id: I9a9f70e415438e0b4130294abb725c74fd6e1b95 ---- - base/ca/shared/conf/ECadminCert.profile | 39 -------------------------- - base/ca/shared/conf/ECserverCert.profile | 39 -------------------------- - base/ca/shared/conf/ECsubsystemCert.profile | 39 -------------------------- - base/ca/shared/conf/adminCert.profile | 39 -------------------------- - base/ca/shared/conf/eccAdminCert.profile | 39 ++++++++++++++++++++++++++ - base/ca/shared/conf/eccServerCert.profile | 39 ++++++++++++++++++++++++++ - base/ca/shared/conf/eccSubsystemCert.profile | 39 ++++++++++++++++++++++++++ - base/ca/shared/conf/rsaAdminCert.profile | 39 ++++++++++++++++++++++++++ - base/ca/shared/conf/rsaServerCert.profile | 41 ++++++++++++++++++++++++++++ - base/ca/shared/conf/rsaSubsystemCert.profile | 39 ++++++++++++++++++++++++++ - base/ca/shared/conf/serverCert.profile | 41 ---------------------------- - base/ca/shared/conf/subsystemCert.profile | 39 -------------------------- - base/server/etc/default.cfg | 6 ++-- - 13 files changed, 239 insertions(+), 239 deletions(-) - delete mode 100644 base/ca/shared/conf/ECadminCert.profile - delete mode 100644 base/ca/shared/conf/ECserverCert.profile - delete mode 100644 base/ca/shared/conf/ECsubsystemCert.profile - delete mode 100644 base/ca/shared/conf/adminCert.profile - create mode 100644 base/ca/shared/conf/eccAdminCert.profile - create mode 100644 base/ca/shared/conf/eccServerCert.profile - create mode 100644 base/ca/shared/conf/eccSubsystemCert.profile - create mode 100644 base/ca/shared/conf/rsaAdminCert.profile - create mode 100644 base/ca/shared/conf/rsaServerCert.profile - create mode 100644 base/ca/shared/conf/rsaSubsystemCert.profile - delete mode 100644 base/ca/shared/conf/serverCert.profile - delete mode 100644 base/ca/shared/conf/subsystemCert.profile - -diff --git a/base/ca/shared/conf/ECadminCert.profile b/base/ca/shared/conf/ECadminCert.profile -deleted file mode 100644 -index 
46d157a..0000000
---- a/base/ca/shared/conf/ECadminCert.profile
-+++ /dev/null
-@@ -1,39 +0,0 @@
--#
--# Admin Certificate
--#
--id=adminCert.profile
--name=All Purpose admin cert with ECC keys Profile
--description=This profile creates an administrator's certificate with ECC keys
--profileIDMapping=caAdminCert
--profileSetIDMapping=adminCertSet
--list=2,4,5,6,7
--2.default.class=com.netscape.cms.profile.def.ValidityDefault
--2.default.name=Validity Default
--2.default.params.range=720
--2.default.params.startTime=0
--4.default.class=com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
--4.default.name=Authority Key Identifier Default
--5.default.class=com.netscape.cms.profile.def.AuthInfoAccessExtDefault
--5.default.name=AIA Extension Default
--5.default.params.authInfoAccessADEnable_0=true
--5.default.params.authInfoAccessADLocationType_0=URIName
--5.default.params.authInfoAccessADLocation_0=
--5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
--5.default.params.authInfoAccessCritical=false
--5.default.params.authInfoAccessNumADs=1
--6.default.class=com.netscape.cms.profile.def.KeyUsageExtDefault
--6.default.name=Key Usage Default
--6.default.params.keyUsageCritical=true
--6.default.params.keyUsageDigitalSignature=true
--6.default.params.keyUsageNonRepudiation=true
--6.default.params.keyUsageDataEncipherment=true
--6.default.params.keyUsageKeyEncipherment=false
--6.default.params.keyUsageKeyAgreement=true
--6.default.params.keyUsageKeyCertSign=false
--6.default.params.keyUsageCrlSign=false
--6.default.params.keyUsageEncipherOnly=false
--6.default.params.keyUsageDecipherOnly=false
--7.default.class=com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
--7.default.name=Extended Key Usage Extension Default
--7.default.params.exKeyUsageCritical=false
--7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
-diff --git a/base/ca/shared/conf/ECserverCert.profile b/base/ca/shared/conf/ECserverCert.profile
-deleted file mode 100644
-index 8c679f7..0000000
---- a/base/ca/shared/conf/ECserverCert.profile
-+++ /dev/null
-@@ -1,39 +0,0 @@
--#
--# ECC Server Certificate
--#
--id=serverCert.profile
--name=All Purpose SSL server cert with ECC keys Profile
--description=This profile creates an SSL server certificate with ECC keys that is valid for SSL servers
--profileIDMapping=caECServerCert
--profileSetIDMapping=serverCertSet
--list=2,4,5,6,7
--2.default.class=com.netscape.cms.profile.def.ValidityDefault
--2.default.name=Validity Default
--2.default.params.range=720
--2.default.params.startTime=0
--4.default.class=com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
--4.default.name=Authority Key Identifier Default
--5.default.class=com.netscape.cms.profile.def.AuthInfoAccessExtDefault
--5.default.name=AIA Extension Default
--5.default.params.authInfoAccessADEnable_0=true
--5.default.params.authInfoAccessADLocationType_0=URIName
--5.default.params.authInfoAccessADLocation_0=
--5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
--5.default.params.authInfoAccessCritical=false
--5.default.params.authInfoAccessNumADs=1
--6.default.class=com.netscape.cms.profile.def.KeyUsageExtDefault
--6.default.name=Key Usage Default
--6.default.params.keyUsageCritical=true
--6.default.params.keyUsageDigitalSignature=true
--6.default.params.keyUsageNonRepudiation=false
--6.default.params.keyUsageDataEncipherment=true
--6.default.params.keyUsageKeyEncipherment=false
--6.default.params.keyUsageKeyAgreement=true
--6.default.params.keyUsageKeyCertSign=false
--6.default.params.keyUsageCrlSign=false
--6.default.params.keyUsageEncipherOnly=false
--6.default.params.keyUsageDecipherOnly=false
--7.default.class=com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
--7.default.name=Extended Key Usage Extension Default
--7.default.params.exKeyUsageCritical=false
--7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1
-diff --git a/base/ca/shared/conf/ECsubsystemCert.profile 
b/base/ca/shared/conf/ECsubsystemCert.profile
-deleted file mode 100644
-index d11dabb..0000000
---- a/base/ca/shared/conf/ECsubsystemCert.profile
-+++ /dev/null
-@@ -1,39 +0,0 @@
--#
--# ECC Subsystem Certificate
--#
--id=subsystemCert.profile
--name=Subsystem cert with ECC keys Profile
--description=This profile creates a subsystem certificate with ECC keys that is valid for SSL clients
--profileIDMapping=caECSubsystemCert
--profileSetIDMapping=serverCertSet
--list=2,4,5,6,7
--2.default.class=com.netscape.cms.profile.def.ValidityDefault
--2.default.name=Validity Default
--2.default.params.range=720
--2.default.params.startTime=0
--4.default.class=com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
--4.default.name=Authority Key Identifier Default
--5.default.class=com.netscape.cms.profile.def.AuthInfoAccessExtDefault
--5.default.name=AIA Extension Default
--5.default.params.authInfoAccessADEnable_0=true
--5.default.params.authInfoAccessADLocationType_0=URIName
--5.default.params.authInfoAccessADLocation_0=
--5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
--5.default.params.authInfoAccessCritical=false
--5.default.params.authInfoAccessNumADs=1
--6.default.class=com.netscape.cms.profile.def.KeyUsageExtDefault
--6.default.name=Key Usage Default
--6.default.params.keyUsageCritical=true
--6.default.params.keyUsageDigitalSignature=true
--6.default.params.keyUsageNonRepudiation=false
--6.default.params.keyUsageDataEncipherment=true
--6.default.params.keyUsageKeyEncipherment=false
--6.default.params.keyUsageKeyAgreement=true
--6.default.params.keyUsageKeyCertSign=false
--6.default.params.keyUsageCrlSign=false
--6.default.params.keyUsageEncipherOnly=false
--6.default.params.keyUsageDecipherOnly=false
--7.default.class=com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
--7.default.name=Extended Key Usage Extension Default
--7.default.params.exKeyUsageCritical=false
--7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2
-diff --git 
a/base/ca/shared/conf/adminCert.profile b/base/ca/shared/conf/adminCert.profile
-deleted file mode 100644
-index 5e84d74..0000000
---- a/base/ca/shared/conf/adminCert.profile
-+++ /dev/null
-@@ -1,39 +0,0 @@
--#
--# Server Certificate
--#
--id=adminCert.profile
--name=All Purpose admin server cert Profile
--description=This profile creates an administrator's certificate
--profileIDMapping=caAdminCert
--profileSetIDMapping=adminCertSet
--list=2,4,5,6,7
--2.default.class=com.netscape.cms.profile.def.ValidityDefault
--2.default.name=Validity Default
--2.default.params.range=720
--2.default.params.startTime=0
--4.default.class=com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
--4.default.name=Authority Key Identifier Default
--5.default.class=com.netscape.cms.profile.def.AuthInfoAccessExtDefault
--5.default.name=AIA Extension Default
--5.default.params.authInfoAccessADEnable_0=true
--5.default.params.authInfoAccessADLocationType_0=URIName
--5.default.params.authInfoAccessADLocation_0=
--5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
--5.default.params.authInfoAccessCritical=false
--5.default.params.authInfoAccessNumADs=1
--6.default.class=com.netscape.cms.profile.def.KeyUsageExtDefault
--6.default.name=Key Usage Default
--6.default.params.keyUsageCritical=true
--6.default.params.keyUsageDigitalSignature=true
--6.default.params.keyUsageNonRepudiation=true
--6.default.params.keyUsageDataEncipherment=true
--6.default.params.keyUsageKeyEncipherment=true
--6.default.params.keyUsageKeyAgreement=false
--6.default.params.keyUsageKeyCertSign=false
--6.default.params.keyUsageCrlSign=false
--6.default.params.keyUsageEncipherOnly=false
--6.default.params.keyUsageDecipherOnly=false
--7.default.class=com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
--7.default.name=Extended Key Usage Extension Default
--7.default.params.exKeyUsageCritical=false
--7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
-diff --git 
a/base/ca/shared/conf/eccAdminCert.profile b/base/ca/shared/conf/eccAdminCert.profile
-new file mode 100644
-index 0000000..46d157a
---- /dev/null
-+++ b/base/ca/shared/conf/eccAdminCert.profile
-@@ -0,0 +1,39 @@
-+#
-+# Admin Certificate
-+#
-+id=adminCert.profile
-+name=All Purpose admin cert with ECC keys Profile
-+description=This profile creates an administrator's certificate with ECC keys
-+profileIDMapping=caAdminCert
-+profileSetIDMapping=adminCertSet
-+list=2,4,5,6,7
-+2.default.class=com.netscape.cms.profile.def.ValidityDefault
-+2.default.name=Validity Default
-+2.default.params.range=720
-+2.default.params.startTime=0
-+4.default.class=com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
-+4.default.name=Authority Key Identifier Default
-+5.default.class=com.netscape.cms.profile.def.AuthInfoAccessExtDefault
-+5.default.name=AIA Extension Default
-+5.default.params.authInfoAccessADEnable_0=true
-+5.default.params.authInfoAccessADLocationType_0=URIName
-+5.default.params.authInfoAccessADLocation_0=
-+5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
-+5.default.params.authInfoAccessCritical=false
-+5.default.params.authInfoAccessNumADs=1
-+6.default.class=com.netscape.cms.profile.def.KeyUsageExtDefault
-+6.default.name=Key Usage Default
-+6.default.params.keyUsageCritical=true
-+6.default.params.keyUsageDigitalSignature=true
-+6.default.params.keyUsageNonRepudiation=true
-+6.default.params.keyUsageDataEncipherment=true
-+6.default.params.keyUsageKeyEncipherment=false
-+6.default.params.keyUsageKeyAgreement=true
-+6.default.params.keyUsageKeyCertSign=false
-+6.default.params.keyUsageCrlSign=false
-+6.default.params.keyUsageEncipherOnly=false
-+6.default.params.keyUsageDecipherOnly=false
-+7.default.class=com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
-+7.default.name=Extended Key Usage Extension Default
-+7.default.params.exKeyUsageCritical=false
-+7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
-diff --git 
a/base/ca/shared/conf/eccServerCert.profile b/base/ca/shared/conf/eccServerCert.profile
-new file mode 100644
-index 0000000..8c679f7
---- /dev/null
-+++ b/base/ca/shared/conf/eccServerCert.profile
-@@ -0,0 +1,39 @@
-+#
-+# ECC Server Certificate
-+#
-+id=serverCert.profile
-+name=All Purpose SSL server cert with ECC keys Profile
-+description=This profile creates an SSL server certificate with ECC keys that is valid for SSL servers
-+profileIDMapping=caECServerCert
-+profileSetIDMapping=serverCertSet
-+list=2,4,5,6,7
-+2.default.class=com.netscape.cms.profile.def.ValidityDefault
-+2.default.name=Validity Default
-+2.default.params.range=720
-+2.default.params.startTime=0
-+4.default.class=com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
-+4.default.name=Authority Key Identifier Default
-+5.default.class=com.netscape.cms.profile.def.AuthInfoAccessExtDefault
-+5.default.name=AIA Extension Default
-+5.default.params.authInfoAccessADEnable_0=true
-+5.default.params.authInfoAccessADLocationType_0=URIName
-+5.default.params.authInfoAccessADLocation_0=
-+5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
-+5.default.params.authInfoAccessCritical=false
-+5.default.params.authInfoAccessNumADs=1
-+6.default.class=com.netscape.cms.profile.def.KeyUsageExtDefault
-+6.default.name=Key Usage Default
-+6.default.params.keyUsageCritical=true
-+6.default.params.keyUsageDigitalSignature=true
-+6.default.params.keyUsageNonRepudiation=false
-+6.default.params.keyUsageDataEncipherment=true
-+6.default.params.keyUsageKeyEncipherment=false
-+6.default.params.keyUsageKeyAgreement=true
-+6.default.params.keyUsageKeyCertSign=false
-+6.default.params.keyUsageCrlSign=false
-+6.default.params.keyUsageEncipherOnly=false
-+6.default.params.keyUsageDecipherOnly=false
-+7.default.class=com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
-+7.default.name=Extended Key Usage Extension Default
-+7.default.params.exKeyUsageCritical=false 
-+7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1
-diff --git a/base/ca/shared/conf/eccSubsystemCert.profile b/base/ca/shared/conf/eccSubsystemCert.profile
-new file mode 100644
-index 0000000..d11dabb
---- /dev/null
-+++ b/base/ca/shared/conf/eccSubsystemCert.profile
-@@ -0,0 +1,39 @@
-+#
-+# ECC Subsystem Certificate
-+#
-+id=subsystemCert.profile
-+name=Subsystem cert with ECC keys Profile
-+description=This profile creates a subsystem certificate with ECC keys that is valid for SSL clients
-+profileIDMapping=caECSubsystemCert
-+profileSetIDMapping=serverCertSet
-+list=2,4,5,6,7
-+2.default.class=com.netscape.cms.profile.def.ValidityDefault
-+2.default.name=Validity Default
-+2.default.params.range=720
-+2.default.params.startTime=0
-+4.default.class=com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
-+4.default.name=Authority Key Identifier Default
-+5.default.class=com.netscape.cms.profile.def.AuthInfoAccessExtDefault
-+5.default.name=AIA Extension Default
-+5.default.params.authInfoAccessADEnable_0=true
-+5.default.params.authInfoAccessADLocationType_0=URIName
-+5.default.params.authInfoAccessADLocation_0=
-+5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
-+5.default.params.authInfoAccessCritical=false
-+5.default.params.authInfoAccessNumADs=1
-+6.default.class=com.netscape.cms.profile.def.KeyUsageExtDefault
-+6.default.name=Key Usage Default
-+6.default.params.keyUsageCritical=true
-+6.default.params.keyUsageDigitalSignature=true
-+6.default.params.keyUsageNonRepudiation=false
-+6.default.params.keyUsageDataEncipherment=true
-+6.default.params.keyUsageKeyEncipherment=false
-+6.default.params.keyUsageKeyAgreement=true
-+6.default.params.keyUsageKeyCertSign=false
-+6.default.params.keyUsageCrlSign=false
-+6.default.params.keyUsageEncipherOnly=false
-+6.default.params.keyUsageDecipherOnly=false
-+7.default.class=com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
-+7.default.name=Extended Key Usage Extension Default 
-+7.default.params.exKeyUsageCritical=false
-+7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2
-diff --git a/base/ca/shared/conf/rsaAdminCert.profile b/base/ca/shared/conf/rsaAdminCert.profile
-new file mode 100644
-index 0000000..5e84d74
---- /dev/null
-+++ b/base/ca/shared/conf/rsaAdminCert.profile
-@@ -0,0 +1,39 @@
-+#
-+# Server Certificate
-+#
-+id=adminCert.profile
-+name=All Purpose admin server cert Profile
-+description=This profile creates an administrator's certificate
-+profileIDMapping=caAdminCert
-+profileSetIDMapping=adminCertSet
-+list=2,4,5,6,7
-+2.default.class=com.netscape.cms.profile.def.ValidityDefault
-+2.default.name=Validity Default
-+2.default.params.range=720
-+2.default.params.startTime=0
-+4.default.class=com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
-+4.default.name=Authority Key Identifier Default
-+5.default.class=com.netscape.cms.profile.def.AuthInfoAccessExtDefault
-+5.default.name=AIA Extension Default
-+5.default.params.authInfoAccessADEnable_0=true
-+5.default.params.authInfoAccessADLocationType_0=URIName
-+5.default.params.authInfoAccessADLocation_0=
-+5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
-+5.default.params.authInfoAccessCritical=false
-+5.default.params.authInfoAccessNumADs=1
-+6.default.class=com.netscape.cms.profile.def.KeyUsageExtDefault
-+6.default.name=Key Usage Default
-+6.default.params.keyUsageCritical=true
-+6.default.params.keyUsageDigitalSignature=true
-+6.default.params.keyUsageNonRepudiation=true
-+6.default.params.keyUsageDataEncipherment=true
-+6.default.params.keyUsageKeyEncipherment=true
-+6.default.params.keyUsageKeyAgreement=false
-+6.default.params.keyUsageKeyCertSign=false
-+6.default.params.keyUsageCrlSign=false
-+6.default.params.keyUsageEncipherOnly=false
-+6.default.params.keyUsageDecipherOnly=false
-+7.default.class=com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
-+7.default.name=Extended Key Usage Extension Default 
-+7.default.params.exKeyUsageCritical=false
-+7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
-diff --git a/base/ca/shared/conf/rsaServerCert.profile b/base/ca/shared/conf/rsaServerCert.profile
-new file mode 100644
-index 0000000..e740760
---- /dev/null
-+++ b/base/ca/shared/conf/rsaServerCert.profile
-@@ -0,0 +1,41 @@
-+#
-+# Server Certificate
-+#
-+id=serverCert.profile
-+name=All Purpose SSL server cert Profile
-+description=This profile creates an SSL server certificate that is valid for SSL servers
-+profileIDMapping=caServerCert
-+profileSetIDMapping=serverCertSet
-+list=2,4,5,6,7,8
-+2.default.class=com.netscape.cms.profile.def.ValidityDefault
-+2.default.name=Validity Default
-+2.default.params.range=720
-+2.default.params.startTime=0
-+4.default.class=com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
-+4.default.name=Authority Key Identifier Default
-+5.default.class=com.netscape.cms.profile.def.AuthInfoAccessExtDefault
-+5.default.name=AIA Extension Default
-+5.default.params.authInfoAccessADEnable_0=true
-+5.default.params.authInfoAccessADLocationType_0=URIName
-+5.default.params.authInfoAccessADLocation_0=
-+5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
-+5.default.params.authInfoAccessCritical=false
-+5.default.params.authInfoAccessNumADs=1
-+6.default.class=com.netscape.cms.profile.def.KeyUsageExtDefault
-+6.default.name=Key Usage Default
-+6.default.params.keyUsageCritical=true
-+6.default.params.keyUsageDigitalSignature=true
-+6.default.params.keyUsageNonRepudiation=false
-+6.default.params.keyUsageDataEncipherment=true
-+6.default.params.keyUsageKeyEncipherment=true
-+6.default.params.keyUsageKeyAgreement=false
-+6.default.params.keyUsageKeyCertSign=false
-+6.default.params.keyUsageCrlSign=false
-+6.default.params.keyUsageEncipherOnly=false
-+6.default.params.keyUsageDecipherOnly=false
-+7.default.class=com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
-+7.default.name=Extended Key Usage 
Extension Default
-+7.default.params.exKeyUsageCritical=false
-+7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1
-+8.default.class=com.netscape.cms.profile.def.CommonNameToSANDefault
-+8.default.name=Copy Common Name to Subjec Alternative Name Extension
-diff --git a/base/ca/shared/conf/rsaSubsystemCert.profile b/base/ca/shared/conf/rsaSubsystemCert.profile
-new file mode 100644
-index 0000000..fa8f84e
---- /dev/null
-+++ b/base/ca/shared/conf/rsaSubsystemCert.profile
-@@ -0,0 +1,39 @@
-+#
-+# Subsystem Certificate
-+#
-+id=subsystemCert.profile
-+name=All Purpose SSL server cert Profile
-+description=This profile creates a subsystem certificate that is valid for SSL client
-+profileIDMapping=caSubsystemCert
-+profileSetIDMapping=serverCertSet
-+list=2,4,5,6,7
-+2.default.class=com.netscape.cms.profile.def.ValidityDefault
-+2.default.name=Validity Default
-+2.default.params.range=720
-+2.default.params.startTime=0
-+4.default.class=com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
-+4.default.name=Authority Key Identifier Default
-+5.default.class=com.netscape.cms.profile.def.AuthInfoAccessExtDefault
-+5.default.name=AIA Extension Default
-+5.default.params.authInfoAccessADEnable_0=true
-+5.default.params.authInfoAccessADLocationType_0=URIName
-+5.default.params.authInfoAccessADLocation_0=
-+5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
-+5.default.params.authInfoAccessCritical=false
-+5.default.params.authInfoAccessNumADs=1
-+6.default.class=com.netscape.cms.profile.def.KeyUsageExtDefault
-+6.default.name=Key Usage Default
-+6.default.params.keyUsageCritical=true
-+6.default.params.keyUsageDigitalSignature=true
-+6.default.params.keyUsageNonRepudiation=true
-+6.default.params.keyUsageDataEncipherment=true
-+6.default.params.keyUsageKeyEncipherment=true
-+6.default.params.keyUsageKeyAgreement=false
-+6.default.params.keyUsageKeyCertSign=false
-+6.default.params.keyUsageCrlSign=false
-+6.default.params.keyUsageEncipherOnly=false 
-+6.default.params.keyUsageDecipherOnly=false
-+7.default.class=com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
-+7.default.name=Extended Key Usage Extension Default
-+7.default.params.exKeyUsageCritical=false
-+7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2
-diff --git a/base/ca/shared/conf/serverCert.profile b/base/ca/shared/conf/serverCert.profile
-deleted file mode 100644
-index e740760..0000000
---- a/base/ca/shared/conf/serverCert.profile
-+++ /dev/null
-@@ -1,41 +0,0 @@
--#
--# Server Certificate
--#
--id=serverCert.profile
--name=All Purpose SSL server cert Profile
--description=This profile creates an SSL server certificate that is valid for SSL servers
--profileIDMapping=caServerCert
--profileSetIDMapping=serverCertSet
--list=2,4,5,6,7,8
--2.default.class=com.netscape.cms.profile.def.ValidityDefault
--2.default.name=Validity Default
--2.default.params.range=720
--2.default.params.startTime=0
--4.default.class=com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
--4.default.name=Authority Key Identifier Default
--5.default.class=com.netscape.cms.profile.def.AuthInfoAccessExtDefault
--5.default.name=AIA Extension Default
--5.default.params.authInfoAccessADEnable_0=true
--5.default.params.authInfoAccessADLocationType_0=URIName
--5.default.params.authInfoAccessADLocation_0=
--5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
--5.default.params.authInfoAccessCritical=false
--5.default.params.authInfoAccessNumADs=1
--6.default.class=com.netscape.cms.profile.def.KeyUsageExtDefault
--6.default.name=Key Usage Default
--6.default.params.keyUsageCritical=true
--6.default.params.keyUsageDigitalSignature=true
--6.default.params.keyUsageNonRepudiation=false
--6.default.params.keyUsageDataEncipherment=true
--6.default.params.keyUsageKeyEncipherment=true
--6.default.params.keyUsageKeyAgreement=false
--6.default.params.keyUsageKeyCertSign=false
--6.default.params.keyUsageCrlSign=false
--6.default.params.keyUsageEncipherOnly=false 
--6.default.params.keyUsageDecipherOnly=false
--7.default.class=com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
--7.default.name=Extended Key Usage Extension Default
--7.default.params.exKeyUsageCritical=false
--7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1
--8.default.class=com.netscape.cms.profile.def.CommonNameToSANDefault
--8.default.name=Copy Common Name to Subjec Alternative Name Extension
-diff --git a/base/ca/shared/conf/subsystemCert.profile b/base/ca/shared/conf/subsystemCert.profile
-deleted file mode 100644
-index fa8f84e..0000000
---- a/base/ca/shared/conf/subsystemCert.profile
-+++ /dev/null
-@@ -1,39 +0,0 @@
--#
--# Subsystem Certificate
--#
--id=subsystemCert.profile
--name=All Purpose SSL server cert Profile
--description=This profile creates a subsystem certificate that is valid for SSL client
--profileIDMapping=caSubsystemCert
--profileSetIDMapping=serverCertSet
--list=2,4,5,6,7
--2.default.class=com.netscape.cms.profile.def.ValidityDefault
--2.default.name=Validity Default
--2.default.params.range=720
--2.default.params.startTime=0
--4.default.class=com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
--4.default.name=Authority Key Identifier Default
--5.default.class=com.netscape.cms.profile.def.AuthInfoAccessExtDefault
--5.default.name=AIA Extension Default
--5.default.params.authInfoAccessADEnable_0=true
--5.default.params.authInfoAccessADLocationType_0=URIName
--5.default.params.authInfoAccessADLocation_0=
--5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
--5.default.params.authInfoAccessCritical=false
--5.default.params.authInfoAccessNumADs=1
--6.default.class=com.netscape.cms.profile.def.KeyUsageExtDefault
--6.default.name=Key Usage Default
--6.default.params.keyUsageCritical=true
--6.default.params.keyUsageDigitalSignature=true
--6.default.params.keyUsageNonRepudiation=true
--6.default.params.keyUsageDataEncipherment=true
--6.default.params.keyUsageKeyEncipherment=true 
--6.default.params.keyUsageKeyAgreement=false
--6.default.params.keyUsageKeyCertSign=false
--6.default.params.keyUsageCrlSign=false
--6.default.params.keyUsageEncipherOnly=false
--6.default.params.keyUsageDecipherOnly=false
--7.default.class=com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
--7.default.name=Extended Key Usage Extension Default
--7.default.params.exKeyUsageCritical=false
--7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2
-diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg
-index e727648..c575e68 100644
---- a/base/server/etc/default.cfg
-+++ b/base/server/etc/default.cfg
-@@ -400,12 +400,12 @@ pki_source_flatfile_txt=%(pki_source_conf_path)s/flatfile.txt
- pki_source_profiles=/usr/share/pki/ca/profiles
- pki_source_proxy_conf=%(pki_source_conf_path)s/proxy.conf
- pki_source_registry_cfg=%(pki_source_conf_path)s/registry.cfg
--pki_source_admincert_profile=%(pki_source_conf_path)s/adminCert.profile
-+pki_source_admincert_profile=%(pki_source_conf_path)s/%(pki_admin_key_type)sAdminCert.profile
- pki_source_caauditsigningcert_profile=%(pki_source_conf_path)s/caAuditSigningCert.profile
- pki_source_cacert_profile=%(pki_source_conf_path)s/caCert.profile
- pki_source_caocspcert_profile=%(pki_source_conf_path)s/caOCSPCert.profile
--pki_source_servercert_profile=%(pki_source_conf_path)s/serverCert.profile
--pki_source_subsystemcert_profile=%(pki_source_conf_path)s/subsystemCert.profile
-+pki_source_servercert_profile=%(pki_source_conf_path)s/%(pki_sslserver_key_type)sServerCert.profile
-+pki_source_subsystemcert_profile=%(pki_source_conf_path)s/%(pki_subsystem_key_type)sSubsystemCert.profile
- pki_subsystem_emails_path=%(pki_subsystem_path)s/emails
- pki_subsystem_profiles_path=%(pki_subsystem_path)s/profiles
- 
--- 
-1.8.3.1
-
-
-From 2a9c2022d39e293269c49d806fa142992bef8abd Mon Sep 17 00:00:00 2001
-From: Christina Fu
-Date: Tue, 12 Jun 2018 11:47:57 -0700
-Subject: [PATCH 7/7] Ticket 2865 X500Name.directoryStringEncodingOrder 
overridden by CSR encoding - -This patch allows profile to have control over whether to override the subjectDN -encoding in the CSR with the encoding set by the system. - -New parameter in profile: -policyset..<#>.default.params.useSysEncoding=true - -where "true" means to override the subjectdn with the system default order or -the order set by X500Name.directoryStringEncodingOrder in CS.cfg - -by default, without useSysEncoding in profile, it is treated as false. - -fixes https://pagure.io/dogtagpki/issue/2865 - -Change-Id: I41f8f5371f26668909624f056a77ffbf66f0f5e1 ---- - .../cms/profile/def/UserSubjectNameDefault.java | 83 +++++++++++++++++----- - base/server/cmsbundle/src/UserMessages.properties | 1 + - .../netscape/cmscore/cert/X500NameSubsystem.java | 7 +- - 3 files changed, 72 insertions(+), 19 deletions(-) - -diff --git a/base/server/cms/src/com/netscape/cms/profile/def/UserSubjectNameDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/UserSubjectNameDefault.java -index 9064bc1..636b045 100644 ---- a/base/server/cms/src/com/netscape/cms/profile/def/UserSubjectNameDefault.java -+++ b/base/server/cms/src/com/netscape/cms/profile/def/UserSubjectNameDefault.java -@@ -44,9 +44,11 @@ import com.netscape.certsrv.request.IRequest; - public class UserSubjectNameDefault extends EnrollDefault { - - public static final String VAL_NAME = "name"; -+ public static final String CONFIG_USE_SYS_ENCODING = "useSysEncoding"; - - public UserSubjectNameDefault() { - super(); -+ addConfigName(CONFIG_USE_SYS_ENCODING); - addValueName(VAL_NAME); - } - -@@ -55,6 +57,16 @@ public class UserSubjectNameDefault extends EnrollDefault { - super.init(profile, config); - } - -+ public IDescriptor getConfigDescriptor(Locale locale, String name) { -+ if (name.equals(CONFIG_USE_SYS_ENCODING)) { -+ return new Descriptor(IDescriptor.BOOLEAN, null, -+ "false", -+ CMS.getUserMessage(locale, "CMS_PROFILE_CONFIG_USE_SYS_ENCODING")); -+ } else { -+ return null; -+ } -+ } -+ - public 
IDescriptor getValueDescriptor(Locale locale, String name) {
- if (name.equals(VAL_NAME)) {
- return new Descriptor(IDescriptor.STRING, null, null,
-@@ -64,52 +76,79 @@ public class UserSubjectNameDefault extends EnrollDefault {
- }
- }
- 
-- public void setValue(String name, Locale locale,
-- X509CertInfo info, String value)
-- throws EPropertyException {
-- if (name == null) {
-- throw new EPropertyException(CMS.getUserMessage(
-- locale, "CMS_INVALID_PROPERTY", name));
-- }
-- if (name.equals(VAL_NAME)) {
-+ private X500Name getX500Name(X509CertInfo info, String value) {
-+ String method = "UserSubjectNameDefault: getX500Name: ";
- X500Name x500name = null;
-+ /*
-+ * useSysEencoding default is false
-+ * To change that, add the following in the affected profile:
-+ * policyset..<#>.default.params.useSysEncoding=true
-+ */
-+ boolean useSysEncoding = getConfigBoolean(CONFIG_USE_SYS_ENCODING);
-+ CMS.debug(method +
-+ "use system encoding: " + useSysEncoding);
- 
- try {
-- x500name = new X500Name(value);
-+ if (value != null)
-+ x500name = new X500Name(value);
- 
-+ // oldName is what comes with the CSR
- CertificateSubjectName oldName = info.getSubjectObj();
- if (oldName != null) {
-+ CMS.debug(method + "subjectDN exists in CSR. ");
-+ } else {
-+ CMS.debug(method + "subjectDN does not exist in CSR. ");
-+ }
-+ if ((useSysEncoding == false) && (oldName != null)) {
- /* If the canonical string representations of
- * existing Subject DN and new DN are equal,
- * keep the old name so that the attribute
- * encodings are preserved. */
- X500Name oldX500name = oldName.getX500Name();
- if (x500name.toString().equals(oldX500name.toString())) {
-- CMS.debug(
-- "UserSubjectNameDefault: setValue: "
-+ CMS.debug( method
- + "new Subject DN has same string representation "
- + "as current value; retaining current value." 
- );
- x500name = oldX500name;
- } else {
-- CMS.debug(
-- "UserSubjectNameDefault: setValue: "
-+ CMS.debug(method
- + "replacing current value `" + oldX500name.toString() + "` "
- + "with new value `" + x500name.toString() + "`"
- );
- }
- }
- } catch (IOException e) {
-- CMS.debug(e.toString());
-+ CMS.debug(method + e.toString());
- // failed to build x500 name
- }
-- CMS.debug("UserSubjectNameDefault: setValue name=" + x500name);
-+ return x500name;
-+ }
-+
-+ public void setValue(String name, Locale locale,
-+ X509CertInfo info, String value)
-+ throws EPropertyException {
-+ String method = "UserSubjectNameDefault: setValue: ";
-+ if (name == null) {
-+ CMS.debug(name + "name null");
-+ throw new EPropertyException(CMS.getUserMessage(
-+ locale, "CMS_INVALID_PROPERTY", name));
-+ }
-+ CMS.debug(method + "name = " + name);
-+ if (value != null)
-+ CMS.debug(method + "value = " + value);
-+ else
-+ CMS.debug(method + "value = null");
-+
-+ if (name.equals(VAL_NAME)) {
-+ X500Name x500name = getX500Name(info, value);
-+ CMS.debug(method + "setting name=" + x500name);
- try {
- info.set(X509CertInfo.SUBJECT,
- new CertificateSubjectName(x500name));
- } catch (Exception e) {
- // failed to insert subject name
-- CMS.debug("UserSubjectNameDefault: setValue " + e.toString());
-+ CMS.debug(method + e.toString());
- throw new EPropertyException(CMS.getUserMessage(
- locale, "CMS_INVALID_PROPERTY", name));
- }
-@@ -155,9 +194,17 @@ public class UserSubjectNameDefault extends EnrollDefault {
- throws EProfileException {
- // authenticate the subject name and populate it
- // to the certinfo
-+ CertificateSubjectName req_sbj = request.getExtDataInCertSubjectName(
-+ IEnrollProfile.REQUEST_SUBJECT_NAME);
- try {
-- info.set(X509CertInfo.SUBJECT, request.getExtDataInCertSubjectName(
-- IEnrollProfile.REQUEST_SUBJECT_NAME));
-+ info.set(X509CertInfo.SUBJECT, req_sbj);
-+
-+ // see if the encoding needs changing
-+ X500Name x500name = getX500Name(info, req_sbj.toString()); 
-+ if (x500name != null) {
-+ info.set(X509CertInfo.SUBJECT,
-+ new CertificateSubjectName(x500name));
-+ }
- } catch (Exception e) {
- // failed to insert subject name
- CMS.debug("UserSubjectNameDefault: populate " + e.toString());
-diff --git a/base/server/cmsbundle/src/UserMessages.properties b/base/server/cmsbundle/src/UserMessages.properties
-index 9c324f5..208632d 100644
---- a/base/server/cmsbundle/src/UserMessages.properties
-+++ b/base/server/cmsbundle/src/UserMessages.properties
-@@ -754,6 +754,7 @@ CMS_PROFILE_ENCODING_ERROR=Error in BER encoding
- CMS_PROFILE_REVOKE_DUPKEY_CERT=Revoke certificate with duplicate key
- CMS_PROFILE_CONFIG_ALLOW_SAME_KEY_RENEWAL=Allow renewal of certification with same keys
- CMS_PROFILE_CONFIG_KEY_USAGE_EXTENSION_CHECKING=Allow duplicate subject names with different key usage for agent approved requests
-+CMS_PROFILE_CONFIG_USE_SYS_ENCODING=Use subject DN encoding from system-defined order
- CMS_PROFILE_INTERNAL_ERROR=Profile internal error: {0}
- CMS_PROFILE_DENY_OPERATION=Not authorized to do this operation.
- CMS_PROFILE_DELETE_ENABLEPROFILE=Cannot delete enabled profile: {0}
-diff --git a/base/server/cmscore/src/com/netscape/cmscore/cert/X500NameSubsystem.java b/base/server/cmscore/src/com/netscape/cmscore/cert/X500NameSubsystem.java
-index 7accf2b..f1b3eb6 100644
---- a/base/server/cmscore/src/com/netscape/cmscore/cert/X500NameSubsystem.java
-+++ b/base/server/cmscore/src/com/netscape/cmscore/cert/X500NameSubsystem.java
-@@ -185,10 +185,15 @@ public class X500NameSubsystem implements ISubsystem {
- */
- private void setDirStrEncodingOrder()
- throws EBaseException {
-+ String method = "X500NameSubsystem: setDirStrEncodingOrder: ";
- String order = mConfig.getString(PROP_DIR_STR_ENCODING_ORDER, null);
- 
-- if (order == null || order.length() == 0) // nothing.
-+ if (order == null || order.length() == 0) { // nothing. 
-+ CMS.debug(method + "X500Name.directoryStringEncodingOrder not specified in config; Using default order in DirStrConverter.");
- return;
-+ }
-+ CMS.debug(method + "X500Name.directoryStringEncodingOrder specified in config: " + order);
-+
- StringTokenizer toker = new StringTokenizer(order, ", \t");
- int numTokens = toker.countTokens();
- 
--- 
-1.8.3.1
-
diff --git a/SOURCES/pki-core-10.5.9-batch-1.0.patch b/SOURCES/pki-core-10.5.9-batch-1.0.patch
deleted file mode 100644
index d17d9e5..0000000
--- a/SOURCES/pki-core-10.5.9-batch-1.0.patch
+++ /dev/null
@@ -1,3161 +0,0 @@ -From ae472954d4b1a62b368acf044ac5e7c15ef8d0e4 Mon Sep 17 00:00:00 2001 -From: John Magne -Date: Fri, 19 Oct 2018 19:23:37 -0400 -Subject: [PATCH 03/19] Resolves: Bug 1624097 - CC: Identify version/release of - pki-ca, pki-kra, pki-ocsp, pki-tks, and pki-tps remotely. - ---- - .../netscape/cms/servlet/csadmin/GetStatus.java | 48 ++++++++++++++++++++++ - 1 file changed, 48 insertions(+) - -diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/GetStatus.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/GetStatus.java -index 1d2d0e6..338e26b 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/GetStatus.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/GetStatus.java -@@ -18,6 +18,7 @@ - package com.netscape.cms.servlet.csadmin; - - import java.io.IOException; -+import java.io.FileInputStream; - import java.util.Locale; - - import javax.servlet.ServletConfig; -@@ -34,6 +35,8 @@ import com.netscape.cms.servlet.base.CMSServlet; - import com.netscape.cms.servlet.base.UserInfo; - import com.netscape.cms.servlet.common.CMSRequest; - import com.netscape.cmsutil.xml.XMLObject; -+import org.apache.commons.io.IOUtils; -+import org.apache.commons.lang.StringUtils; - - public class GetStatus extends CMSServlet { - -@@ -41,6 +44,8 @@ public class GetStatus extends CMSServlet { - * - */ - private static final long serialVersionUID = -2852842030221659847L; -+ // File below will be a member of a pki theme package. -+ private static final String productVersionFILE = "/usr/share/pki/CS_SERVER_VERSION"; - - public GetStatus() { - super(); -@@ -80,6 +85,13 @@ public class GetStatus extends CMSServlet { - xmlObj.addItemToContainer(root, "Type", type); - xmlObj.addItemToContainer(root, "Status", status); - xmlObj.addItemToContainer(root, "Version", version); -+ // File below will be a member of a pki theme package. 
-+ String productVersion = getProductVersion(productVersionFILE); -+ -+ if(!StringUtils.isEmpty(productVersion)) { -+ xmlObj.addItemToContainer(root,"ProductVersion", productVersion); -+ } -+ - byte[] cb = xmlObj.toByteArray(); - - outputResult(httpResp, "application/xml", cb); -@@ -108,4 +120,40 @@ public class GetStatus extends CMSServlet { - return locale; - } - -+ /** -+ * Return the product version if the file: /usr/share/pki/CS_SERVER_VERSION -+ * exists. -+ * -+ * Caller only cares if there is a string or not, exceptions handled here. -+ */ -+ private String getProductVersion(String versionFilePathName) { -+ String version = null; -+ FileInputStream inputStream = null; -+ -+ if(StringUtils.isEmpty(versionFilePathName)) { -+ CMS.debug("Missing product version file path!"); -+ return null; -+ } -+ -+ try { -+ inputStream = new FileInputStream(versionFilePathName); -+ String contents = IOUtils.toString(inputStream); -+ -+ if(contents != null) { -+ CMS.debug("Returning product version: " + version); -+ version = contents.trim(); -+ } -+ } catch (Exception e) { -+ CMS.debug("Failed to read product version String. 
" + e); -+ } -+ finally { -+ if(inputStream != null) { -+ try { -+ inputStream.close(); -+ } catch (IOException e) { -+ } -+ } -+ } -+ return version; -+ } - } --- -1.8.3.1 - - -From 28452a131f11d6372beb6bc262b7c26bb4cb1961 Mon Sep 17 00:00:00 2001 -From: Matthew Harmsen -Date: Fri, 14 Sep 2018 19:19:23 -0600 -Subject: [PATCH 04/19] Ticket 2865 X500Name.directoryStringEncodingOrder - overridden by CSR encoding - -https://pagure.io/dogtagpki/issue/2865 coverity fixes -(cherry picked from commit b375305e00dedc4127e5aa1b97e11dcc26a68f72) ---- - .../netscape/cms/profile/def/UserSubjectNameDefault.java | 14 +++++++++++++- - 1 file changed, 13 insertions(+), 1 deletion(-) - -diff --git a/base/server/cms/src/com/netscape/cms/profile/def/UserSubjectNameDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/UserSubjectNameDefault.java -index 636b045..459735e 100644 ---- a/base/server/cms/src/com/netscape/cms/profile/def/UserSubjectNameDefault.java -+++ b/base/server/cms/src/com/netscape/cms/profile/def/UserSubjectNameDefault.java -@@ -105,7 +105,13 @@ public class UserSubjectNameDefault extends EnrollDefault { - * keep the old name so that the attribute - * encodings are preserved. */ - X500Name oldX500name = oldName.getX500Name(); -- if (x500name.toString().equals(oldX500name.toString())) { -+ if (x500name == null) { -+ CMS.debug( method -+ + "new Subject DN is null; " -+ + "retaining current value." -+ ); -+ x500name = oldX500name; -+ } else if (x500name.toString().equals(oldX500name.toString())) { - CMS.debug( method - + "new Subject DN has same string representation " - + "as current value; retaining current value." 
-@@ -196,6 +202,12 @@ public class UserSubjectNameDefault extends EnrollDefault { - // to the certinfo - CertificateSubjectName req_sbj = request.getExtDataInCertSubjectName( - IEnrollProfile.REQUEST_SUBJECT_NAME); -+ if (req_sbj == null) { -+ // failed to retrieve subject name -+ CMS.debug("UserSubjectNameDefault: populate req_sbj is null"); -+ throw new EProfileException(CMS.getUserMessage(getLocale(request), -+ "CMS_PROFILE_SUBJECT_NAME_NOT_FOUND")); -+ } - try { - info.set(X509CertInfo.SUBJECT, req_sbj); - --- -1.8.3.1 - - -From 2180a832fa531120c9fe2dead72b58e615ef4744 Mon Sep 17 00:00:00 2001 -From: Christina Fu -Date: Wed, 22 Aug 2018 18:12:06 -0700 -Subject: [PATCH 07/19] ticket #2879 audit events for CA acting as TLS client - -This patch provides code for ticket 2879, adding audit events for CS when - acting as a TLS client. - -For a running CS system, there are two cases when this happens: -1. When one CS subsystem is talking to another CS subsystem - In this case: HttpClient is used -2. 
When a CS subsystem is talking to an ldap syste - In this case: PKISocketFactory is used - -Events added are: - - LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_ESTABLISH_FAILURE - - LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_ESTABLISH_SUCCESS - - LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_TERMINATED - -https://pagure.io/dogtagpki/issue/2879 - -Change-Id: Ib8e4c27c57cb2b13b461c36f37f52dc6a13956f8 -(cherry picked from commit add6813cb15673d604f05173585101a6e56745ca) ---- - base/ca/shared/conf/CS.cfg | 4 +- - .../event/ClientAccessSessionEstablishEvent.java | 74 +++++++ - .../event/ClientAccessSessionTerminatedEvent.java | 53 +++++ - base/kra/shared/conf/CS.cfg | 4 +- - base/ocsp/shared/conf/CS.cfg | 4 +- - .../cms/publish/publishers/OCSPPublisher.java | 4 + - .../dogtagpki/server/PKIClientSocketListener.java | 230 +++++++++++++++++++++ - base/server/cmsbundle/src/LogMessages.properties | 20 ++ - .../cmscore/connector/HttpConnFactory.java | 6 + - .../netscape/cmscore/connector/HttpConnection.java | 42 ++++ - .../netscape/cmscore/connector/HttpConnector.java | 10 + - .../com/netscape/cmscore/connector/Resender.java | 8 +- - .../cmscore/ldapconn/PKISocketFactory.java | 9 +- - base/tks/shared/conf/CS.cfg | 4 +- - .../src/com/netscape/cmsutil/http/HttpClient.java | 14 ++ - .../netscape/cmsutil/http/JssSSLSocketFactory.java | 8 + - 16 files changed, 484 insertions(+), 10 deletions(-) - create mode 100644 base/common/src/com/netscape/certsrv/logging/event/ClientAccessSessionEstablishEvent.java - create mode 100644 base/common/src/com/netscape/certsrv/logging/event/ClientAccessSessionTerminatedEvent.java - create mode 100644 base/server/cms/src/org/dogtagpki/server/PKIClientSocketListener.java - -diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg -index 92504ff..4cef240 100644 ---- a/base/ca/shared/conf/CS.cfg -+++ b/base/ca/shared/conf/CS.cfg -@@ -905,11 +905,11 @@ log.instance.SignedAudit._001=## Signed Audit Logging - log.instance.SignedAudit._002=## - 
log.instance.SignedAudit._003=## - log.instance.SignedAudit._004=## Available Audit events: --log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,CERT_SIGNING_INFO,OCSP_SIGNING_INFO,CRL_SIGNING_INFO,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ,INTER_BOUNDARY,AUTH,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,SCHEDULE_CRL_GENERATION,DELTA_CRL_GENERATION,DELTA_CRL_PUBLISHING,FULL_CRL_GENERATION,FULL_CRL_PUBLISHING,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,CMC_REQUEST_RECEIVED,CMC_RESPONSE_SENT,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_GENERATION,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST,RANDOM_GENERATION -+log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,CERT_SIGNING_INFO,OCSP_SIGNING_INFO,CRL_SIGNING_INFO,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ,INTER_BOUNDARY,AUTH,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,SCHEDULE_CRL_GENERATION,DELTA_CRL_GENERATION,DELTA_CRL_PUBLISHING,FULL_CRL_GENERATION,FULL_CRL_PUBLISHING,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,CMC_REQUEST_RECEIVED,CMC_RESPONSE_SENT,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_GENERATION,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,CLIENT_ACCESS_SESSION_ESTABLISH,CLIENT_ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST,RANDOM_GENERATION - log.instance.SignedAudit._006=## - log.instance.SignedAudit.bufferSize=512 - log.instance.SignedAudit.enable=true --log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CERT_REQUEST_PROCESSED,CERT_SIGNING_INFO,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,CMC_REQUEST_RECEIVED,CMC_RESPONSE_SENT,CONFIG_AUTH,CONFIG_CERT_PROFILE,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,CRL_SIGNING_INFO,DELTA_CRL_GENERATION,FULL_CRL_GENERATION,LOG_PATH_CHANGE,OCSP_GENERATION,OCSP_SIGNING_INFO,PROFILE_CERT_REQUEST,PROOF_OF_POSSESSION,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,CERT_STATUS_CHANGE_REQUEST_PROCESSED,CERT_PROFILE_APPROVAL,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_ACL,CONFIG_DRM,AUTHORITY_CONFIG 
-+log.instance.SignedAudit.events=CLIENT_ACCESS_SESSION_ESTABLISH,CLIENT_ACCESS_SESSION_TERMINATED,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CERT_REQUEST_PROCESSED,CERT_SIGNING_INFO,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,CMC_REQUEST_RECEIVED,CMC_RESPONSE_SENT,CONFIG_AUTH,CONFIG_CERT_PROFILE,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,CRL_SIGNING_INFO,DELTA_CRL_GENERATION,FULL_CRL_GENERATION,LOG_PATH_CHANGE,OCSP_GENERATION,OCSP_SIGNING_INFO,PROFILE_CERT_REQUEST,PROOF_OF_POSSESSION,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,CERT_STATUS_CHANGE_REQUEST_PROCESSED,CERT_PROFILE_APPROVAL,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_ACL,CONFIG_DRM,AUTHORITY_CONFIG - log.instance.SignedAudit.filters.CMC_SIGNED_REQUEST_SIG_VERIFY=(Outcome=Failure) - log.instance.SignedAudit.filters.CMC_USER_SIGNED_REQUEST_SIG_VERIFY=(Outcome=Failure) - log.instance.SignedAudit.filters.DELTA_CRL_GENERATION=(Outcome=Failure) -diff --git a/base/common/src/com/netscape/certsrv/logging/event/ClientAccessSessionEstablishEvent.java b/base/common/src/com/netscape/certsrv/logging/event/ClientAccessSessionEstablishEvent.java -new file mode 100644 -index 0000000..f54641a ---- /dev/null -+++ b/base/common/src/com/netscape/certsrv/logging/event/ClientAccessSessionEstablishEvent.java -@@ -0,0 +1,74 @@ -+// --- BEGIN COPYRIGHT BLOCK --- -+// This program is free software; you can redistribute it and/or modify -+// it under the terms of the GNU General Public License as published by -+// the Free Software Foundation; version 2 of the License. -+// -+// This program is distributed in the hope that it will be useful, -+// but WITHOUT ANY WARRANTY; without even the implied warranty of -+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+// GNU General Public License for more details. 
-+// -+// You should have received a copy of the GNU General Public License along -+// with this program; if not, write to the Free Software Foundation, Inc., -+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -+// -+// (C) 2017 Red Hat, Inc. -+// All rights reserved. -+// --- END COPYRIGHT BLOCK --- -+package com.netscape.certsrv.logging.event; -+ -+import com.netscape.certsrv.logging.ILogger; -+import com.netscape.certsrv.logging.SignedAuditEvent; -+ -+public class ClientAccessSessionEstablishEvent extends SignedAuditEvent { -+ -+ private static final long serialVersionUID = 1L; -+ -+ public final static String CLIENT_ACCESS_SESSION_ESTABLISH_SUCCESS = -+ "LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_ESTABLISH_SUCCESS"; -+ -+ public final static String CLIENT_ACCESS_SESSION_ESTABLISH_FAILURE = -+ "LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_ESTABLISH_FAILURE"; -+ -+ public ClientAccessSessionEstablishEvent(String messageID) { -+ super(messageID); -+ } -+ -+ public static ClientAccessSessionEstablishEvent createSuccessEvent( -+ String clientHost, -+ String serverHost, -+ String serverPort, -+ String subjectID) { -+ -+ ClientAccessSessionEstablishEvent event = new ClientAccessSessionEstablishEvent( -+ CLIENT_ACCESS_SESSION_ESTABLISH_SUCCESS); -+ -+ event.setAttribute("ClientHost", clientHost); -+ event.setAttribute("ServerHost", serverHost); -+ event.setAttribute("ServerPort", serverPort); -+ event.setAttribute("SubjectID", subjectID); -+ event.setAttribute("Outcome", ILogger.SUCCESS); -+ -+ return event; -+ } -+ -+ public static ClientAccessSessionEstablishEvent createFailureEvent( -+ String clientHost, -+ String serverHost, -+ String serverPort, -+ String subjectID, -+ String info) { -+ -+ ClientAccessSessionEstablishEvent event = new ClientAccessSessionEstablishEvent( -+ CLIENT_ACCESS_SESSION_ESTABLISH_FAILURE); -+ -+ event.setAttribute("ClientHost", clientHost); -+ event.setAttribute("ServerHost", serverHost); -+ event.setAttribute("ServerPort", 
serverPort); -+ event.setAttribute("SubjectID", subjectID); -+ event.setAttribute("Outcome", ILogger.FAILURE); -+ event.setAttribute("Info", info); -+ -+ return event; -+ } -+} -diff --git a/base/common/src/com/netscape/certsrv/logging/event/ClientAccessSessionTerminatedEvent.java b/base/common/src/com/netscape/certsrv/logging/event/ClientAccessSessionTerminatedEvent.java -new file mode 100644 -index 0000000..cad0c97 ---- /dev/null -+++ b/base/common/src/com/netscape/certsrv/logging/event/ClientAccessSessionTerminatedEvent.java -@@ -0,0 +1,53 @@ -+// --- BEGIN COPYRIGHT BLOCK --- -+// This program is free software; you can redistribute it and/or modify -+// it under the terms of the GNU General Public License as published by -+// the Free Software Foundation; version 2 of the License. -+// -+// This program is distributed in the hope that it will be useful, -+// but WITHOUT ANY WARRANTY; without even the implied warranty of -+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+// GNU General Public License for more details. -+// -+// You should have received a copy of the GNU General Public License along -+// with this program; if not, write to the Free Software Foundation, Inc., -+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -+// -+// (C) 2017 Red Hat, Inc. -+// All rights reserved. 
-+// --- END COPYRIGHT BLOCK --- -+package com.netscape.certsrv.logging.event; -+ -+import com.netscape.certsrv.logging.ILogger; -+import com.netscape.certsrv.logging.SignedAuditEvent; -+ -+public class ClientAccessSessionTerminatedEvent extends SignedAuditEvent { -+ -+ private static final long serialVersionUID = 1L; -+ -+ public final static String CLIENT_ACCESS_SESSION_TERMINATED = -+ "LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_TERMINATED"; -+ -+ public ClientAccessSessionTerminatedEvent(String messageID) { -+ super(messageID); -+ } -+ -+ public static ClientAccessSessionTerminatedEvent createEvent( -+ String clientHost, -+ String serverHost, -+ String serverPort, -+ String subjectID, -+ String info) { -+ -+ ClientAccessSessionTerminatedEvent event = new ClientAccessSessionTerminatedEvent( -+ CLIENT_ACCESS_SESSION_TERMINATED); -+ -+ event.setAttribute("ClientHost", clientHost); -+ event.setAttribute("ServerHost", serverHost); -+ event.setAttribute("ServerPort", serverPort); -+ event.setAttribute("SubjectID", subjectID); -+ event.setAttribute("Outcome", ILogger.SUCCESS); -+ event.setAttribute("Info", info); -+ -+ return event; -+ } -+} -diff --git a/base/kra/shared/conf/CS.cfg b/base/kra/shared/conf/CS.cfg -index 878e5f8..6108576 100644 ---- a/base/kra/shared/conf/CS.cfg -+++ b/base/kra/shared/conf/CS.cfg -@@ -300,11 +300,11 @@ log.instance.SignedAudit._001=## Signed Audit Logging - log.instance.SignedAudit._002=## - log.instance.SignedAudit._003=## - log.instance.SignedAudit._004=## Available Audit events: --log.instance.SignedAudit._005=## 
AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,KEY_RECOVERY_AGENT_LOGIN,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ,INTER_BOUNDARY,AUTH,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_EXPORT_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,SECURITY_DATA_INFO,RANDOM_GENERATION -+log.instance.SignedAudit._005=## 
AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,KEY_RECOVERY_AGENT_LOGIN,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ,INTER_BOUNDARY,AUTH,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_EXPORT_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,KEY_STATUS_CHANGE,CLIENT_ACCESS_SESSION_ESTABLISH,CLIENT_ACCESS_SESSION_TERMINATED,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,SECURITY_DATA_INFO,RANDOM_GENERATION - log.instance.SignedAudit._006=## - log.instance.SignedAudit.bufferSize=512 - log.instance.SignedAudit.enable=true 
--log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GEN_REQUEST_PROCESSED,AUTH,AUTHZ,CONFIG_AUTH,CONFIG_DRM,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,KEY_GEN_ASYMMETRIC,KEY_RECOVERY_AGENT_LOGIN,LOG_PATH_CHANGE,PROFILE_CERT_REQUEST,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,SERVER_SIDE_KEYGEN_REQUEST,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED,SYMKEY_GENERATION_REQUEST,SYMKEY_GEN_REQUEST_PROCESSED,CONFIG_ACL -+log.instance.SignedAudit.events=CLIENT_ACCESS_SESSION_ESTABLISH,CLIENT_ACCESS_SESSION_TERMINATED,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GEN_REQUEST_PROCESSED,AUTH,AUTHZ,CONFIG_AUTH,CONFIG_DRM,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,KEY_GEN_ASYMMETRIC,KEY_RECOVERY_AGENT_LOGIN,LOG_PATH_CHANGE,PROFILE_CERT_REQUEST,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,SERVER_SIDE_KEYGEN_REQUEST,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED,SYMKEY_GENERATION_REQUEST,SYMKEY_GEN_REQUEST_PROCESSED,CONFIG_ACL - log.instance.SignedAudit.filters.ASYMKEY_GENERATION_REQUEST=(Outcome=Failure) - log.instance.SignedAudit.filters.ASYMKEY_GEN_REQUEST_PROCESSED=(Outcome=Failure) - log.instance.SignedAudit.filters.KEY_GEN_ASYMMETRIC=(Outcome=Failure) -diff --git a/base/ocsp/shared/conf/CS.cfg b/base/ocsp/shared/conf/CS.cfg -index b412e5e..d2e5256 100644 ---- a/base/ocsp/shared/conf/CS.cfg -+++ b/base/ocsp/shared/conf/CS.cfg -@@ -216,11 +216,11 @@ 
log.instance.SignedAudit._001=## Signed Audit Logging - log.instance.SignedAudit._002=## - log.instance.SignedAudit._003=## - log.instance.SignedAudit._004=## Available Audit events: --log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ,INTER_BOUNDARY,AUTH,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED,OCSP_GENERATION,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,RANDOM_GENERATION -+log.instance.SignedAudit._005=## 
AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ,INTER_BOUNDARY,AUTH,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED,OCSP_GENERATION,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CLIENT_ACCESS_SESSION_ESTABLISH,CLIENT_ACCESS_SESSION_TERMINATED,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,RANDOM_GENERATION - log.instance.SignedAudit._006=## - log.instance.SignedAudit.bufferSize=512 - log.instance.SignedAudit.enable=true 
--log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CONFIG_AUTH,CONFIG_ENCRYPTION,CONFIG_OCSP_PROFILE,CONFIG_ROLE,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,LOG_PATH_CHANGE,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST_PROCESSED,OCSP_SIGNING_INFO,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,CONFIG_ACL -+log.instance.SignedAudit.events=CLIENT_ACCESS_SESSION_ESTABLISH,CLIENT_ACCESS_SESSION_TERMINATED,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CONFIG_AUTH,CONFIG_ENCRYPTION,CONFIG_OCSP_PROFILE,CONFIG_ROLE,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,LOG_PATH_CHANGE,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST_PROCESSED,OCSP_SIGNING_INFO,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,CONFIG_ACL - log.instance.SignedAudit.filters.RANDOM_GENERATION=(Outcome=Failure) - log.instance.SignedAudit.filters.SELFTESTS_EXECUTION=(Outcome=Failure) - log.instance.SignedAudit.expirationTime=0 -diff --git a/base/server/cms/src/com/netscape/cms/publish/publishers/OCSPPublisher.java b/base/server/cms/src/com/netscape/cms/publish/publishers/OCSPPublisher.java -index 11d44b8..d15523e 100644 ---- a/base/server/cms/src/com/netscape/cms/publish/publishers/OCSPPublisher.java -+++ b/base/server/cms/src/com/netscape/cms/publish/publishers/OCSPPublisher.java -@@ -42,6 +42,8 @@ import com.netscape.cmsutil.http.HttpRequest; - import com.netscape.cmsutil.http.JssSSLSocketFactory; - import com.netscape.cmsutil.util.Utils; - -+import org.dogtagpki.server.PKIClientSocketListener; -+ - import netscape.ldap.LDAPConnection; - - /** -@@ -247,12 +249,14 @@ public class OCSPPublisher implements ILdapPublisher, IExtendedPluginInfo { - - Socket socket = null; - JssSSLSocketFactory factory; -+ PKIClientSocketListener sockListener = new PKIClientSocketListener(); - - if (mClientAuthEnabled) { - factory = new JssSSLSocketFactory(mNickname); - } else { - factory = new 
JssSSLSocketFactory(); - } -+ factory.addSocketListener(sockListener); - - if (mHost != null && mHost.indexOf(' ') != -1) { - // support failover hosts configuration -diff --git a/base/server/cms/src/org/dogtagpki/server/PKIClientSocketListener.java b/base/server/cms/src/org/dogtagpki/server/PKIClientSocketListener.java -new file mode 100644 -index 0000000..dc49908 ---- /dev/null -+++ b/base/server/cms/src/org/dogtagpki/server/PKIClientSocketListener.java -@@ -0,0 +1,230 @@ -+// --- BEGIN COPYRIGHT BLOCK --- -+// This program is free software; you can redistribute it and/or modify -+// it under the terms of the GNU General Public License as published by -+// the Free Software Foundation; version 2 of the License. -+// -+// This program is distributed in the hope that it will be useful, -+// but WITHOUT ANY WARRANTY; without even the implied warranty of -+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+// GNU General Public License for more details. -+// -+// You should have received a copy of the GNU General Public License along -+// with this program; if not, write to the Free Software Foundation, Inc., -+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -+// -+// (C) 2017 Red Hat, Inc. -+// All rights reserved. 
-+// --- END COPYRIGHT BLOCK --- -+package org.dogtagpki.server; -+ -+import java.lang.Integer; -+import java.net.InetAddress; -+import java.security.Principal; -+import java.util.HashMap; -+import java.util.Map; -+import java.util.WeakHashMap; -+ -+import org.mozilla.jss.crypto.X509Certificate; -+import org.mozilla.jss.ssl.SSLAlertDescription; -+import org.mozilla.jss.ssl.SSLAlertEvent; -+import org.mozilla.jss.ssl.SSLHandshakeCompletedEvent; -+import org.mozilla.jss.ssl.SSLSecurityStatus; -+import org.mozilla.jss.ssl.SSLSocket; -+import org.mozilla.jss.ssl.SSLSocketListener; -+import org.slf4j.Logger; -+import org.slf4j.LoggerFactory; -+ -+import com.netscape.certsrv.logging.SignedAuditEvent; -+import com.netscape.certsrv.logging.event.ClientAccessSessionEstablishEvent; -+import com.netscape.certsrv.logging.event.ClientAccessSessionTerminatedEvent; -+import com.netscape.cms.logging.SignedAuditLogger; -+import com.netscape.certsrv.apps.CMS; -+ -+public class PKIClientSocketListener implements SSLSocketListener { -+ -+ private static Logger logger = LoggerFactory.getLogger(PKIClientSocketListener.class); -+ private static SignedAuditLogger signedAuditLogger = SignedAuditLogger.getLogger(); -+ -+ /** -+ * The socketInfos map is a storage for socket information that may not be available -+ * after the socket has been closed such as client IP address and subject ID. The -+ * WeakHashMap is used here to allow the map key (i.e. the socket object) to be -+ * garbage-collected since there is no guarantee that socket will be closed with an -+ * SSL alert for a proper map entry removal. 
-+ */ -+ Map> socketInfos = new WeakHashMap<>(); -+ -+ @Override -+ public void alertReceived(SSLAlertEvent event) { -+ String method = "PKIClientSocketListener.alertReceived: "; -+CMS.debug(method + "begins"); -+ try { -+ SSLSocket socket = event.getSocket(); -+ -+ InetAddress serverAddress = socket.getInetAddress(); -+ InetAddress clientAddress = socket.getLocalAddress(); -+ String clientIP = clientAddress == null ? "" : clientAddress.getHostAddress(); -+ String serverIP = serverAddress == null ? "" : serverAddress.getHostAddress(); -+ String serverPort = Integer.toString(socket.getPort()); -+ -+ SSLSecurityStatus status = socket.getStatus(); -+/* -+ X509Certificate peerCertificate = status.getPeerCertificate(); -+ Principal subjectDN = peerCertificate == null ? null : peerCertificate.getSubjectDN(); -+ String subjectID = subjectDN == null ? "" : subjectDN.toString(); -+*/ -+String subjectID = "SYSTEM"; -+ -+ int description = event.getDescription(); -+ String reason = SSLAlertDescription.valueOf(description).toString(); -+ -+ logger.debug("SSL alert received:"); -+ logger.debug(" - reason: " + reason); -+ logger.debug(" - client: " + clientIP); -+ logger.debug(" - server: " + serverIP); -+ logger.debug(" - subject: " + subjectID); -+ -+ -+ signedAuditLogger.log(ClientAccessSessionTerminatedEvent.createEvent( -+ clientIP, -+ serverIP, -+ serverPort, -+ subjectID, -+ reason)); -+ -+ CMS.debug(method + "CS_CLIENT_ACCESS_SESSION_TERMINATED"); -+CMS.debug(method + "clientIP=" + clientIP + " serverIP=" + serverIP + " serverPort=" + serverPort + " reason=" + reason); -+ -+ } catch (Exception e) { -+ logger.error(e.getMessage(), e); -+ } -+ } -+ -+ @Override -+ public void alertSent(SSLAlertEvent event) { -+ String method = "PKIClientSocketListener.alertSent: "; -+CMS.debug(method + "begins"); -+ try { -+ SSLSocket socket = event.getSocket(); -+ -+ int description = event.getDescription(); -+CMS.debug(method + "got description:"+ description); -+ String reason = 
SSLAlertDescription.valueOf(description).toString(); -+CMS.debug(method + "got reason:"+ reason); -+ -+ SignedAuditEvent auditEvent; -+ String clientIP; -+ String serverIP; -+ String serverPort; -+ String subjectID; -+ -+ if (description == SSLAlertDescription.CLOSE_NOTIFY.getID()) { -+ -+ // get socket info from socketInfos map since socket has been closed -+ Map info = socketInfos.get(socket); -+ clientIP = (String)info.get("clientIP"); -+ serverIP = (String)info.get("serverIP"); -+ serverPort = (String)info.get("serverPort"); -+ subjectID = (String)info.get("subjectID"); -+ -+ auditEvent = ClientAccessSessionTerminatedEvent.createEvent( -+ clientIP, -+ serverIP, -+ serverPort, -+ subjectID, -+ reason); -+ -+ CMS.debug(method + "CS_CLIENT_ACCESS_SESSION_TERMINATED"); -+ CMS.debug(method + "clientIP=" + clientIP + " serverIP=" + serverIP+ " serverPort=" + serverPort + " reason=" + reason); -+ -+ } else { -+ -+ // get socket info from the socket itself -+ InetAddress serverAddress = socket.getInetAddress(); -+ InetAddress clientAddress = socket.getLocalAddress(); -+ -+ clientIP = clientAddress == null ? "" : clientAddress.getHostAddress(); -+ serverIP = serverAddress == null ? "" : serverAddress.getHostAddress(); -+ serverPort = Integer.toString(socket.getPort()); -+ -+ SSLSecurityStatus status = socket.getStatus(); -+/* -+ X509Certificate peerCertificate = status.getPeerCertificate(); -+ Principal subjectDN = peerCertificate == null ? null : peerCertificate.getSubjectDN(); -+ subjectID = subjectDN == null ? 
"" : subjectDN.toString(); -+*/ -+subjectID = "SYSTEM"; -+ -+ auditEvent = ClientAccessSessionEstablishEvent.createFailureEvent( -+ clientIP, -+ serverIP, -+ serverPort, -+ subjectID, -+ reason); -+ -+ } -+ -+ logger.debug("SSL alert sent:"); -+ logger.debug(" - reason: " + reason); -+ logger.debug(" - client: " + clientIP); -+ logger.debug(" - server: " + serverIP); -+ logger.debug(" - subject: " + subjectID); -+ -+ signedAuditLogger.log(auditEvent); -+ -+ CMS.debug(method + "CS_CLIENT_ACCESS_SESSION_ESTABLISH_FAILURE"); -+CMS.debug(method + "clientIP=" + clientIP + " serverIP=" + serverIP + " serverPort=" + serverPort + " reason=" + reason); -+ -+ } catch (Exception e) { -+ logger.error(e.getMessage(), e); -+ } -+ } -+ -+ @Override -+ public void handshakeCompleted(SSLHandshakeCompletedEvent event) { -+ String method = "PKIClientSocketListener.handshakeCompleted: "; -+CMS.debug(method + "begins"); -+ try { -+ SSLSocket socket = event.getSocket(); -+ -+ InetAddress serverAddress = socket.getInetAddress(); -+ InetAddress clientAddress = socket.getLocalAddress(); -+ String serverIP = serverAddress == null ? "" : serverAddress.getHostAddress(); -+ String clientIP = clientAddress == null ? "" : clientAddress.getHostAddress(); -+ String serverPort = Integer.toString(socket.getPort()); -+ -+ SSLSecurityStatus status = socket.getStatus(); -+/* -+ X509Certificate peerCertificate = status.getPeerCertificate(); -+ Principal subjectDN = peerCertificate == null ? null : peerCertificate.getSubjectDN(); -+ String subjectID = subjectDN == null ? 
"" : subjectDN.toString(); -+*/ -+String subjectID = "SYSTEM"; -+ -+ logger.debug("Handshake completed:"); -+ logger.debug(" - client: " + clientIP); -+ logger.debug(" - server: " + serverIP); -+ logger.debug(" - subject: " + subjectID); -+ -+ // store socket info in socketInfos map -+ Map info = new HashMap<>(); -+ info.put("clientIP", clientIP); -+ info.put("serverIP", serverIP); -+ info.put("serverPort", serverPort); -+ info.put("subjectID", subjectID); -+ socketInfos.put(socket, info); -+ -+ signedAuditLogger.log(ClientAccessSessionEstablishEvent.createSuccessEvent( -+ clientIP, -+ serverIP, -+ serverPort, -+ subjectID)); -+ -+ CMS.debug(method + "CS_CLIENT_ACCESS_SESSION_ESTABLISH_SUCCESS"); -+CMS.debug(method + "clientIP=" + clientIP + " serverIP=" + serverIP + " serverPort=" + serverPort); -+ -+ } catch (Exception e) { -+ logger.error(e.getMessage(), e); -+ } -+ } -+} -diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties -index d534506..a8a8deb 100644 ---- a/base/server/cmsbundle/src/LogMessages.properties -+++ b/base/server/cmsbundle/src/LogMessages.properties -@@ -2775,6 +2775,26 @@ LOGGING_SIGNED_AUDIT_ACCESS_SESSION_ESTABLISH_SUCCESS=\ - LOGGING_SIGNED_AUDIT_ACCESS_SESSION_TERMINATED=\ - :[AuditEvent=ACCESS_SESSION_TERMINATED]{0} access session terminated - -+# -+# LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_ESTABLISH_FAILURE -+# access session failed to establish when Certificate System acts as client -+# -+LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_ESTABLISH_FAILURE=\ -+:[AuditEvent=CLIENT_ACCESS_SESSION_ESTABLISH]{0} access session failed to establish when Certificate System acts as client -+# -+# LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_ESTABLISH_SUCCESS -+# - used when access session was established successfully when -+# Certificate System acts as client -+# -+LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_ESTABLISH_SUCCESS=\ -+:[AuditEvent=CLIENT_ACCESS_SESSION_ESTABLISH]{0} access session 
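Review bot: In `alertSent`, the CLOSE_NOTIFY branch dereferences `socketInfos.get(socket)` with no null check, so a socket whose `handshakeCompleted` never fired (failed handshake, or the listener attached after the handshake) throws an NPE that the outer `catch (Exception e)` only logs, and no CLIENT_ACCESS_SESSION_TERMINATED audit record is written for that session; guard it with `if (info == null) { /* fall back to socket-derived values */ }` and reuse the `socket.getInetAddress()` / `getLocalAddress()` path of the else branch rather than returning. The peer-certificate lookup is commented out in all three callbacks and `subjectID` is hard-coded to `"SYSTEM"`, so the signed audit trail loses the identity the remote end presented; either restore `status.getPeerCertificate()` or add a comment stating why the subject is deliberately fixed. `socketInfos` is a plain `WeakHashMap` shared by every socket created from one factory and written from JSS callback threads, so it should be `Collections.synchronizedMap(new WeakHashMap<>())`. The trailing `CMS.debug(method + "CS_CLIENT_ACCESS_SESSION_ESTABLISH_FAILURE")` also runs on the CLOSE_NOTIFY path, where the event just logged was a termination, so the debug line misreports the event type.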
establish successfully when Certificate System acts as client -+# -+# LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_TERMINATED -+# - used when access session was terminated when Certificate System acts as client -+# -+LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_TERMINATED=\ -+:[AuditEvent=CLIENT_ACCESS_SESSION_TERMINATED]{0} access session terminated when Certificate System acts as client -+ - - ########################### - #Unselectable signedAudit Events -diff --git a/base/server/cmscore/src/com/netscape/cmscore/connector/HttpConnFactory.java b/base/server/cmscore/src/com/netscape/cmscore/connector/HttpConnFactory.java -index 47f5e61..e4f92b4 100644 ---- a/base/server/cmscore/src/com/netscape/cmscore/connector/HttpConnFactory.java -+++ b/base/server/cmscore/src/com/netscape/cmscore/connector/HttpConnFactory.java -@@ -27,6 +27,8 @@ import com.netscape.certsrv.logging.ILogger; - import com.netscape.cmsutil.http.JssSSLSocketFactory; - import com.netscape.cmsutil.net.ISocketFactory; - -+import org.dogtagpki.server.PKIClientSocketListener; -+ - /** - * Factory for getting HTTP Connections to a HTTPO server - */ -@@ -127,6 +129,10 @@ public class HttpConnFactory { - - try { - ISocketFactory tFactory = new JssSSLSocketFactory(mNickname, mClientCiphers); -+ PKIClientSocketListener sockListener = new PKIClientSocketListener() -+; -+ JssSSLSocketFactory factory = (JssSSLSocketFactory) tFactory; -+ factory.addSocketListener(sockListener); - - if (mTimeout == 0) { - retConn = CMS.getHttpConnection(mDest, tFactory); -diff --git a/base/server/cmscore/src/com/netscape/cmscore/connector/HttpConnection.java b/base/server/cmscore/src/com/netscape/cmscore/connector/HttpConnection.java -index fbd3268..649fa80 100644 ---- a/base/server/cmscore/src/com/netscape/cmscore/connector/HttpConnection.java -+++ b/base/server/cmscore/src/com/netscape/cmscore/connector/HttpConnection.java -@@ -18,7 +18,10 @@ - package com.netscape.cmscore.connector; - - import java.io.IOException; -+import 
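Review bot: The new wiring in `HttpConnFactory` declares `tFactory` as `ISocketFactory` and then immediately downcasts it to `JssSSLSocketFactory` to call `addSocketListener`, and the listener construction is split across two lines with a bare `;` on its own line. Declaring the concrete type removes the cast and the split: `JssSSLSocketFactory tFactory = new JssSSLSocketFactory(mNickname, mClientCiphers);` followed by `tFactory.addSocketListener(new PKIClientSocketListener());`. The enclosing method continues outside the hunk.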
java.lang.Integer; - import java.net.InetSocketAddress; -+import java.net.InetAddress; -+import java.net.UnknownHostException; - import java.util.ArrayList; - import java.util.List; - -@@ -28,14 +31,24 @@ import com.netscape.certsrv.connector.IHttpConnection; - import com.netscape.certsrv.connector.IPKIMessage; - import com.netscape.certsrv.connector.IRemoteAuthority; - import com.netscape.certsrv.connector.IRequestEncoder; -+import com.netscape.certsrv.logging.event.ClientAccessSessionEstablishEvent; -+import com.netscape.certsrv.logging.SignedAuditEvent; -+import com.netscape.cms.logging.SignedAuditLogger; - import com.netscape.cmscore.util.Debug; - import com.netscape.cmsutil.http.HttpClient; - import com.netscape.cmsutil.http.HttpRequest; - import com.netscape.cmsutil.http.HttpResponse; - import com.netscape.cmsutil.net.ISocketFactory; - -+import org.dogtagpki.server.PKIClientSocketListener; -+import org.slf4j.Logger; -+import org.slf4j.LoggerFactory; -+ - public class HttpConnection implements IHttpConnection { - -+ private static Logger logger = LoggerFactory.getLogger(PKIClientSocketListener.class); -+ private static SignedAuditLogger signedAuditLogger = SignedAuditLogger.getLogger(); -+ - protected IRemoteAuthority mDest = null; - protected HttpRequest mHttpreq = new HttpRequest(); - protected IRequestEncoder mReqEncoder = null; -@@ -43,12 +56,18 @@ public class HttpConnection implements IHttpConnection { - - int timeout = 0; - List targets; -+ String localIP = "localhost"; - - public HttpConnection(IRemoteAuthority dest, ISocketFactory factory, - int timeout // seconds - ) { - - CMS.debug("HttpConnection: Creating HttpConnection with timeout=" + timeout); -+ try { -+ localIP = InetAddress.getLocalHost().getHostAddress(); -+ } catch (UnknownHostException e) { -+ // default to "localhost"; -+ } - - mDest = dest; - mReqEncoder = new HttpRequestEncoder(); -@@ -118,6 +137,7 @@ public class HttpConnection implements IHttpConnection { - void connect() throws 
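Review bot: The new `logger` field in `HttpConnection` is created with `LoggerFactory.getLogger(PKIClientSocketListener.class)`, so any message it emits would be attributed to the wrong class, and as far as the visible hunks show it is never used. Either change it to `LoggerFactory.getLogger(HttpConnection.class)` or drop the field and the two slf4j imports. The constructor's `InetAddress.getLocalHost()` lookup can also block on reverse DNS and silently falls back to the literal `"localhost"`, which then appears as the client IP in audit records; a short comment such as `// best-effort local address for audit records only; may not be the interface used for the connection` would make that limitation explicit.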
IOException { - - IOException exception = null; -+ SignedAuditEvent auditEvent; - - // try all targets - for (InetSocketAddress target : targets) { -@@ -136,6 +156,14 @@ public class HttpConnection implements IHttpConnection { - } catch (IOException e) { - exception = e; - CMS.debug("HttpConnection: Unable to connect to " + hostname + ":" + port + ": " + e); -+ auditEvent = ClientAccessSessionEstablishEvent.createFailureEvent( -+ localIP, -+ hostname, -+ Integer.toString(port), -+ "SYSTEM", -+ "connect:" +e.toString()); -+ signedAuditLogger.log(auditEvent); -+ - // try the next target immediately - } - } -@@ -229,6 +257,13 @@ public class HttpConnection implements IHttpConnection { - - HttpResponse resp = null; - boolean reconnected = false; -+ SignedAuditEvent auditEvent; -+ String localIP = "localhost"; -+ try { -+ localIP = InetAddress.getLocalHost().getHostAddress(); -+ } catch (UnknownHostException e) { -+ // default to "localhost"; -+ } - - if (getRequestURI() == null) { - throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", "URI not set in HttpRequest")); -@@ -266,6 +301,13 @@ public class HttpConnection implements IHttpConnection { - resp = mHttpClient.send(mHttpreq); - - } catch (IOException e) { -+ auditEvent = ClientAccessSessionEstablishEvent.createFailureEvent( -+ localIP, -+ mHttpClient.getHost(), -+ mHttpClient.getPort(), -+ "SYSTEM", -+ "send:" +e.toString()); -+ signedAuditLogger.log(auditEvent); - - CMS.debug(e); - -diff --git a/base/server/cmscore/src/com/netscape/cmscore/connector/HttpConnector.java b/base/server/cmscore/src/com/netscape/cmscore/connector/HttpConnector.java -index 398becc..0588bf4 100644 ---- a/base/server/cmscore/src/com/netscape/cmscore/connector/HttpConnector.java -+++ b/base/server/cmscore/src/com/netscape/cmscore/connector/HttpConnector.java -@@ -35,6 +35,8 @@ import com.netscape.cmsutil.http.HttpResponse; - import com.netscape.cmsutil.http.JssSSLSocketFactory; - import 
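Review bot: In the `send` hunk the new local `String localIP = "localhost"` shadows the `localIP` field that the constructor already populates, and repeats the `InetAddress.getLocalHost()` lookup (a potential DNS round-trip) on every send. Delete the local declaration and its try/catch and let the failure audit event use the field, i.e. `ClientAccessSessionEstablishEvent.createFailureEvent(localIP, mHttpClient.getHost(), mHttpClient.getPort(), "SYSTEM", "send:" + e.toString())` with `localIP` resolving to the field. The enclosing `send` method starts and ends outside the hunk.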
com.netscape.cmsutil.net.ISocketFactory; - -+import org.dogtagpki.server.PKIClientSocketListener; -+ - public class HttpConnector implements IConnector { - protected IAuthority mSource = null; - protected IRemoteAuthority mDest = null; -@@ -55,8 +57,12 @@ public class HttpConnector implements IConnector { - mTimeout = 0; - mSource = source; - mDest = dest; -+ PKIClientSocketListener sockListener = new PKIClientSocketListener(); - mFactory = new JssSSLSocketFactory(nickName, clientCiphers); - -+ JssSSLSocketFactory factory = (JssSSLSocketFactory)mFactory; -+ factory.addSocketListener(sockListener); -+ - int minConns = config.getInteger("minHttpConns", 1); - int maxConns = config.getInteger("maxHttpConns", 15); - -@@ -82,8 +88,12 @@ public class HttpConnector implements IConnector { - mSource = source; - mDest = dest; - mTimeout = timeout; -+ PKIClientSocketListener sockListener = new PKIClientSocketListener(); - mFactory = new JssSSLSocketFactory(nickName, clientCiphers); - -+ JssSSLSocketFactory factory = (JssSSLSocketFactory) mFactory; -+ factory.addSocketListener(sockListener); -+ - int minConns = config.getInteger("minHttpConns", 1); - int maxConns = config.getInteger("maxHttpConns", 15); - -diff --git a/base/server/cmscore/src/com/netscape/cmscore/connector/Resender.java b/base/server/cmscore/src/com/netscape/cmscore/connector/Resender.java -index e6d9ced..cc73077 100644 ---- a/base/server/cmscore/src/com/netscape/cmscore/connector/Resender.java -+++ b/base/server/cmscore/src/com/netscape/cmscore/connector/Resender.java -@@ -39,6 +39,8 @@ import com.netscape.certsrv.request.RequestStatus; - import com.netscape.cmscore.util.Debug; - import com.netscape.cmsutil.http.JssSSLSocketFactory; - -+import org.dogtagpki.server.PKIClientSocketListener; -+ - /** - * Resend requests at intervals to the server to check if it's been completed. - * Default interval is 5 minutes. -@@ -127,7 +129,11 @@ public class Resender implements IResender { - - if (! 
connected) { - CMS.debug("Connecting ..."); -- mConn = new HttpConnection(mDest, new JssSSLSocketFactory(mNickName, mClientCiphers)); -+ PKIClientSocketListener sockListener = new PKIClientSocketListener(); -+ JssSSLSocketFactory factory = new JssSSLSocketFactory(mNickName, mClientCiphers); -+ factory.addSocketListener(sockListener); -+ -+ mConn = new HttpConnection(mDest, factory); - initRequests(); - connected = true; - } -diff --git a/base/server/cmscore/src/com/netscape/cmscore/ldapconn/PKISocketFactory.java b/base/server/cmscore/src/com/netscape/cmscore/ldapconn/PKISocketFactory.java -index d0c23ed..e9f28c9 100644 ---- a/base/server/cmscore/src/com/netscape/cmscore/ldapconn/PKISocketFactory.java -+++ b/base/server/cmscore/src/com/netscape/cmscore/ldapconn/PKISocketFactory.java -@@ -35,6 +35,8 @@ import com.netscape.certsrv.base.IConfigStore; - import netscape.ldap.LDAPException; - import netscape.ldap.LDAPSSLSocketFactoryExt; - -+import org.dogtagpki.server.PKIClientSocketListener; -+ - /** - * Uses HCL ssl socket. 
- * -@@ -46,6 +48,7 @@ public class PKISocketFactory implements LDAPSSLSocketFactoryExt { - private String mClientAuthCertNickname; - private boolean mClientAuth; - private boolean keepAlive; -+ PKIClientSocketListener sockListener = null; - - public PKISocketFactory() { - init(); -@@ -67,6 +70,7 @@ public class PKISocketFactory implements LDAPSSLSocketFactoryExt { - IConfigStore cs = CMS.getConfigStore(); - keepAlive = cs.getBoolean("tcp.keepAlive", true); - CMS.debug("TCP Keep-Alive: " + keepAlive); -+ sockListener = new PKIClientSocketListener(); - - } catch (Exception e) { - CMS.debug(e); -@@ -75,6 +79,8 @@ public class PKISocketFactory implements LDAPSSLSocketFactoryExt { - } - - public SSLSocket makeSSLSocket(String host, int port) throws UnknownHostException, IOException { -+ String method = "ldapconn/PKISocketFactory.makeSSLSocket: "; -+ CMS.debug(method + "begins"); - - /* - * let inherit TLS range and cipher settings -@@ -100,6 +106,8 @@ public class PKISocketFactory implements LDAPSSLSocketFactoryExt { - s.setUseClientMode(true); - s.enableV2CompatibleHello(false); - -+ s.addSocketListener(sockListener); -+ - SSLHandshakeCompletedListener listener = null; - - listener = new ClientHandshakeCB(this); -@@ -119,7 +127,6 @@ public class PKISocketFactory implements LDAPSSLSocketFactoryExt { - } - - public Socket makeSocket(String host, int port) throws LDAPException { -- - Socket s = null; - - try { -diff --git a/base/tks/shared/conf/CS.cfg b/base/tks/shared/conf/CS.cfg -index e9bf03e..60a3355 100644 ---- a/base/tks/shared/conf/CS.cfg -+++ b/base/tks/shared/conf/CS.cfg -@@ -208,11 +208,11 @@ log.instance.SignedAudit._001=## Signed Audit Logging - log.instance.SignedAudit._002=## - log.instance.SignedAudit._003=## - log.instance.SignedAudit._004=## Available Audit events: --log.instance.SignedAudit._005=## 
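Review bot: `makeSSLSocket` calls `s.addSocketListener(sockListener)` unconditionally, but `sockListener` is only assigned inside the `try` block of `init()` after the `tcp.keepAlive` config read; if that read throws, the field stays `null` and every socket gets a null listener registered (how JSS treats a null listener is not visible here). Guard the call with `if (sockListener != null) { s.addSocketListener(sockListener); }` and, in `init()`, construct the listener before the config read so a config failure cannot disable client-side session auditing. `makeSSLSocket` continues outside the hunk.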
AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ,INTER_BOUNDARY,AUTH,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,RANDOM_GENERATION -+log.instance.SignedAudit._005=## 
AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ,INTER_BOUNDARY,AUTH,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CLIENT_ACCESS_SESSION_ESTABLISH,CLIENT_ACCESS_SESSION_TERMINATED,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,RANDOM_GENERATION - log.instance.SignedAudit._006=## - log.instance.SignedAudit.bufferSize=512 - log.instance.SignedAudit.enable=true 
--log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CONFIG_AUTH,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,LOG_PATH_CHANGE,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,CONFIG_ACL -+log.instance.SignedAudit.events=CLIENT_ACCESS_SESSION_ESTABLISH,CLIENT_ACCESS_SESSION_TERMINATED,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CONFIG_AUTH,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,LOG_PATH_CHANGE,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,CONFIG_ACL - log.instance.SignedAudit.filters.RANDOM_GENERATION=(Outcome=Failure) - log.instance.SignedAudit.filters.SELFTESTS_EXECUTION=(Outcome=Failure) - log.instance.SignedAudit.expirationTime=0 -diff --git a/base/util/src/com/netscape/cmsutil/http/HttpClient.java b/base/util/src/com/netscape/cmsutil/http/HttpClient.java -index db042a7..2204e19 100644 ---- a/base/util/src/com/netscape/cmsutil/http/HttpClient.java -+++ b/base/util/src/com/netscape/cmsutil/http/HttpClient.java -@@ -46,6 +46,9 @@ public class HttpClient { - protected BufferedReader mBufferedReader = null; - protected SSLCertificateApprovalCallback mCertApprovalCallback = null; - protected boolean mConnected = false; -+ // for auditing purposes -+ protected String mHost; -+ protected String mPort; - - public HttpClient() { - } -@@ -63,6 +66,9 @@ public class HttpClient { - int timeout // milliseconds - ) throws IOException { - -+ mHost = host; -+ mPort = Integer.toString(port); -+ - if (mFactory != null) { - if (mCertApprovalCallback == null) { - mSocket = mFactory.makeSocket(host, port, timeout); -@@ -149,6 +155,14 @@ public class HttpClient { - return mSocket; - } - -+ public String getHost() { -+ return mHost; -+ } -+ -+ public String getPort() { -+ return mPort; -+ } -+ - /** - * unit test - */ -diff --git a/base/util/src/com/netscape/cmsutil/http/JssSSLSocketFactory.java 
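Review bot: `mHost` and `mPort` are only assigned inside `connect()`, so `getHost()` and `getPort()` return `null` on an `HttpClient` that has not connected yet, and the callers added in `HttpConnection` feed those values straight into a signed audit record. Document the contract on the accessors, e.g. `/** Host passed to the last connect() call, or null before connect(); for audit use only. */`, or initialize both fields to `""` so the audit record never carries a null field. The surrounding class body lies outside the hunks.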
b/base/util/src/com/netscape/cmsutil/http/JssSSLSocketFactory.java -index eaed821..0d176ad 100644 ---- a/base/util/src/com/netscape/cmsutil/http/JssSSLSocketFactory.java -+++ b/base/util/src/com/netscape/cmsutil/http/JssSSLSocketFactory.java -@@ -27,6 +27,7 @@ import org.mozilla.jss.ssl.SSLClientCertificateSelectionCallback; - import org.mozilla.jss.ssl.SSLHandshakeCompletedEvent; - import org.mozilla.jss.ssl.SSLHandshakeCompletedListener; - import org.mozilla.jss.ssl.SSLSocket; -+import org.mozilla.jss.ssl.SSLSocketListener; - - import com.netscape.cmsutil.net.ISocketFactory; - import com.netscape.cmsutil.crypto.CryptoUtil; -@@ -40,6 +41,7 @@ public class JssSSLSocketFactory implements ISocketFactory { - private String mClientAuthCertNickname = null; - private String mClientCiphers = null; - private SSLSocket s = null; -+ private SSLSocketListener sockListener = null; - - public JssSSLSocketFactory() { - } -@@ -83,6 +85,8 @@ public class JssSSLSocketFactory implements ISocketFactory { - - listener = new ClientHandshakeCB(this); - s.addHandshakeCompletedListener(listener); -+ if (this.sockListener != null) -+ s.addSocketListener(this.sockListener); - - if (mClientAuthCertNickname != null) { - // 052799 setClientCertNickname does not -@@ -131,6 +135,10 @@ public class JssSSLSocketFactory implements ISocketFactory { - return s; - } - -+ public void addSocketListener(SSLSocketListener sl) { -+ this.sockListener = sl; -+ } -+ - public void log(int level, String msg) { - } - --- -1.8.3.1 - - -From 44030bf381dc868e64c0e80d112bce72a626e8fb Mon Sep 17 00:00:00 2001 -From: Christina Fu -Date: Fri, 31 Aug 2018 08:52:22 -0700 -Subject: [PATCH 09/19] Ticket2960 add SHA384 ciphers and cleanup profiles - -Note: this is a 2nd attempt as the first attempt was reverted due to -"breakage" of post-checkin-enablement of the IPA CI, which is -speculated to have used a server cert as a client cert which violated -one of the very essence of the "profile cleanup" part of the original 
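Review bot: `addSocketListener` in `JssSSLSocketFactory` overwrites the single `sockListener` field, so the name promises accumulation that the implementation does not provide; a second caller silently discards the first listener. Either keep a `List<SSLSocketListener>` and register each one in `makeSocket`, or name the method `setSocketListener` and document in its Javadoc that only the last listener registered is attached to sockets created afterwards. The guarded call in `makeSocket` should also be braced: `if (this.sockListener != null) { s.addSocketListener(this.sockListener); }`. `makeSocket` starts and ends outside the hunk.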
-patch; As a compromise, the clientAuth bit was added back to all -non-CMC *server* profiles so the patch will pass the IPA CI. -The revised patch has been adquately tested in addition to passing -the IPA CI. - -This patch adds SHA384 ciphers to the cipher lists (RSA & EC) - -CryptoUtil.java contains changes to clientECCiphers: - - RSA ciphers comemented out - - SHA384 ciphers are added but RSA ones commented out - -Also added SHA384withRSA to ca.profiles.defaultSigningAlgsAllowed. - -In addition, a few cleanups are done: -- all MD2, MD5 from allowed signing key algs from profiles -- server profiles: - * removed clientAuth oid 1.3.6.1.5.5.7.3.2 from cmc server profiles - * fixed a couple KU's (RSA vs EC) that had true/false flipped -- caCMCkraStorageCert.cfg - * removed EKU (funny it had clientAuth) -- caCMCkraTransportCert.cfg - * removed EKU (funny it had clientAuth) -- base/ca/shared/conf/eccServerCert.profile - * added the missing CommonNameToSANDefault - -Tested with the following: -- installation of an RSA CA and a KRA (strip down to only SHA384 ciphers) - * performed successful agent access - * tested key archival -- installation of an EC CA (strip down to only SHA384 ciphers) - * performed successful agent access - * tested an agent-signed CMC request and submitted/issued successfully - using HttpClient - -The above tests showed: -- The SHA384 ciphers work out of box -- The TLS server and client profiles changes did not break any TLS connections. -- The KRA storage and transport profile changes did not break anything. 
- -fixes https://pagure.io/dogtagpki/issue/2960 - -Change-Id: Ia41dfbcec972cb18752b50056f29edf61cb3ce61 -(cherry picked from commit 97e290663f29d5b2c5afab18e4a7c90af05c874c) ---- - base/ca/shared/conf/CS.cfg | 2 +- - base/ca/shared/conf/eccAdminCert.profile | 2 +- - base/ca/shared/conf/eccServerCert.profile | 4 +++- - base/ca/shared/conf/rsaAdminCert.profile | 2 +- - base/ca/shared/profiles/ca/AdminCert.cfg | 6 +++--- - base/ca/shared/profiles/ca/ECAdminCert.cfg | 4 ++-- - base/ca/shared/profiles/ca/caAdminCert.cfg | 4 ++-- - base/ca/shared/profiles/ca/caAgentFileSigning.cfg | 2 +- - base/ca/shared/profiles/ca/caCMCECUserCert.cfg | 4 ++-- - base/ca/shared/profiles/ca/caCMCECserverCert.cfg | 2 +- - base/ca/shared/profiles/ca/caCMCUserCert.cfg | 4 ++-- - base/ca/shared/profiles/ca/caCMCkraStorageCert.cfg | 8 +------- - base/ca/shared/profiles/ca/caCMCkraTransportCert.cfg | 8 +------- - base/ca/shared/profiles/ca/caCMCserverCert.cfg | 2 +- - base/ca/shared/profiles/ca/caCrossSignedCACert.cfg | 2 +- - base/ca/shared/profiles/ca/caDirBasedDualCert.cfg | 8 ++++---- - base/ca/shared/profiles/ca/caDirPinUserCert.cfg | 2 +- - base/ca/shared/profiles/ca/caDirUserCert.cfg | 2 +- - base/ca/shared/profiles/ca/caDualCert.cfg | 6 +++--- - base/ca/shared/profiles/ca/caDualRAuserCert.cfg | 2 +- - base/ca/shared/profiles/ca/caECAdminCert.cfg | 4 ++-- - base/ca/shared/profiles/ca/caECDirPinUserCert.cfg | 4 ++-- - base/ca/shared/profiles/ca/caECDirUserCert.cfg | 4 ++-- - base/ca/shared/profiles/ca/caECDualCert.cfg | 3 +-- - base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg | 4 ++-- - base/ca/shared/profiles/ca/caECFullCMCUserCert.cfg | 4 ++-- - base/ca/shared/profiles/ca/caECFullCMCUserSignedCert.cfg | 4 ++-- - base/ca/shared/profiles/ca/caECInternalAuthServerCert.cfg | 2 +- - base/ca/shared/profiles/ca/caECSimpleCMCUserCert.cfg | 4 ++-- - base/ca/shared/profiles/ca/caECUserCert.cfg | 4 ++-- - base/ca/shared/profiles/ca/caEncUserCert.cfg | 2 +- - 
base/ca/shared/profiles/ca/caIPAserviceCert.cfg | 2 +- - base/ca/shared/profiles/ca/caInstallCACert.cfg | 2 +- - base/ca/shared/profiles/ca/caInternalAuthDRMstorageCert.cfg | 2 +- - base/ca/shared/profiles/ca/caInternalAuthOCSPCert.cfg | 2 +- - base/ca/shared/profiles/ca/caInternalAuthServerCert.cfg | 2 +- - base/ca/shared/profiles/ca/caInternalAuthTransportCert.cfg | 2 +- - base/ca/shared/profiles/ca/caJarSigningCert.cfg | 2 +- - base/ca/shared/profiles/ca/caOtherCert.cfg | 2 +- - base/ca/shared/profiles/ca/caRACert.cfg | 2 +- - base/ca/shared/profiles/ca/caRARouterCert.cfg | 2 +- - base/ca/shared/profiles/ca/caRAagentCert.cfg | 2 +- - base/ca/shared/profiles/ca/caRAserverCert.cfg | 12 ++++++++---- - base/ca/shared/profiles/ca/caRouterCert.cfg | 2 +- - base/ca/shared/profiles/ca/caSigningUserCert.cfg | 2 +- - base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg | 4 ++-- - base/ca/shared/profiles/ca/caStorageCert.cfg | 10 ++-------- - base/ca/shared/profiles/ca/caTPSCert.cfg | 2 +- - base/ca/shared/profiles/ca/caUUIDdeviceCert.cfg | 2 +- - base/ca/shared/profiles/ca/caUserCert.cfg | 2 +- - base/ca/shared/profiles/ca/caUserSMIMEcapCert.cfg | 2 +- - .../netscape/cms/profile/common/CACertCAEnrollProfile.java | 2 +- - .../src/com/netscape/cms/profile/def/SigningAlgDefault.java | 2 +- - base/server/python/pki/server/deployment/pkiparser.py | 10 ++++++++-- - base/server/share/conf/ciphers.info | 4 ++-- - base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java | 12 ++++++++++-- - 56 files changed, 103 insertions(+), 102 deletions(-) - -diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg -index 6b39b0a..4cef240 100644 ---- a/base/ca/shared/conf/CS.cfg -+++ b/base/ca/shared/conf/CS.cfg -@@ -666,7 +666,7 @@ ca.notification.requestInQ.senderEmail= - ca.ocsp_signing.cacertnickname=ocspSigningCert cert-[PKI_INSTANCE_NAME] - ca.ocsp_signing.defaultSigningAlgorithm=SHA256withRSA - ca.ocsp_signing.tokenname=internal 
--ca.profiles.defaultSigningAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withEC,SHA512withEC -+ca.profiles.defaultSigningAlgsAllowed=SHA256withRSA,SHA384withRSA,SHA512withRSA,SHA256withEC,SHA384withEC,SHA512withEC - ca.publish.createOwnDNEntry=false - ca.publish.queue.enable=true - ca.publish.queue.maxNumberOfThreads=3 -diff --git a/base/ca/shared/conf/eccAdminCert.profile b/base/ca/shared/conf/eccAdminCert.profile -index 46d157a..219944a 100644 ---- a/base/ca/shared/conf/eccAdminCert.profile -+++ b/base/ca/shared/conf/eccAdminCert.profile -@@ -26,7 +26,7 @@ list=2,4,5,6,7 - 6.default.params.keyUsageCritical=true - 6.default.params.keyUsageDigitalSignature=true - 6.default.params.keyUsageNonRepudiation=true --6.default.params.keyUsageDataEncipherment=true -+6.default.params.keyUsageDataEncipherment=false - 6.default.params.keyUsageKeyEncipherment=false - 6.default.params.keyUsageKeyAgreement=true - 6.default.params.keyUsageKeyCertSign=false -diff --git a/base/ca/shared/conf/eccServerCert.profile b/base/ca/shared/conf/eccServerCert.profile -index 8c679f7..d990e77 100644 ---- a/base/ca/shared/conf/eccServerCert.profile -+++ b/base/ca/shared/conf/eccServerCert.profile -@@ -6,7 +6,7 @@ name=All Purpose SSL server cert with ECC keys Profile - description=This profile creates an SSL server certificate with ECC keys that is valid for SSL servers - profileIDMapping=caECServerCert - profileSetIDMapping=serverCertSet --list=2,4,5,6,7 -+list=2,4,5,6,7,8 - 2.default.class=com.netscape.cms.profile.def.ValidityDefault - 2.default.name=Validity Default - 2.default.params.range=720 -@@ -37,3 +37,5 @@ list=2,4,5,6,7 - 7.default.name=Extended Key Usage Extension Default - 7.default.params.exKeyUsageCritical=false - 7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1 -+8.default.class=com.netscape.cms.profile.def.CommonNameToSANDefault -+8.default.name=copy CN to SAN Default -diff --git a/base/ca/shared/conf/rsaAdminCert.profile b/base/ca/shared/conf/rsaAdminCert.profile 
-index 5e84d74..7b3668c 100644
---- a/base/ca/shared/conf/rsaAdminCert.profile
-+++ b/base/ca/shared/conf/rsaAdminCert.profile
-@@ -26,7 +26,7 @@ list=2,4,5,6,7
- 6.default.params.keyUsageCritical=true
- 6.default.params.keyUsageDigitalSignature=true
- 6.default.params.keyUsageNonRepudiation=true
--6.default.params.keyUsageDataEncipherment=true
-+6.default.params.keyUsageDataEncipherment=false
- 6.default.params.keyUsageKeyEncipherment=true
- 6.default.params.keyUsageKeyAgreement=false
- 6.default.params.keyUsageKeyCertSign=false
-diff --git a/base/ca/shared/profiles/ca/AdminCert.cfg b/base/ca/shared/profiles/ca/AdminCert.cfg
-index 7879614..18cbc2f 100644
---- a/base/ca/shared/profiles/ca/AdminCert.cfg
-+++ b/base/ca/shared/profiles/ca/AdminCert.cfg
-@@ -53,7 +53,7 @@ policyset.adminCertSet.6.constraint.name=Key Usage Extension Constraint
- policyset.adminCertSet.6.constraint.params.keyUsageCritical=true
- policyset.adminCertSet.6.constraint.params.keyUsageDigitalSignature=true
- policyset.adminCertSet.6.constraint.params.keyUsageNonRepudiation=true
--policyset.adminCertSet.6.constraint.params.keyUsageDataEncipherment=true
-+policyset.adminCertSet.6.constraint.params.keyUsageDataEncipherment=false
- policyset.adminCertSet.6.constraint.params.keyUsageKeyEncipherment=true
- policyset.adminCertSet.6.constraint.params.keyUsageKeyAgreement=false
- policyset.adminCertSet.6.constraint.params.keyUsageKeyCertSign=false
-@@ -65,7 +65,7 @@ policyset.adminCertSet.6.default.name=Key Usage Default
- policyset.adminCertSet.6.default.params.keyUsageCritical=true
- policyset.adminCertSet.6.default.params.keyUsageDigitalSignature=true
- policyset.adminCertSet.6.default.params.keyUsageNonRepudiation=true
--policyset.adminCertSet.6.default.params.keyUsageDataEncipherment=true
-+policyset.adminCertSet.6.default.params.keyUsageDataEncipherment=false
- policyset.adminCertSet.6.default.params.keyUsageKeyEncipherment=true
- 
policyset.adminCertSet.6.default.params.keyUsageKeyAgreement=false
- policyset.adminCertSet.6.default.params.keyUsageKeyCertSign=false
-@@ -80,7 +80,7 @@ policyset.adminCertSet.7.default.params.exKeyUsageCritical=false
- policyset.adminCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
- policyset.adminCertSet.8.constraint.class_id=signingAlgConstraintImpl
- policyset.adminCertSet.8.constraint.name=No Constraint
--policyset.adminCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
-+policyset.adminCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
- policyset.adminCertSet.8.default.class_id=signingAlgDefaultImpl
- policyset.adminCertSet.8.default.name=Signing Alg
- policyset.adminCertSet.8.default.params.signingAlg=-
-diff --git a/base/ca/shared/profiles/ca/ECAdminCert.cfg b/base/ca/shared/profiles/ca/ECAdminCert.cfg
-index e00022e..38562a6 100644
---- a/base/ca/shared/profiles/ca/ECAdminCert.cfg
-+++ b/base/ca/shared/profiles/ca/ECAdminCert.cfg
-@@ -53,7 +53,7 @@ policyset.adminCertSet.6.constraint.name=Key Usage Extension Constraint
- policyset.adminCertSet.6.constraint.params.keyUsageCritical=true
- policyset.adminCertSet.6.constraint.params.keyUsageDigitalSignature=true
- policyset.adminCertSet.6.constraint.params.keyUsageNonRepudiation=true
--policyset.adminCertSet.6.constraint.params.keyUsageDataEncipherment=true
-+policyset.adminCertSet.6.constraint.params.keyUsageDataEncipherment=false
- policyset.adminCertSet.6.constraint.params.keyUsageKeyEncipherment=false
- policyset.adminCertSet.6.constraint.params.keyUsageKeyAgreement=true
- policyset.adminCertSet.6.constraint.params.keyUsageKeyCertSign=false
-@@ -65,7 +65,7 @@ policyset.adminCertSet.6.default.name=Key Usage Default
- 
policyset.adminCertSet.6.default.params.keyUsageCritical=true
- policyset.adminCertSet.6.default.params.keyUsageDigitalSignature=true
- policyset.adminCertSet.6.default.params.keyUsageNonRepudiation=true
--policyset.adminCertSet.6.default.params.keyUsageDataEncipherment=true
-+policyset.adminCertSet.6.default.params.keyUsageDataEncipherment=false
- policyset.adminCertSet.6.default.params.keyUsageKeyEncipherment=false
- policyset.adminCertSet.6.default.params.keyUsageKeyAgreement=true
- policyset.adminCertSet.6.default.params.keyUsageKeyCertSign=false
-diff --git a/base/ca/shared/profiles/ca/caAdminCert.cfg b/base/ca/shared/profiles/ca/caAdminCert.cfg
-index 86a3b11..6598677 100644
---- a/base/ca/shared/profiles/ca/caAdminCert.cfg
-+++ b/base/ca/shared/profiles/ca/caAdminCert.cfg
-@@ -54,7 +54,7 @@ policyset.adminCertSet.6.constraint.name=Key Usage Extension Constraint
- policyset.adminCertSet.6.constraint.params.keyUsageCritical=true
- policyset.adminCertSet.6.constraint.params.keyUsageDigitalSignature=true
- policyset.adminCertSet.6.constraint.params.keyUsageNonRepudiation=true
--policyset.adminCertSet.6.constraint.params.keyUsageDataEncipherment=true
-+policyset.adminCertSet.6.constraint.params.keyUsageDataEncipherment=false
- policyset.adminCertSet.6.constraint.params.keyUsageKeyEncipherment=true
- policyset.adminCertSet.6.constraint.params.keyUsageKeyAgreement=false
- policyset.adminCertSet.6.constraint.params.keyUsageKeyCertSign=false
-@@ -66,7 +66,7 @@ policyset.adminCertSet.6.default.name=Key Usage Default
- policyset.adminCertSet.6.default.params.keyUsageCritical=true
- policyset.adminCertSet.6.default.params.keyUsageDigitalSignature=true
- policyset.adminCertSet.6.default.params.keyUsageNonRepudiation=true
--policyset.adminCertSet.6.default.params.keyUsageDataEncipherment=true
-+policyset.adminCertSet.6.default.params.keyUsageDataEncipherment=false
- policyset.adminCertSet.6.default.params.keyUsageKeyEncipherment=true
- 
policyset.adminCertSet.6.default.params.keyUsageKeyAgreement=false
- policyset.adminCertSet.6.default.params.keyUsageKeyCertSign=false
-diff --git a/base/ca/shared/profiles/ca/caAgentFileSigning.cfg b/base/ca/shared/profiles/ca/caAgentFileSigning.cfg
-index 5608373..cc65afc 100644
---- a/base/ca/shared/profiles/ca/caAgentFileSigning.cfg
-+++ b/base/ca/shared/profiles/ca/caAgentFileSigning.cfg
-@@ -80,7 +80,7 @@ policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
- policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.3
- policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
- policyset.serverCertSet.8.constraint.name=No Constraint
--policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
-+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
- policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
- policyset.serverCertSet.8.default.name=Signing Alg
- policyset.serverCertSet.8.default.params.signingAlg=-
-diff --git a/base/ca/shared/profiles/ca/caCMCECUserCert.cfg b/base/ca/shared/profiles/ca/caCMCECUserCert.cfg
-index b7b4881..226c05c 100644
---- a/base/ca/shared/profiles/ca/caCMCECUserCert.cfg
-+++ b/base/ca/shared/profiles/ca/caCMCECUserCert.cfg
-@@ -52,7 +52,7 @@ policyset.cmcUserCertSet.6.constraint.name=Key Usage Extension Constraint
- policyset.cmcUserCertSet.6.constraint.params.keyUsageCritical=true
- policyset.cmcUserCertSet.6.constraint.params.keyUsageDigitalSignature=true
- policyset.cmcUserCertSet.6.constraint.params.keyUsageNonRepudiation=true
--policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=true
-+policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=false
- 
policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyEncipherment=false
- policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyAgreement=true
- policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyCertSign=false
-@@ -64,7 +64,7 @@ policyset.cmcUserCertSet.6.default.name=Key Usage Default
- policyset.cmcUserCertSet.6.default.params.keyUsageCritical=true
- policyset.cmcUserCertSet.6.default.params.keyUsageDigitalSignature=true
- policyset.cmcUserCertSet.6.default.params.keyUsageNonRepudiation=true
--policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=true
-+policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=false
- policyset.cmcUserCertSet.6.default.params.keyUsageKeyEncipherment=false
- policyset.cmcUserCertSet.6.default.params.keyUsageKeyAgreement=true
- policyset.cmcUserCertSet.6.default.params.keyUsageKeyCertSign=false
-diff --git a/base/ca/shared/profiles/ca/caCMCECserverCert.cfg b/base/ca/shared/profiles/ca/caCMCECserverCert.cfg
-index 53b0c4d..68c59fb 100644
---- a/base/ca/shared/profiles/ca/caCMCECserverCert.cfg
-+++ b/base/ca/shared/profiles/ca/caCMCECserverCert.cfg
-@@ -76,7 +76,7 @@ policyset.serverCertSet.7.constraint.name=No Constraint
- policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
- policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
- policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
--policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
-+policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1
- policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
- policyset.serverCertSet.8.constraint.name=No Constraint
- policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
-diff --git a/base/ca/shared/profiles/ca/caCMCUserCert.cfg b/base/ca/shared/profiles/ca/caCMCUserCert.cfg
-index 
df47758..657b98e 100644
---- a/base/ca/shared/profiles/ca/caCMCUserCert.cfg
-+++ b/base/ca/shared/profiles/ca/caCMCUserCert.cfg
-@@ -52,7 +52,7 @@ policyset.cmcUserCertSet.6.constraint.name=Key Usage Extension Constraint
- policyset.cmcUserCertSet.6.constraint.params.keyUsageCritical=true
- policyset.cmcUserCertSet.6.constraint.params.keyUsageDigitalSignature=true
- policyset.cmcUserCertSet.6.constraint.params.keyUsageNonRepudiation=true
--policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=true
-+policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=false
- policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyEncipherment=true
- policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyAgreement=false
- policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyCertSign=false
-@@ -64,7 +64,7 @@ policyset.cmcUserCertSet.6.default.name=Key Usage Default
- policyset.cmcUserCertSet.6.default.params.keyUsageCritical=true
- policyset.cmcUserCertSet.6.default.params.keyUsageDigitalSignature=true
- policyset.cmcUserCertSet.6.default.params.keyUsageNonRepudiation=true
--policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=true
-+policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=false
- policyset.cmcUserCertSet.6.default.params.keyUsageKeyEncipherment=true
- policyset.cmcUserCertSet.6.default.params.keyUsageKeyAgreement=false
- policyset.cmcUserCertSet.6.default.params.keyUsageKeyCertSign=false
-diff --git a/base/ca/shared/profiles/ca/caCMCkraStorageCert.cfg b/base/ca/shared/profiles/ca/caCMCkraStorageCert.cfg
-index 1c2630d..908f584 100644
---- a/base/ca/shared/profiles/ca/caCMCkraStorageCert.cfg
-+++ b/base/ca/shared/profiles/ca/caCMCkraStorageCert.cfg
-@@ -10,7 +10,7 @@ input.i1.class_id=cmcCertReqInputImpl
- output.list=o1
- output.o1.class_id=certOutputImpl
- policyset.list=drmStorageCertSet
--policyset.drmStorageCertSet.list=1,2,3,4,5,6,7,9
-+policyset.drmStorageCertSet.list=1,2,3,4,5,6,9
- 
policyset.drmStorageCertSet.1.constraint.class_id=subjectNameConstraintImpl
- policyset.drmStorageCertSet.1.constraint.name=Subject Name Constraint
- policyset.drmStorageCertSet.1.constraint.params.pattern=CN=.*
-@@ -71,12 +71,6 @@ policyset.drmStorageCertSet.6.default.params.keyUsageKeyCertSign=false
- policyset.drmStorageCertSet.6.default.params.keyUsageCrlSign=false
- policyset.drmStorageCertSet.6.default.params.keyUsageEncipherOnly=false
- policyset.drmStorageCertSet.6.default.params.keyUsageDecipherOnly=false
--policyset.drmStorageCertSet.7.constraint.class_id=noConstraintImpl
--policyset.drmStorageCertSet.7.constraint.name=No Constraint
--policyset.drmStorageCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
--policyset.drmStorageCertSet.7.default.name=Extended Key Usage Extension Default
--policyset.drmStorageCertSet.7.default.params.exKeyUsageCritical=false
--policyset.drmStorageCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2
- policyset.drmStorageCertSet.9.constraint.class_id=signingAlgConstraintImpl
- policyset.drmStorageCertSet.9.constraint.name=No Constraint
- policyset.drmStorageCertSet.9.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
-diff --git a/base/ca/shared/profiles/ca/caCMCkraTransportCert.cfg b/base/ca/shared/profiles/ca/caCMCkraTransportCert.cfg
-index 3d00408..628253d 100644
---- a/base/ca/shared/profiles/ca/caCMCkraTransportCert.cfg
-+++ b/base/ca/shared/profiles/ca/caCMCkraTransportCert.cfg
-@@ -10,7 +10,7 @@ input.i1.class_id=cmcCertReqInputImpl
- output.list=o1
- output.o1.class_id=certOutputImpl
- policyset.list=transportCertSet
--policyset.transportCertSet.list=1,2,3,4,5,6,7,8
-+policyset.transportCertSet.list=1,2,3,4,5,6,8
- policyset.transportCertSet.1.constraint.class_id=subjectNameConstraintImpl
- policyset.transportCertSet.1.constraint.name=Subject Name Constraint
- policyset.transportCertSet.1.constraint.params.pattern=CN=.*
-@@ -71,12 +71,6 @@ 
policyset.transportCertSet.6.default.params.keyUsageKeyCertSign=false
- policyset.transportCertSet.6.default.params.keyUsageCrlSign=false
- policyset.transportCertSet.6.default.params.keyUsageEncipherOnly=false
- policyset.transportCertSet.6.default.params.keyUsageDecipherOnly=false
--policyset.transportCertSet.7.constraint.class_id=noConstraintImpl
--policyset.transportCertSet.7.constraint.name=No Constraint
--policyset.transportCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
--policyset.transportCertSet.7.default.name=Extended Key Usage Extension Default
--policyset.transportCertSet.7.default.params.exKeyUsageCritical=false
--policyset.transportCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2
- policyset.transportCertSet.8.constraint.class_id=signingAlgConstraintImpl
- policyset.transportCertSet.8.constraint.name=No Constraint
- policyset.transportCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
-diff --git a/base/ca/shared/profiles/ca/caCMCserverCert.cfg b/base/ca/shared/profiles/ca/caCMCserverCert.cfg
-index 9ad9fac..628fc50 100644
---- a/base/ca/shared/profiles/ca/caCMCserverCert.cfg
-+++ b/base/ca/shared/profiles/ca/caCMCserverCert.cfg
-@@ -76,7 +76,7 @@ policyset.serverCertSet.7.constraint.name=No Constraint
- policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
- policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
- policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
--policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
-+policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1
- policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
- policyset.serverCertSet.8.constraint.name=No Constraint
- 
policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
-diff --git a/base/ca/shared/profiles/ca/caCrossSignedCACert.cfg b/base/ca/shared/profiles/ca/caCrossSignedCACert.cfg
-index 8fafbdf..efc35a3 100644
---- a/base/ca/shared/profiles/ca/caCrossSignedCACert.cfg
-+++ b/base/ca/shared/profiles/ca/caCrossSignedCACert.cfg
-@@ -76,7 +76,7 @@ policyset.caCertSet.8.default.name=Subject Key Identifier Extension Default
- policyset.caCertSet.8.default.params.critical=false
- policyset.caCertSet.9.constraint.class_id=signingAlgConstraintImpl
- policyset.caCertSet.9.constraint.name=No Constraint
--policyset.caCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
-+policyset.caCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
- policyset.caCertSet.9.default.class_id=signingAlgDefaultImpl
- policyset.caCertSet.9.default.name=Signing Alg
- policyset.caCertSet.9.default.params.signingAlg=-
-diff --git a/base/ca/shared/profiles/ca/caDirBasedDualCert.cfg b/base/ca/shared/profiles/ca/caDirBasedDualCert.cfg
-index 3f34684..ac761c9 100644
---- a/base/ca/shared/profiles/ca/caDirBasedDualCert.cfg
-+++ b/base/ca/shared/profiles/ca/caDirBasedDualCert.cfg
-@@ -1,6 +1,6 @@
- desc=This certificate profile is for enrolling dual user certificates. It works only with Netscape 7.0 or later. 
- visible=true
--enable=true
-+enable=false
- enableBy=admin
- name=Directory-authenticated User Signing & Encryption Certificates Enrollment
- auth.instance_id=UserDirEnrollment
-@@ -89,7 +89,7 @@ policyset.encryptionCertSet.8.default.params.subjAltExtGNEnable_0=true
- policyset.encryptionCertSet.8.default.params.subjAltNameNumGNs=1
- policyset.encryptionCertSet.9.constraint.class_id=signingAlgConstraintImpl
- policyset.encryptionCertSet.9.constraint.name=No Constraint
--policyset.encryptionCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA384withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
-+policyset.encryptionCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA384withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
- policyset.encryptionCertSet.9.default.class_id=signingAlgDefaultImpl
- policyset.encryptionCertSet.9.default.name=Signing Alg
- policyset.encryptionCertSet.9.default.params.signingAlg=-
-@@ -161,8 +161,8 @@ policyset.signingCertSet.8.default.params.subjAltExtGNEnable_0=true
- policyset.signingCertSet.8.default.params.subjAltNameNumGNs=1
- policyset.signingCertSet.9.constraint.class_id=signingAlgConstraintImpl
- policyset.signingCertSet.9.constraint.name=No Constraint
--policyset.signingCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
-+policyset.signingCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
- policyset.signingCertSet.9.default.class_id=signingAlgDefaultImpl
- policyset.signingCertSet.9.default.name=Signing Alg
- policyset.signingCertSet.9.default.params.signingAlg=-
--policyset.signingCertSet.9.default.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
-+policyset.signingCertSet.9.default.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
-diff --git a/base/ca/shared/profiles/ca/caDirPinUserCert.cfg b/base/ca/shared/profiles/ca/caDirPinUserCert.cfg
-index af2b5e5..f9e24b9 100644
---- a/base/ca/shared/profiles/ca/caDirPinUserCert.cfg
-+++ b/base/ca/shared/profiles/ca/caDirPinUserCert.cfg
-@@ -93,7 +93,7 @@ policyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true
- policyset.userCertSet.8.default.params.subjAltNameNumGNs=1
- policyset.userCertSet.9.constraint.class_id=signingAlgConstraintImpl
- policyset.userCertSet.9.constraint.name=No Constraint
--policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
-+policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
- policyset.userCertSet.9.default.class_id=signingAlgDefaultImpl
- policyset.userCertSet.9.default.name=Signing Alg
- policyset.userCertSet.9.default.params.signingAlg=-
-diff --git a/base/ca/shared/profiles/ca/caDirUserCert.cfg b/base/ca/shared/profiles/ca/caDirUserCert.cfg
-index 0b7f6b7..2e90d97 100644
---- a/base/ca/shared/profiles/ca/caDirUserCert.cfg
-+++ b/base/ca/shared/profiles/ca/caDirUserCert.cfg
-@@ -93,7 +93,7 @@ policyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true
- policyset.userCertSet.8.default.params.subjAltNameNumGNs=1
- policyset.userCertSet.9.constraint.class_id=signingAlgConstraintImpl
- policyset.userCertSet.9.constraint.name=No Constraint
--policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
-+policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
- policyset.userCertSet.9.default.class_id=signingAlgDefaultImpl
- policyset.userCertSet.9.default.name=Signing Alg
- policyset.userCertSet.9.default.params.signingAlg=-
-diff --git a/base/ca/shared/profiles/ca/caDualCert.cfg b/base/ca/shared/profiles/ca/caDualCert.cfg
-index 87036d1..c5cf168 100644
---- a/base/ca/shared/profiles/ca/caDualCert.cfg
-+++ b/base/ca/shared/profiles/ca/caDualCert.cfg
-@@ -89,7 +89,7 @@ policyset.encryptionCertSet.8.default.params.subjAltExtGNEnable_0=true
- policyset.encryptionCertSet.8.default.params.subjAltNameNumGNs=1
- policyset.encryptionCertSet.9.constraint.class_id=signingAlgConstraintImpl
- policyset.encryptionCertSet.9.constraint.name=No Constraint
--policyset.encryptionCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
-+policyset.encryptionCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
- policyset.encryptionCertSet.9.default.class_id=signingAlgDefaultImpl
- policyset.encryptionCertSet.9.default.name=Signing Alg
- policyset.encryptionCertSet.9.default.params.signingAlg=-
-@@ -161,8 +161,8 @@ policyset.signingCertSet.8.default.params.subjAltExtGNEnable_0=true
- policyset.signingCertSet.8.default.params.subjAltNameNumGNs=1
- policyset.signingCertSet.9.constraint.class_id=signingAlgConstraintImpl
- policyset.signingCertSet.9.constraint.name=No Constraint
--policyset.signingCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
-+policyset.signingCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
- policyset.signingCertSet.9.default.class_id=signingAlgDefaultImpl
- policyset.signingCertSet.9.default.name=Signing Alg
- policyset.signingCertSet.9.default.params.signingAlg=-
--policyset.signingCertSet.9.default.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
-+policyset.signingCertSet.9.default.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
-diff --git a/base/ca/shared/profiles/ca/caDualRAuserCert.cfg b/base/ca/shared/profiles/ca/caDualRAuserCert.cfg
-index 7d61b36..e25b4bb 100644
---- a/base/ca/shared/profiles/ca/caDualRAuserCert.cfg
-+++ b/base/ca/shared/profiles/ca/caDualRAuserCert.cfg
-@@ -88,7 +88,7 @@ policyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true
- policyset.userCertSet.8.default.params.subjAltNameNumGNs=1
- policyset.userCertSet.9.constraint.class_id=signingAlgConstraintImpl
- policyset.userCertSet.9.constraint.name=No Constraint
--policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
-+policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
- policyset.userCertSet.9.default.class_id=signingAlgDefaultImpl
- policyset.userCertSet.9.default.name=Signing Alg
- policyset.userCertSet.9.default.params.signingAlg=-
-diff --git a/base/ca/shared/profiles/ca/caECAdminCert.cfg b/base/ca/shared/profiles/ca/caECAdminCert.cfg
-index d57bae1..84cab82 100644
---- a/base/ca/shared/profiles/ca/caECAdminCert.cfg
-+++ b/base/ca/shared/profiles/ca/caECAdminCert.cfg
-@@ -54,7 +54,7 @@ policyset.adminCertSet.6.constraint.name=Key Usage Extension Constraint
- policyset.adminCertSet.6.constraint.params.keyUsageCritical=true
- policyset.adminCertSet.6.constraint.params.keyUsageDigitalSignature=true
- policyset.adminCertSet.6.constraint.params.keyUsageNonRepudiation=true
--policyset.adminCertSet.6.constraint.params.keyUsageDataEncipherment=true
-+policyset.adminCertSet.6.constraint.params.keyUsageDataEncipherment=false
- policyset.adminCertSet.6.constraint.params.keyUsageKeyEncipherment=false
- policyset.adminCertSet.6.constraint.params.keyUsageKeyAgreement=true
- policyset.adminCertSet.6.constraint.params.keyUsageKeyCertSign=false
-@@ -66,7 +66,7 @@ policyset.adminCertSet.6.default.name=Key Usage Default
- policyset.adminCertSet.6.default.params.keyUsageCritical=true
- policyset.adminCertSet.6.default.params.keyUsageDigitalSignature=true
- policyset.adminCertSet.6.default.params.keyUsageNonRepudiation=true
--policyset.adminCertSet.6.default.params.keyUsageDataEncipherment=true
-+policyset.adminCertSet.6.default.params.keyUsageDataEncipherment=false
- policyset.adminCertSet.6.default.params.keyUsageKeyEncipherment=false
- policyset.adminCertSet.6.default.params.keyUsageKeyAgreement=true
- policyset.adminCertSet.6.default.params.keyUsageKeyCertSign=false
-diff --git a/base/ca/shared/profiles/ca/caECDirPinUserCert.cfg b/base/ca/shared/profiles/ca/caECDirPinUserCert.cfg
-index 4143102..7b33de6 100644
---- a/base/ca/shared/profiles/ca/caECDirPinUserCert.cfg
-+++ b/base/ca/shared/profiles/ca/caECDirPinUserCert.cfg
-@@ -57,7 +57,7 @@ policyset.userCertSet.6.constraint.name=Key Usage Extension Constraint
- policyset.userCertSet.6.constraint.params.keyUsageCritical=true
- 
policyset.userCertSet.6.constraint.params.keyUsageDigitalSignature=true
- policyset.userCertSet.6.constraint.params.keyUsageNonRepudiation=true
--policyset.userCertSet.6.constraint.params.keyUsageDataEncipherment=true
-+policyset.userCertSet.6.constraint.params.keyUsageDataEncipherment=false
- policyset.userCertSet.6.constraint.params.keyUsageKeyEncipherment=false
- policyset.userCertSet.6.constraint.params.keyUsageKeyAgreement=true
- policyset.userCertSet.6.constraint.params.keyUsageKeyCertSign=false
-@@ -69,7 +69,7 @@ policyset.userCertSet.6.default.name=Key Usage Default
- policyset.userCertSet.6.default.params.keyUsageCritical=true
- policyset.userCertSet.6.default.params.keyUsageDigitalSignature=true
- policyset.userCertSet.6.default.params.keyUsageNonRepudiation=true
--policyset.userCertSet.6.default.params.keyUsageDataEncipherment=true
-+policyset.userCertSet.6.default.params.keyUsageDataEncipherment=false
- policyset.userCertSet.6.default.params.keyUsageKeyEncipherment=false
- policyset.userCertSet.6.default.params.keyUsageKeyAgreement=true
- policyset.userCertSet.6.default.params.keyUsageKeyCertSign=false
-diff --git a/base/ca/shared/profiles/ca/caECDirUserCert.cfg b/base/ca/shared/profiles/ca/caECDirUserCert.cfg
-index b65999e..11eafa7 100644
---- a/base/ca/shared/profiles/ca/caECDirUserCert.cfg
-+++ b/base/ca/shared/profiles/ca/caECDirUserCert.cfg
-@@ -57,7 +57,7 @@ policyset.userCertSet.6.constraint.name=Key Usage Extension Constraint
- policyset.userCertSet.6.constraint.params.keyUsageCritical=true
- policyset.userCertSet.6.constraint.params.keyUsageDigitalSignature=true
- policyset.userCertSet.6.constraint.params.keyUsageNonRepudiation=true
--policyset.userCertSet.6.constraint.params.keyUsageDataEncipherment=true
-+policyset.userCertSet.6.constraint.params.keyUsageDataEncipherment=false
- policyset.userCertSet.6.constraint.params.keyUsageKeyEncipherment=false
- policyset.userCertSet.6.constraint.params.keyUsageKeyAgreement=true
- 
policyset.userCertSet.6.constraint.params.keyUsageKeyCertSign=false
-@@ -69,7 +69,7 @@ policyset.userCertSet.6.default.name=Key Usage Default
- policyset.userCertSet.6.default.params.keyUsageCritical=true
- policyset.userCertSet.6.default.params.keyUsageDigitalSignature=true
- policyset.userCertSet.6.default.params.keyUsageNonRepudiation=true
--policyset.userCertSet.6.default.params.keyUsageDataEncipherment=true
-+policyset.userCertSet.6.default.params.keyUsageDataEncipherment=false
- policyset.userCertSet.6.default.params.keyUsageKeyEncipherment=false
- policyset.userCertSet.6.default.params.keyUsageKeyAgreement=true
- policyset.userCertSet.6.default.params.keyUsageKeyCertSign=false
-diff --git a/base/ca/shared/profiles/ca/caECDualCert.cfg b/base/ca/shared/profiles/ca/caECDualCert.cfg
-index 0a56caf..663aa13 100644
---- a/base/ca/shared/profiles/ca/caECDualCert.cfg
-+++ b/base/ca/shared/profiles/ca/caECDualCert.cfg
-@@ -161,8 +161,7 @@ policyset.signingCertSet.8.default.params.subjAltExtGNEnable_0=true
- policyset.signingCertSet.8.default.params.subjAltNameNumGNs=1
- policyset.signingCertSet.9.constraint.class_id=signingAlgConstraintImpl
- policyset.signingCertSet.9.constraint.name=No Constraint
--policyset.signingCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
-+policyset.signingCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
- policyset.signingCertSet.9.default.class_id=signingAlgDefaultImpl
- policyset.signingCertSet.9.default.name=Signing Alg
- policyset.signingCertSet.9.default.params.signingAlg=-
--policyset.signingCertSet.9.default.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
-diff --git 
a/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg b/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg
-index 48e6499..b3cc471 100644
---- a/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg
-+++ b/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg
-@@ -48,7 +48,7 @@ policyset.cmcUserCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
- policyset.cmcUserCertSet.6.constraint.name=Key Usage Extension Constraint
- policyset.cmcUserCertSet.6.constraint.params.keyUsageCritical=true
- policyset.cmcUserCertSet.6.constraint.params.keyUsageCrlSign=false
--policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=true
-+policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=false
- policyset.cmcUserCertSet.6.constraint.params.keyUsageDecipherOnly=false
- policyset.cmcUserCertSet.6.constraint.params.keyUsageDigitalSignature=true
- policyset.cmcUserCertSet.6.constraint.params.keyUsageEncipherOnly=false
-@@ -60,7 +60,7 @@ policyset.cmcUserCertSet.6.default.class_id=keyUsageExtDefaultImpl
- policyset.cmcUserCertSet.6.default.name=Key Usage Default
- policyset.cmcUserCertSet.6.default.params.keyUsageCritical=true
- policyset.cmcUserCertSet.6.default.params.keyUsageCrlSign=false
--policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=true
-+policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=false
- policyset.cmcUserCertSet.6.default.params.keyUsageDecipherOnly=false
- policyset.cmcUserCertSet.6.default.params.keyUsageDigitalSignature=true
- policyset.cmcUserCertSet.6.default.params.keyUsageEncipherOnly=false
-diff --git a/base/ca/shared/profiles/ca/caECFullCMCUserCert.cfg b/base/ca/shared/profiles/ca/caECFullCMCUserCert.cfg
-index b24cb03..822e96b 100644
---- a/base/ca/shared/profiles/ca/caECFullCMCUserCert.cfg
-+++ b/base/ca/shared/profiles/ca/caECFullCMCUserCert.cfg
-@@ -51,7 +51,7 @@ policyset.cmcUserCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
- 
policyset.cmcUserCertSet.6.constraint.name=Key Usage Extension Constraint - policyset.cmcUserCertSet.6.constraint.params.keyUsageCritical=true - policyset.cmcUserCertSet.6.constraint.params.keyUsageCrlSign=false --policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=true -+policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=false - policyset.cmcUserCertSet.6.constraint.params.keyUsageDecipherOnly=false - policyset.cmcUserCertSet.6.constraint.params.keyUsageDigitalSignature=true - policyset.cmcUserCertSet.6.constraint.params.keyUsageEncipherOnly=false -@@ -63,7 +63,7 @@ policyset.cmcUserCertSet.6.default.class_id=keyUsageExtDefaultImpl - policyset.cmcUserCertSet.6.default.name=Key Usage Default - policyset.cmcUserCertSet.6.default.params.keyUsageCritical=true - policyset.cmcUserCertSet.6.default.params.keyUsageCrlSign=false --policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=true -+policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=false - policyset.cmcUserCertSet.6.default.params.keyUsageDecipherOnly=false - policyset.cmcUserCertSet.6.default.params.keyUsageDigitalSignature=true - policyset.cmcUserCertSet.6.default.params.keyUsageEncipherOnly=false -diff --git a/base/ca/shared/profiles/ca/caECFullCMCUserSignedCert.cfg b/base/ca/shared/profiles/ca/caECFullCMCUserSignedCert.cfg -index e7b60ee..5a817df 100644 ---- a/base/ca/shared/profiles/ca/caECFullCMCUserSignedCert.cfg -+++ b/base/ca/shared/profiles/ca/caECFullCMCUserSignedCert.cfg -@@ -59,7 +59,7 @@ policyset.cmcUserCertSet.6.constraint.class_id=keyUsageExtConstraintImpl - policyset.cmcUserCertSet.6.constraint.name=Key Usage Extension Constraint - policyset.cmcUserCertSet.6.constraint.params.keyUsageCritical=true - policyset.cmcUserCertSet.6.constraint.params.keyUsageCrlSign=false --policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=true -+policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=false - 
policyset.cmcUserCertSet.6.constraint.params.keyUsageDecipherOnly=false - policyset.cmcUserCertSet.6.constraint.params.keyUsageDigitalSignature=true - policyset.cmcUserCertSet.6.constraint.params.keyUsageEncipherOnly=false -@@ -71,7 +71,7 @@ policyset.cmcUserCertSet.6.default.class_id=keyUsageExtDefaultImpl - policyset.cmcUserCertSet.6.default.name=Key Usage Default - policyset.cmcUserCertSet.6.default.params.keyUsageCritical=true - policyset.cmcUserCertSet.6.default.params.keyUsageCrlSign=false --policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=true -+policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=false - policyset.cmcUserCertSet.6.default.params.keyUsageDecipherOnly=false - policyset.cmcUserCertSet.6.default.params.keyUsageDigitalSignature=true - policyset.cmcUserCertSet.6.default.params.keyUsageEncipherOnly=false -diff --git a/base/ca/shared/profiles/ca/caECInternalAuthServerCert.cfg b/base/ca/shared/profiles/ca/caECInternalAuthServerCert.cfg -index 8580544..24d61ca 100644 ---- a/base/ca/shared/profiles/ca/caECInternalAuthServerCert.cfg -+++ b/base/ca/shared/profiles/ca/caECInternalAuthServerCert.cfg -@@ -78,7 +78,7 @@ policyset.serverCertSet.7.constraint.name=No Constraint - policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl - policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default - policyset.serverCertSet.7.default.params.exKeyUsageCritical=false --policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4 -+policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 - policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl - policyset.serverCertSet.8.constraint.name=No Constraint - policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC -diff --git 
a/base/ca/shared/profiles/ca/caECSimpleCMCUserCert.cfg b/base/ca/shared/profiles/ca/caECSimpleCMCUserCert.cfg -index 8df3576..3d072a2 100644 ---- a/base/ca/shared/profiles/ca/caECSimpleCMCUserCert.cfg -+++ b/base/ca/shared/profiles/ca/caECSimpleCMCUserCert.cfg -@@ -50,7 +50,7 @@ policyset.cmcUserCertSet.6.constraint.class_id=keyUsageExtConstraintImpl - policyset.cmcUserCertSet.6.constraint.name=Key Usage Extension Constraint - policyset.cmcUserCertSet.6.constraint.params.keyUsageCritical=true - policyset.cmcUserCertSet.6.constraint.params.keyUsageCrlSign=false --policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=true -+policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=false - policyset.cmcUserCertSet.6.constraint.params.keyUsageDecipherOnly=false - policyset.cmcUserCertSet.6.constraint.params.keyUsageDigitalSignature=true - policyset.cmcUserCertSet.6.constraint.params.keyUsageEncipherOnly=false -@@ -62,7 +62,7 @@ policyset.cmcUserCertSet.6.default.class_id=keyUsageExtDefaultImpl - policyset.cmcUserCertSet.6.default.name=Key Usage Default - policyset.cmcUserCertSet.6.default.params.keyUsageCritical=true - policyset.cmcUserCertSet.6.default.params.keyUsageCrlSign=false --policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=true -+policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=false - policyset.cmcUserCertSet.6.default.params.keyUsageDecipherOnly=false - policyset.cmcUserCertSet.6.default.params.keyUsageDigitalSignature=true - policyset.cmcUserCertSet.6.default.params.keyUsageEncipherOnly=false -diff --git a/base/ca/shared/profiles/ca/caECUserCert.cfg b/base/ca/shared/profiles/ca/caECUserCert.cfg -index a6bf04a..dda7282 100644 ---- a/base/ca/shared/profiles/ca/caECUserCert.cfg -+++ b/base/ca/shared/profiles/ca/caECUserCert.cfg -@@ -59,7 +59,7 @@ policyset.userCertSet.6.constraint.name=Key Usage Extension Constraint - policyset.userCertSet.6.constraint.params.keyUsageCritical=true - 
policyset.userCertSet.6.constraint.params.keyUsageDigitalSignature=true - policyset.userCertSet.6.constraint.params.keyUsageNonRepudiation=true --policyset.userCertSet.6.constraint.params.keyUsageDataEncipherment=true -+policyset.userCertSet.6.constraint.params.keyUsageDataEncipherment=false - policyset.userCertSet.6.constraint.params.keyUsageKeyEncipherment=false - policyset.userCertSet.6.constraint.params.keyUsageKeyAgreement=true - policyset.userCertSet.6.constraint.params.keyUsageKeyCertSign=false -@@ -71,7 +71,7 @@ policyset.userCertSet.6.default.name=Key Usage Default - policyset.userCertSet.6.default.params.keyUsageCritical=true - policyset.userCertSet.6.default.params.keyUsageDigitalSignature=true - policyset.userCertSet.6.default.params.keyUsageNonRepudiation=true --policyset.userCertSet.6.default.params.keyUsageDataEncipherment=true -+policyset.userCertSet.6.default.params.keyUsageDataEncipherment=false - policyset.userCertSet.6.default.params.keyUsageKeyEncipherment=false - policyset.userCertSet.6.default.params.keyUsageKeyAgreement=true - policyset.userCertSet.6.default.params.keyUsageKeyCertSign=false -diff --git a/base/ca/shared/profiles/ca/caEncUserCert.cfg b/base/ca/shared/profiles/ca/caEncUserCert.cfg -index 07e78f9..c166b28 100644 ---- a/base/ca/shared/profiles/ca/caEncUserCert.cfg -+++ b/base/ca/shared/profiles/ca/caEncUserCert.cfg -@@ -89,7 +89,7 @@ policyset.encryptionCertSet.8.default.params.subjAltExtGNEnable_0=true - policyset.encryptionCertSet.8.default.params.subjAltNameNumGNs=1 - policyset.encryptionCertSet.9.constraint.class_id=signingAlgConstraintImpl - policyset.encryptionCertSet.9.constraint.name=No Constraint --policyset.encryptionCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC 
-+policyset.encryptionCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC - policyset.encryptionCertSet.9.default.class_id=signingAlgDefaultImpl - policyset.encryptionCertSet.9.default.name=Signing Alg - policyset.encryptionCertSet.9.default.params.signingAlg=- -diff --git a/base/ca/shared/profiles/ca/caIPAserviceCert.cfg b/base/ca/shared/profiles/ca/caIPAserviceCert.cfg -index 9603758..42d802e 100644 ---- a/base/ca/shared/profiles/ca/caIPAserviceCert.cfg -+++ b/base/ca/shared/profiles/ca/caIPAserviceCert.cfg -@@ -79,7 +79,7 @@ policyset.serverCertSet.7.default.params.exKeyUsageCritical=false - policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 - policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl - policyset.serverCertSet.8.constraint.name=No Constraint --policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC -+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC - policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl - policyset.serverCertSet.8.default.name=Signing Alg - policyset.serverCertSet.8.default.params.signingAlg=- -diff --git a/base/ca/shared/profiles/ca/caInstallCACert.cfg b/base/ca/shared/profiles/ca/caInstallCACert.cfg -index 7bdb180..ba942d7 100644 ---- a/base/ca/shared/profiles/ca/caInstallCACert.cfg -+++ b/base/ca/shared/profiles/ca/caInstallCACert.cfg -@@ -80,7 +80,7 @@ policyset.caCertSet.8.default.name=Subject Key Identifier Extension Default - policyset.caCertSet.8.default.params.critical=false - policyset.caCertSet.9.constraint.class_id=signingAlgConstraintImpl - 
policyset.caCertSet.9.constraint.name=No Constraint --policyset.caCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC -+policyset.caCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC - policyset.caCertSet.9.default.class_id=signingAlgDefaultImpl - policyset.caCertSet.9.default.name=Signing Alg - policyset.caCertSet.9.default.params.signingAlg=- -diff --git a/base/ca/shared/profiles/ca/caInternalAuthDRMstorageCert.cfg b/base/ca/shared/profiles/ca/caInternalAuthDRMstorageCert.cfg -index 5acc174..60d560d 100644 ---- a/base/ca/shared/profiles/ca/caInternalAuthDRMstorageCert.cfg -+++ b/base/ca/shared/profiles/ca/caInternalAuthDRMstorageCert.cfg -@@ -80,7 +80,7 @@ policyset.drmStorageCertSet.7.default.params.exKeyUsageCritical=false - policyset.drmStorageCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2 - policyset.drmStorageCertSet.9.constraint.class_id=signingAlgConstraintImpl - policyset.drmStorageCertSet.9.constraint.name=No Constraint --policyset.drmStorageCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC -+policyset.drmStorageCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC - policyset.drmStorageCertSet.9.default.class_id=signingAlgDefaultImpl - policyset.drmStorageCertSet.9.default.name=Signing Alg - policyset.drmStorageCertSet.9.default.params.signingAlg=- -diff --git a/base/ca/shared/profiles/ca/caInternalAuthOCSPCert.cfg b/base/ca/shared/profiles/ca/caInternalAuthOCSPCert.cfg -index 8788f94..982c868 100644 ---- a/base/ca/shared/profiles/ca/caInternalAuthOCSPCert.cfg 
-+++ b/base/ca/shared/profiles/ca/caInternalAuthOCSPCert.cfg -@@ -65,7 +65,7 @@ policyset.ocspCertSet.8.default.name=OCSP No Check Extension - policyset.ocspCertSet.8.default.params.ocspNoCheckCritical=false - policyset.ocspCertSet.9.constraint.class_id=signingAlgConstraintImpl - policyset.ocspCertSet.9.constraint.name=No Constraint --policyset.ocspCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC -+policyset.ocspCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC - policyset.ocspCertSet.9.default.class_id=signingAlgDefaultImpl - policyset.ocspCertSet.9.default.name=Signing Alg - policyset.ocspCertSet.9.default.params.signingAlg=- -diff --git a/base/ca/shared/profiles/ca/caInternalAuthServerCert.cfg b/base/ca/shared/profiles/ca/caInternalAuthServerCert.cfg -index de3c2a5..25538e7 100644 ---- a/base/ca/shared/profiles/ca/caInternalAuthServerCert.cfg -+++ b/base/ca/shared/profiles/ca/caInternalAuthServerCert.cfg -@@ -78,7 +78,7 @@ policyset.serverCertSet.7.constraint.name=No Constraint - policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl - policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default - policyset.serverCertSet.7.default.params.exKeyUsageCritical=false --policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4 -+policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 - policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl - policyset.serverCertSet.8.constraint.name=No Constraint - policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC -diff --git 
a/base/ca/shared/profiles/ca/caInternalAuthTransportCert.cfg b/base/ca/shared/profiles/ca/caInternalAuthTransportCert.cfg -index 9f7680a..bdc69bc 100644 ---- a/base/ca/shared/profiles/ca/caInternalAuthTransportCert.cfg -+++ b/base/ca/shared/profiles/ca/caInternalAuthTransportCert.cfg -@@ -80,7 +80,7 @@ policyset.transportCertSet.7.default.params.exKeyUsageCritical=false - policyset.transportCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2 - policyset.transportCertSet.8.constraint.class_id=signingAlgConstraintImpl - policyset.transportCertSet.8.constraint.name=No Constraint --policyset.transportCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC -+policyset.transportCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC - policyset.transportCertSet.8.default.class_id=signingAlgDefaultImpl - policyset.transportCertSet.8.default.name=Signing Alg - policyset.transportCertSet.8.default.params.signingAlg=- -diff --git a/base/ca/shared/profiles/ca/caJarSigningCert.cfg b/base/ca/shared/profiles/ca/caJarSigningCert.cfg -index f5f5e62..8aea48d 100644 ---- a/base/ca/shared/profiles/ca/caJarSigningCert.cfg -+++ b/base/ca/shared/profiles/ca/caJarSigningCert.cfg -@@ -80,7 +80,7 @@ policyset.caJarSigningSet.5.default.params.nsCertSSLClient=false - policyset.caJarSigningSet.5.default.params.nsCertSSLServer=false - policyset.caJarSigningSet.6.constraint.class_id=signingAlgConstraintImpl - policyset.caJarSigningSet.6.constraint.name=No Constraint --policyset.caJarSigningSet.6.constraint.params.signingAlgsAllowed=MD5withRSA,MD2withRSA,SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC 
-+policyset.caJarSigningSet.6.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC - policyset.caJarSigningSet.6.default.class_id=signingAlgDefaultImpl - policyset.caJarSigningSet.6.default.name=Signing Alg - policyset.caJarSigningSet.6.default.params.signingAlg=- -diff --git a/base/ca/shared/profiles/ca/caOtherCert.cfg b/base/ca/shared/profiles/ca/caOtherCert.cfg -index e5cf627..5b8f50e 100644 ---- a/base/ca/shared/profiles/ca/caOtherCert.cfg -+++ b/base/ca/shared/profiles/ca/caOtherCert.cfg -@@ -79,7 +79,7 @@ policyset.otherCertSet.7.default.params.exKeyUsageCritical=false - policyset.otherCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 - policyset.otherCertSet.8.constraint.class_id=signingAlgConstraintImpl - policyset.otherCertSet.8.constraint.name=No Constraint --policyset.otherCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC -+policyset.otherCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC - policyset.otherCertSet.8.default.class_id=signingAlgDefaultImpl - policyset.otherCertSet.8.default.name=Signing Alg - policyset.otherCertSet.8.default.params.signingAlg=- -diff --git a/base/ca/shared/profiles/ca/caRACert.cfg b/base/ca/shared/profiles/ca/caRACert.cfg -index 9774566..fb1199e 100644 ---- a/base/ca/shared/profiles/ca/caRACert.cfg -+++ b/base/ca/shared/profiles/ca/caRACert.cfg -@@ -79,7 +79,7 @@ policyset.raCertSet.7.default.params.exKeyUsageCritical=false - policyset.raCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2 - policyset.raCertSet.8.constraint.class_id=signingAlgConstraintImpl - policyset.raCertSet.8.constraint.name=No Constraint 
--policyset.raCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC -+policyset.raCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC - policyset.raCertSet.8.default.class_id=signingAlgDefaultImpl - policyset.raCertSet.8.default.name=Signing Alg - policyset.raCertSet.8.default.params.signingAlg=- -diff --git a/base/ca/shared/profiles/ca/caRARouterCert.cfg b/base/ca/shared/profiles/ca/caRARouterCert.cfg -index 05b3a72..c504285 100644 ---- a/base/ca/shared/profiles/ca/caRARouterCert.cfg -+++ b/base/ca/shared/profiles/ca/caRARouterCert.cfg -@@ -79,7 +79,7 @@ policyset.serverCertSet.7.default.params.exKeyUsageCritical=false - policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4 - policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl - policyset.serverCertSet.8.constraint.name=No Constraint --policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC -+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC - policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl - policyset.serverCertSet.8.default.name=Signing Alg - policyset.serverCertSet.8.default.params.signingAlg=- -diff --git a/base/ca/shared/profiles/ca/caRAagentCert.cfg b/base/ca/shared/profiles/ca/caRAagentCert.cfg -index 2199b26..db22f90 100644 ---- a/base/ca/shared/profiles/ca/caRAagentCert.cfg -+++ b/base/ca/shared/profiles/ca/caRAagentCert.cfg -@@ -89,7 +89,7 @@ policyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true - 
policyset.userCertSet.8.default.params.subjAltNameNumGNs=1 - policyset.userCertSet.9.constraint.class_id=signingAlgConstraintImpl - policyset.userCertSet.9.constraint.name=No Constraint --policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC -+policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC - policyset.userCertSet.9.default.class_id=signingAlgDefaultImpl - policyset.userCertSet.9.default.name=Signing Alg - policyset.userCertSet.9.default.params.signingAlg=- -diff --git a/base/ca/shared/profiles/ca/caRAserverCert.cfg b/base/ca/shared/profiles/ca/caRAserverCert.cfg -index 3a6cefa..e2406b4 100644 ---- a/base/ca/shared/profiles/ca/caRAserverCert.cfg -+++ b/base/ca/shared/profiles/ca/caRAserverCert.cfg -@@ -10,7 +10,7 @@ input.i2.class_id=submitterInfoInputImpl - output.list=o1 - output.o1.class_id=certOutputImpl - policyset.list=serverCertSet --policyset.serverCertSet.list=1,2,3,4,5,6,7,8 -+policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9 - policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl - policyset.serverCertSet.1.constraint.name=Subject Name Constraint - policyset.serverCertSet.1.constraint.params.pattern=CN=.* -@@ -51,7 +51,7 @@ policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl - policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint - policyset.serverCertSet.6.constraint.params.keyUsageCritical=true - policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true --policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true -+policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=false - policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true - 
policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true - policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false -@@ -63,7 +63,7 @@ policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl - policyset.serverCertSet.6.default.name=Key Usage Default - policyset.serverCertSet.6.default.params.keyUsageCritical=true - policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true --policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true -+policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=false - policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true - policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true - policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false -@@ -79,7 +79,11 @@ policyset.serverCertSet.7.default.params.exKeyUsageCritical=false - policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1 - policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl - policyset.serverCertSet.8.constraint.name=No Constraint --policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC -+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC - policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl - policyset.serverCertSet.8.default.name=Signing Alg - policyset.serverCertSet.8.default.params.signingAlg=- -+policyset.serverCertSet.9.constraint.class_id=noConstraintImpl -+policyset.serverCertSet.9.constraint.name=No Constraint -+policyset.serverCertSet.9.default.class_id=commonNameToSANDefaultImpl -+policyset.serverCertSet.9.default.name=copy CN to SAN Default -diff --git a/base/ca/shared/profiles/ca/caRouterCert.cfg 
b/base/ca/shared/profiles/ca/caRouterCert.cfg -index 3364675..b306102 100644 ---- a/base/ca/shared/profiles/ca/caRouterCert.cfg -+++ b/base/ca/shared/profiles/ca/caRouterCert.cfg -@@ -79,7 +79,7 @@ policyset.serverCertSet.7.default.params.exKeyUsageCritical=false - policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4 - policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl - policyset.serverCertSet.8.constraint.name=No Constraint --policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC -+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC - policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl - policyset.serverCertSet.8.default.name=Signing Alg - policyset.serverCertSet.8.default.params.signingAlg=- -diff --git a/base/ca/shared/profiles/ca/caSigningUserCert.cfg b/base/ca/shared/profiles/ca/caSigningUserCert.cfg -index f197ffa..7fac691 100644 ---- a/base/ca/shared/profiles/ca/caSigningUserCert.cfg -+++ b/base/ca/shared/profiles/ca/caSigningUserCert.cfg -@@ -79,7 +79,7 @@ policyset.signingCertSet.8.default.params.subjAltExtGNEnable_0=true - policyset.signingCertSet.8.default.params.subjAltNameNumGNs=1 - policyset.signingCertSet.9.constraint.class_id=signingAlgConstraintImpl - policyset.signingCertSet.9.constraint.name=No Constraint --policyset.signingCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC -+policyset.signingCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC - 
policyset.signingCertSet.9.default.class_id=signingAlgDefaultImpl - policyset.signingCertSet.9.default.name=Signing Alg - policyset.signingCertSet.9.default.params.signingAlg=- -diff --git a/base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg b/base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg -index a55873f..6987061 100644 ---- a/base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg -+++ b/base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg -@@ -50,7 +50,7 @@ policyset.cmcUserCertSet.6.constraint.class_id=keyUsageExtConstraintImpl - policyset.cmcUserCertSet.6.constraint.name=Key Usage Extension Constraint - policyset.cmcUserCertSet.6.constraint.params.keyUsageCritical=true - policyset.cmcUserCertSet.6.constraint.params.keyUsageCrlSign=false --policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=true -+policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=false - policyset.cmcUserCertSet.6.constraint.params.keyUsageDecipherOnly=false - policyset.cmcUserCertSet.6.constraint.params.keyUsageDigitalSignature=true - policyset.cmcUserCertSet.6.constraint.params.keyUsageEncipherOnly=false -@@ -62,7 +62,7 @@ policyset.cmcUserCertSet.6.default.class_id=keyUsageExtDefaultImpl - policyset.cmcUserCertSet.6.default.name=Key Usage Default - policyset.cmcUserCertSet.6.default.params.keyUsageCritical=true - policyset.cmcUserCertSet.6.default.params.keyUsageCrlSign=false --policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=true -+policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=false - policyset.cmcUserCertSet.6.default.params.keyUsageDecipherOnly=false - policyset.cmcUserCertSet.6.default.params.keyUsageDigitalSignature=true - policyset.cmcUserCertSet.6.default.params.keyUsageEncipherOnly=false -diff --git a/base/ca/shared/profiles/ca/caStorageCert.cfg b/base/ca/shared/profiles/ca/caStorageCert.cfg -index c8e7205..62d6968 100644 ---- a/base/ca/shared/profiles/ca/caStorageCert.cfg -+++ 
b/base/ca/shared/profiles/ca/caStorageCert.cfg -@@ -10,7 +10,7 @@ input.i2.class_id=submitterInfoInputImpl - output.list=o1 - output.o1.class_id=certOutputImpl - policyset.list=drmStorageCertSet --policyset.drmStorageCertSet.list=1,2,3,4,5,6,7,9 -+policyset.drmStorageCertSet.list=1,2,3,4,5,6,9 - policyset.drmStorageCertSet.1.constraint.class_id=subjectNameConstraintImpl - policyset.drmStorageCertSet.1.constraint.name=Subject Name Constraint - policyset.drmStorageCertSet.1.constraint.params.pattern=CN=.* -@@ -71,15 +71,9 @@ policyset.drmStorageCertSet.6.default.params.keyUsageKeyCertSign=false - policyset.drmStorageCertSet.6.default.params.keyUsageCrlSign=false - policyset.drmStorageCertSet.6.default.params.keyUsageEncipherOnly=false - policyset.drmStorageCertSet.6.default.params.keyUsageDecipherOnly=false --policyset.drmStorageCertSet.7.constraint.class_id=noConstraintImpl --policyset.drmStorageCertSet.7.constraint.name=No Constraint --policyset.drmStorageCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl --policyset.drmStorageCertSet.7.default.name=Extended Key Usage Extension Default --policyset.drmStorageCertSet.7.default.params.exKeyUsageCritical=false --policyset.drmStorageCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2 - policyset.drmStorageCertSet.9.constraint.class_id=signingAlgConstraintImpl - policyset.drmStorageCertSet.9.constraint.name=No Constraint --policyset.drmStorageCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC -+policyset.drmStorageCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC - policyset.drmStorageCertSet.9.default.class_id=signingAlgDefaultImpl - policyset.drmStorageCertSet.9.default.name=Signing Alg - policyset.drmStorageCertSet.9.default.params.signingAlg=- -diff --git 
a/base/ca/shared/profiles/ca/caTPSCert.cfg b/base/ca/shared/profiles/ca/caTPSCert.cfg -index 82a217a..4f98512 100644 ---- a/base/ca/shared/profiles/ca/caTPSCert.cfg -+++ b/base/ca/shared/profiles/ca/caTPSCert.cfg -@@ -79,7 +79,7 @@ policyset.serverCertSet.7.default.params.exKeyUsageCritical=false - policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4 - policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl - policyset.serverCertSet.8.constraint.name=No Constraint --policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC -+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC - policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl - policyset.serverCertSet.8.default.name=Signing Alg - policyset.serverCertSet.8.default.params.signingAlg=- -diff --git a/base/ca/shared/profiles/ca/caUUIDdeviceCert.cfg b/base/ca/shared/profiles/ca/caUUIDdeviceCert.cfg -index 43caf26..ef8ab5f 100644 ---- a/base/ca/shared/profiles/ca/caUUIDdeviceCert.cfg -+++ b/base/ca/shared/profiles/ca/caUUIDdeviceCert.cfg -@@ -93,7 +93,7 @@ policyset.userCertSet.8.default.params.subjAltExtSource_1=UUID4 - policyset.userCertSet.8.default.params.subjAltNameNumGNs=2 - policyset.userCertSet.9.constraint.class_id=signingAlgConstraintImpl - policyset.userCertSet.9.constraint.name=No Constraint --policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC -+policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC - 
policyset.userCertSet.9.default.class_id=signingAlgDefaultImpl - policyset.userCertSet.9.default.name=Signing Alg - policyset.userCertSet.9.default.params.signingAlg=- -diff --git a/base/ca/shared/profiles/ca/caUserCert.cfg b/base/ca/shared/profiles/ca/caUserCert.cfg -index 9164dac..62bc40c 100644 ---- a/base/ca/shared/profiles/ca/caUserCert.cfg -+++ b/base/ca/shared/profiles/ca/caUserCert.cfg -@@ -95,7 +95,7 @@ policyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true - policyset.userCertSet.8.default.params.subjAltNameNumGNs=1 - policyset.userCertSet.9.constraint.class_id=signingAlgConstraintImpl - policyset.userCertSet.9.constraint.name=No Constraint --policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC -+policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC - policyset.userCertSet.9.default.class_id=signingAlgDefaultImpl - policyset.userCertSet.9.default.name=Signing Alg - policyset.userCertSet.9.default.params.signingAlg=- -diff --git a/base/ca/shared/profiles/ca/caUserSMIMEcapCert.cfg b/base/ca/shared/profiles/ca/caUserSMIMEcapCert.cfg -index 43b6e85..81fc027 100644 ---- a/base/ca/shared/profiles/ca/caUserSMIMEcapCert.cfg -+++ b/base/ca/shared/profiles/ca/caUserSMIMEcapCert.cfg -@@ -95,7 +95,7 @@ policyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true - policyset.userCertSet.8.default.params.subjAltNameNumGNs=1 - policyset.userCertSet.9.constraint.class_id=signingAlgConstraintImpl - policyset.userCertSet.9.constraint.name=No Constraint --policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC 
-+policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC - policyset.userCertSet.9.default.class_id=signingAlgDefaultImpl - policyset.userCertSet.9.default.name=Signing Alg - policyset.userCertSet.9.default.params.signingAlg=- -diff --git a/base/server/cms/src/com/netscape/cms/profile/common/CACertCAEnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/CACertCAEnrollProfile.java -index 1ae2f08..c4f2d6b 100644 ---- a/base/server/cms/src/com/netscape/cms/profile/common/CACertCAEnrollProfile.java -+++ b/base/server/cms/src/com/netscape/cms/profile/common/CACertCAEnrollProfile.java -@@ -76,7 +76,7 @@ public class CACertCAEnrollProfile extends CAEnrollProfile - IConfigStore defConfig4 = def4.getConfigStore(); - defConfig4.putString("params.signingAlg", "-"); - defConfig4.putString("params.signingAlgsAllowed", -- "SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA256withEC,SHA384withEC,SHA512withEC"); -+ "SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withEC,SHA512withEC"); - - // extensions - IProfilePolicy policy5 = -diff --git a/base/server/cms/src/com/netscape/cms/profile/def/SigningAlgDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/SigningAlgDefault.java -index 81ad58c..97f221e 100644 ---- a/base/server/cms/src/com/netscape/cms/profile/def/SigningAlgDefault.java -+++ b/base/server/cms/src/com/netscape/cms/profile/def/SigningAlgDefault.java -@@ -46,7 +46,7 @@ public class SigningAlgDefault extends EnrollDefault { - - public static final String VAL_ALGORITHM = "signingAlg"; - public static final String DEF_CONFIG_ALGORITHMS = -- "-,MD5withRSA,MD2withRSA,SHA1withRSA,SHA256withRSA,SHA512withRSA"; -+ "-,SHA1withRSA,SHA256withRSA,SHA384withRSA,SHA512withRSA"; - - public SigningAlgDefault() { - super(); -diff --git a/base/server/python/pki/server/deployment/pkiparser.py 
b/base/server/python/pki/server/deployment/pkiparser.py -index 53296fc..3e0c9d2 100644 ---- a/base/server/python/pki/server/deployment/pkiparser.py -+++ b/base/server/python/pki/server/deployment/pkiparser.py -@@ -1152,7 +1152,9 @@ class PKIConfigParser: - "+TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256," + \ - "-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA," + \ - "-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256," + \ -- "-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" -+ "-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256," + \ -+ "+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384," + \ -+ "+TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" - else: - self.mdict['TOMCAT_SSL_RANGE_CIPHERS_SLOT'] = \ - "-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA," + \ -@@ -1186,7 +1188,11 @@ class PKIConfigParser: - "-TLS_RSA_WITH_AES_128_GCM_SHA256," + \ - "-TLS_RSA_WITH_3DES_EDE_CBC_SHA," + \ - "+TLS_RSA_WITH_AES_128_CBC_SHA," + \ -- "+TLS_RSA_WITH_AES_256_CBC_SHA" -+ "+TLS_RSA_WITH_AES_256_CBC_SHA," + \ -+ "+TLS_DHE_RSA_WITH_AES_256_GCM_SHA384," + \ -+ "+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384," + \ -+ "+TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384," + \ -+ "-TLS_RSA_WITH_AES_256_GCM_SHA384" - - if self.deployer.architecture == 64: - self.mdict['NUXWDOG_JNI_PATH_SLOT'] = ( -diff --git a/base/server/share/conf/ciphers.info b/base/server/share/conf/ciphers.info -index 44c6e4b..e51bffd 100644 ---- a/base/server/share/conf/ciphers.info -+++ b/base/server/share/conf/ciphers.info -@@ -123,8 +123,8 @@ - # - ## - # For RSA servers: -- 
sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,-TLS_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA" -+ 
sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,-TLS_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,+TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,-TLS_RSA_WITH_AES_256_GCM_SHA384" - # - # - # For ECC servers: -- 
sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-TLS_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_RSA_WITH_AES_128_CBC_SHA,-TLS_DHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,-TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,-TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" -+ 
sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-TLS_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_RSA_WITH_AES_128_CBC_SHA,-TLS_DHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,-TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,-TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,+TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" -diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java -index d3036f3..c1688e4 100644 ---- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java -+++ b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java -@@ -188,13 +188,21 @@ public class CryptoUtil { - public static final int LINE_COUNT = 76; - - static public final Integer[] clientECCiphers = { -+/* - SSLSocket.TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, - SSLSocket.TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, -+*/ - SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, - SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, - SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, -- SSLSocket.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, -- 
SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 -+// SSLSocket.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, -+ SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, -+ SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, -+ SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, -+/* -+ SSLSocket.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, -+ SSLSocket.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 -+*/ - }; - static public List clientECCipherList = new ArrayList(Arrays.asList(clientECCiphers)); - --- -1.8.3.1 - - -From 992d97189bbcfff3427b1dcc752f6588da25e496 Mon Sep 17 00:00:00 2001 -From: Christina Fu -Date: Fri, 31 Aug 2018 17:08:30 -0700 -Subject: [PATCH 10/19] Ticket3027 Disable TLS_RSA_* ciphers for HSM in FIPS - mode - -This patch disables the TLS_RSA_* ciphers by default because they do not work -with HSMs in FIPS mode. -ciphers.info is also updated to reflect the changes. - -fixes https://pagure.io/dogtagpki/issue/3027 - -Change-Id: Id720b8697976bb344d6dd8e4471a1bb5403af172 -(cherry picked from commit 908514da63dd9364df0f17810d9d41bfb5c596d5) ---- - .../python/pki/server/deployment/pkiparser.py | 12 ++-- - base/server/share/conf/ciphers.info | 70 ++++++++-------------- - 2 files changed, 31 insertions(+), 51 deletions(-) - -diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py -index 3e0c9d2..2397f43 100644 ---- a/base/server/python/pki/server/deployment/pkiparser.py -+++ b/base/server/python/pki/server/deployment/pkiparser.py -@@ -1130,7 +1130,7 @@ class PKIConfigParser: - "+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA," + \ - "-TLS_RSA_WITH_3DES_EDE_CBC_SHA," + \ - "-TLS_RSA_WITH_AES_128_CBC_SHA," + \ -- "+TLS_RSA_WITH_AES_256_CBC_SHA," + \ -+ "-TLS_RSA_WITH_AES_256_CBC_SHA," + \ - "-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA," + \ - "+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA," + \ - "-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA," + \ -@@ -1146,7 +1146,7 @@ class PKIConfigParser: - "-TLS_DHE_RSA_WITH_AES_256_CBC_SHA256," + \ - 
"-TLS_DHE_RSA_WITH_AES_128_GCM_SHA256," + \ - "-TLS_RSA_WITH_AES_128_CBC_SHA256," + \ -- "+TLS_RSA_WITH_AES_256_CBC_SHA256," + \ -+ "-TLS_RSA_WITH_AES_256_CBC_SHA256," + \ - "-TLS_RSA_WITH_AES_128_GCM_SHA256," + \ - "+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256," + \ - "+TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256," + \ -@@ -1183,12 +1183,12 @@ class PKIConfigParser: - "+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256," + \ - "-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256," + \ - "+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256," + \ -- "+TLS_RSA_WITH_AES_128_CBC_SHA256," + \ -- "+TLS_RSA_WITH_AES_256_CBC_SHA256," + \ -+ "-TLS_RSA_WITH_AES_128_CBC_SHA256," + \ -+ "-TLS_RSA_WITH_AES_256_CBC_SHA256," + \ - "-TLS_RSA_WITH_AES_128_GCM_SHA256," + \ - "-TLS_RSA_WITH_3DES_EDE_CBC_SHA," + \ -- "+TLS_RSA_WITH_AES_128_CBC_SHA," + \ -- "+TLS_RSA_WITH_AES_256_CBC_SHA," + \ -+ "-TLS_RSA_WITH_AES_128_CBC_SHA," + \ -+ "-TLS_RSA_WITH_AES_256_CBC_SHA," + \ - "+TLS_DHE_RSA_WITH_AES_256_GCM_SHA384," + \ - "+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384," + \ - "+TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384," + \ -diff --git a/base/server/share/conf/ciphers.info b/base/server/share/conf/ciphers.info -index e51bffd..bbb3cf1 100644 ---- a/base/server/share/conf/ciphers.info -+++ b/base/server/share/conf/ciphers.info -@@ -26,17 +26,6 @@ - # suited for the type of the server installed. Changes can be made to - # suit each site's needs. - # --# Although TLS1.2 ciphers (SHA256) are preferred, many older clients --# do not support them. For example, the following "preferred modern" --# ciphers are on by default, and by simply limiting the --# sslVersionRange* parameters, they can be turned off. 
--# --# TLS_RSA_WITH_AES_128_CBC_SHA256, --# TLS_RSA_WITH_AES_256_CBC_SHA256, --# TLS_RSA_WITH_AES_128_GCM_SHA256, --# TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, --# TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 --# - # The TLS_ECDHE_RSA_* ciphers provide Perfect Forward Secrecy, - # which, while provide added security to the already secure and adequate - # TLS_RSA_* ciphers, requires 3 times longer to establish SSL sessions. -@@ -62,25 +51,6 @@ - # TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, - # TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - # --# The following somewhat weaker ciphers (in CBC mode), though --# adequate for the CS operations, can be turned off if so desired: --# --# TLS_RSA_WITH_AES_128_CBC_SHA, --# TLS_RSA_WITH_AES_256_CBC_SHA, --# --# Note: In an EC CS server setup, you will see by default that the --# following RSA ciphers are left on. Those are used for --# installation where the actual systems certs have not yet been --# created, and a temporary RSA ssl server cert is at play. --# --# Those can be turned off manually by sites. --# --# TLS_RSA_WITH_AES_256_CBC_SHA256, --# TLS_RSA_WITH_AES_128_GCM_SHA256 --# --# These ciphers might be removed by the installation script in --# some future release. 
--# - # For RHEL 7.5 or greater: - # - # * all '3DES' ciphers have been disabled, -@@ -98,33 +68,43 @@ - # +TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, - # +TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, - # +TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, -+# +TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, - # +TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, -+# +TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, - # +TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, - # +TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, --# +TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, --# +TLS_RSA_WITH_AES_128_CBC_SHA256, --# +TLS_RSA_WITH_AES_256_CBC_SHA256, --# +TLS_RSA_WITH_AES_128_CBC_SHA, --# +TLS_RSA_WITH_AES_256_CBC_SHA --# --# NOTE: The last two ciphers, TLS_RSA_WITH_AES_128_CBC_SHA, --# and TLS_RSA_WITH_AES_256_CBC_SHA, may need to remain --# enabled in order to talk to the LDAP server --# during pkispawn installation/configuration. -+# +TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, -+# +TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - # - # Default ciphers enabled for ECC servers: - # - # +TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, --# +TLS_RSA_WITH_AES_256_CBC_SHA, - # +TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, --# +TLS_RSA_WITH_AES_256_CBC_SHA256, - # +TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, --# +TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 -+# +TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, -+# +TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, -+# +TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 -+# -+# For RHEL 7.6 or greater: -+# -+# The following ciphers do not work with HSM in FIPS mode, and -+# are therefore disabled by default. 
-+# -+# TLS_RSA_WITH_AES_256_CBC_SHA, -+# TLS_RSA_WITH_AES_128_CBC_SHA, -+# TLS_RSA_WITH_AES_128_CBC_SHA256, -+# TLS_RSA_WITH_AES_256_CBC_SHA256, -+# TLS_RSA_WITH_AES_128_GCM_SHA256, -+# TLS_RSA_WITH_AES_256_GCM_SHA384 -+# -+# note: -+# * They are currently not preferred in TLS 1.2 -+# * They are deprecated in TLS 1.3 - # - ## - # For RSA servers: -- sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,-TLS_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,+TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,-TLS_RSA_WITH_AES_256_GCM_SHA384" -+ 
sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_AES_128_CBC_SHA256,-TLS_RSA_WITH_AES_256_CBC_SHA256,-TLS_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_RSA_WITH_AES_128_CBC_SHA,-TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,+TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,-TLS_RSA_WITH_AES_256_GCM_SHA384" - # - # - # For ECC servers: -- 
sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-TLS_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_RSA_WITH_AES_128_CBC_SHA,-TLS_DHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,-TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,-TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,+TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" -+ 
sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-TLS_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_RSA_WITH_AES_128_CBC_SHA,-TLS_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_RSA_WITH_AES_128_CBC_SHA,-TLS_DHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,-TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_AES_128_CBC_SHA256,-TLS_RSA_WITH_AES_256_CBC_SHA256,-TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,+TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" --- -1.8.3.1 - - -From 5385791f72c5fab901aa38cbc31fd2fd9af269bf Mon Sep 17 00:00:00 2001 -From: Christina Fu -Date: Tue, 18 Sep 2018 16:13:29 -0700 -Subject: [PATCH 11/19] Bug1628410 CMC: add config to allow non-clientAuth - -This patch adds a new parameter, cmc.bypassClientAuth, in the CS.cfg -to allow agents to bypass clientAuth requirement in CMCAuth. -Default value for cmc.bypassClientAuth is false. - -In addition, CMC enrollment profile caCMCUserCert "visible" value is -set to false. 
-
-fixes https://bugzilla.redhat.com/show_bug.cgi?id=1628410
-
-Change-Id: Ie3efda321472c1e1b27ac4c5ecf63db753ce70fc
-(cherry picked from commit 19120d14941b5964a728ab06b0406be3ddeff5d4)
----
- base/ca/shared/profiles/ca/caCMCUserCert.cfg | 2 +-
- .../com/netscape/cms/authentication/CMCAuth.java | 50 +++++++++++++---------
- 2 files changed, 30 insertions(+), 22 deletions(-)
-
-diff --git a/base/ca/shared/profiles/ca/caCMCUserCert.cfg b/base/ca/shared/profiles/ca/caCMCUserCert.cfg
-index 657b98e..1f990f2 100644
---- a/base/ca/shared/profiles/ca/caCMCUserCert.cfg
-+++ b/base/ca/shared/profiles/ca/caCMCUserCert.cfg
-@@ -1,5 +1,5 @@
- desc=This certificate profile is for enrolling user certificates by using the CMC certificate request with CMC Signature authentication.
--visible=true
-+visible=false
- enable=true
- enableBy=admin
- auth.instance_id=CMCAuth
-diff --git a/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java b/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java
-index 9b6a819..98d5e29 100644
---- a/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java
-+++ b/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java
-@@ -127,6 +127,7 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
-
- /* authentication plug-in configuration store */
- private IConfigStore mConfig;
-+ private boolean mBypassClientAuth = false;
- private static final String HEADER = "-----BEGIN NEW CERTIFICATE REQUEST-----";
- private static final String TRAILER = "-----END NEW CERTIFICATE REQUEST-----";
- public static final String TOKEN_CERT_SERIAL = "certSerialToRevoke";
-@@ -213,6 +214,8 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
- mName = name;
- mImplName = implName;
- mConfig = config;
-+ mBypassClientAuth =
-+ CMS.getConfigStore().getBoolean("cmc.bypassClientAuth", false);
-
- log(ILogger.LL_INFO, "Initialization complete!");
- }
-@@ -882,28 +885,33 @@ public class CMCAuth implements 
IAuthManager, IExtendedPluginInfo,
- X509Certificate clientCert =
- (X509Certificate) auditContext.get(SessionContext.SSL_CLIENT_CERT);
- if (clientCert == null) {
-- // createAuditSubjectFromCert(auditContext, x509Certs[0]);
-- msg = "missing SSL client authentication certificate;";
-- CMS.debug(method + msg);
-- s.close();
-- throw new EMissingCredential(
-- CMS.getUserMessage("CMS_AUTHENTICATION_NO_CERT"));
-- }
-- netscape.security.x509.X500Name clientPrincipal =
-- (X500Name) clientCert.getSubjectDN();
--
-- netscape.security.x509.X500Name cmcPrincipal =
-- (X500Name) x509Certs[0].getSubjectDN();
--
-- // check ssl client cert against cmc signer
-- if (!clientPrincipal.equals(cmcPrincipal)) {
-- msg = "SSL client authentication certificate and CMC signer do not match";
-- CMS.debug(method + msg);
-- s.close();
-- throw new EInvalidCredentials(
-- CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL") + ":" + msg);
-+ if (mBypassClientAuth) {
-+ msg = "missing SSL client authentication certificate; allowed";
-+ CMS.debug(method + msg);
-+ } else {
-+ msg = "missing SSL client authentication certificate;";
-+ CMS.debug(method + msg);
-+ s.close();
-+ throw new EMissingCredential(
-+ CMS.getUserMessage("CMS_AUTHENTICATION_NO_CERT"));
-+ }
- } else {
-- CMS.debug(method + "ssl client cert principal and cmc signer principal match");
-+ netscape.security.x509.X500Name clientPrincipal =
-+ (X500Name) clientCert.getSubjectDN();
-+
-+ netscape.security.x509.X500Name cmcPrincipal =
-+ (X500Name) x509Certs[0].getSubjectDN();
-+
-+ // check ssl client cert against cmc signer
-+ if (!clientPrincipal.equals(cmcPrincipal)) {
-+ msg = "SSL client authentication certificate and CMC signer do not match";
-+ CMS.debug(method + msg);
-+ s.close();
-+ throw new EInvalidCredentials(
-+ CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL") + ":" + msg);
-+ } else {
-+ CMS.debug(method + "ssl client cert principal and cmc signer principal match");
-+ }
- }
-
- PublicKey 
signKey = cert.getPublicKey();
---
-1.8.3.1
-
-
-From b53d4f5f135432d6bc25b4bc0def1ea4b44705a4 Mon Sep 17 00:00:00 2001
-From: Dinesh Prasanth M K
-Date: Mon, 1 Oct 2018 16:25:08 -0400
-Subject: [PATCH 12/19] Fixes password leak of Auth plugins to Audit Logs (#57)
-
-* Auth plugin adds `(sensitive)` instead of plain passwords
-to AuditLogs
-* Added generic `isSensitive()` to identify Passwords before logging
-
-Signed-off-by: Dinesh Prasanth M K
-
-(cherry picked from commit cc2b50fac7542476aef222ab5f1d49d86e38cba1)
----
- base/common/src/com/netscape/certsrv/apps/CMS.java | 30 ++++++++++++++++++++++
- .../netscape/cms/servlet/admin/AdminServlet.java | 18 ++-----------
- .../com/netscape/cms/servlet/base/CMSServlet.java | 21 +--------------
- .../netscape/cms/servlet/csadmin/BaseServlet.java | 15 +----------
- .../cms/servlet/processors/CAProcessor.java | 16 +-----------
- .../servlet/profile/ProfileSubmitCMCServlet.java | 17 ++----------
- 6 files changed, 37 insertions(+), 80 deletions(-)
-
-diff --git a/base/common/src/com/netscape/certsrv/apps/CMS.java b/base/common/src/com/netscape/certsrv/apps/CMS.java
-index d04223f..0bf186e 100644
---- a/base/common/src/com/netscape/certsrv/apps/CMS.java
-+++ b/base/common/src/com/netscape/certsrv/apps/CMS.java
-@@ -1672,6 +1672,36 @@ public final class CMS {
- }
-
- /**
-+ * Check whether the string is contains password
-+ *
-+ * @param name key string
-+ * @return whether key is a password or not
-+ */
-+ public static boolean isSensitive(String name) {
-+ return (name.startsWith("__") ||
-+ name.endsWith("password") ||
-+ name.endsWith("passwd") ||
-+ name.endsWith("pwd") ||
-+ name.equalsIgnoreCase("admin_password_again") ||
-+ name.equalsIgnoreCase("directoryManagerPwd") ||
-+ name.equalsIgnoreCase("bindpassword") ||
-+ name.equalsIgnoreCase("bindpwd") ||
-+ name.equalsIgnoreCase("passwd") ||
-+ name.equalsIgnoreCase("password") ||
-+ name.equalsIgnoreCase("pin") ||
-+ name.equalsIgnoreCase("pwd") ||
-+ 
name.equalsIgnoreCase("pwdagain") ||
-+ name.equalsIgnoreCase("uPasswd") ||
-+ name.equalsIgnoreCase("PASSWORD_CACHE_ADD") ||
-+ name.startsWith("p12Password") ||
-+ name.equalsIgnoreCase("host_challenge") ||
-+ name.equalsIgnoreCase("card_challenge") ||
-+ name.equalsIgnoreCase("card_cryptogram") ||
-+ name.equalsIgnoreCase("drm_trans_desKey") ||
-+ name.equalsIgnoreCase("cert_request"));
-+ }
-+
-+ /**
- * Main driver to start CMS.
- */
- public static void main(String[] args) {
-diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java
-index 2b8cec7..ed5393b 100644
---- a/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java
-+++ b/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java
-@@ -203,21 +203,7 @@ public class AdminServlet extends HttpServlet {
- // __ (double underscores); however, in the event that
- // a security parameter slips through, we perform multiple
- // additional checks to insure that it is NOT displayed
-- if (pn.startsWith("__") ||
-- pn.endsWith("password") ||
-- pn.endsWith("passwd") ||
-- pn.endsWith("pwd") ||
-- pn.equalsIgnoreCase("admin_password_again") ||
-- pn.equalsIgnoreCase("directoryManagerPwd") ||
-- pn.equalsIgnoreCase("bindpassword") ||
-- pn.equalsIgnoreCase("bindpwd") ||
-- pn.equalsIgnoreCase("passwd") ||
-- pn.equalsIgnoreCase("password") ||
-- pn.equalsIgnoreCase("pin") ||
-- pn.equalsIgnoreCase("pwd") ||
-- pn.equalsIgnoreCase("pwdagain") ||
-- pn.equalsIgnoreCase("uPasswd") ||
-- pn.equalsIgnoreCase("PASSWORD_CACHE_ADD")) {
-+ if (CMS.isSensitive(pn)) {
- CMS.debug("AdminServlet::service() param name='" + pn +
- "' value='(sensitive)'");
- } else {
-@@ -992,7 +978,7 @@ public class AdminServlet extends HttpServlet {
- if (name.equals(Constants.RS_ID)) continue;
-
- String value = null;
-- if (name.equalsIgnoreCase("PASSWORD_CACHE_ADD"))
-+ if (CMS.isSensitive(name))
- value = "(sensitive)";
- 
else
- value = req.getParameter(name);
-diff --git a/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java b/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java
-index f18db1a..0c65702 100644
---- a/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java
-+++ b/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java
-@@ -403,26 +403,7 @@ public abstract class CMSServlet extends HttpServlet {
- // __ (double underscores); however, in the event that
- // a security parameter slips through, we perform multiple
- // additional checks to insure that it is NOT displayed
-- if (pn.startsWith("__") ||
-- pn.endsWith("password") ||
-- pn.endsWith("passwd") ||
-- pn.endsWith("pwd") ||
-- pn.equalsIgnoreCase("admin_password_again") ||
-- pn.equalsIgnoreCase("directoryManagerPwd") ||
-- pn.equalsIgnoreCase("bindpassword") ||
-- pn.equalsIgnoreCase("bindpwd") ||
-- pn.equalsIgnoreCase("passwd") ||
-- pn.equalsIgnoreCase("password") ||
-- pn.equalsIgnoreCase("pin") ||
-- pn.equalsIgnoreCase("pwd") ||
-- pn.equalsIgnoreCase("pwdagain") ||
-- pn.startsWith("p12Password") ||
-- pn.equalsIgnoreCase("uPasswd") ||
-- pn.equalsIgnoreCase("host_challenge") ||
-- pn.equalsIgnoreCase("card_challenge") ||
-- pn.equalsIgnoreCase("card_cryptogram") ||
-- pn.equalsIgnoreCase("drm_trans_desKey") ||
-- pn.equalsIgnoreCase("cert_request")) {
-+ if (CMS.isSensitive(pn)) {
- CMS.debug("CMSServlet::service() param name='" + pn +
- "' value='(sensitive)'");
- } else {
-diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/BaseServlet.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/BaseServlet.java
-index 3b3ae40..70922dc 100644
---- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/BaseServlet.java
-+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/BaseServlet.java
-@@ -70,20 +70,7 @@ public class BaseServlet extends VelocityServlet {
- // __ (double underscores); however, in the event that
- // a security parameter 
slips through, we perform multiple
- // additional checks to insure that it is NOT displayed
-- if (pn.startsWith("__") ||
-- pn.endsWith("password") ||
-- pn.endsWith("passwd") ||
-- pn.endsWith("pwd") ||
-- pn.equalsIgnoreCase("admin_password_again") ||
-- pn.equalsIgnoreCase("directoryManagerPwd") ||
-- pn.equalsIgnoreCase("bindpassword") ||
-- pn.equalsIgnoreCase("bindpwd") ||
-- pn.equalsIgnoreCase("passwd") ||
-- pn.equalsIgnoreCase("password") ||
-- pn.equalsIgnoreCase("pin") ||
-- pn.equalsIgnoreCase("pwd") ||
-- pn.equalsIgnoreCase("pwdagain") ||
-- pn.equalsIgnoreCase("uPasswd")) {
-+ if (CMS.isSensitive(pn)) {
- CMS.debug("BaseServlet::service() param name='" + pn +
- "' value='(sensitive)'");
- } else {
-diff --git a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java
-index 62b4242..f732c4d 100644
---- a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java
-+++ b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java
-@@ -258,21 +258,7 @@ public class CAProcessor extends Processor {
- // __ (double underscores); however, in the event that
- // a security parameter slips through, we perform multiple
- // additional checks to insure that it is NOT displayed
-- if (paramName.startsWith("__") ||
-- paramName.endsWith("password") ||
-- paramName.endsWith("passwd") ||
-- paramName.endsWith("pwd") ||
-- paramName.equalsIgnoreCase("admin_password_again") ||
-- paramName.equalsIgnoreCase("directoryManagerPwd") ||
-- paramName.equalsIgnoreCase("bindpassword") ||
-- paramName.equalsIgnoreCase("bindpwd") ||
-- paramName.equalsIgnoreCase("passwd") ||
-- paramName.equalsIgnoreCase("password") ||
-- paramName.equalsIgnoreCase("pin") ||
-- paramName.equalsIgnoreCase("pwd") ||
-- paramName.equalsIgnoreCase("pwdagain") ||
-- paramName.equalsIgnoreCase("uPasswd") ||
-- paramName.equalsIgnoreCase("cert_request")) {
-+ if 
(CMS.isSensitive(paramName)) { - CMS.debug("CAProcessor: - " + paramName + ": (sensitive)"); - } else { - CMS.debug("CAProcessor: - " + paramName + ": " + entry.getValue()); -diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java -index 03e94a8..81a2f2a 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java -@@ -47,9 +47,9 @@ import com.netscape.certsrv.authorization.AuthzToken; - import com.netscape.certsrv.base.EBaseException; - import com.netscape.certsrv.base.SessionContext; - import com.netscape.certsrv.logging.AuditEvent; -+import com.netscape.certsrv.logging.ILogger; - import com.netscape.certsrv.logging.event.AuthEvent; - import com.netscape.certsrv.logging.event.CertRequestProcessedEvent; --import com.netscape.certsrv.logging.ILogger; - import com.netscape.certsrv.profile.ECMCBadIdentityException; - import com.netscape.certsrv.profile.ECMCBadMessageCheckException; - import com.netscape.certsrv.profile.ECMCBadRequestException; -@@ -306,20 +306,7 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { - // __ (double underscores); however, in the event that - // a security parameter slips through, we perform multiple - // additional checks to insure that it is NOT displayed -- if (paramName.startsWith("__") || -- paramName.endsWith("password") || -- paramName.endsWith("passwd") || -- paramName.endsWith("pwd") || -- paramName.equalsIgnoreCase("admin_password_again") || -- paramName.equalsIgnoreCase("directoryManagerPwd") || -- paramName.equalsIgnoreCase("bindpassword") || -- paramName.equalsIgnoreCase("bindpwd") || -- paramName.equalsIgnoreCase("passwd") || -- paramName.equalsIgnoreCase("password") || -- paramName.equalsIgnoreCase("pin") || -- paramName.equalsIgnoreCase("pwd") || -- 
paramName.equalsIgnoreCase("pwdagain") || -- paramName.equalsIgnoreCase("uPasswd")) { -+ if (CMS.isSensitive(paramName)) { - CMS.debug("ProfileSubmitCMCServlet Input Parameter " + - paramName + "='(sensitive)'"); - } else { --- -1.8.3.1 - - -From 4041f30e683307eb96140c8b81e48e62c2e7c34a Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Tue, 28 Aug 2018 23:08:13 +0200 -Subject: [PATCH 13/19] Fixed CA signing cert importation - -The pki_ca_signing_cert_path param has been modified to have -an empty value by default. - -The import_ca_signing_cert() has been modified such that if -the param is not specified, it will return silently. If the -param contains an invalid path, the method will fail. If the -param contains a valid path to the CA signing cert, the cert -will be imported into the NSS database. - -https://pagure.io/dogtagpki/issue/3040 - -Change-Id: Idde1850744391162495599067c840c47ef47de69 -(cherry picked from commit a4f5b17ee96adf79391f9def6e04bb239a779cbe) ---- - base/server/etc/default.cfg | 2 +- - base/server/man/man5/pki_default.cfg.5 | 2 +- - .../pki/server/deployment/scriptlets/configuration.py | 19 ++++++++++--------- - 3 files changed, 12 insertions(+), 11 deletions(-) - -diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg -index 0f348ee..b92cca7 100644 ---- a/base/server/etc/default.cfg -+++ b/base/server/etc/default.cfg -@@ -94,7 +94,7 @@ pki_ca_port=%(pki_security_domain_https_port)s - pki_ca_signing_nickname=caSigningCert cert-%(pki_instance_name)s CA - - # DEPRECATED: Use 'pki_ca_signing_cert_path' instead. 
--pki_external_ca_cert_path=%(pki_instance_configuration_path)s/external_ca.cert -+pki_external_ca_cert_path= - pki_ca_signing_cert_path=%(pki_external_ca_cert_path)s - - pki_client_admin_cert_p12=%(pki_client_dir)s/%(pki_subsystem_type)s_admin_cert.p12 -diff --git a/base/server/man/man5/pki_default.cfg.5 b/base/server/man/man5/pki_default.cfg.5 -index fe3cdc7..afdcbfb 100644 ---- a/base/server/man/man5/pki_default.cfg.5 -+++ b/base/server/man/man5/pki_default.cfg.5 -@@ -413,7 +413,7 @@ Required for the second step of a stand-alone PKI process. This is the location - .PP - .B pki_ca_signing_cert_path - .IP --Required for the second step of a stand-alone PKI process. This is the location of the file containing the external CA's certificate chain (as issued by the external CA). Defaults to '%(pki_instance_configuration_path)s/external_ca_chain.cert'. -+Required for the second step of a stand-alone PKI process. This is the location of the file containing the external CA's certificate chain (as issued by the external CA). Defaults to empty. 
- .PP - .B pki_external_admin_cert_path - .IP -diff --git a/base/server/python/pki/server/deployment/scriptlets/configuration.py b/base/server/python/pki/server/deployment/scriptlets/configuration.py -index fd043a8..1b62445 100644 ---- a/base/server/python/pki/server/deployment/scriptlets/configuration.py -+++ b/base/server/python/pki/server/deployment/scriptlets/configuration.py -@@ -395,15 +395,16 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - self.import_system_cert_request(deployer, subsystem, 'subsystem') - self.import_system_cert_request(deployer, subsystem, 'sslserver') - -- def import_ca_signing_cert(self, deployer, nssdb, subsystem): -+ def import_ca_signing_cert(self, deployer, nssdb): - - param = 'pki_ca_signing_cert_path' - cert_file = deployer.mdict.get(param) -- if not cert_file or not os.path.exists(cert_file): -- if subsystem.name == 'ca': -- raise Exception('Invalid certificate path: %s=%s' % (param, cert_file)) -- else: -- return -+ -+ if not cert_file: -+ return -+ -+ if not os.path.exists(cert_file): -+ raise Exception('Invalid certificate path: %s=%s' % (param, cert_file)) - - nickname = deployer.mdict['pki_ca_signing_nickname'] - -@@ -593,14 +594,14 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - def import_system_certs(self, deployer, nssdb, subsystem): - - if subsystem.name == 'ca': -- self.import_ca_signing_cert(deployer, nssdb, subsystem) -+ self.import_ca_signing_cert(deployer, nssdb) - self.import_ca_ocsp_signing_cert(deployer, nssdb) - - if subsystem.name == 'kra': - # Always import cert chain into internal token. - internal_nssdb = subsystem.instance.open_nssdb() - try: -- self.import_ca_signing_cert(deployer, internal_nssdb, subsystem) -+ self.import_ca_signing_cert(deployer, internal_nssdb) - finally: - internal_nssdb.close() - -@@ -612,7 +613,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - # Always import cert chain into internal token. 
- internal_nssdb = subsystem.instance.open_nssdb() - try: -- self.import_ca_signing_cert(deployer, internal_nssdb, subsystem) -+ self.import_ca_signing_cert(deployer, internal_nssdb) - finally: - internal_nssdb.close() - --- -1.8.3.1 - - -From 6fbffb076caea906381e47bc1b6cae9da9892ae4 Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Tue, 23 Oct 2018 03:31:33 +0200 -Subject: [PATCH 14/19] Fixed password prompt in pki CLI - -The pki CLI has been modified not to throw an exception when the -user specifies a username without any password. The CLI will then -prompt for a password. - -https://pagure.io/dogtagpki/issue/2840 -(cherry picked from commit b1bda0a1e7baca575561c08e78d93ae7c7160738) ---- - base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java | 3 --- - 1 file changed, 3 deletions(-) - -diff --git a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java -index 711625a..50e5b75 100644 ---- a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java -+++ b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java -@@ -378,9 +378,6 @@ public class MainCLI extends CLI { - - if (passwordFile != null && password != null) { - throw new Exception("The '-W' and '-w' options are mutually exclusive."); -- -- } else if (passwordFile == null && password == null) { -- throw new Exception("Missing user password."); - } - } - --- -1.8.3.1 - - -From 60ad482668db175f297e55a947f55021871ce348 Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Wed, 17 Oct 2018 18:21:52 +0200 -Subject: [PATCH 16/19] Added CMSEngine.disableSubsystem() - -The code that calls pki-server subsystem-disable in -SelfTestSubsystem has been moved into CMSEngine.disableSubsystem(). 
- -https://pagure.io/dogtagpki/issue/3070 -(cherry picked from commit d5b119cdf3693680d5d1518b4b21b436d442708b) ---- - base/common/src/com/netscape/certsrv/apps/CMS.java | 4 ++++ - .../src/com/netscape/cmscore/apps/CMSEngine.java | 24 +++++++++++++++++++++ - .../cmscore/selftests/SelfTestSubsystem.java | 25 +++++----------------- - 3 files changed, 33 insertions(+), 20 deletions(-) - -diff --git a/base/common/src/com/netscape/certsrv/apps/CMS.java b/base/common/src/com/netscape/certsrv/apps/CMS.java -index 0bf186e..b6b74e6 100644 ---- a/base/common/src/com/netscape/certsrv/apps/CMS.java -+++ b/base/common/src/com/netscape/certsrv/apps/CMS.java -@@ -145,6 +145,10 @@ public final class CMS { - _engine = engine; - } - -+ public static ICMSEngine getCMSEngine() { -+ return _engine; -+ } -+ - /** - * This method is used for unit tests. It allows the underlying _engine - * to be stubbed out. -diff --git a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java -index eaf57fa..2c953cc 100644 ---- a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java -+++ b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java -@@ -2042,6 +2042,30 @@ public class CMSEngine implements ICMSEngine { - - } - -+ public void disableSubsystem() { -+ -+ String name = mConfig.get("cs.type"); -+ String subsystemID = name.toLowerCase(); -+ -+ CMS.debug("CMSEngine: Disabling " + name + " subsystem"); -+ -+ try { -+ ProcessBuilder pb = new ProcessBuilder("pki-server", "subsystem-disable", "-i", instanceId, subsystemID); -+ CMS.debug("Command: " + String.join(" ", pb.command())); -+ -+ Process process = pb.inheritIO().start(); -+ int rc = process.waitFor(); -+ -+ if (rc != 0) { -+ CMS.debug("CMSEngine: Unable to disable " + name + " subsystem. 
RC: " + rc); -+ } -+ -+ } catch (Exception e) { -+ CMS.debug("CMSEngine: Unable to disable " + name + " subsystem: " + e.getMessage()); -+ CMS.debug(e); -+ } -+ } -+ - /** - * shuts down a subsystem list in reverse order. - */ -diff --git a/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java b/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java -index 98b53c7..9ed4f8a 100644 ---- a/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java -+++ b/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java -@@ -50,6 +50,7 @@ import com.netscape.certsrv.selftests.ISelfTest; - import com.netscape.certsrv.selftests.ISelfTestSubsystem; - import com.netscape.cms.logging.Logger; - import com.netscape.cms.logging.SignedAuditLogger; -+import com.netscape.cmscore.apps.CMSEngine; - - ////////////////////// - // class definition // -@@ -1832,29 +1833,13 @@ public class SelfTestSubsystem - - audit(auditMessage); - -- CMS.debug("SelfTestSubsystem.startup(): shutdown server"); -+ CMS.debug("SelfTestSubsystem: Shutting down server due to selftest failure: " + e.getMessage()); -+ CMS.debug(e); - -- // shutdown the system gracefully - CMS.shutdown(); - -- IConfigStore cs = CMS.getConfigStore(); -- String instanceID = cs.get("instanceId"); -- String subsystemID = cs.get("cs.type").toLowerCase(); -- -- System.out.println("SelfTestSubsystem: Disabling \"" + subsystemID + "\" subsystem due to selftest failure."); -- -- try { -- ProcessBuilder pb = new ProcessBuilder("pki-server", "subsystem-disable", "-i", instanceID, subsystemID); -- Process process = pb.inheritIO().start(); -- int rc = process.waitFor(); -- -- if (rc != 0) { -- System.out.println("SelfTestSubsystem: Unable to disable \"" + subsystemID + "\". 
RC: " + rc); -- } -- -- } catch (Exception e2) { -- e.printStackTrace(); -- } -+ CMSEngine engine = (CMSEngine) CMS.getCMSEngine(); -+ engine.disableSubsystem(); - } - } - --- -1.8.3.1 - - -From 83e911b75bb887bc4f3bf36fc9709401e54b7443 Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Wed, 17 Oct 2018 18:22:24 +0200 -Subject: [PATCH 17/19] Fixed subsystem shutdown on selftest failures - -The code that handles selftest failures have been modified -to call CMSEngine.disableSubsystem() to undeploy the web -application. Once undeployed, the web application will no -longer accept client requests, then Tomcat will execute -CMSStartServlet.destroy() which will eventually shutdown -the subsystem. - -https://pagure.io/dogtagpki/issue/3070 -(cherry picked from commit 7c3711c786ba90fe29b7450530dd8372d5839fcd) ---- - .../cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java | 7 ++++--- - .../src/com/netscape/cmscore/selftests/SelfTestSubsystem.java | 9 ++++----- - 2 files changed, 8 insertions(+), 8 deletions(-) - -diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java -index 59a5d62..633b13d 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java -@@ -73,6 +73,7 @@ import com.netscape.certsrv.selftests.ESelfTestException; - import com.netscape.certsrv.selftests.ISelfTest; - import com.netscape.certsrv.selftests.ISelfTestSubsystem; - import com.netscape.certsrv.tks.ITKSAuthority; -+import com.netscape.cmscore.apps.CMSEngine; - import com.netscape.cmsutil.crypto.CryptoUtil; - import com.netscape.cmsutil.util.Cert; - import com.netscape.cmsutil.util.Utils; -@@ -3194,10 +3195,10 @@ public final class CMSAdminServlet extends AdminServlet { - + "\n"; - sendResponse(ERROR, content, null, resp); - -- CMS.debug("CMSAdminServlet.runSelfTestsOnDemand(): shutdown 
server"); -+ CMS.debug("CMSAdminServlet: Disabling subsystem due to selftest failure: " + e.getMessage()); - -- // shutdown the system gracefully -- CMS.shutdown(); -+ CMSEngine engine = (CMSEngine) CMS.getCMSEngine(); -+ engine.disableSubsystem(); - - return; - } else { -diff --git a/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java b/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java -index 9ed4f8a..8ce9a58 100644 ---- a/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java -+++ b/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java -@@ -537,10 +537,11 @@ public class SelfTestSubsystem - "CMSCORE_SELFTESTS_RUN_ON_DEMAND_FAILED", - instanceFullName)); - -- CMS.debug("SelfTestSubsystem.runSelfTestsOnDemand(): shutdown server"); -+ CMS.debug("SelfTestSubsystem: Disabling subsystem due to selftest failure: " + e.getMessage()); -+ CMS.debug(e); - -- // shutdown the system gracefully -- CMS.shutdown(); -+ CMSEngine engine = (CMSEngine) CMS.getCMSEngine(); -+ engine.disableSubsystem(); - - return; - } -@@ -1836,8 +1837,6 @@ public class SelfTestSubsystem - CMS.debug("SelfTestSubsystem: Shutting down server due to selftest failure: " + e.getMessage()); - CMS.debug(e); - -- CMS.shutdown(); -- - CMSEngine engine = (CMSEngine) CMS.getCMSEngine(); - engine.disableSubsystem(); - } --- -1.8.3.1 - - -From 81710f32fb9c269f2795b3272b3765a542299eb6 Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Wed, 17 Oct 2018 18:23:09 +0200 -Subject: [PATCH 18/19] Fixed signed audit logging failure handling - -The code that handles signed audit logging failures has been -modified to call CMSEngine.disableSubsystem() to undeploy the -web application. Once undeployed, the web application will no -longer accept client requests, then Tomcat will execute -CMSStartServlet.destroy() which will eventually shutdown the -subsystem. 
- -https://pagure.io/dogtagpki/issue/3070 -(cherry picked from commit 5e7d7b972f14d65781909f6dfee4ad1e7ecb801a) ---- - .../cms/src/com/netscape/cms/logging/LogFile.java | 17 ++++------------- - 1 file changed, 4 insertions(+), 13 deletions(-) - -diff --git a/base/server/cms/src/com/netscape/cms/logging/LogFile.java b/base/server/cms/src/com/netscape/cms/logging/LogFile.java -index b04f70d..a4a691b 100644 ---- a/base/server/cms/src/com/netscape/cms/logging/LogFile.java -+++ b/base/server/cms/src/com/netscape/cms/logging/LogFile.java -@@ -79,6 +79,7 @@ import com.netscape.certsrv.logging.ILogger; - import com.netscape.certsrv.logging.LogSource; - import com.netscape.certsrv.logging.SignedAuditEvent; - import com.netscape.certsrv.logging.SystemEvent; -+import com.netscape.cmscore.apps.CMSEngine; - import com.netscape.cmsutil.util.Utils; - - import netscape.ldap.client.JDAPAVA; -@@ -422,20 +423,10 @@ public class LogFile implements ILogEventListener, IExtendedPluginInfo { - // synchronized. We just want to avoid an infinite loop. - mInSignedAuditLogFailureMode = true; - -- // Block all new incoming requests -- if (CMS.areRequestsDisabled() == false) { -- // XXX is this a race condition? -- CMS.disableRequests(); -- } -- -- // Terminate all requests in process -- CMS.terminateRequests(); -- -- // Call graceful shutdown of the CMS server -- // Call force shutdown to get added functionality of -- // making sure to kill the web server. -+ CMS.debug("LogFile: Disabling subsystem due to signed logging failure"); - -- CMS.forceShutdown(); -+ CMSEngine engine = (CMSEngine) CMS.getCMSEngine(); -+ engine.disableSubsystem(); - } - } - --- -1.8.3.1 - - -From bd2b3117334ce0e638bf309a591a0eeb6390253f Mon Sep 17 00:00:00 2001 -From: "Endi S. 
Dewata" -Date: Sat, 20 Oct 2018 04:03:49 +0200 -Subject: [PATCH 19/19] Added doc on signed audit logging failures - -https://pagure.io/dogtagpki/issue/3070 -(cherry picked from commit 54c1b9b04625de6f3493e5d28979a740b31e63b3) ---- - docs/admin/Signed_Audit_Logging_Failures.md | 88 +++++++++++++++++++++++++++++ - 1 file changed, 88 insertions(+) - create mode 100644 docs/admin/Signed_Audit_Logging_Failures.md - -diff --git a/docs/admin/Signed_Audit_Logging_Failures.md b/docs/admin/Signed_Audit_Logging_Failures.md -new file mode 100644 -index 0000000..17cc3bd ---- /dev/null -+++ b/docs/admin/Signed_Audit_Logging_Failures.md -@@ -0,0 +1,88 @@ -+Signed Audit Logging Failures -+============================= -+ -+## Overview -+ -+If a PKI subsystem is unable to write signed audit log to disk, -+the subsystem will automatically shutdown to prevent it from -+receiving and executing additional operations that cannot be -+logged. -+ -+This situation may happen when the disk is full. In that case -+the admin will need to provide additional disk space, then restart -+the subsystem. -+ -+Note: auto-shutdown will only work if audit signing is enabled. 
-+ -+## Verifying Auto-Shutdown -+ -+To verify auto-shutdown on a CA instance, prepare a small -+partition and assign the proper permissions: -+ -+``` -+$ mkdir -p /tmp/audit -+$ mount -t tmpfs -o size=2M,mode=0755 tmpfs /tmp/audit -+$ chown pkiuser:pkiuser /tmp/audit -+$ semanage fcontext -a -t pki_tomcat_log_t /tmp/audit -+$ restorecon -vR /tmp/audit -+``` -+ -+Edit /etc/pki/pki-tomcat/ca/CS.cfg to enable audit signing -+and configure it to store the logs in the above partition: -+ -+``` -+log.instance.SignedAudit.logSigning=true -+log.instance.SignedAudit.fileName=/tmp/audit/ca_audit -+``` -+ -+Restart the server: -+ -+``` -+$ systemctl restart pki-tomcatd@pki-tomcat.service -+``` -+ -+Create a big file to fill up the partition: -+ -+``` -+$ dd if=/dev/zero of=/tmp/audit/bigfile bs=1M count=2 -+``` -+ -+Execute some operations to generate audit logs, for example: -+ -+``` -+$ pki ca-cert-find -+``` -+ -+When the partition becomes full, the server will no longer able -+to write the signed audit log into the partition, so it will -+generate the following message in console or systemd journal -+(assuming the journal is stored in a different partition that -+is not full): -+ -+``` -+Failed to flush log "/tmp/audit/ca_audit", error: No space left on device -+``` -+ -+Then the CA subsystem will shutdown automatically. The server itself -+will still be running and accepting connections, but all requests -+going to the CA subsystem will fail. -+ -+To resolve the issue, create more space in the partition by -+removing the big file: -+ -+``` -+$ rm -f /tmp/audit/bigfile -+``` -+ -+Then re-enable the CA subsystem with the following command: -+ -+``` -+$ pki-server subsystem-enable -i pki-tomcat ca -+``` -+ -+or by restarting the server: -+ -+``` -+$ systemctl restart pki-tomcatd@pki-tomcat.service -+``` -+ --- -1.8.3.1 - diff --git a/SOURCES/pki-core-10.5.9-batch-2.0.patch b/SOURCES/pki-core-10.5.9-batch-2.0.patch deleted file mode 100644 index 31837d3..0000000 
--- a/SOURCES/pki-core-10.5.9-batch-2.0.patch
+++ /dev/null
@@ -1,3528 +0,0 @@ -From 9c24a655511c911c8acc724a45f79b3ea4986b9f Mon Sep 17 00:00:00 2001 -From: Dinesh Prasanth M K -Date: Thu, 1 Nov 2018 16:29:11 -0400 -Subject: [PATCH 01/13] Add --force flag to pki-destroy - -Resolves: Bug 1372056 -Ticket: https://pagure.io/dogtagpki/issue/1172 - -List of changes with this commit: -- Adds new flag `--force` to pkidestroy to force remove a subsystem -- Use `os.path.join()` instead of appending '/' between path names -- Remove the `pki_database_path` dir instead of removing contents of the dir - - This is moved to `security_database.py` instead of `configuration.py` -- pkidestroy and pkispawn logs are owned by `root` instead of configured pkiuser - -Signed-off-by: Dinesh Prasanth M K -(cherry picked from commit 926c26e10db1b3fde8f24802d7a77419d0f2f28d) ---- - .../python/pki/server/deployment/pkihelper.py | 6 +- - .../server/deployment/scriptlets/configuration.py | 7 +- - .../server/deployment/scriptlets/finalization.py | 5 +- - .../server/deployment/scriptlets/initialization.py | 92 ++++++++++++---------- - .../deployment/scriptlets/security_databases.py | 8 +- - .../deployment/scriptlets/webapp_deployment.py | 2 +- - base/server/sbin/pkidestroy | 44 ++++++++--- - 7 files changed, 96 insertions(+), 68 deletions(-) - -diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py -index 79f1e57..e1b9a02 100644 ---- a/base/server/python/pki/server/deployment/pkihelper.py -+++ b/base/server/python/pki/server/deployment/pkihelper.py -@@ -947,8 +947,10 @@ class Instance: - rv = [] - try: - for subsystem in config.PKI_TOMCAT_SUBSYSTEMS: -- path = self.mdict['pki_instance_path'] + \ -- "/" + subsystem.lower() -+ path = os.path.join( -+ self.mdict['pki_instance_path'], -+ subsystem.lower() -+ ) - if os.path.exists(path) and os.path.isdir(path): - rv.append(subsystem) - except OSError as exc: -diff --git a/base/server/python/pki/server/deployment/scriptlets/configuration.py 
b/base/server/python/pki/server/deployment/scriptlets/configuration.py -index 1b62445..7bc0023 100644 ---- a/base/server/python/pki/server/deployment/scriptlets/configuration.py -+++ b/base/server/python/pki/server/deployment/scriptlets/configuration.py -@@ -1274,9 +1274,4 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - raise RuntimeError("server failed to restart") - - def destroy(self, deployer): -- -- config.pki_log.info(log.CONFIGURATION_DESTROY_1, __name__, -- extra=config.PKI_INDENTATION_LEVEL_1) -- if len(deployer.instance.tomcat_instance_subsystems()) == 1: -- if deployer.directory.exists(deployer.mdict['pki_client_dir']): -- deployer.directory.delete(deployer.mdict['pki_client_dir']) -+ pass -diff --git a/base/server/python/pki/server/deployment/scriptlets/finalization.py b/base/server/python/pki/server/deployment/scriptlets/finalization.py -index e62051f..3c7e118 100644 ---- a/base/server/python/pki/server/deployment/scriptlets/finalization.py -+++ b/base/server/python/pki/server/deployment/scriptlets/finalization.py -@@ -68,19 +68,18 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - deployer.mdict['pki_subsystem'], - deployer.mdict['pki_instance_name'], - extra=config.PKI_INDENTATION_LEVEL_0) -- deployer.file.modify(deployer.mdict['pki_spawn_log'], silent=True) - - def destroy(self, deployer): - - config.pki_log.info(log.FINALIZATION_DESTROY_1, __name__, - extra=config.PKI_INDENTATION_LEVEL_1) -- deployer.file.modify(deployer.mdict['pki_destroy_log'], silent=True) - # If this is the last remaining PKI instance, ALWAYS remove the - # link to start configured PKI instances upon system reboot - if deployer.mdict['pki_subsystem'] in config.PKI_SUBSYSTEMS and\ - deployer.instance.pki_instance_subsystems() == 0: - deployer.systemd.disable() -- # Start this Tomcat PKI Process -+ -+ # Start this Tomcat PKI Process back if there are any subsystems still existing - if len(deployer.instance.tomcat_instance_subsystems()) >= 1: - 
deployer.systemd.start() - config.pki_log.info(log.PKIDESTROY_END_MESSAGE_2, -diff --git a/base/server/python/pki/server/deployment/scriptlets/initialization.py b/base/server/python/pki/server/deployment/scriptlets/initialization.py -index 9528ec5..efd1536 100644 ---- a/base/server/python/pki/server/deployment/scriptlets/initialization.py -+++ b/base/server/python/pki/server/deployment/scriptlets/initialization.py -@@ -86,45 +86,53 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - deployer.configuration_file.verify_ds_secure_connection_data() - - def destroy(self, deployer): -- -- # begin official logging -- config.pki_log.info(log.PKIDESTROY_BEGIN_MESSAGE_2, -- deployer.mdict['pki_subsystem'], -- deployer.mdict['pki_instance_name'], -- extra=config.PKI_INDENTATION_LEVEL_0) -- config.pki_log.info(log.INITIALIZATION_DESTROY_1, __name__, -- extra=config.PKI_INDENTATION_LEVEL_1) -- # verify that this type of "subsystem" currently EXISTS -- # for this "instance" -- deployer.instance.verify_subsystem_exists() -- # verify that the command-line parameters match the values -- # that are present in the corresponding configuration file -- deployer.configuration_file.verify_command_matches_configuration_file() -- # establish 'uid' and 'gid' -- deployer.identity.set_uid(deployer.mdict['pki_user']) -- deployer.identity.set_gid(deployer.mdict['pki_group']) -- # get ports to remove selinux context -- deployer.configuration_file.populate_non_default_ports() -- -- # remove kra connector from CA if this is a KRA -- deployer.kra_connector.deregister() -- -- # remove tps connector from TKS if this is a TPS -- deployer.tps_connector.deregister() -- -- # de-register instance from its Security Domain -- # -- # NOTE: Since the security domain of an instance must be up -- # and running in order to be de-registered, this step -- # must be done PRIOR to instance shutdown because this -- # instance's security domain may be a part of a -- # tightly-coupled shared instance. 
-- # -- -- # Previously we obtained the token through a command line interface -- # no longer supported. Thus we assume no token and the deregister op will -- # take place without the token using an alternate method. -- -- deployer.security_domain.deregister(None) -- # ALWAYS Stop this Tomcat PKI Process -- deployer.systemd.stop() -+ try: -+ # begin official logging -+ config.pki_log.info(log.PKIDESTROY_BEGIN_MESSAGE_2, -+ deployer.mdict['pki_subsystem'], -+ deployer.mdict['pki_instance_name'], -+ extra=config.PKI_INDENTATION_LEVEL_0) -+ config.pki_log.info(log.INITIALIZATION_DESTROY_1, __name__, -+ extra=config.PKI_INDENTATION_LEVEL_1) -+ # verify that this type of "subsystem" currently EXISTS -+ # for this "instance" -+ deployer.instance.verify_subsystem_exists() -+ # verify that the command-line parameters match the values -+ # that are present in the corresponding configuration file -+ deployer.configuration_file.verify_command_matches_configuration_file() -+ # establish 'uid' and 'gid' -+ deployer.identity.set_uid(deployer.mdict['pki_user']) -+ deployer.identity.set_gid(deployer.mdict['pki_group']) -+ # get ports to remove selinux context -+ deployer.configuration_file.populate_non_default_ports() -+ -+ # remove kra connector from CA if this is a KRA -+ deployer.kra_connector.deregister() -+ -+ # remove tps connector from TKS if this is a TPS -+ deployer.tps_connector.deregister() -+ -+ # de-register instance from its Security Domain -+ # -+ # NOTE: Since the security domain of an instance must be up -+ # and running in order to be de-registered, this step -+ # must be done PRIOR to instance shutdown because this -+ # instance's security domain may be a part of a -+ # tightly-coupled shared instance. -+ # -+ -+ # Previously we obtained the token through a command line interface -+ # no longer supported. Thus we assume no token and the deregister op will -+ # take place without the token using an alternate method. 
-+ -+ deployer.security_domain.deregister(None) -+ -+ except Exception as e: # pylint: disable=broad-except -+ config.pki_log.error(str(e)) -+ # If it is a normal destroy, pass any exception -+ if not deployer.mdict['pki_force_destroy']: -+ raise -+ -+ finally: -+ # ALWAYS Stop this Tomcat PKI Process -+ deployer.systemd.stop() -diff --git a/base/server/python/pki/server/deployment/scriptlets/security_databases.py b/base/server/python/pki/server/deployment/scriptlets/security_databases.py -index b8550ad..02f4713 100644 ---- a/base/server/python/pki/server/deployment/scriptlets/security_databases.py -+++ b/base/server/python/pki/server/deployment/scriptlets/security_databases.py -@@ -259,7 +259,9 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - config.pki_log.info(log.SECURITY_DATABASES_DESTROY_1, __name__, - extra=config.PKI_INDENTATION_LEVEL_1) - if len(deployer.instance.tomcat_instance_subsystems()) == 0: -- deployer.file.delete(deployer.mdict['pki_cert_database']) -- deployer.file.delete(deployer.mdict['pki_key_database']) -- deployer.file.delete(deployer.mdict['pki_secmod_database']) -+ -+ if deployer.directory.exists(deployer.mdict['pki_client_dir']): -+ deployer.directory.delete(deployer.mdict['pki_client_dir']) -+ -+ deployer.directory.delete(deployer.mdict['pki_database_path']) - deployer.file.delete(deployer.mdict['pki_shared_password_conf']) -diff --git a/base/server/python/pki/server/deployment/scriptlets/webapp_deployment.py b/base/server/python/pki/server/deployment/scriptlets/webapp_deployment.py -index bfa3c32..8957d9d 100644 ---- a/base/server/python/pki/server/deployment/scriptlets/webapp_deployment.py -+++ b/base/server/python/pki/server/deployment/scriptlets/webapp_deployment.py -@@ -70,7 +70,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - config.pki_log.info(log.WEBAPP_DEPLOYMENT_DESTROY_1, __name__, - extra=config.PKI_INDENTATION_LEVEL_1) - -- # Delete /conf/Catalina/localhost/.xml -+ # Delete 
/Catalina/localhost/.xml - deployer.file.delete( - os.path.join( - deployer.mdict['pki_instance_configuration_path'], -diff --git a/base/server/sbin/pkidestroy b/base/server/sbin/pkidestroy -index 58f0541..4692e36 100755 ---- a/base/server/sbin/pkidestroy -+++ b/base/server/sbin/pkidestroy -@@ -95,6 +95,13 @@ def main(argv): - nargs=1, metavar='', - help='security domain password file path') - -+ parser.optional.add_argument( -+ '--force', -+ dest='pki_force_destroy', -+ action='store_true', -+ help='force removal of subsystem' -+ ) -+ - args = parser.process_command_line_arguments() - - interactive = False -@@ -155,20 +162,26 @@ def main(argv): - pwd_file: - config.pki_secdomain_pass = pwd_file.readline().strip('\n') - -+ # '--force' -+ force_destroy = args.pki_force_destroy -+ - # verify that previously deployed instance exists -- deployed_pki_instance_path = \ -- config.pki_root_prefix + config.PKI_DEPLOYMENT_BASE_ROOT + "/" + \ -- config.pki_deployed_instance_name -- if not os.path.exists(deployed_pki_instance_path): -+ deployed_pki_instance_path = os.path.join( -+ config.PKI_DEPLOYMENT_BASE_ROOT, config.pki_deployed_instance_name -+ ) -+ -+ if not os.path.exists(deployed_pki_instance_path) and not force_destroy: - print("ERROR: " + log.PKI_INSTANCE_DOES_NOT_EXIST_1 % - deployed_pki_instance_path) - print() - parser.arg_parser.exit(-1) - - # verify that previously deployed subsystem for this instance exists -- deployed_pki_subsystem_path = \ -- deployed_pki_instance_path + "/" + deployer.subsystem_name.lower() -- if not os.path.exists(deployed_pki_subsystem_path): -+ deployed_pki_subsystem_path = os.path.join( -+ deployed_pki_instance_path, deployer.subsystem_name.lower() -+ ) -+ -+ if not os.path.exists(deployed_pki_subsystem_path) and not force_destroy: - print("ERROR: " + log.PKI_SUBSYSTEM_DOES_NOT_EXIST_2 % - (deployer.subsystem_name, deployed_pki_instance_path)) - print() -@@ -178,11 +191,16 @@ def main(argv): - 
config.PKI_DEPLOYMENT_DEFAULT_CONFIGURATION_FILE
- 
- # establish complete path to previously deployed configuration file
-- config.user_deployment_cfg =\
-- deployed_pki_subsystem_path + "/" +\
-- "registry" + "/" +\
-- deployer.subsystem_name.lower() + "/" +\
-+ config.user_deployment_cfg = os.path.join(
-+ deployed_pki_subsystem_path,
-+ "registry",
-+ deployer.subsystem_name.lower(),
- config.USER_DEPLOYMENT_CONFIGURATION
-+ )
-+
-+ if force_destroy and not os.path.exists(config.user_deployment_cfg):
-+ # During force destroy, try to load the file. If file doesn't exist, we ignore it
-+ config.user_deployment_cfg = None
- 
- parser.validate()
- parser.init_config()
-@@ -213,6 +231,10 @@ def main(argv):
- parser.compose_pki_master_dictionary()
- parser.mdict['pki_destroy_log'] = \
- config.pki_log_dir + "/" + config.pki_log_name
-+
-+ # Add force_destroy to master dictionary
-+ parser.mdict['pki_force_destroy'] = force_destroy
-+
- config.pki_log.debug(log.PKI_DICTIONARY_MASTER,
- extra=config.PKI_INDENTATION_LEVEL_0)
- config.pki_log.debug(pkilogging.log_format(parser.mdict),
--- 
-1.8.3.1
-
-
-From 7f0af3958605c9826c5bb71fcb43cfccb3056d90 Mon Sep 17 00:00:00 2001
-From: Dinesh Prasanth M K
-Date: Thu, 1 Nov 2018 16:43:36 -0400
-Subject: [PATCH 02/13] Add --remove-logs flag to pki-destroy
-
-Partially resolves: Bug 1372056
-
-List of changes by this commit:
-
-- Logs are preserved by default (comment #1 in BZ)
-- Add `--remove-flags` flag to pkidestroy to remove logs
-
-Signed-off-by: Dinesh Prasanth M K
-(cherry picked from commit 9e2cdb0b2f5df552ef50ba7883b4c686adec41b3)
----
- .../server/deployment/scriptlets/instance_layout.py | 7 +++++--
- .../server/deployment/scriptlets/subsystem_layout.py | 19 +++++++++++--------
- base/server/sbin/pkidestroy | 13 +++++++++++++
- 3 files changed, 29 insertions(+), 10 deletions(-)
-
-diff --git a/base/server/python/pki/server/deployment/scriptlets/instance_layout.py 
b/base/server/python/pki/server/deployment/scriptlets/instance_layout.py -index 2095212..568c0a0 100644 ---- a/base/server/python/pki/server/deployment/scriptlets/instance_layout.py -+++ b/base/server/python/pki/server/deployment/scriptlets/instance_layout.py -@@ -199,8 +199,11 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - - # remove Tomcat instance base - deployer.directory.delete(deployer.mdict['pki_instance_path']) -- # remove Tomcat instance logs -- deployer.directory.delete(deployer.mdict['pki_instance_log_path']) -+ -+ # remove Tomcat instance logs only if --remove-logs is specified -+ if deployer.mdict['pki_remove_logs']: -+ deployer.directory.delete(deployer.mdict['pki_instance_log_path']) -+ - # remove shared NSS security database path for this instance - deployer.directory.delete(deployer.mdict['pki_database_path']) - # remove Tomcat instance configuration -diff --git a/base/server/python/pki/server/deployment/scriptlets/subsystem_layout.py b/base/server/python/pki/server/deployment/scriptlets/subsystem_layout.py -index a0e4658..fb9f754 100644 ---- a/base/server/python/pki/server/deployment/scriptlets/subsystem_layout.py -+++ b/base/server/python/pki/server/deployment/scriptlets/subsystem_layout.py -@@ -124,15 +124,18 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - deployer.directory.delete( - deployer.mdict['pki_subsystem_profiles_path']) - deployer.directory.delete(deployer.mdict['pki_subsystem_path']) -- # remove instance-based subsystem logs -- if deployer.mdict['pki_subsystem'] in \ -- config.PKI_SIGNED_AUDIT_SUBSYSTEMS: -+ -+ # remove instance-based subsystem logs only if --remove-logs flag is specified -+ if deployer.mdict['pki_remove_logs']: -+ if deployer.mdict['pki_subsystem'] in \ -+ config.PKI_SIGNED_AUDIT_SUBSYSTEMS: -+ deployer.directory.delete( -+ deployer.mdict['pki_subsystem_signed_audit_log_path']) - deployer.directory.delete( -- deployer.mdict['pki_subsystem_signed_audit_log_path']) -- 
deployer.directory.delete( -- deployer.mdict['pki_subsystem_archive_log_path']) -- deployer.directory.delete( -- deployer.mdict['pki_subsystem_log_path']) -+ deployer.mdict['pki_subsystem_archive_log_path']) -+ deployer.directory.delete( -+ deployer.mdict['pki_subsystem_log_path']) -+ - # remove instance-based subsystem configuration - deployer.directory.delete( - deployer.mdict['pki_subsystem_configuration_path']) -diff --git a/base/server/sbin/pkidestroy b/base/server/sbin/pkidestroy -index 4692e36..4095d13 100755 ---- a/base/server/sbin/pkidestroy -+++ b/base/server/sbin/pkidestroy -@@ -102,6 +102,13 @@ def main(argv): - help='force removal of subsystem' - ) - -+ parser.optional.add_argument( -+ '--remove-logs', -+ dest='pki_remove_logs', -+ action='store_true', -+ help='remove subsystem logs' -+ ) -+ - args = parser.process_command_line_arguments() - - interactive = False -@@ -165,6 +172,9 @@ def main(argv): - # '--force' - force_destroy = args.pki_force_destroy - -+ # '--remove-logs' -+ remove_logs = args.pki_remove_logs -+ - # verify that previously deployed instance exists - deployed_pki_instance_path = os.path.join( - config.PKI_DEPLOYMENT_BASE_ROOT, config.pki_deployed_instance_name -@@ -235,6 +245,9 @@ def main(argv): - # Add force_destroy to master dictionary - parser.mdict['pki_force_destroy'] = force_destroy - -+ # Add remove logs to master dictionary -+ parser.mdict['pki_remove_logs'] = remove_logs -+ - config.pki_log.debug(log.PKI_DICTIONARY_MASTER, - extra=config.PKI_INDENTATION_LEVEL_0) - config.pki_log.debug(pkilogging.log_format(parser.mdict), --- -1.8.3.1 - - -From 24405fac463e59250ccf42507bba7fb811e3a2fb Mon Sep 17 00:00:00 2001 -From: Dinesh Prasanth M K -Date: Thu, 1 Nov 2018 17:02:03 -0400 -Subject: [PATCH 03/13] Reuse same instance log dirs (if exists) - -Resolves: Bug 1644769 -Ticket: https://pagure.io/dogtagpki/issue/3077 - -- `pkidestroy` behaviour was chagned to preserve the logs by default. 
- When `pkispawn` is run, it throws a name space collision error. -- This patch reuses the log dir and appends logs to the same log dir - structure (if exists) and logs it accordingly. - -`Signed-off-by: Dinesh Prasanth M K ` - -(cherry picked from commit c6c6757b4c566d10d25fe220fa9f59539c7a55ee) ---- - base/server/python/pki/server/deployment/pkihelper.py | 12 +++++------- - base/server/python/pki/server/deployment/pkimessages.py | 2 ++ - 2 files changed, 7 insertions(+), 7 deletions(-) - -diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py -index e1b9a02..3b55f78 100644 ---- a/base/server/python/pki/server/deployment/pkihelper.py -+++ b/base/server/python/pki/server/deployment/pkihelper.py -@@ -345,18 +345,16 @@ class Namespace: - log.PKIHELPER_NAMESPACE_COLLISION_2 % ( - self.mdict['pki_instance_name'], - self.mdict['pki_cgroup_cpu_systemd_service_path'])) -+ - if os.path.exists(self.mdict['pki_instance_log_path']) and\ - os.path.exists(self.mdict['pki_subsystem_log_path']): -- # Top-Level PKI log path collision -- config.pki_log.error( -- log.PKIHELPER_NAMESPACE_COLLISION_2, -+ # Check if logs already exist. If so, append to it. 
Log it as info -+ config.pki_log.info( -+ log.PKIHELPER_LOG_REUSE, - self.mdict['pki_instance_name'], - self.mdict['pki_instance_log_path'], - extra=config.PKI_INDENTATION_LEVEL_2) -- raise Exception( -- log.PKIHELPER_NAMESPACE_COLLISION_2 % ( -- self.mdict['pki_instance_name'], -- self.mdict['pki_instance_log_path'])) -+ - if os.path.exists(self.mdict['pki_instance_configuration_path']) and\ - os.path.exists(self.mdict['pki_subsystem_configuration_path']): - # Top-Level PKI configuration path collision -diff --git a/base/server/python/pki/server/deployment/pkimessages.py b/base/server/python/pki/server/deployment/pkimessages.py -index 7bb79ca..6539295 100644 ---- a/base/server/python/pki/server/deployment/pkimessages.py -+++ b/base/server/python/pki/server/deployment/pkimessages.py -@@ -277,6 +277,8 @@ PKIHELPER_NAMESPACE_COLLISION_2 = \ - "PKI instance '%s' would produce a namespace collision with '%s'!" - PKIHELPER_NAMESPACE_RESERVED_NAME_2 = \ - "PKI instance '%s' is already a reserved name under '%s'!" -+PKIHELPER_LOG_REUSE = \ -+ "previous logs of PKI instance '%s' already exist. Appending logs to '%s'" - PKIHELPER_NCIPHER_RESTART_1 = "executing '%s'" - PKIHELPER_NOISE_FILE_2 = \ - "generating noise file called '%s' and filling it with '%d' random bytes" --- -1.8.3.1 - - -From 2a0d9c8c8ee7333198a8f5cb09c988eeeb3d528f Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Wed, 22 Aug 2018 00:02:03 +0200 -Subject: [PATCH 04/13] Updated pki.nssdb to support multiple CSR delimiters - types - -The pki.nssdb module has been modified to support both standard -and legacy CSR delimiters as defined in RFC 7468. 
- -https://pagure.io/dogtagpki/issue/3053 - -Change-Id: I609d640a66357f5293ff3a565027c1a395a47db7 -(cherry picked from commit 8bf25507886c446594fa1bd82e3040ab79b271b3) ---- - base/common/python/pki/nssdb.py | 46 ++++++++++++++++++++++++++++++++++------- - 1 file changed, 39 insertions(+), 7 deletions(-) - -diff --git a/base/common/python/pki/nssdb.py b/base/common/python/pki/nssdb.py -index f350255..d4ae804 100644 ---- a/base/common/python/pki/nssdb.py -+++ b/base/common/python/pki/nssdb.py -@@ -34,8 +34,11 @@ from cryptography.hazmat.backends import default_backend - - import pki - --CSR_HEADER = '-----BEGIN NEW CERTIFICATE REQUEST-----' --CSR_FOOTER = '-----END NEW CERTIFICATE REQUEST-----' -+CSR_HEADER = '-----BEGIN CERTIFICATE REQUEST-----' -+CSR_FOOTER = '-----END CERTIFICATE REQUEST-----' -+ -+LEGACY_CSR_HEADER = '-----BEGIN NEW CERTIFICATE REQUEST-----' -+LEGACY_CSR_FOOTER = '-----END NEW CERTIFICATE REQUEST-----' - - CERT_HEADER = '-----BEGIN CERTIFICATE-----' - CERT_FOOTER = '-----END CERTIFICATE-----' -@@ -51,10 +54,18 @@ logger = logging.LoggerAdapter( - extra={'indent': ''}) - - --def convert_data(data, input_format, output_format, header=None, footer=None): -+def convert_data(data, input_format, output_format, -+ header=None, footer=None, -+ headers=None, footers=None): -+ ''' -+ This method converts a PEM file to base-64 and vice versa. -+ It supports CSR, certificate, and PKCS #7 certificate chain. 
-+ ''' -+ - if input_format == output_format: - return data - -+ # converting from base-64 to PEM - if input_format == 'base64' and output_format == 'pem': - - # join base-64 data into a single line -@@ -66,16 +77,30 @@ def convert_data(data, input_format, output_format, header=None, footer=None): - # add header and footer - return '%s\n%s\n%s\n' % (header, '\n'.join(lines), footer) - -+ # converting from PEM to base-64 - if input_format == 'pem' and output_format == 'base64': - -+ # initialize list of headers if not provided -+ if not headers: -+ headers = [header] -+ -+ # initialize list of footers if not provided -+ if not footers: -+ footers = [footer] -+ - # join multiple lines into a single line - lines = [] - for line in data.splitlines(): - line = line.rstrip('\r\n') -- if line == header: -+ -+ # if the line is a header, skip -+ if line in headers: - continue -- if line == footer: -+ -+ # if the line is a footer, skip -+ if line in footers: - continue -+ - lines.append(line) - - return ''.join(lines) -@@ -86,7 +111,9 @@ def convert_data(data, input_format, output_format, header=None, footer=None): - - def convert_csr(csr_data, input_format, output_format): - return convert_data(csr_data, input_format, output_format, -- CSR_HEADER, CSR_FOOTER) -+ CSR_HEADER, CSR_FOOTER, -+ headers=[CSR_HEADER, LEGACY_CSR_HEADER], -+ footers=[CSR_FOOTER, LEGACY_CSR_FOOTER]) - - - def convert_cert(cert_data, input_format, output_format): -@@ -100,10 +127,15 @@ def convert_pkcs7(pkcs7_data, input_format, output_format): - - - def get_file_type(filename): -+ ''' -+ This method detects the content of a PEM file. It supports -+ CSR, certificate, PKCS #7 certificate chain. 
-+ ''' -+ - with open(filename, 'r') as f: - data = f.read() - -- if data.startswith(CSR_HEADER): -+ if data.startswith(CSR_HEADER) or data.startswith(LEGACY_CSR_HEADER): - return 'csr' - - if data.startswith(CERT_HEADER): --- -1.8.3.1 - - -From b9867142f4971a98b6c79ba16788db8829dfd79d Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Mon, 20 Aug 2018 23:14:25 +0200 -Subject: [PATCH 05/13] Removed default CSR paths - -The default.cfg has been modified to remove default CSR paths. - -The verify_predefined_configuration_file_data() has been modified -to no longer require CSR path parameters in the first step of -external CA scenario. - -https://pagure.io/dogtagpki/issue/3053 - -Change-Id: Idef6849b8bd7ee00d13151e0de10357a1f1d9ef2 -(cherry picked from commit f3dc6c79370d8b57362272c40bd9f67aaf791710) ---- - base/server/etc/default.cfg | 24 ++++++++-------- - .../python/pki/server/deployment/pkihelper.py | 32 +--------------------- - 2 files changed, 13 insertions(+), 43 deletions(-) - -diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg -index b92cca7..2c0430a 100644 ---- a/base/server/etc/default.cfg -+++ b/base/server/etc/default.cfg -@@ -330,7 +330,7 @@ pki_ca_signing_subject_dn=cn=CA Signing Certificate,ou=%(pki_instance_name)s,o=% - pki_ca_signing_token= - - # DEPRECATED: Use 'pki_ca_signing_csr_path' instead. --pki_external_csr_path=%(pki_instance_configuration_path)s/external_ca.csr -+pki_external_csr_path= - pki_ca_signing_csr_path=%(pki_external_csr_path)s - - pki_ocsp_signing_csr_path= -@@ -442,12 +442,12 @@ pki_kra_ephemeral_requests=False - - # DEPRECATED - # Use 'pki_*_csr_path' instead. 
--pki_external_admin_csr_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_admin.csr --pki_external_audit_signing_csr_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_audit_signing.csr --pki_external_sslserver_csr_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_sslserver.csr --pki_external_storage_csr_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_storage.csr --pki_external_subsystem_csr_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_subsystem.csr --pki_external_transport_csr_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_transport.csr -+pki_external_admin_csr_path= -+pki_external_audit_signing_csr_path= -+pki_external_sslserver_csr_path= -+pki_external_storage_csr_path= -+pki_external_subsystem_csr_path= -+pki_external_transport_csr_path= - - pki_admin_csr_path=%(pki_external_admin_csr_path)s - pki_audit_signing_csr_path=%(pki_external_audit_signing_csr_path)s -@@ -527,11 +527,11 @@ pki_standalone=False - - # DEPRECATED - # Use 'pki_*_csr_path' instead. 
--pki_external_admin_csr_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_admin.csr --pki_external_audit_signing_csr_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_audit_signing.csr --pki_external_signing_csr_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_signing.csr --pki_external_sslserver_csr_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_sslserver.csr --pki_external_subsystem_csr_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_subsystem.csr -+pki_external_admin_csr_path= -+pki_external_audit_signing_csr_path= -+pki_external_signing_csr_path= -+pki_external_sslserver_csr_path= -+pki_external_subsystem_csr_path= - - pki_admin_csr_path=%(pki_external_admin_csr_path)s - pki_audit_signing_csr_path=%(pki_external_audit_signing_csr_path)s -diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py -index 3b55f78..b3c3ccb 100644 ---- a/base/server/python/pki/server/deployment/pkihelper.py -+++ b/base/server/python/pki/server/deployment/pkihelper.py -@@ -712,39 +712,9 @@ class ConfigurationFile: - # pki_ca_signing_cert_path are optional. 
- pass - elif not self.skip_configuration and self.standalone: -- if not self.external_step_two: -- -- # Stand-alone PKI Admin CSR (Step 1) -- self.confirm_data_exists("pki_admin_csr_path") -- -- # Stand-alone PKI Audit Signing CSR (Step 1) -- self.confirm_data_exists( -- "pki_audit_signing_csr_path") - -- # Stand-alone PKI SSL Server CSR (Step 1) -- self.confirm_data_exists("pki_sslserver_csr_path") -+ if self.external_step_two: - -- # Stand-alone PKI Subsystem CSR (Step 1) -- self.confirm_data_exists("pki_subsystem_csr_path") -- -- # Stand-alone PKI KRA CSRs -- if self.subsystem == "KRA": -- -- # Stand-alone PKI KRA Storage CSR (Step 1) -- self.confirm_data_exists( -- "pki_storage_csr_path") -- -- # Stand-alone PKI KRA Transport CSR (Step 1) -- self.confirm_data_exists( -- "pki_transport_csr_path") -- -- # Stand-alone PKI OCSP CSRs -- if self.subsystem == "OCSP": -- # Stand-alone PKI OCSP OCSP Signing CSR (Step 1) -- self.confirm_data_exists( -- "pki_ocsp_signing_csr_path") -- -- else: - # Stand-alone PKI External CA Certificate (Step 2) - # The pki_ca_signing_cert_path is optional. - --- -1.8.3.1 - - -From e2563b186203e5e89d281ff5c39ca182f62cfefa Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Tue, 21 Aug 2018 01:03:11 +0200 -Subject: [PATCH 06/13] Added support for installation with custom CSRs - -The installation code has been modified to import custom -CSRs for KRA and OCSP system certicates if provided. The -CA installation already supports this functionality. 
- -https://pagure.io/dogtagpki/issue/3053 - -Change-Id: Ic6a7a462bf07f2ca07275a01fc04b8d194005188 -(cherry picked from commit 88271a9b3d829669fb997ee6158081da18faed97) ---- - .../netscape/cms/servlet/csadmin/ConfigurationUtils.java | 11 +++-------- - .../pki/server/deployment/scriptlets/configuration.py | 16 ++++++++++++---- - 2 files changed, 15 insertions(+), 12 deletions(-) - -diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java -index d8b4965..7398891 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java -@@ -2986,14 +2986,9 @@ public class ConfigurationUtils { - - CMS.debug("ConfigurationUtils.loadCertRequest(" + tag + ")"); - -- try { -- String certreq = config.getString(subsystem + "." + tag + ".certreq"); -- return CryptoUtil.base64Decode(certreq); -- -- } catch (EPropertyNotFound e) { -- // The CSR is optional for existing CA case. -- return null; -- } -+ // the CSR must exist in the second step of external CA scenario -+ String certreq = config.getString(subsystem + "." 
+ tag + ".certreq"); -+ return CryptoUtil.base64Decode(certreq); - } - - public static void generateCertRequest(IConfigStore config, String certTag, Cert cert) throws Exception { -diff --git a/base/server/python/pki/server/deployment/scriptlets/configuration.py b/base/server/python/pki/server/deployment/scriptlets/configuration.py -index 7bc0023..cf02205 100644 ---- a/base/server/python/pki/server/deployment/scriptlets/configuration.py -+++ b/base/server/python/pki/server/deployment/scriptlets/configuration.py -@@ -368,7 +368,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - csr_data = f.read() - - b64_csr = pki.nssdb.convert_csr(csr_data, 'pem', 'base64') -- subsystem.config['ca.%s.certreq' % tag] = b64_csr -+ subsystem.config['%s.%s.certreq' % (subsystem.name, tag)] = b64_csr - - def import_ca_signing_csr(self, deployer, subsystem): - -@@ -391,9 +391,17 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - if subsystem.name == 'ca': - self.import_ca_signing_csr(deployer, subsystem) - self.import_system_cert_request(deployer, subsystem, 'ocsp_signing') -- self.import_system_cert_request(deployer, subsystem, 'audit_signing') -- self.import_system_cert_request(deployer, subsystem, 'subsystem') -- self.import_system_cert_request(deployer, subsystem, 'sslserver') -+ -+ if subsystem.name == 'kra': -+ self.import_system_cert_request(deployer, subsystem, 'storage') -+ self.import_system_cert_request(deployer, subsystem, 'transport') -+ -+ if subsystem.name == 'ocsp': -+ self.import_system_cert_request(deployer, subsystem, 'signing') -+ -+ self.import_system_cert_request(deployer, subsystem, 'audit_signing') -+ self.import_system_cert_request(deployer, subsystem, 'subsystem') -+ self.import_system_cert_request(deployer, subsystem, 'sslserver') - - def import_ca_signing_cert(self, deployer, nssdb): - --- -1.8.3.1 - - -From e3b8099fb20b6806020bab1a1687340da643eacf Mon Sep 17 00:00:00 2001 -From: "Endi S. 
Dewata" -Date: Tue, 21 Aug 2018 20:01:30 +0200 -Subject: [PATCH 07/13] Fixed messages for installation with custom keys - -The pkispawn has been modified to display the proper message -for installation with custom keys where the CSRs will not be -generated. - -https://pagure.io/dogtagpki/issue/3053 - -Change-Id: Ibd0ae62c88c2b10520231de3e485e305c715218c -(cherry picked from commit e50f3b0b6034c2c18a0775f2e91fd2e5ea21678f) ---- - base/server/sbin/pkispawn | 81 +++++++++++++++++++++++++++++++++++++---------- - 1 file changed, 65 insertions(+), 16 deletions(-) - -diff --git a/base/server/sbin/pkispawn b/base/server/sbin/pkispawn -index ab94b8b..64c7a67 100755 ---- a/base/server/sbin/pkispawn -+++ b/base/server/sbin/pkispawn -@@ -760,9 +760,17 @@ def print_external_ca_step_one_information(mdict): - print(" The %s subsystem of the '%s' instance is still incomplete." % - (deployer.subsystem_name, mdict['pki_instance_name'])) - print() -- print(" A CSR for the CA certificate has been generated at:\n" -- " %s" -- % mdict['pki_ca_signing_csr_path']) -+ print(" NSS database: %s" % mdict['pki_database_path']) -+ print() -+ -+ signing_csr = mdict['pki_ca_signing_csr_path'] -+ -+ if signing_csr: -+ print(" A CSR for the CA signing certificate has been generated in:") -+ print(" %s" % mdict['pki_ca_signing_csr_path']) -+ else: -+ print(" No CSR has been generated for CA signing certificate.") -+ - print(log.PKI_RUN_INSTALLATION_STEP_TWO) - print(log.PKI_SPAWN_INFORMATION_FOOTER) - -@@ -773,13 +781,35 @@ def print_kra_step_one_information(mdict): - print(" The %s subsystem of the '%s' instance is still incomplete." 
% - (deployer.subsystem_name, mdict['pki_instance_name'])) - print() -- print(" The CSRs for KRA certificates have been generated in:") -- print(" storage: %s" % mdict['pki_storage_csr_path']) -- print(" transport: %s" % mdict['pki_transport_csr_path']) -- print(" subsystem: %s" % mdict['pki_subsystem_csr_path']) -- print(" SSL server: %s" % mdict['pki_sslserver_csr_path']) -- print(" audit signing: %s" % mdict['pki_audit_signing_csr_path']) -- print(" admin: %s" % mdict['pki_admin_csr_path']) -+ print(" NSS database: %s" % mdict['pki_database_path']) -+ print() -+ -+ storage_csr = mdict['pki_storage_csr_path'] -+ transport_csr = mdict['pki_transport_csr_path'] -+ subsystem_csr = mdict['pki_subsystem_csr_path'] -+ sslserver_csr = mdict['pki_sslserver_csr_path'] -+ audit_csr = mdict['pki_audit_signing_csr_path'] -+ admin_csr = mdict['pki_admin_csr_path'] -+ -+ if storage_csr or transport_csr or subsystem_csr or sslserver_csr \ -+ or audit_csr or admin_csr: -+ print(" The CSRs for KRA certificates have been generated in:") -+ else: -+ print(" No CSRs have been generated for KRA certificates.") -+ -+ if storage_csr: -+ print(" storage: %s" % storage_csr) -+ if transport_csr: -+ print(" transport: %s" % transport_csr) -+ if subsystem_csr: -+ print(" subsystem: %s" % subsystem_csr) -+ if sslserver_csr: -+ print(" SSL server: %s" % sslserver_csr) -+ if audit_csr: -+ print(" audit signing: %s" % audit_csr) -+ if admin_csr: -+ print(" admin: %s" % admin_csr) -+ - print(log.PKI_RUN_INSTALLATION_STEP_TWO) - print(log.PKI_SPAWN_INFORMATION_FOOTER) - -@@ -790,12 +820,31 @@ def print_ocsp_step_one_information(mdict): - print(" The %s subsystem of the '%s' instance is still incomplete." 
% - (deployer.subsystem_name, mdict['pki_instance_name'])) - print() -- print(" The CSRs for OCSP certificates have been generated in:") -- print(" OCSP signing: %s" % mdict['pki_ocsp_signing_csr_path']) -- print(" subsystem: %s" % mdict['pki_subsystem_csr_path']) -- print(" SSL server: %s" % mdict['pki_sslserver_csr_path']) -- print(" audit signing: %s" % mdict['pki_audit_signing_csr_path']) -- print(" admin: %s" % mdict['pki_admin_csr_path']) -+ print(" NSS database: %s" % mdict['pki_database_path']) -+ print() -+ -+ signing_csr = mdict['pki_ocsp_signing_csr_path'] -+ subsystem_csr = mdict['pki_subsystem_csr_path'] -+ sslserver_csr = mdict['pki_sslserver_csr_path'] -+ audit_csr = mdict['pki_audit_signing_csr_path'] -+ admin_csr = mdict['pki_admin_csr_path'] -+ -+ if signing_csr or subsystem_csr or sslserver_csr or audit_csr or admin_csr: -+ print(" The CSRs for OCSP certificates have been generated in:") -+ else: -+ print(" No CSRs have been generated for OCSP certificates.") -+ -+ if signing_csr: -+ print(" OCSP signing: %s" % signing_csr) -+ if subsystem_csr: -+ print(" subsystem: %s" % subsystem_csr) -+ if sslserver_csr: -+ print(" SSL server: %s" % sslserver_csr) -+ if audit_csr: -+ print(" audit signing: %s" % audit_csr) -+ if admin_csr: -+ print(" admin: %s" % admin_csr) -+ - print(log.PKI_RUN_INSTALLATION_STEP_TWO) - print(log.PKI_SPAWN_INFORMATION_FOOTER) - --- -1.8.3.1 - - -From 6c7079adf8878a2c799cd716c3df9ec75816accd Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Thu, 23 Aug 2018 06:10:44 +0200 -Subject: [PATCH 08/13] Fixed pki client-cert-import to accept PKCS #7 CA cert - chain - -The NSSDatabase.add_cert() has been modified to accept both single -certificates and PKCS #7 certificate chains in PEM format. - -The pki client-cert-import has been modified to support importing -CA cert chain in PKCS #7 format. - -The Cert.parseCertificate() has been modified to parse PKCS #7 -cert chain properly. 
- -https://pagure.io/dogtagpki/issue/3053 - -Change-Id: Ibeffcfa4915638df7b13a0cb6deb8c4afc775ca1 -(cherry picked from commit 9cef57869f01e89653331c0e22c9d3bacf7744ce) ---- - base/common/python/pki/nssdb.py | 2 ++ - .../com/netscape/cmstools/client/ClientCertImportCLI.java | 14 +++++++++++--- - base/util/src/com/netscape/cmsutil/util/Cert.java | 12 +++++++++--- - 3 files changed, 22 insertions(+), 6 deletions(-) - -diff --git a/base/common/python/pki/nssdb.py b/base/common/python/pki/nssdb.py -index d4ae804..05d2c62 100644 ---- a/base/common/python/pki/nssdb.py -+++ b/base/common/python/pki/nssdb.py -@@ -223,6 +223,7 @@ class NSSDatabase(object): - '-P', self.token, - '-f', self.password_file, - '-n', nickname, -+ '-a', - '-i', cert_file, - '-t', '' - ] -@@ -242,6 +243,7 @@ class NSSDatabase(object): - '-d', self.directory, - '-f', self.internal_password_file, - '-n', nickname, -+ '-a', - '-i', cert_file, - '-t', trust_attributes - ] -diff --git a/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java b/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java -index 99b215e..62fd4d6 100644 ---- a/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java -+++ b/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java -@@ -19,7 +19,6 @@ - package com.netscape.cmstools.client; - - import java.io.File; --import java.io.FileOutputStream; - import java.io.FileWriter; - import java.io.PrintWriter; - import java.net.URI; -@@ -45,6 +44,7 @@ import com.netscape.cmstools.cli.CLI; - import com.netscape.cmstools.cli.MainCLI; - import com.netscape.cmsutil.crypto.CryptoUtil; - import com.netscape.cmsutil.util.Cert; -+import com.netscape.cmsutil.util.Utils; - - import netscape.security.pkcs.PKCS12; - import netscape.security.pkcs.PKCS7; -@@ -250,8 +250,11 @@ public class ClientCertImportCLI extends CLI { - File certFile = File.createTempFile("pki-client-cert-import-", ".crt"); - certFile.deleteOnExit(); - -- try 
(FileOutputStream out = new FileOutputStream(certFile)) { -- out.write(bytes); -+ try (FileWriter fw = new FileWriter(certFile); -+ PrintWriter out = new PrintWriter(fw)) { -+ out.println(PKCS7.HEADER); -+ out.print(Utils.base64encode(bytes, true)); -+ out.println(PKCS7.FOOTER); - } - - if (trustAttributes == null) -@@ -338,6 +341,9 @@ public class ClientCertImportCLI extends CLI { - command.add(dbPasswordFile.getAbsolutePath()); - } - -+ // accept PEM or PKCS #7 certificate -+ command.add("-a"); -+ - command.add("-i"); - command.add(certFile); - command.add("-n"); -@@ -362,10 +368,12 @@ public class ClientCertImportCLI extends CLI { - String trustAttributes) throws Exception { - - if (nickname != null) { -+ // import a single CA certificate with the provided nickname - importCert(dbPath, dbPasswordFile, certFile, nickname, trustAttributes); - return; - } - -+ // import CA certificate chain with auto-generated nicknames - String pemCert = new String(Files.readAllBytes(Paths.get(certFile))).trim(); - byte[] binCert = Cert.parseCertificate(pemCert); - -diff --git a/base/util/src/com/netscape/cmsutil/util/Cert.java b/base/util/src/com/netscape/cmsutil/util/Cert.java -index f084395..e6f2460 100644 ---- a/base/util/src/com/netscape/cmsutil/util/Cert.java -+++ b/base/util/src/com/netscape/cmsutil/util/Cert.java -@@ -33,6 +33,9 @@ public class Cert { - public static final String HEADER = "-----BEGIN CERTIFICATE-----"; - public static final String FOOTER = "-----END CERTIFICATE-----"; - -+ public static final String PKCS7_HEADER = "-----BEGIN PKCS7-----"; -+ public static final String PKCS7_FOOTER = "-----END PKCS7-----"; -+ - // From https://www.rfc-editor.org/rfc/rfc7468.txt - public static final String REQUEST_HEADER = "-----BEGIN CERTIFICATE REQUEST-----"; - public static final String REQUEST_FOOTER = "-----END CERTIFICATE REQUEST-----"; -@@ -68,9 +71,12 @@ public class Cert { - return s; - } - -- if ((s.startsWith(HEADER)) && -- (s.endsWith(FOOTER))) { -- return 
(s.substring(27, (s.length() - 25))); -+ if (s.startsWith(HEADER) && s.endsWith(FOOTER)) { -+ return s.substring(HEADER.length(), s.length() - FOOTER.length()); -+ } -+ -+ if (s.startsWith(PKCS7_HEADER) && s.endsWith(PKCS7_FOOTER)) { -+ return s.substring(PKCS7_HEADER.length(), s.length() - PKCS7_FOOTER.length()); - } - - // To support Thawte's header and footer --- -1.8.3.1 - - -From ea9b582909d10d8f6c485860615319b6f6c31741 Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Fri, 31 Aug 2018 00:32:44 +0200 -Subject: [PATCH 09/13] Renamed server NSS database parameters - -The following parameters have been renamed for consistency: -* pki_database_path -> pki_server_database_path -* pki_pin -> pki_server_database_password - -The old parameters are still usable but they have been -deprecated. - -The pki_client_pin is redundant so it has been removed. - -https://pagure.io/dogtagpki/issue/3053 - -Change-Id: I243a01b360f573a16a160e9a415f786e38681603 -(cherry picked from commit 80defb1b7602eb59f5ee817a76acac86490ce853) ---- - base/server/etc/default.cfg | 10 ++++++- - .../python/pki/server/deployment/pkihelper.py | 10 +++---- - .../python/pki/server/deployment/pkiparser.py | 34 +++++++++++++--------- - .../server/deployment/scriptlets/configuration.py | 4 +-- - .../deployment/scriptlets/instance_layout.py | 6 ++-- - .../deployment/scriptlets/security_databases.py | 21 ++++++------- - .../server/deployment/scriptlets/selinux_setup.py | 8 ++--- - base/server/sbin/pkispawn | 6 ++-- - 8 files changed, 57 insertions(+), 42 deletions(-) - -diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg -index 2c0430a..0ae0764 100644 ---- a/base/server/etc/default.cfg -+++ b/base/server/etc/default.cfg -@@ -31,6 +31,7 @@ sensitive_parameters= - pki_pin - pki_replication_password - pki_security_domain_password -+ pki_server_database_password - pki_server_pkcs12_password - pki_token_password - -@@ -173,6 +174,14 @@ 
pki_cert_chain_path=%(pki_external_ca_cert_chain_path)s - pki_external_ca_cert_chain_nickname=caSigningCert External CA - pki_cert_chain_nickname=%(pki_external_ca_cert_chain_nickname)s - -+# DEPRECATED: Use 'pki_server_database_path' instead. -+pki_database_path=%(pki_instance_configuration_path)s/alias -+pki_server_database_path=%(pki_database_path)s -+ -+# DEPRECATED: Use 'pki_server_database_password' instead. -+pki_pin= -+pki_server_database_password= -+ - pki_pkcs12_path= - pki_pkcs12_password= - -@@ -201,7 +210,6 @@ pki_registry_path=%(pki_root_prefix)s/etc/sysconfig/pki - pki_instance_path=%(pki_path)s/%(pki_instance_name)s - pki_instance_log_path=%(pki_log_path)s/%(pki_instance_name)s - pki_instance_configuration_path=%(pki_configuration_path)s/%(pki_instance_name)s --pki_database_path=%(pki_instance_configuration_path)s/alias - pki_instance_database_link=%(pki_instance_path)s/alias - pki_instance_conf_link=%(pki_instance_path)s/conf - pki_instance_logs_link=%(pki_instance_path)s/logs -diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py -index b3c3ccb..77594ec 100644 ---- a/base/server/python/pki/server/deployment/pkihelper.py -+++ b/base/server/python/pki/server/deployment/pkihelper.py -@@ -3092,7 +3092,7 @@ class KRAConnector: - "-h", cahost, - "-n", subsystemnick, - "-P", "https", -- "-d", self.mdict['pki_database_path'], -+ "-d", self.mdict['pki_server_database_path'], - "-c", token_pwd, - "ca-kraconnector-del", - "--host", krahost, -@@ -3125,7 +3125,7 @@ class KRAConnector: - command = ["/usr/bin/sslget", - "-n", subsystemnick, - "-p", token_pwd, -- "-d", self.mdict['pki_database_path'], -+ "-d", self.mdict['pki_server_database_path'], - "-e", params, - "-v", - "-r", update_url, cahost + ":" + str(caport)] -@@ -3236,7 +3236,7 @@ class TPSConnector: - "-h", tkshost, - "-n", subsystemnick, - "-P", "https", -- "-d", self.mdict['pki_database_path'], -+ "-d", 
self.mdict['pki_server_database_path'], - "-c", token_pwd, - "-t", "tks", - "tks-tpsconnector-del", -@@ -3336,7 +3336,7 @@ class SecurityDomain: - admin_update_url = "/ca/admin/ca/updateDomainXML" - command = ["/usr/bin/sslget", - "-p", str(123456), -- "-d", self.mdict['pki_database_path'], -+ "-d", self.mdict['pki_server_database_path'], - "-e", params, - "-v", - "-r", admin_update_url, -@@ -3451,7 +3451,7 @@ class SecurityDomain: - command = ["/usr/bin/sslget", - "-n", subsystemnick, - "-p", token_pwd, -- "-d", self.mdict['pki_database_path'], -+ "-d", self.mdict['pki_server_database_path'], - "-e", params, - "-v", - "-r", update_url, sechost + ":" + str(secagentport)] -diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py -index 2397f43..5b8cdd3 100644 ---- a/base/server/python/pki/server/deployment/pkiparser.py -+++ b/base/server/python/pki/server/deployment/pkiparser.py -@@ -84,7 +84,11 @@ class PKIConfigParser: - (None, 'pki_ssl_server_subject_dn', - None, 'pki_sslserver_subject_dn'), - (None, 'pki_ssl_server_token', -- None, 'pki_sslserver_token') -+ None, 'pki_sslserver_token'), -+ (None, 'pki_database_path', -+ None, 'pki_server_database_path'), -+ (None, 'pki_pin', -+ None, 'pki_server_database_password'), - ] - - DEPRECATED_CA_PARAMS = [ -@@ -490,6 +494,7 @@ class PKIConfigParser: - 'pki_pin', - 'pki_replication_password', - 'pki_security_domain_password', -+ 'pki_server_database_password', - 'pki_server_pkcs12_password', - 'pki_token_password') - -@@ -766,17 +771,23 @@ class PKIConfigParser: - - # if instance already exists and has password, reuse the password - if internal_token in instance.passwords: -- self.mdict['pki_pin'] = instance.passwords.get(internal_token) -+ self.mdict['pki_server_database_password'] = instance.passwords.get(internal_token) - - # otherwise, use user-provided password if specified -- elif 'pki_pin' in self.mdict: -+ elif 
self.mdict['pki_server_database_password']: - pass - -+ # otherwise, use user-provided pin if specified -+ elif self.mdict['pki_pin']: -+ self.mdict['pki_server_database_password'] = self.mdict['pki_pin'] -+ - # otherwise, generate a random password - else: -- self.mdict['pki_pin'] = pki.generate_password() -+ self.mdict['pki_server_database_password'] = pki.generate_password() - -- self.mdict['pki_client_pin'] = pki.generate_password() -+ # generate random password for client database if not specified -+ if not self.mdict['pki_client_database_password']: -+ self.mdict['pki_client_database_password'] = pki.generate_password() - - pkilogging.sensitive_parameters = \ - self.mdict['sensitive_parameters'].split() -@@ -1231,13 +1242,13 @@ class PKIConfigParser: - self.mdict['pki_instance_configuration_path'], - "password.conf") - self.mdict['pki_cert_database'] = \ -- os.path.join(self.mdict['pki_database_path'], -+ os.path.join(self.mdict['pki_server_database_path'], - "cert8.db") - self.mdict['pki_key_database'] = \ -- os.path.join(self.mdict['pki_database_path'], -+ os.path.join(self.mdict['pki_server_database_path'], - "key3.db") - self.mdict['pki_secmod_database'] = \ -- os.path.join(self.mdict['pki_database_path'], -+ os.path.join(self.mdict['pki_server_database_path'], - "secmod.db") - self.mdict['pki_self_signed_nickname'] = \ - self.mdict['pki_sslserver_nickname'] -@@ -1262,11 +1273,6 @@ class PKIConfigParser: - self.mdict['pki_subsystem_configuration_path'], - "password.conf") - -- if not len(self.mdict['pki_client_database_password']): -- # use randomly generated client 'pin' -- self.mdict['pki_client_database_password'] = \ -- str(self.mdict['pki_client_pin']) -- - # Configuration scriptlet - # 'Security Domain' Configuration name/value pairs - # 'Subsystem Name' Configuration name/value pairs -@@ -1393,7 +1399,7 @@ class PKIConfigParser: - # NOTE: ALWAYS store the PKCS #12 backup keys file - # in with the NSS "server" security databases - 
self.mdict['pki_backup_keys_p12'] = \ -- self.mdict['pki_database_path'] + "/" + \ -+ self.mdict['pki_server_database_path'] + "/" + \ - self.mdict['pki_subsystem'].lower() + "_" + \ - "backup" + "_" + "keys" + "." + "p12" - -diff --git a/base/server/python/pki/server/deployment/scriptlets/configuration.py b/base/server/python/pki/server/deployment/scriptlets/configuration.py -index cf02205..f085e80 100644 ---- a/base/server/python/pki/server/deployment/scriptlets/configuration.py -+++ b/base/server/python/pki/server/deployment/scriptlets/configuration.py -@@ -865,7 +865,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - - deployer.password.create_password_conf( - deployer.mdict['pki_shared_pfile'], -- deployer.mdict['pki_pin'], pin_sans_token=True) -+ deployer.mdict['pki_server_database_password'], pin_sans_token=True) - - # only create a self signed cert for a new instance - # -@@ -884,7 +884,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - f.write("not_so_random_data") - - deployer.certutil.generate_self_signed_certificate( -- deployer.mdict['pki_database_path'], -+ deployer.mdict['pki_server_database_path'], - deployer.mdict['pki_cert_database'], - deployer.mdict['pki_key_database'], - deployer.mdict['pki_secmod_database'], -diff --git a/base/server/python/pki/server/deployment/scriptlets/instance_layout.py b/base/server/python/pki/server/deployment/scriptlets/instance_layout.py -index 568c0a0..e5ce820 100644 ---- a/base/server/python/pki/server/deployment/scriptlets/instance_layout.py -+++ b/base/server/python/pki/server/deployment/scriptlets/instance_layout.py -@@ -162,10 +162,10 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - deployer.systemd.daemon_reload() - - # establish shared NSS security databases for this instance -- deployer.directory.create(deployer.mdict['pki_database_path']) -+ deployer.directory.create(deployer.mdict['pki_server_database_path']) - # establish instance convenience symbolic links - 
deployer.symlink.create( -- deployer.mdict['pki_database_path'], -+ deployer.mdict['pki_server_database_path'], - deployer.mdict['pki_instance_database_link']) - deployer.symlink.create( - deployer.mdict['pki_instance_configuration_path'], -@@ -205,7 +205,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - deployer.directory.delete(deployer.mdict['pki_instance_log_path']) - - # remove shared NSS security database path for this instance -- deployer.directory.delete(deployer.mdict['pki_database_path']) -+ deployer.directory.delete(deployer.mdict['pki_server_database_path']) - # remove Tomcat instance configuration - deployer.directory.delete( - deployer.mdict['pki_instance_configuration_path']) -diff --git a/base/server/python/pki/server/deployment/scriptlets/security_databases.py b/base/server/python/pki/server/deployment/scriptlets/security_databases.py -index 02f4713..7ce32a8 100644 ---- a/base/server/python/pki/server/deployment/scriptlets/security_databases.py -+++ b/base/server/python/pki/server/deployment/scriptlets/security_databases.py -@@ -54,12 +54,12 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - if config.str2bool(deployer.mdict['pki_hsm_enable']): - deployer.password.create_hsm_password_conf( - deployer.mdict['pki_shared_password_conf'], -- deployer.mdict['pki_pin'], -+ deployer.mdict['pki_server_database_password'], - deployer.mdict['pki_token_password']) - else: - deployer.password.create_password_conf( - deployer.mdict['pki_shared_password_conf'], -- deployer.mdict['pki_pin']) -+ deployer.mdict['pki_server_database_password']) - - # Since 'certutil' does NOT strip the 'token=' portion of - # the 'token=password' entries, create a temporary server 'pfile' -@@ -67,11 +67,11 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - # allowing 'certutil' to generate the security databases - deployer.password.create_password_conf( - deployer.mdict['pki_shared_pfile'], -- deployer.mdict['pki_pin'], pin_sans_token=True) 
-+ deployer.mdict['pki_server_database_password'], pin_sans_token=True) - deployer.file.modify(deployer.mdict['pki_shared_password_conf']) - - deployer.certutil.create_security_databases( -- deployer.mdict['pki_database_path'], -+ deployer.mdict['pki_server_database_path'], - deployer.mdict['pki_cert_database'], - deployer.mdict['pki_key_database'], - deployer.mdict['pki_secmod_database'], -@@ -79,7 +79,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - - if config.str2bool(deployer.mdict['pki_hsm_enable']): - deployer.modutil.register_security_module( -- deployer.mdict['pki_database_path'], -+ deployer.mdict['pki_server_database_path'], - deployer.mdict['pki_hsm_modulename'], - deployer.mdict['pki_hsm_libfile']) - deployer.file.modify( -@@ -103,7 +103,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - raise Exception('Missing pki_server_pkcs12_password property.') - - nssdb = pki.nssdb.NSSDatabase( -- directory=deployer.mdict['pki_database_path'], -+ directory=deployer.mdict['pki_server_database_path'], - password_file=deployer.mdict['pki_shared_pfile']) - - try: -@@ -129,7 +129,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - raise Exception('Missing pki_clone_pkcs12_password property.') - - nssdb = pki.nssdb.NSSDatabase( -- directory=deployer.mdict['pki_database_path'], -+ directory=deployer.mdict['pki_server_database_path'], - password_file=deployer.mdict['pki_shared_pfile']) - - try: -@@ -162,7 +162,8 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - nickname=deployer.mdict['pki_audit_signing_nickname'], - trust_attributes='u,u,Pu') - -- print('Imported certificates in %s:' % deployer.mdict['pki_database_path']) -+ print('Imported certificates into %s:' % -+ deployer.mdict['pki_server_database_path']) - - nssdb.show_certs() - -@@ -180,7 +181,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - # the instance will utilize 'softokn' or an HSM - # - rv = 
deployer.certutil.verify_certificate_exists( -- deployer.mdict['pki_database_path'], -+ deployer.mdict['pki_server_database_path'], - deployer.mdict['pki_cert_database'], - deployer.mdict['pki_key_database'], - deployer.mdict['pki_secmod_database'], -@@ -195,7 +196,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - 'pki_ds_secure_connection_ca_trustargs'], - deployer.mdict['pki_ds_secure_connection_ca_pem_file'], - password_file=deployer.mdict['pki_shared_pfile'], -- path=deployer.mdict['pki_database_path'], -+ path=deployer.mdict['pki_server_database_path'], - token=deployer.mdict['pki_self_signed_token']) - - # Always delete the temporary 'pfile' -diff --git a/base/server/python/pki/server/deployment/scriptlets/selinux_setup.py b/base/server/python/pki/server/deployment/scriptlets/selinux_setup.py -index d5e4b0c..7d324d4 100644 ---- a/base/server/python/pki/server/deployment/scriptlets/selinux_setup.py -+++ b/base/server/python/pki/server/deployment/scriptlets/selinux_setup.py -@@ -115,10 +115,10 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - - config.pki_log.info( - "adding selinux fcontext \"%s\"", -- deployer.mdict['pki_database_path'] + self.suffix, -+ deployer.mdict['pki_server_database_path'] + self.suffix, - extra=config.PKI_INDENTATION_LEVEL_2) - fcon.add( -- deployer.mdict['pki_database_path'] + self.suffix, -+ deployer.mdict['pki_server_database_path'] + self.suffix, - config.PKI_CERTDB_SELINUX_CONTEXT, "", "s0", "") - - port_records = seobject.portRecords(trans) -@@ -206,10 +206,10 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - - config.pki_log.info( - "deleting selinux fcontext \"%s\"", -- deployer.mdict['pki_database_path'] + self.suffix, -+ deployer.mdict['pki_server_database_path'] + self.suffix, - extra=config.PKI_INDENTATION_LEVEL_2) - fcon.delete( -- deployer.mdict['pki_database_path'] + -+ deployer.mdict['pki_server_database_path'] + - self.suffix, "") - - port_records = 
seobject.portRecords(trans) -diff --git a/base/server/sbin/pkispawn b/base/server/sbin/pkispawn -index 64c7a67..867a381 100755 ---- a/base/server/sbin/pkispawn -+++ b/base/server/sbin/pkispawn -@@ -760,7 +760,7 @@ def print_external_ca_step_one_information(mdict): - print(" The %s subsystem of the '%s' instance is still incomplete." % - (deployer.subsystem_name, mdict['pki_instance_name'])) - print() -- print(" NSS database: %s" % mdict['pki_database_path']) -+ print(" NSS database: %s" % mdict['pki_server_database_path']) - print() - - signing_csr = mdict['pki_ca_signing_csr_path'] -@@ -781,7 +781,7 @@ def print_kra_step_one_information(mdict): - print(" The %s subsystem of the '%s' instance is still incomplete." % - (deployer.subsystem_name, mdict['pki_instance_name'])) - print() -- print(" NSS database: %s" % mdict['pki_database_path']) -+ print(" NSS database: %s" % mdict['pki_server_database_path']) - print() - - storage_csr = mdict['pki_storage_csr_path'] -@@ -820,7 +820,7 @@ def print_ocsp_step_one_information(mdict): - print(" The %s subsystem of the '%s' instance is still incomplete." % - (deployer.subsystem_name, mdict['pki_instance_name'])) - print() -- print(" NSS database: %s" % mdict['pki_database_path']) -+ print(" NSS database: %s" % mdict['pki_server_database_path']) - print() - - signing_csr = mdict['pki_ocsp_signing_csr_path'] --- -1.8.3.1 - - -From a3d27ed43b9c119cfaff100573d89c2caa08e3b7 Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Fri, 7 Sep 2018 16:32:47 +0200 -Subject: [PATCH 10/13] Fixed password generation in pkispawn - -Previously the NSS database passwords were generated in -pkiparser.py. Under certain scenarios the password may be -overwritten by a subsequent code in pkispawn. To avoid the -problem the code that generates the NSS database passwords -has been moved into the initialization scriptlet. 
- -https://pagure.io/dogtagpki/issue/3061 - -Change-Id: Ieabfaea7465b615f214820d2ed877f4da589dadb -(cherry picked from commit 9a984ee0a709645fe9b6044367ed28076692ee86) ---- - .../python/pki/server/deployment/pkiparser.py | 25 -------------------- - .../server/deployment/scriptlets/initialization.py | 27 ++++++++++++++++++++++ - 2 files changed, 27 insertions(+), 25 deletions(-) - -diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py -index 5b8cdd3..2ea7319 100644 ---- a/base/server/python/pki/server/deployment/pkiparser.py -+++ b/base/server/python/pki/server/deployment/pkiparser.py -@@ -764,31 +764,6 @@ class PKIConfigParser: - - self.deployer.flatten_master_dict() - -- instance = pki.server.PKIInstance(self.mdict['pki_instance_name']) -- instance.load() -- -- internal_token = self.mdict['pki_self_signed_token'] -- -- # if instance already exists and has password, reuse the password -- if internal_token in instance.passwords: -- self.mdict['pki_server_database_password'] = instance.passwords.get(internal_token) -- -- # otherwise, use user-provided password if specified -- elif self.mdict['pki_server_database_password']: -- pass -- -- # otherwise, use user-provided pin if specified -- elif self.mdict['pki_pin']: -- self.mdict['pki_server_database_password'] = self.mdict['pki_pin'] -- -- # otherwise, generate a random password -- else: -- self.mdict['pki_server_database_password'] = pki.generate_password() -- -- # generate random password for client database if not specified -- if not self.mdict['pki_client_database_password']: -- self.mdict['pki_client_database_password'] = pki.generate_password() -- - pkilogging.sensitive_parameters = \ - self.mdict['sensitive_parameters'].split() - -diff --git a/base/server/python/pki/server/deployment/scriptlets/initialization.py b/base/server/python/pki/server/deployment/scriptlets/initialization.py -index efd1536..4515b55 100644 ---- 
a/base/server/python/pki/server/deployment/scriptlets/initialization.py -+++ b/base/server/python/pki/server/deployment/scriptlets/initialization.py -@@ -19,6 +19,7 @@ - # - - from __future__ import absolute_import -+import pki - - # PKI Deployment Imports - from .. import pkiconfig as config -@@ -36,6 +37,32 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - deployer.mdict['pki_subsystem'], - deployer.mdict['pki_instance_name'], - extra=config.PKI_INDENTATION_LEVEL_0) -+ -+ instance = pki.server.PKIInstance(deployer.mdict['pki_instance_name']) -+ instance.load() -+ -+ internal_token = deployer.mdict['pki_self_signed_token'] -+ -+ # if instance already exists and has password, reuse the password -+ if internal_token in instance.passwords: -+ deployer.mdict['pki_server_database_password'] = instance.passwords.get(internal_token) -+ -+ # otherwise, use user-provided password if specified -+ elif deployer.mdict['pki_server_database_password']: -+ pass -+ -+ # otherwise, use user-provided pin if specified -+ elif deployer.mdict['pki_pin']: -+ deployer.mdict['pki_server_database_password'] = deployer.mdict['pki_pin'] -+ -+ # otherwise, generate a random password -+ else: -+ deployer.mdict['pki_server_database_password'] = pki.generate_password() -+ -+ # generate random password for client database if not specified -+ if not deployer.mdict['pki_client_database_password']: -+ deployer.mdict['pki_client_database_password'] = pki.generate_password() -+ - # ALWAYS initialize 'uid' and 'gid' - deployer.identity.add_uid_and_gid(deployer.mdict['pki_user'], - deployer.mdict['pki_group']) --- -1.8.3.1 - - -From 4886a7f4fa3678cd26c7c38c5140784dc53b76b5 Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Tue, 2 Oct 2018 18:11:43 +0200 -Subject: [PATCH 11/13] Updated pki-server subsystem-cert-validate output - -The pki-server subsystem-cert-validate CLI has been modified to -show the actual message generated by NSS if the validation fails. 
- -(cherry picked from commit eb8baf8b51e3c897caddbc16df2fd226308a0876) ---- - base/server/python/pki/server/cli/subsystem.py | 7 ++++--- - 1 file changed, 4 insertions(+), 3 deletions(-) - -diff --git a/base/server/python/pki/server/cli/subsystem.py b/base/server/python/pki/server/cli/subsystem.py -index 57093d4..068d1db 100644 ---- a/base/server/python/pki/server/cli/subsystem.py -+++ b/base/server/python/pki/server/cli/subsystem.py -@@ -1038,10 +1038,11 @@ class SubsystemCertValidateCLI(pki.cli.CLI): - return True - - except subprocess.CalledProcessError as e: -- if e.returncode == 1: -- print(' Status: INVALID') -+ if e.output: -+ status = e.output.decode('utf-8') - else: -- print(' Status: ERROR: %s' % e.output) -+ status = 'ERROR' -+ print(' Status: %s' % status) - return False - - finally: --- -1.8.3.1 - - -From 0115c05727962dac2bdb3865388144315719a0b0 Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Fri, 24 Aug 2018 03:36:15 +0200 -Subject: [PATCH 12/13] Added docs for installation with custom keys - -https://pagure.io/dogtagpki/issue/3053 - -Change-Id: I8f8fdbb7cc1888092bd7ba686a626137113ed2d5 -(cherry picked from commit a8405a1f8bd4c3fd10213725a32da0419e622252) ---- - .../Installing_CA_with_Custom_CA_Signing_Key.md | 169 ++++++++++++++++++ - .../Installing_KRA_with_Custom_Keys.md | 190 +++++++++++++++++++++ - .../Installing_OCSP_with_Custom_Keys.md | 183 ++++++++++++++++++++ - 3 files changed, 542 insertions(+) - create mode 100644 docs/installation/Installing_CA_with_Custom_CA_Signing_Key.md - create mode 100644 docs/installation/Installing_KRA_with_Custom_Keys.md - create mode 100644 docs/installation/Installing_OCSP_with_Custom_Keys.md - -diff --git a/docs/installation/Installing_CA_with_Custom_CA_Signing_Key.md b/docs/installation/Installing_CA_with_Custom_CA_Signing_Key.md -new file mode 100644 -index 0000000..5cdf786 ---- /dev/null -+++ b/docs/installation/Installing_CA_with_Custom_CA_Signing_Key.md -@@ -0,0 +1,169 @@ -+Installing CA with 
Custom CA Signing Key -+======================================== -+ -+Overview -+-------- -+ -+This page describes the process to install a CA subsystem with a custom CA signing key, CSR, and certificate. -+ -+Starting CA Subsystem Installation -+---------------------------------- -+ -+Prepare a file (e.g. ca-step1.cfg) that contains the deployment configuration step 1, for example: -+ -+``` -+[DEFAULT] -+pki_server_database_password=Secret.123 -+ -+[CA] -+pki_admin_email=caadmin@example.com -+pki_admin_name=caadmin -+pki_admin_nickname=caadmin -+pki_admin_password=Secret.123 -+pki_admin_uid=caadmin -+ -+pki_client_database_password=Secret.123 -+pki_client_database_purge=False -+pki_client_pkcs12_password=Secret.123 -+ -+pki_ds_base_dn=dc=ca,dc=pki,dc=example,dc=com -+pki_ds_database=ca -+pki_ds_password=Secret.123 -+ -+pki_security_domain_name=EXAMPLE -+ -+pki_ca_signing_nickname=ca_signing -+pki_ocsp_signing_nickname=ca_ocsp_signing -+pki_audit_signing_nickname=ca_audit_signing -+pki_sslserver_nickname=sslserver -+pki_subsystem_nickname=subsystem -+ -+pki_external=True -+pki_external_step_two=False -+``` -+ -+Then execute the following command: -+ -+``` -+$ pkispawn -f ca-step1.cfg -s CA -+``` -+ -+It will install CA subsystem in a Tomcat instance (default is pki-tomcat) and create the following NSS databases: -+* server NSS database: /etc/pki/pki-tomcat/alias -+* admin NSS database: ~/.dogtag/pki-tomcat/ca/alias -+ -+Since there is no CSR path parameter specified, it will not generate the CA signing key by default. -+ -+Generating CA Signing Key, CSR, and Certificate -+----------------------------------------------- -+ -+Generate a custom CA signing key in the server NSS database, then generate a CSR and store it in a file (e.g. ca_signing.csr). 
-+ -+Use the CSR to issue the CA signing certificate: -+* for root CA installation, generate a self-signed CA signing certificate -+* for subordinate CA installation, submit the CSR to an external CA to issue the CA signing certificate -+ -+Store the CA signing certificate in a file (e.g. ca_signing.crt). The CA signing certificate can be specified as a single certificate or a PKCS #7 certificate chain in PEM format. -+ -+If the CA signing certificate was issued by an external CA, store the external CA certificate chain in a file (e.g. external.crt). The certificate chain can be specified as a single certificate or a PKCS #7 certificate chain in PEM format. The certificate chain should include all CA certificates from the root CA to the external CA that issued the CA signing certificate, but it should not include the CA signing certificate itself. -+ -+See also: -+* [Generating CA Signing Certificate](http://www.dogtagpki.org/wiki/Generating_CA_Signing_Certificate) -+ -+Finishing CA Subsystem Installation -+----------------------------------- -+ -+Prepare another file (e.g. ca-step2.cfg) that contains the deployment configuration step 2. The file can be copied from step 1 (i.e. ca-step1.cfg) with additional changes below. 
-+ -+Specify step 2 with the following parameter: -+ -+``` -+pki_external_step_two=True -+``` -+ -+Specify the custom CA signing CSR with the following parameter: -+ -+``` -+pki_ca_signing_csr_path=ca_signing.csr -+``` -+ -+Specify the custom CA signing certificate with the following parameter: -+ -+``` -+pki_ca_signing_cert_path=ca_signing.crt -+``` -+ -+If the CA signing certificate was issued by an external CA, specify the external CA certificate chain with the following parameters: -+ -+``` -+pki_cert_chain_nickname=external -+pki_cert_chain_path=external.crt -+``` -+ -+Finally, execute the following command: -+ -+``` -+$ pkispawn -f ca-step2.cfg -s CA -+``` -+ -+Verifying System Certificates -+----------------------------- -+ -+Verify that the server NSS database contains the following certificates: -+ -+``` -+$ certutil -L -d /etc/pki/pki-tomcat/alias -+ -+Certificate Nickname Trust Attributes -+ SSL,S/MIME,JAR/XPI -+ -+external CT,C,C -+ca_signing CTu,Cu,Cu -+ca_ocsp_signing u,u,u -+subsystem u,u,u -+ca_audit_signing u,u,Pu -+sslserver u,u,u -+``` -+ -+Verifying Admin Certificate -+--------------------------- -+ -+Prepare a client NSS database (e.g. 
~/.dogtag/nssdb): -+ -+``` -+$ pki -c Secret.123 client-init -+``` -+ -+Import the external CA certificate chain: -+ -+``` -+$ pki -c Secret.123 client-cert-import --ca-cert external.crt -+``` -+ -+Import the CA signing certificate: -+ -+``` -+$ pki -c Secret.123 client-cert-import ca_signing --ca-cert ca_signing.crt -+``` -+ -+Import admin key and certificate: -+ -+``` -+$ pki -c Secret.123 client-cert-import \ -+ --pkcs12 ~/.dogtag/pki-tomcat/ca_admin_cert.p12 \ -+ --pkcs12-password-file ~/.dogtag/pki-tomcat/ca/pkcs12_password.conf -+``` -+ -+Verify that the admin certificate can be used to access the CA subsystem by executing the following command: -+ -+``` -+$ pki -c Secret.123 -n caadmin ca-user-show caadmin -+-------------- -+User "caadmin" -+-------------- -+ User ID: caadmin -+ Full name: caadmin -+ Email: caadmin@example.com -+ Type: adminType -+ State: 1 -+``` -diff --git a/docs/installation/Installing_KRA_with_Custom_Keys.md b/docs/installation/Installing_KRA_with_Custom_Keys.md -new file mode 100644 -index 0000000..e555363 ---- /dev/null -+++ b/docs/installation/Installing_KRA_with_Custom_Keys.md -@@ -0,0 +1,190 @@ -+Installing KRA with Custom Keys -+=============================== -+ -+Overview -+-------- -+ -+This page describes the process to install a KRA subsystem with custom KRA system and admin keys, CSRs, and certificates. -+ -+Starting KRA Subsystem Installation -+----------------------------------- -+ -+Prepare a file (e.g. 
kra-step1.cfg) that contains the deployment configuration step 1, for example: -+ -+``` -+[DEFAULT] -+pki_server_database_password=Secret.123 -+ -+[KRA] -+pki_admin_email=kraadmin@example.com -+pki_admin_name=kraadmin -+pki_admin_nickname=kraadmin -+pki_admin_password=Secret.123 -+pki_admin_uid=kraadmin -+ -+pki_client_database_password=Secret.123 -+pki_client_database_purge=False -+pki_client_pkcs12_password=Secret.123 -+ -+pki_ds_base_dn=dc=kra,dc=pki,dc=example,dc=com -+pki_ds_database=kra -+pki_ds_password=Secret.123 -+ -+pki_security_domain_name=EXAMPLE -+pki_security_domain_user=caadmin -+pki_security_domain_password=Secret.123 -+ -+pki_storage_nickname=kra_storage -+pki_transport_nickname=kra_transport -+pki_subsystem_nickname=subsystem -+pki_sslserver_nickname=sslserver -+pki_audit_signing_nickname=kra_audit_signing -+ -+pki_external=True -+pki_external_step_two=False -+``` -+ -+Then execute the following command: -+ -+``` -+$ pkispawn -f kra-step1.cfg -s KRA -+``` -+ -+It will install KRA subsystem in a Tomcat instance (default is pki-tomcat) and create the following NSS databases: -+* server NSS database: /etc/pki/pki-tomcat/alias -+* admin NSS database: ~/dogtag/pki-tomcat/kra/alias -+ -+Since there are no CSR path parameters specified, it will not generate KRA system and admin keys. 
-+ -+Generating KRA Keys, CSRs, and Certificates -+------------------------------------------- -+ -+Generate custom KRA system keys in the server NSS database and admin key in the admin NSS database, then generate the CSRs and store them in files, for example: -+* kra_storage.csr -+* kra_transport.csr -+* subsystem.csr -+* sslserver.csr -+* kra_audit_signing.csr -+* kra_admin.csr -+ -+Submit the CSRs to an external CA to issue the certificates, then store the certificates in files, for example: -+* kra_storage.crt -+* kra_transport.crt -+* subsystem.crt -+* sslserver.crt -+* kra_audit_signing.crt -+* kra_admin.crt -+ -+The certificates can be specified as single certificates or PKCS #7 certificate chains in PEM format. -+ -+Store the external CA certificate chain in a file (e.g. ca_signing.crt). The certificate chain can be specified as a single certificate or PKCS #7 certificate chain in PEM format. The certificate chain should include all CA certificates from the root CA to the external CA that issued the KRA system and admin certificates. -+ -+See also: -+* [Generating KRA Storage Certificate](http://www.dogtagpki.org/wiki/Generating_KRA_Storage_Certificate) -+* [Generating KRA Transport Certificate](http://www.dogtagpki.org/wiki/Generating_KRA_Transport_Certificate) -+* [Generating Subsystem Certificate](http://www.dogtagpki.org/wiki/Generating_Subsystem_Certificate) -+* [Generating SSL Server Certificate](http://www.dogtagpki.org/wiki/Generating_SSL_Server_Certificate) -+* [Generating Audit Signing Certificate](http://www.dogtagpki.org/wiki/Generating_Audit_Signing_Certificate) -+* [Generating Admin Certificate](http://www.dogtagpki.org/wiki/Generating_Admin_Certificate) -+ -+Finishing KRA Subsystem Installation -+------------------------------------ -+ -+Prepare another file (e.g. kra-step2.cfg) that contains the deployment configuration step 2. The file can be copied from step 1 (i.e. kra-step1.cfg) with additional changes below. 
-+ -+Specify step 2 with the following parameter: -+ -+``` -+pki_external_step_two=True -+``` -+ -+Specify the custom CSRs with the following parameters: -+ -+``` -+pki_storage_csr_path=kra_storage.csr -+pki_transport_csr_path=kra_transport.csr -+pki_subsystem_csr_path=subsystem.csr -+pki_sslserver_csr_path=sslserver.csr -+pki_audit_signing_csr_path=kra_audit_signing.csr -+pki_admin_csr_path=kra_admin.csr -+``` -+ -+Specify the custom certificates with the following parameters: -+ -+``` -+pki_storage_cert_path=kra_storage.crt -+pki_transport_cert_path=kra_transport.crt -+pki_subsystem_cert_path=subsystem.crt -+pki_sslserver_cert_path=sslserver.crt -+pki_audit_signing_cert_path=kra_audit_signing.crt -+pki_admin_cert_path=kra_admin.crt -+``` -+ -+Specify the external CA certificate chain with the following parameters: -+ -+``` -+pki_cert_chain_nickname=ca_signing -+pki_cert_chain_path=ca_signing.crt -+``` -+ -+Finally, execute the following command: -+ -+``` -+$ pkispawn -f kra-step2.cfg -s KRA -+``` -+ -+Verifying System Certificates -+----------------------------- -+ -+Verify that the server NSS database contains the following certificates: -+ -+``` -+$ certutil -L -d /etc/pki/pki-tomcat/alias -+ -+Certificate Nickname Trust Attributes -+ SSL,S/MIME,JAR/XPI -+ -+ca_signing CT,C,C -+kra_storage CTu,Cu,Cu -+kra_transport u,u,u -+subsystem u,u,u -+kra_audit_signing u,u,Pu -+sslserver u,u,u -+``` -+ -+Verifying Admin Certificate -+--------------------------- -+ -+Prepare a client NSS database (e.g. 
~/.dogtag/nssdb): -+ -+``` -+$ pki -c Secret.123 client-init -+``` -+ -+Import the external CA certificate chain: -+ -+``` -+$ pki -c Secret.123 client-cert-import --ca-cert ca_signing.crt -+``` -+ -+Import the admin key and certificate: -+ -+``` -+$ pki -c Secret.123 client-cert-import \ -+ --pkcs12 ~/.dogtag/pki-tomcat/kra_admin_cert.p12 \ -+ --pkcs12-password-file ~/.dogtag/pki-tomcat/ca/pkcs12_password.conf -+``` -+ -+Verify that the admin certificate can be used to access KRA by executing the following command: -+ -+``` -+$ pki -c Secret.123 -n kraadmin kra-user-show kraadmin -+--------------- -+User "kraadmin" -+--------------- -+ User ID: kraadmin -+ Full name: kraadmin -+ Email: kraadmin@example.com -+ Type: adminType -+ State: 1 -+``` -diff --git a/docs/installation/Installing_OCSP_with_Custom_Keys.md b/docs/installation/Installing_OCSP_with_Custom_Keys.md -new file mode 100644 -index 0000000..dca4f79 ---- /dev/null -+++ b/docs/installation/Installing_OCSP_with_Custom_Keys.md -@@ -0,0 +1,183 @@ -+Installing OCSP with Custom Keys -+================================ -+ -+Overview -+-------- -+ -+This page describes the process to install a OCSP subsystem with custom OCSP system and admin keys, CSRs, and certificates. -+ -+Starting OCSP Subsystem Installation -+------------------------------------ -+ -+Prepare a file (e.g. 
ocsp-step1.cfg) that contains the deployment configuration step 1, for example: -+ -+``` -+[DEFAULT] -+pki_server_database_password=Secret.123 -+ -+[OCSP] -+pki_admin_email=ocspadmin@example.com -+pki_admin_name=ocspadmin -+pki_admin_nickname=ocspadmin -+pki_admin_password=Secret.123 -+pki_admin_uid=ocspadmin -+ -+pki_client_database_password=Secret.123 -+pki_client_database_purge=False -+pki_client_pkcs12_password=Secret.123 -+ -+pki_ds_base_dn=dc=ocsp,dc=pki,dc=example,dc=com -+pki_ds_database=ocsp -+pki_ds_password=Secret.123 -+ -+pki_security_domain_name=EXAMPLE -+pki_security_domain_user=caadmin -+pki_security_domain_password=Secret.123 -+ -+pki_ocsp_signing_nickname=ocsp_signing -+pki_subsystem_nickname=subsystem -+pki_sslserver_nickname=sslserver -+pki_audit_signing_nickname=ocsp_audit_signing -+ -+pki_external=True -+pki_external_step_two=False -+``` -+ -+Then execute the following command: -+ -+``` -+$ pkispawn -f ocsp-step1.cfg -s OCSP -+``` -+ -+It will install OCSP subsystem in a Tomcat instance (default is pki-tomcat) and create the following NSS databases: -+* server NSS database: /etc/pki/pki-tomcat/alias -+* admin NSS database: ~/.dogtag/pki-tomcat/ocsp/alias -+ -+Since there are no CSR path parameters specified, it will not generate the OCSP system and admin keys. -+ -+Generating OCSP Keys, CSRs, and Certificates -+-------------------------------------------- -+ -+Generate custom OCSP system keys in the server NSS database and admin key in the admin NSS database, then generate the CSRs and store them in files, for example: -+* ocsp_signing.csr -+* subsystem.csr -+* sslserver.csr -+* ocsp_audit_signing.csr -+* ocsp_admin.csr -+ -+Submit the CSRs to an external CA to issue the certificates, then store the certificates in files, for example: -+* ocsp_signing.crt -+* subsystem.crt -+* sslserver.crt -+* ocsp_audit_signing.crt -+* ocsp_admin.crt -+ -+The certificates can be specified as single certificates or PKCS #7 certificate chains in PEM format. 
-+ -+Store the external CA certificate chain in a file (e.g. ca_signing.crt). The certificate chain can be specified as a single certificate or PKCS #7 certificate chain in PEM format. The certificate chain should include all CA certificates from the root CA to the external CA that issued the OCSP system and admin certificates. -+ -+See also: -+* [Generating OCSP Signing Certificate](http://www.dogtagpki.org/wiki/Generating_OCSP_Signing_Certificate) -+* [Generating Subsystem Certificate](http://www.dogtagpki.org/wiki/Generating_Subsystem_Certificate) -+* [Generating SSL Server Certificate](http://www.dogtagpki.org/wiki/Generating_SSL_Server_Certificate) -+* [Generating Audit Signing Certificate](http://www.dogtagpki.org/wiki/Generating_Audit_Signing_Certificate) -+* [Generating Admin Certificate](http://www.dogtagpki.org/wiki/Generating_Admin_Certificate) -+ -+Finishing OCSP Subsystem Installation -+------------------------------------- -+ -+Prepare another file (e.g. ocsp-step2.cfg) that contains the deployment configuration step 2. The file can be copied from step 1 (i.e. ocsp-step1.cfg) with additional changes below. 
-+ -+Specify step 2 with the following parameter: -+ -+``` -+pki_external_step_two=True -+``` -+ -+Specify the custom CSRs with the following parameters: -+ -+``` -+pki_ocsp_signing_csr_path=ocsp_signing.csr -+pki_subsystem_csr_path=subsystem.csr -+pki_sslserver_csr_path=sslserver.csr -+pki_audit_signing_csr_path=ocsp_audit_signing.csr -+pki_admin_csr_path=ocsp_admin.csr -+``` -+ -+Specify the custom certificates with the following parameters: -+ -+``` -+pki_ocsp_signing_cert_path=ocsp_signing.crt -+pki_subsystem_cert_path=subsystem.crt -+pki_sslserver_cert_path=sslserver.crt -+pki_audit_signing_cert_path=ocsp_audit_signing.crt -+pki_admin_cert_path=ocsp_admin.crt -+``` -+ -+Specify the external CA certificate chain with the following parameters: -+ -+``` -+pki_cert_chain_nickname=ca_signing -+pki_cert_chain_path=ca_signing.crt -+``` -+ -+Finally, execute the following command: -+ -+``` -+$ pkispawn -f ocsp-step2.cfg -s OCSP -+``` -+ -+Verifying System Certificates -+----------------------------- -+ -+Verify that the server NSS database contains the following certificates: -+ -+``` -+$ certutil -L -d /etc/pki/pki-tomcat/alias -+ -+Certificate Nickname Trust Attributes -+ SSL,S/MIME,JAR/XPI -+ -+ca_signing CT,C,C -+ocsp_signing CTu,Cu,Cu -+subsystem u,u,u -+ocsp_audit_signing u,u,Pu -+sslserver u,u,u -+``` -+ -+Verifying Admin Certificate -+--------------------------- -+ -+Prepare a client NSS database (e.g. 
~/.dogtag/nssdb): -+ -+``` -+$ pki -c Secret.123 client-init -+``` -+ -+Import the external CA certificate chain: -+ -+``` -+$ pki -c Secret.123 client-cert-import --ca-cert ca_signing.crt -+``` -+ -+Import the admin key and certificate: -+ -+``` -+$ pki -c Secret.123 client-cert-import \ -+ --pkcs12 ~/.dogtag/pki-tomcat/ocsp_admin_cert.p12 \ -+ --pkcs12-password-file ~/.dogtag/pki-tomcat/ca/pkcs12_password.conf -+``` -+ -+Verify that the admin certificate can be used to access the OCSP subsystem by executing the following command: -+ -+``` -+$ pki -c Secret.123 -n ocspadmin ocsp-user-show ocspadmin -+---------------- -+User "ocspadmin" -+---------------- -+ User ID: ocspadmin -+ Full name: ocspadmin -+ Email: ocspadmin@example.com -+ Type: adminType -+ State: 1 -+``` --- -1.8.3.1 - - -From 253f16813de60b1951b769a437c92322e36647bf Mon Sep 17 00:00:00 2001 -From: Christina Fu -Date: Fri, 9 Nov 2018 11:06:57 -0800 -Subject: [PATCH 13/13] bug 1653863 tools supporting CMC requests output keyID - needs to be captured in file - -This patch adds code in both CRMFPopClient and PKCS10Client to automatically -write the private key id into a file named .keyId so that -they can be featched later for CMCRequest -is the name of the file specified with the "-o" option. - -This patch also changed all references from "CMC self-test" to -"CMC shared secret" instead. - -A test feature is also added to CMCRequest. 
- -fixes https://bugzilla.redhat.com/show_bug.cgi?id=1655951 - -Change-Id: Iaf2772be54f9937da456655cdec688f13f6e8b71 -(cherry picked from commit cb99e112b9421f6fe98b4ac5ab5885c28ee958c3) ---- - base/ca/shared/conf/CS.cfg | 10 +- - base/ca/shared/conf/registry.cfg | 8 +- - .../profiles/ca/caECFullCMCSelfSignedCert.cfg | 82 -------- - .../profiles/ca/caECFullCMCSharedTokenCert.cfg | 82 ++++++++ - .../shared/profiles/ca/caFullCMCSelfSignedCert.cfg | 82 -------- - .../profiles/ca/caFullCMCSharedTokenCert.cfg | 82 ++++++++ - base/java-tools/man/man1/CMCRequest.1 | 22 +- - base/java-tools/man/man1/PKCS10Client.1 | 3 +- - .../src/com/netscape/cmstools/CMCRequest.java | 227 ++++++++++++++++----- - .../src/com/netscape/cmstools/CRMFPopClient.java | 22 +- - .../src/com/netscape/cmstools/PKCS10Client.java | 24 ++- - .../CMCSelfSignedSubjectNameConstraint.java | 129 ------------ - .../CMCSharedTokenSubjectNameConstraint.java | 130 ++++++++++++ - 13 files changed, 526 insertions(+), 377 deletions(-) - delete mode 100644 base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg - create mode 100644 base/ca/shared/profiles/ca/caECFullCMCSharedTokenCert.cfg - delete mode 100644 base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg - create mode 100644 base/ca/shared/profiles/ca/caFullCMCSharedTokenCert.cfg - delete mode 100644 base/server/cms/src/com/netscape/cms/profile/constraint/CMCSelfSignedSubjectNameConstraint.java - create mode 100644 base/server/cms/src/com/netscape/cms/profile/constraint/CMCSharedTokenSubjectNameConstraint.java - -diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg -index 4cef240..29d4fd4 100644 ---- a/base/ca/shared/conf/CS.cfg -+++ b/base/ca/shared/conf/CS.cfg -@@ -975,7 +975,7 @@ oidmap.pse.oid=2.16.840.1.113730.1.18 - oidmap.subject_info_access.class=netscape.security.extensions.SubjectInfoAccessExtension - oidmap.subject_info_access.oid=1.3.6.1.5.5.7.1.11 - os.userid=nobody 
--profile.list=caCMCserverCert,caCMCECserverCert,caCMCECsubsystemCert,caCMCsubsystemCert,caCMCauditSigningCert,caCMCcaCert,caCMCocspCert,caCMCkraTransportCert,caCMCkraStorageCert,caUserCert,caECUserCert,caUserSMIMEcapCert,caDualCert,caDirBasedDualCert,AdminCert,ECAdminCert,caSignedLogCert,caTPSCert,caRARouterCert,caRouterCert,caServerCert,caECServerCert,caSubsystemCert,caECSubsystemCert,caOtherCert,caCACert,caCMCcaCert,caCrossSignedCACert,caInstallCACert,caRACert,caOCSPCert,caStorageCert,caTransportCert,caDirPinUserCert,caECDirPinUserCert,caDirUserCert,caECDirUserCert,caAgentServerCert,caECAgentServerCert,caAgentFileSigning,caCMCUserCert,caCMCECUserCert,caFullCMCUserCert,caECFullCMCUserCert,caFullCMCUserSignedCert,caECFullCMCUserSignedCert,caFullCMCSelfSignedCert,caECFullCMCSelfSignedCert,caSimpleCMCUserCert,caECSimpleCMCUserCert,caTokenDeviceKeyEnrollment,caTokenUserEncryptionKeyEnrollment,caTokenUserSigningKeyEnrollment,caTempTokenDeviceKeyEnrollment,caTempTokenUserEncryptionKeyEnrollment,caTempTokenUserSigningKeyEnrollment,caAdminCert,caECAdminCert,caInternalAuthServerCert,caECInternalAuthServerCert,caInternalAuthTransportCert,caInternalAuthDRMstorageCert,caInternalAuthSubsystemCert,caECInternalAuthSubsystemCert,caInternalAuthOCSPCert,caInternalAuthAuditSigningCert,DomainController,caDualRAuserCert,caRAagentCert,caRAserverCert,caUUIDdeviceCert,caSSLClientSelfRenewal,caDirUserRenewal,caManualRenewal,caTokenMSLoginEnrollment,caTokenUserSigningKeyRenewal,caTokenUserEncryptionKeyRenewal,caTokenUserAuthKeyRenewal,caJarSigningCert,caIPAserviceCert,caEncUserCert,caSigningUserCert,caTokenUserDelegateAuthKeyEnrollment,caTokenUserDelegateSigningKeyEnrollment 
-+profile.list=caCMCserverCert,caCMCECserverCert,caCMCECsubsystemCert,caCMCsubsystemCert,caCMCauditSigningCert,caCMCcaCert,caCMCocspCert,caCMCkraTransportCert,caCMCkraStorageCert,caUserCert,caECUserCert,caUserSMIMEcapCert,caDualCert,caDirBasedDualCert,AdminCert,ECAdminCert,caSignedLogCert,caTPSCert,caRARouterCert,caRouterCert,caServerCert,caECServerCert,caSubsystemCert,caECSubsystemCert,caOtherCert,caCACert,caCMCcaCert,caCrossSignedCACert,caInstallCACert,caRACert,caOCSPCert,caStorageCert,caTransportCert,caDirPinUserCert,caECDirPinUserCert,caDirUserCert,caECDirUserCert,caAgentServerCert,caECAgentServerCert,caAgentFileSigning,caCMCUserCert,caCMCECUserCert,caFullCMCUserCert,caECFullCMCUserCert,caFullCMCUserSignedCert,caECFullCMCUserSignedCert,caFullCMCSharedTokenCert,caECFullCMCSharedTokenCert,caSimpleCMCUserCert,caECSimpleCMCUserCert,caTokenDeviceKeyEnrollment,caTokenUserEncryptionKeyEnrollment,caTokenUserSigningKeyEnrollment,caTempTokenDeviceKeyEnrollment,caTempTokenUserEncryptionKeyEnrollment,caTempTokenUserSigningKeyEnrollment,caAdminCert,caECAdminCert,caInternalAuthServerCert,caECInternalAuthServerCert,caInternalAuthTransportCert,caInternalAuthDRMstorageCert,caInternalAuthSubsystemCert,caECInternalAuthSubsystemCert,caInternalAuthOCSPCert,caInternalAuthAuditSigningCert,DomainController,caDualRAuserCert,caRAagentCert,caRAserverCert,caUUIDdeviceCert,caSSLClientSelfRenewal,caDirUserRenewal,caManualRenewal,caTokenMSLoginEnrollment,caTokenUserSigningKeyRenewal,caTokenUserEncryptionKeyRenewal,caTokenUserAuthKeyRenewal,caJarSigningCert,caIPAserviceCert,caEncUserCert,caSigningUserCert,caTokenUserDelegateAuthKeyEnrollment,caTokenUserDelegateSigningKeyEnrollment - profile.caUUIDdeviceCert.class_id=caEnrollImpl - profile.caUUIDdeviceCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caUUIDdeviceCert.cfg - profile.caManualRenewal.class_id=caEnrollImpl -@@ -1050,10 +1050,10 @@ profile.caFullCMCUserSignedCert.class_id=caEnrollImpl - 
profile.caFullCMCUserSignedCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caFullCMCUserSignedCert.cfg - profile.caECFullCMCUserSignedCert.class_id=caEnrollImpl - profile.caECFullCMCUserSignedCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caECFullCMCUserSignedCert.cfg --profile.caFullCMCSelfSignedCert.class_id=caEnrollImpl --profile.caFullCMCSelfSignedCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caFullCMCSelfSignedCert.cfg --profile.caECFullCMCSelfSignedCert.class_id=caEnrollImpl --profile.caECFullCMCSelfSignedCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caECFullCMCSelfSignedCert.cfg -+profile.caFullCMCSharedTokenCert.class_id=caEnrollImpl -+profile.caFullCMCSharedTokenCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caFullCMCSharedTokenCert.cfg -+profile.caECFullCMCSharedTokenCert.class_id=caEnrollImpl -+profile.caECFullCMCSharedTokenCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caECFullCMCSharedTokenCert.cfg - profile.caInternalAuthOCSPCert.class_id=caEnrollImpl - profile.caInternalAuthOCSPCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caInternalAuthOCSPCert.cfg - profile.caInternalAuthAuditSigningCert.class_id=caEnrollImpl -diff --git a/base/ca/shared/conf/registry.cfg b/base/ca/shared/conf/registry.cfg -index 4fe6e93..a78af86 100644 ---- a/base/ca/shared/conf/registry.cfg -+++ b/base/ca/shared/conf/registry.cfg -@@ -1,5 +1,5 @@ - types=profile,defaultPolicy,constraintPolicy,profileInput,profileOutput,profileUpdater 
--constraintPolicy.ids=noConstraintImpl,subjectNameConstraintImpl,uniqueSubjectNameConstraintImpl,userSubjectNameConstraintImpl,cmcSelfSignedSubjectNameConstraintImpl,cmcUserSignedSubjectNameConstraintImpl,caValidityConstraintImpl,validityConstraintImpl,keyUsageExtConstraintImpl,nsCertTypeExtConstraintImpl,extendedKeyUsageExtConstraintImpl,keyConstraintImpl,basicConstraintsExtConstraintImpl,extensionConstraintImpl,signingAlgConstraintImpl,uniqueKeyConstraintImpl,renewGracePeriodConstraintImpl,authzRealmConstraintImpl,externalProcessConstraintImpl -+constraintPolicy.ids=noConstraintImpl,subjectNameConstraintImpl,uniqueSubjectNameConstraintImpl,userSubjectNameConstraintImpl,cmcSharedTokenSubjectNameConstraintImpl,cmcUserSignedSubjectNameConstraintImpl,caValidityConstraintImpl,validityConstraintImpl,keyUsageExtConstraintImpl,nsCertTypeExtConstraintImpl,extendedKeyUsageExtConstraintImpl,keyConstraintImpl,basicConstraintsExtConstraintImpl,extensionConstraintImpl,signingAlgConstraintImpl,uniqueKeyConstraintImpl,renewGracePeriodConstraintImpl,authzRealmConstraintImpl,externalProcessConstraintImpl - constraintPolicy.signingAlgConstraintImpl.class=com.netscape.cms.profile.constraint.SigningAlgConstraint - constraintPolicy.signingAlgConstraintImpl.desc=Signing Algorithm Constraint - constraintPolicy.signingAlgConstraintImpl.name=Signing Algorithm Constraint -@@ -36,9 +36,9 @@ constraintPolicy.uniqueSubjectNameConstraintImpl.name=Unique Subject Name Constr - constraintPolicy.userSubjectNameConstraintImpl.class=com.netscape.cms.profile.constraint.UserSubjectNameConstraint - constraintPolicy.userSubjectNameConstraintImpl.desc=User Subject Name Constraint - constraintPolicy.userSubjectNameConstraintImpl.name=User Subject Name Constraint --constraintPolicy.cmcSelfSignedSubjectNameConstraintImpl.class=com.netscape.cms.profile.constraint.CMCSelfSignedSubjectNameConstraint --constraintPolicy.cmcSelfSignedSubjectNameConstraintImpl.desc=CMC Self-Signed request User Subject Name 
Constraint --constraintPolicy.cmcSelfSignedSubjectNameConstraintImpl.name=CMC Self-Signed request User Subject Name Constraint -+constraintPolicy.cmcSharedTokenSubjectNameConstraintImpl.class=com.netscape.cms.profile.constraint.CMCSharedTokenSubjectNameConstraint -+constraintPolicy.cmcSharedTokenSubjectNameConstraintImpl.desc=CMC Shared Token request User Subject Name Constraint -+constraintPolicy.cmcSharedTokenSubjectNameConstraintImpl.name=CMC Shared Token request User Subject Name Constraint - constraintPolicy.cmcUserSignedSubjectNameConstraintImpl.class=com.netscape.cms.profile.constraint.CMCUserSignedSubjectNameConstraint - constraintPolicy.cmcUserSignedSubjectNameConstraintImpl.desc=CMC User-Signed request User Subject Name Constraint - constraintPolicy.cmcUserSignedSubjectNameConstraintImpl.name=CMC User-Signed request User Subject Name Constraint -diff --git a/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg b/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg -deleted file mode 100644 -index b3cc471..0000000 ---- a/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg -+++ /dev/null -@@ -1,82 +0,0 @@ --desc=This certificate profile is for enrolling user certificates with ECC keys by using the self-signed CMC certificate request --enable=false --enableBy=admin --name=Self-Signed CMC User Certificate Enrollment --visible=false --auth.instance_id=CMCUserSignedAuth --input.list=i1 --input.i1.class_id=cmcCertReqInputImpl --output.list=o1 --output.o1.class_id=certOutputImpl --policyset.list=cmcUserCertSet --policyset.cmcUserCertSet.list=1,2,3,4,5,6,7,8 --policyset.cmcUserCertSet.1.constraint.class_id=cmcSelfSignedSubjectNameConstraintImpl --policyset.cmcUserCertSet.1.constraint.name=CMC User-Signed Subject Name Constraint --policyset.cmcUserCertSet.1.default.class_id=authTokenSubjectNameDefaultImpl --policyset.cmcUserCertSet.1.default.name=Subject Name Default --policyset.cmcUserCertSet.1.default.params.name= 
--policyset.cmcUserCertSet.2.constraint.class_id=validityConstraintImpl --policyset.cmcUserCertSet.2.constraint.name=Validity Constraint --policyset.cmcUserCertSet.2.constraint.params.notAfterCheck=false --policyset.cmcUserCertSet.2.constraint.params.notBeforeCheck=false --policyset.cmcUserCertSet.2.constraint.params.range=365 --policyset.cmcUserCertSet.2.default.class_id=validityDefaultImpl --policyset.cmcUserCertSet.2.default.name=Validity Default --policyset.cmcUserCertSet.2.default.params.range=180 --policyset.cmcUserCertSet.2.default.params.startTime=0 --policyset.cmcUserCertSet.3.constraint.class_id=keyConstraintImpl --policyset.cmcUserCertSet.3.constraint.name=Key Constraint --policyset.cmcUserCertSet.3.constraint.params.keyParameters=nistp256,nistp521 --policyset.cmcUserCertSet.3.constraint.params.keyType=EC --policyset.cmcUserCertSet.3.default.class_id=userKeyDefaultImpl --policyset.cmcUserCertSet.3.default.name=Key Default --policyset.cmcUserCertSet.4.constraint.class_id=noConstraintImpl --policyset.cmcUserCertSet.4.constraint.name=No Constraint --policyset.cmcUserCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl --policyset.cmcUserCertSet.4.default.name=Authority Key Identifier Default --policyset.cmcUserCertSet.5.constraint.class_id=noConstraintImpl --policyset.cmcUserCertSet.5.constraint.name=No Constraint --policyset.cmcUserCertSet.5.default.class_id=authInfoAccessExtDefaultImpl --policyset.cmcUserCertSet.5.default.name=AIA Extension Default --policyset.cmcUserCertSet.5.default.params.authInfoAccessADEnable_0=true --policyset.cmcUserCertSet.5.default.params.authInfoAccessADLocationType_0=URIName --policyset.cmcUserCertSet.5.default.params.authInfoAccessADLocation_0= --policyset.cmcUserCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1 --policyset.cmcUserCertSet.5.default.params.authInfoAccessCritical=false --policyset.cmcUserCertSet.5.default.params.authInfoAccessNumADs=1 
--policyset.cmcUserCertSet.6.constraint.class_id=keyUsageExtConstraintImpl --policyset.cmcUserCertSet.6.constraint.name=Key Usage Extension Constraint --policyset.cmcUserCertSet.6.constraint.params.keyUsageCritical=true --policyset.cmcUserCertSet.6.constraint.params.keyUsageCrlSign=false --policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=false --policyset.cmcUserCertSet.6.constraint.params.keyUsageDecipherOnly=false --policyset.cmcUserCertSet.6.constraint.params.keyUsageDigitalSignature=true --policyset.cmcUserCertSet.6.constraint.params.keyUsageEncipherOnly=false --policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyAgreement=true --policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyCertSign=false --policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyEncipherment=false --policyset.cmcUserCertSet.6.constraint.params.keyUsageNonRepudiation=true --policyset.cmcUserCertSet.6.default.class_id=keyUsageExtDefaultImpl --policyset.cmcUserCertSet.6.default.name=Key Usage Default --policyset.cmcUserCertSet.6.default.params.keyUsageCritical=true --policyset.cmcUserCertSet.6.default.params.keyUsageCrlSign=false --policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=false --policyset.cmcUserCertSet.6.default.params.keyUsageDecipherOnly=false --policyset.cmcUserCertSet.6.default.params.keyUsageDigitalSignature=true --policyset.cmcUserCertSet.6.default.params.keyUsageEncipherOnly=false --policyset.cmcUserCertSet.6.default.params.keyUsageKeyAgreement=true --policyset.cmcUserCertSet.6.default.params.keyUsageKeyCertSign=false --policyset.cmcUserCertSet.6.default.params.keyUsageKeyEncipherment=false --policyset.cmcUserCertSet.6.default.params.keyUsageNonRepudiation=true --policyset.cmcUserCertSet.7.constraint.class_id=noConstraintImpl --policyset.cmcUserCertSet.7.constraint.name=No Constraint --policyset.cmcUserCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl --policyset.cmcUserCertSet.7.default.name=Extended Key Usage 
Extension Default --policyset.cmcUserCertSet.7.default.params.exKeyUsageCritical=false --policyset.cmcUserCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4 --policyset.cmcUserCertSet.8.constraint.class_id=signingAlgConstraintImpl --policyset.cmcUserCertSet.8.constraint.name=No Constraint --policyset.cmcUserCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC --policyset.cmcUserCertSet.8.default.class_id=signingAlgDefaultImpl --policyset.cmcUserCertSet.8.default.name=Signing Alg --policyset.cmcUserCertSet.8.default.params.signingAlg=- -diff --git a/base/ca/shared/profiles/ca/caECFullCMCSharedTokenCert.cfg b/base/ca/shared/profiles/ca/caECFullCMCSharedTokenCert.cfg -new file mode 100644 -index 0000000..ffdccb1 ---- /dev/null -+++ b/base/ca/shared/profiles/ca/caECFullCMCSharedTokenCert.cfg -@@ -0,0 +1,82 @@ -+desc=This certificate profile is for enrolling user certificates with ECC keys by using the CMC Shared Token certificate request -+enable=false -+enableBy=admin -+name=CMC Shared Token User Certificate Enrollment -+visible=false -+auth.instance_id=CMCUserSignedAuth -+input.list=i1 -+input.i1.class_id=cmcCertReqInputImpl -+output.list=o1 -+output.o1.class_id=certOutputImpl -+policyset.list=cmcUserCertSet -+policyset.cmcUserCertSet.list=1,2,3,4,5,6,7,8 -+policyset.cmcUserCertSet.1.constraint.class_id=cmcSharedTokenSubjectNameConstraintImpl -+policyset.cmcUserCertSet.1.constraint.name=CMC Shared Token Subject Name Constraint -+policyset.cmcUserCertSet.1.default.class_id=authTokenSubjectNameDefaultImpl -+policyset.cmcUserCertSet.1.default.name=Subject Name Default -+policyset.cmcUserCertSet.1.default.params.name= -+policyset.cmcUserCertSet.2.constraint.class_id=validityConstraintImpl -+policyset.cmcUserCertSet.2.constraint.name=Validity Constraint -+policyset.cmcUserCertSet.2.constraint.params.notAfterCheck=false 
-+policyset.cmcUserCertSet.2.constraint.params.notBeforeCheck=false -+policyset.cmcUserCertSet.2.constraint.params.range=365 -+policyset.cmcUserCertSet.2.default.class_id=validityDefaultImpl -+policyset.cmcUserCertSet.2.default.name=Validity Default -+policyset.cmcUserCertSet.2.default.params.range=180 -+policyset.cmcUserCertSet.2.default.params.startTime=0 -+policyset.cmcUserCertSet.3.constraint.class_id=keyConstraintImpl -+policyset.cmcUserCertSet.3.constraint.name=Key Constraint -+policyset.cmcUserCertSet.3.constraint.params.keyParameters=nistp256,nistp521 -+policyset.cmcUserCertSet.3.constraint.params.keyType=EC -+policyset.cmcUserCertSet.3.default.class_id=userKeyDefaultImpl -+policyset.cmcUserCertSet.3.default.name=Key Default -+policyset.cmcUserCertSet.4.constraint.class_id=noConstraintImpl -+policyset.cmcUserCertSet.4.constraint.name=No Constraint -+policyset.cmcUserCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl -+policyset.cmcUserCertSet.4.default.name=Authority Key Identifier Default -+policyset.cmcUserCertSet.5.constraint.class_id=noConstraintImpl -+policyset.cmcUserCertSet.5.constraint.name=No Constraint -+policyset.cmcUserCertSet.5.default.class_id=authInfoAccessExtDefaultImpl -+policyset.cmcUserCertSet.5.default.name=AIA Extension Default -+policyset.cmcUserCertSet.5.default.params.authInfoAccessADEnable_0=true -+policyset.cmcUserCertSet.5.default.params.authInfoAccessADLocationType_0=URIName -+policyset.cmcUserCertSet.5.default.params.authInfoAccessADLocation_0= -+policyset.cmcUserCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1 -+policyset.cmcUserCertSet.5.default.params.authInfoAccessCritical=false -+policyset.cmcUserCertSet.5.default.params.authInfoAccessNumADs=1 -+policyset.cmcUserCertSet.6.constraint.class_id=keyUsageExtConstraintImpl -+policyset.cmcUserCertSet.6.constraint.name=Key Usage Extension Constraint -+policyset.cmcUserCertSet.6.constraint.params.keyUsageCritical=true 
-+policyset.cmcUserCertSet.6.constraint.params.keyUsageCrlSign=false -+policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=false -+policyset.cmcUserCertSet.6.constraint.params.keyUsageDecipherOnly=false -+policyset.cmcUserCertSet.6.constraint.params.keyUsageDigitalSignature=true -+policyset.cmcUserCertSet.6.constraint.params.keyUsageEncipherOnly=false -+policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyAgreement=true -+policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyCertSign=false -+policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyEncipherment=false -+policyset.cmcUserCertSet.6.constraint.params.keyUsageNonRepudiation=true -+policyset.cmcUserCertSet.6.default.class_id=keyUsageExtDefaultImpl -+policyset.cmcUserCertSet.6.default.name=Key Usage Default -+policyset.cmcUserCertSet.6.default.params.keyUsageCritical=true -+policyset.cmcUserCertSet.6.default.params.keyUsageCrlSign=false -+policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=false -+policyset.cmcUserCertSet.6.default.params.keyUsageDecipherOnly=false -+policyset.cmcUserCertSet.6.default.params.keyUsageDigitalSignature=true -+policyset.cmcUserCertSet.6.default.params.keyUsageEncipherOnly=false -+policyset.cmcUserCertSet.6.default.params.keyUsageKeyAgreement=true -+policyset.cmcUserCertSet.6.default.params.keyUsageKeyCertSign=false -+policyset.cmcUserCertSet.6.default.params.keyUsageKeyEncipherment=false -+policyset.cmcUserCertSet.6.default.params.keyUsageNonRepudiation=true -+policyset.cmcUserCertSet.7.constraint.class_id=noConstraintImpl -+policyset.cmcUserCertSet.7.constraint.name=No Constraint -+policyset.cmcUserCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl -+policyset.cmcUserCertSet.7.default.name=Extended Key Usage Extension Default -+policyset.cmcUserCertSet.7.default.params.exKeyUsageCritical=false -+policyset.cmcUserCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4 
-+policyset.cmcUserCertSet.8.constraint.class_id=signingAlgConstraintImpl -+policyset.cmcUserCertSet.8.constraint.name=No Constraint -+policyset.cmcUserCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC -+policyset.cmcUserCertSet.8.default.class_id=signingAlgDefaultImpl -+policyset.cmcUserCertSet.8.default.name=Signing Alg -+policyset.cmcUserCertSet.8.default.params.signingAlg=- -diff --git a/base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg b/base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg -deleted file mode 100644 -index 538b16a..0000000 ---- a/base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg -+++ /dev/null -@@ -1,82 +0,0 @@ --desc=This certificate profile is for enrolling user certificates by using the self-signed CMC certificate request --enable=false --enableBy=admin --name=Self-Signed CMC User Certificate Enrollment --visible=false --auth.instance_id=CMCUserSignedAuth --input.list=i1 --input.i1.class_id=cmcCertReqInputImpl --output.list=o1 --output.o1.class_id=certOutputImpl --policyset.list=cmcUserCertSet --policyset.cmcUserCertSet.list=1,2,3,4,5,6,7,8 --policyset.cmcUserCertSet.1.constraint.class_id=cmcSelfSignedSubjectNameConstraintImpl --policyset.cmcUserCertSet.1.constraint.name=CMC Self-Signed Subject Name Constraint --policyset.cmcUserCertSet.1.default.class_id=authTokenSubjectNameDefaultImpl --policyset.cmcUserCertSet.1.default.name=Subject Name Default --policyset.cmcUserCertSet.1.default.params.name= --policyset.cmcUserCertSet.2.constraint.class_id=validityConstraintImpl --policyset.cmcUserCertSet.2.constraint.name=Validity Constraint --policyset.cmcUserCertSet.2.constraint.params.notAfterCheck=false --policyset.cmcUserCertSet.2.constraint.params.notBeforeCheck=false --policyset.cmcUserCertSet.2.constraint.params.range=365 --policyset.cmcUserCertSet.2.default.class_id=validityDefaultImpl --policyset.cmcUserCertSet.2.default.name=Validity Default 
--policyset.cmcUserCertSet.2.default.params.range=180 --policyset.cmcUserCertSet.2.default.params.startTime=0 --policyset.cmcUserCertSet.3.constraint.class_id=keyConstraintImpl --policyset.cmcUserCertSet.3.constraint.name=Key Constraint --policyset.cmcUserCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096 --policyset.cmcUserCertSet.3.constraint.params.keyType=RSA --policyset.cmcUserCertSet.3.default.class_id=userKeyDefaultImpl --policyset.cmcUserCertSet.3.default.name=Key Default --policyset.cmcUserCertSet.4.constraint.class_id=noConstraintImpl --policyset.cmcUserCertSet.4.constraint.name=No Constraint --policyset.cmcUserCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl --policyset.cmcUserCertSet.4.default.name=Authority Key Identifier Default --policyset.cmcUserCertSet.5.constraint.class_id=noConstraintImpl --policyset.cmcUserCertSet.5.constraint.name=No Constraint --policyset.cmcUserCertSet.5.default.class_id=authInfoAccessExtDefaultImpl --policyset.cmcUserCertSet.5.default.name=AIA Extension Default --policyset.cmcUserCertSet.5.default.params.authInfoAccessADEnable_0=true --policyset.cmcUserCertSet.5.default.params.authInfoAccessADLocationType_0=URIName --policyset.cmcUserCertSet.5.default.params.authInfoAccessADLocation_0= --policyset.cmcUserCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1 --policyset.cmcUserCertSet.5.default.params.authInfoAccessCritical=false --policyset.cmcUserCertSet.5.default.params.authInfoAccessNumADs=1 --policyset.cmcUserCertSet.6.constraint.class_id=keyUsageExtConstraintImpl --policyset.cmcUserCertSet.6.constraint.name=Key Usage Extension Constraint --policyset.cmcUserCertSet.6.constraint.params.keyUsageCritical=true --policyset.cmcUserCertSet.6.constraint.params.keyUsageCrlSign=false --policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=false --policyset.cmcUserCertSet.6.constraint.params.keyUsageDecipherOnly=false 
--policyset.cmcUserCertSet.6.constraint.params.keyUsageDigitalSignature=true
--policyset.cmcUserCertSet.6.constraint.params.keyUsageEncipherOnly=false
--policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyAgreement=false
--policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyCertSign=false
--policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyEncipherment=true
--policyset.cmcUserCertSet.6.constraint.params.keyUsageNonRepudiation=true
--policyset.cmcUserCertSet.6.default.class_id=keyUsageExtDefaultImpl
--policyset.cmcUserCertSet.6.default.name=Key Usage Default
--policyset.cmcUserCertSet.6.default.params.keyUsageCritical=true
--policyset.cmcUserCertSet.6.default.params.keyUsageCrlSign=false
--policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=false
--policyset.cmcUserCertSet.6.default.params.keyUsageDecipherOnly=false
--policyset.cmcUserCertSet.6.default.params.keyUsageDigitalSignature=true
--policyset.cmcUserCertSet.6.default.params.keyUsageEncipherOnly=false
--policyset.cmcUserCertSet.6.default.params.keyUsageKeyAgreement=false
--policyset.cmcUserCertSet.6.default.params.keyUsageKeyCertSign=false
--policyset.cmcUserCertSet.6.default.params.keyUsageKeyEncipherment=true
--policyset.cmcUserCertSet.6.default.params.keyUsageNonRepudiation=true
--policyset.cmcUserCertSet.7.constraint.class_id=noConstraintImpl
--policyset.cmcUserCertSet.7.constraint.name=No Constraint
--policyset.cmcUserCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
--policyset.cmcUserCertSet.7.default.name=Extended Key Usage Extension Default
--policyset.cmcUserCertSet.7.default.params.exKeyUsageCritical=false
--policyset.cmcUserCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
--policyset.cmcUserCertSet.8.constraint.class_id=signingAlgConstraintImpl
--policyset.cmcUserCertSet.8.constraint.name=No Constraint
--policyset.cmcUserCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
--policyset.cmcUserCertSet.8.default.class_id=signingAlgDefaultImpl
--policyset.cmcUserCertSet.8.default.name=Signing Alg
--policyset.cmcUserCertSet.8.default.params.signingAlg=-
-diff --git a/base/ca/shared/profiles/ca/caFullCMCSharedTokenCert.cfg b/base/ca/shared/profiles/ca/caFullCMCSharedTokenCert.cfg
-new file mode 100644
-index 0000000..5ef8004
---- /dev/null
-+++ b/base/ca/shared/profiles/ca/caFullCMCSharedTokenCert.cfg
-@@ -0,0 +1,82 @@
-+desc=This certificate profile is for enrolling user certificates by using the CMC Shared Token certificate request
-+enable=false
-+enableBy=admin
-+name=CMC Shared Token User Certificate Enrollment
-+visible=false
-+auth.instance_id=CMCUserSignedAuth
-+input.list=i1
-+input.i1.class_id=cmcCertReqInputImpl
-+output.list=o1
-+output.o1.class_id=certOutputImpl
-+policyset.list=cmcUserCertSet
-+policyset.cmcUserCertSet.list=1,2,3,4,5,6,7,8
-+policyset.cmcUserCertSet.1.constraint.class_id=cmcSharedTokenSubjectNameConstraintImpl
-+policyset.cmcUserCertSet.1.constraint.name=CMC Shared Token Subject Name Constraint
-+policyset.cmcUserCertSet.1.default.class_id=authTokenSubjectNameDefaultImpl
-+policyset.cmcUserCertSet.1.default.name=Subject Name Default
-+policyset.cmcUserCertSet.1.default.params.name=
-+policyset.cmcUserCertSet.2.constraint.class_id=validityConstraintImpl
-+policyset.cmcUserCertSet.2.constraint.name=Validity Constraint
-+policyset.cmcUserCertSet.2.constraint.params.notAfterCheck=false
-+policyset.cmcUserCertSet.2.constraint.params.notBeforeCheck=false
-+policyset.cmcUserCertSet.2.constraint.params.range=365
-+policyset.cmcUserCertSet.2.default.class_id=validityDefaultImpl
-+policyset.cmcUserCertSet.2.default.name=Validity Default
-+policyset.cmcUserCertSet.2.default.params.range=180
-+policyset.cmcUserCertSet.2.default.params.startTime=0
-+policyset.cmcUserCertSet.3.constraint.class_id=keyConstraintImpl
-+policyset.cmcUserCertSet.3.constraint.name=Key Constraint
-+policyset.cmcUserCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
-+policyset.cmcUserCertSet.3.constraint.params.keyType=RSA
-+policyset.cmcUserCertSet.3.default.class_id=userKeyDefaultImpl
-+policyset.cmcUserCertSet.3.default.name=Key Default
-+policyset.cmcUserCertSet.4.constraint.class_id=noConstraintImpl
-+policyset.cmcUserCertSet.4.constraint.name=No Constraint
-+policyset.cmcUserCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
-+policyset.cmcUserCertSet.4.default.name=Authority Key Identifier Default
-+policyset.cmcUserCertSet.5.constraint.class_id=noConstraintImpl
-+policyset.cmcUserCertSet.5.constraint.name=No Constraint
-+policyset.cmcUserCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
-+policyset.cmcUserCertSet.5.default.name=AIA Extension Default
-+policyset.cmcUserCertSet.5.default.params.authInfoAccessADEnable_0=true
-+policyset.cmcUserCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
-+policyset.cmcUserCertSet.5.default.params.authInfoAccessADLocation_0=
-+policyset.cmcUserCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
-+policyset.cmcUserCertSet.5.default.params.authInfoAccessCritical=false
-+policyset.cmcUserCertSet.5.default.params.authInfoAccessNumADs=1
-+policyset.cmcUserCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
-+policyset.cmcUserCertSet.6.constraint.name=Key Usage Extension Constraint
-+policyset.cmcUserCertSet.6.constraint.params.keyUsageCritical=true
-+policyset.cmcUserCertSet.6.constraint.params.keyUsageCrlSign=false
-+policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=false
-+policyset.cmcUserCertSet.6.constraint.params.keyUsageDecipherOnly=false
-+policyset.cmcUserCertSet.6.constraint.params.keyUsageDigitalSignature=true
-+policyset.cmcUserCertSet.6.constraint.params.keyUsageEncipherOnly=false
-+policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyAgreement=false
-+policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyCertSign=false
-+policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyEncipherment=true
-+policyset.cmcUserCertSet.6.constraint.params.keyUsageNonRepudiation=true
-+policyset.cmcUserCertSet.6.default.class_id=keyUsageExtDefaultImpl
-+policyset.cmcUserCertSet.6.default.name=Key Usage Default
-+policyset.cmcUserCertSet.6.default.params.keyUsageCritical=true
-+policyset.cmcUserCertSet.6.default.params.keyUsageCrlSign=false
-+policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=false
-+policyset.cmcUserCertSet.6.default.params.keyUsageDecipherOnly=false
-+policyset.cmcUserCertSet.6.default.params.keyUsageDigitalSignature=true
-+policyset.cmcUserCertSet.6.default.params.keyUsageEncipherOnly=false
-+policyset.cmcUserCertSet.6.default.params.keyUsageKeyAgreement=false
-+policyset.cmcUserCertSet.6.default.params.keyUsageKeyCertSign=false
-+policyset.cmcUserCertSet.6.default.params.keyUsageKeyEncipherment=true
-+policyset.cmcUserCertSet.6.default.params.keyUsageNonRepudiation=true
-+policyset.cmcUserCertSet.7.constraint.class_id=noConstraintImpl
-+policyset.cmcUserCertSet.7.constraint.name=No Constraint
-+policyset.cmcUserCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
-+policyset.cmcUserCertSet.7.default.name=Extended Key Usage Extension Default
-+policyset.cmcUserCertSet.7.default.params.exKeyUsageCritical=false
-+policyset.cmcUserCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
-+policyset.cmcUserCertSet.8.constraint.class_id=signingAlgConstraintImpl
-+policyset.cmcUserCertSet.8.constraint.name=No Constraint
-+policyset.cmcUserCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
-+policyset.cmcUserCertSet.8.default.class_id=signingAlgDefaultImpl
-+policyset.cmcUserCertSet.8.default.name=Signing Alg
-+policyset.cmcUserCertSet.8.default.params.signingAlg=- -diff --git a/base/java-tools/man/man1/CMCRequest.1 b/base/java-tools/man/man1/CMCRequest.1 -index 8c67fc0..18f5e50 100644 ---- a/base/java-tools/man/man1/CMCRequest.1 -+++ b/base/java-tools/man/man1/CMCRequest.1 -@@ -63,7 +63,7 @@ name of crypto token where user signing certificate key can be found (default is - .B nickname - The nickname of the user certificate that corresponds to the private key that is used to sign the request. - --This parameter is ignored if \fBselfSign\fP or \fBidentityProofV2.enable\fP is true. -+This parameter is ignored if \fBuseSharedSecret\fP or \fBidentityProofV2.enable\fP is true. - - .TP - .B password -@@ -114,27 +114,27 @@ Supported keyGenAlg are: \fBSHA-256, SHA-384, and SHA-512\fP - Supported macAlg are: \fBSHA-256-HMAC, SHA-384-HMAC, and SHA-512-HMAC\fP - - .TP --.B request.selfSign --\fBtrue\fP or \fBfalse\fP. If \fBselfSign\fP is true, the CMC request will be "signed" with the pairing private key of the enrollment request; and in which case the \fBnickname\fP parameter will be ignored. -+.B request.useSharedSecret -+\fBtrue\fP or \fBfalse\fP. If \fBuseSharedSecret\fP is true, the CMC request will be "signed" with the pairing private key of the enrollment request; and in which case the \fBnickname\fP parameter will be ignored. - --\fBrequest.selfSign\fP is only used if a signing certificate (of the agent or user herself) is not available to sign. Because the request itself is not signed with a certificate (a proven identity), the proof of origin (proof of identification) must be provided by some other means. -+\fBrequest.useSharedSecret\fP is only used if a signing certificate (of the agent or user herself) is not available to sign. Because the request itself is not signed with a certificate (a proven identity), the proof of origin (proof of identification) must be provided by some other means. 
- --In Dogtag, if \fBselfSign\fP is true, it must be used in conjunction with the \fBidentityProofV2\fP and \fBidentification\fP parameters. And in that case the Proof Of Origin is accomplished by the Shared Secret (\fBwitness.sharedSecret\fP) mechanism. -+In Dogtag, if \fBrequest.useSharedSecret\fP is true, it must be used in conjunction with the \fBidentityProofV2\fP and \fBidentification\fP parameters. And in that case the Proof Of Origin is accomplished by the Shared Secret (\fBwitness.sharedSecret\fP) mechanism. - --The \fBselfSign\fP option is normally used to enroll for a user's first signing certificate while auto-approval (without agent's pre-approval) is preferred. In general, once a user has obtained the first signing certificate, such signing certificate can be used to sign (thus proving origin) and obtain other certificate such as encryption-only ceritifcate, or when doing a renewal or revocation. -+The \fBrequest.useSharedSecret\fP option is normally used to enroll for a user's first signing certificate while auto-approval (without agent's pre-approval) is preferred. In general, once a user has obtained the first signing certificate, such signing certificate can be used to sign (thus proving origin) and obtain other certificate such as encryption-only ceritifcate, or when doing a renewal or revocation. - --By default, if unspecified, \fBselfSign\fP is false. -+By default, if unspecified, \fBrequest.useSharedSecret\fP is false. - --\fBNote\fP: to employ the \fBselfSign\fP option, the PKCS#10 or CRMF requests must have the \fBSubjectKeyIdentifier extension\fP. (hint: \fBCRMFPopClient\fP and \fBPKCS10Client\fP should be called with the "-y" option) -+\fBNote\fP: to employ the \fBrequest.useSharedSecret\fP option, the PKCS#10 or CRMF requests must have the \fBSubjectKeyIdentifier extension\fP. (hint: \fBCRMFPopClient\fP and \fBPKCS10Client\fP should be called with the "-y" option) - --If \fBselfSign\fP is true, \fBrequest.privKeyId\fP must be specified. 
-+If \fBrequest.useSharedSecret\fP is true, \fBrequest.privKeyId\fP must be specified. - It is crutial that the caller that employs this option has access to the private key of the certificate request. - - .TP - .B request.privKeyId - The \fBrequest.privKeyId\fP parameter is required in the following cases: - --\fBselfSign\fP, \fBpopLinkWitnessV2\fP, and \fBdecryptedPop\fP -+\fBrequest.useSharedSecret\fP, \fBpopLinkWitnessV2\fP, and \fBdecryptedPop\fP - - .TP - .B decryptedPop.enable, encryptedPopResponseFile, decryptedPopRequestFile -@@ -149,7 +149,7 @@ When preparing for the second trip, the following parameters must be present: - - \fBrequest.privKeyId\fP - see descripton for \fBrequest.privKeyId\fP; It is used to decrypt the EncryptedPop, thereby proving the possession of the private key. - --Please note that the \fBPopLinkWitnessV2\fP control as well as the \fBselfSign\fP directive do not apply to EncryptedPOP/DecryptedPOP for the simple fact that the enrollment private key is not capable of signing. -+Please note that the \fBPopLinkWitnessV2\fP control as well as the \fBrequest.useSharedSecret\fP directive do not apply to EncryptedPOP/DecryptedPOP for the simple fact that the enrollment private key is not capable of signing. - - .TP - .B revRequest.[enable, serial, reason, comment, issuer, sharedSecret] -diff --git a/base/java-tools/man/man1/PKCS10Client.1 b/base/java-tools/man/man1/PKCS10Client.1 -index e85c833..122680c 100644 ---- a/base/java-tools/man/man1/PKCS10Client.1 -+++ b/base/java-tools/man/man1/PKCS10Client.1 -@@ -84,7 +84,8 @@ Gives the subject DN of the certificate. - .B -x - - .TP --.B -y -+.B -y -+To be used with "request.useSharedSecret=true" when running CMCRequest. - - .SH AUTHORS - Amol Kahat . 
-diff --git a/base/java-tools/src/com/netscape/cmstools/CMCRequest.java b/base/java-tools/src/com/netscape/cmstools/CMCRequest.java -index 4e40143..1070a93 100644 ---- a/base/java-tools/src/com/netscape/cmstools/CMCRequest.java -+++ b/base/java-tools/src/com/netscape/cmstools/CMCRequest.java -@@ -268,13 +268,19 @@ public class CMCRequest { - } - - /* -- * signData self-signs the PKIData using the private key that matches -- * the public key in the request -+ * signData self-signs (for Shared Token) the PKIData using the private key -+ * that matches the public key in the request - */ - static SignedData signData( - java.security.PrivateKey privKey, - PKIData pkidata) { -- String method = "signData for selfSign: "; -+ return signData(privKey, pkidata, null); -+ } -+ static SignedData signData( -+ java.security.PrivateKey privKey, -+ PKIData pkidata, -+ SignerIdentifier test_cmc_si /*for TEST_CMC use_shared_secret case only*/) { -+ String method = "signData for useSharedSecret begins: "; - System.out.println(method + "begins: "); - SignedData req = null; - -@@ -286,10 +292,15 @@ public class CMCRequest { - - KeyIdentifier keyIdObj = null; - try { -- keyIdObj = (KeyIdentifier) skiExtn.get(SubjectKeyIdentifierExtension.KEY_ID); -- SignerIdentifier si = new SignerIdentifier( -+ SignerIdentifier si = null; -+ if (test_cmc_si == null) { -+ keyIdObj = (KeyIdentifier) skiExtn.get(SubjectKeyIdentifierExtension.KEY_ID); -+ si = new SignerIdentifier( - SignerIdentifier.SUBJECT_KEY_IDENTIFIER, - null, new OCTET_STRING(keyIdObj.getIdentifier())); -+ } else //TEST_CMC use_shared_secret case -+ si = test_cmc_si; -+ - req = createSignedData(privKey, si, null /*certChain*/, pkidata); - } catch (Exception e) { - e.printStackTrace(); -@@ -430,7 +441,7 @@ public class CMCRequest { - * @return request in PKIData - */ - static PKIData createPKIData( -- String selfSign, -+ String useSharedSecret, - String[] rValue, String format, String transactionMgtEnable, - String transactionMgtId, - 
String identificationEnable, String identification, -@@ -495,16 +506,16 @@ public class CMCRequest { - - CertRequest certReq = certReqMsg.getCertReq(); - CertTemplate certTemplate = certReq.getCertTemplate(); -- if (selfSign.equals("true")) { -+ if (useSharedSecret.equals("true")) { - skiExtn = (SubjectKeyIdentifierExtension) CryptoUtil.getExtensionFromCertTemplate( - certTemplate, - PKIXExtensions.SubjectKey_Id); - if (skiExtn != null) { - System.out.println(method + -- " SubjectKeyIdentifier extension found in self-signed request"); -+ " SubjectKeyIdentifier extension found in self-signed Shared Token request"); - } else { - System.out.println(method + -- " SubjectKeyIdentifier extension missing in self-signed request"); -+ " SubjectKeyIdentifier extension missing in self-signed Shared Token request"); - System.exit(1); - } - } -@@ -569,7 +580,7 @@ public class CMCRequest { - System.exit(1); - } - -- if (selfSign.equals("true")) { -+ if (useSharedSecret.equals("true")) { - try { - skiExtn = (SubjectKeyIdentifierExtension) CryptoUtil.getExtensionFromPKCS10( - pkcs, "SubjectKeyIdentifier"); -@@ -798,13 +809,13 @@ public class CMCRequest { - System.out.println("#nickname: nickname for user certificate which will be used"); - System.out.println("#to sign the CMC full request (enrollment or revocation)."); - System.out.println(""); -- System.out.println("#selfSign: if selfSign is true, the CMC request will be"); -+ System.out.println("#request.useSharedSecret: if request.useSharedSecret is true, the CMC request will be"); - System.out.println("#signed with the pairing private key of the enrollment request;"); - System.out.println("#and in which case the nickname will be ignored"); - System.out.println("#If revRequest.sharedSecret is specified, then nickname will also be ignored."); - System.out.println("nickname=CMS User Signing Certificate"); - System.out.println(""); -- System.out.println("selfSign=false"); -+ System.out.println("request.useSharedSecret=false"); - 
System.out.println(""); - System.out.println("#dbdir: directory for cert8.db, key3.db and secmod.db"); - System.out.println("dbdir=./"); -@@ -1219,7 +1230,7 @@ public class CMCRequest { - * Constructing OtherMsg to include the SignerInfo makes no sense here - * as the outer layer SignedData would have SignerInfo. - * It is possibly done because the original code assumed a self-signed -- * revocation request that is subsequently signed by an agent... -+ * Shared Token revocation request that is subsequently signed by an agent... - * which is not conforming to the RFC. - - EncapsulatedContentInfo revokeContent = new EncapsulatedContentInfo( -@@ -1881,6 +1892,7 @@ public class CMCRequest { - HMACDigest hmacDigest = new HMACDigest(SHA2Digest, challenge); - hmacDigest.update(ASN1Util.encode(request)); - popProofValue = hmacDigest.digest(); -+ System.out.println(method + "popProofValue length = " + popProofValue.length); - } catch (Exception ex) { - CryptoUtil.obscureBytes(challenge, "random"); - System.out.println(method + "calculating POP Proof Value failed: " + ex); -@@ -1926,6 +1938,137 @@ public class CMCRequest { - return pkidata; - } - -+ static void outputContentInfo(ContentInfo cmcblob, String ofilename) { -+ try (FileOutputStream os = new FileOutputStream(ofilename)){ -+ cmcblob.encode(os); -+ System.out.println(""); -+ System.out.println(""); -+ System.out.println("The CMC enrollment request in binary format is stored in " + -+ ofilename); -+ } catch (IOException e) { -+ System.out.println("CMCRequest: unable to open file " + ofilename + -+ " for writing:\n" + e); -+ } -+ } -+ -+ -+ /* -+ * processResignCMC -+ * -+ * This is for testing only, for the purpose of producing -+ * negative tests consisted of deliberate alteration of -+ * CMC controls to see how CA reacts to these variations. 
-+ * -+ * It takes in a blob of the format cmc (with altered fields): -+ * format=test_cmc -+ * which is the same as output format from CMCRequest, -+ * and re-signs it with either signerCert or privKeyID -+ * and spits out to output -+ * Note: if signerCert is not null, then privKeyID is ignored -+ * -+ * @author cfu -+ */ -+ static void processResignCMC(String ifilename, String ofilename, X509Certificate signerCert, String privKeyId, String tokenName, String nickname, CryptoManager cm) { -+ try { -+ if (ifilename == null || ifilename.equals("")) { -+ System.out.println("TEST_CMC: param input needed for test_cmc"); -+ System.exit(1); -+ } -+ if (ofilename == null || ofilename.equals("")) { -+ System.out.println("TEST_CMC: param output needed for test_cmc"); -+ System.exit(1); -+ } -+ -+ PrivateKey privk = null; -+ if (signerCert == null) { -+ if (privKeyId == null) { -+ System.out.println("TEST_CMC: signerCert not supplied, need privKeyId to re-sign."); -+ System.exit(1); -+ } else { -+ System.out.println("TEST_CMC: got re-signing privKeyId: " + privKeyId); -+ -+ byte[] keyIDb = CryptoUtil.decodeKeyID(privKeyId); -+ -+ privk = CryptoUtil.findPrivateKeyFromID(keyIDb); -+ -+ if (privk != null) { -+ System.out.println("TEST_CMC: got private key"); -+ } else { -+ System.out.println("TEST_CMC: error getting private key null"); -+ System.exit(1); -+ } -+ } -+ } -+ -+ FileInputStream inputBlob = null; -+ FileOutputStream outputBlob = null; -+ try { -+ inputBlob = new FileInputStream(ifilename); -+ } catch (FileNotFoundException e) { -+ System.out.println("can''t find file " + -+ ifilename + e); -+ System.exit(1); -+ } -+ -+ byte data[] = new byte[inputBlob.available()]; -+ inputBlob.read(data); -+ System.out.println("TEST_CMC: input read"); -+ ContentInfo.Template ci_template = new ContentInfo.Template(); -+ ContentInfo ci = -+ (ContentInfo) ci_template.decode(new ByteArrayInputStream(data)); -+ if (ci != null) -+ System.out.println("TEST_CMC: ContentInfo template 
decoded"); -+ -+ SignedData signedData = (SignedData) ci.getInterpretedContent(); -+ if (signedData != null) -+ System.out.println("TEST_CMC: SignedData retrieved"); -+ -+ EncapsulatedContentInfo eci = signedData.getContentInfo(); -+ if (eci != null) -+ System.out.println("TEST_CMC: EncapsulatedContentInfo retrieved"); -+ OCTET_STRING os = eci.getContent(); //this is the orig data -+ if (os != null) -+ System.out.println("TEST_CMC: orig data retrieved"); -+ byte origData [] = os.toByteArray(); -+ PKIData.Template pkidata_template = new PKIData.Template(); -+ PKIData pkidata = -+ (PKIData) pkidata_template.decode(new ByteArrayInputStream(origData)); -+ if (pkidata != null) -+ System.out.println("TEST_CMC: PKIData decoded"); -+ -+ // now re-sign -+ SignedData newSignedData = null; -+ if (signerCert != null) { -+ System.out.println("TEST_CMC: re-signing using signer cert:" + -+ nickname); -+ newSignedData = signData(signerCert, tokenName, nickname, cm, pkidata); -+ } else { // self-signed Shared Token request -+ System.out.println("TEST_CMC: re-signing using private key: " + -+ privKeyId); -+ SET signInfos = signedData.getSignerInfos(); -+ SignerInfo si = (SignerInfo) (ASN1Util.decode(SignerInfo.getTemplate(), ASN1Util.encode(signInfos.elementAt(0)))); -+ newSignedData = signData(privk, pkidata, si.getSignerIdentifier()); -+ } -+ -+ if (newSignedData == null) { -+ System.out.println("TEST_CMC: PKIData signing returned null"); -+ System.exit(1); -+ } -+ System.out.println("TEST_CMC: PKIData signed"); -+ ContentInfo cmcblob = getCMCBlob(newSignedData, null); -+ if (cmcblob == null) { -+ System.out.println("TEST_CMC: getCMCBlob returned null"); -+ System.exit(1); -+ } -+ -+ outputContentInfo(cmcblob, ofilename); -+ System.out.println("TEST_CMC: completed"); -+ } catch (Exception ex) { -+ System.out.println("TEST_CMC: exception caught: " + ex); -+ System.exit(1); -+ } -+ } -+ - public static void main(String[] s) { - String numRequests = null; - String dbdir = null, 
nickname = null; -@@ -1948,7 +2091,7 @@ public class CMCRequest { - String popLinkWitnessV2Enable = "false", popLinkWitnessV2keyGenAlg = "SHA256", popLinkWitnessV2macAlg = "SHA256"; - String popLinkWitnessEnable = "false"; - String bodyPartIDs = null, lraPopWitnessEnable = "false"; -- String selfSign = "false"; -+ String useSharedSecret = "false"; - - System.out.println(""); - -@@ -2009,8 +2152,9 @@ public class CMCRequest { - decryptedPopEnable = val; - } else if (name.equals("encryptedPopResponseFile")) { - encryptedPopResponseFile = val; -- } else if (name.equals("request.selfSign")) { -- selfSign = val; -+ } else if (name.equals("request.useSharedSecret") || -+ name.equals("request.selfSign")) { -+ useSharedSecret = val; - } else if (name.equals("request.privKeyId")) { - privKeyId = val; - } else if (name.equals("decryptedPopRequestFile")) { -@@ -2095,12 +2239,13 @@ public class CMCRequest { - printUsage(); - } - -- if ((!selfSign.equals("true") && (revRequestSharedSecret == null)) -+ if ((!useSharedSecret.equals("true") && (revRequestSharedSecret == null)) - && nickname == null) { - System.out.println("Missing nickname."); - printUsage(); - } - -+ - try { - // initialize CryptoManager - if (dbdir == null) -@@ -2142,7 +2287,7 @@ public class CMCRequest { - certname.append(tokenName); - certname.append(":"); - } -- if ((!selfSign.equals("true") || (revRequestSharedSecret == null)) -+ if ((!useSharedSecret.equals("true") || (revRequestSharedSecret == null)) - && nickname != null) { - certname.append(nickname); - signerCert = cm.findCertByNickname(certname.toString()); -@@ -2151,14 +2296,22 @@ public class CMCRequest { - } - } - -+ // TEST_CMC -+ if (format.equals("test_cmc")) { -+ System.out.println("TEST_CMC: request format is test_cmc; re-signing the request"); -+ processResignCMC(ifilename, ofilename, signerCert, privKeyId, -+ tokenName, nickname, cm); -+ System.exit(0); -+ } -+ - ContentInfo cmcblob = null; - PKIData pkidata = null; - PrivateKey privk = null; 
-- if (selfSign.equalsIgnoreCase("true") || -+ if (useSharedSecret.equalsIgnoreCase("true") || - decryptedPopEnable.equalsIgnoreCase("true") || - popLinkWitnessV2Enable.equalsIgnoreCase("true")) { - if (privKeyId == null) { -- System.out.println("selfSign or ecryptedPop.enable or popLinkWitnessV2 true, but privKeyId not specified."); -+ System.out.println("useSharedSecret or ecryptedPop.enable or popLinkWitnessV2 true, but privKeyId not specified."); - printUsage(); - } else { - System.out.println("got request privKeyId: " + privKeyId); -@@ -2353,7 +2506,7 @@ public class CMCRequest { - - // create the request PKIData - pkidata = createPKIData( -- selfSign, -+ useSharedSecret, - requests, - format, transactionMgtEnable, transactionMgtId, - identificationEnable, identification, -@@ -2381,13 +2534,13 @@ public class CMCRequest { - SignedData signedData = null; - - // sign the request -- if (selfSign.equalsIgnoreCase("true")) { -- // selfSign signs with private key -- System.out.println("selfSign is true..."); -+ if (useSharedSecret.equalsIgnoreCase("true")) { -+ // useSharedSecret signs with private key -+ System.out.println("useSharedSecret is true..."); - signedData = signData(privk, pkidata); - } else { -- // none selfSign signs with existing cert -- System.out.println("selfSign is false..."); -+ // none useSharedSecret signs with existing cert -+ System.out.println("useSharedSecret is false..."); - signedData = signData(signerCert, tokenName, nickname, cm, pkidata); - } - if (signedData == null) { -@@ -2404,27 +2557,7 @@ public class CMCRequest { - - // (6) Finally, print the actual CMC blob to the - // specified output file -- FileOutputStream os = null; -- try { -- os = new FileOutputStream(ofilename); -- cmcblob.encode(os); -- System.out.println(""); -- System.out.println(""); -- System.out.println("The CMC enrollment request in binary format is stored in " + -- ofilename); -- } catch (IOException e) { -- System.out.println("CMCRequest: unable to open file " + 
ofilename + -- " for writing:\n" + e); -- } -- -- try { -- os.close(); -- } catch (IOException e) { -- System.out.println("CMCRequest: Unexpected error " + -- "encountered while attempting to close() " + -- "\n" + e); -- } -- -+ outputContentInfo(cmcblob, ofilename); - } catch (Exception e) { - e.printStackTrace(); - System.exit(1); -diff --git a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java -index 747b7d6..dd7a264 100644 ---- a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java -+++ b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java -@@ -190,7 +190,7 @@ public class CRMFPopClient { - option.setArgName("keywrap algorithm"); - options.addOption(option); - -- options.addOption("y", false, "for Self-signed cmc."); -+ options.addOption("y", false, "for cmc SharedSecret requests."); - - options.addOption("v", "verbose", false, "Run in verbose mode."); - options.addOption(null, "help", false, "Show help message."); -@@ -210,7 +210,7 @@ public class CRMFPopClient { - System.out.println(" -k Attribute value encoding in subject DN (default: false)"); - System.out.println(" - true: enabled"); - System.out.println(" - false: disabled"); -- System.out.println(" -y Add SubjectKeyIdentifier extension in case of self-signed CMC requests (default: false)"); -+ System.out.println(" -y Add SubjectKeyIdentifier extension in case of CMC SharedSecret requests (default: false); To be used with 'request.useSharedSecret=true' when running CMCRequest."); - System.out.println(" - true: enabled"); - System.out.println(" - false: disabled"); - System.out.println(" -a Key algorithm (default: rsa)"); -@@ -320,7 +320,7 @@ public class CRMFPopClient { - int sensitive = Integer.parseInt(cmd.getOptionValue("s", "-1")); - int extractable = Integer.parseInt(cmd.getOptionValue("e", "-1")); - -- boolean self_sign = cmd.hasOption("y"); -+ boolean use_shared_secret = cmd.hasOption("y"); - - // get the 
keywrap algorithm - KeyWrapAlgorithm keyWrapAlgorithm = null; -@@ -335,6 +335,7 @@ public class CRMFPopClient { - } - - String output = cmd.getOptionValue("o"); -+ String output_kid = output + ".keyId"; - - String hostPort = cmd.getOptionValue("m"); - String username = cmd.getOptionValue("u"); -@@ -507,7 +508,7 @@ public class CRMFPopClient { - - if (verbose) System.out.println("Creating certificate request"); - CertRequest certRequest = client.createCertRequest( -- self_sign, -+ use_shared_secret, - token, transportCert, algorithm, keyPair, - subject, keyWrapAlgorithm); - -@@ -558,11 +559,16 @@ public class CRMFPopClient { - requestor); - - } else if (output != null) { -- System.out.println("Storing CRMF requrest into " + output); -+ System.out.println("Storing CRMF request into " + output); - try (FileWriter out = new FileWriter(output)) { - out.write(csr); - } - -+ System.out.println("Storing CRMF request key id into " + output_kid); -+ try (FileWriter out_kid = new FileWriter(output_kid)) { -+ out_kid.write(kid); -+ } -+ - } else { - System.out.println(csr); - } -@@ -655,7 +661,7 @@ public class CRMFPopClient { - } - - public CertRequest createCertRequest( -- boolean self_sign, -+ boolean use_shared_secret, - CryptoToken token, - X509Certificate transportCert, - String algorithm, -@@ -701,8 +707,8 @@ public class CRMFPopClient { - seq.addElement(new AVA(OBJECT_IDENTIFIER.id_cmc_idPOPLinkWitness, ostr)); - */ - -- if (self_sign) { // per rfc 5272 -- System.out.println("CRMFPopClient: self_sign true. Generating SubjectKeyIdentifier extension."); -+ if (use_shared_secret) { // per rfc 5272 -+ System.out.println("CRMFPopClient: use_shared_secret true. 
Generating SubjectKeyIdentifier extension."); - KeyIdentifier subjKeyId = CryptoUtil.createKeyIdentifier(keyPair); - OBJECT_IDENTIFIER oid = new OBJECT_IDENTIFIER(PKIXExtensions.SubjectKey_Id.toString()); - SEQUENCE extns = new SEQUENCE(); -diff --git a/base/java-tools/src/com/netscape/cmstools/PKCS10Client.java b/base/java-tools/src/com/netscape/cmstools/PKCS10Client.java -index 9f39430..137049e 100644 ---- a/base/java-tools/src/com/netscape/cmstools/PKCS10Client.java -+++ b/base/java-tools/src/com/netscape/cmstools/PKCS10Client.java -@@ -18,6 +18,7 @@ - package com.netscape.cmstools; - - import java.io.FileOutputStream; -+import java.io.FileWriter; - import java.io.IOException; - import java.io.PrintStream; - import java.security.KeyPair; -@@ -84,11 +85,11 @@ public class PKCS10Client { - System.out.println( - " available ECC curve names (if provided by the crypto module): nistp256 (secp256r1),nistp384 (secp384r1),nistp521 (secp521r1),nistk163 (sect163k1),sect163r1,nistb163 (sect163r2),sect193r1,sect193r2,nistk233 (sect233k1),nistb233 (sect233r1),sect239k1,nistk283 (sect283k1),nistb283 (sect283r1),nistk409 (sect409k1),nistb409 (sect409r1),nistk571 (sect571k1),nistb571 (sect571r1),secp160k1,secp160r1,secp160r2,secp192k1,nistp192 (secp192r1, prime192v1),secp224k1,nistp224 (secp224r1),secp256k1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2\n"); - System.out.println( -- "In addition: -y \n"); -+ "In addition: -y To be used with 'request.useSharedSecret=true' when running CMCRequest.\n"); - } - - public static void main(String args[]) throws Exception { -- String dbdir = null, ofilename = null, password = null, subjectName = null, tokenName = null; -+ String dbdir = null, ofilename = null, kid_ofilename = 
null, password = null, subjectName = null, tokenName = null;
-
- String alg = "rsa";
- String ecc_curve = "nistp256";
-@@ -99,7 +100,7 @@ public class PKCS10Client {
- boolean ec_ssl_ecdh = false;
- int rsa_keylen = 2048;
-
-- boolean self_sign = false;
-+ boolean use_shared_secret = false;
-
- if (args.length < 4) {
- printUsage();
-@@ -163,6 +164,7 @@ public class PKCS10Client {
- rsa_keylen = Integer.parseInt(args[i+1]);
- } else if (name.equals("-o")) {
- ofilename = args[i+1];
-+ kid_ofilename = ofilename + ".keyId";
- } else if (name.equals("-n")) {
- subjectName = args[i+1];
- } else if (name.equals("-h")) {
-@@ -170,9 +172,9 @@ public class PKCS10Client {
- } else if (name.equals("-y")) {
- String temp = args[i+1];
- if (temp.equals("true"))
-- self_sign = true;
-+ use_shared_secret = true;
- else
-- self_sign = false;
-+ use_shared_secret = false;
- } else {
- System.out.println("Unrecognized argument(" + i + "): "
- + name);
-@@ -277,8 +279,8 @@ public class PKCS10Client {
-
-
- Extensions extns = new Extensions();
-- if (self_sign) { // per rfc 5272
-- System.out.println("PKCS10Client: self_sign true. Generating SubjectKeyIdentifier extension.");
-+ if (use_shared_secret) { // per rfc 5272
-+ System.out.println("PKCS10Client: use_shared_secret true. Generating SubjectKeyIdentifier extension.");
- KeyIdentifier subjKeyId = CryptoUtil.createKeyIdentifier(pair);
- SubjectKeyIdentifierExtension extn = new SubjectKeyIdentifierExtension(false,
- subjKeyId.getIdentifier());
-@@ -318,7 +320,13 @@ public class PKCS10Client {
- ps.println(Cert.REQUEST_FOOTER);
- ps.flush();
- ps.close();
-- System.out.println("PKCS10Client: done. Request written to file: "+ ofilename);
-+ System.out.println("PKCS10Client: done.
Certificate request written into "+ ofilename);
-+
-+ try (FileWriter out_kid = new FileWriter(kid_ofilename)) {
-+ out_kid.write(kid);
-+ }
-+ System.out.println("PKCS10Client: PKCS#10 request key id written into " + kid_ofilename);
-+
- } catch (Exception e) {
- System.out.println("PKCS10Client: Exception caught: "+e.toString());
- System.exit(1);
-diff --git a/base/server/cms/src/com/netscape/cms/profile/constraint/CMCSelfSignedSubjectNameConstraint.java b/base/server/cms/src/com/netscape/cms/profile/constraint/CMCSelfSignedSubjectNameConstraint.java
-deleted file mode 100644
-index d4554ca..0000000
---- a/base/server/cms/src/com/netscape/cms/profile/constraint/CMCSelfSignedSubjectNameConstraint.java
-+++ /dev/null
-@@ -1,129 +0,0 @@
--// --- BEGIN COPYRIGHT BLOCK ---
--// This program is free software; you can redistribute it and/or modify
--// it under the terms of the GNU General Public License as published by
--// the Free Software Foundation; version 2 of the License.
--//
--// This program is distributed in the hope that it will be useful,
--// but WITHOUT ANY WARRANTY; without even the implied warranty of
--// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
--// GNU General Public License for more details.
--//
--// You should have received a copy of the GNU General Public License along
--// with this program; if not, write to the Free Software Foundation, Inc.,
--// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
--//
--// (C) 2013 Red Hat, Inc.
--// All rights reserved.
--// --- END COPYRIGHT BLOCK ---
--package com.netscape.cms.profile.constraint;
--
--import java.util.Locale;
--
--import com.netscape.certsrv.apps.CMS;
--import com.netscape.certsrv.authentication.IAuthToken;
--import com.netscape.certsrv.authentication.IAuthManager;
--import com.netscape.certsrv.base.IConfigStore;
--import com.netscape.certsrv.profile.EProfileException;
--import com.netscape.certsrv.profile.ERejectException;
--import com.netscape.certsrv.profile.IPolicyDefault;
--import com.netscape.certsrv.profile.IProfile;
--import com.netscape.certsrv.property.IDescriptor;
--import com.netscape.certsrv.request.IRequest;
--import com.netscape.cms.profile.common.EnrollProfile;
--import com.netscape.cms.profile.def.AuthTokenSubjectNameDefault;
--
--import netscape.security.x509.CertificateSubjectName;
--import netscape.security.x509.X500Name;
--import netscape.security.x509.X509CertInfo;
--
--/**
-- * This class implements the user subject name constraint for self-signed cmc requests.
-- * It makes sure the SharedSecret authenticated subjectDN and the rsulting cert match
-- *
-- * @author cfu
-- * @version $Revision$, $Date$
-- */
--public class CMCSelfSignedSubjectNameConstraint extends EnrollConstraint {
--
-- public CMCSelfSignedSubjectNameConstraint() {
-- }
--
-- public void init(IProfile profile, IConfigStore config)
-- throws EProfileException {
-- super.init(profile, config);
-- }
--
-- public IDescriptor getConfigDescriptor(Locale locale, String name) {
-- return null;
-- }
--
-- public String getDefaultConfig(String name) {
-- return null;
-- }
--
-- /**
-- * Validates the request. The request is not modified
-- * during the validation. User encoded subject name
-- * is copied into the certificate template.
-- */
-- public void validate(IRequest request, X509CertInfo info)
-- throws ERejectException {
-- String method = "CMCSelfSignedSubjectNameConstraint: ";
-- String msg = "";
--
-- CertificateSubjectName infoCertSN = null;
-- String authTokenSharedTokenSN = null;
--
-- try {
-- infoCertSN = (CertificateSubjectName) info.get(X509CertInfo.SUBJECT);
-- if (infoCertSN == null) {
-- msg = method + "infoCertSN null";
-- CMS.debug(msg);
-- throw new Exception(msg);
-- }
-- CMS.debug(method + "validate user subject ="+
-- infoCertSN.toString());
-- X500Name infoCertName = (X500Name) infoCertSN.get(CertificateSubjectName.DN_NAME);
-- if (infoCertName == null) {
-- msg = method + "infoCertName null";
-- CMS.debug(msg);
-- throw new Exception(msg);
-- }
--
-- authTokenSharedTokenSN = request.getExtDataInString(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT);
-- if (authTokenSharedTokenSN == null) {
-- msg = method + "authTokenSharedTokenSN null";
-- CMS.debug(msg);
-- throw new Exception(msg);
-- }
-- if (infoCertName.getName().equalsIgnoreCase(authTokenSharedTokenSN)) {
-- CMS.debug(method + "names matched");
-- } else {
-- msg = method + "names do not match; authTokenSharedTokenSN =" +
-- authTokenSharedTokenSN;
-- CMS.debug(msg);
-- throw new Exception(msg);
-- }
--
-- } catch (Exception e) {
-- throw new ERejectException(
-- CMS.getUserMessage(getLocale(request),
-- "CMS_PROFILE_SUBJECT_NAME_NOT_MATCHED") + e);
-- }
-- }
--
-- public String getText(Locale locale) {
-- return CMS.getUserMessage(locale,
-- "CMS_PROFILE_CONSTRAINT_CMC_SELF_SIGNED_SUBJECT_NAME_TEXT");
-- }
--
-- public boolean isApplicable(IPolicyDefault def) {
-- String method = "CMCSelfSignedSubjectNameConstraint: isApplicable: ";
-- if (def instanceof AuthTokenSubjectNameDefault) {
-- CMS.debug(method + "true");
-- return true;
-- }
-- CMS.debug(method + "false");
-- return false;
-- }
--}
-diff --git
a/base/server/cms/src/com/netscape/cms/profile/constraint/CMCSharedTokenSubjectNameConstraint.java b/base/server/cms/src/com/netscape/cms/profile/constraint/CMCSharedTokenSubjectNameConstraint.java
-new file mode 100644
-index 0000000..879e1cc
---- /dev/null
-+++ b/base/server/cms/src/com/netscape/cms/profile/constraint/CMCSharedTokenSubjectNameConstraint.java
-@@ -0,0 +1,130 @@
-+// --- BEGIN COPYRIGHT BLOCK ---
-+// This program is free software; you can redistribute it and/or modify
-+// it under the terms of the GNU General Public License as published by
-+// the Free Software Foundation; version 2 of the License.
-+//
-+// This program is distributed in the hope that it will be useful,
-+// but WITHOUT ANY WARRANTY; without even the implied warranty of
-+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-+// GNU General Public License for more details.
-+//
-+// You should have received a copy of the GNU General Public License along
-+// with this program; if not, write to the Free Software Foundation, Inc.,
-+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-+//
-+// (C) 2013 Red Hat, Inc.
-+// All rights reserved.
-+// --- END COPYRIGHT BLOCK ---
-+package com.netscape.cms.profile.constraint;
-+
-+import java.util.Locale;
-+
-+import com.netscape.certsrv.apps.CMS;
-+import com.netscape.certsrv.authentication.IAuthToken;
-+import com.netscape.certsrv.authentication.IAuthManager;
-+import com.netscape.certsrv.base.IConfigStore;
-+import com.netscape.certsrv.profile.EProfileException;
-+import com.netscape.certsrv.profile.ERejectException;
-+import com.netscape.certsrv.profile.IPolicyDefault;
-+import com.netscape.certsrv.profile.IProfile;
-+import com.netscape.certsrv.property.IDescriptor;
-+import com.netscape.certsrv.request.IRequest;
-+import com.netscape.cms.profile.common.EnrollProfile;
-+import com.netscape.cms.profile.def.AuthTokenSubjectNameDefault;
-+
-+import netscape.security.x509.CertificateSubjectName;
-+import netscape.security.x509.X500Name;
-+import netscape.security.x509.X509CertInfo;
-+
-+/**
-+ * This class implements the user subject name constraint for cmc requests
-+ * authenticated by the SharedSecret
-+ * The resulting cert should match that of the authenticating DN
-+ *
-+ * @author cfu
-+ * @version $Revision$, $Date$
-+ */
-+public class CMCSharedTokenSubjectNameConstraint extends EnrollConstraint {
-+
-+ public CMCSharedTokenSubjectNameConstraint() {
-+ }
-+
-+ public void init(IProfile profile, IConfigStore config)
-+ throws EProfileException {
-+ super.init(profile, config);
-+ }
-+
-+ public IDescriptor getConfigDescriptor(Locale locale, String name) {
-+ return null;
-+ }
-+
-+ public String getDefaultConfig(String name) {
-+ return null;
-+ }
-+
-+ /**
-+ * Validates the request. The request is not modified
-+ * during the validation. User encoded subject name
-+ * is copied into the certificate template.
-+ */
-+ public void validate(IRequest request, X509CertInfo info)
-+ throws ERejectException {
-+ String method = "CMCSharedTokenSubjectNameConstraint: ";
-+ String msg = "";
-+
-+ CertificateSubjectName infoCertSN = null;
-+ String authTokenSharedTokenSN = null;
-+
-+ try {
-+ infoCertSN = (CertificateSubjectName) info.get(X509CertInfo.SUBJECT);
-+ if (infoCertSN == null) {
-+ msg = method + "infoCertSN null";
-+ CMS.debug(msg);
-+ throw new Exception(msg);
-+ }
-+ CMS.debug(method + "validate user subject ="+
-+ infoCertSN.toString());
-+ X500Name infoCertName = (X500Name) infoCertSN.get(CertificateSubjectName.DN_NAME);
-+ if (infoCertName == null) {
-+ msg = method + "infoCertName null";
-+ CMS.debug(msg);
-+ throw new Exception(msg);
-+ }
-+
-+ authTokenSharedTokenSN = request.getExtDataInString(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT);
-+ if (authTokenSharedTokenSN == null) {
-+ msg = method + "authTokenSharedTokenSN null";
-+ CMS.debug(msg);
-+ throw new Exception(msg);
-+ }
-+ if (infoCertName.getName().equalsIgnoreCase(authTokenSharedTokenSN)) {
-+ CMS.debug(method + "names matched");
-+ } else {
-+ msg = method + "names do not match; authTokenSharedTokenSN =" +
-+ authTokenSharedTokenSN;
-+ CMS.debug(msg);
-+ throw new Exception(msg);
-+ }
-+
-+ } catch (Exception e) {
-+ throw new ERejectException(
-+ CMS.getUserMessage(getLocale(request),
-+ "CMS_PROFILE_SUBJECT_NAME_NOT_MATCHED") + e);
-+ }
-+ }
-+
-+ public String getText(Locale locale) {
-+ return CMS.getUserMessage(locale,
-+ "CMS_PROFILE_CONSTRAINT_CMC_SELF_SIGNED_SUBJECT_NAME_TEXT");
-+ }
-+
-+ public boolean isApplicable(IPolicyDefault def) {
-+ String method = "CMCSharedTokenSubjectNameConstraint: isApplicable: ";
-+ if (def instanceof AuthTokenSubjectNameDefault) {
-+ CMS.debug(method + "true");
-+ return true;
-+ }
-+ CMS.debug(method + "false");
-+ return false;
-+ }
-+}
---
-1.8.3.1
-
diff --git a/SOURCES/pki-core-10.5.9-batch-3.0.patch b/SOURCES/pki-core-10.5.9-batch-3.0.patch
deleted file mode 100644
index 5ba8682..0000000
--- a/SOURCES/pki-core-10.5.9-batch-3.0.patch
+++ /dev/null
@@ -1,2863 +0,0 @@ -diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg -index 63cb299..2d5d962 100644 ---- a/base/ca/shared/conf/CS.cfg -+++ b/base/ca/shared/conf/CS.cfg -@@ -911,7 +911,7 @@ log.instance.SignedAudit._007=## $ pki-server ca-audit-event-enable/disable insert n+1 empty lines -+.\" for man page specific macros, see man(7) -+.SH NAME -+PKICertImport \- Used to safely validate and import certificates into the NSS database. -+ -+.SH SYNOPSIS -+.PP -+\fBUsage: PKICertImport -d -i -n -t -u [-h ] [-f ] [-a]\fP -+ -+Validate and import a certificate into the specified NSS database. Verifies signature, trust chain, trust, and usage flags. If a certificate is not valid, it will not be added to the NSS DB or specified hardware token. -+ -+.SH DESCRIPTION -+.PP -+The certificate import utility validates signature, trust chain, trust, and usage flags before importing a certificate into the specified NSS database. This ensures that no certificate is used before its authenticity has been verified. Unlike \fBcertutil\fP, only one invocation is necessary to both validate and import certificates. -+.PP -+See \fBcertutil\fP for more information about the parameters to \fBPKICertImport\fP. -+ -+.SH OPTIONS -+.PP -+\fBPKICertImport\fP parameters: -+.PP -+.TP -+.B --ascii, -a -+The certificate is encoded in ASCII (PEM) format instead of binary format. Optional. -+ -+.TP -+.B --database, -d -+The directory containing the NSS database. This is usually the client's personal directory. Required. -+ -+.TP -+.B --password, -f -+The path to a file containing the password to the NSS database. Optional. -+ -+.TP -+.B --hsm, -h -+Name of the token. By default it takes 'internal'. Optional. -+ -+.TP -+.B --certificate, -i -+Path to the certificate to import. Required. -+ -+.TP -+.B --nickname, -n -+Nickname for the certificate in the NSS DB. Required. -+ -+.TP -+.B --trust, -t -+Trust flags for the certificate. 
See \fBcertutil\fP for more information about the available trust flags. Required. -+ -+.TP -+.B --usage, -u -+Usage to validate the certificate against. See \fBcertutil\fP for more information about available usage flags. Required. -+ -+.SH AUTHORS -+Alexander Scheel . -+ -+.SH COPYRIGHT -+Copyright (c) 2019 Red Hat, Inc. This is licensed under the GNU General Public -+License, version 2 (GPLv2). A copy of this license is available at -+http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt. -diff --git a/base/kra/shared/conf/CS.cfg b/base/kra/shared/conf/CS.cfg -index 8bfb0fb..f21f305 100644 ---- a/base/kra/shared/conf/CS.cfg -+++ b/base/kra/shared/conf/CS.cfg -@@ -306,7 +306,7 @@ log.instance.SignedAudit._007=## $ pki-server kra-audit-event-enable/disable - * - *
    -- *
  • signed.audit LOGGING_SIGNED_AUDIT_AUDIT_LOG_SHUTDOWN used at audit function shutdown -+ *
  • signed.audit AUDIT_LOG_SHUTDOWN used at audit function shutdown - *
- */ - public synchronized void shutdown() { -diff --git a/base/server/cmsbundle/src/audit-events.properties b/base/server/cmsbundle/src/audit-events.properties -index ddc278e..64548da 100644 ---- a/base/server/cmsbundle/src/audit-events.properties -+++ b/base/server/cmsbundle/src/audit-events.properties -@@ -8,1286 +8,1758 @@ - # - # Event: - # Description: -+# - # Applicable subsystems: - # Enabled by default: - # Fields: - # - : -+# - # - # Note: In the actual event definition there should be exactly 1 space - # after the # sign. - # - # Common fields: --# - Outcome: must be "success" or "failure" --# - SubjectID: must be the UID of the user responsible for the operation --# "$System$" if system-initiated operation (e.g. log signing) -+# - Outcome: "Success" or "Failure" -+# - SubjectID: The UID of the user responsible for the operation -+# "$System$" or "SYSTEM" if system-initiated operation (e.g. log signing). - # - ######################################################################### --# Selectable Signed Audit Events -+# Required Audit Events -+# -+# Event: ACCESS_SESSION_ESTABLISH with [Outcome=Failure] -+# Description: This event is used when access session failed to establish. -+# Applicable subsystems: CA, KRA, OCSP, TKS, TPS -+# Enabled by default: Yes -+# Fields: -+# - ClientIP: Client IP address. -+# - ServerIP: Server IP address. -+# - SubjectID: Client certificate subject DN. -+# - Outcome: Failure -+# - Info: Failure reason. -+# -+LOGGING_SIGNED_AUDIT_ACCESS_SESSION_ESTABLISH_FAILURE=\ -+:[AuditEvent=ACCESS_SESSION_ESTABLISH]{0} access session establish failure -+# -+# Event: ACCESS_SESSION_ESTABLISH with [Outcome=Success] -+# Description: This event is used when access session was established successfully. -+# Applicable subsystems: CA, KRA, OCSP, TKS, TPS -+# Enabled by default: Yes -+# Fields: -+# - ClientIP: Client IP address. -+# - ServerIP: Server IP address. -+# - SubjectID: Client certificate subject DN. 
-+# - Outcome: Success -+# -+LOGGING_SIGNED_AUDIT_ACCESS_SESSION_ESTABLISH_SUCCESS=\ -+:[AuditEvent=ACCESS_SESSION_ESTABLISH]{0} access session establish success -+# -+# Event: ACCESS_SESSION_TERMINATED -+# Description: This event is used when access session was terminated. -+# Applicable subsystems: CA, KRA, OCSP, TKS, TPS -+# Enabled by default: Yes -+# Fields: -+# - ClientIP: Client IP address. -+# - ServerIP: Server IP address. -+# - SubjectID: Client certificate subject DN. -+# - Info: The TLS Alert received from NSS -+# - Outcome: Success -+# - Info: The TLS Alert received from NSS -+# -+LOGGING_SIGNED_AUDIT_ACCESS_SESSION_TERMINATED=\ -+:[AuditEvent=ACCESS_SESSION_TERMINATED]{0} access session terminated -+# -+# Event: AUDIT_LOG_SIGNING -+# Description: This event is used when a signature on the audit log is generated (same as "flush" time). -+# Applicable subsystems: CA, KRA, OCSP, TKS, TPS -+# Enabled by default: Yes -+# Fields: -+# - SubjectID: Predefined to be "$System$" because this operation -+# associates with no user. -+# - Outcome: Success -+# - sig: The base-64 encoded signature of the buffer just flushed. -+# -+LOGGING_SIGNED_AUDIT_AUDIT_LOG_SIGNING_3=[AuditEvent=AUDIT_LOG_SIGNING][SubjectID={0}][Outcome={1}] signature of audit buffer just flushed: sig: {2} - # - # Event: AUDIT_LOG_STARTUP --# - used at audit function startup -+# Description: This event is used at audit function startup. - # Applicable subsystems: CA, KRA, OCSP, TKS, TPS - # Enabled by default: Yes -+# Fields: -+# - SubjectID: $System$ -+# - Outcome: - # - LOGGING_SIGNED_AUDIT_AUDIT_LOG_STARTUP_2=:[AuditEvent=AUDIT_LOG_STARTUP][SubjectID={0}][Outcome={1}] audit function startup - # --# Event: AUDIT_LOG_SHUTDOWN --# - used at audit function shutdown -+# Event: AUTH with [Outcome=Failure] -+# Description: This event is used when authentication fails. -+# In case of SSL-client auth, only webserver env can pick up the SSL violation. 
-+# CS authMgr can pick up certificate mismatch, so this event is used. - # Applicable subsystems: CA, KRA, OCSP, TKS, TPS - # Enabled by default: Yes -+# Fields: -+# - SubjectID: -+# - Outcome: Failure -+# (obviously, if authentication failed, you won't have a valid SubjectID, so -+# in this case, SubjectID should be $Unidentified$) -+# - AuthMgr: The authentication manager instance name that did -+# this authentication. -+# - AttemptedCred: The credential attempted and failed. - # --LOGGING_SIGNED_AUDIT_AUDIT_LOG_SHUTDOWN_2=:[AuditEvent=AUDIT_LOG_SHUTDOWN][SubjectID={0}][Outcome={1}] audit function shutdown -+LOGGING_SIGNED_AUDIT_AUTH_FAIL=:[AuditEvent=AUTH]{0} authentication failure - # --# Event: CIMC_CERT_VERIFICATION --# - used for verifying CIMC system certificates -+# Event: AUTH with [Outcome=Success] -+# Description: This event is used when authentication succeeded. - # Applicable subsystems: CA, KRA, OCSP, TKS, TPS --# Enabled by default: No --# - CertNickName is the cert nickname -+# Enabled by default: Yes -+# Fields: -+# - SubjectID: id of user who has been authenticated -+# - Outcome: Success -+# - AuthMgr: The authentication manager instance name that did -+# this authentication. - # --LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION_3=:[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID={0}][Outcome={1}][CertNickName={2}] CIMC certificate verification -+LOGGING_SIGNED_AUDIT_AUTH_SUCCESS=:[AuditEvent=AUTH]{0} authentication success - # --# Event: ROLE_ASSUME --# - used when user assumes a role (in current CS that's when one accesses a --# role port) -+# Event: AUTHZ with [Outcome=Failure] -+# Description: This event is used when authorization has failed. 
- # Applicable subsystems: CA, KRA, OCSP, TKS, TPS - # Enabled by default: Yes --# Role must be be one of the valid roles, by default: "Administrators", --# "Certificate Manager Agents", and "Auditors" --# note that customized role names can be used once configured -+# Fields: -+# - SubjectID: id of user who has failed to be authorized for an action -+# - Outcome: Failure -+# - aclResource: The ACL resource ID as defined in ACL resource list. -+# - Op: One of the operations as defined with the ACL statement -+# e.g. "read" for an ACL statement containing "(read,write)". -+# - Info: - # --LOGGING_SIGNED_AUDIT_ROLE_ASSUME=:[AuditEvent=ROLE_ASSUME]{0} assume privileged role -+LOGGING_SIGNED_AUDIT_AUTHZ_FAIL=:[AuditEvent=AUTHZ]{0} authorization failure - # --# Event: CONFIG_CERT_POLICY --# - used when configuring certificate policy constraints and extensions --# Applicable subsystems: CA --# Enabled by default: No --# ParamNameValPairs must be a name;;value pair --# (where name and value are separated by the delimiter ;;) --# separated by + (if more than one name;;value pair) of config params changed -+# Event: AUTHZ with [Outcome=Success] -+# Description: This event is used when authorization is successful. -+# Applicable subsystems: CA, KRA, OCSP, TKS, TPS -+# Enabled by default: Yes -+# Fields: -+# - SubjectID: id of user who has been authorized for an action -+# - Outcome: Success -+# - aclResource: The ACL resource ID as defined in ACL resource list. -+# - Op: One of the operations as defined with the ACL statement -+# e.g. "read" for an ACL statement containing "(read,write)". 
- # --LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY_3=:[AuditEvent=CONFIG_CERT_POLICY][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] certificate policy constraint or extension configuration parameter(s) change -+LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS=:[AuditEvent=AUTHZ]{0} authorization success - # --# Event: CONFIG_CERT_PROFILE --# - used when configuring certificate profile --# (general settings and certificate profile) --# (extensions and constraints policies are to be obsoleted but do it anyway) -+# Event: CERT_PROFILE_APPROVAL -+# Description: This event is used when an agent approves/disapproves a certificate profile set by the -+# administrator for automatic approval. - # Applicable subsystems: CA - # Enabled by default: Yes --# ParamNameValPairs must be a name;;value pair --# (where name and value are separated by the delimiter ;;) --# separated by + (if more than one name;;value pair) of config params changed -+# Fields: -+# - SubjectID: id of the CA agent who approved the certificate enrollment profile -+# - Outcome: -+# - ProfileID: One of the profiles defined by the administrator -+# and to be approved by an agent. -+# - Op: "approve" or "disapprove". - # --LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE_3=:[AuditEvent=CONFIG_CERT_PROFILE][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] certificate profile configuration parameter(s) change -+LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL_4=:[AuditEvent=CERT_PROFILE_APPROVAL][SubjectID={0}][Outcome={1}][ProfileID={2}][Op={3}] certificate profile approval - # --# Event: CONFIG_CRL_PROFILE --# - used when configuring CRL profile --# (extensions, frequency, CRL format) -+# Event: CERT_REQUEST_PROCESSED -+# Description: This event is used when certificate request has just been through the approval process. 
- # Applicable subsystems: CA - # Enabled by default: Yes --# ParamNameValPairs must be a name;;value pair --# (where name and value are separated by the delimiter ;;) --# separated by + (if more than one name;;value pair) of config params changed -+# Fields: -+# - SubjectID: The UID of the agent who approves, rejects, or cancels -+# the certificate request. -+# - Outcome: -+# - ReqID: The request ID. -+# - InfoName: "certificate" (in case of approval), "rejectReason" -+# (in case of reject), or "cancelReason" (in case of cancel) -+# - InfoValue: The certificate (in case of success), a reject reason in -+# text, or a cancel reason in text. -+# - CertSerialNum: - # --LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE_3=:[AuditEvent=CONFIG_CRL_PROFILE][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] CRL profile configuration parameter(s) change -+LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED=:[AuditEvent=CERT_REQUEST_PROCESSED]{0} certificate request processed - # --# Event: CONFIG_OCSP_PROFILE --# - used when configuring OCSP profile --# (everything under Online Certificate Status Manager) --# Applicable subsystems: OCSP -+# Event: CERT_SIGNING_INFO -+# Description: This event indicates which key is used to sign certificates. 
-+# Applicable subsystems: CA - # Enabled by default: Yes --# ParamNameValPairs must be a name;;value pair --# (where name and value are separated by the delimiter ;;) --# separated by + (if more than one name;;value pair) of config params changed -+# Fields: -+# - SubjectID: $System$ -+# - Outcome: Success -+# - SKI: Subject Key Identifier of the certificate signing certificate -+# - AuthorityID: (applicable only to lightweight CA) - # --LOGGING_SIGNED_AUDIT_CONFIG_OCSP_PROFILE_3=:[AuditEvent=CONFIG_OCSP_PROFILE][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] OCSP profile configuration parameter(s) change -+LOGGING_SIGNED_AUDIT_CERT_SIGNING_INFO=:[AuditEvent=CERT_SIGNING_INFO]{0} certificate signing info - # --# Event: CONFIG_AUTH --# - used when configuring authentication --# Applicable subsystems: CA, KRA, OCSP, TKS, TPS -+# Event: CERT_STATUS_CHANGE_REQUEST -+# Description: This event is used when a certificate status change request (e.g. revocation) -+# is made (before approval process). -+# Applicable subsystems: CA - # Enabled by default: Yes --# ParamNameValPairs must be a name;;value pair --# (where name and value are separated by the delimiter ;;) --# separated by + (if more than one name;;value pair) of config params changed --# --- Password MUST NOT be logged --- -+# Fields: -+# - SubjectID: id of uer who performed the action -+# - Outcome: -+# - ReqID: The request ID. -+# - CertSerialNum: The serial number (in hex) of the certificate to be revoked. 
-+# - RequestType: "revoke", "on-hold", "off-hold" - # --LOGGING_SIGNED_AUDIT_CONFIG_AUTH_3=:[AuditEvent=CONFIG_AUTH][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] authentication configuration parameter(s) change -+LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST=:[AuditEvent=CERT_STATUS_CHANGE_REQUEST]{0} certificate revocation/unrevocation request made - # --# Event: CONFIG_ROLE --# - used when configuring role information (anything under users/groups) --# add/remove/edit a role, etc) --# Applicable subsystems: CA, KRA, OCSP, TKS, TPS -+# Event: CERT_STATUS_CHANGE_REQUEST_PROCESSED -+# Description: This event is used when certificate status is changed (revoked, expired, on-hold, -+# off-hold). -+# Applicable subsystems: CA - # Enabled by default: Yes --# ParamNameValPairs must be a name;;value pair --# (where name and value are separated by the delimiter ;;) --# separated by + (if more than one name;;value pair) of config params changed -+# Fields: -+# - SubjectID: The UID of the agent that processed the request. -+# - Outcome: -+# - ReqID: The request ID. -+# - RequestType: "revoke", "on-hold", "off-hold" -+# - Approval: "complete", "rejected", or "canceled" -+# (note that "complete" means "approved") -+# - CertSerialNum: The serial number (in hex). 
-+# - RevokeReasonNum: One of the following number: -+# reason number reason -+# -------------------------------------- -+# 0 Unspecified -+# 1 Key compromised -+# 2 CA key compromised (should not be used) -+# 3 Affiliation changed -+# 4 Certificate superceded -+# 5 Cessation of operation -+# 6 Certificate is on-hold -+# - Info: - # --LOGGING_SIGNED_AUDIT_CONFIG_ROLE=:[AuditEvent=CONFIG_ROLE]{0} role configuration parameter(s) change -+LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED=:[AuditEvent=CERT_STATUS_CHANGE_REQUEST_PROCESSED]{0} certificate status change request processed - # --# Event: CONFIG_ACL --# - used when configuring ACL information -+# Event: CLIENT_ACCESS_SESSION_ESTABLISH with [Outcome=Failure] -+# Description: This event is when access session failed to establish when Certificate System acts as client. - # Applicable subsystems: CA, KRA, OCSP, TKS, TPS - # Enabled by default: Yes --# ParamNameValPairs must be a name;;value pair --# (where name and value are separated by the delimiter ;;) --# separated by + (if more than one name;;value pair) of config params changed -+# Fields: -+# - ClientHost: Client hostname. -+# - ServerHost: Server hostname. -+# - ServerPort: Server port. -+# - SubjectID: SYSTEM -+# - Outcome: Failure -+# - Info: - # --LOGGING_SIGNED_AUDIT_CONFIG_ACL_3=:[AuditEvent=CONFIG_ACL][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] ACL configuration parameter(s) change -+LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_ESTABLISH_FAILURE=\ -+:[AuditEvent=CLIENT_ACCESS_SESSION_ESTABLISH]{0} access session failed to establish when Certificate System acts as client - # --# Event: CONFIG_SIGNED_AUDIT --# - used when configuring signedAudit -+# Event: CLIENT_ACCESS_SESSION_ESTABLISH with [Outcome=Success] -+# Description: This event is used when access session was established successfully when -+# Certificate System acts as client. 
- # Applicable subsystems: CA, KRA, OCSP, TKS, TPS - # Enabled by default: Yes --# ParamNameValPairs must be a name;;value pair --# (where name and value are separated by the delimiter ;;) --# separated by + (if more than one name;;value pair) of config params changed -+# Fields: -+# - ClientHost: Client hostname. -+# - ServerHost: Server hostname. -+# - ServerPort: Server port. -+# - SubjectID: SYSTEM -+# - Outcome: Success - # --LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT=:[AuditEvent=CONFIG_SIGNED_AUDIT]{0} signed audit configuration parameter(s) change -+LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_ESTABLISH_SUCCESS=\ -+:[AuditEvent=CLIENT_ACCESS_SESSION_ESTABLISH]{0} access session establish successfully when Certificate System acts as client - # --# Event: CONFIG_ENCRYPTION --# - used when configuring encryption (cert settings and SSL cipher preferences) -+# Event: CLIENT_ACCESS_SESSION_TERMINATED -+# Description: This event is used when access session was terminated when Certificate System acts as client. - # Applicable subsystems: CA, KRA, OCSP, TKS, TPS - # Enabled by default: Yes --# ParamNameValPairs must be a name;;value pair --# (where name and value are separated by the delimiter ;;) --# separated by + (if more than one name;;value pair) of config params changed -+# Fields: -+# - ClientHost: Client hostname. -+# - ServerHost: Server hostname. -+# - ServerPort: Server port. -+# - SubjectID: SYSTEM -+# - Outcome: Success -+# - Info: The TLS Alert received from NSS - # --LOGGING_SIGNED_AUDIT_CONFIG_ENCRYPTION_3=:[AuditEvent=CONFIG_ENCRYPTION][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] encryption configuration parameter(s) change -+LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_TERMINATED=\ -+:[AuditEvent=CLIENT_ACCESS_SESSION_TERMINATED]{0} access session terminated when Certificate System acts as client - # --# Event: CONFIG_TRUSTED_PUBLIC_KEY --# - used when --# 1. 
"Manage Certificate" is used to edit the trustness of certificates --# and deletion of certificates --# 2. "Certificate Setup Wizard" is used to import CA certificates into the --# certificate database (Although CrossCertificatePairs are stored --# within internaldb, audit them as well) --# Applicable subsystems: CA, KRA, OCSP, TKS, TPS -+# Event: CMC_REQUEST_RECEIVED -+# Description: This event is used when a CMC request is received. -+# Applicable subsystems: CA - # Enabled by default: Yes --# ParamNameValPairs must be a name;;value pair --# (where name and value are separated by the delimiter ;;) --# separated by + (if more than one name;;value pair) of config params changed -+# Fields: -+# - SubjectID: The UID of user that triggered this event. -+# If CMC requests is signed by an agent, SubjectID should -+# be that of the agent. -+# In case of an unsigned request, it would bear $Unidentified$. -+# - Outcome: -+# - CMCRequest: Base64 encoding of the CMC request received - # --LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY=:[AuditEvent=CONFIG_TRUSTED_PUBLIC_KEY]{0} certificate database configuration -+LOGGING_SIGNED_AUDIT_CMC_REQUEST_RECEIVED_3=:[AuditEvent=CMC_REQUEST_RECEIVED][SubjectID={0}][Outcome={1}][CMCRequest={2}] CMC request received - # --# Event: CONFIG_DRM --# - used when configuring DRM --# (Key recovery scheme, change of any secret component) --# Applicable subsystems: KRA -+# Event: CMC_RESPONSE_SENT -+# Description: This event is used when a CMC response is sent. -+# Applicable subsystems: CA - # Enabled by default: Yes --# ParamNameValPairs must be a name;;value pair --# (where name and value are separated by the delimiter ;;) --# separated by + (if more than one name;;value pair) of config params changed --# --- secret component (password) MUST NOT be logged --- -+# Fields: -+# - SubjectID: The UID of user that triggered this event. 
-+# - Outcome: -+# - CMCResponse: Base64 encoding of the CMC response sent - # --LOGGING_SIGNED_AUDIT_CONFIG_DRM_3=:[AuditEvent=CONFIG_DRM][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] DRM configuration parameter(s) change -+LOGGING_SIGNED_AUDIT_CMC_RESPONSE_SENT_3=:[AuditEvent=CMC_RESPONSE_SENT][SubjectID={0}][Outcome={1}][CMCResponse={2}] CMC response sent - # --# Event: SELFTESTS_EXECUTION --# - used when self tests are run --# Applicable subsystems: CA, KRA, OCSP, TKS, TPS -+# Event: CMC_SIGNED_REQUEST_SIG_VERIFY -+# Description: This event is used when agent signed CMC certificate requests or revocation requests -+# are submitted and signature is verified. -+# Applicable subsystems: CA - # Enabled by default: Yes -+# Fields: -+# - SubjectID: the user who signed the CMC request (success case) -+# - Outcome: -+# - ReqType: The request type (enrollment, or revocation). -+# - CertSubject: The certificate subject name of the certificate request. -+# - SignerInfo: A unique String representation for the signer. - # --LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION_2=:[AuditEvent=SELFTESTS_EXECUTION][SubjectID={0}][Outcome={1}] self tests execution (see selftests.log for details) -+LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY=:[AuditEvent=CMC_SIGNED_REQUEST_SIG_VERIFY]{0} agent signed CMC request signature verification - # --# Event: AUDIT_LOG_DELETE --# - used AFTER audit log gets expired (authz should not allow, --# but in case authz gets compromised. Make sure it is written --# AFTER the log expiration happens) --# Applicable subsystems: CA, KRA, OCSP, TKS, TPS --# Enabled by default: No --# LogFile must be the complete name (including the path) of the --# signedAudit log that is attempted to be deleted -+# Event: CMC_USER_SIGNED_REQUEST_SIG_VERIFY -+# Description: This event is used when CMC (user-signed or self-signed) certificate requests or revocation requests -+# are submitted and signature is verified. 
-+# Applicable subsystems: CA
-+# Enabled by default: Yes
-+# Fields:
-+# - SubjectID: the user who signed the CMC request (success case)
-+# - Outcome:
-+# - ReqType: The request type (enrollment, or revocation).
-+# - CertSubject: The certificate subject name of the certificate request.
-+# - CMCSignerInfo: A unique String representation for the CMC request signer.
-+# - info:
- #
--LOGGING_SIGNED_AUDIT_LOG_DELETE_3=:[AuditEvent=AUDIT_LOG_DELETE][SubjectID={0}][Outcome={1}][LogFile={2}] signedAudit log deletion
-+LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE=:[AuditEvent=CMC_USER_SIGNED_REQUEST_SIG_VERIFY]{0} User signed CMC request signature verification failure
-+LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS=:[AuditEvent=CMC_USER_SIGNED_REQUEST_SIG_VERIFY]{0} User signed CMC request signature verification success
- #
--# Event: LOG_PATH_CHANGE
--# - used when log file name (including any path changes) for any of
--# audit, system, transaction, or other customized log file
--# change is attempted (authz should not allow, but make sure it's
--# written after the attempt)
-+# Event: CONFIG_ACL
-+# Description: This event is used when configuring ACL information.
- # Applicable subsystems: CA, KRA, OCSP, TKS, TPS
- # Enabled by default: Yes
--# LogType must be "System", "Transaction", or "SignedAudit"
--# toLogFile must be the name (including any path changes) that the user is
--# attempting to change to
-+# Fields:
-+# - SubjectID: id of administrator who performed the action
-+# - Outcome:
-+# - ParamNameValPairs: A name-value pair
-+# (where name and value are separated by the delimiter ;;)
-+# separated by + (if more than one name-value pair) of config params changed.
- #
--LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE_4=:[AuditEvent=LOG_PATH_CHANGE][SubjectID={0}][Outcome={1}][LogType={2}][toLogFile={3}] log path change attempt
-+LOGGING_SIGNED_AUDIT_CONFIG_ACL_3=:[AuditEvent=CONFIG_ACL][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] ACL configuration parameter(s) change
- #
--# Event: LOG_EXPIRATION_CHANGE
--# - used when log expiration time change is attempted (authz should not
--# allow, but make sure it's written after the attempt)
-+# Event: CONFIG_AUTH
-+# Description: This event is used when configuring authentication.
- # Applicable subsystems: CA, KRA, OCSP, TKS, TPS
--# Enabled by default: No
--# LogType must be "System", "Transaction", or "SignedAudit"
--# ExpirationTime must be the amount of time (in seconds) that is
--# attempted to be changed to
-+# Enabled by default: Yes
-+# Fields:
-+# - SubjectID: id of administrator who performed the action
-+# - Outcome:
-+# - ParamNameValPairs: A name-value pair
-+# (where name and value are separated by the delimiter ;;)
-+# separated by + (if more than one name-value pair) of config params changed.
-+# --- Password MUST NOT be logged ---
- #
--# -- feature disabled --
--#LOGGING_SIGNED_AUDIT_LOG_EXPIRATION_CHANGE_4=:[AuditEvent=LOG_EXPIRATION_CHANGE][SubjectID={0}][Outcome={1}][LogType={2}][ExpirationTime={3}] log expiration time change attempt
-+LOGGING_SIGNED_AUDIT_CONFIG_AUTH_3=:[AuditEvent=CONFIG_AUTH][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] authentication configuration parameter(s) change
- #
--# Event: SERVER_SIDE_KEYGEN_REQUEST
--# - used when server-side key generation request is made
--# This is for tokenkeys
--# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
-+# Event: CONFIG_CERT_PROFILE
-+# Description: This event is used when configuring certificate profile
-+# (general settings and certificate profile).
-+# Applicable subsystems: CA
- # Enabled by default: Yes
--# EntityID must be the representation of the subject that will be on the certificate when issued
-+# Fields:
-+# - SubjectID: id of administrator who performed the action
-+# - Outcome:
-+# - ParamNameValPairs: A name-value pair
-+# (where name and value are separated by the delimiter ;;)
-+# separated by + (if more than one name-value pair) of config params changed.
- #
--LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST=:[AuditEvent=SERVER_SIDE_KEYGEN_REQUEST]{0} server-side key generation request
-+LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE_3=:[AuditEvent=CONFIG_CERT_PROFILE][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] certificate profile configuration parameter(s) change
- #
--# Event: SERVER_SIDE_KEYGEN_REQUEST_PROCESSED
--# - used when server-side key generation request has been processed.
--# This is for tokenkeys
--# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
-+# Event: CONFIG_CRL_PROFILE
-+# Description: This event is used when configuring CRL profile
-+# (extensions, frequency, CRL format).
-+# Applicable subsystems: CA
- # Enabled by default: Yes
--# EntityID must be the representation of the subject that will be on the certificate when issued
--# PubKey must be the base-64 encoded public key associated with
--# the private key to be archived
-+# Fields:
-+# - SubjectID: id of administrator who performed the action
-+# - Outcome:
-+# - ParamNameValPairs: A name-value pair
-+# (where name and value are separated by the delimiter ;;)
-+# separated by + (if more than one name-value pair) of config params changed.
- #
--LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED=:[AuditEvent=SERVER_SIDE_KEYGEN_REQUEST_PROCESSED]{0} server-side key generation request processed
-+LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE_3=:[AuditEvent=CONFIG_CRL_PROFILE][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] CRL profile configuration parameter(s) change
- #
--# Event: KEY_RECOVERY_REQUEST
--# - used when key recovery request is made
--# Applicable subsystems: CA, OCSP, TKS, TPS, TPS
--# Enabled by default: No
--# RecoveryID must be the recovery request ID
--# PubKey must be the base-64 encoded public key associated with
--# the private key to be recovered
-+# Event: CONFIG_DRM
-+# Description: This event is used when configuring KRA.
-+# This includes key recovery scheme, change of any secret component.
-+# Applicable subsystems: KRA
-+# Enabled by default: Yes
-+# Fields:
-+# - SubjectID: id of administrator who performed the action
-+# - Outcome:
-+# - ParamNameValPairs A name-value pair
-+# (where name and value are separated by the delimiter ;;)
-+# separated by + (if more than one name-value pair) of config params changed.
-+# --- secret component (password) MUST NOT be logged ---
- #
--LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_4=:[AuditEvent=KEY_RECOVERY_REQUEST][SubjectID={0}][Outcome={1}][RecoveryID={2}][PubKey={3}] key recovery request made
-+LOGGING_SIGNED_AUDIT_CONFIG_DRM_3=:[AuditEvent=CONFIG_DRM][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] DRM configuration parameter(s) change
- #
--# Event: KEY_RECOVERY_AGENT_LOGIN
--# - used when DRM agents login as recovery agents to approve
--# key recovery requests
--# Applicable subsystems: KRA
--# Enabled by default: No
--# RecoveryID must be the recovery request ID
--# RecoveryAgent must be the recovery agent the DRM agent is
--# logging in with
-+# Event: CONFIG_OCSP_PROFILE
-+# Description: This event is used when configuring OCSP profile
-+# (everything under Online Certificate Status Manager).
-+# Applicable subsystems: OCSP
-+# Enabled by default: Yes
-+# Fields:
-+# - SubjectID: id of administrator who performed the action
-+# - Outcome:
-+# - ParamNameValPairs: A name-value pair
-+# (where name and value are separated by the delimiter ;;)
-+# separated by + (if more than one name-value pair) of config params changed.
- #
--LOGGING_SIGNED_AUDIT_KEY_RECOVERY_AGENT_LOGIN_4=:[AuditEvent=KEY_RECOVERY_AGENT_LOGIN][SubjectID={0}][Outcome={1}][RecoveryID={2}][RecoveryAgent={3}] key recovery agent login
-+LOGGING_SIGNED_AUDIT_CONFIG_OCSP_PROFILE_3=:[AuditEvent=CONFIG_OCSP_PROFILE][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] OCSP profile configuration parameter(s) change
- #
--# Event: KEY_GEN_ASYMMETRIC
--# - used when asymmetric keys are generated
--# (like when CA certificate requests are generated -
--# e.g. CA certificate change over, renewal with new key, etc.)
-+# Event: CONFIG_ROLE
-+# Description: This event is used when configuring role information.
-+# This includes anything under users/groups, add/remove/edit a role, etc.
- # Applicable subsystems: CA, KRA, OCSP, TKS, TPS
- # Enabled by default: Yes
--# PubKey must be the base-64 encoded public key material
-+# Fields:
-+# - SubjectID: id of administrator who performed the action
-+# - Outcome:
-+# - ParamNameValPairs: A name-value pair
-+# (where name and value are separated by the delimiter ;;)
-+# separated by + (if more than one name-value pair) of config params changed.
- #
--LOGGING_SIGNED_AUDIT_KEY_GEN_ASYMMETRIC_3=:[AuditEvent=KEY_GEN_ASYMMETRIC][SubjectID={0}][Outcome={1}][PubKey={2}] asymmetric key generation
-+LOGGING_SIGNED_AUDIT_CONFIG_ROLE=:[AuditEvent=CONFIG_ROLE]{0} role configuration parameter(s) change
- #
--# Event: CERT_SIGNING_INFO
--# Applicable subsystems: CA
-+# Event: CONFIG_SERIAL_NUMBER
-+# Description: This event is used when configuring serial number ranges
-+# (when requesting a serial number range when cloning, for example).
-+# Applicable subsystems: CA, KRA
- # Enabled by default: Yes
-+# Fields:
-+# - SubjectID: id of administrator who performed the action
-+# - Outcome:
-+# - ParamNameValPairs: A name-value pair
-+# (where name and value are separated by the delimiter ;;)
-+# separated by + (if more than one name-value pair) of config params changed.
- #
--LOGGING_SIGNED_AUDIT_CERT_SIGNING_INFO=:[AuditEvent=CERT_SIGNING_INFO]{0} certificate signing info
-+LOGGING_SIGNED_AUDIT_CONFIG_SERIAL_NUMBER_1=:[AuditEvent=CONFIG_SERIAL_NUMBER][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] serial number range update
- #
--# Event: OCSP_SIGNING_INFO
--# Applicable subsystems: CA, OCSP
-+# Event: CONFIG_SIGNED_AUDIT
-+# Description: This event is used when configuring signedAudit.
-+# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
- # Enabled by default: Yes
-+# Fields:
-+# - SubjectID: id of administrator who performed the action
-+# - Outcome:
-+# - ParamNameValPairs: A name-value pair
-+# (where name and value are separated by the delimiter ;;)
-+# separated by + (if more than one name-value pair) of config params changed.
- #
--LOGGING_SIGNED_AUDIT_OCSP_SIGNING_INFO=:[AuditEvent=OCSP_SIGNING_INFO]{0} OCSP signing info
-+LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT=:[AuditEvent=CONFIG_SIGNED_AUDIT]{0} signed audit configuration parameter(s) change
-+#
-+# Event: CONFIG_TRUSTED_PUBLIC_KEY
-+# Description: This event is used when:
-+# 1. "Manage Certificate" is used to edit the trustness of certificates
-+# and deletion of certificates
-+# 2.
"Certificate Setup Wizard" is used to import CA certificates into the -+# certificate database (Although CrossCertificatePairs are stored -+# within internaldb, audit them as well) -+# Applicable subsystems: CA, KRA, OCSP, TKS, TPS -+# Enabled by default: Yes -+# Fields: -+# - SubjectID: ID of administrator who performed this configuration -+# - Outcome: -+# - ParamNameValPairs: A name-value pair -+# (where name and value are separated by the delimiter ;;) -+# separated by + (if more than one name-value pair) of config params changed. -+# -+LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY=:[AuditEvent=CONFIG_TRUSTED_PUBLIC_KEY]{0} certificate database configuration - # - # Event: CRL_SIGNING_INFO -+# Description: This event indicates which key is used to sign CRLs. - # Applicable subsystems: CA - # Enabled by default: Yes -+# Fields: -+# - SubjectID: $System$ -+# - Outcome: -+# - SKI: Subject Key Identifier of the CRL signing certificate - # - LOGGING_SIGNED_AUDIT_CRL_SIGNING_INFO=:[AuditEvent=CRL_SIGNING_INFO]{0} CRL signing info - # --# Event: NON_PROFILE_CERT_REQUEST --# - used when a non-profile certificate request is made (before approval process) --# Applicable subsystems: CA, KRA, OCSP, TKS, TPS --# Enabled by default: No --# SubjectID must be the UID of user that triggered this event --# (if CMC enrollment requests signed by an agent, SubjectID should --# be that of the agent), while --# CertSubject must be the certificate subject name of the certificate request --# ReqID must be the certificate request ID --# ServiceID must be the identity of the servlet that submitted the original --# request --# --LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST_5=:[AuditEvent=NON_PROFILE_CERT_REQUEST][SubjectID={0}][Outcome={1}][ReqID={2}][ServiceID={3}][CertSubject={4}] certificate request made without certificate profiles --# --# Event: CMC_REQUEST_RECEIVED --# - used when a CMC request is received. 
-+# Event: DELTA_CRL_GENERATION
-+# Description: This event is used when delta CRL generation is complete.
- # Applicable subsystems: CA
- # Enabled by default: Yes
--# SubjectID must be the UID of user that triggered this event
--# (if CMC requests is signed by an agent, SubjectID should
--# be that of the agent)
--# In case of an unsigned request, it would bear $Unidentified$
-+# Fields:
-+# - SubjectID: $Unidentified$
-+# - Outcome: "Success" when delta CRL is generated successfully, "Failure" otherwise.
-+# - CRLnum: The CRL number that identifies the CRL
-+# - Info:
-+# - FailureReason:
- #
--LOGGING_SIGNED_AUDIT_CMC_REQUEST_RECEIVED_3=:[AuditEvent=CMC_REQUEST_RECEIVED][SubjectID={0}][Outcome={1}][CMCRequest={2}] CMC request received
-+LOGGING_SIGNED_AUDIT_DELTA_CRL_GENERATION=:[AuditEvent=DELTA_CRL_GENERATION]{0} Delta CRL generation
- #
--# Event: CMC_RESPONSE_SENT
--# - used when a CMC response is sent
-+# Event: FULL_CRL_GENERATION
-+# Description: This event is used when full CRL generation is complete.
- # Applicable subsystems: CA
- # Enabled by default: Yes
--# SubjectID must be the UID of user that triggered this event
-+# Fields:
-+# - SubjectID: $System$
-+# - Outcome: "Success" when full CRL is generated successfully, "Failure" otherwise.
-+# - CRLnum: The CRL number that identifies the CRL
-+# - Info:
-+# - FailureReason:
- #
--LOGGING_SIGNED_AUDIT_CMC_RESPONSE_SENT_3=:[AuditEvent=CMC_RESPONSE_SENT][SubjectID={0}][Outcome={1}][CMCResponse={2}] CMC response sent
-+LOGGING_SIGNED_AUDIT_FULL_CRL_GENERATION=:[AuditEvent=FULL_CRL_GENERATION]{0} Full CRL generation
- #
- # Event: PROFILE_CERT_REQUEST
--# - used when a profile certificate request is made (before approval process)
-+# Description: This event is used when a profile certificate request is made (before approval process).
- # Applicable subsystems: CA
- # Enabled by default: Yes
--# SubjectID must be the UID of user that triggered this event
--# (if CMC enrollment requests signed by an agent, SubjectID should
--# be that of the agent), while
--# CertSubject must be the certificate subject name of the certificate request
--# ReqID must be the certificate request ID
--# ProfileID must be one of the certificate profiles defined by the
--# administrator
-+# Fields:
-+# - SubjectID: The UID of user that triggered this event.
-+# If CMC enrollment requests signed by an agent, SubjectID should
-+# be that of the agent.
-+# - Outcome:
-+# - CertSubject: The certificate subject name of the certificate request.
-+# - ReqID: The certificate request ID.
-+# - ProfileID: One of the certificate profiles defined by the
-+# administrator.
- #
- LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST_5=:[AuditEvent=PROFILE_CERT_REQUEST][SubjectID={0}][Outcome={1}][ReqID={2}][ProfileID={3}][CertSubject={4}] certificate request made with certificate profiles
- #
--# Event: CERT_REQUEST_PROCESSED
--# - used when certificate request has just been through the approval process
-+# Event: PROOF_OF_POSSESSION
-+# Description: This event is used for proof of possession during certificate enrollment processing.
- # Applicable subsystems: CA
- # Enabled by default: Yes
--# SubjectID must be the UID of the agent who approves, rejects, or cancels
--# the certificate request
--# ReqID must be the request ID
--# InfoName must be value "certificate" (in case of approval), "rejectReason"
--# (in case of reject), or "cancelReason" (in case of cancel)
--# InfoValue must contain the certificate (in case of success), a reject reason in
--# text, or a cancel reason in text
-+# Fields:
-+# - SubjectID: id that represents the authenticated user
-+# - Outcome:
-+# - Info: some information on when/how it occurred
- #
--LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED=:[AuditEvent=CERT_REQUEST_PROCESSED]{0} certificate request processed
-+LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION_3=:[AuditEvent=PROOF_OF_POSSESSION][SubjectID={0}][Outcome={1}][Info={2}] proof of possession
- #
--# Event: CERT_STATUS_CHANGE_REQUEST
--# - used when a certificate status change request (e.g. revocation)
--# is made (before approval process)
--# Applicable subsystems: CA
-+# Event: OCSP_ADD_CA_REQUEST_PROCESSED
-+# Description: This event is used when an add CA request to the OCSP Responder is processed.
-+# Applicable subsystems: OCSP
- # Enabled by default: Yes
--# ReqID must be the request ID
--# CertSerialNum must be the serial number (in hex) of the certificate to be revoked
--# RequestType must be "revoke", "on-hold", "off-hold"
-+# Fields:
-+# - SubjectID: OCSP administrator user id
-+# - Outcome: "Success" when CA is added successfully, "Failure" otherwise.
-+# - CASubjectDN: The subject DN of the leaf CA cert in the chain.
- #
--LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST=:[AuditEvent=CERT_STATUS_CHANGE_REQUEST]{0} certificate revocation/unrevocation request made
-+LOGGING_SIGNED_AUDIT_OCSP_ADD_CA_REQUEST_PROCESSED=:[AuditEvent=OCSP_ADD_CA_REQUEST_PROCESSED]{0} Add CA for OCSP Responder
- #
--# Event: CERT_STATUS_CHANGE_REQUEST_PROCESSED
--# - used when certificate status is changed (revoked, expired, on-hold,
--# off-hold)
--# Applicable subsystems: CA
-+# Event: OCSP_GENERATION
-+# Description: This event is used when an OCSP response generated is complete.
-+# Applicable subsystems: CA, OCSP
- # Enabled by default: Yes
--# SubjectID must be the UID of the agent that processed the request
--# ReqID must be the request ID
--# RequestType must be "revoke", "on-hold", "off-hold"
--# Approval must be "complete", "rejected", or "canceled"
--# (note that "complete" means "approved")
--# CertSerialNum must be the serial number (in hex)
--# RevokeReasonNum must contain one of the following number:
--# reason number reason
--# --------------------------------------
--# 0 Unspecified
--# 1 Key compromised
--# 2 CA key compromised (should not be used)
--# 3 Affiliation changed
--# 4 Certificate superceded
--# 5 Cessation of operation
--# 6 Certificate is on-hold
-+# Fields:
-+# - SubjectID: $NonRoleUser$
-+# - Outcome: "Success" when OCSP response is generated successfully, "Failure" otherwise.
-+# - FailureReason:
- #
--LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED=:[AuditEvent=CERT_STATUS_CHANGE_REQUEST_PROCESSED]{0} certificate status change request processed
-+LOGGING_SIGNED_AUDIT_OCSP_GENERATION=:[AuditEvent=OCSP_GENERATION]{0} OCSP response generation
- #
--# Event: AUTHZ with [Outcome=Success]
--# - used when authorization is successful
--# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
-+# Event: OCSP_REMOVE_CA_REQUEST_PROCESSED with [Outcome=Failure]
-+# Description: This event is used when a remove CA request to the OCSP Responder is processed and failed.
-+# Applicable subsystems: OCSP
- # Enabled by default: Yes
--# Outcome must be success for this event
--# aclResource must be the ACL resource ID as defined in ACL resource list
--# Op must be one of the operations as defined with the ACL statement
--# e.g. "read" for an ACL statement containing "(read,write)"
-+# Fields:
-+# - SubjectID: OCSP administrator user id
-+# - Outcome: Failure
-+# - CASubjectDN: The subject DN of the leaf CA certificate in the chain.
- #
--LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS=:[AuditEvent=AUTHZ]{0} authorization success
-+LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE=:[AuditEvent=OCSP_REMOVE_CA_REQUEST_PROCESSED]{0} Remove CA for OCSP Responder has failed
- #
--# Event: AUTHZ with [Outcome=Failure]
--# - used when authorization has failed
--# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
-+# Event: OCSP_REMOVE_CA_REQUEST_PROCESSED with [Outcome=Success]
-+# Description: This event is used when a remove CA request to the OCSP Responder is processed successfully.
-+# Applicable subsystems: OCSP
- # Enabled by default: Yes
--# Outcome must be failure for this event
--# aclResource must be the ACL resource ID as defined in ACL resource list
--# Op must be one of the operations as defined with the ACL statement
--# e.g. "read" for an ACL statement containing "(read,write)"
-+# Fields:
-+# - SubjectID: OCSP administrator user id
-+# - Outcome: "Success" when CA is removed successfully, "Failure" otherwise.
-+# - CASubjectDN: The subject DN of the leaf CA certificate in the chain.
- #
--LOGGING_SIGNED_AUDIT_AUTHZ_FAIL=:[AuditEvent=AUTHZ]{0} authorization failure
-+LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS=:[AuditEvent=OCSP_REMOVE_CA_REQUEST_PROCESSED]{0} Remove CA for OCSP Responder is successful
- #
--# Event: INTER_BOUNDARY
--# - used when inter-CIMC_Boundary data transfer is successful
--# (this is used when data does not need to be captured)
--# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
--# Enabled by default: No
--# ProtectionMethod must be one of the following: "SSL", or "unknown"
--# ReqType must be the request type
--# ReqID must be the request ID
-+# Event: OCSP_SIGNING_INFO
-+# Description: This event indicates which key is used to sign OCSP responses.
-+# Applicable subsystems: CA, OCSP
-+# Enabled by default: Yes
-+# Fields:
-+# - SubjectID: $System$
-+# - Outcome:
-+# - SKI: Subject Key Identifier of the OCSP signing certificate
-+# - AuthorityID: (applicable only to lightweight CA)
- #
--LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS_5=:[AuditEvent=INTER_BOUNDARY][SubjectID={0}][Outcome={1}][ProtectionMethod={2}][ReqType={3}][ReqID={4}] inter-CIMC_Boundary communication (data exchange) success
-+LOGGING_SIGNED_AUDIT_OCSP_SIGNING_INFO=:[AuditEvent=OCSP_SIGNING_INFO]{0} OCSP signing info
- #
--# Event: AUTH with [Outcome=Failure]
--# - used when authentication fails (in case of SSL-client auth,
--# only webserver env can pick up the SSL violation;
--# CS authMgr can pick up certificate mis-match, so this event is used)
-+# Event: ROLE_ASSUME
-+# Description: This event is used when a user assumes a role.
- # Applicable subsystems: CA, KRA, OCSP, TKS, TPS
- # Enabled by default: Yes
--# Outcome should always be "failure" in this event
--# (obviously, if authentication failed, you won't have a valid SubjectID, so
--# in this case, SubjectID should be $Unidentified$)
--# AuthMgr must be the authentication manager instance name that did
--# this authentication
--# AttemptedCred must be the credential attempted and failed
-+# Fields:
-+# - SubjectID:
-+# - Outcome:
-+# - Role: One of the valid roles:
-+# "Administrators", "Certificate Manager Agents", or "Auditors".
-+# Note that customized role names can be used once configured.
- #
--LOGGING_SIGNED_AUDIT_AUTH_FAIL=:[AuditEvent=AUTH]{0} authentication failure
-+LOGGING_SIGNED_AUDIT_ROLE_ASSUME=:[AuditEvent=ROLE_ASSUME]{0} assume privileged role
- #
--# Event: AUTH with [Outcome=Success]
--# - used when authentication succeeded
-+# Event: SECURITY_DOMAIN_UPDATE
-+# Description: This event is used when updating contents of security domain
-+# (add/remove a subsystem).
-+# Applicable subsystems: CA
-+# Enabled by default: Yes
-+# Fields:
-+# - SubjectID: CA administrator user ID
-+# - Outcome:
-+# - ParamNameValPairs: A name-value pair
-+# (where name and value are separated by the delimiter ;;)
-+# separated by + (if more than one name-value pair) of config params changed.
-+#
-+LOGGING_SIGNED_AUDIT_SECURITY_DOMAIN_UPDATE_1=:[AuditEvent=SECURITY_DOMAIN_UPDATE][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] security domain update
-+#
-+# Event: SELFTESTS_EXECUTION
-+# Description: This event is used when self tests are run.
- # Applicable subsystems: CA, KRA, OCSP, TKS, TPS
- # Enabled by default: Yes
--# Outcome should always be "success" in this event
--# AuthMgr must be the authentication manager instance name that did
--# this authentication
-+# Fields:
-+# - SubjectID: $System$
-+# - Outcome:
- #
--LOGGING_SIGNED_AUDIT_AUTH_SUCCESS=:[AuditEvent=AUTH]{0} authentication success
-+LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION_2=:[AuditEvent=SELFTESTS_EXECUTION][SubjectID={0}][Outcome={1}] self tests execution (see selftests.log for details)
-+#########################################################################
-+# Available Audit Events - Enabled by default: Yes
-+#########################################################################
- #
--# Event: CERT_PROFILE_APPROVAL
--# - used when an agent approves/disapproves a certificate profile set by the
--# administrator for automatic approval
--# Applicable subsystems: CA
-+# Event: ASYMKEY_GENERATION_REQUEST
-+# Description: This event is used when asymmetric key generation request is made.
-+# Applicable subsystems: KRA
- # Enabled by default: Yes
--# ProfileID must be one of the profiles defined by the administrator
--# and to be approved by an agent
--# Op must be "approve" or "disapprove"
-+# Fields:
-+# - SubjectID:
-+# - Outcome:
-+# - GenerationRequestID:
-+# - ClientKeyID:
- #
--LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL_4=:[AuditEvent=CERT_PROFILE_APPROVAL][SubjectID={0}][Outcome={1}][ProfileID={2}][Op={3}] certificate profile approval
-+LOGGING_SIGNED_AUDIT_ASYMKEY_GENERATION_REQUEST=:[AuditEvent=ASYMKEY_GENERATION_REQUEST]{0} Asymkey generation request made
- #
--# Event: PROOF_OF_POSSESSION
--# - used for proof of possession during certificate enrollment processing
--# Applicable subsystems: CA
-+# Event: ASYMKEY_GENERATION_REQUEST_PROCESSED
-+# Description: This event is used when a request to generate asymmetric keys received by the KRA
-+# is processed.
-+# Applicable subsystems: KRA
- # Enabled by default: Yes
-+# Fields:
-+# - SubjectID:
-+# - Outcome:
-+# - GenerationRequestID:
-+# - ClientKeyID:
-+# - KeyID:
-+# - FailureReason:
- #
--LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION_3=:[AuditEvent=PROOF_OF_POSSESSION][SubjectID={0}][Outcome={1}][Info={2}] proof of possession
-+LOGGING_SIGNED_AUDIT_ASYMKEY_GEN_REQUEST_PROCESSED=:[AuditEvent=ASYMKEY_GENERATION_REQUEST_PROCESSED]{0} Asymkey generation request processed
- #
--# Event: CMC_PROOF_OF_IDENTIFICATION
--# - used for proof of identification during CMC request processing
-+# Event: AUTHORITY_CONFIG
-+# Description: This event is used when configuring lightweight authorities.
- # Applicable subsystems: CA
--# Enabled by default: No
--# - In case of success, "SubjectID" is the actual identified identification;
--# - In case of failure, "SubjectID" is the attempted identification
-+# Enabled by default: Yes
-+# Fields:
-+# - SubjectID:
-+# - Outcome:
-+# - ParamNameValPairs: A name-value pair
-+# (where name and value are separated by the delimiter ;;)
-+# separated by + (if more than one name-value pair) of config params changed.
- #
--LOGGING_SIGNED_AUDIT_CMC_PROOF_OF_IDENTIFICATION_3=:[AuditEvent=CMC_PROOF_OF_IDENTIFICATION][SubjectID={0}][Outcome={1}][Info={2}] proof of identification in CMC request
-+LOGGING_SIGNED_AUDIT_AUTHORITY_CONFIG_3=:[AuditEvent=AUTHORITY_CONFIG][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] lightweight authority configuration change
- #
--# Event: CMC_ID_POP_LINK_WITNESS
--# - used for identification and POP linking verification during CMC request processing
--# Applicable subsystems: CA
--# Enabled by default: No
-+# Event: CONFIG_ENCRYPTION
-+# Description: This event is used when configuring encryption (cert settings and SSL cipher preferences).
-+# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
-+# Enabled by default: Yes
-+# Fields:
-+# - SubjectID:
-+# - Outcome:
-+# - ParamNameValPairs: A name-value pair
-+# (where name and value are separated by the delimiter ;;)
-+# separated by + (if more than one name-value pair) of config params changed.
- #
--LOGGING_SIGNED_AUDIT_CMC_ID_POP_LINK_WITNESS_3=:[AuditEvent=CMC_ID_POP_LINK_WITNESS][SubjectID={0}][Outcome={1}][Info={2}] Identification Proof of Possession linking witness verification
-+LOGGING_SIGNED_AUDIT_CONFIG_ENCRYPTION_3=:[AuditEvent=CONFIG_ENCRYPTION][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] encryption configuration parameter(s) change
-+#
-+# Event: CONFIG_TOKEN_AUTHENTICATOR
-+# Description: This event is used when configuring token authenticators.
-+# Applicable subsystems: TPS
-+# Enabled by default: Yes
-+# Fields:
-+# - SubjectID:
-+# - Outcome:
-+# - OP:
-+# - Authenticator:
-+# - ParamNameValPairs: A name-value pair
-+# (where name and value are separated by the delimiter ;;)
-+# separated by + (if more than one name-value pair) of config params changed.
-+# --- secret component (password) MUST NOT be logged ---
-+# - Info: Error info for failed cases.
-+#
-+LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_AUTHENTICATOR_6=:[AuditEvent=CONFIG_TOKEN_AUTHENTICATOR][SubjectID={0}][Outcome={1}][OP={2}][Authenticator={3}][ParamNameValPairs={4}][Info={5}] token authenticator configuration parameter(s) change
-+#
-+# Event: CONFIG_TOKEN_CONNECTOR
-+# Description: This event is used when configuring token connectors.
-+# Applicable subsystems: TPS
-+# Enabled by default: Yes
-+# Fields:
-+# - SubjectID:
-+# - Outcome:
-+# - Service: can be any of the methods offered
-+# - Connector:
-+# - ParamNameValPairs: A name-value pair
-+# (where name and value are separated by the delimiter ;;)
-+# separated by + (if more than one name-value pair) of config params changed.
-+# --- secret component (password) MUST NOT be logged ---
-+# - Info: Error info for failed cases.
-+#
-+LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_CONNECTOR_6=:[AuditEvent=CONFIG_TOKEN_CONNECTOR][SubjectID={0}][Outcome={1}][Service={2}][Connector={3}][ParamNameValPairs={4}][Info={5}] token connector configuration parameter(s) change
-+#
-+# Event: CONFIG_TOKEN_MAPPING_RESOLVER
-+# Description: This event is used when configuring token mapping resolver.
-+# Applicable subsystems: TPS
-+# Enabled by default: Yes
-+# Fields:
-+# - SubjectID: TPS administrator id
-+# - Outcome:
-+# - Service:
-+# - MappingResolverID:
-+# - ParamNameValPairs: A name-value pair
-+# (where name and value are separated by the delimiter ;;)
-+# separated by + (if more than one name-value pair) of config params changed.
-+# --- secret component (password) MUST NOT be logged ---
-+# - Info: Error info for failed cases.
-+#
-+LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_MAPPING_RESOLVER_6=:[AuditEvent=CONFIG_TOKEN_MAPPING_RESOLVER][SubjectID={0}][Outcome={1}][Service={2}][MappingResolverID={3}][ParamNameValPairs={4}][Info={5}] token mapping resolver configuration parameter(s) change
-+#
-+# Event: CONFIG_TOKEN_RECORD
-+# Description: This event is used when information in token record changed.
-+# Applicable subsystems: TPS
-+# Enabled by default: Yes
-+# Fields:
-+# - SubjectID: TPS administrator id
-+# - Outcome:
-+# - OP: operation to add or delete token
-+# - TokenID: smart card unique id
-+# - ParamNameValPairs: A name-value pair
-+# (where name and value are separated by the delimiter ;;)
-+# separated by + (if more than one name-value pair) of config params changed.
-+# --- secret component (password) MUST NOT be logged ---
-+# - Info: in general is used for capturing error info for failed cases
-+#
-+LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_RECORD_6=:[AuditEvent=CONFIG_TOKEN_RECORD][SubjectID={0}][Outcome={1}][OP={2}][TokenID={3}][ParamNameValPairs={4}][Info={5}] token record configuration parameter(s) change
-+#
-+# Event: KEY_GEN_ASYMMETRIC
-+# Description: This event is used when asymmetric keys are generated
-+# such as when CA certificate requests are generated,
-+# e.g. CA certificate change over, renewal with new key.
-+# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
-+# Enabled by default: Yes
-+# Fields:
-+# - SubjectID:
-+# - Outcome:
-+# - PubKey: The base-64 encoded public key material.
-+#
-+LOGGING_SIGNED_AUDIT_KEY_GEN_ASYMMETRIC_3=:[AuditEvent=KEY_GEN_ASYMMETRIC][SubjectID={0}][Outcome={1}][PubKey={2}] asymmetric key generation
-+#
-+# Event: LOG_PATH_CHANGE
-+# Description: This event is used when log file name (including any path changes) for any of
-+# audit, system, transaction, or other customized log file change is attempted.
-+# The ACL should not allow this operation, but make sure it's written after the attempt.
-+# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
-+# Enabled by default: Yes
-+# Fields:
-+# - SubjectID: administrator user id
-+# - Outcome:
-+# - LogType: "System", "Transaction", or "SignedAudit"
-+# - toLogFile: The name (including any path changes) that the user is
-+# attempting to change to.
-+#
-+LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE_4=:[AuditEvent=LOG_PATH_CHANGE][SubjectID={0}][Outcome={1}][LogType={2}][toLogFile={3}] log path change attempt
-+#
-+# Event: RANDOM_GENERATION
-+# Description: This event is used when a random number generation is complete.
-+# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
-+# Enabled by default: Yes
-+# Fields:
-+# - SubjectID:
-+# - Outcome: "Success" when a random number is generated successfully, "Failure" otherwise.
-+# - Info: -+# - Caller: PKI code that calls the random number generator. -+# - Size: Size of random number in bytes. -+# - FailureReason: -+# -+LOGGING_SIGNED_AUDIT_RANDOM_GENERATION=:[AuditEvent=RANDOM_GENERATION]{0} Random number generation - # - # Event: SCHEDULE_CRL_GENERATION --# - used when CRL generation is scheduled -+# Description: This event is used when CRL generation is scheduled. - # Applicable subsystems: CA --# Enabled by default: No --# Outcome is "success" when CRL generation is scheduled successfully, "failure" otherwise -+# Enabled by default: Yes -+# Fields: -+# - SubjectID: -+# - Outcome: "Success" when CRL generation is scheduled successfully, "Failure" otherwise. -+# - FailureReason: - # - LOGGING_SIGNED_AUDIT_SCHEDULE_CRL_GENERATION=:[AuditEvent=SCHEDULE_CRL_GENERATION]{0} schedule for CRL generation - # --# Event: DELTA_CRL_GENERATION --# - used when delta CRL generation is complete --# Applicable subsystems: CA -+# Event: SECURITY_DATA_ARCHIVAL_REQUEST -+# Description: This event is used when security data recovery request is made. -+# Applicable subsystems: KRA - # Enabled by default: Yes --# Outcome is "success" when delta CRL is generated successfully, "failure" otherwise -+# Fields: -+# - SubjectID: -+# - Outcome: -+# - ArchivalRequestID: The requestID provided by the CA through the connector. -+# It is used to track the request through from CA to KRA. -+# - RequestId: The KRA archival request ID. -+# - ClientKeyID: The user supplied client ID associated with -+# the security data to be archived. 
-+# - FailureReason: - # --LOGGING_SIGNED_AUDIT_DELTA_CRL_GENERATION=:[AuditEvent=DELTA_CRL_GENERATION]{0} Delta CRL generation -+LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST=:[AuditEvent=SECURITY_DATA_ARCHIVAL_REQUEST]{0} security data archival request made - # --# Event: DELTA_CRL_PUBLISHING --# - used when delta CRL publishing is complete --# Applicable subsystems: CA --# Enabled by default: No --# Outcome is "success" when delta CRL is publishing successfully, "failure" otherwise -+# Event: SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED -+# Description: This event is used when user security data archive request is processed. -+# This is when KRA receives and processed the request. -+# Applicable subsystems: KRA -+# Enabled by default: Yes -+# Fields: -+# - SubjectID: -+# - Outcome: -+# - ArchivalRequestID: The requestID provided by the CA through the connector. -+# It is used to track the request through from CA to KRA. -+# - RequestId: The KRA archival request ID. -+# - ClientKeyID: The user supplied client ID associated with -+# the security data to be archived. -+# - KeyID: -+# - PubKey: -+# - FailureReason: - # --LOGGING_SIGNED_AUDIT_DELTA_CRL_PUBLISHING=:[AuditEvent=DELTA_CRL_PUBLISHING]{0} Delta CRL publishing -+LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED=:[AuditEvent=SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED]{0} security data archival request processed - # --# Event: FULL_CRL_GENERATION --# - used when full CRL generation is complete --# Applicable subsystems: CA -+# Event: SECURITY_DATA_RECOVERY_REQUEST -+# Description: This event is used when security data recovery request is made. -+# Applicable subsystems: KRA - # Enabled by default: Yes --# Outcome is "success" when full CRL is generated successfully, "failure" otherwise -+# Fields: -+# - SubjectID: -+# - Outcome: -+# - RecoveryID: The recovery request ID. -+# - DataID: The ID of the security data being requested to be recovered. 
-+# - PubKey: - # --LOGGING_SIGNED_AUDIT_FULL_CRL_GENERATION=:[AuditEvent=FULL_CRL_GENERATION]{0} Full CRL generation -+LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST=:[AuditEvent=SECURITY_DATA_RECOVERY_REQUEST]{0} security data recovery request made - # --# Event: FULL_CRL_PUBLISHING --# - used when full CRL publishing is complete --# Applicable subsystems: CA --# Enabled by default: No --# Outcome is "success" when full CRL is publishing successfully, "failure" otherwise -+# Event: SECURITY_DATA_RECOVERY_REQUEST_PROCESSED -+# Description: This event is used when security data recovery request is processed. -+# Applicable subsystems: KRA -+# Enabled by default: Yes -+# Fields: -+# - SubjectID: -+# - Outcome: -+# - RecoveryID: The recovery request ID. -+# - KeyID: The ID of the security data being requested to be recovered. -+# - RecoveryAgents: The UIDs of the recovery agents approving this request. -+# - FailureReason: - # --LOGGING_SIGNED_AUDIT_FULL_CRL_PUBLISHING=:[AuditEvent=FULL_CRL_PUBLISHING]{0} Full CRL publishing -+LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_PROCESSED=:[AuditEvent=SECURITY_DATA_RECOVERY_REQUEST_PROCESSED]{0} security data recovery request processed - # --# Event: CRL_RETRIEVAL --# - used when CRLs are retrieved by the OCSP Responder --# Applicable subsystems: OCSP --# Enabled by default: No --# Outcome is "success" when CRL is retrieved successfully, "failure" otherwise --# CRLnum is the CRL number that identifies the CRL -+# Event: SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE -+# Description: This event is used when KRA agents login as recovery agents to change -+# the state of key recovery requests. -+# Applicable subsystems: KRA -+# Enabled by default: Yes -+# Fields: -+# - SubjectID: -+# - Outcome: -+# - RecoveryID: The recovery request ID. -+# - Operation: The operation performed (approve, reject, cancel etc.). 
- # --LOGGING_SIGNED_AUDIT_CRL_RETRIEVAL_3=:[AuditEvent=CRL_RETRIEVAL][SubjectID={0}][Outcome={1}][CRLnum={2}] CRL retrieval -+LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE=:[AuditEvent=SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE]{0} security data recovery request state change - # --# Event: CRL_VALIDATION --# - used when CRL is retrieved and validation process occurs --# Applicable subsystems: OCSP --# Enabled by default: No -+# Event: SERVER_SIDE_KEYGEN_REQUEST -+# Description: This event is used when server-side key generation request is made. -+# This is for token keys. -+# Applicable subsystems: CA, KRA, OCSP, TKS, TPS -+# Enabled by default: Yes -+# Fields: -+# - SubjectID: -+# - Outcome: -+# - EntityID: The representation of the subject that will be on the certificate when issued. -+# - RequestID: - # --LOGGING_SIGNED_AUDIT_CRL_VALIDATION_2=:[AuditEvent=CRL_VALIDATION][SubjectID={0}][Outcome={1}] CRL validation -+LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST=:[AuditEvent=SERVER_SIDE_KEYGEN_REQUEST]{0} server-side key generation request - # --# Event: OCSP_ADD_CA_REQUEST --# - used when a CA is attempted to be added to the OCSP Responder --# Applicable subsystems: OCSP --# Enabled by default: No --# Outcome is "success" as the request is made --# CA must be the base-64 encoded PKCS7 certificate (or chain) -+# Event: SERVER_SIDE_KEYGEN_REQUEST_PROCESSED -+# Description: This event is used when server-side key generation request has been processed. -+# This is for token keys. -+# Applicable subsystems: CA, KRA, OCSP, TKS, TPS -+# Enabled by default: Yes -+# Fields: -+# - SubjectID: -+# - Outcome: -+# - EntityID: The representation of the subject that will be on the certificate when issued. -+# - RequestID: -+# - PubKey: The base-64 encoded public key associated with -+# the private key to be archived. 
- # --LOGGING_SIGNED_AUDIT_OCSP_ADD_CA_REQUEST=:[AuditEvent=OCSP_ADD_CA_REQUEST]{0} request to add a CA for OCSP Responder -+LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED=:[AuditEvent=SERVER_SIDE_KEYGEN_REQUEST_PROCESSED]{0} server-side key generation request processed - # --# Event: OCSP_ADD_CA_REQUEST_PROCESSED --# - used when an add CA request to the OCSP Responder is processed --# Applicable subsystems: OCSP -+# Event: SYMKEY_GENERATION_REQUEST -+# Description: This event is used when symmetric key generation request is made. -+# Applicable subsystems: KRA - # Enabled by default: Yes --# Outcome is "success" when CA is added successfully, "failure" otherwise --# CASubjectDN is the subject DN of the leaf CA cert in the chain -+# Fields: -+# - SubjectID: -+# - Outcome: -+# - GenerationRequestID: -+# - ClientKeyID: The ID of the symmetric key to be generated and archived. - # --LOGGING_SIGNED_AUDIT_OCSP_ADD_CA_REQUEST_PROCESSED=:[AuditEvent=OCSP_ADD_CA_REQUEST_PROCESSED]{0} Add CA for OCSP Responder -+LOGGING_SIGNED_AUDIT_SYMKEY_GENERATION_REQUEST=:[AuditEvent=SYMKEY_GENERATION_REQUEST]{0} symkey generation request made - # --# Event: OCSP_REMOVE_CA_REQUEST --# - used when a CA is attempted to be removed from the OCSP Responder --# Applicable subsystems: OCSP --# Enabled by default: No --# Outcome is "success" as the request is made --# CA must be the DN id of the CA --LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST=:[AuditEvent=OCSP_REMOVE_CA_REQUEST]{0} request to remove a CA from OCSP Responder -+# Event: SYMKEY_GENERATION_REQUEST_PROCESSED -+# Description: This event is used when symmetric key generation request is processed. -+# This is when KRA receives and processes the request. -+# Applicable subsystems: KRA -+# Enabled by default: Yes -+# Fields: -+# - SubjectID: -+# - Outcome: -+# - GenerationRequestID: -+# - ClientKeyID: The user supplied client ID associated with -+# the symmetric key to be generated and archived. 
-+# - KeyID: -+# - FailureReason: - # --# Event: OCSP_REMOVE_CA_REQUEST_PROCESSED with [Outcome=Success] --# - used when a remove CA request to the OCSP Responder is processed successfully --# Applicable subsystems: OCSP -+LOGGING_SIGNED_AUDIT_SYMKEY_GEN_REQUEST_PROCESSED=:[AuditEvent=SYMKEY_GENERATION_REQUEST_PROCESSED]{0} symkey generation request processed -+# -+# Event: TOKEN_APPLET_UPGRADE with [Outcome=Failure] -+# Description: This event is used when token apple upgrade failed. -+# Applicable subsystems: TPS - # Enabled by default: Yes --# Outcome is "success" when CA is removed successfully, "failure" otherwise --# CASubjectDN is the subject DN of the leaf CA cert in the chain -+# Fields: -+# - SubjectID: -+# - Outcome: -+# - IP: -+# - CUID: -+# - MSN: -+# - KeyVersion: -+# - oldAppletVersion: -+# - newAppletVersion: -+# - Info: - # --LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS=:[AuditEvent=OCSP_REMOVE_CA_REQUEST_PROCESSED]{0} Remove CA for OCSP Responder is successful -+LOGGING_SIGNED_AUDIT_TOKEN_APPLET_UPGRADE_FAILURE=:[AuditEvent=TOKEN_APPLET_UPGRADE]{0} token applet upgrade failure - # --# Event: OCSP_REMOVE_CA_REQUEST_PROCESSED with [Outcome=Failure] --# - used when a remove CA request to the OCSP Responder is processed and failed --# Applicable subsystems: OCSP -+# Event: TOKEN_APPLET_UPGRADE with [Outcome=Success] -+# Description: This event is used when token apple upgrade succeeded. 
-+# Applicable subsystems: TPS - # Enabled by default: Yes --# Outcome is "failure" --# CASubjectDN is DN ID of the CA -+# Fields: -+# - SubjectID: -+# - Outcome: -+# - IP: -+# - CUID: -+# - MSN: -+# - KeyVersion: -+# - oldAppletVersion: -+# - newAppletVersion: -+# - Info: - # --LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE=:[AuditEvent=OCSP_REMOVE_CA_REQUEST_PROCESSED]{0} Remove CA for OCSP Responder has failed -+LOGGING_SIGNED_AUDIT_TOKEN_APPLET_UPGRADE_SUCCESS=:[AuditEvent=TOKEN_APPLET_UPGRADE]{0} token applet upgrade success - # --# Event: OCSP_GENERATION --# - used when an OCSP response generated is complete --# Applicable subsystems: CA, OCSP -+# Event: TOKEN_KEY_CHANGEOVER with [Outcome=Failure] -+# Description: This event is used when token key changeover failed. -+# Applicable subsystems: TPS - # Enabled by default: Yes --# Outcome is "success" when OCSP response is generated successfully, "failure" otherwise -+# Fields: -+# - SubjectID: -+# - Outcome: -+# - IP: -+# - CUID: -+# - MSN: -+# - tokenType: -+# - AppletVersion: -+# - oldKeyVersion: -+# - newKeyVersion: -+# - Info: Info in case of failure. - # --LOGGING_SIGNED_AUDIT_OCSP_GENERATION=:[AuditEvent=OCSP_GENERATION]{0} OCSP response generation -+LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_FAILURE=:[AuditEvent=TOKEN_KEY_CHANGEOVER]{0} token key changeover failure - # --# Event: RANDOM_GENERATION --# - used when a random number generation is complete --# Applicable subsystems: CA, KRA, OCSP, TKS, TPS -+# Event: TOKEN_KEY_CHANGEOVER with [Outcome=Success] -+# Description: This event is used when token key changeover succeeded. 
-+# Applicable subsystems: TPS - # Enabled by default: Yes --# Info: --# - Caller is PKI code that calls the random number generator --# - Size is size of random number in bytes --# Outcome is "success" when a random number is generated successfully, "failure" otherwise --LOGGING_SIGNED_AUDIT_RANDOM_GENERATION=:[AuditEvent=RANDOM_GENERATION]{0} Random number generation -+# Fields: -+# - SubjectID: -+# - Outcome: -+# - IP: -+# - CUID: -+# - MSN: -+# - tokenType: -+# - AppletVersion: -+# - oldKeyVersion: -+# - newKeyVersion: -+# - Info: Usually is unused for success. - # --# Event: CMC_SIGNED_REQUEST_SIG_VERIFY --# - used when agent signed CMC certificate requests or revocation requests --# are submitted and signature is verified --# Applicable subsystems: CA -+LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_SUCCESS=:[AuditEvent=TOKEN_KEY_CHANGEOVER]{0} token key changeover success -+# -+# Event: TOKEN_KEY_CHANGEOVER_REQUIRED -+# Description: This event is used when token key changeover is required. 
-+# Applicable subsystems: TPS - # Enabled by default: Yes --# ReqType must be the request type (enrollment, or revocation) --# CertSubject must be the certificate subject name of the certificate request --# SignerInfo must be a unique String representation for the signer -+# Fields: -+# - SubjectID: -+# - Outcome: -+# - IP: -+# - CUID: -+# - MSN: -+# - tokenType: -+# - AppletVersion: -+# - oldKeyVersion: -+# - newKeyVersion: -+# - Info: - # --LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY=:[AuditEvent=CMC_SIGNED_REQUEST_SIG_VERIFY]{0} agent signed CMC request signature verification -+LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_REQUIRED_10=:[AuditEvent=TOKEN_KEY_CHANGEOVER_REQUIRED][IP={0}][SubjectID={1}][CUID={2}][MSN={3}][Outcome={4}][tokenType={5}][AppletVersion={6}][oldKeyVersion={7}][newKeyVersion={8}][Info={9}] token key changeover required -+######################################################################### -+# Available Audit Events - Enabled by default: No -+######################################################################### - # --# Event: CMC_USER_SIGNED_REQUEST_SIG_VERIFY --# - used when CMC (user-signed or self-signed) certificate requests or revocation requests --# are submitted and signature is verified -+# Event: AUDIT_LOG_DELETE -+# Description: This event is used AFTER audit log gets expired. -+# The ACL should not allow this operation, but it is provided in case ACL gets compromised. -+# Make sure it is written AFTER the log expiration happens. -+# Applicable subsystems: CA, KRA, OCSP, TKS, TPS -+# Enabled by default: No -+# Fields: -+# - SubjectID: -+# - Outcome: -+# - LogFile: The complete name (including the path) of the -+# signedAudit log that is attempted to be deleted. -+# -+LOGGING_SIGNED_AUDIT_LOG_DELETE_3=:[AuditEvent=AUDIT_LOG_DELETE][SubjectID={0}][Outcome={1}][LogFile={2}] signedAudit log deletion -+# -+# Event: AUDIT_LOG_SHUTDOWN -+# Description: This event is used at audit function shutdown. 
-+# Applicable subsystems: CA, KRA, OCSP, TKS, TPS -+# Enabled by default: No -+# Fields: -+# - SubjectID: -+# - Outcome: -+# -+LOGGING_SIGNED_AUDIT_AUDIT_LOG_SHUTDOWN_2=:[AuditEvent=AUDIT_LOG_SHUTDOWN][SubjectID={0}][Outcome={1}] audit function shutdown -+# -+# Event: CIMC_CERT_VERIFICATION -+# Description: This event is used for verifying CS system certificates. -+# Applicable subsystems: CA, KRA, OCSP, TKS, TPS -+# Enabled by default: No -+# Fields: -+# - SubjectID: -+# - Outcome: -+# - CertNickName: The certificate nickname. -+# -+LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION_3=:[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID={0}][Outcome={1}][CertNickName={2}] CS certificate verification -+# -+# Event: CMC_ID_POP_LINK_WITNESS -+# Description: This event is used for identification and POP linking verification during CMC request processing. - # Applicable subsystems: CA --# Enabled by default: Yes --# ReqType must be the request type (enrollment, or revocation) --# CertSubject must be the certificate subject name of the certificate request --# CMCSignerInfo must be a unique String representation for the CMC request signer -+# Enabled by default: No -+# Fields: -+# - SubjectID: -+# - Outcome: -+# - Info: - # --LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS=:[AuditEvent=CMC_USER_SIGNED_REQUEST_SIG_VERIFY]{0} User signed CMC request signature verification success --LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE=:[AuditEvent=CMC_USER_SIGNED_REQUEST_SIG_VERIFY]{0} User signed CMC request signature verification failure -+LOGGING_SIGNED_AUDIT_CMC_ID_POP_LINK_WITNESS_3=:[AuditEvent=CMC_ID_POP_LINK_WITNESS][SubjectID={0}][Outcome={1}][Info={2}] Identification Proof of Possession linking witness verification - # --# Event: COMPUTE_RANDOM_DATA_REQUEST --# - used for TPS to TKS to get random challenge data --# Applicable subsystems: TKS, TPS -+# Event: CMC_PROOF_OF_IDENTIFICATION -+# Description: This event is used for proof of identification 
during CMC request processing. -+# Applicable subsystems: CA - # Enabled by default: No --# AgentID must be the trusted agent id used to make the request -+# Fields: -+# - SubjectID: -+# In case of success, "SubjectID" is the actual identified identification. -+# In case of failure, "SubjectID" is the attempted identification. -+# - Outcome: -+# - Info: - # --LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_2=:[AuditEvent=COMPUTE_RANDOM_DATA_REQUEST][Outcome={0}][AgentID={1}] TKS Compute random data request -+LOGGING_SIGNED_AUDIT_CMC_PROOF_OF_IDENTIFICATION_3=:[AuditEvent=CMC_PROOF_OF_IDENTIFICATION][SubjectID={0}][Outcome={1}][Info={2}] proof of identification in CMC request - # --# Event: COMPUTE_RANDOM_DATA_REQUEST_PROCESSED with [Outcome=Success] --# - used for TPS to TKS to get random challenge data -+# Event: COMPUTE_RANDOM_DATA_REQUEST -+# Description: This event is used when the request for TPS to TKS to get random challenge data is received. - # Applicable subsystems: TKS, TPS - # Enabled by default: No --# Outcome is SUCCESS or FAILURE --# Status is 0 for no error. --# AgentID must be the trusted agent id used to make the request --LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS=:[AuditEvent=COMPUTE_RANDOM_DATA_REQUEST_PROCESSED]{0} TKS Compute random data request processed successfully -+# Fields: -+# - Outcome: -+# - AgentID: The trusted agent ID used to make the request. -+# -+LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_2=:[AuditEvent=COMPUTE_RANDOM_DATA_REQUEST][Outcome={0}][AgentID={1}] TKS Compute random data request - # - # Event: COMPUTE_RANDOM_DATA_REQUEST_PROCESSED with [Outcome=Failure] --# - used for TPS to TKS to get random challenge data -+# Description: This event is used when the request for TPS to TKS to get random challenge data is processed unsuccessfully. - # Applicable subsystems: TKS, TPS - # Enabled by default: No --# Outcome is SUCCESS or FAILURE --# Status is 0 for no error. 
--# Error gives the error message --# AgentID must be the trusted agent id used to make the request -+# Fields: -+# - Outcome: Success or Failure. -+# - Status: 0 for no error. -+# - Error: The error message. -+# - AgentID: The trusted agent ID used to make the request. - # - LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE=:[AuditEvent=COMPUTE_RANDOM_DATA_REQUEST_PROCCESED]{0} TKS Compute random data request failed - # -+# Event: COMPUTE_RANDOM_DATA_REQUEST_PROCESSED with [Outcome=Success] -+# Description: This event is used when the request for TPS to TKS to get random challenge data is processed successfully. -+# Applicable subsystems: TKS, TPS -+# Fields: -+# - Outcome: Success or Failure. -+# - Status: 0 for no error. -+# - AgentID: The trusted agent ID used to make the request. -+# -+LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS=:[AuditEvent=COMPUTE_RANDOM_DATA_REQUEST_PROCESSED]{0} TKS Compute random data request processed successfully -+# - # Event: COMPUTE_SESSION_KEY_REQUEST --# - used for TPS to TKS to get a sessoin key for secure channel setup -+# Description: This event is used when the request for TPS to TKS to get a session key for secure channel is received. - # Applicable subsystems: TKS, TPS - # Enabled by default: No --# SubjectID must be the CUID of the token establishing the secure channel --# AgentID must be the trusted agent id used to make the request -+# Fields: -+# - Outcome: -+# - AgentID: The trusted agent ID used to make the request. - ## AC: KDF SPEC CHANGE - Need to log both the KDD and CUID, not just the - ## CUID. Renamed to "CUID_encoded" and "KDD_encoded" to reflect fact that - ## encoded parameters are being logged. --# CUID_encoded must be the special-encoded CUID of the token establishing the secure channel --# KDD_encoded must be the special-encoded KDD of the token establishing the secure channel -+# - CUID_encoded: The special-encoded CUID of the token establishing the secure channel. 
-+# - KDD_encoded: The special-encoded KDD of the token establishing the secure channel. - # - LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_4=:[AuditEvent=COMPUTE_SESSION_KEY_REQUEST][CUID_encoded={0}][KDD_encoded={1}][Outcome={2}][AgentID={3}] TKS Compute session key request - # -+# Event: COMPUTE_SESSION_KEY_REQUEST_PROCESSED with [Outcome=Failure] -+# Description: This event is used when the request for TPS to TKS to get a session key for secure channel is processed unsuccessfully. -+# Applicable subsystems: TKS, TPS -+# Enabled by default: No -+# Fields: -+# - Outcome: Failure -+# - status: Error code or 0 for no error. -+# - AgentID: The trusted agent ID used to make the request. -+# - IsCryptoValidate: tells if the card cryptogram is to be validated -+# - IsServerSideKeygen: tells if the keys are to be generated on server -+# - SelectedToken: The cryptographic token performing key operations. -+# - KeyNickName: The numeric keyset, e.g. #01#01. -+# - Error: The error message. -+# -+## AC: KDF SPEC CHANGE - Need to log both the KDD and CUID, not just the CUID. Renamed to "CUID_decoded" and "KDD_decoded" to reflect fact that decoded parameters are now logged. -+## Also added TKSKeyset, KeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd -+# - CUID_decoded: The ASCII-HEX representation of the CUID of the token establishing the secure channel. -+# - KDD_decoded: The ASCII-HEX representation of the KDD of the token establishing the secure channel. -+# - TKSKeyset: The name of the TKS keyset being used for this request. -+# - KeyInfo_KeyVersion: The key version number requested in hex. -+# - NistSP800_108KdfOnKeyVersion: The value of the corresponding setting in hex. -+# - NistSP800_108KdfUseCuidAsKdd: The value of the corresponding setting in hex. 
-+# -+LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE=:[AuditEvent=COMPUTE_SESSION_KEY_REQUEST_PROCESSED]{0} TKS Compute session key request failed -+# - # Event: COMPUTE_SESSION_KEY_REQUEST_PROCESSED with [Outcome=Success] --# - request for TPS to TKS to get a sessoin key for secure channel processed -+# Description: This event is used when the request for TPS to TKS to get a session key for secure channel is processed successfully. - # Applicable subsystems: TKS, TPS - # Enabled by default: No --# SubjectID must be the CUID of the token establishing the secure channel --# AgentID must be the trusted agent id used to make the request --# Outcome is SUCCESS or FAILURE --# Status is 0 for no error. --# IsCryptoValidate tells if the card cryptogram is to be validated --# IsServerSideKeygen tells if the keys are to be generated on server --# SelectedToken is the cryptographic token performing key operations --# KeyNickName is the number keyset ex: #01#01 -+# Fields: -+# - AgentID: The trusted agent ID used to make the request. -+# - Outcome: Success -+# - status: 0 for no error. -+# - IsCryptoValidate: tells if the card cryptogram is to be validated -+# - IsServerSideKeygen: tells if the keys are to be generated on server -+# - SelectedToken: The cryptographic token performing key operations. -+# - KeyNickName: The number keyset, e.g. #01#01. - # - ## AC: KDF SPEC CHANGE - Need to log both the KDD and CUID, not just the - ## CUID. Renamed to "CUID_decoded" and "KDD_decoded" to reflect fact - ## that decoded parameters are now logged. - ## Also added TKSKeyset, KeyInfo_KeyVersion, - ## NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd --# CUID_decoded must be the ASCII-HEX representation of the CUID of the token establishing the secure channel --# KDD_decoded must be the ASCII-HEX representation of the KDD of the token establishing the secure channel --# TKSKeyset is the name of the TKS keyset being used for this request. 
--# KeyInfo_KeyVersion is the key version number requested in hex. --# NistSP800_108KdfOnKeyVersion lists the value of the corresponding setting in hex. --# NistSP800_108KdfUseCuidAsKdd lists the value of the corresponding setting in hex. -+# - CUID_decoded: The ASCII-HEX representation of the CUID of the token establishing the secure channel. -+# - KDD_decoded: The ASCII-HEX representation of the KDD of the token establishing the secure channel. -+# - TKSKeyset: The name of the TKS keyset being used for this request. -+# - KeyInfo_KeyVersion: The key version number requested in hex. -+# - NistSP800_108KdfOnKeyVersion: The value of the corresponding setting in hex. -+# - NistSP800_108KdfUseCuidAsKdd: The value of the corresponding setting in hex. - # - LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS=:[AuditEvent=COMPUTE_SESSION_KEY_REQUEST_PROCESSED]{0} TKS Compute session key request processed successfully - # --# Event: COMPUTE_SESSION_KEY_REQUEST_PROCESSED with [Outcome=Failure] --# - request for TPS to TKS to get a sessoin key for secure channel processed --# Applicable subsystems: TKS, TPS -+# Event: CONFIG_CERT_POLICY -+# Description: This event is used when configuring certificate policy constraints and extensions. -+# Applicable subsystems: CA - # Enabled by default: No --# SubjectID must be the CUID of the token establishing the secure channel --# Outcome is SUCCESS or FAILURE --# Status is error code or 0 for no error. 
--# AgentID must be the trusted agent id used to make the request --# status is 0 for success, non-zero for various errors --# IsCryptoValidate tells if the card cryptogram is to be validated --# IsServerSideKeygen tells if the keys are to be generated on server --# SelectedToken is the cryptographic token performing key operations --# KeyNickName is the numeric keyset ex: #01#01 --# Error gives the error message -+# Fields: -+# - SubjectID: -+# - Outcome: -+# - ParamNameValPairs: A name-value pair -+# (where name and value are separated by the delimiter ;;) -+# separated by + (if more than one name-value pair) of config params changed. - # --## AC: KDF SPEC CHANGE - Need to log both the KDD and CUID, not just the CUID. Renamed to "CUID_decoded" and "KDD_decoded" to reflect fact that decoded parameters are now logged. --## Also added TKSKeyset, KeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd --# CUID_decoded must be the ASCII-HEX representation of the CUID of the token establishing the secure channel --# KDD_decoded must be the ASCII-HEX representation of the KDD of the token establishing the secure channel --# TKSKeyset is the name of the TKS keyset being used for this request. --# KeyInfo_KeyVersion is the key version number requested in hex. --# NistSP800_108KdfOnKeyVersion lists the value of the corresponding setting in hex. --# NistSP800_108KdfUseCuidAsKdd lists the value of the corresponding setting in hex -+LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY_3=:[AuditEvent=CONFIG_CERT_POLICY][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] certificate policy constraint or extension configuration parameter(s) change - # --LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE=:[AuditEvent=COMPUTE_SESSION_KEY_REQUEST_PROCESSED]{0} TKS Compute session key request failed -+# Event: CONFIG_TOKEN_GENERAL -+# Description: This event is used when doing general TPS configuration. 
-+# Applicable subsystems: TPS -+# Enabled by default: No -+# Fields: -+# - SubjectID: -+# - Outcome: -+# - ParamNameValPairs: A name-value pair -+# (where name and value are separated by the delimiter ;;) -+# separated by + (if more than one name-value pair) of config params changed. -+# --- secret component (password) MUST NOT be logged --- -+# - Info: Error info for failed cases. -+# -+LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_GENERAL_5=:[AuditEvent=CONFIG_TOKEN_GENERAL][SubjectID={0}][Outcome={1}][Service={2}][ParamNameValPairs={3}][Info={4}] TPS token configuration parameter(s) change -+# -+# Event: CONFIG_TOKEN_PROFILE -+# Description: This event is used when configuring token profile. -+# Applicable subsystems: TPS -+# Enabled by default: No -+# Fields: -+# - SubjectID: -+# - Outcome: -+# - Service: can be any of the methods offered -+# - ProfileID: -+# - ParamNameValPairs: A name-value pair -+# (where name and value are separated by the delimiter ;;) -+# separated by + (if more than one name-value pair) of config params changed. -+# --- secret component (password) MUST NOT be logged --- -+# - Info: Error info for failed cases. -+# -+LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_PROFILE_6=:[AuditEvent=CONFIG_TOKEN_PROFILE][SubjectID={0}][Outcome={1}][Service={2}][ProfileID={3}][ParamNameValPairs={4}][Info={5}] token profile configuration parameter(s) change -+# -+# Event: CRL_RETRIEVAL -+# Description: This event is used when CRLs are retrieved by the OCSP Responder. -+# Applicable subsystems: OCSP -+# Enabled by default: No -+# Fields: -+# - SubjectID: -+# - Outcome: "Success" when CRL is retrieved successfully, "Failure" otherwise. -+# - CRLnum: The CRL number that identifies the CRL. -+# -+LOGGING_SIGNED_AUDIT_CRL_RETRIEVAL_3=:[AuditEvent=CRL_RETRIEVAL][SubjectID={0}][Outcome={1}][CRLnum={2}] CRL retrieval -+# -+# Event: CRL_VALIDATION -+# Description: This event is used when CRL is retrieved and validation process occurs. 
-+# Applicable subsystems: OCSP -+# Enabled by default: No -+# Fields: -+# - SubjectID: -+# - Outcome: -+# -+LOGGING_SIGNED_AUDIT_CRL_VALIDATION_2=:[AuditEvent=CRL_VALIDATION][SubjectID={0}][Outcome={1}] CRL validation -+# -+# Event: DELTA_CRL_PUBLISHING -+# Description: This event is used when delta CRL publishing is complete. -+# Applicable subsystems: CA -+# Enabled by default: No -+# Fields: -+# - SubjectID: -+# - Outcome: "Success" when delta CRL is publishing successfully, "Failure" otherwise. -+# - CRLnum: -+# - FailureReason: -+# -+LOGGING_SIGNED_AUDIT_DELTA_CRL_PUBLISHING=:[AuditEvent=DELTA_CRL_PUBLISHING]{0} Delta CRL publishing - # - # Event: DIVERSIFY_KEY_REQUEST --# - request for TPS to TKS to do key change over -+# Description: This event is used when the request for TPS to TKS to do key changeover is received. - # Applicable subsystems: TKS, TPS - # Enabled by default: No --# SubjectID must be the CUID of the token requesting key change over --# AgentID must be the trusted agent id used to make the request --# status is 0 for success, non-zero for various errors --# oldMasterKeyName is the old master key name --# newMasterKeyName is the new master key name -+# Fields: -+# - Outcome: -+# - AgentID: The trusted agent ID used to make the request. -+# - oldMasterKeyName: The old master key name. -+# - newMasterKeyName: The new master key name. - # - ## AC: KDF SPEC CHANGE - Need to log both the KDD and CUID, not just the CUID. Renamed to "CUID_encoded" and "KDD_encoded" to reflect fact that encoded parameters are being logged. --# CUID_encoded must be the special-encoded CUID of the token establishing the secure channel --# KDD_encoded must be the special-encoded KDD of the token establishing the secure channel -+# - CUID_encoded: The special-encoded CUID of the token establishing the secure channel. -+# - KDD_encoded: The special-encoded KDD of the token establishing the secure channel. 
- #
- LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_6=:[AuditEvent=DIVERSIFY_KEY_REQUEST][CUID_encoded={0}][KDD_encoded={1}][Outcome={2}][AgentID={3}][oldMasterKeyName={4}][newMasterKeyName={5}] TKS Key Change Over request
- #
--# Event: DIVERSIFY_KEY_REQUEST_PROCESSED with [Outcome=Success]
--# - request for TPS to TKS to do key change over request processed
-+# Event: DIVERSIFY_KEY_REQUEST_PROCESSED with [Outcome=Failure]
-+# Description: This event is when the request for TPS to TKS to do key changeover is processed unsuccessfully.
- # Applicable subsystems: TKS, TPS
- # Enabled by default: No
--# SubjectID must be the CUID of the token requesting key change over
--# AgentID must be the trusted agent id used to make the request
--# Outcome is SUCCESS or FAILURE
--# status is 0 for success, non-zero for various errors
--# oldMasterKeyName is the old master key name
--# newMasterKeyName is the new master key name
-+# Fields:
-+# - AgentID: The trusted agent ID used to make the request.
-+# - Outcome: Failure
-+# - status: 0 for success, non-zero for various errors.
-+# - oldMasterKeyName: The old master key name.
-+# - newMasterKeyName: The new master key name.
-+# - Error: The error message.
- #
- ## AC: KDF SPEC CHANGE - Need to log both the KDD and CUID, not just the CUID. Renamed to "CUID_decoded" and "KDD_decoded" to reflect fact that decoded parameters are now logged.
- ## Also added TKSKeyset, OldKeyInfo_KeyVersion, NewKeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd
--# CUID_decoded must be the ASCII-HEX representation of the CUID of the token establishing the secure channel
--# KDD_decoded must be the ASCII-HEX representation of the KDD of the token establishing the secure channel
--# TKSKeyset is the name of the TKS keyset being used for this request.
--# OldKeyInfo_KeyVersion is the old key version number in hex.
--# NewKeyInfo_KeyVersion is the new key version number in hex.
--# NistSP800_108KdfOnKeyVersion lists the value of the corresponding setting in hex.
--# NistSP800_108KdfUseCuidAsKdd lists the value of the corresponding setting in hex.
-+# - CUID_decoded: The ASCII-HEX representation of the CUID of the token establishing the secure channel.
-+# - KDD_decoded: The ASCII-HEX representation of the KDD of the token establishing the secure channel.
-+# - TKSKeyset: The name of the TKS keyset being used for this request.
-+# - OldKeyInfo_KeyVersion: The old key version number in hex.
-+# - NewKeyInfo_KeyVersion: The new key version number in hex.
-+# - NistSP800_108KdfOnKeyVersion: The value of the corresponding setting in hex.
-+# - NistSP800_108KdfUseCuidAsKdd: The value of the corresponding setting in hex.
- #
--LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS=:[AuditEvent=DIVERSIFY_KEY_REQUEST_PROCESSED]{0} TKS Key Change Over request processed successfully
-+LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE=:[AuditEvent=DIVERSIFY_KEY_REQUEST_PROCESSED]{0} TKS Key Change Over request failed
- #
--# Event: DIVERSIFY_KEY_REQUEST_PROCESSED with [Outcome=Failure]
--# - request for TPS to TKS to do key change over request processed
-+# Event: DIVERSIFY_KEY_REQUEST_PROCESSED with [Outcome=Success]
-+# Description: This event is used when the request for TPS to TKS to do key changeover is processed successfully.
- # Applicable subsystems: TKS, TPS
- # Enabled by default: No
--# SubjectID must be the CUID of the token requesting key change over
--# AgentID must be the trusted agent id used to make the request
--# Outcome is SUCCESS or FAILURE
--# status is 0 for success, non-zero for various errors
--# oldMasterKeyName is the old master key name
--# newMasterKeyName is the new master key name
--# Error gives the error message
-+# Fields:
-+# - AgentID: The trusted agent ID used to make the request.
-+# - Outcome: Success
-+# - status: 0 for success, non-zero for various errors.
-+# - oldMasterKeyName: The old master key name.
-+# - newMasterKeyName: The new master key name.
- #
- ## AC: KDF SPEC CHANGE - Need to log both the KDD and CUID, not just the CUID. Renamed to "CUID_decoded" and "KDD_decoded" to reflect fact that decoded parameters are now logged.
- ## Also added TKSKeyset, OldKeyInfo_KeyVersion, NewKeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd
--# CUID_decoded must be the ASCII-HEX representation of the CUID of the token establishing the secure channel
--# KDD_decoded must be the ASCII-HEX representation of the KDD of the token establishing the secure channel
--# TKSKeyset is the name of the TKS keyset being used for this request.
--# OldKeyInfo_KeyVersion is the old key version number in hex.
--# NewKeyInfo_KeyVersion is the new key version number in hex.
--# NistSP800_108KdfOnKeyVersion lists the value of the corresponding setting in hex.
--# NistSP800_108KdfUseCuidAsKdd lists the value of the corresponding setting in hex
-+# - CUID_decoded: The ASCII-HEX representation of the CUID of the token establishing the secure channel.
-+# - KDD_decoded: The ASCII-HEX representation of the KDD of the token establishing the secure channel.
-+# - TKSKeyset: The name of the TKS keyset being used for this request.
-+# - OldKeyInfo_KeyVersion: The old key version number in hex.
-+# - NewKeyInfo_KeyVersion: The new key version number in hex.
-+# - NistSP800_108KdfOnKeyVersion: The value of the corresponding setting in hex.
-+# - NistSP800_108KdfUseCuidAsKdd: The value of the corresponding setting in hex.
- #
--LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE=:[AuditEvent=DIVERSIFY_KEY_REQUEST_PROCESSED]{0} TKS Key Change Over request failed
-+LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS=:[AuditEvent=DIVERSIFY_KEY_REQUEST_PROCESSED]{0} TKS Key Change Over request processed successfully
- #
- # Event: ENCRYPT_DATA_REQUEST
--# - request from TPS to TKS to encrypt data
--# (or generate random data and encrypt)
-+# Description: This event is used when the request from TPS to TKS to encrypt data
-+# (or generate random data and encrypt) is received.
- # Applicable subsystems: TKS, TPS
- # Enabled by default: No
--# SubjectID must be the CUID of the token requesting encrypt data
--# AgentID must be the trusted agent id used to make the request
--# status is 0 for success, non-zero for various errors
--# isRandom tells if the data is randomly generated on TKS
--#
--LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_4=:[AuditEvent=ENCRYPT_DATA_REQUEST][SubjectID={0}][status={1}][AgentID={2}][isRandom={3}] TKS encrypt data request
-+# Fields:
-+# - SubjectID: The CUID of the token requesting encrypt data.
-+# - AgentID: The trusted agent ID used to make the request.
-+# - status: 0 for success, non-zero for various errors.
-+# - isRandom: tells if the data is randomly generated on TKS
- #
- ## AC: KDF SPEC CHANGE - Need to log both the KDD and CUID, not just the CUID. Renamed to "CUID_encoded" and "KDD_encoded" to reflect fact that encoded parameters are being logged.
--# CUID_encoded must be the special-encoded CUID of the token establishing the secure channel
--# KDD_encoded must be the special-encoded KDD of the token establishing the secure channel
-+# - CUID_encoded: The special-encoded CUID of the token establishing the secure channel.
-+# - KDD_encoded: The special-encoded KDD of the token establishing the secure channel.
- #
-+LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_4=:[AuditEvent=ENCRYPT_DATA_REQUEST][SubjectID={0}][status={1}][AgentID={2}][isRandom={3}] TKS encrypt data request
- LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_5=:[AuditEvent=ENCRYPT_DATA_REQUEST][CUID_encoded={0}][KDD_encoded={1}][status={2}][AgentID={3}][isRandom={4}] TKS encrypt data request
- #
--# Event: ENCRYPT_DATA_REQUEST_PROCESSED with [Outcome=Success]
--# - request from TPS to TKS to encrypt data
--# (or generate random data and encrypt)
-+# Event: ENCRYPT_DATA_REQUEST_PROCESSED with [Outcome=Failure]
-+# Description: This event is used when the request from TPS to TKS to encrypt data
-+# (or generate random data and encrypt) is processed unsuccessfully.
- # Applicable subsystems: TKS, TPS
- # Enabled by default: No
--# SubjectID must be the CUID of the token requesting encrypt data
--# AgentID must be the trusted agent id used to make the request
--# Outcome is SUCCESS or FAILURE
--# status is 0 for success, non-zero for various errors
--# isRandom tells if the data is randomly generated on TKS
--# SelectedToken is the cryptographic token performing key operations
--# KeyNickName is the numeric keyset ex: #01#01
-+# Fields:
-+# - AgentID: The trusted agent ID used to make the request.
-+# - Outcome: Failure
-+# - status: 0 for success, non-zero for various errors.
-+# - isRandom: tells if the data is randomly generated on TKS
-+# - SelectedToken: The cryptographic token performing key operations.
-+# - KeyNickName: The numeric keyset, e.g. #01#01.
-+# - Error: The error message.
- #
- ## AC: KDF SPEC CHANGE - Need to log both the KDD and CUID, not just the CUID. Renamed to "CUID_decoded" and "KDD_decoded" to reflect fact that decoded parameters are now logged.
- ## Also added TKSKeyset, KeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd
--# CUID_decoded must be the ASCII-HEX representation of the CUID of the token establishing the secure channel
--# KDD_decoded must be the ASCII-HEX representation of the KDD of the token establishing the secure channel
--# TKSKeyset is the name of the TKS keyset being used for this request.
--# KeyInfo_KeyVersion is the key version number requested in hex.
--# NistSP800_108KdfOnKeyVersion lists the value of the corresponding setting in hex.
--# NistSP800_108KdfUseCuidAsKdd lists the value of the corresponding setting in hex.
-+# - CUID_decoded: The ASCII-HEX representation of the CUID of the token establishing the secure channel.
-+# - KDD_decoded: The ASCII-HEX representation of the KDD of the token establishing the secure channel.
-+# - TKSKeyset: The name of the TKS keyset being used for this request.
-+# - KeyInfo_KeyVersion: The key version number requested in hex.
-+# - NistSP800_108KdfOnKeyVersion: The value of the corresponding setting in hex.
-+# - NistSP800_108KdfUseCuidAsKdd: The value of the corresponding setting in hex.
- #
--LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS=:[AuditEvent=ENCRYPT_DATA_REQUEST_PROCESSED]{0} TKS encrypt data request processed successfully
-+LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE=:[AuditEvent=ENCRYPT_DATA_REQUEST_PROCESSED]{0} TKS encrypt data request failed
- #
--# Event: ENCRYPT_DATA_REQUEST_PROCESSED with [Outcome=Failure]
--# - request from TPS to TKS to encrypt data
--# (or generate random data and encrypt)
-+# Event: ENCRYPT_DATA_REQUEST_PROCESSED with [Outcome=Success]
-+# Description: This event is used when the request from TPS to TKS to encrypt data
-+# (or generate random data and encrypt) is processed successfully.
- # Applicable subsystems: TKS, TPS
- # Enabled by default: No
--# SubjectID must be the CUID of the token requesting encrypt data
--# AgentID must be the trusted agent id used to make the request
--# Outocme is SUCCESS or FAILURE
--# status is 0 for success, non-zero for various errors
--# isRandom tells if the data is randomly generated on TKS
--# SelectedToken is the cryptographic token performing key operations
--# KeyNickName is the numeric keyset ex: #01#01
--# Error gives the error message
-+# Fields:
-+# - AgentID: The trusted agent ID used to make the request.
-+# - Outcome: Success
-+# - status: 0 for success, non-zero for various errors.
-+# - isRandom: tells if the data is randomly generated on TKS
-+# - SelectedToken: The cryptographic token performing key operations.
-+# - KeyNickName: The numeric keyset, e.g. #01#01.
- #
- ## AC: KDF SPEC CHANGE - Need to log both the KDD and CUID, not just the CUID. Renamed to "CUID_decoded" and "KDD_decoded" to reflect fact that decoded parameters are now logged.
- ## Also added TKSKeyset, KeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd
--# CUID_decoded must be the ASCII-HEX representation of the CUID of the token establishing the secure channel
--# KDD_decoded must be the ASCII-HEX representation of the KDD of the token establishing the secure channel
--# TKSKeyset is the name of the TKS keyset being used for this request.
--# KeyInfo_KeyVersion is the key version number requested in hex.
--# NistSP800_108KdfOnKeyVersion lists the value of the corresponding setting in hex.
--# NistSP800_108KdfUseCuidAsKdd lists the value of the corresponding setting in hex.
-+# - CUID_decoded: The ASCII-HEX representation of the CUID of the token establishing the secure channel.
-+# - KDD_decoded: The ASCII-HEX representation of the KDD of the token establishing the secure channel.
-+# - TKSKeyset: The name of the TKS keyset being used for this request.
-+# - KeyInfo_KeyVersion: The key version number requested in hex.
-+# - NistSP800_108KdfOnKeyVersion: The value of the corresponding setting in hex.
-+# - NistSP800_108KdfUseCuidAsKdd: The value of the corresponding setting in hex.
- #
--LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE=:[AuditEvent=ENCRYPT_DATA_REQUEST_PROCESSED]{0} TKS encrypt data request failed
-+LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS=:[AuditEvent=ENCRYPT_DATA_REQUEST_PROCESSED]{0} TKS encrypt data request processed successfully
- #
--# Event: SECURITY_DOMAIN_UPDATE
--# - used when updating contents of security domain
--# (add/remove a subsystem)
-+# Event: FULL_CRL_PUBLISHING
-+# Description: This event is used when full CRL publishing is complete.
- # Applicable subsystems: CA
--# Enabled by default: Yes
--# ParamNameValPairs must be a name;;value pair
--# (where name and value are separated by the delimiter ;;)
--# separated by + (if more than one name;;value pair) of config params changed
-+# Enabled by default: No
-+# Fields:
-+# - SubjectID:
-+# - Outcome: "Success" when full CRL is publishing successfully, "Failure" otherwise.
-+# - CRLnum:
-+# - FailureReason:
- #
--LOGGING_SIGNED_AUDIT_SECURITY_DOMAIN_UPDATE_1=:[AuditEvent=SECURITY_DOMAIN_UPDATE][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] security domain update
-+LOGGING_SIGNED_AUDIT_FULL_CRL_PUBLISHING=:[AuditEvent=FULL_CRL_PUBLISHING]{0} Full CRL publishing
- #
--# Event: CONFIG_SERIAL_NUMBER
--# - used when configuring serial number ranges
--# (when requesting a serial number range when cloning, for example)
--# Applicable subsystems: CA, KRA
--# Enabled by default: Yes
--# ParamNameValPairs must be a name;;value pair
--# (where name and value are separated by the delimiter ;;)
--# separated by + (if more than one name;;value pair) of config params changed
-+# Event: INTER_BOUNDARY
-+# Description: This event is used when inter-CS boundary data transfer is successful.
-+# This is used when data does not need to be captured.
-+# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
-+# Enabled by default: No
-+# Fields:
-+# - SubjectID:
-+# - Outcome:
-+# - ProtectionMethod: "SSL" or "unknown".
-+# - ReqType: The request type.
-+# - ReqID: The request ID.
- #
--LOGGING_SIGNED_AUDIT_CONFIG_SERIAL_NUMBER_1=:[AuditEvent=CONFIG_SERIAL_NUMBER][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] serial number range update
-+LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS_5=:[AuditEvent=INTER_BOUNDARY][SubjectID={0}][Outcome={1}][ProtectionMethod={2}][ReqType={3}][ReqID={4}] inter-CS boundary communication (data exchange) success
- #
--# Event: SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED
--# - used when user security data archive request is processed
--# this is when DRM receives and processed the request
-+# Event: KEY_RECOVERY_AGENT_LOGIN
-+# Description: This event is used when KRA agents login as recovery agents to approve
-+# key recovery requests.
- # Applicable subsystems: KRA
--# Enabled by default: Yes
--# ArchivalRequestID is the requestID provided by the CA through the connector
--# It is used to track the request through from CA to KRA.
--# RequestId is the KRA archival request ID
--# ClientKeyID must be the user supplied client ID associated with
--# the security data to be archived
-+# Enabled by default: No
-+# Fields:
-+# - SubjectID:
-+# - Outcome:
-+# - RecoveryID: The recovery request ID.
-+# - RecoveryAgent: The recovery agent the KRA agent is
-+# logging in with.
- #
--LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED=:[AuditEvent=SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED]{0} security data archival request processed
-+LOGGING_SIGNED_AUDIT_KEY_RECOVERY_AGENT_LOGIN_4=:[AuditEvent=KEY_RECOVERY_AGENT_LOGIN][SubjectID={0}][Outcome={1}][RecoveryID={2}][RecoveryAgent={3}] key recovery agent login
- #
--# Event: SECURITY_DATA_ARCHIVAL_REQUEST
--# - used when security data recovery request is made
--# Applicable subsystems: CA, KRA
--# Enabled by default: Yes
--# ArchivalRequestID is the requestID provided by the CA through the connector
--# It is used to track the request through from CA to KRA.
--# RequestId is the KRA archival request ID
--# ClientKeyID must be the user supplied client ID associated with
--# the security data to be archived
-+# Event: KEY_RECOVERY_REQUEST
-+# Description: This event is used when key recovery request is made.
-+# Applicable subsystems: CA, OCSP, TKS, TPS, TPS
-+# Enabled by default: No
-+# Fields:
-+# - SubjectID:
-+# - Outcome:
-+# - RecoveryID: The recovery request ID.
-+# - PubKey: The base-64 encoded public key associated with
-+# the private key to be recovered.
- #
--LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST=:[AuditEvent=SECURITY_DATA_ARCHIVAL_REQUEST]{0} security data archival request made
-+LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_4=:[AuditEvent=KEY_RECOVERY_REQUEST][SubjectID={0}][Outcome={1}][RecoveryID={2}][PubKey={3}] key recovery request made
- #
--# Event: SECURITY_DATA_RECOVERY_REQUEST_PROCESSED
--# - used when security data recovery request is processed
-+# Event: KEY_STATUS_CHANGE
-+# Description: This event is used when modify key status is executed.
- # Applicable subsystems: KRA
--# Enabled by default: Yes
--# RecoveryID must be the recovery request ID
--# KeyID is the ID of the security data being requested to be recovered
--# RecoveryAgents are the UIDs of the recovery agents approving this request
-+# Enabled by default: No
-+# Fields:
-+# - SubjectID:
-+# - Outcome:
-+# - KeyID: An existing key ID in the database.
-+# - OldStatus: The old status to change from.
-+# - NewStatus: The new status to change to.
-+# - Info:
- #
--LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_PROCESSED=:[AuditEvent=SECURITY_DATA_RECOVERY_REQUEST_PROCESSED]{0} security data recovery request processed
-+LOGGING_SIGNED_AUDIT_KEY_STATUS_CHANGE=:[AuditEvent=KEY_STATUS_CHANGE]{0} Key Status Change
- #
--# Event: SECURITY_DATA_RECOVERY_REQUEST
--# - used when security data recovery request is made
--# Applicable subsystems: KRA
--# Enabled by default: Yes
--# RecoveryID must be the recovery request ID
--# DataID is the ID of the security data to be recovered
-+# Event: LOG_EXPIRATION_CHANGE (disabled)
-+# Description: This event is used when log expiration time change is attempted.
-+# The ACL should not allow this operation, but make sure it's written after the attempt.
-+# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
-+# Enabled by default: No
-+# Fields:
-+# - SubjectID:
-+# - Outcome:
-+# - LogType: "System", "Transaction", or "SignedAudit".
-+# - ExpirationTime: The amount of time (in seconds) that is
-+# attempted to be changed to.
- #
--LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST=:[AuditEvent=SECURITY_DATA_RECOVERY_REQUEST]{0} security data recovery request made
-+#LOGGING_SIGNED_AUDIT_LOG_EXPIRATION_CHANGE_4=:[AuditEvent=LOG_EXPIRATION_CHANGE][SubjectID={0}][Outcome={1}][LogType={2}][ExpirationTime={3}] log expiration time change attempt
- #
--# Event: SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE
--# - used when DRM agents login as recovery agents to change
--# the state of key recovery requests
--# Applicable subsystems: KRA
--# Enabled by default: Yes
--# RecoveryID must be the recovery request ID
--# Operation is the operation performed (approve, reject, cancel etc.)
-+# Event: NON_PROFILE_CERT_REQUEST
-+# Description: This event is used when a non-profile certificate request is made (before approval process).
-+# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
-+# Enabled by default: No
-+# Fields:
-+# - SubjectID: The UID of user that triggered this event.
-+# If CMC enrollment requests signed by an agent, SubjectID should
-+# be that of the agent.
-+# - Outcome:
-+# - CertSubject: The certificate subject name of the certificate request.
-+# - ReqID: The certificate request ID.
-+# - ServiceID: The identity of the servlet that submitted the original
-+# request.
- #
--LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE=:[AuditEvent=SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE]{0} security data recovery request state change
-+LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST_5=:[AuditEvent=NON_PROFILE_CERT_REQUEST][SubjectID={0}][Outcome={1}][ReqID={2}][ServiceID={3}][CertSubject={4}] certificate request made without certificate profiles
-+#
-+# Event: OCSP_ADD_CA_REQUEST
-+# Description: This event is used when a CA is attempted to be added to the OCSP Responder.
-+# Applicable subsystems: OCSP
-+# Enabled by default: No
-+# Fields:
-+# - SubjectID:
-+# - Outcome:
-+# - CA: The base-64 encoded PKCS7 certificate (or chain).
-+#
-+LOGGING_SIGNED_AUDIT_OCSP_ADD_CA_REQUEST=:[AuditEvent=OCSP_ADD_CA_REQUEST]{0} request to add a CA for OCSP Responder
-+#
-+# Event: OCSP_REMOVE_CA_REQUEST
-+# Description: This event is used when a CA is attempted to be removed from the OCSP Responder.
-+# Applicable subsystems: OCSP
-+# Enabled by default: No
-+# Fields:
-+# - SubjectID:
-+# - Outcome:
-+# - CASubjectDN: The DN ID of the CA.
-+#
-+LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST=:[AuditEvent=OCSP_REMOVE_CA_REQUEST]{0} request to remove a CA from OCSP Responder
- #
- # Event: SECURITY_DATA_EXPORT_KEY
--# - used when user attempts to retrieve key after the recovery request
-+# Description: This event is used when user attempts to retrieve key after the recovery request
- # has been approved.
- # Applicable subsystems: KRA
- # Enabled by default: No
--# RecoveryID must be the recovery request ID
--# KeyID is the key being retrieved
--# Info is the failure reason if the export fails.
--# PubKey is the public key for the private key being retrieved
-+# Fields:
-+# - SubjectID:
-+# - Outcome:
-+# - RecoveryID: The recovery request ID.
-+# - KeyID: The key being retrieved.
-+# - Info: The failure reason if the export fails.
-+# - PubKey: The public key for the private key being retrieved.
- #
- LOGGING_SIGNED_AUDIT_SECURITY_DATA_EXPORT_KEY=:[AuditEvent=SECURITY_DATA_EXPORT_KEY]{0} security data retrieval request
- #
- # Event: SECURITY_DATA_INFO
--# - used when user attempts to get metadata information about a key
-+# Description: This event is used when user attempts to get metadata information about a key.
- # Applicable subsystems: KRA
- # Enabled by default: No
--# RecoveryID must be the recovery request ID
--# KeyID is the key being retrieved
--# Info is the failure reason if the export fails.
--# PubKey is the public key for the private key being retrieved
-+# Fields:
-+# - SubjectID:
-+# - Outcome:
-+# - KeyID: The key being retrieved.
-+# - ClientKeyId:
-+# - Info: The failure reason if the export fails.
-+# - PubKey: The public key for the private key being retrieved.
- #
- LOGGING_SIGNED_AUDIT_SECURITY_DATA_INFO=:[AuditEvent=SECURITY_DATA_INFO]{0} security data info request
- #
--# Event: KEY_STATUS_CHANGE
--# - used when modify key status is executed
--# Applicable subsystems: KRA
-+# Event: TOKEN_AUTH with [Outcome=Failure]
-+# Description: This event is used when authentication failed.
-+# Applicable subsystems: TPS
- # Enabled by default: No
--# keyID must be an existing key id in the database
--# oldStatus is the old status to change from
--# newStatus is the new status to change to
--#
--LOGGING_SIGNED_AUDIT_KEY_STATUS_CHANGE=:[AuditEvent=KEY_STATUS_CHANGE]{0} Key Status Change
--#
--# Event: SYMKEY_GENERATION_REQUEST_PROCESSED
--# - used when symmetric key generation request is processed
--# this is when DRM receives and processes the request
--# Applicable subsystems: KRA
--# Enabled by default: Yes
--# Client ID must be the user supplied client ID associated with
--# the symmetric key to be generated and archived
--#
--LOGGING_SIGNED_AUDIT_SYMKEY_GEN_REQUEST_PROCESSED=:[AuditEvent=SYMKEY_GENERATION_REQUEST_PROCESSED]{0} symkey generation request processed
--#
--# Event: SYMKEY_GENERATION_REQUEST
--# - used when symmetric key generation request is made
--# Applicable subsystems: KRA
--# Enabled by default: Yes
--# ClientKeyID is the ID of the symmetirc key to be generated and archived
--#
--LOGGING_SIGNED_AUDIT_SYMKEY_GENERATION_REQUEST=:[AuditEvent=SYMKEY_GENERATION_REQUEST]{0} symkey generation request made
--#
--# Event: ASYMKEY_GENERATION_REQUEST
--# - used when asymmetric key generation request is made
--# Applicable subsystems: KRA
--# Enabled by default: Yes
-+# Fields:
-+# - SubjectID:
-+# - Outcome: Failure
-+# (obviously, if authentication failed, you won't have a valid SubjectID, so
-+# in this case, AttemptedID is recorded)
-+# - IP:
-+# - CUID:
-+# - MSN:
-+# - OP:
-+# - tokenType:
-+# - AppletVersion:
-+# - AuthMgr: The authentication manager instance name that did
-+# this authentication.
- #
--LOGGING_SIGNED_AUDIT_ASYMKEY_GENERATION_REQUEST=:[AuditEvent=ASYMKEY_GENERATION_REQUEST]{0} Asymkey generation request made
-+LOGGING_SIGNED_AUDIT_TOKEN_AUTH_FAILURE=:[AuditEvent=TOKEN_AUTH]{0} token authentication failure
- #
--# Event: ASYMKEY_GENERATION_REQUEST_PROCESSED
--# - used when a request to generate asymmetric keys received by the DRM
--# is processed.
--# Applicable subsystems: KRA
--# Enabled by default: Yes
-+# Event: TOKEN_AUTH with [Outcome=Success]
-+# Description: This event is used when authentication succeeded.
-+# Applicable subsystems: TPS
-+# Enabled by default: No
-+# Fields:
-+# - SubjectID:
-+# - Outcome: Success
-+# - IP:
-+# - CUID:
-+# - MSN:
-+# - OP:
-+# - tokenType:
-+# - AppletVersion:
-+# - AuthMgr: The authentication manager instance name that did
-+# this authentication.
- #
--LOGGING_SIGNED_AUDIT_ASYMKEY_GEN_REQUEST_PROCESSED=:[AuditEvent=ASYMKEY_GENERATION_REQUEST_PROCESSED]{0} Asymkey generation request processed
-+LOGGING_SIGNED_AUDIT_TOKEN_AUTH_SUCCESS=:[AuditEvent=TOKEN_AUTH]{0} token authentication success
- #
- # Event: TOKEN_CERT_ENROLLMENT
--# - used for TPS when token certificate enrollment request is made
-+# Description: This event is used for TPS when token certificate enrollment request is made.
- # Applicable subsystems: TPS
- # Enabled by default: No
--# - Info is normally used to store more info in case of failure
-+# Fields:
-+# - SubjectID:
-+# - Outcome:
-+# - IP:
-+# - CUID:
-+# - tokenType:
-+# - KeyVersion:
-+# - Serial:
-+# - CA_ID:
-+# - Info: Info in case of failure.
- #
- LOGGING_SIGNED_AUDIT_TOKEN_CERT_ENROLLMENT_9=:[AuditEvent=TOKEN_CERT_ENROLLMENT][IP={0}][SubjectID={1}][CUID={2}][Outcome={3}][tokenType={4}][KeyVersion={5}][Serial={6}][CA_ID={7}][Info={8}] token certificate enrollment request made
- #
- # Event: TOKEN_CERT_RENEWAL
--# - used for TPS when token certificate renewal request is made
-+# Description: This event is used for TPS when token certificate renewal request is made.
- # Applicable subsystems: TPS
- # Enabled by default: No
--# - Info is normally used to store more info in case of failure
-+# Fields:
-+# - SubjectID:
-+# - Outcome:
-+# - IP:
-+# - CUID:
-+# - tokenType:
-+# - KeyVersion:
-+# - Serial:
-+# - CA_ID:
-+# - Info: Info in case of failure.
- #
- LOGGING_SIGNED_AUDIT_TOKEN_CERT_RENEWAL_9=:[AuditEvent=TOKEN_CERT_RENEWAL][IP={0}][SubjectID={1}][CUID={2}][Outcome={3}][tokenType={4}][KeyVersion={5}][Serial={6}][CA_ID={7}][Info={8}] token certificate renewal request made
- #
- # Event: TOKEN_CERT_RETRIEVAL
--# - used for TPS when token certificate retrieval request is made;
--# usually used during recovery, along with LOGGING_SIGNED_AUDIT_TOKEN_KEY_RECOVERY
-+# Description: This event is used for TPS when token certificate retrieval request is made;
-+# usually used during recovery, along with TOKEN_KEY_RECOVERY.
- # Applicable subsystems: TPS
- # Enabled by default: No
-+# Fields:
-+# - SubjectID:
-+# - Outcome:
-+# - IP:
-+# - CUID:
-+# - tokenType:
-+# - KeyVersion:
-+# - Serial:
-+# - CA_ID:
-+# - Info:
- #
- LOGGING_SIGNED_AUDIT_TOKEN_CERT_RETRIEVAL_9=:[AuditEvent=TOKEN_CERT_RETRIEVAL][IP={0}][SubjectID={1}][CUID={2}][Outcome={3}][tokenType={4}][KeyVersion={5}][Serial={6}][CA_ID={7}][Info={8}] token certificate retrieval request made
- #
--# Event: TOKEN_KEY_RECOVERY
--# - used for TPS when token certificate key recovery request is made
--# Applicable subsystems: TPS
--# Enabled by default: No
--#
--LOGGING_SIGNED_AUDIT_TOKEN_KEY_RECOVERY_10=:[AuditEvent=TOKEN_KEY_RECOVERY][IP={0}][SubjectID={1}][CUID={2}][Outcome={3}][tokenType={4}][KeyVersion={5}][Serial={6}][CA_ID={7}][KRA_ID={8}][Info={9}] token certificate/key recovery request made
--#
- # Event: TOKEN_CERT_STATUS_CHANGE_REQUEST
--# - used when a token certificate status change request (e.g. revocation) is made
-+# Description: This event is used when a token certificate status change request (e.g. revocation) is made.
- # Applicable subsystems: TPS
- # Enabled by default: No
--# CUID must be the last token that the certificate was associated with
--# CertSerialNum must be the serial number (in decimal) of the certificate to be revoked
--# RequestType must be "revoke", "on-hold", "off-hold"
-+# Fields:
-+# - SubjectID:
-+# - Outcome:
-+# - IP:
-+# - CUID: The last token that the certificate was associated with.
-+# - tokenType:
-+# - CertSerialNum: The serial number (in decimal) of the certificate to be revoked.
-+# - RequestType: "revoke", "on-hold", "off-hold".
-+# - RevokeReasonNum:
-+# - CA_ID:
-+# - Info:
- #
- LOGGING_SIGNED_AUDIT_TOKEN_CERT_STATUS_CHANGE_REQUEST_10=:[AuditEvent=TOKEN_CERT_STATUS_CHANGE_REQUEST][IP={0}][SubjectID={1}][CUID={2}][Outcome={3}][tokenType={4}][CertSerialNum={5}][RequestType={6}][RevokeReasonNum={7}][CA_ID={8}][Info={9}] token certificate revocation/unrevocation request made
- #
--# Event: TOKEN_PIN_RESET with [Outcome=Success]
--# - used when token pin reset request succeeded
--# Applicable subsystems: TPS
--# Enabled by default: No
--#
--LOGGING_SIGNED_AUDIT_TOKEN_PIN_RESET_SUCCESS=:[AuditEvent=TOKEN_PIN_RESET]{0} token op pin reset success
--#
--# Event: TOKEN_PIN_RESET with [Outcome=Failure]
--# - used when token pin reset request failed
--# Applicable subsystems: TPS
--# Enabled by default: No
--#
--LOGGING_SIGNED_AUDIT_TOKEN_PIN_RESET_FAILURE=:[AuditEvent=TOKEN_PIN_RESET]{0} token op pin reset failure
--#
--# Event: TOKEN_OP_REQUEST
--# - used when token processor op request is made
-+# Event: TOKEN_FORMAT with [Outcome=Failure]
-+# Description: This event is used when token format operation failed.
- # Applicable subsystems: TPS
- # Enabled by default: No
--# - OP can be "format", "enroll", or "pinReset"
-+# Fields:
-+# - SubjectID:
-+# - Outcome:
-+# - IP:
-+# - CUID:
-+# - MSN:
-+# - tokenType:
-+# - AppletVersion:
-+# - Info:
- #
--LOGGING_SIGNED_AUDIT_TOKEN_OP_REQUEST_6=:[AuditEvent=TOKEN_OP_REQUEST][IP={0}][CUID={1}][MSN={2}][Outcome={3}][OP={4}][AppletVersion={5}] token processor op request made
-+LOGGING_SIGNED_AUDIT_TOKEN_FORMAT_FAILURE=:[AuditEvent=TOKEN_FORMAT]{0} token op format failure
- #
- # Event: TOKEN_FORMAT with [Outcome=Success]
--# - used when token format op succeeded
-+# Description: This event is used when token format operation succeeded.
- # Applicable subsystems: TPS
- # Enabled by default: No
-+# Fields:
-+# - SubjectID:
-+# - Outcome:
-+# - IP:
-+# - CUID:
-+# - MSN:
-+# - tokenType:
-+# - AppletVersion:
-+# - KeyVersion:
- #
- LOGGING_SIGNED_AUDIT_TOKEN_FORMAT_SUCCESS=:[AuditEvent=TOKEN_FORMAT]{0} token op format success
- #
--# Event: TOKEN_FORMAT with [Outcome=Failure]
--# - used when token format op failed
--# Applicable subsystems: TPS
--# Enabled by default: No
--#
--LOGGING_SIGNED_AUDIT_TOKEN_FORMAT_FAILURE=:[AuditEvent=TOKEN_FORMAT]{0} token op format failure
--#
--# Event: TOKEN_APPLET_UPGRADE with [Outcome=Success]
--# - used when token apple upgrade succeeded
--# Applicable subsystems: TPS
--# Enabled by default: Yes
--#
--LOGGING_SIGNED_AUDIT_TOKEN_APPLET_UPGRADE_SUCCESS=:[AuditEvent=TOKEN_APPLET_UPGRADE]{0} token applet upgrade success
--#
--# Event: TOKEN_APPLET_UPGRADE with [Outcome=Failure]
--# - used when token apple upgrade failed
--# Applicable subsystems: TPS
--# Enabled by default: Yes
--#
--LOGGING_SIGNED_AUDIT_TOKEN_APPLET_UPGRADE_FAILURE=:[AuditEvent=TOKEN_APPLET_UPGRADE]{0} token applet upgrade failure
--#
--# Event: TOKEN_KEY_CHANGEOVER_REQUIRED
--# - used when token key changeover is required
--# Applicable subsystems: TPS
--# Enabled by default: Yes
--#
--LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_REQUIRED_10=:[AuditEvent=TOKEN_KEY_CHANGEOVER_REQUIRED][IP={0}][SubjectID={1}][CUID={2}][MSN={3}][Outcome={4}][tokenType={5}][AppletVersion={6}][oldKeyVersion={7}][newKeyVersion={8}][Info={9}] token key changeover required
--#
--# Event: TOKEN_KEY_CHANGEOVER with [Outcome=Success]
--# - used when token key changeover succeeded
--# Applicable subsystems: TPS
--# Enabled by default: Yes
--# - Info usually is unused for success
--#
--LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_SUCCESS=:[AuditEvent=TOKEN_KEY_CHANGEOVER]{0} token key changeover success
--#
--# Event: TOKEN_KEY_CHANGEOVER with [Outcome=Failure]
--# - used when token key changeover failed
--# Applicable subsystems: TPS
--# Enabled by default: Yes
--# - Info is used for storing more info in case of failure
--#
--LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_FAILURE=:[AuditEvent=TOKEN_KEY_CHANGEOVER]{0} token key changeover failure
--#
--# Event: TOKEN_AUTH with [Outcome=Failure]
--# - used when authentication failed
-+# Event: TOKEN_KEY_RECOVERY
-+# Description: This event is used for TPS when token certificate key recovery request is made.
- # Applicable subsystems: TPS
- # Enabled by default: No
--# Outcome should always be "failure" in this event
--# (obviously, if authentication failed, you won't have a valid SubjectID, so
--# in this case, AttemptedID is recorded)
--# AuthMgr must be the authentication manager instance name that did
--# this authentication
-+# Fields:
-+# - SubjectID:
-+# - Outcome:
-+# - IP:
-+# - CUID:
-+# - tokenType:
-+# - KeyVersion:
-+# - Serial:
-+# - CA_ID:
-+# - KRA_ID:
-+# - Info:
- #
--LOGGING_SIGNED_AUDIT_TOKEN_AUTH_FAILURE=:[AuditEvent=TOKEN_AUTH]{0} token authentication failure
-+LOGGING_SIGNED_AUDIT_TOKEN_KEY_RECOVERY_10=:[AuditEvent=TOKEN_KEY_RECOVERY][IP={0}][SubjectID={1}][CUID={2}][Outcome={3}][tokenType={4}][KeyVersion={5}][Serial={6}][CA_ID={7}][KRA_ID={8}][Info={9}] token certificate/key recovery request made
- #
--# Event: TOKEN_AUTH with [Outcome=Success]
--# - used when authentication succeeded
-+# Event: TOKEN_OP_REQUEST
-+# Description: This event is used when token processor operation request is made.
- # Applicable subsystems: TPS - # Enabled by default: No --# Outcome should always be "success" in this event --# AuthMgr must be the authentication manager instance name that did --# this authentication -+# Fields: -+# - IP: -+# - CUID: -+# - MSN: -+# - Outcome: -+# - OP: "format", "enroll", or "pinReset" -+# - AppletVersion: - # --LOGGING_SIGNED_AUDIT_TOKEN_AUTH_SUCCESS=:[AuditEvent=TOKEN_AUTH]{0} token authentication success -+LOGGING_SIGNED_AUDIT_TOKEN_OP_REQUEST_6=:[AuditEvent=TOKEN_OP_REQUEST][IP={0}][CUID={1}][MSN={2}][Outcome={3}][OP={4}][AppletVersion={5}] token processor op request made - # --# Event: CONFIG_TOKEN_GENERAL --# - used when doing general TPS configuration -+# Event: TOKEN_PIN_RESET with [Outcome=Failure] -+# Description: This event is used when token pin reset request failed. - # Applicable subsystems: TPS - # Enabled by default: No --# ParamNameValPairs must be a name;;value pair --# (where name and value are separated by the delimiter ;;) --# separated by + (if more than one name;;value pair) of config params changed --# --- secret component (password) MUST NOT be logged --- --# - info in general is used for caturing error info for failed cases -+# Fields: -+# - IP: -+# - SubjectID: -+# - CUID: -+# - Outcome: -+# - tokenType: -+# - AppletVersion: -+# - Info: - # --LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_GENERAL_5=:[AuditEvent=CONFIG_TOKEN_GENERAL][SubjectID={0}][Outcome={1}][Service={2}][ParamNameValPairs={3}][Info={4}] TPS token configuration parameter(s) change -+LOGGING_SIGNED_AUDIT_TOKEN_PIN_RESET_FAILURE=:[AuditEvent=TOKEN_PIN_RESET]{0} token op pin reset failure - # --# Event: CONFIG_TOKEN_PROFILE --# - used when configuring token profile -+# Event: TOKEN_PIN_RESET with [Outcome=Success] -+# Description: This event is used when token pin reset request succeeded. 
- # Applicable subsystems: TPS - # Enabled by default: No --# Service can be any of the methods offered --# ParamNameValPairs must be a name;;value pair --# (where name and value are separated by the delimiter ;;) --# separated by + (if more than one name;;value pair) of config params changed --# --- secret component (password) MUST NOT be logged --- --# - info in general is used for caturing error info for failed cases --# --LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_PROFILE_6=:[AuditEvent=CONFIG_TOKEN_PROFILE][SubjectID={0}][Outcome={1}][Service={2}][ProfileID={3}][ParamNameValPairs={4}][Info={5}] token profile configuration parameter(s) change --# --# Event: CONFIG_TOKEN_MAPPING_RESOLVER --# - used when configuring token mapping resolver --# Applicable subsystems: TPS --# Enabled by default: Yes --# ParamNameValPairs must be a name;;value pair --# (where name and value are separated by the delimiter ;;) --# separated by + (if more than one name;;value pair) of config params changed --# --- secret component (password) MUST NOT be logged --- --# - info in general is used for caturing error info for failed cases --# --LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_MAPPING_RESOLVER_6=:[AuditEvent=CONFIG_TOKEN_MAPPING_RESOLVER][SubjectID={0}][Outcome={1}][Service={2}][MappingResolverID={3}][ParamNameValPairs={4}][Info={5}] token mapping resolver configuration parameter(s) change --# --# Event: CONFIG_TOKEN_AUTHENTICATOR --# - used when configuring token authenticators --# Applicable subsystems: TPS --# Enabled by default: Yes --# Service can be any of the methods offered --# ParamNameValPairs must be a name;;value pair --# (where name and value are separated by the delimiter ;;) --# separated by + (if more than one name;;value pair) of config params changed --# --- secret component (password) MUST NOT be logged --- --# - info in general is used for caturing error info for failed cases --# 
--LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_AUTHENTICATOR_6=:[AuditEvent=CONFIG_TOKEN_AUTHENTICATOR][SubjectID={0}][Outcome={1}][OP={2}][Authenticator={3}][ParamNameValPairs={4}][Info={5}] token authenticator configuration parameter(s) change --# --# Event: CONFIG_TOKEN_CONNECTOR --# - used when configuring token connectors --# Applicable subsystems: TPS --# Enabled by default: Yes --# Service can be any of the methods offered --# ParamNameValPairs must be a name;;value pair --# (where name and value are separated by the delimiter ;;) --# separated by + (if more than one name;;value pair) of config params changed --# --- secret component (password) MUST NOT be logged --- --# - info in general is used for caturing error info for failed cases --# --LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_CONNECTOR_6=:[AuditEvent=CONFIG_TOKEN_CONNECTOR][SubjectID={0}][Outcome={1}][Service={2}][Connector={3}][ParamNameValPairs={4}][Info={5}] token connector configuration parameter(s) change --# --# Event: CONFIG_TOKEN_RECORD --# - used when information in token record changed --# Applicable subsystems: TPS --# Enabled by default: Yes --# ParamNameValPairs must be a name;;value pair --# (where name and value are separated by the delimiter ;;) --# separated by + (if more than one name;;value pair) of config params changed --# --- secret component (password) MUST NOT be logged --- --# - info in general is used for caturing error info for failed cases -+# Fields: -+# - IP: -+# - SubjectID: -+# - CUID: -+# - Outcome: -+# - tokenType: -+# - AppletVersion: -+# - KeyVersion: - # --LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_RECORD_6=:[AuditEvent=CONFIG_TOKEN_RECORD][SubjectID={0}][Outcome={1}][OP={2}][TokenID={3}][ParamNameValPairs={4}][Info={5}] token record configuration parameter(s) change -+LOGGING_SIGNED_AUDIT_TOKEN_PIN_RESET_SUCCESS=:[AuditEvent=TOKEN_PIN_RESET]{0} token op pin reset success - # - # Event: TOKEN_STATE_CHANGE --# - used when token state changed -+# Description: This event is used when token 
state changed. - # Applicable subsystems: TPS - # Enabled by default: No --# ParamNameValPairs must be a name;;value pair --# (where name and value are separated by the delimiter ;;) --# separated by + (if more than one name;;value pair) of config params changed --# --- secret component (password) MUST NOT be logged --- --# - info in general is used for caturing error info for failed cases -+# Fields: -+# - SubjectID: -+# - Outcome: -+# - oldState: -+# - oldReason: -+# - newState: -+# - newReason: -+# - ParamNameValPairs: A name-value pair -+# (where name and value are separated by the delimiter ;;) -+# separated by + (if more than one name-value pair) of config params changed. -+# --- secret component (password) MUST NOT be logged --- -+# - Info: Error info for failed cases. - # - LOGGING_SIGNED_AUDIT_TOKEN_STATE_CHANGE_8=:[AuditEvent=TOKEN_STATE_CHANGE][SubjectID={0}][Outcome={1}][oldState={2}][oldReason={3}][newState={4}][newReason={5}][ParamNameValPairs={6}][Info={7}] token state changed --# --# Event: AUTHORITY_CONFIG --# - used when configuring lightweight authorities --# Applicable subsystems: CA --# Enabled by default: Yes --# ParamNameValPairs must be a name;;value pair --# (where name and value are separated by the delimiter ;;) --# separated by + (if more than one name;;value pair) of config params changed --# --LOGGING_SIGNED_AUDIT_AUTHORITY_CONFIG_3=:[AuditEvent=AUTHORITY_CONFIG][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] lightweight authority configuration change --# --# Event: ACCESS_SESSION_ESTABLISH with [Outcome=Failure] --# - used when access session failed to establish --# Applicable subsystems: CA, KRA, OCSP, TKS, TPS --# Enabled by default: Yes --# ParamNameValPairs must be a name;;value pair --# (where name and value are separated by the delimiter ;;) --# separated by + (if more than one name;;value pair) of config params changed --# --LOGGING_SIGNED_AUDIT_ACCESS_SESSION_ESTABLISH_FAILURE=\ --:[AuditEvent=ACCESS_SESSION_ESTABLISH]{0} 
access session establish failure --# --# Event: ACCESS_SESSION_ESTABLISH with [Outcome=Success] --# - used when access session was established successfully --# Applicable subsystems: CA, KRA, OCSP, TKS, TPS --# Enabled by default: Yes --# ParamNameValPairs must be a name;;value pair --# (where name and value are separated by the delimiter ;;) --# separated by + (if more than one name;;value pair) of config params changed --# --LOGGING_SIGNED_AUDIT_ACCESS_SESSION_ESTABLISH_SUCCESS=\ --:[AuditEvent=ACCESS_SESSION_ESTABLISH]{0} access session establish success --# --# Event: ACCESS_SESSION_TERMINATED --# - used when access session was terminated --# Applicable subsystems: CA, KRA, OCSP, TKS, TPS --# Enabled by default: Yes --# ParamNameValPairs must be a name;;value pair --# (where name and value are separated by the delimiter ;;) --# separated by + (if more than one name;;value pair) of config params changed --# --LOGGING_SIGNED_AUDIT_ACCESS_SESSION_TERMINATED=\ --:[AuditEvent=ACCESS_SESSION_TERMINATED]{0} access session terminated --# --# Event: CLIENT_ACCESS_SESSION_ESTABLISH with [Outcome=Failure] --# access session failed to establish when Certificate System acts as client --# Applicable subsystems: CA, KRA, OCSP, TKS, TPS --# Enabled by default: Yes --# --LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_ESTABLISH_FAILURE=\ --:[AuditEvent=CLIENT_ACCESS_SESSION_ESTABLISH]{0} access session failed to establish when Certificate System acts as client --# --# Event: CLIENT_ACCESS_SESSION_ESTABLISH with [Outcome=Success] --# - used when access session was established successfully when --# Certificate System acts as client --# Applicable subsystems: CA, KRA, OCSP, TKS, TPS --# Enabled by default: Yes --# --LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_ESTABLISH_SUCCESS=\ --:[AuditEvent=CLIENT_ACCESS_SESSION_ESTABLISH]{0} access session establish successfully when Certificate System acts as client --# --# Event: CLIENT_ACCESS_SESSION_TERMINATED --# - used when access session was 
terminated when Certificate System acts as client --# Applicable subsystems: CA, KRA, OCSP, TKS, TPS --# Enabled by default: Yes --# --LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_TERMINATED=\ --:[AuditEvent=CLIENT_ACCESS_SESSION_TERMINATED]{0} access session terminated when Certificate System acts as client --# --######################################################################### --# Unselectable Signed Audit Events --# --# Event: AUDIT_LOG_SIGNING --# - used when a signature on the audit log is generated (same as "flush" time) --# Applicable subsystems: CA, KRA, OCSP, TKS, TPS --# Enabled by default: Yes --# SubjectID is predefined to be "$System$" because this operation --# associates with no user --# sig must be the base-64 encoded signature of the buffer just flushed --# --LOGGING_SIGNED_AUDIT_AUDIT_LOG_SIGNING_3=[AuditEvent=AUDIT_LOG_SIGNING][SubjectID={0}][Outcome={1}] signature of audit buffer just flushed: sig: {2} -diff --git a/base/tks/shared/conf/CS.cfg b/base/tks/shared/conf/CS.cfg -index 2face58..9227c27 100644 ---- a/base/tks/shared/conf/CS.cfg -+++ b/base/tks/shared/conf/CS.cfg -@@ -214,7 +214,7 @@ log.instance.SignedAudit._007=## $ pki-server tks-audit-event-enable/disable -Date: Thu, 12 Jul 2018 10:24:33 -0700 -Subject: [PATCH 1/2] Bugzilla 1548203 LDAP password from console update in - audit - -This patch replace ldap passwords with "(sensitive)" in audit log. 
-
-fixes https://bugzilla.redhat.com/show_bug.cgi?id=1548203
-
-Change-Id: I6271ec1da4164f731dd3a61534b0e511097a845a
-(cherry picked from commit cf9c23a842000755d872202777b0a280bda7f1a1)
----
- .../server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java
-index 769e8e4..2b8cec7 100644
---- a/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java
-+++ b/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java
-@@ -991,7 +991,11 @@ public class AdminServlet extends HttpServlet {
- if (name.equals(Constants.OP_TYPE)) continue;
- if (name.equals(Constants.RS_ID)) continue;
- 
-- String value = req.getParameter(name);
-+ String value = null;
-+ if (name.equalsIgnoreCase("PASSWORD_CACHE_ADD"))
-+ value = "(sensitive)";
-+ else
-+ value = req.getParameter(name);
- params.put(name, value);
- }
- 
--- 
-1.8.3.1
-
-
-From 46e808e86bb393848cca6434cc06c79a14611fa9 Mon Sep 17 00:00:00 2001
-From: Jack Magne
-Date: Mon, 15 Jan 2018 13:59:33 -0800
-Subject: [PATCH 2/2] Test fix for TPS server side key gen for only identity
- cert problem.
-
-Change-Id: I15fc1b8a3fa92568aca853f0e89b9e87bbad463d
-(cherry picked from commit c87d7820f7b1af97134197a23543e9fc4be1aa39)
-(cherry picked from commit c1314749b7b3a2a6647aadd6945186833e539da8)
----
- .../server/tps/cms/TKSRemoteRequestHandler.java | 26 +++++++++++++++++-----
- 1 file changed, 21 insertions(+), 5 deletions(-)
-
-diff --git a/base/tps/src/org/dogtagpki/server/tps/cms/TKSRemoteRequestHandler.java b/base/tps/src/org/dogtagpki/server/tps/cms/TKSRemoteRequestHandler.java
-index 65d0ed0..8155f90 100644
---- a/base/tps/src/org/dogtagpki/server/tps/cms/TKSRemoteRequestHandler.java
-+++ b/base/tps/src/org/dogtagpki/server/tps/cms/TKSRemoteRequestHandler.java
-@@ -103,7 +103,8 @@ public class TKSRemoteRequestHandler extends RemoteRequestHandler
- String tokenType)
- throws EBaseException {
- 
-- CMS.debug("TKSRemoteRequestHandler: computeSessionKey(): begins.");
-+ String method = "TKSRemoteRequestHandler: computeSessionKey(): ";
-+ CMS.debug(method + " begins.");
- if (cuid == null || kdd == null || keyInfo == null || card_challenge == null
- || card_cryptogram == null || host_challenge == null) {
- throw new EBaseException("TKSRemoteRequestHandler: computeSessionKey(): input parameter null.");
-@@ -111,10 +112,25 @@ public class TKSRemoteRequestHandler extends RemoteRequestHandler
- 
- IConfigStore conf = CMS.getConfigStore();
- 
-- boolean serverKeygen =
-- conf.getBoolean("op.enroll." +
-- tokenType + ".keyGen.encryption.serverKeygen.enable",
-- false);
-+ boolean serverKeygen = false;
-+
-+ //Try out all the currently supported cert types to see if we are doing server side keygen here
-+ String[] keygenStrings = { "identity", "signing", "encryption", "authentication", "auth"};
-+ for (String keygenString : keygenStrings) {
-+ boolean enabled = conf.getBoolean("op.enroll." +
-+ tokenType + ".keyGen." +
-+ keygenString + ".serverKeygen.enable", false);
-+
-+ CMS.debug(method + " serverkegGen enabled for " + keygenString + " : " + enabled);
-+ if (enabled) {
-+ serverKeygen = true;
-+ break;
-+ }
-+ }
-+
-+
-+
-+
- if (keySet == null)
- keySet = conf.getString("tps.connector." + connid + ".keySet", "defKeySet");
- 
--- 
-1.8.3.1
-
diff --git a/SOURCES/pki-core-10.5.9-snapshot-1.patch b/SOURCES/pki-core-10.5.9-snapshot-1.patch
deleted file mode 100644
index a9b1a3f..0000000
--- a/SOURCES/pki-core-10.5.9-snapshot-1.patch
+++ /dev/null
@@ -1,1010 +0,0 @@
-From 8b462b3a7e8ded71bc5aaf7d6a8b23fdce2d7ece Mon Sep 17 00:00:00 2001
-From: Christina Fu
-Date: Mon, 30 Jul 2018 17:15:09 -0700
-Subject: [PATCH 1/5] Bug 1601071 Certificate generation happens with partial
- attributes in CMCRequest file
-
-This patch addresses the issue where when a cmcSelfSisnged profile is used
-in a cmcUserSigned case, the certificate is issued.
-A new authToken variable TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT has
-been introduced for shared token case so that the TOKEN_AUTHENTICATED_CERT_SUBJECT can be used for user-signed case.
-A new constraint CMCSelfSignedSubjectNameConstraint has been introduced
-to verify.
-In additional, all profiles that authenticate through CMCUserSignedAuth are
-turned off by default to allow site administrators to make conscious decision
-on their own for these features.
-Also, audit event CERT_STATUS_CHANGE_REQUEST_PROCESSED is now enabled by default.
-
-Change-Id: I275118d31b966494411888beb37032bb022c29ce
-(cherry picked from commit 50b881b7ec1d4856d4bfcc182a22bf1c131cd536)
----
- base/ca/shared/conf/CS.cfg | 2 +-
- base/ca/shared/conf/registry.cfg | 9 +-
- .../profiles/ca/caECFullCMCSelfSignedCert.cfg | 8 +-
- .../profiles/ca/caECFullCMCUserSignedCert.cfg | 2 +-
- .../shared/profiles/ca/caFullCMCSelfSignedCert.cfg | 8 +-
- .../shared/profiles/ca/caFullCMCUserSignedCert.cfg | 2 +-
- .../certsrv/authentication/IAuthToken.java | 7 +-
- .../com/netscape/cms/authentication/CMCAuth.java | 5 +-
- .../cms/authentication/CMCUserSignedAuth.java | 16 ++-
- .../netscape/cms/authentication/SharedSecret.java | 4 +-
- .../netscape/cms/profile/common/EnrollProfile.java | 18 +++
- .../CMCSelfSignedSubjectNameConstraint.java | 129 +++++++++++++++++++++
- .../profile/def/AuthTokenSubjectNameDefault.java | 2 +-
- .../servlet/profile/ProfileSubmitCMCServlet.java | 29 ++++-
- base/server/cmsbundle/src/UserMessages.properties | 3 +-
- 15 files changed, 216 insertions(+), 28 deletions(-)
- create mode 100644 base/server/cms/src/com/netscape/cms/profile/constraint/CMCSelfSignedSubjectNameConstraint.java
-
-diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg
-index 1d65835..fcd85a2 100644
---- a/base/ca/shared/conf/CS.cfg
-+++ b/base/ca/shared/conf/CS.cfg
-@@ -909,7 +909,7 @@ log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUM
- log.instance.SignedAudit._006=##
- log.instance.SignedAudit.bufferSize=512
- log.instance.SignedAudit.enable=true
--log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CERT_REQUEST_PROCESSED,CERT_SIGNING_INFO,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,CMC_REQUEST_RECEIVED,CMC_RESPONSE_SENT,CONFIG_AUTH,CONFIG_CERT_PROFILE,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,CRL_SIGNING_INFO,DELTA_CRL_GENERATION,FULL_CRL_GENERATION,LOG_PATH_CHANGE,OCSP_GENERATION,OCSP_SIGNING_INFO,PROFILE_CERT_REQUEST,PROOF_OF_POSSESSION,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION
-+log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CERT_REQUEST_PROCESSED,CERT_SIGNING_INFO,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,CMC_REQUEST_RECEIVED,CMC_RESPONSE_SENT,CONFIG_AUTH,CONFIG_CERT_PROFILE,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,CRL_SIGNING_INFO,DELTA_CRL_GENERATION,FULL_CRL_GENERATION,LOG_PATH_CHANGE,OCSP_GENERATION,OCSP_SIGNING_INFO,PROFILE_CERT_REQUEST,PROOF_OF_POSSESSION,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,CERT_STATUS_CHANGE_REQUEST_PROCESSED
- log.instance.SignedAudit.filters.CMC_SIGNED_REQUEST_SIG_VERIFY=(Outcome=Failure)
- log.instance.SignedAudit.filters.CMC_USER_SIGNED_REQUEST_SIG_VERIFY=(Outcome=Failure)
- log.instance.SignedAudit.filters.DELTA_CRL_GENERATION=(Outcome=Failure)
-diff --git a/base/ca/shared/conf/registry.cfg b/base/ca/shared/conf/registry.cfg
-index 54e4d95..4fe6e93 100644
---- a/base/ca/shared/conf/registry.cfg
-+++ b/base/ca/shared/conf/registry.cfg
-@@ -1,5 +1,5 @@
- types=profile,defaultPolicy,constraintPolicy,profileInput,profileOutput,profileUpdater
--constraintPolicy.ids=noConstraintImpl,subjectNameConstraintImpl,uniqueSubjectNameConstraintImpl,userSubjectNameConstraintImpl,cmcUserSignedSubjectNameConstraintImpl,caValidityConstraintImpl,validityConstraintImpl,keyUsageExtConstraintImpl,nsCertTypeExtConstraintImpl,extendedKeyUsageExtConstraintImpl,keyConstraintImpl,basicConstraintsExtConstraintImpl,extensionConstraintImpl,signingAlgConstraintImpl,uniqueKeyConstraintImpl,renewGracePeriodConstraintImpl,authzRealmConstraintImpl,externalProcessConstraintImpl
-+constraintPolicy.ids=noConstraintImpl,subjectNameConstraintImpl,uniqueSubjectNameConstraintImpl,userSubjectNameConstraintImpl,cmcSelfSignedSubjectNameConstraintImpl,cmcUserSignedSubjectNameConstraintImpl,caValidityConstraintImpl,validityConstraintImpl,keyUsageExtConstraintImpl,nsCertTypeExtConstraintImpl,extendedKeyUsageExtConstraintImpl,keyConstraintImpl,basicConstraintsExtConstraintImpl,extensionConstraintImpl,signingAlgConstraintImpl,uniqueKeyConstraintImpl,renewGracePeriodConstraintImpl,authzRealmConstraintImpl,externalProcessConstraintImpl
- constraintPolicy.signingAlgConstraintImpl.class=com.netscape.cms.profile.constraint.SigningAlgConstraint
- constraintPolicy.signingAlgConstraintImpl.desc=Signing Algorithm Constraint
- constraintPolicy.signingAlgConstraintImpl.name=Signing Algorithm Constraint
-@@ -36,9 +36,12 @@ constraintPolicy.uniqueSubjectNameConstraintImpl.name=Unique Subject Name Constr
- constraintPolicy.userSubjectNameConstraintImpl.class=com.netscape.cms.profile.constraint.UserSubjectNameConstraint
- constraintPolicy.userSubjectNameConstraintImpl.desc=User Subject Name Constraint
- constraintPolicy.userSubjectNameConstraintImpl.name=User Subject Name Constraint
-+constraintPolicy.cmcSelfSignedSubjectNameConstraintImpl.class=com.netscape.cms.profile.constraint.CMCSelfSignedSubjectNameConstraint
-+constraintPolicy.cmcSelfSignedSubjectNameConstraintImpl.desc=CMC Self-Signed request User Subject Name Constraint
-+constraintPolicy.cmcSelfSignedSubjectNameConstraintImpl.name=CMC Self-Signed request User Subject Name Constraint
- constraintPolicy.cmcUserSignedSubjectNameConstraintImpl.class=com.netscape.cms.profile.constraint.CMCUserSignedSubjectNameConstraint
--constraintPolicy.cmcUserSignedSubjectNameConstraintImpl.desc=CMC User Subject Name Constraint
--constraintPolicy.cmcUserSignedSubjectNameConstraintImpl.name=CMC User Subject Name Constraint
-+constraintPolicy.cmcUserSignedSubjectNameConstraintImpl.desc=CMC User-Signed request User Subject Name Constraint
-+constraintPolicy.cmcUserSignedSubjectNameConstraintImpl.name=CMC User-Signed request User Subject Name Constraint
- constraintPolicy.validityConstraintImpl.class=com.netscape.cms.profile.constraint.ValidityConstraint
- constraintPolicy.validityConstraintImpl.desc=Validity Constraint
- constraintPolicy.validityConstraintImpl.name=Validity Constraint
-diff --git a/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg b/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg
-index 144c05c..48e6499 100644
---- a/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg
-+++ b/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg
-@@ -1,5 +1,5 @@
- desc=This certificate profile is for enrolling user certificates with ECC keys by using the self-signed CMC certificate request
--enable=true
-+enable=false
- enableBy=admin
- name=Self-Signed CMC User Certificate Enrollment
- visible=false
-@@ -10,10 +10,8 @@ output.list=o1
- output.o1.class_id=certOutputImpl
- policyset.list=cmcUserCertSet
- policyset.cmcUserCertSet.list=1,2,3,4,5,6,7,8
--policyset.cmcUserCertSet.1.constraint.class_id=subjectNameConstraintImpl
--policyset.cmcUserCertSet.1.constraint.name=Subject Name Constraint
--policyset.cmcUserCertSet.1.constraint.params.accept=true
--policyset.cmcUserCertSet.1.constraint.params.pattern=(UID|CN)=.*
-+policyset.cmcUserCertSet.1.constraint.class_id=cmcSelfSignedSubjectNameConstraintImpl
-+policyset.cmcUserCertSet.1.constraint.name=CMC User-Signed Subject Name Constraint
- policyset.cmcUserCertSet.1.default.class_id=authTokenSubjectNameDefaultImpl
- policyset.cmcUserCertSet.1.default.name=Subject Name Default
- policyset.cmcUserCertSet.1.default.params.name=
-diff --git a/base/ca/shared/profiles/ca/caECFullCMCUserSignedCert.cfg b/base/ca/shared/profiles/ca/caECFullCMCUserSignedCert.cfg
-index d2286de..e7b60ee 100644
---- a/base/ca/shared/profiles/ca/caECFullCMCUserSignedCert.cfg
-+++ b/base/ca/shared/profiles/ca/caECFullCMCUserSignedCert.cfg
-@@ -1,5 +1,5 @@
- desc=This certificate profile is for enrolling user certificates with EC keys by using the CMC certificate request with non-agent user CMC authentication.
--enable=true
-+enable=false
- enableBy=admin
- name=User-Signed CMC-Authenticated User Certificate Enrollment
- visible=false
-diff --git a/base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg b/base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg
-index bdcdc24..538b16a 100644
---- a/base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg
-+++ b/base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg
-@@ -1,5 +1,5 @@
- desc=This certificate profile is for enrolling user certificates by using the self-signed CMC certificate request
--enable=true
-+enable=false
- enableBy=admin
- name=Self-Signed CMC User Certificate Enrollment
- visible=false
-@@ -10,10 +10,8 @@ output.list=o1
- output.o1.class_id=certOutputImpl
- policyset.list=cmcUserCertSet
- policyset.cmcUserCertSet.list=1,2,3,4,5,6,7,8
--policyset.cmcUserCertSet.1.constraint.class_id=subjectNameConstraintImpl
--policyset.cmcUserCertSet.1.constraint.name=Subject Name Constraint
--policyset.cmcUserCertSet.1.constraint.params.pattern=(UID|CN)=.*
--policyset.cmcUserCertSet.1.constraint.params.accept=true
-+policyset.cmcUserCertSet.1.constraint.class_id=cmcSelfSignedSubjectNameConstraintImpl
-+policyset.cmcUserCertSet.1.constraint.name=CMC Self-Signed Subject Name Constraint
- policyset.cmcUserCertSet.1.default.class_id=authTokenSubjectNameDefaultImpl
- policyset.cmcUserCertSet.1.default.name=Subject Name Default
- policyset.cmcUserCertSet.1.default.params.name=
-diff --git a/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg b/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg
-index 9b5d3e9..b0ff8af 100644
---- a/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg
-+++ b/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg
-@@ -1,5 +1,5 @@
- desc=This certificate profile is for enrolling user certificates by using the CMC certificate request with non-agent user CMC authentication.
--enable=true
-+enable=false
- enableBy=admin
- name=User-Signed CMC-Authenticated User Certificate Enrollment
- visible=false
-diff --git a/base/common/src/com/netscape/certsrv/authentication/IAuthToken.java b/base/common/src/com/netscape/certsrv/authentication/IAuthToken.java
-index 59c6af2..d5d03b4 100644
---- a/base/common/src/com/netscape/certsrv/authentication/IAuthToken.java
-+++ b/base/common/src/com/netscape/certsrv/authentication/IAuthToken.java
-@@ -44,9 +44,14 @@ public interface IAuthToken {
- public static final String GROUP = "group";
- public static final String GROUPS = "groups";
- 
-- /* Subject name of the certificate in the authenticating entry */
-+ /* Subject name of the certificate request in the authenticating entry */
- public static final String TOKEN_CERT_SUBJECT = "tokenCertSubject";
- 
-+ /* Subject name of the authenticated cert */
-+ public static final String TOKEN_AUTHENTICATED_CERT_SUBJECT = "tokenAuthenticatedCertSubject";
-+ /* Subject DN of the Shared Token authenticated entry */
-+ public static final String TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT = "tokenSharedTokenAuthenticatedCertSubject";
-+
- /* NotBefore value of the certificate in the authenticating entry */
- public static final String TOKEN_CERT_NOTBEFORE = "tokenCertNotBefore";
- 
-diff --git a/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java b/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java
-index 86ffa2f..9b6a819 100644
---- a/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java
-+++ b/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java
-@@ -959,8 +959,9 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
- 
- IAuthToken tempToken = agentAuth.authenticate(agentCred);
- netscape.security.x509.X500Name tempPrincipal = (X500Name) x509Certs[0].getSubjectDN();
-- String ID = tempPrincipal.toString();
-+ String ID = tempPrincipal.getName();
- CMS.debug(method + " Principal name = " + ID);
-+ authToken.set(IAuthToken.TOKEN_AUTHENTICATED_CERT_SUBJECT, ID);
- 
- BigInteger agentCertSerial = x509Certs[0].getSerialNumber();
- authToken.set(IAuthManager.CRED_SSL_CLIENT_CERT, agentCertSerial.toString());
-@@ -1047,7 +1048,7 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
- public void populate(IAuthToken token, IRequest request)
- throws EProfileException {
- request.setExtData(IProfileAuthenticator.AUTHENTICATED_NAME,
-- token.getInString(AuthToken.TOKEN_CERT_SUBJECT));
-+ token.getInString(IAuthToken.TOKEN_AUTHENTICATED_CERT_SUBJECT));
- }
- 
- public boolean isSSLClientRequired() {
-diff --git a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java
-index d5f6c34..a9a7ade 100644
---- a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java
-+++ b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java
-@@ -674,7 +674,6 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
- if (requestCertSubject.equals("")) {
- requestCertSubject = ILogger.SIGNED_AUDIT_EMPTY_VALUE;
- }
--
- authToken.set(AuthToken.TOKEN_CERT_SUBJECT, ss);
- auditContext.put(SessionContext.CMC_REQUEST_CERT_SUBJECT, requestCertSubject);
- //authToken.set("uid", uid);
-@@ -1160,8 +1159,9 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
- 
- IAuthToken tempToken = new AuthToken(null);
- netscape.security.x509.X500Name tempPrincipal = (X500Name) x509Certs[0].getSubjectDN();
-- String ID = tempPrincipal.toString(); //tempToken.get("userid");
-+ String ID = tempPrincipal.getName(); //tempToken.get("userid");
- CMS.debug(method + " Principal name = " + ID);
-+ authToken.set(IAuthToken.TOKEN_AUTHENTICATED_CERT_SUBJECT, ID);
- 
- BigInteger certSerial = x509Certs[0].getSerialNumber();
- CMS.debug(method + " verified cert serial=" + certSerial.toString());
-@@ -1276,8 +1276,16 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
- 
- public void populate(IAuthToken token, IRequest request)
- throws EProfileException {
-- request.setExtData(IProfileAuthenticator.AUTHENTICATED_NAME,
-- token.getInString(AuthToken.TOKEN_CERT_SUBJECT));
-+ String method = "CMCUserSignedAuth: populate: ";
-+ String authenticatedDN = token.getInString(IAuthToken.TOKEN_AUTHENTICATED_CERT_SUBJECT);
-+ if (authenticatedDN != null) {
-+ request.setExtData(IProfileAuthenticator.AUTHENTICATED_NAME,
-+ authenticatedDN);
-+ CMS.debug(method + "IAuthToken.TOKEN_AUTHENTICATED_CERT_SUBJECT is: "+
-+ authenticatedDN);
-+ } else {
-+ CMS.debug(method + "AuthToken.TOKEN_AUTHENTICATED_CERT_SUBJECT is null; self-signed?");
-+ }
- }
- 
- public boolean isSSLClientRequired() {
-diff --git a/base/server/cms/src/com/netscape/cms/authentication/SharedSecret.java b/base/server/cms/src/com/netscape/cms/authentication/SharedSecret.java
-index 5ebc213..2d8679c 100644
---- a/base/server/cms/src/com/netscape/cms/authentication/SharedSecret.java
-+++ b/base/server/cms/src/com/netscape/cms/authentication/SharedSecret.java
-@@ -30,9 +30,9 @@ import org.mozilla.jss.crypto.SymmetricKey;
- import org.mozilla.jss.pkix.cmc.PKIData;
- 
- import com.netscape.certsrv.apps.CMS;
--import com.netscape.certsrv.authentication.AuthToken;
- import com.netscape.certsrv.authentication.EInvalidCredentials;
- import com.netscape.certsrv.authentication.IAuthCredentials;
-+import com.netscape.certsrv.authentication.AuthToken;
- import com.netscape.certsrv.authentication.IAuthToken;
- import com.netscape.certsrv.authentication.ISharedToken;
- import com.netscape.certsrv.base.EBaseException;
-@@ -296,7 +296,7 @@ public class SharedSecret extends DirBasedAuthentication
- }
- 
- CMS.debug(method + "found user ldap entry: userdn = " + userdn);
-- authToken.set(AuthToken.TOKEN_CERT_SUBJECT, userdn);
-+ authToken.set(IAuthToken.TOKEN_CERT_SUBJECT, userdn);
- 
- res = shrTokLdapConnection.search(userdn, LDAPv2.SCOPE_BASE,
- "(objectclass=*)", new String[] { mShrTokAttr }, false);
-diff --git a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
-index 929e629..f9903c6 100644
---- a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
-+++ b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
-@@ -209,6 +209,14 @@ public abstract class EnrollProfile extends BasicProfile
- 
- // catch for invalid request
- cmc_msgs = parseCMC(locale, cert_request, donePOI);
-+ SessionContext sessionContext = SessionContext.getContext();
-+ String authenticatedSubject =
-+ (String) sessionContext.get(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT);
-+
-+ if (authenticatedSubject != null) {
-+ ctx.set(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT, authenticatedSubject);
-+ }
-+
- if (cmc_msgs == null) {
- CMS.debug(method + "parseCMC returns cmc_msgs null");
- return null;
-@@ -1795,6 +1803,16 @@ public abstract class
EnrollProfile extends BasicProfile - auditSubjectID = ident_string; - sessionContext.put(SessionContext.USER_ID, auditSubjectID); - -+ // subjectdn from SharedSecret ldap auth -+ // set in context and authToken to be used by profile -+ // default and constraints plugins -+ authToken.set(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT, -+ authToken.getInString(IAuthToken.TOKEN_CERT_SUBJECT)); -+ authToken.set(IAuthToken.TOKEN_AUTHENTICATED_CERT_SUBJECT, -+ authToken.getInString(IAuthToken.TOKEN_CERT_SUBJECT)); -+ sessionContext.put(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT, -+ authToken.getInString(IAuthToken.TOKEN_CERT_SUBJECT)); -+ - auditMessage = CMS.getLogMessage( - AuditEvent.CMC_PROOF_OF_IDENTIFICATION, - auditSubjectID, -diff --git a/base/server/cms/src/com/netscape/cms/profile/constraint/CMCSelfSignedSubjectNameConstraint.java b/base/server/cms/src/com/netscape/cms/profile/constraint/CMCSelfSignedSubjectNameConstraint.java -new file mode 100644 -index 0000000..d4554ca ---- /dev/null -+++ b/base/server/cms/src/com/netscape/cms/profile/constraint/CMCSelfSignedSubjectNameConstraint.java -@@ -0,0 +1,129 @@ -+// --- BEGIN COPYRIGHT BLOCK --- -+// This program is free software; you can redistribute it and/or modify -+// it under the terms of the GNU General Public License as published by -+// the Free Software Foundation; version 2 of the License. -+// -+// This program is distributed in the hope that it will be useful, -+// but WITHOUT ANY WARRANTY; without even the implied warranty of -+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+// GNU General Public License for more details. -+// -+// You should have received a copy of the GNU General Public License along -+// with this program; if not, write to the Free Software Foundation, Inc., -+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -+// -+// (C) 2013 Red Hat, Inc. -+// All rights reserved. 
-+// --- END COPYRIGHT BLOCK --- -+package com.netscape.cms.profile.constraint; -+ -+import java.util.Locale; -+ -+import com.netscape.certsrv.apps.CMS; -+import com.netscape.certsrv.authentication.IAuthToken; -+import com.netscape.certsrv.authentication.IAuthManager; -+import com.netscape.certsrv.base.IConfigStore; -+import com.netscape.certsrv.profile.EProfileException; -+import com.netscape.certsrv.profile.ERejectException; -+import com.netscape.certsrv.profile.IPolicyDefault; -+import com.netscape.certsrv.profile.IProfile; -+import com.netscape.certsrv.property.IDescriptor; -+import com.netscape.certsrv.request.IRequest; -+import com.netscape.cms.profile.common.EnrollProfile; -+import com.netscape.cms.profile.def.AuthTokenSubjectNameDefault; -+ -+import netscape.security.x509.CertificateSubjectName; -+import netscape.security.x509.X500Name; -+import netscape.security.x509.X509CertInfo; -+ -+/** -+ * This class implements the user subject name constraint for self-signed cmc requests. -+ * It makes sure the SharedSecret authenticated subjectDN and the rsulting cert match -+ * -+ * @author cfu -+ * @version $Revision$, $Date$ -+ */ -+public class CMCSelfSignedSubjectNameConstraint extends EnrollConstraint { -+ -+ public CMCSelfSignedSubjectNameConstraint() { -+ } -+ -+ public void init(IProfile profile, IConfigStore config) -+ throws EProfileException { -+ super.init(profile, config); -+ } -+ -+ public IDescriptor getConfigDescriptor(Locale locale, String name) { -+ return null; -+ } -+ -+ public String getDefaultConfig(String name) { -+ return null; -+ } -+ -+ /** -+ * Validates the request. The request is not modified -+ * during the validation. User encoded subject name -+ * is copied into the certificate template. 
-+ */ -+ public void validate(IRequest request, X509CertInfo info) -+ throws ERejectException { -+ String method = "CMCSelfSignedSubjectNameConstraint: "; -+ String msg = ""; -+ -+ CertificateSubjectName infoCertSN = null; -+ String authTokenSharedTokenSN = null; -+ -+ try { -+ infoCertSN = (CertificateSubjectName) info.get(X509CertInfo.SUBJECT); -+ if (infoCertSN == null) { -+ msg = method + "infoCertSN null"; -+ CMS.debug(msg); -+ throw new Exception(msg); -+ } -+ CMS.debug(method + "validate user subject ="+ -+ infoCertSN.toString()); -+ X500Name infoCertName = (X500Name) infoCertSN.get(CertificateSubjectName.DN_NAME); -+ if (infoCertName == null) { -+ msg = method + "infoCertName null"; -+ CMS.debug(msg); -+ throw new Exception(msg); -+ } -+ -+ authTokenSharedTokenSN = request.getExtDataInString(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT); -+ if (authTokenSharedTokenSN == null) { -+ msg = method + "authTokenSharedTokenSN null"; -+ CMS.debug(msg); -+ throw new Exception(msg); -+ } -+ if (infoCertName.getName().equalsIgnoreCase(authTokenSharedTokenSN)) { -+ CMS.debug(method + "names matched"); -+ } else { -+ msg = method + "names do not match; authTokenSharedTokenSN =" + -+ authTokenSharedTokenSN; -+ CMS.debug(msg); -+ throw new Exception(msg); -+ } -+ -+ } catch (Exception e) { -+ throw new ERejectException( -+ CMS.getUserMessage(getLocale(request), -+ "CMS_PROFILE_SUBJECT_NAME_NOT_MATCHED") + e); -+ } -+ } -+ -+ public String getText(Locale locale) { -+ return CMS.getUserMessage(locale, -+ "CMS_PROFILE_CONSTRAINT_CMC_SELF_SIGNED_SUBJECT_NAME_TEXT"); -+ } -+ -+ public boolean isApplicable(IPolicyDefault def) { -+ String method = "CMCSelfSignedSubjectNameConstraint: isApplicable: "; -+ if (def instanceof AuthTokenSubjectNameDefault) { -+ CMS.debug(method + "true"); -+ return true; -+ } -+ CMS.debug(method + "false"); -+ return false; -+ } -+} -diff --git a/base/server/cms/src/com/netscape/cms/profile/def/AuthTokenSubjectNameDefault.java 
b/base/server/cms/src/com/netscape/cms/profile/def/AuthTokenSubjectNameDefault.java -index e789625..85bf241 100644 ---- a/base/server/cms/src/com/netscape/cms/profile/def/AuthTokenSubjectNameDefault.java -+++ b/base/server/cms/src/com/netscape/cms/profile/def/AuthTokenSubjectNameDefault.java -@@ -140,7 +140,7 @@ public class AuthTokenSubjectNameDefault extends EnrollDefault { - X500Name name = new X500Name( - request.getExtDataInString(IProfileAuthenticator.AUTHENTICATED_NAME)); - -- CMS.debug("AuthTokenSubjectNameDefault: X500Name=" + name.toString()); -+ CMS.debug("AuthTokenSubjectNameDefault: X500Name=" + name.getName()); - info.set(X509CertInfo.SUBJECT, new CertificateSubjectName(name)); - } catch (Exception e) { - // failed to insert subject name -diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java -index 12fd294..03e94a8 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java -@@ -525,6 +525,7 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { - CMS.debug("ProfileSubmitCMCServlet: null it out"); - ctx.set(IAuthManager.CRED_CMC_SIGNING_CERT, ""); - } -+ - String signingCertSerialS = null; - if (authToken != null) { - signingCertSerialS = (String) authToken.get(IAuthManager.CRED_CMC_SIGNING_CERT); -@@ -534,6 +535,14 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { - ctx.set(IAuthManager.CRED_CMC_SIGNING_CERT, signingCertSerialS); - } - -+ String tmpSharedTokenAuthenticatedCertSubject = ctx.get(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT); -+ if (tmpSharedTokenAuthenticatedCertSubject != null) { -+ // unlikely to happen, but do this just in case -+ CMS.debug("ProfileSubmitCMCServlet: found existing TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT in ctx for 
CMCUserSignedAuth:" + tmpSharedTokenAuthenticatedCertSubject); -+ CMS.debug("ProfileSubmitCMCServlet: null it out"); -+ ctx.set(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT, ""); -+ } -+ - String errorCode = null; - String errorReason = null; - String auditRequesterID = ILogger.UNIDENTIFIED; -@@ -731,13 +740,31 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { - - tmpCertSerialS = reqs[k].getExtDataInString(IAuthManager.CRED_CMC_SIGNING_CERT); - if (tmpCertSerialS != null) { -- // unlikely to happenm, but do this just in case -+ // unlikely to happen, but do this just in case - CMS.debug("ProfileSubmitCMCServlet: found existing CRED_CMC_SIGNING_CERT in request for CMCUserSignedAuth:" + tmpCertSerialS); - CMS.debug("ProfileSubmitCMCServlet: null it out"); - reqs[k].setExtData(IAuthManager.CRED_CMC_SIGNING_CERT, ""); - } - // put CMCUserSignedAuth authToken in request - if (signingCertSerialS != null) { -+ CMS.debug("ProfileSubmitCMCServlet: setting CRED_CMC_SIGNING_CERT in request for CMCUserSignedAuth"); -+ reqs[k].setExtData(IAuthManager.CRED_CMC_SIGNING_CERT, signingCertSerialS); -+ } -+ -+ tmpSharedTokenAuthenticatedCertSubject = reqs[k].getExtDataInString(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT); -+ if (tmpSharedTokenAuthenticatedCertSubject != null) { -+ // unlikely to happen, but do this just in case -+ CMS.debug("ProfileSubmitCMCServlet: found existing TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT in request for CMCUserSignedAuth:" + tmpSharedTokenAuthenticatedCertSubject); -+ CMS.debug("ProfileSubmitCMCServlet: null it out"); -+ reqs[k].setExtData(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT, ""); -+ } -+ // put Shared Token authToken in request -+ String st_sbj = (String) ctx.get(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT); -+ if (st_sbj != null) { -+ CMS.debug("ProfileSubmitCMCServlet: setting IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT in req for CMCUserSignedAuth"); -+ 
reqs[k].setExtData(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT, st_sbj); -+ } -+ if (tmpSharedTokenAuthenticatedCertSubject != null) { - CMS.debug("ProfileSubmitCMCServlet: setting CRED_CMC_SIGNING_CERT in request for CMCUserSignedAuth"); - reqs[k].setExtData(IAuthManager.CRED_CMC_SIGNING_CERT, signingCertSerialS); - } -diff --git a/base/server/cmsbundle/src/UserMessages.properties b/base/server/cmsbundle/src/UserMessages.properties -index 208632d..e5e6ecc 100644 ---- a/base/server/cmsbundle/src/UserMessages.properties -+++ b/base/server/cmsbundle/src/UserMessages.properties -@@ -956,7 +956,8 @@ CMS_PROFILE_CONSTRAINT_SIGNING_ALG_TEXT=This constraint accepts only the Signing - CMS_PROFILE_CONSTRAINT_SUBJECT_NAME_TEXT=This constraint accepts the subject name that matches {0} - CMS_PROFILE_CONSTRAINT_UNIQUE_SUBJECT_NAME_TEXT=This constraint accepts unique subject name only - CMS_PROFILE_CONSTRAINT_USER_SUBJECT_NAME_TEXT=This constraint accepts user subject name only --CMS_PROFILE_CONSTRAINT_CMC_USER_SIGNED_SUBJECT_NAME_TEXT=This constraint accepts user subject name of the CMC request siging cert only -+CMS_PROFILE_CONSTRAINT_CMC_USER_SIGNED_SUBJECT_NAME_TEXT=This constraint accepts user subject name of user-signed CMC request only -+CMS_PROFILE_CONSTRAINT_CMC_SELF_SIGNED_SUBJECT_NAME_TEXT=This constraint accepts user subject name of the self-signed CMC request only - CMS_PROFILE_CONSTRAINT_VALIDITY_TEXT=This constraint rejects the validity that is not between {0} days. - CMS_PROFILE_CONSTRAINT_RENEWAL_GRACE_PERIOD_TEXT=This constraint rejects the renewal requests that are outside of the grace period {0} - CMS_PROFILE_CONSTRAINT_VALIDITY_RENEWAL_TEXT=This constraint rejects the validity that is not between {0} days. If renewal, grace period is {1} days before and {2} days after the expiration date of the original certificate. 
--- -1.8.3.1 - - -From 99101af800addd61f66cdcf6b18c0b26f1e27011 Mon Sep 17 00:00:00 2001 -From: Christina Fu -Date: Wed, 1 Aug 2018 13:35:53 -0700 -Subject: [PATCH 2/5] Bug 1593805 Better understanding of - NSS_USE_DECODED_CKA_EC_POINT for ECC - -This patch removes the outdated reference to EC environment variable -NSS_USE_DECODED_CKA_EC_POINT for ECC in the HttpClient command line usage. - -More info in the usage are updated as well for correctness and clarity. - -Change-Id: I562e2c0cd86f91369f347b38cc660cc3cee585b9 -(cherry picked from commit 6eef4f5cb83cd4b7e2c45ad6a44ba453392ec051) ---- - .../src/com/netscape/cmstools/HttpClient.java | 32 ++++++++++++---------- - 1 file changed, 18 insertions(+), 14 deletions(-) - -diff --git a/base/java-tools/src/com/netscape/cmstools/HttpClient.java b/base/java-tools/src/com/netscape/cmstools/HttpClient.java -index fcaf210..28934ab 100644 ---- a/base/java-tools/src/com/netscape/cmstools/HttpClient.java -+++ b/base/java-tools/src/com/netscape/cmstools/HttpClient.java -@@ -251,43 +251,47 @@ public class HttpClient { - System.out.println("The configuration file should look like as follows:"); - System.out.println(""); - System.out.println("#host: host name for the http server"); -- System.out.println("host=host1.a.com"); -+ System.out.println("host=host.example.com"); - System.out.println(""); - System.out.println("#port: port number"); -- System.out.println("port=1025"); -+ System.out.println("port=8443"); - System.out.println(""); - System.out.println("#secure: true for secure connection, false for nonsecure connection"); -- System.out.println("#For secure connection, in an ECC setup, must set environment variable 'export NSS_USE_DECODED_CKA_EC_POINT=1' prior to running this command"); - System.out.println("secure=false"); - System.out.println(""); - System.out.println("#input: full path for the enrollment request, the content must be in binary format"); -- System.out.println("input=/u/doc/cmcReqCRMFBin"); -+ 
System.out.println("input=~/cmcReqCRMFBin"); - System.out.println(""); - System.out.println("#output: full path for the response in binary format"); -- System.out.println("output=/u/doc/cmcResp"); -+ System.out.println("#output could be parsed by running CMCResponse"); -+ System.out.println("output=~/cmcResp"); - System.out.println(""); -- System.out.println("#tokenname: name of token where SSL client authentication cert can be found (default is internal)"); -+ System.out.println("#dbdir: directory for NSS certificate/key databases"); - System.out.println("#This parameter will be ignored if secure=false"); -- System.out.println("tokenname=hsmname"); -+ System.out.println("dbdir=/.dogtag/nssdb"); - System.out.println(""); -- System.out.println("#dbdir: directory for cert8.db, key3.db and secmod.db"); -+ System.out.println("#password: password for NSS database"); -+ System.out.println("#This parameter will be ignored if secure=false and clientmode=false"); -+ System.out.println("password="); -+ System.out.println(""); -+ System.out.println("#tokenname: name of token where SSL client authentication cert for nickname can be found (default is internal)"); - System.out.println("#This parameter will be ignored if secure=false"); -- System.out.println("dbdir=/u/smith/.netscape"); -+ System.out.println("tokenname=internal"); - System.out.println(""); - System.out.println("#clientmode: true for client authentication, false for no client authentication"); - System.out.println("#This parameter will be ignored if secure=false"); - System.out.println("clientmode=false"); - System.out.println(""); -- System.out.println("#password: password for cert8.db"); -- System.out.println("#This parameter will be ignored if secure=false and clientauth=false"); -- System.out.println("password="); -- System.out.println(""); - System.out.println("#nickname: nickname for client certificate"); - System.out.println("#This parameter will be ignored if clientmode=false"); - 
System.out.println("nickname="); - System.out.println(""); - System.out.println("#servlet: target URL"); -- System.out.println("#This parameter may include query parameters"); -+ System.out.println("#This parameter may include query parameters;"); -+ System.out.println("# - reminder: profileId should be a profile that matches"); -+ System.out.println("# the intended certificate; for certificates intended"); -+ System.out.println("# for SSL (client or server), profiles should match"); -+ System.out.println("# the key type (RSA or EC) of the keys generated for CSR;"); - System.out.println("servlet=/ca/ee/ca/profileSubmitCMCFull?profileId=caFullCMCUserCert"); - System.out.println(""); - System.exit(0); --- -1.8.3.1 - - -From a285327323d058218684cc671223b5b872bc9afc Mon Sep 17 00:00:00 2001 -From: Christina Fu -Date: Thu, 2 Aug 2018 09:31:50 -0700 -Subject: [PATCH 3/5] Bug1608375 - CMC Revocations throws exception with same - reqIssuer & certissuer - -This patch resolves the possible encoding mismatch between the actual CA cert -and the X500Name gleaned from the CMC revocation request. 
- -Change-Id: I220f5d656a69c90fa02ba38fa21b069ed7d15a9d -(cherry picked from commit 4a085b2ea3ee0f89ef2e49e1c0dbee2e36abd248) ---- - .../cms/authentication/CMCUserSignedAuth.java | 21 ++++++++++++++++++--- - 1 file changed, 18 insertions(+), 3 deletions(-) - -diff --git a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java -index a9a7ade..97971dd 100644 ---- a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java -+++ b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java -@@ -83,6 +83,7 @@ import com.netscape.certsrv.base.EBaseException; - import com.netscape.certsrv.base.IConfigStore; - import com.netscape.certsrv.base.IExtendedPluginInfo; - import com.netscape.certsrv.base.SessionContext; -+import com.netscape.certsrv.ca.ICertificateAuthority; - import com.netscape.certsrv.logging.ILogger; - import com.netscape.certsrv.logging.event.CMCUserSignedRequestSigVerifyEvent; - import com.netscape.certsrv.profile.EProfileException; -@@ -497,13 +498,27 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, - // to CMCOutputTemplate so that we can - // have a chance to capture user identification info - if (issuerANY != null) { -+ // get CA signing cert -+ ICertificateAuthority ca = null; -+ ca = (ICertificateAuthority) CMS.getSubsystem("ca"); -+ X500Name caName = ca.getX500Name(); -+ - try { - byte[] issuerBytes = issuerANY.getEncoded(); -- X500Name issuerName = new X500Name(issuerBytes); -- CMS.debug(method + "revRequest issuer name = " + issuerName.toString()); -+ X500Name reqIssuerName = new X500Name(issuerBytes); -+ String reqIssuerNameStr = reqIssuerName.getName(); -+ CMS.debug(method + "revRequest issuer name = " + reqIssuerNameStr); -+ if (reqIssuerNameStr.equalsIgnoreCase(caName.getName())) { -+ // making sure it's identical, even in encoding -+ reqIssuerName = caName; -+ } else { -+ // not this 
CA; will be bumped off later; -+ // make a note in debug anyway -+ CMS.debug(method + "revRequest issuer name doesn't match our CA; will be bumped off later;"); -+ } - // capture issuer principal to be checked against - // cert issuer principal later in CMCOutputTemplate -- auditContext.put(SessionContext.CMC_ISSUER_PRINCIPAL, issuerName); -+ auditContext.put(SessionContext.CMC_ISSUER_PRINCIPAL, reqIssuerName); - } catch (Exception e) { - CMS.debug(method + "failed getting issuer from RevokeRequest:" + e.toString()); - } --- -1.8.3.1 - - -From 9f3c6d13991cdafc748ded223a85b121ce2389b5 Mon Sep 17 00:00:00 2001 -From: Christina Fu -Date: Wed, 8 Aug 2018 18:41:52 -0700 -Subject: [PATCH 4/5] Ticket #3041 Enable all config audit events - -This patch enables the audit events concerning role actions (mostly config) -by default. - -Two additional minor issues are also addressed: -1. keyType typos in the two profiles: caDirUserCert and caECDirUserCert - (bugzilla #1610718) -2. removing unrecommended signing algorithms - -fixes: https://pagure.io/dogtagpki/issue/3041 -Change-Id: I795e8437e66b59f343044eb8a974b2dd0b95ad6d -(cherry picked from commit 5e9876da3fa7c1587b96e983f36ee2830398c099) ---- - base/ca/shared/conf/CS.cfg | 2 +- - base/ca/shared/profiles/ca/caDirUserCert.cfg | 2 +- - base/ca/shared/profiles/ca/caECDirUserCert.cfg | 2 +- - base/kra/shared/conf/CS.cfg | 2 +- - base/ocsp/shared/conf/CS.cfg | 2 +- - .../netscape/cms/profile/common/ServerCertCAEnrollProfile.java | 2 +- - .../com/netscape/cms/profile/common/UserCertCAEnrollProfile.java | 2 +- - base/server/cmsbundle/src/LogMessages.properties | 2 +- - base/tks/shared/conf/CS.cfg | 2 +- - base/tps/shared/conf/CS.cfg | 2 +- - base/util/src/netscape/security/x509/AlgorithmId.java | 8 ++++---- - 11 files changed, 14 insertions(+), 14 deletions(-) - -diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg -index fcd85a2..6158d5a 100644 ---- a/base/ca/shared/conf/CS.cfg -+++ b/base/ca/shared/conf/CS.cfg -@@ 
-909,7 +909,7 @@ log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUM - log.instance.SignedAudit._006=## - log.instance.SignedAudit.bufferSize=512 - log.instance.SignedAudit.enable=true --log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CERT_REQUEST_PROCESSED,CERT_SIGNING_INFO,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,CMC_REQUEST_RECEIVED,CMC_RESPONSE_SENT,CONFIG_AUTH,CONFIG_CERT_PROFILE,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,CRL_SIGNING_INFO,DELTA_CRL_GENERATION,FULL_CRL_GENERATION,LOG_PATH_CHANGE,OCSP_GENERATION,OCSP_SIGNING_INFO,PROFILE_CERT_REQUEST,PROOF_OF_POSSESSION,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,CERT_STATUS_CHANGE_REQUEST_PROCESSED -+log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CERT_REQUEST_PROCESSED,CERT_SIGNING_INFO,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,CMC_REQUEST_RECEIVED,CMC_RESPONSE_SENT,CONFIG_AUTH,CONFIG_CERT_PROFILE,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,CRL_SIGNING_INFO,DELTA_CRL_GENERATION,FULL_CRL_GENERATION,LOG_PATH_CHANGE,OCSP_GENERATION,OCSP_SIGNING_INFO,PROFILE_CERT_REQUEST,PROOF_OF_POSSESSION,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,CERT_STATUS_CHANGE_REQUEST_PROCESSED,CERT_PROFILE_APPROVAL,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_ACL,CONFIG_DRM,AUTHORITY_CONFIG - log.instance.SignedAudit.filters.CMC_SIGNED_REQUEST_SIG_VERIFY=(Outcome=Failure) - log.instance.SignedAudit.filters.CMC_USER_SIGNED_REQUEST_SIG_VERIFY=(Outcome=Failure) - log.instance.SignedAudit.filters.DELTA_CRL_GENERATION=(Outcome=Failure) -diff --git a/base/ca/shared/profiles/ca/caDirUserCert.cfg b/base/ca/shared/profiles/ca/caDirUserCert.cfg -index f12c7ed..0b7f6b7 100644 ---- 
a/base/ca/shared/profiles/ca/caDirUserCert.cfg -+++ b/base/ca/shared/profiles/ca/caDirUserCert.cfg -@@ -34,7 +34,7 @@ policyset.userCertSet.2.default.params.range=180 - policyset.userCertSet.2.default.params.startTime=0 - policyset.userCertSet.3.constraint.class_id=keyConstraintImpl - policyset.userCertSet.3.constraint.name=Key Constraint --policyset.userCertSet.3.constraint.params.keyType=EC -+policyset.userCertSet.3.constraint.params.keyType=RSA - policyset.userCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096 - policyset.userCertSet.3.default.class_id=userKeyDefaultImpl - policyset.userCertSet.3.default.name=Key Default -diff --git a/base/ca/shared/profiles/ca/caECDirUserCert.cfg b/base/ca/shared/profiles/ca/caECDirUserCert.cfg -index 0663b40..b65999e 100644 ---- a/base/ca/shared/profiles/ca/caECDirUserCert.cfg -+++ b/base/ca/shared/profiles/ca/caECDirUserCert.cfg -@@ -34,7 +34,7 @@ policyset.userCertSet.2.default.params.range=180 - policyset.userCertSet.2.default.params.startTime=0 - policyset.userCertSet.3.constraint.class_id=keyConstraintImpl - policyset.userCertSet.3.constraint.name=Key Constraint --policyset.userCertSet.3.constraint.params.keyType=- -+policyset.userCertSet.3.constraint.params.keyType=EC - policyset.userCertSet.3.constraint.params.keyParameters=nistp256,nistp384,nistp521 - policyset.userCertSet.3.default.class_id=userKeyDefaultImpl - policyset.userCertSet.3.default.name=Key Default -diff --git a/base/kra/shared/conf/CS.cfg b/base/kra/shared/conf/CS.cfg -index f314234..878e5f8 100644 ---- a/base/kra/shared/conf/CS.cfg -+++ b/base/kra/shared/conf/CS.cfg -@@ -304,7 +304,7 @@ log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUM - log.instance.SignedAudit._006=## - log.instance.SignedAudit.bufferSize=512 - log.instance.SignedAudit.enable=true 
--log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GEN_REQUEST_PROCESSED,AUTH,AUTHZ,CONFIG_AUTH,CONFIG_DRM,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,KEY_GEN_ASYMMETRIC,KEY_RECOVERY_AGENT_LOGIN,LOG_PATH_CHANGE,PROFILE_CERT_REQUEST,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,SERVER_SIDE_KEYGEN_REQUEST,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED,SYMKEY_GENERATION_REQUEST,SYMKEY_GEN_REQUEST_PROCESSED -+log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GEN_REQUEST_PROCESSED,AUTH,AUTHZ,CONFIG_AUTH,CONFIG_DRM,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,KEY_GEN_ASYMMETRIC,KEY_RECOVERY_AGENT_LOGIN,LOG_PATH_CHANGE,PROFILE_CERT_REQUEST,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,SERVER_SIDE_KEYGEN_REQUEST,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED,SYMKEY_GENERATION_REQUEST,SYMKEY_GEN_REQUEST_PROCESSED,CONFIG_ACL - log.instance.SignedAudit.filters.ASYMKEY_GENERATION_REQUEST=(Outcome=Failure) - log.instance.SignedAudit.filters.ASYMKEY_GEN_REQUEST_PROCESSED=(Outcome=Failure) - log.instance.SignedAudit.filters.KEY_GEN_ASYMMETRIC=(Outcome=Failure) -diff --git a/base/ocsp/shared/conf/CS.cfg b/base/ocsp/shared/conf/CS.cfg -index dc993b0..b412e5e 100644 ---- a/base/ocsp/shared/conf/CS.cfg -+++ b/base/ocsp/shared/conf/CS.cfg -@@ -220,7 +220,7 @@ log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUM - 
log.instance.SignedAudit._006=## - log.instance.SignedAudit.bufferSize=512 - log.instance.SignedAudit.enable=true --log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CONFIG_AUTH,CONFIG_ENCRYPTION,CONFIG_OCSP_PROFILE,CONFIG_ROLE,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,LOG_PATH_CHANGE,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST_PROCESSED,OCSP_SIGNING_INFO,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION -+log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CONFIG_AUTH,CONFIG_ENCRYPTION,CONFIG_OCSP_PROFILE,CONFIG_ROLE,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,LOG_PATH_CHANGE,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST_PROCESSED,OCSP_SIGNING_INFO,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,CONFIG_ACL - log.instance.SignedAudit.filters.RANDOM_GENERATION=(Outcome=Failure) - log.instance.SignedAudit.filters.SELFTESTS_EXECUTION=(Outcome=Failure) - log.instance.SignedAudit.expirationTime=0 -diff --git a/base/server/cms/src/com/netscape/cms/profile/common/ServerCertCAEnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/ServerCertCAEnrollProfile.java -index a1a83a4..2dcf9c1 100644 ---- a/base/server/cms/src/com/netscape/cms/profile/common/ServerCertCAEnrollProfile.java -+++ b/base/server/cms/src/com/netscape/cms/profile/common/ServerCertCAEnrollProfile.java -@@ -77,7 +77,7 @@ public class ServerCertCAEnrollProfile extends CAEnrollProfile - defConfig4 - .putString( - "params.signingAlgsAllowed", -- "SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC"); -+ "SHA1withRSA,SHA256withRSA,SHA384withRSA,SHA512withRSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC"); - - IProfilePolicy policy5 = - createProfilePolicy("set1", "p5", -diff --git a/base/server/cms/src/com/netscape/cms/profile/common/UserCertCAEnrollProfile.java 
b/base/server/cms/src/com/netscape/cms/profile/common/UserCertCAEnrollProfile.java -index 710a461..9b1eacb 100644 ---- a/base/server/cms/src/com/netscape/cms/profile/common/UserCertCAEnrollProfile.java -+++ b/base/server/cms/src/com/netscape/cms/profile/common/UserCertCAEnrollProfile.java -@@ -79,7 +79,7 @@ public class UserCertCAEnrollProfile extends CAEnrollProfile - defConfig4 - .putString( - "params.signingAlgsAllowed", -- "SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC"); -+ "SHA1withRSA,SHA256withRSA,SHA384withRSA,SHA512withRSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC"); - - IProfilePolicy policy5 = - createProfilePolicy("set1", "p5", -diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties -index 7963f6f..d534506 100644 ---- a/base/server/cmsbundle/src/LogMessages.properties -+++ b/base/server/cmsbundle/src/LogMessages.properties -@@ -2133,7 +2133,7 @@ LOGGING_SIGNED_AUDIT_AUTH_SUCCESS=:[AuditEvent=AUTH]{0} authenticatio - # and to be approved by an agent - # Op must be "approve" or "disapprove" - # --LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL_4=:[AuditEvent=CERT_PROFILE_APPROVAL][SubjectID={0}][Outcome={1}][ProfileID={2}][Op={3}] certificate approval -+LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL_4=:[AuditEvent=CERT_PROFILE_APPROVAL][SubjectID={0}][Outcome={1}][ProfileID={2}][Op={3}] certificate profile approval - # - # LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION - # - used for proof of possession during certificate enrollment processing -diff --git a/base/tks/shared/conf/CS.cfg b/base/tks/shared/conf/CS.cfg -index d1da996..e9bf03e 100644 ---- a/base/tks/shared/conf/CS.cfg -+++ b/base/tks/shared/conf/CS.cfg -@@ -212,7 +212,7 @@ log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUM - log.instance.SignedAudit._006=## - log.instance.SignedAudit.bufferSize=512 - log.instance.SignedAudit.enable=true 
--log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CONFIG_AUTH,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,LOG_PATH_CHANGE,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION -+log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CONFIG_AUTH,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,LOG_PATH_CHANGE,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,CONFIG_ACL - log.instance.SignedAudit.filters.RANDOM_GENERATION=(Outcome=Failure) - log.instance.SignedAudit.filters.SELFTESTS_EXECUTION=(Outcome=Failure) - log.instance.SignedAudit.expirationTime=0 -diff --git a/base/tps/shared/conf/CS.cfg b/base/tps/shared/conf/CS.cfg -index c44bc75..3671100 100644 ---- a/base/tps/shared/conf/CS.cfg -+++ b/base/tps/shared/conf/CS.cfg -@@ -229,7 +229,7 @@ log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUM - log.instance.SignedAudit._006=## - log.instance.SignedAudit.bufferSize=512 - log.instance.SignedAudit.enable=true --log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CONFIG_ROLE,CONFIG_SIGNED_AUDIT,CONFIG_TOKEN_AUTHENTICATOR,CONFIG_TOKEN_CONNECTOR,CONFIG_TOKEN_MAPPING_RESOLVER,CONFIG_TOKEN_RECORD,LOG_PATH_CHANGE,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,TOKEN_APPLET_UPGRADE,TOKEN_KEY_CHANGEOVER_REQUIRED,TOKEN_KEY_CHANGEOVER -+log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CONFIG_ROLE,CONFIG_SIGNED_AUDIT,CONFIG_TOKEN_AUTHENTICATOR,CONFIG_TOKEN_CONNECTOR,CONFIG_TOKEN_MAPPING_RESOLVER,CONFIG_TOKEN_RECORD,LOG_PATH_CHANGE,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,TOKEN_APPLET_UPGRADE,TOKEN_KEY_CHANGEOVER_REQUIRED,TOKEN_KEY_CHANGEOVER,CONFIG_ACL - log.instance.SignedAudit.filters.RANDOM_GENERATION=(Outcome=Failure) - 
log.instance.SignedAudit.filters.SELFTESTS_EXECUTION=(Outcome=Failure) - log.instance.SignedAudit.filters.TOKEN_APPLET_UPGRADE=(Outcome=Failure) -diff --git a/base/util/src/netscape/security/x509/AlgorithmId.java b/base/util/src/netscape/security/x509/AlgorithmId.java -index ae5975a..012575c 100644 ---- a/base/util/src/netscape/security/x509/AlgorithmId.java -+++ b/base/util/src/netscape/security/x509/AlgorithmId.java -@@ -798,17 +798,17 @@ public class AlgorithmId implements Serializable, DerEncoder { - * Supported signing algorithms for a RSA key. - */ - public static final String[] RSA_SIGNING_ALGORITHMS = new String[] -- { "SHA1withRSA", "SHA256withRSA", "SHA384withRSA", "SHA512withRSA", "MD5withRSA", "MD2withRSA" }; -+ { "SHA256withRSA", "SHA384withRSA", "SHA512withRSA", "SHA1withRSA" }; - - public static final String[] EC_SIGNING_ALGORITHMS = new String[] -- { "SHA1withEC", "SHA256withEC", "SHA384withEC", "SHA512withEC" }; -+ { "SHA256withEC", "SHA384withEC", "SHA512withEC", "SHA1withEC" }; - - /** - * All supported signing algorithms. - */ - public static final String[] ALL_SIGNING_ALGORITHMS = new String[] - { -- "SHA1withRSA", "MD5withRSA", "MD2withRSA", "SHA1withDSA", "SHA256withRSA", "SHA384withRSA", "SHA512withRSA", "SHA1withEC", -- "SHA256withEC", "SHA384withEC", "SHA512withEC" }; -+ "SHA256withRSA", "SHA384withRSA", "SHA512withRSA", "SHA1withRSA", -+ "SHA256withEC", "SHA384withEC", "SHA512withEC", "SHA1withEC" }; - - } --- -1.8.3.1 - - -From b4ef13f36124aeaadf3e43ae7c0560c38233c78a Mon Sep 17 00:00:00 2001 -From: Christina Fu -Date: Fri, 10 Aug 2018 14:04:14 -0700 -Subject: [PATCH 5/5] Ticket #2481 ECC keys not supported for signing audit - logs - -This patch addes support for ECC audit log signing key. -All enrollment profiles for audit signing certificate are updated to allow that. 
- -fixes https://pagure.io/dogtagpki/issue/2481 - -Change-Id: Idedd3cc2ed7655e73ee87ebcd0087ea17fb57f3f -(cherry picked from commit 435ede04d525d8816345271a887753a620795d56) ---- - base/ca/shared/profiles/ca/caCMCauditSigningCert.cfg | 4 ++-- - base/ca/shared/profiles/ca/caInternalAuthAuditSigningCert.cfg | 4 ++-- - base/ca/shared/profiles/ca/caSignedLogCert.cfg | 8 ++++---- - base/java-tools/src/com/netscape/cmstools/AuditVerify.java | 6 +++--- - base/server/cms/src/com/netscape/cms/logging/LogFile.java | 8 +++----- - 5 files changed, 14 insertions(+), 16 deletions(-) - -diff --git a/base/ca/shared/profiles/ca/caCMCauditSigningCert.cfg b/base/ca/shared/profiles/ca/caCMCauditSigningCert.cfg -index ff4856c..642e67b 100644 ---- a/base/ca/shared/profiles/ca/caCMCauditSigningCert.cfg -+++ b/base/ca/shared/profiles/ca/caCMCauditSigningCert.cfg -@@ -29,8 +29,8 @@ policyset.auditSigningCertSet.2.default.params.range=720 - policyset.auditSigningCertSet.2.default.params.startTime=0 - policyset.auditSigningCertSet.3.constraint.class_id=keyConstraintImpl - policyset.auditSigningCertSet.3.constraint.name=Key Constraint --policyset.auditSigningCertSet.3.constraint.params.keyType=RSA --policyset.auditSigningCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096 -+policyset.auditSigningCertSet.3.constraint.params.keyType=- -+policyset.auditSigningCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp521 - policyset.auditSigningCertSet.3.default.class_id=userKeyDefaultImpl - policyset.auditSigningCertSet.3.default.name=Key Default - policyset.auditSigningCertSet.4.constraint.class_id=noConstraintImpl -diff --git a/base/ca/shared/profiles/ca/caInternalAuthAuditSigningCert.cfg b/base/ca/shared/profiles/ca/caInternalAuthAuditSigningCert.cfg -index b850f1c..4acaab7 100644 ---- a/base/ca/shared/profiles/ca/caInternalAuthAuditSigningCert.cfg -+++ b/base/ca/shared/profiles/ca/caInternalAuthAuditSigningCert.cfg -@@ -31,7 +31,7 @@ 
policyset.auditSigningCertSet.2.default.params.startTime=0 - policyset.auditSigningCertSet.3.constraint.class_id=keyConstraintImpl - policyset.auditSigningCertSet.3.constraint.name=Key Constraint - policyset.auditSigningCertSet.3.constraint.params.keyType=- --policyset.auditSigningCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096 -+policyset.auditSigningCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp521 - policyset.auditSigningCertSet.3.default.class_id=userKeyDefaultImpl - policyset.auditSigningCertSet.3.default.name=Key Default - policyset.auditSigningCertSet.4.constraint.class_id=noConstraintImpl -@@ -74,7 +74,7 @@ policyset.auditSigningCertSet.6.default.params.keyUsageEncipherOnly=false - policyset.auditSigningCertSet.6.default.params.keyUsageDecipherOnly=false - policyset.auditSigningCertSet.9.constraint.class_id=signingAlgConstraintImpl - policyset.auditSigningCertSet.9.constraint.name=No Constraint --policyset.auditSigningCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC -+policyset.auditSigningCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC - policyset.auditSigningCertSet.9.default.class_id=signingAlgDefaultImpl - policyset.auditSigningCertSet.9.default.name=Signing Alg - policyset.auditSigningCertSet.9.default.params.signingAlg=- -diff --git a/base/ca/shared/profiles/ca/caSignedLogCert.cfg b/base/ca/shared/profiles/ca/caSignedLogCert.cfg -index 6fdb8b5..c568572 100644 ---- a/base/ca/shared/profiles/ca/caSignedLogCert.cfg -+++ b/base/ca/shared/profiles/ca/caSignedLogCert.cfg -@@ -3,7 +3,7 @@ visible=true - enable=true - enableBy=admin - auth.class_id= --name=Manual Log Signing Certificate Enrollment -+name=Manual Audit Log Signing Certificate Enrollment - input.list=i1,i2 
- input.i1.class_id=certReqInputImpl - input.i2.class_id=submitterInfoInputImpl -@@ -29,8 +29,8 @@ policyset.caLogSigningSet.2.default.params.range=720 - policyset.caLogSigningSet.2.default.params.startTime=0 - policyset.caLogSigningSet.3.constraint.class_id=keyConstraintImpl - policyset.caLogSigningSet.3.constraint.name=Key Constraint --policyset.caLogSigningSet.3.constraint.params.keyType=RSA --policyset.caLogSigningSet.3.constraint.params.keyParameters=1024,2048,3072,4096 -+policyset.caLogSigningSet.3.constraint.params.keyType=- -+policyset.caLogSigningSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp521 - policyset.caLogSigningSet.3.default.class_id=userKeyDefaultImpl - policyset.caLogSigningSet.3.default.name=Key Default - policyset.caLogSigningSet.4.constraint.class_id=noConstraintImpl -@@ -68,7 +68,7 @@ policyset.caLogSigningSet.8.default.name=Subject Key Identifier Extension Defaul - policyset.caLogSigningSet.8.default.params.critical=false - policyset.caLogSigningSet.9.constraint.class_id=signingAlgConstraintImpl - policyset.caLogSigningSet.9.constraint.name=No Constraint --policyset.caLogSigningSet.9.constraint.params.signingAlgsAllowed=MD5withRSA,MD2withRSA,SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC -+policyset.caLogSigningSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC - policyset.caLogSigningSet.9.default.class_id=signingAlgDefaultImpl - policyset.caLogSigningSet.9.default.name=Signing Alg - policyset.caLogSigningSet.9.default.params.signingAlg=- -diff --git a/base/java-tools/src/com/netscape/cmstools/AuditVerify.java b/base/java-tools/src/com/netscape/cmstools/AuditVerify.java -index 7693ba3..be9c0ed 100644 ---- a/base/java-tools/src/com/netscape/cmstools/AuditVerify.java -+++ b/base/java-tools/src/com/netscape/cmstools/AuditVerify.java -@@ -25,7 
+25,6 @@ import java.io.FilenameFilter; - import java.io.IOException; - import java.security.PublicKey; - import java.security.Signature; --import java.security.interfaces.DSAPublicKey; - import java.security.interfaces.RSAPublicKey; - import java.util.List; - import java.util.StringTokenizer; -@@ -34,6 +33,7 @@ import java.util.Vector; - import org.mozilla.jss.CryptoManager; - import org.mozilla.jss.crypto.ObjectNotFoundException; - import org.mozilla.jss.crypto.X509Certificate; -+import org.mozilla.jss.pkcs11.PK11ECPublicKey; - - import com.netscape.cmsutil.util.Utils; - -@@ -159,8 +159,8 @@ public class AuditVerify { - String sigAlgorithm = null; - if (pubk instanceof RSAPublicKey) { - sigAlgorithm = "SHA-256/RSA"; -- } else if (pubk instanceof DSAPublicKey) { -- sigAlgorithm = "SHA-256/DSA"; -+ } else if (pubk instanceof PK11ECPublicKey) { -+ sigAlgorithm = "SHA-256/EC"; - } else { - throw new Exception("Unknown signing certificate key type: " + pubk.getAlgorithm()); - } -diff --git a/base/server/cms/src/com/netscape/cms/logging/LogFile.java b/base/server/cms/src/com/netscape/cms/logging/LogFile.java -index 74a8ada..b04f70d 100644 ---- a/base/server/cms/src/com/netscape/cms/logging/LogFile.java -+++ b/base/server/cms/src/com/netscape/cms/logging/LogFile.java -@@ -41,8 +41,6 @@ import java.security.PrivateKey; - import java.security.Provider; - import java.security.Signature; - import java.security.SignatureException; --import java.security.interfaces.DSAPrivateKey; --import java.security.interfaces.RSAPrivateKey; - import java.text.ParseException; - import java.text.SimpleDateFormat; - import java.util.Date; -@@ -611,10 +609,10 @@ public class LogFile implements ILogEventListener, IExtendedPluginInfo { - mSigningKey = cm.findPrivKeyByCert(cert); - - String sigAlgorithm; -- if (mSigningKey instanceof RSAPrivateKey) { -+ if (mSigningKey.getAlgorithm().equalsIgnoreCase("RSA")) { - sigAlgorithm = "SHA-256/RSA"; -- } else if (mSigningKey instanceof DSAPrivateKey) { 
-- sigAlgorithm = "SHA-256/DSA"; -+ } else if (mSigningKey.getAlgorithm().equalsIgnoreCase("EC")) { -+ sigAlgorithm = "SHA-256/EC"; - } else { - throw new NoSuchAlgorithmException("Unknown private key type"); - } --- -1.8.3.1 - diff --git a/SOURCES/pki-core-Add-Subject-Key-ID-to-CSR.patch b/SOURCES/pki-core-Add-Subject-Key-ID-to-CSR.patch new file mode 100644 index 0000000..d425865 --- /dev/null +++ b/SOURCES/pki-core-Add-Subject-Key-ID-to-CSR.patch 
@@ -0,0 +1,366 @@ +From 5c459c1861e4132904fe88e99341738f1c3555e8 Mon Sep 17 00:00:00 2001 +From: Fraser Tweedale +Date: Thu, 11 Jan 2018 19:02:09 +1100 +Subject: [PATCH 1/2] install: support adding Subject Key ID to CSR + +For externally-signed CA installation, some users want to be able to +generate a CSR with a Subject Key Identifier extension - either +user-specified or a generated default. + +This commit adds support to NSSDatabase.create_request for +generating a CSR with an SKI extension. The process to achieve this +is: + +1. Generate the key. This behaviour has been extracted to a + separate method (NSSDatabase.generate_key). + +2. If a "default" SKI is requested, generate a throw-away CSR and + compute an SKI value from the public key contained therein. + This is a "minimal" CSR whose only purpose is to get the public + key in a convenient format. + +3. Generate the CSR and write it to the caller-specified file. + This CSR contains all the extensions the caller asked for. + +This commit relies on an enhancement to the certutil(1) program that +allows create a CSR for a private key specified by CKA_ID. 
+ +Part-of: https://pagure.io/dogtagpki/issue/2854 +(cherry picked from commit f1f32c31d51dffb93e7874d8c4dd0325136c4db7) +--- + base/common/python/pki/nssdb.py | 177 ++++++++++++++++++++++++++++++++++------ + 1 file changed, 152 insertions(+), 25 deletions(-) + +diff --git a/base/common/python/pki/nssdb.py b/base/common/python/pki/nssdb.py +index bbcb261..11509f0 100644 +--- a/base/common/python/pki/nssdb.py ++++ b/base/common/python/pki/nssdb.py +@@ -22,14 +22,18 @@ + + from __future__ import absolute_import + import base64 ++import binascii + import logging + import os ++import re + import shutil + import stat + import subprocess + import tempfile + import datetime + ++import six ++ + from cryptography import x509 + from cryptography.hazmat.backends import default_backend + +@@ -444,20 +448,78 @@ class NSSDatabase(object): + basic_constraints_ext=None, + key_usage_ext=None, + extended_key_usage_ext=None, ++ cka_id=None, ++ subject_key_id=None, + generic_exts=None): ++ """ ++ Generate a CSR. ++ ++ ``cka_id`` ++ PKCS #11 CKA_ID of key in the NSSDB to use, as text. ++ If ``None`` a new key will be generated (this is ++ the typical use case). ++ ++ ``subject_key_id`` ++ If ``None``, no Subject Key ID will be included in the ++ request. If ``"DEFAULT"``, the Subject Key ID will be ++ derived from the generated key, using the default ++ digest. Otherwise the value must be a hex-encoded ++ string, without leading ``0x``, containing the desired ++ Subject Key ID. 
++ ++ ``generic_exts`` ++ List of generic extensions, each being a mapping with ++ the following keys: ++ ++ ``oid`` ++ Extension OID (``str``) ++ ``critical`` ++ ``bool`` ++ ``data`` ++ Raw extension data (``bytes``) ++ ++ """ ++ if not cka_id: ++ cka_id = self.generate_key( ++ key_type=key_type, key_size=key_size, ++ curve=curve, noise_file=noise_file) ++ if not isinstance(cka_id, six.text_type): ++ raise TypeError('cka_id must be a text string') + + tmpdir = tempfile.mkdtemp() + + try: +- if not noise_file: +- noise_file = os.path.join(tmpdir, 'noise.bin') +- if key_size: +- size = key_size ++ if subject_key_id is not None: ++ if subject_key_id == 'DEFAULT': ++ # Caller wants a default subject key ID included ++ # in CSR. To do this we must first generate a ++ # temporary CSR for the key, then compute an SKI ++ # from the public key data. ++ tmp_csr = os.path.join(tmpdir, 'tmp_csr.pem') ++ self.create_request( ++ subject_dn, tmp_csr, ++ cka_id=cka_id, subject_key_id=None) ++ with open(tmp_csr, 'rb') as f: ++ data = f.read() ++ csr = x509.load_pem_x509_csr(data, default_backend()) ++ pub = csr.public_key() ++ ski = x509.SubjectKeyIdentifier.from_public_key(pub) ++ ski_bytes = ski.digest + else: +- size = 2048 +- self.create_noise( +- noise_file=noise_file, +- size=size) ++ # Explicit subject_key_id provided; decode it ++ ski_bytes = binascii.unhexlify(subject_key_id) ++ ++ if generic_exts is None: ++ generic_exts = [] ++ generic_exts.append({ ++ 'oid': x509.SubjectKeyIdentifier.oid.dotted_string, ++ 'critical': False, ++ 'data': bytearray([0x04, len(ski_bytes)]) + ski_bytes, ++ # OCTET STRING ^tag ^length ^data ++ # ++ # This structure is incorrect if len > 127 bytes, but this ++ # will be fine for a CKA_ID or SKID of sensible length. 
++ }) + + binary_request_file = os.path.join(tmpdir, 'request.bin') + +@@ -478,25 +540,9 @@ class NSSDatabase(object): + '-f', self.password_file, + '-s', subject_dn, + '-o', binary_request_file, +- '-z', noise_file ++ '-k', cka_id, + ]) + +- if key_type: +- cmd.extend(['-k', key_type]) +- +- if key_type.lower() == 'ec': +- # This is fix for Bugzilla 1544843 +- cmd.extend([ +- '--keyOpFlagsOn', 'sign', +- '--keyOpFlagsOff', 'derive' +- ]) +- +- if key_size: +- cmd.extend(['-g', str(key_size)]) +- +- if curve: +- cmd.extend(['-q', curve]) +- + if hash_alg: + cmd.extend(['-Z', hash_alg]) + +@@ -603,6 +649,87 @@ class NSSDatabase(object): + finally: + shutil.rmtree(tmpdir) + ++ def generate_key( ++ self, ++ key_type=None, key_size=None, curve=None, ++ noise_file=None): ++ """ ++ Generate a key of the given type and size. ++ Returns the CKA_ID of the generated key, as a text string. ++ ++ ``noise_file`` ++ Path to a noise file, or ``None`` to automatically ++ generate a noise file. ++ ++ """ ++ ids_pre = set(self.list_private_keys()) ++ ++ cmd = [ ++ 'certutil', ++ '-d', self.directory, ++ '-f', self.password_file, ++ '-G', ++ ] ++ if self.token: ++ cmd.extend(['-h', self.token]) ++ if key_type: ++ cmd.extend(['-k', key_type]) ++ if key_type.lower() == 'ec': ++ # This is fix for Bugzilla 1544843 ++ cmd.extend([ ++ '--keyOpFlagsOn', 'sign', ++ '--keyOpFlagsOff', 'derive', ++ ]) ++ if key_size: ++ cmd.extend(['-g', str(key_size)]) ++ if curve: ++ cmd.extend(['-q', curve]) ++ ++ temp_noise_file = noise_file is None ++ if temp_noise_file: ++ fd, noise_file = tempfile.mkstemp() ++ os.close(fd) ++ size = key_size if key_size else 2048 ++ self.create_noise(noise_file=noise_file, size=size) ++ cmd.extend(['-z', noise_file]) ++ ++ try: ++ subprocess.check_call(cmd) ++ finally: ++ if temp_noise_file: ++ os.unlink(noise_file) ++ ++ ids_post = set(self.list_private_keys()) ++ return list(ids_post - ids_pre)[0].decode('ascii') ++ ++ def list_private_keys(self): ++ """ ++ Return 
list of hex-encoded private key CKA_IDs in the token. ++ ++ """ ++ cmd = [ ++ 'certutil', ++ '-d', self.directory, ++ '-f', self.password_file, ++ '-K', ++ ] ++ if self.token: ++ cmd.extend(['-h', self.token]) ++ try: ++ out = subprocess.check_output(cmd) ++ except subprocess.CalledProcessError as e: ++ if e.returncode == 255: ++ return [] # no keys were found ++ else: ++ raise e # other error; re-raise ++ ++ # output contains list that looks like: ++ # < 0> rsa b995381610fb58e8b45d3c2401dfd30d6efdd595 (orphan) ++ # < 1> rsa dcd6cbc1226ede02a961488553b01639ff981cdd someNickame ++ # ++ # The hex string is the hex-encoded CKA_ID ++ return re.findall(br'^<\s*\d+>\s+\w+\s+(\w+)', out, re.MULTILINE) ++ + def create_cert(self, request_file, cert_file, serial, issuer=None, + key_usage_ext=None, basic_constraints_ext=None, + aki_ext=None, ski_ext=None, aia_ext=None, +-- +1.8.3.1 + + +From 8f638afeec1527d581a8dd9eefc84cde69c1c6b6 Mon Sep 17 00:00:00 2001 +From: Fraser Tweedale +Date: Thu, 11 Jan 2018 19:46:40 +1100 +Subject: [PATCH 2/2] install: add pkispawn option for adding SKI to CSR + +For externally-signed CA installation, some users want to be able to +generate a CSR with a Subject Key Identifier extension - either +user-specified or a generated default. + +This commit adds the 'pki_req_ski' pkispwan option for specifying +that the CSR should bear the SKI extension. It can either be a +hex-encoded SKI value or the string "DEFAULT" which asks that the +value be derived from the public key. + +Update the pki_default.cfg.5 man page to document the new option. 
+ +Fixes: https://pagure.io/dogtagpki/issue/2854 +(cherry picked from commit 4f9327b85eab58463adcece81269b823e9def2b4) +--- + base/server/man/man5/pki_default.cfg.5 | 6 ++++++ + base/server/python/pki/server/deployment/pkihelper.py | 2 ++ + .../server/python/pki/server/deployment/scriptlets/configuration.py | 6 +++++- + .../python/pki/server/deployment/scriptlets/security_databases.py | 4 ++++ + 4 files changed, 17 insertions(+), 1 deletion(-) + +diff --git a/base/server/man/man5/pki_default.cfg.5 b/base/server/man/man5/pki_default.cfg.5 +index afdcbfb..4d83fcc 100644 +--- a/base/server/man/man5/pki_default.cfg.5 ++++ b/base/server/man/man5/pki_default.cfg.5 +@@ -352,6 +352,12 @@ Sets whether the new CA will have a signing certificate that will be issued by a + .IP + Required in the first step of the external CA signing process. The CSR will be printed to the screen and stored in this location. + .PP ++.B pki_req_ski ++.IP ++Include a Subject Key Identifier extension in the CSR. The value is either a ++hex-encoded byte string (\fBwithout\fR leading "0x"), or the string "DEFAULT" ++which will derive a value from the public key. ++.PP + .B pki_external_step_two + .IP + Specifies that this is the second step of the external CA process. Defaults to False. 
+diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py +index 740caff..48446b0 100644 +--- a/base/server/python/pki/server/deployment/pkihelper.py ++++ b/base/server/python/pki/server/deployment/pkihelper.py +@@ -429,6 +429,8 @@ class ConfigurationFile: + # generic extension support in CSR - for external CA + self.add_req_ext = config.str2bool( + self.mdict['pki_req_ext_add']) ++ # include SKI extension in CSR - for external CA ++ self.req_ski = self.mdict.get('pki_req_ski') + + self.existing = config.str2bool(self.mdict['pki_existing']) + self.external = config.str2bool(self.mdict['pki_external']) +diff --git a/base/server/python/pki/server/deployment/scriptlets/configuration.py b/base/server/python/pki/server/deployment/scriptlets/configuration.py +index b4f3141..3f153ec 100644 +--- a/base/server/python/pki/server/deployment/scriptlets/configuration.py ++++ b/base/server/python/pki/server/deployment/scriptlets/configuration.py +@@ -94,6 +94,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + basic_constraints_ext=None, + key_usage_ext=None, + extended_key_usage_ext=None, ++ subject_key_id=None, + generic_exts=None): + + cert_id = self.get_cert_id(subsystem, tag) +@@ -121,6 +122,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + basic_constraints_ext=basic_constraints_ext, + key_usage_ext=key_usage_ext, + extended_key_usage_ext=extended_key_usage_ext, ++ subject_key_id=subject_key_id, + generic_exts=generic_exts) + + with open(csr_path) as f: +@@ -174,7 +176,9 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + csr_path, + basic_constraints_ext=basic_constraints_ext, + key_usage_ext=key_usage_ext, +- generic_exts=generic_exts ++ generic_exts=generic_exts, ++ subject_key_id=subsystem.config.get( ++ 'preop.cert.signing.subject_key_id'), + ) + + def generate_sslserver_csr(self, deployer, nssdb, subsystem): +diff --git 
a/base/server/python/pki/server/deployment/scriptlets/security_databases.py b/base/server/python/pki/server/deployment/scriptlets/security_databases.py +index 7ce32a8..82dd85c 100644 +--- a/base/server/python/pki/server/deployment/scriptlets/security_databases.py ++++ b/base/server/python/pki/server/deployment/scriptlets/security_databases.py +@@ -240,6 +240,10 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + subsystem.config['preop.cert.signing.ext.critical'] = \ + deployer.configuration_file.req_ext_critical.lower() + ++ if deployer.configuration_file.req_ski: ++ subsystem.config['preop.cert.signing.subject_key_id'] = \ ++ deployer.configuration_file.req_ski ++ + subsystem.save() + + def update_external_certs_conf(self, external_path, deployer): +-- +1.8.3.1 + diff --git a/SOURCES/pki-core-Audit-Event-Names-Upgrade-Scripts-2.patch b/SOURCES/pki-core-Audit-Event-Names-Upgrade-Scripts-2.patch deleted file mode 100644 index 781303f..0000000 --- a/SOURCES/pki-core-Audit-Event-Names-Upgrade-Scripts-2.patch +++ /dev/null 
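Review bot: In the added nssdb.py patch, `generate_key` ends with `return list(ids_post - ids_pre)[0].decode('ascii')`, which raises a bare IndexError when `certutil -G` exits 0 but no new CKA_ID appears in the `-K` listing, and silently picks an arbitrary ID if the set difference holds more than one element. Replacing it with `new_ids = ids_post - ids_pre`, `if len(new_ids) != 1: raise RuntimeError('expected one new key, found %d' % len(new_ids))`, `return new_ids.pop().decode('ascii')` makes both cases an explicit failure instead of an obscure traceback or a wrong key. In `create_request`, the hand-built OCTET STRING header `bytearray([0x04, len(ski_bytes)])` is, as the inline comment concedes, wrong for lengths over 127; since `subject_key_id` may be caller-supplied hex, a guard `if len(ski_bytes) > 127: raise ValueError('subject_key_id too long for single-byte DER length')` before building the extension would turn a silently malformed CSR into an error. Also, `if key_type.lower() == 'ec':` follows `if key_type:` in `generate_key`; indentation is lost in this rendering, so if that check is not nested under the guard it will raise AttributeError when `key_type` is None.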
@@ -1,346 +0,0 @@ -diff --git a/base/common/src/com/netscape/certsrv/client/SubsystemClient.java b/base/common/src/com/netscape/certsrv/client/SubsystemClient.java -index 2e7ca34..0aa5c6c 100644 ---- a/base/common/src/com/netscape/certsrv/client/SubsystemClient.java -+++ b/base/common/src/com/netscape/certsrv/client/SubsystemClient.java -@@ -17,9 +17,12 @@ - // --- END COPYRIGHT BLOCK --- - package com.netscape.certsrv.client; - -+import java.net.URI; - import java.net.URISyntaxException; - --import javax.ws.rs.core.Response; -+import org.apache.http.HttpResponse; -+import org.apache.http.client.methods.HttpGet; -+import org.apache.http.impl.client.DefaultHttpClient; - - import com.netscape.certsrv.account.AccountClient; - import com.netscape.certsrv.account.AccountInfo; -@@ -49,12 +52,23 @@ public class SubsystemClient extends Client { - - public boolean exists() throws Exception { - -+ ClientConfig config = client.getConfig(); -+ URI serverURI = config.getServerURI(); - -- PKIConnection connection = client.getConnection(); -- Response response = connection.get("/" + name); -+ URI subsystemURI = new URI( -+ serverURI.getScheme(), -+ null, -+ serverURI.getHost(), -+ serverURI.getPort(), -+ "/" + name, -+ null, -+ null); - -+ DefaultHttpClient client = new DefaultHttpClient(); -+ HttpGet method = new HttpGet(subsystemURI); - try { -- int code = response.getStatus(); -+ HttpResponse response = client.execute(method); -+ int code = response.getStatusLine().getStatusCode(); - - if (code == 200) { - return true; -@@ -63,11 +77,11 @@ public class SubsystemClient extends Client { - return false; - - } else { -- throw new Exception("Error: " + response.getStatusInfo()); -+ throw new Exception("Error: " + response.getStatusLine()); - } - - } finally { -- response.close(); -+ method.releaseConnection(); - } - } - -diff --git a/base/kra/src/com/netscape/kra/SecurityDataRecoveryService.java b/base/kra/src/com/netscape/kra/SecurityDataRecoveryService.java -index 
f20ab4b..8a8ed2e 100644 ---- a/base/kra/src/com/netscape/kra/SecurityDataRecoveryService.java -+++ b/base/kra/src/com/netscape/kra/SecurityDataRecoveryService.java -@@ -32,9 +32,6 @@ import com.netscape.certsrv.request.RequestId; - import com.netscape.cms.logging.Logger; - import com.netscape.cms.logging.SignedAuditLogger; - --import netscape.security.util.DerValue; --import netscape.security.x509.X509Key; -- - /** - * This implementation services SecurityData Recovery requests. - *

-diff --git a/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java b/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java -index 98d5e29..c289245 100644 ---- a/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java -+++ b/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java -@@ -29,7 +29,6 @@ import java.io.ByteArrayInputStream; - import java.io.ByteArrayOutputStream; - import java.io.IOException; - import java.math.BigInteger; --import java.security.cert.X509Certificate; - import java.security.MessageDigest; - import java.security.PublicKey; - import java.security.cert.X509Certificate; -diff --git a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java -index 97971dd..b3136a0 100644 ---- a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java -+++ b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java -@@ -28,7 +28,6 @@ package com.netscape.cms.authentication; - import java.io.ByteArrayInputStream; - import java.io.ByteArrayOutputStream; - import java.io.IOException; --import java.security.cert.X509Certificate; - import java.math.BigInteger; - import java.security.MessageDigest; - import java.security.PublicKey; -diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java -index 7398891..cc65c78 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java -@@ -54,34 +54,6 @@ import javax.ws.rs.core.MultivaluedMap; - import javax.ws.rs.core.Response; - import javax.xml.parsers.ParserConfigurationException; - --import netscape.ldap.LDAPAttribute; --import netscape.ldap.LDAPAttributeSet; --import netscape.ldap.LDAPConnection; --import netscape.ldap.LDAPDN; --import 
netscape.ldap.LDAPEntry; --import netscape.ldap.LDAPException; --import netscape.ldap.LDAPModification; --import netscape.ldap.LDAPSearchConstraints; --import netscape.ldap.LDAPSearchResults; --import netscape.ldap.LDAPv3; --import netscape.security.pkcs.ContentInfo; --import netscape.security.pkcs.PKCS10; --import netscape.security.pkcs.PKCS12; --import netscape.security.pkcs.PKCS12Util; --import netscape.security.pkcs.PKCS7; --import netscape.security.pkcs.SignerInfo; --import netscape.security.util.DerOutputStream; --import netscape.security.util.ObjectIdentifier; --import netscape.security.x509.AlgorithmId; --import netscape.security.x509.BasicConstraintsExtension; --import netscape.security.x509.CertificateChain; --import netscape.security.x509.Extension; --import netscape.security.x509.Extensions; --import netscape.security.x509.KeyUsageExtension; --import netscape.security.x509.X500Name; --import netscape.security.x509.X509CertImpl; --import netscape.security.x509.X509Key; -- - import org.apache.commons.lang.StringUtils; - import org.apache.velocity.context.Context; - import org.mozilla.jss.CryptoManager; -diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/GetStatus.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/GetStatus.java -index 338e26b..1cb8a4c 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/GetStatus.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/GetStatus.java -@@ -138,7 +138,7 @@ public class GetStatus extends CMSServlet { - try { - inputStream = new FileInputStream(versionFilePathName); - String contents = IOUtils.toString(inputStream); -- -+ - if(contents != null) { - CMS.debug("Returning product version: " + version); - version = contents.trim(); -diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg -index 0ae0764..515136b 100644 ---- a/base/server/etc/default.cfg -+++ b/base/server/etc/default.cfg -@@ -399,11 +399,6 @@ pki_master_crl_enable=True - # based on the 
CMS hostname and port. - pki_default_ocsp_uri= - --# Default OCSP URI added by AuthInfoAccessExtDefault if the profile --# config is blank. If both are blank, the value is constructed --# based on the CMS hostname and port. --pki_default_ocsp_uri= -- - # Paths - # These are used in the processing of pkispawn and are not supposed - # to be overwritten by user configuration files. -diff --git a/base/server/python/pki/server/__init__.py b/base/server/python/pki/server/__init__.py -index e0989a9..45af9a0 100644 ---- a/base/server/python/pki/server/__init__.py -+++ b/base/server/python/pki/server/__init__.py -@@ -202,20 +202,21 @@ class PKISubsystem(object): - def load(self): - self.config.clear() - -- lines = open(self.cs_conf).read().splitlines() -- -- for index, line in enumerate(lines): -- if not line or line.startswith('#'): -- continue -- parts = line.split('=', 1) -- if len(parts) < 2: -- raise Exception('Missing delimiter in %s line %d' % (self.cs_conf, index + 1)) -- name = parts[0] -- value = parts[1] -- self.config[name] = value -- -- self.type = self.config['cs.type'] -- self.prefix = self.type.lower() -+ if os.path.exists(self.cs_conf): -+ lines = open(self.cs_conf).read().splitlines() -+ -+ for index, line in enumerate(lines): -+ if not line or line.startswith('#'): -+ continue -+ parts = line.split('=', 1) -+ if len(parts) < 2: -+ raise Exception('Missing delimiter in %s line %d' % (self.cs_conf, index + 1)) -+ name = parts[0] -+ value = parts[1] -+ self.config[name] = value -+ -+ self.type = self.config['cs.type'] -+ self.prefix = self.type.lower() - - def find_system_certs(self): - certs = [] -diff --git a/base/server/python/pki/server/deployment/pkiconfig.py b/base/server/python/pki/server/deployment/pkiconfig.py -index 9e1cab5..cb71db9 100644 ---- a/base/server/python/pki/server/deployment/pkiconfig.py -+++ b/base/server/python/pki/server/deployment/pkiconfig.py -@@ -39,9 +39,7 @@ PKI_DEPLOYMENT_DEFAULT_SHELL = "/sbin/nologin" - 
PKI_DEPLOYMENT_DEFAULT_UID = 17 - PKI_DEPLOYMENT_DEFAULT_USER = "pkiuser" - --PKI_SUBSYSTEMS = ["CA", "KRA", "OCSP", "RA", "TKS", "TPS"] --PKI_SIGNED_AUDIT_SUBSYSTEMS = ["CA", "KRA", "OCSP", "TKS", "TPS"] --PKI_TOMCAT_SUBSYSTEMS = ["CA", "KRA", "OCSP", "TKS", "TPS"] -+PKI_SUBSYSTEMS = ["CA", "KRA", "OCSP", "TKS", "TPS"] - PKI_BASE_RESERVED_NAMES = ["alias", "bin", "ca", "common", "conf", "kra", - "lib", "logs", "ocsp", "temp", "tks", "tps", - "webapps", "work"] -diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py -index 77594ec..9b9e1b8 100644 ---- a/base/server/python/pki/server/deployment/pkihelper.py -+++ b/base/server/python/pki/server/deployment/pkihelper.py -@@ -914,7 +914,7 @@ class Instance: - # Return list of PKI subsystems in the specified tomcat instance - rv = [] - try: -- for subsystem in config.PKI_TOMCAT_SUBSYSTEMS: -+ for subsystem in config.PKI_SUBSYSTEMS: - path = os.path.join( - self.mdict['pki_instance_path'], - subsystem.lower() -diff --git a/base/server/python/pki/server/deployment/scriptlets/initialization.py b/base/server/python/pki/server/deployment/scriptlets/initialization.py -index 4515b55..b35e82c 100644 ---- a/base/server/python/pki/server/deployment/scriptlets/initialization.py -+++ b/base/server/python/pki/server/deployment/scriptlets/initialization.py -@@ -155,7 +155,8 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - deployer.security_domain.deregister(None) - - except Exception as e: # pylint: disable=broad-except -- config.pki_log.error(str(e)) -+ config.pki_log.error(log.PKI_OSERROR_1, e, -+ extra=config.PKI_INDENTATION_LEVEL_0) - # If it is a normal destroy, pass any exception - if not deployer.mdict['pki_force_destroy']: - raise -diff --git a/base/server/python/pki/server/deployment/scriptlets/subsystem_layout.py b/base/server/python/pki/server/deployment/scriptlets/subsystem_layout.py -index fb9f754..32b716a 100644 ---- 
a/base/server/python/pki/server/deployment/scriptlets/subsystem_layout.py -+++ b/base/server/python/pki/server/deployment/scriptlets/subsystem_layout.py -@@ -42,10 +42,9 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - deployer.directory.create(deployer.mdict['pki_subsystem_log_path']) - deployer.directory.create( - deployer.mdict['pki_subsystem_archive_log_path']) -- if deployer.mdict['pki_subsystem'] in \ -- config.PKI_SIGNED_AUDIT_SUBSYSTEMS: -- deployer.directory.create( -- deployer.mdict['pki_subsystem_signed_audit_log_path']) -+ -+ deployer.directory.create( -+ deployer.mdict['pki_subsystem_signed_audit_log_path']) - - # create /var/lib/pki///conf - deployer.directory.create( -@@ -127,10 +126,8 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - - # remove instance-based subsystem logs only if --remove-logs flag is specified - if deployer.mdict['pki_remove_logs']: -- if deployer.mdict['pki_subsystem'] in \ -- config.PKI_SIGNED_AUDIT_SUBSYSTEMS: -- deployer.directory.delete( -- deployer.mdict['pki_subsystem_signed_audit_log_path']) -+ deployer.directory.delete( -+ deployer.mdict['pki_subsystem_signed_audit_log_path']) - deployer.directory.delete( - deployer.mdict['pki_subsystem_archive_log_path']) - deployer.directory.delete( -diff --git a/base/server/upgrade/10.3.5/03-UpdateAJPLoopbackAddress b/base/server/upgrade/10.3.5/03-UpdateAJPLoopbackAddress -deleted file mode 100755 -index b7d5c0e..0000000 ---- a/base/server/upgrade/10.3.5/03-UpdateAJPLoopbackAddress -+++ /dev/null -@@ -1,62 +0,0 @@ --#!/usr/bin/python --# Authors: --# Endi S. Dewata --# --# This program is free software; you can redistribute it and/or modify --# it under the terms of the GNU General Public License as published by --# the Free Software Foundation; version 2 of the License. 
--# --# This program is distributed in the hope that it will be useful, --# but WITHOUT ANY WARRANTY; without even the implied warranty of --# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the --# GNU General Public License for more details. --# --# You should have received a copy of the GNU General Public License along --# with this program; if not, write to the Free Software Foundation, Inc., --# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. --# --# Copyright (C) 2017 Red Hat, Inc. --# All rights reserved. --# -- --from __future__ import absolute_import --import os --from lxml import etree -- --import pki -- -- --class UpdateAJPLoopbackAddress( -- pki.server.upgrade.PKIServerUpgradeScriptlet): -- -- def __init__(self): -- super(UpdateAJPLoopbackAddress, self).__init__() -- self.message = 'Update AJP loopback address' -- -- self.parser = etree.XMLParser(remove_blank_text=True) -- -- def upgrade_instance(self, instance): -- -- server_xml = os.path.join(instance.conf_dir, 'server.xml') -- self.backup(server_xml) -- -- document = etree.parse(server_xml, self.parser) -- -- server = document.getroot() -- connectors = server.findall('.//Connector') -- -- # replace IPv4- or IPv6-specific AJP loopback address with localhost -- for connector in connectors: -- -- protocol = connector.get('protocol') -- if protocol != 'AJP/1.3': -- continue -- -- address = connector.get('address') -- if address != '127.0.0.1' and address != '::1': -- continue -- -- connector.set('address', 'localhost') -- -- with open(server_xml, 'wb') as f: -- document.write(f, pretty_print=True, encoding='utf-8') diff --git a/SOURCES/pki-core-Audit-Event-Names-Upgrade-Scripts.patch b/SOURCES/pki-core-Audit-Event-Names-Upgrade-Scripts.patch deleted file mode 100644 index 9fbf423..0000000 --- a/SOURCES/pki-core-Audit-Event-Names-Upgrade-Scripts.patch +++ /dev/null 
@@ -1,13020 +0,0 @@ -From f06a4c36834fae773da8ed429d0a91fbcda8d6aa Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Wed, 31 Oct 2018 21:56:14 +0100 -Subject: [PATCH 01/26] Updated upgrade framework - -The upgrade framework has been updated to match PKI 10.6 -which no longer requires an upgrade folder for each -upgradable version. - -https://pagure.io/dogtagpki/issue/2686 -(cherry picked from commit b4e5de9d618b57868be8b8d9a49d574ea58a7d40) ---- - base/common/python/pki/upgrade.py | 118 +++++++-------------- - base/common/python/pki/util.py | 86 ++++++++++++++- - base/common/sbin/pki-upgrade | 3 +- - .../python/pki/server/deployment/pkiparser.py | 4 +- - base/server/python/pki/server/upgrade.py | 10 ++ - base/server/sbin/pki-server-upgrade | 19 +++- - 6 files changed, 152 insertions(+), 88 deletions(-) - -diff --git a/base/common/python/pki/upgrade.py b/base/common/python/pki/upgrade.py -index 3106c70..c2d217f 100644 ---- a/base/common/python/pki/upgrade.py -+++ b/base/common/python/pki/upgrade.py -@@ -22,8 +22,8 @@ - from __future__ import absolute_import - from __future__ import print_function - import functools -+import logging - import os --import re - import shutil - import traceback - -@@ -36,70 +36,9 @@ DEFAULT_VERSION = '10.0.0' - UPGRADE_DIR = pki.SHARE_DIR + '/upgrade' - BACKUP_DIR = pki.LOG_DIR + '/upgrade' - SYSTEM_TRACKER = pki.CONF_DIR + '/pki.version' --verbose = False -- -- --@functools.total_ordering --class Version(object): -- -- def __init__(self, obj): -- -- if isinstance(obj, str): -- -- # parse - -- pos = obj.find('-') -- -- if pos > 0: -- self.version = obj[0:pos] -- elif pos < 0: -- self.version = obj -- else: -- raise Exception('Invalid version number: ' + obj) -- -- # parse .. 
-- match = re.match(r'^(\d+)\.(\d+)\.(\d+)$', self.version) -- -- if match is None: -- raise Exception('Invalid version number: ' + self.version) -- -- self.major = int(match.group(1)) -- self.minor = int(match.group(2)) -- self.patch = int(match.group(3)) -- -- elif isinstance(obj, Version): -- -- self.major = obj.major -- self.minor = obj.minor -- self.patch = obj.patch -- -- else: -- raise Exception('Unsupported version type: ' + str(type(obj))) -- -- # release is ignored in comparisons -- def __eq__(self, other): -- return (self.major == other.major and -- self.minor == other.minor and -- self.patch == other.patch) -- -- def __lt__(self, other): -- if self.major < other.major: -- return True - -- if self.major == other.major and self.minor < other.minor: -- return True -- -- if (self.major == other.major and -- self.minor == other.minor and -- self.patch < other.patch): -- return True -- -- return False -- -- # not hashable -- __hash__ = None -- -- def __repr__(self): -- return self.version -+logger = logging.getLogger(__name__) -+verbose = False - - - class PKIUpgradeTracker(object): -@@ -203,9 +142,9 @@ class PKIUpgradeTracker(object): - - version = self.properties.get(self.version_key) - if version: -- return Version(version) -+ return pki.util.Version(version) - -- return Version(DEFAULT_VERSION) -+ return pki.util.Version(DEFAULT_VERSION) - - def set_version(self, version): - -@@ -479,7 +418,7 @@ class PKIUpgrader(object): - - if os.path.exists(self.upgrade_dir): - for version in os.listdir(self.upgrade_dir): -- version = Version(version) -+ version = pki.util.Version(version) - all_versions.append(version) - - all_versions.sort() -@@ -489,25 +428,46 @@ class PKIUpgrader(object): - def versions(self): - - current_version = self.get_current_version() -+ logger.debug('Current version: %s', current_version) -+ - target_version = self.get_target_version() -+ logger.debug('Target version: %s', target_version) - -- current_versions = [] -+ upgrade_path = [] - - 
for version in self.all_versions(): - -- # skip old versions -- if version >= current_version: -- current_versions.append(version) -+ # skip older versions -+ if version < current_version: -+ continue -+ -+ # skip newer versions -+ if version > target_version: -+ continue -+ -+ upgrade_path.append(version) - -- current_versions.sort() -+ upgrade_path.sort() -+ -+ # start from current version -+ if not upgrade_path or upgrade_path[0] != current_version: -+ upgrade_path.insert(0, current_version) -+ -+ # stop at target version -+ if not upgrade_path or upgrade_path[-1] != target_version: -+ upgrade_path.append(target_version) -+ -+ logger.debug('Upgrade path:') -+ for version in upgrade_path: -+ logger.debug(' - %s', version) - - versions = [] - -- for index, version in enumerate(current_versions): -+ for index, version in enumerate(upgrade_path): - - # link versions -- if index < len(current_versions) - 1: -- version.next = current_versions[index + 1] -+ if index < len(upgrade_path) - 1: -+ version.next = upgrade_path[index + 1] - else: - version.next = target_version - -@@ -587,7 +547,7 @@ class PKIUpgrader(object): - return tracker.get_version() - - def get_target_version(self): -- return Version(pki.implementation_version()) -+ return pki.util.Version(pki.implementation_version()) - - def is_complete(self): - -@@ -632,9 +592,6 @@ class PKIUpgrader(object): - scriptlet.init() - scriptlet.upgrade() - -- except pki.PKIException: -- raise -- - except Exception as e: # pylint: disable=W0703 - - print() -@@ -699,9 +656,6 @@ class PKIUpgrader(object): - try: - scriptlet.revert() - -- except pki.PKIException: -- raise -- - except Exception as e: # pylint: disable=W0703 - - print() -diff --git a/base/common/python/pki/util.py b/base/common/python/pki/util.py -index 871c899..65a861f 100644 ---- a/base/common/python/pki/util.py -+++ b/base/common/python/pki/util.py -@@ -24,7 +24,9 @@ Module containing utility functions and classes for the Dogtag python code - - - from 
__future__ import absolute_import -+import functools - import os -+import re - import shutil - from shutil import Error - try: -@@ -32,6 +34,7 @@ try: - except ImportError: - WindowsError = None - -+import six - import subprocess - - DEFAULT_PKI_ENV_LIST = [ -@@ -124,11 +127,14 @@ def copydirs(source, dest): - - def chown(path, uid, gid): - """ -- Change ownership of a folder and its contents. -+ Change ownership of a file or folder recursively. - """ - - os.chown(path, uid, gid) - -+ if not os.path.isdir(path): -+ return -+ - for item in os.listdir(path): - itempath = os.path.join(path, item) - -@@ -138,6 +144,25 @@ def chown(path, uid, gid): - chown(itempath, uid, gid) - - -+def chmod(path, perms): -+ """ -+ Change permissions of a file or folder recursively. -+ """ -+ -+ os.chmod(path, perms) -+ -+ if not os.path.isdir(path): -+ return -+ -+ for item in os.listdir(path): -+ itempath = os.path.join(path, item) -+ -+ if os.path.isfile(itempath): -+ os.chmod(itempath, perms) -+ elif os.path.isdir(itempath): -+ chmod(itempath, perms) -+ -+ - def customize_file(input_file, output_file, params): - """ - Customize a file with specified parameters. 
-@@ -275,3 +300,62 @@ def read_environment_files(env_file_list=None): - if not key.strip() or key == u'_': - continue - os.environ[key] = value -+ -+ -+@functools.total_ordering -+class Version(object): -+ -+ def __init__(self, obj): -+ -+ if isinstance(obj, six.string_types): -+ -+ # parse ..[] -+ match = re.match(r'^(\d+)\.(\d+)\.(\d+)', obj) -+ -+ if match is None: -+ raise Exception('Unable to parse version number: %s' % obj) -+ -+ self.major = int(match.group(1)) -+ self.minor = int(match.group(2)) -+ self.patch = int(match.group(3)) -+ -+ elif isinstance(obj, Version): -+ -+ self.major = obj.major -+ self.minor = obj.minor -+ self.patch = obj.patch -+ -+ else: -+ raise Exception('Unsupported version type: %s' % type(obj)) -+ -+ # release is ignored in comparisons -+ def __eq__(self, other): -+ return (self.major == other.major and -+ self.minor == other.minor and -+ self.patch == other.patch) -+ -+ def __ne__(self, other): -+ return not self.__eq__(other) -+ -+ def __lt__(self, other): -+ if self.major < other.major: -+ return True -+ -+ if self.major == other.major and self.minor < other.minor: -+ return True -+ -+ if (self.major == other.major and -+ self.minor == other.minor and -+ self.patch < other.patch): -+ return True -+ -+ return False -+ -+ def __gt__(self, other): -+ return not self.__lt__(other) and not self.__eq__(other) -+ -+ # not hashable -+ __hash__ = None -+ -+ def __repr__(self): -+ return '%d.%d.%d' % (self.major, self.minor, self.patch) -diff --git a/base/common/sbin/pki-upgrade b/base/common/sbin/pki-upgrade -index 1833de8..b6bf930 100755 ---- a/base/common/sbin/pki-upgrade -+++ b/base/common/sbin/pki-upgrade -@@ -26,6 +26,7 @@ import signal - import sys - - import pki -+import pki.util - import pki.upgrade - - # pylint: disable=W0613 -@@ -113,7 +114,7 @@ def main(argv): - reset_tracker = True - - elif o == '--set-tracker': -- tracker_version = pki.upgrade.Version(a) -+ tracker_version = pki.util.Version(a) - - elif o in ('-v', 
'--verbose'): - pki.upgrade.verbose = True -diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py -index 2ea7319..8971bb5 100644 ---- a/base/server/python/pki/server/deployment/pkiparser.py -+++ b/base/server/python/pki/server/deployment/pkiparser.py -@@ -40,7 +40,7 @@ from six.moves.urllib.parse import urlparse # pylint: disable=F0401,E0611 - - # PKI Imports - import pki --import pki.upgrade -+import pki.util - import pki.account - import pki.client - import pki.system -@@ -337,7 +337,7 @@ class PKIConfigParser: - default_http_port = '8080' - default_https_port = '8443' - -- application_version = str(pki.upgrade.Version( -+ application_version = str(pki.util.Version( - pki.implementation_version())) - - self.deployer.main_config = configparser.SafeConfigParser({ -diff --git a/base/server/python/pki/server/upgrade.py b/base/server/python/pki/server/upgrade.py -index 926c683..e636b8a 100644 ---- a/base/server/python/pki/server/upgrade.py -+++ b/base/server/python/pki/server/upgrade.py -@@ -20,6 +20,7 @@ - - from __future__ import absolute_import - from __future__ import print_function -+import logging - import os - import traceback - -@@ -35,6 +36,8 @@ BACKUP_DIR = pki.LOG_DIR + '/server/upgrade' - INSTANCE_TRACKER = '%s/tomcat.conf' - SUBSYSTEM_TRACKER = '%s/CS.cfg' - -+logger = logging.getLogger(__name__) -+ - - class PKIServerUpgradeScriptlet(pki.upgrade.PKIUpgradeScriptlet): - -@@ -65,8 +68,11 @@ class PKIServerUpgradeScriptlet(pki.upgrade.PKIUpgradeScriptlet): - tracker.set_version(self.version.next) - - def upgrade(self): -+ - for instance in self.upgrader.instances(): - -+ logger.info('Upgrading %s instance', instance.name) -+ - self.upgrade_subsystems(instance) - - # If upgrading a specific subsystem don't upgrade the instance. 
-@@ -81,6 +87,7 @@ class PKIServerUpgradeScriptlet(pki.upgrade.PKIUpgradeScriptlet): - try: - if verbose: - print('Upgrading ' + str(instance) + ' instance.') -+ - self.upgrade_instance(instance) - self.update_server_tracker(instance) - -@@ -106,8 +113,11 @@ class PKIServerUpgradeScriptlet(pki.upgrade.PKIUpgradeScriptlet): - 'Upgrade failed in %s: %s' % (instance, e), e, instance) - - def upgrade_subsystems(self, instance): -+ - for subsystem in self.upgrader.subsystems(instance): - -+ logger.info('Upgrading %s subsystem', subsystem.name) -+ - if not self.can_upgrade_server(instance, subsystem): - if verbose: - print('Skipping ' + str(subsystem) + ' subsystem.') -diff --git a/base/server/sbin/pki-server-upgrade b/base/server/sbin/pki-server-upgrade -index 73e0e4a..932f1c5 100755 ---- a/base/server/sbin/pki-server-upgrade -+++ b/base/server/sbin/pki-server-upgrade -@@ -22,6 +22,7 @@ - from __future__ import absolute_import - from __future__ import print_function - import getopt -+import logging - import signal - import sys - -@@ -29,6 +30,8 @@ import pki - import pki.upgrade - import pki.server.upgrade - -+logger = logging.getLogger('pki.server.cli.upgrade') -+ - - # pylint: disable=W0613 - def interrupt_handler(event, frame): -@@ -71,13 +74,15 @@ def main(argv): - - signal.signal(signal.SIGINT, interrupt_handler) - -+ logging.basicConfig(format='%(levelname)s: %(message)s') -+ - try: - opts, _ = getopt.getopt(argv[1:], 'hi:s:t:vX', [ - 'instance=', 'subsystem=', 'instance-type=', - 'scriptlet-version=', 'scriptlet-index=', - 'silent', 'status', 'revert', - 'remove-tracker', 'reset-tracker', 'set-tracker=', -- 'verbose', 'help']) -+ 'verbose', 'debug', 'help']) - - except getopt.GetoptError as e: - print('ERROR: ' + str(e)) -@@ -132,10 +137,14 @@ def main(argv): - reset_tracker = True - - elif o == '--set-tracker': -- tracker_version = pki.upgrade.Version(a) -+ tracker_version = pki.util.Version(a) - - elif o in ('-v', '--verbose'): - pki.upgrade.verbose = True -+ 
logging.getLogger().setLevel(logging.INFO) -+ -+ elif o == '--debug': -+ logging.getLogger().setLevel(logging.DEBUG) - - elif o in ('-h', '--help'): - usage() -@@ -171,21 +180,27 @@ def main(argv): - silent=silent) - - if status: -+ logger.info('Getting PKI server upgrade status') - upgrader.status() - - elif revert: -+ logger.info('Reverting PKI server last upgrade') - upgrader.revert() - - elif remove_tracker: -+ logger.info('Removing PKI server upgrade tracker') - upgrader.remove_tracker() - - elif reset_tracker: -+ logger.info('Resetting PKI server upgrade tracker') - upgrader.reset_tracker() - - elif tracker_version is not None: -+ logger.info('Setting PKI server upgrade tracker') - upgrader.set_tracker(tracker_version) - - else: -+ logger.info('Upgrading PKI server') - upgrader.upgrade() - - except pki.PKIException as e: --- -1.8.3.1 - - -From a7e4a037ed99dfc44de67dd4396627d452c34355 Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Wed, 31 Oct 2018 22:57:17 +0100 -Subject: [PATCH 02/26] Removed empty upgrade folders - -The empty upgrade folders have been removed since they -are no longer necessary for upgrades. 
- -https://pagure.io/dogtagpki/issue/2686 -(cherry picked from commit 42f14ef88deb25336563a23c67fb2ad3a3a8aa3c) ---- - base/common/upgrade/10.0.0/.gitignore | 4 ---- - base/common/upgrade/10.0.2/.gitignore | 4 ---- - base/common/upgrade/10.0.4/.gitignore | 4 ---- - base/common/upgrade/10.0.5/.gitignore | 4 ---- - base/common/upgrade/10.0.6/.gitignore | 4 ---- - base/common/upgrade/10.1.0/.gitignore | 4 ---- - base/common/upgrade/10.1.1/.gitignore | 4 ---- - base/common/upgrade/10.1.2/.gitignore | 4 ---- - base/common/upgrade/10.1.99/.gitignore | 4 ---- - base/common/upgrade/10.2.0/.gitignore | 4 ---- - base/common/upgrade/10.2.1/.gitignore | 4 ---- - base/common/upgrade/10.2.2/.gitignore | 4 ---- - base/common/upgrade/10.2.3/.gitignore | 4 ---- - base/common/upgrade/10.2.4/.gitignore | 0 - base/common/upgrade/10.2.5/.gitignore | 4 ---- - base/common/upgrade/10.2.6/.gitignore | 4 ---- - base/common/upgrade/10.3.0/.gitignore | 4 ---- - base/common/upgrade/10.3.1/.gitignore | 4 ---- - base/common/upgrade/10.3.2/.gitignore | 4 ---- - base/common/upgrade/10.3.3/.gitignore | 4 ---- - base/common/upgrade/10.3.4/.gitignore | 4 ---- - base/common/upgrade/10.3.5/.gitignore | 4 ---- - base/common/upgrade/10.4.0/.gitignore | 4 ---- - base/common/upgrade/10.4.1/.gitignore | 4 ---- - base/common/upgrade/10.4.2/.gitignore | 4 ---- - base/common/upgrade/10.4.3/.gitignore | 4 ---- - base/common/upgrade/10.4.4/.gitignore | 4 ---- - base/common/upgrade/10.4.5/.gitignore | 4 ---- - base/common/upgrade/10.4.6/.gitignore | 4 ---- - base/server/upgrade/10.0.0/.gitignore | 4 ---- - base/server/upgrade/10.0.2/.gitignore | 4 ---- - base/server/upgrade/10.0.3/.gitignore | 4 ---- - base/server/upgrade/10.0.4/.gitignore | 4 ---- - base/server/upgrade/10.0.6/.gitignore | 4 ---- - base/server/upgrade/10.1.0/.gitignore | 4 ---- - base/server/upgrade/10.1.2/.gitignore | 4 ---- - base/server/upgrade/10.2.0/.gitignore | 4 ---- - base/server/upgrade/10.3.1/.gitignore | 4 ---- - 
base/server/upgrade/10.3.2/.gitignore | 4 ---- - base/server/upgrade/10.3.4/.gitignore | 4 ---- - base/server/upgrade/10.4.1/.gitignore | 4 ---- - base/server/upgrade/10.4.3/.gitignore | 4 ---- - base/server/upgrade/10.4.4/.gitignore | 4 ---- - base/server/upgrade/10.4.5/.gitignore | 4 ---- - base/server/upgrade/10.5.1/.gitignore | 4 ---- - 45 files changed, 176 deletions(-) - delete mode 100644 base/common/upgrade/10.0.0/.gitignore - delete mode 100644 base/common/upgrade/10.0.2/.gitignore - delete mode 100644 base/common/upgrade/10.0.4/.gitignore - delete mode 100644 base/common/upgrade/10.0.5/.gitignore - delete mode 100644 base/common/upgrade/10.0.6/.gitignore - delete mode 100644 base/common/upgrade/10.1.0/.gitignore - delete mode 100644 base/common/upgrade/10.1.1/.gitignore - delete mode 100644 base/common/upgrade/10.1.2/.gitignore - delete mode 100644 base/common/upgrade/10.1.99/.gitignore - delete mode 100644 base/common/upgrade/10.2.0/.gitignore - delete mode 100644 base/common/upgrade/10.2.1/.gitignore - delete mode 100644 base/common/upgrade/10.2.2/.gitignore - delete mode 100644 base/common/upgrade/10.2.3/.gitignore - delete mode 100644 base/common/upgrade/10.2.4/.gitignore - delete mode 100644 base/common/upgrade/10.2.5/.gitignore - delete mode 100644 base/common/upgrade/10.2.6/.gitignore - delete mode 100644 base/common/upgrade/10.3.0/.gitignore - delete mode 100644 base/common/upgrade/10.3.1/.gitignore - delete mode 100644 base/common/upgrade/10.3.2/.gitignore - delete mode 100644 base/common/upgrade/10.3.3/.gitignore - delete mode 100644 base/common/upgrade/10.3.4/.gitignore - delete mode 100644 base/common/upgrade/10.3.5/.gitignore - delete mode 100644 base/common/upgrade/10.4.0/.gitignore - delete mode 100644 base/common/upgrade/10.4.1/.gitignore - delete mode 100644 base/common/upgrade/10.4.2/.gitignore - delete mode 100644 base/common/upgrade/10.4.3/.gitignore - delete mode 100644 base/common/upgrade/10.4.4/.gitignore - delete mode 100644 
base/common/upgrade/10.4.5/.gitignore - delete mode 100644 base/common/upgrade/10.4.6/.gitignore - delete mode 100644 base/server/upgrade/10.0.0/.gitignore - delete mode 100644 base/server/upgrade/10.0.2/.gitignore - delete mode 100644 base/server/upgrade/10.0.3/.gitignore - delete mode 100644 base/server/upgrade/10.0.4/.gitignore - delete mode 100644 base/server/upgrade/10.0.6/.gitignore - delete mode 100644 base/server/upgrade/10.1.0/.gitignore - delete mode 100644 base/server/upgrade/10.1.2/.gitignore - delete mode 100644 base/server/upgrade/10.2.0/.gitignore - delete mode 100644 base/server/upgrade/10.3.1/.gitignore - delete mode 100644 base/server/upgrade/10.3.2/.gitignore - delete mode 100644 base/server/upgrade/10.3.4/.gitignore - delete mode 100644 base/server/upgrade/10.4.1/.gitignore - delete mode 100644 base/server/upgrade/10.4.3/.gitignore - delete mode 100644 base/server/upgrade/10.4.4/.gitignore - delete mode 100644 base/server/upgrade/10.4.5/.gitignore - delete mode 100644 base/server/upgrade/10.5.1/.gitignore - -diff --git a/base/common/upgrade/10.0.0/.gitignore b/base/common/upgrade/10.0.0/.gitignore -deleted file mode 100644 -index 5e7d273..0000000 ---- a/base/common/upgrade/10.0.0/.gitignore -+++ /dev/null -@@ -1,4 +0,0 @@ --# Ignore everything in this directory --* --# Except this file --!.gitignore -diff --git a/base/common/upgrade/10.0.2/.gitignore b/base/common/upgrade/10.0.2/.gitignore -deleted file mode 100644 -index 5e7d273..0000000 ---- a/base/common/upgrade/10.0.2/.gitignore -+++ /dev/null -@@ -1,4 +0,0 @@ --# Ignore everything in this directory --* --# Except this file --!.gitignore -diff --git a/base/common/upgrade/10.0.4/.gitignore b/base/common/upgrade/10.0.4/.gitignore -deleted file mode 100644 -index 5e7d273..0000000 ---- a/base/common/upgrade/10.0.4/.gitignore -+++ /dev/null -@@ -1,4 +0,0 @@ --# Ignore everything in this directory --* --# Except this file --!.gitignore -diff --git a/base/common/upgrade/10.0.5/.gitignore 
b/base/common/upgrade/10.0.5/.gitignore -deleted file mode 100644 -index 5e7d273..0000000 ---- a/base/common/upgrade/10.0.5/.gitignore -+++ /dev/null -@@ -1,4 +0,0 @@ --# Ignore everything in this directory --* --# Except this file --!.gitignore -diff --git a/base/common/upgrade/10.0.6/.gitignore b/base/common/upgrade/10.0.6/.gitignore -deleted file mode 100644 -index 5e7d273..0000000 ---- a/base/common/upgrade/10.0.6/.gitignore -+++ /dev/null -@@ -1,4 +0,0 @@ --# Ignore everything in this directory --* --# Except this file --!.gitignore -diff --git a/base/common/upgrade/10.1.0/.gitignore b/base/common/upgrade/10.1.0/.gitignore -deleted file mode 100644 -index 5e7d273..0000000 ---- a/base/common/upgrade/10.1.0/.gitignore -+++ /dev/null -@@ -1,4 +0,0 @@ --# Ignore everything in this directory --* --# Except this file --!.gitignore -diff --git a/base/common/upgrade/10.1.1/.gitignore b/base/common/upgrade/10.1.1/.gitignore -deleted file mode 100644 -index 5e7d273..0000000 ---- a/base/common/upgrade/10.1.1/.gitignore -+++ /dev/null -@@ -1,4 +0,0 @@ --# Ignore everything in this directory --* --# Except this file --!.gitignore -diff --git a/base/common/upgrade/10.1.2/.gitignore b/base/common/upgrade/10.1.2/.gitignore -deleted file mode 100644 -index 5e7d273..0000000 ---- a/base/common/upgrade/10.1.2/.gitignore -+++ /dev/null -@@ -1,4 +0,0 @@ --# Ignore everything in this directory --* --# Except this file --!.gitignore -diff --git a/base/common/upgrade/10.1.99/.gitignore b/base/common/upgrade/10.1.99/.gitignore -deleted file mode 100644 -index 5e7d273..0000000 ---- a/base/common/upgrade/10.1.99/.gitignore -+++ /dev/null -@@ -1,4 +0,0 @@ --# Ignore everything in this directory --* --# Except this file --!.gitignore -diff --git a/base/common/upgrade/10.2.0/.gitignore b/base/common/upgrade/10.2.0/.gitignore -deleted file mode 100644 -index 5e7d273..0000000 ---- a/base/common/upgrade/10.2.0/.gitignore -+++ /dev/null -@@ -1,4 +0,0 @@ --# Ignore everything in this directory 
--* --# Except this file --!.gitignore -diff --git a/base/common/upgrade/10.2.1/.gitignore b/base/common/upgrade/10.2.1/.gitignore -deleted file mode 100644 -index 5e7d273..0000000 ---- a/base/common/upgrade/10.2.1/.gitignore -+++ /dev/null -@@ -1,4 +0,0 @@ --# Ignore everything in this directory --* --# Except this file --!.gitignore -diff --git a/base/common/upgrade/10.2.2/.gitignore b/base/common/upgrade/10.2.2/.gitignore -deleted file mode 100644 -index 5e7d273..0000000 ---- a/base/common/upgrade/10.2.2/.gitignore -+++ /dev/null -@@ -1,4 +0,0 @@ --# Ignore everything in this directory --* --# Except this file --!.gitignore -diff --git a/base/common/upgrade/10.2.3/.gitignore b/base/common/upgrade/10.2.3/.gitignore -deleted file mode 100644 -index 5e7d273..0000000 ---- a/base/common/upgrade/10.2.3/.gitignore -+++ /dev/null -@@ -1,4 +0,0 @@ --# Ignore everything in this directory --* --# Except this file --!.gitignore -diff --git a/base/common/upgrade/10.2.4/.gitignore b/base/common/upgrade/10.2.4/.gitignore -deleted file mode 100644 -index e69de29..0000000 -diff --git a/base/common/upgrade/10.2.5/.gitignore b/base/common/upgrade/10.2.5/.gitignore -deleted file mode 100644 -index 5e7d273..0000000 ---- a/base/common/upgrade/10.2.5/.gitignore -+++ /dev/null -@@ -1,4 +0,0 @@ --# Ignore everything in this directory --* --# Except this file --!.gitignore -diff --git a/base/common/upgrade/10.2.6/.gitignore b/base/common/upgrade/10.2.6/.gitignore -deleted file mode 100644 -index 5e7d273..0000000 ---- a/base/common/upgrade/10.2.6/.gitignore -+++ /dev/null -@@ -1,4 +0,0 @@ --# Ignore everything in this directory --* --# Except this file --!.gitignore -diff --git a/base/common/upgrade/10.3.0/.gitignore b/base/common/upgrade/10.3.0/.gitignore -deleted file mode 100644 -index 5e7d273..0000000 ---- a/base/common/upgrade/10.3.0/.gitignore -+++ /dev/null -@@ -1,4 +0,0 @@ --# Ignore everything in this directory --* --# Except this file --!.gitignore -diff --git 
a/base/common/upgrade/10.3.1/.gitignore b/base/common/upgrade/10.3.1/.gitignore -deleted file mode 100644 -index 5e7d273..0000000 ---- a/base/common/upgrade/10.3.1/.gitignore -+++ /dev/null -@@ -1,4 +0,0 @@ --# Ignore everything in this directory --* --# Except this file --!.gitignore -diff --git a/base/common/upgrade/10.3.2/.gitignore b/base/common/upgrade/10.3.2/.gitignore -deleted file mode 100644 -index 5e7d273..0000000 ---- a/base/common/upgrade/10.3.2/.gitignore -+++ /dev/null -@@ -1,4 +0,0 @@ --# Ignore everything in this directory --* --# Except this file --!.gitignore -diff --git a/base/common/upgrade/10.3.3/.gitignore b/base/common/upgrade/10.3.3/.gitignore -deleted file mode 100644 -index 5e7d273..0000000 ---- a/base/common/upgrade/10.3.3/.gitignore -+++ /dev/null -@@ -1,4 +0,0 @@ --# Ignore everything in this directory --* --# Except this file --!.gitignore -diff --git a/base/common/upgrade/10.3.4/.gitignore b/base/common/upgrade/10.3.4/.gitignore -deleted file mode 100644 -index 5e7d273..0000000 ---- a/base/common/upgrade/10.3.4/.gitignore -+++ /dev/null -@@ -1,4 +0,0 @@ --# Ignore everything in this directory --* --# Except this file --!.gitignore -diff --git a/base/common/upgrade/10.3.5/.gitignore b/base/common/upgrade/10.3.5/.gitignore -deleted file mode 100644 -index 5e7d273..0000000 ---- a/base/common/upgrade/10.3.5/.gitignore -+++ /dev/null -@@ -1,4 +0,0 @@ --# Ignore everything in this directory --* --# Except this file --!.gitignore -diff --git a/base/common/upgrade/10.4.0/.gitignore b/base/common/upgrade/10.4.0/.gitignore -deleted file mode 100644 -index 5e7d273..0000000 ---- a/base/common/upgrade/10.4.0/.gitignore -+++ /dev/null -@@ -1,4 +0,0 @@ --# Ignore everything in this directory --* --# Except this file --!.gitignore -diff --git a/base/common/upgrade/10.4.1/.gitignore b/base/common/upgrade/10.4.1/.gitignore -deleted file mode 100644 -index 5e7d273..0000000 ---- a/base/common/upgrade/10.4.1/.gitignore -+++ /dev/null -@@ -1,4 +0,0 @@ --# 
Ignore everything in this directory --* --# Except this file --!.gitignore -diff --git a/base/common/upgrade/10.4.2/.gitignore b/base/common/upgrade/10.4.2/.gitignore -deleted file mode 100644 -index 5e7d273..0000000 ---- a/base/common/upgrade/10.4.2/.gitignore -+++ /dev/null -@@ -1,4 +0,0 @@ --# Ignore everything in this directory --* --# Except this file --!.gitignore -diff --git a/base/common/upgrade/10.4.3/.gitignore b/base/common/upgrade/10.4.3/.gitignore -deleted file mode 100644 -index 5e7d273..0000000 ---- a/base/common/upgrade/10.4.3/.gitignore -+++ /dev/null -@@ -1,4 +0,0 @@ --# Ignore everything in this directory --* --# Except this file --!.gitignore -diff --git a/base/common/upgrade/10.4.4/.gitignore b/base/common/upgrade/10.4.4/.gitignore -deleted file mode 100644 -index 5e7d273..0000000 ---- a/base/common/upgrade/10.4.4/.gitignore -+++ /dev/null -@@ -1,4 +0,0 @@ --# Ignore everything in this directory --* --# Except this file --!.gitignore -diff --git a/base/common/upgrade/10.4.5/.gitignore b/base/common/upgrade/10.4.5/.gitignore -deleted file mode 100644 -index 5e7d273..0000000 ---- a/base/common/upgrade/10.4.5/.gitignore -+++ /dev/null -@@ -1,4 +0,0 @@ --# Ignore everything in this directory --* --# Except this file --!.gitignore -diff --git a/base/common/upgrade/10.4.6/.gitignore b/base/common/upgrade/10.4.6/.gitignore -deleted file mode 100644 -index 5e7d273..0000000 ---- a/base/common/upgrade/10.4.6/.gitignore -+++ /dev/null -@@ -1,4 +0,0 @@ --# Ignore everything in this directory --* --# Except this file --!.gitignore -diff --git a/base/server/upgrade/10.0.0/.gitignore b/base/server/upgrade/10.0.0/.gitignore -deleted file mode 100644 -index 5e7d273..0000000 ---- a/base/server/upgrade/10.0.0/.gitignore -+++ /dev/null -@@ -1,4 +0,0 @@ --# Ignore everything in this directory --* --# Except this file --!.gitignore -diff --git a/base/server/upgrade/10.0.2/.gitignore b/base/server/upgrade/10.0.2/.gitignore -deleted file mode 100644 -index 
5e7d273..0000000 ---- a/base/server/upgrade/10.0.2/.gitignore -+++ /dev/null -@@ -1,4 +0,0 @@ --# Ignore everything in this directory --* --# Except this file --!.gitignore -diff --git a/base/server/upgrade/10.0.3/.gitignore b/base/server/upgrade/10.0.3/.gitignore -deleted file mode 100644 -index 5e7d273..0000000 ---- a/base/server/upgrade/10.0.3/.gitignore -+++ /dev/null -@@ -1,4 +0,0 @@ --# Ignore everything in this directory --* --# Except this file --!.gitignore -diff --git a/base/server/upgrade/10.0.4/.gitignore b/base/server/upgrade/10.0.4/.gitignore -deleted file mode 100644 -index 5e7d273..0000000 ---- a/base/server/upgrade/10.0.4/.gitignore -+++ /dev/null -@@ -1,4 +0,0 @@ --# Ignore everything in this directory --* --# Except this file --!.gitignore -diff --git a/base/server/upgrade/10.0.6/.gitignore b/base/server/upgrade/10.0.6/.gitignore -deleted file mode 100644 -index 5e7d273..0000000 ---- a/base/server/upgrade/10.0.6/.gitignore -+++ /dev/null -@@ -1,4 +0,0 @@ --# Ignore everything in this directory --* --# Except this file --!.gitignore -diff --git a/base/server/upgrade/10.1.0/.gitignore b/base/server/upgrade/10.1.0/.gitignore -deleted file mode 100644 -index 5e7d273..0000000 ---- a/base/server/upgrade/10.1.0/.gitignore -+++ /dev/null -@@ -1,4 +0,0 @@ --# Ignore everything in this directory --* --# Except this file --!.gitignore -diff --git a/base/server/upgrade/10.1.2/.gitignore b/base/server/upgrade/10.1.2/.gitignore -deleted file mode 100644 -index 5e7d273..0000000 ---- a/base/server/upgrade/10.1.2/.gitignore -+++ /dev/null -@@ -1,4 +0,0 @@ --# Ignore everything in this directory --* --# Except this file --!.gitignore -diff --git a/base/server/upgrade/10.2.0/.gitignore b/base/server/upgrade/10.2.0/.gitignore -deleted file mode 100644 -index 5e7d273..0000000 ---- a/base/server/upgrade/10.2.0/.gitignore -+++ /dev/null -@@ -1,4 +0,0 @@ --# Ignore everything in this directory --* --# Except this file --!.gitignore -diff --git 
a/base/server/upgrade/10.3.1/.gitignore b/base/server/upgrade/10.3.1/.gitignore -deleted file mode 100644 -index 5e7d273..0000000 ---- a/base/server/upgrade/10.3.1/.gitignore -+++ /dev/null -@@ -1,4 +0,0 @@ --# Ignore everything in this directory --* --# Except this file --!.gitignore -diff --git a/base/server/upgrade/10.3.2/.gitignore b/base/server/upgrade/10.3.2/.gitignore -deleted file mode 100644 -index 5e7d273..0000000 ---- a/base/server/upgrade/10.3.2/.gitignore -+++ /dev/null -@@ -1,4 +0,0 @@ --# Ignore everything in this directory --* --# Except this file --!.gitignore -diff --git a/base/server/upgrade/10.3.4/.gitignore b/base/server/upgrade/10.3.4/.gitignore -deleted file mode 100644 -index 5e7d273..0000000 ---- a/base/server/upgrade/10.3.4/.gitignore -+++ /dev/null -@@ -1,4 +0,0 @@ --# Ignore everything in this directory --* --# Except this file --!.gitignore -diff --git a/base/server/upgrade/10.4.1/.gitignore b/base/server/upgrade/10.4.1/.gitignore -deleted file mode 100644 -index 5e7d273..0000000 ---- a/base/server/upgrade/10.4.1/.gitignore -+++ /dev/null -@@ -1,4 +0,0 @@ --# Ignore everything in this directory --* --# Except this file --!.gitignore -diff --git a/base/server/upgrade/10.4.3/.gitignore b/base/server/upgrade/10.4.3/.gitignore -deleted file mode 100644 -index 5e7d273..0000000 ---- a/base/server/upgrade/10.4.3/.gitignore -+++ /dev/null -@@ -1,4 +0,0 @@ --# Ignore everything in this directory --* --# Except this file --!.gitignore -diff --git a/base/server/upgrade/10.4.4/.gitignore b/base/server/upgrade/10.4.4/.gitignore -deleted file mode 100644 -index 5e7d273..0000000 ---- a/base/server/upgrade/10.4.4/.gitignore -+++ /dev/null -@@ -1,4 +0,0 @@ --# Ignore everything in this directory --* --# Except this file --!.gitignore -diff --git a/base/server/upgrade/10.4.5/.gitignore b/base/server/upgrade/10.4.5/.gitignore -deleted file mode 100644 -index 5e7d273..0000000 ---- a/base/server/upgrade/10.4.5/.gitignore -+++ /dev/null -@@ -1,4 +0,0 @@ --# 
Ignore everything in this directory --* --# Except this file --!.gitignore -diff --git a/base/server/upgrade/10.5.1/.gitignore b/base/server/upgrade/10.5.1/.gitignore -deleted file mode 100644 -index 5e7d273..0000000 ---- a/base/server/upgrade/10.5.1/.gitignore -+++ /dev/null -@@ -1,4 +0,0 @@ --# Ignore everything in this directory --* --# Except this file --!.gitignore --- -1.8.3.1 - - -From 8bdcb3dcb6d304604dc68e44917847b71724cde5 Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Thu, 1 Nov 2018 04:34:50 +0100 -Subject: [PATCH 03/26] Updated pki-server -audit-event-find - -The pki-server -audit-event-find has been modified -to support searching all events, enabled events, and disabled -events. - -https://pagure.io/dogtagpki/issue/2686 -(cherry picked from commit 1d7b48538cc6ede7780489cc22bc631caffebe04) ---- - base/server/python/pki/server/__init__.py | 95 ++++++++++++++++++++++++++++--- - 1 file changed, 88 insertions(+), 7 deletions(-) - -diff --git a/base/server/python/pki/server/__init__.py b/base/server/python/pki/server/__init__.py -index b5180f0..ace98f3 100644 ---- a/base/server/python/pki/server/__init__.py -+++ b/base/server/python/pki/server/__init__.py -@@ -428,24 +428,105 @@ class PKISubsystem(object): - - def find_audit_events(self, enabled=None): - -- if not enabled: -- raise Exception('This operation is not yet supported. 
Specify --enabled True.') -- - events = [] - -- names = self.config['log.instance.SignedAudit.events'].split(',') -- names = list(map(str.strip, names)) -- names.sort() -+ # get enabled events -+ enabled_event_names = self.get_enabled_audit_events() -+ -+ if enabled is None: -+ # get all events -+ names = self.get_audit_events() -+ -+ elif enabled: # enabled == True -+ # get enabled events -+ names = enabled_event_names -+ -+ else: # enabled == False -+ # get all events -+ all_event_names = self.get_audit_events() -+ -+ # get disabled events by subtracting enabled events from all events -+ names = sorted(set(all_event_names) - set(enabled_event_names)) - -+ # get event properties - for name in names: - event = {} - event['name'] = name -- event['enabled'] = True -+ event['enabled'] = name in enabled_event_names - event['filter'] = self.config.get('log.instance.SignedAudit.filters.%s' % name) - events.append(event) - - return events - -+ def get_audit_events(self): -+ -+ # get the full list of audit events from LogMessages.properties -+ -+ properties = {} -+ tmpdir = tempfile.mkdtemp() -+ -+ try: -+ # export LogMessages.properties from cmsbundle.jar -+ cmsbundle_jar = \ -+ '/usr/share/pki/%s/webapps/%s/WEB-INF/lib/pki-cmsbundle.jar' \ -+ % (self.name, self.name) -+ -+ cmd = [ -+ 'jar', -+ 'xf', -+ cmsbundle_jar, -+ 'LogMessages.properties' -+ ] -+ -+ logger.debug('Command: %s', ' '.join(cmd)) -+ -+ subprocess.check_output( -+ cmd, -+ cwd=tmpdir, -+ stderr=subprocess.STDOUT) -+ -+ # load LogMessages.properties -+ log_messages_properties = os.path.join(tmpdir, 'LogMessages.properties') -+ pki.util.load_properties(log_messages_properties, properties) -+ -+ finally: -+ shutil.rmtree(tmpdir) -+ -+ # get audit events -+ events = set() -+ name_pattern = re.compile(r'LOGGING_SIGNED_AUDIT_') -+ value_pattern = re.compile(r':') -+ -+ for name in properties: -+ -+ name_match = name_pattern.match(name) -+ if not name_match: -+ continue -+ -+ value = properties[name] -+ -+ 
value_match = value_pattern.match(value) -+ if not value_match: -+ continue -+ -+ event = value_match.group(1) -+ events.add(event) -+ -+ return sorted(events) -+ -+ def get_enabled_audit_events(self): -+ -+ # parse enabled audit events -+ value = self.config['log.instance.SignedAudit.events'] -+ event_list = value.replace(' ', '').split(',') -+ -+ # remove duplicates -+ events = set() -+ for event in event_list: -+ events.add(event) -+ -+ return sorted(events) -+ - def get_audit_log_dir(self): - - current_file_path = self.config['log.instance.SignedAudit.fileName'] --- -1.8.3.1 - - -From bcc43b903a67a88c254240840e885407e7c51f3c Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Wed, 7 Nov 2018 16:53:57 +0100 -Subject: [PATCH 04/26] Updated pki.util.load_properties() - -The pki.util.load_properties() has been modified to support -multi-line property value. - -https://pagure.io/dogtagpki/issue/2686 -(cherry picked from commit 618c5aec2cf1f16bcf30e676d3ed1f84722a32e3) ---- - base/common/python/pki/util.py | 38 +++++++++++++++++++++++++++++--------- - 1 file changed, 29 insertions(+), 9 deletions(-) - -diff --git a/base/common/python/pki/util.py b/base/common/python/pki/util.py -index 65a861f..a5d220f 100644 ---- a/base/common/python/pki/util.py -+++ b/base/common/python/pki/util.py -@@ -180,22 +180,42 @@ def load_properties(filename, properties): - with open(filename) as f: - - lines = f.read().splitlines() -+ name = None -+ multi_line = False - - for index, line in enumerate(lines): - -- line = line.strip() -+ if multi_line: -+ # append line to previous property - -- if not line or line.startswith('#'): -- continue -+ value = properties[name] -+ value = value + line - -- parts = line.split('=', 1) -+ else: -+ # parse line for new property -+ -+ line = line.lstrip() -+ if not line or line.startswith('#'): -+ continue -+ -+ parts = line.split('=', 1) -+ if len(parts) < 2: -+ raise Exception('Missing delimiter in %s line %d' % -+ (filename, index + 1)) - -- if 
len(parts) < 2: -- raise Exception('Missing delimiter in %s line %d' % -- (filename, index + 1)) -+ name = parts[0].rstrip() -+ value = parts[1].lstrip() -+ -+ # check if the value is multi-line -+ if value.endswith('\\'): -+ value = value[:-1] -+ multi_line = True -+ -+ else: -+ value = value.rstrip() -+ multi_line = False - -- name = parts[0].strip() -- value = parts[1].strip() -+ # store value in properties - properties[name] = value - - --- -1.8.3.1 - - -From 68427be67b3b5cf1c55b2ffe5eefd37f45dd8cab Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Fri, 9 Nov 2018 16:34:14 +0100 -Subject: [PATCH 05/26] Added audit event management tools - -The pki-server -audit-* commands have been backported -to PKI 10.5. - -https://pagure.io/dogtagpki/issue/2686 -(cherry picked from commit adc316972072789b12ab2c2feb391bbdb01768d5) ---- - base/server/python/pki/server/__init__.py | 83 +++- - base/server/python/pki/server/cli/audit.py | 587 ++++++++++++++++++++++++++++- - 2 files changed, 662 insertions(+), 8 deletions(-) - -diff --git a/base/server/python/pki/server/__init__.py b/base/server/python/pki/server/__init__.py -index ace98f3..6cbda2f 100644 ---- a/base/server/python/pki/server/__init__.py -+++ b/base/server/python/pki/server/__init__.py -@@ -426,7 +426,65 @@ class PKISubsystem(object): - - pki.util.customize_file(input_file, output_file, params) - -- def find_audit_events(self, enabled=None): -+ def enable_audit_event(self, event_name): -+ -+ if not event_name: -+ raise ValueError("Please specify the Event name") -+ -+ names = self.get_audit_events() -+ if event_name not in names: -+ raise PKIServerException('Invalid audit event: %s' % event_name) -+ -+ value = self.config['log.instance.SignedAudit.events'] -+ events = set(value.replace(' ', '').split(',')) -+ -+ if event_name in events: -+ return False -+ -+ events.add(event_name) -+ event_list = ','.join(sorted(events)) -+ self.config['log.instance.SignedAudit.events'] = event_list -+ -+ return True -+ -+ 
def update_audit_event_filter(self, event_name, event_filter): -+ -+ if not event_name: -+ raise ValueError("Please specify the Event name") -+ -+ names = self.get_audit_events() -+ if event_name not in names: -+ raise PKIServerException('Invalid audit event: %s' % event_name) -+ -+ name = 'log.instance.SignedAudit.filters.%s' % event_name -+ -+ if event_filter: -+ self.config[name] = event_filter -+ else: -+ self.config.pop(name, None) -+ -+ def disable_audit_event(self, event_name): -+ -+ if not event_name: -+ raise ValueError("Please specify the Event name") -+ -+ names = self.get_audit_events() -+ if event_name not in names: -+ raise PKIServerException('Invalid audit event: %s' % event_name) -+ -+ value = self.config['log.instance.SignedAudit.events'] -+ events = set(value.replace(' ', '').split(',')) -+ -+ if event_name not in events: -+ return False -+ -+ events.remove(event_name) -+ event_list = ','.join(sorted(events)) -+ self.config['log.instance.SignedAudit.events'] = event_list -+ -+ return True -+ -+ def find_audit_event_configs(self, enabled=None): - - events = [] - -@@ -458,6 +516,22 @@ class PKISubsystem(object): - - return events - -+ def get_audit_event_config(self, name): -+ -+ names = self.get_audit_events() -+ -+ if name not in names: -+ raise PKIServerException('Invalid audit event: %s' % name) -+ -+ enabled_event_names = self.get_enabled_audit_events() -+ -+ event = {} -+ event['name'] = name -+ event['enabled'] = name in enabled_event_names -+ event['filter'] = self.config.get('log.instance.SignedAudit.filters.%s' % name) -+ -+ return event -+ - def get_audit_events(self): - - # get the full list of audit events from LogMessages.properties -@@ -518,12 +592,7 @@ class PKISubsystem(object): - - # parse enabled audit events - value = self.config['log.instance.SignedAudit.events'] -- event_list = value.replace(' ', '').split(',') -- -- # remove duplicates -- events = set() -- for event in event_list: -- events.add(event) -+ events = 
set(value.replace(' ', '').split(',')) - - return sorted(events) - -diff --git a/base/server/python/pki/server/cli/audit.py b/base/server/python/pki/server/cli/audit.py -index bbbdd10..44fd86a 100644 ---- a/base/server/python/pki/server/cli/audit.py -+++ b/base/server/python/pki/server/cli/audit.py -@@ -20,6 +20,7 @@ - - from __future__ import absolute_import - from __future__ import print_function -+ - import getopt - import os - import shutil -@@ -37,10 +38,271 @@ class AuditCLI(pki.cli.CLI): - 'audit', 'Audit management commands') - - self.parent = parent -+ self.add_module(AuditConfigShowCLI(self)) -+ self.add_module(AuditConfigModifyCLI(self)) - self.add_module(AuditEventFindCLI(self)) -+ self.add_module(AuditEventShowCLI(self)) -+ self.add_module(AuditEventEnableCLI(self)) -+ self.add_module(AuditEventDisableCLI(self)) -+ self.add_module(AuditEventUpdateCLI(self)) - self.add_module(AuditFileFindCLI(self)) - self.add_module(AuditFileVerifyCLI(self)) - -+ @staticmethod -+ def print_audit_config(subsystem): -+ -+ name = 'log.instance.SignedAudit.%s' -+ -+ enabled = subsystem.config[name % 'enable'].lower() == 'true' -+ -+ fileName = subsystem.config[name % 'fileName'] -+ bufferSize = subsystem.config[name % 'bufferSize'] -+ flushInterval = subsystem.config[name % 'flushInterval'] -+ -+ maxFileSize = subsystem.config[name % 'maxFileSize'] -+ rolloverInterval = subsystem.config[name % 'rolloverInterval'] -+ expirationTime = subsystem.config[name % 'expirationTime'] -+ -+ logSigning = subsystem.config[name % 'logSigning'].lower() == 'true' -+ signedAuditCertNickname = subsystem.config[name % 'signedAuditCertNickname'] -+ -+ print(' Enabled: %s' % enabled) -+ -+ print(' Log File: %s' % fileName) -+ print(' Buffer Size (bytes): %s' % bufferSize) -+ print(' Flush Interval (seconds): %s' % flushInterval) -+ -+ print(' Max File Size (bytes): %s' % maxFileSize) -+ print(' Rollover Interval (seconds): %s' % rolloverInterval) -+ print(' Expiration Time (seconds): %s' % 
expirationTime) -+ -+ print(' Log Signing: %s' % logSigning) -+ print(' Signing Certificate: %s' % signedAuditCertNickname) -+ -+ @staticmethod -+ def print_audit_event_config(event): -+ print(' Event Name: %s' % event.get('name')) -+ print(' Enabled: %s' % event.get('enabled')) -+ print(' Filter: %s' % event.get('filter')) -+ -+ -+class AuditConfigShowCLI(pki.cli.CLI): -+ -+ def __init__(self, parent): -+ super(AuditConfigShowCLI, self).__init__( -+ 'config-show', 'Display audit configuration') -+ self.parent = parent -+ -+ def print_help(self): -+ print('Usage: pki-server %s-audit-config-show [OPTIONS]' % self.parent.parent.name) -+ print() -+ print(' -i, --instance Instance ID (default: pki-tomcat).') -+ print(' --help Show help message.') -+ print() -+ -+ def execute(self, argv): -+ try: -+ opts, _ = getopt.gnu_getopt(argv, 'i:v', [ -+ 'instance=', -+ 'verbose', 'help']) -+ -+ except getopt.GetoptError as e: -+ print('ERROR: ' + str(e)) -+ self.print_help() -+ sys.exit(1) -+ -+ instance_name = 'pki-tomcat' -+ -+ for o, a in opts: -+ if o in ('-i', '--instance'): -+ instance_name = a -+ -+ elif o == '--help': -+ self.print_help() -+ sys.exit() -+ -+ else: -+ print('ERROR: unknown option ' + o) -+ self.print_help() -+ sys.exit(1) -+ -+ instance = pki.server.PKIInstance(instance_name) -+ if not instance.is_valid(): -+ print('ERROR: Invalid instance %s.' % instance_name) -+ sys.exit(1) -+ -+ instance.load() -+ -+ subsystem_name = self.parent.parent.name -+ subsystem = instance.get_subsystem(subsystem_name) -+ -+ if not subsystem: -+ print('ERROR: No %s subsystem in instance %s.' 
-+ % (subsystem_name.upper(), instance_name)) -+ sys.exit(1) -+ -+ AuditCLI.print_audit_config(subsystem) -+ -+ -+class AuditConfigModifyCLI(pki.cli.CLI): -+ -+ def __init__(self, parent): -+ super(AuditConfigModifyCLI, self).__init__( -+ 'config-mod', 'Modify audit configuration') -+ self.parent = parent -+ -+ def print_help(self): -+ print('Usage: pki-server %s-audit-config-mod [OPTIONS]' % self.parent.parent.name) -+ print() -+ print(' -i, --instance Instance ID (default: pki-tomcat).') -+ print(' --enabled Enable/disable audit logging.') -+ print(' --logFile Set log file.') -+ print(' --bufferSize Set buffer size (bytes).') -+ print(' --flushInterval Set flush interval (seconds).') -+ print(' --maxFileSize Set maximum file size (bytes).') -+ print(' --rolloverInterval Set rollover interval (seconds).') -+ print(' --expirationTime

    -- *
  • signed.audit LOGGING_SIGNED_AUDIT_SIGNING used when a signature on the audit log is generated (same as -+ *
  • signed.audit AUDIT_LOG_SIGNING used when a signature on the audit log is generated (same as - * "flush" time) - *
- * -diff --git a/base/server/cmsbundle/src/audit-events.properties b/base/server/cmsbundle/src/audit-events.properties -index d181db5..ddc278e 100644 ---- a/base/server/cmsbundle/src/audit-events.properties -+++ b/base/server/cmsbundle/src/audit-events.properties -@@ -1290,4 +1290,4 @@ LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_TERMINATED=\ - # associates with no user - # sig must be the base-64 encoded signature of the buffer just flushed - # --LOGGING_SIGNED_AUDIT_SIGNING_3=[AuditEvent=AUDIT_LOG_SIGNING][SubjectID={0}][Outcome={1}] signature of audit buffer just flushed: sig: {2} -+LOGGING_SIGNED_AUDIT_AUDIT_LOG_SIGNING_3=[AuditEvent=AUDIT_LOG_SIGNING][SubjectID={0}][Outcome={1}] signature of audit buffer just flushed: sig: {2} -diff --git a/base/server/upgrade/10.5.14/01-UpdateAuditEvents b/base/server/upgrade/10.5.14/01-UpdateAuditEvents -new file mode 100755 -index 0000000..ebedc8d ---- /dev/null -+++ b/base/server/upgrade/10.5.14/01-UpdateAuditEvents -@@ -0,0 +1,117 @@ -+#!/usr/bin/python -+# Authors: -+# Endi S. Dewata -+# -+# This program is free software; you can redistribute it and/or modify -+# it under the terms of the GNU General Public License as published by -+# the Free Software Foundation; version 2 of the License. -+# -+# This program is distributed in the hope that it will be useful, -+# but WITHOUT ANY WARRANTY; without even the implied warranty of -+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+# GNU General Public License for more details. -+# -+# You should have received a copy of the GNU General Public License along -+# with this program; if not, write to the Free Software Foundation, Inc., -+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -+# -+# Copyright (C) 2018 Red Hat, Inc. -+# All rights reserved. 
-+# -+ -+from __future__ import absolute_import -+ -+import pki -+ -+ -+class UpdateAuditEvents( -+ pki.server.upgrade.PKIServerUpgradeScriptlet): -+ -+ REPLACEMENTS = [ -+ ['ACCESS_SESSION_ESTABLISH_FAILURE', 'ACCESS_SESSION_ESTABLISH'], -+ ['ACCESS_SESSION_ESTABLISH_SUCCESS', 'ACCESS_SESSION_ESTABLISH'], -+ ['AUTH_FAIL', 'AUTH'], -+ ['AUTH_SUCCESS', 'AUTH'], -+ ['AUTHZ_FAIL', 'AUTHZ'], -+ ['AUTHZ_SUCCESS', 'AUTHZ'], -+ ['ASYMKEY_GEN_REQUEST_PROCESSED', 'ASYMKEY_GENERATION_REQUEST_PROCESSED'], -+ ['CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE', 'CMC_USER_SIGNED_REQUEST_SIG_VERIFY'], -+ ['CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS', 'CMC_USER_SIGNED_REQUEST_SIG_VERIFY'], -+ ['COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE', 'COMPUTE_RANDOM_DATA_REQUEST_PROCESSED'], -+ ['COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS', 'COMPUTE_RANDOM_DATA_REQUEST_PROCESSED'], -+ ['COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE', 'COMPUTE_SESSION_KEY_REQUEST_PROCESSED'], -+ ['COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS', 'COMPUTE_SESSION_KEY_REQUEST_PROCESSED'], -+ ['DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE', 'DIVERSIFY_KEY_REQUEST_PROCESSED'], -+ ['DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS', 'DIVERSIFY_KEY_REQUEST_PROCESSED'], -+ ['ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE', 'ENCRYPT_DATA_REQUEST_PROCESSED'], -+ ['ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS', 'ENCRYPT_DATA_REQUEST_PROCESSED'], -+ ['LOGGING_SIGNED_AUDIT_SIGNING', 'AUDIT_LOG_SIGNING'], -+ ['OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE', 'OCSP_REMOVE_CA_REQUEST_PROCESSED'], -+ ['OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS', 'OCSP_REMOVE_CA_REQUEST_PROCESSED'], -+ ['SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE', 'SERVER_SIDE_KEYGEN_REQUEST_PROCESSED'], -+ ['SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS', 'SERVER_SIDE_KEYGEN_REQUEST_PROCESSED'], -+ ['SYMKEY_GEN_REQUEST_PROCESSED', 'SYMKEY_GENERATION_REQUEST_PROCESSED'], -+ ['TOKEN_APPLET_UPGRADE_FAILURE', 'TOKEN_APPLET_UPGRADE'], -+ ['TOKEN_APPLET_UPGRADE_SUCCESS', 'TOKEN_APPLET_UPGRADE'], 
-+ ['TOKEN_AUTH_FAILURE', 'TOKEN_AUTH'], -+ ['TOKEN_AUTH_SUCCESS', 'TOKEN_AUTH'], -+ ['TOKEN_FORMAT_FAILURE', 'TOKEN_FORMAT'], -+ ['TOKEN_FORMAT_SUCCESS', 'TOKEN_FORMAT'], -+ ['TOKEN_KEY_CHANGEOVER_FAILURE', 'TOKEN_KEY_CHANGEOVER'], -+ ['TOKEN_KEY_CHANGEOVER_SUCCESS', 'TOKEN_KEY_CHANGEOVER'], -+ ['TOKEN_PIN_RESET_FAILURE', 'TOKEN_PIN_RESET'], -+ ['TOKEN_PIN_RESET_SUCCESS', 'TOKEN_PIN_RESET'], -+ ] -+ -+ def __init__(self): -+ super(UpdateAuditEvents, self).__init__() -+ self.message = 'Update audit events' -+ -+ def upgrade_subsystem(self, instance, subsystem): -+ -+ self.backup(subsystem.cs_conf) -+ -+ # update documentation -+ subsystem.config['log.instance.SignedAudit._003'] = \ -+ '## To list available audit events:' -+ subsystem.config['log.instance.SignedAudit._004'] = \ -+ '## $ pki-server %s-audit-event-find' % subsystem.name -+ subsystem.config['log.instance.SignedAudit._005'] = \ -+ '##' -+ subsystem.config['log.instance.SignedAudit._006'] = \ -+ '## To enable/disable audit event:' -+ subsystem.config['log.instance.SignedAudit._007'] = \ -+ '## $ pki-server %s-audit-event-enable/disable ' % subsystem.name -+ subsystem.config['log.instance.SignedAudit._008'] = \ -+ '##' -+ -+ # update selected audit events -+ self.update_audit_events(subsystem, 'log.instance.SignedAudit.events') -+ -+ # update mandatory audit events -+ self.update_audit_events(subsystem, 'log.instance.SignedAudit.mandatory.events') -+ -+ # remove unselected audit events -+ subsystem.config.pop('log.instance.SignedAudit.unselected.events', None) -+ -+ subsystem.save() -+ -+ def update_audit_events(self, subsystem, prop_name): -+ -+ value = subsystem.config.get(prop_name, None) -+ if not value: -+ return -+ -+ events = set(value.replace(' ', '').split(',')) -+ -+ for replacement in UpdateAuditEvents.REPLACEMENTS: -+ -+ old_event = replacement[0] -+ new_event = replacement[1] -+ -+ if old_event in events: -+ events.remove(old_event) -+ events.add(new_event) -+ -+ event_list = 
','.join(sorted(events)) -+ subsystem.config[prop_name] = event_list -diff --git a/base/tks/shared/conf/CS.cfg b/base/tks/shared/conf/CS.cfg -index 3d95735..2face58 100644 ---- a/base/tks/shared/conf/CS.cfg -+++ b/base/tks/shared/conf/CS.cfg -@@ -214,9 +214,8 @@ log.instance.SignedAudit._007=## $ pki-server tks-audit-event-enable/disable -Date: Thu, 31 Jan 2019 01:32:59 +0100 -Subject: [PATCH 26/26] Added method to upgrade event filters - -The upgrade script has been modified to upgrade audit event -filters as well. - -https://pagure.io/dogtagpki/issue/2686 -(cherry picked from commit 49bf217d04af878ebbf980656f5969abfb40970c) ---- - base/server/upgrade/10.5.14/01-UpdateAuditEvents | 29 ++++++++++++++++++++++++ - 1 file changed, 29 insertions(+) - -diff --git a/base/server/upgrade/10.5.14/01-UpdateAuditEvents b/base/server/upgrade/10.5.14/01-UpdateAuditEvents -index ebedc8d..34934b5 100755 ---- a/base/server/upgrade/10.5.14/01-UpdateAuditEvents -+++ b/base/server/upgrade/10.5.14/01-UpdateAuditEvents -@@ -94,6 +94,9 @@ class UpdateAuditEvents( - # remove unselected audit events - subsystem.config.pop('log.instance.SignedAudit.unselected.events', None) - -+ # update audit event filters -+ self.update_audit_event_filters(subsystem, 'log.instance.SignedAudit.filters.') -+ - subsystem.save() - - def update_audit_events(self, subsystem, prop_name): -@@ -115,3 +118,29 @@ class UpdateAuditEvents( - - event_list = ','.join(sorted(events)) - subsystem.config[prop_name] = event_list -+ -+ def update_audit_event_filters(self, subsystem, prefix): -+ -+ prop_names = subsystem.config.keys() -+ for prop_name in prop_names: -+ -+ # not a filter, skip -+ if not prop_name.startswith(prefix): -+ continue -+ -+ event_name = prop_name[len(prefix):] -+ -+ for replacement in UpdateAuditEvents.REPLACEMENTS: -+ -+ old_event = replacement[0] -+ new_event = replacement[1] -+ -+ if event_name != old_event: -+ continue -+ -+ # remove filter for old event -+ event_filter = 
subsystem.config.pop(prop_name) -+ -+ # add filter for new event -+ prop_name = prefix + new_event -+ subsystem.config[prop_name] = event_filter --- -1.8.3.1 - diff --git a/SOURCES/pki-core-CA-OCSP-SystemCertsVerification.patch b/SOURCES/pki-core-CA-OCSP-SystemCertsVerification.patch deleted file mode 100644 index 5697215..0000000 --- a/SOURCES/pki-core-CA-OCSP-SystemCertsVerification.patch +++ /dev/null 
@@ -1,258 +0,0 @@ -From da51b869a4ad3e558689c4dfa054605495c96485 Mon Sep 17 00:00:00 2001 -From: jmagne -Date: Thu, 8 Nov 2018 17:07:40 -0800 -Subject: [PATCH] Resolve: Bug 1641119 - CC: CA/OCSP startup fail on - SystemCertsVerification if enableOCSP is true. (#87) - -The approach taken by this patch is quite simple. The SystemCertsVerification self test has been modified to -optionally act differently when verifying the system certs of both ca and ocsp instances. - -Previously, the test would do a full cert verification , which results in an ocsp check being done at the nss level, if ocsp has been enabled in the server.xml. The past result was to have the server hang on startup , due to the fact that an ocsp check of a given cert would loop back to the ca or ocsp server itself to do the work. In the case of the self test /startup scenario, the server will not be sufficiently ready to field such a request, thus resulting in a hang situation. - -This fix modifies the cert checks for ca and ocsp to ONLY do a validity test for each cert. - -The code has created an optional parameter than can force our of this behaviour if the admin absolutely wants to: - -selftests.plugin.SystemCertsVerification.FullCAandOCSPVerify= true - -IF, the admin wants the test to behave as it did before. This may be the case where we know ocsp is not configured for the ca or ocsp itself. - -The value, is false by default and is false if the line is not present. - -The simple validity test is all that gets done at this point but could be modified to do more in the future. -We already have a validity test for just the CA singing and OCSP signing certs. I felt it was cleaner to just leave those in place unchanged, safely leaving the original wiring in place. 
- -(cherry picked from commit 3eab287365d83a167fff7ec1287bd70647e93757) ---- - base/ca/shared/profiles/ca/caCMCECUserCert.cfg | 2 +- - .../selftests/common/SystemCertsVerification.java | 17 +++++++- - .../src/com/netscape/cmscore/apps/CMSEngine.java | 2 +- - .../src/com/netscape/cmscore/cert/CertUtils.java | 50 ++++++++++++++++++++-- - base/server/tomcat7/conf/server.xml | 9 +++- - base/server/tomcat8/conf/server.xml | 9 +++- - 6 files changed, 78 insertions(+), 11 deletions(-) - -diff --git a/base/ca/shared/profiles/ca/caCMCECUserCert.cfg b/base/ca/shared/profiles/ca/caCMCECUserCert.cfg -index 226c05c..c45da2e 100644 ---- a/base/ca/shared/profiles/ca/caCMCECUserCert.cfg -+++ b/base/ca/shared/profiles/ca/caCMCECUserCert.cfg -@@ -1,5 +1,5 @@ - desc=This certificate profile is for enrolling user certificates with ECC keys by using the CMC certificate request with CMC Signature authentication. --visible=true -+visible=false - enable=true - enableBy=admin - auth.instance_id=CMCAuth -diff --git a/base/server/cms/src/com/netscape/cms/selftests/common/SystemCertsVerification.java b/base/server/cms/src/com/netscape/cms/selftests/common/SystemCertsVerification.java -index cc52f83..335a940 100644 ---- a/base/server/cms/src/com/netscape/cms/selftests/common/SystemCertsVerification.java -+++ b/base/server/cms/src/com/netscape/cms/selftests/common/SystemCertsVerification.java -@@ -36,6 +36,7 @@ import com.netscape.certsrv.selftests.EMissingSelfTestException; - import com.netscape.certsrv.selftests.ESelfTestException; - import com.netscape.certsrv.selftests.ISelfTestSubsystem; - import com.netscape.cms.selftests.ASelfTest; -+import com.netscape.cmscore.cert.CertUtils; - - ////////////////////// - // class definition // -@@ -60,7 +61,9 @@ public class SystemCertsVerification - - // parameter information - public static final String PROP_SUB_ID = "SubId"; -+ public static final String PROP_FULL_CA_OCSP_VERIFY = "FullCAandOCSPVerify"; - private String mSubId = null; -+ private 
boolean mFullCAandOCSPVerify = false; - - ///////////////////// - // default methods // -@@ -122,6 +125,13 @@ public class SystemCertsVerification - - // retrieve optional parameter(s) - -+ try { -+ mFullCAandOCSPVerify = mConfig.getBoolean(PROP_FULL_CA_OCSP_VERIFY, false); -+ } catch (EBaseException e) { -+ //Since this is fully optional, keep going. -+ mFullCAandOCSPVerify = false; -+ } -+ - return; - } - -@@ -190,7 +200,12 @@ public class SystemCertsVerification - public void runSelfTest(ILogEventListener logger) throws Exception { - - try { -- CMS.verifySystemCerts(); -+ if (("ca".equalsIgnoreCase(mSubId) || "ocsp".equalsIgnoreCase(mSubId)) && !mFullCAandOCSPVerify) { -+ //Perform validity only -+ CertUtils.verifySystemCerts(true); -+ } else { -+ CertUtils.verifySystemCerts(false); -+ } - - String logMessage = CMS.getLogMessage( - "SELFTESTS_COMMON_SYSTEM_CERTS_VERIFICATION_SUCCESS", -diff --git a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java -index 2c953cc..f1a3b78 100644 ---- a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java -+++ b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java -@@ -1711,7 +1711,7 @@ public class CMSEngine implements ICMSEngine { - } - - public void verifySystemCerts() throws Exception { -- CertUtils.verifySystemCerts(); -+ CertUtils.verifySystemCerts(false); - } - - public void verifySystemCertByTag(String tag) throws Exception { -diff --git a/base/server/cmscore/src/com/netscape/cmscore/cert/CertUtils.java b/base/server/cmscore/src/com/netscape/cmscore/cert/CertUtils.java -index 3334b43..6669632 100644 ---- a/base/server/cmscore/src/com/netscape/cmscore/cert/CertUtils.java -+++ b/base/server/cmscore/src/com/netscape/cmscore/cert/CertUtils.java -@@ -817,6 +817,30 @@ public class CertUtils { - return tmp.toString(); - } - -+ public static void verifySystemCertValidityByNickname(String nickname) throws Exception { -+ -+ 
String method = "Certutils.verifySystemCertValidityByNickname: "; -+ -+ CMS.debug(method + "(" + nickname + ")"); -+ try { -+ CryptoManager cm = CryptoManager.getInstance(); -+ org.mozilla.jss.crypto.X509Certificate cert = cm.findCertByNickname(nickname); -+ -+ X509CertImpl impl = new X509CertImpl(cert.getEncoded()); -+ -+ boolean valid = isValidCert(impl); -+ -+ if (!valid) { -+ throw new Exception(method + " failed: nickname: " + nickname); -+ } -+ } catch (Exception e) { -+ CMS.debug(method + " failed : " + e); -+ throw new Exception(method + " faliled: nickname: "+ nickname + "cause: " + e); -+ } -+ -+ CMS.debug(method + "success"); -+ } -+ - /* - * verify a certificate by its nickname - * @throws Exception if something is wrong -@@ -891,10 +915,18 @@ public class CertUtils { - } - - /* -- * verify a certificate by its tag name -+ * verify a certificate by its tag name, do a full verification - * @throws Exception if something is wrong - */ - public static void verifySystemCertByTag(String tag) throws Exception { -+ verifySystemCertByTag(tag,false); -+ } -+ /* -+ * verify a certificate by its tag name -+ * @throws Exception if something is wrong -+ * perform optional validity check only -+ */ -+ public static void verifySystemCertByTag(String tag,boolean checkValidityOnly) throws Exception { - - CMS.debug("CertUtils: verifySystemCertByTag(" + tag + ")"); - -@@ -934,7 +966,11 @@ public class CertUtils { - // throw new Exception("Missing certificate usage for " + tag + " certificate"); ? 
- } - -- verifySystemCertByNickname(nickname, certusage); -+ if(!checkValidityOnly) { -+ verifySystemCertByNickname(nickname, certusage); -+ } else { -+ verifySystemCertValidityByNickname(nickname); -+ } - - auditMessage = CMS.getLogMessage( - AuditEvent.CIMC_CERT_VERIFICATION, -@@ -999,8 +1035,9 @@ public class CertUtils { - * goes through all system certs and check to see if they are good - * and audit the result - * @throws Exception if something is wrong -+ * optionally only check certs validity. - */ -- public static void verifySystemCerts() throws Exception { -+ public static void verifySystemCerts(boolean checkValidityOnly) throws Exception { - - String auditMessage = null; - IConfigStore config = CMS.getConfigStore(); -@@ -1051,7 +1088,12 @@ public class CertUtils { - String tag = tokenizer.nextToken(); - tag = tag.trim(); - CMS.debug("CertUtils: verifySystemCerts() cert tag=" + tag); -- verifySystemCertByTag(tag); -+ -+ if (!checkValidityOnly) { -+ verifySystemCertByTag(tag); -+ } else { -+ verifySystemCertByTag(tag, true); -+ } - } - - } catch (Exception e) { -diff --git a/base/server/tomcat7/conf/server.xml b/base/server/tomcat7/conf/server.xml -index dae513d..02eb8eb 100644 ---- a/base/server/tomcat7/conf/server.xml -+++ b/base/server/tomcat7/conf/server.xml -@@ -173,6 +173,11 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown) - In case of an ocsp signing certificate, one must import the cert - into the subsystem's nss db and set trust. e.g.: - certutil -d . -A -n "ocspSigningCert cert-pki-ca" -t "C,," -a -i ocspCert.b64 -+ -+ If both ocspResponderURL and ocspResponderCertNickname are both unset -+ all OCSP checks will be made using the URL encoded within the AIA extension -+ of each cert being verified. 
-+ - ocspCacheSize - sets max cache entries - ocspMinCacheEntryDuration - sets minimum seconds to next fetch attempt - ocspMaxCacheEntryDuration - sets maximum seconds to next fetch attempt -@@ -192,8 +197,8 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown) - ocspResponderURL="http://[PKI_HOSTNAME]:[PKI_UNSECURE_PORT]/ca/ocsp" - ocspResponderCertNickname="ocspSigningCert cert-pki-ca" - ocspCacheSize="1000" -- ocspMinCacheEntryDuration="60" -- ocspMaxCacheEntryDuration="120" -+ ocspMinCacheEntryDuration="7200" -+ ocspMaxCacheEntryDuration="14400" - ocspTimeout="10" - strictCiphers="true" - clientAuth="[PKI_AGENT_CLIENTAUTH]" -diff --git a/base/server/tomcat8/conf/server.xml b/base/server/tomcat8/conf/server.xml -index d08e3b1..c83ab58 100644 ---- a/base/server/tomcat8/conf/server.xml -+++ b/base/server/tomcat8/conf/server.xml -@@ -193,6 +193,11 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown) - In case of an ocsp signing certificate, one must import the cert - into the subsystem's nss db and set trust. e.g.: - certutil -d . -A -n "ocspSigningCert cert-pki-ca" -t "C,," -a -i ocspCert.b64 -+ -+ If both ocspResponderURL and ocspResponderCertNickname are both unset -+ all OCSP checks will be made using the URL encoded within the AIA extension -+ of each cert being verified. -+ - ocspCacheSize - sets max cache entries - ocspMinCacheEntryDuration - sets minimum seconds to next fetch attempt - ocspMaxCacheEntryDuration - sets maximum seconds to next fetch attempt -@@ -218,8 +223,8 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown) - ocspResponderURL="http://[PKI_HOSTNAME]:[PKI_UNSECURE_PORT]/ca/ocsp" - ocspResponderCertNickname="ocspSigningCert cert-pki-ca" - ocspCacheSize="1000" -- ocspMinCacheEntryDuration="60" -- ocspMaxCacheEntryDuration="120" -+ ocspMinCacheEntryDuration="7200" -+ ocspMaxCacheEntryDuration="14400" - ocspTimeout="10" - strictCiphers="true" - clientAuth="[PKI_AGENT_CLIENTAUTH]" --- -1.8.3.1 - 
diff --git a/SOURCES/pki-core-PKI-startup-init-LDAP-operation-attr-independence.patch b/SOURCES/pki-core-PKI-startup-init-LDAP-operation-attr-independence.patch
new file mode 100644
index 0000000..76e7ac7
--- /dev/null
+++ b/SOURCES/pki-core-PKI-startup-init-LDAP-operation-attr-independence.patch
@@ -0,0 +1,541 @@
+From d24a4a587dbd9e67d4401d3032008cdfe015f69b Mon Sep 17 00:00:00 2001
+From: Fraser Tweedale
+Date: Mon, 12 Nov 2018 11:47:48 +1100
+Subject: [PATCH 1/2] LDAPProfileSubsystem: add watchdog timer for initial load
+
+During initial profile loading, if we receive fewer entries than
+indicated by the parent entry's numSubordinates attribute, the
+AsyncLoader will not unlock, and the Dogtag startup thread is
+blocked. This situation can arise when there are entries that are
+contributing to the numSubordinates count, which are not visible to
+Dogtag. Replication conflicts are one such example.
+
+The implementation currently uses a persistent search that also
+returns existing entries. The alternative approach - a regular
+search followed by a persistent search - leaves open the possibility
+of missing replicated changes to the subtree that were processed in
+between the regular and persistent search. Therefore we use a
+single search, which avoids this possibility.
+
+We also *do* want to block startup until all profiles are loaded.
+The system reporting ready before profiles are loaded has led to
+issues in CI and production environments. During a persistent
+search, there is no in-band signal that indicates when all the
+"immediate" results have been delivered. The solution was to read
+the numSubordinates value of the container to know how many
+immediate results to process. So we have to address the corner
+cases discussed above.
+
+The approach to resolving this is to use a watchdog timer during
+initial load of profiles. The AsyncLoader is now initialised with a
+timeout value (in seconds). A timer is started and the lock is
+forcibly released after the timeout. A value <= 0 suppresses the
+watchdog. Update the LDAPProfileSubsystem to time out the loader
+after 10 seconds. The existing behaviour of unlocking when the
+expected number of entries have been processed is maintained.
+
+Also add a log message when the start await gets interrupted, to
+indicate that there may be replication conflicts or other extraneous
+data in the profile configuration subtree.
+
+Fixes: https://pagure.io/dogtagpki/issue/3078
+(cherry picked from commit 758d2a7e551e532f464419d68306cf13e096fe85)
+---
+ .../src/com/netscape/certsrv/util/AsyncLoader.java | 105 +++++++++++++++++++--
+ .../cmscore/profile/LDAPProfileSubsystem.java | 65 +++++++++----
+ 2 files changed, 145 insertions(+), 25 deletions(-)
+
+diff --git a/base/common/src/com/netscape/certsrv/util/AsyncLoader.java b/base/common/src/com/netscape/certsrv/util/AsyncLoader.java
+index 39f8efd..6d10531 100644
+--- a/base/common/src/com/netscape/certsrv/util/AsyncLoader.java
++++ b/base/common/src/com/netscape/certsrv/util/AsyncLoader.java
+@@ -18,6 +18,8 @@
+
+ package com.netscape.certsrv.util;
+
++import java.util.Timer;
++import java.util.TimerTask;
+ import java.util.concurrent.CountDownLatch;
+ import java.util.concurrent.locks.ReentrantLock;
+
+@@ -33,28 +35,54 @@ import java.util.concurrent.locks.ReentrantLock;
+ */
+ public class AsyncLoader {
+ private CountDownLatch producerInitialised = new CountDownLatch(1);
+- private ReentrantLock loadingLock = new ReentrantLock();
++ private GoAwayLock loadingLock = new GoAwayLock();
+ private Integer numItems = null;
+ private int numItemsLoaded = 0;
++ private boolean loading = true;
++ private int timeoutSeconds = 0;
++ private Timer timer = new Timer("AsyncLoader watchdog");
++ private TimerTask watchdog = null;
++
++ /** Create an AsyncLoader with the specified timeout.
++ *
++ * If timeoutSeconds > 0, startLoading() will start a timer
++ * that will forcibly unlock the loader after the specified
++ * timeout.
++ */
++ public AsyncLoader(int timeoutSeconds) {
++ this.timeoutSeconds = timeoutSeconds;
++ }
+
+ /**
+- * Acquire the lock as a producer.
++ * Acquire the lock as a producer and reset
++ * progress-tracking variables.
+ */
+ public void startLoading() {
++ loadingLock.lock();
++ loading = true;
+ numItems = null;
+ numItemsLoaded = 0;
+- loadingLock.lock();
+ producerInitialised.countDown();
++ if (timeoutSeconds > 0) {
++ if (watchdog != null)
++ watchdog.cancel();
++ watchdog = new AsyncLoaderWatchdog();
++ timer.schedule(watchdog, timeoutSeconds * 1000);
++ }
+ }
+
+ /**
+ * Increment the number of items loaded by 1. If the number
+ * of items is known and that many items have been loaded,
+ * unlock the loader.
++ *
++ * If the loader is not currently loading, does nothing.
+ */
+ public void increment() {
+- numItemsLoaded += 1;
+- checkLoadDone();
++ if (loading) {
++ numItemsLoaded += 1;
++ checkLoadDone();
++ }
+ }
+
+ /**
+@@ -69,18 +97,77 @@ public class AsyncLoader {
+
+ private void checkLoadDone() {
+ if (numItems != null && numItemsLoaded >= numItems) {
++ watchdog.cancel();
++ loading = false;
+ while (loadingLock.isHeldByCurrentThread())
+ loadingLock.unlock();
+ }
+ }
+
++ /**
++ * Wait upon the consumer to finish loading items.
++ *
++ * @throws InterruptedException if the thread is interrupted
++ * while waiting for the loading lock. This can happen due
++ * to timeout.
++ */
+ public void awaitLoadDone() throws InterruptedException {
+ /* A consumer may await upon the Loader immediately after
+ * starting the producer. To ensure that the producer
+- * has time to acquire the lock, we use a CountDownLatch.
++ * has time to acquire the lock, we use a CountDownLatch
++ * that only the producer can release (in 'startLoading').
+ */
+- producerInitialised.await();
+- loadingLock.lock();
+- loadingLock.unlock();
++ if (loading) {
++ producerInitialised.await();
++ loadingLock.lockInterruptibly();
++ loadingLock.unlock();
++ }
++ }
++
++ /** Forcibly unlock this AsyncLoader.
++ *
++ * There's no way we can safely interrupt the producer to
++ * release the loadingLock. So here's what we do.
++ *
++ * - Interrupt all threads that are waiting on the lock.
++ * - Set loading = false so that future call to awaitLoadDone()
++ * return immediately.
++ *
++ * Upon subseqent re-loads (e.g. due to loss and reesablishment
++ * of LDAP persistent search), the producer thread will call
++ * startLoading() again, which will increment the producer's
++ * hold count. That's OK because when the unlock condition is
++ * met, checkLoadDone() will call loadingLock.unlock() as many
++ * times as needed to effect the unlock.
++ *
++ * This method DOES NOT interrupt threads waiting on the
++ * producerInitialised CountDownLatch. The producer MUST call
++ * startLoading() which will acquire the loading lock then
++ * release the CountDownLatch.
++ */
++ private void forceUnlock() {
++ loading = false;
++ loadingLock.interruptWaitingThreads();
++ }
++
++ /** Subclass of ReentrantLock that can tell waiting threads
++ * to go away (by interrupting them). Awaiters must use
++ * lockInterruptibly() to acquire the lock.
++ *
++ * This needed to be a subclass of ReentrantLock because
++ * ReentrantLock.getQueuedThreads() has visibility 'protected'.
++ */
++ private static class GoAwayLock extends ReentrantLock {
++ public void interruptWaitingThreads() {
++ for (Thread thread : getQueuedThreads()) {
++ thread.interrupt();
++ }
++ }
++ }
++
++ private class AsyncLoaderWatchdog extends TimerTask {
++ public void run() {
++ forceUnlock();
++ }
+ }
+ }
+diff --git a/base/server/cmscore/src/com/netscape/cmscore/profile/LDAPProfileSubsystem.java b/base/server/cmscore/src/com/netscape/cmscore/profile/LDAPProfileSubsystem.java
+index bce675e..7a9d0ba 100644
+--- a/base/server/cmscore/src/com/netscape/cmscore/profile/LDAPProfileSubsystem.java
++++ b/base/server/cmscore/src/com/netscape/cmscore/profile/LDAPProfileSubsystem.java
+@@ -58,7 +58,9 @@ public class LDAPProfileSubsystem
+ extends AbstractProfileSubsystem
+ implements IProfileSubsystem, Runnable {
+
+- private String dn;
++ private String profileContainerDNString;
++ private DN profileContainerDN;
++
+ private ILdapConnFactory dbFactory;
+
+ private boolean stopped = false;
+@@ -73,7 +75,7 @@ public class LDAPProfileSubsystem
+ /* Set of nsUniqueIds of deleted entries */
+ private TreeSet deletedNsUniqueIds;
+
+- private AsyncLoader loader = new AsyncLoader();
++ private AsyncLoader loader = new AsyncLoader(10 /*10s timeout*/);
+
+ /**
+ * Initializes this subsystem with the given configuration
+@@ -112,7 +114,8 @@ public class LDAPProfileSubsystem
+
+ // read profile id, implementation, and its configuration files
+ String basedn = cs.getString("internaldb.basedn");
+- dn = "ou=certificateProfiles,ou=ca," + basedn;
++ profileContainerDNString = "ou=certificateProfiles,ou=ca," + basedn;
++ profileContainerDN = new DN(profileContainerDNString);
+
+ monitor = new Thread(this, "profileChangeMonitor");
+ monitor.start();
+@@ -121,6 +124,8 @@ public class LDAPProfileSubsystem
+ } catch (InterruptedException e) {
+ CMS.debug("LDAPProfileSubsystem: caught InterruptedException "
+ + "while waiting for initial load of profiles.");
++ CMS.debug("You may have replication
conflict entries or "
++ + "extraneous data under " + profileContainerDNString);
+ }
+ CMS.debug("LDAPProfileSubsystem: finished init");
+ }
+@@ -294,12 +299,10 @@ public class LDAPProfileSubsystem
+ }
+
+ private synchronized void handleMODDN(DN oldDN, LDAPEntry entry) {
+- DN profilesDN = new DN(dn);
+-
+- if (oldDN.isDescendantOf(profilesDN))
++ if (oldDN.isDescendantOf(profileContainerDN))
+ forgetProfile(oldDN.explodeDN(true)[0]);
+
+- if ((new DN(entry.getDN())).isDescendantOf(profilesDN))
++ if ((new DN(entry.getDN())).isDescendantOf(profileContainerDN))
+ readProfile(entry);
+ }
+
+@@ -384,12 +387,14 @@ public class LDAPProfileSubsystem
+ if (id == null) {
+ throw new EProfileException("CMS_PROFILE_ID_NOT_FOUND");
+ }
+- return "cn=" + id + "," + dn;
++ return "cn=" + id + "," + profileContainerDNString;
+ }
+
+ private void ensureProfilesOU(LDAPConnection conn) throws LDAPException {
+ try {
+- conn.search(dn, LDAPConnection.SCOPE_BASE, "(objectclass=*)", null, false);
++ conn.search(
++ profileContainerDNString, LDAPConnection.SCOPE_BASE,
++ "(objectclass=*)", null, false);
+ } catch (LDAPException e) {
+ if (e.getLDAPResultCode() == LDAPException.NO_SUCH_OBJECT) {
+ CMS.debug("Adding LDAP certificate profiles container");
+@@ -398,7 +403,7 @@ public class LDAPProfileSubsystem
+ new LDAPAttribute("ou", "certificateProfiles")
+ };
+ LDAPAttributeSet attrSet = new LDAPAttributeSet(attrs);
+- LDAPEntry entry = new LDAPEntry(dn, attrSet);
++ LDAPEntry entry = new LDAPEntry(profileContainerDNString, attrSet);
+ conn.add(entry);
+ }
+ }
+@@ -426,8 +431,8 @@ public class LDAPProfileSubsystem
+ cons.setServerTimeLimit(0 /* seconds */);
+ String[] attrs = {"*", "entryUSN", "nsUniqueId", "numSubordinates"};
+ LDAPSearchResults results = conn.search(
+- dn, LDAPConnection.SCOPE_SUB, "(objectclass=*)",
+- attrs, false, cons);
++ profileContainerDNString, LDAPConnection.SCOPE_SUB,
++ "(objectclass=*)", attrs, false, cons);
+
+ /* Wait until the last possible moment
before taking
+ * the load lock and dropping all profiles, so that
+@@ -443,16 +448,44 @@ public class LDAPProfileSubsystem
+
+ while (!stopped && results.hasMoreElements()) {
+ LDAPEntry entry = results.next();
+-
+- String[] objectClasses =
+- entry.getAttribute("objectClass").getStringValueArray();
+- if (Arrays.asList(objectClasses).contains("organizationalUnit")) {
++ DN entryDN = new DN(entry.getDN());
++
++ if (entryDN.countRDNs() == profileContainerDN.countRDNs()) {
++ /* This is the profile container. Read numSubordinates to get
++ * the expected number of profiles entries to read.
++ *
++ * numSubordinates is not reliable; it may be too high
++ * due to objects we cannot see (e.g. replication conflict
++ * entries). In that case AsyncLoader has a watchdog
++ * timer to interrupt waiting threads.
++ */
+ loader.setNumItems(new Integer(
+ entry.getAttribute("numSubordinates")
+ .getStringValueArray()[0]));
+ continue;
+ }
+
++ if (entryDN.countRDNs() > profileContainerDN.countRDNs() + 1) {
++ /* This entry is unexpectedly deep. We ignore it.
++ * numSubordinates only counts immediate subordinates
++ * (https://tools.ietf.org/html/draft-boreham-numsubordinates-01)
++ * so don't increment() the AsyncLoader.
++ */
++ continue;
++ }
++
++ /* This entry is at the expected depth. Is it a certProfile? */
++ String[] objectClasses =
++ entry.getAttribute("objectClass").getStringValueArray();
++ if (!Arrays.asList(objectClasses).contains("certProfile")) {
++ /* It is not a certProfile; ignore it. But it does
++ * contribute to numSubordinates so increment the loader. */
++ loader.increment();
++ continue;
++ }
++
++ /* We have a profile. Process it.
*/
++
+ LDAPEntryChangeControl changeControl = (LDAPEntryChangeControl)
+ LDAPUtil.getControl(
+ LDAPEntryChangeControl.class, results.getResponseControls());
+--
+1.8.3.1
+
+
+From 94ce76abe56b680982b363bca8edf6d10d6d9a7f Mon Sep 17 00:00:00 2001
+From: Fraser Tweedale
+Date: Thu, 28 Mar 2019 18:06:20 +1100
+Subject: [PATCH 2/2] Add watchdog timer for initial load of LWCAs
+
+Similar to the work done for LDAPProfileSubsystem, to avoid hanging
+startup when the number of entries processed during initial load of
+LWCAs is less than suggested by the numSubordinates attribute of the
+container entry (replication conflict entries can cause this).
+Switch the authority monitor to use AsyncLoader which provides the
+watchdog timer, and takes care of some of the existing logic.
+
+Also add a log message when the startup await gets interrupted, to
+indicate that there may be replication conflicts or other extraneous
+data in the LWCA subtree.
+
+Related: https://pagure.io/dogtagpki/issue/3078
+(cherry picked from commit 54c15eb4eba3568eace3791d183f8d2700e5d04e)
+---
+ .../src/com/netscape/ca/CertificateAuthority.java | 102 +++++++++++----------
+ 1 file changed, 55 insertions(+), 47 deletions(-)
+
+diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java b/base/ca/src/com/netscape/ca/CertificateAuthority.java
+index 90a8fba..0281db0 100644
+--- a/base/ca/src/com/netscape/ca/CertificateAuthority.java
++++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java
+@@ -125,6 +125,7 @@ import com.netscape.certsrv.request.IRequestScheduler;
+ import com.netscape.certsrv.request.IService;
+ import com.netscape.certsrv.request.RequestStatus;
+ import com.netscape.certsrv.security.ISigningUnit;
++import com.netscape.certsrv.util.AsyncLoader;
+ import com.netscape.certsrv.util.IStatsSubsystem;
+ import com.netscape.cms.logging.Logger;
+ import com.netscape.cms.logging.SignedAuditLogger;
+@@ -335,20 +336,10 @@ public class CertificateAuthority
+ private boolean mUseNonces =
true;
+ private int mMaxNonces = 100;
+
+- /* Variables to manage loading and tracking of lightweight CAs
+- *
+- * The initialLoadDone latch causes the host authority's 'init'
+- * method to block until the monitor thread has finished the
+- * initial loading of lightweight CAs.
+- *
+- * In other words: the "server startup" cannot complete until
+- * all the lightweight CAs that exist at start time are loaded.
+- */
++ /* Variables to manage loading and tracking of lightweight CAs */
+ private static boolean stopped = false;
+ private static boolean foundHostAuthority = false;
+- private static Integer initialNumAuthorities = null;
+- private static int numAuthoritiesLoaded = 0;
+- private static CountDownLatch initialLoadDone = new CountDownLatch(1);
++ private AsyncLoader lwcaLoader = new AsyncLoader(10 /*10s timeout*/);
+
+ /* Maps and sets of entryUSNs and nsUniqueIds for avoiding race
+ * conditions and unnecessary reloads related to replication */
+@@ -637,10 +628,17 @@ public class CertificateAuthority
+ if (isHostAuthority() && haveLightweightCAsContainer()) {
+ new Thread(this, "authorityMonitor").start();
+ try {
+- initialLoadDone.await();
++ // block until the expected number of authorities
++ // have been loaded (based on numSubordinates of
++ // container entry), or watchdog times it out (in case
++ // numSubordinates is larger than the number of entries
++ // we can see, e.g. replication conflict entries).
++ lwcaLoader.awaitLoadDone();
+ } catch (InterruptedException e) {
+ CMS.debug("CertificateAuthority: caught InterruptedException "
+ + "while waiting for initial load of authorities.");
++ CMS.debug("You may have replication conflict entries or "
++ + "extraneous data under " + authorityBaseDN());
+ }
+
+ if (!foundHostAuthority) {
+@@ -3260,12 +3258,6 @@ public class CertificateAuthority
+ }
+ }
+
+- private void checkInitialLoadDone() {
+- if (initialNumAuthorities != null
+- && numAuthoritiesLoaded >= initialNumAuthorities)
+- initialLoadDone.countDown();
+- }
+-
+ public void run() {
+ int op = LDAPPersistSearchControl.ADD
+ | LDAPPersistSearchControl.MODIFY
+@@ -3274,6 +3266,9 @@ public class CertificateAuthority
+ LDAPPersistSearchControl persistCtrl =
+ new LDAPPersistSearchControl(op, false, true, true);
+
++ String lwcaContainerDNString = authorityBaseDN();
++ DN lwcaContainerDN = new DN(lwcaContainerDNString);
++
+ CMS.debug("authorityMonitor: starting.");
+
+ while (!stopped) {
+@@ -3286,38 +3281,52 @@ public class CertificateAuthority
+ cons.setServerTimeLimit(0 /* seconds */);
+ String[] attrs = {"*", "entryUSN", "nsUniqueId", "numSubordinates"};
+ LDAPSearchResults results = conn.search(
+- authorityBaseDN(), LDAPConnection.SCOPE_SUB,
++ lwcaContainerDNString, LDAPConnection.SCOPE_SUB,
+ "(objectclass=*)", attrs, false, cons);
++
++ /* Wait until the last possible moment before taking
++ * the load lock so that we can continue to service
++ * requests while LDAP is down.
++ */
++ lwcaLoader.startLoading();
++
+ while (!stopped && results.hasMoreElements()) {
+ LDAPEntry entry = results.next();
++ DN entryDN = new DN(entry.getDN());
++
++ if (entryDN.countRDNs() == lwcaContainerDN.countRDNs()) {
++ /* This must be the base entry of the search, i.e. the
++ * LWCA container. Read numSubordinates to get the
++ * expected number of LWCA entries to read.
++ *
++ * numSubordinates is not reliable; it may be too high
++ * due to objects we cannot see (e.g.
replication
++ * conflict entries). In that case AsyncLoader has a
++ * watchdog timer to interrupt waiting threads after it
++ * times out.
++ */
++ lwcaLoader.setNumItems(new Integer(
++ entry.getAttribute("numSubordinates")
++ .getStringValueArray()[0]));
++ continue;
++ }
+
+- /* This behaviour requires detailed explanation.
+- *
+- * We want to block startup until all the
+- * lightweight CAs existing at startup time are
+- * loaded. To do this, we need to know how many
+- * authority entries there are. And we must do
+- * this atomically - we cannot issue two LDAP
+- * searches in case things change.
+- *
+- * Therefore, we do a subtree search from the
+- * authority container. When we find the
+- * container (objectClass=organizationalUnit),
+- * we set initialNumAuthorities to the value of
+- * its numSubordinates attribute.
+- *
+- * We increment numAuthoritiesLoaded for each
+- * authority entry. When numAuthoritiesLoaded
+- * equals initialNumAuthorities, we unlock the
+- * initialLoadDone latch.
+- */
++ if (entryDN.countRDNs() > lwcaContainerDN.countRDNs() + 1) {
++ /* This entry is unexpectedly deep. We ignore it.
++ * numSubordinates only counts immediate subordinates
++ * (https://tools.ietf.org/html/draft-boreham-numsubordinates-01)
++ * so don't increment() the AsyncLoader.
++ */
++ continue;
++ }
++
++ /* This entry is at the expected depth. Is it a LWCA entry? */
+ String[] objectClasses =
+ entry.getAttribute("objectClass").getStringValueArray();
+- if (Arrays.asList(objectClasses).contains("organizationalUnit")) {
+- initialNumAuthorities = new Integer(
+- entry.getAttribute("numSubordinates")
+- .getStringValueArray()[0]);
+- checkInitialLoadDone();
++ if (!Arrays.asList(objectClasses).contains("authority")) {
++ /* It is not a LWCA entry; ignore it. But it does
++ * contribute to numSubordinates so increment the loader.
*/
++ lwcaLoader.increment();
+ continue;
+ }
+
+@@ -3352,8 +3361,7 @@ public class CertificateAuthority
+ } else {
+ CMS.debug("authorityMonitor: immediate result");
+ readAuthority(entry);
+- numAuthoritiesLoaded += 1;
+- checkInitialLoadDone();
++ lwcaLoader.increment();
+ }
+ }
+ } catch (ELdapException e) {
+--
+1.8.3.1
+
diff --git a/SOURCES/pki-core-Session-Timeout.patch b/SOURCES/pki-core-Session-Timeout.patch
deleted file mode 100644
index 4aa0af6..0000000
--- a/SOURCES/pki-core-Session-Timeout.patch
+++ /dev/null
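Review bot: In the AsyncLoader.java part of the new patch, `checkLoadDone()` calls `watchdog.cancel();` unconditionally, but `startLoading()` only creates the task when `timeoutSeconds > 0` and the field starts as `null`, so a loader built with the documented "timeout <= 0 suppresses the watchdog" value throws a NullPointerException in the producer thread as soon as the expected item count is reached; guard it with `if (watchdog != null) watchdog.cancel();`. Separately, `loading` is written by the timer thread in `forceUnlock()` and read by the consumer in `awaitLoadDone()` with neither `volatile` nor the lock, so in principle a consumer that reads a stale `true` after the watchdog has already swept the queued threads blocks in `lockInterruptibly()` with nothing left to interrupt it; declaring the field `private volatile boolean loading = true;` narrows this, and the check-then-lock window deserves a comment. `new Timer("AsyncLoader watchdog")` also creates a non-daemon thread per AsyncLoader instance that nothing in this hunk cancels, which can keep the JVM or a redeployed webapp alive; `new Timer("AsyncLoader watchdog", true)` avoids that. Both call sites pass a 10-second timeout, so the first issue is latent in this patch rather than triggered by it.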
@@ -1,5141 +0,0 @@ -From 05ebd730708f4dd6b59c667535fef0808e0e0468 Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Tue, 11 Dec 2018 08:17:20 +0100 -Subject: [PATCH] Simplifying Web UI session timeout configuration - -The web.xml files for PKI webapps have been modified to remove -hard-coded parameters. The webapps will now -use the timeout defined in /etc/pki//web.xml. - -Unused web.xml files have been removed as well. - -https://pagure.io/dogtagpki/issue/3084 -(cherry picked from commit 30a47907af087a9d2f7739e8d577d7cdd28de18b) ---- - base/ca/shared/conf/web.xml | 989 ------------------------- - base/ca/shared/webapps/ca/WEB-INF/web.xml | 10 - - base/kra/shared/conf/web.xml | 989 ------------------------- - base/kra/shared/webapps/kra/WEB-INF/web.xml | 10 - - base/ocsp/shared/conf/web.xml | 993 -------------------------- - base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml | 11 - - base/server/share/webapps/pki/WEB-INF/web.xml | 4 - - base/tks/shared/conf/web.xml | 993 -------------------------- - base/tks/shared/webapps/tks/WEB-INF/web.xml | 10 - - base/tps/shared/conf/web.xml | 993 -------------------------- - base/tps/shared/webapps/tps/WEB-INF/web.xml | 10 - - 11 files changed, 5012 deletions(-) - delete mode 100644 base/ca/shared/conf/web.xml - delete mode 100644 base/kra/shared/conf/web.xml - delete mode 100644 base/ocsp/shared/conf/web.xml - delete mode 100644 base/tks/shared/conf/web.xml - delete mode 100644 base/tps/shared/conf/web.xml - -diff --git a/base/ca/shared/conf/web.xml b/base/ca/shared/conf/web.xml -deleted file mode 100644 -index fb22468..0000000 ---- a/base/ca/shared/conf/web.xml -+++ /dev/null -@@ -1,989 +0,0 @@ -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- default -- org.apache.catalina.servlets.DefaultServlet -- -- debug -- 0 -- -- -- listings -- false -- -- 1 -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- 
-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- jsp -- org.apache.jasper.servlet.JspServlet -- -- fork -- false -- -- -- xpoweredBy -- false -- -- 3 -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- default -- / -- -- -- -- -- -- -- -- jsp -- *.jsp -- -- -- -- jsp -- *.jspx -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- 30 -- -- -- -- -- -- -- -- -- -- -- -- abs -- audio/x-mpeg -- -- -- ai -- application/postscript -- -- -- aif -- audio/x-aiff -- -- -- aifc -- audio/x-aiff -- -- -- aiff -- audio/x-aiff -- -- -- aim -- application/x-aim -- -- -- art -- image/x-jg -- -- -- asf -- video/x-ms-asf -- -- -- asx -- video/x-ms-asf -- -- -- au -- audio/basic -- -- -- avi -- video/x-msvideo -- -- -- avx -- video/x-rad-screenplay -- -- -- bcpio -- application/x-bcpio -- -- -- bin -- application/octet-stream -- -- -- bmp -- image/bmp -- -- -- body -- text/html -- -- -- cdf -- application/x-cdf -- -- -- cer -- application/x-x509-ca-cert -- -- -- class -- application/java -- -- -- cpio -- application/x-cpio -- -- -- csh -- application/x-csh -- -- -- css -- text/css -- -- -- dib -- image/bmp -- -- -- doc -- application/msword -- -- -- dtd -- application/xml-dtd -- -- -- dv -- video/x-dv -- -- -- dvi -- application/x-dvi -- -- -- eps -- application/postscript -- -- -- etx -- text/x-setext -- -- -- exe -- application/octet-stream -- -- -- gif -- image/gif -- -- -- gtar -- application/x-gtar -- -- -- gz -- application/x-gzip -- -- -- hdf -- application/x-hdf -- -- -- hqx -- application/mac-binhex40 -- -- -- htc -- text/x-component -- -- -- htm -- text/html -- -- -- html -- text/html 
-- -- -- hqx -- application/mac-binhex40 -- -- -- ief -- image/ief -- -- -- jad -- text/vnd.sun.j2me.app-descriptor -- -- -- jar -- application/java-archive -- -- -- java -- text/plain -- -- -- jnlp -- application/x-java-jnlp-file -- -- -- jpe -- image/jpeg -- -- -- jpeg -- image/jpeg -- -- -- jpg -- image/jpeg -- -- -- js -- text/javascript -- -- -- jsf -- text/plain -- -- -- jspf -- text/plain -- -- -- kar -- audio/x-midi -- -- -- latex -- application/x-latex -- -- -- m3u -- audio/x-mpegurl -- -- -- mac -- image/x-macpaint -- -- -- man -- application/x-troff-man -- -- -- mathml -- application/mathml+xml -- -- -- me -- application/x-troff-me -- -- -- mid -- audio/x-midi -- -- -- midi -- audio/x-midi -- -- -- mif -- application/x-mif -- -- -- mov -- video/quicktime -- -- -- movie -- video/x-sgi-movie -- -- -- mp1 -- audio/x-mpeg -- -- -- mp2 -- audio/x-mpeg -- -- -- mp3 -- audio/x-mpeg -- -- -- mpa -- audio/x-mpeg -- -- -- mpe -- video/mpeg -- -- -- mpeg -- video/mpeg -- -- -- mpega -- audio/x-mpeg -- -- -- mpg -- video/mpeg -- -- -- mpv2 -- video/mpeg2 -- -- -- ms -- application/x-wais-source -- -- -- nc -- application/x-netcdf -- -- -- oda -- application/oda -- -- -- ogg -- application/ogg -- -- -- pbm -- image/x-portable-bitmap -- -- -- pct -- image/pict -- -- -- pdf -- application/pdf -- -- -- pgm -- image/x-portable-graymap -- -- -- pic -- image/pict -- -- -- pict -- image/pict -- -- -- pls -- audio/x-scpls -- -- -- png -- image/png -- -- -- pnm -- image/x-portable-anymap -- -- -- pnt -- image/x-macpaint -- -- -- ppm -- image/x-portable-pixmap -- -- -- ppt -- application/powerpoint -- -- -- ps -- application/postscript -- -- -- psd -- image/x-photoshop -- -- -- qt -- video/quicktime -- -- -- qti -- image/x-quicktime -- -- -- qtif -- image/x-quicktime -- -- -- ras -- image/x-cmu-raster -- -- -- rdf -- application/rdf+xml -- -- -- rgb -- image/x-rgb -- -- -- rm -- application/vnd.rn-realmedia -- -- -- roff -- application/x-troff -- -- -- rtf -- application/rtf 
-- -- -- rtx -- text/richtext -- -- -- sh -- application/x-sh -- -- -- shar -- application/x-shar -- -- -- smf -- audio/x-midi -- -- -- sit -- application/x-stuffit -- -- -- snd -- audio/basic -- -- -- src -- application/x-wais-source -- -- -- sv4cpio -- application/x-sv4cpio -- -- -- sv4crc -- application/x-sv4crc -- -- -- svg -- image/svg+xml -- -- -- swf -- application/x-shockwave-flash -- -- -- t -- application/x-troff -- -- -- tar -- application/x-tar -- -- -- tcl -- application/x-tcl -- -- -- tex -- application/x-tex -- -- -- texi -- application/x-texinfo -- -- -- texinfo -- application/x-texinfo -- -- -- tif -- image/tiff -- -- -- tiff -- image/tiff -- -- -- tr -- application/x-troff -- -- -- tsv -- text/tab-separated-values -- -- -- txt -- text/plain -- -- -- ulw -- audio/basic -- -- -- ustar -- application/x-ustar -- -- -- vxml -- application/voicexml+xml -- -- -- xbm -- image/x-xbitmap -- -- -- xht -- application/xhtml+xml -- -- -- xhtml -- application/xhtml+xml -- -- -- xml -- application/xml -- -- -- xpm -- image/x-xpixmap -- -- -- xsl -- application/xml -- -- -- xslt -- application/xslt+xml -- -- -- xul -- application/vnd.mozilla.xul+xml -- -- -- xwd -- image/x-xwindowdump -- -- -- wav -- audio/x-wav -- -- -- svg -- image/svg -- -- -- svgz -- image/svg -- -- -- vsd -- application/x-visio -- -- -- -- wbmp -- image/vnd.wap.wbmp -- -- -- -- wml -- text/vnd.wap.wml -- -- -- -- wmlc -- application/vnd.wap.wmlc -- -- -- -- wmls -- text/vnd.wap.wmlscript -- -- -- -- wmlscriptc -- application/vnd.wap.wmlscriptc -- -- -- wrl -- x-world/x-vrml -- -- -- Z -- application/x-compress -- -- -- z -- application/x-compress -- -- -- zip -- application/zip -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- index.html -- index.htm -- index.jsp -- -- -- -- 404 -- /404.html -- -- -- -- 500 -- /500.html -- -- -- -diff --git a/base/ca/shared/webapps/ca/WEB-INF/web.xml b/base/ca/shared/webapps/ca/WEB-INF/web.xml -index 2666049..92d4e6b 100644 ---- 
a/base/ca/shared/webapps/ca/WEB-INF/web.xml -+++ b/base/ca/shared/webapps/ca/WEB-INF/web.xml -@@ -2618,16 +2618,6 @@ - /ee/ca/pkiclient - - -- -- -- -- -- -- -- -- 30 -- -- - - - Account Services -diff --git a/base/kra/shared/conf/web.xml b/base/kra/shared/conf/web.xml -deleted file mode 100644 -index fb22468..0000000 ---- a/base/kra/shared/conf/web.xml -+++ /dev/null -@@ -1,989 +0,0 @@ -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- default -- org.apache.catalina.servlets.DefaultServlet -- -- debug -- 0 -- -- -- listings -- false -- -- 1 -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- jsp -- org.apache.jasper.servlet.JspServlet -- -- fork -- false -- -- -- xpoweredBy -- false -- -- 3 -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- default -- / -- -- -- -- -- -- -- -- jsp -- *.jsp -- -- -- -- jsp -- *.jspx -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- 30 -- -- -- -- -- -- -- -- -- -- -- -- abs -- audio/x-mpeg -- -- -- ai -- application/postscript -- -- -- aif -- audio/x-aiff -- -- -- aifc -- audio/x-aiff -- -- -- aiff -- audio/x-aiff -- -- -- aim -- application/x-aim -- -- -- art -- image/x-jg -- -- -- asf -- video/x-ms-asf -- -- -- asx -- video/x-ms-asf -- -- -- au -- audio/basic -- -- -- avi -- video/x-msvideo -- -- -- avx -- video/x-rad-screenplay -- -- -- bcpio -- application/x-bcpio -- -- -- bin -- application/octet-stream -- -- -- bmp -- image/bmp -- -- -- body -- text/html -- -- 
-- cdf -- application/x-cdf -- -- -- cer -- application/x-x509-ca-cert -- -- -- class -- application/java -- -- -- cpio -- application/x-cpio -- -- -- csh -- application/x-csh -- -- -- css -- text/css -- -- -- dib -- image/bmp -- -- -- doc -- application/msword -- -- -- dtd -- application/xml-dtd -- -- -- dv -- video/x-dv -- -- -- dvi -- application/x-dvi -- -- -- eps -- application/postscript -- -- -- etx -- text/x-setext -- -- -- exe -- application/octet-stream -- -- -- gif -- image/gif -- -- -- gtar -- application/x-gtar -- -- -- gz -- application/x-gzip -- -- -- hdf -- application/x-hdf -- -- -- hqx -- application/mac-binhex40 -- -- -- htc -- text/x-component -- -- -- htm -- text/html -- -- -- html -- text/html -- -- -- hqx -- application/mac-binhex40 -- -- -- ief -- image/ief -- -- -- jad -- text/vnd.sun.j2me.app-descriptor -- -- -- jar -- application/java-archive -- -- -- java -- text/plain -- -- -- jnlp -- application/x-java-jnlp-file -- -- -- jpe -- image/jpeg -- -- -- jpeg -- image/jpeg -- -- -- jpg -- image/jpeg -- -- -- js -- text/javascript -- -- -- jsf -- text/plain -- -- -- jspf -- text/plain -- -- -- kar -- audio/x-midi -- -- -- latex -- application/x-latex -- -- -- m3u -- audio/x-mpegurl -- -- -- mac -- image/x-macpaint -- -- -- man -- application/x-troff-man -- -- -- mathml -- application/mathml+xml -- -- -- me -- application/x-troff-me -- -- -- mid -- audio/x-midi -- -- -- midi -- audio/x-midi -- -- -- mif -- application/x-mif -- -- -- mov -- video/quicktime -- -- -- movie -- video/x-sgi-movie -- -- -- mp1 -- audio/x-mpeg -- -- -- mp2 -- audio/x-mpeg -- -- -- mp3 -- audio/x-mpeg -- -- -- mpa -- audio/x-mpeg -- -- -- mpe -- video/mpeg -- -- -- mpeg -- video/mpeg -- -- -- mpega -- audio/x-mpeg -- -- -- mpg -- video/mpeg -- -- -- mpv2 -- video/mpeg2 -- -- -- ms -- application/x-wais-source -- -- -- nc -- application/x-netcdf -- -- -- oda -- application/oda -- -- -- ogg -- application/ogg -- -- -- pbm -- image/x-portable-bitmap -- -- -- pct -- 
image/pict -- -- -- pdf -- application/pdf -- -- -- pgm -- image/x-portable-graymap -- -- -- pic -- image/pict -- -- -- pict -- image/pict -- -- -- pls -- audio/x-scpls -- -- -- png -- image/png -- -- -- pnm -- image/x-portable-anymap -- -- -- pnt -- image/x-macpaint -- -- -- ppm -- image/x-portable-pixmap -- -- -- ppt -- application/powerpoint -- -- -- ps -- application/postscript -- -- -- psd -- image/x-photoshop -- -- -- qt -- video/quicktime -- -- -- qti -- image/x-quicktime -- -- -- qtif -- image/x-quicktime -- -- -- ras -- image/x-cmu-raster -- -- -- rdf -- application/rdf+xml -- -- -- rgb -- image/x-rgb -- -- -- rm -- application/vnd.rn-realmedia -- -- -- roff -- application/x-troff -- -- -- rtf -- application/rtf -- -- -- rtx -- text/richtext -- -- -- sh -- application/x-sh -- -- -- shar -- application/x-shar -- -- -- smf -- audio/x-midi -- -- -- sit -- application/x-stuffit -- -- -- snd -- audio/basic -- -- -- src -- application/x-wais-source -- -- -- sv4cpio -- application/x-sv4cpio -- -- -- sv4crc -- application/x-sv4crc -- -- -- svg -- image/svg+xml -- -- -- swf -- application/x-shockwave-flash -- -- -- t -- application/x-troff -- -- -- tar -- application/x-tar -- -- -- tcl -- application/x-tcl -- -- -- tex -- application/x-tex -- -- -- texi -- application/x-texinfo -- -- -- texinfo -- application/x-texinfo -- -- -- tif -- image/tiff -- -- -- tiff -- image/tiff -- -- -- tr -- application/x-troff -- -- -- tsv -- text/tab-separated-values -- -- -- txt -- text/plain -- -- -- ulw -- audio/basic -- -- -- ustar -- application/x-ustar -- -- -- vxml -- application/voicexml+xml -- -- -- xbm -- image/x-xbitmap -- -- -- xht -- application/xhtml+xml -- -- -- xhtml -- application/xhtml+xml -- -- -- xml -- application/xml -- -- -- xpm -- image/x-xpixmap -- -- -- xsl -- application/xml -- -- -- xslt -- application/xslt+xml -- -- -- xul -- application/vnd.mozilla.xul+xml -- -- -- xwd -- image/x-xwindowdump -- -- -- wav -- audio/x-wav -- -- -- svg -- image/svg -- -- -- 
svgz -- image/svg -- -- -- vsd -- application/x-visio -- -- -- -- wbmp -- image/vnd.wap.wbmp -- -- -- -- wml -- text/vnd.wap.wml -- -- -- -- wmlc -- application/vnd.wap.wmlc -- -- -- -- wmls -- text/vnd.wap.wmlscript -- -- -- -- wmlscriptc -- application/vnd.wap.wmlscriptc -- -- -- wrl -- x-world/x-vrml -- -- -- Z -- application/x-compress -- -- -- z -- application/x-compress -- -- -- zip -- application/zip -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- index.html -- index.htm -- index.jsp -- -- -- -- 404 -- /404.html -- -- -- -- 500 -- /500.html -- -- -- -diff --git a/base/kra/shared/webapps/kra/WEB-INF/web.xml b/base/kra/shared/webapps/kra/WEB-INF/web.xml -index 5b7031a..ffa33f6 100644 ---- a/base/kra/shared/webapps/kra/WEB-INF/web.xml -+++ b/base/kra/shared/webapps/kra/WEB-INF/web.xml -@@ -1055,16 +1055,6 @@ - - [PKI_CLOSE_STANDALONE_COMMENT] - -- -- -- -- -- -- -- -- 30 -- -- - - - Account Services -diff --git a/base/ocsp/shared/conf/web.xml b/base/ocsp/shared/conf/web.xml -deleted file mode 100644 -index 860a9c4..0000000 ---- a/base/ocsp/shared/conf/web.xml -+++ /dev/null -@@ -1,993 +0,0 @@ -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- default -- org.apache.catalina.servlets.DefaultServlet -- -- debug -- 0 -- -- -- listings -- false -- -- 1 -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- jsp -- org.apache.jasper.servlet.JspServlet -- -- fork -- false -- -- -- xpoweredBy -- false -- -- 3 -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- 
-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- default -- / -- -- -- -- -- -- -- -- jsp -- *.jsp -- -- -- -- jsp -- *.jspx -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- 30 -- -- -- -- -- -- -- -- -- -- -- -- abs -- audio/x-mpeg -- -- -- ai -- application/postscript -- -- -- aif -- audio/x-aiff -- -- -- aifc -- audio/x-aiff -- -- -- aiff -- audio/x-aiff -- -- -- aim -- application/x-aim -- -- -- art -- image/x-jg -- -- -- asf -- video/x-ms-asf -- -- -- asx -- video/x-ms-asf -- -- -- au -- audio/basic -- -- -- avi -- video/x-msvideo -- -- -- avx -- video/x-rad-screenplay -- -- -- bcpio -- application/x-bcpio -- -- -- bin -- application/octet-stream -- -- -- bmp -- image/bmp -- -- -- body -- text/html -- -- -- cdf -- application/x-cdf -- -- -- cer -- application/x-x509-ca-cert -- -- -- class -- application/java -- -- -- cpio -- application/x-cpio -- -- -- csh -- application/x-csh -- -- -- css -- text/css -- -- -- dib -- image/bmp -- -- -- doc -- application/msword -- -- -- dtd -- application/xml-dtd -- -- -- dv -- video/x-dv -- -- -- dvi -- application/x-dvi -- -- -- eps -- application/postscript -- -- -- etx -- text/x-setext -- -- -- exe -- application/octet-stream -- -- -- gif -- image/gif -- -- -- gtar -- application/x-gtar -- -- -- gz -- application/x-gzip -- -- -- hdf -- application/x-hdf -- -- -- hqx -- application/mac-binhex40 -- -- -- htc -- text/x-component -- -- -- htm -- text/html -- -- -- html -- text/html -- -- -- hqx -- application/mac-binhex40 -- -- -- ief -- image/ief -- -- -- jad -- text/vnd.sun.j2me.app-descriptor -- -- -- jar -- application/java-archive -- -- -- java -- text/plain -- -- -- jnlp -- application/x-java-jnlp-file -- -- -- jpe -- image/jpeg -- -- -- jpeg -- image/jpeg -- -- -- jpg -- image/jpeg -- -- -- js -- text/javascript -- -- -- jsf -- text/plain -- -- -- jspf -- text/plain -- -- -- kar -- audio/x-midi -- -- -- latex -- application/x-latex -- -- -- m3u -- audio/x-mpegurl -- -- -- mac -- image/x-macpaint -- -- -- man 
-- application/x-troff-man -- -- -- mathml -- application/mathml+xml -- -- -- me -- application/x-troff-me -- -- -- mid -- audio/x-midi -- -- -- midi -- audio/x-midi -- -- -- mif -- application/x-mif -- -- -- mov -- video/quicktime -- -- -- movie -- video/x-sgi-movie -- -- -- mp1 -- audio/x-mpeg -- -- -- mp2 -- audio/x-mpeg -- -- -- mp3 -- audio/x-mpeg -- -- -- mpa -- audio/x-mpeg -- -- -- mpe -- video/mpeg -- -- -- mpeg -- video/mpeg -- -- -- mpega -- audio/x-mpeg -- -- -- mpg -- video/mpeg -- -- -- mpv2 -- video/mpeg2 -- -- -- ms -- application/x-wais-source -- -- -- nc -- application/x-netcdf -- -- -- oda -- application/oda -- -- -- ogg -- application/ogg -- -- -- pbm -- image/x-portable-bitmap -- -- -- pct -- image/pict -- -- -- pdf -- application/pdf -- -- -- pgm -- image/x-portable-graymap -- -- -- pic -- image/pict -- -- -- pict -- image/pict -- -- -- pls -- audio/x-scpls -- -- -- png -- image/png -- -- -- pnm -- image/x-portable-anymap -- -- -- pnt -- image/x-macpaint -- -- -- ppm -- image/x-portable-pixmap -- -- -- ppt -- application/powerpoint -- -- -- ps -- application/postscript -- -- -- psd -- image/x-photoshop -- -- -- qt -- video/quicktime -- -- -- qti -- image/x-quicktime -- -- -- qtif -- image/x-quicktime -- -- -- ras -- image/x-cmu-raster -- -- -- rdf -- application/rdf+xml -- -- -- rgb -- image/x-rgb -- -- -- rm -- application/vnd.rn-realmedia -- -- -- roff -- application/x-troff -- -- -- rtf -- application/rtf -- -- -- rtx -- text/richtext -- -- -- sh -- application/x-sh -- -- -- shar -- application/x-shar -- -- -- smf -- audio/x-midi -- -- -- sit -- application/x-stuffit -- -- -- snd -- audio/basic -- -- -- src -- application/x-wais-source -- -- -- sv4cpio -- application/x-sv4cpio -- -- -- sv4crc -- application/x-sv4crc -- -- -- svg -- image/svg+xml -- -- -- swf -- application/x-shockwave-flash -- -- -- t -- application/x-troff -- -- -- tar -- application/x-tar -- -- -- tcl -- application/x-tcl -- -- -- tex -- application/x-tex -- -- -- texi -- 
application/x-texinfo -- -- -- texinfo -- application/x-texinfo -- -- -- tif -- image/tiff -- -- -- tiff -- image/tiff -- -- -- tr -- application/x-troff -- -- -- tsv -- text/tab-separated-values -- -- -- txt -- text/plain -- -- -- ulw -- audio/basic -- -- -- ustar -- application/x-ustar -- -- -- vxml -- application/voicexml+xml -- -- -- xbm -- image/x-xbitmap -- -- -- xht -- application/xhtml+xml -- -- -- xhtml -- application/xhtml+xml -- -- -- xml -- application/xml -- -- -- xpm -- image/x-xpixmap -- -- -- xsl -- application/xml -- -- -- xslt -- application/xslt+xml -- -- -- xul -- application/vnd.mozilla.xul+xml -- -- -- xwd -- image/x-xwindowdump -- -- -- wav -- audio/x-wav -- -- -- svg -- image/svg -- -- -- svgz -- image/svg -- -- -- vsd -- application/x-visio -- -- -- -- wbmp -- image/vnd.wap.wbmp -- -- -- -- wml -- text/vnd.wap.wml -- -- -- -- wmlc -- application/vnd.wap.wmlc -- -- -- -- wmls -- text/vnd.wap.wmlscript -- -- -- -- wmlscriptc -- application/vnd.wap.wmlscriptc -- -- -- wrl -- x-world/x-vrml -- -- -- Z -- application/x-compress -- -- -- z -- application/x-compress -- -- -- zip -- application/zip -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- index.html -- index.htm -- index.jsp -- -- -- -- 404 -- /404.html -- -- -- -- 500 -- /500.html -- -- -- -diff --git a/base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml b/base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml -index e610800..1bdc9cf 100644 ---- a/base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml -+++ b/base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml -@@ -689,17 +689,6 @@ - - [PKI_CLOSE_STANDALONE_COMMENT] - -- -- -- -- -- -- -- -- -- 30 -- -- - - - Account Services -diff --git a/base/server/share/webapps/pki/WEB-INF/web.xml b/base/server/share/webapps/pki/WEB-INF/web.xml -index aacdffa..4f08b16 100644 ---- a/base/server/share/webapps/pki/WEB-INF/web.xml -+++ b/base/server/share/webapps/pki/WEB-INF/web.xml -@@ -45,8 +45,4 @@ - - - -- -- 30 -- -- - -diff --git a/base/tks/shared/conf/web.xml 
b/base/tks/shared/conf/web.xml -deleted file mode 100644 -index 860a9c4..0000000 ---- a/base/tks/shared/conf/web.xml -+++ /dev/null -@@ -1,993 +0,0 @@ -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- default -- org.apache.catalina.servlets.DefaultServlet -- -- debug -- 0 -- -- -- listings -- false -- -- 1 -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- jsp -- org.apache.jasper.servlet.JspServlet -- -- fork -- false -- -- -- xpoweredBy -- false -- -- 3 -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- default -- / -- -- -- -- -- -- -- -- jsp -- *.jsp -- -- -- -- jsp -- *.jspx -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- 30 -- -- -- -- -- -- -- -- -- -- -- -- abs -- audio/x-mpeg -- -- -- ai -- application/postscript -- -- -- aif -- audio/x-aiff -- -- -- aifc -- audio/x-aiff -- -- -- aiff -- audio/x-aiff -- -- -- aim -- application/x-aim -- -- -- art -- image/x-jg -- -- -- asf -- video/x-ms-asf -- -- -- asx -- video/x-ms-asf -- -- -- au -- audio/basic -- -- -- avi -- video/x-msvideo -- -- -- avx -- video/x-rad-screenplay -- -- -- bcpio -- application/x-bcpio -- -- -- bin -- application/octet-stream -- -- -- bmp -- image/bmp -- -- -- body -- text/html -- -- -- cdf -- application/x-cdf -- -- -- cer -- application/x-x509-ca-cert -- -- -- class -- application/java -- -- -- cpio -- application/x-cpio -- -- -- csh -- application/x-csh -- -- -- css -- text/css -- -- -- dib -- image/bmp -- -- -- 
doc -- application/msword -- -- -- dtd -- application/xml-dtd -- -- -- dv -- video/x-dv -- -- -- dvi -- application/x-dvi -- -- -- eps -- application/postscript -- -- -- etx -- text/x-setext -- -- -- exe -- application/octet-stream -- -- -- gif -- image/gif -- -- -- gtar -- application/x-gtar -- -- -- gz -- application/x-gzip -- -- -- hdf -- application/x-hdf -- -- -- hqx -- application/mac-binhex40 -- -- -- htc -- text/x-component -- -- -- htm -- text/html -- -- -- html -- text/html -- -- -- hqx -- application/mac-binhex40 -- -- -- ief -- image/ief -- -- -- jad -- text/vnd.sun.j2me.app-descriptor -- -- -- jar -- application/java-archive -- -- -- java -- text/plain -- -- -- jnlp -- application/x-java-jnlp-file -- -- -- jpe -- image/jpeg -- -- -- jpeg -- image/jpeg -- -- -- jpg -- image/jpeg -- -- -- js -- text/javascript -- -- -- jsf -- text/plain -- -- -- jspf -- text/plain -- -- -- kar -- audio/x-midi -- -- -- latex -- application/x-latex -- -- -- m3u -- audio/x-mpegurl -- -- -- mac -- image/x-macpaint -- -- -- man -- application/x-troff-man -- -- -- mathml -- application/mathml+xml -- -- -- me -- application/x-troff-me -- -- -- mid -- audio/x-midi -- -- -- midi -- audio/x-midi -- -- -- mif -- application/x-mif -- -- -- mov -- video/quicktime -- -- -- movie -- video/x-sgi-movie -- -- -- mp1 -- audio/x-mpeg -- -- -- mp2 -- audio/x-mpeg -- -- -- mp3 -- audio/x-mpeg -- -- -- mpa -- audio/x-mpeg -- -- -- mpe -- video/mpeg -- -- -- mpeg -- video/mpeg -- -- -- mpega -- audio/x-mpeg -- -- -- mpg -- video/mpeg -- -- -- mpv2 -- video/mpeg2 -- -- -- ms -- application/x-wais-source -- -- -- nc -- application/x-netcdf -- -- -- oda -- application/oda -- -- -- ogg -- application/ogg -- -- -- pbm -- image/x-portable-bitmap -- -- -- pct -- image/pict -- -- -- pdf -- application/pdf -- -- -- pgm -- image/x-portable-graymap -- -- -- pic -- image/pict -- -- -- pict -- image/pict -- -- -- pls -- audio/x-scpls -- -- -- png -- image/png -- -- -- pnm -- image/x-portable-anymap -- -- -- 
pnt -- image/x-macpaint -- -- -- ppm -- image/x-portable-pixmap -- -- -- ppt -- application/powerpoint -- -- -- ps -- application/postscript -- -- -- psd -- image/x-photoshop -- -- -- qt -- video/quicktime -- -- -- qti -- image/x-quicktime -- -- -- qtif -- image/x-quicktime -- -- -- ras -- image/x-cmu-raster -- -- -- rdf -- application/rdf+xml -- -- -- rgb -- image/x-rgb -- -- -- rm -- application/vnd.rn-realmedia -- -- -- roff -- application/x-troff -- -- -- rtf -- application/rtf -- -- -- rtx -- text/richtext -- -- -- sh -- application/x-sh -- -- -- shar -- application/x-shar -- -- -- smf -- audio/x-midi -- -- -- sit -- application/x-stuffit -- -- -- snd -- audio/basic -- -- -- src -- application/x-wais-source -- -- -- sv4cpio -- application/x-sv4cpio -- -- -- sv4crc -- application/x-sv4crc -- -- -- svg -- image/svg+xml -- -- -- swf -- application/x-shockwave-flash -- -- -- t -- application/x-troff -- -- -- tar -- application/x-tar -- -- -- tcl -- application/x-tcl -- -- -- tex -- application/x-tex -- -- -- texi -- application/x-texinfo -- -- -- texinfo -- application/x-texinfo -- -- -- tif -- image/tiff -- -- -- tiff -- image/tiff -- -- -- tr -- application/x-troff -- -- -- tsv -- text/tab-separated-values -- -- -- txt -- text/plain -- -- -- ulw -- audio/basic -- -- -- ustar -- application/x-ustar -- -- -- vxml -- application/voicexml+xml -- -- -- xbm -- image/x-xbitmap -- -- -- xht -- application/xhtml+xml -- -- -- xhtml -- application/xhtml+xml -- -- -- xml -- application/xml -- -- -- xpm -- image/x-xpixmap -- -- -- xsl -- application/xml -- -- -- xslt -- application/xslt+xml -- -- -- xul -- application/vnd.mozilla.xul+xml -- -- -- xwd -- image/x-xwindowdump -- -- -- wav -- audio/x-wav -- -- -- svg -- image/svg -- -- -- svgz -- image/svg -- -- -- vsd -- application/x-visio -- -- -- -- wbmp -- image/vnd.wap.wbmp -- -- -- -- wml -- text/vnd.wap.wml -- -- -- -- wmlc -- application/vnd.wap.wmlc -- -- -- -- wmls -- text/vnd.wap.wmlscript -- -- -- -- wmlscriptc -- 
application/vnd.wap.wmlscriptc -- -- -- wrl -- x-world/x-vrml -- -- -- Z -- application/x-compress -- -- -- z -- application/x-compress -- -- -- zip -- application/zip -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- index.html -- index.htm -- index.jsp -- -- -- -- 404 -- /404.html -- -- -- -- 500 -- /500.html -- -- -- -diff --git a/base/tks/shared/webapps/tks/WEB-INF/web.xml b/base/tks/shared/webapps/tks/WEB-INF/web.xml -index ddbea88..9c0a0de 100644 ---- a/base/tks/shared/webapps/tks/WEB-INF/web.xml -+++ b/base/tks/shared/webapps/tks/WEB-INF/web.xml -@@ -368,16 +368,6 @@ - /admin/tks/getStatus - - -- -- -- -- -- -- -- -- 30 -- -- - - - Account Services -diff --git a/base/tps/shared/conf/web.xml b/base/tps/shared/conf/web.xml -deleted file mode 100644 -index 8330ecc..0000000 ---- a/base/tps/shared/conf/web.xml -+++ /dev/null -@@ -1,993 +0,0 @@ -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- default -- org.apache.catalina.servlets.DefaultServlet -- -- debug -- 0 -- -- -- listings -- false -- -- 1 -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- jsp -- org.apache.jasper.servlet.JspServlet -- -- fork -- false -- -- -- xpoweredBy -- false -- -- 3 -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- default -- / -- -- -- -- -- -- -- -- jsp -- *.jsp -- -- -- -- jsp -- *.jspx -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- 30 -- -- -- -- -- -- -- -- -- -- -- -- abs -- audio/x-mpeg -- -- -- ai -- 
application/postscript -- -- -- aif -- audio/x-aiff -- -- -- aifc -- audio/x-aiff -- -- -- aiff -- audio/x-aiff -- -- -- aim -- application/x-aim -- -- -- art -- image/x-jg -- -- -- asf -- video/x-ms-asf -- -- -- asx -- video/x-ms-asf -- -- -- au -- audio/basic -- -- -- avi -- video/x-msvideo -- -- -- avx -- video/x-rad-screenplay -- -- -- bcpio -- application/x-bcpio -- -- -- bin -- application/octet-stream -- -- -- bmp -- image/bmp -- -- -- body -- text/html -- -- -- cdf -- application/x-cdf -- -- -- cer -- application/x-x509-ca-cert -- -- -- class -- application/java -- -- -- cpio -- application/x-cpio -- -- -- csh -- application/x-csh -- -- -- css -- text/css -- -- -- dib -- image/bmp -- -- -- doc -- application/msword -- -- -- dtd -- application/xml-dtd -- -- -- dv -- video/x-dv -- -- -- dvi -- application/x-dvi -- -- -- eps -- application/postscript -- -- -- etx -- text/x-setext -- -- -- exe -- application/octet-stream -- -- -- gif -- image/gif -- -- -- gtar -- application/x-gtar -- -- -- gz -- application/x-gzip -- -- -- hdf -- application/x-hdf -- -- -- hqx -- application/mac-binhex40 -- -- -- htc -- text/x-component -- -- -- htm -- text/html -- -- -- html -- text/html -- -- -- hqx -- application/mac-binhex40 -- -- -- ief -- image/ief -- -- -- jad -- text/vnd.sun.j2me.app-descriptor -- -- -- jar -- application/java-archive -- -- -- java -- text/plain -- -- -- jnlp -- application/x-java-jnlp-file -- -- -- jpe -- image/jpeg -- -- -- jpeg -- image/jpeg -- -- -- jpg -- image/jpeg -- -- -- js -- text/javascript -- -- -- jsf -- text/plain -- -- -- jspf -- text/plain -- -- -- kar -- audio/x-midi -- -- -- latex -- application/x-latex -- -- -- m3u -- audio/x-mpegurl -- -- -- mac -- image/x-macpaint -- -- -- man -- application/x-troff-man -- -- -- mathml -- application/mathml+xml -- -- -- me -- application/x-troff-me -- -- -- mid -- audio/x-midi -- -- -- midi -- audio/x-midi -- -- -- mif -- application/x-mif -- -- -- mov -- video/quicktime -- -- -- movie -- 
video/x-sgi-movie -- -- -- mp1 -- audio/x-mpeg -- -- -- mp2 -- audio/x-mpeg -- -- -- mp3 -- audio/x-mpeg -- -- -- mpa -- audio/x-mpeg -- -- -- mpe -- video/mpeg -- -- -- mpeg -- video/mpeg -- -- -- mpega -- audio/x-mpeg -- -- -- mpg -- video/mpeg -- -- -- mpv2 -- video/mpeg2 -- -- -- ms -- application/x-wais-source -- -- -- nc -- application/x-netcdf -- -- -- oda -- application/oda -- -- -- ogg -- application/ogg -- -- -- pbm -- image/x-portable-bitmap -- -- -- pct -- image/pict -- -- -- pdf -- application/pdf -- -- -- pgm -- image/x-portable-graymap -- -- -- pic -- image/pict -- -- -- pict -- image/pict -- -- -- pls -- audio/x-scpls -- -- -- png -- image/png -- -- -- pnm -- image/x-portable-anymap -- -- -- pnt -- image/x-macpaint -- -- -- ppm -- image/x-portable-pixmap -- -- -- ppt -- application/powerpoint -- -- -- ps -- application/postscript -- -- -- psd -- image/x-photoshop -- -- -- qt -- video/quicktime -- -- -- qti -- image/x-quicktime -- -- -- qtif -- image/x-quicktime -- -- -- ras -- image/x-cmu-raster -- -- -- rdf -- application/rdf+xml -- -- -- rgb -- image/x-rgb -- -- -- rm -- application/vnd.rn-realmedia -- -- -- roff -- application/x-troff -- -- -- rtf -- application/rtf -- -- -- rtx -- text/richtext -- -- -- sh -- application/x-sh -- -- -- shar -- application/x-shar -- -- -- smf -- audio/x-midi -- -- -- sit -- application/x-stuffit -- -- -- snd -- audio/basic -- -- -- src -- application/x-wais-source -- -- -- sv4cpio -- application/x-sv4cpio -- -- -- sv4crc -- application/x-sv4crc -- -- -- svg -- image/svg+xml -- -- -- swf -- application/x-shockwave-flash -- -- -- t -- application/x-troff -- -- -- tar -- application/x-tar -- -- -- tcl -- application/x-tcl -- -- -- tex -- application/x-tex -- -- -- texi -- application/x-texinfo -- -- -- texinfo -- application/x-texinfo -- -- -- tif -- image/tiff -- -- -- tiff -- image/tiff -- -- -- tr -- application/x-troff -- -- -- tsv -- text/tab-separated-values -- -- -- txt -- text/plain -- -- -- ulw -- 
audio/basic -- -- -- ustar -- application/x-ustar -- -- -- vxml -- application/voicexml+xml -- -- -- xbm -- image/x-xbitmap -- -- -- xht -- application/xhtml+xml -- -- -- xhtml -- application/xhtml+xml -- -- -- xml -- application/xml -- -- -- xpm -- image/x-xpixmap -- -- -- xsl -- application/xml -- -- -- xslt -- application/xslt+xml -- -- -- xul -- application/vnd.mozilla.xul+xml -- -- -- xwd -- image/x-xwindowdump -- -- -- wav -- audio/x-wav -- -- -- svg -- image/svg -- -- -- svgz -- image/svg -- -- -- vsd -- application/x-visio -- -- -- -- wbmp -- image/vnd.wap.wbmp -- -- -- -- wml -- text/vnd.wap.wml -- -- -- -- wmlc -- application/vnd.wap.wmlc -- -- -- -- wmls -- text/vnd.wap.wmlscript -- -- -- -- wmlscriptc -- application/vnd.wap.wmlscriptc -- -- -- wrl -- x-world/x-vrml -- -- -- Z -- application/x-compress -- -- -- z -- application/x-compress -- -- -- zip -- application/zip -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- index.html -- index.htm -- index.jsp -- -- -- -- 404 -- /404.html -- -- -- -- 500 -- /500.html -- -- -- -diff --git a/base/tps/shared/webapps/tps/WEB-INF/web.xml b/base/tps/shared/webapps/tps/WEB-INF/web.xml -index 8506b27..c99c918 100644 ---- a/base/tps/shared/webapps/tps/WEB-INF/web.xml -+++ b/base/tps/shared/webapps/tps/WEB-INF/web.xml -@@ -133,16 +133,6 @@ - /tps - - -- -- -- -- -- -- -- -- 30 -- -- - - - Account Services --- -1.8.3.1 - diff --git a/SOURCES/pki-core-Verify-Cert-Before-Import.patch b/SOURCES/pki-core-Verify-Cert-Before-Import.patch deleted file mode 100644 index 53c98ff..0000000 --- a/SOURCES/pki-core-Verify-Cert-Before-Import.patch +++ /dev/null 
@@ -1,387 +0,0 @@
-From bbc31b8303d34053562c9cb6e2c1132f124bfdb1 Mon Sep 17 00:00:00 2001
-From: Alexander Scheel
-Date: Wed, 16 Jan 2019 17:16:09 -0500
-Subject: [PATCH 1/2] Add validate-then-import certificate utility
-
-The NSS utility certutil requires certificates to be imported
-(`certutil -A`) prior to validating their signatures and usage
-(`certutil -V -e`). PKICertImport avoids this pitfall by handling both
-import and validation in the same step, so if the validation fails, the
-certificate is removed. This ensures it is not accidentally used before
-it is verified.
-
-Signed-off-by: Alexander Scheel
-(cherry picked from commit a187cccc269968e310d97eafc99771d2cd5b366e)
----
- base/util/PKICertImport.bash | 328 +++++++++++++++++++++++++++++++++++++++++++
- 1 file changed, 328 insertions(+)
- create mode 100755 base/util/PKICertImport.bash
-
-diff --git a/base/util/PKICertImport.bash b/base/util/PKICertImport.bash
-new file mode 100755
-index 0000000..d0b54c7
---- /dev/null
-+++ b/base/util/PKICertImport.bash
-@@ -0,0 +1,328 @@
-+#!/bin/bash
-+
-+# Copyright (C) 2018 Red Hat
-+
-+# PKICertImport performs a validate-then-import strategy for importing
-+# certificates into a NSS DB or HSM Token by wrapping both calls to
-+# certutil (`certutil -A` and `certutil -V`) such that the certificate
-+# will be removed if import fails (`certutil -D`). This helps to ensure
-+# that certificates are not used prior to validation.
-+function PKICertImport() {
-+ ## [ overview ] ##
-+
-+ # This script has four major sections:
-+ #
-+ # 1. Globals -- the definitions of all script-global variables
-+ # 2. Helper functions -- functions which don't perform key operations
-+ # 3. Core commands -- functions which interact with the NSS DB via
-+ # certutil
-+ # 4. Program flow -- main flow of the program
-+
-+
-+ ## [ globals ] ##
-+
-+ # Path to certificate; parsed from arguments.
-+ local CERT_PATH=""
-+
-+ # User-given nickname for the certificate.
-+ local CERT_NICKNAME=""
-+
-+ # Whether or not the certificate is in ASCII/PEM format.
-+ local CERT_ASCII="false"
-+
-+ # What trust flags to use when importing the certificate.
-+ local CERT_TRUST=""
-+
-+ # What usage flags to validate the certificate against.
-+ local CERT_USAGE=""
-+
-+ # Location of the original NSS DB.
-+ local NSSDB=""
-+
-+ # Type of the NSSDB.
-+ local NSSDB_TYPE=""
-+
-+ # Location to the NSS DB Password file, if present.
-+ local NSSDB_PASSWORD=""
-+
-+ # Name of the HSM token, if used.
-+ local HSM_TOKEN=""
-+
-+
-+ ## [ helper functions ] ##
-+
-+ # __e prints error messages, prefixing them with "e: " and writing the
-+ # output to stderr instead of stdout.
-+ function __e() {
-+ echo "e:" "$@" 1>&2
-+ }
-+
-+ # __v prints debug messages in verbose mode; these also go to stderr.
-+ # Messages are only present if the environment variable VERBOSE is set.
-+ function __v() {
-+ if [ "x$VERBOSE" != "x" ]; then
-+ echo "v:" "$@" 1>&2
-+ fi
-+ }
-+
-+ ## [ core commands ] ##
-+
-+ # Parse the command line arguments and set the appropriate global
-+ # variables. Return status of non-zero indicates a fatal error; help
-+ # should be displayed. Return status of zero indicates no error and help
-+ # should not be displayed.
-+ function _parse_args() {
-+ # Use a read-and-shift approach to parse both "