diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..b52c028
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/pki-core-10.4.1.tar.gz
diff --git a/.pki-core.metadata b/.pki-core.metadata
new file mode 100644
index 0000000..59de659
--- /dev/null
+++ b/.pki-core.metadata
@@ -0,0 +1 @@
+5187b494ec33ba6f11e5fc3204d891b2c46ac9b2 SOURCES/pki-core-10.4.1.tar.gz
diff --git a/README.md b/README.md
deleted file mode 100644
index 0e7897f..0000000
--- a/README.md
+++ /dev/null
@@ -1,5 +0,0 @@
-The master branch has no content
-
-Look at the c7 branch if you are working with CentOS-7, or the c4/c5/c6 branch for CentOS-4, 5 or 6
-
-If you find this file in a distro specific branch, it means that no content has been checked in yet
diff --git a/SOURCES/pki-core-Always-check-FIPS-mode-at-installation-time.patch b/SOURCES/pki-core-Always-check-FIPS-mode-at-installation-time.patch
new file mode 100644
index 0000000..5be0f9c
--- /dev/null
+++ b/SOURCES/pki-core-Always-check-FIPS-mode-at-installation-time.patch
@@ -0,0 +1,28 @@
+From ad8c47aaf675bbda7b2ab50e6fc20b22862f83c3 Mon Sep 17 00:00:00 2001
+From: Matthew Harmsen
+Date: Tue, 23 May 2017 11:46:41 -0600
+Subject: [PATCH] Always check FIPS mode at installation time
+
+- Bugzilla Bug #1454603 - Unable to install IPA server due to pkispawn error
+
+(cherry picked from commit 3249ddc2c19f6f5ded11823b345c9c58bae4750b)
+---
+ base/server/python/pki/server/deployment/scriptlets/initialization.py | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/base/server/python/pki/server/deployment/scriptlets/initialization.py b/base/server/python/pki/server/deployment/scriptlets/initialization.py
+index 0e31543..4dc4e9a 100644
+--- a/base/server/python/pki/server/deployment/scriptlets/initialization.py
++++ b/base/server/python/pki/server/deployment/scriptlets/initialization.py
+@@ -42,6 +42,8 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
+ # ALWAYS establish 'uid' and 'gid'
+ deployer.identity.set_uid(deployer.mdict['pki_user'])
+ deployer.identity.set_gid(deployer.mdict['pki_group'])
++ # ALWAYS check FIPS mode
++ deployer.fips.is_fips_enabled()
+ # ALWAYS initialize HSMs (when and if present)
+ deployer.hsm.initialize()
+ if config.str2bool(deployer.mdict['pki_skip_installation']):
+--
+1.8.3.1
+
diff --git a/SOURCES/pki-core-CMC-check-HTTPS-client-authentication-cert.patch b/SOURCES/pki-core-CMC-check-HTTPS-client-authentication-cert.patch
new file mode 100644
index 0000000..2783a45
--- /dev/null
+++ b/SOURCES/pki-core-CMC-check-HTTPS-client-authentication-cert.patch
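Review bot: The return value of `deployer.fips.is_fips_enabled()` is discarded on the added line, so the comment `# ALWAYS check FIPS mode` does not tell a reader what the call achieves or why it has to run before `deployer.hsm.initialize()`; presumably the call is relied on for a side effect that the later deployment steps need, but that is not visible in the hunk. Suggest widening the comment to state the intent, e.g. `# ALWAYS check FIPS mode: called for its side effect before HSM initialization; the boolean result is intentionally unused here`, or assigning and acting on the result if the value itself matters. The enclosing PkiScriptlet method begins and ends outside the hunk.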
@@ -0,0 +1,615 @@ +From 32cf3850935590f7f4cd457b824cc296b6af44b9 Mon Sep 17 00:00:00 2001 +From: Christina Fu +Date: Wed, 14 Jun 2017 14:57:10 -0700 +Subject: [PATCH 2/4] Ticket#2737 CMC: check HTTPS client authentication cert + against CMC signer + +This patch adds enforcement in CMCUserSignedAuth to make sure SSL client authentication is performed and the authenticated cert matches that of the CMC signing cert. +Some auditing adjustments are also done. + +(cherry picked from commit 63c9582009b3858a6878863b9658d04c9aad45c1) +--- + base/ca/shared/conf/CS.cfg | 3 +- + .../com/netscape/certsrv/base/SessionContext.java | 7 + + .../cms/authentication/CMCUserSignedAuth.java | 220 ++++++++++++++------- + .../profile/constraint/UniqueKeyConstraint.java | 8 +- + .../com/netscape/cms/servlet/base/CMSServlet.java | 10 +- + .../servlet/profile/ProfileSubmitCMCServlet.java | 7 + + base/server/cmsbundle/src/LogMessages.properties | 4 +- + 7 files changed, 175 insertions(+), 84 deletions(-) + +diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg +index d1bf7db..4da7429 100644 +--- a/base/ca/shared/conf/CS.cfg ++++ b/base/ca/shared/conf/CS.cfg +@@ -734,11 +734,10 @@ ca.publish.rule.instance.LdapXCertRule.pluginName=Rule + ca.publish.rule.instance.LdapXCertRule.predicate= + ca.publish.rule.instance.LdapXCertRule.publisher=LdapCrossCertPairPublisher + ca.publish.rule.instance.LdapXCertRule.type=xcert +-cmc.cert.confirmRequired=false + cmc.popLinkWitnessRequired=false +-cmc.revokeCert.verify=true + cmc.revokeCert.sharedSecret.class=com.netscape.cms.authentication.SharedSecret + cmc.sharedSecret.class=com.netscape.cms.authentication.SharedSecret ++cmc.token=internal + cms.passwordlist=internaldb,replicationdb + cms.password.ignore.publishing.failure=true + cms.version=@APPLICATION_VERSION_MAJOR@.@APPLICATION_VERSION_MINOR@ +diff --git a/base/common/src/com/netscape/certsrv/base/SessionContext.java b/base/common/src/com/netscape/certsrv/base/SessionContext.java +index 
8bcb3c1..9323e6e 100644 +--- a/base/common/src/com/netscape/certsrv/base/SessionContext.java ++++ b/base/common/src/com/netscape/certsrv/base/SessionContext.java +@@ -56,6 +56,13 @@ public class SessionContext extends Hashtable { + * Principal name object of the signed CMC request + */ + public static final String CMC_SIGNER_PRINCIPAL = "cmcSignerPrincipal"; ++ public static final String CMC_SIGNER_INFO = "cmcSignerInfo"; ++ public static final String CMC_REQUEST_CERT_SUBJECT = "cmcRequestCertSubject"; ++ ++ /** ++ * authenticated SSL client certificate ++ */ ++ public static final String SSL_CLIENT_CERT = "sslClientCert"; + + /** + * User object of the authenticated user in the current thread. +diff --git a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java +index 2e4d6dc..6c3ee8f 100644 +--- a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java ++++ b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java +@@ -28,6 +28,7 @@ package com.netscape.cms.authentication; + import java.io.ByteArrayInputStream; + import java.io.ByteArrayOutputStream; + import java.io.IOException; ++import java.security.cert.X509Certificate; + import java.math.BigInteger; + import java.security.MessageDigest; + import java.security.PublicKey; +@@ -260,11 +261,27 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, + CMS.debug(method + "begins"); + + String auditMessage = null; +- String auditSubjectID = auditSubjectID(); ++ String auditSubjectID = getAuditSubjectID(); + String auditReqType = ILogger.UNIDENTIFIED; +- String auditCertSubject = ILogger.UNIDENTIFIED; ++ String requestCertSubject = ILogger.UNIDENTIFIED; + String auditSignerInfo = ILogger.UNIDENTIFIED; + ++ SessionContext auditContext = SessionContext.getExistingContext(); ++ ++ // create audit context if clientCert exists ++ X509Certificate clientCert = ++ 
(X509Certificate) auditContext.get(SessionContext.SSL_CLIENT_CERT); ++ // null is okay, as it is not required in case of self-sign; ++ // will be checked later ++ if (clientCert != null) { ++ try { ++ createAuditSubjectFromCert(auditContext, clientCert); ++ } catch (IOException e) { ++ //unlikely, and not necessarily required at this point ++ CMS.debug("CMSUserSignedAuth: authenticate: after createAuditSubjectFromCert call; " + e); ++ } ++ } ++ + // ensure that any low-level exceptions are reported + // to the signed audit log and stored as failures + try { +@@ -296,8 +313,6 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, + throw new EInvalidCredentials(msg); + } + +- SessionContext auditContext = SessionContext.getExistingContext(); +- + // authenticate by checking CMC. + + // everything OK. +@@ -364,13 +379,13 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, + } + // reset value of auditSignerInfo + if (uid != null && !uid.equals(ILogger.UNIDENTIFIED)) { +- CMS.debug(method + "setting auditSignerInfo to uid:" + uid.trim()); +- auditSignerInfo = uid.trim(); ++ //CMS.debug(method + "setting auditSignerInfo to uid:" + uid.trim()); ++ //auditSignerInfo = uid.trim(); + auditSubjectID = uid.trim(); + authToken.set(IAuthToken.USER_ID, auditSubjectID); + } else if (userid != null && !userid.equals(ILogger.UNIDENTIFIED)) { +- CMS.debug(method + "setting auditSignerInfo to userid:" + userid); +- auditSignerInfo = userid.trim(); ++ //CMS.debug(method + "setting auditSignerInfo to userid:" + userid); ++ //auditSignerInfo = userid.trim(); + auditSubjectID = userid.trim(); + authToken.set(IAuthToken.USER_ID, auditSubjectID); + } +@@ -538,16 +553,17 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, + } + + PKCS10 pkcs10 = new PKCS10(ostream.toByteArray(), sigver); +- // reset value of auditCertSubject ++ // reset value of requestCertSubject + X500Name tempName = pkcs10.getSubjectName(); 
+ CMS.debug(method + "request subject name=" + tempName.toString()); + if (tempName != null) { +- auditCertSubject = tempName.toString().trim(); +- if (auditCertSubject.equals("")) { +- auditCertSubject = ILogger.SIGNED_AUDIT_EMPTY_VALUE; ++ requestCertSubject = tempName.toString().trim(); ++ if (requestCertSubject.equals("")) { ++ requestCertSubject = ILogger.SIGNED_AUDIT_EMPTY_VALUE; + } + authToken.set(AuthToken.TOKEN_CERT_SUBJECT, +- auditCertSubject/*tempName.toString()*/); ++ requestCertSubject/*tempName.toString()*/); ++ auditContext.put(SessionContext.CMC_REQUEST_CERT_SUBJECT, requestCertSubject); + } + + if (selfSigned) { +@@ -632,17 +648,18 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, + // xxx do we need to do anything else? + X509CertInfo certInfo = CMS.getDefaultX509CertInfo(); + +- // reset value of auditCertSubject ++ // reset value of requestCertSubject + if (name != null) { + String ss = name.getRFC1485(); + +- CMS.debug(method + "setting auditCertSubject to: " + ss); +- auditCertSubject = ss; +- if (auditCertSubject.equals("")) { +- auditCertSubject = ILogger.SIGNED_AUDIT_EMPTY_VALUE; ++ CMS.debug(method + "setting requestCertSubject to: " + ss); ++ requestCertSubject = ss; ++ if (requestCertSubject.equals("")) { ++ requestCertSubject = ILogger.SIGNED_AUDIT_EMPTY_VALUE; + } + + authToken.set(AuthToken.TOKEN_CERT_SUBJECT, ss); ++ auditContext.put(SessionContext.CMC_REQUEST_CERT_SUBJECT, requestCertSubject); + //authToken.set("uid", uid); + //authToken.set("userid", userid); + } +@@ -696,10 +713,15 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, + + authToken.set("uid", uid); + authToken.set("userid", userid); ++ } catch (EMissingCredential e) { ++ throw e; ++ } catch (EInvalidCredentials e) { ++ throw e; + } catch (Exception e) { +- CMS.debug(method + e); ++ //CMS.debug(method + e); + //Debug.printStackTrace(e); +- throw new EInvalidCredentials(e.toString()); ++ //throw new 
EInvalidCredentials(e.toString()); ++ throw e; + } + + // For accuracy, make sure revocation by shared secret doesn't +@@ -709,11 +731,11 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS, +- auditSubjectID, ++ getAuditSubjectID(), + ILogger.SUCCESS, + auditReqType, +- auditCertSubject, +- auditSignerInfo); ++ getRequestCertSubject(auditContext), ++ getAuditSignerInfo(auditContext)); + + audit(auditMessage); + } else { +@@ -725,17 +747,6 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, + return authToken; + } catch (EMissingCredential eAudit1) { + CMS.debug(method + eAudit1); +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE, +- auditSubjectID, +- ILogger.FAILURE, +- auditReqType, +- auditCertSubject, +- auditSignerInfo, +- eAudit1.toString()); +- +- audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit1; +@@ -744,11 +755,11 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE, +- auditSubjectID, ++ getAuditSubjectID(), + ILogger.FAILURE, + auditReqType, +- auditCertSubject, +- auditSignerInfo, ++ getRequestCertSubject(auditContext), ++ getAuditSignerInfo(auditContext), + eAudit2.toString()); + + audit(auditMessage); +@@ -760,11 +771,11 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE, +- auditSubjectID, ++ getAuditSubjectID(), + ILogger.FAILURE, + auditReqType, +- auditCertSubject, +- 
auditSignerInfo, ++ getRequestCertSubject(auditContext), ++ getAuditSignerInfo(auditContext), + eAudit3.toString()); + + audit(auditMessage); +@@ -776,17 +787,17 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE, +- auditSubjectID, ++ getAuditSubjectID(), + ILogger.FAILURE, + auditReqType, +- auditCertSubject, +- auditSignerInfo, ++ getRequestCertSubject(auditContext), ++ getAuditSignerInfo(auditContext), + eAudit4.toString()); + + audit(auditMessage); + +- // rethrow the specific exception to be handled later +- throw eAudit4; ++ // rethrow the exception to be handled later ++ throw new EBaseException(eAudit4); + } + } + +@@ -935,8 +946,9 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, + SessionContext auditContext, // to capture info in case of failure + AuthToken authToken, + SignedData cmcFullReq) +- throws EBaseException { ++ throws EBaseException, EInvalidCredentials, EMissingCredential { + String method = "CMCUserSignedAuth: verifySignerInfo: "; ++ String msg = ""; + CMS.debug(method + "begins"); + EncapsulatedContentInfo ci = cmcFullReq.getContentInfo(); + OBJECT_IDENTIFIER id = ci.getContentType(); +@@ -1001,7 +1013,7 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, + if (cmcFullReq.hasCertificates()) { + SET certs = cmcFullReq.getCertificates(); + int numCerts = certs.size(); +- java.security.cert.X509Certificate[] x509Certs = new java.security.cert.X509Certificate[1]; ++ X509Certificate[] x509Certs = new X509Certificate[1]; + byte[] certByteArray = new byte[0]; + for (int j = 0; j < numCerts; j++) { + Certificate certJss = (Certificate) certs.elementAt(j); +@@ -1029,25 +1041,44 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, + } + + CMS.debug(method + "start checking signature"); +- String CN 
= null; + if (cert == null) { + // find from certDB + CMS.debug(method + "verifying signature"); + si.verify(digest, id); + } else { +- CMS.debug(method + "found signing cert... verifying"); ++ CMS.debug(method + "found CMC signing cert... verifying"); ++ ++ X509Certificate clientCert = ++ (X509Certificate) auditContext.get(SessionContext.SSL_CLIENT_CERT); ++ // user-signed case requires ssl client authentication ++ if (clientCert == null) { ++ createAuditSubjectFromCert(auditContext, x509Certs[0]); ++ msg = "missing SSL client authentication certificate;"; ++ CMS.debug(method + msg); ++ s.close(); ++ throw new EMissingCredential( ++ CMS.getUserMessage("CMS_AUTHENTICATION_NO_CERT")); ++ } ++ netscape.security.x509.X500Name clientPrincipal = ++ (X500Name) clientCert.getSubjectDN(); + +- // capture auditSubjectID first in case of failure +- netscape.security.x509.X500Name principal = ++ netscape.security.x509.X500Name cmcPrincipal = + (X500Name) x509Certs[0].getSubjectDN(); + + // capture signer principal to be checked against + // cert subject principal later in CMCOutputTemplate + // in case of user signed revocation +- auditContext.put(SessionContext.CMC_SIGNER_PRINCIPAL, principal); +- CN = principal.getCommonName(); //tempToken.get("userid"); +- CMS.debug(method + " Principal name = " + CN); +- auditContext.put(SessionContext.USER_ID, CN); ++ auditContext.put(SessionContext.CMC_SIGNER_PRINCIPAL, cmcPrincipal); ++ auditContext.put(SessionContext.CMC_SIGNER_INFO, cmcPrincipal.getCommonName()); ++ ++ // check ssl client cert against cmc signer ++ if (!clientPrincipal.equals(cmcPrincipal)) { ++ msg = "SSL client authentication certificate and CMC signer do not match"; ++ CMS.debug(method + msg); ++ s.close(); ++ throw new EInvalidCredentials( ++ CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL") + ":" + msg); ++ } + + PublicKey signKey = cert.getPublicKey(); + PrivateKey.Type keyType = null; +@@ -1064,10 +1095,11 @@ public class CMCUserSignedAuth implements 
IAuthManager, IExtendedPluginInfo, + byte publicKeyData[] = ((X509Key) signKey).getEncoded(); + pubK = PK11ECPublicKey.fromSPKI(/*keyType,*/ publicKeyData); + } else { +- CMS.debug(method + "unsupported signature algorithm: " + alg); ++ msg = "unsupported signature algorithm: " + alg; ++ CMS.debug(method + msg); + s.close(); + throw new EInvalidCredentials( +- CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); ++ CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL") + ":" + msg); + } + + String tokenName = CMS.getConfigStore().getString("ca.requestVerify.token", +@@ -1095,9 +1127,10 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, + // ...or not; I think it just checks usage and + // validity, but not revocation status + if (!cm.isCertValid(certByteArray, true, CryptoManager.CertUsage.SSLClient)) { +- CMS.debug(method + "CMC signature failed to be verified"); ++ msg = "CMC signing cert is invalid"; ++ CMS.debug(method + msg); + s.close(); +- throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); ++ throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL") + ":" + msg); + } else { + CMS.debug(method + "CMC signature verified; but signer not yet;"); + } +@@ -1105,28 +1138,28 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, + + // now check revocation status of the cert + if (CMS.isRevoked(x509Certs)) { +- CMS.debug(method + "CMC signing cert is a revoked certificate"); ++ msg = "CMC signing cert is a revoked certificate"; ++ CMS.debug(method + msg); + s.close(); +- throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); ++ throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL") + ":" + msg); + } + try { //do this again anyways + cert.checkValidity(); + } catch (CertificateExpiredException e) { +- CMS.debug(method + "CMC signing cert is an expired 
certificate"); ++ msg = "CMC signing cert is an expired certificate"; ++ CMS.debug(method + msg); + s.close(); +- throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); ++ throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL") + ":" + msg); + } catch (Exception e) { + CMS.debug(method + e.toString()); + s.close(); +- throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); ++ throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL") + ":" + e.toString()); + } + + IAuthToken tempToken = new AuthToken(null); +-/* + netscape.security.x509.X500Name tempPrincipal = (X500Name) x509Certs[0].getSubjectDN(); + String CN = tempPrincipal.getCommonName(); //tempToken.get("userid"); + CMS.debug(method + " Principal name = " + CN); +-*/ + + BigInteger certSerial = x509Certs[0].getSerialNumber(); + CMS.debug(method + " verified cert serial=" + certSerial.toString()); +@@ -1137,7 +1170,9 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, + return tempToken; + + } else { +- CMS.debug(method + "no certificate found in cmcFullReq"); ++ msg = "no certificate found in cmcFullReq"; ++ CMS.debug(method + msg); ++ throw new EMissingCredential(msg); + } + } else if (sid.getType().equals(SignerIdentifier.SUBJECT_KEY_IDENTIFIER)) { + CMS.debug(method + "SignerIdentifier type: SUBJECT_KEY_IDENTIFIER"); +@@ -1150,19 +1185,20 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, + s.close(); + return tempToken; + } else { +- CMS.debug(method + "unsupported SignerIdentifier type"); ++ msg = "unsupported SignerIdentifier type"; ++ CMS.debug(method + msg); ++ throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL") + ":" + msg); + } + } //for + ++ } catch (EMissingCredential e) { ++ throw e; ++ } catch (EInvalidCredentials e) { ++ throw e; + } catch (InvalidBERException e) { 
+- CMS.debug(method + e.toString()); +- } catch (IOException e) { +- CMS.debug(method + e.toString()); +- } catch (NotInitializedException e) { +- CMS.debug(method + e.toString()); ++ CMS.debug(method + e); + } catch (Exception e) { +- CMS.debug(method + e.toString()); +- throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); ++ CMS.debug(method + e); + } finally { + if ((tokenSwitched == true) && (savedToken != null)) { + cm.setThreadToken(savedToken); +@@ -1173,6 +1209,21 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, + + } + ++ private void createAuditSubjectFromCert ( ++ SessionContext auditContext, ++ X509Certificate cert) ++ throws IOException { ++ String method = "CMCUserSignedAuth:createAuditSubjectFromCert: "; ++ ++ // capture auditSubjectID first in case of failure ++ netscape.security.x509.X500Name principal = ++ (X500Name) cert.getSubjectDN(); ++ ++ String CN = principal.getCommonName(); ++ CMS.debug(method + " Principal name = " + CN); ++ auditContext.put(SessionContext.USER_ID, CN); ++ } ++ + public String[] getExtendedPluginInfo(Locale locale) { + return null; + } +@@ -1274,7 +1325,7 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, + * + * @return id string containing the signed audit log message SubjectID + */ +- private String auditSubjectID() { ++ private String getAuditSubjectID() { + // if no signed audit object exists, bail + if (mSignedAuditLogger == null) { + return null; +@@ -1299,4 +1350,21 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, + + return subjectID; + } ++ ++ private String getAuditSignerInfo(SessionContext auditContext) { ++ String signerSubject = (String)auditContext.get(SessionContext.CMC_SIGNER_INFO); ++ if (signerSubject == null) ++ signerSubject = "$Unidentified$"; ++ ++ return signerSubject; ++ } ++ ++ private String getRequestCertSubject(SessionContext auditContext) { ++ String certSubject = 
(String)auditContext.get(SessionContext.CMC_REQUEST_CERT_SUBJECT); ++ if (certSubject == null) ++ certSubject = "$Unidentified$"; ++ ++ return certSubject; ++ } ++ + } +diff --git a/base/server/cms/src/com/netscape/cms/profile/constraint/UniqueKeyConstraint.java b/base/server/cms/src/com/netscape/cms/profile/constraint/UniqueKeyConstraint.java +index 33cc7a9..030995a 100644 +--- a/base/server/cms/src/com/netscape/cms/profile/constraint/UniqueKeyConstraint.java ++++ b/base/server/cms/src/com/netscape/cms/profile/constraint/UniqueKeyConstraint.java +@@ -219,12 +219,14 @@ public class UniqueKeyConstraint extends EnrollConstraint { + Date origNotAfter = null; + boolean first = true; + while (e != null && e.hasMoreElements()) { ++ CMS.debug(method + msg); + ICertRecord rec = e.nextElement(); + BigInteger serial = rec.getSerialNumber(); ++ msg = msg + "existing cert with same key found: " + serial.toString() + ";"; + + if (rec.getStatus().equals(ICertRecord.STATUS_REVOKED) + || rec.getStatus().equals(ICertRecord.STATUS_REVOKED_EXPIRED)) { +- msg = msg + "revoked cert cannot be renewed: serial=" + serial.toString() + ";"; ++ msg = msg + "revoked cert cannot be renewed;"; + CMS.debug(method + msg); + rejected = true; + // this has to break +@@ -232,7 +234,7 @@ public class UniqueKeyConstraint extends EnrollConstraint { + } + if (!rec.getStatus().equals(ICertRecord.STATUS_VALID) + && !rec.getStatus().equals(ICertRecord.STATUS_EXPIRED)) { +- CMS.debug(method + "invalid cert cannot be renewed; continue:" + serial.toString()); ++ CMS.debug(method + "invalid cert cannot be renewed; continue;" + serial.toString()); + // can still find another one to renew + continue; + } +@@ -297,7 +299,7 @@ public class UniqueKeyConstraint extends EnrollConstraint { + } // (size > 0) + + if (rejected == true) { +- CMS.debug(method + " rejected"); ++ CMS.debug(method + " rejected: " + msg); + throw new ERejectException(msg); + } else { + CMS.debug(method + " approved"); +diff --git 
a/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java b/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java +index 9dc7470..65dc06a 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java +@@ -843,6 +843,10 @@ public abstract class CMSServlet extends HttpServlet { + * get ssl client authenticated certificate + */ + protected X509Certificate getSSLClientCertificate(HttpServletRequest httpReq) throws EBaseException { ++ return getSSLClientCertificate(httpReq, true); ++ } ++ ++ protected X509Certificate getSSLClientCertificate(HttpServletRequest httpReq, boolean clientCertRequired) throws EBaseException { + + X509Certificate cert = null; + +@@ -855,7 +859,11 @@ public abstract class CMSServlet extends HttpServlet { + X509Certificate[] allCerts = (X509Certificate[]) httpReq.getAttribute(CERT_ATTR); + + if (allCerts == null || allCerts.length == 0) { +- throw new EBaseException("You did not provide a valid certificate for this operation"); ++ if (!clientCertRequired) { ++ return null; ++ } else { ++ throw new EBaseException("You did not provide a valid certificate for this operation"); ++ } + } + + cert = allCerts[0]; +diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java +index 330b5ff..73195e9 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java +@@ -19,6 +19,7 @@ package com.netscape.cms.servlet.profile; + + import java.io.InputStream; + import java.io.OutputStream; ++import java.security.cert.X509Certificate; + import java.util.Enumeration; + import java.util.Locale; + +@@ -169,6 +170,12 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { + String authMgrID = 
authenticator.getName(); + SessionContext sc = SessionContext.getContext(); + ++ X509Certificate clientCert = ++ getSSLClientCertificate(request, false /*cert may not be required*/); ++ if (clientCert != null) { ++ sc.put(SessionContext.SSL_CLIENT_CERT, clientCert); ++ } ++ + try { + authToken = authenticator.authenticate(credentials); + if (sc != null) { +diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties +index 9490098..5e51440 100644 +--- a/base/server/cmsbundle/src/LogMessages.properties ++++ b/base/server/cmsbundle/src/LogMessages.properties +@@ -2208,10 +2208,10 @@ LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY_5=:[AuditEvent=CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS][SubjectID={0}][Outcome={1}][ReqType={2}][CertSubject={3}][SignerInfo={4}] User signed CMC request signature verification success +-LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE_6=:[AuditEvent=CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE][SubjectID={0}][Outcome={1}][ReqType={2}][CertSubject={3}][SignerInfo={4}][info={5}] User signed CMC request signature verification failure ++LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE_6=:[AuditEvent=CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE][SubjectID={0}][Outcome={1}][ReqType={2}][CertSubject={3}][CMCSignerInfo={4}][info={5}] User signed CMC request signature verification failure + + # LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST + # - used for TPS to TKS to get random challenge data +-- +1.8.3.1 + diff --git a/SOURCES/pki-core-CMC-id-cmc-statusInfoV2.patch b/SOURCES/pki-core-CMC-id-cmc-statusInfoV2.patch new file mode 100644 index 0000000..25d8f46 --- /dev/null +++ b/SOURCES/pki-core-CMC-id-cmc-statusInfoV2.patch 
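Review bot: In verifySignerInfo the new check that the TLS client certificate matches the CMC signer compares subject names only, `if (!clientPrincipal.equals(cmcPrincipal))`, so any certificate with the same subject DN that passes SSL client authentication is accepted as the signer, not only the certificate that produced the CMC signature. If the intent is "same certificate", compare issuer plus serial number or the DER encodings instead, e.g. `if (!java.util.Arrays.equals(clientCert.getEncoded(), x509Certs[0].getEncoded()))` with `CertificateEncodingException` handled; if subject-DN equality is the intended policy, the comment `// check ssl client cert against cmc signer` should say so explicitly. Separately, in authenticate the moved `SessionContext.getExistingContext()` result is dereferenced immediately by `auditContext.get(SessionContext.SSL_CLIENT_CERT)`, whereas ProfileSubmitCMCServlet still guards `if (sc != null)`; if the context can be absent this raises a NullPointerException before the audited try block is entered. Both methods begin and end outside the inner hunks.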
@@ -0,0 +1,1927 @@ +From 724b91a4688ca73a07c6c225e0e61e0a79073f42 Mon Sep 17 00:00:00 2001 +From: Christina Fu +Date: Fri, 16 Jun 2017 18:20:38 -0700 +Subject: [PATCH] Ticket #2616 CMC: id-cmc-statusInfo ==> id-cmc-statusInfoV2 + +This patch contains the following update: +* Structurely, CMCStatusInfo to CMCStatusInfoV2 update; no extendedFailInfo has been added at this point +* In case of EncryptedPOP, instead of returning with CMCStatus pending where + PendInfo contains the requestID, it now returns CMCStatus failed whith + responseInfo control contains the requestID. On the client side, CMCRequest + now processes the responseInfo and returns the DecryptedPOP with requestID in + the regInfo control. CMCResponse has been updated to handle the new controls + as well. +* A number of fail info codes are now being supported by the server to add + clarity to CMC failed status, including: + badMessageCheck, badRequest, unsuportedExt, badIdentity, popRequired, and popFailed. + +(cherry picked from commit 6273907e0ca36425fa30c106b7fdd28c510b1162) +--- + .../certsrv/profile/ECMCBadIdentityException.java | 54 ++++++ + .../profile/ECMCBadMessageCheckException.java | 54 ++++++ + .../certsrv/profile/ECMCBadRequestException.java | 53 +++++ + .../certsrv/profile/ECMCPopFailedException.java | 53 +++++ + .../certsrv/profile/ECMCPopRequiredException.java | 59 ++++++ + .../profile/ECMCUnsupportedExtException.java | 53 +++++ + .../src/com/netscape/cmstools/CMCRequest.java | 69 +++++-- + .../src/com/netscape/cmstools/CMCResponse.java | 36 +++- + .../netscape/cms/profile/common/EnrollProfile.java | 195 ++++++++++++------- + .../cms/servlet/common/CMCOutputTemplate.java | 216 ++++++++++++--------- + .../servlet/common/GenPendingTemplateFiller.java | 10 +- + .../servlet/profile/ProfileSubmitCMCServlet.java | 96 ++++++++- + .../netscape/cms/servlet/request/CheckRequest.java | 8 +- + base/server/cmsbundle/src/UserMessages.properties | 1 + + 14 files changed, 747 insertions(+), 210 
deletions(-) + create mode 100644 base/common/src/com/netscape/certsrv/profile/ECMCBadIdentityException.java + create mode 100644 base/common/src/com/netscape/certsrv/profile/ECMCBadMessageCheckException.java + create mode 100644 base/common/src/com/netscape/certsrv/profile/ECMCBadRequestException.java + create mode 100644 base/common/src/com/netscape/certsrv/profile/ECMCPopFailedException.java + create mode 100644 base/common/src/com/netscape/certsrv/profile/ECMCPopRequiredException.java + create mode 100644 base/common/src/com/netscape/certsrv/profile/ECMCUnsupportedExtException.java + +diff --git a/base/common/src/com/netscape/certsrv/profile/ECMCBadIdentityException.java b/base/common/src/com/netscape/certsrv/profile/ECMCBadIdentityException.java +new file mode 100644 +index 0000000..118a8ee +--- /dev/null ++++ b/base/common/src/com/netscape/certsrv/profile/ECMCBadIdentityException.java +@@ -0,0 +1,54 @@ ++// --- BEGIN COPYRIGHT BLOCK --- ++// This program is free software; you can redistribute it and/or modify ++// it under the terms of the GNU General Public License as published by ++// the Free Software Foundation; version 2 of the License. ++// ++// This program is distributed in the hope that it will be useful, ++// but WITHOUT ANY WARRANTY; without even the implied warranty of ++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++// GNU General Public License for more details. ++// ++// You should have received a copy of the GNU General Public License along ++// with this program; if not, write to the Free Software Foundation, Inc., ++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. ++// ++// (C) 2017 Red Hat, Inc. ++// All rights reserved. ++// --- END COPYRIGHT BLOCK --- ++package com.netscape.certsrv.profile; ++ ++/** ++ * This represents a profile specific exception for handling ++ * CMC badIdentity condition. ++ * The framework raises this exception when a request fails identity ++ * checks ++ *

++ * ++ * @version $Revision$, $Date$ ++ */ ++public class ECMCBadIdentityException extends EProfileException { ++ ++ /** ++ * ++ */ ++ private static final long serialVersionUID = -89147145684990870L; ++ ++ /** ++ * Creates an exception. ++ * ++ * @param msg localized message that will be ++ * displayed to end user. ++ */ ++ public ECMCBadIdentityException(String msg) { ++ super(msg); ++ } ++ ++ public ECMCBadIdentityException(Throwable cause) { ++ super(cause.getMessage(), cause); ++ } ++ ++ public ECMCBadIdentityException(String msg, Throwable cause) { ++ super(msg, cause); ++ } ++ ++} +diff --git a/base/common/src/com/netscape/certsrv/profile/ECMCBadMessageCheckException.java b/base/common/src/com/netscape/certsrv/profile/ECMCBadMessageCheckException.java +new file mode 100644 +index 0000000..fb56eb4 +--- /dev/null ++++ b/base/common/src/com/netscape/certsrv/profile/ECMCBadMessageCheckException.java +@@ -0,0 +1,54 @@ ++// --- BEGIN COPYRIGHT BLOCK --- ++// This program is free software; you can redistribute it and/or modify ++// it under the terms of the GNU General Public License as published by ++// the Free Software Foundation; version 2 of the License. ++// ++// This program is distributed in the hope that it will be useful, ++// but WITHOUT ANY WARRANTY; without even the implied warranty of ++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++// GNU General Public License for more details. ++// ++// You should have received a copy of the GNU General Public License along ++// with this program; if not, write to the Free Software Foundation, Inc., ++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. ++// ++// (C) 2017 Red Hat, Inc. ++// All rights reserved. ++// --- END COPYRIGHT BLOCK --- ++package com.netscape.certsrv.profile; ++ ++/** ++ * This represents a profile specific exception for handling ++ * CMC badMessageCheck condition. ++ * The framework raises this exception when a request fails various ++ * checks ++ *
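Review bot: The `serialVersionUID` field in the new `ECMCBadIdentityException` class carries an empty Javadoc block (`/** * */`) that documents nothing and trips Javadoc lint; the same empty block appears in ECMCBadMessageCheckException, ECMCBadRequestException, ECMCPopFailedException, ECMCPopRequiredException and ECMCUnsupportedExtException. Either drop it or replace it with a one-liner such as `/** Serialization version; bump when the class shape changes. */`. The `(Throwable cause)` constructors copy `cause.getMessage()` into the new message, which may be null when the cause has none; that is acceptable for a wrapper but worth stating in a short constructor doc. ECMCPopRequiredException's `(String msg)` constructor additionally says "Creates a defer exception", wording that looks copied from the defer exception and no longer matches the class; "Creates a popRequired exception." fits better.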

++ * ++ * @version $Revision$, $Date$ ++ */ ++public class ECMCBadMessageCheckException extends EProfileException { ++ ++ /** ++ * ++ */ ++ private static final long serialVersionUID = 1353005739159030604L; ++ ++ /** ++ * Creates an exception. ++ * ++ * @param msg localized message that will be ++ * displayed to end user. ++ */ ++ public ECMCBadMessageCheckException(String msg) { ++ super(msg); ++ } ++ ++ public ECMCBadMessageCheckException(String msg, Throwable cause) { ++ super(msg, cause); ++ } ++ ++ public ECMCBadMessageCheckException(Throwable cause) { ++ super(cause.getMessage(), cause); ++ } ++ ++} +diff --git a/base/common/src/com/netscape/certsrv/profile/ECMCBadRequestException.java b/base/common/src/com/netscape/certsrv/profile/ECMCBadRequestException.java +new file mode 100644 +index 0000000..dc4a107 +--- /dev/null ++++ b/base/common/src/com/netscape/certsrv/profile/ECMCBadRequestException.java +@@ -0,0 +1,53 @@ ++// --- BEGIN COPYRIGHT BLOCK --- ++// This program is free software; you can redistribute it and/or modify ++// it under the terms of the GNU General Public License as published by ++// the Free Software Foundation; version 2 of the License. ++// ++// This program is distributed in the hope that it will be useful, ++// but WITHOUT ANY WARRANTY; without even the implied warranty of ++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++// GNU General Public License for more details. ++// ++// You should have received a copy of the GNU General Public License along ++// with this program; if not, write to the Free Software Foundation, Inc., ++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. ++// ++// (C) 2017 Red Hat, Inc. ++// All rights reserved. ++// --- END COPYRIGHT BLOCK --- ++package com.netscape.certsrv.profile; ++ ++/** ++ * This represents a profile specific exception for handling ++ * CMC badRequest condition. ++ * The framework raises this exception when a request fails ++ *

++ * ++ * @version $Revision$, $Date$ ++ */ ++public class ECMCBadRequestException extends EProfileException { ++ ++ /** ++ * ++ */ ++ private static final long serialVersionUID = -957171725482446695L; ++ ++ /** ++ * Creates an exception. ++ * ++ * @param msg localized message that will be ++ * displayed to end user. ++ */ ++ public ECMCBadRequestException(String msg) { ++ super(msg); ++ } ++ ++ public ECMCBadRequestException(String msg, Throwable cause) { ++ super(msg, cause); ++ } ++ ++ public ECMCBadRequestException(Throwable cause) { ++ super(cause.getMessage(), cause); ++ } ++ ++} +diff --git a/base/common/src/com/netscape/certsrv/profile/ECMCPopFailedException.java b/base/common/src/com/netscape/certsrv/profile/ECMCPopFailedException.java +new file mode 100644 +index 0000000..cc87434 +--- /dev/null ++++ b/base/common/src/com/netscape/certsrv/profile/ECMCPopFailedException.java +@@ -0,0 +1,53 @@ ++// --- BEGIN COPYRIGHT BLOCK --- ++// This program is free software; you can redistribute it and/or modify ++// it under the terms of the GNU General Public License as published by ++// the Free Software Foundation; version 2 of the License. ++// ++// This program is distributed in the hope that it will be useful, ++// but WITHOUT ANY WARRANTY; without even the implied warranty of ++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++// GNU General Public License for more details. ++// ++// You should have received a copy of the GNU General Public License along ++// with this program; if not, write to the Free Software Foundation, Inc., ++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. ++// ++// (C) 2017 Red Hat, Inc. ++// All rights reserved. ++// --- END COPYRIGHT BLOCK --- ++package com.netscape.certsrv.profile; ++ ++/** ++ * This represents a profile specific exception for handling ++ * CMC popFailed condition. ++ * The framework raises this exception when a request fails POP ++ * (Proof Of Possession) check ++ *

++ * ++ * @version $Revision$, $Date$ ++ */ ++public class ECMCPopFailedException extends EProfileException { ++ ++ /** ++ * ++ */ ++ private static final long serialVersionUID = -3098694565652563197L; ++ ++ /** ++ * Creates an exception. ++ * ++ * @param msg localized message that will be ++ * displayed to end user. ++ */ ++ public ECMCPopFailedException(String msg) { ++ super(msg); ++ } ++ ++ public ECMCPopFailedException(String msg, Throwable cause) { ++ super(msg, cause); ++ } ++ ++ public ECMCPopFailedException(Throwable cause) { ++ super(cause.getMessage(), cause); ++ } ++} +diff --git a/base/common/src/com/netscape/certsrv/profile/ECMCPopRequiredException.java b/base/common/src/com/netscape/certsrv/profile/ECMCPopRequiredException.java +new file mode 100644 +index 0000000..25a7bc0 +--- /dev/null ++++ b/base/common/src/com/netscape/certsrv/profile/ECMCPopRequiredException.java +@@ -0,0 +1,59 @@ ++// --- BEGIN COPYRIGHT BLOCK --- ++// This program is free software; you can redistribute it and/or modify ++// it under the terms of the GNU General Public License as published by ++// the Free Software Foundation; version 2 of the License. ++// ++// This program is distributed in the hope that it will be useful, ++// but WITHOUT ANY WARRANTY; without even the implied warranty of ++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++// GNU General Public License for more details. ++// ++// You should have received a copy of the GNU General Public License along ++// with this program; if not, write to the Free Software Foundation, Inc., ++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. ++// ++// (C) 2017 Red Hat, Inc. ++// All rights reserved. ++// --- END COPYRIGHT BLOCK --- ++package com.netscape.certsrv.profile; ++ ++/** ++ * This represents a profile specific exception for handling ++ * CMC popRequired condition. ++ * The framework raises this exception when a request is missing POP ++ * (Proof Of Possession) ++ *

++ * A CMC request with missing POP will not be processed immediately. ++ * Round trip is required to return with CMC direct POP (DecryptedPOP) ++ * for processing the request again. ++ *

++ * ++ * @version $Revision$, $Date$ ++ */ ++public class ECMCPopRequiredException extends EProfileException { ++ ++ /** ++ * ++ */ ++ private static final long serialVersionUID = 8328983412028345364L; ++ ++ /** ++ * Creates a defer exception. ++ * ++ * @param msg localized message that will be ++ * displayed to end user. This message ++ * should indicate the reason why a request ++ * is deferred. ++ */ ++ public ECMCPopRequiredException(String msg) { ++ super(msg); ++ } ++ ++ public ECMCPopRequiredException(String msg, Throwable cause) { ++ super(msg, cause); ++ } ++ ++ public ECMCPopRequiredException(Throwable cause) { ++ super(cause.getMessage(), cause); ++ } ++} +diff --git a/base/common/src/com/netscape/certsrv/profile/ECMCUnsupportedExtException.java b/base/common/src/com/netscape/certsrv/profile/ECMCUnsupportedExtException.java +new file mode 100644 +index 0000000..b33c58a +--- /dev/null ++++ b/base/common/src/com/netscape/certsrv/profile/ECMCUnsupportedExtException.java +@@ -0,0 +1,53 @@ ++// --- BEGIN COPYRIGHT BLOCK --- ++// This program is free software; you can redistribute it and/or modify ++// it under the terms of the GNU General Public License as published by ++// the Free Software Foundation; version 2 of the License. ++// ++// This program is distributed in the hope that it will be useful, ++// but WITHOUT ANY WARRANTY; without even the implied warranty of ++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++// GNU General Public License for more details. ++// ++// You should have received a copy of the GNU General Public License along ++// with this program; if not, write to the Free Software Foundation, Inc., ++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. ++// ++// (C) 2017 Red Hat, Inc. ++// All rights reserved. ++// --- END COPYRIGHT BLOCK --- ++package com.netscape.certsrv.profile; ++ ++/** ++ * This represents a profile specific exception for handling ++ * CMC unsupportedExt condition. 
++ * The framework raises this exception when a request contains extensions ++ * that's not supported ++ *

++ * ++ * @version $Revision$, $Date$ ++ */ ++public class ECMCUnsupportedExtException extends EProfileException { ++ ++ /** ++ * ++ */ ++ private static final long serialVersionUID = -2065658791983639446L; ++ ++ /** ++ * Creates an exception. ++ * ++ * @param msg localized message that will be ++ * displayed to end user. ++ */ ++ public ECMCUnsupportedExtException(String msg) { ++ super(msg); ++ } ++ ++ public ECMCUnsupportedExtException(String msg, Throwable cause) { ++ super(msg, cause); ++ } ++ ++ public ECMCUnsupportedExtException(Throwable cause) { ++ super(cause.getMessage(), cause); ++ } ++} +diff --git a/base/java-tools/src/com/netscape/cmstools/CMCRequest.java b/base/java-tools/src/com/netscape/cmstools/CMCRequest.java +index 00e03a7..fd59aa1 100644 +--- a/base/java-tools/src/com/netscape/cmstools/CMCRequest.java ++++ b/base/java-tools/src/com/netscape/cmstools/CMCRequest.java +@@ -65,7 +65,7 @@ import org.mozilla.jss.crypto.X509Certificate; + import org.mozilla.jss.pkcs10.CertificationRequest; + import org.mozilla.jss.pkcs10.CertificationRequestInfo; + import org.mozilla.jss.pkix.cmc.CMCCertId; +-import org.mozilla.jss.pkix.cmc.CMCStatusInfo; ++import org.mozilla.jss.pkix.cmc.CMCStatusInfoV2; + import org.mozilla.jss.pkix.cmc.DecryptedPOP; + import org.mozilla.jss.pkix.cmc.EncryptedPOP; + import org.mozilla.jss.pkix.cmc.GetCert; +@@ -1609,14 +1609,15 @@ public class CMCRequest { + * + * @param prevResponse file + * @param privKey +- * @return encryptedPop and reqIdString in Object[] ++ * @return encryptedPop and reqIdOS (requestID in Octet String in Object[] + * @author cfu + */ + private static Object[] processEncryptedPopResponse( + String prevResponse) { + // the values to be returned + EncryptedPOP encryptedPop = null; +- String reqIdString = null; // capture the requestId; ++ String reqIdString = null; ++ OCTET_STRING reqIdOS = null; // capture the requestId; + + String method = "processEncryptedPopResponse: "; + System.out.println(method + " 
begins."); +@@ -1661,13 +1662,13 @@ public class CMCRequest { + TaggedAttribute taggedAttr = (TaggedAttribute) controlSequence.elementAt(i); + OBJECT_IDENTIFIER type = taggedAttr.getType(); + +- if (type.equals(OBJECT_IDENTIFIER.id_cmc_cMCStatusInfo)) { +- System.out.println(method + "Control #" + i + ": CMCStatusInfo"); ++ if (type.equals(OBJECT_IDENTIFIER.id_cmc_statusInfoV2)) { ++ System.out.println(method + "Control #" + i + ": CMCStatusInfoV2"); + System.out.println(method + " OID: " + type.toString()); + SET sts = taggedAttr.getValues(); + int numSts = sts.size(); + for (int j = 0; j < numSts; j++) { +- CMCStatusInfo cst = (CMCStatusInfo) ASN1Util.decode(CMCStatusInfo.getTemplate(), ++ CMCStatusInfoV2 cst = (CMCStatusInfoV2) ASN1Util.decode(CMCStatusInfoV2.getTemplate(), + ASN1Util.encode(sts.elementAt(j))); + SEQUENCE seq = cst.getBodyList(); + StringBuilder s = new StringBuilder(" BodyList: "); +@@ -1677,7 +1678,7 @@ public class CMCRequest { + } + System.out.println(method + s); + int st = cst.getStatus(); +- if (st != CMCStatusInfo.SUCCESS && st != CMCStatusInfo.CONFIRM_REQUIRED) { ++ if (st != CMCStatusInfoV2.SUCCESS && st != CMCStatusInfoV2.CONFIRM_REQUIRED) { + String stString = cst.getStatusString(); + if (stString != null) + System.out.println(method + " Status String: " + stString); +@@ -1685,9 +1686,22 @@ public class CMCRequest { + OtherInfo.Type t = oi.getType(); + if (t == OtherInfo.FAIL) { + System.out.println(method + " OtherInfo type: FAIL"); +- System.out.println(method +- + " not what we expected, because encryptedPOP.enable is true!!!! 
exit now"); +- System.exit(1); ++ INTEGER failInfo = oi.getFailInfo(); ++ if (failInfo == null) { ++ System.out.println(method + "failInfo null...skipping"); ++ continue; ++ } ++ ++ if (failInfo.intValue() == OtherInfo.POP_REQUIRED) { ++ System.out.println(method + " failInfo=" + ++ OtherInfo.FAIL_INFO[failInfo.intValue()]); ++ System.out.println(method + " what we expected, as decryptedPOP.enable is true;"); ++ } else { ++ System.out.println(method + "failInfo=" + ++ OtherInfo.FAIL_INFO[failInfo.intValue()]); ++ System.out.println(method + " not what we expected when encryptedPOP.enable is true;"); ++ System.exit(1); ++ } + } else if (t == OtherInfo.PEND) { + System.out.println(method + " OtherInfo type: PEND"); + PendInfo pi = oi.getPendInfo(); +@@ -1711,9 +1725,8 @@ public class CMCRequest { + System.out.println(method + "missing pendToken in response"); + System.exit(1); + } +- System.out.println(method + " what we expected, as encryptedPOP.enable is true;"); + } +- } else if (st == CMCStatusInfo.SUCCESS) { ++ } else if (st == CMCStatusInfoV2.SUCCESS) { + System.out.println(method + " Status: SUCCESS"); + System.out.println( + method + " not what we expected, because encryptedPOP.enable is true!!!! 
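Review bot: `OtherInfo.FAIL_INFO[failInfo.intValue()]` in processEncryptedPopResponse indexes a fixed table with a value taken straight from the server's response, so a failInfo outside the table's range ends the tool with an ArrayIndexOutOfBoundsException instead of the intended diagnostic; the same expression appears in the CMCResponse hunk at @@ -130,15 +131,23 @@. A bounds check keeps the message path intact: `int fi = failInfo.intValue();` then `String fiName = (fi >= 0 && fi < OtherInfo.FAIL_INFO.length) ? OtherInfo.FAIL_INFO[fi] : "unknown(" + fi + ")";` and print `fiName` in both branches. The `continue` on a null failInfo also skips the remainder of the loop body for that status entry, which is presumably intended, but a one-line comment saying so would help. processEncryptedPopResponse continues past the end of this hunk.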
exit now"); +@@ -1728,8 +1741,18 @@ public class CMCRequest { + + encryptedPop = (EncryptedPOP) (ASN1Util.decode(EncryptedPOP.getTemplate(), + ASN1Util.encode(encryptedPOPvals.elementAt(0)))); +- System.out.println(method + "encryptedPOP decoded successfully"); +- ++ System.out.println(method + " encryptedPOP decoded successfully"); ++ ++ } else if (type.equals(OBJECT_IDENTIFIER.id_cmc_responseInfo)) { ++ System.out.println(method + "Control #" + i + ": CMC ResponseInfo"); ++ SET riVals = taggedAttr.getValues(); ++ reqIdOS = (OCTET_STRING) (ASN1Util.decode(OCTET_STRING.getTemplate(), ++ ASN1Util.encode(riVals.elementAt(0)))); ++ byte[] reqIdBA = reqIdOS.toByteArray(); ++ BigInteger reqIdBI = new BigInteger(reqIdBA); ++ ++ System.out.println(method + " requestID: " + reqIdBI.toString()); ++ + } // we don't expect any other controls + } //for + } catch (Exception e) { +@@ -1738,13 +1761,13 @@ public class CMCRequest { + } + + System.out.println(method + "ends"); +- return new Object[] { encryptedPop, reqIdString }; ++ return new Object[] { encryptedPop, reqIdOS }; + } + + /** + * constructDecryptedPopRequest constructs request PKIData for DecryptedPOP + * +- * @param encryptedPopInfo {EncryptedPOP, reqIdString} ++ * @param encryptedPopInfo {EncryptedPOP, reqIdOS} + * @param privKey + * @return request PKIData + * @author cfu +@@ -1764,8 +1787,8 @@ public class CMCRequest { + } + + EncryptedPOP encryptedPop = (EncryptedPOP) encryptedPopInfo[0]; +- String reqIdString = (String) encryptedPopInfo[1]; +- if ((encryptedPop == null) || (reqIdString == null)) { ++ OCTET_STRING reqIdOS = (OCTET_STRING) encryptedPopInfo[1]; ++ if ((encryptedPop == null) || (reqIdOS == null)) { + System.out.println(method + "encryptedPopInfo content encryptedPop and reqIdString cannot be null"); + System.exit(1); + } +@@ -1851,7 +1874,8 @@ public class CMCRequest { + int bpid = 1; + // now construct DecryptedPOP + System.out.println(method + "constructing DecryptedPOP..."); +- decryptedPop = 
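Review bot: `new BigInteger(reqIdBA)` in the new id_cmc_responseInfo branch decodes the octet string as a signed two's-complement value, so a request id whose first octet is 0x80 or higher prints as a negative number unless the server always emits a leading 0x00 byte; the server-side encoding in CMCOutputTemplate is not in this chunk, so I cannot confirm which it is. `new BigInteger(1, reqIdBA)` is correct for either encoding of a non-negative id; the same construction appears in the CMCResponse hunk at @@ -224,8 +233,17 @@ and in EnrollProfile.verifyDecryptedPOP at @@ -1056,34 +1111,28 @@, where the server decodes the octets it gets back in regInfo. `riVals.elementAt(0)` also assumes the control carries at least one value; an empty SET lands in the generic `catch (Exception e)` below rather than producing a specific message.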
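Review bot: The null-check message in constructDecryptedPopRequest still reads "encryptedPopInfo content encryptedPop and reqIdString cannot be null" although the field is now `reqIdOS`; the string should be updated to `"encryptedPopInfo content encryptedPop and reqIdOS cannot be null"`. The `String reqIdString = null;` declared in the @@ -1609 hunk of processEncryptedPopResponse is no longer assigned or read and can be dropped. That method's `@return` Javadoc was also left with an unbalanced parenthesis, "reqIdOS (requestID in Octet String in Object[]".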
new DecryptedPOP(new INTEGER(reqIdString), thePOPAlgID, new OCTET_STRING(popProofValue)); ++ ++ decryptedPop = new DecryptedPOP(new INTEGER(bpid++), thePOPAlgID, new OCTET_STRING(popProofValue)); + System.out.println(method + "DecryptedPOP constructed successfully"); + System.out.println(method + "adding decryptedPop control"); + TaggedAttribute decPop = new TaggedAttribute(new INTEGER(bpid++), +@@ -1865,6 +1889,13 @@ public class CMCRequest { + controlSeq.addElement(decPop); + System.out.println(method + "decryptedPop control added"); + ++ TaggedAttribute reqIdTA = ++ new TaggedAttribute(new INTEGER(bpid++), ++ OBJECT_IDENTIFIER.id_cmc_regInfo, ++ reqIdOS); ++ controlSeq.addElement(reqIdTA); ++ System.out.println(method + "regInfo control added"); ++ + SEQUENCE otherMsgSeq = new SEQUENCE(); + + pkidata = new PKIData(controlSeq, reqSequence, new SEQUENCE(), otherMsgSeq); +diff --git a/base/java-tools/src/com/netscape/cmstools/CMCResponse.java b/base/java-tools/src/com/netscape/cmstools/CMCResponse.java +index 4c74934..5224de8 100644 +--- a/base/java-tools/src/com/netscape/cmstools/CMCResponse.java ++++ b/base/java-tools/src/com/netscape/cmstools/CMCResponse.java +@@ -19,6 +19,7 @@ package com.netscape.cmstools; + + import java.io.ByteArrayInputStream; + import java.io.FileInputStream; ++import java.math.BigInteger; + import java.text.SimpleDateFormat; + import java.util.Date; + import java.util.Locale; +@@ -33,7 +34,7 @@ import org.mozilla.jss.asn1.OCTET_STRING; + import org.mozilla.jss.asn1.SEQUENCE; + import org.mozilla.jss.asn1.SET; + import org.mozilla.jss.pkix.cert.Certificate; +-import org.mozilla.jss.pkix.cmc.CMCStatusInfo; ++import org.mozilla.jss.pkix.cmc.CMCStatusInfoV2; + import org.mozilla.jss.pkix.cmc.EncryptedPOP; + import org.mozilla.jss.pkix.cmc.OtherInfo; + import org.mozilla.jss.pkix.cmc.PendInfo; +@@ -113,13 +114,13 @@ public class CMCResponse { + TaggedAttribute taggedAttr = (TaggedAttribute) controlSequence.elementAt(i); + OBJECT_IDENTIFIER 
type = taggedAttr.getType(); + +- if (type.equals(OBJECT_IDENTIFIER.id_cmc_cMCStatusInfo)) { +- System.out.println("Control #" + i + ": CMCStatusInfo"); ++ if (type.equals(OBJECT_IDENTIFIER.id_cmc_statusInfoV2)) { ++ System.out.println("Control #" + i + ": CMCStatusInfoV2"); + System.out.println(" OID: " + type.toString()); + SET sts = taggedAttr.getValues(); + int numSts = sts.size(); + for (int j = 0; j < numSts; j++) { +- CMCStatusInfo cst = (CMCStatusInfo) ASN1Util.decode(CMCStatusInfo.getTemplate(), ++ CMCStatusInfoV2 cst = (CMCStatusInfoV2) ASN1Util.decode(CMCStatusInfoV2.getTemplate(), + ASN1Util.encode(sts.elementAt(j))); + SEQUENCE seq = cst.getBodyList(); + +@@ -130,15 +131,23 @@ public class CMCResponse { + } + System.out.println(s); + int st = cst.getStatus(); +- if (st != CMCStatusInfo.SUCCESS && st != CMCStatusInfo.CONFIRM_REQUIRED) { ++ if (st != CMCStatusInfoV2.SUCCESS && st != CMCStatusInfoV2.CONFIRM_REQUIRED) { + String stString = cst.getStatusString(); + if (stString != null) + System.out.println(" Status String: " + stString); + OtherInfo oi = cst.getOtherInfo(); + OtherInfo.Type t = oi.getType(); +- if (t == OtherInfo.FAIL) ++ if (t == OtherInfo.FAIL) { + System.out.println(" OtherInfo type: FAIL"); +- else if (t == OtherInfo.PEND) { ++ INTEGER failInfo = oi.getFailInfo(); ++ if (failInfo == null) { ++ System.out.println("failInfo null...skipping"); ++ continue; ++ } ++ ++ System.out.println(" failInfo=" + ++ OtherInfo.FAIL_INFO[failInfo.intValue()]); ++ } else if (t == OtherInfo.PEND) { + System.out.println(" OtherInfo type: PEND"); + PendInfo pi = oi.getPendInfo(); + if (pi == null) { +@@ -163,7 +172,7 @@ public class CMCResponse { + } + + } +- } else if (st == CMCStatusInfo.SUCCESS) { ++ } else if (st == CMCStatusInfoV2.SUCCESS) { + System.out.println(" Status: SUCCESS"); + } + } +@@ -224,8 +233,17 @@ public class CMCResponse { + EncryptedPOP encryptedPOP = + (EncryptedPOP) (ASN1Util.decode(EncryptedPOP.getTemplate(), + 
ASN1Util.encode(encryptedPOPvals.elementAt(0)))); +- System.out.println("after encryptedPOP encode"); ++ System.out.println(" encryptedPOP decoded"); ++ ++ } else if (type.equals(OBJECT_IDENTIFIER.id_cmc_responseInfo)) { ++ System.out.println("Control #" + i + ": CMC ResponseInfo"); ++ SET riVals = taggedAttr.getValues(); ++ OCTET_STRING reqIdOS = (OCTET_STRING) (ASN1Util.decode(OCTET_STRING.getTemplate(), ++ ASN1Util.encode(riVals.elementAt(0)))); ++ byte[] reqIdBA = reqIdOS.toByteArray(); ++ BigInteger reqIdBI = new BigInteger(reqIdBA); + ++ System.out.println(" requestID: " + reqIdBI.toString()); + } + } + } catch (Exception e) { +diff --git a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java +index 74da8e7..8f3e986 100644 +--- a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java ++++ b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java +@@ -84,6 +84,12 @@ import com.netscape.certsrv.base.SessionContext; + import com.netscape.certsrv.ca.ICertificateAuthority; + import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.ILogger; ++import com.netscape.certsrv.profile.ECMCBadIdentityException; ++import com.netscape.certsrv.profile.ECMCBadMessageCheckException; ++import com.netscape.certsrv.profile.ECMCBadRequestException; ++import com.netscape.certsrv.profile.ECMCPopFailedException; ++import com.netscape.certsrv.profile.ECMCPopRequiredException; ++import com.netscape.certsrv.profile.ECMCUnsupportedExtException; + import com.netscape.certsrv.profile.EDeferException; + import com.netscape.certsrv.profile.EProfileException; + import com.netscape.certsrv.profile.ERejectException; +@@ -550,7 +556,7 @@ public abstract class EnrollProfile extends BasicProfile + throw new EProfileException(msg); + } + +- throw new EDeferException("EnrollProfile: submit: encryptedPOP defer request"); ++ throw new 
ECMCPopRequiredException(" Return with DecryptedPOP to complete"); + + } else { + // this profile executes request that is authenticated +@@ -726,6 +732,8 @@ public abstract class EnrollProfile extends BasicProfile + TaggedAttribute[] attributes = new TaggedAttribute[numcontrols]; + boolean id_cmc_decryptedPOP = false; + SET decPopVals = null; ++ boolean id_cmc_regInfo = false; ++ SET reqIdVals = null; + + boolean id_cmc_identification = false; + SET ident = null; +@@ -756,6 +764,10 @@ public abstract class EnrollProfile extends BasicProfile + CMS.debug(method + " id_cmc_decryptedPOP found"); + id_cmc_decryptedPOP = true; + decPopVals = attributes[i].getValues(); ++ } else if (oid.equals(OBJECT_IDENTIFIER.id_cmc_regInfo)) { ++ CMS.debug(method + "id_cmc_regInfo found"); ++ id_cmc_regInfo = true; ++ reqIdVals = attributes[i].getValues(); + } else if (oid.equals(OBJECT_IDENTIFIER.id_cmc_identification)) { + CMS.debug(method + " id_cmc_identification found"); + id_cmc_identification = true; +@@ -796,11 +808,10 @@ public abstract class EnrollProfile extends BasicProfile + + msg = " id_cmc_identification attribute value not found in"; + CMS.debug(method + msg); +-/* +- throw new EProfileException( +- CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST") + ++ ++ throw new ECMCBadRequestException( ++ CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST") + ":" + + msg); +-*/ + } else { + ident_s = (UTF8String) (ASN1Util.decode(UTF8String.getTemplate(), + ASN1Util.encode(ident.elementAt(0)))); +@@ -812,11 +823,11 @@ public abstract class EnrollProfile extends BasicProfile + context.put("identification", bpids); + + CMS.debug(method + msg); +-/* +- throw new EProfileException( +- CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST") + ++ ++ throw new ECMCBadRequestException( ++ CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST") + ":" + + msg); +-*/ ++ + } + } + +@@ -850,8 +861,8 @@ public abstract class EnrollProfile extends BasicProfile + method + msg); + 
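Review bot: The message passed to the new `ECMCPopRequiredException` is a hard-coded literal with a leading space, while every other throw visible in this file builds its text through `CMS.getUserMessage(locale, ...)`. Since this text travels back to the client in the CMC status, it would be more consistent to add a user-message key for it (the diffstat shows UserMessages.properties is already touched by this patch) and throw `new ECMCPopRequiredException(CMS.getUserMessage(locale, "<new key>"))`. The enclosing method starts before this hunk.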
audit(auditMessage); + +- throw new EProfileException( +- CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST") + ++ throw new ECMCBadIdentityException( ++ CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST") + ":" + + msg); + } + +@@ -863,7 +874,7 @@ public abstract class EnrollProfile extends BasicProfile + + msg = " after verifyIdentityProofV2"; + CMS.debug(method + msg); +- throw new EProfileException(CMS.getUserMessage(locale, ++ throw new ECMCBadIdentityException(CMS.getUserMessage(locale, + "CMS_POI_VERIFICATION_ERROR") + msg); + } else { + CMS.debug(method + "passed verifyIdentityProofV2; Proof of Identity successful;"); +@@ -878,7 +889,7 @@ public abstract class EnrollProfile extends BasicProfile + + msg = " after verifyIdentityProof"; + CMS.debug(method + msg); +- throw new EProfileException(CMS.getUserMessage(locale, ++ throw new ECMCBadIdentityException(CMS.getUserMessage(locale, + "CMS_POI_VERIFICATION_ERROR") + msg); + } else { + CMS.debug(method + "passed verifyIdentityProof; Proof of Identity successful;"); +@@ -894,20 +905,53 @@ public abstract class EnrollProfile extends BasicProfile + ILogger.FAILURE, + method + msg); + audit(auditMessage); +- throw new EProfileException(CMS.getUserMessage(locale, +- "CMS_POI_VERIFICATION_ERROR") + ":" + method + msg); ++ throw new ECMCBadRequestException(CMS.getUserMessage(locale, ++ "CMS_POI_VERIFICATION_ERROR") + ":" + msg); + } + + if (id_cmc_decryptedPOP) { + if (decPopVals != null) { ++ if (!id_cmc_regInfo) { ++ msg = "id_cmc_decryptedPOP must be accompanied by id_cmc_regInfo for request id per server/client agreement"; ++ CMS.debug(method + msg); ++ auditMessage = CMS.getLogMessage( ++ AuditEvent.PROOF_OF_POSSESSION, ++ auditSubjectID, ++ ILogger.FAILURE, ++ method + msg); ++ audit(auditMessage); ++ ++ SEQUENCE bpids = getRequestBpids(reqSeq); ++ context.put("decryptedPOP", bpids); ++ throw new ECMCPopFailedException(CMS.getUserMessage(locale, ++ "CMS_POP_VERIFICATION_ERROR") + ":" + msg); ++ } ++ 
++ OCTET_STRING reqIdOS = ++ (OCTET_STRING) (ASN1Util.decode(OCTET_STRING.getTemplate(), ++ ASN1Util.encode(reqIdVals.elementAt(0)))); + + DecryptedPOP decPop = (DecryptedPOP) (ASN1Util.decode(DecryptedPOP.getTemplate(), + ASN1Util.encode(decPopVals.elementAt(0)))); + CMS.debug(method + "DecryptedPOP encoded"); + +- Integer reqId = verifyDecryptedPOP(locale, decPop); ++ BigInteger reqId = verifyDecryptedPOP(locale, decPop, reqIdOS); + if (reqId != null) { + context.put("cmcDecryptedPopReqId", reqId); ++ } else { ++ msg = "DecryptedPOP failed to verify"; ++ CMS.debug(method + msg); ++ auditMessage = CMS.getLogMessage( ++ AuditEvent.PROOF_OF_POSSESSION, ++ auditSubjectID, ++ ILogger.FAILURE, ++ method + msg); ++ audit(auditMessage); ++ ++ SEQUENCE bpids = getRequestBpids(reqSeq); ++ context.put("decryptedPOP", bpids); ++ throw new ECMCPopFailedException(CMS.getUserMessage(locale, ++ "CMS_POP_VERIFICATION_ERROR") + ":" + msg); + } + } else { //decPopVals == null + msg = "id_cmc_decryptedPOP contains invalid DecryptedPOP"; +@@ -915,12 +959,14 @@ public abstract class EnrollProfile extends BasicProfile + auditMessage = CMS.getLogMessage( + AuditEvent.PROOF_OF_POSSESSION, + auditSubjectID, +- ILogger.SUCCESS, ++ ILogger.FAILURE, + method + msg); + audit(auditMessage); + + SEQUENCE bpids = getRequestBpids(reqSeq); + context.put("decryptedPOP", bpids); ++ throw new ECMCPopFailedException(CMS.getUserMessage(locale, ++ "CMS_POP_VERIFICATION_ERROR") + ":" + msg); + } + + // decryptedPOP is expected to return null; +@@ -967,9 +1013,9 @@ public abstract class EnrollProfile extends BasicProfile + } + } catch (Exception e) { + // unlikely to get here +- msg = method + " Failed to retrieve cmc.popLinkWitnessRequired"; +- CMS.debug(msg); +- throw new EProfileException(method + msg); ++ msg = " Failed to retrieve cmc.popLinkWitnessRequired"; ++ CMS.debug(method + msg); ++ throw new EProfileException( msg); + } + + int nummsgs = reqSeq.size(); +@@ -988,7 +1034,7 @@ public abstract 
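Review bot: `reqIdVals.elementAt(0)` in the decryptedPOP branch of EnrollProfile assumes the id_cmc_regInfo control carries at least one value; `id_cmc_regInfo` is set whenever the OID is present, so an empty SET throws an unchecked exception from the decode instead of going through the audited ECMCPopFailedException path used just above for the missing-control case. Extending that guard to `if (!id_cmc_regInfo || reqIdVals == null || reqIdVals.size() == 0) {` covers it with no new branch. The request id used to look up the pending request now comes from the client-supplied regInfo control rather than from the DecryptedPOP body part id, so the binding between the POP and the stored request rests entirely on the witness comparison inside verifyDecryptedPOP; that comparison is outside this chunk, so I could only confirm the lookup, not the check. The enclosing method starts before this hunk.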
class EnrollProfile extends BasicProfile + !context.containsKey("POPLinkWitness")) { + CMS.debug(method + "popLinkWitness(V2) required"); + if (randomSeed == null || ident_s == null) { +- msg = "no randomSeed or identification found needed for popLinkWitness(V2)"; ++ msg = "missing needed randomSeed or identification for popLinkWitness(V2)"; + CMS.debug(method + msg); + auditMessage = CMS.getLogMessage( + AuditEvent.CMC_ID_POP_LINK_WITNESS, +@@ -998,7 +1044,8 @@ public abstract class EnrollProfile extends BasicProfile + audit(auditMessage); + + context.put("POPLinkWitnessV2", bpids); +- return null; ++ throw new ECMCBadRequestException(CMS.getUserMessage(locale, ++ "CMS_POP_LINK_WITNESS_VERIFICATION_ERROR") + ":" + msg); + } + + // verifyPOPLinkWitness() will determine if this is +@@ -1021,8 +1068,8 @@ public abstract class EnrollProfile extends BasicProfile + ILogger.FAILURE, + method + msg); + audit(auditMessage); +- throw new EProfileException(CMS.getUserMessage(locale, +- "CMS_POP_LINK_WITNESS_VERIFICATION_ERROR") + msg); ++ throw new ECMCBadRequestException(CMS.getUserMessage(locale, ++ "CMS_POP_LINK_WITNESS_VERIFICATION_ERROR") + ":" + msg); + } else { + msg = ": ident_s=" + ident_s; + auditMessage = CMS.getLogMessage( +@@ -1041,6 +1088,14 @@ public abstract class EnrollProfile extends BasicProfile + + CMS.debug(method + "ends"); + return msgs; ++ } catch (ECMCBadMessageCheckException e) { ++ throw new ECMCBadMessageCheckException(e); ++ } catch (ECMCBadIdentityException e) { ++ throw new ECMCBadIdentityException(e); ++ } catch (ECMCPopFailedException e) { ++ throw new ECMCPopFailedException(e); ++ } catch (ECMCBadRequestException e) { ++ throw new ECMCBadRequestException(e); + } catch (EProfileException e) { + throw new EProfileException(e); + } catch (Exception e) { +@@ -1056,34 +1111,28 @@ public abstract class EnrollProfile extends BasicProfile + * + * @author cfu + */ +- private Integer verifyDecryptedPOP(Locale locale, DecryptedPOP decPop) +- throws 
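Review bot: The four new catch clauses in the `@@ -1041,6 +1088,14 @@` hunk each construct a fresh exception of the same type around the one just caught; their only visible purpose is to keep the existing `catch (EProfileException e)` below from flattening the ECMC* subtype, which presumes those types extend EProfileException (the throws clauses elsewhere in this patch point the same way). Re-wrapping adds a frame and, depending on what the `(Exception)` constructor does with the message, may replace the user-facing text built at the throw sites with `e.toString()`. If callers do not depend on the wrapped form, a single `catch (EProfileException e) { throw e; }` in place of all five clauses keeps both the subtype and the original message. The enclosing method starts before this hunk.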
EProfileException { ++ private BigInteger verifyDecryptedPOP(Locale locale, ++ DecryptedPOP decPop, ++ OCTET_STRING reqIdOS) ++ throws EProfileException, ECMCPopFailedException { + String method = "EnrollProfile: verifyDecryptedPOP: "; + CMS.debug(method + "begins"); + String msg = ""; + +- if (decPop == null) { ++ if (decPop == null || reqIdOS == null) { + CMS.debug(method + "method parameters cannot be null"); + return null; + } + +- // iBody contains the request id +- INTEGER iBody = decPop.getBodyPartID(); +- if (iBody == null) { +- msg = method + "iBody null after decPop.getBodyPartID"; +- CMS.debug(msg); +- return null; +- } +- CMS.debug(method + "request id from decryptedPOP =" + +- iBody.toString()); +- Integer reqId = new Integer(iBody.toString()); ++ byte[] reqIdBA = reqIdOS.toByteArray(); ++ BigInteger reqIdBI = new BigInteger(reqIdBA); + + OCTET_STRING witness_os = decPop.getWitness(); + + IRequestQueue reqQueue = getRequestQueue(); + IRequest req = null; + try { +- req = reqQueue.findRequest(new RequestId(reqId)); ++ req = reqQueue.findRequest(new RequestId(reqIdBI)); + } catch (Exception e) { + msg = method + "after findRequest: " + e; + CMS.debug(msg); +@@ -1095,7 +1144,7 @@ public abstract class EnrollProfile extends BasicProfile + if (pop_encryptedData == null) { + msg = method + + "pop_encryptedData not found in request:" + +- reqId.toString(); ++ reqIdBI.toString(); + CMS.debug(msg); + return null; + } +@@ -1104,7 +1153,7 @@ public abstract class EnrollProfile extends BasicProfile + if (pop_sysPubEncryptedSession == null) { + msg = method + + "pop_sysPubEncryptedSession not found in request:" + +- reqId.toString(); ++ reqIdBI.toString(); + CMS.debug(msg); + return null; + } +@@ -1113,7 +1162,7 @@ public abstract class EnrollProfile extends BasicProfile + if (cmc_msg == null) { + msg = method + + "cmc_msg not found in request:" + +- reqId.toString(); ++ reqIdBI.toString(); + CMS.debug(msg); + return null; + } +@@ -1185,8 +1234,8 @@ public abstract 
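Review bot: `new BigInteger(reqIdBA)` in verifyDecryptedPOP throws NumberFormatException when the OCTET STRING is empty, and because it sits above the `try` around `findRequest` that exception leaves the method instead of producing the `return null` the other parameter checks use (the caller turns null into ECMCPopFailedException). A length check next to the null check closes the gap: `if (decPop == null || reqIdOS == null || reqIdOS.toByteArray().length == 0) {`. The two's-complement `BigInteger(byte[])` decoding matches the `toBigInteger().toByteArray()` used to emit the id in CMCOutputTemplate, so that side is consistent; the id is client-supplied, so whether `findRequest` tolerates a negative or oversized value and the later `req == null` handling covers it is worth confirming in the code after the hunk.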
class EnrollProfile extends BasicProfile + return null; + } + } catch (Exception e) { +- msg = method + e; +- CMS.debug(msg); ++ msg = e.toString(); ++ CMS.debug(method + msg); + throw new EProfileException( + CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST") + + e); +@@ -1198,7 +1247,7 @@ public abstract class EnrollProfile extends BasicProfile + CMS.debug(method + "cmc_POPchallengeRequired set back to false"); + CMS.debug(method + "ends"); + +- return reqId; ++ return reqIdBI; + } + + /** +@@ -1645,7 +1694,9 @@ public abstract class EnrollProfile extends BasicProfile + "method=" + method); + audit(auditMessage); + } else { +- throw new EBaseException("failed to verify"); ++ msg = "IdentityProofV2 failed to verify"; ++ CMS.debug(method + msg); ++ throw new EBaseException(msg); + } + return verified; + } catch (Exception e) { +@@ -1677,28 +1728,28 @@ public abstract class EnrollProfile extends BasicProfile + return false; + } + +- String token = tokenClass.getSharedToken(mCMCData); +- OCTET_STRING ostr = null; +- try { +- ostr = (OCTET_STRING) (ASN1Util.decode(OCTET_STRING.getTemplate(), +- ASN1Util.encode(vals.elementAt(0)))); +- } catch (InvalidBERException e) { +- CMS.debug(method + "Failed to decode the byte value."); +- return false; +- } +- byte[] b = ostr.toByteArray(); +- byte[] text = ASN1Util.encode(reqSeq); ++ String token = tokenClass.getSharedToken(mCMCData); ++ OCTET_STRING ostr = null; ++ try { ++ ostr = (OCTET_STRING) (ASN1Util.decode(OCTET_STRING.getTemplate(), ++ ASN1Util.encode(vals.elementAt(0)))); ++ } catch (InvalidBERException e) { ++ CMS.debug(method + "Failed to decode the byte value."); ++ return false; ++ } ++ byte[] b = ostr.toByteArray(); ++ byte[] text = ASN1Util.encode(reqSeq); + +- verified = verifyDigest(token.getBytes(), text, b); +- if (verified) {// update auditSubjectID +- //placeholder. 
Should probably just disable this v1 method +- } +- return verified; ++ verified = verifyDigest(token.getBytes(), text, b); ++ if (verified) {// update auditSubjectID ++ //placeholder. Should probably just disable this v1 method ++ } ++ return verified; + } + + public void fillTaggedRequest(Locale locale, TaggedRequest tagreq, X509CertInfo info, + IRequest req) +- throws EProfileException { ++ throws EProfileException, ECMCPopFailedException, ECMCBadRequestException { + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + +@@ -1832,7 +1883,7 @@ public abstract class EnrollProfile extends BasicProfile + fillCertReqMsg(locale, crm, info, req); + } else { + CMS.debug(method + " unsupported type (not CRMF or PKCS10)"); +- throw new EProfileException( ++ throw new ECMCBadRequestException( + CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST")); + } + } +@@ -1951,7 +2002,7 @@ public abstract class EnrollProfile extends BasicProfile + + public void fillCertReqMsg(Locale locale, CertReqMsg certReqMsg, X509CertInfo info, + IRequest req) +- throws EProfileException { ++ throws EProfileException, ECMCUnsupportedExtException { + String method = "EnrollProfile: fillCertReqMsg: "; + try { + CMS.debug(method + "Start parseCertReqMsg "); +@@ -2111,7 +2162,7 @@ public abstract class EnrollProfile extends BasicProfile + } catch (IOException e) { + CMS.debug("EnrollProfile: Unable to fill certificate request message: " + e); + CMS.debug(e); +- throw new EProfileException( ++ throw new ECMCUnsupportedExtException( + CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST"), e); + } catch (InvalidKeyException e) { + CMS.debug("EnrollProfile: Unable to fill certificate request message: " + e); +@@ -2175,7 +2226,7 @@ public abstract class EnrollProfile extends BasicProfile + } + + public void fillPKCS10(Locale locale, PKCS10 pkcs10, X509CertInfo info, IRequest req) +- throws EProfileException { ++ throws EProfileException, ECMCUnsupportedExtException { + String 
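Review bot: Every IOException out of the CRMF parsing in the `@@ -2111,7 +2162,7 @@` hunk (and the PKCS #10 path in the `@@ -2234` hunk below) is now reported as ECMCUnsupportedExtException, which names a narrower condition than a generic parse failure; unless the IOException here can only come from an unrecognised extension, a truncated or malformed request will be labelled as an unsupported extension. Note also that `fillTaggedRequest` in the `@@ -1677` hunk calls `fillCertReqMsg` without listing ECMCUnsupportedExtException in its throws clause, so the type must be a subtype of one of the declared exceptions, and the servlet's new catch chain maps it to a dedicated failInfo only if it subclasses one of the four caught there; otherwise the client sees INTERNAL_CA_ERROR. A comment at the throw such as `// IOException here is treated as an extension we cannot parse` would document the assumption either way.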
method = "EnrollProfile: fillPKCS10: "; + CMS.debug(method + "begins"); + X509Key key = pkcs10.getSubjectPublicKeyInfo(); +@@ -2234,7 +2285,7 @@ public abstract class EnrollProfile extends BasicProfile + CMS.debug(method + "Finish parsePKCS10 - " + pkcs10.getSubjectName()); + } catch (IOException e) { + CMS.debug(method + "Unable to fill PKCS #10: " + e); +- throw new EProfileException( ++ throw new ECMCUnsupportedExtException( + CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST"), e); + } catch (CertificateException e) { + CMS.debug(method + "Unable to fill PKCS #10: " + e); +@@ -2582,7 +2633,7 @@ public abstract class EnrollProfile extends BasicProfile + * verifyPOP - CRMF POP verification for signing keys + */ + public void verifyPOP(Locale locale, CertReqMsg certReqMsg) +- throws EProfileException { ++ throws EProfileException, ECMCPopFailedException { + String method = "EnrollProfile: verifyPOP: "; + CMS.debug(method + "for signing keys begins."); + +@@ -2628,11 +2679,11 @@ public abstract class EnrollProfile extends BasicProfile + } + + private void popFailed(Locale locale, String auditSubjectID, String msg) +- throws EProfileException { ++ throws EProfileException, ECMCPopFailedException { + popFailed(locale, auditSubjectID, msg, null); + } + private void popFailed(Locale locale, String auditSubjectID, String msg, Exception e) +- throws EProfileException { ++ throws EProfileException, ECMCPopFailedException { + + if (e != null) + msg = msg + e.toString(); +@@ -2645,10 +2696,10 @@ public abstract class EnrollProfile extends BasicProfile + audit(auditMessage); + + if (e != null) { +- throw new EProfileException(CMS.getUserMessage(locale, ++ throw new ECMCPopFailedException(CMS.getUserMessage(locale, + "CMS_POP_VERIFICATION_ERROR"), e); + } else { +- throw new EProfileException(CMS.getUserMessage(locale, ++ throw new ECMCPopFailedException(CMS.getUserMessage(locale, + "CMS_POP_VERIFICATION_ERROR")); + } + } +diff --git 
a/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java b/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java +index 067dce7..1e509d3 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java +@@ -49,7 +49,7 @@ import org.mozilla.jss.crypto.SignatureAlgorithm; + import org.mozilla.jss.pkcs11.PK11PubKey; + import org.mozilla.jss.pkix.cert.Certificate; + import org.mozilla.jss.pkix.cmc.CMCCertId; +-import org.mozilla.jss.pkix.cmc.CMCStatusInfo; ++import org.mozilla.jss.pkix.cmc.CMCStatusInfoV2; + import org.mozilla.jss.pkix.cmc.EncryptedPOP; + import org.mozilla.jss.pkix.cmc.GetCert; + import org.mozilla.jss.pkix.cmc.OtherInfo; +@@ -117,13 +117,13 @@ public class CMCOutputTemplate { + + int bpid = 1; + OtherInfo otherInfo = new OtherInfo(OtherInfo.FAIL, +- new INTEGER(code), null); +- CMCStatusInfo cmcStatusInfo = new CMCStatusInfo( +- new INTEGER(CMCStatusInfo.FAILED), ++ new INTEGER(code), null, null); ++ CMCStatusInfoV2 cmcStatusInfoV2 = new CMCStatusInfoV2( ++ new INTEGER(CMCStatusInfoV2.FAILED), + bpids, s, otherInfo); + TaggedAttribute tagattr = new TaggedAttribute( + new INTEGER(bpid++), +- OBJECT_IDENTIFIER.id_cmc_cMCStatusInfo, cmcStatusInfo); ++ OBJECT_IDENTIFIER.id_cmc_statusInfoV2, cmcStatusInfoV2); + controlSeq.addElement(tagattr); + + try { +@@ -166,6 +166,7 @@ public class CMCOutputTemplate { + // in rfc 2797: body list value is 1 + int bpid = 1; + SEQUENCE pending_bpids = null; ++ SEQUENCE popRequired_bpids = null; + SEQUENCE success_bpids = null; + SEQUENCE failed_bpids = null; + if (cert_request_type.equals("crmf") || +@@ -175,23 +176,24 @@ public class CMCOutputTemplate { + if (error_codes[0] == 2) { + PendInfo pendInfo = new PendInfo(reqId, new Date()); + otherInfo = new OtherInfo(OtherInfo.PEND, null, +- pendInfo); ++ pendInfo, null); + } else { + otherInfo = new OtherInfo(OtherInfo.FAIL, +- 
new INTEGER(OtherInfo.BAD_REQUEST), null); ++ new INTEGER(OtherInfo.BAD_REQUEST), null, null); + } + + SEQUENCE bpids = new SEQUENCE(); + bpids.addElement(new INTEGER(1)); +- CMCStatusInfo cmcStatusInfo = new CMCStatusInfo(CMCStatusInfo.PENDING, ++ CMCStatusInfoV2 cmcStatusInfoV2 = new CMCStatusInfoV2(CMCStatusInfoV2.PENDING, + bpids, (String) null, otherInfo); + TaggedAttribute tagattr = new TaggedAttribute( + new INTEGER(bpid++), +- OBJECT_IDENTIFIER.id_cmc_cMCStatusInfo, cmcStatusInfo); ++ OBJECT_IDENTIFIER.id_cmc_statusInfoV2, cmcStatusInfoV2); + controlSeq.addElement(tagattr); + } else if (cert_request_type.equals("cmc")) { + CMS.debug(method + " processing cmc"); + pending_bpids = new SEQUENCE(); ++ popRequired_bpids = new SEQUENCE(); + success_bpids = new SEQUENCE(); + failed_bpids = new SEQUENCE(); + EncryptedPOP encPop = null; +@@ -205,11 +207,15 @@ public class CMCOutputTemplate { + } else if (error_codes[i] == 2) { + pending_bpids.addElement(new INTEGER( + reqs[i].getExtDataInBigInteger("bodyPartId"))); ++ } else if (error_codes[i] == 4) { ++ popRequired_bpids.addElement(new INTEGER( ++ reqs[i].getExtDataInBigInteger("bodyPartId"))); + try { + encPop = constructEncryptedPop(reqs[i]); + } catch (Exception e) { + CMS.debug(method + e); +- return; ++ failed_bpids.addElement(new INTEGER( ++ reqs[i].getExtDataInBigInteger("bodyPartId"))); + } + } else { + failed_bpids.addElement(new INTEGER( +@@ -221,41 +227,41 @@ public class CMCOutputTemplate { + } + + TaggedAttribute tagattr = null; +- CMCStatusInfo cmcStatusInfo = null; ++ CMCStatusInfoV2 cmcStatusInfoV2 = null; + + SEQUENCE decryptedPOPBpids = (SEQUENCE) context.get("decryptedPOP"); + if (decryptedPOPBpids != null && decryptedPOPBpids.size() > 0) { + OtherInfo otherInfo = new OtherInfo(OtherInfo.FAIL, +- new INTEGER(OtherInfo.POP_FAILED), null); +- cmcStatusInfo = new CMCStatusInfo(CMCStatusInfo.FAILED, ++ new INTEGER(OtherInfo.POP_FAILED), null, null); ++ cmcStatusInfoV2 = new 
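Review bot: In the new `error_codes[i] == 4` branch of the `@@ -205,11 +207,15 @@` hunk the body part id is appended to `popRequired_bpids` before `constructEncryptedPop` is attempted, and on failure the same id is appended to `failed_bpids`, so one request ends up in both a POP_REQUIRED and a FAILED status control of the response. Moving the `popRequired_bpids.addElement(...)` line inside the `try`, after `constructEncryptedPop(reqs[i])` returns, keeps the two lists disjoint. The enclosing loop starts before this hunk.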
CMCStatusInfoV2(CMCStatusInfoV2.FAILED, + decryptedPOPBpids, (String) null, otherInfo); + tagattr = new TaggedAttribute( + new INTEGER(bpid++), +- OBJECT_IDENTIFIER.id_cmc_cMCStatusInfo, cmcStatusInfo); ++ OBJECT_IDENTIFIER.id_cmc_statusInfoV2, cmcStatusInfoV2); + controlSeq.addElement(tagattr); + } + + SEQUENCE identificationBpids = (SEQUENCE) context.get("identification"); + if (identificationBpids != null && identificationBpids.size() > 0) { + OtherInfo otherInfo = new OtherInfo(OtherInfo.FAIL, +- new INTEGER(OtherInfo.BAD_IDENTITY), null); +- cmcStatusInfo = new CMCStatusInfo(CMCStatusInfo.FAILED, ++ new INTEGER(OtherInfo.BAD_IDENTITY), null, null); ++ cmcStatusInfoV2 = new CMCStatusInfoV2(CMCStatusInfoV2.FAILED, + identificationBpids, (String) null, otherInfo); + tagattr = new TaggedAttribute( + new INTEGER(bpid++), +- OBJECT_IDENTIFIER.id_cmc_cMCStatusInfo, cmcStatusInfo); ++ OBJECT_IDENTIFIER.id_cmc_statusInfoV2, cmcStatusInfoV2); + controlSeq.addElement(tagattr); + } + + SEQUENCE identityV2Bpids = (SEQUENCE) context.get("identityProofV2"); + if (identityV2Bpids != null && identityV2Bpids.size() > 0) { + OtherInfo otherInfo = new OtherInfo(OtherInfo.FAIL, +- new INTEGER(OtherInfo.BAD_IDENTITY), null); +- cmcStatusInfo = new CMCStatusInfo(CMCStatusInfo.FAILED, ++ new INTEGER(OtherInfo.BAD_IDENTITY), null, null); ++ cmcStatusInfoV2 = new CMCStatusInfoV2(CMCStatusInfoV2.FAILED, + identityV2Bpids, (String) null, otherInfo); + tagattr = new TaggedAttribute( + new INTEGER(bpid++), +- OBJECT_IDENTIFIER.id_cmc_cMCStatusInfo, cmcStatusInfo); ++ OBJECT_IDENTIFIER.id_cmc_statusInfoV2, cmcStatusInfoV2); + controlSeq.addElement(tagattr); + } + +@@ -263,41 +269,41 @@ public class CMCOutputTemplate { + SEQUENCE identityBpids = (SEQUENCE) context.get("identityProof"); + if (identityBpids != null && identityBpids.size() > 0) { + OtherInfo otherInfo = new OtherInfo(OtherInfo.FAIL, +- new INTEGER(OtherInfo.BAD_IDENTITY), null); +- cmcStatusInfo = new 
CMCStatusInfo(CMCStatusInfo.FAILED, ++ new INTEGER(OtherInfo.BAD_IDENTITY), null, null); ++ cmcStatusInfoV2 = new CMCStatusInfoV2(CMCStatusInfoV2.FAILED, + identityBpids, (String) null, otherInfo); + tagattr = new TaggedAttribute( + new INTEGER(bpid++), +- OBJECT_IDENTIFIER.id_cmc_cMCStatusInfo, cmcStatusInfo); ++ OBJECT_IDENTIFIER.id_cmc_statusInfoV2, cmcStatusInfoV2); + controlSeq.addElement(tagattr); + } + + SEQUENCE POPLinkWitnessV2Bpids = (SEQUENCE) context.get("POPLinkWitnessV2"); + if (POPLinkWitnessV2Bpids != null && POPLinkWitnessV2Bpids.size() > 0) { + OtherInfo otherInfo = new OtherInfo(OtherInfo.FAIL, +- new INTEGER(OtherInfo.BAD_REQUEST), null); +- cmcStatusInfo = new CMCStatusInfo(CMCStatusInfo.FAILED, ++ new INTEGER(OtherInfo.BAD_REQUEST), null, null); ++ cmcStatusInfoV2 = new CMCStatusInfoV2(CMCStatusInfoV2.FAILED, + POPLinkWitnessV2Bpids, (String) null, otherInfo); + tagattr = new TaggedAttribute( + new INTEGER(bpid++), +- OBJECT_IDENTIFIER.id_cmc_cMCStatusInfo, cmcStatusInfo); ++ OBJECT_IDENTIFIER.id_cmc_statusInfoV2, cmcStatusInfoV2); + controlSeq.addElement(tagattr); + } + + SEQUENCE POPLinkWitnessBpids = (SEQUENCE) context.get("POPLinkWitness"); + if (POPLinkWitnessBpids != null && POPLinkWitnessBpids.size() > 0) { + OtherInfo otherInfo = new OtherInfo(OtherInfo.FAIL, +- new INTEGER(OtherInfo.BAD_REQUEST), null); +- cmcStatusInfo = new CMCStatusInfo(CMCStatusInfo.FAILED, ++ new INTEGER(OtherInfo.BAD_REQUEST), null, null); ++ cmcStatusInfoV2 = new CMCStatusInfoV2(CMCStatusInfoV2.FAILED, + POPLinkWitnessBpids, (String) null, otherInfo); + tagattr = new TaggedAttribute( + new INTEGER(bpid++), +- OBJECT_IDENTIFIER.id_cmc_cMCStatusInfo, cmcStatusInfo); ++ OBJECT_IDENTIFIER.id_cmc_statusInfoV2, cmcStatusInfoV2); + controlSeq.addElement(tagattr); + } + +- if (pending_bpids.size() > 0) { +- // handle encryptedPOP control first ++ if (popRequired_bpids.size() > 0) { ++ // handle encryptedPOP control + + if (encPop != null) { + CMS.debug(method + "adding 
encPop"); +@@ -309,17 +315,35 @@ public class CMCOutputTemplate { + CMS.debug(method + "encPop added"); + } + ++ OtherInfo otherInfo = new OtherInfo(OtherInfo.FAIL, ++ new INTEGER(OtherInfo.POP_REQUIRED), null, null); ++ cmcStatusInfoV2 = ++ new CMCStatusInfoV2(CMCStatusInfoV2.POP_REQUIRED, ++ popRequired_bpids, (String) null, otherInfo); ++ tagattr = new TaggedAttribute( ++ new INTEGER(bpid++), ++ OBJECT_IDENTIFIER.id_cmc_statusInfoV2, cmcStatusInfoV2); ++ controlSeq.addElement(tagattr); ++ ++ // add request id ++ byte[] reqId = reqs[0].getRequestId().toBigInteger().toByteArray(); ++ TaggedAttribute reqIdTA = ++ new TaggedAttribute(new INTEGER(bpid++), ++ OBJECT_IDENTIFIER.id_cmc_responseInfo, ++ new OCTET_STRING(reqId)); ++ controlSeq.addElement(reqIdTA); ++ } ++ ++ if (pending_bpids.size() > 0) { + String reqId = reqs[0].getRequestId().toString(); +- OtherInfo otherInfo = null; + PendInfo pendInfo = new PendInfo(reqId, new Date()); +- otherInfo = new OtherInfo(OtherInfo.PEND, null, +- pendInfo); +- // cfu: inject POP_REQUIRED when working on V2 status +- cmcStatusInfo = new CMCStatusInfo(CMCStatusInfo.PENDING, ++ OtherInfo otherInfo = new OtherInfo(OtherInfo.PEND, null, ++ pendInfo, null); ++ cmcStatusInfoV2 = new CMCStatusInfoV2(CMCStatusInfoV2.PENDING, + pending_bpids, (String) null, otherInfo); + tagattr = new TaggedAttribute( + new INTEGER(bpid++), +- OBJECT_IDENTIFIER.id_cmc_cMCStatusInfo, cmcStatusInfo); ++ OBJECT_IDENTIFIER.id_cmc_statusInfoV2, cmcStatusInfoV2); + controlSeq.addElement(tagattr); + } + +@@ -333,27 +357,27 @@ public class CMCOutputTemplate { + } + if (confirmRequired) { + CMS.debug(method + " confirmRequired in the request"); +- cmcStatusInfo = +- new CMCStatusInfo(CMCStatusInfo.CONFIRM_REQUIRED, ++ cmcStatusInfoV2 = ++ new CMCStatusInfoV2(CMCStatusInfoV2.CONFIRM_REQUIRED, + success_bpids, (String) null, null); + } else { +- cmcStatusInfo = new CMCStatusInfo(CMCStatusInfo.SUCCESS, ++ cmcStatusInfoV2 = new 
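Review bot: The new POP_REQUIRED block in the `@@ -309,17 +315,35 @@` hunk emits the status control and the `id_cmc_responseInfo` request id whenever `popRequired_bpids` is non-empty, but the `encPop != null` guard just above it means the encryptedPOP control itself may be absent (it is when `constructEncryptedPop` threw in the loop earlier), leaving the client a POP_REQUIRED status it cannot answer. The request id is also always taken from `reqs[0]` even though `popRequired_bpids` can hold several body part ids; the pending path below has the same `reqs[0]` assumption, so this may be a known single-request limitation, but a comment such as `// assumes one request per CMC message; responseInfo carries reqs[0] only` would make it explicit. Consider conditioning the status on `encPop != null` and routing the rest to `failed_bpids`, or documenting why a status without the control is acceptable.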
CMCStatusInfoV2(CMCStatusInfoV2.SUCCESS, + success_bpids, (String) null, null); + } + tagattr = new TaggedAttribute( + new INTEGER(bpid++), +- OBJECT_IDENTIFIER.id_cmc_cMCStatusInfo, cmcStatusInfo); ++ OBJECT_IDENTIFIER.id_cmc_statusInfoV2, cmcStatusInfoV2); + controlSeq.addElement(tagattr); + } + + if (failed_bpids.size() > 0) { + OtherInfo otherInfo = new OtherInfo(OtherInfo.FAIL, +- new INTEGER(OtherInfo.BAD_REQUEST), null); +- cmcStatusInfo = new CMCStatusInfo(CMCStatusInfo.FAILED, ++ new INTEGER(OtherInfo.BAD_REQUEST), null, null); ++ cmcStatusInfoV2 = new CMCStatusInfoV2(CMCStatusInfoV2.FAILED, + failed_bpids, (String) null, otherInfo); + tagattr = new TaggedAttribute( + new INTEGER(bpid++), +- OBJECT_IDENTIFIER.id_cmc_cMCStatusInfo, cmcStatusInfo); ++ OBJECT_IDENTIFIER.id_cmc_statusInfoV2, cmcStatusInfoV2); + controlSeq.addElement(tagattr); + } + } +@@ -373,15 +397,15 @@ public class CMCOutputTemplate { + } catch (EBaseException ee) { + CMS.debug(method + ee.toString()); + OtherInfo otherInfo1 = new OtherInfo(OtherInfo.FAIL, +- new INTEGER(OtherInfo.BAD_CERT_ID), null); ++ new INTEGER(OtherInfo.BAD_CERT_ID), null, null); + SEQUENCE bpids1 = new SEQUENCE(); + bpids1.addElement(attr.getBodyPartID()); +- CMCStatusInfo cmcStatusInfo1 = new CMCStatusInfo( +- new INTEGER(CMCStatusInfo.FAILED), ++ CMCStatusInfoV2 cmcStatusInfoV2 = new CMCStatusInfoV2( ++ new INTEGER(CMCStatusInfoV2.FAILED), + bpids1, null, otherInfo1); + TaggedAttribute tagattr1 = new TaggedAttribute( + new INTEGER(bpid++), +- OBJECT_IDENTIFIER.id_cmc_cMCStatusInfo, cmcStatusInfo1); ++ OBJECT_IDENTIFIER.id_cmc_statusInfoV2, cmcStatusInfoV2); + controlSeq.addElement(tagattr1); + } + } +@@ -537,7 +561,7 @@ public class CMCOutputTemplate { + } + + } else { +- msg = "popChallengeRequired required, but one more more of the pop_ data not found in request"; ++ msg = "popChallengeRequired, but one or more of the pop_ data not found in request"; + CMS.debug(method + msg); + throw new EBaseException(method + 
msg); + } +@@ -734,23 +758,23 @@ public class CMCOutputTemplate { + CMS.debug("CMCOutputTemplate: Certificate in the confirm acceptance control was not found"); + } + } +- CMCStatusInfo cmcStatusInfo = null; ++ CMCStatusInfoV2 cmcStatusInfoV2 = null; + if (confirmAccepted) { + CMS.debug("CMCOutputTemplate: Confirm Acceptance received. The certificate exists in the certificate repository."); +- cmcStatusInfo = +- new CMCStatusInfo(CMCStatusInfo.SUCCESS, seq, ++ cmcStatusInfoV2 = ++ new CMCStatusInfoV2(CMCStatusInfoV2.SUCCESS, seq, + (String) null, null); + } else { + CMS.debug("CMCOutputTemplate: Confirm Acceptance received. The certificate does not exist in the certificate repository."); + OtherInfo otherInfo = new OtherInfo(OtherInfo.FAIL, +- new INTEGER(OtherInfo.BAD_CERT_ID), null); +- cmcStatusInfo = +- new CMCStatusInfo(CMCStatusInfo.FAILED, seq, ++ new INTEGER(OtherInfo.BAD_CERT_ID), null, null); ++ cmcStatusInfoV2 = ++ new CMCStatusInfoV2(CMCStatusInfoV2.FAILED, seq, + (String) null, otherInfo); + } + TaggedAttribute statustagattr = new TaggedAttribute( + new INTEGER(bpid++), +- OBJECT_IDENTIFIER.id_cmc_cMCStatusInfo, cmcStatusInfo); ++ OBJECT_IDENTIFIER.id_cmc_statusInfoV2, cmcStatusInfoV2); + controlSeq.addElement(statustagattr); + } catch (Exception e) { + CMS.debug("CMCOutputTemplate exception: " + e.toString()); +@@ -825,28 +849,28 @@ public class CMCOutputTemplate { + } + + if (pending_bpids.size() > 0) { +- CMCStatusInfo cmcStatusInfo = new CMCStatusInfo(CMCStatusInfo.PENDING, ++ CMCStatusInfoV2 cmcStatusInfoV2 = new CMCStatusInfoV2(CMCStatusInfoV2.PENDING, + pending_bpids, (String) null, null); + TaggedAttribute tagattr = new TaggedAttribute( + new INTEGER(bpid++), +- OBJECT_IDENTIFIER.id_cmc_cMCStatusInfo, cmcStatusInfo); ++ OBJECT_IDENTIFIER.id_cmc_statusInfoV2, cmcStatusInfoV2); + controlSeq.addElement(tagattr); + } + if (success_bpids.size() > 0) { +- CMCStatusInfo cmcStatusInfo = new CMCStatusInfo(CMCStatusInfo.SUCCESS, ++ CMCStatusInfoV2 
cmcStatusInfoV2 = new CMCStatusInfoV2(CMCStatusInfoV2.SUCCESS, + pending_bpids, (String) null, null); + TaggedAttribute tagattr = new TaggedAttribute( + new INTEGER(bpid++), +- OBJECT_IDENTIFIER.id_cmc_cMCStatusInfo, cmcStatusInfo); ++ OBJECT_IDENTIFIER.id_cmc_statusInfoV2, cmcStatusInfoV2); + controlSeq.addElement(tagattr); + } + + if (failed_bpids.size() > 0) { +- CMCStatusInfo cmcStatusInfo = new CMCStatusInfo(CMCStatusInfo.FAILED, ++ CMCStatusInfoV2 cmcStatusInfoV2 = new CMCStatusInfoV2(CMCStatusInfoV2.FAILED, + pending_bpids, (String) null, null); + TaggedAttribute tagattr = new TaggedAttribute( + new INTEGER(bpid++), +- OBJECT_IDENTIFIER.id_cmc_cMCStatusInfo, cmcStatusInfo); ++ OBJECT_IDENTIFIER.id_cmc_statusInfoV2, cmcStatusInfoV2); + controlSeq.addElement(tagattr); + } + +@@ -959,7 +983,7 @@ public class CMCOutputTemplate { + + if (attr != null) { + INTEGER attrbpid = attr.getBodyPartID(); +- CMCStatusInfo cmcStatusInfo = null; ++ CMCStatusInfoV2 cmcStatusInfoV2 = null; + SET vals = attr.getValues(); + if (vals.size() > 0) { + RevokeRequest revRequest = (RevokeRequest) (ASN1Util.decode(new RevokeRequest.Template(), +@@ -988,14 +1012,14 @@ public class CMCOutputTemplate { + CMS.debug(method + "missing CMC signer principal"); + OtherInfo otherInfo = new OtherInfo(OtherInfo.FAIL, + new INTEGER(OtherInfo.BAD_MESSAGE_CHECK), +- null); ++ null, null); + SEQUENCE failed_bpids = new SEQUENCE(); + failed_bpids.addElement(attrbpid); +- cmcStatusInfo = new CMCStatusInfo(CMCStatusInfo.FAILED, failed_bpids, (String) null, ++ cmcStatusInfoV2 = new CMCStatusInfoV2(CMCStatusInfoV2.FAILED, failed_bpids, (String) null, + otherInfo); + tagattr = new TaggedAttribute( + new INTEGER(bpid++), +- OBJECT_IDENTIFIER.id_cmc_cMCStatusInfo, cmcStatusInfo); ++ OBJECT_IDENTIFIER.id_cmc_statusInfoV2, cmcStatusInfoV2); + controlSeq.addElement(tagattr); + return bpid; + } +@@ -1021,15 +1045,15 @@ public class CMCOutputTemplate { + if (!verifyRevRequestSignature(msgData)) { + OtherInfo 
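Review bot: In the `@@ -825,28 +849,28 @@` hunk the SUCCESS and FAILED status controls are rebuilt with CMCStatusInfoV2 but still take `pending_bpids` as their body part list (the context line after each new constructor), so the `success_bpids.size() > 0` and `failed_bpids.size() > 0` branches report the pending ids rather than the ones they test. Since the commit rewrites exactly those constructor statements, this is the moment to pass `success_bpids, (String) null, null);` and `failed_bpids, (String) null, null);` respectively. The enclosing method starts before this hunk.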
otherInfo = new OtherInfo(OtherInfo.FAIL, + new INTEGER(OtherInfo.BAD_MESSAGE_CHECK), +- null); ++ null, null); + SEQUENCE failed_bpids = new SEQUENCE(); + failed_bpids.addElement(attrbpid); +- cmcStatusInfo = new CMCStatusInfo(CMCStatusInfo.FAILED, failed_bpids, ++ cmcStatusInfoV2 = new CMCStatusInfoV2(CMCStatusInfoV2.FAILED, failed_bpids, + (String) null, + otherInfo); + tagattr = new TaggedAttribute( + new INTEGER(bpid++), +- OBJECT_IDENTIFIER.id_cmc_cMCStatusInfo, cmcStatusInfo); ++ OBJECT_IDENTIFIER.id_cmc_statusInfoV2, cmcStatusInfoV2); + controlSeq.addElement(tagattr); + return bpid; + } +@@ -1051,13 +1075,13 @@ public class CMCOutputTemplate { + if (tokenClass == null) { + CMS.debug(method + " Failed to retrieve shared secret plugin class"); + OtherInfo otherInfo = new OtherInfo(OtherInfo.FAIL, new INTEGER(OtherInfo.INTERNAL_CA_ERROR), +- null); ++ null, null); + SEQUENCE failed_bpids = new SEQUENCE(); + failed_bpids.addElement(attrbpid); +- cmcStatusInfo = new CMCStatusInfo(CMCStatusInfo.FAILED, failed_bpids, (String) null, otherInfo); ++ cmcStatusInfoV2 = new CMCStatusInfoV2(CMCStatusInfoV2.FAILED, failed_bpids, (String) null, otherInfo); + tagattr = new TaggedAttribute( + new INTEGER(bpid++), +- OBJECT_IDENTIFIER.id_cmc_cMCStatusInfo, cmcStatusInfo); ++ OBJECT_IDENTIFIER.id_cmc_statusInfoV2, cmcStatusInfoV2); + controlSeq.addElement(tagattr); + return bpid; + } +@@ -1067,14 +1091,14 @@ public class CMCOutputTemplate { + + if (sharedSecret == null) { + CMS.debug("CMCOutputTemplate: shared secret not found."); +- OtherInfo otherInfo = new OtherInfo(OtherInfo.FAIL, new INTEGER(OtherInfo.INTERNAL_CA_ERROR), +- null); ++ OtherInfo otherInfo = new OtherInfo(OtherInfo.FAIL, new INTEGER(OtherInfo.BAD_IDENTITY), ++ null, null); + SEQUENCE failed_bpids = new SEQUENCE(); + failed_bpids.addElement(attrbpid); +- cmcStatusInfo = new CMCStatusInfo(CMCStatusInfo.FAILED, failed_bpids, (String) null, otherInfo); ++ cmcStatusInfoV2 = new 
CMCStatusInfoV2(CMCStatusInfoV2.FAILED, failed_bpids, (String) null, otherInfo); + tagattr = new TaggedAttribute( + new INTEGER(bpid++), +- OBJECT_IDENTIFIER.id_cmc_cMCStatusInfo, cmcStatusInfo); ++ OBJECT_IDENTIFIER.id_cmc_statusInfoV2, cmcStatusInfoV2); + controlSeq.addElement(tagattr); + return bpid; + } +@@ -1088,14 +1112,14 @@ public class CMCOutputTemplate { + } else { + CMS.debug(method + + " Client and server shared secret are not the same, cannot revoke certificate."); +- OtherInfo otherInfo = new OtherInfo(OtherInfo.FAIL, new INTEGER(OtherInfo.BAD_MESSAGE_CHECK), +- null); ++ OtherInfo otherInfo = new OtherInfo(OtherInfo.FAIL, new INTEGER(OtherInfo.BAD_IDENTITY), ++ null, null); + SEQUENCE failed_bpids = new SEQUENCE(); + failed_bpids.addElement(attrbpid); +- cmcStatusInfo = new CMCStatusInfo(CMCStatusInfo.FAILED, failed_bpids, (String) null, otherInfo); ++ cmcStatusInfoV2 = new CMCStatusInfoV2(CMCStatusInfoV2.FAILED, failed_bpids, (String) null, otherInfo); + tagattr = new TaggedAttribute( + new INTEGER(bpid++), +- OBJECT_IDENTIFIER.id_cmc_cMCStatusInfo, cmcStatusInfo); ++ OBJECT_IDENTIFIER.id_cmc_statusInfoV2, cmcStatusInfoV2); + controlSeq.addElement(tagattr); + + audit(new CertStatusChangeRequestProcessedEvent( +@@ -1123,13 +1147,13 @@ public class CMCOutputTemplate { + + if (record == null) { + CMS.debug(method + " The certificate is not found"); +- OtherInfo otherInfo = new OtherInfo(OtherInfo.FAIL, new INTEGER(OtherInfo.BAD_CERT_ID), null); ++ OtherInfo otherInfo = new OtherInfo(OtherInfo.FAIL, new INTEGER(OtherInfo.BAD_CERT_ID), null, null); + SEQUENCE failed_bpids = new SEQUENCE(); + failed_bpids.addElement(attrbpid); +- cmcStatusInfo = new CMCStatusInfo(CMCStatusInfo.FAILED, failed_bpids, (String) null, otherInfo); ++ cmcStatusInfoV2 = new CMCStatusInfoV2(CMCStatusInfoV2.FAILED, failed_bpids, (String) null, otherInfo); + tagattr = new TaggedAttribute( + new INTEGER(bpid++), +- OBJECT_IDENTIFIER.id_cmc_cMCStatusInfo, cmcStatusInfo); ++ 
OBJECT_IDENTIFIER.id_cmc_statusInfoV2, cmcStatusInfoV2); + controlSeq.addElement(tagattr); + return bpid; + } +@@ -1138,11 +1162,11 @@ public class CMCOutputTemplate { + CMS.debug("CMCOutputTemplate: The certificate is already revoked."); + SEQUENCE success_bpids = new SEQUENCE(); + success_bpids.addElement(attrbpid); +- cmcStatusInfo = new CMCStatusInfo(CMCStatusInfo.SUCCESS, ++ cmcStatusInfoV2 = new CMCStatusInfoV2(CMCStatusInfoV2.SUCCESS, + success_bpids, (String) null, null); + tagattr = new TaggedAttribute( + new INTEGER(bpid++), +- OBJECT_IDENTIFIER.id_cmc_cMCStatusInfo, cmcStatusInfo); ++ OBJECT_IDENTIFIER.id_cmc_statusInfoV2, cmcStatusInfoV2); + controlSeq.addElement(tagattr); + return bpid; + } +@@ -1159,14 +1183,14 @@ public class CMCOutputTemplate { + msg = "certificate principal and signer do not match"; + CMS.debug(method + msg); + OtherInfo otherInfo = new OtherInfo(OtherInfo.FAIL, new INTEGER(OtherInfo.BAD_IDENTITY), +- null); ++ null, null); + SEQUENCE failed_bpids = new SEQUENCE(); + failed_bpids.addElement(attrbpid); +- cmcStatusInfo = new CMCStatusInfo(CMCStatusInfo.FAILED, failed_bpids, msg, ++ cmcStatusInfoV2 = new CMCStatusInfoV2(CMCStatusInfoV2.FAILED, failed_bpids, msg, + otherInfo); + tagattr = new TaggedAttribute( + new INTEGER(bpid++), +- OBJECT_IDENTIFIER.id_cmc_cMCStatusInfo, cmcStatusInfo); ++ OBJECT_IDENTIFIER.id_cmc_statusInfoV2, cmcStatusInfoV2); + controlSeq.addElement(tagattr); + + audit(new CertStatusChangeRequestProcessedEvent( +@@ -1220,14 +1244,14 @@ public class CMCOutputTemplate { + CMS.debug("CMCOutputTemplate: revReq exception: " + + revReq.getExtDataInString(IRequest.ERROR)); + OtherInfo otherInfo = new OtherInfo(OtherInfo.FAIL, new INTEGER(OtherInfo.BAD_REQUEST), +- null); ++ null, null); + SEQUENCE failed_bpids = new SEQUENCE(); + failed_bpids.addElement(attrbpid); +- cmcStatusInfo = new CMCStatusInfo(CMCStatusInfo.FAILED, failed_bpids, (String) null, ++ cmcStatusInfoV2 = new CMCStatusInfoV2(CMCStatusInfoV2.FAILED, 
failed_bpids, (String) null, + otherInfo); + tagattr = new TaggedAttribute( + new INTEGER(bpid++), +- OBJECT_IDENTIFIER.id_cmc_cMCStatusInfo, cmcStatusInfo); ++ OBJECT_IDENTIFIER.id_cmc_statusInfoV2, cmcStatusInfoV2); + controlSeq.addElement(tagattr); + + audit(new CertStatusChangeRequestProcessedEvent( +@@ -1254,11 +1278,11 @@ public class CMCOutputTemplate { + CMS.debug(method + " Certificate revoked."); + SEQUENCE success_bpids = new SEQUENCE(); + success_bpids.addElement(attrbpid); +- cmcStatusInfo = new CMCStatusInfo(CMCStatusInfo.SUCCESS, ++ cmcStatusInfoV2 = new CMCStatusInfoV2(CMCStatusInfoV2.SUCCESS, + success_bpids, (String) null, null); + tagattr = new TaggedAttribute( + new INTEGER(bpid++), +- OBJECT_IDENTIFIER.id_cmc_cMCStatusInfo, cmcStatusInfo); ++ OBJECT_IDENTIFIER.id_cmc_statusInfoV2, cmcStatusInfoV2); + controlSeq.addElement(tagattr); + + auditApprovalStatus = RequestStatus.COMPLETE; +@@ -1272,13 +1296,13 @@ public class CMCOutputTemplate { + auditApprovalStatus)); + return bpid; + } else { +- OtherInfo otherInfo = new OtherInfo(OtherInfo.FAIL, new INTEGER(OtherInfo.BAD_MESSAGE_CHECK), null); ++ OtherInfo otherInfo = new OtherInfo(OtherInfo.FAIL, new INTEGER(OtherInfo.INTERNAL_CA_ERROR), null, null); + SEQUENCE failed_bpids = new SEQUENCE(); + failed_bpids.addElement(attrbpid); +- cmcStatusInfo = new CMCStatusInfo(CMCStatusInfo.FAILED, failed_bpids, (String) null, otherInfo); ++ cmcStatusInfoV2 = new CMCStatusInfoV2(CMCStatusInfoV2.FAILED, failed_bpids, (String) null, otherInfo); + tagattr = new TaggedAttribute( + new INTEGER(bpid++), +- OBJECT_IDENTIFIER.id_cmc_cMCStatusInfo, cmcStatusInfo); ++ OBJECT_IDENTIFIER.id_cmc_statusInfoV2, cmcStatusInfoV2); + controlSeq.addElement(tagattr); + + audit(new CertStatusChangeRequestProcessedEvent( +diff --git a/base/server/cms/src/com/netscape/cms/servlet/common/GenPendingTemplateFiller.java b/base/server/cms/src/com/netscape/cms/servlet/common/GenPendingTemplateFiller.java +index 4578a98..cfd42ad 100644 
+--- a/base/server/cms/src/com/netscape/cms/servlet/common/GenPendingTemplateFiller.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/common/GenPendingTemplateFiller.java +@@ -35,7 +35,7 @@ import org.mozilla.jss.asn1.SEQUENCE; + import org.mozilla.jss.asn1.SET; + import org.mozilla.jss.crypto.DigestAlgorithm; + import org.mozilla.jss.crypto.SignatureAlgorithm; +-import org.mozilla.jss.pkix.cmc.CMCStatusInfo; ++import org.mozilla.jss.pkix.cmc.CMCStatusInfoV2; + import org.mozilla.jss.pkix.cmc.OtherInfo; + import org.mozilla.jss.pkix.cmc.PendInfo; + import org.mozilla.jss.pkix.cmc.ResponseBody; +@@ -98,7 +98,7 @@ public class GenPendingTemplateFiller implements ICMSTemplateFiller { + RequestId reqId = req.getRequestId(); + + fixed.set(ICMSTemplateFiller.REQUEST_ID, reqId); +- // set pendInfo, CMCStatusInfo ++ // set pendInfo, CMCStatusInfoV2 + IArgBlock httpParams = cmsReq.getHttpParams(); + + if (doFullResponse(httpParams)) { +@@ -115,12 +115,12 @@ public class GenPendingTemplateFiller implements ICMSTemplateFiller { + for (int i = 0; i < reqIdArray.length; i++) { + bpids.addElement(new INTEGER(reqIdArray[i])); + } +- CMCStatusInfo cmcStatusInfo = new +- CMCStatusInfo(CMCStatusInfo.PENDING, bpids, ++ CMCStatusInfoV2 cmcStatusInfo = new ++ CMCStatusInfoV2(CMCStatusInfoV2.PENDING, bpids, + (String) null, otherInfo); + TaggedAttribute ta = new TaggedAttribute(new + INTEGER(bpid++), +- OBJECT_IDENTIFIER.id_cmc_cMCStatusInfo, ++ OBJECT_IDENTIFIER.id_cmc_statusInfoV2, + cmcStatusInfo); + + controlSeq.addElement(ta); +diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java +index 73195e9..d087162 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java +@@ -19,6 +19,7 @@ package com.netscape.cms.servlet.profile; + + 
import java.io.InputStream; + import java.io.OutputStream; ++import java.math.BigInteger; + import java.security.cert.X509Certificate; + import java.util.Enumeration; + import java.util.Locale; +@@ -51,6 +52,11 @@ import com.netscape.certsrv.logging.ILogger; + import com.netscape.certsrv.logging.event.AuthFailEvent; + import com.netscape.certsrv.logging.event.AuthSuccessEvent; + import com.netscape.certsrv.logging.event.CertRequestProcessedEvent; ++import com.netscape.certsrv.profile.ECMCBadIdentityException; ++import com.netscape.certsrv.profile.ECMCBadMessageCheckException; ++import com.netscape.certsrv.profile.ECMCBadRequestException; ++import com.netscape.certsrv.profile.ECMCPopFailedException; ++import com.netscape.certsrv.profile.ECMCPopRequiredException; + import com.netscape.certsrv.profile.EDeferException; + import com.netscape.certsrv.profile.EProfileException; + import com.netscape.certsrv.profile.ERejectException; +@@ -502,8 +508,60 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { + } + try { + reqs = profile.createRequests(ctx, locale); ++ } catch (ECMCBadMessageCheckException e) { ++ CMS.debug("ProfileSubmitCMCServlet: after createRequests - " + e.toString()); ++ CMCOutputTemplate template = new CMCOutputTemplate(); ++ SEQUENCE seq = new SEQUENCE(); ++ seq.addElement(new INTEGER(0)); ++ UTF8String s = null; ++ try { ++ s = new UTF8String(e.toString()); ++ } catch (Exception ee) { ++ } ++ template.createFullResponseWithFailedStatus(response, seq, ++ OtherInfo.BAD_MESSAGE_CHECK, s); ++ return; ++ } catch (ECMCBadIdentityException e) { ++ CMS.debug("ProfileSubmitCMCServlet: after createRequests - " + e.toString()); ++ CMCOutputTemplate template = new CMCOutputTemplate(); ++ SEQUENCE seq = new SEQUENCE(); ++ seq.addElement(new INTEGER(0)); ++ UTF8String s = null; ++ try { ++ s = new UTF8String(e.toString()); ++ } catch (Exception ee) { ++ } ++ template.createFullResponseWithFailedStatus(response, seq, ++ OtherInfo.BAD_IDENTITY, s); ++ 
return; ++ } catch (ECMCPopFailedException e) { ++ CMS.debug("ProfileSubmitCMCServlet: after createRequests - " + e.toString()); ++ CMCOutputTemplate template = new CMCOutputTemplate(); ++ SEQUENCE seq = new SEQUENCE(); ++ seq.addElement(new INTEGER(0)); ++ UTF8String s = null; ++ try { ++ s = new UTF8String(e.toString()); ++ } catch (Exception ee) { ++ } ++ template.createFullResponseWithFailedStatus(response, seq, ++ OtherInfo.POP_FAILED, s); ++ return; ++ } catch (ECMCBadRequestException e) { ++ CMS.debug("ProfileSubmitCMCServlet: after createRequests - " + e.toString()); ++ CMCOutputTemplate template = new CMCOutputTemplate(); ++ SEQUENCE seq = new SEQUENCE(); ++ seq.addElement(new INTEGER(0)); ++ UTF8String s = null; ++ try { ++ s = new UTF8String(e.toString()); ++ } catch (Exception ee) { ++ } ++ template.createFullResponseWithFailedStatus(response, seq, ++ OtherInfo.BAD_REQUEST, s); ++ return; + } catch (EProfileException e) { +- CMS.debug("ProfileSubmitCMCServlet: createRequests " + e.toString()); ++ CMS.debug("ProfileSubmitCMCServlet: after createRequests - " + e.toString()); + CMCOutputTemplate template = new CMCOutputTemplate(); + SEQUENCE seq = new SEQUENCE(); + seq.addElement(new INTEGER(0)); +@@ -516,7 +574,7 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { + OtherInfo.INTERNAL_CA_ERROR, s); + return; + } catch (Throwable e) { +- CMS.debug("ProfileSubmitCMCServlet: createRequests " + e.toString()); ++ CMS.debug("ProfileSubmitCMCServlet: createRequests - " + e.toString()); + CMCOutputTemplate template = new CMCOutputTemplate(); + SEQUENCE seq = new SEQUENCE(); + seq.addElement(new INTEGER(0)); +@@ -570,7 +628,7 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { + boolean isRevoke = false; + if (reqs == null) { + // handling DecryptedPOP request here +- Integer reqID = (Integer) context.get("cmcDecryptedPopReqId"); ++ BigInteger reqID = (BigInteger) context.get("cmcDecryptedPopReqId"); + if (reqID == null) { + 
CMS.debug("ProfileSubmitCMCServlet: revocation request"); + isRevoke = true; +@@ -683,8 +741,21 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { + } + profile.populateInput(ctx, reqs[k]); + profile.populate(reqs[k]); ++ } catch (ECMCPopFailedException e) { ++ CMS.debug("ProfileSubmitCMCServlet: after populate - " + e.toString()); ++ CMCOutputTemplate template = new CMCOutputTemplate(); ++ SEQUENCE seq = new SEQUENCE(); ++ seq.addElement(new INTEGER(0)); ++ UTF8String s = null; ++ try { ++ s = new UTF8String(e.toString()); ++ } catch (Exception ee) { ++ } ++ template.createFullResponseWithFailedStatus(response, seq, ++ OtherInfo.POP_FAILED, s); ++ return; + } catch (EProfileException e) { +- CMS.debug("ProfileSubmitCMCServlet: populate " + e.toString()); ++ CMS.debug("ProfileSubmitCMCServlet: after populate - " + e.toString()); + CMCOutputTemplate template = new CMCOutputTemplate(); + SEQUENCE seq = new SEQUENCE(); + seq.addElement(new INTEGER(0)); +@@ -697,7 +768,7 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { + OtherInfo.BAD_REQUEST, s); + return; + } catch (Throwable e) { +- CMS.debug("ProfileSubmitCMCServlet: populate " + e.toString()); ++ CMS.debug("ProfileSubmitCMCServlet: after populate - " + e.toString()); + // throw new IOException("Profile " + profileId + + // " cannot populate"); + CMCOutputTemplate template = new CMCOutputTemplate(); +@@ -780,6 +851,21 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { + errorReason = CMS.getUserMessage(locale, + "CMS_PROFILE_REJECTED", + e.toString()); ++ } catch (ECMCPopRequiredException e) { ++ // return popRequired message to the user ++ CMS.debug("ProfileSubmitCMCServlet: popRequired; set request to PENDING"); ++ reqs[k].setRequestStatus(RequestStatus.PENDING); ++ // need to notify ++ INotify notify = profile.getRequestQueue().getPendingNotify(); ++ if (notify != null) { ++ notify.notify(reqs[k]); ++ } ++ ++ CMS.debug("ProfileSubmitCMCServlet: submit " + 
e.toString()); ++ errorCode = "4"; ++ errorReason = CMS.getUserMessage(locale, ++ "CMS_PROFILE_CMC_POP_REQUIRED", ++ e.toString()); + } catch (Throwable e) { + // return error to the user + CMS.debug("ProfileSubmitCMCServlet: submit " + e.toString()); +diff --git a/base/server/cms/src/com/netscape/cms/servlet/request/CheckRequest.java b/base/server/cms/src/com/netscape/cms/servlet/request/CheckRequest.java +index 76700fe..5666c13 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/request/CheckRequest.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/request/CheckRequest.java +@@ -48,7 +48,7 @@ import org.mozilla.jss.asn1.SEQUENCE; + import org.mozilla.jss.asn1.SET; + import org.mozilla.jss.crypto.DigestAlgorithm; + import org.mozilla.jss.crypto.SignatureAlgorithm; +-import org.mozilla.jss.pkix.cmc.CMCStatusInfo; ++import org.mozilla.jss.pkix.cmc.CMCStatusInfoV2; + import org.mozilla.jss.pkix.cmc.PKIData; + import org.mozilla.jss.pkix.cmc.ResponseBody; + import org.mozilla.jss.pkix.cmc.TaggedAttribute; +@@ -431,11 +431,11 @@ public class CheckRequest extends CMSServlet { + + if (bodyPartId != null) + bpids.addElement(bodyPartId); +- CMCStatusInfo cmcStatusInfo = new +- CMCStatusInfo(CMCStatusInfo.SUCCESS, bpids); ++ CMCStatusInfoV2 cmcStatusInfo = new ++ CMCStatusInfoV2(CMCStatusInfoV2.SUCCESS, bpids); + TaggedAttribute ta = new TaggedAttribute(new + INTEGER(bpid++), +- OBJECT_IDENTIFIER.id_cmc_cMCStatusInfo, ++ OBJECT_IDENTIFIER.id_cmc_statusInfoV2, + cmcStatusInfo); + + controlSeq.addElement(ta); +diff --git a/base/server/cmsbundle/src/UserMessages.properties b/base/server/cmsbundle/src/UserMessages.properties +index ff56465..ed2a620 100644 +--- a/base/server/cmsbundle/src/UserMessages.properties ++++ b/base/server/cmsbundle/src/UserMessages.properties +@@ -801,6 +801,7 @@ CMS_PROFILE_SUBJDIR_EMPTY_ATTRVAL=Attribute value should not be empty + CMS_PROFILE_CRL_DISTRIBUTION_POINTS=CRL Distribution Points + CMS_PROFILE_REJECTED=Request {0} Rejected - 
{1} + CMS_PROFILE_DEFERRED=Request Deferred - {0} ++CMS_PROFILE_CMC_POP_REQUIRED=Request Deferred due to missing POP - {0} + CMS_PROFILE_INTERNAL_ERROR=Request {0} - Server Internal Error + CMS_PROFILE_KEY_ID=Key ID + CMS_PROFILE_NOT_OWNER=Not Profile Owner +-- +1.8.3.1 + diff --git a/SOURCES/pki-core-Display-tokenType-and-tokenOrigin-in-TPS-UI-and-CLI-Server.patch b/SOURCES/pki-core-Display-tokenType-and-tokenOrigin-in-TPS-UI-and-CLI-Server.patch new file mode 100644 index 0000000..615721b --- /dev/null +++ b/SOURCES/pki-core-Display-tokenType-and-tokenOrigin-in-TPS-UI-and-CLI-Server.patch 
@@ -0,0 +1,151 @@ +From cf8ba1882bd5349f53d3171824d1eb4c56bc7348 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Mon, 28 Aug 2017 23:50:33 +0200 +Subject: [PATCH] Displaying tokenType and tokenOrigin in TPS UI and CLI. + +The TPSCertService has been modified to include tokenType and +tokenOrigin fields in the returned token certificate data. The +TPS UI and CLI have been modified to display the fields. + +https://pagure.io/dogtagpki/issue/2793 + +Change-Id: I740fa69b81de3033e186f8d99c335814275b7218 +(cherry picked from commit 062c99a9012b2d7b00fabc2d2b565415800ce6a7) +--- + .../com/netscape/certsrv/tps/cert/TPSCertData.java | 52 +++++++++++++++++----- + .../com/netscape/cmstools/tps/cert/TPSCertCLI.java | 4 +- + 2 files changed, 45 insertions(+), 11 deletions(-) + +diff --git a/base/common/src/com/netscape/certsrv/tps/cert/TPSCertData.java b/base/common/src/com/netscape/certsrv/tps/cert/TPSCertData.java +index 7cefc791d..63ea26667 100644 +--- a/base/common/src/com/netscape/certsrv/tps/cert/TPSCertData.java ++++ b/base/common/src/com/netscape/certsrv/tps/cert/TPSCertData.java +@@ -53,10 +53,12 @@ public class TPSCertData { + String id; + String serialNumber; + String subject; ++ String userID; + String tokenID; ++ String origin; ++ String type; + String keyType; + String status; +- String userID; + Date createTime; + Date modifyTime; + +@@ -89,6 +91,15 @@ public class TPSCertData { + this.subject = subject; + } + ++ @XmlElement(name="UserID") ++ public String getUserID() { ++ return userID; ++ } ++ ++ public void setUserID(String userID) { ++ this.userID = userID; ++ } ++ + @XmlElement(name="TokenID") + public String getTokenID() { + return tokenID; +@@ -98,6 +109,24 @@ public class TPSCertData { + this.tokenID = tokenID; + } + ++ @XmlElement(name="Origin") ++ public String getOrigin() { ++ return origin; ++ } ++ ++ public void setOrigin(String origin) { ++ this.origin = origin; ++ } ++ ++ @XmlElement(name="Type") ++ public String getType() { ++ return type; 
++ } ++ ++ public void setType(String type) { ++ this.type = type; ++ } ++ + @XmlElement(name="KeyType") + public String getKeyType() { + return keyType; +@@ -116,15 +145,6 @@ public class TPSCertData { + this.status = status; + } + +- @XmlElement(name="UserID") +- public String getUserID() { +- return userID; +- } +- +- public void setUserID(String userID) { +- this.userID = userID; +- } +- + @XmlElement(name="CreateTime") + public Date getCreateTime() { + return createTime; +@@ -161,10 +181,12 @@ public class TPSCertData { + result = prime * result + ((keyType == null) ? 0 : keyType.hashCode()); + result = prime * result + ((link == null) ? 0 : link.hashCode()); + result = prime * result + ((modifyTime == null) ? 0 : modifyTime.hashCode()); ++ result = prime * result + ((origin == null) ? 0 : origin.hashCode()); + result = prime * result + ((serialNumber == null) ? 0 : serialNumber.hashCode()); + result = prime * result + ((status == null) ? 0 : status.hashCode()); + result = prime * result + ((subject == null) ? 0 : subject.hashCode()); + result = prime * result + ((tokenID == null) ? 0 : tokenID.hashCode()); ++ result = prime * result + ((type == null) ? 0 : type.hashCode()); + result = prime * result + ((userID == null) ? 
0 : userID.hashCode()); + return result; + } +@@ -203,6 +225,11 @@ public class TPSCertData { + return false; + } else if (!modifyTime.equals(other.modifyTime)) + return false; ++ if (origin == null) { ++ if (other.origin != null) ++ return false; ++ } else if (!origin.equals(other.origin)) ++ return false; + if (serialNumber == null) { + if (other.serialNumber != null) + return false; +@@ -223,6 +250,11 @@ public class TPSCertData { + return false; + } else if (!tokenID.equals(other.tokenID)) + return false; ++ if (type == null) { ++ if (other.type != null) ++ return false; ++ } else if (!type.equals(other.type)) ++ return false; + if (userID == null) { + if (other.userID != null) + return false; +diff --git a/base/java-tools/src/com/netscape/cmstools/tps/cert/TPSCertCLI.java b/base/java-tools/src/com/netscape/cmstools/tps/cert/TPSCertCLI.java +index 835a522e1..db6867b2d 100644 +--- a/base/java-tools/src/com/netscape/cmstools/tps/cert/TPSCertCLI.java ++++ b/base/java-tools/src/com/netscape/cmstools/tps/cert/TPSCertCLI.java +@@ -53,10 +53,12 @@ public class TPSCertCLI extends CLI { + System.out.println(" Cert ID: " + cert.getID()); + if (cert.getSerialNumber() != null) System.out.println(" Serial Number: " + cert.getSerialNumber()); + if (cert.getSubject() != null) System.out.println(" Subject: " + cert.getSubject()); ++ if (cert.getUserID() != null) System.out.println(" User ID: " + cert.getUserID()); + if (cert.getTokenID() != null) System.out.println(" Token ID: " + cert.getTokenID()); ++ if (cert.getOrigin() != null) System.out.println(" Origin: " + cert.getOrigin()); ++ if (cert.getType() != null) System.out.println(" Type: " + cert.getType()); + if (cert.getKeyType() != null) System.out.println(" Key Type: " + cert.getKeyType()); + if (cert.getStatus() != null) System.out.println(" Status: " + cert.getStatus()); +- if (cert.getUserID() != null) System.out.println(" User ID: " + cert.getUserID()); + if (cert.getCreateTime() != null) System.out.println(" Create 
Time: " + cert.getCreateTime()); + if (cert.getModifyTime() != null) System.out.println(" Modify Time: " + cert.getModifyTime()); + +-- +2.13.5 + diff --git a/SOURCES/pki-core-Fix-3DES-archival.patch b/SOURCES/pki-core-Fix-3DES-archival.patch new file mode 100644 index 0000000..a0099e8 --- /dev/null +++ b/SOURCES/pki-core-Fix-3DES-archival.patch 
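Review bot: The new TPSCertData fields are named `origin` and `type` (XML elements `Origin` and `Type`), while the subject and description describe them as the token's tokenOrigin and tokenType, so a reader of the data class alone cannot tell whether these describe the token or the certificate. A one-line Javadoc on each new getter would settle it, e.g. `/** Origin of the token this certificate belongs to (tokenOrigin in the TPS record); presumably set by TPSCertService, confirm there. */` and the matching one for `getType()`. The relocation of the `userID` accessor pair and of the CLI's `User ID` println is pure reordering that adds nothing to the functional change and makes the equals/hashCode additions harder to spot in review.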
@@ -0,0 +1,72 @@
+From 1d7117081ad3b623af3938595436a35873b0bac6 Mon Sep 17 00:00:00 2001
+From: Ade Lee
+Date: Fri, 16 Jun 2017 14:48:27 -0400
+Subject: [PATCH 4/4] Fix 3DES archival
+
+A previous commit mistakenly conflated the wrapping parameters for
+DES and DES3 cases, resulting in incorrect data being stored if the
+storage was successful at all. This broke ipa vault and probably
+also token key archival and recovery.
+
+This patch sets the right parameters for the 3DES case again.
+Part of BZ# 1458043
+
+Change-Id: Iae884715a0f510a4d492d64fac3d82cb8100deb4
+(cherry picked from commit 89f14cc5b7858e60107dc0776a59394bdfb8edaf)
+---
+ .../src/netscape/security/util/WrappingParams.java | 23 ++++++++++++++--------
+ 1 file changed, 15 insertions(+), 8 deletions(-)
+
+diff --git a/base/util/src/netscape/security/util/WrappingParams.java b/base/util/src/netscape/security/util/WrappingParams.java
+index cda8870..ded572f 100644
+--- a/base/util/src/netscape/security/util/WrappingParams.java
++++ b/base/util/src/netscape/security/util/WrappingParams.java
+@@ -67,6 +67,10 @@ public class WrappingParams {
+ // New clients set this correctly.
+ // We'll assume the old DES3 wrapping here.
+ encrypt = EncryptionAlgorithm.DES_CBC_PAD;
++ } else if (encryptOID.equals(CryptoUtil.KW_DES_CBC_PAD.toString())) {
++ encrypt = EncryptionAlgorithm.DES3_CBC_PAD;
++ } else if (encryptOID.equals(CryptoUtil.KW_AES_CBC_PAD.toString())) {
++ encrypt = EncryptionAlgorithm.AES_128_CBC_PAD;
+ } else {
+ encrypt = EncryptionAlgorithm.fromOID(new OBJECT_IDENTIFIER(encryptOID));
+ }
+@@ -135,23 +139,26 @@ public class WrappingParams {
+ payloadWrapAlgorithm = KeyWrapAlgorithm.AES_KEY_WRAP_PAD;
+ payloadEncryptionAlgorithm = EncryptionAlgorithm.AES_128_CBC_PAD;
+ skLength = 128;
+- }
+-
+- if (kwAlg == KeyWrapAlgorithm.AES_CBC_PAD) {
++ } else if (kwAlg == KeyWrapAlgorithm.AES_CBC_PAD) {
+ skType = SymmetricKey.AES;
+ skKeyGenAlgorithm = KeyGenAlgorithm.AES;
+ payloadWrapAlgorithm = KeyWrapAlgorithm.AES_CBC_PAD;
+ payloadEncryptionAlgorithm = EncryptionAlgorithm.AES_128_CBC_PAD;
+ skLength = 128;
+- }
+-
+- if (kwAlg == KeyWrapAlgorithm.DES3_CBC_PAD || kwAlg == KeyWrapAlgorithm.DES_CBC_PAD) {
++ } else if (kwAlg == KeyWrapAlgorithm.DES3_CBC_PAD) {
++ skType = SymmetricKey.DES3;
++ skKeyGenAlgorithm = KeyGenAlgorithm.DES3;
++ skWrapAlgorithm = KeyWrapAlgorithm.DES3_CBC_PAD;
++ payloadWrapAlgorithm = KeyWrapAlgorithm.DES3_CBC_PAD;
++ payloadEncryptionAlgorithm = EncryptionAlgorithm.DES3_CBC_PAD;
++ skLength = payloadEncryptionAlgorithm.getKeyStrength();
++ } else if (kwAlg == KeyWrapAlgorithm.DES_CBC_PAD) {
+ skType = SymmetricKey.DES;
+ skKeyGenAlgorithm = KeyGenAlgorithm.DES;
+ skWrapAlgorithm = KeyWrapAlgorithm.DES3_CBC_PAD;
+ payloadWrapAlgorithm = KeyWrapAlgorithm.DES3_CBC_PAD;
+- payloadEncryptionAlgorithm = EncryptionAlgorithm.DES3_CBC_PAD;
+- skLength = 0;
++ payloadEncryptionAlgorithm = EncryptionAlgorithm.DES_CBC_PAD;
++ skLength = payloadEncryptionAlgorithm.getKeyStrength();
+ }
+
+ if (priKeyAlgo.equals("EC")) {
+-- 
+1.8.3.1
+
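Review bot: In the constructor hunk the new branch `else if (encryptOID.equals(CryptoUtil.KW_DES_CBC_PAD.toString()))` maps a DES-named OID to `EncryptionAlgorithm.DES3_CBC_PAD`, and the `KW_AES_CBC_PAD` branch pins `AES_128_CBC_PAD` regardless of the key size the client actually used; both read as deliberate compatibility choices given the description, but nothing in the code says so and the next maintainer is likely to "correct" them. A comment on each would prevent that, e.g. `// KW_DES_CBC_PAD is the OID older clients send for what is really DES3 wrapping; keep the historic mapping` and `// client key size is not carried in the OID; 128-bit AES is assumed`. In the second hunk the separate `KeyWrapAlgorithm.DES_CBC_PAD` branch now keeps single-DES payload encryption (`payloadEncryptionAlgorithm = EncryptionAlgorithm.DES_CBC_PAD`) as a live archival path; if that exists only for legacy clients, marking it `// legacy single-DES clients only; not for new deployments` makes the weak-algorithm exposure explicit for anyone auditing the KRA. Both hunks also change `skLength` from `0` to `payloadEncryptionAlgorithm.getKeyStrength()` for the DES case, which alters the generated key size and deserves a sentence in the description.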
diff --git a/SOURCES/pki-core-Fix-JSON-encoding-in-Python-3.patch b/SOURCES/pki-core-Fix-JSON-encoding-in-Python-3.patch
new file mode 100644
index 0000000..8ae52e9
--- /dev/null
+++ b/SOURCES/pki-core-Fix-JSON-encoding-in-Python-3.patch
@@ -0,0 +1,59 @@
+From 4e76af1fe276a3b9b1392c97ef427a1ecfa42759 Mon Sep 17 00:00:00 2001
+From: Fraser Tweedale
+Date: Mon, 28 Aug 2017 14:43:55 +1000
+Subject: [PATCH] KeyClient: fix json encoding in Python 3
+
+Fixes: https://pagure.io/dogtagpki/issue/2746
+Change-Id: Iec2912bb90192fec403ac94006ff5927d3526533
+(cherry picked from commit b654e60f20b9e83833313ab89006db8f063bff1f)
+---
+ base/common/python/pki/key.py | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/base/common/python/pki/key.py b/base/common/python/pki/key.py
+index d2b82970e..a5fc7928c 100644
+--- a/base/common/python/pki/key.py
++++ b/base/common/python/pki/key.py
+@@ -668,7 +668,7 @@ class KeyClient(object):
+ raise TypeError("Must specify Client Key ID")
+ 
+ if trans_wrapped_session_key is not None:
+- twsk = base64.b64encode(trans_wrapped_session_key)
++ twsk = base64.b64encode(trans_wrapped_session_key).decode('ascii')
+ # noinspection PyUnusedLocal
+ request = SymKeyGenerationRequest(
+ client_key_id=client_key_id,
+@@ -861,9 +861,9 @@ class KeyClient(object):
+ if not nonce_iv:
+ raise TypeError('Missing nonce IV')
+ 
+- data = base64.b64encode(encrypted_data)
+- twsk = base64.b64encode(wrapped_session_key)
+- symkey_params = base64.b64encode(nonce_iv)
++ data = base64.b64encode(encrypted_data).decode('ascii')
++ twsk = base64.b64encode(wrapped_session_key).decode('ascii')
++ symkey_params = base64.b64encode(nonce_iv).decode('ascii')
+ 
+ request = KeyArchivalRequest(client_key_id=client_key_id,
+ data_type=data_type,
+@@ -904,7 +904,7 @@ class KeyClient(object):
+ if pki_archive_options is None:
+ raise TypeError("No data provided to be archived")
+ 
+- data = base64.b64encode(pki_archive_options)
++ data = base64.b64encode(pki_archive_options).decode('ascii')
+ request = KeyArchivalRequest(client_key_id=client_key_id,
+ data_type=data_type,
+ pki_archive_options=data,
+@@ -1022,7 +1022,7 @@ class KeyClient(object):
+ key_id=key_id,
+ request_id=request_id,
+ trans_wrapped_session_key=base64.b64encode(
+- trans_wrapped_session_key),
++ trans_wrapped_session_key).decode('ascii'),
+ payload_encryption_oid=self.encrypt_alg_oid,
+ payload_wrapping_name=self.wrap_name
+ )
+-- 
+2.13.5
+
diff --git a/SOURCES/pki-core-Fix-lightweight-CA-replication-NPE-failure.patch b/SOURCES/pki-core-Fix-lightweight-CA-replication-NPE-failure.patch
new file mode 100644
index 0000000..374da35
--- /dev/null
+++ b/SOURCES/pki-core-Fix-lightweight-CA-replication-NPE-failure.patch
@@ -0,0 +1,30 @@
+From 606027b188fee6d20c17323d7c464d6630024a20 Mon Sep 17 00:00:00 2001
+From: Fraser Tweedale
+Date: Wed, 23 Aug 2017 20:53:25 +1000
+Subject: [PATCH] Fix regression in lightweight CA replication
+
+Fixes: https://pagure.io/dogtagpki/issue/2796
+Change-Id: Ic5e42b80156f777299f4e487932305160c2d48f6
+---
+ base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
+index eca8dddb6..2daf0d797 100644
+--- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
++++ b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
+@@ -2307,8 +2307,9 @@ public class CryptoUtil {
+ BIT_STRING encSymKey = encVal.getEncSymmKey();
+ BIT_STRING encPrivKey = encVal.getEncValue();
+ 
+- SymmetricKey sk = unwrap(token, SymmetricKey.Type.DES3, 0, null, unwrappingKey, encSymKey.getBits(),
+- KeyWrapAlgorithm.RSA);
++ SymmetricKey sk = unwrap(
++ token, SymmetricKey.Type.DES3, 0, SymmetricKey.Usage.UNWRAP,
++ unwrappingKey, encSymKey.getBits(), KeyWrapAlgorithm.RSA);
+ 
+ ASN1Value v = algId.getParameters();
+ v = ((ANY) v).decodeWith(new OCTET_STRING.Template());
+-- 
+2.13.5
+
diff --git a/SOURCES/pki-core-Fix-missing-CN-error-in-CMC-user-signed.patch b/SOURCES/pki-core-Fix-missing-CN-error-in-CMC-user-signed.patch
new file mode 100644
index 0000000..9d0628e
--- /dev/null
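Review bot: The `base64.b64encode(...).decode('ascii')` expression is now repeated at six call sites across the four KeyClient hunks, and every one of them still relies on the caller passing `bytes` (under Python 3 `b64encode` raises `TypeError` for `str`), a contract none of the hunks documents. A single module-level helper would keep the encoding and that contract in one place, e.g. `def _b64_str(data): return base64.b64encode(data).decode('ascii')` with a docstring stating that `data` must be bytes, and each hunk would then read `twsk = _b64_str(trans_wrapped_session_key)`. Each of these hunks is cut from the middle of its method, so the surrounding parameter validation is not visible here.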
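Review bot: The rewritten `unwrap(...)` call in CryptoUtil still hard-codes `SymmetricKey.Type.DES3` with length `0` for the key that protects the transported lightweight-CA private key, and the only functional change is `null` becoming `SymmetricKey.Usage.UNWRAP`; neither the old nor the new code says why the algorithm is fixed or why the usage flag is required. A comment on the call such as `// transported symmetric key is DES3 by the replication format; Usage.UNWRAP is needed because sk is used next to unwrap encPrivKey` would record both (the second half is inferred from the subject and the file name, so confirm it against the issue before committing the wording). The enclosing method starts and ends outside the hunk, so the later use of `sk` and `encPrivKey` is not visible here.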
+++ b/SOURCES/pki-core-Fix-missing-CN-error-in-CMC-user-signed.patch 
@@ -0,0 +1,71 @@ +From ab0cb37875648abfc07e7d781fa91c368f67d313 Mon Sep 17 00:00:00 2001 +From: Christina Fu +Date: Tue, 25 Jul 2017 18:02:02 -0700 +Subject: [PATCH] Ticket #2788 Missing CN in user signing cert would cause + error in cmc user-signed This patch takes care of the issue that + CMCUserSignedAuth cannot handle cases when CN is not in the subjectDN + +Change-Id: Ieac0712d051dcb993498d9680f005c04158b5549 +(cherry picked from commit 507a8888b6eccfe716ca7bc4647f71cee973afcf) +--- + .../netscape/cms/authentication/CMCUserSignedAuth.java | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +diff --git a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java +index e11a34427..7f872c83d 100644 +--- a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java ++++ b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java +@@ -371,9 +371,9 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, + } else { + CMS.debug(method + "signed with user cert"); + userid = userToken.getInString("userid"); +- uid = userToken.getInString("cn"); ++ uid = userToken.getInString("id"); + if (userid == null && uid == null) { +- msg = " verifySignerInfo failure... missing userid and cn"; ++ msg = " verifySignerInfo failure... 
missing id"; + CMS.debug(method + msg); + throw new EBaseException(msg); + } +@@ -1069,7 +1069,8 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, + // cert subject principal later in CMCOutputTemplate + // in case of user signed revocation + auditContext.put(SessionContext.CMC_SIGNER_PRINCIPAL, cmcPrincipal); +- auditContext.put(SessionContext.CMC_SIGNER_INFO, cmcPrincipal.getCommonName()); ++ auditContext.put(SessionContext.CMC_SIGNER_INFO, ++ cmcPrincipal.toString()); + + // check ssl client cert against cmc signer + if (!clientPrincipal.equals(cmcPrincipal)) { +@@ -1160,13 +1161,13 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, + + IAuthToken tempToken = new AuthToken(null); + netscape.security.x509.X500Name tempPrincipal = (X500Name) x509Certs[0].getSubjectDN(); +- String CN = tempPrincipal.getCommonName(); //tempToken.get("userid"); +- CMS.debug(method + " Principal name = " + CN); ++ String ID = tempPrincipal.toString(); //tempToken.get("userid"); ++ CMS.debug(method + " Principal name = " + ID); + + BigInteger certSerial = x509Certs[0].getSerialNumber(); + CMS.debug(method + " verified cert serial=" + certSerial.toString()); + authToken.set(IAuthManager.CRED_CMC_SIGNING_CERT, certSerial.toString()); +- tempToken.set("cn", CN); ++ tempToken.set("id", ID); + + s.close(); + return tempToken; +@@ -1221,9 +1222,8 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, + netscape.security.x509.X500Name principal = + (X500Name) cert.getSubjectDN(); + +- String CN = principal.getCommonName(); +- CMS.debug(method + " Principal name = " + CN); +- auditContext.put(SessionContext.USER_ID, CN); ++ CMS.debug(method + " Principal name = " + principal.toString()); ++ auditContext.put(SessionContext.USER_ID, principal.toString()); + } + + public String[] getExtendedPluginInfo(Locale locale) { +-- +2.13.5 + 
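Review bot: The diagnostic in the first hunk was narrowed to `msg = " verifySignerInfo failure... missing id";` while the condition on the preceding context line still tests `userid == null && uid == null`, so the message no longer describes the check; `msg = " verifySignerInfo failure... missing userid and id";` keeps the two aligned. The remaining hunks replace `getCommonName()` with `X500Name.toString()` for the `id` token value, `CMC_SIGNER_INFO` and `USER_ID`, which makes a formatted DN string the identity; if anything downstream compares that string rather than the principal, the exact `toString()` formatting becomes part of the authentication contract, so a comment on `tempToken.set("id", ID);` such as `// full subject DN string is the id because CN may be absent; compare principals, not this string, where a decision depends on it` is worth adding. The `clientPrincipal.equals(cmcPrincipal)` check in the second hunk already compares principals, which is the model the rest of the file should follow. All four hunks are cut from the middle of their enclosing methods.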
diff --git a/SOURCES/pki-core-Fix-regression-in-pkcs12-key-bag-creation.patch b/SOURCES/pki-core-Fix-regression-in-pkcs12-key-bag-creation.patch new file mode 100644 index 0000000..d2b1f67 --- /dev/null +++ b/SOURCES/pki-core-Fix-regression-in-pkcs12-key-bag-creation.patch 
@@ -0,0 +1,102 @@ +From 887d70ce1b8c4a00f62c2b4eec24326e487da5bd Mon Sep 17 00:00:00 2001 +From: Fraser Tweedale +Date: Thu, 15 Jun 2017 12:38:26 +1000 +Subject: [PATCH 3/4] Fix regression in pkcs12 key bag creation + +Commit 633c7c6519c925af7e3700adff29961d72435c7f changed the PKCS #12 +file handing to never deal with raw private key material. +PKCS12Util.addKeyBag() was changed to export the PrivateKey handle, +or fail. This change missed this case where a PKCS #12 file is +loaded from file, possibly modified, then written back to a file, +without involving an NSSDB. One example is pkcs12-cert-del which +deletes a certificate and associated key from a PKCS #12 file. + +Fix the PKCS12Util.addKeyBag() method to use the stored +EncryptedPricateKeyInfo if available, otherwise export the +PrivateKey handle. + +Fixes: https://pagure.io/dogtagpki/issue/2741 +Change-Id: Ib8098126bc5a79b5dae19103e25b270e2f10ab5a +(cherry picked from commit a411492fe5ad2030bb9f18db9a8ed8d1c45ee7de) +--- + .../src/netscape/security/pkcs/PKCS12Util.java | 58 ++++++++++++++-------- + 1 file changed, 37 insertions(+), 21 deletions(-) + +diff --git a/base/util/src/netscape/security/pkcs/PKCS12Util.java b/base/util/src/netscape/security/pkcs/PKCS12Util.java +index 31c7126..1bc1bae 100644 +--- a/base/util/src/netscape/security/pkcs/PKCS12Util.java ++++ b/base/util/src/netscape/security/pkcs/PKCS12Util.java +@@ -102,33 +102,49 @@ public class PKCS12Util { + icert.setObjectSigningTrust(PKCS12.decodeFlags(flags[2])); + } + +- /** +- * Used during EXPORT to add a private key to the PKCS12. ++ /** Add a private key to the PKCS #12 object. ++ * ++ * The PKCS12KeyInfo object received comes about in two ++ * different scenarios: ++ * ++ * - The private key could be in encrypted byte[] form (e.g. ++ * when we have merely loaded a PKCS #12 file for inspection ++ * or e.g. to delete a certificate and its associated key). ++ * In this case we simply re-use this encrypted private key ++ * info byte[]. 
+ * +- * The private key is exported directly from the token, into +- * an EncryptedPrivateKeyInfo value, then added as a +- * "Shrouded Key Bag" to the PKCS #12 object. Unencrypted +- * key material is never seen. ++ * - The private key could be a be an NSS PrivateKey handle. In ++ * this case we must export the PrivateKey from the token to ++ * obtain the EncryptedPrivateKeyInfo. ++ * ++ * The common final step is to add the encrypted private key ++ * data to a "Shrouded Key Bag" to the PKCS #12 object. ++ * Unencrypted key material is never seen. + */ + public void addKeyBag(PKCS12KeyInfo keyInfo, Password password, + SEQUENCE encSafeContents) throws Exception { +- PrivateKey k = keyInfo.getPrivateKey(); +- if (k == null) { +- logger.debug("NO PRIVATE KEY for " + keyInfo.subjectDN); +- return; +- } +- + logger.debug("Creating key bag for " + keyInfo.subjectDN); + +- PasswordConverter passConverter = new PasswordConverter(); +- byte[] epkiBytes = CryptoManager.getInstance() +- .getInternalKeyStorageToken() +- .getCryptoStore() +- .getEncryptedPrivateKeyInfo( +- /* NSS has a bug that causes any AES CBC encryption +- * to use AES-256, but AlgorithmID contains chosen +- * alg. To avoid mismatch, use AES_256_CBC. */ +- passConverter, password, EncryptionAlgorithm.AES_256_CBC, 0, k); ++ byte[] epkiBytes = keyInfo.getEncryptedPrivateKeyInfoBytes(); ++ if (epkiBytes == null) { ++ PrivateKey k = keyInfo.getPrivateKey(); ++ if (k == null) { ++ logger.debug("NO PRIVATE KEY for " + keyInfo.subjectDN); ++ return; ++ } ++ logger.debug("Encrypting private key for " + keyInfo.subjectDN); ++ ++ PasswordConverter passConverter = new PasswordConverter(); ++ epkiBytes = CryptoManager.getInstance() ++ .getInternalKeyStorageToken() ++ .getCryptoStore() ++ .getEncryptedPrivateKeyInfo( ++ /* NSS has a bug that causes any AES CBC encryption ++ * to use AES-256, but AlgorithmID contains chosen ++ * alg. To avoid mismatch, use AES_256_CBC. 
*/ ++ passConverter, password, ++ EncryptionAlgorithm.AES_256_CBC, 0, k); ++ } + + SET keyAttrs = createKeyBagAttrs(keyInfo); + +-- +1.8.3.1 + diff --git a/SOURCES/pki-core-Fix-token-enrollment-and-recovery-ivs.patch b/SOURCES/pki-core-Fix-token-enrollment-and-recovery-ivs.patch new file mode 100644 index 0000000..f6f74f2 --- /dev/null +++ b/SOURCES/pki-core-Fix-token-enrollment-and-recovery-ivs.patch @@ -0,0 +1,37 @@ +From e5bd4436541b726f128afd18b113ff80ce18a6b5 Mon Sep 17 00:00:00 2001 +From: Ade Lee +Date: Fri, 16 Jun 2017 19:25:05 -0400 +Subject: [PATCH 1/4] Fix token enrollment and recovery ivs + +In encryption mode, the archival of the geenrated key uses the +wrapIV, while the recovery uses the encryptIV. To make sure +these are consistent, they need to be set to be the same. + +Bugzilla BZ #1458043 + +Change-Id: I1ecece74bd6e486c0f37b5e1df4929744fac262b +(cherry picked from commit a91b457abfd61c39e1e4318c2443e38b2dd93c5c) +--- + base/kra/src/com/netscape/kra/NetkeyKeygenService.java | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java +index 96d7aae..07333b7 100644 +--- a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java ++++ b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java +@@ -406,6 +406,12 @@ public class NetkeyKeygenService implements IService { + + try { + params = mStorageUnit.getWrappingParams(allowEncDecrypt_archival); ++ ++ // In encrypt mode, the recovery side is doing a decrypt() using the ++ // encryption IV. To be sure this is successful, we will make sure' ++ // the IVs are the same. ++ params.setPayloadEncryptionIV(params.getPayloadWrappingIV()); ++ + privateKeyData = mStorageUnit.wrap((org.mozilla.jss.crypto.PrivateKey) privKey, params); + } catch (Exception e) { + request.setExtData(IRequest.RESULT, Integer.valueOf(4)); +-- +1.8.3.1 + 
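Review bot: Within the new `addKeyBag` body, when `keyInfo.getEncryptedPrivateKeyInfoBytes()` is non-null the stored bytes are emitted as-is and the `password` parameter is only consulted in the `epkiBytes == null` branch, so a key loaded from one PKCS #12 file is re-written under whatever password and algorithm that file used rather than the password the caller passed for this export; if the utility ever offers re-keying a file to a new password, this path silently defeats it. The rewritten Javadoc describes the two scenarios but not this consequence, so add to it `* Note: when stored EncryptedPrivateKeyInfo bytes are re-used the supplied password is not applied; the bag keeps the encryption of the source file.` so callers know the guarantee. The method continues past the hunk (`createKeyBagAttrs` and the bag construction are outside it), so whether a later step re-encrypts cannot be confirmed from here.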
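Review bot: `params.setPayloadEncryptionIV(params.getPayloadWrappingIV());` runs unconditionally right after `getWrappingParams(allowEncDecrypt_archival)`, although the new comment and the description justify it only for encrypt mode; in wrapping mode the two IVs are still forced equal. Either guard the assignment on `allowEncDecrypt_archival` or extend the comment to say why it is harmless in wrap mode, e.g. `// in wrap mode the payload encryption IV is unused, so equalising it is a no-op` (that claim is inferred; confirm against mStorageUnit.wrap before writing it). The added comment also carries a stray apostrophe at the end of `// encryption IV. To be sure this is successful, we will make sure'`. The enclosing try block starts and ends outside the hunk.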
diff --git a/SOURCES/pki-core-FixDeploymentDescriptor-upgrade-scriptlet.patch b/SOURCES/pki-core-FixDeploymentDescriptor-upgrade-scriptlet.patch
new file mode 100644
index 0000000..38d1c4e
--- /dev/null
+++ b/SOURCES/pki-core-FixDeploymentDescriptor-upgrade-scriptlet.patch
@@ -0,0 +1,34 @@
+From 09b673f3f4bbc5e9b70722bbe240e0347e3dd3fc Mon Sep 17 00:00:00 2001
+From: Fraser Tweedale
+Date: Fri, 11 Aug 2017 15:17:09 +1000
+Subject: [PATCH] Fix FixDeploymentDescriptor upgrade script if source file is
+ missing
+
+On RHEL, the pki#admin.xml file may be absent, causing the
+FixDeploymentDescriptor to break (and subsequent upgrade scriptlets
+to not be executed). Add a check that the source file exists.
+
+Fixes: https://pagure.io/dogtagpki/issue/2789
+Change-Id: I686e8fae534f8044cb1ce40b31e2462c4f0ac988
+(cherry picked from commit d0a861923a27672d8633c87e21fb8596080e84af)
+---
+ base/server/upgrade/10.3.5/02-FixDeploymentDescriptor | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/base/server/upgrade/10.3.5/02-FixDeploymentDescriptor b/base/server/upgrade/10.3.5/02-FixDeploymentDescriptor
+index 27c895980..858dbed43 100644
+--- a/base/server/upgrade/10.3.5/02-FixDeploymentDescriptor
++++ b/base/server/upgrade/10.3.5/02-FixDeploymentDescriptor
+@@ -46,6 +46,9 @@ class FixDeploymentDescriptor(pki.server.upgrade.PKIServerUpgradeScriptlet):
+ source_xml = pki.SHARE_DIR + '/server/conf/Catalina/localhost/' + context_xml
+ target_xml = instance.conf_dir + '/Catalina/localhost/' + context_xml
+ 
++ if not os.path.exists(source_xml):
++ return
++
+ # if deployment descriptor doesn't exist, install the default
+ if not os.path.exists(target_xml):
+ self.copy_file(instance, source_xml, target_xml)
+-- 
+2.13.5
+
diff --git a/SOURCES/pki-core-HSM-key-changeover-SCP03-support.patch b/SOURCES/pki-core-HSM-key-changeover-SCP03-support.patch
new file mode 100644
index 0000000..5d839da
--- /dev/null
+++ b/SOURCES/pki-core-HSM-key-changeover-SCP03-support.patch
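Review bot: The added `if not os.path.exists(source_xml): return` leaves the scriptlet silently, so on a host where the target descriptor also needed fixing nobody learns during the upgrade that the fix was skipped. A comment carrying the reason from the description, `# the packaged descriptor may be absent on some platforms (issue 2789); nothing to install or fix`, plus a log line if the scriptlet base class provides one, would make the early exit visible in upgrade output. The enclosing method starts and ends outside the hunk.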
@@ -0,0 +1,97 @@ +From af96c3fc7cb41cbe6c14722418e132f5eadd93e1 Mon Sep 17 00:00:00 2001 +From: Jack Magne +Date: Thu, 29 Jun 2017 14:23:47 -0700 +Subject: [PATCH] SCP03 support: fix Key Changeover with HSM (RHCS) + +Ticket #2764. + +This relatively simple fix involves making sure the correct crypto token is being used to search for the master key int the case of symmetric key changover where the master key resides on an HSM. + +(cherry picked from commit 7eb8ac9abb06d5a21c9d81d3f7fd08391a2a745e) +--- + .../cms/servlet/tks/SecureChannelProtocol.java | 29 ++++++++++++++-------- + 1 file changed, 18 insertions(+), 11 deletions(-) + +diff --git a/base/server/cms/src/com/netscape/cms/servlet/tks/SecureChannelProtocol.java b/base/server/cms/src/com/netscape/cms/servlet/tks/SecureChannelProtocol.java +index 0542470..c3b3952 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/tks/SecureChannelProtocol.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/tks/SecureChannelProtocol.java +@@ -25,12 +25,12 @@ import org.mozilla.jss.crypto.SymmetricKey.NotExtractableException; + import org.mozilla.jss.crypto.SymmetricKeyDeriver; + import org.mozilla.jss.crypto.TokenException; + ++import sun.security.pkcs11.wrapper.PKCS11Constants; ++ + import com.netscape.certsrv.apps.CMS; + import com.netscape.certsrv.base.EBaseException; + import com.netscape.cmsutil.crypto.CryptoUtil; + +-import sun.security.pkcs11.wrapper.PKCS11Constants; +- + public class SecureChannelProtocol { + + static String sharedSecretKeyName = null; +@@ -1874,13 +1874,13 @@ public class SecureChannelProtocol { + kekKey = returnDeveloperSymKey(newToken, SecureChannelProtocol.kekType, keySet, null,"DES3"); + } else if (protocol == PROTOCOL_THREE) { + CMS.debug(method + " Special case or returning to the dev key set (or ver 1) for DiversifyKey, protocol 3!"); +- encKey = this.computeSessionKey_SCP03(tokenName, newMasterKeyName, newKeyInfo, ++ encKey = this.computeSessionKey_SCP03(newTokenName, 
newMasterKeyName, newKeyInfo, + SecureChannelProtocol.encType, kekKeyArray, + keySet, CUIDValue, KDD, null, null, transportKeyName, params); +- macKey = this.computeSessionKey_SCP03(tokenName, newMasterKeyName, newKeyInfo, ++ macKey = this.computeSessionKey_SCP03(newTokenName, newMasterKeyName, newKeyInfo, + SecureChannelProtocol.macType, kekKeyArray, + keySet, CUIDValue, KDD, null, null, transportKeyName, params); +- kekKey = this.computeSessionKey_SCP03(tokenName, newMasterKeyName, newKeyInfo, ++ kekKey = this.computeSessionKey_SCP03(newTokenName, newMasterKeyName, newKeyInfo, + SecureChannelProtocol.kekType, kekKeyArray, + keySet, CUIDValue, KDD, null, null, transportKeyName, params); + } +@@ -1916,13 +1916,14 @@ public class SecureChannelProtocol { + } else { // protocol 3 + + CMS.debug(method + " Generating new card keys to upgrade to, protocol 3."); +- encKey = this.computeSessionKey_SCP03(tokenName, newMasterKeyName, oldKeyInfo, ++ CMS.debug("tokenName: " + tokenName + " newTokenName: " + newTokenName); ++ encKey = this.computeSessionKey_SCP03(newTokenName, newMasterKeyName, oldKeyInfo, + SecureChannelProtocol.encType, kekKeyArray, + keySet, CUIDValue, KDD, null, null, transportKeyName, params); +- macKey = this.computeSessionKey_SCP03(tokenName, newMasterKeyName, oldKeyInfo, ++ macKey = this.computeSessionKey_SCP03(newTokenName, newMasterKeyName, oldKeyInfo, + SecureChannelProtocol.macType, kekKeyArray, + keySet, CUIDValue, KDD, null, null, transportKeyName, params); +- kekKey = this.computeSessionKey_SCP03(tokenName, newMasterKeyName, oldKeyInfo, ++ kekKey = this.computeSessionKey_SCP03(newTokenName, newMasterKeyName, oldKeyInfo, + SecureChannelProtocol.kekType, kekKeyArray, + keySet, CUIDValue, KDD, null, null, transportKeyName, params); + +@@ -1931,6 +1932,7 @@ public class SecureChannelProtocol { + old_kek_sym_key = this.computeSessionKey_SCP03(tokenName, oldMasterKeyName, oldKeyInfo, + SecureChannelProtocol.kekType, kekKeyArray, + keySet, CUIDValue, 
KDD, null, null, transportKeyName, params); ++ + } + + if (encKey == null || macKey == null || kekKey == null) { +@@ -2076,9 +2078,14 @@ public class SecureChannelProtocol { + encrypted_mac_key = this.wrapSessionKey(tokenName, macKey, wrappingKey); + encrypted_kek_key = this.wrapSessionKey(tokenName, kekKey, wrappingKey); + +- keycheck_enc_key = this.computeKeyCheck_SCP03(encKey, tokenName); +- keycheck_mac_key = this.computeKeyCheck_SCP03(macKey, tokenName); +- keycheck_kek_key = this.computeKeyCheck_SCP03(kekKey, tokenName); ++ try { ++ keycheck_enc_key = this.computeKeyCheck_SCP03(encKey, encKey.getOwningToken().getName()); ++ keycheck_mac_key = this.computeKeyCheck_SCP03(macKey, macKey.getOwningToken().getName()); ++ keycheck_kek_key = this.computeKeyCheck_SCP03(kekKey, kekKey.getOwningToken().getName()); ++ } catch (TokenException e) { ++ throw new EBaseException(method + e); ++ } ++ + + } else { + throw new EBaseException(method + " Invalid SCP version requested!"); +-- +1.8.3.1 + diff --git a/SOURCES/pki-core-KRA-use-AES-in-PKCS12-encrypted-key-recovery.patch b/SOURCES/pki-core-KRA-use-AES-in-PKCS12-encrypted-key-recovery.patch new file mode 100644 index 0000000..6a28873 --- /dev/null +++ b/SOURCES/pki-core-KRA-use-AES-in-PKCS12-encrypted-key-recovery.patch 
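Review bot: The new catch in SecureChannelProtocol rethrows as `throw new EBaseException(method + e);`, which concatenates the method name and the exception with no separator and drops the TokenException as the cause, so the stack trace from the token lookup is lost precisely where HSM key changeover is hardest to debug; prefer `throw new EBaseException(method + ": " + e.getMessage(), e);` if EBaseException has a cause-taking constructor, otherwise at least `CMS.debug(method + " " + e);` before throwing. Note also that `encKey`, `macKey` and `kekKey` are now derived on `newTokenName` while the `wrapSessionKey(tokenName, ...)` calls a few lines above still pass `tokenName`; since the key-check computation was switched to each key's owning token for this very reason, it is worth confirming that wrapping keys living on a different token from the session keys is supported when the two names differ. The enclosing method begins and ends outside the hunk.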
@@ -0,0 +1,77 @@ +From b16956b856e9bb8ffa8d2cd356f4120b36ebe6e9 Mon Sep 17 00:00:00 2001 +From: Fraser Tweedale +Date: Thu, 6 Apr 2017 13:27:56 +1000 +Subject: [PATCH] KRA: use AES in PKCS #12 recovery for encrypted keys + +The KRA has two private key recovery code paths: one dealing with +keys wrapped to the storage key, and one dealing with symmetrically +encrypted keys. Each has a separate function for constructing a +PKCS #12 file for the recovered key. + +This commit updates the PKCS #12 generation for encrypted keys to +use AES encryption. From the KRA recovery process we start with a +byte[] of PrivateKeyInfo. The previous procedure used +EncryptedPrivateKeyInfo.createPBE(), the encryption algorithm being +PBEAlgorithm.PBE_SHA1_DES3_CBC. This commit changes the procedure +to use AES, using the new EncryptedPrivateKeyInfo.createPBES2() JSS +method and AES_128_CBC_PAD. + +The old codepath is retained and selected by the kra.legacyPKCS12 +CMS config. It is needed if the token/HSM does not support the +CKM_PKCS5_PBKD2 PKCS #11 mechanism. 
+ +Fixes: https://pagure.io/dogtagpki/issue/2664 + +Change-Id: Ie292147caab357679b2be5cf3b6cd739e5bed8e0 +(cherry picked from commit ae97f21bf8d2ec83a410127872dd196a46f9dbbd) +--- + base/kra/src/com/netscape/kra/RecoveryService.java | 24 +++++++++++++++++++--- + 1 file changed, 21 insertions(+), 3 deletions(-) + +diff --git a/base/kra/src/com/netscape/kra/RecoveryService.java b/base/kra/src/com/netscape/kra/RecoveryService.java +index 023eb8093..a7d639208 100644 +--- a/base/kra/src/com/netscape/kra/RecoveryService.java ++++ b/base/kra/src/com/netscape/kra/RecoveryService.java +@@ -648,18 +648,36 @@ public class RecoveryService implements IService { + SEQUENCE safeContents = new SEQUENCE(); + PasswordConverter passConverter = new + PasswordConverter(); +- byte salt[] = { 0x01, 0x01, 0x01, 0x01 }; + PrivateKeyInfo pki = (PrivateKeyInfo) + ASN1Util.decode(PrivateKeyInfo.getTemplate(), + priData); +- ASN1Value key = EncryptedPrivateKeyInfo.createPBE( ++ EncryptedPrivateKeyInfo epki = null; ++ ++ boolean legacyP12 = ++ CMS.getConfigStore().getBoolean("kra.legacyPKCS12", true); ++ ++ if (legacyP12) { ++ /* legacy mode may be required e.g. when token/HSM ++ * does not support CKM_PKCS5_PBKD2 mechanism */ ++ byte salt[] = { 0x01, 0x01, 0x01, 0x01 }; ++ epki = EncryptedPrivateKeyInfo.createPBE( + PBEAlgorithm.PBE_SHA1_DES3_CBC, + pass, salt, 1, passConverter, pki); ++ } else { ++ epki = EncryptedPrivateKeyInfo.createPBES2( ++ 16, // saltLen ++ 2000, // kdfIterations ++ EncryptionAlgorithm.AES_128_CBC_PAD, ++ pass, ++ passConverter, ++ pki); ++ } ++ + SET keyAttrs = createBagAttrs( + x509cert.getSubjectDN().toString(), + localKeyId); + SafeBag keyBag = new SafeBag( +- SafeBag.PKCS8_SHROUDED_KEY_BAG, key, ++ SafeBag.PKCS8_SHROUDED_KEY_BAG, epki, + keyAttrs); // ?? + + safeContents.addElement(keyBag); +-- +2.13.5 + 
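Review bot: `kra.legacyPKCS12` defaults to `true` in RecoveryService, so every deployment that does not set it explicitly keeps producing PBE-SHA1-3DES files with the constant four-byte salt `{ 0x01, 0x01, 0x01, 0x01 }` and an iteration count of 1, and the AES path this commit adds is never used by default; if the default must stay for HSM compatibility, that trade-off deserves a comment at the config read and a `CMS.debug` line stating which mode was chosen. The legacy branch should also carry a warning so it is not copied elsewhere, e.g. `/* WARNING: fixed salt and a single KDF iteration give no brute-force resistance; kept only for tokens lacking CKM_PKCS5_PBKD2 */`. The pre-existing `// ??` on the SafeBag constructor now sits inside changed code and could be resolved or removed. The enclosing method starts and ends outside the hunk.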
diff --git a/SOURCES/pki-core-Make-PKCS12-files-compatible-with-PBES2.patch b/SOURCES/pki-core-Make-PKCS12-files-compatible-with-PBES2.patch new file mode 100644 index 0000000..e0b175d --- /dev/null +++ b/SOURCES/pki-core-Make-PKCS12-files-compatible-with-PBES2.patch 
@@ -0,0 +1,162 @@ +From 137832b2892dfc596ed067a86242d341f2c325e7 Mon Sep 17 00:00:00 2001 +From: Fraser Tweedale +Date: Thu, 14 Sep 2017 12:22:47 +1000 +Subject: [PATCH] Make PKCS #12 files compatible with OpenSSL, NSS >= 3.31 + +For compatibility with OpenSSL and NSS >= 3.31, the passphrase must +not be BMPString-encoded when non-PKCS #12 PBE schemes such as +PBES2. + +Fixes: https://pagure.io/dogtagpki/issue/2809 + +Change-Id: Ic78ad337ac0b9b2f5d2e75581cc0ee55e6d82782 +(cherry picked from commit ed5cccefebf98e588a5385191e43f727349b54a9) +--- + base/kra/src/com/netscape/kra/RecoveryService.java | 26 +++++++++++++++---- + .../cms/servlet/csadmin/ConfigurationUtils.java | 15 ++++++++--- + .../src/netscape/security/pkcs/PKCS12Util.java | 29 ++++++++++++++++++---- + 3 files changed, 57 insertions(+), 13 deletions(-) + +diff --git a/base/kra/src/com/netscape/kra/RecoveryService.java b/base/kra/src/com/netscape/kra/RecoveryService.java +index a7d639208..0d293e411 100644 +--- a/base/kra/src/com/netscape/kra/RecoveryService.java ++++ b/base/kra/src/com/netscape/kra/RecoveryService.java +@@ -508,10 +508,21 @@ public class RecoveryService implements IService { + } + } else { + byte[] epkiBytes = ct.getCryptoStore().getEncryptedPrivateKeyInfo( ++ /* For compatibility with OpenSSL and NSS >= 3.31, ++ * do not BMPString-encode the passphrase when using ++ * non-PKCS #12 PBE scheme such as PKCS #5 PBES2. ++ * ++ * The resulting PKCS #12 is not compatible with ++ * NSS < 3.31. ++ */ ++ null /* passConverter */, ++ pass, + /* NSS has a bug that causes any AES CBC encryption + * to use AES-256, but AlgorithmID contains chosen + * alg. To avoid mismatch, use AES_256_CBC. 
*/ +- passConverter, pass, EncryptionAlgorithm.AES_256_CBC, 0, priKey); ++ EncryptionAlgorithm.AES_256_CBC, ++ 0 /* iterations (use default) */, ++ priKey); + CMS.debug("RecoverService: createPFX() getEncryptedPrivateKeyInfo() returned"); + if (epkiBytes == null) { + CMS.debug("RecoverService: createPFX() epkiBytes null"); +@@ -646,8 +657,6 @@ public class RecoveryService implements IService { + pwd.toCharArray()); + + SEQUENCE safeContents = new SEQUENCE(); +- PasswordConverter passConverter = new +- PasswordConverter(); + PrivateKeyInfo pki = (PrivateKeyInfo) + ASN1Util.decode(PrivateKeyInfo.getTemplate(), + priData); +@@ -662,14 +671,21 @@ public class RecoveryService implements IService { + byte salt[] = { 0x01, 0x01, 0x01, 0x01 }; + epki = EncryptedPrivateKeyInfo.createPBE( + PBEAlgorithm.PBE_SHA1_DES3_CBC, +- pass, salt, 1, passConverter, pki); ++ pass, salt, 1, new PasswordConverter(), pki); + } else { + epki = EncryptedPrivateKeyInfo.createPBES2( + 16, // saltLen + 2000, // kdfIterations + EncryptionAlgorithm.AES_128_CBC_PAD, + pass, +- passConverter, ++ /* For compatibility with OpenSSL and NSS >= 3.31, ++ * do not BMPString-encode the passphrase when using ++ * non-PKCS #12 PBE scheme such as PKCS #5 PBES2. ++ * ++ * The resulting PKCS #12 is not compatible with ++ * NSS < 3.31. 
++ */ ++ null /* passConverter */, + pki); + } + +diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java +index ebade36bc..df3b4672d 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java +@@ -1058,9 +1058,18 @@ public class ConfigurationUtils { + // this is OK + } + +- // import private key into database +- store.importEncryptedPrivateKeyInfo( +- new PasswordConverter(), password, nickname, publicKey, epki); ++ try { ++ // first true without BMPString-encoding the passphrase. ++ store.importEncryptedPrivateKeyInfo( ++ null, password, nickname, publicKey, epki); ++ } catch (Exception e) { ++ // if that failed, try again with BMPString-encoded ++ // passphrase. This is required for PKCS #12 PBE ++ // schemes and for PKCS #12 files using PBES2 generated ++ // by NSS < 3.31 ++ store.importEncryptedPrivateKeyInfo( ++ new PasswordConverter(), password, nickname, publicKey, epki); ++ } + } + + CMS.debug("Importing new certificates:"); +diff --git a/base/util/src/netscape/security/pkcs/PKCS12Util.java b/base/util/src/netscape/security/pkcs/PKCS12Util.java +index 1bc1baee5..1018b21f6 100644 +--- a/base/util/src/netscape/security/pkcs/PKCS12Util.java ++++ b/base/util/src/netscape/security/pkcs/PKCS12Util.java +@@ -134,16 +134,25 @@ public class PKCS12Util { + } + logger.debug("Encrypting private key for " + keyInfo.subjectDN); + +- PasswordConverter passConverter = new PasswordConverter(); + epkiBytes = CryptoManager.getInstance() + .getInternalKeyStorageToken() + .getCryptoStore() + .getEncryptedPrivateKeyInfo( ++ /* For compatibility with OpenSSL and NSS >= 3.31, ++ * do not BMPString-encode the passphrase when using ++ * non-PKCS #12 PBE scheme such as PKCS #5 PBES2. ++ * ++ * The resulting PKCS #12 is not compatible with ++ * NSS < 3.31. 
++ */ ++ null /* passConverter */, ++ password, + /* NSS has a bug that causes any AES CBC encryption + * to use AES-256, but AlgorithmID contains chosen + * alg. To avoid mismatch, use AES_256_CBC. */ +- passConverter, password, +- EncryptionAlgorithm.AES_256_CBC, 0, k); ++ EncryptionAlgorithm.AES_256_CBC, ++ 0 /* iterations (default) */, ++ k); + } + + SET keyAttrs = createKeyBagAttrs(keyInfo); +@@ -616,8 +625,18 @@ public class PKCS12Util { + "No EncryptedPrivateKeyInfo for key '" + + keyInfo.subjectDN + "'; skipping key"); + } +- store.importEncryptedPrivateKeyInfo( +- new PasswordConverter(), password, nickname, publicKey, epkiBytes); ++ try { ++ // first true without BMPString-encoding the passphrase. ++ store.importEncryptedPrivateKeyInfo( ++ null, password, nickname, publicKey, epkiBytes); ++ } catch (Exception e) { ++ // if that failed, try again with BMPString-encoded ++ // passphrase. This is required for PKCS #12 PBE ++ // schemes and for PKCS #12 files using PBES2 generated ++ // by NSS < 3.31 ++ store.importEncryptedPrivateKeyInfo( ++ new PasswordConverter(), password, nickname, publicKey, epkiBytes); ++ } + + // delete the cert again (it will be imported again later + // with the correct nickname) +-- +2.13.5 + diff --git a/SOURCES/pki-core-SecurityDataRecoveryService.patch b/SOURCES/pki-core-SecurityDataRecoveryService.patch new file mode 100644 index 0000000..979abd5 --- /dev/null +++ b/SOURCES/pki-core-SecurityDataRecoveryService.patch 
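Review bot: The retry in ConfigurationUtils and PKCS12Util catches `Exception` on the first `importEncryptedPrivateKeyInfo` call and silently retries with BMPString encoding, so when both attempts fail only the second exception propagates and the reason the non-BMPString import failed is lost; any unrelated failure (a token error, a bad nickname) is retried as well instead of being reported. Narrow the catch to what the JSS method actually throws and keep the first failure visible, e.g. `} catch (Exception e) {` / `    CMS.debug("importEncryptedPrivateKeyInfo without BMPString failed, retrying: " + e);` in ConfigurationUtils and the equivalent `logger.debug` in PKCS12Util, or attach it with `addSuppressed` to the second exception. Both copies of the comment say `// first true without BMPString-encoding the passphrase.`; it should read `// first try without BMPString-encoding the passphrase.`. The enclosing methods begin and end outside the hunk.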
@@ -0,0 +1,88 @@ +--- patch/base/kra/src/com/netscape/kra/SecurityDataRecoveryService.java 2017-06-06 04:56:02.188426066 +0200 ++++ pki/base/kra/src/com/netscape/kra/SecurityDataRecoveryService.java 2017-06-06 01:50:56.698341052 +0200 +@@ -17,6 +17,8 @@ + // --- END COPYRIGHT BLOCK --- + package com.netscape.kra; + ++import java.math.BigInteger; ++ + import com.netscape.certsrv.apps.CMS; + import com.netscape.certsrv.base.EBaseException; + import com.netscape.certsrv.dbs.keydb.KeyId; +@@ -41,6 +43,7 @@ public class SecurityDataRecoveryService + + private IKeyRecoveryAuthority kra = null; + private SecurityDataProcessor processor = null; ++ private ILogger signedAuditLogger = CMS.getSignedAuditLogger(); + + public SecurityDataRecoveryService(IKeyRecoveryAuthority kra) { + this.kra = kra; +@@ -65,8 +68,66 @@ public class SecurityDataRecoveryService + throws EBaseException { + + CMS.debug("SecurityDataRecoveryService.serviceRequest()"); +- processor.recover(request); +- kra.getRequestQueue().updateRequest(request); ++ ++ // parameters for auditing ++ String auditSubjectID = request.getExtDataInString(IRequest.ATTR_REQUEST_OWNER); ++ BigInteger serialNumber = request.getExtDataInBigInteger("serialNumber"); ++ KeyId keyId = serialNumber != null ? new KeyId(serialNumber): null; ++ RequestId requestID = request.getRequestId(); ++ String approvers = request.getExtDataInString(IRequest.ATTR_APPROVE_AGENTS); ++ ++ try { ++ processor.recover(request); ++ kra.getRequestQueue().updateRequest(request); ++ auditRecoveryRequestProcessed( ++ auditSubjectID, ++ ILogger.SUCCESS, ++ requestID, ++ keyId, ++ null, ++ approvers); ++ } catch (EBaseException e) { ++ auditRecoveryRequestProcessed( ++ auditSubjectID, ++ ILogger.FAILURE, ++ requestID, ++ keyId, ++ e.getMessage(), ++ approvers); ++ throw e; ++ } + return false; //TODO: return true? 
+ } ++ ++ private void audit(AuditEvent event) { ++ ++ String template = event.getMessage(); ++ Object[] params = event.getParameters(); ++ ++ String message = CMS.getLogMessage(template, params); ++ ++ audit(message); ++ } ++ ++ private void audit(String msg) { ++ if (signedAuditLogger == null) ++ return; ++ ++ signedAuditLogger.log(ILogger.EV_SIGNED_AUDIT, ++ null, ++ ILogger.S_SIGNED_AUDIT, ++ ILogger.LL_SECURITY, ++ msg); ++ } ++ ++ private void auditRecoveryRequestProcessed(String subjectID, String status, RequestId requestID, ++ KeyId keyID, String reason, String recoveryAgents) { ++ audit(new SecurityDataRecoveryProcessedEvent( ++ subjectID, ++ status, ++ requestID, ++ keyID, ++ reason, ++ recoveryAgents)); ++ } + } diff --git a/SOURCES/pki-core-alpha.patch b/SOURCES/pki-core-alpha.patch new file mode 100644 index 0000000..8b8c196 --- /dev/null +++ b/SOURCES/pki-core-alpha.patch 
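Review bot: serviceRequest() records a FAILURE audit event only for EBaseException, so a RuntimeException escaping `processor.recover(request)` leaves the key-recovery attempt with no signed audit record at all, which is the case the trail most needs to capture; widen it to `} catch (EBaseException | RuntimeException e) {` (multi-catch with precise rethrow keeps `throw e;` compiling) or audit from a finally-style pattern keyed on a success flag. The SUCCESS event is also emitted only after `kra.getRequestQueue().updateRequest(request)`, so a queue-update failure following a completed recovery is audited as a failed recovery; auditing success right after recover() and handling the queue update separately would keep the record truthful. The new code references AuditEvent, ILogger, RequestId, IRequest and SecurityDataRecoveryProcessedEvent while the import hunk adds only `java.math.BigInteger`; confirm those are already imported in the unchanged part of the file.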
@@ -0,0 +1,18931 @@ +From 8d60caa44803915c153e1919ccaf08b166d38190 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Wed, 29 Mar 2017 03:36:39 +0200 +Subject: [PATCH 01/59] Removed duplicate PROP_ROLLOVER_INTERVAL constant. + +Change-Id: I66b369ec33f97dab96f6d832e2eb9ab0c6cdbe98 +--- + .../src/com/netscape/cms/logging/RollingLogFile.java | 18 +++++++++--------- + .../netscape/cms/servlet/admin/LogAdminServlet.java | 2 +- + 2 files changed, 10 insertions(+), 10 deletions(-) + +diff --git a/base/server/cms/src/com/netscape/cms/logging/RollingLogFile.java b/base/server/cms/src/com/netscape/cms/logging/RollingLogFile.java +index 32568da..d84c441 100644 +--- a/base/server/cms/src/com/netscape/cms/logging/RollingLogFile.java ++++ b/base/server/cms/src/com/netscape/cms/logging/RollingLogFile.java +@@ -32,6 +32,7 @@ import com.netscape.certsrv.apps.CMS; + import com.netscape.certsrv.base.EBaseException; + import com.netscape.certsrv.base.IConfigStore; + import com.netscape.certsrv.base.IExtendedPluginInfo; ++import com.netscape.certsrv.common.Constants; + import com.netscape.certsrv.common.NameValuePairs; + import com.netscape.certsrv.logging.ConsoleError; + import com.netscape.certsrv.logging.ELogException; +@@ -49,7 +50,6 @@ import com.netscape.cmsutil.util.Utils; + */ + public class RollingLogFile extends LogFile { + public static final String PROP_MAX_FILE_SIZE = "maxFileSize"; +- public static final String PROP_ROLLOVER_INTERVAL = "rolloverInterval"; + public static final String PROP_EXPIRATION_TIME = "expirationTime"; + + /** +@@ -116,7 +116,7 @@ public class RollingLogFile extends LogFile { + super.init(config); + + rl_init(config.getInteger(PROP_MAX_FILE_SIZE, MAX_FILE_SIZE), +- config.getString(PROP_ROLLOVER_INTERVAL, ROLLOVER_INTERVAL), ++ config.getString(Constants.PR_LOG_ROLLEROVER_INTERVAL, ROLLOVER_INTERVAL), + config.getString(PROP_EXPIRATION_TIME, EXPIRATION_TIME)); + } + +@@ -585,7 +585,7 @@ public class RollingLogFile extends LogFile { + Vector v = 
super.getDefaultParams(); + + v.addElement(PROP_MAX_FILE_SIZE + "="); +- v.addElement(PROP_ROLLOVER_INTERVAL + "="); ++ v.addElement(Constants.PR_LOG_ROLLEROVER_INTERVAL + "="); + //v.addElement(PROP_EXPIRATION_TIME + "="); + return v; + } +@@ -596,15 +596,15 @@ public class RollingLogFile extends LogFile { + try { + v.addElement(PROP_MAX_FILE_SIZE + "=" + mMaxFileSize / 1024); + if (mRolloverInterval / 1000 <= 60 * 60) +- v.addElement(PROP_ROLLOVER_INTERVAL + "=" + "Hourly"); ++ v.addElement(Constants.PR_LOG_ROLLEROVER_INTERVAL + "=" + "Hourly"); + else if (mRolloverInterval / 1000 <= 60 * 60 * 24) +- v.addElement(PROP_ROLLOVER_INTERVAL + "=" + "Daily"); ++ v.addElement(Constants.PR_LOG_ROLLEROVER_INTERVAL + "=" + "Daily"); + else if (mRolloverInterval / 1000 <= 60 * 60 * 24 * 7) +- v.addElement(PROP_ROLLOVER_INTERVAL + "=" + "Weekly"); ++ v.addElement(Constants.PR_LOG_ROLLEROVER_INTERVAL + "=" + "Weekly"); + else if (mRolloverInterval / 1000 <= 60 * 60 * 24 * 30) +- v.addElement(PROP_ROLLOVER_INTERVAL + "=" + "Monthly"); ++ v.addElement(Constants.PR_LOG_ROLLEROVER_INTERVAL + "=" + "Monthly"); + else if (mRolloverInterval / 1000 <= 60 * 60 * 24 * 366) +- v.addElement(PROP_ROLLOVER_INTERVAL + "=" + "Yearly"); ++ v.addElement(Constants.PR_LOG_ROLLEROVER_INTERVAL + "=" + "Yearly"); + + //v.addElement(PROP_EXPIRATION_TIME + "=" + mExpirationTime / 1000); + } catch (Exception e) { +@@ -622,7 +622,7 @@ public class RollingLogFile extends LogFile { + } + info.addElement(PROP_MAX_FILE_SIZE + + ";integer;If the current log file size if bigger than this parameter in kilobytes(KB), the file will be rotated."); +- info.addElement(PROP_ROLLOVER_INTERVAL ++ info.addElement(Constants.PR_LOG_ROLLEROVER_INTERVAL + + ";choice(Hourly,Daily,Weekly,Monthly,Yearly);The frequency of the log being rotated."); + info.addElement(PROP_EXPIRATION_TIME + + ";integer;The amount of time before a backed up log is removed in seconds"); +diff --git 
a/base/server/cms/src/com/netscape/cms/servlet/admin/LogAdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/LogAdminServlet.java +index d665224..08c3293 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/admin/LogAdminServlet.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/admin/LogAdminServlet.java +@@ -1645,7 +1645,7 @@ public class LogAdminServlet extends AdminServlet { + + } + +- if (key.equals("rolloverInterval")) { ++ if (key.equals(Constants.PR_LOG_ROLLEROVER_INTERVAL)) { + if (val.equals("Hourly")) + val = Integer.toString(60 * 60); + else if (val.equals("Daily")) +-- +1.8.3.1 + + +From 939896c06013065a7566002a2708d4598d3d7b96 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Thu, 30 Mar 2017 07:08:52 +0200 +Subject: [PATCH 02/59] Removed duplicate PROP_MAX_FILE_SIZE constant. + +Change-Id: Ic2aa92985e8aee9b5405ad542c640ca67a0047c6 +--- + base/server/cms/src/com/netscape/cms/logging/RollingLogFile.java | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +diff --git a/base/server/cms/src/com/netscape/cms/logging/RollingLogFile.java b/base/server/cms/src/com/netscape/cms/logging/RollingLogFile.java +index d84c441..4d29715 100644 +--- a/base/server/cms/src/com/netscape/cms/logging/RollingLogFile.java ++++ b/base/server/cms/src/com/netscape/cms/logging/RollingLogFile.java +@@ -49,7 +49,6 @@ import com.netscape.cmsutil.util.Utils; + * @version $Revision$, $Date$ + */ + public class RollingLogFile extends LogFile { +- public static final String PROP_MAX_FILE_SIZE = "maxFileSize"; + public static final String PROP_EXPIRATION_TIME = "expirationTime"; + + /** +@@ -115,7 +114,7 @@ public class RollingLogFile extends LogFile { + EBaseException { + super.init(config); + +- rl_init(config.getInteger(PROP_MAX_FILE_SIZE, MAX_FILE_SIZE), ++ rl_init(config.getInteger(Constants.PR_LOG_MAXFILESIZE, MAX_FILE_SIZE), + config.getString(Constants.PR_LOG_ROLLEROVER_INTERVAL, ROLLOVER_INTERVAL), + 
config.getString(PROP_EXPIRATION_TIME, EXPIRATION_TIME)); + } +@@ -584,7 +583,7 @@ public class RollingLogFile extends LogFile { + public Vector getDefaultParams() { + Vector v = super.getDefaultParams(); + +- v.addElement(PROP_MAX_FILE_SIZE + "="); ++ v.addElement(Constants.PR_LOG_MAXFILESIZE + "="); + v.addElement(Constants.PR_LOG_ROLLEROVER_INTERVAL + "="); + //v.addElement(PROP_EXPIRATION_TIME + "="); + return v; +@@ -594,7 +593,7 @@ public class RollingLogFile extends LogFile { + Vector v = super.getInstanceParams(); + + try { +- v.addElement(PROP_MAX_FILE_SIZE + "=" + mMaxFileSize / 1024); ++ v.addElement(Constants.PR_LOG_MAXFILESIZE + "=" + mMaxFileSize / 1024); + if (mRolloverInterval / 1000 <= 60 * 60) + v.addElement(Constants.PR_LOG_ROLLEROVER_INTERVAL + "=" + "Hourly"); + else if (mRolloverInterval / 1000 <= 60 * 60 * 24) +@@ -620,7 +619,7 @@ public class RollingLogFile extends LogFile { + if (!p[i].startsWith(IExtendedPluginInfo.HELP_TOKEN) && !p[i].startsWith(IExtendedPluginInfo.HELP_TEXT)) + info.addElement(p[i]); + } +- info.addElement(PROP_MAX_FILE_SIZE ++ info.addElement(Constants.PR_LOG_MAXFILESIZE + + ";integer;If the current log file size if bigger than this parameter in kilobytes(KB), the file will be rotated."); + info.addElement(Constants.PR_LOG_ROLLEROVER_INTERVAL + + ";choice(Hourly,Daily,Weekly,Monthly,Yearly);The frequency of the log being rotated."); +-- +1.8.3.1 + + +From 01b510f51992e04ffc84aefdd2d3e1f09b09b480 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Thu, 30 Mar 2017 22:57:19 +0200 +Subject: [PATCH 03/59] Removed duplicate PROP_EXPIRATION_TIME constant. 
+ +Change-Id: Ife9108019994b385fc452da0f29dee64d0ccc5d3 +--- + base/server/cms/src/com/netscape/cms/logging/RollingLogFile.java | 7 +++---- + .../cms/src/com/netscape/cms/servlet/admin/LogAdminServlet.java | 6 +++--- + 2 files changed, 6 insertions(+), 7 deletions(-) + +diff --git a/base/server/cms/src/com/netscape/cms/logging/RollingLogFile.java b/base/server/cms/src/com/netscape/cms/logging/RollingLogFile.java +index 4d29715..fb70f46 100644 +--- a/base/server/cms/src/com/netscape/cms/logging/RollingLogFile.java ++++ b/base/server/cms/src/com/netscape/cms/logging/RollingLogFile.java +@@ -49,7 +49,6 @@ import com.netscape.cmsutil.util.Utils; + * @version $Revision$, $Date$ + */ + public class RollingLogFile extends LogFile { +- public static final String PROP_EXPIRATION_TIME = "expirationTime"; + + /** + * The default max file size in bytes +@@ -116,7 +115,7 @@ public class RollingLogFile extends LogFile { + + rl_init(config.getInteger(Constants.PR_LOG_MAXFILESIZE, MAX_FILE_SIZE), + config.getString(Constants.PR_LOG_ROLLEROVER_INTERVAL, ROLLOVER_INTERVAL), +- config.getString(PROP_EXPIRATION_TIME, EXPIRATION_TIME)); ++ config.getString(Constants.PR_LOG_EXPIRED_TIME, EXPIRATION_TIME)); + } + + /** +@@ -585,7 +584,7 @@ public class RollingLogFile extends LogFile { + + v.addElement(Constants.PR_LOG_MAXFILESIZE + "="); + v.addElement(Constants.PR_LOG_ROLLEROVER_INTERVAL + "="); +- //v.addElement(PROP_EXPIRATION_TIME + "="); ++ //v.addElement(Constants.PR_LOG_EXPIRED_TIME + "="); + return v; + } + +@@ -623,7 +622,7 @@ public class RollingLogFile extends LogFile { + + ";integer;If the current log file size if bigger than this parameter in kilobytes(KB), the file will be rotated."); + info.addElement(Constants.PR_LOG_ROLLEROVER_INTERVAL + + ";choice(Hourly,Daily,Weekly,Monthly,Yearly);The frequency of the log being rotated."); +- info.addElement(PROP_EXPIRATION_TIME ++ info.addElement(Constants.PR_LOG_EXPIRED_TIME + + ";integer;The amount of time before a backed up log is 
removed in seconds"); + info.addElement(IExtendedPluginInfo.HELP_TOKEN + + //";configuration-logrules-rollinglogfile"); +diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/LogAdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/LogAdminServlet.java +index 08c3293..13ba52c 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/admin/LogAdminServlet.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/admin/LogAdminServlet.java +@@ -834,7 +834,7 @@ public class LogAdminServlet extends AdminServlet { + // files is no longer supported, it is still a required parameter + // that must be present during the creation and modification of + // custom log plugins. +- substore.put("expirationTime", "0"); ++ substore.put(Constants.PR_LOG_EXPIRED_TIME, "0"); + + // Instantiate an object for this implementation + String className = plugin.getClassPath(); +@@ -1591,7 +1591,7 @@ public class LogAdminServlet extends AdminServlet { + // files is no longer supported, it is still a required parameter + // that must be present during the creation and modification of + // custom log plugins. +- substore.put("expirationTime", "0"); ++ substore.put(Constants.PR_LOG_EXPIRED_TIME, "0"); + + // IMPORTANT: save a copy of the original log file path + origLogPath = substore.getString(Constants.PR_LOG_FILENAME); +@@ -1702,7 +1702,7 @@ public class LogAdminServlet extends AdminServlet { + } + } + /* +- if (key.equals("expirationTime")) { ++ if (key.equals(Constants.PR_LOG_EXPIRED_TIME)) { + String origVal = substore.getString(key); + + val = val.trim(); +-- +1.8.3.1 + + +From 1d3216aece7381cbac7b812dfbb969b466b31abe Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Thu, 30 Mar 2017 22:31:30 +0200 +Subject: [PATCH 04/59] Fixed default subsystems for top-level CLI commands. + +The top-level CLI commands have been modified to get the subsystem +name from the parent subsystem CLI if available, otherwise they +will use a hard-coded default value. 
+ +https://pagure.io/dogtagpki/issue/2626 + +Change-Id: Ieef45abfdfb4a6fc63fd06a6ccda4e70366de4a0 +--- + base/java-tools/src/com/netscape/cmstools/cert/CertCLI.java | 10 ++++++++-- + base/java-tools/src/com/netscape/cmstools/group/GroupCLI.java | 10 ++++++++-- + base/java-tools/src/com/netscape/cmstools/key/KeyCLI.java | 9 +++++++-- + .../src/com/netscape/cmstools/system/SecurityDomainCLI.java | 10 ++++++++-- + base/java-tools/src/com/netscape/cmstools/user/UserCLI.java | 10 ++++++++-- + 5 files changed, 39 insertions(+), 10 deletions(-) + +diff --git a/base/java-tools/src/com/netscape/cmstools/cert/CertCLI.java b/base/java-tools/src/com/netscape/cmstools/cert/CertCLI.java +index 9687084..af117a6 100644 +--- a/base/java-tools/src/com/netscape/cmstools/cert/CertCLI.java ++++ b/base/java-tools/src/com/netscape/cmstools/cert/CertCLI.java +@@ -32,6 +32,7 @@ import com.netscape.certsrv.cert.CertReviewResponse; + import com.netscape.certsrv.client.PKIClient; + import com.netscape.cmstools.cli.CLI; + import com.netscape.cmstools.cli.MainCLI; ++import com.netscape.cmstools.cli.SubsystemCLI; + + /** + * @author Endi S. 
Dewata +@@ -81,8 +82,13 @@ public class CertCLI extends CLI { + PKIClient client = getClient(); + + // determine the subsystem +- String subsystem = client.getSubsystem(); +- if (subsystem == null) subsystem = "ca"; ++ String subsystem; ++ if (parent instanceof SubsystemCLI) { ++ SubsystemCLI subsystemCLI = (SubsystemCLI)parent; ++ subsystem = subsystemCLI.getName(); ++ } else { ++ subsystem = "ca"; ++ } + + // create new cert client + certClient = new CertClient(client, subsystem); +diff --git a/base/java-tools/src/com/netscape/cmstools/group/GroupCLI.java b/base/java-tools/src/com/netscape/cmstools/group/GroupCLI.java +index bd4651d..5ccf70d 100644 +--- a/base/java-tools/src/com/netscape/cmstools/group/GroupCLI.java ++++ b/base/java-tools/src/com/netscape/cmstools/group/GroupCLI.java +@@ -26,6 +26,7 @@ import com.netscape.certsrv.group.GroupClient; + import com.netscape.certsrv.group.GroupData; + import com.netscape.cmstools.cli.CLI; + import com.netscape.cmstools.cli.MainCLI; ++import com.netscape.cmstools.cli.SubsystemCLI; + + /** + * @author Endi S. 
Dewata +@@ -67,8 +68,13 @@ public class GroupCLI extends CLI { + PKIClient client = getClient(); + + // determine the subsystem +- String subsystem = client.getSubsystem(); +- if (subsystem == null) subsystem = "ca"; ++ String subsystem; ++ if (parent instanceof SubsystemCLI) { ++ SubsystemCLI subsystemCLI = (SubsystemCLI)parent; ++ subsystem = subsystemCLI.getName(); ++ } else { ++ subsystem = "ca"; ++ } + + // create new group client + groupClient = new GroupClient(client, subsystem); +diff --git a/base/java-tools/src/com/netscape/cmstools/key/KeyCLI.java b/base/java-tools/src/com/netscape/cmstools/key/KeyCLI.java +index b9b27d1..d7c087f 100644 +--- a/base/java-tools/src/com/netscape/cmstools/key/KeyCLI.java ++++ b/base/java-tools/src/com/netscape/cmstools/key/KeyCLI.java +@@ -27,6 +27,7 @@ import com.netscape.certsrv.system.SystemCertClient; + import com.netscape.certsrv.util.NSSCryptoProvider; + import com.netscape.cmstools.cli.CLI; + import com.netscape.cmstools.cli.MainCLI; ++import com.netscape.cmstools.cli.SubsystemCLI; + import com.netscape.cmsutil.util.Utils; + + /** +@@ -78,9 +79,13 @@ public class KeyCLI extends CLI { + PKIClient client = getClient(); + + // determine the subsystem +- String subsystem = client.getSubsystem(); +- if (subsystem == null) ++ String subsystem; ++ if (parent instanceof SubsystemCLI) { ++ SubsystemCLI subsystemCLI = (SubsystemCLI)parent; ++ subsystem = subsystemCLI.getName(); ++ } else { + subsystem = "kra"; ++ } + + // create new key client + keyClient = new KeyClient(client, subsystem); +diff --git a/base/java-tools/src/com/netscape/cmstools/system/SecurityDomainCLI.java b/base/java-tools/src/com/netscape/cmstools/system/SecurityDomainCLI.java +index d9db91e..ea6cd29 100644 +--- a/base/java-tools/src/com/netscape/cmstools/system/SecurityDomainCLI.java ++++ b/base/java-tools/src/com/netscape/cmstools/system/SecurityDomainCLI.java +@@ -25,6 +25,7 @@ import com.netscape.certsrv.system.SecurityDomainHost; + import 
com.netscape.certsrv.system.SecurityDomainSubsystem;
+ import com.netscape.cmstools.cli.CLI;
+ import com.netscape.cmstools.cli.MainCLI;
++import com.netscape.cmstools.cli.SubsystemCLI;
+
+ /**
+ * @author Endi S. Dewata
+@@ -60,8 +61,13 @@ public class SecurityDomainCLI extends CLI {
+ PKIClient client = getClient();
+
+ // determine the subsystem
+- String subsystem = client.getSubsystem();
+- if (subsystem == null) subsystem = "ca";
++ String subsystem;
++ if (parent instanceof SubsystemCLI) {
++ SubsystemCLI subsystemCLI = (SubsystemCLI)parent;
++ subsystem = subsystemCLI.getName();
++ } else {
++ subsystem = "ca";
++ }
+
+ // create new security domain client
+ securityDomainClient = new SecurityDomainClient(client, subsystem);
+diff --git a/base/java-tools/src/com/netscape/cmstools/user/UserCLI.java b/base/java-tools/src/com/netscape/cmstools/user/UserCLI.java
+index 57a132c..1acbf0b 100644
+--- a/base/java-tools/src/com/netscape/cmstools/user/UserCLI.java
++++ b/base/java-tools/src/com/netscape/cmstools/user/UserCLI.java
+@@ -27,6 +27,7 @@ import com.netscape.certsrv.user.UserData;
+ import com.netscape.certsrv.user.UserResource;
+ import com.netscape.cmstools.cli.CLI;
+ import com.netscape.cmstools.cli.MainCLI;
++import com.netscape.cmstools.cli.SubsystemCLI;
+
+ /**
+ * @author Endi S. Dewata
+@@ -70,8 +71,13 @@ public class UserCLI extends CLI {
+ PKIClient client = getClient();
+
+ // determine the subsystem
+- String subsystem = client.getSubsystem();
+- if (subsystem == null) subsystem = "ca";
++ String subsystem;
++ if (parent instanceof SubsystemCLI) {
++ SubsystemCLI subsystemCLI = (SubsystemCLI)parent;
++ subsystem = subsystemCLI.getName();
++ } else {
++ subsystem = "ca";
++ }
+
+ // create new user client
+ userClient = new UserClient(client, subsystem);
+--
+1.8.3.1
+
+
+From 269f7d62ab3c8d13f7746fccb69cb0b305c46fb9 Mon Sep 17 00:00:00 2001
+From: "Endi S.
Dewata" +Date: Fri, 31 Mar 2017 04:48:24 +0200 +Subject: [PATCH 05/59] Fixed pylint errors in pki.server.cli.subsystem. + +https://pagure.io/dogtagpki/issue/2627 + +Change-Id: Icd47be636c78224328438a8091c7c3bdd07c06bd +--- + base/server/python/pki/server/cli/subsystem.py | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/base/server/python/pki/server/cli/subsystem.py b/base/server/python/pki/server/cli/subsystem.py +index 04461f2..ee5d2d2 100644 +--- a/base/server/python/pki/server/cli/subsystem.py ++++ b/base/server/python/pki/server/cli/subsystem.py +@@ -24,7 +24,6 @@ from __future__ import print_function + import getopt + import getpass + import os +-import string + import subprocess + import sys + from tempfile import mkstemp +@@ -789,7 +788,7 @@ class SubsystemCertUpdateCLI(pki.cli.CLI): + + # format cert data for LDAP database + lines = [data[i:i + 64] for i in range(0, len(data), 64)] +- data = string.join(lines, '\r\n') + '\r\n' ++ data = '\r\n'.join(lines) + '\r\n' + + if self.verbose: + print('Retrieving certificate request from CA database') +@@ -812,7 +811,7 @@ class SubsystemCertUpdateCLI(pki.cli.CLI): + lines = lines[1:] + if lines[-1] == '-----END CERTIFICATE REQUEST-----': + lines = lines[:-1] +- request = string.join(lines, '') ++ request = ''.join(lines) + subsystem_cert['request'] = request + + else: +-- +1.8.3.1 + + +From 671157f430eb6fa46ad2132758e3d06f602724f4 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Fri, 31 Mar 2017 05:05:37 +0200 +Subject: [PATCH 06/59] Fixed pylint error in pki.authority. 
+ +https://pagure.io/dogtagpki/issue/2627 + +Change-Id: I3111e78fc0afb63799e7bd707274ec7a9e8624ac +--- + base/common/python/pki/authority.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/base/common/python/pki/authority.py b/base/common/python/pki/authority.py +index 00c6fd9..f6880b5 100644 +--- a/base/common/python/pki/authority.py ++++ b/base/common/python/pki/authority.py +@@ -362,7 +362,7 @@ def main(): + try: + subca = ca_client.create_ca(data) + except ValueError as e: +- print(e.message) ++ print(e) + + # Get the host CA + print("Getting the host CA") +-- +1.8.3.1 + + +From 3e80b04c1de37568d304b2d76f324c026830fd11 Mon Sep 17 00:00:00 2001 +From: Christian Heimes +Date: Fri, 31 Mar 2017 09:48:07 -0600 +Subject: [PATCH 08/59] Misc pylint, flake8 and tox fixes + +--- + base/common/python/pki/__init__.py | 5 ++--- + base/common/python/pki/authority.py | 2 ++ + base/common/python/pki/client.py | 1 + + base/common/python/pki/feature.py | 1 + + base/kra/functional/drmclient_deprecated.py | 3 ++- + base/kra/functional/drmtest.py | 2 +- + base/server/python/pki/server/__init__.py | 2 +- + base/server/python/pki/server/cli/kra.py | 2 +- + .../python/pki/server/deployment/pkiparser.py | 2 +- + base/server/python/pki/server/upgrade.py | 4 ++-- + pylint-build-scan.py | 1 + + tox.ini | 26 +++++++++++++--------- + 12 files changed, 31 insertions(+), 20 deletions(-) + +diff --git a/base/common/python/pki/__init__.py b/base/common/python/pki/__init__.py +index 5d2a143..c015126 100644 +--- a/base/common/python/pki/__init__.py ++++ b/base/common/python/pki/__init__.py +@@ -269,9 +269,8 @@ class RequestNotFoundException(ResourceNotFoundException): + class UserNotFoundException(ResourceNotFoundException): + """ User Not Found Exception: return code = 404 """ + +-""" +-Mapping from Java Server exception classes to python exception classes +-""" ++ ++# Mapping from Java Server exception classes to python exception classes + EXCEPTION_MAPPINGS = { + 
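Review bot: In the authority.py hunk the `except ValueError as e:` branch now prints the error and falls through, so main() continues into the "Getting the host CA" steps with `subca` never assigned; if `subca` is referenced later in main() (outside the hunk) the failure resurfaces as an unrelated NameError instead of the original message. Either stop after reporting, `print(e)` followed by `return`, or add a comment stating that sub-CA creation is best-effort and the rest of the run does not depend on it. main() starts and ends outside the hunk.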
"com.netscape.certsrv.base.BadRequestException": BadRequestException, + "com.netscape.certsrv.base.ConflictingOperationException": +diff --git a/base/common/python/pki/authority.py b/base/common/python/pki/authority.py +index f6880b5..9fa459c 100644 +--- a/base/common/python/pki/authority.py ++++ b/base/common/python/pki/authority.py +@@ -289,6 +289,7 @@ class AuthorityClient(object): + + self.connection.delete(url, headers) + ++ + encoder.NOTYPES['AuthorityData'] = AuthorityData + + +@@ -499,5 +500,6 @@ def main(): + print("-----------------------------------") + issue_cert_using_authority(cert_client, sub_subca.aid) + ++ + if __name__ == "__main__": + main() +diff --git a/base/common/python/pki/client.py b/base/common/python/pki/client.py +index 3e819cf..90ca4fe 100644 +--- a/base/common/python/pki/client.py ++++ b/base/common/python/pki/client.py +@@ -224,5 +224,6 @@ def main(): + conn.set_authentication_cert('/root/temp4.pem') + print(conn.get("", headers).json()) + ++ + if __name__ == "__main__": + main() +diff --git a/base/common/python/pki/feature.py b/base/common/python/pki/feature.py +index 0e5171d..1a2d402 100644 +--- a/base/common/python/pki/feature.py ++++ b/base/common/python/pki/feature.py +@@ -133,6 +133,7 @@ class FeatureClient(object): + headers=self.headers) + return FeatureCollection.from_json(response.json()) + ++ + encoder.NOTYPES['Feature'] = Feature + + +diff --git a/base/kra/functional/drmclient_deprecated.py b/base/kra/functional/drmclient_deprecated.py +index e333913..fe0f100 100644 +--- a/base/kra/functional/drmclient_deprecated.py ++++ b/base/kra/functional/drmclient_deprecated.py +@@ -1008,7 +1008,8 @@ class KRA: + self.debug('%s.recover_security_data()', self.fullname) + pass + +-""" Sample Test execution starts here """ ++ ++# Sample Test execution starts here + parser = argparse.ArgumentParser(description="Sample Test execution") + parser.add_argument( + '-d', +diff --git a/base/kra/functional/drmtest.py 
b/base/kra/functional/drmtest.py +index 6853987..7e236ef 100755 +--- a/base/kra/functional/drmtest.py ++++ b/base/kra/functional/drmtest.py +@@ -302,7 +302,7 @@ def usage(): + print(' -P KRA server protocol (default: https).') + print(' -h KRA server hostname (default: localhost).') + print(' -p KRA server port (default: 8443).') +- print(' -n KRA agent certificate and private key (default: kraagent.pem).') # nopep8 ++ print(' -n KRA agent certificate and private key (default: kraagent.pem).') # noqa: E501 + print() + print(' --help Show this help message.') + +diff --git a/base/server/python/pki/server/__init__.py b/base/server/python/pki/server/__init__.py +index 70734c3..357bad3 100644 +--- a/base/server/python/pki/server/__init__.py ++++ b/base/server/python/pki/server/__init__.py +@@ -469,7 +469,7 @@ class ExternalCert(object): + @functools.total_ordering + class PKIInstance(object): + +- def __init__(self, name, instanceType=10): # nopep8 ++ def __init__(self, name, instanceType=10): # noqa: N803 + + self.name = name + self.type = instanceType +diff --git a/base/server/python/pki/server/cli/kra.py b/base/server/python/pki/server/cli/kra.py +index 5c9111d..5558d6a 100644 +--- a/base/server/python/pki/server/cli/kra.py ++++ b/base/server/python/pki/server/cli/kra.py +@@ -378,7 +378,7 @@ class KRADBVLVAddCLI(pki.cli.CLI): + print('KRA VLVs added to the database for ' + instance_name) + + except ldap.LDAPError as e: +- print("ERROR: " + e.message['desc']) ++ print("ERROR: {}".format(e)) + sys.exit(1) + + def add_vlv(self, subsystem, bind_dn, bind_password): +diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py +index 15e48ba..e05e0be 100644 +--- a/base/server/python/pki/server/deployment/pkiparser.py ++++ b/base/server/python/pki/server/deployment/pkiparser.py +@@ -308,7 +308,7 @@ class PKIConfigParser: + + return value + +- def read_password(self, message, section=None, key=None, # nopep8 ++ 
def read_password(self, message, section=None, key=None, # noqa: N803 + verifyMessage=None): + message = ' ' * self.indent + message + ': ' + if verifyMessage is not None: # nopep8 +diff --git a/base/server/python/pki/server/upgrade.py b/base/server/python/pki/server/upgrade.py +index 116ef3d..2c72e48 100644 +--- a/base/server/python/pki/server/upgrade.py ++++ b/base/server/python/pki/server/upgrade.py +@@ -155,8 +155,8 @@ class PKIServerUpgradeScriptlet(pki.upgrade.PKIUpgradeScriptlet): + + class PKIServerUpgrader(pki.upgrade.PKIUpgrader): + +- def __init__(self, instanceName=None, instanceType=None, # nopep8 +- subsystemName=None, upgrade_dir=UPGRADE_DIR, # nopep8 ++ def __init__(self, instanceName=None, instanceType=None, # noqa: N803 ++ subsystemName=None, upgrade_dir=UPGRADE_DIR, # noqa: N803 + version=None, index=None, silent=False): + super(PKIServerUpgrader, self).__init__( + upgrade_dir, version, index, silent) +diff --git a/pylint-build-scan.py b/pylint-build-scan.py +index 3a7b473..a25bab7 100755 +--- a/pylint-build-scan.py ++++ b/pylint-build-scan.py +@@ -131,5 +131,6 @@ def main(): + + return subprocess.call(pylint, cwd=env['sitepackages']) + ++ + if __name__ == '__main__': + sys.exit(main()) +diff --git a/tox.ini b/tox.ini +index f73818d..7b3d1fd 100644 +--- a/tox.ini ++++ b/tox.ini +@@ -19,14 +19,23 @@ + # + + [tox] +-envlist = py27,py35,pep8,pep8py3,lint,lint3k,docs ++envlist = py27,py35,py36,,pep8,pep8py3,lint,lint3,docs + skip_missing_interpreters = true + ++[testenv:deps] ++deps = ++ lxml ++ pyldap ++ python-nss ++ requests ++ six ++ + [testenv] + # force installation of sphinx and lint in virtual env, otherwise + # the command pick up the `pki` package from the system's site packages. 
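Review bot: The pkiparser.py hunk re-tags the read_password signature as `# noqa: N803` but leaves the old marker on the very next context line, `if verifyMessage is not None:  # nopep8`, while the same commit retires `# nopep8` in drmtest.py, server/__init__.py and upgrade.py. pep8-naming reports N803 at the parameter definition, so that second marker most likely suppresses nothing and can be dropped; if it does guard something, it should become `# noqa: <code>` with the actual code so a reader can tell what is being silenced. read_password's body continues outside the hunk.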
+ install_command = pip install {opts} --force-reinstall --upgrade {packages} + deps = ++ {[testenv:deps]deps} + pytest + sitepackages = True + commands = +@@ -40,28 +49,24 @@ commands = + [testenv:lint] + basepython = python2.7 + deps = ++ {[testenv:deps]deps} + pylint + commands = +- {envpython} {toxinidir}/scripts/pylint-build-scan.py tox +- +-[testenv:lint3k] +-basepython = python2.7 +-deps = +- pylint +-commands = +- {envpython} {toxinidir}/scripts/pylint-build-scan.py tox -- --py3k ++ {envpython} {toxinidir}/pylint-build-scan.py tox + + [testenv:lint3] + basepython = python3 + deps = ++ {[testenv:deps]deps} + pylint + commands = +- {envpython} {toxinidir}/scripts/pylint-build-scan.py tox ++ {envpython} {toxinidir}/pylint-build-scan.py tox + + [testenv:pep8] + basepython = python2.7 + sitepackages = False + deps = ++ {[testenv:deps]deps} + flake8 + # flake8-import-order + pep8-naming +@@ -72,6 +77,7 @@ commands = + basepython = python3 + sitepackages = False + deps = ++ {[testenv:deps]deps} + flake8 + # flake8-import-order + pep8-naming +-- +1.8.3.1 + + +From 34fe01c204711f0ef02a43a9aba1bf5141465af9 Mon Sep 17 00:00:00 2001 +From: Christian Heimes +Date: Fri, 31 Mar 2017 10:57:06 -0600 +Subject: [PATCH 10/59] Fix for pylint when using Python 3.6 + +Added 'pylint: disable=no-member' whenever module 're' +attempts to reference its 'MULTILINE' member. +--- + base/server/python/pki/server/__init__.py | 6 +++++- + base/server/python/pki/server/deployment/pkihelper.py | 6 +++++- + 2 files changed, 10 insertions(+), 2 deletions(-) + +diff --git a/base/server/python/pki/server/__init__.py b/base/server/python/pki/server/__init__.py +index 357bad3..5032274 100644 +--- a/base/server/python/pki/server/__init__.py ++++ b/base/server/python/pki/server/__init__.py +@@ -858,7 +858,11 @@ class Tomcat(object): + output = output.decode('utf-8') + + # find "Server version: Apache Tomcat/." 
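Review bot: The new envlist carries a doubled comma after `py36`, `envlist = py27,py35,py36,,pep8,pep8py3,lint,lint3,docs`; whether tox ignores or rejects the empty entry, it reads as a typo and should be `envlist = py27,py35,py36,pep8,pep8py3,lint,lint3,docs`. The new `[testenv:deps]` list (`lxml`, `pyldap`, `python-nss`, `requests`, `six`) has no version bounds, so every lint and test run resolves whatever is newest on the index at that moment and the results are not reproducible between runs; even loose `>=` lower bounds, or a pinned requirements file referenced with `-r`, would make a lint failure attributable to the code rather than to a new upstream release.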
+- match = re.search(r'^Server version:[^/]*/(\d+).*$', output, re.MULTILINE) ++ match = re.search( ++ r'^Server version:[^/]*/(\d+).*$', ++ output, ++ re.MULTILINE # pylint: disable=no-member ++ ) + + if not match: + raise Exception('Unable to determine Tomcat version') +diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py +index 2e276f5..051778d 100644 +--- a/base/server/python/pki/server/deployment/pkihelper.py ++++ b/base/server/python/pki/server/deployment/pkihelper.py +@@ -2721,7 +2721,11 @@ class Modutil: + output = output.decode('utf-8') + + # find modules from lines such as '1. NSS Internal PKCS #11 Module' +- modules = re.findall(r'^ +\d+\. +(.*)$', output, re.MULTILINE) ++ modules = re.findall( ++ r'^ +\d+\. +(.*)$', ++ output, ++ re.MULTILINE # pylint: disable=no-member ++ ) + + if modulename not in modules: + config.pki_log.info( +-- +1.8.3.1 + + +From 7fc7d3e8844d4992db60a637370b8599bff5a282 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Fri, 31 Mar 2017 19:23:43 +0200 +Subject: [PATCH 11/59] Removed redundant Context attributes. + +All subclasses of PKIService have been modified to remove the +Context attribute since they have been declared in the base class. 
+ +Change-Id: Icdbe97efa2b910a579264099f817930c2cc2ed1a +--- + .../org/dogtagpki/server/ca/rest/AuthorityService.java | 17 ----------------- + .../dogtagpki/server/ca/rest/CertRequestService.java | 17 ----------------- + .../src/org/dogtagpki/server/ca/rest/CertService.java | 17 ----------------- + .../dogtagpki/server/ca/rest/KRAConnectorService.java | 17 ----------------- + .../org/dogtagpki/server/ca/rest/ProfileService.java | 16 ---------------- + .../dogtagpki/server/kra/rest/KeyRequestService.java | 17 ----------------- + .../src/org/dogtagpki/server/kra/rest/KeyService.java | 17 ----------------- + .../cms/src/org/dogtagpki/server/rest/AuditService.java | 17 ----------------- + .../cms/src/org/dogtagpki/server/rest/GroupService.java | 17 ----------------- + .../dogtagpki/server/rest/SecurityDomainService.java | 17 ----------------- + .../src/org/dogtagpki/server/rest/SelfTestService.java | 17 ----------------- + .../org/dogtagpki/server/rest/SystemConfigService.java | 11 ----------- + .../cms/src/org/dogtagpki/server/rest/UserService.java | 17 ----------------- + .../dogtagpki/server/tks/rest/TPSConnectorService.java | 9 --------- + .../org/dogtagpki/server/tps/config/ConfigService.java | 17 ----------------- + .../org/dogtagpki/server/tps/rest/ActivityService.java | 17 ----------------- + .../dogtagpki/server/tps/rest/AuthenticatorService.java | 17 ----------------- + .../org/dogtagpki/server/tps/rest/ConnectorService.java | 17 ----------------- + .../server/tps/rest/ProfileMappingService.java | 17 ----------------- + .../org/dogtagpki/server/tps/rest/ProfileService.java | 17 ----------------- + .../org/dogtagpki/server/tps/rest/TPSCertService.java | 17 ----------------- + .../src/org/dogtagpki/server/tps/rest/TokenService.java | 17 ----------------- + 22 files changed, 359 deletions(-) + +diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java b/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java +index c734fbf..215d0fa 
100644 +--- a/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java ++++ b/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java +@@ -27,13 +27,8 @@ import java.util.LinkedHashMap; + import java.util.List; + import java.util.Map; + +-import javax.servlet.http.HttpServletRequest; +-import javax.ws.rs.core.Context; + import javax.ws.rs.core.GenericEntity; +-import javax.ws.rs.core.HttpHeaders; +-import javax.ws.rs.core.Request; + import javax.ws.rs.core.Response; +-import javax.ws.rs.core.UriInfo; + + import com.netscape.certsrv.apps.CMS; + import com.netscape.certsrv.authentication.IAuthToken; +@@ -75,18 +70,6 @@ public class AuthorityService extends SubsystemService implements AuthorityResou + hostCA = (ICertificateAuthority) CMS.getSubsystem("ca"); + } + +- @Context +- private UriInfo uriInfo; +- +- @Context +- private HttpHeaders headers; +- +- @Context +- private Request request; +- +- @Context +- private HttpServletRequest servletRequest; +- + private final static String LOGGING_SIGNED_AUDIT_AUTHORITY_CONFIG = + "LOGGING_SIGNED_AUDIT_AUTHORITY_CONFIG_3"; + +diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/CertRequestService.java b/base/ca/src/org/dogtagpki/server/ca/rest/CertRequestService.java +index a0d36b9..a0f3d46 100644 +--- a/base/ca/src/org/dogtagpki/server/ca/rest/CertRequestService.java ++++ b/base/ca/src/org/dogtagpki/server/ca/rest/CertRequestService.java +@@ -24,13 +24,8 @@ import java.util.ArrayList; + import java.util.Enumeration; + import java.util.List; + +-import javax.servlet.http.HttpServletRequest; + import javax.ws.rs.PathParam; +-import javax.ws.rs.core.Context; +-import javax.ws.rs.core.HttpHeaders; +-import javax.ws.rs.core.Request; + import javax.ws.rs.core.Response; +-import javax.ws.rs.core.UriInfo; + + import org.jboss.resteasy.plugins.providers.atom.Link; + +@@ -81,18 +76,6 @@ import netscape.security.x509.X500Name; + */ + public class CertRequestService extends PKIService implements CertRequestResource { + +- 
@Context +- private UriInfo uriInfo; +- +- @Context +- private HttpHeaders headers; +- +- @Context +- private Request request; +- +- @Context +- private HttpServletRequest servletRequest; +- + public static final int DEFAULT_START = 0; + public static final int DEFAULT_PAGESIZE = 20; + public static final int DEFAULT_MAXRESULTS = 100; +diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/CertService.java b/base/ca/src/org/dogtagpki/server/ca/rest/CertService.java +index ebbab25..d5fe02f 100644 +--- a/base/ca/src/org/dogtagpki/server/ca/rest/CertService.java ++++ b/base/ca/src/org/dogtagpki/server/ca/rest/CertService.java +@@ -34,12 +34,7 @@ import java.util.List; + import java.util.Map; + import java.util.Random; + +-import javax.servlet.http.HttpServletRequest; +-import javax.ws.rs.core.Context; +-import javax.ws.rs.core.HttpHeaders; +-import javax.ws.rs.core.Request; + import javax.ws.rs.core.Response; +-import javax.ws.rs.core.UriInfo; + + import org.apache.catalina.realm.GenericPrincipal; + import org.jboss.resteasy.plugins.providers.atom.Link; +@@ -94,18 +89,6 @@ import netscape.security.x509.X509Key; + */ + public class CertService extends PKIService implements CertResource { + +- @Context +- private UriInfo uriInfo; +- +- @Context +- private HttpHeaders headers; +- +- @Context +- private Request request; +- +- @Context +- private HttpServletRequest servletRequest; +- + ICertificateAuthority authority; + ICertificateRepository repo; + Random random; +diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/KRAConnectorService.java b/base/ca/src/org/dogtagpki/server/ca/rest/KRAConnectorService.java +index 4ef1b7e..24c33fa 100644 +--- a/base/ca/src/org/dogtagpki/server/ca/rest/KRAConnectorService.java ++++ b/base/ca/src/org/dogtagpki/server/ca/rest/KRAConnectorService.java +@@ -17,12 +17,7 @@ + // --- END COPYRIGHT BLOCK --- + package org.dogtagpki.server.ca.rest; + +-import javax.servlet.http.HttpServletRequest; +-import javax.ws.rs.core.Context; +-import 
javax.ws.rs.core.HttpHeaders; +-import javax.ws.rs.core.Request; + import javax.ws.rs.core.Response; +-import javax.ws.rs.core.UriInfo; + + import com.netscape.certsrv.apps.CMS; + import com.netscape.certsrv.base.BadRequestException; +@@ -38,18 +33,6 @@ import com.netscape.cms.servlet.base.PKIService; + */ + public class KRAConnectorService extends PKIService implements KRAConnectorResource { + +- @Context +- private UriInfo uriInfo; +- +- @Context +- private HttpHeaders headers; +- +- @Context +- private Request request; +- +- @Context +- private HttpServletRequest servletRequest; +- + @Override + public Response addConnector(KRAConnectorInfo info) { + +diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java b/base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java +index ba648a4..694fb92 100644 +--- a/base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java ++++ b/base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java +@@ -32,11 +32,7 @@ import java.util.Map; + import java.util.Properties; + import java.util.Vector; + +-import javax.servlet.http.HttpServletRequest; + import javax.ws.rs.PathParam; +-import javax.ws.rs.core.Context; +-import javax.ws.rs.core.HttpHeaders; +-import javax.ws.rs.core.Request; + import javax.ws.rs.core.Response; + import javax.ws.rs.core.UriBuilder; + import javax.ws.rs.core.UriInfo; +@@ -90,18 +86,6 @@ import com.netscape.cmscore.base.SimpleProperties; + */ + public class ProfileService extends SubsystemService implements ProfileResource { + +- @Context +- private UriInfo uriInfo; +- +- @Context +- private HttpHeaders headers; +- +- @Context +- private Request request; +- +- @Context +- private HttpServletRequest servletRequest; +- + private IProfileSubsystem ps = (IProfileSubsystem) CMS.getSubsystem(IProfileSubsystem.ID); + private IPluginRegistry registry = (IPluginRegistry) CMS.getSubsystem(CMS.SUBSYSTEM_REGISTRY); + +diff --git a/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java 
b/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java +index 4138b38..e0c4ca9 100644 +--- a/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java ++++ b/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java +@@ -25,13 +25,8 @@ import java.security.Principal; + import java.util.HashMap; + import java.util.Map; + +-import javax.servlet.http.HttpServletRequest; +-import javax.ws.rs.core.Context; +-import javax.ws.rs.core.HttpHeaders; + import javax.ws.rs.core.MultivaluedMap; +-import javax.ws.rs.core.Request; + import javax.ws.rs.core.Response; +-import javax.ws.rs.core.UriInfo; + + import org.mozilla.jss.crypto.SymmetricKey; + +@@ -67,18 +62,6 @@ import com.netscape.cmsutil.ldap.LDAPUtil; + */ + public class KeyRequestService extends SubsystemService implements KeyRequestResource { + +- @Context +- private UriInfo uriInfo; +- +- @Context +- private HttpHeaders headers; +- +- @Context +- private Request request; +- +- @Context +- private HttpServletRequest servletRequest; +- + private static final String LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST = + "LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST_4"; + +diff --git a/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java b/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java +index e8cb6e9..e15b263 100644 +--- a/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java ++++ b/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java +@@ -29,15 +29,10 @@ import java.util.Hashtable; + import java.util.Iterator; + import java.util.List; + +-import javax.servlet.http.HttpServletRequest; + import javax.ws.rs.Path; +-import javax.ws.rs.core.Context; +-import javax.ws.rs.core.HttpHeaders; + import javax.ws.rs.core.MultivaluedMap; +-import javax.ws.rs.core.Request; + import javax.ws.rs.core.Response; + import javax.ws.rs.core.UriBuilder; +-import javax.ws.rs.core.UriInfo; + + import org.jboss.resteasy.plugins.providers.atom.Link; + +@@ -82,18 +77,6 @@ import 
com.netscape.cmsutil.util.Utils; + */ + public class KeyService extends SubsystemService implements KeyResource { + +- @Context +- private UriInfo uriInfo; +- +- @Context +- private HttpHeaders headers; +- +- @Context +- private Request request; +- +- @Context +- private HttpServletRequest servletRequest; +- + private final static String LOGGING_SIGNED_AUDIT_SECURITY_DATA_RETRIEVE_KEY = + "LOGGING_SIGNED_AUDIT_SECURITY_DATA_RETRIEVE_KEY_5"; + private final static String LOGGING_SIGNED_AUDIT_KEY_STATUS_CHANGE = +diff --git a/base/server/cms/src/org/dogtagpki/server/rest/AuditService.java b/base/server/cms/src/org/dogtagpki/server/rest/AuditService.java +index 76a5396..9af95d9 100644 +--- a/base/server/cms/src/org/dogtagpki/server/rest/AuditService.java ++++ b/base/server/cms/src/org/dogtagpki/server/rest/AuditService.java +@@ -26,12 +26,7 @@ import java.util.Map; + import java.util.TreeMap; + import java.util.TreeSet; + +-import javax.servlet.http.HttpServletRequest; +-import javax.ws.rs.core.Context; +-import javax.ws.rs.core.HttpHeaders; +-import javax.ws.rs.core.Request; + import javax.ws.rs.core.Response; +-import javax.ws.rs.core.UriInfo; + + import org.apache.commons.lang.StringUtils; + import org.jboss.resteasy.plugins.providers.atom.Link; +@@ -51,18 +46,6 @@ import com.netscape.cms.servlet.base.SubsystemService; + */ + public class AuditService extends SubsystemService implements AuditResource { + +- @Context +- private UriInfo uriInfo; +- +- @Context +- private HttpHeaders headers; +- +- @Context +- private Request request; +- +- @Context +- private HttpServletRequest servletRequest; +- + public AuditService() { + CMS.debug("AuditService.()"); + } +diff --git a/base/server/cms/src/org/dogtagpki/server/rest/GroupService.java b/base/server/cms/src/org/dogtagpki/server/rest/GroupService.java +index 9d127c8..4ee2810 100644 +--- a/base/server/cms/src/org/dogtagpki/server/rest/GroupService.java ++++ 
b/base/server/cms/src/org/dogtagpki/server/rest/GroupService.java +@@ -23,12 +23,7 @@ import java.net.URLEncoder; + import java.util.Enumeration; + import java.util.Map; + +-import javax.servlet.http.HttpServletRequest; +-import javax.ws.rs.core.Context; +-import javax.ws.rs.core.HttpHeaders; +-import javax.ws.rs.core.Request; + import javax.ws.rs.core.Response; +-import javax.ws.rs.core.UriInfo; + + import org.apache.commons.lang.StringUtils; + import org.jboss.resteasy.plugins.providers.atom.Link; +@@ -58,18 +53,6 @@ import com.netscape.cms.servlet.base.SubsystemService; + */ + public class GroupService extends SubsystemService implements GroupResource { + +- @Context +- private UriInfo uriInfo; +- +- @Context +- private HttpHeaders headers; +- +- @Context +- private Request request; +- +- @Context +- private HttpServletRequest servletRequest; +- + public IUGSubsystem userGroupManager = (IUGSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_UG); + + public GroupData createGroupData(IGroup group) throws Exception { +diff --git a/base/server/cms/src/org/dogtagpki/server/rest/SecurityDomainService.java b/base/server/cms/src/org/dogtagpki/server/rest/SecurityDomainService.java +index 3d708eb..3dccea1 100644 +--- a/base/server/cms/src/org/dogtagpki/server/rest/SecurityDomainService.java ++++ b/base/server/cms/src/org/dogtagpki/server/rest/SecurityDomainService.java +@@ -17,12 +17,7 @@ + // --- END COPYRIGHT BLOCK --- + package org.dogtagpki.server.rest; + +-import javax.servlet.http.HttpServletRequest; +-import javax.ws.rs.core.Context; +-import javax.ws.rs.core.HttpHeaders; +-import javax.ws.rs.core.Request; + import javax.ws.rs.core.Response; +-import javax.ws.rs.core.UriInfo; + + import com.netscape.certsrv.apps.CMS; + import com.netscape.certsrv.base.PKIException; +@@ -37,18 +32,6 @@ import com.netscape.cms.servlet.csadmin.SecurityDomainProcessor; + */ + public class SecurityDomainService extends PKIService implements SecurityDomainResource { + +- @Context +- private 
UriInfo uriInfo; +- +- @Context +- private HttpHeaders headers; +- +- @Context +- private Request request; +- +- @Context +- private HttpServletRequest servletRequest; +- + @Override + public Response getInstallToken(String hostname, String subsystem) { + CMS.debug("SecurityDomainService.getInstallToken(" + hostname + ", " + subsystem + ")"); +diff --git a/base/server/cms/src/org/dogtagpki/server/rest/SelfTestService.java b/base/server/cms/src/org/dogtagpki/server/rest/SelfTestService.java +index 9108a45..7cfe85f 100644 +--- a/base/server/cms/src/org/dogtagpki/server/rest/SelfTestService.java ++++ b/base/server/cms/src/org/dogtagpki/server/rest/SelfTestService.java +@@ -27,12 +27,7 @@ import java.util.ArrayList; + import java.util.Collection; + import java.util.Iterator; + +-import javax.servlet.http.HttpServletRequest; +-import javax.ws.rs.core.Context; +-import javax.ws.rs.core.HttpHeaders; +-import javax.ws.rs.core.Request; + import javax.ws.rs.core.Response; +-import javax.ws.rs.core.UriInfo; + + import org.jboss.resteasy.plugins.providers.atom.Link; + +@@ -53,18 +48,6 @@ import com.netscape.cms.servlet.base.PKIService; + */ + public class SelfTestService extends PKIService implements SelfTestResource { + +- @Context +- private UriInfo uriInfo; +- +- @Context +- private HttpHeaders headers; +- +- @Context +- private Request request; +- +- @Context +- private HttpServletRequest servletRequest; +- + public SelfTestService() { + CMS.debug("SelfTestService.()"); + } +diff --git a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java +index 18263f7..27a6817 100644 +--- a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java ++++ b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java +@@ -73,17 +67,6 @@ import netscape.security.x509.X509CertImpl; + * + */ + public class SystemConfigService extends PKIService implements SystemConfigResource { +- 
@Context +- public UriInfo uriInfo; +- +- @Context +- public HttpHeaders headers; +- +- @Context +- public Request request; +- +- @Context +- public HttpServletRequest servletRequest; + + public IConfigStore cs; + public String csType; +diff --git a/base/server/cms/src/org/dogtagpki/server/rest/UserService.java b/base/server/cms/src/org/dogtagpki/server/rest/UserService.java +index 529c472..eeadba5 100644 +--- a/base/server/cms/src/org/dogtagpki/server/rest/UserService.java ++++ b/base/server/cms/src/org/dogtagpki/server/rest/UserService.java +@@ -32,12 +32,7 @@ import java.util.Iterator; + import java.util.List; + import java.util.Map; + +-import javax.servlet.http.HttpServletRequest; +-import javax.ws.rs.core.Context; +-import javax.ws.rs.core.HttpHeaders; +-import javax.ws.rs.core.Request; + import javax.ws.rs.core.Response; +-import javax.ws.rs.core.UriInfo; + + import org.apache.commons.lang.StringUtils; + import org.jboss.resteasy.plugins.providers.atom.Link; +@@ -84,18 +79,6 @@ import netscape.security.x509.X509CertImpl; + */ + public class UserService extends SubsystemService implements UserResource { + +- @Context +- private UriInfo uriInfo; +- +- @Context +- private HttpHeaders headers; +- +- @Context +- private Request request; +- +- @Context +- private HttpServletRequest servletRequest; +- + public final static String BACK_SLASH = "\\"; + public final static String SYSTEM_USER = "$System$"; + +diff --git a/base/tks/src/org/dogtagpki/server/tks/rest/TPSConnectorService.java b/base/tks/src/org/dogtagpki/server/tks/rest/TPSConnectorService.java +index 9119d77..77aba1a 100644 +--- a/base/tks/src/org/dogtagpki/server/tks/rest/TPSConnectorService.java ++++ b/base/tks/src/org/dogtagpki/server/tks/rest/TPSConnectorService.java +@@ -12,10 +12,7 @@ import java.util.Iterator; + import java.util.List; + import java.util.TreeSet; + +-import javax.servlet.http.HttpServletRequest; +-import javax.ws.rs.core.Context; + import javax.ws.rs.core.Response; +-import 
javax.ws.rs.core.UriInfo; + + import org.apache.commons.lang.ArrayUtils; + import org.apache.commons.lang.StringUtils; +@@ -52,12 +49,6 @@ public class TPSConnectorService extends PKIService implements TPSConnectorResou + + IConfigStore cs = CMS.getConfigStore(); + +- @Context +- private UriInfo uriInfo; +- +- @Context +- private HttpServletRequest servletRequest; +- + public IUGSubsystem userGroupManager = (IUGSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_UG); + + @Override +diff --git a/base/tps/src/org/dogtagpki/server/tps/config/ConfigService.java b/base/tps/src/org/dogtagpki/server/tps/config/ConfigService.java +index 8309a2f..e9590e6 100644 +--- a/base/tps/src/org/dogtagpki/server/tps/config/ConfigService.java ++++ b/base/tps/src/org/dogtagpki/server/tps/config/ConfigService.java +@@ -23,12 +23,7 @@ import java.net.URI; + import java.util.HashMap; + import java.util.Map; + +-import javax.servlet.http.HttpServletRequest; +-import javax.ws.rs.core.Context; +-import javax.ws.rs.core.HttpHeaders; +-import javax.ws.rs.core.Request; + import javax.ws.rs.core.Response; +-import javax.ws.rs.core.UriInfo; + + import org.jboss.resteasy.plugins.providers.atom.Link; + +@@ -45,18 +40,6 @@ import com.netscape.cms.servlet.base.SubsystemService; + */ + public class ConfigService extends SubsystemService implements ConfigResource { + +- @Context +- private UriInfo uriInfo; +- +- @Context +- private HttpHeaders headers; +- +- @Context +- private Request request; +- +- @Context +- private HttpServletRequest servletRequest; +- + public ConfigService() { + CMS.debug("ConfigService.()"); + } +diff --git a/base/tps/src/org/dogtagpki/server/tps/rest/ActivityService.java b/base/tps/src/org/dogtagpki/server/tps/rest/ActivityService.java +index 90029ea..37a3083 100644 +--- a/base/tps/src/org/dogtagpki/server/tps/rest/ActivityService.java ++++ b/base/tps/src/org/dogtagpki/server/tps/rest/ActivityService.java +@@ -23,12 +23,7 @@ import java.net.URI; + import java.net.URLEncoder; + import 
java.util.Iterator; + +-import javax.servlet.http.HttpServletRequest; +-import javax.ws.rs.core.Context; +-import javax.ws.rs.core.HttpHeaders; +-import javax.ws.rs.core.Request; + import javax.ws.rs.core.Response; +-import javax.ws.rs.core.UriInfo; + + import org.dogtagpki.server.tps.TPSSubsystem; + import org.dogtagpki.server.tps.dbs.ActivityDatabase; +@@ -49,18 +44,6 @@ import com.netscape.cms.servlet.base.PKIService; + */ + public class ActivityService extends PKIService implements ActivityResource { + +- @Context +- private UriInfo uriInfo; +- +- @Context +- private HttpHeaders headers; +- +- @Context +- private Request request; +- +- @Context +- private HttpServletRequest servletRequest; +- + public ActivityService() { + CMS.debug("ActivityService.()"); + } +diff --git a/base/tps/src/org/dogtagpki/server/tps/rest/AuthenticatorService.java b/base/tps/src/org/dogtagpki/server/tps/rest/AuthenticatorService.java +index 424cd14..50453ee 100644 +--- a/base/tps/src/org/dogtagpki/server/tps/rest/AuthenticatorService.java ++++ b/base/tps/src/org/dogtagpki/server/tps/rest/AuthenticatorService.java +@@ -26,12 +26,7 @@ import java.util.HashMap; + import java.util.Iterator; + import java.util.Map; + +-import javax.servlet.http.HttpServletRequest; +-import javax.ws.rs.core.Context; +-import javax.ws.rs.core.HttpHeaders; +-import javax.ws.rs.core.Request; + import javax.ws.rs.core.Response; +-import javax.ws.rs.core.UriInfo; + + import org.apache.commons.lang.StringUtils; + import org.dogtagpki.server.tps.TPSSubsystem; +@@ -55,18 +50,6 @@ import com.netscape.cms.servlet.base.SubsystemService; + */ + public class AuthenticatorService extends SubsystemService implements AuthenticatorResource { + +- @Context +- private UriInfo uriInfo; +- +- @Context +- private HttpHeaders headers; +- +- @Context +- private Request request; +- +- @Context +- private HttpServletRequest servletRequest; +- + public AuthenticatorService() { + CMS.debug("AuthenticatorService.()"); + } +diff --git 
a/base/tps/src/org/dogtagpki/server/tps/rest/ConnectorService.java b/base/tps/src/org/dogtagpki/server/tps/rest/ConnectorService.java +index c789f14..01bc132 100644 +--- a/base/tps/src/org/dogtagpki/server/tps/rest/ConnectorService.java ++++ b/base/tps/src/org/dogtagpki/server/tps/rest/ConnectorService.java +@@ -26,12 +26,7 @@ import java.util.HashMap; + import java.util.Iterator; + import java.util.Map; + +-import javax.servlet.http.HttpServletRequest; +-import javax.ws.rs.core.Context; +-import javax.ws.rs.core.HttpHeaders; +-import javax.ws.rs.core.Request; + import javax.ws.rs.core.Response; +-import javax.ws.rs.core.UriInfo; + + import org.apache.commons.lang.StringUtils; + import org.dogtagpki.server.tps.TPSSubsystem; +@@ -55,18 +50,6 @@ import com.netscape.cms.servlet.base.SubsystemService; + */ + public class ConnectorService extends SubsystemService implements ConnectorResource { + +- @Context +- private UriInfo uriInfo; +- +- @Context +- private HttpHeaders headers; +- +- @Context +- private Request request; +- +- @Context +- private HttpServletRequest servletRequest; +- + public ConnectorService() { + CMS.debug("ConnectorService.()"); + } +diff --git a/base/tps/src/org/dogtagpki/server/tps/rest/ProfileMappingService.java b/base/tps/src/org/dogtagpki/server/tps/rest/ProfileMappingService.java +index eca1803..2c070c0 100644 +--- a/base/tps/src/org/dogtagpki/server/tps/rest/ProfileMappingService.java ++++ b/base/tps/src/org/dogtagpki/server/tps/rest/ProfileMappingService.java +@@ -26,12 +26,7 @@ import java.util.HashMap; + import java.util.Iterator; + import java.util.Map; + +-import javax.servlet.http.HttpServletRequest; +-import javax.ws.rs.core.Context; +-import javax.ws.rs.core.HttpHeaders; +-import javax.ws.rs.core.Request; + import javax.ws.rs.core.Response; +-import javax.ws.rs.core.UriInfo; + + import org.apache.commons.lang.StringUtils; + import org.dogtagpki.server.tps.TPSSubsystem; +@@ -55,18 +50,6 @@ import 
com.netscape.cms.servlet.base.SubsystemService; + */ + public class ProfileMappingService extends SubsystemService implements ProfileMappingResource { + +- @Context +- private UriInfo uriInfo; +- +- @Context +- private HttpHeaders headers; +- +- @Context +- private Request request; +- +- @Context +- private HttpServletRequest servletRequest; +- + public ProfileMappingService() { + CMS.debug("ProfileMappingService.()"); + } +diff --git a/base/tps/src/org/dogtagpki/server/tps/rest/ProfileService.java b/base/tps/src/org/dogtagpki/server/tps/rest/ProfileService.java +index b769134..8058caf 100644 +--- a/base/tps/src/org/dogtagpki/server/tps/rest/ProfileService.java ++++ b/base/tps/src/org/dogtagpki/server/tps/rest/ProfileService.java +@@ -26,12 +26,7 @@ import java.util.HashMap; + import java.util.Iterator; + import java.util.Map; + +-import javax.servlet.http.HttpServletRequest; +-import javax.ws.rs.core.Context; +-import javax.ws.rs.core.HttpHeaders; +-import javax.ws.rs.core.Request; + import javax.ws.rs.core.Response; +-import javax.ws.rs.core.UriInfo; + + import org.apache.commons.lang.StringUtils; + import org.dogtagpki.server.tps.TPSSubsystem; +@@ -55,18 +50,6 @@ import com.netscape.cms.servlet.base.SubsystemService; + */ + public class ProfileService extends SubsystemService implements ProfileResource { + +- @Context +- private UriInfo uriInfo; +- +- @Context +- private HttpHeaders headers; +- +- @Context +- private Request request; +- +- @Context +- private HttpServletRequest servletRequest; +- + public ProfileService() { + CMS.debug("ProfileService.()"); + } +diff --git a/base/tps/src/org/dogtagpki/server/tps/rest/TPSCertService.java b/base/tps/src/org/dogtagpki/server/tps/rest/TPSCertService.java +index 074d3d0..9b62752 100644 +--- a/base/tps/src/org/dogtagpki/server/tps/rest/TPSCertService.java ++++ b/base/tps/src/org/dogtagpki/server/tps/rest/TPSCertService.java +@@ -25,12 +25,7 @@ import java.util.HashMap; + import java.util.Iterator; + import 
java.util.Map; + +-import javax.servlet.http.HttpServletRequest; +-import javax.ws.rs.core.Context; +-import javax.ws.rs.core.HttpHeaders; +-import javax.ws.rs.core.Request; + import javax.ws.rs.core.Response; +-import javax.ws.rs.core.UriInfo; + + import org.dogtagpki.server.tps.TPSSubsystem; + import org.dogtagpki.server.tps.dbs.TPSCertDatabase; +@@ -50,18 +45,6 @@ import com.netscape.cms.servlet.base.PKIService; + */ + public class TPSCertService extends PKIService implements TPSCertResource { + +- @Context +- private UriInfo uriInfo; +- +- @Context +- private HttpHeaders headers; +- +- @Context +- private Request request; +- +- @Context +- private HttpServletRequest servletRequest; +- + public TPSCertService() { + CMS.debug("TPSCertService.()"); + } +diff --git a/base/tps/src/org/dogtagpki/server/tps/rest/TokenService.java b/base/tps/src/org/dogtagpki/server/tps/rest/TokenService.java +index a624e2a..f3d0d80 100644 +--- a/base/tps/src/org/dogtagpki/server/tps/rest/TokenService.java ++++ b/base/tps/src/org/dogtagpki/server/tps/rest/TokenService.java +@@ -29,12 +29,7 @@ import java.util.Map; + import java.util.MissingResourceException; + import java.util.ResourceBundle; + +-import javax.servlet.http.HttpServletRequest; +-import javax.ws.rs.core.Context; +-import javax.ws.rs.core.HttpHeaders; +-import javax.ws.rs.core.Request; + import javax.ws.rs.core.Response; +-import javax.ws.rs.core.UriInfo; + + import org.apache.commons.lang.StringUtils; + import org.dogtagpki.server.tps.TPSSubsystem; +@@ -64,18 +59,6 @@ import netscape.ldap.LDAPException; + */ + public class TokenService extends SubsystemService implements TokenResource { + +- @Context +- private UriInfo uriInfo; +- +- @Context +- private HttpHeaders headers; +- +- @Context +- private Request request; +- +- @Context +- private HttpServletRequest servletRequest; +- + public TokenService() throws Exception { + CMS.debug("TokenService.()"); + } +-- +1.8.3.1 + + +From 6749f6bffe92743373d4b86bbd05e5a957e74d96 
Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Fri, 31 Mar 2017 18:42:56 +0200 +Subject: [PATCH 12/59] Refactored AuditCLI. + +The AuditCLI has been modified to create the AuditClient with lazy +initialization. + +Change-Id: I61b08e92a2f2de983fc77513dde89e1d5e1254b9 +--- + base/common/src/com/netscape/certsrv/tps/TPSClient.java | 2 -- + .../java-tools/src/com/netscape/cmstools/logging/AuditCLI.java | 10 +++++++--- + 2 files changed, 7 insertions(+), 5 deletions(-) + +diff --git a/base/common/src/com/netscape/certsrv/tps/TPSClient.java b/base/common/src/com/netscape/certsrv/tps/TPSClient.java +index da00225..19273f7 100644 +--- a/base/common/src/com/netscape/certsrv/tps/TPSClient.java ++++ b/base/common/src/com/netscape/certsrv/tps/TPSClient.java +@@ -23,7 +23,6 @@ import com.netscape.certsrv.client.PKIClient; + import com.netscape.certsrv.client.SubsystemClient; + import com.netscape.certsrv.group.GroupClient; + import com.netscape.certsrv.logging.ActivityClient; +-import com.netscape.certsrv.logging.AuditClient; + import com.netscape.certsrv.selftests.SelfTestClient; + import com.netscape.certsrv.tps.authenticator.AuthenticatorClient; + import com.netscape.certsrv.tps.cert.TPSCertClient; +@@ -46,7 +45,6 @@ public class TPSClient extends SubsystemClient { + + public void init() throws URISyntaxException { + addClient(new ActivityClient(client, name)); +- addClient(new AuditClient(client, name)); + addClient(new AuthenticatorClient(client, name)); + addClient(new TPSCertClient(client, name)); + addClient(new ConfigClient(client, name)); +diff --git a/base/java-tools/src/com/netscape/cmstools/logging/AuditCLI.java b/base/java-tools/src/com/netscape/cmstools/logging/AuditCLI.java +index 1e2273e..ff489dc 100644 +--- a/base/java-tools/src/com/netscape/cmstools/logging/AuditCLI.java ++++ b/base/java-tools/src/com/netscape/cmstools/logging/AuditCLI.java +@@ -27,16 +27,20 @@ import com.netscape.certsrv.client.PKIClient; + import 
com.netscape.certsrv.logging.AuditClient; + import com.netscape.certsrv.logging.AuditConfig; + import com.netscape.cmstools.cli.CLI; ++import com.netscape.cmstools.cli.SubsystemCLI; + + /** + * @author Endi S. Dewata + */ + public class AuditCLI extends CLI { + ++ public SubsystemCLI subsystemCLI; + public AuditClient auditClient; + +- public AuditCLI(CLI parent) { +- super("audit", "Audit management commands", parent); ++ public AuditCLI(SubsystemCLI subsystemCLI) { ++ super("audit", "Audit management commands", subsystemCLI); ++ ++ this.subsystemCLI = subsystemCLI; + + addModule(new AuditModifyCLI(this)); + addModule(new AuditShowCLI(this)); +@@ -52,7 +56,7 @@ public class AuditCLI extends CLI { + if (auditClient != null) return auditClient; + + PKIClient client = getClient(); +- auditClient = (AuditClient)parent.getClient("audit"); ++ auditClient = new AuditClient(client, subsystemCLI.getName()); + + return auditClient; + } +-- +1.8.3.1 + + +From 136d22953d05c459986a98465e4266bac37b44dc Mon Sep 17 00:00:00 2001 +From: Ade Lee +Date: Wed, 29 Mar 2017 10:46:22 -0400 +Subject: [PATCH 14/59] Fix generation of CRMF request for ECC keys + +Old CRMFPopClients add the OID for ECC public keys in the encryption +algorithm OID for no obvious reason (considering the OID was never +read on the server side to begin with). + +Now that we do read and use that field, we need to set it properly, +and also special case on the server side to handle old clients. 
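Review bot: `public SubsystemCLI subsystemCLI;` in the first AuditCLI hunk is assigned exactly once in the constructor and thereafter only read by the lazy `new AuditClient(client, subsystemCLI.getName())` in the second hunk, so `protected final SubsystemCLI subsystemCLI;` would state that contract and stop a caller from swapping the parent after the client has been created against the old name. The neighbouring `auditClient` field is pre-existing and public, so this may just be following local convention; if so, a one-line comment `// parent subsystem; fixes the name used to build the audit client` on the new field still helps. The class body of AuditCLI continues outside both hunks.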
+ +Change-Id: I0d753e572206e9062746c879ce683978e5e657bd +--- + .../src/com/netscape/cmstools/CRMFPopClient.java | 16 +--------------- + base/util/src/netscape/security/util/WrappingParams.java | 11 ++++++++++- + 2 files changed, 11 insertions(+), 16 deletions(-) + +diff --git a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java +index 901528c..9d81a72 100644 +--- a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java ++++ b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java +@@ -562,7 +562,7 @@ public class CRMFPopClient { + } + + byte[] iv = CryptoUtil.getNonceData(encryptAlg.getIVLength()); +- AlgorithmIdentifier aid = getAlgorithmId(algorithm, encryptAlg, iv); ++ AlgorithmIdentifier aid = new AlgorithmIdentifier(encryptAlg.toOID(), new OCTET_STRING(iv)); + WrappingParams params = getWrappingParams(encryptAlg, iv); + + PKIArchiveOptions opts = CryptoUtil.createPKIArchiveOptions( +@@ -600,20 +600,6 @@ public class CRMFPopClient { + } + } + +- private AlgorithmIdentifier getAlgorithmId(String algorithm, EncryptionAlgorithm encryptAlg, byte[] iv) +- throws Exception { +- AlgorithmIdentifier aid; +- if (algorithm.equals("rsa")) { +- aid = new AlgorithmIdentifier(encryptAlg.toOID(), new OCTET_STRING(iv)); +- } else if (algorithm.equals("ec")) { +- // TODO(alee) figure out what this should be for ECC +- aid = new AlgorithmIdentifier(new OBJECT_IDENTIFIER("1.2.840.10045.2.1"), new OCTET_STRING(iv)); +- } else { +- throw new Exception("Unknown algorithm: " + algorithm); +- } +- return aid; +- } +- + public OCTET_STRING createIDPOPLinkWitness() throws Exception { + + String secretValue = "testing"; +diff --git a/base/util/src/netscape/security/util/WrappingParams.java b/base/util/src/netscape/security/util/WrappingParams.java +index b2814a3..8fe5df6 100644 +--- a/base/util/src/netscape/security/util/WrappingParams.java ++++ b/base/util/src/netscape/security/util/WrappingParams.java 
+@@ -58,7 +58,16 @@ public class WrappingParams { + + public WrappingParams(String encryptOID, String wrapName, String priKeyAlgo, IVParameterSpec encryptIV, IVParameterSpec wrapIV) + throws NumberFormatException, NoSuchAlgorithmException { +- EncryptionAlgorithm encrypt = EncryptionAlgorithm.fromOID(new OBJECT_IDENTIFIER(encryptOID)); ++ EncryptionAlgorithm encrypt = null; ++ OBJECT_IDENTIFIER eccOID = new OBJECT_IDENTIFIER("1.2.840.10045.2.1"); ++ if (encryptOID.equals(eccOID.toString())) { ++ // old CRMFPopClients send this OID for ECC Keys for no apparent reason. ++ // New clients set this correctly. ++ // We'll assume the old DES3 wrapping here. ++ encrypt = EncryptionAlgorithm.DES_CBC_PAD; ++ } else { ++ encrypt = EncryptionAlgorithm.fromOID(new OBJECT_IDENTIFIER(encryptOID)); ++ } + + KeyWrapAlgorithm wrap = null; + if (wrapName != null) { +-- +1.8.3.1 + + +From 2d77ca150ee17238f4b137e3987a69e888141d51 Mon Sep 17 00:00:00 2001 +From: Ade Lee +Date: Wed, 29 Mar 2017 12:27:46 -0400 +Subject: [PATCH 15/59] Change default key size for KRA storage unit to 128 + +Most of the research out there seems to indicate that AES-128 is +more than sufficient for security. Use this as default. 
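Review bot: The comment in the new branch says the fallback is "the old DES3 wrapping", but the constant assigned is `EncryptionAlgorithm.DES_CBC_PAD`; if the JSS enum distinguishes `DES_CBC_PAD` from `DES3_CBC_PAD` (it does in the versions I know), this selects single DES rather than the triple-DES scheme that wrapping.0 in the KRA CS.cfg spells as `DES3/CBC/Pad`, so `encrypt = EncryptionAlgorithm.DES3_CBC_PAD;` is probably what was meant — confirm against what the old CRMFPopClient actually wrapped with. The `eccOID` object is built and stringified on every constructor call; a `private static final String LEGACY_ECC_OID = "1.2.840.10045.2.1";` compared with `encryptOID.equals(LEGACY_ECC_OID)` is cheaper and reads more clearly, and the `= null` initialiser on `encrypt` is dead since both branches assign it. Logging when the legacy branch is taken would keep requests from old clients visible for the day this compatibility path is removed. The constructor continues past the end of the hunk.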
+ +Change-Id: Ie333282eacc5ce628c90296561e4cd6a76dcbd8e +--- + base/kra/shared/conf/CS.cfg | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/base/kra/shared/conf/CS.cfg b/base/kra/shared/conf/CS.cfg +index 045a823..bd49a8d 100644 +--- a/base/kra/shared/conf/CS.cfg ++++ b/base/kra/shared/conf/CS.cfg +@@ -279,7 +279,7 @@ kra.storageUnit.wrapping.0.payloadEncryptionIV=AQEBAQEBAQE= + kra.storageUnit.wrapping.0.payloadWrapAlgorithm=DES3/CBC/Pad + kra.storageUnit.wrapping.0.payloadWrapIV=AQEBAQEBAQE= + kra.storageUnit.wrapping.0.sessionKeyType=DESede +-kra.storageUnit.wrapping.1.sessionKeyLength=256 ++kra.storageUnit.wrapping.1.sessionKeyLength=128 + kra.storageUnit.wrapping.1.sessionKeyWrapAlgorithm=RSA + kra.storageUnit.wrapping.1.payloadEncryptionPadding=PKCS5Padding + kra.storageUnit.wrapping.1.sessionKeyKeyGenAlgorithm=AES +-- +1.8.3.1 + + +From 5dfd6e1c3cc38b5fbfdc4e96476934219f53e13f Mon Sep 17 00:00:00 2001 +From: Ade Lee +Date: Mon, 3 Apr 2017 12:43:05 -0400 +Subject: [PATCH 16/59] Added python info client + +Add python client code to read from the InfoResource class and get +the server version. As the PKIConnection in the python client +currently requires a subsystem, it is difficult to add an infoclient +to an existing KRAClient (or any other client). + +To get around this, I modified the PKIConnection to allow using the +rootURI. 
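Review bot: The new default `kra.storageUnit.wrapping.1.sessionKeyLength=128` carries no comment in CS.cfg, so the rationale in the commit message ("AES-128 is more than sufficient") is lost to anyone reading the deployed config; a line such as `# 128-bit AES session keys by default; raise to 256 if local policy requires` above the key would preserve it. This file looks like the template for new instances, so existing KRA instances presumably keep 256 until their own CS.cfg is edited, and records wrapped under either length remain recoverable only if the length is recorded per archived key rather than read from this setting at unwrap time — worth confirming before the default changes.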
+ +Change-Id: Ided75f45f741e2ba3fc86acec715d24b829c8a97 +--- + base/common/python/pki/client.py | 51 ++++++++++++++++----- + base/common/python/pki/info.py | 98 ++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 138 insertions(+), 11 deletions(-) + create mode 100644 base/common/python/pki/info.py + +diff --git a/base/common/python/pki/client.py b/base/common/python/pki/client.py +index 90ca4fe..805d0fa 100644 +--- a/base/common/python/pki/client.py ++++ b/base/common/python/pki/client.py +@@ -78,9 +78,8 @@ class PKIConnection: + self.port = port + self.subsystem = subsystem + +- self.serverURI = self.protocol + '://' + \ +- self.hostname + ':' + self.port + '/' + \ +- self.subsystem ++ self.rootURI = self.protocol + '://' + self.hostname + ':' + self.port ++ self.serverURI = self.rootURI + '/' + self.subsystem + + self.session = requests.Session() + self.session.trust_env = trust_env +@@ -125,7 +124,8 @@ class PKIConnection: + self.session.cert = pem_cert_path + + @catch_insecure_warning +- def get(self, path, headers=None, params=None, payload=None): ++ def get(self, path, headers=None, params=None, payload=None, ++ use_root_uri=False): + """ + Uses python-requests to issue a GET request to the server. + +@@ -137,12 +137,19 @@ class PKIConnection: + :type params: dict or bytes + :param payload: data to be sent in the body of the request + :type payload: dict, bytes, file-like object ++ :param use_root_uri: use root URI instead of subsystem URI as base ++ :type use_root_uri: boolean + :returns: request.response -- response from the server + :raises: Exception from python-requests in case the GET was not + successful, or returns an error code. 
+ """ ++ if use_root_uri: ++ target_path = self.rootURI + path ++ else: ++ target_path = self.serverURI + path ++ + r = self.session.get( +- self.serverURI + path, ++ target_path, + verify=False, + headers=headers, + params=params, +@@ -151,7 +158,8 @@ class PKIConnection: + return r + + @catch_insecure_warning +- def post(self, path, payload, headers=None, params=None): ++ def post(self, path, payload, headers=None, params=None, ++ use_root_uri=False): + """ + Uses python-requests to issue a POST request to the server. + +@@ -163,12 +171,19 @@ class PKIConnection: + :type headers: dict + :param params: Query parameters for the POST request + :type params: dict or bytes ++ :param use_root_uri: use root URI instead of subsystem URI as base ++ :type use_root_uri: boolean + :returns: request.response -- response from the server + :raises: Exception from python-requests in case the POST was not + successful, or returns an error code. + """ ++ if use_root_uri: ++ target_path = self.rootURI + path ++ else: ++ target_path = self.serverURI + path ++ + r = self.session.post( +- self.serverURI + path, ++ target_path, + verify=False, + data=payload, + headers=headers, +@@ -177,7 +192,7 @@ class PKIConnection: + return r + + @catch_insecure_warning +- def put(self, path, payload, headers=None): ++ def put(self, path, payload, headers=None, use_root_uri=False): + """ + Uses python-requests to issue a PUT request to the server. + +@@ -187,16 +202,23 @@ class PKIConnection: + :type payload: dict, bytes, file-like object + :param headers: headers for the PUT request + :type headers: dict ++ :param use_root_uri: use root URI instead of subsystem URI as base ++ :type use_root_uri: boolean + :returns: request.response -- response from the server + :raises: Exception from python-requests in case the PUT was not + successful, or returns an error code. 
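Review bot: The same `if use_root_uri: target_path = self.rootURI + path` / `else: target_path = self.serverURI + path` block is now repeated in get(), post(), put() and delete() (the hunks at -125, -151, -177 and -204); one private helper would keep the four call sites identical and give the base-selection rule a single home. Each method concatenates `path` onto the base with no separator, so callers must pass a leading slash — already true of serverURI, but the new `:param use_root_uri:` line is the natural place to say `path must start with '/'`. The new root-URI path also inherits the surrounding `verify=False`, so the Info endpoint is fetched without server-certificate checking; that is pre-existing behaviour, but the footprint of it grows with this change.
```python
    def _target_url(self, path, use_root_uri):
        """Return path joined to the root URI or the subsystem URI."""
        base = self.rootURI if use_root_uri else self.serverURI
        return base + path

    @catch_insecure_warning
    def get(self, path, headers=None, params=None, payload=None,
            use_root_uri=False):
        # … unchanged: docstring …
        r = self.session.get(
            self._target_url(path, use_root_uri),
            # … unchanged: verify/headers/params/data kwargs …
```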
+ """ +- r = self.session.put(self.serverURI + path, payload, headers=headers) ++ if use_root_uri: ++ target_path = self.rootURI + path ++ else: ++ target_path = self.serverURI + path ++ ++ r = self.session.put(target_path, payload, headers=headers) + r.raise_for_status() + return r + + @catch_insecure_warning +- def delete(self, path, headers=None): ++ def delete(self, path, headers=None, use_root_uri=False): + """ + Uses python-requests to issue a DEL request to the server. + +@@ -204,11 +226,18 @@ class PKIConnection: + :type path: str + :param headers: headers for the DEL request + :type headers: dict ++ :param use_root_uri: use root URI instead of subsystem URI as base ++ :type use_root_uri: boolean + :returns: request.response -- response from the server + :raises: Exception from python-requests in case the DEL was not + successful, or returns an error code. + """ +- r = self.session.delete(self.serverURI + path, headers=headers) ++ if use_root_uri: ++ target_path = self.rootURI + path ++ else: ++ target_path = self.serverURI + path ++ ++ r = self.session.delete(target_path, headers=headers) + r.raise_for_status() + return r + +diff --git a/base/common/python/pki/info.py b/base/common/python/pki/info.py +new file mode 100644 +index 0000000..65d4825 +--- /dev/null ++++ b/base/common/python/pki/info.py +@@ -0,0 +1,98 @@ ++# This program is free software; you can redistribute it and/or modify ++# it under the terms of the Lesser GNU General Public License as published by ++# the Free Software Foundation; either version 3 of the License or ++# (at your option) any later version. ++# ++# This program is distributed in the hope that it will be useful, ++# but WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++# GNU Lesser General Public License for more details. 
++# ++# You should have received a copy of the GNU Lesser General Public License ++# along with this program; if not, write to the Free Software Foundation, ++# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. ++# ++# Copyright (C) 2013 Red Hat, Inc. ++# All rights reserved. ++# ++# Author: ++# Ade Lee ++# ++""" ++Module containing the Python client classes for the InfoClient ++""" ++from six import iteritems ++ ++import pki ++ ++ ++class Info(object): ++ """ ++ This class encapsulates the parameters returned by the server's ++ InfoService. ++ """ ++ ++ json_attribute_names = { ++ 'Version': 'version', ++ 'Banner': 'banner' ++ } ++ ++ def __init__(self, version=None, banner=None): ++ """ Constructor """ ++ self.version = version ++ self.banner = banner ++ ++ @classmethod ++ def from_json(cls, attr_list): ++ """ Return Info from JSON dict """ ++ info = cls() ++ for k, v in iteritems(attr_list): ++ if k in Info.json_attribute_names: ++ setattr(info, Info.json_attribute_names[k], v) ++ else: ++ setattr(info, k, v) ++ return info ++ ++ ++class Version(object): ++ """ ++ This class encapsulates a version object as returned from ++ a Dogtag server and decomposes it into major, minor, etc. ++ """ ++ ++ def __init__(self, version_string): ++ for idx, val in enumerate(version_string.split('.')): ++ if idx == 0: ++ self.major = val ++ if idx == 1: ++ self.minor = val ++ if idx == 2: ++ self.patch = val ++ ++ ++class InfoClient(object): ++ """ ++ Class encapsulating and mirroring the functionality in the ++ InfoResource Java interface class defining the REST API for ++ server Info resources. 
++ """ ++ ++ def __init__(self, connection): ++ """ Constructor """ ++ self.connection = connection ++ ++ @pki.handle_exceptions() ++ def get_info(self): ++ """ Return an Info object form a PKI server """ ++ ++ url = '/pki/rest/info' ++ headers = {'Content-type': 'application/json', ++ 'Accept': 'application/json'} ++ r = self.connection.get(url, headers, use_root_uri=True) ++ return Info.from_json(r.json()) ++ ++ @pki.handle_exceptions() ++ def get_version(self): ++ """ return Version object from server """ ++ version_string = self.get_info().version ++ return Version(version_string) +-- +1.8.3.1 + + +From a76ac1ca0472afb6931b9e3be156f1c057fcb161 Mon Sep 17 00:00:00 2001 +From: Ade Lee +Date: Mon, 3 Apr 2017 12:53:26 -0400 +Subject: [PATCH 17/59] Add util code to source environment files + +This is needed to set the same environment as the pki CLI +and pick up any client specific changes. + +Change-Id: I92b4df75f2e3ee5112499a1d138e7e649a1214fc +--- + base/common/python/pki/util.py | 28 ++++++++++++++++++++++++++++ + 1 file changed, 28 insertions(+) + +diff --git a/base/common/python/pki/util.py b/base/common/python/pki/util.py +index 68118f4..02ecde8 100644 +--- a/base/common/python/pki/util.py ++++ b/base/common/python/pki/util.py +@@ -32,6 +32,11 @@ try: + except ImportError: + WindowsError = None + ++import subprocess ++ ++DEFAULT_PKI_ENV_LIST = ['/usr/share/pki/etc/pki.conf', ++ '/etc/pki/pki.conf'] ++ + + def copy(source, dest): + """ +@@ -245,3 +250,26 @@ def copytree(src, dst, symlinks=False, ignore=None): + errors.extend((src, dst, str(why))) + if errors: + raise Error(errors) ++ ++ ++def read_environment_files(env_file_list=None): ++ if env_file_list is None: ++ env_file_list = DEFAULT_PKI_ENV_LIST ++ ++ file_command = '' ++ for env_file in env_file_list: ++ file_command += "source " + env_file + " && " ++ file_command += "env" ++ ++ command = [ ++ 'bash', ++ '-c', ++ file_command ++ ] ++ ++ env_vals = subprocess.check_output(command).split('\n') ++ ++ 
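Review bot: `Version.__init__` only assigns `major`, `minor` and `patch` inside the loop, so a server that reports a one- or two-component version yields an object missing attributes that later readers trip over, and a missing `Version` key leaves `Info.version` as None so `.split` raises AttributeError; setting `self.major = self.minor = self.patch = None` before the loop and guarding `version_string is None` closes both. The components stay strings, so any comparison is lexicographic ('10' sorts before '9'); converting with `int()` where a part is purely numeric would be safer, though version suffixes would need handling. `Info.from_json` copies every unknown key from the server's JSON onto the instance with `setattr`, which lets a response define attributes that shadow `from_json` or `json_attribute_names`; dropping unknown keys, or collecting them into a dict, keeps the object's shape under the client's control. The `get_info` docstring has a typo: `form a PKI server` → `from a PKI server`.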
for env_val in env_vals: ++ (key, _, value) = env_val.partition("=") ++ os.environ[key] = value ++ +-- +1.8.3.1 + + +From 8e7653987bf592ae6a5968fc0c5ef6696f13d348 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Tue, 28 Mar 2017 00:15:28 +0200 +Subject: [PATCH 19/59] Added audit service and CLI to all subsystems. + +Previously the audit service and CLI were only available on TPS. +Now they have been added to all subsystems. + +Change-Id: I3b472254641eb887289c5122df390c46ccd97d47 +--- + base/ca/shared/conf/acl.properties | 5 +++++ + base/ca/shared/conf/auth-method.properties | 1 + + base/ca/shared/webapps/ca/WEB-INF/web.xml | 13 +++++++++++++ + base/ca/src/org/dogtagpki/server/ca/rest/CAApplication.java | 4 ++++ + base/java-tools/src/com/netscape/cmstools/cli/CACLI.java | 2 ++ + base/java-tools/src/com/netscape/cmstools/cli/KRACLI.java | 2 ++ + base/java-tools/src/com/netscape/cmstools/cli/OCSPCLI.java | 2 ++ + base/java-tools/src/com/netscape/cmstools/cli/TKSCLI.java | 2 ++ + base/kra/shared/conf/acl.properties | 5 +++++ + base/kra/shared/conf/auth-method.properties | 1 + + base/kra/shared/webapps/kra/WEB-INF/web.xml | 13 +++++++++++++ + .../src/org/dogtagpki/server/kra/rest/KRAApplication.java | 4 ++++ + base/ocsp/shared/conf/acl.properties | 5 +++++ + base/ocsp/shared/conf/auth-method.properties | 1 + + base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml | 13 +++++++++++++ + .../src/org/dogtagpki/server/ocsp/rest/OCSPApplication.java | 4 ++++ + base/tks/shared/conf/acl.properties | 5 +++++ + base/tks/shared/conf/auth-method.properties | 1 + + base/tks/shared/webapps/tks/WEB-INF/web.xml | 13 +++++++++++++ + .../src/org/dogtagpki/server/tks/rest/TKSApplication.java | 4 ++++ + base/tps/shared/conf/acl.properties | 7 +++++-- + 21 files changed, 105 insertions(+), 2 deletions(-) + +diff --git a/base/ca/shared/conf/acl.properties b/base/ca/shared/conf/acl.properties +index 8b3e9d0..c487e48 100644 +--- a/base/ca/shared/conf/acl.properties ++++ 
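Review bot: `read_environment_files` splices each path into a `bash -c` string with `"source " + env_file + " && "` and no quoting, so a path containing whitespace or shell metacharacters alters the command instead of failing; each entry should go through `shlex.quote` (`pipes.quote` on Python 2, which this package still supports via six), and a docstring should state that the listed files are executed by bash and must therefore be trusted, root-owned files. On Python 3 `subprocess.check_output` returns bytes, so `.split('\n')` raises TypeError, and on either version the trailing empty string from the split reaches `os.environ[''] = ''`, which raises ValueError; a line without `=` (the continuation of a multi-line value) would likewise be stored under a bogus key. The function has no docstring at all. In the earlier hunk `import subprocess` sits after the `WindowsError` try/except rather than in the top import group.
```python
def read_environment_files(env_file_list=None):
    """
    Source each file in env_file_list with bash and copy the resulting
    environment into os.environ.

    The files are executed as shell scripts, so only trusted (e.g.
    root-owned) files may be listed. Defaults to DEFAULT_PKI_ENV_LIST.
    """
    if env_file_list is None:
        env_file_list = DEFAULT_PKI_ENV_LIST

    # quote() is shlex.quote (pipes.quote on Python 2); an empty list
    # degrades to plain 'env' as before
    parts = ['source ' + quote(env_file) for env_file in env_file_list]
    parts.append('env')
    file_command = ' && '.join(parts)

    output = subprocess.check_output(['bash', '-c', file_command])
    if not isinstance(output, str):
        output = output.decode('utf-8')

    for env_val in output.split('\n'):
        if '=' not in env_val:
            # trailing blank line, or a continuation of a multi-line value
            continue
        key, _, value = env_val.partition('=')
        os.environ[key] = value
```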
b/base/ca/shared/conf/acl.properties +@@ -7,6 +7,11 @@ + + account.login = certServer.ca.account,login + account.logout = certServer.ca.account,logout ++ ++# audit configuration ++audit.read = certServer.log.configuration,read ++audit.modify = certServer.log.configuration,modify ++ + certs = certServer.ca.certs,execute + certrequests = certServer.ca.certrequests,execute + groups = certServer.ca.groups,execute +diff --git a/base/ca/shared/conf/auth-method.properties b/base/ca/shared/conf/auth-method.properties +index 8d67690..f7b203d 100644 +--- a/base/ca/shared/conf/auth-method.properties ++++ b/base/ca/shared/conf/auth-method.properties +@@ -8,6 +8,7 @@ + + default = * + account = certUserDBAuthMgr,passwdUserDBAuthMgr ++audit = certUserDBAuthMgr + authorities = certUserDBAuthMgr + certs = certUserDBAuthMgr + certrequests = certUserDBAuthMgr +diff --git a/base/ca/shared/webapps/ca/WEB-INF/web.xml b/base/ca/shared/webapps/ca/WEB-INF/web.xml +index d887db4..bf8aed4 100644 +--- a/base/ca/shared/webapps/ca/WEB-INF/web.xml ++++ b/base/ca/shared/webapps/ca/WEB-INF/web.xml +@@ -2417,6 +2417,19 @@ + + + ++ Audit ++ /rest/audit/* ++ ++ ++ * ++ ++ ++ CONFIDENTIAL ++ ++ ++ ++ ++ + Authority Services + /rest/authorities/* + +diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/CAApplication.java b/base/ca/src/org/dogtagpki/server/ca/rest/CAApplication.java +index b0fc73c..ae18e02 100644 +--- a/base/ca/src/org/dogtagpki/server/ca/rest/CAApplication.java ++++ b/base/ca/src/org/dogtagpki/server/ca/rest/CAApplication.java +@@ -7,6 +7,7 @@ import javax.ws.rs.core.Application; + + import org.dogtagpki.server.rest.ACLInterceptor; + import org.dogtagpki.server.rest.AccountService; ++import org.dogtagpki.server.rest.AuditService; + import org.dogtagpki.server.rest.AuthMethodInterceptor; + import org.dogtagpki.server.rest.FeatureService; + import org.dogtagpki.server.rest.GroupService; +@@ -32,6 +33,9 @@ public class CAApplication extends Application { + // account + 
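Review bot: The new `audit.read`/`audit.modify` entries bind the audit REST resource to `certServer.log.configuration`, but the diffstat for this patch touches only acl.properties, auth-method.properties, web.xml, the *Application classes and the CLIs — no CS.cfg — so whether each subsystem's `authz.instance.DirAclAuthz.resourceACLS` already defines `certServer.log.configuration` with `read` and `modify` operations cannot be seen here; if it is missing, ACL evaluation will presumably deny every audit call (or fall through, depending on the interceptor), and that should be verified on a fresh install of each subsystem. The same applies to the kra, ocsp and tks acl.properties hunks named in the diffstat. A comment above the block naming the dependency, e.g. `# requires the certServer.log.configuration resource ACL in CS.cfg`, would make the coupling visible to the next person editing either file.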
classes.add(AccountService.class); + ++ // audit ++ classes.add(AuditService.class); ++ + // installer + classes.add(CAInstallerService.class); + +diff --git a/base/java-tools/src/com/netscape/cmstools/cli/CACLI.java b/base/java-tools/src/com/netscape/cmstools/cli/CACLI.java +index 2ec20dc..8e72405 100644 +--- a/base/java-tools/src/com/netscape/cmstools/cli/CACLI.java ++++ b/base/java-tools/src/com/netscape/cmstools/cli/CACLI.java +@@ -25,6 +25,7 @@ import com.netscape.cmstools.authority.AuthorityCLI; + import com.netscape.cmstools.cert.CertCLI; + import com.netscape.cmstools.feature.FeatureCLI; + import com.netscape.cmstools.group.GroupCLI; ++import com.netscape.cmstools.logging.AuditCLI; + import com.netscape.cmstools.profile.ProfileCLI; + import com.netscape.cmstools.selftests.SelfTestCLI; + import com.netscape.cmstools.system.KRAConnectorCLI; +@@ -41,6 +42,7 @@ public class CACLI extends SubsystemCLI { + super("ca", "CA management commands", parent); + + addModule(new AuthorityCLI(this)); ++ addModule(new AuditCLI(this)); + addModule(new CertCLI(this)); + addModule(new FeatureCLI(this)); + addModule(new GroupCLI(this)); +diff --git a/base/java-tools/src/com/netscape/cmstools/cli/KRACLI.java b/base/java-tools/src/com/netscape/cmstools/cli/KRACLI.java +index 2db85aa..190be11 100644 +--- a/base/java-tools/src/com/netscape/cmstools/cli/KRACLI.java ++++ b/base/java-tools/src/com/netscape/cmstools/cli/KRACLI.java +@@ -23,6 +23,7 @@ import com.netscape.certsrv.client.SubsystemClient; + import com.netscape.certsrv.kra.KRAClient; + import com.netscape.cmstools.group.GroupCLI; + import com.netscape.cmstools.key.KeyCLI; ++import com.netscape.cmstools.logging.AuditCLI; + import com.netscape.cmstools.selftests.SelfTestCLI; + import com.netscape.cmstools.user.UserCLI; + +@@ -36,6 +37,7 @@ public class KRACLI extends SubsystemCLI { + public KRACLI(CLI parent) { + super("kra", "KRA management commands", parent); + ++ addModule(new AuditCLI(this)); + addModule(new 
GroupCLI(this)); + addModule(new KeyCLI(this)); + addModule(new SelfTestCLI(this)); +diff --git a/base/java-tools/src/com/netscape/cmstools/cli/OCSPCLI.java b/base/java-tools/src/com/netscape/cmstools/cli/OCSPCLI.java +index 6348359..15ec5e3 100644 +--- a/base/java-tools/src/com/netscape/cmstools/cli/OCSPCLI.java ++++ b/base/java-tools/src/com/netscape/cmstools/cli/OCSPCLI.java +@@ -22,6 +22,7 @@ import com.netscape.certsrv.client.PKIClient; + import com.netscape.certsrv.client.SubsystemClient; + import com.netscape.certsrv.ocsp.OCSPClient; + import com.netscape.cmstools.group.GroupCLI; ++import com.netscape.cmstools.logging.AuditCLI; + import com.netscape.cmstools.selftests.SelfTestCLI; + import com.netscape.cmstools.user.UserCLI; + +@@ -35,6 +36,7 @@ public class OCSPCLI extends SubsystemCLI { + public OCSPCLI(CLI parent) { + super("ocsp", "OCSP management commands", parent); + ++ addModule(new AuditCLI(this)); + addModule(new GroupCLI(this)); + addModule(new SelfTestCLI(this)); + addModule(new UserCLI(this)); +diff --git a/base/java-tools/src/com/netscape/cmstools/cli/TKSCLI.java b/base/java-tools/src/com/netscape/cmstools/cli/TKSCLI.java +index 1afdf64..1e2db2c 100644 +--- a/base/java-tools/src/com/netscape/cmstools/cli/TKSCLI.java ++++ b/base/java-tools/src/com/netscape/cmstools/cli/TKSCLI.java +@@ -22,6 +22,7 @@ import com.netscape.certsrv.client.PKIClient; + import com.netscape.certsrv.client.SubsystemClient; + import com.netscape.certsrv.tks.TKSClient; + import com.netscape.cmstools.group.GroupCLI; ++import com.netscape.cmstools.logging.AuditCLI; + import com.netscape.cmstools.selftests.SelfTestCLI; + import com.netscape.cmstools.system.TPSConnectorCLI; + import com.netscape.cmstools.user.UserCLI; +@@ -36,6 +37,7 @@ public class TKSCLI extends SubsystemCLI { + public TKSCLI(CLI parent) { + super("tks", "TKS management commands", parent); + ++ addModule(new AuditCLI(this)); + addModule(new GroupCLI(this)); + addModule(new SelfTestCLI(this)); + addModule(new 
TPSConnectorCLI(this)); +diff --git a/base/kra/shared/conf/acl.properties b/base/kra/shared/conf/acl.properties +index 3fde904..8cac3ee 100644 +--- a/base/kra/shared/conf/acl.properties ++++ b/base/kra/shared/conf/acl.properties +@@ -7,6 +7,11 @@ + + account.login = certServer.kra.account,login + account.logout = certServer.kra.account,logout ++ ++# audit configuration ++audit.read = certServer.log.configuration,read ++audit.modify = certServer.log.configuration,modify ++ + groups = certServer.kra.groups,execute + keys = certServer.kra.keys,execute + keyrequests = certServer.kra.keyrequests,execute +diff --git a/base/kra/shared/conf/auth-method.properties b/base/kra/shared/conf/auth-method.properties +index 108448c..2944e49 100644 +--- a/base/kra/shared/conf/auth-method.properties ++++ b/base/kra/shared/conf/auth-method.properties +@@ -8,6 +8,7 @@ + + default = * + account = certUserDBAuthMgr,passwdUserDBAuthMgr ++audit = certUserDBAuthMgr + groups = certUserDBAuthMgr + keys = certUserDBAuthMgr + keyrequests = certUserDBAuthMgr +diff --git a/base/kra/shared/webapps/kra/WEB-INF/web.xml b/base/kra/shared/webapps/kra/WEB-INF/web.xml +index ce0a51e..5b7031a 100644 +--- a/base/kra/shared/webapps/kra/WEB-INF/web.xml ++++ b/base/kra/shared/webapps/kra/WEB-INF/web.xml +@@ -1104,6 +1104,19 @@ + + + ++ ++ ++ Audit ++ /rest/audit/* ++ ++ ++ * ++ ++ ++ CONFIDENTIAL ++ ++ ++ + [PKI_OPEN_STANDALONE_COMMENT] + + +diff --git a/base/kra/src/org/dogtagpki/server/kra/rest/KRAApplication.java b/base/kra/src/org/dogtagpki/server/kra/rest/KRAApplication.java +index 773d8dd..6244270 100644 +--- a/base/kra/src/org/dogtagpki/server/kra/rest/KRAApplication.java ++++ b/base/kra/src/org/dogtagpki/server/kra/rest/KRAApplication.java +@@ -7,6 +7,7 @@ import javax.ws.rs.core.Application; + + import org.dogtagpki.server.rest.ACLInterceptor; + import org.dogtagpki.server.rest.AccountService; ++import org.dogtagpki.server.rest.AuditService; + import org.dogtagpki.server.rest.AuthMethodInterceptor; 
+ import org.dogtagpki.server.rest.GroupService; + import org.dogtagpki.server.rest.MessageFormatInterceptor; +@@ -31,6 +32,9 @@ public class KRAApplication extends Application { + // account + classes.add(AccountService.class); + ++ // audit ++ classes.add(AuditService.class); ++ + // installer + classes.add(KRAInstallerService.class); + +diff --git a/base/ocsp/shared/conf/acl.properties b/base/ocsp/shared/conf/acl.properties +index 9528f11..26b212d 100644 +--- a/base/ocsp/shared/conf/acl.properties ++++ b/base/ocsp/shared/conf/acl.properties +@@ -7,6 +7,11 @@ + + account.login = certServer.ocsp.account,login + account.logout = certServer.ocsp.account,logout ++ ++# audit configuration ++audit.read = certServer.log.configuration,read ++audit.modify = certServer.log.configuration,modify ++ + groups = certServer.ocsp.groups,execute + selftests.read = certServer.ocsp.selftests,read + selftests.execute = certServer.ocsp.selftests,execute +diff --git a/base/ocsp/shared/conf/auth-method.properties b/base/ocsp/shared/conf/auth-method.properties +index 9f5a7a1..98aee66 100644 +--- a/base/ocsp/shared/conf/auth-method.properties ++++ b/base/ocsp/shared/conf/auth-method.properties +@@ -8,6 +8,7 @@ + + default = * + account = certUserDBAuthMgr,passwdUserDBAuthMgr ++audit = certUserDBAuthMgr + groups = certUserDBAuthMgr + selftests = certUserDBAuthMgr + users = certUserDBAuthMgr +diff --git a/base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml b/base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml +index b8eccf1..e610800 100644 +--- a/base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml ++++ b/base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml +@@ -726,6 +726,19 @@ + + + ++ ++ ++ Audit ++ /rest/audit/* ++ ++ ++ * ++ ++ ++ CONFIDENTIAL ++ ++ ++ + [PKI_OPEN_STANDALONE_COMMENT] + + +diff --git a/base/ocsp/src/org/dogtagpki/server/ocsp/rest/OCSPApplication.java b/base/ocsp/src/org/dogtagpki/server/ocsp/rest/OCSPApplication.java +index 99fefae..8d6e4a9 100644 +--- 
a/base/ocsp/src/org/dogtagpki/server/ocsp/rest/OCSPApplication.java ++++ b/base/ocsp/src/org/dogtagpki/server/ocsp/rest/OCSPApplication.java +@@ -7,6 +7,7 @@ import javax.ws.rs.core.Application; + + import org.dogtagpki.server.rest.ACLInterceptor; + import org.dogtagpki.server.rest.AccountService; ++import org.dogtagpki.server.rest.AuditService; + import org.dogtagpki.server.rest.AuthMethodInterceptor; + import org.dogtagpki.server.rest.GroupService; + import org.dogtagpki.server.rest.MessageFormatInterceptor; +@@ -31,6 +32,9 @@ public class OCSPApplication extends Application { + // account + classes.add(AccountService.class); + ++ // audit ++ classes.add(AuditService.class); ++ + // installer + classes.add(OCSPInstallerService.class); + +diff --git a/base/tks/shared/conf/acl.properties b/base/tks/shared/conf/acl.properties +index d2c2372..7146d38 100644 +--- a/base/tks/shared/conf/acl.properties ++++ b/base/tks/shared/conf/acl.properties +@@ -7,6 +7,11 @@ + + account.login = certServer.tks.account,login + account.logout = certServer.tks.account,logout ++ ++# audit configuration ++audit.read = certServer.log.configuration,read ++audit.modify = certServer.log.configuration,modify ++ + groups = certServer.tks.groups,execute + selftests.read = certServer.tks.selftests,read + selftests.execute = certServer.tks.selftests,execute +diff --git a/base/tks/shared/conf/auth-method.properties b/base/tks/shared/conf/auth-method.properties +index fe91b90..cc80825 100644 +--- a/base/tks/shared/conf/auth-method.properties ++++ b/base/tks/shared/conf/auth-method.properties +@@ -8,6 +8,7 @@ + + default = * + account = certUserDBAuthMgr,passwdUserDBAuthMgr ++audit = certUserDBAuthMgr + groups = certUserDBAuthMgr + selftests = certUserDBAuthMgr + tpsconnectors = certUserDBAuthMgr +diff --git a/base/tks/shared/webapps/tks/WEB-INF/web.xml b/base/tks/shared/webapps/tks/WEB-INF/web.xml +index 2d4c029..18c85a3 100644 +--- a/base/tks/shared/webapps/tks/WEB-INF/web.xml ++++ 
b/base/tks/shared/webapps/tks/WEB-INF/web.xml +@@ -406,6 +406,19 @@ + + + ++ Audit ++ /rest/audit/* ++ ++ ++ * ++ ++ ++ CONFIDENTIAL ++ ++ ++ ++ ++ + Self Tests + /rest/selftests/* + +diff --git a/base/tks/src/org/dogtagpki/server/tks/rest/TKSApplication.java b/base/tks/src/org/dogtagpki/server/tks/rest/TKSApplication.java +index 278076d..ca19e38 100644 +--- a/base/tks/src/org/dogtagpki/server/tks/rest/TKSApplication.java ++++ b/base/tks/src/org/dogtagpki/server/tks/rest/TKSApplication.java +@@ -7,6 +7,7 @@ import javax.ws.rs.core.Application; + + import org.dogtagpki.server.rest.ACLInterceptor; + import org.dogtagpki.server.rest.AccountService; ++import org.dogtagpki.server.rest.AuditService; + import org.dogtagpki.server.rest.AuthMethodInterceptor; + import org.dogtagpki.server.rest.GroupService; + import org.dogtagpki.server.rest.MessageFormatInterceptor; +@@ -26,6 +27,9 @@ public class TKSApplication extends Application { + // account + classes.add(AccountService.class); + ++ // audit ++ classes.add(AuditService.class); ++ + // installer + classes.add(TKSInstallerService.class); + +diff --git a/base/tps/shared/conf/acl.properties b/base/tps/shared/conf/acl.properties +index 2d2dc71..1c581b3 100644 +--- a/base/tps/shared/conf/acl.properties ++++ b/base/tps/shared/conf/acl.properties +@@ -8,8 +8,11 @@ + + account.login = certServer.tps.account,login + account.logout = certServer.tps.account,logout +-audit.read = certServer.tps.audit,read +-audit.modify = certServer.tps.audit,modify ++ ++# audit configuration ++audit.read = certServer.log.configuration,read ++audit.modify = certServer.log.configuration,modify ++ + authenticators.read = certServer.tps.authenticators,read + authenticators.add = certServer.tps.authenticators,add + authenticators.modify = certServer.tps.authenticators,modify +-- +1.8.3.1 + + +From 0b91066c5c5cb20e63d79d58a12a46e2069a11af Mon Sep 17 00:00:00 2001 +From: "Endi S. 
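Review bot: The TPS entries for `audit.read`/`audit.modify` are re-pointed from `certServer.tps.audit` to `certServer.log.configuration`, so authorization for the existing audit-configuration endpoint now depends on that resource being defined in the TPS instance's ACL store with the intended grants; an upgraded instance whose store still defines only `certServer.tps.audit` would either lose access to, or — depending on how an undefined resource is evaluated — change who may modify audit settings. The same `certServer.log.configuration` mapping is introduced for CA, KRA, OCSP and TKS in the earlier acl.properties hunks of this patch and needs the same backing definition there. A short comment above the entries, e.g. `# requires the certServer.log.configuration ACL resource to be defined in the subsystem's ACL store`, would make the dependency visible to whoever maintains the upgrade path.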
Dewata" +Date: Thu, 30 Mar 2017 17:12:02 +0200 +Subject: [PATCH 20/59] Added PKIRESTProvider. + +A new PKIRESTProvider has been added to send and receive +StreamingOutput object through REST API. + +Change-Id: Iefc513aacb9fc26bc7c8c5cbfb4550a4a98da52e +--- + base/CMakeLists.txt | 7 ++ + base/ca/src/CMakeLists.txt | 7 -- + base/common/src/CMakeLists.txt | 2 +- + .../com/netscape/certsrv/client/PKIConnection.java | 4 +- + .../netscape/certsrv/client/PKIRESTProvider.java | 118 +++++++++++++++++++++ + base/java-tools/src/CMakeLists.txt | 7 -- + base/server/cms/src/CMakeLists.txt | 7 -- + 7 files changed, 128 insertions(+), 24 deletions(-) + create mode 100644 base/common/src/com/netscape/certsrv/client/PKIRESTProvider.java + +diff --git a/base/CMakeLists.txt b/base/CMakeLists.txt +index d2ea9a5..4140adb 100644 +--- a/base/CMakeLists.txt ++++ b/base/CMakeLists.txt +@@ -30,6 +30,13 @@ find_file(SLF4J_JDK14_JAR + /usr/share/java/slf4j + ) + ++find_file(COMMONS_IO_JAR ++ NAMES ++ commons-io.jar ++ PATHS ++ /usr/share/java ++) ++ + find_file(JACKSON_CORE_JAR + NAMES + jackson-core-asl.jar +diff --git a/base/ca/src/CMakeLists.txt b/base/ca/src/CMakeLists.txt +index 4982ef8..b23782d 100644 +--- a/base/ca/src/CMakeLists.txt ++++ b/base/ca/src/CMakeLists.txt +@@ -24,13 +24,6 @@ find_file(COMMONS_CODEC_JAR + /usr/share/java + ) + +-find_file(COMMONS_IO_JAR +- NAMES +- commons-io.jar +- PATHS +- /usr/share/java +-) +- + find_file(COMMONS_LANG_JAR + NAMES + commons-lang.jar +diff --git a/base/common/src/CMakeLists.txt b/base/common/src/CMakeLists.txt +index c08d1b7..705d62c 100644 +--- a/base/common/src/CMakeLists.txt ++++ b/base/common/src/CMakeLists.txt +@@ -103,7 +103,7 @@ javac(pki-certsrv-classes + CLASSPATH + ${SLF4J_API_JAR} + ${LDAPJDK_JAR} ${SERVLET_JAR} ${VELOCITY_JAR} ${XALAN_JAR} ${XERCES_JAR} +- ${JSS_JAR} ${COMMONS_CODEC_JAR} ${COMMONS_HTTPCLIENT_JAR} ++ ${JSS_JAR} ${COMMONS_CODEC_JAR} ${COMMONS_HTTPCLIENT_JAR} ${COMMONS_IO_JAR} + ${APACHE_COMMONS_LANG_JAR} + 
${TOMCAT_CATALINA_JAR} ${TOMCAT_UTIL_JAR} ${SYMKEY_JAR} + ${JAXRS_API_JAR} ${RESTEASY_JAXRS_JAR} ${RESTEASY_ATOM_PROVIDER_JAR} ${RESTEASY_CLIENT_JAR} +diff --git a/base/common/src/com/netscape/certsrv/client/PKIConnection.java b/base/common/src/com/netscape/certsrv/client/PKIConnection.java +index b75e332..c2ffd09 100644 +--- a/base/common/src/com/netscape/certsrv/client/PKIConnection.java ++++ b/base/common/src/com/netscape/certsrv/client/PKIConnection.java +@@ -76,7 +76,6 @@ import org.jboss.resteasy.client.jaxrs.ResteasyClient; + import org.jboss.resteasy.client.jaxrs.ResteasyClientBuilder; + import org.jboss.resteasy.client.jaxrs.ResteasyWebTarget; + import org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine; +-import org.jboss.resteasy.spi.ResteasyProviderFactory; + import org.mozilla.jss.CryptoManager; + import org.mozilla.jss.CryptoManager.NotInitializedException; + import org.mozilla.jss.ssl.SSLCertificateApprovalCallback; +@@ -95,7 +94,6 @@ public class PKIConnection { + + ApacheHttpClient4Engine engine; + ResteasyClient resteasyClient; +- ResteasyProviderFactory providerFactory; + + int requestCounter; + int responseCounter; +@@ -204,7 +202,9 @@ public class PKIConnection { + }); + + engine = new ApacheHttpClient4Engine(httpClient); ++ + resteasyClient = new ResteasyClientBuilder().httpEngine(engine).build(); ++ resteasyClient.register(PKIRESTProvider.class); + } + + public boolean isVerbose() { +diff --git a/base/common/src/com/netscape/certsrv/client/PKIRESTProvider.java b/base/common/src/com/netscape/certsrv/client/PKIRESTProvider.java +new file mode 100644 +index 0000000..4018da3 +--- /dev/null ++++ b/base/common/src/com/netscape/certsrv/client/PKIRESTProvider.java +@@ -0,0 +1,118 @@ ++// --- BEGIN COPYRIGHT BLOCK --- ++// This program is free software; you can redistribute it and/or modify ++// it under the terms of the GNU General Public License as published by ++// the Free Software Foundation; version 2 of the License. 
++// ++// This program is distributed in the hope that it will be useful, ++// but WITHOUT ANY WARRANTY; without even the implied warranty of ++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++// GNU General Public License for more details. ++// ++// You should have received a copy of the GNU General Public License along ++// with this program; if not, write to the Free Software Foundation, Inc., ++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. ++// ++// (C) 2017 Red Hat, Inc. ++// All rights reserved. ++// --- END COPYRIGHT BLOCK --- ++package com.netscape.certsrv.client; ++ ++import java.io.File; ++import java.io.FileInputStream; ++import java.io.FileOutputStream; ++import java.io.IOException; ++import java.io.InputStream; ++import java.io.OutputStream; ++import java.lang.annotation.Annotation; ++import java.lang.reflect.Type; ++ ++import javax.ws.rs.Consumes; ++import javax.ws.rs.Produces; ++import javax.ws.rs.WebApplicationException; ++import javax.ws.rs.core.MediaType; ++import javax.ws.rs.core.MultivaluedMap; ++import javax.ws.rs.core.StreamingOutput; ++import javax.ws.rs.ext.MessageBodyReader; ++import javax.ws.rs.ext.MessageBodyWriter; ++import javax.ws.rs.ext.Provider; ++ ++import org.apache.commons.io.IOUtils; ++ ++@Provider ++@Consumes(MediaType.APPLICATION_OCTET_STREAM) ++@Produces(MediaType.APPLICATION_OCTET_STREAM) ++public class PKIRESTProvider implements MessageBodyReader, MessageBodyWriter { ++ ++ @Override ++ public boolean isReadable( ++ Class type, ++ Type genericType, ++ Annotation[] annotations, ++ MediaType mediaType) { ++ ++ return true; ++ } ++ ++ @Override ++ public StreamingOutput readFrom( ++ Class type, ++ Type genericType, ++ Annotation[] annotations, ++ MediaType mediaType, ++ MultivaluedMap httpHeaders, ++ InputStream entityStream) throws IOException, WebApplicationException { ++ ++ final File file = File.createTempFile("PKIRESTProvider-", ".tmp"); ++ file.deleteOnExit(); ++ ++ FileOutputStream out = 
new FileOutputStream(file); ++ IOUtils.copy(entityStream, out); ++ ++ return new StreamingOutput() { ++ ++ @Override ++ public void write(OutputStream out) throws IOException, WebApplicationException { ++ FileInputStream in = new FileInputStream(file); ++ IOUtils.copy(in, out); ++ } ++ ++ public void finalize() { ++ file.delete(); ++ } ++ }; ++ } ++ ++ @Override ++ public long getSize( ++ StreamingOutput out, ++ Class type, ++ Type genericType, ++ Annotation[] annotations, ++ MediaType mediaType) { ++ ++ return -1; ++ } ++ ++ @Override ++ public boolean isWriteable( ++ Class type, ++ Type genericType, ++ Annotation[] annotations, ++ MediaType mediaType) { ++ ++ return true; ++ } ++ ++ @Override ++ public void writeTo( ++ StreamingOutput so, ++ Class type, ++ Type genericType, ++ Annotation[] annotations, ++ MediaType mediaType, ++ MultivaluedMap httpHeaders, ++ OutputStream entityStream) throws IOException, WebApplicationException { ++ ++ so.write(entityStream); ++ } ++} +diff --git a/base/java-tools/src/CMakeLists.txt b/base/java-tools/src/CMakeLists.txt +index c2f54d4..7c57eaa 100644 +--- a/base/java-tools/src/CMakeLists.txt ++++ b/base/java-tools/src/CMakeLists.txt +@@ -37,13 +37,6 @@ find_file(COMMONS_CODEC_JAR + /usr/share/java + ) + +-find_file(COMMONS_IO_JAR +- NAMES +- commons-io.jar +- PATHS +- /usr/share/java +-) +- + find_file(XALAN_JAR + NAMES + xalan-j2.jar +diff --git a/base/server/cms/src/CMakeLists.txt b/base/server/cms/src/CMakeLists.txt +index c66227c..e72a821 100644 +--- a/base/server/cms/src/CMakeLists.txt ++++ b/base/server/cms/src/CMakeLists.txt +@@ -30,13 +30,6 @@ find_file(COMMONS_HTTPCLIENT_JAR + /usr/share/java + ) + +-find_file(COMMONS_IO_JAR +- NAMES +- commons-io.jar +- PATHS +- /usr/share/java +-) +- + find_file(COMMONS_LANG_JAR + NAMES + commons-lang.jar +-- +1.8.3.1 + + +From 6a682f8e56c982ed0e0810326e71f9de23347590 Mon Sep 17 00:00:00 2001 +From: Ade Lee +Date: Tue, 4 Apr 2017 14:52:37 -0400 +Subject: [PATCH 24/59] Fix pylint errors 
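Review bot: readFrom() never closes the FileOutputStream it spools the entity into, and the returned StreamingOutput's write() never closes its FileInputStream, so every retrieved entity leaks two descriptors until GC and removal of the spool file depends on finalize(), which is not guaranteed to run. The spool file is also created with File.createTempFile in the shared temp directory, which uses the process umask rather than the owner-only permissions Files.createTempFile applies on POSIX; since this provider is the path by which audit logs reach the client, that content should not land world-readable on disk. isReadable()/isWriteable() additionally return true for every type although readFrom() always produces a StreamingOutput, so once registered on the client the provider can shadow the built-in octet-stream readers for byte[] and InputStream; `return StreamingOutput.class.isAssignableFrom(type);` in both keeps it scoped to the type it actually handles. The rewrite below needs `java.nio.file.Files` and `java.nio.file.Path` imported and makes the spool single-use (deleted after the first write); if callers may write the same entity twice, keep only deleteOnExit and drop the finally.
```java
// … unchanged: isReadable (with the isAssignableFrom check above) …

@Override
public StreamingOutput readFrom(
        Class type,
        Type genericType,
        Annotation[] annotations,
        MediaType mediaType,
        MultivaluedMap httpHeaders,
        InputStream entityStream) throws IOException, WebApplicationException {

    // Files.createTempFile restricts the spool to the owner on POSIX;
    // File.createTempFile would leave it at the umask default.
    final Path path = Files.createTempFile("PKIRESTProvider-", ".tmp");
    path.toFile().deleteOnExit();

    try (OutputStream out = Files.newOutputStream(path)) {
        IOUtils.copy(entityStream, out);
    }

    return new StreamingOutput() {

        @Override
        public void write(OutputStream out) throws IOException, WebApplicationException {
            // Single-use: the spool file is removed once it has been streamed out.
            try (InputStream in = Files.newInputStream(path)) {
                IOUtils.copy(in, out);
            } finally {
                Files.deleteIfExists(path);
            }
        }
    };
}

// … unchanged: getSize, isWriteable (with the isAssignableFrom check above), writeTo …
```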
+ +--- + base/common/python/pki/info.py | 2 ++ + base/common/python/pki/util.py | 1 - + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/base/common/python/pki/info.py b/base/common/python/pki/info.py +index 65d4825..b4da8b0 100644 +--- a/base/common/python/pki/info.py ++++ b/base/common/python/pki/info.py +@@ -21,6 +21,8 @@ + """ + Module containing the Python client classes for the InfoClient + """ ++from __future__ import absolute_import ++from __future__ import print_function + from six import iteritems + + import pki +diff --git a/base/common/python/pki/util.py b/base/common/python/pki/util.py +index 02ecde8..0765bcf 100644 +--- a/base/common/python/pki/util.py ++++ b/base/common/python/pki/util.py +@@ -272,4 +272,3 @@ def read_environment_files(env_file_list=None): + for env_val in env_vals: + (key, _, value) = env_val.partition("=") + os.environ[key] = value +- +-- +1.8.3.1 + + +From 88cd07655268831e14e7cd4f6f6a65e331f86583 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Tue, 28 Mar 2017 21:02:22 +0200 +Subject: [PATCH 25/59] Added CLIs to access audit log files. + +New pki audit commands have been added to list and retrieve audit +log files. 
+ +Change-Id: I785fa6f55d9b143f513d9210ebf82d04e06eaed5 +--- + base/ca/shared/conf/acl.properties | 3 + + .../com/netscape/certsrv/logging/AuditClient.java | 11 ++ + .../com/netscape/certsrv/logging/AuditFile.java | 123 +++++++++++++++++++++ + .../certsrv/logging/AuditFileCollection.java | 38 +++++++ + .../netscape/certsrv/logging/AuditResource.java | 19 +++- + .../com/netscape/cmstools/logging/AuditCLI.java | 11 ++ + .../cmstools/logging/AuditFileFindCLI.java | 90 +++++++++++++++ + .../cmstools/logging/AuditFileRetrieveCLI.java | 87 +++++++++++++++ + base/kra/shared/conf/acl.properties | 3 + + base/ocsp/shared/conf/acl.properties | 3 + + .../com/netscape/cms/servlet/base/PKIService.java | 1 + + .../org/dogtagpki/server/rest/AuditService.java | 107 ++++++++++++++++++ + base/tks/shared/conf/acl.properties | 3 + + base/tps/shared/conf/acl.properties | 3 + + 14 files changed, 501 insertions(+), 1 deletion(-) + create mode 100644 base/common/src/com/netscape/certsrv/logging/AuditFile.java + create mode 100644 base/common/src/com/netscape/certsrv/logging/AuditFileCollection.java + create mode 100644 base/java-tools/src/com/netscape/cmstools/logging/AuditFileFindCLI.java + create mode 100644 base/java-tools/src/com/netscape/cmstools/logging/AuditFileRetrieveCLI.java + +diff --git a/base/ca/shared/conf/acl.properties b/base/ca/shared/conf/acl.properties +index c487e48..a8fe65c 100644 +--- a/base/ca/shared/conf/acl.properties ++++ b/base/ca/shared/conf/acl.properties +@@ -12,6 +12,9 @@ account.logout = certServer.ca.account,logout + audit.read = certServer.log.configuration,read + audit.modify = certServer.log.configuration,modify + ++# audit logs ++audit-log.read = certServer.log.content.signedAudit,read ++ + certs = certServer.ca.certs,execute + certrequests = certServer.ca.certrequests,execute + groups = certServer.ca.groups,execute +diff --git a/base/common/src/com/netscape/certsrv/logging/AuditClient.java b/base/common/src/com/netscape/certsrv/logging/AuditClient.java 
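Review bot: `audit-log.read = certServer.log.content.signedAudit,read` is what gates the new audit-log download endpoint, so the ACL definition behind `certServer.log.content.signedAudit` decides who can pull signed audit logs off the server; it should be granted to the auditor role rather than reusing the administrator grants that cover `certServer.log.configuration`, presumably mirroring how the existing signed-audit ACLs are scoped. The diffstat shows the same line is added for KRA, OCSP, TKS and TPS, where the same consideration applies. A comment such as `# audit log download; keep this resource restricted to auditors` next to the entry would record the intent.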
+index 018850c..9451e83 100644 +--- a/base/common/src/com/netscape/certsrv/logging/AuditClient.java ++++ b/base/common/src/com/netscape/certsrv/logging/AuditClient.java +@@ -20,6 +20,7 @@ package com.netscape.certsrv.logging; + import java.net.URISyntaxException; + + import javax.ws.rs.core.Response; ++import javax.ws.rs.core.StreamingOutput; + + import com.netscape.certsrv.client.Client; + import com.netscape.certsrv.client.PKIClient; +@@ -54,4 +55,14 @@ public class AuditClient extends Client { + Response response = resource.changeAuditStatus(action); + return client.getEntity(response, AuditConfig.class); + } ++ ++ public AuditFileCollection findAuditFiles() { ++ Response response = resource.findAuditFiles(); ++ return client.getEntity(response, AuditFileCollection.class); ++ } ++ ++ public StreamingOutput getAuditFile(String filename) throws Exception { ++ Response response = resource.getAuditFile(filename); ++ return client.getEntity(response, StreamingOutput.class); ++ } + } +diff --git a/base/common/src/com/netscape/certsrv/logging/AuditFile.java b/base/common/src/com/netscape/certsrv/logging/AuditFile.java +new file mode 100644 +index 0000000..0edfc3a +--- /dev/null ++++ b/base/common/src/com/netscape/certsrv/logging/AuditFile.java +@@ -0,0 +1,123 @@ ++// --- BEGIN COPYRIGHT BLOCK --- ++// This program is free software; you can redistribute it and/or modify ++// it under the terms of the GNU General Public License as published by ++// the Free Software Foundation; version 2 of the License. ++// ++// This program is distributed in the hope that it will be useful, ++// but WITHOUT ANY WARRANTY; without even the implied warranty of ++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++// GNU General Public License for more details. 
++// ++// You should have received a copy of the GNU General Public License along ++// with this program; if not, write to the Free Software Foundation, Inc., ++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. ++// ++// (C) 2017 Red Hat, Inc. ++// All rights reserved. ++// --- END COPYRIGHT BLOCK --- ++ ++package com.netscape.certsrv.logging; ++ ++import java.io.StringReader; ++import java.io.StringWriter; ++ ++import javax.xml.bind.JAXBContext; ++import javax.xml.bind.Marshaller; ++import javax.xml.bind.Unmarshaller; ++import javax.xml.bind.annotation.XmlAccessType; ++import javax.xml.bind.annotation.XmlAccessorType; ++import javax.xml.bind.annotation.XmlAttribute; ++import javax.xml.bind.annotation.XmlElement; ++import javax.xml.bind.annotation.XmlRootElement; ++ ++/** ++ * @author Endi S. Dewata ++ */ ++@XmlRootElement(name="AuditFile") ++@XmlAccessorType(XmlAccessType.NONE) ++public class AuditFile { ++ ++ String name; ++ Long size; ++ ++ @XmlAttribute(name="name") ++ public String getName() { ++ return name; ++ } ++ ++ public void setName(String name) { ++ this.name = name; ++ } ++ ++ @XmlElement(name="Size") ++ public Long getSize() { ++ return size; ++ } ++ ++ public void setSize(Long size) { ++ this.size = size; ++ } ++ ++ @Override ++ public int hashCode() { ++ final int prime = 31; ++ int result = 1; ++ result = prime * result + ((name == null) ? 0 : name.hashCode()); ++ result = prime * result + ((size == null) ? 
0 : size.hashCode()); ++ return result; ++ } ++ ++ @Override ++ public boolean equals(Object obj) { ++ if (this == obj) ++ return true; ++ if (obj == null) ++ return false; ++ if (getClass() != obj.getClass()) ++ return false; ++ AuditFile other = (AuditFile) obj; ++ if (name == null) { ++ if (other.name != null) ++ return false; ++ } else if (!name.equals(other.name)) ++ return false; ++ if (size == null) { ++ if (other.size != null) ++ return false; ++ } else if (!size.equals(other.size)) ++ return false; ++ return true; ++ } ++ ++ public String toString() { ++ try { ++ Marshaller marshaller = JAXBContext.newInstance(AuditFile.class).createMarshaller(); ++ marshaller.setProperty(Marshaller.JAXB_FORMATTED_OUTPUT, true); ++ ++ StringWriter sw = new StringWriter(); ++ marshaller.marshal(this, sw); ++ return sw.toString(); ++ ++ } catch (Exception e) { ++ throw new RuntimeException(e); ++ } ++ } ++ ++ public static AuditFile valueOf(String string) throws Exception { ++ Unmarshaller unmarshaller = JAXBContext.newInstance(AuditFile.class).createUnmarshaller(); ++ return (AuditFile)unmarshaller.unmarshal(new StringReader(string)); ++ } ++ ++ public static void main(String args[]) throws Exception { ++ ++ AuditFile before = new AuditFile(); ++ before.setName("audit.log"); ++ before.setSize(1024l); ++ ++ String string = before.toString(); ++ System.out.println(string); ++ ++ AuditFile after = AuditFile.valueOf(string); ++ System.out.println(before.equals(after)); ++ } ++} +diff --git a/base/common/src/com/netscape/certsrv/logging/AuditFileCollection.java b/base/common/src/com/netscape/certsrv/logging/AuditFileCollection.java +new file mode 100644 +index 0000000..e5c4e20 +--- /dev/null ++++ b/base/common/src/com/netscape/certsrv/logging/AuditFileCollection.java +@@ -0,0 +1,38 @@ ++// --- BEGIN COPYRIGHT BLOCK --- ++// This program is free software; you can redistribute it and/or modify ++// it under the terms of the GNU General Public License as published by ++// the Free 
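Review bot: toString() builds a new JAXBContext on every call; JAXBContext.newInstance is expensive and the context is thread-safe, so hold it in a `private static final JAXBContext` and reuse it from both toString() and valueOf(). valueOf() also feeds raw XML to a default Unmarshaller, which is fine for the self-test in main(), but if it is ever applied to data received from a peer the text should first go through an XMLInputFactory with external-entity support disabled, since a plain JAXB Unmarshaller exposes no switch for that. The literal `1024l` in main() should be `1024L`; the lowercase suffix reads as the digit one.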
Software Foundation; version 2 of the License. ++// ++// This program is distributed in the hope that it will be useful, ++// but WITHOUT ANY WARRANTY; without even the implied warranty of ++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++// GNU General Public License for more details. ++// ++// You should have received a copy of the GNU General Public License along ++// with this program; if not, write to the Free Software Foundation, Inc., ++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. ++// ++// (C) 2017 Red Hat, Inc. ++// All rights reserved. ++// --- END COPYRIGHT BLOCK --- ++ ++package com.netscape.certsrv.logging; ++ ++import java.util.Collection; ++ ++import javax.xml.bind.annotation.XmlElementRef; ++import javax.xml.bind.annotation.XmlRootElement; ++ ++import com.netscape.certsrv.base.DataCollection; ++ ++/** ++ * @author Endi S. Dewata ++ */ ++@XmlRootElement(name="AuditFiles") ++public class AuditFileCollection extends DataCollection { ++ ++ @XmlElementRef ++ public Collection getEntries() { ++ return super.getEntries(); ++ } ++} +diff --git a/base/common/src/com/netscape/certsrv/logging/AuditResource.java b/base/common/src/com/netscape/certsrv/logging/AuditResource.java +index 9b14986..4d33735 100644 +--- a/base/common/src/com/netscape/certsrv/logging/AuditResource.java ++++ b/base/common/src/com/netscape/certsrv/logging/AuditResource.java +@@ -20,8 +20,12 @@ package com.netscape.certsrv.logging; + import javax.ws.rs.GET; + import javax.ws.rs.POST; + import javax.ws.rs.Path; ++import javax.ws.rs.PathParam; ++import javax.ws.rs.Produces; + import javax.ws.rs.QueryParam; ++import javax.ws.rs.core.MediaType; + import javax.ws.rs.core.Response; ++import javax.ws.rs.core.StreamingOutput; + + import org.jboss.resteasy.annotations.ClientResponseType; + +@@ -35,11 +39,11 @@ import com.netscape.certsrv.base.PATCH; + */ + @Path("audit") + @AuthMethodMapping("audit") +-@ACLMapping("audit.read") + public interface AuditResource { 
+ + @GET + @ClientResponseType(entityType=AuditConfig.class) ++ @ACLMapping("audit.read") + public Response getAuditConfig(); + + @PATCH +@@ -52,4 +56,17 @@ public interface AuditResource { + @ACLMapping("audit.modify") + public Response changeAuditStatus( + @QueryParam("action") String action); ++ ++ @GET ++ @Path("files") ++ @ClientResponseType(entityType=AuditFileCollection.class) ++ @ACLMapping("audit-log.read") ++ public Response findAuditFiles(); ++ ++ @GET ++ @Path("files/(unknown)") ++ @Produces(MediaType.APPLICATION_OCTET_STREAM) ++ @ClientResponseType(entityType=StreamingOutput.class) ++ @ACLMapping("audit-log.read") ++ public Response getAuditFile(@PathParam("filename") String filename); + } +diff --git a/base/java-tools/src/com/netscape/cmstools/logging/AuditCLI.java b/base/java-tools/src/com/netscape/cmstools/logging/AuditCLI.java +index ff489dc..06ba040 100644 +--- a/base/java-tools/src/com/netscape/cmstools/logging/AuditCLI.java ++++ b/base/java-tools/src/com/netscape/cmstools/logging/AuditCLI.java +@@ -26,6 +26,7 @@ import org.jboss.resteasy.plugins.providers.atom.Link; + import com.netscape.certsrv.client.PKIClient; + import com.netscape.certsrv.logging.AuditClient; + import com.netscape.certsrv.logging.AuditConfig; ++import com.netscape.certsrv.logging.AuditFile; + import com.netscape.cmstools.cli.CLI; + import com.netscape.cmstools.cli.SubsystemCLI; + +@@ -42,8 +43,13 @@ public class AuditCLI extends CLI { + + this.subsystemCLI = subsystemCLI; + ++ // audit configuration + addModule(new AuditModifyCLI(this)); + addModule(new AuditShowCLI(this)); ++ ++ // audit files ++ addModule(new AuditFileFindCLI(this)); ++ addModule(new AuditFileRetrieveCLI(this)); + } + + @Override +@@ -83,4 +89,9 @@ public class AuditCLI extends CLI { + System.out.println(" Link: " + link.getHref()); + } + } ++ ++ public static void printAuditFile(AuditFile auditFile) { ++ System.out.println(" File name: " + auditFile.getName()); ++ System.out.println(" Size: " + 
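Review bot: Removing the class-level `@ACLMapping("audit.read")` means no method of this interface inherits a default mapping any more; in this hunk getAuditConfig() is covered and changeAuditStatus() carries `audit.modify` in the next hunk, but the `@PATCH` method that follows is outside the hunk and should be confirmed to declare its own `@ACLMapping`, otherwise the interceptor is left with an unmapped method on an audit-configuration interface. A one-line comment on the interface, `// No class-level ACL: every method must declare its own @ACLMapping`, would record the new invariant for future additions.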
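Review bot: getAuditFile() takes the audit log file name straight from the URL path, and the server-side AuditService that implements it is listed in the diffstat but not in this hunk; the implementation must resolve the name only against the audit log directory and reject any value containing a path separator or `..` before opening it, because `audit-log.read` only decides who may call the endpoint, not which file gets opened. A comment on the method, `// filename is a bare file name; the implementation must confine it to the audit log directory`, would make that contract explicit for implementors. The `@Path("files/(unknown)")` template appears garbled in this rendering and is presumably `files/{filename}`, matching the `@PathParam("filename")` on the parameter.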
auditFile.getSize()); ++ } + } +diff --git a/base/java-tools/src/com/netscape/cmstools/logging/AuditFileFindCLI.java b/base/java-tools/src/com/netscape/cmstools/logging/AuditFileFindCLI.java +new file mode 100644 +index 0000000..5ae9ce7 +--- /dev/null ++++ b/base/java-tools/src/com/netscape/cmstools/logging/AuditFileFindCLI.java +@@ -0,0 +1,90 @@ ++// --- BEGIN COPYRIGHT BLOCK --- ++// This program is free software; you can redistribute it and/or modify ++// it under the terms of the GNU General Public License as published by ++// the Free Software Foundation; version 2 of the License. ++// ++// This program is distributed in the hope that it will be useful, ++// but WITHOUT ANY WARRANTY; without even the implied warranty of ++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++// GNU General Public License for more details. ++// ++// You should have received a copy of the GNU General Public License along ++// with this program; if not, write to the Free Software Foundation, Inc., ++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. ++// ++// (C) 2017 Red Hat, Inc. ++// All rights reserved. ++// --- END COPYRIGHT BLOCK --- ++ ++package com.netscape.cmstools.logging; ++ ++import java.util.Collection; ++ ++import org.apache.commons.cli.CommandLine; ++ ++import com.netscape.certsrv.logging.AuditClient; ++import com.netscape.certsrv.logging.AuditFile; ++import com.netscape.certsrv.logging.AuditFileCollection; ++import com.netscape.cmstools.cli.CLI; ++import com.netscape.cmstools.cli.MainCLI; ++ ++/** ++ * @author Endi S. 
Dewata ++ */ ++public class AuditFileFindCLI extends CLI { ++ ++ public AuditCLI auditCLI; ++ ++ public AuditFileFindCLI(AuditCLI auditCLI) { ++ super("file-find", "Find audit files", auditCLI); ++ this.auditCLI = auditCLI; ++ ++ createOptions(); ++ } ++ ++ public void printHelp() { ++ formatter.printHelp(getFullName() + " [OPTIONS...]", options); ++ } ++ ++ public void createOptions() { ++ options.addOption(null, "help", false, "Show help message."); ++ } ++ ++ public void execute(String[] args) throws Exception { ++ ++ CommandLine cmd = parser.parse(options, args); ++ ++ if (cmd.hasOption("help")) { ++ printHelp(); ++ return; ++ } ++ ++ String[] cmdArgs = cmd.getArgs(); ++ ++ if (cmdArgs.length > 0) { ++ throw new Exception("Too many arguments specified."); ++ } ++ ++ AuditClient auditClient = auditCLI.getAuditClient(); ++ AuditFileCollection response = auditClient.findAuditFiles(); ++ ++ MainCLI.printMessage(response.getTotal() + " entries matched"); ++ if (response.getTotal() == 0) return; ++ ++ Collection entries = response.getEntries(); ++ boolean first = true; ++ ++ for (AuditFile auditFile : entries) { ++ ++ if (first) { ++ first = false; ++ } else { ++ System.out.println(); ++ } ++ ++ AuditCLI.printAuditFile(auditFile); ++ } ++ ++ MainCLI.printMessage("Number of entries returned " + entries.size()); ++ } ++} +diff --git a/base/java-tools/src/com/netscape/cmstools/logging/AuditFileRetrieveCLI.java b/base/java-tools/src/com/netscape/cmstools/logging/AuditFileRetrieveCLI.java +new file mode 100644 +index 0000000..07af3a4 +--- /dev/null ++++ b/base/java-tools/src/com/netscape/cmstools/logging/AuditFileRetrieveCLI.java +@@ -0,0 +1,87 @@ ++// --- BEGIN COPYRIGHT BLOCK --- ++// This program is free software; you can redistribute it and/or modify ++// it under the terms of the GNU General Public License as published by ++// the Free Software Foundation; version 2 of the License. 
++// ++// This program is distributed in the hope that it will be useful, ++// but WITHOUT ANY WARRANTY; without even the implied warranty of ++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++// GNU General Public License for more details. ++// ++// You should have received a copy of the GNU General Public License along ++// with this program; if not, write to the Free Software Foundation, Inc., ++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. ++// ++// (C) 2017 Red Hat, Inc. ++// All rights reserved. ++// --- END COPYRIGHT BLOCK --- ++ ++package com.netscape.cmstools.logging; ++ ++import java.io.FileOutputStream; ++import java.io.OutputStream; ++ ++import javax.ws.rs.core.StreamingOutput; ++ ++import org.apache.commons.cli.CommandLine; ++import org.apache.commons.cli.Option; ++ ++import com.netscape.certsrv.logging.AuditClient; ++import com.netscape.cmstools.cli.CLI; ++ ++/** ++ * @author Endi S. Dewata ++ */ ++public class AuditFileRetrieveCLI extends CLI { ++ ++ public AuditCLI auditCLI; ++ ++ public AuditFileRetrieveCLI(AuditCLI auditCLI) { ++ super("file-retrieve", "Retrieve audit file", auditCLI); ++ this.auditCLI = auditCLI; ++ ++ createOptions(); ++ } ++ ++ public void printHelp() { ++ formatter.printHelp(getFullName() + " [OPTIONS...]", options); ++ } ++ ++ public void createOptions() { ++ Option option = new Option(null, "output", true, "Output file."); ++ option.setArgName("path"); ++ options.addOption(option); ++ ++ options.addOption(null, "help", false, "Show help message."); ++ } ++ ++ public void execute(String[] args) throws Exception { ++ ++ CommandLine cmd = parser.parse(options, args); ++ ++ if (cmd.hasOption("help")) { ++ printHelp(); ++ return; ++ } ++ ++ String[] cmdArgs = cmd.getArgs(); ++ ++ if (cmdArgs.length < 1) { ++ throw new Exception("Missing audit file name."); ++ ++ } if (cmdArgs.length > 1) { ++ throw new Exception("Too many arguments specified."); ++ } ++ ++ String filename = cmdArgs[0]; ++ String 
output = cmd.getOptionValue("output");
++ if (output == null) output = filename;
++
++ AuditClient auditClient = auditCLI.getAuditClient();
++ StreamingOutput so = auditClient.getAuditFile(filename);
++
++ try (OutputStream out = new FileOutputStream(output)) {
++ so.write(out);
++ }
++ }
++}
+diff --git a/base/kra/shared/conf/acl.properties b/base/kra/shared/conf/acl.properties
+index 8cac3ee..bcb1456 100644
+--- a/base/kra/shared/conf/acl.properties
++++ b/base/kra/shared/conf/acl.properties
+@@ -12,6 +12,9 @@ account.logout = certServer.kra.account,logout
+ audit.read = certServer.log.configuration,read
+ audit.modify = certServer.log.configuration,modify
+ 
++# audit logs
++audit-log.read = certServer.log.content.signedAudit,read
++
+ groups = certServer.kra.groups,execute
+ keys = certServer.kra.keys,execute
+ keyrequests = certServer.kra.keyrequests,execute
+diff --git a/base/ocsp/shared/conf/acl.properties b/base/ocsp/shared/conf/acl.properties
+index 26b212d..e8188b8 100644
+--- a/base/ocsp/shared/conf/acl.properties
++++ b/base/ocsp/shared/conf/acl.properties
+@@ -12,6 +12,9 @@ account.logout = certServer.ocsp.account,logout
+ audit.read = certServer.log.configuration,read
+ audit.modify = certServer.log.configuration,modify
+ 
++# audit logs
++audit-log.read = certServer.log.content.signedAudit,read
++
+ groups = certServer.ocsp.groups,execute
+ selftests.read = certServer.ocsp.selftests,read
+ selftests.execute = certServer.ocsp.selftests,execute
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/base/PKIService.java b/base/server/cms/src/com/netscape/cms/servlet/base/PKIService.java
+index 8dfbef1..e023aa6 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/base/PKIService.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/base/PKIService.java
+@@ -59,6 +59,7 @@ public class PKIService {
+ MediaType.APPLICATION_XML_TYPE,
+ MediaType.APPLICATION_JSON_TYPE,
+ MediaType.APPLICATION_FORM_URLENCODED_TYPE,
++ 
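Review bot: In AuditFileRetrieveCLI.execute the second argument check is written as `} if (cmdArgs.length > 1) {` on the closing-brace line, which reads like a typo for `} else if` even though it behaves correctly because the first branch throws; put `if (cmdArgs.length > 1) {` on its own line so the next reader does not stop to check. When `--output` is omitted the file is written under the server-side name in the current directory, and `new FileOutputStream(output)` silently truncates any existing file of that name; consider refusing to overwrite unless `--output` was given explicitly, or at least say so in the option help (`Output file (overwritten if it exists); defaults to the audit file name.`).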
MediaType.APPLICATION_OCTET_STREAM_TYPE,
+ MediaType.valueOf("application/pkix-cert"),
+ MediaType.valueOf("application/pkcs7-mime"),
+ MediaType.valueOf("application/x-pem-file")
+diff --git a/base/server/cms/src/org/dogtagpki/server/rest/AuditService.java b/base/server/cms/src/org/dogtagpki/server/rest/AuditService.java
+index 9af95d9..7bb048f 100644
+--- a/base/server/cms/src/org/dogtagpki/server/rest/AuditService.java
++++ b/base/server/cms/src/org/dogtagpki/server/rest/AuditService.java
+@@ -18,16 +18,27 @@
+ 
+ package org.dogtagpki.server.rest;
+ 
++import java.io.File;
++import java.io.FileInputStream;
++import java.io.IOException;
++import java.io.InputStream;
++import java.io.OutputStream;
+ import java.io.UnsupportedEncodingException;
+ import java.net.URI;
++import java.util.ArrayList;
+ import java.util.Collection;
++import java.util.Collections;
+ import java.util.HashMap;
++import java.util.List;
+ import java.util.Map;
+ import java.util.TreeMap;
+ import java.util.TreeSet;
+ 
++import javax.ws.rs.WebApplicationException;
+ import javax.ws.rs.core.Response;
++import javax.ws.rs.core.StreamingOutput;
+ 
++import org.apache.commons.io.IOUtils;
+ import org.apache.commons.lang.StringUtils;
+ import org.jboss.resteasy.plugins.providers.atom.Link;
+ 
+@@ -36,7 +47,10 @@ import com.netscape.certsrv.base.BadRequestException;
+ import com.netscape.certsrv.base.EBaseException;
+ import com.netscape.certsrv.base.IConfigStore;
+ import com.netscape.certsrv.base.PKIException;
++import com.netscape.certsrv.base.ResourceNotFoundException;
+ import com.netscape.certsrv.logging.AuditConfig;
++import com.netscape.certsrv.logging.AuditFile;
++import com.netscape.certsrv.logging.AuditFileCollection;
+ import com.netscape.certsrv.logging.AuditResource;
+ import com.netscape.certsrv.logging.ILogger;
+ import com.netscape.cms.servlet.base.SubsystemService;
+@@ -299,6 +313,99 @@ public class AuditService extends SubsystemService implements AuditResource {
+ }
+ }
+ 
++ public
File getCurrentLogFile() {
++ IConfigStore cs = CMS.getConfigStore();
++ String filename = cs.get("log.instance.SignedAudit.fileName");
++ return new File(filename);
++ }
++
++ public File getLogDirectory() {
++ File file = getCurrentLogFile();
++ return file.getParentFile();
++ }
++
++ public List getLogFiles() {
++
++ List filenames = new ArrayList<>();
++
++ File currentFile = getCurrentLogFile();
++ String currentFilename = currentFile.getName();
++ File logDir = currentFile.getParentFile();
++
++ // add all log files except the current one
++ for (String filename : logDir.list()) {
++ if (filename.equals(currentFilename)) continue;
++ filenames.add(filename);
++ }
++
++ // sort log files in ascending order
++ Collections.sort(filenames);
++
++ // add the current log file last (i.e. newest)
++ filenames.add(currentFilename);
++
++ List files = new ArrayList<>();
++ for (String filename : filenames) {
++ files.add(new File(logDir, filename));
++ }
++
++ return files;
++ }
++
++ @Override
++ public Response findAuditFiles() {
++
++ AuditFileCollection response = new AuditFileCollection();
++
++ List files = getLogFiles();
++
++ CMS.debug("Audit files:");
++ for (File file : files) {
++ String name = file.getName();
++ CMS.debug(" - " + name);
++
++ AuditFile auditFile = new AuditFile();
++ auditFile.setName(name);
++ auditFile.setSize(file.length());
++
++ response.addEntry(auditFile);
++ }
++
++ response.setTotal(files.size());
++
++ return createOKResponse(response);
++ }
++
++ @Override
++ public Response getAuditFile(String filename) {
++
++ // make sure filename does not contain path
++ if (!new File(filename).getName().equals(filename)) {
++ CMS.debug("Invalid file name: " + filename);
++ throw new BadRequestException("Invalid file name: " + filename);
++ }
++
++ File logDir = getLogDirectory();
++ File file = new File(logDir, filename);
++
++ if (!file.exists()) {
++ throw new ResourceNotFoundException("File not found: " + filename);
++ }
++
++ 
StreamingOutput so = new StreamingOutput() {
++
++ @Override
++ public void write(OutputStream out) throws IOException, WebApplicationException {
++
++ try (InputStream is = new FileInputStream(file)) {
++ IOUtils.copy(is, out);
++ }
++ }
++ };
++
++ return createOKResponse(so);
++ }
++
+ /*
+ * in case of failure, "info" should be in the params
+ */
+diff --git a/base/tks/shared/conf/acl.properties b/base/tks/shared/conf/acl.properties
+index 7146d38..5c072c7 100644
+--- a/base/tks/shared/conf/acl.properties
++++ b/base/tks/shared/conf/acl.properties
+@@ -12,6 +12,9 @@ account.logout = certServer.tks.account,logout
+ audit.read = certServer.log.configuration,read
+ audit.modify = certServer.log.configuration,modify
+ 
++# audit logs
++audit-log.read = certServer.log.content.signedAudit,read
++
+ groups = certServer.tks.groups,execute
+ selftests.read = certServer.tks.selftests,read
+ selftests.execute = certServer.tks.selftests,execute
+diff --git a/base/tps/shared/conf/acl.properties b/base/tps/shared/conf/acl.properties
+index 1c581b3..6b51485 100644
+--- a/base/tps/shared/conf/acl.properties
++++ b/base/tps/shared/conf/acl.properties
+@@ -13,6 +13,9 @@ account.logout = certServer.tps.account,logout
+ audit.read = certServer.log.configuration,read
+ audit.modify = certServer.log.configuration,modify
+ 
++# audit logs
++audit-log.read = certServer.log.content.signedAudit,read
++
+ authenticators.read = certServer.tps.authenticators,read
+ authenticators.add = certServer.tps.authenticators,add
+ authenticators.modify = certServer.tps.authenticators,modify
+-- 
+1.8.3.1
+
+
+From 4ab0608cbda0c9336c5eb9ea40a7d3ca769ab17b Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" 
+Date: Tue, 4 Apr 2017 17:53:53 +0200
+Subject: [PATCH 26/59] Fixed PKIServerSocketListener.
+
+The PKIServerSocketListener.alertReceived() has been fixed to
+generate audit log when the SSL socket is closed by the client.
+
+The log message has been modified to include the reason for the
+termination. 
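Review bot: getAuditFile streams any existing entry of the signed-audit directory as long as the name has no path separator, so `.` and `..` pass the `getName()` check (and then fail inside write() with an IOException on a directory), and a non-log file or a symlink that ends up in that directory is served under the `audit-log.read` ACL; restrict it to what findAuditFiles itself lists by replacing `if (!file.exists()) {` with `if (!file.isFile() || !getLogFiles().contains(file)) {` — File.equals compares paths and getLogFiles builds its entries with the same `new File(logDir, filename)`, so the check lines up. If symlinks planted in the log directory are a concern, additionally compare `file.getCanonicalFile().getParentFile()` with the canonical log directory, wrapping the IOException into a PKIException. In getLogFiles, `logDir.list()` returns null when the directory is missing or unreadable and that becomes a NullPointerException on the for line; a null check there, or `logDir.listFiles()` filtered to regular files, keeps a misconfigured `log.instance.SignedAudit.fileName` from surfacing as a 500. The debug line `CMS.debug("Invalid file name: " + filename)` writes the attacker-chosen name into the log verbatim, which is fine only if the debug writer neutralizes newlines — worth confirming.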
+ +https://pagure.io/dogtagpki/issue/2602 + +Change-Id: Ief2817f2b2b31cf6f60fae0ee4c55c17024f7988 +--- + .../dogtagpki/server/PKIServerSocketListener.java | 39 +++++++++++++++++++++- + base/server/cmsbundle/src/LogMessages.properties | 2 +- + 2 files changed, 39 insertions(+), 2 deletions(-) + +diff --git a/base/server/cms/src/org/dogtagpki/server/PKIServerSocketListener.java b/base/server/cms/src/org/dogtagpki/server/PKIServerSocketListener.java +index f147c77..adba676 100644 +--- a/base/server/cms/src/org/dogtagpki/server/PKIServerSocketListener.java ++++ b/base/server/cms/src/org/dogtagpki/server/PKIServerSocketListener.java +@@ -41,6 +41,42 @@ public class PKIServerSocketListener implements SSLSocketListener { + + @Override + public void alertReceived(SSLAlertEvent event) { ++ try { ++ SSLSocket socket = event.getSocket(); ++ ++ SocketAddress remoteSocketAddress = socket.getRemoteSocketAddress(); ++ InetAddress clientAddress = remoteSocketAddress == null ? null : ((InetSocketAddress)remoteSocketAddress).getAddress(); ++ InetAddress serverAddress = socket.getLocalAddress(); ++ String clientIP = clientAddress == null ? "" : clientAddress.getHostAddress(); ++ String serverIP = serverAddress == null ? "" : serverAddress.getHostAddress(); ++ ++ SSLSecurityStatus status = socket.getStatus(); ++ X509Certificate peerCertificate = status.getPeerCertificate(); ++ Principal subjectDN = peerCertificate == null ? null : peerCertificate.getSubjectDN(); ++ String subjectID = subjectDN == null ? 
"" : subjectDN.toString(); ++ ++ int description = event.getDescription(); ++ String reason = SSLAlertDescription.valueOf(description).toString(); ++ ++ logger.debug("SSL alert received:"); ++ logger.debug(" - client: " + clientAddress); ++ logger.debug(" - server: " + serverAddress); ++ logger.debug(" - reason: " + reason); ++ ++ IAuditor auditor = CMS.getAuditor(); ++ ++ String auditMessage = CMS.getLogMessage( ++ "LOGGING_SIGNED_AUDIT_ACCESS_SESSION_TERMINATED", ++ clientIP, ++ serverIP, ++ subjectID, ++ reason); ++ ++ auditor.log(auditMessage); ++ ++ } catch (Exception e) { ++ e.printStackTrace(); ++ } + } + + @Override +@@ -75,7 +111,8 @@ public class PKIServerSocketListener implements SSLSocketListener { + "LOGGING_SIGNED_AUDIT_ACCESS_SESSION_TERMINATED", + clientIP, + serverIP, +- subjectID); ++ subjectID, ++ reason); + + auditor.log(auditMessage); + +diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties +index dde53ba..7572db4 100644 +--- a/base/server/cmsbundle/src/LogMessages.properties ++++ b/base/server/cmsbundle/src/LogMessages.properties +@@ -2737,7 +2737,7 @@ LOGGING_SIGNED_AUDIT_ACCESS_SESSION_ESTABLISH_SUCCESS=\ + # separated by + (if more than one name;;value pair) of config params changed + # + LOGGING_SIGNED_AUDIT_ACCESS_SESSION_TERMINATED=\ +-:[AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP={0}][ServerIP={1}][SubjectID={2}][Outcome=Success] access session terminated ++:[AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP={0}][ServerIP={1}][SubjectID={2}][Outcome=Success][Info={3}] access session terminated + + + ########################### +-- +1.8.3.1 + + +From 8463f5f791ced714d64ff891dc015666a971454b Mon Sep 17 00:00:00 2001 +From: Ade Lee +Date: Mon, 3 Apr 2017 12:56:48 -0400 +Subject: [PATCH 27/59] Add python-cryptography crypto provider + +The python-cryptography provider is added. It will use AES +mechanisms by default. 
The eventual goal is to use this +provider by default, and to obsolete the NSS CryptoProvider. + +Added some methods to determine which crypto keyset levels are +supported by the crypto provider. + +Change-Id: Ifd47f0de765a9f0d157e8be678d5d06437bda819 +--- + base/common/python/pki/crypto.py | 206 ++++++++++++++++++++++++++++++++++++--- + base/common/python/pki/util.py | 6 +- + 2 files changed, 196 insertions(+), 16 deletions(-) + +diff --git a/base/common/python/pki/crypto.py b/base/common/python/pki/crypto.py +index 86fa16e..b767abd 100644 +--- a/base/common/python/pki/crypto.py ++++ b/base/common/python/pki/crypto.py +@@ -23,13 +23,21 @@ Module containing crypto classes. + """ + from __future__ import absolute_import + import abc +-import nss.nss as nss + import os +-import six + import shutil + import subprocess + import tempfile + ++import nss.nss as nss ++import six ++from cryptography.hazmat.backends import default_backend ++from cryptography.hazmat.primitives.ciphers import ( ++ Cipher, algorithms, modes ++) ++from cryptography.hazmat.primitives import padding ++from cryptography.hazmat.primitives.asymmetric.padding import PKCS1v15 ++import cryptography.x509 ++ + + class CryptoProvider(six.with_metaclass(abc.ABCMeta, object)): + """ +@@ -43,30 +51,32 @@ class CryptoProvider(six.with_metaclass(abc.ABCMeta, object)): + @abc.abstractmethod + def initialize(self): + """ Initialization code """ +- pass + +- @staticmethod + @abc.abstractmethod +- def generate_nonce_iv(mechanism): ++ def get_supported_algorithm_keyset(self): ++ """ returns highest supported algorithm keyset """ ++ ++ @abc.abstractmethod ++ def set_algorithm_keyset(self, level): ++ """ sets required keyset """ ++ ++ @abc.abstractmethod ++ def generate_nonce_iv(self, mechanism): + """ Create a random initialization vector """ +- pass + + @abc.abstractmethod + def generate_symmetric_key(self, mechanism=None, size=0): + """ Generate and return a symmetric key """ +- pass + + @abc.abstractmethod + def 
generate_session_key(self): + """ Generate a session key to be used for wrapping data to the DRM + This must return a 3DES 168 bit key """ +- pass + + @abc.abstractmethod + def symmetric_wrap(self, data, wrapping_key, mechanism=None, + nonce_iv=None): + """ encrypt data using a symmetric key (wrapping key)""" +- pass + + @abc.abstractmethod + def symmetric_unwrap(self, data, wrapping_key, mechanism=None, +@@ -77,7 +87,6 @@ class CryptoProvider(six.with_metaclass(abc.ABCMeta, object)): + The mechanism is the type of key used to do the wrapping. It defaults + to a 56 bit DES3 key. + """ +- pass + + @abc.abstractmethod + def asymmetric_wrap(self, data, wrapping_cert, mechanism=None): +@@ -86,12 +95,10 @@ class CryptoProvider(six.with_metaclass(abc.ABCMeta, object)): + The mechanism is the type of symmetric key, which defaults to a 56 bit + DES3 key. + """ +- pass + + # abc.abstractmethod + def get_cert(self, cert_nick): + """ Get the certificate for the specified cert_nick. """ +- pass + + + class NSSCryptoProvider(CryptoProvider): +@@ -152,6 +159,18 @@ class NSSCryptoProvider(CryptoProvider): + """ + nss.nss_init(self.certdb_dir) + ++ def get_supported_algorithm_keyset(self): ++ """ returns highest supported algorithm keyset """ ++ return 0 ++ ++ def set_algorithm_keyset(self, level): ++ """ sets required keyset """ ++ if level > 0: ++ raise Exception("Invalid keyset") ++ ++ # basically, do what we have always done, no need to set anything ++ # special here. 
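Review bot: The generate_session_key docstring kept in this hunk still promises `This must return a 3DES 168 bit key`, but the keyset levels introduced just above it make the key algorithm provider- and level-dependent (the CryptographyCryptoProvider added later in this patch returns a 16-byte AES key at level 1), so the contract is now wrong; reword it to `Generate a session key for wrapping data sent to the DRM; algorithm and size follow the level selected with set_algorithm_keyset (3DES at level 0, AES-128 at level 1).` The new abstract methods get_supported_algorithm_keyset and set_algorithm_keyset deserve more than a one-liner: say what a level is, which values exist today and that set_algorithm_keyset raises on a level the provider does not support. generate_nonce_iv also changes from `@staticmethod` to an instance method, which breaks any caller invoking it on the class rather than an instance; I cannot see such callers from here, but it belongs in the commit message.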
++ + def import_cert(self, cert_nick, cert, trust=',,'): + """ Import a certificate into the nss database + """ +@@ -170,8 +189,7 @@ class NSSCryptoProvider(CryptoProvider): + '-i', cert_file.name] + subprocess.check_call(command) + +- @staticmethod +- def generate_nonce_iv(mechanism=nss.CKM_DES3_CBC_PAD): ++ def generate_nonce_iv(self, mechanism=nss.CKM_DES3_CBC_PAD): + """ Create a random initialization vector """ + iv_length = nss.get_iv_length(mechanism) + if iv_length > 0: +@@ -237,6 +255,8 @@ class NSSCryptoProvider(CryptoProvider): + """ + :param data Data to be wrapped + :param wrapping_key Symmetric key to wrap data ++ :param mechanism Mechanism to user when wrapping ++ :param nonce_iv Nonce to use when wrapping + + Wrap (encrypt) data using the supplied symmetric key + """ +@@ -255,6 +275,7 @@ class NSSCryptoProvider(CryptoProvider): + """ + :param data Data to be unwrapped + :param wrapping_key Symmetric key to unwrap data ++ :param mechanism Mechanism to use when wrapping + :param nonce_iv iv data + + Unwrap (decrypt) data using the supplied symmetric key +@@ -288,3 +309,160 @@ class NSSCryptoProvider(CryptoProvider): + Searches NSS database and returns SecItem object for this certificate. + """ + return nss.find_cert_from_nickname(cert_nick) ++ ++ ++class CryptographyCryptoProvider(CryptoProvider): ++ """ ++ Class that defines python-cryptography implementation of CryptoProvider. ++ Requires a PEM file containing the agent cert to be initialized. ++ ++ Note that all inputs and outputs are unencoded. 
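Review bot: NSSCryptoProvider.set_algorithm_keyset raises a bare `Exception("Invalid keyset")` while the CryptographyCryptoProvider implementation added later in this patch raises ValueError for the same condition, so a caller cannot handle the two providers consistently; use `raise ValueError("Invalid keyset")` here. Both implementations also accept negative levels silently because only `level > 0` (or `> 1`) is rejected; since this provider supports exactly level 0, `if level != 0:` is the check it actually wants.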
++ """ ++ ++ def __init__(self, transport_cert_nick, transport_cert, ++ backend=default_backend()): ++ """ Initialize python-cryptography ++ """ ++ super(CryptographyCryptoProvider, self).__init__() ++ self.certs = {} ++ ++ if not isinstance(transport_cert, cryptography.x509.Certificate): ++ # it's a file name ++ with open(transport_cert, 'r') as f: ++ transport_pem = f.read() ++ transport_cert = cryptography.x509.load_pem_x509_certificate( ++ transport_pem, ++ backend) ++ ++ self.certs[transport_cert_nick] = transport_cert ++ ++ # default to AES ++ self.encrypt_alg = algorithms.AES ++ self.encrypt_mode = modes.CBC ++ self.encrypt_size = 128 ++ self.backend = backend ++ ++ def initialize(self): ++ """ ++ Any operations here that need to be performed before crypto ++ operations. ++ """ ++ pass ++ ++ def get_supported_algorithm_keyset(self): ++ """ returns highest supported algorithm keyset """ ++ return 1 ++ ++ def set_algorithm_keyset(self, level): ++ """ sets required keyset """ ++ if level > 1: ++ raise ValueError("Invalid keyset") ++ elif level == 1: ++ self.encrypt_alg = algorithms.AES ++ self.encrypt_mode = modes.CBC ++ self.encrypt_size = 128 ++ elif level == 0: ++ self.encrypt_alg = algorithms.TripleDES ++ self.encrypt_mode = modes.CBC ++ self.encrypt_size = 168 ++ ++ def generate_nonce_iv(self, mechanism='AES'): ++ """ Create a random initialization vector """ ++ return os.urandom(self.encrypt_alg.block_size // 8) ++ ++ def generate_symmetric_key(self, mechanism=None, size=0): ++ """ Returns a symmetric key. ++ """ ++ if mechanism is None: ++ size = self.encrypt_size // 8 ++ return os.urandom(size) ++ ++ def generate_session_key(self): ++ """ Returns a session key to be used when wrapping secrets for the DRM. 
++ """ ++ return self.generate_symmetric_key() ++ ++ def symmetric_wrap(self, data, wrapping_key, mechanism=None, ++ nonce_iv=None): ++ """ ++ :param data Data to be wrapped ++ :param wrapping_key Symmetric key to wrap data ++ :param mechanism Mechanism to use for wrapping key ++ :param nonce_iv Nonce for initialization vector ++ ++ Wrap (encrypt) data using the supplied symmetric key ++ """ ++ # TODO(alee) Not sure yet how to handle non-default mechanisms ++ # For now, lets just ignore them ++ ++ if wrapping_key is None: ++ raise ValueError("Wrapping key must be provided") ++ ++ if self.encrypt_mode.name == "CBC": ++ padder = padding.PKCS7(self.encrypt_alg.block_size).padder() ++ padded_data = padder.update(data) + padder.finalize() ++ data = padded_data ++ else: ++ raise ValueError('Only CBC mode is currently supported') ++ ++ cipher = Cipher(self.encrypt_alg(wrapping_key), ++ self.encrypt_mode(nonce_iv), ++ backend=self.backend) ++ ++ encryptor = cipher.encryptor() ++ ct = encryptor.update(data) + encryptor.finalize() ++ return ct ++ ++ def symmetric_unwrap(self, data, wrapping_key, ++ mechanism=None, nonce_iv=None): ++ """ ++ :param data Data to be unwrapped ++ :param wrapping_key Symmetric key to unwrap data ++ :param mechanism Mechanism to use when unwrapping ++ :param nonce_iv iv data ++ ++ Unwrap (decrypt) data using the supplied symmetric key ++ """ ++ ++ # TODO(alee) As above, no idea what to do with mechanism ++ # ignoring for now. 
++ ++ if wrapping_key is None: ++ raise ValueError("Wrapping key must be provided") ++ ++ cipher = Cipher(self.encrypt_alg(wrapping_key), ++ self.encrypt_mode(nonce_iv), ++ backend=self.backend) ++ ++ decryptor = cipher.decryptor() ++ unwrapped = decryptor.update(data) + decryptor.finalize() ++ ++ if self.encrypt_mode.name == 'CBC': ++ unpadder = padding.PKCS7(self.encrypt_alg.block_size).unpadder() ++ unpadded = unpadder.update(unwrapped) + unpadder.finalize() ++ unwrapped = unpadded ++ else: ++ raise ValueError('Only CBC mode is currently supported') ++ ++ return unwrapped ++ ++ def asymmetric_wrap(self, data, wrapping_cert, ++ mechanism=None): ++ """ ++ :param data Data to be wrapped ++ :param wrapping_cert Public key to wrap data ++ :param mechanism algorithm of symmetric key to be wrapped ++ ++ Wrap (encrypt) data using the supplied asymmetric key ++ """ ++ public_key = wrapping_cert.public_key() ++ return public_key.encrypt( ++ data, ++ PKCS1v15() ++ ) ++ ++ def get_cert(self, cert_nick): ++ """ ++ :param cert_nick Nickname for the certificate to be returned. ++ """ ++ return self.certs[cert_nick] +diff --git a/base/common/python/pki/util.py b/base/common/python/pki/util.py +index 0765bcf..0de13fd 100644 +--- a/base/common/python/pki/util.py ++++ b/base/common/python/pki/util.py +@@ -34,8 +34,10 @@ except ImportError: + + import subprocess + +-DEFAULT_PKI_ENV_LIST = ['/usr/share/pki/etc/pki.conf', +- '/etc/pki/pki.conf'] ++DEFAULT_PKI_ENV_LIST = [ ++ '/usr/share/pki/etc/pki.conf', ++ '/etc/pki/pki.conf', ++] + + + def copy(source, dest): +-- +1.8.3.1 + + +From a1e30184b675c69fa858eb4fb85a6d358deb9bf1 Mon Sep 17 00:00:00 2001 +From: Ade Lee +Date: Mon, 3 Apr 2017 13:00:03 -0400 +Subject: [PATCH 28/59] Add code in KRA python client to support multiple + crypto algorithms + +Added code to: +* Add an InfoClient to the KRAClient +* Check the server, client and crypto provider keyset levels and + select the highest possible level accordingly. 
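Review bot: CryptographyCryptoProvider.__init__ reads the transport certificate with `open(transport_cert, 'r')` and hands the result to load_pem_x509_certificate, which takes bytes; under Python 3 (this module uses six, so both interpreters are intended) that is a TypeError, so open it with `with open(transport_cert, 'rb') as f:`. In set_algorithm_keyset the level-0 branch sets `self.encrypt_size = 168`, so generate_symmetric_key returns `os.urandom(21)`; as far as I can tell python-cryptography's TripleDES accepts only 64/128/192-bit keys (parity bits included), so that key is rejected when the Cipher is built — the value should be 192, with 168 at most mentioned in a comment as the effective strength. symmetric_wrap and symmetric_unwrap default `nonce_iv=None` and pass it straight into `self.encrypt_mode(nonce_iv)`, so a missing IV surfaces as a TypeError from inside cryptography rather than the explicit `raise ValueError("nonce_iv must be provided")` that the adjacent wrapping_key check gets. asymmetric_wrap is pinned to PKCS1v15, presumably because that is what the DRM transport key expects; a one-line comment saying so would stop the next reader from "fixing" it to OAEP.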
+* Added new fields as returned by the server for retrieval. +* Added new fields to KeyRecoveryRequest as added in AES changes. + +Changes to decode keywrapped symmetirc and asymmetric keys will +be added in subsequent patches. Right now, encrypt/decrypt works. + +Change-Id: Ifa7748d822c6b6f9a7c4afb395fb1388c587174d +--- + base/common/python/pki/info.py | 52 +++++++++++++++----- + base/common/python/pki/key.py | 105 ++++++++++++++++++++++++++++++++++------- + base/common/python/pki/kra.py | 23 ++++++--- + 3 files changed, 144 insertions(+), 36 deletions(-) + +diff --git a/base/common/python/pki/info.py b/base/common/python/pki/info.py +index b4da8b0..f4ab68c 100644 +--- a/base/common/python/pki/info.py ++++ b/base/common/python/pki/info.py +@@ -56,20 +56,38 @@ class Info(object): + return info + + +-class Version(object): +- """ +- This class encapsulates a version object as returned from +- a Dogtag server and decomposes it into major, minor, etc. +- """ ++class Version(tuple): ++ __slots__ = () ++ ++ def __new__(cls, version): ++ parts = [int(p) for p in version.split('.')] ++ if len(parts) < 3: ++ parts.extend([0] * (3 - len(parts))) ++ if len(parts) > 3: ++ raise ValueError(version) ++ return tuple.__new__(cls, tuple(parts)) ++ ++ def __str__(self): ++ return '{}.{}.{}'.format(*self) ++ ++ def __repr__(self): ++ return "".format(*self) + +- def __init__(self, version_string): +- for idx, val in enumerate(version_string.split('.')): +- if idx == 0: +- self.major = val +- if idx == 1: +- self.minor = val +- if idx == 2: +- self.patch = val ++ def __getnewargs__(self): ++ # pickle support ++ return str(self) ++ ++ @property ++ def major(self): ++ return self[0] ++ ++ @property ++ def minor(self): ++ return self[1] ++ ++ @property ++ def patchlevel(self): ++ return self[2] + + + class InfoClient(object): +@@ -98,3 +116,11 @@ class InfoClient(object): + """ return Version object from server """ + version_string = self.get_info().version + return 
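Review bot: `__getnewargs__` returns `str(self)`, but pickle passes its result to `__new__` as `*args`, so unpickling would call `Version.__new__(cls, '1', '0', '.', ...)` and fail; it has to return a tuple, `return (str(self),)`. `__repr__` is rendered here as `"".format(*self)`, which would make every repr an empty string — presumably the angle-bracket template was stripped in this listing, but confirm the real source reads `'<Version {}.{}.{}>'.format(*self)`. `__new__` also calls `int(p)` on every dotted component, so a server reporting something like `10.4.1-1` or a pre-release suffix raises ValueError, and because get_server_keyset later in this patch swallows every exception and falls back to keyset 0, that parse failure would silently select 3DES.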
Version(version_string) ++ ++ ++if __name__ == '__main__': ++ print(Version('10')) ++ print(Version('10.1')) ++ print(Version('10.1.1')) ++ print(tuple(Version('10.1.1'))) ++ print(Version('10.1.1.1')) +diff --git a/base/common/python/pki/key.py b/base/common/python/pki/key.py +index da4efd6..6c5641a 100644 +--- a/base/common/python/pki/key.py ++++ b/base/common/python/pki/key.py +@@ -27,12 +27,15 @@ from __future__ import absolute_import + from __future__ import print_function + import base64 + import json ++import os + + from six import iteritems + from six.moves.urllib.parse import quote # pylint: disable=F0401,E0611 + + import pki + import pki.encoder as encoder ++from pki.info import Version ++import pki.util + + + # should be moved to request.py +@@ -58,7 +61,10 @@ class KeyData(object): + json_attribute_names = { + 'nonceData': 'nonce_data', + 'wrappedPrivateData': 'wrapped_private_data', +- 'requestID': 'request_id' ++ 'requestID': 'request_id', ++ 'encryptAlgorithmOID': 'encrypt_algorithm_oid', ++ 'wrapAlgorithm': 'wrap_algorithm', ++ 'publicKey': 'public_key' + } + + # pylint: disable=C0103 +@@ -69,6 +75,10 @@ class KeyData(object): + self.request_id = None + self.size = None + self.wrapped_private_data = None ++ self.encrypt_algorithm_oid = None ++ self.wrap_algorithm = None ++ self.public_key = None ++ self.type = None + + @classmethod + def from_json(cls, attr_list): +@@ -102,6 +112,11 @@ class Key(object): + self.algorithm = key_data.algorithm + self.size = key_data.size + ++ self.encrypt_algorithm_oid = getattr( ++ key_data, "encrypt_algorithm_oid", None) ++ self.wrap_algorithm = getattr(key_data, "wrap_algorithm", None) ++ self.public_key = getattr(key_data, "public_key", None) ++ + # To store the unwrapped key information. + # The decryption takes place on the client side. 
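Review bot: The `if __name__ == '__main__':` block added to info.py is debug scaffolding inside a library module, and its last line `print(Version('10.1.1.1'))` triggers the four-component ValueError that `__new__` itself raises, so running the module always ends in a traceback; move these cases into a unit test (asserting `Version('10') == (10, 0, 0)`, `str(Version('10.1')) == '10.1.0'` and that `Version('10.1.1.1')` raises ValueError) and drop the block.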
+ self.data = None +@@ -341,7 +356,8 @@ class KeyRecoveryRequest(pki.ResourceMessage): + trans_wrapped_session_key=None, + session_wrapped_passphrase=None, + nonce_data=None, certificate=None, +- passphrase=None): ++ passphrase=None, payload_wrapping_name=None, ++ payload_encryption_oid=None): + """ Constructor """ + pki.ResourceMessage.__init__( + self, +@@ -354,6 +370,8 @@ class KeyRecoveryRequest(pki.ResourceMessage): + self.add_attribute("certificate", certificate) + self.add_attribute("passphrase", passphrase) + self.add_attribute("keyId", key_id) ++ self.add_attribute("payloadWrappingName", payload_wrapping_name) ++ self.add_attribute("payloadEncryptionOID", payload_encryption_oid) + + + class SymKeyGenerationRequest(pki.ResourceMessage): +@@ -443,8 +461,10 @@ class KeyClient(object): + + # default session key wrapping algorithm + DES_EDE3_CBC_OID = "{1 2 840 113549 3 7}" ++ AES_128_CBC_OID = "{2 16 840 1 101 3 4 1 2}" + +- def __init__(self, connection, crypto, transport_cert_nick=None): ++ def __init__(self, connection, crypto, transport_cert_nick=None, ++ info_client=None): + """ Constructor """ + self.connection = connection + self.headers = {'Content-type': 'application/json', +@@ -459,6 +479,10 @@ class KeyClient(object): + else: + self.transport_cert = None + ++ self.info_client = info_client ++ self.encrypt_alg_oid = None ++ self.set_crypto_algorithms() ++ + def set_transport_cert(self, transport_cert_nick): + """ Set the transport certificate for crypto operations """ + if transport_cert_nick is None: +@@ -467,6 +491,44 @@ class KeyClient(object): + self.transport_cert = self.crypto.get_cert(transport_cert_nick) + + @pki.handle_exceptions() ++ def set_crypto_algorithms(self): ++ server_keyset = self.get_server_keyset() ++ client_keyset = self.get_client_keyset() ++ crypto_keyset = self.crypto.get_supported_algorithm_keyset() ++ keyset_id = min([server_keyset, client_keyset, crypto_keyset]) ++ ++ # set keyset in crypto provider ++ 
self.crypto.set_algorithm_keyset(keyset_id) ++ ++ # set keyset related constants needed in KeyClient ++ if keyset_id == 0: ++ self.encrypt_alg_oid = self.DES_EDE3_CBC_OID ++ else: ++ self.encrypt_alg_oid = self.AES_128_CBC_OID ++ ++ def get_client_keyset(self): ++ # get client keyset ++ pki.util.read_environment_files() ++ client_keyset = os.getenv('KEY_WRAP_PARAMETER_SET') ++ if client_keyset is not None: ++ return client_keyset ++ return 0 ++ ++ def get_server_keyset(self): ++ # get server keyset id ++ server_version = Version("0.0.0") ++ try: ++ server_version = self.info_client.get_version() ++ except Exception: # pylint: disable=W0703 ++ # TODO(alee) tighten up the exception here ++ pass ++ ++ if server_version >= (10, 4): ++ return 1 ++ ++ return 0 ++ ++ @pki.handle_exceptions() + def list_keys(self, client_key_id=None, status=None, max_results=None, + max_time=None, start=None, size=None, realm=None): + """ List/Search archived secrets in the DRM. +@@ -785,7 +847,8 @@ class KeyClient(object): + raise TypeError('Missing wrapped session key') + + if not algorithm_oid: +- algorithm_oid = KeyClient.DES_EDE3_CBC_OID ++ algorithm_oid = KeyClient.AES_128_CBC_OID ++ # algorithm_oid = KeyClient.DES_EDE3_CBC_OID + + if not nonce_iv: + raise TypeError('Missing nonce IV') +@@ -910,7 +973,7 @@ class KeyClient(object): + approval is required, then the KeyData will include the secret. + + * If the key cannot be retrieved synchronously - ie. if more than one +- approval is needed, then the KeyData obect will include the request ++ approval is needed, then the KeyData object will include the request + ID for a recovery request that was created on the server. When that + request is approved, callers can retrieve the key using + retrieve_key() and setting the request_id. 
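Review bot: `get_client_keyset` returns the raw `KEY_WRAP_PARAMETER_SET` environment string while `get_server_keyset` and the crypto provider return ints, so `min([server_keyset, client_keyset, crypto_keyset])` in `set_crypto_algorithms` compares str with int — a TypeError on Python 3, and on Python 2, where mixed comparisons order all ints below strings, an override that can never lower the keyset. Convert and validate it: `return int(client_keyset)`, rejecting anything other than 0 or 1. Separately, `get_server_keyset` swallows every exception from `self.info_client.get_version()` (including `info_client` being None) and returns 0, which silently downgrades the session-key algorithm to DES-EDE3 whenever the info endpoint cannot be reached; log the failure at minimum, and consider raising instead of defaulting when the caller did not explicitly request the legacy keyset.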
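Review bot: The new fallback `algorithm_oid = KeyClient.AES_128_CBC_OID` is a class constant and ignores the keyset negotiated in `set_crypto_algorithms`, so it can disagree with the algorithm the crypto provider was configured for when keyset 0 was selected; if this is an instance method, `algorithm_oid = self.encrypt_alg_oid` keeps the two in step. The commented-out `# algorithm_oid = KeyClient.DES_EDE3_CBC_OID` line is dead code and should be removed rather than kept as a reminder. The enclosing function's signature is outside the hunk, so the `self` availability is inferred.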
+@@ -951,7 +1014,9 @@ class KeyClient(object): + key_id=key_id, + request_id=request_id, + trans_wrapped_session_key=base64.b64encode( +- trans_wrapped_session_key)) ++ trans_wrapped_session_key), ++ payload_encryption_oid=self.encrypt_alg_oid ++ ) + + key = self.retrieve_key_data(request) + if not key_provided and key.encrypted_data is not None: +@@ -982,12 +1047,13 @@ class KeyClient(object): + + 1) A passphrase is provided by the caller. + +- In this case, CryptoProvider methods will be called to create the data +- to securely send the passphrase to the DRM. Basically, three pieces of +- data will be sent: ++ In this case, CryptoProvider methods will be called to create the ++ data to securely send the passphrase to the DRM. Basically, three ++ pieces of data will be sent: + +- - the passphrase wrapped by a 168 bit 3DES symmetric key (the session +- key). This is referred to as the parameter session_wrapped_passphrase. ++ - the passphrase wrapped by a 168 bit 3DES symmetric key (the ++ session key). This is referred to as the parameter ++ session_wrapped_passphrase. + + - the session key wrapped with the public key in the DRM transport + certificate. This is referred to as the trans_wrapped_session_key. +@@ -999,9 +1065,10 @@ class KeyClient(object): + 2) The caller provides the trans_wrapped_session_key, + session_wrapped_passphrase and nonce_data. + +- In this case, the data will simply be passed to the DRM. The function +- will return the secret encrypted by the passphrase using PBE Encryption. +- The secret will still need to be decrypted by the caller. ++ In this case, the data will simply be passed to the DRM. ++ The function will return the secret encrypted by the passphrase ++ using PBE Encryption. The secret will still need to be decrypted ++ by the caller. 
+ + The function will return the tuple (KeyData, None) + """ +@@ -1053,12 +1120,18 @@ def main(): + usages = [SymKeyGenerationRequest.DECRYPT_USAGE, + SymKeyGenerationRequest.ENCRYPT_USAGE] + gen_request = SymKeyGenerationRequest(client_key_id, 128, "AES", usages) +- print(json.dumps(gen_request, cls=encoder.CustomTypeEncoder, sort_keys=True)) ++ print(json.dumps(gen_request, ++ cls=encoder.CustomTypeEncoder, ++ sort_keys=True)) + + print("printing key recovery request") + key_request = KeyRecoveryRequest("25", "MX12345BBBAAA", None, + "1234ABC", None, None) +- print(json.dumps(key_request, cls=encoder.CustomTypeEncoder, sort_keys=True)) ++ print(json.dumps( ++ key_request, ++ cls=encoder.CustomTypeEncoder, ++ sort_keys=True) ++ ) + + print("printing key archival request") + archival_request = KeyArchivalRequest(client_key_id, "symmetricKey", +diff --git a/base/common/python/pki/kra.py b/base/common/python/pki/kra.py +index b98f856..6b2de63 100644 +--- a/base/common/python/pki/kra.py ++++ b/base/common/python/pki/kra.py +@@ -26,6 +26,7 @@ KeyRequestResource REST APIs. + """ + + from __future__ import absolute_import ++from pki.info import InfoClient + import pki.key as key + + from pki.systemcert import SystemCertClient +@@ -41,18 +42,26 @@ class KRAClient(object): + """ Constructor + + :param connection - PKIConnection object with DRM connection info. +- :param crypto - CryptoProvider object. NSSCryptoProvider is provided by +- default. If a different crypto implementation is ++ :param crypto - CryptoProvider object. NSSCryptoProvider is provided ++ by default. If a different crypto implementation is + desired, a different subclass of CryptoProvider must be + provided. + :param transport_cert_nick - identifier for the DRM transport + certificate. This will be passed to the +- CryptoProvider.get_cert() command to get a representation +- of the transport certificate usable for crypto ops. 
+- Note that for NSS databases, the database must have been +- initialized beforehand. ++ CryptoProvider.get_cert() command to get a ++ representation of the transport certificate usable for ++ crypto ops. ++ ++ Note that for NSS databases, the database must have ++ been initialized beforehand. + """ + self.connection = connection + self.crypto = crypto +- self.keys = key.KeyClient(connection, crypto, transport_cert_nick) ++ self.info = InfoClient(connection) ++ self.keys = key.KeyClient( ++ connection, ++ crypto, ++ transport_cert_nick, ++ self.info ++ ) + self.system_certs = SystemCertClient(connection) +-- +1.8.3.1 + + +From 60f0adb9205d5c7d4d9294ca620530ff3df2000e Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Fri, 17 Mar 2017 04:48:07 +0100 +Subject: [PATCH 31/59] Added SSLSocketListener for PKIConnection. + +To help troubleshooting the PKIConnection has been modified to +register an SSL socket listener which will display SSL alerts +that it has received or sent. + +https://pagure.io/dogtagpki/issue/2625 + +Change-Id: I8f2e4f55a3d6bc8a7360f666c9b18e4c0d6c6d83 +--- + .../com/netscape/certsrv/client/PKIConnection.java | 40 ++++++++++++++++++++++ + 1 file changed, 40 insertions(+) + +diff --git a/base/common/src/com/netscape/certsrv/client/PKIConnection.java b/base/common/src/com/netscape/certsrv/client/PKIConnection.java +index c2ffd09..d5e4c00 100644 +--- a/base/common/src/com/netscape/certsrv/client/PKIConnection.java ++++ b/base/common/src/com/netscape/certsrv/client/PKIConnection.java +@@ -78,8 +78,13 @@ import org.jboss.resteasy.client.jaxrs.ResteasyWebTarget; + import org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine; + import org.mozilla.jss.CryptoManager; + import org.mozilla.jss.CryptoManager.NotInitializedException; ++import org.mozilla.jss.ssl.SSLAlertDescription; ++import org.mozilla.jss.ssl.SSLAlertEvent; ++import org.mozilla.jss.ssl.SSLAlertLevel; + import org.mozilla.jss.ssl.SSLCertificateApprovalCallback; ++import 
org.mozilla.jss.ssl.SSLHandshakeCompletedEvent; + import org.mozilla.jss.ssl.SSLSocket; ++import org.mozilla.jss.ssl.SSLSocketListener; + + import com.netscape.certsrv.base.PKIException; + +@@ -352,6 +357,41 @@ public class PKIConnection { + socket.setClientCertNickname(certNickname); + } + ++ socket.addSocketListener(new SSLSocketListener() { ++ ++ @Override ++ public void alertReceived(SSLAlertEvent event) { ++ ++ int intLevel = event.getLevel(); ++ SSLAlertLevel level = SSLAlertLevel.valueOf(intLevel); ++ ++ int intDescription = event.getDescription(); ++ SSLAlertDescription description = SSLAlertDescription.valueOf(intDescription); ++ ++ if (level == SSLAlertLevel.FATAL || verbose) { ++ System.err.println(level + ": SSL alert received: " + description); ++ } ++ } ++ ++ @Override ++ public void alertSent(SSLAlertEvent event) { ++ ++ int intLevel = event.getLevel(); ++ SSLAlertLevel level = SSLAlertLevel.valueOf(intLevel); ++ ++ int intDescription = event.getDescription(); ++ SSLAlertDescription description = SSLAlertDescription.valueOf(intDescription); ++ ++ if (level == SSLAlertLevel.FATAL || verbose) { ++ System.err.println(level + ": SSL alert sent: " + description); ++ } ++ } ++ ++ @Override ++ public void handshakeCompleted(SSLHandshakeCompletedEvent event) { ++ } ++ ++ }); + return socket; + } + +-- +1.8.3.1 + + +From 0409bfa35601a0b59f75c05cf8a34aed6514fc24 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Sat, 8 Apr 2017 09:04:54 +0200 +Subject: [PATCH 32/59] Fixed pki user and group commands. + +The UserCLI and GroupCLI have been fixed to use the subsystem name +in the client configuration object if available. 
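Review bot: `alertReceived` and `alertSent` in the new `SSLSocketListener` are the same nine lines apart from one word, and both write directly to `System.err` from a library class; a private helper taking the direction string removes the duplication and gives a single place to route the output through whatever logging `PKIConnection` uses. If `SSLAlertLevel.valueOf` or `SSLAlertDescription.valueOf` return null for a code this JSS build does not know, the message would print `null` and the FATAL check would be skipped — hedged, as the JSS signatures are not visible here; printing the raw ints alongside preserves the information either way. The enclosing method continues outside the hunk.

```java
socket.addSocketListener(new SSLSocketListener() {

    @Override
    public void alertReceived(SSLAlertEvent event) {
        reportAlert("received", event);
    }

    @Override
    public void alertSent(SSLAlertEvent event) {
        reportAlert("sent", event);
    }

    // … unchanged: handshakeCompleted …

    private void reportAlert(String direction, SSLAlertEvent event) {
        int intLevel = event.getLevel();
        SSLAlertLevel level = SSLAlertLevel.valueOf(intLevel);
        int intDescription = event.getDescription();
        SSLAlertDescription description = SSLAlertDescription.valueOf(intDescription);

        // FATAL alerts are always reported; others only in verbose mode
        if (level == SSLAlertLevel.FATAL || verbose) {
            System.err.println(level + " (" + intLevel + "): SSL alert " + direction
                    + ": " + description + " (" + intDescription + ")");
        }
    }
});
```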
+ +https://pagure.io/dogtagpki/issue/2626 + +Change-Id: Ibf099cefe880a238468fad7fb2aabc9cc2d55c1f +--- + base/java-tools/src/com/netscape/cmstools/group/GroupCLI.java | 3 ++- + base/java-tools/src/com/netscape/cmstools/user/UserCLI.java | 3 ++- + 2 files changed, 4 insertions(+), 2 deletions(-) + +diff --git a/base/java-tools/src/com/netscape/cmstools/group/GroupCLI.java b/base/java-tools/src/com/netscape/cmstools/group/GroupCLI.java +index 5ccf70d..95eb3a2 100644 +--- a/base/java-tools/src/com/netscape/cmstools/group/GroupCLI.java ++++ b/base/java-tools/src/com/netscape/cmstools/group/GroupCLI.java +@@ -73,7 +73,8 @@ public class GroupCLI extends CLI { + SubsystemCLI subsystemCLI = (SubsystemCLI)parent; + subsystem = subsystemCLI.getName(); + } else { +- subsystem = "ca"; ++ subsystem = client.getSubsystem(); ++ if (subsystem == null) subsystem = "ca"; + } + + // create new group client +diff --git a/base/java-tools/src/com/netscape/cmstools/user/UserCLI.java b/base/java-tools/src/com/netscape/cmstools/user/UserCLI.java +index 1acbf0b..affda9c 100644 +--- a/base/java-tools/src/com/netscape/cmstools/user/UserCLI.java ++++ b/base/java-tools/src/com/netscape/cmstools/user/UserCLI.java +@@ -76,7 +76,8 @@ public class UserCLI extends CLI { + SubsystemCLI subsystemCLI = (SubsystemCLI)parent; + subsystem = subsystemCLI.getName(); + } else { +- subsystem = "ca"; ++ subsystem = client.getSubsystem(); ++ if (subsystem == null) subsystem = "ca"; + } + + // create new user client +-- +1.8.3.1 + + +From 0c8aedd8a79841751005c531cf6cfbc08a4fd4dd Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Sat, 8 Apr 2017 09:05:48 +0200 +Subject: [PATCH 33/59] Deprecated -t option for pki CLI. + +The MainCLI has been modified to generate a deprecation warning +for the -t option. 
+ +Change-Id: I28ac45954a900f6944528ef52913982d72896c92 +--- + base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java +index d7aa54c..1b9c569 100644 +--- a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java ++++ b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java +@@ -124,12 +124,12 @@ public class MainCLI extends CLI { + + public void printVersion() { + Package pkg = MainCLI.class.getPackage(); +- System.out.println("PKI Command-Line Interface "+pkg.getImplementationVersion()); ++ System.out.println("PKI Command-Line Interface " + pkg.getImplementationVersion()); + } + + public void printHelp() { + +- formatter.printHelp(name+" [OPTIONS..] [ARGS..]", options); ++ formatter.printHelp(name + " [OPTIONS..] [ARGS..]", options); + System.out.println(); + + int leftPadding = 1; +@@ -169,7 +169,7 @@ public class MainCLI extends CLI { + option.setArgName("port"); + options.addOption(option); + +- option = new Option("t", true, "Subsystem type"); ++ option = new Option("t", true, "Subsystem type (deprecated)"); + option.setArgName("type"); + options.addOption(option); + +@@ -340,8 +340,10 @@ public class MainCLI extends CLI { + if (uri == null) + uri = protocol + "://" + hostname + ":" + port; + +- if (subsystem != null) ++ if (subsystem != null) { ++ System.err.println("WARNING: The -t option has been deprecated. Use pki " + subsystem + " command instead."); + uri = uri + "/" + subsystem; ++ } + + config.setServerURI(uri); + +-- +1.8.3.1 + + +From 9e3551fdb2c8d1f1bd7ad57249752c8ad6aece32 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Fri, 7 Apr 2017 19:45:10 +0200 +Subject: [PATCH 34/59] Added FIPS-compliant password generator. + +A new function has been added to generate a random password that +meets FIPS requirements for a strong password. 
This function is +used to generate NSS database password during installation. + +https://pagure.io/dogtagpki/issue/2556 + +Change-Id: I64dd36125ec968f6253f90835e6065325d720032 +--- + base/common/python/pki/__init__.py | 63 ++++++++++++++++++++++ + .../python/pki/server/deployment/pkiparser.py | 12 +---- + 2 files changed, 65 insertions(+), 10 deletions(-) + +diff --git a/base/common/python/pki/__init__.py b/base/common/python/pki/__init__.py +index c015126..1fc5385 100644 +--- a/base/common/python/pki/__init__.py ++++ b/base/common/python/pki/__init__.py +@@ -26,7 +26,9 @@ from __future__ import print_function + + from functools import wraps + import os ++import random + import re ++import string + import sys + + import requests +@@ -124,6 +126,67 @@ def implementation_version(): + raise Exception('Missing implementation version.') + + ++def generate_password(): ++ """ ++ This function generates FIPS-compliant password. ++ ++ See sftk_newPinCheck() in the following file: ++ https://dxr.mozilla.org/nss/source/nss/lib/softoken/fipstokn.c ++ ++ The minimum password length is FIPS_MIN_PIN Unicode characters. ++ ++ The password must contain at least 3 character classes: ++ * digits (string.digits) ++ * ASCII lowercase letters (string.ascii_lowercase) ++ * ASCII uppercase letters (string.ascii_uppercase) ++ * ASCII non-alphanumeric characters (string.punctuation) ++ * non-ASCII characters ++ ++ If an ASCII uppercase letter is the first character of the password, ++ the uppercase letter is not counted toward its character class. ++ ++ If a digit is the last character of the password, the digit is not ++ counted toward its character class. 
++ ++ The FIPS_MIN_PIN is defined in the following file: ++ https://dxr.mozilla.org/nss/source/nss/lib/softoken/pkcs11i.h ++ ++ #define FIPS_MIN_PIN 7 ++ """ ++ ++ rnd = random.SystemRandom() ++ ++ valid_chars = string.digits +\ ++ string.ascii_lowercase +\ ++ string.ascii_uppercase +\ ++ string.punctuation ++ ++ chars = [] ++ ++ # add 1 random char from each char class to meet ++ # the minimum number of char class requirement ++ chars.append(rnd.choice(string.digits)) ++ chars.append(rnd.choice(string.ascii_lowercase)) ++ chars.append(rnd.choice(string.ascii_uppercase)) ++ chars.append(rnd.choice(string.punctuation)) ++ ++ # add 6 additional random chars ++ chars.extend(rnd.choice(valid_chars) for i in range(6)) ++ ++ # randomize the char order ++ rnd.shuffle(chars) ++ ++ # add 2 random chars at the beginning and the end ++ # to maintain the minimum number of char class ++ chars.insert(0, rnd.choice(valid_chars)) ++ chars.append(rnd.choice(valid_chars)) ++ ++ # final password is 12 chars ++ password = ''.join(chars) ++ ++ return password ++ ++ + # pylint: disable=R0903 + class Attribute(object): + """ +diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py +index e05e0be..df04ff8 100644 +--- a/base/server/python/pki/server/deployment/pkiparser.py ++++ b/base/server/python/pki/server/deployment/pkiparser.py +@@ -583,12 +583,6 @@ class PKIConfigParser: + + self.deployer.flatten_master_dict() + +- # Generate random 'pin's for use as security database passwords +- # and add these to the "sensitive" key value pairs read in from +- # the configuration file +- pin_low = 100000000000 +- pin_high = 999999999999 +- + instance = pki.server.PKIInstance(self.mdict['pki_instance_name']) + instance.load() + +@@ -604,11 +598,9 @@ class PKIConfigParser: + + # otherwise, generate a random password + else: +- self.mdict['pki_pin'] = \ +- random.randint(pin_low, pin_high) ++ self.mdict['pki_pin'] = 
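Review bot: `generate_password` draws the extra characters from the full `string.punctuation` set, so the value can contain `#`, `;`, `\`, quotes or backticks; since the companion pkiparser hunk uses it for the security database passwords (`pki_pin`, `pki_client_pin`), every place that writes or passes those values must quote them correctly, or the punctuation set should be narrowed to characters known safe for those files — hedged, the consumers are outside this hunk. The docstring explains the NSS character-class rules but not what the function actually produces; a closing sentence such as `Returns a 12-character password with at least one digit, lowercase, uppercase and punctuation character, padded with one extra character at each end so the first/last-character exclusions cannot remove a class.` would make the 4+6+2 construction understandable without reading fipstokn.c.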
pki.generate_password() + +- self.mdict['pki_client_pin'] = \ +- random.randint(pin_low, pin_high) ++ self.mdict['pki_client_pin'] = pki.generate_password() + + pkilogging.sensitive_parameters = \ + self.mdict['sensitive_parameters'].split() +-- +1.8.3.1 + + +From d8081073d10065987341a6583a6a7e7351b22438 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Tue, 11 Apr 2017 18:04:41 +0200 +Subject: [PATCH 35/59] Added pki-server -audit-file-find CLI. + +A new pki-server -audit-file-find CLI has been added +to list audit log files on the server. + +Change-Id: I88e827d45cfb83cf34052146e2ec678f4cd2345f +--- + base/server/python/pki/server/__init__.py | 14 ++++ + base/server/python/pki/server/cli/audit.py | 109 +++++++++++++++++++++++++++++ + base/server/python/pki/server/cli/ca.py | 2 + + base/server/python/pki/server/cli/kra.py | 2 + + base/server/python/pki/server/cli/ocsp.py | 2 + + base/server/python/pki/server/cli/tks.py | 2 + + base/server/python/pki/server/cli/tps.py | 2 + + 7 files changed, 133 insertions(+) + create mode 100644 base/server/python/pki/server/cli/audit.py + +diff --git a/base/server/python/pki/server/__init__.py b/base/server/python/pki/server/__init__.py +index 5032274..112dcbf 100644 +--- a/base/server/python/pki/server/__init__.py ++++ b/base/server/python/pki/server/__init__.py +@@ -389,6 +389,20 @@ class PKISubsystem(object): + + pki.util.customize_file(input_file, output_file, params) + ++ def get_audit_log_files(self): ++ ++ current_file_path = self.config['log.instance.SignedAudit.fileName'] ++ (log_dir, current_file) = os.path.split(current_file_path) ++ ++ # sort log files based on timestamp ++ files = [f for f in os.listdir(log_dir) if f != current_file] ++ files.sort() ++ ++ # put the current log file at the end ++ files.append(current_file) ++ ++ return files ++ + def __repr__(self): + return str(self.instance) + '/' + self.name + +diff --git a/base/server/python/pki/server/cli/audit.py 
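Review bot: `self.mdict['pki_pin']` and `pki_client_pin` change type here from int (`random.randint`) to str (`pki.generate_password()`); any consumer that formats them with `%d` or compares numerically will break, so the call sites should be checked — they are outside this hunk. With the `randint` calls gone, the `random` import at the top of pkiparser.py may be unused; if nothing else in the module references it, drop the import, otherwise a linter will flag it.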
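Review bot: `get_audit_log_files` returns every entry of `os.listdir(log_dir)` except the current file, so unrelated files or subdirectories that happen to live in the audit directory would be listed and, in the follow-up patch, fed to AuditVerify; filter to regular files sharing the current log's base name, e.g. `files = [f for f in os.listdir(log_dir) if f != current_file and f.startswith(current_file) and os.path.isfile(os.path.join(log_dir, f))]` — presumably rotated files carry the base name plus a timestamp suffix, confirm against the logger's rotation scheme. The comment `# sort log files based on timestamp` overstates a plain lexical `files.sort()`, which only orders by time if the names embed a zero-padded timestamp; say so: `# lexical sort; rotated names are expected to embed a sortable timestamp`. A docstring stating that the returned list is oldest-first with the active log last would complete it.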
b/base/server/python/pki/server/cli/audit.py +new file mode 100644 +index 0000000..3bb9d5f +--- /dev/null ++++ b/base/server/python/pki/server/cli/audit.py +@@ -0,0 +1,109 @@ ++# Authors: ++# Endi S. Dewata ++# ++# This program is free software; you can redistribute it and/or modify ++# it under the terms of the GNU General Public License as published by ++# the Free Software Foundation; version 2 of the License. ++# ++# This program is distributed in the hope that it will be useful, ++# but WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++# GNU General Public License for more details. ++# ++# You should have received a copy of the GNU General Public License along ++# with this program; if not, write to the Free Software Foundation, Inc., ++# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. ++# ++# Copyright (C) 2017 Red Hat, Inc. ++# All rights reserved. ++# ++ ++from __future__ import absolute_import ++from __future__ import print_function ++import getopt ++import sys ++ ++import pki.cli ++ ++ ++class AuditCLI(pki.cli.CLI): ++ ++ def __init__(self, parent): ++ super(AuditCLI, self).__init__( ++ 'audit', 'Audit management commands') ++ ++ self.parent = parent ++ self.add_module(AuditFileFindCLI(self)) ++ ++ ++class AuditFileFindCLI(pki.cli.CLI): ++ ++ def __init__(self, parent): ++ super(AuditFileFindCLI, self).__init__( ++ 'file-find', 'Find audit log files') ++ ++ self.parent = parent ++ ++ def print_help(self): ++ print('Usage: pki-server %s-audit-file-find [OPTIONS]' % self.parent.parent.name) ++ print() ++ print(' -i, --instance Instance ID (default: pki-tomcat).') ++ print(' --help Show help message.') ++ print() ++ ++ def execute(self, args): ++ ++ try: ++ opts, _ = getopt.gnu_getopt(args, 'i:v', [ ++ 'instance=', ++ 'verbose', 'help']) ++ ++ except getopt.GetoptError as e: ++ print('ERROR: ' + str(e)) ++ self.print_help() ++ sys.exit(1) ++ ++ instance_name = 
'pki-tomcat' ++ ++ for o, a in opts: ++ if o in ('-i', '--instance'): ++ instance_name = a ++ ++ elif o in ('-v', '--verbose'): ++ self.set_verbose(True) ++ ++ elif o == '--help': ++ self.print_help() ++ sys.exit() ++ ++ else: ++ print('ERROR: unknown option ' + o) ++ self.print_help() ++ sys.exit(1) ++ ++ instance = pki.server.PKIInstance(instance_name) ++ if not instance.is_valid(): ++ print('ERROR: Invalid instance %s.' % instance_name) ++ sys.exit(1) ++ ++ instance.load() ++ ++ subsystem_name = self.parent.parent.name ++ subsystem = instance.get_subsystem(subsystem_name) ++ if not subsystem: ++ print('ERROR: No %s subsystem in instance %s.' ++ % (subsystem_name.upper(), instance_name)) ++ sys.exit(1) ++ ++ log_files = subsystem.get_audit_log_files() ++ ++ self.print_message('%s entries matched' % len(log_files)) ++ ++ first = True ++ for filename in log_files: ++ if first: ++ first = False ++ else: ++ print() ++ ++ print(' File name: %s' % filename) +diff --git a/base/server/python/pki/server/cli/ca.py b/base/server/python/pki/server/cli/ca.py +index 1d1c00f..550e511 100644 +--- a/base/server/python/pki/server/cli/ca.py ++++ b/base/server/python/pki/server/cli/ca.py +@@ -28,6 +28,7 @@ import sys + import tempfile + + import pki.cli ++import pki.server.cli.audit + + + class CACLI(pki.cli.CLI): +@@ -38,6 +39,7 @@ class CACLI(pki.cli.CLI): + + self.add_module(CACertCLI()) + self.add_module(CACloneCLI()) ++ self.add_module(pki.server.cli.audit.AuditCLI(self)) + + + class CACertCLI(pki.cli.CLI): +diff --git a/base/server/python/pki/server/cli/kra.py b/base/server/python/pki/server/cli/kra.py +index 5558d6a..3724014 100644 +--- a/base/server/python/pki/server/cli/kra.py ++++ b/base/server/python/pki/server/cli/kra.py +@@ -32,6 +32,7 @@ import tempfile + import time + + import pki.cli ++import pki.server.cli.audit + + + KRA_VLVS = ['allKeys', 'kraAll', +@@ -51,6 +52,7 @@ class KRACLI(pki.cli.CLI): + + self.add_module(KRACloneCLI()) + self.add_module(KRADBCLI()) ++ 
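Review bot: `AuditFileFindCLI.execute` references `pki.server.PKIInstance`, but audit.py only imports `pki.cli`; it works only if `pki.server` has already been imported by a caller, so add `import pki.server` to the module imports. The option parser accepts `-v`/`--verbose` but `print_help` does not list it; add `print('  -v, --verbose  Run in verbose mode.')`. `print_help` and `execute` both rely on `self.parent.parent.name`, which silently assumes exactly two levels of nesting — a comment on `__init__` such as `# parent is the AuditCLI; its parent is the subsystem CLI whose name selects the subsystem` would document that contract.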
self.add_module(pki.server.cli.audit.AuditCLI(self)) + + + class KRACloneCLI(pki.cli.CLI): +diff --git a/base/server/python/pki/server/cli/ocsp.py b/base/server/python/pki/server/cli/ocsp.py +index 246f593..3e9b6aa 100644 +--- a/base/server/python/pki/server/cli/ocsp.py ++++ b/base/server/python/pki/server/cli/ocsp.py +@@ -28,6 +28,7 @@ import sys + import tempfile + + import pki.cli ++import pki.server.cli.audit + + + class OCSPCLI(pki.cli.CLI): +@@ -37,6 +38,7 @@ class OCSPCLI(pki.cli.CLI): + 'ocsp', 'OCSP management commands') + + self.add_module(OCSPCloneCLI()) ++ self.add_module(pki.server.cli.audit.AuditCLI(self)) + + + class OCSPCloneCLI(pki.cli.CLI): +diff --git a/base/server/python/pki/server/cli/tks.py b/base/server/python/pki/server/cli/tks.py +index 2c4157a..0e6a998 100644 +--- a/base/server/python/pki/server/cli/tks.py ++++ b/base/server/python/pki/server/cli/tks.py +@@ -28,6 +28,7 @@ import sys + import tempfile + + import pki.cli ++import pki.server.cli.audit + + + class TKSCLI(pki.cli.CLI): +@@ -37,6 +38,7 @@ class TKSCLI(pki.cli.CLI): + 'tks', 'TKS management commands') + + self.add_module(TKSCloneCLI()) ++ self.add_module(pki.server.cli.audit.AuditCLI(self)) + + + class TKSCloneCLI(pki.cli.CLI): +diff --git a/base/server/python/pki/server/cli/tps.py b/base/server/python/pki/server/cli/tps.py +index 1f71b8e..03df8de 100644 +--- a/base/server/python/pki/server/cli/tps.py ++++ b/base/server/python/pki/server/cli/tps.py +@@ -32,6 +32,7 @@ import tempfile + import time + + import pki.cli ++import pki.server.cli.audit + + + TPS_VLV_PATH = '/usr/share/pki/tps/conf/vlv.ldif' +@@ -46,6 +47,7 @@ class TPSCLI(pki.cli.CLI): + + self.add_module(TPSCloneCLI()) + self.add_module(TPSDBCLI()) ++ self.add_module(pki.server.cli.audit.AuditCLI(self)) + + + class TPSCloneCLI(pki.cli.CLI): +-- +1.8.3.1 + + +From a29888e42c14c9c7e642769b747bb288d39a0809 Mon Sep 17 00:00:00 2001 +From: "Endi S. 
Dewata" +Date: Tue, 11 Apr 2017 18:04:41 +0200 +Subject: [PATCH 36/59] Added pki-server -audit-file-verify CLI. + +A new pki-server -audit-file-verify CLI has been added +to verify audit log files on the server. + +Change-Id: I88e827d45cfb83cf34052146e2ec678f4cd2345f +--- + base/server/python/pki/server/__init__.py | 5 ++ + base/server/python/pki/server/cli/audit.py | 91 ++++++++++++++++++++++++++++++ + 2 files changed, 96 insertions(+) + +diff --git a/base/server/python/pki/server/__init__.py b/base/server/python/pki/server/__init__.py +index 112dcbf..8898654 100644 +--- a/base/server/python/pki/server/__init__.py ++++ b/base/server/python/pki/server/__init__.py +@@ -389,6 +389,11 @@ class PKISubsystem(object): + + pki.util.customize_file(input_file, output_file, params) + ++ def get_audit_log_dir(self): ++ ++ current_file_path = self.config['log.instance.SignedAudit.fileName'] ++ return os.path.dirname(current_file_path) ++ + def get_audit_log_files(self): + + current_file_path = self.config['log.instance.SignedAudit.fileName'] +diff --git a/base/server/python/pki/server/cli/audit.py b/base/server/python/pki/server/cli/audit.py +index 3bb9d5f..0833ca8 100644 +--- a/base/server/python/pki/server/cli/audit.py ++++ b/base/server/python/pki/server/cli/audit.py +@@ -21,7 +21,11 @@ + from __future__ import absolute_import + from __future__ import print_function + import getopt ++import os ++import shutil ++import subprocess + import sys ++import tempfile + + import pki.cli + +@@ -34,6 +38,7 @@ class AuditCLI(pki.cli.CLI): + + self.parent = parent + self.add_module(AuditFileFindCLI(self)) ++ self.add_module(AuditFileVerifyCLI(self)) + + + class AuditFileFindCLI(pki.cli.CLI): +@@ -107,3 +112,89 @@ class AuditFileFindCLI(pki.cli.CLI): + print() + + print(' File name: %s' % filename) ++ ++ ++class AuditFileVerifyCLI(pki.cli.CLI): ++ ++ def __init__(self, parent): ++ super(AuditFileVerifyCLI, self).__init__( ++ 'file-verify', 'Verify audit log files') ++ ++ self.parent = 
parent ++ ++ def print_help(self): ++ print('Usage: pki-server %s-audit-file-verify [OPTIONS]' % self.parent.parent.name) ++ print() ++ print(' -i, --instance Instance ID (default: pki-tomcat).') ++ print(' --help Show help message.') ++ print() ++ ++ def execute(self, args): ++ ++ try: ++ opts, _ = getopt.gnu_getopt(args, 'i:v', [ ++ 'instance=', ++ 'verbose', 'help']) ++ ++ except getopt.GetoptError as e: ++ print('ERROR: ' + str(e)) ++ self.print_help() ++ sys.exit(1) ++ ++ instance_name = 'pki-tomcat' ++ ++ for o, a in opts: ++ if o in ('-i', '--instance'): ++ instance_name = a ++ ++ elif o in ('-v', '--verbose'): ++ self.set_verbose(True) ++ ++ elif o == '--help': ++ self.print_help() ++ sys.exit() ++ ++ else: ++ print('ERROR: unknown option ' + o) ++ self.print_help() ++ sys.exit(1) ++ ++ instance = pki.server.PKIInstance(instance_name) ++ if not instance.is_valid(): ++ print('ERROR: Invalid instance %s.' % instance_name) ++ sys.exit(1) ++ ++ instance.load() ++ ++ subsystem_name = self.parent.parent.name ++ subsystem = instance.get_subsystem(subsystem_name) ++ if not subsystem: ++ print('ERROR: No %s subsystem in instance %s.' 
++ % (subsystem_name.upper(), instance_name)) ++ sys.exit(1) ++ ++ log_dir = subsystem.get_audit_log_dir() ++ log_files = subsystem.get_audit_log_files() ++ signing_cert = subsystem.get_subsystem_cert('audit_signing') ++ ++ tmpdir = tempfile.mkdtemp() ++ ++ try: ++ file_list = os.path.join(tmpdir, 'audit.txt') ++ ++ with open(file_list, 'w') as f: ++ for filename in log_files: ++ f.write(os.path.join(log_dir, filename) + '\n') ++ ++ cmd = ['AuditVerify', ++ '-d', instance.nssdb_dir, ++ '-n', signing_cert['nickname'], ++ '-a', file_list] ++ ++ if self.verbose: ++ print('Command: %s' % ' '.join(cmd)) ++ ++ subprocess.call(cmd) ++ ++ finally: ++ shutil.rmtree(tmpdir) +-- +1.8.3.1 + + +From 77d2064858e4623fa25f4986647f318d8bf8a6f7 Mon Sep 17 00:00:00 2001 +From: Ade Lee +Date: Fri, 7 Apr 2017 12:23:47 -0400 +Subject: [PATCH 37/59] Add KRAInfo resource + +This resource (which will be accessed at /kra/rest/info) +will initially return the mechanism for archival or retrieval. + +This is needed by clients to know how to package secrets when +archiving. 
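Review bot: The `subprocess.call(cmd)` result in `AuditFileVerifyCLI.execute` is discarded, so a failed audit-log signature check still exits 0 and any script relying on the exit status would conclude the audit trail is intact; propagate it inside the try: `rc = subprocess.call(cmd)` followed by `if rc != 0: sys.exit(rc)`. `signing_cert['nickname']` is indexed without checking that `get_subsystem_cert('audit_signing')` returned something — hedged, since that method's contract is not visible, but a `None` here would surface as a TypeError rather than a clear message. As in file-find, `-v`/`--verbose` is parsed but missing from the help text, and the module still needs an explicit `import pki.server`.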
+ +Change-Id: I6990ebb9c9dafc4158e51ba61a30e773d1d953ec +--- + .../src/com/netscape/certsrv/kra/KRAClient.java | 3 + + base/common/src/org/dogtagpki/common/KRAInfo.java | 136 +++++++++++++++++++++ + .../src/org/dogtagpki/common/KRAInfoClient.java | 48 ++++++++ + .../src/org/dogtagpki/common/KRAInfoResource.java | 40 ++++++ + .../dogtagpki/server/kra/rest/KRAApplication.java | 4 + + .../org/dogtagpki/server/rest/KRAInfoService.java | 67 ++++++++++ + 6 files changed, 298 insertions(+) + create mode 100644 base/common/src/org/dogtagpki/common/KRAInfo.java + create mode 100644 base/common/src/org/dogtagpki/common/KRAInfoClient.java + create mode 100644 base/common/src/org/dogtagpki/common/KRAInfoResource.java + create mode 100644 base/server/cms/src/org/dogtagpki/server/rest/KRAInfoService.java + +diff --git a/base/common/src/com/netscape/certsrv/kra/KRAClient.java b/base/common/src/com/netscape/certsrv/kra/KRAClient.java +index 1eb102f..9440174 100644 +--- a/base/common/src/com/netscape/certsrv/kra/KRAClient.java ++++ b/base/common/src/com/netscape/certsrv/kra/KRAClient.java +@@ -1,5 +1,7 @@ + package com.netscape.certsrv.kra; + ++import org.dogtagpki.common.KRAInfoClient; ++ + import com.netscape.certsrv.client.PKIClient; + import com.netscape.certsrv.client.SubsystemClient; + import com.netscape.certsrv.group.GroupClient; +@@ -22,5 +24,6 @@ public class KRAClient extends SubsystemClient { + addClient(new SelfTestClient(client, name)); + addClient(new SystemCertClient(client, name)); + addClient(new UserClient(client, name)); ++ addClient(new KRAInfoClient(client, name)); + } + } +diff --git a/base/common/src/org/dogtagpki/common/KRAInfo.java b/base/common/src/org/dogtagpki/common/KRAInfo.java +new file mode 100644 +index 0000000..e17bd64 +--- /dev/null ++++ b/base/common/src/org/dogtagpki/common/KRAInfo.java +@@ -0,0 +1,136 @@ ++// --- BEGIN COPYRIGHT BLOCK --- ++// This program is free software; you can redistribute it and/or modify ++// it under the terms of the 
GNU General Public License as published by ++// the Free Software Foundation; version 2 of the License. ++// ++// This program is distributed in the hope that it will be useful, ++// but WITHOUT ANY WARRANTY; without even the implied warranty of ++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++// GNU General Public License for more details. ++// ++// You should have received a copy of the GNU General Public License along ++// with this program; if not, write to the Free Software Foundation, Inc., ++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. ++// ++// (C) 2017 Red Hat, Inc. ++// All rights reserved. ++// --- END COPYRIGHT BLOCK --- ++ ++package org.dogtagpki.common; ++ ++import java.io.StringReader; ++import java.io.StringWriter; ++ ++import javax.xml.bind.JAXBContext; ++import javax.xml.bind.Marshaller; ++import javax.xml.bind.Unmarshaller; ++import javax.xml.bind.annotation.XmlElement; ++import javax.xml.bind.annotation.XmlRootElement; ++ ++import org.slf4j.Logger; ++import org.slf4j.LoggerFactory; ++ ++import com.netscape.certsrv.base.ResourceMessage; ++ ++/** ++ * @author Ade Lee ++ */ ++@XmlRootElement(name="KRAInfo") ++public class KRAInfo extends ResourceMessage { ++ ++ private static Logger logger = LoggerFactory.getLogger(Info.class); ++ ++ public static Marshaller marshaller; ++ public static Unmarshaller unmarshaller; ++ ++ static { ++ try { ++ marshaller = JAXBContext.newInstance(KRAInfo.class).createMarshaller(); ++ marshaller.setProperty(Marshaller.JAXB_FORMATTED_OUTPUT, true); ++ unmarshaller = JAXBContext.newInstance(KRAInfo.class).createUnmarshaller(); ++ } catch (Exception e) { ++ logger.error(e.getMessage(), e); ++ } ++ } ++ ++ String archivalMechanism; ++ String recoveryMechanism; ++ ++ @XmlElement(name="ArchivalMechanism") ++ public String getArchivalMechanism() { ++ return archivalMechanism; ++ } ++ ++ public void setArchivalMechanism(String archivalMechanism) { ++ this.archivalMechanism = 
archivalMechanism; ++ } ++ ++ @XmlElement(name="RecoveryMechanism") ++ public String getRecoveryMechanism() { ++ return recoveryMechanism; ++ } ++ ++ public void setRecoveryMechanism(String recoveryMechanism) { ++ this.recoveryMechanism = recoveryMechanism; ++ } ++ ++ @Override ++ public int hashCode() { ++ final int prime = 31; ++ int result = super.hashCode(); ++ result = prime * result + ((archivalMechanism == null) ? 0 : archivalMechanism.hashCode()); ++ result = prime * result + ((recoveryMechanism == null) ? 0 : recoveryMechanism.hashCode()); ++ return result; ++ } ++ ++ @Override ++ public boolean equals(Object obj) { ++ if (this == obj) ++ return true; ++ if (!super.equals(obj)) ++ return false; ++ if (getClass() != obj.getClass()) ++ return false; ++ KRAInfo other = (KRAInfo) obj; ++ if (archivalMechanism == null) { ++ if (other.archivalMechanism != null) ++ return false; ++ } else if (!archivalMechanism.equals(other.archivalMechanism)) ++ return false; ++ if (recoveryMechanism == null) { ++ if (other.recoveryMechanism != null) ++ return false; ++ } else if (!recoveryMechanism.equals(other.recoveryMechanism)) ++ return false; ++ return true; ++ } ++ ++ public String toString() { ++ try { ++ StringWriter sw = new StringWriter(); ++ marshaller.marshal(this, sw); ++ return sw.toString(); ++ ++ } catch (Exception e) { ++ throw new RuntimeException(e); ++ } ++ } ++ ++ public static KRAInfo valueOf(String string) throws Exception { ++ return (KRAInfo)unmarshaller.unmarshal(new StringReader(string)); ++ } ++ ++ public static void main(String args[]) throws Exception { ++ ++ KRAInfo before = new KRAInfo(); ++ before.setArchivalMechanism("encrypt"); ++ before.setRecoveryMechanism("keywrap"); ++ ++ String string = before.toString(); ++ System.out.println(string); ++ ++ KRAInfo after = KRAInfo.valueOf(string); ++ System.out.println(before.equals(after)); ++ } ++} ++ +diff --git a/base/common/src/org/dogtagpki/common/KRAInfoClient.java 
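Review bot: The static `marshaller`/`unmarshaller` fields in KRAInfo are shared by every caller, but per the javax.xml.bind Javadoc Marshaller and Unmarshaller instances are not thread-safe, so concurrent `toString()`/`valueOf()` calls from a server thread pool can interleave and corrupt output or throw; the thread-safe object is the `JAXBContext`, so cache that once (`private static final JAXBContext context = JAXBContext.newInstance(KRAInfo.class);`) and call `context.createMarshaller()` / `context.createUnmarshaller()` inside `toString()` and `valueOf()`. If the static block fails, the exception is only logged and both fields stay null, so the first use surfaces as a NullPointerException far from the cause; failing fast from the initializer is clearer. The logger is also created for another class, `LoggerFactory.getLogger(Info.class)`; it should be `LoggerFactory.getLogger(KRAInfo.class)` so messages are attributed to this file. `valueOf()` hands caller-supplied XML to JAXB; if it is ever applied to data received from a remote peer, confirm the underlying parser has external entity resolution disabled.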
b/base/common/src/org/dogtagpki/common/KRAInfoClient.java +new file mode 100644 +index 0000000..c998401 +--- /dev/null ++++ b/base/common/src/org/dogtagpki/common/KRAInfoClient.java +@@ -0,0 +1,48 @@ ++//--- BEGIN COPYRIGHT BLOCK --- ++//This program is free software; you can redistribute it and/or modify ++//it under the terms of the GNU General Public License as published by ++//the Free Software Foundation; version 2 of the License. ++// ++//This program is distributed in the hope that it will be useful, ++//but WITHOUT ANY WARRANTY; without even the implied warranty of ++//MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++//GNU General Public License for more details. ++// ++//You should have received a copy of the GNU General Public License along ++//with this program; if not, write to the Free Software Foundation, Inc., ++//51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. ++// ++//(C) 2017 Red Hat, Inc. ++//All rights reserved. ++//--- END COPYRIGHT BLOCK --- ++ ++package org.dogtagpki.common; ++ ++import java.net.URISyntaxException; ++ ++import javax.ws.rs.core.Response; ++ ++import com.netscape.certsrv.client.Client; ++import com.netscape.certsrv.client.PKIClient; ++ ++/** ++ * @author Ade Lee ++ */ ++public class KRAInfoClient extends Client { ++ ++ public KRAInfoResource resource; ++ ++ public KRAInfoClient(PKIClient client, String subsystem) throws URISyntaxException { ++ super(client, subsystem, "info"); ++ init(); ++ } ++ ++ public void init() throws URISyntaxException { ++ resource = createProxy(KRAInfoResource.class); ++ } ++ ++ public KRAInfo getInfo() throws Exception { ++ Response response = resource.getInfo(); ++ return client.getEntity(response, KRAInfo.class); ++ } ++} +diff --git a/base/common/src/org/dogtagpki/common/KRAInfoResource.java b/base/common/src/org/dogtagpki/common/KRAInfoResource.java +new file mode 100644 +index 0000000..540e3a6 +--- /dev/null ++++ 
b/base/common/src/org/dogtagpki/common/KRAInfoResource.java +@@ -0,0 +1,40 @@ ++// --- BEGIN COPYRIGHT BLOCK --- ++// This program is free software; you can redistribute it and/or modify ++// it under the terms of the GNU General Public License as published by ++// the Free Software Foundation; version 2 of the License. ++// ++// This program is distributed in the hope that it will be useful, ++// but WITHOUT ANY WARRANTY; without even the implied warranty of ++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++// GNU General Public License for more details. ++// ++// You should have received a copy of the GNU General Public License along ++// with this program; if not, write to the Free Software Foundation, Inc., ++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. ++// ++// (C) 2017 Red Hat, Inc. ++// All rights reserved. ++// --- END COPYRIGHT BLOCK --- ++ ++package org.dogtagpki.common; ++ ++import javax.ws.rs.GET; ++import javax.ws.rs.Path; ++import javax.ws.rs.core.Response; ++ ++import org.jboss.resteasy.annotations.ClientResponseType; ++ ++/** ++ * @author Ade Lee ++ */ ++@Path("info") ++public interface KRAInfoResource { ++ ++ String ENCRYPT_MECHANISM = "encrypt"; ++ String KEYWRAP_MECHANISM = "keywrap"; ++ ++ @GET ++ @ClientResponseType(entityType=KRAInfo.class) ++ public Response getInfo() throws Exception; ++} ++ +diff --git a/base/kra/src/org/dogtagpki/server/kra/rest/KRAApplication.java b/base/kra/src/org/dogtagpki/server/kra/rest/KRAApplication.java +index 6244270..a1f58a8 100644 +--- a/base/kra/src/org/dogtagpki/server/kra/rest/KRAApplication.java ++++ b/base/kra/src/org/dogtagpki/server/kra/rest/KRAApplication.java +@@ -10,6 +10,7 @@ import org.dogtagpki.server.rest.AccountService; + import org.dogtagpki.server.rest.AuditService; + import org.dogtagpki.server.rest.AuthMethodInterceptor; + import org.dogtagpki.server.rest.GroupService; ++import org.dogtagpki.server.rest.KRAInfoService; + import 
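Review bot: The `ENCRYPT_MECHANISM`/`KEYWRAP_MECHANISM` constants and `getInfo()` in KRAInfoResource carry no Javadoc, and the interface has no `@AuthMethodMapping`/`@ACLMapping` annotation, so a reader cannot tell whether anonymous access to the `info` path is intended or an omission. I would add an interface Javadoc such as `/** Read-only view of the KRA's configured key archival and recovery mechanisms ("encrypt" or "keywrap"); carries no key material. */` and, if the project's interceptors do treat unannotated resources as public, say so explicitly in that Javadoc so the exposure is a documented decision. The two constants should note that they are the wire values returned in `KRAInfo`'s `ArchivalMechanism`/`RecoveryMechanism` elements and are compared by clients, so they must not change.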
org.dogtagpki.server.rest.MessageFormatInterceptor; + import org.dogtagpki.server.rest.PKIExceptionMapper; + import org.dogtagpki.server.rest.SecurityDomainService; +@@ -67,6 +68,9 @@ public class KRAApplication extends Application { + // exception mapper + classes.add(PKIExceptionMapper.class); + ++ // info service ++ classes.add(KRAInfoService.class); ++ + // interceptors + singletons.add(new SessionContextInterceptor()); + singletons.add(new AuthMethodInterceptor()); +diff --git a/base/server/cms/src/org/dogtagpki/server/rest/KRAInfoService.java b/base/server/cms/src/org/dogtagpki/server/rest/KRAInfoService.java +new file mode 100644 +index 0000000..c4b3252 +--- /dev/null ++++ b/base/server/cms/src/org/dogtagpki/server/rest/KRAInfoService.java +@@ -0,0 +1,67 @@ ++// --- BEGIN COPYRIGHT BLOCK --- ++// This program is free software; you can redistribute it and/or modify ++// it under the terms of the GNU General Public License as published by ++// the Free Software Foundation; version 2 of the License. ++// ++// This program is distributed in the hope that it will be useful, ++// but WITHOUT ANY WARRANTY; without even the implied warranty of ++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++// GNU General Public License for more details. ++// ++// You should have received a copy of the GNU General Public License along ++// with this program; if not, write to the Free Software Foundation, Inc., ++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. ++// ++// (C) 2017 Red Hat, Inc. ++// All rights reserved. 
++// --- END COPYRIGHT BLOCK --- ++ ++package org.dogtagpki.server.rest; ++ ++import javax.servlet.http.HttpSession; ++import javax.ws.rs.core.Response; ++ ++import org.dogtagpki.common.KRAInfo; ++import org.dogtagpki.common.KRAInfoResource; ++import org.slf4j.Logger; ++import org.slf4j.LoggerFactory; ++ ++import com.netscape.certsrv.apps.CMS; ++import com.netscape.certsrv.base.EBaseException; ++import com.netscape.certsrv.base.IConfigStore; ++import com.netscape.cms.servlet.base.PKIService; ++ ++/** ++ * @author Ade Lee ++ */ ++public class KRAInfoService extends PKIService implements KRAInfoResource { ++ ++ private static Logger logger = LoggerFactory.getLogger(InfoService.class); ++ ++ @Override ++ public Response getInfo() throws Exception { ++ ++ HttpSession session = servletRequest.getSession(); ++ logger.debug("KRAInfoService.getInfo(): session: " + session.getId()); ++ ++ KRAInfo info = new KRAInfo(); ++ info.setArchivalMechanism(getArchivalMechanism()); ++ info.setRecoveryMechanism(getRecoveryMechanism()); ++ ++ ++ return createOKResponse(info); ++ } ++ ++ String getArchivalMechanism() throws EBaseException { ++ IConfigStore cs = CMS.getConfigStore(); ++ boolean encrypt_archival = cs.getBoolean("kra.allowEncDecrypt.archival", false); ++ return encrypt_archival ? KRAInfoResource.ENCRYPT_MECHANISM : KRAInfoResource.KEYWRAP_MECHANISM; ++ } ++ ++ String getRecoveryMechanism() throws EBaseException { ++ IConfigStore cs = CMS.getConfigStore(); ++ boolean encrypt_recovery = cs.getBoolean("kra.allowEncDecrypt.recovery", false); ++ return encrypt_recovery ? KRAInfoResource.ENCRYPT_MECHANISM : KRAInfoResource.KEYWRAP_MECHANISM; ++ } ++} ++ +-- +1.8.3.1 + + +From 24d7e952e4f048fcb58dcd1b33009e92afde365d Mon Sep 17 00:00:00 2001 +From: Ade Lee +Date: Fri, 7 Apr 2017 16:52:31 -0400 +Subject: [PATCH 38/59] Add CAInfo resource + +This resource (which will be accessed at /ca/rest/info) +will initially return the mechanism for archival. 
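Review bot: `servletRequest.getSession()` in `KRAInfoService.getInfo()` creates a new container session for every request that has none, which for a read-only informational GET means each anonymous poll allocates server-side session state and a cookie for nothing; use `HttpSession session = servletRequest.getSession(false);` and guard the log line with `if (session != null)`, or drop the lookup entirely since nothing else in the method uses it. Logging `session.getId()` also writes a credential-equivalent identifier into the debug log; if the line is kept, log only whether a session exists. The logger is created as `LoggerFactory.getLogger(InfoService.class)`; `LoggerFactory.getLogger(KRAInfoService.class)` attributes the output to this class. A class Javadoc stating that the endpoint reports only the configured `kra.allowEncDecrypt.archival`/`kra.allowEncDecrypt.recovery` booleans mapped to mechanism names, and whether it is reachable without authentication (the absence of `@ACLMapping`/`@AuthMethodMapping` suggests it is, assuming the interceptors treat unannotated resources as public), would make that exposure explicit.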
+ +This is needed by clients to know how to package secrets when +archiving. We may add the transport cert later. + +Change-Id: Ib13d52344e38dc9b54c0d2a1645f1211dd84069b +--- + .../dogtagpki/server/ca/rest/CAApplication.java | 4 + + base/common/src/org/dogtagpki/common/CAInfo.java | 119 +++++++++++++++++++++ + .../src/org/dogtagpki/common/CAInfoClient.java | 49 +++++++++ + .../src/org/dogtagpki/common/CAInfoResource.java | 37 +++++++ + .../org/dogtagpki/server/rest/CAInfoService.java | 64 +++++++++++ + 5 files changed, 273 insertions(+) + create mode 100644 base/common/src/org/dogtagpki/common/CAInfo.java + create mode 100644 base/common/src/org/dogtagpki/common/CAInfoClient.java + create mode 100644 base/common/src/org/dogtagpki/common/CAInfoResource.java + create mode 100644 base/server/cms/src/org/dogtagpki/server/rest/CAInfoService.java + +diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/CAApplication.java b/base/ca/src/org/dogtagpki/server/ca/rest/CAApplication.java +index ae18e02..45881b9 100644 +--- a/base/ca/src/org/dogtagpki/server/ca/rest/CAApplication.java ++++ b/base/ca/src/org/dogtagpki/server/ca/rest/CAApplication.java +@@ -9,6 +9,7 @@ import org.dogtagpki.server.rest.ACLInterceptor; + import org.dogtagpki.server.rest.AccountService; + import org.dogtagpki.server.rest.AuditService; + import org.dogtagpki.server.rest.AuthMethodInterceptor; ++import org.dogtagpki.server.rest.CAInfoService; + import org.dogtagpki.server.rest.FeatureService; + import org.dogtagpki.server.rest.GroupService; + import org.dogtagpki.server.rest.MessageFormatInterceptor; +@@ -65,6 +66,9 @@ public class CAApplication extends Application { + // features + classes.add(FeatureService.class); + ++ // info service ++ classes.add(CAInfoService.class); ++ + // security domain + IConfigStore cs = CMS.getConfigStore(); + +diff --git a/base/common/src/org/dogtagpki/common/CAInfo.java b/base/common/src/org/dogtagpki/common/CAInfo.java +new file mode 100644 +index 0000000..89255ed 
+--- /dev/null ++++ b/base/common/src/org/dogtagpki/common/CAInfo.java +@@ -0,0 +1,119 @@ ++// --- BEGIN COPYRIGHT BLOCK --- ++// This program is free software; you can redistribute it and/or modify ++// it under the terms of the GNU General Public License as published by ++// the Free Software Foundation; version 2 of the License. ++// ++// This program is distributed in the hope that it will be useful, ++// but WITHOUT ANY WARRANTY; without even the implied warranty of ++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++// GNU General Public License for more details. ++// ++// You should have received a copy of the GNU General Public License along ++// with this program; if not, write to the Free Software Foundation, Inc., ++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. ++// ++// (C) 2017 Red Hat, Inc. ++// All rights reserved. ++// --- END COPYRIGHT BLOCK --- ++ ++package org.dogtagpki.common; ++ ++import java.io.StringReader; ++import java.io.StringWriter; ++ ++import javax.xml.bind.JAXBContext; ++import javax.xml.bind.Marshaller; ++import javax.xml.bind.Unmarshaller; ++import javax.xml.bind.annotation.XmlElement; ++import javax.xml.bind.annotation.XmlRootElement; ++ ++import org.slf4j.Logger; ++import org.slf4j.LoggerFactory; ++ ++import com.netscape.certsrv.base.ResourceMessage; ++ ++/** ++ * @author Ade Lee ++ */ ++@XmlRootElement(name="CAInfo") ++public class CAInfo extends ResourceMessage { ++ ++ private static Logger logger = LoggerFactory.getLogger(Info.class); ++ ++ public static Marshaller marshaller; ++ public static Unmarshaller unmarshaller; ++ ++ static { ++ try { ++ marshaller = JAXBContext.newInstance(CAInfo.class).createMarshaller(); ++ marshaller.setProperty(Marshaller.JAXB_FORMATTED_OUTPUT, true); ++ unmarshaller = JAXBContext.newInstance(CAInfo.class).createUnmarshaller(); ++ } catch (Exception e) { ++ logger.error(e.getMessage(), e); ++ } ++ } ++ ++ String archivalMechanism; ++ ++ 
@XmlElement(name="ArchivalMechanism") ++ public String getArchivalMechanism() { ++ return archivalMechanism; ++ } ++ ++ public void setArchivalMechanism(String archivalMechanism) { ++ this.archivalMechanism = archivalMechanism; ++ } ++ ++ @Override ++ public int hashCode() { ++ final int prime = 31; ++ int result = super.hashCode(); ++ result = prime * result + ((archivalMechanism == null) ? 0 : archivalMechanism.hashCode()); ++ return result; ++ } ++ ++ @Override ++ public boolean equals(Object obj) { ++ if (this == obj) ++ return true; ++ if (!super.equals(obj)) ++ return false; ++ if (getClass() != obj.getClass()) ++ return false; ++ CAInfo other = (CAInfo) obj; ++ if (archivalMechanism == null) { ++ if (other.archivalMechanism != null) ++ return false; ++ } else if (!archivalMechanism.equals(other.archivalMechanism)) ++ return false; ++ return true; ++ } ++ ++ public String toString() { ++ try { ++ StringWriter sw = new StringWriter(); ++ marshaller.marshal(this, sw); ++ return sw.toString(); ++ ++ } catch (Exception e) { ++ throw new RuntimeException(e); ++ } ++ } ++ ++ public static CAInfo valueOf(String string) throws Exception { ++ return (CAInfo)unmarshaller.unmarshal(new StringReader(string)); ++ } ++ ++ public static void main(String args[]) throws Exception { ++ ++ CAInfo before = new CAInfo(); ++ before.setArchivalMechanism("encrypt"); ++ ++ String string = before.toString(); ++ System.out.println(string); ++ ++ CAInfo after = CAInfo.valueOf(string); ++ System.out.println(before.equals(after)); ++ } ++} ++ +diff --git a/base/common/src/org/dogtagpki/common/CAInfoClient.java b/base/common/src/org/dogtagpki/common/CAInfoClient.java +new file mode 100644 +index 0000000..859c829 +--- /dev/null ++++ b/base/common/src/org/dogtagpki/common/CAInfoClient.java +@@ -0,0 +1,49 @@ ++//--- BEGIN COPYRIGHT BLOCK --- ++//This program is free software; you can redistribute it and/or modify ++//it under the terms of the GNU General Public License as published by ++//the 
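Review bot: CAInfo shares one static `marshaller` and `unmarshaller` across all callers, and per the javax.xml.bind Javadoc those objects are not thread-safe, so concurrent `toString()`/`valueOf()` calls can interfere; keep a single `JAXBContext` (which is thread-safe) in the static field and create the Marshaller/Unmarshaller per call, e.g. `context.createMarshaller()` inside `toString()`. When the static block fails the error is only logged and both fields remain null, so the failure shows up later as a NullPointerException rather than at the cause. `LoggerFactory.getLogger(Info.class)` names a different class; it should be `LoggerFactory.getLogger(CAInfo.class)`.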
Free Software Foundation; version 2 of the License. ++// ++//This program is distributed in the hope that it will be useful, ++//but WITHOUT ANY WARRANTY; without even the implied warranty of ++//MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++//GNU General Public License for more details. ++// ++//You should have received a copy of the GNU General Public License along ++//with this program; if not, write to the Free Software Foundation, Inc., ++//51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. ++// ++//(C) 2017 Red Hat, Inc. ++//All rights reserved. ++//--- END COPYRIGHT BLOCK --- ++ ++package org.dogtagpki.common; ++ ++import java.net.URISyntaxException; ++ ++import javax.ws.rs.core.Response; ++ ++import com.netscape.certsrv.client.Client; ++import com.netscape.certsrv.client.PKIClient; ++ ++/** ++ * @author Ade Lee ++ */ ++public class CAInfoClient extends Client { ++ ++ public CAInfoResource resource; ++ ++ public CAInfoClient(PKIClient client, String subsystem) throws URISyntaxException { ++ super(client, subsystem, "info"); ++ init(); ++ } ++ ++ public void init() throws URISyntaxException { ++ resource = createProxy(CAInfoResource.class); ++ } ++ ++ public CAInfo getInfo() throws Exception { ++ Response response = resource.getInfo(); ++ return client.getEntity(response, CAInfo.class); ++ } ++} ++ +diff --git a/base/common/src/org/dogtagpki/common/CAInfoResource.java b/base/common/src/org/dogtagpki/common/CAInfoResource.java +new file mode 100644 +index 0000000..6c18cd5 +--- /dev/null ++++ b/base/common/src/org/dogtagpki/common/CAInfoResource.java +@@ -0,0 +1,37 @@ ++// --- BEGIN COPYRIGHT BLOCK --- ++// This program is free software; you can redistribute it and/or modify ++// it under the terms of the GNU General Public License as published by ++// the Free Software Foundation; version 2 of the License. 
++// ++// This program is distributed in the hope that it will be useful, ++// but WITHOUT ANY WARRANTY; without even the implied warranty of ++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++// GNU General Public License for more details. ++// ++// You should have received a copy of the GNU General Public License along ++// with this program; if not, write to the Free Software Foundation, Inc., ++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. ++// ++// (C) 2017 Red Hat, Inc. ++// All rights reserved. ++// --- END COPYRIGHT BLOCK --- ++ ++package org.dogtagpki.common; ++ ++import javax.ws.rs.GET; ++import javax.ws.rs.Path; ++import javax.ws.rs.core.Response; ++ ++import org.jboss.resteasy.annotations.ClientResponseType; ++ ++/** ++ * @author Ade Lee ++ */ ++@Path("info") ++public interface CAInfoResource { ++ ++ @GET ++ @ClientResponseType(entityType=CAInfo.class) ++ public Response getInfo() throws Exception; ++} ++ +diff --git a/base/server/cms/src/org/dogtagpki/server/rest/CAInfoService.java b/base/server/cms/src/org/dogtagpki/server/rest/CAInfoService.java +new file mode 100644 +index 0000000..975ad61 +--- /dev/null ++++ b/base/server/cms/src/org/dogtagpki/server/rest/CAInfoService.java +@@ -0,0 +1,64 @@ ++// --- BEGIN COPYRIGHT BLOCK --- ++// This program is free software; you can redistribute it and/or modify ++// it under the terms of the GNU General Public License as published by ++// the Free Software Foundation; version 2 of the License. ++// ++// This program is distributed in the hope that it will be useful, ++// but WITHOUT ANY WARRANTY; without even the implied warranty of ++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++// GNU General Public License for more details. ++// ++// You should have received a copy of the GNU General Public License along ++// with this program; if not, write to the Free Software Foundation, Inc., ++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 
++// ++// (C) 2017 Red Hat, Inc. ++// All rights reserved. ++// --- END COPYRIGHT BLOCK --- ++ ++package org.dogtagpki.server.rest; ++ ++import javax.servlet.http.HttpSession; ++import javax.ws.rs.core.Response; ++ ++import org.dogtagpki.common.CAInfo; ++import org.dogtagpki.common.CAInfoResource; ++import org.slf4j.Logger; ++import org.slf4j.LoggerFactory; ++ ++import com.netscape.certsrv.apps.CMS; ++import com.netscape.certsrv.base.EBaseException; ++import com.netscape.certsrv.base.IConfigStore; ++import com.netscape.cms.servlet.base.PKIService; ++ ++/** ++ * @author Ade Lee ++ */ ++public class CAInfoService extends PKIService implements CAInfoResource { ++ ++ private static Logger logger = LoggerFactory.getLogger(InfoService.class); ++ ++ @Override ++ public Response getInfo() throws Exception { ++ ++ HttpSession session = servletRequest.getSession(); ++ logger.debug("CAInfoService.getInfo(): session: " + session.getId()); ++ ++ CAInfo info = new CAInfo(); ++ String archivalMechanism = getArchivalMechanism(); ++ ++ if (archivalMechanism != null) ++ info.setArchivalMechanism(getArchivalMechanism()); ++ ++ return createOKResponse(info); ++ } ++ ++ String getArchivalMechanism() throws EBaseException { ++ IConfigStore cs = CMS.getConfigStore(); ++ boolean kra_present = cs.getBoolean("ca.connector.KRA.enable", false); ++ if (!kra_present) return null; ++ ++ boolean encrypt_archival = cs.getBoolean("kra.allowEncDecrypt.archival", false); ++ return encrypt_archival ? KRAInfoService.ENCRYPT_MECHANISM : KRAInfoService.KEYWRAP_MECHANISM; ++ } ++} +-- +1.8.3.1 + + +From 2a73c978784d58b11375aa724cbd2c04607eafc1 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Wed, 12 Apr 2017 01:51:40 +0200 +Subject: [PATCH 40/59] Added audit event constants for SSL session. 
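Review bot: `CAInfoService.getInfo()` calls `getArchivalMechanism()` twice — once into the local `archivalMechanism` and again inside `info.setArchivalMechanism(getArchivalMechanism())` — so the config store is read twice and the null check guards a different value than the one actually stored; the setter should use the local, `info.setArchivalMechanism(archivalMechanism);`. `getArchivalMechanism()` reads `kra.allowEncDecrypt.archival` from the CA's own `CMS.getConfigStore()`; unless the installer copies that KRA setting into the CA's configuration, the `false` default makes the CA always advertise `keywrap` regardless of how the connected KRA is configured, so it is worth confirming where that key is expected to come from (the KRA's own info service added in the previous commit would be the authoritative source). The logger is created for `InfoService.class`; `LoggerFactory.getLogger(CAInfoService.class)` attributes the output correctly. As in the KRA variant, `servletRequest.getSession()` allocates a session for every anonymous request and the session ID is written to the debug log; `getSession(false)` with a null guard avoids both.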
+ +Change-Id: I73b3a69ffc289ad6bf89eebaa2d95237df25551f +--- + .../src/com/netscape/certsrv/logging/AuditEvent.java | 14 ++++++++++---- + base/server/cms/src/com/netscape/cms/logging/LogFile.java | 4 +--- + .../src/org/dogtagpki/server/PKIServerSocketListener.java | 9 +++++---- + 3 files changed, 16 insertions(+), 11 deletions(-) + +diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java +index 8ae5cd6..b409a12 100644 +--- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java ++++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java +@@ -35,10 +35,17 @@ import com.netscape.certsrv.base.MessageFormatter; + */ + public class AuditEvent implements IBundleLogEvent { + +- /** +- * +- */ ++ public final static String ACCESS_SESSION_ESTABLISH_FAILURE = ++ "LOGGING_SIGNED_AUDIT_ACCESS_SESSION_ESTABLISH_FAILURE"; ++ public final static String ACCESS_SESSION_ESTABLISH_SUCCESS = ++ "LOGGING_SIGNED_AUDIT_ACCESS_SESSION_ESTABLISH_SUCCESS"; ++ public final static String ACCESS_SESSION_TERMINATED = ++ "LOGGING_SIGNED_AUDIT_ACCESS_SESSION_TERMINATED"; ++ public final static String AUDIT_LOG_SIGNING = ++ "LOGGING_SIGNED_AUDIT_SIGNING_3"; ++ + private static final long serialVersionUID = -844306657733902324L; ++ private static final String INVALID_LOG_LEVEL = "log level: {0} is invalid, should be 0-6"; + + protected Object mParams[] = null; + +@@ -54,7 +61,6 @@ public class AuditEvent implements IBundleLogEvent { + * The bundle name for this event. 
+ */ + private String mBundleName = LogResources.class.getName(); +- private static final String INVALID_LOG_LEVEL = "log level: {0} is invalid, should be 0-6"; + + /** + * Constructs a message event +diff --git a/base/server/cms/src/com/netscape/cms/logging/LogFile.java b/base/server/cms/src/com/netscape/cms/logging/LogFile.java +index 9d19edd..fdf3f83 100644 +--- a/base/server/cms/src/com/netscape/cms/logging/LogFile.java ++++ b/base/server/cms/src/com/netscape/cms/logging/LogFile.java +@@ -104,8 +104,6 @@ public class LogFile implements ILogEventListener, IExtendedPluginInfo { + + private final static String LOGGING_SIGNED_AUDIT_AUDIT_LOG_STARTUP = + "LOGGING_SIGNED_AUDIT_AUDIT_LOG_STARTUP_2"; +- private final static String LOGGING_SIGNED_AUDIT_SIGNING = +- "LOGGING_SIGNED_AUDIT_SIGNING_3"; + private final static String LOGGING_SIGNED_AUDIT_AUDIT_LOG_SHUTDOWN = + "LOGGING_SIGNED_AUDIT_AUDIT_LOG_SHUTDOWN_2"; + private final static String LOG_SIGNED_AUDIT_EXCEPTION = +@@ -723,7 +721,7 @@ public class LogFile implements ILogEventListener, IExtendedPluginInfo { + // so as to avoid infinite recursiveness of calling + // the log() method + String auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_SIGNING, ++ AuditEvent.AUDIT_LOG_SIGNING, + ILogger.SYSTEM_UID, + ILogger.SUCCESS, + base64Encode(sigBytes)); +diff --git a/base/server/cms/src/org/dogtagpki/server/PKIServerSocketListener.java b/base/server/cms/src/org/dogtagpki/server/PKIServerSocketListener.java +index adba676..7016bc8 100644 +--- a/base/server/cms/src/org/dogtagpki/server/PKIServerSocketListener.java ++++ b/base/server/cms/src/org/dogtagpki/server/PKIServerSocketListener.java +@@ -33,6 +33,7 @@ import org.slf4j.Logger; + import org.slf4j.LoggerFactory; + + import com.netscape.certsrv.apps.CMS; ++import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.IAuditor; + + public class PKIServerSocketListener implements SSLSocketListener { +@@ -66,7 +67,7 @@ public class 
PKIServerSocketListener implements SSLSocketListener { + IAuditor auditor = CMS.getAuditor(); + + String auditMessage = CMS.getLogMessage( +- "LOGGING_SIGNED_AUDIT_ACCESS_SESSION_TERMINATED", ++ AuditEvent.ACCESS_SESSION_TERMINATED, + clientIP, + serverIP, + subjectID, +@@ -108,7 +109,7 @@ public class PKIServerSocketListener implements SSLSocketListener { + if (description == SSLAlertDescription.CLOSE_NOTIFY.getID()) { + + String auditMessage = CMS.getLogMessage( +- "LOGGING_SIGNED_AUDIT_ACCESS_SESSION_TERMINATED", ++ AuditEvent.ACCESS_SESSION_TERMINATED, + clientIP, + serverIP, + subjectID, +@@ -119,7 +120,7 @@ public class PKIServerSocketListener implements SSLSocketListener { + } else { + + String auditMessage = CMS.getLogMessage( +- "LOGGING_SIGNED_AUDIT_ACCESS_SESSION_ESTABLISH_FAILURE", ++ AuditEvent.ACCESS_SESSION_ESTABLISH_FAILURE, + clientIP, + serverIP, + subjectID, +@@ -157,7 +158,7 @@ public class PKIServerSocketListener implements SSLSocketListener { + IAuditor auditor = CMS.getAuditor(); + + String auditMessage = CMS.getLogMessage( +- "LOGGING_SIGNED_AUDIT_ACCESS_SESSION_ESTABLISH_SUCCESS", ++ AuditEvent.ACCESS_SESSION_ESTABLISH_SUCCESS, + clientIP, + serverIP, + subjectID); +-- +1.8.3.1 + + +From e22d0e99aa33bccc3e4041f5ed501fedf0dcae49 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Wed, 12 Apr 2017 02:28:31 +0200 +Subject: [PATCH 41/59] Added audit event constants for TPS. 
+ +Change-Id: Id7845ebf2a14cebe25189a8363cee759030a16cb +--- + .../dogtagpki/server/ca/rest/AuthorityService.java | 7 +-- + .../com/netscape/certsrv/logging/AuditEvent.java | 51 ++++++++++++++++++++++ + .../cms/servlet/base/SubsystemService.java | 3 +- + .../server/tps/processor/TPSEnrollProcessor.java | 15 +++++----- + .../server/tps/processor/TPSPinResetProcessor.java | 5 ++- + .../server/tps/processor/TPSProcessor.java | 23 ++++++------ + .../server/tps/rest/AuthenticatorService.java | 3 +- + .../server/tps/rest/ConnectorService.java | 3 +- + .../server/tps/rest/ProfileMappingService.java | 3 +- + .../dogtagpki/server/tps/rest/ProfileService.java | 3 +- + .../dogtagpki/server/tps/rest/TokenService.java | 5 ++- + 11 files changed, 86 insertions(+), 35 deletions(-) + +diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java b/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java +index 215d0fa..7ba9596 100644 +--- a/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java ++++ b/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java +@@ -55,6 +55,7 @@ import com.netscape.certsrv.ca.ICertificateAuthority; + import com.netscape.certsrv.ca.IssuerUnavailableException; + import com.netscape.certsrv.common.OpDef; + import com.netscape.certsrv.common.ScopeDef; ++import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.ILogger; + import com.netscape.cms.servlet.base.SubsystemService; + import com.netscape.cmsutil.util.Utils; +@@ -70,10 +71,6 @@ public class AuthorityService extends SubsystemService implements AuthorityResou + hostCA = (ICertificateAuthority) CMS.getSubsystem("ca"); + } + +- private final static String LOGGING_SIGNED_AUDIT_AUTHORITY_CONFIG = +- "LOGGING_SIGNED_AUDIT_AUTHORITY_CONFIG_3"; +- +- + @Override + public Response listCAs() { + List results = new ArrayList<>(); +@@ -373,7 +370,7 @@ public class AuthorityService extends SubsystemService implements AuthorityResou + String status, 
String op, String id, + Map params) { + String msg = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_AUTHORITY_CONFIG, ++ AuditEvent.AUTHORITY_CONFIG, + auditor.getSubjectID(), + status, + auditor.getParamString(ScopeDef.SC_AUTHORITY, op, id, params)); +diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java +index b409a12..abe16b6 100644 +--- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java ++++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java +@@ -35,6 +35,57 @@ import com.netscape.certsrv.base.MessageFormatter; + */ + public class AuditEvent implements IBundleLogEvent { + ++ public final static String TOKEN_CERT_ENROLLMENT = ++ "LOGGING_SIGNED_AUDIT_TOKEN_CERT_ENROLLMENT_9"; ++ public final static String TOKEN_CERT_RENEWAL = ++ "LOGGING_SIGNED_AUDIT_TOKEN_CERT_RENEWAL_9"; ++ public final static String TOKEN_CERT_RETRIEVAL = ++ "LOGGING_SIGNED_AUDIT_TOKEN_CERT_RETRIEVAL_9"; ++ public final static String TOKEN_KEY_RECOVERY = ++ "LOGGING_SIGNED_AUDIT_TOKEN_KEY_RECOVERY_10"; ++ public final static String TOKEN_CERT_STATUS_CHANGE_REQUEST = ++ "LOGGING_SIGNED_AUDIT_TOKEN_CERT_STATUS_CHANGE_REQUEST_10"; ++ public final static String TOKEN_PIN_RESET_SUCCESS = ++ "LOGGING_SIGNED_AUDIT_TOKEN_PIN_RESET_SUCCESS_6"; ++ public final static String TOKEN_PIN_RESET_FAILURE = ++ "LOGGING_SIGNED_AUDIT_TOKEN_PIN_RESET_FAILURE_6"; ++ public final static String TOKEN_OP_REQUEST = ++ "LOGGING_SIGNED_AUDIT_TOKEN_OP_REQUEST_6"; ++ public final static String TOKEN_FORMAT_SUCCESS = ++ "LOGGING_SIGNED_AUDIT_TOKEN_FORMAT_SUCCESS_9"; ++ public final static String TOKEN_FORMAT_FAILURE = ++ "LOGGING_SIGNED_AUDIT_TOKEN_FORMAT_FAILURE_9"; ++ public final static String TOKEN_APPLET_UPGRADE_SUCCESS = ++ "LOGGING_SIGNED_AUDIT_TOKEN_APPLET_UPGRADE_SUCCESS_9"; ++ public final static String TOKEN_APPLET_UPGRADE_FAILURE = ++ "LOGGING_SIGNED_AUDIT_TOKEN_APPLET_UPGRADE_FAILURE_9"; ++ public final 
static String TOKEN_KEY_CHANGEOVER_REQUIRED = ++ "LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_REQUIRED_10"; ++ public final static String TOKEN_KEY_CHANGEOVER_SUCCESS = ++ "LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_SUCCESS_10"; ++ public final static String TOKEN_KEY_CHANGEOVER_FAILURE = ++ "LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_FAILURE_10"; ++ public final static String TOKEN_AUTH_FAILURE = ++ "LOGGING_SIGNED_AUDIT_TOKEN_AUTH_FAILURE_9"; ++ public final static String TOKEN_AUTH_SUCCESS = ++ "LOGGING_SIGNED_AUDIT_TOKEN_AUTH_SUCCESS_9"; ++ public final static String CONFIG_TOKEN_GENERAL = ++ "LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_GENERAL_5"; ++ public final static String CONFIG_TOKEN_PROFILE = ++ "LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_PROFILE_6"; ++ public final static String CONFIG_TOKEN_MAPPING_RESOLVER = ++ "LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_MAPPING_RESOLVER_6"; ++ public final static String CONFIG_TOKEN_AUTHENTICATOR = ++ "LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_AUTHENTICATOR_6"; ++ public final static String CONFIG_TOKEN_CONNECTOR = ++ "LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_CONNECTOR_6"; ++ public final static String CONFIG_TOKEN_RECORD = ++ "LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_RECORD_6"; ++ public final static String TOKEN_STATE_CHANGE = ++ "LOGGING_SIGNED_AUDIT_TOKEN_STATE_CHANGE_8"; ++ public final static String AUTHORITY_CONFIG = ++ "LOGGING_SIGNED_AUDIT_AUTHORITY_CONFIG_3"; ++ + public final static String ACCESS_SESSION_ESTABLISH_FAILURE = + "LOGGING_SIGNED_AUDIT_ACCESS_SESSION_ESTABLISH_FAILURE"; + public final static String ACCESS_SESSION_ESTABLISH_SUCCESS = +diff --git a/base/server/cms/src/com/netscape/cms/servlet/base/SubsystemService.java b/base/server/cms/src/com/netscape/cms/servlet/base/SubsystemService.java +index 48c985c..30d6b9c 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/base/SubsystemService.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/base/SubsystemService.java +@@ -28,6 +28,7 @@ import javax.ws.rs.core.HttpHeaders; + + import 
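Review bot: The new AuditEvent constants are bare message-bundle keys whose numeric suffix (`_9`, `_10`, `_6`, `_3`) appears to encode how many arguments the bundle entry takes from CMS.getLogMessage() (AUTHORITY_CONFIG_3 is called with three values in AuthorityService), but nothing in the class says so, and moving the keys out of the call sites removes the last visual cue a caller had. A short comment above the block, e.g. `// Message-bundle keys for signed audit events. The numeric suffix is the bundle entry's argument count; callers of CMS.getLogMessage() must pass that many values.`, would keep the call sites honest. The same comment belongs on the KRA block that patch 42/59 adds to this class.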
com.netscape.certsrv.apps.CMS; + import com.netscape.certsrv.authorization.IAuthzSubsystem; ++import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.IAuditor; + import com.netscape.certsrv.logging.ILogger; + +@@ -94,7 +95,7 @@ public class SubsystemService extends PKIService { + public void auditConfigTokenGeneral(String status, String service, Map params, String info) { + + String msg = CMS.getLogMessage( +- "LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_GENERAL_5", ++ AuditEvent.CONFIG_TOKEN_GENERAL, + servletRequest.getUserPrincipal().getName(), + status, + service, +diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java +index 672f53d..118bf50 100644 +--- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java ++++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java +@@ -15,12 +15,6 @@ import java.util.Map; + import java.util.Random; + import java.util.zip.DataFormatException; + +-import netscape.security.provider.RSAPublicKey; +-//import org.mozilla.jss.pkcs11.PK11ECPublicKey; +-import netscape.security.util.BigInt; +-import netscape.security.x509.RevocationReason; +-import netscape.security.x509.X509CertImpl; +- + import org.dogtagpki.server.tps.TPSSession; + import org.dogtagpki.server.tps.TPSSubsystem; + import org.dogtagpki.server.tps.TPSTokenPolicy; +@@ -59,20 +60,21 @@ import org.mozilla.jss.pkcs11.PK11PubKey; + import org.mozilla.jss.pkcs11.PK11RSAPublicKey; + import org.mozilla.jss.pkix.primitive.SubjectPublicKeyInfo; + + import com.netscape.certsrv.apps.CMS; + import com.netscape.certsrv.base.EBaseException; + import com.netscape.certsrv.base.EPropertyNotFound; + import com.netscape.certsrv.base.IConfigStore; ++import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.tps.token.TokenStatus; + import com.netscape.cmsutil.util.Utils; + + import 
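Review bot: The hunk offsets for TPSEnrollProcessor do not add up: this hunk removes six lines (`@@ -15,12 +15,6 @@`), yet the next hunk in the same file is `@@ -59,20 +60,21 @@`, a shift of +1 where -6 would be expected. That suggests a hand-edited or re-based patch; `git am`/`patch` may still apply it with an offset, but it is worth regenerating the patch from the source tree before it ships in SOURCES. The removed lines appear to be duplicates of the `netscape.security.*` imports that the next hunk shows as context further down the file, so the intent itself looks fine.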
netscape.security.provider.RSAPublicKey; + //import org.mozilla.jss.pkcs11.PK11ECPublicKey; + import netscape.security.util.BigInt; + import netscape.security.x509.RevocationReason; + import netscape.security.x509.X509CertImpl; + import sun.security.pkcs11.wrapper.PKCS11Constants; + + public class TPSEnrollProcessor extends TPSProcessor { + + public TPSEnrollProcessor(TPSSession session) { +@@ -3688,13 +3688,13 @@ public class TPSEnrollProcessor extends TPSProcessor { + String auditType = ""; + switch (op) { + case "retrieval": +- auditType = "LOGGING_SIGNED_AUDIT_TOKEN_CERT_RETRIEVAL_9"; ++ auditType = AuditEvent.TOKEN_CERT_RETRIEVAL; + break; + case "renewal": +- auditType = "LOGGING_SIGNED_AUDIT_TOKEN_CERT_RENEWAL_9"; ++ auditType = AuditEvent.TOKEN_CERT_RENEWAL; + break; + default: +- auditType = "LOGGING_SIGNED_AUDIT_TOKEN_CERT_ENROLLMENT_9"; ++ auditType = AuditEvent.TOKEN_CERT_ENROLLMENT; + } + + String auditMessage = CMS.getLogMessage( +@@ -3724,7 +3724,7 @@ public class TPSEnrollProcessor extends TPSProcessor { + serialNum = serial.toString(); + + String auditMessage = CMS.getLogMessage( +- "LOGGING_SIGNED_AUDIT_TOKEN_KEY_RECOVERY_10", ++ AuditEvent.TOKEN_KEY_RECOVERY, + (session != null) ? 
session.getIpAddress() : null, + subjectID, + aInfo.getCUIDhexStringPlain(), +diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSPinResetProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSPinResetProcessor.java +index fe3f801..b309657 100644 +--- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSPinResetProcessor.java ++++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSPinResetProcessor.java +@@ -33,6 +33,7 @@ import org.dogtagpki.tps.msg.BeginOpMsg; + import org.dogtagpki.tps.msg.EndOpMsg.TPSStatus; + + import com.netscape.certsrv.apps.CMS; ++import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.tps.token.TokenStatus; + + public class TPSPinResetProcessor extends TPSProcessor { +@@ -197,10 +198,10 @@ public class TPSPinResetProcessor extends TPSProcessor { + String auditType = ""; + switch (status) { + case "success": +- auditType = "LOGGING_SIGNED_AUDIT_TOKEN_PIN_RESET_SUCCESS_6"; ++ auditType = AuditEvent.TOKEN_PIN_RESET_SUCCESS; + break; + default: +- auditType = "LOGGING_SIGNED_AUDIT_TOKEN_PIN_RESET_FAILURE_6"; ++ auditType = AuditEvent.TOKEN_PIN_RESET_FAILURE; + } + + String auditMessage = CMS.getLogMessage( +diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java +index 7d17f36..910a263 100644 +--- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java ++++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java +@@ -93,14 +93,15 @@ import com.netscape.certsrv.base.EBaseException; + import com.netscape.certsrv.base.EPropertyNotFound; + import com.netscape.certsrv.base.IConfigStore; + import com.netscape.certsrv.common.Constants; ++import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.ILogger; + import com.netscape.certsrv.tps.token.TokenStatus; + import com.netscape.cms.servlet.tks.SecureChannelProtocol; + import 
com.netscape.cmsutil.crypto.CryptoUtil; + import com.netscape.symkey.SessionKey; + + import netscape.security.x509.RevocationReason; + + public class TPSProcessor { + + public static final int RESULT_NO_ERROR = 0; +@@ -4054,9 +4055,9 @@ public class TPSProcessor { + String status, + String authMgrId) { + +- String auditType = "LOGGING_SIGNED_AUDIT_TOKEN_AUTH_FAILURE_9"; ++ String auditType = AuditEvent.TOKEN_AUTH_FAILURE; + if (status.equals("success")) +- auditType = "LOGGING_SIGNED_AUDIT_TOKEN_AUTH_SUCCESS_9"; ++ auditType = AuditEvent.TOKEN_AUTH_SUCCESS; + + String auditMessage = CMS.getLogMessage( + auditType, +@@ -4078,7 +4079,7 @@ public class TPSProcessor { + protected void auditOpRequest(String op, AppletInfo aInfo, + String status, + String info) { +- String auditType = "LOGGING_SIGNED_AUDIT_TOKEN_OP_REQUEST_6"; ++ String auditType = AuditEvent.TOKEN_OP_REQUEST; + + String auditMessage = CMS.getLogMessage( + auditType, +@@ -4100,10 +4101,10 @@ public class TPSProcessor { + String auditType = ""; + switch (status) { + case "success": +- auditType = "LOGGING_SIGNED_AUDIT_TOKEN_FORMAT_SUCCESS_9"; ++ auditType = AuditEvent.TOKEN_FORMAT_SUCCESS; + break; + default: +- auditType = "LOGGING_SIGNED_AUDIT_TOKEN_FORMAT_FAILURE_9"; ++ auditType = AuditEvent.TOKEN_FORMAT_FAILURE; + } + + String auditMessage = CMS.getLogMessage( +@@ -4129,10 +4130,10 @@ public class TPSProcessor { + String auditType = ""; + switch (status) { + case "success": +- auditType = "LOGGING_SIGNED_AUDIT_TOKEN_APPLET_UPGRADE_SUCCESS_9"; ++ auditType = AuditEvent.TOKEN_APPLET_UPGRADE_SUCCESS; + break; + default: +- auditType = "LOGGING_SIGNED_AUDIT_TOKEN_APPLET_UPGRADE_FAILURE_9"; ++ auditType = AuditEvent.TOKEN_APPLET_UPGRADE_FAILURE; + } + + String auditMessage = CMS.getLogMessage( +@@ -4154,7 +4155,7 @@ public class TPSProcessor { + String newKeyVersion, + String info) { + +- String auditType = "LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_REQUIRED_10"; ++ String auditType = 
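Review bot: `status.equals("success")` in the `@@ -4054` hunk dereferences the status argument, so a null status would throw a NullPointerException from inside the audit helper; the `switch (status)` statements in the `@@ -4100` and `@@ -4129` hunks of this file and in TPSPinResetProcessor have the same property, since switching on a null String also throws. Whether callers can pass null is not visible here, but `"success".equals(status)` costs nothing and keeps the audit path from being the thing that fails. The enclosing methods start outside these hunks.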
AuditEvent.TOKEN_KEY_CHANGEOVER_REQUIRED; + + String auditMessage = CMS.getLogMessage( + auditType, +@@ -4180,10 +4181,10 @@ public class TPSProcessor { + String auditType = ""; + switch (status) { + case "success": +- auditType = "LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_SUCCESS_10"; ++ auditType = AuditEvent.TOKEN_KEY_CHANGEOVER_SUCCESS; + break; + default: +- auditType = "LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_FAILURE_10"; ++ auditType = AuditEvent.TOKEN_KEY_CHANGEOVER_FAILURE; + } + + String auditMessage = CMS.getLogMessage( +@@ -4212,7 +4213,7 @@ public class TPSProcessor { + String caConnId, + String info) { + +- String auditType = "LOGGING_SIGNED_AUDIT_TOKEN_CERT_STATUS_CHANGE_REQUEST_10"; ++ String auditType = AuditEvent.TOKEN_CERT_STATUS_CHANGE_REQUEST; + /* + * requestType is "revoke", "on-hold", or "off-hold" + */ +diff --git a/base/tps/src/org/dogtagpki/server/tps/rest/AuthenticatorService.java b/base/tps/src/org/dogtagpki/server/tps/rest/AuthenticatorService.java +index 50453ee..6efe4cb 100644 +--- a/base/tps/src/org/dogtagpki/server/tps/rest/AuthenticatorService.java ++++ b/base/tps/src/org/dogtagpki/server/tps/rest/AuthenticatorService.java +@@ -39,6 +39,7 @@ import com.netscape.certsrv.base.BadRequestException; + import com.netscape.certsrv.base.ForbiddenException; + import com.netscape.certsrv.base.PKIException; + import com.netscape.certsrv.common.Constants; ++import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.ILogger; + import com.netscape.certsrv.tps.authenticator.AuthenticatorCollection; + import com.netscape.certsrv.tps.authenticator.AuthenticatorData; +@@ -474,7 +475,7 @@ public class AuthenticatorService extends SubsystemService implements Authentica + Map params, String info) { + + String msg = CMS.getLogMessage( +- "LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_AUTHENTICATOR_6", ++ AuditEvent.CONFIG_TOKEN_AUTHENTICATOR, + servletRequest.getUserPrincipal().getName(), + status, + service, +diff --git 
a/base/tps/src/org/dogtagpki/server/tps/rest/ConnectorService.java b/base/tps/src/org/dogtagpki/server/tps/rest/ConnectorService.java +index 01bc132..3e1e5df 100644 +--- a/base/tps/src/org/dogtagpki/server/tps/rest/ConnectorService.java ++++ b/base/tps/src/org/dogtagpki/server/tps/rest/ConnectorService.java +@@ -39,6 +39,7 @@ import com.netscape.certsrv.base.BadRequestException; + import com.netscape.certsrv.base.ForbiddenException; + import com.netscape.certsrv.base.PKIException; + import com.netscape.certsrv.common.Constants; ++import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.ILogger; + import com.netscape.certsrv.tps.connector.ConnectorCollection; + import com.netscape.certsrv.tps.connector.ConnectorData; +@@ -471,7 +472,7 @@ public class ConnectorService extends SubsystemService implements ConnectorResou + String info) { + + String msg = CMS.getLogMessage( +- "LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_CONNECTOR_6", ++ AuditEvent.CONFIG_TOKEN_CONNECTOR, + servletRequest.getUserPrincipal().getName(), + status, + service, +diff --git a/base/tps/src/org/dogtagpki/server/tps/rest/ProfileMappingService.java b/base/tps/src/org/dogtagpki/server/tps/rest/ProfileMappingService.java +index 2c070c0..9bbb616 100644 +--- a/base/tps/src/org/dogtagpki/server/tps/rest/ProfileMappingService.java ++++ b/base/tps/src/org/dogtagpki/server/tps/rest/ProfileMappingService.java +@@ -39,6 +39,7 @@ import com.netscape.certsrv.base.BadRequestException; + import com.netscape.certsrv.base.ForbiddenException; + import com.netscape.certsrv.base.PKIException; + import com.netscape.certsrv.common.Constants; ++import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.ILogger; + import com.netscape.certsrv.tps.profile.ProfileMappingCollection; + import com.netscape.certsrv.tps.profile.ProfileMappingData; +@@ -448,7 +449,7 @@ public class ProfileMappingService extends SubsystemService implements ProfileMa + public void 
auditMappingResolverChange(String status, String service, String resolverID, Map params, + String info) { + String msg = CMS.getLogMessage( +- "LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_MAPPING_RESOLVER_6", ++ AuditEvent.CONFIG_TOKEN_MAPPING_RESOLVER, + servletRequest.getUserPrincipal().getName(), + status, + service, +diff --git a/base/tps/src/org/dogtagpki/server/tps/rest/ProfileService.java b/base/tps/src/org/dogtagpki/server/tps/rest/ProfileService.java +index 8058caf..43e14be 100644 +--- a/base/tps/src/org/dogtagpki/server/tps/rest/ProfileService.java ++++ b/base/tps/src/org/dogtagpki/server/tps/rest/ProfileService.java +@@ -39,6 +39,7 @@ import com.netscape.certsrv.base.BadRequestException; + import com.netscape.certsrv.base.ForbiddenException; + import com.netscape.certsrv.base.PKIException; + import com.netscape.certsrv.common.Constants; ++import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.ILogger; + import com.netscape.certsrv.tps.profile.ProfileCollection; + import com.netscape.certsrv.tps.profile.ProfileData; +@@ -470,7 +471,7 @@ public class ProfileService extends SubsystemService implements ProfileResource + String info) { + + String msg = CMS.getLogMessage( +- "LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_PROFILE_6", ++ AuditEvent.CONFIG_TOKEN_PROFILE, + servletRequest.getUserPrincipal().getName(), + status, + service, +diff --git a/base/tps/src/org/dogtagpki/server/tps/rest/TokenService.java b/base/tps/src/org/dogtagpki/server/tps/rest/TokenService.java +index f3d0d80..73d0a64 100644 +--- a/base/tps/src/org/dogtagpki/server/tps/rest/TokenService.java ++++ b/base/tps/src/org/dogtagpki/server/tps/rest/TokenService.java +@@ -44,6 +44,7 @@ import com.netscape.certsrv.base.PKIException; + import com.netscape.certsrv.dbs.EDBException; + import com.netscape.certsrv.dbs.IDBVirtualList; + import com.netscape.certsrv.ldap.LDAPExceptionConverter; ++import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.ILogger; + 
import com.netscape.certsrv.tps.token.TokenCollection;
+ import com.netscape.certsrv.tps.token.TokenData;
+@@ -814,7 +815,7 @@ public class TokenService extends SubsystemService implements TokenResource {
+ String info) {
+
+ String msg = CMS.getLogMessage(
+- "LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_RECORD_6",
++ AuditEvent.CONFIG_TOKEN_RECORD,
+ servletRequest.getUserPrincipal().getName(),
+ status,
+ service,
+@@ -832,7 +833,7 @@ public class TokenService extends SubsystemService implements TokenResource {
+ String newReason, Map params, String info) {
+
+ String msg = CMS.getLogMessage(
+- "LOGGING_SIGNED_AUDIT_TOKEN_STATE_CHANGE_8",
++ AuditEvent.TOKEN_STATE_CHANGE,
+ servletRequest.getUserPrincipal().getName(),
+ status,
+ oldState.toString(),
+--
+1.8.3.1
+
+
+From d2838897eb2ef43f538a1c57e6195292237aa28c Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata"
+Date: Wed, 12 Apr 2017 02:46:49 +0200
+Subject: [PATCH 42/59] Reorganized audit event constants for KRA.
+
+Change-Id: Ic4a79b0c73812c7b89daca3c804e6a88c738536a
+---
+ .../com/netscape/certsrv/logging/AuditEvent.java | 28 ++++++++++++++++++++++
+ .../src/com/netscape/kra/AsymKeyGenService.java | 5 ++--
+ .../com/netscape/kra/SecurityDataProcessor.java | 12 +++-------
+ .../kra/src/com/netscape/kra/SymKeyGenService.java | 6 ++---
+ .../server/kra/rest/KeyRequestService.java | 26 +++++---------------
+ .../org/dogtagpki/server/kra/rest/KeyService.java | 10 +++-----
+ .../servlet/csadmin/SecurityDomainProcessor.java | 8 +++----
+ .../cms/servlet/csadmin/UpdateDomainXML.java | 7 +++---
+ .../cms/servlet/csadmin/UpdateNumberRange.java | 9 ++++---
+ .../com/netscape/cmscore/session/SessionTimer.java | 6 ++---
+ 10 files changed, 56 insertions(+), 61 deletions(-)
+
+diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
+index abe16b6..dc632c3 100644
+--- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
++++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
+@@ -35,6 +35,34 @@ import com.netscape.certsrv.base.MessageFormatter;
+ */
+ public class AuditEvent implements IBundleLogEvent {
+
++ public final static String SECURITY_DOMAIN_UPDATE =
++ "LOGGING_SIGNED_AUDIT_SECURITY_DOMAIN_UPDATE_1";
++ public final static String CONFIG_SERIAL_NUMBER =
++ "LOGGING_SIGNED_AUDIT_CONFIG_SERIAL_NUMBER_1";
++
++ public final static String SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED =
++ "LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED_6";
++ public static final String SECURITY_DATA_ARCHIVAL_REQUEST =
++ "LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST_4";
++ public final static String SECURITY_DATA_RECOVERY_REQUEST_PROCESSED =
++ "LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_PROCESSED_5";
++ public static final String SECURITY_DATA_RECOVERY_REQUEST =
++ "LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_4";
++ public static final String SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE =
++ "LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE_4";
++ public final static String SECURITY_DATA_RETRIEVE_KEY =
++ "LOGGING_SIGNED_AUDIT_SECURITY_DATA_RETRIEVE_KEY_5";
++ public final static String KEY_STATUS_CHANGE =
++ "LOGGING_SIGNED_AUDIT_KEY_STATUS_CHANGE_6";
++ public final static String SYMKEY_GENERATION_REQUEST_PROCESSED =
++ "LOGGING_SIGNED_AUDIT_SYMKEY_GEN_REQUEST_PROCESSED_6";
++ public static final String SYMKEY_GENERATION_REQUEST =
++ "LOGGING_SIGNED_AUDIT_SYMKEY_GENERATION_REQUEST_4";
++ public static final String ASYMKEY_GENERATION_REQUEST =
++ "LOGGING_SIGNED_AUDIT_ASYMKEY_GENERATION_REQUEST_4";
++ public final static String ASYMKEY_GENERATION_REQUEST_PROCESSED =
++ "LOGGING_SIGNED_AUDIT_ASYMKEY_GEN_REQUEST_PROCESSED_6";
++
+ public final static String TOKEN_CERT_ENROLLMENT =
+ "LOGGING_SIGNED_AUDIT_TOKEN_CERT_ENROLLMENT_9";
+ public final static String TOKEN_CERT_RENEWAL =
+diff --git
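Review bot: The modifier order in the new KRA block is inconsistent: `SECURITY_DATA_ARCHIVAL_REQUEST`, `SECURITY_DATA_RECOVERY_REQUEST`, `SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE`, `SYMKEY_GENERATION_REQUEST` and `ASYMKEY_GENERATION_REQUEST` are declared `public static final` while every other constant in the class uses `public final static`; pick one (`public static final` is the order the JLS calls customary) and apply it to the whole block. Two names in this block also stop mirroring their keys — `SYMKEY_GENERATION_REQUEST_PROCESSED` maps to `LOGGING_SIGNED_AUDIT_SYMKEY_GEN_REQUEST_PROCESSED_6` and `ASYMKEY_GENERATION_REQUEST_PROCESSED` to `LOGGING_SIGNED_AUDIT_ASYMKEY_GEN_REQUEST_PROCESSED_6` — which will trip anyone grepping from an audit log entry back to the constant; renaming them to `SYMKEY_GEN_REQUEST_PROCESSED` / `ASYMKEY_GEN_REQUEST_PROCESSED`, or a comment noting the key spelling, would help.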
a/base/kra/src/com/netscape/kra/AsymKeyGenService.java b/base/kra/src/com/netscape/kra/AsymKeyGenService.java +index a731fb1..75e340c 100644 +--- a/base/kra/src/com/netscape/kra/AsymKeyGenService.java ++++ b/base/kra/src/com/netscape/kra/AsymKeyGenService.java +@@ -35,6 +35,7 @@ import com.netscape.certsrv.dbs.keydb.IKeyRepository; + import com.netscape.certsrv.key.AsymKeyGenerationRequest; + import com.netscape.certsrv.key.KeyRequestResource; + import com.netscape.certsrv.kra.IKeyRecoveryAuthority; ++import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.ILogger; + import com.netscape.certsrv.request.IRequest; + import com.netscape.certsrv.request.IService; +@@ -63,8 +64,6 @@ public class AsymKeyGenService implements IService { + private IKeyRecoveryAuthority kra = null; + private IStorageKeyUnit storageUnit = null; + private ILogger signedAuditLogger = CMS.getSignedAuditLogger(); +- private final static String LOGGING_SIGNED_AUDIT_ASYMKEY_GEN_REQUEST_PROCESSED = +- "LOGGING_SIGNED_AUDIT_ASYMKEY_GEN_REQUEST_PROCESSED_6"; + + public AsymKeyGenService(IKeyRecoveryAuthority kra) { + this.kra = kra; +@@ -233,7 +232,7 @@ public class AsymKeyGenService implements IService { + String clientKeyID, + String keyID, String reason) { + String auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_ASYMKEY_GEN_REQUEST_PROCESSED, ++ AuditEvent.ASYMKEY_GENERATION_REQUEST_PROCESSED, + subjectID, + status, + requestID.toString(), +diff --git a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java +index 3475eae..78d64c5 100644 +--- a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java ++++ b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java +@@ -38,6 +38,7 @@ import com.netscape.certsrv.dbs.keydb.IKeyRepository; + import com.netscape.certsrv.key.KeyRequestResource; + import com.netscape.certsrv.kra.EKRAException; + import com.netscape.certsrv.kra.IKeyRecoveryAuthority; 
++import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.ILogger; + import com.netscape.certsrv.profile.IEnrollProfile; + import com.netscape.certsrv.request.IRequest; +@@ -65,13 +66,6 @@ public class SecurityDataProcessor { + private static boolean allowEncDecrypt_archival = false; + private static boolean allowEncDecrypt_recovery = false; + +- private final static String LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED = +- "LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED_6"; +- +- private final static String LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_PROCESSED = +- "LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_PROCESSED_5"; +- +- + public SecurityDataProcessor(IKeyRecoveryAuthority kra) { + this.kra = kra; + transportUnit = kra.getTransportKeyUnit(); +@@ -779,7 +773,7 @@ public class SecurityDataProcessor { + private void auditRecoveryRequestProcessed(String subjectID, String status, RequestId requestID, + String keyID, String reason) { + String auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_PROCESSED, ++ AuditEvent.SECURITY_DATA_RECOVERY_REQUEST_PROCESSED, + subjectID, + status, + requestID.toString(), +@@ -791,7 +785,7 @@ public class SecurityDataProcessor { + private void auditArchivalRequestProcessed(String subjectID, String status, RequestId requestID, String clientKeyID, + String keyID, String reason) { + String auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED, ++ AuditEvent.SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED, + subjectID, + status, + requestID.toString(), +diff --git a/base/kra/src/com/netscape/kra/SymKeyGenService.java b/base/kra/src/com/netscape/kra/SymKeyGenService.java +index 9c50eb3..f700a79 100644 +--- a/base/kra/src/com/netscape/kra/SymKeyGenService.java ++++ b/base/kra/src/com/netscape/kra/SymKeyGenService.java +@@ -34,6 +34,7 @@ import 
com.netscape.certsrv.dbs.keydb.IKeyRepository; + import com.netscape.certsrv.key.KeyRequestResource; + import com.netscape.certsrv.key.SymKeyGenerationRequest; + import com.netscape.certsrv.kra.IKeyRecoveryAuthority; ++import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.ILogger; + import com.netscape.certsrv.request.IRequest; + import com.netscape.certsrv.request.IService; +@@ -60,9 +61,6 @@ public class SymKeyGenService implements IService { + private IStorageKeyUnit mStorageUnit = null; + private ILogger signedAuditLogger = CMS.getSignedAuditLogger(); + +- private final static String LOGGING_SIGNED_AUDIT_SYMKEY_GEN_REQUEST_PROCESSED = +- "LOGGING_SIGNED_AUDIT_SYMKEY_GEN_REQUEST_PROCESSED_6"; +- + public SymKeyGenService(IKeyRecoveryAuthority kra) { + mKRA = kra; + mStorageUnit = kra.getStorageKeyUnit(); +@@ -252,7 +250,7 @@ public class SymKeyGenService implements IService { + private void auditSymKeyGenRequestProcessed(String subjectID, String status, RequestId requestID, String clientKeyID, + String keyID, String reason) { + String auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_SYMKEY_GEN_REQUEST_PROCESSED, ++ AuditEvent.SYMKEY_GENERATION_REQUEST_PROCESSED, + subjectID, + status, + requestID.toString(), +diff --git a/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java b/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java +index e0c4ca9..38f7e93 100644 +--- a/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java ++++ b/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java +@@ -48,6 +48,7 @@ import com.netscape.certsrv.key.KeyRequestInfoCollection; + import com.netscape.certsrv.key.KeyRequestResource; + import com.netscape.certsrv.key.KeyRequestResponse; + import com.netscape.certsrv.key.SymKeyGenerationRequest; ++import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.ILogger; + import com.netscape.certsrv.request.RequestId; + import 
com.netscape.certsrv.request.RequestNotFoundException; +@@ -62,21 +63,6 @@ import com.netscape.cmsutil.ldap.LDAPUtil; + */ + public class KeyRequestService extends SubsystemService implements KeyRequestResource { + +- private static final String LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST = +- "LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST_4"; +- +- private static final String LOGGING_SIGNED_AUDIT_SYMKEY_GENERATION_REQUEST = +- "LOGGING_SIGNED_AUDIT_SYMKEY_GENERATION_REQUEST_4"; +- +- private static final String LOGGING_SIGNED_AUDIT_ASYMKEY_GENERATION_REQUEST = +- "LOGGING_SIGNED_AUDIT_ASYMKEY_GENERATION_REQUEST_4"; +- +- private static final String LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST = +- "LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_4"; +- +- private static final String LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE = +- "LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE_4"; +- + public static final int DEFAULT_START = 0; + public static final int DEFAULT_PAGESIZE = 20; + public static final int DEFAULT_MAXRESULTS = 100; +@@ -349,7 +335,7 @@ public class KeyRequestService extends SubsystemService implements KeyRequestRes + + public void auditRecoveryRequestChange(RequestId requestId, String status, String operation) { + String msg = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE, ++ AuditEvent.SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE, + getRequestor(), + status, + requestId.toString(), +@@ -359,7 +345,7 @@ public class KeyRequestService extends SubsystemService implements KeyRequestRes + + public void auditRecoveryRequestMade(RequestId requestId, String status, KeyId dataId) { + String msg = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST, ++ AuditEvent.SECURITY_DATA_RECOVERY_REQUEST, + getRequestor(), + status, + requestId != null? 
requestId.toString(): "null", +@@ -369,7 +355,7 @@ public class KeyRequestService extends SubsystemService implements KeyRequestRes + + public void auditArchivalRequestMade(RequestId requestId, String status, String clientKeyID) { + String msg = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST, ++ AuditEvent.SECURITY_DATA_ARCHIVAL_REQUEST, + getRequestor(), + status, + requestId != null? requestId.toString(): "null", +@@ -379,7 +365,7 @@ public class KeyRequestService extends SubsystemService implements KeyRequestRes + + public void auditSymKeyGenRequestMade(RequestId requestId, String status, String clientKeyID) { + String msg = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_SYMKEY_GENERATION_REQUEST, ++ AuditEvent.SYMKEY_GENERATION_REQUEST, + getRequestor(), + status, + requestId != null ? requestId.toString() : "null", +@@ -389,7 +375,7 @@ public class KeyRequestService extends SubsystemService implements KeyRequestRes + + public void auditAsymKeyGenRequestMade(RequestId requestId, String status, String clientKeyID) { + String msg = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_ASYMKEY_GENERATION_REQUEST, ++ AuditEvent.ASYMKEY_GENERATION_REQUEST, + getRequestor(), + status, + requestId != null ? 
requestId.toString() : "null", +diff --git a/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java b/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java +index e15b263..7a21971 100644 +--- a/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java ++++ b/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java +@@ -60,6 +60,7 @@ import com.netscape.certsrv.key.KeyRecoveryRequest; + import com.netscape.certsrv.key.KeyResource; + import com.netscape.certsrv.kra.IKeyRecoveryAuthority; + import com.netscape.certsrv.kra.IKeyService; ++import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.ILogger; + import com.netscape.certsrv.request.IRequest; + import com.netscape.certsrv.request.IRequestQueue; +@@ -77,11 +78,6 @@ import com.netscape.cmsutil.util.Utils; + */ + public class KeyService extends SubsystemService implements KeyResource { + +- private final static String LOGGING_SIGNED_AUDIT_SECURITY_DATA_RETRIEVE_KEY = +- "LOGGING_SIGNED_AUDIT_SECURITY_DATA_RETRIEVE_KEY_5"; +- private final static String LOGGING_SIGNED_AUDIT_KEY_STATUS_CHANGE = +- "LOGGING_SIGNED_AUDIT_KEY_STATUS_CHANGE_6"; +- + public static final int DEFAULT_MAXRESULTS = 100; + public static final int DEFAULT_MAXTIME = 10; + public static final String ATTR_SERIALNO = "serialNumber"; +@@ -606,7 +602,7 @@ public class KeyService extends SubsystemService implements KeyResource { + + public void auditRetrieveKey(String status, String reason) { + String msg = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_SECURITY_DATA_RETRIEVE_KEY, ++ AuditEvent.SECURITY_DATA_RETRIEVE_KEY, + servletRequest.getUserPrincipal().getName(), + status, + requestId != null ? 
requestId.toString(): "null", +@@ -628,7 +624,7 @@ public class KeyService extends SubsystemService implements KeyResource { + public void auditKeyStatusChange(String status, String keyID, String oldKeyStatus, + String newKeyStatus, String info) { + String msg = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_KEY_STATUS_CHANGE, ++ AuditEvent.KEY_STATUS_CHANGE, + servletRequest.getUserPrincipal().getName(), + status, + keyID, +diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java +index 3a2b694..69e76fc 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java +@@ -43,6 +43,7 @@ import com.netscape.certsrv.base.ISecurityDomainSessionTable; + import com.netscape.certsrv.base.PKIException; + import com.netscape.certsrv.base.UnauthorizedException; + import com.netscape.certsrv.ldap.ILdapConnFactory; ++import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.ILogger; + import com.netscape.certsrv.system.DomainInfo; + import com.netscape.certsrv.system.InstallToken; +@@ -64,9 +65,6 @@ import netscape.ldap.LDAPSearchResults; + */ + public class SecurityDomainProcessor extends CAProcessor { + +- public final static String LOGGING_SIGNED_AUDIT_SECURITY_DOMAIN_UPDATE = +- "LOGGING_SIGNED_AUDIT_SECURITY_DOMAIN_UPDATE_1"; +- + public final static String[] TYPES = { "CA", "KRA", "OCSP", "TKS", "RA", "TPS" }; + + Random random = new Random(); +@@ -128,7 +126,7 @@ public class SecurityDomainProcessor extends CAProcessor { + + if (status == ISecurityDomainSessionTable.SUCCESS) { + message = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_SECURITY_DOMAIN_UPDATE, ++ AuditEvent.SECURITY_DOMAIN_UPDATE, + user, + ILogger.SUCCESS, + auditParams); +@@ -136,7 +134,7 @@ public class SecurityDomainProcessor extends 
CAProcessor { + + } else { + message = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_SECURITY_DOMAIN_UPDATE, ++ AuditEvent.SECURITY_DOMAIN_UPDATE, + user, + ILogger.FAILURE, + auditParams); +diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java +index 1a23823..bed4357 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java +@@ -47,6 +47,7 @@ import com.netscape.certsrv.authorization.EAuthzAccessDenied; + import com.netscape.certsrv.base.EBaseException; + import com.netscape.certsrv.base.IConfigStore; + import com.netscape.certsrv.ldap.ILdapConnFactory; ++import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.ILogger; + import com.netscape.cms.servlet.base.CMSServlet; + import com.netscape.cms.servlet.base.UserInfo; +@@ -62,8 +63,6 @@ public class UpdateDomainXML extends CMSServlet { + private static final long serialVersionUID = 4059169588555717548L; + private final static String SUCCESS = "0"; + private final static String FAILED = "1"; +- private final static String LOGGING_SIGNED_AUDIT_SECURITY_DOMAIN_UPDATE = +- "LOGGING_SIGNED_AUDIT_SECURITY_DOMAIN_UPDATE_1"; + private final static String LOGGING_SIGNED_AUDIT_CONFIG_ROLE = + "LOGGING_SIGNED_AUDIT_CONFIG_ROLE_3"; + +@@ -501,14 +500,14 @@ public class UpdateDomainXML extends CMSServlet { + + if (status.equals(SUCCESS)) { + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_SECURITY_DOMAIN_UPDATE, ++ AuditEvent.SECURITY_DOMAIN_UPDATE, + auditSubjectID, + ILogger.SUCCESS, + auditParams); + } else { + // what if already exists or already deleted + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_SECURITY_DOMAIN_UPDATE, ++ AuditEvent.SECURITY_DOMAIN_UPDATE, + auditSubjectID, + ILogger.FAILURE, + auditParams); +diff --git 
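Review bot: After the `@@ -62,8 +63,6 @@` hunk UpdateDomainXML still carries its own `LOGGING_SIGNED_AUDIT_CONFIG_ROLE = "LOGGING_SIGNED_AUDIT_CONFIG_ROLE_3"` immediately below where `SECURITY_DOMAIN_UPDATE` was removed, so the file now mixes a local key with the centralized AuditEvent ones. Since this commit is scoped to KRA events that is understandable, but a `// TODO: move to AuditEvent` on the remaining constant, or moving it in the same series, would avoid leaving a second convention behind.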
a/base/server/cms/src/com/netscape/cms/servlet/csadmin/UpdateNumberRange.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/UpdateNumberRange.java +index e068bd4..2586da2 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/UpdateNumberRange.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/UpdateNumberRange.java +@@ -37,6 +37,7 @@ import com.netscape.certsrv.base.IConfigStore; + import com.netscape.certsrv.ca.ICertificateAuthority; + import com.netscape.certsrv.dbs.repository.IRepository; + import com.netscape.certsrv.kra.IKeyRecoveryAuthority; ++import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.ILogger; + import com.netscape.cms.servlet.base.CMSServlet; + import com.netscape.cms.servlet.base.UserInfo; +@@ -52,8 +53,6 @@ public class UpdateNumberRange extends CMSServlet { + private static final long serialVersionUID = -1584171713024263331L; + private final static String SUCCESS = "0"; + private final static String AUTH_FAILURE = "2"; +- private final static String LOGGING_SIGNED_AUDIT_CONFIG_SERIAL_NUMBER = +- "LOGGING_SIGNED_AUDIT_CONFIG_SERIAL_NUMBER_1"; + + public UpdateNumberRange() { + super(); +@@ -208,7 +207,7 @@ public class UpdateNumberRange extends CMSServlet { + CMS.debug("UpdateNumberRange::process() - " + + "beginNum is null!"); + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_SERIAL_NUMBER, ++ AuditEvent.CONFIG_SERIAL_NUMBER, + auditSubjectID, + ILogger.FAILURE, + auditParams); +@@ -240,7 +239,7 @@ public class UpdateNumberRange extends CMSServlet { + "+endNumber;;" + endNum.toString(radix); + + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_SERIAL_NUMBER, ++ AuditEvent.CONFIG_SERIAL_NUMBER, + auditSubjectID, + ILogger.SUCCESS, + auditParams); +@@ -251,7 +250,7 @@ public class UpdateNumberRange extends CMSServlet { + CMS.debug(e); + + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_SERIAL_NUMBER, ++ 
AuditEvent.CONFIG_SERIAL_NUMBER, + auditSubjectID, + ILogger.FAILURE, + auditParams); +diff --git a/base/server/cmscore/src/com/netscape/cmscore/session/SessionTimer.java b/base/server/cmscore/src/com/netscape/cmscore/session/SessionTimer.java +index 0f79fc4..c6db131 100644 +--- a/base/server/cmscore/src/com/netscape/cmscore/session/SessionTimer.java ++++ b/base/server/cmscore/src/com/netscape/cmscore/session/SessionTimer.java +@@ -23,14 +23,12 @@ import java.util.TimerTask; + + import com.netscape.certsrv.apps.CMS; + import com.netscape.certsrv.base.ISecurityDomainSessionTable; ++import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.ILogger; + + public class SessionTimer extends TimerTask { + private ISecurityDomainSessionTable m_sessiontable = null; + private ILogger mSignedAuditLogger = CMS.getSignedAuditLogger(); +- private final static String LOGGING_SIGNED_AUDIT_SECURITY_DOMAIN_UPDATE = +- "LOGGING_SIGNED_AUDIT_SECURITY_DOMAIN_UPDATE_1"; +- + public SessionTimer(ISecurityDomainSessionTable table) { + super(); + m_sessiontable = table; +@@ -61,7 +59,7 @@ public class SessionTimer extends TimerTask { + // audit message + String auditParams = "operation;;expire_token+token;;" + sessionId; + String auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_SECURITY_DOMAIN_UPDATE, ++ AuditEvent.SECURITY_DOMAIN_UPDATE, + "system", + ILogger.SUCCESS, + auditParams); +-- +1.8.3.1 + + +From f0eedf609ef2042915556738dafba0fa9d8da6cc Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Wed, 12 Apr 2017 03:11:51 +0200 +Subject: [PATCH 43/59] Reorganized audit event constants for TKS. 
+
+Change-Id: I7fee37c8369945c6aedae78bd56063bc4488c0f7
+---
+ .../com/netscape/certsrv/logging/AuditEvent.java | 25 ++++++++
+ .../com/netscape/cms/servlet/tks/TokenServlet.java | 73 ++++++----------
+ 2 files changed, 44 insertions(+), 54 deletions(-)
+
+diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
+index dc632c3..8abb9a5 100644
+--- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
++++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
+@@ -35,6 +35,31 @@ import com.netscape.certsrv.base.MessageFormatter;
+ */
+ public class AuditEvent implements IBundleLogEvent {
+
++ public final static String COMPUTE_RANDOM_DATA_REQUEST =
++ "LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_2";
++ public final static String COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS =
++ "LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS_3";
++ public final static String COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE =
++ "LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE_4";
++ public final static String COMPUTE_SESSION_KEY_REQUEST =
++ "LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_4"; // AC: KDF SPEC CHANGE: Need to log both KDD and CUID.
++ public final static String COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS =
++ "LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS_13"; // AC: KDF SPEC CHANGE: Need to log both KDD and CUID. Also added TKSKeyset, KeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd.
++ public final static String COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE =
++ "LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE_14"; // AC: KDF SPEC CHANGE: Need to log both KDD and CUID. Also added TKSKeyset, KeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd.
++ public final static String DIVERSIFY_KEY_REQUEST =
++ "LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_6"; // AC: KDF SPEC CHANGE: Need to log both KDD and CUID.
++ public final static String DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS =
++ "LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS_12"; // AC: KDF SPEC CHANGE: Need to log both KDD and CUID. Also added TKSKeyset, OldKeyInfo_KeyVersion, NewKeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd.
++ public final static String DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE =
++ "LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE_13"; // AC: KDF SPEC CHANGE: Need to log both KDD and CUID. Also added TKSKeyset, OldKeyInfo_KeyVersion, NewKeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd.
++ public final static String ENCRYPT_DATA_REQUEST =
++ "LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_5"; // AC: KDF SPEC CHANGE: Need to log both KDD and CUID.
++ public final static String ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS =
++ "LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS_12";
++ public final static String ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE =
++ "LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE_13";
++
+ public final static String SECURITY_DOMAIN_UPDATE =
+ "LOGGING_SIGNED_AUDIT_SECURITY_DOMAIN_UPDATE_1";
+ public final static String CONFIG_SERIAL_NUMBER =
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/tks/TokenServlet.java b/base/server/cms/src/com/netscape/cms/servlet/tks/TokenServlet.java
+index 6a17466..3915b73 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/tks/TokenServlet.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/tks/TokenServlet.java
+@@ -47,6 +47,7 @@ public class TokenServlet extends CMSServlet {
+ import com.netscape.certsrv.base.EBaseException;
+ import com.netscape.certsrv.base.IConfigStore;
+ import com.netscape.certsrv.base.IPrettyPrintFormat;
+ import com.netscape.certsrv.base.SessionContext;
++import
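Review bot: The event IDs moved into `AuditEvent` carry an undocumented contract that was easier to see while they sat next to their call sites: the trailing number of each ID (`_4`, `_13`, `_14`) appears to be the number of arguments the matching message-bundle entry expects — elsewhere in this series `CRL_VALIDATION_2` is called with two arguments and `CRL_RETRIEVAL_3` with three — and the `// AC: KDF SPEC CHANGE` comments record which arguments were added when a suffix was bumped. Nothing in the class states this, so a later edit to a `TokenServlet` call site can silently mismatch the format and the arguments without a compile error. I would add a Javadoc above the block, e.g. `/** TKS events. The trailing number of an ID is the argument count of its message-bundle entry; changing the arguments at a call site requires bumping the suffix and the bundle entry together. */`, and head the group with `// TKS` since the class now collects events from several subsystems.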
com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.ILogger; + import com.netscape.cms.servlet.base.CMSServlet; + import com.netscape.cms.servlet.common.CMSRequest; +@@ -75,42 +76,6 @@ public class TokenServlet extends CMSServlet { + String mCurrentUID = null; + IPrettyPrintFormat pp = CMS.getPrettyPrintFormat(":"); + +- private final static String LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST = +- "LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_4"; // AC: KDF SPEC CHANGE: Need to log both KDD and CUID. +- +- private final static String LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS = +- "LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS_13"; // AC: KDF SPEC CHANGE: Need to log both KDD and CUID. Also added TKSKeyset, KeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd. +- +- private final static String LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE = +- "LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE_14"; // AC: KDF SPEC CHANGE: Need to log both KDD and CUID. Also added TKSKeyset, KeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd. +- +- private final static String LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST = +- "LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_6"; // AC: KDF SPEC CHANGE: Need to log both KDD and CUID. +- +- private final static String LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS = +- "LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS_12"; // AC: KDF SPEC CHANGE: Need to log both KDD and CUID. Also added TKSKeyset, OldKeyInfo_KeyVersion, NewKeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd. +- +- private final static String LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE = +- "LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE_13"; // AC: KDF SPEC CHANGE: Need to log both KDD and CUID. 
Also added TKSKeyset, OldKeyInfo_KeyVersion, NewKeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd. +- +- private final static String LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST = +- "LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_5"; // AC: KDF SPEC CHANGE: Need to log both KDD and CUID. +- +- private final static String LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS = +- "LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS_12"; +- +- private final static String LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE = +- "LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE_13"; +- +- private final static String LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST = +- "LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_2"; +- +- private final static String LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS = +- "LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS_3"; +- +- private final static String LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE = +- "LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE_4"; +- + // Derivation Constants for SCP02 + public final static byte[] C_MACDerivationConstant = { (byte) 0x01, (byte) 0x01 }; + public final static byte[] ENCDerivationConstant = { 0x01, (byte) 0x82 }; +@@ -404,7 +369,7 @@ public class TokenServlet extends CMSServlet { + } + + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST, ++ AuditEvent.COMPUTE_SESSION_KEY_REQUEST, + rCUID, + rKDD, // AC: KDF SPEC CHANGE - Log both CUID and KDD. 
+ ILogger.SUCCESS, +@@ -834,7 +799,7 @@ public class TokenServlet extends CMSServlet { + "0x" + Integer.toHexString(nistSP800_108KdfOnKeyVersion & 0x000000FF), // NistSP800_108KdfOnKeyVersion + Boolean.toString(nistSP800_108KdfUseCuidAsKdd) // NistSP800_108KdfUseCuidAsKdd + }; +- auditMessage = CMS.getLogMessage(LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, ++ auditMessage = CMS.getLogMessage(AuditEvent.COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, + logParams); + + } else { +@@ -854,7 +819,7 @@ public class TokenServlet extends CMSServlet { + Boolean.toString(nistSP800_108KdfUseCuidAsKdd), // NistSP800_108KdfUseCuidAsKdd + errorMsg // Error + }; +- auditMessage = CMS.getLogMessage(LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE, ++ auditMessage = CMS.getLogMessage(AuditEvent.COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE, + logParams); + } + +@@ -922,7 +887,7 @@ public class TokenServlet extends CMSServlet { + + // AC: KDF SPEC CHANGE: Need to log both KDD and CUID + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST, ++ AuditEvent.COMPUTE_SESSION_KEY_REQUEST, + rCUID, + rKDD, // AC: KDF SPEC CHANGE - Log both CUID and KDD. 
+ ILogger.SUCCESS, +@@ -1492,7 +1457,7 @@ public class TokenServlet extends CMSServlet { + "0x" + Integer.toHexString(nistSP800_108KdfOnKeyVersion & 0x000000FF), // NistSP800_108KdfOnKeyVersion + Boolean.toString(nistSP800_108KdfUseCuidAsKdd) // NistSP800_108KdfUseCuidAsKdd + }; +- auditMessage = CMS.getLogMessage(LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, ++ auditMessage = CMS.getLogMessage(AuditEvent.COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, + logParams); + + } else { +@@ -1514,7 +1479,7 @@ public class TokenServlet extends CMSServlet { + Boolean.toString(nistSP800_108KdfUseCuidAsKdd), // NistSP800_108KdfUseCuidAsKdd + errorMsg // Error + }; +- auditMessage = CMS.getLogMessage(LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE, ++ auditMessage = CMS.getLogMessage(AuditEvent.COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE, + logParams); + + } +@@ -1635,7 +1600,7 @@ public class TokenServlet extends CMSServlet { + + // AC: KDF SPEC CHANGE: Need to log both KDD and CUID + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST, ++ AuditEvent.DIVERSIFY_KEY_REQUEST, + rCUID, + rKDD, // AC: KDF SPEC CHANGE - Log both CUID and KDD. 
+ ILogger.SUCCESS, +@@ -1924,7 +1889,7 @@ public class TokenServlet extends CMSServlet { + "0x" + Integer.toHexString(nistSP800_108KdfOnKeyVersion & 0x000000FF), // NistSP800_108KdfOnKeyVersion + Boolean.toString(nistSP800_108KdfUseCuidAsKdd) // NistSP800_108KdfUseCuidAsKdd + }; +- auditMessage = CMS.getLogMessage(LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, logParams); ++ auditMessage = CMS.getLogMessage(AuditEvent.DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, logParams); + } else { + // AC: KDF SPEC CHANGE - Log both CUID and KDD + // Also added TKSKeyset, OldKeyInfo_KeyVersion, NewKeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd +@@ -1946,7 +1911,7 @@ public class TokenServlet extends CMSServlet { + Boolean.toString(nistSP800_108KdfUseCuidAsKdd), // NistSP800_108KdfUseCuidAsKdd + errorMsg // Error + }; +- auditMessage = CMS.getLogMessage(LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE, logParams); ++ auditMessage = CMS.getLogMessage(AuditEvent.DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE, logParams); + } + + audit(auditMessage); +@@ -2011,7 +1976,7 @@ public class TokenServlet extends CMSServlet { + + // AC: KDF SPEC CHANGE: Need to log both KDD and CUID + String auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST, ++ AuditEvent.ENCRYPT_DATA_REQUEST, + rCUID, + rKDD, // AC: KDF SPEC CHANGE - Log both CUID and KDD. 
+ ILogger.SUCCESS, +@@ -2262,7 +2227,7 @@ public class TokenServlet extends CMSServlet { + "0x" + Integer.toHexString(nistSP800_108KdfOnKeyVersion & 0x000000FF), // NistSP800_108KdfOnKeyVersion + Boolean.toString(nistSP800_108KdfUseCuidAsKdd) // NistSP800_108KdfUseCuidAsKdd + }; +- auditMessage = CMS.getLogMessage(LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS, logParams); ++ auditMessage = CMS.getLogMessage(AuditEvent.ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS, logParams); + } else { + // AC: KDF SPEC CHANGE - Log both CUID and KDD + // Also added TKSKeyset, KeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd +@@ -2281,7 +2246,7 @@ public class TokenServlet extends CMSServlet { + Boolean.toString(nistSP800_108KdfUseCuidAsKdd), // NistSP800_108KdfUseCuidAsKdd + errorMsg // Error + }; +- auditMessage = CMS.getLogMessage(LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE, logParams); ++ auditMessage = CMS.getLogMessage(AuditEvent.ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE, logParams); + } + + audit(auditMessage); +@@ -2344,7 +2309,7 @@ public class TokenServlet extends CMSServlet { + CMS.debug("TokenServlet::processComputeRandomData data size requested: " + dataSize); + + String auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST, ++ AuditEvent.COMPUTE_RANDOM_DATA_REQUEST, + ILogger.SUCCESS, + agentId); + +@@ -2403,13 +2368,13 @@ public class TokenServlet extends CMSServlet { + + if (status.equals("0")) { + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS, ++ AuditEvent.COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS, + ILogger.SUCCESS, + status, + agentId); + } else { + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE, ++ AuditEvent.COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE, + ILogger.FAILURE, + status, + agentId, +@@ -2533,7 +2498,7 @@ public class TokenServlet extends CMSServlet { 
+ } + + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST, ++ AuditEvent.COMPUTE_SESSION_KEY_REQUEST, + rCUID, + rKDD, + ILogger.SUCCESS, +@@ -2956,7 +2921,7 @@ public class TokenServlet extends CMSServlet { + keySet, // TKSKeyset + log_string_from_keyInfo(xkeyInfo), // KeyInfo_KeyVersion + }; +- auditMessage = CMS.getLogMessage(LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, ++ auditMessage = CMS.getLogMessage(AuditEvent.COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, + logParams); + + } else { +@@ -2973,7 +2938,7 @@ public class TokenServlet extends CMSServlet { + log_string_from_keyInfo(xkeyInfo), // KeyInfo_KeyVersion + errorMsg // Error + }; +- auditMessage = CMS.getLogMessage(LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE, ++ auditMessage = CMS.getLogMessage(AuditEvent.COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE, + logParams); + + } +-- +1.8.3.1 + + +From e770f3a4ff34c27bc698d47aedc518a7ae6b31f9 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Wed, 12 Apr 2017 03:54:29 +0200 +Subject: [PATCH 44/59] Reorganized audit event constants for OCSP. 
+
+Change-Id: I3eb97554a1d0f4b86c981692ab0130b28c9c5288
+---
+ .../com/netscape/certsrv/logging/AuditEvent.java | 17 ++++++++++++
+ .../com/netscape/cms/authentication/CMCAuth.java | 25 +++++++++---------
+ .../netscape/cms/servlet/ocsp/AddCAServlet.java | 22 +++++++---------
+ .../netscape/cms/servlet/ocsp/AddCRLServlet.java | 30 ++++++++++------------
+ .../netscape/cms/servlet/ocsp/RemoveCAServlet.java | 17 ++++--------
+ 5 files changed, 56 insertions(+), 55 deletions(-)
+
+diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
+index 8abb9a5..bc892a9 100644
+--- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
++++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
+@@ -35,6 +35,23 @@ import com.netscape.certsrv.base.MessageFormatter;
+ */
+ public class AuditEvent implements IBundleLogEvent {
+
++ public final static String CRL_RETRIEVAL =
++ "LOGGING_SIGNED_AUDIT_CRL_RETRIEVAL_3";
++ public final static String CRL_VALIDATION =
++ "LOGGING_SIGNED_AUDIT_CRL_VALIDATION_2";
++ public final static String OCSP_ADD_CA_REQUEST =
++ "LOGGING_SIGNED_AUDIT_OCSP_ADD_CA_REQUEST_3";
++ public final static String OCSP_ADD_CA_REQUEST_PROCESSED =
++ "LOGGING_SIGNED_AUDIT_OCSP_ADD_CA_REQUEST_PROCESSED_3";
++ public final static String OCSP_REMOVE_CA_REQUEST =
++ "LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST_3";
++ public final static String OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS =
++ "LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS_3";
++ public final static String OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE =
++ "LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE_3";
++ public final static String CMC_SIGNED_REQUEST_SIG_VERIFY =
++ "LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY_5";
++
+ public final static String COMPUTE_RANDOM_DATA_REQUEST =
+ "LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_2";
+ public final static String
COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS = +diff --git a/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java b/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java +index 8523189..02aceb4 100644 +--- a/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java ++++ b/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java +@@ -79,6 +79,7 @@ import com.netscape.certsrv.base.EBaseException; + import com.netscape.certsrv.base.IConfigStore; + import com.netscape.certsrv.base.IExtendedPluginInfo; + import com.netscape.certsrv.base.SessionContext; ++import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.ILogger; + import com.netscape.certsrv.profile.EProfileException; + import com.netscape.certsrv.profile.IProfile; +@@ -181,8 +182,6 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, + "enrollment"; + private final static String SIGNED_AUDIT_REVOCATION_REQUEST_TYPE = + "revocation"; +- private final static String LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY = +- "LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY_5"; + + ///////////////////// + // default methods // +@@ -266,7 +265,7 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY, ++ AuditEvent.CMC_SIGNED_REQUEST_SIG_VERIFY, + auditSubjectID, + ILogger.FAILURE, + auditReqType, +@@ -285,7 +284,7 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY, ++ AuditEvent.CMC_SIGNED_REQUEST_SIG_VERIFY, + auditSubjectID, + ILogger.FAILURE, + auditReqType, +@@ -334,7 +333,7 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, + !cmcReq.hasContent()) { + // store a message in the signed audit log file 
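Review bot: `CMC_SIGNED_REQUEST_SIG_VERIFY` is added inside the block this commit introduces for OCSP, but its only user in the commit is `CMCAuth`, an `IAuthManager` plugin rather than an OCSP servlet, and the OCSP constants themselves (`CRL_RETRIEVAL`, `CRL_VALIDATION`) carry no subsystem marker in their names. As `AuditEvent` becomes the single registry of signed-audit events this loses the information of which subsystem emits what, which is exactly what someone mapping audit records to components needs. A one-line comment per group, `// OCSP` above `CRL_RETRIEVAL` and `// CMC authentication (CMCAuth)` above `CMC_SIGNED_REQUEST_SIG_VERIFY`, would preserve that without touching the IDs, and would match the commit subject, which currently says "OCSP" while also moving a non-OCSP event.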
+ auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY, ++ AuditEvent.CMC_SIGNED_REQUEST_SIG_VERIFY, + auditSubjectID, + ILogger.FAILURE, + auditReqType, +@@ -380,7 +379,7 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, + !ci.hasContent()) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY, ++ AuditEvent.CMC_SIGNED_REQUEST_SIG_VERIFY, + auditSubjectID, + ILogger.FAILURE, + auditReqType, +@@ -561,7 +560,7 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, + } catch (Exception e) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY, ++ AuditEvent.CMC_SIGNED_REQUEST_SIG_VERIFY, + auditSubjectID, + ILogger.FAILURE, + auditReqType, +@@ -615,7 +614,7 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, + } catch (Exception e) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY, ++ AuditEvent.CMC_SIGNED_REQUEST_SIG_VERIFY, + auditSubjectID, + ILogger.FAILURE, + auditReqType, +@@ -640,7 +639,7 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, + } catch (Exception e) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY, ++ AuditEvent.CMC_SIGNED_REQUEST_SIG_VERIFY, + auditSubjectID, + ILogger.FAILURE, + auditReqType, +@@ -656,7 +655,7 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY, ++ AuditEvent.CMC_SIGNED_REQUEST_SIG_VERIFY, + auditSubjectID, + ILogger.SUCCESS, + auditReqType, +@@ -669,7 +668,7 @@ public class CMCAuth implements IAuthManager, 
IExtendedPluginInfo, + } catch (EMissingCredential eAudit1) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY, ++ AuditEvent.CMC_SIGNED_REQUEST_SIG_VERIFY, + auditSubjectID, + ILogger.FAILURE, + auditReqType, +@@ -683,7 +682,7 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, + } catch (EInvalidCredentials eAudit2) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY, ++ AuditEvent.CMC_SIGNED_REQUEST_SIG_VERIFY, + auditSubjectID, + ILogger.FAILURE, + auditReqType, +@@ -697,7 +696,7 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, + } catch (EBaseException eAudit3) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY, ++ AuditEvent.CMC_SIGNED_REQUEST_SIG_VERIFY, + auditSubjectID, + ILogger.FAILURE, + auditReqType, +diff --git a/base/server/cms/src/com/netscape/cms/servlet/ocsp/AddCAServlet.java b/base/server/cms/src/com/netscape/cms/servlet/ocsp/AddCAServlet.java +index f19a9d6..0088e92 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/ocsp/AddCAServlet.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/ocsp/AddCAServlet.java +@@ -35,6 +35,7 @@ import com.netscape.certsrv.base.EBaseException; + import com.netscape.certsrv.base.IArgBlock; + import com.netscape.certsrv.common.ICMSRequest; + import com.netscape.certsrv.dbs.crldb.ICRLIssuingPointRecord; ++import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.AuditFormat; + import com.netscape.certsrv.logging.ILogger; + import com.netscape.certsrv.ocsp.IDefStore; +@@ -69,11 +70,6 @@ public class AddCAServlet extends CMSServlet { + private String mFormPath = null; + private IOCSPAuthority mOCSPAuthority = null; + +- private final static String 
LOGGING_SIGNED_AUDIT_OCSP_ADD_CA_REQUEST = +- "LOGGING_SIGNED_AUDIT_OCSP_ADD_CA_REQUEST_3"; +- private final static String LOGGING_SIGNED_AUDIT_OCSP_ADD_CA_REQUEST_PROCESSED = +- "LOGGING_SIGNED_AUDIT_OCSP_ADD_CA_REQUEST_PROCESSED_3"; +- + public AddCAServlet() { + super(); + } +@@ -162,7 +158,7 @@ public class AddCAServlet extends CMSServlet { + + if (b64 == null) { + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_OCSP_ADD_CA_REQUEST, ++ AuditEvent.OCSP_ADD_CA_REQUEST, + auditSubjectID, + ILogger.FAILURE, + ILogger.SIGNED_AUDIT_EMPTY_VALUE); +@@ -175,7 +171,7 @@ public class AddCAServlet extends CMSServlet { + auditCA = Cert.normalizeCertStr(Cert.stripCertBrackets(b64.trim())); + // record the fact that a request to add CA is made + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_OCSP_ADD_CA_REQUEST, ++ AuditEvent.OCSP_ADD_CA_REQUEST, + auditSubjectID, + ILogger.SUCCESS, + auditCA); +@@ -184,7 +180,7 @@ public class AddCAServlet extends CMSServlet { + + if (b64.indexOf(BEGIN_HEADER) == -1) { + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_OCSP_ADD_CA_REQUEST_PROCESSED, ++ AuditEvent.OCSP_ADD_CA_REQUEST_PROCESSED, + auditSubjectID, + ILogger.FAILURE, + auditCASubjectDN); +@@ -195,7 +191,7 @@ public class AddCAServlet extends CMSServlet { + } + if (b64.indexOf(END_HEADER) == -1) { + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_OCSP_ADD_CA_REQUEST_PROCESSED, ++ AuditEvent.OCSP_ADD_CA_REQUEST_PROCESSED, + auditSubjectID, + ILogger.FAILURE, + auditCASubjectDN); +@@ -216,7 +212,7 @@ public class AddCAServlet extends CMSServlet { + if (cert == null) { + CMS.debug("AddCAServlet::process() - cert is null!"); + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_OCSP_ADD_CA_REQUEST_PROCESSED, ++ AuditEvent.OCSP_ADD_CA_REQUEST_PROCESSED, + auditSubjectID, + ILogger.FAILURE, + auditCASubjectDN); +@@ -245,7 +241,7 @@ public class AddCAServlet extends CMSServlet { + auditCASubjectDN = leafCert.getSubjectDN().getName(); + } 
catch (Exception e) { + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_OCSP_ADD_CA_REQUEST_PROCESSED, ++ AuditEvent.OCSP_ADD_CA_REQUEST_PROCESSED, + auditSubjectID, + ILogger.FAILURE, + auditCASubjectDN); +@@ -270,7 +266,7 @@ public class AddCAServlet extends CMSServlet { + rec.set(ICRLIssuingPointRecord.ATTR_CA_CERT, leafCert.getEncoded()); + } catch (Exception e) { + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_OCSP_ADD_CA_REQUEST_PROCESSED, ++ AuditEvent.OCSP_ADD_CA_REQUEST_PROCESSED, + auditSubjectID, + ILogger.FAILURE, + auditCASubjectDN); +@@ -282,7 +278,7 @@ public class AddCAServlet extends CMSServlet { + defStore.addCRLIssuingPoint(leafCert.getSubjectDN().getName(), rec); + log(ILogger.EV_AUDIT, AuditFormat.LEVEL, "Added CA certificate " + leafCert.getSubjectDN().getName()); + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_OCSP_ADD_CA_REQUEST_PROCESSED, ++ AuditEvent.OCSP_ADD_CA_REQUEST_PROCESSED, + auditSubjectID, + ILogger.SUCCESS, + auditCASubjectDN); +diff --git a/base/server/cms/src/com/netscape/cms/servlet/ocsp/AddCRLServlet.java b/base/server/cms/src/com/netscape/cms/servlet/ocsp/AddCRLServlet.java +index 386ce93..5b4f624 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/ocsp/AddCRLServlet.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/ocsp/AddCRLServlet.java +@@ -40,6 +40,7 @@ import com.netscape.certsrv.base.IArgBlock; + import com.netscape.certsrv.common.ICMSRequest; + import com.netscape.certsrv.dbs.crldb.ICRLIssuingPointRecord; + import com.netscape.certsrv.dbs.repository.IRepositoryRecord; ++import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.AuditFormat; + import com.netscape.certsrv.logging.ILogger; + import com.netscape.certsrv.ocsp.IDefStore; +@@ -77,11 +78,6 @@ public class AddCRLServlet extends CMSServlet { + private String mFormPath = null; + private IOCSPAuthority mOCSPAuthority = null; + +- private final static String 
LOGGING_SIGNED_AUDIT_CRL_RETRIEVAL = +- "LOGGING_SIGNED_AUDIT_CRL_RETRIEVAL_3"; +- private final static String LOGGING_SIGNED_AUDIT_CRL_VALIDATION = +- "LOGGING_SIGNED_AUDIT_CRL_VALIDATION_2"; +- + public AddCRLServlet() { + super(); + } +@@ -153,7 +149,7 @@ public class AddCRLServlet extends CMSServlet { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CRL_RETRIEVAL, ++ AuditEvent.CRL_RETRIEVAL, + auditSubjectID, + ILogger.FAILURE, + auditCRLNum); +@@ -181,7 +177,7 @@ public class AddCRLServlet extends CMSServlet { + if (b64 == null) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CRL_RETRIEVAL, ++ AuditEvent.CRL_RETRIEVAL, + auditSubjectID, + ILogger.FAILURE, + auditCRLNum); +@@ -216,7 +212,7 @@ public class AddCRLServlet extends CMSServlet { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CRL_RETRIEVAL, ++ AuditEvent.CRL_RETRIEVAL, + auditSubjectID, + ILogger.FAILURE, + auditCRLNum); +@@ -237,7 +233,7 @@ public class AddCRLServlet extends CMSServlet { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CRL_RETRIEVAL, ++ AuditEvent.CRL_RETRIEVAL, + auditSubjectID, + ILogger.FAILURE, + auditCRLNum); +@@ -253,7 +249,7 @@ public class AddCRLServlet extends CMSServlet { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CRL_RETRIEVAL, ++ AuditEvent.CRL_RETRIEVAL, + auditSubjectID, + ILogger.FAILURE, + auditCRLNum); +@@ -290,7 +286,7 @@ public class AddCRLServlet extends CMSServlet { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CRL_RETRIEVAL, ++ AuditEvent.CRL_RETRIEVAL, + auditSubjectID, + ILogger.SUCCESS, + auditCRLNum); +@@ -304,7 +300,7 @@ public class AddCRLServlet extends CMSServlet { + + 
// store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CRL_RETRIEVAL, ++ AuditEvent.CRL_RETRIEVAL, + auditSubjectID, + ILogger.FAILURE, + auditCRLNum); +@@ -329,7 +325,7 @@ public class AddCRLServlet extends CMSServlet { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CRL_VALIDATION, ++ AuditEvent.CRL_VALIDATION, + auditSubjectID, + ILogger.FAILURE); + +@@ -383,7 +379,7 @@ public class AddCRLServlet extends CMSServlet { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CRL_VALIDATION, ++ AuditEvent.CRL_VALIDATION, + auditSubjectID, + ILogger.SUCCESS); + +@@ -400,7 +396,7 @@ public class AddCRLServlet extends CMSServlet { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CRL_VALIDATION, ++ AuditEvent.CRL_VALIDATION, + auditSubjectID, + ILogger.FAILURE); + +@@ -547,7 +543,7 @@ public class AddCRLServlet extends CMSServlet { + if (!CRLFetched) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CRL_RETRIEVAL, ++ AuditEvent.CRL_RETRIEVAL, + auditSubjectID, + ILogger.FAILURE, + auditCRLNum); +@@ -557,7 +553,7 @@ public class AddCRLServlet extends CMSServlet { + if (!CRLValidated) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CRL_VALIDATION, ++ AuditEvent.CRL_VALIDATION, + auditSubjectID, + ILogger.FAILURE); + +diff --git a/base/server/cms/src/com/netscape/cms/servlet/ocsp/RemoveCAServlet.java b/base/server/cms/src/com/netscape/cms/servlet/ocsp/RemoveCAServlet.java +index 55f688a..b6352a1 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/ocsp/RemoveCAServlet.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/ocsp/RemoveCAServlet.java +@@ -32,6 +32,7 @@ import 
com.netscape.certsrv.authorization.AuthzToken; + import com.netscape.certsrv.base.EBaseException; + import com.netscape.certsrv.base.IArgBlock; + import com.netscape.certsrv.common.ICMSRequest; ++import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.ILogger; + import com.netscape.certsrv.ocsp.IDefStore; + import com.netscape.certsrv.ocsp.IOCSPAuthority; +@@ -56,14 +57,6 @@ public class RemoveCAServlet extends CMSServlet { + private String mFormPath = null; + private IOCSPAuthority mOCSPAuthority = null; + +- private final static String LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST = +- "LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST_3"; +- private final static String LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS = +- "LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS_3"; +- +- private final static String LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE = +- "LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE_3"; +- + public RemoveCAServlet() { + super(); + } +@@ -151,7 +144,7 @@ public class RemoveCAServlet extends CMSServlet { + + if (caID == null) { + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE, ++ AuditEvent.OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE, + auditSubjectID, + ILogger.FAILURE, + ILogger.SIGNED_AUDIT_EMPTY_VALUE); +@@ -160,7 +153,7 @@ public class RemoveCAServlet extends CMSServlet { + } + + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST, ++ AuditEvent.OCSP_REMOVE_CA_REQUEST, + auditSubjectID, + ILogger.SUCCESS, + caID); +@@ -175,7 +168,7 @@ public class RemoveCAServlet extends CMSServlet { + } catch (EBaseException e) { + + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE, ++ AuditEvent.OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE, + auditSubjectID, + ILogger.FAILURE, + caID); +@@ -188,7 +181,7 @@ public class RemoveCAServlet extends 
CMSServlet { + CMS.debug("RemoveCAServlet::process: CRL IssuingPoint for CA successfully removed: " + caID); + + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS, ++ AuditEvent.OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS, + auditSubjectID, + ILogger.SUCCESS, + caID); +-- +1.8.3.1 + + +From 0afe49b7b758d46f8bc0ca87cf2124e90084ebce Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Wed, 12 Apr 2017 04:13:14 +0200 +Subject: [PATCH 45/59] Reorganized audit event constants for authentication. + +Change-Id: Iade8cb7fdf3c3f93afb13ff814da0f72dc8f8049 +--- + .../dogtagpki/server/ca/rest/ProfileService.java | 5 +-- + .../com/netscape/certsrv/logging/AuditEvent.java | 19 ++++++++++ + .../netscape/cms/profile/common/EnrollProfile.java | 8 ++-- + .../netscape/cms/profile/input/EnrollInput.java | 8 ++-- + .../cms/src/com/netscape/cms/realm/PKIRealm.java | 14 +++---- + .../netscape/cms/servlet/admin/AdminServlet.java | 43 +++++++++------------- + .../com/netscape/cms/servlet/base/CMSServlet.java | 27 +++++--------- + .../cms/servlet/connector/ConnectorServlet.java | 19 +++++----- + .../cms/servlet/processors/CAProcessor.java | 31 ++++++---------- + .../cms/servlet/processors/CRMFProcessor.java | 12 +++--- + .../cms/servlet/profile/ProfileApproveServlet.java | 21 +++++------ + .../org/dogtagpki/server/rest/ACLInterceptor.java | 24 +++++------- + 12 files changed, 106 insertions(+), 125 deletions(-) + +diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java b/base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java +index 694fb92..eae68ef 100644 +--- a/base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java ++++ b/base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java +@@ -51,6 +51,7 @@ import com.netscape.certsrv.base.UnauthorizedException; + import com.netscape.certsrv.common.NameValuePairs; + import com.netscape.certsrv.common.OpDef; + import com.netscape.certsrv.common.ScopeDef; ++import 
com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
+ import com.netscape.certsrv.profile.EProfileException;
+ import com.netscape.certsrv.profile.IProfile;
+@@ -89,8 +90,6 @@ public class ProfileService extends SubsystemService implements ProfileResource
+ private IProfileSubsystem ps = (IProfileSubsystem) CMS.getSubsystem(IProfileSubsystem.ID);
+ private IPluginRegistry registry = (IPluginRegistry) CMS.getSubsystem(CMS.SUBSYSTEM_REGISTRY);
+
+- private final static String LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL =
+- "LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL_4";
+ private final static String LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE =
+ "LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE_3";
+
+@@ -1189,7 +1188,7 @@ public class ProfileService extends SubsystemService implements ProfileResource
+
+ public void auditProfileChangeState(String profileId, String op, String status) {
+ String msg = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL,
++ AuditEvent.CERT_PROFILE_APPROVAL,
+ auditor.getSubjectID(),
+ status,
+ profileId,
+diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
+index bc892a9..82cb77f 100644
+--- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
++++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
+@@ -35,6 +35,25 @@ import com.netscape.certsrv.base.MessageFormatter;
+ */
+ public class AuditEvent implements IBundleLogEvent {
+
++ public final static String AUTHZ_SUCCESS =
++ "LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS_4";
++ public final static String AUTHZ_SUCCESS_INFO =
++ "LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS_5";
++ public final static String AUTHZ_FAIL =
++ "LOGGING_SIGNED_AUDIT_AUTHZ_FAIL_4";
++ public final static String AUTHZ_FAIL_INFO =
++ "LOGGING_SIGNED_AUDIT_AUTHZ_FAIL_5";
++ public final static String INTER_BOUNDARY =
++ "LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS_5";
++ public final
static String AUTH_FAIL =
++ "LOGGING_SIGNED_AUDIT_AUTH_FAIL_4";
++ public final static String AUTH_SUCCESS =
++ "LOGGING_SIGNED_AUDIT_AUTH_SUCCESS_3";
++ public final static String CERT_PROFILE_APPROVAL =
++ "LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL_4";
++ public final static String PROOF_OF_POSSESSION =
++ "LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION_2";
++
+ public final static String CRL_RETRIEVAL =
+ "LOGGING_SIGNED_AUDIT_CRL_RETRIEVAL_3";
+ public final static String CRL_VALIDATION =
+diff --git a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
+index f4a59d2..0ec3c94 100644
+--- a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
++++ b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
+@@ -76,6 +76,7 @@ import com.netscape.certsrv.base.EBaseException;
+ import com.netscape.certsrv.base.EPropertyNotFound;
+ import com.netscape.certsrv.base.SessionContext;
+ import com.netscape.certsrv.ca.ICertificateAuthority;
++import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
+ import com.netscape.certsrv.profile.EDeferException;
+ import com.netscape.certsrv.profile.EProfileException;
+@@ -121,9 +122,6 @@ public abstract class EnrollProfile extends BasicProfile
+
+ private final static String LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST =
+ "LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST_5";
+- private final static String LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION =
+- "LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION_2";
+-
+ private PKIData mCMCData;
+
+ public EnrollProfile() {
+@@ -2073,7 +2071,7 @@ public abstract class EnrollProfile extends BasicProfile
+
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION,
++ AuditEvent.PROOF_OF_POSSESSION,
+ auditSubjectID,
+ ILogger.SUCCESS);
+ audit(auditMessage);
+@@ -2093,7 +2091,7 @@
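Review bot: The AuditEvent constants added in the `@@ -35,6 +35,25 @@` hunk become the single place that fixes each signed-audit message key, yet nothing records that the trailing number in every key (`_2`, `_3`, `_4`, `_5`) is the count of values a caller must pass after the key — each call site rewritten in this patch passes exactly that many, and a mismatch would presumably surface as an incomplete or malformed audit record rather than a compile error. A class-level comment such as `// The numeric suffix of each key is the number of arguments CMS.getLogMessage() must receive for that event; keep call sites in step with it.` would make that contract visible where the keys now live. AUTHZ_SUCCESS_INFO and AUTHZ_FAIL_INFO are introduced but not referenced by any hunk in this patch, so either a caller outside the patch uses them or they are dead; worth confirming. INTER_BOUNDARY keeps the key `LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS_5` while the ConnectorServlet hunks log it with both ILogger.SUCCESS and ILogger.FAILURE, so a one-line note that the key name is historical and the outcome is carried by the status argument would save the next reader a detour.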
public abstract class EnrollProfile extends BasicProfile + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION, ++ AuditEvent.PROOF_OF_POSSESSION, + auditSubjectID, + ILogger.FAILURE); + +diff --git a/base/server/cms/src/com/netscape/cms/profile/input/EnrollInput.java b/base/server/cms/src/com/netscape/cms/profile/input/EnrollInput.java +index f246951..81e71c4 100644 +--- a/base/server/cms/src/com/netscape/cms/profile/input/EnrollInput.java ++++ b/base/server/cms/src/com/netscape/cms/profile/input/EnrollInput.java +@@ -30,6 +30,7 @@ import com.netscape.certsrv.apps.CMS; + import com.netscape.certsrv.base.EBaseException; + import com.netscape.certsrv.base.IConfigStore; + import com.netscape.certsrv.base.SessionContext; ++import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.ILogger; + import com.netscape.certsrv.profile.EProfileException; + import com.netscape.certsrv.profile.IProfile; +@@ -48,9 +49,6 @@ import com.netscape.cmsutil.crypto.CryptoUtil; + */ + public abstract class EnrollInput implements IProfileInput { + +- private final static String LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION = +- "LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION_2"; +- + protected IConfigStore mConfig = null; + protected Vector mValueNames = new Vector(); + protected Vector mConfigNames = new Vector(); +@@ -219,7 +217,7 @@ public abstract class EnrollInput implements IProfileInput { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION, ++ AuditEvent.PROOF_OF_POSSESSION, + auditSubjectID, + ILogger.SUCCESS); + audit(auditMessage); +@@ -230,7 +228,7 @@ public abstract class EnrollInput implements IProfileInput { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION, ++ AuditEvent.PROOF_OF_POSSESSION, + auditSubjectID, + 
ILogger.FAILURE); + +diff --git a/base/server/cms/src/com/netscape/cms/realm/PKIRealm.java b/base/server/cms/src/com/netscape/cms/realm/PKIRealm.java +index 1933601..28fb0b9 100644 +--- a/base/server/cms/src/com/netscape/cms/realm/PKIRealm.java ++++ b/base/server/cms/src/com/netscape/cms/realm/PKIRealm.java +@@ -16,6 +16,7 @@ import com.netscape.certsrv.authentication.IAuthToken; + import com.netscape.certsrv.authentication.ICertUserDBAuthentication; + import com.netscape.certsrv.authentication.IPasswdUserDBAuthentication; + import com.netscape.certsrv.base.SessionContext; ++import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.ILogger; + import com.netscape.certsrv.usrgrp.EUsrGrpException; + import com.netscape.certsrv.usrgrp.IGroup; +@@ -35,11 +36,6 @@ import netscape.security.x509.X509CertImpl; + + public class PKIRealm extends RealmBase { + protected ILogger signedAuditLogger = CMS.getSignedAuditLogger(); +- private final static String LOGGING_SIGNED_AUDIT_AUTH_FAIL = +- "LOGGING_SIGNED_AUDIT_AUTH_FAIL_4"; +- private final static String LOGGING_SIGNED_AUDIT_AUTH_SUCCESS = +- "LOGGING_SIGNED_AUDIT_AUTH_SUCCESS_3"; +- + @Override + protected String getName() { + return "PKIRealm"; +@@ -66,7 +62,7 @@ public class PKIRealm extends RealmBase { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_AUTH_SUCCESS, ++ AuditEvent.AUTH_SUCCESS, + auditSubjectID, + ILogger.SUCCESS, + IAuthSubsystem.PASSWDUSERDB_AUTHMGR_ID); +@@ -77,7 +73,7 @@ public class PKIRealm extends RealmBase { + } catch (Throwable e) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_AUTH_FAIL, ++ AuditEvent.AUTH_FAIL, + auditSubjectID, + ILogger.FAILURE, + IAuthSubsystem.PASSWDUSERDB_AUTHMGR_ID, +@@ -126,7 +122,7 @@ public class PKIRealm extends RealmBase { + CMS.debug("PKIRealm: User ID: " + username); + // store a message in the signed audit log 
file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_AUTH_SUCCESS, ++ AuditEvent.AUTH_SUCCESS, + auditSubjectID, + ILogger.SUCCESS, + IAuthSubsystem.CERTUSERDB_AUTHMGR_ID); +@@ -137,7 +133,7 @@ public class PKIRealm extends RealmBase { + } catch (Throwable e) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_AUTH_FAIL, ++ AuditEvent.AUTH_FAIL, + auditSubjectID, + ILogger.FAILURE, + IAuthSubsystem.CERTUSERDB_AUTHMGR_ID, +diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java +index ab7af9e..0350e38 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java +@@ -51,6 +51,7 @@ import com.netscape.certsrv.base.IExtendedPluginInfo; + import com.netscape.certsrv.base.SessionContext; + import com.netscape.certsrv.common.Constants; + import com.netscape.certsrv.common.NameValuePairs; ++import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.IAuditor; + import com.netscape.certsrv.logging.ILogger; + import com.netscape.certsrv.usrgrp.EUsrGrpException; +@@ -121,14 +122,6 @@ public class AdminServlet extends HttpServlet { + public static final String CERT_ATTR = + "javax.servlet.request.X509Certificate"; + +- private final static String LOGGING_SIGNED_AUDIT_AUTH_FAIL = +- "LOGGING_SIGNED_AUDIT_AUTH_FAIL_4"; +- private final static String LOGGING_SIGNED_AUDIT_AUTH_SUCCESS = +- "LOGGING_SIGNED_AUDIT_AUTH_SUCCESS_3"; +- private final static String LOGGING_SIGNED_AUDIT_AUTHZ_FAIL = +- "LOGGING_SIGNED_AUDIT_AUTHZ_FAIL_4"; +- private final static String LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS = +- "LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS_4"; + private final static String LOGGING_SIGNED_AUDIT_ROLE_ASSUME = + "LOGGING_SIGNED_AUDIT_ROLE_ASSUME_3"; + private final static String CERTUSERDB = +@@ 
-307,7 +300,7 @@ public class AdminServlet extends HttpServlet { + if (allCerts == null || allCerts.length == 0) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_AUTH_FAIL, ++ AuditEvent.AUTH_FAIL, + ILogger.UNIDENTIFIED, + ILogger.FAILURE, + CERTUSERDB, +@@ -399,7 +392,7 @@ public class AdminServlet extends HttpServlet { + if (authType.equals("sslclientauth")) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_AUTH_FAIL, ++ AuditEvent.AUTH_FAIL, + ILogger.UNIDENTIFIED, + ILogger.FAILURE, + CERTUSERDB, +@@ -409,7 +402,7 @@ public class AdminServlet extends HttpServlet { + } else { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_AUTH_FAIL, ++ AuditEvent.AUTH_FAIL, + ILogger.UNIDENTIFIED, + ILogger.FAILURE, + PASSWDUSERDB, +@@ -433,7 +426,7 @@ public class AdminServlet extends HttpServlet { + if (authType.equals("sslclientauth")) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_AUTH_FAIL, ++ AuditEvent.AUTH_FAIL, + ILogger.UNIDENTIFIED, + ILogger.FAILURE, + CERTUSERDB, +@@ -443,7 +436,7 @@ public class AdminServlet extends HttpServlet { + } else { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_AUTH_FAIL, ++ AuditEvent.AUTH_FAIL, + ILogger.UNIDENTIFIED, + ILogger.FAILURE, + PASSWDUSERDB, +@@ -469,7 +462,7 @@ public class AdminServlet extends HttpServlet { + if (authType.equals("sslclientauth")) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_AUTH_FAIL, ++ AuditEvent.AUTH_FAIL, + ILogger.UNIDENTIFIED, + ILogger.FAILURE, + CERTUSERDB, +@@ -479,7 +472,7 @@ public class AdminServlet extends HttpServlet { + } else { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- 
LOGGING_SIGNED_AUDIT_AUTH_FAIL, ++ AuditEvent.AUTH_FAIL, + ILogger.UNIDENTIFIED, + ILogger.FAILURE, + PASSWDUSERDB, +@@ -505,7 +498,7 @@ public class AdminServlet extends HttpServlet { + if (authType.equals("sslclientauth")) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_AUTH_FAIL, ++ AuditEvent.AUTH_FAIL, + ILogger.UNIDENTIFIED, + ILogger.FAILURE, + CERTUSERDB, +@@ -515,7 +508,7 @@ public class AdminServlet extends HttpServlet { + } else { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_AUTH_FAIL, ++ AuditEvent.AUTH_FAIL, + ILogger.UNIDENTIFIED, + ILogger.FAILURE, + PASSWDUSERDB, +@@ -535,7 +528,7 @@ public class AdminServlet extends HttpServlet { + if (authType.equals("sslclientauth")) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_AUTH_SUCCESS, ++ AuditEvent.AUTH_SUCCESS, + auditSubjectID(), + ILogger.SUCCESS, + CERTUSERDB); +@@ -544,7 +537,7 @@ public class AdminServlet extends HttpServlet { + } else { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_AUTH_SUCCESS, ++ AuditEvent.AUTH_SUCCESS, + auditSubjectID(), + ILogger.SUCCESS, + PASSWDUSERDB); +@@ -555,7 +548,7 @@ public class AdminServlet extends HttpServlet { + if (authType.equals("sslclientauth")) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_AUTH_FAIL, ++ AuditEvent.AUTH_FAIL, + ILogger.UNIDENTIFIED, + ILogger.FAILURE, + CERTUSERDB, +@@ -565,7 +558,7 @@ public class AdminServlet extends HttpServlet { + } else { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_AUTH_FAIL, ++ AuditEvent.AUTH_FAIL, + ILogger.UNIDENTIFIED, + ILogger.FAILURE, + PASSWDUSERDB, +@@ -654,7 +647,7 @@ public class AdminServlet extends HttpServlet { + + // 
store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_AUTHZ_FAIL, ++ AuditEvent.AUTHZ_FAIL, + auditSubjectID, + ILogger.FAILURE, + auditACLResource, +@@ -677,7 +670,7 @@ public class AdminServlet extends HttpServlet { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_AUTHZ_FAIL, ++ AuditEvent.AUTHZ_FAIL, + auditSubjectID, + ILogger.FAILURE, + auditACLResource, +@@ -698,7 +691,7 @@ public class AdminServlet extends HttpServlet { + } catch (Exception e) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_AUTHZ_FAIL, ++ AuditEvent.AUTHZ_FAIL, + auditSubjectID, + ILogger.FAILURE, + auditACLResource, +@@ -720,7 +713,7 @@ public class AdminServlet extends HttpServlet { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS, ++ AuditEvent.AUTHZ_SUCCESS, + auditSubjectID, + ILogger.SUCCESS, + auditACLResource, +diff --git a/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java b/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java +index ab9b936..01f9f07 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java +@@ -64,6 +64,7 @@ import com.netscape.certsrv.common.ICMSRequest; + import com.netscape.certsrv.dbs.certdb.ICertRecord; + import com.netscape.certsrv.dbs.certdb.ICertificateRepository; + import com.netscape.certsrv.kra.IKeyRecoveryAuthority; ++import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.ILogger; + import com.netscape.certsrv.ra.IRegistrationAuthority; + import com.netscape.certsrv.request.IRequest; +@@ -244,14 +245,6 @@ public abstract class CMSServlet extends HttpServlet { + private IUGSubsystem mUG = (IUGSubsystem) + CMS.getSubsystem(CMS.SUBSYSTEM_UG); + +- private 
final static String LOGGING_SIGNED_AUDIT_AUTH_FAIL = +- "LOGGING_SIGNED_AUDIT_AUTH_FAIL_4"; +- private final static String LOGGING_SIGNED_AUDIT_AUTH_SUCCESS = +- "LOGGING_SIGNED_AUDIT_AUTH_SUCCESS_3"; +- private final static String LOGGING_SIGNED_AUDIT_AUTHZ_FAIL = +- "LOGGING_SIGNED_AUDIT_AUTHZ_FAIL_4"; +- private final static String LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS = +- "LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS_4"; + private final static String LOGGING_SIGNED_AUDIT_ROLE_ASSUME = + "LOGGING_SIGNED_AUDIT_ROLE_ASSUME_3"; + +@@ -1801,7 +1794,7 @@ public abstract class CMSServlet extends HttpServlet { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_AUTH_SUCCESS, ++ AuditEvent.AUTH_SUCCESS, + auditSubjectID, + ILogger.SUCCESS, + auditAuthMgrID); +@@ -1812,7 +1805,7 @@ public abstract class CMSServlet extends HttpServlet { + } catch (EBaseException eAudit1) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_AUTH_FAIL, ++ AuditEvent.AUTH_FAIL, + auditSubjectID, + ILogger.FAILURE, + auditAuthMgrID, +@@ -1837,7 +1830,7 @@ public abstract class CMSServlet extends HttpServlet { + authzToken = mAuthz.authorize(authzMgrName, authToken, exp); + if (authzToken != null) { + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS, ++ AuditEvent.AUTHZ_SUCCESS, + auditSubjectID, + ILogger.SUCCESS, + auditACLResource, +@@ -1855,7 +1848,7 @@ public abstract class CMSServlet extends HttpServlet { + audit(auditMessage); + } else { + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_AUTHZ_FAIL, ++ AuditEvent.AUTHZ_FAIL, + auditSubjectID, + ILogger.FAILURE, + auditACLResource, +@@ -1874,7 +1867,7 @@ public abstract class CMSServlet extends HttpServlet { + return authzToken; + } catch (Exception e) { + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_AUTHZ_FAIL, ++ AuditEvent.AUTHZ_FAIL, + auditSubjectID, + ILogger.FAILURE, + 
auditACLResource, +@@ -1971,7 +1964,7 @@ public abstract class CMSServlet extends HttpServlet { + if (authzTok != null) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS, ++ AuditEvent.AUTHZ_SUCCESS, + auditSubjectID, + ILogger.SUCCESS, + auditACLResource, +@@ -1990,7 +1983,7 @@ public abstract class CMSServlet extends HttpServlet { + } else { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_AUTHZ_FAIL, ++ AuditEvent.AUTHZ_FAIL, + auditSubjectID, + ILogger.FAILURE, + auditACLResource, +@@ -2012,7 +2005,7 @@ public abstract class CMSServlet extends HttpServlet { + } catch (EBaseException eAudit1) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_AUTHZ_FAIL, ++ AuditEvent.AUTHZ_FAIL, + auditSubjectID, + ILogger.FAILURE, + auditACLResource, +@@ -2033,7 +2026,7 @@ public abstract class CMSServlet extends HttpServlet { + } catch (Exception eAudit1) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_AUTHZ_FAIL, ++ AuditEvent.AUTHZ_FAIL, + auditSubjectID, + ILogger.FAILURE, + auditACLResource, +diff --git a/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java b/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java +index e6dfbc4..014db79 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java +@@ -49,6 +49,7 @@ import com.netscape.certsrv.base.SessionContext; + import com.netscape.certsrv.common.ICMSRequest; + import com.netscape.certsrv.connector.IPKIMessage; + import com.netscape.certsrv.connector.IRequestEncoder; ++import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.AuditFormat; + import 
com.netscape.certsrv.logging.ILogger; + import com.netscape.certsrv.profile.EProfileException; +@@ -97,8 +98,6 @@ public class ConnectorServlet extends CMSServlet { + + protected ILogger mSignedAuditLogger = CMS.getSignedAuditLogger(); + private final static String SIGNED_AUDIT_PROTECTION_METHOD_SSL = "ssl"; +- private final static String LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS = +- "LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS_5"; + private final static String LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST = + "LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST_5"; + private final static String LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED = +@@ -479,7 +478,7 @@ public class ConnectorServlet extends CMSServlet { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS, ++ AuditEvent.INTER_BOUNDARY, + auditSubjectID, + ILogger.FAILURE, + auditProtectionMethod, +@@ -501,7 +500,7 @@ public class ConnectorServlet extends CMSServlet { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS, ++ AuditEvent.INTER_BOUNDARY, + auditSubjectID, + ILogger.SUCCESS, + auditProtectionMethod, +@@ -699,7 +698,7 @@ public class ConnectorServlet extends CMSServlet { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS, ++ AuditEvent.INTER_BOUNDARY, + auditSubjectID, + ILogger.SUCCESS, + auditProtectionMethod, +@@ -921,7 +920,7 @@ public class ConnectorServlet extends CMSServlet { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS, ++ AuditEvent.INTER_BOUNDARY, + auditSubjectID, + ILogger.SUCCESS, + auditProtectionMethod, +@@ -934,7 +933,7 @@ public class ConnectorServlet extends CMSServlet { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( 
+- LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS, ++ AuditEvent.INTER_BOUNDARY, + auditSubjectID, + ILogger.FAILURE, + auditProtectionMethod, +@@ -947,7 +946,7 @@ public class ConnectorServlet extends CMSServlet { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS, ++ AuditEvent.INTER_BOUNDARY, + auditSubjectID, + ILogger.FAILURE, + auditProtectionMethod, +@@ -960,7 +959,7 @@ public class ConnectorServlet extends CMSServlet { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS, ++ AuditEvent.INTER_BOUNDARY, + auditSubjectID, + ILogger.FAILURE, + auditProtectionMethod, +@@ -980,7 +979,7 @@ public class ConnectorServlet extends CMSServlet { + } catch (EBaseException e) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS, ++ AuditEvent.INTER_BOUNDARY, + auditSubjectID, + ILogger.FAILURE, + auditProtectionMethod, +diff --git a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java +index 62b9a7c..d5a9c4d 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java +@@ -51,6 +51,7 @@ import com.netscape.certsrv.base.SessionContext; + import com.netscape.certsrv.ca.ICertificateAuthority; + import com.netscape.certsrv.dbs.certdb.ICertRecord; + import com.netscape.certsrv.dbs.certdb.ICertificateRepository; ++import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.ILogger; + import com.netscape.certsrv.profile.IEnrollProfile; + import com.netscape.certsrv.profile.IProfile; +@@ -118,14 +119,6 @@ public class CAProcessor extends Processor { + + public final static String 
LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED = + "LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED_5"; +- public final static String LOGGING_SIGNED_AUDIT_AUTH_FAIL = +- "LOGGING_SIGNED_AUDIT_AUTH_FAIL_4"; +- public final static String LOGGING_SIGNED_AUDIT_AUTH_SUCCESS = +- "LOGGING_SIGNED_AUDIT_AUTH_SUCCESS_3"; +- public final static String LOGGING_SIGNED_AUDIT_AUTHZ_FAIL = +- "LOGGING_SIGNED_AUDIT_AUTHZ_FAIL_4"; +- public final static String LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS = +- "LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS_4"; + public final static String LOGGING_SIGNED_AUDIT_ROLE_ASSUME = + "LOGGING_SIGNED_AUDIT_ROLE_ASSUME_3"; + public final static String SIGNED_AUDIT_CERT_REQUEST_REASON = +@@ -498,7 +491,7 @@ public class CAProcessor extends Processor { + + authSubjectID += " : " + uid_cred; + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_AUTH_FAIL, ++ AuditEvent.AUTH_FAIL, + authSubjectID, + ILogger.FAILURE, + authMgrID, +@@ -512,7 +505,7 @@ public class CAProcessor extends Processor { + + authSubjectID += " : " + uid_cred; + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_AUTH_FAIL, ++ AuditEvent.AUTH_FAIL, + authSubjectID, + ILogger.FAILURE, + authMgrID, +@@ -534,7 +527,7 @@ public class CAProcessor extends Processor { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_AUTH_SUCCESS, ++ AuditEvent.AUTH_SUCCESS, + authSubjectID, + ILogger.SUCCESS, + authMgrID); +@@ -669,7 +662,7 @@ public class CAProcessor extends Processor { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_AUTH_SUCCESS, ++ AuditEvent.AUTH_SUCCESS, + auditSubjectID, + ILogger.SUCCESS, + auditAuthMgrID); +@@ -680,7 +673,7 @@ public class CAProcessor extends Processor { + } catch (EBaseException eAudit1) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_AUTH_FAIL, ++ AuditEvent.AUTH_FAIL, + 
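Review bot: The `@@ -118,14 +119,6 @@` hunk deletes four constants that CAProcessor declared `public` (LOGGING_SIGNED_AUDIT_AUTH_FAIL, AUTH_SUCCESS, AUTHZ_FAIL, AUTHZ_SUCCESS), unlike the `private` copies removed from the other classes in this patch, so any class outside the twelve files in the diffstat that read them as `CAProcessor.LOGGING_SIGNED_AUDIT_AUTHZ_FAIL` would stop compiling; the patch cannot show whether such a reference exists, so a tree-wide search before merging is warranted. The neighbouring LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, LOGGING_SIGNED_AUDIT_ROLE_ASSUME and SIGNED_AUDIT_CERT_REQUEST_REASON stay as public members of CAProcessor while their siblings move to AuditEvent, leaving two homes for the same kind of key. If the remaining ones are kept here on purpose, a comment like `// TODO: remaining audit keys to be moved to AuditEvent` at the declaration would record that intent for whoever does the next pass.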
auditSubjectID, + ILogger.FAILURE, + auditAuthMgrID, +@@ -730,7 +723,7 @@ public class CAProcessor extends Processor { + authzToken = authz.authorize(authzMgrName, authToken, exp); + if (authzToken != null) { + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS, ++ AuditEvent.AUTHZ_SUCCESS, + auditSubjectID, + ILogger.SUCCESS, + auditACLResource, +@@ -748,7 +741,7 @@ public class CAProcessor extends Processor { + audit(auditMessage); + } else { + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_AUTHZ_FAIL, ++ AuditEvent.AUTHZ_FAIL, + auditSubjectID, + ILogger.FAILURE, + auditACLResource, +@@ -767,7 +760,7 @@ public class CAProcessor extends Processor { + return authzToken; + } catch (EBaseException e) { + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_AUTHZ_FAIL, ++ AuditEvent.AUTHZ_FAIL, + auditSubjectID, + ILogger.FAILURE, + auditACLResource, +@@ -863,7 +856,7 @@ public class CAProcessor extends Processor { + if (authzTok != null) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS, ++ AuditEvent.AUTHZ_SUCCESS, + auditSubjectID, + ILogger.SUCCESS, + auditACLResource, +@@ -882,7 +875,7 @@ public class CAProcessor extends Processor { + } else { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_AUTHZ_FAIL, ++ AuditEvent.AUTHZ_FAIL, + auditSubjectID, + ILogger.FAILURE, + auditACLResource, +@@ -904,7 +897,7 @@ public class CAProcessor extends Processor { + } catch (Exception eAudit1) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_AUTHZ_FAIL, ++ AuditEvent.AUTHZ_FAIL, + auditSubjectID, + ILogger.FAILURE, + auditACLResource, +diff --git a/base/server/cms/src/com/netscape/cms/servlet/processors/CRMFProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/processors/CRMFProcessor.java +index 1da0cf3..70a4a42 100644 +--- 
a/base/server/cms/src/com/netscape/cms/servlet/processors/CRMFProcessor.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/processors/CRMFProcessor.java +@@ -50,6 +50,7 @@ import com.netscape.certsrv.authentication.IAuthToken; + import com.netscape.certsrv.base.EBaseException; + import com.netscape.certsrv.base.IArgBlock; + import com.netscape.certsrv.common.ICMSRequest; ++import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.ILogger; + import com.netscape.certsrv.request.IRequest; + import com.netscape.cms.servlet.base.CMSServlet; +@@ -68,9 +69,6 @@ public class CRMFProcessor extends PKIProcessor { + + private boolean enforcePop = false; + +- private final static String LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION = +- "LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION_2"; +- + public CRMFProcessor() { + super(); + } +@@ -118,7 +116,7 @@ public class CRMFProcessor extends PKIProcessor { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION, ++ AuditEvent.PROOF_OF_POSSESSION, + auditSubjectID, + ILogger.SUCCESS); + +@@ -131,7 +129,7 @@ public class CRMFProcessor extends PKIProcessor { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION, ++ AuditEvent.PROOF_OF_POSSESSION, + auditSubjectID, + ILogger.FAILURE); + +@@ -148,7 +146,7 @@ public class CRMFProcessor extends PKIProcessor { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION, ++ AuditEvent.PROOF_OF_POSSESSION, + auditSubjectID, + ILogger.FAILURE); + +@@ -161,7 +159,7 @@ public class CRMFProcessor extends PKIProcessor { + } catch (EBaseException eAudit1) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION, ++ AuditEvent.PROOF_OF_POSSESSION, + auditSubjectID, + 
ILogger.FAILURE); + +diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileApproveServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileApproveServlet.java +index 89ba1bd..f56c378 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileApproveServlet.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileApproveServlet.java +@@ -32,6 +32,7 @@ import com.netscape.certsrv.authority.IAuthority; + import com.netscape.certsrv.authorization.AuthzToken; + import com.netscape.certsrv.authorization.EAuthzAccessDenied; + import com.netscape.certsrv.base.EBaseException; ++import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.ILogger; + import com.netscape.certsrv.profile.EProfileException; + import com.netscape.certsrv.profile.IPolicyConstraint; +@@ -60,8 +61,6 @@ public class ProfileApproveServlet extends ProfileServlet { + private static final String PROP_AUTHORITY_ID = "authorityId"; + private String mAuthorityId = null; + +- private final static String LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL = +- "LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL_4"; + private final static String OP_APPROVE = "approve"; + private final static String OP_DISAPPROVE = "disapprove"; + +@@ -134,7 +133,7 @@ public class ProfileApproveServlet extends ProfileServlet { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL, ++ AuditEvent.CERT_PROFILE_APPROVAL, + auditSubjectID, + ILogger.FAILURE, + auditProfileID, +@@ -168,7 +167,7 @@ public class ProfileApproveServlet extends ProfileServlet { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL, ++ AuditEvent.CERT_PROFILE_APPROVAL, + auditSubjectID, + ILogger.FAILURE, + auditProfileID, +@@ -198,7 +197,7 @@ public class ProfileApproveServlet extends ProfileServlet { + + // store a message 
in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL, ++ AuditEvent.CERT_PROFILE_APPROVAL, + auditSubjectID, + ILogger.FAILURE, + auditProfileID, +@@ -222,7 +221,7 @@ public class ProfileApproveServlet extends ProfileServlet { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL, ++ AuditEvent.CERT_PROFILE_APPROVAL, + auditSubjectID, + ILogger.FAILURE, + auditProfileID, +@@ -244,7 +243,7 @@ public class ProfileApproveServlet extends ProfileServlet { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL, ++ AuditEvent.CERT_PROFILE_APPROVAL, + auditSubjectID, + ILogger.FAILURE, + auditProfileID, +@@ -277,7 +276,7 @@ public class ProfileApproveServlet extends ProfileServlet { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL, ++ AuditEvent.CERT_PROFILE_APPROVAL, + auditSubjectID, + ILogger.FAILURE, + auditProfileID, +@@ -298,7 +297,7 @@ public class ProfileApproveServlet extends ProfileServlet { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL, ++ AuditEvent.CERT_PROFILE_APPROVAL, + auditSubjectID, + ILogger.SUCCESS, + auditProfileID, +@@ -316,7 +315,7 @@ public class ProfileApproveServlet extends ProfileServlet { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL, ++ AuditEvent.CERT_PROFILE_APPROVAL, + auditSubjectID, + ILogger.FAILURE, + auditProfileID, +@@ -329,7 +328,7 @@ public class ProfileApproveServlet extends ProfileServlet { + } catch (EBaseException eAudit1) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL, ++ 
AuditEvent.CERT_PROFILE_APPROVAL, + auditSubjectID, + ILogger.FAILURE, + auditProfileID, +diff --git a/base/server/cms/src/org/dogtagpki/server/rest/ACLInterceptor.java b/base/server/cms/src/org/dogtagpki/server/rest/ACLInterceptor.java +index 8e02ec2..86996d5 100644 +--- a/base/server/cms/src/org/dogtagpki/server/rest/ACLInterceptor.java ++++ b/base/server/cms/src/org/dogtagpki/server/rest/ACLInterceptor.java +@@ -45,6 +45,7 @@ import com.netscape.certsrv.authorization.EAuthzUnknownRealm; + import com.netscape.certsrv.authorization.IAuthzSubsystem; + import com.netscape.certsrv.base.EBaseException; + import com.netscape.certsrv.base.ForbiddenException; ++import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.ILogger; + import com.netscape.cms.realm.PKIPrincipal; + +@@ -54,11 +55,6 @@ import com.netscape.cms.realm.PKIPrincipal; + @Provider + public class ACLInterceptor implements ContainerRequestFilter { + protected ILogger signedAuditLogger = CMS.getSignedAuditLogger(); +- private final static String LOGGING_SIGNED_AUDIT_AUTHZ_FAIL = +- "LOGGING_SIGNED_AUDIT_AUTHZ_FAIL_5"; +- private final static String LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS = +- "LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS_5"; +- + private final static String LOGGING_ACL_PARSING_ERROR = "internal error: ACL parsing error"; + private final static String LOGGING_NO_ACL_ACCESS_ALLOWED = "no ACL configured; OK"; + private final static String LOGGING_MISSING_AUTH_TOKEN = "auth token not found"; +@@ -178,7 +174,7 @@ public class ACLInterceptor implements ContainerRequestFilter { + // store a message in the signed audit log file + // although if it didn't pass authentication, it should not have gotten here + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_AUTHZ_FAIL, ++ AuditEvent.AUTHZ_FAIL_INFO, + auditSubjectID, + ILogger.FAILURE, + null, // resource +@@ -195,7 +191,7 @@ public class ACLInterceptor implements ContainerRequestFilter { + CMS.debug("ACLInterceptor: No ACL 
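Review bot: The local constant this hunk deletes was the five-parameter key `LOGGING_SIGNED_AUDIT_AUTHZ_FAIL_5`, whereas CAProcessor's deleted constant was the four-parameter `_4` key and now maps to `AuditEvent.AUTHZ_FAIL`; every call site in this file is rewritten to `AuditEvent.AUTHZ_FAIL_INFO`, so the hunk depends on that constant resolving to the `_5` key, and the `AuditEvent` hunk on this page shows only the `AUTHZ_SUCCESS` / `AUTHZ_SUCCESS_INFO` pair, not the value of `AUTHZ_FAIL_INFO`. Because the key is a plain `String` passed to `CMS.getLogMessage`, a wrong mapping would not fail to compile; it would silently emit a malformed or truncated signed-audit AUTHZ_FAIL record, which is precisely the record an auditor relies on. Please confirm `AuditEvent.AUTHZ_FAIL_INFO` equals `"LOGGING_SIGNED_AUDIT_AUTHZ_FAIL_5"` and that `AUTHZ_SUCCESS_INFO` likewise carries the `_5` key used by the success paths later in this file. A short comment at the first call site would pin the contract for the next refactor, e.g. `// AUTHZ_FAIL_INFO is the 5-argument variant (subject, outcome, resource, ... , info); keep arity in sync with the message bundle` — the argument names after `resource` are not visible in these hunks and should be checked against the bundle.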
mapping; authz not required."); + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS, ++ AuditEvent.AUTHZ_SUCCESS_INFO, + auditSubjectID, + ILogger.SUCCESS, + null, //resource +@@ -219,7 +215,7 @@ public class ACLInterceptor implements ContainerRequestFilter { + } catch (IOException e) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_AUTHZ_FAIL, ++ AuditEvent.AUTHZ_FAIL_INFO, + auditSubjectID, + ILogger.FAILURE, + null, //resource +@@ -236,7 +232,7 @@ public class ACLInterceptor implements ContainerRequestFilter { + CMS.debug("ACLInterceptor: No ACL configuration."); + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS, ++ AuditEvent.AUTHZ_SUCCESS_INFO, + auditSubjectID, + ILogger.SUCCESS, + null, //resource +@@ -252,7 +248,7 @@ public class ACLInterceptor implements ContainerRequestFilter { + CMS.debug("ACLInterceptor: Invalid ACL mapping."); + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_AUTHZ_FAIL, ++ AuditEvent.AUTHZ_FAIL_INFO, + auditSubjectID, + ILogger.FAILURE, + null, //resource +@@ -279,7 +275,7 @@ public class ACLInterceptor implements ContainerRequestFilter { + CMS.debug("ACLInterceptor: " + info); + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_AUTHZ_FAIL, ++ AuditEvent.AUTHZ_FAIL_INFO, + auditSubjectID, + ILogger.FAILURE, + values[0], // resource +@@ -296,7 +292,7 @@ public class ACLInterceptor implements ContainerRequestFilter { + CMS.debug("ACLInterceptor: " + info); + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_AUTHZ_FAIL, ++ AuditEvent.AUTHZ_FAIL_INFO, + auditSubjectID, + ILogger.FAILURE, + values[0], // resource +@@ -309,7 +305,7 @@ public class ACLInterceptor 
implements ContainerRequestFilter { + String info = e.getMessage(); + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_AUTHZ_FAIL, ++ AuditEvent.AUTHZ_FAIL_INFO, + auditSubjectID, + ILogger.FAILURE, + values[0], // resource +@@ -323,7 +319,7 @@ public class ACLInterceptor implements ContainerRequestFilter { + // Allow request. + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS, ++ AuditEvent.AUTHZ_SUCCESS_INFO, + auditSubjectID, + ILogger.SUCCESS, + values[0], // resource +-- +1.8.3.1 + + +From 6b9aee2d0a37cb7e8b93614b693cda0e6c410d9b Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Wed, 12 Apr 2017 04:33:11 +0200 +Subject: [PATCH 46/59] Reorganized audit event constants for CA. + +Change-Id: I407a7a13c4e428e01632536faa27583e7c6d577e +--- + .../com/netscape/certsrv/logging/AuditEvent.java | 11 +++ + .../netscape/cms/profile/common/EnrollProfile.java | 8 +- + .../cms/servlet/cert/CMCRevReqServlet.java | 26 +++---- + .../netscape/cms/servlet/cert/CertProcessor.java | 7 +- + .../com/netscape/cms/servlet/cert/DoRevokeTPS.java | 23 +++--- + .../netscape/cms/servlet/cert/DoUnrevokeTPS.java | 17 ++--- + .../netscape/cms/servlet/cert/EnrollServlet.java | 46 ++++++------ + .../cms/servlet/cert/RequestProcessor.java | 9 ++- + .../cms/servlet/cert/RevocationProcessor.java | 10 +-- + .../cms/servlet/cert/scep/CRSEnrollment.java | 3 +- + .../cms/servlet/connector/ConnectorServlet.java | 15 ++-- + .../cms/servlet/processors/CAProcessor.java | 2 - + .../servlet/profile/ProfileSubmitCMCServlet.java | 12 ++- + .../cms/servlet/request/ProcessCertReq.java | 85 +++++++++++----------- + 14 files changed, 128 insertions(+), 146 deletions(-) + +diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java +index 82cb77f..39314df 100644 +--- 
a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
++++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
+@@ -35,6 +35,17 @@ import com.netscape.certsrv.base.MessageFormatter;
+ */
+ public class AuditEvent implements IBundleLogEvent {
+ 
++ public final static String NON_PROFILE_CERT_REQUEST =
++ "LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST_5";
++ public final static String PROFILE_CERT_REQUEST =
++ "LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST_5";
++ public final static String CERT_REQUEST_PROCESSED =
++ "LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED_5";
++ public final static String CERT_STATUS_CHANGE_REQUEST =
++ "LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_5";
++ public final static String CERT_STATUS_CHANGE_REQUEST_PROCESSED =
++ "LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED_7";
++ 
+ public final static String AUTHZ_SUCCESS =
+ "LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS_4";
+ public final static String AUTHZ_SUCCESS_INFO =
+diff --git a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
+index 0ec3c94..370cc33 100644
+--- a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
++++ b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
+@@ -120,8 +120,6 @@ import netscape.security.x509.X509Key;
+ public abstract class EnrollProfile extends BasicProfile
+ implements IEnrollProfile {
+ 
+- private final static String LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST =
+- "LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST_5";
+ private PKIData mCMCData;
+ 
+ public EnrollProfile() {
+@@ -1915,7 +1913,7 @@ public abstract class EnrollProfile extends BasicProfile
+ 
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST,
++ AuditEvent.PROFILE_CERT_REQUEST,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ auditRequesterID,
+@@ -1928,7 +1926,7 @@ public abstract 
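Review bot: The five new constants added to `AuditEvent` carry no documentation, and the trailing `_5` / `_7` in each key is the only thing that ties a key to the number of values the bundle message expects — nothing in the class tells a reader why `CERT_STATUS_CHANGE_REQUEST_PROCESSED` is `_7` while the others are `_5`, or that passing a different number of arguments at a call site yields a broken audit record rather than a compile error. Now that these keys are public and shared by a dozen servlets, that contract belongs next to the definitions. I would add a class-level comment along the lines of `// The numeric suffix appears to be the number of message parameters the log bundle expects for that key; call sites must pass exactly that many — verify against the bundle before changing a suffix`, hedged as written, since the bundle itself is not in this patch. Per-constant Javadoc naming the parameters in order would make the later `getLogMessage` call sites reviewable without opening the bundle.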
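Review bot: This EnrollProfile hunk drops the private `LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST` constant and the later hunks switch to `AuditEvent.PROFILE_CERT_REQUEST`, but unlike CMCRevReqServlet, CertProcessor, DoRevokeTPS and EnrollServlet in this same patch, no `import com.netscape.certsrv.logging.AuditEvent;` is added here; the diffstat in the preamble (8 lines for EnrollProfile.java) is consistent with three changed call sites plus the two-line deletion and nothing else. So the file either already imports `AuditEvent` from an earlier patch in this series or no longer compiles; please confirm the former, and if the import is missing, add `import com.netscape.certsrv.logging.AuditEvent;` alongside the existing `com.netscape.certsrv.logging.ILogger` import. The enclosing class runs well past this hunk.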
class EnrollProfile extends BasicProfile + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST, ++ AuditEvent.PROFILE_CERT_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, +@@ -1941,7 +1939,7 @@ public abstract class EnrollProfile extends BasicProfile + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST, ++ AuditEvent.PROFILE_CERT_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, +diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/CMCRevReqServlet.java b/base/server/cms/src/com/netscape/cms/servlet/cert/CMCRevReqServlet.java +index 71c10ea..f4d7f8f 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/cert/CMCRevReqServlet.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/cert/CMCRevReqServlet.java +@@ -53,6 +53,7 @@ import com.netscape.certsrv.common.ICMSRequest; + import com.netscape.certsrv.dbs.certdb.ICertRecord; + import com.netscape.certsrv.dbs.certdb.ICertRecordList; + import com.netscape.certsrv.dbs.certdb.ICertificateRepository; ++import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.AuditFormat; + import com.netscape.certsrv.logging.ILogger; + import com.netscape.certsrv.publish.IPublisherProcessor; +@@ -92,11 +93,6 @@ public class CMCRevReqServlet extends CMSServlet { + private final static String REVOKE = "revoke"; + private final static String ON_HOLD = "on-hold"; + private final static int ON_HOLD_REASON = 6; +- private final static String LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST = +- "LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_5"; +- private final static String LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED = +- "LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED_7"; +- + // http params + public static final String SERIAL_NO = TOKEN_CERT_SERIAL; + public static final String 
REASON_CODE = "reasonCode"; +@@ -546,7 +542,7 @@ public class CMCRevReqServlet extends CMSServlet { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST, ++ AuditEvent.CERT_STATUS_CHANGE_REQUEST, + auditSubjectID, + ILogger.SUCCESS, + auditRequesterID, +@@ -815,7 +811,7 @@ public class CMCRevReqServlet extends CMSServlet { + auditApprovalStatus == RequestStatus.REJECTED || + auditApprovalStatus == RequestStatus.CANCELED) { + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED, ++ AuditEvent.CERT_STATUS_CHANGE_REQUEST_PROCESSED, + auditSubjectID, + ILogger.SUCCESS, + auditRequesterID, +@@ -832,7 +828,7 @@ public class CMCRevReqServlet extends CMSServlet { + // store a "CERT_STATUS_CHANGE_REQUEST" failure + // message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST, ++ AuditEvent.CERT_STATUS_CHANGE_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, +@@ -849,7 +845,7 @@ public class CMCRevReqServlet extends CMSServlet { + auditApprovalStatus == RequestStatus.REJECTED || + auditApprovalStatus == RequestStatus.CANCELED) { + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED, ++ AuditEvent.CERT_STATUS_CHANGE_REQUEST_PROCESSED, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, +@@ -870,7 +866,7 @@ public class CMCRevReqServlet extends CMSServlet { + // store a "CERT_STATUS_CHANGE_REQUEST" failure + // message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST, ++ AuditEvent.CERT_STATUS_CHANGE_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, +@@ -887,7 +883,7 @@ public class CMCRevReqServlet extends CMSServlet { + auditApprovalStatus == RequestStatus.REJECTED || + auditApprovalStatus == RequestStatus.CANCELED) { + auditMessage = 
CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED, ++ AuditEvent.CERT_STATUS_CHANGE_REQUEST_PROCESSED, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, +@@ -909,7 +905,7 @@ public class CMCRevReqServlet extends CMSServlet { + // store a "CERT_STATUS_CHANGE_REQUEST" failure + // message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST, ++ AuditEvent.CERT_STATUS_CHANGE_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, +@@ -926,7 +922,7 @@ public class CMCRevReqServlet extends CMSServlet { + auditApprovalStatus == RequestStatus.REJECTED || + auditApprovalStatus == RequestStatus.CANCELED) { + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED, ++ AuditEvent.CERT_STATUS_CHANGE_REQUEST_PROCESSED, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, +@@ -945,7 +941,7 @@ public class CMCRevReqServlet extends CMSServlet { + // store a "CERT_STATUS_CHANGE_REQUEST" failure + // message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST, ++ AuditEvent.CERT_STATUS_CHANGE_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, +@@ -962,7 +958,7 @@ public class CMCRevReqServlet extends CMSServlet { + auditApprovalStatus == RequestStatus.REJECTED || + auditApprovalStatus == RequestStatus.CANCELED) { + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED, ++ AuditEvent.CERT_STATUS_CHANGE_REQUEST_PROCESSED, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, +diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java +index 47b5222..0534f90 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java +@@ 
-30,6 +30,7 @@ import com.netscape.certsrv.authentication.IAuthToken; + import com.netscape.certsrv.base.EBaseException; + import com.netscape.certsrv.base.EPropertyNotFound; + import com.netscape.certsrv.cert.CertEnrollmentRequest; ++import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.ILogger; + import com.netscape.certsrv.profile.EDeferException; + import com.netscape.certsrv.profile.ERejectException; +@@ -230,7 +231,7 @@ public class CertProcessor extends CAProcessor { + ILogger.SIGNED_AUDIT_EMPTY_VALUE))) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, ++ AuditEvent.CERT_REQUEST_PROCESSED, + auditSubjectID, + ILogger.SUCCESS, + auditRequesterID, +@@ -266,7 +267,7 @@ public class CertProcessor extends CAProcessor { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, ++ AuditEvent.CERT_REQUEST_PROCESSED, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, +@@ -284,7 +285,7 @@ public class CertProcessor extends CAProcessor { + req.setExtData(IRequest.ERROR_CODE, errorCode); + + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, ++ AuditEvent.CERT_REQUEST_PROCESSED, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, +diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/DoRevokeTPS.java b/base/server/cms/src/com/netscape/cms/servlet/cert/DoRevokeTPS.java +index 79eba99..68ac6da 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/cert/DoRevokeTPS.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/cert/DoRevokeTPS.java +@@ -46,6 +46,7 @@ import com.netscape.certsrv.ca.ICertificateAuthority; + import com.netscape.certsrv.common.ICMSRequest; + import com.netscape.certsrv.dbs.certdb.ICertRecord; + import com.netscape.certsrv.dbs.certdb.ICertificateRepository; ++import 
com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.AuditFormat; + import com.netscape.certsrv.logging.ILogger; + import com.netscape.certsrv.publish.IPublisherProcessor; +@@ -89,10 +90,6 @@ public class DoRevokeTPS extends CMSServlet { + private final static String REVOKE = "revoke"; + private final static String ON_HOLD = "on-hold"; + private final static int ON_HOLD_REASON = 6; +- private final static String LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST = +- "LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_5"; +- private final static String LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED = +- "LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED_7"; + + public DoRevokeTPS() { + super(); +@@ -433,7 +430,7 @@ public class DoRevokeTPS extends CMSServlet { + CMS.debug(method + "Only have previously revoked certs in the list."); + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST, ++ AuditEvent.CERT_STATUS_CHANGE_REQUEST, + auditSubjectID, + ILogger.SUCCESS, + auditRequesterID, +@@ -450,7 +447,7 @@ public class DoRevokeTPS extends CMSServlet { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST, ++ AuditEvent.CERT_STATUS_CHANGE_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, +@@ -475,7 +472,7 @@ public class DoRevokeTPS extends CMSServlet { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST, ++ AuditEvent.CERT_STATUS_CHANGE_REQUEST, + auditSubjectID, + ILogger.SUCCESS, + auditRequesterID, +@@ -561,7 +558,7 @@ public class DoRevokeTPS extends CMSServlet { + auditApprovalStatus == RequestStatus.REJECTED || + auditApprovalStatus == RequestStatus.CANCELED) { + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED, 
++ AuditEvent.CERT_STATUS_CHANGE_REQUEST_PROCESSED, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, +@@ -752,7 +749,7 @@ public class DoRevokeTPS extends CMSServlet { + auditApprovalStatus == RequestStatus.REJECTED || + auditApprovalStatus == RequestStatus.CANCELED) { + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED, ++ AuditEvent.CERT_STATUS_CHANGE_REQUEST_PROCESSED, + auditSubjectID, + ILogger.SUCCESS, + auditRequesterID, +@@ -770,7 +767,7 @@ public class DoRevokeTPS extends CMSServlet { + // store a "CERT_STATUS_CHANGE_REQUEST" failure + // message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST, ++ AuditEvent.CERT_STATUS_CHANGE_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, +@@ -787,7 +784,7 @@ public class DoRevokeTPS extends CMSServlet { + auditApprovalStatus == RequestStatus.REJECTED || + auditApprovalStatus == RequestStatus.CANCELED) { + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED, ++ AuditEvent.CERT_STATUS_CHANGE_REQUEST_PROCESSED, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, +@@ -809,7 +806,7 @@ public class DoRevokeTPS extends CMSServlet { + // store a "CERT_STATUS_CHANGE_REQUEST" failure + // message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST, ++ AuditEvent.CERT_STATUS_CHANGE_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, +@@ -826,7 +823,7 @@ public class DoRevokeTPS extends CMSServlet { + auditApprovalStatus == RequestStatus.REJECTED || + auditApprovalStatus == RequestStatus.CANCELED) { + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED, ++ AuditEvent.CERT_STATUS_CHANGE_REQUEST_PROCESSED, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, +diff --git 
a/base/server/cms/src/com/netscape/cms/servlet/cert/DoUnrevokeTPS.java b/base/server/cms/src/com/netscape/cms/servlet/cert/DoUnrevokeTPS.java +index 39ccb49..30bde76 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/cert/DoUnrevokeTPS.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/cert/DoUnrevokeTPS.java +@@ -30,7 +30,7 @@ import javax.servlet.ServletException; + import javax.servlet.http.HttpServletRequest; + import javax.servlet.http.HttpServletResponse; + +-import netscape.security.x509.X509CertImpl; ++import org.dogtagpki.server.connector.IRemoteRequest; + + import com.netscape.certsrv.apps.CMS; + import com.netscape.certsrv.authentication.AuthToken; +@@ -43,6 +43,7 @@ import com.netscape.certsrv.ca.ICRLIssuingPoint; + import com.netscape.certsrv.ca.ICertificateAuthority; + import com.netscape.certsrv.common.ICMSRequest; + import com.netscape.certsrv.dbs.certdb.ICertificateRepository; ++import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.AuditFormat; + import com.netscape.certsrv.logging.ILogger; + import com.netscape.certsrv.publish.IPublisherProcessor; +@@ -53,7 +54,7 @@ import com.netscape.cms.servlet.base.CMSServlet; + import com.netscape.cms.servlet.common.CMSRequest; + import com.netscape.cms.servlet.common.ECMSGWException; + +-import org.dogtagpki.server.connector.IRemoteRequest; ++import netscape.security.x509.X509CertImpl; + + /** + * 'Unrevoke' a certificate. 
(For certificates that are on-hold only, +@@ -78,10 +79,6 @@ public class DoUnrevokeTPS extends CMSServlet { + + private final static String OFF_HOLD = "off-hold"; + private final static int OFF_HOLD_REASON = 6; +- private final static String LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST = +- "LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_5"; +- private final static String LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED = +- "LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED_7"; + + public DoUnrevokeTPS() { + super(); +@@ -268,7 +265,7 @@ public class DoUnrevokeTPS extends CMSServlet { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST, ++ AuditEvent.CERT_STATUS_CHANGE_REQUEST, + auditSubjectID, + ILogger.SUCCESS, + auditRequesterID, +@@ -465,7 +462,7 @@ public class DoUnrevokeTPS extends CMSServlet { + auditApprovalStatus == RequestStatus.REJECTED || + auditApprovalStatus == RequestStatus.CANCELED) { + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED, ++ AuditEvent.CERT_STATUS_CHANGE_REQUEST_PROCESSED, + auditSubjectID, + ILogger.SUCCESS, + auditRequesterID, +@@ -482,7 +479,7 @@ public class DoUnrevokeTPS extends CMSServlet { + // store a "CERT_STATUS_CHANGE_REQUEST" failure + // message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST, ++ AuditEvent.CERT_STATUS_CHANGE_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, +@@ -499,7 +496,7 @@ public class DoUnrevokeTPS extends CMSServlet { + auditApprovalStatus == RequestStatus.REJECTED || + auditApprovalStatus == RequestStatus.CANCELED) { + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED, ++ AuditEvent.CERT_STATUS_CHANGE_REQUEST_PROCESSED, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, +diff --git 
a/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollServlet.java b/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollServlet.java +index 91caccf..3757967 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollServlet.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollServlet.java +@@ -58,6 +58,7 @@ import com.netscape.certsrv.common.ICMSRequest; + import com.netscape.certsrv.dbs.certdb.ICertRecord; + import com.netscape.certsrv.dbs.certdb.ICertRecordList; + import com.netscape.certsrv.dbs.certdb.ICertificateRepository; ++import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.AuditFormat; + import com.netscape.certsrv.logging.ILogger; + import com.netscape.certsrv.request.IRequest; +@@ -153,11 +154,6 @@ public class EnrollServlet extends CMSServlet { + + "indeterminate reason for inability to process " + + "cert request due to an EBaseException" + }; +- private final static String LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST = +- "LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST_5"; +- private final static String LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED = +- "LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED_5"; +- + private static final String HEADER = "-----BEGIN NEW CERTIFICATE REQUEST-----"; + private static final String TRAILER = "-----END NEW CERTIFICATE REQUEST-----"; + +@@ -766,7 +762,7 @@ public class EnrollServlet extends CMSServlet { + // an "agent" cert request for "bulk enrollment", or + // an "EE" standard cert request) + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST, ++ AuditEvent.NON_PROFILE_CERT_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, +@@ -829,7 +825,7 @@ public class EnrollServlet extends CMSServlet { + // an "agent" cert request for "bulk enrollment", or + // an "EE" standard cert request) + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST, ++ AuditEvent.NON_PROFILE_CERT_REQUEST, + 
auditSubjectID, + ILogger.FAILURE, + auditRequesterID, +@@ -872,7 +868,7 @@ public class EnrollServlet extends CMSServlet { + // an "agent" cert request for "bulk enrollment", or + // an "EE" standard cert request) + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST, ++ AuditEvent.NON_PROFILE_CERT_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, +@@ -912,7 +908,7 @@ public class EnrollServlet extends CMSServlet { + // an "agent" cert request for "bulk enrollment", or + // an "EE" standard cert request) + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST, ++ AuditEvent.NON_PROFILE_CERT_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, +@@ -969,7 +965,7 @@ public class EnrollServlet extends CMSServlet { + // an "agent" cert request for "bulk enrollment", or + // an "EE" standard cert request) + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST, ++ AuditEvent.NON_PROFILE_CERT_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, +@@ -1072,7 +1068,7 @@ public class EnrollServlet extends CMSServlet { + // certificate, an "agent" cert request for + // "bulk enrollment", or an "EE" standard cert request) + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST, ++ AuditEvent.NON_PROFILE_CERT_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, +@@ -1102,7 +1098,7 @@ public class EnrollServlet extends CMSServlet { + // certificate, an "agent" cert request for + // "bulk enrollment", or an "EE" standard cert request) + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST, ++ AuditEvent.NON_PROFILE_CERT_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, +@@ -1129,7 +1125,7 @@ public class EnrollServlet extends CMSServlet { + // certificate, an "agent" cert request for + // "bulk enrollment", or an "EE" standard cert request) + auditMessage = 
CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST, ++ AuditEvent.NON_PROFILE_CERT_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, +@@ -1177,7 +1173,7 @@ public class EnrollServlet extends CMSServlet { + // certificate, an "agent" cert request for + // "bulk enrollment", or an "EE" standard cert request) + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST, ++ AuditEvent.NON_PROFILE_CERT_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, +@@ -1230,7 +1226,7 @@ public class EnrollServlet extends CMSServlet { + // certificate, an "agent" cert request for + // "bulk enrollment", or an "EE" standard cert request) + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST, ++ AuditEvent.NON_PROFILE_CERT_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, +@@ -1279,7 +1275,7 @@ public class EnrollServlet extends CMSServlet { + // an "agent" cert request for "bulk enrollment", or + // an "EE" standard cert request) + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST, ++ AuditEvent.NON_PROFILE_CERT_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, +@@ -1322,7 +1318,7 @@ public class EnrollServlet extends CMSServlet { + // an "agent" cert request for "bulk enrollment", or + // an "EE" standard cert request) + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST, ++ AuditEvent.NON_PROFILE_CERT_REQUEST, + auditSubjectID, + ILogger.SUCCESS, + auditRequesterID, +@@ -1337,7 +1333,7 @@ public class EnrollServlet extends CMSServlet { + // an "agent" cert request for "bulk enrollment", or + // an "EE" standard cert request) + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST, ++ AuditEvent.NON_PROFILE_CERT_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, +@@ -1374,7 +1370,7 @@ public class EnrollServlet extends CMSServlet { + // 
(automated "agent" cert request processed + // - "accepted") + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, ++ AuditEvent.CERT_REQUEST_PROCESSED, + auditSubjectID, + ILogger.SUCCESS, + auditRequesterID, +@@ -1388,7 +1384,7 @@ public class EnrollServlet extends CMSServlet { + + // (automated "agent" cert request processed - "rejected") + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, ++ AuditEvent.CERT_REQUEST_PROCESSED, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, +@@ -1408,7 +1404,7 @@ public class EnrollServlet extends CMSServlet { + if (completed == false) { + // (automated "agent" cert request processed - "rejected") + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, ++ AuditEvent.CERT_REQUEST_PROCESSED, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, +@@ -1464,7 +1460,7 @@ public class EnrollServlet extends CMSServlet { + for (int i = 0; i < issuedCerts.length; i++) { + // (automated "agent" cert request processed - "accepted") + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, ++ AuditEvent.CERT_REQUEST_PROCESSED, + auditSubjectID, + ILogger.SUCCESS, + auditRequesterID, +@@ -1487,7 +1483,7 @@ public class EnrollServlet extends CMSServlet { + for (int i = 0; i < issuedCerts.length; i++) { + // (automated "agent" cert request processed - "accepted") + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, ++ AuditEvent.CERT_REQUEST_PROCESSED, + auditSubjectID, + ILogger.SUCCESS, + auditRequesterID, +@@ -1504,7 +1500,7 @@ public class EnrollServlet extends CMSServlet { + + // (automated "agent" cert request processed - "rejected") + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, ++ AuditEvent.CERT_REQUEST_PROCESSED, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, +@@ -1520,7 +1516,7 @@ public class EnrollServlet extends CMSServlet { + 
// store a message in the signed audit log file + // (automated "agent" cert request processed - "rejected") + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, ++ AuditEvent.CERT_REQUEST_PROCESSED, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, +diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/RequestProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/cert/RequestProcessor.java +index 436e7a9..474a2e5 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/cert/RequestProcessor.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/cert/RequestProcessor.java +@@ -40,6 +40,7 @@ import com.netscape.certsrv.ca.AuthorityID; + import com.netscape.certsrv.ca.CANotFoundException; + import com.netscape.certsrv.ca.ICertificateAuthority; + import com.netscape.certsrv.cert.CertReviewResponse; ++import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.ILogger; + import com.netscape.certsrv.profile.EDeferException; + import com.netscape.certsrv.profile.EProfileException; +@@ -283,7 +284,7 @@ public class RequestProcessor extends CertProcessor { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, ++ AuditEvent.CERT_REQUEST_PROCESSED, + auditSubjectID, + ILogger.SUCCESS, + auditRequesterID, +@@ -319,7 +320,7 @@ public class RequestProcessor extends CertProcessor { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, ++ AuditEvent.CERT_REQUEST_PROCESSED, + auditSubjectID, + ILogger.SUCCESS, + auditRequesterID, +@@ -399,7 +400,7 @@ public class RequestProcessor extends CertProcessor { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, ++ AuditEvent.CERT_REQUEST_PROCESSED, + auditSubjectID, + ILogger.SUCCESS, + auditRequesterID, +@@ 
-411,7 +412,7 @@ public class RequestProcessor extends CertProcessor { + } catch (EProfileException eAudit1) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, ++ AuditEvent.CERT_REQUEST_PROCESSED, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, +diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/RevocationProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/cert/RevocationProcessor.java +index ffcda63..b90966e 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/cert/RevocationProcessor.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/cert/RevocationProcessor.java +@@ -36,6 +36,7 @@ import com.netscape.certsrv.ca.ICertificateAuthority; + import com.netscape.certsrv.dbs.certdb.CertId; + import com.netscape.certsrv.dbs.certdb.ICertRecord; + import com.netscape.certsrv.dbs.certdb.ICertificateRepository; ++import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.AuditFormat; + import com.netscape.certsrv.logging.ILogger; + import com.netscape.certsrv.publish.IPublisherProcessor; +@@ -62,11 +63,6 @@ public class RevocationProcessor extends CertProcessor { + public final static String ON_HOLD = "on-hold"; + public final static String OFF_HOLD = "off-hold"; + +- public final static String LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST = +- "LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_5"; +- public final static String LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED = +- "LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED_7"; +- + long startTime; + + ICertificateAuthority authority; +@@ -486,7 +482,7 @@ public class RevocationProcessor extends CertProcessor { + return; + + String auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST, ++ AuditEvent.CERT_STATUS_CHANGE_REQUEST, + auditor.getSubjectID(), + status, + requestID == null ? 
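Review bot: The two constants removed from RevocationProcessor in the `@@ -62,11 +63,6 @@` hunk were `public final static`, so dropping them without a deprecated alias is a source-incompatible change for any class outside this patch that still references `RevocationProcessor.LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST` or `..._PROCESSED`; the same applies to the later CAProcessor hunk, where `LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED` was public and inherited by subclasses such as RequestProcessor. Whether anything else in the tree still uses them cannot be seen from this diff, so a full compile of the patched tree is the check I would want before accepting the series. If compatibility matters, a bridge such as `@Deprecated public final static String LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST = AuditEvent.CERT_STATUS_CHANGE_REQUEST;` keeps old callers building until they are migrated.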
ILogger.UNIDENTIFIED : requestID.toString(), +@@ -510,7 +506,7 @@ public class RevocationProcessor extends CertProcessor { + || requestStatus == RequestStatus.CANCELED)) return; + + String auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED, ++ AuditEvent.CERT_STATUS_CHANGE_REQUEST_PROCESSED, + auditor.getSubjectID(), + status, + requestID == null ? ILogger.UNIDENTIFIED : requestID.toString(), +diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/scep/CRSEnrollment.java b/base/server/cms/src/com/netscape/cms/servlet/cert/scep/CRSEnrollment.java +index c2c6cde..150c36f 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/cert/scep/CRSEnrollment.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/cert/scep/CRSEnrollment.java +@@ -73,6 +73,7 @@ import com.netscape.certsrv.base.ISubsystem; + import com.netscape.certsrv.base.SessionContext; + import com.netscape.certsrv.ca.ICertificateAuthority; + import com.netscape.certsrv.ldap.ILdapConnFactory; ++import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.AuditFormat; + import com.netscape.certsrv.logging.ILogger; + import com.netscape.certsrv.profile.EProfileException; +@@ -1495,7 +1496,7 @@ public class CRSEnrollment extends HttpServlet { + + // perform audit log + String auditMessage = CMS.getLogMessage( +- "LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST_5", ++ AuditEvent.NON_PROFILE_CERT_REQUEST, + httpReq.getRemoteAddr(), + ILogger.FAILURE, + req.getTransactionID(), +diff --git a/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java b/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java +index 014db79..2299e60 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java +@@ -98,11 +98,6 @@ public class ConnectorServlet extends CMSServlet { + + protected ILogger 
mSignedAuditLogger = CMS.getSignedAuditLogger(); + private final static String SIGNED_AUDIT_PROTECTION_METHOD_SSL = "ssl"; +- private final static String LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST = +- "LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST_5"; +- private final static String LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED = +- "LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED_5"; +- + private final static byte EOL[] = { Character.LINE_SEPARATOR }; + + public ConnectorServlet() { +@@ -554,7 +549,7 @@ public class ConnectorServlet extends CMSServlet { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST, ++ AuditEvent.PROFILE_CERT_REQUEST, + auditSubjectID, + ILogger.SUCCESS, + auditRequesterID, +@@ -568,7 +563,7 @@ public class ConnectorServlet extends CMSServlet { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST, ++ AuditEvent.PROFILE_CERT_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, +@@ -582,7 +577,7 @@ public class ConnectorServlet extends CMSServlet { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST, ++ AuditEvent.PROFILE_CERT_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, +@@ -636,7 +631,7 @@ public class ConnectorServlet extends CMSServlet { + ILogger.SIGNED_AUDIT_EMPTY_VALUE))) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, ++ AuditEvent.CERT_REQUEST_PROCESSED, + auditSubjectID, + ILogger.SUCCESS, + auditRequesterID, +@@ -657,7 +652,7 @@ public class ConnectorServlet extends CMSServlet { + ILogger.SIGNED_AUDIT_EMPTY_VALUE))) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, ++ AuditEvent.CERT_REQUEST_PROCESSED, 
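Review bot: The new `AuditEvent.PROFILE_CERT_REQUEST` and `AuditEvent.CERT_REQUEST_PROCESSED` references in ConnectorServlet depend on `com.netscape.certsrv.logging.AuditEvent` already being imported, yet unlike EnrollServlet, RequestProcessor and the other files in this patch, ConnectorServlet gets no import hunk. Its first hunk starts at line 98, so the import section is outside the diff and the presence of that import cannot be confirmed here; if it is missing the file will not compile. Worth a quick look at the file header before this patch is applied to the package.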
+ auditSubjectID, + ILogger.FAILURE, + auditRequesterID, +diff --git a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java +index d5a9c4d..5669233 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java +@@ -117,8 +117,6 @@ public class CAProcessor extends Processor { + public static final String ACL_INFO = "ACLinfo"; + public static final String PROFILE_SUB_ID = "profileSubId"; + +- public final static String LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED = +- "LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED_5"; + public final static String LOGGING_SIGNED_AUDIT_ROLE_ASSUME = + "LOGGING_SIGNED_AUDIT_ROLE_ASSUME_3"; + public final static String SIGNED_AUDIT_CERT_REQUEST_REASON = +diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java +index c233e41..fd155a6 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java +@@ -44,6 +44,7 @@ import com.netscape.certsrv.authentication.IAuthToken; + import com.netscape.certsrv.authorization.AuthzToken; + import com.netscape.certsrv.base.EBaseException; + import com.netscape.certsrv.base.SessionContext; ++import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.ILogger; + import com.netscape.certsrv.profile.EDeferException; + import com.netscape.certsrv.profile.EProfileException; +@@ -83,9 +84,6 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { + private String mProfileSubId = null; + private String requestB64 = null; + +- private final static String LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED = +- 
"LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED_5"; +- + public ProfileSubmitCMCServlet() { + } + +@@ -682,7 +680,7 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { + ILogger.SIGNED_AUDIT_EMPTY_VALUE))) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, ++ AuditEvent.CERT_REQUEST_PROCESSED, + auditSubjectID, + ILogger.SUCCESS, + auditRequesterID, +@@ -738,7 +736,7 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { + if (errorCode.equals("1")) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, ++ AuditEvent.CERT_REQUEST_PROCESSED, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, +@@ -753,7 +751,7 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { + } else if (errorCode.equals("3")) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, ++ AuditEvent.CERT_REQUEST_PROCESSED, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, +@@ -787,7 +785,7 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { + ILogger.SIGNED_AUDIT_EMPTY_VALUE))) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, ++ AuditEvent.CERT_REQUEST_PROCESSED, + auditSubjectID, + ILogger.SUCCESS, + auditRequesterID, +diff --git a/base/server/cms/src/com/netscape/cms/servlet/request/ProcessCertReq.java b/base/server/cms/src/com/netscape/cms/servlet/request/ProcessCertReq.java +index 367c558..d15774e 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/request/ProcessCertReq.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/request/ProcessCertReq.java +@@ -35,21 +35,6 @@ import javax.servlet.ServletOutputStream; + import javax.servlet.http.HttpServletRequest; + import 
javax.servlet.http.HttpServletResponse; + +-import netscape.security.extensions.NSCertTypeExtension; +-import netscape.security.extensions.PresenceServerExtension; +-import netscape.security.util.DerValue; +-import netscape.security.x509.AlgorithmId; +-import netscape.security.x509.BasicConstraintsExtension; +-import netscape.security.x509.CertificateAlgorithmId; +-import netscape.security.x509.CertificateExtensions; +-import netscape.security.x509.CertificateSubjectName; +-import netscape.security.x509.CertificateValidity; +-import netscape.security.x509.CertificateVersion; +-import netscape.security.x509.Extension; +-import netscape.security.x509.X500Name; +-import netscape.security.x509.X509CertImpl; +-import netscape.security.x509.X509CertInfo; +- + import com.netscape.certsrv.apps.CMS; + import com.netscape.certsrv.authentication.AuthToken; + import com.netscape.certsrv.authentication.IAuthToken; +@@ -62,6 +47,7 @@ import com.netscape.certsrv.base.IArgBlock; + import com.netscape.certsrv.base.SessionContext; + import com.netscape.certsrv.common.Constants; + import com.netscape.certsrv.common.ICMSRequest; ++import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.AuditFormat; + import com.netscape.certsrv.logging.ILogger; + import com.netscape.certsrv.publish.IPublisherProcessor; +@@ -80,6 +66,21 @@ import com.netscape.cms.servlet.common.CMSTemplateParams; + import com.netscape.cms.servlet.common.ECMSGWException; + import com.netscape.cmsutil.util.Utils; + ++import netscape.security.extensions.NSCertTypeExtension; ++import netscape.security.extensions.PresenceServerExtension; ++import netscape.security.util.DerValue; ++import netscape.security.x509.AlgorithmId; ++import netscape.security.x509.BasicConstraintsExtension; ++import netscape.security.x509.CertificateAlgorithmId; ++import netscape.security.x509.CertificateExtensions; ++import netscape.security.x509.CertificateSubjectName; ++import 
netscape.security.x509.CertificateValidity; ++import netscape.security.x509.CertificateVersion; ++import netscape.security.x509.Extension; ++import netscape.security.x509.X500Name; ++import netscape.security.x509.X509CertImpl; ++import netscape.security.x509.X509CertInfo; ++ + /** + * Agent operations on Certificate requests. This servlet is used + * by an Agent to approve, reject, reassign, or change a certificate +@@ -170,10 +171,6 @@ public class ProcessCertReq extends CMSServlet { + + "indeterminate reason for inability to process " + + "cert request due to a NoSuchAlgorithmException" + }; +- private final static String LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST = +- "LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST_5"; +- private final static String LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED = +- "LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED_5"; + + /** + * Process request. +@@ -457,7 +454,7 @@ public class ProcessCertReq extends CMSServlet { + if (toDo.equals(SIGNED_AUDIT_CLONING)) { + // ("agent" cert request for "cloning") + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST, ++ AuditEvent.NON_PROFILE_CERT_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, +@@ -468,7 +465,7 @@ public class ProcessCertReq extends CMSServlet { + } else if (toDo.equals(SIGNED_AUDIT_ACCEPTANCE)) { + // (manual "agent" cert request processed - "accepted") + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, ++ AuditEvent.CERT_REQUEST_PROCESSED, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, +@@ -479,7 +476,7 @@ public class ProcessCertReq extends CMSServlet { + } else if (toDo.equals(SIGNED_AUDIT_CANCELLATION)) { + // (manual "agent" cert request processed - "cancelled") + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, ++ AuditEvent.CERT_REQUEST_PROCESSED, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, +@@ -490,7 +487,7 @@ public class 
ProcessCertReq extends CMSServlet { + } else if (toDo.equals(SIGNED_AUDIT_REJECTION)) { + // (manual "agent" cert request processed - "rejected") + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, ++ AuditEvent.CERT_REQUEST_PROCESSED, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, +@@ -940,7 +937,7 @@ public class ProcessCertReq extends CMSServlet { + // (one for each manual "agent" + // cert request processed - "accepted") + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, ++ AuditEvent.CERT_REQUEST_PROCESSED, + auditSubjectID, + ILogger.SUCCESS, + auditRequesterID, +@@ -984,7 +981,7 @@ public class ProcessCertReq extends CMSServlet { + // (manual "agent" cert request processed + // - "accepted") + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, ++ AuditEvent.CERT_REQUEST_PROCESSED, + auditSubjectID, + ILogger.SUCCESS, + auditRequesterID, +@@ -1109,7 +1106,7 @@ public class ProcessCertReq extends CMSServlet { + // store a message in the signed audit log file + // (manual "agent" cert request processed - "rejected") + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, ++ AuditEvent.CERT_REQUEST_PROCESSED, + auditSubjectID, + ILogger.SUCCESS, + auditRequesterID, +@@ -1171,7 +1168,7 @@ public class ProcessCertReq extends CMSServlet { + // store a message in the signed audit log file + // (manual "agent" cert request processed - "cancelled") + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, ++ AuditEvent.CERT_REQUEST_PROCESSED, + auditSubjectID, + ILogger.SUCCESS, + auditRequesterID, +@@ -1238,7 +1235,7 @@ public class ProcessCertReq extends CMSServlet { + // store a message in the signed audit log file + // ("agent" cert request for "cloning") + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST, ++ AuditEvent.NON_PROFILE_CERT_REQUEST, + auditSubjectID, + 
ILogger.SUCCESS, + auditRequesterID, +@@ -1271,7 +1268,7 @@ public class ProcessCertReq extends CMSServlet { + if (toDo.equals(SIGNED_AUDIT_CLONING)) { + // ("agent" cert request for "cloning") + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST, ++ AuditEvent.NON_PROFILE_CERT_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, +@@ -1282,7 +1279,7 @@ public class ProcessCertReq extends CMSServlet { + } else if (toDo.equals(SIGNED_AUDIT_ACCEPTANCE)) { + // (manual "agent" cert request processed - "accepted") + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, ++ AuditEvent.CERT_REQUEST_PROCESSED, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, +@@ -1293,7 +1290,7 @@ public class ProcessCertReq extends CMSServlet { + } else if (toDo.equals(SIGNED_AUDIT_CANCELLATION)) { + // (manual "agent" cert request processed - "cancelled") + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, ++ AuditEvent.CERT_REQUEST_PROCESSED, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, +@@ -1304,7 +1301,7 @@ public class ProcessCertReq extends CMSServlet { + } else if (toDo.equals(SIGNED_AUDIT_REJECTION)) { + // (manual "agent" cert request processed - "rejected") + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, ++ AuditEvent.CERT_REQUEST_PROCESSED, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, +@@ -1324,7 +1321,7 @@ public class ProcessCertReq extends CMSServlet { + if (toDo.equals(SIGNED_AUDIT_CLONING)) { + // ("agent" cert request for "cloning") + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST, ++ AuditEvent.NON_PROFILE_CERT_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, +@@ -1335,7 +1332,7 @@ public class ProcessCertReq extends CMSServlet { + } else if (toDo.equals(SIGNED_AUDIT_ACCEPTANCE)) { + // (manual "agent" cert request processed - "accepted") + 
auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, ++ AuditEvent.CERT_REQUEST_PROCESSED, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, +@@ -1346,7 +1343,7 @@ public class ProcessCertReq extends CMSServlet { + } else if (toDo.equals(SIGNED_AUDIT_CANCELLATION)) { + // (manual "agent" cert request processed - "cancelled") + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, ++ AuditEvent.CERT_REQUEST_PROCESSED, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, +@@ -1357,7 +1354,7 @@ public class ProcessCertReq extends CMSServlet { + } else if (toDo.equals(SIGNED_AUDIT_REJECTION)) { + // (manual "agent" cert request processed - "rejected") + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, ++ AuditEvent.CERT_REQUEST_PROCESSED, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, +@@ -1378,7 +1375,7 @@ public class ProcessCertReq extends CMSServlet { + if (toDo.equals(SIGNED_AUDIT_CLONING)) { + // ("agent" cert request for "cloning") + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST, ++ AuditEvent.NON_PROFILE_CERT_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, +@@ -1389,7 +1386,7 @@ public class ProcessCertReq extends CMSServlet { + } else if (toDo.equals(SIGNED_AUDIT_ACCEPTANCE)) { + // (manual "agent" cert request processed - "accepted") + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, ++ AuditEvent.CERT_REQUEST_PROCESSED, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, +@@ -1400,7 +1397,7 @@ public class ProcessCertReq extends CMSServlet { + } else if (toDo.equals(SIGNED_AUDIT_CANCELLATION)) { + // (manual "agent" cert request processed - "cancelled") + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, ++ AuditEvent.CERT_REQUEST_PROCESSED, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, +@@ -1411,7 +1408,7 @@ public 
class ProcessCertReq extends CMSServlet { + } else if (toDo.equals(SIGNED_AUDIT_REJECTION)) { + // (manual "agent" cert request processed - "rejected") + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, ++ AuditEvent.CERT_REQUEST_PROCESSED, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, +@@ -1432,7 +1429,7 @@ public class ProcessCertReq extends CMSServlet { + if (toDo.equals(SIGNED_AUDIT_CLONING)) { + // ("agent" cert request for "cloning") + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST, ++ AuditEvent.NON_PROFILE_CERT_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, +@@ -1443,7 +1440,7 @@ public class ProcessCertReq extends CMSServlet { + } else if (toDo.equals(SIGNED_AUDIT_ACCEPTANCE)) { + // (manual "agent" cert request processed - "accepted") + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, ++ AuditEvent.CERT_REQUEST_PROCESSED, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, +@@ -1454,7 +1451,7 @@ public class ProcessCertReq extends CMSServlet { + } else if (toDo.equals(SIGNED_AUDIT_CANCELLATION)) { + // (manual "agent" cert request processed - "cancelled") + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, ++ AuditEvent.CERT_REQUEST_PROCESSED, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, +@@ -1465,7 +1462,7 @@ public class ProcessCertReq extends CMSServlet { + } else if (toDo.equals(SIGNED_AUDIT_REJECTION)) { + // (manual "agent" cert request processed - "rejected") + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, ++ AuditEvent.CERT_REQUEST_PROCESSED, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, +-- +1.8.3.1 + + +From e0b3e36b6737e872e479624780497373765600f4 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Wed, 12 Apr 2017 04:58:25 +0200 +Subject: [PATCH 47/59] Reorganized additional audit event constants for KRA. 
+ +Change-Id: Ib4586443f7e6f759d227975f9736cdd30b8f32e8 +--- + base/ca/src/com/netscape/ca/CAService.java | 67 +++++++++++----------- + .../com/netscape/certsrv/logging/AuditEvent.java | 27 +++++++++ + .../src/com/netscape/kra/EnrollmentService.java | 32 +++++------ + .../src/com/netscape/kra/KeyRecoveryAuthority.java | 42 +++++--------- + .../src/com/netscape/kra/NetkeyKeygenService.java | 31 +++------- + .../com/netscape/kra/TokenKeyRecoveryService.java | 36 ++++++------ + .../cms/profile/common/CAEnrollProfile.java | 12 ++-- + .../cms/servlet/admin/CMSAdminServlet.java | 11 ++-- + .../com/netscape/cms/servlet/key/GetAsyncPk12.java | 11 +--- + .../src/com/netscape/cms/servlet/key/GetPk12.java | 11 +--- + .../cms/servlet/key/GrantAsyncRecovery.java | 10 ++-- + .../netscape/cms/servlet/key/GrantRecovery.java | 12 ++-- + 12 files changed, 138 insertions(+), 164 deletions(-) + +diff --git a/base/ca/src/com/netscape/ca/CAService.java b/base/ca/src/com/netscape/ca/CAService.java +index 31df153..5b364b8 100644 +--- a/base/ca/src/com/netscape/ca/CAService.java ++++ b/base/ca/src/com/netscape/ca/CAService.java +@@ -31,33 +31,6 @@ import java.util.Enumeration; + import java.util.Hashtable; + import java.util.Vector; + +-import netscape.security.extensions.CertInfo; +-import netscape.security.util.BigInt; +-import netscape.security.util.DerValue; +-import netscape.security.x509.AlgorithmId; +-import netscape.security.x509.BasicConstraintsExtension; +-import netscape.security.x509.CRLExtensions; +-import netscape.security.x509.CRLReasonExtension; +-import netscape.security.x509.CertificateAlgorithmId; +-import netscape.security.x509.CertificateChain; +-import netscape.security.x509.CertificateExtensions; +-import netscape.security.x509.CertificateIssuerName; +-import netscape.security.x509.CertificateSerialNumber; +-import netscape.security.x509.CertificateSubjectName; +-import netscape.security.x509.CertificateValidity; +-import netscape.security.x509.Extension; +-import 
netscape.security.x509.LdapV3DNStrConverter; +-import netscape.security.x509.PKIXExtensions; +-import netscape.security.x509.RevocationReason; +-import netscape.security.x509.RevokedCertImpl; +-import netscape.security.x509.SerialNumber; +-import netscape.security.x509.X500Name; +-import netscape.security.x509.X500NameAttrMap; +-import netscape.security.x509.X509CRLImpl; +-import netscape.security.x509.X509CertImpl; +-import netscape.security.x509.X509CertInfo; +-import netscape.security.x509.X509ExtensionException; +- + import com.netscape.certsrv.apps.CMS; + import com.netscape.certsrv.authority.IAuthority; + import com.netscape.certsrv.authority.ICertAuthority; +@@ -77,6 +50,7 @@ import com.netscape.certsrv.dbs.ModificationSet; + import com.netscape.certsrv.dbs.certdb.ICertRecord; + import com.netscape.certsrv.dbs.certdb.ICertRecordList; + import com.netscape.certsrv.dbs.crldb.ICRLIssuingPointRecord; ++import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.ILogger; + import com.netscape.certsrv.profile.EProfileException; + import com.netscape.certsrv.profile.IProfile; +@@ -95,6 +69,33 @@ import com.netscape.cmscore.dbs.RevocationInfo; + import com.netscape.cmscore.util.Debug; + import com.netscape.cmsutil.util.Utils; + ++import netscape.security.extensions.CertInfo; ++import netscape.security.util.BigInt; ++import netscape.security.util.DerValue; ++import netscape.security.x509.AlgorithmId; ++import netscape.security.x509.BasicConstraintsExtension; ++import netscape.security.x509.CRLExtensions; ++import netscape.security.x509.CRLReasonExtension; ++import netscape.security.x509.CertificateAlgorithmId; ++import netscape.security.x509.CertificateChain; ++import netscape.security.x509.CertificateExtensions; ++import netscape.security.x509.CertificateIssuerName; ++import netscape.security.x509.CertificateSerialNumber; ++import netscape.security.x509.CertificateSubjectName; ++import netscape.security.x509.CertificateValidity; ++import 
netscape.security.x509.Extension; ++import netscape.security.x509.LdapV3DNStrConverter; ++import netscape.security.x509.PKIXExtensions; ++import netscape.security.x509.RevocationReason; ++import netscape.security.x509.RevokedCertImpl; ++import netscape.security.x509.SerialNumber; ++import netscape.security.x509.X500Name; ++import netscape.security.x509.X500NameAttrMap; ++import netscape.security.x509.X509CRLImpl; ++import netscape.security.x509.X509CertImpl; ++import netscape.security.x509.X509CertInfo; ++import netscape.security.x509.X509ExtensionException; ++ + /** + * Request Service for CertificateAuthority. + */ +@@ -115,8 +116,6 @@ public class CAService implements ICAService, IService { + private Hashtable mCRLIssuingPoints = new Hashtable(); + + private ILogger mSignedAuditLogger = CMS.getSignedAuditLogger(); +- private final static String LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST = +- "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_4"; + + public CAService(ICertificateAuthority ca) { + mCA = ca; +@@ -422,7 +421,7 @@ public class CAService implements ICAService, IService { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST, ++ AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, + auditSubjectID, + ILogger.SUCCESS, + auditRequesterID, +@@ -441,7 +440,7 @@ public class CAService implements ICAService, IService { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST, ++ AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, +@@ -459,7 +458,7 @@ public class CAService implements ICAService, IService { + if (request.getExtDataInString(IRequest.ERROR) != null) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST, ++ AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, + 
auditSubjectID, + ILogger.FAILURE, + auditRequesterID, +@@ -486,7 +485,7 @@ public class CAService implements ICAService, IService { + if (!(type.equals(IRequest.REVOCATION_REQUEST) || + type.equals(IRequest.UNREVOCATION_REQUEST) || type.equals(IRequest.CMCREVOKE_REQUEST))) { + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST, ++ AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, +@@ -506,7 +505,7 @@ public class CAService implements ICAService, IService { + type.equals(IRequest.UNREVOCATION_REQUEST) || type.equals(IRequest.CMCREVOKE_REQUEST))) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST, ++ AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, + auditSubjectID, + ILogger.SUCCESS, + auditRequesterID, +diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java +index 39314df..dc434fa 100644 +--- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java ++++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java +@@ -35,6 +35,33 @@ import com.netscape.certsrv.base.MessageFormatter; + */ + public class AuditEvent implements IBundleLogEvent { + ++ public final static String PRIVATE_KEY_ARCHIVE_REQUEST = ++ "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_4"; ++ public final static String PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED = ++ "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED_3"; ++ public final static String PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS = ++ "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS_4"; ++ public final static String PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE = ++ "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE_4"; ++ public final static String SERVER_SIDE_KEYGEN_REQUEST = ++ "LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_3"; ++ public final 
static String SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS = ++ "LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS_4"; ++ public final static String SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE = ++ "LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE_3"; ++ public final static String KEY_RECOVERY_REQUEST = ++ "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_4"; ++ public final static String KEY_RECOVERY_REQUEST_ASYNC = ++ "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_ASYNC_4"; ++ public final static String KEY_RECOVERY_AGENT_LOGIN = ++ "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_AGENT_LOGIN_4"; ++ public final static String KEY_RECOVERY_REQUEST_PROCESSED = ++ "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED_4"; ++ public final static String KEY_RECOVERY_REQUEST_PROCESSED_ASYNC = ++ "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED_ASYNC_4"; ++ public final static String KEY_GEN_ASYMMETRIC = ++ "LOGGING_SIGNED_AUDIT_KEY_GEN_ASYMMETRIC_3"; ++ + public final static String NON_PROFILE_CERT_REQUEST = + "LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST_5"; + public final static String PROFILE_CERT_REQUEST = +diff --git a/base/kra/src/com/netscape/kra/EnrollmentService.java b/base/kra/src/com/netscape/kra/EnrollmentService.java +index 36a809b..d2748a2 100644 +--- a/base/kra/src/com/netscape/kra/EnrollmentService.java ++++ b/base/kra/src/com/netscape/kra/EnrollmentService.java +@@ -48,6 +48,7 @@ import com.netscape.certsrv.dbs.keydb.IKeyRepository; + import com.netscape.certsrv.kra.EKRAException; + import com.netscape.certsrv.kra.IKeyRecoveryAuthority; + import com.netscape.certsrv.kra.ProofOfArchival; ++import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.AuditFormat; + import com.netscape.certsrv.logging.ILogger; + import com.netscape.certsrv.profile.IEnrollProfile; +@@ -102,11 +103,6 @@ public class EnrollmentService implements IService { + private IStorageKeyUnit mStorageUnit = null; + private ILogger mSignedAuditLogger 
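Review bot: The caveat `// these need to be defined in LogMessages_en.properties later when we do this` that sat above the SERVER_SIDE_KEYGEN and PRIVATE_KEY_EXPORT constants in NetkeyKeygenService is removed by the hunk at `@@ -91,22 +92,6 @@` and is not carried into AuditEvent, where those keys now live. If any of those keys is still undefined in LogMessages_en.properties, every caller routed through `CMS.getLogMessage(AuditEvent.SERVER_SIDE_KEYGEN_REQUEST, ...)` would produce a degraded signed-audit record for exactly the key-generation and key-export events a key-escrow audit trail depends on, so either confirm the keys are defined or move the note along with the constants. The new public constants also carry no comment; the numeric suffix appears to encode how many arguments callers pass to `CMS.getLogMessage` (the `_3` constants are invoked with three arguments in the other hunks, the `_4` ones with four), and a one-line comment above the block such as `// The trailing _N of each key must match the number of arguments passed to CMS.getLogMessage for that event.` would make that contract explicit for anyone adding a new event.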
= CMS.getSignedAuditLogger(); + +- private final static String LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST = +- "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_4"; +- private final static String LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED = +- "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED_3"; +- + /** + * Constructs request processor. + *

+@@ -205,7 +201,7 @@ public class EnrollmentService implements IService { + } catch (IOException e) { + + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST, ++ AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, +@@ -253,7 +249,7 @@ public class EnrollmentService implements IService { + mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_UNWRAP_USER_KEY")); + + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST, ++ AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, +@@ -289,7 +285,7 @@ public class EnrollmentService implements IService { + CMS.getLogMessage("CMSCORE_KRA_PUBLIC_NOT_FOUND")); + + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST, ++ AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, +@@ -331,7 +327,7 @@ public class EnrollmentService implements IService { + mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_WRAP_USER_KEY")); + + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST, ++ AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, +@@ -352,7 +348,7 @@ public class EnrollmentService implements IService { + CMS.getLogMessage("CMSCORE_KRA_PUBLIC_NOT_FOUND")); + + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST, ++ AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, +@@ -377,7 +373,7 @@ public class EnrollmentService implements IService { + mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_OWNER_NAME_NOT_FOUND")); + + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST, ++ AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, +@@ -412,7 +408,7 @@ 
public class EnrollmentService implements IService { + mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_WRAP_USER_KEY")); + + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST, ++ AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, +@@ -439,7 +435,7 @@ public class EnrollmentService implements IService { + } catch (InvalidKeyException e) { + + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST, ++ AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, +@@ -489,7 +485,7 @@ public class EnrollmentService implements IService { + rec.getSerialNumber().toString())); + + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST, ++ AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, +@@ -511,7 +507,7 @@ public class EnrollmentService implements IService { + mKRA.log(ILogger.LL_FAILURE, "Failed to store wrapping parameters"); + // TODO(alee) Set correct audit message here + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST, ++ AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, +@@ -529,7 +525,7 @@ public class EnrollmentService implements IService { + CMS.getLogMessage("CMSCORE_KRA_GET_NEXT_SERIAL")); + + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST, ++ AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, +@@ -586,7 +582,7 @@ public class EnrollmentService implements IService { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST, ++ AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, + auditSubjectID, + ILogger.SUCCESS, + auditRequesterID, +@@ -597,7 +593,7 @@ public class EnrollmentService 
implements IService { + // store a message in the signed audit log file + auditPublicKey = auditPublicKey(rec); + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED, ++ AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED, + auditSubjectID, + ILogger.SUCCESS, + auditPublicKey); +diff --git a/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java b/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java +index 64680ed..b6e4376 100644 +--- a/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java ++++ b/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java +@@ -46,6 +46,7 @@ import com.netscape.certsrv.dbs.replicadb.IReplicaIDRepository; + import com.netscape.certsrv.kra.IKeyRecoveryAuthority; + import com.netscape.certsrv.kra.IKeyService; + import com.netscape.certsrv.listeners.EListenersException; ++import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.ILogger; + import com.netscape.certsrv.request.ARequestNotifier; + import com.netscape.certsrv.request.IPolicy; +@@ -137,19 +138,6 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove + private ILogger mSignedAuditLogger = CMS.getSignedAuditLogger(); + private final static byte EOL[] = { Character.LINE_SEPARATOR }; + private final static String SIGNED_AUDIT_AGENT_DELIMITER = ", "; +- private final static String LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST = +- "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_4"; +- private final static String LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED = +- "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED_3"; +- private final static String LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST = +- "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_4"; +- private final static String LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_ASYNC = +- "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_ASYNC_4"; +- private final static String LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED 
= +- "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED_4"; +- private final static String LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED_ASYNC = +- "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED_ASYNC_4"; +- + /** + * Constructs an escrow authority. + *

+@@ -777,7 +765,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST, ++ AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, + auditSubjectID, + ILogger.SUCCESS, + auditRequesterID, +@@ -787,7 +775,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove + } catch (EBaseException eAudit1) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST, ++ AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, +@@ -808,7 +796,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED, ++ AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED, + auditSubjectID, + ILogger.SUCCESS, + auditPublicKey); +@@ -817,7 +805,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove + } catch (EBaseException eAudit1) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED, ++ AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED, + auditSubjectID, + ILogger.FAILURE, + auditPublicKey); +@@ -859,7 +847,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_ASYNC, ++ AuditEvent.KEY_RECOVERY_REQUEST_ASYNC, + auditSubjectID, + ILogger.SUCCESS, + auditRecoveryID, +@@ -869,7 +857,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove + } catch (EBaseException eAudit1) { + // store a message in the signed audit 
log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_ASYNC, ++ AuditEvent.KEY_RECOVERY_REQUEST_ASYNC, + auditSubjectID, + ILogger.FAILURE, + auditRecoveryID, +@@ -1049,7 +1037,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST, ++ AuditEvent.KEY_RECOVERY_REQUEST, + auditSubjectID, + ILogger.SUCCESS, + auditRecoveryID, +@@ -1059,7 +1047,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove + } catch (EBaseException eAudit1) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST, ++ AuditEvent.KEY_RECOVERY_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRecoveryID, +@@ -1083,7 +1071,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED, ++ AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED, + auditSubjectID, + ILogger.SUCCESS, + auditRecoveryID, +@@ -1097,7 +1085,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove + } else { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED, ++ AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED, + auditSubjectID, + ILogger.FAILURE, + auditRecoveryID, +@@ -1110,7 +1098,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove + } catch (EBaseException eAudit1) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED, ++ AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED, + auditSubjectID, + ILogger.FAILURE, + auditRecoveryID, +@@ -1178,7 
+1166,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED_ASYNC, ++ AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED_ASYNC, + auditSubjectID, + ILogger.SUCCESS, + auditRecoveryID, +@@ -1192,7 +1180,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove + } else { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED_ASYNC, ++ AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED_ASYNC, + auditSubjectID, + ILogger.FAILURE, + auditRecoveryID, +@@ -1205,7 +1193,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove + } catch (EBaseException eAudit1) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED_ASYNC, ++ AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED_ASYNC, + auditSubjectID, + ILogger.FAILURE, + auditRecoveryID, +diff --git a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java +index 3f5e32f..665ff19 100644 +--- a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java ++++ b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java +@@ -55,6 +55,7 @@ import com.netscape.certsrv.base.SessionContext; + import com.netscape.certsrv.dbs.keydb.IKeyRecord; + import com.netscape.certsrv.dbs.keydb.IKeyRepository; + import com.netscape.certsrv.kra.IKeyRecoveryAuthority; ++import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.ILogger; + import com.netscape.certsrv.request.IRequest; + import com.netscape.certsrv.request.IService; +@@ -91,22 +92,6 @@ public class NetkeyKeygenService implements IService { + public final static String ATTR_PROOF_OF_ARCHIVAL = + "proofOfArchival"; + +- // private +- 
private final static String LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST = +- "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_4"; +- private final static String LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED = +- "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED_3"; +- // these need to be defined in LogMessages_en.properties later when we do this +- private final static String LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST = +- "LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_3"; +- private final static String LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS = +- "LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS_4"; +- private final static String LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE = +- "LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE_3"; +- private final static String LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS = +- "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS_4"; +- private final static String LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE = +- "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE_4"; + private IKeyRecoveryAuthority mKRA = null; + private ITransportKeyUnit mTransportUnit = null; + private IStorageKeyUnit mStorageUnit = null; +@@ -384,7 +369,7 @@ public class NetkeyKeygenService implements IService { + } + + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST, ++ AuditEvent.SERVER_SIDE_KEYGEN_REQUEST, + agentId, + ILogger.SUCCESS, + auditSubjectID); +@@ -455,7 +440,7 @@ public class NetkeyKeygenService implements IService { + request.setExtData(IRequest.RESULT, Integer.valueOf(4)); + + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE, ++ AuditEvent.SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE, + agentId, + ILogger.FAILURE, + auditSubjectID); +@@ -487,7 +472,7 @@ public class 
NetkeyKeygenService implements IService { + } + + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS, ++ AuditEvent.SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS, + agentId, + ILogger.SUCCESS, + auditSubjectID, +@@ -550,7 +535,7 @@ public class NetkeyKeygenService implements IService { + request.setExtData(IRequest.RESULT, Integer.valueOf(4)); + CMS.debug("NetkeyKeygenService: failed generating wrapped private key"); + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE, ++ AuditEvent.PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE, + agentId, + ILogger.FAILURE, + auditSubjectID, +@@ -561,7 +546,7 @@ public class NetkeyKeygenService implements IService { + } else { + request.setExtData("wrappedUserPrivate", wrappedPrivKeyString); + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS, ++ AuditEvent.PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS, + agentId, + ILogger.SUCCESS, + auditSubjectID, +@@ -586,7 +571,7 @@ public class NetkeyKeygenService implements IService { + // mKRA.log(ILogger.LL_INFO, "KRA encrypts internal private"); + + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST, ++ AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, + agentId, + ILogger.SUCCESS, + auditSubjectID, +@@ -680,7 +665,7 @@ public class NetkeyKeygenService implements IService { + CMS.debug("NetkeyKeygenService: key archived for " + rCUID + ":" + rUserid); + + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED, ++ AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED, + agentId, + ILogger.SUCCESS, + PubKey); +diff --git a/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java b/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java +index b084964..b710291 100644 +--- a/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java ++++ 
b/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java +@@ -45,6 +45,7 @@ import com.netscape.certsrv.base.SessionContext; + import com.netscape.certsrv.dbs.keydb.IKeyRepository; + import com.netscape.certsrv.kra.EKRAException; + import com.netscape.certsrv.kra.IKeyRecoveryAuthority; ++import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.ILogger; + import com.netscape.certsrv.request.IRequest; + import com.netscape.certsrv.request.IService; +@@ -89,11 +90,6 @@ public class TokenKeyRecoveryService implements IService { + private IStorageKeyUnit mStorageUnit = null; + private ITransportKeyUnit mTransportUnit = null; + +- private final static String LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST = +- "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_4"; +- +- private final static String LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED = +- "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED_4"; + private ILogger mSignedAuditLogger = CMS.getSignedAuditLogger(); + + /** +@@ -271,7 +267,7 @@ public class TokenKeyRecoveryService implements IService { + CMS.debug("TokenKeyRecoveryService: not receive des key"); + request.setExtData(IRequest.RESULT, Integer.valueOf(4)); + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED, ++ AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED, + auditSubjectID, + ILogger.FAILURE, + auditRecoveryID, +@@ -289,7 +285,7 @@ public class TokenKeyRecoveryService implements IService { + CMS.debug("TokenKeyRecoveryService: not receive cert or keyid"); + request.setExtData(IRequest.RESULT, Integer.valueOf(3)); + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED, ++ AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED, + auditSubjectID, + ILogger.FAILURE, + auditRecoveryID, +@@ -310,7 +306,7 @@ public class TokenKeyRecoveryService implements IService { + CMS.debug("cert mapping failed"); + request.setExtData(IRequest.RESULT, Integer.valueOf(5)); + auditMessage = 
CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED, ++ AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED, + auditSubjectID, + ILogger.FAILURE, + auditRecoveryID, +@@ -323,7 +319,7 @@ public class TokenKeyRecoveryService implements IService { + CMS.debug("TokenKeyRecoveryService: mapCert failed"); + request.setExtData(IRequest.RESULT, Integer.valueOf(6)); + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED, ++ AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED, + auditSubjectID, + ILogger.FAILURE, + auditRecoveryID, +@@ -362,7 +358,7 @@ public class TokenKeyRecoveryService implements IService { + CMS.debug("key record not found"); + request.setExtData(IRequest.RESULT, Integer.valueOf(8)); + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED, ++ AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED, + auditSubjectID, + ILogger.FAILURE, + auditRecoveryID, +@@ -375,7 +371,7 @@ public class TokenKeyRecoveryService implements IService { + com.netscape.cmscore.util.Debug.printStackTrace(e); + request.setExtData(IRequest.RESULT, Integer.valueOf(9)); + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED, ++ AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED, + auditSubjectID, + ILogger.FAILURE, + auditRecoveryID, +@@ -409,7 +405,7 @@ public class TokenKeyRecoveryService implements IService { + if (inputPubData.length != pubData.length) { + mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_PUBLIC_KEY_LEN")); + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED, ++ AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED, + auditSubjectID, + ILogger.FAILURE, + auditRecoveryID, +@@ -424,7 +420,7 @@ public class TokenKeyRecoveryService implements IService { + if (pubData[i] != inputPubData[i]) { + mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_PUBLIC_KEY_LEN")); + auditMessage = CMS.getLogMessage( +- 
LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED, ++ AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED, + auditSubjectID, + ILogger.FAILURE, + auditRecoveryID, +@@ -447,7 +443,7 @@ public class TokenKeyRecoveryService implements IService { + request.setExtData(IRequest.RESULT, Integer.valueOf(4)); + CMS.debug("TokenKeyRecoveryService: failed getting private key"); + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED, ++ AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED, + auditSubjectID, + ILogger.FAILURE, + auditRecoveryID, +@@ -477,7 +473,7 @@ public class TokenKeyRecoveryService implements IService { + mKRA.log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_KRA_PUBLIC_NOT_FOUND")); + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED, ++ AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED, + auditSubjectID, + ILogger.FAILURE, + auditRecoveryID, +@@ -503,7 +499,7 @@ public class TokenKeyRecoveryService implements IService { + request.setExtData(IRequest.RESULT, Integer.valueOf(4)); + CMS.debug("TokenKeyRecoveryService: failed getting private key"); + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED, ++ AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED, + auditSubjectID, + ILogger.FAILURE, + auditRecoveryID, +@@ -533,7 +529,7 @@ public class TokenKeyRecoveryService implements IService { + request.setExtData(IRequest.RESULT, Integer.valueOf(4)); + CMS.debug("TokenKeyRecoveryService: failed generating wrapped private key"); + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED, ++ AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED, + auditSubjectID, + ILogger.FAILURE, + auditRecoveryID, +@@ -561,7 +557,7 @@ public class TokenKeyRecoveryService implements IService { + } + + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST, ++ AuditEvent.KEY_RECOVERY_REQUEST, + auditSubjectID, + ILogger.SUCCESS, + auditRecoveryID, +@@ -573,7 
+569,7 @@ public class TokenKeyRecoveryService implements IService { + request.setExtData(IRequest.RESULT, Integer.valueOf(4)); + CMS.debug("TokenKeyRecoveryService: failed getting publickey encoded"); + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED, ++ AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED, + auditSubjectID, + ILogger.FAILURE, + auditRecoveryID, +@@ -588,7 +584,7 @@ public class TokenKeyRecoveryService implements IService { + } + request.setExtData("public_key", PubKey); + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED, ++ AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED, + auditSubjectID, + ILogger.SUCCESS, + auditRecoveryID, +diff --git a/base/server/cms/src/com/netscape/cms/profile/common/CAEnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/CAEnrollProfile.java +index 44c1245..02aa8c8 100644 +--- a/base/server/cms/src/com/netscape/cms/profile/common/CAEnrollProfile.java ++++ b/base/server/cms/src/com/netscape/cms/profile/common/CAEnrollProfile.java +@@ -29,6 +29,7 @@ import com.netscape.certsrv.ca.AuthorityID; + import com.netscape.certsrv.ca.ICAService; + import com.netscape.certsrv.ca.ICertificateAuthority; + import com.netscape.certsrv.connector.IConnector; ++import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.AuditFormat; + import com.netscape.certsrv.logging.ILogger; + import com.netscape.certsrv.profile.EProfileException; +@@ -49,9 +50,6 @@ import netscape.security.x509.X509CertInfo; + */ + public class CAEnrollProfile extends EnrollProfile { + +- private final static String LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST = +- "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_4"; +- + public CAEnrollProfile() { + } + +@@ -120,7 +118,7 @@ public class CAEnrollProfile extends EnrollProfile { + "not configured"); + + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST, ++ 
AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, +@@ -135,7 +133,7 @@ public class CAEnrollProfile extends EnrollProfile { + // check response + if (!request.isSuccess()) { + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST, ++ AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, +@@ -153,7 +151,7 @@ public class CAEnrollProfile extends EnrollProfile { + } + + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST, ++ AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, + auditSubjectID, + ILogger.SUCCESS, + auditRequesterID, +@@ -170,7 +168,7 @@ public class CAEnrollProfile extends EnrollProfile { + CMS.debug(e); + + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST, ++ AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, +diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java +index 2c3c6be..3e73dc6 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java +@@ -60,6 +60,7 @@ import com.netscape.certsrv.common.ScopeDef; + import com.netscape.certsrv.dbs.certdb.ICertRecord; + import com.netscape.certsrv.dbs.certdb.ICertificateRepository; + import com.netscape.certsrv.kra.IKeyRecoveryAuthority; ++import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.ILogger; + import com.netscape.certsrv.ocsp.IOCSPAuthority; + import com.netscape.certsrv.ra.IRegistrationAuthority; +@@ -109,8 +110,6 @@ public final class CMSAdminServlet extends AdminServlet { + "LOGGING_SIGNED_AUDIT_CONFIG_ENCRYPTION_3"; + private final static String LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY = + 
"LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY_3"; +- private final static String LOGGING_SIGNED_AUDIT_KEY_GEN_ASYMMETRIC = +- "LOGGING_SIGNED_AUDIT_KEY_GEN_ASYMMETRIC_3"; + private final static String LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION = + "LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION_2"; + private final static String LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION = +@@ -1142,7 +1141,7 @@ public final class CMSAdminServlet extends AdminServlet { + if (nickname.equals("")) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_KEY_GEN_ASYMMETRIC, ++ AuditEvent.KEY_GEN_ASYMMETRIC, + auditSubjectID, + ILogger.FAILURE, + auditPublicKey); +@@ -1205,7 +1204,7 @@ public final class CMSAdminServlet extends AdminServlet { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_KEY_GEN_ASYMMETRIC, ++ AuditEvent.KEY_GEN_ASYMMETRIC, + auditSubjectID, + ILogger.SUCCESS, + auditPublicKey); +@@ -1217,7 +1216,7 @@ public final class CMSAdminServlet extends AdminServlet { + } catch (EBaseException eAudit1) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_KEY_GEN_ASYMMETRIC, ++ AuditEvent.KEY_GEN_ASYMMETRIC, + auditSubjectID, + ILogger.FAILURE, + auditPublicKey); +@@ -1229,7 +1228,7 @@ public final class CMSAdminServlet extends AdminServlet { + } catch (IOException eAudit2) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_KEY_GEN_ASYMMETRIC, ++ AuditEvent.KEY_GEN_ASYMMETRIC, + auditSubjectID, + ILogger.FAILURE, + auditPublicKey); +diff --git a/base/server/cms/src/com/netscape/cms/servlet/key/GetAsyncPk12.java b/base/server/cms/src/com/netscape/cms/servlet/key/GetAsyncPk12.java +index 773b91e..f0065e1 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/key/GetAsyncPk12.java ++++ 
b/base/server/cms/src/com/netscape/cms/servlet/key/GetAsyncPk12.java +@@ -35,6 +35,7 @@ import com.netscape.certsrv.base.IArgBlock; + import com.netscape.certsrv.base.SessionContext; + import com.netscape.certsrv.common.ICMSRequest; + import com.netscape.certsrv.kra.IKeyRecoveryAuthority; ++import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.ILogger; + import com.netscape.cms.servlet.base.CMSServlet; + import com.netscape.cms.servlet.common.CMSRequest; +@@ -64,12 +65,6 @@ public class GetAsyncPk12 extends CMSServlet { + + private com.netscape.certsrv.kra.IKeyService mService = null; + +- private final static String LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS = +- "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS_4"; +- +- private final static String LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE = +- "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE_4"; +- + private String mFormPath = null; + + /** +@@ -213,7 +208,7 @@ public class GetAsyncPk12 extends CMSServlet { + mRenderResult = false; + + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS, ++ AuditEvent.PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS, + agent, + ILogger.SUCCESS, + reqID, +@@ -239,7 +234,7 @@ public class GetAsyncPk12 extends CMSServlet { + + if ((agent != null) && (reqID != null)) { + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE, ++ AuditEvent.PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE, + agent, + ILogger.FAILURE, + reqID, +diff --git a/base/server/cms/src/com/netscape/cms/servlet/key/GetPk12.java b/base/server/cms/src/com/netscape/cms/servlet/key/GetPk12.java +index c79a82f..9bb52cd 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/key/GetPk12.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/key/GetPk12.java +@@ -36,6 +36,7 @@ import 
com.netscape.certsrv.base.IArgBlock; + import com.netscape.certsrv.base.SessionContext; + import com.netscape.certsrv.common.ICMSRequest; + import com.netscape.certsrv.kra.IKeyRecoveryAuthority; ++import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.ILogger; + import com.netscape.cms.servlet.base.CMSServlet; + import com.netscape.cms.servlet.common.CMSRequest; +@@ -63,12 +64,6 @@ public class GetPk12 extends CMSServlet { + + private com.netscape.certsrv.kra.IKeyService mService = null; + +- private final static String LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS = +- "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS_4"; +- +- private final static String LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE = +- "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE_4"; +- + private String mFormPath = null; + + /** +@@ -207,7 +202,7 @@ public class GetPk12 extends CMSServlet { + mRenderResult = false; + + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS, ++ AuditEvent.PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS, + agent, + ILogger.SUCCESS, + recoveryID, +@@ -233,7 +228,7 @@ public class GetPk12 extends CMSServlet { + + if ((agent != null) && (recoveryID != null)) { + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE, ++ AuditEvent.PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE, + agent, + ILogger.FAILURE, + recoveryID, +diff --git a/base/server/cms/src/com/netscape/cms/servlet/key/GrantAsyncRecovery.java b/base/server/cms/src/com/netscape/cms/servlet/key/GrantAsyncRecovery.java +index 4100391..c410525 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/key/GrantAsyncRecovery.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/key/GrantAsyncRecovery.java +@@ -34,6 +34,7 @@ import com.netscape.certsrv.base.EBaseException; + import 
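Review bot: The failure path in the last GetPk12 hunk still writes a PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE record only when both `agent` and `recoveryID` are non-null, so a failed PKCS#12 export where either value is unavailable leaves no signed-audit trace; the commit only swaps the constant and does not address this. Unless the gap is intentional, the guard could be removed and the null values substituted with a placeholder (the project's `ILogger.UNIDENTIFIED`, if it defines one) so that every failed export is audited. The same pattern appears in the GetAsyncPk12 hunk just above. The enclosing method starts and ends outside the hunk.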
com.netscape.certsrv.base.IArgBlock; + import com.netscape.certsrv.common.ICMSRequest; + import com.netscape.certsrv.kra.IKeyService; ++import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.ILogger; + import com.netscape.cms.servlet.base.CMSServlet; + import com.netscape.cms.servlet.common.CMSRequest; +@@ -61,9 +62,6 @@ public class GrantAsyncRecovery extends CMSServlet { + private IKeyService mService = null; + private String mFormPath = null; + +- private final static String LOGGING_SIGNED_AUDIT_KEY_RECOVERY_AGENT_LOGIN = +- "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_AGENT_LOGIN_4"; +- + /** + * Constructs EA servlet. + */ +@@ -237,7 +235,7 @@ public class GrantAsyncRecovery extends CMSServlet { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_KEY_RECOVERY_AGENT_LOGIN, ++ AuditEvent.KEY_RECOVERY_AGENT_LOGIN, + auditSubjectID, + ILogger.SUCCESS, + auditRequestID, +@@ -250,7 +248,7 @@ public class GrantAsyncRecovery extends CMSServlet { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_KEY_RECOVERY_AGENT_LOGIN, ++ AuditEvent.KEY_RECOVERY_AGENT_LOGIN, + auditSubjectID, + ILogger.FAILURE, + auditRequestID, +@@ -262,7 +260,7 @@ public class GrantAsyncRecovery extends CMSServlet { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_KEY_RECOVERY_AGENT_LOGIN, ++ AuditEvent.KEY_RECOVERY_AGENT_LOGIN, + auditSubjectID, + ILogger.FAILURE, + auditRequestID, +diff --git a/base/server/cms/src/com/netscape/cms/servlet/key/GrantRecovery.java b/base/server/cms/src/com/netscape/cms/servlet/key/GrantRecovery.java +index 9d57fbe..47054d9 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/key/GrantRecovery.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/key/GrantRecovery.java +@@ -36,6 +36,7 @@ import com.netscape.certsrv.base.EBaseException; + import 
com.netscape.certsrv.base.IArgBlock; + import com.netscape.certsrv.common.ICMSRequest; + import com.netscape.certsrv.kra.IKeyService; ++import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.ILogger; + import com.netscape.cms.servlet.base.CMSServlet; + import com.netscape.cms.servlet.common.CMSRequest; +@@ -64,9 +65,6 @@ public class GrantRecovery extends CMSServlet { + private IKeyService mService = null; + private String mFormPath = null; + +- private final static String LOGGING_SIGNED_AUDIT_KEY_RECOVERY_AGENT_LOGIN = +- "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_AGENT_LOGIN_4"; +- + /** + * Constructs EA servlet. + */ +@@ -243,7 +241,7 @@ public class GrantRecovery extends CMSServlet { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_KEY_RECOVERY_AGENT_LOGIN, ++ AuditEvent.KEY_RECOVERY_AGENT_LOGIN, + auditSubjectID, + ILogger.FAILURE, + auditRecoveryID, +@@ -266,7 +264,7 @@ public class GrantRecovery extends CMSServlet { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_KEY_RECOVERY_AGENT_LOGIN, ++ AuditEvent.KEY_RECOVERY_AGENT_LOGIN, + auditSubjectID, + ILogger.SUCCESS, + auditRecoveryID, +@@ -279,7 +277,7 @@ public class GrantRecovery extends CMSServlet { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_KEY_RECOVERY_AGENT_LOGIN, ++ AuditEvent.KEY_RECOVERY_AGENT_LOGIN, + auditSubjectID, + ILogger.FAILURE, + auditRecoveryID, +@@ -291,7 +289,7 @@ public class GrantRecovery extends CMSServlet { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_KEY_RECOVERY_AGENT_LOGIN, ++ AuditEvent.KEY_RECOVERY_AGENT_LOGIN, + auditSubjectID, + ILogger.FAILURE, + auditRecoveryID, +-- +1.8.3.1 + + +From 20a307e4683e62b033f7662ed4aa2f18dfad6226 Mon Sep 17 00:00:00 2001 +From: "Endi S. 
Dewata" +Date: Wed, 12 Apr 2017 05:23:15 +0200 +Subject: [PATCH 48/59] Reorganized audit event constants for configuration. + +Change-Id: Ie05572677de0e8eb1244dc6caf2b4a48514a2542 +--- + .../dogtagpki/server/ca/rest/ProfileService.java | 5 +- + .../com/netscape/certsrv/logging/AuditEvent.java | 37 ++++++ + .../src/com/netscape/certsrv/logging/IAuditor.java | 3 - + .../cms/src/com/netscape/cms/logging/LogFile.java | 10 +- + .../com/netscape/cms/logging/RollingLogFile.java | 8 +- + .../cms/profile/updater/SubsystemGroupUpdater.java | 14 +-- + .../cms/servlet/admin/ACLAdminServlet.java | 38 +++---- + .../netscape/cms/servlet/admin/AdminServlet.java | 10 +- + .../cms/servlet/admin/AuthAdminServlet.java | 96 ++++++++-------- + .../netscape/cms/servlet/admin/CAAdminServlet.java | 50 ++++----- + .../cms/servlet/admin/CMSAdminServlet.java | 86 +++++++------- + .../cms/servlet/admin/GroupMemberProcessor.java | 4 +- + .../cms/servlet/admin/KRAAdminServlet.java | 8 +- + .../cms/servlet/admin/LogAdminServlet.java | 113 +++++++++---------- + .../cms/servlet/admin/OCSPAdminServlet.java | 22 ++-- + .../cms/servlet/admin/PolicyAdminServlet.java | 62 +++++------ + .../cms/servlet/admin/ProfileAdminServlet.java | 124 ++++++++++----------- + .../cms/servlet/admin/UsrGrpAdminServlet.java | 120 ++++++++++---------- + .../com/netscape/cms/servlet/base/CMSServlet.java | 17 ++- + .../netscape/cms/servlet/csadmin/RegisterUser.java | 14 +-- + .../servlet/csadmin/SecurityDomainProcessor.java | 4 +- + .../cms/servlet/csadmin/UpdateDomainXML.java | 11 +- + .../cms/servlet/processors/CAProcessor.java | 14 +-- + .../org/dogtagpki/server/rest/AuditService.java | 3 +- + .../org/dogtagpki/server/rest/GroupService.java | 4 +- + .../src/org/dogtagpki/server/rest/UserService.java | 6 +- + .../src/com/netscape/cmscore/cert/CertUtils.java | 18 ++- + .../cmscore/selftests/SelfTestSubsystem.java | 9 +- + 28 files changed, 445 insertions(+), 465 deletions(-) + +diff --git 
a/base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java b/base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java +index eae68ef..be61892 100644 +--- a/base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java ++++ b/base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java +@@ -90,9 +90,6 @@ public class ProfileService extends SubsystemService implements ProfileResource + private IProfileSubsystem ps = (IProfileSubsystem) CMS.getSubsystem(IProfileSubsystem.ID); + private IPluginRegistry registry = (IPluginRegistry) CMS.getSubsystem(CMS.SUBSYSTEM_REGISTRY); + +- private final static String LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE = +- "LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE_3"; +- + @Override + public Response listProfiles(Integer start, Integer size) { + +@@ -1198,7 +1195,7 @@ public class ProfileService extends SubsystemService implements ProfileResource + + public void auditProfileChange(String scope, String type, String id, String status, Map params) { + String msg = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, ++ AuditEvent.CONFIG_CERT_PROFILE, + auditor.getSubjectID(), + status, + auditor.getParamString(scope, type, id, params)); +diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java +index dc434fa..716e0d4 100644 +--- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java ++++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java +@@ -35,6 +35,43 @@ import com.netscape.certsrv.base.MessageFormatter; + */ + public class AuditEvent implements IBundleLogEvent { + ++ public final static String AUDIT_LOG_STARTUP = ++ "LOGGING_SIGNED_AUDIT_AUDIT_LOG_STARTUP_2"; ++ public final static String AUDIT_LOG_SHUTDOWN = ++ "LOGGING_SIGNED_AUDIT_AUDIT_LOG_SHUTDOWN_2"; ++ public final static String CIMC_CERT_VERIFICATION = ++ "LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION_3"; ++ public final static String ROLE_ASSUME = ++ 
"LOGGING_SIGNED_AUDIT_ROLE_ASSUME_3"; ++ public final static String CONFIG_CERT_POLICY = ++ "LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY_3"; ++ public final static String CONFIG_CERT_PROFILE = ++ "LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE_3"; ++ public final static String CONFIG_CRL_PROFILE = ++ "LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE_3"; ++ public final static String CONFIG_OCSP_PROFILE = ++ "LOGGING_SIGNED_AUDIT_CONFIG_OCSP_PROFILE_3"; ++ public final static String CONFIG_AUTH = ++ "LOGGING_SIGNED_AUDIT_CONFIG_AUTH_3"; ++ public final static String CONFIG_ROLE = ++ "LOGGING_SIGNED_AUDIT_CONFIG_ROLE_3"; ++ public final static String CONFIG_ACL = ++ "LOGGING_SIGNED_AUDIT_CONFIG_ACL_3"; ++ public final static String CONFIG_SIGNED_AUDIT = ++ "LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT_3"; ++ public final static String CONFIG_ENCRYPTION = ++ "LOGGING_SIGNED_AUDIT_CONFIG_ENCRYPTION_3"; ++ public final static String CONFIG_TRUSTED_PUBLIC_KEY = ++ "LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY_3"; ++ public final static String CONFIG_DRM = ++ "LOGGING_SIGNED_AUDIT_CONFIG_DRM_3"; ++ public final static String SELFTESTS_EXECUTION = ++ "LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION_2"; ++ public final static String AUDIT_LOG_DELETE = ++ "LOGGING_SIGNED_AUDIT_LOG_DELETE_3"; ++ public final static String LOG_PATH_CHANGE = ++ "LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE_4"; ++ + public final static String PRIVATE_KEY_ARCHIVE_REQUEST = + "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_4"; + public final static String PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED = +diff --git a/base/common/src/com/netscape/certsrv/logging/IAuditor.java b/base/common/src/com/netscape/certsrv/logging/IAuditor.java +index 1d31a8c..216015f 100644 +--- a/base/common/src/com/netscape/certsrv/logging/IAuditor.java ++++ b/base/common/src/com/netscape/certsrv/logging/IAuditor.java +@@ -25,9 +25,6 @@ import java.util.Map; + */ + public interface IAuditor { + +- public final static String LOGGING_SIGNED_AUDIT_CONFIG_ROLE = +- 
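Review bot: The new constant `AUDIT_LOG_DELETE` breaks the naming rule the rest of this block follows, where the Java name is the bundle key minus the `LOGGING_SIGNED_` prefix and the numeric suffix: its key is `LOGGING_SIGNED_AUDIT_LOG_DELETE_3`, so the consistent name would be `LOG_DELETE` (or the key should be `LOGGING_SIGNED_AUDIT_AUDIT_LOG_DELETE_3` if that is what the message bundle actually defines). Please check against the bundle before renaming, because a key that does not resolve produces an unusable audit record rather than a compile error. The trailing number on each key appears to be the argument count the message format expects (`AUDIT_LOG_STARTUP_2` is called with two arguments in LogFile, `AUDIT_LOG_DELETE_3` with three in RollingLogFile), and a one-line comment above the block would keep future constants from being wired to the wrong arity: `// Trailing _N is the number of message-format arguments the bundle entry takes.` The class body continues outside the hunk.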
"LOGGING_SIGNED_AUDIT_CONFIG_ROLE_3"; +- + public final static String SIGNED_AUDIT_SCOPE = "Scope"; + public final static String SIGNED_AUDIT_OPERATION = "Operation"; + public final static String SIGNED_AUDIT_RESOURCE = "Resource"; +diff --git a/base/server/cms/src/com/netscape/cms/logging/LogFile.java b/base/server/cms/src/com/netscape/cms/logging/LogFile.java +index fdf3f83..989fece 100644 +--- a/base/server/cms/src/com/netscape/cms/logging/LogFile.java ++++ b/base/server/cms/src/com/netscape/cms/logging/LogFile.java +@@ -102,10 +102,6 @@ public class LogFile implements ILogEventListener, IExtendedPluginInfo { + static final String PROP_BUFFER_SIZE = "bufferSize"; + static final String PROP_FLUSH_INTERVAL = "flushInterval"; + +- private final static String LOGGING_SIGNED_AUDIT_AUDIT_LOG_STARTUP = +- "LOGGING_SIGNED_AUDIT_AUDIT_LOG_STARTUP_2"; +- private final static String LOGGING_SIGNED_AUDIT_AUDIT_LOG_SHUTDOWN = +- "LOGGING_SIGNED_AUDIT_AUDIT_LOG_SHUTDOWN_2"; + private final static String LOG_SIGNED_AUDIT_EXCEPTION = + "LOG_SIGNED_AUDIT_EXCEPTION_1"; + +@@ -647,12 +643,12 @@ public class LogFile implements ILogEventListener, IExtendedPluginInfo { + try { + setupSigning(); + audit(CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_AUDIT_LOG_STARTUP, ++ AuditEvent.AUDIT_LOG_STARTUP, + ILogger.SYSTEM_UID, + ILogger.SUCCESS)); + } catch (EBaseException e) { + audit(CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_AUDIT_LOG_STARTUP, ++ AuditEvent.AUDIT_LOG_STARTUP, + ILogger.SYSTEM_UID, + ILogger.FAILURE)); + throw e; +@@ -872,7 +868,7 @@ public class LogFile implements ILogEventListener, IExtendedPluginInfo { + + // log signed audit shutdown success + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_AUDIT_LOG_SHUTDOWN, ++ AuditEvent.AUDIT_LOG_SHUTDOWN, + ILogger.SYSTEM_UID, + ILogger.SUCCESS); + +diff --git a/base/server/cms/src/com/netscape/cms/logging/RollingLogFile.java b/base/server/cms/src/com/netscape/cms/logging/RollingLogFile.java +index fb70f46..5d2cdd9 100644 
+--- a/base/server/cms/src/com/netscape/cms/logging/RollingLogFile.java ++++ b/base/server/cms/src/com/netscape/cms/logging/RollingLogFile.java +@@ -34,6 +34,7 @@ import com.netscape.certsrv.base.IConfigStore; + import com.netscape.certsrv.base.IExtendedPluginInfo; + import com.netscape.certsrv.common.Constants; + import com.netscape.certsrv.common.NameValuePairs; ++import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.ConsoleError; + import com.netscape.certsrv.logging.ELogException; + import com.netscape.certsrv.logging.ILogEvent; +@@ -95,9 +96,6 @@ public class RollingLogFile extends LogFile { + */ + private Object mExpLock = new Object(); + +- private final static String LOGGING_SIGNED_AUDIT_LOG_DELETE = +- "LOGGING_SIGNED_AUDIT_LOG_DELETE_3"; +- + /** + * Construct a RollingLogFile + */ +@@ -351,14 +349,14 @@ public class RollingLogFile extends LogFile { + if (file.exists()) { + // log failure in deleting an expired signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_LOG_DELETE, ++ AuditEvent.AUDIT_LOG_DELETE, + ILogger.SYSTEM_UID, + ILogger.FAILURE, + fullname); + } else { + // log success in deleting an expired signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_LOG_DELETE, ++ AuditEvent.AUDIT_LOG_DELETE, + ILogger.SYSTEM_UID, + ILogger.SUCCESS, + fullname); +diff --git a/base/server/cms/src/com/netscape/cms/profile/updater/SubsystemGroupUpdater.java b/base/server/cms/src/com/netscape/cms/profile/updater/SubsystemGroupUpdater.java +index b1da188..2f47efa 100644 +--- a/base/server/cms/src/com/netscape/cms/profile/updater/SubsystemGroupUpdater.java ++++ b/base/server/cms/src/com/netscape/cms/profile/updater/SubsystemGroupUpdater.java +@@ -28,6 +28,7 @@ import com.netscape.certsrv.base.ConflictingOperationException; + import com.netscape.certsrv.base.EBaseException; + import com.netscape.certsrv.base.IConfigStore; + import com.netscape.certsrv.base.SessionContext; 
++import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.ILogger; + import com.netscape.certsrv.profile.EProfileException; + import com.netscape.certsrv.profile.IEnrollProfile; +@@ -55,9 +56,6 @@ public class SubsystemGroupUpdater implements IProfileUpdater { + private ILogger mSignedAuditLogger = CMS.getSignedAuditLogger(); + private Vector mConfigNames = new Vector(); + +- private final static String LOGGING_SIGNED_AUDIT_CONFIG_ROLE = +- "LOGGING_SIGNED_AUDIT_CONFIG_ROLE_3"; +- + public SubsystemGroupUpdater() { + } + +@@ -166,7 +164,7 @@ public class SubsystemGroupUpdater implements IProfileUpdater { + system.addUser(user); + CMS.debug("SubsystemGroupUpdater update: successfully add the user"); + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, ++ AuditEvent.CONFIG_ROLE, + auditSubjectID, + ILogger.SUCCESS, + auditParams); +@@ -196,7 +194,7 @@ public class SubsystemGroupUpdater implements IProfileUpdater { + system.addUserCert(user); + CMS.debug("SubsystemGroupUpdater update: successfully add the user certificate"); + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, ++ AuditEvent.CONFIG_ROLE, + auditSubjectID, + ILogger.SUCCESS, + auditParams); +@@ -209,7 +207,7 @@ public class SubsystemGroupUpdater implements IProfileUpdater { + } catch (Exception e) { + CMS.debug("UpdateSubsystemGroup: update addUser " + e.toString()); + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, ++ AuditEvent.CONFIG_ROLE, + auditSubjectID, + ILogger.FAILURE, + auditParams); +@@ -240,7 +238,7 @@ public class SubsystemGroupUpdater implements IProfileUpdater { + system.modifyGroup(group); + + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, ++ AuditEvent.CONFIG_ROLE, + auditSubjectID, + ILogger.SUCCESS, + auditParams); +@@ -253,7 +251,7 @@ public class SubsystemGroupUpdater implements IProfileUpdater { + } catch (Exception e) { + CMS.debug("UpdateSubsystemGroup update: 
modifyGroup " + e.toString()); + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, ++ AuditEvent.CONFIG_ROLE, + auditSubjectID, + ILogger.FAILURE, + auditParams); +diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/ACLAdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/ACLAdminServlet.java +index 1244da1..8c5da18 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/admin/ACLAdminServlet.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/admin/ACLAdminServlet.java +@@ -38,6 +38,7 @@ import com.netscape.certsrv.common.NameValuePairs; + import com.netscape.certsrv.common.OpDef; + import com.netscape.certsrv.common.ScopeDef; + import com.netscape.certsrv.evaluators.IAccessEvaluator; ++import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.ILogger; + + /** +@@ -55,9 +56,6 @@ public class ACLAdminServlet extends AdminServlet { + private final static String INFO = "ACLAdminServlet"; + private IAuthzManager mAuthzMgr = null; + +- private final static String LOGGING_SIGNED_AUDIT_CONFIG_ACL = +- "LOGGING_SIGNED_AUDIT_CONFIG_ACL_3"; +- + /** + * initialize the servlet. + *

    +@@ -338,7 +336,7 @@ public class ACLAdminServlet extends AdminServlet { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_ACL, ++ AuditEvent.CONFIG_ACL, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -363,7 +361,7 @@ public class ACLAdminServlet extends AdminServlet { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_ACL, ++ AuditEvent.CONFIG_ACL, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); +@@ -377,7 +375,7 @@ public class ACLAdminServlet extends AdminServlet { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_ACL, ++ AuditEvent.CONFIG_ACL, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -404,7 +402,7 @@ public class ACLAdminServlet extends AdminServlet { + } catch (IOException eAudit2) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_ACL, ++ AuditEvent.CONFIG_ACL, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -502,7 +500,7 @@ public class ACLAdminServlet extends AdminServlet { + if (type == null) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_ACL, ++ AuditEvent.CONFIG_ACL, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -544,7 +542,7 @@ public class ACLAdminServlet extends AdminServlet { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_ACL, ++ AuditEvent.CONFIG_ACL, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -567,7 +565,7 @@ public class ACLAdminServlet extends AdminServlet { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_ACL, ++ AuditEvent.CONFIG_ACL, + auditSubjectID, + 
ILogger.FAILURE, + auditParams(req)); +@@ -587,7 +585,7 @@ public class ACLAdminServlet extends AdminServlet { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_ACL, ++ AuditEvent.CONFIG_ACL, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -612,7 +610,7 @@ public class ACLAdminServlet extends AdminServlet { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_ACL, ++ AuditEvent.CONFIG_ACL, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -635,7 +633,7 @@ public class ACLAdminServlet extends AdminServlet { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_ACL, ++ AuditEvent.CONFIG_ACL, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -660,7 +658,7 @@ public class ACLAdminServlet extends AdminServlet { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_ACL, ++ AuditEvent.CONFIG_ACL, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); +@@ -683,7 +681,7 @@ public class ACLAdminServlet extends AdminServlet { + } catch (IOException eAudit2) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_ACL, ++ AuditEvent.CONFIG_ACL, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -741,7 +739,7 @@ public class ACLAdminServlet extends AdminServlet { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_ACL, ++ AuditEvent.CONFIG_ACL, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -762,7 +760,7 @@ public class ACLAdminServlet extends AdminServlet { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_ACL, ++ AuditEvent.CONFIG_ACL, + auditSubjectID, + 
ILogger.FAILURE, + auditParams(req)); +@@ -797,7 +795,7 @@ public class ACLAdminServlet extends AdminServlet { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_ACL, ++ AuditEvent.CONFIG_ACL, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -812,7 +810,7 @@ public class ACLAdminServlet extends AdminServlet { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_ACL, ++ AuditEvent.CONFIG_ACL, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); +@@ -836,7 +834,7 @@ public class ACLAdminServlet extends AdminServlet { + } catch (IOException eAudit2) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_ACL, ++ AuditEvent.CONFIG_ACL, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java +index 0350e38..089fcbe 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java +@@ -122,8 +122,6 @@ public class AdminServlet extends HttpServlet { + public static final String CERT_ATTR = + "javax.servlet.request.X509Certificate"; + +- private final static String LOGGING_SIGNED_AUDIT_ROLE_ASSUME = +- "LOGGING_SIGNED_AUDIT_ROLE_ASSUME_3"; + private final static String CERTUSERDB = + IAuthSubsystem.CERTUSERDB_AUTHMGR_ID; + private final static String PASSWDUSERDB = +@@ -657,7 +655,7 @@ public class AdminServlet extends HttpServlet { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_ROLE_ASSUME, ++ AuditEvent.ROLE_ASSUME, + auditSubjectID, + ILogger.FAILURE, + auditGroups(auditSubjectID)); +@@ -680,7 +678,7 @@ public class AdminServlet extends HttpServlet { 
+ + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_ROLE_ASSUME, ++ AuditEvent.ROLE_ASSUME, + auditSubjectID, + ILogger.FAILURE, + auditGroups(auditSubjectID)); +@@ -701,7 +699,7 @@ public class AdminServlet extends HttpServlet { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_ROLE_ASSUME, ++ AuditEvent.ROLE_ASSUME, + auditSubjectID, + ILogger.FAILURE, + auditGroups(auditSubjectID)); +@@ -723,7 +721,7 @@ public class AdminServlet extends HttpServlet { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_ROLE_ASSUME, ++ AuditEvent.ROLE_ASSUME, + auditSubjectID, + ILogger.SUCCESS, + auditGroups(auditSubjectID)); +diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/AuthAdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/AuthAdminServlet.java +index 71cf8a2..253a9cd 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/admin/AuthAdminServlet.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/admin/AuthAdminServlet.java +@@ -43,6 +43,7 @@ import com.netscape.certsrv.common.NameValuePairs; + import com.netscape.certsrv.common.OpDef; + import com.netscape.certsrv.common.ScopeDef; + import com.netscape.certsrv.ldap.ILdapAuthInfo; ++import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.ILogger; + + /** +@@ -66,9 +67,6 @@ public class AuthAdminServlet extends AdminServlet { + "PASSWORD_CACHE_ADD"; + private final static String EDIT = ";" + Constants.EDIT; + +- private final static String LOGGING_SIGNED_AUDIT_CONFIG_AUTH = +- "LOGGING_SIGNED_AUDIT_CONFIG_AUTH_3"; +- + public AuthAdminServlet() { + super(); + } +@@ -382,7 +380,7 @@ public class AuthAdminServlet extends AdminServlet { + if (id == null) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_AUTH, 
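Review bot: AdminServlet.java references `AuditEvent.ROLE_ASSUME` in its four changed lines but, unlike every other file in this patch, gets no `import com.netscape.certsrv.logging.AuditEvent;` hunk, and the diffstat's 10 changed lines (2 removed constant lines plus four -/+ pairs) leave no room for one. Unless the file already imports that class or `com.netscape.certsrv.logging.*`, this will not compile; please confirm the existing import list and add `import com.netscape.certsrv.logging.AuditEvent;` if it is missing. The methods these hunks touch start and end outside the hunks.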
++ AuditEvent.CONFIG_AUTH,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -399,7 +397,7 @@ public class AuthAdminServlet extends AdminServlet {
+ if (mAuths.getPlugins().containsKey(id)) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
++ AuditEvent.CONFIG_AUTH,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -419,7 +417,7 @@ public class AuthAdminServlet extends AdminServlet {
+ if (classPath == null) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
++ AuditEvent.CONFIG_AUTH,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -436,7 +434,7 @@ public class AuthAdminServlet extends AdminServlet {
+ classPath.equals("com.netscape.cmscore.authentication.CertUserDBAuthentication")) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
++ AuditEvent.CONFIG_AUTH,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -464,7 +462,7 @@ public class AuthAdminServlet extends AdminServlet {
+ } catch (ClassNotFoundException e) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
++ AuditEvent.CONFIG_AUTH,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -478,7 +476,7 @@ public class AuthAdminServlet extends AdminServlet {
+ } catch (IllegalArgumentException e) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
++ AuditEvent.CONFIG_AUTH,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -496,7 +494,7 @@ public class AuthAdminServlet extends AdminServlet {
+ if (IAuthManager.class.isAssignableFrom(newImpl) == false) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
++ AuditEvent.CONFIG_AUTH,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -511,7 +509,7 @@ public class AuthAdminServlet extends AdminServlet {
+ } catch (NullPointerException e) { // unlikely, only if newImpl null.
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
++ AuditEvent.CONFIG_AUTH,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -534,7 +532,7 @@ public class AuthAdminServlet extends AdminServlet {
+ } catch (EBaseException e) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
++ AuditEvent.CONFIG_AUTH,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -559,7 +557,7 @@ public class AuthAdminServlet extends AdminServlet {
+ 
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
++ AuditEvent.CONFIG_AUTH,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ auditParams(req));
+@@ -583,7 +581,7 @@ public class AuthAdminServlet extends AdminServlet {
+ } catch (IOException eAudit2) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
++ AuditEvent.CONFIG_AUTH,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -638,7 +636,7 @@ public class AuthAdminServlet extends AdminServlet {
+ if (id == null) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
++ AuditEvent.CONFIG_AUTH,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -655,7 +653,7 @@ public class AuthAdminServlet extends AdminServlet {
+ if (mAuths.getInstances().containsKey(id)) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
++ AuditEvent.CONFIG_AUTH,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -676,7 +674,7 @@ public class AuthAdminServlet extends AdminServlet {
+ if (implname == null) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
++ AuditEvent.CONFIG_AUTH,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -703,7 +701,7 @@ public class AuthAdminServlet extends AdminServlet {
+ if (plugin == null) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
++ AuditEvent.CONFIG_AUTH,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -756,7 +754,7 @@ public class AuthAdminServlet extends AdminServlet {
+ } catch (ClassNotFoundException e) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
++ AuditEvent.CONFIG_AUTH,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -774,7 +772,7 @@ public class AuthAdminServlet extends AdminServlet {
+ } catch (InstantiationException e) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
++ AuditEvent.CONFIG_AUTH,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -791,7 +789,7 @@ public class AuthAdminServlet extends AdminServlet {
+ } catch (IllegalAccessException e) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
++ AuditEvent.CONFIG_AUTH,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -813,7 +811,7 @@ public class AuthAdminServlet extends AdminServlet {
+ } catch (EBaseException e) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
++ AuditEvent.CONFIG_AUTH,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -832,7 +830,7 @@ public class AuthAdminServlet extends AdminServlet {
+ } catch (EBaseException e) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
++ AuditEvent.CONFIG_AUTH,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -859,7 +857,7 @@ public class AuthAdminServlet extends AdminServlet {
+ 
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
++ AuditEvent.CONFIG_AUTH,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ auditParams(req));
+@@ -871,7 +869,7 @@ public class AuthAdminServlet extends AdminServlet {
+ } catch (EBaseException eAudit1) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
++ AuditEvent.CONFIG_AUTH,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -883,7 +881,7 @@ public class AuthAdminServlet extends AdminServlet {
+ } catch (IOException eAudit2) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
++ AuditEvent.CONFIG_AUTH,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -986,7 +984,7 @@ public class AuthAdminServlet extends AdminServlet {
+ if (id == null) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
++ AuditEvent.CONFIG_AUTH,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -1011,7 +1009,7 @@ public class AuthAdminServlet extends AdminServlet {
+ if (mAuths.getPlugins().containsKey(id) == false) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
++ AuditEvent.CONFIG_AUTH,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -1034,7 +1032,7 @@ public class AuthAdminServlet extends AdminServlet {
+ if (authMgr.getImplName() == id) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
++ AuditEvent.CONFIG_AUTH,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -1063,7 +1061,7 @@ public class AuthAdminServlet extends AdminServlet {
+ } catch (EBaseException e) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
++ AuditEvent.CONFIG_AUTH,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -1078,7 +1076,7 @@ public class AuthAdminServlet extends AdminServlet {
+ 
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
++ AuditEvent.CONFIG_AUTH,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ auditParams(req));
+@@ -1102,7 +1100,7 @@ public class AuthAdminServlet extends AdminServlet {
+ } catch (IOException eAudit2) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
++ AuditEvent.CONFIG_AUTH,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -1158,7 +1156,7 @@ public class AuthAdminServlet extends AdminServlet {
+ if (id == null) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
++ AuditEvent.CONFIG_AUTH,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -1183,7 +1181,7 @@ public class AuthAdminServlet extends AdminServlet {
+ if (mAuths.getInstances().containsKey(id) == false) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
++ AuditEvent.CONFIG_AUTH,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -1216,7 +1214,7 @@ public class AuthAdminServlet extends AdminServlet {
+ } catch (EBaseException e) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
++ AuditEvent.CONFIG_AUTH,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -1238,7 +1236,7 @@ public class AuthAdminServlet extends AdminServlet {
+ 
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
++ AuditEvent.CONFIG_AUTH,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ auditParams(req));
+@@ -1262,7 +1260,7 @@ public class AuthAdminServlet extends AdminServlet {
+ } catch (IOException eAudit2) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
++ AuditEvent.CONFIG_AUTH,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -1409,7 +1407,7 @@ public class AuthAdminServlet extends AdminServlet {
+ if (id == null) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
++ AuditEvent.CONFIG_AUTH,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -1434,7 +1432,7 @@ public class AuthAdminServlet extends AdminServlet {
+ if (!mAuths.getInstances().containsKey(id)) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
++ AuditEvent.CONFIG_AUTH,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -1453,7 +1451,7 @@ public class AuthAdminServlet extends AdminServlet {
+ if (implname == null) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
++ AuditEvent.CONFIG_AUTH,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -1472,7 +1470,7 @@ public class AuthAdminServlet extends AdminServlet {
+ if (plugin == null) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
++ AuditEvent.CONFIG_AUTH,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -1548,7 +1546,7 @@ public class AuthAdminServlet extends AdminServlet {
+ } catch (ClassNotFoundException e) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
++ AuditEvent.CONFIG_AUTH,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -1566,7 +1564,7 @@ public class AuthAdminServlet extends AdminServlet {
+ } catch (InstantiationException e) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
++ AuditEvent.CONFIG_AUTH,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -1583,7 +1581,7 @@ public class AuthAdminServlet extends AdminServlet {
+ } catch (IllegalAccessException e) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
++ AuditEvent.CONFIG_AUTH,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -1606,7 +1604,7 @@ public class AuthAdminServlet extends AdminServlet {
+ } catch (EBaseException e) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
++ AuditEvent.CONFIG_AUTH,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -1625,7 +1623,7 @@ public class AuthAdminServlet extends AdminServlet {
+ } catch (EBaseException e) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
++ AuditEvent.CONFIG_AUTH,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -1652,7 +1650,7 @@ public class AuthAdminServlet extends AdminServlet {
+ 
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
++ AuditEvent.CONFIG_AUTH,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ auditParams(req));
+@@ -1664,7 +1662,7 @@ public class AuthAdminServlet extends AdminServlet {
+ } catch (EBaseException eAudit1) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
++ AuditEvent.CONFIG_AUTH,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -1676,7 +1674,7 @@ public class AuthAdminServlet extends AdminServlet {
+ } catch (IOException eAudit2) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
++ AuditEvent.CONFIG_AUTH,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/CAAdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/CAAdminServlet.java
+index 09c77e5..5ece2c8 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/admin/CAAdminServlet.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/admin/CAAdminServlet.java
+@@ -39,6 +39,7 @@ import com.netscape.certsrv.common.Constants;
+ import com.netscape.certsrv.common.NameValuePairs;
+ import com.netscape.certsrv.common.OpDef;
+ import com.netscape.certsrv.common.ScopeDef;
++import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
+ import com.netscape.certsrv.request.IRequestListener;
+ import com.netscape.cmsutil.util.Utils;
+@@ -62,9 +63,6 @@ public class CAAdminServlet extends AdminServlet {
+ 
+ private final static String INFO = "CAAdminServlet";
+ 
+- private final static String LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE =
+- "LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE_3";
+-
+ private ICertificateAuthority mCA = null;
+ protected static final String PROP_ENABLED = "enabled";
+ 
+@@ -537,7 +535,7 @@ public class CAAdminServlet extends AdminServlet {
+ if (ipId == null || ipId.length() == 0) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE,
++ AuditEvent.CONFIG_CRL_PROFILE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -554,7 +552,7 @@ public class CAAdminServlet extends AdminServlet {
+ if (desc == null) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE,
++ AuditEvent.CONFIG_CRL_PROFILE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -587,7 +585,7 @@ public class CAAdminServlet extends AdminServlet {
+ if (ipId.equals(name)) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE,
++ AuditEvent.CONFIG_CRL_PROFILE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -601,7 +599,7 @@ public class CAAdminServlet extends AdminServlet {
+ if (!mCA.addCRLIssuingPoint(crlSubStore, ipId, enable, desc)) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE,
++ AuditEvent.CONFIG_CRL_PROFILE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -615,7 +613,7 @@ public class CAAdminServlet extends AdminServlet {
+ 
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE,
++ AuditEvent.CONFIG_CRL_PROFILE,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ auditParams(req));
+@@ -626,7 +624,7 @@ public class CAAdminServlet extends AdminServlet {
+ } catch (EBaseException eAudit1) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE,
++ AuditEvent.CONFIG_CRL_PROFILE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -638,7 +636,7 @@ public class CAAdminServlet extends AdminServlet {
+ } catch (IOException eAudit2) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE,
++ AuditEvent.CONFIG_CRL_PROFILE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -693,7 +691,7 @@ public class CAAdminServlet extends AdminServlet {
+ if (ipId == null || ipId.length() == 0) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE,
++ AuditEvent.CONFIG_CRL_PROFILE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -710,7 +708,7 @@ public class CAAdminServlet extends AdminServlet {
+ if (desc == null) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE,
++ AuditEvent.CONFIG_CRL_PROFILE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -762,7 +760,7 @@ public class CAAdminServlet extends AdminServlet {
+ if (!done) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE,
++ AuditEvent.CONFIG_CRL_PROFILE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -776,7 +774,7 @@ public class CAAdminServlet extends AdminServlet {
+ 
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE,
++ AuditEvent.CONFIG_CRL_PROFILE,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ auditParams(req));
+@@ -787,7 +785,7 @@ public class CAAdminServlet extends AdminServlet {
+ } catch (EBaseException eAudit1) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE,
++ AuditEvent.CONFIG_CRL_PROFILE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -799,7 +797,7 @@ public class CAAdminServlet extends AdminServlet {
+ } catch (IOException eAudit2) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE,
++ AuditEvent.CONFIG_CRL_PROFILE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -869,7 +867,7 @@ public class CAAdminServlet extends AdminServlet {
+ if (!done) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE,
++ AuditEvent.CONFIG_CRL_PROFILE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -884,7 +882,7 @@ public class CAAdminServlet extends AdminServlet {
+ 
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE,
++ AuditEvent.CONFIG_CRL_PROFILE,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ auditParams(req));
+@@ -895,7 +893,7 @@ public class CAAdminServlet extends AdminServlet {
+ } catch (EBaseException eAudit1) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE,
++ AuditEvent.CONFIG_CRL_PROFILE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -907,7 +905,7 @@ public class CAAdminServlet extends AdminServlet {
+ } catch (IOException eAudit2) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE,
++ AuditEvent.CONFIG_CRL_PROFILE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -1039,7 +1037,7 @@ public class CAAdminServlet extends AdminServlet {
+ 
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE,
++ AuditEvent.CONFIG_CRL_PROFILE,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ auditParams(req));
+@@ -1050,7 +1048,7 @@ public class CAAdminServlet extends AdminServlet {
+ } catch (EBaseException eAudit1) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE,
++ AuditEvent.CONFIG_CRL_PROFILE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -1062,7 +1060,7 @@ public class CAAdminServlet extends AdminServlet {
+ } catch (IOException eAudit2) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE,
++ AuditEvent.CONFIG_CRL_PROFILE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -1246,7 +1244,7 @@ public class CAAdminServlet extends AdminServlet {
+ 
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE,
++ AuditEvent.CONFIG_CRL_PROFILE,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ auditParams(req));
+@@ -1260,7 +1258,7 @@ public class CAAdminServlet extends AdminServlet {
+ } catch (EBaseException eAudit1) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE,
++ AuditEvent.CONFIG_CRL_PROFILE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -1272,7 +1270,7 @@ public class CAAdminServlet extends AdminServlet {
+ } catch (IOException eAudit2) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE,
++ AuditEvent.CONFIG_CRL_PROFILE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java
+index 3e73dc6..229c377 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java
+@@ -106,14 +106,6 @@ public final class CMSAdminServlet extends AdminServlet {
+ 
+ private ILogger mSignedAuditLogger = CMS.getSignedAuditLogger();
+ private final static byte EOL[] = { Character.LINE_SEPARATOR };
+- private final static String LOGGING_SIGNED_AUDIT_CONFIG_ENCRYPTION =
+- "LOGGING_SIGNED_AUDIT_CONFIG_ENCRYPTION_3";
+- private final static String LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY =
+- "LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY_3";
+- private final static String LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION =
+- "LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION_2";
+- private final static String LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION =
+- "LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION_3";
+ 
+ // CMS must be instantiated before this admin servlet.
+ 
+@@ -574,7 +566,7 @@ public final class CMSAdminServlet extends AdminServlet {
+ if (tokenizer.countTokens() != 2) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_ENCRYPTION,
++ AuditEvent.CONFIG_ENCRYPTION,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -599,7 +591,7 @@ public final class CMSAdminServlet extends AdminServlet {
+ } else
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_ENCRYPTION,
++ AuditEvent.CONFIG_ENCRYPTION,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -636,7 +628,7 @@ public final class CMSAdminServlet extends AdminServlet {
+ 
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_ENCRYPTION,
++ AuditEvent.CONFIG_ENCRYPTION,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ auditParams(req));
+@@ -648,7 +640,7 @@ public final class CMSAdminServlet extends AdminServlet {
+ } catch (EBaseException eAudit1) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_ENCRYPTION,
++ AuditEvent.CONFIG_ENCRYPTION,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -660,7 +652,7 @@ public final class CMSAdminServlet extends AdminServlet {
+ } catch (IOException eAudit2) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_ENCRYPTION,
++ AuditEvent.CONFIG_ENCRYPTION,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -1494,7 +1486,7 @@ public final class CMSAdminServlet extends AdminServlet {
+ } else {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY,
++ AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
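Review bot: The `@@ -106,14 +106,6 @@` hunk in CMSAdminServlet drops four string constants whose values carried an explicit numeric suffix (`..._CONFIG_ENCRYPTION_3`, `..._SELFTESTS_EXECUTION_2`, `..._CIMC_CERT_VERIFICATION_3`), and every `CMS.getLogMessage(...)` call site now passes `AuditEvent.CONFIG_ENCRYPTION` and friends instead; nothing in the hunk shows that those shared constants resolve to the same message keys, so if the suffix encodes the parameter count of the message-bundle entry, a mismatch would silently produce a malformed or missing signed-audit record rather than a compile error. The same substitution is made in CAAdminServlet (`@@ -62,9 +63,6 @@`, `_3`), KRAAdminServlet (`@@ -54,9 +55,6 @@`, `_3`) and LogAdminServlet (`@@ -64,10 +65,6 @@`, `_3` and `_4`). I would add a note at the first replaced call site such as `// AuditEvent.* must map to the same LOGGING_SIGNED_AUDIT_*_N bundle key (N = parameter count) as the removed local constant` and, if no such test exists, a unit test that formats one SUCCESS and one FAILURE message per event and checks that no placeholder is left unfilled. The enclosing class bodies continue outside the hunks.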
+@@ -1514,7 +1506,7 @@ public final class CMSAdminServlet extends AdminServlet { + } else { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY, ++ AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -1534,7 +1526,7 @@ public final class CMSAdminServlet extends AdminServlet { + if (nickname.equals("")) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY, ++ AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -1781,7 +1773,7 @@ public final class CMSAdminServlet extends AdminServlet { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY, ++ AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); +@@ -1794,7 +1786,7 @@ public final class CMSAdminServlet extends AdminServlet { + CMS.debug("CMSAdminServlet: issueImportCert: EBaseException thrown: " + eAudit1.toString()); + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY, ++ AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -1807,7 +1799,7 @@ public final class CMSAdminServlet extends AdminServlet { + CMS.debug("CMSAdminServlet: issueImportCert: IOException thrown: " + eAudit2.toString()); + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY, ++ AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -1900,7 +1892,7 @@ public final class CMSAdminServlet extends AdminServlet { + if (certpath == null || certpath.equals("")) { + // store a message in the signed audit log file + 
auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY, ++ AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -1934,7 +1926,7 @@ public final class CMSAdminServlet extends AdminServlet { + } catch (IOException ee) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY, ++ AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -1964,7 +1956,7 @@ public final class CMSAdminServlet extends AdminServlet { + } else { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY, ++ AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -2193,7 +2185,7 @@ public final class CMSAdminServlet extends AdminServlet { + verified = true; + + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION, ++ AuditEvent.CIMC_CERT_VERIFICATION, + auditSubjectID, + ILogger.SUCCESS, + nickname); +@@ -2203,7 +2195,7 @@ public final class CMSAdminServlet extends AdminServlet { + } catch (Exception e) { + CMS.debug(e); + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION, ++ AuditEvent.CIMC_CERT_VERIFICATION, + auditSubjectID, + ILogger.FAILURE, + nickname); +@@ -2213,7 +2205,7 @@ public final class CMSAdminServlet extends AdminServlet { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY, ++ AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); +@@ -2230,7 +2222,7 @@ public final class CMSAdminServlet extends AdminServlet { + } catch (EBaseException eAudit1) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- 
LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY, ++ AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -2242,7 +2234,7 @@ public final class CMSAdminServlet extends AdminServlet { + } catch (IOException eAudit2) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY, ++ AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -2319,7 +2311,7 @@ public final class CMSAdminServlet extends AdminServlet { + if (certpath == null || certpath.equals("")) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY, ++ AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -2352,7 +2344,7 @@ public final class CMSAdminServlet extends AdminServlet { + } catch (IOException ee) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY, ++ AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -2386,7 +2378,7 @@ public final class CMSAdminServlet extends AdminServlet { + } catch (Exception e) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY, ++ AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -2405,7 +2397,7 @@ public final class CMSAdminServlet extends AdminServlet { + } catch (EBaseException e) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY, ++ AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -2426,7 +2418,7 @@ public final class CMSAdminServlet extends AdminServlet { + + // store a 
message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY, ++ AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); +@@ -2437,7 +2429,7 @@ public final class CMSAdminServlet extends AdminServlet { + } catch (EBaseException eAudit1) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY, ++ AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -2449,7 +2441,7 @@ public final class CMSAdminServlet extends AdminServlet { + } catch (IOException eAudit2) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY, ++ AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -2952,7 +2944,7 @@ public final class CMSAdminServlet extends AdminServlet { + jssSubSystem.setRootCertTrust(nickname, serialno, issuername, trust); + } catch (EBaseException e) { + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY, ++ AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -2964,7 +2956,7 @@ public final class CMSAdminServlet extends AdminServlet { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY, ++ AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); +@@ -3020,7 +3012,7 @@ public final class CMSAdminServlet extends AdminServlet { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY, ++ AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); +@@ -3032,7 +3024,7 @@ public final class CMSAdminServlet 
extends AdminServlet { + } catch (EBaseException eAudit1) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY, ++ AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -3044,7 +3036,7 @@ public final class CMSAdminServlet extends AdminServlet { + } catch (IOException eAudit2) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY, ++ AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -3132,7 +3124,7 @@ public final class CMSAdminServlet extends AdminServlet { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION, ++ AuditEvent.SELFTESTS_EXECUTION, + auditSubjectID, + ILogger.FAILURE); + +@@ -3185,7 +3177,7 @@ public final class CMSAdminServlet extends AdminServlet { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION, ++ AuditEvent.SELFTESTS_EXECUTION, + auditSubjectID, + ILogger.FAILURE); + +@@ -3215,7 +3207,7 @@ public final class CMSAdminServlet extends AdminServlet { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION, ++ AuditEvent.SELFTESTS_EXECUTION, + auditSubjectID, + ILogger.FAILURE); + +@@ -3268,7 +3260,7 @@ public final class CMSAdminServlet extends AdminServlet { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION, ++ AuditEvent.SELFTESTS_EXECUTION, + auditSubjectID, + ILogger.FAILURE); + +@@ -3316,7 +3308,7 @@ public final class CMSAdminServlet extends AdminServlet { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- 
LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION, ++ AuditEvent.SELFTESTS_EXECUTION, + auditSubjectID, + ILogger.SUCCESS); + +@@ -3336,7 +3328,7 @@ public final class CMSAdminServlet extends AdminServlet { + } catch (EMissingSelfTestException eAudit1) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION, ++ AuditEvent.SELFTESTS_EXECUTION, + auditSubjectID, + ILogger.FAILURE); + +@@ -3347,7 +3339,7 @@ public final class CMSAdminServlet extends AdminServlet { + } catch (ESelfTestException eAudit2) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION, ++ AuditEvent.SELFTESTS_EXECUTION, + auditSubjectID, + ILogger.FAILURE); + +@@ -3358,7 +3350,7 @@ public final class CMSAdminServlet extends AdminServlet { + } catch (IOException eAudit3) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION, ++ AuditEvent.SELFTESTS_EXECUTION, + auditSubjectID, + ILogger.FAILURE); + +diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/GroupMemberProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/admin/GroupMemberProcessor.java +index f974db4..00f960e 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/admin/GroupMemberProcessor.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/admin/GroupMemberProcessor.java +@@ -43,8 +43,8 @@ import com.netscape.certsrv.group.GroupMemberCollection; + import com.netscape.certsrv.group.GroupMemberData; + import com.netscape.certsrv.group.GroupNotFoundException; + import com.netscape.certsrv.group.GroupResource; ++import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.AuditFormat; +-import com.netscape.certsrv.logging.IAuditor; + import com.netscape.certsrv.logging.ILogger; + import com.netscape.certsrv.usrgrp.IGroup; + import 
com.netscape.certsrv.usrgrp.IUGSubsystem; +@@ -388,6 +388,6 @@ public class GroupMemberProcessor extends Processor { + } + + public void audit(String type, String id, Map params, String status) { +- audit(IAuditor.LOGGING_SIGNED_AUDIT_CONFIG_ROLE, ScopeDef.SC_GROUP_MEMBERS, type, id, params, status); ++ audit(AuditEvent.CONFIG_ROLE, ScopeDef.SC_GROUP_MEMBERS, type, id, params, status); + } + } +diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/KRAAdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/KRAAdminServlet.java +index 3f9f558..5583d12 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/admin/KRAAdminServlet.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/admin/KRAAdminServlet.java +@@ -32,6 +32,7 @@ import com.netscape.certsrv.common.NameValuePairs; + import com.netscape.certsrv.common.OpDef; + import com.netscape.certsrv.common.ScopeDef; + import com.netscape.certsrv.kra.IKeyRecoveryAuthority; ++import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.ILogger; + + /** +@@ -54,9 +55,6 @@ public class KRAAdminServlet extends AdminServlet { + + private IKeyRecoveryAuthority mKRA = null; + +- private final static String LOGGING_SIGNED_AUDIT_CONFIG_DRM = +- "LOGGING_SIGNED_AUDIT_CONFIG_DRM_3"; +- + /** + * Constructs KRA servlet. 
+ */ +@@ -204,7 +202,7 @@ public class KRAAdminServlet extends AdminServlet { + mKRA.setNoOfRequiredAgents(number); + } catch (NumberFormatException e) { + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_DRM, ++ AuditEvent.CONFIG_DRM, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -218,7 +216,7 @@ public class KRAAdminServlet extends AdminServlet { + commit(true); + + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_DRM, ++ AuditEvent.CONFIG_DRM, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); +diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/LogAdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/LogAdminServlet.java +index 13ba52c..c424520 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/admin/LogAdminServlet.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/admin/LogAdminServlet.java +@@ -36,6 +36,7 @@ import com.netscape.certsrv.common.Constants; + import com.netscape.certsrv.common.NameValuePairs; + import com.netscape.certsrv.common.OpDef; + import com.netscape.certsrv.common.ScopeDef; ++import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.ELogException; + import com.netscape.certsrv.logging.ELogNotFound; + import com.netscape.certsrv.logging.ELogPluginNotFound; +@@ -64,10 +65,6 @@ public class LogAdminServlet extends AdminServlet { + private ILogSubsystem mSys = null; + + private final static String SIGNED_AUDIT_LOG_TYPE = "SignedAudit"; +- private final static String LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT = +- "LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT_3"; +- private final static String LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE = +- "LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE_4"; + + /** + * Constructs Log servlet. 
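Review bot: The `@@ -54,9 +55,6 @@` hunk in KRAAdminServlet drops the local constant that pinned the message key to `"LOGGING_SIGNED_AUDIT_CONFIG_DRM_3"`, and the `_3` suffix presumably encodes the three arguments the call sites in the following hunks still pass (`auditSubjectID, ILogger.FAILURE, auditParams(req)`); `AuditEvent.CONFIG_DRM` is defined outside this patch, so nothing visible here confirms it resolves to the same key. If the new constant maps to a different template, the signed-audit records for changes to the number of required recovery agents would be emitted malformed at runtime rather than rejected at compile time, which is exactly the kind of silent degradation a signed audit trail must not have. I would add a test asserting `AuditEvent.CONFIG_DRM.equals("LOGGING_SIGNED_AUDIT_CONFIG_DRM_3")` (or whatever the resource-bundle key is) so the mapping is pinned, and grep the message bundle for the key before merging. The same arity concern applies to every `_3`/`_4` constant removed elsewhere in this patch.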
+@@ -439,7 +436,7 @@ public class LogAdminServlet extends AdminServlet { + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, ++ AuditEvent.CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -458,7 +455,7 @@ public class LogAdminServlet extends AdminServlet { + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, ++ AuditEvent.CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -479,7 +476,7 @@ public class LogAdminServlet extends AdminServlet { + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, ++ AuditEvent.CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -508,7 +505,7 @@ public class LogAdminServlet extends AdminServlet { + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, ++ AuditEvent.CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -524,7 +521,7 @@ public class LogAdminServlet extends AdminServlet { + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, ++ AuditEvent.CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -544,7 +541,7 @@ public class LogAdminServlet extends AdminServlet { + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, ++ 
AuditEvent.CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -561,7 +558,7 @@ public class LogAdminServlet extends AdminServlet { + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, ++ AuditEvent.CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -588,7 +585,7 @@ public class LogAdminServlet extends AdminServlet { + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, ++ AuditEvent.CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -612,7 +609,7 @@ public class LogAdminServlet extends AdminServlet { + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, ++ AuditEvent.CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); +@@ -637,7 +634,7 @@ public class LogAdminServlet extends AdminServlet { + } catch (IOException eAudit2) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, ++ AuditEvent.CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -709,7 +706,7 @@ public class LogAdminServlet extends AdminServlet { + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, ++ AuditEvent.CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -727,7 +724,7 @@ public class LogAdminServlet extends AdminServlet { + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { + auditMessage = 
CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, ++ AuditEvent.CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -744,7 +741,7 @@ public class LogAdminServlet extends AdminServlet { + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, ++ AuditEvent.CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -766,7 +763,7 @@ public class LogAdminServlet extends AdminServlet { + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, ++ AuditEvent.CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -789,7 +786,7 @@ public class LogAdminServlet extends AdminServlet { + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, ++ AuditEvent.CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -849,7 +846,7 @@ public class LogAdminServlet extends AdminServlet { + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, ++ AuditEvent.CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -868,7 +865,7 @@ public class LogAdminServlet extends AdminServlet { + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, ++ AuditEvent.CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -887,7 +884,7 @@ public class LogAdminServlet extends AdminServlet { + // store a message in the signed audit log file 
+ if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, ++ AuditEvent.CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -912,7 +909,7 @@ public class LogAdminServlet extends AdminServlet { + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, ++ AuditEvent.CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -928,7 +925,7 @@ public class LogAdminServlet extends AdminServlet { + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, ++ AuditEvent.CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -950,7 +947,7 @@ public class LogAdminServlet extends AdminServlet { + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, ++ AuditEvent.CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -974,7 +971,7 @@ public class LogAdminServlet extends AdminServlet { + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, ++ AuditEvent.CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); +@@ -999,7 +996,7 @@ public class LogAdminServlet extends AdminServlet { + } catch (IOException eAudit2) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, ++ AuditEvent.CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -1103,7 +1100,7 @@ public class LogAdminServlet extends 
AdminServlet { + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, ++ AuditEvent.CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -1122,7 +1119,7 @@ public class LogAdminServlet extends AdminServlet { + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, ++ AuditEvent.CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -1158,7 +1155,7 @@ public class LogAdminServlet extends AdminServlet { + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, ++ AuditEvent.CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -1175,7 +1172,7 @@ public class LogAdminServlet extends AdminServlet { + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, ++ AuditEvent.CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); +@@ -1200,7 +1197,7 @@ public class LogAdminServlet extends AdminServlet { + } catch (IOException eAudit2) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, ++ AuditEvent.CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -1265,7 +1262,7 @@ public class LogAdminServlet extends AdminServlet { + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, ++ AuditEvent.CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.FAILURE, + 
auditParams(req)); +@@ -1283,7 +1280,7 @@ public class LogAdminServlet extends AdminServlet { + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, ++ AuditEvent.CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -1308,7 +1305,7 @@ public class LogAdminServlet extends AdminServlet { + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, ++ AuditEvent.CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -1339,7 +1336,7 @@ public class LogAdminServlet extends AdminServlet { + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, ++ AuditEvent.CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -1356,7 +1353,7 @@ public class LogAdminServlet extends AdminServlet { + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, ++ AuditEvent.CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); +@@ -1381,7 +1378,7 @@ public class LogAdminServlet extends AdminServlet { + } catch (IOException eAudit2) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, ++ AuditEvent.CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -1472,7 +1469,7 @@ public class LogAdminServlet extends AdminServlet { + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, ++ 
AuditEvent.CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -1491,7 +1488,7 @@ public class LogAdminServlet extends AdminServlet { + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, ++ AuditEvent.CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -1512,7 +1509,7 @@ public class LogAdminServlet extends AdminServlet { + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, ++ AuditEvent.CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -1534,7 +1531,7 @@ public class LogAdminServlet extends AdminServlet { + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, ++ AuditEvent.CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -1673,7 +1670,7 @@ public class LogAdminServlet extends AdminServlet { + // file (regardless of logType) + if (!(newLogPath.equals(origLogPath))) { + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE, ++ AuditEvent.LOG_PATH_CHANGE, + auditSubjectID, + ILogger.FAILURE, + logType, +@@ -1686,7 +1683,7 @@ public class LogAdminServlet extends AdminServlet { + // file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, ++ AuditEvent.CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -1775,7 +1772,7 @@ public class LogAdminServlet extends AdminServlet { + // (regardless of logType) + if (!(newLogPath.equals(origLogPath))) { + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE, ++ AuditEvent.LOG_PATH_CHANGE, + 
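Review bot: In the `@@ -1673,7 +1670,7 @@` hunk of LogAdminServlet the replaced key `LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE_4` carried an explicit four-argument suffix, and the call passes `auditSubjectID, ILogger.FAILURE, logType,` plus at least one more argument beyond the hunk, so the template needs four slots; `AuditEvent.LOG_PATH_CHANGE` is not in this patch and nothing visible confirms it resolves to the same four-parameter key. This record is written for every log type when the path changes, so a template that silently loses the path parameter would hide where the signed audit log was redirected — the one event an auditor most needs intact. I would pin it with a test such as `assertEquals("LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE_4", AuditEvent.LOG_PATH_CHANGE);` against the bundle key, and verify the message template in the resource bundle still declares four placeholders. The enclosing method starts and ends outside this hunk.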
auditSubjectID, + ILogger.FAILURE, + logType, +@@ -1801,7 +1798,7 @@ public class LogAdminServlet extends AdminServlet { + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, ++ AuditEvent.CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -1827,7 +1824,7 @@ public class LogAdminServlet extends AdminServlet { + // (regardless of logType) + if (!(newLogPath.equals(origLogPath))) { + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE, ++ AuditEvent.LOG_PATH_CHANGE, + auditSubjectID, + ILogger.FAILURE, + logType, +@@ -1852,7 +1849,7 @@ public class LogAdminServlet extends AdminServlet { + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, ++ AuditEvent.CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -1878,7 +1875,7 @@ public class LogAdminServlet extends AdminServlet { + // (regardless of logType) + if (!(newLogPath.equals(origLogPath))) { + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE, ++ AuditEvent.LOG_PATH_CHANGE, + auditSubjectID, + ILogger.FAILURE, + logType, +@@ -1903,7 +1900,7 @@ public class LogAdminServlet extends AdminServlet { + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, ++ AuditEvent.CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -1937,7 +1934,7 @@ public class LogAdminServlet extends AdminServlet { + // (regardless of logType) + if (!(newLogPath.equals(origLogPath))) { + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE, ++ AuditEvent.LOG_PATH_CHANGE, + auditSubjectID, + ILogger.FAILURE, + logType, +@@ 
-1962,7 +1959,7 @@ public class LogAdminServlet extends AdminServlet { + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, ++ AuditEvent.CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -1996,7 +1993,7 @@ public class LogAdminServlet extends AdminServlet { + // (regardless of logType) + if (!(newLogPath.equals(origLogPath))) { + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE, ++ AuditEvent.LOG_PATH_CHANGE, + auditSubjectID, + ILogger.SUCCESS, + logType, +@@ -2021,7 +2018,7 @@ public class LogAdminServlet extends AdminServlet { + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, ++ AuditEvent.CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); +@@ -2042,7 +2039,7 @@ public class LogAdminServlet extends AdminServlet { + // (regardless of logType) + if (!(newLogPath.equals(origLogPath))) { + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE, ++ AuditEvent.LOG_PATH_CHANGE, + auditSubjectID, + ILogger.FAILURE, + logType, +@@ -2067,7 +2064,7 @@ public class LogAdminServlet extends AdminServlet { + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, ++ AuditEvent.CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -2088,7 +2085,7 @@ public class LogAdminServlet extends AdminServlet { + // (regardless of logType) + if (!(newLogPath.equals(origLogPath))) { + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE, ++ AuditEvent.LOG_PATH_CHANGE, + auditSubjectID, + ILogger.FAILURE, + logType, +@@ -2113,7 +2110,7 @@ public class LogAdminServlet 
extends AdminServlet { + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, ++ AuditEvent.CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/OCSPAdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/OCSPAdminServlet.java +index a7ff922..ee1c3a2 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/admin/OCSPAdminServlet.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/admin/OCSPAdminServlet.java +@@ -34,6 +34,7 @@ import com.netscape.certsrv.common.Constants; + import com.netscape.certsrv.common.NameValuePairs; + import com.netscape.certsrv.common.OpDef; + import com.netscape.certsrv.common.ScopeDef; ++import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.ILogger; + import com.netscape.certsrv.ocsp.IOCSPAuthority; + import com.netscape.certsrv.ocsp.IOCSPStore; +@@ -57,9 +58,6 @@ public class OCSPAdminServlet extends AdminServlet { + + private final static String INFO = "OCSPAdminServlet"; + +- private final static String LOGGING_SIGNED_AUDIT_CONFIG_OCSP_PROFILE = +- "LOGGING_SIGNED_AUDIT_CONFIG_OCSP_PROFILE_3"; +- + private IOCSPAuthority mOCSP = null; + + public OCSPAdminServlet() { +@@ -256,7 +254,7 @@ public class OCSPAdminServlet extends AdminServlet { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_OCSP_PROFILE, ++ AuditEvent.CONFIG_OCSP_PROFILE, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); +@@ -267,7 +265,7 @@ public class OCSPAdminServlet extends AdminServlet { + } catch (EBaseException eAudit1) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_OCSP_PROFILE, ++ AuditEvent.CONFIG_OCSP_PROFILE, + auditSubjectID, + ILogger.FAILURE, + 
auditParams(req)); +@@ -279,7 +277,7 @@ public class OCSPAdminServlet extends AdminServlet { + } catch (IOException eAudit2) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_OCSP_PROFILE, ++ AuditEvent.CONFIG_OCSP_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -368,7 +366,7 @@ public class OCSPAdminServlet extends AdminServlet { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_OCSP_PROFILE, ++ AuditEvent.CONFIG_OCSP_PROFILE, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); +@@ -379,7 +377,7 @@ public class OCSPAdminServlet extends AdminServlet { + } catch (EBaseException eAudit1) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_OCSP_PROFILE, ++ AuditEvent.CONFIG_OCSP_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -391,7 +389,7 @@ public class OCSPAdminServlet extends AdminServlet { + } catch (IOException eAudit2) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_OCSP_PROFILE, ++ AuditEvent.CONFIG_OCSP_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -503,7 +501,7 @@ public class OCSPAdminServlet extends AdminServlet { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_OCSP_PROFILE, ++ AuditEvent.CONFIG_OCSP_PROFILE, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); +@@ -514,7 +512,7 @@ public class OCSPAdminServlet extends AdminServlet { + } catch (EBaseException eAudit1) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_OCSP_PROFILE, ++ AuditEvent.CONFIG_OCSP_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -526,7 +524,7 @@ public class 
OCSPAdminServlet extends AdminServlet { + } catch (IOException eAudit2) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_OCSP_PROFILE, ++ AuditEvent.CONFIG_OCSP_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/PolicyAdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/PolicyAdminServlet.java +index 1fe9c87..7a09e83 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/admin/PolicyAdminServlet.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/admin/PolicyAdminServlet.java +@@ -41,6 +41,7 @@ import com.netscape.certsrv.common.NameValuePairs; + import com.netscape.certsrv.common.OpDef; + import com.netscape.certsrv.common.ScopeDef; + import com.netscape.certsrv.kra.IKeyRecoveryAuthority; ++import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.ILogger; + import com.netscape.certsrv.ra.IRegistrationAuthority; + +@@ -83,9 +84,6 @@ public class PolicyAdminServlet extends AdminServlet { + public static String COMMA = ","; + public static String MISSING_POLICY_ORDERING = "Missing policy ordering"; + +- private final static String LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY = +- "LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY_3"; +- + /** + * Constructs administration servlet. 
+ */ +@@ -506,7 +504,7 @@ public class PolicyAdminServlet extends AdminServlet { + if (id == null) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY, ++ AuditEvent.CONFIG_CERT_POLICY, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -522,7 +520,7 @@ public class PolicyAdminServlet extends AdminServlet { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY, ++ AuditEvent.CONFIG_CERT_POLICY, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); +@@ -535,7 +533,7 @@ public class PolicyAdminServlet extends AdminServlet { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY, ++ AuditEvent.CONFIG_CERT_POLICY, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -547,7 +545,7 @@ public class PolicyAdminServlet extends AdminServlet { + } catch (IOException eAudit1) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY, ++ AuditEvent.CONFIG_CERT_POLICY, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -628,7 +626,7 @@ public class PolicyAdminServlet extends AdminServlet { + if (id == null) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY, ++ AuditEvent.CONFIG_CERT_POLICY, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -644,7 +642,7 @@ public class PolicyAdminServlet extends AdminServlet { + if (classPath == null) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY, ++ AuditEvent.CONFIG_CERT_POLICY, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -659,7 +657,7 @@ public class PolicyAdminServlet extends AdminServlet { + + // store a message in 
the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY, ++ AuditEvent.CONFIG_CERT_POLICY, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); +@@ -670,7 +668,7 @@ public class PolicyAdminServlet extends AdminServlet { + } catch (Exception e) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY, ++ AuditEvent.CONFIG_CERT_POLICY, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -682,7 +680,7 @@ public class PolicyAdminServlet extends AdminServlet { + } catch (IOException eAudit1) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY, ++ AuditEvent.CONFIG_CERT_POLICY, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -735,7 +733,7 @@ public class PolicyAdminServlet extends AdminServlet { + if (id == null) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY, ++ AuditEvent.CONFIG_CERT_POLICY, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -751,7 +749,7 @@ public class PolicyAdminServlet extends AdminServlet { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY, ++ AuditEvent.CONFIG_CERT_POLICY, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); +@@ -764,7 +762,7 @@ public class PolicyAdminServlet extends AdminServlet { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY, ++ AuditEvent.CONFIG_CERT_POLICY, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -776,7 +774,7 @@ public class PolicyAdminServlet extends AdminServlet { + } catch (IOException eAudit1) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- 
LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY, ++ AuditEvent.CONFIG_CERT_POLICY, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -875,7 +873,7 @@ public class PolicyAdminServlet extends AdminServlet { + if (id == null) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY, ++ AuditEvent.CONFIG_CERT_POLICY, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -892,7 +890,7 @@ public class PolicyAdminServlet extends AdminServlet { + if (implName == null) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY, ++ AuditEvent.CONFIG_CERT_POLICY, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -925,7 +923,7 @@ public class PolicyAdminServlet extends AdminServlet { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY, ++ AuditEvent.CONFIG_CERT_POLICY, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -956,7 +954,7 @@ public class PolicyAdminServlet extends AdminServlet { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY, ++ AuditEvent.CONFIG_CERT_POLICY, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); +@@ -967,7 +965,7 @@ public class PolicyAdminServlet extends AdminServlet { + } catch (Exception e) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY, ++ AuditEvent.CONFIG_CERT_POLICY, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -979,7 +977,7 @@ public class PolicyAdminServlet extends AdminServlet { + } catch (IOException eAudit1) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY, ++ AuditEvent.CONFIG_CERT_POLICY, + auditSubjectID, + 
ILogger.FAILURE, + auditParams(req)); +@@ -1032,7 +1030,7 @@ public class PolicyAdminServlet extends AdminServlet { + if (policyOrder == null) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY, ++ AuditEvent.CONFIG_CERT_POLICY, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -1047,7 +1045,7 @@ public class PolicyAdminServlet extends AdminServlet { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY, ++ AuditEvent.CONFIG_CERT_POLICY, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); +@@ -1058,7 +1056,7 @@ public class PolicyAdminServlet extends AdminServlet { + } catch (Exception e) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY, ++ AuditEvent.CONFIG_CERT_POLICY, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -1070,7 +1068,7 @@ public class PolicyAdminServlet extends AdminServlet { + } catch (IOException eAudit1) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY, ++ AuditEvent.CONFIG_CERT_POLICY, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -1123,7 +1121,7 @@ public class PolicyAdminServlet extends AdminServlet { + if (id == null) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY, ++ AuditEvent.CONFIG_CERT_POLICY, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -1140,7 +1138,7 @@ public class PolicyAdminServlet extends AdminServlet { + if (implName == null) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY, ++ AuditEvent.CONFIG_CERT_POLICY, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -1172,7 +1170,7 @@ 
public class PolicyAdminServlet extends AdminServlet {
+ 
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY,
++ AuditEvent.CONFIG_CERT_POLICY,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -1208,7 +1206,7 @@ public class PolicyAdminServlet extends AdminServlet {
+ 
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY,
++ AuditEvent.CONFIG_CERT_POLICY,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ auditParams(req));
+@@ -1219,7 +1217,7 @@ public class PolicyAdminServlet extends AdminServlet {
+ } catch (Exception e) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY,
++ AuditEvent.CONFIG_CERT_POLICY,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -1231,7 +1229,7 @@ public class PolicyAdminServlet extends AdminServlet {
+ } catch (IOException eAudit1) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY,
++ AuditEvent.CONFIG_CERT_POLICY,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/ProfileAdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/ProfileAdminServlet.java
+index b418baf..c4b40c0 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/admin/ProfileAdminServlet.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/admin/ProfileAdminServlet.java
+@@ -34,6 +34,7 @@ import com.netscape.certsrv.common.Constants;
+ import com.netscape.certsrv.common.NameValuePairs;
+ import com.netscape.certsrv.common.OpDef;
+ import com.netscape.certsrv.common.ScopeDef;
++import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
+ import com.netscape.certsrv.profile.EProfileException;
+ import 
com.netscape.certsrv.profile.IPolicyConstraint;
+@@ -88,9 +89,6 @@ public class ProfileAdminServlet extends AdminServlet {
+ public static String MISSING_POLICY_ORDERING = "Missing policy ordering";
+ public static String BAD_CONFIGURATION_VAL = "Invalid configuration value.";
+ 
+- private final static String LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE =
+- "LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE_3";
+-
+ /**
+ * Constructs administration servlet.
+ */
+@@ -425,7 +423,7 @@ public class ProfileAdminServlet extends AdminServlet {
+ 
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++ AuditEvent.CONFIG_CERT_PROFILE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -475,7 +473,7 @@ public class ProfileAdminServlet extends AdminServlet {
+ 
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++ AuditEvent.CONFIG_CERT_PROFILE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -492,7 +490,7 @@ public class ProfileAdminServlet extends AdminServlet {
+ 
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++ AuditEvent.CONFIG_CERT_PROFILE,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ auditParams(req));
+@@ -503,7 +501,7 @@ public class ProfileAdminServlet extends AdminServlet {
+ } catch (IOException eAudit1) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++ AuditEvent.CONFIG_CERT_PROFILE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -566,7 +564,7 @@ public class ProfileAdminServlet extends AdminServlet {
+ 
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++ AuditEvent.CONFIG_CERT_PROFILE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ 
auditParams(req));
+@@ -599,7 +597,7 @@ public class ProfileAdminServlet extends AdminServlet {
+ 
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++ AuditEvent.CONFIG_CERT_PROFILE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -617,7 +615,7 @@ public class ProfileAdminServlet extends AdminServlet {
+ 
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++ AuditEvent.CONFIG_CERT_PROFILE,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ auditParams(req));
+@@ -628,7 +626,7 @@ public class ProfileAdminServlet extends AdminServlet {
+ } catch (IOException eAudit1) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++ AuditEvent.CONFIG_CERT_PROFILE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -691,7 +689,7 @@ public class ProfileAdminServlet extends AdminServlet {
+ 
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++ AuditEvent.CONFIG_CERT_PROFILE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -725,7 +723,7 @@ public class ProfileAdminServlet extends AdminServlet {
+ 
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++ AuditEvent.CONFIG_CERT_PROFILE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -743,7 +741,7 @@ public class ProfileAdminServlet extends AdminServlet {
+ 
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++ AuditEvent.CONFIG_CERT_PROFILE,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ auditParams(req));
+@@ -754,7 +752,7 @@ public class ProfileAdminServlet extends AdminServlet {
+ } catch (IOException eAudit1) {
+ // store a 
message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++ AuditEvent.CONFIG_CERT_PROFILE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -826,7 +824,7 @@ public class ProfileAdminServlet extends AdminServlet {
+ 
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++ AuditEvent.CONFIG_CERT_PROFILE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -848,7 +846,7 @@ public class ProfileAdminServlet extends AdminServlet {
+ 
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++ AuditEvent.CONFIG_CERT_PROFILE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -863,7 +861,7 @@ public class ProfileAdminServlet extends AdminServlet {
+ 
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++ AuditEvent.CONFIG_CERT_PROFILE,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ auditParams(req));
+@@ -874,7 +872,7 @@ public class ProfileAdminServlet extends AdminServlet {
+ } catch (IOException eAudit1) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++ AuditEvent.CONFIG_CERT_PROFILE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -948,7 +946,7 @@ public class ProfileAdminServlet extends AdminServlet {
+ 
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++ AuditEvent.CONFIG_CERT_PROFILE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -965,7 +963,7 @@ public class ProfileAdminServlet extends AdminServlet {
+ } catch (EBaseException e1) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, 
++ AuditEvent.CONFIG_CERT_PROFILE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -980,7 +978,7 @@ public class ProfileAdminServlet extends AdminServlet {
+ 
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++ AuditEvent.CONFIG_CERT_PROFILE,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ auditParams(req));
+@@ -991,7 +989,7 @@ public class ProfileAdminServlet extends AdminServlet {
+ } catch (IOException eAudit1) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++ AuditEvent.CONFIG_CERT_PROFILE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -1065,7 +1063,7 @@ public class ProfileAdminServlet extends AdminServlet {
+ 
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++ AuditEvent.CONFIG_CERT_PROFILE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -1082,7 +1080,7 @@ public class ProfileAdminServlet extends AdminServlet {
+ } catch (EBaseException e1) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++ AuditEvent.CONFIG_CERT_PROFILE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -1097,7 +1095,7 @@ public class ProfileAdminServlet extends AdminServlet {
+ 
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++ AuditEvent.CONFIG_CERT_PROFILE,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ auditParams(req));
+@@ -1108,7 +1106,7 @@ public class ProfileAdminServlet extends AdminServlet {
+ } catch (IOException eAudit1) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++ AuditEvent.CONFIG_CERT_PROFILE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ 
auditParams(req));
+@@ -1170,7 +1168,7 @@ public class ProfileAdminServlet extends AdminServlet {
+ 
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++ AuditEvent.CONFIG_CERT_PROFILE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -1219,7 +1217,7 @@ public class ProfileAdminServlet extends AdminServlet {
+ } catch (Exception e) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++ AuditEvent.CONFIG_CERT_PROFILE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -1233,7 +1231,7 @@ public class ProfileAdminServlet extends AdminServlet {
+ 
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++ AuditEvent.CONFIG_CERT_PROFILE,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ auditParams(req));
+@@ -1244,7 +1242,7 @@ public class ProfileAdminServlet extends AdminServlet {
+ } catch (IOException eAudit1) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++ AuditEvent.CONFIG_CERT_PROFILE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -1306,7 +1304,7 @@ public class ProfileAdminServlet extends AdminServlet {
+ 
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++ AuditEvent.CONFIG_CERT_PROFILE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -1356,7 +1354,7 @@ public class ProfileAdminServlet extends AdminServlet {
+ } catch (Exception e) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++ AuditEvent.CONFIG_CERT_PROFILE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -1371,7 +1369,7 @@ public class ProfileAdminServlet extends 
AdminServlet {
+ 
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++ AuditEvent.CONFIG_CERT_PROFILE,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ auditParams(req));
+@@ -1382,7 +1380,7 @@ public class ProfileAdminServlet extends AdminServlet {
+ } catch (IOException eAudit1) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++ AuditEvent.CONFIG_CERT_PROFILE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -1444,7 +1442,7 @@ public class ProfileAdminServlet extends AdminServlet {
+ 
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++ AuditEvent.CONFIG_CERT_PROFILE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -1488,7 +1486,7 @@ public class ProfileAdminServlet extends AdminServlet {
+ } catch (Exception e) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++ AuditEvent.CONFIG_CERT_PROFILE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -1502,7 +1500,7 @@ public class ProfileAdminServlet extends AdminServlet {
+ 
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++ AuditEvent.CONFIG_CERT_PROFILE,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ auditParams(req));
+@@ -1513,7 +1511,7 @@ public class ProfileAdminServlet extends AdminServlet {
+ } catch (IOException eAudit1) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++ AuditEvent.CONFIG_CERT_PROFILE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -1575,7 +1573,7 @@ public class ProfileAdminServlet extends AdminServlet {
+ 
+ // store a message in the signed audit log file
+ auditMessage 
= CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++ AuditEvent.CONFIG_CERT_PROFILE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -1607,7 +1605,7 @@ public class ProfileAdminServlet extends AdminServlet {
+ } catch (Exception e) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++ AuditEvent.CONFIG_CERT_PROFILE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -1621,7 +1619,7 @@ public class ProfileAdminServlet extends AdminServlet {
+ 
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++ AuditEvent.CONFIG_CERT_PROFILE,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ auditParams(req));
+@@ -1632,7 +1630,7 @@ public class ProfileAdminServlet extends AdminServlet {
+ } catch (IOException eAudit1) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++ AuditEvent.CONFIG_CERT_PROFILE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -1694,7 +1692,7 @@ public class ProfileAdminServlet extends AdminServlet {
+ 
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++ AuditEvent.CONFIG_CERT_PROFILE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -1727,7 +1725,7 @@ public class ProfileAdminServlet extends AdminServlet {
+ } catch (Exception e) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++ AuditEvent.CONFIG_CERT_PROFILE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -1741,7 +1739,7 @@ public class ProfileAdminServlet extends AdminServlet {
+ 
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++ 
AuditEvent.CONFIG_CERT_PROFILE,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ auditParams(req));
+@@ -1752,7 +1750,7 @@ public class ProfileAdminServlet extends AdminServlet {
+ } catch (IOException eAudit1) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++ AuditEvent.CONFIG_CERT_PROFILE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -1814,7 +1812,7 @@ public class ProfileAdminServlet extends AdminServlet {
+ 
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++ AuditEvent.CONFIG_CERT_PROFILE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -1861,7 +1859,7 @@ public class ProfileAdminServlet extends AdminServlet {
+ } catch (Exception e) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++ AuditEvent.CONFIG_CERT_PROFILE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -1876,7 +1874,7 @@ public class ProfileAdminServlet extends AdminServlet {
+ 
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++ AuditEvent.CONFIG_CERT_PROFILE,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ auditParams(req));
+@@ -1887,7 +1885,7 @@ public class ProfileAdminServlet extends AdminServlet {
+ } catch (IOException eAudit1) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++ AuditEvent.CONFIG_CERT_PROFILE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -2278,7 +2276,7 @@ public class ProfileAdminServlet extends AdminServlet {
+ if (id == null) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++ AuditEvent.CONFIG_CERT_PROFILE,
+ auditSubjectID,
+ 
ILogger.FAILURE,
+ auditParams(req));
+@@ -2294,7 +2292,7 @@ public class ProfileAdminServlet extends AdminServlet {
+ } catch (EProfileException e) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++ AuditEvent.CONFIG_CERT_PROFILE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -2307,7 +2305,7 @@ public class ProfileAdminServlet extends AdminServlet {
+ 
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++ AuditEvent.CONFIG_CERT_PROFILE,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ auditParams(req));
+@@ -2318,7 +2316,7 @@ public class ProfileAdminServlet extends AdminServlet {
+ } catch (IOException eAudit1) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++ AuditEvent.CONFIG_CERT_PROFILE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -2391,7 +2389,7 @@ public class ProfileAdminServlet extends AdminServlet {
+ if (id == null || id.trim().equals("") || !isValidId(id)) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++ AuditEvent.CONFIG_CERT_PROFILE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -2441,7 +2439,7 @@ public class ProfileAdminServlet extends AdminServlet {
+ } catch (EBaseException e) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++ AuditEvent.CONFIG_CERT_PROFILE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -2480,7 +2478,7 @@ public class ProfileAdminServlet extends AdminServlet {
+ 
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++ AuditEvent.CONFIG_CERT_PROFILE,
+ auditSubjectID,
+ ILogger.FAILURE, 
+ auditParams(req));
+@@ -2493,7 +2491,7 @@ public class ProfileAdminServlet extends AdminServlet {
+ 
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++ AuditEvent.CONFIG_CERT_PROFILE,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ auditParams(req));
+@@ -2504,7 +2502,7 @@ public class ProfileAdminServlet extends AdminServlet {
+ } catch (IOException eAudit1) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++ AuditEvent.CONFIG_CERT_PROFILE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -2563,7 +2561,7 @@ public class ProfileAdminServlet extends AdminServlet {
+ 
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++ AuditEvent.CONFIG_CERT_PROFILE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -2591,7 +2589,7 @@ public class ProfileAdminServlet extends AdminServlet {
+ 
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++ AuditEvent.CONFIG_CERT_PROFILE,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ auditParams(req));
+@@ -2607,7 +2605,7 @@ public class ProfileAdminServlet extends AdminServlet {
+ } catch (IOException eAudit1) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++ AuditEvent.CONFIG_CERT_PROFILE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/UsrGrpAdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/UsrGrpAdminServlet.java
+index cce1ce3..1c38b88 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/admin/UsrGrpAdminServlet.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/admin/UsrGrpAdminServlet.java
+@@ -48,6 +48,7 @@ import 
com.netscape.certsrv.common.Constants;
+ import com.netscape.certsrv.common.NameValuePairs;
+ import com.netscape.certsrv.common.OpDef;
+ import com.netscape.certsrv.common.ScopeDef;
++import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.AuditFormat;
+ import com.netscape.certsrv.logging.ILogger;
+ import com.netscape.certsrv.password.IPasswordCheck;
+@@ -87,9 +88,6 @@ public class UsrGrpAdminServlet extends AdminServlet {
+ 
+ private final static String BACK_SLASH = "\\";
+ 
+- private final static String LOGGING_SIGNED_AUDIT_CONFIG_ROLE =
+- "LOGGING_SIGNED_AUDIT_CONFIG_ROLE_3";
+-
+ private IUGSubsystem mMgr = null;
+ 
+ private static String[] mMultiRoleGroupEnforceList = null;
+@@ -682,7 +680,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
+ 
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
++ AuditEvent.CONFIG_ROLE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -701,7 +699,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
+ 
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
++ AuditEvent.CONFIG_ROLE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -720,7 +718,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
+ 
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
++ AuditEvent.CONFIG_ROLE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -743,7 +741,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
+ 
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
++ AuditEvent.CONFIG_ROLE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -770,7 +768,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
+ if (!passwdCheck.isGoodPassword(pword)) {
+ // store a 
message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
++ AuditEvent.CONFIG_ROLE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -823,7 +821,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
+ 
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
++ AuditEvent.CONFIG_ROLE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -846,7 +844,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
+ 
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
++ AuditEvent.CONFIG_ROLE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -872,7 +870,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
+ 
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
++ AuditEvent.CONFIG_ROLE,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ auditParams(req));
+@@ -886,7 +884,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
+ 
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
++ AuditEvent.CONFIG_ROLE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -907,7 +905,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
+ 
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
++ AuditEvent.CONFIG_ROLE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -921,7 +919,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
+ } catch (EBaseException eAudit1) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
++ AuditEvent.CONFIG_ROLE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -933,7 +931,7 @@ public class UsrGrpAdminServlet 
extends AdminServlet {
+ } catch (IOException eAudit2) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
++ AuditEvent.CONFIG_ROLE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -993,7 +991,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
+ 
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
++ AuditEvent.CONFIG_ROLE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -1016,7 +1014,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
+ 
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
++ AuditEvent.CONFIG_ROLE,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ auditParams(req));
+@@ -1056,7 +1054,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
+ if (p7certs.length == 0) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
++ AuditEvent.CONFIG_ROLE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -1091,7 +1089,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
+ 
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
++ AuditEvent.CONFIG_ROLE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -1157,7 +1155,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
+ 
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
++ AuditEvent.CONFIG_ROLE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -1173,7 +1171,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
+ 
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
++ AuditEvent.CONFIG_ROLE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ 
auditParams(req));
+@@ -1195,7 +1193,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
+ 
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
++ AuditEvent.CONFIG_ROLE,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ auditParams(req));
+@@ -1211,7 +1209,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
+ 
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
++ AuditEvent.CONFIG_ROLE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -1227,7 +1225,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
+ 
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
++ AuditEvent.CONFIG_ROLE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -1241,7 +1239,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
+ } catch (ConflictingOperationException e) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
++ AuditEvent.CONFIG_ROLE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -1257,7 +1255,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
+ 
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
++ AuditEvent.CONFIG_ROLE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -1283,7 +1281,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
+ } catch (IOException eAudit2) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
++ AuditEvent.CONFIG_ROLE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -1346,7 +1344,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
+ 
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- 
LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
++ AuditEvent.CONFIG_ROLE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -1368,7 +1366,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
+ 
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
++ AuditEvent.CONFIG_ROLE,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ auditParams(req));
+@@ -1386,7 +1384,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
+ 
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
++ AuditEvent.CONFIG_ROLE,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ auditParams(req));
+@@ -1400,7 +1398,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
+ 
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
++ AuditEvent.CONFIG_ROLE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -1426,7 +1424,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
+ } catch (IOException eAudit2) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
++ AuditEvent.CONFIG_ROLE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -1497,7 +1495,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
+ 
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
++ AuditEvent.CONFIG_ROLE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -1519,7 +1517,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
+ 
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+- LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
++ AuditEvent.CONFIG_ROLE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+@@ -1539,7 +1537,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
+ } else {
+ // store a message in the 
signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, ++ AuditEvent.CONFIG_ROLE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -1561,7 +1559,7 @@ public class UsrGrpAdminServlet extends AdminServlet { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, ++ AuditEvent.CONFIG_ROLE, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); +@@ -1573,7 +1571,7 @@ public class UsrGrpAdminServlet extends AdminServlet { + } catch (Exception ex) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, ++ AuditEvent.CONFIG_ROLE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -1587,7 +1585,7 @@ public class UsrGrpAdminServlet extends AdminServlet { + } catch (EBaseException eAudit1) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, ++ AuditEvent.CONFIG_ROLE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -1599,7 +1597,7 @@ public class UsrGrpAdminServlet extends AdminServlet { + } catch (IOException eAudit2) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, ++ AuditEvent.CONFIG_ROLE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -1660,7 +1658,7 @@ public class UsrGrpAdminServlet extends AdminServlet { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, ++ AuditEvent.CONFIG_ROLE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -1698,7 +1696,7 @@ public class UsrGrpAdminServlet extends AdminServlet { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, ++ AuditEvent.CONFIG_ROLE, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); 
+@@ -1710,7 +1708,7 @@ public class UsrGrpAdminServlet extends AdminServlet { + } catch (Exception e) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, ++ AuditEvent.CONFIG_ROLE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -1725,7 +1723,7 @@ public class UsrGrpAdminServlet extends AdminServlet { + } catch (EBaseException eAudit1) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, ++ AuditEvent.CONFIG_ROLE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -1737,7 +1735,7 @@ public class UsrGrpAdminServlet extends AdminServlet { + } catch (IOException eAudit2) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, ++ AuditEvent.CONFIG_ROLE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -1798,7 +1796,7 @@ public class UsrGrpAdminServlet extends AdminServlet { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, ++ AuditEvent.CONFIG_ROLE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -1817,7 +1815,7 @@ public class UsrGrpAdminServlet extends AdminServlet { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, ++ AuditEvent.CONFIG_ROLE, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); +@@ -1828,7 +1826,7 @@ public class UsrGrpAdminServlet extends AdminServlet { + } catch (EBaseException eAudit1) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, ++ AuditEvent.CONFIG_ROLE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -1840,7 +1838,7 @@ public class UsrGrpAdminServlet extends AdminServlet { + } catch (IOException eAudit2) { + // store a message in the 
signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, ++ AuditEvent.CONFIG_ROLE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -1903,7 +1901,7 @@ public class UsrGrpAdminServlet extends AdminServlet { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, ++ AuditEvent.CONFIG_ROLE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -1956,7 +1954,7 @@ public class UsrGrpAdminServlet extends AdminServlet { + } else { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, ++ AuditEvent.CONFIG_ROLE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -1980,7 +1978,7 @@ public class UsrGrpAdminServlet extends AdminServlet { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, ++ AuditEvent.CONFIG_ROLE, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); +@@ -1993,7 +1991,7 @@ public class UsrGrpAdminServlet extends AdminServlet { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, ++ AuditEvent.CONFIG_ROLE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -2008,7 +2006,7 @@ public class UsrGrpAdminServlet extends AdminServlet { + } catch (EBaseException eAudit1) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, ++ AuditEvent.CONFIG_ROLE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -2020,7 +2018,7 @@ public class UsrGrpAdminServlet extends AdminServlet { + } catch (IOException eAudit2) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, ++ AuditEvent.CONFIG_ROLE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -2152,7 
+2150,7 @@ public class UsrGrpAdminServlet extends AdminServlet { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, ++ AuditEvent.CONFIG_ROLE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -2176,7 +2174,7 @@ public class UsrGrpAdminServlet extends AdminServlet { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, ++ AuditEvent.CONFIG_ROLE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -2201,7 +2199,7 @@ public class UsrGrpAdminServlet extends AdminServlet { + if (!passwdCheck.isGoodPassword(pword)) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, ++ AuditEvent.CONFIG_ROLE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -2232,7 +2230,7 @@ public class UsrGrpAdminServlet extends AdminServlet { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, ++ AuditEvent.CONFIG_ROLE, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); +@@ -2246,7 +2244,7 @@ public class UsrGrpAdminServlet extends AdminServlet { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, ++ AuditEvent.CONFIG_ROLE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -2260,7 +2258,7 @@ public class UsrGrpAdminServlet extends AdminServlet { + } catch (EBaseException eAudit1) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, ++ AuditEvent.CONFIG_ROLE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +@@ -2272,7 +2270,7 @@ public class UsrGrpAdminServlet extends AdminServlet { + } catch (IOException eAudit2) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- 
LOGGING_SIGNED_AUDIT_CONFIG_ROLE, ++ AuditEvent.CONFIG_ROLE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); +diff --git a/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java b/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java +index 01f9f07..c7fc03b 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java +@@ -245,9 +245,6 @@ public abstract class CMSServlet extends HttpServlet { + private IUGSubsystem mUG = (IUGSubsystem) + CMS.getSubsystem(CMS.SUBSYSTEM_UG); + +- private final static String LOGGING_SIGNED_AUDIT_ROLE_ASSUME = +- "LOGGING_SIGNED_AUDIT_ROLE_ASSUME_3"; +- + public CMSServlet() { + } + +@@ -1840,7 +1837,7 @@ public abstract class CMSServlet extends HttpServlet { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_ROLE_ASSUME, ++ AuditEvent.ROLE_ASSUME, + auditSubjectID, + ILogger.SUCCESS, + auditGroupID); +@@ -1857,7 +1854,7 @@ public abstract class CMSServlet extends HttpServlet { + audit(auditMessage); + + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_ROLE_ASSUME, ++ AuditEvent.ROLE_ASSUME, + auditSubjectID, + ILogger.FAILURE, + auditGroupID); +@@ -1876,7 +1873,7 @@ public abstract class CMSServlet extends HttpServlet { + audit(auditMessage); + + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_ROLE_ASSUME, ++ AuditEvent.ROLE_ASSUME, + auditSubjectID, + ILogger.FAILURE, + auditGroupID); +@@ -1974,7 +1971,7 @@ public abstract class CMSServlet extends HttpServlet { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_ROLE_ASSUME, ++ AuditEvent.ROLE_ASSUME, + auditID, + ILogger.SUCCESS, + auditGroups(auditSubjectID)); +@@ -1993,7 +1990,7 @@ public abstract class CMSServlet extends HttpServlet { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( 
+- LOGGING_SIGNED_AUDIT_ROLE_ASSUME, ++ AuditEvent.ROLE_ASSUME, + auditID, + ILogger.FAILURE, + auditGroups(auditSubjectID)); +@@ -2015,7 +2012,7 @@ public abstract class CMSServlet extends HttpServlet { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_ROLE_ASSUME, ++ AuditEvent.ROLE_ASSUME, + auditID, + ILogger.FAILURE, + auditGroups(auditSubjectID)); +@@ -2036,7 +2033,7 @@ public abstract class CMSServlet extends HttpServlet { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_ROLE_ASSUME, ++ AuditEvent.ROLE_ASSUME, + auditSubjectID, + ILogger.FAILURE, + auditGroups(auditSubjectID)); +diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/RegisterUser.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/RegisterUser.java +index 74197a4..f02932e 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/RegisterUser.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/RegisterUser.java +@@ -36,6 +36,7 @@ import com.netscape.certsrv.authentication.IAuthToken; + import com.netscape.certsrv.authorization.AuthzToken; + import com.netscape.certsrv.authorization.EAuthzAccessDenied; + import com.netscape.certsrv.base.EBaseException; ++import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.ILogger; + import com.netscape.certsrv.usrgrp.ICertUserLocator; + import com.netscape.certsrv.usrgrp.IGroup; +@@ -65,9 +66,6 @@ public class RegisterUser extends CMSServlet { + private final static String SUCCESS = "0"; + private final static String AUTH_FAILURE = "2"; + private String mGroupName = null; +- private final static String LOGGING_SIGNED_AUDIT_CONFIG_ROLE = +- "LOGGING_SIGNED_AUDIT_CONFIG_ROLE_3"; +- + public RegisterUser() { + super(); + } +@@ -202,7 +200,7 @@ public class RegisterUser extends CMSServlet { + ugsys.addUser(user); + CMS.debug("RegisterUser created user " + uid); + 
auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, ++ AuditEvent.CONFIG_ROLE, + auditSubjectID, + ILogger.SUCCESS, + auditParams); +@@ -227,7 +225,7 @@ public class RegisterUser extends CMSServlet { + ugsys.addUserCert(user); + CMS.debug("RegisterUser added user certificate"); + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, ++ AuditEvent.CONFIG_ROLE, + auditSubjectID, + ILogger.SUCCESS, + auditParams); +@@ -237,7 +235,7 @@ public class RegisterUser extends CMSServlet { + } catch (Exception eee) { + CMS.debug("RegisterUser error " + eee.toString()); + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, ++ AuditEvent.CONFIG_ROLE, + auditSubjectID, + ILogger.FAILURE, + auditParams); +@@ -270,7 +268,7 @@ public class RegisterUser extends CMSServlet { + CMS.debug("RegisterUser modified group"); + + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, ++ AuditEvent.CONFIG_ROLE, + auditSubjectID, + ILogger.SUCCESS, + auditParams); +@@ -279,7 +277,7 @@ public class RegisterUser extends CMSServlet { + } + } catch (Exception e) { + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, ++ AuditEvent.CONFIG_ROLE, + auditSubjectID, + ILogger.FAILURE, + auditParams); +diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java +index 69e76fc..cd769db 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java +@@ -90,7 +90,7 @@ public class SecurityDomainProcessor extends CAProcessor { + + if (!ugSubsystem.isMemberOf(user, group)) { + String message = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_ROLE_ASSUME, ++ AuditEvent.ROLE_ASSUME, + user, + ILogger.FAILURE, + group); +@@ -100,7 +100,7 @@ public class SecurityDomainProcessor extends 
CAProcessor { + } + + String message = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_ROLE_ASSUME, ++ AuditEvent.ROLE_ASSUME, + user, + ILogger.SUCCESS, + group); +diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java +index bed4357..5872ab0 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java +@@ -63,9 +63,6 @@ public class UpdateDomainXML extends CMSServlet { + private static final long serialVersionUID = 4059169588555717548L; + private final static String SUCCESS = "0"; + private final static String FAILED = "1"; +- private final static String LOGGING_SIGNED_AUDIT_CONFIG_ROLE = +- "LOGGING_SIGNED_AUDIT_CONFIG_ROLE_3"; +- + public UpdateDomainXML() { + super(); + } +@@ -372,7 +369,7 @@ public class UpdateDomainXML extends CMSServlet { + status2 = remove_from_ldap(adminUserDN); + if (status2.equals(SUCCESS)) { + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, ++ AuditEvent.CONFIG_ROLE, + auditSubjectID, + ILogger.SUCCESS, + userAuditParams); +@@ -388,13 +385,13 @@ public class UpdateDomainXML extends CMSServlet { + status2 = modify_ldap(dn, mod); + if (status2.equals(SUCCESS)) { + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, ++ AuditEvent.CONFIG_ROLE, + auditSubjectID, + ILogger.SUCCESS, + userAuditParams); + } else { + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, ++ AuditEvent.CONFIG_ROLE, + auditSubjectID, + ILogger.FAILURE, + userAuditParams); +@@ -402,7 +399,7 @@ public class UpdateDomainXML extends CMSServlet { + audit(auditMessage); + } else { // error deleting user + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, ++ AuditEvent.CONFIG_ROLE, + auditSubjectID, + ILogger.FAILURE, + userAuditParams); +diff --git 
a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java +index 5669233..ad79cbb 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java +@@ -117,8 +117,6 @@ public class CAProcessor extends Processor { + public static final String ACL_INFO = "ACLinfo"; + public static final String PROFILE_SUB_ID = "profileSubId"; + +- public final static String LOGGING_SIGNED_AUDIT_ROLE_ASSUME = +- "LOGGING_SIGNED_AUDIT_ROLE_ASSUME_3"; + public final static String SIGNED_AUDIT_CERT_REQUEST_REASON = + "requestNotes"; + +@@ -731,7 +729,7 @@ public class CAProcessor extends Processor { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_ROLE_ASSUME, ++ AuditEvent.ROLE_ASSUME, + auditSubjectID, + ILogger.SUCCESS, + auditGroupID); +@@ -748,7 +746,7 @@ public class CAProcessor extends Processor { + audit(auditMessage); + + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_ROLE_ASSUME, ++ AuditEvent.ROLE_ASSUME, + auditSubjectID, + ILogger.FAILURE, + auditGroupID); +@@ -767,7 +765,7 @@ public class CAProcessor extends Processor { + audit(auditMessage); + + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_ROLE_ASSUME, ++ AuditEvent.ROLE_ASSUME, + auditSubjectID, + ILogger.FAILURE, + auditGroupID); +@@ -864,7 +862,7 @@ public class CAProcessor extends Processor { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_ROLE_ASSUME, ++ AuditEvent.ROLE_ASSUME, + auditID, + ILogger.SUCCESS, + auditGroups(auditSubjectID)); +@@ -883,7 +881,7 @@ public class CAProcessor extends Processor { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_ROLE_ASSUME, ++ AuditEvent.ROLE_ASSUME, + auditID, + 
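Review bot: The `@@ -117,8 +117,6 @@` hunk deletes `public final static String LOGGING_SIGNED_AUDIT_ROLE_ASSUME` from CAProcessor, which is a public API removal rather than the private-constant cleanup the same patch does in CMSServlet, RegisterUser, UpdateDomainXML and CertUtils. In-tree users are updated (SecurityDomainProcessor's two hunks switch to `AuditEvent.ROLE_ASSUME`), but any out-of-tree processor subclass or plugin that referenced `CAProcessor.LOGGING_SIGNED_AUDIT_ROLE_ASSUME` will no longer compile. Assuming `AuditEvent.ROLE_ASSUME` carries the same message key, a deprecated alias keeps such callers building for one release: `@Deprecated public final static String LOGGING_SIGNED_AUDIT_ROLE_ASSUME = AuditEvent.ROLE_ASSUME;`. The class body continues outside the hunk.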
ILogger.FAILURE, + auditGroups(auditSubjectID)); +@@ -905,7 +903,7 @@ public class CAProcessor extends Processor { + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_ROLE_ASSUME, ++ AuditEvent.ROLE_ASSUME, + auditID, + ILogger.FAILURE, + auditGroups(auditSubjectID)); +diff --git a/base/server/cms/src/org/dogtagpki/server/rest/AuditService.java b/base/server/cms/src/org/dogtagpki/server/rest/AuditService.java +index 7bb048f..2d5b371 100644 +--- a/base/server/cms/src/org/dogtagpki/server/rest/AuditService.java ++++ b/base/server/cms/src/org/dogtagpki/server/rest/AuditService.java +@@ -49,6 +49,7 @@ import com.netscape.certsrv.base.IConfigStore; + import com.netscape.certsrv.base.PKIException; + import com.netscape.certsrv.base.ResourceNotFoundException; + import com.netscape.certsrv.logging.AuditConfig; ++import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.AuditFile; + import com.netscape.certsrv.logging.AuditFileCollection; + import com.netscape.certsrv.logging.AuditResource; +@@ -412,7 +413,7 @@ public class AuditService extends SubsystemService implements AuditResource { + public void auditTPSConfigSignedAudit(String status, Map params) { + + String msg = CMS.getLogMessage( +- "LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT_3", ++ AuditEvent.CONFIG_SIGNED_AUDIT, + servletRequest.getUserPrincipal().getName(), + status, + auditor.getParamString(null, params)); +diff --git a/base/server/cms/src/org/dogtagpki/server/rest/GroupService.java b/base/server/cms/src/org/dogtagpki/server/rest/GroupService.java +index 4ee2810..4aa0209 100644 +--- a/base/server/cms/src/org/dogtagpki/server/rest/GroupService.java ++++ b/base/server/cms/src/org/dogtagpki/server/rest/GroupService.java +@@ -40,7 +40,7 @@ import com.netscape.certsrv.group.GroupData; + import com.netscape.certsrv.group.GroupMemberData; + import com.netscape.certsrv.group.GroupNotFoundException; + import 
com.netscape.certsrv.group.GroupResource; +-import com.netscape.certsrv.logging.IAuditor; ++import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.ILogger; + import com.netscape.certsrv.usrgrp.IGroup; + import com.netscape.certsrv.usrgrp.IGroupConstants; +@@ -432,6 +432,6 @@ public class GroupService extends SubsystemService implements GroupResource { + } + + public void audit(String type, String id, Map params, String status) { +- audit(IAuditor.LOGGING_SIGNED_AUDIT_CONFIG_ROLE, ScopeDef.SC_GROUPS, type, id, params, status); ++ audit(AuditEvent.CONFIG_ROLE, ScopeDef.SC_GROUPS, type, id, params, status); + } + } +diff --git a/base/server/cms/src/org/dogtagpki/server/rest/UserService.java b/base/server/cms/src/org/dogtagpki/server/rest/UserService.java +index eeadba5..e10c4f5 100644 +--- a/base/server/cms/src/org/dogtagpki/server/rest/UserService.java ++++ b/base/server/cms/src/org/dogtagpki/server/rest/UserService.java +@@ -52,7 +52,7 @@ import com.netscape.certsrv.common.OpDef; + import com.netscape.certsrv.common.ScopeDef; + import com.netscape.certsrv.dbs.certdb.CertId; + import com.netscape.certsrv.group.GroupMemberData; +-import com.netscape.certsrv.logging.IAuditor; ++import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.ILogger; + import com.netscape.certsrv.password.IPasswordCheck; + import com.netscape.certsrv.user.UserCertCollection; +@@ -1227,10 +1227,10 @@ public class UserService extends SubsystemService implements UserResource { + } + + public void auditUser(String type, String id, Map params, String status) { +- audit(IAuditor.LOGGING_SIGNED_AUDIT_CONFIG_ROLE, ScopeDef.SC_USERS, type, id, params, status); ++ audit(AuditEvent.CONFIG_ROLE, ScopeDef.SC_USERS, type, id, params, status); + } + + public void auditUserCert(String type, String id, Map params, String status) { +- audit(IAuditor.LOGGING_SIGNED_AUDIT_CONFIG_ROLE, ScopeDef.SC_USER_CERTS, type, id, params, status); ++ 
audit(AuditEvent.CONFIG_ROLE, ScopeDef.SC_USER_CERTS, type, id, params, status); + } + } +diff --git a/base/server/cmscore/src/com/netscape/cmscore/cert/CertUtils.java b/base/server/cmscore/src/com/netscape/cmscore/cert/CertUtils.java +index 400ad0c..e1c4c76 100644 +--- a/base/server/cmscore/src/com/netscape/cmscore/cert/CertUtils.java ++++ b/base/server/cmscore/src/com/netscape/cmscore/cert/CertUtils.java +@@ -41,6 +41,7 @@ import org.mozilla.jss.CryptoManager.CertificateUsage; + import com.netscape.certsrv.apps.CMS; + import com.netscape.certsrv.base.EBaseException; + import com.netscape.certsrv.base.IConfigStore; ++import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.ILogger; + import com.netscape.cmsutil.util.Utils; + +@@ -84,9 +85,6 @@ public class CertUtils { + "-----END CERTIFICATE REVOCATION LIST-----"; + + protected static ILogger mSignedAuditLogger = CMS.getSignedAuditLogger(); +- private final static String LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION = +- "LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION_3"; +- + /** + * Remove the header and footer in the PKCS10 request. + */ +@@ -911,7 +909,7 @@ public class CertUtils { + if (subsysType == null) { + CMS.debug("CertUtils: verifySystemCerts() invalid cs.type in CS.cfg. 
System certificates verification not done"); + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION, ++ AuditEvent.CIMC_CERT_VERIFICATION, + ILogger.SYSTEM_UID, + ILogger.FAILURE, + ""); +@@ -936,7 +934,7 @@ public class CertUtils { + verifySystemCertByNickname(nickname, certusage); + + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION, ++ AuditEvent.CIMC_CERT_VERIFICATION, + ILogger.SYSTEM_UID, + ILogger.SUCCESS, + nickname); +@@ -947,7 +945,7 @@ public class CertUtils { + CMS.debug("CertUtils: verifySystemCertsByTag() failed: " + + e.toString()); + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION, ++ AuditEvent.CIMC_CERT_VERIFICATION, + ILogger.SYSTEM_UID, + ILogger.FAILURE, + ""); +@@ -1009,7 +1007,7 @@ public class CertUtils { + if (subsysType.equals("")) { + CMS.debug("CertUtils: verifySystemCerts() cs.type not defined in CS.cfg. System certificates verification not done"); + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION, ++ AuditEvent.CIMC_CERT_VERIFICATION, + ILogger.SYSTEM_UID, + ILogger.FAILURE, + ""); +@@ -1022,7 +1020,7 @@ public class CertUtils { + if (subsysType == null) { + CMS.debug("CertUtils: verifySystemCerts() invalid cs.type in CS.cfg. System certificates verification not done"); + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION, ++ AuditEvent.CIMC_CERT_VERIFICATION, + ILogger.SYSTEM_UID, + ILogger.FAILURE, + ""); +@@ -1036,7 +1034,7 @@ public class CertUtils { + CMS.debug("CertUtils: verifySystemCerts() " + + subsysType + ".cert.list not defined in CS.cfg. 
System certificates verification not done"); + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION, ++ AuditEvent.CIMC_CERT_VERIFICATION, + ILogger.SYSTEM_UID, + ILogger.FAILURE, + ""); +@@ -1056,7 +1054,7 @@ public class CertUtils { + } catch (Exception e) { + // audit here + auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION, ++ AuditEvent.CIMC_CERT_VERIFICATION, + ILogger.SYSTEM_UID, + ILogger.FAILURE, + ""); +diff --git a/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java b/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java +index 4ddb42c..95556b9 100644 +--- a/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java ++++ b/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java +@@ -96,9 +96,6 @@ public class SelfTestSubsystem + private static final String ELEMENT_DELIMITER = ":"; + private static final String CRITICAL = "critical"; + +- private static final String LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION = +- "LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION_2"; +- + ///////////////////// + // default methods // + ///////////////////// +@@ -1809,7 +1806,7 @@ public class SelfTestSubsystem + + // store a message in the signed audit log file + String auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION, ++ AuditEvent.SELFTESTS_EXECUTION, + ILogger.SYSTEM_UID, + ILogger.SUCCESS); + +@@ -1819,7 +1816,7 @@ public class SelfTestSubsystem + + // store a message in the signed audit log file + String auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION, ++ AuditEvent.SELFTESTS_EXECUTION, + ILogger.SYSTEM_UID, + ILogger.FAILURE); + +@@ -1832,7 +1829,7 @@ public class SelfTestSubsystem + + // store a message in the signed audit log file + String auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION, ++ AuditEvent.SELFTESTS_EXECUTION, + 
ILogger.SYSTEM_UID, + ILogger.FAILURE); + +-- +1.8.3.1 + + +From eb7c9139c1ab017a8749d87e163e9dcc42037fb2 Mon Sep 17 00:00:00 2001 +From: Ade Lee +Date: Tue, 11 Apr 2017 14:18:32 -0400 +Subject: [PATCH 49/59] Modified CRMFPopClient to use correct wrapping for + encrypt case + +When the server cannot do key wrapping using the AES KeyWrap, +probably because the backend HSM cannot do key wrapping, then +there is a setting to allow it to use encrypt/decrypt instead. + +If the key wrap algorithm is something simple like 3DES or AES-CBC, +then the client can just use key wrapping to wrap the key on its +token, and the server can use an encryption algorithm to decrypt. +The client does not need to know that the server cannot handle a +key wrap, because keywrapping and encryption are pretty much the +same mechanism - just either in server memory or not. + +When we do key wrapping using AES KeyWrap though, there is no +corresponding encryption algorithm used to decrypt. So the server +cannot simply decrypt a message wrapped with AES Keywrap (or at least +not in any obvious way). So in this case, the client needs to know +if the server can handle keywrap. + +The patch therefore does the following: +1. For CRMFPopClient, adds a command line option to specify if key + wrapping or encryption is required. +2. Reads an environment variable if no option is provided. +3. If encryption is specified, uses key wrapping using AES-CBC + which can be decrypted on the server side. +4. For cert-client, contacts the server to determine from the + CAInfoResource if keywrapping is supported. 
+ +Change-Id: If66f51c929cfde1c0ff3b9f39cb57b92fcdc150c +--- + .../src/com/netscape/certsrv/key/KeyClient.java | 3 ++ + .../netscape/certsrv/util/NSSCryptoProvider.java | 2 +- + .../src/com/netscape/cmstools/CRMFPopClient.java | 43 +++++++++++++++++++--- + .../cmstools/client/ClientCertRequestCLI.java | 28 ++++++++++++-- + .../com/netscape/cmsutil/crypto/CryptoUtil.java | 16 +------- + 5 files changed, 69 insertions(+), 23 deletions(-) + +diff --git a/base/common/src/com/netscape/certsrv/key/KeyClient.java b/base/common/src/com/netscape/certsrv/key/KeyClient.java +index 750d270..dea44b1 100644 +--- a/base/common/src/com/netscape/certsrv/key/KeyClient.java ++++ b/base/common/src/com/netscape/certsrv/key/KeyClient.java +@@ -27,6 +27,7 @@ import java.util.List; + import javax.ws.rs.core.Response; + + import org.dogtagpki.common.Info; ++import org.dogtagpki.common.KRAInfoResource; + import org.dogtagpki.common.Version; + import org.mozilla.jss.crypto.EncryptionAlgorithm; + import org.mozilla.jss.crypto.KeyWrapAlgorithm; +@@ -49,6 +50,7 @@ public class KeyClient extends Client { + + public KeyResource keyClient; + public KeyRequestResource keyRequestClient; ++ public KRAInfoResource kraInfoClient; + + private CryptoProvider crypto; + private String transportCert; +@@ -92,6 +94,7 @@ public class KeyClient extends Client { + public void init() throws URISyntaxException { + keyClient = createProxy(KeyResource.class); + keyRequestClient = createProxy(KeyRequestResource.class); ++ kraInfoClient = createProxy(KRAInfoResource.class); + } + + public CryptoProvider getCrypto() { +diff --git a/base/common/src/com/netscape/certsrv/util/NSSCryptoProvider.java b/base/common/src/com/netscape/certsrv/util/NSSCryptoProvider.java +index 1d2edbc..be8dd24 100644 +--- a/base/common/src/com/netscape/certsrv/util/NSSCryptoProvider.java ++++ b/base/common/src/com/netscape/certsrv/util/NSSCryptoProvider.java +@@ -140,7 +140,7 @@ public class NSSCryptoProvider extends CryptoProvider { + if 
(token == null) { + throw new NotInitializedException(); + } +- return CryptoUtil.wrapPassphrase(token, passphrase, new IVParameterSpec(iv), key, encryptionAlgorithm); ++ return CryptoUtil.encryptPassphrase(token, passphrase, new IVParameterSpec(iv), key, encryptionAlgorithm); + } + + @Override +diff --git a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java +index 9d81a72..c5da9cf 100644 +--- a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java ++++ b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java +@@ -40,6 +40,7 @@ import org.apache.http.HttpResponse; + import org.apache.http.client.methods.HttpGet; + import org.apache.http.impl.client.DefaultHttpClient; + import org.apache.http.util.EntityUtils; ++import org.dogtagpki.common.KRAInfoResource; + import org.mozilla.jss.CryptoManager; + import org.mozilla.jss.asn1.ASN1Util; + import org.mozilla.jss.asn1.BIT_STRING; +@@ -182,6 +183,10 @@ public class CRMFPopClient { + option.setArgName("extractable"); + options.addOption(option); + ++ option = new Option("g", true, "KeyWrap"); ++ option.setArgName("keyWrap"); ++ options.addOption(option); ++ + options.addOption("v", "verbose", false, "Run in verbose mode."); + options.addOption(null, "help", false, "Show help message."); + +@@ -210,6 +215,9 @@ public class CRMFPopClient { + System.out.println(" - POP_NONE: without POP"); + System.out.println(" - POP_SUCCESS: with valid POP"); + System.out.println(" - POP_FAIL: with invalid POP (for testing)"); ++ System.out.println(" -g Use KeyWrapping to wrap private key (default: true)"); ++ System.out.println(" - true: use a key wrapping algorithm"); ++ System.out.println(" - false: use an encryption algorithm"); + System.out.println(" -b PEM transport certificate (default: transport.txt)"); + System.out.println(" -v, --verbose Run in verbose mode."); + System.out.println(" --help Show help message."); +@@ -302,6 +310,16 @@ public 
class CRMFPopClient { + int sensitive = Integer.parseInt(cmd.getOptionValue("s", "-1")); + int extractable = Integer.parseInt(cmd.getOptionValue("e", "-1")); + ++ boolean keyWrap = true; ++ if (cmd.hasOption("g")) { ++ keyWrap = Boolean.parseBoolean(cmd.getOptionValue("g")); ++ } else { ++ String useKeyWrap = System.getenv("KEY_ARCHIVAL_USE_KEY_WRAPPING"); ++ if (useKeyWrap != null) { ++ keyWrap = Boolean.parseBoolean(useKeyWrap); ++ } ++ } ++ + String output = cmd.getOptionValue("o"); + + String hostPort = cmd.getOptionValue("m"); +@@ -440,8 +458,11 @@ public class CRMFPopClient { + String kid = CryptoUtil.byte2string(id); + System.out.println("Keypair private key id: " + kid); + ++ String archivalMechanism = keyWrap ? KRAInfoResource.KEYWRAP_MECHANISM : ++ KRAInfoResource.ENCRYPT_MECHANISM; + if (verbose) System.out.println("Creating certificate request"); +- CertRequest certRequest = client.createCertRequest(token, transportCert, algorithm, keyPair, subject); ++ CertRequest certRequest = client.createCertRequest( ++ token, transportCert, algorithm, keyPair, subject, archivalMechanism); + + ProofOfPossession pop = null; + +@@ -550,7 +571,8 @@ public class CRMFPopClient { + X509Certificate transportCert, + String algorithm, + KeyPair keyPair, +- Name subject) throws Exception { ++ Name subject, ++ String archivalMechanism) throws Exception { + EncryptionAlgorithm encryptAlg = null; + String keyset = System.getenv("KEY_WRAP_PARAMETER_SET"); + +@@ -563,7 +585,7 @@ public class CRMFPopClient { + + byte[] iv = CryptoUtil.getNonceData(encryptAlg.getIVLength()); + AlgorithmIdentifier aid = new AlgorithmIdentifier(encryptAlg.toOID(), new OCTET_STRING(iv)); +- WrappingParams params = getWrappingParams(encryptAlg, iv); ++ WrappingParams params = getWrappingParams(encryptAlg, iv, archivalMechanism); + + PKIArchiveOptions opts = CryptoUtil.createPKIArchiveOptions( + token, +@@ -583,12 +605,23 @@ public class CRMFPopClient { + return new CertRequest(new INTEGER(1), 
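Review bot: `Boolean.parseBoolean` on the `-g` value and on `KEY_ARCHIVAL_USE_KEY_WRAPPING` maps any string other than exactly "true" (a typo such as `ture`, or `yes`) to `false`, which silently selects the encryption mechanism instead of key wrapping — the opposite of the default the help text promises. Because this switch decides how the archived private key is protected, the value should be validated rather than coerced, e.g. `String v = cmd.getOptionValue("g"); if (!v.equalsIgnoreCase("true") && !v.equalsIgnoreCase("false")) throw new Exception("Invalid value for -g: " + v); keyWrap = Boolean.parseBoolean(v);`, with the same check on the environment-variable branch. The help line for `-g` should also mention that the environment variable is consulted when the option is absent. The enclosing method continues outside the hunk.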
certTemplate, seq); + } + +- private WrappingParams getWrappingParams(EncryptionAlgorithm encryptAlg, byte[] wrapIV) throws Exception { ++ private WrappingParams getWrappingParams(EncryptionAlgorithm encryptAlg, byte[] wrapIV, ++ String archivalMechanism) throws Exception { + if (encryptAlg.getAlg().toString().equalsIgnoreCase("AES")) { ++ KeyWrapAlgorithm wrapAlg = null; ++ IVParameterSpec wrapIVS = null; ++ if (archivalMechanism.equals(KRAInfoResource.ENCRYPT_MECHANISM)) { ++ // We will use AES_CBC_PAD as the a key wrap mechanism. This ++ // can be decrypted using the same mechanism on the server. ++ wrapAlg = KeyWrapAlgorithm.AES_CBC_PAD; ++ wrapIVS = new IVParameterSpec(wrapIV); ++ } else { ++ wrapAlg = KeyWrapAlgorithm.AES_KEY_WRAP_PAD; ++ } + return new WrappingParams( + SymmetricKey.AES, KeyGenAlgorithm.AES, 128, + KeyWrapAlgorithm.RSA, encryptAlg, +- KeyWrapAlgorithm.AES_KEY_WRAP_PAD, null, null); ++ wrapAlg, wrapIVS, wrapIVS); + } else if (encryptAlg.getAlg().toString().equalsIgnoreCase("DESede")) { + return new WrappingParams( + SymmetricKey.DES3, KeyGenAlgorithm.DES3, 168, +diff --git a/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java b/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java +index 6562699..8ca857b 100644 +--- a/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java ++++ b/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java +@@ -29,6 +29,8 @@ import java.util.Vector; + import org.apache.commons.cli.CommandLine; + import org.apache.commons.cli.Option; + import org.apache.commons.io.FileUtils; ++import org.dogtagpki.common.CAInfoClient; ++import org.dogtagpki.common.KRAInfoResource; + import org.mozilla.jss.CryptoManager; + import org.mozilla.jss.crypto.CryptoToken; + import org.mozilla.jss.crypto.Signature; +@@ -245,8 +247,26 @@ public class ClientCertRequestCLI extends CLI { + CryptoManager manager = CryptoManager.getInstance(); + X509Certificate 
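Review bot: In `getWrappingParams` the same `wrapIVS` is passed for both of the last two `WrappingParams` arguments, so the payload-wrapping IV and the payload-encryption IV are identical; the CryptoUtil hunk later in this patch shows they feed different operations (`encryptPassphrase` reads `getPayloadEncryptionIV()`). If both can ever run under the same session key within one request this is CBC IV reuse; if they are mutually exclusive, say so where the IV is shared, e.g. `// A request carries either a wrapped private key or an encrypted passphrase, never both, so one IV serves both fields.` The new comment also reads `as the a key wrap mechanism`; drop the stray `the`, and it would help to state that `AES_CBC_PAD` carries no integrity check, unlike `AES_KEY_WRAP_PAD`, and presumably exists only for servers that cannot unwrap the latter.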
transportCert = manager.importCACertPackage(transportCertData); + ++ // get archival mechanism ++ CAInfoClient infoClient = new CAInfoClient(client, "ca"); ++ String archivalMechanism = KRAInfoResource.KEYWRAP_MECHANISM; ++ try { ++ archivalMechanism = infoClient.getInfo().getArchivalMechanism(); ++ } catch (Exception e) { ++ // this could be an older server, check for environment variable. ++ String useKeyWrapping = System.getenv("KEY_ARCHIVAL_USE_KEY_WRAPPING"); ++ if (useKeyWrapping != null) { ++ if (Boolean.parseBoolean(useKeyWrapping)) { ++ archivalMechanism = KRAInfoResource.KEYWRAP_MECHANISM; ++ } else { ++ archivalMechanism = KRAInfoResource.ENCRYPT_MECHANISM; ++ } ++ } ++ } ++ + csr = generateCrmfRequest(transportCert, subjectDN, attributeEncoding, +- algorithm, length, curve, sslECDH, temporary, sensitive, extractable, withPop); ++ algorithm, length, curve, sslECDH, temporary, sensitive, extractable, withPop, ++ archivalMechanism); + + } else { + throw new Exception("Unknown request type: " + requestType); +@@ -387,7 +407,8 @@ public class ClientCertRequestCLI extends CLI { + boolean temporary, + int sensitive, + int extractable, +- boolean withPop ++ boolean withPop, ++ String archivalMechanism + ) throws Exception { + + CryptoManager manager = CryptoManager.getInstance(); +@@ -408,7 +429,8 @@ public class ClientCertRequestCLI extends CLI { + throw new Exception("Unknown algorithm: " + algorithm); + } + +- CertRequest certRequest = client.createCertRequest(token, transportCert, algorithm, keyPair, subject); ++ CertRequest certRequest = client.createCertRequest( ++ token, transportCert, algorithm, keyPair, subject, archivalMechanism); + + ProofOfPossession pop = null; + if (withPop) { +diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java +index 3588852..d22856d 100644 +--- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java ++++ 
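Review bot: The `catch (Exception e)` around `infoClient.getInfo()` discards every failure — TLS errors, authorization failures, a malformed response — without a trace, and then lets an environment variable decide how the private key is archived, so a user who sees the request succeed cannot tell that the server's answer was never used. Emit the failure on whatever verbose or debug path this CLI has, e.g. `System.err.println("WARNING: unable to retrieve archival mechanism from server, using default: " + e);`, and narrow the catch if the client API exposes a specific exception type. The string returned by `getArchivalMechanism()` is not checked against `KEYWRAP_MECHANISM`/`ENCRYPT_MECHANISM`; anything else silently becomes key wrapping in `CRMFPopClient.getWrappingParams`, which is the safer direction but deserves a comment here. The enclosing method starts and ends outside the hunk.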
b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java +@@ -1962,7 +1962,7 @@ public class CryptoUtil { + return decodedData; + } + +- public static byte[] wrapPassphrase(CryptoToken token, String passphrase, IVParameterSpec IV, SymmetricKey sk, ++ public static byte[] encryptPassphrase(CryptoToken token, String passphrase, IVParameterSpec IV, SymmetricKey sk, + EncryptionAlgorithm alg) + throws NoSuchAlgorithmException, TokenException, InvalidKeyException, + InvalidAlgorithmParameterException, IllegalBlockSizeException, BadPaddingException, IOException { +@@ -2010,17 +2010,6 @@ public class CryptoUtil { + return encodePKIArchiveOptions(opts); + } + +- /* Used to create PKIArchiveOptions for wrapped symmetric key */ +- public static PKIArchiveOptions createPKIArchiveOptions( +- CryptoToken token, +- PublicKey wrappingKey, +- SymmetricKey data, +- WrappingParams params, +- AlgorithmIdentifier aid) throws Exception { +- return createPKIArchiveOptionsInternal( +- token, wrappingKey, null, null, data, params, aid); +- } +- + public static byte[] createEncodedPKIArchiveOptions( + CryptoToken token, + PublicKey wrappingKey, +@@ -2068,10 +2057,9 @@ public class CryptoUtil { + params.getSkLength(), + null, + false); +- + byte[] key_data; + if (passphraseData != null) { +- key_data = wrapPassphrase( ++ key_data = encryptPassphrase( + token, + passphraseData, + params.getPayloadEncryptionIV(), +-- +1.8.3.1 + + +From d9d8b19bef7c91c2e3d33618869ea6426ecb4a36 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Wed, 12 Apr 2017 21:44:31 +0200 +Subject: [PATCH 50/59] Updated CMS.getLogMessage(). + +The CMS.getLogMessage() has been generalized to take an array of +Objects instead of Strings. 
+ +Change-Id: Ifcb96d47983a67961efa27325b8ae0a88d9e0231 +--- + base/common/src/com/netscape/certsrv/apps/CMS.java | 2 +- + base/common/src/com/netscape/certsrv/apps/ICMSEngine.java | 2 +- + base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java | 2 +- + base/server/test/com/netscape/cmscore/app/CMSEngineDefaultStub.java | 2 +- + 4 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/base/common/src/com/netscape/certsrv/apps/CMS.java b/base/common/src/com/netscape/certsrv/apps/CMS.java +index d2210df..8f1d648 100644 +--- a/base/common/src/com/netscape/certsrv/apps/CMS.java ++++ b/base/common/src/com/netscape/certsrv/apps/CMS.java +@@ -701,7 +701,7 @@ public final class CMS { + * @param p an array of parameters + * @return localized log message + */ +- public static String getLogMessage(String msgID, String p[]) { ++ public static String getLogMessage(String msgID, Object p[]) { + return _engine.getLogMessage(msgID, p); + } + +diff --git a/base/common/src/com/netscape/certsrv/apps/ICMSEngine.java b/base/common/src/com/netscape/certsrv/apps/ICMSEngine.java +index 97fc467..3655b03 100644 +--- a/base/common/src/com/netscape/certsrv/apps/ICMSEngine.java ++++ b/base/common/src/com/netscape/certsrv/apps/ICMSEngine.java +@@ -334,7 +334,7 @@ public interface ICMSEngine extends ISubsystem { + * @param p an array of parameters + * @return localized log message + */ +- public String getLogMessage(String msgID, String p[]); ++ public String getLogMessage(String msgID, Object p[]); + + /** + * Retrieves the centralized log message from LogMessages.properties. 
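Review bot: Changing `getLogMessage(String msgID, String p[])` to `Object p[]` on the public `CMS` facade (and on `ICMSEngine`, `CMSEngine` and `CMSEngineDefaultStub` in the following hunks) is source-compatible but not binary-compatible: any plugin or extension compiled against the old `(String, String[])` descriptor fails with `NoSuchMethodError` at runtime until it is rebuilt. If anything outside this tree links against it, keep a delegating overload, `public static String getLogMessage(String msgID, String p[]) { return getLogMessage(msgID, (Object[]) p); }`, or state the break in the commit message. The Javadoc above still says only `an array of parameters`; it should now say how non-String entries are rendered, which I cannot confirm from here because the `CMSEngine` body is cut off.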
+diff --git a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java +index 90ee8b9..ef9a6a2 100644 +--- a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java ++++ b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java +@@ -1583,7 +1583,7 @@ public class CMSEngine implements ICMSEngine { + return getUserMessage(locale, msgID, params); + } + +- public String getLogMessage(String msgID, String params[]) { ++ public String getLogMessage(String msgID, Object params[]) { + ResourceBundle rb = ResourceBundle.getBundle( + "LogMessages"); + String msg = rb.getString(msgID); +diff --git a/base/server/test/com/netscape/cmscore/app/CMSEngineDefaultStub.java b/base/server/test/com/netscape/cmscore/app/CMSEngineDefaultStub.java +index d6305cb..dd28adb 100644 +--- a/base/server/test/com/netscape/cmscore/app/CMSEngineDefaultStub.java ++++ b/base/server/test/com/netscape/cmscore/app/CMSEngineDefaultStub.java +@@ -211,7 +211,7 @@ public class CMSEngineDefaultStub implements ICMSEngine { + return null; + } + +- public String getLogMessage(String msgID, String p[]) { ++ public String getLogMessage(String msgID, Object p[]) { + return null; + } + +-- +1.8.3.1 + + +From 92b68d7ab3f58ad80a545f550f0598de2c43da2c Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Thu, 13 Apr 2017 01:45:37 +0200 +Subject: [PATCH 51/59] Added methods to log AuditEvent object. + +New audit(AuditEvent) methods have been added alongside the +existing audit(String) methods. 
+ +Change-Id: Ia02a7daa8b9e8693208fe34309d8d727cc32ce54 +--- + base/ca/src/com/netscape/ca/CAService.java | 10 ++++++++++ + .../src/com/netscape/kra/AsymKeyGenService.java | 10 ++++++++++ + .../src/com/netscape/kra/EnrollmentService.java | 10 ++++++++++ + .../src/com/netscape/kra/KeyRecoveryAuthority.java | 10 ++++++++++ + .../src/com/netscape/kra/NetkeyKeygenService.java | 10 ++++++++++ + .../com/netscape/kra/SecurityDataProcessor.java | 10 ++++++++++ + .../kra/src/com/netscape/kra/SymKeyGenService.java | 10 ++++++++++ + .../com/netscape/kra/TokenKeyRecoveryService.java | 9 +++++++++ + .../com/netscape/cms/authentication/CMCAuth.java | 10 ++++++++++ + .../cms/src/com/netscape/cms/logging/LogFile.java | 10 ++++++++++ + .../netscape/cms/profile/common/BasicProfile.java | 11 +++++++++++ + .../netscape/cms/profile/input/EnrollInput.java | 10 ++++++++++ + .../cms/profile/updater/SubsystemGroupUpdater.java | 14 +++++++++++-- + .../cms/src/com/netscape/cms/realm/PKIRealm.java | 10 ++++++++++ + .../com/netscape/cms/servlet/base/CMSServlet.java | 10 ++++++++++ + .../cms/servlet/connector/ConnectorServlet.java | 10 ++++++++++ + .../cms/servlet/processors/CAProcessor.java | 10 ++++++++++ + .../cms/servlet/processors/PKIProcessor.java | 23 ++++++++++++++++------ + .../org/dogtagpki/server/rest/ACLInterceptor.java | 10 ++++++++++ + .../src/com/netscape/cmscore/cert/CertUtils.java | 10 ++++++++++ + .../src/com/netscape/cmscore/logging/Auditor.java | 11 +++++++++++ + .../cmscore/selftests/SelfTestSubsystem.java | 10 ++++++++++ + .../server/tps/processor/TPSProcessor.java | 10 ++++++++++ + 23 files changed, 240 insertions(+), 8 deletions(-) + +diff --git a/base/ca/src/com/netscape/ca/CAService.java b/base/ca/src/com/netscape/ca/CAService.java +index 5b364b8..2ad1967 100644 +--- a/base/ca/src/com/netscape/ca/CAService.java ++++ b/base/ca/src/com/netscape/ca/CAService.java +@@ -1177,6 +1177,16 @@ public class CAService implements ICAService, IService { + msg); + } + ++ protected 
void audit(AuditEvent event) { ++ ++ String template = event.getMessage(); ++ Object[] params = event.getParameters(); ++ ++ String message = CMS.getLogMessage(template, params); ++ ++ audit(message); ++ } ++ + /** + * Signed Audit Log Subject ID + * +diff --git a/base/kra/src/com/netscape/kra/AsymKeyGenService.java b/base/kra/src/com/netscape/kra/AsymKeyGenService.java +index 75e340c..bd2be70 100644 +--- a/base/kra/src/com/netscape/kra/AsymKeyGenService.java ++++ b/base/kra/src/com/netscape/kra/AsymKeyGenService.java +@@ -228,6 +228,16 @@ public class AsymKeyGenService implements IService { + msg); + } + ++ protected void audit(AuditEvent event) { ++ ++ String template = event.getMessage(); ++ Object[] params = event.getParameters(); ++ ++ String message = CMS.getLogMessage(template, params); ++ ++ audit(message); ++ } ++ + private void auditAsymKeyGenRequestProcessed(String subjectID, String status, RequestId requestID, + String clientKeyID, + String keyID, String reason) { +diff --git a/base/kra/src/com/netscape/kra/EnrollmentService.java b/base/kra/src/com/netscape/kra/EnrollmentService.java +index d2748a2..7c179d4 100644 +--- a/base/kra/src/com/netscape/kra/EnrollmentService.java ++++ b/base/kra/src/com/netscape/kra/EnrollmentService.java +@@ -1034,4 +1034,14 @@ public class EnrollmentService implements IService { + ILogger.LL_SECURITY, + msg); + } ++ ++ protected void audit(AuditEvent event) { ++ ++ String template = event.getMessage(); ++ Object[] params = event.getParameters(); ++ ++ String message = CMS.getLogMessage(template, params); ++ ++ audit(message); ++ } + } +diff --git a/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java b/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java +index b6e4376..1df04db 100644 +--- a/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java ++++ b/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java +@@ -1570,6 +1570,16 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove + msg); 
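Review bot: The identical eight-line `audit(AuditEvent)` body added here in CAService is pasted into 22 more classes in this commit (AsymKeyGenService, EnrollmentService, KeyRecoveryAuthority, NetkeyKeygenService, SecurityDataProcessor, SymKeyGenService, TokenKeyRecoveryService, CMCAuth, LogFile, BasicProfile, EnrollInput, SubsystemGroupUpdater, PKIRealm, CMSServlet, ConnectorServlet, CAProcessor, PKIProcessor, ACLInterceptor, CertUtils, Auditor, SelfTestSubsystem, TPSProcessor). The template-to-message step is where signed audit records get their final text, so any later fix there — null parameters, escaping of caller-supplied values such as subject names — would have to be repeated 23 times; one helper, e.g. `public static String getLogMessage(AuditEvent event)` on CMS, with each class reduced to `audit(CMS.getLogMessage(event));`, keeps it in one place. The new method also lacks a Javadoc line, e.g. `/** Formats the event's message template with its parameters and writes it to the signed audit log. */`. Whether `CMS.getLogMessage` tolerates a null `getParameters()` is not visible here and is worth confirming.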
+ } + ++ protected void audit(AuditEvent event) { ++ ++ String template = event.getMessage(); ++ Object[] params = event.getParameters(); ++ ++ String message = CMS.getLogMessage(template, params); ++ ++ audit(message); ++ } ++ + /** + * Signed Audit Log Subject ID + * +diff --git a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java +index 665ff19..4926873 100644 +--- a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java ++++ b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java +@@ -708,4 +708,14 @@ public class NetkeyKeygenService implements IService { + ILogger.LL_SECURITY, + msg); + } ++ ++ protected void audit(AuditEvent event) { ++ ++ String template = event.getMessage(); ++ Object[] params = event.getParameters(); ++ ++ String message = CMS.getLogMessage(template, params); ++ ++ audit(message); ++ } + } +diff --git a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java +index 78d64c5..05dccb9 100644 +--- a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java ++++ b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java +@@ -770,6 +770,16 @@ public class SecurityDataProcessor { + msg); + } + ++ protected void audit(AuditEvent event) { ++ ++ String template = event.getMessage(); ++ Object[] params = event.getParameters(); ++ ++ String message = CMS.getLogMessage(template, params); ++ ++ audit(message); ++ } ++ + private void auditRecoveryRequestProcessed(String subjectID, String status, RequestId requestID, + String keyID, String reason) { + String auditMessage = CMS.getLogMessage( +diff --git a/base/kra/src/com/netscape/kra/SymKeyGenService.java b/base/kra/src/com/netscape/kra/SymKeyGenService.java +index f700a79..0dfd3a2 100644 +--- a/base/kra/src/com/netscape/kra/SymKeyGenService.java ++++ b/base/kra/src/com/netscape/kra/SymKeyGenService.java +@@ -247,6 +247,16 @@ public class SymKeyGenService implements IService { + msg); 
+ } + ++ protected void audit(AuditEvent event) { ++ ++ String template = event.getMessage(); ++ Object[] params = event.getParameters(); ++ ++ String message = CMS.getLogMessage(template, params); ++ ++ audit(message); ++ } ++ + private void auditSymKeyGenRequestProcessed(String subjectID, String status, RequestId requestID, String clientKeyID, + String keyID, String reason) { + String auditMessage = CMS.getLogMessage( +diff --git a/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java b/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java +index b710291..67f4dc6 100644 +--- a/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java ++++ b/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java +@@ -733,4 +733,13 @@ public class TokenKeyRecoveryService implements IService { + msg); + } + ++ protected void audit(AuditEvent event) { ++ ++ String template = event.getMessage(); ++ Object[] params = event.getParameters(); ++ ++ String message = CMS.getLogMessage(template, params); ++ ++ audit(message); ++ } + } +diff --git a/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java b/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java +index 02aceb4..b898353 100644 +--- a/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java ++++ b/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java +@@ -1073,6 +1073,16 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, + msg); + } + ++ protected void audit(AuditEvent event) { ++ ++ String template = event.getMessage(); ++ Object[] params = event.getParameters(); ++ ++ String message = CMS.getLogMessage(template, params); ++ ++ audit(message); ++ } ++ + /** + * Signed Audit Log Subject ID + * +diff --git a/base/server/cms/src/com/netscape/cms/logging/LogFile.java b/base/server/cms/src/com/netscape/cms/logging/LogFile.java +index 989fece..772607e 100644 +--- a/base/server/cms/src/com/netscape/cms/logging/LogFile.java ++++ 
b/base/server/cms/src/com/netscape/cms/logging/LogFile.java +@@ -1541,4 +1541,14 @@ public class LogFile implements ILogEventListener, IExtendedPluginInfo { + ILogger.LL_SECURITY, + msg); + } ++ ++ protected void audit(AuditEvent event) { ++ ++ String template = event.getMessage(); ++ Object[] params = event.getParameters(); ++ ++ String message = CMS.getLogMessage(template, params); ++ ++ audit(message); ++ } + } +diff --git a/base/server/cms/src/com/netscape/cms/profile/common/BasicProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/BasicProfile.java +index ff97bfa..e6fc045 100644 +--- a/base/server/cms/src/com/netscape/cms/profile/common/BasicProfile.java ++++ b/base/server/cms/src/com/netscape/cms/profile/common/BasicProfile.java +@@ -30,6 +30,7 @@ import com.netscape.certsrv.base.EBaseException; + import com.netscape.certsrv.base.IConfigStore; + import com.netscape.certsrv.base.SessionContext; + import com.netscape.certsrv.common.NameValuePairs; ++import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.ILogger; + import com.netscape.certsrv.profile.EProfileException; + import com.netscape.certsrv.profile.ERejectException; +@@ -1173,6 +1174,16 @@ public abstract class BasicProfile implements IProfile { + msg); + } + ++ protected void audit(AuditEvent event) { ++ ++ String template = event.getMessage(); ++ Object[] params = event.getParameters(); ++ ++ String message = CMS.getLogMessage(template, params); ++ ++ audit(message); ++ } ++ + /** + * Signed Audit Log Subject ID + * +diff --git a/base/server/cms/src/com/netscape/cms/profile/input/EnrollInput.java b/base/server/cms/src/com/netscape/cms/profile/input/EnrollInput.java +index 81e71c4..84a6398 100644 +--- a/base/server/cms/src/com/netscape/cms/profile/input/EnrollInput.java ++++ b/base/server/cms/src/com/netscape/cms/profile/input/EnrollInput.java +@@ -263,6 +263,16 @@ public abstract class EnrollInput implements IProfileInput { + msg); + } + ++ protected void 
audit(AuditEvent event) { ++ ++ String template = event.getMessage(); ++ Object[] params = event.getParameters(); ++ ++ String message = CMS.getLogMessage(template, params); ++ ++ audit(message); ++ } ++ + /** + * Signed Audit Log Subject ID + * +diff --git a/base/server/cms/src/com/netscape/cms/profile/updater/SubsystemGroupUpdater.java b/base/server/cms/src/com/netscape/cms/profile/updater/SubsystemGroupUpdater.java +index 2f47efa..7daa8e4 100644 +--- a/base/server/cms/src/com/netscape/cms/profile/updater/SubsystemGroupUpdater.java ++++ b/base/server/cms/src/com/netscape/cms/profile/updater/SubsystemGroupUpdater.java +@@ -21,8 +21,6 @@ import java.util.Enumeration; + import java.util.Locale; + import java.util.Vector; + +-import netscape.security.x509.X509CertImpl; +- + import com.netscape.certsrv.apps.CMS; + import com.netscape.certsrv.base.ConflictingOperationException; + import com.netscape.certsrv.base.EBaseException; +@@ -42,6 +40,8 @@ import com.netscape.certsrv.usrgrp.IGroup; + import com.netscape.certsrv.usrgrp.IUGSubsystem; + import com.netscape.certsrv.usrgrp.IUser; + ++import netscape.security.x509.X509CertImpl; ++ + /** + * This updater class will create the new user to the subsystem group and + * then add the subsystem certificate to the user. 
+@@ -279,6 +279,16 @@ public class SubsystemGroupUpdater implements IProfileUpdater { + msg); + } + ++ protected void audit(AuditEvent event) { ++ ++ String template = event.getMessage(); ++ Object[] params = event.getParameters(); ++ ++ String message = CMS.getLogMessage(template, params); ++ ++ audit(message); ++ } ++ + private String auditSubjectID() { + if (mSignedAuditLogger == null) { + return null; +diff --git a/base/server/cms/src/com/netscape/cms/realm/PKIRealm.java b/base/server/cms/src/com/netscape/cms/realm/PKIRealm.java +index 28fb0b9..bcd3ff8 100644 +--- a/base/server/cms/src/com/netscape/cms/realm/PKIRealm.java ++++ b/base/server/cms/src/com/netscape/cms/realm/PKIRealm.java +@@ -227,4 +227,14 @@ public class PKIRealm extends RealmBase { + ILogger.LL_SECURITY, + msg); + } ++ ++ protected void audit(AuditEvent event) { ++ ++ String template = event.getMessage(); ++ Object[] params = event.getParameters(); ++ ++ String message = CMS.getLogMessage(template, params); ++ ++ audit(message); ++ } + } +diff --git a/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java b/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java +index c7fc03b..a007a00 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java +@@ -2068,6 +2068,16 @@ public abstract class CMSServlet extends HttpServlet { + msg); + } + ++ protected void audit(AuditEvent event) { ++ ++ String template = event.getMessage(); ++ Object[] params = event.getParameters(); ++ ++ String message = CMS.getLogMessage(template, params); ++ ++ audit(message); ++ } ++ + /** + * Signed Audit Log Subject ID + * +diff --git a/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java b/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java +index 2299e60..13c732b 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java ++++ 
b/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java +@@ -1025,6 +1025,16 @@ public class ConnectorServlet extends CMSServlet { + msg); + } + ++ protected void audit(AuditEvent event) { ++ ++ String template = event.getMessage(); ++ Object[] params = event.getParameters(); ++ ++ String message = CMS.getLogMessage(template, params); ++ ++ audit(message); ++ } ++ + /** + * Signed Audit Log Profile ID + * +diff --git a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java +index ad79cbb..8c4fef1 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java +@@ -945,6 +945,16 @@ public class CAProcessor extends Processor { + msg); + } + ++ protected void audit(AuditEvent event) { ++ ++ String template = event.getMessage(); ++ Object[] params = event.getParameters(); ++ ++ String message = CMS.getLogMessage(template, params); ++ ++ audit(message); ++ } ++ + /** + * Signed Audit Log Requester ID + * +diff --git a/base/server/cms/src/com/netscape/cms/servlet/processors/PKIProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/processors/PKIProcessor.java +index bea8993..e6ee2db 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/processors/PKIProcessor.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/processors/PKIProcessor.java +@@ -23,12 +23,6 @@ import java.util.Date; + + import javax.servlet.http.HttpServletRequest; + +-import netscape.security.x509.CertificateExtensions; +-import netscape.security.x509.CertificateSubjectName; +-import netscape.security.x509.CertificateValidity; +-import netscape.security.x509.X500Name; +-import netscape.security.x509.X509CertInfo; +- + import com.netscape.certsrv.apps.CMS; + import com.netscape.certsrv.authentication.AuthToken; + import com.netscape.certsrv.authentication.IAuthToken; +@@ 
-36,11 +30,18 @@ import com.netscape.certsrv.base.EBaseException; + import com.netscape.certsrv.base.IArgBlock; + import com.netscape.certsrv.base.SessionContext; + import com.netscape.certsrv.common.ICMSRequest; ++import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.ILogger; + import com.netscape.certsrv.request.IRequest; + import com.netscape.cms.servlet.base.CMSServlet; + import com.netscape.cms.servlet.common.ECMSGWException; + ++import netscape.security.x509.CertificateExtensions; ++import netscape.security.x509.CertificateSubjectName; ++import netscape.security.x509.CertificateValidity; ++import netscape.security.x509.X500Name; ++import netscape.security.x509.X509CertInfo; ++ + /** + * Process Certificate Requests + * +@@ -316,6 +317,16 @@ public class PKIProcessor implements IPKIProcessor { + msg); + } + ++ protected void audit(AuditEvent event) { ++ ++ String template = event.getMessage(); ++ Object[] params = event.getParameters(); ++ ++ String message = CMS.getLogMessage(template, params); ++ ++ audit(message); ++ } ++ + /** + * Signed Audit Log Subject ID + * +diff --git a/base/server/cms/src/org/dogtagpki/server/rest/ACLInterceptor.java b/base/server/cms/src/org/dogtagpki/server/rest/ACLInterceptor.java +index 86996d5..331bae1 100644 +--- a/base/server/cms/src/org/dogtagpki/server/rest/ACLInterceptor.java ++++ b/base/server/cms/src/org/dogtagpki/server/rest/ACLInterceptor.java +@@ -351,4 +351,14 @@ public class ACLInterceptor implements ContainerRequestFilter { + ILogger.LL_SECURITY, + msg); + } ++ ++ protected void audit(AuditEvent event) { ++ ++ String template = event.getMessage(); ++ Object[] params = event.getParameters(); ++ ++ String message = CMS.getLogMessage(template, params); ++ ++ audit(message); ++ } + } +diff --git a/base/server/cmscore/src/com/netscape/cmscore/cert/CertUtils.java b/base/server/cmscore/src/com/netscape/cmscore/cert/CertUtils.java +index e1c4c76..6691f7a 100644 +--- 
a/base/server/cmscore/src/com/netscape/cmscore/cert/CertUtils.java ++++ b/base/server/cmscore/src/com/netscape/cmscore/cert/CertUtils.java +@@ -1102,4 +1102,14 @@ public class CertUtils { + msg); + } + ++ protected void audit(AuditEvent event) { ++ ++ String template = event.getMessage(); ++ Object[] params = event.getParameters(); ++ ++ String message = CMS.getLogMessage(template, params); ++ ++ audit(message); ++ } ++ + } +diff --git a/base/server/cmscore/src/com/netscape/cmscore/logging/Auditor.java b/base/server/cmscore/src/com/netscape/cmscore/logging/Auditor.java +index 8c99e67..48dfe3a 100644 +--- a/base/server/cmscore/src/com/netscape/cmscore/logging/Auditor.java ++++ b/base/server/cmscore/src/com/netscape/cmscore/logging/Auditor.java +@@ -24,6 +24,7 @@ import java.util.Map; + import com.netscape.certsrv.apps.CMS; + import com.netscape.certsrv.base.SessionContext; + import com.netscape.certsrv.common.Constants; ++import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.IAuditor; + import com.netscape.certsrv.logging.ILogger; + import com.netscape.certsrv.usrgrp.IGroup; +@@ -218,4 +219,14 @@ public class Auditor implements IAuditor { + ILogger.LL_SECURITY, + message); + } ++ ++ protected void audit(AuditEvent event) { ++ ++ String template = event.getMessage(); ++ Object[] params = event.getParameters(); ++ ++ String message = CMS.getLogMessage(template, params); ++ ++ log(message); ++ } + } +diff --git a/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java b/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java +index 95556b9..6ee3176 100644 +--- a/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java ++++ b/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java +@@ -127,6 +127,16 @@ public class SelfTestSubsystem + msg); + } + ++ protected void audit(AuditEvent event) { ++ ++ String template = event.getMessage(); ++ Object[] params = 
event.getParameters(); ++ ++ String message = CMS.getLogMessage(template, params); ++ ++ audit(message); ++ } ++ + /** + * This helper method returns the "full" property name (the corresponding + * substore name prepended in front of the plugin/parameter name). This +diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java +index 910a263..0cfac59 100644 +--- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java ++++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java +@@ -4264,6 +4264,16 @@ public class TPSProcessor { + msg); + } + ++ protected void audit(AuditEvent event) { ++ ++ String template = event.getMessage(); ++ Object[] params = event.getParameters(); ++ ++ String message = CMS.getLogMessage(template, params); ++ ++ audit(message); ++ } ++ + public static void main(String[] args) { + } + +-- +1.8.3.1 + + +From 164087b1fc302dd8b125cd52e9e55f54ea97e09d Mon Sep 17 00:00:00 2001 +From: Jack Magne +Date: Fri, 24 Mar 2017 15:56:17 -0700 +Subject: [PATCH 52/59] SCP03 support for g&d sc 7 card. + +This allows the use of the g&d 7 card. +This will require the following: + +1. An out of band method is needed to generate an AES based master key. +We do not as of yet have support with tkstool for this: + +Ex: + +/usr/lib64/nss/unsupported-tools/symkeyutil -d . -K -n new_master_aes -t aes -s 16 + +2. There are some new config params that can be adjusted to support either the 6.0 or 7.0 cards: + +Ex: + +tks.defKeySet._005=## tks.prot3 , protocol 3 specific settings +tks.defKeySet._006=## divers= emv,visa2 : Values for the master key case, or > version one. +tks.defKeySet._007=## diversVer1 = emv,visa2, or none. This is for developer or version one keyset +tks.defKeySet._008=## devKeyType = DES3or AES. This is for the key type of developer or version one keys. +tks.defKeySet._009=## masterKeyType = DES3 or AES. 
This is for the type of key for the master key. +tks.defKeySet._010=## +tks.defKeySet._011=## Only supports two tokens now: G&D Smart Cafe 6 and Smart Cafe 7, use these exact settings +tks.defKeySet._013=## Smart Cafe 6 settings: +tks.defKeySet._014=## tks.defKeySet.prot3.divers=emv +tks.defKeySet._015=## tks.defKeySet.prot3.diversVer1Keys=emv +tks.defKeySet._016=## tks.defKeySet.prot3.devKeyType=DES3 +tks.defKeySet._017=## tks.defKeySet.prot3.masterKeyType=DES3 +tks.defKeySet._018=##Smart Cafe 7 settings: +tks.defKeySet._019=## tks.defKeySet.prot3.divers=none +tks.defKeySet._020=## tks.defKeySet.prot3.diversVer1Keys=none +tks.defKeySet._021=## tks.defKeySet.prot3.devKeyType=AES +tks.defKeySet._022=## tks.defKeySet.prot3.masterKeyType=AES +tks.defKeySet._023=## +tks.defKeySet._024=## +--- + .../src/com/netscape/cms/servlet/tks/GPParams.java | 21 ++++ + .../netscape/cms/servlet/tks/NistSP800_108KDF.java | 114 +++++---------------- + .../cms/servlet/tks/SecureChannelProtocol.java | 107 ++++++++++++++----- + .../com/netscape/cms/servlet/tks/TokenServlet.java | 20 ++++ + base/tks/shared/conf/CS.cfg | 24 +++++ + base/tps/shared/conf/CS.cfg | 2 +- + 6 files changed, 174 insertions(+), 114 deletions(-) + +diff --git a/base/server/cms/src/com/netscape/cms/servlet/tks/GPParams.java b/base/server/cms/src/com/netscape/cms/servlet/tks/GPParams.java +index f16481b..bda4e66 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/tks/GPParams.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/tks/GPParams.java +@@ -30,6 +30,8 @@ public class GPParams { + public static String DIVER_NONE = "none"; + public static String DIVER_VISA2 = "visa2"; + public static String NIST_SP800 = "nistsp_800"; ++ public static String AES = "AES"; ++ public static String DES3 ="DES3"; + + public GPParams() { + } +@@ -39,6 +41,25 @@ public class GPParams { + //Diversification scheme for just version one or developer keys + private String version1DiversificationScheme; + ++ private String 
devKeyType; ++ private String masterKeyType; ++ ++ public String getDevKeyType() { ++ return devKeyType; ++ } ++ ++ public String getMasterKeyType() { ++ return masterKeyType; ++ } ++ ++ public void setDevKeyType(String newType) { ++ devKeyType = newType; ++ } ++ ++ public void setMasterKeyType(String newType) { ++ masterKeyType = newType; ++ } ++ + public boolean isDiversEmv() { + if (DIVER_EMV.equalsIgnoreCase(diversificationScheme)) + return true; +diff --git a/base/server/cms/src/com/netscape/cms/servlet/tks/NistSP800_108KDF.java b/base/server/cms/src/com/netscape/cms/servlet/tks/NistSP800_108KDF.java +index ad4a370..1f2c1b5 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/tks/NistSP800_108KDF.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/tks/NistSP800_108KDF.java +@@ -461,8 +461,8 @@ public class NistSP800_108KDF extends KDF { + // Collection of informal invocations of api used to create various session keys + // Done with test data. + public static void main(String[] args) { +-/* +- Options options = new Options(); ++ ++ /* Options options = new Options(); + + options.addOption("d", true, "Directory for tokendb"); + +@@ -474,15 +474,20 @@ public class NistSP800_108KDF extends KDF { + (byte) 0x4f }; + + byte test_cuid[] = { (byte) 0x47,(byte) 0x90,(byte)0x50,(byte)0x37,(byte)0x72,(byte)0x71,(byte)0x97,(byte)0x00,(byte)0x74,(byte)0xA9 }; +- byte test_kdd[] = { (byte)0x00, (byte)0x00, (byte)0x50, (byte)0x24,(byte) 0x97,(byte) 0x00,(byte) 0x74, (byte) 0xA9, (byte)0x72,(byte)0x71 }; ++ byte test_kdd[] = { 0x00 ,0x00, 0x04 ,(byte)0x47 ,0x00 ,(byte)0x1F ,0x00 ,(byte)0x46 ,(byte)0xA7 ,0x02 }; ++ + ++ byte test_host_challenge[] = { (byte)0x2F ,(byte)0xB7 ,(byte)0x9F ,(byte)0xB7 ,(byte)0x04 ,(byte)0xFA ,(byte)0x60 ,(byte)0xE8 }; ++ byte test_card_challenge[] = { (byte)0xB9,(byte) 0x69 ,(byte)0xB0 ,(byte)0xCA ,(byte)0x37 ,(byte)0x27 ,(byte)0x2F ,(byte)0x89}; + +- byte test_host_challenge[] = { 0x06 ,(byte)0xA4 ,0x46 ,0x57 ,(byte) 0x8B ,0x65 ,0x48 
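Review bot: `setDevKeyType`/`setMasterKeyType` in the `@@ -39,6 +41,25 @@` hunk accept any string, and the consumers only test `equalsIgnoreCase(AES)` / `equalsIgnoreCase(DES3)`, so a misspelt CS.cfg value such as `aes128` is neither and falls through to whatever the callers' else branches do at key-derivation time. Validating in the setters, `if (!AES.equalsIgnoreCase(newType) && !DES3.equalsIgnoreCase(newType)) throw new IllegalArgumentException("unsupported key type: " + newType);`, surfaces the mistake when the config is read instead. The two new fields also lack the one-line comment that `version1DiversificationScheme` has; `// Key algorithm (AES or DES3) of the developer/version-1 keys and of the master key` would document the accepted values.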
,0x51 }; +- byte test_card_challenge[] = { (byte) 0xAD ,(byte) 0x2E ,(byte)0xD0 ,0x1E ,0x7C ,0x2D ,0x0C ,0x6F}; ++ byte test_host_challenge_1[] = { (byte)0xD9 ,(byte)0xA0 ,(byte)0x0E ,(byte)0x36 ,(byte)0x69 ,(byte)0x67 ,(byte)0xFA ,(byte)0xFB }; ++ byte test_card_challenge_1[] = {(byte)0x08 ,(byte) 0xF3 ,(byte) 0xE2 ,(byte)0xC3 ,0x72 ,(byte)0xF0 ,(byte)0xBE ,0x26 }; + +- byte test_key_info[] = { (byte) 0x02,(byte) 03,(byte) 00 }; ++ byte test_key_info[] = { (byte) 0x01,(byte) 03,(byte) 70 }; + byte test_old_key_info[] = {0x01,0x03,0x00}; + ++ byte test_sequence_counter[] = { 0x00 ,0x00 ,0x06 }; ++ + try { + CommandLineParser parser = new DefaultParser(); + CommandLine cmd = parser.parse(options, args); +@@ -500,11 +505,6 @@ public class NistSP800_108KDF extends KDF { + SymmetricKey macKey = null; + SymmetricKey kekKey = null; + +- SymmetricKey putEncKey = null; +- SymmetricKey putMacKey = null; +- SymmetricKey putKekKey = null; +- +- SymmetricKey tempKey = null; + + try { + CryptoManager.initialize(db_dir); +@@ -512,113 +512,55 @@ public class NistSP800_108KDF extends KDF { + + CryptoToken token = cm.getInternalKeyStorageToken(); + +- KeyGenerator kg = token.getKeyGenerator(KeyGenAlgorithm.AES); +- +- SymmetricKey.Usage usages[] = new SymmetricKey.Usage[4]; +- usages[0] = SymmetricKey.Usage.WRAP; +- usages[1] = SymmetricKey.Usage.UNWRAP; +- usages[2] = SymmetricKey.Usage.ENCRYPT; +- usages[3] = SymmetricKey.Usage.DECRYPT; +- +- kg.setKeyUsages(usages); +- kg.temporaryKeys(true); +- kg.initialize(128); +- tempKey = kg.generate(); +- +- +- Cipher encryptor = token.getCipherContext(EncryptionAlgorithm.AES_128_CBC); +- +- int ivLength = EncryptionAlgorithm.AES_128_CBC.getIVLength(); +- byte[] iv = null; +- +- if (ivLength > 0) { +- iv = new byte[ivLength]; // all zeroes +- } +- +- encryptor.initEncrypt(tempKey, new IVParameterSpec(iv)); +- byte[] wrappedKey = encryptor.doFinal(devKey); +- +- KeyWrapper keyWrap = token.getKeyWrapper(KeyWrapAlgorithm.AES_CBC); +- 
keyWrap.initUnwrap(tempKey, new IVParameterSpec(iv)); +- +- encKey = keyWrap.unwrapSymmetric(wrappedKey, SymmetricKey.DES3, 16); +- macKey = keyWrap.unwrapSymmetric(wrappedKey, SymmetricKey.DES3, 16); +- kekKey = keyWrap.unwrapSymmetric(wrappedKey, SymmetricKey.DES3, 16); +- + String transportName = "TPS-dhcp-16-206.sjc.redhat.com-8443 sharedSecret"; + SecureChannelProtocol prot = new SecureChannelProtocol(SecureChannelProtocol.PROTOCOL_THREE); + + SymmetricKey masterKey = SecureChannelProtocol.getSymKeyByName(token,"new_master"); + + GPParams params = new GPParams(); +- params.setVersion1DiversificationScheme("visa2"); +- params.setDiversificationScheme("visa2"); +- +- putEncKey = prot.computeSessionKey_SCP03("internal", "new_master",test_old_key_info, +- SecureChannelProtocol.encType, devKey, "defKeySet", test_cuid, test_kdd, null, null, +- transportName,params); +- +- putMacKey = prot.computeSessionKey_SCP03("internal", "new_master",test_old_key_info, +- SecureChannelProtocol.macType, devKey, "defKeySet", test_cuid, test_kdd, null, null, +- transportName,params); +- +- putKekKey = prot.computeSessionKey_SCP03("internal", "new_master",test_old_key_info, +- SecureChannelProtocol.kekType, devKey, "defKeySet", test_cuid, test_kdd, null, null, +- transportName,params); ++ params.setVersion1DiversificationScheme("emv"); ++ params.setDiversificationScheme("emv"); ++ params.setDevKeyType(GPParams.AES); ++ params.setMasterKeyType(GPParams.AES); + + //create test session keys +- encKey = prot.computeSessionKey_SCP03("internal", "new_master",test_key_info, +- SecureChannelProtocol.encType, devKey, "defKeySet", test_cuid, test_kdd, test_host_challenge, test_card_challenge, ++ encKey = prot.computeSessionKey_SCP03("internal", "#01#03#70",test_key_info, ++ SecureChannelProtocol.encType, devKey, "defKeySet", test_cuid, test_kdd, test_host_challenge_1, test_card_challenge_1, + transportName,params); + +- macKey = prot.computeSessionKey_SCP03("internal", 
"new_master",test_key_info, +- SecureChannelProtocol.macType,devKey,"defKeySet", test_cuid, test_kdd, test_host_challenge, test_card_challenge, ++ macKey = prot.computeSessionKey_SCP03("internal", "#01#03#70",test_key_info, ++ SecureChannelProtocol.macType,devKey,"defKeySet", test_cuid, test_kdd, test_host_challenge_1, test_card_challenge_1, + transportName,params); + +- kekKey = prot.computeSessionKey_SCP03("internal", "new_master",test_key_info, +- SecureChannelProtocol.kekType, devKey, "defKeySet", test_cuid, test_kdd, test_host_challenge, test_card_challenge, ++ kekKey = prot.computeSessionKey_SCP03("internal", "#01#03#70",test_key_info, ++ SecureChannelProtocol.kekType, devKey, "defKeySet", test_cuid, test_kdd, test_host_challenge_1, test_card_challenge_1, + transportName,params); + + System.out.println("masterKey: " + masterKey); + + System.out.println("\n"); + +- SecureChannelProtocol.debugByteArray(putEncKey.getKeyData(), " derived putEnc session key data: "); +- SecureChannelProtocol.debugByteArray(putMacKey.getKeyData(), " derived putMac session key data: "); +- SecureChannelProtocol.debugByteArray(putKekKey.getKeyData(), " derived putKek session key data: "); +- +- System.out.println("\n"); + + SecureChannelProtocol.debugByteArray(encKey.getKeyData(), " derived enc session key data: "); + SecureChannelProtocol.debugByteArray(macKey.getKeyData(), " derived mac session key data: "); + SecureChannelProtocol.debugByteArray(kekKey.getKeyData(), " derived kek session key data: "); + +- ByteArrayOutputStream contextStream = new ByteArrayOutputStream(); +- try { +- contextStream.write(test_host_challenge); +- contextStream.write(test_card_challenge); +- } catch (IOException e) { +- } +- +- StandardKDF standard = new StandardKDF(prot); + + ByteArrayOutputStream testContext = new ByteArrayOutputStream(); + +- testContext.write(test_host_challenge); +- testContext.write(test_card_challenge); ++ testContext.write(test_host_challenge_1); ++ 
testContext.write(test_card_challenge_1); ++ ++ SecureChannelProtocol.debugByteArray(testContext.toByteArray(), "Test context bytes: "); + +- NistSP800_108KDF nistKdf = new NistSP800_108KDF(prot); + +- byte[] finalEncBytes = nistKdf.kdf_AES_CMAC_SCP03(encKey, testContext.toByteArray(), (byte) 0x04, 16); +- byte[] finalMacBytes = nistKdf.kdf_AES_CMAC_SCP03(macKey, testContext.toByteArray(), (byte) 0x06, 16); ++ NistSP800_108KDF nistKdf = new NistSP800_108KDF(prot); + +- SymmetricKey sEnc = prot.unwrapAESSymKeyOnToken(token, finalEncBytes, false); +- SymmetricKey sMac = macKey = prot.unwrapAESSymKeyOnToken(token, finalMacBytes, false); + +- byte[] cardCryptoVerify = nistKdf.kdf_AES_CMAC_SCP03(sMac, testContext.toByteArray(), CARD_CRYPTO_KDF_CONSTANT, 8); ++ byte[] cardCryptoVerify = nistKdf.kdf_AES_CMAC_SCP03(macKey, testContext.toByteArray(), CARD_CRYPTO_KDF_CONSTANT, 8); + SecureChannelProtocol.debugByteArray(cardCryptoVerify, " calculated card cryptogram"); + +- byte[] hostCrypto = nistKdf.kdf_AES_CMAC_SCP03(sMac, testContext.toByteArray(), HOST_CRYPTO_KDF_CONSTANT, 8); ++ byte[] hostCrypto = nistKdf.kdf_AES_CMAC_SCP03(macKey, testContext.toByteArray(), HOST_CRYPTO_KDF_CONSTANT, 8); + SecureChannelProtocol.debugByteArray(hostCrypto, " calculated host cryptogram"); + + } catch (AlreadyInitializedException e) { +diff --git a/base/server/cms/src/com/netscape/cms/servlet/tks/SecureChannelProtocol.java b/base/server/cms/src/com/netscape/cms/servlet/tks/SecureChannelProtocol.java +index 371e734..ef0c61b 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/tks/SecureChannelProtocol.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/tks/SecureChannelProtocol.java +@@ -36,6 +36,7 @@ public class SecureChannelProtocol { + static String sharedSecretKeyName = null; + static String masterKeyPrefix = null; + ++ static final int DEF_AES_KEYLENGTH = 16; + static final int KEYLENGTH = 16; + static final int PREFIXLENGHT = 128; + static final int DES2_LENGTH = 16; +@@ 
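Review bot: The rewritten harness in the `@@ -512,113 +512,55 @@` hunk sets `setDiversificationScheme("emv")` / `setVersion1DiversificationScheme("emv")` together with `setDevKeyType(GPParams.AES)` / `setMasterKeyType(GPParams.AES)`, yet in the accompanying SecureChannelProtocol change an AES developer or master key bypasses diversification (`divKey = devSymKey` / `divKey = masterKey`), so as far as I can see this `main` exercises only the no-diversification path and the `emv` settings are inert; a comment such as `// AES dev/master keys skip card-key diversification in computeSessionKey_SCP03; only the challenge context varies` would make that intent explicit. The derived session keys and cryptograms are printed, never compared, so the harness cannot fail; asserting them against the known-answer bytes for these vectors would turn it into a real test. `main` begins outside this hunk.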
-288,7 +289,9 @@ public class SecureChannelProtocol { + + { + String finalKeyType = keyType; +- SymmetricKey devSymKey = returnDeveloperSymKey(token, finalKeyType, keySet, devKeyArray); ++ String devKeyType = params.getDevKeyType(); ++ CMS.debug(method + " Developer key set case: incoming dev key type: " + devKeyType); ++ SymmetricKey devSymKey = returnDeveloperSymKey(token, finalKeyType, keySet, devKeyArray,devKeyType); + + StandardKDF standard = new StandardKDF(this); + SymmetricKey divKey = null; +@@ -297,22 +300,31 @@ public class SecureChannelProtocol { + + //Consult the config to determine with diversification method to use. + if (params.isVer1DiversNone()) { ++ CMS.debug(method + " No diversifcation requested. "); + noDivers = true; + } else if (params.isVer1DiversEmv()) { ++ CMS.debug(method + " EMV diversification requested. "); + keyDiversified = KDF.getDiversificationData_EMV(xKDD, keyType); + } else if (params.isVer1DiversVisa2()) { ++ CMS.debug(method + " Visa2 diversification requested."); + keyDiversified = KDF.getDiversificationData_VISA2(xKDD, keyType); + } else { + throw new EBaseException(method + " Invalid diversification method!"); + } + + //Obtain the card key,it may just be the raw developer key +- if (noDivers == true) { +- divKey = unwrapAESSymKeyOnToken(token, devKeyArray, false); ++ if (noDivers == true || GPParams.AES.equalsIgnoreCase(devKeyType)) { ++ divKey = devSymKey; + } else { + + // The g&d calls for computing the aes card key with DES, it will then be treated as aes +- divKey = standard.computeCardKey_SCP03_WithDES3(devSymKey, keyDiversified, token); ++ // Right now if the dev key type is AES, we do not support any diversification ++ ++ if (GPParams.DES3.equalsIgnoreCase(devKeyType)) { ++ divKey = standard.computeCardKey_SCP03_WithDES3(devSymKey, keyDiversified, token); ++ } else { ++ throw new EBaseException(method + " Invalid devolper key type. 
Does not support diversification: "+ devKeyType); ++ } + } + + NistSP800_108KDF nistKdf = new NistSP800_108KDF(this); +@@ -338,22 +350,35 @@ public class SecureChannelProtocol { + + masterKey = getSymKeyByName(token, keyNameStr); + ++ String masterKeyType = params.getMasterKeyType(); ++ ++ CMS.debug(method + " Master key case: requested master key type: " + masterKeyType); ++ + StandardKDF standard = new StandardKDF(this); + + byte[] keyDiversified = null; + + if (params.isDiversNone()) { +- throw new EBaseException(method + " No diversification requested in master key mode. Aborting..."); ++ if (GPParams.AES.equalsIgnoreCase(masterKeyType)) { ++ CMS.debug(method + " Master key case: no diversification requested: With master key type of AES "); ++ } ++ else { ++ throw new EBaseException(method + " No diversification requested in master key mode. With master key type of DES3: Aborting..."); ++ } + } //Allow choice of emv or standard diversification + else if (params.isDiversEmv()) { + keyDiversified = KDF.getDiversificationData_EMV(xKDD, keyType); + } else if (params.isDiversVisa2()) { + keyDiversified = KDF.getDiversificationData_VISA2(xKDD, keyType); + } +- + SymmetricKey divKey = null; + +- divKey = standard.computeCardKey_SCP03_WithDES3(masterKey, keyDiversified, token); ++ if(GPParams.AES.equalsIgnoreCase(masterKeyType)) { ++ CMS.debug(method + " master key case with AES type."); ++ divKey = masterKey; ++ } else { ++ divKey = standard.computeCardKey_SCP03_WithDES3(masterKey, keyDiversified, token); ++ } + + NistSP800_108KDF nistKdf = new NistSP800_108KDF(this); + // The kek session key does not call for derivation +@@ -488,11 +513,11 @@ public class SecureChannelProtocol { + + String finalKeyType = keyType; + +- SymmetricKey devSymKey = returnDeveloperSymKey(token, finalKeyType, keySet, devKeyArray); ++ SymmetricKey devSymKey = returnDeveloperSymKey(token, finalKeyType, keySet, devKeyArray,"DES3"); + + // Create the auth with is the same as enc, might need it 
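Review bot: In the `@@ -297,22 +300,31 @@` hunk an AES developer key short-circuits to `divKey = devSymKey` whenever `devKeyType` is AES, even when `diversVer1Keys` is `emv` or `visa2`, so the `keyDiversified` value computed just above is silently discarded and the configured diversification never happens; the `else` branch's `Invalid devolper key type` exception is unreachable for AES because of that first condition. If AES diversification is unsupported, rejecting the combination is the safer contract: `if (noDivers) { divKey = devSymKey; } else if (GPParams.DES3.equalsIgnoreCase(devKeyType)) { divKey = standard.computeCardKey_SCP03_WithDES3(devSymKey, keyDiversified, token); } else { throw new EBaseException(method + " diversification not supported for developer key type: " + devKeyType); }`. As written, a deployment with an AES developer key appears to give every card the same static key while its configuration claims per-card diversification. The enclosing method starts before this hunk.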
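Review bot: The master-key case in the `@@ -338,22 +350,35 @@` hunk still computes `keyDiversified` for `emv`/`visa2`, but when `masterKeyType` is AES it sets `divKey = masterKey` and never uses it, so with an AES master key every card's static key appears to be the undiversified master key regardless of `tks.defKeySet.prot3.divers`. Holding the static keys of any one such token would then be equivalent to holding the TKS master key for the whole fleet, which is precisely what per-card diversification exists to prevent; if the G&D Smart Cafe 7 genuinely requires this, the CS.cfg comment should say so and the code should refuse a contradictory configuration rather than ignore it, e.g. `if (GPParams.AES.equalsIgnoreCase(masterKeyType) && !params.isDiversNone()) throw new EBaseException(method + " diversification is not supported with an AES master key");`. The enclosing method starts before this hunk.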
later. + if (keyType.equals(encType)) { +- returnDeveloperSymKey(token, authType, keySet, devKeyArray); ++ returnDeveloperSymKey(token, authType, keySet, devKeyArray,"DES3"); + } + + if (noDerive == true) { +@@ -672,14 +697,25 @@ public class SecureChannelProtocol { + From that point it is a simple matter of retrieving the desired key from the token. + No security advantage is implied or desired here. + */ +- public SymmetricKey returnDeveloperSymKey(CryptoToken token, String keyType, String keySet, byte[] inputKeyArray) ++ public SymmetricKey returnDeveloperSymKey(CryptoToken token, String keyType, String keySet, byte[] inputKeyArray, String keyAlg) + throws EBaseException { + + SymmetricKey devKey = null; + + String method = "SecureChannelProtocol.returnDeveloperSymKey:"; + +- String devKeyName = keySet + "-" + keyType + "Key"; ++ boolean isAES = false; ++ String finalAlg = null; ++ if(keyAlg == null) { ++ finalAlg = "DES3"; ++ } ++ ++ if(keyAlg.equalsIgnoreCase("AES")) { ++ isAES = true; ++ finalAlg = "AES"; ++ } ++ ++ String devKeyName = keySet + "-" + keyType + "Key" + "-" + finalAlg; + CMS.debug(method + " entering.. 
searching for key: " + devKeyName); + + if (token == null || keyType == null || keySet == null) { +@@ -706,22 +742,31 @@ public class SecureChannelProtocol { + + CMS.debug(method + " inputKeyArray.length: " + inputLen); + +- if (inputLen != DES3_LENGTH && inputLen != DES2_LENGTH) { +- throw new EBaseException(method + "invalid input key length!"); +- } ++ if (!isAES) { ++ if (inputLen != DES3_LENGTH && inputLen != DES2_LENGTH) { ++ throw new EBaseException(method + "invalid input key length!"); ++ } ++ ++ if (inputLen == DES2_LENGTH) { ++ des3InputKey = new byte[DES3_LENGTH]; ++ System.arraycopy(inputKeyArray, 0, des3InputKey, 0, DES2_LENGTH); ++ System.arraycopy(inputKeyArray, 0, des3InputKey, DES2_LENGTH, EIGHT_BYTES); ++ ++ } else { ++ System.arraycopy(inputKeyArray, 0, des3InputKey, 0, DES3_LENGTH); ++ } ++ ++ SecureChannelProtocol.debugByteArray(des3InputKey, "Developer key to import: " + keyType + ": "); + +- if (inputLen == DES2_LENGTH) { +- des3InputKey = new byte[DES3_LENGTH]; +- System.arraycopy(inputKeyArray, 0, des3InputKey, 0, DES2_LENGTH); +- System.arraycopy(inputKeyArray, 0, des3InputKey, DES2_LENGTH, EIGHT_BYTES); ++ devKey = unwrapSymKeyOnToken(token, des3InputKey, true); + + } else { +- System.arraycopy(inputKeyArray, 0, des3InputKey, 0, DES3_LENGTH); +- } + +- SecureChannelProtocol.debugByteArray(des3InputKey, "Developer key to import: " + keyType + ": "); ++ if(inputLen == DEF_AES_KEYLENGTH) { // support 128 bits for now ++ devKey = unwrapAESSymKeyOnToken(token, inputKeyArray, true); ++ } ++ } + +- devKey = unwrapSymKeyOnToken(token, des3InputKey, true); + devKey.setNickName(devKeyName); + } else { + CMS.debug(method + " Found sym key: " + devKeyName); +@@ -1823,9 +1868,9 @@ public class SecureChannelProtocol { + //This is the case where we revert to the original developer key set or key set 1 + if (protocol == PROTOCOL_ONE) { + CMS.debug(method + " Special case returning to the dev key set (1) for DiversifyKey, protocol 1!"); +- encKey = 
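Review bot: In `returnDeveloperSymKey` (hunk `@@ -672,14 +697,25 @@`) the new `keyAlg` handling dereferences a null argument: `if(keyAlg == null) { finalAlg = "DES3"; }` is immediately followed by `keyAlg.equalsIgnoreCase("AES")`, which throws NullPointerException in exactly the case the first check was meant to cover, and for a `"DES3"` argument `finalAlg` is never assigned, so the nickname becomes `<keySet>-<keyType>Key-null`. Replacing the two `if`s with `boolean isAES = "AES".equalsIgnoreCase(keyAlg);` and `String finalAlg = isAES ? "AES" : "DES3";` handles null, DES3 and AES consistently and gives DES3 keys a stable nickname. The method continues past the end of this hunk.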
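Review bot: In the AES branch of `returnDeveloperSymKey` (hunk `@@ -706,22 +742,31 @@`) `devKey` is only assigned when `inputLen == DEF_AES_KEYLENGTH`; for any other length the method falls through to `devKey.setNickName(devKeyName)` with a null `devKey` and dies with a NullPointerException instead of the `invalid input key length!` EBaseException the DES3 branch raises. Adding `else { throw new EBaseException(method + "invalid input key length!"); }` after the AES unwrap keeps the two branches consistent. Separately, the `debugByteArray(des3InputKey, "Developer key to import: ...")` call on the new side writes the raw developer key bytes to the debug log; it is carried over from the old code, but a key-import path is where that should be removed or put behind an explicit, default-off flag. The method continues past this hunk.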
returnDeveloperSymKey(newToken, SecureChannelProtocol.encType, keySet, null); +- macKey = returnDeveloperSymKey(newToken, SecureChannelProtocol.macType, keySet, null); +- kekKey = returnDeveloperSymKey(newToken, SecureChannelProtocol.kekType, keySet, null); ++ encKey = returnDeveloperSymKey(newToken, SecureChannelProtocol.encType, keySet, null,"DES3"); ++ macKey = returnDeveloperSymKey(newToken, SecureChannelProtocol.macType, keySet, null,"DES3"); ++ kekKey = returnDeveloperSymKey(newToken, SecureChannelProtocol.kekType, keySet, null,"DES3"); + } else if (protocol == PROTOCOL_THREE) { + CMS.debug(method + " Special case or returning to the dev key set (or ver 1) for DiversifyKey, protocol 3!"); + encKey = this.computeSessionKey_SCP03(tokenName, newMasterKeyName, newKeyInfo, +@@ -1920,7 +1965,15 @@ public class SecureChannelProtocol { + + CMS.debug(method + " old kek sym key is null"); + +- old_kek_sym_key = returnDeveloperSymKey(token, SecureChannelProtocol.kekType, keySet, kekKeyArray); ++ String devKeyType = null; ++ ++ if(protocol == PROTOCOL_THREE) { ++ devKeyType = params.getDevKeyType(); ++ } else { ++ devKeyType = "DES3"; ++ } ++ ++ old_kek_sym_key = returnDeveloperSymKey(token, SecureChannelProtocol.kekType, keySet, kekKeyArray, devKeyType); + + output = createKeySetDataWithSymKeys(newKeyVersion, (byte[]) null, + old_kek_sym_key, +@@ -2070,7 +2123,7 @@ public class SecureChannelProtocol { + throw new EBaseException(method + " Can't compose final output byte array!"); + } + +- //SecureChannelProtocol.debugByteArray(output, " Final output to createKeySetData: "); ++ SecureChannelProtocol.debugByteArray(output, " Final output to createKeySetData: "); + CMS.debug(method + " returning output"); + + return output; +diff --git a/base/server/cms/src/com/netscape/cms/servlet/tks/TokenServlet.java b/base/server/cms/src/com/netscape/cms/servlet/tks/TokenServlet.java +index 3915b73..1377055 100644 +--- 
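Review bot: Re-enabling `SecureChannelProtocol.debugByteArray(output, " Final output to createKeySetData: ")` in the `@@ -2070,7 +2123,7 @@` hunk dumps the complete key-set data block (judging by the visible `createKeySetDataWithSymKeys(newKeyVersion, ..., old_kek_sym_key, ...)` call, the new card keys wrapped under the old KEK plus their check values) into the CMS debug log on every key changeover, which is presumably why the line had been commented out. Debug logs get attached to bug reports and retained far longer than the keys they would now contain, so this should go back to being commented out, or at most sit behind a dedicated config flag; the `CMS.debug(method + " returning output")` line already records that the step completed. The enclosing method starts before this hunk.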
a/base/server/cms/src/com/netscape/cms/servlet/tks/TokenServlet.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/tks/TokenServlet.java +@@ -3184,6 +3184,26 @@ public class TokenServlet extends CMSServlet { + params.setVersion1DiversificationScheme(diversVer1Keys); + CMS.debug(method + " Version 1 keys Divers: " + divers); + ++ String keyType = null; ++ try { ++ keyType = CMS.getConfigStore().getString(gp3Settings + ".devKeyType","DES3"); ++ } catch (EBaseException e) { ++ } ++ ++ CMS.debug(method + " devKeyType: " + keyType); ++ ++ params.setDevKeyType(keyType); ++ ++ try { ++ keyType = CMS.getConfigStore().getString(gp3Settings + ".masterKeyType","DES3"); ++ } catch (EBaseException e) { ++ } ++ ++ params.setMasterKeyType(keyType); ++ ++ CMS.debug(method + " masterKeyType: " + keyType); ++ ++ + return params; + } + +diff --git a/base/tks/shared/conf/CS.cfg b/base/tks/shared/conf/CS.cfg +index 0eea3e9..45716d2 100644 +--- a/base/tks/shared/conf/CS.cfg ++++ b/base/tks/shared/conf/CS.cfg +@@ -340,11 +340,35 @@ tks.defKeySet._001=## Axalto default key set: + tks.defKeySet._002=## + tks.defKeySet._003=## tks.defKeySet.mk_mappings.#02#01=: + tks.defKeySet._004=## ++tks.defKeySet._005=## tks.prot3 , protocol 3 specific settings ++tks.defKeySet._006=## divers= emv,visa2 : Values for the master key case, or > version one. ++tks.defKeySet._007=## diversVer1 = emv,visa2, or none. This is for developer or version one keyset ++tks.defKeySet._008=## devKeyType = DES3or AES. This is for the key type of developer or version one keys. ++tks.defKeySet._009=## masterKeyType = DES3 or AES. This is for the type of key for the master key. 
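Review bot: In the `@@ -3184,6 +3184,26 @@` hunk the same `keyType` local is reused for both lookups and both `catch (EBaseException e) {}` blocks are empty, so if `getString(gp3Settings + ".masterKeyType", "DES3")` throws, `params.setMasterKeyType(keyType)` silently receives the developer key type read a few lines earlier rather than the DES3 default, and nothing is logged. Use a second variable and log the failure: `String masterKeyType = "DES3"; try { masterKeyType = CMS.getConfigStore().getString(gp3Settings + ".masterKeyType", "DES3"); } catch (EBaseException e) { CMS.debug(method + " masterKeyType lookup failed, defaulting to DES3: " + e); }`. Neither value is checked against the two accepted strings here, so a typo in CS.cfg is only discovered deep inside SecureChannelProtocol. The enclosing method starts before this hunk.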
++tks.defKeySet._010=## ++tks.defKeySet._011=## Only supports two tokens now: G&D Smart Cafe 6 and Smart Cafe 7, use these exact settings ++tks.defKeySet._013=## Smart Cafe 6 settings: ++tks.defKeySet._014=## tks.defKeySet.prot3.divers=emv ++tks.defKeySet._015=## tks.defKeySet.prot3.diversVer1Keys=emv ++tks.defKeySet._016=## tks.defKeySet.prot3.devKeyType=DES3 ++tks.defKeySet._017=## tks.defKeySet.prot3.masterKeyType=DES3 ++tks.defKeySet._018=##Smart Cafe 7 settings: ++tks.defKeySet._019=## tks.defKeySet.prot3.divers=none ++tks.defKeySet._020=## tks.defKeySet.prot3.diversVer1Keys=none ++tks.defKeySet._021=## tks.defKeySet.prot3.devKeyType=AES ++tks.defKeySet._022=## tks.defKeySet.prot3.masterKeyType=AES ++tks.defKeySet._023=## ++tks.defKeySet._024=## + tks.defKeySet.auth_key=#40#41#42#43#44#45#46#47#48#49#4a#4b#4c#4d#4e#4f + tks.defKeySet.mac_key=#40#41#42#43#44#45#46#47#48#49#4a#4b#4c#4d#4e#4f + tks.defKeySet.kek_key=#40#41#42#43#44#45#46#47#48#49#4a#4b#4c#4d#4e#4f + tks.defKeySet.nistSP800-108KdfOnKeyVersion=00 + tks.defKeySet.nistSP800-108KdfUseCuidAsKdd=false ++tks.defKeySet.prot3.divers=emv ++tks.defKeySet.prot3.diversVer1Keys=emv ++tks.defKeySet.prot3.devKeyType=DES3 ++tks.defKeySet.prot3.masterKeyType=DES3 ++ + tks.jForte._000=## + tks.jForte._001=## SAFLink's jForte default key set: + tks.jForte._002=## +diff --git a/base/tps/shared/conf/CS.cfg b/base/tps/shared/conf/CS.cfg +index 8d667f5..2d9057a 100644 +--- a/base/tps/shared/conf/CS.cfg ++++ b/base/tps/shared/conf/CS.cfg +@@ -10,7 +10,7 @@ applet._001=# applet information + applet._002=# SAF Key: + applet._003=# applet.aid.cardmgr_instance=A0000001510000 + applet._004=# Stock RSA,KeyRecover applet : 1.4.58768072.ijc +-applet._005=# Beta RSA/KeyRecovery/GP211/SCP02 applet : 1.5.558cdcff.ijc ++applet._005=# RSA/KeyRecovery/GP211/SCP02, SCP03 applet : 1.5.558cdcff.ijc + applet._006=# Use GP211 applet only with SCP02 card + applet._007=######################################### + 
applet.aid.cardmgr_instance=A0000000030000
+--
+1.8.3.1
+
+
+From 7672b543f8c62da34f0bb11be17d5e6d336cb2da Mon Sep 17 00:00:00 2001
+From: Ade Lee
+Date: Tue, 11 Apr 2017 23:04:34 -0400
+Subject: [PATCH 53/59] Fix python issues identified in review
+
+subprocess returns bytes in Python 3. Make sure to
+decode first when returning env variables.
+
+Change-Id: I225044c0463f0a84ac5ffb77b28391fac269598d
+---
+ base/common/python/pki/util.py | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/base/common/python/pki/util.py b/base/common/python/pki/util.py
+index 0de13fd..5832f55 100644
+--- a/base/common/python/pki/util.py
++++ b/base/common/python/pki/util.py
+@@ -258,10 +258,9 @@ def read_environment_files(env_file_list=None):
+ if env_file_list is None:
+ env_file_list = DEFAULT_PKI_ENV_LIST
+
+- file_command = ''
+- for env_file in env_file_list:
+- file_command += "source " + env_file + " && "
+- file_command += "env"
++ file_command = ' && '.join(
++ 'source {}'.format(env_file) for env_file in env_file_list)
++ file_command += ' && env'
+
+ command = [
+ 'bash',
+@@ -269,7 +268,7 @@ def read_environment_files(env_file_list=None):
+ file_command
+ ]
+
+- env_vals = subprocess.check_output(command).split('\n')
++ env_vals = subprocess.check_output(command).decode('utf-8').split('\n')
+
+ for env_val in env_vals:
+ (key, _, value) = env_val.partition("=")
+--
+1.8.3.1
+
+
+From af1ad849c62fb76915142796ead7677abd5896f3 Mon Sep 17 00:00:00 2001
+From: Christian Heimes
+Date: Tue, 11 Apr 2017 09:28:15 +0200
+Subject: [PATCH 54/59] Add Travis CI to compose core RPM packages
+
+The command "./scripts/compose_pki_core_packages rpms" is tested on
+Fedora 25, 26 and rawhide. On 25 and 26, the COPR @pki/10.4 is enabled
+to provide additional build dependencies.
+
+Travis Ci is configured to use pre-populated Docker images from
+https://github.com/dogtagpki/pki-ci-containers . The images contain
+build dependencies.
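Review bot: `'source {}'.format(env_file)` in the `@@ -258,10 +258,9 @@` hunk splices each path unquoted into a string that the surrounding code passes to a `bash` command line (the `command = ['bash', ...]` list), so a path containing spaces or shell metacharacters is word-split or interpreted rather than sourced; `env_file_list` is a caller-supplied parameter, not only the fixed `DEFAULT_PKI_ENV_LIST`. Quoting each element, `'source {}'.format(shlex.quote(env_file))` (stdlib `shlex`; `pipes.quote` on Python 2, which this six-based module presumably still supports), keeps the single-argument semantics the old string concatenation also lacked. `read_environment_files` starts and ends outside this hunk.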
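Review bot: `.decode('utf-8')` in the `@@ -269,7 +268,7 @@` hunk raises `UnicodeDecodeError` if any sourced environment file exports a non-UTF-8 value, turning one odd variable into a failure of the whole `read_environment_files` call where before it merely produced a wrong entry. `subprocess.check_output(command, universal_newlines=True)` decodes with the locale encoding and normalises line endings, or keep the explicit decode with `errors='replace'` so parsing survives. The loop below still splits on `\n`, so a multi-line exported value is mis-parsed either way; that is pre-existing and outside this hunk.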
+
+Signed-off-by: Christian Heimes
+---
+ .travis.test | 31 +++++++++++++++++++++++++++++++
+ .travis.yml | 20 ++++++++++++++++++++
+ 2 files changed, 51 insertions(+)
+ create mode 100755 .travis.test
+ create mode 100644 .travis.yml
+
+diff --git a/.travis.test b/.travis.test
+new file mode 100755
+index 0000000..ca81022
+--- /dev/null
++++ b/.travis.test
+@@ -0,0 +1,31 @@
++#!/bin/bash
++set -ex
++
++WORKDIR="${BUILDDIR:-/tmp/builddir}"
++BUILDUSER=builduser
++BUILDUSER_UID=${UID:-1000}
++BUILDUSER_GID=${GID:-1000}
++
++. /etc/os-release
++
++echo "$NAME $VERSION $1"
++
++## compose_pki_core_packages doesn't run as root, create a build user
++groupadd --non-unique -g $BUILDUSER_GID ${BUILDUSER}
++useradd --non-unique -u $BUILDUSER_UID -g $BUILDUSER_GID ${BUILDUSER}
++
++## chown workdir and enter pki dir
++chown ${BUILDUSER}:${BUILDUSER} ${WORKDIR}
++cd ${WORKDIR}/pki
++
++## prepare additional build dependencies
++dnf copr -y enable @pki/10.4
++dnf builddep -y ./specs/pki-core.spec
++
++# update, container might be outdated
++dnf update -y
++
++## run tox and build
++# run make with --quiet to reduce log verbosity. Travis CI has a log limit
++# of 10,000 lines.
++sudo -u ${BUILDUSER} MAKEFLAGS="-j2 --quiet" -s -- ./scripts/compose_pki_core_packages rpms
+diff --git a/.travis.yml b/.travis.yml
+new file mode 100644
+index 0000000..2e1a69f
+--- /dev/null
++++ b/.travis.yml
+@@ -0,0 +1,20 @@
++sudo: required
++language: python
++
++services:
++ - docker
++
++env:
++ - CONTAINER=dogtagpki/pki-ci-containers:f25_104
++ - CONTAINER=dogtagpki/pki-ci-containers:f26_104
++ - CONTAINER=dogtagpki/pki-ci-containers:rawhide
++
++script:
++ - docker pull $CONTAINER
++ - >
++ docker run
++ -v $(pwd):/tmp/workdir/pki
++ -e UID=$(id -u)
++ -e GID=$(id -g)
++ $CONTAINER
++ /tmp/workdir/pki/.travis.test $CONTAINER
+--
+1.8.3.1
+
+
+From c381566ddf1f4f05330063bb012d59e5c1753b13 Mon Sep 17 00:00:00 2001
+From: "Endi S.
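Review bot: `BUILDUSER_UID=${UID:-1000}` in `.travis.test` most likely never sees the `-e UID=$(id -u)` that `.travis.yml` passes in: bash initialises `UID` itself from getuid() at startup as a read-only variable rather than importing it from the environment, so in a container started as root the script gets `UID=0`, `useradd --non-unique -u 0 ... builduser` creates a second uid-0 account and the `sudo -u ${BUILDUSER}` build still runs as root, defeating the stated reason for creating the user (`GID` is not a bash builtin, so that one does pass through). Renaming on both sides, `BUILDUSER_UID=${BUILD_UID:-1000}` / `BUILDUSER_GID=${BUILD_GID:-1000}` here and `-e BUILD_UID=$(id -u) -e BUILD_GID=$(id -g)` in `.travis.yml`, makes the privilege drop real; please verify against the bash manual for the shell in the image. Separately, `dnf update -y` against moving repositories inside the job means the environment differs between runs, which is acceptable for a smoke build but should be stated in the script comment.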
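Review bot: The `CONTAINER` images in `.travis.yml` are referenced by mutable tags (`f25_104`, `f26_104`, `rawhide`), so a change pushed to `dogtagpki/pki-ci-containers` alters what every later CI run executes with no change in this repository, and `docker pull $CONTAINER` leaves no record of which image a failing run used. Pinning by digest (`dogtagpki/pki-ci-containers@sha256:...`) for the Fedora 25/26 images, or at least logging `docker inspect --format '{{.Id}}' $CONTAINER` before `docker run`, makes results attributable; `rawhide` is a deliberate moving target and can stay as is with a comment saying so.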
Dewata" +Date: Thu, 13 Apr 2017 08:13:26 +0200 +Subject: [PATCH 55/59] Fixed ClientIP field in SSL session audit log. + +The PKIServerSocketListener has been fixed to obtain the correct +client IP address from SSL socket. + +https://pagure.io/dogtagpki/issue/2602 + +Change-Id: I7d3b2dc14d6f442830ee5911613a0e9fc360cfba +--- + .../cms/src/org/dogtagpki/server/PKIServerSocketListener.java | 11 +++-------- + 1 file changed, 3 insertions(+), 8 deletions(-) + +diff --git a/base/server/cms/src/org/dogtagpki/server/PKIServerSocketListener.java b/base/server/cms/src/org/dogtagpki/server/PKIServerSocketListener.java +index 7016bc8..093776f 100644 +--- a/base/server/cms/src/org/dogtagpki/server/PKIServerSocketListener.java ++++ b/base/server/cms/src/org/dogtagpki/server/PKIServerSocketListener.java +@@ -18,8 +18,6 @@ + package org.dogtagpki.server; + + import java.net.InetAddress; +-import java.net.InetSocketAddress; +-import java.net.SocketAddress; + import java.security.Principal; + + import org.mozilla.jss.crypto.X509Certificate; +@@ -45,8 +43,7 @@ public class PKIServerSocketListener implements SSLSocketListener { + try { + SSLSocket socket = event.getSocket(); + +- SocketAddress remoteSocketAddress = socket.getRemoteSocketAddress(); +- InetAddress clientAddress = remoteSocketAddress == null ? null : ((InetSocketAddress)remoteSocketAddress).getAddress(); ++ InetAddress clientAddress = socket.getInetAddress(); + InetAddress serverAddress = socket.getLocalAddress(); + String clientIP = clientAddress == null ? "" : clientAddress.getHostAddress(); + String serverIP = serverAddress == null ? "" : serverAddress.getHostAddress(); +@@ -85,8 +82,7 @@ public class PKIServerSocketListener implements SSLSocketListener { + try { + SSLSocket socket = event.getSocket(); + +- SocketAddress remoteSocketAddress = socket.getRemoteSocketAddress(); +- InetAddress clientAddress = remoteSocketAddress == null ? 
null : ((InetSocketAddress)remoteSocketAddress).getAddress();
++ InetAddress clientAddress = socket.getInetAddress();
+ InetAddress serverAddress = socket.getLocalAddress();
+ String clientIP = clientAddress == null ? "" : clientAddress.getHostAddress();
+ String serverIP = serverAddress == null ? "" : serverAddress.getHostAddress();
+@@ -139,8 +135,7 @@ public class PKIServerSocketListener implements SSLSocketListener {
+ try {
+ SSLSocket socket = event.getSocket();
+
+- SocketAddress remoteSocketAddress = socket.getRemoteSocketAddress();
+- InetAddress clientAddress = remoteSocketAddress == null ? null : ((InetSocketAddress)remoteSocketAddress).getAddress();
++ InetAddress clientAddress = socket.getInetAddress();
+ InetAddress serverAddress = socket.getLocalAddress();
+ String clientIP = clientAddress == null ? "" : clientAddress.getHostAddress();
+ String serverIP = serverAddress == null ? "" : serverAddress.getHostAddress();
+--
+1.8.3.1
+
+
+From 716dca464943a22eb6588187fba9fad85e1c1345 Mon Sep 17 00:00:00 2001
+From: Ade Lee
+Date: Thu, 6 Apr 2017 17:09:39 -0400
+Subject: [PATCH 56/59] Fix symkey retrieval in python client
+
+Keys (like symmetric keys and asymmetric keys) are returned
+from the KRA either encrypted or key wrapped. Because the
+AES keywrapping algorithm cannot be decrypted using AES CBC,
+we need special logic to unwrap the keys.
+
+The flow here is as follows:
+1. When a key retrieval request is sent to the server,
+ the client sends the encryption and key wrapping
+ algorithms it requires the key to be wrapped along
+ with the wrapping key.
+2. If no encryption algorithm or key wrap algorithm is
+ recieved, the server assumes its talking to an old
+ client and uses DES3.
+3. The key is retrieved and (on server's choice) is wrapped
+ or encrypted. The return package will have either
+ encryption or key wrap algorithm set (depending on how
+ the key was encrypted/wrapped.)
+4. client uses that to determine how to unwrap key.
+ +This patch: +1. Makes sure the key wrap algorithm requested by client + is passed through and used to wrap the retrieved key. +2. Adds logic in the python client to unwrap/decrypt. +3. As python-cryptography does not yet support + AES KeyWrap with padding, the python client is configured + to request AES-CBC by default. + +Change-Id: I4ba219bade821249b81e4e9a088959c27827ece1 +--- + base/common/python/pki/crypto.py | 51 +++++++++++++- + base/common/python/pki/key.py | 56 ++++++++++++--- + .../src/com/netscape/certsrv/key/KeyClient.java | 4 ++ + .../com/netscape/kra/SecurityDataProcessor.java | 79 ++++++++++++++++++---- + .../netscape/cms/servlet/key/KeyRequestDAO.java | 9 +++ + 5 files changed, 173 insertions(+), 26 deletions(-) + +diff --git a/base/common/python/pki/crypto.py b/base/common/python/pki/crypto.py +index b767abd..0891acd 100644 +--- a/base/common/python/pki/crypto.py ++++ b/base/common/python/pki/crypto.py +@@ -34,10 +34,21 @@ from cryptography.hazmat.backends import default_backend + from cryptography.hazmat.primitives.ciphers import ( + Cipher, algorithms, modes + ) ++from cryptography.hazmat.primitives import keywrap + from cryptography.hazmat.primitives import padding + from cryptography.hazmat.primitives.asymmetric.padding import PKCS1v15 + import cryptography.x509 + ++# encryption algorithms OIDs ++DES_EDE3_CBC_OID = "{1 2 840 113549 3 7}" ++AES_128_CBC_OID = "{2 16 840 1 101 3 4 1 2}" ++ ++# Wrap Algorithm names as defined by JSS. ++WRAP_AES_CBC_PAD = "AES/CBC/PKCS5Padding" ++WRAP_AES_KEY_WRAP = "AES KeyWrap" ++WRAP_AES_KEY_WRAP_PAD = "AES KeyWrap/Padding" ++WRAP_DES3_CBC_PAD = "DES3/CBC/Pad" ++ + + class CryptoProvider(six.with_metaclass(abc.ABCMeta, object)): + """ +@@ -96,7 +107,11 @@ class CryptoProvider(six.with_metaclass(abc.ABCMeta, object)): + DES3 key. 
+ """ + +- # abc.abstractmethod ++ @abc.abstractmethod ++ def key_unwrap(self, mechanism, data, wrapping_key, nonce_iv): ++ """ Unwrap data that has been key wrapped using AES KeyWrap """ ++ ++ @abc.abstractmethod + def get_cert(self, cert_nick): + """ Get the certificate for the specified cert_nick. """ + +@@ -302,6 +317,18 @@ class NSSCryptoProvider(CryptoProvider): + public_key = wrapping_cert.subject_public_key_info.public_key + return nss.pub_wrap_sym_key(mechanism, public_key, data) + ++ def key_unwrap(self, mechanism, data, wrapping_key, nonce_iv): ++ """ ++ :param mechanism Key wrapping mechanism ++ :param data: Data to be unwrapped ++ :param wrapping_key: Wrapping Key ++ :param nonce_iv Nonce data ++ :return: Unwrapped data ++ ++ Return unwrapped data for data wrapped using AES KeyWrap ++ """ ++ raise NotImplementedError() ++ + def get_cert(self, cert_nick): + """ + :param cert_nick Nickname for the certificate to be returned +@@ -461,6 +488,28 @@ class CryptographyCryptoProvider(CryptoProvider): + PKCS1v15() + ) + ++ def key_unwrap(self, mechanism, data, wrapping_key, nonce_iv): ++ """ ++ :param mechanism key wrapping mechanism ++ :param data: data to unwrap ++ :param wrapping_key: AES key used to wrap data ++ :param nonce_iv Nonce data ++ :return: unwrapped data ++ ++ Unwrap the encrypted data which has been wrapped using a ++ KeyWrap mechanism. ++ """ ++ if mechanism == WRAP_AES_CBC_PAD or mechanism == WRAP_DES3_CBC_PAD: ++ return self.symmetric_unwrap( ++ data, ++ wrapping_key, ++ nonce_iv=nonce_iv) ++ ++ if mechanism == WRAP_AES_KEY_WRAP: ++ return keywrap.aes_key_unwrap(wrapping_key, data, self.backend) ++ ++ raise ValueError("Unsupported key wrap algorithm: " + mechanism) ++ + def get_cert(self, cert_nick): + """ + :param cert_nick Nickname for the certificate to be returned. 
+diff --git a/base/common/python/pki/key.py b/base/common/python/pki/key.py +index 6c5641a..e782d54 100644 +--- a/base/common/python/pki/key.py ++++ b/base/common/python/pki/key.py +@@ -33,6 +33,7 @@ from six import iteritems + from six.moves.urllib.parse import quote # pylint: disable=F0401,E0611 + + import pki ++import pki.crypto + import pki.encoder as encoder + from pki.info import Version + import pki.util +@@ -459,10 +460,6 @@ class KeyClient(object): + RSA_ALGORITHM = "RSA" + DSA_ALGORITHM = "DSA" + +- # default session key wrapping algorithm +- DES_EDE3_CBC_OID = "{1 2 840 113549 3 7}" +- AES_128_CBC_OID = "{2 16 840 1 101 3 4 1 2}" +- + def __init__(self, connection, crypto, transport_cert_nick=None, + info_client=None): + """ Constructor """ +@@ -481,6 +478,7 @@ class KeyClient(object): + + self.info_client = info_client + self.encrypt_alg_oid = None ++ self.wrap_name = None + self.set_crypto_algorithms() + + def set_transport_cert(self, transport_cert_nick): +@@ -502,9 +500,14 @@ class KeyClient(object): + + # set keyset related constants needed in KeyClient + if keyset_id == 0: +- self.encrypt_alg_oid = self.DES_EDE3_CBC_OID ++ self.encrypt_alg_oid = pki.crypto.DES_EDE3_CBC_OID ++ self.wrap_name = pki.crypto.WRAP_DES3_CBC_PAD + else: +- self.encrypt_alg_oid = self.AES_128_CBC_OID ++ self.encrypt_alg_oid = pki.crypto.AES_128_CBC_OID ++ # Note: AES_KEY_WRAP_PAD is not yet supported by ++ # python cryptography. 
Therefore we will default ++ # to AES_CBC_PAD instead ++ self.wrap_name = pki.crypto.WRAP_AES_CBC_PAD + + def get_client_keyset(self): + # get client keyset +@@ -847,7 +850,7 @@ class KeyClient(object): + raise TypeError('Missing wrapped session key') + + if not algorithm_oid: +- algorithm_oid = KeyClient.AES_128_CBC_OID ++ algorithm_oid = pki.crypto.AES_128_CBC_OID + # algorithm_oid = KeyClient.DES_EDE3_CBC_OID + + if not nonce_iv: +@@ -1015,16 +1018,47 @@ class KeyClient(object): + request_id=request_id, + trans_wrapped_session_key=base64.b64encode( + trans_wrapped_session_key), +- payload_encryption_oid=self.encrypt_alg_oid ++ payload_encryption_oid=self.encrypt_alg_oid, ++ payload_wrapping_name=self.wrap_name + ) + + key = self.retrieve_key_data(request) + if not key_provided and key.encrypted_data is not None: +- key.data = self.crypto.symmetric_unwrap( ++ self.process_returned_key(key, session_key) ++ return key ++ ++ @pki.handle_exceptions() ++ def process_returned_key(self, key, session_key): ++ """ ++ Decrypt the returned key and place in key.data ++ ++ The data will either by encrypted using an encryption algorithm - ++ in which case, the key data will contain an encryption algorithm OID, ++ or it will be key wrapped - in which case, the key data will contain ++ a key wrap mechanism name. ++ ++ Only one of these should be present. If we are talking to an older ++ server, and none is present, we will assume encryption. 
++ """ ++ if key.wrap_algorithm is not None: ++ if key.encrypt_algorithm_oid is not None: ++ raise ValueError( ++ "Both encryptOID and wrapping name have been set " + ++ "in server response" ++ ) ++ # do key unwrapping here ++ key.data = self.crypto.key_unwrap( ++ key.wrap_algorithm, + key.encrypted_data, + session_key, +- nonce_iv=key.nonce_data) +- return key ++ key.nonce_data) ++ return ++ ++ # do decryption ++ key.data = self.crypto.symmetric_unwrap( ++ key.encrypted_data, ++ session_key, ++ nonce_iv=key.nonce_data) + + @pki.handle_exceptions() + def retrieve_key_by_passphrase(self, key_id=None, request_id=None, +diff --git a/base/common/src/com/netscape/certsrv/key/KeyClient.java b/base/common/src/com/netscape/certsrv/key/KeyClient.java +index dea44b1..2c99e1c 100644 +--- a/base/common/src/com/netscape/certsrv/key/KeyClient.java ++++ b/base/common/src/com/netscape/certsrv/key/KeyClient.java +@@ -465,6 +465,7 @@ public class KeyClient extends Client { + recoveryRequest.setRequestId(requestId); + recoveryRequest.setTransWrappedSessionKey(Utils.base64encode(transWrappedSessionKey)); + recoveryRequest.setPayloadEncryptionOID(getEncryptAlgorithmOID()); ++ recoveryRequest.setPayloadWrappingName(wrapAlgorithm.toString()); + + Key data = retrieveKeyData(recoveryRequest); + processKeyData(data, sessionKey); +@@ -503,6 +504,7 @@ public class KeyClient extends Client { + recoveryRequest.setKeyId(keyId); + recoveryRequest.setTransWrappedSessionKey(Utils.base64encode(transWrappedSessionKey)); + recoveryRequest.setPayloadEncryptionOID(getEncryptAlgorithmOID()); ++ recoveryRequest.setPayloadWrappingName(wrapAlgorithm.toString()); + + return retrieveKeyData(recoveryRequest); + } +@@ -562,6 +564,7 @@ public class KeyClient extends Client { + data.setSessionWrappedPassphrase(Utils.base64encode(sessionWrappedPassphrase)); + data.setNonceData(Utils.base64encode(nonceData)); + data.setPayloadEncryptionOID(getEncryptAlgorithmOID()); ++ 
data.setPayloadWrappingName(wrapAlgorithm.toString()); + + return retrieveKeyData(data); + } +@@ -610,6 +613,7 @@ public class KeyClient extends Client { + data.setKeyId(keyId); + data.setRequestId(requestId); + data.setPayloadEncryptionOID(getEncryptAlgorithmOID()); ++ data.setPayloadWrappingName(wrapAlgorithm.toString()); + + if (transWrappedSessionKey != null) { + data.setTransWrappedSessionKey(Utils.base64encode(transWrappedSessionKey)); +diff --git a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java +index 05dccb9..4659901 100644 +--- a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java ++++ b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java +@@ -402,26 +402,34 @@ public class SecurityDataProcessor { + String transportKeyAlgo = transportUnit.getCertificate().getPublicKey().getAlgorithm(); + + byte[] iv = null; ++ byte[] iv_wrap = null; + try { +- iv = generate_iv(payloadEncryptOID, transportUnit.getOldWrappingParams()); ++ iv = generate_iv( ++ payloadEncryptOID, ++ transportUnit.getOldWrappingParams().getPayloadEncryptionAlgorithm()); ++ iv_wrap = generate_wrap_iv( ++ payloadWrapName, ++ transportUnit.getOldWrappingParams().getPayloadWrapAlgorithm()); + } catch (Exception e1) { + throw new EBaseException("Failed to generate IV when wrapping secret", e1); + } +- String ivStr = Utils.base64encode(iv); ++ String ivStr = iv != null? Utils.base64encode(iv): null; ++ String ivStr_wrap = iv_wrap != null ? 
Utils.base64encode(iv_wrap): null; + + WrappingParams wrapParams = null; + if (payloadEncryptOID == null) { ++ // talking to an old server, use 3DES + wrapParams = transportUnit.getOldWrappingParams(); + wrapParams.setPayloadEncryptionIV(new IVParameterSpec(iv)); +- wrapParams.setPayloadWrappingIV(new IVParameterSpec(iv)); ++ wrapParams.setPayloadWrappingIV(new IVParameterSpec(iv_wrap)); + } else { + try { + wrapParams = new WrappingParams( + payloadEncryptOID, + payloadWrapName, + transportKeyAlgo, +- new IVParameterSpec(iv), +- null); ++ iv != null? new IVParameterSpec(iv): null, ++ iv_wrap != null? new IVParameterSpec(iv_wrap): null); + } catch (Exception e) { + auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, requestID, serialno.toString(), + "Cannot generate wrapping params"); +@@ -597,7 +605,7 @@ public class SecurityDataProcessor { + //secret has wrapped using a key wrapping algorithm + params.put(IRequest.SECURITY_DATA_PL_WRAPPED, Boolean.toString(true)); + if (wrapParams.getPayloadWrappingIV() != null) { +- params.put(IRequest.SECURITY_DATA_IV_STRING_OUT, ivStr); ++ params.put(IRequest.SECURITY_DATA_IV_STRING_OUT, ivStr_wrap); + } + } + +@@ -614,17 +622,60 @@ public class SecurityDataProcessor { + return false; //return true ? TODO + } + +- private byte[] generate_iv(String oid, WrappingParams old) throws Exception { ++ /*** ++ * This method returns an IV for the Encryption Algorithm referenced in OID. ++ * If the oid is null, we return an IV for the default encryption algorithm. ++ * The method checks to see if the encryption algorithm requires an IV by checking ++ * the parameterClasses() for the encryption algorithm. ++ * ++ * @param oid -- OID of encryption algorithm (as a string) ++ * @param defaultAlg -- default encryption algorithm ++ * @return -- initialization vector or null if none needed ++ * @throws Exception if algorithm is not found, or if default and OID are null. ++ * (ie. 
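Review bot: In the `payloadEncryptOID == null` branch, `new IVParameterSpec(iv)` and `new IVParameterSpec(iv_wrap)` are built unconditionally, while the `else` branch guards both with `iv != null ?` / `iv_wrap != null ?`; `generate_iv` and `generate_wrap_iv` now return null for algorithms without parameters, so the old-client branch can end up wrapping a null IV. Whether the old wrapping params (3DES per the new comment) can ever yield null is not visible here, but the two branches should agree: `wrapParams.setPayloadEncryptionIV(iv != null ? new IVParameterSpec(iv) : null);` and the same for `setPayloadWrappingIV`. The enclosing method starts and ends outside this hunk.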
algorithm is unknown) ++ */ ++ private byte[] generate_iv(String oid, EncryptionAlgorithm defaultAlg) throws Exception { + int numBytes = 0; +- if (oid != null) { +- numBytes = EncryptionAlgorithm.fromOID(new OBJECT_IDENTIFIER(oid)).getIVLength(); +- } else { +- // old client (OID not provided) +- numBytes = old.getPayloadEncryptionAlgorithm().getIVLength(); ++ EncryptionAlgorithm alg = oid != null? EncryptionAlgorithm.fromOID(new OBJECT_IDENTIFIER(oid)): ++ defaultAlg; ++ ++ if (alg == null) { ++ throw new EBaseException("Cannot determine encryption algorithm to generate IV"); ++ }; ++ ++ if (alg.getParameterClasses() == null) ++ return null; ++ ++ numBytes = alg.getIVLength(); ++ return (new SecureRandom()).generateSeed(numBytes); ++ } ++ ++ /*** ++ * This method returns an IV for the KeyWrap algorithm referenced in wrapName. ++ * If the wrapName is null, we return an IV for the default wrap algorithm. ++ * The method checks to see if the key wrap algorithm requires an IV by checking ++ * the parameterClasses() for the key wrap algorithm. ++ * ++ * @param wrapName -- name of the key wrap algorithm (as defined in JSS) ++ * @param defaultAlg -- default wrapping parameters ++ * @return -- initialization vector or null if none needed ++ * @throws Exception if algorithm is not found, or if default and OID are null. ++ * (ie. algorithm is unknown) ++ */ ++ private byte[] generate_wrap_iv(String wrapName, KeyWrapAlgorithm defaultAlg) throws Exception { ++ int numBytes = 0; ++ KeyWrapAlgorithm alg = wrapName != null ? 
KeyWrapAlgorithm.fromString(wrapName) : ++ defaultAlg; ++ ++ if (alg == null) { ++ throw new EBaseException("Cannot determine keywrap algorithm to generate IV"); + } + +- SecureRandom rnd = new SecureRandom(); +- return rnd.generateSeed(numBytes); ++ if (alg.getParameterClasses() == null) ++ return null; ++ ++ numBytes = alg.getBlockSize(); ++ return (new SecureRandom()).generateSeed(numBytes); + } + + public SymmetricKey recoverSymKey(KeyRecord keyRecord) +diff --git a/base/server/cms/src/com/netscape/cms/servlet/key/KeyRequestDAO.java b/base/server/cms/src/com/netscape/cms/servlet/key/KeyRequestDAO.java +index b2008f2..5ffb36b 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/key/KeyRequestDAO.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/key/KeyRequestDAO.java +@@ -283,6 +283,10 @@ public class KeyRequestDAO extends CMSRequestDAO { + if (encryptOID != null) + request.setExtData(IRequest.SECURITY_DATA_PL_ENCRYPTION_OID, encryptOID); + ++ String wrapName = data.getPayloadWrappingName(); ++ if (wrapName != null) ++ request.setExtData(IRequest.SECURITY_DATA_PL_WRAPPING_NAME, wrapName); ++ + return request; + } + +@@ -294,6 +298,7 @@ public class KeyRequestDAO extends CMSRequestDAO { + String wrappedPassPhraseStr = data.getSessionWrappedPassphrase(); + String nonceDataStr = data.getNonceData(); + String encryptOID = data.getPaylodEncryptionOID(); ++ String wrapName = data.getPayloadWrappingName(); + + if (wrappedPassPhraseStr != null) { + requestParams.put(IRequest.SECURITY_DATA_SESS_PASS_PHRASE, wrappedPassPhraseStr); +@@ -310,6 +315,10 @@ public class KeyRequestDAO extends CMSRequestDAO { + if (encryptOID != null) { + requestParams.put(IRequest.SECURITY_DATA_PL_ENCRYPTION_OID, encryptOID); + } ++ ++ if (wrapName != null) { ++ requestParams.put(IRequest.SECURITY_DATA_PL_WRAPPING_NAME, wrapName); ++ } + } + + public Hashtable getTransientData(IRequest request) throws EBaseException { +-- +1.8.3.1 + + +From 2d7ab34b812eb1cf28c7c53fb43bf595f94a806f 
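Review bot: Both new helpers derive the IV from `(new SecureRandom()).generateSeed(numBytes)`; `generateSeed` pulls from the seed source, which on some platforms blocks when entropy is low, whereas an IV only needs `nextBytes` from an already-seeded instance — `byte[] iv = new byte[numBytes]; rnd.nextBytes(iv); return iv;`, ideally with one `SecureRandom` shared across calls rather than a fresh one per IV. The `generate_wrap_iv` Javadoc was copy-pasted from `generate_iv`: `@param defaultAlg -- default wrapping parameters` describes a `KeyWrapAlgorithm`, and `@throws ... if default and OID are null` should refer to `wrapName`. The `};` after the `throw` in `generate_iv` also leaves a stray empty statement.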
Mon Sep 17 00:00:00 2001 +From: Ade Lee +Date: Thu, 13 Apr 2017 14:54:38 -0400 +Subject: [PATCH 57/59] Add field to indicate if key was encrypted or wrapped + +Whether a secret was encrypted or wrapped in the storage unit +depends on a parameter in CS.cfg. If that parameter is changed, +the Storage unit may use the wrong mechanism to try to decrypt +the stored key. Thats ok for encrypt/wrap using DES or AES-CBC, +but not for AES KeyWrap. + +In this patch, we add a field in the Key record to specify whether +the secret was encrypted with stored (or keywrapped if false). + +A subsequent patch will change the logic when decrypting to use +this field. + +Change-Id: If535156179bd1259cfaaf5e56fd4d36ffdb0eb0e +--- + base/common/src/com/netscape/certsrv/dbs/keydb/IKeyRecord.java | 2 +- + base/kra/src/com/netscape/kra/AsymKeyGenService.java | 8 ++++++-- + base/kra/src/com/netscape/kra/EnrollmentService.java | 2 +- + base/kra/src/com/netscape/kra/NetkeyKeygenService.java | 3 ++- + base/kra/src/com/netscape/kra/SecurityDataProcessor.java | 5 ++++- + base/kra/src/com/netscape/kra/SymKeyGenService.java | 3 ++- + .../cms/src/com/netscape/cms/servlet/key/KeyRecordParser.java | 1 + + base/server/cmscore/src/com/netscape/cmscore/dbs/KeyRecord.java | 3 ++- + 8 files changed, 19 insertions(+), 8 deletions(-) + +diff --git a/base/common/src/com/netscape/certsrv/dbs/keydb/IKeyRecord.java b/base/common/src/com/netscape/certsrv/dbs/keydb/IKeyRecord.java +index aa4eb30..c947d3c 100644 +--- a/base/common/src/com/netscape/certsrv/dbs/keydb/IKeyRecord.java ++++ b/base/common/src/com/netscape/certsrv/dbs/keydb/IKeyRecord.java +@@ -170,7 +170,7 @@ public interface IKeyRecord { + */ + public String getRealm() throws EBaseException; + +- public void setWrappingParams(WrappingParams params) throws Exception; ++ public void setWrappingParams(WrappingParams params, boolean encrypted) throws Exception; + + public WrappingParams getWrappingParams(WrappingParams oldParams) throws Exception; + } +diff 
--git a/base/kra/src/com/netscape/kra/AsymKeyGenService.java b/base/kra/src/com/netscape/kra/AsymKeyGenService.java +index bd2be70..9528972 100644 +--- a/base/kra/src/com/netscape/kra/AsymKeyGenService.java ++++ b/base/kra/src/com/netscape/kra/AsymKeyGenService.java +@@ -30,6 +30,7 @@ import org.mozilla.jss.crypto.TokenException; + + import com.netscape.certsrv.apps.CMS; + import com.netscape.certsrv.base.EBaseException; ++import com.netscape.certsrv.base.IConfigStore; + import com.netscape.certsrv.dbs.keydb.IKeyRecord; + import com.netscape.certsrv.dbs.keydb.IKeyRepository; + import com.netscape.certsrv.key.AsymKeyGenerationRequest; +@@ -72,7 +73,7 @@ public class AsymKeyGenService implements IService { + + @Override + public boolean serviceRequest(IRequest request) throws EBaseException { +- ++ IConfigStore cs = CMS.getConfigStore(); + String clientKeyId = request.getExtDataInString(IRequest.SECURITY_DATA_CLIENT_KEY_ID); + String algorithm = request.getExtDataInString(IRequest.KEY_GEN_ALGORITHM); + +@@ -81,6 +82,8 @@ public class AsymKeyGenService implements IService { + + String realm = request.getRealm(); + ++ boolean allowEncDecrypt_archival = cs.getBoolean("kra.allowEncDecrypt.archival", false); ++ + KeyPairGeneratorSpi.Usage[] usageList = null; + String usageStr = request.getExtDataInString(IRequest.KEY_GEN_USAGES); + if (usageStr != null) { +@@ -164,6 +167,7 @@ public class AsymKeyGenService implements IService { + WrappingParams params = null; + + try { ++ // TODO(alee) What happens if key wrap algorithm is not supported? 
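Review bot: `allowEncDecrypt_archival` is read from `kra.allowEncDecrypt.archival` but nothing in the visible hunks uses it — the later `record.setWrappingParams(params, false)` hard-codes false, which is correct because this service wraps the private key with `storageUnit.wrap`. If the value is not consumed elsewhere in `serviceRequest` (its body runs outside these hunks), the config read and the new `IConfigStore cs` line are dead code and should be dropped, or the intent recorded: `// private keys are always key-wrapped here; allowEncDecrypt.archival applies only to secret/symmetric archival`. `EnrollmentService` and `SecurityDataProcessor` in this same patch do pass the flag through, which is why the unused read stands out.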
+ params = storageUnit.getWrappingParams(); + privateSecurityData = storageUnit.wrap((PrivateKey) kp.getPrivate(), params); + } catch (Exception e) { +@@ -201,7 +205,7 @@ public class AsymKeyGenService implements IService { + } + + try { +- record.setWrappingParams(params); ++ record.setWrappingParams(params, false); + } catch (Exception e) { + auditAsymKeyGenRequestProcessed(auditSubjectID, ILogger.FAILURE, request.getRequestId(), + clientKeyId, null, "Failed to store wrapping params"); +diff --git a/base/kra/src/com/netscape/kra/EnrollmentService.java b/base/kra/src/com/netscape/kra/EnrollmentService.java +index 7c179d4..381fee8 100644 +--- a/base/kra/src/com/netscape/kra/EnrollmentService.java ++++ b/base/kra/src/com/netscape/kra/EnrollmentService.java +@@ -502,7 +502,7 @@ public class EnrollmentService implements IService { + } + + try { +- rec.setWrappingParams(params); ++ rec.setWrappingParams(params, allowEncDecrypt_archival); + } catch (Exception e) { + mKRA.log(ILogger.LL_FAILURE, "Failed to store wrapping parameters"); + // TODO(alee) Set correct audit message here +diff --git a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java +index 4926873..e09eb42 100644 +--- a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java ++++ b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java +@@ -584,6 +584,7 @@ public class NetkeyKeygenService implements IService { + WrappingParams params = null; + + try { ++ // TODO(alee) What happens if key wrap algorithm is not supported? 
+ params = mStorageUnit.getWrappingParams(); + privateKeyData = mStorageUnit.wrap((org.mozilla.jss.crypto.PrivateKey) privKey, params); + } catch (Exception e) { +@@ -656,7 +657,7 @@ public class NetkeyKeygenService implements IService { + return false; + } + +- rec.setWrappingParams(params); ++ rec.setWrappingParams(params, false); + + CMS.debug("NetkeyKeygenService: before addKeyRecord"); + rec.set(KeyRecord.ATTR_ID, serialNo); +diff --git a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java +index 4659901..4261833 100644 +--- a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java ++++ b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java +@@ -214,6 +214,7 @@ public class SecurityDataProcessor { + + byte[] publicKey = null; + byte privateSecurityData[] = null; ++ boolean doEncrypt = false; + + try { + params = storageUnit.getWrappingParams(); +@@ -222,9 +223,11 @@ public class SecurityDataProcessor { + } else if (unwrapped != null && allowEncDecrypt_archival == true) { + privateSecurityData = storageUnit.encryptInternalPrivate(unwrapped, params); + Arrays.fill(unwrapped, (byte)0); ++ doEncrypt = true; + CMS.debug("allowEncDecrypt_archival of symmetric key."); + } else if (securityData != null) { + privateSecurityData = storageUnit.encryptInternalPrivate(securityData, params); ++ doEncrypt = true; + } else { // We have no data. 
+ auditArchivalRequestProcessed(auditSubjectID, ILogger.FAILURE, requestId, + clientKeyId, null, "Failed to create security data to archive"); +@@ -282,7 +285,7 @@ public class SecurityDataProcessor { + } + + try { +- rec.setWrappingParams(params); ++ rec.setWrappingParams(params, doEncrypt); + } catch (Exception e) { + kra.log(ILogger.LL_FAILURE, + "Failed to store wrapping parameters: " + e); +diff --git a/base/kra/src/com/netscape/kra/SymKeyGenService.java b/base/kra/src/com/netscape/kra/SymKeyGenService.java +index 0dfd3a2..c1830ec 100644 +--- a/base/kra/src/com/netscape/kra/SymKeyGenService.java ++++ b/base/kra/src/com/netscape/kra/SymKeyGenService.java +@@ -170,6 +170,7 @@ public class SymKeyGenService implements IService { + } + + try { ++ // TODO(alee) what happens if key wrap algorithm is not supported? + params = mStorageUnit.getWrappingParams(); + privateSecurityData = mStorageUnit.wrap(sk, params); + } catch (Exception e) { +@@ -215,7 +216,7 @@ public class SymKeyGenService implements IService { + } + + try { +- rec.setWrappingParams(params); ++ rec.setWrappingParams(params, false); + } catch (Exception e) { + mKRA.log(ILogger.LL_FAILURE, + "Failed to store wrapping parameters: " + e); +diff --git a/base/server/cms/src/com/netscape/cms/servlet/key/KeyRecordParser.java b/base/server/cms/src/com/netscape/cms/servlet/key/KeyRecordParser.java +index b1e6cd6..f4e54c4 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/key/KeyRecordParser.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/key/KeyRecordParser.java +@@ -60,6 +60,7 @@ public class KeyRecordParser { + public final static String OUT_PL_ENCRYPTION_IV = "payloadEncryptionIV"; + public final static String OUT_PL_ENCRYPTION_IV_LEN = "payloadEncryptionIVLen"; + public final static String OUT_PL_ENCRYPTION_OID = "payloadEncryptionOID"; ++ public static final String OUT_PL_ENCRYPTED = "payloadEncrypted"; + + /** + * Fills key record into argument block. 
+diff --git a/base/server/cmscore/src/com/netscape/cmscore/dbs/KeyRecord.java b/base/server/cmscore/src/com/netscape/cmscore/dbs/KeyRecord.java +index 97f4942..b082165 100644 +--- a/base/server/cmscore/src/com/netscape/cmscore/dbs/KeyRecord.java ++++ b/base/server/cmscore/src/com/netscape/cmscore/dbs/KeyRecord.java +@@ -407,7 +407,7 @@ public class KeyRecord implements IDBObj, IKeyRecord { + return realm; + } + +- public void setWrappingParams(WrappingParams params) throws Exception { ++ public void setWrappingParams(WrappingParams params, boolean doEncrypt) throws Exception { + if (mMetaInfo == null) { + mMetaInfo = new MetaInfo(); + } +@@ -456,6 +456,7 @@ public class KeyRecord implements IDBObj, IKeyRecord { + ); + } + ++ mMetaInfo.set(KeyRecordParser.OUT_PL_ENCRYPTED, Boolean.toString(doEncrypt)); + } + + public WrappingParams getWrappingParams(WrappingParams oldParams) throws Exception { +-- +1.8.3.1 + + +From b04739d364e7e220da29ce8d47654377999ad881 Mon Sep 17 00:00:00 2001 +From: Christina Fu +Date: Thu, 13 Apr 2017 16:53:58 -0700 +Subject: [PATCH 58/59] Ticket #2614 CMC: id-cmc-popLinkWitnessV2 feature + implementation This patch provides the feature for CMC on handling + id-cmc-popLinkWitnessV2 + +--- + .../src/com/netscape/cmstools/CMCRequest.java | 458 +++++++++++++++++++-- + .../src/com/netscape/cmstools/CRMFPopClient.java | 10 +- + .../src/com/netscape/cmstools/PKCS10Client.java | 22 +- + .../netscape/cms/profile/common/EnrollProfile.java | 421 ++++++++++++++----- + .../cms/servlet/common/CMCOutputTemplate.java | 12 + + base/server/cmsbundle/src/UserMessages.properties | 2 + + 6 files changed, 770 insertions(+), 155 deletions(-) + +diff --git a/base/java-tools/src/com/netscape/cmstools/CMCRequest.java b/base/java-tools/src/com/netscape/cmstools/CMCRequest.java +index a2aca8a..ac523ad 100644 +--- a/base/java-tools/src/com/netscape/cmstools/CMCRequest.java ++++ b/base/java-tools/src/com/netscape/cmstools/CMCRequest.java +@@ -34,6 +34,7 @@ import 
java.security.NoSuchAlgorithmException; + import java.text.SimpleDateFormat; + import java.util.Arrays; + import java.util.Date; ++import java.util.Random; + import java.util.StringTokenizer; + + import org.mozilla.jss.CryptoManager; +@@ -53,10 +54,12 @@ import org.mozilla.jss.crypto.CryptoToken; + import org.mozilla.jss.crypto.DigestAlgorithm; + import org.mozilla.jss.crypto.ObjectNotFoundException; + import org.mozilla.jss.crypto.PrivateKey; ++import org.mozilla.jss.crypto.Signature; + import org.mozilla.jss.crypto.SignatureAlgorithm; + import org.mozilla.jss.crypto.SymmetricKey; + import org.mozilla.jss.crypto.X509Certificate; + import org.mozilla.jss.pkcs10.CertificationRequest; ++import org.mozilla.jss.pkcs10.CertificationRequestInfo; + import org.mozilla.jss.pkix.cmc.CMCCertId; + import org.mozilla.jss.pkix.cmc.CMCStatusInfo; + import org.mozilla.jss.pkix.cmc.DecryptedPOP; +@@ -68,6 +71,7 @@ import org.mozilla.jss.pkix.cmc.OtherInfo; + import org.mozilla.jss.pkix.cmc.OtherMsg; + import org.mozilla.jss.pkix.cmc.PKIData; + import org.mozilla.jss.pkix.cmc.PendInfo; ++import org.mozilla.jss.pkix.cmc.PopLinkWitnessV2; + import org.mozilla.jss.pkix.cmc.ResponseBody; + import org.mozilla.jss.pkix.cmc.TaggedAttribute; + import org.mozilla.jss.pkix.cmc.TaggedCertificationRequest; +@@ -85,7 +89,11 @@ import org.mozilla.jss.pkix.cms.SignerInfo; + import org.mozilla.jss.pkix.crmf.CertReqMsg; + import org.mozilla.jss.pkix.crmf.CertRequest; + import org.mozilla.jss.pkix.crmf.CertTemplate; ++import org.mozilla.jss.pkix.crmf.POPOSigningKey; ++import org.mozilla.jss.pkix.crmf.ProofOfPossession; ++import org.mozilla.jss.pkix.primitive.AVA; + import org.mozilla.jss.pkix.primitive.AlgorithmIdentifier; ++import org.mozilla.jss.pkix.primitive.Attribute; + import org.mozilla.jss.pkix.primitive.Name; + import org.mozilla.jss.pkix.primitive.SubjectPublicKeyInfo; + import org.mozilla.jss.util.Password; +@@ -148,6 +156,43 @@ public class CMCRequest { + } + + /** ++ * 
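Review bot: `java.util.Random` is newly imported into a tool whose added code builds cryptographic witness values (PopLinkWitnessV2); the use site is outside this chunk, but if it supplies the random bytes for the witness or any nonce it must be `java.security.SecureRandom` — `Random` is a predictable PRNG and unsuitable for anything that is then MAC'd and sent to the CA. If it is only used for something non-secret, a comment at the use site saying so would stop the next reviewer asking the same question.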
getSigningAlgFromPrivate ++ * ++ */ ++ static SignatureAlgorithm getSigningAlgFromPrivate (java.security.PrivateKey privKey) { ++ String method = "getSigningAlgFromPrivate: "; ++ System.out.println(method + "begins."); ++ ++ if (privKey == null) { ++ System.out.println(method + "method param privKey cannot be null"); ++ System.exit(1); ++ } ++ ++ SignatureAlgorithm signAlg = null; ++ /* ++ org.mozilla.jss.crypto.PrivateKey.Type signingKeyType = ++ ((org.mozilla.jss.crypto.PrivateKey) privKey) ++ .getType(); ++ */ ++ // TODO: allow more options later ++ String signingKeyType = privKey.getAlgorithm(); ++ System.out.println(method + "found signingKeyType=" + signingKeyType); ++ if (signingKeyType.equalsIgnoreCase("RSA")) { ++ signAlg = SignatureAlgorithm.RSASignatureWithSHA256Digest; ++ } else if (signingKeyType.equalsIgnoreCase("EC")) { ++ signAlg = SignatureAlgorithm.ECSignatureWithSHA256Digest; ++ } else { ++ System.out.println(method + "Algorithm not supported:" + ++ signingKeyType); ++ return null; ++ } ++ System.out.println(method + "using SignatureAlgorithm: " + ++ signAlg.toString()); ++ ++ return signAlg; ++ } ++ ++ /** + * signData signs the request PKIData + * + * @param signerCert the certificate of the authorized signer of the CMC revocation request. 
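Review bot: `getSigningAlgFromPrivate` has two different failure modes — `System.exit(1)` for a null key but `return null` for an unsupported algorithm — and a Javadoc that only repeats the method name. Both callers (`signData` and the pkcs10 branch of `createPKIData`) already test for null, so the null-key case could return null too and keep process exit out of a helper. The Javadoc should say what it maps: `Maps an RSA or EC private key to the SHA-256 signature algorithm used for signing; returns null for other key types.` Also, `privKey.getAlgorithm()` returning exactly `"EC"` for JSS EC keys is an assumption worth confirming, since the removed code compared `PrivateKey.Type.EC` instead.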
+@@ -190,17 +235,9 @@ public class CMCRequest { + + EncapsulatedContentInfo ci = new EncapsulatedContentInfo(OBJECT_IDENTIFIER.id_cct_PKIData, pkidata); + DigestAlgorithm digestAlg = null; +- SignatureAlgorithm signAlg = null; +- org.mozilla.jss.crypto.PrivateKey.Type signingKeyType = ((org.mozilla.jss.crypto.PrivateKey) privKey) +- .getType(); +- if (signingKeyType.equals(org.mozilla.jss.crypto.PrivateKey.Type.RSA)) { +- signAlg = SignatureAlgorithm.RSASignatureWithSHA256Digest; +- } else if (signingKeyType.equals(org.mozilla.jss.crypto.PrivateKey.Type.EC)) { +- signAlg = SignatureAlgorithm.ECSignatureWithSHA256Digest; +- } else { +- System.out.println("Algorithm not supported"); ++ SignatureAlgorithm signAlg = getSigningAlgFromPrivate(privKey); ++ if (signAlg == null) + return null; +- } + + MessageDigest SHADigest = null; + +@@ -292,9 +329,13 @@ public class CMCRequest { + String transactionMgtId, + String identificationEnable, String identification, + String identityProofEnable, String identityProofSharedSecret, +- String identityProofV2Enable, String witnessSharedSecret, ++ String witnessSharedSecret, ++ String identityProofV2Enable, + String identityProofV2hashAlg, String identityProofV2macAlg, +- SEQUENCE controlSeq, SEQUENCE otherMsgSeq, int bpid) { ++ String popLinkWitnessV2Enable, ++ String popLinkWitnessV2keyGenAlg, String popLinkWitnessV2macAlg, ++ SEQUENCE controlSeq, SEQUENCE otherMsgSeq, int bpid, ++ CryptoToken token, PrivateKey privk) { + + String method = "createPKIData: "; + +@@ -305,6 +346,26 @@ public class CMCRequest { + TaggedRequest trq = null; + PKCS10 pkcs = null; + CertReqMsg certReqMsg = null; ++ CertReqMsg new_certReqMsg = null; ++ CertRequest new_certreq = null; ++ ++ PopLinkWitnessV2 popLinkWitnessV2Control = null; ++ if (popLinkWitnessV2Enable.equals("true")) { ++ popLinkWitnessV2Control = ++ createPopLinkWitnessV2Attr( ++ bpid, ++ controlSeq, ++ witnessSharedSecret, ++ popLinkWitnessV2keyGenAlg, ++ popLinkWitnessV2macAlg, ++ 
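Review bot: The new `createPKIData` signature moves `witnessSharedSecret` ahead of `identityProofV2Enable` and inserts three more `String` parameters; because every one of these is a `String`, a caller not updated in this patch (the call site is outside this chunk) still compiles with the arguments silently shifted, putting the shared secret where the enable flag was. Worth verifying every caller by hand, and longer term grouping these flags into a small options object so the compiler catches such reorderings. A Javadoc listing the parameters in order would help too.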
(identificationEnable.equals("true")) ? ++ identification : null); ++ if (popLinkWitnessV2Control == null) { ++ System.out.println(method + ++ "createPopLinkWitnessV2Attr returned null...exit"); ++ System.exit(1); ++ } ++ } + + // create CMC req + SEQUENCE reqSequence = new SEQUENCE(); +@@ -325,9 +386,63 @@ public class CMCRequest { + System.exit(1); + } + certReqMsg = (CertReqMsg) crmfMsgs.elementAt(0); +- trq = new TaggedRequest(TaggedRequest.CRMF, null, +- certReqMsg); ++ ++ if (popLinkWitnessV2Enable.equals("true")) { ++ System.out.println(method + ++ "popLinkWitnessV2 enabled. reconstructing crmf"); ++ //crmf reconstruction to include PopLinkWitnessV2 control ++ CertRequest certReq = certReqMsg.getCertReq(); ++ INTEGER certReqId = certReq.getCertReqId(); ++ CertTemplate certTemplate = certReq.getCertTemplate(); ++ SEQUENCE controls = certReq.getControls(); ++ controls.addElement(new AVA(OBJECT_IDENTIFIER.id_cmc_popLinkWitnessV2, ++ popLinkWitnessV2Control)); ++ new_certreq = new CertRequest(certReqId, certTemplate, controls); ++ ++ // recalculate signing POP, if it had one ++ ProofOfPossession new_pop = null; ++ if (certReqMsg.hasPop()) { ++ if (privk == null) { ++ System.out.println(method + ++ "privateKey not found; can't regenerate new POP"); ++ System.exit(1); ++ } ++ if (token == null) { ++ System.out.println(method + ++ "token not found; can't regenerate new POP"); ++ System.exit(1); ++ } ++ new_pop = createNewPOP( ++ certReqMsg, ++ new_certreq, ++ token, ++ privk); ++ } else { // !hasPop ++ System.out.println(method + ++ "old certReqMsg has no pop, so will the new certReqMsg"); ++ } ++ ++ new_certReqMsg = new CertReqMsg(new_certreq, new_pop, null); ++ SEQUENCE seq = new SEQUENCE(); ++ seq.addElement(new_certReqMsg); ++ ++ byte[] encodedNewCrmfMessage = ASN1Util.encode(seq); ++ String b64String = Utils.base64encode(encodedNewCrmfMessage); ++ System.out.println(method + "new CRMF b64encode completes."); ++ 
System.out.println(CryptoUtil.CERTREQ_BEGIN_HEADING); ++ System.out.println(b64String); ++ System.out.println(CryptoUtil.CERTREQ_END_HEADING); ++ System.out.println(""); ++ ++ trq = new TaggedRequest(TaggedRequest.CRMF, null, ++ new_certReqMsg); ++ ++ } else { // !popLinkWitnessV2Enable ++ trq = new TaggedRequest(TaggedRequest.CRMF, null, ++ certReqMsg); ++ } + } else if (format.equals("pkcs10")) { ++ System.out.println(method + " format: pkcs10"); + try { + pkcs = new PKCS10(decodedBytes, true); + } catch (Exception e2) { +@@ -338,9 +453,82 @@ public class CMCRequest { + pkcs.toByteArray()); + CertificationRequest cr = (CertificationRequest) CertificationRequest.getTemplate() + .decode(crInputStream); +- TaggedCertificationRequest tcr = new TaggedCertificationRequest( +- new INTEGER(bpid++), cr); +- trq = new TaggedRequest(TaggedRequest.PKCS10, tcr, null); ++ if (popLinkWitnessV2Enable.equals("true")) { ++ System.out.println(method + ++ "popLinkWitnessV2 enabled. reconstructing pkcs#10"); ++ //pkcs#10 reconstruction to include PopLinkWitnessV2 control ++ ++ CertificationRequestInfo certReqInfo = cr.getInfo(); ++ ++ INTEGER version = certReqInfo.getVersion(); ++ Name subject = certReqInfo.getSubject(); ++ SubjectPublicKeyInfo spkInfo = certReqInfo.getSubjectPublicKeyInfo(); ++ /* ++ AlgorithmIdentifier alg = spkInfo.getAlgorithmIdentifier(); ++ SignatureAlgorithm signAlg = SignatureAlgorithm.fromOID(alg.getOID()); ++ if (signAlg == SignatureAlgorithm.RSASignatureWithSHA256Digest) { ++ System.out.println(method + ++ "signAlg == SignatureAlgorithm.RSASignatureWithSHA256Digest"); ++ } else { ++ System.out.println(method + ++ "signAlg == " + signAlg.toString()); ++ } ++ */ ++ ++ Attribute attr = new Attribute( ++ OBJECT_IDENTIFIER.id_cmc_popLinkWitnessV2, ++ popLinkWitnessV2Control); ++ SET attrs = certReqInfo.getAttributes(); ++ if (attrs == null) { ++ attrs = new SET(); ++ } ++ attrs.addElement(attr); ++ System.out.println(method + ++ " new pkcs#10 Attribute created 
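Review bot: In the CRMF reconstruction, `SEQUENCE controls = certReq.getControls();` is followed directly by `controls.addElement(...)`, but a request with no controls may return null here — the pkcs10 branch in the next hunk guards `attrs == null` with `attrs = new SET();`, so the two paths should match: `if (controls == null) controls = new SEQUENCE();`. Whether JSS returns null or an empty SEQUENCE is not visible from the hunk, so confirm against `CertRequest.getControls()`. Also `new CertReqMsg(new_certreq, new_pop, null)` drops whatever the original message carried in its third component (presumably regInfo); if that is intentional, a comment saying so would help.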
for id_cmc_popLinkWitnessV2."); ++ ++ SignatureAlgorithm signAlg = getSigningAlgFromPrivate(privk); ++ if (signAlg == null) { ++ System.out.println(method + ++ "signAlg not found"); ++ System.exit(1); ++ } ++ CertificationRequestInfo new_certReqInfo = new CertificationRequestInfo( ++ version, ++ subject, ++ spkInfo, ++ attrs); ++ System.out.println(method + ++ " new pkcs#10 CertificationRequestInfo created."); ++ ++ CertificationRequest new_certRequest = new CertificationRequest( ++ new_certReqInfo, ++ privk, ++ signAlg); ++ System.out.println(method + ++ "new pkcs#10 CertificationRequest created."); ++ ++ ByteArrayOutputStream bos = new ByteArrayOutputStream(); ++ new_certRequest.encode(bos); ++ byte[] bb = bos.toByteArray(); ++ ++ System.out.println(method + "calling Utils.b64encode."); ++ String b64String = Utils.base64encode(bb); ++ System.out.println(method + "new PKCS#10 b64encode completes."); ++ System.out.println(CryptoUtil.CERTREQ_BEGIN_HEADING); ++ System.out.println(b64String); ++ System.out.println(CryptoUtil.CERTREQ_END_HEADING); ++ System.out.println(""); ++ ++ TaggedCertificationRequest tcr = new TaggedCertificationRequest( ++ new INTEGER(bpid++), new_certRequest); ++ trq = new TaggedRequest(TaggedRequest.PKCS10, tcr, null); ++ ++ } else { // !popLinkWitnessV2Enable ++ ++ TaggedCertificationRequest tcr = new TaggedCertificationRequest( ++ new INTEGER(bpid++), cr); ++ trq = new TaggedRequest(TaggedRequest.PKCS10, tcr, null); ++ } + } else { + System.out.println(method + " Unrecognized request format: " + format); + System.exit(1); +@@ -348,7 +536,7 @@ public class CMCRequest { + reqSequence.addElement(trq); + } + } catch (Exception e) { +- System.out.println(method + " Exception:" + e.toString()); ++ System.out.println(method + " Exception:" + e); + System.exit(1); + } + +@@ -380,6 +568,63 @@ public class CMCRequest { + return pkidata; + } + ++ /** ++ * createNewPOP ++ * called in case of PopLinkwitnessV2 when pop exists, thus ++ * requiring 
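Review bot: The rebuilt PKCS#10 is signed with `privk` (the key looked up by privKeyId), but nothing checks that this key corresponds to the `spkInfo` copied from the incoming request, so a wrong privKeyId silently produces a request whose self-signature the CA will reject with no hint at this end; compare the public key derived from privk with spkInfo before signing, or at least state the invariant in a comment such as `// privk must be the private half of spkInfo: the request is re-signed with it`. The commented-out signAlg block between spkInfo and the Attribute construction is dead code and should be deleted rather than kept in the source. The enclosing method continues outside the hunk.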
recalculation due to changes in CertRequest controls ++ * ++ * @param old_certReqMsg, ++ * @param new_certReqMsg, ++ * @param token, ++ * @param privKey ++ * ++ * @author cfu ++ */ ++ static ProofOfPossession createNewPOP( ++ CertReqMsg old_certReqMsg, ++ CertRequest new_certReq, ++ CryptoToken token, ++ PrivateKey privKey) { ++ String method = "createNewPOP: "; ++ ++ System.out.println(method + "begins"); ++ if (old_certReqMsg == null || ++ new_certReq == null || ++ token == null || ++ privKey == null) { ++ System.out.println(method + "method params cannot be null."); ++ System.exit(1); ++ } ++ ProofOfPossession old_pop = old_certReqMsg.getPop(); ++ if (old_pop == null) { ++ System.out.println(method + "no pop in old_certReqMsg."); ++ System.exit(1); ++ } ++ ++ POPOSigningKey PopOfsignKey = old_pop.getSignature(); ++ AlgorithmIdentifier algId = PopOfsignKey.getAlgorithmIdentifier(); ++ ++ byte[] signature = null; ++ try { ++ SignatureAlgorithm signAlg = SignatureAlgorithm.fromOID(algId.getOID()); ++ Signature signer = token.getSignatureContext(signAlg); ++ signer.initSign(privKey); ++ ByteArrayOutputStream bo = new ByteArrayOutputStream(); ++ new_certReq.encode(bo); ++ signer.update(bo.toByteArray()); ++ signature = signer.sign(); ++ } catch (Exception e) { ++ System.out.println(method + e); ++ System.exit(1); ++ } ++ ++ System.out.println(method + "about to create POPOSigningKey"); ++ POPOSigningKey newPopOfSigningKey = new POPOSigningKey(null, algId, new BIT_STRING(signature, 0)); ++ ++ System.out.println(method + "creating and returning newPopOfSigningKey"); ++ return ProofOfPossession.createSignature(newPopOfSigningKey); ++ } ++ + static void printUsage() { + System.out.println(""); + System.out.println("Usage: CMCRequest "); +@@ -516,13 +761,29 @@ public class CMCRequest { + System.out.println("identityProofV2.hashAlg=SHA-256"); + System.out.println("identityProofV2.macAlg=SHA-256-HMAC"); + System.out.println(""); ++ System.out.println("#witness.sharedSecret 
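Review bot: `old_pop.getSignature()` is dereferenced without a null check; a POP that is not of the signature kind would presumably return null there and the call to `getAlgorithmIdentifier()` would throw NPE, which the parameter null guards just above do not cover. Add `if (PopOfsignKey == null) { System.out.println(method + "old pop is not a signature POP."); System.exit(1); }` before reading algId. The new POPOSigningKey is built with a null first argument, so any poposkInput the old POP carried is dropped; a one-line comment saying that is intentional would help the next reader. The Javadoc `@param` entries have stray trailing commas and no descriptions.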
works with identityProofV2 and popLinkWitnessV2"); + System.out.println("#witness.sharedSecret: Shared Secret"); + System.out.println("witness.sharedSecret=testing"); + System.out.println(""); +- System.out.println("#identification works with identityProofV2"); ++ System.out.println("#identification works with identityProofV2 and popLinkWitnessV2"); + System.out.println("identification.enable=false"); + System.out.println("identification=testuser"); + System.out.println(""); ++ System.out.println("#popLinkWitnessV2.enable: if true, then the underlying request will contain"); ++ System.out.println("#this control or attribute. Otherwise, false."); ++ System.out.println("#Supported keyGenAlg are:"); ++ System.out.println("# SHA-256, SHA-384, and SHA-512"); ++ System.out.println("#Supported macAlg are:"); ++ System.out.println("# SHA-256-HMAC, SHA-384-HMAC, and SHA-512-HMAC"); ++ System.out.println("popLinkWitnessV2.enable=false"); ++ System.out.println("popLinkWitnessV2.keyGenAlg=SHA-256"); ++ System.out.println("popLinkWitnessV2.macAlg=SHA-256-HMAC"); ++ System.out.println(""); ++ System.out.println(""); ++ System.out.println("###############################"); ++ System.out.println("Note: The following controls are outdated and replaced by newer"); ++ System.out.println(" controls above. They remain untouched, but also untested."); ++ System.out.println("###############################"); + System.out.println("#identityProof.enable: if true, then the request will contain"); + System.out.println("#this control. Otherwise, false."); + System.out.println("#Note that this control is updated by identityProofV2 above"); +@@ -879,7 +1140,7 @@ public class CMCRequest { + System.out.println(""); + seq.addElement(getCertControl); + } catch (Exception e) { +- System.out.println("Error in creating get certificate control. Check the parameters."); ++ System.out.println("Error in creating get certificate control. Check the parameters." 
+ e); + System.exit(1); + } + +@@ -1023,6 +1284,118 @@ public class CMCRequest { + return bpid; + } + ++ /** ++ * createPopLinkWitnessV2Attr generates witness v2 ++ * ++ * @param ++ * @return PopLinkWitnessV2 ++ * ++ * @author cfu ++ */ ++ private static PopLinkWitnessV2 createPopLinkWitnessV2Attr( ++ int bpid, SEQUENCE controlSeq, ++ String sharedSecret, ++ String keyGenAlgString, ++ String macAlgString, ++ String ident) { ++ ++ String method = "createPopLinkWitnessV2Attr: "; ++ System.out.println(method + "begins"); ++ ++ if (sharedSecret == null) { ++ System.out.println(method + "method param sharedSecret cannot be null"); ++ System.exit(1); ++ } ++ ++ byte[] key = null; ++ byte[] finalDigest = null; ++ ++ // (1) generate a random byte-string R of 512 bits ++ Random random = new Random(); ++ byte[] random_R = new byte[64]; ++ random.nextBytes(random_R); ++ ++ // default to SHA256 if not specified ++ if (keyGenAlgString == null) { ++ keyGenAlgString = "SHA-256"; ++ } ++ if (macAlgString == null) { ++ macAlgString = "SHA-256-HMAC"; ++ } ++ System.out.println(method + "keyGenAlg=" + keyGenAlgString + ++ "; macAlg=" + macAlgString); ++ ++ String toBeDigested = sharedSecret; ++ if (ident != null) { ++ toBeDigested = sharedSecret + ident; ++ } ++ ++ // (2) compute key from sharedSecret + identity ++ try { ++ MessageDigest hash = MessageDigest.getInstance(keyGenAlgString); ++ key = hash.digest(toBeDigested.getBytes()); ++ } catch (NoSuchAlgorithmException ex) { ++ System.out.println(method + "No such algorithm!"); ++ return null; ++ } ++ ++ MessageDigest mac; ++ // (3) compute MAC over R from (1) using key from (2) ++ try { ++ mac = MessageDigest.getInstance( ++ CryptoUtil.getHMACtoMessageDigestName(macAlgString)); ++ HMACDigest hmacDigest = new HMACDigest(mac, key); ++ hmacDigest.update(random_R); ++ finalDigest = hmacDigest.digest(); ++ } catch (NoSuchAlgorithmException ex) { ++ System.out.println(method + "No such algorithm!"); ++ return null; ++ } ++ ++ // (4) 
encode R as the value of a POP Link Random control ++ TaggedAttribute idPOPLinkRandom = ++ new TaggedAttribute(new INTEGER(bpid++), ++ OBJECT_IDENTIFIER.id_cmc_idPOPLinkRandom, ++ new OCTET_STRING(random_R)); ++ controlSeq.addElement(idPOPLinkRandom); ++ System.out.println(method + ++ "Successfully created id_cmc_idPOPLinkRandom control. bpid = " ++ + (bpid - 1)); ++ ++ AlgorithmIdentifier keyGenAlg; ++ try { ++ keyGenAlg = new AlgorithmIdentifier( ++ CryptoUtil.getHashAlgorithmOID(keyGenAlgString)); ++ } catch (NoSuchAlgorithmException ex) { ++ System.out.println(method + "No such hashing algorithm:" + keyGenAlgString); ++ return null; ++ } ++ AlgorithmIdentifier macAlg; ++ try { ++ macAlg = new AlgorithmIdentifier( ++ CryptoUtil.getHMACAlgorithmOID(macAlgString)); ++ } catch (NoSuchAlgorithmException ex) { ++ System.out.println(method + "No such HMAC algorithm:" + macAlgString); ++ return null; ++ } ++ ++ // (5) put MAC value from (3) in PopLinkWitnessV2 ++ PopLinkWitnessV2 popLinkWitnessV2 = ++ new PopLinkWitnessV2(keyGenAlg, macAlg, ++ new OCTET_STRING(finalDigest)); ++ /* ++ * for CRMF, needs to go into CRMF controls field of the CertRequest structure. 
++ * for PKCS#10, needs to go into the aributes field of CertificationRequestInfo structure ++ * - return the PopLinkWitnessV2 for such surgical procedure ++ */ ++ System.out.println(method + "Successfully created PopLinkWitnessV2 control."); ++ ++ System.out.println(method + "returning..."); ++ System.out.println(""); ++ ++ return popLinkWitnessV2; ++ } ++ + private static int addPopLinkWitnessAttr(int bpid, SEQUENCE controlSeq) { + byte[] seed = + { 0x10, 0x53, 0x42, 0x24, 0x1a, 0x2a, 0x35, 0x3c, +@@ -1309,7 +1682,8 @@ public class CMCRequest { + String dbdir = null, nickname = null; + String tokenName = null; + String ifilename = null, ofilename = null, password = null, format = null; +- String decryptedPopEnable = "false", encryptedPopResponseFile=null, privKeyId = null, decryptedPopRequestFile= null; ++ String privKeyId = null; ++ String decryptedPopEnable = "false", encryptedPopResponseFile=null, decryptedPopRequestFile= null; + String confirmCertEnable = "false", confirmCertIssuer = null, confirmCertSerial = null; + String getCertEnable = "false", getCertIssuer = null, getCertSerial = null; + String dataReturnEnable = "false", dataReturnData = null; +@@ -1321,7 +1695,9 @@ public class CMCRequest { + String revRequestInvalidityDatePresent = "false"; + String identificationEnable = "false", identification = null; + String identityProofEnable = "false", identityProofSharedSecret = null; +- String identityProofV2Enable = "false", witnessSharedSecret = null, identityProofV2hashAlg = "SHA256", identityProofV2macAlg = "SHA256"; ++ String identityProofV2Enable = "false", identityProofV2hashAlg = "SHA256", identityProofV2macAlg = "SHA256"; ++ String witnessSharedSecret = null; //shared by identityProofV2 and popLinkWitnessV2 ++ String popLinkWitnessV2Enable = "false", popLinkWitnessV2keyGenAlg = "SHA256", popLinkWitnessV2macAlg = "SHA256"; + String popLinkWitnessEnable = "false"; + String bodyPartIDs = null, lraPopWitnessEnable = "false"; + +@@ -1378,6 +1754,8 @@ 
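Review bot: The 512-bit POP-link random R in step (1) is drawn from `java.util.Random`, a non-cryptographic PRNG; the witness is only as unpredictable as R, so use `SecureRandom random = new SecureRandom();` (java.security.SecureRandom) instead. `toBeDigested.getBytes()` uses the platform default charset and must agree with whatever the server uses when it derives the same key, so pass an explicit charset such as `StandardCharsets.UTF_8` on both sides or document the assumption. bpid is incremented locally but the method returns the PopLinkWitnessV2 rather than the new bpid, unlike addPopLinkWitnessAttr below which returns the int, so the caller's bpid will not reflect the added idPOPLinkRandom control unless it is advanced elsewhere — confirm against the caller. The Javadoc `@param` line is empty; list bpid, controlSeq, sharedSecret, keyGenAlgString, macAlgString and ident.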
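Review bot: The new defaults `popLinkWitnessV2keyGenAlg = "SHA256"` and `popLinkWitnessV2macAlg = "SHA256"` use a different spelling from the in-method defaults in createPopLinkWitnessV2Attr ("SHA-256", "SHA-256-HMAC") and from the values printUsage documents; whether CryptoUtil.getHashAlgorithmOID and getHMACAlgorithmOID accept the short forms is not visible here, and "SHA256" is not an HMAC name at all. Unless both spellings are known to resolve, initialize with `"SHA-256"` and `"SHA-256-HMAC"` so the defaults match the documented ones.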
public class CMCRequest {
+ ofilename = val;
+ } else if (name.equals("input")) {
+ ifilename = val;
++ } else if (name.equals("numRequests")) {
++ numRequests = val;
+ } else if (name.equals("decryptedPop.enable")) {
+ decryptedPopEnable = val;
+ } else if (name.equals("encryptedPopResponseFile")) {
+@@ -1430,14 +1808,21 @@ public class CMCRequest {
+ identificationEnable = val;
+ } else if (name.equals("identification")) {
+ identification = val;
+- } else if (name.equals("identityProofV2.enable")) {
+- identityProofV2Enable = val;
+ } else if (name.equals("witness.sharedSecret")) {
+ witnessSharedSecret = val;
++ } else if (name.equals("identityProofV2.enable")) {
++ identityProofV2Enable = val;
+ } else if (name.equals("identityProofV2.hashAlg")) {
+ identityProofV2hashAlg = val;
+ } else if (name.equals("identityProofV2.macAlg")) {
+ identityProofV2macAlg = val;
++ } else if (name.equals("popLinkWitnessV2.enable")) {
++ popLinkWitnessV2Enable = val;
++ } else if (name.equals("popLinkWitnessV2.keyGenAlg")) {
++ popLinkWitnessV2keyGenAlg = val;
++ } else if (name.equals("popLinkWitnessV2.macAlg")) {
++ popLinkWitnessV2macAlg = val;
++ /* the following are outdated */
+ } else if (name.equals("identityProof.enable")) {
+ identityProofEnable = val;
+ } else if (name.equals("identityProof.sharedSecret")) {
+@@ -1448,8 +1833,6 @@ public class CMCRequest {
+ lraPopWitnessEnable = val;
+ } else if (name.equals("LraPopWitness.bodyPartIDs")) {
+ bodyPartIDs = val;
+- } else if (name.equals("numRequests")) {
+- numRequests = val;
+ }
+ }
+ }
+@@ -1518,13 +1901,14 @@ public class CMCRequest {
+ //cfu
+ ContentInfo cmcblob = null;
+ PKIData pkidata = null;
+- if (decryptedPopEnable.equalsIgnoreCase("true")) {
+- PrivateKey privk = null;
++ PrivateKey privk = null;
++ if (decryptedPopEnable.equalsIgnoreCase("true") ||
++ popLinkWitnessV2Enable.equalsIgnoreCase("true")) {
+ if (privKeyId == null) {
+- System.out.println("ecryptedPop.enable = true, but privKeyId not 
specified.");
++ System.out.println("ecryptedPop.enable or popLinkWitnessV2 true, but privKeyId not specified.");
+ printUsage();
+ } else {
+- System.out.println("got privKeyId: " + privKeyId);
++ System.out.println("got request privKeyId: " + privKeyId);
+ 
+ byte[] keyIDb = CryptoUtil.string2byte(privKeyId);
+ 
+@@ -1538,7 +1922,9 @@ public class CMCRequest {
+ System.exit(1);
+ }
+ }
++ }
+ 
++ if (decryptedPopEnable.equalsIgnoreCase("true")) {
+ if (encryptedPopResponseFile == null) {
+ System.out.println("ecryptedPop.enable = true, but encryptedPopResponseFile is not specified.");
+ printUsage();
+@@ -1688,7 +2074,9 @@ public class CMCRequest {
+ if (senderNonceEnable.equalsIgnoreCase("true"))
+ bpid = addSenderNonceAttr(bpid, controlSeq, senderNonce);
+ 
+- if (popLinkWitnessEnable.equalsIgnoreCase("true"))
++ //popLinkWitnessV2 takes precedence
++ if (!popLinkWitnessV2Enable.equalsIgnoreCase("true") &
++ popLinkWitnessEnable.equalsIgnoreCase("true"))
+ bpid = addPopLinkWitnessAttr(bpid, controlSeq);
+ 
+ SEQUENCE otherMsgSeq = new SEQUENCE();
+@@ -1711,9 +2099,13 @@ public class CMCRequest {
+ format, transactionMgtEnable, transactionMgtId,
+ identificationEnable, identification,
+ identityProofEnable, identityProofSharedSecret,
+- identityProofV2Enable, witnessSharedSecret,
++ witnessSharedSecret,
++ identityProofV2Enable,
+ identityProofV2hashAlg, identityProofV2macAlg,
+- controlSeq, otherMsgSeq, bpid);
++ popLinkWitnessV2Enable,
++ popLinkWitnessV2keyGenAlg, popLinkWitnessV2macAlg,
++ controlSeq, otherMsgSeq, bpid,
++ token, privk);
+ 
+ if (pkidata == null) {
+ System.out.println("pkidata null after createPKIData(). 
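Review bot: The new condition joins its two boolean operands with the non-short-circuit `&`; the result is the same for booleans, but it reads as a typo and differs from every other condition in the file, so write `if (!popLinkWitnessV2Enable.equalsIgnoreCase("true") && popLinkWitnessEnable.equalsIgnoreCase("true"))`. The comment above it would say more as `// popLinkWitnessV2 takes precedence over the legacy popLinkWitness control`.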
Exiting with error");
+diff --git a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
+index c5da9cf..5d9f7f1 100644
+--- a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
++++ b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
+@@ -599,8 +599,10 @@ public class CRMFPopClient {
+ SEQUENCE seq = new SEQUENCE();
+ seq.addElement(new AVA(new OBJECT_IDENTIFIER("1.3.6.1.5.5.7.5.1.4"), opts));
+ 
++ /*
+ OCTET_STRING ostr = createIDPOPLinkWitness();
+ seq.addElement(new AVA(OBJECT_IDENTIFIER.id_cmc_idPOPLinkWitness, ostr));
++ */
+ 
+ return new CertRequest(new INTEGER(1), certTemplate, seq);
+ }
+@@ -676,10 +678,10 @@ public class CRMFPopClient {
+ 
+ Signature signer;
+ if (algorithm.equals("rsa")) {
+- signer = token.getSignatureContext(SignatureAlgorithm.RSASignatureWithMD5Digest);
++ signer = token.getSignatureContext(SignatureAlgorithm.RSASignatureWithSHA256Digest);
+ 
+ } else if (algorithm.equals("ec")) {
+- signer = token.getSignatureContext(SignatureAlgorithm.ECSignatureWithSHA1Digest);
++ signer = token.getSignatureContext(SignatureAlgorithm.ECSignatureWithSHA256Digest);
+ 
+ } else {
+ throw new Exception("Unknown algorithm: " + algorithm);
+@@ -694,10 +696,10 @@ public class CRMFPopClient {
+ 
+ AlgorithmIdentifier algorithmID;
+ if (algorithm.equals("rsa")) {
+- algorithmID = new AlgorithmIdentifier(SignatureAlgorithm.RSASignatureWithMD5Digest.toOID(), null);
++ algorithmID = new AlgorithmIdentifier(SignatureAlgorithm.RSASignatureWithSHA256Digest.toOID(), null);
+ 
+ } else if (algorithm.equals("ec")) {
+- algorithmID = new AlgorithmIdentifier(SignatureAlgorithm.ECSignatureWithSHA1Digest.toOID(), null);
++ algorithmID = new AlgorithmIdentifier(SignatureAlgorithm.ECSignatureWithSHA256Digest.toOID(), null);
+ 
+ } else {
+ throw new Exception("Unknown algorithm: " + algorithm);
+diff --git a/base/java-tools/src/com/netscape/cmstools/PKCS10Client.java 
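Review bot: The two idPOPLinkWitness lines are commented out rather than removed; version control already keeps the history, so delete them and, if `createIDPOPLinkWitness()` no longer has a caller (not visible here), remove it too. The same applies to the larger `/*** leave out this test code ... ***/` block and the `//attributes.addElement(attr);` line in the PKCS10Client hunks further down, where the MessageDigest and HMACDigest imports have already been dropped, so the commented code would not even compile if re-enabled.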
b/base/java-tools/src/com/netscape/cmstools/PKCS10Client.java
+index 57f8792..fd1d087 100644
+--- a/base/java-tools/src/com/netscape/cmstools/PKCS10Client.java
++++ b/base/java-tools/src/com/netscape/cmstools/PKCS10Client.java
+@@ -22,14 +22,12 @@ import java.io.FileOutputStream;
+ import java.io.IOException;
+ import java.io.PrintStream;
+ import java.security.KeyPair;
+-import java.security.MessageDigest;
+ import java.security.PublicKey;
+ 
+ import org.mozilla.jss.CryptoManager;
+ import org.mozilla.jss.asn1.BMPString;
+ import org.mozilla.jss.asn1.INTEGER;
+ import org.mozilla.jss.asn1.OBJECT_IDENTIFIER;
+-import org.mozilla.jss.asn1.OCTET_STRING;
+ import org.mozilla.jss.asn1.PrintableString;
+ import org.mozilla.jss.asn1.SET;
+ import org.mozilla.jss.asn1.TeletexString;
+@@ -38,17 +36,16 @@ import org.mozilla.jss.asn1.UniversalString;
+ import org.mozilla.jss.crypto.CryptoToken;
+ import org.mozilla.jss.crypto.KeyPairAlgorithm;
+ import org.mozilla.jss.crypto.KeyPairGenerator;
++import org.mozilla.jss.crypto.PrivateKey;
+ import org.mozilla.jss.crypto.SignatureAlgorithm;
+ import org.mozilla.jss.pkcs10.CertificationRequest;
+ import org.mozilla.jss.pkcs10.CertificationRequestInfo;
+ import org.mozilla.jss.pkix.primitive.AVA;
+-import org.mozilla.jss.pkix.primitive.Attribute;
+ import org.mozilla.jss.pkix.primitive.Name;
+ import org.mozilla.jss.pkix.primitive.SubjectPublicKeyInfo;
+ import org.mozilla.jss.util.Password;
+ 
+ import com.netscape.cmsutil.crypto.CryptoUtil;
+-import com.netscape.cmsutil.util.HMACDigest;
+ import com.netscape.cmsutil.util.Utils;
+ 
+ import netscape.security.pkcs.PKCS10;
+@@ -248,6 +245,8 @@ public class PKCS10Client {
+ 
+ System.out.println("PKCS10Client: key pair generated."); //key pair generated");
+ 
++ /*** leave out this test code; cmc can add popLinkwitnessV2;
++
+ // Add idPOPLinkWitness control
+ String secretValue = "testing";
+ byte[] key1 = null;
+@@ -255,7 +254,7 @@ public class PKCS10Client {
+ MessageDigest 
SHA1Digest = MessageDigest.getInstance("SHA1");
+ key1 = SHA1Digest.digest(secretValue.getBytes());
+ 
+- /* seed */
++ // seed
+ byte[] b =
+ { 0x10, 0x53, 0x42, 0x24, 0x1a, 0x2a, 0x35, 0x3c,
+ 0x7a, 0x52, 0x54, 0x56, 0x71, 0x65, 0x66, 0x4c,
+@@ -272,9 +271,10 @@ public class PKCS10Client {
+ 
+ OCTET_STRING ostr = new OCTET_STRING(finalDigest);
+ Attribute attr = new Attribute(OBJECT_IDENTIFIER.id_cmc_idPOPLinkWitness, ostr);
++ ***/
+ 
+ SET attributes = new SET();
+- attributes.addElement(attr);
++ //attributes.addElement(attr);
+ Name n = getJssName(enable_encoding, subjectName);
+ SubjectPublicKeyInfo subjectPub = new SubjectPublicKeyInfo(pair.getPublic());
+ System.out.println("PKCS10Client: pair.getPublic() called.");
+@@ -286,7 +286,7 @@ public class PKCS10Client {
+ if (alg.equals("rsa")) {
+ CertificationRequest certRequest = null;
+ certRequest = new CertificationRequest(certReqInfo,
+- pair.getPrivate(), SignatureAlgorithm.RSASignatureWithMD5Digest);
++ pair.getPrivate(), SignatureAlgorithm.RSASignatureWithSHA256Digest);
+ System.out.println("PKCS10Client: CertificationRequest created.");
+ 
+ ByteArrayOutputStream bos = new ByteArrayOutputStream();
+@@ -323,6 +323,14 @@ public class PKCS10Client {
+ b64E = CryptoUtil.base64Encode(certReqb);
+ }
+ 
++ // print out keyid to be used in cmc popLinkWitnessV2
++ PrivateKey privateKey = (PrivateKey) pair.getPrivate();
++ @SuppressWarnings("deprecation")
++ byte id[] = privateKey.getUniqueID();
++ String kid = CryptoUtil.byte2string(id);
++ System.out.println("Keypair private key id: " + kid);
++ System.out.println("");
++
+ System.out.println(RFC7468_HEADER);
+ System.out.println(b64E);
+ System.out.println(RFC7468_TRAILER);
+diff --git a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
+index 370cc33..5f7b0ef 100644
+--- a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
++++ 
b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java +@@ -55,6 +55,7 @@ import org.mozilla.jss.pkix.cmc.IdentityProofV2; + import org.mozilla.jss.pkix.cmc.LraPopWitness; + import org.mozilla.jss.pkix.cmc.OtherMsg; + import org.mozilla.jss.pkix.cmc.PKIData; ++import org.mozilla.jss.pkix.cmc.PopLinkWitnessV2; + import org.mozilla.jss.pkix.cmc.TaggedAttribute; + import org.mozilla.jss.pkix.cmc.TaggedCertificationRequest; + import org.mozilla.jss.pkix.cmc.TaggedRequest; +@@ -64,6 +65,7 @@ import org.mozilla.jss.pkix.crmf.CertTemplate; + import org.mozilla.jss.pkix.crmf.PKIArchiveOptions; + import org.mozilla.jss.pkix.crmf.ProofOfPossession; + import org.mozilla.jss.pkix.primitive.AVA; ++import org.mozilla.jss.pkix.primitive.AlgorithmIdentifier; + import org.mozilla.jss.pkix.primitive.Attribute; + import org.mozilla.jss.pkix.primitive.Name; + import org.mozilla.jss.pkix.primitive.SubjectPublicKeyInfo; +@@ -73,7 +75,6 @@ import com.netscape.certsrv.authentication.IAuthToken; + import com.netscape.certsrv.authentication.ISharedToken; + import com.netscape.certsrv.authority.IAuthority; + import com.netscape.certsrv.base.EBaseException; +-import com.netscape.certsrv.base.EPropertyNotFound; + import com.netscape.certsrv.base.SessionContext; + import com.netscape.certsrv.ca.ICertificateAuthority; + import com.netscape.certsrv.logging.AuditEvent; +@@ -143,6 +144,9 @@ public abstract class EnrollProfile extends BasicProfile + */ + public IRequest[] createRequests(IProfileContext ctx, Locale locale) + throws EProfileException { ++ String method = "EnrollProfile: createRequests"; ++ CMS.debug(method + "begins"); ++ + // determine how many requests should be created + String cert_request_type = ctx.get(CTX_CERT_REQUEST_TYPE); + String cert_request = ctx.get(CTX_CERT_REQUEST); +@@ -151,7 +155,7 @@ public abstract class EnrollProfile extends BasicProfile + + /* cert_request_type can be null for the case of CMC */ + if (cert_request_type == null) { +- 
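Review bot: `method` is initialised to `"EnrollProfile: createRequests"` with no trailing separator, so `CMS.debug(method + "begins")` logs `createRequestsbegins`; every other method tag this patch introduces ends in `": "`. Use `String method = "EnrollProfile: createRequests: ";` and then drop the compensating leading space from `" request type is null"` in the next hunk.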
CMS.debug("EnrollProfile: request type is null"); ++ CMS.debug(method + " request type is null"); + } + + int num_requests = 1; // default to 1 request +@@ -174,10 +178,14 @@ public abstract class EnrollProfile extends BasicProfile + */ + // catch for invalid request + cmc_msgs = parseCMC(locale, cert_request); +- if (cmc_msgs == null) ++ if (cmc_msgs == null) { ++ CMS.debug(method + "parseCMC returns cmc_msgs null"); + return null; +- else ++ } else { + num_requests = cmc_msgs.length; ++ CMS.debug(method + "parseCMC returns cmc_msgs num_requests=" + ++ num_requests); ++ } + } + + // only 1 request for renewal +@@ -356,7 +364,6 @@ public abstract class EnrollProfile extends BasicProfile + throw new EBaseException(method + msg); + } + byte[] req_key_data = req.getExtDataInByteArray(IEnrollProfile.REQUEST_KEY); +- netscape.security.x509.CertificateX509Key pubKey = null; + if (req_key_data != null) { + CMS.debug(method + "found user public key in request"); + +@@ -511,6 +518,11 @@ public abstract class EnrollProfile extends BasicProfile + } + } + ++ /* ++ * parseCMC ++ * @throws EProfileException in case of error ++ * note: returing "null" doesn't mean failure ++ */ + public TaggedRequest[] parseCMC(Locale locale, String certreq) + throws EProfileException { + +@@ -553,6 +565,7 @@ public abstract class EnrollProfile extends BasicProfile + int numcontrols = controlSeq.size(); + SEQUENCE reqSeq = pkiData.getReqSequence(); + byte randomSeed[] = null; ++ UTF8String ident_s = null; + SessionContext context = SessionContext.getContext(); + if (!context.containsKey("numOfControls")) { + if (numcontrols > 0) { +@@ -588,6 +601,7 @@ public abstract class EnrollProfile extends BasicProfile + id_cmc_identityProof = true; + attr = attributes[i]; + } else if (oid.equals(OBJECT_IDENTIFIER.id_cmc_idPOPLinkRandom)) { ++ CMS.debug(method + "id_cmc_idPOPLinkRandom true"); + id_cmc_idPOPLinkRandom = true; + vals = attributes[i].getValues(); + } else { +@@ -621,23 +635,31 @@ public 
abstract class EnrollProfile extends BasicProfile + return null; + } + +- UTF8String ident_s = null; + if (id_cmc_identification) { + if (ident == null) { + msg = "id_cmc_identification contains null attribute value"; + CMS.debug(method + msg); + SEQUENCE bpids = getRequestBpids(reqSeq); + context.put("identification", bpids); +- return null; ++ ++ msg = " id_cmc_identification attribute value not found in"; ++ CMS.debug(method + msg); ++ throw new EProfileException( ++ CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST") + ++ msg); + } + ident_s = (UTF8String) (ASN1Util.decode(UTF8String.getTemplate(), + ASN1Util.encode(ident.elementAt(0)))); + if (ident_s == null) { +- msg = "id_cmc_identification contains invalid content"; ++ msg = " id_cmc_identification contains invalid content"; + CMS.debug(method + msg); + SEQUENCE bpids = getRequestBpids(reqSeq); + context.put("identification", bpids); +- return null; ++ ++ CMS.debug(method + msg); ++ throw new EProfileException( ++ CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST") + ++ msg); + } + } + +@@ -646,7 +668,8 @@ public abstract class EnrollProfile extends BasicProfile + if (!id_cmc_identification) { + SEQUENCE bpids = getRequestBpids(reqSeq); + context.put("identification", bpids); +- msg = "id_cmc_identityProofV2 must be accompanied by id_cmc_identification in this server"; ++ context.put("identityProofV2", bpids); ++ msg = "id_cmc_identityProofV2 missing id_cmc_identification"; + CMS.debug(method + msg); + throw new EProfileException( + CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST") + +@@ -658,7 +681,11 @@ public abstract class EnrollProfile extends BasicProfile + if (!valid) { + SEQUENCE bpids = getRequestBpids(reqSeq); + context.put("identityProofV2", bpids); +- return null; ++ ++ msg = " in verifyIdentityProofV2"; ++ CMS.debug(method + msg); ++ throw new EProfileException(CMS.getUserMessage(locale, ++ "CMS_POI_VERIFICATION_ERROR")+ msg); + } + } else if (id_cmc_identityProof && (attr 
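Review bot: The message thrown when `ident` is null, `" id_cmc_identification attribute value not found in"`, is cut off mid-sentence and overwrites the more precise `msg` assigned a few lines earlier; keep the first text, `msg = " id_cmc_identification contains null attribute value";`, and reuse it in the exception. Both branches now throw where they previously returned null, which is a contract change for parseCMC; the new comment above parseCMC says only that null does not mean failure, so it should also say that malformed identification or failed proof verification raises EProfileException.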
!= null)) { + boolean valid = verifyIdentityProof(attr, +@@ -666,14 +693,20 @@ public abstract class EnrollProfile extends BasicProfile + if (!valid) { + SEQUENCE bpids = getRequestBpids(reqSeq); + context.put("identityProof", bpids); +- return null; ++ ++ msg = " in verifyIdentityProof"; ++ CMS.debug(method + msg); ++ throw new EProfileException(CMS.getUserMessage(locale, ++ "CMS_POI_VERIFICATION_ERROR")+ msg); + } + } + + if (id_cmc_idPOPLinkRandom && vals != null) { +- OCTET_STRING ostr = (OCTET_STRING) (ASN1Util.decode(OCTET_STRING.getTemplate(), ++ OCTET_STRING ostr = ++ (OCTET_STRING) (ASN1Util.decode(OCTET_STRING.getTemplate(), + ASN1Util.encode(vals.elementAt(0)))); + randomSeed = ostr.toByteArray(); ++ CMS.debug(method + "got randomSeed"); + } + } // numcontrols > 0 + } +@@ -691,19 +724,55 @@ public abstract class EnrollProfile extends BasicProfile + + int nummsgs = reqSeq.size(); + if (nummsgs > 0) { ++ + msgs = new TaggedRequest[reqSeq.size()]; + SEQUENCE bpids = new SEQUENCE(); ++ ++ /* TODO: add this in CS.cfg later: cmc.popLinkWitnessRequired=true ++ // enforce popLinkWitness (or V2) ++ boolean popLinkWitnessRequired = true; ++ try { ++ String configName = "cmc.popLinkWitnessRequired"; ++ CMS.debug(method + "getting :" + configName); ++ popLinkWitnessRequired = CMS.getConfigStore().getBoolean(configName, true); ++ CMS.debug(method + "cmc.popLinkWitnessRequired is " + popLinkWitnessRequired); ++ } catch (Exception e) { ++ // unlikely to get here ++ msg = method + " Failed to retrieve cmc.popLinkWitnessRequired"; ++ CMS.debug(msg); ++ throw new EProfileException(method + msg); ++ } ++*/ ++ + boolean valid = true; + for (int i = 0; i < nummsgs; i++) { + msgs[i] = (TaggedRequest) reqSeq.elementAt(i); +- if (!context.containsKey("POPLinkWitness")) { ++ if (!context.containsKey("POPLinkWitnessV2") && ++ !context.containsKey("POPLinkWitness")) { + if (randomSeed != null) { +- valid = verifyPOPLinkWitness(randomSeed, msgs[i], bpids); +- if (!valid || 
bpids.size() > 0) { +- context.put("POPLinkWitness", bpids); +- return null; ++ // verifyPOPLinkWitness() will determine if this is ++ // POPLinkWitnessV2 or POPLinkWitness ++ // If failure, context is set in verifyPOPLinkWitness ++ valid = verifyPOPLinkWitness(ident_s, randomSeed, msgs[i], bpids, context); ++ if (valid == false) { ++ if (context.containsKey("POPLinkWitnessV2")) ++ msg = " in POPLinkWitnessV2"; ++ else if (context.containsKey("POPLinkWitness")) ++ msg = " in POPLinkWitness"; ++ else ++ msg = " unspecified failure from verifyPOPLinkWitness"; ++ ++ CMS.debug(method + msg); ++ throw new EProfileException(CMS.getUserMessage(locale, ++ "MS_POP_LINK_WITNESS_VERIFICATION_ERROR")+ msg); + } +- } ++ /* TODO: for next cmc ticket, eliminate the extra trip of parseCMC if possible, or figure a way out to bypass this on 2nd trip ++ } else if (popLinkWitnessRequired == true) { ++ //popLinkWitnessRequired == true, must have randomSeed ++ CMS.debug(method + "popLinkWitness(V2) required; no randomSeed found"); ++ context.put("POPLinkWitnessV2", bpids); ++ return null;*/ ++ } //randomSeed != null + } + } + } else +@@ -711,8 +780,10 @@ public abstract class EnrollProfile extends BasicProfile + + CMS.debug(method + "ends"); + return msgs; ++ } catch (EProfileException e) { ++ throw new EProfileException(e); + } catch (Exception e) { +- CMS.debug(method + "Unable to parse CMC request: " + e); ++ CMS.debug(method + e); + throw new EProfileException( + CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST"), e); + } +@@ -778,9 +849,9 @@ public abstract class EnrollProfile extends BasicProfile + } + + byte[] cmc_msg = req.getExtDataInByteArray(IEnrollProfile.CTX_CERT_REQUEST); +- if (pop_sysPubEncreyptedSession == null) { ++ if (cmc_msg == null) { + msg = method + +- "pop_sysPubEncreyptedSession not found in request:" + ++ "cmc_msg not found in request:" + + reqId.toString(); + CMS.debug(msg); + return null; +@@ -857,43 +928,125 @@ public abstract class EnrollProfile 
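Review bot: The user-message key `"MS_POP_LINK_WITNESS_VERIFICATION_ERROR"` lacks the `CMS_` prefix that every other key in this file carries (`CMS_PROFILE_INVALID_REQUEST`, `CMS_POI_VERIFICATION_ERROR`), so unless a resource entry exists under that exact name the client will be shown the raw key; it should presumably read `"CMS_POP_LINK_WITNESS_VERIFICATION_ERROR"`. The two commented-out popLinkWitnessRequired blocks should live in the issue tracker, not the source, and `if (valid == false)` reads better as `if (!valid)`.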
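Review bot: `catch (EProfileException e) { throw new EProfileException(e); }` wraps the exception in a new instance of the same type, which, depending on the EProfileException(Throwable) constructor not visible here, may replace the localized message built at the throw site with the exception's toString; `throw e;` preserves the original as-is. The generic catch below it also dropped the "Unable to parse CMC request: " prefix, so the debug line no longer says what failed.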
extends BasicProfile + return reqId; + } + +- private boolean verifyPOPLinkWitness(byte[] randomSeed, TaggedRequest req, +- SEQUENCE bpids) { +- ISharedToken tokenClass = null; +- boolean sharedSecretFound = true; +- String name = null; ++ /** ++ * getPopLinkWitnessV2control ++ * ++ * @author cfu ++ */ ++ protected PopLinkWitnessV2 getPopLinkWitnessV2control(ASN1Value value) { ++ String method = "EnrollProfile: getPopLinkWitnessV2control: "; ++ ++ ByteArrayInputStream bis = new ByteArrayInputStream( ++ ASN1Util.encode(value)); ++ PopLinkWitnessV2 popLinkWitnessV2 = null; ++ + try { +- name = CMS.getConfigStore().getString("cmc.sharedSecret.class"); +- } catch (EPropertyNotFound e) { +- CMS.debug("EnrollProfile: Failed to find the token class in the configuration file."); +- sharedSecretFound = false; +- } catch (EBaseException e) { +- CMS.debug("EnrollProfile: Failed to find the token class in the configuration file."); +- sharedSecretFound = false; ++ popLinkWitnessV2 = (PopLinkWitnessV2) (new PopLinkWitnessV2.Template()).decode(bis); ++ } catch (Exception e) { ++ CMS.debug(method + e); ++ } ++ return popLinkWitnessV2; ++ } ++ ++ /** ++ * verifyPopLinkWitnessV2 ++ * ++ * @author cfu ++ */ ++ protected boolean verifyPopLinkWitnessV2( ++ PopLinkWitnessV2 popLinkWitnessV2, ++ byte[] randomSeed, ++ String sharedSecret, ++ String ident_string) { ++ String method = "EnrollProfile: verifyPopLinkWitnessV2: "; ++ ++ if ((popLinkWitnessV2 == null) || ++ (randomSeed == null) || ++ (sharedSecret == null)) { ++ CMS.debug(method + " method parameters cannot be null"); ++ return false; ++ } ++ AlgorithmIdentifier keyGenAlg = popLinkWitnessV2.getKeyGenAlgorithm(); ++ AlgorithmIdentifier macAlg = popLinkWitnessV2.getMacAlgorithm(); ++ OCTET_STRING witness = popLinkWitnessV2.getWitness(); ++ if (keyGenAlg == null) { ++ CMS.debug(method + " keyGenAlg reurned by popLinkWitnessV2.getWitness is null"); ++ return false; ++ } ++ if (macAlg == null) { ++ CMS.debug(method + " macAlg 
reurned by popLinkWitnessV2.getWitness is null"); ++ return false; ++ } ++ if (witness == null) { ++ CMS.debug(method + " witness reurned by popLinkWitnessV2.getWitness is null"); ++ return false; + } + + try { +- tokenClass = (ISharedToken) Class.forName(name).newInstance(); +- } catch (ClassNotFoundException e) { +- CMS.debug("EnrollProfile: Failed to find class name: " + name); +- sharedSecretFound = false; +- } catch (InstantiationException e) { +- CMS.debug("EnrollProfile: Failed to instantiate class: " + name); +- sharedSecretFound = false; +- } catch (IllegalAccessException e) { +- CMS.debug("EnrollProfile: Illegal access: " + name); ++ DigestAlgorithm keyGenAlgID = DigestAlgorithm.fromOID(keyGenAlg.getOID()); ++ MessageDigest keyGenMDAlg = MessageDigest.getInstance(keyGenAlgID.toString()); ++ ++ HMACAlgorithm macAlgID = HMACAlgorithm.fromOID(macAlg.getOID()); ++ MessageDigest macMDAlg = MessageDigest ++ .getInstance(CryptoUtil.getHMACtoMessageDigestName(macAlgID.toString())); ++ ++ byte[] witness_bytes = witness.toByteArray(); ++ return verifyDigest( ++ (ident_string != null) ? 
(sharedSecret + ident_string).getBytes() : sharedSecret.getBytes(), ++ randomSeed, ++ witness_bytes, ++ keyGenMDAlg, macMDAlg); ++ } catch (NoSuchAlgorithmException e) { ++ CMS.debug(method + e); ++ return false; ++ } catch (Exception e) { ++ CMS.debug(method + e); ++ return false; ++ } ++ } ++ ++ /* ++ * verifyPOPLinkWitness now handles POPLinkWitnessV2; ++ */ ++ private boolean verifyPOPLinkWitness( ++ UTF8String ident, byte[] randomSeed, TaggedRequest req, ++ SEQUENCE bpids, SessionContext context) { ++ String method = "EnrollProfile: verifyPOPLinkWitness: "; ++ CMS.debug(method + "begins."); ++ ++ String ident_string = null; ++ if (ident != null) { ++ ident_string = ident.toString(); ++ } ++ ++ boolean sharedSecretFound = true; ++ String configName = "cmc.sharedSecret.class"; ++ String sharedSecret = null; ++ ISharedToken tokenClass = getSharedTokenClass(configName); ++ if (tokenClass == null) { ++ CMS.debug(method + " Failed to retrieve shared secret plugin class"); + sharedSecretFound = false; ++ } else { ++ if (ident_string != null) { ++ sharedSecret = tokenClass.getSharedToken(ident_string); ++ } else { ++ sharedSecret = tokenClass.getSharedToken(mCMCData); ++ } ++ if (sharedSecret == null) ++ sharedSecretFound = false; + } + + INTEGER reqId = null; + byte[] bv = null; +- String sharedSecret = null; +- if (tokenClass != null) +- sharedSecret = tokenClass.getSharedToken(mCMCData); ++ + if (req.getType().equals(TaggedRequest.PKCS10)) { ++ String methodPos = method + "PKCS10: "; ++ CMS.debug(methodPos + "begins"); ++ + TaggedCertificationRequest tcr = req.getTcr(); + if (!sharedSecretFound) { + bpids.addElement(tcr.getBodyPartID()); ++ context.put("POPLinkWitness", bpids); + return false; + } else { + CertificationRequest creq = tcr.getCertificationRequest(); +@@ -901,13 +1054,42 @@ public abstract class EnrollProfile extends BasicProfile + SET attrs = cinfo.getAttributes(); + for (int j = 0; j < attrs.size(); j++) { + Attribute pkcs10Attr = (Attribute) 
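Review bot: verifyPopLinkWitnessV2 takes the key-generation and MAC algorithms straight from the client-supplied control (`DigestAlgorithm.fromOID(keyGenAlg.getOID())`, `HMACAlgorithm.fromOID(macAlg.getOID())`) and accepts whatever those lookups resolve, so a requester can choose the weakest algorithm the lookup tables know about; a CA-side allow-list check before the `MessageDigest.getInstance` calls would close that (the TODO for it is removed later in the same patch). Separately, `(sharedSecret + ident_string).getBytes()` and `sharedSecret.getBytes()` use the platform default charset; since `ident_string` comes from a UTF8String, `getBytes(StandardCharsets.UTF_8)` makes the witness derivation independent of the JVM locale. The `catch (NoSuchAlgorithmException e)` followed by `catch (Exception e)` with identical bodies can be collapsed to the latter.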
attrs.elementAt(j); +- if (pkcs10Attr.getType().equals(OBJECT_IDENTIFIER.id_cmc_idPOPLinkWitness)) { ++ if (pkcs10Attr.getType().equals(OBJECT_IDENTIFIER.id_cmc_popLinkWitnessV2)) { ++ CMS.debug(methodPos + "found id_cmc_popLinkWitnessV2"); ++ if (ident_string == null) { ++ bpids.addElement(reqId); ++ context.put("identification", bpids); ++ context.put("POPLinkWitnessV2", bpids); ++ String msg = "id_cmc_popLinkWitnessV2 must be accompanied by id_cmc_identification in this server"; ++ CMS.debug(methodPos + msg); ++ return false; ++ } ++ ++ SET witnessVal = pkcs10Attr.getValues(); ++ if (witnessVal.size() > 0) { ++ try { ++ PopLinkWitnessV2 popLinkWitnessV2 = getPopLinkWitnessV2control(witnessVal.elementAt(0)); ++ boolean valid = verifyPopLinkWitnessV2(popLinkWitnessV2, ++ randomSeed, ++ sharedSecret, ++ ident_string); ++ if (!valid) { ++ bpids.addElement(reqId); ++ context.put("POPLinkWitnessV2", bpids); ++ return valid; ++ } ++ return true; ++ } catch (Exception ex) { ++ CMS.debug(methodPos + ex); ++ return false; ++ } ++ } ++ } else if (pkcs10Attr.getType().equals(OBJECT_IDENTIFIER.id_cmc_idPOPLinkWitness)) { + SET witnessVal = pkcs10Attr.getValues(); + if (witnessVal.size() > 0) { + try { +- OCTET_STRING str = +- (OCTET_STRING) (ASN1Util.decode(OCTET_STRING.getTemplate(), +- ASN1Util.encode(witnessVal.elementAt(0)))); ++ OCTET_STRING str = (OCTET_STRING) (ASN1Util.decode(OCTET_STRING.getTemplate(), ++ ASN1Util.encode(witnessVal.elementAt(0)))); + bv = str.toByteArray(); + return verifyDigest(sharedSecret.getBytes(), + randomSeed, bv); +@@ -921,27 +1103,55 @@ public abstract class EnrollProfile extends BasicProfile + return false; + } + } else if (req.getType().equals(TaggedRequest.CRMF)) { ++ String methodPos = method + "CRMF: "; ++ CMS.debug(methodPos + "begins"); ++ + CertReqMsg crm = req.getCrm(); + CertRequest certReq = crm.getCertReq(); + reqId = certReq.getCertReqId(); + if (!sharedSecretFound) { + bpids.addElement(reqId); ++ context.put("POPLinkWitness", 
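Review bot: In the PKCS10 branch `reqId` is still null when the popLinkWitnessV2 checks run, because it is only assigned in the CRMF branch (`reqId = certReq.getCertReqId();`), so both `bpids.addElement(reqId)` calls in this hunk append a null element to the SEQUENCE that CMCOutputTemplate later encodes into the CMCStatusInfo; the not-found path just above uses `tcr.getBodyPartID()` for the same purpose. Use `bpids.addElement(tcr.getBodyPartID());` in both places, or assign `reqId = tcr.getBodyPartID();` once at the top of the branch. Also, when the V2 attribute is present but `witnessVal` is empty the loop simply continues and the method's result is decided outside the hunk, so an empty witness set should be rejected explicitly rather than falling through. verifyPOPLinkWitness starts and ends outside the hunk.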
bpids); + return false; + } else { + for (int i = 0; i < certReq.numControls(); i++) { + AVA ava = certReq.controlAt(i); + +- if (ava.getOID().equals(OBJECT_IDENTIFIER.id_cmc_idPOPLinkWitness)) { ++ if (ava.getOID().equals(OBJECT_IDENTIFIER.id_cmc_popLinkWitnessV2)) { ++ CMS.debug(methodPos + "found id_cmc_popLinkWitnessV2"); ++ if (ident_string == null) { ++ bpids.addElement(reqId); ++ context.put("identification", bpids); ++ context.put("POPLinkWitnessV2", bpids); ++ String msg = "id_cmc_popLinkWitnessV2 must be accompanied by id_cmc_identification in this server"; ++ CMS.debug(methodPos + msg); ++ return false; ++ } ++ ++ ASN1Value value = ava.getValue(); ++ PopLinkWitnessV2 popLinkWitnessV2 = getPopLinkWitnessV2control(value); ++ ++ boolean valid = verifyPopLinkWitnessV2(popLinkWitnessV2, ++ randomSeed, ++ sharedSecret, ++ ident_string); ++ if (!valid) { ++ bpids.addElement(reqId); ++ context.put("POPLinkWitnessV2", bpids); ++ return valid; ++ } ++ } else if (ava.getOID().equals(OBJECT_IDENTIFIER.id_cmc_idPOPLinkWitness)) { ++ CMS.debug(methodPos + "found id_cmc_idPOPLinkWitness"); + ASN1Value value = ava.getValue(); + ByteArrayInputStream bis = new ByteArrayInputStream( + ASN1Util.encode(value)); + OCTET_STRING ostr = null; + try { +- ostr = (OCTET_STRING) +- (new OCTET_STRING.Template()).decode(bis); ++ ostr = (OCTET_STRING) (new OCTET_STRING.Template()).decode(bis); + bv = ostr.toByteArray(); + } catch (Exception e) { + bpids.addElement(reqId); ++ context.put("POPLinkWitness", bpids); + return false; + } + +@@ -949,6 +1159,7 @@ public abstract class EnrollProfile extends BasicProfile + randomSeed, bv); + if (!valid) { + bpids.addElement(reqId); ++ context.put("POPLinkWitness", bpids); + return valid; + } + } +@@ -1002,10 +1213,7 @@ public abstract class EnrollProfile extends BasicProfile + byte[] finalDigest = null; + HMACDigest hmacDigest = new HMACDigest(macAlg, key); + hmacDigest.update(text); +- if (hmacDigest == null) { +- CMS.debug(method + " 
hmacDigest null after hmacDigest.update"); +- return false; +- } ++ + finalDigest = hmacDigest.digest(); + + if (finalDigest.length != bv.length) { +@@ -1041,6 +1249,40 @@ public abstract class EnrollProfile extends BasicProfile + return bpids; + } + ++ ++ ISharedToken getSharedTokenClass(String configName) { ++ String method = "EnrollProfile: getSharedTokenClass: "; ++ ISharedToken tokenClass = null; ++ ++ String name = null; ++ try { ++ CMS.debug(method + "getting :" + configName); ++ name = CMS.getConfigStore().getString(configName); ++ CMS.debug(method + "Shared Secret plugin class name retrieved:" + ++ name); ++ } catch (Exception e) { ++ CMS.debug(method + " Failed to retrieve shared secret plugin class name"); ++ return null; ++ } ++ ++ try { ++ tokenClass = (ISharedToken) Class.forName(name).newInstance(); ++ CMS.debug(method + "Shared Secret plugin class retrieved"); ++ } catch (ClassNotFoundException e) { ++ CMS.debug(method + " Failed to find class name: " + name); ++ return null; ++ } catch (InstantiationException e) { ++ CMS.debug("EnrollProfile: Failed to instantiate class: " + name); ++ return null; ++ } catch (IllegalAccessException e) { ++ CMS.debug(method + " Illegal access: " + name); ++ return null; ++ } ++ ++ return tokenClass; ++ } ++ ++ + /** + * verifyIdentityProofV2 handles IdentityProofV2 as defined by RFC5272 + * +@@ -1070,32 +1312,9 @@ public abstract class EnrollProfile extends BasicProfile + return false; + } + +- String name = null; +- try { +- String configName = "cmc.sharedSecret.class"; +- CMS.debug(method + "getting :" + configName); +- name = CMS.getConfigStore().getString(configName); +- CMS.debug(method + "Shared Secret plugin class name retrieved:" + +- name); +- } catch (Exception e) { +- CMS.debug(method + " Failed to retrieve shared secret plugin class name"); +- return false; +- } ++ String configName = "cmc.sharedSecret.class"; ++ ISharedToken tokenClass = getSharedTokenClass(configName); + +- ISharedToken tokenClass = 
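Review bot: The witness comparison that begins with `if (finalDigest.length != bv.length) {` and, as far as the hunk shows, continues as a byte loop below it leaks timing information about how many leading MAC bytes matched; for a shared-secret proof verified on every request a constant-time comparison is the right tool. Replacing the length check and the loop with `return MessageDigest.isEqual(finalDigest, bv);` (java.security.MessageDigest is already used by this class) removes that channel, and fits naturally with the dead null check this hunk deletes. verifyDigest starts and ends outside the hunk, so the loop itself is not visible here.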
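Review bot: getSharedTokenClass logs its `InstantiationException` branch with a hard-coded `"EnrollProfile: Failed to instantiate class: "` prefix while the sibling branches use the `method` prefix; `CMS.debug(method + " Failed to instantiate class: " + name);` keeps the log lines consistent and greppable by method. The helper also has no access modifier, which makes it package-visible; `private` (or `protected` if subclasses need it) matches the other verify helpers. Since the plugin class name is static configuration, `Class.forName(name).newInstance()` on every CMC request is avoidable, though caching the instance is a separate change.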
null; +- try { +- tokenClass = (ISharedToken) Class.forName(name).newInstance(); +- CMS.debug(method + "Shared Secret plugin class retrieved"); +- } catch (ClassNotFoundException e) { +- CMS.debug(method + " Failed to find class name: " + name); +- return false; +- } catch (InstantiationException e) { +- CMS.debug("EnrollProfile: Failed to instantiate class: " + name); +- return false; +- } catch (IllegalAccessException e) { +- CMS.debug(method + " Illegal access: " + name); +- return false; +- } + if (tokenClass == null) { + CMS.debug(method + " Failed to retrieve shared secret plugin class"); + return false; +@@ -1116,19 +1335,13 @@ public abstract class EnrollProfile extends BasicProfile + try { + IdentityProofV2 idV2val = (IdentityProofV2) (ASN1Util.decode(IdentityProofV2.getTemplate(), + ASN1Util.encode(vals.elementAt(0)))); +- /** +- * TODO: cfu: +- * phase2: getting configurable allowable hashing and mac algorithms +- */ + + DigestAlgorithm hashAlgID = DigestAlgorithm.fromOID(idV2val.getHashAlgID().getOID()); + MessageDigest hashAlg = MessageDigest.getInstance(hashAlgID.toString()); +- // TODO: check against CA allowed algs later + + HMACAlgorithm macAlgId = HMACAlgorithm.fromOID(idV2val.getMacAlgId().getOID()); + MessageDigest macAlg = MessageDigest + .getInstance(CryptoUtil.getHMACtoMessageDigestName(macAlgId.toString())); +- // TODO: check against CA allowed algs later + + OCTET_STRING witness = idV2val.getWitness(); + if (witness == null) { +@@ -1151,32 +1364,18 @@ public abstract class EnrollProfile extends BasicProfile + } // verifyIdentityProofV2 + + private boolean verifyIdentityProof(TaggedAttribute attr, SEQUENCE reqSeq) { ++ String method = "verifyIdentityProof: "; ++ + SET vals = attr.getValues(); + if (vals.size() < 1) + return false; +- String name = null; +- try { +- name = CMS.getConfigStore().getString("cmc.sharedSecret.class"); +- } catch (EPropertyNotFound e) { +- } catch (EBaseException e) { +- } + +- if (name == null) ++ String 
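Review bot: This hunk deletes the two `// TODO: check against CA allowed algs later` comments without adding the check, so verifyIdentityProofV2 still honours whatever hash and HMAC OIDs the client places in the IdentityProofV2 control. Either keep the TODO so the gap stays visible, or add an allow-list before the `MessageDigest.getInstance` calls, e.g. `if (!isAllowedAlg(hashAlgID, macAlgId)) { CMS.debug(method + "disallowed algorithm"); return false; }` driven by a cmc.* config knob. verifyIdentityProofV2 starts and ends outside the hunk.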
configName = "cmc.sharedSecret.class"; ++ ISharedToken tokenClass = getSharedTokenClass(configName); ++ if (tokenClass == null) { ++ CMS.debug(method + " Failed to retrieve shared secret plugin class"); + return false; +- else { +- ISharedToken tokenClass = null; +- try { +- tokenClass = (ISharedToken) Class.forName(name).newInstance(); +- } catch (ClassNotFoundException e) { +- CMS.debug("EnrollProfile: Failed to find class name: " + name); +- return false; +- } catch (InstantiationException e) { +- CMS.debug("EnrollProfile: Failed to instantiate class: " + name); +- return false; +- } catch (IllegalAccessException e) { +- CMS.debug("EnrollProfile: Illegal access: " + name); +- return false; +- } ++ } + + String token = tokenClass.getSharedToken(mCMCData); + OCTET_STRING ostr = null; +@@ -1184,20 +1383,20 @@ public abstract class EnrollProfile extends BasicProfile + ostr = (OCTET_STRING) (ASN1Util.decode(OCTET_STRING.getTemplate(), + ASN1Util.encode(vals.elementAt(0)))); + } catch (InvalidBERException e) { +- CMS.debug("EnrollProfile: Failed to decode the byte value."); ++ CMS.debug(method + "Failed to decode the byte value."); + return false; + } + byte[] b = ostr.toByteArray(); + byte[] text = ASN1Util.encode(reqSeq); + + return verifyDigest(token.getBytes(), text, b); +- } + } + + public void fillTaggedRequest(Locale locale, TaggedRequest tagreq, X509CertInfo info, + IRequest req) + throws EProfileException { + String method = "EnrollProfile: fillTaggedRequest: "; ++ CMS.debug(method + "begins"); + TaggedRequest.Type type = tagreq.getType(); + if (type == null) { + CMS.debug(method + "TaggedRequest type == null"); +diff --git a/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java b/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java +index ac690f2..c130a1e 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java ++++ 
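Review bot: `token` returned by `tokenClass.getSharedToken(mCMCData)` is not checked for null before `token.getBytes()`; verifyPOPLinkWitness in the same patch treats a null shared secret as "not found" and fails cleanly, whereas here a missing secret becomes a NullPointerException surfaced to the caller as a generic invalid-request error. Add `if (token == null) { CMS.debug(method + "shared secret not found"); return false; }` directly after the `getSharedToken` call. verifyIdentityProof's opening lines are in the preceding hunk.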
b/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java +@@ -268,6 +268,18 @@ public class CMCOutputTemplate { + controlSeq.addElement(tagattr); + } + ++ SEQUENCE POPLinkWitnessV2Bpids = (SEQUENCE) context.get("POPLinkWitnessV2"); ++ if (POPLinkWitnessV2Bpids != null && POPLinkWitnessV2Bpids.size() > 0) { ++ OtherInfo otherInfo = new OtherInfo(OtherInfo.FAIL, ++ new INTEGER(OtherInfo.BAD_REQUEST), null); ++ cmcStatusInfo = new CMCStatusInfo(CMCStatusInfo.FAILED, ++ POPLinkWitnessV2Bpids, (String) null, otherInfo); ++ tagattr = new TaggedAttribute( ++ new INTEGER(bpid++), ++ OBJECT_IDENTIFIER.id_cmc_cMCStatusInfo, cmcStatusInfo); ++ controlSeq.addElement(tagattr); ++ } ++ + SEQUENCE POPLinkWitnessBpids = (SEQUENCE) context.get("POPLinkWitness"); + if (POPLinkWitnessBpids != null && POPLinkWitnessBpids.size() > 0) { + OtherInfo otherInfo = new OtherInfo(OtherInfo.FAIL, +diff --git a/base/server/cmsbundle/src/UserMessages.properties b/base/server/cmsbundle/src/UserMessages.properties +index bc7f8cf..bf96f90 100644 +--- a/base/server/cmsbundle/src/UserMessages.properties ++++ b/base/server/cmsbundle/src/UserMessages.properties +@@ -306,6 +306,8 @@ CMS_ADMIN_SRVLT_CERT_VALIDATE_FAILED=Imported cert has not been verified to be v + # ProfileSubmitServlet + ####################################################### + CMS_POP_VERIFICATION_ERROR=Proof-of-Possession Verification Failed ++CMS_POI_VERIFICATION_ERROR=Proof-of-Identification Verification Failed ++CMS_POP_LINK_WITNESS_VERIFICATION_ERROR=POP Link Witness Verification Failed + CMS_AUTHENTICATION_AGENT_NAME=Agent Authentication + CMS_AUTHENTICATION_AGENT_TEXT=This plugin authenticates agents using a certificate. 
+ CMS_AUTHENTICATION_SSL_CLIENT_NAME=SSL Client Authentication +-- +1.8.3.1 + + +From 0bd94db7a4266a7a91e08162c7e5eebf071800f2 Mon Sep 17 00:00:00 2001 +From: Ade Lee +Date: Thu, 13 Apr 2017 20:44:32 -0400 +Subject: [PATCH 59/59] Allow key recovery to use encrypted field in key record + +The previous commit added a field in the KeyRecord to +specify whether or not a key was encrypted or key wrapped +when archived. This patch modifies the recovery servlets +to use this field to determine how to decrypt/unwrap the +key for transport. + +Absence of this field in the key record implies that is +an old record - and we use the value of the CS.cfg parameter +as the default. + +Change-Id: Ia8ae679e8b3fe8462d42848d614bff863ef68e50 +--- + .../com/netscape/certsrv/dbs/keydb/IKeyRecord.java | 2 ++ + base/kra/src/com/netscape/kra/RecoveryService.java | 13 ++++++++++--- + .../src/com/netscape/kra/SecurityDataProcessor.java | 21 ++++++++++++++------- + .../com/netscape/kra/TokenKeyRecoveryService.java | 11 +++++++++-- + .../src/com/netscape/cmscore/dbs/KeyRecord.java | 9 +++++++++ + 5 files changed, 44 insertions(+), 12 deletions(-) + +diff --git a/base/common/src/com/netscape/certsrv/dbs/keydb/IKeyRecord.java b/base/common/src/com/netscape/certsrv/dbs/keydb/IKeyRecord.java +index c947d3c..d3aaa63 100644 +--- a/base/common/src/com/netscape/certsrv/dbs/keydb/IKeyRecord.java ++++ b/base/common/src/com/netscape/certsrv/dbs/keydb/IKeyRecord.java +@@ -173,4 +173,6 @@ public interface IKeyRecord { + public void setWrappingParams(WrappingParams params, boolean encrypted) throws Exception; + + public WrappingParams getWrappingParams(WrappingParams oldParams) throws Exception; ++ ++ public Boolean isEncrypted() throws EBaseException; + } +diff --git a/base/kra/src/com/netscape/kra/RecoveryService.java b/base/kra/src/com/netscape/kra/RecoveryService.java +index c89e2f3..fda5b80 100644 +--- a/base/kra/src/com/netscape/kra/RecoveryService.java ++++ 
b/base/kra/src/com/netscape/kra/RecoveryService.java +@@ -224,8 +224,15 @@ public class RecoveryService implements IService { + statsSub.startTiming("recover_key"); + } + ++ Boolean encrypted = keyRecord.isEncrypted(); ++ if (encrypted == null) { ++ // must be an old key record ++ // assume the value of allowEncDecrypt ++ encrypted = allowEncDecrypt_recovery; ++ } ++ + PrivateKey privKey = null; +- if (allowEncDecrypt_recovery == true) { ++ if (encrypted) { + privateKeyData = recoverKey(params, keyRecord); + } else { + privKey = recoverKey(params, keyRecord, isRSA); +@@ -234,7 +241,7 @@ public class RecoveryService implements IService { + statsSub.endTiming("recover_key"); + } + +- if ((isRSA == true) && (allowEncDecrypt_recovery == true)) { ++ if ((isRSA == true) && encrypted) { + if (statsSub != null) { + statsSub.startTiming("verify_key"); + } +@@ -253,7 +260,7 @@ public class RecoveryService implements IService { + if (statsSub != null) { + statsSub.startTiming("create_p12"); + } +- if (allowEncDecrypt_recovery == true) { ++ if (encrypted) { + createPFX(request, params, privateKeyData); + } else { + createPFX(request, params, privKey, ct); +diff --git a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java +index 4261833..701b611 100644 +--- a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java ++++ b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java +@@ -363,8 +363,15 @@ public class SecurityDataProcessor { + byte[] unwrappedSecData = null; + PrivateKey privateKey = null; + ++ Boolean encrypted = keyRecord.isEncrypted(); ++ if (encrypted == null) { ++ // must be an old key record ++ // assume the value of allowEncDecrypt ++ encrypted = allowEncDecrypt_recovery; ++ } ++ + if (dataType.equals(KeyRequestResource.SYMMETRIC_KEY_TYPE)) { +- if (allowEncDecrypt_recovery == true) { ++ if (encrypted) { + CMS.debug("Recover symmetric key by decrypting as per allowEncDecrypt_recovery: true."); + 
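Review bot: The fallback `Boolean encrypted = keyRecord.isEncrypted(); if (encrypted == null) encrypted = allowEncDecrypt_recovery;` is copied verbatim into RecoveryService, SecurityDataProcessor and TokenKeyRecoveryService in this patch, so a change to the default policy has to be made in three places. A small helper, e.g. `static boolean isRecordEncrypted(IKeyRecord r, boolean fallback)` or an `isEncrypted(boolean fallback)` overload on IKeyRecord, keeps the rule in one place. A comment stating that only pre-upgrade records lack the flag would also tell the next reader why a config value is allowed to override record metadata here. serviceRequest starts and ends outside the hunk.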
unwrappedSecData = recoverSecurityData(keyRecord); + } else { +@@ -375,7 +382,7 @@ public class SecurityDataProcessor { + unwrappedSecData = recoverSecurityData(keyRecord); + } else if (dataType.equals(KeyRequestResource.ASYMMETRIC_KEY_TYPE)) { + try { +- if (allowEncDecrypt_recovery == true) { ++ if (encrypted) { + CMS.debug("Recover asymmetric key by decrypting as per allowEncDecrypt_recovery: true."); + unwrappedSecData = recoverSecurityData(keyRecord); + } else { +@@ -466,7 +473,7 @@ public class SecurityDataProcessor { + if (dataType.equals(KeyRequestResource.SYMMETRIC_KEY_TYPE)) { + + CMS.debug("SecurityDataProcessor.recover(): wrap or encrypt stored symmetric key with transport passphrase"); +- if (allowEncDecrypt_recovery == true) { ++ if (encrypted) { + CMS.debug("SecurityDataProcessor.recover(): allowEncDecyypt_recovery: true, symmetric key: create blob with unwrapped key."); + pbeWrappedData = createEncryptedContentInfo(ct, null, unwrappedSecData, null, pass); + } else { +@@ -478,7 +485,7 @@ public class SecurityDataProcessor { + CMS.debug("SecurityDataProcessor.recover(): encrypt stored passphrase with transport passphrase"); + pbeWrappedData = createEncryptedContentInfo(ct, null, unwrappedSecData, null, pass); + } else if (dataType.equals(KeyRequestResource.ASYMMETRIC_KEY_TYPE)) { +- if (allowEncDecrypt_recovery == true) { ++ if (encrypted) { + CMS.debug("SecurityDataProcessor.recover(): allowEncDecyypt_recovery: true, asymmetric key: create blob with unwrapped key."); + pbeWrappedData = createEncryptedContentInfo(ct, null, unwrappedSecData, null, pass); + } else { +@@ -511,7 +518,7 @@ public class SecurityDataProcessor { + if (dataType.equals(KeyRequestResource.SYMMETRIC_KEY_TYPE)) { + CMS.debug("SecurityDataProcessor.recover(): wrap or encrypt stored symmetric key with session key"); + try { +- if (allowEncDecrypt_recovery == true) { ++ if (encrypted) { + CMS.debug("SecurityDataProcessor.recover(): encrypt symmetric key with session key as per 
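Review bot: The decision now comes from the key record's encrypted flag, but the debug lines kept as context still say `"... as per allowEncDecrypt_recovery: true."`, which will be wrong for any record whose flag disagrees with the config value and misleads anyone reading the log during an incident. Something like `CMS.debug("Recover symmetric key by decrypting; key record encrypted=" + encrypted);` (and the same wording in the asymmetric and session-key branches of the following hunks) keeps the log truthful. recover() starts and ends outside the hunk.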
allowEncDecrypt_recovery: true."); + unwrappedSess = transportUnit.unwrap_session_key(ct, wrappedSessKey, + SymmetricKey.Usage.ENCRYPT, wrapParams); +@@ -559,7 +566,7 @@ public class SecurityDataProcessor { + } else if (dataType.equals(KeyRequestResource.ASYMMETRIC_KEY_TYPE)) { + CMS.debug("SecurityDataProcessor.recover(): wrap or encrypt stored private key with session key"); + try { +- if (allowEncDecrypt_recovery == true) { ++ if (encrypted) { + CMS.debug("SecurityDataProcessor.recover(): encrypt symmetric key."); + unwrappedSess = transportUnit.unwrap_session_key(ct, wrappedSessKey, + SymmetricKey.Usage.ENCRYPT, wrapParams); +@@ -599,7 +606,7 @@ public class SecurityDataProcessor { + params.put(IRequest.SECURITY_DATA_PL_WRAPPING_NAME, + wrapParams.getPayloadWrapAlgorithm().toString()); + +- if ((allowEncDecrypt_recovery == true) || (dataType.equals(KeyRequestResource.PASS_PHRASE_TYPE))) { ++ if (encrypted || dataType.equals(KeyRequestResource.PASS_PHRASE_TYPE)) { + params.put(IRequest.SECURITY_DATA_PL_WRAPPED, Boolean.toString(false)); + if (wrapParams.getPayloadEncryptionIV() != null) { + params.put(IRequest.SECURITY_DATA_IV_STRING_OUT, ivStr); +diff --git a/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java b/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java +index 67f4dc6..64f65a0 100644 +--- a/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java ++++ b/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java +@@ -433,9 +433,16 @@ public class TokenKeyRecoveryService implements IService { + } + } // else, searched by keyid, can't check + ++ Boolean encrypted = keyRecord.isEncrypted(); ++ if (encrypted == null) { ++ // must be an old key record ++ // assume the value of allowEncDecrypt ++ encrypted = allowEncDecrypt_recovery; ++ } ++ + Type keyType = PrivateKey.RSA; + byte wrapped[]; +- if (allowEncDecrypt_recovery == true) { ++ if (encrypted) { + // Unwrap the archived private key + byte privateKeyData[] = null; + privateKeyData = 
recoverKey(params, keyRecord); +@@ -493,7 +500,7 @@ public class TokenKeyRecoveryService implements IService { + privateKeyData, + EncryptionAlgorithm.DES3_CBC_PAD, + algParam); +- } else { //allowEncDecrypt_recovery == false ++ } else { //encrypted == false + PrivateKey privKey = recoverKey(params, keyRecord, allowEncDecrypt_recovery); + if (privKey == null) { + request.setExtData(IRequest.RESULT, Integer.valueOf(4)); +diff --git a/base/server/cmscore/src/com/netscape/cmscore/dbs/KeyRecord.java b/base/server/cmscore/src/com/netscape/cmscore/dbs/KeyRecord.java +index b082165..556c4a7 100644 +--- a/base/server/cmscore/src/com/netscape/cmscore/dbs/KeyRecord.java ++++ b/base/server/cmscore/src/com/netscape/cmscore/dbs/KeyRecord.java +@@ -504,4 +504,13 @@ public class KeyRecord implements IDBObj, IKeyRecord { + + return params; + } ++ ++ public Boolean isEncrypted() throws EBaseException { ++ String encrypted = (String) mMetaInfo.get(KeyRecordParser.OUT_PL_ENCRYPTED); ++ if (encrypted == null) ++ return null; ++ return Boolean.valueOf(encrypted); ++ } ++ ++ + } +-- +1.8.3.1 + diff --git a/SOURCES/pki-core-beta.patch b/SOURCES/pki-core-beta.patch new file mode 100644 index 0000000..6bcf558 --- /dev/null +++ b/SOURCES/pki-core-beta.patch 
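Review bot: The `else` branch is now taken because `encrypted` is false, yet the call inside it still passes the config flag, `recoverKey(params, keyRecord, allowEncDecrypt_recovery)`; if that third argument selects decrypt-versus-unwrap, an old-config/new-record mismatch would recover with the wrong mode. RecoveryService's equivalent branch passes a different value (`isRSA`), so the parameter's meaning is not visible from here; if it is the encryption mode, change the call to `recoverKey(params, keyRecord, encrypted)`, otherwise a comment naming the argument would prevent the same question next time. The surrounding method starts outside the hunk.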
@@ -0,0 +1,13101 @@ +From d4e83335d5ac6a6b39bf5abaa26075a9ec86f6b7 Mon Sep 17 00:00:00 2001 +From: Christian Heimes +Date: Tue, 18 Apr 2017 08:09:00 +0200 +Subject: [PATCH 01/49] Spawn a CA and KRA on Travis + +Travis CI tests are now using a systemd container to install and run a +389-DS, CA and KRA instance. + +Change-Id: Ibc7d1a6b1e218492a84e88d4339de34b1eb58c7c +--- + .travis.test | 31 ----------------------------- + .travis.yml | 51 +++++++++++++++++++++++++++++++++++++++--------- + .travis/00-init | 36 ++++++++++++++++++++++++++++++++++ + .travis/10-compose-rpms | 31 +++++++++++++++++++++++++++++ + .travis/20-install-rpms | 6 ++++++ + .travis/30-setup-389ds | 12 ++++++++++++ + .travis/40-spawn-ca | 9 +++++++++ + .travis/50-spawn-kra | 9 +++++++++ + .travis/pki.cfg | 52 +++++++++++++++++++++++++++++++++++++++++++++++++ + 9 files changed, 197 insertions(+), 40 deletions(-) + delete mode 100755 .travis.test + create mode 100755 .travis/00-init + create mode 100755 .travis/10-compose-rpms + create mode 100755 .travis/20-install-rpms + create mode 100755 .travis/30-setup-389ds + create mode 100755 .travis/40-spawn-ca + create mode 100755 .travis/50-spawn-kra + create mode 100644 .travis/pki.cfg + +diff --git a/.travis.test b/.travis.test +deleted file mode 100755 +index ca81022..0000000 +--- a/.travis.test ++++ /dev/null +@@ -1,31 +0,0 @@ +-#!/bin/bash +-set -ex +- +-WORKDIR="${BUILDDIR:-/tmp/builddir}" +-BUILDUSER=builduser +-BUILDUSER_UID=${UID:-1000} +-BUILDUSER_GID=${GID:-1000} +- +-. 
/etc/os-release +- +-echo "$NAME $VERSION $1" +- +-## compose_pki_core_packages doesn't run as root, create a build user +-groupadd --non-unique -g $BUILDUSER_GID ${BUILDUSER} +-useradd --non-unique -u $BUILDUSER_UID -g $BUILDUSER_GID ${BUILDUSER} +- +-## chown workdir and enter pki dir +-chown ${BUILDUSER}:${BUILDUSER} ${WORKDIR} +-cd ${WORKDIR}/pki +- +-## prepare additional build dependencies +-dnf copr -y enable @pki/10.4 +-dnf builddep -y ./specs/pki-core.spec +- +-# update, container might be outdated +-dnf update -y +- +-## run tox and build +-# run make with --quiet to reduce log verbosity. Travis CI has a log limit +-# of 10,000 lines. +-sudo -u ${BUILDUSER} MAKEFLAGS="-j2 --quiet" -s -- ./scripts/compose_pki_core_packages rpms +diff --git a/.travis.yml b/.travis.yml +index 2e1a69f..b443118 100644 +--- a/.travis.yml ++++ b/.travis.yml +@@ -5,16 +5,49 @@ services: + - docker + + env: +- - CONTAINER=dogtagpki/pki-ci-containers:f25_104 +- - CONTAINER=dogtagpki/pki-ci-containers:f26_104 +- - CONTAINER=dogtagpki/pki-ci-containers:rawhide ++ global: ++ - CONTAINER=pkitest ++ - SCRIPTDIR=/tmp/workdir/pki/.travis ++ matrix: ++ - IMAGE=dogtagpki/pki-ci-containers:f25_104 ++ # F26 repo is unstable ++ # - IMAGE=dogtagpki/pki-ci-containers:f26_104 ++ # rawhide repo is unstable ++ # - IMAGE=dogtagpki/pki-ci-containers:rawhide + +-script: +- - docker pull $CONTAINER ++before_install: ++ - docker pull ${IMAGE} + - > + docker run ++ --detach ++ --name=${CONTAINER} ++ --hostname='pki.test' ++ --privileged ++ --tmpfs /tmp ++ --tmpfs /run ++ -v /sys/fs/cgroup:/sys/fs/cgroup:ro + -v $(pwd):/tmp/workdir/pki +- -e UID=$(id -u) +- -e GID=$(id -g) +- $CONTAINER +- /tmp/workdir/pki/.travis.test $CONTAINER ++ -e BUILDUSER_UID=$(id -u) ++ -e BUILDUSER_GID=$(id -g) ++ -e TRAVIS=${TRAVIS} ++ -e TRAVIS_JOB_NUMBER=${TRAVIS_JOB_NUMBER} ++ -ti ++ ${IMAGE} ++ - docker ps -a ++ ++install: ++ - docker exec -ti ${CONTAINER} ${SCRIPTDIR}/00-init ++ - docker exec -ti ${CONTAINER} 
${SCRIPTDIR}/10-compose-rpms ++ - docker exec -ti ${CONTAINER} ${SCRIPTDIR}/20-install-rpms ++ - docker exec -ti ${CONTAINER} ${SCRIPTDIR}/30-setup-389ds ++ ++script: ++ - docker exec -ti ${CONTAINER} ${SCRIPTDIR}/40-spawn-ca ++ - docker exec -ti ${CONTAINER} ${SCRIPTDIR}/50-spawn-kra ++ ++after_script: ++ - docker kill ${CONTAINER} ++ - docker rm ${CONTAINER} ++ ++after_failure: ++ - journalctl -l +diff --git a/.travis/00-init b/.travis/00-init +new file mode 100755 +index 0000000..1b5aa53 +--- /dev/null ++++ b/.travis/00-init +@@ -0,0 +1,36 @@ ++#!/bin/bash ++set -e ++ ++. /etc/os-release ++ ++echo "$NAME $VERSION" ++ ++if test -z "${BUILDDIR}" || ! test -d "${BUILDDIR}"; then ++ echo "BUILDDIR not set or ${BUILDDIR} is not a directory." ++ exit 1 ++fi ++ ++if test -z "${BUILDUSER}" -o -z "${BUILDUSER_UID}" -o -z "${BUILDUSER_GID}"; then ++ echo "BUILDUSER, BUILDUSER_UID, BUILDUSER_GID not set" ++ exit 2 ++fi ++ ++## compose_pki_core_packages doesn't run as root, create a build user ++groupadd --non-unique -g ${BUILDUSER_GID} ${BUILDUSER} ++useradd --non-unique -u ${BUILDUSER_UID} -g ${BUILDUSER_GID} ${BUILDUSER} ++ ++## chown workdir and enter pki dir ++chown ${BUILDUSER}:${BUILDUSER} ${BUILDDIR} ++ ++# workaround for ++# [Errno 2] No such file or directory: '/var/cache/dnf/metadata_lock.pid' ++rm -f /var/cache/dnf/metadata_lock.pid ++dnf clean all ++dnf makecache || true ++dnf makecache ++ ++# update, container might be outdated ++dnf update -y ++ ++## prepare additional build dependencies ++dnf builddep -y ${BUILDDIR}/pki/specs/pki-core.spec +diff --git a/.travis/10-compose-rpms b/.travis/10-compose-rpms +new file mode 100755 +index 0000000..1e55548 +--- /dev/null ++++ b/.travis/10-compose-rpms +@@ -0,0 +1,31 @@ ++#!/bin/bash ++set -e ++ ++BUILDLOG=/tmp/compose.log ++ ++function compose { ++ pushd ${BUILDDIR}/pki ++ # run make with --quiet to reduce log verbosity. 
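Review bot: `--privileged` in the `docker run` line grants the container every capability and raw device access on the Travis host, which is what systemd-in-a-container usually needs, but it deserves a comment so the flag is not copied elsewhere: `# --privileged is required for systemd inside the container; CI only, never reuse for production images`. The `-ti` flags allocate a TTY for a detached, non-interactive job and can be dropped if the exec steps work without them.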
++ sudo -u ${BUILDUSER} MAKEFLAGS="-j2 --quiet" -- \ ++ ./scripts/compose_pki_core_packages rpms ++ popd ++} ++ ++function upload { ++ if test -f $BUILDLOG; then ++ echo "Uploading build log to transfer" ++ curl --upload-file $BUILDLOG https://transfer.sh/pkitravis.txt ++ fi ++} ++ ++if test "${TRAVIS}" != "true"; then ++ compose ++else ++ trap upload EXIT ++ echo "Runing compose_pki_core_packages rpms." ++ echo "Build log will be posted to transfer.sh" ++ echo $(date) > $BUILDLOG ++ echo "Travis job ${TRAVIS_JOB_NUMBER}" >> $BUILDLOG ++ compose >>$BUILDLOG 2>&1 ++fi ++ +diff --git a/.travis/20-install-rpms b/.travis/20-install-rpms +new file mode 100755 +index 0000000..186efb8 +--- /dev/null ++++ b/.travis/20-install-rpms +@@ -0,0 +1,6 @@ ++#!/bin/bash ++set -e ++ ++find ${BUILDDIR}/packages/RPMS/ -name '*.rpm' -and -not -name '*debuginfo*' \ ++ | xargs dnf install -y --best --allowerasing ++ +diff --git a/.travis/30-setup-389ds b/.travis/30-setup-389ds +new file mode 100755 +index 0000000..cc16573 +--- /dev/null ++++ b/.travis/30-setup-389ds +@@ -0,0 +1,12 @@ ++#!/bin/bash ++set -e ++ ++setup-ds.pl \ ++ --silent \ ++ slapd.ServerIdentifier="pkitest" \ ++ General.SuiteSpotUserID=nobody \ ++ General.SuiteSpotGroup=nobody \ ++ slapd.ServerPort=389 \ ++ slapd.Suffix="dc=pki,dc=test" \ ++ slapd.RootDN="cn=Directory Manager" \ ++ slapd.RootDNPwd="DMSecret.123" +diff --git a/.travis/40-spawn-ca b/.travis/40-spawn-ca +new file mode 100755 +index 0000000..9986698 +--- /dev/null ++++ b/.travis/40-spawn-ca +@@ -0,0 +1,9 @@ ++#!/bin/bash ++set -e ++ ++pkispawn -v -f ${BUILDDIR}/pki/.travis/pki.cfg -s CA ++ ++echo "Waiting for port 8080" ++for i in {1..20}; do ++ curl http://localhost:8080 && break || sleep 1 ++done +diff --git a/.travis/50-spawn-kra b/.travis/50-spawn-kra +new file mode 100755 +index 0000000..80cb039 +--- /dev/null ++++ b/.travis/50-spawn-kra +@@ -0,0 +1,9 @@ ++#!/bin/bash ++set -e ++ ++pkispawn -v -f ${BUILDDIR}/pki/.travis/pki.cfg -s KRA ++ ++echo "Waiting 
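Review bot: The `upload` trap sends the whole build log to `https://transfer.sh/pkitravis.txt`, an unauthenticated public host with a fixed filename, so anything that lands in compose output (environment dumps, paths, credentials echoed by a failing script) becomes publicly retrievable. Uploading only on failure limits the exposure; at minimum use `curl --fail --upload-file "$BUILDLOG" ...` so a failed upload is not silently reported as success, and add a comment noting that the log is public. `pushd ${BUILDDIR}/pki` should also quote the variable, since `set -e` will not save the script from a path with spaces.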
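Review bot: The readiness loop `for i in {1..20}; do curl http://localhost:8080 && break || sleep 1; done` exits the script with status 0 even when the CA never answers, because `set -e` does not apply inside an `&&`/`||` list and nothing checks the outcome after the loop, so a broken pkispawn result still produces a green build. Add a final check such as `curl -sf http://localhost:8080 >/dev/null || { echo "CA did not come up"; exit 1; }`, and the same in 50-spawn-kra.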
for port 8080" ++for i in {1..20}; do ++ curl http://localhost:8080 && break || sleep 1 ++done +diff --git a/.travis/pki.cfg b/.travis/pki.cfg +new file mode 100644 +index 0000000..a168822 +--- /dev/null ++++ b/.travis/pki.cfg +@@ -0,0 +1,52 @@ ++# based on ++# https://fedorapeople.org/cgit/edewata/public_git/pki-dev.git/tree/scripts/ca.cfg ++# https://fedorapeople.org/cgit/edewata/public_git/pki-dev.git/tree/scripts/kra.cfg ++ ++[DEFAULT] ++pki_instance_name=pkitest ++pki_https_port=8443 ++pki_http_port=8080 ++pki_master_https_port=8443 ++pki_security_domain_https_port=8443 ++pki_ds_bind_dn=cn=Directory Manager ++pki_ds_ldap_port=389 ++pki_ds_password=DMSecret.123 ++pki_backup_keys=True ++pki_backup_password=Secret.123 ++pki_client_database_password=Secret.123 ++pki_client_database_purge=False ++pki_client_pkcs12_password=Secret.123 ++pki_clone_pkcs12_password=Secret.123 ++pki_security_domain_name=pkitest ++pki_security_domain_user=caadmin ++pki_security_domain_password=Secret.123 ++pki_token_password=Secret123 ++ ++[CA] ++pki_admin_email=caadmin@pki.test ++pki_admin_name=caadmin ++pki_admin_nickname=caadmin ++pki_admin_password=Secret.123 ++pki_admin_uid=caadmin ++pki_ds_base_dn=dc=ca,dc=pki,dc=test ++pki_ds_database=ca ++ ++[KRA] ++pki_admin_cert_file=/root/.dogtag/pkitest/ca_admin.cert ++pki_admin_email=kraadmin@pki.test ++pki_admin_name=kraadmin ++pki_admin_nickname=kraadmin ++pki_admin_password=Secret.123 ++pki_admin_uid=kraadmin ++pki_ds_base_dn=dc=kra,dc=pki,dc=test ++pki_ds_database=kra ++ ++[OCSP] ++pki_admin_cert_file=/root/.dogtag/pkitest/ca_admin.cert ++pki_admin_email=ocspadmin@pki.test ++pki_admin_name=ocspadmin ++pki_admin_nickname=ocspadmin ++pki_admin_password=Secret.123 ++pki_admin_uid=ocspadmin ++pki_ds_base_dn=dc=ocsp,dc=pki,dc=test ++pki_ds_database=ocsp +-- +1.8.3.1 + + +From 08edc86f8397543f308818458a320fbbef06c90d Mon Sep 17 00:00:00 2001 +From: Christian Heimes +Date: Tue, 18 Apr 2017 16:24:53 +0200 +Subject: [PATCH 02/49] Get journald 
output from test container + +Change-Id: Ibc16a49b4a03524fb62ddb33326a36ffa0b0389f +Signed-off-by: Christian Heimes +--- + .travis.yml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/.travis.yml b/.travis.yml +index b443118..2714bbc 100644 +--- a/.travis.yml ++++ b/.travis.yml +@@ -50,4 +50,4 @@ after_script: + - docker rm ${CONTAINER} + + after_failure: +- - journalctl -l ++ - docker exec -ti ${CONTAINER} journalctl -l +-- +1.8.3.1 + + +From 749c137b59a9725a4cacdcd191b7e931303981df Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Mon, 17 Apr 2017 18:35:56 +0200 +Subject: [PATCH 03/49] Fixed missing IP addresses and subject ID in audit log. + +The PKIServerSocketListener has been modified to use WeakHashMap +to store socket info that might not be available after the socket +has been closed. + +https://pagure.io/dogtagpki/issue/2642 + +Change-Id: I7e86a9bbc46e7bba4cec36664780c52bf0e88416 +--- + .../dogtagpki/server/PKIServerSocketListener.java | 104 +++++++++++++-------- + 1 file changed, 66 insertions(+), 38 deletions(-) + +diff --git a/base/server/cms/src/org/dogtagpki/server/PKIServerSocketListener.java b/base/server/cms/src/org/dogtagpki/server/PKIServerSocketListener.java +index 093776f..d742317 100644 +--- a/base/server/cms/src/org/dogtagpki/server/PKIServerSocketListener.java ++++ b/base/server/cms/src/org/dogtagpki/server/PKIServerSocketListener.java +@@ -19,6 +19,9 @@ package org.dogtagpki.server; + + import java.net.InetAddress; + import java.security.Principal; ++import java.util.HashMap; ++import java.util.Map; ++import java.util.WeakHashMap; + + import org.mozilla.jss.crypto.X509Certificate; + import org.mozilla.jss.ssl.SSLAlertDescription; +@@ -38,6 +41,15 @@ public class PKIServerSocketListener implements SSLSocketListener { + + private static Logger logger = LoggerFactory.getLogger(PKIServerSocketListener.class); + ++ /** ++ * The socketInfos map is a storage for socket information that may not be available ++ * after 
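Review bot: `docker exec -ti ${CONTAINER} journalctl -l` allocates a pseudo-TTY for a non-interactive log dump, and journalctl runs its output through a pager when it sees a terminal, so the after_failure step can hang or print nothing useful instead of the journal. Use `docker exec ${CONTAINER} journalctl -l --no-pager` (or export `SYSTEMD_PAGER=`); `-i` is also unnecessary because nothing is written to the container's stdin.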
the socket has been closed such as client IP address and subject ID. The ++ * WeakHashMap is used here to allow the map key (i.e. the socket object) to be ++ * garbage-collected since there is no guarantee that socket will be closed with an ++ * SSL alert for a proper map entry removal. ++ */ ++ Map> socketInfos = new WeakHashMap<>(); ++ + @Override + public void alertReceived(SSLAlertEvent event) { + try { +@@ -57,9 +69,10 @@ public class PKIServerSocketListener implements SSLSocketListener { + String reason = SSLAlertDescription.valueOf(description).toString(); + + logger.debug("SSL alert received:"); +- logger.debug(" - client: " + clientAddress); +- logger.debug(" - server: " + serverAddress); + logger.debug(" - reason: " + reason); ++ logger.debug(" - client: " + clientIP); ++ logger.debug(" - server: " + serverIP); ++ logger.debug(" - subject: " + subjectID); + + IAuditor auditor = CMS.getAuditor(); + +@@ -73,7 +86,7 @@ public class PKIServerSocketListener implements SSLSocketListener { + auditor.log(auditMessage); + + } catch (Exception e) { +- e.printStackTrace(); ++ logger.error(e.getMessage(), e); + } + } + +@@ -82,51 +95,59 @@ public class PKIServerSocketListener implements SSLSocketListener { + try { + SSLSocket socket = event.getSocket(); + +- InetAddress clientAddress = socket.getInetAddress(); +- InetAddress serverAddress = socket.getLocalAddress(); +- String clientIP = clientAddress == null ? "" : clientAddress.getHostAddress(); +- String serverIP = serverAddress == null ? "" : serverAddress.getHostAddress(); +- +- SSLSecurityStatus status = socket.getStatus(); +- X509Certificate peerCertificate = status.getPeerCertificate(); +- Principal subjectDN = peerCertificate == null ? null : peerCertificate.getSubjectDN(); +- String subjectID = subjectDN == null ? 
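Review bot: `socketInfos` is a bare `WeakHashMap`, which is not safe for concurrent use, yet it is written from `handshakeCompleted` and read from `alertSent`; if JSS invokes these listener callbacks on per-connection threads, as seems likely for a server socket listener, concurrent puts can corrupt the table. Wrap it at construction, e.g. `Map<SSLSocket, Map<String, Object>> socketInfos = Collections.synchronizedMap(new WeakHashMap<>());` (the generic type is garbled in this rendering and is inferred from the Javadoc and the casts in `alertSent`), and add `import java.util.Collections;` to the import hunk of this patch. The Javadoc should also state explicitly that a lookup may miss, since it already admits entries can be collected before the close alert arrives.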
"" : subjectDN.toString(); +- + int description = event.getDescription(); + String reason = SSLAlertDescription.valueOf(description).toString(); + +- logger.debug("SSL alert sent:"); +- logger.debug(" - client: " + clientAddress); +- logger.debug(" - server: " + serverAddress); +- logger.debug(" - reason: " + reason); +- +- IAuditor auditor = CMS.getAuditor(); ++ String eventType; ++ String clientIP; ++ String serverIP; ++ String subjectID; + + if (description == SSLAlertDescription.CLOSE_NOTIFY.getID()) { + +- String auditMessage = CMS.getLogMessage( +- AuditEvent.ACCESS_SESSION_TERMINATED, +- clientIP, +- serverIP, +- subjectID, +- reason); ++ eventType = AuditEvent.ACCESS_SESSION_TERMINATED; + +- auditor.log(auditMessage); ++ // get socket info from socketInfos map since socket has been closed ++ Map info = socketInfos.get(socket); ++ clientIP = (String)info.get("clientIP"); ++ serverIP = (String)info.get("serverIP"); ++ subjectID = (String)info.get("subjectID"); + + } else { + +- String auditMessage = CMS.getLogMessage( +- AuditEvent.ACCESS_SESSION_ESTABLISH_FAILURE, +- clientIP, +- serverIP, +- subjectID, +- reason); ++ eventType = AuditEvent.ACCESS_SESSION_ESTABLISH_FAILURE; + +- auditor.log(auditMessage); ++ // get socket info from the socket itself ++ InetAddress clientAddress = socket.getInetAddress(); ++ InetAddress serverAddress = socket.getLocalAddress(); ++ clientIP = clientAddress == null ? "" : clientAddress.getHostAddress(); ++ serverIP = serverAddress == null ? "" : serverAddress.getHostAddress(); ++ ++ SSLSecurityStatus status = socket.getStatus(); ++ X509Certificate peerCertificate = status.getPeerCertificate(); ++ Principal subjectDN = peerCertificate == null ? null : peerCertificate.getSubjectDN(); ++ subjectID = subjectDN == null ? 
"" : subjectDN.toString(); + } + ++ logger.debug("SSL alert sent:"); ++ logger.debug(" - reason: " + reason); ++ logger.debug(" - client: " + clientIP); ++ logger.debug(" - server: " + serverIP); ++ logger.debug(" - subject: " + subjectID); ++ ++ IAuditor auditor = CMS.getAuditor(); ++ ++ String auditMessage = CMS.getLogMessage( ++ eventType, ++ clientIP, ++ serverIP, ++ subjectID, ++ reason); ++ ++ auditor.log(auditMessage); ++ + } catch (Exception e) { +- e.printStackTrace(); ++ logger.error(e.getMessage(), e); + } + } + +@@ -146,9 +167,16 @@ public class PKIServerSocketListener implements SSLSocketListener { + String subjectID = subjectDN == null ? "" : subjectDN.toString(); + + logger.debug("Handshake completed:"); +- logger.debug(" - client: " + clientAddress); +- logger.debug(" - server: " + serverAddress); +- logger.debug(" - subject: " + subjectDN); ++ logger.debug(" - client: " + clientIP); ++ logger.debug(" - server: " + serverIP); ++ logger.debug(" - subject: " + subjectID); ++ ++ // store socket info in socketInfos map ++ Map info = new HashMap<>(); ++ info.put("clientIP", clientIP); ++ info.put("serverIP", serverIP); ++ info.put("subjectID", subjectID); ++ socketInfos.put(socket, info); + + IAuditor auditor = CMS.getAuditor(); + +@@ -161,7 +189,7 @@ public class PKIServerSocketListener implements SSLSocketListener { + auditor.log(auditMessage); + + } catch (Exception e) { +- e.printStackTrace(); ++ logger.error(e.getMessage(), e); + } + } + } +-- +1.8.3.1 + + +From 786d40f231f3636db381a835ce78904362ea72d0 Mon Sep 17 00:00:00 2001 +From: Fraser Tweedale +Date: Thu, 2 Mar 2017 16:32:21 +1000 +Subject: [PATCH 04/49] CMS.getLogMessage: escape format elements in arguments + +CMS.getLogMessage performs message formatting via MessageFormat, +then the message gets logged via a Logger. The Logger also performs +message formatting via MessageFormat. If the formatted log message +contains '{' or '}' (e.g. 
if it contains JSON) the MessageFormat +implementation interprets these as FormatElement delimiters and +parsing fails. + +Update CMS.getLogMessage() to scan arguments for unsafe characters +and if found, escape the whole message so that subsequent logging +will succeed. + +Part of: https://pagure.io/dogtagpki/issue/1359 +--- + .../src/com/netscape/cmscore/apps/CMSEngine.java | 20 +++++++++++++++++++- + 1 file changed, 19 insertions(+), 1 deletion(-) + +diff --git a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java +index ef9a6a2..94a0783 100644 +--- a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java ++++ b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java +@@ -1592,7 +1592,25 @@ public class CMSEngine implements ICMSEngine { + return msg; + MessageFormat mf = new MessageFormat(msg); + +- return mf.format(params); ++ Object escapedParams[] = new Object[params.length]; ++ for (int i = 0; i < params.length; i++) { ++ if (params[i] instanceof String) ++ escapedParams[i] = escapeLogMessageParam((String) params[i]); ++ else ++ escapedParams[i] = params[i]; ++ } ++ ++ return mf.format(escapedParams); ++ } ++ ++ /** Quote a string for inclusion in a java.text.MessageFormat ++ */ ++ private String escapeLogMessageParam(String s) { ++ if (s == null) ++ return null; ++ if (s.contains("{") || s.contains("}")) ++ return "'" + s.replaceAll("'", "''") + "'"; ++ return s; + } + + public void debug(byte data[]) { +-- +1.8.3.1 + + +From a35c6cde1047e305142bec839b8953d90008c127 Mon Sep 17 00:00:00 2001 +From: Fraser Tweedale +Date: Tue, 7 Feb 2017 10:36:20 +1000 +Subject: [PATCH 05/49] Allow arbitrary user data in cert request + +If a certificate request comes with additional data in the +'cert-request' query param, add that to the request. Profile +components can then use this data. 
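Review bot: `escapeLogMessageParam` only quotes a parameter that contains `{` or `}`, so a value holding an apostrophe but no braces — a subject DN such as `O'Brien`, which the audit events in this series pass as `subjectID` — reaches the Logger's second MessageFormat pass unescaped, where a lone `'` opens a quoted section and is silently dropped along with the pattern handling up to the next quote. Escape apostrophes unconditionally and only add the surrounding quotes when braces are present: `String q = s.replace("'", "''"); return (s.contains("{") || s.contains("}")) ? "'" + q + "'" : q;`. `replace` is also the right call here, since `replaceAll` treats its first argument as a regex. The enclosing `getLogMessage` begins outside the hunk.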
+ +This is needed to convey the subject principal name to the +ExternalProcessConstraint, when validating FreeIPA certificate +requests after we switch to GSS-API authentication. + +Part of: https://pagure.io/dogtagpki/issue/1359 +--- + base/common/src/com/netscape/certsrv/profile/IEnrollProfile.java | 5 +++++ + base/common/src/com/netscape/certsrv/request/IRequest.java | 5 +++++ + .../cms/src/com/netscape/cms/profile/common/EnrollProfile.java | 3 +++ + .../cms/src/com/netscape/cms/servlet/cert/EnrollmentProcessor.java | 5 +++++ + 4 files changed, 18 insertions(+) + +diff --git a/base/common/src/com/netscape/certsrv/profile/IEnrollProfile.java b/base/common/src/com/netscape/certsrv/profile/IEnrollProfile.java +index 1266712..34543cb 100644 +--- a/base/common/src/com/netscape/certsrv/profile/IEnrollProfile.java ++++ b/base/common/src/com/netscape/certsrv/profile/IEnrollProfile.java +@@ -180,6 +180,11 @@ public interface IEnrollProfile extends IProfile { + public static final String REQUEST_AUTHORITY_ID = "req_authority_id"; + + /** ++ * Arbitrary user-supplied data. ++ */ ++ public static final String REQUEST_USER_DATA = "req_user_data"; ++ ++ /** + * Set Default X509CertInfo in the request. + * + * @param request profile-based certificate request. +diff --git a/base/common/src/com/netscape/certsrv/request/IRequest.java b/base/common/src/com/netscape/certsrv/request/IRequest.java +index a57f08e..cfc4ca0 100644 +--- a/base/common/src/com/netscape/certsrv/request/IRequest.java ++++ b/base/common/src/com/netscape/certsrv/request/IRequest.java +@@ -96,6 +96,11 @@ public interface IRequest extends Serializable { + */ + public static final String AUTHORITY_ID = "req_authority_id"; + ++ /** ++ * Arbitrary user-supplied data that will be saved in request. ++ */ ++ public static final String USER_DATA = "user_data"; ++ + public static final String RESULT = "Result"; // service result. 
+ public static final Integer RES_SUCCESS = Integer.valueOf(1); // result value + public static final Integer RES_ERROR = Integer.valueOf(2); // result value +diff --git a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java +index 5f7b0ef..1c44e2c 100644 +--- a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java ++++ b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java +@@ -221,6 +221,9 @@ public abstract class EnrollProfile extends BasicProfile + + // set requested CA + result[i].setExtData(IRequest.AUTHORITY_ID, ctx.get(REQUEST_AUTHORITY_ID)); ++ ++ // set user data ++ result[i].setExtData(IRequest.USER_DATA, ctx.get(REQUEST_USER_DATA)); + } + return result; + } +diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollmentProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollmentProcessor.java +index d394fd3..908cbe4 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollmentProcessor.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollmentProcessor.java +@@ -147,6 +147,11 @@ public class EnrollmentProcessor extends CertProcessor { + + IProfileContext ctx = profile.createContext(); + ++ // set arbitrary user data into request, if any ++ String userData = request.getParameter("user-data"); ++ if (userData != null) ++ ctx.set(IEnrollProfile.REQUEST_USER_DATA, userData); ++ + if (aid != null) + ctx.set(IEnrollProfile.REQUEST_AUTHORITY_ID, aid.toString()); + +-- +1.8.3.1 + + +From f67071910c6b74790f7ad75329f05e599076dee4 Mon Sep 17 00:00:00 2001 +From: Fraser Tweedale +Date: Wed, 8 Feb 2017 11:55:13 +1000 +Subject: [PATCH 06/49] CertProcessor: set external principal attributes into + request + +When processing a certificate request, if the authenticated +principal is an ExternalPrincipal, add its whole attribute map to +the IRequest. 
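Review bot: The new `IRequest.USER_DATA` key is `"user_data"`, while the neighbouring `AUTHORITY_ID` uses the `req_` prefix (`"req_authority_id"`) and the matching `IEnrollProfile.REQUEST_USER_DATA` added in this same patch is `"req_user_data"`; the mismatch makes the profile-context key and the stored request attribute easy to confuse when inspecting request records. Consider `public static final String USER_DATA = "req_user_data";` for consistency — nothing visible in this patch reads the key by its literal string.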
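Review bot: The new code reads the value with `request.getParameter("user-data")`, whereas the commit message says the data arrives in the `cert-request` query param; one of the two is wrong, and since `cert-request` appears to be the CSR parameter elsewhere, the code is probably right and the description should say `user-data`. Separately, the value is accepted with no length bound and is both persisted in the request record and, via `IRequest.USER_DATA`, later exported into a subprocess environment by the ExternalProcessConstraint patch in this series, so any enrollment client can store arbitrarily large blobs; consider rejecting oversized values with the same bad-request path the processor uses for other malformed input, e.g. `if (userData != null && userData.length() > MAX_USER_DATA_LEN) throw ...`.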
This provides a way for AJP request attributes to be +propagated through the profile system to profile components like +ExternalProcessConstraint. One such attribute that is needed for +GSS-API support is "KRB5CCNAME". + +Part of: https://pagure.io/dogtagpki/issue/1359 +--- + .../netscape/cms/servlet/cert/CertProcessor.java | 21 +++++++++++++++++++++ + 1 file changed, 21 insertions(+) + +diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java +index 0534f90..156060a 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java +@@ -18,6 +18,7 @@ + package com.netscape.cms.servlet.cert; + + import java.math.BigInteger; ++import java.security.Principal; + import java.util.Date; + import java.util.Enumeration; + import java.util.HashMap; +@@ -26,6 +27,7 @@ import java.util.Locale; + import javax.servlet.http.HttpServletRequest; + + import com.netscape.certsrv.apps.CMS; ++import com.netscape.certsrv.authentication.ExternalAuthToken; + import com.netscape.certsrv.authentication.IAuthToken; + import com.netscape.certsrv.base.EBaseException; + import com.netscape.certsrv.base.EPropertyNotFound; +@@ -46,6 +48,7 @@ import com.netscape.certsrv.request.RequestId; + import com.netscape.certsrv.request.RequestStatus; + import com.netscape.cms.servlet.common.AuthCredentials; + import com.netscape.cms.servlet.processors.CAProcessor; ++import com.netscape.cms.tomcat.ExternalPrincipal; + import com.netscape.cmsutil.ldap.LDAPUtil; + + public class CertProcessor extends CAProcessor { +@@ -139,6 +142,24 @@ public class CertProcessor extends CAProcessor { + } + } + } ++ ++ // special processing of ExternalAuthToken / ExternalPrincipal ++ if (authToken instanceof ExternalAuthToken) { ++ Principal principal = ++ ((ExternalAuthToken) authToken).getPrincipal(); ++ if (principal instanceof 
ExternalPrincipal) { ++ HashMap m = ++ ((ExternalPrincipal) principal).getAttributes(); ++ for (String k : m.keySet()) { ++ req.setExtData( ++ IRequest.AUTH_TOKEN_PREFIX ++ + "." + "PRINCIPAL" ++ + "." + k ++ , m.get(k).toString() ++ ); ++ } ++ } ++ } + } + + /* +-- +1.8.3.1 + + +From dcc42ad4ed7fcbc566b7cf7ce1cbfae93b24a9a9 Mon Sep 17 00:00:00 2001 +From: Fraser Tweedale +Date: Wed, 7 Dec 2016 15:24:07 +1000 +Subject: [PATCH 07/49] Add ExternalProcessConstraint for request validation + +Add the ExternalProcessConstraint profile policy constraint class. +It can be configured to execute an arbitrary program that performs +additional request validation, rejecting the request if it +terminates with a nonzero exit status. Information about the +request is conveyed in the subprocess' environment. + +Part of: https://pagure.io/dogtagpki/issue/1359 +--- + base/ca/shared/conf/registry.cfg | 5 +- + .../constraint/ExternalProcessConstraint.java | 178 +++++++++++++++++++++ + .../04-AddExternalProcessConstraintToRegistry | 67 ++++++++ + 3 files changed, 249 insertions(+), 1 deletion(-) + create mode 100644 base/server/cms/src/com/netscape/cms/profile/constraint/ExternalProcessConstraint.java + create mode 100755 base/server/upgrade/10.4.0/04-AddExternalProcessConstraintToRegistry + +diff --git a/base/ca/shared/conf/registry.cfg b/base/ca/shared/conf/registry.cfg +index 280c713..2855b7a 100644 +--- a/base/ca/shared/conf/registry.cfg ++++ b/base/ca/shared/conf/registry.cfg +@@ -1,5 +1,5 @@ + types=profile,defaultPolicy,constraintPolicy,profileInput,profileOutput,profileUpdater 
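Review bot: `m.get(k).toString()` throws a NullPointerException for any attribute whose value is null, and because this runs during request setup the whole enrollment fails rather than that one attribute being skipped; iterate the entries instead, e.g. `for (Map.Entry<String, Object> e : m.entrySet()) { if (e.getValue() == null) continue; req.setExtData(IRequest.AUTH_TOKEN_PREFIX + ".PRINCIPAL." + e.getKey(), e.getValue().toString()); }` (the map's generic type is not visible in this rendering). The attribute names come straight from the external principal — AJP request attributes per the description — and are concatenated into the ext-data key unvalidated, so if `setExtData` rejects keys containing characters outside its allowed set, presumably by returning false, those attributes would be dropped silently; a debug log on that path would help diagnose missing `KRB5CCNAME`-style values. The enclosing method begins outside the hunk.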
+-constraintPolicy.ids=noConstraintImpl,subjectNameConstraintImpl,uniqueSubjectNameConstraintImpl,userSubjectNameConstraintImpl,validityConstraintImpl,keyUsageExtConstraintImpl,nsCertTypeExtConstraintImpl,extendedKeyUsageExtConstraintImpl,keyConstraintImpl,basicConstraintsExtConstraintImpl,extensionConstraintImpl,signingAlgConstraintImpl,uniqueKeyConstraintImpl,renewGracePeriodConstraintImpl,authzRealmConstraintImpl ++constraintPolicy.ids=noConstraintImpl,subjectNameConstraintImpl,uniqueSubjectNameConstraintImpl,userSubjectNameConstraintImpl,validityConstraintImpl,keyUsageExtConstraintImpl,nsCertTypeExtConstraintImpl,extendedKeyUsageExtConstraintImpl,keyConstraintImpl,basicConstraintsExtConstraintImpl,extensionConstraintImpl,signingAlgConstraintImpl,uniqueKeyConstraintImpl,renewGracePeriodConstraintImpl,authzRealmConstraintImpl,externalProcessConstraintImpl + constraintPolicy.signingAlgConstraintImpl.class=com.netscape.cms.profile.constraint.SigningAlgConstraint + constraintPolicy.signingAlgConstraintImpl.desc=Signing Algorithm Constraint + constraintPolicy.signingAlgConstraintImpl.name=Signing Algorithm Constraint +@@ -45,6 +45,9 @@ constraintPolicy.renewGracePeriodConstraintImpl.name=Renewal Grace Period Constr + constraintPolicy.uniqueKeyConstraintImpl.class=com.netscape.cms.profile.constraint.UniqueKeyConstraint + constraintPolicy.uniqueKeyConstraintImpl.desc=Unique Public Key Constraint + constraintPolicy.uniqueKeyConstraintImpl.name=Unique Public Key Constraint ++constraintPolicy.externalProcessConstraintImpl.class=com.netscape.cms.profile.constraint.ExternalProcessConstraint ++constraintPolicy.externalProcessConstraintImpl.desc=External Process Constraint ++constraintPolicy.externalProcessConstraintImpl.name=External Process Constraint + 
defaultPolicy.ids=noDefaultImpl,genericExtDefaultImpl,autoAssignDefaultImpl,subjectNameDefaultImpl,validityDefaultImpl,randomizedValidityDefaultImpl,caValidityDefaultImpl,subjectKeyIdentifierExtDefaultImpl,authorityKeyIdentifierExtDefaultImpl,basicConstraintsExtDefaultImpl,keyUsageExtDefaultImpl,nsCertTypeExtDefaultImpl,extendedKeyUsageExtDefaultImpl,ocspNoCheckExtDefaultImpl,issuerAltNameExtDefaultImpl,subjectAltNameExtDefaultImpl,userSubjectNameDefaultImpl,signingAlgDefaultImpl,userKeyDefaultImpl,userValidityDefaultImpl,userExtensionDefaultImpl,userSigningAlgDefaultImpl,authTokenSubjectNameDefaultImpl,subjectInfoAccessExtDefaultImpl,authInfoAccessExtDefaultImpl,nscCommentExtDefaultImpl,freshestCRLExtDefaultImpl,crlDistributionPointsExtDefaultImpl,policyConstraintsExtDefaultImpl,policyMappingsExtDefaultImpl,nameConstraintsExtDefaultImpl,certificateVersionDefaultImpl,certificatePoliciesExtDefaultImpl,subjectDirAttributesExtDefaultImpl,privateKeyPeriodExtDefaultImpl,inhibitAnyPolicyExtDefaultImpl,imageDefaultImpl,nsTokenDeviceKeySubjectNameDefaultImpl,nsTokenUserKeySubjectNameDefaultImpl,authzRealmDefaultImpl,commonNameToSANDefaultImpl + defaultPolicy.autoAssignDefaultImpl.class=com.netscape.cms.profile.def.AutoAssignDefault + defaultPolicy.autoAssignDefaultImpl.desc=Auto Request Assignment Default +diff --git a/base/server/cms/src/com/netscape/cms/profile/constraint/ExternalProcessConstraint.java b/base/server/cms/src/com/netscape/cms/profile/constraint/ExternalProcessConstraint.java +new file mode 100644 +index 0000000..8fb91ab +--- /dev/null ++++ b/base/server/cms/src/com/netscape/cms/profile/constraint/ExternalProcessConstraint.java +@@ -0,0 +1,178 @@ ++// --- BEGIN COPYRIGHT BLOCK --- ++// This program is free software; you can redistribute it and/or modify ++// it under the terms of the GNU General Public License as published by ++// the Free Software Foundation; version 2 of the License. 
++// ++// This program is distributed in the hope that it will be useful, ++// but WITHOUT ANY WARRANTY; without even the implied warranty of ++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++// GNU General Public License for more details. ++// ++// You should have received a copy of the GNU General Public License along ++// with this program; if not, write to the Free Software Foundation, Inc., ++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. ++// ++// (C) 2016, 2017 Red Hat, Inc. ++// All rights reserved. ++// --- END COPYRIGHT BLOCK --- ++ ++package com.netscape.cms.profile.constraint; ++ ++import java.io.IOException; ++import java.io.InputStream; ++import java.util.Enumeration; ++import java.util.Locale; ++import java.util.Map; ++import java.util.TreeMap; ++import java.util.concurrent.TimeUnit; ++ ++import org.apache.commons.io.IOUtils; ++ ++import com.netscape.certsrv.apps.CMS; ++import com.netscape.certsrv.authentication.IAuthToken; ++import com.netscape.certsrv.base.EBaseException; ++import com.netscape.certsrv.base.IConfigStore; ++import com.netscape.certsrv.profile.EProfileException; ++import com.netscape.certsrv.profile.ERejectException; ++import com.netscape.certsrv.profile.IProfile; ++import com.netscape.certsrv.property.Descriptor; ++import com.netscape.certsrv.property.IDescriptor; ++import com.netscape.certsrv.request.IRequest; ++import com.netscape.cms.profile.input.CertReqInput; ++ ++import netscape.security.x509.X509CertInfo; ++ ++ ++public class ExternalProcessConstraint extends EnrollConstraint { ++ ++ public static final String CONFIG_EXECUTABLE = "executable"; ++ public static final String CONFIG_TIMEOUT = "timeout"; ++ ++ public static final long DEFAULT_TIMEOUT = 10; ++ ++ /* Map of envvars to include, and the corresponding IRequest keys ++ * ++ * All keys will be prefixed with "DOGTAG_" when added to environment. 
++ */ ++ protected static final Map envVars = new TreeMap<>(); ++ ++ protected Map extraEnvVars = new TreeMap<>(); ++ ++ static { ++ envVars.put("DOGTAG_CERT_REQUEST", CertReqInput.VAL_CERT_REQUEST); ++ envVars.put("DOGTAG_USER", ++ IRequest.AUTH_TOKEN_PREFIX + "." + IAuthToken.USER_ID); ++ envVars.put("DOGTAG_PROFILE_ID", IRequest.PROFILE_ID); ++ envVars.put("DOGTAG_AUTHORITY_ID", IRequest.AUTHORITY_ID); ++ envVars.put("DOGTAG_USER_DATA", IRequest.USER_DATA); ++ } ++ ++ protected String executable; ++ protected long timeout; ++ ++ public ExternalProcessConstraint() { ++ addConfigName(CONFIG_EXECUTABLE); ++ addConfigName(CONFIG_TIMEOUT); ++ } ++ ++ public void init(IProfile profile, IConfigStore config) ++ throws EProfileException { ++ super.init(profile, config); ++ ++ this.executable = getConfig(CONFIG_EXECUTABLE); ++ if (this.executable == null || this.executable.isEmpty()) { ++ throw new EProfileException( ++ "Missing required config param 'executable'"); ++ } ++ ++ timeout = DEFAULT_TIMEOUT; ++ String timeoutConfig = getConfig(CONFIG_TIMEOUT); ++ if (this.executable != null && !this.executable.isEmpty()) { ++ try { ++ timeout = (new Integer(timeoutConfig)).longValue(); ++ } catch (NumberFormatException e) { ++ throw new EProfileException("Invalid timeout value", e); ++ } ++ if (timeout < 1) { ++ throw new EProfileException( ++ "Invalid timeout value: must be positive"); ++ } ++ } ++ ++ IConfigStore envConfig = config.getSubStore("params.env"); ++ Enumeration names = envConfig.getPropertyNames(); ++ while (names.hasMoreElements()) { ++ String name = names.nextElement(); ++ try { ++ extraEnvVars.put(name, envConfig.getString(name)); ++ } catch (EBaseException e) { ++ // shouldn't happen; log and move on ++ CMS.debug( ++ "ExternalProcessConstraint: caught exception processing " ++ + "'params.env' config: " + e ++ ); ++ ++ } ++ } ++ } ++ ++ public IDescriptor getConfigDescriptor(Locale locale, String name) { ++ if (name.equals(CONFIG_EXECUTABLE)) { ++ return new 
Descriptor( ++ IDescriptor.STRING, null, null, "Executable path"); ++ } else if (name.equals(CONFIG_TIMEOUT)) { ++ return new Descriptor( ++ IDescriptor.INTEGER, null, null, "Timeout in seconds"); ++ } else { ++ return null; ++ } ++ } ++ ++ public void validate(IRequest request, X509CertInfo info) ++ throws ERejectException { ++ CMS.debug("About to execute command: " + this.executable); ++ ProcessBuilder pb = new ProcessBuilder(this.executable); ++ ++ // set up process environment ++ Map env = pb.environment(); ++ for (String k : envVars.keySet()) { ++ String v = request.getExtDataInString(envVars.get(k)); ++ if (v != null) ++ env.put(k, v); ++ } ++ for (String k : extraEnvVars.keySet()) { ++ String v = request.getExtDataInString(extraEnvVars.get(k)); ++ if (v != null) ++ env.put(k, v); ++ } ++ ++ Process p; ++ String stdout = ""; ++ String stderr = ""; ++ boolean timedOut; ++ try { ++ p = pb.start(); ++ timedOut = !p.waitFor(timeout, TimeUnit.SECONDS); ++ if (timedOut) ++ p.destroyForcibly(); ++ else ++ stdout = IOUtils.toString(p.getInputStream()); ++ stderr = IOUtils.toString(p.getErrorStream()); ++ } catch (Throwable e) { ++ String msg = ++ "Caught exception while executing command: " + this.executable; ++ CMS.debug(msg); ++ CMS.debug(e); ++ throw new ERejectException(msg, e); ++ } ++ if (timedOut) ++ throw new ERejectException("Request validation timed out"); ++ int exitValue = p.exitValue(); ++ CMS.debug("ExternalProcessConstraint: exit value: " + exitValue); ++ CMS.debug("ExternalProcessConstraint: stdout: " + stdout); ++ CMS.debug("ExternalProcessConstraint: stderr: " + stderr); ++ if (exitValue != 0) ++ throw new ERejectException(stdout); ++ } ++ ++} +diff --git a/base/server/upgrade/10.4.0/04-AddExternalProcessConstraintToRegistry b/base/server/upgrade/10.4.0/04-AddExternalProcessConstraintToRegistry +new file mode 100755 +index 0000000..a9ee00a +--- /dev/null ++++ b/base/server/upgrade/10.4.0/04-AddExternalProcessConstraintToRegistry +@@ -0,0 +1,67 @@ 
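Review bot: In `init`, the timeout is parsed under `if (this.executable != null && !this.executable.isEmpty())`, a condition already guaranteed true two lines earlier; it should test `timeoutConfig`. As written, a profile that omits `timeout` reaches `new Integer(null)`, which throws NumberFormatException and becomes "Invalid timeout value", so `DEFAULT_TIMEOUT` is dead code and the parameter is effectively mandatory — change the guard to `if (timeoutConfig != null && !timeoutConfig.isEmpty())`. In `validate`, stdout and stderr are only read after `waitFor` returns, so a helper that emits more than the pipe buffer blocks on write, is reported as a timeout and is killed; either `pb.redirectErrorStream(true)` and drain the stream on a separate thread while waiting, or document that the executable must keep its output small. The comment on `envVars` says every key is prefixed with `DOGTAG_`, but `extraEnvVars` names are put into the environment verbatim, so a `params.env.PATH=...` entry would override the inherited `PATH`; either apply the prefix there or state in the comment that `params.env` names are used as-is.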
++#!/usr/bin/python ++# Authors: ++# Fraser Tweedale ++# ++# This program is free software; you can redistribute it and/or modify ++# it under the terms of the GNU General Public License as published by ++# the Free Software Foundation; version 2 of the License. ++# ++# This program is distributed in the hope that it will be useful, ++# but WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++# GNU General Public License for more details. ++# ++# You should have received a copy of the GNU General Public License along ++# with this program; if not, write to the Free Software Foundation, Inc., ++# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. ++# ++# Copyright (C) 2017 Red Hat, Inc. ++# All rights reserved. ++ ++from __future__ import absolute_import ++import os.path ++ ++import pki ++from pki.server.upgrade import PKIServerUpgradeScriptlet ++ ++ ++class AddExternalProcessConstraintToRegistry(PKIServerUpgradeScriptlet): ++ ++ new_config = { ++ 'constraintPolicy.externalProcessConstraintImpl.class': ++ 'com.netscape.cms.profile.constraint.ExternalProcessConstraint', ++ 'constraintPolicy.externalProcessConstraintImpl.desc': ++ 'External Process Constraint', ++ 'constraintPolicy.externalProcessConstraintImpl.name': ++ 'External Process Constraint', ++ } ++ ++ constraint_name = 'externalProcessConstraintImpl' ++ ++ def __init__(self): ++ super(AddExternalProcessConstraintToRegistry, self).__init__() ++ self.message = 'Add ExternalProcessConstraint to registry' ++ ++ def upgrade_subsystem(self, instance, subsystem): ++ if subsystem.name == 'ca': ++ self.add_new_entries(instance, subsystem) ++ ++ def add_new_entries(self, instance, subsystem): # pylint: disable=W0613 ++ filename = os.path.join(subsystem.conf_dir, 'registry.cfg') ++ self.backup(filename) ++ ++ properties = pki.PropertyFile(filename) ++ properties.read() ++ ++ # add constraint to constraint list ++ constraints = 
properties.get('constraintPolicy.ids').split(',') ++ if self.constraint_name in constraints: ++ return # update not required ++ ++ constraints.append(self.constraint_name) ++ properties.set('constraintPolicy.ids', ','.join(constraints)) ++ ++ for k, v in self.new_config.items(): ++ properties.set(k, v) ++ ++ properties.write() +-- +1.8.3.1 + + +From b099b631bb49e17e0aa4cd8c7a818ba1c923ec92 Mon Sep 17 00:00:00 2001 +From: Fraser Tweedale +Date: Wed, 8 Feb 2017 12:18:03 +1000 +Subject: [PATCH 08/49] Add authn manager that reuses auth token from session + +To process a cert request immediately (rather than having it queued +as pending), the user must be authenticated *by the profile*; auth +tokens from the main authentication system are not used. + +For external authentication support it is possible that the external +authentication is sufficient to authenticate use of a problem; +especially when the profile uses componenets like +ExternalProcessConstraint to perform validation of the cert request +against external sources of information. + +To support this use case, add the SessionAuthentication profile +authenticator, which merely reuses the IAuthToken from the session +context, if present. 
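Review bot: `properties.get('constraintPolicy.ids').split(',')` raises `AttributeError` if `registry.cfg` has no `constraintPolicy.ids` entry, assuming `PropertyFile.get` returns `None` for a missing key; the upgrade would then abort after the backup was already written. Handle the missing case explicitly, e.g. `raw = properties.get('constraintPolicy.ids'); constraints = raw.split(',') if raw else []`, or fail with a message naming the file. Moving `self.backup(filename)` below the early `return` would also avoid creating a backup on instances that need no change.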
+ +Part of: https://pagure.io/dogtagpki/issue/1359 +--- + base/ca/shared/conf/CS.cfg | 2 + + .../cms/authentication/SessionAuthentication.java | 167 +++++++++++++++++++++ + base/server/upgrade/10.4.1/.gitignore | 4 + + .../10.4.2/01-AddSessionAuthenticationPlugin | 51 +++++++ + 4 files changed, 224 insertions(+) + create mode 100644 base/server/cms/src/com/netscape/cms/authentication/SessionAuthentication.java + create mode 100644 base/server/upgrade/10.4.1/.gitignore + create mode 100755 base/server/upgrade/10.4.2/01-AddSessionAuthenticationPlugin + +diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg +index e800360..3923319 100644 +--- a/base/ca/shared/conf/CS.cfg ++++ b/base/ca/shared/conf/CS.cfg +@@ -175,6 +175,7 @@ auths.impl.UidPwdGroupDirAuth.class=com.netscape.cms.authentication.UidPwdGroupD + auths.impl.UserPwdDirAuth.class=com.netscape.cms.authentication.UserPwdDirAuthentication + auths.impl.TokenAuth.class=com.netscape.cms.authentication.TokenAuthentication + auths.impl.FlatFileAuth.class=com.netscape.cms.authentication.FlatFileAuth ++auths.impl.SessionAuthentication.class=com.netscape.cms.authentication.SessionAuthentication + auths.instance.TokenAuth.pluginName=TokenAuth + auths.instance.AgentCertAuth.agentGroup=Certificate Manager Agents + auths.instance.AgentCertAuth.pluginName=AgentCertAuth +@@ -183,6 +184,7 @@ auths.instance.raCertAuth.pluginName=AgentCertAuth + auths.instance.flatFileAuth.pluginName=FlatFileAuth + auths.instance.flatFileAuth.fileName=[PKI_INSTANCE_PATH]/conf/[PKI_SUBSYSTEM_TYPE]/flatfile.txt + auths.instance.SSLclientCertAuth.pluginName=SSLclientCertAuth ++auths.instance.SessionAuthentication.pluginName=SessionAuthentication + auths.revocationChecking.bufferSize=50 + auths.revocationChecking.ca=ca + auths.revocationChecking.enabled=true +diff --git a/base/server/cms/src/com/netscape/cms/authentication/SessionAuthentication.java b/base/server/cms/src/com/netscape/cms/authentication/SessionAuthentication.java +new 
file mode 100644 +index 0000000..27f08cd +--- /dev/null ++++ b/base/server/cms/src/com/netscape/cms/authentication/SessionAuthentication.java +@@ -0,0 +1,167 @@ ++// --- BEGIN COPYRIGHT BLOCK --- ++// This program is free software; you can redistribute it and/or modify ++// it under the terms of the GNU General Public License as published by ++// the Free Software Foundation; version 2 of the License. ++// ++// This program is distributed in the hope that it will be useful, ++// but WITHOUT ANY WARRANTY; without even the implied warranty of ++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++// GNU General Public License for more details. ++// ++// You should have received a copy of the GNU General Public License along ++// with this program; if not, write to the Free Software Foundation, Inc., ++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. ++// ++// (C) 2017 Red Hat, Inc. ++// All rights reserved. ++// --- END COPYRIGHT BLOCK --- ++ ++package com.netscape.cms.authentication; ++ ++import java.util.Collections; ++import java.util.Enumeration; ++import java.util.Locale; ++ ++import com.netscape.certsrv.apps.CMS; ++import com.netscape.certsrv.authentication.AuthToken; ++import com.netscape.certsrv.authentication.EMissingCredential; ++import com.netscape.certsrv.authentication.IAuthCredentials; ++import com.netscape.certsrv.authentication.IAuthToken; ++import com.netscape.certsrv.base.EBaseException; ++import com.netscape.certsrv.base.IConfigStore; ++import com.netscape.certsrv.base.SessionContext; ++import com.netscape.certsrv.profile.IProfile; ++import com.netscape.certsrv.profile.IProfileAuthenticator; ++import com.netscape.certsrv.property.IDescriptor; ++import com.netscape.certsrv.request.IRequest; ++ ++/** ++ * Pull any existing auth token from the session context. ++ * ++ * Use with caution as a profile authenticator; if there is a ++ * session it will unconditionally approve the request ++ * (subject to constraints, etc). 
++ */ ++public class SessionAuthentication ++ implements IProfileAuthenticator { ++ ++ private String instName = null; ++ private String implName = null; ++ private IConfigStore config = null; ++ ++ public SessionAuthentication() { ++ } ++ ++ public void init(String instName, String implName, IConfigStore config) ++ throws EBaseException { ++ this.instName = instName; ++ this.implName = implName; ++ this.config = config; ++ } ++ ++ /** ++ * Gets the name of this authentication manager. ++ */ ++ public String getName() { ++ return instName; ++ } ++ ++ /** ++ * Gets the plugin name of authentication manager. ++ */ ++ public String getImplName() { ++ return implName; ++ } ++ ++ public boolean isSSLClientRequired() { ++ return false; ++ } ++ ++ /** ++ * Authenticate user. ++ * ++ * @return the auth token from existing session context, if any. ++ * @throws EMissingCredential if no auth token or no session ++ */ ++ public IAuthToken authenticate(IAuthCredentials authCred) ++ throws EMissingCredential { ++ SessionContext context = SessionContext.getExistingContext(); ++ ++ if (context == null) ++ throw new EMissingCredential("SessionAuthentication: no session"); ++ ++ IAuthToken authToken = (IAuthToken) ++ context.get(SessionContext.AUTH_TOKEN); ++ ++ if (authToken == null) ++ throw new EMissingCredential("SessionAuthentication: no auth token"); ++ ++ return authToken; ++ } ++ ++ public String[] getRequiredCreds() { ++ String[] requiredCreds = { }; ++ return requiredCreds; ++ } ++ ++ public String[] getConfigParams() { ++ return null; ++ } ++ ++ /** ++ * prepare this authentication manager for shutdown. 
++ */ ++ public void shutdown() { ++ } ++ ++ /** ++ * gets the configuretion substore used by this authentication ++ * manager ++ * ++ * @return configuration store ++ */ ++ public IConfigStore getConfigStore() { ++ return config; ++ } ++ ++ // Profile-related methods ++ ++ public void init(IProfile profile, IConfigStore config) { ++ } ++ ++ /** ++ * Retrieves the localizable name of this policy. ++ */ ++ public String getName(Locale locale) { ++ return CMS.getUserMessage(locale, "CMS_AUTHENTICATION_AGENT_NAME"); ++ } ++ ++ /** ++ * Retrieves the localizable description of this policy. ++ */ ++ public String getText(Locale locale) { ++ return CMS.getUserMessage(locale, "CMS_AUTHENTICATION_AGENT_TEXT"); ++ } ++ ++ /** ++ * Retrieves a list of names of the value parameter. ++ */ ++ public Enumeration getValueNames() { ++ return Collections.emptyEnumeration(); ++ } ++ ++ public boolean isValueWriteable(String name) { ++ return false; ++ } ++ ++ /** ++ * Retrieves the descriptor of the given value ++ * parameter by name. 
++ */ ++ public IDescriptor getValueDescriptor(Locale locale, String name) { ++ return null; ++ } ++ ++ public void populate(IAuthToken token, IRequest request) { ++ } ++} +diff --git a/base/server/upgrade/10.4.1/.gitignore b/base/server/upgrade/10.4.1/.gitignore +new file mode 100644 +index 0000000..5e7d273 +--- /dev/null ++++ b/base/server/upgrade/10.4.1/.gitignore +@@ -0,0 +1,4 @@ ++# Ignore everything in this directory ++* ++# Except this file ++!.gitignore +diff --git a/base/server/upgrade/10.4.2/01-AddSessionAuthenticationPlugin b/base/server/upgrade/10.4.2/01-AddSessionAuthenticationPlugin +new file mode 100755 +index 0000000..62d508e +--- /dev/null ++++ b/base/server/upgrade/10.4.2/01-AddSessionAuthenticationPlugin +@@ -0,0 +1,51 @@ ++#!/usr/bin/python ++# Authors: ++# Fraser Tweedale ++# ++# This program is free software; you can redistribute it and/or modify ++# it under the terms of the GNU General Public License as published by ++# the Free Software Foundation; version 2 of the License. ++# ++# This program is distributed in the hope that it will be useful, ++# but WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++# GNU General Public License for more details. ++# ++# You should have received a copy of the GNU General Public License along ++# with this program; if not, write to the Free Software Foundation, Inc., ++# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. ++# ++# Copyright (C) 2017 Red Hat, Inc. ++# All rights reserved. 
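Review bot: authenticate() hands back whatever IAuthToken is already bound under SessionContext.AUTH_TOKEN without checking which authentication manager produced it or whether that identity is an agent, yet getName(Locale)/getText(Locale) reuse the CMS_AUTHENTICATION_AGENT_NAME/_TEXT messages, so the profile UI will present this plugin as agent authentication. The class javadoc's "use with caution" belongs on authenticate() itself, e.g. `// Returns the token of whoever authenticated the current request, whichever auth manager produced it; only use in profiles whose ACLs/constraints already gate the caller.`, and the two reused message keys are worth their own entries so operators are not misled. getValueNames() also returns a raw `Enumeration`; `Enumeration<String>` matches `Collections.emptyEnumeration()` and avoids the unchecked warning. The javadoc typo `configuretion` on getConfigStore() can go in the same pass.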
++ ++from __future__ import absolute_import ++import os.path ++ ++import pki ++from pki.server.upgrade import PKIServerUpgradeScriptlet ++ ++ ++class AddSessionAuthenticationPlugin(PKIServerUpgradeScriptlet): ++ def __init__(self): ++ super(AddSessionAuthenticationPlugin, self).__init__() ++ self.message = 'Add SessionAuthentication to CS.cfg' ++ ++ def upgrade_subsystem(self, instance, subsystem): ++ if subsystem.name == 'ca': ++ self.add_plugin(instance, subsystem) ++ ++ def add_plugin(self, instance, subsystem): # pylint: disable=W0613 ++ filename = os.path.join(subsystem.conf_dir, 'CS.cfg') ++ self.backup(filename) ++ ++ properties = pki.PropertyFile(filename) ++ properties.read() ++ ++ properties.set( ++ 'auths.impl.SessionAuthentication.class', ++ 'com.netscape.cms.authentication.SessionAuthentication') ++ properties.set( ++ 'auths.instance.SessionAuthentication.pluginName', ++ 'SessionAuthentication') ++ ++ properties.write() +-- +1.8.3.1 + + +From b9dc595806abb17f34a679976122e526bdc29de8 Mon Sep 17 00:00:00 2001 +From: Ade Lee +Date: Tue, 18 Apr 2017 16:46:12 -0400 +Subject: [PATCH 09/49] Modify cert clients to check server for wrapping params + +CRMFPopClient and the pki cert client both can send a CRMF request +to a CA directly. Logic is added to check the CA for the required +KRA wrapping params and use those in place of any that have been +provided by the environment or command line. + +Also, additional data for the supported KRA keyset has been added to +the CAInfoService. This will need to be managed by the admin. The +default is "1" which corresponds to AES. 
+ +Change-Id: I186f9c610005ec300bccf1b07470493ce7cdfeb4 +--- + base/common/src/org/dogtagpki/common/CAInfo.java | 16 +++++ + .../src/com/netscape/cmstools/CRMFPopClient.java | 71 ++++++++++++++++++++-- + .../cmstools/client/ClientCertRequestCLI.java | 32 ++++++---- + .../org/dogtagpki/server/rest/CAInfoService.java | 10 +++ + 4 files changed, 110 insertions(+), 19 deletions(-) + +diff --git a/base/common/src/org/dogtagpki/common/CAInfo.java b/base/common/src/org/dogtagpki/common/CAInfo.java +index 89255ed..f21dcd0 100644 +--- a/base/common/src/org/dogtagpki/common/CAInfo.java ++++ b/base/common/src/org/dogtagpki/common/CAInfo.java +@@ -54,6 +54,7 @@ public class CAInfo extends ResourceMessage { + } + + String archivalMechanism; ++ String wrappingKeySet; + + @XmlElement(name="ArchivalMechanism") + public String getArchivalMechanism() { +@@ -64,11 +65,21 @@ public class CAInfo extends ResourceMessage { + this.archivalMechanism = archivalMechanism; + } + ++ @XmlElement(name="WrappingKeySet") ++ public String getWrappingKeySet() { ++ return wrappingKeySet; ++ } ++ ++ public void setWrappingKeySet(String wrappingKeySet) { ++ this.wrappingKeySet = wrappingKeySet; ++ } ++ + @Override + public int hashCode() { + final int prime = 31; + int result = super.hashCode(); + result = prime * result + ((archivalMechanism == null) ? 0 : archivalMechanism.hashCode()); ++ result = prime * result + ((wrappingKeySet == null) ? 
0 : wrappingKeySet.hashCode()); + return result; + } + +@@ -86,6 +97,11 @@ public class CAInfo extends ResourceMessage { + return false; + } else if (!archivalMechanism.equals(other.archivalMechanism)) + return false; ++ if (wrappingKeySet == null) { ++ if (other.wrappingKeySet != null) ++ return false; ++ } else if (!wrappingKeySet.equals(other.wrappingKeySet)) ++ return false; + return true; + } + +diff --git a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java +index 5d9f7f1..0168503 100644 +--- a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java ++++ b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java +@@ -40,6 +40,8 @@ import org.apache.http.HttpResponse; + import org.apache.http.client.methods.HttpGet; + import org.apache.http.impl.client.DefaultHttpClient; + import org.apache.http.util.EntityUtils; ++import org.dogtagpki.common.CAInfo; ++import org.dogtagpki.common.CAInfoClient; + import org.dogtagpki.common.KRAInfoResource; + import org.mozilla.jss.CryptoManager; + import org.mozilla.jss.asn1.ASN1Util; +@@ -75,6 +77,9 @@ import org.mozilla.jss.pkix.primitive.Name; + import org.mozilla.jss.pkix.primitive.SubjectPublicKeyInfo; + import org.mozilla.jss.util.Password; + ++import com.netscape.certsrv.base.PKIException; ++import com.netscape.certsrv.client.ClientConfig; ++import com.netscape.certsrv.client.PKIClient; + import com.netscape.cmsutil.crypto.CryptoUtil; + import com.netscape.cmsutil.util.Cert; + import com.netscape.cmsutil.util.HMACDigest; +@@ -187,6 +192,10 @@ public class CRMFPopClient { + option.setArgName("keyWrap"); + options.addOption(option); + ++ option = new Option("w", true, "Wrapping Keyset"); ++ option.setArgName("keySet"); ++ options.addOption(option); ++ + options.addOption("v", "verbose", false, "Run in verbose mode."); + options.addOption(null, "help", false, "Show help message."); + +@@ -218,6 +227,7 @@ public class CRMFPopClient { + 
System.out.println(" -g Use KeyWrapping to wrap private key (default: true)"); + System.out.println(" - true: use a key wrapping algorithm"); + System.out.println(" - false: use an encryption algorithm"); ++ System.out.println(" -w Key set ID to use when wrapping the private key"); + System.out.println(" -b PEM transport certificate (default: transport.txt)"); + System.out.println(" -v, --verbose Run in verbose mode."); + System.out.println(" --help Show help message."); +@@ -310,6 +320,7 @@ public class CRMFPopClient { + int sensitive = Integer.parseInt(cmd.getOptionValue("s", "-1")); + int extractable = Integer.parseInt(cmd.getOptionValue("e", "-1")); + ++ // get the key wrapping mechanism + boolean keyWrap = true; + if (cmd.hasOption("g")) { + keyWrap = Boolean.parseBoolean(cmd.getOptionValue("g")); +@@ -319,6 +330,10 @@ public class CRMFPopClient { + keyWrap = Boolean.parseBoolean(useKeyWrap); + } + } ++ String archivalMechanism = keyWrap ? KRAInfoResource.KEYWRAP_MECHANISM : ++ KRAInfoResource.ENCRYPT_MECHANISM; ++ ++ String wrappingKeySet = cmd.getOptionValue("w"); + + String output = cmd.getOptionValue("o"); + +@@ -326,6 +341,16 @@ public class CRMFPopClient { + String username = cmd.getOptionValue("u"); + String requestor = cmd.getOptionValue("r"); + ++ if (hostPort != null) { ++ if (cmd.hasOption("g") || cmd.hasOption("w")) { ++ printError("Wrapping Key Set (-g) and keywrap (-w) options should " + ++ "not be specified when hostport is specified. " + ++ "CRMFPopClient will contact the server to " + ++ "determine the correct values for these parameters"); ++ System.exit(1); ++ } ++ } ++ + if (subjectDN == null) { + printError("Missing subject DN"); + System.exit(1); +@@ -458,11 +483,41 @@ public class CRMFPopClient { + String kid = CryptoUtil.byte2string(id); + System.out.println("Keypair private key id: " + kid); + +- String archivalMechanism = keyWrap ? 
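Review bot: The error message in the new hostPort check has the flags swapped: per the option definitions, -g is the keyWrap boolean and -w is the wrapping key set, so the text should read `"Wrapping Key Set (-w) and keywrap (-g) options should "`. The check also does not cover the environment fallback (`useKeyWrap`) that sets keyWrap a few lines above, so a value taken from the environment is silently overridden later by the server's answer; a one-line comment there, `// when hostPort is set, the CA's reported values replace both of these below`, would make that precedence explicit.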
KRAInfoResource.KEYWRAP_MECHANISM : +- KRAInfoResource.ENCRYPT_MECHANISM; ++ if (hostPort != null) { ++ // check the CA for the required keyset and archival mechanism ++ // if found, override whatever has been set by the command line ++ // options or environment for archivalMechanism and wrappingKeySet ++ ++ ClientConfig config = new ClientConfig(); ++ String host = hostPort.substring(0, hostPort.indexOf(':')); ++ int port = Integer.parseInt(hostPort.substring(hostPort.indexOf(':')+1)); ++ config.setServerURL("http", host, port); ++ ++ PKIClient pkiclient = new PKIClient(config); ++ ++ // get archival mechanism ++ CAInfoClient infoClient = new CAInfoClient(pkiclient, "ca"); ++ try { ++ CAInfo info = infoClient.getInfo(); ++ archivalMechanism = info.getArchivalMechanism(); ++ wrappingKeySet = info.getWrappingKeySet(); ++ } catch (PKIException e) { ++ if (e.getCode() == 404) { ++ // assume this is an older server, ++ archivalMechanism = KRAInfoResource.KEYWRAP_MECHANISM; ++ wrappingKeySet = "0"; ++ } else { ++ throw new Exception("Failed to retrieve archive wrapping information from the CA: " + e, e); ++ } ++ } catch (Exception e) { ++ throw new Exception("Failed to retrieve archive wrapping information from the CA: " + e, e); ++ } ++ } ++ + if (verbose) System.out.println("Creating certificate request"); + CertRequest certRequest = client.createCertRequest( +- token, transportCert, algorithm, keyPair, subject, archivalMechanism); ++ token, transportCert, algorithm, keyPair, ++ subject, archivalMechanism, wrappingKeySet); + + ProofOfPossession pop = null; + +@@ -572,11 +627,15 @@ public class CRMFPopClient { + String algorithm, + KeyPair keyPair, + Name subject, +- String archivalMechanism) throws Exception { ++ String archivalMechanism, ++ String wrappingKeySet) throws Exception { + EncryptionAlgorithm encryptAlg = null; +- String keyset = System.getenv("KEY_WRAP_PARAMETER_SET"); + +- if (keyset != null && keyset.equalsIgnoreCase("0")) { ++ if (wrappingKeySet == 
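Review bot: The lookup of the CA's archival mechanism and wrapping key set uses a hard-coded cleartext scheme, `config.setServerURL("http", host, port)`, and a 404 falls back to `wrappingKeySet = "0"`, the legacy DES3 path; since these two values decide how the private key is wrapped for archival, they are obtained with no transport integrity and a downgrade is invisible to the user. Fetching them over https and, in verbose mode, printing the negotiated `archivalMechanism`/`wrappingKeySet` (the `if (verbose)` line below is a natural place) would let an operator notice an unexpected answer. `hostPort.indexOf(':')` is never checked for -1, so a bare host name throws StringIndexOutOfBoundsException from substring() instead of a usable error; a guard such as `if (hostPort.indexOf(':') < 0) { printError("hostport must be host:port"); System.exit(1); }` before parsing would match the other option checks. The surrounding method continues outside the hunk.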
null) { ++ wrappingKeySet = System.getenv("KEY_WRAP_PARAMETER_SET"); ++ } ++ ++ if (wrappingKeySet != null && wrappingKeySet.equalsIgnoreCase("0")) { + // talking to an old server? + encryptAlg = EncryptionAlgorithm.DES3_CBC; + } else { +diff --git a/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java b/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java +index 8ca857b..696ab8b 100644 +--- a/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java ++++ b/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java +@@ -29,6 +29,7 @@ import java.util.Vector; + import org.apache.commons.cli.CommandLine; + import org.apache.commons.cli.Option; + import org.apache.commons.io.FileUtils; ++import org.dogtagpki.common.CAInfo; + import org.dogtagpki.common.CAInfoClient; + import org.dogtagpki.common.KRAInfoResource; + import org.mozilla.jss.CryptoManager; +@@ -39,6 +40,7 @@ import org.mozilla.jss.pkix.crmf.CertRequest; + import org.mozilla.jss.pkix.crmf.ProofOfPossession; + import org.mozilla.jss.pkix.primitive.Name; + ++import com.netscape.certsrv.base.PKIException; + import com.netscape.certsrv.cert.CertClient; + import com.netscape.certsrv.cert.CertEnrollmentRequest; + import com.netscape.certsrv.cert.CertRequestInfos; +@@ -250,23 +252,26 @@ public class ClientCertRequestCLI extends CLI { + // get archival mechanism + CAInfoClient infoClient = new CAInfoClient(client, "ca"); + String archivalMechanism = KRAInfoResource.KEYWRAP_MECHANISM; ++ String wrappingKeySet = "1"; + try { +- archivalMechanism = infoClient.getInfo().getArchivalMechanism(); +- } catch (Exception e) { +- // this could be an older server, check for environment variable. 
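Review bot: `wrappingKeySet.equalsIgnoreCase("0")` selects `EncryptionAlgorithm.DES3_CBC` for the legacy keyset, while the KEY_WRAP_PARAMETER_SET environment variable is consulted only when the caller passed null; neither rule is documented on createCertRequest, which now has two callers with different defaults. A comment above the null check, `// null: fall back to KEY_WRAP_PARAMETER_SET; "0": legacy (pre-AES) server, wrap with DES3_CBC; anything else: current keyset`, would save the next reader a trip through CAInfoService. The method body continues outside the hunk.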
+- String useKeyWrapping = System.getenv("KEY_ARCHIVAL_USE_KEY_WRAPPING"); +- if (useKeyWrapping != null) { +- if (Boolean.parseBoolean(useKeyWrapping)) { +- archivalMechanism = KRAInfoResource.KEYWRAP_MECHANISM; +- } else { +- archivalMechanism = KRAInfoResource.ENCRYPT_MECHANISM; +- } ++ CAInfo info = infoClient.getInfo(); ++ archivalMechanism = info.getArchivalMechanism(); ++ wrappingKeySet = info.getWrappingKeySet(); ++ } catch (PKIException e) { ++ if (e.getCode() == 404) { ++ // assume this is an older server, ++ archivalMechanism = KRAInfoResource.KEYWRAP_MECHANISM; ++ wrappingKeySet = "0"; ++ } else { ++ throw new Exception("Failed to retrieve archive wrapping information from the CA: " + e, e); + } ++ } catch (Exception e) { ++ throw new Exception("Failed to retrieve archive wrapping information from the CA: " + e, e); + } + + csr = generateCrmfRequest(transportCert, subjectDN, attributeEncoding, + algorithm, length, curve, sslECDH, temporary, sensitive, extractable, withPop, +- archivalMechanism); ++ archivalMechanism, wrappingKeySet); + + } else { + throw new Exception("Unknown request type: " + requestType); +@@ -408,7 +413,8 @@ public class ClientCertRequestCLI extends CLI { + int sensitive, + int extractable, + boolean withPop, +- String archivalMechanism ++ String archivalMechanism, ++ String wrappingKeySet + ) throws Exception { + + CryptoManager manager = CryptoManager.getInstance(); +@@ -430,7 +436,7 @@ public class ClientCertRequestCLI extends CLI { + } + + CertRequest certRequest = client.createCertRequest( +- token, transportCert, algorithm, keyPair, subject, archivalMechanism); ++ token, transportCert, algorithm, keyPair, subject, archivalMechanism, wrappingKeySet); + + ProofOfPossession pop = null; + if (withPop) { +diff --git a/base/server/cms/src/org/dogtagpki/server/rest/CAInfoService.java b/base/server/cms/src/org/dogtagpki/server/rest/CAInfoService.java +index 975ad61..f4724a6 100644 +--- 
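Review bot: The `wrappingKeySet = "1"` default is dead: `info.getWrappingKeySet()` overwrites it unconditionally, and CAInfoService returns null for that field when the KRA connector is disabled, so the value handed to createCertRequest is null and the choice silently falls through to the KEY_WRAP_PARAMETER_SET environment lookup inside CRMFPopClient.createCertRequest rather than the "1" this code intends. Keep the default unless the server actually reported a value: `String ks = info.getWrappingKeySet(); if (ks != null) wrappingKeySet = ks;`. The KEY_ARCHIVAL_USE_KEY_WRAPPING fallback that the removed lines provided is gone for non-404 failures, which now abort; that behaviour change is not mentioned in the commit message and deserves a sentence there or in the catch block.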
a/base/server/cms/src/org/dogtagpki/server/rest/CAInfoService.java ++++ b/base/server/cms/src/org/dogtagpki/server/rest/CAInfoService.java +@@ -50,6 +50,8 @@ public class CAInfoService extends PKIService implements CAInfoResource { + if (archivalMechanism != null) + info.setArchivalMechanism(getArchivalMechanism()); + ++ info.setWrappingKeySet(getWrappingKeySet()); ++ + return createOKResponse(info); + } + +@@ -61,4 +63,12 @@ public class CAInfoService extends PKIService implements CAInfoResource { + boolean encrypt_archival = cs.getBoolean("kra.allowEncDecrypt.archival", false); + return encrypt_archival ? KRAInfoService.ENCRYPT_MECHANISM : KRAInfoService.KEYWRAP_MECHANISM; + } ++ ++ String getWrappingKeySet() throws EBaseException { ++ IConfigStore cs = CMS.getConfigStore(); ++ boolean kra_present = cs.getBoolean("ca.connector.KRA.enable", false); ++ if (!kra_present) return null; ++ ++ return cs.getString("kra.wrappingKeySet", "1"); ++ } + } +-- +1.8.3.1 + + +From 316e20d2e39542bcb2d2043f36633dc7b779c61b Mon Sep 17 00:00:00 2001 +From: Ade Lee +Date: Wed, 19 Apr 2017 14:19:37 -0400 +Subject: [PATCH 10/49] Make sure connection is always closed + +When an exception is thrown, the connection is currently +not closed, leading to Invalid State exceptions when the +next connection is attempted. This resolves this issue. 
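Review bot: `info.setWrappingKeySet(getWrappingKeySet())` is unconditional while the archival mechanism two lines above is only set when non-null; the asymmetry is harmless today but the null case should be stated where it originates, `// null when the KRA connector is disabled (ca.connector.KRA.enable=false)`, since ClientCertRequestCLI now copies the value straight into its request. `cs.getString("kra.wrappingKeySet", "1")` is also returned verbatim, so a typo in CS.cfg is propagated to every enrolling client instead of being rejected here; documenting the accepted values next to the lookup, or validating against them, would fail fast on the server side.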
+ +Change-Id: I531881434a73affb1c6536dfbb05bce151c854fb +--- + .../com/netscape/certsrv/client/PKIConnection.java | 30 ++++++++++++++-------- + 1 file changed, 20 insertions(+), 10 deletions(-) + +diff --git a/base/common/src/com/netscape/certsrv/client/PKIConnection.java b/base/common/src/com/netscape/certsrv/client/PKIConnection.java +index d5e4c00..d655023 100644 +--- a/base/common/src/com/netscape/certsrv/client/PKIConnection.java ++++ b/base/common/src/com/netscape/certsrv/client/PKIConnection.java +@@ -429,23 +429,33 @@ public class PKIConnection { + } + + public T getEntity(Response response, Class clazz) { +- Family family = response.getStatusInfo().getFamily(); +- if (!family.equals(Family.CLIENT_ERROR) && !family.equals(Family.SERVER_ERROR)) { +- if (response.hasEntity()) return response.readEntity(clazz); ++ try { ++ Family family = response.getStatusInfo().getFamily(); ++ if (!family.equals(Family.CLIENT_ERROR) && !family.equals(Family.SERVER_ERROR)) { ++ if (response.hasEntity()) ++ return response.readEntity(clazz); ++ return null; ++ } ++ handleErrorResponse(response); + return null; ++ } finally { ++ response.close(); + } +- handleErrorResponse(response); +- return null; + } + + public T getEntity(Response response, GenericType clazz) { +- Family family = response.getStatusInfo().getFamily(); +- if (!family.equals(Family.CLIENT_ERROR) && !family.equals(Family.SERVER_ERROR)) { +- if (response.hasEntity()) return response.readEntity(clazz); ++ try { ++ Family family = response.getStatusInfo().getFamily(); ++ if (!family.equals(Family.CLIENT_ERROR) && !family.equals(Family.SERVER_ERROR)) { ++ if (response.hasEntity()) ++ return response.readEntity(clazz); ++ return null; ++ } ++ handleErrorResponse(response); + return null; ++ } finally { ++ response.close(); + } +- handleErrorResponse(response); +- return null; + } + + private void handleErrorResponse(Response response) { +-- +1.8.3.1 + + +From 7033c5208fd315e9fd1c76d1755d1f7fd2bbf17a Mon Sep 17 
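Review bot: The two getEntity() overloads now carry identical try/finally bodies that differ only in the readEntity() call; moving the status test into a helper, `private static boolean isError(Response r) { Family f = r.getStatusInfo().getFamily(); return f.equals(Family.CLIENT_ERROR) || f.equals(Family.SERVER_ERROR); }`, would reduce each overload to a few lines and keep the two from drifting apart on the next fix. The finally-close is the right shape for the leak described in the message; a short comment noting that closing after a successful readEntity() is intentional (and presumably a no-op in that case) would pre-empt the "double close" question from the next reader.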
00:00:00 2001 +From: "Endi S. Dewata" +Date: Wed, 19 Apr 2017 23:40:43 +0200 +Subject: [PATCH 12/49] Added AuditEvent.setParameters(). + +A new method has been added to set AuditEvent's parameters. + +Change-Id: I1b1e23030a819160b035ed67e908b6fbadedd714 +--- + base/common/src/com/netscape/certsrv/logging/AuditEvent.java | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java +index 716e0d4..72c93f8 100644 +--- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java ++++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java +@@ -387,6 +387,13 @@ public class AuditEvent implements IBundleLogEvent { + } + + /** ++ * Sets audit event's parameters. ++ */ ++ public void setParameters(Object[] params) { ++ mParams = params; ++ } ++ ++ /** + * Returns localized message string. This method should + * only be called if a localized string is necessary. + *
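Review bot: setParameters() stores the caller's array by reference, so any later mutation of `params` changes what this audit event renders when it is eventually formatted; for an audit record a defensive copy is the safer default, `mParams = params == null ? null : params.clone();`. The javadoc should also say whether null clears the parameters, since the getter and the message formatting that read mParams are outside this hunk.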

    +-- +1.8.3.1 + + +From 6817c67bc93e99f36c79838fffc08145e6599580 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Wed, 19 Apr 2017 21:35:09 +0200 +Subject: [PATCH 14/49] Updated default SSL connection timeout. + +The default SSL connection timeout has been changed to 5 minutes +to improve PKI console usability. + +https://pagure.io/dogtagpki/issue/2643 + +Change-Id: I905ca855285ddd655d965488b175c2d11fe407fd +--- + base/server/tomcat7/conf/server.xml | 2 +- + base/server/tomcat8/conf/server.xml | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/base/server/tomcat7/conf/server.xml b/base/server/tomcat7/conf/server.xml +index cc3160d..35bd7a4 100644 +--- a/base/server/tomcat7/conf/server.xml ++++ b/base/server/tomcat7/conf/server.xml +@@ -187,7 +187,7 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown) + --> + +Date: Thu, 20 Apr 2017 01:06:18 +0200 +Subject: [PATCH 15/49] Fixed SSL connection timeouts. + +The connectionTimeout parameter has been restored to 80 seconds. +The keepAliveTimeout parameter has been set to 5 minutes. + +https://pagure.io/dogtagpki/issue/2643 + +Change-Id: I05bca0284ad946d833ed144e2f93a4ef4b9b6f0f +--- + base/server/tomcat7/conf/server.xml | 3 ++- + base/server/tomcat8/conf/server.xml | 3 ++- + 2 files changed, 4 insertions(+), 2 deletions(-) + +diff --git a/base/server/tomcat7/conf/server.xml b/base/server/tomcat7/conf/server.xml +index 35bd7a4..2db8bca 100644 +--- a/base/server/tomcat7/conf/server.xml ++++ b/base/server/tomcat7/conf/server.xml +@@ -187,7 +187,8 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown) + --> + +Date: Thu, 20 Apr 2017 01:03:29 +0200 +Subject: [PATCH 16/49] Refactored line concatenation. + +The code that concatenates lines has been simplified using +String.replace(). 
+ +Change-Id: Ib8532b12594604e3b013b5ac0ef30ce45f1351ea +--- + .../cms/profile/updater/SubsystemGroupUpdater.java | 11 +++-------- + .../netscape/cms/servlet/csadmin/RegisterUser.java | 14 ++++---------- + .../cms/servlet/processors/CAProcessor.java | 21 ++++----------------- + .../servlet/profile/ProfileSubmitCMCServlet.java | 10 ++-------- + 4 files changed, 13 insertions(+), 43 deletions(-) + +diff --git a/base/server/cms/src/com/netscape/cms/profile/updater/SubsystemGroupUpdater.java b/base/server/cms/src/com/netscape/cms/profile/updater/SubsystemGroupUpdater.java +index 7daa8e4..4ecc255 100644 +--- a/base/server/cms/src/com/netscape/cms/profile/updater/SubsystemGroupUpdater.java ++++ b/base/server/cms/src/com/netscape/cms/profile/updater/SubsystemGroupUpdater.java +@@ -175,14 +175,9 @@ public class SubsystemGroupUpdater implements IProfileUpdater { + byte[] certEncoded = cert.getEncoded(); + b64 = CMS.BtoA(certEncoded).trim(); + +- // extract all line separators +- StringBuffer sb = new StringBuffer(); +- for (int i = 0; i < b64.length(); i++) { +- if (!Character.isWhitespace(b64.charAt(i))) { +- sb.append(b64.charAt(i)); +- } +- } +- b64 = sb.toString(); ++ // concatenate lines ++ b64 = b64.replace("\r", "").replace("\n", ""); ++ + } catch (Exception ence) { + CMS.debug("SubsystemGroupUpdater update: user cert encoding failed: " + ence); + } +diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/RegisterUser.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/RegisterUser.java +index f02932e..77ef4d8 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/RegisterUser.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/RegisterUser.java +@@ -27,8 +27,6 @@ import javax.servlet.ServletException; + import javax.servlet.http.HttpServletRequest; + import javax.servlet.http.HttpServletResponse; + +-import netscape.security.x509.X509CertImpl; +- + import org.w3c.dom.Node; + + import com.netscape.certsrv.apps.CMS; +@@ -49,6 
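Review bot: The replacement is not a pure refactor: the removed loop dropped every `Character.isWhitespace` character, while `replace("\r", "").replace("\n", "")` leaves spaces and tabs in place. That is presumably equivalent for `CMS.BtoA(...).trim()` output, which should contain only base64 characters and line breaks, but the comment could say so rather than `// concatenate lines`: `// strip the line breaks BtoA inserts; trim() already removed outer whitespace`. The same applies to the RegisterUser, CAProcessor and ProfileSubmitCMCServlet hunks in this patch, where the latter two operate on Utils.base64encode output instead.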
+47,8 @@ import com.netscape.cms.servlet.common.ICMSTemplateFiller; + import com.netscape.cmsutil.util.Utils; + import com.netscape.cmsutil.xml.XMLObject; + ++import netscape.security.x509.X509CertImpl; ++ + /** + * This servlet creates a TPS user in the CA, + * and it associates TPS's server certificate to +@@ -207,14 +207,8 @@ public class RegisterUser extends CMSServlet { + audit(auditMessage); + } + +- // extract all line separators +- StringBuffer sb = new StringBuffer(); +- for (int i = 0; i < certsString.length(); i++) { +- if (!Character.isWhitespace(certsString.charAt(i))) { +- sb.append(certsString.charAt(i)); +- } +- } +- certsString = sb.toString(); ++ // concatenate lines ++ certsString = certsString.replace("\r", "").replace("\n", ""); + + auditParams = "Scope;;certs+Operation;;OP_ADD+source;;RegisterUser" + + "+Resource;;" + uid + +diff --git a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java +index 8c4fef1..4bc738c 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java +@@ -1024,15 +1024,8 @@ public class CAProcessor extends Processor { + + base64Data = Utils.base64encode(rawData).trim(); + +- // extract all line separators from the "base64Data" +- StringBuffer sb = new StringBuffer(); +- for (int i = 0; i < base64Data.length(); i++) { +- if (!Character.isWhitespace(base64Data.charAt(i))) { +- sb.append(base64Data.charAt(i)); +- +- } +- } +- cert = sb.toString(); ++ // concatenate lines ++ cert = base64Data.replace("\r", "").replace("\n", ""); + } + + if (cert != null) { +@@ -1180,14 +1173,8 @@ public class CAProcessor extends Processor { + + base64Data = Utils.base64encode(rawData).trim(); + +- // extract all line separators from the "base64Data" +- StringBuffer sb = new StringBuffer(); +- for (int i = 0; i < base64Data.length(); i++) { +- 
if (!Character.isWhitespace(base64Data.charAt(i))) { +- sb.append(base64Data.charAt(i)); +- } +- } +- cert = sb.toString(); ++ // concatenate lines ++ cert = base64Data.replace("\r", "").replace("\n", ""); + } + + if (cert != null) { +diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java +index fd155a6..83bab5b 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java +@@ -928,14 +928,8 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { + + base64Data = Utils.base64encode(rawData).trim(); + +- // extract all line separators from the "base64Data" +- StringBuffer sb = new StringBuffer(); +- for (int i = 0; i < base64Data.length(); i++) { +- if (!Character.isWhitespace(base64Data.charAt(i))) { +- sb.append(base64Data.charAt(i)); +- } +- } +- cert = sb.toString(); ++ // concatenate lines ++ cert = base64Data.replace("\r", "").replace("\n", ""); + } + + if (cert != null) { +-- +1.8.3.1 + + +From 6bb1757a035d3439a65aa604a19dcdf48b7b2dbc Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Thu, 20 Apr 2017 05:01:57 +0200 +Subject: [PATCH 17/49] Refactored additional line concatenation. + +The code that concatenates lines has been simplified using +String.replace(). 
+ +Change-Id: Id376f089cb9b8a78cfd9b3fb922e9cd9055c0e74 +--- + .../src/com/netscape/kra/EnrollmentService.java | 12 ++++------ + .../src/com/netscape/kra/KeyRecoveryAuthority.java | 26 ++++----------------- + .../cms/servlet/admin/CMSAdminServlet.java | 11 ++------- + .../netscape/cms/servlet/cert/EnrollServlet.java | 27 ++++++++-------------- + .../cms/servlet/connector/ConnectorServlet.java | 11 ++------- + .../cms/servlet/request/ProcessCertReq.java | 11 ++------- + 6 files changed, 25 insertions(+), 73 deletions(-) + +diff --git a/base/kra/src/com/netscape/kra/EnrollmentService.java b/base/kra/src/com/netscape/kra/EnrollmentService.java +index 381fee8..a200c34 100644 +--- a/base/kra/src/com/netscape/kra/EnrollmentService.java ++++ b/base/kra/src/com/netscape/kra/EnrollmentService.java +@@ -24,7 +24,6 @@ import java.security.InvalidKeyException; + import java.security.PublicKey; + import java.security.cert.CertificateException; + import java.util.Arrays; +-import java.util.StringTokenizer; + import java.util.Vector; + + import org.mozilla.jss.asn1.ASN1Util; +@@ -917,7 +916,7 @@ public class EnrollmentService implements IService { + return ILogger.SIGNED_AUDIT_EMPTY_VALUE; + } + +- StringBuffer key = new StringBuffer(); ++ String key = ""; + + // convert "rawData" into "base64Data" + if (rawData != null) { +@@ -925,13 +924,10 @@ public class EnrollmentService implements IService { + + base64Data = CMS.BtoA(rawData).trim(); + +- // extract all line separators from the "base64Data" +- StringTokenizer st = new StringTokenizer(base64Data, "\r\n"); +- while (st.hasMoreTokens()) { +- key.append(st.nextToken()); +- } ++ // concatenate lines ++ key = base64Data.replace("\r", "").replace("\n", ""); + } +- String checkKey = key.toString().trim(); ++ String checkKey = key.trim(); + if (checkKey.equals("")) { + return ILogger.SIGNED_AUDIT_EMPTY_VALUE; + } else { +diff --git a/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java 
b/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java +index 1df04db..ec920e6 100644 +--- a/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java ++++ b/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java +@@ -136,7 +136,6 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove + public IRequestListener mReqInQListener = null; + + private ILogger mSignedAuditLogger = CMS.getSignedAuditLogger(); +- private final static byte EOL[] = { Character.LINE_SEPARATOR }; + private final static String SIGNED_AUDIT_AGENT_DELIMITER = ", "; + /** + * Constructs an escrow authority. +@@ -1713,16 +1712,9 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove + // convert "rawData" into "base64Data" + if (rawData != null) { + String base64Data = CMS.BtoA(rawData).trim(); +- StringBuffer key = new StringBuffer(); + +- // extract all line separators from the "base64Data" +- for (int i = 0; i < base64Data.length(); i++) { +- if (base64Data.substring(i, i).getBytes() != EOL) { +- key.append(base64Data.substring(i, i)); +- } +- } +- +- return key.toString(); ++ // concatenate lines ++ return base64Data.replace("\r", "").replace("\n", ""); + } + + return ILogger.SIGNED_AUDIT_EMPTY_VALUE; +@@ -1757,23 +1749,15 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove + } + + String key = null; +- StringBuffer tempBuffer = new StringBuffer(); ++ + // convert "rawData" into "base64Data" + if (rawData != null) { + String base64Data = null; + + base64Data = CMS.BtoA(rawData).trim(); + +- // extract all line separators from the "base64Data" +- for (int i = 0; i < base64Data.length(); i++) { +- if (base64Data.substring(i, i).getBytes() != EOL) { +- tempBuffer.append(base64Data.substring(i, i)); +- } +- } +- } +- +- if (tempBuffer.length() > 0) { +- key = tempBuffer.toString(); ++ // concatenate lines ++ key = base64Data.replace("\r", "").replace("\n", ""); + } + + if (key != null) { +diff --git 
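Review bot: The loops this hunk removes never appended anything — `base64Data.substring(i, i)` is always the empty string and `getBytes() != EOL` compares array identities — so the signed-audit key value produced here was previously empty and now contains the real base64 data; that is a change to the audit trail, not only a refactor, and deserves a sentence in the commit message or a comment such as `// previously always empty due to substring(i, i); now records the actual encoded key`. In the second hunk of this file `tempBuffer` was always empty for the same reason, so `key` used to stay null and the `if (key != null)` branch that follows (outside the hunk) was never taken; it now runs whenever rawData is non-null, including with an empty string when base64Data trims to nothing. The same dead-loop pattern is replaced in the CMSAdminServlet and EnrollServlet hunks of this patch.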
a/base/server/cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java +index 229c377..e5a1474 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java +@@ -105,7 +105,6 @@ public final class CMSAdminServlet extends AdminServlet { + private final static String PROP_INTERNAL_DB = "internaldb"; + + private ILogger mSignedAuditLogger = CMS.getSignedAuditLogger(); +- private final static byte EOL[] = { Character.LINE_SEPARATOR }; + + // CMS must be instantiated before this admin servlet. + +@@ -3390,7 +3389,6 @@ public final class CMSAdminServlet extends AdminServlet { + rawData = object.getPublic().getEncoded(); + + String key = null; +- StringBuffer sb = new StringBuffer(); + + // convert "rawData" into "base64Data" + if (rawData != null) { +@@ -3398,14 +3396,9 @@ public final class CMSAdminServlet extends AdminServlet { + + base64Data = Utils.base64encode(rawData).trim(); + +- // extract all line separators from the "base64Data" +- for (int i = 0; i < base64Data.length(); i++) { +- if (base64Data.substring(i, i).getBytes() != EOL) { +- sb.append(base64Data.substring(i, i)); +- } +- } ++ // concatenate lines ++ key = base64Data.replace("\r", "").replace("\n", ""); + } +- key = sb.toString(); + + if (key != null) { + key = key.trim(); +diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollServlet.java b/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollServlet.java +index 3757967..6f01d2a 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollServlet.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollServlet.java +@@ -35,14 +35,6 @@ import javax.servlet.http.HttpServletResponse; + + import org.dogtagpki.legacy.policy.IPolicyProcessor; + +-import netscape.security.pkcs.PKCS10; +-import netscape.security.x509.AlgorithmId; +-import 
netscape.security.x509.CertificateAlgorithmId; +-import netscape.security.x509.CertificateX509Key; +-import netscape.security.x509.X509CertImpl; +-import netscape.security.x509.X509CertInfo; +-import netscape.security.x509.X509Key; +- + import com.netscape.certsrv.apps.CMS; + import com.netscape.certsrv.authentication.AuthToken; + import com.netscape.certsrv.authentication.IAuthSubsystem; +@@ -78,6 +70,14 @@ import com.netscape.cms.servlet.processors.PKCS10Processor; + import com.netscape.cms.servlet.processors.PKIProcessor; + import com.netscape.cmsutil.util.Utils; + ++import netscape.security.pkcs.PKCS10; ++import netscape.security.x509.AlgorithmId; ++import netscape.security.x509.CertificateAlgorithmId; ++import netscape.security.x509.CertificateX509Key; ++import netscape.security.x509.X509CertImpl; ++import netscape.security.x509.X509CertInfo; ++import netscape.security.x509.X509Key; ++ + /** + * Submit a Certificate Enrollment request + * +@@ -138,7 +138,6 @@ public class EnrollServlet extends CMSServlet { + "racertbasedenrollment"; + private final static String EE_RA_ENROLLMENT_SERVLET = + "raenrollment"; +- private final static byte EOL[] = { Character.LINE_SEPARATOR }; + private final static String[] SIGNED_AUDIT_AUTOMATED_REJECTION_REASON = new String[] { + + /* 0 */"automated non-profile cert request rejection: " +@@ -1732,14 +1731,8 @@ public class EnrollServlet extends CMSServlet { + + base64Data = Utils.base64encode(rawData).trim(); + +- StringBuffer sb = new StringBuffer(); +- // extract all line separators from the "base64Data" +- for (int i = 0; i < base64Data.length(); i++) { +- if (base64Data.substring(i, i).getBytes() != EOL) { +- sb.append(base64Data.substring(i, i)); +- } +- } +- cert = sb.toString(); ++ // concatenate lines ++ cert = base64Data.replace("\r", "").replace("\n", ""); + } + + if (cert != null) { +diff --git a/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java 
b/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java +index 13c732b..9c75cc1 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java +@@ -98,7 +98,6 @@ public class ConnectorServlet extends CMSServlet { + + protected ILogger mSignedAuditLogger = CMS.getSignedAuditLogger(); + private final static String SIGNED_AUDIT_PROTECTION_METHOD_SSL = "ssl"; +- private final static byte EOL[] = { Character.LINE_SEPARATOR }; + + public ConnectorServlet() { + } +@@ -1101,14 +1100,8 @@ public class ConnectorServlet extends CMSServlet { + + base64Data = Utils.base64encode(rawData).trim(); + +- StringBuffer sb = new StringBuffer(); +- // extract all line separators from the "base64Data" +- for (int i = 0; i < base64Data.length(); i++) { +- if (base64Data.substring(i, i).getBytes() != EOL) { +- sb.append(base64Data.substring(i, i)); +- } +- } +- cert = sb.toString(); ++ // concatenate lines ++ cert = base64Data.replace("\r", "").replace("\n", ""); + } + + if (cert != null) { +diff --git a/base/server/cms/src/com/netscape/cms/servlet/request/ProcessCertReq.java b/base/server/cms/src/com/netscape/cms/servlet/request/ProcessCertReq.java +index d15774e..9d0da48 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/request/ProcessCertReq.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/request/ProcessCertReq.java +@@ -118,7 +118,6 @@ public class ProcessCertReq extends CMSServlet { + private final static String SIGNED_AUDIT_CANCELLATION = "cancel"; + private final static String SIGNED_AUDIT_CLONING = "clone"; + private final static String SIGNED_AUDIT_REJECTION = "reject"; +- private final static byte EOL[] = { Character.LINE_SEPARATOR }; + private final static String[] SIGNED_AUDIT_MANUAL_CANCELLATION_REASON = new String[] { + + /* 0 */"manual non-profile cert request cancellation: " +@@ -1840,14 +1839,8 @@ public class 
ProcessCertReq extends CMSServlet { + + base64Data = Utils.base64encode(rawData).trim(); + +- // extract all line separators from the "base64Data" +- StringBuffer sb = new StringBuffer(); +- for (int i = 0; i < base64Data.length(); i++) { +- if (base64Data.substring(i, i).getBytes() != EOL) { +- sb.append(base64Data.substring(i, i)); +- } +- } +- cert = sb.toString(); ++ // concatenate lines ++ cert = base64Data.replace("\r", "").replace("\n", ""); + } + + if (cert != null) { +-- +1.8.3.1 + + +From 17e71d3ec1f52cc2e13590499dd70c5932885b20 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Thu, 20 Apr 2017 09:56:16 +0200 +Subject: [PATCH 18/49] Added AdminServlet.audit(AuditEvent). + +A new audit() methods have been added to log AuditEvents in +AdminServlet. + +Change-Id: I92a259363bdda553621491e46122365c7097946a +--- + .../cms/src/com/netscape/cms/servlet/admin/AdminServlet.java | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java +index 089fcbe..16a2e39 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java +@@ -1024,6 +1024,16 @@ public class AdminServlet extends HttpServlet { + auditor.log(msg); + } + ++ protected void audit(AuditEvent event) { ++ ++ String template = event.getMessage(); ++ Object[] params = event.getParameters(); ++ ++ String message = CMS.getLogMessage(template, params); ++ ++ audit(message); ++ } ++ + /** + * Signed Audit Log Subject ID + * +-- +1.8.3.1 + + +From 4a28ac15f5552d6594b6f6bb58af8f076ab5c46f Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Thu, 20 Apr 2017 03:43:06 +0200 +Subject: [PATCH 19/49] Refactored CAProcessor.auditInfoCertValue(). 
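Review bot: The new `audit(AuditEvent event)` in AdminServlet has no Javadoc, while the neighbouring helper right below it ("Signed Audit Log Subject ID") is documented; add one such as `/** Logs an AuditEvent by resolving its message template with its parameters via CMS.getLogMessage() and passing the result to audit(String). */`. It re-implements the formatting that `Auditor.audit(AuditEvent)` already does (see the Auditor hunk in patch 22), so once IAuditor exposes `log(AuditEvent)` this method could forward the event to `auditor.log(event)` instead of rendering it itself, keeping one code path for audit formatting. A null `event` fails at `event.getMessage()` with a NullPointerException; if that is the intended behaviour for a caller bug, the Javadoc should say so.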
+ +The auditInfoCertValue(IRequest) in CAProcessor has been merged +into auditInfoCertValue(X509CertImpl) since they are identical. + +Change-Id: Iccdad7a3c1ff3bc05f1f0ac1830eada21337dfca +--- + .../netscape/cms/servlet/cert/CertProcessor.java | 8 +-- + .../cms/servlet/processors/CAProcessor.java | 57 ---------------------- + 2 files changed, 5 insertions(+), 60 deletions(-) + +diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java +index 156060a..c16d8e0 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java +@@ -36,6 +36,7 @@ import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.ILogger; + import com.netscape.certsrv.profile.EDeferException; + import com.netscape.certsrv.profile.ERejectException; ++import com.netscape.certsrv.profile.IEnrollProfile; + import com.netscape.certsrv.profile.IProfile; + import com.netscape.certsrv.profile.IProfileAuthenticator; + import com.netscape.certsrv.profile.IProfileContext; +@@ -51,6 +52,8 @@ import com.netscape.cms.servlet.processors.CAProcessor; + import com.netscape.cms.tomcat.ExternalPrincipal; + import com.netscape.cmsutil.ldap.LDAPUtil; + ++import netscape.security.x509.X509CertImpl; ++ + public class CertProcessor extends CAProcessor { + + public CertProcessor(String id, Locale locale) throws EPropertyNotFound, EBaseException { +@@ -217,7 +220,6 @@ public class CertProcessor extends CAProcessor { + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + String auditRequesterID = ILogger.UNIDENTIFIED; +- String auditInfoCertValue = ILogger.SIGNED_AUDIT_EMPTY_VALUE; + String errorCode = null; + String errorReason = null; + +@@ -244,8 +246,8 @@ public class CertProcessor extends CAProcessor { + profile.submit(authToken, req); + req.setRequestStatus(RequestStatus.COMPLETE); + 
+- // reset the "auditInfoCertValue" +- auditInfoCertValue = auditInfoCertValue(req); ++ X509CertImpl x509cert = req.getExtDataInCert(IEnrollProfile.REQUEST_ISSUED_CERT); ++ String auditInfoCertValue = auditInfoCertValue(x509cert); + + if (auditInfoCertValue != null) { + if (!(auditInfoCertValue.equals( +diff --git a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java +index 4bc738c..a98d555 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java +@@ -53,7 +53,6 @@ import com.netscape.certsrv.dbs.certdb.ICertRecord; + import com.netscape.certsrv.dbs.certdb.ICertificateRepository; + import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.ILogger; +-import com.netscape.certsrv.profile.IEnrollProfile; + import com.netscape.certsrv.profile.IProfile; + import com.netscape.certsrv.profile.IProfileAuthenticator; + import com.netscape.certsrv.profile.IProfileSubsystem; +@@ -985,62 +984,6 @@ public class CAProcessor extends Processor { + return requesterID; + } + +- /** +- * Signed Audit Log Info Certificate Value +- * +- * This method is called to obtain the certificate from the passed in +- * "X509CertImpl" for a signed audit log message. +- *
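Review bot: `X509CertImpl x509cert = req.getExtDataInCert(IEnrollProfile.REQUEST_ISSUED_CERT);` now has to be written by every caller of `auditInfoCertValue(X509CertImpl)`, and patches 20 and 21 repeat the same two lines four more times in ConnectorServlet (try and catch) and ProfileSubmitCMCServlet; keeping a one-line delegating overload in CAProcessor, `protected String auditInfoCertValue(IRequest request) { return auditInfoCertValue(request.getExtDataInCert(IEnrollProfile.REQUEST_ISSUED_CERT)); }`, would remove the repetition and the extra `IEnrollProfile`/`X509CertImpl` imports at each call site. The null case is presumably still covered, since the removed IRequest variant returned SIGNED_AUDIT_EMPTY_VALUE for a null certificate and the commit message says the X509CertImpl variant is identical. The enclosing method in CertProcessor starts and ends outside the hunk, so I could not confirm that no later catch block still relied on the removed method-scope `auditInfoCertValue` local.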

    +- * +- * @param request request containing an X509CertImpl +- * @return cert string containing the certificate +- */ +- protected String auditInfoCertValue(IRequest request) { +- // if no signed audit object exists, bail +- if (signedAuditLogger == null) { +- return null; +- } +- +- X509CertImpl x509cert = request.getExtDataInCert( +- IEnrollProfile.REQUEST_ISSUED_CERT); +- +- if (x509cert == null) { +- return ILogger.SIGNED_AUDIT_EMPTY_VALUE; +- } +- +- byte rawData[] = null; +- +- try { +- rawData = x509cert.getEncoded(); +- } catch (CertificateEncodingException e) { +- return ILogger.SIGNED_AUDIT_EMPTY_VALUE; +- } +- +- String cert = null; +- +- // convert "rawData" into "base64Data" +- if (rawData != null) { +- String base64Data = null; +- +- base64Data = Utils.base64encode(rawData).trim(); +- +- // concatenate lines +- cert = base64Data.replace("\r", "").replace("\n", ""); +- } +- +- if (cert != null) { +- cert = cert.trim(); +- +- if (cert.equals("")) { +- return ILogger.SIGNED_AUDIT_EMPTY_VALUE; +- } else { +- return cert; +- } +- } else { +- return ILogger.SIGNED_AUDIT_EMPTY_VALUE; +- } +- } +- + protected String auditSubjectID() { + // if no signed audit object exists, bail + if (signedAuditLogger == null) { +-- +1.8.3.1 + + +From 41fcfc470c6462bc069774c74ecfe2fe09cf6ac3 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Thu, 20 Apr 2017 04:24:18 +0200 +Subject: [PATCH 20/49] Refactored ConnectorServlet.auditInfoCertValue(). + +The ConnectorServlet.auditInfoCertValue() has been refactored to +accept X509CertImpl like CAProcessor.auditInfoCertValue(). 
+ +Change-Id: I42f4a17a20f43a8c9dd2b329b07de3a23da7ca33 +--- + .../cms/servlet/connector/ConnectorServlet.java | 20 ++++++++------------ + 1 file changed, 8 insertions(+), 12 deletions(-) + +diff --git a/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java b/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java +index 9c75cc1..6732e92 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java +@@ -424,9 +424,6 @@ public class ConnectorServlet extends CMSServlet { + String auditCertificateSubjectName = ILogger.SIGNED_AUDIT_EMPTY_VALUE; + String subject = null; + +- // additional parms for LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED +- String auditInfoCertValue = ILogger.SIGNED_AUDIT_EMPTY_VALUE; +- + // "normalize" the "auditSubjectID" + if (auditSubjectID != null) { + auditSubjectID = auditSubjectID.trim(); +@@ -622,8 +619,9 @@ public class ConnectorServlet extends CMSServlet { + queue.processRequest(thisreq); + + if (isProfileRequest(thisreq)) { +- // reset the "auditInfoCertValue" +- auditInfoCertValue = auditInfoCertValue(thisreq); ++ ++ X509CertImpl x509cert = thisreq.getExtDataInCert(IEnrollProfile.REQUEST_ISSUED_CERT); ++ String auditInfoCertValue = auditInfoCertValue(x509cert); + + if (auditInfoCertValue != null) { + if (!(auditInfoCertValue.equals( +@@ -643,8 +641,9 @@ public class ConnectorServlet extends CMSServlet { + } + } catch (EBaseException eAudit1) { + if (isProfileRequest(thisreq)) { +- // reset the "auditInfoCertValue" +- auditInfoCertValue = auditInfoCertValue(thisreq); ++ ++ X509CertImpl x509cert = thisreq.getExtDataInCert(IEnrollProfile.REQUEST_ISSUED_CERT); ++ String auditInfoCertValue = auditInfoCertValue(x509cert); + + if (auditInfoCertValue != null) { + if (!(auditInfoCertValue.equals( +@@ -1068,18 +1067,15 @@ public class ConnectorServlet extends CMSServlet { + * "X509CertImpl" 
for a signed audit log message. + *

    + * +- * @param request a Request containing an X509CertImpl ++ * @param x509cert an X509CertImpl + * @return cert string containing the certificate + */ +- private String auditInfoCertValue(IRequest request) { ++ private String auditInfoCertValue(X509CertImpl x509cert) { + // if no signed audit object exists, bail + if (mSignedAuditLogger == null) { + return null; + } + +- X509CertImpl x509cert = request.getExtDataInCert( +- IEnrollProfile.REQUEST_ISSUED_CERT); +- + if (x509cert == null) { + return ILogger.SIGNED_AUDIT_EMPTY_VALUE; + } +-- +1.8.3.1 + + +From e74fca2ced2416d656a09613e6e56657f4f88d20 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Thu, 20 Apr 2017 04:29:40 +0200 +Subject: [PATCH 21/49] Refactored + ProfileSubmitCMCServlet.auditInfoCertValue(). + +The ProfileSubmitCMCServlet.auditInfoCertValue() has been modified +to accept X509CertImpl like CAProcessor.auditInfoCertValue(). + +Change-Id: Ib3b4c4c19250df73a769590488cb5716a50a065b +--- + .../cms/servlet/profile/ProfileSubmitCMCServlet.java | 16 ++++++---------- + 1 file changed, 6 insertions(+), 10 deletions(-) + +diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java +index 83bab5b..c3ada9a 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java +@@ -642,7 +642,6 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + String auditRequesterID = ILogger.UNIDENTIFIED; +- String auditInfoCertValue = ILogger.SIGNED_AUDIT_EMPTY_VALUE; + + try { + /////////////////////////////////////////////// +@@ -672,8 +671,8 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { + profile.submit(authToken, reqs[k]); + reqs[k].setRequestStatus(RequestStatus.COMPLETE); 
+ +- // reset the "auditInfoCertValue" +- auditInfoCertValue = auditInfoCertValue(reqs[k]); ++ X509CertImpl x509cert = reqs[k].getExtDataInCert(IEnrollProfile.REQUEST_ISSUED_CERT); ++ String auditInfoCertValue = auditInfoCertValue(x509cert); + + if (auditInfoCertValue != null) { + if (!(auditInfoCertValue.equals( +@@ -777,8 +776,8 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { + profile.getRequestQueue().markAsServiced(provedReq); + CMS.debug("ProfileSubmitCMCServlet: provedReq set to complete"); + +- // reset the "auditInfoCertValue" +- auditInfoCertValue = auditInfoCertValue(reqs[0]); ++ X509CertImpl x509cert = reqs[0].getExtDataInCert(IEnrollProfile.REQUEST_ISSUED_CERT); ++ String auditInfoCertValue = auditInfoCertValue(x509cert); + + if (auditInfoCertValue != null) { + if (!(auditInfoCertValue.equals( +@@ -896,18 +895,15 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { + * "X509CertImpl" for a signed audit log message. + *

    + * +- * @param request request containing an X509CertImpl ++ * @param x509cert an X509CertImpl + * @return cert string containing the certificate + */ +- private String auditInfoCertValue(IRequest request) { ++ private String auditInfoCertValue(X509CertImpl x509cert) { + // if no signed audit object exists, bail + if (mSignedAuditLogger == null) { + return null; + } + +- X509CertImpl x509cert = request.getExtDataInCert( +- IEnrollProfile.REQUEST_ISSUED_CERT); +- + if (x509cert == null) { + return ILogger.SIGNED_AUDIT_EMPTY_VALUE; + } +-- +1.8.3.1 + + +From ba32351d7c362e6b0e313cde0929c56f3f55ec5f Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Fri, 21 Apr 2017 05:04:05 +0200 +Subject: [PATCH 22/49] Fixed missing IAuditor.log(AuditEvent). + +The IAuditor has been modified to define a log() method for +AuditEvent object. + +Change-Id: Ie1ad720bd6d3bcd71a4567eed477f0e34a8274c9 +--- + base/common/src/com/netscape/certsrv/logging/IAuditor.java | 2 ++ + base/server/cmscore/src/com/netscape/cmscore/logging/Auditor.java | 3 ++- + 2 files changed, 4 insertions(+), 1 deletion(-) + +diff --git a/base/common/src/com/netscape/certsrv/logging/IAuditor.java b/base/common/src/com/netscape/certsrv/logging/IAuditor.java +index 216015f..9521228 100644 +--- a/base/common/src/com/netscape/certsrv/logging/IAuditor.java ++++ b/base/common/src/com/netscape/certsrv/logging/IAuditor.java +@@ -73,4 +73,6 @@ public interface IAuditor { + * Log audit message. 
+ */ + public void log(String message); ++ ++ public void log(AuditEvent event); + } +diff --git a/base/server/cmscore/src/com/netscape/cmscore/logging/Auditor.java b/base/server/cmscore/src/com/netscape/cmscore/logging/Auditor.java +index 48dfe3a..8962561 100644 +--- a/base/server/cmscore/src/com/netscape/cmscore/logging/Auditor.java ++++ b/base/server/cmscore/src/com/netscape/cmscore/logging/Auditor.java +@@ -220,7 +220,8 @@ public class Auditor implements IAuditor { + message); + } + +- protected void audit(AuditEvent event) { ++ @Override ++ public void log(AuditEvent event) { + + String template = event.getMessage(); + Object[] params = event.getParameters(); +-- +1.8.3.1 + + +From fcbabc0ce929d91f63098bba4867d102ac04ead0 Mon Sep 17 00:00:00 2001 +From: Christian Heimes +Date: Wed, 19 Apr 2017 08:50:06 +0200 +Subject: [PATCH 23/49] Python 3 support and Travis testing + +Fix Python 3 support for pkispawn: Config values are text values. Therefore +the config file has to be written as text file. + +Test Python 3 support in Travis CI. The little script py3rewrite copies +pki.server Python files and rewrites pkispawn and pkidestroy to use +Python 3. 
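Review bot: The new `public void log(AuditEvent event);` in IAuditor lacks the Javadoc that `log(String message)` directly above it carries ("Log audit message."); add `/** Log audit event. The event's message template is resolved with its parameters before being written. */`, which is what `Auditor.log(AuditEvent)` in the next hunk does with `event.getMessage()` and `event.getParameters()`. Adding an abstract method to a public interface is source-incompatible for any other IAuditor implementation, which the commit message should mention. In Auditor the method is also renamed from `protected void audit(AuditEvent)` to `public void log(AuditEvent)`, so any subclass that overrode `audit(AuditEvent)` would silently stop being called if such a subclass exists.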
+ +Change-Id: Ia516f80df94cacc2acfa70929ad16bb5b9c39ddf +Signed-off-by: Christian Heimes +--- + .travis.yml | 7 +++++ + .travis/40-spawn-ca | 2 +- + .travis/50-spawn-kra | 2 +- + .travis/99-destroy | 11 ++++++++ + .travis/py3rewrite | 46 +++++++++++++++++++++++++++++++ + base/server/python/pki/server/__init__.py | 4 +-- + 6 files changed, 68 insertions(+), 4 deletions(-) + create mode 100755 .travis/99-destroy + create mode 100755 .travis/py3rewrite + +diff --git a/.travis.yml b/.travis.yml +index 2714bbc..54ae884 100644 +--- a/.travis.yml ++++ b/.travis.yml +@@ -44,6 +44,13 @@ install: + script: + - docker exec -ti ${CONTAINER} ${SCRIPTDIR}/40-spawn-ca + - docker exec -ti ${CONTAINER} ${SCRIPTDIR}/50-spawn-kra ++ - docker exec -ti ${CONTAINER} ${SCRIPTDIR}/99-destroy ++ # copy pki.server for Python 3 and rewrite pkispawn/pkidestroy shebang ++ - docker exec -ti ${CONTAINER} ${SCRIPTDIR}/py3rewrite ++ - docker exec -ti ${CONTAINER} ${SCRIPTDIR}/30-setup-389ds ++ - docker exec -ti ${CONTAINER} ${SCRIPTDIR}/40-spawn-ca ++ - docker exec -ti ${CONTAINER} ${SCRIPTDIR}/50-spawn-kra ++ - docker exec -ti ${CONTAINER} ${SCRIPTDIR}/99-destroy + + after_script: + - docker kill ${CONTAINER} +diff --git a/.travis/40-spawn-ca b/.travis/40-spawn-ca +index 9986698..d6771db 100755 +--- a/.travis/40-spawn-ca ++++ b/.travis/40-spawn-ca +@@ -1,7 +1,7 @@ + #!/bin/bash + set -e + +-pkispawn -v -f ${BUILDDIR}/pki/.travis/pki.cfg -s CA ++pkispawn -vv -f ${BUILDDIR}/pki/.travis/pki.cfg -s CA + + echo "Waiting for port 8080" + for i in {1..20}; do +diff --git a/.travis/50-spawn-kra b/.travis/50-spawn-kra +index 80cb039..93f2f4c 100755 +--- a/.travis/50-spawn-kra ++++ b/.travis/50-spawn-kra +@@ -1,7 +1,7 @@ + #!/bin/bash + set -e + +-pkispawn -v -f ${BUILDDIR}/pki/.travis/pki.cfg -s KRA ++pkispawn -vv -f ${BUILDDIR}/pki/.travis/pki.cfg -s KRA + + echo "Waiting for port 8080" + for i in {1..20}; do +diff --git a/.travis/99-destroy b/.travis/99-destroy +new file mode 100755 +index 
0000000..d2fb1ad +--- /dev/null ++++ b/.travis/99-destroy +@@ -0,0 +1,11 @@ ++#!/bin/bash ++set -e ++ ++if [ -d /etc/pki/pkitest/kra ]; then ++ pkidestroy -v -i pkitest -s KRA ++fi ++ ++pkidestroy -v -i pkitest -s CA ++ ++remove-ds.pl -f -i slapd-pkitest ++ +diff --git a/.travis/py3rewrite b/.travis/py3rewrite +new file mode 100755 +index 0000000..f8a208d +--- /dev/null ++++ b/.travis/py3rewrite +@@ -0,0 +1,46 @@ ++#!/usr/bin/python3 ++import os ++import shutil ++ ++from distutils.sysconfig import get_python_lib ++ ++ ++BUILDDIR = os.environ['BUILDDIR'] ++PKIBASE = os.path.join(BUILDDIR, 'pki', 'base') ++PKICLIENT = os.path.join(PKIBASE, 'common', 'python', 'pki') ++PKISERVER = os.path.join(PKIBASE, 'server', 'python', 'pki', 'server') ++PKISBIN = os.path.join(PKIBASE, 'server', 'sbin') ++ ++SITEPACKAGES = get_python_lib() ++ ++ ++def copyscript(src, dst): ++ with open(src) as f: ++ lines = f.readlines() ++ lines[0] = '#!/usr/bin/python3\n' ++ with open(dst, 'w') as f: ++ os.fchmod(f.fileno(), 0o755) ++ f.writelines(lines) ++ ++ ++def copyfiles(): ++ shutil.rmtree(os.path.join(SITEPACKAGES, 'pki')) ++ shutil.copytree( ++ PKICLIENT, ++ os.path.join(SITEPACKAGES, 'pki') ++ ) ++ shutil.copytree( ++ PKISERVER, ++ os.path.join(SITEPACKAGES, 'pki', 'server') ++ ) ++ copyscript( ++ os.path.join(PKISBIN, 'pkispawn'), ++ '/usr/sbin/pkispawn' ++ ) ++ copyscript( ++ os.path.join(PKISBIN, 'pkidestroy'), ++ '/usr/sbin/pkidestroy' ++ ) ++ ++if __name__ == '__main__': ++ copyfiles() +diff --git a/base/server/python/pki/server/__init__.py b/base/server/python/pki/server/__init__.py +index 8898654..46c6711 100644 +--- a/base/server/python/pki/server/__init__.py ++++ b/base/server/python/pki/server/__init__.py +@@ -296,9 +296,9 @@ class PKISubsystem(object): + + def save(self): + sorted_config = sorted(self.config.items(), key=operator.itemgetter(0)) +- with io.open(self.cs_conf, 'wb') as f: ++ with io.open(self.cs_conf, 'w') as f: + for (key, value) in sorted_config: +- 
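Review bot: `shutil.rmtree(os.path.join(SITEPACKAGES, 'pki'))` in `copyfiles()` of .travis/py3rewrite raises if the directory is absent, and `copyscript()` indexes `lines[0]` unconditionally, so an empty source file fails with IndexError rather than a clear message; `shutil.rmtree(target, ignore_errors=True)` and a guard like `if not lines or not lines[0].startswith('#!'): raise SystemExit('no shebang in ' + src)` would make the script fail for the right reasons. Both `open()` calls omit `encoding=`, so the rewrite depends on the container's locale; pass `encoding='utf-8'` to each. `from distutils.sysconfig import get_python_lib` ties the script to distutils, which the standard-library `sysconfig.get_path('purelib')` replaces.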
f.write('%s=%s\n' % (key, value)) ++ f.write(u'%s=%s\n' % (key, value)) + + def is_valid(self): + return os.path.exists(self.conf_dir) +-- +1.8.3.1 + + +From ce3304834dbb3e4d001ecbbfc1af61044ae7a74c Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Thu, 20 Apr 2017 09:52:32 +0200 +Subject: [PATCH 24/49] Added AuthSuccessEvent. + +A new AuthSuccessEvent class of has been added to encapsulate the +AUTH_SUCCESS events. + +https://pagure.io/dogtagpki/issue/2641 + +Change-Id: Ie7cc751728ac079e30ece354ca44c5266474bcd3 +--- + .../certsrv/logging/event/AuthSuccessEvent.java | 39 ++++++++++++++++++++++ + .../cms/src/com/netscape/cms/realm/PKIRealm.java | 16 ++++----- + .../netscape/cms/servlet/admin/AdminServlet.java | 21 +++++------- + .../com/netscape/cms/servlet/base/CMSServlet.java | 9 ++--- + .../cms/servlet/processors/CAProcessor.java | 17 +++------- + 5 files changed, 61 insertions(+), 41 deletions(-) + create mode 100644 base/common/src/com/netscape/certsrv/logging/event/AuthSuccessEvent.java + +diff --git a/base/common/src/com/netscape/certsrv/logging/event/AuthSuccessEvent.java b/base/common/src/com/netscape/certsrv/logging/event/AuthSuccessEvent.java +new file mode 100644 +index 0000000..5d4f973 +--- /dev/null ++++ b/base/common/src/com/netscape/certsrv/logging/event/AuthSuccessEvent.java +@@ -0,0 +1,39 @@ ++// --- BEGIN COPYRIGHT BLOCK --- ++// This program is free software; you can redistribute it and/or modify ++// it under the terms of the GNU General Public License as published by ++// the Free Software Foundation; version 2 of the License. ++// ++// This program is distributed in the hope that it will be useful, ++// but WITHOUT ANY WARRANTY; without even the implied warranty of ++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++// GNU General Public License for more details. 
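Review bot: `with io.open(self.cs_conf, 'w') as f:` in `PKISubsystem.save()` opens the config in text mode without an `encoding=`, so the bytes written now depend on the process locale, and under Python 2 a `str` key or value holding non-ASCII bytes makes `u'%s=%s\n' % (key, value)` raise UnicodeDecodeError; `with io.open(self.cs_conf, 'w', encoding='utf-8') as f:` pins the on-disk encoding for both interpreters. The code that reads this file back is outside the hunk, so its decoding should be checked to match. A comment such as `# text mode: config values are text (str on Python 3, unicode on 2)` would record why 'wb' was dropped, a reason that is otherwise only in the commit message.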
++// ++// You should have received a copy of the GNU General Public License along ++// with this program; if not, write to the Free Software Foundation, Inc., ++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. ++// ++// (C) 2017 Red Hat, Inc. ++// All rights reserved. ++// --- END COPYRIGHT BLOCK --- ++package com.netscape.certsrv.logging.event; ++ ++import com.netscape.certsrv.logging.AuditEvent; ++ ++public class AuthSuccessEvent extends AuditEvent { ++ ++ private static final long serialVersionUID = 1L; ++ ++ public AuthSuccessEvent( ++ String subjectID, ++ String outcome, ++ String authManagerID) { ++ ++ super(AUTH_SUCCESS); ++ ++ setParameters(new Object[] { ++ subjectID, ++ outcome, ++ authManagerID ++ }); ++ } ++} +diff --git a/base/server/cms/src/com/netscape/cms/realm/PKIRealm.java b/base/server/cms/src/com/netscape/cms/realm/PKIRealm.java +index bcd3ff8..81de9fb 100644 +--- a/base/server/cms/src/com/netscape/cms/realm/PKIRealm.java ++++ b/base/server/cms/src/com/netscape/cms/realm/PKIRealm.java +@@ -18,6 +18,7 @@ import com.netscape.certsrv.authentication.IPasswdUserDBAuthentication; + import com.netscape.certsrv.base.SessionContext; + import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.ILogger; ++import com.netscape.certsrv.logging.event.AuthSuccessEvent; + import com.netscape.certsrv.usrgrp.EUsrGrpException; + import com.netscape.certsrv.usrgrp.IGroup; + import com.netscape.certsrv.usrgrp.IUGSubsystem; +@@ -60,14 +61,11 @@ public class PKIRealm extends RealmBase { + authToken.set(SessionContext.AUTH_MANAGER_ID, IAuthSubsystem.PASSWDUSERDB_AUTHMGR_ID); + auditSubjectID = authToken.getInString(IAuthToken.USER_ID); + +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.AUTH_SUCCESS, ++ audit(new AuthSuccessEvent( + auditSubjectID, + ILogger.SUCCESS, +- IAuthSubsystem.PASSWDUSERDB_AUTHMGR_ID); ++ IAuthSubsystem.PASSWDUSERDB_AUTHMGR_ID)); + +- 
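Review bot: `AuthSuccessEvent` is a new public class with no class-level Javadoc; add one above the declaration, e.g. `/** Signed audit event for AUTH_SUCCESS: records the authenticated subject, the outcome and the authentication manager that succeeded. */`, and document the three constructor parameters in the order `setParameters` stores them. Every caller converted in this commit (PKIRealm, AdminServlet, CMSServlet, CAProcessor) passes `ILogger.SUCCESS` as `outcome`, so a two-argument constructor delegating with `this(subjectID, ILogger.SUCCESS, authManagerID);` would prevent a failure outcome ever being recorded under an AUTH_SUCCESS event. The constructor does not constrain `subjectID`, which ends up interpolated into a signed audit record, so the Javadoc should state what callers are expected to pass (judging by the call sites, the normalized audit subject ID).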
audit(auditMessage); + return getPrincipal(username, authToken); + + } catch (Throwable e) { +@@ -120,14 +118,12 @@ public class PKIRealm extends RealmBase { + auditSubjectID = authToken.getInString(IAuthToken.USER_ID); + + CMS.debug("PKIRealm: User ID: " + username); +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.AUTH_SUCCESS, ++ ++ audit(new AuthSuccessEvent( + auditSubjectID, + ILogger.SUCCESS, +- IAuthSubsystem.CERTUSERDB_AUTHMGR_ID); ++ IAuthSubsystem.CERTUSERDB_AUTHMGR_ID)); + +- audit(auditMessage); + return getPrincipal(username, authToken); + + } catch (Throwable e) { +diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java +index 16a2e39..d530f6a 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java +@@ -35,8 +35,6 @@ import javax.servlet.http.HttpServlet; + import javax.servlet.http.HttpServletRequest; + import javax.servlet.http.HttpServletResponse; + +-import netscape.security.x509.X509CertImpl; +- + import com.netscape.certsrv.apps.CMS; + import com.netscape.certsrv.authentication.IAuthCredentials; + import com.netscape.certsrv.authentication.IAuthManager; +@@ -54,12 +52,15 @@ import com.netscape.certsrv.common.NameValuePairs; + import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.IAuditor; + import com.netscape.certsrv.logging.ILogger; ++import com.netscape.certsrv.logging.event.AuthSuccessEvent; + import com.netscape.certsrv.usrgrp.EUsrGrpException; + import com.netscape.certsrv.usrgrp.IUGSubsystem; + import com.netscape.certsrv.usrgrp.IUser; + import com.netscape.cms.servlet.base.UserInfo; + import com.netscape.cmsutil.util.Utils; + ++import netscape.security.x509.X509CertImpl; ++ + /** + * A class represents an administration servlet that + * is responsible to 
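Review bot: With `audit(auditMessage);` and the `auditMessage = CMS.getLogMessage(...)` assignment removed from both PKIRealm hunks, the `auditMessage` local they wrote to has no remaining writer in the shown code; if its declaration earlier in each method (outside the hunk) is not used by the failure path, it is now dead and should be dropped, along with the `AuditEvent` import if nothing else in the file references it. The same check applies to the converted AdminServlet, CMSServlet and CAProcessor hunks that follow. Each of those hunks starts and ends inside a larger method, so I could not confirm this from the diff alone.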
serve administrative +@@ -524,23 +525,17 @@ public class AdminServlet extends HttpServlet { + sc.put(SessionContext.LOCALE, locale); + + if (authType.equals("sslclientauth")) { +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.AUTH_SUCCESS, ++ ++ audit(new AuthSuccessEvent( + auditSubjectID(), + ILogger.SUCCESS, +- CERTUSERDB); ++ CERTUSERDB)); + +- audit(auditMessage); + } else { +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.AUTH_SUCCESS, ++ audit(new AuthSuccessEvent( + auditSubjectID(), + ILogger.SUCCESS, +- PASSWDUSERDB); +- +- audit(auditMessage); ++ PASSWDUSERDB)); + } + } catch (IOException eAudit1) { + if (authType.equals("sslclientauth")) { +diff --git a/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java b/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java +index a007a00..9168870 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java +@@ -66,6 +66,7 @@ import com.netscape.certsrv.dbs.certdb.ICertificateRepository; + import com.netscape.certsrv.kra.IKeyRecoveryAuthority; + import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.ILogger; ++import com.netscape.certsrv.logging.event.AuthSuccessEvent; + import com.netscape.certsrv.ra.IRegistrationAuthority; + import com.netscape.certsrv.request.IRequest; + import com.netscape.certsrv.request.IRequestQueue; +@@ -1789,14 +1790,10 @@ public abstract class CMSServlet extends HttpServlet { + // reset the "auditSubjectID" + auditSubjectID = auditSubjectID(); + +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.AUTH_SUCCESS, ++ audit(new AuthSuccessEvent( + auditSubjectID, + ILogger.SUCCESS, +- auditAuthMgrID); +- +- audit(auditMessage); ++ auditAuthMgrID)); + + return authToken; + } catch (EBaseException 
eAudit1) { +diff --git a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java +index a98d555..93d6a9a 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java +@@ -53,6 +53,7 @@ import com.netscape.certsrv.dbs.certdb.ICertRecord; + import com.netscape.certsrv.dbs.certdb.ICertificateRepository; + import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.ILogger; ++import com.netscape.certsrv.logging.event.AuthSuccessEvent; + import com.netscape.certsrv.profile.IProfile; + import com.netscape.certsrv.profile.IProfileAuthenticator; + import com.netscape.certsrv.profile.IProfileSubsystem; +@@ -520,14 +521,10 @@ public class CAProcessor extends Processor { + + authSubjectID = authSubjectID + " : " + uid_cred; + +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.AUTH_SUCCESS, ++ audit(new AuthSuccessEvent( + authSubjectID, + ILogger.SUCCESS, +- authMgrID); +- +- audit(auditMessage); ++ authMgrID)); + } + endTiming("profile_authentication"); + return authToken; +@@ -655,14 +652,10 @@ public class CAProcessor extends Processor { + // reset the "auditSubjectID" + auditSubjectID = auditSubjectID(); + +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.AUTH_SUCCESS, ++ audit(new AuthSuccessEvent( + auditSubjectID, + ILogger.SUCCESS, +- auditAuthMgrID); +- +- audit(auditMessage); ++ auditAuthMgrID)); + + return authToken; + } catch (EBaseException eAudit1) { +-- +1.8.3.1 + + +From 0de8be3084c4ccf23c2850331f86fc067e7c8383 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Thu, 20 Apr 2017 10:07:44 +0200 +Subject: [PATCH 25/49] Added AuthFailEvent. + +A new AuthFailEvent class of has been added to encapsulate the +AUTH_FAIL events. 
+ +https://pagure.io/dogtagpki/issue/2641 + +Change-Id: I870398f6a56df007c9520e50947a7b3c85baf79b +--- + .../certsrv/logging/event/AuthFailEvent.java | 41 +++++++++ + .../cms/src/com/netscape/cms/realm/PKIRealm.java | 22 +++-- + .../netscape/cms/servlet/admin/AdminServlet.java | 96 ++++++++-------------- + .../com/netscape/cms/servlet/base/CMSServlet.java | 11 ++- + .../cms/servlet/processors/CAProcessor.java | 27 +++--- + 5 files changed, 102 insertions(+), 95 deletions(-) + create mode 100644 base/common/src/com/netscape/certsrv/logging/event/AuthFailEvent.java + +diff --git a/base/common/src/com/netscape/certsrv/logging/event/AuthFailEvent.java b/base/common/src/com/netscape/certsrv/logging/event/AuthFailEvent.java +new file mode 100644 +index 0000000..a2c7d8d +--- /dev/null ++++ b/base/common/src/com/netscape/certsrv/logging/event/AuthFailEvent.java +@@ -0,0 +1,41 @@ ++// --- BEGIN COPYRIGHT BLOCK --- ++// This program is free software; you can redistribute it and/or modify ++// it under the terms of the GNU General Public License as published by ++// the Free Software Foundation; version 2 of the License. ++// ++// This program is distributed in the hope that it will be useful, ++// but WITHOUT ANY WARRANTY; without even the implied warranty of ++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++// GNU General Public License for more details. ++// ++// You should have received a copy of the GNU General Public License along ++// with this program; if not, write to the Free Software Foundation, Inc., ++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. ++// ++// (C) 2017 Red Hat, Inc. ++// All rights reserved. 
++// --- END COPYRIGHT BLOCK --- ++package com.netscape.certsrv.logging.event; ++ ++import com.netscape.certsrv.logging.AuditEvent; ++ ++public class AuthFailEvent extends AuditEvent { ++ ++ private static final long serialVersionUID = 1L; ++ ++ public AuthFailEvent( ++ String subjectID, ++ String outcome, ++ String authManagerID, ++ String attemptedUID) { ++ ++ super(AUTH_FAIL); ++ ++ setParameters(new Object[] { ++ subjectID, ++ outcome, ++ authManagerID, ++ attemptedUID ++ }); ++ } ++} +diff --git a/base/server/cms/src/com/netscape/cms/realm/PKIRealm.java b/base/server/cms/src/com/netscape/cms/realm/PKIRealm.java +index 81de9fb..8306193 100644 +--- a/base/server/cms/src/com/netscape/cms/realm/PKIRealm.java ++++ b/base/server/cms/src/com/netscape/cms/realm/PKIRealm.java +@@ -18,6 +18,7 @@ import com.netscape.certsrv.authentication.IPasswdUserDBAuthentication; + import com.netscape.certsrv.base.SessionContext; + import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.ILogger; ++import com.netscape.certsrv.logging.event.AuthFailEvent; + import com.netscape.certsrv.logging.event.AuthSuccessEvent; + import com.netscape.certsrv.usrgrp.EUsrGrpException; + import com.netscape.certsrv.usrgrp.IGroup; +@@ -45,7 +46,7 @@ public class PKIRealm extends RealmBase { + @Override + public Principal authenticate(String username, String password) { + CMS.debug("PKIRealm: Authenticating user " + username + " with password."); +- String auditMessage = null; ++ + String auditSubjectID = ILogger.UNIDENTIFIED; + String attemptedAuditUID = username; + +@@ -69,14 +70,13 @@ public class PKIRealm extends RealmBase { + return getPrincipal(username, authToken); + + } catch (Throwable e) { +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.AUTH_FAIL, ++ ++ audit(new AuthFailEvent( + auditSubjectID, + ILogger.FAILURE, + IAuthSubsystem.PASSWDUSERDB_AUTHMGR_ID, +- attemptedAuditUID); +- audit(auditMessage); ++ 
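Review bot: `AuthFailEvent` accepts an arbitrary `outcome` string although every call site in this patch (PKIRealm, AdminServlet, CMSServlet, CAProcessor) passes `ILogger.FAILURE`, so the constructor allows an AUTH_FAIL event whose outcome field reads SUCCESS. Either fix the outcome inside the constructor and drop the parameter, or document the expectation; the same observation applies to `AuthzSuccessEvent` and `AuthzFailEvent` added in the next two patches. The class also carries no Javadoc, so a header such as `/** AUTH_FAIL audit event: subject ID, outcome, authentication manager ID and the UID that was attempted. */` plus a note that `attemptedUID` is the identifier the caller presented would help readers who previously found this information in the `CMS.getLogMessage` template.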
attemptedAuditUID)); ++ + e.printStackTrace(); + } + +@@ -87,7 +87,6 @@ public class PKIRealm extends RealmBase { + public Principal authenticate(final X509Certificate certs[]) { + CMS.debug("PKIRealm: Authenticating certificate chain:"); + +- String auditMessage = null; + // get the cert from the ssl client auth + // in cert based auth, subject id from cert has already passed SSL authentication + // what remains is to see if the user exists in the internal user db +@@ -127,14 +126,13 @@ public class PKIRealm extends RealmBase { + return getPrincipal(username, authToken); + + } catch (Throwable e) { +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.AUTH_FAIL, ++ ++ audit(new AuthFailEvent( + auditSubjectID, + ILogger.FAILURE, + IAuthSubsystem.CERTUSERDB_AUTHMGR_ID, +- attemptedAuditUID); +- audit(auditMessage); ++ attemptedAuditUID)); ++ + e.printStackTrace(); + } + +diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java +index d530f6a..a715c73 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java +@@ -52,6 +52,7 @@ import com.netscape.certsrv.common.NameValuePairs; + import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.IAuditor; + import com.netscape.certsrv.logging.ILogger; ++import com.netscape.certsrv.logging.event.AuthFailEvent; + import com.netscape.certsrv.logging.event.AuthSuccessEvent; + import com.netscape.certsrv.usrgrp.EUsrGrpException; + import com.netscape.certsrv.usrgrp.IUGSubsystem; +@@ -274,7 +275,6 @@ public class AdminServlet extends HttpServlet { + protected void authenticate(HttpServletRequest req) throws + IOException { + +- String auditMessage = null; + String auditUID = ILogger.UNIDENTIFIED; + String authType = ""; + +@@ -297,15 +297,12 @@ public class 
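Review bot: In the PKIRealm hunk at -69 the `attemptedAuditUID` handed to `AuthFailEvent` is the raw `username` parameter (assigned in the -45 hunk), so a request-supplied string now reaches the signed audit log through `setParameters` rather than through `CMS.getLogMessage`. Whether `AuditEvent` renders parameters with the same formatting and control-character handling as the old path is not visible here; it is worth confirming, since a value containing line breaks could otherwise be read by log consumers as more than one record. A comment such as `// attemptedAuditUID is the caller-supplied username; the audit layer must render it as a single field` would record the expectation at the call site. The enclosing `authenticate(String, String)` method starts outside the hunk.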
AdminServlet extends HttpServlet { + (X509Certificate[]) req.getAttribute(CERT_ATTR); + + if (allCerts == null || allCerts.length == 0) { +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.AUTH_FAIL, ++ ++ audit(new AuthFailEvent( + ILogger.UNIDENTIFIED, + ILogger.FAILURE, + CERTUSERDB, +- auditUID); +- +- audit(auditMessage); ++ auditUID)); + + throw new IOException("No certificate"); + } +@@ -389,25 +386,20 @@ public class AdminServlet extends HttpServlet { + */ + + if (authType.equals("sslclientauth")) { +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.AUTH_FAIL, ++ ++ audit(new AuthFailEvent( + ILogger.UNIDENTIFIED, + ILogger.FAILURE, + CERTUSERDB, +- auditUID); ++ auditUID)); + +- audit(auditMessage); + } else { +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.AUTH_FAIL, ++ ++ audit(new AuthFailEvent( + ILogger.UNIDENTIFIED, + ILogger.FAILURE, + PASSWDUSERDB, +- auditUID); +- +- audit(auditMessage); ++ auditUID)); + } + + throw new IOException("authentication failed"); +@@ -423,25 +415,20 @@ public class AdminServlet extends HttpServlet { + tuserid)); + + if (authType.equals("sslclientauth")) { +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.AUTH_FAIL, ++ ++ audit(new AuthFailEvent( + ILogger.UNIDENTIFIED, + ILogger.FAILURE, + CERTUSERDB, +- auditUID); ++ auditUID)); + +- audit(auditMessage); + } else { +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.AUTH_FAIL, ++ ++ audit(new AuthFailEvent( + ILogger.UNIDENTIFIED, + ILogger.FAILURE, + PASSWDUSERDB, +- auditUID); +- +- audit(auditMessage); ++ auditUID)); + } + + throw new IOException("authentication failed"); +@@ -459,25 +446,20 @@ public class AdminServlet extends HttpServlet { + tuserid)); + + if (authType.equals("sslclientauth")) { +- // store a 
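Review bot: The AdminServlet hunks at -389, -423, -459, -495 and -539 each repeat the same `if (authType.equals("sslclientauth")) ... else ...` pair of `AuthFailEvent` calls, differing only in the auth-manager constant, and the -297 hunk is the certificate-only half of the same pattern. Since this patch already touches every one of them, folding the pair into one private helper would let a future change to the event parameters be made once; each pair then becomes `auditAuthFailure(authType, auditUID);`. The enclosing `authenticate(HttpServletRequest)` method starts in the -274 hunk and ends outside these hunks.
```java
    // Record an AUTH_FAIL event for the authentication type in use
    // (client-cert auth is attributed to CERTUSERDB, everything else to PASSWDUSERDB).
    private void auditAuthFailure(String authType, String auditUID) {
        String authMgrID = authType.equals("sslclientauth") ? CERTUSERDB : PASSWDUSERDB;
        audit(new AuthFailEvent(
                ILogger.UNIDENTIFIED,
                ILogger.FAILURE,
                authMgrID,
                auditUID));
    }
```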
message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.AUTH_FAIL, ++ ++ audit(new AuthFailEvent( + ILogger.UNIDENTIFIED, + ILogger.FAILURE, + CERTUSERDB, +- auditUID); ++ auditUID)); + +- audit(auditMessage); + } else { +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.AUTH_FAIL, ++ ++ audit(new AuthFailEvent( + ILogger.UNIDENTIFIED, + ILogger.FAILURE, + PASSWDUSERDB, +- auditUID); +- +- audit(auditMessage); ++ auditUID)); + } + + throw new IOException("authentication failed"); +@@ -495,25 +477,20 @@ public class AdminServlet extends HttpServlet { + CMS.getLogMessage("ADMIN_SRVLT_USR_GRP_ERR", e.toString())); + + if (authType.equals("sslclientauth")) { +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.AUTH_FAIL, ++ ++ audit(new AuthFailEvent( + ILogger.UNIDENTIFIED, + ILogger.FAILURE, + CERTUSERDB, +- auditUID); ++ auditUID)); + +- audit(auditMessage); + } else { +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.AUTH_FAIL, ++ ++ audit(new AuthFailEvent( + ILogger.UNIDENTIFIED, + ILogger.FAILURE, + PASSWDUSERDB, +- auditUID); +- +- audit(auditMessage); ++ auditUID)); + } + + throw new IOException("authentication failed"); +@@ -539,25 +516,20 @@ public class AdminServlet extends HttpServlet { + } + } catch (IOException eAudit1) { + if (authType.equals("sslclientauth")) { +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.AUTH_FAIL, ++ ++ audit(new AuthFailEvent( + ILogger.UNIDENTIFIED, + ILogger.FAILURE, + CERTUSERDB, +- auditUID); ++ auditUID)); + +- audit(auditMessage); + } else { +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.AUTH_FAIL, ++ ++ audit(new AuthFailEvent( + ILogger.UNIDENTIFIED, + ILogger.FAILURE, + PASSWDUSERDB, +- auditUID); +- +- audit(auditMessage); ++ 
auditUID)); + } + + // rethrow the specific exception to be handled later +diff --git a/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java b/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java +index 9168870..c23b9d1 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java +@@ -66,6 +66,7 @@ import com.netscape.certsrv.dbs.certdb.ICertificateRepository; + import com.netscape.certsrv.kra.IKeyRecoveryAuthority; + import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.ILogger; ++import com.netscape.certsrv.logging.event.AuthFailEvent; + import com.netscape.certsrv.logging.event.AuthSuccessEvent; + import com.netscape.certsrv.ra.IRegistrationAuthority; + import com.netscape.certsrv.request.IRequest; +@@ -1701,7 +1702,7 @@ public abstract class CMSServlet extends HttpServlet { + */ + public IAuthToken authenticate(HttpServletRequest httpReq, String authMgrName) + throws EBaseException { +- String auditMessage = null; ++ + String auditSubjectID = ILogger.UNIDENTIFIED; + String auditAuthMgrID = ILogger.UNIDENTIFIED; + String auditUID = ILogger.UNIDENTIFIED; +@@ -1797,14 +1798,12 @@ public abstract class CMSServlet extends HttpServlet { + + return authToken; + } catch (EBaseException eAudit1) { +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.AUTH_FAIL, ++ ++ audit(new AuthFailEvent( + auditSubjectID, + ILogger.FAILURE, + auditAuthMgrID, +- auditUID); +- audit(auditMessage); ++ auditUID)); + + // rethrow the specific exception to be handled later + throw eAudit1; +diff --git a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java +index 93d6a9a..a28bee1 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java ++++ 
b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java +@@ -53,6 +53,7 @@ import com.netscape.certsrv.dbs.certdb.ICertRecord; + import com.netscape.certsrv.dbs.certdb.ICertificateRepository; + import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.ILogger; ++import com.netscape.certsrv.logging.event.AuthFailEvent; + import com.netscape.certsrv.logging.event.AuthSuccessEvent; + import com.netscape.certsrv.profile.IProfile; + import com.netscape.certsrv.profile.IProfileAuthenticator; +@@ -474,7 +475,7 @@ public class CAProcessor extends Processor { + + String authSubjectID = auditSubjectID(); + String authMgrID = authenticator.getName(); +- String auditMessage = null; ++ + try { + if (isRenewal) { + authToken = authenticate(authenticator, request, origReq, context, credentials); +@@ -486,13 +487,12 @@ public class CAProcessor extends Processor { + CMS.debug("CAProcessor: authentication error: " + e); + + authSubjectID += " : " + uid_cred; +- auditMessage = CMS.getLogMessage( +- AuditEvent.AUTH_FAIL, ++ ++ audit(new AuthFailEvent( + authSubjectID, + ILogger.FAILURE, + authMgrID, +- uid_attempted_cred); +- audit(auditMessage); ++ uid_attempted_cred)); + + throw e; + +@@ -500,13 +500,12 @@ public class CAProcessor extends Processor { + CMS.debug(e); + + authSubjectID += " : " + uid_cred; +- auditMessage = CMS.getLogMessage( +- AuditEvent.AUTH_FAIL, ++ ++ audit(new AuthFailEvent( + authSubjectID, + ILogger.FAILURE, + authMgrID, +- uid_attempted_cred); +- audit(auditMessage); ++ uid_attempted_cred)); + + throw e; + } +@@ -565,7 +564,7 @@ public class CAProcessor extends Processor { + + public IAuthToken authenticate(HttpServletRequest httpReq, String authMgrName) + throws EBaseException { +- String auditMessage = null; ++ + String auditSubjectID = ILogger.UNIDENTIFIED; + String auditAuthMgrID = ILogger.UNIDENTIFIED; + String auditUID = ILogger.UNIDENTIFIED; +@@ -659,14 +658,12 @@ public class CAProcessor extends Processor 
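Review bot: The catch blocks in the CAProcessor hunks at -486 and -500 now contain the same `authSubjectID += " : " + uid_cred;`, `audit(new AuthFailEvent(...))` and `throw e;` sequence and differ only in the debug call, so any later change to the event parameters has to be made twice. Their catch headers are outside the hunks; if the exception types and the project's language level permit, a single multi-catch, or a small private helper taking the exception, would remove the duplication. The success path in the -520 hunk of the previous patch spells the same concatenation as `authSubjectID = authSubjectID + " : " + uid_cred;`, which is worth aligning with the `+=` form used here. The enclosing method starts and ends outside the hunks.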
{ + + return authToken; + } catch (EBaseException eAudit1) { +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.AUTH_FAIL, ++ ++ audit(new AuthFailEvent( + auditSubjectID, + ILogger.FAILURE, + auditAuthMgrID, +- auditUID); +- audit(auditMessage); ++ auditUID)); + + // rethrow the specific exception to be handled later + throw eAudit1; +-- +1.8.3.1 + + +From fdcb514b0711f10eab47c81837138192207e44b4 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Thu, 20 Apr 2017 16:30:18 +0200 +Subject: [PATCH 26/49] Added AuthzSuccessEvent. + +A new AuthzSuccessEvent class of has been added to encapsulate the +AUTHZ_SUCCESS events. + +https://pagure.io/dogtagpki/issue/2641 + +Change-Id: I2f45fb2c3ba8acdc82777644cf4ad0ec2eff35a5 +--- + .../certsrv/logging/event/AuthzSuccessEvent.java | 59 ++++++++++++++++++++++ + .../netscape/cms/servlet/admin/AdminServlet.java | 9 ++-- + .../com/netscape/cms/servlet/base/CMSServlet.java | 18 +++---- + .../cms/servlet/processors/CAProcessor.java | 18 +++---- + .../org/dogtagpki/server/rest/ACLInterceptor.java | 27 +++++----- + 5 files changed, 89 insertions(+), 42 deletions(-) + create mode 100644 base/common/src/com/netscape/certsrv/logging/event/AuthzSuccessEvent.java + +diff --git a/base/common/src/com/netscape/certsrv/logging/event/AuthzSuccessEvent.java b/base/common/src/com/netscape/certsrv/logging/event/AuthzSuccessEvent.java +new file mode 100644 +index 0000000..05e505c +--- /dev/null ++++ b/base/common/src/com/netscape/certsrv/logging/event/AuthzSuccessEvent.java +@@ -0,0 +1,59 @@ ++// --- BEGIN COPYRIGHT BLOCK --- ++// This program is free software; you can redistribute it and/or modify ++// it under the terms of the GNU General Public License as published by ++// the Free Software Foundation; version 2 of the License. 
++// ++// This program is distributed in the hope that it will be useful, ++// but WITHOUT ANY WARRANTY; without even the implied warranty of ++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++// GNU General Public License for more details. ++// ++// You should have received a copy of the GNU General Public License along ++// with this program; if not, write to the Free Software Foundation, Inc., ++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. ++// ++// (C) 2017 Red Hat, Inc. ++// All rights reserved. ++// --- END COPYRIGHT BLOCK --- ++package com.netscape.certsrv.logging.event; ++ ++import com.netscape.certsrv.logging.AuditEvent; ++ ++public class AuthzSuccessEvent extends AuditEvent { ++ ++ private static final long serialVersionUID = 1L; ++ ++ public AuthzSuccessEvent( ++ String subjectID, ++ String outcome, ++ String aclResource, ++ String operation) { ++ ++ super(AUTHZ_SUCCESS); ++ ++ setParameters(new Object[] { ++ subjectID, ++ outcome, ++ aclResource, ++ operation ++ }); ++ } ++ ++ public AuthzSuccessEvent( ++ String subjectID, ++ String outcome, ++ String aclResource, ++ String operation, ++ String info) { ++ ++ super(AUTHZ_SUCCESS_INFO); ++ ++ setParameters(new Object[] { ++ subjectID, ++ outcome, ++ aclResource, ++ operation, ++ info ++ }); ++ } ++} +diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java +index a715c73..adf9424 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java +@@ -54,6 +54,7 @@ import com.netscape.certsrv.logging.IAuditor; + import com.netscape.certsrv.logging.ILogger; + import com.netscape.certsrv.logging.event.AuthFailEvent; + import com.netscape.certsrv.logging.event.AuthSuccessEvent; ++import com.netscape.certsrv.logging.event.AuthzSuccessEvent; + import 
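Review bot: `AuthzSuccessEvent` has two constructors that differ only by a trailing `info` argument yet bind to different event templates (`AUTHZ_SUCCESS` vs `AUTHZ_SUCCESS_INFO`), so the template is chosen silently by overload resolution at each call site; `AuthzFailEvent` in the next patch uses the same design with `AUTHZ_FAIL` and `AUTHZ_FAIL_INFO`. A Javadoc line on each constructor, e.g. `/** Emits AUTHZ_SUCCESS_INFO: used when an explanatory info string accompanies the decision; resource and operation may be null. */`, would make the mapping visible, and a class-level comment listing the parameter order would replace the explicit template name that the old `CMS.getLogMessage` calls carried. The `null` resource and operation are what the ACLInterceptor hunks of this patch pass, so the comment reflects actual usage rather than an assumption.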
com.netscape.certsrv.usrgrp.EUsrGrpException; + import com.netscape.certsrv.usrgrp.IUGSubsystem; + import com.netscape.certsrv.usrgrp.IUser; +@@ -676,15 +677,11 @@ public class AdminServlet extends HttpServlet { + return null; + } + +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.AUTHZ_SUCCESS, ++ audit(new AuthzSuccessEvent( + auditSubjectID, + ILogger.SUCCESS, + auditACLResource, +- auditOperation); +- +- audit(auditMessage); ++ auditOperation)); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +diff --git a/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java b/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java +index c23b9d1..c70f55a 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java +@@ -68,6 +68,7 @@ import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.ILogger; + import com.netscape.certsrv.logging.event.AuthFailEvent; + import com.netscape.certsrv.logging.event.AuthSuccessEvent; ++import com.netscape.certsrv.logging.event.AuthzSuccessEvent; + import com.netscape.certsrv.ra.IRegistrationAuthority; + import com.netscape.certsrv.request.IRequest; + import com.netscape.certsrv.request.IRequestQueue; +@@ -1822,14 +1823,12 @@ public abstract class CMSServlet extends HttpServlet { + try { + authzToken = mAuthz.authorize(authzMgrName, authToken, exp); + if (authzToken != null) { +- auditMessage = CMS.getLogMessage( +- AuditEvent.AUTHZ_SUCCESS, ++ ++ audit(new AuthzSuccessEvent( + auditSubjectID, + ILogger.SUCCESS, + auditACLResource, +- auditOperation); +- +- audit(auditMessage); ++ auditOperation)); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +@@ -1955,15 +1954,12 @@ public abstract class CMSServlet extends HttpServlet { + operation); + + if (authzTok != null) { +- // 
store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.AUTHZ_SUCCESS, ++ ++ audit(new AuthzSuccessEvent( + auditSubjectID, + ILogger.SUCCESS, + auditACLResource, +- auditOperation); +- +- audit(auditMessage); ++ auditOperation)); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +diff --git a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java +index a28bee1..8760caf 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java +@@ -55,6 +55,7 @@ import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.ILogger; + import com.netscape.certsrv.logging.event.AuthFailEvent; + import com.netscape.certsrv.logging.event.AuthSuccessEvent; ++import com.netscape.certsrv.logging.event.AuthzSuccessEvent; + import com.netscape.certsrv.profile.IProfile; + import com.netscape.certsrv.profile.IProfileAuthenticator; + import com.netscape.certsrv.profile.IProfileSubsystem; +@@ -707,14 +708,12 @@ public class CAProcessor extends Processor { + try { + authzToken = authz.authorize(authzMgrName, authToken, exp); + if (authzToken != null) { +- auditMessage = CMS.getLogMessage( +- AuditEvent.AUTHZ_SUCCESS, ++ ++ audit(new AuthzSuccessEvent( + auditSubjectID, + ILogger.SUCCESS, + auditACLResource, +- auditOperation); +- +- audit(auditMessage); ++ auditOperation)); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +@@ -839,15 +838,12 @@ public class CAProcessor extends Processor { + operation); + + if (authzTok != null) { +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.AUTHZ_SUCCESS, ++ ++ audit(new AuthzSuccessEvent( + auditSubjectID, + ILogger.SUCCESS, + auditACLResource, +- auditOperation); +- 
+- audit(auditMessage); ++ auditOperation)); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +diff --git a/base/server/cms/src/org/dogtagpki/server/rest/ACLInterceptor.java b/base/server/cms/src/org/dogtagpki/server/rest/ACLInterceptor.java +index 331bae1..490eaed 100644 +--- a/base/server/cms/src/org/dogtagpki/server/rest/ACLInterceptor.java ++++ b/base/server/cms/src/org/dogtagpki/server/rest/ACLInterceptor.java +@@ -47,6 +47,7 @@ import com.netscape.certsrv.base.EBaseException; + import com.netscape.certsrv.base.ForbiddenException; + import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.ILogger; ++import com.netscape.certsrv.logging.event.AuthzSuccessEvent; + import com.netscape.cms.realm.PKIPrincipal; + + /** +@@ -189,15 +190,14 @@ public class ACLInterceptor implements ContainerRequestFilter { + // If still not available, it's unprotected, allow request. + if (!authzRequired) { + CMS.debug("ACLInterceptor: No ACL mapping; authz not required."); +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.AUTHZ_SUCCESS_INFO, ++ ++ audit(new AuthzSuccessEvent( + auditSubjectID, + ILogger.SUCCESS, + null, //resource + null, //operation +- LOGGING_MISSING_ACL_MAPPING + ":" + auditInfo); //info +- audit(auditMessage); ++ LOGGING_MISSING_ACL_MAPPING + ":" + auditInfo)); //info ++ + return; + } + +@@ -230,14 +230,14 @@ public class ACLInterceptor implements ContainerRequestFilter { + // If no property defined, allow request. 
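Review bot: In the ACLInterceptor hunk at -189 a request with no ACL mapping is allowed and recorded as an `AuthzSuccessEvent` with `null` resource and `null` operation, distinguishable from a real authorization success only by the `LOGGING_MISSING_ACL_MAPPING` info string; the -230 hunk does the same for a missing ACL configuration with `LOGGING_NO_ACL_ACCESS_ALLOWED`. Because these are the allow-by-default paths, a comment stating that intent would help anyone reading the audit trail or the filter, e.g. `// Unprotected endpoint: audited as AUTHZ_SUCCESS_INFO with null resource/operation; only the info field records that no ACL applied.` The `//resource`, `//operation` and `//info` argument comments here are also spaced differently from `// resource` and `// operation` in the -317 hunk of the same file. The enclosing `filter` method starts and ends outside the hunk.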
+ if (value == null) { + CMS.debug("ACLInterceptor: No ACL configuration."); +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.AUTHZ_SUCCESS_INFO, ++ ++ audit(new AuthzSuccessEvent( + auditSubjectID, + ILogger.SUCCESS, + null, //resource + null, //operation +- LOGGING_NO_ACL_ACCESS_ALLOWED + ":" + auditInfo); ++ LOGGING_NO_ACL_ACCESS_ALLOWED + ":" + auditInfo)); ++ + return; + } + +@@ -317,15 +317,14 @@ public class ACLInterceptor implements ContainerRequestFilter { + } + + // Allow request. +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.AUTHZ_SUCCESS_INFO, ++ ++ audit(new AuthzSuccessEvent( + auditSubjectID, + ILogger.SUCCESS, + values[0], // resource + values[1], // operation +- auditInfo); +- audit(auditMessage); ++ auditInfo)); ++ + return; + } + +-- +1.8.3.1 + + +From 30d1575046065dbd79f537e5f819c405e45af0bc Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Thu, 20 Apr 2017 16:49:28 +0200 +Subject: [PATCH 27/49] Added AuthzFailEvent. + +A new AuthzFailEvent class of has been added to encapsulate the +AUTHZ_FAIL events. 
+ +https://pagure.io/dogtagpki/issue/2641 + +Change-Id: Id4ab9bd889a1a9314264c0ef2ff7b2389aed8f9c +--- + .../certsrv/logging/event/AuthzFailEvent.java | 59 ++++++++++++++++++++++ + .../netscape/cms/servlet/admin/AdminServlet.java | 26 +++------- + .../com/netscape/cms/servlet/base/CMSServlet.java | 44 ++++++---------- + .../cms/servlet/processors/CAProcessor.java | 35 +++++-------- + .../org/dogtagpki/server/rest/ACLInterceptor.java | 52 ++++++++----------- + 5 files changed, 118 insertions(+), 98 deletions(-) + create mode 100644 base/common/src/com/netscape/certsrv/logging/event/AuthzFailEvent.java + +diff --git a/base/common/src/com/netscape/certsrv/logging/event/AuthzFailEvent.java b/base/common/src/com/netscape/certsrv/logging/event/AuthzFailEvent.java +new file mode 100644 +index 0000000..1e44919 +--- /dev/null ++++ b/base/common/src/com/netscape/certsrv/logging/event/AuthzFailEvent.java +@@ -0,0 +1,59 @@ ++// --- BEGIN COPYRIGHT BLOCK --- ++// This program is free software; you can redistribute it and/or modify ++// it under the terms of the GNU General Public License as published by ++// the Free Software Foundation; version 2 of the License. ++// ++// This program is distributed in the hope that it will be useful, ++// but WITHOUT ANY WARRANTY; without even the implied warranty of ++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++// GNU General Public License for more details. ++// ++// You should have received a copy of the GNU General Public License along ++// with this program; if not, write to the Free Software Foundation, Inc., ++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. ++// ++// (C) 2017 Red Hat, Inc. ++// All rights reserved. 
++// --- END COPYRIGHT BLOCK --- ++package com.netscape.certsrv.logging.event; ++ ++import com.netscape.certsrv.logging.AuditEvent; ++ ++public class AuthzFailEvent extends AuditEvent { ++ ++ private static final long serialVersionUID = 1L; ++ ++ public AuthzFailEvent( ++ String subjectID, ++ String outcome, ++ String aclResource, ++ String operation) { ++ ++ super(AUTHZ_FAIL); ++ ++ setParameters(new Object[] { ++ subjectID, ++ outcome, ++ aclResource, ++ operation ++ }); ++ } ++ ++ public AuthzFailEvent( ++ String subjectID, ++ String outcome, ++ String aclResource, ++ String operation, ++ String info) { ++ ++ super(AUTHZ_FAIL_INFO); ++ ++ setParameters(new Object[] { ++ subjectID, ++ outcome, ++ aclResource, ++ operation, ++ info ++ }); ++ } ++} +diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java +index adf9424..ecc6a7d 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java +@@ -54,6 +54,7 @@ import com.netscape.certsrv.logging.IAuditor; + import com.netscape.certsrv.logging.ILogger; + import com.netscape.certsrv.logging.event.AuthFailEvent; + import com.netscape.certsrv.logging.event.AuthSuccessEvent; ++import com.netscape.certsrv.logging.event.AuthzFailEvent; + import com.netscape.certsrv.logging.event.AuthzSuccessEvent; + import com.netscape.certsrv.usrgrp.EUsrGrpException; + import com.netscape.certsrv.usrgrp.IUGSubsystem; +@@ -611,15 +612,11 @@ public class AdminServlet extends HttpServlet { + } catch (EAuthzAccessDenied e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); + +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.AUTHZ_FAIL, ++ audit(new AuthzFailEvent( + auditSubjectID, + ILogger.FAILURE, + auditACLResource, +- auditOperation); +- +- 
audit(auditMessage); ++ auditOperation)); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +@@ -634,15 +631,11 @@ public class AdminServlet extends HttpServlet { + } catch (EBaseException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); + +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.AUTHZ_FAIL, ++ audit(new AuthzFailEvent( + auditSubjectID, + ILogger.FAILURE, + auditACLResource, +- auditOperation); +- +- audit(auditMessage); ++ auditOperation)); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +@@ -655,15 +648,12 @@ public class AdminServlet extends HttpServlet { + + return null; + } catch (Exception e) { +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.AUTHZ_FAIL, ++ ++ audit(new AuthzFailEvent( + auditSubjectID, + ILogger.FAILURE, + auditACLResource, +- auditOperation); +- +- audit(auditMessage); ++ auditOperation)); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +diff --git a/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java b/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java +index c70f55a..afb109a 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java +@@ -68,6 +68,7 @@ import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.ILogger; + import com.netscape.certsrv.logging.event.AuthFailEvent; + import com.netscape.certsrv.logging.event.AuthSuccessEvent; ++import com.netscape.certsrv.logging.event.AuthzFailEvent; + import com.netscape.certsrv.logging.event.AuthzSuccessEvent; + import com.netscape.certsrv.ra.IRegistrationAuthority; + import com.netscape.certsrv.request.IRequest; +@@ -1839,14 +1840,12 @@ public abstract class CMSServlet 
extends HttpServlet { + + audit(auditMessage); + } else { +- auditMessage = CMS.getLogMessage( +- AuditEvent.AUTHZ_FAIL, ++ ++ audit(new AuthzFailEvent( + auditSubjectID, + ILogger.FAILURE, + auditACLResource, +- auditOperation); +- +- audit(auditMessage); ++ auditOperation)); + + auditMessage = CMS.getLogMessage( + AuditEvent.ROLE_ASSUME, +@@ -1858,14 +1857,12 @@ public abstract class CMSServlet extends HttpServlet { + } + return authzToken; + } catch (Exception e) { +- auditMessage = CMS.getLogMessage( +- AuditEvent.AUTHZ_FAIL, ++ ++ audit(new AuthzFailEvent( + auditSubjectID, + ILogger.FAILURE, + auditACLResource, +- auditOperation); +- +- audit(auditMessage); ++ auditOperation)); + + auditMessage = CMS.getLogMessage( + AuditEvent.ROLE_ASSUME, +@@ -1970,15 +1967,12 @@ public abstract class CMSServlet extends HttpServlet { + + audit(auditMessage); + } else { +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.AUTHZ_FAIL, ++ ++ audit(new AuthzFailEvent( + auditSubjectID, + ILogger.FAILURE, + auditACLResource, +- auditOperation); +- +- audit(auditMessage); ++ auditOperation)); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +@@ -1992,15 +1986,12 @@ public abstract class CMSServlet extends HttpServlet { + + return authzTok; + } catch (EBaseException eAudit1) { +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.AUTHZ_FAIL, ++ ++ audit(new AuthzFailEvent( + auditSubjectID, + ILogger.FAILURE, + auditACLResource, +- auditOperation); +- +- audit(auditMessage); ++ auditOperation)); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +@@ -2013,15 +2004,12 @@ public abstract class CMSServlet extends HttpServlet { + + return null; + } catch (Exception eAudit1) { +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.AUTHZ_FAIL, ++ ++ audit(new 
AuthzFailEvent( + auditSubjectID, + ILogger.FAILURE, + auditACLResource, +- auditOperation); +- +- audit(auditMessage); ++ auditOperation)); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +diff --git a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java +index 8760caf..1d04f3a 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java +@@ -55,6 +55,7 @@ import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.ILogger; + import com.netscape.certsrv.logging.event.AuthFailEvent; + import com.netscape.certsrv.logging.event.AuthSuccessEvent; ++import com.netscape.certsrv.logging.event.AuthzFailEvent; + import com.netscape.certsrv.logging.event.AuthzSuccessEvent; + import com.netscape.certsrv.profile.IProfile; + import com.netscape.certsrv.profile.IProfileAuthenticator; +@@ -724,14 +725,12 @@ public class CAProcessor extends Processor { + + audit(auditMessage); + } else { +- auditMessage = CMS.getLogMessage( +- AuditEvent.AUTHZ_FAIL, ++ ++ audit(new AuthzFailEvent( + auditSubjectID, + ILogger.FAILURE, + auditACLResource, +- auditOperation); +- +- audit(auditMessage); ++ auditOperation)); + + auditMessage = CMS.getLogMessage( + AuditEvent.ROLE_ASSUME, +@@ -743,14 +742,12 @@ public class CAProcessor extends Processor { + } + return authzToken; + } catch (EBaseException e) { +- auditMessage = CMS.getLogMessage( +- AuditEvent.AUTHZ_FAIL, ++ ++ audit(new AuthzFailEvent( + auditSubjectID, + ILogger.FAILURE, + auditACLResource, +- auditOperation); +- +- audit(auditMessage); ++ auditOperation)); + + auditMessage = CMS.getLogMessage( + AuditEvent.ROLE_ASSUME, +@@ -854,15 +851,12 @@ public class CAProcessor extends Processor { + + audit(auditMessage); + } else { +- // store a message in the signed audit log file 
+- auditMessage = CMS.getLogMessage( +- AuditEvent.AUTHZ_FAIL, ++ ++ audit(new AuthzFailEvent( + auditSubjectID, + ILogger.FAILURE, + auditACLResource, +- auditOperation); +- +- audit(auditMessage); ++ auditOperation)); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +@@ -876,15 +870,12 @@ public class CAProcessor extends Processor { + + return authzTok; + } catch (Exception eAudit1) { +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.AUTHZ_FAIL, ++ ++ audit(new AuthzFailEvent( + auditSubjectID, + ILogger.FAILURE, + auditACLResource, +- auditOperation); +- +- audit(auditMessage); ++ auditOperation)); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +diff --git a/base/server/cms/src/org/dogtagpki/server/rest/ACLInterceptor.java b/base/server/cms/src/org/dogtagpki/server/rest/ACLInterceptor.java +index 490eaed..b4f75f1 100644 +--- a/base/server/cms/src/org/dogtagpki/server/rest/ACLInterceptor.java ++++ b/base/server/cms/src/org/dogtagpki/server/rest/ACLInterceptor.java +@@ -47,6 +47,7 @@ import com.netscape.certsrv.base.EBaseException; + import com.netscape.certsrv.base.ForbiddenException; + import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.ILogger; ++import com.netscape.certsrv.logging.event.AuthzFailEvent; + import com.netscape.certsrv.logging.event.AuthzSuccessEvent; + import com.netscape.cms.realm.PKIPrincipal; + +@@ -108,7 +109,6 @@ public class ACLInterceptor implements ContainerRequestFilter { + String auditInfo = clazz.getSimpleName() + "." 
+ method.getName(); + + CMS.debug("ACLInterceptor: " + auditInfo + "()"); +- String auditMessage = null; + String auditSubjectID = ILogger.UNIDENTIFIED; + + /* +@@ -174,14 +174,13 @@ public class ACLInterceptor implements ContainerRequestFilter { + CMS.debug("ACLInterceptor: No authentication token present."); + // store a message in the signed audit log file + // although if it didn't pass authentication, it should not have gotten here +- auditMessage = CMS.getLogMessage( +- AuditEvent.AUTHZ_FAIL_INFO, ++ audit(new AuthzFailEvent( + auditSubjectID, + ILogger.FAILURE, + null, // resource + null, // operation +- LOGGING_MISSING_AUTH_TOKEN + ":" + auditInfo); +- audit(auditMessage); ++ LOGGING_MISSING_AUTH_TOKEN + ":" + auditInfo)); ++ + throw new ForbiddenException("No authorization token present."); + } + if (authToken != null) +@@ -213,16 +212,14 @@ public class ACLInterceptor implements ContainerRequestFilter { + value = properties.getProperty(name); + + } catch (IOException e) { +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.AUTHZ_FAIL_INFO, ++ ++ audit(new AuthzFailEvent( + auditSubjectID, + ILogger.FAILURE, + null, //resource + null, //operation +- LOGGING_ACL_PARSING_ERROR + ":" + auditInfo); ++ LOGGING_ACL_PARSING_ERROR + ":" + auditInfo)); + +- audit(auditMessage); + e.printStackTrace(); + throw new Failure(e); + } +@@ -246,16 +243,14 @@ public class ACLInterceptor implements ContainerRequestFilter { + // If invalid mapping, reject request. 
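Review bot: The five-argument `audit(new AuthzFailEvent(auditSubjectID, ILogger.FAILURE, null, null, LOGGING_MISSING_AUTH_TOKEN + ":" + auditInfo))` replaces a message that was typed `AuditEvent.AUTHZ_FAIL_INFO`, whereas the four-argument form in the CMSServlet and CAProcessor hunks above replaces `AuditEvent.AUTHZ_FAIL`. AuthzFailEvent's definition is not part of this chunk, so it is worth confirming that its five-argument constructor selects the AUTHZ_FAIL_INFO event type; if it falls back to AUTHZ_FAIL, the info suffix would be silently lost from the signed audit record, and the same applies to the four ACLInterceptor hunks that follow. A call-site comment such as `// five-arg form: AUTHZ_FAIL_INFO, carries the info string` would make the distinction visible. The enclosing filter method continues outside the hunk.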
+ if (values.length != 2) {
+ CMS.debug("ACLInterceptor: Invalid ACL mapping.");
+- // store a message in the signed audit log file
+- auditMessage = CMS.getLogMessage(
+- AuditEvent.AUTHZ_FAIL_INFO,
++
++ audit(new AuthzFailEvent(
+ auditSubjectID,
+ ILogger.FAILURE,
+ null, //resource
+ null, //operation
+- LOGGING_INVALID_ACL_MAPPING + ":" + auditInfo);
++ LOGGING_INVALID_ACL_MAPPING + ":" + auditInfo));
+
+- audit(auditMessage);
+ throw new ForbiddenException("Invalid ACL mapping.");
+ }
+
+@@ -273,15 +268,14 @@ public class ACLInterceptor implements ContainerRequestFilter {
+ if (authzToken == null) {
+ String info = "No authorization token present.";
+ CMS.debug("ACLInterceptor: " + info);
+- // store a message in the signed audit log file
+- auditMessage = CMS.getLogMessage(
+- AuditEvent.AUTHZ_FAIL_INFO,
++
++ audit(new AuthzFailEvent(
+ auditSubjectID,
+ ILogger.FAILURE,
+ values[0], // resource
+ values[1], // operation
+- info);
+- audit(auditMessage);
++ info));
++
+ throw new ForbiddenException("No authorization token present.");
+ }
+
+@@ -290,28 +284,26 @@ public class ACLInterceptor implements ContainerRequestFilter {
+ } catch (EAuthzAccessDenied e) {
+ String info = e.getMessage();
+ CMS.debug("ACLInterceptor: " + info);
+- // store a message in the signed audit log file
+- auditMessage = CMS.getLogMessage(
+- AuditEvent.AUTHZ_FAIL_INFO,
++
++ audit(new AuthzFailEvent(
+ auditSubjectID,
+ ILogger.FAILURE,
+ values[0], // resource
+ values[1], // operation
+- info);
+- audit(auditMessage);
++ info));
++
+ throw new ForbiddenException(e.toString());
+
+ } catch (EBaseException e) {
+ String info = e.getMessage();
+- // store a message in the signed audit log file
+- auditMessage = CMS.getLogMessage(
+- AuditEvent.AUTHZ_FAIL_INFO,
++
++ audit(new AuthzFailEvent(
+ auditSubjectID,
+ ILogger.FAILURE,
+ values[0], // resource
+ values[1], // operation
+- info);
+- audit(auditMessage);
++ info));
++
+ e.printStackTrace();
+ throw new Failure(e);
+ }
+-- 
+1.8.3.1
+
+
+From aad80e8775eac61ed9eac2f3f94d2ec90207e827 Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata"
+Date: Thu, 20 Apr 2017 10:20:06 +0200
+Subject: [PATCH 28/49] Added RoleAssumeEvent.
+
+A new RoleAssumeEvent class of has been added to encapsulate the
+ROLE_ASSUME events.
+
+https://pagure.io/dogtagpki/issue/2641
+
+Change-Id: I12e47ea13198b6532b1fdfee2e20765c0cab15e9
+---
+ .../certsrv/logging/event/RoleAssumeEvent.java | 39 +++++++++++++++
+ .../netscape/cms/servlet/admin/AdminServlet.java | 35 ++++----------
+ .../com/netscape/cms/servlet/base/CMSServlet.java | 56 +++++++---------------
+ .../servlet/csadmin/SecurityDomainProcessor.java | 15 +++---
+ .../cms/servlet/processors/CAProcessor.java | 48 ++++++-------------
+ 5 files changed, 88 insertions(+), 105 deletions(-)
+ create mode 100644 base/common/src/com/netscape/certsrv/logging/event/RoleAssumeEvent.java
+
+diff --git a/base/common/src/com/netscape/certsrv/logging/event/RoleAssumeEvent.java b/base/common/src/com/netscape/certsrv/logging/event/RoleAssumeEvent.java
+new file mode 100644
+index 0000000..2715893
+--- /dev/null
++++ b/base/common/src/com/netscape/certsrv/logging/event/RoleAssumeEvent.java
+@@ -0,0 +1,39 @@
++// --- BEGIN COPYRIGHT BLOCK ---
++// This program is free software; you can redistribute it and/or modify
++// it under the terms of the GNU General Public License as published by
++// the Free Software Foundation; version 2 of the License.
++//
++// This program is distributed in the hope that it will be useful,
++// but WITHOUT ANY WARRANTY; without even the implied warranty of
++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++// GNU General Public License for more details.
++//
++// You should have received a copy of the GNU General Public License along
++// with this program; if not, write to the Free Software Foundation, Inc.,
++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
++//
++// (C) 2017 Red Hat, Inc.
++// All rights reserved.
++// --- END COPYRIGHT BLOCK --- ++package com.netscape.certsrv.logging.event; ++ ++import com.netscape.certsrv.logging.AuditEvent; ++ ++public class RoleAssumeEvent extends AuditEvent { ++ ++ private static final long serialVersionUID = 1L; ++ ++ public RoleAssumeEvent( ++ String subjectID, ++ String outcome, ++ String groups) { ++ ++ super(ROLE_ASSUME); ++ ++ setParameters(new Object[] { ++ subjectID, ++ outcome, ++ groups ++ }); ++ } ++} +diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java +index ecc6a7d..662a3e9 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java +@@ -56,6 +56,7 @@ import com.netscape.certsrv.logging.event.AuthFailEvent; + import com.netscape.certsrv.logging.event.AuthSuccessEvent; + import com.netscape.certsrv.logging.event.AuthzFailEvent; + import com.netscape.certsrv.logging.event.AuthzSuccessEvent; ++import com.netscape.certsrv.logging.event.RoleAssumeEvent; + import com.netscape.certsrv.usrgrp.EUsrGrpException; + import com.netscape.certsrv.usrgrp.IUGSubsystem; + import com.netscape.certsrv.usrgrp.IUser; +@@ -573,7 +574,7 @@ public class AdminServlet extends HttpServlet { + * @return the authorization token + */ + protected AuthzToken authorize(HttpServletRequest req) { +- String auditMessage = null; ++ + String auditSubjectID = auditSubjectID(); + String auditACLResource = ILogger.SIGNED_AUDIT_EMPTY_VALUE; + String auditOperation = ILogger.SIGNED_AUDIT_EMPTY_VALUE; +@@ -618,14 +619,10 @@ public class AdminServlet extends HttpServlet { + auditACLResource, + auditOperation)); + +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.ROLE_ASSUME, ++ audit(new RoleAssumeEvent( + auditSubjectID, + ILogger.FAILURE, +- auditGroups(auditSubjectID)); +- +- audit(auditMessage); ++ 
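Review bot: RoleAssumeEvent has no Javadoc, and its constructor stores its three arguments positionally through `setParameters`, so nothing records that the order must match what `CMS.getLogMessage(AuditEvent.ROLE_ASSUME, ...)` previously received (subject ID, outcome, groups). A class comment along the lines of `/** Signed-audit ROLE_ASSUME event. Parameters are positional and must match the ROLE_ASSUME message format: subjectID, outcome (ILogger.SUCCESS or ILogger.FAILURE), groups. */` would protect the audit format from an accidental reordering. The same applies to ConfigRoleEvent in the later hunk, whose third parameter is the serialized parameter string passed as `auditParams` rather than a group list.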
auditGroups(auditSubjectID))); + + return null; + } catch (EBaseException e) { +@@ -637,14 +634,10 @@ public class AdminServlet extends HttpServlet { + auditACLResource, + auditOperation)); + +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.ROLE_ASSUME, ++ audit(new RoleAssumeEvent( + auditSubjectID, + ILogger.FAILURE, +- auditGroups(auditSubjectID)); +- +- audit(auditMessage); ++ auditGroups(auditSubjectID))); + + return null; + } catch (Exception e) { +@@ -655,14 +648,10 @@ public class AdminServlet extends HttpServlet { + auditACLResource, + auditOperation)); + +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.ROLE_ASSUME, ++ audit(new RoleAssumeEvent( + auditSubjectID, + ILogger.FAILURE, +- auditGroups(auditSubjectID)); +- +- audit(auditMessage); ++ auditGroups(auditSubjectID))); + + return null; + } +@@ -673,14 +662,10 @@ public class AdminServlet extends HttpServlet { + auditACLResource, + auditOperation)); + +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.ROLE_ASSUME, ++ audit(new RoleAssumeEvent( + auditSubjectID, + ILogger.SUCCESS, +- auditGroups(auditSubjectID)); +- +- audit(auditMessage); ++ auditGroups(auditSubjectID))); + + return authzTok; + } +diff --git a/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java b/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java +index afb109a..9dc7470 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java +@@ -70,6 +70,7 @@ import com.netscape.certsrv.logging.event.AuthFailEvent; + import com.netscape.certsrv.logging.event.AuthSuccessEvent; + import com.netscape.certsrv.logging.event.AuthzFailEvent; + import com.netscape.certsrv.logging.event.AuthzSuccessEvent; ++import com.netscape.certsrv.logging.event.RoleAssumeEvent; + import 
com.netscape.certsrv.ra.IRegistrationAuthority; + import com.netscape.certsrv.request.IRequest; + import com.netscape.certsrv.request.IRequestQueue; +@@ -1815,7 +1816,7 @@ public abstract class CMSServlet extends HttpServlet { + public AuthzToken authorize(String authzMgrName, String resource, IAuthToken authToken, + String exp) throws EBaseException { + AuthzToken authzToken = null; +- String auditMessage = null; ++ + String auditSubjectID = auditSubjectID(); + String auditGroupID = auditGroupID(); + String auditACLResource = resource; +@@ -1831,14 +1832,11 @@ public abstract class CMSServlet extends HttpServlet { + auditACLResource, + auditOperation)); + +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.ROLE_ASSUME, ++ audit(new RoleAssumeEvent( + auditSubjectID, + ILogger.SUCCESS, +- auditGroupID); ++ auditGroupID)); + +- audit(auditMessage); + } else { + + audit(new AuthzFailEvent( +@@ -1847,13 +1845,10 @@ public abstract class CMSServlet extends HttpServlet { + auditACLResource, + auditOperation)); + +- auditMessage = CMS.getLogMessage( +- AuditEvent.ROLE_ASSUME, ++ audit(new RoleAssumeEvent( + auditSubjectID, + ILogger.FAILURE, +- auditGroupID); +- +- audit(auditMessage); ++ auditGroupID)); + } + return authzToken; + } catch (Exception e) { +@@ -1864,13 +1859,11 @@ public abstract class CMSServlet extends HttpServlet { + auditACLResource, + auditOperation)); + +- auditMessage = CMS.getLogMessage( +- AuditEvent.ROLE_ASSUME, ++ audit(new RoleAssumeEvent( + auditSubjectID, + ILogger.FAILURE, +- auditGroupID); ++ auditGroupID)); + +- audit(auditMessage); + throw new EBaseException(e.toString()); + } + } +@@ -1900,7 +1893,7 @@ public abstract class CMSServlet extends HttpServlet { + public AuthzToken authorize(String authzMgrName, IAuthToken authToken, + String resource, String operation) + throws EBaseException { +- String auditMessage = null; ++ + String auditSubjectID = auditSubjectID(); + String auditGroupID 
= auditGroupID(); + String auditID = auditSubjectID; +@@ -1958,14 +1951,11 @@ public abstract class CMSServlet extends HttpServlet { + auditACLResource, + auditOperation)); + +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.ROLE_ASSUME, ++ audit(new RoleAssumeEvent( + auditID, + ILogger.SUCCESS, +- auditGroups(auditSubjectID)); ++ auditGroups(auditSubjectID))); + +- audit(auditMessage); + } else { + + audit(new AuthzFailEvent( +@@ -1974,14 +1964,10 @@ public abstract class CMSServlet extends HttpServlet { + auditACLResource, + auditOperation)); + +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.ROLE_ASSUME, ++ audit(new RoleAssumeEvent( + auditID, + ILogger.FAILURE, +- auditGroups(auditSubjectID)); +- +- audit(auditMessage); ++ auditGroups(auditSubjectID))); + } + + return authzTok; +@@ -1993,14 +1979,10 @@ public abstract class CMSServlet extends HttpServlet { + auditACLResource, + auditOperation)); + +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.ROLE_ASSUME, ++ audit(new RoleAssumeEvent( + auditID, + ILogger.FAILURE, +- auditGroups(auditSubjectID)); +- +- audit(auditMessage); ++ auditGroups(auditSubjectID))); + + return null; + } catch (Exception eAudit1) { +@@ -2011,14 +1993,10 @@ public abstract class CMSServlet extends HttpServlet { + auditACLResource, + auditOperation)); + +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.ROLE_ASSUME, ++ audit(new RoleAssumeEvent( + auditSubjectID, + ILogger.FAILURE, +- auditGroups(auditSubjectID)); +- +- audit(auditMessage); ++ auditGroups(auditSubjectID))); + + return null; + } +diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java +index cd769db..dc28a7c 100644 +--- 
a/base/server/cms/src/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java +@@ -45,6 +45,7 @@ import com.netscape.certsrv.base.UnauthorizedException; + import com.netscape.certsrv.ldap.ILdapConnFactory; + import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.ILogger; ++import com.netscape.certsrv.logging.event.RoleAssumeEvent; + import com.netscape.certsrv.system.DomainInfo; + import com.netscape.certsrv.system.InstallToken; + import com.netscape.certsrv.system.SecurityDomainHost; +@@ -89,22 +90,19 @@ public class SecurityDomainProcessor extends CAProcessor { + CMS.debug("SecurityDomainProcessor: group: " + group); + + if (!ugSubsystem.isMemberOf(user, group)) { +- String message = CMS.getLogMessage( +- AuditEvent.ROLE_ASSUME, ++ ++ audit(new RoleAssumeEvent( + user, + ILogger.FAILURE, +- group); +- audit(message); ++ group)); + + throw new UnauthorizedException("User " + user + " is not a member of " + group + " group."); + } + +- String message = CMS.getLogMessage( +- AuditEvent.ROLE_ASSUME, ++ audit(new RoleAssumeEvent( + user, + ILogger.SUCCESS, +- group); +- audit(message); ++ group)); + + String ip = ""; + try { +@@ -123,6 +121,7 @@ public class SecurityDomainProcessor extends CAProcessor { + + ISecurityDomainSessionTable ctable = CMS.getSecurityDomainSessionTable(); + int status = ctable.addEntry(sessionID, ip, user, group); ++ String message; + + if (status == ISecurityDomainSessionTable.SUCCESS) { + message = CMS.getLogMessage( +diff --git a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java +index 1d04f3a..74f501f 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java +@@ -57,6 +57,7 @@ import 
com.netscape.certsrv.logging.event.AuthFailEvent; + import com.netscape.certsrv.logging.event.AuthSuccessEvent; + import com.netscape.certsrv.logging.event.AuthzFailEvent; + import com.netscape.certsrv.logging.event.AuthzSuccessEvent; ++import com.netscape.certsrv.logging.event.RoleAssumeEvent; + import com.netscape.certsrv.profile.IProfile; + import com.netscape.certsrv.profile.IProfileAuthenticator; + import com.netscape.certsrv.profile.IProfileSubsystem; +@@ -700,7 +701,7 @@ public class CAProcessor extends Processor { + public AuthzToken authorize(String authzMgrName, String resource, IAuthToken authToken, + String exp) throws EBaseException { + AuthzToken authzToken = null; +- String auditMessage = null; ++ + String auditSubjectID = auditSubjectID(); + String auditGroupID = auditGroupID(); + String auditACLResource = resource; +@@ -716,14 +717,11 @@ public class CAProcessor extends Processor { + auditACLResource, + auditOperation)); + +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.ROLE_ASSUME, ++ audit(new RoleAssumeEvent( + auditSubjectID, + ILogger.SUCCESS, +- auditGroupID); ++ auditGroupID)); + +- audit(auditMessage); + } else { + + audit(new AuthzFailEvent( +@@ -732,13 +730,10 @@ public class CAProcessor extends Processor { + auditACLResource, + auditOperation)); + +- auditMessage = CMS.getLogMessage( +- AuditEvent.ROLE_ASSUME, ++ audit(new RoleAssumeEvent( + auditSubjectID, + ILogger.FAILURE, +- auditGroupID); +- +- audit(auditMessage); ++ auditGroupID)); + } + return authzToken; + } catch (EBaseException e) { +@@ -749,13 +744,11 @@ public class CAProcessor extends Processor { + auditACLResource, + auditOperation)); + +- auditMessage = CMS.getLogMessage( +- AuditEvent.ROLE_ASSUME, ++ audit(new RoleAssumeEvent( + auditSubjectID, + ILogger.FAILURE, +- auditGroupID); ++ auditGroupID)); + +- audit(auditMessage); + throw e; + } + } +@@ -784,7 +777,7 @@ public class CAProcessor extends Processor { + */ + 
public AuthzToken authorize(String authzMgrName, IAuthToken authToken, + String resource, String operation) { +- String auditMessage = null; ++ + String auditSubjectID = auditSubjectID(); + String auditGroupID = auditGroupID(); + String auditID = auditSubjectID; +@@ -842,14 +835,11 @@ public class CAProcessor extends Processor { + auditACLResource, + auditOperation)); + +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.ROLE_ASSUME, ++ audit(new RoleAssumeEvent( + auditID, + ILogger.SUCCESS, +- auditGroups(auditSubjectID)); ++ auditGroups(auditSubjectID))); + +- audit(auditMessage); + } else { + + audit(new AuthzFailEvent( +@@ -858,14 +848,10 @@ public class CAProcessor extends Processor { + auditACLResource, + auditOperation)); + +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.ROLE_ASSUME, ++ audit(new RoleAssumeEvent( + auditID, + ILogger.FAILURE, +- auditGroups(auditSubjectID)); +- +- audit(auditMessage); ++ auditGroups(auditSubjectID))); + } + + return authzTok; +@@ -877,14 +863,10 @@ public class CAProcessor extends Processor { + auditACLResource, + auditOperation)); + +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.ROLE_ASSUME, ++ audit(new RoleAssumeEvent( + auditID, + ILogger.FAILURE, +- auditGroups(auditSubjectID)); +- +- audit(auditMessage); ++ auditGroups(auditSubjectID))); + + return null; + } +-- +1.8.3.1 + + +From 3d9ef95a913af023958b79ef383853cf958757e0 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Fri, 21 Apr 2017 04:55:00 +0200 +Subject: [PATCH 29/49] Added ConfigRoleEvent. + +A new ConfigRoleEvent class of has been added to encapsulate the +CONFIG_ROLE events. 
+
+https://pagure.io/dogtagpki/issue/2641
+
+Change-Id: Ie0932131d75897f58afdd8217454c6cf6970d738
+---
+ .../certsrv/logging/event/ConfigRoleEvent.java | 39 ++
+ .../cms/profile/updater/SubsystemGroupUpdater.java | 37 +-
+ .../cms/servlet/admin/GroupMemberProcessor.java | 10 +-
+ .../cms/servlet/admin/UsrGrpAdminServlet.java | 500 ++++++---------------
+ .../netscape/cms/servlet/csadmin/RegisterUser.java | 40 +-
+ .../cms/servlet/csadmin/UpdateDomainXML.java | 44 +-
+ .../netscape/cms/servlet/processors/Processor.java | 13 -
+ .../org/dogtagpki/server/rest/GroupService.java | 10 +-
+ .../src/org/dogtagpki/server/rest/UserService.java | 18 +-
+ 9 files changed, 264 insertions(+), 447 deletions(-)
+ create mode 100644 base/common/src/com/netscape/certsrv/logging/event/ConfigRoleEvent.java
+
+diff --git a/base/common/src/com/netscape/certsrv/logging/event/ConfigRoleEvent.java b/base/common/src/com/netscape/certsrv/logging/event/ConfigRoleEvent.java
+new file mode 100644
+index 0000000..695712b
+--- /dev/null
++++ b/base/common/src/com/netscape/certsrv/logging/event/ConfigRoleEvent.java
+@@ -0,0 +1,39 @@
++// --- BEGIN COPYRIGHT BLOCK ---
++// This program is free software; you can redistribute it and/or modify
++// it under the terms of the GNU General Public License as published by
++// the Free Software Foundation; version 2 of the License.
++//
++// This program is distributed in the hope that it will be useful,
++// but WITHOUT ANY WARRANTY; without even the implied warranty of
++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++// GNU General Public License for more details.
++//
++// You should have received a copy of the GNU General Public License along
++// with this program; if not, write to the Free Software Foundation, Inc.,
++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
++//
++// (C) 2017 Red Hat, Inc.
++// All rights reserved.
++// --- END COPYRIGHT BLOCK ---
++package com.netscape.certsrv.logging.event;
++
++import com.netscape.certsrv.logging.AuditEvent;
++
++public class ConfigRoleEvent extends AuditEvent {
++
++ private static final long serialVersionUID = 1L;
++
++ public ConfigRoleEvent(
++ String subjectID,
++ String outcome,
++ String params) {
++
++ super(CONFIG_ROLE);
++
++ setParameters(new Object[] {
++ subjectID,
++ outcome,
++ params
++ });
++ }
++}
+diff --git a/base/server/cms/src/com/netscape/cms/profile/updater/SubsystemGroupUpdater.java b/base/server/cms/src/com/netscape/cms/profile/updater/SubsystemGroupUpdater.java
+index 4ecc255..276c5b5 100644
+--- a/base/server/cms/src/com/netscape/cms/profile/updater/SubsystemGroupUpdater.java
++++ b/base/server/cms/src/com/netscape/cms/profile/updater/SubsystemGroupUpdater.java
+@@ -28,6 +28,7 @@ import com.netscape.certsrv.base.IConfigStore;
+ import com.netscape.certsrv.base.SessionContext;
+ import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
++import com.netscape.certsrv.logging.event.ConfigRoleEvent;
+ import com.netscape.certsrv.profile.EProfileException;
+ import com.netscape.certsrv.profile.IEnrollProfile;
+ import com.netscape.certsrv.profile.IProfile;
+@@ -102,7 +103,6 @@ public class SubsystemGroupUpdater implements IProfileUpdater {
+ public void update(IRequest req, RequestStatus status)
+ throws EProfileException {
+
+- String auditMessage = null;
+ String auditSubjectID = auditSubjectID();
+
+ CMS.debug("SubsystemGroupUpdater update starts");
+@@ -163,12 +163,11 @@ public class SubsystemGroupUpdater implements IProfileUpdater {
+
+ system.addUser(user);
+ CMS.debug("SubsystemGroupUpdater update: successfully add the user");
+- auditMessage = CMS.getLogMessage(
+- AuditEvent.CONFIG_ROLE,
++
++ audit(new ConfigRoleEvent(
+ auditSubjectID,
+ ILogger.SUCCESS,
+- auditParams);
+- audit(auditMessage);
++ auditParams));
+
+ String b64 = ILogger.SIGNED_AUDIT_EMPTY_VALUE;
+ try {
+@@ -188,12 +187,11 @@ public class SubsystemGroupUpdater implements IProfileUpdater { + + system.addUserCert(user); + CMS.debug("SubsystemGroupUpdater update: successfully add the user certificate"); +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_ROLE, ++ ++ audit(new ConfigRoleEvent( + auditSubjectID, + ILogger.SUCCESS, +- auditParams); +- audit(auditMessage); ++ auditParams)); + + } catch (ConflictingOperationException e) { + CMS.debug("UpdateSubsystemGroup: update " + e.toString()); +@@ -201,12 +199,12 @@ public class SubsystemGroupUpdater implements IProfileUpdater { + + } catch (Exception e) { + CMS.debug("UpdateSubsystemGroup: update addUser " + e.toString()); +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_ROLE, ++ ++ audit(new ConfigRoleEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams); +- audit(auditMessage); ++ auditParams)); ++ + throw new EProfileException(e.toString()); + } + +@@ -232,12 +230,10 @@ public class SubsystemGroupUpdater implements IProfileUpdater { + group.addMemberName(id); + system.modifyGroup(group); + +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_ROLE, ++ audit(new ConfigRoleEvent( + auditSubjectID, + ILogger.SUCCESS, +- auditParams); +- audit(auditMessage); ++ auditParams)); + + CMS.debug("UpdateSubsystemGroup: update: successfully added the user to the group."); + } else { +@@ -245,12 +241,11 @@ public class SubsystemGroupUpdater implements IProfileUpdater { + } + } catch (Exception e) { + CMS.debug("UpdateSubsystemGroup update: modifyGroup " + e.toString()); +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_ROLE, ++ ++ audit(new ConfigRoleEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams); +- audit(auditMessage); ++ auditParams)); + } + } + +diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/GroupMemberProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/admin/GroupMemberProcessor.java +index 00f960e..c6ae5b1 100644 +--- 
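Review bot: In the last hunk the `modifyGroup` failure path records a CONFIG_ROLE FAILURE event and then leaves the catch block without rethrowing, so the profile update completes although the group membership was not applied, while the `addUser` failure earlier in the same method throws `EProfileException`. The commit keeps that asymmetry; if it is intentional, a comment on the catch such as `// group membership is best-effort: audited as FAILURE, does not fail the request` would make it explicit, otherwise `throw new EProfileException(e.toString());` after the audit would match the addUser branch. The update method continues past the hunk, so a later check may exist that this chunk does not show.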
a/base/server/cms/src/com/netscape/cms/servlet/admin/GroupMemberProcessor.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/admin/GroupMemberProcessor.java +@@ -43,9 +43,9 @@ import com.netscape.certsrv.group.GroupMemberCollection; + import com.netscape.certsrv.group.GroupMemberData; + import com.netscape.certsrv.group.GroupNotFoundException; + import com.netscape.certsrv.group.GroupResource; +-import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.AuditFormat; + import com.netscape.certsrv.logging.ILogger; ++import com.netscape.certsrv.logging.event.ConfigRoleEvent; + import com.netscape.certsrv.usrgrp.IGroup; + import com.netscape.certsrv.usrgrp.IUGSubsystem; + import com.netscape.cms.servlet.processors.Processor; +@@ -388,6 +388,12 @@ public class GroupMemberProcessor extends Processor { + } + + public void audit(String type, String id, Map params, String status) { +- audit(AuditEvent.CONFIG_ROLE, ScopeDef.SC_GROUP_MEMBERS, type, id, params, status); ++ ++ if (auditor == null) return; ++ ++ auditor.log(new ConfigRoleEvent( ++ auditor.getSubjectID(), ++ status, ++ auditor.getParamString(ScopeDef.SC_GROUP_MEMBERS, type, id, params))); + } + } +diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/UsrGrpAdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/UsrGrpAdminServlet.java +index 1c38b88..183fbea 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/admin/UsrGrpAdminServlet.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/admin/UsrGrpAdminServlet.java +@@ -31,9 +31,6 @@ import javax.servlet.ServletException; + import javax.servlet.http.HttpServletRequest; + import javax.servlet.http.HttpServletResponse; + +-import netscape.security.pkcs.PKCS7; +-import netscape.security.x509.X509CertImpl; +- + import org.mozilla.jss.CryptoManager; + import org.mozilla.jss.crypto.InternalCertificate; + +@@ -48,9 +45,9 @@ import com.netscape.certsrv.common.Constants; + import 
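Review bot: The new `if (auditor == null) return;` drops the CONFIG_ROLE event silently when no auditor is configured, so a group-membership change that belongs in the signed audit log leaves neither a record nor a diagnostic. If the removed Processor.audit(...) overload behaved the same way this is behaviour-preserving, but a debug line before the return, e.g. `CMS.debug("GroupMemberProcessor: no auditor configured, CONFIG_ROLE event not recorded");` (assuming CMS is in scope in this file as it is in the other files of the patch), would make the gap visible during deployment checks.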
com.netscape.certsrv.common.NameValuePairs; + import com.netscape.certsrv.common.OpDef; + import com.netscape.certsrv.common.ScopeDef; +-import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.AuditFormat; + import com.netscape.certsrv.logging.ILogger; ++import com.netscape.certsrv.logging.event.ConfigRoleEvent; + import com.netscape.certsrv.password.IPasswordCheck; + import com.netscape.certsrv.usrgrp.EUsrGrpException; + import com.netscape.certsrv.usrgrp.IGroup; +@@ -60,6 +57,9 @@ import com.netscape.certsrv.usrgrp.IUser; + import com.netscape.cmsutil.util.Cert; + import com.netscape.cmsutil.util.Utils; + ++import netscape.security.pkcs.PKCS7; ++import netscape.security.x509.X509CertImpl; ++ + /** + * A class representing an administration servlet for + * User/Group Manager. It communicates with client +@@ -667,7 +667,6 @@ public class UsrGrpAdminServlet extends AdminServlet { + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + +- String auditMessage = null; + String auditSubjectID = auditSubjectID(); + + // ensure that any low-level exceptions are reported +@@ -678,14 +677,10 @@ public class UsrGrpAdminServlet extends AdminServlet { + if (id == null) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_NULL_RS_ID")); + +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_ROLE, ++ audit(new ConfigRoleEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"), +@@ -697,14 +692,10 @@ public class UsrGrpAdminServlet extends AdminServlet { + // backslashes (BS) are not allowed + log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_RS_ID_BS")); + +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_ROLE, ++ audit(new ConfigRoleEvent( + 
auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_RS_ID_BS"), +@@ -716,14 +707,10 @@ public class UsrGrpAdminServlet extends AdminServlet { + // backslashes (BS) are not allowed + log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_SPECIAL_ID", id)); + +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_ROLE, ++ audit(new ConfigRoleEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_SPECIAL_ID", id), +@@ -739,14 +726,10 @@ public class UsrGrpAdminServlet extends AdminServlet { + + log(ILogger.LL_FAILURE, msg); + +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_ROLE, ++ audit(new ConfigRoleEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + + sendResponse(ERROR, msg, null, resp); + return; +@@ -766,14 +749,11 @@ public class UsrGrpAdminServlet extends AdminServlet { + IPasswordCheck passwdCheck = CMS.getPasswordChecker(); + + if (!passwdCheck.isGoodPassword(pword)) { +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_ROLE, ++ ++ audit(new ConfigRoleEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + + throw new EUsrGrpException(passwdCheck.getReason(pword)); + +@@ -819,14 +799,10 @@ public class UsrGrpAdminServlet extends AdminServlet { + } catch (Exception ex) { + ex.printStackTrace(); + +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_ROLE, ++ audit(new ConfigRoleEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); 
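Review bot: A rejected password in the -766 hunk is audited as FAILURE and then `throw new EUsrGrpException(passwdCheck.getReason(pword));` follows; if that throw is caught by the `catch (EUsrGrpException e)` handler in the -868 hunk, which also audits FAILURE, one bad password produces two FAILURE records in the signed audit log, which skews any detection rule that counts CONFIG_ROLE failures. Whether that handler's try block encloses the password check is not visible from these hunks, so this needs confirming against the full method. If it does, one of the two audits should go, with a comment at the remaining site such as `// FAILURE for a rejected password is audited here only`. The enclosing method starts and ends outside this hunk.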
+- +- audit(auditMessage); ++ auditParams(req))); + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_USRGRP_USER_ADD_FAILED"), null, resp); +@@ -842,14 +818,10 @@ public class UsrGrpAdminServlet extends AdminServlet { + } catch (Exception ex) { + log(ILogger.LL_FAILURE, ex.toString()); + +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_ROLE, ++ audit(new ConfigRoleEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_USRGRP_USER_ADD_FAILED"), null, resp); +@@ -868,28 +840,20 @@ public class UsrGrpAdminServlet extends AdminServlet { + + NameValuePairs params = new NameValuePairs(); + +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_ROLE, ++ audit(new ConfigRoleEvent( + auditSubjectID, + ILogger.SUCCESS, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + + sendResponse(SUCCESS, null, params, resp); + return; + } catch (EUsrGrpException e) { + log(ILogger.LL_FAILURE, e.toString()); + +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_ROLE, ++ audit(new ConfigRoleEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + + if (user.getUserID() == null) { + sendResponse(ERROR, +@@ -903,40 +867,30 @@ public class UsrGrpAdminServlet extends AdminServlet { + } catch (Exception e) { + log(ILogger.LL_FAILURE, e.toString()); + +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_ROLE, ++ audit(new ConfigRoleEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_USRGRP_USER_ADD_FAILED"), null, resp); + 
return; + } + } catch (EBaseException eAudit1) { +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_ROLE, ++ ++ audit(new ConfigRoleEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + + // rethrow the specific exception to be handled later + throw eAudit1; + } catch (IOException eAudit2) { +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_ROLE, ++ ++ audit(new ConfigRoleEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + + // rethrow the specific exception to be handled later + throw eAudit2; +@@ -978,7 +932,6 @@ public class UsrGrpAdminServlet extends AdminServlet { + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + +- String auditMessage = null; + String auditSubjectID = auditSubjectID(); + + // ensure that any low-level exceptions are reported +@@ -989,14 +942,10 @@ public class UsrGrpAdminServlet extends AdminServlet { + if (id == null) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_NULL_RS_ID")); + +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_ROLE, ++ audit(new ConfigRoleEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"), +@@ -1012,14 +961,10 @@ public class UsrGrpAdminServlet extends AdminServlet { + if (certsString == null) { + NameValuePairs params = new NameValuePairs(); + +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_ROLE, ++ audit(new ConfigRoleEvent( + auditSubjectID, + ILogger.SUCCESS, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + + sendResponse(SUCCESS, 
null, params, resp); + return; +@@ -1052,14 +997,11 @@ public class UsrGrpAdminServlet extends AdminServlet { + X509Certificate p7certs[] = pkcs7.getCertificates(); + + if (p7certs.length == 0) { +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_ROLE, ++ ++ audit(new ConfigRoleEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_USRGRP_SRVLT_CERT_ERROR"), null, resp); +@@ -1087,14 +1029,10 @@ public class UsrGrpAdminServlet extends AdminServlet { + // not a chain, or in random order + CMS.debug("UsrGrpAdminServlet: " + CMS.getLogMessage("ADMIN_SRVLT_CERT_BAD_CHAIN")); + +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_ROLE, ++ audit(new ConfigRoleEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_USRGRP_SRVLT_CERT_ERROR"), null, resp); +@@ -1153,14 +1091,10 @@ public class UsrGrpAdminServlet extends AdminServlet { + //----- + log(ILogger.LL_FAILURE, CMS.getLogMessage("USRGRP_SRVLT_CERT_ERROR", ex.toString())); + +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_ROLE, ++ audit(new ConfigRoleEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_USRGRP_SRVLT_CERT_ERROR"), null, resp); +@@ -1169,14 +1103,10 @@ public class UsrGrpAdminServlet extends AdminServlet { + } catch (Exception e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("USRGRP_SRVLT_CERT_O_ERROR", e.toString())); + +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_ROLE, ++ audit(new 
ConfigRoleEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_USRGRP_SRVLT_CERT_O_ERROR"), null, resp); +@@ -1191,14 +1121,10 @@ public class UsrGrpAdminServlet extends AdminServlet { + mMgr.addUserCert(user); + NameValuePairs params = new NameValuePairs(); + +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_ROLE, ++ audit(new ConfigRoleEvent( + auditSubjectID, + ILogger.SUCCESS, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + + sendResponse(SUCCESS, null, params, resp); + return; +@@ -1207,14 +1133,10 @@ public class UsrGrpAdminServlet extends AdminServlet { + log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_ADD_CERT_EXPIRED", + String.valueOf(certs[0].getSubjectDN()))); + +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_ROLE, ++ audit(new ConfigRoleEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_USRGRP_SRVLT_CERT_EXPIRED"), null, resp); +@@ -1223,28 +1145,21 @@ public class UsrGrpAdminServlet extends AdminServlet { + log(ILogger.LL_FAILURE, CMS.getLogMessage("USRGRP_SRVLT_CERT_NOT_YET_VALID", + String.valueOf(certs[0].getSubjectDN()))); + +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_ROLE, ++ audit(new ConfigRoleEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_USRGRP_SRVLT_CERT_NOT_YET_VALID"), null, resp); + return; + + } catch (ConflictingOperationException e) { +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- 
AuditEvent.CONFIG_ROLE, ++ ++ audit(new ConfigRoleEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_USRGRP_SRVLT_USER_CERT_EXISTS"), null, resp); +@@ -1253,14 +1168,10 @@ public class UsrGrpAdminServlet extends AdminServlet { + } catch (Exception e) { + log(ILogger.LL_FAILURE, e.toString()); + +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_ROLE, ++ audit(new ConfigRoleEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_USRGRP_USER_MOD_FAILED"), null, resp); +@@ -1279,14 +1190,11 @@ public class UsrGrpAdminServlet extends AdminServlet { + // // rethrow the specific exception to be handled later + // throw eAudit1; + } catch (IOException eAudit2) { +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_ROLE, ++ ++ audit(new ConfigRoleEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + + // rethrow the specific exception to be handled later + throw eAudit2; +@@ -1331,7 +1239,6 @@ public class UsrGrpAdminServlet extends AdminServlet { + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + +- String auditMessage = null; + String auditSubjectID = auditSubjectID(); + + // ensure that any low-level exceptions are reported +@@ -1342,14 +1249,10 @@ public class UsrGrpAdminServlet extends AdminServlet { + if (id == null) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_NULL_RS_ID")); + +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_ROLE, ++ audit(new ConfigRoleEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); +- +- 
audit(auditMessage); ++ auditParams(req))); + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"), +@@ -1364,14 +1267,10 @@ public class UsrGrpAdminServlet extends AdminServlet { + if (certDN == null) { + NameValuePairs params = new NameValuePairs(); + +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_ROLE, ++ audit(new ConfigRoleEvent( + auditSubjectID, + ILogger.SUCCESS, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + + sendResponse(SUCCESS, null, params, resp); + return; +@@ -1382,28 +1281,20 @@ public class UsrGrpAdminServlet extends AdminServlet { + mMgr.removeUserCert(user); + NameValuePairs params = new NameValuePairs(); + +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_ROLE, ++ audit(new ConfigRoleEvent( + auditSubjectID, + ILogger.SUCCESS, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + + sendResponse(SUCCESS, null, params, resp); + return; + } catch (Exception e) { + log(ILogger.LL_FAILURE, e.toString()); + +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_ROLE, ++ audit(new ConfigRoleEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_USRGRP_USER_MOD_FAILED"), null, resp); +@@ -1422,14 +1313,11 @@ public class UsrGrpAdminServlet extends AdminServlet { + // // rethrow the specific exception to be handled later + // throw eAudit1; + } catch (IOException eAudit2) { +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_ROLE, ++ ++ audit(new ConfigRoleEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + + // rethrow the specific exception to be 
handled later + throw eAudit2; +@@ -1474,7 +1362,6 @@ public class UsrGrpAdminServlet extends AdminServlet { + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + +- String auditMessage = null; + String auditSubjectID = auditSubjectID(); + + // ensure that any low-level exceptions are reported +@@ -1493,14 +1380,10 @@ public class UsrGrpAdminServlet extends AdminServlet { + if (id == null) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_NULL_RS_ID")); + +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_ROLE, ++ audit(new ConfigRoleEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"), +@@ -1515,14 +1398,10 @@ public class UsrGrpAdminServlet extends AdminServlet { + } catch (Exception ex) { + ex.printStackTrace(); + +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_ROLE, ++ audit(new ConfigRoleEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + + sendResponse(ERROR, CMS.getUserMessage(getLocale(req), "CMS_INTERNAL_ERROR"), null, resp); + return; +@@ -1535,14 +1414,10 @@ public class UsrGrpAdminServlet extends AdminServlet { + if (mustDelete) { + mMgr.removeUserFromGroup(group, id); + } else { +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_ROLE, ++ audit(new ConfigRoleEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_USRGRP_SRVLT_FAIL_USER_RMV_G"), +@@ -1557,52 +1432,39 @@ public class UsrGrpAdminServlet extends AdminServlet { + mMgr.removeUser(id); + NameValuePairs params = new NameValuePairs(); + +- 
// store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_ROLE, ++ audit(new ConfigRoleEvent( + auditSubjectID, + ILogger.SUCCESS, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + + sendResponse(SUCCESS, null, params, resp); + return; + } catch (Exception ex) { +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_ROLE, ++ ++ audit(new ConfigRoleEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_USRGRP_SRVLT_FAIL_USER_RMV"), null, resp); + return; + } + } catch (EBaseException eAudit1) { +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_ROLE, ++ ++ audit(new ConfigRoleEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + + // rethrow the specific exception to be handled later + throw eAudit1; + } catch (IOException eAudit2) { +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_ROLE, ++ ++ audit(new ConfigRoleEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + + // rethrow the specific exception to be handled later + throw eAudit2; +@@ -1644,7 +1506,6 @@ public class UsrGrpAdminServlet extends AdminServlet { + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + +- String auditMessage = null; + String auditSubjectID = auditSubjectID(); + + // ensure that any low-level exceptions are reported +@@ -1656,14 +1517,10 @@ public class UsrGrpAdminServlet extends AdminServlet { + if (id == null) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_NULL_RS_ID")); + +- // store a message in the signed audit log file +- auditMessage = 
CMS.getLogMessage( +- AuditEvent.CONFIG_ROLE, ++ audit(new ConfigRoleEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"), +@@ -1694,26 +1551,19 @@ public class UsrGrpAdminServlet extends AdminServlet { + mMgr.addGroup(group); + NameValuePairs params = new NameValuePairs(); + +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_ROLE, ++ audit(new ConfigRoleEvent( + auditSubjectID, + ILogger.SUCCESS, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + + sendResponse(SUCCESS, null, params, resp); + return; + } catch (Exception e) { +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_ROLE, ++ ++ audit(new ConfigRoleEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_USRGRP_GROUP_ADD_FAILED"), +@@ -1721,26 +1571,20 @@ public class UsrGrpAdminServlet extends AdminServlet { + return; + } + } catch (EBaseException eAudit1) { +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_ROLE, ++ ++ audit(new ConfigRoleEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + + // rethrow the specific exception to be handled later + throw eAudit1; + } catch (IOException eAudit2) { +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_ROLE, ++ ++ audit(new ConfigRoleEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + + // rethrow the specific exception to be handled later + throw eAudit2; +@@ -1782,7 +1626,6 @@ public class 
UsrGrpAdminServlet extends AdminServlet { + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + +- String auditMessage = null; + String auditSubjectID = auditSubjectID(); + + // ensure that any low-level exceptions are reported +@@ -1794,14 +1637,10 @@ public class UsrGrpAdminServlet extends AdminServlet { + if (id == null) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_NULL_RS_ID")); + +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_ROLE, ++ audit(new ConfigRoleEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"), +@@ -1813,37 +1652,27 @@ public class UsrGrpAdminServlet extends AdminServlet { + mMgr.removeGroup(id); + NameValuePairs params = new NameValuePairs(); + +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_ROLE, ++ audit(new ConfigRoleEvent( + auditSubjectID, + ILogger.SUCCESS, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + + sendResponse(SUCCESS, null, params, resp); + } catch (EBaseException eAudit1) { +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_ROLE, ++ ++ audit(new ConfigRoleEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + + // rethrow the specific exception to be handled later + throw eAudit1; + } catch (IOException eAudit2) { +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_ROLE, ++ ++ audit(new ConfigRoleEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + + // rethrow the specific exception to be handled later + throw eAudit2; +@@ -1887,7 +1716,6 @@ 
public class UsrGrpAdminServlet extends AdminServlet { + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + +- String auditMessage = null; + String auditSubjectID = auditSubjectID(); + + // ensure that any low-level exceptions are reported +@@ -1899,14 +1727,10 @@ public class UsrGrpAdminServlet extends AdminServlet { + if (id == null) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_NULL_RS_ID")); + +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_ROLE, ++ audit(new ConfigRoleEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"), +@@ -1952,14 +1776,10 @@ public class UsrGrpAdminServlet extends AdminServlet { + if (!isDuplicate(groupName, memberName)) { + group.addMemberName(memberName); + } else { +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_ROLE, ++ audit(new ConfigRoleEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + + throw new EBaseException(CMS.getUserMessage("CMS_BASE_DUPLICATE_ROLES", memberName)); + } +@@ -1976,27 +1796,19 @@ public class UsrGrpAdminServlet extends AdminServlet { + mMgr.modifyGroup(group); + NameValuePairs params = new NameValuePairs(); + +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_ROLE, ++ audit(new ConfigRoleEvent( + auditSubjectID, + ILogger.SUCCESS, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + + sendResponse(SUCCESS, null, params, resp); + } catch (Exception e) { + log(ILogger.LL_FAILURE, e.toString()); + +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_ROLE, ++ audit(new ConfigRoleEvent( + 
auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_USRGRP_GROUP_MODIFY_FAILED"), +@@ -2004,26 +1816,20 @@ public class UsrGrpAdminServlet extends AdminServlet { + return; + } + } catch (EBaseException eAudit1) { +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_ROLE, ++ ++ audit(new ConfigRoleEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + + // rethrow the specific exception to be handled later + throw eAudit1; + } catch (IOException eAudit2) { +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_ROLE, ++ ++ audit(new ConfigRoleEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + + // rethrow the specific exception to be handled later + throw eAudit2; +@@ -2136,7 +1942,6 @@ public class UsrGrpAdminServlet extends AdminServlet { + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + +- String auditMessage = null; + String auditSubjectID = auditSubjectID(); + + // ensure that any low-level exceptions are reported +@@ -2148,14 +1953,10 @@ public class UsrGrpAdminServlet extends AdminServlet { + if (id == null) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_NULL_RS_ID")); + +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_ROLE, ++ audit(new ConfigRoleEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"), +@@ -2172,14 +1973,10 @@ public class UsrGrpAdminServlet extends AdminServlet { + + log(ILogger.LL_FAILURE, msg); + +- // store a message in the 
signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_ROLE, ++ audit(new ConfigRoleEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + + sendResponse(ERROR, msg, null, resp); + return; +@@ -2197,14 +1994,11 @@ public class UsrGrpAdminServlet extends AdminServlet { + IPasswordCheck passwdCheck = CMS.getPasswordChecker(); + + if (!passwdCheck.isGoodPassword(pword)) { +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_ROLE, ++ ++ audit(new ConfigRoleEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + + throw new EUsrGrpException(passwdCheck.getReason(pword)); + +@@ -2228,54 +2022,40 @@ public class UsrGrpAdminServlet extends AdminServlet { + mMgr.modifyUser(user); + NameValuePairs params = new NameValuePairs(); + +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_ROLE, ++ audit(new ConfigRoleEvent( + auditSubjectID, + ILogger.SUCCESS, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + + sendResponse(SUCCESS, null, params, resp); + return; + } catch (Exception e) { + log(ILogger.LL_FAILURE, e.toString()); + +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_ROLE, ++ audit(new ConfigRoleEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_USRGRP_USER_MOD_FAILED"), null, resp); + return; + } + } catch (EBaseException eAudit1) { +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_ROLE, ++ ++ audit(new ConfigRoleEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + + // rethrow 
the specific exception to be handled later + throw eAudit1; + } catch (IOException eAudit2) { +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_ROLE, ++ ++ audit(new ConfigRoleEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + + // rethrow the specific exception to be handled later + throw eAudit2; +diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/RegisterUser.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/RegisterUser.java +index 77ef4d8..f3a0164 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/RegisterUser.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/RegisterUser.java +@@ -34,8 +34,8 @@ import com.netscape.certsrv.authentication.IAuthToken; + import com.netscape.certsrv.authorization.AuthzToken; + import com.netscape.certsrv.authorization.EAuthzAccessDenied; + import com.netscape.certsrv.base.EBaseException; +-import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.ILogger; ++import com.netscape.certsrv.logging.event.ConfigRoleEvent; + import com.netscape.certsrv.usrgrp.ICertUserLocator; + import com.netscape.certsrv.usrgrp.IGroup; + import com.netscape.certsrv.usrgrp.IUGSubsystem; +@@ -144,7 +144,6 @@ public class RegisterUser extends CMSServlet { + CMS.debug("RegisterUser got name=" + name); + CMS.debug("RegisterUser got certsString=" + certsString); + +- String auditMessage = null; + String auditSubjectID = auditSubjectID(); + String auditParams = "Scope;;users+Operation;;OP_ADD+source;;RegisterUser" + + "+Resource;;" + uid + +@@ -199,12 +198,11 @@ public class RegisterUser extends CMSServlet { + + ugsys.addUser(user); + CMS.debug("RegisterUser created user " + uid); +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_ROLE, ++ ++ audit(new ConfigRoleEvent( + auditSubjectID, + ILogger.SUCCESS, +- auditParams); +- audit(auditMessage); 
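Review bot: `auditParams` in the -144 hunk is built by hand-concatenating `uid` into a `Scope;;...+Resource;;` string, and the new ConfigRoleEvent calls in the -199, -218 and -261 hunks pass that string through unchanged; if `uid` is request-supplied, as the surrounding `RegisterUser got ...` debug lines suggest, a value containing `;;` or `+` could be read back as extra fields of the signed audit record unless the auditor escapes them. UsrGrpAdminServlet routes the same event type through `auditParams(req)`, whereas this servlet formats the parameter string itself, so a comment at the concatenation stating where escaping is expected to happen would help, e.g. `// uid is embedded verbatim; ';;' and '+' separators are not escaped here`. The method containing this hunk starts before it.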
++ auditParams)); + } + + // concatenate lines +@@ -218,23 +216,22 @@ public class RegisterUser extends CMSServlet { + if (!foundByCert) { + ugsys.addUserCert(user); + CMS.debug("RegisterUser added user certificate"); +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_ROLE, ++ ++ audit(new ConfigRoleEvent( + auditSubjectID, + ILogger.SUCCESS, +- auditParams); +- audit(auditMessage); ++ auditParams)); ++ + } else + CMS.debug("RegisterUser no need to add user certificate"); + } catch (Exception eee) { + CMS.debug("RegisterUser error " + eee.toString()); +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_ROLE, ++ ++ audit(new ConfigRoleEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams); ++ auditParams)); + +- audit(auditMessage); + outputError(httpResp, "Error: Certificate malformed"); + return; + } +@@ -261,22 +258,17 @@ public class RegisterUser extends CMSServlet { + ugsys.modifyGroup(group); + CMS.debug("RegisterUser modified group"); + +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_ROLE, ++ audit(new ConfigRoleEvent( + auditSubjectID, + ILogger.SUCCESS, +- auditParams); +- +- audit(auditMessage); ++ auditParams)); + } + } catch (Exception e) { +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_ROLE, ++ ++ audit(new ConfigRoleEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams); +- +- audit(auditMessage); ++ auditParams)); + } + + // send success status back to the requestor +diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java +index 5872ab0..91d8983 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java +@@ -28,13 +28,6 @@ import javax.servlet.ServletException; + import javax.servlet.http.HttpServletRequest; + import javax.servlet.http.HttpServletResponse; + +-import netscape.ldap.LDAPAttribute; 
+-import netscape.ldap.LDAPAttributeSet; +-import netscape.ldap.LDAPConnection; +-import netscape.ldap.LDAPEntry; +-import netscape.ldap.LDAPException; +-import netscape.ldap.LDAPModification; +- + import org.w3c.dom.Document; + import org.w3c.dom.Element; + import org.w3c.dom.Node; +@@ -49,12 +42,20 @@ import com.netscape.certsrv.base.IConfigStore; + import com.netscape.certsrv.ldap.ILdapConnFactory; + import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.ILogger; ++import com.netscape.certsrv.logging.event.ConfigRoleEvent; + import com.netscape.cms.servlet.base.CMSServlet; + import com.netscape.cms.servlet.base.UserInfo; + import com.netscape.cms.servlet.common.CMSRequest; + import com.netscape.cms.servlet.common.ICMSTemplateFiller; + import com.netscape.cmsutil.xml.XMLObject; + ++import netscape.ldap.LDAPAttribute; ++import netscape.ldap.LDAPAttributeSet; ++import netscape.ldap.LDAPConnection; ++import netscape.ldap.LDAPEntry; ++import netscape.ldap.LDAPException; ++import netscape.ldap.LDAPModification; ++ + public class UpdateDomainXML extends CMSServlet { + + /** +@@ -368,12 +369,11 @@ public class UpdateDomainXML extends CMSServlet { + // remove the user for this subsystem's admin + status2 = remove_from_ldap(adminUserDN); + if (status2.equals(SUCCESS)) { +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_ROLE, ++ ++ audit(new ConfigRoleEvent( + auditSubjectID, + ILogger.SUCCESS, +- userAuditParams); +- audit(auditMessage); ++ userAuditParams)); + + // remove this user from the subsystem group + userAuditParams = "Scope;;groups+Operation;;OP_DELETE_USER" + +@@ -384,26 +384,26 @@ public class UpdateDomainXML extends CMSServlet { + new LDAPAttribute("uniqueMember", adminUserDN)); + status2 = modify_ldap(dn, mod); + if (status2.equals(SUCCESS)) { +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_ROLE, ++ ++ audit(new ConfigRoleEvent( + auditSubjectID, + ILogger.SUCCESS, +- userAuditParams); ++ userAuditParams)); ++ 
+ } else { +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_ROLE, ++ ++ audit(new ConfigRoleEvent( + auditSubjectID, + ILogger.FAILURE, +- userAuditParams); ++ userAuditParams)); + } +- audit(auditMessage); ++ + } else { // error deleting user +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_ROLE, ++ ++ audit(new ConfigRoleEvent( + auditSubjectID, + ILogger.FAILURE, +- userAuditParams); +- audit(auditMessage); ++ userAuditParams)); + } + } + } else { +diff --git a/base/server/cms/src/com/netscape/cms/servlet/processors/Processor.java b/base/server/cms/src/com/netscape/cms/servlet/processors/Processor.java +index 64344d2..ffe707c 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/processors/Processor.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/processors/Processor.java +@@ -60,19 +60,6 @@ public class Processor { + return map; + } + +- public void audit(String message, String scope, String type, String id, Map params, String status) { +- +- if (auditor == null) return; +- +- String auditMessage = CMS.getLogMessage( +- message, +- auditor.getSubjectID(), +- status, +- auditor.getParamString(scope, type, id, params)); +- +- auditor.log(auditMessage); +- } +- + public void log(int source, int level, String message) { + + if (logger == null) return; +diff --git a/base/server/cms/src/org/dogtagpki/server/rest/GroupService.java b/base/server/cms/src/org/dogtagpki/server/rest/GroupService.java +index 4aa0209..6292cf8 100644 +--- a/base/server/cms/src/org/dogtagpki/server/rest/GroupService.java ++++ b/base/server/cms/src/org/dogtagpki/server/rest/GroupService.java +@@ -40,8 +40,8 @@ import com.netscape.certsrv.group.GroupData; + import com.netscape.certsrv.group.GroupMemberData; + import com.netscape.certsrv.group.GroupNotFoundException; + import com.netscape.certsrv.group.GroupResource; +-import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.ILogger; ++import 
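Review bot: In the `@@ -384,26 +384,26 @@` hunk every removed `auditMessage = CMS.getLogMessage(` line is replaced by an empty added line (a bare `++`) before `audit(new ConfigRoleEvent(`, and the removed `audit(auditMessage);` after the inner if/else also leaves a blank added line, so the new code carries stray blank lines where statements used to be. The same pattern recurs in the CertProcessor, ConnectorServlet, ProfileSubmitCMCServlet and ProcessCertReq hunks further down. Either drop the blank lines or keep a one-line comment in their place, e.g. `// record the role change in the signed audit log`, so the intent that the old `// store a message in the signed audit log file` comment expressed is not lost. The enclosing method starts and ends outside the hunk.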
com.netscape.certsrv.logging.event.ConfigRoleEvent; + import com.netscape.certsrv.usrgrp.IGroup; + import com.netscape.certsrv.usrgrp.IGroupConstants; + import com.netscape.certsrv.usrgrp.IUGSubsystem; +@@ -432,6 +432,12 @@ public class GroupService extends SubsystemService implements GroupResource { + } + + public void audit(String type, String id, Map params, String status) { +- audit(AuditEvent.CONFIG_ROLE, ScopeDef.SC_GROUPS, type, id, params, status); ++ ++ if (auditor == null) return; ++ ++ auditor.log(new ConfigRoleEvent( ++ auditor.getSubjectID(), ++ status, ++ auditor.getParamString(ScopeDef.SC_GROUPS, type, id, params))); + } + } +diff --git a/base/server/cms/src/org/dogtagpki/server/rest/UserService.java b/base/server/cms/src/org/dogtagpki/server/rest/UserService.java +index e10c4f5..ec690d6 100644 +--- a/base/server/cms/src/org/dogtagpki/server/rest/UserService.java ++++ b/base/server/cms/src/org/dogtagpki/server/rest/UserService.java +@@ -52,8 +52,8 @@ import com.netscape.certsrv.common.OpDef; + import com.netscape.certsrv.common.ScopeDef; + import com.netscape.certsrv.dbs.certdb.CertId; + import com.netscape.certsrv.group.GroupMemberData; +-import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.ILogger; ++import com.netscape.certsrv.logging.event.ConfigRoleEvent; + import com.netscape.certsrv.password.IPasswordCheck; + import com.netscape.certsrv.user.UserCertCollection; + import com.netscape.certsrv.user.UserCertData; +@@ -1227,10 +1227,22 @@ public class UserService extends SubsystemService implements UserResource { + } + + public void auditUser(String type, String id, Map params, String status) { +- audit(AuditEvent.CONFIG_ROLE, ScopeDef.SC_USERS, type, id, params, status); ++ ++ if (auditor == null) return; ++ ++ auditor.log(new ConfigRoleEvent( ++ auditor.getSubjectID(), ++ status, ++ auditor.getParamString(ScopeDef.SC_USERS, type, id, params))); + } + + public void auditUserCert(String type, String id, Map params, 
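Review bot: The `auditor == null` guard and the `ConfigRoleEvent` construction added to `GroupService.audit` are repeated verbatim in `UserService.auditUser` and `UserService.auditUserCert` in the next two hunks, replacing the single `Processor.audit` helper this commit deletes; only the `ScopeDef` constant differs. A shared helper in whichever class declares `auditor` keeps the null check and the event shape in one place, so a later change to the event (or to what happens when no auditor is configured) cannot drift between the three. The early return also means a role change is silently not recorded whenever `auditor` is null; that matches the removed helper, but it deserves a comment at the guard so nobody mistakes it for an oversight. A possible shape, with the helper name chosen here as a proposal:
```java
// in the class that declares auditor (shared parent of GroupService/UserService)
protected void auditConfigRole(String scope, String type, String id, Map params, String status) {
    // no auditor configured: the role change is not written to the signed audit log
    if (auditor == null) return;
    auditor.log(new ConfigRoleEvent(
            auditor.getSubjectID(),
            status,
            auditor.getParamString(scope, type, id, params)));
}

// GroupService
public void audit(String type, String id, Map params, String status) {
    auditConfigRole(ScopeDef.SC_GROUPS, type, id, params, status);
}
```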
String status) { +- audit(AuditEvent.CONFIG_ROLE, ScopeDef.SC_USER_CERTS, type, id, params, status); ++ ++ if (auditor == null) return; ++ ++ auditor.log(new ConfigRoleEvent( ++ auditor.getSubjectID(), ++ status, ++ auditor.getParamString(ScopeDef.SC_USER_CERTS, type, id, params))); + } + } +-- +1.8.3.1 + + +From 692b2d776397b8fd2e4dfbab3a5d2ac407c440de Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Wed, 12 Apr 2017 21:45:12 +0200 +Subject: [PATCH 30/49] Added CertRequestProcessedEvent. + +A new CertRequestProcessedEvent class of has been added to +encapsulate the CERT_REQUEST_PROCESSED events. + +https://pagure.io/dogtagpki/issue/2636 + +Change-Id: Ia79e6ae13d09a3ec6509c60435fc24d5a2fee38f +--- + .../logging/event/CertRequestProcessedEvent.java | 43 +++++++ + .../netscape/cms/servlet/cert/CertProcessor.java | 26 ++--- + .../netscape/cms/servlet/cert/EnrollServlet.java | 50 +++------ + .../cms/servlet/cert/RequestProcessor.java | 42 ++----- + .../cms/servlet/connector/ConnectorServlet.java | 19 ++-- + .../servlet/profile/ProfileSubmitCMCServlet.java | 38 +++---- + .../cms/servlet/request/ProcessCertReq.java | 125 +++++++-------------- + 7 files changed, 138 insertions(+), 205 deletions(-) + create mode 100644 base/common/src/com/netscape/certsrv/logging/event/CertRequestProcessedEvent.java + +diff --git a/base/common/src/com/netscape/certsrv/logging/event/CertRequestProcessedEvent.java b/base/common/src/com/netscape/certsrv/logging/event/CertRequestProcessedEvent.java +new file mode 100644 +index 0000000..1703f65 +--- /dev/null ++++ b/base/common/src/com/netscape/certsrv/logging/event/CertRequestProcessedEvent.java +@@ -0,0 +1,43 @@ ++// --- BEGIN COPYRIGHT BLOCK --- ++// This program is free software; you can redistribute it and/or modify ++// it under the terms of the GNU General Public License as published by ++// the Free Software Foundation; version 2 of the License. 
++// ++// This program is distributed in the hope that it will be useful, ++// but WITHOUT ANY WARRANTY; without even the implied warranty of ++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++// GNU General Public License for more details. ++// ++// You should have received a copy of the GNU General Public License along ++// with this program; if not, write to the Free Software Foundation, Inc., ++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. ++// ++// (C) 2017 Red Hat, Inc. ++// All rights reserved. ++// --- END COPYRIGHT BLOCK --- ++package com.netscape.certsrv.logging.event; ++ ++import com.netscape.certsrv.logging.AuditEvent; ++ ++public class CertRequestProcessedEvent extends AuditEvent { ++ ++ private static final long serialVersionUID = 1L; ++ ++ public CertRequestProcessedEvent( ++ String subjectID, ++ String outcome, ++ String requesterID, ++ String infoName, ++ String infoValue) { ++ ++ super(CERT_REQUEST_PROCESSED); ++ ++ setParameters(new Object[] { ++ subjectID, ++ outcome, ++ requesterID, ++ infoName, ++ infoValue ++ }); ++ } ++} +diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java +index c16d8e0..2a60cb0 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java +@@ -32,8 +32,8 @@ import com.netscape.certsrv.authentication.IAuthToken; + import com.netscape.certsrv.base.EBaseException; + import com.netscape.certsrv.base.EPropertyNotFound; + import com.netscape.certsrv.cert.CertEnrollmentRequest; +-import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.ILogger; ++import com.netscape.certsrv.logging.event.CertRequestProcessedEvent; + import com.netscape.certsrv.profile.EDeferException; + import com.netscape.certsrv.profile.ERejectException; + import 
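Review bot: `CertRequestProcessedEvent` ships without any class or constructor Javadoc, and its five constructor arguments are positional Strings whose meaning depends entirely on the order `setParameters` places them in. A class comment stating that the arguments fill, in order, the subjectID, outcome, requesterID, infoName and infoValue slots of the `CERT_REQUEST_PROCESSED` audit event, and that call sites pass `ILogger.SUCCESS`/`ILogger.FAILURE` for outcome and `ILogger.SIGNED_AUDIT_EMPTY_VALUE` when there is no value to report (as the converted call sites below do), would let a reader check each `audit(new CertRequestProcessedEvent(...))` against the contract without opening the message catalogue. How a null argument is rendered by `setParameters` is not visible in this patch and is worth stating in the same comment once confirmed.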
com.netscape.certsrv.profile.IEnrollProfile; +@@ -217,7 +217,6 @@ public class CertProcessor extends CAProcessor { + } + + protected String submitRequests(Locale locale, IProfile profile, IAuthToken authToken, IRequest[] reqs) { +- String auditMessage = null; + String auditSubjectID = auditSubjectID(); + String auditRequesterID = ILogger.UNIDENTIFIED; + String errorCode = null; +@@ -252,16 +251,13 @@ public class CertProcessor extends CAProcessor { + if (auditInfoCertValue != null) { + if (!(auditInfoCertValue.equals( + ILogger.SIGNED_AUDIT_EMPTY_VALUE))) { +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CERT_REQUEST_PROCESSED, ++ ++ audit(new CertRequestProcessedEvent( + auditSubjectID, + ILogger.SUCCESS, + auditRequesterID, + ILogger.SIGNED_AUDIT_ACCEPTANCE, +- auditInfoCertValue); +- +- audit(auditMessage); ++ auditInfoCertValue)); + } + } + } catch (EDeferException e) { +@@ -288,16 +284,13 @@ public class CertProcessor extends CAProcessor { + req.setExtData(IRequest.ERROR, e.toString()); + req.setExtData(IRequest.ERROR_CODE, errorCode); + +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CERT_REQUEST_PROCESSED, ++ audit(new CertRequestProcessedEvent( + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + ILogger.SIGNED_AUDIT_REJECTION, +- codeToReason(locale, errorCode, e.toString(), req.getRequestId())); ++ codeToReason(locale, errorCode, e.toString(), req.getRequestId()))); + +- audit(auditMessage); + } catch (Throwable e) { + // return error to the user + CMS.debug(e); +@@ -307,15 +300,12 @@ public class CertProcessor extends CAProcessor { + req.setExtData(IRequest.ERROR, errorReason); + req.setExtData(IRequest.ERROR_CODE, errorCode); + +- auditMessage = CMS.getLogMessage( +- AuditEvent.CERT_REQUEST_PROCESSED, ++ audit(new CertRequestProcessedEvent( + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + ILogger.SIGNED_AUDIT_REJECTION, +- 
errorReason); +- +- audit(auditMessage); ++ errorReason)); + } + + try { +diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollServlet.java b/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollServlet.java +index 6f01d2a..cb2b76f 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollServlet.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollServlet.java +@@ -53,6 +53,7 @@ import com.netscape.certsrv.dbs.certdb.ICertificateRepository; + import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.AuditFormat; + import com.netscape.certsrv.logging.ILogger; ++import com.netscape.certsrv.logging.event.CertRequestProcessedEvent; + import com.netscape.certsrv.request.IRequest; + import com.netscape.certsrv.request.RequestStatus; + import com.netscape.certsrv.usrgrp.IGroup; +@@ -1368,29 +1369,23 @@ public class EnrollServlet extends CMSServlet { + for (int i = 0; i < issuedCerts.length; i++) { + // (automated "agent" cert request processed + // - "accepted") +- auditMessage = CMS.getLogMessage( +- AuditEvent.CERT_REQUEST_PROCESSED, ++ audit(new CertRequestProcessedEvent( + auditSubjectID, + ILogger.SUCCESS, + auditRequesterID, + ILogger.SIGNED_AUDIT_ACCEPTANCE, +- auditInfoCertValue(issuedCerts[i])); +- +- audit(auditMessage); ++ auditInfoCertValue(issuedCerts[i]))); + } + } catch (IOException ex) { + cmsReq.setStatus(ICMSRequest.ERROR); + + // (automated "agent" cert request processed - "rejected") +- auditMessage = CMS.getLogMessage( +- AuditEvent.CERT_REQUEST_PROCESSED, ++ audit(new CertRequestProcessedEvent( + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + ILogger.SIGNED_AUDIT_REJECTION, +- SIGNED_AUDIT_AUTOMATED_REJECTION_REASON[0]); +- +- audit(auditMessage); ++ SIGNED_AUDIT_AUTOMATED_REJECTION_REASON[0])); + } + + return; +@@ -1402,15 +1397,12 @@ public class EnrollServlet extends CMSServlet { + + if (completed == false) { + // (automated "agent" cert request processed - 
"rejected") +- auditMessage = CMS.getLogMessage( +- AuditEvent.CERT_REQUEST_PROCESSED, ++ audit(new CertRequestProcessedEvent( + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + ILogger.SIGNED_AUDIT_REJECTION, +- SIGNED_AUDIT_AUTOMATED_REJECTION_REASON[1]); +- +- audit(auditMessage); ++ SIGNED_AUDIT_AUTOMATED_REJECTION_REASON[1])); + + return; + } +@@ -1458,15 +1450,12 @@ public class EnrollServlet extends CMSServlet { + + for (int i = 0; i < issuedCerts.length; i++) { + // (automated "agent" cert request processed - "accepted") +- auditMessage = CMS.getLogMessage( +- AuditEvent.CERT_REQUEST_PROCESSED, ++ audit(new CertRequestProcessedEvent( + auditSubjectID, + ILogger.SUCCESS, + auditRequesterID, + ILogger.SIGNED_AUDIT_ACCEPTANCE, +- auditInfoCertValue(issuedCerts[i])); +- +- audit(auditMessage); ++ auditInfoCertValue(issuedCerts[i]))); + } + + return; +@@ -1481,15 +1470,12 @@ public class EnrollServlet extends CMSServlet { + + for (int i = 0; i < issuedCerts.length; i++) { + // (automated "agent" cert request processed - "accepted") +- auditMessage = CMS.getLogMessage( +- AuditEvent.CERT_REQUEST_PROCESSED, ++ audit(new CertRequestProcessedEvent( + auditSubjectID, + ILogger.SUCCESS, + auditRequesterID, + ILogger.SIGNED_AUDIT_ACCEPTANCE, +- auditInfoCertValue(issuedCerts[i])); +- +- audit(auditMessage); ++ auditInfoCertValue(issuedCerts[i]))); + } + } catch (IOException e) { + log(ILogger.LL_FAILURE, +@@ -1498,15 +1484,12 @@ public class EnrollServlet extends CMSServlet { + e.toString())); + + // (automated "agent" cert request processed - "rejected") +- auditMessage = CMS.getLogMessage( +- AuditEvent.CERT_REQUEST_PROCESSED, ++ audit(new CertRequestProcessedEvent( + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + ILogger.SIGNED_AUDIT_REJECTION, +- SIGNED_AUDIT_AUTOMATED_REJECTION_REASON[2]); +- +- audit(auditMessage); ++ SIGNED_AUDIT_AUTOMATED_REJECTION_REASON[2])); + + throw new ECMSGWException( + 
CMS.getUserMessage("CMS_GW_RETURNING_RESULT_ERROR")); +@@ -1514,15 +1497,12 @@ public class EnrollServlet extends CMSServlet { + } catch (EBaseException eAudit1) { + // store a message in the signed audit log file + // (automated "agent" cert request processed - "rejected") +- auditMessage = CMS.getLogMessage( +- AuditEvent.CERT_REQUEST_PROCESSED, ++ audit(new CertRequestProcessedEvent( + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + ILogger.SIGNED_AUDIT_REJECTION, +- SIGNED_AUDIT_AUTOMATED_REJECTION_REASON[3]); +- +- audit(auditMessage); ++ SIGNED_AUDIT_AUTOMATED_REJECTION_REASON[3])); + + throw eAudit1; + } +diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/RequestProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/cert/RequestProcessor.java +index 474a2e5..66fe58c 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/cert/RequestProcessor.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/cert/RequestProcessor.java +@@ -25,8 +25,6 @@ import java.util.Locale; + + import javax.servlet.http.HttpServletRequest; + +-import netscape.security.x509.X509CertImpl; +- + import com.netscape.certsrv.apps.CMS; + import com.netscape.certsrv.authentication.IAuthToken; + import com.netscape.certsrv.authorization.AuthzToken; +@@ -40,8 +38,8 @@ import com.netscape.certsrv.ca.AuthorityID; + import com.netscape.certsrv.ca.CANotFoundException; + import com.netscape.certsrv.ca.ICertificateAuthority; + import com.netscape.certsrv.cert.CertReviewResponse; +-import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.ILogger; ++import com.netscape.certsrv.logging.event.CertRequestProcessedEvent; + import com.netscape.certsrv.profile.EDeferException; + import com.netscape.certsrv.profile.EProfileException; + import com.netscape.certsrv.profile.ERejectException; +@@ -62,6 +60,8 @@ import com.netscape.certsrv.request.RequestStatus; + import com.netscape.cms.servlet.common.CMSRequest; + import 
com.netscape.cms.servlet.profile.ProfileOutputFactory; + ++import netscape.security.x509.X509CertImpl; ++ + public class RequestProcessor extends CertProcessor { + + public RequestProcessor(String id, Locale locale) throws EPropertyNotFound, EBaseException { +@@ -275,23 +275,18 @@ public class RequestProcessor extends CertProcessor { + * occurred + */ + private void cancelRequest(IRequest req) throws EProfileException { +- String auditMessage = null; + String auditSubjectID = auditSubjectID(); + String auditRequesterID = auditRequesterID(req); + String auditInfoValue = auditInfoValue(req); + + req.setRequestStatus(RequestStatus.CANCELED); + +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CERT_REQUEST_PROCESSED, ++ audit(new CertRequestProcessedEvent( + auditSubjectID, + ILogger.SUCCESS, + auditRequesterID, + ILogger.SIGNED_AUDIT_CANCELLATION, +- auditInfoValue); +- +- audit(auditMessage); ++ auditInfoValue)); + } + + /** +@@ -311,23 +306,18 @@ public class RequestProcessor extends CertProcessor { + * occurred + */ + private void rejectRequest(IRequest req) throws EProfileException { +- String auditMessage = null; + String auditSubjectID = auditSubjectID(); + String auditRequesterID = auditRequesterID(req); + String auditInfoValue = auditInfoValue(req); + + req.setRequestStatus(RequestStatus.REJECTED); + +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CERT_REQUEST_PROCESSED, ++ audit(new CertRequestProcessedEvent( + auditSubjectID, + ILogger.SUCCESS, + auditRequesterID, + ILogger.SIGNED_AUDIT_REJECTION, +- auditInfoValue); +- +- audit(auditMessage); ++ auditInfoValue)); + } + + /** +@@ -374,7 +364,6 @@ public class RequestProcessor extends CertProcessor { + */ + private void approveRequest(IRequest req, CertReviewResponse data, IProfile profile, Locale locale) + throws EBaseException { +- String auditMessage = null; + String auditSubjectID = auditSubjectID(); 
+ String auditRequesterID = auditRequesterID(req); + +@@ -398,28 +387,21 @@ public class RequestProcessor extends CertProcessor { + X509CertImpl theCert = req.getExtDataInCert( + IEnrollProfile.REQUEST_ISSUED_CERT); + +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CERT_REQUEST_PROCESSED, ++ audit(new CertRequestProcessedEvent( + auditSubjectID, + ILogger.SUCCESS, + auditRequesterID, + ILogger.SIGNED_AUDIT_ACCEPTANCE, +- auditInfoCertValue(theCert)); +- +- audit(auditMessage); ++ auditInfoCertValue(theCert))); + + } catch (EProfileException eAudit1) { +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CERT_REQUEST_PROCESSED, ++ ++ audit(new CertRequestProcessedEvent( + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + ILogger.SIGNED_AUDIT_ACCEPTANCE, +- ILogger.SIGNED_AUDIT_EMPTY_VALUE); +- +- audit(auditMessage); ++ ILogger.SIGNED_AUDIT_EMPTY_VALUE)); + + CMS.debug("CertRequestExecutor: about to throw EProfileException because of bad profile execute."); + throw eAudit1; +diff --git a/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java b/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java +index 6732e92..ee60187 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java +@@ -52,6 +52,7 @@ import com.netscape.certsrv.connector.IRequestEncoder; + import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.AuditFormat; + import com.netscape.certsrv.logging.ILogger; ++import com.netscape.certsrv.logging.event.CertRequestProcessedEvent; + import com.netscape.certsrv.profile.EProfileException; + import com.netscape.certsrv.profile.IEnrollProfile; + import com.netscape.certsrv.profile.IProfileSubsystem; +@@ -626,16 +627,13 @@ public class ConnectorServlet extends CMSServlet 
{ + if (auditInfoCertValue != null) { + if (!(auditInfoCertValue.equals( + ILogger.SIGNED_AUDIT_EMPTY_VALUE))) { +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CERT_REQUEST_PROCESSED, ++ ++ audit(new CertRequestProcessedEvent( + auditSubjectID, + ILogger.SUCCESS, + auditRequesterID, + ILogger.SIGNED_AUDIT_ACCEPTANCE, +- auditInfoCertValue); +- +- audit(auditMessage); ++ auditInfoCertValue)); + } + } + } +@@ -648,16 +646,13 @@ public class ConnectorServlet extends CMSServlet { + if (auditInfoCertValue != null) { + if (!(auditInfoCertValue.equals( + ILogger.SIGNED_AUDIT_EMPTY_VALUE))) { +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CERT_REQUEST_PROCESSED, ++ ++ audit(new CertRequestProcessedEvent( + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + ILogger.SIGNED_AUDIT_ACCEPTANCE, +- auditInfoCertValue); +- +- audit(auditMessage); ++ auditInfoCertValue)); + } + } + } +diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java +index c3ada9a..28f777b 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java +@@ -44,8 +44,8 @@ import com.netscape.certsrv.authentication.IAuthToken; + import com.netscape.certsrv.authorization.AuthzToken; + import com.netscape.certsrv.base.EBaseException; + import com.netscape.certsrv.base.SessionContext; +-import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.ILogger; ++import com.netscape.certsrv.logging.event.CertRequestProcessedEvent; + import com.netscape.certsrv.profile.EDeferException; + import com.netscape.certsrv.profile.EProfileException; + import com.netscape.certsrv.profile.ERejectException; +@@ -639,7 +639,6 @@ public class 
ProfileSubmitCMCServlet extends ProfileServlet { + } + } //for + +- String auditMessage = null; + String auditSubjectID = auditSubjectID(); + String auditRequesterID = ILogger.UNIDENTIFIED; + +@@ -677,16 +676,13 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { + if (auditInfoCertValue != null) { + if (!(auditInfoCertValue.equals( + ILogger.SIGNED_AUDIT_EMPTY_VALUE))) { +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CERT_REQUEST_PROCESSED, ++ ++ audit(new CertRequestProcessedEvent( + auditSubjectID, + ILogger.SUCCESS, + auditRequesterID, + ILogger.SIGNED_AUDIT_ACCEPTANCE, +- auditInfoCertValue); +- +- audit(auditMessage); ++ auditInfoCertValue)); + } + } + } catch (EDeferException e) { +@@ -733,31 +729,26 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { + + if (errorCode != null) { + if (errorCode.equals("1")) { +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CERT_REQUEST_PROCESSED, ++ ++ audit(new CertRequestProcessedEvent( + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + ILogger.SIGNED_AUDIT_REJECTION, +- errorReason); ++ errorReason)); + +- audit(auditMessage); + } else if (errorCode.equals("2")) { + // do NOT store a message in the signed audit log file + // as this errorCode indicates that a process has been + // deferred for manual acceptance/cancellation/rejection + } else if (errorCode.equals("3")) { +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CERT_REQUEST_PROCESSED, ++ ++ audit(new CertRequestProcessedEvent( + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + ILogger.SIGNED_AUDIT_REJECTION, +- errorReason); +- +- audit(auditMessage); ++ errorReason)); + } + error_codes[k] = Integer.parseInt(errorCode); + } else +@@ -782,16 +773,13 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { + if (auditInfoCertValue != null) { + if 
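Review bot: In the `@@ -733,31 +729,26 @@` hunk the `errorCode.equals("1")` and `errorCode.equals("3")` branches now build byte-identical `CertRequestProcessedEvent`s (`ILogger.FAILURE`, `ILogger.SIGNED_AUDIT_REJECTION`, `errorReason`), so this rewrite is the natural moment to fold them into one branch, `if (errorCode.equals("1") || errorCode.equals("3")) {`, leaving the `"2"` deferral case with its existing comment; the order of the equals checks does not matter since the codes are distinct. If the two codes are meant to be distinguishable in the audit record, a comment explaining why they are logged identically is needed instead. The enclosing loop and method start and end outside the hunk.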
(!(auditInfoCertValue.equals( + ILogger.SIGNED_AUDIT_EMPTY_VALUE))) { +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CERT_REQUEST_PROCESSED, ++ ++ audit(new CertRequestProcessedEvent( + auditSubjectID, + ILogger.SUCCESS, + auditRequesterID, + ILogger.SIGNED_AUDIT_ACCEPTANCE, +- auditInfoCertValue); +- +- audit(auditMessage); ++ auditInfoCertValue)); + } + } + } catch (ERejectException e) { +diff --git a/base/server/cms/src/com/netscape/cms/servlet/request/ProcessCertReq.java b/base/server/cms/src/com/netscape/cms/servlet/request/ProcessCertReq.java +index 9d0da48..2bcc8ad 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/request/ProcessCertReq.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/request/ProcessCertReq.java +@@ -50,6 +50,7 @@ import com.netscape.certsrv.common.ICMSRequest; + import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.AuditFormat; + import com.netscape.certsrv.logging.ILogger; ++import com.netscape.certsrv.logging.event.CertRequestProcessedEvent; + import com.netscape.certsrv.publish.IPublisherProcessor; + import com.netscape.certsrv.request.IRequest; + import com.netscape.certsrv.request.IRequestQueue; +@@ -463,37 +464,31 @@ public class ProcessCertReq extends CMSServlet { + audit(auditMessage); + } else if (toDo.equals(SIGNED_AUDIT_ACCEPTANCE)) { + // (manual "agent" cert request processed - "accepted") +- auditMessage = CMS.getLogMessage( +- AuditEvent.CERT_REQUEST_PROCESSED, ++ ++ audit(new CertRequestProcessedEvent( + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditInfoName, +- ILogger.SIGNED_AUDIT_EMPTY_VALUE); ++ ILogger.SIGNED_AUDIT_EMPTY_VALUE)); + +- audit(auditMessage); + } else if (toDo.equals(SIGNED_AUDIT_CANCELLATION)) { + // (manual "agent" cert request processed - "cancelled") +- auditMessage = CMS.getLogMessage( +- AuditEvent.CERT_REQUEST_PROCESSED, ++ audit(new CertRequestProcessedEvent( + auditSubjectID, + 
ILogger.FAILURE, + auditRequesterID, + auditInfoName, +- SIGNED_AUDIT_MANUAL_CANCELLATION_REASON[0]); ++ SIGNED_AUDIT_MANUAL_CANCELLATION_REASON[0])); + +- audit(auditMessage); + } else if (toDo.equals(SIGNED_AUDIT_REJECTION)) { + // (manual "agent" cert request processed - "rejected") +- auditMessage = CMS.getLogMessage( +- AuditEvent.CERT_REQUEST_PROCESSED, ++ audit(new CertRequestProcessedEvent( + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditInfoName, +- SIGNED_AUDIT_MANUAL_REJECTION_REASON[0]); +- +- audit(auditMessage); ++ SIGNED_AUDIT_MANUAL_REJECTION_REASON[0])); + } + + return; +@@ -935,15 +930,12 @@ public class ProcessCertReq extends CMSServlet { + // store a message in the signed audit log file + // (one for each manual "agent" + // cert request processed - "accepted") +- auditMessage = CMS.getLogMessage( +- AuditEvent.CERT_REQUEST_PROCESSED, ++ audit(new CertRequestProcessedEvent( + auditSubjectID, + ILogger.SUCCESS, + auditRequesterID, + auditInfoName, +- auditInfoCertValue(issuedCerts[i])); +- +- audit(auditMessage); ++ auditInfoCertValue(issuedCerts[i]))); + } + header.addStringValue( + "serialNumber", sbuf.toString()); +@@ -979,15 +971,12 @@ public class ProcessCertReq extends CMSServlet { + // store a message in the signed audit log file + // (manual "agent" cert request processed + // - "accepted") +- auditMessage = CMS.getLogMessage( +- AuditEvent.CERT_REQUEST_PROCESSED, ++ audit(new CertRequestProcessedEvent( + auditSubjectID, + ILogger.SUCCESS, + auditRequesterID, + auditInfoName, +- ILogger.SIGNED_AUDIT_EMPTY_VALUE); +- +- audit(auditMessage); ++ ILogger.SIGNED_AUDIT_EMPTY_VALUE)); + } + + // grant trusted manager or agent privileges +@@ -1104,15 +1093,12 @@ public class ProcessCertReq extends CMSServlet { + + // store a message in the signed audit log file + // (manual "agent" cert request processed - "rejected") +- auditMessage = CMS.getLogMessage( +- AuditEvent.CERT_REQUEST_PROCESSED, ++ audit(new CertRequestProcessedEvent( 
+ auditSubjectID, + ILogger.SUCCESS, + auditRequesterID, + auditInfoName, +- SIGNED_AUDIT_MANUAL_REJECTION_REASON[1]); +- +- audit(auditMessage); ++ SIGNED_AUDIT_MANUAL_REJECTION_REASON[1])); + + } else if (toDo.equals("cancel")) { + mQueue.cancelRequest(r); +@@ -1166,15 +1152,12 @@ public class ProcessCertReq extends CMSServlet { + + // store a message in the signed audit log file + // (manual "agent" cert request processed - "cancelled") +- auditMessage = CMS.getLogMessage( +- AuditEvent.CERT_REQUEST_PROCESSED, ++ audit(new CertRequestProcessedEvent( + auditSubjectID, + ILogger.SUCCESS, + auditRequesterID, + auditInfoName, +- SIGNED_AUDIT_MANUAL_CANCELLATION_REASON[1]); +- +- audit(auditMessage); ++ SIGNED_AUDIT_MANUAL_CANCELLATION_REASON[1])); + + } else if (toDo.equals("clone")) { + IRequest clonedRequest = mQueue.cloneAndMarkPending(r); +@@ -1277,37 +1260,30 @@ public class ProcessCertReq extends CMSServlet { + audit(auditMessage); + } else if (toDo.equals(SIGNED_AUDIT_ACCEPTANCE)) { + // (manual "agent" cert request processed - "accepted") +- auditMessage = CMS.getLogMessage( +- AuditEvent.CERT_REQUEST_PROCESSED, ++ audit(new CertRequestProcessedEvent( + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditInfoName, +- ILogger.SIGNED_AUDIT_EMPTY_VALUE); ++ ILogger.SIGNED_AUDIT_EMPTY_VALUE)); + +- audit(auditMessage); + } else if (toDo.equals(SIGNED_AUDIT_CANCELLATION)) { + // (manual "agent" cert request processed - "cancelled") +- auditMessage = CMS.getLogMessage( +- AuditEvent.CERT_REQUEST_PROCESSED, ++ audit(new CertRequestProcessedEvent( + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditInfoName, +- SIGNED_AUDIT_MANUAL_CANCELLATION_REASON[2]); ++ SIGNED_AUDIT_MANUAL_CANCELLATION_REASON[2])); + +- audit(auditMessage); + } else if (toDo.equals(SIGNED_AUDIT_REJECTION)) { + // (manual "agent" cert request processed - "rejected") +- auditMessage = CMS.getLogMessage( +- AuditEvent.CERT_REQUEST_PROCESSED, ++ audit(new 
CertRequestProcessedEvent( + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditInfoName, +- SIGNED_AUDIT_MANUAL_REJECTION_REASON[2]); +- +- audit(auditMessage); ++ SIGNED_AUDIT_MANUAL_REJECTION_REASON[2])); + } + } + +@@ -1330,37 +1306,30 @@ public class ProcessCertReq extends CMSServlet { + audit(auditMessage); + } else if (toDo.equals(SIGNED_AUDIT_ACCEPTANCE)) { + // (manual "agent" cert request processed - "accepted") +- auditMessage = CMS.getLogMessage( +- AuditEvent.CERT_REQUEST_PROCESSED, ++ audit(new CertRequestProcessedEvent( + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditInfoName, +- ILogger.SIGNED_AUDIT_EMPTY_VALUE); ++ ILogger.SIGNED_AUDIT_EMPTY_VALUE)); + +- audit(auditMessage); + } else if (toDo.equals(SIGNED_AUDIT_CANCELLATION)) { + // (manual "agent" cert request processed - "cancelled") +- auditMessage = CMS.getLogMessage( +- AuditEvent.CERT_REQUEST_PROCESSED, ++ audit(new CertRequestProcessedEvent( + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditInfoName, +- SIGNED_AUDIT_MANUAL_CANCELLATION_REASON[3]); ++ SIGNED_AUDIT_MANUAL_CANCELLATION_REASON[3])); + +- audit(auditMessage); + } else if (toDo.equals(SIGNED_AUDIT_REJECTION)) { + // (manual "agent" cert request processed - "rejected") +- auditMessage = CMS.getLogMessage( +- AuditEvent.CERT_REQUEST_PROCESSED, ++ audit(new CertRequestProcessedEvent( + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditInfoName, +- SIGNED_AUDIT_MANUAL_REJECTION_REASON[3]); +- +- audit(auditMessage); ++ SIGNED_AUDIT_MANUAL_REJECTION_REASON[3])); + } + } + +@@ -1384,37 +1353,30 @@ public class ProcessCertReq extends CMSServlet { + audit(auditMessage); + } else if (toDo.equals(SIGNED_AUDIT_ACCEPTANCE)) { + // (manual "agent" cert request processed - "accepted") +- auditMessage = CMS.getLogMessage( +- AuditEvent.CERT_REQUEST_PROCESSED, ++ audit(new CertRequestProcessedEvent( + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditInfoName, +- 
ILogger.SIGNED_AUDIT_EMPTY_VALUE); ++ ILogger.SIGNED_AUDIT_EMPTY_VALUE)); + +- audit(auditMessage); + } else if (toDo.equals(SIGNED_AUDIT_CANCELLATION)) { + // (manual "agent" cert request processed - "cancelled") +- auditMessage = CMS.getLogMessage( +- AuditEvent.CERT_REQUEST_PROCESSED, ++ audit(new CertRequestProcessedEvent( + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditInfoName, +- SIGNED_AUDIT_MANUAL_CANCELLATION_REASON[4]); ++ SIGNED_AUDIT_MANUAL_CANCELLATION_REASON[4])); + +- audit(auditMessage); + } else if (toDo.equals(SIGNED_AUDIT_REJECTION)) { + // (manual "agent" cert request processed - "rejected") +- auditMessage = CMS.getLogMessage( +- AuditEvent.CERT_REQUEST_PROCESSED, ++ audit(new CertRequestProcessedEvent( + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditInfoName, +- SIGNED_AUDIT_MANUAL_REJECTION_REASON[4]); +- +- audit(auditMessage); ++ SIGNED_AUDIT_MANUAL_REJECTION_REASON[4])); + } + } + +@@ -1438,37 +1400,30 @@ public class ProcessCertReq extends CMSServlet { + audit(auditMessage); + } else if (toDo.equals(SIGNED_AUDIT_ACCEPTANCE)) { + // (manual "agent" cert request processed - "accepted") +- auditMessage = CMS.getLogMessage( +- AuditEvent.CERT_REQUEST_PROCESSED, ++ audit(new CertRequestProcessedEvent( + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditInfoName, +- ILogger.SIGNED_AUDIT_EMPTY_VALUE); ++ ILogger.SIGNED_AUDIT_EMPTY_VALUE)); + +- audit(auditMessage); + } else if (toDo.equals(SIGNED_AUDIT_CANCELLATION)) { + // (manual "agent" cert request processed - "cancelled") +- auditMessage = CMS.getLogMessage( +- AuditEvent.CERT_REQUEST_PROCESSED, ++ audit(new CertRequestProcessedEvent( + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditInfoName, +- SIGNED_AUDIT_MANUAL_CANCELLATION_REASON[5]); ++ SIGNED_AUDIT_MANUAL_CANCELLATION_REASON[5])); + +- audit(auditMessage); + } else if (toDo.equals(SIGNED_AUDIT_REJECTION)) { + // (manual "agent" cert request processed - "rejected") +- 
auditMessage = CMS.getLogMessage( +- AuditEvent.CERT_REQUEST_PROCESSED, ++ audit(new CertRequestProcessedEvent( + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditInfoName, +- SIGNED_AUDIT_MANUAL_REJECTION_REASON[5]); +- +- audit(auditMessage); ++ SIGNED_AUDIT_MANUAL_REJECTION_REASON[5])); + } + } + +-- +1.8.3.1 + + +From f902b0365f2cf92f14f0a814394cd025669b3ea8 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Mon, 24 Apr 2017 20:35:50 +0200 +Subject: [PATCH 31/49] Updated debug logs in SystemConfigService. + +Change-Id: Id73bd6d3c0874c327bc27260318a2c671f0f0177 +--- + .../src/org/dogtagpki/server/rest/SystemConfigService.java | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java +index 27a6817..afbb24a 100644 +--- a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java ++++ b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java +@@ -1008,18 +1008,25 @@ public class SystemConfigService extends PKIService implements SystemConfigResou + + if (!CryptoUtil.isInternalToken(token)) { + try { ++ CMS.debug("Logging into token " + token); + CryptoToken ctoken = CryptoUtil.getKeyStorageToken(token); + String tokenpwd = data.getTokenPassword(); + ConfigurationUtils.loginToken(ctoken, tokenpwd); ++ + } catch (NotInitializedException e) { ++ CMS.debug(e); + throw new PKIException("Token is not initialized", e); ++ + } catch (NoSuchTokenException e) { +- throw new BadRequestException("Invalid Token provided. 
No such token.", e); ++ CMS.debug(e); ++ throw new BadRequestException("No such key storage token: " + token, e); ++ + } catch (TokenException e) { + CMS.debug(e); + throw new PKIException("Token Exception: " + e, e); ++ + } catch (IncorrectPasswordException e) { +- throw new BadRequestException("Incorrect Password provided for token.", e); ++ throw new BadRequestException("Incorrect password for token " + token, e); + } + } + } +-- +1.8.3.1 + + +From 993a55fb4c883b3ca7ea0e64e24f4501909a571c Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Fri, 21 Apr 2017 05:37:05 +0200 +Subject: [PATCH 32/49] Added ConfigSignedAuditEvent. + +A new SignedAuditConfigRoleEvent class of has been added to +encapsulate the CONFIG_SIGNED_AUDIT events. + +https://pagure.io/dogtagpki/issue/2641 + +Change-Id: I95b897fa0bb73007a7cec009c43ade4cc860f0cd +--- + .../logging/event/ConfigSignedAuditEvent.java | 39 +++ + .../cms/servlet/admin/LogAdminServlet.java | 381 ++++++++------------- + .../org/dogtagpki/server/rest/AuditService.java | 9 +- + 3 files changed, 185 insertions(+), 244 deletions(-) + create mode 100644 base/common/src/com/netscape/certsrv/logging/event/ConfigSignedAuditEvent.java + +diff --git a/base/common/src/com/netscape/certsrv/logging/event/ConfigSignedAuditEvent.java b/base/common/src/com/netscape/certsrv/logging/event/ConfigSignedAuditEvent.java +new file mode 100644 +index 0000000..32de443 +--- /dev/null ++++ b/base/common/src/com/netscape/certsrv/logging/event/ConfigSignedAuditEvent.java +@@ -0,0 +1,39 @@ ++// --- BEGIN COPYRIGHT BLOCK --- ++// This program is free software; you can redistribute it and/or modify ++// it under the terms of the GNU General Public License as published by ++// the Free Software Foundation; version 2 of the License. ++// ++// This program is distributed in the hope that it will be useful, ++// but WITHOUT ANY WARRANTY; without even the implied warranty of ++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
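Review bot: The new `CMS.debug("Logging into token " + token)` and the rewritten `BadRequestException` messages write the token name straight into the debug log and into the HTTP response; `token` appears to come from the request payload (the same `data` object supplies `getTokenPassword()`), so a name containing CR/LF can forge debug-log lines and the response echoes client input verbatim. Stripping control characters before logging, e.g. `CMS.debug("Logging into token: " + token.replaceAll("[\\r\\n]", " "))`, closes the log-injection path, and a fixed `"Unknown key storage token"` response text with the name only in the debug entry would avoid the echo. The `IncorrectPasswordException` branch is the only one without a `CMS.debug(e)`; if that is intentional, a comment such as `// not debug-logged on purpose: keep credential failures out of the debug log` would stop a later "consistency" fix from adding it. The enclosing method starts outside the hunk.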
See the ++// GNU General Public License for more details. ++// ++// You should have received a copy of the GNU General Public License along ++// with this program; if not, write to the Free Software Foundation, Inc., ++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. ++// ++// (C) 2017 Red Hat, Inc. ++// All rights reserved. ++// --- END COPYRIGHT BLOCK --- ++package com.netscape.certsrv.logging.event; ++ ++import com.netscape.certsrv.logging.AuditEvent; ++ ++public class ConfigSignedAuditEvent extends AuditEvent { ++ ++ private static final long serialVersionUID = 1L; ++ ++ public ConfigSignedAuditEvent( ++ String subjectID, ++ String outcome, ++ String params) { ++ ++ super(CONFIG_SIGNED_AUDIT); ++ ++ setParameters(new Object[] { ++ subjectID, ++ outcome, ++ params ++ }); ++ } ++} +diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/LogAdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/LogAdminServlet.java +index c424520..1641f27 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/admin/LogAdminServlet.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/admin/LogAdminServlet.java +@@ -44,6 +44,7 @@ import com.netscape.certsrv.logging.ILogEventListener; + import com.netscape.certsrv.logging.ILogSubsystem; + import com.netscape.certsrv.logging.ILogger; + import com.netscape.certsrv.logging.LogPlugin; ++import com.netscape.certsrv.logging.event.ConfigSignedAuditEvent; + + /** + * A class representings an administration servlet for logging +@@ -414,7 +415,7 @@ public class LogAdminServlet extends AdminServlet { + private synchronized void addLogPlugin(HttpServletRequest req, + HttpServletResponse resp, String scope) + throws ServletException, IOException, EBaseException { +- String auditMessage = null; ++ + String auditSubjectID = auditSubjectID(); + + // ensure that any low-level exceptions are reported +@@ -435,13 +436,11 @@ public class LogAdminServlet extends AdminServlet { + + // store a message in the 
signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_SIGNED_AUDIT, ++ ++ audit(new ConfigSignedAuditEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + } + + sendResponse(ERROR, +@@ -454,13 +453,11 @@ public class LogAdminServlet extends AdminServlet { + if (mSys.getLogPlugins().containsKey(id)) { + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_SIGNED_AUDIT, ++ ++ audit(new ConfigSignedAuditEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + } + + sendResponse(ERROR, +@@ -475,13 +472,11 @@ public class LogAdminServlet extends AdminServlet { + if (classPath == null) { + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_SIGNED_AUDIT, ++ ++ audit(new ConfigSignedAuditEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + } + + sendResponse(ERROR, +@@ -504,13 +499,11 @@ public class LogAdminServlet extends AdminServlet { + } catch (ClassNotFoundException e) { + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_SIGNED_AUDIT, ++ ++ audit(new ConfigSignedAuditEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + } + + sendResponse(ERROR, +@@ -520,13 +513,11 @@ public class LogAdminServlet extends AdminServlet { + } catch (IllegalArgumentException e) { + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_SIGNED_AUDIT, ++ ++ audit(new 
ConfigSignedAuditEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + } + + sendResponse(ERROR, +@@ -540,13 +531,11 @@ public class LogAdminServlet extends AdminServlet { + if (ILogEventListener.class.isAssignableFrom(newImpl) == false) { + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_SIGNED_AUDIT, ++ ++ audit(new ConfigSignedAuditEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + } + + sendResponse(ERROR, +@@ -557,13 +546,11 @@ public class LogAdminServlet extends AdminServlet { + } catch (NullPointerException e) { // unlikely, only if newImpl null. + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_SIGNED_AUDIT, ++ ++ audit(new ConfigSignedAuditEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + } + + sendResponse(ERROR, +@@ -584,13 +571,11 @@ public class LogAdminServlet extends AdminServlet { + + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_SIGNED_AUDIT, ++ ++ audit(new ConfigSignedAuditEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + } + + sendResponse(ERROR, +@@ -608,13 +593,11 @@ public class LogAdminServlet extends AdminServlet { + + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_SIGNED_AUDIT, ++ ++ audit(new ConfigSignedAuditEvent( + auditSubjectID, + ILogger.SUCCESS, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + } + + sendResponse(SUCCESS, null, 
params, resp); +@@ -632,14 +615,11 @@ public class LogAdminServlet extends AdminServlet { + // // rethrow the specific exception to be handled later + // throw eAudit1; + } catch (IOException eAudit2) { +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_SIGNED_AUDIT, ++ ++ audit(new ConfigSignedAuditEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + + // rethrow the specific exception to be handled later + throw eAudit2; +@@ -686,7 +666,7 @@ public class LogAdminServlet extends AdminServlet { + private synchronized void addLogInst(HttpServletRequest req, + HttpServletResponse resp, String scope) + throws ServletException, IOException, EBaseException { +- String auditMessage = null; ++ + String auditSubjectID = auditSubjectID(); + + // ensure that any low-level exceptions are reported +@@ -705,13 +685,11 @@ public class LogAdminServlet extends AdminServlet { + if (id == null) { + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_SIGNED_AUDIT, ++ ++ audit(new ConfigSignedAuditEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + } + + sendResponse(ERROR, +@@ -723,13 +701,11 @@ public class LogAdminServlet extends AdminServlet { + if (!isValidID(id)) { + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_SIGNED_AUDIT, ++ ++ audit(new ConfigSignedAuditEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + } + + sendResponse(ERROR, "Invalid ID '" + id + "'", +@@ -740,13 +716,11 @@ public class LogAdminServlet extends AdminServlet { + if (mSys.getLogInsts().containsKey(id)) { + // store a message in the signed audit log 
file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_SIGNED_AUDIT, ++ ++ audit(new ConfigSignedAuditEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + } + + sendResponse(ERROR, +@@ -762,13 +736,11 @@ public class LogAdminServlet extends AdminServlet { + if (implname == null) { + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_SIGNED_AUDIT, ++ ++ audit(new ConfigSignedAuditEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + } + + sendResponse(ERROR, +@@ -785,13 +757,11 @@ public class LogAdminServlet extends AdminServlet { + if (plugin == null) { + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_SIGNED_AUDIT, ++ ++ audit(new ConfigSignedAuditEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + } + + sendResponse( +@@ -845,13 +815,11 @@ public class LogAdminServlet extends AdminServlet { + + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_SIGNED_AUDIT, ++ ++ audit(new ConfigSignedAuditEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + } + + sendResponse(ERROR, +@@ -864,13 +832,11 @@ public class LogAdminServlet extends AdminServlet { + + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_SIGNED_AUDIT, ++ ++ audit(new ConfigSignedAuditEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); +- +- audit(auditMessage); ++ 
auditParams(req))); + } + + sendResponse(ERROR, +@@ -883,13 +849,11 @@ public class LogAdminServlet extends AdminServlet { + + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_SIGNED_AUDIT, ++ ++ audit(new ConfigSignedAuditEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + } + + sendResponse(ERROR, +@@ -908,13 +872,11 @@ public class LogAdminServlet extends AdminServlet { + + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_SIGNED_AUDIT, ++ ++ audit(new ConfigSignedAuditEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + } + + sendResponse(ERROR, e.toString(getLocale(req)), null, resp); +@@ -924,13 +886,11 @@ public class LogAdminServlet extends AdminServlet { + + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_SIGNED_AUDIT, ++ ++ audit(new ConfigSignedAuditEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + } + + sendResponse(ERROR, e.toString(), null, resp); +@@ -946,13 +906,11 @@ public class LogAdminServlet extends AdminServlet { + + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_SIGNED_AUDIT, ++ ++ audit(new ConfigSignedAuditEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + } + + sendResponse(ERROR, +@@ -970,13 +928,11 @@ public class LogAdminServlet extends AdminServlet { + + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { +- auditMessage = 
CMS.getLogMessage( +- AuditEvent.CONFIG_SIGNED_AUDIT, ++ ++ audit(new ConfigSignedAuditEvent( + auditSubjectID, + ILogger.SUCCESS, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + } + + sendResponse(SUCCESS, null, params, resp); +@@ -994,14 +950,11 @@ public class LogAdminServlet extends AdminServlet { + // // rethrow the specific exception to be handled later + // throw eAudit1; + } catch (IOException eAudit2) { +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_SIGNED_AUDIT, ++ ++ audit(new ConfigSignedAuditEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + + // rethrow the specific exception to be handled later + throw eAudit2; +@@ -1077,7 +1030,7 @@ public class LogAdminServlet extends AdminServlet { + private synchronized void delLogInst(HttpServletRequest req, + HttpServletResponse resp, String scope) + throws ServletException, IOException, EBaseException { +- String auditMessage = null; ++ + String auditSubjectID = auditSubjectID(); + + // ensure that any low-level exceptions are reported +@@ -1099,13 +1052,11 @@ public class LogAdminServlet extends AdminServlet { + + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_SIGNED_AUDIT, ++ ++ audit(new ConfigSignedAuditEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + } + + sendResponse(ERROR, +@@ -1118,13 +1069,11 @@ public class LogAdminServlet extends AdminServlet { + if (mSys.getLogInsts().containsKey(id) == false) { + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_SIGNED_AUDIT, ++ ++ audit(new ConfigSignedAuditEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); +- +- 
audit(auditMessage); ++ auditParams(req))); + } + + sendResponse(ERROR, +@@ -1154,13 +1103,11 @@ public class LogAdminServlet extends AdminServlet { + + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_SIGNED_AUDIT, ++ ++ audit(new ConfigSignedAuditEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + } + + sendResponse(ERROR, +@@ -1171,13 +1118,11 @@ public class LogAdminServlet extends AdminServlet { + + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_SIGNED_AUDIT, ++ ++ audit(new ConfigSignedAuditEvent( + auditSubjectID, + ILogger.SUCCESS, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + } + + sendResponse(SUCCESS, null, params, resp); +@@ -1195,14 +1140,11 @@ public class LogAdminServlet extends AdminServlet { + // // rethrow the specific exception to be handled later + // throw eAudit1; + } catch (IOException eAudit2) { +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_SIGNED_AUDIT, ++ ++ audit(new ConfigSignedAuditEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + + // rethrow the specific exception to be handled later + throw eAudit2; +@@ -1239,7 +1181,7 @@ public class LogAdminServlet extends AdminServlet { + private synchronized void delLogPlugin(HttpServletRequest req, + HttpServletResponse resp, String scope) + throws ServletException, IOException, EBaseException { +- String auditMessage = null; ++ + String auditSubjectID = auditSubjectID(); + + // ensure that any low-level exceptions are reported +@@ -1261,13 +1203,11 @@ public class LogAdminServlet extends AdminServlet { + + // store a message in the signed audit log file + if 
(logType.equals(SIGNED_AUDIT_LOG_TYPE)) { +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_SIGNED_AUDIT, ++ ++ audit(new ConfigSignedAuditEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + } + + sendResponse(ERROR, +@@ -1279,13 +1219,11 @@ public class LogAdminServlet extends AdminServlet { + if (mSys.getLogPlugins().containsKey(id) == false) { + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_SIGNED_AUDIT, ++ ++ audit(new ConfigSignedAuditEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + } + + sendResponse(ERROR, +@@ -1304,13 +1242,11 @@ public class LogAdminServlet extends AdminServlet { + if (getLogPluginName(log) == id) { + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_SIGNED_AUDIT, ++ ++ audit(new ConfigSignedAuditEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + } + + sendResponse(ERROR, +@@ -1335,13 +1271,11 @@ public class LogAdminServlet extends AdminServlet { + } catch (EBaseException e) { + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_SIGNED_AUDIT, ++ ++ audit(new ConfigSignedAuditEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + } + + sendResponse(ERROR, +@@ -1352,13 +1286,11 @@ public class LogAdminServlet extends AdminServlet { + + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_SIGNED_AUDIT, ++ ++ audit(new ConfigSignedAuditEvent( + auditSubjectID, + 
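Review bot: The in-use guard `if (getLogPluginName(log) == id)` on the context line above the rewritten audit call compares with `==`; `id` appears to be a `String` (it is used as a map key in `containsKey(id)` just above), so unless `getLogPluginName` happens to return the identical interned object the test is always false, a plugin still referenced by a log instance can be deleted, and the FAILURE audit event this hunk rewrites is never emitted. It should read `if (id.equals(getLogPluginName(log))) {`. This is pre-existing, but it is the very condition the audit event documents, so it is worth fixing while the block is being touched. The enclosing method starts and ends outside the hunk.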
ILogger.SUCCESS, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + } + + sendResponse(SUCCESS, null, params, resp); +@@ -1376,14 +1308,11 @@ public class LogAdminServlet extends AdminServlet { + // // rethrow the specific exception to be handled later + // throw eAudit1; + } catch (IOException eAudit2) { +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_SIGNED_AUDIT, ++ ++ audit(new ConfigSignedAuditEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + + // rethrow the specific exception to be handled later + throw eAudit2; +@@ -1468,13 +1397,11 @@ public class LogAdminServlet extends AdminServlet { + + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_SIGNED_AUDIT, ++ ++ audit(new ConfigSignedAuditEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + } + + sendResponse(ERROR, +@@ -1487,13 +1414,11 @@ public class LogAdminServlet extends AdminServlet { + if (!mSys.getLogInsts().containsKey(id)) { + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_SIGNED_AUDIT, ++ ++ audit(new ConfigSignedAuditEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + } + + sendResponse(ERROR, +@@ -1508,13 +1433,11 @@ public class LogAdminServlet extends AdminServlet { + if (implname == null) { + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_SIGNED_AUDIT, ++ ++ audit(new ConfigSignedAuditEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + } + + 
sendResponse(ERROR, +@@ -1530,13 +1453,11 @@ public class LogAdminServlet extends AdminServlet { + if (plugin == null) { + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_SIGNED_AUDIT, ++ ++ audit(new ConfigSignedAuditEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + } + + sendResponse( +@@ -1682,13 +1603,11 @@ public class LogAdminServlet extends AdminServlet { + // store a message in the signed audit log + // file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_SIGNED_AUDIT, ++ ++ audit(new ConfigSignedAuditEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + } + + sendResponse(ERROR, +@@ -1797,13 +1716,11 @@ public class LogAdminServlet extends AdminServlet { + + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_SIGNED_AUDIT, ++ ++ audit(new ConfigSignedAuditEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + } + + sendResponse(ERROR, +@@ -1848,13 +1765,11 @@ public class LogAdminServlet extends AdminServlet { + + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_SIGNED_AUDIT, ++ ++ audit(new ConfigSignedAuditEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + } + + sendResponse(ERROR, +@@ -1899,13 +1814,11 @@ public class LogAdminServlet extends AdminServlet { + + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_SIGNED_AUDIT, ++ ++ 
audit(new ConfigSignedAuditEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + } + + sendResponse(ERROR, +@@ -1958,13 +1871,11 @@ public class LogAdminServlet extends AdminServlet { + + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_SIGNED_AUDIT, ++ ++ audit(new ConfigSignedAuditEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + } + + sendResponse(ERROR, +@@ -2017,13 +1928,11 @@ public class LogAdminServlet extends AdminServlet { + + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_SIGNED_AUDIT, ++ ++ audit(new ConfigSignedAuditEvent( + auditSubjectID, + ILogger.SUCCESS, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + } + + sendResponse(RESTART, null, params, resp); +@@ -2063,13 +1972,11 @@ public class LogAdminServlet extends AdminServlet { + + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_SIGNED_AUDIT, ++ ++ audit(new ConfigSignedAuditEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + } + + // rethrow the specific exception to be handled later +@@ -2109,13 +2016,11 @@ public class LogAdminServlet extends AdminServlet { + + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_SIGNED_AUDIT, ++ ++ audit(new ConfigSignedAuditEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + } + + // rethrow the specific exception to be handled later +diff --git 
a/base/server/cms/src/org/dogtagpki/server/rest/AuditService.java b/base/server/cms/src/org/dogtagpki/server/rest/AuditService.java +index 2d5b371..7c29651 100644 +--- a/base/server/cms/src/org/dogtagpki/server/rest/AuditService.java ++++ b/base/server/cms/src/org/dogtagpki/server/rest/AuditService.java +@@ -49,11 +49,11 @@ import com.netscape.certsrv.base.IConfigStore; + import com.netscape.certsrv.base.PKIException; + import com.netscape.certsrv.base.ResourceNotFoundException; + import com.netscape.certsrv.logging.AuditConfig; +-import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.AuditFile; + import com.netscape.certsrv.logging.AuditFileCollection; + import com.netscape.certsrv.logging.AuditResource; + import com.netscape.certsrv.logging.ILogger; ++import com.netscape.certsrv.logging.event.ConfigSignedAuditEvent; + import com.netscape.cms.servlet.base.SubsystemService; + + /** +@@ -412,12 +412,9 @@ public class AuditService extends SubsystemService implements AuditResource { + */ + public void auditTPSConfigSignedAudit(String status, Map params) { + +- String msg = CMS.getLogMessage( +- AuditEvent.CONFIG_SIGNED_AUDIT, ++ auditor.log(new ConfigSignedAuditEvent( + servletRequest.getUserPrincipal().getName(), + status, +- auditor.getParamString(null, params)); +- auditor.log(msg); +- ++ auditor.getParamString(null, params))); + } + } +-- +1.8.3.1 + + +From 36a606e4b51de17c56da0f9ee4daab062ec4acf3 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Wed, 19 Apr 2017 23:23:39 +0200 +Subject: [PATCH 33/49] Added CertRequestProcessedEvent constructor for + X509CertImpl. + +A new CertRequestProcessedEvent constructor has been added to +encapsulate CERT_REQUEST_PROCESSED events that take an X509CertImpl +object. + +Copies of auditInfoCertValue() method in various classes have been +combined and moved into CertRequestProcessedEvent. 
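Review bot: `servletRequest.getUserPrincipal().getName()` in the rewritten `auditTPSConfigSignedAudit` still dereferences the principal without a null check; `getUserPrincipal()` returns null when the request carries no authenticated identity, and an NPE inside the audit helper aborts the caller with a server error while leaving no CONFIG_SIGNED_AUDIT record, depending on where the caller invokes it relative to the configuration change. Resolving the subject first, `Principal p = servletRequest.getUserPrincipal(); String subjectID = p == null ? ILogger.UNIDENTIFIED : p.getName();`, keeps the audit event from ever being lost; `ILogger` is already imported here (context line), but `UNIDENTIFIED` is not visible in the hunk, so confirm the constant the rest of the server uses for an unknown subject.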
+ +https://pagure.io/dogtagpki/issue/2636 + +Change-Id: Ie234bdb9f1b52399dad4bd1e20f57dcb99d86091 +--- + .../logging/event/CertRequestProcessedEvent.java | 71 ++++++++++++++++++++++ + .../netscape/cms/servlet/cert/CertProcessor.java | 5 +- + .../netscape/cms/servlet/cert/EnrollServlet.java | 61 +------------------ + .../cms/servlet/cert/RequestProcessor.java | 2 +- + .../cms/servlet/connector/ConnectorServlet.java | 65 ++------------------ + .../cms/servlet/processors/CAProcessor.java | 54 ---------------- + .../servlet/profile/ProfileSubmitCMCServlet.java | 64 ++----------------- + .../cms/servlet/request/ProcessCertReq.java | 56 +---------------- + 8 files changed, 91 insertions(+), 287 deletions(-) + +diff --git a/base/common/src/com/netscape/certsrv/logging/event/CertRequestProcessedEvent.java b/base/common/src/com/netscape/certsrv/logging/event/CertRequestProcessedEvent.java +index 1703f65..3e5041d 100644 +--- a/base/common/src/com/netscape/certsrv/logging/event/CertRequestProcessedEvent.java ++++ b/base/common/src/com/netscape/certsrv/logging/event/CertRequestProcessedEvent.java +@@ -17,7 +17,13 @@ + // --- END COPYRIGHT BLOCK --- + package com.netscape.certsrv.logging.event; + ++import java.security.cert.CertificateEncodingException; ++ + import com.netscape.certsrv.logging.AuditEvent; ++import com.netscape.certsrv.logging.ILogger; ++import com.netscape.cmsutil.util.Utils; ++ ++import netscape.security.x509.X509CertImpl; + + public class CertRequestProcessedEvent extends AuditEvent { + +@@ -40,4 +46,69 @@ public class CertRequestProcessedEvent extends AuditEvent { + infoValue + }); + } ++ ++ public CertRequestProcessedEvent( ++ String subjectID, ++ String outcome, ++ String requesterID, ++ String infoName, ++ X509CertImpl x509cert) { ++ ++ super(CERT_REQUEST_PROCESSED); ++ ++ setParameters(new Object[] { ++ subjectID, ++ outcome, ++ requesterID, ++ infoName, ++ auditInfoCertValue(x509cert) ++ }); ++ } ++ ++ /** ++ * Signed Audit Log Info Certificate Value ++ 
* ++ * This method is called to obtain the certificate from the passed in ++ * "X509CertImpl" for a signed audit log message. ++ *

    ++ * ++ * @param x509cert an X509CertImpl ++ * @return cert string containing the certificate ++ */ ++ public static String auditInfoCertValue(X509CertImpl x509cert) { ++ ++ if (x509cert == null) { ++ return ILogger.SIGNED_AUDIT_EMPTY_VALUE; ++ } ++ ++ byte rawData[] = null; ++ ++ try { ++ rawData = x509cert.getEncoded(); ++ } catch (CertificateEncodingException e) { ++ return ILogger.SIGNED_AUDIT_EMPTY_VALUE; ++ } ++ ++ String cert = null; ++ ++ // convert "rawData" into "base64Data" ++ if (rawData != null) { ++ String base64Data = Utils.base64encode(rawData).trim(); ++ ++ // concatenate lines ++ cert = base64Data.replace("\r", "").replace("\n", ""); ++ } ++ ++ if (cert != null) { ++ cert = cert.trim(); ++ ++ if (cert.equals("")) { ++ return ILogger.SIGNED_AUDIT_EMPTY_VALUE; ++ } else { ++ return cert; ++ } ++ } else { ++ return ILogger.SIGNED_AUDIT_EMPTY_VALUE; ++ } ++ } + } +diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java +index 2a60cb0..d25d817 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java +@@ -246,8 +246,9 @@ public class CertProcessor extends CAProcessor { + req.setRequestStatus(RequestStatus.COMPLETE); + + X509CertImpl x509cert = req.getExtDataInCert(IEnrollProfile.REQUEST_ISSUED_CERT); +- String auditInfoCertValue = auditInfoCertValue(x509cert); ++ String auditInfoCertValue = CertRequestProcessedEvent.auditInfoCertValue(x509cert); + ++ // TODO: simplify this condition + if (auditInfoCertValue != null) { + if (!(auditInfoCertValue.equals( + ILogger.SIGNED_AUDIT_EMPTY_VALUE))) { +@@ -257,7 +258,7 @@ public class CertProcessor extends CAProcessor { + ILogger.SUCCESS, + auditRequesterID, + ILogger.SIGNED_AUDIT_ACCEPTANCE, +- auditInfoCertValue)); ++ x509cert)); + } + } + } catch (EDeferException e) { +diff --git 
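Review bot: In the new static `auditInfoCertValue`, a `CertificateEncodingException` is swallowed and mapped to `SIGNED_AUDIT_EMPTY_VALUE`, so a certificate that cannot be re-encoded yields an audit record indistinguishable from one where no certificate existed and nothing records why; the cause should at least be logged before returning (`CMS` is not imported in this common-package class, only `ILogger`, so use whatever logging facility this package has). The trailing `rawData != null` / `cert != null` / second `trim()` chain is dead once `getEncoded()` has returned: assuming `Utils.base64encode` never returns null, `base64encode(rawData).trim().replace("\r", "").replace("\n", "")` is non-null and already trimmed, so the body reduces to that expression plus an `isEmpty()` fallback. A Javadoc line saying the value is the full DER certificate, base64 on one line, would also help readers of the audit log format.

```java
public static String auditInfoCertValue(X509CertImpl x509cert) {
    if (x509cert == null) {
        return ILogger.SIGNED_AUDIT_EMPTY_VALUE;
    }
    byte[] rawData;
    try {
        rawData = x509cert.getEncoded();
    } catch (CertificateEncodingException e) {
        // TODO: log the cause; an empty audit value silently hides an encoding failure
        return ILogger.SIGNED_AUDIT_EMPTY_VALUE;
    }
    // full DER certificate, base64, collapsed onto one line for the audit record
    String cert = Utils.base64encode(rawData).trim().replace("\r", "").replace("\n", "");
    return cert.isEmpty() ? ILogger.SIGNED_AUDIT_EMPTY_VALUE : cert;
}
```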
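Review bot: The new code encodes the certificate twice: `CertRequestProcessedEvent.auditInfoCertValue(x509cert)` is computed only to compare against `SIGNED_AUDIT_EMPTY_VALUE`, and the `X509CertImpl` constructor then re-encodes the same object. More importantly, the gate means a completed request whose certificate fails to encode produces no CERT_REQUEST_PROCESSED event at all, which for a signed audit trail is worse than an event carrying the empty value; the `// TODO: simplify this condition` could be resolved by dropping the check and calling `audit(new CertRequestProcessedEvent(auditSubjectID, ILogger.SUCCESS, auditRequesterID, ILogger.SIGNED_AUDIT_ACCEPTANCE, x509cert));` unconditionally, after confirming against the audit event specification that an empty certificate value is acceptable on a SUCCESS record. The enclosing method starts and ends outside the hunk.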
a/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollServlet.java b/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollServlet.java +index cb2b76f..43df5b6 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollServlet.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollServlet.java +@@ -19,7 +19,6 @@ package com.netscape.cms.servlet.cert; + + import java.io.IOException; + import java.math.BigInteger; +-import java.security.cert.CertificateEncodingException; + import java.security.cert.CertificateException; + import java.security.cert.CertificateParsingException; + import java.security.cert.X509Certificate; +@@ -69,7 +68,6 @@ import com.netscape.cms.servlet.processors.CRMFProcessor; + import com.netscape.cms.servlet.processors.KeyGenProcessor; + import com.netscape.cms.servlet.processors.PKCS10Processor; + import com.netscape.cms.servlet.processors.PKIProcessor; +-import com.netscape.cmsutil.util.Utils; + + import netscape.security.pkcs.PKCS10; + import netscape.security.x509.AlgorithmId; +@@ -1374,7 +1372,7 @@ public class EnrollServlet extends CMSServlet { + ILogger.SUCCESS, + auditRequesterID, + ILogger.SIGNED_AUDIT_ACCEPTANCE, +- auditInfoCertValue(issuedCerts[i]))); ++ issuedCerts[i])); + } + } catch (IOException ex) { + cmsReq.setStatus(ICMSRequest.ERROR); +@@ -1455,7 +1453,7 @@ public class EnrollServlet extends CMSServlet { + ILogger.SUCCESS, + auditRequesterID, + ILogger.SIGNED_AUDIT_ACCEPTANCE, +- auditInfoCertValue(issuedCerts[i]))); ++ issuedCerts[i])); + } + + return; +@@ -1475,7 +1473,7 @@ public class EnrollServlet extends CMSServlet { + ILogger.SUCCESS, + auditRequesterID, + ILogger.SIGNED_AUDIT_ACCEPTANCE, +- auditInfoCertValue(issuedCerts[i]))); ++ issuedCerts[i])); + } + } catch (IOException e) { + log(ILogger.LL_FAILURE, +@@ -1674,57 +1672,4 @@ public class EnrollServlet extends CMSServlet { + throws EBaseException { + mIsTestBed = config.getBoolean("isTestBed", true); + } +- +- /** +- * Signed Audit Log 
Info Certificate Value +- * +- * This method is called to obtain the certificate from the passed in +- * "X509CertImpl" for a signed audit log message. +- *

    +- * +- * @param x509cert an X509CertImpl +- * @return cert string containing the certificate +- */ +- private String auditInfoCertValue(X509CertImpl x509cert) { +- // if no signed audit object exists, bail +- if (mSignedAuditLogger == null) { +- return null; +- } +- +- if (x509cert == null) { +- return ILogger.SIGNED_AUDIT_EMPTY_VALUE; +- } +- +- byte rawData[] = null; +- +- try { +- rawData = x509cert.getEncoded(); +- } catch (CertificateEncodingException e) { +- return ILogger.SIGNED_AUDIT_EMPTY_VALUE; +- } +- +- String cert = null; +- +- // convert "rawData" into "base64Data" +- if (rawData != null) { +- String base64Data = null; +- +- base64Data = Utils.base64encode(rawData).trim(); +- +- // concatenate lines +- cert = base64Data.replace("\r", "").replace("\n", ""); +- } +- +- if (cert != null) { +- cert = cert.trim(); +- +- if (cert.equals("")) { +- return ILogger.SIGNED_AUDIT_EMPTY_VALUE; +- } else { +- return cert; +- } +- } else { +- return ILogger.SIGNED_AUDIT_EMPTY_VALUE; +- } +- } + } +diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/RequestProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/cert/RequestProcessor.java +index 66fe58c..b66aec2 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/cert/RequestProcessor.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/cert/RequestProcessor.java +@@ -392,7 +392,7 @@ public class RequestProcessor extends CertProcessor { + ILogger.SUCCESS, + auditRequesterID, + ILogger.SIGNED_AUDIT_ACCEPTANCE, +- auditInfoCertValue(theCert))); ++ theCert)); + + } catch (EProfileException eAudit1) { + +diff --git a/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java b/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java +index ee60187..b5ccdd2 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java +@@ -25,7 +25,6 @@ 
import java.io.InputStreamReader; + import java.io.OutputStream; + import java.io.OutputStreamWriter; + import java.security.cert.Certificate; +-import java.security.cert.CertificateEncodingException; + import java.security.cert.CertificateException; + import java.security.cert.X509Certificate; + import java.util.Enumeration; +@@ -62,7 +61,6 @@ import com.netscape.certsrv.request.RequestId; + import com.netscape.certsrv.request.RequestStatus; + import com.netscape.cms.servlet.base.CMSServlet; + import com.netscape.cms.servlet.common.CMSRequest; +-import com.netscape.cmsutil.util.Utils; + + import netscape.security.x509.CRLExtensions; + import netscape.security.x509.CRLReasonExtension; +@@ -622,8 +620,9 @@ public class ConnectorServlet extends CMSServlet { + if (isProfileRequest(thisreq)) { + + X509CertImpl x509cert = thisreq.getExtDataInCert(IEnrollProfile.REQUEST_ISSUED_CERT); +- String auditInfoCertValue = auditInfoCertValue(x509cert); ++ String auditInfoCertValue = CertRequestProcessedEvent.auditInfoCertValue(x509cert); + ++ // TODO: simplify this condition + if (auditInfoCertValue != null) { + if (!(auditInfoCertValue.equals( + ILogger.SIGNED_AUDIT_EMPTY_VALUE))) { +@@ -633,7 +632,7 @@ public class ConnectorServlet extends CMSServlet { + ILogger.SUCCESS, + auditRequesterID, + ILogger.SIGNED_AUDIT_ACCEPTANCE, +- auditInfoCertValue)); ++ x509cert)); + } + } + } +@@ -641,8 +640,9 @@ public class ConnectorServlet extends CMSServlet { + if (isProfileRequest(thisreq)) { + + X509CertImpl x509cert = thisreq.getExtDataInCert(IEnrollProfile.REQUEST_ISSUED_CERT); +- String auditInfoCertValue = auditInfoCertValue(x509cert); ++ String auditInfoCertValue = CertRequestProcessedEvent.auditInfoCertValue(x509cert); + ++ // TODO: simplify this condition + if (auditInfoCertValue != null) { + if (!(auditInfoCertValue.equals( + ILogger.SIGNED_AUDIT_EMPTY_VALUE))) { +@@ -652,7 +652,7 @@ public class ConnectorServlet extends CMSServlet { + ILogger.FAILURE, + auditRequesterID, + 
ILogger.SIGNED_AUDIT_ACCEPTANCE, +- auditInfoCertValue)); ++ x509cert)); + } + } + } +@@ -1054,57 +1054,4 @@ public class ConnectorServlet extends CMSServlet { + + return profileID; + } +- +- /** +- * Signed Audit Log Info Certificate Value +- * +- * This method is called to obtain the certificate from the passed in +- * "X509CertImpl" for a signed audit log message. +- *

    +- * +- * @param x509cert an X509CertImpl +- * @return cert string containing the certificate +- */ +- private String auditInfoCertValue(X509CertImpl x509cert) { +- // if no signed audit object exists, bail +- if (mSignedAuditLogger == null) { +- return null; +- } +- +- if (x509cert == null) { +- return ILogger.SIGNED_AUDIT_EMPTY_VALUE; +- } +- +- byte rawData[] = null; +- +- try { +- rawData = x509cert.getEncoded(); +- } catch (CertificateEncodingException e) { +- return ILogger.SIGNED_AUDIT_EMPTY_VALUE; +- } +- +- String cert = null; +- +- // convert "rawData" into "base64Data" +- if (rawData != null) { +- String base64Data = null; +- +- base64Data = Utils.base64encode(rawData).trim(); +- +- // concatenate lines +- cert = base64Data.replace("\r", "").replace("\n", ""); +- } +- +- if (cert != null) { +- cert = cert.trim(); +- +- if (cert.equals("")) { +- return ILogger.SIGNED_AUDIT_EMPTY_VALUE; +- } else { +- return cert; +- } +- } else { +- return ILogger.SIGNED_AUDIT_EMPTY_VALUE; +- } +- } + } +diff --git a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java +index 74f501f..25f7bb3 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java +@@ -71,7 +71,6 @@ import com.netscape.certsrv.util.IStatsSubsystem; + import com.netscape.cms.servlet.common.AuthCredentials; + import com.netscape.cms.servlet.common.CMSGateway; + import com.netscape.cms.servlet.common.ServletUtils; +-import com.netscape.cmsutil.util.Utils; + + import netscape.security.x509.X509CertImpl; + +@@ -1040,59 +1039,6 @@ public class CAProcessor extends Processor { + } + + /** +- * Signed Audit Log Info Certificate Value +- * +- * This method is called to obtain the certificate from the passed in +- * "X509CertImpl" for a signed audit log message. +- *

    +- * +- * @param x509cert an X509CertImpl +- * @return cert string containing the certificate +- */ +- protected String auditInfoCertValue(X509CertImpl x509cert) { +- // if no signed audit object exists, bail +- if (signedAuditLogger == null) { +- return null; +- } +- +- if (x509cert == null) { +- return ILogger.SIGNED_AUDIT_EMPTY_VALUE; +- } +- +- byte rawData[] = null; +- +- try { +- rawData = x509cert.getEncoded(); +- } catch (CertificateEncodingException e) { +- return ILogger.SIGNED_AUDIT_EMPTY_VALUE; +- } +- +- String cert = null; +- +- // convert "rawData" into "base64Data" +- if (rawData != null) { +- String base64Data = null; +- +- base64Data = Utils.base64encode(rawData).trim(); +- +- // concatenate lines +- cert = base64Data.replace("\r", "").replace("\n", ""); +- } +- +- if (cert != null) { +- cert = cert.trim(); +- +- if (cert.equals("")) { +- return ILogger.SIGNED_AUDIT_EMPTY_VALUE; +- } else { +- return cert; +- } +- } else { +- return ILogger.SIGNED_AUDIT_EMPTY_VALUE; +- } +- } +- +- /** + * Signed Audit Groups + * + * This method is called to extract all "groups" associated +diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java +index 28f777b..26ca2a4 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java +@@ -19,7 +19,6 @@ package com.netscape.cms.servlet.profile; + + import java.io.InputStream; + import java.io.OutputStream; +-import java.security.cert.CertificateEncodingException; + import java.util.Enumeration; + import java.util.Locale; + +@@ -671,8 +670,9 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { + reqs[k].setRequestStatus(RequestStatus.COMPLETE); + + X509CertImpl x509cert = reqs[k].getExtDataInCert(IEnrollProfile.REQUEST_ISSUED_CERT); +- String auditInfoCertValue = 
auditInfoCertValue(x509cert); ++ String auditInfoCertValue = CertRequestProcessedEvent.auditInfoCertValue(x509cert); + ++ // TODO: simplify this condition + if (auditInfoCertValue != null) { + if (!(auditInfoCertValue.equals( + ILogger.SIGNED_AUDIT_EMPTY_VALUE))) { +@@ -682,7 +682,7 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { + ILogger.SUCCESS, + auditRequesterID, + ILogger.SIGNED_AUDIT_ACCEPTANCE, +- auditInfoCertValue)); ++ x509cert)); + } + } + } catch (EDeferException e) { +@@ -768,8 +768,9 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { + CMS.debug("ProfileSubmitCMCServlet: provedReq set to complete"); + + X509CertImpl x509cert = reqs[0].getExtDataInCert(IEnrollProfile.REQUEST_ISSUED_CERT); +- String auditInfoCertValue = auditInfoCertValue(x509cert); ++ String auditInfoCertValue = CertRequestProcessedEvent.auditInfoCertValue(x509cert); + ++ // TODO: simplify this condition + if (auditInfoCertValue != null) { + if (!(auditInfoCertValue.equals( + ILogger.SIGNED_AUDIT_EMPTY_VALUE))) { +@@ -779,7 +780,7 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { + ILogger.SUCCESS, + auditRequesterID, + ILogger.SIGNED_AUDIT_ACCEPTANCE, +- auditInfoCertValue)); ++ x509cert)); + } + } + } catch (ERejectException e) { +@@ -875,57 +876,4 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { + + return requesterID; + } +- +- /** +- * Signed Audit Log Info Certificate Value +- * +- * This method is called to obtain the certificate from the passed in +- * "X509CertImpl" for a signed audit log message. +- *

    +- * +- * @param x509cert an X509CertImpl +- * @return cert string containing the certificate +- */ +- private String auditInfoCertValue(X509CertImpl x509cert) { +- // if no signed audit object exists, bail +- if (mSignedAuditLogger == null) { +- return null; +- } +- +- if (x509cert == null) { +- return ILogger.SIGNED_AUDIT_EMPTY_VALUE; +- } +- +- byte rawData[] = null; +- +- try { +- rawData = x509cert.getEncoded(); +- } catch (CertificateEncodingException e) { +- return ILogger.SIGNED_AUDIT_EMPTY_VALUE; +- } +- +- String cert = null; +- +- // convert "rawData" into "base64Data" +- if (rawData != null) { +- String base64Data = null; +- +- base64Data = Utils.base64encode(rawData).trim(); +- +- // concatenate lines +- cert = base64Data.replace("\r", "").replace("\n", ""); +- } +- +- if (cert != null) { +- cert = cert.trim(); +- +- if (cert.equals("")) { +- return ILogger.SIGNED_AUDIT_EMPTY_VALUE; +- } else { +- return cert; +- } +- } else { +- return ILogger.SIGNED_AUDIT_EMPTY_VALUE; +- } +- } + } +diff --git a/base/server/cms/src/com/netscape/cms/servlet/request/ProcessCertReq.java b/base/server/cms/src/com/netscape/cms/servlet/request/ProcessCertReq.java +index 2bcc8ad..c229263 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/request/ProcessCertReq.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/request/ProcessCertReq.java +@@ -21,7 +21,6 @@ import java.io.IOException; + import java.math.BigInteger; + import java.security.NoSuchAlgorithmException; + import java.security.cert.Certificate; +-import java.security.cert.CertificateEncodingException; + import java.security.cert.CertificateException; + import java.util.Date; + import java.util.Enumeration; +@@ -935,7 +934,7 @@ public class ProcessCertReq extends CMSServlet { + ILogger.SUCCESS, + auditRequesterID, + auditInfoName, +- auditInfoCertValue(issuedCerts[i]))); ++ issuedCerts[i])); + } + header.addStringValue( + "serialNumber", sbuf.toString()); +@@ -1757,59 +1756,6 @@ public class 
ProcessCertReq extends CMSServlet { + + return infoName; + } +- +- /** +- * Signed Audit Log Info Certificate Value +- * +- * This method is called to obtain the certificate from the passed in +- * "X509CertImpl" for a signed audit log message. +- *

    +- * +- * @param x509cert an X509CertImpl +- * @return cert string containing the certificate +- */ +- private String auditInfoCertValue(X509CertImpl x509cert) { +- // if no signed audit object exists, bail +- if (mSignedAuditLogger == null) { +- return null; +- } +- +- if (x509cert == null) { +- return ILogger.SIGNED_AUDIT_EMPTY_VALUE; +- } +- +- byte rawData[] = null; +- +- try { +- rawData = x509cert.getEncoded(); +- } catch (CertificateEncodingException e) { +- return ILogger.SIGNED_AUDIT_EMPTY_VALUE; +- } +- +- String cert = null; +- +- // convert "rawData" into "base64Data" +- if (rawData != null) { +- String base64Data = null; +- +- base64Data = Utils.base64encode(rawData).trim(); +- +- // concatenate lines +- cert = base64Data.replace("\r", "").replace("\n", ""); +- } +- +- if (cert != null) { +- cert = cert.trim(); +- +- if (cert.equals("")) { +- return ILogger.SIGNED_AUDIT_EMPTY_VALUE; +- } else { +- return cert; +- } +- } else { +- return ILogger.SIGNED_AUDIT_EMPTY_VALUE; +- } +- } + } + + class RAReqCompletedFiller extends ImportCertsTemplateFiller { +-- +1.8.3.1 + + +From 6f457f2c5e0df576f067b46a78b481eb5dc197e8 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Fri, 14 Apr 2017 01:46:36 +0200 +Subject: [PATCH 34/49] Added CertRequestProcessedEvent constructor for + IRequest. + +A new CertRequestProcessedEvent constructor has been added to +encapsulate CERT_REQUEST_PROCESSED events that takes an IRequest +object. + +The auditInfoValue() method in CAProcessor has been moved into +CertRequestProcessedEvent. 
+ +https://pagure.io/dogtagpki/issue/2636 + +Change-Id: I892f1476835b45910fdc3e64bd9f6fc9e2f016fb +--- + .../logging/event/CertRequestProcessedEvent.java | 53 ++++++++++++++++++++++ + .../cms/servlet/cert/RequestProcessor.java | 7 +-- + .../cms/servlet/processors/CAProcessor.java | 39 ---------------- + 3 files changed, 55 insertions(+), 44 deletions(-) + +diff --git a/base/common/src/com/netscape/certsrv/logging/event/CertRequestProcessedEvent.java b/base/common/src/com/netscape/certsrv/logging/event/CertRequestProcessedEvent.java +index 3e5041d..777434b 100644 +--- a/base/common/src/com/netscape/certsrv/logging/event/CertRequestProcessedEvent.java ++++ b/base/common/src/com/netscape/certsrv/logging/event/CertRequestProcessedEvent.java +@@ -21,6 +21,7 @@ import java.security.cert.CertificateEncodingException; + + import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.ILogger; ++import com.netscape.certsrv.request.IRequest; + import com.netscape.cmsutil.util.Utils; + + import netscape.security.x509.X509CertImpl; +@@ -29,6 +30,8 @@ public class CertRequestProcessedEvent extends AuditEvent { + + private static final long serialVersionUID = 1L; + ++ public final static String SIGNED_AUDIT_CERT_REQUEST_REASON = "requestNotes"; ++ + public CertRequestProcessedEvent( + String subjectID, + String outcome, +@@ -65,6 +68,24 @@ public class CertRequestProcessedEvent extends AuditEvent { + }); + } + ++ public CertRequestProcessedEvent( ++ String subjectID, ++ String outcome, ++ String requesterID, ++ String infoName, ++ IRequest request) { ++ ++ super(CERT_REQUEST_PROCESSED); ++ ++ setParameters(new Object[] { ++ subjectID, ++ outcome, ++ requesterID, ++ infoName, ++ auditInfoValue(request) ++ }); ++ } ++ + /** + * Signed Audit Log Info Certificate Value + * +@@ -111,4 +132,36 @@ public class CertRequestProcessedEvent extends AuditEvent { + return ILogger.SIGNED_AUDIT_EMPTY_VALUE; + } + } ++ ++ /** ++ * Signed Audit Log Info Value ++ * ++ * This 
method is called to obtain the "reason" for ++ * a signed audit log message. ++ *

    ++ * ++ * @param request the actual request ++ * @return reason string containing the signed audit log message reason ++ */ ++ String auditInfoValue(IRequest request) { ++ ++ String reason = ILogger.SIGNED_AUDIT_EMPTY_VALUE; ++ ++ if (request != null) { ++ // overwrite "reason" if and only if "info" != null ++ String info = ++ request.getExtDataInString(SIGNED_AUDIT_CERT_REQUEST_REASON); ++ ++ if (info != null) { ++ reason = info.trim(); ++ ++ // overwrite "reason" if and only if "reason" is empty ++ if (reason.equals("")) { ++ reason = ILogger.SIGNED_AUDIT_EMPTY_VALUE; ++ } ++ } ++ } ++ ++ return reason; ++ } + } +diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/RequestProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/cert/RequestProcessor.java +index b66aec2..4494d2c 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/cert/RequestProcessor.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/cert/RequestProcessor.java +@@ -277,8 +277,6 @@ public class RequestProcessor extends CertProcessor { + private void cancelRequest(IRequest req) throws EProfileException { + String auditSubjectID = auditSubjectID(); + String auditRequesterID = auditRequesterID(req); +- String auditInfoValue = auditInfoValue(req); +- + req.setRequestStatus(RequestStatus.CANCELED); + + audit(new CertRequestProcessedEvent( +@@ -286,7 +284,7 @@ public class RequestProcessor extends CertProcessor { + ILogger.SUCCESS, + auditRequesterID, + ILogger.SIGNED_AUDIT_CANCELLATION, +- auditInfoValue)); ++ req)); + } + + /** +@@ -308,7 +306,6 @@ public class RequestProcessor extends CertProcessor { + private void rejectRequest(IRequest req) throws EProfileException { + String auditSubjectID = auditSubjectID(); + String auditRequesterID = auditRequesterID(req); +- String auditInfoValue = auditInfoValue(req); + + req.setRequestStatus(RequestStatus.REJECTED); + +@@ -317,7 +314,7 @@ public class RequestProcessor extends CertProcessor { + ILogger.SUCCESS, + 
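Review bot: The moved `auditInfoValue(IRequest)` trims the `requestNotes` value but does not remove line breaks, unlike `auditInfoCertValue()` in the same class, which strips `\r` and `\n` before the value reaches the signed audit event; a note containing a newline is therefore written into the audit parameter verbatim, which breaks line-oriented parsing and verification of the audit log. Normalising it the same way, e.g. `reason = info.replace("\r", " ").replace("\n", " ").trim();`, keeps the two helpers consistent. The method is also package-private and non-static while `auditInfoCertValue()` is `public static`; since it reads no instance state it could use the same signature. Separately, if the class still has a constructor whose last parameter is a `String`, a caller passing a literal `null` as the fifth argument now gets an ambiguous-overload compile error; that constructor's last parameter is not visible in this hunk.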
auditRequesterID, + ILogger.SIGNED_AUDIT_REJECTION, +- auditInfoValue)); ++ req)); + } + + /** +diff --git a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java +index 25f7bb3..bc5b9b5 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java +@@ -120,9 +120,6 @@ public class CAProcessor extends Processor { + public static final String ACL_INFO = "ACLinfo"; + public static final String PROFILE_SUB_ID = "profileSubId"; + +- public final static String SIGNED_AUDIT_CERT_REQUEST_REASON = +- "requestNotes"; +- + protected String profileID; + protected String profileSubId; + protected String aclMethod; +@@ -1003,42 +1000,6 @@ public class CAProcessor extends Processor { + } + + /** +- * Signed Audit Log Info Value +- * +- * This method is called to obtain the "reason" for +- * a signed audit log message. +- *

    +- * +- * @param request the actual request +- * @return reason string containing the signed audit log message reason +- */ +- protected String auditInfoValue(IRequest request) { +- // if no signed audit object exists, bail +- if (signedAuditLogger == null) { +- return null; +- } +- +- String reason = ILogger.SIGNED_AUDIT_EMPTY_VALUE; +- +- if (request != null) { +- // overwrite "reason" if and only if "info" != null +- String info = +- request.getExtDataInString(SIGNED_AUDIT_CERT_REQUEST_REASON); +- +- if (info != null) { +- reason = info.trim(); +- +- // overwrite "reason" if and only if "reason" is empty +- if (reason.equals("")) { +- reason = ILogger.SIGNED_AUDIT_EMPTY_VALUE; +- } +- } +- } +- +- return reason; +- } +- +- /** + * Signed Audit Groups + * + * This method is called to extract all "groups" associated +-- +1.8.3.1 + + +From 8caedd6723f4885d4aff2348aa3d9fc850627aa1 Mon Sep 17 00:00:00 2001 +From: Fraser Tweedale +Date: Tue, 7 Feb 2017 17:27:06 +1000 +Subject: [PATCH 35/49] LDAPProfileSubsystem: avoid duplicating logic in + superclass + +Part of: https://fedorahosted.org/pki/ticket/2588 + +Change-Id: I1ac9a3d89c93832ef6b6b48b89138495ef4892fb +--- + .../cmscore/profile/AbstractProfileSubsystem.java | 7 +++- + .../cmscore/profile/LDAPProfileSubsystem.java | 43 ++++------------------ + 2 files changed, 13 insertions(+), 37 deletions(-) + +diff --git a/base/server/cmscore/src/com/netscape/cmscore/profile/AbstractProfileSubsystem.java b/base/server/cmscore/src/com/netscape/cmscore/profile/AbstractProfileSubsystem.java +index 116b8e2..2a209ad 100644 +--- a/base/server/cmscore/src/com/netscape/cmscore/profile/AbstractProfileSubsystem.java ++++ b/base/server/cmscore/src/com/netscape/cmscore/profile/AbstractProfileSubsystem.java +@@ -121,7 +121,7 @@ public abstract class AbstractProfileSubsystem implements IProfileSubsystem { + /** + * Commits a profile. 
+ */ +- public void commitProfile(String id) ++ public synchronized void commitProfile(String id) + throws EProfileException { + IConfigStore cs = mProfiles.get(id).getConfigStore(); + +@@ -157,6 +157,11 @@ public abstract class AbstractProfileSubsystem implements IProfileSubsystem { + + // finally commit the configStore + // ++ commitConfigStore(id, cs); ++ } ++ ++ protected void commitConfigStore(String id, IConfigStore cs) ++ throws EProfileException { + try { + cs.commit(false); + } catch (EBaseException e) { +diff --git a/base/server/cmscore/src/com/netscape/cmscore/profile/LDAPProfileSubsystem.java b/base/server/cmscore/src/com/netscape/cmscore/profile/LDAPProfileSubsystem.java +index fff8ead..bce675e 100644 +--- a/base/server/cmscore/src/com/netscape/cmscore/profile/LDAPProfileSubsystem.java ++++ b/base/server/cmscore/src/com/netscape/cmscore/profile/LDAPProfileSubsystem.java +@@ -303,43 +303,14 @@ public class LDAPProfileSubsystem + readProfile(entry); + } + ++ /** ++ * Commit the configStore and track the resulting ++ * entryUSN and (in case of add) the nsUniqueId ++ */ + @Override +- public synchronized void commitProfile(String id) throws EProfileException { +- LDAPConfigStore cs = (LDAPConfigStore) mProfiles.get(id).getConfigStore(); +- +- // first create a *new* profile object from the configStore +- // and initialise it with the updated configStore +- // +- IPluginRegistry registry = (IPluginRegistry) +- CMS.getSubsystem(CMS.SUBSYSTEM_REGISTRY); +- String classId = mProfileClassIds.get(id); +- IPluginInfo info = registry.getPluginInfo("profile", classId); +- String className = info.getClassName(); +- IProfile newProfile = null; +- try { +- newProfile = (IProfile) Class.forName(className).newInstance(); +- } catch (ClassNotFoundException | InstantiationException | IllegalAccessException e) { +- throw new EProfileException("Could not instantiate class '" +- + classId + "' for profile '" + id + "': " + e); +- } +- newProfile.setId(id); +- try { +- 
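Review bot: The new `commitConfigStore(String id, IConfigStore cs)` hook in AbstractProfileSubsystem is added without Javadoc, although it is an overridable extension point that LDAPProfileSubsystem overrides in the next file. A short contract comment would help: `/** Commits the profile's config store. Called last from commitProfile() while that method holds the subsystem monitor; subclasses may override to commit to a different backend. */`. Since `commitProfile` is now `synchronized`, overrides inherit the lock and should not re-synchronize on `this`.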
newProfile.init(this, cs); +- } catch (EBaseException e) { +- throw new EProfileException( +- "Failed to initialise profile '" + id + "': " + e); +- } +- +- // next replace the existing profile with the new profile; +- // this is to avoid any intermediate state where the profile +- // is not fully initialised with its inputs, outputs and +- // policy objects. +- // +- mProfiles.put(id, newProfile); +- +- // finally commit the configStore and track the resulting +- // entryUSN and (in case of add) the nsUniqueId +- // ++ protected void commitConfigStore(String id, IConfigStore configStore) ++ throws EProfileException { ++ LDAPConfigStore cs = (LDAPConfigStore) configStore; + try { + String[] attrs = {"entryUSN", "nsUniqueId"}; + LDAPEntry entry = cs.commitReturn(false, attrs); +-- +1.8.3.1 + + +From 6562b05a73090c0f7882a9684a8ceac2666e4401 Mon Sep 17 00:00:00 2001 +From: Fraser Tweedale +Date: Tue, 7 Feb 2017 17:39:33 +1000 +Subject: [PATCH 36/49] ISourceConfigStore: add clear() method to interface + +The SourceConfigStore load() method does not clear the config store, +but this might be necessary to avoid stale data if wanting to +perform a complete replacement of the data (e.g. reload from file). + +We should not change the behaviour of load() in case some code is +relying on the current behaviour, so add the clear() method to the +interface. 
+ +Part of: https://fedorahosted.org/pki/ticket/2588 + +Change-Id: Ia139a49f1a23c4f9410d7b94c9a4c8f14f29fe93 +--- + base/common/src/com/netscape/certsrv/base/ISourceConfigStore.java | 5 +++++ + .../cmscore/src/com/netscape/cmscore/base/PropConfigStore.java | 4 ++++ + 2 files changed, 9 insertions(+) + +diff --git a/base/common/src/com/netscape/certsrv/base/ISourceConfigStore.java b/base/common/src/com/netscape/certsrv/base/ISourceConfigStore.java +index 42637c2..8eb86c2 100644 +--- a/base/common/src/com/netscape/certsrv/base/ISourceConfigStore.java ++++ b/base/common/src/com/netscape/certsrv/base/ISourceConfigStore.java +@@ -63,6 +63,11 @@ public interface ISourceConfigStore extends Serializable { + public Enumeration keys(); + + /** ++ * Clear the config store. ++ */ ++ public void clear(); ++ ++ /** + * Reads a config store from an input stream. + * + * @param in input stream where the properties are located +diff --git a/base/server/cmscore/src/com/netscape/cmscore/base/PropConfigStore.java b/base/server/cmscore/src/com/netscape/cmscore/base/PropConfigStore.java +index cc16e24..acf2844 100644 +--- a/base/server/cmscore/src/com/netscape/cmscore/base/PropConfigStore.java ++++ b/base/server/cmscore/src/com/netscape/cmscore/base/PropConfigStore.java +@@ -223,6 +223,10 @@ public class PropConfigStore implements IConfigStore, Cloneable { + } + } + ++ public synchronized void clear() { ++ mSource.clear(); ++ } ++ + /** + * Reads a config store from an input stream. + * +-- +1.8.3.1 + + +From 62419afd831039e7487ba184c6bf8f876f4d21da Mon Sep 17 00:00:00 2001 +From: Fraser Tweedale +Date: Tue, 7 Feb 2017 21:12:08 +1000 +Subject: [PATCH 37/49] ProfileService: clear profile attributes when modifying + +When modifying a profile, attributes are not cleared. Attributes +that were removed in the updated profile configuration are not +actually removed. + +When updating a profile via PUT /ca/rest/profiles/{id}/raw, clear +the config store before loading the new configuration. 
+ +Fixes: https://fedorahosted.org/pki/ticket/2588 +Change-Id: I4988315c57bb5d5a44deb04d41603adb39780f19 +--- + base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java b/base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java +index be61892..8666b9c 100644 +--- a/base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java ++++ b/base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java +@@ -718,6 +718,7 @@ public class ProfileService extends SubsystemService implements ProfileResource + } + + // no error thrown, so commit updated profile config ++ profile.getConfigStore().clear(); + profile.getConfigStore().load(new ByteArrayInputStream(data)); + ps.disableProfile(profileId); + ps.commitProfile(profileId); +-- +1.8.3.1 + + +From da624993c302a81a11f37f984d75c37a467dc5e5 Mon Sep 17 00:00:00 2001 +From: Fraser Tweedale +Date: Thu, 6 Apr 2017 16:07:07 +1000 +Subject: [PATCH 38/49] KRA: do not accumulate recovered keys in token + +When using token-based unwrapping of archived keys, the key is being +stored in the token. We do not want to accumulate the keys here; +make them temporary. 
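Review bot: `profile.getConfigStore().clear()` followed by `load(new ByteArrayInputStream(data))` is not atomic: if `load()` throws on malformed request data, the live profile's in-memory config store has already been emptied and nothing restores it, so a bad PUT can leave the profile with no attributes until it is re-PUT or the server restarts. Parsing `data` into a fresh store first (or keeping a copy of the current store to restore on failure) and only then clearing and loading would keep the failure side-effect-free; which helper is available for that is not visible in this hunk. The enclosing method starts outside the hunk.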
+ +Part of: https://pagure.io/dogtagpki/issue/2610 + +Change-Id: Ic12a4db7238512b4fec5d6fdb023b20195c2d438 +--- + base/kra/src/com/netscape/kra/RecoveryService.java | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/base/kra/src/com/netscape/kra/RecoveryService.java b/base/kra/src/com/netscape/kra/RecoveryService.java +index fda5b80..5609b19 100644 +--- a/base/kra/src/com/netscape/kra/RecoveryService.java ++++ b/base/kra/src/com/netscape/kra/RecoveryService.java +@@ -416,7 +416,7 @@ public class RecoveryService implements IService { + privKey = mStorageUnit.unwrap( + keyRecord.getPrivateKeyData(), + pubkey, +- false, ++ true /* temporary */, + keyRecord.getWrappingParams(mKRA.getStorageKeyUnit().getOldWrappingParams())); + } catch (Exception e) { + mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_PRIVATE_KEY_NOT_FOUND")); +-- +1.8.3.1 + + +From 3cc50b49e2a18344937702bd1b170b9faf738845 Mon Sep 17 00:00:00 2001 +From: Ade Lee +Date: Thu, 27 Apr 2017 11:10:36 -0400 +Subject: [PATCH 39/49] Modify the key client to default to 3DES + +When no algorithm OID is provided, we used to default to 3DES. +We need to continue to do this to not break IPA. 
+ +Change-Id: I620c3d7cec71be1a529056acc6bf3940e25f2f9d +--- + base/common/python/pki/key.py | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/base/common/python/pki/key.py b/base/common/python/pki/key.py +index e782d54..9313b0e 100644 +--- a/base/common/python/pki/key.py ++++ b/base/common/python/pki/key.py +@@ -514,7 +514,7 @@ class KeyClient(object): + pki.util.read_environment_files() + client_keyset = os.getenv('KEY_WRAP_PARAMETER_SET') + if client_keyset is not None: +- return client_keyset ++ return int(client_keyset) + return 0 + + def get_server_keyset(self): +@@ -795,7 +795,7 @@ class KeyClient(object): + data_type, + encrypted_data, + wrapped_session_key, +- algorithm_oid=None, ++ algorithm_oid=self.encrypt_alg_oid, + nonce_iv=nonce_iv, + key_algorithm=key_algorithm, + key_size=key_size, +@@ -850,8 +850,10 @@ class KeyClient(object): + raise TypeError('Missing wrapped session key') + + if not algorithm_oid: +- algorithm_oid = pki.crypto.AES_128_CBC_OID +- # algorithm_oid = KeyClient.DES_EDE3_CBC_OID ++ # legacy apps like IPA call this directly without ++ # setting the algorithm_oid. 
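Review bot: `return int(client_keyset)` raises a bare `ValueError` when `KEY_WRAP_PARAMETER_SET` holds a non-numeric value, and the traceback will not say which setting is at fault. Since the value comes from the environment files read just above, validate it before converting, e.g. `if not client_keyset.strip().isdigit(): raise ValueError('Invalid KEY_WRAP_PARAMETER_SET: %r' % client_keyset)`, or catch the `ValueError` and re-raise it with the variable name. The enclosing method starts outside the hunk.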
We need to keep DES ++ # for backward compatibility ++ algorithm_oid = pki.crypto.DES_EDE3_CBC_OID + + if not nonce_iv: + raise TypeError('Missing nonce IV') +-- +1.8.3.1 + + +From b93cec621203c6fb970b57ef042636ba2f9efa3d Mon Sep 17 00:00:00 2001 +From: Fraser Tweedale +Date: Thu, 27 Apr 2017 16:01:39 +1000 +Subject: [PATCH 41/49] Add upgrade script that adds KRA wrapping params + +Part of: https://pagure.io/dogtagpki/issue/1408 + +Change-Id: Iaa1c2c3b6f7de178bd38c2b5b8df57a2a99f64b1 +--- + base/server/upgrade/10.4.2/02-AddKRAWrappingParams | 78 ++++++++++++++++++++++ + 1 file changed, 78 insertions(+) + create mode 100755 base/server/upgrade/10.4.2/02-AddKRAWrappingParams + +diff --git a/base/server/upgrade/10.4.2/02-AddKRAWrappingParams b/base/server/upgrade/10.4.2/02-AddKRAWrappingParams +new file mode 100755 +index 0000000..c95b844 +--- /dev/null ++++ b/base/server/upgrade/10.4.2/02-AddKRAWrappingParams +@@ -0,0 +1,78 @@ ++#!/usr/bin/python ++# Authors: ++# Fraser Tweedale ++# ++# This program is free software; you can redistribute it and/or modify ++# it under the terms of the GNU General Public License as published by ++# the Free Software Foundation; version 2 of the License. ++# ++# This program is distributed in the hope that it will be useful, ++# but WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++# GNU General Public License for more details. ++# ++# You should have received a copy of the GNU General Public License along ++# with this program; if not, write to the Free Software Foundation, Inc., ++# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. ++# ++# Copyright (C) 2017 Red Hat, Inc. ++# All rights reserved. 
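Review bot: The fallback in the third hunk now silently selects `pki.crypto.DES_EDE3_CBC_OID` for every caller that omits `algorithm_oid`, reverting the AES default on the removed line; the justification (IPA compatibility) is in the comment, but nothing tells those callers they are on a legacy algorithm. Emitting `warnings.warn('algorithm_oid not given; defaulting to DES-EDE3-CBC for backward compatibility', stacklevel=2)` next to the assignment (with `import warnings` at the top of the file, outside this hunk) gives them a migration signal without changing behaviour. It would also help to state in the method's docstring, if it has one, that the default is 3DES-CBC and that new code should pass `pki.crypto.AES_128_CBC_OID` explicitly; the docstring would be outside the hunk.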
++ ++from __future__ import absolute_import ++import os.path ++ ++import pki ++from pki.server.upgrade import PKIServerUpgradeScriptlet ++ ++proplist = [ ++ ('kra.storageUnit.wrapping.0.sessionKeyLength', '168'), ++ ('kra.storageUnit.wrapping.0.sessionKeyWrapAlgorithm', 'RSA'), ++ ('kra.storageUnit.wrapping.0.payloadEncryptionPadding', 'PKCS5Padding'), ++ ('kra.storageUnit.wrapping.0.sessionKeyKeyGenAlgorithm', 'DESede'), ++ ('kra.storageUnit.wrapping.0.payloadEncryptionAlgorithm', 'DESede'), ++ ('kra.storageUnit.wrapping.0.payloadEncryptionMode', 'CBC'), ++ ('kra.storageUnit.wrapping.0.payloadEncryptionIV', 'AQEBAQEBAQE='), ++ ('kra.storageUnit.wrapping.0.payloadWrapAlgorithm', 'DES3/CBC/Pad'), ++ ('kra.storageUnit.wrapping.0.payloadWrapIV', 'AQEBAQEBAQE='), ++ ('kra.storageUnit.wrapping.0.sessionKeyType', 'DESede'), ++ ('kra.storageUnit.wrapping.1.sessionKeyLength', '128'), ++ ('kra.storageUnit.wrapping.1.sessionKeyWrapAlgorithm', 'RSA'), ++ ('kra.storageUnit.wrapping.1.payloadEncryptionPadding', 'PKCS5Padding'), ++ ('kra.storageUnit.wrapping.1.sessionKeyKeyGenAlgorithm', 'AES'), ++ ('kra.storageUnit.wrapping.1.payloadEncryptionAlgorithm', 'AES'), ++ ('kra.storageUnit.wrapping.1.payloadEncryptionMode', 'CBC'), ++ ('kra.storageUnit.wrapping.1.payloadEncryptionIVLen', '16'), ++ ('kra.storageUnit.wrapping.1.payloadWrapAlgorithm', 'AES KeyWrap/Padding'), ++ ('kra.storageUnit.wrapping.1.sessionKeyType', 'AES'), ++ ++ # this upgrade script adds the config, but uses the legacy ++ # configuration so that behaviour of deployed instance does ++ # not change ++ ('kra.storageUnit.wrapping.choice', '0'), ++] ++ ++ ++class AddKRAWrappingParams(PKIServerUpgradeScriptlet): ++ def __init__(self): ++ super(AddKRAWrappingParams, self).__init__() ++ self.message = 'Add wrapping params to KRA CS.cfg' ++ ++ def upgrade_subsystem(self, instance, subsystem): ++ if subsystem.name == 'kra': ++ self.upgrade_config(instance, subsystem) ++ ++ def upgrade_config(self, instance, subsystem): # 
pylint: disable=W0613 ++ filename = os.path.join(subsystem.conf_dir, 'CS.cfg') ++ self.backup(filename) ++ ++ properties = pki.PropertyFile(filename) ++ properties.read() ++ ++ # if the property exists, leave it alone, otherwise set ++ # it to the value defined above ++ for k, v in proplist: ++ cur = properties.get(k) ++ if cur is None: ++ properties.set(k, v) ++ ++ properties.write() +-- +1.8.3.1 + + +From 853220445eb0ce54b6ce241547891605329b7e3e Mon Sep 17 00:00:00 2001 +From: Ade Lee +Date: Fri, 28 Apr 2017 00:29:45 -0400 +Subject: [PATCH 42/49] Fix DES3 using python-cryptography provider + +Incorrect key size lead to errors when the client side +was set to use 3DES. Also deprecate not providing an +encryption algorithm OID explcitly in +archive_encrypted_data() + +Change-Id: I51e8ee2aed1d0cddd9d37d91a93c920be901fdb9 +--- + base/common/python/pki/crypto.py | 7 ++++++- + base/common/python/pki/key.py | 3 +++ + 2 files changed, 9 insertions(+), 1 deletion(-) + +diff --git a/base/common/python/pki/crypto.py b/base/common/python/pki/crypto.py +index 0891acd..7f03846 100644 +--- a/base/common/python/pki/crypto.py ++++ b/base/common/python/pki/crypto.py +@@ -389,9 +389,14 @@ class CryptographyCryptoProvider(CryptoProvider): + self.encrypt_mode = modes.CBC + self.encrypt_size = 128 + elif level == 0: ++ # note that 3DES keys are actually 192 bits long, even ++ # though only 168 bits are used internally. See ++ # https://tools.ietf.org/html/rfc4949 ++ # Using 168 here will cause python-cryptography key verification ++ # checks to fail. 
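Review bot: `proplist` pins a constant IV (`'AQEBAQEBAQE='`, eight 0x01 bytes) for both `payloadEncryptionIV` and `payloadWrapIV` under `wrapping.0`, and the script sets `kra.storageUnit.wrapping.choice` to `'0'`, so every upgraded KRA keeps the DESede/CBC scheme with a fixed IV while the AES entries under `wrapping.1` stay unused. The comment above the `choice` entry explains why the legacy value is kept but not what the operator should do next; I would extend it with `# choice 0 = legacy 3DES/CBC with a fixed IV; switch to 1 (AES) once all clients support it` so the trade-off is visible in the file. `upgrade_config` has no docstring and carries a `pylint: disable=W0613` for the unused `instance`; a one-line docstring such as `"""Add any missing wrapping params to the subsystem's CS.cfg, leaving existing values untouched."""` would document the only-add-if-absent behaviour the loop implements.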
+ self.encrypt_alg = algorithms.TripleDES + self.encrypt_mode = modes.CBC +- self.encrypt_size = 168 ++ self.encrypt_size = 192 + + def generate_nonce_iv(self, mechanism='AES'): + """ Create a random initialization vector """ +diff --git a/base/common/python/pki/key.py b/base/common/python/pki/key.py +index 9313b0e..d2b8297 100644 +--- a/base/common/python/pki/key.py ++++ b/base/common/python/pki/key.py +@@ -28,6 +28,7 @@ from __future__ import print_function + import base64 + import json + import os ++import warnings + + from six import iteritems + from six.moves.urllib.parse import quote # pylint: disable=F0401,E0611 +@@ -853,6 +854,8 @@ class KeyClient(object): + # legacy apps like IPA call this directly without + # setting the algorithm_oid. We need to keep DES + # for backward compatibility ++ warnings.warn("algorithm_oid=None is deprecated", ++ DeprecationWarning) + algorithm_oid = pki.crypto.DES_EDE3_CBC_OID + + if not nonce_iv: +-- +1.8.3.1 + + +From d98f20d33378a37898d4d6ffec80b09261504823 Mon Sep 17 00:00:00 2001 +From: Jack Magne +Date: Wed, 26 Apr 2017 15:21:39 -0700 +Subject: [PATCH 43/49] CA in the certificate profiles the startTime parameter + is not working as expected. + +This simple fix addresses an overflow in the "startTime" paramenter in 4 places in the code. I felt that honing in only on the startTime value was the best way to go. In some of the files other than ValidityDefault.java, there were possibly some values that could be changed from int to long. Due to the complexity of some of the calculations involved in some of those cases, it is best to fix the exact issue at hand instead of introducing some other possible side effects. 
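Review bot: `warnings.warn("algorithm_oid=None is deprecated", DeprecationWarning)` in the key.py `@@ -853` hunk has no `stacklevel`, so the warning is attributed to key.py itself rather than to the caller the comment names, and DeprecationWarning is suppressed by the default filters in Python 2.7 and 3.2+ (shown only from `__main__` since 3.7), so a library caller such as IPA is unlikely to see it at all. Use `warnings.warn("algorithm_oid=None is deprecated", DeprecationWarning, stacklevel=2)` so the location points at the caller, and consider also emitting a log line if this client already has a logger, which is not visible in the hunk. The enclosing method starts outside the hunk.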
+--- + .../src/com/netscape/cms/profile/def/CAValidityDefault.java | 12 ++++++------ + .../cms/profile/def/PrivateKeyUsagePeriodExtDefault.java | 4 ++-- + .../netscape/cms/profile/def/RandomizedValidityDefault.java | 2 +- + .../src/com/netscape/cms/profile/def/ValidityDefault.java | 10 +++++----- + 4 files changed, 14 insertions(+), 14 deletions(-) + +diff --git a/base/server/cms/src/com/netscape/cms/profile/def/CAValidityDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/CAValidityDefault.java +index 2df256e..2ecd484 100644 +--- a/base/server/cms/src/com/netscape/cms/profile/def/CAValidityDefault.java ++++ b/base/server/cms/src/com/netscape/cms/profile/def/CAValidityDefault.java +@@ -24,6 +24,11 @@ import java.util.Calendar; + import java.util.Date; + import java.util.Locale; + ++import netscape.security.x509.BasicConstraintsExtension; ++import netscape.security.x509.CertificateValidity; ++import netscape.security.x509.PKIXExtensions; ++import netscape.security.x509.X509CertInfo; ++ + import com.netscape.certsrv.apps.CMS; + import com.netscape.certsrv.base.IConfigStore; + import com.netscape.certsrv.ca.ICertificateAuthority; +@@ -34,11 +39,6 @@ import com.netscape.certsrv.property.EPropertyException; + import com.netscape.certsrv.property.IDescriptor; + import com.netscape.certsrv.request.IRequest; + +-import netscape.security.x509.BasicConstraintsExtension; +-import netscape.security.x509.CertificateValidity; +-import netscape.security.x509.PKIXExtensions; +-import netscape.security.x509.X509CertInfo; +- + /** + * This class implements a CA signing cert enrollment default policy + * that populates a server-side configurable validity +@@ -348,7 +348,7 @@ public class CAValidityDefault extends EnrollDefault { + if (startTimeStr == null || startTimeStr.equals("")) { + startTimeStr = "60"; + } +- int startTime = Integer.parseInt(startTimeStr); ++ long startTime = Long.parseLong(startTimeStr); + + Date notBefore = new Date(CMS.getCurrentDate().getTime() + 
(1000 * startTime)); + CMS.debug("CAValidityDefault: not before: " + notBefore); +diff --git a/base/server/cms/src/com/netscape/cms/profile/def/PrivateKeyUsagePeriodExtDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/PrivateKeyUsagePeriodExtDefault.java +index 6532a13..2f05f32 100644 +--- a/base/server/cms/src/com/netscape/cms/profile/def/PrivateKeyUsagePeriodExtDefault.java ++++ b/base/server/cms/src/com/netscape/cms/profile/def/PrivateKeyUsagePeriodExtDefault.java +@@ -296,13 +296,13 @@ public class PrivateKeyUsagePeriodExtDefault extends EnrollExtDefault { + if (startTimeStr == null || startTimeStr.equals("")) { + startTimeStr = "60"; + } +- int startTime = Integer.parseInt(startTimeStr); ++ long startTime = Long.parseLong(startTimeStr); + Date notBefore = new Date(CMS.getCurrentDate().getTime() + + (1000 * startTime)); + long notAfterVal = 0; + + notAfterVal = notBefore.getTime() + +- (mDefault * Integer.parseInt(getConfig(CONFIG_DURATION))); ++ (mDefault * Long.parseLong(getConfig(CONFIG_DURATION))); + Date notAfter = new Date(notAfterVal); + + ext = new PrivateKeyUsageExtension(notBefore, notAfter); +diff --git a/base/server/cms/src/com/netscape/cms/profile/def/RandomizedValidityDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/RandomizedValidityDefault.java +index 6308715..ce69c15 100644 +--- a/base/server/cms/src/com/netscape/cms/profile/def/RandomizedValidityDefault.java ++++ b/base/server/cms/src/com/netscape/cms/profile/def/RandomizedValidityDefault.java +@@ -290,7 +290,7 @@ public class RandomizedValidityDefault extends EnrollDefault { + if (startTimeStr == null || startTimeStr.equals("")) { + startTimeStr = "60"; + } +- int startTime = Integer.parseInt(startTimeStr); ++ long startTime = Long.parseLong(startTimeStr); + + String notBeforeRandomBitsStr = getConfig(CONFIG_NOT_BEFORE_RANDOM_BITS); + if (notBeforeRandomBitsStr == null || notBeforeRandomBitsStr.length() == 0) { +diff --git 
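Review bot: `long startTime = Long.parseLong(startTimeStr);` in CAValidityDefault (and the same change in PrivateKeyUsagePeriodExtDefault, RandomizedValidityDefault and ValidityDefault) fixes an overflow but leaves no comment saying so; the enclosing methods start outside the hunks. With an `int` startTime, `1000 * startTime` wraps past 2,147,483,647 ms once startTime exceeds roughly 2,147,483 seconds (~24.8 days), which could push `notBefore` into the past, so a line such as `// seconds; long so that 1000 * startTime cannot overflow int (limit was ~24.8 days)` above the parse would keep the next reader from reverting it. `Long.parseLong` still throws NumberFormatException on a malformed profile value exactly as `Integer.parseInt` did; whether that is caught further up is not visible here.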
a/base/server/cms/src/com/netscape/cms/profile/def/ValidityDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/ValidityDefault.java +index 21ec8ea..a74ccdf 100644 +--- a/base/server/cms/src/com/netscape/cms/profile/def/ValidityDefault.java ++++ b/base/server/cms/src/com/netscape/cms/profile/def/ValidityDefault.java +@@ -24,6 +24,10 @@ import java.util.Calendar; + import java.util.Date; + import java.util.Locale; + ++import netscape.security.x509.CertificateValidity; ++import netscape.security.x509.X509CertImpl; ++import netscape.security.x509.X509CertInfo; ++ + import com.netscape.certsrv.apps.CMS; + import com.netscape.certsrv.base.IConfigStore; + import com.netscape.certsrv.ca.ICertificateAuthority; +@@ -34,10 +38,6 @@ import com.netscape.certsrv.property.EPropertyException; + import com.netscape.certsrv.property.IDescriptor; + import com.netscape.certsrv.request.IRequest; + +-import netscape.security.x509.CertificateValidity; +-import netscape.security.x509.X509CertImpl; +-import netscape.security.x509.X509CertInfo; +- + /** + * This class implements an enrollment default policy + * that populates a server-side configurable validity +@@ -265,7 +265,7 @@ public class ValidityDefault extends EnrollDefault { + if (startTimeStr == null || startTimeStr.equals("")) { + startTimeStr = "60"; + } +- int startTime = Integer.parseInt(startTimeStr); ++ long startTime = Long.parseLong(startTimeStr); + + Date notBefore = new Date(CMS.getCurrentDate().getTime() + (1000 * startTime)); + CMS.debug("ValidityDefault: not before: " + notBefore); +-- +1.8.3.1 + + +From 9590944d5726ff32d94c6a2b2909175eae946466 Mon Sep 17 00:00:00 2001 +From: Ade Lee +Date: Fri, 28 Apr 2017 17:44:19 -0400 +Subject: [PATCH 44/49] Fix symkey retrieval using NSS python client + +This is tested using Barbican as a client. We are simply +reverting to the same behavior we had before for the +NSS Crypto provider case. 
+ +Change-Id: I11300b3bea5670c783e1b4736d98f35f30ecf2ce +--- + base/common/python/pki/crypto.py | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/base/common/python/pki/crypto.py b/base/common/python/pki/crypto.py +index 7f03846..edb32c0 100644 +--- a/base/common/python/pki/crypto.py ++++ b/base/common/python/pki/crypto.py +@@ -325,9 +325,17 @@ class NSSCryptoProvider(CryptoProvider): + :param nonce_iv Nonce data + :return: Unwrapped data + +- Return unwrapped data for data wrapped using AES KeyWrap ++ Return unwrapped data for data that has been keywrapped. ++ For NSS, we only support 3DES - so something that has been ++ keywrapped can be decrypted. This is precisely what we used ++ to do before. + """ +- raise NotImplementedError() ++ return self.symmetric_unwrap( ++ data, ++ wrapping_key, ++ mechanism=nss.CKM_DES3_CBC_PAD, ++ nonce_iv=nonce_iv ++ ) + + def get_cert(self, cert_nick): + """ +-- +1.8.3.1 + + +From 3ff9de6a517d7fdcdee6c4a8c884eff052f8f824 Mon Sep 17 00:00:00 2001 +From: Christina Fu +Date: Fri, 28 Apr 2017 17:55:17 -0700 +Subject: [PATCH 45/49] Ticket #2717 CMC user-signed enrollment request This + patch provides implementation that allows user-signed CMC requests to be + processed; The resulting certificate will bear the same subjectDN as that of + the signing cert; The new uri to access is + /ca/ee/ca/profileSubmitUserSignedCMCFull where the new profile is to be used: + caFullCMCUserSignedCert.cfg which utilizes the new authentication plugin: + CMCUserSignedAuth and new profile default plugin: + CMCUserSignedSubjectNameDefault and new profile constraint plugin: + CMCUserSignedSubjectNameConstraint + +--- + base/ca/shared/conf/CS.cfg | 6 +- + base/ca/shared/conf/registry.cfg | 10 +- + .../shared/profiles/ca/caFullCMCUserSignedCert.cfg | 83 ++ + base/ca/shared/webapps/ca/WEB-INF/web.xml | 28 + + .../certsrv/authentication/IAuthManager.java | 3 + + .../com/netscape/certsrv/logging/AuditEvent.java | 2 + + 
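Review bot: the `@@ -325` hunk hard-codes `mechanism=nss.CKM_DES3_CBC_PAD`, so this method unwraps with 3DES regardless of how the data was wrapped, and the method's name and signature are outside the hunk. The new docstring says NSS "only" supports 3DES, but the upgrade script earlier in this file adds an AES `wrapping.1` option on the KRA; if a caller uses this provider against a KRA configured with `wrapping.choice=1`, the unwrap presumably fails rather than falling back, which the docstring should state, e.g. `Only 3DES/CBC unwrap is supported here; payloads wrapped with the KRA's AES keyset (wrapping.choice=1) will not unwrap with this provider`. The removed `raise NotImplementedError()` made the gap explicit; the replacement should at least make it documented.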
.../src/com/netscape/cmstools/CRMFPopClient.java | 2 +- + .../cms/authentication/CMCUserSignedAuth.java | 1140 ++++++++++++++++++++ + .../netscape/cms/profile/common/BasicProfile.java | 28 +- + .../netscape/cms/profile/common/EnrollProfile.java | 426 +++++--- + .../CMCUserSignedSubjectNameConstraint.java | 141 +++ + .../def/CMCUserSignedSubjectNameDefault.java | 159 +++ + .../netscape/cms/profile/def/EnrollDefault.java | 5 +- + .../cms/profile/input/CMCCertReqInput.java | 21 +- + .../netscape/cms/profile/input/CertReqInput.java | 36 +- + .../servlet/profile/ProfileSubmitCMCServlet.java | 28 +- + base/server/cmsbundle/src/LogMessages.properties | 1 + + base/server/cmsbundle/src/UserMessages.properties | 2 + + 18 files changed, 1964 insertions(+), 157 deletions(-) + create mode 100644 base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg + create mode 100644 base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java + create mode 100644 base/server/cms/src/com/netscape/cms/profile/constraint/CMCUserSignedSubjectNameConstraint.java + create mode 100644 base/server/cms/src/com/netscape/cms/profile/def/CMCUserSignedSubjectNameDefault.java + +diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg +index 3923319..b29802c 100644 +--- a/base/ca/shared/conf/CS.cfg ++++ b/base/ca/shared/conf/CS.cfg +@@ -168,6 +168,7 @@ auths.impl._001=## authentication manager implementations + auths.impl._002=## + auths.impl.AgentCertAuth.class=com.netscape.cms.authentication.AgentCertAuthentication + auths.impl.CMCAuth.class=com.netscape.cms.authentication.CMCAuth ++auths.impl.CMCUserSignedAuth.class=com.netscape.cms.authentication.CMCUserSignedAuth + auths.impl.SSLclientCertAuth.class=com.netscape.cms.authentication.SSLclientCertAuthentication + auths.impl.UidPwdDirAuth.class=com.netscape.cms.authentication.UidPwdDirAuthentication + auths.impl.UidPwdPinDirAuth.class=com.netscape.cms.authentication.UidPwdPinDirAuthentication +@@ -734,6 +735,7 @@ 
ca.publish.rule.instance.LdapXCertRule.publisher=LdapCrossCertPairPublisher + ca.publish.rule.instance.LdapXCertRule.type=xcert + cmc.cert.confirmRequired=false + cmc.lraPopWitness.verify.allow=false ++cmc.popLinkWitnessRequired=false + cmc.revokeCert.verify=true + cmc.revokeCert.sharedSecret.class=com.netscape.cms.authentication.SharedSecret + cmc.sharedSecret.class=com.netscape.cms.authentication.SharedSecret +@@ -905,11 +907,11 @@ log.instance.SignedAudit._001=## Signed Audit Logging + log.instance.SignedAudit._002=## + log.instance.SignedAudit._003=## + log.instance.SignedAudit._004=## Available Audit events: +-log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
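Review bot: `cmc.popLinkWitnessRequired=false` is added to CS.cfg with no explanation, and a `false` default means the new user-signed CMC path accepts requests without a PoP link witness unless an administrator turns it on; the code that reads this key is in CMCUserSignedAuth.java, which is in the diffstat but not in view. A note in the file's `_NNN=##` comment style, e.g. `## cmc.popLinkWitnessRequired: set to true to require the CMC popLinkWitness control (RFC 5272) on user-signed requests`, would make the trade-off visible to operators. The adjacent `cmc.lraPopWitness.verify.allow=false` suggests the file already treats these witness checks as opt-in, so documenting the default is consistent with it.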
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED ++log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED + log.instance.SignedAudit._006=## + log.instance.SignedAudit.bufferSize=512 + log.instance.SignedAudit.enable=true +-log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED ++log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED + log.instance.SignedAudit.expirationTime=0 + log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_TYPE]/signedAudit/ca_audit + log.instance.SignedAudit.flushInterval=5 +diff --git a/base/ca/shared/conf/registry.cfg b/base/ca/shared/conf/registry.cfg +index 2855b7a..519d854 100644 +--- a/base/ca/shared/conf/registry.cfg ++++ b/base/ca/shared/conf/registry.cfg +@@ -1,5 +1,5 @@ + types=profile,defaultPolicy,constraintPolicy,profileInput,profileOutput,profileUpdater +-constraintPolicy.ids=noConstraintImpl,subjectNameConstraintImpl,uniqueSubjectNameConstraintImpl,userSubjectNameConstraintImpl,validityConstraintImpl,keyUsageExtConstraintImpl,nsCertTypeExtConstraintImpl,extendedKeyUsageExtConstraintImpl,keyConstraintImpl,basicConstraintsExtConstraintImpl,extensionConstraintImpl,signingAlgConstraintImpl,uniqueKeyConstraintImpl,renewGracePeriodConstraintImpl,authzRealmConstraintImpl,externalProcessConstraintImpl 
++constraintPolicy.ids=noConstraintImpl,subjectNameConstraintImpl,uniqueSubjectNameConstraintImpl,userSubjectNameConstraintImpl,cmcUserSignedSubjectNameConstraintImpl,validityConstraintImpl,keyUsageExtConstraintImpl,nsCertTypeExtConstraintImpl,extendedKeyUsageExtConstraintImpl,keyConstraintImpl,basicConstraintsExtConstraintImpl,extensionConstraintImpl,signingAlgConstraintImpl,uniqueKeyConstraintImpl,renewGracePeriodConstraintImpl,authzRealmConstraintImpl,externalProcessConstraintImpl + constraintPolicy.signingAlgConstraintImpl.class=com.netscape.cms.profile.constraint.SigningAlgConstraint + constraintPolicy.signingAlgConstraintImpl.desc=Signing Algorithm Constraint + constraintPolicy.signingAlgConstraintImpl.name=Signing Algorithm Constraint +@@ -36,6 +36,9 @@ constraintPolicy.uniqueSubjectNameConstraintImpl.name=Unique Subject Name Constr + constraintPolicy.userSubjectNameConstraintImpl.class=com.netscape.cms.profile.constraint.UserSubjectNameConstraint + constraintPolicy.userSubjectNameConstraintImpl.desc=User Subject Name Constraint + constraintPolicy.userSubjectNameConstraintImpl.name=User Subject Name Constraint ++constraintPolicy.cmcUserSignedSubjectNameConstraintImpl.class=com.netscape.cms.profile.constraint.CMCUserSignedSubjectNameConstraint ++constraintPolicy.cmcUserSignedSubjectNameConstraintImpl.desc=CMC User Subject Name Constraint ++constraintPolicy.cmcUserSignedSubjectNameConstraintImpl.name=CMC User Subject Name Constraint + constraintPolicy.validityConstraintImpl.class=com.netscape.cms.profile.constraint.ValidityConstraint + constraintPolicy.validityConstraintImpl.desc=Validity Constraint + constraintPolicy.validityConstraintImpl.name=Validity Constraint +@@ -48,7 +51,7 @@ constraintPolicy.uniqueKeyConstraintImpl.name=Unique Public Key Constraint + constraintPolicy.externalProcessConstraintImpl.class=com.netscape.cms.profile.constraint.ExternalProcessConstraint + constraintPolicy.externalProcessConstraintImpl.desc=External Process Constraint + 
constraintPolicy.externalProcessConstraintImpl.name=External Process Constraint +-defaultPolicy.ids=noDefaultImpl,genericExtDefaultImpl,autoAssignDefaultImpl,subjectNameDefaultImpl,validityDefaultImpl,randomizedValidityDefaultImpl,caValidityDefaultImpl,subjectKeyIdentifierExtDefaultImpl,authorityKeyIdentifierExtDefaultImpl,basicConstraintsExtDefaultImpl,keyUsageExtDefaultImpl,nsCertTypeExtDefaultImpl,extendedKeyUsageExtDefaultImpl,ocspNoCheckExtDefaultImpl,issuerAltNameExtDefaultImpl,subjectAltNameExtDefaultImpl,userSubjectNameDefaultImpl,signingAlgDefaultImpl,userKeyDefaultImpl,userValidityDefaultImpl,userExtensionDefaultImpl,userSigningAlgDefaultImpl,authTokenSubjectNameDefaultImpl,subjectInfoAccessExtDefaultImpl,authInfoAccessExtDefaultImpl,nscCommentExtDefaultImpl,freshestCRLExtDefaultImpl,crlDistributionPointsExtDefaultImpl,policyConstraintsExtDefaultImpl,policyMappingsExtDefaultImpl,nameConstraintsExtDefaultImpl,certificateVersionDefaultImpl,certificatePoliciesExtDefaultImpl,subjectDirAttributesExtDefaultImpl,privateKeyPeriodExtDefaultImpl,inhibitAnyPolicyExtDefaultImpl,imageDefaultImpl,nsTokenDeviceKeySubjectNameDefaultImpl,nsTokenUserKeySubjectNameDefaultImpl,authzRealmDefaultImpl,commonNameToSANDefaultImpl 
++defaultPolicy.ids=noDefaultImpl,genericExtDefaultImpl,autoAssignDefaultImpl,subjectNameDefaultImpl,validityDefaultImpl,randomizedValidityDefaultImpl,caValidityDefaultImpl,subjectKeyIdentifierExtDefaultImpl,authorityKeyIdentifierExtDefaultImpl,basicConstraintsExtDefaultImpl,keyUsageExtDefaultImpl,nsCertTypeExtDefaultImpl,extendedKeyUsageExtDefaultImpl,ocspNoCheckExtDefaultImpl,issuerAltNameExtDefaultImpl,subjectAltNameExtDefaultImpl,userSubjectNameDefaultImpl,cmcUserSignedSubjectNameDefaultImpl,signingAlgDefaultImpl,userKeyDefaultImpl,userValidityDefaultImpl,userExtensionDefaultImpl,userSigningAlgDefaultImpl,authTokenSubjectNameDefaultImpl,subjectInfoAccessExtDefaultImpl,authInfoAccessExtDefaultImpl,nscCommentExtDefaultImpl,freshestCRLExtDefaultImpl,crlDistributionPointsExtDefaultImpl,policyConstraintsExtDefaultImpl,policyMappingsExtDefaultImpl,nameConstraintsExtDefaultImpl,certificateVersionDefaultImpl,certificatePoliciesExtDefaultImpl,subjectDirAttributesExtDefaultImpl,privateKeyPeriodExtDefaultImpl,inhibitAnyPolicyExtDefaultImpl,imageDefaultImpl,nsTokenDeviceKeySubjectNameDefaultImpl,nsTokenUserKeySubjectNameDefaultImpl,authzRealmDefaultImpl,commonNameToSANDefaultImpl + defaultPolicy.autoAssignDefaultImpl.class=com.netscape.cms.profile.def.AutoAssignDefault + defaultPolicy.autoAssignDefaultImpl.desc=Auto Request Assignment Default + defaultPolicy.autoAssignDefaultImpl.name=Auto Request Assignment Default +@@ -67,6 +70,9 @@ defaultPolicy.authTokenSubjectNameDefaultImpl.name=Token Supplied Subject Name D + defaultPolicy.userSubjectNameDefaultImpl.class=com.netscape.cms.profile.def.UserSubjectNameDefault + defaultPolicy.userSubjectNameDefaultImpl.desc=User Supplied Subject Name Default + defaultPolicy.userSubjectNameDefaultImpl.name=User Supplied Subject Name Default ++defaultPolicy.cmcUserSignedSubjectNameDefaultImpl.class=com.netscape.cms.profile.def.CMCUserSignedSubjectNameDefault ++defaultPolicy.cmcUserSignedSubjectNameDefaultImpl.desc=CMC User Signed Subject 
Name Default ++defaultPolicy.cmcUserSignedSubjectNameDefaultImpl.name=CMC User Signed Subject Name Default + defaultPolicy.userKeyDefaultImpl.class=com.netscape.cms.profile.def.UserKeyDefault + defaultPolicy.userKeyDefaultImpl.desc=User Supplied Key Default + defaultPolicy.userKeyDefaultImpl.name=User Supplied Key Default +diff --git a/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg b/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg +new file mode 100644 +index 0000000..229a3cd +--- /dev/null ++++ b/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg +@@ -0,0 +1,83 @@ ++desc=This certificate profile is for enrolling user certificates by using the CMC certificate request with user CMC Signature authentication. ++enable=true ++enableBy=admin ++name=User-Signed CMC-Authenticated User Certificate Enrollment ++visible=false ++auth.instance_id=CMCUserSignedAuth ++input.list=i1,i2 ++input.i1.class_id=cmcCertReqInputImpl ++input.i2.class_id=submitterInfoInputImpl ++output.list=o1 ++output.o1.class_id=certOutputImpl ++policyset.list=cmcUserCertSet ++policyset.cmcUserCertSet.list=1,2,3,4,5,6,7,8 ++policyset.cmcUserCertSet.1.constraint.class_id=cmcUserSignedSubjectNameConstraintImpl ++policyset.cmcUserCertSet.1.constraint.name=CMC User Signed Subject Name Constraint ++policyset.cmcUserCertSet.1.default.class_id=cmcUserSignedSubjectNameDefaultImpl ++policyset.cmcUserCertSet.1.default.name=User Signed Subject Name Default ++policyset.cmcUserCertSet.1.default.params.name= ++policyset.cmcUserCertSet.2.constraint.class_id=validityConstraintImpl ++policyset.cmcUserCertSet.2.constraint.name=Validity Constraint ++policyset.cmcUserCertSet.2.constraint.params.notAfterCheck=false ++policyset.cmcUserCertSet.2.constraint.params.notBeforeCheck=false ++policyset.cmcUserCertSet.2.constraint.params.range=365 ++policyset.cmcUserCertSet.2.default.class_id=validityDefaultImpl ++policyset.cmcUserCertSet.2.default.name=Validity Default 
++policyset.cmcUserCertSet.2.default.params.range=180 ++policyset.cmcUserCertSet.2.default.params.startTime=0 ++policyset.cmcUserCertSet.3.constraint.class_id=keyConstraintImpl ++policyset.cmcUserCertSet.3.constraint.name=Key Constraint ++policyset.cmcUserCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp521 ++policyset.cmcUserCertSet.3.constraint.params.keyType=- ++policyset.cmcUserCertSet.3.default.class_id=userKeyDefaultImpl ++policyset.cmcUserCertSet.3.default.name=Key Default ++policyset.cmcUserCertSet.4.constraint.class_id=noConstraintImpl ++policyset.cmcUserCertSet.4.constraint.name=No Constraint ++policyset.cmcUserCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl ++policyset.cmcUserCertSet.4.default.name=Authority Key Identifier Default ++policyset.cmcUserCertSet.5.constraint.class_id=noConstraintImpl ++policyset.cmcUserCertSet.5.constraint.name=No Constraint ++policyset.cmcUserCertSet.5.default.class_id=authInfoAccessExtDefaultImpl ++policyset.cmcUserCertSet.5.default.name=AIA Extension Default ++policyset.cmcUserCertSet.5.default.params.authInfoAccessADEnable_0=true ++policyset.cmcUserCertSet.5.default.params.authInfoAccessADLocationType_0=URIName ++policyset.cmcUserCertSet.5.default.params.authInfoAccessADLocation_0= ++policyset.cmcUserCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1 ++policyset.cmcUserCertSet.5.default.params.authInfoAccessCritical=false ++policyset.cmcUserCertSet.5.default.params.authInfoAccessNumADs=1 ++policyset.cmcUserCertSet.6.constraint.class_id=keyUsageExtConstraintImpl ++policyset.cmcUserCertSet.6.constraint.name=Key Usage Extension Constraint ++policyset.cmcUserCertSet.6.constraint.params.keyUsageCritical=true ++policyset.cmcUserCertSet.6.constraint.params.keyUsageCrlSign=false ++policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=false ++policyset.cmcUserCertSet.6.constraint.params.keyUsageDecipherOnly=false 
++policyset.cmcUserCertSet.6.constraint.params.keyUsageDigitalSignature=true
++policyset.cmcUserCertSet.6.constraint.params.keyUsageEncipherOnly=false
++policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyAgreement=false
++policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyCertSign=false
++policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyEncipherment=true
++policyset.cmcUserCertSet.6.constraint.params.keyUsageNonRepudiation=true
++policyset.cmcUserCertSet.6.default.class_id=keyUsageExtDefaultImpl
++policyset.cmcUserCertSet.6.default.name=Key Usage Default
++policyset.cmcUserCertSet.6.default.params.keyUsageCritical=true
++policyset.cmcUserCertSet.6.default.params.keyUsageCrlSign=false
++policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=false
++policyset.cmcUserCertSet.6.default.params.keyUsageDecipherOnly=false
++policyset.cmcUserCertSet.6.default.params.keyUsageDigitalSignature=true
++policyset.cmcUserCertSet.6.default.params.keyUsageEncipherOnly=false
++policyset.cmcUserCertSet.6.default.params.keyUsageKeyAgreement=false
++policyset.cmcUserCertSet.6.default.params.keyUsageKeyCertSign=false
++policyset.cmcUserCertSet.6.default.params.keyUsageKeyEncipherment=true
++policyset.cmcUserCertSet.6.default.params.keyUsageNonRepudiation=true
++policyset.cmcUserCertSet.7.constraint.class_id=noConstraintImpl
++policyset.cmcUserCertSet.7.constraint.name=No Constraint
++policyset.cmcUserCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
++policyset.cmcUserCertSet.7.default.name=Extended Key Usage Extension Default
++policyset.cmcUserCertSet.7.default.params.exKeyUsageCritical=false
++policyset.cmcUserCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
++policyset.cmcUserCertSet.8.constraint.class_id=signingAlgConstraintImpl
++policyset.cmcUserCertSet.8.constraint.name=No Constraint
++policyset.cmcUserCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
++policyset.cmcUserCertSet.8.default.class_id=signingAlgDefaultImpl
++policyset.cmcUserCertSet.8.default.name=Signing Alg
++policyset.cmcUserCertSet.8.default.params.signingAlg=-
+diff --git a/base/ca/shared/webapps/ca/WEB-INF/web.xml b/base/ca/shared/webapps/ca/WEB-INF/web.xml
+index bf8aed4..dc61ab3 100644
+--- a/base/ca/shared/webapps/ca/WEB-INF/web.xml
++++ b/base/ca/shared/webapps/ca/WEB-INF/web.xml
+@@ -1553,6 +1553,29 @@
+
+
+
++ caProfileSubmitUserSignedCMCFull
++ com.netscape.cms.servlet.profile.ProfileSubmitCMCServlet
++ GetClientCert
++ false
++ cert_request_type
++ cmc
++ profileId
++ caFullCMCUserSignedCert
++ AuthzMgr
++ BasicAclAuthz
++ authorityId
++ ca
++ ID
++ caProfileSubmitUserSignedCMCFull
++ templatePath
++ /ee/ca/ProfileSubmit.template
++ resourceID
++ certServer.ee.profile
++ interface
++ ee
++
++
+
+ caProfileList
+ com.netscape.cms.servlet.profile.ProfileListServlet
+ GetClientCert
+@@ -2257,6 +2280,11 @@
+
+
+
++ caProfileSubmitUserSignedCMCFull
++ /ee/ca/profileSubmitUserSignedCMCFull
++
++
+
+ caProfileList
+ /ee/ca/profileList
+
+diff --git a/base/common/src/com/netscape/certsrv/authentication/IAuthManager.java b/base/common/src/com/netscape/certsrv/authentication/IAuthManager.java
+index f9eddbc..21639e2 100644
+--- a/base/common/src/com/netscape/certsrv/authentication/IAuthManager.java
++++ b/base/common/src/com/netscape/certsrv/authentication/IAuthManager.java
+@@ -31,6 +31,9 @@ public interface IAuthManager {
+ /* standard credential for client cert from ssl client auth */
+ public static final String CRED_SSL_CLIENT_CERT = "sslClientCert";
+
++ /* standard credential for CMC request signing cert */
++ public static final String CRED_CMC_SIGNING_CERT = "cmcSigningCert";
++
+ /**
+ * Standard credential for client cert's serial
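Review bot: The signing-algorithm constraint on the last policy item of the new caFullCMCUserSignedCert.cfg admits MD2withRSA, MD5withRSA, SHA1withRSA, SHA1withDSA and SHA1withEC, so a user-signed request can ask for a certificate signed with a broken or deprecated digest and still pass the profile. For a profile introduced by this patch the allow-list can be limited to the SHA-2 variants it already names: `policyset.cmcUserCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA384withRSA,SHA512withRSA,SHA256withEC,SHA384withEC,SHA512withEC`. The same item is labelled `policyset.cmcUserCertSet.8.constraint.name=No Constraint` although its class is signingAlgConstraintImpl; `Signing Algorithm Constraint` would describe what it enforces. The key constraint on item 3 likewise still lists `1024` in keyParameters, which is worth reconsidering for a new profile.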
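Review bot: The new caProfileSubmitUserSignedCMCFull servlet in the first web.xml hunk pairs `GetClientCert` with `false`, so the TLS client certificate is not collected at this endpoint and the requester's identity rests entirely on the CMC SignerInfo verification performed by the CMCUserSignedAuth instance the profile names. If that is the intended design for user-signed requests, a short comment beside the servlet definition saying so would keep a later maintainer from "fixing" it; if the HTTPS client certificate is meant to be checked against the CMC signer, the value should be `true`. The XML markup is lost in this rendering, so the init-param pairing is inferred from the order of the values.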
number from revocation.
+ */
+diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
+index 72c93f8..7a4aa9b 100644
+--- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
++++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
+@@ -145,6 +145,8 @@ public class AuditEvent implements IBundleLogEvent {
+ "LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE_3";
+ public final static String CMC_SIGNED_REQUEST_SIG_VERIFY =
+ "LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY_5";
++ public final static String CMC_USER_SIGNED_REQUEST_SIG_VERIFY =
++ "LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY_5";
+
+ public final static String COMPUTE_RANDOM_DATA_REQUEST =
+ "LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_2";
+diff --git a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
+index 0168503..d0e5c27 100644
+--- a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
++++ b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
+@@ -545,7 +545,7 @@ public class CRMFPopClient {
+ pop = client.createPop(algorithm, signature);
+ }
+
+- if (verbose) System.out.println("Creating CRMF requrest");
++ if (verbose) System.out.println("Creating CRMF request");
+ String request = client.createCRMFRequest(certRequest, pop);
+
+ StringWriter sw = new StringWriter();
+diff --git a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java
+new file mode 100644
+index 0000000..a72ce58
+--- /dev/null
++++ b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java
+@@ -0,0 +1,1140 @@
++// --- BEGIN COPYRIGHT BLOCK ---
++// This program is free software; you can redistribute it and/or modify
++// it under the terms of the GNU General Public License as published by
++//
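Review bot: The comment on the new constant in the IAuthManager hunk, `/* standard credential for CMC request signing cert */`, suggests the token carries the certificate, but the only writer of this key in the patch, CMCUserSignedAuth.verifySignerInfo, stores `certSerial.toString()` — the signer certificate's serial number as a decimal string. Naming the stored form avoids consumers casting the value to a certificate type: `/* standard credential for CMC request signing cert: the signing cert's serial number, as a decimal string */`. The neighbouring CRED_SSL_CLIENT_CERT comment does not say what it holds either, so this is also a chance to be explicit where the new code establishes the contract.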
the Free Software Foundation; version 2 of the License.
++//
++// This program is distributed in the hope that it will be useful,
++// but WITHOUT ANY WARRANTY; without even the implied warranty of
++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++// GNU General Public License for more details.
++//
++// You should have received a copy of the GNU General Public License along
++// with this program; if not, write to the Free Software Foundation, Inc.,
++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
++//
++// (C) 2007 Red Hat, Inc.
++// All rights reserved.
++// --- END COPYRIGHT BLOCK ---
++// package statement //
++///////////////////////
++
++package com.netscape.cms.authentication;
++
++///////////////////////
++// import statements //
++///////////////////////
++
++/* cert server imports */
++import java.io.ByteArrayInputStream;
++import java.io.ByteArrayOutputStream;
++import java.io.IOException;
++import java.math.BigInteger;
++import java.security.MessageDigest;
++import java.security.PublicKey;
++import java.util.Enumeration;
++import java.util.Hashtable;
++import java.util.Locale;
++import java.util.Vector;
++
++import org.mozilla.jss.CryptoManager;
++import org.mozilla.jss.CryptoManager.NotInitializedException;
++import org.mozilla.jss.asn1.ASN1Util;
++import org.mozilla.jss.asn1.INTEGER;
++import org.mozilla.jss.asn1.InvalidBERException;
++import org.mozilla.jss.asn1.OBJECT_IDENTIFIER;
++import org.mozilla.jss.asn1.OCTET_STRING;
++import org.mozilla.jss.asn1.SEQUENCE;
++import org.mozilla.jss.asn1.SET;
++import org.mozilla.jss.crypto.CryptoToken;
++import org.mozilla.jss.crypto.DigestAlgorithm;
++import org.mozilla.jss.crypto.PrivateKey;
++import org.mozilla.jss.pkcs10.CertificationRequest;
++import org.mozilla.jss.pkcs11.PK11ECPublicKey;
++import org.mozilla.jss.pkcs11.PK11PubKey;
++import org.mozilla.jss.pkix.cert.Certificate;
++import org.mozilla.jss.pkix.cert.CertificateInfo;
++import
org.mozilla.jss.pkix.cmc.PKIData;
++import org.mozilla.jss.pkix.cmc.TaggedAttribute;
++import org.mozilla.jss.pkix.cmc.TaggedCertificationRequest;
++import org.mozilla.jss.pkix.cmc.TaggedRequest;
++import org.mozilla.jss.pkix.cms.EncapsulatedContentInfo;
++import org.mozilla.jss.pkix.cms.IssuerAndSerialNumber;
++import org.mozilla.jss.pkix.cms.SignedData;
++import org.mozilla.jss.pkix.cms.SignerIdentifier;
++import org.mozilla.jss.pkix.crmf.CertReqMsg;
++import org.mozilla.jss.pkix.crmf.CertRequest;
++import org.mozilla.jss.pkix.crmf.CertTemplate;
++import org.mozilla.jss.pkix.primitive.AlgorithmIdentifier;
++import org.mozilla.jss.pkix.primitive.Name;
++
++import com.netscape.certsrv.apps.CMS;
++import com.netscape.certsrv.authentication.AuthToken;
++import com.netscape.certsrv.authentication.EInvalidCredentials;
++import com.netscape.certsrv.authentication.EMissingCredential;
++import com.netscape.certsrv.authentication.IAuthCredentials;
++import com.netscape.certsrv.authentication.IAuthManager;
++import com.netscape.certsrv.authentication.IAuthToken;
++import com.netscape.certsrv.base.EBaseException;
++import com.netscape.certsrv.base.IConfigStore;
++import com.netscape.certsrv.base.IExtendedPluginInfo;
++import com.netscape.certsrv.base.SessionContext;
++import com.netscape.certsrv.logging.AuditEvent;
++import com.netscape.certsrv.logging.ILogger;
++import com.netscape.certsrv.profile.EProfileException;
++import com.netscape.certsrv.profile.IProfile;
++import com.netscape.certsrv.profile.IProfileAuthenticator;
++import com.netscape.certsrv.property.Descriptor;
++import com.netscape.certsrv.property.IDescriptor;
++import com.netscape.certsrv.request.IRequest;
++import com.netscape.cmsutil.crypto.CryptoUtil;
++import com.netscape.cmsutil.util.Utils;
++
++import netscape.security.pkcs.PKCS10;
++import netscape.security.x509.X500Name;
++import netscape.security.x509.X509CertImpl;
++import netscape.security.x509.X509CertInfo;
++import netscape.security.x509.X509Key;
++
++//import com.netscape.cmscore.util.*;
++//////////////////////
++// class definition //
++//////////////////////
++
++/**
++ * User Signed CMC authentication plug-in
++ * note:
++ * - this version differs from CMCAuth in that it allows non-agent users
++ * to sign own cmc requests; It is expected to be used with
++ * CMCUserSignedSubjectNameDefault and CMCUserSignedSubjectNameConstraint
++ * so that the resulting cert will bear the same subjectDN of that of the CMC
++ * signing cert
++ * - it originates from CMCAuth with modification for user-signed cmc
++ * @author cfu - user signed cmc authentication
++ *

    ++ * ++ * @version $Revision$, $Date$ ++ */ ++public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, ++ IProfileAuthenticator { ++ ++ //////////////////////// ++ // default parameters // ++ //////////////////////// ++ ++ ///////////////////////////// ++ // IAuthManager parameters // ++ ///////////////////////////// ++ ++ /* authentication plug-in configuration store */ ++ private IConfigStore mConfig; ++ private static final String HEADER = "-----BEGIN NEW CERTIFICATE REQUEST-----"; ++ private static final String TRAILER = "-----END NEW CERTIFICATE REQUEST-----"; ++ public static final String TOKEN_CERT_SERIAL = "certSerialToRevoke"; ++ public static final String REASON_CODE = "reasonCode"; ++ /* authentication plug-in name */ ++ private String mImplName = null; ++ ++ /* authentication plug-in instance name */ ++ private String mName = null; ++ ++ /* authentication plug-in fields */ ++ ++ /* Holds authentication plug-in fields accepted by this implementation. ++ * This list is passed to the configuration console so configuration ++ * for instances of this implementation can be configured through the ++ * console. ++ */ ++ protected static String[] mConfigParams = ++ new String[] {}; ++ ++ /* authentication plug-in values */ ++ ++ /* authentication plug-in properties */ ++ ++ /* required credentials to authenticate. UID and CMC are strings. 
*/ ++ public static final String CRED_CMC = "cmcRequest"; ++ ++ protected static String[] mRequiredCreds = {}; ++ ++ //////////////////////////////////// ++ // IExtendedPluginInfo parameters // ++ //////////////////////////////////// ++ ++ /* Vector of extendedPluginInfo strings */ ++ protected static Vector mExtendedPluginInfo = null; ++ //public static final String AGENT_AUTHMGR_ID = "agentAuthMgr"; ++ //public static final String AGENT_PLUGIN_ID = "agentAuthPlugin"; ++ ++ /* actual help messages */ ++ static { ++ mExtendedPluginInfo = new Vector(); ++ ++ mExtendedPluginInfo ++ .add(IExtendedPluginInfo.HELP_TEXT + ++ ";Authenticate the CMC request. The \"Authentication Instance ID\" must be named \"CMCUserSignedAuth\""); ++ mExtendedPluginInfo.add(IExtendedPluginInfo.HELP_TOKEN + ++ ";configuration-authentication"); ++ } ++ ++ /////////////////////// ++ // Logger parameters // ++ /////////////////////// ++ ++ /* the system's logger */ ++ private ILogger mLogger = CMS.getLogger(); ++ ++ /* signed audit parameters */ ++ private ILogger mSignedAuditLogger = CMS.getSignedAuditLogger(); ++ private final static String SIGNED_AUDIT_ENROLLMENT_REQUEST_TYPE = ++ "enrollment"; ++ private final static String SIGNED_AUDIT_REVOCATION_REQUEST_TYPE = ++ "revocation"; ++ ++ ///////////////////// ++ // default methods // ++ ///////////////////// ++ ++ /** ++ * Default constructor, initialization must follow. ++ */ ++ public CMCUserSignedAuth() { ++ } ++ ++ ////////////////////////// ++ // IAuthManager methods // ++ ////////////////////////// ++ ++ /** ++ * Initializes the CMCUserSignedAuth authentication plug-in. ++ *

    ++ * ++ * @param name The name for this authentication plug-in instance. ++ * @param implName The name of the authentication plug-in. ++ * @param config - The configuration store for this instance. ++ * @exception EBaseException If an error occurs during initialization. ++ */ ++ public void init(String name, String implName, IConfigStore config) ++ throws EBaseException { ++ mName = name; ++ mImplName = implName; ++ mConfig = config; ++ ++ log(ILogger.LL_INFO, "Initialization complete!"); ++ } ++ ++ /** ++ * Authenticates user by their CMC; ++ * resulting AuthToken sets a TOKEN_SUBJECT for the subject name. ++ *

    ++ * ++ *

      ++ *
    • signed.audit LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY used when CMC (user-pre-signed) cert ++ * requests or revocation requests are submitted and signature is verified ++ *
    ++ * ++ * @param authCred Authentication credentials, CRED_UID and CRED_CMC. ++ * @return an AuthToken ++ * @exception com.netscape.certsrv.authentication.EMissingCredential ++ * If a required authentication credential is missing. ++ * @exception com.netscape.certsrv.authentication.EInvalidCredentials ++ * If credentials failed authentication. ++ * @exception com.netscape.certsrv.base.EBaseException ++ * If an internal error occurred. ++ * @see com.netscape.certsrv.authentication.AuthToken ++ */ ++ public IAuthToken authenticate(IAuthCredentials authCred) throws EMissingCredential, EInvalidCredentials, ++ EBaseException { ++ String method = "CMCUserSignedAuth: authenticate: "; ++ CMS.debug(method + "begins"); ++ ++ String auditMessage = null; ++ String auditSubjectID = auditSubjectID(); ++ String auditReqType = ILogger.UNIDENTIFIED; ++ String auditCertSubject = ILogger.UNIDENTIFIED; ++ String auditSignerInfo = ILogger.UNIDENTIFIED; ++ ++ // ensure that any low-level exceptions are reported ++ // to the signed audit log and stored as failures ++ try { ++ // get the CMC. ++ ++ Object argblock = authCred.getArgBlock(); ++ Object returnVal = null; ++ if (argblock == null) { ++ returnVal = authCred.get("cert_request"); ++ if (returnVal == null) ++ returnVal = authCred.get(CRED_CMC); ++ } else { ++ returnVal = authCred.get("cert_request"); ++ if (returnVal == null) ++ returnVal = authCred.getArgBlock().get(CRED_CMC); ++ } ++ String cmc = (String) returnVal; ++ if (cmc == null) { ++ CMS.debug(method + " Authentication failed. 
Missing CMC."); ++ ++ // store a message in the signed audit log file ++ auditMessage = CMS.getLogMessage( ++ AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY, ++ auditSubjectID, ++ ILogger.FAILURE, ++ auditReqType, ++ auditCertSubject, ++ auditSignerInfo); ++ ++ audit(auditMessage); ++ ++ throw new EMissingCredential(CMS.getUserMessage( ++ "CMS_AUTHENTICATION_NULL_CREDENTIAL", CRED_CMC)); ++ } ++ ++ if (cmc.equals("")) { ++ log(ILogger.LL_FAILURE, ++ "cmc : attempted login with empty CMC."); ++ ++ // store a message in the signed audit log file ++ auditMessage = CMS.getLogMessage( ++ AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY, ++ auditSubjectID, ++ ILogger.FAILURE, ++ auditReqType, ++ auditCertSubject, ++ auditSignerInfo); ++ ++ audit(auditMessage); ++ ++ throw new EInvalidCredentials(CMS.getUserMessage( ++ "CMS_AUTHENTICATION_INVALID_CREDENTIAL")); ++ } ++ ++ // authenticate by checking CMC. ++ ++ // everything OK. ++ // now formulate the certificate info. ++ // set the subject name at a minimum. ++ // set anything else like version, extensions, etc. ++ // if nothing except subject name is set the rest of ++ // cert info will be filled in by policies and CA defaults. 
++ ++ AuthToken authToken = new AuthToken(this); ++ ++ try { ++ String asciiBASE64Blob; ++ ++ int startIndex = cmc.indexOf(HEADER); ++ int endIndex = cmc.indexOf(TRAILER); ++ if (startIndex != -1 && endIndex != -1) { ++ startIndex = startIndex + HEADER.length(); ++ asciiBASE64Blob = cmc.substring(startIndex, endIndex); ++ } else ++ asciiBASE64Blob = cmc; ++ ++ byte[] cmcBlob = CMS.AtoB(asciiBASE64Blob); ++ ByteArrayInputStream cmcBlobIn = new ++ ByteArrayInputStream(cmcBlob); ++ ++ org.mozilla.jss.pkix.cms.ContentInfo cmcReq = ++ (org.mozilla.jss.pkix.cms.ContentInfo) ++ org.mozilla.jss.pkix.cms.ContentInfo.getTemplate().decode( ++ cmcBlobIn); ++ ++ if (!cmcReq.getContentType().equals( ++ org.mozilla.jss.pkix.cms.ContentInfo.SIGNED_DATA) || ++ !cmcReq.hasContent()) { ++ // store a message in the signed audit log file ++ auditMessage = CMS.getLogMessage( ++ AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY, ++ auditSubjectID, ++ ILogger.FAILURE, ++ auditReqType, ++ auditCertSubject, ++ auditSignerInfo); ++ ++ audit(auditMessage); ++ ++ // throw new ECMSGWException(CMSGWResources.NO_CMC_CONTENT); ++ ++ throw new EBaseException("NO_CMC_CONTENT"); ++ } ++ ++ SignedData cmcFullReq = (SignedData) ++ cmcReq.getInterpretedContent(); ++ ++ IConfigStore cmc_config = CMS.getConfigStore(); ++ boolean checkSignerInfo = ++ cmc_config.getBoolean("cmc.signerInfo.verify", true); ++ String userid = "defUser"; ++ String uid = "defUser"; ++ if (checkSignerInfo) { ++ IAuthToken userToken = verifySignerInfo(authToken, cmcFullReq); ++ if (userToken == null) { ++ CMS.debug(method + " authenticate() userToken null"); ++ throw new EBaseException(method + " verifySignerInfo failure"); ++ } ++ userid = userToken.getInString("userid"); ++ uid = userToken.getInString("cn"); ++ } else { ++ CMS.debug(method + " authenticate() signerInfo verification bypassed"); ++ } ++ // reset value of auditSignerInfo ++ if (uid != null) { ++ auditSignerInfo = uid.trim(); ++ } ++ ++ EncapsulatedContentInfo ci = 
cmcFullReq.getContentInfo(); ++ ++ OBJECT_IDENTIFIER id = ci.getContentType(); ++ ++ if (!id.equals(OBJECT_IDENTIFIER.id_cct_PKIData) || ++ !ci.hasContent()) { ++ // store a message in the signed audit log file ++ auditMessage = CMS.getLogMessage( ++ AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY, ++ auditSubjectID, ++ ILogger.FAILURE, ++ auditReqType, ++ auditCertSubject, ++ auditSignerInfo); ++ ++ audit(auditMessage); ++ ++ // throw new ECMSGWException( ++ // CMSGWResources.NO_PKIDATA); ++ ++ throw new EBaseException("NO_PKIDATA"); ++ } ++ ++ OCTET_STRING content = ci.getContent(); ++ ++ ByteArrayInputStream s = new ++ ByteArrayInputStream(content.toByteArray()); ++ PKIData pkiData = (PKIData) (new PKIData.Template()).decode(s); ++ ++ SEQUENCE reqSequence = pkiData.getReqSequence(); ++ ++ int numReqs = reqSequence.size(); ++ ++ if (numReqs == 0) { ++ CMS.debug(method + "numReqs 0, assume revocation request"); ++ // revocation request ++ ++ // reset value of auditReqType ++ auditReqType = SIGNED_AUDIT_REVOCATION_REQUEST_TYPE; ++ ++ SEQUENCE controlSequence = pkiData.getControlSequence(); ++ int controlSize = controlSequence.size(); ++ ++ if (controlSize > 0) { ++ for (int i = 0; i < controlSize; i++) { ++ TaggedAttribute taggedAttribute = ++ (TaggedAttribute) controlSequence.elementAt(i); ++ OBJECT_IDENTIFIER type = taggedAttribute.getType(); ++ ++ if (type.equals( ++ OBJECT_IDENTIFIER.id_cmc_revokeRequest)) { ++/* TODO: user-signed revocation to be handled in next ticket ++ // if( i ==1 ) { ++ // taggedAttribute.getType() == ++ // OBJECT_IDENTIFIER.id_cmc_revokeRequest ++ // } ++ ++ SET values = taggedAttribute.getValues(); ++ int numVals = values.size(); ++ BigInteger[] bigIntArray = null; ++ ++ bigIntArray = new BigInteger[numVals]; ++ for (int j = 0; j < numVals; j++) { ++ // serialNumber INTEGER ++ ++ // SEQUENCE RevRequest = (SEQUENCE) ++ // values.elementAt(j); ++ byte[] encoded = ASN1Util.encode( ++ values.elementAt(j)); ++ org.mozilla.jss.asn1.ASN1Template 
template = new ++ org.mozilla.jss.pkix.cmmf.RevRequest.Template(); ++ org.mozilla.jss.pkix.cmmf.RevRequest revRequest = ++ (org.mozilla.jss.pkix.cmmf.RevRequest) ++ ASN1Util.decode(template, encoded); ++ ++ // SEQUENCE RevRequest = (SEQUENCE) ++ // ASN1Util.decode( ++ // SEQUENCE.getTemplate(), ++ // ASN1Util.encode( ++ // values.elementAt(j))); ++ ++ // SEQUENCE RevRequest = ++ // values.elementAt(j); ++ // int revReqSize = RevRequest.size(); ++ // if( revReqSize > 3 ) { ++ // INTEGER serialNumber = ++ // new INTEGER((long)0); ++ // } ++ ++ INTEGER temp = revRequest.getSerialNumber(); ++ ++ bigIntArray[j] = temp; ++ authToken.set(TOKEN_CERT_SERIAL, bigIntArray); ++ ++ long reasonCode = revRequest.getReason().getValue(); ++ Integer IntObject = Integer.valueOf((int) reasonCode); ++ authToken.set(REASON_CODE, IntObject); ++ ++ authToken.set("uid", uid); ++ authToken.set("userid", userid); ++ } ++*/ ++ } ++ } ++ ++ } ++ } else { ++ CMS.debug(method + "numReqs not 0, assume enrollment request"); ++ // enrollment request ++ ++ // reset value of auditReqType ++ auditReqType = SIGNED_AUDIT_ENROLLMENT_REQUEST_TYPE; ++ ++ X509CertInfo[] certInfoArray = new X509CertInfo[numReqs]; ++ String[] reqIdArray = new String[numReqs]; ++ ++ for (int i = 0; i < numReqs; i++) { ++ // decode message. 
++ TaggedRequest taggedRequest = ++ (TaggedRequest) reqSequence.elementAt(i); ++ ++ TaggedRequest.Type type = taggedRequest.getType(); ++ ++ if (type.equals(TaggedRequest.PKCS10)) { ++ CMS.debug(method + " type is PKCS10"); ++ authToken.set("cert_request_type", "cmc-pkcs10"); ++ ++ TaggedCertificationRequest tcr = ++ taggedRequest.getTcr(); ++ int p10Id = tcr.getBodyPartID().intValue(); ++ ++ reqIdArray[i] = String.valueOf(p10Id); ++ ++ CertificationRequest p10 = ++ tcr.getCertificationRequest(); ++ ++ // transfer to sun class ++ ByteArrayOutputStream ostream = ++ new ByteArrayOutputStream(); ++ ++ p10.encode(ostream); ++ boolean sigver = true; ++ boolean tokenSwitched = false; ++ CryptoManager cm = null; ++ CryptoToken signToken = null; ++ CryptoToken savedToken = null; ++ ++ // for PKCS10, "sigver" would offer the POP ++ sigver = CMS.getConfigStore().getBoolean("ca.requestVerify.enabled", true); ++ try { ++ cm = CryptoManager.getInstance(); ++ if (sigver == true) { ++ String tokenName = ++ CMS.getConfigStore().getString("ca.requestVerify.token", CryptoUtil.INTERNAL_TOKEN_NAME); ++ savedToken = cm.getThreadToken(); ++ signToken = CryptoUtil.getCryptoToken(tokenName); ++ if (!savedToken.getName().equals(signToken.getName())) { ++ cm.setThreadToken(signToken); ++ tokenSwitched = true; ++ } ++ } ++ ++ PKCS10 pkcs10 = ++ new PKCS10(ostream.toByteArray(), sigver); ++ ++ // xxx do we need to do anything else? 
++ X509CertInfo certInfo = ++ CMS.getDefaultX509CertInfo(); ++ ++ // fillPKCS10(certInfo,pkcs10,authToken,null); ++ ++ // authToken.set( ++ // pkcs10.getSubjectPublicKeyInfo()); ++ ++ X500Name tempName = pkcs10.getSubjectName(); ++ ++ // reset value of auditCertSubject ++ if (tempName != null) { ++ auditCertSubject = ++ tempName.toString().trim(); ++ if (auditCertSubject.equals("")) { ++ auditCertSubject = ++ ILogger.SIGNED_AUDIT_EMPTY_VALUE; ++ } ++ authToken.set(AuthToken.TOKEN_CERT_SUBJECT, ++ tempName.toString()); ++ } ++ ++ authToken.set("uid", uid); ++ authToken.set("userid", userid); ++ ++ certInfoArray[i] = certInfo; ++ } catch (Exception e) { ++ // store a message in the signed audit log file ++ auditMessage = CMS.getLogMessage( ++ AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY, ++ auditSubjectID, ++ ILogger.FAILURE, ++ auditReqType, ++ auditCertSubject, ++ auditSignerInfo); ++ ++ audit(auditMessage); ++ ++ //throw new ECMSGWException( ++ //CMSGWResources.ERROR_PKCS101, e.toString()); ++ ++ e.printStackTrace(); ++ throw new EBaseException(e.toString()); ++ } finally { ++ if ((sigver == true) && (tokenSwitched == true)){ ++ cm.setThreadToken(savedToken); ++ } ++ } ++ } else if (type.equals(TaggedRequest.CRMF)) { ++ ++ CMS.debug(method + " type is CRMF"); ++ authToken.set("cert_request_type", "cmc-crmf"); ++ try { ++ CertReqMsg crm = ++ taggedRequest.getCrm(); ++ CertRequest certReq = crm.getCertReq(); ++ INTEGER reqID = certReq.getCertReqId(); ++ reqIdArray[i] = reqID.toString(); ++ CertTemplate template = certReq.getCertTemplate(); ++ Name name = template.getSubject(); ++ ++ // xxx do we need to do anything else? 
++ X509CertInfo certInfo = ++ CMS.getDefaultX509CertInfo(); ++ ++ // reset value of auditCertSubject ++ if (name != null) { ++ String ss = name.getRFC1485(); ++ ++ auditCertSubject = ss; ++ if (auditCertSubject.equals("")) { ++ auditCertSubject = ++ ILogger.SIGNED_AUDIT_EMPTY_VALUE; ++ } ++ ++ authToken.set(AuthToken.TOKEN_CERT_SUBJECT, ss); ++ authToken.set("uid", uid); ++ authToken.set("userid", userid); ++ } ++ certInfoArray[i] = certInfo; ++ } catch (Exception e) { ++ // store a message in the signed audit log file ++ auditMessage = CMS.getLogMessage( ++ AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY, ++ auditSubjectID, ++ ILogger.FAILURE, ++ auditReqType, ++ auditCertSubject, ++ auditSignerInfo); ++ ++ audit(auditMessage); ++ ++ //throw new ECMSGWException( ++ //CMSGWResources.ERROR_PKCS101, e.toString()); ++ ++ e.printStackTrace(); ++ throw new EBaseException(e.toString()); ++ } ++ } ++ ++ // authToken.set(AgentAuthentication.CRED_CERT, new ++ // com.netscape.certsrv.usrgrp.Certificates( ++ // x509Certs)); ++ } ++ } ++ } catch (Exception e) { ++ CMS.debug(method + e); ++ // store a message in the signed audit log file ++ auditMessage = CMS.getLogMessage( ++ AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY, ++ auditSubjectID, ++ ILogger.FAILURE, ++ auditReqType, ++ auditCertSubject, ++ auditSignerInfo); ++ ++ audit(auditMessage); ++ ++ //Debug.printStackTrace(e); ++ throw new EInvalidCredentials(CMS.getUserMessage( ++ "CMS_AUTHENTICATION_INVALID_CREDENTIAL")); ++ } ++ ++ // store a message in the signed audit log file ++ auditMessage = CMS.getLogMessage( ++ AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY, ++ auditSubjectID, ++ ILogger.SUCCESS, ++ auditReqType, ++ auditCertSubject, ++ auditSignerInfo); ++ ++ audit(auditMessage); ++ ++ CMS.debug(method + "ends successfully; returning authToken"); ++ return authToken; ++ } catch (EMissingCredential eAudit1) { ++ CMS.debug(method + eAudit1); ++ // store a message in the signed audit log file ++ auditMessage = 
CMS.getLogMessage( ++ AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY, ++ auditSubjectID, ++ ILogger.FAILURE, ++ auditReqType, ++ auditCertSubject, ++ auditSignerInfo); ++ ++ audit(auditMessage); ++ ++ // rethrow the specific exception to be handled later ++ throw eAudit1; ++ } catch (EInvalidCredentials eAudit2) { ++ CMS.debug(method + eAudit2); ++ // store a message in the signed audit log file ++ auditMessage = CMS.getLogMessage( ++ AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY, ++ auditSubjectID, ++ ILogger.FAILURE, ++ auditReqType, ++ auditCertSubject, ++ auditSignerInfo); ++ ++ audit(auditMessage); ++ ++ // rethrow the specific exception to be handled later ++ throw eAudit2; ++ } catch (EBaseException eAudit3) { ++ CMS.debug(method + eAudit3); ++ // store a message in the signed audit log file ++ auditMessage = CMS.getLogMessage( ++ AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY, ++ auditSubjectID, ++ ILogger.FAILURE, ++ auditReqType, ++ auditCertSubject, ++ auditSignerInfo); ++ ++ audit(auditMessage); ++ ++ // rethrow the specific exception to be handled later ++ throw eAudit3; ++ } ++ } ++ ++ /** ++ * Returns a list of configuration parameter names. ++ * The list is passed to the configuration console so instances of ++ * this implementation can be configured through the console. ++ *

    ++ * ++ * @return String array of configuration parameter names. ++ */ ++ public String[] getConfigParams() { ++ return (mConfigParams); ++ } ++ ++ /** ++ * gets the configuration substore used by this authentication ++ * plug-in ++ *

    ++ * ++ * @return configuration store ++ */ ++ public IConfigStore getConfigStore() { ++ return mConfig; ++ } ++ ++ /** ++ * gets the plug-in name of this authentication plug-in. ++ */ ++ public String getImplName() { ++ return mImplName; ++ } ++ ++ /** ++ * gets the name of this authentication plug-in instance ++ */ ++ public String getName() { ++ return mName; ++ } ++ ++ /** ++ * get the list of required credentials. ++ *

    ++ * ++ * @return list of required credentials as strings. ++ */ ++ public String[] getRequiredCreds() { ++ return (mRequiredCreds); ++ } ++ ++ /** ++ * prepares for shutdown. ++ */ ++ public void shutdown() { ++ } ++ ++ ///////////////////////////////// ++ // IExtendedPluginInfo methods // ++ ///////////////////////////////// ++ ++ /** ++ * Activate the help system. ++ *

    ++ * ++ * @return help messages ++ */ ++ public String[] getExtendedPluginInfo() { ++ String method = "CMCUserSignedAuth: getExtendedPluginInfo: "; ++ CMS.debug(method + " begins"); ++ String[] s = Utils.getStringArrayFromVector(mExtendedPluginInfo); ++ ++ CMS.debug(method + " s.length = " + s.length); ++ for (int i = 0; i < s.length; i++) { ++ CMS.debug("" + i + " " + s[i]); ++ } ++ return s; ++ } ++ ++ //////////////////// ++ // Logger methods // ++ //////////////////// ++ ++ /** ++ * Logs a message for this class in the system log file. ++ *

    ++ * ++ * @param level The log level. ++ * @param msg The message to log. ++ * @see com.netscape.certsrv.logging.ILogger ++ */ ++ protected void log(int level, String msg) { ++ if (mLogger == null) ++ return; ++ mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_AUTHENTICATION, ++ level, "CMC User Signed Authentication: " + msg); ++ } ++ ++ protected IAuthToken verifySignerInfo(AuthToken authToken, SignedData cmcFullReq) throws EBaseException { ++ String method = "CMCUserSignedAuth: verifySignerInfo: "; ++ CMS.debug(method + "begins"); ++ ++ EncapsulatedContentInfo ci = cmcFullReq.getContentInfo(); ++ OBJECT_IDENTIFIER id = ci.getContentType(); ++ OCTET_STRING content = ci.getContent(); ++ ++ boolean tokenSwitched = false; ++ CryptoToken signToken = null; ++ CryptoToken savedToken = null; ++ CryptoManager cm = null; ++ try { ++ cm = CryptoManager.getInstance(); ++ ByteArrayInputStream s = new ByteArrayInputStream(content.toByteArray()); ++ PKIData pkiData = (PKIData) (new PKIData.Template()).decode(s); ++ ++ SET dais = cmcFullReq.getDigestAlgorithmIdentifiers(); ++ int numDig = dais.size(); ++ Hashtable digs = new Hashtable(); ++ ++ //if request key is used for signing, there MUST be only one signerInfo ++ //object in the signedData object. 
++ for (int i = 0; i < numDig; i++) { ++ AlgorithmIdentifier dai = ++ (AlgorithmIdentifier) dais.elementAt(i); ++ String name = ++ DigestAlgorithm.fromOID(dai.getOID()).toString(); ++ ++ MessageDigest md = ++ MessageDigest.getInstance(name); ++ ++ byte[] digest = md.digest(content.toByteArray()); ++ ++ digs.put(name, digest); ++ } ++ ++ SET sis = cmcFullReq.getSignerInfos(); ++ int numSis = sis.size(); ++ ++ for (int i = 0; i < numSis; i++) { ++ org.mozilla.jss.pkix.cms.SignerInfo si = (org.mozilla.jss.pkix.cms.SignerInfo) sis.elementAt(i); ++ ++ String name = si.getDigestAlgorithm().toString(); ++ byte[] digest = digs.get(name); ++ ++ if (digest == null) { ++ MessageDigest md = MessageDigest.getInstance(name); ++ ByteArrayOutputStream ostream = new ByteArrayOutputStream(); ++ ++ pkiData.encode(ostream); ++ digest = md.digest(ostream.toByteArray()); ++ ++ } ++ // signed by previously certified signature key ++ SignerIdentifier sid = si.getSignerIdentifier(); ++ // TODO: need to handle signing key being the matching key from ++ // the request ++ if (sid.getType().equals(SignerIdentifier.ISSUER_AND_SERIALNUMBER)) { ++ IssuerAndSerialNumber issuerAndSerialNumber = sid.getIssuerAndSerialNumber(); ++ // find from the certs in the signedData ++ java.security.cert.X509Certificate cert = null; ++ ++ if (cmcFullReq.hasCertificates()) { ++ SET certs = cmcFullReq.getCertificates(); ++ int numCerts = certs.size(); ++ java.security.cert.X509Certificate[] x509Certs = new java.security.cert.X509Certificate[1]; ++ byte[] certByteArray = new byte[0]; ++ for (int j = 0; j < numCerts; j++) { ++ Certificate certJss = (Certificate) certs.elementAt(j); ++ CertificateInfo certI = certJss.getInfo(); ++ Name issuer = certI.getIssuer(); ++ ++ byte[] issuerB = ASN1Util.encode(issuer); ++CMS.debug(method + "issuer = " + new String(issuerB)); ++ INTEGER sn = certI.getSerialNumber(); ++ // if this cert is the signer cert, not a cert in the chain ++ if (new String(issuerB).equals(new String( ++ 
ASN1Util.encode(issuerAndSerialNumber.getIssuer()))) ++ && sn.toString().equals(issuerAndSerialNumber.getSerialNumber().toString())) { ++ ByteArrayOutputStream os = new ++ ByteArrayOutputStream(); ++ ++ certJss.encode(os); ++ certByteArray = os.toByteArray(); ++ ++ X509CertImpl tempcert = new X509CertImpl(os.toByteArray()); ++ ++ cert = tempcert; ++ x509Certs[0] = cert; ++ // xxx validate the cert length ++ ++ } ++ } ++ CMS.debug(method + "start checking signature"); ++ if (cert == null) { ++ // find from certDB ++ CMS.debug(method + "verifying signature"); ++ si.verify(digest, id); ++ } else { ++ CMS.debug(method + "found signing cert... verifying"); ++ PublicKey signKey = cert.getPublicKey(); ++ PrivateKey.Type keyType = null; ++ String alg = signKey.getAlgorithm(); ++ ++ PK11PubKey pubK = null; ++ if (alg.equals("RSA")) { ++ CMS.debug(method + "signing key alg=RSA"); ++ keyType = PrivateKey.RSA; ++ pubK = PK11PubKey.fromRaw(keyType, ((X509Key) signKey).getKey()); ++ } else if (alg.equals("EC")) { ++ CMS.debug(method + "signing key alg=EC"); ++ keyType = PrivateKey.EC; ++ byte publicKeyData[] = ((X509Key) signKey).getEncoded(); ++ pubK = PK11ECPublicKey.fromSPKI(/*keyType,*/ publicKeyData); ++ } else { ++ CMS.debug(method + "unsupported signature algorithm: " + alg); ++ throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); ++ } ++ ++ String tokenName = ++ CMS.getConfigStore().getString("ca.requestVerify.token", CryptoUtil.INTERNAL_TOKEN_NAME); ++ // by default JSS will use internal crypto token ++ if (!CryptoUtil.isInternalToken(tokenName)) { ++ savedToken = cm.getThreadToken(); ++ signToken = CryptoUtil.getCryptoToken(tokenName); ++ if(signToken != null) { ++ cm.setThreadToken(signToken); ++ tokenSwitched = true; ++ CMS.debug(method + "verifySignerInfo token switched:"+ tokenName); ++ } else { ++ CMS.debug(method + "verifySignerInfo token not found:"+ tokenName+ ", trying internal"); ++ } ++ } ++ ++ CMS.debug(method + 
"verifying signature with public key"); ++ si.verify(digest, id, pubK); ++ } ++ CMS.debug(method + "finished checking signature"); ++ // verify signer's certificate using the revocator ++ if (!cm.isCertValid(certByteArray, true, CryptoManager.CertUsage.SSLClient)) { ++ CMS.debug(method + "CMC signature failed to be verified"); ++ throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); ++ } else { ++ CMS.debug(method + "CMC signature verified; but signer not yet;"); ++ } ++ // At this point, the signature has been verified; ++ ++ IAuthToken tempToken = new AuthToken(null); ++ netscape.security.x509.X500Name tempPrincipal = (X500Name) x509Certs[0].getSubjectDN(); ++ String CN = tempPrincipal.getCommonName(); //tempToken.get("userid"); ++ CMS.debug(method + " Principal name = " + CN); ++ ++ BigInteger certSerial = x509Certs[0].getSerialNumber(); ++ CMS.debug(method + " verified cert serial=" + certSerial.toString()); ++ authToken.set(IAuthManager.CRED_CMC_SIGNING_CERT, certSerial.toString()); ++ tempToken.set("cn", CN); ++ ++ return tempToken; ++ ++ } ++ ++ } else { ++ CMS.debug(method + "unsupported SignerIdentifier type"); ++ } ++ } ++ } catch (InvalidBERException e) { ++ CMS.debug(method + e.toString()); ++ } catch (IOException e) { ++ CMS.debug(method + e.toString()); ++ } catch (NotInitializedException e) { ++ CMS.debug(method + e.toString()); ++ } catch (Exception e) { ++ CMS.debug(method + e.toString()); ++ throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); ++ } finally { ++ if ((tokenSwitched == true) && (savedToken != null)){ ++ cm.setThreadToken(savedToken); ++ CMS.debug(method + "verifySignerInfo token restored"); ++ } ++ } ++ return null; ++ ++ } ++ ++ public String[] getExtendedPluginInfo(Locale locale) { ++ return null; ++ } ++ ++ // Profile-related methods ++ ++ public void init(IProfile profile, IConfigStore config) ++ throws EProfileException { ++ } ++ ++ /** ++ * Retrieves 
the localizable name of this policy. ++ */ ++ public String getName(Locale locale) { ++ return CMS.getUserMessage(locale, "CMS_AUTHENTICATION_CMS_SIGN_NAME"); ++ } ++ ++ /** ++ * Retrieves the localizable description of this policy. ++ */ ++ public String getText(Locale locale) { ++ return CMS.getUserMessage(locale, "CMS_AUTHENTICATION_CMS_SIGN_TEXT"); ++ } ++ ++ /** ++ * Retrieves a list of names of the value parameter. ++ */ ++ public Enumeration getValueNames() { ++ Vector v = new Vector(); ++ v.addElement("cert_request"); ++ return v.elements(); ++ } ++ ++ public boolean isValueWriteable(String name) { ++ return false; ++ } ++ ++ /** ++ * Retrieves the descriptor of the given value ++ * parameter by name. ++ */ ++ public IDescriptor getValueDescriptor(Locale locale, String name) { ++ if (name.equals(CRED_CMC)) { ++ return new Descriptor(IDescriptor.STRING_LIST, null, null, ++ "CMC request"); ++ } ++ return null; ++ } ++ ++ public void populate(IAuthToken token, IRequest request) ++ throws EProfileException { ++ request.setExtData(IProfileAuthenticator.AUTHENTICATED_NAME, ++ token.getInString(AuthToken.TOKEN_CERT_SUBJECT)); ++ } ++ ++ public boolean isSSLClientRequired() { ++ return false; ++ } ++ ++ /** ++ * Signed Audit Log ++ * ++ * This method is called to store messages to the signed audit log. ++ *

    ++ * ++ * @param msg signed audit log message ++ */ ++ private void audit(String msg) { ++ // in this case, do NOT strip preceding/trailing whitespace ++ // from passed-in String parameters ++ ++ if (mSignedAuditLogger == null) { ++ return; ++ } ++ ++ mSignedAuditLogger.log(ILogger.EV_SIGNED_AUDIT, ++ null, ++ ILogger.S_SIGNED_AUDIT, ++ ILogger.LL_SECURITY, ++ msg); ++ } ++ ++ protected void audit(AuditEvent event) { ++ ++ String template = event.getMessage(); ++ Object[] params = event.getParameters(); ++ ++ String message = CMS.getLogMessage(template, params); ++ ++ audit(message); ++ } ++ ++ /** ++ * Signed Audit Log Subject ID ++ * ++ * This method is called to obtain the "SubjectID" for ++ * a signed audit log message. ++ *

    ++ * ++ * @return id string containing the signed audit log message SubjectID ++ */ ++ private String auditSubjectID() { ++ // if no signed audit object exists, bail ++ if (mSignedAuditLogger == null) { ++ return null; ++ } ++ ++ String subjectID = null; ++ ++ // Initialize subjectID ++ SessionContext auditContext = SessionContext.getExistingContext(); ++ ++ if (auditContext != null) { ++ subjectID = (String) ++ auditContext.get(SessionContext.USER_ID); ++ ++ if (subjectID != null) { ++ subjectID = subjectID.trim(); ++ } else { ++ subjectID = ILogger.NONROLEUSER; ++ } ++ } else { ++ subjectID = ILogger.UNIDENTIFIED; ++ } ++ ++ return subjectID; ++ } ++} +diff --git a/base/server/cms/src/com/netscape/cms/profile/common/BasicProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/BasicProfile.java +index e6fc045..e47c722 100644 +--- a/base/server/cms/src/com/netscape/cms/profile/common/BasicProfile.java ++++ b/base/server/cms/src/com/netscape/cms/profile/common/BasicProfile.java +@@ -783,6 +783,8 @@ public abstract class BasicProfile implements IProfile { + boolean createConfig) + throws EProfileException { + ++ String method = "BasicProfile: createProfilePolicy: "; ++ CMS.debug(method + "begins"); + // String setId ex: policyset.set1 + // String id Id of policy : examples: p1,p2,p3 + // String defaultClassId : id of the default plugin ex: validityDefaultImpl +@@ -911,19 +913,18 @@ public abstract class BasicProfile implements IProfile { + } + } + } +- + String defaultRoot = id + "." + PROP_DEFAULT; + String constraintRoot = id + "." 
+ PROP_CONSTRAINT; + IPluginInfo defInfo = mRegistry.getPluginInfo("defaultPolicy", + defaultClassId); + + if (defInfo == null) { +- CMS.debug("BasicProfile: Cannot find " + defaultClassId); ++ CMS.debug(method + " Cannot find " + defaultClassId); + throw new EProfileException("Cannot find " + defaultClassId); + } + String defaultClass = defInfo.getClassName(); + +- CMS.debug("BasicProfile: loading default class " + defaultClass); ++ CMS.debug(method + " loading default class " + defaultClass); + IPolicyDefault def = null; + + try { +@@ -931,7 +932,7 @@ public abstract class BasicProfile implements IProfile { + Class.forName(defaultClass).newInstance(); + } catch (Exception e) { + // throw Exception +- CMS.debug("BasicProfile: default policy " + ++ CMS.debug(method + " default policy " + + defaultClass + " " + e.toString()); + } + if (def == null) { +@@ -941,24 +942,30 @@ public abstract class BasicProfile implements IProfile { + + defStore = policyStore.getSubStore(defaultRoot); + def.init(this, defStore); ++ CMS.debug(method + " default class initialized."); + } + + IPluginInfo conInfo = mRegistry.getPluginInfo("constraintPolicy", + constraintClassId); ++ if (conInfo == null) { ++ CMS.debug(method + " Cannot find " + constraintClassId); ++ throw new EProfileException("Cannot find " + constraintClassId); ++ } + String constraintClass = conInfo.getClassName(); +- IPolicyConstraint constraint = null; + ++ CMS.debug(method + " loading constraint class " + constraintClass); ++ IPolicyConstraint constraint = null; + try { + constraint = (IPolicyConstraint) + Class.forName(constraintClass).newInstance(); + } catch (Exception e) { + // throw Exception +- CMS.debug("BasicProfile: constraint policy " + ++ CMS.debug(method + " constraint policy " + + constraintClass + " " + e.toString()); + } + ProfilePolicy policy = null; + if (constraint == null) { +- CMS.debug("BasicProfile: failed to create " + constraintClass); ++ CMS.debug(method + " failed to create " + 
constraintClass); + } else { + IConfigStore conStore = null; + +@@ -966,9 +973,11 @@ public abstract class BasicProfile implements IProfile { + constraint.init(this, conStore); + policy = new ProfilePolicy(id, def, constraint); + policies.addElement(policy); ++ CMS.debug(method + " constraint class initialized."); + } + + if (createConfig) { ++ CMS.debug(method + " createConfig true; creating..."); + String list = null; + + try { +@@ -996,8 +1005,10 @@ public abstract class BasicProfile implements IProfile { + CMS.debug("BasicProfile: commiting config store " + + e.toString()); + } ++ CMS.debug(method + " config created."); + } + ++ CMS.debug(method + "ends"); + return policy; + } + +@@ -1091,9 +1102,10 @@ public abstract class BasicProfile implements IProfile { + */ + public void populate(IRequest request) + throws EProfileException { ++ String method = "BasicProfile: populate: "; + String setId = getPolicySetId(request); + Vector policies = getPolicies(setId); +- CMS.debug("BasicProfile: populate() policy setid =" + setId); ++ CMS.debug(method + "policy setid =" + setId); + + for (int i = 0; i < policies.size(); i++) { + IProfilePolicy policy = policies.elementAt(i); +diff --git a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java +index 1c44e2c..57f07d1 100644 +--- a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java ++++ b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java +@@ -71,6 +71,7 @@ import org.mozilla.jss.pkix.primitive.Name; + import org.mozilla.jss.pkix.primitive.SubjectPublicKeyInfo; + + import com.netscape.certsrv.apps.CMS; ++import com.netscape.certsrv.authentication.IAuthManager; + import com.netscape.certsrv.authentication.IAuthToken; + import com.netscape.certsrv.authentication.ISharedToken; + import com.netscape.certsrv.authority.IAuthority; +@@ -110,6 +111,7 @@ import netscape.security.x509.CertificateX509Key; + 
import netscape.security.x509.Extension; + import netscape.security.x509.Extensions; + import netscape.security.x509.X500Name; ++import netscape.security.x509.X509CertImpl; + import netscape.security.x509.X509CertInfo; + import netscape.security.x509.X509Key; + +@@ -144,7 +146,8 @@ public abstract class EnrollProfile extends BasicProfile + */ + public IRequest[] createRequests(IProfileContext ctx, Locale locale) + throws EProfileException { +- String method = "EnrollProfile: createRequests"; ++ ++ String method = "EnrollProfile: createRequests: "; + CMS.debug(method + "begins"); + + // determine how many requests should be created +@@ -171,13 +174,20 @@ public abstract class EnrollProfile extends BasicProfile + } + TaggedRequest[] cmc_msgs = null; + if (cert_request_type != null && cert_request_type.startsWith("cmc")) { +- /* +- * TODO: cfu: Phase 2: check if CMCAuth pre-signed request passed. +- * if not, identityProofV2 and/or identification controls +- * are required; +- */ ++ ++ // donePOI true means Proof-Of-Identity is already done. 
++ // if the auth manager is the CMCUserSignedAuth, then ++ // the new cert will eventually have the same subject as the ++ // user signing cert ++ // if the auth manager is the CMCAuth (agent pre-approved), ++ // then no changes ++ boolean donePOI = false; ++ String signingUserSerial = ctx.get(IAuthManager.CRED_CMC_SIGNING_CERT); ++ if (signingUserSerial != null) { ++ donePOI = true; ++ } + // catch for invalid request +- cmc_msgs = parseCMC(locale, cert_request); ++ cmc_msgs = parseCMC(locale, cert_request, donePOI); + if (cmc_msgs == null) { + CMS.debug(method + "parseCMC returns cmc_msgs null"); + return null; +@@ -209,7 +219,7 @@ public abstract class EnrollProfile extends BasicProfile + } else { + result[i].setExtData(REQUEST_SEQ_NUM, Integer.valueOf(i)); + if ((cmc_msgs != null) && (cmc_msgs[i] != null)) { +- CMS.debug("EnrollProfile: createRequests: setting cmc TaggedRequest in request"); ++ CMS.debug(method + "setting cmc TaggedRequest in request"); + result[i].setExtData( + CTX_CERT_REQUEST, + ASN1Util.encode(cmc_msgs[i])); +@@ -221,9 +231,6 @@ public abstract class EnrollProfile extends BasicProfile + + // set requested CA + result[i].setExtData(IRequest.AUTHORITY_ID, ctx.get(REQUEST_AUTHORITY_ID)); +- +- // set user data +- result[i].setExtData(IRequest.USER_DATA, ctx.get(REQUEST_USER_DATA)); + } + return result; + } +@@ -300,7 +307,7 @@ public abstract class EnrollProfile extends BasicProfile + req.setExtData(REQUEST_EXTENSIONS, + new CertificateExtensions()); + +- CMS.debug("EnrollProfile: createRequest " + ++ CMS.debug("EnrollProfile: createEnrollmentRequest " + + req.getRequestId()); + } catch (EBaseException e) { + // raise exception? 
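Review bot: The proof-of-identity bypass hinges entirely on `ctx.get(IAuthManager.CRED_CMC_SIGNING_CERT)` being non-null, so `donePOI` is only as trustworthy as the guarantee that this context key is populated by the authentication manager and never by client-supplied profile input; that guarantee is not visible in this diff and deserves a comment at the assignment. I would add `// CRED_CMC_SIGNING_CERT must only ever be set by the auth manager (CMCUserSignedAuth); a client-controllable value here would skip the identityProof(V2) check in parseCMC`. The gate is consumed by the hunk at -666, which logs and ignores any identityProof controls once donePOI is true, so a wrong assumption here turns into an authentication bypass there. createRequests continues outside this hunk.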
+@@ -469,6 +476,7 @@ public abstract class EnrollProfile extends BasicProfile + + IRequestQueue queue = getRequestQueue(); + String msg = ""; ++ CMS.debug(method + "begins"); + + boolean popChallengeRequired = + request.getExtDataInBoolean("cmc_POPchallengeRequired", false); +@@ -485,7 +493,7 @@ public abstract class EnrollProfile extends BasicProfile + } + + if (token == null){ +- CMS.debug(method + " auth token is null"); ++ CMS.debug(method + " auth token is null; agent manual approval required;"); + CMS.debug(method + " validating request"); + validate(request); + try { +@@ -500,6 +508,7 @@ public abstract class EnrollProfile extends BasicProfile + // this is encryptedPOP case; defer to require decryptedPOP + CMS.debug(method + " popChallengeRequired, defer to enforce decryptedPOP"); + validate(request); ++ + CMS.debug(method + " about to call setPOPchallenge"); + try { + setPOPchallenge(request); +@@ -521,40 +530,38 @@ public abstract class EnrollProfile extends BasicProfile + } + } + +- /* +- * parseCMC +- * @throws EProfileException in case of error +- * note: returing "null" doesn't mean failure ++ /** ++ * getPKIDataFromCMCblob ++ * ++ * @param certReqBlob cmc b64 encoded blob ++ * @return PKIData + */ +- public TaggedRequest[] parseCMC(Locale locale, String certreq) ++ public PKIData getPKIDataFromCMCblob(Locale locale, String certReqBlob) + throws EProfileException { + +- String method = "EnrollProfile: parseCMC: "; ++ String method = "EnrollProfile: getPKIDataFromCMCblob: "; + String msg = ""; // for capturing debug and throw info + + /* cert request must not be null */ +- if (certreq == null) { +- msg = method + "certreq null"; ++ if (certReqBlob == null) { ++ msg = method + "certReqBlob null"; + CMS.debug(msg); + throw new EProfileException( + CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST") + + msg); + } +- //CMS.debug(method + " Start parseCMC(): " + certreq); ++ //CMS.debug(method + " Start: " + certReqBlob); + CMS.debug(method + 
"starts"); + +- TaggedRequest msgs[] = null; +- +- String creq = normalizeCertReq(certreq); ++ String creq = normalizeCertReq(certReqBlob); + try { + byte data[] = CMS.AtoB(creq); +- ByteArrayInputStream cmcBlobIn = +- new ByteArrayInputStream(data); ++ ByteArrayInputStream cmcBlobIn = new ByteArrayInputStream(data); + +- org.mozilla.jss.pkix.cms.ContentInfo cmcReq = (org.mozilla.jss.pkix.cms.ContentInfo) +- org.mozilla.jss.pkix.cms.ContentInfo.getTemplate().decode(cmcBlobIn); +- org.mozilla.jss.pkix.cms.SignedData cmcFullReq = +- (org.mozilla.jss.pkix.cms.SignedData) cmcReq.getInterpretedContent(); ++ org.mozilla.jss.pkix.cms.ContentInfo cmcReq = (org.mozilla.jss.pkix.cms.ContentInfo) org.mozilla.jss.pkix.cms.ContentInfo ++ .getTemplate().decode(cmcBlobIn); ++ org.mozilla.jss.pkix.cms.SignedData cmcFullReq = (org.mozilla.jss.pkix.cms.SignedData) cmcReq ++ .getInterpretedContent(); + org.mozilla.jss.pkix.cms.EncapsulatedContentInfo ci = cmcFullReq.getContentInfo(); + OCTET_STRING content = ci.getContent(); + +@@ -564,6 +571,104 @@ public abstract class EnrollProfile extends BasicProfile + mCMCData = pkiData; + //PKIData pkiData = (PKIData) + // (new PKIData.Template()).decode(cmcBlobIn); ++ ++ return pkiData; ++ } catch (Exception e) { ++ CMS.debug(method + e); ++ throw new EProfileException( ++ CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST"), e); ++ } ++ } ++ ++ public static CertificateSubjectName getCMCSigningCertSNfromCertSerial( ++ String certSerial) throws Exception { ++ X509CertImpl userCert = getCMCSigningCertFromCertSerial(certSerial); ++ ++ if (userCert != null) { ++ return userCert.getSubjectObj(); ++ } else { ++ return null; ++ } ++ } ++ ++ /** ++ * getCMCSigningCertFromCertSerial is to be used when authentication ++ * was done with CMCUserSignedAuth where the resulting ++ * authToken contains ++ * IAuthManager.CRED_CMC_SIGNING_CERT, serial number ++ * This method takes the serial number ++ * and finds the cert from the CA's certdb ++ */ ++ 
public static X509CertImpl getCMCSigningCertFromCertSerial( ++ String certSerial) throws Exception { ++ String method = "EnrollProfile: getCMCSigningCertFromCertSerial: "; ++ String msg = ""; ++ ++ X509CertImpl userCert = null; ++ ++ if (certSerial == null || certSerial.equals("")) { ++ msg = method + "certSerial empty"; ++ CMS.debug(msg); ++ throw new Exception(msg); ++ } ++ ++ // for CMCUserSignedAuth, the signing user is the subject of ++ // the new cert ++ ICertificateAuthority authority = (ICertificateAuthority) CMS.getSubsystem(CMS.SUBSYSTEM_CA); ++ try { ++ BigInteger serialNo = new BigInteger(certSerial); ++ userCert = authority.getCertificateRepository().getX509Certificate(serialNo); ++ } catch (NumberFormatException e) { ++ msg = method + e; ++ CMS.debug(msg); ++ throw new Exception(msg); ++ } catch (EBaseException e) { ++ msg = method + e + "; signing user cert not found: serial=" + certSerial; ++ CMS.debug(msg); ++ throw new Exception(msg); ++ } ++ ++ if (userCert != null) { ++ msg = method + "signing user cert found; serial=" + certSerial; ++ CMS.debug(msg); ++ } else { ++ msg = method + "signing user cert not found: serial=" + certSerial; ++ CMS.debug(msg); ++ throw new Exception(msg); ++ } ++ ++ return userCert; ++ } ++ ++ /* ++ * parseCMC ++ * @throws EProfileException in case of error ++ * note: returing "null" doesn't mean failure ++ */ ++ public TaggedRequest[] parseCMC(Locale locale, String certreq) ++ throws EProfileException { ++ return parseCMC(locale, certreq, false); ++ } ++ public TaggedRequest[] parseCMC(Locale locale, String certreq, boolean donePOI) ++ throws EProfileException { ++ ++ String method = "EnrollProfile: parseCMC: "; ++ String msg = ""; // for capturing debug and throw info ++ //CMS.debug(method + " Start parseCMC(): " + certreq); ++ CMS.debug(method + "starts"); ++ ++ /* cert request must not be null */ ++ if (certreq == null) { ++ msg = method + "certreq null"; ++ CMS.debug(msg); ++ throw new EProfileException( ++ 
CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST") + ++ msg); ++ } ++ ++ TaggedRequest msgs[] = null; ++ try { ++ PKIData pkiData = getPKIDataFromCMCblob(locale, certreq); + SEQUENCE controlSeq = pkiData.getControlSequence(); + int numcontrols = controlSeq.size(); + SEQUENCE reqSeq = pkiData.getReqSequence(); +@@ -571,6 +676,7 @@ public abstract class EnrollProfile extends BasicProfile + UTF8String ident_s = null; + SessionContext context = SessionContext.getContext(); + if (!context.containsKey("numOfControls")) { ++ CMS.debug(method + "numcontrols="+ numcontrols); + if (numcontrols > 0) { + context.put("numOfControls", Integer.valueOf(numcontrols)); + TaggedAttribute[] attributes = new TaggedAttribute[numcontrols]; +@@ -587,56 +693,45 @@ public abstract class EnrollProfile extends BasicProfile + boolean id_cmc_idPOPLinkRandom = false; + SET vals = null; + ++ /** ++ * pre-process all controls -- ++ * the postponed processing is so that we can capture ++ * the identification, if included ++ */ ++ CMS.debug(method + "about to pre-process controls"); + for (int i = 0; i < numcontrols; i++) { + attributes[i] = (TaggedAttribute) controlSeq.elementAt(i); + OBJECT_IDENTIFIER oid = attributes[i].getType(); + if (oid.equals(OBJECT_IDENTIFIER.id_cmc_decryptedPOP)) { +- CMS.debug(method + " decryptedPOP found"); ++ CMS.debug(method + " id_cmc_decryptedPOP found"); + id_cmc_decryptedPOP = true; + decPopVals = attributes[i].getValues(); + } else if (oid.equals(OBJECT_IDENTIFIER.id_cmc_identification)) { ++ CMS.debug(method + " id_cmc_identification found"); + id_cmc_identification = true; + ident = attributes[i].getValues(); + } else if (oid.equals(OBJECT_IDENTIFIER.id_cmc_identityProofV2)) { ++ CMS.debug(method + " id_cmc_identityProofV2 found"); + id_cmc_identityProofV2 = true; + attr = attributes[i]; + } else if (oid.equals(OBJECT_IDENTIFIER.id_cmc_identityProof)) { ++ CMS.debug(method + " id_cmc_identityProof found"); + id_cmc_identityProof = true; + attr = 
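Review bot: `getCMCSigningCertFromCertSerial` throws bare `java.lang.Exception` at its three failure points, which forces every caller into a catch-all and, in the `EBaseException` branch, discards the original cause. Since the two-argument `EProfileException(String, Throwable)` is already used by `getPKIDataFromCMCblob` in this same hunk, the repository lookup failure could be `throw new EProfileException(msg, e);` and the empty-serial and `NumberFormatException` cases `throw new EProfileException(msg);`, with the `throws` clause narrowed to match. Separately, the context line `mCMCData = pkiData;` now executes inside a public per-request helper; if EnrollProfile instances are shared between concurrent requests that field is a cross-request race, which I cannot confirm from this diff, so a `// NOTE: per-request state kept on the profile instance — confirm profiles are not shared` next to it would be warranted. The restored Javadoc on the two-argument `parseCMC` still reads `returing`.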
attributes[i]; + } else if (oid.equals(OBJECT_IDENTIFIER.id_cmc_idPOPLinkRandom)) { +- CMS.debug(method + "id_cmc_idPOPLinkRandom true"); ++ CMS.debug(method + "id_cmc_idPOPLinkRandom found"); + id_cmc_idPOPLinkRandom = true; + vals = attributes[i].getValues(); + } else { ++ CMS.debug(method + "unknown control found"); + context.put(attributes[i].getType(), attributes[i]); + } + } //for + + /** + * now do the actual control processing +- * (the postponed processing is so that we can capture +- * the identification, if included) + */ +- +- if (id_cmc_decryptedPOP) { +- if (decPopVals != null) { +- +- DecryptedPOP decPop = (DecryptedPOP) (ASN1Util.decode(DecryptedPOP.getTemplate(), +- ASN1Util.encode(decPopVals.elementAt(0)))); +- CMS.debug(method + "DecryptedPOP encoded"); +- +- Integer reqId = verifyDecryptedPOP(locale, decPop); +- if (reqId != null) { +- context.put("decryptedPopReqId", reqId); +- } +- } else { //decPopVals == null +- msg = "id_cmc_decryptedPOP contains invalid DecryptedPOP"; +- CMS.debug(method + msg); +- SEQUENCE bpids = getRequestBpids(reqSeq); +- context.put("decryptedPOP", bpids); +- } +- return null; +- } ++ CMS.debug(method + "processing controls..."); + + if (id_cmc_identification) { + if (ident == null) { +@@ -666,8 +761,22 @@ public abstract class EnrollProfile extends BasicProfile + } + } + +- // either V2 or not V2; can't be both +- if (id_cmc_identityProofV2 && (attr != null)) { ++ // checking Proof Of Identity, if not pre-signed ++ ++ if (donePOI) { ++ // for logging purposes ++ if (id_cmc_identityProofV2) { ++ CMS.debug(method ++ + "pre-signed CMC request, but id_cmc_identityProofV2 found...ignore; no further proof of identification check"); ++ } else if (id_cmc_identityProof) { ++ CMS.debug(method ++ + "pre-signed CMC request, but id_cmc_identityProof found...ignore; no further proof of identification check"); ++ } else { ++ CMS.debug(method + "pre-signed CMC request; no further proof of identification check"); ++ } ++ } else if 
(id_cmc_identityProofV2 && (attr != null)) { ++ // either V2 or not V2; can't be both ++ CMS.debug(method + "not pre-signed CMC request; calling verifyIdentityProofV2;"); + if (!id_cmc_identification) { + SEQUENCE bpids = getRequestBpids(reqSeq); + context.put("identification", bpids); +@@ -685,23 +794,57 @@ public abstract class EnrollProfile extends BasicProfile + SEQUENCE bpids = getRequestBpids(reqSeq); + context.put("identityProofV2", bpids); + +- msg = " in verifyIdentityProofV2"; ++ msg = " after verifyIdentityProofV2"; + CMS.debug(method + msg); + throw new EProfileException(CMS.getUserMessage(locale, +- "CMS_POI_VERIFICATION_ERROR")+ msg); ++ "CMS_POI_VERIFICATION_ERROR") + msg); ++ } else { ++ CMS.debug(method + "passed verifyIdentityProofV2; Proof of Identity successful;"); + } + } else if (id_cmc_identityProof && (attr != null)) { ++ CMS.debug(method + "not pre-signed CMC request; calling verifyIdentityProof;"); + boolean valid = verifyIdentityProof(attr, + reqSeq); + if (!valid) { + SEQUENCE bpids = getRequestBpids(reqSeq); + context.put("identityProof", bpids); + +- msg = " in verifyIdentityProof"; ++ msg = " after verifyIdentityProof"; + CMS.debug(method + msg); + throw new EProfileException(CMS.getUserMessage(locale, +- "CMS_POI_VERIFICATION_ERROR")+ msg); ++ "CMS_POI_VERIFICATION_ERROR") + msg); ++ } else { ++ CMS.debug(method + "passed verifyIdentityProof; Proof of Identity successful;"); + } ++ } else { ++ msg = "not pre-signed CMC request; missing Proof of Identification control"; ++ CMS.debug(method + msg); ++ throw new EProfileException(CMS.getUserMessage(locale, ++ "CMS_POI_VERIFICATION_ERROR") + ":" + method + msg); ++ } ++ ++ if (id_cmc_decryptedPOP) { ++ if (decPopVals != null) { ++ ++ DecryptedPOP decPop = (DecryptedPOP) (ASN1Util.decode(DecryptedPOP.getTemplate(), ++ ASN1Util.encode(decPopVals.elementAt(0)))); ++ CMS.debug(method + "DecryptedPOP encoded"); ++ ++ Integer reqId = verifyDecryptedPOP(locale, decPop); ++ if (reqId != null) { 
++ context.put("cmcDecryptedPopReqId", reqId); ++ } ++ } else { //decPopVals == null ++ msg = "id_cmc_decryptedPOP contains invalid DecryptedPOP"; ++ CMS.debug(method + msg); ++ SEQUENCE bpids = getRequestBpids(reqSeq); ++ context.put("decryptedPOP", bpids); ++ } ++ ++ // decryptedPOP is expected to return null; ++ // POPLinkWitnessV2 would have to be checked in ++ // round one, if required ++ return null; + } + + if (id_cmc_idPOPLinkRandom && vals != null) { +@@ -725,61 +868,65 @@ public abstract class EnrollProfile extends BasicProfile + } + } + +- int nummsgs = reqSeq.size(); +- if (nummsgs > 0) { ++ /** ++ * in CS.cfg, cmc.popLinkWitnessRequired=true ++ * will enforce popLinkWitness (or V2); ++ */ ++ boolean popLinkWitnessRequired = false; ++ try { ++ String configName = "cmc.popLinkWitnessRequired"; ++ CMS.debug(method + "getting :" + configName); ++ popLinkWitnessRequired = CMS.getConfigStore().getBoolean(configName, false); ++ } catch (Exception e) { ++ // unlikely to get here ++ msg = method + " Failed to retrieve cmc.popLinkWitnessRequired"; ++ CMS.debug(msg); ++ throw new EProfileException(method + msg); ++ } + ++ int nummsgs = reqSeq.size(); ++ if (!popLinkWitnessRequired) { ++ CMS.debug(method + "popLinkWitnessRequired false, skip check"); ++ } else if (nummsgs > 0) { ++ CMS.debug(method + "cmc.popLinkWitnessRequired is true"); ++ CMS.debug(method + "nummsgs =" + nummsgs); + msgs = new TaggedRequest[reqSeq.size()]; + SEQUENCE bpids = new SEQUENCE(); + +- /* TODO: add this in CS.cfg later: cmc.popLinkWitnessRequired=true +- // enforce popLinkWitness (or V2) +- boolean popLinkWitnessRequired = true; +- try { +- String configName = "cmc.popLinkWitnessRequired"; +- CMS.debug(method + "getting :" + configName); +- popLinkWitnessRequired = CMS.getConfigStore().getBoolean(configName, true); +- CMS.debug(method + "cmc.popLinkWitnessRequired is " + popLinkWitnessRequired); +- } catch (Exception e) { +- // unlikely to get here +- msg = method + " Failed to 
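Review bot: The session-context key written after `verifyDecryptedPOP` is renamed from `decryptedPopReqId` to `cmcDecryptedPopReqId`, but no reader of that key is touched anywhere in this diff, so a consumer still looking up the old name will now silently receive null. Either the reader is updated in a change not shown here or the rename should be reverted; a one-line `// consumed by [reader method] — keep the key name in sync` beside `context.put("cmcDecryptedPopReqId", reqId);` would make the coupling visible. The new `else` branch that rejects a non-pre-signed request carrying no Proof of Identification control is the right fail-closed behaviour. parseCMC's body continues on both sides of this hunk.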
retrieve cmc.popLinkWitnessRequired"; +- CMS.debug(msg); +- throw new EProfileException(method + msg); +- } +-*/ +- + boolean valid = true; + for (int i = 0; i < nummsgs; i++) { + msgs[i] = (TaggedRequest) reqSeq.elementAt(i); + if (!context.containsKey("POPLinkWitnessV2") && + !context.containsKey("POPLinkWitness")) { +- if (randomSeed != null) { +- // verifyPOPLinkWitness() will determine if this is +- // POPLinkWitnessV2 or POPLinkWitness +- // If failure, context is set in verifyPOPLinkWitness +- valid = verifyPOPLinkWitness(ident_s, randomSeed, msgs[i], bpids, context); +- if (valid == false) { +- if (context.containsKey("POPLinkWitnessV2")) +- msg = " in POPLinkWitnessV2"; +- else if (context.containsKey("POPLinkWitness")) +- msg = " in POPLinkWitness"; +- else +- msg = " unspecified failure from verifyPOPLinkWitness"; +- +- CMS.debug(method + msg); +- throw new EProfileException(CMS.getUserMessage(locale, +- "MS_POP_LINK_WITNESS_VERIFICATION_ERROR")+ msg); +- } +- /* TODO: for next cmc ticket, eliminate the extra trip of parseCMC if possible, or figure a way out to bypass this on 2nd trip +- } else if (popLinkWitnessRequired == true) { +- //popLinkWitnessRequired == true, must have randomSeed +- CMS.debug(method + "popLinkWitness(V2) required; no randomSeed found"); ++ CMS.debug(method + "popLinkWitness(V2) required"); ++ if (randomSeed == null) { ++ CMS.debug(method + "no randomSeed found"); + context.put("POPLinkWitnessV2", bpids); +- return null;*/ +- } //randomSeed != null ++ return null; ++ } ++ ++ // verifyPOPLinkWitness() will determine if this is ++ // POPLinkWitnessV2 or POPLinkWitness ++ // If failure, context is set in verifyPOPLinkWitness ++ valid = verifyPOPLinkWitness(ident_s, randomSeed, msgs[i], bpids, context); ++ if (valid == false) { ++ if (context.containsKey("POPLinkWitnessV2")) ++ msg = " in POPLinkWitnessV2"; ++ else if (context.containsKey("POPLinkWitness")) ++ msg = " in POPLinkWitness"; ++ else ++ msg = " unspecified failure from 
verifyPOPLinkWitness"; ++ ++ CMS.debug(method + msg); ++ throw new EProfileException(CMS.getUserMessage(locale, ++ "CMS_POP_LINK_WITNESS_VERIFICATION_ERROR") + msg); ++ } + } +- } +- } else ++ } //for ++ } else { ++ CMS.debug(method + "nummsgs 0; returning..."); + return null; ++ } + + CMS.debug(method + "ends"); + return msgs; +@@ -1398,6 +1545,9 @@ public abstract class EnrollProfile extends BasicProfile + public void fillTaggedRequest(Locale locale, TaggedRequest tagreq, X509CertInfo info, + IRequest req) + throws EProfileException { ++ String auditMessage = null; ++ String auditSubjectID = auditSubjectID(); ++ + String method = "EnrollProfile: fillTaggedRequest: "; + CMS.debug(method + "begins"); + TaggedRequest.Type type = tagreq.getType(); +@@ -1409,16 +1559,19 @@ public abstract class EnrollProfile extends BasicProfile + } + + if (type.equals(TaggedRequest.PKCS10)) { +- CMS.debug(method + " TaggedRequest type == pkcs10"); ++ String methodPos = method + "PKCS10: "; ++ CMS.debug(methodPos + " TaggedRequest type == pkcs10"); + boolean sigver = true; + boolean tokenSwitched = false; + CryptoManager cm = null; + CryptoToken signToken = null; + CryptoToken savedToken = null; + try { ++ // for PKCS10, "sigver" would provide the POP + sigver = CMS.getConfigStore().getBoolean("ca.requestVerify.enabled", true); + cm = CryptoManager.getInstance(); + if (sigver == true) { ++ CMS.debug(methodPos + "sigver true, POP is to be verified"); + String tokenName = + CMS.getConfigStore().getString("ca.requestVerify.token", CryptoUtil.INTERNAL_TOKEN_NAME); + savedToken = cm.getThreadToken(); +@@ -1427,6 +1580,12 @@ public abstract class EnrollProfile extends BasicProfile + cm.setThreadToken(signToken); + tokenSwitched = true; + } ++ } else { ++ // normally, you would not get here, as you almost always ++ // would want to verify the PKCS10 signature when it's ++ // already there instead of taking a 2nd trip ++ CMS.debug(methodPos + "sigver false, POP is not to be verified now, but 
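Review bot: When `popLinkWitnessRequired` is false — which is the configured default in the new `getBoolean(configName, false)` — the first branch only logs and `msgs` is never populated, so control falls through to `return msgs;` and the method returns null, which createRequests treats as a parse failure (`parseCMC returns cmc_msgs null`); unless `msgs` is assigned somewhere outside this hunk, every CMC request on a default configuration would be rejected. The array should be filled regardless of the witness setting, with only the witness verification made conditional. Also, the catch around the config read builds `msg = method + " Failed to retrieve cmc.popLinkWitnessRequired"` and then throws `new EProfileException(method + msg)`, prefixing the method name twice. parseCMC begins before this hunk; the rewrite below restructures only its tail.
```java
            int nummsgs = reqSeq.size();
            if (nummsgs == 0) {
                CMS.debug(method + "nummsgs 0; returning...");
                return null;
            }
            msgs = new TaggedRequest[nummsgs];
            SEQUENCE bpids = new SEQUENCE();
            boolean valid = true;
            for (int i = 0; i < nummsgs; i++) {
                msgs[i] = (TaggedRequest) reqSeq.elementAt(i);
                if (!popLinkWitnessRequired) {
                    // keep the message; only the witness check is skipped
                    continue;
                }
                // … unchanged: POPLinkWitness(V2) verification against randomSeed …
            }
            CMS.debug(method + "ends");
            return msgs;
```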
instead will be challenged"); ++ req.setExtData("cmc_POPchallengeRequired", "true"); + } + + TaggedCertificationRequest tcr = tagreq.getTcr(); +@@ -1440,13 +1599,17 @@ public abstract class EnrollProfile extends BasicProfile + fillPKCS10(locale, pkcs10, info, req); + } catch (Exception e) { + CMS.debug(method + e); ++ // this will throw ++ popFailed(locale, auditSubjectID, auditMessage, e); + } finally { + if ((sigver == true) && (tokenSwitched == true)){ + cm.setThreadToken(savedToken); + } + } ++ CMS.debug(methodPos + "done"); + } else if (type.equals(TaggedRequest.CRMF)) { +- CMS.debug(method + " TaggedRequest type == crmf"); ++ String methodPos = method + "CRMF: "; ++ CMS.debug(methodPos + " TaggedRequest type == crmf"); + CertReqMsg crm = tagreq.getCrm(); + SessionContext context = SessionContext.getContext(); + Integer nums = (Integer) (context.get("numOfControls")); +@@ -1454,12 +1617,12 @@ public abstract class EnrollProfile extends BasicProfile + boolean verifyAllow = false; //disable RA by default + try { + String configName = "cmc.lraPopWitness.verify.allow"; +- CMS.debug(method + "getting :" + configName); ++ CMS.debug(methodPos + "getting :" + configName); + verifyAllow = CMS.getConfigStore().getBoolean(configName, false); +- CMS.debug(method + "cmc.lraPopWitness.verify.allow is " + verifyAllow); ++ CMS.debug(methodPos + "cmc.lraPopWitness.verify.allow is " + verifyAllow); + } catch (Exception e) { + // unlikely to get here +- String msg = method + " Failed to retrieve cmc.lraPopWitness.verify.allow"; ++ String msg = methodPos + " Failed to retrieve cmc.lraPopWitness.verify.allow"; + CMS.debug(msg); + throw new EProfileException(method + msg); + } +@@ -1471,23 +1634,23 @@ public abstract class EnrollProfile extends BasicProfile + parseLRAPopWitness(locale, crm, attr); + } else { + CMS.debug( +- method + " verify POP in CMC because LRA POP Witness control attribute doesnt exist in the CMC request."); ++ methodPos + " verify POP in CMC because LRA POP 
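Review bot: The new `popFailed(locale, auditSubjectID, auditMessage, e)` call sits in a `catch (Exception e)` that also wraps `fillPKCS10(...)` (and the PKCS10 construction above it, which is outside this hunk), so a malformed extension request or any other parse failure in fillPKCS10 is now reported and audited as a POP failure rather than as an invalid request. fillPKCS10 already throws `EProfileException` with `CMS_PROFILE_INVALID_REQUEST` for those cases, so let that pass through and reserve popFailed for the signature path: `} catch (EProfileException e) { throw e; } catch (Exception e) { CMS.debug(methodPos + e); popFailed(locale, auditSubjectID, auditMessage, e); }`. Note also that `auditMessage` is still null at this point (declared in the earlier hunk and never assigned); if popFailed expects a preformatted message it should be built before the call. fillTaggedRequest starts and ends outside this hunk.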
Witness control attribute doesnt exist in the CMC request."); + if (crm.hasPop()) { +- CMS.debug(method + " hasPop true"); ++ CMS.debug(methodPos + " hasPop true"); + verifyPOP(locale, crm); + } else { // no signing POP, then do it the hard way +- CMS.debug(method + "hasPop false, need to challenge"); ++ CMS.debug(methodPos + "hasPop false, need to challenge"); + req.setExtData("cmc_POPchallengeRequired", "true"); + } + } + } else { + CMS.debug( +- method + " verify POP in CMC because LRA POP Witness control attribute doesnt exist in the CMC request."); ++ methodPos + " verify POP in CMC because LRA POP Witness control attribute doesnt exist in the CMC request."); + if (crm.hasPop()) { +- CMS.debug(method + " hasPop true"); ++ CMS.debug(methodPos + " hasPop true"); + verifyPOP(locale, crm); + } else { // no signing POP, then do it the hard way +- CMS.debug(method + "hasPop false, need to challenge"); ++ CMS.debug(methodPos + "hasPop false, need to challenge"); + req.setExtData("cmc_POPchallengeRequired", "true"); + } + } +@@ -1495,10 +1658,10 @@ public abstract class EnrollProfile extends BasicProfile + } else { //!verifyAllow + + if (crm.hasPop()) { +- CMS.debug(method + " hasPop true"); ++ CMS.debug(methodPos + " hasPop true"); + verifyPOP(locale, crm); + } else { // no signing POP, then do it the hard way +- CMS.debug(method + "hasPop false, need to challenge"); ++ CMS.debug(methodPos + "hasPop false, need to challenge"); + req.setExtData("cmc_POPchallengeRequired", "true"); + } + } +@@ -1835,6 +1998,8 @@ public abstract class EnrollProfile extends BasicProfile + + public void fillPKCS10(Locale locale, PKCS10 pkcs10, X509CertInfo info, IRequest req) + throws EProfileException { ++ String method = "EnrollProfile: fillPKCS10: "; ++ CMS.debug(method + "begins"); + X509Key key = pkcs10.getSubjectPublicKeyInfo(); + + try { +@@ -1869,7 +2034,7 @@ public abstract class EnrollProfile extends BasicProfile + PKCS10Attribute p10Attr = 
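Review bot: The `if (crm.hasPop()) { verifyPOP(locale, crm); } else { req.setExtData("cmc_POPchallengeRequired", "true"); }` block in this `else` branch is now the third verbatim copy in the CRMF path (the other two are in the preceding hunk), differing only in the log prefix. The decision between verifying a signing POP and deferring to a challenge is security-relevant, so having one helper to audit is worth the extraction; each call site then becomes `verifyOrChallengePOP(locale, crm, req, methodPos);`. fillTaggedRequest starts and ends outside this hunk, so the helper would go alongside it in EnrollProfile.
```java
// … unchanged: LRA POP witness handling, each branch now calls verifyOrChallengePOP(locale, crm, req, methodPos) …
private void verifyOrChallengePOP(Locale locale, CertReqMsg crm, IRequest req, String methodPos)
        throws EProfileException {
    if (crm.hasPop()) {
        CMS.debug(methodPos + " hasPop true");
        verifyPOP(locale, crm);
    } else { // no signing POP, then do it the hard way
        CMS.debug(methodPos + "hasPop false, need to challenge");
        req.setExtData("cmc_POPchallengeRequired", "true");
    }
}
```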
p10Attrs.getAttribute(CertificateExtensions.NAME); + if (p10Attr != null && p10Attr.getAttributeId().equals( + PKCS9Attribute.EXTENSION_REQUEST_OID)) { +- CMS.debug("Found PKCS10 extension"); ++ CMS.debug(method + "Found PKCS10 extension"); + Extensions exts0 = (Extensions) + (p10Attr.getAttributeValue()); + DerOutputStream extOut = new DerOutputStream(); +@@ -1879,24 +2044,22 @@ public abstract class EnrollProfile extends BasicProfile + DerInputStream extIn = new DerInputStream(extB); + CertificateExtensions exts = new CertificateExtensions(extIn); + if (exts != null) { +- CMS.debug("Set extensions " + exts); ++ CMS.debug(method + "Set extensions " + exts); + // info.set(X509CertInfo.EXTENSIONS, exts); + req.setExtData(REQUEST_EXTENSIONS, exts); + } + } else { +- CMS.debug("PKCS10 extension Not Found"); ++ CMS.debug(method + "PKCS10 extension Not Found"); + } + } + +- CMS.debug("Finish parsePKCS10 - " + pkcs10.getSubjectName()); ++ CMS.debug(method + "Finish parsePKCS10 - " + pkcs10.getSubjectName()); + } catch (IOException e) { +- CMS.debug("EnrollProfile: Unable to fill PKCS #10: " + e); +- CMS.debug(e); ++ CMS.debug(method + "Unable to fill PKCS #10: " + e); + throw new EProfileException( + CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST"), e); + } catch (CertificateException e) { +- CMS.debug("EnrollProfile: Unable to fill PKCS #10: " + e); +- CMS.debug(e); ++ CMS.debug(method + "Unable to fill PKCS #10: " + e); + throw new EProfileException( + CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST"), e); + } +@@ -2074,8 +2237,11 @@ public abstract class EnrollProfile extends BasicProfile + + public void populate(IRequest request) + throws EProfileException { +- super.populate(request); + ++ String method = "EnrollProfile: populate: "; ++ CMS.debug(method + "begins"); ++ ++ super.populate(request); + } + + /** +@@ -2240,7 +2406,7 @@ public abstract class EnrollProfile extends BasicProfile + public void verifyPOP(Locale locale, CertReqMsg certReqMsg) + 
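Review bot: Both catch blocks drop the `CMS.debug(e)` call that used to follow the message line; that overload takes a Throwable and presumably logs the stack trace, so the trace of an `IOException`/`CertificateException` raised while parsing a client-supplied PKCS #10 would no longer appear in the debug log, which is precisely what an operator investigating malformed or hostile requests wants to see. The exception is still chained into the `EProfileException`, so nothing is lost functionally, but keeping `CMS.debug(e);` after `CMS.debug(method + "Unable to fill PKCS #10: " + e);` in both catches costs nothing. fillPKCS10 starts outside this hunk.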
throws EProfileException { + String method = "EnrollProfile: verifyPOP: "; +- CMS.debug(method + "for signing keys"); ++ CMS.debug(method + "for signing keys begins."); + + String auditMessage = null; + String auditSubjectID = auditSubjectID(); +@@ -2261,10 +2427,10 @@ public abstract class EnrollProfile extends BasicProfile + CryptoToken verifyToken = null; + String tokenName = CMS.getConfigStore().getString("ca.requestVerify.token", CryptoUtil.INTERNAL_TOKEN_NAME); + if (CryptoUtil.isInternalToken(tokenName)) { +- CMS.debug("POP verification using internal token"); ++ CMS.debug(method + "POP verification using internal token"); + certReqMsg.verify(); + } else { +- CMS.debug("POP verification using token:" + tokenName); ++ CMS.debug(method + "POP verification using token:" + tokenName); + verifyToken = CryptoUtil.getCryptoToken(tokenName); + certReqMsg.verify(verifyToken); + } +@@ -2279,7 +2445,7 @@ public abstract class EnrollProfile extends BasicProfile + CMS.debug(method + "Unable to verify POP: " + e); + popFailed(locale, auditSubjectID, auditMessage, e); + } +- CMS.debug(method + "ends."); ++ CMS.debug(method + "done."); + } + + private void popFailed(Locale locale, String auditSubjectID, String auditMessage) +diff --git a/base/server/cms/src/com/netscape/cms/profile/constraint/CMCUserSignedSubjectNameConstraint.java b/base/server/cms/src/com/netscape/cms/profile/constraint/CMCUserSignedSubjectNameConstraint.java +new file mode 100644 +index 0000000..c71b670 +--- /dev/null ++++ b/base/server/cms/src/com/netscape/cms/profile/constraint/CMCUserSignedSubjectNameConstraint.java +@@ -0,0 +1,141 @@ ++// --- BEGIN COPYRIGHT BLOCK --- ++// This program is free software; you can redistribute it and/or modify ++// it under the terms of the GNU General Public License as published by ++// the Free Software Foundation; version 2 of the License. 
++// ++// This program is distributed in the hope that it will be useful, ++// but WITHOUT ANY WARRANTY; without even the implied warranty of ++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++// GNU General Public License for more details. ++// ++// You should have received a copy of the GNU General Public License along ++// with this program; if not, write to the Free Software Foundation, Inc., ++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. ++// ++// (C) 2013 Red Hat, Inc. ++// All rights reserved. ++// --- END COPYRIGHT BLOCK --- ++package com.netscape.cms.profile.constraint; ++ ++import java.util.Locale; ++ ++import com.netscape.certsrv.apps.CMS; ++import com.netscape.certsrv.authentication.IAuthManager; ++import com.netscape.certsrv.base.IConfigStore; ++import com.netscape.certsrv.profile.EProfileException; ++import com.netscape.certsrv.profile.ERejectException; ++import com.netscape.certsrv.profile.IPolicyDefault; ++import com.netscape.certsrv.profile.IProfile; ++import com.netscape.certsrv.property.IDescriptor; ++import com.netscape.certsrv.request.IRequest; ++import com.netscape.cms.profile.common.EnrollProfile; ++import com.netscape.cms.profile.def.CMCUserSignedSubjectNameDefault; ++ ++import netscape.security.x509.CertificateSubjectName; ++import netscape.security.x509.X500Name; ++import netscape.security.x509.X509CertInfo; ++ ++/** ++ * This class implements the user subject name constraint for user-signed cmc requests. 
++ * It makes sure the signing cert's subjectDN and the rsulting cert match ++ * ++ * @author cfu ++ * @version $Revision$, $Date$ ++ */ ++public class CMCUserSignedSubjectNameConstraint extends EnrollConstraint { ++ ++ public CMCUserSignedSubjectNameConstraint() { ++ } ++ ++ public void init(IProfile profile, IConfigStore config) ++ throws EProfileException { ++ super.init(profile, config); ++ } ++ ++ public IDescriptor getConfigDescriptor(Locale locale, String name) { ++ return null; ++ } ++ ++ public String getDefaultConfig(String name) { ++ return null; ++ } ++ ++ /** ++ * Validates the request. The request is not modified ++ * during the validation. User encoded subject name ++ * is copied into the certificate template. ++ */ ++ public void validate(IRequest request, X509CertInfo info) ++ throws ERejectException { ++ String method = "CMCUserSignedSubjectNameConstraint: "; ++ String msg = ""; ++ ++ CMS.debug(method + "validate start"); ++ CertificateSubjectName infoCertSN = null; ++ CertificateSubjectName authTokenCertSN = null; ++ ++ ++ try { ++ infoCertSN = (CertificateSubjectName) info.get(X509CertInfo.SUBJECT); ++ if (infoCertSN == null) { ++ msg = method + "infoCertSN null"; ++ CMS.debug(msg); ++ throw new Exception(msg); ++ } ++ CMS.debug(method + "validate user subject ="+ ++ infoCertSN.toString()); ++ String certSerial = request.getExtDataInString(IAuthManager.CRED_CMC_SIGNING_CERT); ++ if (certSerial == null) { ++ msg = method + "certSerial null"; ++ CMS.debug(msg); ++ throw new Exception(msg); ++ } ++ authTokenCertSN = ++ EnrollProfile.getCMCSigningCertSNfromCertSerial(certSerial); ++ if (authTokenCertSN == null) { ++ msg = method + "authTokenCertSN null"; ++ CMS.debug(msg); ++ throw new Exception(msg); ++ } ++ X500Name infoCertName = (X500Name) infoCertSN.get(CertificateSubjectName.DN_NAME); ++ if (infoCertName == null) { ++ msg = method + "infoCertName null"; ++ CMS.debug(msg); ++ throw new Exception(msg); ++ } ++ X500Name authTokenCertName = 
(X500Name) authTokenCertSN.get(CertificateSubjectName.DN_NAME); ++ if (authTokenCertName == null) { ++ msg = method + "authTokenCertName null"; ++ CMS.debug(msg); ++ throw new Exception(msg); ++ } ++ if (infoCertName.equals(authTokenCertName)) { ++ CMS.debug(method + "names match"); ++ } else { ++ msg = method + "names do not match"; ++ CMS.debug(msg); ++ throw new Exception(msg); ++ } ++ ++ } catch (Exception e) { ++ throw new ERejectException( ++ CMS.getUserMessage(getLocale(request), ++ "CMS_PROFILE_SUBJECT_NAME_NOT_MATCHED") + e); ++ } ++ } ++ ++ public String getText(Locale locale) { ++ return CMS.getUserMessage(locale, ++ "CMS_PROFILE_CONSTRAINT_CMC_USER_SIGNED_SUBJECT_NAME_TEXT"); ++ } ++ ++ public boolean isApplicable(IPolicyDefault def) { ++ String method = "CMCUserSignedSubjectNameConstraint: isApplicable: "; ++ if (def instanceof CMCUserSignedSubjectNameDefault) { ++ CMS.debug(method + "true"); ++ return true; ++ } ++ CMS.debug(method + "false"); ++ return false; ++ } ++} +diff --git a/base/server/cms/src/com/netscape/cms/profile/def/CMCUserSignedSubjectNameDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/CMCUserSignedSubjectNameDefault.java +new file mode 100644 +index 0000000..a0816ea +--- /dev/null ++++ b/base/server/cms/src/com/netscape/cms/profile/def/CMCUserSignedSubjectNameDefault.java +@@ -0,0 +1,159 @@ ++// --- BEGIN COPYRIGHT BLOCK --- ++// This program is free software; you can redistribute it and/or modify ++// it under the terms of the GNU General Public License as published by ++// the Free Software Foundation; version 2 of the License. ++// ++// This program is distributed in the hope that it will be useful, ++// but WITHOUT ANY WARRANTY; without even the implied warranty of ++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++// GNU General Public License for more details. 
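Review bot: `validate` rejects with `CMS.getUserMessage(..., "CMS_PROFILE_SUBJECT_NAME_NOT_MATCHED") + e`, which appends the internal exception text (class and method name, `certSerial null`, etc.) to a message that goes back to the requester; that detail is already in the debug log via `CMS.debug(msg)`, so the catch should be `CMS.debug(method + "validate failed: " + e); throw new ERejectException(CMS.getUserMessage(getLocale(request), "CMS_PROFILE_SUBJECT_NAME_NOT_MATCHED"));`. The javadoc on validate was carried over from another constraint: it says "User encoded subject name is copied into the certificate template", but this method only compares `info`'s subject with the subject of the cert identified by `CRED_CMC_SIGNING_CERT` and never writes `info`; I would replace that sentence with `Rejects the request unless the subject DN in the certificate template equals the subject DN of the CMC signing certificate recorded in the request.` and fix "rsulting" in the class comment. The DN equality check itself is the right one; note only that `certSerial` is guarded against null but not against the empty string, which is what the servlet writes when it clears a stale value, so `""` reaches `getCMCSigningCertSNfromCertSerial`.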
++// ++// You should have received a copy of the GNU General Public License along ++// with this program; if not, write to the Free Software Foundation, Inc., ++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. ++// ++// (C) 2007 Red Hat, Inc. ++// All rights reserved. ++// --- END COPYRIGHT BLOCK --- ++package com.netscape.cms.profile.def; ++ ++import java.io.IOException; ++import java.util.Locale; ++ ++import com.netscape.certsrv.apps.CMS; ++import com.netscape.certsrv.authentication.IAuthManager; ++import com.netscape.certsrv.base.IConfigStore; ++import com.netscape.certsrv.profile.EProfileException; ++import com.netscape.certsrv.profile.IEnrollProfile; ++import com.netscape.certsrv.profile.IProfile; ++import com.netscape.certsrv.property.Descriptor; ++import com.netscape.certsrv.property.EPropertyException; ++import com.netscape.certsrv.property.IDescriptor; ++import com.netscape.certsrv.request.IRequest; ++import com.netscape.cms.profile.common.EnrollProfile; ++ ++import netscape.security.x509.CertificateSubjectName; ++import netscape.security.x509.X500Name; ++import netscape.security.x509.X509CertInfo; ++ ++/** ++ * This class implements an enrollment default policy ++ * that populates a CMC signing user's subject name ++ * into the certificate template. 
++ * ++ * @author cfu ++ * @version $Revision$, $Date$ ++ */ ++public class CMCUserSignedSubjectNameDefault extends EnrollDefault { ++ ++ public static final String VAL_NAME = "name"; ++ ++ public CMCUserSignedSubjectNameDefault() { ++ super(); ++ addValueName(VAL_NAME); ++ } ++ ++ public void init(IProfile profile, IConfigStore config) ++ throws EProfileException { ++ super.init(profile, config); ++ } ++ ++ public IDescriptor getValueDescriptor(Locale locale, String name) { ++ if (name.equals(VAL_NAME)) { ++ return new Descriptor(IDescriptor.STRING, null, null, ++ CMS.getUserMessage(locale, "CMS_PROFILE_SUBJECT_NAME")); ++ } else { ++ return null; ++ } ++ } ++ ++ public void setValue(String name, Locale locale, ++ X509CertInfo info, String value) ++ throws EPropertyException { ++ if (name == null) { ++ throw new EPropertyException(CMS.getUserMessage( ++ locale, "CMS_INVALID_PROPERTY", name)); ++ } ++ if (name.equals(VAL_NAME)) { ++ X500Name x500name = null; ++ ++ try { ++ x500name = new X500Name(value); ++ } catch (IOException e) { ++ CMS.debug(e.toString()); ++ // failed to build x500 name ++ } ++ CMS.debug("SubjectNameDefault: setValue name=" + x500name); ++ try { ++ info.set(X509CertInfo.SUBJECT, ++ new CertificateSubjectName(x500name)); ++ } catch (Exception e) { ++ // failed to insert subject name ++ CMS.debug("CMCUserSignedSubjectNameDefault: setValue " + e.toString()); ++ throw new EPropertyException(CMS.getUserMessage( ++ locale, "CMS_INVALID_PROPERTY", name)); ++ } ++ } else { ++ throw new EPropertyException(CMS.getUserMessage( ++ locale, "CMS_INVALID_PROPERTY", name)); ++ } ++ } ++ ++ public String getValue(String name, Locale locale, ++ X509CertInfo info) ++ throws EPropertyException { ++ if (name == null) { ++ throw new EPropertyException(CMS.getUserMessage( ++ locale, "CMS_INVALID_PROPERTY", name)); ++ } ++ if (name.equals(VAL_NAME)) { ++ CertificateSubjectName sn = null; ++ ++ try { ++ sn = (CertificateSubjectName) ++ info.get(X509CertInfo.SUBJECT); 
++ return sn.toString(); ++ } catch (Exception e) { ++ // nothing ++ } ++ throw new EPropertyException(CMS.getUserMessage( ++ locale, "CMS_INVALID_PROPERTY", name)); ++ } else { ++ throw new EPropertyException(CMS.getUserMessage( ++ locale, "CMS_INVALID_PROPERTY", name)); ++ } ++ } ++ ++ public String getText(Locale locale) { ++ return CMS.getUserMessage(locale, "CMS_PROFILE_DEF_CMC_USER_SIGNED_SUBJECT_NAME"); ++ } ++ ++ /** ++ * Populates the request with this policy default. ++ */ ++ public void populate(IRequest request, X509CertInfo info) ++ throws EProfileException { ++ String method = "CMCUserSignedSubjectNameDefault: populate: "; ++ String msg = ""; ++ CMS.debug(method + "begins"); ++ ++ String signingUserSerial = request.getExtDataInString(IAuthManager.CRED_CMC_SIGNING_CERT); ++ if (info == null) { ++ msg = method + "info null"; ++ CMS.debug(msg); ++ throw new EProfileException(msg); ++ } ++ ++ CertificateSubjectName certSN = null; ++ try { ++ certSN = EnrollProfile.getCMCSigningCertSNfromCertSerial(signingUserSerial); ++ info.set(X509CertInfo.SUBJECT, certSN); ++ CMS.debug(method + "subjectDN set in X509CertInfo"); ++ } catch (Exception e) { ++ msg = method + "exception thrown:" + e; ++ throw new EProfileException(e.toString()); ++ } ++ request.setExtData(IEnrollProfile.REQUEST_CERTINFO, info); ++ CMS.debug(method + "ends"); ++ } ++} +diff --git a/base/server/cms/src/com/netscape/cms/profile/def/EnrollDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/EnrollDefault.java +index 00d669e..1d5bfc4 100644 +--- a/base/server/cms/src/com/netscape/cms/profile/def/EnrollDefault.java ++++ b/base/server/cms/src/com/netscape/cms/profile/def/EnrollDefault.java +@@ -214,17 +214,18 @@ public abstract class EnrollDefault implements IPolicyDefault, ICertInfoPolicyDe + */ + public void populate(IRequest request) + throws EProfileException { ++ String method = "EnrollDefault: populate: "; + String name = getClass().getName(); + + name = 
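Review bot: In `setValue`, the `catch (IOException e)` only logs, so when `value` is not a parseable DN `x500name` stays null and `new CertificateSubjectName(x500name)` is installed into `info` (unless that constructor rejects null, which this hunk does not show); for a default whose purpose is to pin the subject to the signing cert, a bad value should fail loudly: `} catch (IOException e) { CMS.debug("CMCUserSignedSubjectNameDefault: setValue " + e); throw new EPropertyException(CMS.getUserMessage(locale, "CMS_INVALID_PROPERTY", name)); }`. In `populate`, `msg` is assembled in the catch but never logged or thrown, and `signingUserSerial` is passed to `getCMCSigningCertSNfromCertSerial` without a null check; `if (signingUserSerial == null) { msg = method + "no CMC signing cert in request"; CMS.debug(msg); throw new EProfileException(msg); }` before the try, and `CMS.debug(msg); throw new EProfileException(msg);` in the catch, make the failure attributable in the log. The log prefix `SubjectNameDefault: setValue name=` is left over from the class this was copied from and should name this class.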
name.substring(name.lastIndexOf('.') + 1); +- CMS.debug(name + ": populate start"); ++ CMS.debug(method + name + ": start"); + X509CertInfo info = + request.getExtDataInCertInfo(IEnrollProfile.REQUEST_CERTINFO); + + populate(request, info); + + request.setExtData(IEnrollProfile.REQUEST_CERTINFO, info); +- CMS.debug(name + ": populate end"); ++ CMS.debug(method + name + ": end"); + } + + public void addValueName(String name) { +diff --git a/base/server/cms/src/com/netscape/cms/profile/input/CMCCertReqInput.java b/base/server/cms/src/com/netscape/cms/profile/input/CMCCertReqInput.java +index a62d6e9..0a9cae1 100644 +--- a/base/server/cms/src/com/netscape/cms/profile/input/CMCCertReqInput.java ++++ b/base/server/cms/src/com/netscape/cms/profile/input/CMCCertReqInput.java +@@ -21,6 +21,8 @@ import java.util.Locale; + + import netscape.security.x509.X509CertInfo; + ++import org.mozilla.jss.asn1.SEQUENCE; ++import org.mozilla.jss.pkix.cmc.PKIData; + import org.mozilla.jss.pkix.cmc.TaggedRequest; + + import com.netscape.certsrv.apps.CMS; +@@ -85,19 +87,32 @@ public class CMCCertReqInput extends EnrollInput implements IProfileInput { + */ + public void populate(IProfileContext ctx, IRequest request) + throws EProfileException { ++ String method = "CMCCertReqInput: populate: "; ++ CMS.debug(method + "begins"); ++ + String cert_request = ctx.get(VAL_CERT_REQUEST); + X509CertInfo info = + request.getExtDataInCertInfo(EnrollProfile.REQUEST_CERTINFO); + + if (cert_request == null) { +- CMS.debug("CMCCertReqInput: populate - invalid certificate request"); ++ CMS.debug(method + "invalid certificate request"); + throw new EProfileException(CMS.getUserMessage( + getLocale(request), "CMS_PROFILE_NO_CERT_REQ")); + } +- TaggedRequest msgs[] = mEnrollProfile.parseCMC(getLocale(request), cert_request); ++ // cfu: getPKIDataFromCMCblob() is extracted from parseCMC ++ // so it's less confusing ++ //TaggedRequest msgs[] = mEnrollProfile.parseCMC(getLocale(request), cert_request); ++ 
PKIData pkiData = mEnrollProfile.getPKIDataFromCMCblob(getLocale(request), cert_request); ++ SEQUENCE reqSeq = pkiData.getReqSequence(); ++ int nummsgs = reqSeq.size(); // for now we only handle one anyways ++ CMS.debug(method + "pkiData.getReqSequence() called; nummsgs =" + nummsgs); ++ TaggedRequest[] msgs = new TaggedRequest[reqSeq.size()]; ++ for (int i = 0; i < nummsgs; i++) { ++ msgs[i] = (TaggedRequest) reqSeq.elementAt(i); ++ } + + if (msgs == null) { +- CMS.debug("CMCCertReqInput: populate - parseCMC returns null TaggedRequest msgs"); ++ CMS.debug(method + "TaggedRequest msgs null after getPKIDataFromCMCblob"); + return; + } + // This profile only handle the first request in CRMF +diff --git a/base/server/cms/src/com/netscape/cms/profile/input/CertReqInput.java b/base/server/cms/src/com/netscape/cms/profile/input/CertReqInput.java +index e67f5b5..fabd2aa 100644 +--- a/base/server/cms/src/com/netscape/cms/profile/input/CertReqInput.java ++++ b/base/server/cms/src/com/netscape/cms/profile/input/CertReqInput.java +@@ -19,10 +19,8 @@ package com.netscape.cms.profile.input; + + import java.util.Locale; + +-import netscape.security.pkcs.PKCS10; +-import netscape.security.util.DerInputStream; +-import netscape.security.x509.X509CertInfo; +- ++import org.mozilla.jss.asn1.SEQUENCE; ++import org.mozilla.jss.pkix.cmc.PKIData; + import org.mozilla.jss.pkix.cmc.TaggedRequest; + import org.mozilla.jss.pkix.crmf.CertReqMsg; + +@@ -37,6 +35,10 @@ import com.netscape.certsrv.property.IDescriptor; + import com.netscape.certsrv.request.IRequest; + import com.netscape.cms.profile.common.EnrollProfile; + ++import netscape.security.pkcs.PKCS10; ++import netscape.security.util.DerInputStream; ++import netscape.security.x509.X509CertInfo; ++ + /** + * This class implements the certificate request input. 
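Review bot: The `if (msgs == null)` check that follows the new copy loop is now unreachable, because `msgs` is always a freshly allocated array, while the case the old `parseCMC` result guarded against — no usable request — is now either a null `pkiData` or an empty `reqSeq`, neither of which is checked before the `msgs[0]` access that the trailing comment announces (outside this hunk). Replace the dead check with `if (pkiData == null || nummsgs == 0) { CMS.debug(method + "no TaggedRequest in PKIData"); return; }`, which preserves the original silent-return behaviour. Whether `getPKIDataFromCMCblob` can return null or throws on a bad blob is not visible here; if it throws, only the `nummsgs == 0` half is needed.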
+ * This input populates 2 main fields to the enrollment page: +@@ -89,13 +91,16 @@ public class CertReqInput extends EnrollInput implements IProfileInput { + */ + public void populate(IProfileContext ctx, IRequest request) + throws EProfileException { ++ String method = "CertReqInput: populate: "; ++ CMS.debug(method + "begins"); ++ + String cert_request_type = ctx.get(VAL_CERT_REQUEST_TYPE); + String cert_request = ctx.get(VAL_CERT_REQUEST); + X509CertInfo info = + request.getExtDataInCertInfo(EnrollProfile.REQUEST_CERTINFO); + + if (cert_request_type == null) { +- CMS.debug("CertReqInput: populate - invalid cert request type " + ++ CMS.debug(method + "invalid cert request type " + + ""); + throw new EProfileException( + CMS.getUserMessage(getLocale(request), +@@ -103,12 +108,14 @@ public class CertReqInput extends EnrollInput implements IProfileInput { + "")); + } + if (cert_request == null) { +- CMS.debug("CertReqInput: populate - invalid certificate request"); ++ CMS.debug(method + "invalid certificate request"); + throw new EProfileException(CMS.getUserMessage( + getLocale(request), "CMS_PROFILE_NO_CERT_REQ")); + } + + if (cert_request_type.equals(EnrollProfile.REQ_TYPE_PKCS10)) { ++ CMS.debug(method + "cert_request_type= REQ_TYPE_PKCS10"); ++ + PKCS10 pkcs10 = mEnrollProfile.parsePKCS10(getLocale(request), cert_request); + + if (pkcs10 == null) { +@@ -118,6 +125,7 @@ public class CertReqInput extends EnrollInput implements IProfileInput { + + mEnrollProfile.fillPKCS10(getLocale(request), pkcs10, info, request); + } else if (cert_request_type.startsWith(EnrollProfile.REQ_TYPE_KEYGEN)) { ++ CMS.debug(method + "cert_request_type= REQ_TYPE_KEYGEN"); + DerInputStream keygen = mEnrollProfile.parseKeyGen(getLocale(request), cert_request); + + if (keygen == null) { +@@ -127,6 +135,7 @@ public class CertReqInput extends EnrollInput implements IProfileInput { + + mEnrollProfile.fillKeyGen(getLocale(request), keygen, info, request); + } else if 
(cert_request_type.startsWith(EnrollProfile.REQ_TYPE_CRMF)) { ++ CMS.debug(method + "cert_request_type= REQ_TYPE_CRMF"); + CertReqMsg msgs[] = mEnrollProfile.parseCRMF(getLocale(request), cert_request); + + if (msgs == null) { +@@ -142,7 +151,18 @@ public class CertReqInput extends EnrollInput implements IProfileInput { + mEnrollProfile.fillCertReqMsg(getLocale(request), msgs[seqNum.intValue()], info, request + ); + } else if (cert_request_type.startsWith(EnrollProfile.REQ_TYPE_CMC)) { +- TaggedRequest msgs[] = mEnrollProfile.parseCMC(getLocale(request), cert_request); ++ CMS.debug(method + "cert_request_type= REQ_TYPE_CMC"); ++ // cfu: getPKIDataFromCMCblob() is extracted from parseCMC ++ // so it's less confusing ++ //TaggedRequest msgs[] = mEnrollProfile.parseCMC(getLocale(request), cert_request); ++ PKIData pkiData = mEnrollProfile.getPKIDataFromCMCblob(getLocale(request), cert_request); ++ SEQUENCE reqSeq = pkiData.getReqSequence(); ++ int nummsgs = reqSeq.size(); // for now we only handle one anyways ++ CMS.debug(method + "pkiData.getReqSequence() called; nummsgs =" + nummsgs); ++ TaggedRequest[] msgs = new TaggedRequest[reqSeq.size()]; ++ for (int i = 0; i < nummsgs; i++) { ++ msgs[i] = (TaggedRequest) reqSeq.elementAt(i); ++ } + + if (msgs == null) { + throw new EProfileException(CMS.getUserMessage( +@@ -159,7 +179,7 @@ public class CertReqInput extends EnrollInput implements IProfileInput { + mEnrollProfile.fillTaggedRequest(getLocale(request), msgs[seqNum.intValue()], info, request); + } else { + // error +- CMS.debug("CertReqInput: populate - invalid cert request type " + ++ CMS.debug(method + "invalid cert request type " + + cert_request_type); + throw new EProfileException( + CMS.getUserMessage(getLocale(request), +diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java +index 26ca2a4..1e128d0 100644 +--- 
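Review bot: As in CMCCertReqInput, `msgs` is never null after this hunk, so the `if (msgs == null) throw ...` that follows is unreachable, and an empty `reqSeq` (`nummsgs == 0`) is not rejected before the `msgs[seqNum.intValue()]` access later in the method; change the guard to `if (pkiData == null || nummsgs == 0) {` so the existing `CMS_PROFILE_NO_CERT_REQ` error path is actually taken. The eight lines from `getPKIDataFromCMCblob` through the copy loop are now duplicated verbatim in both inputs; a helper on `EnrollProfile` such as `TaggedRequest[] getTaggedRequestsFromCMCblob(Locale locale, String blob)` would keep them in step. The enclosing populate method starts and ends outside this hunk.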
a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java +@@ -39,6 +39,7 @@ import org.mozilla.jss.pkix.cmc.OtherInfo; + import org.mozilla.jss.pkix.cmc.TaggedAttribute; + + import com.netscape.certsrv.apps.CMS; ++import com.netscape.certsrv.authentication.IAuthManager; + import com.netscape.certsrv.authentication.IAuthToken; + import com.netscape.certsrv.authorization.AuthzToken; + import com.netscape.certsrv.base.EBaseException; +@@ -443,6 +444,18 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { + /////////////////////////////////////////////// + // create request + /////////////////////////////////////////////// ++ String tmpCertSerialS = ctx.get(IAuthManager.CRED_CMC_SIGNING_CERT); ++ if (tmpCertSerialS != null) { ++ // unlikely to happenm, but do this just in case ++ CMS.debug("ProfileSubmitCMCServlet: found existing CRED_CMC_SIGNING_CERT in ctx for CMCUserSignedAuth:" + tmpCertSerialS); ++ CMS.debug("ProfileSubmitCMCServlet: null it out"); ++ ctx.set(IAuthManager.CRED_CMC_SIGNING_CERT, ""); ++ } ++ String signingCertSerialS = (String) authToken.get(IAuthManager.CRED_CMC_SIGNING_CERT); ++ if (signingCertSerialS != null) { ++ CMS.debug("ProfileSubmitCMCServlet: setting CRED_CMC_SIGNING_CERT in ctx for CMCUserSignedAuth"); ++ ctx.set(IAuthManager.CRED_CMC_SIGNING_CERT, signingCertSerialS); ++ } + try { + reqs = profile.createRequests(ctx, locale); + } catch (EProfileException e) { +@@ -512,7 +525,7 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { + IRequest provedReq = null; + if (reqs == null) { + // handling DecryptedPOP request here +- Integer reqID = (Integer) context.get("decryptedPopReqId"); ++ Integer reqID = (Integer) context.get("cmcDecryptedPopReqId"); + provedReq = profile.getRequestQueue().findRequest(new RequestId(reqID.toString())); + if (provedReq == null) { + +@@ -568,6 +581,19 @@ public class 
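Review bot: Forcing `CRED_CMC_SIGNING_CERT` in `ctx` to the value taken from `authToken` is what makes the serial trustworthy downstream, but the comment `unlikely to happenm, but do this just in case` undersells why it matters: if `ctx` can carry caller-supplied parameters, a requester could otherwise name an arbitrary signing cert and have `CMCUserSignedSubjectNameDefault` issue a certificate bearing that cert's subject. I would replace the comment with `// CRED_CMC_SIGNING_CERT must come only from the authenticated token; drop any value already in ctx so a caller cannot choose the signing cert (and the subject derived from it)` and fix the typo. Also, "null it out" writes `""` rather than removing the key, so when `authToken` carries no signing cert the empty string is what the constraint sees, and its guard is `certSerial == null` only; either leave the key unset where the API allows removal, or have the consumer treat empty as absent.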
ProfileSubmitCMCServlet extends ProfileServlet { + } + } + } ++ ++ tmpCertSerialS = reqs[k].getExtDataInString(IAuthManager.CRED_CMC_SIGNING_CERT); ++ if (tmpCertSerialS != null) { ++ // unlikely to happenm, but do this just in case ++ CMS.debug("ProfileSubmitCMCServlet: found existing CRED_CMC_SIGNING_CERT in request for CMCUserSignedAuth:" + tmpCertSerialS); ++ CMS.debug("ProfileSubmitCMCServlet: null it out"); ++ reqs[k].setExtData(IAuthManager.CRED_CMC_SIGNING_CERT, ""); ++ } ++ // put CMCUserSignedAuth authToken in request ++ if (signingCertSerialS != null) { ++ CMS.debug("ProfileSubmitCMCServlet: setting CRED_CMC_SIGNING_CERT in request for CMCUserSignedAuth"); ++ reqs[k].setExtData(IAuthManager.CRED_CMC_SIGNING_CERT, signingCertSerialS); ++ } + } + + // put profile framework parameters into the request +diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties +index 7572db4..d3ac06a 100644 +--- a/base/server/cmsbundle/src/LogMessages.properties ++++ b/base/server/cmsbundle/src/LogMessages.properties +@@ -2235,6 +2235,7 @@ LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE_3=:[AuditEvent=CMC_SIGNED_REQUEST_SIG_VERIFY][SubjectID={0}][Outcome={1}][ReqType={2}][CertSubject={3}][SignerInfo={4}] agent pre-approved CMC request signature verification ++LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY_5=:[AuditEvent=CMC_USER_SIGNED_REQUEST_SIG_VERIFY][SubjectID={0}][Outcome={1}][ReqType={2}][CertSubject={3}][SignerInfo={4}] User signed CMC request signature verification + + # LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST + # - used for TPS to TKS to get random challenge data +diff --git a/base/server/cmsbundle/src/UserMessages.properties b/base/server/cmsbundle/src/UserMessages.properties +index bf96f90..ff56465 100644 +--- a/base/server/cmsbundle/src/UserMessages.properties ++++ b/base/server/cmsbundle/src/UserMessages.properties +@@ -951,6 +951,7 @@ 
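Review bot: A new signed-audit event `CMC_USER_SIGNED_REQUEST_SIG_VERIFY` is only useful if it is actually emitted and selected; the message format is defined here, but nothing in this patch shows the event being added to the logger's event list (for example the SignedAudit `events` configuration, if this deployment filters by name), so if that list is explicit the user-signed verification would never reach the audit log. Worth confirming where the event is registered, since the point of this feature is an auditable signature check on user-signed CMC requests. The `[Outcome={1}]`/`[SignerInfo={4}]` placeholders mirror the agent-signed event above, which keeps the two parseable by the same tooling.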
CMS_PROFILE_CONSTRAINT_SIGNING_ALG_TEXT=This constraint accepts only the Signing + CMS_PROFILE_CONSTRAINT_SUBJECT_NAME_TEXT=This constraint accepts the subject name that matches {0} + CMS_PROFILE_CONSTRAINT_UNIQUE_SUBJECT_NAME_TEXT=This constraint accepts unique subject name only + CMS_PROFILE_CONSTRAINT_USER_SUBJECT_NAME_TEXT=This constraint accepts user subject name only ++CMS_PROFILE_CONSTRAINT_CMC_USER_SIGNED_SUBJECT_NAME_TEXT=This constraint accepts user subject name of the CMC request siging cert only + CMS_PROFILE_CONSTRAINT_VALIDITY_TEXT=This constraint rejects the validity that is not between {0} days. + CMS_PROFILE_CONSTRAINT_RENEWAL_GRACE_PERIOD_TEXT=This constraint rejects the renewal requests that are outside of the grace period {0} + CMS_PROFILE_CONSTRAINT_VALIDITY_RENEWAL_TEXT=This constraint rejects the validity that is not between {0} days. If renewal, grace period is {1} days before and {2} days after the expiration date of the original certificate. +@@ -994,6 +995,7 @@ CMS_PROFILE_DEF_USER_KEY=This default populates a User-Supplied Certificate Key + CMS_PROFILE_DEF_USER_SIGNING_ALGORITHM=This default populates a User-Supplied Certificate Signing Algorithm to the request. + CMS_PROFILE_DEF_AUTHZ_REALM=This default populates an authorization realm. + CMS_PROFILE_DEF_USER_SUBJECT_NAME=This default populates a User-Supplied Certificate Subject Name to the request. ++CMS_PROFILE_DEF_CMC_USER_SIGNED_SUBJECT_NAME=This default populates a User-Supplied Certificate Subject Name to the request. + CMS_PROFILE_DEF_USER_VALIDITY=This default populates a User-Supplied Certificate Validity to the request. + CMS_PROFILE_DEF_VALIDITY=This default populates a Certificate Validity to the request. 
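Review bot: The new `CMS_PROFILE_CONSTRAINT_CMC_USER_SIGNED_SUBJECT_NAME_TEXT` string has a typo, `siging`, in a user-facing message, and its phrasing does not say what the constraint checks; `This constraint accepts only a subject name that matches the subject name of the CMC request signing certificate` describes the equality check the constraint actually performs.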
The default values are Range={0} in days + CMS_PROFILE_CERTIFICATE_POLICIES_ID=Certificate Policies ID +-- +1.8.3.1 + + +From f31ad87440332845e7e5a1d6ea1f092fefd9eef1 Mon Sep 17 00:00:00 2001 +From: Christina Fu +Date: Fri, 28 Apr 2017 20:05:44 -0700 +Subject: [PATCH 46/49] Ticket #2617 added the new caFullCMCUserSignedCert + profile in CS.cfg + +--- + base/ca/shared/conf/CS.cfg | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg +index b29802c..078abee 100644 +--- a/base/ca/shared/conf/CS.cfg ++++ b/base/ca/shared/conf/CS.cfg +@@ -970,7 +970,7 @@ oidmap.pse.oid=2.16.840.1.113730.1.18 + oidmap.subject_info_access.class=netscape.security.extensions.SubjectInfoAccessExtension + oidmap.subject_info_access.oid=1.3.6.1.5.5.7.1.11 + os.userid=nobody +-profile.list=caUserCert,caECUserCert,caUserSMIMEcapCert,caDualCert,caDirBasedDualCert,caECDualCert,AdminCert,caSignedLogCert,caTPSCert,caRARouterCert,caRouterCert,caServerCert,caSubsystemCert,caOtherCert,caCACert,caCrossSignedCACert,caInstallCACert,caRACert,caOCSPCert,caStorageCert,caTransportCert,caDirPinUserCert,caDirUserCert,caECDirUserCert,caAgentServerCert,caAgentFileSigning,caCMCUserCert,caFullCMCUserCert,caSimpleCMCUserCert,caTokenDeviceKeyEnrollment,caTokenUserEncryptionKeyEnrollment,caTokenUserSigningKeyEnrollment,caTempTokenDeviceKeyEnrollment,caTempTokenUserEncryptionKeyEnrollment,caTempTokenUserSigningKeyEnrollment,caAdminCert,caInternalAuthServerCert,caInternalAuthTransportCert,caInternalAuthDRMstorageCert,caInternalAuthSubsystemCert,caInternalAuthOCSPCert,caInternalAuthAuditSigningCert,DomainController,caDualRAuserCert,caRAagentCert,caRAserverCert,caUUIDdeviceCert,caSSLClientSelfRenewal,caDirUserRenewal,caManualRenewal,caTokenMSLoginEnrollment,caTokenUserSigningKeyRenewal,caTokenUserEncryptionKeyRenewal,caTokenUserAuthKeyRenewal,caJarSigningCert,caIPAserviceCert,caEncUserCert,caSigningUserCert,caSigningECUserCert,caEncECUserCert,caTok
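Review bot: `CMS_PROFILE_DEF_CMC_USER_SIGNED_SUBJECT_NAME` is a copy of the `USER_SUBJECT_NAME` text, "populates a User-Supplied Certificate Subject Name", which is the opposite of what this default does — it takes the subject from the CMC signing certificate rather than from the requester. Since this text is what an agent reads when choosing the default in a profile, it should say so: `This default populates the Subject Name of the CMC request signing certificate to the request.`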
enUserDelegateAuthKeyEnrollment,caTokenUserDelegateSigningKeyEnrollment ++profile.list=caUserCert,caECUserCert,caUserSMIMEcapCert,caDualCert,caDirBasedDualCert,caECDualCert,AdminCert,caSignedLogCert,caTPSCert,caRARouterCert,caRouterCert,caServerCert,caSubsystemCert,caOtherCert,caCACert,caCrossSignedCACert,caInstallCACert,caRACert,caOCSPCert,caStorageCert,caTransportCert,caDirPinUserCert,caDirUserCert,caECDirUserCert,caAgentServerCert,caAgentFileSigning,caCMCUserCert,caFullCMCUserCert,caFullCMCUserSignedCert,caSimpleCMCUserCert,caTokenDeviceKeyEnrollment,caTokenUserEncryptionKeyEnrollment,caTokenUserSigningKeyEnrollment,caTempTokenDeviceKeyEnrollment,caTempTokenUserEncryptionKeyEnrollment,caTempTokenUserSigningKeyEnrollment,caAdminCert,caInternalAuthServerCert,caInternalAuthTransportCert,caInternalAuthDRMstorageCert,caInternalAuthSubsystemCert,caInternalAuthOCSPCert,caInternalAuthAuditSigningCert,DomainController,caDualRAuserCert,caRAagentCert,caRAserverCert,caUUIDdeviceCert,caSSLClientSelfRenewal,caDirUserRenewal,caManualRenewal,caTokenMSLoginEnrollment,caTokenUserSigningKeyRenewal,caTokenUserEncryptionKeyRenewal,caTokenUserAuthKeyRenewal,caJarSigningCert,caIPAserviceCert,caEncUserCert,caSigningUserCert,caSigningECUserCert,caEncECUserCert,caTokenUserDelegateAuthKeyEnrollment,caTokenUserDelegateSigningKeyEnrollment + profile.caUUIDdeviceCert.class_id=caEnrollImpl + profile.caUUIDdeviceCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caUUIDdeviceCert.cfg + profile.caManualRenewal.class_id=caEnrollImpl +@@ -1015,6 +1015,8 @@ profile.caRAagentCert.class_id=caEnrollImpl + profile.caRAagentCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caRAagentCert.cfg + profile.caFullCMCUserCert.class_id=caEnrollImpl + profile.caFullCMCUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caFullCMCUserCert.cfg ++profile.caFullCMCUserSignedCert.class_id=caEnrollImpl 
++profile.caFullCMCUserSignedCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caFullCMCUserSignedCert.cfg + profile.caInternalAuthOCSPCert.class_id=caEnrollImpl + profile.caInternalAuthOCSPCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caInternalAuthOCSPCert.cfg + profile.caInternalAuthAuditSigningCert.class_id=caEnrollImpl +-- +1.8.3.1 + + +From 633c7c6519c925af7e3700adff29961d72435c7f Mon Sep 17 00:00:00 2001 +From: Fraser Tweedale +Date: Thu, 23 Mar 2017 14:34:31 +1100 +Subject: [PATCH 47/49] PKCS12Util: use AES to encrypt private keys + +Update PKCS12Util to use AES-256-CBC to encrypt private keys. +Use JSS CryptoStore methods to ensure that all key wrapping and +unwrapping is done on the token. + +Specifically, CryptoStore.getEncryptedPrivateKeyInfo replaces the +previous process where a symmetric key was generated, the private +key wrapped to the symmetric key, then decryted into Dogtag's +memory, then re-encrypted under the supplied passphrase. Now the +key gets wrapped directly to the supplied passphrase. + +Similarly, for import, the EncryptedPrivateKeyInfo was decrypted +using the supplied passphrase, then encrypted to a freshly generated +symmetric key, which was then used to unwrap the key into the token. +Now, the new JSS method CryptoStore.importEncryptedPrivateKeyInfo is +used to unwrap the EncryptedPrivateKeyInfo directly into the token, +using the supplied passphrase. + +As a result, the PKCS12KeyInfo class, which previously stored +unencrypted key material (a PrivateKeyInfo object), it now only +deals with PrivateKey (an opaque handle to an PKCS #11 object) +on export and encoded (byte[]) EncryptedPrivateKeyInfo data on +import. This split suggests that PKCS12KeyInfo should be decomposed +into two classes - one containing a PrivateKey and the other +containing a byte[] encryptedPrivateKeyInfo - but this refactoring +is left for another day. 
+ +Part of: https://pagure.io/dogtagpki/issue/2610 + +Change-Id: I75d48de4d7040c9fb3a9a6d1e920c191aa757b70 +(cherry picked from commit 2e198ddbe9ec5000ee7e14df0aa364b600d3aa92) +--- + .../netscape/cmstools/pkcs12/PKCS12ImportCLI.java | 4 +- + .../com/netscape/cmstools/pkcs12/PKCS12KeyCLI.java | 1 - + .../src/netscape/security/pkcs/PKCS12KeyInfo.java | 29 +++-- + .../src/netscape/security/pkcs/PKCS12Util.java | 122 ++++++++------------- + 4 files changed, 65 insertions(+), 91 deletions(-) + +diff --git a/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12ImportCLI.java b/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12ImportCLI.java +index da5478c..de43284 100644 +--- a/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12ImportCLI.java ++++ b/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12ImportCLI.java +@@ -124,12 +124,12 @@ public class PKCS12ImportCLI extends CLI { + + if (nicknames.length == 0) { + // store all certificates +- util.storeIntoNSS(pkcs12, overwrite); ++ util.storeIntoNSS(pkcs12, password, overwrite); + + } else { + // load specified certificates + for (String nickname : nicknames) { +- util.storeCertIntoNSS(pkcs12, nickname, overwrite); ++ util.storeCertIntoNSS(pkcs12, password, nickname, overwrite); + } + } + +diff --git a/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12KeyCLI.java b/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12KeyCLI.java +index fbebdda..e74b63a 100644 +--- a/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12KeyCLI.java ++++ b/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12KeyCLI.java +@@ -38,6 +38,5 @@ public class PKCS12KeyCLI extends CLI { + + System.out.println(" Key ID: " + keyInfo.getID().toString(16)); + System.out.println(" Subject DN: " + keyInfo.getSubjectDN()); +- System.out.println(" Algorithm: " + keyInfo.getPrivateKeyInfo().getAlgorithm()); + } + } +diff --git a/base/util/src/netscape/security/pkcs/PKCS12KeyInfo.java 
b/base/util/src/netscape/security/pkcs/PKCS12KeyInfo.java +index c7e84f0..f180cf2 100644 +--- a/base/util/src/netscape/security/pkcs/PKCS12KeyInfo.java ++++ b/base/util/src/netscape/security/pkcs/PKCS12KeyInfo.java +@@ -19,31 +19,40 @@ package netscape.security.pkcs; + + import java.math.BigInteger; + +-import org.mozilla.jss.pkix.primitive.PrivateKeyInfo; ++import org.mozilla.jss.crypto.PrivateKey; + + public class PKCS12KeyInfo { + ++ private PrivateKey privateKey; ++ private byte[] epkiBytes; + BigInteger id; +- PrivateKeyInfo privateKeyInfo; + String subjectDN; + + public PKCS12KeyInfo() { + } + +- public BigInteger getID() { +- return id; ++ public PKCS12KeyInfo(PrivateKey k) { ++ this.privateKey = k; + } + +- public void setID(BigInteger id) { +- this.id = id; ++ public PKCS12KeyInfo(byte[] epkiBytes) { ++ this.epkiBytes = epkiBytes; ++ } ++ ++ public PrivateKey getPrivateKey() { ++ return this.privateKey; + } + +- public PrivateKeyInfo getPrivateKeyInfo() { +- return privateKeyInfo; ++ public byte[] getEncryptedPrivateKeyInfoBytes() { ++ return epkiBytes; + } + +- public void setPrivateKeyInfo(PrivateKeyInfo privateKeyInfo) { +- this.privateKeyInfo = privateKeyInfo; ++ public BigInteger getID() { ++ return id; ++ } ++ ++ public void setID(BigInteger id) { ++ this.id = id; + } + + public String getSubjectDN() { +diff --git a/base/util/src/netscape/security/pkcs/PKCS12Util.java b/base/util/src/netscape/security/pkcs/PKCS12Util.java +index 0b164aa..9f9a35e 100644 +--- a/base/util/src/netscape/security/pkcs/PKCS12Util.java ++++ b/base/util/src/netscape/security/pkcs/PKCS12Util.java +@@ -33,27 +33,19 @@ import java.util.Collection; + import org.apache.commons.lang.StringUtils; + import org.mozilla.jss.CryptoManager; + import org.mozilla.jss.asn1.ANY; +-import org.mozilla.jss.asn1.ASN1Util; + import org.mozilla.jss.asn1.ASN1Value; + import org.mozilla.jss.asn1.BMPString; + import org.mozilla.jss.asn1.OBJECT_IDENTIFIER; + import org.mozilla.jss.asn1.OCTET_STRING; + 
import org.mozilla.jss.asn1.SEQUENCE; + import org.mozilla.jss.asn1.SET; +-import org.mozilla.jss.crypto.Cipher; + import org.mozilla.jss.crypto.CryptoStore; + import org.mozilla.jss.crypto.CryptoToken; + import org.mozilla.jss.crypto.EncryptionAlgorithm; +-import org.mozilla.jss.crypto.IVParameterSpec; + import org.mozilla.jss.crypto.InternalCertificate; +-import org.mozilla.jss.crypto.KeyGenAlgorithm; +-import org.mozilla.jss.crypto.KeyWrapAlgorithm; +-import org.mozilla.jss.crypto.KeyWrapper; + import org.mozilla.jss.crypto.NoSuchItemOnTokenException; + import org.mozilla.jss.crypto.ObjectNotFoundException; +-import org.mozilla.jss.crypto.PBEAlgorithm; + import org.mozilla.jss.crypto.PrivateKey; +-import org.mozilla.jss.crypto.SymmetricKey; + import org.mozilla.jss.crypto.X509Certificate; + import org.mozilla.jss.pkcs12.AuthenticatedSafes; + import org.mozilla.jss.pkcs12.CertBag; +@@ -61,14 +53,10 @@ import org.mozilla.jss.pkcs12.PFX; + import org.mozilla.jss.pkcs12.PasswordConverter; + import org.mozilla.jss.pkcs12.SafeBag; + import org.mozilla.jss.pkix.primitive.Attribute; +-import org.mozilla.jss.pkix.primitive.EncryptedPrivateKeyInfo; +-import org.mozilla.jss.pkix.primitive.PrivateKeyInfo; + import org.mozilla.jss.util.Password; + import org.slf4j.Logger; + import org.slf4j.LoggerFactory; + +-import com.netscape.cmsutil.crypto.CryptoUtil; +- + import netscape.ldap.LDAPDN; + import netscape.ldap.util.DN; + import netscape.security.x509.X509CertImpl; +@@ -114,41 +102,30 @@ public class PKCS12Util { + icert.setObjectSigningTrust(PKCS12.decodeFlags(flags[2])); + } + +- byte[] getEncodedKey(PrivateKey privateKey) throws Exception { +- CryptoManager cm = CryptoManager.getInstance(); +- CryptoToken token = cm.getInternalKeyStorageToken(); +- +- byte[] iv = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 }; +- IVParameterSpec param = new IVParameterSpec(iv); +- +- SymmetricKey sk = CryptoUtil.generateKey(token, KeyGenAlgorithm.DES3, 0, null, true); +- byte[] enckey = 
CryptoUtil.wrapUsingSymmetricKey( +- token, +- sk, +- privateKey, +- param, +- KeyWrapAlgorithm.DES3_CBC_PAD); +- +- Cipher c = token.getCipherContext(EncryptionAlgorithm.DES3_CBC_PAD); +- c.initDecrypt(sk, param); +- return c.doFinal(enckey); +- } +- + public void addKeyBag(PKCS12KeyInfo keyInfo, Password password, + SEQUENCE encSafeContents) throws Exception { ++ PrivateKey k = keyInfo.getPrivateKey(); ++ if (k == null) { ++ logger.debug("NO PRIVATE KEY for " + keyInfo.subjectDN); ++ return; ++ } + + logger.debug("Creating key bag for " + keyInfo.subjectDN); + + PasswordConverter passConverter = new PasswordConverter(); +- byte salt[] = { 0x01, 0x01, 0x01, 0x01 }; +- +- EncryptedPrivateKeyInfo encPrivateKeyInfo = EncryptedPrivateKeyInfo.createPBE( +- PBEAlgorithm.PBE_SHA1_DES3_CBC, +- password, salt, 1, passConverter, keyInfo.privateKeyInfo); ++ byte[] epkiBytes = CryptoManager.getInstance() ++ .getInternalKeyStorageToken() ++ .getCryptoStore() ++ .getEncryptedPrivateKeyInfo( ++ /* NSS has a bug that causes any AES CBC encryption ++ * to use AES-256, but AlgorithmID contains chosen ++ * alg. To avoid mismatch, use AES_256_CBC. 
*/ ++ passConverter, password, EncryptionAlgorithm.AES_256_CBC, 0, k); + + SET keyAttrs = createKeyBagAttrs(keyInfo); + +- SafeBag safeBag = new SafeBag(SafeBag.PKCS8_SHROUDED_KEY_BAG, encPrivateKeyInfo, keyAttrs); ++ SafeBag safeBag = new SafeBag( ++ SafeBag.PKCS8_SHROUDED_KEY_BAG, new ANY(epkiBytes), keyAttrs); + encSafeContents.addElement(safeBag); + } + +@@ -318,14 +295,10 @@ public class PKCS12Util { + PrivateKey privateKey = cm.findPrivKeyByCert(cert); + logger.debug("Certificate \"" + nickname + "\" has private key"); + +- PKCS12KeyInfo keyInfo = new PKCS12KeyInfo(); ++ PKCS12KeyInfo keyInfo = new PKCS12KeyInfo(privateKey); + keyInfo.id = id; + keyInfo.subjectDN = cert.getSubjectDN().toString(); + +- byte[] privateData = getEncodedKey(privateKey); +- keyInfo.privateKeyInfo = (PrivateKeyInfo) +- ASN1Util.decode(PrivateKeyInfo.getTemplate(), privateData); +- + pkcs12.addKeyInfo(keyInfo); + + } catch (ObjectNotFoundException e) { +@@ -375,11 +348,7 @@ public class PKCS12Util { + + public PKCS12KeyInfo getKeyInfo(SafeBag bag, Password password) throws Exception { + +- PKCS12KeyInfo keyInfo = new PKCS12KeyInfo(); +- +- // get private key info +- EncryptedPrivateKeyInfo encPrivateKeyInfo = (EncryptedPrivateKeyInfo) bag.getInterpretedBagContent(); +- keyInfo.privateKeyInfo = encPrivateKeyInfo.decrypt(password, new PasswordConverter()); ++ PKCS12KeyInfo keyInfo = new PKCS12KeyInfo(bag.getBagContent().getEncoded()); + + // get key attributes + SET bagAttrs = bag.getBagAttributes(); +@@ -491,7 +460,7 @@ public class PKCS12Util { + + public void getKeyInfos(PKCS12 pkcs12, PFX pfx, Password password) throws Exception { + +- logger.debug("Load private keys:"); ++ logger.debug("Load encrypted private keys:"); + + AuthenticatedSafes safes = pfx.getAuthSafes(); + +@@ -590,20 +559,12 @@ public class PKCS12Util { + + public void importKey( + PKCS12 pkcs12, ++ Password password, ++ String nickname, + PKCS12KeyInfo keyInfo) throws Exception { + + logger.debug("Importing private 
key " + keyInfo.subjectDN); + +- byte iv[] = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 }; +- IVParameterSpec param = new IVParameterSpec(iv); +- +- PrivateKeyInfo privateKeyInfo = keyInfo.privateKeyInfo; +- +- // encode private key +- ByteArrayOutputStream bos = new ByteArrayOutputStream(); +- privateKeyInfo.encode(bos); +- byte[] privateKey = bos.toByteArray(); +- + PKCS12CertInfo certInfo = pkcs12.getCertInfoByID(keyInfo.getID()); + if (certInfo == null) { + logger.debug("Private key has no certificate, ignore"); +@@ -619,26 +580,29 @@ public class PKCS12Util { + // get public key + PublicKey publicKey = cert.getPublicKey(); + +- // delete the cert again ++ byte[] epkiBytes = keyInfo.getEncryptedPrivateKeyInfoBytes(); ++ if (epkiBytes == null) { ++ logger.debug( ++ "No EncryptedPrivateKeyInfo for key '" ++ + keyInfo.subjectDN + "'; skipping key"); ++ } ++ store.importEncryptedPrivateKeyInfo( ++ new PasswordConverter(), password, nickname, publicKey, epkiBytes); ++ ++ // delete the cert again (it will be imported again later ++ // with the correct nickname) + try { + store.deleteCert(cert); + } catch (NoSuchItemOnTokenException e) { + // this is OK + } +- +- // encrypt private key +- SymmetricKey sk = CryptoUtil.generateKey(token, KeyGenAlgorithm.DES3, 0, null, true); +- byte[] encpkey = CryptoUtil.encryptUsingSymmetricKey( +- token, sk, privateKey, EncryptionAlgorithm.DES3_CBC_PAD, param); +- +- // unwrap private key to load into database +- KeyWrapper wrapper = token.getKeyWrapper(KeyWrapAlgorithm.DES3_CBC_PAD); +- wrapper.initUnwrap(sk, param); +- wrapper.unwrapPrivate(encpkey, getPrivateKeyType(publicKey), publicKey); + } + +- public void storeCertIntoNSS(PKCS12 pkcs12, PKCS12CertInfo certInfo, boolean overwrite) throws Exception { +- ++ public void storeCertIntoNSS( ++ PKCS12 pkcs12, Password password, ++ PKCS12CertInfo certInfo, boolean overwrite) ++ throws Exception ++ { + CryptoManager cm = CryptoManager.getInstance(); + CryptoToken ct = 
cm.getInternalKeyStorageToken(); + CryptoStore store = ct.getCryptoStore(); +@@ -656,7 +620,7 @@ public class PKCS12Util { + X509Certificate cert; + if (keyInfo != null) { // cert has key + logger.debug("Importing user key for " + certInfo.nickname); +- importKey(pkcs12, keyInfo); ++ importKey(pkcs12, password, certInfo.nickname, keyInfo); + + logger.debug("Importing user certificate " + certInfo.nickname); + cert = cm.importUserCACertPackage(certInfo.cert.getEncoded(), certInfo.nickname); +@@ -671,19 +635,21 @@ public class PKCS12Util { + setTrustFlags(cert, certInfo.trustFlags); + } + +- public void storeCertIntoNSS(PKCS12 pkcs12, String nickname, boolean overwrite) throws Exception { ++ public void storeCertIntoNSS(PKCS12 pkcs12, Password password, String nickname, boolean overwrite) throws Exception { + Collection certInfos = pkcs12.getCertInfosByNickname(nickname); + for (PKCS12CertInfo certInfo : certInfos) { +- storeCertIntoNSS(pkcs12, certInfo, overwrite); ++ storeCertIntoNSS(pkcs12, password, certInfo, overwrite); + } + } + +- public void storeIntoNSS(PKCS12 pkcs12, boolean overwrite) throws Exception { +- ++ public void storeIntoNSS( ++ PKCS12 pkcs12, Password password, boolean overwrite) ++ throws Exception ++ { + logger.info("Storing data into NSS database"); + + for (PKCS12CertInfo certInfo : pkcs12.getCertInfos()) { +- storeCertIntoNSS(pkcs12, certInfo, overwrite); ++ storeCertIntoNSS(pkcs12, password, certInfo, overwrite); + } + } + } +-- +1.8.3.1 + + +From 118f648961e502f55d6997f59f6cf8f355218da5 Mon Sep 17 00:00:00 2001 +From: Fraser Tweedale +Date: Fri, 28 Apr 2017 19:45:53 +1000 +Subject: [PATCH 48/49] PKCS12Util: add some much-needed comments + +Part of: https://pagure.io/dogtagpki/issue/2610 + +Change-Id: Ic35a81c4c4dd49622bfdeb677d588641594b7ec6 +(cherry picked from commit 507908d1aac8f9db6c380f5cae634521608043e8) +--- + .../src/netscape/security/pkcs/PKCS12KeyInfo.java | 19 +++++++++++++++++++ + 
base/util/src/netscape/security/pkcs/PKCS12Util.java | 17 +++++++++++++++++ + 2 files changed, 36 insertions(+) + +diff --git a/base/util/src/netscape/security/pkcs/PKCS12KeyInfo.java b/base/util/src/netscape/security/pkcs/PKCS12KeyInfo.java +index f180cf2..ddcc3db 100644 +--- a/base/util/src/netscape/security/pkcs/PKCS12KeyInfo.java ++++ b/base/util/src/netscape/security/pkcs/PKCS12KeyInfo.java +@@ -21,6 +21,17 @@ import java.math.BigInteger; + + import org.mozilla.jss.crypto.PrivateKey; + ++/** ++ * This object is used for carrying key info around. ++ * ++ * It does not handle raw key material (but it used to). ++ * ++ * FIXME: A clear refactoring opportunity exists. The 'privateKey' ++ * field (and associated constructor) is only used during export, ++ * and the 'epkiBytes' field (and associated constructor) is only ++ * used during import. Therefore this should be two different ++ * types. ++ */ + public class PKCS12KeyInfo { + + private PrivateKey privateKey; +@@ -31,10 +42,18 @@ public class PKCS12KeyInfo { + public PKCS12KeyInfo() { + } + ++ /** ++ * Construct with a PrivateKey. This constructor is used ++ * for moving the PrivateKey handle around during export. ++ */ + public PKCS12KeyInfo(PrivateKey k) { + this.privateKey = k; + } + ++ /** Construct with a (serialised) EncrypedPrivateKeyInfo. This ++ * constructor is used for moving the EPKI data around during ++ * import. ++ */ + public PKCS12KeyInfo(byte[] epkiBytes) { + this.epkiBytes = epkiBytes; + } +diff --git a/base/util/src/netscape/security/pkcs/PKCS12Util.java b/base/util/src/netscape/security/pkcs/PKCS12Util.java +index 9f9a35e..31c7126 100644 +--- a/base/util/src/netscape/security/pkcs/PKCS12Util.java ++++ b/base/util/src/netscape/security/pkcs/PKCS12Util.java +@@ -102,6 +102,14 @@ public class PKCS12Util { + icert.setObjectSigningTrust(PKCS12.decodeFlags(flags[2])); + } + ++ /** ++ * Used during EXPORT to add a private key to the PKCS12. 
++ * ++ * The private key is exported directly from the token, into ++ * an EncryptedPrivateKeyInfo value, then added as a ++ * "Shrouded Key Bag" to the PKCS #12 object. Unencrypted ++ * key material is never seen. ++ */ + public void addKeyBag(PKCS12KeyInfo keyInfo, Password password, + SEQUENCE encSafeContents) throws Exception { + PrivateKey k = keyInfo.getPrivateKey(); +@@ -346,6 +354,12 @@ public class PKCS12Util { + } + } + ++ /** ++ * Loads key bags (for IMPORT and other operations on existing ++ * PKCS #12 files). Does not decrypt EncryptedPrivateKeyInfo ++ * values, but stores them in PKCS12KeyInfo objects for possible ++ * later use. ++ */ + public PKCS12KeyInfo getKeyInfo(SafeBag bag, Password password) throws Exception { + + PKCS12KeyInfo keyInfo = new PKCS12KeyInfo(bag.getBagContent().getEncoded()); +@@ -598,6 +612,9 @@ public class PKCS12Util { + } + } + ++ /** ++ * Store a certificate (and key, if present) in NSSDB. ++ */ + public void storeCertIntoNSS( + PKCS12 pkcs12, Password password, + PKCS12CertInfo certInfo, boolean overwrite) +-- +1.8.3.1 + + +From 012718d24aff8c37713f42f2ca69c5bd7aec97df Mon Sep 17 00:00:00 2001 +From: Fraser Tweedale +Date: Thu, 6 Apr 2017 13:27:56 +1000 +Subject: [PATCH 49/49] KRA: use AES in PKCS #12 recovery for wrapped keys + +The KRA has two private key recovery code paths: one dealing with +keys wrapped to the storage key, and one dealing with symmetrically +encrypted keys. Each has a separate function for constructing a +PKCS #12 file for the recovered key. + +This commit updates the PKCS #12 generation for wrapped keys to use +AES encryption. The JSS PBE facility is not expressive enough to +handle PBES2 encryption, which is necessary for many algorithms +including AES, so we now use CryptoStore.getEncryptedPrivateKeyInfo. 
+ +Part of: https://pagure.io/dogtagpki/issue/2610 + +Change-Id: Iba67f15642338316e4a6d09f78504327e8853b85 +(cherry picked from commit 8e663b6270d9a9409a04bfcb445318a6d5622b52) +--- + base/kra/src/com/netscape/kra/RecoveryService.java | 24 ++++++++++++---------- + 1 file changed, 13 insertions(+), 11 deletions(-) + +diff --git a/base/kra/src/com/netscape/kra/RecoveryService.java b/base/kra/src/com/netscape/kra/RecoveryService.java +index 5609b19..eee800a 100644 +--- a/base/kra/src/com/netscape/kra/RecoveryService.java ++++ b/base/kra/src/com/netscape/kra/RecoveryService.java +@@ -31,6 +31,7 @@ import java.util.Random; + + import org.mozilla.jss.CryptoManager; + import org.mozilla.jss.asn1.ASN1Util; ++import org.mozilla.jss.asn1.ANY; + import org.mozilla.jss.asn1.ASN1Value; + import org.mozilla.jss.asn1.BMPString; + import org.mozilla.jss.asn1.OCTET_STRING; +@@ -38,6 +39,7 @@ import org.mozilla.jss.asn1.SEQUENCE; + import org.mozilla.jss.asn1.SET; + import org.mozilla.jss.crypto.CryptoToken; + import org.mozilla.jss.crypto.PBEAlgorithm; ++import org.mozilla.jss.crypto.EncryptionAlgorithm; + import org.mozilla.jss.crypto.PrivateKey; + import org.mozilla.jss.pkcs12.AuthenticatedSafes; + import org.mozilla.jss.pkcs12.CertBag; +@@ -484,20 +486,20 @@ public class RecoveryService implements IService { + SEQUENCE safeContents = new SEQUENCE(); + PasswordConverter passConverter = new + PasswordConverter(); +- Random ran = new SecureRandom(); +- byte[] salt = new byte[20]; +- ran.nextBytes(salt); + +- ASN1Value key = EncryptedPrivateKeyInfo.createPBE( +- PBEAlgorithm.PBE_SHA1_DES3_CBC, +- pass, salt, 1, passConverter, priKey, ct); +- CMS.debug("RecoverService: createPFX() EncryptedPrivateKeyInfo.createPBE() returned"); +- if (key == null) { +- CMS.debug("RecoverService: createPFX() key null"); +- throw new EBaseException("EncryptedPrivateKeyInfo.createPBE() failed"); ++ byte[] epkiBytes = ct.getCryptoStore().getEncryptedPrivateKeyInfo( ++ /* NSS has a bug that causes any AES 
CBC encryption ++ * to use AES-256, but AlgorithmID contains chosen ++ * alg. To avoid mismatch, use AES_256_CBC. */ ++ passConverter, pass, EncryptionAlgorithm.AES_256_CBC, 0, priKey); ++ CMS.debug("RecoverService: createPFX() getEncryptedPrivateKeyInfo() returned"); ++ if (epkiBytes == null) { ++ CMS.debug("RecoverService: createPFX() epkiBytes null"); ++ throw new EBaseException("getEncryptedPrivateKeyInfo returned null"); + } else { +- CMS.debug("RecoverService: createPFX() key not null"); ++ CMS.debug("RecoverService: createPFX() epkiBytes not null"); + } ++ ASN1Value key = new ANY(epkiBytes); + + SET keyAttrs = createBagAttrs( + x509cert.getSubjectDN().toString(), +-- +1.8.3.1 + diff --git a/SOURCES/pki-core-cmc-plugin-default-change.patch b/SOURCES/pki-core-cmc-plugin-default-change.patch new file mode 100644 index 0000000..2a9b5aa --- /dev/null +++ b/SOURCES/pki-core-cmc-plugin-default-change.patch 
@@ -0,0 +1,28 @@
+From 7c075ba00c81dd01ebdb3ee455a07a2fe1256f13 Mon Sep 17 00:00:00 2001
+From: Christina Fu
+Date: Thu, 29 Jun 2017 15:44:13 -0700
+Subject: [PATCH] Ticket #2779 cmc plugin default change
+
+(cherry picked from commit 876d13c6d20e7e1235b9efbd601b47315debb492)
+---
+ base/ca/shared/conf/CS.cfg | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg
+index 4da7429..5a244d7 100644
+--- a/base/ca/shared/conf/CS.cfg
++++ b/base/ca/shared/conf/CS.cfg
+@@ -735,8 +735,8 @@ ca.publish.rule.instance.LdapXCertRule.predicate=
+ ca.publish.rule.instance.LdapXCertRule.publisher=LdapCrossCertPairPublisher
+ ca.publish.rule.instance.LdapXCertRule.type=xcert
+ cmc.popLinkWitnessRequired=false
+-cmc.revokeCert.sharedSecret.class=com.netscape.cms.authentication.SharedSecret
+-cmc.sharedSecret.class=com.netscape.cms.authentication.SharedSecret
++#cmc.revokeCert.sharedSecret.class=com.netscape.cms.authentication.SharedSecret
++#cmc.sharedSecret.class=com.netscape.cms.authentication.SharedSecret
+ cmc.token=internal
+ cms.passwordlist=internaldb,replicationdb
+ cms.password.ignore.publishing.failure=true
+--
+1.8.3.1
+
diff --git a/SOURCES/pki-core-fix-ipa-replica-install-timing-issue.patch b/SOURCES/pki-core-fix-ipa-replica-install-timing-issue.patch
new file mode 100644
index 0000000..721c49f
--- /dev/null
+++ b/SOURCES/pki-core-fix-ipa-replica-install-timing-issue.patch
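Review bot: Commenting out `cmc.sharedSecret.class` and `cmc.revokeCert.sharedSecret.class` appears to drop the default CMC shared-secret authentication plugin for both enrollment and revocation, yet neither the hunk nor the one-line patch description records why, or what an administrator must do to re-enable it. A comment directly above the two disabled keys would make the shipped default self-explaining, e.g. `# Shared-secret CMC authentication is disabled by default; uncomment both keys to enable it.` Keeping the old values present but commented is a reasonable choice, since operators who depend on the plugin can see exactly what to restore.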
@@ -0,0 +1,278 @@
+From 609b98cccc77fa8b8e8d307c2f84651429068ec6 Mon Sep 17 00:00:00 2001
+From: Fraser Tweedale
+Date: Mon, 9 Oct 2017 16:26:21 +1100
+Subject: [PATCH 1/5] CMSServlet.renderFinalError: log exception
+
+renderFinalError is a "last resort" error handler that writes an
+error message back to the client. If the exception was not already
+logged, the call stack will be discarded after renderFinalError is
+finished with the exception.
+
+Log the exception so that the call stack information is not lost.
+
+Part of: https://pagure.io/dogtagpki/issue/2557
+
+Change-Id: I2fd608adf205e3f72b67d822b1966fdb1b8bc60f
+(cherry picked from commit 386357c347f8433e14ccd8637576f4c4a4e42492)
+(cherry picked from commit 3af42c306446ddc931fc0d44505cd237aa2267d7)
+---
+ base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java b/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java
+index 65dc06a..fe18ee1 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java
+@@ -763,6 +763,8 @@ public abstract class CMSServlet extends HttpServlet {
+ 
+ public void renderFinalError(CMSRequest cmsReq, Exception ex)
+ throws IOException {
++ CMS.debug("Caught exception in renderFinalError:");
++ CMS.debug(ex);
+ // this template is the last resort for all other unexpected
+ // errors in other templates so we can only output text.
+ HttpServletResponse httpResp = cmsReq.getHttpResp(); +-- +1.8.3.1 + + +From c160d49e0b61d650a14eae9be38e5f381aeb0b24 Mon Sep 17 00:00:00 2001 +From: Fraser Tweedale +Date: Mon, 9 Oct 2017 16:45:51 +1100 +Subject: [PATCH 2/5] TokenAuthenticate: avoid NPE on null session table + +If the security domain session table is null for some reason, detect +this condition, log it, and return cleanly instead of throwing a +NullPointerException. + +Part of: https://pagure.io/dogtagpki/issue/2557 + +Change-Id: Ie487492ed6eec913f0271221fd12842fe7128ceb +(cherry picked from commit bc329a0162ae9af382c81e75742b282ea8c5df0d) +(cherry picked from commit 76d85a648bc6be0f690d36341e6a11d64a3ff6b6) +--- + .../cms/src/com/netscape/cms/servlet/csadmin/TokenAuthenticate.java | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/TokenAuthenticate.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/TokenAuthenticate.java +index 27f4782..1d98693 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/TokenAuthenticate.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/TokenAuthenticate.java +@@ -81,7 +81,11 @@ public class TokenAuthenticate extends CMSServlet { + String uid = ""; + String gid = ""; + CMS.debug("TokenAuthentication: checking session in the session table"); +- if (table.sessionExists(sessionId)) { ++ if (table == null) { ++ CMS.debug("TokenAuthentication: session table is null"); ++ outputError(httpResp, "Error: session table is null"); ++ return; ++ } else if (table.sessionExists(sessionId)) { + CMS.debug("TokenAuthentication: found session"); + if (checkIP) { + String hostname = table.getIP(sessionId); +-- +1.8.3.1 + + +From 275d3b1ad88721e1a5a5bfd8b5013a14d3db2263 Mon Sep 17 00:00:00 2001 +From: Fraser Tweedale +Date: Tue, 10 Oct 2017 00:21:57 +1100 +Subject: [PATCH 3/5] TokenAuthentication: log error message on error + +If a TokenAuthenticate response indicates 
failure (state != 0), log +the error string in addition to the status code. + +Part of: https://pagure.io/dogtagpki/issue/2557 + +Change-Id: I22ba44be109a06f33ae6015e62393a2ef575b6b2 +(cherry picked from commit 9eb354883c9d965bb271223bf870839bb756db26) +(cherry picked from commit c9908785df9f22b1ca4f507c9f51bf904193a143) +--- + .../cms/src/com/netscape/cms/authentication/TokenAuthentication.java | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/base/server/cms/src/com/netscape/cms/authentication/TokenAuthentication.java b/base/server/cms/src/com/netscape/cms/authentication/TokenAuthentication.java +index ebda0b6..2aa32d4 100644 +--- a/base/server/cms/src/com/netscape/cms/authentication/TokenAuthentication.java ++++ b/base/server/cms/src/com/netscape/cms/authentication/TokenAuthentication.java +@@ -183,6 +183,7 @@ public class TokenAuthentication implements IAuthManager, + CMS.debug("TokenAuthentication: status=" + status); + if (!status.equals("0")) { + String error = parser.getValue("Error"); ++ CMS.debug("TokenAuthentication: error: " + error); + throw new EBaseException(error); + } + +-- +1.8.3.1 + + +From 2a8f26e1169f8840a59f1707964d98b47619ca1c Mon Sep 17 00:00:00 2001 +From: Fraser Tweedale +Date: Wed, 11 Oct 2017 15:41:15 +1100 +Subject: [PATCH 4/5] Sleep after security domain login during configuration + +Clone installation can fail due to security domain token +authentication failure that arises because: + +1. The security domain session gets created on the replica's CA + instance. + +2. The "updateNumberRange" is performed against the subsystem being + cloned, and results in a token authentication request to the CA + subsystem on the same host. + +3. LDAP replication lag means that the master does not yet see + the security domain session that was created on the replica. + +To avoid this problem, introduce a small delay after logging into +the security domain, to allow for replication to occur. The delay +is configurable and defaults to 5 seconds. 
+ +Fixes: https://pagure.io/dogtagpki/issue/2557 +Change-Id: Ib11c077518c40b3b16699c9170b61085f55a1913 +(cherry picked from commit fa2d731b6ce51c5db9fb0b004d586b8f3e1decd3) +(cherry picked from commit 5fae20defb5e938a621fc40f92954eb7daba1c7b) +--- + .../netscape/certsrv/system/ConfigurationRequest.java | 14 ++++++++++++++ + .../org/dogtagpki/server/rest/SystemConfigService.java | 17 ++++++++++++++++- + 2 files changed, 30 insertions(+), 1 deletion(-) + +diff --git a/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java b/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java +index 26f45f0..03dbfa6 100644 +--- a/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java ++++ b/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java +@@ -244,6 +244,11 @@ public class ConfigurationRequest { + @XmlElement + protected String signingCertSerialNumber; + ++ /** Seconds to sleep after logging into the Security Domain, ++ * so that replication of the session data may complete. 
*/ ++ @XmlElement ++ protected Long securityDomainPostLoginSleepSeconds; ++ + public ConfigurationRequest() { + // required for JAXB + } +@@ -974,6 +979,14 @@ public class ConfigurationRequest { + this.signingCertSerialNumber = signingCertSerialNumber; + } + ++ public Long getSecurityDomainPostLoginSleepSeconds() { ++ return securityDomainPostLoginSleepSeconds; ++ } ++ ++ public void setSecurityDomainPostLoginSleepSeconds(Long d) { ++ securityDomainPostLoginSleepSeconds = d; ++ } ++ + @Override + public String toString() { + return "ConfigurationRequest [pin=XXXX" + +@@ -983,6 +996,7 @@ public class ConfigurationRequest { + ", securityDomainName=" + securityDomainName + + ", securityDomainUser=" + securityDomainUser + + ", securityDomainPassword=XXXX" + ++ ", securityDomainPostLoginSleepSeconds=" + securityDomainPostLoginSleepSeconds + + ", isClone=" + isClone + + ", cloneUri=" + cloneUri + + ", subsystemName=" + subsystemName + +diff --git a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java +index afbb24a..9ffb6e3 100644 +--- a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java ++++ b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java +@@ -950,7 +950,22 @@ public class SystemConfigService extends PKIService implements SystemConfigResou + + getInstallToken(data, host, port); + +- return getDomainXML(host, port); ++ String domainXML = getDomainXML(host, port); ++ ++ /* Sleep for a bit to allow security domain session to replicate ++ * to other clones. In the future we can use signed tokens ++ * (ticket https://pagure.io/dogtagpki/issue/2831) but we need to ++ * be mindful of working with older versions, too. ++ * ++ * The default sleep time is 5s. 
++ */ ++ Long d = data.getSecurityDomainPostLoginSleepSeconds(); ++ if (null == d || d <= 0) ++ d = new Long(5); ++ CMS.debug("Logged into security domain; sleeping for " + d + "s"); ++ Thread.sleep(d * 1000); ++ ++ return domainXML; + } + + private String getDomainXML(String host, int port) { +-- +1.8.3.1 + + +From 2cf5ab35f9fda67405b209ae46891232c38eb4f0 Mon Sep 17 00:00:00 2001 +From: Fraser Tweedale +Date: Wed, 11 Oct 2017 18:12:04 +1100 +Subject: [PATCH 5/5] pkispawn: make security domain login sleep duration + configurable + +Add the pki_security_domain_post_login_sleep_seconds pkispawn +config, so that the administrator may set a duration other than the +default. + +Part of: https://pagure.io/dogtagpki/issue/2557 + +Change-Id: I74f16ea15621773e0742f709adc87df559cb530a +(cherry picked from commit 8c0a7eee3bbfe01b2d965dbe09e95221c5031c8b) +(cherry picked from commit 32ec33f8e49d1085ac1b28657a8321547a6bf910) +--- + base/server/man/man8/pkispawn.8 | 7 +++++++ + base/server/python/pki/server/deployment/pkihelper.py | 7 +++++++ + 2 files changed, 14 insertions(+) + +diff --git a/base/server/man/man8/pkispawn.8 b/base/server/man/man8/pkispawn.8 +index 002520a..1d4ae24 100644 +--- a/base/server/man/man8/pkispawn.8 ++++ b/base/server/man/man8/pkispawn.8 +@@ -956,6 +956,7 @@ pki_security_domain_password=\fISecret123\fP + pki_security_domain_hostname= + pki_security_domain_https_port= + pki_security_domain_user=caadmin ++pki_security_domain_post_login_sleep_seconds=\fI5\fP + + [Tomcat] + pki_clone=True +@@ -997,6 +998,12 @@ and the \fBpki_backup_password\fP is set. The PKCS#12 file is then found under + be generated at any time post-installation using \fBPKCS12Export\fP. + + .PP ++The \fBpki_security_domain_post_login_sleep_seconds\fP config specifies sleep ++duration after logging into a security domain, to allow the security domain ++session data to be replicated to subsystems on other hosts. It is optional and ++defaults to 5 seconds. 
++ ++.PP + An example invocation showing the export of the system certificates and keys, + copying the keys to the replica subsystem, and setting the relevant SELinux and + file permissions is shown below. \fBpwfile\fP is a text file containing the +diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py +index cf2a748..9bb0dfc 100644 +--- a/base/server/python/pki/server/deployment/pkihelper.py ++++ b/base/server/python/pki/server/deployment/pkihelper.py +@@ -4045,6 +4045,13 @@ class ConfigClient: + if self.subordinate: + self.set_subca_security_domain(data) + ++ try: ++ d = int(self.mdict['pki_security_domain_post_login_sleep_seconds']) ++ if d > 0: ++ data.securityDomainPostLoginSleepSeconds = d ++ except (KeyError, ValueError): ++ pass ++ + # database + if self.subsystem != "RA": + self.set_database_parameters(data) +-- +1.8.3.1 + diff --git a/SOURCES/pki-core-fix-issuance-sans-subject-key-ID-ext.patch b/SOURCES/pki-core-fix-issuance-sans-subject-key-ID-ext.patch new file mode 100644 index 0000000..4514c7b --- /dev/null +++ b/SOURCES/pki-core-fix-issuance-sans-subject-key-ID-ext.patch 
@@ -0,0 +1,38 @@
+From 5f62e2db4a1a9040758a806095e1b4da5d0a0d1d Mon Sep 17 00:00:00 2001
+From: Fraser Tweedale
+Date: Fri, 6 Oct 2017 11:21:48 +1100
+Subject: [PATCH] Fix issuance when CA cert lacks Subject Key ID ext
+
+If the CA signing cert does not have the Subject Key Identifier
+extension, issuance of certificates fails. Although such a CA
+certificate is not compliant with RFC 5280, this does happen in the
+wild, and we previously handled this case by computing the SHA-1
+digest of the signing key as a last resort. This behaviour was
+removed by 3c43b1119ca978c296a38a9fe404e1c0cdcdab63, breaking cert
+issuance in installations with CA certs that lack the SKI extention.
+
+Restore this behaviour.
+
+Fixes: https://pagure.io/dogtagpki/issue/2829
+Change-Id: I2f590abe258c0f9405549945b89e3c25c32c2a00
+(cherry picked from commit 8ec0cbd1bef372ed50e19f6c5b6332b75209beb0)
+(cherry picked from commit 119f4ee0288c1e6e6996847a66f617f04dd42ae6)
+---
+ base/server/cms/src/com/netscape/cms/profile/def/CAEnrollDefault.java | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/base/server/cms/src/com/netscape/cms/profile/def/CAEnrollDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/CAEnrollDefault.java
+index 635c044..8d5361e 100644
+--- a/base/server/cms/src/com/netscape/cms/profile/def/CAEnrollDefault.java
++++ b/base/server/cms/src/com/netscape/cms/profile/def/CAEnrollDefault.java
+@@ -95,6 +95,6 @@ public abstract class CAEnrollDefault extends EnrollDefault {
+ "CryptoUtil.generateKeyIdentifier returns null");
+ return null;
+ }
+- return null;
++ return new KeyIdentifier(hash);
+ }
+ }
+--
+1.8.3.1
+
diff --git a/SOURCES/pki-core-platform-dependent-python-import.patch b/SOURCES/pki-core-platform-dependent-python-import.patch
new file mode 100644
index 0000000..c36bd3a
--- /dev/null
+++ b/SOURCES/pki-core-platform-dependent-python-import.patch
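Review bot: The restored line `return new KeyIdentifier(hash);` carries no explanation of why a key identifier is being synthesised at all, and the commit message is the only place recording that this is the SHA-1 digest of the signing key used when the CA certificate lacks the Subject Key Identifier extension. Without a comment the next cleanup can remove it again, as 3c43b1119ca978c296a38a9fe404e1c0cdcdab63 did and broke issuance. A comment on that line would suffice: `// CA signing cert has no SKI extension (non-compliant with RFC 5280, but seen in the wild); fall back to the SHA-1 digest of the signing key rather than fail issuance`. If `hash` is computed over the subjectPublicKey bit string this matches RFC 5280 §4.2.1.2 method (1), but the code that computes `hash` and the preceding null check start outside the hunk, so that cannot be confirmed from here.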
@@ -0,0 +1,30 @@
+From dfbd7c8d54dc27957438a722bc43e37b1b2057b6 Mon Sep 17 00:00:00 2001
+From: Matthew Harmsen
+Date: Thu, 22 Jun 2017 12:50:21 -0600
+Subject: [PATCH] dogtagpki Pagure Issue #2745 - Platform Dependent Python
+ Import
+
+(cherry picked from commit 9d63a7a6b1abb42595b6a24296a39a79441ba8df)
+---
+ base/common/python/pki/client.py | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/base/common/python/pki/client.py b/base/common/python/pki/client.py
+index 805d0fa..e1a4d3f 100644
+--- a/base/common/python/pki/client.py
++++ b/base/common/python/pki/client.py
+@@ -25,7 +25,10 @@ import functools
+ import warnings
+ 
+ import requests
+-from requests.packages.urllib3.exceptions import InsecureRequestWarning
++try:
++ from requests.packages.urllib3.exceptions import InsecureRequestWarning
++except ImportError:
++ from urllib3.exceptions import InsecureRequestWarning
+ 
+ 
+ def catch_insecure_warning(func):
+--
+1.8.3.1
+
diff --git a/SOURCES/pki-core-post-beta.patch b/SOURCES/pki-core-post-beta.patch
new file mode 100644
index 0000000..49bb244
--- /dev/null
+++ b/SOURCES/pki-core-post-beta.patch
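Review bot: The new `try`/`except ImportError` fallback in `client.py` gives no hint of which platforms lack `requests.packages.urllib3`, so the next reader cannot tell when it is safe to drop either branch. A one-line comment above the `try:` would record the reason: `# requests.packages is a compatibility shim; distributions that unbundle urllib3 from requests only expose urllib3.exceptions`. The decorator `catch_insecure_warning`, which consumes InsecureRequestWarning, starts on the last context line and its body lies outside the hunk, so whether it suppresses the warning globally or per call cannot be checked from here.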
@@ -0,0 +1,1733 @@ +From c95cff5899e2975b16db61b811b626742e5e7114 Mon Sep 17 00:00:00 2001 +From: Christina Fu +Date: Mon, 1 May 2017 17:48:33 -0700 +Subject: [PATCH 01/10] Bug 1447145 - CMC: cmc.popLinkWitnessRequired=false + would cause error This patch would fix the issue. It also adds the + CMCUserSignedAuth authentication instance that was missed in the CS.cfg + +--- + base/ca/shared/conf/CS.cfg | 1 + + .../cms/src/com/netscape/cms/profile/common/EnrollProfile.java | 8 +++----- + 2 files changed, 4 insertions(+), 5 deletions(-) + +diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg +index 078abee..3eb5b1b 100644 +--- a/base/ca/shared/conf/CS.cfg ++++ b/base/ca/shared/conf/CS.cfg +@@ -180,6 +180,7 @@ auths.impl.SessionAuthentication.class=com.netscape.cms.authentication.SessionAu + auths.instance.TokenAuth.pluginName=TokenAuth + auths.instance.AgentCertAuth.agentGroup=Certificate Manager Agents + auths.instance.AgentCertAuth.pluginName=AgentCertAuth ++auths.instance.CMCUserSignedAuth.pluginName=CMCUserSignedAuth + auths.instance.raCertAuth.agentGroup=Registration Manager Agents + auths.instance.raCertAuth.pluginName=AgentCertAuth + auths.instance.flatFileAuth.pluginName=FlatFileAuth +diff --git a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java +index 57f07d1..7d52fc8 100644 +--- a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java ++++ b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java +@@ -885,10 +885,7 @@ public abstract class EnrollProfile extends BasicProfile + } + + int nummsgs = reqSeq.size(); +- if (!popLinkWitnessRequired) { +- CMS.debug(method + "popLinkWitnessRequired false, skip check"); +- } else if (nummsgs > 0) { +- CMS.debug(method + "cmc.popLinkWitnessRequired is true"); ++ if (nummsgs > 0) { + CMS.debug(method + "nummsgs =" + nummsgs); + msgs = new TaggedRequest[reqSeq.size()]; + SEQUENCE 
bpids = new SEQUENCE(); +@@ -896,7 +893,8 @@ public abstract class EnrollProfile extends BasicProfile + boolean valid = true; + for (int i = 0; i < nummsgs; i++) { + msgs[i] = (TaggedRequest) reqSeq.elementAt(i); +- if (!context.containsKey("POPLinkWitnessV2") && ++ if (popLinkWitnessRequired && ++ !context.containsKey("POPLinkWitnessV2") && + !context.containsKey("POPLinkWitness")) { + CMS.debug(method + "popLinkWitness(V2) required"); + if (randomSeed == null) { +-- +1.8.3.1 + + +From 220e35d2b5610cb051831b990451b3b3ff53604e Mon Sep 17 00:00:00 2001 +From: Fraser Tweedale +Date: Tue, 2 May 2017 21:44:36 +1000 +Subject: [PATCH 02/10] CAInfoService: retrieve info from KRA + +The CAInfoService returns CA configuration info, including +KRA-related values the CA clients may need to know (e.g. for +generating a CRMF cert request that will cause keys to be archived +in KRA). Currently that information is statically configured and +does not respect the actual configuration of the KRA. + +Update the service to retrieve info from the KRA, which is queried +according to the KRA Connector configuration. After the KRA has +been successfully contacted, the recorded KRA-related settings are +regarded as authoritative. + +The KRA is contacted ONLY if the current info is NOT authoritative, +otherwise the currently recorded values are used. This means that +any change to relevant KRA configuration (which should occur seldom +if ever) necessitates restart of the CA subsystem. + +If this is unsuccessful (e.g. if the KRA is down or the connector is +misconfigured) we use the default values, which may be incorrect. 
+ +Fixes: https://pagure.io/dogtagpki/issue/2665 +Change-Id: I30a37c42ef9327471e8cce8a171f79f388fec746 +--- + .../org/dogtagpki/server/rest/CAInfoService.java | 143 ++++++++++++++++++--- + 1 file changed, 126 insertions(+), 17 deletions(-) + +diff --git a/base/server/cms/src/org/dogtagpki/server/rest/CAInfoService.java b/base/server/cms/src/org/dogtagpki/server/rest/CAInfoService.java +index f4724a6..398f499 100644 +--- a/base/server/cms/src/org/dogtagpki/server/rest/CAInfoService.java ++++ b/base/server/cms/src/org/dogtagpki/server/rest/CAInfoService.java +@@ -18,26 +18,63 @@ + + package org.dogtagpki.server.rest; + ++import java.net.MalformedURLException; ++import java.net.URISyntaxException; ++ + import javax.servlet.http.HttpSession; + import javax.ws.rs.core.Response; + + import org.dogtagpki.common.CAInfo; + import org.dogtagpki.common.CAInfoResource; ++import org.dogtagpki.common.KRAInfo; ++import org.dogtagpki.common.KRAInfoClient; + import org.slf4j.Logger; + import org.slf4j.LoggerFactory; + + import com.netscape.certsrv.apps.CMS; + import com.netscape.certsrv.base.EBaseException; + import com.netscape.certsrv.base.IConfigStore; ++import com.netscape.certsrv.base.PKIException; ++import com.netscape.certsrv.client.ClientConfig; ++import com.netscape.certsrv.client.PKIClient; ++import com.netscape.certsrv.system.KRAConnectorInfo; ++import com.netscape.cms.servlet.admin.KRAConnectorProcessor; + import com.netscape.cms.servlet.base.PKIService; + + /** + * @author Ade Lee ++ * ++ * This class returns CA info, including KRA-related values the CA ++ * clients may need to know (e.g. for generating a CRMF cert request ++ * that will cause keys to be archived in KRA). ++ * ++ * The KRA-related info is read from the KRAInfoService, which is ++ * queried according to the KRA Connector configuration. After ++ * the KRAInfoService has been successfully contacted, the recorded ++ * KRA-related settings are regarded as authoritative. 
++ * ++ * The KRA is contacted ONLY if the current info is NOT ++ * authoritative, otherwise the currently recorded values are used. ++ * This means that any change to relevant KRA configuration (which ++ * should occur seldom if ever) necessitates restart of the CA ++ * subsystem. ++ * ++ * If this is unsuccessful (e.g. if the KRA is down or the ++ * connector is misconfigured) we use the default values, which ++ * may be incorrect. + */ + public class CAInfoService extends PKIService implements CAInfoResource { + + private static Logger logger = LoggerFactory.getLogger(InfoService.class); + ++ // is the current KRA-related info authoritative? ++ private static boolean kraInfoAuthoritative = false; ++ ++ // KRA-related fields (the initial values are only used if we ++ // did not yet receive authoritative info from KRA) ++ private static String archivalMechanism = KRAInfoService.KEYWRAP_MECHANISM; ++ private static String wrappingKeySet = "0"; ++ + @Override + public Response getInfo() throws Exception { + +@@ -45,30 +82,102 @@ public class CAInfoService extends PKIService implements CAInfoResource { + logger.debug("CAInfoService.getInfo(): session: " + session.getId()); + + CAInfo info = new CAInfo(); +- String archivalMechanism = getArchivalMechanism(); +- +- if (archivalMechanism != null) +- info.setArchivalMechanism(getArchivalMechanism()); + +- info.setWrappingKeySet(getWrappingKeySet()); ++ addKRAInfo(info); + + return createOKResponse(info); + } + +- String getArchivalMechanism() throws EBaseException { +- IConfigStore cs = CMS.getConfigStore(); +- boolean kra_present = cs.getBoolean("ca.connector.KRA.enable", false); +- if (!kra_present) return null; +- +- boolean encrypt_archival = cs.getBoolean("kra.allowEncDecrypt.archival", false); +- return encrypt_archival ? KRAInfoService.ENCRYPT_MECHANISM : KRAInfoService.KEYWRAP_MECHANISM; ++ /** ++ * Add KRA fields if KRA is configured, querying the KRA ++ * if necessary. 
++ * ++ * Apart from reading 'headers', this method doesn't access ++ * any instance data. ++ */ ++ private void addKRAInfo(CAInfo info) { ++ KRAConnectorInfo connInfo = null; ++ try { ++ KRAConnectorProcessor processor = ++ new KRAConnectorProcessor(getLocale(headers)); ++ connInfo = processor.getConnectorInfo(); ++ } catch (Throwable e) { ++ // connInfo remains as null ++ } ++ boolean kraEnabled = ++ connInfo != null ++ && "true".equalsIgnoreCase(connInfo.getEnable()); ++ ++ if (kraEnabled) { ++ if (!kraInfoAuthoritative) { ++ // KRA is enabled but we are yet to successfully ++ // query the KRA-related info. Do it now. ++ queryKRAInfo(connInfo); ++ } ++ ++ info.setArchivalMechanism(archivalMechanism); ++ info.setWrappingKeySet(wrappingKeySet); ++ } + } + +- String getWrappingKeySet() throws EBaseException { +- IConfigStore cs = CMS.getConfigStore(); +- boolean kra_present = cs.getBoolean("ca.connector.KRA.enable", false); +- if (!kra_present) return null; ++ private static void queryKRAInfo(KRAConnectorInfo connInfo) { ++ try { ++ KRAInfo kraInfo = getKRAInfoClient(connInfo).getInfo(); ++ ++ archivalMechanism = kraInfo.getArchivalMechanism(); ++ ++ // request succeeded; the KRA is 10.4 or higher, ++ // therefore supports key set v1 ++ wrappingKeySet = "1"; ++ ++ // mark info as authoritative ++ kraInfoAuthoritative = true; ++ } catch (PKIException e) { ++ if (e.getCode() == 404) { ++ // The KRAInfoResource was added in 10.4, ++ // so we are talking to a pre-10.4 KRA ++ ++ // pre-10.4 only supports key set v0 ++ wrappingKeySet = "0"; ++ ++ // pre-10.4 KRA does not advertise the archival ++ // mechanism; look for the old knob in CA's config ++ // or fall back to the default ++ IConfigStore cs = CMS.getConfigStore(); ++ boolean encrypt_archival; ++ try { ++ encrypt_archival = cs.getBoolean( ++ "kra.allowEncDecrypt.archival", false); ++ } catch (EBaseException e1) { ++ encrypt_archival = false; ++ } ++ archivalMechanism = encrypt_archival ++ ? 
KRAInfoService.ENCRYPT_MECHANISM ++ : KRAInfoService.KEYWRAP_MECHANISM; ++ ++ // mark info as authoritative ++ kraInfoAuthoritative = true; ++ } else { ++ CMS.debug("Failed to retrieve archive wrapping information from the CA: " + e); ++ CMS.debug(e); ++ } ++ } catch (Throwable e) { ++ CMS.debug("Failed to retrieve archive wrapping information from the CA: " + e); ++ CMS.debug(e); ++ } ++ } + +- return cs.getString("kra.wrappingKeySet", "1"); ++ /** ++ * Construct KRAInfoClient given KRAConnectorInfo ++ */ ++ private static KRAInfoClient getKRAInfoClient(KRAConnectorInfo connInfo) ++ throws MalformedURLException, URISyntaxException, EBaseException { ++ ClientConfig config = new ClientConfig(); ++ int port = Integer.parseInt(connInfo.getPort()); ++ config.setServerURL("https", connInfo.getHost(), port); ++ config.setCertDatabase( ++ CMS.getConfigStore().getString("instanceRoot") + "/alias"); ++ return new KRAInfoClient(new PKIClient(config), "kra"); + } ++ + } +-- +1.8.3.1 + + +From c64d6331d52dcf07108226c5dff26bd8b6c41e70 Mon Sep 17 00:00:00 2001 +From: Christian Heimes +Date: Thu, 4 May 2017 10:36:49 +0200 +Subject: [PATCH 03/10] pki.authority: Don't send header as POST body + +pki.authority was mistakenly sending headers as POST body instead of +sending an empty POST body with right headers. 
+ +Change-Id: I6a5089e55233cf72f4d8e79832150e7c45f0fdae +Signed-off-by: Christian Heimes +--- + base/common/python/pki/authority.py | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/base/common/python/pki/authority.py b/base/common/python/pki/authority.py +index 9fa459c..0d83a4b 100644 +--- a/base/common/python/pki/authority.py ++++ b/base/common/python/pki/authority.py +@@ -140,7 +140,7 @@ class AuthorityClient(object): + url = self.ca_url + '/' + str(aid) + headers = {'Content-type': 'application/json', + 'Accept': 'application/json'} +- r = self.connection.get(url, headers) ++ r = self.connection.get(url, headers=headers) + return AuthorityData.from_json(r.json()) + + @pki.handle_exceptions() +@@ -167,7 +167,7 @@ class AuthorityClient(object): + raise ValueError( + "Invalid format passed in - PEM or DER expected.") + +- r = self.connection.get(url, headers) ++ r = self.connection.get(url, headers=headers) + return r.text + + @pki.handle_exceptions() +@@ -189,7 +189,7 @@ class AuthorityClient(object): + elif output_format == "PKCS7": + headers['Accept'] = "application/pkcs7-mime" + +- r = self.connection.get(url, headers) ++ r = self.connection.get(url, headers=headers) + return r.text + + @pki.handle_exceptions() +@@ -238,7 +238,7 @@ class AuthorityClient(object): + response = self.connection.post( + self.ca_url, + create_request, +- headers) ++ headers=headers) + + new_ca = AuthorityData.from_json(response.json()) + return new_ca +@@ -257,7 +257,7 @@ class AuthorityClient(object): + headers = {'Content-type': 'application/json', + 'Accept': 'application/json'} + +- self.connection.post(url, headers) ++ self.connection.post(url, None, headers=headers) + + @pki.handle_exceptions() + def disable_ca(self, aid): +@@ -272,7 +272,7 @@ class AuthorityClient(object): + headers = {'Content-type': 'application/json', + 'Accept': 'application/json'} + +- self.connection.post(url, headers) ++ self.connection.post(url, None, 
headers=headers) + + @pki.handle_exceptions() + def delete_ca(self, aid): +@@ -287,7 +287,7 @@ class AuthorityClient(object): + headers = {'Content-type': 'application/json', + 'Accept': 'application/json'} + +- self.connection.delete(url, headers) ++ self.connection.delete(url, headers=headers) + + + encoder.NOTYPES['AuthorityData'] = AuthorityData +-- +1.8.3.1 + + +From 62a78bfa227b5e75a7cb931d7e65e824f5fe01ec Mon Sep 17 00:00:00 2001 +From: Fraser Tweedale +Date: Fri, 5 May 2017 19:54:15 +1000 +Subject: [PATCH 04/10] Fix PKCS #12 import during clone installation + +PKCS #12 export was updated to use AES / PBES2 encryption for the +key bags, but an import code path used when spawning a clone was +missed, and now fails (because it doesn't grok PBES2). + +Update it to use CryptoStore.importEncryptedPrivateKeyInfo() +instead, fixing the problem. + +Fixes: https://pagure.io/dogtagpki/issue/2677 +Change-Id: I11f26ae8a4811f27690541f2c70b3a2adb6264e9 +--- + .../cms/servlet/csadmin/ConfigurationUtils.java | 32 +++++++--------------- + 1 file changed, 10 insertions(+), 22 deletions(-) + +diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java +index ee1984b..07c64af 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java +@@ -886,9 +886,7 @@ public class ConfigurationUtils { + if (oid.equals(SafeBag.PKCS8_SHROUDED_KEY_BAG)) { + + CMS.debug(" - Bag #" + j + ": key"); +- EncryptedPrivateKeyInfo privkeyinfo = +- (EncryptedPrivateKeyInfo) bag.getInterpretedBagContent(); +- PrivateKeyInfo pkeyinfo = privkeyinfo.decrypt(password, new PasswordConverter()); ++ byte[] epki = bag.getBagContent().getEncoded(); + + SET bagAttrs = bag.getBagAttributes(); + String subjectDN = null; +@@ -910,9 +908,10 @@ public class ConfigurationUtils { + } + } + +- // 
pkeyinfo_v stores private key (PrivateKeyInfo) and subject DN (String) ++ // pkeyinfo_v stores EncryptedPrivateKeyInfo ++ // (byte[]) and subject DN (String) + Vector pkeyinfo_v = new Vector(); +- pkeyinfo_v.addElement(pkeyinfo); ++ pkeyinfo_v.addElement(epki); + if (subjectDN != null) + pkeyinfo_v.addElement(subjectDN); + +@@ -971,7 +970,7 @@ public class ConfigurationUtils { + } + } + +- importKeyCert(pkeyinfo_collection, cert_collection); ++ importKeyCert(password, pkeyinfo_collection, cert_collection); + } + + public static void verifySystemCertificates() throws Exception { +@@ -1012,6 +1011,7 @@ public class ConfigurationUtils { + } + + public static void importKeyCert( ++ Password password, + Vector> pkeyinfo_collection, + Vector> cert_collection + ) throws Exception { +@@ -1028,7 +1028,7 @@ public class ConfigurationUtils { + CMS.debug("Importing new keys:"); + for (int i = 0; i < pkeyinfo_collection.size(); i++) { + Vector pkeyinfo_v = pkeyinfo_collection.elementAt(i); +- PrivateKeyInfo pkeyinfo = (PrivateKeyInfo) pkeyinfo_v.elementAt(0); ++ byte[] epki = (byte[]) pkeyinfo_v.elementAt(0); + String nickname = (String) pkeyinfo_v.elementAt(1); + CMS.debug("- Key: " + nickname); + +@@ -1037,11 +1037,6 @@ public class ConfigurationUtils { + continue; + } + +- // encode private key +- ByteArrayOutputStream bos = new ByteArrayOutputStream(); +- pkeyinfo.encode(bos); +- byte[] pkey = bos.toByteArray(); +- + CMS.debug(" Find cert with subject DN " + nickname); + // TODO: use better mechanism to find the cert + byte[] x509cert = getX509Cert(nickname, cert_collection); +@@ -1063,16 +1058,9 @@ public class ConfigurationUtils { + // this is OK + } + +- // encrypt private key +- SymmetricKey sk = CryptoUtil.generateKey(token, KeyGenAlgorithm.DES3, 0, null, true); +- byte iv[] = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 }; +- IVParameterSpec param = new IVParameterSpec(iv); +- byte[] encpkey = CryptoUtil.encryptUsingSymmetricKey(token, sk, pkey, 
EncryptionAlgorithm.DES3_CBC_PAD, param); +- +- // unwrap private key to load into database +- KeyWrapper wrapper = token.getKeyWrapper(KeyWrapAlgorithm.DES3_CBC_PAD); +- wrapper.initUnwrap(sk, param); +- wrapper.unwrapPrivate(encpkey, getPrivateKeyType(publicKey), publicKey); ++ // import private key into database ++ store.importEncryptedPrivateKeyInfo( ++ new PasswordConverter(), password, nickname, publicKey, epki); + } + + CMS.debug("Importing new certificates:"); +-- +1.8.3.1 + + +From 3fb95590cdf0e45418fa0be7a020691567ef152a Mon Sep 17 00:00:00 2001 +From: Fraser Tweedale +Date: Fri, 5 May 2017 20:13:07 +1000 +Subject: [PATCH 05/10] Delete unused methods + +Change-Id: I81d3aa98a05208b2f5b1be3700c2e0759b387203 +--- + .../cms/servlet/csadmin/ConfigurationUtils.java | 103 --------------------- + 1 file changed, 103 deletions(-) + +diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java +index 07c64af..c9a375f 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java +@@ -1203,13 +1203,6 @@ public class ConfigurationUtils { + return null; + } + +- public static org.mozilla.jss.crypto.PrivateKey.Type getPrivateKeyType(PublicKey pubkey) { +- if (pubkey.getAlgorithm().equals("EC")) { +- return org.mozilla.jss.crypto.PrivateKey.Type.EC; +- } +- return org.mozilla.jss.crypto.PrivateKey.Type.RSA; +- } +- + public static boolean isCASigningCert(String name) throws EBaseException { + IConfigStore cs = CMS.getConfigStore(); + try { +@@ -3495,102 +3488,6 @@ public class ConfigurationUtils { + } + } + +- public static void addKeyBag(PrivateKey pkey, X509Certificate x509cert, +- Password pass, byte[] localKeyId, SEQUENCE safeContents) +- throws NoSuchAlgorithmException, InvalidBERException, InvalidKeyException, +- InvalidAlgorithmParameterException, 
NotInitializedException, TokenException, IllegalStateException, +- IllegalBlockSizeException, BadPaddingException, CharConversionException { +- +- PasswordConverter passConverter = new PasswordConverter(); +- +- SecureRandom random = SecureRandom.getInstance("SHA1PRNG"); +- byte salt[] = random.generateSeed(4); // 4 bytes salt +- byte[] priData = getEncodedKey(pkey); +- +- PrivateKeyInfo pki = (PrivateKeyInfo) +- ASN1Util.decode(PrivateKeyInfo.getTemplate(), priData); +- ASN1Value key = EncryptedPrivateKeyInfo.createPBE( +- PBEAlgorithm.PBE_SHA1_DES3_CBC, +- pass, salt, 1, passConverter, pki); +- SET keyAttrs = createBagAttrs( +- x509cert.getSubjectDN().toString(), localKeyId); +- SafeBag keyBag = new SafeBag(SafeBag.PKCS8_SHROUDED_KEY_BAG, +- key, keyAttrs); +- safeContents.addElement(keyBag); +- +- } +- +- public static byte[] addCertBag(X509Certificate x509cert, String nickname, +- SEQUENCE safeContents) throws CertificateEncodingException, NoSuchAlgorithmException, +- CharConversionException { +- byte[] localKeyId = null; +- +- ASN1Value cert = new OCTET_STRING(x509cert.getEncoded()); +- localKeyId = createLocalKeyId(x509cert); +- SET certAttrs = null; +- if (nickname != null) +- certAttrs = createBagAttrs(nickname, localKeyId); +- SafeBag certBag = new SafeBag(SafeBag.CERT_BAG, +- new CertBag(CertBag.X509_CERT_TYPE, cert), certAttrs); +- safeContents.addElement(certBag); +- +- return localKeyId; +- } +- +- public static byte[] getEncodedKey(PrivateKey pkey) throws NotInitializedException, NoSuchAlgorithmException, +- TokenException, IllegalStateException, CharConversionException, InvalidKeyException, +- InvalidAlgorithmParameterException, IllegalBlockSizeException, BadPaddingException { +- CryptoManager cm = CryptoManager.getInstance(); +- CryptoToken token = cm.getInternalKeyStorageToken(); +- KeyGenerator kg = token.getKeyGenerator(KeyGenAlgorithm.DES3); +- SymmetricKey sk = kg.generate(); +- KeyWrapper wrapper = 
token.getKeyWrapper(KeyWrapAlgorithm.DES3_CBC_PAD); +- byte iv[] = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 }; +- IVParameterSpec param = new IVParameterSpec(iv); +- wrapper.initWrap(sk, param); +- byte[] enckey = wrapper.wrap(pkey); +- Cipher c = token.getCipherContext(EncryptionAlgorithm.DES3_CBC_PAD); +- c.initDecrypt(sk, param); +- byte[] recovered = c.doFinal(enckey); +- return recovered; +- } +- +- public static byte[] createLocalKeyId(X509Certificate cert) +- throws NoSuchAlgorithmException, CertificateEncodingException { +- +- // SHA1 hash of the X509Cert der encoding +- byte certDer[] = cert.getEncoded(); +- +- MessageDigest md = MessageDigest.getInstance("SHA"); +- +- md.update(certDer); +- return md.digest(); +- +- } +- +- public static SET createBagAttrs(String nickName, byte localKeyId[]) throws CharConversionException { +- +- SET attrs = new SET(); +- SEQUENCE nickNameAttr = new SEQUENCE(); +- +- nickNameAttr.addElement(SafeBag.FRIENDLY_NAME); +- SET nickNameSet = new SET(); +- +- nickNameSet.addElement(new BMPString(nickName)); +- nickNameAttr.addElement(nickNameSet); +- attrs.addElement(nickNameAttr); +- SEQUENCE localKeyAttr = new SEQUENCE(); +- +- localKeyAttr.addElement(SafeBag.LOCAL_KEY_ID); +- SET localKeySet = new SET(); +- +- localKeySet.addElement(new OCTET_STRING(localKeyId)); +- localKeyAttr.addElement(localKeySet); +- attrs.addElement(localKeyAttr); +- return attrs; +- +- } +- + public static void createAdminCertificate(String certRequest, String certRequestType, String subject) + throws Exception { + IConfigStore cs = CMS.getConfigStore(); +-- +1.8.3.1 + + +From f26b3aaee1cf36941f387b464b937ffee1403048 Mon Sep 17 00:00:00 2001 +From: Jack Magne +Date: Fri, 5 May 2017 11:44:17 -0700 +Subject: [PATCH 06/10] Non server keygen issue in SCP03. + +Ticket 1663 Add SCP03 support: https://pagure.io/dogtagpki/issue/1663 + +We discovered a minor issue when trying to log values that don't exist when performing the non server side keygen case. 
For instance , we don't need to generate a kek session key in this case, and we were trying to print info about it to the logs. This fix allows this case to work without issue. +--- + .../server/tps/channel/SecureChannel.java | 4 +- + .../server/tps/processor/TPSProcessor.java | 51 +++++++++++++++------- + 2 files changed, 37 insertions(+), 18 deletions(-) + +diff --git a/base/tps/src/org/dogtagpki/server/tps/channel/SecureChannel.java b/base/tps/src/org/dogtagpki/server/tps/channel/SecureChannel.java +index fc5472c..5e5646b 100644 +--- a/base/tps/src/org/dogtagpki/server/tps/channel/SecureChannel.java ++++ b/base/tps/src/org/dogtagpki/server/tps/channel/SecureChannel.java +@@ -148,8 +148,8 @@ public class SecureChannel { + + CMS.debug("SecureChannel.SecureChannel: For SCP03. : "); + +- CMS.debug("kekDesKey: " + kekDesKey.toHexString()); +- CMS.debug("keyCheck: " + keyCheck.toHexString()); ++ if (keyCheck != null) ++ CMS.debug("keyCheck: " + keyCheck.toHexString()); + + this.platProtInfo = platformInfo; + this.processor = processor; +diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java +index 0cfac59..0f96915 100644 +--- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java ++++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java +@@ -33,6 +33,8 @@ import java.util.List; + import java.util.Map; + import java.util.Set; + ++import netscape.security.x509.RevocationReason; ++ + import org.dogtagpki.server.tps.TPSSession; + import org.dogtagpki.server.tps.TPSSubsystem; + import org.dogtagpki.server.tps.authentication.AuthUIParameter; +@@ -100,8 +102,6 @@ import com.netscape.cms.servlet.tks.SecureChannelProtocol; + import com.netscape.cmsutil.crypto.CryptoUtil; + import com.netscape.symkey.SessionKey; + +-import netscape.security.x509.RevocationReason; +- + public class TPSProcessor { + + public static final int RESULT_NO_ERROR = 0; +@@ -923,20 
+923,39 @@ public class TPSProcessor { + TPSBuffer drmDesKeyBuff = resp.getDRM_Trans_DesKey(); + TPSBuffer kekDesKeyBuff = resp.getKekWrappedDesKey(); + +- CMS.debug(method + " encSessionKeyBuff: " + encSessionKeyBuff.toHexString()); +- CMS.debug(method + " kekSessionKeyBuff: " + kekSessionKeyBuff.toHexString()); +- CMS.debug(method + " macSessionKeyBuff: " + macSessionKeyBuff.toHexString()); +- CMS.debug(method + " hostCryptogramBuff: " + hostCryptogramBuff.toHexString()); +- CMS.debug(method + " keyCheckBuff: " + keyCheckBuff.toHexString()); +- CMS.debug(method + " drmDessKeyBuff: " + drmDesKeyBuff.toHexString()); +- CMS.debug(method + " kekDesKeyBuff: " + kekDesKeyBuff.toHexString()); +- +- encSessionKeySCP03 = (PK11SymKey) protocol.unwrapWrappedSymKeyOnToken(token, sharedSecret, +- encSessionKeyBuff.toBytesArray(), false, SymmetricKey.AES); +- macSessionKeySCP03 = (PK11SymKey) protocol.unwrapWrappedSymKeyOnToken(token, sharedSecret, +- macSessionKeyBuff.toBytesArray(), false, SymmetricKey.AES); +- kekSessionKeySCP03 = (PK11SymKey) protocol.unwrapWrappedSymKeyOnToken(token, sharedSecret, +- kekSessionKeyBuff.toBytesArray(), false, SymmetricKey.AES); ++ if (encSessionKeyBuff != null) ++ CMS.debug(method + " encSessionKeyBuff: " + encSessionKeyBuff.toHexString()); ++ ++ if (kekSessionKeyBuff != null) ++ CMS.debug(method + " kekSessionKeyBuff: " + kekSessionKeyBuff.toHexString()); ++ ++ if (macSessionKeyBuff != null) ++ CMS.debug(method + " macSessionKeyBuff: " + macSessionKeyBuff.toHexString()); ++ ++ if (hostCryptogramBuff != null) ++ CMS.debug(method + " hostCryptogramBuff: " + hostCryptogramBuff.toHexString()); ++ ++ if (keyCheckBuff != null) ++ CMS.debug(method + " keyCheckBuff: " + keyCheckBuff.toHexString()); ++ ++ if (drmDesKeyBuff != null) ++ CMS.debug(method + " drmDessKeyBuff: " + drmDesKeyBuff.toHexString()); ++ ++ if (kekDesKeyBuff != null) ++ CMS.debug(method + " kekDesKeyBuff: " + kekDesKeyBuff.toHexString()); ++ ++ ++ if (encSessionKeyBuff != null) 
++ encSessionKeySCP03 = (PK11SymKey) protocol.unwrapWrappedSymKeyOnToken(token, sharedSecret, ++ encSessionKeyBuff.toBytesArray(), false, SymmetricKey.AES); ++ ++ if (macSessionKeyBuff != null) ++ macSessionKeySCP03 = (PK11SymKey) protocol.unwrapWrappedSymKeyOnToken(token, sharedSecret, ++ macSessionKeyBuff.toBytesArray(), false, SymmetricKey.AES); ++ ++ if (kekSessionKeyBuff != null) ++ kekSessionKeySCP03 = (PK11SymKey) protocol.unwrapWrappedSymKeyOnToken(token, sharedSecret, ++ kekSessionKeyBuff.toBytesArray(), false, SymmetricKey.AES); + + channel = new SecureChannel(this, encSessionKeySCP03, macSessionKeySCP03, kekSessionKeySCP03, + drmDesKeyBuff, kekDesKeyBuff, +-- +1.8.3.1 + + +From f84bfab30647ae1492fcdca0a026bfa4d91350c9 Mon Sep 17 00:00:00 2001 +From: Ade Lee +Date: Mon, 1 May 2017 15:56:58 -0400 +Subject: [PATCH 07/10] Make sure generated asym keys are extractable + +In HSMs, we were not able to retrieve asym keys that were +generated from the AsymKeyGenService, because the right +flags were not set (ie. set like in the server side +keygen case). + +To do this, I extracted the key generation function from +NetKeygenService to KeyRecoveryAuthority, so that it could +be used by both services. 
+ +Bugzilla BZ# 1386303 + +Change-Id: I13b5f4b602217a685acada94091e91df75e25eff +--- + .../certsrv/kra/IKeyRecoveryAuthority.java | 17 ++ + .../src/com/netscape/kra/AsymKeyGenService.java | 23 +-- + .../src/com/netscape/kra/KeyRecoveryAuthority.java | 184 ++++++++++++++++++++ + .../src/com/netscape/kra/NetkeyKeygenService.java | 185 +-------------------- + 4 files changed, 213 insertions(+), 196 deletions(-) + +diff --git a/base/common/src/com/netscape/certsrv/kra/IKeyRecoveryAuthority.java b/base/common/src/com/netscape/certsrv/kra/IKeyRecoveryAuthority.java +index a12d773..4f709e9 100644 +--- a/base/common/src/com/netscape/certsrv/kra/IKeyRecoveryAuthority.java ++++ b/base/common/src/com/netscape/certsrv/kra/IKeyRecoveryAuthority.java +@@ -17,12 +17,15 @@ + // --- END COPYRIGHT BLOCK --- + package com.netscape.certsrv.kra; + ++import java.security.KeyPair; + import java.util.Enumeration; + import java.util.Hashtable; + import java.util.Vector; + + import org.dogtagpki.legacy.policy.IPolicyProcessor; + import org.mozilla.jss.crypto.CryptoToken; ++import org.mozilla.jss.crypto.KeyPairGeneratorSpi; ++import org.mozilla.jss.crypto.PQGParams; + + import com.netscape.certsrv.base.EBaseException; + import com.netscape.certsrv.base.ISubsystem; +@@ -337,4 +340,18 @@ public interface IKeyRecoveryAuthority extends ISubsystem { + * @return + */ + public boolean isRetrievalSynchronous(String realm); ++ ++ /** ++ * Generate an asymmetric key pair. 
++ * ++ * @param alg ++ * @param keySize ++ * @param keyCurve ++ * @param pqg ++ * @param usageList - RSA only for now ++ * @return key pair ++ * @throws EBaseException ++ */ ++ public KeyPair generateKeyPair(String alg, int keySize, String keyCurve, ++ PQGParams pqg, KeyPairGeneratorSpi.Usage[] usageList) throws EBaseException; + } +diff --git a/base/kra/src/com/netscape/kra/AsymKeyGenService.java b/base/kra/src/com/netscape/kra/AsymKeyGenService.java +index 9528972..7351d50 100644 +--- a/base/kra/src/com/netscape/kra/AsymKeyGenService.java ++++ b/base/kra/src/com/netscape/kra/AsymKeyGenService.java +@@ -19,14 +19,10 @@ package com.netscape.kra; + + import java.math.BigInteger; + import java.security.KeyPair; +-import java.security.NoSuchAlgorithmException; + + import org.mozilla.jss.crypto.CryptoToken; +-import org.mozilla.jss.crypto.KeyPairAlgorithm; +-import org.mozilla.jss.crypto.KeyPairGenerator; + import org.mozilla.jss.crypto.KeyPairGeneratorSpi; + import org.mozilla.jss.crypto.PrivateKey; +-import org.mozilla.jss.crypto.TokenException; + + import com.netscape.certsrv.apps.CMS; + import com.netscape.certsrv.base.EBaseException; +@@ -42,7 +38,6 @@ import com.netscape.certsrv.request.IRequest; + import com.netscape.certsrv.request.IService; + import com.netscape.certsrv.request.RequestId; + import com.netscape.certsrv.security.IStorageKeyUnit; +-import com.netscape.cms.servlet.key.KeyRequestDAO; + import com.netscape.cmscore.dbs.KeyRecord; + + import netscape.security.util.WrappingParams; +@@ -132,8 +127,6 @@ public class AsymKeyGenService implements IService { + CMS.debug("AsymKeyGenService.serviceRequest. 
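Review bot: The Javadoc added for `generateKeyPair` leaves the `@param alg`, `@param keySize`, `@param keyCurve` and `@param pqg` tags empty, so the contract of this new public interface method is undocumented. From the implementation in the same patch I would fill them as `@param alg "RSA" or "EC"; any other value is treated as DSA`, `@param keyCurve named curve, used only for EC`, `@param pqg DSA domain parameters, or null to let the token derive them from keySize`, and extend the `usageList` tag to say it is ignored for EC, where the implementation applies a fixed usage mask of its own. The EC path returns null instead of throwing when generation fails, so the `@return` tag should say so unless that behaviour is changed.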
Request id: " + request.getRequestId()); + CMS.debug("AsymKeyGenService.serviceRequest algorithm: " + algorithm); + +- KeyPairAlgorithm keyPairAlgorithm = KeyRequestDAO.ASYMKEY_GEN_ALGORITHMS.get(algorithm.toUpperCase()); +- + String owner = request.getExtDataInString(IRequest.ATTR_REQUEST_OWNER); + String auditSubjectID = owner; + +@@ -141,16 +134,18 @@ public class AsymKeyGenService implements IService { + CryptoToken token = kra.getKeygenToken(); + + // Generating the asymmetric keys +- KeyPairGenerator keyPairGen = null; + KeyPair kp = null; + + try { +- keyPairGen = token.getKeyPairGenerator(keyPairAlgorithm); +- keyPairGen.initialize(keySize); +- if (usageList != null) +- keyPairGen.setKeyPairUsages(usageList, usageList); +- kp = keyPairGen.genKeyPair(); +- } catch (NoSuchAlgorithmException | TokenException e) { ++ kp = kra.generateKeyPair( ++ algorithm.toUpperCase(), ++ keySize, ++ null, // keyCurve for ECC, not yet supported ++ null, // PQG not yet supported ++ usageList ++ ); ++ ++ } catch (EBaseException e) { + CMS.debugStackTrace(); + auditAsymKeyGenRequestProcessed(auditSubjectID, ILogger.FAILURE, request.getRequestId(), + clientKeyId, null, "Failed to generate Asymmetric key"); +diff --git a/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java b/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java +index ec920e6..54953d1 100644 +--- a/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java ++++ b/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java +@@ -20,6 +20,10 @@ package com.netscape.kra; + import java.io.ByteArrayOutputStream; + import java.io.IOException; + import java.math.BigInteger; ++import java.security.InvalidAlgorithmParameterException; ++import java.security.InvalidParameterException; ++import java.security.KeyPair; ++import java.security.NoSuchAlgorithmException; + import java.security.cert.CertificateEncodingException; + import java.security.cert.CertificateException; + import java.security.cert.X509Certificate; +@@ -32,6 
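Review bot: Dropping the `KeyRequestDAO.ASYMKEY_GEN_ALGORITHMS` lookup removes the only place this service validated the requested algorithm: `algorithm.toUpperCase()` now goes straight to `kra.generateKeyPair`, whose String overload in this series maps anything that is not `"RSA"` or `"EC"` to `KeyPairAlgorithm.DSA`, so a request carrying an unsupported or mistyped algorithm generates and archives a DSA key instead of failing. Since `algorithm` is read from the request's ext data, I would keep an explicit whitelist ahead of the try block, e.g. `if (!KeyRequestDAO.ASYMKEY_GEN_ALGORITHMS.containsKey(algorithm.toUpperCase())) throw new EBaseException("Unsupported asymmetric key generation algorithm: " + algorithm);` (which means keeping the `KeyRequestDAO` import this patch removes). Note also that the new `catch (EBaseException e)` cannot see the EC path's null-return-on-failure, so the later `kp.getPrivate()` call in this service needs a null guard; that call is outside this hunk. The enclosing `serviceRequest` method starts and ends outside the hunk.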
+36,12 @@ import org.dogtagpki.legacy.kra.KRAPolicy; + import org.dogtagpki.legacy.policy.IPolicyProcessor; + import org.mozilla.jss.NoSuchTokenException; + import org.mozilla.jss.crypto.CryptoToken; ++import org.mozilla.jss.crypto.KeyPairAlgorithm; ++import org.mozilla.jss.crypto.KeyPairGenerator; ++import org.mozilla.jss.crypto.KeyPairGeneratorSpi; ++import org.mozilla.jss.crypto.PQGParamGenException; ++import org.mozilla.jss.crypto.PQGParams; ++import org.mozilla.jss.crypto.TokenException; + + import com.netscape.certsrv.apps.CMS; + import com.netscape.certsrv.authority.IAuthority; +@@ -1816,4 +1826,178 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove + + return agents; + } ++ ++ public KeyPair generateKeyPair(String alg, int keySize, String keyCurve, ++ PQGParams pqg, KeyPairGeneratorSpi.Usage[] usageList) throws EBaseException { ++ KeyPairAlgorithm kpAlg = null; ++ ++ if (alg.equals("RSA")) ++ kpAlg = KeyPairAlgorithm.RSA; ++ else if (alg.equals("EC")) ++ kpAlg = KeyPairAlgorithm.EC; ++ else ++ kpAlg = KeyPairAlgorithm.DSA; ++ ++ try { ++ KeyPair kp = generateKeyPair(kpAlg, keySize, keyCurve, pqg, usageList); ++ ++ return kp; ++ } catch (InvalidParameterException e) { ++ throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_KEYSIZE_PARAMS", ++ "" + keySize)); ++ } catch (PQGParamGenException e) { ++ throw new EBaseException(CMS.getUserMessage("CMS_BASE_PQG_GEN_FAILED")); ++ } catch (NoSuchAlgorithmException e) { ++ throw new EBaseException(CMS.getUserMessage("CMS_BASE_ALG_NOT_SUPPORTED", ++ kpAlg.toString())); ++ } catch (TokenException e) { ++ throw new EBaseException(CMS.getUserMessage("CMS_BASE_TOKEN_ERROR_1", e.toString())); ++ } catch (InvalidAlgorithmParameterException e) { ++ throw new EBaseException(CMS.getUserMessage("CMS_BASE_ALG_NOT_SUPPORTED", "DSA")); ++ } ++ } ++ ++ public KeyPair generateKeyPair( ++ KeyPairAlgorithm kpAlg, int keySize, String keyCurve, PQGParams pqg, ++ KeyPairGeneratorSpi.Usage[] 
usageList ) ++ throws NoSuchAlgorithmException, TokenException, InvalidAlgorithmParameterException, ++ InvalidParameterException, PQGParamGenException { ++ ++ CryptoToken token = getKeygenToken(); ++ ++ CMS.debug("NetkeyKeygenService: key pair is to be generated on slot: " + token.getName()); ++ ++ /* ++ make it temporary so can work with HSM ++ netHSM works with ++ temporary == true ++ sensitive == ++ extractable == ++ LunaSA2 works with ++ temporary == true ++ sensitive == true ++ extractable == true ++ */ ++ KeyPairGenerator kpGen = token.getKeyPairGenerator(kpAlg); ++ IConfigStore config = CMS.getConfigStore(); ++ IConfigStore kgConfig = config.getSubStore("kra.keygen"); ++ boolean tp = false; ++ boolean sp = false; ++ boolean ep = false; ++ if ((kgConfig != null) && (!kgConfig.equals(""))) { ++ try { ++ tp = kgConfig.getBoolean("temporaryPairs", false); ++ sp = kgConfig.getBoolean("sensitivePairs", false); ++ ep = kgConfig.getBoolean("extractablePairs", false); ++ CMS.debug("NetkeyKeygenService: found config store: kra.keygen"); ++ // by default, let nethsm work ++ if ((tp == false) && (sp == false) && (ep == false)) { ++ if (kpAlg == KeyPairAlgorithm.EC) { ++ // set to what works for nethsm ++ tp = true; ++ sp = false; ++ ep = true; ++ } else ++ tp = true; ++ } ++ } catch (Exception e) { ++ CMS.debug("NetkeyKeygenService: kgConfig.getBoolean failed"); ++ // by default, let nethsm work ++ tp = true; ++ } ++ } else { ++ // by default, let nethsm work ++ CMS.debug("NetkeyKeygenService: cannot find config store: kra.keygen, assume temporaryPairs==true"); ++ if (kpAlg == KeyPairAlgorithm.EC) { ++ // set to what works for nethsm ++ tp = true; ++ sp = false; ++ ep = true; ++ } else { ++ tp = true; ++ } ++ } ++ ++ if (kpAlg == KeyPairAlgorithm.EC) { ++ ++ boolean isECDHE = false; ++ KeyPair pair = null; ++ ++ // used with isECDHE == true ++ org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage usages_mask_ECDSA[] = { ++ 
org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage.DERIVE ++ }; ++ ++ // used with isECDHE == false ++ org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage usages_mask_ECDH[] = { ++ org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage.SIGN, ++ org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage.SIGN_RECOVER ++ }; ++ ++ try { ++ pair = CryptoUtil.generateECCKeyPair(token.getName(), ++ keyCurve /*ECC_curve default*/, ++ null, ++ (isECDHE==true) ? usages_mask_ECDSA: usages_mask_ECDH, ++ tp /*temporary*/, sp? 1:0 /*sensitive*/, ep? 1:0 /*extractable*/); ++ CMS.debug("NetkeyKeygenService: after key pair generation" ); ++ } catch (Exception e) { ++ CMS.debug("NetkeyKeygenService: key pair generation with exception:"+e.toString()); ++ } ++ return pair; ++ ++ } else { // !EC ++ //only specified to "true" will it be set ++ if (tp == true) { ++ CMS.debug("NetkeyKeygenService: setting temporaryPairs to true"); ++ kpGen.temporaryPairs(true); ++ } ++ ++ if (sp == true) { ++ CMS.debug("NetkeyKeygenService: setting sensitivePairs to true"); ++ kpGen.sensitivePairs(true); ++ } ++ ++ if (ep == true) { ++ CMS.debug("NetkeyKeygenService: setting extractablePairs to true"); ++ kpGen.extractablePairs(true); ++ } ++ ++ if (kpAlg == KeyPairAlgorithm.DSA) { ++ if (pqg == null) { ++ kpGen.initialize(keySize); ++ } else { ++ kpGen.initialize(pqg); ++ } ++ } else { ++ kpGen.initialize(keySize); ++ } ++ ++ if (usageList != null) ++ kpGen.setKeyPairUsages(usageList, usageList); ++ ++ if (pqg == null) { ++ KeyPair kp = null; ++ synchronized (new Object()) { ++ CMS.debug("NetkeyKeygenService: key pair generation begins"); ++ kp = kpGen.genKeyPair(); ++ CMS.debug("NetkeyKeygenService: key pair generation done"); ++ addEntropy(true); ++ } ++ return kp; ++ } else { ++ // DSA ++ KeyPair kp = null; ++ ++ /* no DSA for now... 
netkey prototype ++ do { ++ // 602548 NSS bug - to overcome it, we use isBadDSAKeyPair ++ kp = kpGen.genKeyPair(); ++ } ++ while (isBadDSAKeyPair(kp)); ++ */ ++ return kp; ++ } ++ } ++ } + } +diff --git a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java +index e09eb42..f068a4a 100644 +--- a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java ++++ b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java +@@ -23,11 +23,8 @@ import java.io.FilterOutputStream; + import java.io.IOException; + import java.io.PrintStream; + import java.math.BigInteger; +-import java.security.InvalidAlgorithmParameterException; + import java.security.InvalidKeyException; +-import java.security.InvalidParameterException; + import java.security.KeyPair; +-import java.security.NoSuchAlgorithmException; + import java.security.SecureRandom; + + import org.mozilla.jss.asn1.ASN1Util; +@@ -35,21 +32,15 @@ import org.mozilla.jss.crypto.CryptoToken; + import org.mozilla.jss.crypto.EncryptionAlgorithm; + import org.mozilla.jss.crypto.IVParameterSpec; + import org.mozilla.jss.crypto.KeyGenAlgorithm; +-import org.mozilla.jss.crypto.KeyPairAlgorithm; +-import org.mozilla.jss.crypto.KeyPairGenerator; + import org.mozilla.jss.crypto.KeyWrapAlgorithm; +-import org.mozilla.jss.crypto.PQGParamGenException; +-import org.mozilla.jss.crypto.PQGParams; + import org.mozilla.jss.crypto.PrivateKey; + import org.mozilla.jss.crypto.SymmetricKey; +-import org.mozilla.jss.crypto.TokenException; + import org.mozilla.jss.pkcs11.PK11SymKey; + import org.mozilla.jss.pkix.crmf.PKIArchiveOptions; + import org.mozilla.jss.util.Base64OutputStream; + + import com.netscape.certsrv.apps.CMS; + import com.netscape.certsrv.base.EBaseException; +-import com.netscape.certsrv.base.IConfigStore; + import com.netscape.certsrv.base.MetaInfo; + import com.netscape.certsrv.base.SessionContext; + import com.netscape.certsrv.dbs.keydb.IKeyRecord; +@@ -122,177 +113,6 @@ public 
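Review bot: In the EC branch the `catch (Exception e)` around `CryptoUtil.generateECCKeyPair` only writes the exception to the debug log and then returns the still-null `pair`, so HSM or curve failures reach callers as a null key pair instead of one of the declared exceptions; `NetkeyKeygenService` null-checks the result, but this method is now also the path behind `AsymKeyGenService`, where the visible catch handles only `EBaseException`. I would rethrow as a declared type, `throw new TokenException("EC key pair generation failed: " + e);`, or else document the null return. `synchronized (new Object())` locks a fresh object on every call and therefore serializes nothing; if the intent is to serialize `genKeyPair` plus `addEntropy`, lock a shared monitor such as `synchronized (this)`, otherwise remove the block. Two smaller points: the moved code still logs under the `NetkeyKeygenService:` prefix although it now lives in `KeyRecoveryAuthority`, and `usages_mask_ECDSA` holds `DERIVE` while `usages_mask_ECDH` holds `SIGN`/`SIGN_RECOVER`, so the two names are swapped relative to their contents. The hard-coded defaults that make EC private keys non-sensitive and extractable on the token (`sp = false; ep = true`) deserve a one-line comment explaining why that weakening is acceptable for a KRA.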
class NetkeyKeygenService implements IService { + return archOpts; + } + +- public KeyPair generateKeyPair( +- KeyPairAlgorithm kpAlg, int keySize, String keyCurve, PQGParams pqg) +- throws NoSuchAlgorithmException, TokenException, InvalidAlgorithmParameterException, +- InvalidParameterException, PQGParamGenException { +- +- CryptoToken token = mKRA.getKeygenToken(); +- +- CMS.debug("NetkeyKeygenService: key pair is to be generated on slot: " + token.getName()); +- +- /* +- make it temporary so can work with HSM +- netHSM works with +- temporary == true +- sensitive == +- extractable == +- LunaSA2 works with +- temporary == true +- sensitive == true +- extractable == true +- */ +- KeyPairGenerator kpGen = token.getKeyPairGenerator(kpAlg); +- IConfigStore config = CMS.getConfigStore(); +- IConfigStore kgConfig = config.getSubStore("kra.keygen"); +- boolean tp = false; +- boolean sp = false; +- boolean ep = false; +- if ((kgConfig != null) && (!kgConfig.equals(""))) { +- try { +- tp = kgConfig.getBoolean("temporaryPairs", false); +- sp = kgConfig.getBoolean("sensitivePairs", false); +- ep = kgConfig.getBoolean("extractablePairs", false); +- CMS.debug("NetkeyKeygenService: found config store: kra.keygen"); +- // by default, let nethsm work +- if ((tp == false) && (sp == false) && (ep == false)) { +- if (kpAlg == KeyPairAlgorithm.EC) { +- // set to what works for nethsm +- tp = true; +- sp = false; +- ep = true; +- } else +- tp = true; +- } +- } catch (Exception e) { +- CMS.debug("NetkeyKeygenService: kgConfig.getBoolean failed"); +- // by default, let nethsm work +- tp = true; +- } +- } else { +- // by default, let nethsm work +- CMS.debug("NetkeyKeygenService: cannot find config store: kra.keygen, assume temporaryPairs==true"); +- if (kpAlg == KeyPairAlgorithm.EC) { +- // set to what works for nethsm +- tp = true; +- sp = false; +- ep = true; +- } else { +- tp = true; +- } +- } +- +- if (kpAlg == KeyPairAlgorithm.EC) { +- +- boolean isECDHE = false; +- KeyPair pair = 
null; +- +- // used with isECDHE == true +- org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage usages_mask_ECDSA[] = { +- org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage.DERIVE +- }; +- +- // used with isECDHE == false +- org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage usages_mask_ECDH[] = { +- org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage.SIGN, +- org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage.SIGN_RECOVER +- }; +- +- try { +- pair = CryptoUtil.generateECCKeyPair(token.getName(), +- keyCurve /*ECC_curve default*/, +- null, +- (isECDHE==true) ? usages_mask_ECDSA: usages_mask_ECDH, +- tp /*temporary*/, sp? 1:0 /*sensitive*/, ep? 1:0 /*extractable*/); +- CMS.debug("NetkeyKeygenService: after key pair generation" ); +- } catch (Exception e) { +- CMS.debug("NetkeyKeygenService: key pair generation with exception:"+e.toString()); +- } +- return pair; +- +- } else { // !EC +- //only specified to "true" will it be set +- if (tp == true) { +- CMS.debug("NetkeyKeygenService: setting temporaryPairs to true"); +- kpGen.temporaryPairs(true); +- } +- +- if (sp == true) { +- CMS.debug("NetkeyKeygenService: setting sensitivePairs to true"); +- kpGen.sensitivePairs(true); +- } +- +- if (ep == true) { +- CMS.debug("NetkeyKeygenService: setting extractablePairs to true"); +- kpGen.extractablePairs(true); +- } +- +- if (kpAlg == KeyPairAlgorithm.DSA) { +- if (pqg == null) { +- kpGen.initialize(keySize); +- } else { +- kpGen.initialize(pqg); +- } +- } else { +- kpGen.initialize(keySize); +- } +- +- if (pqg == null) { +- KeyPair kp = null; +- synchronized (new Object()) { +- CMS.debug("NetkeyKeygenService: key pair generation begins"); +- kp = kpGen.genKeyPair(); +- CMS.debug("NetkeyKeygenService: key pair generation done"); +- mKRA.addEntropy(true); +- } +- return kp; +- } else { +- // DSA +- KeyPair kp = null; +- +- /* no DSA for now... 
netkey prototype +- do { +- // 602548 NSS bug - to overcome it, we use isBadDSAKeyPair +- kp = kpGen.genKeyPair(); +- } +- while (isBadDSAKeyPair(kp)); +- */ +- return kp; +- } +- } +- } +- +- public KeyPair generateKeyPair(String alg, +- int keySize, String keyCurve, PQGParams pqg) throws EBaseException { +- +- KeyPairAlgorithm kpAlg = null; +- +- if (alg.equals("RSA")) +- kpAlg = KeyPairAlgorithm.RSA; +- else if (alg.equals("EC")) +- kpAlg = KeyPairAlgorithm.EC; +- else +- kpAlg = KeyPairAlgorithm.DSA; +- +- try { +- KeyPair kp = generateKeyPair(kpAlg, keySize, keyCurve, pqg); +- +- return kp; +- } catch (InvalidParameterException e) { +- throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_KEYSIZE_PARAMS", +- "" + keySize)); +- } catch (PQGParamGenException e) { +- throw new EBaseException(CMS.getUserMessage("CMS_BASE_PQG_GEN_FAILED")); +- } catch (NoSuchAlgorithmException e) { +- throw new EBaseException(CMS.getUserMessage("CMS_BASE_ALG_NOT_SUPPORTED", +- kpAlg.toString())); +- } catch (TokenException e) { +- throw new EBaseException(CMS.getUserMessage("CMS_BASE_TOKEN_ERROR_1", e.toString())); +- } catch (InvalidAlgorithmParameterException e) { +- throw new EBaseException(CMS.getUserMessage("CMS_BASE_ALG_NOT_SUPPORTED", "DSA")); +- } +- } +- + private static String base64Encode(byte[] bytes) throws IOException { + // All this streaming is lame, but Base64OutputStream needs a + // PrintStream +@@ -430,10 +250,11 @@ public class NetkeyKeygenService implements IService { + + CMS.debug("NetkeyKeygenService: about to generate key pair"); + +- keypair = generateKeyPair(rKeytype /* rKeytype: "RSA" or "EC" */, ++ keypair = mKRA.generateKeyPair(rKeytype /* rKeytype: "RSA" or "EC" */, + keysize /*Integer.parseInt(len)*/, + rKeycurve /* for "EC" only */, +- null /*pqgParams*/); ++ null /*pqgParams*/, ++ null /* usageList*/); + + if (keypair == null) { + CMS.debug("NetkeyKeygenService: failed generating key pair for " + rCUID + ":" + rUserid); +-- +1.8.3.1 + + 
+From bea446868e282955d9c70028be657530eaccbe29 Mon Sep 17 00:00:00 2001 +From: Ade Lee +Date: Mon, 1 May 2017 18:25:59 -0400 +Subject: [PATCH 08/10] Use AES-CBC in storage unit for archival in key + wrapping + +When AES-KW or AES-KWP is not available, we need to be sure to use +a key wrap algorithm that is available for keywrap. This would +be AES-CBC. Removes some TODOs. + +Refactor so that getWrappingParams is only defined on the StorageUnit, +which is where it makes sense in any case. + +Part of Bugzilla BZ# 1386303 + +Change-Id: I28711f7fe0a00e9d12d26c6e170fb125418d6d51 +--- + .../src/com/netscape/certsrv/security/IEncryptionUnit.java | 2 -- + .../src/com/netscape/certsrv/security/IStorageKeyUnit.java | 6 ++++++ + base/kra/src/com/netscape/kra/AsymKeyGenService.java | 11 +++-------- + base/kra/src/com/netscape/kra/EncryptionUnit.java | 2 -- + base/kra/src/com/netscape/kra/EnrollmentService.java | 2 +- + base/kra/src/com/netscape/kra/NetkeyKeygenService.java | 7 +++++-- + base/kra/src/com/netscape/kra/SecurityDataProcessor.java | 2 +- + base/kra/src/com/netscape/kra/StorageKeyUnit.java | 12 +++++++++++- + base/kra/src/com/netscape/kra/SymKeyGenService.java | 7 +++++-- + base/kra/src/com/netscape/kra/TransportKeyUnit.java | 4 ---- + 10 files changed, 32 insertions(+), 23 deletions(-) + +diff --git a/base/common/src/com/netscape/certsrv/security/IEncryptionUnit.java b/base/common/src/com/netscape/certsrv/security/IEncryptionUnit.java +index add15cb..e55713d 100644 +--- a/base/common/src/com/netscape/certsrv/security/IEncryptionUnit.java ++++ b/base/common/src/com/netscape/certsrv/security/IEncryptionUnit.java +@@ -63,7 +63,5 @@ public interface IEncryptionUnit extends IToken { + SymmetricKey.Usage usage, WrappingParams params) throws Exception; + + +- public WrappingParams getWrappingParams() throws Exception; +- + public WrappingParams getOldWrappingParams(); + } +diff --git a/base/common/src/com/netscape/certsrv/security/IStorageKeyUnit.java 
b/base/common/src/com/netscape/certsrv/security/IStorageKeyUnit.java +index cd94143..bfc6012 100644 +--- a/base/common/src/com/netscape/certsrv/security/IStorageKeyUnit.java ++++ b/base/common/src/com/netscape/certsrv/security/IStorageKeyUnit.java +@@ -174,4 +174,10 @@ public interface IStorageKeyUnit extends IEncryptionUnit { + public PrivateKey unwrap(byte privateKey[], PublicKey pubKey, boolean temporary, + WrappingParams params) throws Exception; + ++ /** ++ * Get the wrapping parameters for this storage unit ++ * ++ */ ++ public WrappingParams getWrappingParams(boolean encrypt) throws Exception; ++ + } +diff --git a/base/kra/src/com/netscape/kra/AsymKeyGenService.java b/base/kra/src/com/netscape/kra/AsymKeyGenService.java +index 7351d50..cfee504 100644 +--- a/base/kra/src/com/netscape/kra/AsymKeyGenService.java ++++ b/base/kra/src/com/netscape/kra/AsymKeyGenService.java +@@ -20,7 +20,6 @@ package com.netscape.kra; + import java.math.BigInteger; + import java.security.KeyPair; + +-import org.mozilla.jss.crypto.CryptoToken; + import org.mozilla.jss.crypto.KeyPairGeneratorSpi; + import org.mozilla.jss.crypto.PrivateKey; + +@@ -68,7 +67,7 @@ public class AsymKeyGenService implements IService { + + @Override + public boolean serviceRequest(IRequest request) throws EBaseException { +- IConfigStore cs = CMS.getConfigStore(); ++ IConfigStore configStore = CMS.getConfigStore(); + String clientKeyId = request.getExtDataInString(IRequest.SECURITY_DATA_CLIENT_KEY_ID); + String algorithm = request.getExtDataInString(IRequest.KEY_GEN_ALGORITHM); + +@@ -77,7 +76,7 @@ public class AsymKeyGenService implements IService { + + String realm = request.getRealm(); + +- boolean allowEncDecrypt_archival = cs.getBoolean("kra.allowEncDecrypt.archival", false); ++ boolean allowEncDecrypt_archival = configStore.getBoolean("kra.allowEncDecrypt.archival", false); + + KeyPairGeneratorSpi.Usage[] usageList = null; + String usageStr = request.getExtDataInString(IRequest.KEY_GEN_USAGES); +@@ 
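Review bot: The new `getWrappingParams(boolean encrypt)` declaration adds a boolean whose meaning is not documented, and the name does not match how it is used: every caller in this series passes the `kra.allowEncDecrypt.archival` setting, and the `StorageKeyUnit` implementation uses a true value to replace AES key-wrap with AES-CBC-PAD and a freshly generated IV. I would write the Javadoc as `@param encrypt true when the payload will be encrypted rather than key-wrapped (the kra.allowEncDecrypt.archival setting); in that case an AES-KW/AES-KWP payload wrap algorithm is replaced by AES/CBC/PKCS5 padding with a new random IV` and consider renaming the parameter to `allowEncDecrypt` so the call sites read correctly.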
-130,9 +129,6 @@ public class AsymKeyGenService implements IService { + String owner = request.getExtDataInString(IRequest.ATTR_REQUEST_OWNER); + String auditSubjectID = owner; + +- // Get the token +- CryptoToken token = kra.getKeygenToken(); +- + // Generating the asymmetric keys + KeyPair kp = null; + +@@ -162,8 +158,7 @@ public class AsymKeyGenService implements IService { + WrappingParams params = null; + + try { +- // TODO(alee) What happens if key wrap algorithm is not supported? +- params = storageUnit.getWrappingParams(); ++ params = storageUnit.getWrappingParams(allowEncDecrypt_archival); + privateSecurityData = storageUnit.wrap((PrivateKey) kp.getPrivate(), params); + } catch (Exception e) { + CMS.debug("Failed to generate security data to archive: " + e); +diff --git a/base/kra/src/com/netscape/kra/EncryptionUnit.java b/base/kra/src/com/netscape/kra/EncryptionUnit.java +index 02a4ca1..b460c9e 100644 +--- a/base/kra/src/com/netscape/kra/EncryptionUnit.java ++++ b/base/kra/src/com/netscape/kra/EncryptionUnit.java +@@ -67,8 +67,6 @@ public abstract class EncryptionUnit implements IEncryptionUnit { + + public abstract PrivateKey getPrivateKey(org.mozilla.jss.crypto.X509Certificate cert); + +- public abstract WrappingParams getWrappingParams() throws Exception; +- + public WrappingParams getOldWrappingParams() { + return new WrappingParams( + SymmetricKey.DES3, KeyGenAlgorithm.DES3, 168, +diff --git a/base/kra/src/com/netscape/kra/EnrollmentService.java b/base/kra/src/com/netscape/kra/EnrollmentService.java +index a200c34..e413a06 100644 +--- a/base/kra/src/com/netscape/kra/EnrollmentService.java ++++ b/base/kra/src/com/netscape/kra/EnrollmentService.java +@@ -396,7 +396,7 @@ public class EnrollmentService implements IService { + WrappingParams params = null; + + try { +- params = mStorageUnit.getWrappingParams(); ++ params = mStorageUnit.getWrappingParams(allowEncDecrypt_archival); + if (allowEncDecrypt_archival == true) { + privateKeyData = 
mStorageUnit.encryptInternalPrivate(unwrapped, params); + } else { +diff --git a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java +index f068a4a..636e93e 100644 +--- a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java ++++ b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java +@@ -41,6 +41,7 @@ import org.mozilla.jss.util.Base64OutputStream; + + import com.netscape.certsrv.apps.CMS; + import com.netscape.certsrv.base.EBaseException; ++import com.netscape.certsrv.base.IConfigStore; + import com.netscape.certsrv.base.MetaInfo; + import com.netscape.certsrv.base.SessionContext; + import com.netscape.certsrv.dbs.keydb.IKeyRecord; +@@ -155,6 +156,9 @@ public class NetkeyKeygenService implements IService { + + IVParameterSpec algParam = new IVParameterSpec(iv); + ++ IConfigStore configStore = CMS.getConfigStore(); ++ boolean allowEncDecrypt_archival = configStore.getBoolean("kra.allowEncDecrypt.archival", false); ++ + wrapped_des_key = null; + boolean archive = true; + byte[] publicKeyData = null; +@@ -405,8 +409,7 @@ public class NetkeyKeygenService implements IService { + WrappingParams params = null; + + try { +- // TODO(alee) What happens if key wrap algorithm is not supported? 
+- params = mStorageUnit.getWrappingParams(); ++ params = mStorageUnit.getWrappingParams(allowEncDecrypt_archival); + privateKeyData = mStorageUnit.wrap((org.mozilla.jss.crypto.PrivateKey) privKey, params); + } catch (Exception e) { + request.setExtData(IRequest.RESULT, Integer.valueOf(4)); +diff --git a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java +index 701b611..95d07c4 100644 +--- a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java ++++ b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java +@@ -217,7 +217,7 @@ public class SecurityDataProcessor { + boolean doEncrypt = false; + + try { +- params = storageUnit.getWrappingParams(); ++ params = storageUnit.getWrappingParams(allowEncDecrypt_archival); + if (securitySymKey != null && unwrapped == null) { + privateSecurityData = storageUnit.wrap(securitySymKey, params); + } else if (unwrapped != null && allowEncDecrypt_archival == true) { +diff --git a/base/kra/src/com/netscape/kra/StorageKeyUnit.java b/base/kra/src/com/netscape/kra/StorageKeyUnit.java +index 3e7f1de..1df30f6 100644 +--- a/base/kra/src/com/netscape/kra/StorageKeyUnit.java ++++ b/base/kra/src/com/netscape/kra/StorageKeyUnit.java +@@ -133,7 +133,7 @@ public class StorageKeyUnit extends EncryptionUnit implements + throw new EBaseException(CMS.getUserMessage("CMS_INVALID_OPERATION")); + } + +- public WrappingParams getWrappingParams() throws Exception { ++ public WrappingParams getWrappingParams(boolean encrypt) throws Exception { + String choice = null; + try { + choice = mConfig.getString(PROP_WRAPPING_CHOICE); +@@ -177,6 +177,16 @@ public class StorageKeyUnit extends EncryptionUnit implements + KeyRecordParser.OUT_PL_WRAP_IV_LEN); + if (iv != null) params.setPayloadWrappingIV(new IVParameterSpec(iv)); + ++ if (encrypt) { ++ // Some HSMs have not yet implemented AES-KW. 
Use AES-CBC-PAD instead ++ if (params.getPayloadWrapAlgorithm().equals(KeyWrapAlgorithm.AES_KEY_WRAP) || ++ params.getPayloadWrapAlgorithm().equals(KeyWrapAlgorithm.AES_KEY_WRAP_PAD)) { ++ params.setPayloadWrapAlgorithm(KeyWrapAlgorithm.AES_CBC_PAD); ++ iv = CryptoUtil.getNonceData(16); ++ params.setPayloadWrappingIV(new IVParameterSpec(iv)); ++ } ++ } ++ + return params; + } + +diff --git a/base/kra/src/com/netscape/kra/SymKeyGenService.java b/base/kra/src/com/netscape/kra/SymKeyGenService.java +index c1830ec..bf350d5 100644 +--- a/base/kra/src/com/netscape/kra/SymKeyGenService.java ++++ b/base/kra/src/com/netscape/kra/SymKeyGenService.java +@@ -29,6 +29,7 @@ import org.mozilla.jss.crypto.SymmetricKey; + + import com.netscape.certsrv.apps.CMS; + import com.netscape.certsrv.base.EBaseException; ++import com.netscape.certsrv.base.IConfigStore; + import com.netscape.certsrv.dbs.keydb.IKeyRecord; + import com.netscape.certsrv.dbs.keydb.IKeyRepository; + import com.netscape.certsrv.key.KeyRequestResource; +@@ -107,6 +108,9 @@ public class SymKeyGenService implements IService { + throw new EBaseException("Bad data in SymKeyGenService.serviceRequest"); + } + ++ IConfigStore configStore = CMS.getConfigStore(); ++ boolean allowEncDecrypt_archival = configStore.getBoolean("kra.allowEncDecrypt.archival", false); ++ + CryptoToken token = mStorageUnit.getToken(); + KeyGenAlgorithm kgAlg = KeyRequestDAO.SYMKEY_GEN_ALGORITHMS.get(algorithm); + if (kgAlg == null) { +@@ -170,8 +174,7 @@ public class SymKeyGenService implements IService { + } + + try { +- // TODO(alee) what happens if key wrap algorithm is not supported? 
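Review bot: The substitution of `AES_CBC_PAD` for `AES_KEY_WRAP`/`AES_KEY_WRAP_PAD` happens unconditionally whenever `encrypt` is true, although the comment justifies it by HSMs that lack AES-KW; on a token that does support key wrap this silently downgrades archived keys from an integrity-checked wrap (AES-KW verifies its integrity value on unwrap) to plain CBC with PKCS padding, which detects neither truncation nor tampering of the stored blob. I would gate the fallback on the token actually lacking the algorithm, or on an explicit config key next to `PROP_WRAPPING_CHOICE`, and log when it fires, e.g. `CMS.debug("StorageKeyUnit: AES-KW not usable on this token, falling back to AES/CBC/PKCS5Padding for payload wrapping");`. Because `params` is mutated after the configured algorithm and IV were read, make sure the key record persists the substituted algorithm and IV rather than the configured ones, otherwise recovery will unwrap with the wrong parameters; that persistence is outside this hunk. The enclosing method starts outside the hunk.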
+- params = mStorageUnit.getWrappingParams(); ++ params = mStorageUnit.getWrappingParams(allowEncDecrypt_archival); + privateSecurityData = mStorageUnit.wrap(sk, params); + } catch (Exception e) { + CMS.debug("Failed to generate security data to archive: " + e); +diff --git a/base/kra/src/com/netscape/kra/TransportKeyUnit.java b/base/kra/src/com/netscape/kra/TransportKeyUnit.java +index 513c0b2..fc66e66 100644 +--- a/base/kra/src/com/netscape/kra/TransportKeyUnit.java ++++ b/base/kra/src/com/netscape/kra/TransportKeyUnit.java +@@ -115,10 +115,6 @@ public class TransportKeyUnit extends EncryptionUnit implements + } + } + +- public WrappingParams getWrappingParams() { +- return getOldWrappingParams(); +- } +- + public CryptoToken getInternalToken() { + try { + return CryptoManager.getInstance().getInternalKeyStorageToken(); +-- +1.8.3.1 + + +From 00c17b3e2f81c9df12e1a89fc85dc2e3d4c3a2b1 Mon Sep 17 00:00:00 2001 +From: Ade Lee +Date: Fri, 5 May 2017 21:30:15 -0400 +Subject: [PATCH 09/10] Fix symmetic key retrieval in HSM + +When using an HSM, AES KeyWrapping is not available and so +some different code paths were exercised. Fixing bugs in those +paths uncovered a case where we were calling unwrapSymmetric() +with bits and not bytes for the key length. + +This does not matter for 3DES, where JSS expects a length of 0, +but very much matters for AES. Fixing this - and the KeyClient +to actually use the returned wrapping algorithm to unwrap, allows +us now to return generated symmetric keys correctly. 
+ +Bugzilla BZ#1448521 +Pagure: 2690 + +Change-Id: I2c5c87e28f6f36798b16de238bbaa21da90e7890 +--- + base/common/src/com/netscape/certsrv/key/KeyClient.java | 4 ++-- + base/kra/src/com/netscape/kra/EncryptionUnit.java | 2 +- + base/kra/src/com/netscape/kra/SecurityDataProcessor.java | 12 ++++++++++++ + base/kra/src/com/netscape/kra/TransportKeyUnit.java | 4 ++-- + base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java | 4 ++-- + 5 files changed, 19 insertions(+), 7 deletions(-) + +diff --git a/base/common/src/com/netscape/certsrv/key/KeyClient.java b/base/common/src/com/netscape/certsrv/key/KeyClient.java +index 2c99e1c..9a69372 100644 +--- a/base/common/src/com/netscape/certsrv/key/KeyClient.java ++++ b/base/common/src/com/netscape/certsrv/key/KeyClient.java +@@ -429,7 +429,7 @@ public class KeyClient extends Client { + bytes = crypto.unwrapSymmetricKeyWithSessionKey( + data.getEncryptedData(), + sessionKey, +- wrapAlgorithm, ++ KeyWrapAlgorithm.fromString(data.getWrapAlgorithm()), + data.getNonceData(), + data.getAlgorithm(), + data.getSize()); +@@ -446,7 +446,7 @@ public class KeyClient extends Client { + bytes = crypto.unwrapAsymmetricKeyWithSessionKey( + data.getEncryptedData(), + sessionKey, +- wrapAlgorithm, ++ KeyWrapAlgorithm.fromString(data.getWrapAlgorithm()), + data.getNonceData(), + pubKey); + } +diff --git a/base/kra/src/com/netscape/kra/EncryptionUnit.java b/base/kra/src/com/netscape/kra/EncryptionUnit.java +index b460c9e..eb8a2f8 100644 +--- a/base/kra/src/com/netscape/kra/EncryptionUnit.java ++++ b/base/kra/src/com/netscape/kra/EncryptionUnit.java +@@ -84,7 +84,7 @@ public abstract class EncryptionUnit implements IEncryptionUnit { + return CryptoUtil.unwrap( + token, + params.getSkType(), +- 0, ++ params.getSkType().equals(SymmetricKey.DES3)? 
0: params.getSkLength(), + usage, wrappingKey, + encSymmKey, + params.getSkWrapAlgorithm()); +diff --git a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java +index 95d07c4..344f376 100644 +--- a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java ++++ b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java +@@ -411,6 +411,18 @@ public class SecurityDataProcessor { + String payloadWrapName = (String) params.get(IRequest.SECURITY_DATA_PL_WRAPPING_NAME); + String transportKeyAlgo = transportUnit.getCertificate().getPublicKey().getAlgorithm(); + ++ if (allowEncDecrypt_recovery) { ++ if (payloadWrapName == null) { ++ // assume old client ++ payloadWrapName = "DES3/CBC/Pad"; ++ } else if (payloadWrapName.equals("AES KeyWrap/Padding") || ++ payloadWrapName.equals("AES KeyWrap")) { ++ // Some HSMs have not implemented AES-KW yet ++ // Make sure we select an algorithm that is supported. ++ payloadWrapName = "AES/CBC/PKCS5Padding"; ++ } ++ } ++ + byte[] iv = null; + byte[] iv_wrap = null; + try { +diff --git a/base/kra/src/com/netscape/kra/TransportKeyUnit.java b/base/kra/src/com/netscape/kra/TransportKeyUnit.java +index fc66e66..d0ad8b3 100644 +--- a/base/kra/src/com/netscape/kra/TransportKeyUnit.java ++++ b/base/kra/src/com/netscape/kra/TransportKeyUnit.java +@@ -289,7 +289,7 @@ public class TransportKeyUnit extends EncryptionUnit implements + SymmetricKey sk = CryptoUtil.unwrap( + token, + params.getSkType(), +- 0, ++ params.getSkType().equals(SymmetricKey.DES3)? 0: params.getSkLength(), + SymmetricKey.Usage.DECRYPT, + wrappingKey, + encSymmKey, +@@ -360,7 +360,7 @@ public class TransportKeyUnit extends EncryptionUnit implements + SymmetricKey sk = CryptoUtil.unwrap( + token, + params.getSkType(), +- 0, ++ params.getSkType().equals(SymmetricKey.DES3)? 
0: params.getSkLength(), + SymmetricKey.Usage.UNWRAP, + wrappingKey, + encSymmKey, +diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java +index d22856d..e529a0f 100644 +--- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java ++++ b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java +@@ -2346,7 +2346,7 @@ public class CryptoUtil { + KeyWrapAlgorithm wrapAlgorithm, IVParameterSpec wrappingIV) throws Exception { + KeyWrapper wrapper = token.getKeyWrapper(wrapAlgorithm); + wrapper.initUnwrap(wrappingKey, wrappingIV); +- return wrapper.unwrapSymmetric(wrappedData, keyType, usage, strength); ++ return wrapper.unwrapSymmetric(wrappedData, keyType, usage, strength/8); + } + + public static SymmetricKey unwrap(CryptoToken token, SymmetricKey.Type keyType, +@@ -2355,7 +2355,7 @@ public class CryptoUtil { + KeyWrapper keyWrapper = token.getKeyWrapper(wrapAlgorithm); + keyWrapper.initUnwrap(wrappingKey, null); + +- return keyWrapper.unwrapSymmetric(wrappedData, keyType, usage, strength); ++ return keyWrapper.unwrapSymmetric(wrappedData, keyType, usage, strength/8); + } + + public static PrivateKey unwrap(CryptoToken token, PublicKey pubKey, boolean temporary, +-- +1.8.3.1 + + +From c0bb0ee8e36a85673e30352a7205414b215196a5 Mon Sep 17 00:00:00 2001 +From: Christian Heimes +Date: Mon, 8 May 2017 18:53:26 +0200 +Subject: [PATCH 10/10] pkispawn: wait after final restart + +The finalization scriptlet now waits after service has been restarted. 
+ +Change-Id: Id462728386b9d7e6b3364e1651ef6676115dd1de +Bugzilla: BZ#1446364 +Pagure: 2644 +Signed-off-by: Christian Heimes +--- + .travis/40-spawn-ca | 5 ----- + .travis/50-spawn-kra | 5 ----- + .../server/python/pki/server/deployment/scriptlets/finalization.py | 7 +++++++ + 3 files changed, 7 insertions(+), 10 deletions(-) + +diff --git a/.travis/40-spawn-ca b/.travis/40-spawn-ca +index d6771db..d57e6b7 100755 +--- a/.travis/40-spawn-ca ++++ b/.travis/40-spawn-ca +@@ -2,8 +2,3 @@ + set -e + + pkispawn -vv -f ${BUILDDIR}/pki/.travis/pki.cfg -s CA +- +-echo "Waiting for port 8080" +-for i in {1..20}; do +- curl http://localhost:8080 && break || sleep 1 +-done +diff --git a/.travis/50-spawn-kra b/.travis/50-spawn-kra +index 93f2f4c..f7e8fc1 100755 +--- a/.travis/50-spawn-kra ++++ b/.travis/50-spawn-kra +@@ -2,8 +2,3 @@ + set -e + + pkispawn -vv -f ${BUILDDIR}/pki/.travis/pki.cfg -s KRA +- +-echo "Waiting for port 8080" +-for i in {1..20}; do +- curl http://localhost:8080 && break || sleep 1 +-done +diff --git a/base/server/python/pki/server/deployment/scriptlets/finalization.py b/base/server/python/pki/server/deployment/scriptlets/finalization.py +index 3dc7f66..941691c 100644 +--- a/base/server/python/pki/server/deployment/scriptlets/finalization.py ++++ b/base/server/python/pki/server/deployment/scriptlets/finalization.py +@@ -57,6 +57,13 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + # Optionally, programmatically 'restart' the configured PKI instance + if config.str2bool(deployer.mdict['pki_restart_configured_instance']): + deployer.systemd.restart() ++ # wait for startup ++ status = deployer.instance.wait_for_startup(60) ++ if status is None: ++ config.pki_log.error( ++ "server failed to restart", ++ extra=config.PKI_INDENTATION_LEVEL_1) ++ raise RuntimeError("server failed to restart") + + # Optionally, 'purge' the entire temporary client infrastructure + # including the client NSS security databases and password files +-- +1.8.3.1 + 
diff --git a/SOURCES/pki-core-pre-signed-CMC-renewal-UniqueKeyConstraint.patch b/SOURCES/pki-core-pre-signed-CMC-renewal-UniqueKeyConstraint.patch new file mode 100644 index 0000000..9d3f9c7 --- /dev/null +++ b/SOURCES/pki-core-pre-signed-CMC-renewal-UniqueKeyConstraint.patch @@ -0,0 +1,30 @@ +From 7f29261148fa4a27824cb2006c515d376288ec64 Mon Sep 17 00:00:00 2001 +From: Christina Fu +Date: Tue, 20 Jun 2017 15:04:12 -0700 +Subject: [PATCH] Ticket #2618 UniqueKeyConstraint fix on subjectDN comparison + +(cherry picked from commit 2d69d9332eea7ddc5205dc9e44d15452be4be61f) +--- + .../com/netscape/cms/profile/constraint/UniqueKeyConstraint.java | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +diff --git a/base/server/cms/src/com/netscape/cms/profile/constraint/UniqueKeyConstraint.java b/base/server/cms/src/com/netscape/cms/profile/constraint/UniqueKeyConstraint.java +index 030995a..2614576 100644 +--- a/base/server/cms/src/com/netscape/cms/profile/constraint/UniqueKeyConstraint.java ++++ b/base/server/cms/src/com/netscape/cms/profile/constraint/UniqueKeyConstraint.java +@@ -240,11 +240,7 @@ public class UniqueKeyConstraint extends EnrollConstraint { + } + // only VALID or EXPIRED certs could have reached here + X509CertImpl origCert = rec.getCertificate(); +- String certDN = +- origCert.getSubjectDN().toString(); +- CMS.debug(method + " cert retrieved from ldap has subject DN =" + certDN); +- +- sjname_in_db = new X500Name(certDN); ++ sjname_in_db = (X500Name) origCert.getSubjectDN(); + + if (sjname_in_db.equals(sjname_in_req) == false) { + msg = msg + "subject name not match in same key renewal;"; +-- +1.8.3.1 + diff --git a/SOURCES/pki-core-server-access-banner-retrieval-validation.patch b/SOURCES/pki-core-server-access-banner-retrieval-validation.patch new file mode 100644 index 0000000..a4a20d7 --- /dev/null +++ b/SOURCES/pki-core-server-access-banner-retrieval-validation.patch 
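Review bot: The new `sjname_in_db = (X500Name) origCert.getSubjectDN();` is an unchecked cast, so if the subject principal is ever not an X500Name the same-key renewal check dies with a ClassCastException instead of producing a constraint message; this presumably holds for X509CertImpl in this code base, but an `instanceof` guard that appends to `msg` would fail closed the same way the existing subject-mismatch branch does. The removed `CMS.debug` line also drops the only log of the DN fetched from LDAP, which is what an operator needs when a renewal is rejected; consider keeping `CMS.debug(method + " cert retrieved from ldap has subject DN =" + sjname_in_db);` after the assignment. The enclosing method starts and ends outside the hunk.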
@@ -0,0 +1,81 @@ +From 384cd35c5298010386047b62d6db64916dd6689c Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Fri, 18 Aug 2017 23:05:24 +0200 +Subject: [PATCH] Added banner validation in InfoService. + +Previously banner was only validated during server startup. Since +banner can be modified anytime, the InfoService has been changed +such that it validates the banner on each banner retrieval. + +https://pagure.io/dogtagpki/issue/2671 + +Change-Id: I208f4c5b4ce2ce594e92acd4792aa03c729fa2cf +(cherry picked from commit 889a9c9efce62488f098fb96fcf4a1454c0b3bc2) +--- + .../src/org/dogtagpki/server/rest/InfoService.java | 27 +++++++++++++++++++++- + 1 file changed, 26 insertions(+), 1 deletion(-) + +diff --git a/base/server/cms/src/org/dogtagpki/server/rest/InfoService.java b/base/server/cms/src/org/dogtagpki/server/rest/InfoService.java +index 13581dd..5467bda 100644 +--- a/base/server/cms/src/org/dogtagpki/server/rest/InfoService.java ++++ b/base/server/cms/src/org/dogtagpki/server/rest/InfoService.java +@@ -20,12 +20,15 @@ package org.dogtagpki.server.rest; + + import javax.servlet.http.HttpSession; + import javax.ws.rs.core.Response; ++import javax.xml.bind.UnmarshalException; + + import org.dogtagpki.common.Info; + import org.dogtagpki.common.InfoResource; + import org.slf4j.Logger; + import org.slf4j.LoggerFactory; ++import org.xml.sax.SAXParseException; + ++import com.netscape.certsrv.base.PKIException; + import com.netscape.cms.servlet.base.PKIService; + + /** +@@ -42,17 +45,39 @@ public class InfoService extends PKIService implements InfoResource { + logger.debug("InfoService.getInfo(): session: " + session.getId()); + + Info info = new Info(); +- info.setVersion(getVersion()); + + boolean bannerDisplayed = session.getAttribute("bannerDisplayed") != null; + boolean bannerEnabled = isBannerEnabled(); + + // if banner not yet displayed in this session and it's enabled, return banner + if (!bannerDisplayed && bannerEnabled) { ++ + String banner = 
getBanner(); + info.setBanner(banner); ++ ++ // validate banner ++ try { ++ // converting Info object into XML ++ String xmlInfo = info.toString(); ++ ++ // and parse it back into Info object ++ info = Info.valueOf(xmlInfo); ++ ++ } catch (UnmarshalException e) { ++ Throwable cause = e.getCause(); ++ logger.error("InfoService: Invalid access banner: " + cause, e); ++ ++ if (cause instanceof SAXParseException) { ++ throw new PKIException("Banner contains invalid character(s)", e); ++ } else { ++ throw new PKIException("Invalid access banner: " + cause, e); ++ } ++ } + } + ++ // add other info attributes after banner validation ++ info.setVersion(getVersion()); ++ + return createOKResponse(info); + } + } +-- +1.8.3.1 + diff --git a/SOURCES/pki-core-server-access-banner-validation.patch b/SOURCES/pki-core-server-access-banner-validation.patch new file mode 100644 index 0000000..ac95f33 --- /dev/null +++ b/SOURCES/pki-core-server-access-banner-validation.patch 
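Review bot: The validation block catches only `UnmarshalException`, so any other failure of `info.toString()` or `Info.valueOf(xmlInfo)` (for example a general `JAXBException`, if those methods can raise one) propagates as a generic server error rather than the explicit "Invalid access banner" response; if their signatures allow it, catch `JAXBException` and keep the `SAXParseException` special case inside it. Refusing the whole getInfo response on a bad banner is the right fail-closed choice, since the banner is what the client must acknowledge before proceeding, and a one-line comment such as `// fail closed: a banner the client cannot parse must not be silently skipped` would make that intent explicit for the next maintainer. The getInfo method's signature lies outside the hunk.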
@@ -0,0 +1,523 @@ +From 9c8a4d2543e215f388e95e30f727a35eb9a7f778 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Mon, 5 Jun 2017 21:50:00 +0200 +Subject: [PATCH 1/4] Fixed access banner normalization. + +The PKIService has been modified to trim whitespaces in access +banner before returning the value to the client. The clients +have been modified to no longer trim the banner. + +https://pagure.io/dogtagpki/issue/2671 + +Change-Id: I51c5e78d11c89c711e369328def27bb352aa49e6 +(cherry picked from commit 5e0dcb69a734c9f52cca673a7a5189d31fb15774) +--- + base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java | 2 +- + base/server/cms/src/com/netscape/cms/servlet/base/PKIService.java | 2 +- + base/server/share/webapps/pki/js/pki-banner.js | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java +index 51861b5..8f91f32 100644 +--- a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java ++++ b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java +@@ -571,7 +571,7 @@ public class MainCLI extends CLI { + + if (banner != null) { + +- System.out.println(banner.trim()); ++ System.out.println(banner); + System.out.println(); + System.out.print("Do you want to proceed (y/N)? 
"); + System.out.flush(); +diff --git a/base/server/cms/src/com/netscape/cms/servlet/base/PKIService.java b/base/server/cms/src/com/netscape/cms/servlet/base/PKIService.java +index e023aa6..3273477 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/base/PKIService.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/base/PKIService.java +@@ -98,7 +98,7 @@ public class PKIService { + } + + public static String getBanner() throws IOException { +- return new String(Files.readAllBytes(bannerFile)); ++ return new String(Files.readAllBytes(bannerFile)).trim(); + } + + public static MediaType resolveFormat(MediaType format) { +diff --git a/base/server/share/webapps/pki/js/pki-banner.js b/base/server/share/webapps/pki/js/pki-banner.js +index e88220e..ff64092 100644 +--- a/base/server/share/webapps/pki/js/pki-banner.js ++++ b/base/server/share/webapps/pki/js/pki-banner.js +@@ -37,7 +37,7 @@ if (location.protocol == "https:" && !sessionStorage.bannerLock) { + } + + // display the banner and ask for confirmation +- var message = $.trim(data.Banner) + "\n\nDo you want to proceed?"; ++ var message = banner + "\n\nDo you want to proceed?"; + + // if banner accepted + if (confirm(message)) { +-- +1.8.3.1 + + +From 00b439b9056baef2b40a16cba2b3e46d1365ce62 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Tue, 13 Jun 2017 21:09:52 +0200 +Subject: [PATCH 2/4] Fixed access banner encoding. + +The Info service and client have been modified to transmit access +banner in Base64-encoded form. The PKI UI has been modified to +decode the access banner properly. 
+ +https://pagure.io/dogtagpki/issue/2671 + +Change-Id: Ic8526bac4c4d6b99e627aced64ab24cf675f5d50 +(cherry picked from commit e5f6ed7be301a3531b871ef3b0ce64bea0fe1973) +--- + .../src/org/dogtagpki/common/Base64Adapter.java | 34 ++++++++++++++++++++++ + base/common/src/org/dogtagpki/common/Info.java | 2 ++ + base/server/share/webapps/pki/js/pki-banner.js | 3 ++ + 3 files changed, 39 insertions(+) + create mode 100644 base/common/src/org/dogtagpki/common/Base64Adapter.java + +diff --git a/base/common/src/org/dogtagpki/common/Base64Adapter.java b/base/common/src/org/dogtagpki/common/Base64Adapter.java +new file mode 100644 +index 0000000..f777745 +--- /dev/null ++++ b/base/common/src/org/dogtagpki/common/Base64Adapter.java +@@ -0,0 +1,34 @@ ++// --- BEGIN COPYRIGHT BLOCK --- ++// This program is free software; you can redistribute it and/or modify ++// it under the terms of the GNU General Public License as published by ++// the Free Software Foundation; version 2 of the License. ++// ++// This program is distributed in the hope that it will be useful, ++// but WITHOUT ANY WARRANTY; without even the implied warranty of ++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++// GNU General Public License for more details. ++// ++// You should have received a copy of the GNU General Public License along ++// with this program; if not, write to the Free Software Foundation, Inc., ++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. ++// ++// (C) 2017 Red Hat, Inc. ++// All rights reserved. 
++// --- END COPYRIGHT BLOCK --- ++ ++package org.dogtagpki.common; ++ ++import javax.xml.bind.annotation.adapters.XmlAdapter; ++ ++public class Base64Adapter extends XmlAdapter { ++ ++ @Override ++ public String unmarshal(byte[] bytes) throws Exception { ++ return new String(bytes); ++ } ++ ++ @Override ++ public byte[] marshal(String string) throws Exception { ++ return string.getBytes(); ++ } ++} +diff --git a/base/common/src/org/dogtagpki/common/Info.java b/base/common/src/org/dogtagpki/common/Info.java +index 0a216f4..7ea3fd7 100644 +--- a/base/common/src/org/dogtagpki/common/Info.java ++++ b/base/common/src/org/dogtagpki/common/Info.java +@@ -26,6 +26,7 @@ import javax.xml.bind.Marshaller; + import javax.xml.bind.Unmarshaller; + import javax.xml.bind.annotation.XmlElement; + import javax.xml.bind.annotation.XmlRootElement; ++import javax.xml.bind.annotation.adapters.XmlJavaTypeAdapter; + + import org.slf4j.Logger; + import org.slf4j.LoggerFactory; +@@ -66,6 +67,7 @@ public class Info extends ResourceMessage { + } + + @XmlElement(name="Banner") ++ @XmlJavaTypeAdapter(Base64Adapter.class) + public String getBanner() { + return banner; + } +diff --git a/base/server/share/webapps/pki/js/pki-banner.js b/base/server/share/webapps/pki/js/pki-banner.js +index ff64092..05b5f01 100644 +--- a/base/server/share/webapps/pki/js/pki-banner.js ++++ b/base/server/share/webapps/pki/js/pki-banner.js +@@ -36,6 +36,9 @@ if (location.protocol == "https:" && !sessionStorage.bannerLock) { + return; + } + ++ // decode Base64-encoded UTF-8 banner ++ var banner = decodeURIComponent(escape(atob(data.Banner))); ++ + // display the banner and ask for confirmation + var message = banner + "\n\nDo you want to proceed?"; + +-- +1.8.3.1 + + +From b5085492242307d669fb331dead66f331a07c09e Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Wed, 14 Jun 2017 03:40:43 +0200 +Subject: [PATCH 3/4] Fixed access banner encoding (part 2). 
+ +The code that reads the access banner from file has been modified +to explicitly use UTF-8 encoding. + +The Info class and the PKI UI have been modified not to encode the +access banner in Base64 since it is not necessary. + +https://pagure.io/dogtagpki/issue/2671 + +Change-Id: I5f41a8ebac0bc91623b27f14608bca294bc9bc38 +(cherry picked from commit 4a8e1703603ab348b24d4f010e3587c340e1a032) +--- + base/common/src/org/dogtagpki/common/Info.java | 2 -- + base/server/cms/src/com/netscape/cms/servlet/base/PKIService.java | 2 +- + base/server/share/webapps/pki/js/pki-banner.js | 5 +---- + 3 files changed, 2 insertions(+), 7 deletions(-) + +diff --git a/base/common/src/org/dogtagpki/common/Info.java b/base/common/src/org/dogtagpki/common/Info.java +index 7ea3fd7..0a216f4 100644 +--- a/base/common/src/org/dogtagpki/common/Info.java ++++ b/base/common/src/org/dogtagpki/common/Info.java +@@ -26,7 +26,6 @@ import javax.xml.bind.Marshaller; + import javax.xml.bind.Unmarshaller; + import javax.xml.bind.annotation.XmlElement; + import javax.xml.bind.annotation.XmlRootElement; +-import javax.xml.bind.annotation.adapters.XmlJavaTypeAdapter; + + import org.slf4j.Logger; + import org.slf4j.LoggerFactory; +@@ -67,7 +66,6 @@ public class Info extends ResourceMessage { + } + + @XmlElement(name="Banner") +- @XmlJavaTypeAdapter(Base64Adapter.class) + public String getBanner() { + return banner; + } +diff --git a/base/server/cms/src/com/netscape/cms/servlet/base/PKIService.java b/base/server/cms/src/com/netscape/cms/servlet/base/PKIService.java +index 3273477..7a4727b 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/base/PKIService.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/base/PKIService.java +@@ -98,7 +98,7 @@ public class PKIService { + } + + public static String getBanner() throws IOException { +- return new String(Files.readAllBytes(bannerFile)).trim(); ++ return new String(Files.readAllBytes(bannerFile), "UTF-8").trim(); + } + + public static MediaType 
resolveFormat(MediaType format) { +diff --git a/base/server/share/webapps/pki/js/pki-banner.js b/base/server/share/webapps/pki/js/pki-banner.js +index 05b5f01..2bb2792 100644 +--- a/base/server/share/webapps/pki/js/pki-banner.js ++++ b/base/server/share/webapps/pki/js/pki-banner.js +@@ -36,11 +36,8 @@ if (location.protocol == "https:" && !sessionStorage.bannerLock) { + return; + } + +- // decode Base64-encoded UTF-8 banner +- var banner = decodeURIComponent(escape(atob(data.Banner))); +- + // display the banner and ask for confirmation +- var message = banner + "\n\nDo you want to proceed?"; ++ var message = data.Banner + "\n\nDo you want to proceed?"; + + // if banner accepted + if (confirm(message)) { +-- +1.8.3.1 + + +From 6449371ab6cb95a10ce0ad37d4a303709e356973 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Wed, 14 Jun 2017 23:08:29 +0200 +Subject: [PATCH 4/4] Added banner validation during server startup. + +Some pki-server CLIs have been added to inspect and validate the +content of the banner file. + +The PKI server startup script has been modified to validate the +content of the banner file using the new CLI. 
+ +https://pagure.io/dogtagpki/issue/2671 + +Change-Id: Ibc51afee184d0a720cc0d2961af08ef75d2b54c4 +(cherry picked from commit d2e247798a36225880ef6050716cc7576fe2ad7f) +--- + base/server/python/pki/server/__init__.py | 8 ++ + base/server/python/pki/server/cli/banner.py | 186 ++++++++++++++++++++++++++++ + base/server/sbin/pki-server | 2 + + base/server/scripts/operations | 6 + + 4 files changed, 202 insertions(+) + create mode 100644 base/server/python/pki/server/cli/banner.py + +diff --git a/base/server/python/pki/server/__init__.py b/base/server/python/pki/server/__init__.py +index 46c6711..0852b12 100644 +--- a/base/server/python/pki/server/__init__.py ++++ b/base/server/python/pki/server/__init__.py +@@ -19,6 +19,7 @@ + # + + from __future__ import absolute_import ++import codecs + from lxml import etree + import functools + import getpass +@@ -501,6 +502,7 @@ class PKIInstance(object): + self.conf_dir = os.path.join(CONFIG_BASE_DIR, name) + self.log_dir = os.path.join(LOG_BASE_DIR, name) + ++ self.banner_file = os.path.join(self.conf_dir, 'banner.txt') + self.password_conf = os.path.join(self.conf_dir, 'password.conf') + self.external_certs_conf = os.path.join( + self.conf_dir, 'external_certs.conf') +@@ -792,6 +794,12 @@ class PKIInstance(object): + self.conf_dir, 'Catalina', 'localhost', webapp_name + '.xml') + os.remove(context_xml) + ++ def banner_installed(self): ++ return os.path.exists(self.banner_file) ++ ++ def get_banner(self): ++ return codecs.open(self.banner_file, "UTF-8").read().strip() ++ + def __repr__(self): + if self.type == 9: + return "Dogtag 9 " + self.name +diff --git a/base/server/python/pki/server/cli/banner.py b/base/server/python/pki/server/cli/banner.py +new file mode 100644 +index 0000000..98f8f16 +--- /dev/null ++++ b/base/server/python/pki/server/cli/banner.py +@@ -0,0 +1,186 @@ ++# Authors: ++# Endi S. 
Dewata ++# ++# This program is free software; you can redistribute it and/or modify ++# it under the terms of the GNU General Public License as published by ++# the Free Software Foundation; version 2 of the License. ++# ++# This program is distributed in the hope that it will be useful, ++# but WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++# GNU General Public License for more details. ++# ++# You should have received a copy of the GNU General Public License along ++# with this program; if not, write to the Free Software Foundation, Inc., ++# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. ++# ++# Copyright (C) 2017 Red Hat, Inc. ++# All rights reserved. ++# ++ ++from __future__ import absolute_import ++from __future__ import print_function ++import codecs ++import getopt ++from lxml import etree ++import sys ++import traceback ++ ++import pki.cli ++ ++ ++class BannerCLI(pki.cli.CLI): ++ ++ def __init__(self): ++ super(BannerCLI, self).__init__('banner', ++ 'Banner management commands') ++ ++ self.add_module(BannerShowCLI()) ++ self.add_module(BannerValidateCLI()) ++ ++ ++class BannerShowCLI(pki.cli.CLI): ++ ++ def __init__(self): ++ super(BannerShowCLI, self).__init__('show', 'Show banner') ++ ++ def usage(self): ++ print('Usage: pki-server banner-show [OPTIONS]') ++ print() ++ print(' -i, --instance Instance ID (default: pki-tomcat).') ++ print(' -v, --verbose Run in verbose mode.') ++ print(' --help Show help message.') ++ print() ++ ++ def execute(self, argv): ++ ++ try: ++ opts, _ = getopt.gnu_getopt(argv, 'i:v', [ ++ 'instance=', ++ 'verbose', 'help']) ++ ++ except getopt.GetoptError as e: ++ print('ERROR: ' + str(e)) ++ self.usage() ++ sys.exit(1) ++ ++ instance_name = 'pki-tomcat' ++ ++ for o, a in opts: ++ if o in ('-i', '--instance'): ++ instance_name = a ++ ++ elif o in ('-v', '--verbose'): ++ self.set_verbose(True) ++ ++ elif o == '--help': ++ self.usage() ++ 
sys.exit() ++ ++ else: ++ print('ERROR: unknown option ' + o) ++ self.usage() ++ sys.exit(1) ++ ++ instance = pki.server.PKIInstance(instance_name) ++ ++ if not instance.is_valid(): ++ print('ERROR: Invalid instance %s.' % instance_name) ++ sys.exit(1) ++ ++ instance.load() ++ ++ if not instance.banner_installed(): ++ print('ERROR: Banner is not installed') ++ sys.exit(1) ++ ++ print(instance.get_banner()) ++ ++ ++class BannerValidateCLI(pki.cli.CLI): ++ ++ def __init__(self): ++ super(BannerValidateCLI, self).__init__('validate', 'Validate banner') ++ ++ def usage(self): ++ print('Usage: pki-server banner-validate [OPTIONS]') ++ print() ++ print(' -i, --instance Instance ID (default: pki-tomcat).') ++ print(' --file Validate specified banner file.') ++ print(' -v, --verbose Run in verbose mode.') ++ print(' --help Show help message.') ++ print() ++ ++ def execute(self, argv): ++ ++ try: ++ opts, _ = getopt.gnu_getopt(argv, 'i:v', [ ++ 'instance=', 'file=', ++ 'verbose', 'help']) ++ ++ except getopt.GetoptError as e: ++ print('ERROR: ' + str(e)) ++ self.usage() ++ sys.exit(1) ++ ++ instance_name = 'pki-tomcat' ++ banner_file = None ++ ++ for o, a in opts: ++ if o in ('-i', '--instance'): ++ instance_name = a ++ ++ elif o == '--file': ++ banner_file = a ++ ++ elif o in ('-v', '--verbose'): ++ self.set_verbose(True) ++ ++ elif o == '--help': ++ self.usage() ++ sys.exit() ++ ++ else: ++ print('ERROR: unknown option ' + o) ++ self.usage() ++ sys.exit(1) ++ ++ if banner_file: ++ ++ # load banner from file ++ banner = codecs.open(banner_file, "UTF-8").read().strip() ++ ++ else: ++ ++ # load banner from instance ++ instance = pki.server.PKIInstance(instance_name) ++ ++ if not instance.is_valid(): ++ print('ERROR: Invalid instance %s.' 
% instance_name) ++ sys.exit(1) ++ ++ instance.load() ++ ++ if not instance.banner_installed(): ++ self.print_message('Banner is not installed') ++ return ++ ++ banner = instance.get_banner() ++ ++ if not banner: ++ print('ERROR: Banner is empty') ++ sys.exit(1) ++ ++ xml_banner = "" + banner + "" ++ ++ try: ++ parser = etree.XMLParser() ++ etree.fromstring(xml_banner, parser) ++ ++ self.print_message('Banner is valid') ++ ++ except etree.XMLSyntaxError as e: ++ if self.verbose: ++ traceback.print_exc() ++ print('ERROR: Banner contains invalid character(s)') ++ sys.exit(1) +diff --git a/base/server/sbin/pki-server b/base/server/sbin/pki-server +index 6df70dc..ce06e28 100644 +--- a/base/server/sbin/pki-server ++++ b/base/server/sbin/pki-server +@@ -32,6 +32,7 @@ import pki.server.cli.kra + import pki.server.cli.ocsp + import pki.server.cli.tks + import pki.server.cli.tps ++import pki.server.cli.banner + import pki.server.cli.db + import pki.server.cli.instance + import pki.server.cli.subsystem +@@ -52,6 +53,7 @@ class PKIServerCLI(pki.cli.CLI): + self.add_module(pki.server.cli.tks.TKSCLI()) + self.add_module(pki.server.cli.tps.TPSCLI()) + ++ self.add_module(pki.server.cli.banner.BannerCLI()) + self.add_module(pki.server.cli.db.DBCLI()) + self.add_module(pki.server.cli.instance.InstanceCLI()) + self.add_module(pki.server.cli.subsystem.SubsystemCLI()) +diff --git a/base/server/scripts/operations b/base/server/scripts/operations +index 907dd0e..908c952 100644 +--- a/base/server/scripts/operations ++++ b/base/server/scripts/operations +@@ -1297,6 +1297,12 @@ EOF + /var/lib/pki/$PKI_INSTANCE_NAME/conf/custom.policy > \ + /var/lib/pki/$PKI_INSTANCE_NAME/conf/catalina.policy + ++ pki-server banner-validate -i "$PKI_INSTANCE_NAME" ++ rv=$? ++ if [ $rv -ne 0 ]; then ++ return $rv ++ fi ++ + if [ "${PKI_SERVER_AUTO_ENABLE_SUBSYSTEMS}" = "true" ] ; then + # enable all subsystems + pki-server subsystem-enable -i "$PKI_INSTANCE_NAME" --all +-- +1.8.3.1 + 
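Review bot: `codecs.open(banner_file, "UTF-8")` in the `--file` branch of BannerValidateCLI.execute, and the identical call in the new `PKIInstance.get_banner` in `pki/server/__init__.py`, pass "UTF-8" as the second positional parameter of codecs.open, which is `mode`, not `encoding`; on Python 3 this raises `ValueError: invalid mode`, and on Python 2 it appears to be accepted only because the string contains 'U' (universal newlines), leaving the content undecoded so the UTF-8 handling the commit message describes never happens. The file object is also never closed. Both sites should read `with codecs.open(banner_file, 'r', 'UTF-8') as f:` / `banner = f.read().strip()` (with `self.banner_file` in get_banner). Since the `operations` hunk makes `pki-server banner-validate` gate service start, a crash here keeps the server from starting rather than letting a bad banner through, which is the safe direction but will look like a startup failure until the call is fixed.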
diff --git a/SOURCES/pki-core-snapshot-1.patch b/SOURCES/pki-core-snapshot-1.patch
new file mode 100644
index 0000000..ca2391a
--- /dev/null
+++ b/SOURCES/pki-core-snapshot-1.patch
@@ -0,0 +1,6661 @@ +From ee5af05036e87a9dad821c9dd8bc0198dac9bd65 Mon Sep 17 00:00:00 2001 +From: Matthew Harmsen +Date: Fri, 12 May 2017 13:00:54 -0600 +Subject: [PATCH 01/27] Fix CA installation with HSM in FIPS mode + +Bugzilla Bug #1450143 - CA installation with HSM in FIPS mode fails +dogtagpki Pagure Issue #2684 - CA installation with HSM in FIPS mode fails +--- + base/server/python/pki/server/deployment/pkihelper.py | 19 ++++++++++++++----- + .../pki/server/deployment/scriptlets/finalization.py | 3 ++- + 2 files changed, 16 insertions(+), 6 deletions(-) + +diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py +index 051778d..a1345de 100644 +--- a/base/server/python/pki/server/deployment/pkihelper.py ++++ b/base/server/python/pki/server/deployment/pkihelper.py +@@ -1017,11 +1017,20 @@ class Instance: + extra=config.PKI_INDENTATION_LEVEL_2) + raise + +- def get_instance_status(self): ++ def get_instance_status(self, secure_connection=True): ++ pki_protocol = None ++ pki_port = None ++ if secure_connection: ++ pki_protocol = "https" ++ pki_port = self.mdict['pki_https_port'] ++ else: ++ pki_protocol = "http" ++ pki_port = self.mdict['pki_http_port'] ++ + connection = pki.client.PKIConnection( +- protocol='https', ++ protocol=pki_protocol, + hostname=self.mdict['pki_hostname'], +- port=self.mdict['pki_https_port'], ++ port=pki_port, + subsystem=self.mdict['pki_subsystem_type'], + accept='application/xml', + trust_env=False) +@@ -1049,11 +1058,11 @@ class Instance: + extra=config.PKI_INDENTATION_LEVEL_3) + return None + +- def wait_for_startup(self, timeout): ++ def wait_for_startup(self, timeout, secure_connection=True): + start_time = datetime.today() + status = None + while status != "running": +- status = self.get_instance_status() ++ status = self.get_instance_status(secure_connection) + time.sleep(1) + stop_time = datetime.today() + if (stop_time - start_time).total_seconds() >= timeout: 
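Review bot: In `get_instance_status` the initial `pki_protocol = None` and `pki_port = None` are dead assignments, since both arms of `if secure_connection:` set them; a single `pki_protocol, pki_port = ('https', self.mdict['pki_https_port']) if secure_connection else ('http', self.mdict['pki_http_port'])` says the same thing without the placeholder values. The new `secure_connection` parameter is undocumented on both `get_instance_status` and `wait_for_startup`, and a plaintext probe path deserves a stated reason, e.g. `# secure_connection=False probes the plain-HTTP port; intended only for the local post-restart status check, never for anything that carries credentials`. Both method bodies continue outside their hunks.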
+diff --git a/base/server/python/pki/server/deployment/scriptlets/finalization.py b/base/server/python/pki/server/deployment/scriptlets/finalization.py +index 941691c..75bb80e 100644 +--- a/base/server/python/pki/server/deployment/scriptlets/finalization.py ++++ b/base/server/python/pki/server/deployment/scriptlets/finalization.py +@@ -58,7 +58,8 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + if config.str2bool(deployer.mdict['pki_restart_configured_instance']): + deployer.systemd.restart() + # wait for startup +- status = deployer.instance.wait_for_startup(60) ++ # (must use 'http' protocol due to potential FIPS configuration) ++ status = deployer.instance.wait_for_startup(60, False) + if status is None: + config.pki_log.error( + "server failed to restart", +-- +1.8.3.1 + + +From 4557cd497ecc3c753461617dd8f10067a3815042 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Tue, 16 May 2017 01:43:33 +0200 +Subject: [PATCH 02/27] Added log messages for server shutdown. + +Some log messages have been added to help troubleshoot the cause +of server shutdown. + +Change-Id: Ie2a91647a0986fdb11cafed2aec48cce208ef1a2 +--- + base/common/src/com/netscape/certsrv/apps/CMS.java | 4 ++++ + .../cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java | 3 +++ + .../server/cms/src/com/netscape/cms/servlet/base/CMSStartServlet.java | 1 + + .../cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java | 4 ++++ + 4 files changed, 12 insertions(+) + +diff --git a/base/common/src/com/netscape/certsrv/apps/CMS.java b/base/common/src/com/netscape/certsrv/apps/CMS.java +index 8f1d648..cc634cc 100644 +--- a/base/common/src/com/netscape/certsrv/apps/CMS.java ++++ b/base/common/src/com/netscape/certsrv/apps/CMS.java +@@ -1627,6 +1627,8 @@ public final class CMS { + // Raidzilla Bug #57592: Always print error message to stdout. 
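Review bot: `deployer.instance.wait_for_startup(60, False)` passes the new flag positionally, so a reader must open `pkihelper.py` to learn that `False` means "probe over plain HTTP"; `status = deployer.instance.wait_for_startup(60, secure_connection=False)` carries the intent and matches the comment added on the line above. The enclosing scriptlet method continues outside the hunk.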
+ System.out.println(e); + ++ CMS.debug("CMS.start(): shutdown server"); ++ + shutdown(); + throw e; + +@@ -1722,6 +1724,8 @@ public final class CMS { + ILogger.LL_INFO, + "CMSEngine: Received shutdown signal"); + ++ CMS.debug("CMS.main(): shutdown server"); ++ + CMS.shutdown(); + }; + }); +diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java +index e5a1474..f8bc34a 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java +@@ -750,6 +750,7 @@ public final class CMSAdminServlet extends AdminServlet { + if (stop != null) { + //XXX Send response first then shutdown + sendResponse(SUCCESS, null, params, resp); ++ CMS.debug("CMSAdminServlet.performTasks(): shutdown server"); + CMS.shutdown(); + return; + } +@@ -3271,6 +3272,8 @@ public final class CMSAdminServlet extends AdminServlet { + + "\n"; + sendResponse(ERROR, content, null, resp); + ++ CMS.debug("CMSAdminServlet.runSelfTestsOnDemand(): shutdown server"); ++ + // shutdown the system gracefully + CMS.shutdown(); + +diff --git a/base/server/cms/src/com/netscape/cms/servlet/base/CMSStartServlet.java b/base/server/cms/src/com/netscape/cms/servlet/base/CMSStartServlet.java +index cfbf724..9609b06 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/base/CMSStartServlet.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/base/CMSStartServlet.java +@@ -148,6 +148,7 @@ public class CMSStartServlet extends HttpServlet { + * This method will be called when Tomcat is shutdown. 
+ */ + public void destroy() { ++ CMS.debug("CMSStartServlet.destroy(): shutdown server"); + CMS.shutdown(); + } + } +diff --git a/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java b/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java +index 6ee3176..e1d6e15 100644 +--- a/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java ++++ b/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java +@@ -547,6 +547,8 @@ public class SelfTestSubsystem + "CMSCORE_SELFTESTS_RUN_ON_DEMAND_FAILED", + instanceFullName)); + ++ CMS.debug("SelfTestSubsystem.runSelfTestsOnDemand(): shutdown server"); ++ + // shutdown the system gracefully + CMS.shutdown(); + +@@ -1845,6 +1847,8 @@ public class SelfTestSubsystem + + audit(auditMessage); + ++ CMS.debug("SelfTestSubsystem.startup(): shutdown server"); ++ + // shutdown the system gracefully + CMS.shutdown(); + +-- +1.8.3.1 + + +From 587cfa90b3b065f4c9c5bd0292202d5d9a4c2f54 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Tue, 25 Apr 2017 22:12:20 +0200 +Subject: [PATCH 03/27] Simplified conditions to log CERT_REQUEST_PROCESSED. + +The conditions to log CERT_REQUEST_PROCESSED have been simplified +since the auditInfoCertValue() will return SIGNED_AUDIT_EMPTY_VALUE +if the certificate object is not available in the request object. 
+ +https://pagure.io/dogtagpki/issue/2636 + +Change-Id: I946481c17729d2c349c949def113fc5563ec90ad +--- + .../logging/event/CertRequestProcessedEvent.java | 2 +- + .../netscape/cms/servlet/cert/CertProcessor.java | 24 +++++------ + .../cms/servlet/connector/ConnectorServlet.java | 47 +++++++++------------- + .../servlet/profile/ProfileSubmitCMCServlet.java | 44 +++++++++----------- + 4 files changed, 48 insertions(+), 69 deletions(-) + +diff --git a/base/common/src/com/netscape/certsrv/logging/event/CertRequestProcessedEvent.java b/base/common/src/com/netscape/certsrv/logging/event/CertRequestProcessedEvent.java +index 777434b..a17f7d5 100644 +--- a/base/common/src/com/netscape/certsrv/logging/event/CertRequestProcessedEvent.java ++++ b/base/common/src/com/netscape/certsrv/logging/event/CertRequestProcessedEvent.java +@@ -96,7 +96,7 @@ public class CertRequestProcessedEvent extends AuditEvent { + * @param x509cert an X509CertImpl + * @return cert string containing the certificate + */ +- public static String auditInfoCertValue(X509CertImpl x509cert) { ++ String auditInfoCertValue(X509CertImpl x509cert) { + + if (x509cert == null) { + return ILogger.SIGNED_AUDIT_EMPTY_VALUE; +diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java +index d25d817..1becd1b 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java +@@ -246,21 +246,17 @@ public class CertProcessor extends CAProcessor { + req.setRequestStatus(RequestStatus.COMPLETE); + + X509CertImpl x509cert = req.getExtDataInCert(IEnrollProfile.REQUEST_ISSUED_CERT); +- String auditInfoCertValue = CertRequestProcessedEvent.auditInfoCertValue(x509cert); +- +- // TODO: simplify this condition +- if (auditInfoCertValue != null) { +- if (!(auditInfoCertValue.equals( +- ILogger.SIGNED_AUDIT_EMPTY_VALUE))) { +- +- audit(new 
CertRequestProcessedEvent( +- auditSubjectID, +- ILogger.SUCCESS, +- auditRequesterID, +- ILogger.SIGNED_AUDIT_ACCEPTANCE, +- x509cert)); +- } ++ ++ if (x509cert != null) { ++ ++ audit(new CertRequestProcessedEvent( ++ auditSubjectID, ++ ILogger.SUCCESS, ++ auditRequesterID, ++ ILogger.SIGNED_AUDIT_ACCEPTANCE, ++ x509cert)); + } ++ + } catch (EDeferException e) { + // return defer message to the user + req.setRequestStatus(RequestStatus.PENDING); +diff --git a/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java b/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java +index b5ccdd2..eeb640e 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java +@@ -620,40 +620,31 @@ public class ConnectorServlet extends CMSServlet { + if (isProfileRequest(thisreq)) { + + X509CertImpl x509cert = thisreq.getExtDataInCert(IEnrollProfile.REQUEST_ISSUED_CERT); +- String auditInfoCertValue = CertRequestProcessedEvent.auditInfoCertValue(x509cert); +- +- // TODO: simplify this condition +- if (auditInfoCertValue != null) { +- if (!(auditInfoCertValue.equals( +- ILogger.SIGNED_AUDIT_EMPTY_VALUE))) { +- +- audit(new CertRequestProcessedEvent( +- auditSubjectID, +- ILogger.SUCCESS, +- auditRequesterID, +- ILogger.SIGNED_AUDIT_ACCEPTANCE, +- x509cert)); +- } ++ ++ if (x509cert != null) { ++ ++ audit(new CertRequestProcessedEvent( ++ auditSubjectID, ++ ILogger.SUCCESS, ++ auditRequesterID, ++ ILogger.SIGNED_AUDIT_ACCEPTANCE, ++ x509cert)); + } + } ++ + } catch (EBaseException eAudit1) { + if (isProfileRequest(thisreq)) { + + X509CertImpl x509cert = thisreq.getExtDataInCert(IEnrollProfile.REQUEST_ISSUED_CERT); +- String auditInfoCertValue = CertRequestProcessedEvent.auditInfoCertValue(x509cert); +- +- // TODO: simplify this condition +- if (auditInfoCertValue != null) { +- if (!(auditInfoCertValue.equals( +- 
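Review bot: Replacing the `auditInfoCertValue != null && !EMPTY_VALUE` test with `if (x509cert != null)` is only a pure simplification if `auditInfoCertValue()` returns `SIGNED_AUDIT_EMPTY_VALUE` solely for a null certificate; the visible part of that method shows just the null check, so if it also returns the empty value when encoding the certificate fails, this hunk now emits a CERT_REQUEST_PROCESSED event with an empty cert field in that case where the old code emitted nothing. Recording the request outcome even when the cert cannot be rendered is arguably the better audit behaviour, but it is a behaviour change and the commit message should say so instead of describing it as equivalent. The same applies to the two ConnectorServlet hunks and the two ProfileSubmitCMCServlet hunks that make the identical substitution.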
ILogger.SIGNED_AUDIT_EMPTY_VALUE))) { +- +- audit(new CertRequestProcessedEvent( +- auditSubjectID, +- ILogger.FAILURE, +- auditRequesterID, +- ILogger.SIGNED_AUDIT_ACCEPTANCE, +- x509cert)); +- } ++ ++ if (x509cert != null) { ++ ++ audit(new CertRequestProcessedEvent( ++ auditSubjectID, ++ ILogger.FAILURE, ++ auditRequesterID, ++ ILogger.SIGNED_AUDIT_ACCEPTANCE, ++ x509cert)); + } + } + +diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java +index 1e128d0..0e101ed 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java +@@ -696,21 +696,17 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { + reqs[k].setRequestStatus(RequestStatus.COMPLETE); + + X509CertImpl x509cert = reqs[k].getExtDataInCert(IEnrollProfile.REQUEST_ISSUED_CERT); +- String auditInfoCertValue = CertRequestProcessedEvent.auditInfoCertValue(x509cert); +- +- // TODO: simplify this condition +- if (auditInfoCertValue != null) { +- if (!(auditInfoCertValue.equals( +- ILogger.SIGNED_AUDIT_EMPTY_VALUE))) { +- +- audit(new CertRequestProcessedEvent( +- auditSubjectID, +- ILogger.SUCCESS, +- auditRequesterID, +- ILogger.SIGNED_AUDIT_ACCEPTANCE, +- x509cert)); +- } ++ ++ if (x509cert != null) { ++ ++ audit(new CertRequestProcessedEvent( ++ auditSubjectID, ++ ILogger.SUCCESS, ++ auditRequesterID, ++ ILogger.SIGNED_AUDIT_ACCEPTANCE, ++ x509cert)); + } ++ + } catch (EDeferException e) { + // return defer message to the user + CMS.debug("ProfileSubmitCMCServlet: set request to PENDING"); +@@ -794,21 +790,17 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { + CMS.debug("ProfileSubmitCMCServlet: provedReq set to complete"); + + X509CertImpl x509cert = reqs[0].getExtDataInCert(IEnrollProfile.REQUEST_ISSUED_CERT); +- String 
auditInfoCertValue = CertRequestProcessedEvent.auditInfoCertValue(x509cert); + +- // TODO: simplify this condition +- if (auditInfoCertValue != null) { +- if (!(auditInfoCertValue.equals( +- ILogger.SIGNED_AUDIT_EMPTY_VALUE))) { ++ if (x509cert != null) { + +- audit(new CertRequestProcessedEvent( +- auditSubjectID, +- ILogger.SUCCESS, +- auditRequesterID, +- ILogger.SIGNED_AUDIT_ACCEPTANCE, +- x509cert)); +- } ++ audit(new CertRequestProcessedEvent( ++ auditSubjectID, ++ ILogger.SUCCESS, ++ auditRequesterID, ++ ILogger.SIGNED_AUDIT_ACCEPTANCE, ++ x509cert)); + } ++ + } catch (ERejectException e) { + // return error to the user + provedReq.setRequestStatus(RequestStatus.REJECTED); +-- +1.8.3.1 + + +From 3abf731d9e6f02ac8d315978d31c28c2f9c85db9 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Wed, 26 Apr 2017 01:27:17 +0200 +Subject: [PATCH 04/27] Added AuditEvent attributes. + +The AuditEvent class has been modified to support variable number +of event attributes which can be used to generate more flexible +audit log entries. 
+ +https://pagure.io/dogtagpki/issue/2655 + +Change-Id: I565062bd7d635c0cbff0e6a7e71477648c9d3212 +--- + .../com/netscape/certsrv/logging/AuditEvent.java | 24 ++++++++++++++++++++++ + 1 file changed, 24 insertions(+) + +diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java +index 7a4aa9b..9ba9271 100644 +--- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java ++++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java +@@ -18,7 +18,9 @@ + package com.netscape.certsrv.logging; + + import java.text.MessageFormat; ++import java.util.LinkedHashMap; + import java.util.Locale; ++import java.util.Map; + + import com.netscape.certsrv.base.EBaseException; + import com.netscape.certsrv.base.MessageFormatter; +@@ -265,6 +267,7 @@ public class AuditEvent implements IBundleLogEvent { + private static final String INVALID_LOG_LEVEL = "log level: {0} is invalid, should be 0-6"; + + protected Object mParams[] = null; ++ protected Map attributes = new LinkedHashMap<>(); + + private String mEventType = null; + private String mMessage = null; +@@ -574,4 +577,25 @@ public class AuditEvent implements IBundleLogEvent { + } else + return toContent(); + } ++ ++ public void setAttribute(String name, Object value) { ++ attributes.put(name, value); ++ } ++ ++ public String getAttributeList() { ++ ++ StringBuilder sb = new StringBuilder(); ++ ++ for (String name : attributes.keySet()) { ++ Object value = attributes.get(name); ++ ++ sb.append("["); ++ sb.append(name); ++ sb.append("="); ++ sb.append(value); ++ sb.append("]"); ++ } ++ ++ return sb.toString(); ++ } + } +-- +1.8.3.1 + + +From cec9efefe027ed4e7592827889eb3b487e7e485a Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Wed, 26 Apr 2017 20:04:46 +0200 +Subject: [PATCH 05/27] Added ConfigTrustedPublicKeyEvent. + +A new ConfigTrustedPublicKeyEvent class of has been added to +encapsulate the CONFIG_TRUSTED_PUBLIC_KEY events. 
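Review bot: `getAttributeList()` writes each value into the signed audit record with `sb.append(value)` and no escaping, so a value containing `[`, `]`, `=` or a line break (request notes and subject names can be caller-supplied) can forge or split the `[name=value]` fields that audit consumers parse. Because signed audit entries serve as evidence, the method should either escape or reject those characters, or the contract must be stated on the method, e.g. `// Values are emitted verbatim; callers must not pass values containing '[', ']', '=' or line breaks.` The `attributes` field also appears here as a raw `Map`, which may be the page dropping the type arguments; if the declaration really is raw, `for (String name : attributes.keySet())` is unlikely to compile, so confirm it reads `Map<String, Object>`.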
+ +https://pagure.io/dogtagpki/issue/2641 + +Change-Id: I2fb4b46dfd63daf3c0c08dc08b3dbac9108ec908 +--- + .../com/netscape/certsrv/logging/AuditEvent.java | 2 - + .../logging/event/ConfigTrustedPublicKeyEvent.java | 42 ++++ + .../cms/servlet/admin/CMSAdminServlet.java | 218 +++++++-------------- + 3 files changed, 114 insertions(+), 148 deletions(-) + create mode 100644 base/common/src/com/netscape/certsrv/logging/event/ConfigTrustedPublicKeyEvent.java + +diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java +index 9ba9271..ff5d344 100644 +--- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java ++++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java +@@ -63,8 +63,6 @@ public class AuditEvent implements IBundleLogEvent { + "LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT_3"; + public final static String CONFIG_ENCRYPTION = + "LOGGING_SIGNED_AUDIT_CONFIG_ENCRYPTION_3"; +- public final static String CONFIG_TRUSTED_PUBLIC_KEY = +- "LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY_3"; + public final static String CONFIG_DRM = + "LOGGING_SIGNED_AUDIT_CONFIG_DRM_3"; + public final static String SELFTESTS_EXECUTION = +diff --git a/base/common/src/com/netscape/certsrv/logging/event/ConfigTrustedPublicKeyEvent.java b/base/common/src/com/netscape/certsrv/logging/event/ConfigTrustedPublicKeyEvent.java +new file mode 100644 +index 0000000..b0dd781 +--- /dev/null ++++ b/base/common/src/com/netscape/certsrv/logging/event/ConfigTrustedPublicKeyEvent.java +@@ -0,0 +1,42 @@ ++// --- BEGIN COPYRIGHT BLOCK --- ++// This program is free software; you can redistribute it and/or modify ++// it under the terms of the GNU General Public License as published by ++// the Free Software Foundation; version 2 of the License. 
++// ++// This program is distributed in the hope that it will be useful, ++// but WITHOUT ANY WARRANTY; without even the implied warranty of ++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++// GNU General Public License for more details. ++// ++// You should have received a copy of the GNU General Public License along ++// with this program; if not, write to the Free Software Foundation, Inc., ++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. ++// ++// (C) 2017 Red Hat, Inc. ++// All rights reserved. ++// --- END COPYRIGHT BLOCK --- ++package com.netscape.certsrv.logging.event; ++ ++import com.netscape.certsrv.logging.AuditEvent; ++ ++public class ConfigTrustedPublicKeyEvent extends AuditEvent { ++ ++ private static final long serialVersionUID = 1L; ++ ++ public final static String LOGGING_PROPERTY = ++ "LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY_3"; ++ ++ public ConfigTrustedPublicKeyEvent( ++ String subjectID, ++ String outcome, ++ String params) { ++ ++ super(LOGGING_PROPERTY); ++ ++ setParameters(new Object[] { ++ subjectID, ++ outcome, ++ params ++ }); ++ } ++} +diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java +index f8bc34a..8d28408 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java +@@ -62,6 +62,7 @@ import com.netscape.certsrv.dbs.certdb.ICertificateRepository; + import com.netscape.certsrv.kra.IKeyRecoveryAuthority; + import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.ILogger; ++import com.netscape.certsrv.logging.event.ConfigTrustedPublicKeyEvent; + import com.netscape.certsrv.ocsp.IOCSPAuthority; + import com.netscape.certsrv.ra.IRegistrationAuthority; + import com.netscape.certsrv.security.ICryptoSubsystem; +@@ -1434,7 +1435,7 @@ public final class 
CMSAdminServlet extends AdminServlet { + private void issueImportCert(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { +- String auditMessage = null; ++ + String auditSubjectID = auditSubjectID(); + + // ensure that any low-level exceptions are reported +@@ -1484,14 +1485,11 @@ public final class CMSAdminServlet extends AdminServlet { + nicknameWithoutTokenName = nickname.substring(index + 1); + oldtokenname = nickname.substring(0, index); + } else { +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY, ++ ++ audit(new ConfigTrustedPublicKeyEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + + throw new EBaseException(CMS.getLogMessage("BASE_CERT_NOT_FOUND")); + } +@@ -1504,14 +1502,11 @@ public final class CMSAdminServlet extends AdminServlet { + } else if (index > 0 && (index < (canickname.length() - 1))) { + canicknameWithoutTokenName = canickname.substring(index + 1); + } else { +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY, ++ ++ audit(new ConfigTrustedPublicKeyEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + + throw new EBaseException(CMS.getLogMessage("BASE_CERT_NOT_FOUND")); + } +@@ -1524,14 +1519,11 @@ public final class CMSAdminServlet extends AdminServlet { + KeyPair pair = null; + + if (nickname.equals("")) { +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY, ++ ++ audit(new ConfigTrustedPublicKeyEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + + throw new EBaseException(CMS.getLogMessage("BASE_CERT_NOT_FOUND")); + } +@@ -1771,40 +1763,30 @@ public final class 
CMSAdminServlet extends AdminServlet { + properties.clear(); + properties = null; + +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY, ++ audit(new ConfigTrustedPublicKeyEvent( + auditSubjectID, + ILogger.SUCCESS, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + + mConfig.commit(true); + sendResponse(SUCCESS, null, null, resp); + } catch (EBaseException eAudit1) { + CMS.debug("CMSAdminServlet: issueImportCert: EBaseException thrown: " + eAudit1.toString()); +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY, ++ ++ audit(new ConfigTrustedPublicKeyEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + + // rethrow the specific exception to be handled later + throw eAudit1; + } catch (IOException eAudit2) { + CMS.debug("CMSAdminServlet: issueImportCert: IOException thrown: " + eAudit2.toString()); +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY, ++ ++ audit(new ConfigTrustedPublicKeyEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + + // rethrow the specific exception to be handled later + throw eAudit2; +@@ -1890,14 +1872,11 @@ public final class CMSAdminServlet extends AdminServlet { + try { + if (pkcs == null || pkcs.equals("")) { + if (certpath == null || certpath.equals("")) { +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY, ++ ++ audit(new ConfigTrustedPublicKeyEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + + EBaseException ex = new EBaseException( + CMS.getLogMessage("BASE_INVALID_FILE_PATH")); +@@ -1924,14 +1903,11 @@ public 
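Review bot: Every catch block in this hunk and in the neighbouring CMSAdminServlet hunks builds the same `audit(new ConfigTrustedPublicKeyEvent(auditSubjectID, ILogger.FAILURE, auditParams(req)));`; a private helper such as `private void auditTrustedPublicKeyFailure(HttpServletRequest req, String auditSubjectID)` would remove the repetition and make it harder for a later catch block to omit the failure event. The hunk at `@@ -2203,14 +2176,10 @@` still carries `audit(auditMessage);` as a context line, which suggests `auditMessage` remains declared and used in that method while the commit removes it from `issueImportCert`, `importXCert`, `setRootCertTrust` and `trustCACert`; worth confirming no method is left with a declared-but-unused `auditMessage`.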
final class CMSAdminServlet extends AdminServlet { + } + } + } catch (IOException ee) { +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY, ++ ++ audit(new ConfigTrustedPublicKeyEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + + throw new EBaseException( + CMS.getLogMessage("BASE_OPEN_FILE_FAILED")); +@@ -1954,14 +1930,11 @@ public final class CMSAdminServlet extends AdminServlet { + tokenName = nickname.substring(0, index); + nicknameWithoutTokenName = nickname.substring(index + 1); + } else { +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY, ++ ++ audit(new ConfigTrustedPublicKeyEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + + throw new EBaseException( + CMS.getLogMessage("BASE_CERT_NOT_FOUND")); +@@ -2203,14 +2176,10 @@ public final class CMSAdminServlet extends AdminServlet { + audit(auditMessage); + } + +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY, ++ audit(new ConfigTrustedPublicKeyEvent( + auditSubjectID, + ILogger.SUCCESS, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + + mConfig.commit(true); + if (verified == true) { +@@ -2220,26 +2189,20 @@ public final class CMSAdminServlet extends AdminServlet { + null, resp); + } + } catch (EBaseException eAudit1) { +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY, ++ ++ audit(new ConfigTrustedPublicKeyEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + + // rethrow the specific exception to be handled later + throw eAudit1; + } catch (IOException eAudit2) { +- // store a 
message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY, ++ ++ audit(new ConfigTrustedPublicKeyEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + + // rethrow the specific exception to be handled later + throw eAudit2; +@@ -2275,7 +2238,7 @@ public final class CMSAdminServlet extends AdminServlet { + private void importXCert(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { +- String auditMessage = null; ++ + String auditSubjectID = auditSubjectID(); + + // ensure that any low-level exceptions are reported +@@ -2309,14 +2272,11 @@ public final class CMSAdminServlet extends AdminServlet { + try { + if (b64Cert == null || b64Cert.equals("")) { + if (certpath == null || certpath.equals("")) { +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY, ++ ++ audit(new ConfigTrustedPublicKeyEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + + EBaseException ex = new EBaseException( + CMS.getLogMessage("BASE_INVALID_FILE_PATH")); +@@ -2342,14 +2302,11 @@ public final class CMSAdminServlet extends AdminServlet { + } + } + } catch (IOException ee) { +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY, ++ ++ audit(new ConfigTrustedPublicKeyEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + + throw new EBaseException( + CMS.getLogMessage("BASE_OPEN_FILE_FAILED")); +@@ -2376,14 +2333,11 @@ public final class CMSAdminServlet extends AdminServlet { + //this will import into internal ldap crossCerts entry + ccps.importCert(bCert); + } catch (Exception e) { +- // store a message in the signed audit log file +- auditMessage = 
CMS.getLogMessage( +- AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY, ++ ++ audit(new ConfigTrustedPublicKeyEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + + sendResponse(1, "xcert importing failure:" + e.toString(), + null, resp); +@@ -2395,14 +2349,11 @@ public final class CMSAdminServlet extends AdminServlet { + // db to publishing directory, if turned on + ccps.publishCertPairs(); + } catch (EBaseException e) { +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY, ++ ++ audit(new ConfigTrustedPublicKeyEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + + sendResponse(1, "xcerts publishing failure:" + e.toString(), null, resp); + return; +@@ -2416,37 +2367,27 @@ public final class CMSAdminServlet extends AdminServlet { + results.put(Constants.PR_NICKNAME, "FBCA cross-signed cert"); + results.put(Constants.PR_CERT_CONTENT, content); + +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY, ++ audit(new ConfigTrustedPublicKeyEvent( + auditSubjectID, + ILogger.SUCCESS, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + + sendResponse(SUCCESS, null, results, resp); + } catch (EBaseException eAudit1) { +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY, ++ ++ audit(new ConfigTrustedPublicKeyEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + + // rethrow the specific exception to be handled later + throw eAudit1; + } catch (IOException eAudit2) { +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY, ++ ++ audit(new ConfigTrustedPublicKeyEvent( + auditSubjectID, 
+ ILogger.FAILURE, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + + // rethrow the specific exception to be handled later + throw eAudit2; +@@ -2929,7 +2870,7 @@ public final class CMSAdminServlet extends AdminServlet { + public void setRootCertTrust(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { +- String auditMessage = null; ++ + String auditSubjectID = auditSubjectID(); + String nickname = req.getParameter(Constants.PR_NICK_NAME); + String serialno = req.getParameter(Constants.PR_SERIAL_NUMBER); +@@ -2943,25 +2884,20 @@ public final class CMSAdminServlet extends AdminServlet { + try { + jssSubSystem.setRootCertTrust(nickname, serialno, issuername, trust); + } catch (EBaseException e) { +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY, ++ ++ audit(new ConfigTrustedPublicKeyEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); ++ auditParams(req))); + +- audit(auditMessage); + // rethrow the specific exception to be handled later + throw e; + } + +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY, ++ audit(new ConfigTrustedPublicKeyEvent( + auditSubjectID, + ILogger.SUCCESS, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + + sendResponse(SUCCESS, null, null, resp); + } +@@ -2982,7 +2918,7 @@ public final class CMSAdminServlet extends AdminServlet { + private void trustCACert(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { +- String auditMessage = null; ++ + String auditSubjectID = auditSubjectID(); + + CMS.debug("CMSAdminServlet: trustCACert()"); +@@ -3010,38 +2946,28 @@ public final class CMSAdminServlet extends AdminServlet { + } + } + +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY, ++ audit(new 
ConfigTrustedPublicKeyEvent( + auditSubjectID, + ILogger.SUCCESS, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + + //sendResponse(SUCCESS, null, null, resp); + sendResponse(RESTART, null, null, resp); + } catch (EBaseException eAudit1) { +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY, ++ ++ audit(new ConfigTrustedPublicKeyEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + + // rethrow the specific exception to be handled later + throw eAudit1; + } catch (IOException eAudit2) { +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY, ++ ++ audit(new ConfigTrustedPublicKeyEvent( + auditSubjectID, + ILogger.FAILURE, +- auditParams(req)); +- +- audit(auditMessage); ++ auditParams(req))); + + // rethrow the specific exception to be handled later + throw eAudit2; +-- +1.8.3.1 + + +From 439ee21719064e60fb691c48aafdbc7fa722c8b7 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Wed, 26 Apr 2017 01:32:12 +0200 +Subject: [PATCH 06/27] Refactored CertRequestProcessedEvent to use AuditEvent + attributes. + +The CertRequestProcessedEvent constructors have been modified to +log the info attributes using the new AuditEvent attributes. + +The logging property for CERT_REQUEST_PROCESSED event has been +modified to accept a list of attributes as a single string instead +of individual info attributes. + +The CERT_REQUEST_PROCESSED constant in AuditEvent has been replaced +with a constant in CertRequestProcessedEvent class which points to +the new logging property. 
+ +https://pagure.io/dogtagpki/issue/2655 + +Change-Id: I981212af7fca58916c73ccdeba9919a4d051af3c +--- + .../com/netscape/certsrv/logging/AuditEvent.java | 2 -- + .../logging/event/CertRequestProcessedEvent.java | 27 ++++++++++++++-------- + base/server/cmsbundle/src/LogMessages.properties | 2 +- + 3 files changed, 19 insertions(+), 12 deletions(-) + +diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java +index ff5d344..523b204 100644 +--- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java ++++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java +@@ -103,8 +103,6 @@ public class AuditEvent implements IBundleLogEvent { + "LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST_5"; + public final static String PROFILE_CERT_REQUEST = + "LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST_5"; +- public final static String CERT_REQUEST_PROCESSED = +- "LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED_5"; + public final static String CERT_STATUS_CHANGE_REQUEST = + "LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_5"; + public final static String CERT_STATUS_CHANGE_REQUEST_PROCESSED = +diff --git a/base/common/src/com/netscape/certsrv/logging/event/CertRequestProcessedEvent.java b/base/common/src/com/netscape/certsrv/logging/event/CertRequestProcessedEvent.java +index a17f7d5..5155672 100644 +--- a/base/common/src/com/netscape/certsrv/logging/event/CertRequestProcessedEvent.java ++++ b/base/common/src/com/netscape/certsrv/logging/event/CertRequestProcessedEvent.java +@@ -30,6 +30,9 @@ public class CertRequestProcessedEvent extends AuditEvent { + + private static final long serialVersionUID = 1L; + ++ private final static String LOGGING_PROPERTY = ++ "LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED"; ++ + public final static String SIGNED_AUDIT_CERT_REQUEST_REASON = "requestNotes"; + + public CertRequestProcessedEvent( +@@ -39,14 +42,16 @@ public class CertRequestProcessedEvent extends AuditEvent { 
+ String infoName, + String infoValue) { + +- super(CERT_REQUEST_PROCESSED); ++ super(LOGGING_PROPERTY); ++ ++ setAttribute("InfoName", infoName); ++ setAttribute("InfoValue", infoValue); + + setParameters(new Object[] { + subjectID, + outcome, + requesterID, +- infoName, +- infoValue ++ getAttributeList() + }); + } + +@@ -57,14 +62,16 @@ public class CertRequestProcessedEvent extends AuditEvent { + String infoName, + X509CertImpl x509cert) { + +- super(CERT_REQUEST_PROCESSED); ++ super(LOGGING_PROPERTY); ++ ++ setAttribute("InfoName", infoName); ++ setAttribute("InfoValue", auditInfoCertValue(x509cert)); + + setParameters(new Object[] { + subjectID, + outcome, + requesterID, +- infoName, +- auditInfoCertValue(x509cert) ++ getAttributeList() + }); + } + +@@ -75,14 +82,16 @@ public class CertRequestProcessedEvent extends AuditEvent { + String infoName, + IRequest request) { + +- super(CERT_REQUEST_PROCESSED); ++ super(LOGGING_PROPERTY); ++ ++ setAttribute("InfoName", infoName); ++ setAttribute("InfoValue", auditInfoValue(request)); + + setParameters(new Object[] { + subjectID, + outcome, + requesterID, +- infoName, +- auditInfoValue(request) ++ getAttributeList() + }); + } + +diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties +index d3ac06a..1a5b37a 100644 +--- a/base/server/cmsbundle/src/LogMessages.properties ++++ b/base/server/cmsbundle/src/LogMessages.properties +@@ -2088,7 +2088,7 @@ LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST_5=:[AuditEv + # InfoValue must contain the certificate (in case of success), a reject reason in + # text, or a cancel reason in text + # +-LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED_5=:[AuditEvent=CERT_REQUEST_PROCESSED][SubjectID={0}][Outcome={1}][ReqID={2}][InfoName={3}][InfoValue={4}] certificate request processed ++LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED=:[AuditEvent=CERT_REQUEST_PROCESSED][SubjectID={0}][Outcome={1}][ReqID={2}]{3} certificate request processed + # + # 
LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST + # - used when a certificate status change request (e.g. revocation) +-- +1.8.3.1 + + +From 3edee861f0f31910020825a4bdc18f36017b6a26 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Wed, 26 Apr 2017 02:02:34 +0200 +Subject: [PATCH 07/27] Added certificate serial number for + CERT_REQUEST_PROCESSED. + +The CertRequestProcessedEvent constructor that takes a certificate +object was modified to log the certificate serial number instead of +the base64-encoded certificate data. + +https://pagure.io/dogtagpki/issue/2655 + +Change-Id: I67f33a7d435d0e5accdb646bdd20bae99d123472 +--- + .../com/netscape/certsrv/logging/event/CertRequestProcessedEvent.java | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/base/common/src/com/netscape/certsrv/logging/event/CertRequestProcessedEvent.java b/base/common/src/com/netscape/certsrv/logging/event/CertRequestProcessedEvent.java +index 5155672..d095ab6 100644 +--- a/base/common/src/com/netscape/certsrv/logging/event/CertRequestProcessedEvent.java ++++ b/base/common/src/com/netscape/certsrv/logging/event/CertRequestProcessedEvent.java +@@ -64,8 +64,7 @@ public class CertRequestProcessedEvent extends AuditEvent { + + super(LOGGING_PROPERTY); + +- setAttribute("InfoName", infoName); +- setAttribute("InfoValue", auditInfoCertValue(x509cert)); ++ setAttribute("CertSerialNum", x509cert.getSerialNumber()); + + setParameters(new Object[] { + subjectID, +-- +1.8.3.1 + + +From 641180a465d7fdf12a978c9c458e39bf6829cac2 Mon Sep 17 00:00:00 2001 +From: Matthew Harmsen +Date: Tue, 16 May 2017 12:58:17 -0600 +Subject: [PATCH 08/27] Added FIPS class to pkispawn + +Bugzilla Bug #1450143 - CA installation with HSM in FIPS mode fails +dogtagpki Pagure Issue #2684 - CA installation with HSM in FIPS mode fails +--- + .../python/pki/server/deployment/__init__.py | 2 ++ + .../python/pki/server/deployment/pkihelper.py | 41 ++++++++++++++++++++++ + 
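Review bot: After this change the `infoName` parameter of the X509CertImpl constructor appears to be unused, since the only attribute set is `CertSerialNum` and the parameter list of `setParameters` (from the previous patch) does not reference it; either drop the parameter or state in the constructor Javadoc that it is ignored for the certificate form. The comment above LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED in LogMessages.properties (visible in the previous patch) still says InfoValue must contain the certificate on success, which no longer holds for this constructor; suggest replacing it with `# On success the CertSerialNum attribute carries the serial number of the issued certificate`. The constructor signature and the rest of `setParameters` are outside the hunk.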
.../python/pki/server/deployment/pkimessages.py | 4 +++ + .../server/deployment/scriptlets/finalization.py | 10 ++++-- + base/server/sbin/pkispawn | 10 ++++++ + 5 files changed, 65 insertions(+), 2 deletions(-) + +diff --git a/base/server/python/pki/server/deployment/__init__.py b/base/server/python/pki/server/deployment/__init__.py +index 3d719de..709fe70 100644 +--- a/base/server/python/pki/server/deployment/__init__.py ++++ b/base/server/python/pki/server/deployment/__init__.py +@@ -55,6 +55,7 @@ class PKIDeployer: + self.symlink = None + self.war = None + self.password = None ++ self.fips = None + self.hsm = None + self.certutil = None + self.modutil = None +@@ -99,6 +100,7 @@ class PKIDeployer: + self.symlink = util.Symlink(self) + self.war = util.War(self) + self.password = util.Password(self) ++ self.fips = util.FIPS(self) + self.hsm = util.HSM(self) + self.certutil = util.Certutil(self) + self.modutil = util.Modutil(self) +diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py +index a1345de..cf2a748 100644 +--- a/base/server/python/pki/server/deployment/pkihelper.py ++++ b/base/server/python/pki/server/deployment/pkihelper.py +@@ -2172,6 +2172,47 @@ class Password: + return token_pwd + + ++class FIPS: ++ """PKI Deployment FIPS class""" ++ ++ def __init__(self, deployer): ++ self.mdict = deployer.mdict ++ ++ def is_fips_enabled(self, critical_failure=False): ++ try: ++ # Always initialize FIPS mode as NOT enabled ++ self.mdict['pki_fips_mode_enabled'] = False ++ ++ # Check to see if FIPS is enabled on this system ++ command = ["sysctl", "crypto.fips_enabled", "-bn"] ++ ++ # Execute this "sysctl" command. 
++ with open(os.devnull, "w") as fnull: ++ output = subprocess.check_output(command, stderr=fnull, ++ close_fds=True) ++ if (output != "0"): ++ # Set FIPS mode as enabled ++ self.mdict['pki_fips_mode_enabled'] = True ++ config.pki_log.info(log.PKIHELPER_FIPS_MODE_IS_ENABLED, ++ extra=config.PKI_INDENTATION_LEVEL_3) ++ return True ++ else: ++ config.pki_log.info(log.PKIHELPER_FIPS_MODE_IS_NOT_ENABLED, ++ extra=config.PKI_INDENTATION_LEVEL_3) ++ return False ++ except subprocess.CalledProcessError as exc: ++ config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc, ++ extra=config.PKI_INDENTATION_LEVEL_2) ++ if critical_failure: ++ raise ++ except OSError as exc: ++ config.pki_log.error(log.PKI_OSERROR_1, exc, ++ extra=config.PKI_INDENTATION_LEVEL_2) ++ if critical_failure: ++ raise ++ return False ++ ++ + class HSM: + """PKI Deployment HSM class""" + +diff --git a/base/server/python/pki/server/deployment/pkimessages.py b/base/server/python/pki/server/deployment/pkimessages.py +index c8821bb..52c8e62 100644 +--- a/base/server/python/pki/server/deployment/pkimessages.py ++++ b/base/server/python/pki/server/deployment/pkimessages.py +@@ -222,6 +222,10 @@ PKIHELPER_GROUP_ADD_2 = "adding GID '%s' for group '%s' . . ." + PKIHELPER_GROUP_ADD_DEFAULT_2 = "adding default GID '%s' for group '%s' . . ." + PKIHELPER_GROUP_ADD_GID_KEYERROR_1 = "KeyError: pki_gid %s" + PKIHELPER_GROUP_ADD_KEYERROR_1 = "KeyError: pki_group %s" ++PKIHELPER_FIPS_MODE_IS_ENABLED = "FIPS mode is enabled on this operating "\ ++ "system." ++PKIHELPER_FIPS_MODE_IS_NOT_ENABLED = "FIPS mode is NOT enabled on this "\ ++ "operating system." 
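Review bot: `if (output != "0")` compares the result of `subprocess.check_output` with a str, but under Python 3 `check_output` returns bytes, so the comparison is always true and every host would be reported as FIPS-enabled; if this module runs under Python 3 (the bare `print()` calls in pkispawn suggest it may), decode before comparing, e.g. `output = subprocess.check_output(command, stderr=fnull, close_fds=True).decode("utf-8").strip()`. The method also resets `mdict['pki_fips_mode_enabled']` to False before probing and returns False on CalledProcessError or OSError unless `critical_failure` is set, so a missing `sysctl` binary silently reports non-FIPS; a docstring should spell that out, e.g. `"""Return True if crypto.fips_enabled is set; on probe failure log and return False (re-raise when critical_failure)."""`.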
+ PKIHELPER_HSM_CLONES_MUST_SHARE_HSM_MASTER_PRIVATE_KEYS = \ + "Since clones using Hardware Security Modules (HSMs) must share their "\ + "master's private keys, the 'pki_clone_pkcs12_path' and "\ +diff --git a/base/server/python/pki/server/deployment/scriptlets/finalization.py b/base/server/python/pki/server/deployment/scriptlets/finalization.py +index 75bb80e..ef750b9 100644 +--- a/base/server/python/pki/server/deployment/scriptlets/finalization.py ++++ b/base/server/python/pki/server/deployment/scriptlets/finalization.py +@@ -58,8 +58,14 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + if config.str2bool(deployer.mdict['pki_restart_configured_instance']): + deployer.systemd.restart() + # wait for startup +- # (must use 'http' protocol due to potential FIPS configuration) +- status = deployer.instance.wait_for_startup(60, False) ++ status = None ++ if deployer.fips.is_fips_enabled(): ++ # must use 'http' protocol when FIPS mode is enabled ++ status = deployer.instance.wait_for_startup( ++ 60, secure_connection=False) ++ else: ++ status = deployer.instance.wait_for_startup( ++ 60, secure_connection=True) + if status is None: + config.pki_log.error( + "server failed to restart", +diff --git a/base/server/sbin/pkispawn b/base/server/sbin/pkispawn +index e6e337b..9394b8e 100755 +--- a/base/server/sbin/pkispawn ++++ b/base/server/sbin/pkispawn +@@ -756,6 +756,16 @@ def print_final_install_information(mdict): + " is a clone." % + (deployer.subsystem_name, mdict['pki_instance_name'])) + ++ if mdict['pki_fips_mode_enabled']: ++ print() ++ print(" This %s subsystem of the '%s' instance\n" ++ " has FIPS mode enabled on this operating system." % ++ (deployer.subsystem_name, mdict['pki_instance_name'])) ++ print() ++ print(" REMINDER: Don't forget to update the appropriate FIPS\n" ++ " algorithms in server.xml in the '%s' instance." 
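Review bot: `status = None` before the if/else in finalization.py is dead, since both branches assign `status`, and the branches differ only in the `secure_connection` flag; the block reads more clearly as `status = deployer.instance.wait_for_startup(60, secure_connection=not deployer.fips.is_fips_enabled())` with the FIPS comment kept above it. Note that `is_fips_enabled()` re-runs the sysctl probe here rather than reading `mdict['pki_fips_mode_enabled']`; if the probe has already run earlier in the deployment, the cached value would avoid a second subprocess, though the re-probe itself is harmless. The enclosing restart block of the scriptlet starts and ends outside the hunk.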
++ % mdict['pki_instance_name']) ++ + print(log.PKI_CHECK_STATUS_MESSAGE % mdict['pki_instance_name']) + print(log.PKI_INSTANCE_RESTART_MESSAGE % mdict['pki_instance_name']) + +-- +1.8.3.1 + + +From dcbe7ce08fcf9512a6cf1ecf22ed080c0085e28a Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Wed, 17 May 2017 02:53:59 +0200 +Subject: [PATCH 10/27] Fixed audit event outcome for agent-rejected cert + request. + +The outcome of CERT_REQUEST_PROCESSED event has been changed to +Failure when the certificate request is rejected by an agent. + +https://pagure.io/dogtagpki/issue/2693 + +Change-Id: I530de4fe08ba97a8676d56a6aaf6c11ab7c36e40 +--- + base/server/cms/src/com/netscape/cms/servlet/cert/RequestProcessor.java | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/RequestProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/cert/RequestProcessor.java +index 4494d2c..d8d8803 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/cert/RequestProcessor.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/cert/RequestProcessor.java +@@ -311,7 +311,7 @@ public class RequestProcessor extends CertProcessor { + + audit(new CertRequestProcessedEvent( + auditSubjectID, +- ILogger.SUCCESS, ++ ILogger.FAILURE, + auditRequesterID, + ILogger.SIGNED_AUDIT_REJECTION, + req)); +-- +1.8.3.1 + + +From e54873d6dbb95e82632f888b90dc6d0d7836ad4d Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Wed, 17 May 2017 17:43:00 +0200 +Subject: [PATCH 11/27] Fixed audit event outcome for agent-canceled cert + request. + +The outcome of CERT_REQUEST_PROCESSED event has been changed to +Failure when the certificate request is canceled by an agent. 
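Review bot: `mdict['pki_fips_mode_enabled']` raises KeyError if `FIPS.is_fips_enabled()` never ran, and as far as this patch shows the key is only written inside that method, which finalization.py calls only when `pki_restart_configured_instance` is true; an install with restart disabled would therefore crash at the final summary. Use `if mdict.get('pki_fips_mode_enabled', False):` so the summary degrades to "not reported" instead of failing. The rest of print_final_install_information is outside the hunk.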
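Review bot: With this change (and the matching cancellation change in the next patch) CERT_REQUEST_PROCESSED with Outcome=Failure now covers deliberate agent rejections and cancellations as well as processing errors, which matters for anyone alerting on Failure outcomes in the signed audit log. The LogMessages.properties description of LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED should say so, e.g. `# Outcome is Failure when the request is rejected or canceled by an agent; InfoName identifies which`. The enclosing method in RequestProcessor starts and ends outside the hunk.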
+ +https://pagure.io/dogtagpki/issue/2694 + +Change-Id: Iad25a135851188cc97106d81800e3b8443a2970a +--- + base/server/cms/src/com/netscape/cms/servlet/cert/RequestProcessor.java | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/RequestProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/cert/RequestProcessor.java +index d8d8803..df5aae0 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/cert/RequestProcessor.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/cert/RequestProcessor.java +@@ -281,7 +281,7 @@ public class RequestProcessor extends CertProcessor { + + audit(new CertRequestProcessedEvent( + auditSubjectID, +- ILogger.SUCCESS, ++ ILogger.FAILURE, + auditRequesterID, + ILogger.SIGNED_AUDIT_CANCELLATION, + req)); +-- +1.8.3.1 + + +From c6ed9679acba5d0072a16878ecf98e0843ab6a3a Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Wed, 17 May 2017 19:25:20 +0200 +Subject: [PATCH 12/27] Refactored UpdateCRL.process() (part 1). + +The UpdateCRL.process() has been refactored to reduce deeply +nested if-statements with early return. 
+ +https://pagure.io/dogtagpki/issue/2651 + +Change-Id: I507bf72e28c3ba0ab98f24466bac2a40f1e6b198 +--- + base/server/cms/src/com/netscape/cms/servlet/cert/UpdateCRL.java | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/UpdateCRL.java b/base/server/cms/src/com/netscape/cms/servlet/cert/UpdateCRL.java +index d873b1a..1182922 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/cert/UpdateCRL.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/cert/UpdateCRL.java +@@ -331,7 +331,11 @@ public class UpdateCRL extends CMSServlet { + header.addStringValue("crlIssuingPoint", crlIssuingPointId); + IPublisherProcessor lpm = mCA.getPublisherProcessor(); + +- if (crlIssuingPoint != null) { ++ if (crlIssuingPoint == null) { ++ CMS.debug("UpdateCRL: no CRL issuing point"); ++ return; ++ } ++ + if (clearCache != null && clearCache.equals("true") && + crlIssuingPoint.isCRLGenerationEnabled() && + crlIssuingPoint.isCRLUpdateInProgress() == ICRLIssuingPoint.CRL_UPDATE_DONE && +@@ -523,7 +527,5 @@ public class UpdateCRL extends CMSServlet { + header.addStringValue("crlUpdate", "Scheduled"); + } + } +- } +- return; + } + } +-- +1.8.3.1 + + +From 69d5dc82f8664d1eb5dfcdcec615088127c0ad97 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Wed, 17 May 2017 19:40:51 +0200 +Subject: [PATCH 13/27] Refactored UpdateCRL.process() (part 2). + +The UpdateCRL.process() has been refactored to reduce deeply +nested if-statements with early return. 
+ +https://pagure.io/dogtagpki/issue/2651 + +Change-Id: I5591bf08e617614ca7def5ce5fff61e0925e4fc5 +--- + .../com/netscape/cms/servlet/cert/UpdateCRL.java | 32 +++++++++++----------- + 1 file changed, 16 insertions(+), 16 deletions(-) + +diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/UpdateCRL.java b/base/server/cms/src/com/netscape/cms/servlet/cert/UpdateCRL.java +index 1182922..8669361 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/cert/UpdateCRL.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/cert/UpdateCRL.java +@@ -343,11 +343,25 @@ public class UpdateCRL extends CMSServlet { + == ICRLIssuingPoint.CRL_IP_INITIALIZED) { + crlIssuingPoint.clearCRLCache(); + } +- if (waitForUpdate != null && waitForUpdate.equals("true") && ++ if (!(waitForUpdate != null && waitForUpdate.equals("true") && + crlIssuingPoint.isCRLGenerationEnabled() && + crlIssuingPoint.isCRLUpdateInProgress() == ICRLIssuingPoint.CRL_UPDATE_DONE && + crlIssuingPoint.isCRLIssuingPointInitialized() +- == ICRLIssuingPoint.CRL_IP_INITIALIZED) { ++ == ICRLIssuingPoint.CRL_IP_INITIALIZED)) { ++ if (crlIssuingPoint.isCRLIssuingPointInitialized() != ICRLIssuingPoint.CRL_IP_INITIALIZED) { ++ header.addStringValue("crlUpdate", "notInitialized"); ++ } else if (crlIssuingPoint.isCRLUpdateInProgress() ++ != ICRLIssuingPoint.CRL_UPDATE_DONE || ++ crlIssuingPoint.isManualUpdateSet()) { ++ header.addStringValue("crlUpdate", "inProgress"); ++ } else if (!crlIssuingPoint.isCRLGenerationEnabled()) { ++ header.addStringValue("crlUpdate", "Disabled"); ++ } else { ++ crlIssuingPoint.setManualUpdate(signatureAlgorithm); ++ header.addStringValue("crlUpdate", "Scheduled"); ++ } ++ return; ++ } + if (test != null && test.equals("true") && + crlIssuingPoint.isCRLCacheTestingEnabled() && + (!mTesting.contains(crlIssuingPointId))) { +@@ -513,19 +527,5 @@ public class UpdateCRL extends CMSServlet { + } + } + } +- } else { +- if (crlIssuingPoint.isCRLIssuingPointInitialized() != 
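Review bot: The negated `if (!(waitForUpdate != null && ... ))` on the new side is hard to read and the branch body re-evaluates `isCRLIssuingPointInitialized()` and `isCRLUpdateInProgress()` that the condition just checked; naming the condition once, `boolean canUpdateNow = "true".equals(waitForUpdate) && crlIssuingPoint.isCRLGenerationEnabled() && ...;` followed by `if (!canUpdateNow) {`, keeps the early-return shape without the double negation, and `"true".equals(x)` also subsumes the separate null check. process() starts and ends outside the hunk.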
ICRLIssuingPoint.CRL_IP_INITIALIZED) { +- header.addStringValue("crlUpdate", "notInitialized"); +- } else if (crlIssuingPoint.isCRLUpdateInProgress() +- != ICRLIssuingPoint.CRL_UPDATE_DONE || +- crlIssuingPoint.isManualUpdateSet()) { +- header.addStringValue("crlUpdate", "inProgress"); +- } else if (!crlIssuingPoint.isCRLGenerationEnabled()) { +- header.addStringValue("crlUpdate", "Disabled"); +- } else { +- crlIssuingPoint.setManualUpdate(signatureAlgorithm); +- header.addStringValue("crlUpdate", "Scheduled"); +- } +- } + } + } +-- +1.8.3.1 + + +From ce9e6f1704d6c821429faafc778358202e1a233e Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Wed, 17 May 2017 19:43:06 +0200 +Subject: [PATCH 14/27] Refactored UpdateCRL.process() (part 3). + +The UpdateCRL.process() has been refactored to reduce deeply +nested if-statements with early return. + +https://pagure.io/dogtagpki/issue/2651 + +Change-Id: Ie3aa5f9154eec78e994cf89cc33616d2c5cbaf47 +--- + base/server/cms/src/com/netscape/cms/servlet/cert/UpdateCRL.java | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/UpdateCRL.java b/base/server/cms/src/com/netscape/cms/servlet/cert/UpdateCRL.java +index 8669361..ca4a5bf 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/cert/UpdateCRL.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/cert/UpdateCRL.java +@@ -436,14 +436,17 @@ public class UpdateCRL extends CMSServlet { + + mTesting.remove(crlIssuingPointId); + CMS.debug("CRL test finished."); ++ return; + } else if (test != null && test.equals("true") && + crlIssuingPoint.isCRLCacheTestingEnabled() && + mTesting.contains(crlIssuingPointId)) { + header.addStringValue("crlUpdate", "testingInProgress"); ++ return; + } else if (test != null && test.equals("true") && + (!crlIssuingPoint.isCRLCacheTestingEnabled())) { + header.addStringValue("crlUpdate", "testingNotEnabled"); +- } else { ++ return; ++ } + try { + EBaseException 
publishError = null; + +@@ -526,6 +529,5 @@ public class UpdateCRL extends CMSServlet { + throw e; + } + } +- } + } + } +-- +1.8.3.1 + + +From 75f588c291c1ab27e1e2b4edaa4c254a8bbc21a2 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Wed, 17 May 2017 19:45:39 +0200 +Subject: [PATCH 15/27] Reformatted UpdateCRL.process(). + +The UpdateCRL.process() has been reformatted to adjust the +indentations after refactoring. + +https://pagure.io/dogtagpki/issue/2651 + +Change-Id: Ic67376678d442b9e2a79f9375aef61eab99d1b5c +--- + .../com/netscape/cms/servlet/cert/UpdateCRL.java | 348 ++++++++++----------- + 1 file changed, 174 insertions(+), 174 deletions(-) + +diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/UpdateCRL.java b/base/server/cms/src/com/netscape/cms/servlet/cert/UpdateCRL.java +index ca4a5bf..7faecf1 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/cert/UpdateCRL.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/cert/UpdateCRL.java +@@ -336,198 +336,198 @@ public class UpdateCRL extends CMSServlet { + return; + } + +- if (clearCache != null && clearCache.equals("true") && +- crlIssuingPoint.isCRLGenerationEnabled() && +- crlIssuingPoint.isCRLUpdateInProgress() == ICRLIssuingPoint.CRL_UPDATE_DONE && +- crlIssuingPoint.isCRLIssuingPointInitialized() +- == ICRLIssuingPoint.CRL_IP_INITIALIZED) { +- crlIssuingPoint.clearCRLCache(); ++ if (clearCache != null && clearCache.equals("true") && ++ crlIssuingPoint.isCRLGenerationEnabled() && ++ crlIssuingPoint.isCRLUpdateInProgress() == ICRLIssuingPoint.CRL_UPDATE_DONE && ++ crlIssuingPoint.isCRLIssuingPointInitialized() ++ == ICRLIssuingPoint.CRL_IP_INITIALIZED) { ++ crlIssuingPoint.clearCRLCache(); ++ } ++ if (!(waitForUpdate != null && waitForUpdate.equals("true") && ++ crlIssuingPoint.isCRLGenerationEnabled() && ++ crlIssuingPoint.isCRLUpdateInProgress() == ICRLIssuingPoint.CRL_UPDATE_DONE && ++ crlIssuingPoint.isCRLIssuingPointInitialized() ++ == ICRLIssuingPoint.CRL_IP_INITIALIZED)) { 
++ if (crlIssuingPoint.isCRLIssuingPointInitialized() != ICRLIssuingPoint.CRL_IP_INITIALIZED) { ++ header.addStringValue("crlUpdate", "notInitialized"); ++ } else if (crlIssuingPoint.isCRLUpdateInProgress() ++ != ICRLIssuingPoint.CRL_UPDATE_DONE || ++ crlIssuingPoint.isManualUpdateSet()) { ++ header.addStringValue("crlUpdate", "inProgress"); ++ } else if (!crlIssuingPoint.isCRLGenerationEnabled()) { ++ header.addStringValue("crlUpdate", "Disabled"); ++ } else { ++ crlIssuingPoint.setManualUpdate(signatureAlgorithm); ++ header.addStringValue("crlUpdate", "Scheduled"); + } +- if (!(waitForUpdate != null && waitForUpdate.equals("true") && +- crlIssuingPoint.isCRLGenerationEnabled() && +- crlIssuingPoint.isCRLUpdateInProgress() == ICRLIssuingPoint.CRL_UPDATE_DONE && +- crlIssuingPoint.isCRLIssuingPointInitialized() +- == ICRLIssuingPoint.CRL_IP_INITIALIZED)) { +- if (crlIssuingPoint.isCRLIssuingPointInitialized() != ICRLIssuingPoint.CRL_IP_INITIALIZED) { +- header.addStringValue("crlUpdate", "notInitialized"); +- } else if (crlIssuingPoint.isCRLUpdateInProgress() +- != ICRLIssuingPoint.CRL_UPDATE_DONE || +- crlIssuingPoint.isManualUpdateSet()) { +- header.addStringValue("crlUpdate", "inProgress"); +- } else if (!crlIssuingPoint.isCRLGenerationEnabled()) { +- header.addStringValue("crlUpdate", "Disabled"); +- } else { +- crlIssuingPoint.setManualUpdate(signatureAlgorithm); +- header.addStringValue("crlUpdate", "Scheduled"); ++ return; ++ } ++ if (test != null && test.equals("true") && ++ crlIssuingPoint.isCRLCacheTestingEnabled() && ++ (!mTesting.contains(crlIssuingPointId))) { ++ CMS.debug("CRL test started."); ++ mTesting.add(crlIssuingPointId); ++ BigInteger addLen = null; ++ BigInteger startFrom = null; ++ if (add != null && add.length() > 0 && ++ from != null && from.length() > 0) { ++ try { ++ addLen = new BigInteger(add); ++ startFrom = new BigInteger(from); ++ } catch (Exception e) { + } +- return; + } +- if (test != null && test.equals("true") && +- 
crlIssuingPoint.isCRLCacheTestingEnabled() && +- (!mTesting.contains(crlIssuingPointId))) { +- CMS.debug("CRL test started."); +- mTesting.add(crlIssuingPointId); +- BigInteger addLen = null; +- BigInteger startFrom = null; +- if (add != null && add.length() > 0 && +- from != null && from.length() > 0) { +- try { +- addLen = new BigInteger(add); +- startFrom = new BigInteger(from); +- } catch (Exception e) { +- } +- } +- if (addLen != null && startFrom != null) { +- Date revocationDate = CMS.getCurrentDate(); +- String err = null; +- +- CRLExtensions entryExts = crlEntryExtensions(reason, invalidity); +- +- BigInteger serialNumber = startFrom; +- BigInteger counter = addLen; +- BigInteger stepBy = null; +- if (by != null && by.length() > 0) { +- try { +- stepBy = new BigInteger(by); +- } catch (Exception e) { +- } +- } ++ if (addLen != null && startFrom != null) { ++ Date revocationDate = CMS.getCurrentDate(); ++ String err = null; + +- long t1 = System.currentTimeMillis(); +- long t2 = 0; +- +- while (counter.compareTo(BigInteger.ZERO) > 0) { +- RevokedCertImpl revokedCert = +- new RevokedCertImpl(serialNumber, revocationDate, entryExts); +- crlIssuingPoint.addRevokedCert(serialNumber, revokedCert); +- serialNumber = serialNumber.add(BigInteger.ONE); +- counter = counter.subtract(BigInteger.ONE); +- +- if ((counter.compareTo(BigInteger.ZERO) == 0) || +- (stepBy != null && ((counter.mod(stepBy)).compareTo(BigInteger.ZERO) == 0))) { +- t2 = System.currentTimeMillis(); +- long t0 = t2 - t1; +- t1 = t2; +- try { +- if (signatureAlgorithm != null) { +- crlIssuingPoint.updateCRLNow(signatureAlgorithm); +- } else { +- crlIssuingPoint.updateCRLNow(); +- } +- } catch (Throwable e) { +- counter = BigInteger.ZERO; +- err = e.toString(); +- } +- if (results != null && results.equals("1")) { +- addInfo(argSet, crlIssuingPoint, t0); +- } +- } +- } +- if (err != null) { +- header.addStringValue("crlUpdate", "Failure"); +- header.addStringValue("error", err); +- } else { +- 
header.addStringValue("crlUpdate", "Success"); +- } +- } else { +- CMS.debug("CRL test error: missing parameters."); +- header.addStringValue("crlUpdate", "missingParameters"); +- } ++ CRLExtensions entryExts = crlEntryExtensions(reason, invalidity); + +- mTesting.remove(crlIssuingPointId); +- CMS.debug("CRL test finished."); +- return; +- } else if (test != null && test.equals("true") && +- crlIssuingPoint.isCRLCacheTestingEnabled() && +- mTesting.contains(crlIssuingPointId)) { +- header.addStringValue("crlUpdate", "testingInProgress"); +- return; +- } else if (test != null && test.equals("true") && +- (!crlIssuingPoint.isCRLCacheTestingEnabled())) { +- header.addStringValue("crlUpdate", "testingNotEnabled"); +- return; +- } ++ BigInteger serialNumber = startFrom; ++ BigInteger counter = addLen; ++ BigInteger stepBy = null; ++ if (by != null && by.length() > 0) { + try { +- EBaseException publishError = null; ++ stepBy = new BigInteger(by); ++ } catch (Exception e) { ++ } ++ } + ++ long t1 = System.currentTimeMillis(); ++ long t2 = 0; ++ ++ while (counter.compareTo(BigInteger.ZERO) > 0) { ++ RevokedCertImpl revokedCert = ++ new RevokedCertImpl(serialNumber, revocationDate, entryExts); ++ crlIssuingPoint.addRevokedCert(serialNumber, revokedCert); ++ serialNumber = serialNumber.add(BigInteger.ONE); ++ counter = counter.subtract(BigInteger.ONE); ++ ++ if ((counter.compareTo(BigInteger.ZERO) == 0) || ++ (stepBy != null && ((counter.mod(stepBy)).compareTo(BigInteger.ZERO) == 0))) { ++ t2 = System.currentTimeMillis(); ++ long t0 = t2 - t1; ++ t1 = t2; + try { +- long now1 = System.currentTimeMillis(); +- + if (signatureAlgorithm != null) { + crlIssuingPoint.updateCRLNow(signatureAlgorithm); + } else { + crlIssuingPoint.updateCRLNow(); + } ++ } catch (Throwable e) { ++ counter = BigInteger.ZERO; ++ err = e.toString(); ++ } ++ if (results != null && results.equals("1")) { ++ addInfo(argSet, crlIssuingPoint, t0); ++ } ++ } ++ } ++ if (err != null) { ++ 
header.addStringValue("crlUpdate", "Failure"); ++ header.addStringValue("error", err); ++ } else { ++ header.addStringValue("crlUpdate", "Success"); ++ } ++ } else { ++ CMS.debug("CRL test error: missing parameters."); ++ header.addStringValue("crlUpdate", "missingParameters"); ++ } + +- long now2 = System.currentTimeMillis(); ++ mTesting.remove(crlIssuingPointId); ++ CMS.debug("CRL test finished."); ++ return; ++ } else if (test != null && test.equals("true") && ++ crlIssuingPoint.isCRLCacheTestingEnabled() && ++ mTesting.contains(crlIssuingPointId)) { ++ header.addStringValue("crlUpdate", "testingInProgress"); ++ return; ++ } else if (test != null && test.equals("true") && ++ (!crlIssuingPoint.isCRLCacheTestingEnabled())) { ++ header.addStringValue("crlUpdate", "testingNotEnabled"); ++ return; ++ } ++ try { ++ EBaseException publishError = null; + +- header.addStringValue("time", "" + (now2 - now1)); +- } catch (EErrorPublishCRL e) { +- publishError = e; +- } ++ try { ++ long now1 = System.currentTimeMillis(); + +- if (lpm != null && lpm.isCRLPublishingEnabled()) { +- Enumeration rules = lpm.getRules(IPublisherProcessor.PROP_LOCAL_CRL); +- if (rules != null && rules.hasMoreElements()) { +- if (publishError != null) { +- header.addStringValue("crlPublished", "Failure"); +- header.addStringValue("error", publishError.toString(locale)); +- } else { +- header.addStringValue("crlPublished", "Success"); +- } +- } +- } ++ if (signatureAlgorithm != null) { ++ crlIssuingPoint.updateCRLNow(signatureAlgorithm); ++ } else { ++ crlIssuingPoint.updateCRLNow(); ++ } + +- // for audit log +- SessionContext sContext = SessionContext.getContext(); +- String agentId = (String) sContext.get(SessionContext.USER_ID); +- IAuthToken authToken = (IAuthToken) sContext.get(SessionContext.AUTH_TOKEN); +- String authMgr = AuditFormat.NOAUTH; ++ long now2 = System.currentTimeMillis(); + +- if (authToken != null) { +- authMgr = authToken.getInString(AuthToken.TOKEN_AUTHMGR_INST_NAME); +- } +- 
long endTime = CMS.getCurrentDate().getTime(); +- +- if (crlIssuingPoint.getNextUpdate() != null) { +- mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER, +- AuditFormat.LEVEL, +- AuditFormat.CRLUPDATEFORMAT, +- new Object[] { +- AuditFormat.FROMAGENT + " agentID: " + agentId, +- authMgr, +- "completed", +- crlIssuingPoint.getId(), +- crlIssuingPoint.getCRLNumber(), +- crlIssuingPoint.getLastUpdate(), +- crlIssuingPoint.getNextUpdate(), +- Long.toString(crlIssuingPoint.getCRLSize()) +- + " time: " + (endTime - startTime) } +- ); +- } else { +- mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER, +- AuditFormat.LEVEL, +- AuditFormat.CRLUPDATEFORMAT, +- new Object[] { +- AuditFormat.FROMAGENT + " agentID: " + agentId, +- authMgr, +- "completed", +- crlIssuingPoint.getId(), +- crlIssuingPoint.getCRLNumber(), +- crlIssuingPoint.getLastUpdate(), +- "not set", +- Long.toString(crlIssuingPoint.getCRLSize()) +- + " time: " + (endTime - startTime) } +- ); +- } +- } catch (EBaseException e) { +- log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_ERR_UPDATE_CRL", e.toString())); +- if ((lpm != null) && lpm.isCRLPublishingEnabled() && (e instanceof ELdapException)) { +- header.addStringValue("crlPublished", "Failure"); +- header.addStringValue("error", e.toString(locale)); +- } else { +- throw e; +- } ++ header.addStringValue("time", "" + (now2 - now1)); ++ } catch (EErrorPublishCRL e) { ++ publishError = e; ++ } ++ ++ if (lpm != null && lpm.isCRLPublishingEnabled()) { ++ Enumeration rules = lpm.getRules(IPublisherProcessor.PROP_LOCAL_CRL); ++ if (rules != null && rules.hasMoreElements()) { ++ if (publishError != null) { ++ header.addStringValue("crlPublished", "Failure"); ++ header.addStringValue("error", publishError.toString(locale)); ++ } else { ++ header.addStringValue("crlPublished", "Success"); + } ++ } ++ } ++ ++ // for audit log ++ SessionContext sContext = SessionContext.getContext(); ++ String agentId = (String) sContext.get(SessionContext.USER_ID); ++ IAuthToken authToken = 
(IAuthToken) sContext.get(SessionContext.AUTH_TOKEN); ++ String authMgr = AuditFormat.NOAUTH; ++ ++ if (authToken != null) { ++ authMgr = authToken.getInString(AuthToken.TOKEN_AUTHMGR_INST_NAME); ++ } ++ long endTime = CMS.getCurrentDate().getTime(); ++ ++ if (crlIssuingPoint.getNextUpdate() != null) { ++ mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER, ++ AuditFormat.LEVEL, ++ AuditFormat.CRLUPDATEFORMAT, ++ new Object[] { ++ AuditFormat.FROMAGENT + " agentID: " + agentId, ++ authMgr, ++ "completed", ++ crlIssuingPoint.getId(), ++ crlIssuingPoint.getCRLNumber(), ++ crlIssuingPoint.getLastUpdate(), ++ crlIssuingPoint.getNextUpdate(), ++ Long.toString(crlIssuingPoint.getCRLSize()) ++ + " time: " + (endTime - startTime) } ++ ); ++ } else { ++ mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER, ++ AuditFormat.LEVEL, ++ AuditFormat.CRLUPDATEFORMAT, ++ new Object[] { ++ AuditFormat.FROMAGENT + " agentID: " + agentId, ++ authMgr, ++ "completed", ++ crlIssuingPoint.getId(), ++ crlIssuingPoint.getCRLNumber(), ++ crlIssuingPoint.getLastUpdate(), ++ "not set", ++ Long.toString(crlIssuingPoint.getCRLSize()) ++ + " time: " + (endTime - startTime) } ++ ); ++ } ++ } catch (EBaseException e) { ++ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_ERR_UPDATE_CRL", e.toString())); ++ if ((lpm != null) && lpm.isCRLPublishingEnabled() && (e instanceof ELdapException)) { ++ header.addStringValue("crlPublished", "Failure"); ++ header.addStringValue("error", e.toString(locale)); ++ } else { ++ throw e; ++ } ++ } + } + } +-- +1.8.3.1 + + +From 3c43b1119ca978c296a38a9fe404e1c0cdcdab63 Mon Sep 17 00:00:00 2001 +From: Christina Fu +Date: Mon, 15 May 2017 18:15:36 -0700 +Subject: [PATCH 16/27] Tocket2673- CMC: allow enrollment key signed + (self-signed) CMC with identity proof + +This patch implements the self-signed CMC requests, where the request is signed by the public key of the underlying request (PKCS#10 or CRMF). 
The scenario for when this method is used is when there was no existing signing cert for the user has been issued before, and once it is issued, it can be used to sign subsequent cert requests by the same user. The new enrollment profile introduced is : caFullCMCSelfSignedCert.cfg The new option introduced to both CRMFPopClient and PKCS10Client is "-y" which will add the required SubjectKeyIdentifier to the underlying request. When a CMC request is self-signed, no auditSubjectID is available until Identification Proof (v2) is verified, however, the cert subject DN is recorded in log as soon as it was available for additional information. Auditing is adjusted. More will come in the next couple CMC patches. +--- + base/ca/shared/conf/CS.cfg | 9 +- + .../shared/profiles/ca/caFullCMCSelfSignedCert.cfg | 85 ++++ + base/ca/shared/webapps/ca/WEB-INF/web.xml | 28 ++ + .../certsrv/authentication/IAuthManager.java | 1 + + .../certsrv/authentication/IAuthSubsystem.java | 5 + + .../com/netscape/certsrv/logging/AuditEvent.java | 12 +- + .../src/com/netscape/cmstools/CMCRequest.java | 166 ++++++- + .../src/com/netscape/cmstools/CRMFPopClient.java | 32 ++ + .../src/com/netscape/cmstools/PKCS10Client.java | 87 ++-- + .../cms/authentication/CMCUserSignedAuth.java | 543 +++++++++++++-------- + .../netscape/cms/profile/common/EnrollProfile.java | 223 +++++++-- + .../netscape/cms/profile/def/CAEnrollDefault.java | 37 +- + .../def/SubjectKeyIdentifierExtDefault.java | 21 +- + .../netscape/cms/profile/input/EnrollInput.java | 19 +- + .../cms/servlet/processors/CRMFProcessor.java | 35 +- + .../servlet/profile/ProfileSubmitCMCServlet.java | 49 +- + base/server/cmsbundle/src/LogMessages.properties | 24 +- + .../com/netscape/cmscore/security/KeyCertUtil.java | 12 +- + .../com/netscape/cmsutil/crypto/CryptoUtil.java | 181 ++++++- + base/util/src/netscape/security/pkcs/PKCS10.java | 31 +- + .../netscape/security/pkcs/PKCS10Attributes.java | 2 + + 21 files changed, 1204 insertions(+), 398 
deletions(-) + create mode 100644 base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg + +diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg +index 3eb5b1b..f6297a3 100644 +--- a/base/ca/shared/conf/CS.cfg ++++ b/base/ca/shared/conf/CS.cfg +@@ -735,7 +735,6 @@ ca.publish.rule.instance.LdapXCertRule.predicate= + ca.publish.rule.instance.LdapXCertRule.publisher=LdapCrossCertPairPublisher + ca.publish.rule.instance.LdapXCertRule.type=xcert + cmc.cert.confirmRequired=false +-cmc.lraPopWitness.verify.allow=false + cmc.popLinkWitnessRequired=false + cmc.revokeCert.verify=true + cmc.revokeCert.sharedSecret.class=com.netscape.cms.authentication.SharedSecret +@@ -908,11 +907,11 @@ log.instance.SignedAudit._001=## Signed Audit Logging + log.instance.SignedAudit._002=## + log.instance.SignedAudit._003=## + log.instance.SignedAudit._004=## Available Audit events: +-log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMP
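Review bot: `cmc.lraPopWitness.verify.allow=false` is removed from CS.cfg without a replacement, and none of the hunks in this patch show the Java that reads the key, so it cannot be confirmed from here whether the key is simply obsolete or whether the reader now falls back to a different default. Upgraded instances keep their own CS.cfg and will continue to carry the line, so if the consumer's default changed in this series the shipped and upgraded configurations would diverge silently. A sentence in the commit message such as `Remove cmc.lraPopWitness.verify.allow: <reason, e.g. key no longer read>` would record the intent.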
UTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED ++log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION
_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED + log.instance.SignedAudit._006=## + log.instance.SignedAudit.bufferSize=512 + log.instance.SignedAudit.enable=true +-log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_
SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED ++log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCC
ESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED + log.instance.SignedAudit.expirationTime=0 + log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_TYPE]/signedAudit/ca_audit + log.instance.SignedAudit.flushInterval=5 +@@ -971,7 +970,7 @@ oidmap.pse.oid=2.16.840.1.113730.1.18 + oidmap.subject_info_access.class=netscape.security.extensions.SubjectInfoAccessExtension + oidmap.subject_info_access.oid=1.3.6.1.5.5.7.1.11 + os.userid=nobody 
+-profile.list=caUserCert,caECUserCert,caUserSMIMEcapCert,caDualCert,caDirBasedDualCert,caECDualCert,AdminCert,caSignedLogCert,caTPSCert,caRARouterCert,caRouterCert,caServerCert,caSubsystemCert,caOtherCert,caCACert,caCrossSignedCACert,caInstallCACert,caRACert,caOCSPCert,caStorageCert,caTransportCert,caDirPinUserCert,caDirUserCert,caECDirUserCert,caAgentServerCert,caAgentFileSigning,caCMCUserCert,caFullCMCUserCert,caFullCMCUserSignedCert,caSimpleCMCUserCert,caTokenDeviceKeyEnrollment,caTokenUserEncryptionKeyEnrollment,caTokenUserSigningKeyEnrollment,caTempTokenDeviceKeyEnrollment,caTempTokenUserEncryptionKeyEnrollment,caTempTokenUserSigningKeyEnrollment,caAdminCert,caInternalAuthServerCert,caInternalAuthTransportCert,caInternalAuthDRMstorageCert,caInternalAuthSubsystemCert,caInternalAuthOCSPCert,caInternalAuthAuditSigningCert,DomainController,caDualRAuserCert,caRAagentCert,caRAserverCert,caUUIDdeviceCert,caSSLClientSelfRenewal,caDirUserRenewal,caManualRenewal,caTokenMSLoginEnrollment,caTokenUserSigningKeyRenewal,caTokenUserEncryptionKeyRenewal,caTokenUserAuthKeyRenewal,caJarSigningCert,caIPAserviceCert,caEncUserCert,caSigningUserCert,caSigningECUserCert,caEncECUserCert,caTokenUserDelegateAuthKeyEnrollment,caTokenUserDelegateSigningKeyEnrollment 
++profile.list=caUserCert,caECUserCert,caUserSMIMEcapCert,caDualCert,caDirBasedDualCert,caECDualCert,AdminCert,caSignedLogCert,caTPSCert,caRARouterCert,caRouterCert,caServerCert,caSubsystemCert,caOtherCert,caCACert,caCrossSignedCACert,caInstallCACert,caRACert,caOCSPCert,caStorageCert,caTransportCert,caDirPinUserCert,caDirUserCert,caECDirUserCert,caAgentServerCert,caAgentFileSigning,caCMCUserCert,caFullCMCUserCert,caFullCMCUserSignedCert,caFullCMCSelfSignedCert,caSimpleCMCUserCert,caTokenDeviceKeyEnrollment,caTokenUserEncryptionKeyEnrollment,caTokenUserSigningKeyEnrollment,caTempTokenDeviceKeyEnrollment,caTempTokenUserEncryptionKeyEnrollment,caTempTokenUserSigningKeyEnrollment,caAdminCert,caInternalAuthServerCert,caInternalAuthTransportCert,caInternalAuthDRMstorageCert,caInternalAuthSubsystemCert,caInternalAuthOCSPCert,caInternalAuthAuditSigningCert,DomainController,caDualRAuserCert,caRAagentCert,caRAserverCert,caUUIDdeviceCert,caSSLClientSelfRenewal,caDirUserRenewal,caManualRenewal,caTokenMSLoginEnrollment,caTokenUserSigningKeyRenewal,caTokenUserEncryptionKeyRenewal,caTokenUserAuthKeyRenewal,caJarSigningCert,caIPAserviceCert,caEncUserCert,caSigningUserCert,caSigningECUserCert,caEncECUserCert,caTokenUserDelegateAuthKeyEnrollment,caTokenUserDelegateSigningKeyEnrollment + profile.caUUIDdeviceCert.class_id=caEnrollImpl + profile.caUUIDdeviceCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caUUIDdeviceCert.cfg + profile.caManualRenewal.class_id=caEnrollImpl +@@ -1018,6 +1017,8 @@ profile.caFullCMCUserCert.class_id=caEnrollImpl + profile.caFullCMCUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caFullCMCUserCert.cfg + profile.caFullCMCUserSignedCert.class_id=caEnrollImpl + profile.caFullCMCUserSignedCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caFullCMCUserSignedCert.cfg ++profile.caFullCMCSelfSignedCert.class_id=caEnrollImpl 
++profile.caFullCMCSelfSignedCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caFullCMCSelfSignedCert.cfg + profile.caInternalAuthOCSPCert.class_id=caEnrollImpl + profile.caInternalAuthOCSPCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caInternalAuthOCSPCert.cfg + profile.caInternalAuthAuditSigningCert.class_id=caEnrollImpl +diff --git a/base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg b/base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg +new file mode 100644 +index 0000000..db3fbd6 +--- /dev/null ++++ b/base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg +@@ -0,0 +1,85 @@ ++desc=This certificate profile is for enrolling user certificates by using the self-signed CMC certificate request ++enable=true ++enableBy=admin ++name=Self-Signed CMC User Certificate Enrollment ++visible=false ++auth.instance_id=CMCUserSignedAuth ++input.list=i1,i2 ++input.i1.class_id=cmcCertReqInputImpl ++input.i2.class_id=submitterInfoInputImpl ++output.list=o1 ++output.o1.class_id=certOutputImpl ++policyset.list=cmcUserCertSet ++policyset.cmcUserCertSet.list=1,2,3,4,5,6,7,8 ++policyset.cmcUserCertSet.1.constraint.class_id=subjectNameConstraintImpl ++policyset.cmcUserCertSet.1.constraint.name=Subject Name Constraint ++policyset.cmcUserCertSet.1.constraint.params.accept=true ++policyset.cmcUserCertSet.1.constraint.params.pattern=.* ++policyset.cmcUserCertSet.1.default.class_id=userSubjectNameDefaultImpl ++policyset.cmcUserCertSet.1.default.name=Subject Name Default ++policyset.cmcUserCertSet.1.default.params.name= ++policyset.cmcUserCertSet.2.constraint.class_id=validityConstraintImpl ++policyset.cmcUserCertSet.2.constraint.name=Validity Constraint ++policyset.cmcUserCertSet.2.constraint.params.notAfterCheck=false ++policyset.cmcUserCertSet.2.constraint.params.notBeforeCheck=false ++policyset.cmcUserCertSet.2.constraint.params.range=365 ++policyset.cmcUserCertSet.2.default.class_id=validityDefaultImpl 
++policyset.cmcUserCertSet.2.default.name=Validity Default ++policyset.cmcUserCertSet.2.default.params.range=180 ++policyset.cmcUserCertSet.2.default.params.startTime=0 ++policyset.cmcUserCertSet.3.constraint.class_id=keyConstraintImpl ++policyset.cmcUserCertSet.3.constraint.name=Key Constraint ++policyset.cmcUserCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp521 ++policyset.cmcUserCertSet.3.constraint.params.keyType=- ++policyset.cmcUserCertSet.3.default.class_id=userKeyDefaultImpl ++policyset.cmcUserCertSet.3.default.name=Key Default ++policyset.cmcUserCertSet.4.constraint.class_id=noConstraintImpl ++policyset.cmcUserCertSet.4.constraint.name=No Constraint ++policyset.cmcUserCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl ++policyset.cmcUserCertSet.4.default.name=Authority Key Identifier Default ++policyset.cmcUserCertSet.5.constraint.class_id=noConstraintImpl ++policyset.cmcUserCertSet.5.constraint.name=No Constraint ++policyset.cmcUserCertSet.5.default.class_id=authInfoAccessExtDefaultImpl ++policyset.cmcUserCertSet.5.default.name=AIA Extension Default ++policyset.cmcUserCertSet.5.default.params.authInfoAccessADEnable_0=true ++policyset.cmcUserCertSet.5.default.params.authInfoAccessADLocationType_0=URIName ++policyset.cmcUserCertSet.5.default.params.authInfoAccessADLocation_0= ++policyset.cmcUserCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1 ++policyset.cmcUserCertSet.5.default.params.authInfoAccessCritical=false ++policyset.cmcUserCertSet.5.default.params.authInfoAccessNumADs=1 ++policyset.cmcUserCertSet.6.constraint.class_id=keyUsageExtConstraintImpl ++policyset.cmcUserCertSet.6.constraint.name=Key Usage Extension Constraint ++policyset.cmcUserCertSet.6.constraint.params.keyUsageCritical=true ++policyset.cmcUserCertSet.6.constraint.params.keyUsageCrlSign=false ++policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=false 
++policyset.cmcUserCertSet.6.constraint.params.keyUsageDecipherOnly=false ++policyset.cmcUserCertSet.6.constraint.params.keyUsageDigitalSignature=true ++policyset.cmcUserCertSet.6.constraint.params.keyUsageEncipherOnly=false ++policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyAgreement=false ++policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyCertSign=false ++policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyEncipherment=true ++policyset.cmcUserCertSet.6.constraint.params.keyUsageNonRepudiation=true ++policyset.cmcUserCertSet.6.default.class_id=keyUsageExtDefaultImpl ++policyset.cmcUserCertSet.6.default.name=Key Usage Default ++policyset.cmcUserCertSet.6.default.params.keyUsageCritical=true ++policyset.cmcUserCertSet.6.default.params.keyUsageCrlSign=false ++policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=false ++policyset.cmcUserCertSet.6.default.params.keyUsageDecipherOnly=false ++policyset.cmcUserCertSet.6.default.params.keyUsageDigitalSignature=true ++policyset.cmcUserCertSet.6.default.params.keyUsageEncipherOnly=false ++policyset.cmcUserCertSet.6.default.params.keyUsageKeyAgreement=false ++policyset.cmcUserCertSet.6.default.params.keyUsageKeyCertSign=false ++policyset.cmcUserCertSet.6.default.params.keyUsageKeyEncipherment=true ++policyset.cmcUserCertSet.6.default.params.keyUsageNonRepudiation=true ++policyset.cmcUserCertSet.7.constraint.class_id=noConstraintImpl ++policyset.cmcUserCertSet.7.constraint.name=No Constraint ++policyset.cmcUserCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl ++policyset.cmcUserCertSet.7.default.name=Extended Key Usage Extension Default ++policyset.cmcUserCertSet.7.default.params.exKeyUsageCritical=false ++policyset.cmcUserCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4 ++policyset.cmcUserCertSet.8.constraint.class_id=signingAlgConstraintImpl ++policyset.cmcUserCertSet.8.constraint.name=No Constraint 
++policyset.cmcUserCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC ++policyset.cmcUserCertSet.8.default.class_id=signingAlgDefaultImpl ++policyset.cmcUserCertSet.8.default.name=Signing Alg ++policyset.cmcUserCertSet.8.default.params.signingAlg=- +diff --git a/base/ca/shared/webapps/ca/WEB-INF/web.xml b/base/ca/shared/webapps/ca/WEB-INF/web.xml +index dc61ab3..a550142 100644 +--- a/base/ca/shared/webapps/ca/WEB-INF/web.xml ++++ b/base/ca/shared/webapps/ca/WEB-INF/web.xml +@@ -1576,6 +1576,29 @@ + + + ++ caProfileSubmitSelfSignedCMCFull ++ com.netscape.cms.servlet.profile.ProfileSubmitCMCServlet ++ GetClientCert ++ false ++ cert_request_type ++ cmc ++ profileId ++ caFullCMCSelfSignedCert ++ AuthzMgr ++ BasicAclAuthz ++ authorityId ++ ca ++ ID ++ caProfileSubmitSelfSignedCMCFull ++ templatePath ++ /ee/ca/ProfileSubmit.template ++ resourceID ++ certServer.ee.profile ++ interface ++ ee ++ ++ ++ + caProfileList + com.netscape.cms.servlet.profile.ProfileListServlet + GetClientCert +@@ -2284,6 +2307,11 @@ + /ee/ca/profileSubmitUserSignedCMCFull + + ++ ++ caProfileSubmitSelfSignedCMCFull ++ /ee/ca/profileSubmitSelfSignedCMCFull ++ ++ + + caProfileList + /ee/ca/profileList +diff --git a/base/common/src/com/netscape/certsrv/authentication/IAuthManager.java b/base/common/src/com/netscape/certsrv/authentication/IAuthManager.java +index 21639e2..7d30d2e 100644 +--- a/base/common/src/com/netscape/certsrv/authentication/IAuthManager.java ++++ b/base/common/src/com/netscape/certsrv/authentication/IAuthManager.java +@@ -33,6 +33,7 @@ public interface IAuthManager { + + /* standard credential for CMC request signing cert */ + public static final String CRED_CMC_SIGNING_CERT = "cmcSigningCert"; ++ public static final String CRED_CMC_SELF_SIGNED = "cmcSelfSigned"; + + /** + * Standard credential for client cert's serial number from revocation. 
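Review bot: `policyset.cmcUserCertSet.8.constraint.params.signingAlgsAllowed` in the new caFullCMCSelfSignedCert.cfg accepts `MD2withRSA`, `MD5withRSA` and the SHA-1 variants, and `policyset.cmcUserCertSet.3.constraint.params.keyParameters` accepts 1024-bit RSA, so a freshly introduced profile ships permitting algorithms a CA should no longer issue under; this was presumably copied from the sibling caFullCMCUserSignedCert profile, but a new profile is the place to tighten it. The constraint is also labelled `policyset.cmcUserCertSet.8.constraint.name=No Constraint` although its class is `signingAlgConstraintImpl`. Suggested lines: `policyset.cmcUserCertSet.8.constraint.name=Signing Algorithm Constraint` and `policyset.cmcUserCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA384withRSA,SHA512withRSA,SHA256withEC,SHA384withEC,SHA512withEC`.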
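Review bot: The new `caProfileSubmitSelfSignedCMCFull` servlet is registered with `GetClientCert` set to `false`, which is unavoidable here (the requester has no certificate yet) but means transport-level client authentication contributes nothing on `/ee/ca/profileSubmitSelfSignedCMCFull`: the request is authenticated only by whatever the `caFullCMCSelfSignedCert` profile's `auth.instance_id=CMCUserSignedAuth` verifies inside the CMC body. That dependency is worth recording next to the servlet entry so a later edit of the profile's auth instance does not loosen it unnoticed, e.g. `<!-- no TLS client cert on this endpoint: the requester's identity rests entirely on CMCUserSignedAuth's identification-proof checks of the self-signed request -->`.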
+diff --git a/base/common/src/com/netscape/certsrv/authentication/IAuthSubsystem.java b/base/common/src/com/netscape/certsrv/authentication/IAuthSubsystem.java +index e1ccc2d..9089527 100644 +--- a/base/common/src/com/netscape/certsrv/authentication/IAuthSubsystem.java ++++ b/base/common/src/com/netscape/certsrv/authentication/IAuthSubsystem.java +@@ -119,6 +119,11 @@ public interface IAuthSubsystem extends ISubsystem { + public static final String CMCAUTH_AUTHMGR_ID = "CMCAuth"; + + /** ++ * Constant for CMC user-signed authentication manager ID. ++ */ ++ public static final String CMC_USER_SIGNED_AUTH_AUTHMGR_ID = "CMCUserSignedAuth"; ++ ++ /** + * Authenticate the given credentials using the given manager name. + * + * @param authCred The authentication credentials +diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java +index 523b204..059363e 100644 +--- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java ++++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java +@@ -125,7 +125,11 @@ public class AuditEvent implements IBundleLogEvent { + public final static String CERT_PROFILE_APPROVAL = + "LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL_4"; + public final static String PROOF_OF_POSSESSION = +- "LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION_2"; ++ "LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION_3"; ++ public final static String CMC_PROOF_OF_IDENTIFICATION = ++ "LOGGING_SIGNED_AUDIT_CMC_PROOF_OF_IDENTIFICATION_3"; ++ public final static String CMC_ID_POP_LINK_WITNESS = ++ "LOGGING_SIGNED_AUDIT_CMC_ID_POP_LINK_WITNESS_3"; + + public final static String CRL_RETRIEVAL = + "LOGGING_SIGNED_AUDIT_CRL_RETRIEVAL_3"; +@@ -143,8 +147,10 @@ public class AuditEvent implements IBundleLogEvent { + "LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE_3"; + public final static String CMC_SIGNED_REQUEST_SIG_VERIFY = + "LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY_5"; +- public 
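Review bot: `PROOF_OF_POSSESSION` changes its message key from `..._2` to `..._3`; the trailing number appears to be the parameter count of the bundle string, so any existing caller still logging it with two parameters would produce a malformed audit record unless it was updated in a hunk not shown here (LogMessages.properties is in the diffstat, the call sites are not). The second hunk in this file retires `CMC_USER_SIGNED_REQUEST_SIG_VERIFY` in favour of `_SUCCESS`/`_FAILURE`; the shipped CS.cfg event lists are updated accordingly, but an upgraded instance keeps its own `log.instance.SignedAudit.events` naming the old event, and whether the audit subsystem rejects or silently ignores an unknown event name is not visible in this patch. A Javadoc line on the new constants would make the migration explicit, e.g. `/** Replaces CMC_USER_SIGNED_REQUEST_SIG_VERIFY; existing SignedAudit event lists must be updated. */`.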
final static String CMC_USER_SIGNED_REQUEST_SIG_VERIFY = +- "LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY_5"; ++ public final static String CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS = ++ "LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS_5"; ++ public final static String CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE = ++ "LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE_6"; + + public final static String COMPUTE_RANDOM_DATA_REQUEST = + "LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_2"; +diff --git a/base/java-tools/src/com/netscape/cmstools/CMCRequest.java b/base/java-tools/src/com/netscape/cmstools/CMCRequest.java +index ac523ad..6e27cb1 100644 +--- a/base/java-tools/src/com/netscape/cmstools/CMCRequest.java ++++ b/base/java-tools/src/com/netscape/cmstools/CMCRequest.java +@@ -103,6 +103,9 @@ import com.netscape.cmsutil.util.HMACDigest; + import com.netscape.cmsutil.util.Utils; + + import netscape.security.pkcs.PKCS10; ++import netscape.security.x509.KeyIdentifier; ++import netscape.security.x509.PKIXExtensions; ++import netscape.security.x509.SubjectKeyIdentifierExtension; + import netscape.security.x509.X500Name; + import netscape.security.x509.X509CertImpl; + +@@ -121,6 +124,7 @@ public class CMCRequest { + public static final int ARGC = 1; + public static final String HEADER = "-----BEGIN"; + public static final String TRAILER = "-----END"; ++ public static SubjectKeyIdentifierExtension skiExtn = null; + + void cleanArgs(String[] s) { + +@@ -193,7 +197,7 @@ public class CMCRequest { + } + + /** +- * signData signs the request PKIData ++ * signData signs the request PKIData using existing cert + * + * @param signerCert the certificate of the authorized signer of the CMC revocation request. + * @param nickname the nickname of the certificate inside the token. 
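Review bot: `public static SubjectKeyIdentifierExtension skiExtn = null;` introduces mutable global state as the only channel between `createPKIData` (which assigns it in the `@@ -387` and `@@ -449` hunks) and the new two-argument `signData` (which dereferences it in the `@@ -232` hunk); being public it is also writable from outside the class. At minimum make it `private static SubjectKeyIdentifierExtension skiExtn = null;`; cleaner would be to have `createPKIData` hand the extension back alongside the PKIData, or to pass it to `signData` explicitly, so the coupling is visible in the signatures.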
+@@ -212,6 +216,15 @@ public class CMCRequest { + SignedData req = null; + System.out.println(method + "begins: "); + ++ if (signerCert == null || ++ tokenName == null || ++ nickname == null || ++ manager == null || ++ pkidata == null) { ++ System.out.println(method + "method parameters cannot be null"); ++ System.exit(1); ++ } ++ + try { + java.security.PrivateKey privKey = null; + SignerIdentifier si = null; +@@ -232,7 +245,72 @@ public class CMCRequest { + privKey = getPrivateKey(tokenName, nickname); + if (privKey != null) + System.out.println(method + " got signer privKey"); ++ else { ++ System.out.println(method + " signer privKey not foudn on token"); ++ System.exit(1); ++ } ++ ++ org.mozilla.jss.crypto.X509Certificate[] certChain = manager.buildCertificateChain(signerCert); ++ req = createSignedData(privKey, si, certChain, pkidata); ++ ++ System.out.println(method + "signed request generated."); ++ } catch (Exception e) { ++ e.printStackTrace(); ++ System.exit(1); ++ } ++ ++ return req; ++ } ++ ++ /* ++ * signData self-signs the PKIData using the private key that matches ++ * the public key in the request ++ */ ++ static SignedData signData( ++ java.security.PrivateKey privKey, ++ PKIData pkidata) { ++ String method = "signData for selfSign: "; ++ System.out.println(method + "begins: "); ++ SignedData req = null; ++ ++ if (privKey == null || ++ pkidata == null) { ++ System.out.println(method + "method parameters cannot be null"); ++ System.exit(1); ++ } ++ ++ KeyIdentifier keyIdObj = null; ++ try { ++ keyIdObj = (KeyIdentifier) skiExtn.get(SubjectKeyIdentifierExtension.KEY_ID); ++ SignerIdentifier si = new SignerIdentifier( ++ SignerIdentifier.SUBJECT_KEY_IDENTIFIER, ++ null, new OCTET_STRING(keyIdObj.getIdentifier())); ++ req = createSignedData(privKey, si, null /*certChain*/, pkidata); ++ } catch (Exception e) { ++ e.printStackTrace(); ++ System.exit(1); ++ } ++ return req; ++ } + ++ static SignedData createSignedData( ++ java.security.PrivateKey privKey, 
++ SignerIdentifier signerId, ++ org.mozilla.jss.crypto.X509Certificate[] certChain, ++ PKIData pkidata) { ++ ++ String method = "createSignedData: "; ++ System.out.println(method + "begins"); ++ if (privKey == null || ++ signerId == null || ++ pkidata == null) { ++ // certChain could be null ++ System.out.println(method + "method parameters cannot be null"); ++ System.exit(1); ++ } ++ ++ SignedData req = null; ++ try { + EncapsulatedContentInfo ci = new EncapsulatedContentInfo(OBJECT_IDENTIFIER.id_cct_PKIData, pkidata); + DigestAlgorithm digestAlg = null; + SignatureAlgorithm signAlg = getSigningAlgFromPrivate(privKey); +@@ -251,11 +329,18 @@ public class CMCRequest { + pkidata.encode(ostream); + digest = SHADigest.digest(ostream.toByteArray()); + } catch (NoSuchAlgorithmException e) { +- System.out.println(e); System.exit(1);} ++ System.out.println(e); ++ System.exit(1); ++ } + System.out.println(method + "digest created for pkidata"); + +- SignerInfo signInfo = new SignerInfo(si, null, null, OBJECT_IDENTIFIER.id_cct_PKIData, digest, signAlg, ++ SignerInfo signInfo = new SignerInfo(signerId, null, null, ++ OBJECT_IDENTIFIER.id_cct_PKIData, digest, signAlg, + (org.mozilla.jss.crypto.PrivateKey) privKey); ++ ++ String digestAlgName = signInfo.getDigestEncryptionAlgorithm().toString(); ++ System.out.println(method + "digest algorithm =" + digestAlgName); ++ + SET signInfos = new SET(); + signInfos.addElement(signInfo); + +@@ -266,21 +351,20 @@ public class CMCRequest { + digestAlgs.addElement(ai); + } + +- org.mozilla.jss.crypto.X509Certificate[] agentChain = manager.buildCertificateChain(signerCert); + SET certs = new SET(); +- +- for (int i = 0; i < agentChain.length; i++) { +- ANY cert = new ANY(agentChain[i].getEncoded()); +- certs.addElement(cert); ++ if (certChain != null) { ++ System.out.println(method + "building cert chain"); ++ for (int i = 0; i < certChain.length; i++) { ++ ANY cert = new ANY(certChain[i].getEncoded()); ++ certs.addElement(cert); ++ } + } 
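Review bot: `signData(java.security.PrivateKey, PKIData)` dereferences the static `skiExtn` inside the try block, so when `createPKIData` did not populate it the failure surfaces as a NullPointerException stack trace from the catch-all rather than a diagnostic; a guard before the try, `if (skiExtn == null) { System.out.println(method + "no SubjectKeyIdentifier extension; createPKIData must run with selfSign first"); System.exit(1); }`, would match the null checks the same hunk adds for the other parameters. The same hunk also has a typo in a user-facing message, `signer privKey not foudn on token` → `signer privKey not found on token`.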
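Review bot: `String digestAlgName = signInfo.getDigestEncryptionAlgorithm().toString();` names the value a digest algorithm and prints it as `digest algorithm =`, but `getDigestEncryptionAlgorithm()` is the SignerInfo's signature (digest-encryption) algorithm, so the trace misleads anyone comparing it with the `digestAlg` computed earlier in `createSignedData`. Rename and relabel: `String sigAlgName = signInfo.getDigestEncryptionAlgorithm().toString();` and `System.out.println(method + "signature algorithm = " + sigAlgName);`.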
+ + req = new SignedData(digestAlgs, ci, certs, null, signInfos); +- System.out.println(method + "signed request generated."); + } catch (Exception e) { + e.printStackTrace(); + System.exit(1); + } +- + return req; + } + +@@ -325,6 +409,7 @@ public class CMCRequest { + * @return request in PKIData + */ + static PKIData createPKIData( ++ String selfSign, + String[] rValue, String format, String transactionMgtEnable, + String transactionMgtId, + String identificationEnable, String identification, +@@ -387,13 +472,26 @@ public class CMCRequest { + } + certReqMsg = (CertReqMsg) crmfMsgs.elementAt(0); + ++ CertRequest certReq = certReqMsg.getCertReq(); ++ CertTemplate certTemplate = certReq.getCertTemplate(); ++ if (selfSign.equals("true")) { ++ skiExtn = (SubjectKeyIdentifierExtension) CryptoUtil.getExtensionFromCertTemplate( ++ certTemplate, ++ PKIXExtensions.SubjectKey_Id); ++ if (skiExtn != null) { ++ System.out.println(method + ++ " SubjectKeyIdentifier extension found in self-signed request"); ++ } else { ++ System.out.println(method + ++ " SubjectKeyIdentifier extension missing in self-signed request"); ++ System.exit(1); ++ } ++ } + if (popLinkWitnessV2Enable.equals("true")) { + System.out.println(method + + "popLinkWitnessV2 enabled. 
reconstructing crmf"); + //crmf reconstruction to include PopLinkWitnessV2 control +- CertRequest certReq = certReqMsg.getCertReq(); + INTEGER certReqId = certReq.getCertReqId(); +- CertTemplate certTemplate = certReq.getCertTemplate(); + SEQUENCE controls = certReq.getControls(); + controls.addElement(new AVA(OBJECT_IDENTIFIER.id_cmc_popLinkWitnessV2, + popLinkWitnessV2Control)); +@@ -449,6 +547,22 @@ public class CMCRequest { + System.out.println(method + " Excception:" + e2.toString()); + System.exit(1); + } ++ ++ if (selfSign.equals("true")) { ++ try { ++ skiExtn = (SubjectKeyIdentifierExtension) CryptoUtil.getExtensionFromPKCS10( ++ pkcs, "SubjectKeyIdentifier"); ++ } catch (IOException e) { ++ System.out.println(method + "getting SubjectKeyIdentifiere..." + e); ++ } ++ ++ if (skiExtn != null) { ++ System.out.println(method + " SubjectKeyIdentifier extension found"); ++ } else { ++ System.out.println(method + " SubjectKeyIdentifier extension missing"); ++ System.exit(1); ++ } ++ } + ByteArrayInputStream crInputStream = new ByteArrayInputStream( + pkcs.toByteArray()); + CertificationRequest cr = (CertificationRequest) CertificationRequest.getTemplate() +@@ -661,8 +775,13 @@ public class CMCRequest { + System.out.println(""); + System.out.println("#nickname: nickname for agent certificate which will be used"); + System.out.println("#to sign the CMC full request."); ++ System.out.println("#selfSign: if selfSign is true, the CMC request will be"); ++ System.out.println("#signed with the pairing private key of the request;"); ++ System.out.println("#and in which case the nickname will be ignored"); + System.out.println("nickname=CMS Agent Certificate"); + System.out.println(""); ++ System.out.println("selfSign=false"); ++ System.out.println(""); + System.out.println("#dbdir: directory for cert8.db, key3.db and secmod.db"); + System.out.println("dbdir=./"); + System.out.println(""); +@@ -1700,6 +1819,7 @@ public class CMCRequest { + String popLinkWitnessV2Enable = 
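Review bot: `if (selfSign.equals("true"))` here, in the PKCS#10 branch of the `@@ -449` hunk and in the nickname check of the `@@ -1846` hunk is case-sensitive, while the `@@ -1898` and `@@ -2114` hunks test `selfSign.equalsIgnoreCase("true")`. A config value such as `True` therefore skips the SubjectKeyIdentifier extraction but still reaches the self-signing branch in main, where `skiExtn` is null and the run dies with a stack trace instead of the intended message. Use one comparison throughout, `if (selfSign.equalsIgnoreCase("true")) {` at the three `equals` sites, or normalise the value once where it is parsed.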
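Review bot: The usage template prints the new key as `selfSign=false` (with the `#selfSign:` comment above it), but the parser case added in the `@@ -1760` hunk matches `name.equals("request.selfSign")`, so a user who copies the printed template gets a request that is never self-signed and, having omitted `nickname` as the comment invites, fails with `Missing nickname.` instead. The neighbouring parser cases (`encryptedPopResponseFile`, `request.privKeyId`) are matched verbatim, so I read the two spellings as a genuine mismatch rather than a prefix the parser strips; make them agree, e.g. print `request.selfSign=false` and `#request.selfSign: if true, the CMC request will be` in the template, unless another usage line not shown here already prints the prefixed form.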
"false", popLinkWitnessV2keyGenAlg = "SHA256", popLinkWitnessV2macAlg = "SHA256"; + String popLinkWitnessEnable = "false"; + String bodyPartIDs = null, lraPopWitnessEnable = "false"; ++ String selfSign = "false"; + + System.out.println(""); + +@@ -1760,6 +1880,8 @@ public class CMCRequest { + decryptedPopEnable = val; + } else if (name.equals("encryptedPopResponseFile")) { + encryptedPopResponseFile = val; ++ } else if (name.equals("request.selfSign")) { ++ selfSign = val; + } else if (name.equals("request.privKeyId")) { + privKeyId = val; + } else if (name.equals("decryptedPopRequestFile")) { +@@ -1846,7 +1968,7 @@ public class CMCRequest { + printUsage(); + } + +- if (nickname == null) { ++ if (!selfSign.equals("true") && nickname == null) { + System.out.println("Missing nickname."); + printUsage(); + } +@@ -1898,14 +2020,14 @@ public class CMCRequest { + System.out.println("got signerCert: "+ certname.toString()); + } + +- //cfu + ContentInfo cmcblob = null; + PKIData pkidata = null; + PrivateKey privk = null; +- if (decryptedPopEnable.equalsIgnoreCase("true") || ++ if (selfSign.equalsIgnoreCase("true") || ++ decryptedPopEnable.equalsIgnoreCase("true") || + popLinkWitnessV2Enable.equalsIgnoreCase("true")) { + if (privKeyId == null) { +- System.out.println("ecryptedPop.enable or popLinkWitnessV2 true, but privKeyId not specified."); ++ System.out.println("selfSign or ecryptedPop.enable or popLinkWitnessV2 true, but privKeyId not specified."); + printUsage(); + } else { + System.out.println("got request privKeyId: " + privKeyId); +@@ -2095,6 +2217,7 @@ public class CMCRequest { + + // create the request PKIData + pkidata = createPKIData( ++ selfSign, + requests, + format, transactionMgtEnable, transactionMgtId, + identificationEnable, identification, +@@ -2114,7 +2237,16 @@ public class CMCRequest { + } + + // sign the request +- SignedData signedData = signData(signerCert, tokenName, nickname, cm, pkidata); ++ SignedData signedData = null; ++ if 
(selfSign.equalsIgnoreCase("true")) { ++ // selfSign signes with private key ++ System.out.println("selfSign is true..."); ++ signedData = signData(privk, pkidata); ++ } else { ++ // none selfSign signes with existing cert ++ System.out.println("selfSign is false..."); ++ signedData = signData(signerCert, tokenName, nickname, cm, pkidata); ++ } + if (signedData == null) { + System.out.println("signData() returns null. Exiting with error"); + System.exit(1); +diff --git a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java +index d0e5c27..0057a1d 100644 +--- a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java ++++ b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java +@@ -86,6 +86,8 @@ import com.netscape.cmsutil.util.HMACDigest; + import com.netscape.cmsutil.util.Utils; + + import netscape.security.util.WrappingParams; ++import netscape.security.x509.KeyIdentifier; ++import netscape.security.x509.PKIXExtensions; + import netscape.security.x509.X500Name; + + /** +@@ -196,6 +198,8 @@ public class CRMFPopClient { + option.setArgName("keySet"); + options.addOption(option); + ++ options.addOption("y", false, "for Self-signed cmc."); ++ + options.addOption("v", "verbose", false, "Run in verbose mode."); + options.addOption(null, "help", false, "Show help message."); + +@@ -214,6 +218,9 @@ public class CRMFPopClient { + System.out.println(" -k Attribute value encoding in subject DN (default: false)"); + System.out.println(" - true: enabled"); + System.out.println(" - false: disabled"); ++ System.out.println(" -y Add SubjectKeyIdentifier extension in case of self-signed CMC requests (default: false)"); ++ System.out.println(" - true: enabled"); ++ System.out.println(" - false: disabled"); + System.out.println(" -a Key algorithm (default: rsa)"); + System.out.println(" - rsa: RSA"); + System.out.println(" - ec: ECC"); +@@ -320,6 +327,8 @@ public class CRMFPopClient { + int sensitive 
= Integer.parseInt(cmd.getOptionValue("s", "-1")); + int extractable = Integer.parseInt(cmd.getOptionValue("e", "-1")); + ++ boolean self_sign = cmd.hasOption("y"); ++ + // get the key wrapping mechanism + boolean keyWrap = true; + if (cmd.hasOption("g")) { +@@ -516,6 +525,7 @@ public class CRMFPopClient { + + if (verbose) System.out.println("Creating certificate request"); + CertRequest certRequest = client.createCertRequest( ++ self_sign, + token, transportCert, algorithm, keyPair, + subject, archivalMechanism, wrappingKeySet); + +@@ -629,6 +639,19 @@ public class CRMFPopClient { + Name subject, + String archivalMechanism, + String wrappingKeySet) throws Exception { ++ return createCertRequest(false, token, transportCert, algorithm, keyPair, ++ subject, archivalMechanism, wrappingKeySet); ++ } ++ ++ public CertRequest createCertRequest( ++ boolean self_sign, ++ CryptoToken token, ++ X509Certificate transportCert, ++ String algorithm, ++ KeyPair keyPair, ++ Name subject, ++ String archivalMechanism, ++ String wrappingKeySet) throws Exception { + EncryptionAlgorithm encryptAlg = null; + + if (wrappingKeySet == null) { +@@ -663,6 +686,15 @@ public class CRMFPopClient { + seq.addElement(new AVA(OBJECT_IDENTIFIER.id_cmc_idPOPLinkWitness, ostr)); + */ + ++ if (self_sign) { // per rfc 5272 ++ System.out.println("CRMFPopClient: self_sign true. 
Generating SubjectKeyIdentifier extension."); ++ KeyIdentifier subjKeyId = CryptoUtil.createKeyIdentifier(keyPair); ++ OBJECT_IDENTIFIER oid = new OBJECT_IDENTIFIER(PKIXExtensions.SubjectKey_Id.toString()); ++ SEQUENCE extns = new SEQUENCE(); ++ extns.addElement(new AVA(oid, new OCTET_STRING(subjKeyId.getIdentifier()))); ++ certTemplate.setExtensions(extns); ++ } ++ + return new CertRequest(new INTEGER(1), certTemplate, seq); + } + +diff --git a/base/java-tools/src/com/netscape/cmstools/PKCS10Client.java b/base/java-tools/src/com/netscape/cmstools/PKCS10Client.java +index fd1d087..795c24b 100644 +--- a/base/java-tools/src/com/netscape/cmstools/PKCS10Client.java ++++ b/base/java-tools/src/com/netscape/cmstools/PKCS10Client.java +@@ -17,19 +17,15 @@ + // --- END COPYRIGHT BLOCK --- + package com.netscape.cmstools; + +-import java.io.ByteArrayOutputStream; + import java.io.FileOutputStream; + import java.io.IOException; + import java.io.PrintStream; + import java.security.KeyPair; +-import java.security.PublicKey; + + import org.mozilla.jss.CryptoManager; + import org.mozilla.jss.asn1.BMPString; +-import org.mozilla.jss.asn1.INTEGER; + import org.mozilla.jss.asn1.OBJECT_IDENTIFIER; + import org.mozilla.jss.asn1.PrintableString; +-import org.mozilla.jss.asn1.SET; + import org.mozilla.jss.asn1.TeletexString; + import org.mozilla.jss.asn1.UTF8String; + import org.mozilla.jss.asn1.UniversalString; +@@ -37,20 +33,17 @@ import org.mozilla.jss.crypto.CryptoToken; + import org.mozilla.jss.crypto.KeyPairAlgorithm; + import org.mozilla.jss.crypto.KeyPairGenerator; + import org.mozilla.jss.crypto.PrivateKey; +-import org.mozilla.jss.crypto.SignatureAlgorithm; +-import org.mozilla.jss.pkcs10.CertificationRequest; +-import org.mozilla.jss.pkcs10.CertificationRequestInfo; + import org.mozilla.jss.pkix.primitive.AVA; + import org.mozilla.jss.pkix.primitive.Name; +-import org.mozilla.jss.pkix.primitive.SubjectPublicKeyInfo; + import org.mozilla.jss.util.Password; + + import 
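Review bot: `certTemplate.setExtensions(extns)` installs a freshly built SEQUENCE holding only the SKI, so any extensions already attached to certTemplate earlier in createCertRequest (the start of the method is outside the hunk) would be silently dropped whenever -y is given; if the template can carry extensions at that point, append to the existing list instead of replacing it. The extension is also assembled by hand as `AVA(oid, OCTET_STRING(rawKeyIdentifier))`, whereas PKCS10Client in the same patch goes through SubjectKeyIdentifierExtension; per RFC 5280 the extnValue is an OCTET STRING wrapping the DER-encoded KeyIdentifier (itself an OCTET STRING), so the two clients may not encode the same bytes. Confirm that the server-side CryptoUtil.getExtensionFromCertTemplate / the SKI comparison in CMCUserSignedAuth accept this form, and add a comment such as `// extnValue holds the raw key identifier; must match what getExtensionFromCertTemplate decodes` either way.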
com.netscape.cmsutil.crypto.CryptoUtil; +-import com.netscape.cmsutil.util.Utils; + + import netscape.security.pkcs.PKCS10; ++import netscape.security.x509.Extensions; ++import netscape.security.x509.KeyIdentifier; ++import netscape.security.x509.SubjectKeyIdentifierExtension; + import netscape.security.x509.X500Name; +-import netscape.security.x509.X509Key; + + /** + * Generates an ECC or RSA key pair in the security database, constructs a +@@ -91,6 +84,8 @@ public class PKCS10Client { + " -x \n"); + System.out.println( + " available ECC curve names (if provided by the crypto module): nistp256 (secp256r1),nistp384 (secp384r1),nistp521 (secp521r1),nistk163 (sect163k1),sect163r1,nistb163 (sect163r2),sect193r1,sect193r2,nistk233 (sect233k1),nistb233 (sect233r1),sect239k1,nistk283 (sect283k1),nistb283 (sect283r1),nistk409 (sect409k1),nistb409 (sect409r1),nistk571 (sect571k1),nistb571 (sect571r1),secp160k1,secp160r1,secp160r2,secp192k1,nistp192 (secp192r1, prime192v1),secp224k1,nistp224 (secp224r1),secp256k1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2\n"); ++ System.out.println( ++ "In addition: -y \n"); + } + + public static void main(String args[]) throws Exception { +@@ -105,6 +100,8 @@ public class PKCS10Client { + boolean ec_ssl_ecdh = false; + int rsa_keylen = 2048; + ++ boolean self_sign = false; ++ + if (args.length < 4) { + printUsage(); + System.exit(1); +@@ -171,6 +168,12 @@ public class PKCS10Client { + subjectName = args[i+1]; + } else if (name.equals("-h")) { + tokenName = args[i+1]; ++ } else if (name.equals("-y")) { ++ String temp = args[i+1]; ++ if (temp.equals("true")) ++ self_sign = true; ++ else ++ self_sign = false; + } else { + System.out.println("Unrecognized argument(" + i + "): " + 
+ name); +@@ -273,55 +276,29 @@ public class PKCS10Client { + Attribute attr = new Attribute(OBJECT_IDENTIFIER.id_cmc_idPOPLinkWitness, ostr); + ***/ + +- SET attributes = new SET(); +- //attributes.addElement(attr); +- Name n = getJssName(enable_encoding, subjectName); +- SubjectPublicKeyInfo subjectPub = new SubjectPublicKeyInfo(pair.getPublic()); +- System.out.println("PKCS10Client: pair.getPublic() called."); +- CertificationRequestInfo certReqInfo = +- new CertificationRequestInfo(new INTEGER(0), n, subjectPub, attributes); +- System.out.println("PKCS10Client: CertificationRequestInfo() created."); + +- String b64E = ""; +- if (alg.equals("rsa")) { +- CertificationRequest certRequest = null; +- certRequest = new CertificationRequest(certReqInfo, +- pair.getPrivate(), SignatureAlgorithm.RSASignatureWithSHA256Digest); +- System.out.println("PKCS10Client: CertificationRequest created."); ++ Extensions extns = new Extensions(); ++ if (self_sign) { // per rfc 5272 ++ System.out.println("PKCS10Client: self_sign true. 
Generating SubjectKeyIdentifier extension."); ++ KeyIdentifier subjKeyId = CryptoUtil.createKeyIdentifier(pair); ++ SubjectKeyIdentifierExtension extn = new SubjectKeyIdentifierExtension(false, ++ subjKeyId.getIdentifier()); ++ extns.add(extn); ++ } + +- ByteArrayOutputStream bos = new ByteArrayOutputStream(); +- certRequest.encode(bos); +- byte[] bb = bos.toByteArray(); ++ String b64E = ""; ++ PKCS10 certReq = CryptoUtil.createCertificationRequest( ++ subjectName, pair, extns); + +- System.out.println("PKCS10Client: calling Utils.b64encode."); +- b64E = Utils.base64encode(bb); +- System.out.println("PKCS10Client: b64encode completes."); +- } else { // "ec" ++ if (certReq == null) { ++ System.out.println("PKCS10Client: cert request null"); ++ System.exit(1); ++ } else ++ System.out.println("PKCS10Client: CertificationRequest created."); ++ byte[] certReqb = certReq.toByteArray(); ++ b64E = CryptoUtil.base64Encode(certReqb); + +- CryptoToken t = cm.getThreadToken(); +- System.out.println("PKCS10Client: token is: "+ t.getName()); +- PublicKey pubk = pair.getPublic(); +- if (pubk == null) { +- System.out.println("PKCS10Client: pubk null."); +- System.exit(1); +- } +- X509Key xKey = null; +- byte pubk_encoded[] = pubk.getEncoded(); +- xKey = CryptoUtil.getPublicX509ECCKey(pubk_encoded); +- System.out.println("PKCS10Client: calling CryptoUtil.createCertificationRequest"); +- PKCS10 certReq = CryptoUtil.createCertificationRequest( +- subjectName, xKey, (org.mozilla.jss.crypto.PrivateKey) pair.getPrivate(), +- "SHA256withEC"); +- +- System.out.println("PKCS10Client: created cert request"); +- if (certReq == null) { +- System.out.println("PKCS10Client: cert request null"); +- System.exit(1); +- } else +- System.out.println("PKCS10Client: cert request not null"); +- byte[] certReqb = certReq.toByteArray(); +- b64E = CryptoUtil.base64Encode(certReqb); +- } ++ System.out.println("PKCS10Client: b64encode completes."); + + // print out keyid to be used in cmc popLinkWitnessV2 + 
PrivateKey privateKey = (PrivateKey) pair.getPrivate(); +diff --git a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java +index a72ce58..2128c1e 100644 +--- a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java ++++ b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java +@@ -39,6 +39,7 @@ import java.util.Vector; + import org.mozilla.jss.CryptoManager; + import org.mozilla.jss.CryptoManager.NotInitializedException; + import org.mozilla.jss.asn1.ASN1Util; ++import org.mozilla.jss.asn1.BIT_STRING; + import org.mozilla.jss.asn1.INTEGER; + import org.mozilla.jss.asn1.InvalidBERException; + import org.mozilla.jss.asn1.OBJECT_IDENTIFIER; +@@ -66,6 +67,7 @@ import org.mozilla.jss.pkix.crmf.CertRequest; + import org.mozilla.jss.pkix.crmf.CertTemplate; + import org.mozilla.jss.pkix.primitive.AlgorithmIdentifier; + import org.mozilla.jss.pkix.primitive.Name; ++import org.mozilla.jss.pkix.primitive.SubjectPublicKeyInfo; + + import com.netscape.certsrv.apps.CMS; + import com.netscape.certsrv.authentication.AuthToken; +@@ -90,6 +92,9 @@ import com.netscape.cmsutil.crypto.CryptoUtil; + import com.netscape.cmsutil.util.Utils; + + import netscape.security.pkcs.PKCS10; ++import netscape.security.x509.KeyIdentifier; ++import netscape.security.x509.PKIXExtensions; ++import netscape.security.x509.SubjectKeyIdentifierExtension; + import netscape.security.x509.X500Name; + import netscape.security.x509.X509CertImpl; + import netscape.security.x509.X509CertInfo; +@@ -103,14 +108,15 @@ import netscape.security.x509.X509Key; + /** + * User Signed CMC authentication plug-in + * note: +- * - this version differs from CMCAuth in that it allows non-agent users +- * to sign own cmc requests; It is expected to be used with +- * CMCUserSignedSubjectNameDefault and CMCUserSignedSubjectNameConstraint +- * so that the resulting cert will bear the same 
subjectDN of that of the CMC +- * signing cert +- * - it originates from CMCAuth with modification for user-signed cmc ++ * - this version differs from CMCAuth in that it allows non-agent users ++ * to sign own cmc requests; It is expected to be used with ++ * CMCUserSignedSubjectNameDefault and CMCUserSignedSubjectNameConstraint ++ * so that the resulting cert will bear the same subjectDN of that of the CMC ++ * signing cert ++ * - it originates from CMCAuth with modification for user-signed cmc ++ * + * @author cfu - user signed cmc authentication +- *

    ++ *

    + * + * @version $Revision$, $Date$ + */ +@@ -121,6 +127,12 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, + // default parameters // + //////////////////////// + ++ // only one request for self-signed ++ boolean selfSigned = false; ++ SubjectKeyIdentifierExtension selfsign_skiExtn = null; ++ PK11PubKey selfsign_pubK = null; ++ byte[] selfsign_digest = null; ++ + ///////////////////////////// + // IAuthManager parameters // + ///////////////////////////// +@@ -144,8 +156,7 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, + * for instances of this implementation can be configured through the + * console. + */ +- protected static String[] mConfigParams = +- new String[] {}; ++ protected static String[] mConfigParams = new String[] {}; + + /* authentication plug-in values */ + +@@ -171,7 +182,7 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, + + mExtendedPluginInfo + .add(IExtendedPluginInfo.HELP_TEXT + +- ";Authenticate the CMC request. The \"Authentication Instance ID\" must be named \"CMCUserSignedAuth\""); ++ ";Authenticate the CMC request. 
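Review bot: The new fields `selfSigned`, `selfsign_skiExtn`, `selfsign_pubK` and `selfsign_digest` hold per-request verification material on the plugin instance rather than on the stack of authenticate(). If a CMCUserSignedAuth instance is shared across concurrent requests (the IAuthManager lifecycle is not visible here, but the other state on this class is configuration, not request data), two overlapping self-signed requests can interleave so that one request's signature is checked against the other's public key or SKI, and `selfSigned` can remain true from a previous request. Prefer passing these values as locals/parameters into verifySelfSignedCMC, or at minimum reset them at the start of authenticate() and document the assumption with `// NOTE: per-request state; authenticate() must not run concurrently on one instance`.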
The \"Authentication Instance ID\" must be named \"CMCUserSignedAuth\""); + mExtendedPluginInfo.add(IExtendedPluginInfo.HELP_TOKEN + + ";configuration-authentication"); + } +@@ -185,10 +196,8 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, + + /* signed audit parameters */ + private ILogger mSignedAuditLogger = CMS.getSignedAuditLogger(); +- private final static String SIGNED_AUDIT_ENROLLMENT_REQUEST_TYPE = +- "enrollment"; +- private final static String SIGNED_AUDIT_REVOCATION_REQUEST_TYPE = +- "revocation"; ++ private final static String SIGNED_AUDIT_ENROLLMENT_REQUEST_TYPE = "enrollment"; ++ private final static String SIGNED_AUDIT_REVOCATION_REQUEST_TYPE = "revocation"; + + ///////////////////// + // default methods // +@@ -228,7 +237,8 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, + *

    + * + *

      +- *
    • signed.audit LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY used when CMC (user-pre-signed) cert ++ *
    • signed.audit LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY used when CMC ++ * (user-pre-signed or self-signed) cert + * requests or revocation requests are submitted and signature is verified + *
    + * +@@ -245,6 +255,7 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, + public IAuthToken authenticate(IAuthCredentials authCred) throws EMissingCredential, EInvalidCredentials, + EBaseException { + String method = "CMCUserSignedAuth: authenticate: "; ++ String msg = ""; + CMS.debug(method + "begins"); + + String auditMessage = null; +@@ -273,40 +284,19 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, + if (cmc == null) { + CMS.debug(method + " Authentication failed. Missing CMC."); + +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY, +- auditSubjectID, +- ILogger.FAILURE, +- auditReqType, +- auditCertSubject, +- auditSignerInfo); +- +- audit(auditMessage); +- + throw new EMissingCredential(CMS.getUserMessage( + "CMS_AUTHENTICATION_NULL_CREDENTIAL", CRED_CMC)); + } + + if (cmc.equals("")) { +- log(ILogger.LL_FAILURE, +- "cmc : attempted login with empty CMC."); +- +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY, +- auditSubjectID, +- ILogger.FAILURE, +- auditReqType, +- auditCertSubject, +- auditSignerInfo); +- +- audit(auditMessage); +- +- throw new EInvalidCredentials(CMS.getUserMessage( +- "CMS_AUTHENTICATION_INVALID_CREDENTIAL")); ++ msg = "attempted login with empty cert_request in authCred."; ++ CMS.debug(method + msg); ++ ++ throw new EInvalidCredentials(msg); + } + ++ SessionContext auditContext = SessionContext.getExistingContext(); ++ + // authenticate by checking CMC. + + // everything OK. 
+@@ -330,84 +320,88 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, + asciiBASE64Blob = cmc; + + byte[] cmcBlob = CMS.AtoB(asciiBASE64Blob); +- ByteArrayInputStream cmcBlobIn = new +- ByteArrayInputStream(cmcBlob); ++ ByteArrayInputStream cmcBlobIn = new ByteArrayInputStream(cmcBlob); + + org.mozilla.jss.pkix.cms.ContentInfo cmcReq = +- (org.mozilla.jss.pkix.cms.ContentInfo) +- org.mozilla.jss.pkix.cms.ContentInfo.getTemplate().decode( ++ (org.mozilla.jss.pkix.cms.ContentInfo) org.mozilla.jss.pkix.cms.ContentInfo ++ .getTemplate().decode( + cmcBlobIn); + + if (!cmcReq.getContentType().equals( + org.mozilla.jss.pkix.cms.ContentInfo.SIGNED_DATA) || + !cmcReq.hasContent()) { +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY, +- auditSubjectID, +- ILogger.FAILURE, +- auditReqType, +- auditCertSubject, +- auditSignerInfo); + +- audit(auditMessage); +- +- // throw new ECMSGWException(CMSGWResources.NO_CMC_CONTENT); +- +- throw new EBaseException("NO_CMC_CONTENT"); ++ cmcBlobIn.close(); ++ msg = "cmc rquest content type is not ContentInfo.SIGNED_DATA"; ++ CMS.debug(msg); ++ throw new EBaseException(msg); + } + +- SignedData cmcFullReq = (SignedData) +- cmcReq.getInterpretedContent(); ++ SignedData cmcFullReq = (SignedData) cmcReq.getInterpretedContent(); ++ ++ String userid = ILogger.UNIDENTIFIED; ++ String uid = ILogger.UNIDENTIFIED; + + IConfigStore cmc_config = CMS.getConfigStore(); +- boolean checkSignerInfo = +- cmc_config.getBoolean("cmc.signerInfo.verify", true); +- String userid = "defUser"; +- String uid = "defUser"; ++ boolean checkSignerInfo = cmc_config.getBoolean("cmc.signerInfo.verify", true); + if (checkSignerInfo) { +- IAuthToken userToken = verifySignerInfo(authToken, cmcFullReq); ++ // selfSigned will be set in verifySignerInfo if applicable ++ IAuthToken userToken = verifySignerInfo(auditContext, authToken, cmcFullReq); + if (userToken 
== null) { +- CMS.debug(method + " authenticate() userToken null"); +- throw new EBaseException(method + " verifySignerInfo failure"); ++ msg = "userToken null; verifySignerInfo failure"; ++ CMS.debug(method + msg); ++ throw new EBaseException(msg); ++ } else { ++ if (selfSigned) { ++ CMS.debug(method ++ + " self-signed cmc request will not have user identification info at this point."); ++ auditSignerInfo = "selfSigned"; ++ } else { ++ CMS.debug(method + "signed with user cert"); ++ userid = userToken.getInString("userid"); ++ uid = userToken.getInString("cn"); ++ if (userid == null && uid == null) { ++ msg = " verifySignerInfo failure... missing userid and cn"; ++ CMS.debug(method + msg); ++ throw new EBaseException(msg); ++ } ++ // reset value of auditSignerInfo ++ if (uid != null && !uid.equals(ILogger.UNIDENTIFIED)) { ++ CMS.debug(method + "setting auditSignerInfo to uid:" + uid.trim()); ++ auditSignerInfo = uid.trim(); ++ auditSubjectID = uid.trim(); ++ authToken.set(IAuthToken.USER_ID, auditSubjectID); ++ } else if (userid != null && !userid.equals(ILogger.UNIDENTIFIED)) { ++ CMS.debug(method + "setting auditSignerInfo to userid:" + userid); ++ auditSignerInfo = userid.trim(); ++ auditSubjectID = userid.trim(); ++ authToken.set(IAuthToken.USER_ID, auditSubjectID); ++ } ++ } + } +- userid = userToken.getInString("userid"); +- uid = userToken.getInString("cn"); + } else { +- CMS.debug(method + " authenticate() signerInfo verification bypassed"); +- } +- // reset value of auditSignerInfo +- if (uid != null) { +- auditSignerInfo = uid.trim(); ++ CMS.debug(method + " signerInfo verification bypassed"); + } + + EncapsulatedContentInfo ci = cmcFullReq.getContentInfo(); ++ SET sis = cmcFullReq.getSignerInfos(); ++ // only one SignerInfo for selfSigned ++ org.mozilla.jss.pkix.cms.SignerInfo selfsign_signerInfo = ++ (org.mozilla.jss.pkix.cms.SignerInfo) sis.elementAt(0); + + OBJECT_IDENTIFIER id = ci.getContentType(); + + if 
(!id.equals(OBJECT_IDENTIFIER.id_cct_PKIData) || + !ci.hasContent()) { +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY, +- auditSubjectID, +- ILogger.FAILURE, +- auditReqType, +- auditCertSubject, +- auditSignerInfo); +- +- audit(auditMessage); ++ msg = "request EncapsulatedContentInfo content type not OBJECT_IDENTIFIER.id_cct_PKIData"; ++ CMS.debug(method + msg); + +- // throw new ECMSGWException( +- // CMSGWResources.NO_PKIDATA); +- +- throw new EBaseException("NO_PKIDATA"); ++ throw new EBaseException(msg); + } + + OCTET_STRING content = ci.getContent(); + +- ByteArrayInputStream s = new +- ByteArrayInputStream(content.toByteArray()); ++ ByteArrayInputStream s = new ByteArrayInputStream(content.toByteArray()); + PKIData pkiData = (PKIData) (new PKIData.Template()).decode(s); + + SEQUENCE reqSequence = pkiData.getReqSequence(); +@@ -426,13 +420,12 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, + + if (controlSize > 0) { + for (int i = 0; i < controlSize; i++) { +- TaggedAttribute taggedAttribute = +- (TaggedAttribute) controlSequence.elementAt(i); ++ TaggedAttribute taggedAttribute = (TaggedAttribute) controlSequence.elementAt(i); + OBJECT_IDENTIFIER type = taggedAttribute.getType(); + + if (type.equals( + OBJECT_IDENTIFIER.id_cmc_revokeRequest)) { +-/* TODO: user-signed revocation to be handled in next ticket ++ /* TODO: user-signed revocation to be handled in next ticket + // if( i ==1 ) { + // taggedAttribute.getType() == + // OBJECT_IDENTIFIER.id_cmc_revokeRequest +@@ -479,10 +472,13 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, + Integer IntObject = Integer.valueOf((int) reasonCode); + authToken.set(REASON_CODE, IntObject); + +- authToken.set("uid", uid); +- authToken.set("userid", userid); ++ ++ //authToken.set("uid", uid); ++ //authToken.set("userid", userid); ++ + } +-*/ ++ */ ++ + } + } + +@@ -499,8 
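Review bot: `sis.elementAt(0)` runs unconditionally after the signer check, but nothing enforces the "only one SignerInfo for selfSigned" comment: an empty signerInfos SET raises an unchecked exception that is only caught by the generic handler and reported as CMS_AUTHENTICATION_INVALID_CREDENTIAL-less `e.toString()`, and a request carrying several SignerInfos has only the first one bound to the SKI/public-key check later. Add an explicit guard right after `SET sis = cmcFullReq.getSignerInfos();`, e.g. `if (sis == null || sis.size() == 0 || (selfSigned && sis.size() != 1)) throw new EInvalidCredentials("unexpected number of SignerInfos: " + (sis == null ? 0 : sis.size()));`. The element is also fetched even when `cmc.signerInfo.verify` is false, where it is never used.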
+495,7 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, + + for (int i = 0; i < numReqs; i++) { + // decode message. +- TaggedRequest taggedRequest = +- (TaggedRequest) reqSequence.elementAt(i); ++ TaggedRequest taggedRequest = (TaggedRequest) reqSequence.elementAt(i); + + TaggedRequest.Type type = taggedRequest.getType(); + +@@ -508,18 +503,15 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, + CMS.debug(method + " type is PKCS10"); + authToken.set("cert_request_type", "cmc-pkcs10"); + +- TaggedCertificationRequest tcr = +- taggedRequest.getTcr(); ++ TaggedCertificationRequest tcr = taggedRequest.getTcr(); + int p10Id = tcr.getBodyPartID().intValue(); + + reqIdArray[i] = String.valueOf(p10Id); + +- CertificationRequest p10 = +- tcr.getCertificationRequest(); ++ CertificationRequest p10 = tcr.getCertificationRequest(); + + // transfer to sun class +- ByteArrayOutputStream ostream = +- new ByteArrayOutputStream(); ++ ByteArrayOutputStream ostream = new ByteArrayOutputStream(); + + p10.encode(ostream); + boolean sigver = true; +@@ -533,8 +525,8 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, + try { + cm = CryptoManager.getInstance(); + if (sigver == true) { +- String tokenName = +- CMS.getConfigStore().getString("ca.requestVerify.token", CryptoUtil.INTERNAL_TOKEN_NAME); ++ String tokenName = CMS.getConfigStore().getString("ca.requestVerify.token", ++ CryptoUtil.INTERNAL_TOKEN_NAME); + savedToken = cm.getThreadToken(); + signToken = CryptoUtil.getCryptoToken(tokenName); + if (!savedToken.getName().equals(signToken.getName())) { +@@ -543,65 +535,92 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, + } + } + +- PKCS10 pkcs10 = +- new PKCS10(ostream.toByteArray(), sigver); ++ PKCS10 pkcs10 = new PKCS10(ostream.toByteArray(), sigver); ++ // reset value of auditCertSubject ++ X500Name tempName = pkcs10.getSubjectName(); ++ CMS.debug(method + "request 
subject name=" + tempName.toString()); ++ if (tempName != null) { ++ auditCertSubject = tempName.toString().trim(); ++ if (auditCertSubject.equals("")) { ++ auditCertSubject = ILogger.SIGNED_AUDIT_EMPTY_VALUE; ++ } ++ authToken.set(AuthToken.TOKEN_CERT_SUBJECT, ++ auditCertSubject/*tempName.toString()*/); ++ } ++ ++ if (selfSigned) { ++ // prepare for checking SKI extension ++ try { ++ selfsign_skiExtn = (SubjectKeyIdentifierExtension) CryptoUtil ++ .getExtensionFromPKCS10(pkcs10, "SubjectKeyIdentifier"); ++ if (selfsign_skiExtn != null) ++ CMS.debug(method + "SubjectKeyIdentifierExtension found:"); ++ else { ++ msg = "missing SubjectKeyIdentifierExtension in request"; ++ CMS.debug(method + msg); ++ throw new EBaseException(msg); ++ } ++ } catch (IOException e) { ++ msg = method + "SubjectKeyIdentifierExtension not found:" + e; ++ CMS.debug(msg); ++ throw new EBaseException(msg); ++ } catch (Exception e) { ++ msg = method + "SubjectKeyIdentifierExtension not found:" + e; ++ CMS.debug(msg); ++ throw new EBaseException(msg); ++ } ++ ++ X509Key pubKey = pkcs10.getSubjectPublicKeyInfo(); ++ PrivateKey.Type keyType = null; ++ String alg = pubKey.getAlgorithm(); ++ ++ if (alg.equals("RSA")) { ++ CMS.debug(method + "signing key alg=RSA"); ++ keyType = PrivateKey.RSA; ++ selfsign_pubK = PK11PubKey.fromRaw(keyType, pubKey.getKey()); ++ } else if (alg.equals("EC")) { ++ CMS.debug(method + "signing key alg=EC"); ++ keyType = PrivateKey.EC; ++ byte publicKeyData[] = (pubKey).getEncoded(); ++ selfsign_pubK = PK11ECPublicKey.fromSPKI(/*keyType,*/ publicKeyData); ++ } else { ++ msg = "unsupported signature algorithm: " + alg; ++ CMS.debug(method + msg); ++ throw new EInvalidCredentials(msg); ++ } ++ CMS.debug(method + "public key retrieved"); ++ verifySelfSignedCMC(selfsign_signerInfo, id); ++ ++ } //selfSigned + + // xxx do we need to do anything else? 
+- X509CertInfo certInfo = +- CMS.getDefaultX509CertInfo(); ++ X509CertInfo certInfo = CMS.getDefaultX509CertInfo(); + + // fillPKCS10(certInfo,pkcs10,authToken,null); + + // authToken.set( + // pkcs10.getSubjectPublicKeyInfo()); + +- X500Name tempName = pkcs10.getSubjectName(); +- +- // reset value of auditCertSubject +- if (tempName != null) { +- auditCertSubject = +- tempName.toString().trim(); +- if (auditCertSubject.equals("")) { +- auditCertSubject = +- ILogger.SIGNED_AUDIT_EMPTY_VALUE; +- } +- authToken.set(AuthToken.TOKEN_CERT_SUBJECT, +- tempName.toString()); +- } +- ++ /* + authToken.set("uid", uid); + authToken.set("userid", userid); ++ */ + + certInfoArray[i] = certInfo; + } catch (Exception e) { +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY, +- auditSubjectID, +- ILogger.FAILURE, +- auditReqType, +- auditCertSubject, +- auditSignerInfo); +- +- audit(auditMessage); +- +- //throw new ECMSGWException( +- //CMSGWResources.ERROR_PKCS101, e.toString()); +- + e.printStackTrace(); + throw new EBaseException(e.toString()); + } finally { +- if ((sigver == true) && (tokenSwitched == true)){ ++ if ((sigver == true) && (tokenSwitched == true)) { + cm.setThreadToken(savedToken); + } +- } ++ } + } else if (type.equals(TaggedRequest.CRMF)) { + + CMS.debug(method + " type is CRMF"); + authToken.set("cert_request_type", "cmc-crmf"); + try { +- CertReqMsg crm = +- taggedRequest.getCrm(); ++ CertReqMsg crm = taggedRequest.getCrm(); + CertRequest certReq = crm.getCertReq(); + INTEGER reqID = certReq.getCertReqId(); + reqIdArray[i] = reqID.toString(); +@@ -609,70 +628,82 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, + Name name = template.getSubject(); + + // xxx do we need to do anything else? 
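Review bot: `CMS.debug(method + "request subject name=" + tempName.toString());` dereferences tempName before the `if (tempName != null)` check that follows it, so a PKCS#10 request with no subject now ends in a NullPointerException instead of the previous empty-value audit handling; move the debug line inside the null check. In the same hunk the `throw new EInvalidCredentials(msg)` for an unsupported key algorithm sits inside a `try { ... } catch (Exception e)` that rethrows as `new EBaseException(e.toString())`, so callers never see EInvalidCredentials; either add `catch (EInvalidCredentials e) { throw e; }` before the generic catch or do the algorithm check outside the try. The enclosing try/for block begins before this hunk.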
+- X509CertInfo certInfo = +- CMS.getDefaultX509CertInfo(); ++ X509CertInfo certInfo = CMS.getDefaultX509CertInfo(); + + // reset value of auditCertSubject + if (name != null) { + String ss = name.getRFC1485(); + ++ CMS.debug(method + "setting auditCertSubject to: " + ss); + auditCertSubject = ss; + if (auditCertSubject.equals("")) { +- auditCertSubject = +- ILogger.SIGNED_AUDIT_EMPTY_VALUE; ++ auditCertSubject = ILogger.SIGNED_AUDIT_EMPTY_VALUE; + } + + authToken.set(AuthToken.TOKEN_CERT_SUBJECT, ss); +- authToken.set("uid", uid); +- authToken.set("userid", userid); ++ //authToken.set("uid", uid); ++ //authToken.set("userid", userid); + } + certInfoArray[i] = certInfo; +- } catch (Exception e) { +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY, +- auditSubjectID, +- ILogger.FAILURE, +- auditReqType, +- auditCertSubject, +- auditSignerInfo); + +- audit(auditMessage); ++ if (selfSigned) { ++ selfsign_skiExtn = ++ (SubjectKeyIdentifierExtension) CryptoUtil ++ .getExtensionFromCertTemplate(template, PKIXExtensions.SubjectKey_Id); ++ if (selfsign_skiExtn != null) { ++ CMS.debug(method + ++ "SubjectKeyIdentifierExtension found"); ++ } else { ++ CMS.debug(method + ++ "SubjectKeyIdentifierExtension not found"); ++ } ++ ++ // get public key for verifying signature later ++ SubjectPublicKeyInfo pkinfo = template.getPublicKey(); ++ PrivateKey.Type keyType = null; ++ String alg = pkinfo.getAlgorithm(); ++ BIT_STRING bitString = pkinfo.getSubjectPublicKey(); ++ byte[] publicKeyData = bitString.getBits(); ++ if (alg.equals("RSA")) { ++ CMS.debug(method + "signing key alg=RSA"); ++ keyType = PrivateKey.RSA; ++ selfsign_pubK = PK11PubKey.fromRaw(keyType, publicKeyData); ++ } else if (alg.equals("EC")) { ++ CMS.debug(method + "signing key alg=EC"); ++ keyType = PrivateKey.EC; ++ selfsign_pubK = PK11ECPublicKey.fromSPKI(/*keyType,*/ publicKeyData); ++ } else { ++ msg = "unsupported signature 
algorithm: " + alg; ++ CMS.debug(method + msg); ++ throw new EInvalidCredentials(msg); ++ } ++ CMS.debug(method + "public key retrieved"); + +- //throw new ECMSGWException( +- //CMSGWResources.ERROR_PKCS101, e.toString()); ++ verifySelfSignedCMC(selfsign_signerInfo, id); ++ } //selfSigned + ++ } catch (Exception e) { + e.printStackTrace(); ++ cmcBlobIn.close(); ++ s.close(); + throw new EBaseException(e.toString()); + } + } + +- // authToken.set(AgentAuthentication.CRED_CERT, new +- // com.netscape.certsrv.usrgrp.Certificates( +- // x509Certs)); + } + } ++ ++ authToken.set("uid", uid); ++ authToken.set("userid", userid); + } catch (Exception e) { + CMS.debug(method + e); +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY, +- auditSubjectID, +- ILogger.FAILURE, +- auditReqType, +- auditCertSubject, +- auditSignerInfo); +- +- audit(auditMessage); +- + //Debug.printStackTrace(e); +- throw new EInvalidCredentials(CMS.getUserMessage( +- "CMS_AUTHENTICATION_INVALID_CREDENTIAL")); ++ throw new EInvalidCredentials(e.toString()); + } + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY, ++ AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS, + auditSubjectID, + ILogger.SUCCESS, + auditReqType, +@@ -687,12 +718,13 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, + CMS.debug(method + eAudit1); + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY, ++ AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE, + auditSubjectID, + ILogger.FAILURE, + auditReqType, + auditCertSubject, +- auditSignerInfo); ++ auditSignerInfo, ++ eAudit1.toString()); + + audit(auditMessage); + +@@ -702,12 +734,13 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, + CMS.debug(method + eAudit2); + 
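Review bot: In the CRMF branch a self-signed request whose template lacks the SubjectKeyIdentifier extension is only logged ("SubjectKeyIdentifierExtension not found") and processing continues, unlike the PKCS#10 branch of this patch which throws; the later `selfsign_skiExtn.get(...)` in verifySelfSignedCMC then fails with a NullPointerException wrapped as a generic EBaseException. Make the two branches agree by replacing the else-branch debug with `msg = "missing SubjectKeyIdentifierExtension in request"; CMS.debug(method + msg); throw new EBaseException(msg);`. As in the PKCS#10 branch, the `throw new EInvalidCredentials(msg)` here is swallowed by the surrounding `catch (Exception e)` and rethrown as EBaseException, losing the credential-failure type. The enclosing for loop and outer try begin before this hunk.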
// store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY, ++ AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE, + auditSubjectID, + ILogger.FAILURE, + auditReqType, + auditCertSubject, +- auditSignerInfo); ++ auditSignerInfo, ++ eAudit2.toString()); + + audit(auditMessage); + +@@ -717,17 +750,70 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, + CMS.debug(method + eAudit3); + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +- AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY, ++ AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE, + auditSubjectID, + ILogger.FAILURE, + auditReqType, + auditCertSubject, +- auditSignerInfo); ++ auditSignerInfo, ++ eAudit3.toString()); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit3; ++ } catch (Exception eAudit4) { ++ CMS.debug(method + eAudit4); ++ // store a message in the signed audit log file ++ auditMessage = CMS.getLogMessage( ++ AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE, ++ auditSubjectID, ++ ILogger.FAILURE, ++ auditReqType, ++ auditCertSubject, ++ auditSignerInfo, ++ eAudit4.toString()); ++ ++ audit(auditMessage); ++ ++ // rethrow the specific exception to be handled later ++ throw eAudit4; ++ } ++ } ++ ++ /* ++ * verifySelfSignedCMC() verifies the following ++ * a. the required (per RFC 5272) SKI extension in the request matches that in the ++ * SignerIdentifier ++ * b. 
the signature in the request ++ */ ++ protected void verifySelfSignedCMC( ++ org.mozilla.jss.pkix.cms.SignerInfo signerInfo, ++ OBJECT_IDENTIFIER id) ++ throws EBaseException { ++ String method = "CMCUserSignedAuth: verifySelfSignedCMC: "; ++ CMS.debug(method + "begins"); ++ try { ++ SignerIdentifier sid = signerInfo.getSignerIdentifier(); ++ OCTET_STRING subjKeyId = sid.getSubjectKeyIdentifier(); ++ KeyIdentifier keyIdObj = ++ (KeyIdentifier) selfsign_skiExtn.get(SubjectKeyIdentifierExtension.KEY_ID); ++ boolean match = CryptoUtil.compare(subjKeyId.toByteArray(), keyIdObj.getIdentifier()); ++ if (match) { ++ CMS.debug(method + ++ " SignerIdentifier SUBJECT_KEY_IDENTIFIER matches SKI of request"); ++ } else { ++ CMS.debug(method + ++ " SignerIdentifier SUBJECT_KEY_IDENTIFIER failed to match"); ++ throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); ++ } ++ // verify sig using public key in request ++ CMS.debug(method + "verifying request signature with public key"); ++ signerInfo.verify(selfsign_digest, id, selfsign_pubK); ++ CMS.debug(method + " signature verified"); ++ } catch (Exception e) { ++ CMS.debug(method + e.toString()); ++ throw new EBaseException(method + e.toString()); + } + } + +@@ -825,10 +911,24 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, + level, "CMC User Signed Authentication: " + msg); + } + +- protected IAuthToken verifySignerInfo(AuthToken authToken, SignedData cmcFullReq) throws EBaseException { ++ /** ++ * User-signed CMC requests can be signed in two ways: ++ * a. signed with previously issued user signing cert ++ * b. 
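Review bot: In verifySelfSignedCMC the EInvalidCredentials thrown on the SKI mismatch is caught by the enclosing `catch (Exception e)` and re-raised as a plain EBaseException, so the caller's EInvalidCredentials-specific handling (and its matching audit branch) is bypassed for a failed self-signed check. Add `catch (EInvalidCredentials e) { throw e; }` ahead of the generic catch, or move the mismatch throw out of the try. Separately, `selfsign_skiExtn.get(SubjectKeyIdentifierExtension.KEY_ID)` is dereferenced with no null check; if the request carries no SKI extension this surfaces as a NullPointerException wrapped in EBaseException rather than a clear invalid-credential error, so a guard such as `if (selfsign_skiExtn == null) throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));` is worth adding (where selfsign_skiExtn is populated is outside this hunk, so this is inferred).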
self-signed with the private key paired with the public key in ++ * the request ++ * ++ * In case "a", the resulting authToke would contain ++ * (IAuthManager.CRED_CMC_SIGNING_CERT, signing cert serial number) ++ * In case "b", the resulting authToke would not contain the attribute ++ * IAuthManager.CRED_CMC_SIGNING_CERT ++ */ ++ protected IAuthToken verifySignerInfo( ++ SessionContext auditContext, // to capture info in case of failure ++ AuthToken authToken, ++ SignedData cmcFullReq) ++ throws EBaseException { + String method = "CMCUserSignedAuth: verifySignerInfo: "; + CMS.debug(method + "begins"); +- + EncapsulatedContentInfo ci = cmcFullReq.getContentInfo(); + OBJECT_IDENTIFIER id = ci.getContentType(); + OCTET_STRING content = ci.getContent(); +@@ -849,13 +949,10 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, + //if request key is used for signing, there MUST be only one signerInfo + //object in the signedData object. + for (int i = 0; i < numDig; i++) { +- AlgorithmIdentifier dai = +- (AlgorithmIdentifier) dais.elementAt(i); +- String name = +- DigestAlgorithm.fromOID(dai.getOID()).toString(); ++ AlgorithmIdentifier dai = (AlgorithmIdentifier) dais.elementAt(i); ++ String name = DigestAlgorithm.fromOID(dai.getOID()).toString(); + +- MessageDigest md = +- MessageDigest.getInstance(name); ++ MessageDigest md = MessageDigest.getInstance(name); + + byte[] digest = md.digest(content.toByteArray()); + +@@ -867,6 +964,7 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, + + for (int i = 0; i < numSis; i++) { + org.mozilla.jss.pkix.cms.SignerInfo si = (org.mozilla.jss.pkix.cms.SignerInfo) sis.elementAt(i); ++ //selfsign_SignerInfo = (org.mozilla.jss.pkix.cms.SignerInfo) sis.elementAt(i); + + String name = si.getDigestAlgorithm().toString(); + byte[] digest = digs.get(name); +@@ -879,11 +977,14 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, + digest = 
md.digest(ostream.toByteArray()); + + } ++ + // signed by previously certified signature key + SignerIdentifier sid = si.getSignerIdentifier(); +- // TODO: need to handle signing key being the matching key from +- // the request + if (sid.getType().equals(SignerIdentifier.ISSUER_AND_SERIALNUMBER)) { ++ CMS.debug(method + "SignerIdentifier type: ISSUER_AND_SERIALNUMBER"); ++ selfSigned = false; ++ CMS.debug(method + "selfSigned is false"); ++ + IssuerAndSerialNumber issuerAndSerialNumber = sid.getIssuerAndSerialNumber(); + // find from the certs in the signedData + java.security.cert.X509Certificate cert = null; +@@ -899,14 +1000,12 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, + Name issuer = certI.getIssuer(); + + byte[] issuerB = ASN1Util.encode(issuer); +-CMS.debug(method + "issuer = " + new String(issuerB)); + INTEGER sn = certI.getSerialNumber(); + // if this cert is the signer cert, not a cert in the chain + if (new String(issuerB).equals(new String( + ASN1Util.encode(issuerAndSerialNumber.getIssuer()))) + && sn.toString().equals(issuerAndSerialNumber.getSerialNumber().toString())) { +- ByteArrayOutputStream os = new +- ByteArrayOutputStream(); ++ ByteArrayOutputStream os = new ByteArrayOutputStream(); + + certJss.encode(os); + certByteArray = os.toByteArray(); +@@ -919,13 +1018,23 @@ CMS.debug(method + "issuer = " + new String(issuerB)); + + } + } ++ + CMS.debug(method + "start checking signature"); ++ String CN = null; + if (cert == null) { + // find from certDB + CMS.debug(method + "verifying signature"); + si.verify(digest, id); + } else { + CMS.debug(method + "found signing cert... 
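Review bot: The signer-cert match on the retained lines compares DER encodings via `new String(issuerB).equals(new String(ASN1Util.encode(...)))`, which decodes arbitrary bytes through the platform default charset; undecodable sequences collapse to replacement characters, so two different issuer encodings can compare equal. Since this code is being touched anyway, replace it with `Arrays.equals(issuerB, ASN1Util.encode(issuerAndSerialNumber.getIssuer()))` (java.util.Arrays) and compare the serial numbers as INTEGER/BigInteger values rather than via toString(). The signature is still verified against the selected cert's key, so the impact is limited to picking the wrong candidate cert, but the exact comparison costs nothing. The enclosing loop starts outside this hunk.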
verifying"); ++ ++ //capture auditSubjectID first in case of failure ++ netscape.security.x509.X500Name tempPrincipal = ++ (X500Name) x509Certs[0].getSubjectDN(); ++ CN = tempPrincipal.getCommonName(); //tempToken.get("userid"); ++ CMS.debug(method + " Principal name = " + CN); ++ auditContext.put(SessionContext.USER_ID, CN); ++ + PublicKey signKey = cert.getPublicKey(); + PrivateKey.Type keyType = null; + String alg = signKey.getAlgorithm(); +@@ -942,21 +1051,24 @@ CMS.debug(method + "issuer = " + new String(issuerB)); + pubK = PK11ECPublicKey.fromSPKI(/*keyType,*/ publicKeyData); + } else { + CMS.debug(method + "unsupported signature algorithm: " + alg); +- throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); ++ s.close(); ++ throw new EInvalidCredentials( ++ CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); + } + +- String tokenName = +- CMS.getConfigStore().getString("ca.requestVerify.token", CryptoUtil.INTERNAL_TOKEN_NAME); ++ String tokenName = CMS.getConfigStore().getString("ca.requestVerify.token", ++ CryptoUtil.INTERNAL_TOKEN_NAME); + // by default JSS will use internal crypto token + if (!CryptoUtil.isInternalToken(tokenName)) { + savedToken = cm.getThreadToken(); + signToken = CryptoUtil.getCryptoToken(tokenName); +- if(signToken != null) { ++ if (signToken != null) { + cm.setThreadToken(signToken); + tokenSwitched = true; +- CMS.debug(method + "verifySignerInfo token switched:"+ tokenName); ++ CMS.debug(method + "verifySignerInfo token switched:" + tokenName); + } else { +- CMS.debug(method + "verifySignerInfo token not found:"+ tokenName+ ", trying internal"); ++ CMS.debug(method + "verifySignerInfo token not found:" + tokenName ++ + ", trying internal"); + } + } + +@@ -967,6 +1079,7 @@ CMS.debug(method + "issuer = " + new String(issuerB)); + // verify signer's certificate using the revocator + if (!cm.isCertValid(certByteArray, true, CryptoManager.CertUsage.SSLClient)) { + CMS.debug(method + "CMC 
signature failed to be verified"); ++ s.close(); + throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); + } else { + CMS.debug(method + "CMC signature verified; but signer not yet;"); +@@ -974,23 +1087,38 @@ CMS.debug(method + "issuer = " + new String(issuerB)); + // At this point, the signature has been verified; + + IAuthToken tempToken = new AuthToken(null); ++/* + netscape.security.x509.X500Name tempPrincipal = (X500Name) x509Certs[0].getSubjectDN(); + String CN = tempPrincipal.getCommonName(); //tempToken.get("userid"); + CMS.debug(method + " Principal name = " + CN); ++*/ + + BigInteger certSerial = x509Certs[0].getSerialNumber(); + CMS.debug(method + " verified cert serial=" + certSerial.toString()); + authToken.set(IAuthManager.CRED_CMC_SIGNING_CERT, certSerial.toString()); + tempToken.set("cn", CN); + ++ s.close(); + return tempToken; + ++ } else { ++ CMS.debug(method + "no certificate found in cmcFullReq"); + } +- ++ } else if (sid.getType().equals(SignerIdentifier.SUBJECT_KEY_IDENTIFIER)) { ++ CMS.debug(method + "SignerIdentifier type: SUBJECT_KEY_IDENTIFIER"); ++ CMS.debug(method + "selfSigned is true"); ++ selfSigned = true; ++ selfsign_digest = digest; ++ ++ IAuthToken tempToken = new AuthToken(null); ++ authToken.set(IAuthManager.CRED_CMC_SELF_SIGNED, "true"); ++ s.close(); ++ return tempToken; + } else { + CMS.debug(method + "unsupported SignerIdentifier type"); + } +- } ++ } //for ++ + } catch (InvalidBERException e) { + CMS.debug(method + e.toString()); + } catch (IOException e) { +@@ -1001,7 +1129,7 @@ CMS.debug(method + "issuer = " + new String(issuerB)); + CMS.debug(method + e.toString()); + throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); + } finally { +- if ((tokenSwitched == true) && (savedToken != null)){ ++ if ((tokenSwitched == true) && (savedToken != null)) { + cm.setThreadToken(savedToken); + CMS.debug(method + "verifySignerInfo token restored"); + } +@@ 
-1123,8 +1251,7 @@ CMS.debug(method + "issuer = " + new String(issuerB)); + SessionContext auditContext = SessionContext.getExistingContext(); + + if (auditContext != null) { +- subjectID = (String) +- auditContext.get(SessionContext.USER_ID); ++ subjectID = (String) auditContext.get(SessionContext.USER_ID); + + if (subjectID != null) { + subjectID = subjectID.trim(); +diff --git a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java +index 7d52fc8..1443a0a 100644 +--- a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java ++++ b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java +@@ -110,6 +110,8 @@ import netscape.security.x509.CertificateVersion; + import netscape.security.x509.CertificateX509Key; + import netscape.security.x509.Extension; + import netscape.security.x509.Extensions; ++import netscape.security.x509.PKIXExtensions; ++import netscape.security.x509.SubjectKeyIdentifierExtension; + import netscape.security.x509.X500Name; + import netscape.security.x509.X509CertImpl; + import netscape.security.x509.X509CertInfo; +@@ -656,6 +658,8 @@ public abstract class EnrollProfile extends BasicProfile + String msg = ""; // for capturing debug and throw info + //CMS.debug(method + " Start parseCMC(): " + certreq); + CMS.debug(method + "starts"); ++ String auditMessage = ""; ++ String auditSubjectID = auditSubjectID(); + + /* cert request must not be null */ + if (certreq == null) { +@@ -742,22 +746,27 @@ public abstract class EnrollProfile extends BasicProfile + + msg = " id_cmc_identification attribute value not found in"; + CMS.debug(method + msg); ++/* + throw new EProfileException( + CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST") + + msg); ++*/ ++ } else { ++ ident_s = (UTF8String) (ASN1Util.decode(UTF8String.getTemplate(), ++ ASN1Util.encode(ident.elementAt(0)))); + } +- ident_s = (UTF8String) 
(ASN1Util.decode(UTF8String.getTemplate(), +- ASN1Util.encode(ident.elementAt(0)))); +- if (ident_s == null) { ++ if (ident == null && ident_s == null) { + msg = " id_cmc_identification contains invalid content"; + CMS.debug(method + msg); + SEQUENCE bpids = getRequestBpids(reqSeq); + context.put("identification", bpids); + + CMS.debug(method + msg); ++/* + throw new EProfileException( + CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST") + + msg); ++*/ + } + } + +@@ -776,19 +785,27 @@ public abstract class EnrollProfile extends BasicProfile + } + } else if (id_cmc_identityProofV2 && (attr != null)) { + // either V2 or not V2; can't be both +- CMS.debug(method + "not pre-signed CMC request; calling verifyIdentityProofV2;"); +- if (!id_cmc_identification) { ++ CMS.debug(method + ++ "not pre-signed CMC request; calling verifyIdentityProofV2;"); ++ if (!id_cmc_identification || ident_s == null) { + SEQUENCE bpids = getRequestBpids(reqSeq); + context.put("identification", bpids); + context.put("identityProofV2", bpids); + msg = "id_cmc_identityProofV2 missing id_cmc_identification"; + CMS.debug(method + msg); ++ auditMessage = CMS.getLogMessage( ++ AuditEvent.CMC_PROOF_OF_IDENTIFICATION, ++ auditSubjectID, ++ ILogger.FAILURE, ++ method + msg); ++ audit(auditMessage); ++ + throw new EProfileException( + CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST") + + msg); + } + +- boolean valid = verifyIdentityProofV2(attr, ident_s, ++ boolean valid = verifyIdentityProofV2(context, attr, ident_s, + reqSeq); + if (!valid) { + SEQUENCE bpids = getRequestBpids(reqSeq); +@@ -815,10 +832,18 @@ public abstract class EnrollProfile extends BasicProfile + "CMS_POI_VERIFICATION_ERROR") + msg); + } else { + CMS.debug(method + "passed verifyIdentityProof; Proof of Identity successful;"); ++ // in case it was set ++ auditSubjectID = auditSubjectID(); + } + } else { + msg = "not pre-signed CMC request; missing Proof of Identification control"; + CMS.debug(method + msg); ++ 
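Review bot: Commenting out the two EProfileException throws turns a missing or empty id_cmc_identification into a debug message, and the rewritten guard `if (ident == null && ident_s == null)` cannot fire when `ident` is a non-null but empty SET (ident_s stays null but ident is not null), so the "invalid content" branch that records the `identification` bpids is dead in exactly the case it was written for. If the intent is to let the identityProofV2 path below decide (it now rejects `ident_s == null`), make this guard `if (ident_s == null)` and delete the commented-out throws instead of leaving them in `/* */`; otherwise restore the throw. Where `ident` is assigned is outside this hunk, so the null/empty cases are inferred.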
auditMessage = CMS.getLogMessage( ++ AuditEvent.CMC_PROOF_OF_IDENTIFICATION, ++ auditSubjectID, ++ ILogger.FAILURE, ++ method + msg); ++ audit(auditMessage); + throw new EProfileException(CMS.getUserMessage(locale, + "CMS_POI_VERIFICATION_ERROR") + ":" + method + msg); + } +@@ -837,6 +862,13 @@ public abstract class EnrollProfile extends BasicProfile + } else { //decPopVals == null + msg = "id_cmc_decryptedPOP contains invalid DecryptedPOP"; + CMS.debug(method + msg); ++ auditMessage = CMS.getLogMessage( ++ AuditEvent.PROOF_OF_POSSESSION, ++ auditSubjectID, ++ ILogger.SUCCESS, ++ method + msg); ++ audit(auditMessage); ++ + SEQUENCE bpids = getRequestBpids(reqSeq); + context.put("decryptedPOP", bpids); + } +@@ -877,6 +909,11 @@ public abstract class EnrollProfile extends BasicProfile + String configName = "cmc.popLinkWitnessRequired"; + CMS.debug(method + "getting :" + configName); + popLinkWitnessRequired = CMS.getConfigStore().getBoolean(configName, false); ++ if (popLinkWitnessRequired) { ++ CMS.debug(method + "popLinkWitness(V2) required"); ++ } else { ++ CMS.debug(method + "popLinkWitness(V2) not required"); ++ } + } catch (Exception e) { + // unlikely to get here + msg = method + " Failed to retrieve cmc.popLinkWitnessRequired"; +@@ -897,8 +934,16 @@ public abstract class EnrollProfile extends BasicProfile + !context.containsKey("POPLinkWitnessV2") && + !context.containsKey("POPLinkWitness")) { + CMS.debug(method + "popLinkWitness(V2) required"); +- if (randomSeed == null) { +- CMS.debug(method + "no randomSeed found"); ++ if (randomSeed == null || ident_s == null) { ++ msg = "no randomSeed or identification found needed for popLinkWitness(V2)"; ++ CMS.debug(method + msg); ++ auditMessage = CMS.getLogMessage( ++ AuditEvent.CMC_ID_POP_LINK_WITNESS, ++ auditSubjectID, ++ ILogger.FAILURE, ++ method + msg); ++ audit(auditMessage); ++ + context.put("POPLinkWitnessV2", bpids); + return null; + } +@@ -913,11 +958,26 @@ public abstract class EnrollProfile extends 
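Review bot: The new PROOF_OF_POSSESSION audit record for "id_cmc_decryptedPOP contains invalid DecryptedPOP" is emitted with `ILogger.SUCCESS`, although the message and the `context.put("decryptedPOP", bpids)` that follows mark it as a rejection; an auditor filtering on outcome would see a malformed POP reported as a successful proof. Change it to `ILogger.FAILURE`, matching the other new audit calls in this patch. The enclosing if/else starts outside this hunk.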
BasicProfile + else if (context.containsKey("POPLinkWitness")) + msg = " in POPLinkWitness"; + else +- msg = " unspecified failure from verifyPOPLinkWitness"; ++ msg = " failure from verifyPOPLinkWitness"; + ++ msg = msg + ": ident_s=" + ident_s; + CMS.debug(method + msg); ++ auditMessage = CMS.getLogMessage( ++ AuditEvent.CMC_ID_POP_LINK_WITNESS, ++ auditSubjectID, ++ ILogger.FAILURE, ++ method + msg); ++ audit(auditMessage); + throw new EProfileException(CMS.getUserMessage(locale, + "CMS_POP_LINK_WITNESS_VERIFICATION_ERROR") + msg); ++ } else { ++ msg = ": ident_s=" + ident_s; ++ auditMessage = CMS.getLogMessage( ++ AuditEvent.CMC_ID_POP_LINK_WITNESS, ++ auditSubjectID, ++ ILogger.SUCCESS, ++ method + msg); ++ audit(auditMessage); + } + } + } //for +@@ -1441,22 +1501,37 @@ public abstract class EnrollProfile extends BasicProfile + * @author cfu + */ + private boolean verifyIdentityProofV2( ++ SessionContext sessionContext, + TaggedAttribute attr, + UTF8String ident, + SEQUENCE reqSeq) { + String method = "EnrollProfile:verifyIdentityProofV2: "; ++ String msg = ""; + CMS.debug(method + " begins"); ++ boolean verified = false; ++ String auditMessage = method; ++ + if ((attr == null) || + (ident == null) || + (reqSeq == null)) { + CMS.debug(method + "method parameters cannot be null"); ++ // this is internal error + return false; + } + + String ident_string = ident.toString(); ++ String auditAttemptedCred = null; + + SET vals = attr.getValues(); // getting the IdentityProofV2 structure + if (vals.size() < 1) { ++ msg = " invalid TaggedAttribute in request"; ++ CMS.debug(method + msg); ++ auditMessage = CMS.getLogMessage( ++ AuditEvent.CMC_PROOF_OF_IDENTIFICATION, ++ auditAttemptedCred, ++ ILogger.FAILURE, ++ method + msg); ++ audit(auditMessage); + return false; + } + +@@ -1464,18 +1539,33 @@ public abstract class EnrollProfile extends BasicProfile + ISharedToken tokenClass = getSharedTokenClass(configName); + + if (tokenClass == null) { +- CMS.debug(method + " 
Failed to retrieve shared secret plugin class"); ++ msg = " Failed to retrieve shared secret plugin class"; ++ CMS.debug(method + msg); ++ auditMessage = CMS.getLogMessage( ++ AuditEvent.CMC_PROOF_OF_IDENTIFICATION, ++ auditAttemptedCred, ++ ILogger.FAILURE, ++ method + msg); ++ audit(auditMessage); + return false; + } + + String token = null; +- if (ident_string != null) ++ if (ident_string != null) { ++ auditAttemptedCred = ident_string; + token = tokenClass.getSharedToken(ident_string); +- else ++ } else + token = tokenClass.getSharedToken(mCMCData); + + if (token == null) { +- CMS.debug(method + " Failed to retrieve shared secret"); ++ msg = " Failed to retrieve shared secret"; ++ CMS.debug(method + msg); ++ auditMessage = CMS.getLogMessage( ++ AuditEvent.CMC_PROOF_OF_IDENTIFICATION, ++ auditAttemptedCred, ++ ILogger.FAILURE, ++ method + msg); ++ audit(auditMessage); + return false; + } + +@@ -1493,26 +1583,64 @@ public abstract class EnrollProfile extends BasicProfile + + OCTET_STRING witness = idV2val.getWitness(); + if (witness == null) { +- CMS.debug(method + " witness reurned by idV2val.getWitness is null"); +- return false; ++ msg = " witness reurned by idV2val.getWitness is null"; ++ CMS.debug(method + msg); ++ throw new EBaseException(msg); + } + + byte[] witness_bytes = witness.toByteArray(); + byte[] request_bytes = ASN1Util.encode(reqSeq); // PKIData reqSequence field +- return verifyDigest( ++ verified = verifyDigest( + (ident_string != null) ? (token + ident_string).getBytes() : token.getBytes(), + request_bytes, + witness_bytes, + hashAlg, macAlg); ++ ++ String authMgrID = ++ (String) sessionContext.get(SessionContext.AUTH_MANAGER_ID); ++ String auditSubjectID = null; ++ ++ if (verified) { ++ // update auditSubjectID ++ if (sessionContext != null) { ++ auditSubjectID = (String) ++ sessionContext.get(SessionContext.USER_ID); ++ CMS.debug(method + "current auditSubjectID was:"+ auditSubjectID); ++ CMS.debug(method + "identity verified. 
Updating auditSubjectID"); ++ CMS.debug(method + "updated auditSubjectID is:"+ ident_string); ++ auditSubjectID = ident_string; ++ sessionContext.put(SessionContext.USER_ID, auditSubjectID); ++ } else { //very unlikely ++ CMS.debug(method + "sessionContext null; cannot update auditSubjectID"); ++ } ++ ++ auditMessage = CMS.getLogMessage( ++ AuditEvent.CMC_PROOF_OF_IDENTIFICATION, ++ auditSubjectID, ++ ILogger.SUCCESS, ++ "method=" + method); ++ audit(auditMessage); ++ } else { ++ throw new EBaseException("failed to verify"); ++ } ++ return verified; + } catch (Exception e) { + CMS.debug(method + " Failed with Exception: " + e.toString()); ++ auditMessage = CMS.getLogMessage( ++ AuditEvent.CMC_PROOF_OF_IDENTIFICATION, ++ auditAttemptedCred, ++ ILogger.FAILURE, ++ method + e.toString()); ++ audit(auditMessage); + return false; + } + + } // verifyIdentityProofV2 + +- private boolean verifyIdentityProof(TaggedAttribute attr, SEQUENCE reqSeq) { ++ private boolean verifyIdentityProof( ++ TaggedAttribute attr, SEQUENCE reqSeq) { + String method = "verifyIdentityProof: "; ++ boolean verified = false; + + SET vals = attr.getValues(); + if (vals.size() < 1) +@@ -1537,7 +1665,11 @@ public abstract class EnrollProfile extends BasicProfile + byte[] b = ostr.toByteArray(); + byte[] text = ASN1Util.encode(reqSeq); + +- return verifyDigest(token.getBytes(), text, b); ++ verified = verifyDigest(token.getBytes(), text, b); ++ if (verified) {// update auditSubjectID ++ //placeholder. 
Should probably just disable this v1 method ++ } ++ return verified; + } + + public void fillTaggedRequest(Locale locale, TaggedRequest tagreq, X509CertInfo info, +@@ -1592,13 +1724,22 @@ public abstract class EnrollProfile extends BasicProfile + + p10.encode(ostream); + PKCS10 pkcs10 = new PKCS10(ostream.toByteArray(), sigver); ++ if (sigver) { ++ auditMessage = CMS.getLogMessage( ++ AuditEvent.PROOF_OF_POSSESSION, ++ auditSubjectID, ++ ILogger.SUCCESS, ++ "method="+method); ++ audit(auditMessage); ++ } + + req.setExtData("bodyPartId", tcr.getBodyPartID()); + fillPKCS10(locale, pkcs10, info, req); + } catch (Exception e) { + CMS.debug(method + e); + // this will throw +- popFailed(locale, auditSubjectID, auditMessage, e); ++ if (sigver) ++ popFailed(locale, auditSubjectID, auditMessage, e); + } finally { + if ((sigver == true) && (tokenSwitched == true)){ + cm.setThreadToken(savedToken); +@@ -1787,8 +1928,9 @@ public abstract class EnrollProfile extends BasicProfile + public void fillCertReqMsg(Locale locale, CertReqMsg certReqMsg, X509CertInfo info, + IRequest req) + throws EProfileException { ++ String method = "EnrollProfile: fillCertReqMsg: "; + try { +- CMS.debug("Start parseCertReqMsg "); ++ CMS.debug(method + "Start parseCertReqMsg "); + CertRequest certReq = certReqMsg.getCertReq(); + req.setExtData("bodyPartId", certReq.getCertReqId()); + // handle PKIArchiveOption (key archival) +@@ -1897,12 +2039,20 @@ public abstract class EnrollProfile extends BasicProfile + extensions = new CertificateExtensions(); + int numexts = certTemplate.numExtensions(); + ++ /* ++ * there seems to be an issue with constructor in Extension ++ * when feeding SubjectKeyIdentifierExtension; ++ * Special-case it ++ */ ++ OBJECT_IDENTIFIER SKIoid = ++ new OBJECT_IDENTIFIER(PKIXExtensions.SubjectKey_Id.toString()); + for (int j = 0; j < numexts; j++) { + org.mozilla.jss.pkix.cert.Extension jssext = + certTemplate.extensionAt(j); + boolean isCritical = jssext.getCritical(); + 
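Review bot: Gating `popFailed(...)` on `sigver` means that when signature verification is disabled, any exception from `p10.encode`, `new PKCS10(...)` or `fillPKCS10` is logged and swallowed: control falls through to `finally`, the request continues without `bodyPartId` or the PKCS10 fields filled, and no EProfileException reaches the caller, so the retained comment "this will throw" no longer holds. Keep the POP-specific audit behind `sigver`, but add an `else` that still fails the request, e.g. `else throw new EProfileException(CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST") + e.toString());`. The method's body continues outside this hunk.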
org.mozilla.jss.asn1.OBJECT_IDENTIFIER jssoid = + jssext.getExtnId(); ++ CMS.debug(method + "found extension:" + jssoid.toString()); + long[] numbers = jssoid.getNumbers(); + int[] oidNumbers = new int[numbers.length]; + +@@ -1919,8 +2069,14 @@ public abstract class EnrollProfile extends BasicProfile + jssvalue.encode(jssvalueout); + byte[] extValue = jssvalueout.toByteArray(); + +- Extension ext = +- new Extension(oid, isCritical, extValue); ++ Extension ext = null; ++ if (jssoid.equals(SKIoid)) { ++ CMS.debug(method + "found SUBJECT_KEY_IDENTIFIER extension"); ++ ext = new SubjectKeyIdentifierExtension(false, ++ jssext.getExtnValue().toByteArray()); ++ } else { ++ new Extension(oid, isCritical, extValue); ++ } + + extensions.parseExtension(ext); + } +@@ -2042,12 +2198,12 @@ public abstract class EnrollProfile extends BasicProfile + DerInputStream extIn = new DerInputStream(extB); + CertificateExtensions exts = new CertificateExtensions(extIn); + if (exts != null) { +- CMS.debug(method + "Set extensions " + exts); ++ CMS.debug(method + "PKCS10 found extensions " + exts); + // info.set(X509CertInfo.EXTENSIONS, exts); + req.setExtData(REQUEST_EXTENSIONS, exts); + } + } else { +- CMS.debug(method + "PKCS10 extension Not Found"); ++ CMS.debug(method + "PKCS10 no extension found"); + } + } + +@@ -2406,7 +2562,7 @@ public abstract class EnrollProfile extends BasicProfile + String method = "EnrollProfile: verifyPOP: "; + CMS.debug(method + "for signing keys begins."); + +- String auditMessage = null; ++ String auditMessage = method; + String auditSubjectID = auditSubjectID(); + + if (!certReqMsg.hasPop()) { +@@ -2437,7 +2593,8 @@ public abstract class EnrollProfile extends BasicProfile + auditMessage = CMS.getLogMessage( + AuditEvent.PROOF_OF_POSSESSION, + auditSubjectID, +- ILogger.SUCCESS); ++ ILogger.SUCCESS, ++ "method="+method); + audit(auditMessage); + } catch (Exception e) { + CMS.debug(method + "Unable to verify POP: " + e); +@@ -2446,19 +2603,21 @@ public 
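Review bot: In the non-SKI branch the result of `new Extension(oid, isCritical, extValue)` is discarded — the statement is missing `ext =` — so `ext` stays null and `extensions.parseExtension(ext)` receives null for every extension other than SubjectKeyIdentifier, a regression from the replaced line that will either throw or silently drop requested extensions. The fix is `ext = new Extension(oid, isCritical, extValue);`. Forcing `false` for the SKI case is acceptable since RFC 5280 §4.2.1.2 requires SKI to be non-critical, but a one-line comment saying so would stop the dropped `isCritical` from looking like an oversight.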
abstract class EnrollProfile extends BasicProfile + CMS.debug(method + "done."); + } + +- private void popFailed(Locale locale, String auditSubjectID, String auditMessage) ++ private void popFailed(Locale locale, String auditSubjectID, String msg) + throws EProfileException { +- popFailed(locale, auditSubjectID, auditMessage, null); ++ popFailed(locale, auditSubjectID, msg, null); + } +- private void popFailed(Locale locale, String auditSubjectID, String auditMessage, Exception e) ++ private void popFailed(Locale locale, String auditSubjectID, String msg, Exception e) + throws EProfileException { + ++ if (e != null) ++ msg = msg + e.toString(); + // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( ++ String auditMessage = CMS.getLogMessage( + AuditEvent.PROOF_OF_POSSESSION, + auditSubjectID, +- ILogger.FAILURE); +- ++ ILogger.FAILURE, ++ msg); + audit(auditMessage); + + if (e != null) { +diff --git a/base/server/cms/src/com/netscape/cms/profile/def/CAEnrollDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/CAEnrollDefault.java +index 14484e0..635c044 100644 +--- a/base/server/cms/src/com/netscape/cms/profile/def/CAEnrollDefault.java ++++ b/base/server/cms/src/com/netscape/cms/profile/def/CAEnrollDefault.java +@@ -25,6 +25,7 @@ import java.security.cert.CertificateException; + import com.netscape.certsrv.apps.CMS; + import com.netscape.certsrv.base.EBaseException; + import com.netscape.certsrv.ca.ICertificateAuthority; ++import com.netscape.cmsutil.crypto.CryptoUtil; + + import netscape.security.x509.CertificateX509Key; + import netscape.security.x509.KeyIdentifier; +@@ -46,30 +47,29 @@ public abstract class CAEnrollDefault extends EnrollDefault { + } + + public KeyIdentifier getKeyIdentifier(X509CertInfo info) { ++ String method = "CAEnrollDefault: getKeyIdentifier: "; + try { + CertificateX509Key ckey = (CertificateX509Key) + info.get(X509CertInfo.KEY); + X509Key key = (X509Key) ckey.get(CertificateX509Key.KEY); +- 
MessageDigest md = MessageDigest.getInstance("SHA-1"); +- +- md.update(key.getKey()); +- byte[] hash = md.digest(); ++ byte[] hash = CryptoUtil.generateKeyIdentifier(key.getKey()); ++ if (hash == null) { ++ CMS.debug(method + ++ "CryptoUtil.generateKeyIdentifier returns null"); ++ return null; ++ } + + return new KeyIdentifier(hash); + } catch (IOException e) { +- CMS.debug("AuthorityKeyIdentifierExtDefault: getKeyId " + +- e.toString()); ++ CMS.debug(method + e.toString()); + } catch (CertificateException e) { +- CMS.debug("AuthorityKeyIdentifierExtDefault: getKeyId " + +- e.toString()); +- } catch (NoSuchAlgorithmException e) { +- CMS.debug("AuthorityKeyIdentifierExtDefault: getKeyId " + +- e.toString()); ++ CMS.debug(method + e.toString()); + } + return null; + } + + public KeyIdentifier getCAKeyIdentifier(ICertificateAuthority ca) throws EBaseException { ++ String method = "CAEnrollDefault: getCAKeyIdentifier: "; + X509CertImpl caCert = ca.getCACert(); + if (caCert == null) { + // during configuration, we dont have the CA certificate +@@ -89,16 +89,11 @@ public abstract class CAEnrollDefault extends EnrollDefault { + } + } + +- try { +- MessageDigest md = MessageDigest.getInstance("SHA-1"); +- +- md.update(key.getKey()); +- byte[] hash = md.digest(); +- +- return new KeyIdentifier(hash); +- } catch (NoSuchAlgorithmException e) { +- CMS.debug("AuthorityKeyIdentifierExtDefault: getKeyId " + +- e.toString()); ++ byte[] hash = CryptoUtil.generateKeyIdentifier(key.getKey()); ++ if (hash == null) { ++ CMS.debug(method + ++ "CryptoUtil.generateKeyIdentifier returns null"); ++ return null; + } + return null; + } +diff --git a/base/server/cms/src/com/netscape/cms/profile/def/SubjectKeyIdentifierExtDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/SubjectKeyIdentifierExtDefault.java +index a8f6a74..d787575 100644 +--- a/base/server/cms/src/com/netscape/cms/profile/def/SubjectKeyIdentifierExtDefault.java ++++ 
b/base/server/cms/src/com/netscape/cms/profile/def/SubjectKeyIdentifierExtDefault.java +@@ -37,6 +37,7 @@ import com.netscape.certsrv.property.Descriptor; + import com.netscape.certsrv.property.EPropertyException; + import com.netscape.certsrv.property.IDescriptor; + import com.netscape.certsrv.request.IRequest; ++import com.netscape.cmsutil.crypto.CryptoUtil; + + /** + * This class implements an enrollment default policy +@@ -195,22 +196,26 @@ public class SubjectKeyIdentifierExtDefault extends EnrollExtDefault { + } + + public KeyIdentifier getKeyIdentifier(X509CertInfo info) { ++ String method = "SubjectKeyIdentifierExtDefault: getKeyIdentifier: "; + try { + CertificateX509Key infokey = (CertificateX509Key) + info.get(X509CertInfo.KEY); + X509Key key = (X509Key) infokey.get(CertificateX509Key.KEY); +- MessageDigest md = MessageDigest.getInstance("SHA-1"); + +- md.update(key.getKey()); +- byte[] hash = md.digest(); ++ // "SHA-1" is default for CryptoUtil.generateKeyIdentifier. ++ // you could specify different algorithm with the alg parameter ++ // like this: ++ //byte[] hash = CryptoUtil.generateKeyIdentifier(key.getKey(), "SHA-256"); ++ byte[] hash = CryptoUtil.generateKeyIdentifier(key.getKey()); + ++ if (hash == null) { ++ CMS.debug(method + ++ "CryptoUtil.generateKeyIdentifier returns null"); ++ return null; ++ } + return new KeyIdentifier(hash); +- } catch (NoSuchAlgorithmException e) { +- CMS.debug("SubjectKeyIdentifierExtDefault: getKeyIdentifier " + +- e.toString()); + } catch (Exception e) { +- CMS.debug("SubjectKeyIdentifierExtDefault: getKeyIdentifier " + +- e.toString()); ++ CMS.debug(method + e.toString()); + } + return null; + } +diff --git a/base/server/cms/src/com/netscape/cms/profile/input/EnrollInput.java b/base/server/cms/src/com/netscape/cms/profile/input/EnrollInput.java +index 84a6398..2affaf3 100644 +--- a/base/server/cms/src/com/netscape/cms/profile/input/EnrollInput.java ++++ 
b/base/server/cms/src/com/netscape/cms/profile/input/EnrollInput.java +@@ -179,26 +179,27 @@ public abstract class EnrollInput implements IProfileInput { + + public void verifyPOP(Locale locale, CertReqMsg certReqMsg) + throws EProfileException { ++ String method = "EnrollInput: verifyPOP: "; + CMS.debug("EnrollInput ::in verifyPOP"); + + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + + if (!certReqMsg.hasPop()) { +- CMS.debug("CertReqMsg has not POP, return"); ++ CMS.debug(method + "CertReqMsg has not POP, return"); + return; + } + ProofOfPossession pop = certReqMsg.getPop(); + ProofOfPossession.Type popType = pop.getType(); + + if (popType != ProofOfPossession.SIGNATURE) { +- CMS.debug("not POP SIGNATURE, return"); ++ CMS.debug(method + "not POP SIGNATURE, return"); + return; + } + + try { + if (CMS.getConfigStore().getBoolean("cms.skipPOPVerify", false)) { +- CMS.debug("skipPOPVerify on, return"); ++ CMS.debug(method + "skipPOPVerify on, return"); + return; + } + CMS.debug("POP verification begins:"); +@@ -207,10 +208,10 @@ public abstract class EnrollInput implements IProfileInput { + CryptoToken verifyToken = null; + String tokenName = CMS.getConfigStore().getString("ca.requestVerify.token", CryptoUtil.INTERNAL_TOKEN_NAME); + if (CryptoUtil.isInternalToken(tokenName)) { +- CMS.debug("POP verification using internal token"); ++ CMS.debug(method + "POP verification using internal token"); + certReqMsg.verify(); + } else { +- CMS.debug("POP verification using token:" + tokenName); ++ CMS.debug(method + "POP verification using token:" + tokenName); + verifyToken = CryptoUtil.getCryptoToken(tokenName); + certReqMsg.verify(verifyToken); + } +@@ -219,18 +220,20 @@ public abstract class EnrollInput implements IProfileInput { + auditMessage = CMS.getLogMessage( + AuditEvent.PROOF_OF_POSSESSION, + auditSubjectID, +- ILogger.SUCCESS); ++ ILogger.SUCCESS, ++ "method="+method); + audit(auditMessage); + } catch (Exception e) { + +- 
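Review bot: The `cms.skipPOPVerify` branch still returns without emitting any PROOF_OF_POSSESSION record, so when verification is disabled the signed audit log holds nothing for the request even though the new Info field now gives a natural place to say so; an auditor cannot distinguish "POP verified" from "POP check bypassed by configuration". The `!certReqMsg.hasPop()` and non-SIGNATURE early returns likewise accept the request without a trace. Suggest auditing before each return with an Info string that makes the bypass explicit, e.g. `audit(CMS.getLogMessage(AuditEvent.PROOF_OF_POSSESSION, auditSubjectID, ILogger.SUCCESS, method + "skipPOPVerify on, POP not verified"));` (or a distinct Outcome if the schema permits). The verification body continues in the next hunk.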
CMS.debug("Failed POP verify! " + e.toString()); ++ CMS.debug(method + "Failed POP verify! " + e.toString()); + CMS.debug(e); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + AuditEvent.PROOF_OF_POSSESSION, + auditSubjectID, +- ILogger.FAILURE); ++ ILogger.FAILURE, ++ method + e.toString()); + + audit(auditMessage); + +diff --git a/base/server/cms/src/com/netscape/cms/servlet/processors/CRMFProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/processors/CRMFProcessor.java +index 70a4a42..c57c532 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/processors/CRMFProcessor.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/processors/CRMFProcessor.java +@@ -23,17 +23,6 @@ import java.io.IOException; + import java.security.InvalidKeyException; + import java.security.cert.CertificateException; + +-import netscape.security.util.ObjectIdentifier; +-import netscape.security.x509.CertificateExtensions; +-import netscape.security.x509.CertificateSubjectName; +-import netscape.security.x509.CertificateValidity; +-import netscape.security.x509.CertificateVersion; +-import netscape.security.x509.CertificateX509Key; +-import netscape.security.x509.Extension; +-import netscape.security.x509.X500Name; +-import netscape.security.x509.X509CertInfo; +-import netscape.security.x509.X509Key; +- + import org.mozilla.jss.asn1.INTEGER; + import org.mozilla.jss.asn1.InvalidBERException; + import org.mozilla.jss.asn1.SEQUENCE; +@@ -56,6 +45,17 @@ import com.netscape.certsrv.request.IRequest; + import com.netscape.cms.servlet.base.CMSServlet; + import com.netscape.cms.servlet.common.ECMSGWException; + ++import netscape.security.util.ObjectIdentifier; ++import netscape.security.x509.CertificateExtensions; ++import netscape.security.x509.CertificateSubjectName; ++import netscape.security.x509.CertificateValidity; ++import netscape.security.x509.CertificateVersion; ++import netscape.security.x509.CertificateX509Key; ++import 
netscape.security.x509.Extension; ++import netscape.security.x509.X500Name; ++import netscape.security.x509.X509CertInfo; ++import netscape.security.x509.X509Key; ++ + /** + * Process CRMF requests, according to RFC 2511 + * See http://www.ietf.org/rfc/rfc2511.txt +@@ -98,6 +98,7 @@ public class CRMFProcessor extends PKIProcessor { + */ + private void verifyPOP(CertReqMsg certReqMsg) + throws EBaseException { ++ String method = "CRMFProcessor: verifyPOP: "; + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + +@@ -118,7 +119,8 @@ public class CRMFProcessor extends PKIProcessor { + auditMessage = CMS.getLogMessage( + AuditEvent.PROOF_OF_POSSESSION, + auditSubjectID, +- ILogger.SUCCESS); ++ ILogger.SUCCESS, ++ "method=" + method); + + audit(auditMessage); + } catch (Exception e) { +@@ -131,7 +133,8 @@ public class CRMFProcessor extends PKIProcessor { + auditMessage = CMS.getLogMessage( + AuditEvent.PROOF_OF_POSSESSION, + auditSubjectID, +- ILogger.FAILURE); ++ ILogger.FAILURE, ++ method + e.toString()); + + audit(auditMessage); + +@@ -148,7 +151,8 @@ public class CRMFProcessor extends PKIProcessor { + auditMessage = CMS.getLogMessage( + AuditEvent.PROOF_OF_POSSESSION, + auditSubjectID, +- ILogger.FAILURE); ++ ILogger.FAILURE, ++ method + "required POP missing"); + + audit(auditMessage); + +@@ -161,7 +165,8 @@ public class CRMFProcessor extends PKIProcessor { + auditMessage = CMS.getLogMessage( + AuditEvent.PROOF_OF_POSSESSION, + auditSubjectID, +- ILogger.FAILURE); ++ ILogger.FAILURE, ++ method + eAudit1.toString()); + + audit(auditMessage); + } +diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java +index 0e101ed..93039a4 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java +@@ -39,12 +39,16 
@@ import org.mozilla.jss.pkix.cmc.OtherInfo; + import org.mozilla.jss.pkix.cmc.TaggedAttribute; + + import com.netscape.certsrv.apps.CMS; ++import com.netscape.certsrv.authentication.EInvalidCredentials; ++import com.netscape.certsrv.authentication.EMissingCredential; + import com.netscape.certsrv.authentication.IAuthManager; + import com.netscape.certsrv.authentication.IAuthToken; + import com.netscape.certsrv.authorization.AuthzToken; + import com.netscape.certsrv.base.EBaseException; + import com.netscape.certsrv.base.SessionContext; + import com.netscape.certsrv.logging.ILogger; ++import com.netscape.certsrv.logging.event.AuthFailEvent; ++import com.netscape.certsrv.logging.event.AuthSuccessEvent; + import com.netscape.certsrv.logging.event.CertRequestProcessedEvent; + import com.netscape.certsrv.profile.EDeferException; + import com.netscape.certsrv.profile.EProfileException; +@@ -143,6 +147,7 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { + + public IAuthToken authenticate(IProfileAuthenticator authenticator, + HttpServletRequest request) throws EBaseException { ++ String method = "ProfileSubmitCMCServlet: authenticate: "; + AuthCredentials credentials = new AuthCredentials(); + + // build credential +@@ -158,15 +163,47 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { + credentials.set(authName, request.getParameter(authName)); + } + } +- IAuthToken authToken = authenticator.authenticate(credentials); + ++ IAuthToken authToken = null; ++ String auditSubjectID = null; ++ String authMgrID = authenticator.getName(); + SessionContext sc = SessionContext.getContext(); +- if (sc != null) { +- sc.put(SessionContext.AUTH_MANAGER_ID, authenticator.getName()); +- String userid = authToken.getInString(IAuthToken.USER_ID); +- if (userid != null) { +- sc.put(SessionContext.USER_ID, userid); ++ ++ try { ++ authToken = authenticator.authenticate(credentials); ++ if (sc != null) { ++ sc.put(SessionContext.AUTH_MANAGER_ID, authMgrID); ++ 
auditSubjectID = authToken.getInString(IAuthToken.USER_ID); ++ if (auditSubjectID != null) { ++ CMS.debug(method + "setting auditSubjectID in SessionContext:" + ++ auditSubjectID); ++ sc.put(SessionContext.USER_ID, auditSubjectID); ++ } else { ++ CMS.debug(method + "no auditSubjectID found in authToken"); ++ } ++ } ++ ++ if (!auditSubjectID.equals(ILogger.UNIDENTIFIED) && ++ !auditSubjectID.equals(ILogger.NONROLEUSER)) { ++ audit(new AuthSuccessEvent( ++ auditSubjectID, ++ ILogger.SUCCESS, ++ authMgrID)); ++ } ++ ++ } catch (EBaseException e) { ++ CMS.debug(method + e); ++ String attempted_auditSubjectID = null; ++ if (sc != null) { ++ attempted_auditSubjectID = ++ (String) sc.get(SessionContext.USER_ID); + } ++ audit(new AuthFailEvent( ++ auditSubjectID, ++ ILogger.FAILURE, ++ authMgrID, ++ attempted_auditSubjectID)); ++ throw(e); + } + + return authToken; +diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties +index 1a5b37a..6bc2d82 100644 +--- a/base/server/cmsbundle/src/LogMessages.properties ++++ b/base/server/cmsbundle/src/LogMessages.properties +@@ -2181,9 +2181,18 @@ LOGGING_SIGNED_AUDIT_AUTH_SUCCESS_3=:[AuditEvent=AUTH_SUCCESS + LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL_4=:[AuditEvent=CERT_PROFILE_APPROVAL][SubjectID={0}][Outcome={1}][ProfileID={2}][Op={3}] certificate approval + # + # LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION +-# - used when proof of possession is checked during certificate enrollment ++# - used for proof of possession during certificate enrollment processing + # +-LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION_2=:[AuditEvent=PROOF_OF_POSSESSION][SubjectID={0}][Outcome={1}] checking proof of possession ++LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION_3=:[AuditEvent=PROOF_OF_POSSESSION][SubjectID={0}][Outcome={1}][Info={2}] proof of possession ++# LOGGING_SIGNED_AUDIT_CMC_PROOF_OF_IDENTIFICATION ++# - used for proof of identification during CMC request processing ++# - In case of success, 
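Review bot: In the new success path `auditSubjectID.equals(ILogger.UNIDENTIFIED)` is evaluated with `auditSubjectID` still null whenever `sc` is null or the token carries no USER_ID, and the resulting NullPointerException is not an EBaseException, so it escapes the catch: a request that authenticated successfully then fails with neither an AUTH_SUCCESS nor an AUTH_FAIL record. In the catch block `auditSubjectID` is provably still null (it is only assigned after authenticate returns), so the AuthFailEvent's SubjectID is rendered as the string "null" instead of `ILogger.UNIDENTIFIED`. Suggested changes: `if (auditSubjectID != null && !auditSubjectID.equals(ILogger.UNIDENTIFIED) && !auditSubjectID.equals(ILogger.NONROLEUSER))` for the guard, and `audit(new AuthFailEvent(ILogger.UNIDENTIFIED, ILogger.FAILURE, authMgrID, attempted_auditSubjectID));` in the catch. A null return from `authenticator.authenticate` would also NPE on `authToken.getInString` outside the catch, so a null check there is worth adding if any IProfileAuthenticator can return null.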
"SubjectID" is the actual identified identification; ++# - In case of failure, "SubjectID" is the attempted identification ++# ++LOGGING_SIGNED_AUDIT_CMC_PROOF_OF_IDENTIFICATION_3=:[AuditEvent=CMC_PROOF_OF_IDENTIFICATION][SubjectID={0}][Outcome={1}][Info={2}] proof of identification in CMC request ++# - used for identification and POP linking verification during CMC request processing ++# ++LOGGING_SIGNED_AUDIT_CMC_ID_POP_LINK_WITNESS_3=:[AuditEvent=CMC_ID_POP_LINK_WITNESS][SubjectID={0}][Outcome={1}][Info={2}] Identification Proof of Possession linking witness verification + # + # LOGGING_SIGNED_AUDIT_CRL_RETRIEVAL + # - used when CRLs are retrieved by the OCSP Responder +@@ -2235,7 +2244,16 @@ LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE_3=:[AuditEvent=CMC_SIGNED_REQUEST_SIG_VERIFY][SubjectID={0}][Outcome={1}][ReqType={2}][CertSubject={3}][SignerInfo={4}] agent pre-approved CMC request signature verification +-LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY_5=:[AuditEvent=CMC_USER_SIGNED_REQUEST_SIG_VERIFY][SubjectID={0}][Outcome={1}][ReqType={2}][CertSubject={3}][SignerInfo={4}] User signed CMC request signature verification ++# ++# LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY ++# - used when CMC (user-signed or self-signed) certificate requests or revocation requests ++# are submitted and signature is verified ++# ReqType must be the request type (enrollment, or revocation) ++# CertSubject must be the certificate subject name of the certificate request ++# SignerInfo must be a unique String representation for the signer ++# ++LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS_5=:[AuditEvent=CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS][SubjectID={0}][Outcome={1}][ReqType={2}][CertSubject={3}][SignerInfo={4}] User signed CMC request signature verification success 
++LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE_6=:[AuditEvent=CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE][SubjectID={0}][Outcome={1}][ReqType={2}][CertSubject={3}][SignerInfo={4}][info={5}] User signed CMC request signature verification failure + + # LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST + # - used for TPS to TKS to get random challenge data +diff --git a/base/server/cmscore/src/com/netscape/cmscore/security/KeyCertUtil.java b/base/server/cmscore/src/com/netscape/cmscore/security/KeyCertUtil.java +index 6dabd0c..177d540 100644 +--- a/base/server/cmscore/src/com/netscape/cmscore/security/KeyCertUtil.java ++++ b/base/server/cmscore/src/com/netscape/cmscore/security/KeyCertUtil.java +@@ -1032,13 +1032,17 @@ public class KeyCertUtil { + + public static KeyIdentifier createKeyIdentifier(KeyPair keypair) + throws NoSuchAlgorithmException, InvalidKeyException { +- MessageDigest md = MessageDigest.getInstance("SHA-1"); + X509Key subjectKeyInfo = convertPublicKeyToX509Key( + keypair.getPublic()); + +- //md.update(subjectKeyInfo.getEncoded()); +- md.update(subjectKeyInfo.getKey()); +- return new KeyIdentifier(md.digest()); ++ byte[] hash = CryptoUtil.generateKeyIdentifier(subjectKeyInfo.getKey()); ++ ++ if (hash == null) { ++ CMS.debug("KeyCertUtil: createKeyIdentifier " + ++ "CryptoUtil.generateKeyIdentifier returns null"); ++ return null; ++ } ++ return new KeyIdentifier(hash); + } + + public static BigInteger getSerialNumber(LDAPConnection conn, String baseDN) +diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java +index e529a0f..8b8c443 100644 +--- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java ++++ b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java +@@ -27,6 +27,7 @@ import java.net.SocketException; + import java.security.InvalidAlgorithmParameterException; + import java.security.InvalidKeyException; + import java.security.KeyPair; ++import 
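Review bot: createKeyIdentifier now returns null where it previously threw NoSuchAlgorithmException, yet it still declares `throws NoSuchAlgorithmException`, so callers written to catch the exception instead receive a null KeyIdentifier and fail later with a NullPointerException wherever the identifier is fed into an extension. Because CryptoUtil.generateKeyIdentifier only returns null when the digest could not be computed, throwing preserves the documented contract: replace the null branch with `throw new NoSuchAlgorithmException("KeyCertUtil: createKeyIdentifier: CryptoUtil.generateKeyIdentifier returned null");`. Turning an exception into a null return for callers outside this hunk is a behaviour change the patch description does not mention.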
java.security.MessageDigest; + import java.security.NoSuchAlgorithmException; + import java.security.NoSuchProviderException; + import java.security.PublicKey; +@@ -127,6 +128,7 @@ import netscape.security.util.DerValue; + import netscape.security.util.ObjectIdentifier; + import netscape.security.util.WrappingParams; + import netscape.security.x509.AlgorithmId; ++import netscape.security.x509.CertAttrSet; + import netscape.security.x509.CertificateAlgorithmId; + import netscape.security.x509.CertificateChain; + import netscape.security.x509.CertificateExtensions; +@@ -136,7 +138,11 @@ import netscape.security.x509.CertificateSubjectName; + import netscape.security.x509.CertificateValidity; + import netscape.security.x509.CertificateVersion; + import netscape.security.x509.CertificateX509Key; ++import netscape.security.x509.Extension; + import netscape.security.x509.Extensions; ++import netscape.security.x509.KeyIdentifier; ++import netscape.security.x509.PKIXExtensions; ++import netscape.security.x509.SubjectKeyIdentifierExtension; + import netscape.security.x509.X500Name; + import netscape.security.x509.X500Signer; + import netscape.security.x509.X509CertImpl; +@@ -1536,10 +1542,33 @@ public class CryptoUtil { + * This createCertificationRequest() allows extensions to be added to the CSR + */ + public static PKCS10 createCertificationRequest(String subjectName, ++ KeyPair keyPair, Extensions exts) ++ throws NoSuchAlgorithmException, NoSuchProviderException, ++ InvalidKeyException, IOException, CertificateException, ++ SignatureException { ++ String method = "CryptoUtil: createCertificationRequest: "; ++ ++ String alg = "SHA256withRSA"; ++ PublicKey pubk = keyPair.getPublic(); ++ X509Key key = convertPublicKeyToX509Key(pubk); ++ if (pubk instanceof RSAPublicKey) { ++ alg = "SHA256withRSA"; ++ } else if (isECCKey(key)) { ++ alg = "SHA256withEC"; ++ } else { ++ throw new NoSuchAlgorithmException(method + alg); ++ } ++ ++ return createCertificationRequest( ++ 
subjectName, key, (org.mozilla.jss.crypto.PrivateKey) keyPair.getPrivate(), ++ alg, exts); ++ } ++ ++ public static PKCS10 createCertificationRequest(String subjectName, + X509Key pubk, PrivateKey prik, String alg, Extensions exts) + throws NoSuchAlgorithmException, NoSuchProviderException, +- InvalidKeyException, IOException, CertificateException, +- SignatureException { ++ InvalidKeyException, IOException, CertificateException, ++ SignatureException { + X509Key key = pubk; + java.security.Signature sig = java.security.Signature.getInstance(alg, + "Mozilla-JSS"); +@@ -1548,11 +1577,12 @@ public class CryptoUtil { + PKCS10 pkcs10 = null; + + if (exts != null && !exts.isEmpty()) { +- PKCS10Attribute attr = new +- PKCS10Attribute(PKCS9Attribute.EXTENSION_REQUEST_OID, +- exts); ++ PKCS10Attribute attr = new PKCS10Attribute(PKCS9Attribute.EXTENSION_REQUEST_OID, ++ exts); + PKCS10Attributes attrs = new PKCS10Attributes(); + ++ System.out.println("PKCS10: createCertificationRequest: adding attribute name =" + ++ attr.getAttributeValue().getName()); + attrs.setAttribute(attr.getAttributeValue().getName(), attr); + + pkcs10 = new PKCS10(key, attrs); +@@ -1566,6 +1596,51 @@ public class CryptoUtil { + return pkcs10; + } + ++ public static KeyIdentifier createKeyIdentifier(KeyPair keypair) ++ throws NoSuchAlgorithmException, InvalidKeyException { ++ String method = "CryptoUtil: createKeyIdentifier: "; ++ System.out.println(method + "begins"); ++ ++ X509Key subjectKeyInfo = convertPublicKeyToX509Key( ++ keypair.getPublic()); ++ ++ byte[] hash = generateKeyIdentifier(subjectKeyInfo.getKey()); ++ ++ if (hash == null) { ++ System.out.println(method + ++ "generateKeyIdentifier returns null"); ++ return null; ++ } ++ return new KeyIdentifier(hash); ++ } ++ ++ public static byte[] generateKeyIdentifier(byte[] rawKey) { ++ return generateKeyIdentifier(rawKey, null); ++ } ++ ++ public static byte[] generateKeyIdentifier(byte[] rawKey, String alg) { ++ String method = "CryptoUtil: 
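Review bot: In the new KeyPair overload the fallback `throw new NoSuchAlgorithmException(method + alg)` reports "SHA256withRSA" (the value `alg` was initialised to) for a key that is neither RSA nor EC, which points an operator at the wrong thing: the algorithm is fine, the key type is unsupported. Report the key instead, `throw new NoSuchAlgorithmException(method + "unsupported key type: " + pubk.getAlgorithm());`, after which the pre-initialisation of `alg` can go since both supported branches assign it. The `System.out.println` added in the adjacent hunk writes attribute names to stdout rather than to any log the server controls; a style point, but CryptoUtil would benefit from one consistent logging route.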
generateKeyIdentifier: "; ++ String msg = ""; ++ if (alg == null) { ++ alg = "SHA-1"; ++ } ++ try { ++ MessageDigest md = MessageDigest.getInstance(alg); ++ ++ md.update(rawKey); ++ byte[] hash = md.digest(); ++ ++ return hash; ++ } catch (NoSuchAlgorithmException e) { ++ msg = method + e; ++ System.out.println(msg); ++ } catch (Exception e) { ++ msg = method + e; ++ System.out.println(msg); ++ } ++ return null; ++ } ++ + /** + * Creates a PKCS#10 request. + */ +@@ -1611,6 +1686,102 @@ public class CryptoUtil { + return pkcs10; + } + ++ /* ++ * get extention from PKCS10 request ++ */ ++ public static netscape.security.x509.Extension getExtensionFromPKCS10(PKCS10 pkcs10, String extnName) ++ throws IOException, CertificateException { ++ Extension extn = null; ++ ++ String method = "CryptoUtiil: getExtensionFromPKCS10: "; ++ System.out.println(method + "begins"); ++ ++ PKCS10Attributes attributeSet = pkcs10.getAttributes(); ++ if (attributeSet == null) { ++ System.out.println(method + "attributeSet not found"); ++ return null; ++ } ++ PKCS10Attribute attr = attributeSet.getAttribute("extensions"); ++ if (attr == null) { ++ System.out.println(method + "extensions attribute not found"); ++ return null; ++ } ++ System.out.println(method + attr.toString()); ++ ++ CertAttrSet cas = attr.getAttributeValue(); ++ if (cas == null) { ++ System.out.println(method + "CertAttrSet not found in PKCS10Attribute"); ++ return null; ++ } ++ ++ Enumeration en = cas.getAttributeNames(); ++ while (en.hasMoreElements()) { ++ String name = en.nextElement(); ++ System.out.println(method + " checking extension in request:" + name); ++ if (name.equals(extnName)) { ++ System.out.println(method + "extension matches"); ++ extn = (Extension)cas.get(name); ++ } ++ } ++ ++ System.out.println(method + "ends"); ++ return extn; ++ } ++ ++ /* ++ * get extension from CRMF cert request (CertTemplate) ++ */ ++ public static netscape.security.x509.Extension getExtensionFromCertTemplate(CertTemplate 
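Review bot: generateKeyIdentifier follows the `NoSuchAlgorithmException` handler with a catch-all `catch (Exception e)`, so a null `rawKey` (which makes `md.update` throw NullPointerException) is swallowed and reaches callers only as their generic "returns null" debug line, hiding the real cause in the CA request path. Validate the argument up front, `if (rawKey == null) { System.out.println(method + "rawKey is null"); return null; }`, and drop the catch-all so unexpected runtime failures propagate instead of being folded into a null every caller must special-case. A short doc comment would also help: the "SHA-1" default is the RFC 5280 4.2.1.2 method-1 key identifier, a naming hash rather than a security-relevant digest, so the choice does not weaken the certificate and need not track signature-hash policy.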
certTemplate, ObjectIdentifier csOID) { ++ //ObjectIdentifier csOID = PKIXExtensions.SubjectKey_Id; ++ OBJECT_IDENTIFIER jssOID = ++ new OBJECT_IDENTIFIER(csOID.toString()); ++/* ++ return getExtensionFromCertTemplate(certTemplate, jssOID); ++ } ++ public static netscape.security.x509.Extension getExtensionFromCertTemplate(CertTemplate certTemplate, org.mozilla.jss.asn1.OBJECT_IDENTIFIER jssOID) { ++*/ ++ ++ String method = "CryptoUtil: getSKIExtensionFromCertTemplate: "; ++ Extension extn = null; ++ ++ /* ++ * there seems to be an issue with constructor in Extension ++ * when feeding SubjectKeyIdentifierExtension; ++ * Special-case it ++ */ ++ OBJECT_IDENTIFIER SKIoid = ++ new OBJECT_IDENTIFIER(PKIXExtensions.SubjectKey_Id.toString()); ++ ++ if (certTemplate.hasExtensions()) { ++ int numexts = certTemplate.numExtensions(); ++ for (int j = 0; j < numexts; j++) { ++ org.mozilla.jss.pkix.cert.Extension jssext = ++ certTemplate.extensionAt(j); ++ org.mozilla.jss.asn1.OBJECT_IDENTIFIER extnoid = ++ jssext.getExtnId(); ++ System.out.println(method + "checking extension in request:" + extnoid.toString()); ++ if (extnoid.equals(jssOID)) { ++ System.out.println(method + "extension found"); ++ try { ++ if (jssOID.equals(SKIoid)) { ++ extn = ++ new SubjectKeyIdentifierExtension(false, jssext.getExtnValue().toByteArray()); ++ } else { ++ extn = ++ new netscape.security.x509.Extension(csOID, false, jssext.getExtnValue().toByteArray()); ++ } ++ } catch (IOException e) { ++ System.out.println(method + e); ++ } ++ } ++ } ++ } else { ++ System.out.println(method + "no extension found"); ++ } ++ ++ return extn; ++ } ++ + public static void unTrustCert(InternalCertificate cert) { + // remove TRUSTED_CA + int flag = cert.getSSLTrust(); +diff --git a/base/util/src/netscape/security/pkcs/PKCS10.java b/base/util/src/netscape/security/pkcs/PKCS10.java +index 0702e82..10933b0 100644 +--- a/base/util/src/netscape/security/pkcs/PKCS10.java ++++ 
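Review bot: Extensions recovered from the CRMF template are rebuilt with the critical flag hard-coded to `false` (`new SubjectKeyIdentifierExtension(false, ...)` and `new Extension(csOID, false, ...)`), so a requester's critical bit is discarded before any profile policy can see it; the JSS `org.mozilla.jss.pkix.cert.Extension` presumably exposes it (`getCritical()`), and that value should be passed through. The loop also keeps scanning after a match, so a template carrying two extensions with the same OID yields the last one; RFC 5280 forbids duplicate extension OIDs, and since the template is attacker-controlled input it would be safer to `break` on the first match or treat a duplicate as a malformed request. getExtensionFromPKCS10 in the same hunk has the same last-match behaviour. A Javadoc note that null means "absent or failed to parse" (the IOException is only printed) would warn callers that they cannot currently tell missing from malformed.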
b/base/util/src/netscape/security/pkcs/PKCS10.java +@@ -123,6 +123,13 @@ public class PKCS10 { + byte sigData[]; + Signature sig; + ++ String method = "PKCS10: PKCS10: "; ++ String msg = ""; ++ ++ System.out.println(method + "begins"); ++ if (data == null) { ++ throw new IllegalArgumentException(method + "param data cann't be null"); ++ } + certificateRequest = data; + + // +@@ -131,9 +138,12 @@ public class PKCS10 { + // + in = new DerInputStream(data); + seq = in.getSequence(3); ++ if (seq == null) { ++ throw new IllegalArgumentException(method + "in.getSequence null"); ++ } + + if (seq.length != 3) +- throw new IllegalArgumentException("not a PKCS #10 request"); ++ throw new IllegalArgumentException(method + "not a PKCS #10 request"); + + data = seq[0].toByteArray(); // reusing this variable + certRequestInfo = seq[0].toByteArray(); // make a copy +@@ -152,20 +162,22 @@ public class PKCS10 { + */ + + subject = new X500Name(seq[0].data); ++ msg = "Request Subject: " + subject + ": "; + + byte val1[] = seq[0].data.getDerValue().toByteArray(); + subjectPublicKeyInfo = X509Key.parse(new DerValue(val1)); + PublicKey publicKey = X509Key.parsePublicKey(new DerValue(val1)); + if (publicKey == null) { +- System.out.println("PKCS10: publicKey null"); +- throw new SignatureException ("publicKey null"); ++ System.out.println(method + msg + "publicKey null"); ++ throw new SignatureException (method + msg + "publicKey null"); + } + + // Cope with a somewhat common illegal PKCS #10 format +- if (seq[0].data.available() != 0) ++ if (seq[0].data.available() != 0) { + attributeSet = new PKCS10Attributes(seq[0].data); +- else ++ } else { + attributeSet = new PKCS10Attributes(); ++ } + + // + // OK, we parsed it all ... 
validate the signature using the +@@ -202,14 +214,15 @@ public class PKCS10 { + sig.initVerify(publicKey); + sig.update(data); + if (!sig.verify(sigData)) { +- System.out.println("PKCS10: sig.verify() failed"); +- throw new SignatureException("Invalid PKCS #10 signature"); ++ System.out.println(method + msg + "sig.verify() failed"); ++ throw new SignatureException(method + msg + "Invalid PKCS #10 signature"); + } + } + } catch (InvalidKeyException e) { +- System.out.println("PKCS10: "+ e.toString()); +- throw new SignatureException("invalid key"); ++ System.out.println(method + msg + e.toString()); ++ throw new SignatureException(method + msg + "invalid key"); + } ++ System.out.println(method + "ends"); + } + + public PKCS10(byte data[]) +diff --git a/base/util/src/netscape/security/pkcs/PKCS10Attributes.java b/base/util/src/netscape/security/pkcs/PKCS10Attributes.java +index 4c97218..45d5695 100644 +--- a/base/util/src/netscape/security/pkcs/PKCS10Attributes.java ++++ b/base/util/src/netscape/security/pkcs/PKCS10Attributes.java +@@ -66,6 +66,8 @@ public class PKCS10Attributes extends Vector implements DerEnco + for (int i = 0; i < attrs.length; i++) { + PKCS10Attribute attr = new PKCS10Attribute(attrs[i]); + addElement(attr); ++ System.out.println("PKCS10Attributes: adding attribute: " + ++ attr.getAttributeValue().getName()); + map.put(attr.getAttributeValue().getName(), attr); + } + } +-- +1.8.3.1 + + +From 8751cd2c5cc0c41c5d85724fddfd5d872ad994ed Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Wed, 17 May 2017 16:30:52 +0200 +Subject: [PATCH 17/27] Fixed CERT_REQUEST_PROCESSED events in + ConnectorServlet. + +The code that generates CERT_REQUEST_PROCESSED events in +ConnectorServlet.processRequest() has been moved into a finally- +clause that wraps around IRequestQueue.processRequest() to ensure +that the events are generated properly. 
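Review bot: The new `msg` prefix interpolates the requester-supplied subject name into both the `System.out` lines and the SignatureException messages ("invalid key", "Invalid PKCS #10 signature"); a CSR is untrusted input, so unless X500Name.toString() escapes control characters this is a log-injection vector on stdout and may echo attacker-chosen text through whatever surfaces the exception message. The subject is useful for forensics, but it belongs in a log line the server controls rather than in the exception text: keep `System.out.println(method + msg + "sig.verify() failed");` (or a real logger, since this util layer apparently has no CMS.debug) and throw `new SignatureException(method + "Invalid PKCS #10 signature")` without the subject. The `"begins"`/`"ends"` println pair in a constructor that runs for every incoming request is noise and could be dropped. The constructor starts in an earlier hunk.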
+ +If a cert was issued for the request that has just been processed +the event outcome is a Success, otherwise it's a Failure. + +Any exception thrown by the IRequestQueue.processRequest() will be +passed to the ConnectorServlet.processRequest()'s callers. + +https://pagure.io/dogtagpki/issue/2690 + +Change-Id: I07454afb75328fbee3e50e5852adb5085be0613e +--- + .../cms/servlet/connector/ConnectorServlet.java | 19 +++++-------------- + 1 file changed, 5 insertions(+), 14 deletions(-) + +diff --git a/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java b/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java +index eeb640e..82f3071 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java +@@ -617,6 +617,8 @@ public class ConnectorServlet extends CMSServlet { + try { + queue.processRequest(thisreq); + ++ } finally { ++ + if (isProfileRequest(thisreq)) { + + X509CertImpl x509cert = thisreq.getExtDataInCert(IEnrollProfile.REQUEST_ISSUED_CERT); +@@ -629,28 +631,17 @@ public class ConnectorServlet extends CMSServlet { + auditRequesterID, + ILogger.SIGNED_AUDIT_ACCEPTANCE, + x509cert)); +- } +- } + +- } catch (EBaseException eAudit1) { +- if (isProfileRequest(thisreq)) { +- +- X509CertImpl x509cert = thisreq.getExtDataInCert(IEnrollProfile.REQUEST_ISSUED_CERT); +- +- if (x509cert != null) { ++ } else { + + audit(new CertRequestProcessedEvent( + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, +- ILogger.SIGNED_AUDIT_ACCEPTANCE, +- x509cert)); ++ ILogger.SIGNED_AUDIT_REJECTION, ++ ILogger.SIGNED_AUDIT_EMPTY_VALUE)); + } + } +- +- // rethrow EBaseException to primary catch clause +- // within this method +- throw eAudit1; + } + + replymsg = CMS.getHttpPKIMessage(); +-- +1.8.3.1 + + +From 579ed7eed16c9fc6e02928f71656d2a326d68c22 Mon Sep 17 00:00:00 2001 +From: "Endi S. 
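Review bot: The finally block records a FAILURE/SIGNED_AUDIT_REJECTION CERT_REQUEST_PROCESSED event whenever `REQUEST_ISSUED_CERT` is absent after `queue.processRequest` returns, but a profile request that leaves the queue pending (e.g. held for agent approval, if this connector path admits that) has not been rejected, so the signed audit log would assert a rejection that never happened and later need a contradictory event. If pending is reachable here, gate the failure branch on the request status, e.g. `} else if (thisreq.getRequestStatus() != RequestStatus.PENDING) {`, or carry the actual status in the Info field. Anything thrown inside the finally block (isProfileRequest or getExtDataInCert) would also replace the exception from processRequest, losing the original cause. The enclosing try and the `replymsg` handling continue outside this hunk.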
Dewata" +Date: Tue, 16 May 2017 02:42:12 +0200 +Subject: [PATCH 18/27] Added CertStatusChangeRequestProcessedEvent. + +A new CertStatusChangeRequestProcessedEvent class has been added to +encapsulate the CERT_STATUS_CHANGE_REQUEST_PROCESSED events. + +https://pagure.io/dogtagpki/issue/2636 + +Change-Id: I41cf0ce94b176a2036b9f1f433212bf3c414fb0b +--- + .../com/netscape/certsrv/logging/AuditEvent.java | 2 - + .../CertStatusChangeRequestProcessedEvent.java | 52 ++++++++++++++++++++ + .../cms/servlet/cert/CMCRevReqServlet.java | 55 +++++++++------------- + .../com/netscape/cms/servlet/cert/DoRevokeTPS.java | 33 +++++-------- + .../netscape/cms/servlet/cert/DoUnrevokeTPS.java | 17 +++---- + .../cms/servlet/cert/RevocationProcessor.java | 8 ++-- + 6 files changed, 98 insertions(+), 69 deletions(-) + create mode 100644 base/common/src/com/netscape/certsrv/logging/event/CertStatusChangeRequestProcessedEvent.java + +diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java +index 059363e..21cac27 100644 +--- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java ++++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java +@@ -105,8 +105,6 @@ public class AuditEvent implements IBundleLogEvent { + "LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST_5"; + public final static String CERT_STATUS_CHANGE_REQUEST = + "LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_5"; +- public final static String CERT_STATUS_CHANGE_REQUEST_PROCESSED = +- "LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED_7"; + + public final static String AUTHZ_SUCCESS = + "LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS_4"; +diff --git a/base/common/src/com/netscape/certsrv/logging/event/CertStatusChangeRequestProcessedEvent.java b/base/common/src/com/netscape/certsrv/logging/event/CertStatusChangeRequestProcessedEvent.java +new file mode 100644 +index 0000000..f583ad2 +--- /dev/null ++++ 
b/base/common/src/com/netscape/certsrv/logging/event/CertStatusChangeRequestProcessedEvent.java +@@ -0,0 +1,52 @@ ++// --- BEGIN COPYRIGHT BLOCK --- ++// This program is free software; you can redistribute it and/or modify ++// it under the terms of the GNU General Public License as published by ++// the Free Software Foundation; version 2 of the License. ++// ++// This program is distributed in the hope that it will be useful, ++// but WITHOUT ANY WARRANTY; without even the implied warranty of ++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++// GNU General Public License for more details. ++// ++// You should have received a copy of the GNU General Public License along ++// with this program; if not, write to the Free Software Foundation, Inc., ++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. ++// ++// (C) 2017 Red Hat, Inc. ++// All rights reserved. ++// --- END COPYRIGHT BLOCK --- ++package com.netscape.certsrv.logging.event; ++ ++import com.netscape.certsrv.logging.AuditEvent; ++import com.netscape.certsrv.logging.ILogger; ++import com.netscape.certsrv.request.RequestStatus; ++ ++public class CertStatusChangeRequestProcessedEvent extends AuditEvent { ++ ++ private static final long serialVersionUID = 1L; ++ ++ public final static String LOGGING_PROPERTY = ++ "LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED_7"; ++ ++ public CertStatusChangeRequestProcessedEvent( ++ String subjectID, ++ String outcome, ++ String requesterID, ++ String serialNumber, ++ String requestType, ++ String reasonNum, ++ RequestStatus approvalStatus) { ++ ++ super(LOGGING_PROPERTY); ++ ++ setParameters(new Object[] { ++ subjectID, ++ outcome, ++ requesterID, ++ serialNumber, ++ requestType, ++ reasonNum, ++ approvalStatus == null ? 
ILogger.SIGNED_AUDIT_EMPTY_VALUE : approvalStatus.toString() ++ }); ++ } ++} +diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/CMCRevReqServlet.java b/base/server/cms/src/com/netscape/cms/servlet/cert/CMCRevReqServlet.java +index f4d7f8f..24ba494 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/cert/CMCRevReqServlet.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/cert/CMCRevReqServlet.java +@@ -31,13 +31,6 @@ import javax.servlet.ServletOutputStream; + import javax.servlet.http.HttpServletRequest; + import javax.servlet.http.HttpServletResponse; + +-import netscape.security.x509.CRLExtensions; +-import netscape.security.x509.CRLReasonExtension; +-import netscape.security.x509.InvalidityDateExtension; +-import netscape.security.x509.RevocationReason; +-import netscape.security.x509.RevokedCertImpl; +-import netscape.security.x509.X509CertImpl; +- + import com.netscape.certsrv.apps.CMS; + import com.netscape.certsrv.authentication.AuthToken; + import com.netscape.certsrv.authentication.EMissingCredential; +@@ -56,6 +49,7 @@ import com.netscape.certsrv.dbs.certdb.ICertificateRepository; + import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.AuditFormat; + import com.netscape.certsrv.logging.ILogger; ++import com.netscape.certsrv.logging.event.CertStatusChangeRequestProcessedEvent; + import com.netscape.certsrv.publish.IPublisherProcessor; + import com.netscape.certsrv.ra.IRegistrationAuthority; + import com.netscape.certsrv.request.IRequest; +@@ -69,6 +63,13 @@ import com.netscape.cms.servlet.common.CMSTemplateParams; + import com.netscape.cms.servlet.common.ECMSGWException; + import com.netscape.cmsutil.util.Utils; + ++import netscape.security.x509.CRLExtensions; ++import netscape.security.x509.CRLReasonExtension; ++import netscape.security.x509.InvalidityDateExtension; ++import netscape.security.x509.RevocationReason; ++import netscape.security.x509.RevokedCertImpl; ++import 
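Review bot: Only `approvalStatus` is normalised to `ILogger.SIGNED_AUDIT_EMPTY_VALUE` when null; `requesterID`, `serialNumber`, `requestType` and `reasonNum` go straight into setParameters, so a null from a caller is rendered as the literal "null" in the signed audit record, indistinguishable from a real value and inconsistent with the empty-value convention applied one line below. A small helper keeps every field consistent: `private static String orEmpty(String s) { return s == null ? ILogger.SIGNED_AUDIT_EMPTY_VALUE : s; }` applied to each String argument. A class-level Javadoc listing the seven placeholders of LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED_7 in positional order would make the mapping auditable, since a swapped argument here would corrupt the audit trail without any compile-time signal.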
netscape.security.x509.X509CertImpl; ++ + /** + * Revoke a certificate with a CMC-formatted revocation request + * +@@ -810,17 +811,15 @@ public class CMCRevReqServlet extends CMSServlet { + if (auditApprovalStatus == RequestStatus.COMPLETE || + auditApprovalStatus == RequestStatus.REJECTED || + auditApprovalStatus == RequestStatus.CANCELED) { +- auditMessage = CMS.getLogMessage( +- AuditEvent.CERT_STATUS_CHANGE_REQUEST_PROCESSED, ++ ++ audit(new CertStatusChangeRequestProcessedEvent( + auditSubjectID, + ILogger.SUCCESS, + auditRequesterID, + auditSerialNumber, + auditRequestType, + auditReasonNum, +- auditApprovalStatus == null ? ILogger.SIGNED_AUDIT_EMPTY_VALUE : auditApprovalStatus.toString()); +- +- audit(auditMessage); ++ auditApprovalStatus)); + } + + } catch (CertificateException e) { +@@ -844,17 +843,15 @@ public class CMCRevReqServlet extends CMSServlet { + if (auditApprovalStatus == RequestStatus.COMPLETE || + auditApprovalStatus == RequestStatus.REJECTED || + auditApprovalStatus == RequestStatus.CANCELED) { +- auditMessage = CMS.getLogMessage( +- AuditEvent.CERT_STATUS_CHANGE_REQUEST_PROCESSED, ++ ++ audit(new CertStatusChangeRequestProcessedEvent( + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditSerialNumber, + auditRequestType, + auditReasonNum, +- auditApprovalStatus == null ? ILogger.SIGNED_AUDIT_EMPTY_VALUE : auditApprovalStatus.toString()); +- +- audit(auditMessage); ++ auditApprovalStatus)); + } + } + +@@ -882,17 +879,15 @@ public class CMCRevReqServlet extends CMSServlet { + if (auditApprovalStatus == RequestStatus.COMPLETE || + auditApprovalStatus == RequestStatus.REJECTED || + auditApprovalStatus == RequestStatus.CANCELED) { +- auditMessage = CMS.getLogMessage( +- AuditEvent.CERT_STATUS_CHANGE_REQUEST_PROCESSED, ++ ++ audit(new CertStatusChangeRequestProcessedEvent( + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditSerialNumber, + auditRequestType, + auditReasonNum, +- auditApprovalStatus == null ? 
ILogger.SIGNED_AUDIT_EMPTY_VALUE : auditApprovalStatus.toString()); +- +- audit(auditMessage); ++ auditApprovalStatus)); + } + } + +@@ -921,17 +916,15 @@ public class CMCRevReqServlet extends CMSServlet { + if (auditApprovalStatus == RequestStatus.COMPLETE || + auditApprovalStatus == RequestStatus.REJECTED || + auditApprovalStatus == RequestStatus.CANCELED) { +- auditMessage = CMS.getLogMessage( +- AuditEvent.CERT_STATUS_CHANGE_REQUEST_PROCESSED, ++ ++ audit(new CertStatusChangeRequestProcessedEvent( + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditSerialNumber, + auditRequestType, + auditReasonNum, +- auditApprovalStatus == null ? ILogger.SIGNED_AUDIT_EMPTY_VALUE : auditApprovalStatus.toString()); +- +- audit(auditMessage); ++ auditApprovalStatus)); + } + } + +@@ -957,17 +950,15 @@ public class CMCRevReqServlet extends CMSServlet { + if (auditApprovalStatus == RequestStatus.COMPLETE || + auditApprovalStatus == RequestStatus.REJECTED || + auditApprovalStatus == RequestStatus.CANCELED) { +- auditMessage = CMS.getLogMessage( +- AuditEvent.CERT_STATUS_CHANGE_REQUEST_PROCESSED, ++ ++ audit(new CertStatusChangeRequestProcessedEvent( + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditSerialNumber, + auditRequestType, + auditReasonNum, +- auditApprovalStatus == null ? 
ILogger.SIGNED_AUDIT_EMPTY_VALUE : auditApprovalStatus.toString()); +- +- audit(auditMessage); ++ auditApprovalStatus)); + } + } + +diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/DoRevokeTPS.java b/base/server/cms/src/com/netscape/cms/servlet/cert/DoRevokeTPS.java +index 68ac6da..a9a6238 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/cert/DoRevokeTPS.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/cert/DoRevokeTPS.java +@@ -49,6 +49,7 @@ import com.netscape.certsrv.dbs.certdb.ICertificateRepository; + import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.AuditFormat; + import com.netscape.certsrv.logging.ILogger; ++import com.netscape.certsrv.logging.event.CertStatusChangeRequestProcessedEvent; + import com.netscape.certsrv.publish.IPublisherProcessor; + import com.netscape.certsrv.request.IRequest; + import com.netscape.certsrv.request.IRequestQueue; +@@ -557,17 +558,15 @@ public class DoRevokeTPS extends CMSServlet { + if (auditApprovalStatus == RequestStatus.COMPLETE || + auditApprovalStatus == RequestStatus.REJECTED || + auditApprovalStatus == RequestStatus.CANCELED) { +- auditMessage = CMS.getLogMessage( +- AuditEvent.CERT_STATUS_CHANGE_REQUEST_PROCESSED, ++ ++ audit(new CertStatusChangeRequestProcessedEvent( + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditSerialNumber, + auditRequestType, + auditReasonNum, +- auditApprovalStatus == null ? 
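Review bot: The five audit branches in CMCRevReqServlet (hunks @@ -810 through @@ -957) are now identical except for the `ILogger.SUCCESS` / `ILogger.FAILURE` argument, and each repeats the same `COMPLETE || REJECTED || CANCELED` status test before constructing the event. A private method taking the outcome plus the six audit values, which performs that status test and the `audit(new CertStatusChangeRequestProcessedEvent(...))` call, would make the next field added to the event a one-line change instead of five, which matters for an audit record that has to stay consistent across the success path and every failure path. The `auditMessage` local is no longer assigned in these branches; if its remaining uses are gone too, its declaration (outside these hunks) should go as well. The enclosing process() method starts and ends outside the hunk.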
ILogger.SIGNED_AUDIT_EMPTY_VALUE : auditApprovalStatus.toString()); +- +- audit(auditMessage); ++ auditApprovalStatus)); + } + + return; +@@ -748,17 +747,15 @@ public class DoRevokeTPS extends CMSServlet { + if (auditApprovalStatus == RequestStatus.COMPLETE || + auditApprovalStatus == RequestStatus.REJECTED || + auditApprovalStatus == RequestStatus.CANCELED) { +- auditMessage = CMS.getLogMessage( +- AuditEvent.CERT_STATUS_CHANGE_REQUEST_PROCESSED, ++ ++ audit(new CertStatusChangeRequestProcessedEvent( + auditSubjectID, + ILogger.SUCCESS, + auditRequesterID, + auditSerialNumber, + auditRequestType, + auditReasonNum, +- auditApprovalStatus == null ? ILogger.SIGNED_AUDIT_EMPTY_VALUE : auditApprovalStatus.toString()); +- +- audit(auditMessage); ++ auditApprovalStatus)); + } + } catch (EBaseException e) { + log(ILogger.LL_FAILURE, "error " + e); +@@ -783,17 +780,15 @@ public class DoRevokeTPS extends CMSServlet { + if (auditApprovalStatus == RequestStatus.COMPLETE || + auditApprovalStatus == RequestStatus.REJECTED || + auditApprovalStatus == RequestStatus.CANCELED) { +- auditMessage = CMS.getLogMessage( +- AuditEvent.CERT_STATUS_CHANGE_REQUEST_PROCESSED, ++ ++ audit(new CertStatusChangeRequestProcessedEvent( + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditSerialNumber, + auditRequestType, + auditReasonNum, +- auditApprovalStatus == null ? 
ILogger.SIGNED_AUDIT_EMPTY_VALUE : auditApprovalStatus.toString()); +- +- audit(auditMessage); ++ auditApprovalStatus)); + } + } + +@@ -822,17 +817,15 @@ public class DoRevokeTPS extends CMSServlet { + if (auditApprovalStatus == RequestStatus.COMPLETE || + auditApprovalStatus == RequestStatus.REJECTED || + auditApprovalStatus == RequestStatus.CANCELED) { +- auditMessage = CMS.getLogMessage( +- AuditEvent.CERT_STATUS_CHANGE_REQUEST_PROCESSED, ++ ++ audit(new CertStatusChangeRequestProcessedEvent( + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditSerialNumber, + auditRequestType, + auditReasonNum, +- auditApprovalStatus == null ? ILogger.SIGNED_AUDIT_EMPTY_VALUE : auditApprovalStatus.toString()); +- +- audit(auditMessage); ++ auditApprovalStatus)); + } + } + +diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/DoUnrevokeTPS.java b/base/server/cms/src/com/netscape/cms/servlet/cert/DoUnrevokeTPS.java +index 30bde76..36a6802 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/cert/DoUnrevokeTPS.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/cert/DoUnrevokeTPS.java +@@ -46,6 +46,7 @@ import com.netscape.certsrv.dbs.certdb.ICertificateRepository; + import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.AuditFormat; + import com.netscape.certsrv.logging.ILogger; ++import com.netscape.certsrv.logging.event.CertStatusChangeRequestProcessedEvent; + import com.netscape.certsrv.publish.IPublisherProcessor; + import com.netscape.certsrv.request.IRequest; + import com.netscape.certsrv.request.IRequestQueue; +@@ -461,17 +462,15 @@ public class DoUnrevokeTPS extends CMSServlet { + if (auditApprovalStatus == RequestStatus.COMPLETE || + auditApprovalStatus == RequestStatus.REJECTED || + auditApprovalStatus == RequestStatus.CANCELED) { +- auditMessage = CMS.getLogMessage( +- AuditEvent.CERT_STATUS_CHANGE_REQUEST_PROCESSED, ++ ++ audit(new CertStatusChangeRequestProcessedEvent( + auditSubjectID, + ILogger.SUCCESS, 
+ auditRequesterID, + auditSerialNumber, + auditRequestType, + auditReasonNum, +- auditApprovalStatus == null ? ILogger.SIGNED_AUDIT_EMPTY_VALUE : auditApprovalStatus.toString()); +- +- audit(auditMessage); ++ auditApprovalStatus)); + } + + } catch (EBaseException eAudit1) { +@@ -495,17 +494,15 @@ public class DoUnrevokeTPS extends CMSServlet { + if (auditApprovalStatus == RequestStatus.COMPLETE || + auditApprovalStatus == RequestStatus.REJECTED || + auditApprovalStatus == RequestStatus.CANCELED) { +- auditMessage = CMS.getLogMessage( +- AuditEvent.CERT_STATUS_CHANGE_REQUEST_PROCESSED, ++ ++ audit(new CertStatusChangeRequestProcessedEvent( + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditSerialNumber, + auditRequestType, + auditReasonNum, +- auditApprovalStatus == null ? ILogger.SIGNED_AUDIT_EMPTY_VALUE : auditApprovalStatus.toString()); +- +- audit(auditMessage); ++ auditApprovalStatus)); + } + } + } +diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/RevocationProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/cert/RevocationProcessor.java +index b90966e..570aea2 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/cert/RevocationProcessor.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/cert/RevocationProcessor.java +@@ -39,6 +39,7 @@ import com.netscape.certsrv.dbs.certdb.ICertificateRepository; + import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.AuditFormat; + import com.netscape.certsrv.logging.ILogger; ++import com.netscape.certsrv.logging.event.CertStatusChangeRequestProcessedEvent; + import com.netscape.certsrv.publish.IPublisherProcessor; + import com.netscape.certsrv.request.IRequest; + import com.netscape.certsrv.request.IRequestQueue; +@@ -505,17 +506,14 @@ public class RevocationProcessor extends CertProcessor { + || requestStatus == RequestStatus.REJECTED + || requestStatus == RequestStatus.CANCELED)) return; + +- String auditMessage = CMS.getLogMessage( +- 
AuditEvent.CERT_STATUS_CHANGE_REQUEST_PROCESSED, ++ auditor.log(new CertStatusChangeRequestProcessedEvent( + auditor.getSubjectID(), + status, + requestID == null ? ILogger.UNIDENTIFIED : requestID.toString(), + serialNumber == null ? ILogger.SIGNED_AUDIT_EMPTY_VALUE : serialNumber.toHexString(), + requestType, + String.valueOf(revocationReason.toInt()), +- requestStatus == null ? ILogger.SIGNED_AUDIT_EMPTY_VALUE : requestStatus.toString()); +- +- auditor.log(auditMessage); ++ requestStatus)); + } + + public void log(int level, String message) { +-- +1.8.3.1 + + +From 0b32d55d6c41dcdfbd63840a6681b12ad6675946 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Wed, 17 May 2017 22:06:38 +0200 +Subject: [PATCH 19/27] Refactored RevocationRequestListener.accept(). + +The RevocationRequestListener.accept() has been refactored to +reduce deeply nested if-statements with early return. + +https://pagure.io/dogtagpki/issue/2651 + +Change-Id: I11dac11f05a4e3626043f4cfa56feacf01e6d5dd +--- + base/ca/src/com/netscape/ca/CRLIssuingPoint.java | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/base/ca/src/com/netscape/ca/CRLIssuingPoint.java b/base/ca/src/com/netscape/ca/CRLIssuingPoint.java +index a593eb8..d105386 100644 +--- a/base/ca/src/com/netscape/ca/CRLIssuingPoint.java ++++ b/base/ca/src/com/netscape/ca/CRLIssuingPoint.java +@@ -3068,10 +3068,13 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { + public void accept(IRequest r) { + String requestType = r.getRequestType(); + +- if (requestType.equals(IRequest.REVOCATION_REQUEST) || ++ if (!(requestType.equals(IRequest.REVOCATION_REQUEST) || + requestType.equals(IRequest.UNREVOCATION_REQUEST) || + requestType.equals(IRequest.CLA_CERT4CRL_REQUEST) || +- requestType.equals(IRequest.CLA_UNCERT4CRL_REQUEST)) { ++ requestType.equals(IRequest.CLA_UNCERT4CRL_REQUEST))) { ++ return; ++ } ++ + CMS.debug("Revocation listener called."); + // check if serial number is in begin/end 
range if set. + if (mBeginSerial != null || mEndSerial != null) { +@@ -3136,7 +3139,6 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { + CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", e.toString()))); + } + } +- } + } + } + } +-- +1.8.3.1 + + +From 0af026413a65386a0e8c8aba81fe667412ef7f0d Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Wed, 17 May 2017 22:12:19 +0200 +Subject: [PATCH 20/27] Reformatted RevocationRequestListener.accept(). + +The RevocationRequestListener.accept() has been reformatted to +adjust the indentations after refactoring. + +https://pagure.io/dogtagpki/issue/2651 + +Change-Id: Ia94667b88dd48e3e0cf28ee3dd7eb5a5b4dee4b3 +--- + base/ca/src/com/netscape/ca/CRLIssuingPoint.java | 142 +++++++++++------------ + 1 file changed, 71 insertions(+), 71 deletions(-) + +diff --git a/base/ca/src/com/netscape/ca/CRLIssuingPoint.java b/base/ca/src/com/netscape/ca/CRLIssuingPoint.java +index d105386..64101d7 100644 +--- a/base/ca/src/com/netscape/ca/CRLIssuingPoint.java ++++ b/base/ca/src/com/netscape/ca/CRLIssuingPoint.java +@@ -31,23 +31,6 @@ import java.util.StringTokenizer; + import java.util.TimeZone; + import java.util.Vector; + +-import netscape.security.util.BitArray; +-import netscape.security.x509.AlgorithmId; +-import netscape.security.x509.CRLExtensions; +-import netscape.security.x509.CRLNumberExtension; +-import netscape.security.x509.CRLReasonExtension; +-import netscape.security.x509.DeltaCRLIndicatorExtension; +-import netscape.security.x509.Extension; +-import netscape.security.x509.FreshestCRLExtension; +-import netscape.security.x509.IssuingDistributionPoint; +-import netscape.security.x509.IssuingDistributionPointExtension; +-import netscape.security.x509.RevocationReason; +-import netscape.security.x509.RevokedCertImpl; +-import netscape.security.x509.RevokedCertificate; +-import netscape.security.x509.X509CRLImpl; +-import netscape.security.x509.X509CertImpl; +-import 
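Review bot: The rewritten guard still dereferences `requestType` directly (`requestType.equals(IRequest.REVOCATION_REQUEST)` and the three tests that follow), so a request whose type is unset would throw a NullPointerException out of the listener instead of being ignored by the new early return. I cannot tell from the hunk whether `IRequest.getRequestType()` can return null, but a listener invoked for every request is the place to be defensive, and the comparisons were rewritten here anyway. Constant-first comparisons, `if (!(IRequest.REVOCATION_REQUEST.equals(requestType) || IRequest.UNREVOCATION_REQUEST.equals(requestType) || IRequest.CLA_CERT4CRL_REQUEST.equals(requestType) || IRequest.CLA_UNCERT4CRL_REQUEST.equals(requestType)))`, give the same answer for non-null types and turn the null case into the early return. The rest of accept() continues below the hunk.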
netscape.security.x509.X509ExtensionException; +- + import com.netscape.certsrv.apps.CMS; + import com.netscape.certsrv.base.EBaseException; + import com.netscape.certsrv.base.IConfigStore; +@@ -83,6 +66,23 @@ import com.netscape.cmscore.dbs.CertRecord; + import com.netscape.cmscore.dbs.CertificateRepository; + import com.netscape.cmscore.util.Debug; + ++import netscape.security.util.BitArray; ++import netscape.security.x509.AlgorithmId; ++import netscape.security.x509.CRLExtensions; ++import netscape.security.x509.CRLNumberExtension; ++import netscape.security.x509.CRLReasonExtension; ++import netscape.security.x509.DeltaCRLIndicatorExtension; ++import netscape.security.x509.Extension; ++import netscape.security.x509.FreshestCRLExtension; ++import netscape.security.x509.IssuingDistributionPoint; ++import netscape.security.x509.IssuingDistributionPointExtension; ++import netscape.security.x509.RevocationReason; ++import netscape.security.x509.RevokedCertImpl; ++import netscape.security.x509.RevokedCertificate; ++import netscape.security.x509.X509CRLImpl; ++import netscape.security.x509.X509CertImpl; ++import netscape.security.x509.X509ExtensionException; ++ + /** + * This class encapsulates CRL issuing mechanism. CertificateAuthority + * contains a map of CRLIssuingPoint indexed by string ids. Each issuing +@@ -3075,70 +3075,70 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { + return; + } + +- CMS.debug("Revocation listener called."); +- // check if serial number is in begin/end range if set. +- if (mBeginSerial != null || mEndSerial != null) { +- CMS.debug( +- "Checking if serial number is between " + +- mBeginSerial + " and " + mEndSerial); +- BigInteger[] serialNos = +- r.getExtDataInBigIntegerArray(IRequest.OLD_SERIALS); ++ CMS.debug("Revocation listener called."); ++ // check if serial number is in begin/end range if set. 
++ if (mBeginSerial != null || mEndSerial != null) { ++ CMS.debug( ++ "Checking if serial number is between " + ++ mBeginSerial + " and " + mEndSerial); ++ BigInteger[] serialNos = ++ r.getExtDataInBigIntegerArray(IRequest.OLD_SERIALS); + +- if (serialNos == null || serialNos.length == 0) { +- X509CertImpl oldCerts[] = +- r.getExtDataInCertArray(IRequest.OLD_CERTS); ++ if (serialNos == null || serialNos.length == 0) { ++ X509CertImpl oldCerts[] = ++ r.getExtDataInCertArray(IRequest.OLD_CERTS); + +- if (oldCerts == null || oldCerts.length == 0) +- return; +- serialNos = new BigInteger[oldCerts.length]; +- for (int i = 0; i < oldCerts.length; i++) { +- serialNos[i] = oldCerts[i].getSerialNumber(); +- } ++ if (oldCerts == null || oldCerts.length == 0) ++ return; ++ serialNos = new BigInteger[oldCerts.length]; ++ for (int i = 0; i < oldCerts.length; i++) { ++ serialNos[i] = oldCerts[i].getSerialNumber(); + } ++ } + +- boolean inRange = false; ++ boolean inRange = false; + +- for (int i = 0; i < serialNos.length; i++) { +- if ((mBeginSerial == null || +- serialNos[i].compareTo(mBeginSerial) >= 0) && +- (mEndSerial == null || +- serialNos[i].compareTo(mEndSerial) <= 0)) { +- inRange = true; +- } +- } +- if (!inRange) { +- return; ++ for (int i = 0; i < serialNos.length; i++) { ++ if ((mBeginSerial == null || ++ serialNos[i].compareTo(mBeginSerial) >= 0) && ++ (mEndSerial == null || ++ serialNos[i].compareTo(mEndSerial) <= 0)) { ++ inRange = true; + } + } ++ if (!inRange) { ++ return; ++ } ++ } + +- if (mAlwaysUpdate) { +- try { +- updateCRLNow(); +- r.setExtData(mCrlUpdateStatus, IRequest.RES_SUCCESS); +- if (mPublisherProcessor != null) { +- r.setExtData(mCrlPublishStatus, IRequest.RES_SUCCESS); +- } +- } catch (EErrorPublishCRL e) { +- // error already logged in updateCRLNow(); +- r.setExtData(mCrlUpdateStatus, IRequest.RES_SUCCESS); +- if (mPublisherProcessor != null) { +- r.setExtData(mCrlPublishStatus, IRequest.RES_ERROR); +- r.setExtData(mCrlPublishError, e); +- } 
+- } catch (EBaseException e) { +- log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_UPDATE_CRL", e.toString())); +- r.setExtData(mCrlUpdateStatus, IRequest.RES_ERROR); +- r.setExtData(mCrlUpdateError, e); +- } catch (Exception e) { +- log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_UPDATE_CRL", e.toString())); +- if (Debug.on()) +- Debug.printStackTrace(e); +- r.setExtData(mCrlUpdateStatus, IRequest.RES_ERROR); +- r.setExtData(mCrlUpdateError, +- new EBaseException( +- CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", e.toString()))); ++ if (mAlwaysUpdate) { ++ try { ++ updateCRLNow(); ++ r.setExtData(mCrlUpdateStatus, IRequest.RES_SUCCESS); ++ if (mPublisherProcessor != null) { ++ r.setExtData(mCrlPublishStatus, IRequest.RES_SUCCESS); ++ } ++ } catch (EErrorPublishCRL e) { ++ // error already logged in updateCRLNow(); ++ r.setExtData(mCrlUpdateStatus, IRequest.RES_SUCCESS); ++ if (mPublisherProcessor != null) { ++ r.setExtData(mCrlPublishStatus, IRequest.RES_ERROR); ++ r.setExtData(mCrlPublishError, e); + } ++ } catch (EBaseException e) { ++ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_UPDATE_CRL", e.toString())); ++ r.setExtData(mCrlUpdateStatus, IRequest.RES_ERROR); ++ r.setExtData(mCrlUpdateError, e); ++ } catch (Exception e) { ++ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_UPDATE_CRL", e.toString())); ++ if (Debug.on()) ++ Debug.printStackTrace(e); ++ r.setExtData(mCrlUpdateStatus, IRequest.RES_ERROR); ++ r.setExtData(mCrlUpdateError, ++ new EBaseException( ++ CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", e.toString()))); + } ++ } + } + } + } +-- +1.8.3.1 + + +From ea036b22d7d15cefb8f7a56e9c9781b545dec8ee Mon Sep 17 00:00:00 2001 +From: Matthew Harmsen +Date: Wed, 17 May 2017 17:17:42 -0600 +Subject: [PATCH 21/27] Correct section headings in user deployment + configuration file + +Bugzilla Bug #1447144 - CA brought down during separate KRA instance creation +dogtagpki Pagure Issue #2674 - CA brought 
down during separate KRA instance + creation +--- + base/server/sbin/pkispawn | 39 +++++++++++++++++++++++++++++++++++++++ + 1 file changed, 39 insertions(+) + +diff --git a/base/server/sbin/pkispawn b/base/server/sbin/pkispawn +index 9394b8e..9e2ebc8 100755 +--- a/base/server/sbin/pkispawn ++++ b/base/server/sbin/pkispawn +@@ -30,9 +30,12 @@ if not hasattr(sys, "hexversion") or sys.hexversion < 0x020700f0: + print("Please upgrade to at least Python 2.7.0.") + sys.exit(1) + try: ++ import fileinput + import ldap + import os + import requests ++ import time ++ from time import strftime as date + import traceback + import pki + from pki.server.deployment import pkiconfig as config +@@ -105,6 +108,8 @@ def main(argv): + interactive = True + parser.indent = 0 + print(log.PKISPAWN_INTERACTIVE_INSTALLATION) ++ else: ++ sanitize_user_deployment_cfg(config.user_deployment_cfg) + + # Only run this program as "root". + if not os.geteuid() == 0: +@@ -574,6 +579,40 @@ def main(argv): + print_final_install_information(parser.mdict) + + ++def sanitize_user_deployment_cfg(cfg): ++ # Generate a timestamp ++ ticks = time.time() ++ timestamp = date('%Y%m%d%H%M%S', time.localtime(ticks)) ++ ++ # Correct any section headings in the user's configuration file ++ for line in fileinput.FileInput(cfg, inplace=1, backup='.' 
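Review bot: `sanitize_user_deployment_cfg(config.user_deployment_cfg)` runs before the `os.geteuid() == 0` check that immediately follows it, and the function (added later in this patch) rewrites the deployment file in place and leaves a timestamped backup, so a non-root invocation that is about to be refused still modifies the user's file. Move the call below the root check, after the `sys.exit` for the non-root case, so an aborted run has no side effects. The hunk does not show whether the path has been validated to exist yet; if that validation happens later in main(), the call should follow it as well, otherwise a typo in the path surfaces as an IOError from fileinput rather than the usual error message. main() continues outside the hunk.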
+ timestamp): ++ # Remove extraneous leading and trailing whitespace from all lines ++ line = line.strip() ++ # Normalize section headings to match '/etc/pki/default.cfg' ++ if line.startswith("["): ++ if line.upper().startswith("[DEFAULT"): ++ line = "[DEFAULT]" ++ elif line.upper().startswith("[TOMCAT"): ++ line = "[Tomcat]" ++ elif line.upper().startswith("[CA"): ++ line = "[CA]" ++ elif line.upper().startswith("[KRA"): ++ line = "[KRA]" ++ elif line.upper().startswith("[OCSP"): ++ line = "[OCSP]" ++ elif line.upper().startswith("[RA"): ++ line = "[RA]" ++ elif line.upper().startswith("[TKS"): ++ line = "[TKS]" ++ elif line.upper().startswith("[TPS"): ++ line = "[TPS]" ++ else: ++ # Notify user of the existence of an invalid section heading ++ sys.stderr.write("'%s' contains an invalid section " ++ "heading called '%s'!\n" % (cfg, line)) ++ print(line) ++ ++ + def start_logging(): + # Enable 'pkispawn' logging. + config.pki_log_dir = config.pki_root_prefix + \ +-- +1.8.3.1 + + +From 202c747564868432df93c6cf272fcd9d2979d8d8 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Fri, 19 May 2017 00:09:29 +0200 +Subject: [PATCH 22/27] Added debug logs for UpdateCRL servlet. + +Some debug logs have been added into UpdateCRL servlet to improve +code clarity. 
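Review bot: `fileinput.FileInput(cfg, inplace=1, backup='.' + timestamp)` rewrites the user's deployment file on every non-interactive run and leaves a fresh `cfg.<timestamp>` copy behind each time, even when no heading needed correcting; if that file carries credentials (pkispawn deployment files commonly do, confirm against the keys this parser reads) the result is an ever-growing set of secret-bearing copies that nothing cleans up and the user never asked for. The loop also `strip()`s and re-emits every line, not just headings, so the whole file is normalised as a side effect. Read the file first, normalise headings in memory, and only rewrite (with the backup) when something actually changed; moving the if/elif chain into a helper lets both passes share it, with the stderr warning emitted once. Python 2.7 is the floor here (per the version check at the top of the file), so `print(line)` under fileinput's redirected stdout is fine as is.
```python
def sanitize_user_deployment_cfg(cfg):
    # … unchanged: timestamp generation …
    with open(cfg) as f:
        lines = [line.strip() for line in f]
    corrected = [normalize_section_heading(cfg, line) for line in lines]
    if corrected == lines:
        # Nothing to fix: leave the file (and any credentials in it) untouched
        # and do not leave another backup copy behind.
        return
    for line in fileinput.FileInput(cfg, inplace=1, backup='.' + timestamp):
        print(normalize_section_heading(cfg, line.strip(), warn=False))


def normalize_section_heading(cfg, line, warn=True):
    # … unchanged: the existing if/elif chain over line.upper().startswith("[...");
    #   write the invalid-heading warning to sys.stderr only when warn is True;
    #   return the (possibly corrected) line …
```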
+ +https://pagure.io/dogtagpki/issue/2651 + +Change-Id: I4dc92d574b8ce93f2964663d36ca28851e400839 +--- + .../com/netscape/cms/servlet/cert/UpdateCRL.java | 46 ++++++++++++++++++++-- + 1 file changed, 43 insertions(+), 3 deletions(-) + +diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/UpdateCRL.java b/base/server/cms/src/com/netscape/cms/servlet/cert/UpdateCRL.java +index 7faecf1..b4d9d29 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/cert/UpdateCRL.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/cert/UpdateCRL.java +@@ -294,6 +294,7 @@ public class UpdateCRL extends CMSServlet { + String signatureAlgorithm, + Locale locale) + throws EBaseException { ++ + long startTime = CMS.getCurrentDate().getTime(); + String waitForUpdate = + req.getParameter("waitForUpdate"); +@@ -322,6 +323,7 @@ public class UpdateCRL extends CMSServlet { + crlIssuingPointId = null; + } + } ++ + if (crlIssuingPointId == null) { + crlIssuingPointId = ICertificateAuthority.PROP_MASTER_CRL; + } +@@ -336,39 +338,61 @@ public class UpdateCRL extends CMSServlet { + return; + } + ++ CMS.debug("UpdateCRL: CRL issuing point: " + crlIssuingPoint.getId()); ++ + if (clearCache != null && clearCache.equals("true") && + crlIssuingPoint.isCRLGenerationEnabled() && + crlIssuingPoint.isCRLUpdateInProgress() == ICRLIssuingPoint.CRL_UPDATE_DONE && + crlIssuingPoint.isCRLIssuingPointInitialized() + == ICRLIssuingPoint.CRL_IP_INITIALIZED) { ++ ++ CMS.debug("UpdateCRL: clearing CRL cache"); + crlIssuingPoint.clearCRLCache(); + } ++ + if (!(waitForUpdate != null && waitForUpdate.equals("true") && + crlIssuingPoint.isCRLGenerationEnabled() && + crlIssuingPoint.isCRLUpdateInProgress() == ICRLIssuingPoint.CRL_UPDATE_DONE && + crlIssuingPoint.isCRLIssuingPointInitialized() + == ICRLIssuingPoint.CRL_IP_INITIALIZED)) { ++ + if (crlIssuingPoint.isCRLIssuingPointInitialized() != ICRLIssuingPoint.CRL_IP_INITIALIZED) { ++ ++ CMS.debug("UpdateCRL: CRL issuing point not initialized"); + 
header.addStringValue("crlUpdate", "notInitialized"); ++ + } else if (crlIssuingPoint.isCRLUpdateInProgress() + != ICRLIssuingPoint.CRL_UPDATE_DONE || + crlIssuingPoint.isManualUpdateSet()) { ++ ++ CMS.debug("UpdateCRL: CRL update in progress"); + header.addStringValue("crlUpdate", "inProgress"); ++ + } else if (!crlIssuingPoint.isCRLGenerationEnabled()) { ++ ++ CMS.debug("UpdateCRL: CRL update disabled"); + header.addStringValue("crlUpdate", "Disabled"); ++ + } else { ++ ++ CMS.debug("UpdateCRL: scheduling CRL update"); + crlIssuingPoint.setManualUpdate(signatureAlgorithm); + header.addStringValue("crlUpdate", "Scheduled"); + } ++ + return; + } ++ + if (test != null && test.equals("true") && + crlIssuingPoint.isCRLCacheTestingEnabled() && + (!mTesting.contains(crlIssuingPointId))) { +- CMS.debug("CRL test started."); ++ ++ CMS.debug("UpdateCRL: CRL test started"); ++ + mTesting.add(crlIssuingPointId); + BigInteger addLen = null; + BigInteger startFrom = null; ++ + if (add != null && add.length() > 0 && + from != null && from.length() > 0) { + try { +@@ -377,6 +401,7 @@ public class UpdateCRL extends CMSServlet { + } catch (Exception e) { + } + } ++ + if (addLen != null && startFrom != null) { + Date revocationDate = CMS.getCurrentDate(); + String err = null; +@@ -386,6 +411,7 @@ public class UpdateCRL extends CMSServlet { + BigInteger serialNumber = startFrom; + BigInteger counter = addLen; + BigInteger stepBy = null; ++ + if (by != null && by.length() > 0) { + try { + stepBy = new BigInteger(by); +@@ -397,6 +423,7 @@ public class UpdateCRL extends CMSServlet { + long t2 = 0; + + while (counter.compareTo(BigInteger.ZERO) > 0) { ++ + RevokedCertImpl revokedCert = + new RevokedCertImpl(serialNumber, revocationDate, entryExts); + crlIssuingPoint.addRevokedCert(serialNumber, revokedCert); +@@ -405,9 +432,11 @@ public class UpdateCRL extends CMSServlet { + + if ((counter.compareTo(BigInteger.ZERO) == 0) || + (stepBy != null && 
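Review bot: The `catch (Exception e) { }` immediately above the added blank line swallows whatever the preceding try block threw while converting the `add`/`from` request parameters (that parsing sits just before this hunk), so a malformed test request degrades into the `missingParameters` response with nothing in the debug trace to say why. Given that this commit exists to make the servlet's behaviour visible, that catch is the one spot where a line really pays off: `CMS.debug("UpdateCRL: invalid add/from parameter: " + e);`. The sibling catch for the `by` parameter a few lines further down deserves the same. The enclosing process() method starts and ends outside the hunk.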
((counter.mod(stepBy)).compareTo(BigInteger.ZERO) == 0))) { ++ + t2 = System.currentTimeMillis(); + long t0 = t2 - t1; + t1 = t2; ++ + try { + if (signatureAlgorithm != null) { + crlIssuingPoint.updateCRLNow(signatureAlgorithm); +@@ -418,35 +447,43 @@ public class UpdateCRL extends CMSServlet { + counter = BigInteger.ZERO; + err = e.toString(); + } ++ + if (results != null && results.equals("1")) { + addInfo(argSet, crlIssuingPoint, t0); + } + } + } ++ + if (err != null) { + header.addStringValue("crlUpdate", "Failure"); + header.addStringValue("error", err); + } else { + header.addStringValue("crlUpdate", "Success"); + } ++ + } else { +- CMS.debug("CRL test error: missing parameters."); ++ CMS.debug("UpdateCRL: CRL test error: missing parameters"); + header.addStringValue("crlUpdate", "missingParameters"); + } + + mTesting.remove(crlIssuingPointId); +- CMS.debug("CRL test finished."); ++ CMS.debug("UpdateCRL: CRL test finished"); + return; ++ + } else if (test != null && test.equals("true") && + crlIssuingPoint.isCRLCacheTestingEnabled() && + mTesting.contains(crlIssuingPointId)) { + header.addStringValue("crlUpdate", "testingInProgress"); + return; ++ + } else if (test != null && test.equals("true") && + (!crlIssuingPoint.isCRLCacheTestingEnabled())) { + header.addStringValue("crlUpdate", "testingNotEnabled"); + return; + } ++ ++ CMS.debug("UpdateCRL: updating CRL"); ++ + try { + EBaseException publishError = null; + +@@ -462,6 +499,7 @@ public class UpdateCRL extends CMSServlet { + long now2 = System.currentTimeMillis(); + + header.addStringValue("time", "" + (now2 - now1)); ++ + } catch (EErrorPublishCRL e) { + publishError = e; + } +@@ -487,6 +525,7 @@ public class UpdateCRL extends CMSServlet { + if (authToken != null) { + authMgr = authToken.getInString(AuthToken.TOKEN_AUTHMGR_INST_NAME); + } ++ + long endTime = CMS.getCurrentDate().getTime(); + + if (crlIssuingPoint.getNextUpdate() != null) { +@@ -520,6 +559,7 @@ public class UpdateCRL extends CMSServlet { 
+ + " time: " + (endTime - startTime) } + ); + } ++ + } catch (EBaseException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_ERR_UPDATE_CRL", e.toString())); + if ((lpm != null) && lpm.isCRLPublishingEnabled() && (e instanceof ELdapException)) { +-- +1.8.3.1 + + +From e1fd9685e5442e5e2efa9a26e07bf45274b6fb93 Mon Sep 17 00:00:00 2001 +From: Matthew Harmsen +Date: Fri, 19 May 2017 09:47:47 -0600 +Subject: [PATCH 23/27] Fixed hardcoded values in ca CS.cfg + +- Bugzilla Bug #1452123 - CA CS.cfg shows default port +- dogtagpki Pagure Issue #2696 - CA CS.cfg shows default port +--- + base/ca/shared/conf/CS.cfg | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg +index f6297a3..8f9af5c 100644 +--- a/base/ca/shared/conf/CS.cfg ++++ b/base/ca/shared/conf/CS.cfg +@@ -290,7 +290,7 @@ ca.Policy.impl.SubjectDirectoryAttributesExt.class=com.netscape.cms.policy.exten + ca.Policy.impl.SubjectKeyIdentifierExt.class=com.netscape.cms.policy.extensions.SubjectKeyIdentifierExt + ca.Policy.impl.UniqueSubjectNameConstraints.class=com.netscape.cms.policy.constraints.UniqueSubjectNameConstraints + ca.Policy.impl.ValidityConstraints.class=com.netscape.cms.policy.constraints.ValidityConstraints +-ca.Policy.rule.AuthInfoAccessExt.ad0_location=http://[PKI_HOSTNAME]:8080/ocsp ++ca.Policy.rule.AuthInfoAccessExt.ad0_location=http://[PKI_HOSTNAME]:[PKI_UNSECURE_PORT]/ocsp + ca.Policy.rule.AuthInfoAccessExt.ad0_location_type=URL + ca.Policy.rule.AuthInfoAccessExt.ad0_method=ocsp + ca.Policy.rule.AuthInfoAccessExt.enable=false +@@ -773,8 +773,8 @@ cmsgateway._027=## 'cmsgateway.enableAdminEnroll=false' should have + cmsgateway._028=## already been reset. 
+ cmsgateway._029=## + cmsgateway.enableAdminEnroll=false +-https.port=8443 +-http.port=8080 ++https.port=[PKI_SECURE_PORT] ++http.port=[PKI_UNSECURE_PORT] + dbs.enableSerialManagement=[PKI_ENABLE_RANDOM_SERIAL_NUMBERS] + dbs.enableRandomSerialNumbers=[PKI_ENABLE_RANDOM_SERIAL_NUMBERS] + dbs.randomSerialNumberCounter=0 +-- +1.8.3.1 + + +From f30be692453ccb323f874e5a751e2381cbb4ebb0 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Fri, 19 May 2017 21:35:00 +0200 +Subject: [PATCH 24/27] Added debug logs for JssSubsystem. + +Some debug logs have been added into JssSubsystem to improve code +clarity. + +https://pagure.io/dogtagpki/issue/2695 + +Change-Id: Ice54cf5cfe1eb4984509b83a1098cd69819e37bc +--- + .../netscape/cmscore/security/JssSubsystem.java | 31 ++++++++++++++-------- + 1 file changed, 20 insertions(+), 11 deletions(-) + +diff --git a/base/server/cmscore/src/com/netscape/cmscore/security/JssSubsystem.java b/base/server/cmscore/src/com/netscape/cmscore/security/JssSubsystem.java +index dab9ac9..9031a92 100644 +--- a/base/server/cmscore/src/com/netscape/cmscore/security/JssSubsystem.java ++++ b/base/server/cmscore/src/com/netscape/cmscore/security/JssSubsystem.java +@@ -264,12 +264,15 @@ public final class JssSubsystem implements ICryptoSubsystem { + */ + public void init(ISubsystem owner, IConfigStore config) + throws EBaseException { ++ ++ CMS.debug("JssSubsystem: initializing JSS subsystem"); ++ + mLogger = CMS.getLogger(); + + if (mInited) { + // This used to throw an exeception (e.g. - on Solaris). + // If JSS is already initialized simply return. +- CMS.debug("JssSubsystem already inited.. 
returning."); ++ CMS.debug("JssSubsystem: already initialized"); + return; + } + +@@ -277,9 +280,11 @@ public final class JssSubsystem implements ICryptoSubsystem { + + // If disabled, just return + boolean enabled = config.getBoolean(PROP_ENABLE, true); ++ CMS.debug("JssSubsystem: enabled: " + enabled); + +- if (!enabled) ++ if (!enabled) { + return; ++ } + + try { + devRandomInputStream = new FileInputStream("/dev/urandom"); +@@ -287,28 +292,28 @@ public final class JssSubsystem implements ICryptoSubsystem { + // XXX - add new exception + } + +- // get hardcoded password (for debugging. +- String pw; ++ // get debugging password from config file ++ String pw = config.getString(PASSWORD_ALIAS, null); + +- if ((pw = config.getString(PASSWORD_ALIAS, null)) != null) { +- // hardcoded password in config file ++ if (pw != null) { ++ CMS.debug("JssSubsystem: use debug password"); + mPWCB = new Password(pw.toCharArray()); +- CMS.debug("JssSubsystem init() got password from hardcoded in config"); + } + +- String certDir; +- +- certDir = config.getString(CONFIG_DIR, null); ++ String certDir = config.getString(CONFIG_DIR, null); ++ CMS.debug("JssSubsystem: NSS database: " + certDir); + + CryptoManager.InitializationValues vals = new CryptoManager.InitializationValues(certDir, "", "", "secmod.db"); +- + vals.removeSunProvider = false; + vals.installJSSProvider = true; ++ + try { ++ CMS.debug("JssSubsystem: initializing CryptoManager"); + CryptoManager.initialize(vals); + } catch (AlreadyInitializedException e) { + // do nothing + } catch (Exception e) { ++ CMS.debug(e); + String[] params = { mId, e.toString() }; + EBaseException ex = new EBaseException(CMS.getUserMessage("CMS_BASE_CREATE_SERVICE_FAILED", params)); + +@@ -317,9 +322,11 @@ public final class JssSubsystem implements ICryptoSubsystem { + } + + try { ++ CMS.debug("JssSubsystem: initializing SSL"); + mCryptoManager = CryptoManager.getInstance(); + initSSL(); + } catch (CryptoManager.NotInitializedException e) { ++ 
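Review bot: The rewritten password branch still accepts a cleartext NSS token password from the configuration store (`String pw = config.getString(PASSWORD_ALIAS, null)`) and announces it only with `CMS.debug("JssSubsystem: use debug password")`, so an operator whose CS.cfg carries that key sees nothing unless debug logging is on. A token password readable from the server's config file is a materially weaker control than whatever the non-debug path uses (not visible in this hunk), so its use should be surfaced at warning level through `mLogger` (or the warning facility this class uses elsewhere) rather than the debug stream, and the renamed comment should state the property's intent: `// PASSWORD_ALIAS: cleartext token password in CS.cfg, for debugging only; production deployments must not set it`. The `Password` is built from `pw.toCharArray()`, leaving the String copy in the heap until collected; unavoidable with a String-returning config API, but worth noting next to it. init() continues outside the hunk.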
CMS.debug(e);
+ String[] params = { mId, e.toString() };
+ EBaseException ex = new EBaseException(CMS.getUserMessage("CMS_BASE_CREATE_SERVICE_FAILED", params));
+
+@@ -328,6 +335,8 @@ public final class JssSubsystem implements ICryptoSubsystem {
+ }
+
+ mInited = true;
++
++ CMS.debug("JssSubsystem: initialization complete");
+ }
+
+ public String getCipherVersion() throws EBaseException {
+-- 
+1.8.3.1
+
+
+From 62841380c6400023cf973e273ab974352885fabd Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata"
+Date: Sat, 20 May 2017 04:06:17 +0200
+Subject: [PATCH 25/27] Fixed problem with --ignore-banner option.
+
+The pki CLI has been modified to parse the --ignore-banner option
+properly and pass it only to Java-based CLI commands.
+
+https://pagure.io/dogtagpki/issue/2683
+
+Change-Id: Ifc3e98f74682a2fb4daeea16e86f495515a2d1f5
+---
+ base/common/python/pki/cli/main.py | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/base/common/python/pki/cli/main.py b/base/common/python/pki/cli/main.py
+index 268547b..f201c1d 100644
+--- a/base/common/python/pki/cli/main.py
++++ b/base/common/python/pki/cli/main.py
+@@ -44,6 +44,7 @@ class PKICLI(pki.cli.CLI):
+ self.password = None
+ self.password_file = None
+ self.token = None
++ self.ignore_banner = False
+
+ self.add_module(pki.cli.pkcs12.PKCS12CLI())
+
+@@ -96,6 +97,9 @@ class PKICLI(pki.cli.CLI):
+ if self.token and self.token != 'internal':
+ cmd.extend(['--token', self.token])
+
++ if self.ignore_banner:
++ cmd.extend(['--ignore-banner'])
++
+ if self.verbose:
+ cmd.extend(['--verbose'])
+
+@@ -157,6 +161,12 @@ class PKICLI(pki.cli.CLI):
+ pki_options.append(args[i + 1])
+ i = i + 2
+
++ # check ignore banner option
++ elif args[i] == '--ignore-banner':
++ self.ignore_banner = True
++ pki_options.append(args[i])
++ i = i + 1
++
+ # check verbose option
+ elif args[i] == '-v' or args[i] == '--verbose':
+ self.set_verbose(True)
+-- 
+1.8.3.1
+
+
+From 8aafe1d4345f8b8d20b2f87c68b2e6be4eee18eb Mon Sep 17 00:00:00 
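Review bot: `cmd.extend(['--ignore-banner'])` in the `@@ -96,6 +97,9 @@` hunk wraps a single argument in a list; `cmd.append('--ignore-banner')` says the same thing more directly and is how a lone flag is normally added. In the `@@ -157,6 +161,12 @@` hunk the option is both recorded in `pki_options` and re-derived from `self.ignore_banner` when the Java command line is built, so if `pki_options` is also forwarded to the Java CLI the flag would be passed twice; where `pki_options` is consumed is not visible from here, so please confirm. The enclosing methods start and end outside these hunks.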
2001 +From: Christina Fu +Date: Fri, 19 May 2017 11:55:14 -0700 +Subject: [PATCH 26/27] Ticket#2618 feature: pre-signed CMC renewal request + +This patch provides the feature implementation to allow CA to process pre-signed CMC renewal requests. In the world of CMC, renewal request are full CMC requests that are signed by previously issued signing certificate. +The implementation approach is to use the caFullCMCUserSignedCert with the enhanced profile constraint: UniqueKeyConstraint. +UniqueKeyConstraint has been updated to disallow renewal of same key shared by a revoked certificate. It also saves the origNotAfter of the newest certificate sharing the same key in the request to be used by the RenewGracePeriodConstraint. To not interfere with the existing "renewal by serial" flow, if an existing origNotAfter is found, it is not overwritten. +The profile caFullCMCUserSignedCert.cfg has been updated to have both UniqueKeyConstraint and RenewGracePeriodConstraint. They must be placed in the correct order. By default in the UniqueKeyConstraint the constraint parameter allowSameKeyRenewal=true. 
+--- + .../shared/profiles/ca/caFullCMCUserSignedCert.cfg | 13 ++- + .../src/com/netscape/cmstools/CMCRequest.java | 14 ++- + .../constraint/RenewGracePeriodConstraint.java | 26 +++-- + .../profile/constraint/UniqueKeyConstraint.java | 123 ++++++++++++++++----- + 4 files changed, 132 insertions(+), 44 deletions(-) + +diff --git a/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg b/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg +index 229a3cd..63a4bca 100644 +--- a/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg ++++ b/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg +@@ -10,12 +10,23 @@ input.i2.class_id=submitterInfoInputImpl + output.list=o1 + output.o1.class_id=certOutputImpl + policyset.list=cmcUserCertSet +-policyset.cmcUserCertSet.list=1,2,3,4,5,6,7,8 ++policyset.cmcUserCertSet.list=1,9,10,2,3,4,5,6,7,8 + policyset.cmcUserCertSet.1.constraint.class_id=cmcUserSignedSubjectNameConstraintImpl + policyset.cmcUserCertSet.1.constraint.name=CMC User Signed Subject Name Constraint + policyset.cmcUserCertSet.1.default.class_id=cmcUserSignedSubjectNameDefaultImpl + policyset.cmcUserCertSet.1.default.name=User Signed Subject Name Default + policyset.cmcUserCertSet.1.default.params.name= ++policyset.cmcUserCertSet.9.constraint.class_id=uniqueKeyConstraintImpl ++policyset.cmcUserCertSet.9.constraint.name=Unique Key Constraint ++policyset.cmcUserCertSet.9.constraint.params.allowSameKeyRenewal=true ++policyset.cmcUserCertSet.9.default.class_id=noDefaultImpl ++policyset.cmcUserCertSet.9.default.name=No Default ++policyset.cmcUserCertSet.10.constraint.class_id=renewGracePeriodConstraintImpl ++policyset.cmcUserCertSet.10.constraint.name=Renewal Grace Period Constraint ++policyset.cmcUserCertSet.10.constraint.params.renewal.graceBefore=30 ++policyset.cmcUserCertSet.10.constraint.params.renewal.graceAfter=30 ++policyset.cmcUserCertSet.10.default.class_id=noDefaultImpl ++policyset.cmcUserCertSet.10.default.name=No Default + 
policyset.cmcUserCertSet.2.constraint.class_id=validityConstraintImpl + policyset.cmcUserCertSet.2.constraint.name=Validity Constraint + policyset.cmcUserCertSet.2.constraint.params.notAfterCheck=false +diff --git a/base/java-tools/src/com/netscape/cmstools/CMCRequest.java b/base/java-tools/src/com/netscape/cmstools/CMCRequest.java +index 6e27cb1..9c41403 100644 +--- a/base/java-tools/src/com/netscape/cmstools/CMCRequest.java ++++ b/base/java-tools/src/com/netscape/cmstools/CMCRequest.java +@@ -2014,10 +2014,12 @@ public class CMCRequest { + certname.append(tokenName); + certname.append(":"); + } +- certname.append(nickname); +- signerCert = cm.findCertByNickname(certname.toString()); +- if (signerCert != null) { +- System.out.println("got signerCert: "+ certname.toString()); ++ if (!selfSign.equals("true") && nickname != null) { ++ certname.append(nickname); ++ signerCert = cm.findCertByNickname(certname.toString()); ++ if (signerCert != null) { ++ System.out.println("got signerCert: "+ certname.toString()); ++ } + } + + ContentInfo cmcblob = null; +@@ -2239,11 +2241,11 @@ public class CMCRequest { + // sign the request + SignedData signedData = null; + if (selfSign.equalsIgnoreCase("true")) { +- // selfSign signes with private key ++ // selfSign signs with private key + System.out.println("selfSign is true..."); + signedData = signData(privk, pkidata); + } else { +- // none selfSign signes with existing cert ++ // none selfSign signs with existing cert + System.out.println("selfSign is false..."); + signedData = signData(signerCert, tokenName, nickname, cm, pkidata); + } +diff --git a/base/server/cms/src/com/netscape/cms/profile/constraint/RenewGracePeriodConstraint.java b/base/server/cms/src/com/netscape/cms/profile/constraint/RenewGracePeriodConstraint.java +index d140396..a5f7994 100644 +--- a/base/server/cms/src/com/netscape/cms/profile/constraint/RenewGracePeriodConstraint.java ++++ 
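Review bot: The new guard `if (!selfSign.equals("true") && nickname != null)` in the `@@ -2014,10 +2014,12 @@` hunk tests `selfSign` case-sensitively, while the `@@ -2239,11 +2241,11 @@` hunk of the same file decides how to sign with `selfSign.equalsIgnoreCase("true")`; a value such as `TRUE` therefore looks up a signer certificate here and is then self-signed below, so the two checks should use the same comparison: `if (!selfSign.equalsIgnoreCase("true") && nickname != null) {`. Both calls dereference `selfSign` without a null check; whether it can be null depends on how the option is initialised, which is outside the hunk. When the lookup is skipped, `signerCert` stays null and on the non-self-signed branch is passed straight to `signData(signerCert, ...)`, so that method presumably reports the missing certificate — worth confirming. The enclosing method starts and ends outside the hunk.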
b/base/server/cms/src/com/netscape/cms/profile/constraint/RenewGracePeriodConstraint.java +@@ -87,14 +87,16 @@ public class RenewGracePeriodConstraint extends EnrollConstraint { + + public void validate(IRequest req, X509CertInfo info) + throws ERejectException { ++ String method = "RenewGracePeriodConstraint: validate: "; ++ String msg = ""; ++ + String origExpDate_s = req.getExtDataInString("origNotAfter"); +- // probably not for renewal +- if (origExpDate_s == null) { ++ if (origExpDate_s == null) { // probably not for renewal ++ CMS.debug(method + " original cert expiration date not found...return without validation"); + return; +- } else { +- CMS.debug("validate RenewGracePeriod: original cert expiration date found... renewing"); ++ } else { //should occur when it's renewal ++ CMS.debug(method + " original cert expiration date found... validating"); + } +- CMS.debug("ValidilityConstraint: validateRenewGraceperiod begins"); + BigInteger origExpDate_BI = new BigInteger(origExpDate_s); + Date origExpDate = new Date(origExpDate_BI.longValue()); + String renew_grace_before_s = getConfig(CONFIG_RENEW_GRACE_BEFORE); +@@ -122,7 +124,7 @@ public class RenewGracePeriodConstraint extends EnrollConstraint { + + Date current = CMS.getCurrentDate(); + long millisDiff = origExpDate.getTime() - current.getTime(); +- CMS.debug("validateRenewGracePeriod: millisDiff=" ++ CMS.debug(method + " millisDiff=" + + millisDiff + " origExpDate=" + origExpDate.getTime() + " current=" + current.getTime()); + + /* +@@ -134,17 +136,17 @@ public class RenewGracePeriodConstraint extends EnrollConstraint { + */ + if (millisDiff >= 0) { + if ((renew_grace_before > 0) && (millisDiff > renew_grace_before_BI.longValue())) { ++ msg = renew_grace_before + " days before and " + ++ renew_grace_after + " days after original cert expiration date"; + throw new ERejectException(CMS.getUserMessage(getLocale(req), +- "CMS_PROFILE_RENEW_OUTSIDE_GRACE_PERIOD", +- renew_grace_before + " days before and " + +- 
renew_grace_after + " days after original cert expiration date")); ++ "CMS_PROFILE_RENEW_OUTSIDE_GRACE_PERIOD", msg)); + } + } else { + if ((renew_grace_after > 0) && ((0 - millisDiff) > renew_grace_after_BI.longValue())) { ++ msg = renew_grace_before + " days before and " + ++ renew_grace_after + " days after original cert expiration date"; + throw new ERejectException(CMS.getUserMessage(getLocale(req), +- "CMS_PROFILE_RENEW_OUTSIDE_GRACE_PERIOD", +- renew_grace_before + " days before and " + +- renew_grace_after + " days after original cert expiration date")); ++ "CMS_PROFILE_RENEW_OUTSIDE_GRACE_PERIOD", msg)); + } + } + } +diff --git a/base/server/cms/src/com/netscape/cms/profile/constraint/UniqueKeyConstraint.java b/base/server/cms/src/com/netscape/cms/profile/constraint/UniqueKeyConstraint.java +index 869f0e2..33cc7a9 100644 +--- a/base/server/cms/src/com/netscape/cms/profile/constraint/UniqueKeyConstraint.java ++++ b/base/server/cms/src/com/netscape/cms/profile/constraint/UniqueKeyConstraint.java +@@ -17,16 +17,11 @@ + // --- END COPYRIGHT BLOCK --- + package com.netscape.cms.profile.constraint; + ++import java.math.BigInteger; ++import java.util.Date; + import java.util.Enumeration; + import java.util.Locale; + +-import netscape.security.x509.CertificateSubjectName; +-import netscape.security.x509.CertificateX509Key; +-import netscape.security.x509.X500Name; +-import netscape.security.x509.X509CertImpl; +-import netscape.security.x509.X509CertInfo; +-import netscape.security.x509.X509Key; +- + import com.netscape.certsrv.apps.CMS; + import com.netscape.certsrv.base.IConfigStore; + import com.netscape.certsrv.ca.ICertificateAuthority; +@@ -41,6 +36,13 @@ import com.netscape.certsrv.property.IDescriptor; + import com.netscape.certsrv.request.IRequest; + import com.netscape.cms.profile.def.NoDefault; + ++import netscape.security.x509.CertificateSubjectName; ++import netscape.security.x509.CertificateX509Key; ++import netscape.security.x509.X500Name; ++import 
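Review bot: The rejection text is assembled twice in the `@@ -134,17 +136,17 @@` hunk, once per branch of `if (millisDiff >= 0)`, with identical content; since `msg` is declared at the top of `validate` in the `@@ -87,14 +87,16 @@` hunk, build it once before the branch, `msg = renew_grace_before + " days before and " + renew_grace_after + " days after original cert expiration date";`, and keep only the two `throw` statements inside the branches. The `msg = ""` initializer added in the `@@ -87` hunk is then unnecessary, since the variable has a single assignment before its only uses. `validate` spans several hunks; its start is in the `@@ -87` hunk and I cannot tell from here whether the final brace of this hunk closes the method.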
netscape.security.x509.X509CertImpl; ++import netscape.security.x509.X509CertInfo; ++import netscape.security.x509.X509Key; ++ + /** + * This constraint is to check for publickey uniqueness. + * The config param "allowSameKeyRenewal" enables the +@@ -102,9 +104,29 @@ public class UniqueKeyConstraint extends EnrollConstraint { + /** + * Validates the request. The request is not modified + * during the validation. ++ * ++ * It will try to capture orig cert expiration info for renewal later. ++ * Renewal can be either renewal with same key or new key. ++ * ++ * In case of renewing with same key, the old cert record ++ * can be retrieved and used to fill original info such as ++ * original expiration date for use with RenewGracePeriodConstraint. ++ * ++ * In case of renewing with new key, it would be no different from ++ * regular enrollment ++ * ++ * Search by ICertRecord.ATTR_X509CERT_PUBLIC_KEY_DATA ++ * would tell us if its reusing the same key or not. ++ * If any cert with the same key in the repository is found ++ * to be revoked, then the request is rejected ++ * ++ * This contraint has to go before the RenewGracePeriodConstraint, ++ * but after any of the SubjectName Default and Constraint + */ + public void validate(IRequest request, X509CertInfo info) + throws ERejectException { ++ String method = "UniqueKeyConstraint: validate: "; ++ String msg = ""; + boolean rejected = false; + int size = 0; + ICertRecordList list; +@@ -114,6 +136,8 @@ public class UniqueKeyConstraint extends EnrollConstraint { + getConfigBoolean(CONFIG_REVOKE_DUPKEY_CERT); + */ + mAllowSameKeyRenewal = getConfigBoolean(CONFIG_ALLOW_SAME_KEY_RENEWAL); ++ msg = msg + ": allowSameKeyRenewal=" + mAllowSameKeyRenewal + ";"; ++ CMS.debug(method + msg); + + try { + CertificateX509Key infokey = (CertificateX509Key) +@@ -131,18 +155,18 @@ public class UniqueKeyConstraint extends EnrollConstraint { + + } catch (Exception e) { + throw new ERejectException( +- CMS.getUserMessage( +- 
getLocale(request), +- "CMS_PROFILE_INTERNAL_ERROR", e.toString())); ++ CMS.getUserMessage( ++ getLocale(request), ++ "CMS_PROFILE_INTERNAL_ERROR", method + e.toString())); + } + + /* + * It does not matter if the corresponding cert's status +- * is valid or not, we don't want a key that was once +- * generated before ++ * is valid or not, if mAllowSameKeyRenewal is false, ++ * we don't want a key that was once generated before + */ + if (size > 0) { +- CMS.debug("UniqueKeyConstraint: found existing cert with duplicate key."); ++ CMS.debug(method + "found existing cert with same key"); + + /* + The following code revokes the existing certs that have +@@ -189,45 +213,94 @@ public class UniqueKeyConstraint extends EnrollConstraint { + + sjname_in_req = + (X500Name) subName.get(CertificateSubjectName.DN_NAME); +- CMS.debug("UniqueKeyConstraint: cert request subject DN =" + sjname_in_req.toString()); ++ CMS.debug(method +" cert request subject DN =" + sjname_in_req.toString()); + Enumeration e = list.getCertRecords(0, size - 1); ++ Date latestOrigNotAfter = null; ++ Date origNotAfter = null; ++ boolean first = true; + while (e != null && e.hasMoreElements()) { + ICertRecord rec = e.nextElement(); +- X509CertImpl cert = rec.getCertificate(); ++ BigInteger serial = rec.getSerialNumber(); ++ ++ if (rec.getStatus().equals(ICertRecord.STATUS_REVOKED) ++ || rec.getStatus().equals(ICertRecord.STATUS_REVOKED_EXPIRED)) { ++ msg = msg + "revoked cert cannot be renewed: serial=" + serial.toString() + ";"; ++ CMS.debug(method + msg); ++ rejected = true; ++ // this has to break ++ break; ++ } ++ if (!rec.getStatus().equals(ICertRecord.STATUS_VALID) ++ && !rec.getStatus().equals(ICertRecord.STATUS_EXPIRED)) { ++ CMS.debug(method + "invalid cert cannot be renewed; continue:" + serial.toString()); ++ // can still find another one to renew ++ continue; ++ } ++ // only VALID or EXPIRED certs could have reached here ++ X509CertImpl origCert = rec.getCertificate(); + String certDN = +- 
cert.getSubjectDN().toString(); +- CMS.debug("UniqueKeyConstraint: cert retrieved from ldap has subject DN =" + certDN); ++ origCert.getSubjectDN().toString(); ++ CMS.debug(method + " cert retrieved from ldap has subject DN =" + certDN); + + sjname_in_db = new X500Name(certDN); + + if (sjname_in_db.equals(sjname_in_req) == false) { ++ msg = msg + "subject name not match in same key renewal;"; + rejected = true; + break; + } else { +- rejected = false; ++ CMS.debug("subject name match in same key renewal"); + } ++ ++ // find the latest expiration date to keep for ++ // Renewal Grace Period Constraint later ++ origNotAfter = origCert.getNotAfter(); ++ CMS.debug(method + "origNotAfter =" + origNotAfter.toString()); ++ if (first) { ++ latestOrigNotAfter = origNotAfter; ++ first = false; ++ } else if (latestOrigNotAfter.before(origNotAfter)) { ++ CMS.debug(method + "newer cert found"); ++ latestOrigNotAfter = origNotAfter; ++ } ++ ++ // yes, this could be overwritten by later ++ // found cert(s) that has violations ++ rejected = false; + } // while ++ ++ if (latestOrigNotAfter != null) { ++ String existingOrigExpDate_s = request.getExtDataInString("origNotAfter"); ++ if (existingOrigExpDate_s != null) { ++ // make sure not to interfere with renewal by serial ++ CMS.debug(method + ++ " original cert expiration date already exists. 
Not overriding."); ++ } else { ++ // set origNotAfter for RenewGracePeriodConstraint ++ CMS.debug(method + "setting latest original cert expiration in request"); ++ request.setExtData("origNotAfter", BigInteger.valueOf(latestOrigNotAfter.getTime())); ++ } ++ } + } else { //subName is null ++ msg = msg +"subject name not found in cert request info;"; + rejected = true; + } + } catch (Exception ex1) { +- CMS.debug("UniqueKeyConstraint: error in allowSameKeyRenewal: " + ex1.toString()); ++ CMS.debug(method + msg + ex1.toString()); + rejected = true; + } // try + + } else { ++ msg = msg + "found existing cert with same key;"; + rejected = true; + }// allowSameKeyRenewal + } // (size > 0) + + if (rejected == true) { +- CMS.debug("UniqueKeyConstraint: rejected"); +- throw new ERejectException( +- CMS.getUserMessage( +- getLocale(request), +- "CMS_PROFILE_DUPLICATE_KEY")); ++ CMS.debug(method + " rejected"); ++ throw new ERejectException(msg); + } else { +- CMS.debug("UniqueKeyConstraint: approved"); ++ CMS.debug(method + " approved"); + } + } + +-- +1.8.3.1 + + +From b66409ba4a9ffa8cb58f643e891a4a50a67fb29a Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Sat, 20 May 2017 00:06:41 +0200 +Subject: [PATCH 27/27] Added configurable random number generator in + JssSubsystem. + +The JssSubsystem has been modified to provide a configurable +random number generator which uses PK11SecureRandom from JSS by +default. + +The CertificateRepository has been modified to use the new random +number generator to generate random serial number. 
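Review bot: `throw new ERejectException(msg)` in the `@@ -189,45 +213,94 @@` hunk replaces the localized `CMS_PROFILE_DUPLICATE_KEY` user message with the internal diagnostic string, which by then carries the `allowSameKeyRenewal` setting and, on the revoked-cert path, the serial number of another certificate sharing the key (`revoked cert cannot be renewed: serial=...`); that detail now reaches the requester, and the message is no longer localized. Keep the user-facing text as before, `throw new ERejectException(CMS.getUserMessage(getLocale(request), "CMS_PROFILE_DUPLICATE_KEY"));`, and leave `msg` to the `CMS.debug(method + msg)` calls that already record it. Separately, when every record sharing the key is skipped by the `continue` branch (status neither valid/expired nor revoked), `rejected` keeps its initial false and the request is approved without `origNotAfter` being set; if that is intended, a comment at the `continue` saying so would help. The `CMS.debug("subject name match in same key renewal")` line is the only message in the method without the `method` prefix. `validate` begins in the `@@ -102,9 +104,29 @@` hunk, outside this one.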
+ +https://pagure.io/dogtagpki/issue/2695 + +Change-Id: I3289adbd0543000e64404fe23d00c44f32795f75 +--- + .../cmscore/dbs/CertificateRepository.java | 32 +++++++++++----------- + .../netscape/cmscore/security/JssSubsystem.java | 27 ++++++++++++++++++ + 2 files changed, 43 insertions(+), 16 deletions(-) + +diff --git a/base/server/cmscore/src/com/netscape/cmscore/dbs/CertificateRepository.java b/base/server/cmscore/src/com/netscape/cmscore/dbs/CertificateRepository.java +index 8406f36..9a333fe 100644 +--- a/base/server/cmscore/src/com/netscape/cmscore/dbs/CertificateRepository.java ++++ b/base/server/cmscore/src/com/netscape/cmscore/dbs/CertificateRepository.java +@@ -19,27 +19,18 @@ package com.netscape.cmscore.dbs; + + import java.io.Serializable; + import java.math.BigInteger; ++import java.security.SecureRandom; + import java.security.cert.Certificate; + import java.util.Arrays; + import java.util.Date; + import java.util.Enumeration; + import java.util.Hashtable; +-import java.util.Random; + import java.util.Vector; + import java.util.concurrent.Executors; + import java.util.concurrent.ScheduledExecutorService; + import java.util.concurrent.ThreadFactory; + import java.util.concurrent.TimeUnit; + +-import netscape.ldap.LDAPAttributeSet; +-import netscape.ldap.LDAPEntry; +-import netscape.ldap.LDAPSearchResults; +-import netscape.security.x509.CertificateValidity; +-import netscape.security.x509.RevokedCertImpl; +-import netscape.security.x509.X500Name; +-import netscape.security.x509.X509CertImpl; +-import netscape.security.x509.X509CertInfo; +- + import com.netscape.certsrv.apps.CMS; + import com.netscape.certsrv.base.EBaseException; + import com.netscape.certsrv.base.IConfigStore; +@@ -62,6 +53,16 @@ import com.netscape.certsrv.dbs.certdb.RenewableCertificateCollection; + import com.netscape.certsrv.dbs.repository.IRepository; + import com.netscape.certsrv.dbs.repository.IRepositoryRecord; + import com.netscape.certsrv.logging.ILogger; ++import 
com.netscape.cmscore.security.JssSubsystem; ++ ++import netscape.ldap.LDAPAttributeSet; ++import netscape.ldap.LDAPEntry; ++import netscape.ldap.LDAPSearchResults; ++import netscape.security.x509.CertificateValidity; ++import netscape.security.x509.RevokedCertImpl; ++import netscape.security.x509.X500Name; ++import netscape.security.x509.X509CertImpl; ++import netscape.security.x509.X509CertInfo; + + /** + * A class represents a certificate repository. It +@@ -99,7 +100,6 @@ public class CertificateRepository extends Repository + private int mTransitMaxRecords = 1000000; + private int mTransitRecordPageSize = 200; + +- private Random mRandom = null; + private int mBitLength = 0; + private BigInteger mRangeSize = null; + private int mMinRandomBitLength = 4; +@@ -169,11 +169,7 @@ public class CertificateRepository extends Repository + } + + private BigInteger getRandomNumber() throws EBaseException { +- BigInteger randomNumber = null; + +- if (mRandom == null) { +- mRandom = new Random(); +- } + super.initCacheIfNeeded(); + + if (mRangeSize == null) { +@@ -189,7 +185,11 @@ public class CertificateRepository extends Repository + CMS.debug("CertificateRepository: getRandomNumber: Range size is too small to support random certificate serial numbers."); + throw new EBaseException ("Range size is too small to support random certificate serial numbers."); + } +- randomNumber = new BigInteger((mBitLength), mRandom); ++ ++ JssSubsystem jssSubsystem = (JssSubsystem) CMS.getSubsystem(JssSubsystem.ID); ++ SecureRandom random = jssSubsystem.getRandomNumberGenerator(); ++ ++ BigInteger randomNumber = new BigInteger(mBitLength, random); + randomNumber = (randomNumber.multiply(mRangeSize)).shiftRight(mBitLength); + CMS.debug("CertificateRepository: getRandomNumber randomNumber="+randomNumber); + +diff --git a/base/server/cmscore/src/com/netscape/cmscore/security/JssSubsystem.java b/base/server/cmscore/src/com/netscape/cmscore/security/JssSubsystem.java +index 9031a92..d346a12 
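Review bot: `jssSubsystem.getRandomNumberGenerator()` can hand back null at the `new BigInteger(mBitLength, random)` line in the `@@ -189,7 +185,11 @@` hunk: the accessor added to `JssSubsystem` in the next hunk returns the bare field, `init` assigns `random` only after its `PROP_ENABLE` check, and the earlier patch's `if (!enabled) { return; }` leaves the field unset in that case; `CMS.getSubsystem` may also return null if the subsystem is not registered, which I cannot confirm from here. A null here surfaces as a NullPointerException inside serial-number allocation instead of a clear configuration error. Add a guard before the constructor call: `if (random == null) { throw new EBaseException("CertificateRepository: getRandomNumber: secure random number generator not available"); }`, or have `getRandomNumberGenerator()` in the JssSubsystem hunk throw rather than return null. The rest of `getRandomNumber` is outside the hunk.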
100644
+--- a/base/server/cmscore/src/com/netscape/cmscore/security/JssSubsystem.java
++++ b/base/server/cmscore/src/com/netscape/cmscore/security/JssSubsystem.java
+@@ -32,6 +32,7 @@ import java.security.NoSuchAlgorithmException;
+ import java.security.NoSuchProviderException;
+ import java.security.Principal;
+ import java.security.PublicKey;
++import java.security.SecureRandom;
+ import java.security.SignatureException;
+ import java.security.cert.CertificateEncodingException;
+ import java.security.cert.CertificateException;
+@@ -116,6 +117,7 @@ public final class JssSubsystem implements ICryptoSubsystem {
+ private boolean mInited = false;
+ private ILogger mLogger = null;
+ private CryptoManager mCryptoManager = null;
++ private SecureRandom random;
+
+ protected PasswordCallback mPWCB = null;
+
+@@ -334,11 +336,36 @@ public final class JssSubsystem implements ICryptoSubsystem {
+ throw ex;
+ }
+
++ // read jss.random.* properties
++ // by default use PK11SecureRandom from JSS
++ // see http://pki.fedoraproject.org/wiki/Random_Number_Generator
++
++ IConfigStore randomConfig = config.getSubStore("random");
++ CMS.debug("JssSubsystem: random:");
++
++ String algorithm = randomConfig.getString("algorithm", "pkcs11prng");
++ CMS.debug("JssSubsystem: - algorithm: " + algorithm);
++
++ String provider = randomConfig.getString("provider", "Mozilla-JSS");
++ CMS.debug("JssSubsystem: - provider: " + provider);
++
++ try {
++ random = SecureRandom.getInstance(algorithm, provider);
++
++ } catch (NoSuchAlgorithmException | NoSuchProviderException e) {
++ CMS.debug(e);
++ throw new EBaseException(e);
++ }
++
+ mInited = true;
+
+ CMS.debug("JssSubsystem: initialization complete");
+ }
+
++ public SecureRandom getRandomNumberGenerator() {
++ return random;
++ }
++
+ public String getCipherVersion() throws EBaseException {
+ return "cipherdomestic";
+ }
+-- 
+1.8.3.1
+
diff --git a/SOURCES/pki-core-snapshot-2.patch b/SOURCES/pki-core-snapshot-2.patch new file mode 100644 index 0000000..54a39b3 --- /dev/null +++ b/SOURCES/pki-core-snapshot-2.patch 
@@ -0,0 +1,15017 @@ +From 1c8c61ef235bb57e744e9a8cfa5e1ff0cebb06a2 Mon Sep 17 00:00:00 2001 +From: Ade Lee +Date: Tue, 16 May 2017 17:29:45 -0400 +Subject: [PATCH 01/38] Encapsulate the archival audit log + +This patch encapsulates the SECURITY_DATA_ARCHIVAL_REQUEST and +PRIVATE_DATA_ARCHIVAL_REQUEST audit logs as audit events. + +The PRIVATE_DATA_ARCHIVAL_REQUEST events are mapped to the +SECURITY_DATA ones to simplify the whole structure. They +used to provide an archivalID parameter which was pretty much +meaningless as it was at best just the same as the request id +which is alreadty logged. So this is now dropped. + +Change-Id: I705d25ce716c73f2c954c5715b0aafdad80b99d2 +--- + base/ca/src/com/netscape/ca/CAService.java | 45 +++-------- + .../com/netscape/certsrv/logging/AuditEvent.java | 4 - + .../logging/event/SecurityDataArchivalEvent.java | 59 ++++++++++++++ + base/kra/shared/conf/CS.cfg | 4 +- + .../src/com/netscape/kra/EnrollmentService.java | 92 ++++++---------------- + .../src/com/netscape/kra/KeyRecoveryAuthority.java | 27 ++----- + .../src/com/netscape/kra/NetkeyKeygenService.java | 15 +--- + .../server/kra/rest/KeyRequestService.java | 9 +-- + .../cms/profile/common/CAEnrollProfile.java | 40 +++------- + .../cms/servlet/base/SubsystemService.java | 10 +++ + base/server/cmsbundle/src/LogMessages.properties | 14 +--- + 11 files changed, 132 insertions(+), 187 deletions(-) + create mode 100644 base/common/src/com/netscape/certsrv/logging/event/SecurityDataArchivalEvent.java + +diff --git a/base/ca/src/com/netscape/ca/CAService.java b/base/ca/src/com/netscape/ca/CAService.java +index 2ad1967..45fae66 100644 +--- a/base/ca/src/com/netscape/ca/CAService.java ++++ b/base/ca/src/com/netscape/ca/CAService.java +@@ -52,6 +52,7 @@ import com.netscape.certsrv.dbs.certdb.ICertRecordList; + import com.netscape.certsrv.dbs.crldb.ICRLIssuingPointRecord; + import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.ILogger; ++import 
com.netscape.certsrv.logging.event.SecurityDataArchivalEvent; + import com.netscape.certsrv.profile.EProfileException; + import com.netscape.certsrv.profile.IProfile; + import com.netscape.certsrv.profile.IProfileSubsystem; +@@ -368,10 +369,8 @@ public class CAService implements ICAService, IService { + * @return true or false + */ + public boolean serviceRequest(IRequest request) { +- String auditMessage = null; + String auditSubjectID = auditSubjectID(); + String auditRequesterID = auditRequesterID(); +- String auditArchiveID = ILogger.SIGNED_AUDIT_NON_APPLICABLE; + + boolean completed = false; + +@@ -392,7 +391,7 @@ public class CAService implements ICAService, IService { + request.setExtData(IRequest.RESULT, IRequest.RES_ERROR); + request.setExtData(IRequest.ERROR, e.toString()); + +- audit(auditMessage); ++ // TODO(alee) New audit message needed here + + return false; + } +@@ -420,14 +419,10 @@ public class CAService implements ICAService, IService { + CMS.debug("CAService: Sending enrollment request to KRA"); + + // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, ++ audit(new SecurityDataArchivalEvent( + auditSubjectID, + ILogger.SUCCESS, +- auditRequesterID, +- auditArchiveID); +- +- audit(auditMessage); ++ auditRequesterID)); + + boolean sendStatus = mKRAConnector.send(request); + +@@ -439,14 +434,10 @@ public class CAService implements ICAService, IService { + new ECAException(CMS.getUserMessage("CMS_CA_SEND_KRA_REQUEST"))); + + // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, ++ audit(new SecurityDataArchivalEvent( + auditSubjectID, + ILogger.FAILURE, +- auditRequesterID, +- auditArchiveID); +- +- audit(auditMessage); ++ auditRequesterID)); + + return true; + } else { +@@ -457,14 +448,10 @@ public class CAService implements ICAService, IService { + } + if (request.getExtDataInString(IRequest.ERROR) != 
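Review bot: The `@@ -392,7 +391,7 @@` hunk replaces `audit(auditMessage)` with `// TODO(alee) New audit message needed here`, so the error path that sets `IRequest.RES_ERROR` and `IRequest.ERROR` now emits no audit record at all; the removed `auditMessage` was only ever null at that point (its single initialization is deleted in the `@@ -368,10 +369,8 @@` hunk), so the old call was already not producing a usable entry, but a silent failure path in `serviceRequest` is an audit gap rather than a deferrable cleanup. If the exception caught there is an archival failure, `audit(new SecurityDataArchivalEvent(auditSubjectID, ILogger.FAILURE, auditRequesterID));` matches the other failure sites in this file; if it covers other request types a dedicated event is needed — the catch clause itself is outside the hunk, so I cannot tell which. Either way the TODO should carry a tracking reference before this ships.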
null) { + // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, ++ audit(new SecurityDataArchivalEvent( + auditSubjectID, + ILogger.FAILURE, +- auditRequesterID, +- auditArchiveID); +- +- audit(auditMessage); ++ auditRequesterID)); + + return true; + } +@@ -484,14 +471,10 @@ public class CAService implements ICAService, IService { + // store a message in the signed audit log file + if (!(type.equals(IRequest.REVOCATION_REQUEST) || + type.equals(IRequest.UNREVOCATION_REQUEST) || type.equals(IRequest.CMCREVOKE_REQUEST))) { +- auditMessage = CMS.getLogMessage( +- AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, ++ audit(new SecurityDataArchivalEvent( + auditSubjectID, + ILogger.FAILURE, +- auditRequesterID, +- auditArchiveID); +- +- audit(auditMessage); ++ auditRequesterID)); + } + + return true; +@@ -504,14 +487,10 @@ public class CAService implements ICAService, IService { + if (!(type.equals(IRequest.REVOCATION_REQUEST) || + type.equals(IRequest.UNREVOCATION_REQUEST) || type.equals(IRequest.CMCREVOKE_REQUEST))) { + // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, ++ audit(new SecurityDataArchivalEvent( + auditSubjectID, + ILogger.SUCCESS, +- auditRequesterID, +- auditArchiveID); +- +- audit(auditMessage); ++ auditRequesterID)); + } + + return completed; +diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java +index 21cac27..a224ae6 100644 +--- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java ++++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java +@@ -72,8 +72,6 @@ public class AuditEvent implements IBundleLogEvent { + public final static String LOG_PATH_CHANGE = + "LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE_4"; + +- public final static String PRIVATE_KEY_ARCHIVE_REQUEST = +- 
"LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_4"; + public final static String PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED = + "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED_3"; + public final static String PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS = +@@ -182,8 +180,6 @@ public class AuditEvent implements IBundleLogEvent { + + public final static String SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED = + "LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED_6"; +- public static final String SECURITY_DATA_ARCHIVAL_REQUEST = +- "LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST_4"; + public final static String SECURITY_DATA_RECOVERY_REQUEST_PROCESSED = + "LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_PROCESSED_5"; + public static final String SECURITY_DATA_RECOVERY_REQUEST = +diff --git a/base/common/src/com/netscape/certsrv/logging/event/SecurityDataArchivalEvent.java b/base/common/src/com/netscape/certsrv/logging/event/SecurityDataArchivalEvent.java +new file mode 100644 +index 0000000..43f7525 +--- /dev/null ++++ b/base/common/src/com/netscape/certsrv/logging/event/SecurityDataArchivalEvent.java +@@ -0,0 +1,59 @@ ++// --- BEGIN COPYRIGHT BLOCK --- ++// This program is free software; you can redistribute it and/or modify ++// it under the terms of the GNU General Public License as published by ++// the Free Software Foundation; version 2 of the License. ++// ++// This program is distributed in the hope that it will be useful, ++// but WITHOUT ANY WARRANTY; without even the implied warranty of ++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++// GNU General Public License for more details. ++// ++// You should have received a copy of the GNU General Public License along ++// with this program; if not, write to the Free Software Foundation, Inc., ++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. ++// ++// (C) 2017 Red Hat, Inc. ++// All rights reserved. 
++// --- END COPYRIGHT BLOCK --- ++package com.netscape.certsrv.logging.event; ++ ++import com.netscape.certsrv.logging.AuditEvent; ++import com.netscape.certsrv.request.RequestId; ++ ++public class SecurityDataArchivalEvent extends AuditEvent { ++ ++ private static final long serialVersionUID = 1L; ++ ++ private static final String LOGGING_PROPERTY = ++ "LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST"; ++ ++ public SecurityDataArchivalEvent( ++ String subjectID, ++ String outcome, ++ RequestId requestID, ++ String clientKeyID) { ++ ++ super(LOGGING_PROPERTY); ++ ++ setParameters(new Object[] { ++ subjectID, ++ outcome, ++ requestID, ++ clientKeyID ++ }); ++ } ++ ++ public SecurityDataArchivalEvent( ++ String subjectID, ++ String outcome, ++ String requestID) { ++ super(LOGGING_PROPERTY); ++ ++ setParameters(new Object[] { ++ subjectID, ++ outcome, ++ requestID, ++ null ++ }); ++ } ++} +\ No newline at end of file +diff --git a/base/kra/shared/conf/CS.cfg b/base/kra/shared/conf/CS.cfg +index bd49a8d..be4ce71 100644 +--- a/base/kra/shared/conf/CS.cfg ++++ b/base/kra/shared/conf/CS.cfg +@@ -300,11 +300,11 @@ log.instance.SignedAudit._001=## Signed Audit Logging + log.instance.SignedAudit._002=## + log.instance.SignedAudit._003=## + log.instance.SignedAudit._004=## Available Audit events: +-log.instance.SignedAudit._005=## 
AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED ++log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION
_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED + log.instance.SignedAudit._006=## + log.instance.SignedAudit.bufferSize=512 + log.instance.SignedAudit.enable=true 
+-log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED ++log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SE
SSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED + log.instance.SignedAudit.expirationTime=0 + log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_TYPE]/signedAudit/kra_cert-kra_audit + log.instance.SignedAudit.flushInterval=5 +diff --git a/base/kra/src/com/netscape/kra/EnrollmentService.java b/base/kra/src/com/netscape/kra/EnrollmentService.java +index e413a06..0a1fe1f 100644 +--- a/base/kra/src/com/netscape/kra/EnrollmentService.java ++++ b/base/kra/src/com/netscape/kra/EnrollmentService.java +@@ -50,6 +50,7 @@ import com.netscape.certsrv.kra.ProofOfArchival; + import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.AuditFormat; + import com.netscape.certsrv.logging.ILogger; ++import com.netscape.certsrv.logging.event.SecurityDataArchivalEvent; + import com.netscape.certsrv.profile.IEnrollProfile; + import com.netscape.certsrv.request.IRequest; + import com.netscape.certsrv.request.IService; +@@ 
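Review bot: The rewritten `log.instance.SignedAudit.events` line (and the `_005` comment line above it) keeps two pre-existing irregularities that are worth fixing while the line is being rewritten: `SECURITY_DATA_RETRIEVE_KEY` is listed twice, and `COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE` and `DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE` are preceded by a space after the comma. If the consumer of this list does not trim entries, those two event names would not match and their records would be silently missing from the enabled audit set; that consumer is not visible here, so this is worth confirming rather than assuming. Dropping the duplicate and the two stray spaces in the new line costs nothing either way.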
-155,13 +156,10 @@ public class EnrollmentService implements IService { + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + String auditRequesterID = auditRequesterID(); +- String auditArchiveID = ILogger.UNIDENTIFIED; + String auditPublicKey = ILogger.UNIDENTIFIED; + + String id = request.getRequestId().toString(); +- if (id != null) { +- auditArchiveID = id.trim(); +- } ++ + if (CMS.debugOn()) + CMS.debug("EnrollmentServlet: KRA services enrollment request"); + +@@ -198,15 +196,11 @@ public class EnrollmentService implements IService { + aOpts = CRMFParser.getPKIArchiveOptions( + request.getExtDataInString(IRequest.HTTP_PARAMS, CRMF_REQUEST)); + } catch (IOException e) { +- +- auditMessage = CMS.getLogMessage( +- AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, ++ audit(new SecurityDataArchivalEvent( + auditSubjectID, + ILogger.FAILURE, +- auditRequesterID, +- auditArchiveID); ++ auditRequesterID)); + +- audit(auditMessage); + throw new EKRAException( + CMS.getUserMessage("CMS_KRA_INVALID_PRIVATE_KEY")); + } +@@ -247,14 +241,11 @@ public class EnrollmentService implements IService { + } catch (Exception e) { + mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_UNWRAP_USER_KEY")); + +- auditMessage = CMS.getLogMessage( +- AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, ++ audit(new SecurityDataArchivalEvent( + auditSubjectID, + ILogger.FAILURE, +- auditRequesterID, +- auditArchiveID); ++ auditRequesterID)); + +- audit(auditMessage); + throw new EKRAException( + CMS.getUserMessage("CMS_KRA_INVALID_PRIVATE_KEY")); + } +@@ -283,14 +274,11 @@ public class EnrollmentService implements IService { + mKRA.log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_KRA_PUBLIC_NOT_FOUND")); + +- auditMessage = CMS.getLogMessage( +- AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, ++ audit(new SecurityDataArchivalEvent( + auditSubjectID, + ILogger.FAILURE, +- auditRequesterID, +- auditArchiveID); ++ auditRequesterID)); + +- audit(auditMessage); + throw new EKRAException( + 
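Review bot: In the `@@ -155,13` hunk the KRA request id (`id`, formerly copied into `auditArchiveID`) is still computed from `request.getRequestId()` but no longer reaches the audit record: each new `SecurityDataArchivalEvent` is built from `auditSubjectID`, the outcome and `auditRequesterID` only, so the `ArchiveID` field the old `PRIVATE_KEY_ARCHIVE_REQUEST_4` template carried has no replacement and an archival request entry can no longer be correlated with the KRA request that handled it. The same id is dropped in KeyRecoveryAuthority (`r.getRequestId()` removed in the `@@ -764` hunk), NetkeyKeygenService (`@@ -165`) and CAEnrollProfile (`@@ -80`), so one decision should cover all four. If `ArchivalRequestID` is meant to hold the KRA request id, the four-argument constructor already carries it, `audit(new SecurityDataArchivalEvent(auditSubjectID, ILogger.FAILURE, request.getRequestId(), null));`, though the new template then has no slot left for the requester id. `String auditMessage` stays declared here; whether it is still assigned later in the method is outside the hunk, as is the start of the enclosing method.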
CMS.getUserMessage("CMS_KRA_INVALID_PUBLIC_KEY")); + } +@@ -325,14 +313,11 @@ public class EnrollmentService implements IService { + mKRA.log(ILogger.LL_DEBUG, e.getMessage()); + mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_WRAP_USER_KEY")); + +- auditMessage = CMS.getLogMessage( +- AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, ++ audit(new SecurityDataArchivalEvent( + auditSubjectID, + ILogger.FAILURE, +- auditRequesterID, +- auditArchiveID); ++ auditRequesterID)); + +- audit(auditMessage); + throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_PRIVATE_KEY"), e); + } + } // !allowEncDecrypt_archival +@@ -346,14 +331,11 @@ public class EnrollmentService implements IService { + mKRA.log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_KRA_PUBLIC_NOT_FOUND")); + +- auditMessage = CMS.getLogMessage( +- AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, ++ audit(new SecurityDataArchivalEvent( + auditSubjectID, + ILogger.FAILURE, +- auditRequesterID, +- auditArchiveID); ++ auditRequesterID)); + +- audit(auditMessage); + throw new EKRAException( + CMS.getUserMessage("CMS_KRA_INVALID_PUBLIC_KEY")); + } +@@ -371,14 +353,11 @@ public class EnrollmentService implements IService { + if (owner == null) { + mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_OWNER_NAME_NOT_FOUND")); + +- auditMessage = CMS.getLogMessage( +- AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, ++ audit(new SecurityDataArchivalEvent( + auditSubjectID, + ILogger.FAILURE, +- auditRequesterID, +- auditArchiveID); ++ auditRequesterID)); + +- audit(auditMessage); + throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_KEYRECORD")); + } + +@@ -406,14 +385,11 @@ public class EnrollmentService implements IService { + mKRA.log(ILogger.LL_DEBUG, e.getMessage()); + mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_WRAP_USER_KEY")); + +- auditMessage = CMS.getLogMessage( +- AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, ++ audit(new SecurityDataArchivalEvent( + auditSubjectID, + ILogger.FAILURE, +- 
auditRequesterID, +- auditArchiveID); ++ auditRequesterID)); + +- audit(auditMessage); + throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_PRIVATE_KEY")); + } + +@@ -433,14 +409,11 @@ public class EnrollmentService implements IService { + rec.setKeySize(Integer.valueOf(rsaPublicKey.getKeySize())); + } catch (InvalidKeyException e) { + +- auditMessage = CMS.getLogMessage( +- AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, ++ audit(new SecurityDataArchivalEvent( + auditSubjectID, + ILogger.FAILURE, +- auditRequesterID, +- auditArchiveID); ++ auditRequesterID)); + +- audit(auditMessage); + throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_KEYRECORD")); + } + } else if (keyAlg.equals("EC")) { +@@ -483,14 +456,11 @@ public class EnrollmentService implements IService { + CMS.getLogMessage("CMSCORE_KRA_INVALID_SERIAL_NUMBER", + rec.getSerialNumber().toString())); + +- auditMessage = CMS.getLogMessage( +- AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, ++ audit(new SecurityDataArchivalEvent( + auditSubjectID, + ILogger.FAILURE, +- auditRequesterID, +- auditArchiveID); ++ auditRequesterID)); + +- audit(auditMessage); + throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_STATE")); + } + +@@ -505,14 +475,11 @@ public class EnrollmentService implements IService { + } catch (Exception e) { + mKRA.log(ILogger.LL_FAILURE, "Failed to store wrapping parameters"); + // TODO(alee) Set correct audit message here +- auditMessage = CMS.getLogMessage( +- AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, ++ audit(new SecurityDataArchivalEvent( + auditSubjectID, + ILogger.FAILURE, +- auditRequesterID, +- auditArchiveID); ++ auditRequesterID)); + +- audit(auditMessage); + throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_STATE")); + } + +@@ -523,14 +490,11 @@ public class EnrollmentService implements IService { + mKRA.log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_KRA_GET_NEXT_SERIAL")); + +- auditMessage = CMS.getLogMessage( +- AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, ++ 
audit(new SecurityDataArchivalEvent( + auditSubjectID, + ILogger.FAILURE, +- auditRequesterID, +- auditArchiveID); ++ auditRequesterID)); + +- audit(auditMessage); + throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_STATE")); + } + if (i == 0) { +@@ -580,14 +544,10 @@ public class EnrollmentService implements IService { + ); + + // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, ++ audit(new SecurityDataArchivalEvent( + auditSubjectID, + ILogger.SUCCESS, +- auditRequesterID, +- auditArchiveID); +- +- audit(auditMessage); ++ auditRequesterID)); + + // store a message in the signed audit log file + auditPublicKey = auditPublicKey(rec); +diff --git a/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java b/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java +index 54953d1..de097b2 100644 +--- a/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java ++++ b/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java +@@ -58,6 +58,7 @@ import com.netscape.certsrv.kra.IKeyService; + import com.netscape.certsrv.listeners.EListenersException; + import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.ILogger; ++import com.netscape.certsrv.logging.event.SecurityDataArchivalEvent; + import com.netscape.certsrv.request.ARequestNotifier; + import com.netscape.certsrv.request.IPolicy; + import com.netscape.certsrv.request.IRequest; +@@ -751,11 +752,9 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove + String auditSubjectID = auditSubjectID(); + String auditRequesterID = auditRequesterID(); + String auditPublicKey = auditPublicKey(rec); +- String auditArchiveID = ILogger.UNIDENTIFIED; + + IRequestQueue queue = null; + IRequest r = null; +- String id = null; + + // ensure that any low-level exceptions are reported + // to the signed audit log and stored as failures +@@ -764,34 +763,18 @@ public class KeyRecoveryAuthority implements 
IAuthority, IKeyService, IKeyRecove + + r = queue.newRequest(KRAService.ENROLLMENT); + +- if (r != null) { +- // overwrite "auditArchiveID" if and only if "id" != null +- id = r.getRequestId().toString(); +- if (id != null) { +- auditArchiveID = id.trim(); +- } +- } +- + // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, ++ audit(new SecurityDataArchivalEvent( + auditSubjectID, + ILogger.SUCCESS, +- auditRequesterID, +- auditArchiveID); ++ auditRequesterID)); + +- audit(auditMessage); + } catch (EBaseException eAudit1) { + // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, ++ audit(new SecurityDataArchivalEvent( + auditSubjectID, + ILogger.FAILURE, +- auditRequesterID, +- auditArchiveID); +- +- audit(auditMessage); +- ++ auditRequesterID)); + throw eAudit1; + } + +diff --git a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java +index 636e93e..0885469 100644 +--- a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java ++++ b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java +@@ -49,6 +49,7 @@ import com.netscape.certsrv.dbs.keydb.IKeyRepository; + import com.netscape.certsrv.kra.IKeyRecoveryAuthority; + import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.ILogger; ++import com.netscape.certsrv.logging.event.SecurityDataArchivalEvent; + import com.netscape.certsrv.request.IRequest; + import com.netscape.certsrv.request.IService; + import com.netscape.certsrv.security.IStorageKeyUnit; +@@ -142,7 +143,6 @@ public class NetkeyKeygenService implements IService { + throws EBaseException { + String auditMessage = null; + String auditSubjectID = null; +- String auditArchiveID = ILogger.UNIDENTIFIED; + byte[] wrapped_des_key; + + byte iv[] = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 }; +@@ -165,11 +165,6 @@ public class 
NetkeyKeygenService implements IService { + ; + String PubKey = ""; + +- String id = request.getRequestId().toString(); +- if (id != null) { +- auditArchiveID = id.trim(); +- } +- + String rArchive = request.getExtDataInString(IRequest.NETKEY_ATTR_ARCHIVE_FLAG); + if (rArchive.equals("true")) { + archive = true; +@@ -395,14 +390,10 @@ public class NetkeyKeygenService implements IService { + // + // mKRA.log(ILogger.LL_INFO, "KRA encrypts internal private"); + +- auditMessage = CMS.getLogMessage( +- AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, ++ audit( new SecurityDataArchivalEvent( + agentId, + ILogger.SUCCESS, +- auditSubjectID, +- auditArchiveID); +- +- audit(auditMessage); ++ auditSubjectID)); + + CMS.debug("KRA encrypts private key to put on internal ldap db"); + byte privateKeyData[] = null; +diff --git a/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java b/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java +index 38f7e93..b0bcff2 100644 +--- a/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java ++++ b/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java +@@ -50,6 +50,7 @@ import com.netscape.certsrv.key.KeyRequestResponse; + import com.netscape.certsrv.key.SymKeyGenerationRequest; + import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.ILogger; ++import com.netscape.certsrv.logging.event.SecurityDataArchivalEvent; + import com.netscape.certsrv.request.RequestId; + import com.netscape.certsrv.request.RequestNotFoundException; + import com.netscape.cms.realm.PKIPrincipal; +@@ -354,13 +355,11 @@ public class KeyRequestService extends SubsystemService implements KeyRequestRes + } + + public void auditArchivalRequestMade(RequestId requestId, String status, String clientKeyID) { +- String msg = CMS.getLogMessage( +- AuditEvent.SECURITY_DATA_ARCHIVAL_REQUEST, ++ audit(new SecurityDataArchivalEvent( + getRequestor(), + status, +- requestId != null? 
requestId.toString(): "null", +- clientKeyID); +- auditor.log(msg); ++ requestId, ++ clientKeyID)); + } + + public void auditSymKeyGenRequestMade(RequestId requestId, String status, String clientKeyID) { +diff --git a/base/server/cms/src/com/netscape/cms/profile/common/CAEnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/CAEnrollProfile.java +index 02aa8c8..85db2cb 100644 +--- a/base/server/cms/src/com/netscape/cms/profile/common/CAEnrollProfile.java ++++ b/base/server/cms/src/com/netscape/cms/profile/common/CAEnrollProfile.java +@@ -29,9 +29,9 @@ import com.netscape.certsrv.ca.AuthorityID; + import com.netscape.certsrv.ca.ICAService; + import com.netscape.certsrv.ca.ICertificateAuthority; + import com.netscape.certsrv.connector.IConnector; +-import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.AuditFormat; + import com.netscape.certsrv.logging.ILogger; ++import com.netscape.certsrv.logging.event.SecurityDataArchivalEvent; + import com.netscape.certsrv.profile.EProfileException; + import com.netscape.certsrv.profile.ERejectException; + import com.netscape.certsrv.profile.IProfileUpdater; +@@ -80,15 +80,10 @@ public class CAEnrollProfile extends EnrollProfile { + throw new EProfileException("Profile Not Enabled"); + } + +- String auditMessage = null; + String auditSubjectID = auditSubjectID(); + String auditRequesterID = auditRequesterID(request); +- String auditArchiveID = ILogger.UNIDENTIFIED; +- + String id = request.getRequestId().toString(); +- if (id != null) { +- auditArchiveID = id.trim(); +- } ++ + + CMS.debug("CAEnrollProfile: execute request ID " + id); + +@@ -117,29 +112,21 @@ public class CAEnrollProfile extends EnrollProfile { + CMS.debug("CAEnrollProfile: KRA connector " + + "not configured"); + +- auditMessage = CMS.getLogMessage( +- AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, ++ audit(new SecurityDataArchivalEvent( + auditSubjectID, + ILogger.FAILURE, +- auditRequesterID, +- auditArchiveID); +- +- 
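Review bot: The explicit `requestId != null ? requestId.toString() : "null"` guard in `auditArchivalRequestMade` is dropped and the `RequestId` object now goes straight into the event's parameter array, so how a null request id is rendered now depends on what `CMS.getLogMessage(String, Object[])` does with a null element, which is not visible in this chunk. If it throws, an archival request without an id would lose its audit entry at the point where it is supposed to be recorded; if it formats differently from the old literal `"null"`, the log format changes for that case. A short comment on the method stating the expected rendering of a null `requestId`, or keeping the guard at the call site, would pin this down.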
audit(auditMessage); +- ++ auditRequesterID)); + } else { + CMS.debug("CAEnrollProfile: execute send request"); + kraConnector.send(request); + + // check response + if (!request.isSuccess()) { +- auditMessage = CMS.getLogMessage( +- AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, ++ audit(new SecurityDataArchivalEvent( + auditSubjectID, + ILogger.FAILURE, +- auditRequesterID, +- auditArchiveID); ++ auditRequesterID)); + +- audit(auditMessage); + if (request.getError(getLocale(request)) != null && + (request.getError(getLocale(request))).equals(CMS.getUserMessage("CMS_KRA_INVALID_TRANSPORT_CERT"))) { + CMS.debug("CAEnrollProfile: execute set request status: REJECTED"); +@@ -150,14 +137,10 @@ public class CAEnrollProfile extends EnrollProfile { + request.getError(getLocale(request))); + } + +- auditMessage = CMS.getLogMessage( +- AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, ++ audit(new SecurityDataArchivalEvent( + auditSubjectID, + ILogger.SUCCESS, +- auditRequesterID, +- auditArchiveID); +- +- audit(auditMessage); ++ auditRequesterID)); + } + } catch (Exception e) { + +@@ -167,14 +150,11 @@ public class CAEnrollProfile extends EnrollProfile { + CMS.debug("CAEnrollProfile: " + e); + CMS.debug(e); + +- auditMessage = CMS.getLogMessage( +- AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, ++ audit(new SecurityDataArchivalEvent( + auditSubjectID, + ILogger.FAILURE, +- auditRequesterID, +- auditArchiveID); ++ auditRequesterID)); + +- audit(auditMessage); + throw new EProfileException(e); + } + } +diff --git a/base/server/cms/src/com/netscape/cms/servlet/base/SubsystemService.java b/base/server/cms/src/com/netscape/cms/servlet/base/SubsystemService.java +index 30d6b9c..2bcde64 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/base/SubsystemService.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/base/SubsystemService.java +@@ -81,6 +81,16 @@ public class SubsystemService extends PKIService { + getClass().getSimpleName() + ": " + message); + } + ++ protected void 
audit(AuditEvent event) { ++ ++ String template = event.getMessage(); ++ Object[] params = event.getParameters(); ++ ++ String message = CMS.getLogMessage(template, params); ++ ++ auditor.log(message); ++ } ++ + public void audit(String message, String scope, String type, String id, Map params, String status) { + + String auditMessage = CMS.getLogMessage( +diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties +index 6bc2d82..03af216 100644 +--- a/base/server/cmsbundle/src/LogMessages.properties ++++ b/base/server/cmsbundle/src/LogMessages.properties +@@ -1943,18 +1943,6 @@ LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE_4=:[AuditEvent=LOG_PA + # -- feature disabled -- + #LOGGING_SIGNED_AUDIT_LOG_EXPIRATION_CHANGE_4=:[AuditEvent=LOG_EXPIRATION_CHANGE][SubjectID={0}][Outcome={1}][LogType={2}][ExpirationTime={3}] log expiration time change attempt + # +-# LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST +-# - used when user private key archive request is made +-# this is an option in a certificate enrollment request detected by RA or CA +-# so should be seen logged right following the certificate request, if selected +-# ReqID must be the certificate enrollment request ID associated with the +-# CA archive option (even if the request was originally submitted via +-# an RA) (this field is set to the "EntityID" in caase of server-side key gen) +-# ArchiveID must be the DRM request ID associated with the enrollment ID, +-# ReqID (this field will be "N/A" when logged by the CA) +-# +-LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_4=:[AuditEvent=PRIVATE_KEY_ARCHIVE_REQUEST][SubjectID={0}][Outcome={1}][ReqID={2}][ArchiveID={3}] private key archive request +-# + # LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED + # - used when user private key archive request is processed + # this is when DRM receives and processed the request +@@ -2490,7 +2478,7 @@ 
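Review bot: The new `audit(AuditEvent)` in SubsystemService depends on an unstated contract: `event.getMessage()` is not a rendered message but the LogMessages.properties key that the event classes pass to `super(LOGGING_PROPERTY)`, and it is only resolved here by `CMS.getLogMessage(template, params)`. That should be documented on the method, e.g. `/** Resolves the event's message key against LogMessages.properties using the event's parameters and writes the result to the signed audit log. */`, because an `AuditEvent` constructed with an already-formatted message would be logged as an unresolved key without any error. The method uses nothing of `event` beyond those two getters, so an event whose parameters were never set hands a null array to `getLogMessage`; whether that is tolerated is decided outside this hunk.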
LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED_6=:[AuditEvent=SECURITY_DATA_ARCHIVAL_REQUEST][SubjectID={0}][Outcome={1}][ArchivalRequestID={2}][ClientKeyID={3}] security data archival request made ++LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST=:[AuditEvent=SECURITY_DATA_ARCHIVAL_REQUEST][SubjectID={0}][Outcome={1}][ArchivalRequestID={2}][ClientKeyID={3}] security data archival request made + # + # + # LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_PROCESSED +-- +1.8.3.1 + + +From 3a35eceffed65862e66806c20cff3a3b64d75ae8 Mon Sep 17 00:00:00 2001 +From: Ade Lee +Date: Tue, 16 May 2017 22:16:30 -0400 +Subject: [PATCH 02/38] Encapsulate archival processed audit logs + +Encapsulate audit logs for SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED +and PRIVATE_KEY_ARCHIVAL_REQUEST_PROCESSED. We have merged the +two audit events. + +Change-Id: I2abc7edff076495bb62733b92304fecd4f15b2b7 +--- + .../com/netscape/certsrv/logging/AuditEvent.java | 4 -- + .../event/SecurityDataArchivalProcessedEvent.java | 49 ++++++++++++++++++++++ + base/kra/shared/conf/CS.cfg | 2 +- + .../src/com/netscape/kra/EnrollmentService.java | 15 ++++--- + .../src/com/netscape/kra/KeyRecoveryAuthority.java | 33 ++++++++------- + .../src/com/netscape/kra/NetkeyKeygenService.java | 13 +++--- + .../com/netscape/kra/SecurityDataProcessor.java | 8 ++-- + base/server/cmsbundle/src/LogMessages.properties | 10 +---- + 8 files changed, 86 insertions(+), 48 deletions(-) + create mode 100644 base/common/src/com/netscape/certsrv/logging/event/SecurityDataArchivalProcessedEvent.java + +diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java +index a224ae6..ce5cc4b 100644 +--- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java ++++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java +@@ -72,8 +72,6 @@ public class AuditEvent implements IBundleLogEvent { + public final static String LOG_PATH_CHANGE 
= + "LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE_4"; + +- public final static String PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED = +- "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED_3"; + public final static String PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS = + "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS_4"; + public final static String PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE = +@@ -178,8 +176,6 @@ public class AuditEvent implements IBundleLogEvent { + public final static String CONFIG_SERIAL_NUMBER = + "LOGGING_SIGNED_AUDIT_CONFIG_SERIAL_NUMBER_1"; + +- public final static String SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED = +- "LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED_6"; + public final static String SECURITY_DATA_RECOVERY_REQUEST_PROCESSED = + "LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_PROCESSED_5"; + public static final String SECURITY_DATA_RECOVERY_REQUEST = +diff --git a/base/common/src/com/netscape/certsrv/logging/event/SecurityDataArchivalProcessedEvent.java b/base/common/src/com/netscape/certsrv/logging/event/SecurityDataArchivalProcessedEvent.java +new file mode 100644 +index 0000000..8d7593b +--- /dev/null ++++ b/base/common/src/com/netscape/certsrv/logging/event/SecurityDataArchivalProcessedEvent.java +@@ -0,0 +1,49 @@ ++// --- BEGIN COPYRIGHT BLOCK --- ++// This program is free software; you can redistribute it and/or modify ++// it under the terms of the GNU General Public License as published by ++// the Free Software Foundation; version 2 of the License. ++// ++// This program is distributed in the hope that it will be useful, ++// but WITHOUT ANY WARRANTY; without even the implied warranty of ++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++// GNU General Public License for more details. 
++// ++// You should have received a copy of the GNU General Public License along ++// with this program; if not, write to the Free Software Foundation, Inc., ++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. ++// ++// (C) 2017 Red Hat, Inc. ++// All rights reserved. ++// --- END COPYRIGHT BLOCK --- ++package com.netscape.certsrv.logging.event; ++ ++import com.netscape.certsrv.logging.AuditEvent; ++ ++public class SecurityDataArchivalProcessedEvent extends AuditEvent { ++ ++ private static final long serialVersionUID = 1L; ++ ++ private static final String LOGGING_PROPERTY = "LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED"; ++ ++ public SecurityDataArchivalProcessedEvent( ++ String subjectID, ++ String outcome, ++ String requestID, ++ String clientKeyID, ++ String keyID, ++ String failureReason, ++ String pubkey) { ++ ++ super(LOGGING_PROPERTY); ++ ++ setParameters(new Object[] { ++ subjectID, ++ outcome, ++ requestID, ++ clientKeyID, ++ keyID, ++ failureReason, ++ pubkey ++ }); ++ } ++} +\ No newline at end of file +diff --git a/base/kra/shared/conf/CS.cfg b/base/kra/shared/conf/CS.cfg +index be4ce71..23d2508 100644 +--- a/base/kra/shared/conf/CS.cfg ++++ b/base/kra/shared/conf/CS.cfg +@@ -300,7 +300,7 @@ log.instance.SignedAudit._001=## Signed Audit Logging + log.instance.SignedAudit._002=## + log.instance.SignedAudit._003=## + log.instance.SignedAudit._004=## Available Audit events: +-log.instance.SignedAudit._005=## 
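Review bot: `SecurityDataArchivalProcessedEvent` takes seven same-typed String parameters (`subjectID, outcome, requestID, clientKeyID, keyID, failureReason, pubkey`), which a caller can transpose without a compile error, and its key `LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED` replaces a `_6` key that carried six slots; the LogMessages.properties hunk defining the seven-slot template is not in this chunk, so the `{0}`–`{6}` count should be checked against it. A constructor javadoc naming the template field each position fills, and stating which of `clientKeyID`, `keyID`, `failureReason` and `pubkey` are expected to be null on the success and failure paths, would make the call sites reviewable. The file also lacks a trailing newline.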
AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED ++log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUE
ST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED + log.instance.SignedAudit._006=## + log.instance.SignedAudit.bufferSize=512 + log.instance.SignedAudit.enable=true +diff --git a/base/kra/src/com/netscape/kra/EnrollmentService.java b/base/kra/src/com/netscape/kra/EnrollmentService.java +index 0a1fe1f..cf2a88f 100644 +--- a/base/kra/src/com/netscape/kra/EnrollmentService.java ++++ b/base/kra/src/com/netscape/kra/EnrollmentService.java +@@ -51,6 +51,7 @@ import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.AuditFormat; + import com.netscape.certsrv.logging.ILogger; + import com.netscape.certsrv.logging.event.SecurityDataArchivalEvent; ++import com.netscape.certsrv.logging.event.SecurityDataArchivalProcessedEvent; + import com.netscape.certsrv.profile.IEnrollProfile; + import com.netscape.certsrv.request.IRequest; + import com.netscape.certsrv.request.IService; +@@ -153,13 +154,10 @@ public class EnrollmentService implements IService { + 
statsSub.startTiming("archival", true /* main action */); + } + +- String auditMessage = null; + String auditSubjectID = auditSubjectID(); + String auditRequesterID = auditRequesterID(); + String auditPublicKey = ILogger.UNIDENTIFIED; + +- String id = request.getRequestId().toString(); +- + if (CMS.debugOn()) + CMS.debug("EnrollmentServlet: KRA services enrollment request"); + +@@ -551,13 +549,14 @@ public class EnrollmentService implements IService { + + // store a message in the signed audit log file + auditPublicKey = auditPublicKey(rec); +- auditMessage = CMS.getLogMessage( +- AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED, ++ audit(new SecurityDataArchivalProcessedEvent( + auditSubjectID, + ILogger.SUCCESS, +- auditPublicKey); +- +- audit(auditMessage); ++ request.getRequestId().toString(), ++ null, ++ rec.getSerialNumber().toString(), ++ null, ++ auditPublicKey)); + + // Xxx - should sign this proof of archival + ProofOfArchival mProof = new ProofOfArchival(serialNo, +diff --git a/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java b/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java +index de097b2..bc58d14 100644 +--- a/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java ++++ b/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java +@@ -59,6 +59,7 @@ import com.netscape.certsrv.listeners.EListenersException; + import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.ILogger; + import com.netscape.certsrv.logging.event.SecurityDataArchivalEvent; ++import com.netscape.certsrv.logging.event.SecurityDataArchivalProcessedEvent; + import com.netscape.certsrv.request.ARequestNotifier; + import com.netscape.certsrv.request.IPolicy; + import com.netscape.certsrv.request.IRequest; +@@ -786,23 +787,23 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove + queue.processRequest(r); + } + +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- 
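Review bot: Only the SUCCESS outcome is audited in this hunk, and the removal of the `auditMessage` local earlier in the same method suggests no FAILURE-outcome archive-processed record was written before either, whereas the KeyRecoveryAuthority path in this patch emits an `ILogger.FAILURE` SecurityDataArchivalProcessedEvent. If the error branches above this hunk (not visible) do not record the failed outcome, a key that fails to be stored through this enrollment path is the one archival that leaves no processed-failure trace; the fix is a matching `audit(new SecurityDataArchivalProcessedEvent(auditSubjectID, ILogger.FAILURE, request.getRequestId().toString(), null, null, e.getMessage(), auditPublicKey));` in those branches. Separately, `rec.getSerialNumber()` is logged as the KeyID while `serialNo` is handed to ProofOfArchival on the next line; presumably the same value, but using one variable for both would make that evident. The enclosing service method begins and ends outside the hunk.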
AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED, +- auditSubjectID, +- ILogger.SUCCESS, +- auditPublicKey); +- +- audit(auditMessage); ++ audit(new SecurityDataArchivalProcessedEvent( ++ auditSubjectID, ++ ILogger.SUCCESS, ++ r.getRequestId().toString(), ++ null, ++ rec.getSerialNumber().toString(), ++ null, ++ auditPublicKey)); + } catch (EBaseException eAudit1) { +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED, +- auditSubjectID, +- ILogger.FAILURE, +- auditPublicKey); +- +- audit(auditMessage); ++ audit(new SecurityDataArchivalProcessedEvent( ++ auditSubjectID, ++ ILogger.FAILURE, ++ r.getRequestId().toString(), ++ null, ++ rec.getSerialNumber().toString(), ++ eAudit1.getMessage(), ++ auditPublicKey)); + + throw eAudit1; + } +diff --git a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java +index 0885469..cd1079d 100644 +--- a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java ++++ b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java +@@ -50,6 +50,7 @@ import com.netscape.certsrv.kra.IKeyRecoveryAuthority; + import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.ILogger; + import com.netscape.certsrv.logging.event.SecurityDataArchivalEvent; ++import com.netscape.certsrv.logging.event.SecurityDataArchivalProcessedEvent; + import com.netscape.certsrv.request.IRequest; + import com.netscape.certsrv.request.IService; + import com.netscape.certsrv.security.IStorageKeyUnit; +@@ -480,14 +481,14 @@ public class NetkeyKeygenService implements IService { + storage.addKeyRecord(rec); + CMS.debug("NetkeyKeygenService: key archived for " + rCUID + ":" + rUserid); + +- auditMessage = CMS.getLogMessage( +- AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED, ++ audit(new SecurityDataArchivalProcessedEvent( + agentId, + ILogger.SUCCESS, +- PubKey); +- +- audit(auditMessage); +- ++ 
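Review bot: The `catch (EBaseException eAudit1)` block now dereferences `r` to build the FAILURE event, but the `try` it belongs to starts above this hunk; if `r` is only assigned inside that try (the request is created there in the usual KRA flow), any failure before the assignment becomes a NullPointerException and the failure audit record is never written. Guard it with `r != null ? r.getRequestId().toString() : null`; `rec` is the archiveKey parameter (visible in the later hunk of this file) so it needs no guard. `eAudit1.getMessage()` can also be null for message-less exceptions, which would log `[FailureReason=null]`; `String.valueOf(eAudit1.getMessage())` or a fallback to `eAudit1.toString()` keeps the field populated. The enclosing archiveKey method begins outside the hunk.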
request.getRequestId().toString(), ++ null, ++ serialNo.toString(), ++ null, ++ PubKey)); + } //if archive + + request.setExtData(IRequest.RESULT, Integer.valueOf(1)); +diff --git a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java +index 344f376..fa12805 100644 +--- a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java ++++ b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java +@@ -40,6 +40,7 @@ import com.netscape.certsrv.kra.EKRAException; + import com.netscape.certsrv.kra.IKeyRecoveryAuthority; + import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.ILogger; ++import com.netscape.certsrv.logging.event.SecurityDataArchivalProcessedEvent; + import com.netscape.certsrv.profile.IEnrollProfile; + import com.netscape.certsrv.request.IRequest; + import com.netscape.certsrv.request.RequestId; +@@ -867,14 +868,13 @@ public class SecurityDataProcessor { + + private void auditArchivalRequestProcessed(String subjectID, String status, RequestId requestID, String clientKeyID, + String keyID, String reason) { +- String auditMessage = CMS.getLogMessage( +- AuditEvent.SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED, ++ audit(new SecurityDataArchivalProcessedEvent( + subjectID, + status, + requestID.toString(), + clientKeyID, + keyID != null ? 
keyID : "None", +- reason); +- audit(auditMessage); ++ reason, ++ null)); + } + } +diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties +index 03af216..a7ce567 100644 +--- a/base/server/cmsbundle/src/LogMessages.properties ++++ b/base/server/cmsbundle/src/LogMessages.properties +@@ -1943,14 +1943,6 @@ LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE_4=:[AuditEvent=LOG_PA + # -- feature disabled -- + #LOGGING_SIGNED_AUDIT_LOG_EXPIRATION_CHANGE_4=:[AuditEvent=LOG_EXPIRATION_CHANGE][SubjectID={0}][Outcome={1}][LogType={2}][ExpirationTime={3}] log expiration time change attempt + # +-# LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED +-# - used when user private key archive request is processed +-# this is when DRM receives and processed the request +-# PubKey must be the base-64 encoded public key associated with +-# the private key to be archived +-# +-LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED_3=:[AuditEvent=PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED][SubjectID={0}][Outcome={1}][PubKey={2}] private key archive request processed +-# + # LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS + # - used when user private key export request is made and processed with success + # - this is used in case of server-side keygen when keys generated on the server +@@ -2471,7 +2463,7 @@ LOGGING_SIGNED_AUDIT_CONFIG_SERIAL_NUMBER_1=:[AuditEv + # Client ID must be the user supplied client ID associated with + # the security data to be archived + # +-LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED_6=:[AuditEvent=SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED][SubjectID={0}][Outcome={1}][ArchivalRequestID={2}][ClientKeyID={3}][KeyID={4}][FailureReason={5}] security data archival request processed 
++LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED=:[AuditEvent=SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED][SubjectID={0}][Outcome={1}][ArchivalRequestID={2}][ClientKeyID={3}][KeyID={4}][FailureReason={5}][PubKey={6}] security data archival request processed + # + # LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST + # - used when security data recovery request is made +-- +1.8.3.1 + + +From 90f6d8ece46d70a3566b97b549efb1053895f407 Mon Sep 17 00:00:00 2001 +From: Ade Lee +Date: Tue, 16 May 2017 23:11:34 -0400 +Subject: [PATCH 03/38] Encapsulate key recovery audit events + +Encapsulate SECURITY_DATA_KEY_RECOVERY_REQUEST and +KEY_RECOVERY_REQUEST audit events as audit event objects. +We have collapse to a single audit event type. + +Change-Id: I68c27573725cf27c34d008c58847d6a22e0d0bac +--- + .../com/netscape/certsrv/logging/AuditEvent.java | 4 -- + .../event/SecurityDataArchivalProcessedEvent.java | 6 ++- + .../logging/event/SecurityDataRecoveryEvent.java | 48 +++++++++++++++++++++ + base/kra/shared/conf/CS.cfg | 4 +- + .../src/com/netscape/kra/EnrollmentService.java | 5 ++- + .../src/com/netscape/kra/KeyRecoveryAuthority.java | 49 ++++++++++++++-------- + .../src/com/netscape/kra/NetkeyKeygenService.java | 5 ++- + .../com/netscape/kra/SecurityDataProcessor.java | 9 ++-- + .../com/netscape/kra/TokenKeyRecoveryService.java | 18 ++++---- + .../server/kra/rest/KeyRequestService.java | 10 ++--- + base/server/cmsbundle/src/LogMessages.properties | 2 +- + 11 files changed, 114 insertions(+), 46 deletions(-) + create mode 100644 base/common/src/com/netscape/certsrv/logging/event/SecurityDataRecoveryEvent.java + +diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java +index ce5cc4b..da571fe 100644 +--- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java ++++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java +@@ -82,8 +82,6 @@ public class AuditEvent 
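Review bot: The new message adds a seventh field `[PubKey={6}]`, but the parameter notes above it (the `# Client ID must be ...` lines at the top of the hunk) are not extended, and the explanation this patch deletes together with the old PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED entry was the only written statement of what PubKey must contain. I would carry it over as `# PubKey must be the base-64 encoded public key associated with the private key being archived; empty where no public key exists (SecurityDataProcessor passes null)` next to the existing parameter notes. Dropping the `_6` suffix from the key changes the naming convention every other entry in this file follows; if the suffix was only informal documentation of the argument count that is harmless, but a one-line comment saying so would stop the next reader from treating it as a typo.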
implements IBundleLogEvent { + "LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS_4"; + public final static String SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE = + "LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE_3"; +- public final static String KEY_RECOVERY_REQUEST = +- "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_4"; + public final static String KEY_RECOVERY_REQUEST_ASYNC = + "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_ASYNC_4"; + public final static String KEY_RECOVERY_AGENT_LOGIN = +@@ -178,8 +176,6 @@ public class AuditEvent implements IBundleLogEvent { + + public final static String SECURITY_DATA_RECOVERY_REQUEST_PROCESSED = + "LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_PROCESSED_5"; +- public static final String SECURITY_DATA_RECOVERY_REQUEST = +- "LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_4"; + public static final String SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE = + "LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE_4"; + public final static String SECURITY_DATA_RETRIEVE_KEY = +diff --git a/base/common/src/com/netscape/certsrv/logging/event/SecurityDataArchivalProcessedEvent.java b/base/common/src/com/netscape/certsrv/logging/event/SecurityDataArchivalProcessedEvent.java +index 8d7593b..eb4f6b3 100644 +--- a/base/common/src/com/netscape/certsrv/logging/event/SecurityDataArchivalProcessedEvent.java ++++ b/base/common/src/com/netscape/certsrv/logging/event/SecurityDataArchivalProcessedEvent.java +@@ -17,7 +17,9 @@ + // --- END COPYRIGHT BLOCK --- + package com.netscape.certsrv.logging.event; + ++import com.netscape.certsrv.dbs.keydb.KeyId; + import com.netscape.certsrv.logging.AuditEvent; ++import com.netscape.certsrv.request.RequestId; + + public class SecurityDataArchivalProcessedEvent extends AuditEvent { + +@@ -28,9 +30,9 @@ public class SecurityDataArchivalProcessedEvent extends AuditEvent { + public SecurityDataArchivalProcessedEvent( + String subjectID, + String outcome, +- String 
requestID, ++ RequestId requestID, + String clientKeyID, +- String keyID, ++ KeyId keyID, + String failureReason, + String pubkey) { + +diff --git a/base/common/src/com/netscape/certsrv/logging/event/SecurityDataRecoveryEvent.java b/base/common/src/com/netscape/certsrv/logging/event/SecurityDataRecoveryEvent.java +new file mode 100644 +index 0000000..97e3c96 +--- /dev/null ++++ b/base/common/src/com/netscape/certsrv/logging/event/SecurityDataRecoveryEvent.java +@@ -0,0 +1,48 @@ ++// --- BEGIN COPYRIGHT BLOCK --- ++// This program is free software; you can redistribute it and/or modify ++// it under the terms of the GNU General Public License as published by ++// the Free Software Foundation; version 2 of the License. ++// ++// This program is distributed in the hope that it will be useful, ++// but WITHOUT ANY WARRANTY; without even the implied warranty of ++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++// GNU General Public License for more details. ++// ++// You should have received a copy of the GNU General Public License along ++// with this program; if not, write to the Free Software Foundation, Inc., ++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. ++// ++// (C) 2017 Red Hat, Inc. ++// All rights reserved. 
++// --- END COPYRIGHT BLOCK --- ++package com.netscape.certsrv.logging.event; ++ ++import com.netscape.certsrv.dbs.keydb.KeyId; ++import com.netscape.certsrv.logging.AuditEvent; ++import com.netscape.certsrv.request.RequestId; ++ ++public class SecurityDataRecoveryEvent extends AuditEvent { ++ ++ private static final long serialVersionUID = 1L; ++ ++ private static final String LOGGING_PROPERTY = ++ "LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST"; ++ ++ public SecurityDataRecoveryEvent( ++ String subjectID, ++ String outcome, ++ RequestId recoveryID, ++ KeyId keyID, ++ String pubkey) { ++ ++ super(LOGGING_PROPERTY); ++ ++ setParameters(new Object[] { ++ subjectID, ++ outcome, ++ recoveryID, ++ keyID, ++ pubkey ++ }); ++ } ++} +\ No newline at end of file +diff --git a/base/kra/shared/conf/CS.cfg b/base/kra/shared/conf/CS.cfg +index 23d2508..54adae1 100644 +--- a/base/kra/shared/conf/CS.cfg ++++ b/base/kra/shared/conf/CS.cfg +@@ -300,11 +300,11 @@ log.instance.SignedAudit._001=## Signed Audit Logging + log.instance.SignedAudit._002=## + log.instance.SignedAudit._003=## + log.instance.SignedAudit._004=## Available Audit events: +-log.instance.SignedAudit._005=## 
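Review bot: `recoveryID` and `keyID` are handed to `setParameters` as `RequestId`/`KeyId` objects rather than strings, so the audit text depends entirely on those classes' `toString()`, and the only caller visible in this chunk (the KeyRecoveryAuthority recovery-request path) passes `null` for `keyID`, which will presumably be rendered as `[KeyID=null]`. The property this class names, `LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST`, replaces the `_4`-suffixed constant deleted from AuditEvent, but the corresponding LogMessages.properties change is not in this chunk, so the argument count it expects cannot be checked here. A short javadoc listing the five fields in order and stating that `keyID` may be null would let the next reader verify the bundle entry without guessing; the file also lacks a trailing newline.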
AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED ++log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS,
 COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED + log.instance.SignedAudit._006=## + log.instance.SignedAudit.bufferSize=512 + log.instance.SignedAudit.enable=true 
+-log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED ++log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, 
COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED + log.instance.SignedAudit.expirationTime=0 + log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_TYPE]/signedAudit/kra_cert-kra_audit + log.instance.SignedAudit.flushInterval=5 +diff --git a/base/kra/src/com/netscape/kra/EnrollmentService.java b/base/kra/src/com/netscape/kra/EnrollmentService.java +index cf2a88f..b28fbc6 100644 +--- a/base/kra/src/com/netscape/kra/EnrollmentService.java ++++ b/base/kra/src/com/netscape/kra/EnrollmentService.java +@@ -44,6 +44,7 @@ import com.netscape.certsrv.base.MetaInfo; + import com.netscape.certsrv.base.SessionContext; + import com.netscape.certsrv.dbs.keydb.IKeyRecord; + import com.netscape.certsrv.dbs.keydb.IKeyRepository; ++import com.netscape.certsrv.dbs.keydb.KeyId; + import com.netscape.certsrv.kra.EKRAException; + import com.netscape.certsrv.kra.IKeyRecoveryAuthority; + import com.netscape.certsrv.kra.ProofOfArchival; +@@ -552,9 +553,9 @@ public class EnrollmentService 
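Review bot: The rewritten `log.instance.SignedAudit.events=` value keeps two pre-existing oddities that this hunk is the natural place to fix: entries with a leading space after the comma (`, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE` and `, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE`) and `SECURITY_DATA_RETRIEVE_KEY` listed twice. If the audit logger compares event names without trimming (not visible here), the two space-prefixed events are never enabled and those operations are silently absent from the signed audit trail. Since the whole line is replaced anyway, removing the spaces and the duplicate costs nothing; the same applies to the `_005` comment line rewritten just above.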
implements IService { + audit(new SecurityDataArchivalProcessedEvent( + auditSubjectID, + ILogger.SUCCESS, +- request.getRequestId().toString(), ++ request.getRequestId(), + null, +- rec.getSerialNumber().toString(), ++ new KeyId(rec.getSerialNumber()), + null, + auditPublicKey)); + +diff --git a/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java b/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java +index bc58d14..8f86eef 100644 +--- a/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java ++++ b/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java +@@ -52,6 +52,7 @@ import com.netscape.certsrv.base.ISubsystem; + import com.netscape.certsrv.base.SessionContext; + import com.netscape.certsrv.dbs.IDBSubsystem; + import com.netscape.certsrv.dbs.keydb.IKeyRepository; ++import com.netscape.certsrv.dbs.keydb.KeyId; + import com.netscape.certsrv.dbs.replicadb.IReplicaIDRepository; + import com.netscape.certsrv.kra.IKeyRecoveryAuthority; + import com.netscape.certsrv.kra.IKeyService; +@@ -60,6 +61,7 @@ import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.ILogger; + import com.netscape.certsrv.logging.event.SecurityDataArchivalEvent; + import com.netscape.certsrv.logging.event.SecurityDataArchivalProcessedEvent; ++import com.netscape.certsrv.logging.event.SecurityDataRecoveryEvent; + import com.netscape.certsrv.request.ARequestNotifier; + import com.netscape.certsrv.request.IPolicy; + import com.netscape.certsrv.request.IRequest; +@@ -749,7 +751,6 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove + */ + public IRequest archiveKey(KeyRecord rec) + throws EBaseException { +- String auditMessage = null; + String auditSubjectID = auditSubjectID(); + String auditRequesterID = auditRequesterID(); + String auditPublicKey = auditPublicKey(rec); +@@ -790,18 +791,18 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove + audit(new SecurityDataArchivalProcessedEvent( + 
auditSubjectID, + ILogger.SUCCESS, +- r.getRequestId().toString(), ++ r.getRequestId(), + null, +- rec.getSerialNumber().toString(), ++ new KeyId(rec.getSerialNumber()), + null, + auditPublicKey)); + } catch (EBaseException eAudit1) { + audit(new SecurityDataArchivalProcessedEvent( + auditSubjectID, + ILogger.FAILURE, +- r.getRequestId().toString(), ++ r.getRequestId(), + null, +- rec.getSerialNumber().toString(), ++ new KeyId(rec.getSerialNumber()), + eAudit1.getMessage(), + auditPublicKey)); + +@@ -994,7 +995,11 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove + throws EBaseException { + String auditMessage = null; + String auditSubjectID = auditSubjectID(); ++ ++ // temporary variable till other audit events are converted + String auditRecoveryID = auditRecoveryID(); ++ ++ RequestId auditRequestID = auditRequestID(); + String auditPublicKey = auditPublicKey(cert); + String auditAgents = ILogger.SIGNED_AUDIT_EMPTY_VALUE; + +@@ -1029,24 +1034,20 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove + r.setExtData(IRequest.ATTR_APPROVE_AGENTS, agent); + + // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.KEY_RECOVERY_REQUEST, ++ audit(new SecurityDataRecoveryEvent( + auditSubjectID, + ILogger.SUCCESS, +- auditRecoveryID, +- auditPublicKey); +- +- audit(auditMessage); ++ auditRequestID, ++ null, ++ auditPublicKey)); + } catch (EBaseException eAudit1) { + // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.KEY_RECOVERY_REQUEST, ++ audit(new SecurityDataRecoveryEvent( + auditSubjectID, + ILogger.FAILURE, +- auditRecoveryID, +- auditPublicKey); +- +- audit(auditMessage); ++ auditRequestID, ++ null, ++ auditPublicKey)); + + throw eAudit1; + } +@@ -1680,6 +1681,20 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove + + return recoveryID; + } ++ /* ++ * temporary function till other 
audit messages are converted ++ */ ++ private RequestId auditRequestID() { ++ SessionContext auditContext = SessionContext.getExistingContext(); ++ if (auditContext != null) { ++ String recoveryID = (String) auditContext.get(SessionContext.RECOVERY_ID); ++ if (recoveryID != null) { ++ return new RequestId(recoveryID.trim()); ++ } ++ } ++ ++ return null; ++ } + + /** + * Signed Audit Log Public Key +diff --git a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java +index cd1079d..5463b92 100644 +--- a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java ++++ b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java +@@ -46,6 +46,7 @@ import com.netscape.certsrv.base.MetaInfo; + import com.netscape.certsrv.base.SessionContext; + import com.netscape.certsrv.dbs.keydb.IKeyRecord; + import com.netscape.certsrv.dbs.keydb.IKeyRepository; ++import com.netscape.certsrv.dbs.keydb.KeyId; + import com.netscape.certsrv.kra.IKeyRecoveryAuthority; + import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.ILogger; +@@ -484,9 +485,9 @@ public class NetkeyKeygenService implements IService { + audit(new SecurityDataArchivalProcessedEvent( + agentId, + ILogger.SUCCESS, +- request.getRequestId().toString(), ++ request.getRequestId(), + null, +- serialNo.toString(), ++ new KeyId(serialNo), + null, + PubKey)); + } //if archive +diff --git a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java +index fa12805..da8dd9b 100644 +--- a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java ++++ b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java +@@ -35,6 +35,7 @@ import com.netscape.certsrv.base.EBaseException; + import com.netscape.certsrv.base.IConfigStore; + import com.netscape.certsrv.dbs.keydb.IKeyRecord; + import com.netscape.certsrv.dbs.keydb.IKeyRepository; ++import com.netscape.certsrv.dbs.keydb.KeyId; + import 
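Review bot: `auditRequestID()` returns null when no session context exists or it holds no RECOVERY_ID, while the `auditRecoveryID()` helper it is introduced to replace maps both cases to `ILogger.UNIDENTIFIED`, so a SecurityDataRecoveryEvent raised outside a recovery session now carries a null RecoveryID. The `@@ -1646,45 +1635,10 @@` hunk of the next patch in this series deletes that UNIDENTIFIED fallback and renames this helper to `auditRecoveryID()`, so the sentinel is lost for good. If RequestId accepts the sentinel string, `return new RequestId(ILogger.UNIDENTIFIED);` in place of `return null;` keeps the old audit-record contract; otherwise the helper should say so, e.g. `/** Returns the RecoveryID from the session context, or null when none is set; audit events must tolerate a null RecoveryID. */`.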
com.netscape.certsrv.key.KeyRequestResource; + import com.netscape.certsrv.kra.EKRAException; + import com.netscape.certsrv.kra.IKeyRecoveryAuthority; +@@ -300,7 +301,7 @@ public class SecurityDataProcessor { + keyRepository.addKeyRecord(rec); + + auditArchivalRequestProcessed(auditSubjectID, ILogger.SUCCESS, requestId, +- clientKeyId, serialNo.toString(), "None"); ++ clientKeyId, new KeyId(serialNo), "None"); + + request.setExtData(ATTR_KEY_RECORD, serialNo); + request.setExtData(IRequest.RESULT, IRequest.RES_SUCCESS); +@@ -867,13 +868,13 @@ public class SecurityDataProcessor { + } + + private void auditArchivalRequestProcessed(String subjectID, String status, RequestId requestID, String clientKeyID, +- String keyID, String reason) { ++ KeyId keyID, String reason) { + audit(new SecurityDataArchivalProcessedEvent( + subjectID, + status, +- requestID.toString(), ++ requestID, + clientKeyID, +- keyID != null ? keyID : "None", ++ keyID, + reason, + null)); + } +diff --git a/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java b/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java +index 64f65a0..7aca24c 100644 +--- a/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java ++++ b/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java +@@ -47,8 +47,10 @@ import com.netscape.certsrv.kra.EKRAException; + import com.netscape.certsrv.kra.IKeyRecoveryAuthority; + import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.ILogger; ++import com.netscape.certsrv.logging.event.SecurityDataRecoveryEvent; + import com.netscape.certsrv.request.IRequest; + import com.netscape.certsrv.request.IService; ++import com.netscape.certsrv.request.RequestId; + import com.netscape.certsrv.security.IStorageKeyUnit; + import com.netscape.certsrv.security.ITransportKeyUnit; + import com.netscape.cmscore.dbs.KeyRecord; +@@ -211,6 +213,10 @@ public class TokenKeyRecoveryService implements IService { + if (id != null) { + auditRecoveryID = id.trim(); + 
} ++ ++ // temporary variable till other audit messages have been replaced ++ RequestId auditRequestID = request.getRequestId(); ++ + SessionContext sContext = SessionContext.getContext(); + String agentId = ""; + if (sContext != null) { +@@ -563,14 +569,12 @@ public class TokenKeyRecoveryService implements IService { + CMS.debug("TokenKeyRecoveryService: RSA PubKey base64 encoded"); + } + +- auditMessage = CMS.getLogMessage( +- AuditEvent.KEY_RECOVERY_REQUEST, ++ audit(new SecurityDataRecoveryEvent( + auditSubjectID, +- ILogger.SUCCESS, +- auditRecoveryID, +- PubKey); +- +- audit(auditMessage); ++ ILogger.SUCCESS, ++ auditRequestID, ++ null, ++ PubKey)); + + if (PubKey == null) { + request.setExtData(IRequest.RESULT, Integer.valueOf(4)); +diff --git a/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java b/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java +index b0bcff2..a2d01f1 100644 +--- a/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java ++++ b/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java +@@ -51,6 +51,7 @@ import com.netscape.certsrv.key.SymKeyGenerationRequest; + import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.ILogger; + import com.netscape.certsrv.logging.event.SecurityDataArchivalEvent; ++import com.netscape.certsrv.logging.event.SecurityDataRecoveryEvent; + import com.netscape.certsrv.request.RequestId; + import com.netscape.certsrv.request.RequestNotFoundException; + import com.netscape.cms.realm.PKIPrincipal; +@@ -345,13 +346,12 @@ public class KeyRequestService extends SubsystemService implements KeyRequestRes + } + + public void auditRecoveryRequestMade(RequestId requestId, String status, KeyId dataId) { +- String msg = CMS.getLogMessage( +- AuditEvent.SECURITY_DATA_RECOVERY_REQUEST, ++ audit(new SecurityDataRecoveryEvent( + getRequestor(), + status, +- requestId != null? 
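Review bot: The SecurityDataRecoveryEvent is emitted with `ILogger.SUCCESS` immediately before `if (PubKey == null)` marks the request as failed with result 4, so a recovery request whose public key could not be produced is recorded in the signed audit log as a successful request with a null PubKey. The rewrite keeps the pre-existing order; moving the `audit(...)` call below that check, or choosing the outcome from it with `PubKey != null ? ILogger.SUCCESS : ILogger.FAILURE`, would make the record match what the request goes on to do. `serviceRequest` continues outside the hunk, and a later patch in this series may rework the same region, so verify against the final tree.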
requestId.toString(): "null", +- dataId.toString()); +- auditor.log(msg); ++ requestId, ++ dataId, ++ null)); + } + + public void auditArchivalRequestMade(RequestId requestId, String status, String clientKeyID) { +diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties +index a7ce567..d594f1c 100644 +--- a/base/server/cmsbundle/src/LogMessages.properties ++++ b/base/server/cmsbundle/src/LogMessages.properties +@@ -2486,7 +2486,7 @@ LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_PROCESSED_5=:[AuditEvent=SECURITY_DATA_RECOVERY_REQUEST][SubjectID={0}][Outcome={1}][RecoveryID={2}][DataID={3}] security data recovery request made ++LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST=:[AuditEvent=SECURITY_DATA_RECOVERY_REQUEST][SubjectID={0}][Outcome={1}][RecoveryID={2}][DataID={3}][PubKey={4}] security data recovery request made + # + # LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_STATE_CHANGE + # - used when DRM agents login as recovery agents to change +-- +1.8.3.1 + + +From 58927bc0573769480dd35b564b9791eb086b267e Mon Sep 17 00:00:00 2001 +From: Ade Lee +Date: Wed, 17 May 2017 14:10:37 -0400 +Subject: [PATCH 04/38] Encapsulate recovery processed audit events + +This creates audit events for KEY_RECOVERY_PROCESSED and +SECURITY_DATA_RECOVERY_PROCESSED audit logs. We simplify by +reducing the logs to the SECURITY_DATA ones. 
+ +Change-Id: I75968799dec48d1f056ba15f8125d3bd031f31bb +--- + .../com/netscape/certsrv/logging/AuditEvent.java | 4 - + .../event/SecurityDataRecoveryProcessedEvent.java | 50 ++++++ + base/kra/shared/conf/CS.cfg | 4 +- + .../src/com/netscape/kra/KeyRecoveryAuthority.java | 94 +++-------- + .../com/netscape/kra/SecurityDataProcessor.java | 45 ++--- + .../com/netscape/kra/TokenKeyRecoveryService.java | 182 ++++++++++----------- + base/server/cmsbundle/src/LogMessages.properties | 12 +- + 7 files changed, 184 insertions(+), 207 deletions(-) + create mode 100644 base/common/src/com/netscape/certsrv/logging/event/SecurityDataRecoveryProcessedEvent.java + +diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java +index da571fe..c9c8f96 100644 +--- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java ++++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java +@@ -86,8 +86,6 @@ public class AuditEvent implements IBundleLogEvent { + "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_ASYNC_4"; + public final static String KEY_RECOVERY_AGENT_LOGIN = + "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_AGENT_LOGIN_4"; +- public final static String KEY_RECOVERY_REQUEST_PROCESSED = +- "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED_4"; + public final static String KEY_RECOVERY_REQUEST_PROCESSED_ASYNC = + "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED_ASYNC_4"; + public final static String KEY_GEN_ASYMMETRIC = +@@ -174,8 +172,6 @@ public class AuditEvent implements IBundleLogEvent { + public final static String CONFIG_SERIAL_NUMBER = + "LOGGING_SIGNED_AUDIT_CONFIG_SERIAL_NUMBER_1"; + +- public final static String SECURITY_DATA_RECOVERY_REQUEST_PROCESSED = +- "LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_PROCESSED_5"; + public static final String SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE = + "LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE_4"; + public final static 
String SECURITY_DATA_RETRIEVE_KEY =
+diff --git a/base/common/src/com/netscape/certsrv/logging/event/SecurityDataRecoveryProcessedEvent.java b/base/common/src/com/netscape/certsrv/logging/event/SecurityDataRecoveryProcessedEvent.java
+new file mode 100644
+index 0000000..8e5ad4b
+--- /dev/null
++++ b/base/common/src/com/netscape/certsrv/logging/event/SecurityDataRecoveryProcessedEvent.java
+@@ -0,0 +1,50 @@
++// --- BEGIN COPYRIGHT BLOCK ---
++// This program is free software; you can redistribute it and/or modify
++// it under the terms of the GNU General Public License as published by
++// the Free Software Foundation; version 2 of the License.
++//
++// This program is distributed in the hope that it will be useful,
++// but WITHOUT ANY WARRANTY; without even the implied warranty of
++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++// GNU General Public License for more details.
++//
++// You should have received a copy of the GNU General Public License along
++// with this program; if not, write to the Free Software Foundation, Inc.,
++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
++//
++// (C) 2017 Red Hat, Inc.
++// All rights reserved.
++// --- END COPYRIGHT BLOCK ---
++package com.netscape.certsrv.logging.event;
++
++import com.netscape.certsrv.dbs.keydb.KeyId;
++import com.netscape.certsrv.logging.AuditEvent;
++import com.netscape.certsrv.request.RequestId;
++
++public class SecurityDataRecoveryProcessedEvent extends AuditEvent {
++
++ private static final long serialVersionUID = 1L;
++
++ private static final String LOGGING_PROPERTY =
++ "LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_PROCESSED";
++
++ public SecurityDataRecoveryProcessedEvent(
++ String subjectID,
++ String outcome,
++ RequestId recoveryID,
++ KeyId keyID,
++ String failureReason,
++ String recoveryAgents) {
++
++ super(LOGGING_PROPERTY);
++
++ setParameters(new Object[] {
++ subjectID,
++ outcome,
++ recoveryID,
++ keyID,
++ failureReason,
++ recoveryAgents
++ });
++ }
++}
+\ No newline at end of file
+diff --git a/base/kra/shared/conf/CS.cfg b/base/kra/shared/conf/CS.cfg
+index 54adae1..8f55a37 100644
+--- a/base/kra/shared/conf/CS.cfg
++++ b/base/kra/shared/conf/CS.cfg
+@@ -300,11 +300,11 @@ log.instance.SignedAudit._001=## Signed Audit Logging
+ log.instance.SignedAudit._002=##
+ log.instance.SignedAudit._003=##
+ log.instance.SignedAudit._004=## Available Audit events:
+-log.instance.SignedAudit._005=## 
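Review bot: SecurityDataRecoveryProcessedEvent has no Javadoc, and the positional `setParameters` array is the only place that fixes which constructor argument fills which `{n}` placeholder of LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_PROCESSED, whose message template is not part of this hunk. A class comment stating the mapping (subjectID {0}, outcome {1}, recoveryID {2}, keyID {3}, failureReason {4}, recoveryAgents {5}) and that `failureReason` is null on success, as the callers visible in this series pass it, would let the properties change be checked against the code. The file also ends without a trailing newline.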
AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED ++log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, 
COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED + log.instance.SignedAudit._006=## + log.instance.SignedAudit.bufferSize=512 + log.instance.SignedAudit.enable=true 
+-log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED ++log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, 
COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED + log.instance.SignedAudit.expirationTime=0 + log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_TYPE]/signedAudit/kra_cert-kra_audit + log.instance.SignedAudit.flushInterval=5 +diff --git a/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java b/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java +index 8f86eef..670279e 100644 +--- a/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java ++++ b/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java +@@ -62,6 +62,7 @@ import com.netscape.certsrv.logging.ILogger; + import com.netscape.certsrv.logging.event.SecurityDataArchivalEvent; + import com.netscape.certsrv.logging.event.SecurityDataArchivalProcessedEvent; + import com.netscape.certsrv.logging.event.SecurityDataRecoveryEvent; ++import com.netscape.certsrv.logging.event.SecurityDataRecoveryProcessedEvent; + import com.netscape.certsrv.request.ARequestNotifier; + import com.netscape.certsrv.request.IPolicy; 
+ import com.netscape.certsrv.request.IRequest;
+@@ -980,7 +981,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
+ * @param kid key identifier
+ * @param creds list of recovery agent credentials
+ * @param password password of the PKCS12 package
+- * @param cert certficate that will be put in PKCS12
++ * @param cert certificate that will be put in PKCS12
+ * @param delivery file, mail or something else
+ * @param nickname string containing the nickname of the id cert for this
+ * subsystem
+@@ -993,13 +994,8 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
+ String delivery, String nickname,
+ String agent)
+ throws EBaseException {
+- String auditMessage = null;
+ String auditSubjectID = auditSubjectID();
+-
+- // temporary variable till other audit events are converted
+- String auditRecoveryID = auditRecoveryID();
+-
+- RequestId auditRequestID = auditRequestID();
++ RequestId auditRecoveryID = auditRecoveryID();
+ String auditPublicKey = auditPublicKey(cert);
+ String auditAgents = ILogger.SIGNED_AUDIT_EMPTY_VALUE;
+
+@@ -1037,16 +1033,16 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
+ audit(new SecurityDataRecoveryEvent(
+ auditSubjectID,
+ ILogger.SUCCESS,
+- auditRequestID,
+- null,
++ auditRecoveryID,
++ new KeyId(kid),
+ auditPublicKey));
+ } catch (EBaseException eAudit1) {
+ // store a message in the signed audit log file
+ audit(new SecurityDataRecoveryEvent(
+ auditSubjectID,
+ ILogger.FAILURE,
+- auditRequestID,
+- null,
++ auditRecoveryID,
++ new KeyId(kid),
+ auditPublicKey));
+
+ throw eAudit1;
+@@ -1063,43 +1059,36 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
+
+ auditAgents = auditAgents(creds);
+
+- // store a message in the signed audit log file
+- auditMessage = CMS.getLogMessage(
+- AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED,
++ audit(new SecurityDataRecoveryProcessedEvent(
+ auditSubjectID,
+ 
ILogger.SUCCESS,
+ auditRecoveryID,
+- auditAgents);
+-
+- audit(auditMessage);
++ new KeyId(kid),
++ null,
++ auditAgents));
+
+ destroyVolatileRequest(r.getRequestId());
+
+ return pkcs12;
+ } else {
+- // store a message in the signed audit log file
+- auditMessage = CMS.getLogMessage(
+- AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED,
++ audit(new SecurityDataRecoveryProcessedEvent(
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditRecoveryID,
+- auditAgents);
+-
+- audit(auditMessage);
++ new KeyId(kid),
++ r.getExtDataInString(IRequest.ERROR),
++ auditAgents));
+
+ throw new EBaseException(r.getExtDataInString(IRequest.ERROR));
+ }
+ } catch (EBaseException eAudit1) {
+- // store a message in the signed audit log file
+- auditMessage = CMS.getLogMessage(
+- AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED,
+- auditSubjectID,
+- ILogger.FAILURE,
+- auditRecoveryID,
+- auditAgents);
+-
+- audit(auditMessage);
+-
++ audit(new SecurityDataRecoveryProcessedEvent(
++ auditSubjectID,
++ ILogger.FAILURE,
++ auditRecoveryID,
++ new KeyId(kid),
++ eAudit1.getMessage(),
++ auditAgents));
+ throw eAudit1;
+ }
+ }
+@@ -1646,45 +1635,10 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
+ return requesterID;
+ }
+
+- /**
+- * Signed Audit Log Recovery ID
+- *
+- * This method is called to obtain the "RecoveryID" for
+- * a signed audit log message.
+- *
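Review bot: A rejected recovery is audited twice in this hunk: the else branch emits a FAILURE SecurityDataRecoveryProcessedEvent and then throws `new EBaseException(r.getExtDataInString(IRequest.ERROR))`, which the `catch (EBaseException eAudit1)` directly below catches and audits again with the same message, so one request yields two processed-failure records. The old code had the same shape, but now that the catch carries `eAudit1.getMessage()`, the else branch can keep only `throw new EBaseException(r.getExtDataInString(IRequest.ERROR));` and let the catch be the single failure sink. `new KeyId(kid)` is also built in each of the three audit calls; building it once beside `auditRecoveryID` would tidy this up. The method and its `try` begin outside the hunk.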

    +- * +- * @return id string containing the signed audit log message RecoveryID +- */ +- private String auditRecoveryID() { +- // if no signed audit object exists, bail +- if (mSignedAuditLogger == null) { +- return null; +- } +- +- String recoveryID = null; +- +- // Initialize recoveryID +- SessionContext auditContext = SessionContext.getExistingContext(); +- +- if (auditContext != null) { +- recoveryID = (String) +- auditContext.get(SessionContext.RECOVERY_ID); +- +- if (recoveryID != null) { +- recoveryID = recoveryID.trim(); +- } else { +- recoveryID = ILogger.UNIDENTIFIED; +- } +- } else { +- recoveryID = ILogger.UNIDENTIFIED; +- } +- +- return recoveryID; +- } + /* +- * temporary function till other audit messages are converted ++ * Returns the requestID for the recovery request for audit logs. + */ +- private RequestId auditRequestID() { ++ private RequestId auditRecoveryID() { + SessionContext auditContext = SessionContext.getExistingContext(); + if (auditContext != null) { + String recoveryID = (String) auditContext.get(SessionContext.RECOVERY_ID); +diff --git a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java +index da8dd9b..a44eb2f 100644 +--- a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java ++++ b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java +@@ -42,6 +42,7 @@ import com.netscape.certsrv.kra.IKeyRecoveryAuthority; + import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.ILogger; + import com.netscape.certsrv.logging.event.SecurityDataArchivalProcessedEvent; ++import com.netscape.certsrv.logging.event.SecurityDataRecoveryProcessedEvent; + import com.netscape.certsrv.profile.IEnrollProfile; + import com.netscape.certsrv.request.IRequest; + import com.netscape.certsrv.request.RequestId; +@@ -326,14 +327,15 @@ public class SecurityDataProcessor { + + Hashtable params = kra.getVolatileRequest( + request.getRequestId()); +- BigInteger 
serialno = request.getExtDataInBigInteger(ATTR_SERIALNO); +- request.setExtData(ATTR_KEY_RECORD, serialno); ++ KeyId keyId = new KeyId(request.getExtDataInBigInteger(ATTR_SERIALNO)); ++ request.setExtData(ATTR_KEY_RECORD, keyId.toBigInteger()); + RequestId requestID = request.getRequestId(); ++ String approvers = request.getExtDataInString(IRequest.ATTR_APPROVE_AGENTS); + + if (params == null) { + CMS.debug("SecurityDataProcessor.recover(): Can't get volatile params."); +- auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, requestID, serialno.toString(), +- "cannot get volatile params"); ++ auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, requestID, keyId, ++ "cannot get volatile params", approvers); + throw new EBaseException("Can't obtain volatile params!"); + } + +@@ -355,7 +357,7 @@ public class SecurityDataProcessor { + return false; + } + +- KeyRecord keyRecord = (KeyRecord) keyRepository.readKeyRecord(serialno); ++ KeyRecord keyRecord = (KeyRecord) keyRepository.readKeyRecord(keyId.toBigInteger()); + + String dataType = (String) keyRecord.get(IKeyRecord.ATTR_DATA_TYPE); + if (dataType == null) dataType = KeyRequestResource.ASYMMETRIC_KEY_TYPE; +@@ -455,8 +457,8 @@ public class SecurityDataProcessor { + iv != null? new IVParameterSpec(iv): null, + iv_wrap != null? 
new IVParameterSpec(iv_wrap): null); + } catch (Exception e) { +- auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, requestID, serialno.toString(), +- "Cannot generate wrapping params"); ++ auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, requestID, keyId, ++ "Cannot generate wrapping params", approvers); + throw new EBaseException("Cannot generate wrapping params: " + e, e); + } + } +@@ -512,8 +514,8 @@ public class SecurityDataProcessor { + params.put(IRequest.SECURITY_DATA_PASS_WRAPPED_DATA, pbeWrappedData); + + } catch (Exception e) { +- auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, requestID, serialno.toString(), +- "Cannot unwrap passphrase"); ++ auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, requestID, keyId, ++ "Cannot unwrap passphrase", approvers); + throw new EBaseException("Cannot unwrap passphrase: " + e, e); + + } finally { +@@ -554,8 +556,8 @@ public class SecurityDataProcessor { + } + + } catch (Exception e) { +- auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, requestID, serialno.toString(), +- "Cannot wrap symmetric key"); ++ auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, requestID, keyId, ++ "Cannot wrap symmetric key", approvers); + throw new EBaseException("Cannot wrap symmetric key: " + e, e); + } + +@@ -573,7 +575,7 @@ public class SecurityDataProcessor { + wrapParams.getPayloadEncryptionIV()); + } catch (Exception e) { + auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, requestID, +- serialno.toString(), "Cannot encrypt passphrase"); ++ keyId, "Cannot encrypt passphrase", approvers); + throw new EBaseException("Cannot encrypt passphrase: " + e, e); + } + +@@ -604,8 +606,8 @@ public class SecurityDataProcessor { + } + + } catch (Exception e) { +- auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, requestID, serialno.toString(), +- "Cannot wrap private key"); ++ auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, 
requestID, keyId, ++ "Cannot wrap private key", approvers); + throw new EBaseException("Cannot wrap private key: " + e, e); + } + } +@@ -639,8 +641,8 @@ public class SecurityDataProcessor { + + params.put(IRequest.SECURITY_DATA_TYPE, dataType); + +- auditRecoveryRequestProcessed(auditSubjectID, ILogger.SUCCESS, requestID, serialno.toString(), +- "None"); ++ auditRecoveryRequestProcessed(auditSubjectID, ILogger.SUCCESS, requestID, keyId, ++ null, approvers); + request.setExtData(IRequest.RESULT, IRequest.RES_SUCCESS); + + return false; //return true ? TODO +@@ -856,15 +858,14 @@ public class SecurityDataProcessor { + } + + private void auditRecoveryRequestProcessed(String subjectID, String status, RequestId requestID, +- String keyID, String reason) { +- String auditMessage = CMS.getLogMessage( +- AuditEvent.SECURITY_DATA_RECOVERY_REQUEST_PROCESSED, ++ KeyId keyID, String reason, String recoveryAgents) { ++ audit(new SecurityDataRecoveryProcessedEvent( + subjectID, + status, +- requestID.toString(), ++ requestID, + keyID, +- reason); +- audit(auditMessage); ++ reason, ++ recoveryAgents)); + } + + private void auditArchivalRequestProcessed(String subjectID, String status, RequestId requestID, String clientKeyID, +diff --git a/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java b/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java +index 7aca24c..2519a4d 100644 +--- a/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java ++++ b/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java +@@ -43,11 +43,13 @@ import com.netscape.certsrv.base.EBaseException; + import com.netscape.certsrv.base.IConfigStore; + import com.netscape.certsrv.base.SessionContext; + import com.netscape.certsrv.dbs.keydb.IKeyRepository; ++import com.netscape.certsrv.dbs.keydb.KeyId; + import com.netscape.certsrv.kra.EKRAException; + import com.netscape.certsrv.kra.IKeyRecoveryAuthority; + import com.netscape.certsrv.logging.AuditEvent; + import 
com.netscape.certsrv.logging.ILogger; + import com.netscape.certsrv.logging.event.SecurityDataRecoveryEvent; ++import com.netscape.certsrv.logging.event.SecurityDataRecoveryProcessedEvent; + import com.netscape.certsrv.request.IRequest; + import com.netscape.certsrv.request.IService; + import com.netscape.certsrv.request.RequestId; +@@ -183,9 +185,7 @@ public class TokenKeyRecoveryService implements IService { + * @exception EBaseException failed to serve + */ + public synchronized boolean serviceRequest(IRequest request) throws EBaseException { +- String auditMessage = null; + String auditSubjectID = null; +- String auditRecoveryID = ILogger.UNIDENTIFIED; + String iv_s = ""; + + CMS.debug("KRA services token key recovery request"); +@@ -209,12 +209,6 @@ public class TokenKeyRecoveryService implements IService { + CMS.debug("TokenKeyRecoveryService.serviceRequest: " + e.toString()); + } + +- String id = request.getRequestId().toString(); +- if (id != null) { +- auditRecoveryID = id.trim(); +- } +- +- // temporary variable till other audit messages have been replaced + RequestId auditRequestID = request.getRequestId(); + + SessionContext sContext = SessionContext.getContext(); +@@ -240,7 +234,7 @@ public class TokenKeyRecoveryService implements IService { + String rCUID = request.getExtDataInString(IRequest.NETKEY_ATTR_CUID); + String rUserid = request.getExtDataInString(IRequest.NETKEY_ATTR_USERID); + String rWrappedDesKeyString = request.getExtDataInString(IRequest.NETKEY_ATTR_DRMTRANS_DES_KEY); +- // the request reocrd field delayLDAPCommit == "true" will cause ++ // the request record field delayLDAPCommit == "true" will cause + // updateRequest() to delay actual write to ldap + request.setExtData("delayLDAPCommit", "true"); + // wrappedDesKey no longer needed. removing. 
+@@ -272,32 +266,32 @@ public class TokenKeyRecoveryService implements IService { + } else { + CMS.debug("TokenKeyRecoveryService: not receive des key"); + request.setExtData(IRequest.RESULT, Integer.valueOf(4)); +- auditMessage = CMS.getLogMessage( +- AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED, ++ audit(new SecurityDataRecoveryProcessedEvent( + auditSubjectID, + ILogger.FAILURE, +- auditRecoveryID, +- agentId); ++ auditRequestID, ++ null, ++ "TokenRecoveryService: Did not receive DES key", ++ agentId)); + +- audit(auditMessage); + return false; + } + + // retrieve based on Certificate + String cert_s = request.getExtDataInString(ATTR_USER_CERT); + String keyid_s = request.getExtDataInString(IRequest.NETKEY_ATTR_KEYID); ++ KeyId keyId = new KeyId(request.getExtDataInString(IRequest.NETKEY_ATTR_KEYID)); + /* have to have at least one */ + if ((cert_s == null) && (keyid_s == null)) { + CMS.debug("TokenKeyRecoveryService: not receive cert or keyid"); + request.setExtData(IRequest.RESULT, Integer.valueOf(3)); +- auditMessage = CMS.getLogMessage( +- AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED, +- auditSubjectID, +- ILogger.FAILURE, +- auditRecoveryID, +- agentId); +- +- audit(auditMessage); ++ audit(new SecurityDataRecoveryProcessedEvent( ++ auditSubjectID, ++ ILogger.FAILURE, ++ auditRequestID, ++ keyId, ++ "TokenRecoveryService: Did not receive cert or keyid", ++ agentId)); + return false; + } + +@@ -311,27 +305,25 @@ public class TokenKeyRecoveryService implements IService { + if (x509cert == null) { + CMS.debug("cert mapping failed"); + request.setExtData(IRequest.RESULT, Integer.valueOf(5)); +- auditMessage = CMS.getLogMessage( +- AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED, ++ audit(new SecurityDataRecoveryProcessedEvent( + auditSubjectID, + ILogger.FAILURE, +- auditRecoveryID, +- agentId); +- +- audit(auditMessage); ++ auditRequestID, ++ keyId, ++ "TokenRecoveryService: cert mapping failed", ++ agentId)); + return false; + } + } catch (IOException e) { + 
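Review bot: `KeyId keyId = new KeyId(request.getExtDataInString(IRequest.NETKEY_ATTR_KEYID));` in the `@@ -272,32 +266,32 @@` hunk is evaluated before the `(cert_s == null) && (keyid_s == null)` guard, so a request that supplies a certificate but no key id reaches the constructor with `null`. If `KeyId(String)` parses its argument eagerly (not visible here), that throws before the `"TokenRecoveryService: Did not receive cert or keyid"` failure event is written, and the request ends in the method's generic `catch (Exception e)` with no specific audit record. Reuse the value already fetched and defer construction, `KeyId keyId = keyid_s == null ? null : new KeyId(keyid_s);`, placed after the guard, which keeps the audit path and matches the `null` key id the DES-key failure event above already passes. `serviceRequest` starts and ends outside this hunk.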
CMS.debug("TokenKeyRecoveryService: mapCert failed"); + request.setExtData(IRequest.RESULT, Integer.valueOf(6)); +- auditMessage = CMS.getLogMessage( +- AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED, ++ audit(new SecurityDataRecoveryProcessedEvent( + auditSubjectID, + ILogger.FAILURE, +- auditRecoveryID, +- agentId); +- +- audit(auditMessage); ++ auditRequestID, ++ keyId, ++ "TokenRecoveryService: mapCert failed: " + e.getMessage(), ++ agentId)); + return false; + } + } else { +@@ -363,27 +355,25 @@ public class TokenKeyRecoveryService implements IService { + else { + CMS.debug("key record not found"); + request.setExtData(IRequest.RESULT, Integer.valueOf(8)); +- auditMessage = CMS.getLogMessage( +- AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED, ++ audit(new SecurityDataRecoveryProcessedEvent( + auditSubjectID, + ILogger.FAILURE, +- auditRecoveryID, +- agentId); +- +- audit(auditMessage); ++ auditRequestID, ++ keyId, ++ "TokenRecoveryService: key record not found", ++ agentId)); + return false; + } + } catch (Exception e) { + com.netscape.cmscore.util.Debug.printStackTrace(e); + request.setExtData(IRequest.RESULT, Integer.valueOf(9)); +- auditMessage = CMS.getLogMessage( +- AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED, ++ audit(new SecurityDataRecoveryProcessedEvent( + auditSubjectID, + ILogger.FAILURE, +- auditRecoveryID, +- agentId); +- +- audit(auditMessage); ++ auditRequestID, ++ keyId, ++ "TokenRecoveryService: error reading key record: " + e.getMessage(), ++ agentId)); + return false; + } + +@@ -410,14 +400,14 @@ public class TokenKeyRecoveryService implements IService { + + if (inputPubData.length != pubData.length) { + mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_PUBLIC_KEY_LEN")); +- auditMessage = CMS.getLogMessage( +- AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED, ++ audit(new SecurityDataRecoveryProcessedEvent( + auditSubjectID, + ILogger.FAILURE, +- auditRecoveryID, +- agentId); ++ auditRequestID, ++ keyId, ++ 
CMS.getLogMessage("CMSCORE_KRA_PUBLIC_KEY_LEN"), ++ agentId)); + +- audit(auditMessage); + throw new EKRAException( + CMS.getUserMessage("CMS_KRA_PUBLIC_KEY_NOT_MATCHED")); + } +@@ -425,14 +415,13 @@ public class TokenKeyRecoveryService implements IService { + for (int i = 0; i < pubData.length; i++) { + if (pubData[i] != inputPubData[i]) { + mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_PUBLIC_KEY_LEN")); +- auditMessage = CMS.getLogMessage( +- AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED, ++ audit(new SecurityDataRecoveryProcessedEvent( + auditSubjectID, + ILogger.FAILURE, +- auditRecoveryID, +- agentId); +- +- audit(auditMessage); ++ auditRequestID, ++ keyId, ++ CMS.getLogMessage("CMSCORE_KRA_PUBLIC_KEY_LEN"), ++ agentId)); + throw new EKRAException( + CMS.getUserMessage("CMS_KRA_PUBLIC_KEY_NOT_MATCHED")); + } +@@ -455,13 +444,13 @@ public class TokenKeyRecoveryService implements IService { + if (privateKeyData == null) { + request.setExtData(IRequest.RESULT, Integer.valueOf(4)); + CMS.debug("TokenKeyRecoveryService: failed getting private key"); +- auditMessage = CMS.getLogMessage( +- AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED, +- auditSubjectID, +- ILogger.FAILURE, +- auditRecoveryID, +- agentId); +- audit(auditMessage); ++ audit(new SecurityDataRecoveryProcessedEvent( ++ auditSubjectID, ++ ILogger.FAILURE, ++ auditRequestID, ++ keyId, ++ "TokenKeyRecoveryService: failed getting private key", ++ agentId)); + return false; + } + CMS.debug("TokenKeyRecoveryService: got private key...about to verify"); +@@ -485,14 +474,13 @@ public class TokenKeyRecoveryService implements IService { + if (verifyKeyPair(pubData, privateKeyData) == false) { + mKRA.log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_KRA_PUBLIC_NOT_FOUND")); +- auditMessage = CMS.getLogMessage( +- AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED, +- auditSubjectID, +- ILogger.FAILURE, +- auditRecoveryID, +- agentId); +- +- audit(auditMessage); ++ audit(new SecurityDataRecoveryProcessedEvent( ++ 
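Review bot: The failure reasons in the `@@ -455` hunk here and the `@@ -511` hunk on the next physical line are the identical literal `"TokenKeyRecoveryService: failed getting private key"`, with `IRequest.RESULT` set to `4` in both, so an auditor reading the signed audit log cannot tell which of the two lookups failed; name the failing value in each, e.g. `"TokenKeyRecoveryService: failed getting private key (privateKeyData)"` and `"TokenKeyRecoveryService: failed getting private key (privKey)"`. The same applies to the `@@ -410` and `@@ -425` hunks, where both the length-mismatch and the byte-mismatch branches use `CMS.getLogMessage("CMSCORE_KRA_PUBLIC_KEY_LEN")` as the reason. As a point of style, the reasons in the hunks ending on the two previous physical lines are prefixed `"TokenRecoveryService:"` while these use `"TokenKeyRecoveryService:"` (the class name); pick one prefix so log searches match all of them. The enclosing method starts and ends outside these hunks.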
auditSubjectID, ++ ILogger.FAILURE, ++ auditRequestID, ++ keyId, ++ CMS.getLogMessage("CMSCORE_KRA_PUBLIC_NOT_FOUND"), ++ agentId)); + throw new EKRAException( + CMS.getUserMessage("CMS_KRA_INVALID_PUBLIC_KEY")); + } else { +@@ -511,14 +499,13 @@ public class TokenKeyRecoveryService implements IService { + if (privKey == null) { + request.setExtData(IRequest.RESULT, Integer.valueOf(4)); + CMS.debug("TokenKeyRecoveryService: failed getting private key"); +- auditMessage = CMS.getLogMessage( +- AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED, +- auditSubjectID, +- ILogger.FAILURE, +- auditRecoveryID, +- agentId); +- +- audit(auditMessage); ++ audit(new SecurityDataRecoveryProcessedEvent( ++ auditSubjectID, ++ ILogger.FAILURE, ++ auditRequestID, ++ keyId, ++ "TokenKeyRecoveryService: failed getting private key", ++ agentId)); + return false; + } + +@@ -541,14 +528,13 @@ public class TokenKeyRecoveryService implements IService { + if (wrappedPrivKeyString == null) { + request.setExtData(IRequest.RESULT, Integer.valueOf(4)); + CMS.debug("TokenKeyRecoveryService: failed generating wrapped private key"); +- auditMessage = CMS.getLogMessage( +- AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED, ++ audit(new SecurityDataRecoveryProcessedEvent( + auditSubjectID, + ILogger.FAILURE, +- auditRecoveryID, +- agentId); +- +- audit(auditMessage); ++ auditRequestID, ++ keyId, ++ "TokenKeyRecoveryService: failed generating wrapped private key", ++ agentId)); + return false; + } else { + CMS.debug("TokenKeyRecoveryService: got private key data wrapped"); +@@ -579,14 +565,13 @@ public class TokenKeyRecoveryService implements IService { + if (PubKey == null) { + request.setExtData(IRequest.RESULT, Integer.valueOf(4)); + CMS.debug("TokenKeyRecoveryService: failed getting publickey encoded"); +- auditMessage = CMS.getLogMessage( +- AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED, ++ audit(new SecurityDataRecoveryProcessedEvent( + auditSubjectID, + ILogger.FAILURE, +- auditRecoveryID, +- agentId); +- +- 
audit(auditMessage); ++ auditRequestID, ++ keyId, ++ "TokenKeyRecoveryService: failed getting publickey encoded", ++ agentId)); + return false; + } else { + //CMS.debug("TokenKeyRecoveryService: got publicKeyData b64 = " + +@@ -594,15 +579,14 @@ public class TokenKeyRecoveryService implements IService { + CMS.debug("TokenKeyRecoveryService: got publicKeyData"); + } + request.setExtData("public_key", PubKey); +- auditMessage = CMS.getLogMessage( +- AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED, ++ ++ audit(new SecurityDataRecoveryProcessedEvent( + auditSubjectID, + ILogger.SUCCESS, +- auditRecoveryID, +- agentId); +- +- audit(auditMessage); +- ++ auditRequestID, ++ keyId, ++ null, ++ agentId)); + return true; + + } catch (Exception e) { +diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties +index d594f1c..b85310c 100644 +--- a/base/server/cmsbundle/src/LogMessages.properties ++++ b/base/server/cmsbundle/src/LogMessages.properties +@@ -2009,15 +2009,6 @@ LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_ASYNC_4=:[AuditEvent=KEY_RECOVERY_AGENT_LOGIN][SubjectID={0}][Outcome={1}][RecoveryID={2}][RecoveryAgent={3}] key recovery agent login + # +-# +-# LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED +-# - used when key recovery request is processed +-# RecoveryID must be the recovery request ID +-# RecoveryAgents must be a comma-separated list of +-# UIDs of the recovery agents approving this request +-# +-LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED_4=:[AuditEvent=KEY_RECOVERY_REQUEST_PROCESSED][SubjectID={0}][Outcome={1}][RecoveryID={2}][RecoveryAgents={3}] key recovery request processed +-# + # LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED_ASYNC + # - used when key recovery request is processed + # RequestID must be the recovery request ID +@@ -2477,8 +2468,9 @@ 
LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST=:[AuditEvent=SECURITY_DATA_RECOVERY_REQUEST_PROCESSED][SubjectID={0}][Outcome={1}][RecoveryID={2}][KeyID={3}][FailureReason={4}] security data recovery request processed ++LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_PROCESSED=:[AuditEvent=SECURITY_DATA_RECOVERY_REQUEST_PROCESSED][SubjectID={0}][Outcome={1}][RecoveryID={2}][KeyID={3}][FailureReason={4}][RecoveryAgents={5}] security data recovery request processed + # + # + # LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST +-- +1.8.3.1 + + +From f52f5be832e37cc45e665708d3b59d2a3aa04370 Mon Sep 17 00:00:00 2001 +From: Ade Lee +Date: Wed, 17 May 2017 16:17:30 -0400 +Subject: [PATCH 05/38] Eliminate async recovery audit events + +There are now many ways to recover keys. From an +auditing point of view, its not helpful to distinguish +between sync or async requests. So we just use +SECURITY_DATA ... + +Change-Id: Id64abd56248c07f3f7f7b038ba5ac458af854089 +--- + .../com/netscape/certsrv/logging/AuditEvent.java | 4 -- + base/kra/shared/conf/CS.cfg | 4 +- + .../src/com/netscape/kra/KeyRecoveryAuthority.java | 75 +++++++++------------- + base/server/cmsbundle/src/LogMessages.properties | 17 ----- + 4 files changed, 34 insertions(+), 66 deletions(-) + +diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java +index c9c8f96..03340e1 100644 +--- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java ++++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java +@@ -82,12 +82,8 @@ public class AuditEvent implements IBundleLogEvent { + "LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS_4"; + public final static String SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE = + "LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE_3"; +- public final static String KEY_RECOVERY_REQUEST_ASYNC = +- "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_ASYNC_4"; + public 
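Review bot: The new `LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_PROCESSED` entry in the `@@ -2477,8 +2468,9 @@` hunk adds a `[RecoveryAgents={5}]` field but carries no descriptive comment, while the `@@ -2009,15 +2009,6 @@` hunk on the previous line deletes the only comment that defined that field ("RecoveryAgents must be a comma-separated list of UIDs of the recovery agents approving this request"). Carry that description over as a `#` comment block above the new key, and add that `FailureReason` is empty on success, so the audit format stays self-documenting for whoever parses these logs. The pre-existing five-field entry for the same `SECURITY_DATA_RECOVERY_REQUEST_PROCESSED` event is left in place as context; if nothing references it after this commit, drop it so two formats for one AuditEvent do not coexist.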
final static String KEY_RECOVERY_AGENT_LOGIN = + "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_AGENT_LOGIN_4"; +- public final static String KEY_RECOVERY_REQUEST_PROCESSED_ASYNC = +- "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED_ASYNC_4"; + public final static String KEY_GEN_ASYMMETRIC = + "LOGGING_SIGNED_AUDIT_KEY_GEN_ASYMMETRIC_3"; + +diff --git a/base/kra/shared/conf/CS.cfg b/base/kra/shared/conf/CS.cfg +index 8f55a37..90ef4bc 100644 +--- a/base/kra/shared/conf/CS.cfg ++++ b/base/kra/shared/conf/CS.cfg +@@ -300,11 +300,11 @@ log.instance.SignedAudit._001=## Signed Audit Logging + log.instance.SignedAudit._002=## + log.instance.SignedAudit._003=## + log.instance.SignedAudit._004=## Available Audit events: +-log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED ++log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_AGENT_LOGIN,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, 
COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED + log.instance.SignedAudit._006=## + log.instance.SignedAudit.bufferSize=512 + log.instance.SignedAudit.enable=true 
+-log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED ++log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_AGENT_LOGIN,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED + log.instance.SignedAudit.expirationTime=0 + log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_TYPE]/signedAudit/kra_cert-kra_audit + log.instance.SignedAudit.flushInterval=5 +diff --git a/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java b/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java +index 670279e..3c29bbf 100644 +--- a/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java ++++ b/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java +@@ -820,8 +820,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove + throws EBaseException { + + String auditPublicKey = auditPublicKey(cert); +- String auditRecoveryID = "undefined"; +- String auditMessage = null; ++ RequestId auditRecoveryID = null; + String auditSubjectID = auditSubjectID(); + + IRequestQueue queue = null; +@@ -838,28 +837,23 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove + r.setRequestStatus(RequestStatus.PENDING); + r.setRealm(realm); + queue.updateRequest(r); +- auditRecoveryID 
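Review bot: The rewritten `log.instance.SignedAudit.events=` line keeps the stray spaces inside the comma-separated list (`...PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE` and `..., DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE`); if the consumer of this list does not trim tokens (not visible here), those two events are silently not enabled in the signed audit log. Since this commit already rewrites the line, remove the spaces so each token is exactly the event name. The `_005` comment line carries the same spaces, which is harmless but worth normalizing in the same edit.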
= r.getRequestId().toString(); ++ auditRecoveryID = r.getRequestId(); + + // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.KEY_RECOVERY_REQUEST_ASYNC, ++ audit(new SecurityDataRecoveryEvent( + auditSubjectID, + ILogger.SUCCESS, + auditRecoveryID, +- auditPublicKey); +- +- audit(auditMessage); ++ null, ++ auditPublicKey)); + } catch (EBaseException eAudit1) { + // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.KEY_RECOVERY_REQUEST_ASYNC, +- auditSubjectID, +- ILogger.FAILURE, +- auditRecoveryID, +- auditPublicKey); +- +- audit(auditMessage); +- ++ audit(new SecurityDataRecoveryEvent( ++ auditSubjectID, ++ ILogger.FAILURE, ++ auditRecoveryID, ++ null, ++ auditPublicKey)); + throw eAudit1; + } + +@@ -1115,10 +1109,10 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove + String reqID, + String password) + throws EBaseException { +- String auditMessage = null; + String auditSubjectID = auditSubjectID(); +- String auditRecoveryID = reqID; ++ RequestId auditRecoveryID = new RequestId(reqID); + String auditAgents = ILogger.SIGNED_AUDIT_EMPTY_VALUE; ++ KeyId keyID = null; + + IRequestQueue queue = null; + IRequest r = null; +@@ -1129,6 +1123,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove + r = queue.findRequest(new RequestId(reqID)); + + auditAgents = r.getExtDataInString(IRequest.ATTR_APPROVE_AGENTS); ++ keyID = new KeyId(r.getExtDataInBigInteger("serialNumber")); + + // set transient parameters + params = createVolatileRequest(r.getRequestId()); +@@ -1147,42 +1142,36 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove + byte pkcs12[] = (byte[]) params.get( + RecoveryService.ATTR_PKCS12); + +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED_ASYNC, ++ audit(new 
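Review bot: In the `@@ -1115,10 +1109,10 @@` hunk `RequestId auditRecoveryID = new RequestId(reqID);` runs before the `try` that wraps the request lookup, so if `RequestId(String)` validates its input (not visible here) a malformed `reqID` fails before any `SecurityDataRecoveryProcessedEvent` is emitted, whereas the old `String auditRecoveryID = reqID;` could not fail; construct it inside the `try`, or catch the parse failure and audit it. In the `@@ -1129,6 +1123,7 @@` hunk `keyID = new KeyId(r.getExtDataInBigInteger("serialNumber"));` wraps whatever the request carries, and when the attribute is absent the wrapped value is presumably `null`; guard it, `BigInteger serial = r.getExtDataInBigInteger("serialNumber");` then `keyID = serial == null ? null : new KeyId(serial);`, so the later failure event can still be built. The enclosing method starts before the first of these hunks and its body continues past the second.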
SecurityDataRecoveryProcessedEvent( + auditSubjectID, + ILogger.SUCCESS, + auditRecoveryID, +- auditAgents); +- +- audit(auditMessage); ++ keyID, ++ null, ++ auditAgents)); + + destroyVolatileRequest(r.getRequestId()); + + return pkcs12; + } else { +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED_ASYNC, +- auditSubjectID, +- ILogger.FAILURE, +- auditRecoveryID, +- auditAgents); +- +- audit(auditMessage); +- +- throw new EBaseException(r.getExtDataInString(IRequest.ERROR)); +- } +- } catch (EBaseException eAudit1) { +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED_ASYNC, ++ audit(new SecurityDataRecoveryProcessedEvent( + auditSubjectID, + ILogger.FAILURE, + auditRecoveryID, +- auditAgents); ++ keyID, ++ r.getExtDataInString(IRequest.ERROR), ++ auditAgents)); + +- audit(auditMessage); ++ throw new EBaseException(r.getExtDataInString(IRequest.ERROR)); ++ } ++ } catch (EBaseException eAudit1) { ++ audit(new SecurityDataRecoveryProcessedEvent( ++ auditSubjectID, ++ ILogger.FAILURE, ++ auditRecoveryID, ++ keyID, ++ eAudit1.getMessage(), ++ auditAgents)); + throw eAudit1; + } + } +diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties +index b85310c..5a01e13 100644 +--- a/base/server/cmsbundle/src/LogMessages.properties ++++ b/base/server/cmsbundle/src/LogMessages.properties +@@ -1991,15 +1991,6 @@ LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE_3=:[AuditEvent=KEY_RECOVERY_REQUEST][SubjectID={0}][Outcome={1}][RecoveryID={2}][PubKey={3}] key recovery request made + # +-# +-# LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_ASYNC +-# - used when asynchronous key recovery request is made +-# RequestID must be the recovery request ID +-# PubKey must be the base-64 encoded public key associated with +-# the private key to be recovered +-# 
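Review bot: The `else` branch in the `@@ -1147,42 +1142,36 @@` hunk audits a `SecurityDataRecoveryProcessedEvent` with `ILogger.FAILURE` and then throws `new EBaseException(r.getExtDataInString(IRequest.ERROR))`, which is caught by the `catch (EBaseException eAudit1)` of the same `try` and audited again with `eAudit1.getMessage()`, so one failed recovery produces two FAILURE records with the same reason in the signed audit log. Let the catch do the auditing: drop the `audit(...)` call from the `else` branch and keep only `throw new EBaseException(r.getExtDataInString(IRequest.ERROR));` there. Duplicate records matter here because the signed audit log is what reviewers reconcile against request state. The enclosing method begins before the hunk.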
+-LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_ASYNC_4=:[AuditEvent=KEY_RECOVERY_REQUEST_ASYNC][SubjectID={0}][Outcome={1}][RequestID={2}][PubKey={3}] asynchronous key recovery request made +-# + # LOGGING_SIGNED_AUDIT_KEY_RECOVERY_AGENT_LOGIN + # - used when DRM agents login as recovery agents to approve + # key recovery requests +@@ -2009,14 +2000,6 @@ LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_ASYNC_4=:[AuditEvent=KEY_RECOVERY_AGENT_LOGIN][SubjectID={0}][Outcome={1}][RecoveryID={2}][RecoveryAgent={3}] key recovery agent login + # +-# LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED_ASYNC +-# - used when key recovery request is processed +-# RequestID must be the recovery request ID +-# RecoveryAgents must be a comma-separated list of +-# UIDs of the recovery agents approving this request +-# +-LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED_ASYNC_4=:[AuditEvent=KEY_RECOVERY_REQUEST_PROCESSED_ASYNC][SubjectID={0}][Outcome={1}][RequestID={2}][RecoveryAgents={3}] asynchronous key recovery request processed +-# + # LOGGING_SIGNED_AUDIT_KEY_GEN_ASYMMETRIC + # - used when asymmetric keys are generated + # (like when CA certificate requests are generated - +-- +1.8.3.1 + + +From 0df4ba1372e0a5942806fda3b56f0b9ea70c6e05 Mon Sep 17 00:00:00 2001 +From: Ade Lee +Date: Thu, 18 May 2017 01:27:12 -0400 +Subject: [PATCH 06/38] Encapsulate key retrieval audit events + +Key retrieval is when the key/secret is extracted and returned +to the client (once the recovery request is approved). We combine +SECURITY_DATA_RETRIEVE_KEY and a couple of older EXPORT events. + +Note: an analysis of the key retrieval rest flow (and the auditing +there will be done in a subsequent patch). 
+ +Change-Id: Ibd897772fef154869a721fda55ff7498210ca03c +--- + .../com/netscape/certsrv/logging/AuditEvent.java | 6 -- + .../logging/event/SecurityDataExportEvent.java | 70 ++++++++++++++++++++++ + base/kra/shared/conf/CS.cfg | 4 +- + .../src/com/netscape/kra/NetkeyKeygenService.java | 18 +++--- + .../org/dogtagpki/server/kra/rest/KeyService.java | 14 ++--- + .../com/netscape/cms/servlet/key/GetAsyncPk12.java | 25 ++++---- + .../src/com/netscape/cms/servlet/key/GetPk12.java | 26 ++++---- + base/server/cmsbundle/src/LogMessages.properties | 26 ++------ + 8 files changed, 117 insertions(+), 72 deletions(-) + create mode 100644 base/common/src/com/netscape/certsrv/logging/event/SecurityDataExportEvent.java + +diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java +index 03340e1..45907d0 100644 +--- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java ++++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java +@@ -72,10 +72,6 @@ public class AuditEvent implements IBundleLogEvent { + public final static String LOG_PATH_CHANGE = + "LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE_4"; + +- public final static String PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS = +- "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS_4"; +- public final static String PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE = +- "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE_4"; + public final static String SERVER_SIDE_KEYGEN_REQUEST = + "LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_3"; + public final static String SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS = +@@ -170,8 +166,6 @@ public class AuditEvent implements IBundleLogEvent { + + public static final String SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE = + "LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE_4"; +- public final static String SECURITY_DATA_RETRIEVE_KEY = +- 
"LOGGING_SIGNED_AUDIT_SECURITY_DATA_RETRIEVE_KEY_5"; + public final static String KEY_STATUS_CHANGE = + "LOGGING_SIGNED_AUDIT_KEY_STATUS_CHANGE_6"; + public final static String SYMKEY_GENERATION_REQUEST_PROCESSED = +diff --git a/base/common/src/com/netscape/certsrv/logging/event/SecurityDataExportEvent.java b/base/common/src/com/netscape/certsrv/logging/event/SecurityDataExportEvent.java +new file mode 100644 +index 0000000..a2c7939 +--- /dev/null ++++ b/base/common/src/com/netscape/certsrv/logging/event/SecurityDataExportEvent.java +@@ -0,0 +1,70 @@ ++// --- BEGIN COPYRIGHT BLOCK --- ++// This program is free software; you can redistribute it and/or modify ++// it under the terms of the GNU General Public License as published by ++// the Free Software Foundation; version 2 of the License. ++// ++// This program is distributed in the hope that it will be useful, ++// but WITHOUT ANY WARRANTY; without even the implied warranty of ++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++// GNU General Public License for more details. ++// ++// You should have received a copy of the GNU General Public License along ++// with this program; if not, write to the Free Software Foundation, Inc., ++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. ++// ++// (C) 2017 Red Hat, Inc. ++// All rights reserved. 
++// --- END COPYRIGHT BLOCK --- ++package com.netscape.certsrv.logging.event; ++ ++import com.netscape.certsrv.dbs.keydb.KeyId; ++import com.netscape.certsrv.logging.AuditEvent; ++import com.netscape.certsrv.request.RequestId; ++ ++public class SecurityDataExportEvent extends AuditEvent { ++ ++ private static final long serialVersionUID = 1L; ++ ++ private static final String LOGGING_PROPERTY = ++ "LOGGING_SIGNED_AUDIT_SECURITY_DATA_EXPORT_KEY"; ++ ++ public SecurityDataExportEvent( ++ String subjectID, ++ String outcome, ++ RequestId recoveryID, ++ KeyId keyID, ++ String failureReason, ++ String pubKey) { ++ ++ super(LOGGING_PROPERTY); ++ ++ setParameters(new Object[] { ++ subjectID, ++ outcome, ++ recoveryID, ++ keyID, ++ failureReason, ++ pubKey ++ }); ++ } ++ ++ public SecurityDataExportEvent( ++ String subjectID, ++ String outcome, ++ String recoveryID, ++ KeyId keyID, ++ String failureReason, ++ String pubKey) { ++ ++ super(LOGGING_PROPERTY); ++ ++ setParameters(new Object[] { ++ subjectID, ++ outcome, ++ recoveryID, ++ keyID, ++ failureReason, ++ pubKey ++ }); ++ } ++} +\ No newline at end of file +diff --git a/base/kra/shared/conf/CS.cfg b/base/kra/shared/conf/CS.cfg +index 90ef4bc..298e35a 100644 +--- a/base/kra/shared/conf/CS.cfg ++++ b/base/kra/shared/conf/CS.cfg +@@ -300,11 +300,11 @@ log.instance.SignedAudit._001=## Signed Audit Logging + log.instance.SignedAudit._002=## + log.instance.SignedAudit._003=## + log.instance.SignedAudit._004=## Available Audit events: +-log.instance.SignedAudit._005=## 
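Review bot: `SecurityDataExportEvent` declares two constructors that differ only in the type of the third parameter (`RequestId recoveryID` vs `String recoveryID`), so any caller that passes a literal `null` in that position will not compile ("reference to SecurityDataExportEvent is ambiguous") and will have to cast. Prefer a single `RequestId` constructor and have callers that only hold a string wrap it with `new RequestId(...)`, or expose the string variant as a named static factory so the overload resolution problem cannot arise. The class also has no Javadoc: a one-paragraph class comment stating what each parameter is (including that `failureReason` is null on success and whether `pubKey` is the base-64 public key the deleted `LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_ASYNC` comment described) would help, since the `LOGGING_SIGNED_AUDIT_SECURITY_DATA_EXPORT_KEY` format itself is outside this view. The file also lacks a trailing newline (`\ No newline at end of file`).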
AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_AGENT_LOGIN,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED 
++log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,KEY_RECOVERY_AGENT_LOGIN,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_EXPORT_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED + log.instance.SignedAudit._006=## + log.instance.SignedAudit.bufferSize=512 + 
log.instance.SignedAudit.enable=true +-log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_AGENT_LOGIN,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED ++log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,KEY_RECOVERY_AGENT_LOGIN,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SECURITY_DATA_EXPORT_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED + log.instance.SignedAudit.expirationTime=0 + log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_TYPE]/signedAudit/kra_cert-kra_audit + log.instance.SignedAudit.flushInterval=5 +diff --git a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java +index 5463b92..df42a4f 100644 +--- a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java ++++ b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java +@@ -52,6 +52,7 @@ import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.ILogger; + import com.netscape.certsrv.logging.event.SecurityDataArchivalEvent; + import com.netscape.certsrv.logging.event.SecurityDataArchivalProcessedEvent; ++import com.netscape.certsrv.logging.event.SecurityDataExportEvent; + import com.netscape.certsrv.request.IRequest; + import com.netscape.certsrv.request.IService; + import com.netscape.certsrv.security.IStorageKeyUnit; +@@ -356,25 +357,26 @@ public class NetkeyKeygenService implements 
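Review bot: The new `log.instance.SignedAudit.events` value still lists `SECURITY_DATA_RETRIEVE_KEY` twice (once after `SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE`, once before `KEY_STATUS_CHANGE`) while the rewritten `_005` documentation line directly above drops that event entirely, so the enabled-event list and its own documentation now disagree. Since `KeyService.auditRetrieveKey` in this same patch switches to `SECURITY_DATA_EXPORT_KEY`, either remove both `SECURITY_DATA_RETRIEVE_KEY` entries from the events line or restore it to `_005`, but keep the two lines consistent so an auditor reading the comment knows what is actually recorded.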
IService { + if (wrappedPrivKeyString == null) { + request.setExtData(IRequest.RESULT, Integer.valueOf(4)); + CMS.debug("NetkeyKeygenService: failed generating wrapped private key"); +- auditMessage = CMS.getLogMessage( +- AuditEvent.PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE, ++ audit(new SecurityDataExportEvent( + agentId, + ILogger.FAILURE, + auditSubjectID, +- PubKey); ++ null, ++ "NetkeyKeygenService: failed generating wrapped private key", ++ PubKey)); + + audit(auditMessage); + return false; + } else { + request.setExtData("wrappedUserPrivate", wrappedPrivKeyString); +- auditMessage = CMS.getLogMessage( +- AuditEvent.PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS, ++ ++ audit(new SecurityDataExportEvent( + agentId, + ILogger.SUCCESS, + auditSubjectID, +- PubKey); +- +- audit(auditMessage); ++ null, ++ null, ++ PubKey)); + } + + iv_s = /*base64Encode(iv);*/com.netscape.cmsutil.util.Utils.SpecialEncode(iv); +diff --git a/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java b/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java +index 7a21971..87e6f15 100644 +--- a/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java ++++ b/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java +@@ -62,6 +62,7 @@ import com.netscape.certsrv.kra.IKeyRecoveryAuthority; + import com.netscape.certsrv.kra.IKeyService; + import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.ILogger; ++import com.netscape.certsrv.logging.event.SecurityDataExportEvent; + import com.netscape.certsrv.request.IRequest; + import com.netscape.certsrv.request.IRequestQueue; + import com.netscape.certsrv.request.RequestId; +@@ -601,15 +602,14 @@ public class KeyService extends SubsystemService implements KeyResource { + } + + public void auditRetrieveKey(String status, String reason) { +- String msg = CMS.getLogMessage( +- AuditEvent.SECURITY_DATA_RETRIEVE_KEY, ++ audit(new SecurityDataExportEvent( + servletRequest.getUserPrincipal().getName(), + status, 
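Review bot: In the failure branch the old `audit(auditMessage);` line survives as context after the new `audit(new SecurityDataExportEvent(...))` call, but the assignment to `auditMessage` that fed it was deleted, so that branch now emits a second audit record carrying whatever `auditMessage` last held (or null); delete the line as the success branch does. Separately, `auditSubjectID` is passed as the third argument, which the `String` overload of `SecurityDataExportEvent` labels RecoveryID, so the signed record reports the key's subject under `[RecoveryID=...]` rather than a request id; if no request id is available here, pass `null` in that slot and carry the subject in the Info field, e.g. `"subject=" + auditSubjectID`. The enclosing method starts and ends outside this hunk.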
+- requestId != null ? requestId.toString(): "null", +- keyId != null ? keyId.toString(): "null", +- (reason != null) ? auditInfo + ";" + reason : auditInfo +- ); +- auditor.log(msg); ++ requestId, ++ keyId, ++ (reason != null) ? auditInfo + ";" + reason : auditInfo, ++ null ++ )); + } + + public void auditRetrieveKey(String status) { +diff --git a/base/server/cms/src/com/netscape/cms/servlet/key/GetAsyncPk12.java b/base/server/cms/src/com/netscape/cms/servlet/key/GetAsyncPk12.java +index f0065e1..b28132d 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/key/GetAsyncPk12.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/key/GetAsyncPk12.java +@@ -35,8 +35,9 @@ import com.netscape.certsrv.base.IArgBlock; + import com.netscape.certsrv.base.SessionContext; + import com.netscape.certsrv.common.ICMSRequest; + import com.netscape.certsrv.kra.IKeyRecoveryAuthority; +-import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.ILogger; ++import com.netscape.certsrv.logging.event.SecurityDataExportEvent; ++import com.netscape.certsrv.request.RequestId; + import com.netscape.cms.servlet.base.CMSServlet; + import com.netscape.cms.servlet.common.CMSRequest; + import com.netscape.cms.servlet.common.CMSTemplate; +@@ -207,14 +208,13 @@ public class GetAsyncPk12 extends CMSServlet { + resp.getOutputStream().write(pkcs12); + mRenderResult = false; + +- auditMessage = CMS.getLogMessage( +- AuditEvent.PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS, ++ audit(new SecurityDataExportEvent( + agent, + ILogger.SUCCESS, +- reqID, +- ""); +- +- audit(auditMessage); ++ new RequestId(reqID), ++ null, ++ null, ++ null)); + + return; + } catch (IOException e) { +@@ -233,14 +233,13 @@ public class GetAsyncPk12 extends CMSServlet { + } + + if ((agent != null) && (reqID != null)) { +- auditMessage = CMS.getLogMessage( +- AuditEvent.PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE, ++ audit(new SecurityDataExportEvent( + agent, + ILogger.FAILURE, +- reqID, +- ""); 
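Review bot: `auditRetrieveKey` now files a key retrieval under `SECURITY_DATA_EXPORT_KEY` instead of `SECURITY_DATA_RETRIEVE_KEY`, but nothing in the method records that the event name changed, and the KRA `CS.cfg` in this same patch still enables `SECURITY_DATA_RETRIEVE_KEY`; anyone filtering the signed audit log on the old name silently loses these records. Add a Javadoc such as `/** Audits a retrieveKey call as SECURITY_DATA_EXPORT_KEY (formerly SECURITY_DATA_RETRIEVE_KEY); requestId/keyId may be null when the failure happened before they were resolved. */`. The removed code rendered a missing id as the literal string "null"; how a null `RequestId`/`KeyId` object renders now depends on `AuditEvent`'s parameter formatting, which is not visible here, so confirm the record still shows a placeholder rather than an empty field.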
+- +- audit(auditMessage); ++ new RequestId(reqID), ++ null, ++ null, ++ null)); + } + + try { +diff --git a/base/server/cms/src/com/netscape/cms/servlet/key/GetPk12.java b/base/server/cms/src/com/netscape/cms/servlet/key/GetPk12.java +index 9bb52cd..c878605 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/key/GetPk12.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/key/GetPk12.java +@@ -36,8 +36,9 @@ import com.netscape.certsrv.base.IArgBlock; + import com.netscape.certsrv.base.SessionContext; + import com.netscape.certsrv.common.ICMSRequest; + import com.netscape.certsrv.kra.IKeyRecoveryAuthority; +-import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.ILogger; ++import com.netscape.certsrv.logging.event.SecurityDataExportEvent; ++import com.netscape.certsrv.request.RequestId; + import com.netscape.cms.servlet.base.CMSServlet; + import com.netscape.cms.servlet.common.CMSRequest; + import com.netscape.cms.servlet.common.CMSTemplate; +@@ -201,15 +202,13 @@ public class GetPk12 extends CMSServlet { + resp.getOutputStream().write(pkcs12); + mRenderResult = false; + +- auditMessage = CMS.getLogMessage( +- AuditEvent.PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS, ++ audit(new SecurityDataExportEvent( + agent, + ILogger.SUCCESS, +- recoveryID, +- ""); +- +- audit(auditMessage); +- ++ new RequestId(recoveryID), ++ null, ++ null, ++ null)); + return; + } catch (IOException e) { + header.addStringValue(OUT_ERROR, +@@ -227,14 +226,13 @@ public class GetPk12 extends CMSServlet { + } + + if ((agent != null) && (recoveryID != null)) { +- auditMessage = CMS.getLogMessage( +- AuditEvent.PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE, ++ audit(new SecurityDataExportEvent( + agent, + ILogger.FAILURE, +- recoveryID, +- ""); +- +- audit(auditMessage); ++ new RequestId(recoveryID), ++ null, ++ null, ++ null)); + } + + try { +diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties 
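Review bot: The failure-path audit now wraps the raw `reqID` string in `new RequestId(reqID)` before logging; if `RequestId`'s constructor validates or parses its argument (not visible here), a malformed request id, one of the plausible reasons for reaching this branch, would throw inside the audit call and the failure would go unrecorded. Since the `String` overload of `SecurityDataExportEvent` exists, the failure branch can pass the string through unchanged, `audit(new SecurityDataExportEvent(agent, ILogger.FAILURE, reqID, null, null, null));`, and convert only on the success path where the id has already been used. The enclosing method starts and ends outside this hunk.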
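Review bot: Same caveat as in GetAsyncPk12: both the SUCCESS and FAILURE audits call `new RequestId(recoveryID)` on a string taken from the request, and in the failure branch a value that is not a well-formed id could make the audit call itself throw, assuming the constructor parses its input (not visible here). The `String` overload of `SecurityDataExportEvent` lets the failure branch log the value as received, `audit(new SecurityDataExportEvent(agent, ILogger.FAILURE, recoveryID, null, null, null));`. The local `auditMessage` that these hunks stop assigning is declared outside the hunk and may now be unused; check for a compiler warning.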
+index 5a01e13..9cdcae6 100644 +--- a/base/server/cmsbundle/src/LogMessages.properties ++++ b/base/server/cmsbundle/src/LogMessages.properties +@@ -1943,26 +1943,6 @@ LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE_4=:[AuditEvent=LOG_PA + # -- feature disabled -- + #LOGGING_SIGNED_AUDIT_LOG_EXPIRATION_CHANGE_4=:[AuditEvent=LOG_EXPIRATION_CHANGE][SubjectID={0}][Outcome={1}][LogType={2}][ExpirationTime={3}] log expiration time change attempt + # +-# LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS +-# - used when user private key export request is made and processed with success +-# - this is used in case of server-side keygen when keys generated on the server +-# need to be transported back to the client +-# EntityID must be the id that represents the client +-# PubKey must be the base-64 encoded public key associated with +-# the private key to be archived +-# +-LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS_4=:[AuditEvent=PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS][SubjectID={0}][Outcome={1}][EntityID={2}][PubKey={3}] private key export request processed with success +-# +-# LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE +-# - used when user private key export request is made and processed with failure +-# - this is used in case of server-side keygen when keys generated on the server +-# need to be transported back to the client +-# EntityID must be the id that represents the client +-# PubKey must be the base-64 encoded public key associated with +-# the private key to be archived +-# +-LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE_4=:[AuditEvent=PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE][SubjectID={0}][Outcome={1}][EntityID={2}][PubKey={3}] private key export request processed with failure +-# + # LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST + # - used when server-side key generation request is made + # This is for tokenkeys +@@ -2476,9 +2456,11 @@ 
LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE_4=:[AuditEvent=SECURITY_DATA_RETRIEVE_KEY][SubjectID={0}][Outcome={1}][RecoveryID={2}][KeyID={3}][Info={4}] security data retrieval request ++LOGGING_SIGNED_AUDIT_SECURITY_DATA_EXPORT_KEY=:[AuditEvent=SECURITY_DATA_EXPORT_KEY][SubjectID={0}][Outcome={1}][RecoveryID={2}][KeyID={3}][Info={4}][PubKey={5}] security data retrieval request + # + # LOGGING_SIGNED_AUDIT_KEY_STATUS_CHANGE + # - used when modify key status is executed +-- +1.8.3.1 + + +From 8016ed7972d9211e7f0db14e45bc9658a7b292ef Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Mon, 22 May 2017 22:34:58 +0200 +Subject: [PATCH 07/38] Enabling all subsystems on startup. + +The operations script has been modified to enable all subsystems +on startup by default. If the selftest fails, the subsystem will +be shutdown again automatically as before. A pki.conf option has +been added to configure this behavior. + +https://pagure.io/dogtagpki/issue/2699 + +Change-Id: Iaf367ba2d88d73f377662eee5eafbb99e088ae50 +--- + base/common/share/etc/pki.conf | 6 +++ + base/server/python/pki/server/cli/subsystem.py | 58 +++++++++++++++++++------- + base/server/scripts/operations | 14 +++++-- + 3 files changed, 59 insertions(+), 19 deletions(-) + +diff --git a/base/common/share/etc/pki.conf b/base/common/share/etc/pki.conf +index e9b5522..14bb8dd 100644 +--- a/base/common/share/etc/pki.conf ++++ b/base/common/share/etc/pki.conf +@@ -60,3 +60,9 @@ export SSL_CIPHERS + # Key Wrapping: AES KeyWrap with Padding + KEY_WRAP_PARAMETER_SET=1 + export KEY_WRAP_PARAMETER_SET ++ ++# Auto-enable subsystems ++# This boolean parameter determines whether to automatically enable all ++# subsystems on startup. 
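Review bot: The new `LOGGING_SIGNED_AUDIT_SECURITY_DATA_EXPORT_KEY` entry reuses the trailing description `security data retrieval request` from the RETRIEVE_KEY message although it is emitted by the PKCS#12 download servlets and the server-side keygen export path as well, and, unlike its neighbours and the PRIVATE_KEY_EXPORT block this patch deletes, it has no explanatory comment. Change the description to `security data export` and add the usual comment block above it stating when the event is emitted (wrapped private key returned to a token, PKCS#12 download, REST key retrieval), that RecoveryID is the recovery request id, KeyID the stored key's id, Info a free-form reason, and PubKey the base-64 public key when known. Part of this hunk appears collapsed in the extract, so the surrounding lines should be checked in the actual patch.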
++PKI_SERVER_AUTO_ENABLE_SUBSYSTEMS="true" ++export PKI_SERVER_AUTO_ENABLE_SUBSYSTEMS +diff --git a/base/server/python/pki/server/cli/subsystem.py b/base/server/python/pki/server/cli/subsystem.py +index ee5d2d2..8395bd2 100644 +--- a/base/server/python/pki/server/cli/subsystem.py ++++ b/base/server/python/pki/server/cli/subsystem.py +@@ -200,7 +200,7 @@ class SubsystemEnableCLI(pki.cli.CLI): + + try: + opts, args = getopt.gnu_getopt(argv, 'i:v', [ +- 'instance=', ++ 'instance=', 'all', + 'verbose', 'help']) + + except getopt.GetoptError as e: +@@ -209,11 +209,15 @@ class SubsystemEnableCLI(pki.cli.CLI): + sys.exit(1) + + instance_name = 'pki-tomcat' ++ all_subsystems = False + + for o, a in opts: + if o in ('-i', '--instance'): + instance_name = a + ++ elif o == '--all': ++ all_subsystems = True ++ + elif o in ('-v', '--verbose'): + self.set_verbose(True) + +@@ -226,13 +230,6 @@ class SubsystemEnableCLI(pki.cli.CLI): + self.usage() + sys.exit(1) + +- if len(args) != 1: +- print('ERROR: missing subsystem ID') +- self.usage() +- sys.exit(1) +- +- subsystem_name = args[0] +- + instance = pki.server.PKIInstance(instance_name) + + if not instance.is_valid(): +@@ -241,6 +238,22 @@ class SubsystemEnableCLI(pki.cli.CLI): + + instance.load() + ++ if all_subsystems: ++ for subsystem in instance.subsystems: ++ if not subsystem.is_enabled(): ++ subsystem.enable() ++ ++ self.print_message('Enabled all subsystems') ++ ++ return ++ ++ if len(args) != 1: ++ print('ERROR: missing subsystem ID') ++ self.usage() ++ sys.exit(1) ++ ++ subsystem_name = args[0] ++ + subsystem = instance.get_subsystem(subsystem_name) + if not subsystem: + print('ERROR: No %s subsystem in instance ' +@@ -276,7 +289,7 @@ class SubsystemDisableCLI(pki.cli.CLI): + + try: + opts, args = getopt.gnu_getopt(argv, 'i:v', [ +- 'instance=', ++ 'instance=', 'all', + 'verbose', 'help']) + + except getopt.GetoptError as e: +@@ -285,11 +298,15 @@ class SubsystemDisableCLI(pki.cli.CLI): + sys.exit(1) + + instance_name = 
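Review bot: The new `PKI_SERVER_AUTO_ENABLE_SUBSYSTEMS` comment does not tell an operator what the default costs them: with it set to "true", the `operations` script in this same commit runs `pki-server subsystem-enable --all` on every start, so a subsystem an administrator deliberately disabled with `pki-server subsystem-disable` is re-enabled at the next restart. Extend the comment, e.g. `# When true, every subsystem in the instance is enabled on each start, which overrides a manual 'pki-server subsystem-disable'; set to false to keep disabled subsystems disabled across restarts. Subsystems whose selftests fail are still shut down as before.`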
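Review bot: When `--all` is given, a positional subsystem ID is silently ignored because the `len(args) != 1` check now runs only after the `if all_subsystems:` branch has returned, so `pki-server subsystem-enable --all ca` enables everything without complaint. Reject the combination at the top of that branch: `if args: print('ERROR: --all does not take a subsystem ID'); self.usage(); sys.exit(1)`. The loop also stops at the first subsystem whose `enable()` raises, leaving later ones untouched while earlier ones are already enabled, and nothing is printed about which ones changed; printing each subsystem name when verbose would make a partial run diagnosable. The enclosing method starts outside this hunk.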
'pki-tomcat' ++ all_subsystems = False + + for o, a in opts: + if o in ('-i', '--instance'): + instance_name = a + ++ elif o == '--all': ++ all_subsystems = True ++ + elif o in ('-v', '--verbose'): + self.set_verbose(True) + +@@ -302,13 +319,6 @@ class SubsystemDisableCLI(pki.cli.CLI): + self.usage() + sys.exit(1) + +- if len(args) != 1: +- print('ERROR: missing subsystem ID') +- self.usage() +- sys.exit(1) +- +- subsystem_name = args[0] +- + instance = pki.server.PKIInstance(instance_name) + + if not instance.is_valid(): +@@ -317,6 +327,22 @@ class SubsystemDisableCLI(pki.cli.CLI): + + instance.load() + ++ if all_subsystems: ++ for subsystem in instance.subsystems: ++ if subsystem.is_enabled(): ++ subsystem.disable() ++ ++ self.print_message('Disabled all subsystems') ++ ++ return ++ ++ if len(args) != 1: ++ print('ERROR: missing subsystem ID') ++ self.usage() ++ sys.exit(1) ++ ++ subsystem_name = args[0] ++ + subsystem = instance.get_subsystem(subsystem_name) + if not subsystem: + print('ERROR: No %s subsystem in instance ' +diff --git a/base/server/scripts/operations b/base/server/scripts/operations +index 5b50178..907dd0e 100644 +--- a/base/server/scripts/operations ++++ b/base/server/scripts/operations +@@ -30,11 +30,14 @@ + # 200-254 reserved + # + +-# Read default PKI configuration. ++# default PKI configuration + . /usr/share/pki/etc/pki.conf + +-# Read user-defined PKI configuration. +-. /etc/pki/pki.conf ++# system-wide PKI configuration ++if [ -f /etc/pki/pki.conf ] ++then ++ . /etc/pki/pki.conf ++fi + + default_error=0 + +@@ -1294,6 +1297,11 @@ EOF + /var/lib/pki/$PKI_INSTANCE_NAME/conf/custom.policy > \ + /var/lib/pki/$PKI_INSTANCE_NAME/conf/catalina.policy + ++ if [ "${PKI_SERVER_AUTO_ENABLE_SUBSYSTEMS}" = "true" ] ; then ++ # enable all subsystems ++ pki-server subsystem-enable -i "$PKI_INSTANCE_NAME" --all ++ fi ++ + # We no longer start tomcat instances here. 
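Review bot: The `--all` branch of the disable command has the same gap as the enable one: a stray positional argument is ignored instead of rejected, and a failure partway through the loop leaves the instance half-disabled with no indication of which subsystems were touched. Add `if args: print('ERROR: --all does not take a subsystem ID'); self.usage(); sys.exit(1)` at the start of the branch, and print the subsystem name per iteration when verbose so an operator can tell what state the instance was left in. The enclosing method starts outside this hunk.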
+ # instead we rely on the tomcat unit scripts + +-- +1.8.3.1 + + +From 3027b565320c96857b7f7fdffed9a5fbec084bab Mon Sep 17 00:00:00 2001 +From: Ade Lee +Date: Thu, 18 May 2017 16:05:07 -0400 +Subject: [PATCH 08/38] Fix auditing in retrieveKey + +The auditing in retrieveKey is all messed up. +* Added new audit event to track accesses to KeyInfo queries. + They may produce a lot of events, especially if events are + generated for every listing of data. By default, this event + may be turned off. +* Added audit events for generation and processing of key + recovery requests. + +Change-Id: Icb695e712bdfadf0a80903aa52bd00b9d4883182 +--- + .../logging/event/SecurityDataInfoEvent.java | 49 ++++++++++++ + base/kra/shared/conf/CS.cfg | 2 +- + .../org/dogtagpki/server/kra/rest/KeyService.java | 88 +++++++++++++++++----- + base/server/cmsbundle/src/LogMessages.properties | 12 ++- + 4 files changed, 132 insertions(+), 19 deletions(-) + create mode 100644 base/common/src/com/netscape/certsrv/logging/event/SecurityDataInfoEvent.java + +diff --git a/base/common/src/com/netscape/certsrv/logging/event/SecurityDataInfoEvent.java b/base/common/src/com/netscape/certsrv/logging/event/SecurityDataInfoEvent.java +new file mode 100644 +index 0000000..82c049e +--- /dev/null ++++ b/base/common/src/com/netscape/certsrv/logging/event/SecurityDataInfoEvent.java +@@ -0,0 +1,49 @@ ++// --- BEGIN COPYRIGHT BLOCK --- ++// This program is free software; you can redistribute it and/or modify ++// it under the terms of the GNU General Public License as published by ++// the Free Software Foundation; version 2 of the License. ++// ++// This program is distributed in the hope that it will be useful, ++// but WITHOUT ANY WARRANTY; without even the implied warranty of ++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++// GNU General Public License for more details. 
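Review bot: The exit status of `pki-server subsystem-enable -i "$PKI_INSTANCE_NAME" --all` is discarded, so if the CLI fails (an unreadable CS.cfg in one subsystem, for instance) some subsystems stay disabled and startup continues with nothing logged by this script. Capture it, e.g. `|| echo "WARNING: failed to enable all subsystems in $PKI_INSTANCE_NAME" >&2`, unless the intent is that the selftest-driven shutdown covers every failure mode, in which case a comment saying so would help the next reader. The earlier hunk in this file makes sourcing `/etc/pki/pki.conf` conditional, so `PKI_SERVER_AUTO_ENABLE_SUBSYSTEMS` falls back to the packaged default when the site file is absent; that is worth a sentence in the comment above the check.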
++// ++// You should have received a copy of the GNU General Public License along ++// with this program; if not, write to the Free Software Foundation, Inc., ++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. ++// ++// (C) 2017 Red Hat, Inc. ++// All rights reserved. ++// --- END COPYRIGHT BLOCK --- ++package com.netscape.certsrv.logging.event; ++ ++import com.netscape.certsrv.dbs.keydb.KeyId; ++import com.netscape.certsrv.logging.AuditEvent; ++ ++public class SecurityDataInfoEvent extends AuditEvent { ++ ++ private static final long serialVersionUID = 1L; ++ ++ private static final String LOGGING_PROPERTY = ++ "LOGGING_SIGNED_AUDIT_SECURITY_DATA_INFO"; ++ ++ public SecurityDataInfoEvent( ++ String subjectID, ++ String outcome, ++ KeyId keyID, ++ String clientKeyID, ++ String failureReason, ++ String pubKey) { ++ ++ super(LOGGING_PROPERTY); ++ ++ setParameters(new Object[] { ++ subjectID, ++ outcome, ++ keyID, ++ clientKeyID, ++ failureReason, ++ pubKey ++ }); ++ } ++} +\ No newline at end of file +diff --git a/base/kra/shared/conf/CS.cfg b/base/kra/shared/conf/CS.cfg +index 298e35a..4b6ff74 100644 +--- a/base/kra/shared/conf/CS.cfg ++++ b/base/kra/shared/conf/CS.cfg +@@ -300,7 +300,7 @@ log.instance.SignedAudit._001=## Signed Audit Logging + log.instance.SignedAudit._002=## + log.instance.SignedAudit._003=## + log.instance.SignedAudit._004=## Available Audit events: +-log.instance.SignedAudit._005=## 
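Review bot: The fifth constructor parameter is named `failureReason`, but the only caller in this patch, `KeyService.auditKeyInfo`, passes `auditInfo` in that slot on success as well, so the name misdescribes what the field carries; rename it `info`. The class also has no Javadoc; add one giving the slot order and the volume caveat from the commit message, e.g. `/** Audit event for a KeyInfo query; arguments fill SubjectID, Outcome, KeyID, ClientKeyID, Info and PubKey in that order. Emitted once per key record returned by a listing or lookup, so it can be high-volume and is disabled by default in CS.cfg. */`. The file also lacks a trailing newline.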
AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,KEY_RECOVERY_AGENT_LOGIN,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_EXPORT_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED ++log.instance.SignedAudit._005=## 
AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,KEY_RECOVERY_AGENT_LOGIN,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_EXPORT_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_INFO + log.instance.SignedAudit._006=## + log.instance.SignedAudit.bufferSize=512 + log.instance.SignedAudit.enable=true 
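Review bot: `SECURITY_DATA_INFO` is added only to the `_005` comment list and not to `log.instance.SignedAudit.events`, which matches the commit message's intent to leave it off by default, but the config itself does not say so, and the name is appended after `ACCESS_SESSION_TERMINATED` rather than next to the other `SECURITY_DATA_*` events. Add a comment line explaining the choice, e.g. `## SECURITY_DATA_INFO is not enabled by default: every KeyInfo record returned by a listing produces one event; add it to log.instance.SignedAudit.events to audit key lookups.`, and move the name into the security-data group so the list stays scannable.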
+diff --git a/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java b/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java +index 87e6f15..52799e6 100644 +--- a/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java ++++ b/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java +@@ -63,6 +63,9 @@ import com.netscape.certsrv.kra.IKeyService; + import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.ILogger; + import com.netscape.certsrv.logging.event.SecurityDataExportEvent; ++import com.netscape.certsrv.logging.event.SecurityDataInfoEvent; ++import com.netscape.certsrv.logging.event.SecurityDataRecoveryEvent; ++import com.netscape.certsrv.logging.event.SecurityDataRecoveryProcessedEvent; + import com.netscape.certsrv.request.IRequest; + import com.netscape.certsrv.request.IRequestQueue; + import com.netscape.certsrv.request.RequestId; +@@ -92,6 +95,7 @@ public class KeyService extends SubsystemService implements KeyResource { + private RequestId requestId; + private KeyId keyId; + private String auditInfo; ++ private String approvers; + + public KeyService() { + kra = ( IKeyRecoveryAuthority ) CMS.getSubsystem( "kra" ); +@@ -112,12 +116,14 @@ public class KeyService extends SubsystemService implements KeyResource { + @Override + public Response retrieveKey(KeyRecoveryRequest data) { + try { +- return retrieveKeyImpl(data); ++ Response response = retrieveKeyImpl(data); ++ auditRetrieveKey(ILogger.SUCCESS); ++ return response; + } catch(RuntimeException e) { +- auditError(e.getMessage()); ++ auditRetrieveKeyError(e.getMessage()); + throw e; + } catch (Exception e) { +- auditError(e.getMessage()); ++ auditRetrieveKeyError(e.getMessage()); + throw new PKIException(e.getMessage(), e); + } + } +@@ -191,17 +197,20 @@ public class KeyService extends SubsystemService implements KeyResource { + try { + queue.updateRequest(request); + } catch (EBaseException e) { ++ auditRecoveryRequest(ILogger.FAILURE); + e.printStackTrace(); + 
throw new PKIException(e.getMessage(), e); + } + + CMS.debug("Returning created recovery request"); +- auditRetrieveKey(ILogger.SUCCESS, "Created recovery request"); ++ auditRecoveryRequest(ILogger.SUCCESS); + + KeyData keyData = new KeyData(); + keyData.setRequestID(requestId); + return createOKResponse(keyData); + } ++ ++ auditRecoveryRequest(ILogger.SUCCESS); + } + + data.setRequestId(requestId); +@@ -226,15 +235,19 @@ public class KeyService extends SubsystemService implements KeyResource { + throw new BadRequestException("Invalid request type: " + type); + } + } catch (Exception e) { ++ auditRecoveryRequestProcessed(ILogger.FAILURE, e.getMessage()); + throw new PKIException(e.getMessage(), e); + } + + if (keyData == null) { ++ auditRecoveryRequestProcessed(ILogger.FAILURE, "No key record"); + throw new HTTPGoneException("No key record."); + } + ++ approvers = request.getExtDataInString(IRequest.ATTR_APPROVE_AGENTS); ++ auditRecoveryRequestProcessed(ILogger.SUCCESS, null); ++ + CMS.debug("KeyService: key retrieved"); +- auditRetrieveKey(ILogger.SUCCESS); + return createOKResponse(keyData); + } + +@@ -408,10 +421,8 @@ public class KeyService extends SubsystemService implements KeyResource { + try { + return createOKResponse(listKeyInfos(clientKeyID, status, maxResults, maxTime, start, size, realm)); + } catch (RuntimeException e) { +- auditError(e.getMessage()); + throw e; + } catch (Exception e) { +- auditError(e.getMessage()); + throw new PKIException(e.getMessage(), e); + } + } +@@ -449,7 +460,6 @@ public class KeyService extends SubsystemService implements KeyResource { + try { + Enumeration e = repo.searchKeys(filter, maxResults, maxTime); + if (e == null) { +- auditRetrieveKey(ILogger.SUCCESS); + return infos; + } + +@@ -458,7 +468,11 @@ public class KeyService extends SubsystemService implements KeyResource { + while (e.hasMoreElements()) { + IKeyRecord rec = e.nextElement(); + if (rec == null) continue; +- results.add(createKeyDataInfo(rec, false)); ++ 
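Review bot: Removing `auditError(e.getMessage())` from both catch blocks around `listKeyInfos` means a key listing that fails, including one rejected by a search or authorization error, now produces no audit record at all, while the success path audits every record returned; `getActiveKeyInfo` in this same patch keeps a failure audit via `auditKeyInfoError`. Make the two handlers match by calling `auditKeyInfoError(null, clientKeyID, e.getMessage());` before each rethrow. The enclosing method starts outside this hunk.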
++ KeyInfo info = createKeyDataInfo(rec, false); ++ results.add(info); ++ ++ auditKeyInfoSuccess(info.getKeyId(), null); + } + + int total = results.size(); +@@ -482,7 +496,6 @@ public class KeyService extends SubsystemService implements KeyResource { + } catch (EBaseException e) { + throw new PKIException(e.getMessage(), e); + } +- auditRetrieveKey(ILogger.SUCCESS); + + return infos; + } +@@ -492,10 +505,10 @@ public class KeyService extends SubsystemService implements KeyResource { + try { + return getActiveKeyInfoImpl(clientKeyID); + } catch (RuntimeException e) { +- auditError(e.getMessage()); ++ auditKeyInfoError(null, clientKeyID, e.getMessage()); + throw e; + } catch (Exception e) { +- auditError(e.getMessage()); ++ auditKeyInfoError(null, clientKeyID, e.getMessage()); + throw new PKIException(e.getMessage(), e); + } + } +@@ -531,7 +544,7 @@ public class KeyService extends SubsystemService implements KeyResource { + throw new PKIException(e.toString(), e); + } + +- auditRetrieveKey(ILogger.SUCCESS); ++ auditKeyInfoSuccess(info.getKeyId(), clientKeyID); + + return createOKResponse(info); + } +@@ -616,11 +629,31 @@ public class KeyService extends SubsystemService implements KeyResource { + auditRetrieveKey(status, null); + } + +- public void auditError(String message) { ++ public void auditRetrieveKeyError(String message) { + CMS.debug(message); + auditRetrieveKey(ILogger.FAILURE, message); + } + ++ public void auditKeyInfo(KeyId keyId, String clientKeyId, String status, String reason) { ++ audit(new SecurityDataInfoEvent( ++ servletRequest.getUserPrincipal().getName(), ++ status, ++ keyId, ++ clientKeyId, ++ (reason != null) ? 
auditInfo + ";" + reason : auditInfo, ++ null ++ )); ++ } ++ ++ public void auditKeyInfoSuccess(KeyId keyid, String clientKeyId) { ++ auditKeyInfo(keyId, clientKeyId, ILogger.SUCCESS, null); ++ } ++ ++ public void auditKeyInfoError(KeyId keyId, String clientKeyId, String message) { ++ CMS.debug(message); ++ auditKeyInfo(keyId, clientKeyId, ILogger.FAILURE, message); ++ } ++ + public void auditKeyStatusChange(String status, String keyID, String oldKeyStatus, + String newKeyStatus, String info) { + String msg = CMS.getLogMessage( +@@ -634,6 +667,27 @@ public class KeyService extends SubsystemService implements KeyResource { + auditor.log(msg); + } + ++ public void auditRecoveryRequest(String status) { ++ audit(new SecurityDataRecoveryEvent( ++ servletRequest.getUserPrincipal().getName(), ++ status, ++ requestId, ++ keyId, ++ null ++ )); ++ } ++ ++ public void auditRecoveryRequestProcessed(String status, String reason) { ++ audit(new SecurityDataRecoveryProcessedEvent( ++ servletRequest.getUserPrincipal().getName(), ++ status, ++ requestId, ++ keyId, ++ (reason != null) ? 
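Review bot: `auditKeyInfoSuccess(KeyId keyid, String clientKeyId)` declares its parameter as `keyid` but the body passes `keyId`, which resolves to the `private KeyId keyId` field of KeyService rather than the argument; the value callers pass (`info.getKeyId()` in the listKeyInfos loop, `keyId` in getKeyInfoImpl) is silently discarded and every SECURITY_DATA_INFO success record carries whatever the field holds at that moment, possibly null. The one-line fix is `public void auditKeyInfoSuccess(KeyId keyId, String clientKeyId) {`. Separately, `auditKeyInfo` and the new recovery audit helpers call `servletRequest.getUserPrincipal().getName()` without a null check; this matches the existing style in the file, but a request with no principal would throw inside the audit helper and mask the original error being audited.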
auditInfo + ";" + reason : auditInfo, ++ approvers ++ )); ++ } ++ + /** + * Used to retrieve a key + * @param data +@@ -697,10 +751,10 @@ public class KeyService extends SubsystemService implements KeyResource { + try { + return getKeyInfoImpl(keyId); + } catch (RuntimeException e) { +- auditError(e.getMessage()); ++ auditKeyInfoError(keyId, null, e.getMessage()); + throw e; + } catch (Exception e) { +- auditError(e.getMessage()); ++ auditKeyInfoError(keyId, null, e.getMessage()); + throw new PKIException(e.getMessage(), e); + } + } +@@ -715,7 +769,7 @@ public class KeyService extends SubsystemService implements KeyResource { + rec = repo.readKeyRecord(keyId.toBigInteger()); + authz.checkRealm(rec.getRealm(), getAuthToken(), rec.getOwnerName(), "certServer.kra.key", "read"); + KeyInfo info = createKeyDataInfo(rec, true); +- auditRetrieveKey(ILogger.SUCCESS); ++ auditKeyInfoSuccess(keyId, null); + + return createOKResponse(info); + } catch (EAuthzAccessDenied e) { +diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties +index 9cdcae6..3b998d9 100644 +--- a/base/server/cmsbundle/src/LogMessages.properties ++++ b/base/server/cmsbundle/src/LogMessages.properties +@@ -2451,7 +2451,7 @@ LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST=:[AuditEvent=SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE][SubjectID={0}][Outcome={1}][RecoveryID={2}][Operation={3}] security data recovery request state change + # +-# LOGGING_SIGNED_AUDIT_SECURITY_DATA_RETRIEVE_KEY ++# LOGGING_SIGNED_AUDIT_SECURITY_DATA_EXPORT_KEY + # - used when user attempts to retrieve key after the recovery request + # has been approved. 
+ # +@@ -2462,6 +2462,16 @@ LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE_4=:[AuditEvent=SECURITY_DATA_EXPORT_KEY][SubjectID={0}][Outcome={1}][RecoveryID={2}][KeyID={3}][Info={4}][PubKey={5}] security data retrieval request + # ++# LOGGING_SIGNED_AUDIT_SECURITY_DATA_INFO ++# - used when user attempts to get metadata information about a key ++# ++# RecoveryID must be the recovery request ID ++# KeyID is the key being retrieved ++# Info is the failure reason if the export fails. ++# PubKey is the public key for the private key being retrieved ++# ++LOGGING_SIGNED_AUDIT_SECURITY_DATA_INFO=:[AuditEvent=SECURITY_DATA_INFO][SubjectID={0}][Outcome={1}][KeyID={2}][ClientKeyId={3}[Info={4}][PubKey={5}] security data info request ++# + # LOGGING_SIGNED_AUDIT_KEY_STATUS_CHANGE + # - used when modify key status is executed + # keyID must be an existing key id in the database +-- +1.8.3.1 + + +From f40d0aaf446b162994e9c8598a7b00a6d4c906f2 Mon Sep 17 00:00:00 2001 +From: Ade Lee +Date: Tue, 23 May 2017 10:01:47 -0400 +Subject: [PATCH 09/38] Encapsulate recovery request approval audit logs + +The audit logs where an agent grants an asynchronous recovery request +and the case where recovery request is appproved from the REST API +are consolidated and encapsulated in a class. 
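Review bot: The new `LOGGING_SIGNED_AUDIT_SECURITY_DATA_INFO` format string is missing the closing bracket after the ClientKeyId field — `[ClientKeyId={3}[Info={4}]` — so the Info field is nested inside ClientKeyId and any consumer that parses the signed audit log by bracketed fields will misread every SECURITY_DATA_INFO record; it should read `[KeyID={2}][ClientKeyId={3}][Info={4}][PubKey={5}] security data info request`. The comment block above it still says "RecoveryID must be the recovery request ID" and "if the export fails", which appear to be carried over from the EXPORT_KEY entry; this event has no RecoveryID placeholder, so those lines should be dropped or reworded to describe KeyID and ClientKeyId.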
+ +Change-Id: I237c1dcfc413012d421f3ccc64e21c7caf5a7701 +--- + .../com/netscape/certsrv/logging/AuditEvent.java | 2 - + .../SecurityDataRecoveryStateChangeEvent.java | 45 +++++++++++++++ + .../server/kra/rest/KeyRequestService.java | 9 ++- + .../cms/servlet/key/GrantAsyncRecovery.java | 65 ++++------------------ + base/server/cmsbundle/src/LogMessages.properties | 2 +- + 5 files changed, 61 insertions(+), 62 deletions(-) + create mode 100644 base/common/src/com/netscape/certsrv/logging/event/SecurityDataRecoveryStateChangeEvent.java + +diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java +index 45907d0..891398d 100644 +--- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java ++++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java +@@ -164,8 +164,6 @@ public class AuditEvent implements IBundleLogEvent { + public final static String CONFIG_SERIAL_NUMBER = + "LOGGING_SIGNED_AUDIT_CONFIG_SERIAL_NUMBER_1"; + +- public static final String SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE = +- "LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE_4"; + public final static String KEY_STATUS_CHANGE = + "LOGGING_SIGNED_AUDIT_KEY_STATUS_CHANGE_6"; + public final static String SYMKEY_GENERATION_REQUEST_PROCESSED = +diff --git a/base/common/src/com/netscape/certsrv/logging/event/SecurityDataRecoveryStateChangeEvent.java b/base/common/src/com/netscape/certsrv/logging/event/SecurityDataRecoveryStateChangeEvent.java +new file mode 100644 +index 0000000..d0e97f8 +--- /dev/null ++++ b/base/common/src/com/netscape/certsrv/logging/event/SecurityDataRecoveryStateChangeEvent.java +@@ -0,0 +1,45 @@ ++// --- BEGIN COPYRIGHT BLOCK --- ++// This program is free software; you can redistribute it and/or modify ++// it under the terms of the GNU General Public License as published by ++// the Free Software Foundation; version 2 of the License. 
++// ++// This program is distributed in the hope that it will be useful, ++// but WITHOUT ANY WARRANTY; without even the implied warranty of ++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++// GNU General Public License for more details. ++// ++// You should have received a copy of the GNU General Public License along ++// with this program; if not, write to the Free Software Foundation, Inc., ++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. ++// ++// (C) 2017 Red Hat, Inc. ++// All rights reserved. ++// --- END COPYRIGHT BLOCK --- ++package com.netscape.certsrv.logging.event; ++ ++import com.netscape.certsrv.logging.AuditEvent; ++import com.netscape.certsrv.request.RequestId; ++ ++public class SecurityDataRecoveryStateChangeEvent extends AuditEvent { ++ ++ private static final long serialVersionUID = 1L; ++ ++ private static final String LOGGING_PROPERTY = ++ "LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE"; ++ ++ public SecurityDataRecoveryStateChangeEvent( ++ String subjectID, ++ String outcome, ++ RequestId recoveryID, ++ String operation) { ++ ++ super(LOGGING_PROPERTY); ++ ++ setParameters(new Object[] { ++ subjectID, ++ outcome, ++ recoveryID, ++ operation ++ }); ++ } ++} +diff --git a/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java b/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java +index a2d01f1..12040e0 100644 +--- a/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java ++++ b/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java +@@ -52,6 +52,7 @@ import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.ILogger; + import com.netscape.certsrv.logging.event.SecurityDataArchivalEvent; + import com.netscape.certsrv.logging.event.SecurityDataRecoveryEvent; ++import com.netscape.certsrv.logging.event.SecurityDataRecoveryStateChangeEvent; + import com.netscape.certsrv.request.RequestId; + import 
com.netscape.certsrv.request.RequestNotFoundException; + import com.netscape.cms.realm.PKIPrincipal; +@@ -336,13 +337,11 @@ public class KeyRequestService extends SubsystemService implements KeyRequestRes + } + + public void auditRecoveryRequestChange(RequestId requestId, String status, String operation) { +- String msg = CMS.getLogMessage( +- AuditEvent.SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE, ++ audit(new SecurityDataRecoveryStateChangeEvent( + getRequestor(), + status, +- requestId.toString(), +- operation); +- auditor.log(msg); ++ requestId, ++ operation)); + } + + public void auditRecoveryRequestMade(RequestId requestId, String status, KeyId dataId) { +diff --git a/base/server/cms/src/com/netscape/cms/servlet/key/GrantAsyncRecovery.java b/base/server/cms/src/com/netscape/cms/servlet/key/GrantAsyncRecovery.java +index c410525..2a50067 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/key/GrantAsyncRecovery.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/key/GrantAsyncRecovery.java +@@ -34,8 +34,9 @@ import com.netscape.certsrv.base.EBaseException; + import com.netscape.certsrv.base.IArgBlock; + import com.netscape.certsrv.common.ICMSRequest; + import com.netscape.certsrv.kra.IKeyService; +-import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.ILogger; ++import com.netscape.certsrv.logging.event.SecurityDataRecoveryStateChangeEvent; ++import com.netscape.certsrv.request.RequestId; + import com.netscape.cms.servlet.base.CMSServlet; + import com.netscape.cms.servlet.common.CMSRequest; + import com.netscape.cms.servlet.common.CMSTemplate; +@@ -194,32 +195,7 @@ public class GrantAsyncRecovery extends CMSServlet { + String agentID, + HttpServletRequest req, HttpServletResponse resp, + Locale locale) { +- String auditMessage = null; + String auditSubjectID = auditSubjectID(); +- String auditRequestID = reqID; +- String auditAgentID = agentID; +- +- // "normalize" the "reqID" +- if (auditRequestID != null) { +- 
auditRequestID = auditRequestID.trim(); +- +- if (auditRequestID.equals("")) { +- auditRequestID = ILogger.UNIDENTIFIED; +- } +- } else { +- auditRequestID = ILogger.UNIDENTIFIED; +- } +- +- // "normalize" the "auditAgentID" +- if (auditAgentID != null) { +- auditAgentID = auditAgentID.trim(); +- +- if (auditAgentID.equals("")) { +- auditAgentID = ILogger.UNIDENTIFIED; +- } +- } else { +- auditAgentID = ILogger.UNIDENTIFIED; +- } + + try { + header.addStringValue(OUT_OP, +@@ -233,40 +209,21 @@ public class GrantAsyncRecovery extends CMSServlet { + header.addStringValue("requestID", reqID); + header.addStringValue("agentID", agentID); + +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.KEY_RECOVERY_AGENT_LOGIN, +- auditSubjectID, +- ILogger.SUCCESS, +- auditRequestID, +- auditAgentID); + +- audit(auditMessage); +- +- } catch (EBaseException e) { +- header.addStringValue(OUT_ERROR, e.toString(locale)); +- +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.KEY_RECOVERY_AGENT_LOGIN, ++ audit(new SecurityDataRecoveryStateChangeEvent( + auditSubjectID, +- ILogger.FAILURE, +- auditRequestID, +- auditAgentID); ++ ILogger.SUCCESS, ++ new RequestId(reqID), ++ "approve")); + +- audit(auditMessage); + } catch (Exception e) { + header.addStringValue(OUT_ERROR, e.toString()); + +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.KEY_RECOVERY_AGENT_LOGIN, +- auditSubjectID, +- ILogger.FAILURE, +- auditRequestID, +- auditAgentID); +- +- audit(auditMessage); ++ audit(new SecurityDataRecoveryStateChangeEvent( ++ auditSubjectID, ++ ILogger.FAILURE, ++ new RequestId(reqID), ++ "approve")); + } + } + } +diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties +index 3b998d9..44eec23 100644 +--- a/base/server/cmsbundle/src/LogMessages.properties ++++ 
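Review bot: The failure path in the catch block builds `new RequestId(reqID)` from the raw request parameter, whereas the removed code normalized a null or blank reqID to `ILogger.UNIDENTIFIED` before logging; if RequestId's constructor rejects such input (its definition is not visible here), the FAILURE audit itself throws out of the catch block and the grant attempt leaves no audit record, which is exactly the case signed audit exists to cover. Constructing the RequestId once before the `try`, with the null/blank check retained, and reusing it in both audit calls would keep the audit robust; the SUCCESS call in the same hunk has the same exposure. The new event also drops the agent ID that the removed KEY_RECOVERY_AGENT_LOGIN message carried, so the identity of the approving agent now rests solely on `auditSubjectID`; if those two can differ, that is a loss of audit detail worth a comment. The enclosing method begins before the `@@ -194,32 +195,7 @@` hunk.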
b/base/server/cmsbundle/src/LogMessages.properties +@@ -2449,7 +2449,7 @@ LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST=:[AuditEvent=SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE][SubjectID={0}][Outcome={1}][RecoveryID={2}][Operation={3}] security data recovery request state change ++LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE=:[AuditEvent=SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE][SubjectID={0}][Outcome={1}][RecoveryID={2}][Operation={3}] security data recovery request state change + # + # LOGGING_SIGNED_AUDIT_SECURITY_DATA_EXPORT_KEY + # - used when user attempts to retrieve key after the recovery request +-- +1.8.3.1 + + +From 6dd0800d8bb24d9d2d3f9e377a90f641612c7c78 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Sat, 20 May 2017 02:37:18 +0200 +Subject: [PATCH 10/38] Moved TokenServlet into pki-tks package. + +The TokenServlet has been moved into pki-tks package in order to +use the JssSubsystem in pki-cmscore package. + +Some constants in SecureChannelProtocol have been made public so +they can be accessed by the TokenServlet. 
+ +https://pagure.io/dogtagpki/issue/2695 + +Change-Id: I5542e5dcf09c3d081a131af042d833203bcc086c +--- + .../cms/servlet/tks/SecureChannelProtocol.java | 27 +- + .../com/netscape/cms/servlet/tks/TokenServlet.java | 3223 ------------------- + base/tks/shared/webapps/tks/WEB-INF/web.xml | 8 +- + .../dogtagpki/server/tks/servlet/TokenServlet.java | 3226 ++++++++++++++++++++ + 4 files changed, 3244 insertions(+), 3240 deletions(-) + delete mode 100644 base/server/cms/src/com/netscape/cms/servlet/tks/TokenServlet.java + create mode 100644 base/tks/src/org/dogtagpki/server/tks/servlet/TokenServlet.java + +diff --git a/base/server/cms/src/com/netscape/cms/servlet/tks/SecureChannelProtocol.java b/base/server/cms/src/com/netscape/cms/servlet/tks/SecureChannelProtocol.java +index ef0c61b..0542470 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/tks/SecureChannelProtocol.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/tks/SecureChannelProtocol.java +@@ -25,12 +25,12 @@ import org.mozilla.jss.crypto.SymmetricKey.NotExtractableException; + import org.mozilla.jss.crypto.SymmetricKeyDeriver; + import org.mozilla.jss.crypto.TokenException; + +-import sun.security.pkcs11.wrapper.PKCS11Constants; +- + import com.netscape.certsrv.apps.CMS; + import com.netscape.certsrv.base.EBaseException; + import com.netscape.cmsutil.crypto.CryptoUtil; + ++import sun.security.pkcs11.wrapper.PKCS11Constants; ++ + public class SecureChannelProtocol { + + static String sharedSecretKeyName = null; +@@ -47,17 +47,18 @@ public class SecureChannelProtocol { + static final String DEFKEYSET_NAME = "defKeySet"; + static int protocol = 1; + +- static final String encType = "enc"; +- static final String macType = "mac"; +- static final String kekType = "kek"; +- static final String authType = "auth"; +- static final String dekType = "dek"; +- static final String rmacType = "rmac"; +- static final int PROTOCOL_ONE = 1; +- static final int PROTOCOL_TWO = 2; +- static final int PROTOCOL_THREE = 
3; +- static final int HOST_CRYPTOGRAM = 0; +- static final int CARD_CRYPTOGRAM = 1; ++ public static final String encType = "enc"; ++ public static final String macType = "mac"; ++ public static final String kekType = "kek"; ++ public static final String authType = "auth"; ++ public static final String dekType = "dek"; ++ public static final String rmacType = "rmac"; ++ public static final int PROTOCOL_ONE = 1; ++ public static final int PROTOCOL_TWO = 2; ++ public static final int PROTOCOL_THREE = 3; ++ public static final int HOST_CRYPTOGRAM = 0; ++ public static final int CARD_CRYPTOGRAM = 1; ++ + //Size of long type in bytes, since java7 has no define for this + static final int LONG_SIZE = 8; + +diff --git a/base/server/cms/src/com/netscape/cms/servlet/tks/TokenServlet.java b/base/server/cms/src/com/netscape/cms/servlet/tks/TokenServlet.java +deleted file mode 100644 +index 1377055..0000000 +--- a/base/server/cms/src/com/netscape/cms/servlet/tks/TokenServlet.java ++++ /dev/null +@@ -1,3223 +0,0 @@ +-// --- BEGIN COPYRIGHT BLOCK --- +-// This program is free software; you can redistribute it and/or modify +-// it under the terms of the GNU General Public License as published by +-// the Free Software Foundation; version 2 of the License. +-// +-// This program is distributed in the hope that it will be useful, +-// but WITHOUT ANY WARRANTY; without even the implied warranty of +-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +-// GNU General Public License for more details. +-// +-// You should have received a copy of the GNU General Public License along +-// with this program; if not, write to the Free Software Foundation, Inc., +-// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +-// +-// (C) 2007 Red Hat, Inc. +-// All rights reserved. 
+-// --- END COPYRIGHT BLOCK --- +-package com.netscape.cms.servlet.tks; +- +-import java.io.ByteArrayOutputStream; +-import java.io.IOException; +-import java.io.OutputStream; +-import java.security.PublicKey; +-import java.security.SecureRandom; +-import java.util.ArrayList; +-import java.util.StringTokenizer; +- +-import javax.servlet.ServletConfig; +-import javax.servlet.ServletException; +-import javax.servlet.http.HttpServletRequest; +-import javax.servlet.http.HttpServletResponse; +- +-import org.dogtagpki.server.connector.IRemoteRequest; +-import org.mozilla.jss.CryptoManager; +-import org.mozilla.jss.CryptoManager.NotInitializedException; +-import org.mozilla.jss.crypto.CryptoToken; +-import org.mozilla.jss.crypto.KeyWrapAlgorithm; +-import org.mozilla.jss.crypto.KeyWrapper; +-import org.mozilla.jss.crypto.SymmetricKey; +-import org.mozilla.jss.crypto.X509Certificate; +-import org.mozilla.jss.pkcs11.PK11SymKey; +- +-import com.netscape.certsrv.apps.CMS; +-import com.netscape.certsrv.authentication.IAuthToken; +-import com.netscape.certsrv.authorization.AuthzToken; +-import com.netscape.certsrv.base.EBaseException; +-import com.netscape.certsrv.base.IConfigStore; +-import com.netscape.certsrv.base.IPrettyPrintFormat; +-import com.netscape.certsrv.base.SessionContext; +-import com.netscape.certsrv.logging.AuditEvent; +-import com.netscape.certsrv.logging.ILogger; +-import com.netscape.cms.servlet.base.CMSServlet; +-import com.netscape.cms.servlet.common.CMSRequest; +-import com.netscape.cmsutil.crypto.CryptoUtil; +-import com.netscape.symkey.SessionKey; +- +-/** +- * A class representings an administration servlet for Token Key +- * Service Authority. This servlet is responsible to serve +- * tks administrative operation such as configuration +- * parameter updates. 
+- * +- * @version $Revision$, $Date$ +- */ +-public class TokenServlet extends CMSServlet { +- /** +- * +- */ +- private static final long serialVersionUID = 8687436109695172791L; +- protected static final String PROP_ENABLED = "enabled"; +- protected static final String TRANSPORT_KEY_NAME = "sharedSecret"; +- private final static String INFO = "TokenServlet"; +- public static int ERROR = 1; +- String mKeyNickName = null; +- String mNewKeyNickName = null; +- String mCurrentUID = null; +- IPrettyPrintFormat pp = CMS.getPrettyPrintFormat(":"); +- +- // Derivation Constants for SCP02 +- public final static byte[] C_MACDerivationConstant = { (byte) 0x01, (byte) 0x01 }; +- public final static byte[] ENCDerivationConstant = { 0x01, (byte) 0x82 }; +- public final static byte[] DEKDerivationConstant = { 0x01, (byte) 0x81 }; +- public final static byte[] R_MACDerivationConstant = { 0x01, 0x02 }; +- +- /** +- * Constructs tks servlet. +- */ +- public TokenServlet() { +- super(); +- +- } +- +- public static String trim(String a) { +- StringBuffer newa = new StringBuffer(); +- StringTokenizer tokens = new StringTokenizer(a, "\n"); +- while (tokens.hasMoreTokens()) { +- newa.append(tokens.nextToken()); +- } +- return newa.toString(); +- } +- +- public void init(ServletConfig config) throws ServletException { +- super.init(config); +- } +- +- /** +- * Returns serlvet information. +- * +- * @return name of this servlet +- */ +- public String getServletInfo() { +- return INFO; +- } +- +- /** +- * Process the HTTP request. +- * +- * @param s The URL to decode. 
+- */ +- protected String URLdecode(String s) { +- if (s == null) +- return null; +- ByteArrayOutputStream out = new ByteArrayOutputStream(s.length()); +- +- for (int i = 0; i < s.length(); i++) { +- int c = s.charAt(i); +- +- if (c == '+') { +- out.write(' '); +- } else if (c == '%') { +- int c1 = Character.digit(s.charAt(++i), 16); +- int c2 = Character.digit(s.charAt(++i), 16); +- +- out.write((char) (c1 * 16 + c2)); +- } else { +- out.write(c); +- } +- } // end for +- return out.toString(); +- } +- +- private void setDefaultSlotAndKeyName(HttpServletRequest req) { +- try { +- +- String keySet = req.getParameter(IRemoteRequest.TOKEN_KEYSET); +- if (keySet == null || keySet.equals("")) { +- keySet = "defKeySet"; +- } +- CMS.debug("keySet selected: " + keySet); +- +- String masterKeyPrefix = CMS.getConfigStore().getString("tks.master_key_prefix", null); +- String temp = req.getParameter(IRemoteRequest.TOKEN_KEYINFO); //#xx#xx +- String keyInfoMap = "tks." + keySet + ".mk_mappings." + temp; +- String mappingValue = CMS.getConfigStore().getString(keyInfoMap, null); +- if (mappingValue != null) { +- StringTokenizer st = new StringTokenizer(mappingValue, ":"); +- int tokenNumber = 0; +- while (st.hasMoreTokens()) { +- +- String currentToken = st.nextToken(); +- if (tokenNumber == 1) +- mKeyNickName = currentToken; +- tokenNumber++; +- +- } +- } +- if (req.getParameter(IRemoteRequest.TOKEN_NEW_KEYINFO) != null) // for diversification +- { +- temp = req.getParameter(IRemoteRequest.TOKEN_NEW_KEYINFO); //#xx#xx +- String newKeyInfoMap = "tks." + keySet + ".mk_mappings." 
+ temp; +- String newMappingValue = CMS.getConfigStore().getString(newKeyInfoMap, null); +- if (newMappingValue != null) { +- StringTokenizer st = new StringTokenizer(newMappingValue, ":"); +- int tokenNumber = 0; +- while (st.hasMoreTokens()) { +- String currentToken = st.nextToken(); +- if (tokenNumber == 1) +- mNewKeyNickName = currentToken; +- tokenNumber++; +- +- } +- } +- } +- +- CMS.debug("Setting masteter keky prefix to: " + masterKeyPrefix); +- +- SecureChannelProtocol.setDefaultPrefix(masterKeyPrefix); +- /*SessionKey.SetDefaultPrefix(masterKeyPrefix);*/ +- +- } catch (Exception e) { +- e.printStackTrace(); +- CMS.debug("Exception in TokenServlet::setDefaultSlotAndKeyName"); +- } +- +- } +- +- // AC: KDF SPEC CHANGE - read new setting value from config file +- // (This value allows configuration of which master keys use the NIST SP800-108 KDF and which use the original KDF for backwards compatibility) +- // CAREFUL: Result returned may be negative due to java's lack of unsigned types. +- // Negative values need to be treated as higher key numbers than positive key numbers. +- private static byte read_setting_nistSP800_108KdfOnKeyVersion(String keySet) throws Exception { +- String nistSP800_108KdfOnKeyVersion_map = "tks." 
+ keySet + ".nistSP800-108KdfOnKeyVersion"; +- // KDF phase1: default to 00 +- String nistSP800_108KdfOnKeyVersion_value = +- CMS.getConfigStore().getString(nistSP800_108KdfOnKeyVersion_map, "00" /*null*/); +- short nistSP800_108KdfOnKeyVersion_short = 0; +- // if value does not exist in file +- if (nistSP800_108KdfOnKeyVersion_value == null) { +- // throw +- // (we want admins to pay attention to this configuration item rather than guessing for them) +- throw new Exception("Required configuration value \"" + nistSP800_108KdfOnKeyVersion_map +- + "\" missing from configuration file."); +- } +- // convert setting value (in ASCII-hex) to short +- try { +- nistSP800_108KdfOnKeyVersion_short = Short.parseShort(nistSP800_108KdfOnKeyVersion_value, 16); +- if ((nistSP800_108KdfOnKeyVersion_short < 0) || (nistSP800_108KdfOnKeyVersion_short > (short) 0x00FF)) { +- throw new Exception("Out of range."); +- } +- } catch (Throwable t) { +- throw new Exception("Configuration value \"" + nistSP800_108KdfOnKeyVersion_map +- + "\" is in incorrect format. " + +- "Correct format is \"" + nistSP800_108KdfOnKeyVersion_map +- + "=xx\" where xx is key version specified in ASCII-HEX format.", t); +- } +- // convert to byte (anything higher than 0x7F is represented as a negative) +- byte nistSP800_108KdfOnKeyVersion_byte = (byte) nistSP800_108KdfOnKeyVersion_short; +- return nistSP800_108KdfOnKeyVersion_byte; +- } +- +- // AC: KDF SPEC CHANGE - read new setting value from config file +- // (This value allows configuration of the NIST SP800-108 KDF: +- // If "true" we use the CUID parameter within the NIST SP800-108 KDF. +- // If "false" we use the KDD parameter within the NIST SP800-108 KDF. +- private static boolean read_setting_nistSP800_108KdfUseCuidAsKdd(String keySet) throws Exception { +- String setting_map = "tks." 
+ keySet + ".nistSP800-108KdfUseCuidAsKdd"; +- // KDF phase1: default to "false" +- String setting_str = +- CMS.getConfigStore().getString(setting_map, "false" /*null*/); +- boolean setting_boolean = false; +- // if value does not exist in file +- if (setting_str == null) { +- // throw +- // (we want admins to pay attention to this configuration item rather than guessing for them) +- throw new Exception("Required configuration value \"" + setting_map + "\" missing from configuration file."); +- } +- // convert setting value to boolean +- try { +- setting_boolean = Boolean.parseBoolean(setting_str); +- } catch (Throwable t) { +- throw new Exception("Configuration value \"" + setting_map +- + "\" is in incorrect format. Should be either \"true\" or \"false\".", t); +- } +- return setting_boolean; +- } +- +- // AC: KDF SPEC CHANGE - Audit logging helper functions. +- // Converts a byte array to an ASCII-hex string. +- // We implemented this ourselves rather than using this.pp.toHexArray() because +- // the team preferred CUID and KDD strings to be without ":" separators every byte. +- final char[] bytesToHex_hexArray = "0123456789ABCDEF".toCharArray(); +- +- private String bytesToHex(byte[] bytes) { +- char[] hexChars = new char[bytes.length * 2]; +- for (int i = 0; i < bytes.length; i++) { +- int thisChar = bytes[i] & 0x000000FF; +- hexChars[i * 2] = bytesToHex_hexArray[thisChar >>> 4]; // div 16 +- hexChars[i * 2 + 1] = bytesToHex_hexArray[thisChar & 0x0F]; +- } +- return new String(hexChars); +- } +- +- // AC: KDF SPEC CHANGE - Audit logging helper functions. +- // Safely converts a keyInfo byte array to a Key version hex string in the format: 0xa +- // Since key version is always the first byte, this function returns the unsigned hex string representation of parameter[0]. +- // Returns "null" if parameter is null. +- // Returns "invalid" if parameter.length < 1 +- private String log_string_from_keyInfo(byte[] xkeyInfo) { +- return (xkeyInfo == null) ? 
"null" : (xkeyInfo.length < 1 ? "invalid" : "0x" +- + Integer.toHexString((xkeyInfo[0]) & 0x000000FF)); +- } +- +- // AC: KDF SPEC CHANGE - Audit logging helper functions. +- // Safely converts a byte array containing specialDecoded information to an ASCII-hex string. +- // Parameters: +- // specialDecoded - byte array containing data. May be null. +- // Returns: +- // if specialDecoded is blank, returns "null" +- // if specialDecoded != null, returns +- private String log_string_from_specialDecoded_byte_array(byte[] specialDecoded) { +- if (specialDecoded == null) { +- return "null"; +- } else { +- return bytesToHex(specialDecoded); +- } +- } +- +- /* Compute Session Key for SCP02 +- * For simplicity compute just one session key,unless it is the DEK key case. +- */ +- +- private void processComputeSessionKeySCP02(HttpServletRequest req, HttpServletResponse resp) throws EBaseException { +- +- CMS.debug("TokenServlet.processComputeSessionKeySCP02 entering.."); +- String auditMessage = null; +- String errorMsg = ""; +- String badParams = ""; +- String transportKeyName = ""; +- boolean missingParam = false; +- String selectedToken = null; +- String keyNickName = null; +- byte[] drm_trans_wrapped_desKey = null; +- +- byte[] xKDD = null; +- byte nistSP800_108KdfOnKeyVersion = (byte) 0xff; +- boolean nistSP800_108KdfUseCuidAsKdd = false; +- +- IConfigStore sconfig = CMS.getConfigStore(); +- +- boolean isCryptoValidate = false; +- byte[] keyInfo, xCUID = null, session_key = null; +- +- Exception missingSettingException = null; +- +- String rCUID = req.getParameter(IRemoteRequest.TOKEN_CUID); +- +- String rKDD = req.getParameter(IRemoteRequest.TOKEN_KDD); +- +- String rKeyInfo = req.getParameter(IRemoteRequest.TOKEN_KEYINFO); +- +- if ((rKeyInfo == null) || (rKeyInfo.equals(""))) { +- badParams += " KeyInfo,"; +- CMS.debug("TokenServlet: processComputeSessionKeySCP02(): missing request parameter: key info"); +- missingParam = true; +- } +- +- keyInfo = 
com.netscape.cmsutil.util.Utils.SpecialDecode(rKeyInfo); +- +- String keySet = req.getParameter(IRemoteRequest.TOKEN_KEYSET); +- +- if (keySet == null || keySet.equals("")) { +- keySet = "defKeySet"; +- } +- CMS.debug("TokenServlet.processComputeSessionKeySCP02: keySet selected: " + keySet + " keyInfo: " + rKeyInfo); +- +- boolean serversideKeygen = false; +- +- String rDerivationConstant = req.getParameter(IRemoteRequest.DERIVATION_CONSTANT); +- String rSequenceCounter = req.getParameter(IRemoteRequest.SEQUENCE_COUNTER); +- +- if ((rDerivationConstant == null) || (rDerivationConstant.equals(""))) { +- badParams += " derivation_constant,"; +- CMS.debug("TokenServlet.processComputeSessionKeySCP02(): missing request parameter: derivation constant."); +- missingParam = true; +- } +- +- if ((rSequenceCounter == null) || (rSequenceCounter.equals(""))) { +- badParams += " sequence_counter,"; +- CMS.debug("TokenServlet.processComputeSessionKeySCP02(): missing request parameter: sequence counter."); +- missingParam = true; +- } +- +- SessionContext sContext = SessionContext.getContext(); +- +- String agentId = ""; +- if (sContext != null) { +- agentId = +- (String) sContext.get(SessionContext.USER_ID); +- } +- +- auditMessage = CMS.getLogMessage( +- AuditEvent.COMPUTE_SESSION_KEY_REQUEST, +- rCUID, +- rKDD, // AC: KDF SPEC CHANGE - Log both CUID and KDD. 
+- ILogger.SUCCESS, +- agentId); +- +- audit(auditMessage); +- +- if (!missingParam) { +- xCUID = com.netscape.cmsutil.util.Utils.SpecialDecode(rCUID); +- +- if (xCUID == null || xCUID.length != 10) { +- badParams += " CUID length,"; +- CMS.debug("TokenServlet.processCompureSessionKeySCP02: Invalid CUID length"); +- missingParam = true; +- } +- +- if ((rKDD == null) || (rKDD.length() == 0)) { +- CMS.debug("TokenServlet.processComputeSessionKeySCP02(): missing request parameter: KDD"); +- badParams += " KDD,"; +- missingParam = true; +- } +- +- xKDD = com.netscape.cmsutil.util.Utils.SpecialDecode(rKDD); +- if (xKDD == null || xKDD.length != 10) { +- badParams += " KDD length,"; +- CMS.debug("TokenServlet.processComputeSessionKeySCP02: Invalid KDD length"); +- missingParam = true; +- } +- +- keyInfo = com.netscape.cmsutil.util.Utils.SpecialDecode(rKeyInfo); +- if (keyInfo == null || keyInfo.length != 2) { +- badParams += " KeyInfo length,"; +- CMS.debug("TokenServlet.processComputeSessionKeySCP02: Invalid key info length."); +- missingParam = true; +- } +- +- try { +- nistSP800_108KdfOnKeyVersion = TokenServlet.read_setting_nistSP800_108KdfOnKeyVersion(keySet); +- nistSP800_108KdfUseCuidAsKdd = TokenServlet.read_setting_nistSP800_108KdfUseCuidAsKdd(keySet); +- +- // log settings read in to debug log along with xkeyInfo +- CMS.debug("TokenServlet: ComputeSessionKeySCP02(): keyInfo[0] = 0x" +- + Integer.toHexString((keyInfo[0]) & 0x0000000FF) +- + ", xkeyInfo[1] = 0x" +- + Integer.toHexString((keyInfo[1]) & 0x0000000FF) +- ); +- CMS.debug("TokenServlet: ComputeSessionKeySCP02(): Nist SP800-108 KDF will be used for key versions >= 0x" +- + Integer.toHexString((nistSP800_108KdfOnKeyVersion) & 0x0000000FF) +- ); +- if (nistSP800_108KdfUseCuidAsKdd == true) { +- CMS.debug("TokenServlet: ComputeSessionKeySCP02(): Nist SP800-108 KDF (if used) will use CUID instead of KDD."); +- } else { +- CMS.debug("TokenServlet: ComputeSessionKeySCP02(): Nist SP800-108 KDF (if used) will 
use KDD.");
+- }
+- // conform to the set-an-error-flag mentality
+- } catch (Exception e) {
+- missingSettingException = e;
+- CMS.debug("TokenServlet: ComputeSessionKeySCP02(): Exception reading Nist SP800-108 KDF config values: "
+- + e.toString());
+- }
+-
+- }
+-
+- String keyInfoMap = "tks." + keySet + ".mk_mappings." + rKeyInfo; //#xx#xx
+- String mappingValue = CMS.getConfigStore().getString(keyInfoMap, null);
+- if (mappingValue == null) {
+- selectedToken =
+- CMS.getConfigStore().getString("tks.defaultSlot", CryptoUtil.INTERNAL_TOKEN_NAME);
+- keyNickName = rKeyInfo;
+- } else {
+- StringTokenizer st = new StringTokenizer(mappingValue, ":");
+- if (st.hasMoreTokens())
+- selectedToken = st.nextToken();
+- if (st.hasMoreTokens())
+- keyNickName = st.nextToken();
+- }
+-
+- keyInfoMap = "tks." + keySet + ".mk_mappings." + rKeyInfo; //#xx#xx
+- try {
+- mappingValue = CMS.getConfigStore().getString(keyInfoMap, null);
+- } catch (EBaseException e1) {
+-
+- e1.printStackTrace();
+- }
+- if (mappingValue == null) {
+- try {
+- selectedToken =
+- CMS.getConfigStore().getString("tks.defaultSlot", CryptoUtil.INTERNAL_TOKEN_NAME);
+- } catch (EBaseException e) {
+-
+- e.printStackTrace();
+- }
+- keyNickName = rKeyInfo;
+- } else {
+- StringTokenizer st = new StringTokenizer(mappingValue, ":");
+- if (st.hasMoreTokens())
+- selectedToken = st.nextToken();
+- if (st.hasMoreTokens())
+- keyNickName = st.nextToken();
+- }
+-
+- CMS.debug("TokenServlet: processComputeSessionKeySCP02(): final keyNickname: " + keyNickName);
+- String useSoftToken_s = null;
+- try {
+- useSoftToken_s = CMS.getConfigStore().getString("tks.useSoftToken", "true");
+- } catch (EBaseException e1) {
+- // TODO Auto-generated catch block
+- e1.printStackTrace();
+- }
+- if (!useSoftToken_s.equalsIgnoreCase("true"))
+- useSoftToken_s = "false";
+-
+- String rServersideKeygen = req.getParameter(IRemoteRequest.SERVER_SIDE_KEYGEN);
+- if (rServersideKeygen.equals("true")) {
+-
CMS.debug("TokenServlet.processComputeSessionKeySCP02: serversideKeygen requested");
+- serversideKeygen = true;
+- } else {
+- CMS.debug("TokenServlet.processComputeSessionKeySCP02: serversideKeygen not requested");
+- }
+-
+- transportKeyName = null;
+- try {
+- transportKeyName = getSharedSecretName(sconfig);
+- } catch (EBaseException e1) {
+- // TODO Auto-generated catch block
+- e1.printStackTrace();
+- CMS.debug("TokenServlet.processComputeSessionKeySCP02: Can't find transport key name!");
+-
+- }
+-
+- CMS.debug("TokenServlet: processComputeSessionKeySCP02(): tksSharedSymKeyName: " + transportKeyName);
+-
+- try {
+- isCryptoValidate = sconfig.getBoolean("cardcryptogram.validate.enable", true);
+- } catch (EBaseException eee) {
+- }
+-
+- byte macKeyArray[] = null;
+- byte sequenceCounter[] = null;
+- byte derivationConstant[] = null;
+-
+- boolean errorFound = false;
+-
+- String dek_wrapped_desKeyString = null;
+- String keycheck_s = null;
+-
+- if (selectedToken != null && keyNickName != null && transportKeyName != null && missingSettingException == null) {
+- try {
+- macKeyArray = com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks."
+- + keySet + ".mac_key"));
+-
+- sequenceCounter = com.netscape.cmsutil.util.Utils.SpecialDecode(rSequenceCounter);
+- derivationConstant = com.netscape.cmsutil.util.Utils.SpecialDecode(rDerivationConstant);
+-
+- //Use old style for the moment.
+- //ToDo: We need to use the nistXP800 params we have collected and send them down to symkey
+- //Perform in next ticket to fully implement nistXP800
+-
+- session_key = SessionKey.ComputeSessionKeySCP02(
+- selectedToken, keyNickName,
+- keyInfo,
+- nistSP800_108KdfOnKeyVersion, // AC: KDF SPEC CHANGE - pass in configuration file value
+- nistSP800_108KdfUseCuidAsKdd, xCUID, xKDD, macKeyArray, sequenceCounter, derivationConstant,
+- useSoftToken_s, keySet,
+- transportKeyName);
+-
+- if (session_key == null) {
+- CMS.debug("TokenServlet.computeSessionKeySCP02:Tried ComputeSessionKey, got NULL ");
+- throw new EBaseException("Can't compute session key for SCP02!");
+-
+- }
+-
+- //Only do this for the dekSessionKey and if we are in the server side keygen case.
+- if (derivationConstant[0] == DEKDerivationConstant[0]
+- && derivationConstant[1] == DEKDerivationConstant[1] && serversideKeygen == true) {
+-
+- CMS.debug("TokenServlet.computeSessionKeySCP02: We have the server side keygen case while generating the dek session key, wrap and return symkeys for the drm and token.");
+-
+- /**
+- * 0. generate des key
+- * 1. encrypt des key with dek key
+- * 2. encrypt des key with DRM transport key
+- * These two wrapped items are to be sent back to
+- * TPS. 
2nd item is to DRM
+- **/
+-
+- PK11SymKey desKey = null;
+- PK11SymKey dekKey = null;
+-
+- /*generate it on whichever token the master key is at*/
+- if (useSoftToken_s.equals("true")) {
+- CMS.debug("TokenServlet.computeSessionKeySCP02: key encryption key generated on internal");
+-
+- desKey = SessionKey.GenerateSymkey(CryptoUtil.INTERNAL_TOKEN_NAME);
+-
+- } else {
+- CMS.debug("TokenServlet.computeSessionKeySCP02: key encryption key generated on "
+- + selectedToken);
+- desKey = SessionKey.GenerateSymkey(selectedToken);
+- }
+- if (desKey != null)
+- CMS.debug("TokenServlet.computeSessionKeySCP02: key encryption key generated for " + rCUID);
+- else {
+- CMS.debug("TokenServlet.computeSessionKeySCP02: key encryption key generation failed for "
+- + rCUID);
+- throw new EBaseException(
+- "TokenServlet.computeSessionKeySCP02: can't generate key encryption key");
+- }
+-
+- CryptoToken token = null;
+- if (useSoftToken_s.equals("true")) {
+- token = CryptoUtil.getCryptoToken(null);
+- } else {
+- token = CryptoUtil.getCryptoToken(selectedToken);
+- }
+-
+- //Now we have to create a sym key object for the wrapped session_key (dekKey)
+- // session_key wrapped by the shared Secret
+-
+- PK11SymKey sharedSecret = getSharedSecretKey();
+-
+- if (sharedSecret == null) {
+- throw new EBaseException(
+- "TokenServlet.computeSessionKeySCP02: Can't find share secret sym key!");
+- }
+-
+- dekKey = SessionKey.UnwrapSessionKeyWithSharedSecret(token.getName(), sharedSecret,
+- session_key);
+-
+- if (dekKey == null) {
+- throw new EBaseException(
+- "TokenServlet.computeSessionKeySCP02: Can't unwrap DEK key onto the token!");
+- }
+-
+- /*
+- * ECBencrypt actually takes the 24 byte DES2 key
+- * and discard the last 8 bytes before it encrypts. 
+- * This is done so that the applet can digest it
+- */
+- byte[] encDesKey =
+- SessionKey.ECBencrypt(dekKey,
+- desKey);
+-
+- if (encDesKey == null) {
+- throw new EBaseException("TokenServlet.computeSessionKeySCP02: Can't encrypt DEK key!");
+- }
+-
+- dek_wrapped_desKeyString =
+- com.netscape.cmsutil.util.Utils.SpecialEncode(encDesKey);
+-
+- byte[] keycheck =
+- SessionKey.ComputeKeyCheck(desKey);
+-
+- if (keycheck == null) {
+- throw new EBaseException(
+- "TokenServlet.computeSessionKeySCP02: Can't compute key check for encrypted DEK key!");
+- }
+-
+- keycheck_s =
+- com.netscape.cmsutil.util.Utils.SpecialEncode(keycheck);
+-
+- //use DRM transport cert to wrap desKey
+- String drmTransNickname = CMS.getConfigStore().getString("tks.drm_transport_cert_nickname", "");
+-
+- if ((drmTransNickname == null) || (drmTransNickname == "")) {
+- CMS.debug("TokenServlet.computeSessionKeySCP02:did not find DRM transport certificate nickname");
+- throw new EBaseException("can't find DRM transport certificate nickname");
+- } else {
+- CMS.debug("TokenServlet.computeSessionKeySCP02:drmtransport_cert_nickname=" + drmTransNickname);
+- }
+-
+- X509Certificate drmTransCert = null;
+- drmTransCert = CryptoManager.getInstance().findCertByNickname(drmTransNickname);
+- // wrap kek session key with DRM transport public key
+-
+- PublicKey pubKey = drmTransCert.getPublicKey();
+- String pubKeyAlgo = pubKey.getAlgorithm();
+-
+- KeyWrapper keyWrapper = null;
+- //For wrapping symmetric keys don't need IV, use ECB
+- if (pubKeyAlgo.equals("EC")) {
+- keyWrapper = token.getKeyWrapper(KeyWrapAlgorithm.AES_ECB);
+- keyWrapper.initWrap(pubKey, null);
+- } else {
+- keyWrapper = token.getKeyWrapper(KeyWrapAlgorithm.RSA);
+- keyWrapper.initWrap(pubKey, null);
+- }
+-
+- drm_trans_wrapped_desKey = keyWrapper.wrap(desKey);
+- CMS.debug("computeSessionKey.computeSessionKeySCP02:desKey wrapped with drm transportation key.");
+-
+-
CMS.debug("computeSessionKey.computeSessionKeySCP02:desKey: Just unwrapped the dekKey onto the token to be wrapped on the way out.");
+-
+- }
+-
+- } catch (Exception e) {
+- CMS.debug("TokenServlet.computeSessionKeySCP02 Computing Session Key: " + e.toString());
+- errorFound = true;
+-
+- }
+-
+- }
+-
+- String status = "0";
+- String value = "";
+- String outputString = "";
+-
+- boolean statusDeclared = false;
+-
+- if (session_key != null && session_key.length > 0 && errorFound == false) {
+- outputString =
+- com.netscape.cmsutil.util.Utils.SpecialEncode(session_key);
+- } else {
+-
+- status = "1";
+- statusDeclared = true;
+- }
+-
+- if (selectedToken == null || keyNickName == null) {
+- if (!statusDeclared) {
+- status = "4";
+- statusDeclared = true;
+- }
+- }
+-
+- if (missingSettingException != null) {
+- if (!statusDeclared) {
+- status = "6";
+- statusDeclared = true;
+- }
+- }
+-
+- if (missingParam) {
+- status = "3";
+- }
+-
+- String drm_trans_wrapped_desKeyString = null;
+-
+- if (!status.equals("0")) {
+- if (status.equals("1")) {
+- errorMsg = "Problem generating session key info.";
+- }
+-
+- if (status.equals("4")) {
+- errorMsg = "Problem obtaining token information.";
+- }
+-
+- if (status.equals("3")) {
+- if (badParams.endsWith(",")) {
+- badParams = badParams.substring(0, badParams.length() - 1);
+- }
+- errorMsg = "Missing input parameters :" + badParams;
+- }
+-
+- if (status.equals("6")) {
+- errorMsg = "Problem reading required configuration value.";
+- }
+-
+- } else {
+-
+- if (serversideKeygen == true) {
+-
+- if (drm_trans_wrapped_desKey != null && drm_trans_wrapped_desKey.length > 0) {
+- drm_trans_wrapped_desKeyString =
+- com.netscape.cmsutil.util.Utils.SpecialEncode(drm_trans_wrapped_desKey);
+- }
+-
+- StringBuffer sb = new StringBuffer();
+- sb.append(IRemoteRequest.RESPONSE_STATUS + "=0&");
+- sb.append(IRemoteRequest.TKS_RESPONSE_SessionKey + "=");
+- sb.append(outputString);
+-
+- //Now add the trans wrapped des key
+-
+- if (drm_trans_wrapped_desKeyString != null) {
+- sb.append("&" + IRemoteRequest.TKS_RESPONSE_DRM_Trans_DesKey + "=");
+- sb.append(drm_trans_wrapped_desKeyString);
+- }
+-
+- if (dek_wrapped_desKeyString != null) {
+- sb.append("&" + IRemoteRequest.TKS_RESPONSE_KEK_DesKey + "=");
+- sb.append(dek_wrapped_desKeyString);
+- }
+-
+- if (keycheck_s != null) {
+- sb.append("&" + IRemoteRequest.TKS_RESPONSE_KeyCheck + "=");
+- sb.append(keycheck_s);
+- }
+-
+- value = sb.toString();
+- } else {
+- StringBuffer sb = new StringBuffer();
+- sb.append(IRemoteRequest.RESPONSE_STATUS + "=0&");
+- sb.append(IRemoteRequest.TKS_RESPONSE_SessionKey + "=");
+- sb.append(outputString);
+- value = sb.toString();
+- }
+-
+- }
+-
+- //CMS.debug("TokenServlet:outputString.encode " + value);
+-
+- try {
+- resp.setContentLength(value.length());
+- CMS.debug("TokenServlet:outputString.length " + value.length());
+- OutputStream ooss = resp.getOutputStream();
+- ooss.write(value.getBytes());
+- ooss.flush();
+- mRenderResult = false;
+- } catch (IOException e) {
+- CMS.debug("TokenServlet: " + e.toString());
+- }
+-
+- if (status.equals("0")) {
+-
+- String[] logParams = { log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded
+- log_string_from_specialDecoded_byte_array(xKDD), // KDD_decoded
+- ILogger.SUCCESS, // Outcome
+- status, // status
+- agentId, // AgentID
+- isCryptoValidate ? "true" : "false", // IsCryptoValidate
+- serversideKeygen ? 
"true" : "false", // IsServerSideKeygen
+- selectedToken, // SelectedToken
+- keyNickName, // KeyNickName
+- keySet, // TKSKeyset
+- log_string_from_keyInfo(keyInfo), // KeyInfo_KeyVersion
+- "0x" + Integer.toHexString(nistSP800_108KdfOnKeyVersion & 0x000000FF), // NistSP800_108KdfOnKeyVersion
+- Boolean.toString(nistSP800_108KdfUseCuidAsKdd) // NistSP800_108KdfUseCuidAsKdd
+- };
+- auditMessage = CMS.getLogMessage(AuditEvent.COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS,
+- logParams);
+-
+- } else {
+-
+- String[] logParams = { log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded
+- log_string_from_specialDecoded_byte_array(xKDD), // KDD_decoded
+- ILogger.FAILURE, // Outcome
+- status, // status
+- agentId, // AgentID
+- isCryptoValidate ? "true" : "false", // IsCryptoValidate
+- serversideKeygen ? "true" : "false", // IsServerSideKeygen
+- selectedToken, // SelectedToken
+- keyNickName, // KeyNickName
+- keySet, // TKSKeyset
+- log_string_from_keyInfo(keyInfo), // KeyInfo_KeyVersion
+- "0x" + Integer.toHexString(nistSP800_108KdfOnKeyVersion & 0x000000FF), // NistSP800_108KdfOnKeyVersion
+- Boolean.toString(nistSP800_108KdfUseCuidAsKdd), // NistSP800_108KdfUseCuidAsKdd
+- errorMsg // Error
+- };
+- auditMessage = CMS.getLogMessage(AuditEvent.COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,
+- logParams);
+- }
+-
+- audit(auditMessage);
+-
+- }
+-
+- private void processComputeSessionKey(HttpServletRequest req,
+- HttpServletResponse resp) throws EBaseException {
+- byte[] card_challenge, host_challenge, keyInfo, xCUID, session_key, xKDD; // AC: KDF SPEC CHANGE: removed duplicative 'CUID' variable and added xKDD
+-
+- // AC: KDF SPEC CHANGE - new config file values (needed for symkey)
+- byte nistSP800_108KdfOnKeyVersion = (byte) 0xff;
+- boolean nistSP800_108KdfUseCuidAsKdd = false;
+-
+- byte[] card_crypto, host_cryptogram, input_card_crypto;
+- byte[] xcard_challenge, xhost_challenge;
+- byte[] enc_session_key, xkeyInfo;
+- String auditMessage = 
null;
+- String errorMsg = "";
+- String badParams = "";
+- String transportKeyName = "";
+- String rCUID = req.getParameter(IRemoteRequest.TOKEN_CUID);
+-
+- // AC: KDF SPEC CHANGE - read new KDD parameter from TPS
+- String rKDD = req.getParameter("KDD");
+- if ((rKDD == null) || (rKDD.length() == 0)) {
+- // KDF phase1: default to rCUID if not present
+- CMS.debug("TokenServlet: KDD not supplied, set to CUID before TPS change");
+- rKDD = rCUID;
+- }
+-
+- String keySet = req.getParameter(IRemoteRequest.TOKEN_KEYSET);
+- if (keySet == null || keySet.equals("")) {
+- keySet = "defKeySet";
+- }
+- CMS.debug("keySet selected: " + keySet);
+-
+- boolean serversideKeygen = false;
+- byte[] drm_trans_wrapped_desKey = null;
+- SymmetricKey desKey = null;
+- // PK11SymKey kek_session_key;
+- SymmetricKey kek_key;
+-
+- IConfigStore sconfig = CMS.getConfigStore();
+- boolean isCryptoValidate = true;
+- boolean missingParam = false;
+-
+- // AC: KDF SPEC CHANGE - flag for if there is an error reading our new setting
+- Exception missingSetting_exception = null;
+-
+- session_key = null;
+- card_crypto = null;
+- host_cryptogram = null;
+- enc_session_key = null;
+- // kek_session_key = null;
+-
+- SessionContext sContext = SessionContext.getContext();
+-
+- String agentId = "";
+- if (sContext != null) {
+- agentId =
+- (String) sContext.get(SessionContext.USER_ID);
+- }
+-
+- // AC: KDF SPEC CHANGE: Need to log both KDD and CUID
+- auditMessage = CMS.getLogMessage(
+- AuditEvent.COMPUTE_SESSION_KEY_REQUEST,
+- rCUID,
+- rKDD, // AC: KDF SPEC CHANGE - Log both CUID and KDD.
+- ILogger.SUCCESS,
+- agentId);
+-
+- audit(auditMessage);
+-
+- String kek_wrapped_desKeyString = null;
+- String keycheck_s = null;
+-
+- CMS.debug("processComputeSessionKey:");
+- String useSoftToken_s = CMS.getConfigStore().getString("tks.useSoftToken", "true");
+- if (!useSoftToken_s.equalsIgnoreCase("true"))
+- useSoftToken_s = "false";
+-
+- String rServersideKeygen = req.getParameter(IRemoteRequest.SERVER_SIDE_KEYGEN);
+- if (rServersideKeygen.equals("true")) {
+- CMS.debug("TokenServlet: serversideKeygen requested");
+- serversideKeygen = true;
+- } else {
+- CMS.debug("TokenServlet: serversideKeygen not requested");
+- }
+-
+- try {
+- isCryptoValidate = sconfig.getBoolean("cardcryptogram.validate.enable", true);
+- } catch (EBaseException eee) {
+- }
+-
+- transportKeyName = getSharedSecretName(sconfig);
+-
+- String rcard_challenge = req.getParameter(IRemoteRequest.TOKEN_CARD_CHALLENGE);
+- String rhost_challenge = req.getParameter(IRemoteRequest.TOKEN_HOST_CHALLENGE);
+- String rKeyInfo = req.getParameter(IRemoteRequest.TOKEN_KEYINFO);
+- String rcard_cryptogram = req.getParameter(IRemoteRequest.TOKEN_CARD_CRYPTOGRAM);
+- if ((rCUID == null) || (rCUID.equals(""))) {
+- CMS.debug("TokenServlet: ComputeSessionKey(): missing request parameter: CUID");
+- badParams += " CUID,";
+- missingParam = true;
+- }
+-
+- // AC: KDF SPEC CHANGE - read new KDD parameter from TPS
+- if ((rKDD == null) || (rKDD.length() == 0)) {
+- CMS.debug("TokenServlet: ComputeSessionKey(): missing request parameter: KDD");
+- badParams += " KDD,";
+- missingParam = true;
+- }
+-
+- if ((rcard_challenge == null) || (rcard_challenge.equals(""))) {
+- badParams += " card_challenge,";
+- CMS.debug("TokenServlet: ComputeSessionKey(): missing request parameter: card challenge");
+- missingParam = true;
+- }
+-
+- if ((rhost_challenge == null) || (rhost_challenge.equals(""))) {
+- badParams += " host_challenge,";
+- CMS.debug("TokenServlet: ComputeSessionKey(): missing request parameter: 
host challenge");
+- missingParam = true;
+- }
+-
+- if ((rKeyInfo == null) || (rKeyInfo.equals(""))) {
+- badParams += " KeyInfo,";
+- CMS.debug("TokenServlet: ComputeSessionKey(): missing request parameter: key info");
+- missingParam = true;
+- }
+-
+- String selectedToken = null;
+- String keyNickName = null;
+- boolean sameCardCrypto = true;
+-
+- // AC: KDF SPEC CHANGE
+- xCUID = null; // avoid errors about non-initialization
+- xKDD = null; // avoid errors about non-initialization
+- xkeyInfo = null; // avoid errors about non-initialization
+-
+- if (!missingParam) {
+-
+- xCUID = com.netscape.cmsutil.util.Utils.SpecialDecode(rCUID);
+- if (xCUID == null || xCUID.length != 10) {
+- badParams += " CUID length,";
+- CMS.debug("TokenServlet: Invalid CUID length");
+- missingParam = true;
+- }
+-
+- // AC: KDF SPEC CHANGE - read new KDD parameter from TPS
+- xKDD = com.netscape.cmsutil.util.Utils.SpecialDecode(rKDD);
+- if (xKDD == null || xKDD.length != 10) {
+- badParams += " KDD length,";
+- CMS.debug("TokenServlet: Invalid KDD length");
+- missingParam = true;
+- }
+-
+- xkeyInfo = com.netscape.cmsutil.util.Utils.SpecialDecode(rKeyInfo);
+- if (xkeyInfo == null || xkeyInfo.length != 2) {
+- badParams += " KeyInfo length,";
+- CMS.debug("TokenServlet: Invalid key info length.");
+- missingParam = true;
+- }
+- xcard_challenge =
+- com.netscape.cmsutil.util.Utils.SpecialDecode(rcard_challenge);
+- if (xcard_challenge == null || xcard_challenge.length != 8) {
+- badParams += " card_challenge length,";
+- CMS.debug("TokenServlet: Invalid card challenge length.");
+- missingParam = true;
+- }
+-
+- xhost_challenge = com.netscape.cmsutil.util.Utils.SpecialDecode(rhost_challenge);
+- if (xhost_challenge == null || xhost_challenge.length != 8) {
+- badParams += " host_challenge length,";
+- CMS.debug("TokenServlet: Invalid host challenge length");
+- missingParam = true;
+- }
+-
+- }
+-
+- if (!missingParam) {
+- card_challenge =
+-
com.netscape.cmsutil.util.Utils.SpecialDecode(rcard_challenge);
+-
+- host_challenge = com.netscape.cmsutil.util.Utils.SpecialDecode(rhost_challenge);
+- keyInfo = com.netscape.cmsutil.util.Utils.SpecialDecode(rKeyInfo);
+-
+- // AC: KDF SPEC CHANGE - read new config file values (needed for symkey)
+- //ToDo: Will use these values after completing next ticket
+- try {
+- nistSP800_108KdfOnKeyVersion = TokenServlet.read_setting_nistSP800_108KdfOnKeyVersion(keySet);
+- nistSP800_108KdfUseCuidAsKdd = TokenServlet.read_setting_nistSP800_108KdfUseCuidAsKdd(keySet);
+-
+- // log settings read in to debug log along with xkeyInfo
+- CMS.debug("TokenServlet: ComputeSessionKey(): xkeyInfo[0] = 0x"
+- + Integer.toHexString((xkeyInfo[0]) & 0x0000000FF)
+- + ", xkeyInfo[1] = 0x"
+- + Integer.toHexString((xkeyInfo[1]) & 0x0000000FF)
+- );
+- CMS.debug("TokenServlet: ComputeSessionKey(): Nist SP800-108 KDF will be used for key versions >= 0x"
+- + Integer.toHexString((nistSP800_108KdfOnKeyVersion) & 0x0000000FF)
+- );
+- if (nistSP800_108KdfUseCuidAsKdd == true) {
+- CMS.debug("TokenServlet: ComputeSessionKey(): Nist SP800-108 KDF (if used) will use CUID instead of KDD.");
+- } else {
+- CMS.debug("TokenServlet: ComputeSessionKey(): Nist SP800-108 KDF (if used) will use KDD.");
+- }
+- // conform to the set-an-error-flag mentality
+- } catch (Exception e) {
+- missingSetting_exception = e;
+- CMS.debug("TokenServlet: ComputeSessionKey(): Exception reading Nist SP800-108 KDF config values: "
+- + e.toString());
+- }
+-
+- String keyInfoMap = "tks." + keySet + ".mk_mappings." 
+ rKeyInfo; //#xx#xx
+- String mappingValue = CMS.getConfigStore().getString(keyInfoMap, null);
+- if (mappingValue == null) {
+- selectedToken =
+- CMS.getConfigStore().getString("tks.defaultSlot", CryptoUtil.INTERNAL_TOKEN_NAME);
+- keyNickName = rKeyInfo;
+- } else {
+- StringTokenizer st = new StringTokenizer(mappingValue, ":");
+- if (st.hasMoreTokens())
+- selectedToken = st.nextToken();
+- if (st.hasMoreTokens())
+- keyNickName = st.nextToken();
+- }
+-
+- if (selectedToken != null && keyNickName != null
+- // AC: KDF SPEC CHANGE - check for error flag
+- && missingSetting_exception == null) {
+-
+- try {
+-
+- byte macKeyArray[] =
+- com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks."
+- + keySet + ".mac_key"));
+- CMS.debug("TokenServlet about to try ComputeSessionKey selectedToken="
+- + selectedToken + " keyNickName=" + keyNickName);
+-
+- SecureChannelProtocol protocol = new SecureChannelProtocol();
+- SymmetricKey macKey = protocol.computeSessionKey_SCP01(SecureChannelProtocol.macType,
+- selectedToken,
+- keyNickName, card_challenge,
+- host_challenge, keyInfo, nistSP800_108KdfOnKeyVersion, nistSP800_108KdfUseCuidAsKdd, xCUID,
+- xKDD, macKeyArray, useSoftToken_s, keySet, transportKeyName);
+-
+- session_key = protocol.wrapSessionKey(selectedToken, macKey, null);
+-
+- if (session_key == null) {
+- CMS.debug("TokenServlet:Tried ComputeSessionKey, got NULL ");
+- throw new Exception("Can't compute session key!");
+-
+- }
+-
+- byte encKeyArray[] =
+- com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks." 
+- + keySet + ".auth_key"));
+- SymmetricKey encKey = protocol.computeSessionKey_SCP01(SecureChannelProtocol.encType,
+- selectedToken,
+- keyNickName, card_challenge, host_challenge, keyInfo, nistSP800_108KdfOnKeyVersion,
+- nistSP800_108KdfUseCuidAsKdd, xCUID, xKDD, encKeyArray, useSoftToken_s, keySet,
+- transportKeyName);
+-
+- enc_session_key = protocol.wrapSessionKey(selectedToken, encKey, null);
+-
+- if (enc_session_key == null) {
+- CMS.debug("TokenServlet:Tried ComputeEncSessionKey, got NULL ");
+- throw new Exception("Can't compute enc session key!");
+-
+- }
+-
+- if (serversideKeygen == true) {
+-
+- /**
+- * 0. generate des key
+- * 1. encrypt des key with kek key
+- * 2. encrypt des key with DRM transport key
+- * These two wrapped items are to be sent back to
+- * TPS. 2nd item is to DRM
+- **/
+- CMS.debug("TokenServlet: calling ComputeKekKey");
+-
+- byte kekKeyArray[] =
+- com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks."
+- + keySet + ".kek_key"));
+-
+- kek_key = protocol.computeKEKKey_SCP01(selectedToken,
+- keyNickName,
+- keyInfo, nistSP800_108KdfOnKeyVersion, nistSP800_108KdfUseCuidAsKdd,
+- xCUID,
+- xKDD, kekKeyArray, useSoftToken_s, keySet, transportKeyName);
+-
+- CMS.debug("TokenServlet: called ComputeKekKey");
+-
+- if (kek_key == null) {
+- CMS.debug("TokenServlet:Tried ComputeKekKey, got NULL ");
+- throw new Exception("Can't compute kek key!");
+-
+- }
+- // now use kek key to wrap kek session key..
+- CMS.debug("computeSessionKey:kek key len =" +
+- kek_key.getLength());
+-
+- // (1) generate DES key
+- /* applet does not support DES3
+- org.mozilla.jss.crypto.KeyGenerator kg =
+- internalToken.getKeyGenerator(KeyGenAlgorithm.DES3);
+- desKey = kg.generate();*/
+-
+- /*
+- * GenerateSymkey firt generates a 16 byte DES2 key.
+- * It then pads it into a 24 byte key with last
+- * 8 bytes copied from the 1st 8 bytes. Effectively
+- * making it a 24 byte DES2 key. 
We need this for
+- * wrapping private keys on DRM.
+- */
+- /*generate it on whichever token the master key is at*/
+- if (useSoftToken_s.equals("true")) {
+- CMS.debug("TokenServlet: key encryption key generated on internal");
+- //cfu audit here? sym key gen
+-
+- desKey = protocol.generateSymKey(CryptoUtil.INTERNAL_TOKEN_NAME);
+- //cfu audit here? sym key gen done
+- } else {
+- CMS.debug("TokenServlet: key encryption key generated on " + selectedToken);
+- desKey = protocol.generateSymKey(selectedToken);
+- }
+- if (desKey != null) {
+- // AC: KDF SPEC CHANGE - Output using CUID and KDD
+- CMS.debug("TokenServlet: key encryption key generated for CUID=" +
+- trim(pp.toHexString(xCUID)) +
+- ", KDD=" +
+- trim(pp.toHexString(xKDD)));
+- } else {
+- // AC: KDF SPEC CHANGE - Output using CUID and KDD
+- CMS.debug("TokenServlet: key encryption key generation failed for CUID=" +
+- trim(pp.toHexString(xCUID)) +
+- ", KDD=" +
+- trim(pp.toHexString(xKDD)));
+-
+- throw new Exception("can't generate key encryption key");
+- }
+-
+- /*
+- * ECBencrypt actually takes the 24 byte DES2 key
+- * and discard the last 8 bytes before it encrypts. 
+- * This is done so that the applet can digest it
+- */
+-
+- byte[] encDesKey = protocol.ecbEncrypt(kek_key, desKey, selectedToken);
+-
+- /*
+- CMS.debug("computeSessionKey:encrypted desKey size = "+encDesKey.length);
+- CMS.debug(encDesKey);
+- */
+-
+- kek_wrapped_desKeyString =
+- com.netscape.cmsutil.util.Utils.SpecialEncode(encDesKey);
+-
+- // get keycheck
+-
+- byte[] keycheck = protocol.computeKeyCheck(desKey, selectedToken);
+- /*
+- CMS.debug("computeSessionKey:keycheck size = "+keycheck.length);
+- CMS.debug(keycheck);
+- */
+- keycheck_s =
+- com.netscape.cmsutil.util.Utils.SpecialEncode(keycheck);
+-
+- //use DRM transport cert to wrap desKey
+- String drmTransNickname = CMS.getConfigStore().getString("tks.drm_transport_cert_nickname", "");
+-
+- if ((drmTransNickname == null) || (drmTransNickname == "")) {
+- CMS.debug("TokenServlet:did not find DRM transport certificate nickname");
+- throw new Exception("can't find DRM transport certificate nickname");
+- } else {
+- CMS.debug("TokenServlet:drmtransport_cert_nickname=" + drmTransNickname);
+- }
+-
+- X509Certificate drmTransCert = null;
+- drmTransCert = CryptoManager.getInstance().findCertByNickname(drmTransNickname);
+- // wrap kek session key with DRM transport public key
+- CryptoToken token = null;
+- if (useSoftToken_s.equals("true")) {
+- token = CryptoUtil.getCryptoToken(null);
+- } else {
+- token = CryptoUtil.getCryptoToken(selectedToken);
+- }
+- PublicKey pubKey = drmTransCert.getPublicKey();
+- String pubKeyAlgo = pubKey.getAlgorithm();
+- CMS.debug("Transport Cert Key Algorithm: " + pubKeyAlgo);
+- KeyWrapper keyWrapper = null;
+- //For wrapping symmetric keys don't need IV, use ECB
+- if (pubKeyAlgo.equals("EC")) {
+- keyWrapper = token.getKeyWrapper(KeyWrapAlgorithm.AES_ECB);
+- keyWrapper.initWrap(pubKey, null);
+- } else {
+- keyWrapper = token.getKeyWrapper(KeyWrapAlgorithm.RSA);
+- keyWrapper.initWrap(pubKey, null);
+- }
+- CMS.debug("desKey token " + 
desKey.getOwningToken().getName() + " token: " + token.getName());
+- drm_trans_wrapped_desKey = keyWrapper.wrap(desKey);
+- CMS.debug("computeSessionKey:desKey wrapped with drm transportation key.");
+-
+- } // if (serversideKeygen == true)
+-
+- byte authKeyArray[] =
+- com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks."
+- + keySet + ".auth_key"));
+-
+- host_cryptogram = protocol.computeCryptogram_SCP01(selectedToken, keyNickName, card_challenge,
+- host_challenge,
+- xkeyInfo, nistSP800_108KdfOnKeyVersion, nistSP800_108KdfUseCuidAsKdd, xCUID, xKDD, SecureChannelProtocol.HOST_CRYPTOGRAM,
+- authKeyArray, useSoftToken_s, keySet, transportKeyName);
+-
+- if (host_cryptogram == null) {
+- CMS.debug("TokenServlet:Tried ComputeCryptogram, got NULL ");
+- throw new Exception("Can't compute host cryptogram!");
+-
+- }
+-
+- card_crypto = protocol.computeCryptogram_SCP01(selectedToken, keyNickName, card_challenge,
+- host_challenge, xkeyInfo, nistSP800_108KdfOnKeyVersion, nistSP800_108KdfUseCuidAsKdd,
+- xCUID, xKDD, SecureChannelProtocol.CARD_CRYPTOGRAM, authKeyArray, useSoftToken_s, keySet, transportKeyName);
+-
+- if (card_crypto == null) {
+- CMS.debug("TokenServlet:Tried ComputeCryptogram, got NULL ");
+- throw new Exception("Can't compute card cryptogram!");
+-
+- }
+-
+- if (isCryptoValidate) {
+- if (rcard_cryptogram == null) {
+- CMS.debug("TokenServlet: ComputeCryptogram(): missing card cryptogram");
+- throw new Exception("Missing card cryptogram");
+- }
+- input_card_crypto =
+- com.netscape.cmsutil.util.Utils.SpecialDecode(rcard_cryptogram);
+-
+- //SecureChannelProtocol.debugByteArray(input_card_crypto, "input_card_crypto");
+- //SecureChannelProtocol.debugByteArray(card_crypto, "card_crypto");
+-
+- if (card_crypto.length == input_card_crypto.length) {
+- for (int i = 0; i < card_crypto.length; i++) {
+- if (card_crypto[i] != input_card_crypto[i]) {
+- sameCardCrypto = false;
+- break;
+- }
+- }
+- } else {
+- // different length; must 
be different
+- sameCardCrypto = false;
+- }
+- }
+-
+- // AC: KDF SPEC CHANGE - print both KDD and CUID
+- CMS.getLogger().log(ILogger.EV_AUDIT,
+- ILogger.S_TKS,
+- ILogger.LL_INFO, "processComputeSessionKey for CUID=" +
+- trim(pp.toHexString(xCUID)) +
+- ", KDD=" +
+- trim(pp.toHexString(xKDD)));
+- } catch (Exception e) {
+- CMS.debug(e);
+- CMS.debug("TokenServlet Computing Session Key: " + e.toString());
+- if (isCryptoValidate)
+- sameCardCrypto = false;
+- }
+- }
+- } // ! missingParam
+-
+- String value = "";
+-
+- resp.setContentType("text/html");
+-
+- String outputString = "";
+- String encSessionKeyString = "";
+- String drm_trans_wrapped_desKeyString = "";
+- String cryptogram = "";
+- String status = "0";
+- if (session_key != null && session_key.length > 0) {
+- outputString =
+- com.netscape.cmsutil.util.Utils.SpecialEncode(session_key);
+- } else {
+-
+- status = "1";
+- }
+-
+- if (enc_session_key != null && enc_session_key.length > 0) {
+- encSessionKeyString =
+- com.netscape.cmsutil.util.Utils.SpecialEncode(enc_session_key);
+- } else {
+- status = "1";
+- }
+-
+- if (serversideKeygen == true) {
+- if (drm_trans_wrapped_desKey != null && drm_trans_wrapped_desKey.length > 0)
+- drm_trans_wrapped_desKeyString =
+- com.netscape.cmsutil.util.Utils.SpecialEncode(drm_trans_wrapped_desKey);
+- else {
+- status = "1";
+- }
+- }
+-
+- if (host_cryptogram != null && host_cryptogram.length > 0) {
+- cryptogram =
+- com.netscape.cmsutil.util.Utils.SpecialEncode(host_cryptogram);
+- } else {
+- // AC: Bugfix: Don't override status's value if an error was already flagged
+- if (status.equals("0") == true) {
+- status = "2";
+- }
+- }
+-
+- if (selectedToken == null || keyNickName == null) {
+- // AC: Bugfix: Don't override status's value if an error was already flagged
+- if (status.equals("0") == true) {
+- status = "4";
+- }
+- }
+-
+- if (!sameCardCrypto) {
+- // AC: Bugfix: Don't override status's value if an error was already flagged
+- if 
(status.equals("0") == true) {
+- // AC: Bugfix: Don't mis-represent host cryptogram mismatch errors as TPS parameter issues
+- status = "5";
+- }
+- }
+-
+- // AC: KDF SPEC CHANGE - check for settings file issue (flag)
+- if (missingSetting_exception != null) {
+- // AC: Intentionally override previous errors if config file settings were missing.
+- status = "6";
+- }
+-
+- if (missingParam) {
+- // AC: Intentionally override previous errors if parameters were missing.
+- status = "3";
+- }
+-
+- if (!status.equals("0")) {
+-
+- if (status.equals("1")) {
+- errorMsg = "Problem generating session key info.";
+- }
+-
+- if (status.equals("2")) {
+- errorMsg = "Problem creating host_cryptogram.";
+- }
+-
+- // AC: Bugfix: Don't mis-represent card cryptogram mismatch errors as TPS parameter issues
+- if (status.equals("5")) {
+- errorMsg = "Card cryptogram mismatch. Token likely has incorrect keys.";
+- }
+-
+- if (status.equals("4")) {
+- errorMsg = "Problem obtaining token information.";
+- }
+-
+- // AC: KDF SPEC CHANGE - handle missing configuration item
+- if (status.equals("6")) {
+- errorMsg = "Problem reading required configuration value.";
+- }
+-
+- if (status.equals("3")) {
+- if (badParams.endsWith(",")) {
+- badParams = badParams.substring(0, badParams.length() - 1);
+- }
+- errorMsg = "Missing input parameters :" + badParams;
+- }
+-
+- value = IRemoteRequest.RESPONSE_STATUS + "=" + status;
+- } else {
+- if (serversideKeygen == true) {
+- StringBuffer sb = new StringBuffer();
+- sb.append(IRemoteRequest.RESPONSE_STATUS + "=0&");
+- sb.append(IRemoteRequest.TKS_RESPONSE_SessionKey + "=");
+- sb.append(outputString);
+- sb.append("&" + IRemoteRequest.TKS_RESPONSE_HostCryptogram + "=");
+- sb.append(cryptogram);
+- sb.append("&" + IRemoteRequest.TKS_RESPONSE_EncSessionKey + "=");
+- sb.append(encSessionKeyString);
+- sb.append("&" + IRemoteRequest.TKS_RESPONSE_KEK_DesKey + "=");
+- sb.append(kek_wrapped_desKeyString);
+- sb.append("&" + 
IRemoteRequest.TKS_RESPONSE_KeyCheck + "="); +- sb.append(keycheck_s); +- sb.append("&" + IRemoteRequest.TKS_RESPONSE_DRM_Trans_DesKey + "="); +- sb.append(drm_trans_wrapped_desKeyString); +- value = sb.toString(); +- } else { +- +- StringBuffer sb = new StringBuffer(); +- sb.append(IRemoteRequest.RESPONSE_STATUS + "=0&"); +- sb.append(IRemoteRequest.TKS_RESPONSE_SessionKey + "="); +- sb.append(outputString); +- sb.append("&" + IRemoteRequest.TKS_RESPONSE_HostCryptogram + "="); +- sb.append(cryptogram); +- sb.append("&" + IRemoteRequest.TKS_RESPONSE_EncSessionKey + "="); +- sb.append(encSessionKeyString); +- value = sb.toString(); +- } +- +- } +- //CMS.debug("TokenServlet:outputString.encode " + value); +- +- try { +- resp.setContentLength(value.length()); +- CMS.debug("TokenServlet:outputString.length " + value.length()); +- OutputStream ooss = resp.getOutputStream(); +- ooss.write(value.getBytes()); +- ooss.flush(); +- mRenderResult = false; +- } catch (IOException e) { +- CMS.debug("TokenServlet: " + e.toString()); +- } +- +- if (status.equals("0")) { +- // AC: KDF SPEC CHANGE - Log both CUID and KDD. +- // Also added TKSKeyset, KeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd +- // Finally, log CUID and KDD in ASCII-HEX format, as long as special-decoded version is available. +- String[] logParams = { log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded +- log_string_from_specialDecoded_byte_array(xKDD), // KDD_decoded +- ILogger.SUCCESS, // Outcome +- status, // status +- agentId, // AgentID +- isCryptoValidate ? "true" : "false", // IsCryptoValidate +- serversideKeygen ? 
"true" : "false", // IsServerSideKeygen +- selectedToken, // SelectedToken +- keyNickName, // KeyNickName +- keySet, // TKSKeyset +- log_string_from_keyInfo(xkeyInfo), // KeyInfo_KeyVersion +- "0x" + Integer.toHexString(nistSP800_108KdfOnKeyVersion & 0x000000FF), // NistSP800_108KdfOnKeyVersion +- Boolean.toString(nistSP800_108KdfUseCuidAsKdd) // NistSP800_108KdfUseCuidAsKdd +- }; +- auditMessage = CMS.getLogMessage(AuditEvent.COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, +- logParams); +- +- } else { +- // AC: KDF SPEC CHANGE - Log both CUID and KDD +- // Also added TKSKeyset, KeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd +- // Finally, log CUID and KDD in ASCII-HEX format, as long as special-decoded version is available. +- String[] logParams = { log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded +- log_string_from_specialDecoded_byte_array(xKDD), // KDD_decoded +- ILogger.FAILURE, // Outcome +- status, // status +- agentId, // AgentID +- isCryptoValidate ? "true" : "false", // IsCryptoValidate +- serversideKeygen ? "true" : "false", // IsServerSideKeygen +- selectedToken, // SelectedToken +- keyNickName, // KeyNickName +- keySet, // TKSKeyset +- log_string_from_keyInfo(xkeyInfo), // KeyInfo_KeyVersion +- "0x" + Integer.toHexString(nistSP800_108KdfOnKeyVersion & 0x000000FF), // NistSP800_108KdfOnKeyVersion +- Boolean.toString(nistSP800_108KdfUseCuidAsKdd), // NistSP800_108KdfUseCuidAsKdd +- errorMsg // Error +- }; +- auditMessage = CMS.getLogMessage(AuditEvent.COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE, +- logParams); +- +- } +- +- audit(auditMessage); +- } +- +- // This method will return the shared secret name. In new 10.1 subsystems, this +- // name will be stored in tps.X.nickname. +- // +- // Until multiple TKS/TPS connections is fully supported, this method will just +- // return the first shared secret nickname found, on the assumption that only +- // one nickname will be configured. 
This will have to be changed to return the correct +- // key based on some parameter in the request in future. +- // +- // On legacy systems, this method just returns what was previously returned. +- private String getSharedSecretName(IConfigStore cs) throws EBaseException { +- boolean useNewNames = cs.getBoolean("tks.useNewSharedSecretNames", false); +- +- if (useNewNames) { +- String tpsList = cs.getString("tps.list", ""); +- String firstSharedSecretName = null; +- if (!tpsList.isEmpty()) { +- for (String tpsID : tpsList.split(",")) { +- String sharedSecretName = cs.getString("tps." + tpsID + ".nickname", ""); +- +- // This one will be a fall back in case we can't get a specific one +- if (firstSharedSecretName == null) { +- firstSharedSecretName = sharedSecretName; +- } +- +- if (!sharedSecretName.isEmpty()) { +- if (mCurrentUID != null) { +- String csUid = cs.getString("tps." + tpsID + ".userid", ""); +- +- if (mCurrentUID.equalsIgnoreCase(csUid)) { +- CMS.debug("TokenServlet.getSharedSecretName: found a match of the user id! " + csUid); +- return sharedSecretName; +- } +- } +- } +- } +- +- if (firstSharedSecretName != null) { +- //Return the first in the list if we couldn't isolate one +- return firstSharedSecretName; +- } +- } +- CMS.debug("getSharedSecretName: no shared secret has been configured"); +- throw new EBaseException("No shared secret has been configured"); +- } +- +- // legacy system - return as before +- return cs.getString("tks.tksSharedSymKeyName", TRANSPORT_KEY_NAME); +- } +- +- //Accepts protocol param and supports scp03. +- private void processDiversifyKey(HttpServletRequest req, +- HttpServletResponse resp) throws EBaseException { +- +- String method = "TokenServlet.processDiversifyKey: "; +- byte[] KeySetData, xCUID, xKDD; // AC: KDF SPEC CHANGE: removed duplicative 'CUID' variable and added xKDD +- +- // AC: BUGFIX: Record the actual parameters to DiversifyKey in the audit log. 
+- String oldKeyNickName = null; +- String newKeyNickName = null; +- +- // AC: KDF SPEC CHANGE - new config file values (needed for symkey) +- byte nistSP800_108KdfOnKeyVersion = (byte) 0xff; +- boolean nistSP800_108KdfUseCuidAsKdd = false; +- +- // AC: BUGFIX for key versions higher than 09: We need to initialize these variables in order for the compiler not to complain when we pass them to DiversifyKey. +- byte[] xkeyInfo = null, xnewkeyInfo = null; +- +- // AC: KDF SPEC CHANGE - flag for if there is an error reading our new setting +- Exception missingSetting_exception = null; +- +- boolean missingParam = false; +- String errorMsg = ""; +- String badParams = ""; +- byte[] xWrappedDekKey = null; +- +- IConfigStore sconfig = CMS.getConfigStore(); +- String rnewKeyInfo = req.getParameter(IRemoteRequest.TOKEN_NEW_KEYINFO); +- String newMasterKeyName = req.getParameter(IRemoteRequest.TOKEN_NEW_KEYINFO); +- String oldMasterKeyName = req.getParameter(IRemoteRequest.TOKEN_KEYINFO); +- String rCUID = req.getParameter(IRemoteRequest.TOKEN_CUID); +- +- // AC: KDF SPEC CHANGE - read new KDD parameter from TPS +- String rKDD = req.getParameter("KDD"); +- if ((rKDD == null) || (rKDD.length() == 0)) { +- // temporarily make it friendly before TPS change +- CMS.debug("TokenServlet: KDD not supplied, set to CUID before TPS change"); +- rKDD = rCUID; +- } +- +- String rProtocol = req.getParameter(IRemoteRequest.CHANNEL_PROTOCOL); +- String rWrappedDekKey = req.getParameter(IRemoteRequest.WRAPPED_DEK_SESSION_KEY); +- +- CMS.debug(method + "rWrappedDekKey: " + rWrappedDekKey); +- +- int protocol = 1; +- String auditMessage = ""; +- +- String keySet = req.getParameter(IRemoteRequest.TOKEN_KEYSET); +- if (keySet == null || keySet.equals("")) { +- keySet = "defKeySet"; +- } +- CMS.debug("keySet selected: " + keySet); +- +- SessionContext sContext = SessionContext.getContext(); +- +- String agentId = ""; +- if (sContext != null) { +- agentId = +- (String) 
sContext.get(SessionContext.USER_ID); +- } +- +- // AC: KDF SPEC CHANGE: Need to log both KDD and CUID +- auditMessage = CMS.getLogMessage( +- AuditEvent.DIVERSIFY_KEY_REQUEST, +- rCUID, +- rKDD, // AC: KDF SPEC CHANGE - Log both CUID and KDD. +- ILogger.SUCCESS, +- agentId, +- oldMasterKeyName, +- newMasterKeyName); +- +- audit(auditMessage); +- +- if ((rCUID == null) || (rCUID.equals(""))) { +- badParams += " CUID,"; +- CMS.debug("TokenServlet: processDiversifyKey(): missing request parameter: CUID"); +- missingParam = true; +- } +- +- // AC: KDF SPEC CHANGE - read new KDD parameter from TPS +- if ((rKDD == null) || (rKDD.length() == 0)) { +- CMS.debug("TokenServlet: processDiversifyKey(): missing request parameter: KDD"); +- badParams += " KDD,"; +- missingParam = true; +- } +- +- if ((rnewKeyInfo == null) || (rnewKeyInfo.equals(""))) { +- badParams += " newKeyInfo,"; +- CMS.debug("TokenServlet: processDiversifyKey(): missing request parameter: newKeyInfo"); +- missingParam = true; +- } +- if ((oldMasterKeyName == null) || (oldMasterKeyName.equals(""))) { +- badParams += " KeyInfo,"; +- CMS.debug("TokenServlet: processDiversifyKey(): missing request parameter: KeyInfo"); +- missingParam = true; +- } +- +- // AC: KDF SPEC CHANGE +- xCUID = null; // avoid errors about non-initialization +- xKDD = null; // avoid errors about non-initialization +- xkeyInfo = null; // avoid errors about non-initialization +- xnewkeyInfo = null; // avoid errors about non-initialization +- +- if (!missingParam) { +- xkeyInfo = com.netscape.cmsutil.util.Utils.SpecialDecode(oldMasterKeyName); +- if (xkeyInfo == null || (xkeyInfo.length != 2 && xkeyInfo.length != 3)) { +- badParams += " KeyInfo length,"; +- CMS.debug("TokenServlet: Invalid key info length"); +- missingParam = true; +- } +- xnewkeyInfo = com.netscape.cmsutil.util.Utils.SpecialDecode(newMasterKeyName); +- if (xnewkeyInfo == null || (xnewkeyInfo.length != 2 && xnewkeyInfo.length != 3)) { +- badParams += " NewKeyInfo 
length,"; +- CMS.debug("TokenServlet: Invalid new key info length"); +- missingParam = true; +- } +- +- if (rProtocol != null) { +- try { +- protocol = Integer.parseInt(rProtocol); +- } catch (NumberFormatException e) { +- protocol = 1; +- } +- } +- CMS.debug("process DiversifyKey: protocol value: " + protocol); +- +- if (protocol == 2) { +- if ((rWrappedDekKey == null) || (rWrappedDekKey.equals(""))) { +- badParams += " WrappedDekKey,"; +- CMS.debug("TokenServlet: processDiversifyKey(): missing request parameter: WrappedDekKey, with SCP02."); +- missingParam = true; +- } else { +- +- CMS.debug("process DiversifyKey: wrappedDekKey value: " + rWrappedDekKey); +- xWrappedDekKey = com.netscape.cmsutil.util.Utils.SpecialDecode(rWrappedDekKey); +- } +- +- } +- } +- String useSoftToken_s = CMS.getConfigStore().getString("tks.useSoftToken", "true"); +- if (!useSoftToken_s.equalsIgnoreCase("true")) +- useSoftToken_s = "false"; +- +- KeySetData = null; +- if (!missingParam) { +- xCUID = com.netscape.cmsutil.util.Utils.SpecialDecode(rCUID); +- if (xCUID == null || xCUID.length != 10) { +- badParams += " CUID length,"; +- CMS.debug("TokenServlet: Invalid CUID length"); +- missingParam = true; +- } +- +- // AC: KDF SPEC CHANGE - read new KDD parameter from TPS +- xKDD = com.netscape.cmsutil.util.Utils.SpecialDecode(rKDD); +- if (xKDD == null || xKDD.length != 10) { +- badParams += " KDD length,"; +- CMS.debug("TokenServlet: Invalid KDD length"); +- missingParam = true; +- } +- } +- if (!missingParam) { +- // CUID = com.netscape.cmsutil.util.Utils.SpecialDecode(rCUID); // AC: KDF SPEC CHANGE: Removed duplicative variable/processing. 
+- +- // AC: KDF SPEC CHANGE - read new config file values (needed for symkey) +- +- //ToDo: Refactor this, this same block occurs several times in the file +- try { +- nistSP800_108KdfOnKeyVersion = TokenServlet.read_setting_nistSP800_108KdfOnKeyVersion(keySet); +- nistSP800_108KdfUseCuidAsKdd = TokenServlet.read_setting_nistSP800_108KdfUseCuidAsKdd(keySet); +- +- // log settings read in to debug log along with xkeyInfo and xnewkeyInfo +- CMS.debug("TokenServlet: processDiversifyKey(): xkeyInfo[0] (old) = 0x" +- + Integer.toHexString((xkeyInfo[0]) & 0x0000000FF) +- + ", xkeyInfo[1] (old) = 0x" +- + Integer.toHexString((xkeyInfo[1]) & 0x0000000FF) +- + ", xnewkeyInfo[0] = 0x" +- + Integer.toHexString((xnewkeyInfo[0]) & 0x000000FF) +- + ", xnewkeyInfo[1] = 0x" +- + Integer.toHexString((xnewkeyInfo[1]) & 0x000000FF) +- ); +- CMS.debug("TokenServlet: processDiversifyKey(): Nist SP800-108 KDF will be used for key versions >= 0x" +- + Integer.toHexString((nistSP800_108KdfOnKeyVersion) & 0x0000000FF) +- ); +- if (nistSP800_108KdfUseCuidAsKdd == true) { +- CMS.debug("TokenServlet: processDiversifyKey(): Nist SP800-108 KDF (if used) will use CUID instead of KDD."); +- } else { +- CMS.debug("TokenServlet: processDiversifyKey(): Nist SP800-108 KDF (if used) will use KDD."); +- } +- // conform to the set-an-error-flag mentality +- } catch (Exception e) { +- missingSetting_exception = e; +- CMS.debug("TokenServlet: processDiversifyKey(): Exception reading Nist SP800-108 KDF config values: " +- + e.toString()); +- } +- +- if (mKeyNickName != null) +- oldMasterKeyName = mKeyNickName; +- if (mNewKeyNickName != null) +- newMasterKeyName = mNewKeyNickName; +- +- String tokKeyInfo = req.getParameter(IRemoteRequest.TOKEN_KEYINFO); +- +- // Get the first 6 characters, since scp03 gives us extra characters. +- tokKeyInfo = tokKeyInfo.substring(0,6); +- String oldKeyInfoMap = "tks." + keySet + ".mk_mappings." 
+ tokKeyInfo; //#xx#xx +- CMS.debug(method + " oldKeyInfoMap: " + oldKeyInfoMap); +- String oldMappingValue = CMS.getConfigStore().getString(oldKeyInfoMap, null); +- String oldSelectedToken = null; +- if (oldMappingValue == null) { +- oldSelectedToken = CMS.getConfigStore().getString("tks.defaultSlot", CryptoUtil.INTERNAL_TOKEN_NAME); +- oldKeyNickName = req.getParameter(IRemoteRequest.TOKEN_KEYINFO); +- } else { +- StringTokenizer st = new StringTokenizer(oldMappingValue, ":"); +- oldSelectedToken = st.nextToken(); +- oldKeyNickName = st.nextToken(); +- } +- +- +- String newKeyInfoMap = "tks.mk_mappings." + rnewKeyInfo.substring(0,6); //#xx#xx +- CMS.debug(method + " newKeyInfoMap: " + newKeyInfoMap); +- String newMappingValue = CMS.getConfigStore().getString(newKeyInfoMap, null); +- String newSelectedToken = null; +- if (newMappingValue == null) { +- newSelectedToken = CMS.getConfigStore().getString("tks.defaultSlot", CryptoUtil.INTERNAL_TOKEN_NAME); +- newKeyNickName = rnewKeyInfo; +- } else { +- StringTokenizer st = new StringTokenizer(newMappingValue, ":"); +- newSelectedToken = st.nextToken(); +- newKeyNickName = st.nextToken(); +- } +- +- CMS.debug("process DiversifyKey for oldSelectedToke=" + +- oldSelectedToken + " newSelectedToken=" + newSelectedToken + +- " oldKeyNickName=" + oldKeyNickName + " newKeyNickName=" + +- newKeyNickName); +- +- byte kekKeyArray[] = getDeveKeyArray("kek_key", sconfig, keySet); +- byte macKeyArray[] = getDeveKeyArray("auth_key", sconfig, keySet); +- byte encKeyArray[] = getDeveKeyArray("mac_key", sconfig, keySet); +- +- // com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks." 
+ keySet + ".kek_key")); +- +- //GPParams for scp03 right now, reads some scp03 specific values from the config of a given keyset +- // passed down to the SecureChannelProtocol functions that deal with SCP03 +- +- GPParams gp3Params = readGPSettings(keySet); +- +- SecureChannelProtocol secProtocol = new SecureChannelProtocol(protocol); +- // AC: KDF SPEC CHANGE - check for error reading settings +- if (missingSetting_exception == null) { +- if (protocol == 1 || protocol == 3) { +- KeySetData = secProtocol.diversifyKey(oldSelectedToken, +- newSelectedToken, oldKeyNickName, +- newKeyNickName, +- xkeyInfo, // AC: KDF SPEC CHANGE - pass in old key info so symkey can make decision about which KDF version to use +- xnewkeyInfo, // AC: BUGFIX for key versions higher than 09: We need to specialDecode keyInfo parameters before sending them into symkey! This means the parameters must be byte[] +- nistSP800_108KdfOnKeyVersion, // AC: KDF SPEC CHANGE - pass in configuration file value +- nistSP800_108KdfUseCuidAsKdd, // AC: KDF SPEC CHANGE - pass in configuration file value +- xCUID, // AC: KDF SPEC CHANGE - removed duplicative 'CUID' variable and replaced with 'xCUID' +- xKDD, // AC: KDF SPEC CHANGE - pass in KDD so symkey can make decision about which value (KDD,CUID) to use +- kekKeyArray,encKeyArray,macKeyArray, useSoftToken_s, keySet, (byte) protocol,gp3Params); +- +- } else if (protocol == 2) { +- KeySetData = SessionKey.DiversifyKey(oldSelectedToken, newSelectedToken, oldKeyNickName, +- newKeyNickName, xkeyInfo, +- xnewkeyInfo, nistSP800_108KdfOnKeyVersion, nistSP800_108KdfUseCuidAsKdd, xCUID, xKDD, +- (protocol == 2) ? 
xWrappedDekKey : kekKeyArray, useSoftToken_s, keySet, (byte) protocol); +- } +- //SecureChannelProtocol.debugByteArray(KeySetData, " New keyset data: "); +- CMS.debug("TokenServlet.processDiversifyKey: New keyset data obtained"); +- +- if (KeySetData == null || KeySetData.length <= 1) { +- CMS.getLogger().log(ILogger.EV_AUDIT, +- ILogger.S_TKS, +- ILogger.LL_INFO, "process DiversifyKey: Missing MasterKey in Slot"); +- } +- +- CMS.getLogger().log(ILogger.EV_AUDIT, +- ILogger.S_TKS, +- ILogger.LL_INFO, +- "process DiversifyKey for CUID=" + +- trim(pp.toHexString(xCUID)) + // AC: KDF SPEC CHANGE: Log both CUID and KDD +- ", KDD=" + +- trim(pp.toHexString(xKDD)) +- + ";from oldMasterKeyName=" + oldSelectedToken + ":" + oldKeyNickName +- + ";to newMasterKeyName=" + newSelectedToken + ":" + newKeyNickName); +- +- resp.setContentType("text/html"); +- +- } // AC: KDF SPEC CHANGE - endif no error reading settings from settings file +- +- } // ! missingParam +- +- String value = ""; +- String status = "0"; +- +- if (KeySetData != null && KeySetData.length > 1) { +- value = IRemoteRequest.RESPONSE_STATUS + "=0&" + IRemoteRequest.TKS_RESPONSE_KeySetData + "=" + +- com.netscape.cmsutil.util.Utils.SpecialEncode(KeySetData); +- //CMS.debug("TokenServlet:process DiversifyKey.encode " + value); +- CMS.debug("TokenServlet:process DiversifyKey.encode returning KeySetData"); +- // AC: KDF SPEC CHANGE - check for settings file issue (flag) +- } else if (missingSetting_exception != null) { +- status = "6"; +- errorMsg = "Problem reading required configuration value."; +- value = "status=" + status; +- } else if (missingParam) { +- status = "3"; +- if (badParams.endsWith(",")) { +- badParams = badParams.substring(0, badParams.length() - 1); +- } +- errorMsg = "Missing input parameters: " + badParams; +- value = IRemoteRequest.RESPONSE_STATUS + "=" + status; +- } else { +- errorMsg = "Problem diversifying key data."; +- status = "1"; +- value = IRemoteRequest.RESPONSE_STATUS + "=" + 
status; +- } +- +- resp.setContentLength(value.length()); +- CMS.debug("TokenServlet:outputString.length " + value.length()); +- +- try { +- OutputStream ooss = resp.getOutputStream(); +- ooss.write(value.getBytes()); +- ooss.flush(); +- mRenderResult = false; +- } catch (Exception e) { +- CMS.debug("TokenServlet:process DiversifyKey: " + e.toString()); +- } +- +- if (status.equals("0")) { +- +- // AC: KDF SPEC CHANGE - Log both CUID and KDD +- // Also added TKSKeyset, OldKeyInfo_KeyVersion, NewKeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd +- // Finally, log CUID and KDD in ASCII-HEX format, as long as special-decoded version is available. +- String[] logParams = { log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded +- log_string_from_specialDecoded_byte_array(xKDD), // KDD_decoded +- ILogger.SUCCESS, // Outcome +- status, // status +- agentId, // AgentID +- +- // AC: BUGFIX: Record the actual parameters to DiversifyKey in the audit log. +- oldKeyNickName, // oldMasterKeyName +- newKeyNickName, // newMasterKeyName +- +- keySet, // TKSKeyset +- log_string_from_keyInfo(xkeyInfo), // OldKeyInfo_KeyVersion +- log_string_from_keyInfo(xnewkeyInfo), // NewKeyInfo_KeyVersion +- "0x" + Integer.toHexString(nistSP800_108KdfOnKeyVersion & 0x000000FF), // NistSP800_108KdfOnKeyVersion +- Boolean.toString(nistSP800_108KdfUseCuidAsKdd) // NistSP800_108KdfUseCuidAsKdd +- }; +- auditMessage = CMS.getLogMessage(AuditEvent.DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, logParams); +- } else { +- // AC: KDF SPEC CHANGE - Log both CUID and KDD +- // Also added TKSKeyset, OldKeyInfo_KeyVersion, NewKeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd +- // Finally, log CUID and KDD in ASCII-HEX format, as long as special-decoded version is available. 
+- String[] logParams = { log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded +- log_string_from_specialDecoded_byte_array(xKDD), // KDD_decoded +- ILogger.FAILURE, // Outcome +- status, // status +- agentId, // AgentID +- +- // AC: BUGFIX: Record the actual parameters to DiversifyKey in the audit log. +- oldKeyNickName, // oldMasterKeyName +- newKeyNickName, // newMasterKeyName +- +- keySet, // TKSKeyset +- log_string_from_keyInfo(xkeyInfo), // OldKeyInfo_KeyVersion +- log_string_from_keyInfo(xnewkeyInfo), // NewKeyInfo_KeyVersion +- "0x" + Integer.toHexString(nistSP800_108KdfOnKeyVersion & 0x000000FF), // NistSP800_108KdfOnKeyVersion +- Boolean.toString(nistSP800_108KdfUseCuidAsKdd), // NistSP800_108KdfUseCuidAsKdd +- errorMsg // Error +- }; +- auditMessage = CMS.getLogMessage(AuditEvent.DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE, logParams); +- } +- +- audit(auditMessage); +- } +- +- private void processEncryptData(HttpServletRequest req, +- HttpServletResponse resp) throws EBaseException { +- byte[] keyInfo, xCUID, encryptedData, xkeyInfo, xKDD; // AC: KDF SPEC CHANGE: removed duplicative 'CUID' variable and added xKDD +- +- // AC: KDF SPEC CHANGE - new config file values (needed for symkey) +- byte nistSP800_108KdfOnKeyVersion = (byte) 0xff; +- boolean nistSP800_108KdfUseCuidAsKdd = false; +- +- // AC: KDF SPEC CHANGE - flag for if there is an error reading our new setting +- Exception missingSetting_exception = null; +- +- boolean missingParam = false; +- byte[] data = null; +- boolean isRandom = true; // randomly generate the data to be encrypted +- +- String errorMsg = ""; +- String badParams = ""; +- IConfigStore sconfig = CMS.getConfigStore(); +- encryptedData = null; +- String rdata = req.getParameter(IRemoteRequest.TOKEN_DATA); +- String rKeyInfo = req.getParameter(IRemoteRequest.TOKEN_KEYINFO); +- String rCUID = req.getParameter(IRemoteRequest.TOKEN_CUID); +- +- String protocolValue = req.getParameter(IRemoteRequest.CHANNEL_PROTOCOL); +- +- 
// AC: KDF SPEC CHANGE - read new KDD parameter from TPS +- String rKDD = req.getParameter("KDD"); +- if ((rKDD == null) || (rKDD.length() == 0)) { +- // temporarily make it friendly before TPS change +- CMS.debug("TokenServlet: KDD not supplied, set to CUID before TPS change"); +- rKDD = rCUID; +- } +- +- String keySet = req.getParameter(IRemoteRequest.TOKEN_KEYSET); +- if (keySet == null || keySet.equals("")) { +- keySet = "defKeySet"; +- } +- +- SessionContext sContext = SessionContext.getContext(); +- +- String agentId = ""; +- if (sContext != null) { +- agentId = +- (String) sContext.get(SessionContext.USER_ID); +- } +- +- CMS.debug("keySet selected: " + keySet); +- +- String s_isRandom = sconfig.getString("tks.EncryptData.isRandom", "true"); +- if (s_isRandom.equalsIgnoreCase("false")) { +- CMS.debug("TokenServlet: processEncryptData(): Random number not to be generated"); +- isRandom = false; +- } else { +- CMS.debug("TokenServlet: processEncryptData(): Random number generation required"); +- isRandom = true; +- } +- +- // AC: KDF SPEC CHANGE: Need to log both KDD and CUID +- String auditMessage = CMS.getLogMessage( +- AuditEvent.ENCRYPT_DATA_REQUEST, +- rCUID, +- rKDD, // AC: KDF SPEC CHANGE - Log both CUID and KDD. +- ILogger.SUCCESS, +- agentId, +- s_isRandom); +- audit(auditMessage); +- +- GPParams gp3Params = readGPSettings(keySet); +- +- if (isRandom) { +- if ((rdata == null) || (rdata.equals(""))) { +- CMS.debug("TokenServlet: processEncryptData(): no data in request. Generating random number as data"); +- } else { +- CMS.debug("TokenServlet: processEncryptData(): contain data in request, however, random generation on TKS is required. 
Generating..."); +- } +- try { +- SecureRandom random = SecureRandom.getInstance("SHA1PRNG"); +- data = new byte[16]; +- random.nextBytes(data); +- } catch (Exception e) { +- CMS.debug("TokenServlet: processEncryptData():" + e.toString()); +- badParams += " Random Number,"; +- missingParam = true; +- } +- } else if ((!isRandom) && (((rdata == null) || (rdata.equals(""))))) { +- CMS.debug("TokenServlet: processEncryptData(): missing request parameter: data."); +- badParams += " data,"; +- missingParam = true; +- } +- +- if ((rCUID == null) || (rCUID.equals(""))) { +- badParams += " CUID,"; +- CMS.debug("TokenServlet: processEncryptData(): missing request parameter: CUID"); +- missingParam = true; +- } +- +- // AC: KDF SPEC CHANGE - read new KDD parameter from TPS +- if ((rKDD == null) || (rKDD.length() == 0)) { +- CMS.debug("TokenServlet: processDiversifyKey(): missing request parameter: KDD"); +- badParams += " KDD,"; +- missingParam = true; +- } +- +- if ((rKeyInfo == null) || (rKeyInfo.equals(""))) { +- badParams += " KeyInfo,"; +- CMS.debug("TokenServlet: processEncryptData(): missing request parameter: key info"); +- missingParam = true; +- } +- +- // AC: KDF SPEC CHANGE +- xCUID = null; // avoid errors about non-initialization +- xKDD = null; // avoid errors about non-initialization +- xkeyInfo = null; // avoid errors about non-initialization +- +- if (!missingParam) { +- xCUID = com.netscape.cmsutil.util.Utils.SpecialDecode(rCUID); +- if (xCUID == null || xCUID.length != 10) { +- badParams += " CUID length,"; +- CMS.debug("TokenServlet: Invalid CUID length"); +- missingParam = true; +- } +- +- // AC: KDF SPEC CHANGE - read new KDD parameter from TPS +- xKDD = com.netscape.cmsutil.util.Utils.SpecialDecode(rKDD); +- if (xKDD == null || xKDD.length != 10) { +- badParams += " KDD length,"; +- CMS.debug("TokenServlet: Invalid KDD length"); +- missingParam = true; +- } +- +- xkeyInfo = com.netscape.cmsutil.util.Utils.SpecialDecode(rKeyInfo); +- if (xkeyInfo == null 
|| (xkeyInfo.length != 2 && xkeyInfo.length != 3)) { +- badParams += " KeyInfo length,"; +- CMS.debug("TokenServlet: Invalid key info length"); +- missingParam = true; +- } +- } +- +- String useSoftToken_s = CMS.getConfigStore().getString("tks.useSoftToken", "true"); +- if (!useSoftToken_s.equalsIgnoreCase("true")) +- useSoftToken_s = "false"; +- +- String selectedToken = null; +- String keyNickName = null; +- if (!missingParam) { +- +- // AC: KDF SPEC CHANGE - read new config file values (needed for symkey +- try { +- nistSP800_108KdfOnKeyVersion = TokenServlet.read_setting_nistSP800_108KdfOnKeyVersion(keySet); +- nistSP800_108KdfUseCuidAsKdd = TokenServlet.read_setting_nistSP800_108KdfUseCuidAsKdd(keySet); +- +- // log settings read in to debug log along with xkeyInfo +- CMS.debug("TokenServlet: processEncryptData(): xkeyInfo[0] = 0x" +- + Integer.toHexString((xkeyInfo[0]) & 0x0000000FF) +- + ", xkeyInfo[1] = 0x" +- + Integer.toHexString((xkeyInfo[1]) & 0x0000000FF) +- ); +- CMS.debug("TokenServlet: processEncryptData(): Nist SP800-108 KDF will be used for key versions >= 0x" +- + Integer.toHexString((nistSP800_108KdfOnKeyVersion) & 0x0000000FF) +- ); +- if (nistSP800_108KdfUseCuidAsKdd == true) { +- CMS.debug("TokenServlet: processEncryptData(): Nist SP800-108 KDF (if used) will use CUID instead of KDD."); +- } else { +- CMS.debug("TokenServlet: processEncryptData(): Nist SP800-108 KDF (if used) will use KDD."); +- } +- // conform to the set-an-error-flag mentality +- } catch (Exception e) { +- missingSetting_exception = e; +- CMS.debug("TokenServlet: processEncryptData(): Exception reading Nist SP800-108 KDF config values: " +- + e.toString()); +- } +- +- if (!isRandom) +- data = com.netscape.cmsutil.util.Utils.SpecialDecode(rdata); +- keyInfo = com.netscape.cmsutil.util.Utils.SpecialDecode(rKeyInfo); +- +- String keyInfoMap = "tks." + keySet + ".mk_mappings." 
+ rKeyInfo.substring(0,6); +- String mappingValue = CMS.getConfigStore().getString(keyInfoMap, null); +- if (mappingValue == null) { +- selectedToken = CMS.getConfigStore().getString("tks.defaultSlot", CryptoUtil.INTERNAL_TOKEN_NAME); +- keyNickName = rKeyInfo; +- } else { +- StringTokenizer st = new StringTokenizer(mappingValue, ":"); +- selectedToken = st.nextToken(); +- keyNickName = st.nextToken(); +- } +- +- +- //calculate the protocol +- +- int protocolInt = SecureChannelProtocol.PROTOCOL_ONE; +- try +- { +- protocolInt = Integer.parseInt(protocolValue); +- } +- catch (NumberFormatException nfe) +- { +- protocolInt = SecureChannelProtocol.PROTOCOL_ONE; +- } +- +- CMS.debug( "TokenServerlet.encryptData: protocol input: " + protocolInt); +- +- //Check for reasonable sanity, leave room for future versions +- if(protocolInt <= 0 || protocolInt > 20) { +- CMS.debug( "TokenServerlet.encryptData: unfamliar protocl, assume default of 1."); +- protocolInt = 1; +- +- } +- +- byte kekKeyArray[] = +- com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks." 
+ keySet + ".kek_key")); +- // AC: KDF SPEC CHANGE - check for error reading settings +- if (missingSetting_exception == null) { +- +- +- SecureChannelProtocol protocol = new SecureChannelProtocol(protocolInt); +- +- if (protocolInt != SecureChannelProtocol.PROTOCOL_THREE) { +- +- encryptedData = protocol.encryptData( +- selectedToken, keyNickName, data, keyInfo, +- nistSP800_108KdfOnKeyVersion, // AC: KDF SPEC CHANGE - pass in configuration file value +- nistSP800_108KdfUseCuidAsKdd, // AC: KDF SPEC CHANGE - pass in configuration file value +- xCUID, // AC: KDF SPEC CHANGE - removed duplicative 'CUID' variable and replaced with 'xCUID' +- xKDD, // AC: KDF SPEC CHANGE - pass in KDD so symkey can make decision about which value (KDD,CUID) to use +- kekKeyArray, useSoftToken_s, keySet); +- +- } else { +- +- encryptedData = protocol.encryptData_SCP03(selectedToken, keyNickName, data, xkeyInfo, +- nistSP800_108KdfOnKeyVersion, nistSP800_108KdfUseCuidAsKdd, xCUID, xKDD, kekKeyArray, +- useSoftToken_s, keySet,gp3Params); +- +- } +- +- SecureChannelProtocol.debugByteArray(encryptedData, "New Encrypt Data: "); +- +- // AC: KDF SPEC CHANGE - Log both CUID and KDD +- +- CMS.getLogger().log(ILogger.EV_AUDIT, +- ILogger.S_TKS, +- ILogger.LL_INFO, "process EncryptData for CUID=" + +- trim(pp.toHexString(xCUID)) + +- ", KDD=" + +- trim(pp.toHexString(xKDD))); +- +- } // AC: KDF SPEC CHANGE - endif no error reading settings from settings file +- +- } // !missingParam +- +- resp.setContentType("text/html"); +- +- String value = ""; +- String status = "0"; +- if (encryptedData != null && encryptedData.length > 0) { +- // sending both the pre-encrypted and encrypted data back +- value = IRemoteRequest.RESPONSE_STATUS + "=0&" +- + IRemoteRequest.TOKEN_DATA + "=" + +- com.netscape.cmsutil.util.Utils.SpecialEncode(data) + +- "&" + IRemoteRequest.TKS_RESPONSE_EncryptedData + "=" + +- com.netscape.cmsutil.util.Utils.SpecialEncode(encryptedData); +- // AC: KDF SPEC CHANGE - check for 
settings file issue (flag) +- } else if (missingSetting_exception != null) { +- status = "6"; +- errorMsg = "Problem reading required configuration value."; +- value = "status=" + status; +- } else if (missingParam) { +- if (badParams.endsWith(",")) { +- badParams = badParams.substring(0, badParams.length() - 1); +- } +- errorMsg = "Missing input parameters: " + badParams; +- status = "3"; +- value = IRemoteRequest.RESPONSE_STATUS + "=" + status; +- } else { +- errorMsg = "Problem encrypting data."; +- status = "1"; +- value = IRemoteRequest.RESPONSE_STATUS + "=" + status; +- } +- +- //CMS.debug("TokenServlet:process EncryptData.encode " + value); +- +- try { +- resp.setContentLength(value.length()); +- CMS.debug("TokenServlet:outputString.lenght " + value.length()); +- +- OutputStream ooss = resp.getOutputStream(); +- ooss.write(value.getBytes()); +- ooss.flush(); +- mRenderResult = false; +- } catch (Exception e) { +- CMS.debug("TokenServlet: " + e.toString()); +- } +- +- if (status.equals("0")) { +- // AC: KDF SPEC CHANGE - Log both CUID and KDD +- // Also added TKSKeyset, KeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd +- // Finally, log CUID and KDD in ASCII-HEX format, as long as special-decoded version is available. 
+- String[] logParams = { log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded +- log_string_from_specialDecoded_byte_array(xKDD), // KDD_decoded +- ILogger.SUCCESS, // Outcome +- status, // status +- agentId, // AgentID +- s_isRandom, // isRandom +- selectedToken, // SelectedToken +- keyNickName, // KeyNickName +- keySet, // TKSKeyset +- log_string_from_keyInfo(xkeyInfo), // KeyInfo_KeyVersion +- "0x" + Integer.toHexString(nistSP800_108KdfOnKeyVersion & 0x000000FF), // NistSP800_108KdfOnKeyVersion +- Boolean.toString(nistSP800_108KdfUseCuidAsKdd) // NistSP800_108KdfUseCuidAsKdd +- }; +- auditMessage = CMS.getLogMessage(AuditEvent.ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS, logParams); +- } else { +- // AC: KDF SPEC CHANGE - Log both CUID and KDD +- // Also added TKSKeyset, KeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd +- // Finally, log CUID and KDD in ASCII-HEX format, as long as special-decoded version is available. +- String[] logParams = { log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded +- log_string_from_specialDecoded_byte_array(xKDD), // KDD_decoded +- ILogger.FAILURE, // Outcome +- status, // status +- agentId, // AgentID +- s_isRandom, // isRandom +- selectedToken, // SelectedToken +- keyNickName, // KeyNickName +- keySet, // TKSKeyset +- log_string_from_keyInfo(xkeyInfo), // KeyInfo_KeyVersion +- "0x" + Integer.toHexString(nistSP800_108KdfOnKeyVersion & 0x000000FF), // NistSP800_108KdfOnKeyVersion +- Boolean.toString(nistSP800_108KdfUseCuidAsKdd), // NistSP800_108KdfUseCuidAsKdd +- errorMsg // Error +- }; +- auditMessage = CMS.getLogMessage(AuditEvent.ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE, logParams); +- } +- +- audit(auditMessage); +- } +- +- /* +- * For EncryptData: +- * data=value1 +- * CUID=value2 // missing from RA +- * versionID=value3 // missing from RA +- * +- * For ComputeSession: +- * card_challenge=value1 +- * host_challenge=value2 +- +- * For DiversifyKey: +- * new_master_key_index 
+- * master_key_index +- */ +- +- private void processComputeRandomData(HttpServletRequest req, +- HttpServletResponse resp) throws EBaseException { +- +- byte[] randomData = null; +- String status = "0"; +- String errorMsg = ""; +- String badParams = ""; +- boolean missingParam = false; +- int dataSize = 0; +- +- CMS.debug("TokenServlet::processComputeRandomData"); +- +- SessionContext sContext = SessionContext.getContext(); +- +- String agentId = ""; +- if (sContext != null) { +- agentId = +- (String) sContext.get(SessionContext.USER_ID); +- } +- +- String sDataSize = req.getParameter(IRemoteRequest.TOKEN_DATA_NUM_BYTES); +- +- if (sDataSize == null || sDataSize.equals("")) { +- CMS.debug("TokenServlet::processComputeRandomData missing param dataNumBytes"); +- badParams += " Random Data size, "; +- missingParam = true; +- status = "1"; +- } else { +- try { +- dataSize = Integer.parseInt(sDataSize.trim()); +- } catch (NumberFormatException nfe) { +- CMS.debug("TokenServlet::processComputeRandomData invalid data size input!"); +- badParams += " Random Data size, "; +- missingParam = true; +- status = "1"; +- } +- +- } +- +- CMS.debug("TokenServlet::processComputeRandomData data size requested: " + dataSize); +- +- String auditMessage = CMS.getLogMessage( +- AuditEvent.COMPUTE_RANDOM_DATA_REQUEST, +- ILogger.SUCCESS, +- agentId); +- +- audit(auditMessage); +- +- if (!missingParam) { +- try { +- SecureRandom random = SecureRandom.getInstance("SHA1PRNG"); +- randomData = new byte[dataSize]; +- random.nextBytes(randomData); +- } catch (Exception e) { +- CMS.debug("TokenServlet::processComputeRandomData:" + e.toString()); +- errorMsg = "Can't generate random data!"; +- status = "2"; +- } +- } +- +- String randomDataOut = ""; +- if (status.equals("0")) { +- if (randomData != null && randomData.length == dataSize) { +- randomDataOut = +- com.netscape.cmsutil.util.Utils.SpecialEncode(randomData); +- } else { +- status = "2"; +- errorMsg = "Can't convert random data!"; +- } 
+- } +- +- if (status.equals("1") && missingParam) { +- +- if (badParams.endsWith(",")) { +- badParams = badParams.substring(0, badParams.length() - 1); +- } +- errorMsg = "Missing input parameters :" + badParams; +- } +- +- resp.setContentType("text/html"); +- String value = ""; +- +- value = IRemoteRequest.RESPONSE_STATUS + "=" + status; +- if (status.equals("0")) { +- value = value + "&" + IRemoteRequest.TKS_RESPONSE_RandomData + "=" + randomDataOut; +- } +- +- try { +- resp.setContentLength(value.length()); +- CMS.debug("TokenServler::processComputeRandomData :outputString.length " + value.length()); +- +- OutputStream ooss = resp.getOutputStream(); +- ooss.write(value.getBytes()); +- ooss.flush(); +- mRenderResult = false; +- } catch (Exception e) { +- CMS.debug("TokenServlet::processComputeRandomData " + e.toString()); +- } +- +- if (status.equals("0")) { +- auditMessage = CMS.getLogMessage( +- AuditEvent.COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS, +- ILogger.SUCCESS, +- status, +- agentId); +- } else { +- auditMessage = CMS.getLogMessage( +- AuditEvent.COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE, +- ILogger.FAILURE, +- status, +- agentId, +- errorMsg); +- } +- +- audit(auditMessage); +- } +- +- public void process(CMSRequest cmsReq) throws EBaseException { +- HttpServletRequest req = cmsReq.getHttpReq(); +- HttpServletResponse resp = cmsReq.getHttpResp(); +- +- IAuthToken authToken = authenticate(cmsReq); +- AuthzToken authzToken = null; +- +- mCurrentUID = (String) authToken.get(IAuthToken.UID) ; +- +- try { +- authzToken = authorize(mAclMethod, authToken, +- mAuthzResourceName, "execute"); +- } catch (Exception e) { +- } +- +- if (authzToken == null) { +- +- try { +- resp.setContentType("text/html"); +- String value = "unauthorized="; +- CMS.debug("TokenServlet: Unauthorized"); +- +- resp.setContentLength(value.length()); +- OutputStream ooss = resp.getOutputStream(); +- ooss.write(value.getBytes()); +- ooss.flush(); +- mRenderResult = false; +- } 
catch (Exception e) { +- CMS.debug("TokenServlet: " + e.toString()); +- } +- +- // cmsReq.setStatus(CMSRequest.UNAUTHORIZED); +- return; +- } +- +- String temp = req.getParameter(IRemoteRequest.TOKEN_CARD_CHALLENGE); +- String protocol = req.getParameter(IRemoteRequest.CHANNEL_PROTOCOL); +- String derivationConstant = req.getParameter(IRemoteRequest.DERIVATION_CONSTANT); +- //CMS.debug("Protocol: " + protocol + " temp: " + temp); +- +- setDefaultSlotAndKeyName(req); +- if (temp != null && protocol == null) { +- processComputeSessionKey(req, resp); +- } else if (req.getParameter(IRemoteRequest.TOKEN_DATA) != null) { +- processEncryptData(req, resp); +- } else if (req.getParameter(IRemoteRequest.TOKEN_NEW_KEYINFO) != null) { +- processDiversifyKey(req, resp); +- } else if (req.getParameter(IRemoteRequest.TOKEN_DATA_NUM_BYTES) != null) { +- processComputeRandomData(req, resp); +- } else if (protocol != null && protocol.contains("2") && (derivationConstant != null)) { +- //SCP02 compute one session key. +- processComputeSessionKeySCP02(req, resp); +- +- } else if (protocol != null && protocol.contains("3") ) { +- processComputeSessionKeysSCP03(req,resp); +- } else { +- throw new EBaseException("Process: Can't decide upon function to call!"); +- } +- } +- +- //Create all the session keys for scp03 at once and return. 
+- //ToDo: calcualte the optional rmac key +- private void processComputeSessionKeysSCP03(HttpServletRequest req, HttpServletResponse resp) throws EBaseException { +- String method = "processComputeSessionKeysSCP03:"; +- CMS.debug(method + " entering ..."); +- +- byte[] card_challenge, host_challenge, xCUID, xKDD; +- byte[] card_crypto, host_cryptogram, input_card_crypto; +- byte[] xcard_challenge, xhost_challenge; +- byte[] enc_session_key, xkeyInfo,mac_session_key, kek_session_key; +- String auditMessage = null; +- String errorMsg = ""; +- String badParams = ""; +- String transportKeyName = ""; +- String rCUID = req.getParameter(IRemoteRequest.TOKEN_CUID); +- +- String rKDD = req.getParameter("KDD"); +- if ((rKDD == null) || (rKDD.length() == 0)) { +- // KDF phase1: default to rCUID if not present +- CMS.debug("TokenServlet: KDD not supplied, set to CUID before TPS change"); +- rKDD = rCUID; +- } +- +- String keySet = req.getParameter(IRemoteRequest.TOKEN_KEYSET); +- if (keySet == null || keySet.equals("")) { +- keySet = "defKeySet"; +- } +- CMS.debug("keySet selected: " + keySet); +- +- GPParams gp3Params = readGPSettings(keySet); +- +- boolean serversideKeygen = false; +- +- IConfigStore sconfig = CMS.getConfigStore(); +- boolean isCryptoValidate = true; +- boolean missingParam = false; +- +- Exception missingSetting_exception = null; +- +- mac_session_key = null; +- kek_session_key = null; +- card_crypto = null; +- host_cryptogram = null; +- enc_session_key = null; +- +- SessionContext sContext = SessionContext.getContext(); +- +- String agentId = ""; +- if (sContext != null) { +- agentId = +- (String) sContext.get(SessionContext.USER_ID); +- } +- +- auditMessage = CMS.getLogMessage( +- AuditEvent.COMPUTE_SESSION_KEY_REQUEST, +- rCUID, +- rKDD, +- ILogger.SUCCESS, +- agentId); +- +- audit(auditMessage); +- +- String kek_wrapped_desKeyString = null; +- String keycheck_s = null; +- +- String useSoftToken_s = CMS.getConfigStore().getString("tks.useSoftToken", 
"true"); +- if (!useSoftToken_s.equalsIgnoreCase("true")) +- useSoftToken_s = "false"; +- +- CMS.debug(method + " useSoftToken: " + useSoftToken_s); +- +- String rServersideKeygen = req.getParameter(IRemoteRequest.SERVER_SIDE_KEYGEN); +- if (rServersideKeygen.equals("true")) { +- +- serversideKeygen = true; +- } +- +- CMS.debug(method + " serversideKeygen: " + serversideKeygen); +- +- try { +- isCryptoValidate = sconfig.getBoolean("cardcryptogram.validate.enable", true); +- } catch (EBaseException eee) { +- } +- +- CMS.debug(method + " Do crypto validation: " + isCryptoValidate); +- +- transportKeyName = getSharedSecretName(sconfig); +- +- String rcard_challenge = req.getParameter(IRemoteRequest.TOKEN_CARD_CHALLENGE); +- String rhost_challenge = req.getParameter(IRemoteRequest.TOKEN_HOST_CHALLENGE); +- String rKeyInfo = req.getParameter(IRemoteRequest.TOKEN_KEYINFO); +- String rcard_cryptogram = req.getParameter(IRemoteRequest.TOKEN_CARD_CRYPTOGRAM); +- +- if ((rCUID == null) || (rCUID.equals(""))) { +- CMS.debug(method + " missing request parameter: CUID"); +- badParams += " CUID,"; +- missingParam = true; +- } +- +- if ((rKDD == null) || (rKDD.length() == 0)) { +- CMS.debug(method + " missing request parameter: KDD"); +- badParams += " KDD,"; +- missingParam = true; +- } +- +- if ((rcard_challenge == null) || (rcard_challenge.equals(""))) { +- badParams += " card_challenge,"; +- CMS.debug(method + " missing request parameter: card challenge"); +- missingParam = true; +- } +- +- if ((rhost_challenge == null) || (rhost_challenge.equals(""))) { +- badParams += " host_challenge,"; +- CMS.debug(method + " missing request parameter: host challenge"); +- missingParam = true; +- } +- +- if ((rcard_cryptogram == null) || (rcard_cryptogram.equals(""))) { +- badParams += " card_cryptogram,"; +- CMS.debug(method + " missing request parameter: card_cryptogram"); +- missingParam = true; +- } +- +- if ((rKeyInfo == null) || (rKeyInfo.equals(""))) { +- badParams += " KeyInfo,"; 
+- CMS.debug(method + "missing request parameter: key info"); +- missingParam = true; +- } +- +- String selectedToken = null; +- String keyNickName = null; +- boolean sameCardCrypto = true; +- +- xCUID = null; +- xKDD = null; +- xkeyInfo = null; +- xcard_challenge = null; +- xhost_challenge = null; +- +- if (!missingParam) { +- xCUID = com.netscape.cmsutil.util.Utils.SpecialDecode(rCUID); +- if (xCUID == null || xCUID.length != 10) { +- badParams += " CUID length,"; +- CMS.debug("TokenServlet: Invalid CUID length"); +- missingParam = true; +- } +- +- xKDD = com.netscape.cmsutil.util.Utils.SpecialDecode(rKDD); +- if (xKDD == null || xKDD.length != 10) { +- badParams += " KDD length,"; +- CMS.debug("TokenServlet: Invalid KDD length"); +- missingParam = true; +- } +- +- xkeyInfo = com.netscape.cmsutil.util.Utils.SpecialDecode(rKeyInfo); +- if (xkeyInfo == null || xkeyInfo.length != 3) { +- badParams += " KeyInfo length,"; +- CMS.debug("TokenServlet: Invalid key info length."); +- missingParam = true; +- } +- xcard_challenge = +- com.netscape.cmsutil.util.Utils.SpecialDecode(rcard_challenge); +- if (xcard_challenge == null || xcard_challenge.length != 8) { +- badParams += " card_challenge length,"; +- CMS.debug("TokenServlet: Invalid card challenge length."); +- missingParam = true; +- } +- +- xhost_challenge = com.netscape.cmsutil.util.Utils.SpecialDecode(rhost_challenge); +- if (xhost_challenge == null || xhost_challenge.length != 8) { +- badParams += " host_challenge length,"; +- CMS.debug("TokenServlet: Invalid host challenge length"); +- missingParam = true; +- } +- } +- +- ArrayList serverSideValues = null; +- +- if (!missingParam) { +- card_challenge = +- com.netscape.cmsutil.util.Utils.SpecialDecode(rcard_challenge); +- +- host_challenge = com.netscape.cmsutil.util.Utils.SpecialDecode(rhost_challenge); +- +- String keyInfoMap = "tks." + keySet + ".mk_mappings." 
+ rKeyInfo.substring(0,6); //#xx#xx +- String mappingValue = CMS.getConfigStore().getString(keyInfoMap, null); +- +- +- if (mappingValue == null) { +- selectedToken = +- CMS.getConfigStore().getString("tks.defaultSlot", "internal"); +- keyNickName = rKeyInfo; +- } else { +- StringTokenizer st = new StringTokenizer(mappingValue, ":"); +- if (st.hasMoreTokens()) +- selectedToken = st.nextToken(); +- if (st.hasMoreTokens()) +- keyNickName = st.nextToken(); +- } +- +- CMS.debug(method + " selectedToken: " + selectedToken + " keyNickName: " + keyNickName ); +- +- SymmetricKey macSessionKey = null; +- SymmetricKey encSessionKey = null; +- SymmetricKey kekSessionKey = null; +- +- if (selectedToken != null && keyNickName != null +- && missingSetting_exception == null) { +- +- try { +- +- byte macKeyArray[] = +- com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks." +- + keySet + ".mac_key")); +- CMS.debug("TokenServlet about to try ComputeSessionKey selectedToken=" +- + selectedToken + " keyNickName=" + keyNickName); +- +- SecureChannelProtocol protocol = new SecureChannelProtocol(SecureChannelProtocol.PROTOCOL_THREE); +- +- macSessionKey = protocol.computeSessionKey_SCP03(selectedToken, keyNickName,xkeyInfo, +- SecureChannelProtocol.macType, macKeyArray, keySet,xCUID, xKDD, xhost_challenge, xcard_challenge, +- transportKeyName,gp3Params); +- +- mac_session_key = protocol.wrapSessionKey(selectedToken, macSessionKey, null); +- +- if (mac_session_key == null) { +- CMS.debug(method + " Can't get mac session key bytes"); +- throw new Exception(method + " Can't get mac session key bytes"); +- +- } +- +- byte encKeyArray[] = +- com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks." 
+- + keySet + ".auth_key")); +- +- encSessionKey = protocol.computeSessionKey_SCP03(selectedToken, keyNickName,xkeyInfo, +- SecureChannelProtocol.encType, encKeyArray, keySet, xCUID, xKDD, xhost_challenge, xcard_challenge, +- transportKeyName,gp3Params); +- +- enc_session_key = protocol.wrapSessionKey(selectedToken, encSessionKey, null); +- +- if (enc_session_key == null) { +- CMS.debug("TokenServlet:Tried ComputeEncSessionKey, got NULL "); +- throw new Exception("Can't compute enc session key!"); +- +- } +- +- byte kekKeyArray[] = +- com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks." +- + keySet + ".kek_key")); +- +- kekSessionKey = protocol.computeSessionKey_SCP03(selectedToken, keyNickName, xkeyInfo, +- SecureChannelProtocol.kekType, kekKeyArray, keySet, xCUID, xKDD, xhost_challenge, +- xcard_challenge, +- transportKeyName,gp3Params); +- +- kek_session_key = protocol.wrapSessionKey(selectedToken, kekSessionKey, null); +- +- +- //Offload some of the tedious params gathering to another method +- //ToDo, create a method that reads all this stuff at once for all major methods +- if (serversideKeygen) { +- try { +- serverSideValues = calculateServerSideKeygenValues(useSoftToken_s, selectedToken, +- kekSessionKey, protocol); +- } catch (EBaseException e) { +- +- CMS.debug(method + " Can't calcualte server side keygen required values..."); +- +- } +- } +- +- try { +- isCryptoValidate = sconfig.getBoolean("cardcryptogram.validate.enable", true); +- } catch (EBaseException eee) { +- } +- +- ByteArrayOutputStream contextStream = new ByteArrayOutputStream(); +- try { +- contextStream.write(host_challenge); +- contextStream.write(card_challenge); +- } catch (IOException e) { +- throw new EBaseException(method + " Error calculating derivation data!"); +- } +- +- host_cryptogram = protocol.computeCryptogram_SCP03(macSessionKey, selectedToken, contextStream.toByteArray(),NistSP800_108KDF.HOST_CRYPTO_KDF_CONSTANT); +- 
SecureChannelProtocol.debugByteArray(host_cryptogram, method + " calculated host crypto: " + host_cryptogram.length); +- +- +- if( isCryptoValidate) { +- if (rcard_cryptogram == null) { +- CMS.debug(method + " missing card cryptogram"); +- throw new Exception(method + "Missing card cryptogram"); +- } +- input_card_crypto = +- com.netscape.cmsutil.util.Utils.SpecialDecode(rcard_cryptogram); +- card_crypto = protocol.computeCryptogram_SCP03(macSessionKey, selectedToken, contextStream.toByteArray(),NistSP800_108KDF.CARD_CRYPTO_KDF_CONSTANT); +- SecureChannelProtocol.debugByteArray(card_crypto, method + " calculated card crypto: "); +- SecureChannelProtocol.debugByteArray(input_card_crypto, method + " original card crypto: "); +- +- if(!cryptoGramsAreEqual(input_card_crypto, card_crypto)) { +- throw new Exception(method + "Card cryptogram mismatch!"); +- } +- +- } +- } catch (Exception e) { +- CMS.debug(e); +- CMS.debug("TokenServlet Computing Session Key: " + e.toString()); +- if (isCryptoValidate) +- sameCardCrypto = false; +- } +- } +- } // ! 
missingParam +- +- String value = ""; +- +- resp.setContentType("text/html"); +- +- String encSessionKeyString = ""; +- String macSessionKeyString = ""; +- String kekSessionKeyString = ""; +- +- String drm_trans_wrapped_desKeyString = ""; +- String cryptogram = ""; +- String status = "0"; +- +- if (enc_session_key != null && enc_session_key.length > 0) { +- encSessionKeyString = +- com.netscape.cmsutil.util.Utils.SpecialEncode(enc_session_key); +- } else { +- status = "1"; +- } +- +- if (mac_session_key != null && mac_session_key.length > 0) { +- macSessionKeyString = +- com.netscape.cmsutil.util.Utils.SpecialEncode(mac_session_key); +- } else { +- status = "1"; +- } +- +- if (kek_session_key != null && kek_session_key.length > 0) { +- kekSessionKeyString = +- com.netscape.cmsutil.util.Utils.SpecialEncode(kek_session_key); +- } else { +- status = "1"; +- } +- +- if (serversideKeygen == true) { +- if (serverSideValues.size() == 3) { +- drm_trans_wrapped_desKeyString = serverSideValues.get(2); +- kek_wrapped_desKeyString = serverSideValues.get(0); +- keycheck_s = serverSideValues.get(1); +- } +- else { +- status = "1"; +- } +- } +- +- if (host_cryptogram != null && host_cryptogram.length > 0) { +- cryptogram = +- com.netscape.cmsutil.util.Utils.SpecialEncode(host_cryptogram); +- } else { +- if (status.equals("0") == true) { +- status = "2"; +- } +- } +- +- if (selectedToken == null || keyNickName == null) { +- // AC: Bugfix: Don't override status's value if an error was already flagged +- if (status.equals("0") == true) { +- status = "4"; +- } +- } +- +- if (!sameCardCrypto) { +- if (status.equals("0") == true) { +- status = "5"; +- } +- } +- +- if (missingSetting_exception != null) { +- status = "6"; +- } +- +- if (missingParam) { +- status = "3"; +- } +- +- if (!status.equals("0")) { +- +- if (status.equals("1")) { +- errorMsg = "Problem generating session key info."; +- } +- +- if (status.equals("2")) { +- errorMsg = "Problem creating host_cryptogram."; +- } +- +- 
if (status.equals("5")) { +- errorMsg = "Card cryptogram mismatch. Token likely has incorrect keys."; +- } +- +- if (status.equals("4")) { +- errorMsg = "Problem obtaining token information."; +- } +- +- if (status.equals("6")) { +- errorMsg = "Problem reading required configuration value."; +- } +- +- if (status.equals("3")) { +- if (badParams.endsWith(",")) { +- badParams = badParams.substring(0, badParams.length() - 1); +- } +- errorMsg = "Missing input parameters :" + badParams; +- } +- +- value = IRemoteRequest.RESPONSE_STATUS + "=" + status; +- } else { +- if (serversideKeygen == true) { +- StringBuffer sb = new StringBuffer(); +- sb.append(IRemoteRequest.RESPONSE_STATUS + "=0&"); +- sb.append(IRemoteRequest.TKS_RESPONSE_MacSessionKey + "="); +- sb.append(macSessionKeyString); +- sb.append("&" + IRemoteRequest.TKS_RESPONSE_HostCryptogram + "="); +- sb.append(cryptogram); +- sb.append("&" + IRemoteRequest.TKS_RESPONSE_EncSessionKey + "="); +- sb.append(encSessionKeyString); +- sb.append("&" + IRemoteRequest.TKS_RESPONSE_KekSessionKey + "="); +- sb.append(kekSessionKeyString); +- sb.append("&" + IRemoteRequest.TKS_RESPONSE_KEK_DesKey + "="); +- sb.append(kek_wrapped_desKeyString); +- sb.append("&" + IRemoteRequest.TKS_RESPONSE_KeyCheck + "="); +- sb.append(keycheck_s); +- sb.append("&" + IRemoteRequest.TKS_RESPONSE_DRM_Trans_DesKey + "="); +- sb.append(drm_trans_wrapped_desKeyString); +- value = sb.toString(); +- } else { +- StringBuffer sb = new StringBuffer(); +- sb.append(IRemoteRequest.RESPONSE_STATUS + "=0&"); +- sb.append(IRemoteRequest.TKS_RESPONSE_MacSessionKey + "="); +- sb.append(macSessionKeyString); +- sb.append("&" + IRemoteRequest.TKS_RESPONSE_HostCryptogram + "="); +- sb.append(cryptogram); +- sb.append("&" + IRemoteRequest.TKS_RESPONSE_EncSessionKey + "="); +- sb.append(encSessionKeyString); +- sb.append("&" + IRemoteRequest.TKS_RESPONSE_KekSessionKey + "="); +- value = sb.toString(); +- } +- +- } +- //CMS.debug(method + "outputString.encode " + 
value); +- +- try { +- resp.setContentLength(value.length()); +- CMS.debug("TokenServlet:outputString.length " + value.length()); +- OutputStream ooss = resp.getOutputStream(); +- ooss.write(value.getBytes()); +- ooss.flush(); +- mRenderResult = false; +- } catch (IOException e) { +- CMS.debug("TokenServlet: " + e.toString()); +- } +- +- if (status.equals("0")) { +- String[] logParams = { log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded +- log_string_from_specialDecoded_byte_array(xKDD), // KDD_decoded +- ILogger.SUCCESS, // Outcome +- status, // status +- agentId, // AgentID +- isCryptoValidate ? "true" : "false", // IsCryptoValidate +- serversideKeygen ? "true" : "false", // IsServerSideKeygen +- selectedToken, // SelectedToken +- keyNickName, // KeyNickName +- keySet, // TKSKeyset +- log_string_from_keyInfo(xkeyInfo), // KeyInfo_KeyVersion +- }; +- auditMessage = CMS.getLogMessage(AuditEvent.COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, +- logParams); +- +- } else { +- String[] logParams = { log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded +- log_string_from_specialDecoded_byte_array(xKDD), // KDD_decoded +- ILogger.FAILURE, // Outcome +- status, // status +- agentId, // AgentID +- isCryptoValidate ? "true" : "false", // IsCryptoValidate +- serversideKeygen ? "true" : "false", // IsServerSideKeygen +- selectedToken, // SelectedToken +- keyNickName, // KeyNickName +- keySet, // TKSKeyset +- log_string_from_keyInfo(xkeyInfo), // KeyInfo_KeyVersion +- errorMsg // Error +- }; +- auditMessage = CMS.getLogMessage(AuditEvent.COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE, +- logParams); +- +- } +- +- audit(auditMessage); +- +- } +- +- /** +- * Serves HTTP admin request. 
+- * +- * @param req HTTP request +- * @param resp HTTP response +- */ +- public void service(HttpServletRequest req, HttpServletResponse resp) +- throws ServletException, IOException { +- super.service(req, resp); +- } +- +- private PK11SymKey getSharedSecretKey() throws EBaseException, NotInitializedException { +- +- IConfigStore configStore = CMS.getConfigStore(); +- String sharedSecretName = null; +- try { +- +- sharedSecretName = getSharedSecretName(configStore); +- +- } catch (EBaseException e) { +- throw new EBaseException("TokenServlet.getSharedSecetKey: Internal error finding config value: " +- + e); +- +- } +- +- CMS.debug("TokenServlet.getSharedSecretTransportKey: calculated key name: " + sharedSecretName); +- +- String symmKeys = null; +- boolean keyPresent = false; +- try { +- symmKeys = SessionKey.ListSymmetricKeys(CryptoUtil.INTERNAL_TOKEN_NAME); +- CMS.debug("TokenServlet.getSharedSecretTransportKey: symmKeys List: " + symmKeys); +- } catch (Exception e) { +- // TODO Auto-generated catch block +- CMS.debug(e); +- } +- +- for (String keyName : symmKeys.split(",")) { +- if (sharedSecretName.equals(keyName)) { +- CMS.debug("TokenServlet.getSharedSecret: shared secret key found!"); +- keyPresent = true; +- break; +- } +- +- } +- +- if (!keyPresent) { +- throw new EBaseException("TokenServlet.getSharedSecret: Can't find shared secret!"); +- } +- +- // We know for now that shared secret is on this token +- String tokenName = CryptoUtil.INTERNAL_TOKEN_FULL_NAME; +- PK11SymKey sharedSecret = SessionKey.GetSymKeyByName(tokenName, sharedSecretName); +- +- CMS.debug("TokenServlet.getSharedSecret: SymKey returns: " + sharedSecret); +- +- return sharedSecret; +- +- } +- +- //returns ArrayList of following values +- // 0 : Kek wrapped des key +- // 1 : keycheck value +- // 2 : trans wrapped des key +- private ArrayList calculateServerSideKeygenValues(String useSoftToken, String selectedToken, +- SymmetricKey kekSessionKey, SecureChannelProtocol protocol) throws 
EBaseException { +- +- SymmetricKey desKey = null; +- String method = "TokenServlet.calculateSErverSideKeygenValues: "; +- ArrayList values = new ArrayList(); +- +- /** +- * 0. generate des key +- * 1. encrypt des key with kek key +- * 2. encrypt des key with DRM transport key +- * These two wrapped items are to be sent back to +- * TPS. 2nd item is to DRM +- **/ +- CMS.debug(method + " entering..."); +- +- // (1) generate DES key +- /* applet does not support DES3 +- org.mozilla.jss.crypto.KeyGenerator kg = +- internalToken.getKeyGenerator(KeyGenAlgorithm.DES3); +- desKey = kg.generate();*/ +- +- /* +- * GenerateSymkey firt generates a 16 byte DES2 key. +- * It then pads it into a 24 byte key with last +- * 8 bytes copied from the 1st 8 bytes. Effectively +- * making it a 24 byte DES2 key. We need this for +- * wrapping private keys on DRM. +- */ +- /*generate it on whichever token the master key is at*/ +- +- if (useSoftToken.equals("true")) { +- CMS.debug(method + " key encryption key generated on internal"); +- desKey = protocol.generateSymKey("internal"); +- //cfu audit here? sym key gen done +- } else { +- CMS.debug("TokenServlet: key encryption key generated on " + selectedToken); +- desKey = protocol.generateSymKey(selectedToken); +- } +- if (desKey == null) { +- throw new EBaseException(method + "can't generate key encryption key"); +- } +- +- /* +- * ECBencrypt actually takes the 24 byte DES2 key +- * and discard the last 8 bytes before it encrypts. 
+- * This is done so that the applet can digest it +- */ +- +- +- // protocol.wrapSessionKey(tokenName, sessionKey, wrappingKey) +- +- byte[] encDesKey = protocol.ecbEncrypt(kekSessionKey, desKey, selectedToken); +- +- String kek_wrapped_desKeyString = +- com.netscape.cmsutil.util.Utils.SpecialEncode(encDesKey); +- +- CMS.debug(method + "kek_wrapped_desKeyString: " + kek_wrapped_desKeyString); +- +- values.add(kek_wrapped_desKeyString); +- +- // get keycheck +- +- byte[] keycheck = null; +- +- keycheck = protocol.computeKeyCheck(desKey, selectedToken); +- +- String keycheck_s = +- com.netscape.cmsutil.util.Utils.SpecialEncode(keycheck); +- +- CMS.debug(method + "keycheck_s " + keycheck_s); +- +- values.add(keycheck_s); +- +- //use DRM transport cert to wrap desKey +- String drmTransNickname = CMS.getConfigStore().getString("tks.drm_transport_cert_nickname", ""); +- +- if ((drmTransNickname == null) || (drmTransNickname == "")) { +- CMS.debug(method + " did not find DRM transport certificate nickname"); +- throw new EBaseException(method + "can't find DRM transport certificate nickname"); +- } else { +- CMS.debug(method + " drmtransport_cert_nickname=" + drmTransNickname); +- } +- +- X509Certificate drmTransCert = null; +- try { +- +- drmTransCert = CryptoManager.getInstance().findCertByNickname(drmTransNickname); +- // wrap kek session key with DRM transport public key +- CryptoToken token = null; +- if (useSoftToken.equals("true")) { +- //token = CryptoManager.getInstance().getTokenByName(selectedToken); +- token = CryptoManager.getInstance().getInternalCryptoToken(); +- } else { +- token = CryptoManager.getInstance().getTokenByName(selectedToken); +- } +- PublicKey pubKey = drmTransCert.getPublicKey(); +- String pubKeyAlgo = pubKey.getAlgorithm(); +- CMS.debug("Transport Cert Key Algorithm: " + pubKeyAlgo); +- KeyWrapper keyWrapper = null; +- //For wrapping symmetric keys don't need IV, use ECB +- if (pubKeyAlgo.equals("EC")) { +- keyWrapper = 
token.getKeyWrapper(KeyWrapAlgorithm.AES_ECB); +- keyWrapper.initWrap(pubKey, null); +- } else { +- keyWrapper = token.getKeyWrapper(KeyWrapAlgorithm.RSA); +- keyWrapper.initWrap(pubKey, null); +- } +- CMS.debug("desKey token " + desKey.getOwningToken().getName() + " token: " + token.getName()); +- byte[] drm_trans_wrapped_desKey = keyWrapper.wrap(desKey); +- +- String drmWrappedDesStr = +- com.netscape.cmsutil.util.Utils.SpecialEncode(drm_trans_wrapped_desKey); +- +- CMS.debug(method + " drmWrappedDesStr: " + drmWrappedDesStr); +- values.add(drmWrappedDesStr); +- +- } catch (Exception e) { +- throw new EBaseException(e); +- } +- +- return values; +- } +- +- private boolean cryptoGramsAreEqual(byte[] original_cryptogram, byte[] calculated_cryptogram) { +- boolean sameCardCrypto = true; +- +- if (original_cryptogram == null || calculated_cryptogram == null) { +- return false; +- } +- if (original_cryptogram.length == calculated_cryptogram.length) { +- for (int i = 0; i < original_cryptogram.length; i++) { +- if (original_cryptogram[i] != calculated_cryptogram[i]) { +- sameCardCrypto = false; +- break; +- } +- } +- } else { +- // different length; must be different +- sameCardCrypto = false; +- } +- +- return sameCardCrypto; +- } +- +- //For now only used for scp03 +- +- static GPParams readGPSettings(String keySet) { +- GPParams params = new GPParams(); +- +- String method = "TokenServlet.readGPSettings: "; +- String gp3Settings = "tks." 
+ keySet + ".prot3"; +- +- String divers = "emv"; +- try { +- divers = CMS.getConfigStore().getString(gp3Settings + ".divers", "emv"); +- } catch (EBaseException e) { +- } +- +- params.setDiversificationScheme(divers); +- +- CMS.debug(method + " Divers: " + divers); +- +- String diversVer1Keys = "emv"; +- +- try { +- diversVer1Keys = CMS.getConfigStore().getString(gp3Settings + ".diversVer1Keys","emv"); +- } catch (EBaseException e) { +- } +- +- params.setVersion1DiversificationScheme(diversVer1Keys); +- CMS.debug(method + " Version 1 keys Divers: " + divers); +- +- String keyType = null; +- try { +- keyType = CMS.getConfigStore().getString(gp3Settings + ".devKeyType","DES3"); +- } catch (EBaseException e) { +- } +- +- CMS.debug(method + " devKeyType: " + keyType); +- +- params.setDevKeyType(keyType); +- +- try { +- keyType = CMS.getConfigStore().getString(gp3Settings + ".masterKeyType","DES3"); +- } catch (EBaseException e) { +- } +- +- params.setMasterKeyType(keyType); +- +- CMS.debug(method + " masterKeyType: " + keyType); +- +- +- return params; +- } +- +- private byte[] getDeveKeyArray(String keyType,IConfigStore sconfig,String keySet) throws EBaseException { +- byte devKeyArray[] = null; +- try { +- devKeyArray = com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks." +- + keySet + "." 
+ keyType)); +- } catch (Exception e) { +- throw new EBaseException("Can't read static developer key array: " + keySet + ": " + keyType); +- } +- +- return devKeyArray; +- } +- +- +-} +diff --git a/base/tks/shared/webapps/tks/WEB-INF/web.xml b/base/tks/shared/webapps/tks/WEB-INF/web.xml +index 18c85a3..ddbea88 100644 +--- a/base/tks/shared/webapps/tks/WEB-INF/web.xml ++++ b/base/tks/shared/webapps/tks/WEB-INF/web.xml +@@ -108,7 +108,7 @@ + + + tksEncryptData +- com.netscape.cms.servlet.tks.TokenServlet ++ org.dogtagpki.server.tks.servlet.TokenServlet + GetClientCert + true + AuthzMgr +@@ -125,7 +125,7 @@ + + + tksCreateKeySetData +- com.netscape.cms.servlet.tks.TokenServlet ++ org.dogtagpki.server.tks.servlet.TokenServlet + GetClientCert + true + AuthzMgr +@@ -142,7 +142,7 @@ + + + tksSessionKey +- com.netscape.cms.servlet.tks.TokenServlet ++ org.dogtagpki.server.tks.servlet.TokenServlet + GetClientCert + true + AuthzMgr +@@ -159,7 +159,7 @@ + + + tksRandomData +- com.netscape.cms.servlet.tks.TokenServlet ++ org.dogtagpki.server.tks.servlet.TokenServlet + GetClientCert + true + AuthzMgr +diff --git a/base/tks/src/org/dogtagpki/server/tks/servlet/TokenServlet.java b/base/tks/src/org/dogtagpki/server/tks/servlet/TokenServlet.java +new file mode 100644 +index 0000000..c8150a9 +--- /dev/null ++++ b/base/tks/src/org/dogtagpki/server/tks/servlet/TokenServlet.java +@@ -0,0 +1,3226 @@ ++// --- BEGIN COPYRIGHT BLOCK --- ++// This program is free software; you can redistribute it and/or modify ++// it under the terms of the GNU General Public License as published by ++// the Free Software Foundation; version 2 of the License. ++// ++// This program is distributed in the hope that it will be useful, ++// but WITHOUT ANY WARRANTY; without even the implied warranty of ++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++// GNU General Public License for more details. 
++//
++// You should have received a copy of the GNU General Public License along
++// with this program; if not, write to the Free Software Foundation, Inc.,
++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
++//
++// (C) 2007 Red Hat, Inc.
++// All rights reserved.
++// --- END COPYRIGHT BLOCK ---
++package org.dogtagpki.server.tks.servlet;
++
++import java.io.ByteArrayOutputStream;
++import java.io.IOException;
++import java.io.OutputStream;
++import java.security.PublicKey;
++import java.security.SecureRandom;
++import java.util.ArrayList;
++import java.util.StringTokenizer;
++
++import javax.servlet.ServletConfig;
++import javax.servlet.ServletException;
++import javax.servlet.http.HttpServletRequest;
++import javax.servlet.http.HttpServletResponse;
++
++import org.dogtagpki.server.connector.IRemoteRequest;
++import org.mozilla.jss.CryptoManager;
++import org.mozilla.jss.CryptoManager.NotInitializedException;
++import org.mozilla.jss.crypto.CryptoToken;
++import org.mozilla.jss.crypto.KeyWrapAlgorithm;
++import org.mozilla.jss.crypto.KeyWrapper;
++import org.mozilla.jss.crypto.SymmetricKey;
++import org.mozilla.jss.crypto.X509Certificate;
++import org.mozilla.jss.pkcs11.PK11SymKey;
++
++import com.netscape.certsrv.apps.CMS;
++import com.netscape.certsrv.authentication.IAuthToken;
++import com.netscape.certsrv.authorization.AuthzToken;
++import com.netscape.certsrv.base.EBaseException;
++import com.netscape.certsrv.base.IConfigStore;
++import com.netscape.certsrv.base.IPrettyPrintFormat;
++import com.netscape.certsrv.base.SessionContext;
++import com.netscape.certsrv.logging.AuditEvent;
++import com.netscape.certsrv.logging.ILogger;
++import com.netscape.cms.servlet.base.CMSServlet;
++import com.netscape.cms.servlet.common.CMSRequest;
++import com.netscape.cms.servlet.tks.GPParams;
++import com.netscape.cms.servlet.tks.NistSP800_108KDF;
++import com.netscape.cms.servlet.tks.SecureChannelProtocol;
++import com.netscape.cmsutil.crypto.CryptoUtil;
++import com.netscape.symkey.SessionKey;
++
++/**
++ * A class representings an administration servlet for Token Key
++ * Service Authority. This servlet is responsible to serve
++ * tks administrative operation such as configuration
++ * parameter updates.
++ *
++ * @version $Revision$, $Date$
++ */
++public class TokenServlet extends CMSServlet {
++ /**
++ *
++ */
++ private static final long serialVersionUID = 8687436109695172791L;
++ protected static final String PROP_ENABLED = "enabled";
++ protected static final String TRANSPORT_KEY_NAME = "sharedSecret";
++ private final static String INFO = "TokenServlet";
++ public static int ERROR = 1;
++ String mKeyNickName = null;
++ String mNewKeyNickName = null;
++ String mCurrentUID = null;
++ IPrettyPrintFormat pp = CMS.getPrettyPrintFormat(":");
++
++ // Derivation Constants for SCP02
++ public final static byte[] C_MACDerivationConstant = { (byte) 0x01, (byte) 0x01 };
++ public final static byte[] ENCDerivationConstant = { 0x01, (byte) 0x82 };
++ public final static byte[] DEKDerivationConstant = { 0x01, (byte) 0x81 };
++ public final static byte[] R_MACDerivationConstant = { 0x01, 0x02 };
++
++ /**
++ * Constructs tks servlet.
++ */
++ public TokenServlet() {
++ super();
++
++ }
++
++ public static String trim(String a) {
++ StringBuffer newa = new StringBuffer();
++ StringTokenizer tokens = new StringTokenizer(a, "\n");
++ while (tokens.hasMoreTokens()) {
++ newa.append(tokens.nextToken());
++ }
++ return newa.toString();
++ }
++
++ public void init(ServletConfig config) throws ServletException {
++ super.init(config);
++ }
++
++ /**
++ * Returns serlvet information.
++ *
++ * @return name of this servlet
++ */
++ public String getServletInfo() {
++ return INFO;
++ }
++
++ /**
++ * Process the HTTP request.
++ *
++ * @param s The URL to decode.
++ */
++ protected String URLdecode(String s) {
++ if (s == null)
++ return null;
++ ByteArrayOutputStream out = new ByteArrayOutputStream(s.length());
++
++ for (int i = 0; i < s.length(); i++) {
++ int c = s.charAt(i);
++
++ if (c == '+') {
++ out.write(' ');
++ } else if (c == '%') {
++ int c1 = Character.digit(s.charAt(++i), 16);
++ int c2 = Character.digit(s.charAt(++i), 16);
++
++ out.write((char) (c1 * 16 + c2));
++ } else {
++ out.write(c);
++ }
++ } // end for
++ return out.toString();
++ }
++
++ private void setDefaultSlotAndKeyName(HttpServletRequest req) {
++ try {
++
++ String keySet = req.getParameter(IRemoteRequest.TOKEN_KEYSET);
++ if (keySet == null || keySet.equals("")) {
++ keySet = "defKeySet";
++ }
++ CMS.debug("keySet selected: " + keySet);
++
++ String masterKeyPrefix = CMS.getConfigStore().getString("tks.master_key_prefix", null);
++ String temp = req.getParameter(IRemoteRequest.TOKEN_KEYINFO); //#xx#xx
++ String keyInfoMap = "tks." + keySet + ".mk_mappings." + temp;
++ String mappingValue = CMS.getConfigStore().getString(keyInfoMap, null);
++ if (mappingValue != null) {
++ StringTokenizer st = new StringTokenizer(mappingValue, ":");
++ int tokenNumber = 0;
++ while (st.hasMoreTokens()) {
++
++ String currentToken = st.nextToken();
++ if (tokenNumber == 1)
++ mKeyNickName = currentToken;
++ tokenNumber++;
++
++ }
++ }
++ if (req.getParameter(IRemoteRequest.TOKEN_NEW_KEYINFO) != null) // for diversification
++ {
++ temp = req.getParameter(IRemoteRequest.TOKEN_NEW_KEYINFO); //#xx#xx
++ String newKeyInfoMap = "tks." + keySet + ".mk_mappings."
+ temp; ++ String newMappingValue = CMS.getConfigStore().getString(newKeyInfoMap, null); ++ if (newMappingValue != null) { ++ StringTokenizer st = new StringTokenizer(newMappingValue, ":"); ++ int tokenNumber = 0; ++ while (st.hasMoreTokens()) { ++ String currentToken = st.nextToken(); ++ if (tokenNumber == 1) ++ mNewKeyNickName = currentToken; ++ tokenNumber++; ++ ++ } ++ } ++ } ++ ++ CMS.debug("Setting masteter keky prefix to: " + masterKeyPrefix); ++ ++ SecureChannelProtocol.setDefaultPrefix(masterKeyPrefix); ++ /*SessionKey.SetDefaultPrefix(masterKeyPrefix);*/ ++ ++ } catch (Exception e) { ++ e.printStackTrace(); ++ CMS.debug("Exception in TokenServlet::setDefaultSlotAndKeyName"); ++ } ++ ++ } ++ ++ // AC: KDF SPEC CHANGE - read new setting value from config file ++ // (This value allows configuration of which master keys use the NIST SP800-108 KDF and which use the original KDF for backwards compatibility) ++ // CAREFUL: Result returned may be negative due to java's lack of unsigned types. ++ // Negative values need to be treated as higher key numbers than positive key numbers. ++ private static byte read_setting_nistSP800_108KdfOnKeyVersion(String keySet) throws Exception { ++ String nistSP800_108KdfOnKeyVersion_map = "tks." 
+ keySet + ".nistSP800-108KdfOnKeyVersion"; ++ // KDF phase1: default to 00 ++ String nistSP800_108KdfOnKeyVersion_value = ++ CMS.getConfigStore().getString(nistSP800_108KdfOnKeyVersion_map, "00" /*null*/); ++ short nistSP800_108KdfOnKeyVersion_short = 0; ++ // if value does not exist in file ++ if (nistSP800_108KdfOnKeyVersion_value == null) { ++ // throw ++ // (we want admins to pay attention to this configuration item rather than guessing for them) ++ throw new Exception("Required configuration value \"" + nistSP800_108KdfOnKeyVersion_map ++ + "\" missing from configuration file."); ++ } ++ // convert setting value (in ASCII-hex) to short ++ try { ++ nistSP800_108KdfOnKeyVersion_short = Short.parseShort(nistSP800_108KdfOnKeyVersion_value, 16); ++ if ((nistSP800_108KdfOnKeyVersion_short < 0) || (nistSP800_108KdfOnKeyVersion_short > (short) 0x00FF)) { ++ throw new Exception("Out of range."); ++ } ++ } catch (Throwable t) { ++ throw new Exception("Configuration value \"" + nistSP800_108KdfOnKeyVersion_map ++ + "\" is in incorrect format. " + ++ "Correct format is \"" + nistSP800_108KdfOnKeyVersion_map ++ + "=xx\" where xx is key version specified in ASCII-HEX format.", t); ++ } ++ // convert to byte (anything higher than 0x7F is represented as a negative) ++ byte nistSP800_108KdfOnKeyVersion_byte = (byte) nistSP800_108KdfOnKeyVersion_short; ++ return nistSP800_108KdfOnKeyVersion_byte; ++ } ++ ++ // AC: KDF SPEC CHANGE - read new setting value from config file ++ // (This value allows configuration of the NIST SP800-108 KDF: ++ // If "true" we use the CUID parameter within the NIST SP800-108 KDF. ++ // If "false" we use the KDD parameter within the NIST SP800-108 KDF. ++ private static boolean read_setting_nistSP800_108KdfUseCuidAsKdd(String keySet) throws Exception { ++ String setting_map = "tks." 
+ keySet + ".nistSP800-108KdfUseCuidAsKdd"; ++ // KDF phase1: default to "false" ++ String setting_str = ++ CMS.getConfigStore().getString(setting_map, "false" /*null*/); ++ boolean setting_boolean = false; ++ // if value does not exist in file ++ if (setting_str == null) { ++ // throw ++ // (we want admins to pay attention to this configuration item rather than guessing for them) ++ throw new Exception("Required configuration value \"" + setting_map + "\" missing from configuration file."); ++ } ++ // convert setting value to boolean ++ try { ++ setting_boolean = Boolean.parseBoolean(setting_str); ++ } catch (Throwable t) { ++ throw new Exception("Configuration value \"" + setting_map ++ + "\" is in incorrect format. Should be either \"true\" or \"false\".", t); ++ } ++ return setting_boolean; ++ } ++ ++ // AC: KDF SPEC CHANGE - Audit logging helper functions. ++ // Converts a byte array to an ASCII-hex string. ++ // We implemented this ourselves rather than using this.pp.toHexArray() because ++ // the team preferred CUID and KDD strings to be without ":" separators every byte. ++ final char[] bytesToHex_hexArray = "0123456789ABCDEF".toCharArray(); ++ ++ private String bytesToHex(byte[] bytes) { ++ char[] hexChars = new char[bytes.length * 2]; ++ for (int i = 0; i < bytes.length; i++) { ++ int thisChar = bytes[i] & 0x000000FF; ++ hexChars[i * 2] = bytesToHex_hexArray[thisChar >>> 4]; // div 16 ++ hexChars[i * 2 + 1] = bytesToHex_hexArray[thisChar & 0x0F]; ++ } ++ return new String(hexChars); ++ } ++ ++ // AC: KDF SPEC CHANGE - Audit logging helper functions. ++ // Safely converts a keyInfo byte array to a Key version hex string in the format: 0xa ++ // Since key version is always the first byte, this function returns the unsigned hex string representation of parameter[0]. ++ // Returns "null" if parameter is null. ++ // Returns "invalid" if parameter.length < 1 ++ private String log_string_from_keyInfo(byte[] xkeyInfo) { ++ return (xkeyInfo == null) ? 
"null" : (xkeyInfo.length < 1 ? "invalid" : "0x" ++ + Integer.toHexString((xkeyInfo[0]) & 0x000000FF)); ++ } ++ ++ // AC: KDF SPEC CHANGE - Audit logging helper functions. ++ // Safely converts a byte array containing specialDecoded information to an ASCII-hex string. ++ // Parameters: ++ // specialDecoded - byte array containing data. May be null. ++ // Returns: ++ // if specialDecoded is blank, returns "null" ++ // if specialDecoded != null, returns ++ private String log_string_from_specialDecoded_byte_array(byte[] specialDecoded) { ++ if (specialDecoded == null) { ++ return "null"; ++ } else { ++ return bytesToHex(specialDecoded); ++ } ++ } ++ ++ /* Compute Session Key for SCP02 ++ * For simplicity compute just one session key,unless it is the DEK key case. ++ */ ++ ++ private void processComputeSessionKeySCP02(HttpServletRequest req, HttpServletResponse resp) throws EBaseException { ++ ++ CMS.debug("TokenServlet.processComputeSessionKeySCP02 entering.."); ++ String auditMessage = null; ++ String errorMsg = ""; ++ String badParams = ""; ++ String transportKeyName = ""; ++ boolean missingParam = false; ++ String selectedToken = null; ++ String keyNickName = null; ++ byte[] drm_trans_wrapped_desKey = null; ++ ++ byte[] xKDD = null; ++ byte nistSP800_108KdfOnKeyVersion = (byte) 0xff; ++ boolean nistSP800_108KdfUseCuidAsKdd = false; ++ ++ IConfigStore sconfig = CMS.getConfigStore(); ++ ++ boolean isCryptoValidate = false; ++ byte[] keyInfo, xCUID = null, session_key = null; ++ ++ Exception missingSettingException = null; ++ ++ String rCUID = req.getParameter(IRemoteRequest.TOKEN_CUID); ++ ++ String rKDD = req.getParameter(IRemoteRequest.TOKEN_KDD); ++ ++ String rKeyInfo = req.getParameter(IRemoteRequest.TOKEN_KEYINFO); ++ ++ if ((rKeyInfo == null) || (rKeyInfo.equals(""))) { ++ badParams += " KeyInfo,"; ++ CMS.debug("TokenServlet: processComputeSessionKeySCP02(): missing request parameter: key info"); ++ missingParam = true; ++ } ++ ++ keyInfo = 
com.netscape.cmsutil.util.Utils.SpecialDecode(rKeyInfo); ++ ++ String keySet = req.getParameter(IRemoteRequest.TOKEN_KEYSET); ++ ++ if (keySet == null || keySet.equals("")) { ++ keySet = "defKeySet"; ++ } ++ CMS.debug("TokenServlet.processComputeSessionKeySCP02: keySet selected: " + keySet + " keyInfo: " + rKeyInfo); ++ ++ boolean serversideKeygen = false; ++ ++ String rDerivationConstant = req.getParameter(IRemoteRequest.DERIVATION_CONSTANT); ++ String rSequenceCounter = req.getParameter(IRemoteRequest.SEQUENCE_COUNTER); ++ ++ if ((rDerivationConstant == null) || (rDerivationConstant.equals(""))) { ++ badParams += " derivation_constant,"; ++ CMS.debug("TokenServlet.processComputeSessionKeySCP02(): missing request parameter: derivation constant."); ++ missingParam = true; ++ } ++ ++ if ((rSequenceCounter == null) || (rSequenceCounter.equals(""))) { ++ badParams += " sequence_counter,"; ++ CMS.debug("TokenServlet.processComputeSessionKeySCP02(): missing request parameter: sequence counter."); ++ missingParam = true; ++ } ++ ++ SessionContext sContext = SessionContext.getContext(); ++ ++ String agentId = ""; ++ if (sContext != null) { ++ agentId = ++ (String) sContext.get(SessionContext.USER_ID); ++ } ++ ++ auditMessage = CMS.getLogMessage( ++ AuditEvent.COMPUTE_SESSION_KEY_REQUEST, ++ rCUID, ++ rKDD, // AC: KDF SPEC CHANGE - Log both CUID and KDD. 
++ ILogger.SUCCESS, ++ agentId); ++ ++ audit(auditMessage); ++ ++ if (!missingParam) { ++ xCUID = com.netscape.cmsutil.util.Utils.SpecialDecode(rCUID); ++ ++ if (xCUID == null || xCUID.length != 10) { ++ badParams += " CUID length,"; ++ CMS.debug("TokenServlet.processCompureSessionKeySCP02: Invalid CUID length"); ++ missingParam = true; ++ } ++ ++ if ((rKDD == null) || (rKDD.length() == 0)) { ++ CMS.debug("TokenServlet.processComputeSessionKeySCP02(): missing request parameter: KDD"); ++ badParams += " KDD,"; ++ missingParam = true; ++ } ++ ++ xKDD = com.netscape.cmsutil.util.Utils.SpecialDecode(rKDD); ++ if (xKDD == null || xKDD.length != 10) { ++ badParams += " KDD length,"; ++ CMS.debug("TokenServlet.processComputeSessionKeySCP02: Invalid KDD length"); ++ missingParam = true; ++ } ++ ++ keyInfo = com.netscape.cmsutil.util.Utils.SpecialDecode(rKeyInfo); ++ if (keyInfo == null || keyInfo.length != 2) { ++ badParams += " KeyInfo length,"; ++ CMS.debug("TokenServlet.processComputeSessionKeySCP02: Invalid key info length."); ++ missingParam = true; ++ } ++ ++ try { ++ nistSP800_108KdfOnKeyVersion = TokenServlet.read_setting_nistSP800_108KdfOnKeyVersion(keySet); ++ nistSP800_108KdfUseCuidAsKdd = TokenServlet.read_setting_nistSP800_108KdfUseCuidAsKdd(keySet); ++ ++ // log settings read in to debug log along with xkeyInfo ++ CMS.debug("TokenServlet: ComputeSessionKeySCP02(): keyInfo[0] = 0x" ++ + Integer.toHexString((keyInfo[0]) & 0x0000000FF) ++ + ", xkeyInfo[1] = 0x" ++ + Integer.toHexString((keyInfo[1]) & 0x0000000FF) ++ ); ++ CMS.debug("TokenServlet: ComputeSessionKeySCP02(): Nist SP800-108 KDF will be used for key versions >= 0x" ++ + Integer.toHexString((nistSP800_108KdfOnKeyVersion) & 0x0000000FF) ++ ); ++ if (nistSP800_108KdfUseCuidAsKdd == true) { ++ CMS.debug("TokenServlet: ComputeSessionKeySCP02(): Nist SP800-108 KDF (if used) will use CUID instead of KDD."); ++ } else { ++ CMS.debug("TokenServlet: ComputeSessionKeySCP02(): Nist SP800-108 KDF (if used) will 
use KDD."); ++ } ++ // conform to the set-an-error-flag mentality ++ } catch (Exception e) { ++ missingSettingException = e; ++ CMS.debug("TokenServlet: ComputeSessionKeySCP02(): Exception reading Nist SP800-108 KDF config values: " ++ + e.toString()); ++ } ++ ++ } ++ ++ String keyInfoMap = "tks." + keySet + ".mk_mappings." + rKeyInfo; //#xx#xx ++ String mappingValue = CMS.getConfigStore().getString(keyInfoMap, null); ++ if (mappingValue == null) { ++ selectedToken = ++ CMS.getConfigStore().getString("tks.defaultSlot", CryptoUtil.INTERNAL_TOKEN_NAME); ++ keyNickName = rKeyInfo; ++ } else { ++ StringTokenizer st = new StringTokenizer(mappingValue, ":"); ++ if (st.hasMoreTokens()) ++ selectedToken = st.nextToken(); ++ if (st.hasMoreTokens()) ++ keyNickName = st.nextToken(); ++ } ++ ++ keyInfoMap = "tks." + keySet + ".mk_mappings." + rKeyInfo; //#xx#xx ++ try { ++ mappingValue = CMS.getConfigStore().getString(keyInfoMap, null); ++ } catch (EBaseException e1) { ++ ++ e1.printStackTrace(); ++ } ++ if (mappingValue == null) { ++ try { ++ selectedToken = ++ CMS.getConfigStore().getString("tks.defaultSlot", CryptoUtil.INTERNAL_TOKEN_NAME); ++ } catch (EBaseException e) { ++ ++ e.printStackTrace(); ++ } ++ keyNickName = rKeyInfo; ++ } else { ++ StringTokenizer st = new StringTokenizer(mappingValue, ":"); ++ if (st.hasMoreTokens()) ++ selectedToken = st.nextToken(); ++ if (st.hasMoreTokens()) ++ keyNickName = st.nextToken(); ++ } ++ ++ CMS.debug("TokenServlet: processComputeSessionKeySCP02(): final keyNickname: " + keyNickName); ++ String useSoftToken_s = null; ++ try { ++ useSoftToken_s = CMS.getConfigStore().getString("tks.useSoftToken", "true"); ++ } catch (EBaseException e1) { ++ // TODO Auto-generated catch block ++ e1.printStackTrace(); ++ } ++ if (!useSoftToken_s.equalsIgnoreCase("true")) ++ useSoftToken_s = "false"; ++ ++ String rServersideKeygen = req.getParameter(IRemoteRequest.SERVER_SIDE_KEYGEN); ++ if (rServersideKeygen.equals("true")) { ++ 
CMS.debug("TokenServlet.processComputeSessionKeySCP02: serversideKeygen requested"); ++ serversideKeygen = true; ++ } else { ++ CMS.debug("TokenServlet.processComputeSessionKeySCP02: serversideKeygen not requested"); ++ } ++ ++ transportKeyName = null; ++ try { ++ transportKeyName = getSharedSecretName(sconfig); ++ } catch (EBaseException e1) { ++ // TODO Auto-generated catch block ++ e1.printStackTrace(); ++ CMS.debug("TokenServlet.processComputeSessionKeySCP02: Can't find transport key name!"); ++ ++ } ++ ++ CMS.debug("TokenServlet: processComputeSessionKeySCP02(): tksSharedSymKeyName: " + transportKeyName); ++ ++ try { ++ isCryptoValidate = sconfig.getBoolean("cardcryptogram.validate.enable", true); ++ } catch (EBaseException eee) { ++ } ++ ++ byte macKeyArray[] = null; ++ byte sequenceCounter[] = null; ++ byte derivationConstant[] = null; ++ ++ boolean errorFound = false; ++ ++ String dek_wrapped_desKeyString = null; ++ String keycheck_s = null; ++ ++ if (selectedToken != null && keyNickName != null && transportKeyName != null && missingSettingException == null) { ++ try { ++ macKeyArray = com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks." ++ + keySet + ".mac_key")); ++ ++ sequenceCounter = com.netscape.cmsutil.util.Utils.SpecialDecode(rSequenceCounter); ++ derivationConstant = com.netscape.cmsutil.util.Utils.SpecialDecode(rDerivationConstant); ++ ++ //Use old style for the moment. 
++ //ToDo: We need to use the nistXP800 params we have collected and send them down to symkey ++ //Perform in next ticket to fully implement nistXP800 ++ ++ session_key = SessionKey.ComputeSessionKeySCP02( ++ selectedToken, keyNickName, ++ keyInfo, ++ nistSP800_108KdfOnKeyVersion, // AC: KDF SPEC CHANGE - pass in configuration file value ++ nistSP800_108KdfUseCuidAsKdd, xCUID, xKDD, macKeyArray, sequenceCounter, derivationConstant, ++ useSoftToken_s, keySet, ++ transportKeyName); ++ ++ if (session_key == null) { ++ CMS.debug("TokenServlet.computeSessionKeySCP02:Tried ComputeSessionKey, got NULL "); ++ throw new EBaseException("Can't compute session key for SCP02!"); ++ ++ } ++ ++ //Only do this for the dekSessionKey and if we are in the server side keygen case. ++ if (derivationConstant[0] == DEKDerivationConstant[0] ++ && derivationConstant[1] == DEKDerivationConstant[1] && serversideKeygen == true) { ++ ++ CMS.debug("TokenServlet.computeSessionKeySCP02: We have the server side keygen case while generating the dek session key, wrap and return symkeys for the drm and token."); ++ ++ /** ++ * 0. generate des key ++ * 1. encrypt des key with dek key ++ * 2. encrypt des key with DRM transport key ++ * These two wrapped items are to be sent back to ++ * TPS. 
2nd item is to DRM ++ **/ ++ ++ PK11SymKey desKey = null; ++ PK11SymKey dekKey = null; ++ ++ /*generate it on whichever token the master key is at*/ ++ if (useSoftToken_s.equals("true")) { ++ CMS.debug("TokenServlet.computeSessionKeySCP02: key encryption key generated on internal"); ++ ++ desKey = SessionKey.GenerateSymkey(CryptoUtil.INTERNAL_TOKEN_NAME); ++ ++ } else { ++ CMS.debug("TokenServlet.computeSessionKeySCP02: key encryption key generated on " ++ + selectedToken); ++ desKey = SessionKey.GenerateSymkey(selectedToken); ++ } ++ if (desKey != null) ++ CMS.debug("TokenServlet.computeSessionKeySCP02: key encryption key generated for " + rCUID); ++ else { ++ CMS.debug("TokenServlet.computeSessionKeySCP02: key encryption key generation failed for " ++ + rCUID); ++ throw new EBaseException( ++ "TokenServlet.computeSessionKeySCP02: can't generate key encryption key"); ++ } ++ ++ CryptoToken token = null; ++ if (useSoftToken_s.equals("true")) { ++ token = CryptoUtil.getCryptoToken(null); ++ } else { ++ token = CryptoUtil.getCryptoToken(selectedToken); ++ } ++ ++ //Now we have to create a sym key object for the wrapped session_key (dekKey) ++ // session_key wrapped by the shared Secret ++ ++ PK11SymKey sharedSecret = getSharedSecretKey(); ++ ++ if (sharedSecret == null) { ++ throw new EBaseException( ++ "TokenServlet.computeSessionKeySCP02: Can't find share secret sym key!"); ++ } ++ ++ dekKey = SessionKey.UnwrapSessionKeyWithSharedSecret(token.getName(), sharedSecret, ++ session_key); ++ ++ if (dekKey == null) { ++ throw new EBaseException( ++ "TokenServlet.computeSessionKeySCP02: Can't unwrap DEK key onto the token!"); ++ } ++ ++ /* ++ * ECBencrypt actually takes the 24 byte DES2 key ++ * and discard the last 8 bytes before it encrypts. 
++ * This is done so that the applet can digest it ++ */ ++ byte[] encDesKey = ++ SessionKey.ECBencrypt(dekKey, ++ desKey); ++ ++ if (encDesKey == null) { ++ throw new EBaseException("TokenServlet.computeSessionKeySCP02: Can't encrypt DEK key!"); ++ } ++ ++ dek_wrapped_desKeyString = ++ com.netscape.cmsutil.util.Utils.SpecialEncode(encDesKey); ++ ++ byte[] keycheck = ++ SessionKey.ComputeKeyCheck(desKey); ++ ++ if (keycheck == null) { ++ throw new EBaseException( ++ "TokenServlet.computeSessionKeySCP02: Can't compute key check for encrypted DEK key!"); ++ } ++ ++ keycheck_s = ++ com.netscape.cmsutil.util.Utils.SpecialEncode(keycheck); ++ ++ //use DRM transport cert to wrap desKey ++ String drmTransNickname = CMS.getConfigStore().getString("tks.drm_transport_cert_nickname", ""); ++ ++ if ((drmTransNickname == null) || (drmTransNickname == "")) { ++ CMS.debug("TokenServlet.computeSessionKeySCP02:did not find DRM transport certificate nickname"); ++ throw new EBaseException("can't find DRM transport certificate nickname"); ++ } else { ++ CMS.debug("TokenServlet.computeSessionKeySCP02:drmtransport_cert_nickname=" + drmTransNickname); ++ } ++ ++ X509Certificate drmTransCert = null; ++ drmTransCert = CryptoManager.getInstance().findCertByNickname(drmTransNickname); ++ // wrap kek session key with DRM transport public key ++ ++ PublicKey pubKey = drmTransCert.getPublicKey(); ++ String pubKeyAlgo = pubKey.getAlgorithm(); ++ ++ KeyWrapper keyWrapper = null; ++ //For wrapping symmetric keys don't need IV, use ECB ++ if (pubKeyAlgo.equals("EC")) { ++ keyWrapper = token.getKeyWrapper(KeyWrapAlgorithm.AES_ECB); ++ keyWrapper.initWrap(pubKey, null); ++ } else { ++ keyWrapper = token.getKeyWrapper(KeyWrapAlgorithm.RSA); ++ keyWrapper.initWrap(pubKey, null); ++ } ++ ++ drm_trans_wrapped_desKey = keyWrapper.wrap(desKey); ++ CMS.debug("computeSessionKey.computeSessionKeySCP02:desKey wrapped with drm transportation key."); ++ ++ 
CMS.debug("computeSessionKey.computeSessionKeySCP02:desKey: Just unwrapped the dekKey onto the token to be wrapped on the way out."); ++ ++ } ++ ++ } catch (Exception e) { ++ CMS.debug("TokenServlet.computeSessionKeySCP02 Computing Session Key: " + e.toString()); ++ errorFound = true; ++ ++ } ++ ++ } ++ ++ String status = "0"; ++ String value = ""; ++ String outputString = ""; ++ ++ boolean statusDeclared = false; ++ ++ if (session_key != null && session_key.length > 0 && errorFound == false) { ++ outputString = ++ com.netscape.cmsutil.util.Utils.SpecialEncode(session_key); ++ } else { ++ ++ status = "1"; ++ statusDeclared = true; ++ } ++ ++ if (selectedToken == null || keyNickName == null) { ++ if (!statusDeclared) { ++ status = "4"; ++ statusDeclared = true; ++ } ++ } ++ ++ if (missingSettingException != null) { ++ if (!statusDeclared) { ++ status = "6"; ++ statusDeclared = true; ++ } ++ } ++ ++ if (missingParam) { ++ status = "3"; ++ } ++ ++ String drm_trans_wrapped_desKeyString = null; ++ ++ if (!status.equals("0")) { ++ if (status.equals("1")) { ++ errorMsg = "Problem generating session key info."; ++ } ++ ++ if (status.equals("4")) { ++ errorMsg = "Problem obtaining token information."; ++ } ++ ++ if (status.equals("3")) { ++ if (badParams.endsWith(",")) { ++ badParams = badParams.substring(0, badParams.length() - 1); ++ } ++ errorMsg = "Missing input parameters :" + badParams; ++ } ++ ++ if (status.equals("6")) { ++ errorMsg = "Problem reading required configuration value."; ++ } ++ ++ } else { ++ ++ if (serversideKeygen == true) { ++ ++ if (drm_trans_wrapped_desKey != null && drm_trans_wrapped_desKey.length > 0) { ++ drm_trans_wrapped_desKeyString = ++ com.netscape.cmsutil.util.Utils.SpecialEncode(drm_trans_wrapped_desKey); ++ } ++ ++ StringBuffer sb = new StringBuffer(); ++ sb.append(IRemoteRequest.RESPONSE_STATUS + "=0&"); ++ sb.append(IRemoteRequest.TKS_RESPONSE_SessionKey + "="); ++ sb.append(outputString); ++ ++ //Now add the trans wrapped des key ++ 
++ if (drm_trans_wrapped_desKeyString != null) { ++ sb.append("&" + IRemoteRequest.TKS_RESPONSE_DRM_Trans_DesKey + "="); ++ sb.append(drm_trans_wrapped_desKeyString); ++ } ++ ++ if (dek_wrapped_desKeyString != null) { ++ sb.append("&" + IRemoteRequest.TKS_RESPONSE_KEK_DesKey + "="); ++ sb.append(dek_wrapped_desKeyString); ++ } ++ ++ if (keycheck_s != null) { ++ sb.append("&" + IRemoteRequest.TKS_RESPONSE_KeyCheck + "="); ++ sb.append(keycheck_s); ++ } ++ ++ value = sb.toString(); ++ } else { ++ StringBuffer sb = new StringBuffer(); ++ sb.append(IRemoteRequest.RESPONSE_STATUS + "=0&"); ++ sb.append(IRemoteRequest.TKS_RESPONSE_SessionKey + "="); ++ sb.append(outputString); ++ value = sb.toString(); ++ } ++ ++ } ++ ++ //CMS.debug("TokenServlet:outputString.encode " + value); ++ ++ try { ++ resp.setContentLength(value.length()); ++ CMS.debug("TokenServlet:outputString.length " + value.length()); ++ OutputStream ooss = resp.getOutputStream(); ++ ooss.write(value.getBytes()); ++ ooss.flush(); ++ mRenderResult = false; ++ } catch (IOException e) { ++ CMS.debug("TokenServlet: " + e.toString()); ++ } ++ ++ if (status.equals("0")) { ++ ++ String[] logParams = { log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded ++ log_string_from_specialDecoded_byte_array(xKDD), // KDD_decoded ++ ILogger.SUCCESS, // Outcome ++ status, // status ++ agentId, // AgentID ++ isCryptoValidate ? "true" : "false", // IsCryptoValidate ++ serversideKeygen ? 
"true" : "false", // IsServerSideKeygen ++ selectedToken, // SelectedToken ++ keyNickName, // KeyNickName ++ keySet, // TKSKeyset ++ log_string_from_keyInfo(keyInfo), // KeyInfo_KeyVersion ++ "0x" + Integer.toHexString(nistSP800_108KdfOnKeyVersion & 0x000000FF), // NistSP800_108KdfOnKeyVersion ++ Boolean.toString(nistSP800_108KdfUseCuidAsKdd) // NistSP800_108KdfUseCuidAsKdd ++ }; ++ auditMessage = CMS.getLogMessage(AuditEvent.COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, ++ logParams); ++ ++ } else { ++ ++ String[] logParams = { log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded ++ log_string_from_specialDecoded_byte_array(xKDD), // KDD_decoded ++ ILogger.FAILURE, // Outcome ++ status, // status ++ agentId, // AgentID ++ isCryptoValidate ? "true" : "false", // IsCryptoValidate ++ serversideKeygen ? "true" : "false", // IsServerSideKeygen ++ selectedToken, // SelectedToken ++ keyNickName, // KeyNickName ++ keySet, // TKSKeyset ++ log_string_from_keyInfo(keyInfo), // KeyInfo_KeyVersion ++ "0x" + Integer.toHexString(nistSP800_108KdfOnKeyVersion & 0x000000FF), // NistSP800_108KdfOnKeyVersion ++ Boolean.toString(nistSP800_108KdfUseCuidAsKdd), // NistSP800_108KdfUseCuidAsKdd ++ errorMsg // Error ++ }; ++ auditMessage = CMS.getLogMessage(AuditEvent.COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE, ++ logParams); ++ } ++ ++ audit(auditMessage); ++ ++ } ++ ++ private void processComputeSessionKey(HttpServletRequest req, ++ HttpServletResponse resp) throws EBaseException { ++ byte[] card_challenge, host_challenge, keyInfo, xCUID, session_key, xKDD; // AC: KDF SPEC CHANGE: removed duplicative 'CUID' variable and added xKDD ++ ++ // AC: KDF SPEC CHANGE - new config file values (needed for symkey) ++ byte nistSP800_108KdfOnKeyVersion = (byte) 0xff; ++ boolean nistSP800_108KdfUseCuidAsKdd = false; ++ ++ byte[] card_crypto, host_cryptogram, input_card_crypto; ++ byte[] xcard_challenge, xhost_challenge; ++ byte[] enc_session_key, xkeyInfo; ++ String auditMessage = 
null; ++ String errorMsg = ""; ++ String badParams = ""; ++ String transportKeyName = ""; ++ String rCUID = req.getParameter(IRemoteRequest.TOKEN_CUID); ++ ++ // AC: KDF SPEC CHANGE - read new KDD parameter from TPS ++ String rKDD = req.getParameter("KDD"); ++ if ((rKDD == null) || (rKDD.length() == 0)) { ++ // KDF phase1: default to rCUID if not present ++ CMS.debug("TokenServlet: KDD not supplied, set to CUID before TPS change"); ++ rKDD = rCUID; ++ } ++ ++ String keySet = req.getParameter(IRemoteRequest.TOKEN_KEYSET); ++ if (keySet == null || keySet.equals("")) { ++ keySet = "defKeySet"; ++ } ++ CMS.debug("keySet selected: " + keySet); ++ ++ boolean serversideKeygen = false; ++ byte[] drm_trans_wrapped_desKey = null; ++ SymmetricKey desKey = null; ++ // PK11SymKey kek_session_key; ++ SymmetricKey kek_key; ++ ++ IConfigStore sconfig = CMS.getConfigStore(); ++ boolean isCryptoValidate = true; ++ boolean missingParam = false; ++ ++ // AC: KDF SPEC CHANGE - flag for if there is an error reading our new setting ++ Exception missingSetting_exception = null; ++ ++ session_key = null; ++ card_crypto = null; ++ host_cryptogram = null; ++ enc_session_key = null; ++ // kek_session_key = null; ++ ++ SessionContext sContext = SessionContext.getContext(); ++ ++ String agentId = ""; ++ if (sContext != null) { ++ agentId = ++ (String) sContext.get(SessionContext.USER_ID); ++ } ++ ++ // AC: KDF SPEC CHANGE: Need to log both KDD and CUID ++ auditMessage = CMS.getLogMessage( ++ AuditEvent.COMPUTE_SESSION_KEY_REQUEST, ++ rCUID, ++ rKDD, // AC: KDF SPEC CHANGE - Log both CUID and KDD. 
++ ILogger.SUCCESS, ++ agentId); ++ ++ audit(auditMessage); ++ ++ String kek_wrapped_desKeyString = null; ++ String keycheck_s = null; ++ ++ CMS.debug("processComputeSessionKey:"); ++ String useSoftToken_s = CMS.getConfigStore().getString("tks.useSoftToken", "true"); ++ if (!useSoftToken_s.equalsIgnoreCase("true")) ++ useSoftToken_s = "false"; ++ ++ String rServersideKeygen = req.getParameter(IRemoteRequest.SERVER_SIDE_KEYGEN); ++ if (rServersideKeygen.equals("true")) { ++ CMS.debug("TokenServlet: serversideKeygen requested"); ++ serversideKeygen = true; ++ } else { ++ CMS.debug("TokenServlet: serversideKeygen not requested"); ++ } ++ ++ try { ++ isCryptoValidate = sconfig.getBoolean("cardcryptogram.validate.enable", true); ++ } catch (EBaseException eee) { ++ } ++ ++ transportKeyName = getSharedSecretName(sconfig); ++ ++ String rcard_challenge = req.getParameter(IRemoteRequest.TOKEN_CARD_CHALLENGE); ++ String rhost_challenge = req.getParameter(IRemoteRequest.TOKEN_HOST_CHALLENGE); ++ String rKeyInfo = req.getParameter(IRemoteRequest.TOKEN_KEYINFO); ++ String rcard_cryptogram = req.getParameter(IRemoteRequest.TOKEN_CARD_CRYPTOGRAM); ++ if ((rCUID == null) || (rCUID.equals(""))) { ++ CMS.debug("TokenServlet: ComputeSessionKey(): missing request parameter: CUID"); ++ badParams += " CUID,"; ++ missingParam = true; ++ } ++ ++ // AC: KDF SPEC CHANGE - read new KDD parameter from TPS ++ if ((rKDD == null) || (rKDD.length() == 0)) { ++ CMS.debug("TokenServlet: ComputeSessionKey(): missing request parameter: KDD"); ++ badParams += " KDD,"; ++ missingParam = true; ++ } ++ ++ if ((rcard_challenge == null) || (rcard_challenge.equals(""))) { ++ badParams += " card_challenge,"; ++ CMS.debug("TokenServlet: ComputeSessionKey(): missing request parameter: card challenge"); ++ missingParam = true; ++ } ++ ++ if ((rhost_challenge == null) || (rhost_challenge.equals(""))) { ++ badParams += " host_challenge,"; ++ CMS.debug("TokenServlet: ComputeSessionKey(): missing request parameter: 
host challenge"); ++ missingParam = true; ++ } ++ ++ if ((rKeyInfo == null) || (rKeyInfo.equals(""))) { ++ badParams += " KeyInfo,"; ++ CMS.debug("TokenServlet: ComputeSessionKey(): missing request parameter: key info"); ++ missingParam = true; ++ } ++ ++ String selectedToken = null; ++ String keyNickName = null; ++ boolean sameCardCrypto = true; ++ ++ // AC: KDF SPEC CHANGE ++ xCUID = null; // avoid errors about non-initialization ++ xKDD = null; // avoid errors about non-initialization ++ xkeyInfo = null; // avoid errors about non-initialization ++ ++ if (!missingParam) { ++ ++ xCUID = com.netscape.cmsutil.util.Utils.SpecialDecode(rCUID); ++ if (xCUID == null || xCUID.length != 10) { ++ badParams += " CUID length,"; ++ CMS.debug("TokenServlet: Invalid CUID length"); ++ missingParam = true; ++ } ++ ++ // AC: KDF SPEC CHANGE - read new KDD parameter from TPS ++ xKDD = com.netscape.cmsutil.util.Utils.SpecialDecode(rKDD); ++ if (xKDD == null || xKDD.length != 10) { ++ badParams += " KDD length,"; ++ CMS.debug("TokenServlet: Invalid KDD length"); ++ missingParam = true; ++ } ++ ++ xkeyInfo = com.netscape.cmsutil.util.Utils.SpecialDecode(rKeyInfo); ++ if (xkeyInfo == null || xkeyInfo.length != 2) { ++ badParams += " KeyInfo length,"; ++ CMS.debug("TokenServlet: Invalid key info length."); ++ missingParam = true; ++ } ++ xcard_challenge = ++ com.netscape.cmsutil.util.Utils.SpecialDecode(rcard_challenge); ++ if (xcard_challenge == null || xcard_challenge.length != 8) { ++ badParams += " card_challenge length,"; ++ CMS.debug("TokenServlet: Invalid card challenge length."); ++ missingParam = true; ++ } ++ ++ xhost_challenge = com.netscape.cmsutil.util.Utils.SpecialDecode(rhost_challenge); ++ if (xhost_challenge == null || xhost_challenge.length != 8) { ++ badParams += " host_challenge length,"; ++ CMS.debug("TokenServlet: Invalid host challenge length"); ++ missingParam = true; ++ } ++ ++ } ++ ++ if (!missingParam) { ++ card_challenge = ++ 
com.netscape.cmsutil.util.Utils.SpecialDecode(rcard_challenge); ++ ++ host_challenge = com.netscape.cmsutil.util.Utils.SpecialDecode(rhost_challenge); ++ keyInfo = com.netscape.cmsutil.util.Utils.SpecialDecode(rKeyInfo); ++ ++ // AC: KDF SPEC CHANGE - read new config file values (needed for symkey) ++ //ToDo: Will use these values after completing next ticket ++ try { ++ nistSP800_108KdfOnKeyVersion = TokenServlet.read_setting_nistSP800_108KdfOnKeyVersion(keySet); ++ nistSP800_108KdfUseCuidAsKdd = TokenServlet.read_setting_nistSP800_108KdfUseCuidAsKdd(keySet); ++ ++ // log settings read in to debug log along with xkeyInfo ++ CMS.debug("TokenServlet: ComputeSessionKey(): xkeyInfo[0] = 0x" ++ + Integer.toHexString((xkeyInfo[0]) & 0x0000000FF) ++ + ", xkeyInfo[1] = 0x" ++ + Integer.toHexString((xkeyInfo[1]) & 0x0000000FF) ++ ); ++ CMS.debug("TokenServlet: ComputeSessionKey(): Nist SP800-108 KDF will be used for key versions >= 0x" ++ + Integer.toHexString((nistSP800_108KdfOnKeyVersion) & 0x0000000FF) ++ ); ++ if (nistSP800_108KdfUseCuidAsKdd == true) { ++ CMS.debug("TokenServlet: ComputeSessionKey(): Nist SP800-108 KDF (if used) will use CUID instead of KDD."); ++ } else { ++ CMS.debug("TokenServlet: ComputeSessionKey(): Nist SP800-108 KDF (if used) will use KDD."); ++ } ++ // conform to the set-an-error-flag mentality ++ } catch (Exception e) { ++ missingSetting_exception = e; ++ CMS.debug("TokenServlet: ComputeSessionKey(): Exception reading Nist SP800-108 KDF config values: " ++ + e.toString()); ++ } ++ ++ String keyInfoMap = "tks." + keySet + ".mk_mappings." 
+ rKeyInfo; //#xx#xx ++ String mappingValue = CMS.getConfigStore().getString(keyInfoMap, null); ++ if (mappingValue == null) { ++ selectedToken = ++ CMS.getConfigStore().getString("tks.defaultSlot", CryptoUtil.INTERNAL_TOKEN_NAME); ++ keyNickName = rKeyInfo; ++ } else { ++ StringTokenizer st = new StringTokenizer(mappingValue, ":"); ++ if (st.hasMoreTokens()) ++ selectedToken = st.nextToken(); ++ if (st.hasMoreTokens()) ++ keyNickName = st.nextToken(); ++ } ++ ++ if (selectedToken != null && keyNickName != null ++ // AC: KDF SPEC CHANGE - check for error flag ++ && missingSetting_exception == null) { ++ ++ try { ++ ++ byte macKeyArray[] = ++ com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks." ++ + keySet + ".mac_key")); ++ CMS.debug("TokenServlet about to try ComputeSessionKey selectedToken=" ++ + selectedToken + " keyNickName=" + keyNickName); ++ ++ SecureChannelProtocol protocol = new SecureChannelProtocol(); ++ SymmetricKey macKey = protocol.computeSessionKey_SCP01(SecureChannelProtocol.macType, ++ selectedToken, ++ keyNickName, card_challenge, ++ host_challenge, keyInfo, nistSP800_108KdfOnKeyVersion, nistSP800_108KdfUseCuidAsKdd, xCUID, ++ xKDD, macKeyArray, useSoftToken_s, keySet, transportKeyName); ++ ++ session_key = protocol.wrapSessionKey(selectedToken, macKey, null); ++ ++ if (session_key == null) { ++ CMS.debug("TokenServlet:Tried ComputeSessionKey, got NULL "); ++ throw new Exception("Can't compute session key!"); ++ ++ } ++ ++ byte encKeyArray[] = ++ com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks." 
++ + keySet + ".auth_key")); ++ SymmetricKey encKey = protocol.computeSessionKey_SCP01(SecureChannelProtocol.encType, ++ selectedToken, ++ keyNickName, card_challenge, host_challenge, keyInfo, nistSP800_108KdfOnKeyVersion, ++ nistSP800_108KdfUseCuidAsKdd, xCUID, xKDD, encKeyArray, useSoftToken_s, keySet, ++ transportKeyName); ++ ++ enc_session_key = protocol.wrapSessionKey(selectedToken, encKey, null); ++ ++ if (enc_session_key == null) { ++ CMS.debug("TokenServlet:Tried ComputeEncSessionKey, got NULL "); ++ throw new Exception("Can't compute enc session key!"); ++ ++ } ++ ++ if (serversideKeygen == true) { ++ ++ /** ++ * 0. generate des key ++ * 1. encrypt des key with kek key ++ * 2. encrypt des key with DRM transport key ++ * These two wrapped items are to be sent back to ++ * TPS. 2nd item is to DRM ++ **/ ++ CMS.debug("TokenServlet: calling ComputeKekKey"); ++ ++ byte kekKeyArray[] = ++ com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks." ++ + keySet + ".kek_key")); ++ ++ kek_key = protocol.computeKEKKey_SCP01(selectedToken, ++ keyNickName, ++ keyInfo, nistSP800_108KdfOnKeyVersion, nistSP800_108KdfUseCuidAsKdd, ++ xCUID, ++ xKDD, kekKeyArray, useSoftToken_s, keySet, transportKeyName); ++ ++ CMS.debug("TokenServlet: called ComputeKekKey"); ++ ++ if (kek_key == null) { ++ CMS.debug("TokenServlet:Tried ComputeKekKey, got NULL "); ++ throw new Exception("Can't compute kek key!"); ++ ++ } ++ // now use kek key to wrap kek session key.. ++ CMS.debug("computeSessionKey:kek key len =" + ++ kek_key.getLength()); ++ ++ // (1) generate DES key ++ /* applet does not support DES3 ++ org.mozilla.jss.crypto.KeyGenerator kg = ++ internalToken.getKeyGenerator(KeyGenAlgorithm.DES3); ++ desKey = kg.generate();*/ ++ ++ /* ++ * GenerateSymkey firt generates a 16 byte DES2 key. ++ * It then pads it into a 24 byte key with last ++ * 8 bytes copied from the 1st 8 bytes. Effectively ++ * making it a 24 byte DES2 key. 
We need this for ++ * wrapping private keys on DRM. ++ */ ++ /*generate it on whichever token the master key is at*/ ++ if (useSoftToken_s.equals("true")) { ++ CMS.debug("TokenServlet: key encryption key generated on internal"); ++ //cfu audit here? sym key gen ++ ++ desKey = protocol.generateSymKey(CryptoUtil.INTERNAL_TOKEN_NAME); ++ //cfu audit here? sym key gen done ++ } else { ++ CMS.debug("TokenServlet: key encryption key generated on " + selectedToken); ++ desKey = protocol.generateSymKey(selectedToken); ++ } ++ if (desKey != null) { ++ // AC: KDF SPEC CHANGE - Output using CUID and KDD ++ CMS.debug("TokenServlet: key encryption key generated for CUID=" + ++ trim(pp.toHexString(xCUID)) + ++ ", KDD=" + ++ trim(pp.toHexString(xKDD))); ++ } else { ++ // AC: KDF SPEC CHANGE - Output using CUID and KDD ++ CMS.debug("TokenServlet: key encryption key generation failed for CUID=" + ++ trim(pp.toHexString(xCUID)) + ++ ", KDD=" + ++ trim(pp.toHexString(xKDD))); ++ ++ throw new Exception("can't generate key encryption key"); ++ } ++ ++ /* ++ * ECBencrypt actually takes the 24 byte DES2 key ++ * and discard the last 8 bytes before it encrypts. 
++ * This is done so that the applet can digest it ++ */ ++ ++ byte[] encDesKey = protocol.ecbEncrypt(kek_key, desKey, selectedToken); ++ ++ /* ++ CMS.debug("computeSessionKey:encrypted desKey size = "+encDesKey.length); ++ CMS.debug(encDesKey); ++ */ ++ ++ kek_wrapped_desKeyString = ++ com.netscape.cmsutil.util.Utils.SpecialEncode(encDesKey); ++ ++ // get keycheck ++ ++ byte[] keycheck = protocol.computeKeyCheck(desKey, selectedToken); ++ /* ++ CMS.debug("computeSessionKey:keycheck size = "+keycheck.length); ++ CMS.debug(keycheck); ++ */ ++ keycheck_s = ++ com.netscape.cmsutil.util.Utils.SpecialEncode(keycheck); ++ ++ //use DRM transport cert to wrap desKey ++ String drmTransNickname = CMS.getConfigStore().getString("tks.drm_transport_cert_nickname", ""); ++ ++ if ((drmTransNickname == null) || (drmTransNickname == "")) { ++ CMS.debug("TokenServlet:did not find DRM transport certificate nickname"); ++ throw new Exception("can't find DRM transport certificate nickname"); ++ } else { ++ CMS.debug("TokenServlet:drmtransport_cert_nickname=" + drmTransNickname); ++ } ++ ++ X509Certificate drmTransCert = null; ++ drmTransCert = CryptoManager.getInstance().findCertByNickname(drmTransNickname); ++ // wrap kek session key with DRM transport public key ++ CryptoToken token = null; ++ if (useSoftToken_s.equals("true")) { ++ token = CryptoUtil.getCryptoToken(null); ++ } else { ++ token = CryptoUtil.getCryptoToken(selectedToken); ++ } ++ PublicKey pubKey = drmTransCert.getPublicKey(); ++ String pubKeyAlgo = pubKey.getAlgorithm(); ++ CMS.debug("Transport Cert Key Algorithm: " + pubKeyAlgo); ++ KeyWrapper keyWrapper = null; ++ //For wrapping symmetric keys don't need IV, use ECB ++ if (pubKeyAlgo.equals("EC")) { ++ keyWrapper = token.getKeyWrapper(KeyWrapAlgorithm.AES_ECB); ++ keyWrapper.initWrap(pubKey, null); ++ } else { ++ keyWrapper = token.getKeyWrapper(KeyWrapAlgorithm.RSA); ++ keyWrapper.initWrap(pubKey, null); ++ } ++ CMS.debug("desKey token " + 
desKey.getOwningToken().getName() + " token: " + token.getName()); ++ drm_trans_wrapped_desKey = keyWrapper.wrap(desKey); ++ CMS.debug("computeSessionKey:desKey wrapped with drm transportation key."); ++ ++ } // if (serversideKeygen == true) ++ ++ byte authKeyArray[] = ++ com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks." ++ + keySet + ".auth_key")); ++ ++ host_cryptogram = protocol.computeCryptogram_SCP01(selectedToken, keyNickName, card_challenge, ++ host_challenge, ++ xkeyInfo, nistSP800_108KdfOnKeyVersion, nistSP800_108KdfUseCuidAsKdd, xCUID, xKDD, SecureChannelProtocol.HOST_CRYPTOGRAM, ++ authKeyArray, useSoftToken_s, keySet, transportKeyName); ++ ++ if (host_cryptogram == null) { ++ CMS.debug("TokenServlet:Tried ComputeCryptogram, got NULL "); ++ throw new Exception("Can't compute host cryptogram!"); ++ ++ } ++ ++ card_crypto = protocol.computeCryptogram_SCP01(selectedToken, keyNickName, card_challenge, ++ host_challenge, xkeyInfo, nistSP800_108KdfOnKeyVersion, nistSP800_108KdfUseCuidAsKdd, ++ xCUID, xKDD, SecureChannelProtocol.CARD_CRYPTOGRAM, authKeyArray, useSoftToken_s, keySet, transportKeyName); ++ ++ if (card_crypto == null) { ++ CMS.debug("TokenServlet:Tried ComputeCryptogram, got NULL "); ++ throw new Exception("Can't compute card cryptogram!"); ++ ++ } ++ ++ if (isCryptoValidate) { ++ if (rcard_cryptogram == null) { ++ CMS.debug("TokenServlet: ComputeCryptogram(): missing card cryptogram"); ++ throw new Exception("Missing card cryptogram"); ++ } ++ input_card_crypto = ++ com.netscape.cmsutil.util.Utils.SpecialDecode(rcard_cryptogram); ++ ++ //SecureChannelProtocol.debugByteArray(input_card_crypto, "input_card_crypto"); ++ //SecureChannelProtocol.debugByteArray(card_crypto, "card_crypto"); ++ ++ if (card_crypto.length == input_card_crypto.length) { ++ for (int i = 0; i < card_crypto.length; i++) { ++ if (card_crypto[i] != input_card_crypto[i]) { ++ sameCardCrypto = false; ++ break; ++ } ++ } ++ } else { ++ // different length; must 
be different ++ sameCardCrypto = false; ++ } ++ } ++ ++ // AC: KDF SPEC CHANGE - print both KDD and CUID ++ CMS.getLogger().log(ILogger.EV_AUDIT, ++ ILogger.S_TKS, ++ ILogger.LL_INFO, "processComputeSessionKey for CUID=" + ++ trim(pp.toHexString(xCUID)) + ++ ", KDD=" + ++ trim(pp.toHexString(xKDD))); ++ } catch (Exception e) { ++ CMS.debug(e); ++ CMS.debug("TokenServlet Computing Session Key: " + e.toString()); ++ if (isCryptoValidate) ++ sameCardCrypto = false; ++ } ++ } ++ } // ! missingParam ++ ++ String value = ""; ++ ++ resp.setContentType("text/html"); ++ ++ String outputString = ""; ++ String encSessionKeyString = ""; ++ String drm_trans_wrapped_desKeyString = ""; ++ String cryptogram = ""; ++ String status = "0"; ++ if (session_key != null && session_key.length > 0) { ++ outputString = ++ com.netscape.cmsutil.util.Utils.SpecialEncode(session_key); ++ } else { ++ ++ status = "1"; ++ } ++ ++ if (enc_session_key != null && enc_session_key.length > 0) { ++ encSessionKeyString = ++ com.netscape.cmsutil.util.Utils.SpecialEncode(enc_session_key); ++ } else { ++ status = "1"; ++ } ++ ++ if (serversideKeygen == true) { ++ if (drm_trans_wrapped_desKey != null && drm_trans_wrapped_desKey.length > 0) ++ drm_trans_wrapped_desKeyString = ++ com.netscape.cmsutil.util.Utils.SpecialEncode(drm_trans_wrapped_desKey); ++ else { ++ status = "1"; ++ } ++ } ++ ++ if (host_cryptogram != null && host_cryptogram.length > 0) { ++ cryptogram = ++ com.netscape.cmsutil.util.Utils.SpecialEncode(host_cryptogram); ++ } else { ++ // AC: Bugfix: Don't override status's value if an error was already flagged ++ if (status.equals("0") == true) { ++ status = "2"; ++ } ++ } ++ ++ if (selectedToken == null || keyNickName == null) { ++ // AC: Bugfix: Don't override status's value if an error was already flagged ++ if (status.equals("0") == true) { ++ status = "4"; ++ } ++ } ++ ++ if (!sameCardCrypto) { ++ // AC: Bugfix: Don't override status's value if an error was already flagged ++ if 
(status.equals("0") == true) { ++ // AC: Bugfix: Don't mis-represent host cryptogram mismatch errors as TPS parameter issues ++ status = "5"; ++ } ++ } ++ ++ // AC: KDF SPEC CHANGE - check for settings file issue (flag) ++ if (missingSetting_exception != null) { ++ // AC: Intentionally override previous errors if config file settings were missing. ++ status = "6"; ++ } ++ ++ if (missingParam) { ++ // AC: Intentionally override previous errors if parameters were missing. ++ status = "3"; ++ } ++ ++ if (!status.equals("0")) { ++ ++ if (status.equals("1")) { ++ errorMsg = "Problem generating session key info."; ++ } ++ ++ if (status.equals("2")) { ++ errorMsg = "Problem creating host_cryptogram."; ++ } ++ ++ // AC: Bugfix: Don't mis-represent card cryptogram mismatch errors as TPS parameter issues ++ if (status.equals("5")) { ++ errorMsg = "Card cryptogram mismatch. Token likely has incorrect keys."; ++ } ++ ++ if (status.equals("4")) { ++ errorMsg = "Problem obtaining token information."; ++ } ++ ++ // AC: KDF SPEC CHANGE - handle missing configuration item ++ if (status.equals("6")) { ++ errorMsg = "Problem reading required configuration value."; ++ } ++ ++ if (status.equals("3")) { ++ if (badParams.endsWith(",")) { ++ badParams = badParams.substring(0, badParams.length() - 1); ++ } ++ errorMsg = "Missing input parameters :" + badParams; ++ } ++ ++ value = IRemoteRequest.RESPONSE_STATUS + "=" + status; ++ } else { ++ if (serversideKeygen == true) { ++ StringBuffer sb = new StringBuffer(); ++ sb.append(IRemoteRequest.RESPONSE_STATUS + "=0&"); ++ sb.append(IRemoteRequest.TKS_RESPONSE_SessionKey + "="); ++ sb.append(outputString); ++ sb.append("&" + IRemoteRequest.TKS_RESPONSE_HostCryptogram + "="); ++ sb.append(cryptogram); ++ sb.append("&" + IRemoteRequest.TKS_RESPONSE_EncSessionKey + "="); ++ sb.append(encSessionKeyString); ++ sb.append("&" + IRemoteRequest.TKS_RESPONSE_KEK_DesKey + "="); ++ sb.append(kek_wrapped_desKeyString); ++ sb.append("&" + 
IRemoteRequest.TKS_RESPONSE_KeyCheck + "="); ++ sb.append(keycheck_s); ++ sb.append("&" + IRemoteRequest.TKS_RESPONSE_DRM_Trans_DesKey + "="); ++ sb.append(drm_trans_wrapped_desKeyString); ++ value = sb.toString(); ++ } else { ++ ++ StringBuffer sb = new StringBuffer(); ++ sb.append(IRemoteRequest.RESPONSE_STATUS + "=0&"); ++ sb.append(IRemoteRequest.TKS_RESPONSE_SessionKey + "="); ++ sb.append(outputString); ++ sb.append("&" + IRemoteRequest.TKS_RESPONSE_HostCryptogram + "="); ++ sb.append(cryptogram); ++ sb.append("&" + IRemoteRequest.TKS_RESPONSE_EncSessionKey + "="); ++ sb.append(encSessionKeyString); ++ value = sb.toString(); ++ } ++ ++ } ++ //CMS.debug("TokenServlet:outputString.encode " + value); ++ ++ try { ++ resp.setContentLength(value.length()); ++ CMS.debug("TokenServlet:outputString.length " + value.length()); ++ OutputStream ooss = resp.getOutputStream(); ++ ooss.write(value.getBytes()); ++ ooss.flush(); ++ mRenderResult = false; ++ } catch (IOException e) { ++ CMS.debug("TokenServlet: " + e.toString()); ++ } ++ ++ if (status.equals("0")) { ++ // AC: KDF SPEC CHANGE - Log both CUID and KDD. ++ // Also added TKSKeyset, KeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd ++ // Finally, log CUID and KDD in ASCII-HEX format, as long as special-decoded version is available. ++ String[] logParams = { log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded ++ log_string_from_specialDecoded_byte_array(xKDD), // KDD_decoded ++ ILogger.SUCCESS, // Outcome ++ status, // status ++ agentId, // AgentID ++ isCryptoValidate ? "true" : "false", // IsCryptoValidate ++ serversideKeygen ? 
"true" : "false", // IsServerSideKeygen ++ selectedToken, // SelectedToken ++ keyNickName, // KeyNickName ++ keySet, // TKSKeyset ++ log_string_from_keyInfo(xkeyInfo), // KeyInfo_KeyVersion ++ "0x" + Integer.toHexString(nistSP800_108KdfOnKeyVersion & 0x000000FF), // NistSP800_108KdfOnKeyVersion ++ Boolean.toString(nistSP800_108KdfUseCuidAsKdd) // NistSP800_108KdfUseCuidAsKdd ++ }; ++ auditMessage = CMS.getLogMessage(AuditEvent.COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, ++ logParams); ++ ++ } else { ++ // AC: KDF SPEC CHANGE - Log both CUID and KDD ++ // Also added TKSKeyset, KeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd ++ // Finally, log CUID and KDD in ASCII-HEX format, as long as special-decoded version is available. ++ String[] logParams = { log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded ++ log_string_from_specialDecoded_byte_array(xKDD), // KDD_decoded ++ ILogger.FAILURE, // Outcome ++ status, // status ++ agentId, // AgentID ++ isCryptoValidate ? "true" : "false", // IsCryptoValidate ++ serversideKeygen ? "true" : "false", // IsServerSideKeygen ++ selectedToken, // SelectedToken ++ keyNickName, // KeyNickName ++ keySet, // TKSKeyset ++ log_string_from_keyInfo(xkeyInfo), // KeyInfo_KeyVersion ++ "0x" + Integer.toHexString(nistSP800_108KdfOnKeyVersion & 0x000000FF), // NistSP800_108KdfOnKeyVersion ++ Boolean.toString(nistSP800_108KdfUseCuidAsKdd), // NistSP800_108KdfUseCuidAsKdd ++ errorMsg // Error ++ }; ++ auditMessage = CMS.getLogMessage(AuditEvent.COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE, ++ logParams); ++ ++ } ++ ++ audit(auditMessage); ++ } ++ ++ // This method will return the shared secret name. In new 10.1 subsystems, this ++ // name will be stored in tps.X.nickname. ++ // ++ // Until multiple TKS/TPS connections is fully supported, this method will just ++ // return the first shared secret nickname found, on the assumption that only ++ // one nickname will be configured. 
This will have to be changed to return the correct ++ // key based on some parameter in the request in future. ++ // ++ // On legacy systems, this method just returns what was previously returned. ++ private String getSharedSecretName(IConfigStore cs) throws EBaseException { ++ boolean useNewNames = cs.getBoolean("tks.useNewSharedSecretNames", false); ++ ++ if (useNewNames) { ++ String tpsList = cs.getString("tps.list", ""); ++ String firstSharedSecretName = null; ++ if (!tpsList.isEmpty()) { ++ for (String tpsID : tpsList.split(",")) { ++ String sharedSecretName = cs.getString("tps." + tpsID + ".nickname", ""); ++ ++ // This one will be a fall back in case we can't get a specific one ++ if (firstSharedSecretName == null) { ++ firstSharedSecretName = sharedSecretName; ++ } ++ ++ if (!sharedSecretName.isEmpty()) { ++ if (mCurrentUID != null) { ++ String csUid = cs.getString("tps." + tpsID + ".userid", ""); ++ ++ if (mCurrentUID.equalsIgnoreCase(csUid)) { ++ CMS.debug("TokenServlet.getSharedSecretName: found a match of the user id! " + csUid); ++ return sharedSecretName; ++ } ++ } ++ } ++ } ++ ++ if (firstSharedSecretName != null) { ++ //Return the first in the list if we couldn't isolate one ++ return firstSharedSecretName; ++ } ++ } ++ CMS.debug("getSharedSecretName: no shared secret has been configured"); ++ throw new EBaseException("No shared secret has been configured"); ++ } ++ ++ // legacy system - return as before ++ return cs.getString("tks.tksSharedSymKeyName", TRANSPORT_KEY_NAME); ++ } ++ ++ //Accepts protocol param and supports scp03. ++ private void processDiversifyKey(HttpServletRequest req, ++ HttpServletResponse resp) throws EBaseException { ++ ++ String method = "TokenServlet.processDiversifyKey: "; ++ byte[] KeySetData, xCUID, xKDD; // AC: KDF SPEC CHANGE: removed duplicative 'CUID' variable and added xKDD ++ ++ // AC: BUGFIX: Record the actual parameters to DiversifyKey in the audit log. 
++ String oldKeyNickName = null; ++ String newKeyNickName = null; ++ ++ // AC: KDF SPEC CHANGE - new config file values (needed for symkey) ++ byte nistSP800_108KdfOnKeyVersion = (byte) 0xff; ++ boolean nistSP800_108KdfUseCuidAsKdd = false; ++ ++ // AC: BUGFIX for key versions higher than 09: We need to initialize these variables in order for the compiler not to complain when we pass them to DiversifyKey. ++ byte[] xkeyInfo = null, xnewkeyInfo = null; ++ ++ // AC: KDF SPEC CHANGE - flag for if there is an error reading our new setting ++ Exception missingSetting_exception = null; ++ ++ boolean missingParam = false; ++ String errorMsg = ""; ++ String badParams = ""; ++ byte[] xWrappedDekKey = null; ++ ++ IConfigStore sconfig = CMS.getConfigStore(); ++ String rnewKeyInfo = req.getParameter(IRemoteRequest.TOKEN_NEW_KEYINFO); ++ String newMasterKeyName = req.getParameter(IRemoteRequest.TOKEN_NEW_KEYINFO); ++ String oldMasterKeyName = req.getParameter(IRemoteRequest.TOKEN_KEYINFO); ++ String rCUID = req.getParameter(IRemoteRequest.TOKEN_CUID); ++ ++ // AC: KDF SPEC CHANGE - read new KDD parameter from TPS ++ String rKDD = req.getParameter("KDD"); ++ if ((rKDD == null) || (rKDD.length() == 0)) { ++ // temporarily make it friendly before TPS change ++ CMS.debug("TokenServlet: KDD not supplied, set to CUID before TPS change"); ++ rKDD = rCUID; ++ } ++ ++ String rProtocol = req.getParameter(IRemoteRequest.CHANNEL_PROTOCOL); ++ String rWrappedDekKey = req.getParameter(IRemoteRequest.WRAPPED_DEK_SESSION_KEY); ++ ++ CMS.debug(method + "rWrappedDekKey: " + rWrappedDekKey); ++ ++ int protocol = 1; ++ String auditMessage = ""; ++ ++ String keySet = req.getParameter(IRemoteRequest.TOKEN_KEYSET); ++ if (keySet == null || keySet.equals("")) { ++ keySet = "defKeySet"; ++ } ++ CMS.debug("keySet selected: " + keySet); ++ ++ SessionContext sContext = SessionContext.getContext(); ++ ++ String agentId = ""; ++ if (sContext != null) { ++ agentId = ++ (String) 
sContext.get(SessionContext.USER_ID); ++ } ++ ++ // AC: KDF SPEC CHANGE: Need to log both KDD and CUID ++ auditMessage = CMS.getLogMessage( ++ AuditEvent.DIVERSIFY_KEY_REQUEST, ++ rCUID, ++ rKDD, // AC: KDF SPEC CHANGE - Log both CUID and KDD. ++ ILogger.SUCCESS, ++ agentId, ++ oldMasterKeyName, ++ newMasterKeyName); ++ ++ audit(auditMessage); ++ ++ if ((rCUID == null) || (rCUID.equals(""))) { ++ badParams += " CUID,"; ++ CMS.debug("TokenServlet: processDiversifyKey(): missing request parameter: CUID"); ++ missingParam = true; ++ } ++ ++ // AC: KDF SPEC CHANGE - read new KDD parameter from TPS ++ if ((rKDD == null) || (rKDD.length() == 0)) { ++ CMS.debug("TokenServlet: processDiversifyKey(): missing request parameter: KDD"); ++ badParams += " KDD,"; ++ missingParam = true; ++ } ++ ++ if ((rnewKeyInfo == null) || (rnewKeyInfo.equals(""))) { ++ badParams += " newKeyInfo,"; ++ CMS.debug("TokenServlet: processDiversifyKey(): missing request parameter: newKeyInfo"); ++ missingParam = true; ++ } ++ if ((oldMasterKeyName == null) || (oldMasterKeyName.equals(""))) { ++ badParams += " KeyInfo,"; ++ CMS.debug("TokenServlet: processDiversifyKey(): missing request parameter: KeyInfo"); ++ missingParam = true; ++ } ++ ++ // AC: KDF SPEC CHANGE ++ xCUID = null; // avoid errors about non-initialization ++ xKDD = null; // avoid errors about non-initialization ++ xkeyInfo = null; // avoid errors about non-initialization ++ xnewkeyInfo = null; // avoid errors about non-initialization ++ ++ if (!missingParam) { ++ xkeyInfo = com.netscape.cmsutil.util.Utils.SpecialDecode(oldMasterKeyName); ++ if (xkeyInfo == null || (xkeyInfo.length != 2 && xkeyInfo.length != 3)) { ++ badParams += " KeyInfo length,"; ++ CMS.debug("TokenServlet: Invalid key info length"); ++ missingParam = true; ++ } ++ xnewkeyInfo = com.netscape.cmsutil.util.Utils.SpecialDecode(newMasterKeyName); ++ if (xnewkeyInfo == null || (xnewkeyInfo.length != 2 && xnewkeyInfo.length != 3)) { ++ badParams += " NewKeyInfo 
length,"; ++ CMS.debug("TokenServlet: Invalid new key info length"); ++ missingParam = true; ++ } ++ ++ if (rProtocol != null) { ++ try { ++ protocol = Integer.parseInt(rProtocol); ++ } catch (NumberFormatException e) { ++ protocol = 1; ++ } ++ } ++ CMS.debug("process DiversifyKey: protocol value: " + protocol); ++ ++ if (protocol == 2) { ++ if ((rWrappedDekKey == null) || (rWrappedDekKey.equals(""))) { ++ badParams += " WrappedDekKey,"; ++ CMS.debug("TokenServlet: processDiversifyKey(): missing request parameter: WrappedDekKey, with SCP02."); ++ missingParam = true; ++ } else { ++ ++ CMS.debug("process DiversifyKey: wrappedDekKey value: " + rWrappedDekKey); ++ xWrappedDekKey = com.netscape.cmsutil.util.Utils.SpecialDecode(rWrappedDekKey); ++ } ++ ++ } ++ } ++ String useSoftToken_s = CMS.getConfigStore().getString("tks.useSoftToken", "true"); ++ if (!useSoftToken_s.equalsIgnoreCase("true")) ++ useSoftToken_s = "false"; ++ ++ KeySetData = null; ++ if (!missingParam) { ++ xCUID = com.netscape.cmsutil.util.Utils.SpecialDecode(rCUID); ++ if (xCUID == null || xCUID.length != 10) { ++ badParams += " CUID length,"; ++ CMS.debug("TokenServlet: Invalid CUID length"); ++ missingParam = true; ++ } ++ ++ // AC: KDF SPEC CHANGE - read new KDD parameter from TPS ++ xKDD = com.netscape.cmsutil.util.Utils.SpecialDecode(rKDD); ++ if (xKDD == null || xKDD.length != 10) { ++ badParams += " KDD length,"; ++ CMS.debug("TokenServlet: Invalid KDD length"); ++ missingParam = true; ++ } ++ } ++ if (!missingParam) { ++ // CUID = com.netscape.cmsutil.util.Utils.SpecialDecode(rCUID); // AC: KDF SPEC CHANGE: Removed duplicative variable/processing. 
++ ++ // AC: KDF SPEC CHANGE - read new config file values (needed for symkey) ++ ++ //ToDo: Refactor this, this same block occurs several times in the file ++ try { ++ nistSP800_108KdfOnKeyVersion = TokenServlet.read_setting_nistSP800_108KdfOnKeyVersion(keySet); ++ nistSP800_108KdfUseCuidAsKdd = TokenServlet.read_setting_nistSP800_108KdfUseCuidAsKdd(keySet); ++ ++ // log settings read in to debug log along with xkeyInfo and xnewkeyInfo ++ CMS.debug("TokenServlet: processDiversifyKey(): xkeyInfo[0] (old) = 0x" ++ + Integer.toHexString((xkeyInfo[0]) & 0x0000000FF) ++ + ", xkeyInfo[1] (old) = 0x" ++ + Integer.toHexString((xkeyInfo[1]) & 0x0000000FF) ++ + ", xnewkeyInfo[0] = 0x" ++ + Integer.toHexString((xnewkeyInfo[0]) & 0x000000FF) ++ + ", xnewkeyInfo[1] = 0x" ++ + Integer.toHexString((xnewkeyInfo[1]) & 0x000000FF) ++ ); ++ CMS.debug("TokenServlet: processDiversifyKey(): Nist SP800-108 KDF will be used for key versions >= 0x" ++ + Integer.toHexString((nistSP800_108KdfOnKeyVersion) & 0x0000000FF) ++ ); ++ if (nistSP800_108KdfUseCuidAsKdd == true) { ++ CMS.debug("TokenServlet: processDiversifyKey(): Nist SP800-108 KDF (if used) will use CUID instead of KDD."); ++ } else { ++ CMS.debug("TokenServlet: processDiversifyKey(): Nist SP800-108 KDF (if used) will use KDD."); ++ } ++ // conform to the set-an-error-flag mentality ++ } catch (Exception e) { ++ missingSetting_exception = e; ++ CMS.debug("TokenServlet: processDiversifyKey(): Exception reading Nist SP800-108 KDF config values: " ++ + e.toString()); ++ } ++ ++ if (mKeyNickName != null) ++ oldMasterKeyName = mKeyNickName; ++ if (mNewKeyNickName != null) ++ newMasterKeyName = mNewKeyNickName; ++ ++ String tokKeyInfo = req.getParameter(IRemoteRequest.TOKEN_KEYINFO); ++ ++ // Get the first 6 characters, since scp03 gives us extra characters. ++ tokKeyInfo = tokKeyInfo.substring(0,6); ++ String oldKeyInfoMap = "tks." + keySet + ".mk_mappings." 
+ tokKeyInfo; //#xx#xx ++ CMS.debug(method + " oldKeyInfoMap: " + oldKeyInfoMap); ++ String oldMappingValue = CMS.getConfigStore().getString(oldKeyInfoMap, null); ++ String oldSelectedToken = null; ++ if (oldMappingValue == null) { ++ oldSelectedToken = CMS.getConfigStore().getString("tks.defaultSlot", CryptoUtil.INTERNAL_TOKEN_NAME); ++ oldKeyNickName = req.getParameter(IRemoteRequest.TOKEN_KEYINFO); ++ } else { ++ StringTokenizer st = new StringTokenizer(oldMappingValue, ":"); ++ oldSelectedToken = st.nextToken(); ++ oldKeyNickName = st.nextToken(); ++ } ++ ++ ++ String newKeyInfoMap = "tks.mk_mappings." + rnewKeyInfo.substring(0,6); //#xx#xx ++ CMS.debug(method + " newKeyInfoMap: " + newKeyInfoMap); ++ String newMappingValue = CMS.getConfigStore().getString(newKeyInfoMap, null); ++ String newSelectedToken = null; ++ if (newMappingValue == null) { ++ newSelectedToken = CMS.getConfigStore().getString("tks.defaultSlot", CryptoUtil.INTERNAL_TOKEN_NAME); ++ newKeyNickName = rnewKeyInfo; ++ } else { ++ StringTokenizer st = new StringTokenizer(newMappingValue, ":"); ++ newSelectedToken = st.nextToken(); ++ newKeyNickName = st.nextToken(); ++ } ++ ++ CMS.debug("process DiversifyKey for oldSelectedToke=" + ++ oldSelectedToken + " newSelectedToken=" + newSelectedToken + ++ " oldKeyNickName=" + oldKeyNickName + " newKeyNickName=" + ++ newKeyNickName); ++ ++ byte kekKeyArray[] = getDeveKeyArray("kek_key", sconfig, keySet); ++ byte macKeyArray[] = getDeveKeyArray("auth_key", sconfig, keySet); ++ byte encKeyArray[] = getDeveKeyArray("mac_key", sconfig, keySet); ++ ++ // com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks." 
+ keySet + ".kek_key")); ++ ++ //GPParams for scp03 right now, reads some scp03 specific values from the config of a given keyset ++ // passed down to the SecureChannelProtocol functions that deal with SCP03 ++ ++ GPParams gp3Params = readGPSettings(keySet); ++ ++ SecureChannelProtocol secProtocol = new SecureChannelProtocol(protocol); ++ // AC: KDF SPEC CHANGE - check for error reading settings ++ if (missingSetting_exception == null) { ++ if (protocol == 1 || protocol == 3) { ++ KeySetData = secProtocol.diversifyKey(oldSelectedToken, ++ newSelectedToken, oldKeyNickName, ++ newKeyNickName, ++ xkeyInfo, // AC: KDF SPEC CHANGE - pass in old key info so symkey can make decision about which KDF version to use ++ xnewkeyInfo, // AC: BUGFIX for key versions higher than 09: We need to specialDecode keyInfo parameters before sending them into symkey! This means the parameters must be byte[] ++ nistSP800_108KdfOnKeyVersion, // AC: KDF SPEC CHANGE - pass in configuration file value ++ nistSP800_108KdfUseCuidAsKdd, // AC: KDF SPEC CHANGE - pass in configuration file value ++ xCUID, // AC: KDF SPEC CHANGE - removed duplicative 'CUID' variable and replaced with 'xCUID' ++ xKDD, // AC: KDF SPEC CHANGE - pass in KDD so symkey can make decision about which value (KDD,CUID) to use ++ kekKeyArray,encKeyArray,macKeyArray, useSoftToken_s, keySet, (byte) protocol,gp3Params); ++ ++ } else if (protocol == 2) { ++ KeySetData = SessionKey.DiversifyKey(oldSelectedToken, newSelectedToken, oldKeyNickName, ++ newKeyNickName, xkeyInfo, ++ xnewkeyInfo, nistSP800_108KdfOnKeyVersion, nistSP800_108KdfUseCuidAsKdd, xCUID, xKDD, ++ (protocol == 2) ? 
xWrappedDekKey : kekKeyArray, useSoftToken_s, keySet, (byte) protocol); ++ } ++ //SecureChannelProtocol.debugByteArray(KeySetData, " New keyset data: "); ++ CMS.debug("TokenServlet.processDiversifyKey: New keyset data obtained"); ++ ++ if (KeySetData == null || KeySetData.length <= 1) { ++ CMS.getLogger().log(ILogger.EV_AUDIT, ++ ILogger.S_TKS, ++ ILogger.LL_INFO, "process DiversifyKey: Missing MasterKey in Slot"); ++ } ++ ++ CMS.getLogger().log(ILogger.EV_AUDIT, ++ ILogger.S_TKS, ++ ILogger.LL_INFO, ++ "process DiversifyKey for CUID=" + ++ trim(pp.toHexString(xCUID)) + // AC: KDF SPEC CHANGE: Log both CUID and KDD ++ ", KDD=" + ++ trim(pp.toHexString(xKDD)) ++ + ";from oldMasterKeyName=" + oldSelectedToken + ":" + oldKeyNickName ++ + ";to newMasterKeyName=" + newSelectedToken + ":" + newKeyNickName); ++ ++ resp.setContentType("text/html"); ++ ++ } // AC: KDF SPEC CHANGE - endif no error reading settings from settings file ++ ++ } // ! missingParam ++ ++ String value = ""; ++ String status = "0"; ++ ++ if (KeySetData != null && KeySetData.length > 1) { ++ value = IRemoteRequest.RESPONSE_STATUS + "=0&" + IRemoteRequest.TKS_RESPONSE_KeySetData + "=" + ++ com.netscape.cmsutil.util.Utils.SpecialEncode(KeySetData); ++ //CMS.debug("TokenServlet:process DiversifyKey.encode " + value); ++ CMS.debug("TokenServlet:process DiversifyKey.encode returning KeySetData"); ++ // AC: KDF SPEC CHANGE - check for settings file issue (flag) ++ } else if (missingSetting_exception != null) { ++ status = "6"; ++ errorMsg = "Problem reading required configuration value."; ++ value = "status=" + status; ++ } else if (missingParam) { ++ status = "3"; ++ if (badParams.endsWith(",")) { ++ badParams = badParams.substring(0, badParams.length() - 1); ++ } ++ errorMsg = "Missing input parameters: " + badParams; ++ value = IRemoteRequest.RESPONSE_STATUS + "=" + status; ++ } else { ++ errorMsg = "Problem diversifying key data."; ++ status = "1"; ++ value = IRemoteRequest.RESPONSE_STATUS + "=" + 
status; ++ } ++ ++ resp.setContentLength(value.length()); ++ CMS.debug("TokenServlet:outputString.length " + value.length()); ++ ++ try { ++ OutputStream ooss = resp.getOutputStream(); ++ ooss.write(value.getBytes()); ++ ooss.flush(); ++ mRenderResult = false; ++ } catch (Exception e) { ++ CMS.debug("TokenServlet:process DiversifyKey: " + e.toString()); ++ } ++ ++ if (status.equals("0")) { ++ ++ // AC: KDF SPEC CHANGE - Log both CUID and KDD ++ // Also added TKSKeyset, OldKeyInfo_KeyVersion, NewKeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd ++ // Finally, log CUID and KDD in ASCII-HEX format, as long as special-decoded version is available. ++ String[] logParams = { log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded ++ log_string_from_specialDecoded_byte_array(xKDD), // KDD_decoded ++ ILogger.SUCCESS, // Outcome ++ status, // status ++ agentId, // AgentID ++ ++ // AC: BUGFIX: Record the actual parameters to DiversifyKey in the audit log. ++ oldKeyNickName, // oldMasterKeyName ++ newKeyNickName, // newMasterKeyName ++ ++ keySet, // TKSKeyset ++ log_string_from_keyInfo(xkeyInfo), // OldKeyInfo_KeyVersion ++ log_string_from_keyInfo(xnewkeyInfo), // NewKeyInfo_KeyVersion ++ "0x" + Integer.toHexString(nistSP800_108KdfOnKeyVersion & 0x000000FF), // NistSP800_108KdfOnKeyVersion ++ Boolean.toString(nistSP800_108KdfUseCuidAsKdd) // NistSP800_108KdfUseCuidAsKdd ++ }; ++ auditMessage = CMS.getLogMessage(AuditEvent.DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, logParams); ++ } else { ++ // AC: KDF SPEC CHANGE - Log both CUID and KDD ++ // Also added TKSKeyset, OldKeyInfo_KeyVersion, NewKeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd ++ // Finally, log CUID and KDD in ASCII-HEX format, as long as special-decoded version is available. 
++ String[] logParams = { log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded ++ log_string_from_specialDecoded_byte_array(xKDD), // KDD_decoded ++ ILogger.FAILURE, // Outcome ++ status, // status ++ agentId, // AgentID ++ ++ // AC: BUGFIX: Record the actual parameters to DiversifyKey in the audit log. ++ oldKeyNickName, // oldMasterKeyName ++ newKeyNickName, // newMasterKeyName ++ ++ keySet, // TKSKeyset ++ log_string_from_keyInfo(xkeyInfo), // OldKeyInfo_KeyVersion ++ log_string_from_keyInfo(xnewkeyInfo), // NewKeyInfo_KeyVersion ++ "0x" + Integer.toHexString(nistSP800_108KdfOnKeyVersion & 0x000000FF), // NistSP800_108KdfOnKeyVersion ++ Boolean.toString(nistSP800_108KdfUseCuidAsKdd), // NistSP800_108KdfUseCuidAsKdd ++ errorMsg // Error ++ }; ++ auditMessage = CMS.getLogMessage(AuditEvent.DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE, logParams); ++ } ++ ++ audit(auditMessage); ++ } ++ ++ private void processEncryptData(HttpServletRequest req, ++ HttpServletResponse resp) throws EBaseException { ++ byte[] keyInfo, xCUID, encryptedData, xkeyInfo, xKDD; // AC: KDF SPEC CHANGE: removed duplicative 'CUID' variable and added xKDD ++ ++ // AC: KDF SPEC CHANGE - new config file values (needed for symkey) ++ byte nistSP800_108KdfOnKeyVersion = (byte) 0xff; ++ boolean nistSP800_108KdfUseCuidAsKdd = false; ++ ++ // AC: KDF SPEC CHANGE - flag for if there is an error reading our new setting ++ Exception missingSetting_exception = null; ++ ++ boolean missingParam = false; ++ byte[] data = null; ++ boolean isRandom = true; // randomly generate the data to be encrypted ++ ++ String errorMsg = ""; ++ String badParams = ""; ++ IConfigStore sconfig = CMS.getConfigStore(); ++ encryptedData = null; ++ String rdata = req.getParameter(IRemoteRequest.TOKEN_DATA); ++ String rKeyInfo = req.getParameter(IRemoteRequest.TOKEN_KEYINFO); ++ String rCUID = req.getParameter(IRemoteRequest.TOKEN_CUID); ++ ++ String protocolValue = req.getParameter(IRemoteRequest.CHANNEL_PROTOCOL); ++ ++ 
// AC: KDF SPEC CHANGE - read new KDD parameter from TPS ++ String rKDD = req.getParameter("KDD"); ++ if ((rKDD == null) || (rKDD.length() == 0)) { ++ // temporarily make it friendly before TPS change ++ CMS.debug("TokenServlet: KDD not supplied, set to CUID before TPS change"); ++ rKDD = rCUID; ++ } ++ ++ String keySet = req.getParameter(IRemoteRequest.TOKEN_KEYSET); ++ if (keySet == null || keySet.equals("")) { ++ keySet = "defKeySet"; ++ } ++ ++ SessionContext sContext = SessionContext.getContext(); ++ ++ String agentId = ""; ++ if (sContext != null) { ++ agentId = ++ (String) sContext.get(SessionContext.USER_ID); ++ } ++ ++ CMS.debug("keySet selected: " + keySet); ++ ++ String s_isRandom = sconfig.getString("tks.EncryptData.isRandom", "true"); ++ if (s_isRandom.equalsIgnoreCase("false")) { ++ CMS.debug("TokenServlet: processEncryptData(): Random number not to be generated"); ++ isRandom = false; ++ } else { ++ CMS.debug("TokenServlet: processEncryptData(): Random number generation required"); ++ isRandom = true; ++ } ++ ++ // AC: KDF SPEC CHANGE: Need to log both KDD and CUID ++ String auditMessage = CMS.getLogMessage( ++ AuditEvent.ENCRYPT_DATA_REQUEST, ++ rCUID, ++ rKDD, // AC: KDF SPEC CHANGE - Log both CUID and KDD. ++ ILogger.SUCCESS, ++ agentId, ++ s_isRandom); ++ audit(auditMessage); ++ ++ GPParams gp3Params = readGPSettings(keySet); ++ ++ if (isRandom) { ++ if ((rdata == null) || (rdata.equals(""))) { ++ CMS.debug("TokenServlet: processEncryptData(): no data in request. Generating random number as data"); ++ } else { ++ CMS.debug("TokenServlet: processEncryptData(): contain data in request, however, random generation on TKS is required. 
Generating..."); ++ } ++ try { ++ SecureRandom random = SecureRandom.getInstance("SHA1PRNG"); ++ data = new byte[16]; ++ random.nextBytes(data); ++ } catch (Exception e) { ++ CMS.debug("TokenServlet: processEncryptData():" + e.toString()); ++ badParams += " Random Number,"; ++ missingParam = true; ++ } ++ } else if ((!isRandom) && (((rdata == null) || (rdata.equals(""))))) { ++ CMS.debug("TokenServlet: processEncryptData(): missing request parameter: data."); ++ badParams += " data,"; ++ missingParam = true; ++ } ++ ++ if ((rCUID == null) || (rCUID.equals(""))) { ++ badParams += " CUID,"; ++ CMS.debug("TokenServlet: processEncryptData(): missing request parameter: CUID"); ++ missingParam = true; ++ } ++ ++ // AC: KDF SPEC CHANGE - read new KDD parameter from TPS ++ if ((rKDD == null) || (rKDD.length() == 0)) { ++ CMS.debug("TokenServlet: processDiversifyKey(): missing request parameter: KDD"); ++ badParams += " KDD,"; ++ missingParam = true; ++ } ++ ++ if ((rKeyInfo == null) || (rKeyInfo.equals(""))) { ++ badParams += " KeyInfo,"; ++ CMS.debug("TokenServlet: processEncryptData(): missing request parameter: key info"); ++ missingParam = true; ++ } ++ ++ // AC: KDF SPEC CHANGE ++ xCUID = null; // avoid errors about non-initialization ++ xKDD = null; // avoid errors about non-initialization ++ xkeyInfo = null; // avoid errors about non-initialization ++ ++ if (!missingParam) { ++ xCUID = com.netscape.cmsutil.util.Utils.SpecialDecode(rCUID); ++ if (xCUID == null || xCUID.length != 10) { ++ badParams += " CUID length,"; ++ CMS.debug("TokenServlet: Invalid CUID length"); ++ missingParam = true; ++ } ++ ++ // AC: KDF SPEC CHANGE - read new KDD parameter from TPS ++ xKDD = com.netscape.cmsutil.util.Utils.SpecialDecode(rKDD); ++ if (xKDD == null || xKDD.length != 10) { ++ badParams += " KDD length,"; ++ CMS.debug("TokenServlet: Invalid KDD length"); ++ missingParam = true; ++ } ++ ++ xkeyInfo = com.netscape.cmsutil.util.Utils.SpecialDecode(rKeyInfo); ++ if (xkeyInfo == null 
|| (xkeyInfo.length != 2 && xkeyInfo.length != 3)) { ++ badParams += " KeyInfo length,"; ++ CMS.debug("TokenServlet: Invalid key info length"); ++ missingParam = true; ++ } ++ } ++ ++ String useSoftToken_s = CMS.getConfigStore().getString("tks.useSoftToken", "true"); ++ if (!useSoftToken_s.equalsIgnoreCase("true")) ++ useSoftToken_s = "false"; ++ ++ String selectedToken = null; ++ String keyNickName = null; ++ if (!missingParam) { ++ ++ // AC: KDF SPEC CHANGE - read new config file values (needed for symkey ++ try { ++ nistSP800_108KdfOnKeyVersion = TokenServlet.read_setting_nistSP800_108KdfOnKeyVersion(keySet); ++ nistSP800_108KdfUseCuidAsKdd = TokenServlet.read_setting_nistSP800_108KdfUseCuidAsKdd(keySet); ++ ++ // log settings read in to debug log along with xkeyInfo ++ CMS.debug("TokenServlet: processEncryptData(): xkeyInfo[0] = 0x" ++ + Integer.toHexString((xkeyInfo[0]) & 0x0000000FF) ++ + ", xkeyInfo[1] = 0x" ++ + Integer.toHexString((xkeyInfo[1]) & 0x0000000FF) ++ ); ++ CMS.debug("TokenServlet: processEncryptData(): Nist SP800-108 KDF will be used for key versions >= 0x" ++ + Integer.toHexString((nistSP800_108KdfOnKeyVersion) & 0x0000000FF) ++ ); ++ if (nistSP800_108KdfUseCuidAsKdd == true) { ++ CMS.debug("TokenServlet: processEncryptData(): Nist SP800-108 KDF (if used) will use CUID instead of KDD."); ++ } else { ++ CMS.debug("TokenServlet: processEncryptData(): Nist SP800-108 KDF (if used) will use KDD."); ++ } ++ // conform to the set-an-error-flag mentality ++ } catch (Exception e) { ++ missingSetting_exception = e; ++ CMS.debug("TokenServlet: processEncryptData(): Exception reading Nist SP800-108 KDF config values: " ++ + e.toString()); ++ } ++ ++ if (!isRandom) ++ data = com.netscape.cmsutil.util.Utils.SpecialDecode(rdata); ++ keyInfo = com.netscape.cmsutil.util.Utils.SpecialDecode(rKeyInfo); ++ ++ String keyInfoMap = "tks." + keySet + ".mk_mappings." 
+ rKeyInfo.substring(0,6); ++ String mappingValue = CMS.getConfigStore().getString(keyInfoMap, null); ++ if (mappingValue == null) { ++ selectedToken = CMS.getConfigStore().getString("tks.defaultSlot", CryptoUtil.INTERNAL_TOKEN_NAME); ++ keyNickName = rKeyInfo; ++ } else { ++ StringTokenizer st = new StringTokenizer(mappingValue, ":"); ++ selectedToken = st.nextToken(); ++ keyNickName = st.nextToken(); ++ } ++ ++ ++ //calculate the protocol ++ ++ int protocolInt = SecureChannelProtocol.PROTOCOL_ONE; ++ try ++ { ++ protocolInt = Integer.parseInt(protocolValue); ++ } ++ catch (NumberFormatException nfe) ++ { ++ protocolInt = SecureChannelProtocol.PROTOCOL_ONE; ++ } ++ ++ CMS.debug( "TokenServerlet.encryptData: protocol input: " + protocolInt); ++ ++ //Check for reasonable sanity, leave room for future versions ++ if(protocolInt <= 0 || protocolInt > 20) { ++ CMS.debug( "TokenServerlet.encryptData: unfamliar protocl, assume default of 1."); ++ protocolInt = 1; ++ ++ } ++ ++ byte kekKeyArray[] = ++ com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks." 
+ keySet + ".kek_key")); ++ // AC: KDF SPEC CHANGE - check for error reading settings ++ if (missingSetting_exception == null) { ++ ++ ++ SecureChannelProtocol protocol = new SecureChannelProtocol(protocolInt); ++ ++ if (protocolInt != SecureChannelProtocol.PROTOCOL_THREE) { ++ ++ encryptedData = protocol.encryptData( ++ selectedToken, keyNickName, data, keyInfo, ++ nistSP800_108KdfOnKeyVersion, // AC: KDF SPEC CHANGE - pass in configuration file value ++ nistSP800_108KdfUseCuidAsKdd, // AC: KDF SPEC CHANGE - pass in configuration file value ++ xCUID, // AC: KDF SPEC CHANGE - removed duplicative 'CUID' variable and replaced with 'xCUID' ++ xKDD, // AC: KDF SPEC CHANGE - pass in KDD so symkey can make decision about which value (KDD,CUID) to use ++ kekKeyArray, useSoftToken_s, keySet); ++ ++ } else { ++ ++ encryptedData = protocol.encryptData_SCP03(selectedToken, keyNickName, data, xkeyInfo, ++ nistSP800_108KdfOnKeyVersion, nistSP800_108KdfUseCuidAsKdd, xCUID, xKDD, kekKeyArray, ++ useSoftToken_s, keySet,gp3Params); ++ ++ } ++ ++ SecureChannelProtocol.debugByteArray(encryptedData, "New Encrypt Data: "); ++ ++ // AC: KDF SPEC CHANGE - Log both CUID and KDD ++ ++ CMS.getLogger().log(ILogger.EV_AUDIT, ++ ILogger.S_TKS, ++ ILogger.LL_INFO, "process EncryptData for CUID=" + ++ trim(pp.toHexString(xCUID)) + ++ ", KDD=" + ++ trim(pp.toHexString(xKDD))); ++ ++ } // AC: KDF SPEC CHANGE - endif no error reading settings from settings file ++ ++ } // !missingParam ++ ++ resp.setContentType("text/html"); ++ ++ String value = ""; ++ String status = "0"; ++ if (encryptedData != null && encryptedData.length > 0) { ++ // sending both the pre-encrypted and encrypted data back ++ value = IRemoteRequest.RESPONSE_STATUS + "=0&" ++ + IRemoteRequest.TOKEN_DATA + "=" + ++ com.netscape.cmsutil.util.Utils.SpecialEncode(data) + ++ "&" + IRemoteRequest.TKS_RESPONSE_EncryptedData + "=" + ++ com.netscape.cmsutil.util.Utils.SpecialEncode(encryptedData); ++ // AC: KDF SPEC CHANGE - check for 
settings file issue (flag) ++ } else if (missingSetting_exception != null) { ++ status = "6"; ++ errorMsg = "Problem reading required configuration value."; ++ value = "status=" + status; ++ } else if (missingParam) { ++ if (badParams.endsWith(",")) { ++ badParams = badParams.substring(0, badParams.length() - 1); ++ } ++ errorMsg = "Missing input parameters: " + badParams; ++ status = "3"; ++ value = IRemoteRequest.RESPONSE_STATUS + "=" + status; ++ } else { ++ errorMsg = "Problem encrypting data."; ++ status = "1"; ++ value = IRemoteRequest.RESPONSE_STATUS + "=" + status; ++ } ++ ++ //CMS.debug("TokenServlet:process EncryptData.encode " + value); ++ ++ try { ++ resp.setContentLength(value.length()); ++ CMS.debug("TokenServlet:outputString.lenght " + value.length()); ++ ++ OutputStream ooss = resp.getOutputStream(); ++ ooss.write(value.getBytes()); ++ ooss.flush(); ++ mRenderResult = false; ++ } catch (Exception e) { ++ CMS.debug("TokenServlet: " + e.toString()); ++ } ++ ++ if (status.equals("0")) { ++ // AC: KDF SPEC CHANGE - Log both CUID and KDD ++ // Also added TKSKeyset, KeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd ++ // Finally, log CUID and KDD in ASCII-HEX format, as long as special-decoded version is available. 
++ String[] logParams = { log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded ++ log_string_from_specialDecoded_byte_array(xKDD), // KDD_decoded ++ ILogger.SUCCESS, // Outcome ++ status, // status ++ agentId, // AgentID ++ s_isRandom, // isRandom ++ selectedToken, // SelectedToken ++ keyNickName, // KeyNickName ++ keySet, // TKSKeyset ++ log_string_from_keyInfo(xkeyInfo), // KeyInfo_KeyVersion ++ "0x" + Integer.toHexString(nistSP800_108KdfOnKeyVersion & 0x000000FF), // NistSP800_108KdfOnKeyVersion ++ Boolean.toString(nistSP800_108KdfUseCuidAsKdd) // NistSP800_108KdfUseCuidAsKdd ++ }; ++ auditMessage = CMS.getLogMessage(AuditEvent.ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS, logParams); ++ } else { ++ // AC: KDF SPEC CHANGE - Log both CUID and KDD ++ // Also added TKSKeyset, KeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd ++ // Finally, log CUID and KDD in ASCII-HEX format, as long as special-decoded version is available. ++ String[] logParams = { log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded ++ log_string_from_specialDecoded_byte_array(xKDD), // KDD_decoded ++ ILogger.FAILURE, // Outcome ++ status, // status ++ agentId, // AgentID ++ s_isRandom, // isRandom ++ selectedToken, // SelectedToken ++ keyNickName, // KeyNickName ++ keySet, // TKSKeyset ++ log_string_from_keyInfo(xkeyInfo), // KeyInfo_KeyVersion ++ "0x" + Integer.toHexString(nistSP800_108KdfOnKeyVersion & 0x000000FF), // NistSP800_108KdfOnKeyVersion ++ Boolean.toString(nistSP800_108KdfUseCuidAsKdd), // NistSP800_108KdfUseCuidAsKdd ++ errorMsg // Error ++ }; ++ auditMessage = CMS.getLogMessage(AuditEvent.ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE, logParams); ++ } ++ ++ audit(auditMessage); ++ } ++ ++ /* ++ * For EncryptData: ++ * data=value1 ++ * CUID=value2 // missing from RA ++ * versionID=value3 // missing from RA ++ * ++ * For ComputeSession: ++ * card_challenge=value1 ++ * host_challenge=value2 ++ ++ * For DiversifyKey: ++ * new_master_key_index 
++ * master_key_index ++ */ ++ ++ private void processComputeRandomData(HttpServletRequest req, ++ HttpServletResponse resp) throws EBaseException { ++ ++ byte[] randomData = null; ++ String status = "0"; ++ String errorMsg = ""; ++ String badParams = ""; ++ boolean missingParam = false; ++ int dataSize = 0; ++ ++ CMS.debug("TokenServlet::processComputeRandomData"); ++ ++ SessionContext sContext = SessionContext.getContext(); ++ ++ String agentId = ""; ++ if (sContext != null) { ++ agentId = ++ (String) sContext.get(SessionContext.USER_ID); ++ } ++ ++ String sDataSize = req.getParameter(IRemoteRequest.TOKEN_DATA_NUM_BYTES); ++ ++ if (sDataSize == null || sDataSize.equals("")) { ++ CMS.debug("TokenServlet::processComputeRandomData missing param dataNumBytes"); ++ badParams += " Random Data size, "; ++ missingParam = true; ++ status = "1"; ++ } else { ++ try { ++ dataSize = Integer.parseInt(sDataSize.trim()); ++ } catch (NumberFormatException nfe) { ++ CMS.debug("TokenServlet::processComputeRandomData invalid data size input!"); ++ badParams += " Random Data size, "; ++ missingParam = true; ++ status = "1"; ++ } ++ ++ } ++ ++ CMS.debug("TokenServlet::processComputeRandomData data size requested: " + dataSize); ++ ++ String auditMessage = CMS.getLogMessage( ++ AuditEvent.COMPUTE_RANDOM_DATA_REQUEST, ++ ILogger.SUCCESS, ++ agentId); ++ ++ audit(auditMessage); ++ ++ if (!missingParam) { ++ try { ++ SecureRandom random = SecureRandom.getInstance("SHA1PRNG"); ++ randomData = new byte[dataSize]; ++ random.nextBytes(randomData); ++ } catch (Exception e) { ++ CMS.debug("TokenServlet::processComputeRandomData:" + e.toString()); ++ errorMsg = "Can't generate random data!"; ++ status = "2"; ++ } ++ } ++ ++ String randomDataOut = ""; ++ if (status.equals("0")) { ++ if (randomData != null && randomData.length == dataSize) { ++ randomDataOut = ++ com.netscape.cmsutil.util.Utils.SpecialEncode(randomData); ++ } else { ++ status = "2"; ++ errorMsg = "Can't convert random data!"; ++ } 
++ } ++ ++ if (status.equals("1") && missingParam) { ++ ++ if (badParams.endsWith(",")) { ++ badParams = badParams.substring(0, badParams.length() - 1); ++ } ++ errorMsg = "Missing input parameters :" + badParams; ++ } ++ ++ resp.setContentType("text/html"); ++ String value = ""; ++ ++ value = IRemoteRequest.RESPONSE_STATUS + "=" + status; ++ if (status.equals("0")) { ++ value = value + "&" + IRemoteRequest.TKS_RESPONSE_RandomData + "=" + randomDataOut; ++ } ++ ++ try { ++ resp.setContentLength(value.length()); ++ CMS.debug("TokenServler::processComputeRandomData :outputString.length " + value.length()); ++ ++ OutputStream ooss = resp.getOutputStream(); ++ ooss.write(value.getBytes()); ++ ooss.flush(); ++ mRenderResult = false; ++ } catch (Exception e) { ++ CMS.debug("TokenServlet::processComputeRandomData " + e.toString()); ++ } ++ ++ if (status.equals("0")) { ++ auditMessage = CMS.getLogMessage( ++ AuditEvent.COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS, ++ ILogger.SUCCESS, ++ status, ++ agentId); ++ } else { ++ auditMessage = CMS.getLogMessage( ++ AuditEvent.COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE, ++ ILogger.FAILURE, ++ status, ++ agentId, ++ errorMsg); ++ } ++ ++ audit(auditMessage); ++ } ++ ++ public void process(CMSRequest cmsReq) throws EBaseException { ++ HttpServletRequest req = cmsReq.getHttpReq(); ++ HttpServletResponse resp = cmsReq.getHttpResp(); ++ ++ IAuthToken authToken = authenticate(cmsReq); ++ AuthzToken authzToken = null; ++ ++ mCurrentUID = (String) authToken.get(IAuthToken.UID) ; ++ ++ try { ++ authzToken = authorize(mAclMethod, authToken, ++ mAuthzResourceName, "execute"); ++ } catch (Exception e) { ++ } ++ ++ if (authzToken == null) { ++ ++ try { ++ resp.setContentType("text/html"); ++ String value = "unauthorized="; ++ CMS.debug("TokenServlet: Unauthorized"); ++ ++ resp.setContentLength(value.length()); ++ OutputStream ooss = resp.getOutputStream(); ++ ooss.write(value.getBytes()); ++ ooss.flush(); ++ mRenderResult = false; ++ } 
catch (Exception e) { ++ CMS.debug("TokenServlet: " + e.toString()); ++ } ++ ++ // cmsReq.setStatus(CMSRequest.UNAUTHORIZED); ++ return; ++ } ++ ++ String temp = req.getParameter(IRemoteRequest.TOKEN_CARD_CHALLENGE); ++ String protocol = req.getParameter(IRemoteRequest.CHANNEL_PROTOCOL); ++ String derivationConstant = req.getParameter(IRemoteRequest.DERIVATION_CONSTANT); ++ //CMS.debug("Protocol: " + protocol + " temp: " + temp); ++ ++ setDefaultSlotAndKeyName(req); ++ if (temp != null && protocol == null) { ++ processComputeSessionKey(req, resp); ++ } else if (req.getParameter(IRemoteRequest.TOKEN_DATA) != null) { ++ processEncryptData(req, resp); ++ } else if (req.getParameter(IRemoteRequest.TOKEN_NEW_KEYINFO) != null) { ++ processDiversifyKey(req, resp); ++ } else if (req.getParameter(IRemoteRequest.TOKEN_DATA_NUM_BYTES) != null) { ++ processComputeRandomData(req, resp); ++ } else if (protocol != null && protocol.contains("2") && (derivationConstant != null)) { ++ //SCP02 compute one session key. ++ processComputeSessionKeySCP02(req, resp); ++ ++ } else if (protocol != null && protocol.contains("3") ) { ++ processComputeSessionKeysSCP03(req,resp); ++ } else { ++ throw new EBaseException("Process: Can't decide upon function to call!"); ++ } ++ } ++ ++ //Create all the session keys for scp03 at once and return. 
++ //ToDo: calcualte the optional rmac key ++ private void processComputeSessionKeysSCP03(HttpServletRequest req, HttpServletResponse resp) throws EBaseException { ++ String method = "processComputeSessionKeysSCP03:"; ++ CMS.debug(method + " entering ..."); ++ ++ byte[] card_challenge, host_challenge, xCUID, xKDD; ++ byte[] card_crypto, host_cryptogram, input_card_crypto; ++ byte[] xcard_challenge, xhost_challenge; ++ byte[] enc_session_key, xkeyInfo,mac_session_key, kek_session_key; ++ String auditMessage = null; ++ String errorMsg = ""; ++ String badParams = ""; ++ String transportKeyName = ""; ++ String rCUID = req.getParameter(IRemoteRequest.TOKEN_CUID); ++ ++ String rKDD = req.getParameter("KDD"); ++ if ((rKDD == null) || (rKDD.length() == 0)) { ++ // KDF phase1: default to rCUID if not present ++ CMS.debug("TokenServlet: KDD not supplied, set to CUID before TPS change"); ++ rKDD = rCUID; ++ } ++ ++ String keySet = req.getParameter(IRemoteRequest.TOKEN_KEYSET); ++ if (keySet == null || keySet.equals("")) { ++ keySet = "defKeySet"; ++ } ++ CMS.debug("keySet selected: " + keySet); ++ ++ GPParams gp3Params = readGPSettings(keySet); ++ ++ boolean serversideKeygen = false; ++ ++ IConfigStore sconfig = CMS.getConfigStore(); ++ boolean isCryptoValidate = true; ++ boolean missingParam = false; ++ ++ Exception missingSetting_exception = null; ++ ++ mac_session_key = null; ++ kek_session_key = null; ++ card_crypto = null; ++ host_cryptogram = null; ++ enc_session_key = null; ++ ++ SessionContext sContext = SessionContext.getContext(); ++ ++ String agentId = ""; ++ if (sContext != null) { ++ agentId = ++ (String) sContext.get(SessionContext.USER_ID); ++ } ++ ++ auditMessage = CMS.getLogMessage( ++ AuditEvent.COMPUTE_SESSION_KEY_REQUEST, ++ rCUID, ++ rKDD, ++ ILogger.SUCCESS, ++ agentId); ++ ++ audit(auditMessage); ++ ++ String kek_wrapped_desKeyString = null; ++ String keycheck_s = null; ++ ++ String useSoftToken_s = CMS.getConfigStore().getString("tks.useSoftToken", 
"true"); ++ if (!useSoftToken_s.equalsIgnoreCase("true")) ++ useSoftToken_s = "false"; ++ ++ CMS.debug(method + " useSoftToken: " + useSoftToken_s); ++ ++ String rServersideKeygen = req.getParameter(IRemoteRequest.SERVER_SIDE_KEYGEN); ++ if (rServersideKeygen.equals("true")) { ++ ++ serversideKeygen = true; ++ } ++ ++ CMS.debug(method + " serversideKeygen: " + serversideKeygen); ++ ++ try { ++ isCryptoValidate = sconfig.getBoolean("cardcryptogram.validate.enable", true); ++ } catch (EBaseException eee) { ++ } ++ ++ CMS.debug(method + " Do crypto validation: " + isCryptoValidate); ++ ++ transportKeyName = getSharedSecretName(sconfig); ++ ++ String rcard_challenge = req.getParameter(IRemoteRequest.TOKEN_CARD_CHALLENGE); ++ String rhost_challenge = req.getParameter(IRemoteRequest.TOKEN_HOST_CHALLENGE); ++ String rKeyInfo = req.getParameter(IRemoteRequest.TOKEN_KEYINFO); ++ String rcard_cryptogram = req.getParameter(IRemoteRequest.TOKEN_CARD_CRYPTOGRAM); ++ ++ if ((rCUID == null) || (rCUID.equals(""))) { ++ CMS.debug(method + " missing request parameter: CUID"); ++ badParams += " CUID,"; ++ missingParam = true; ++ } ++ ++ if ((rKDD == null) || (rKDD.length() == 0)) { ++ CMS.debug(method + " missing request parameter: KDD"); ++ badParams += " KDD,"; ++ missingParam = true; ++ } ++ ++ if ((rcard_challenge == null) || (rcard_challenge.equals(""))) { ++ badParams += " card_challenge,"; ++ CMS.debug(method + " missing request parameter: card challenge"); ++ missingParam = true; ++ } ++ ++ if ((rhost_challenge == null) || (rhost_challenge.equals(""))) { ++ badParams += " host_challenge,"; ++ CMS.debug(method + " missing request parameter: host challenge"); ++ missingParam = true; ++ } ++ ++ if ((rcard_cryptogram == null) || (rcard_cryptogram.equals(""))) { ++ badParams += " card_cryptogram,"; ++ CMS.debug(method + " missing request parameter: card_cryptogram"); ++ missingParam = true; ++ } ++ ++ if ((rKeyInfo == null) || (rKeyInfo.equals(""))) { ++ badParams += " KeyInfo,"; 
++ CMS.debug(method + "missing request parameter: key info"); ++ missingParam = true; ++ } ++ ++ String selectedToken = null; ++ String keyNickName = null; ++ boolean sameCardCrypto = true; ++ ++ xCUID = null; ++ xKDD = null; ++ xkeyInfo = null; ++ xcard_challenge = null; ++ xhost_challenge = null; ++ ++ if (!missingParam) { ++ xCUID = com.netscape.cmsutil.util.Utils.SpecialDecode(rCUID); ++ if (xCUID == null || xCUID.length != 10) { ++ badParams += " CUID length,"; ++ CMS.debug("TokenServlet: Invalid CUID length"); ++ missingParam = true; ++ } ++ ++ xKDD = com.netscape.cmsutil.util.Utils.SpecialDecode(rKDD); ++ if (xKDD == null || xKDD.length != 10) { ++ badParams += " KDD length,"; ++ CMS.debug("TokenServlet: Invalid KDD length"); ++ missingParam = true; ++ } ++ ++ xkeyInfo = com.netscape.cmsutil.util.Utils.SpecialDecode(rKeyInfo); ++ if (xkeyInfo == null || xkeyInfo.length != 3) { ++ badParams += " KeyInfo length,"; ++ CMS.debug("TokenServlet: Invalid key info length."); ++ missingParam = true; ++ } ++ xcard_challenge = ++ com.netscape.cmsutil.util.Utils.SpecialDecode(rcard_challenge); ++ if (xcard_challenge == null || xcard_challenge.length != 8) { ++ badParams += " card_challenge length,"; ++ CMS.debug("TokenServlet: Invalid card challenge length."); ++ missingParam = true; ++ } ++ ++ xhost_challenge = com.netscape.cmsutil.util.Utils.SpecialDecode(rhost_challenge); ++ if (xhost_challenge == null || xhost_challenge.length != 8) { ++ badParams += " host_challenge length,"; ++ CMS.debug("TokenServlet: Invalid host challenge length"); ++ missingParam = true; ++ } ++ } ++ ++ ArrayList serverSideValues = null; ++ ++ if (!missingParam) { ++ card_challenge = ++ com.netscape.cmsutil.util.Utils.SpecialDecode(rcard_challenge); ++ ++ host_challenge = com.netscape.cmsutil.util.Utils.SpecialDecode(rhost_challenge); ++ ++ String keyInfoMap = "tks." + keySet + ".mk_mappings." 
+ rKeyInfo.substring(0,6); //#xx#xx ++ String mappingValue = CMS.getConfigStore().getString(keyInfoMap, null); ++ ++ ++ if (mappingValue == null) { ++ selectedToken = ++ CMS.getConfigStore().getString("tks.defaultSlot", "internal"); ++ keyNickName = rKeyInfo; ++ } else { ++ StringTokenizer st = new StringTokenizer(mappingValue, ":"); ++ if (st.hasMoreTokens()) ++ selectedToken = st.nextToken(); ++ if (st.hasMoreTokens()) ++ keyNickName = st.nextToken(); ++ } ++ ++ CMS.debug(method + " selectedToken: " + selectedToken + " keyNickName: " + keyNickName ); ++ ++ SymmetricKey macSessionKey = null; ++ SymmetricKey encSessionKey = null; ++ SymmetricKey kekSessionKey = null; ++ ++ if (selectedToken != null && keyNickName != null ++ && missingSetting_exception == null) { ++ ++ try { ++ ++ byte macKeyArray[] = ++ com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks." ++ + keySet + ".mac_key")); ++ CMS.debug("TokenServlet about to try ComputeSessionKey selectedToken=" ++ + selectedToken + " keyNickName=" + keyNickName); ++ ++ SecureChannelProtocol protocol = new SecureChannelProtocol(SecureChannelProtocol.PROTOCOL_THREE); ++ ++ macSessionKey = protocol.computeSessionKey_SCP03(selectedToken, keyNickName,xkeyInfo, ++ SecureChannelProtocol.macType, macKeyArray, keySet,xCUID, xKDD, xhost_challenge, xcard_challenge, ++ transportKeyName,gp3Params); ++ ++ mac_session_key = protocol.wrapSessionKey(selectedToken, macSessionKey, null); ++ ++ if (mac_session_key == null) { ++ CMS.debug(method + " Can't get mac session key bytes"); ++ throw new Exception(method + " Can't get mac session key bytes"); ++ ++ } ++ ++ byte encKeyArray[] = ++ com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks." 
++ + keySet + ".auth_key")); ++ ++ encSessionKey = protocol.computeSessionKey_SCP03(selectedToken, keyNickName,xkeyInfo, ++ SecureChannelProtocol.encType, encKeyArray, keySet, xCUID, xKDD, xhost_challenge, xcard_challenge, ++ transportKeyName,gp3Params); ++ ++ enc_session_key = protocol.wrapSessionKey(selectedToken, encSessionKey, null); ++ ++ if (enc_session_key == null) { ++ CMS.debug("TokenServlet:Tried ComputeEncSessionKey, got NULL "); ++ throw new Exception("Can't compute enc session key!"); ++ ++ } ++ ++ byte kekKeyArray[] = ++ com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks." ++ + keySet + ".kek_key")); ++ ++ kekSessionKey = protocol.computeSessionKey_SCP03(selectedToken, keyNickName, xkeyInfo, ++ SecureChannelProtocol.kekType, kekKeyArray, keySet, xCUID, xKDD, xhost_challenge, ++ xcard_challenge, ++ transportKeyName,gp3Params); ++ ++ kek_session_key = protocol.wrapSessionKey(selectedToken, kekSessionKey, null); ++ ++ ++ //Offload some of the tedious params gathering to another method ++ //ToDo, create a method that reads all this stuff at once for all major methods ++ if (serversideKeygen) { ++ try { ++ serverSideValues = calculateServerSideKeygenValues(useSoftToken_s, selectedToken, ++ kekSessionKey, protocol); ++ } catch (EBaseException e) { ++ ++ CMS.debug(method + " Can't calcualte server side keygen required values..."); ++ ++ } ++ } ++ ++ try { ++ isCryptoValidate = sconfig.getBoolean("cardcryptogram.validate.enable", true); ++ } catch (EBaseException eee) { ++ } ++ ++ ByteArrayOutputStream contextStream = new ByteArrayOutputStream(); ++ try { ++ contextStream.write(host_challenge); ++ contextStream.write(card_challenge); ++ } catch (IOException e) { ++ throw new EBaseException(method + " Error calculating derivation data!"); ++ } ++ ++ host_cryptogram = protocol.computeCryptogram_SCP03(macSessionKey, selectedToken, contextStream.toByteArray(),NistSP800_108KDF.HOST_CRYPTO_KDF_CONSTANT); ++ 
SecureChannelProtocol.debugByteArray(host_cryptogram, method + " calculated host crypto: " + host_cryptogram.length); ++ ++ ++ if( isCryptoValidate) { ++ if (rcard_cryptogram == null) { ++ CMS.debug(method + " missing card cryptogram"); ++ throw new Exception(method + "Missing card cryptogram"); ++ } ++ input_card_crypto = ++ com.netscape.cmsutil.util.Utils.SpecialDecode(rcard_cryptogram); ++ card_crypto = protocol.computeCryptogram_SCP03(macSessionKey, selectedToken, contextStream.toByteArray(),NistSP800_108KDF.CARD_CRYPTO_KDF_CONSTANT); ++ SecureChannelProtocol.debugByteArray(card_crypto, method + " calculated card crypto: "); ++ SecureChannelProtocol.debugByteArray(input_card_crypto, method + " original card crypto: "); ++ ++ if(!cryptoGramsAreEqual(input_card_crypto, card_crypto)) { ++ throw new Exception(method + "Card cryptogram mismatch!"); ++ } ++ ++ } ++ } catch (Exception e) { ++ CMS.debug(e); ++ CMS.debug("TokenServlet Computing Session Key: " + e.toString()); ++ if (isCryptoValidate) ++ sameCardCrypto = false; ++ } ++ } ++ } // ! 
missingParam ++ ++ String value = ""; ++ ++ resp.setContentType("text/html"); ++ ++ String encSessionKeyString = ""; ++ String macSessionKeyString = ""; ++ String kekSessionKeyString = ""; ++ ++ String drm_trans_wrapped_desKeyString = ""; ++ String cryptogram = ""; ++ String status = "0"; ++ ++ if (enc_session_key != null && enc_session_key.length > 0) { ++ encSessionKeyString = ++ com.netscape.cmsutil.util.Utils.SpecialEncode(enc_session_key); ++ } else { ++ status = "1"; ++ } ++ ++ if (mac_session_key != null && mac_session_key.length > 0) { ++ macSessionKeyString = ++ com.netscape.cmsutil.util.Utils.SpecialEncode(mac_session_key); ++ } else { ++ status = "1"; ++ } ++ ++ if (kek_session_key != null && kek_session_key.length > 0) { ++ kekSessionKeyString = ++ com.netscape.cmsutil.util.Utils.SpecialEncode(kek_session_key); ++ } else { ++ status = "1"; ++ } ++ ++ if (serversideKeygen == true) { ++ if (serverSideValues.size() == 3) { ++ drm_trans_wrapped_desKeyString = serverSideValues.get(2); ++ kek_wrapped_desKeyString = serverSideValues.get(0); ++ keycheck_s = serverSideValues.get(1); ++ } ++ else { ++ status = "1"; ++ } ++ } ++ ++ if (host_cryptogram != null && host_cryptogram.length > 0) { ++ cryptogram = ++ com.netscape.cmsutil.util.Utils.SpecialEncode(host_cryptogram); ++ } else { ++ if (status.equals("0") == true) { ++ status = "2"; ++ } ++ } ++ ++ if (selectedToken == null || keyNickName == null) { ++ // AC: Bugfix: Don't override status's value if an error was already flagged ++ if (status.equals("0") == true) { ++ status = "4"; ++ } ++ } ++ ++ if (!sameCardCrypto) { ++ if (status.equals("0") == true) { ++ status = "5"; ++ } ++ } ++ ++ if (missingSetting_exception != null) { ++ status = "6"; ++ } ++ ++ if (missingParam) { ++ status = "3"; ++ } ++ ++ if (!status.equals("0")) { ++ ++ if (status.equals("1")) { ++ errorMsg = "Problem generating session key info."; ++ } ++ ++ if (status.equals("2")) { ++ errorMsg = "Problem creating host_cryptogram."; ++ } ++ ++ 
if (status.equals("5")) { ++ errorMsg = "Card cryptogram mismatch. Token likely has incorrect keys."; ++ } ++ ++ if (status.equals("4")) { ++ errorMsg = "Problem obtaining token information."; ++ } ++ ++ if (status.equals("6")) { ++ errorMsg = "Problem reading required configuration value."; ++ } ++ ++ if (status.equals("3")) { ++ if (badParams.endsWith(",")) { ++ badParams = badParams.substring(0, badParams.length() - 1); ++ } ++ errorMsg = "Missing input parameters :" + badParams; ++ } ++ ++ value = IRemoteRequest.RESPONSE_STATUS + "=" + status; ++ } else { ++ if (serversideKeygen == true) { ++ StringBuffer sb = new StringBuffer(); ++ sb.append(IRemoteRequest.RESPONSE_STATUS + "=0&"); ++ sb.append(IRemoteRequest.TKS_RESPONSE_MacSessionKey + "="); ++ sb.append(macSessionKeyString); ++ sb.append("&" + IRemoteRequest.TKS_RESPONSE_HostCryptogram + "="); ++ sb.append(cryptogram); ++ sb.append("&" + IRemoteRequest.TKS_RESPONSE_EncSessionKey + "="); ++ sb.append(encSessionKeyString); ++ sb.append("&" + IRemoteRequest.TKS_RESPONSE_KekSessionKey + "="); ++ sb.append(kekSessionKeyString); ++ sb.append("&" + IRemoteRequest.TKS_RESPONSE_KEK_DesKey + "="); ++ sb.append(kek_wrapped_desKeyString); ++ sb.append("&" + IRemoteRequest.TKS_RESPONSE_KeyCheck + "="); ++ sb.append(keycheck_s); ++ sb.append("&" + IRemoteRequest.TKS_RESPONSE_DRM_Trans_DesKey + "="); ++ sb.append(drm_trans_wrapped_desKeyString); ++ value = sb.toString(); ++ } else { ++ StringBuffer sb = new StringBuffer(); ++ sb.append(IRemoteRequest.RESPONSE_STATUS + "=0&"); ++ sb.append(IRemoteRequest.TKS_RESPONSE_MacSessionKey + "="); ++ sb.append(macSessionKeyString); ++ sb.append("&" + IRemoteRequest.TKS_RESPONSE_HostCryptogram + "="); ++ sb.append(cryptogram); ++ sb.append("&" + IRemoteRequest.TKS_RESPONSE_EncSessionKey + "="); ++ sb.append(encSessionKeyString); ++ sb.append("&" + IRemoteRequest.TKS_RESPONSE_KekSessionKey + "="); ++ value = sb.toString(); ++ } ++ ++ } ++ //CMS.debug(method + "outputString.encode " + 
value); ++ ++ try { ++ resp.setContentLength(value.length()); ++ CMS.debug("TokenServlet:outputString.length " + value.length()); ++ OutputStream ooss = resp.getOutputStream(); ++ ooss.write(value.getBytes()); ++ ooss.flush(); ++ mRenderResult = false; ++ } catch (IOException e) { ++ CMS.debug("TokenServlet: " + e.toString()); ++ } ++ ++ if (status.equals("0")) { ++ String[] logParams = { log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded ++ log_string_from_specialDecoded_byte_array(xKDD), // KDD_decoded ++ ILogger.SUCCESS, // Outcome ++ status, // status ++ agentId, // AgentID ++ isCryptoValidate ? "true" : "false", // IsCryptoValidate ++ serversideKeygen ? "true" : "false", // IsServerSideKeygen ++ selectedToken, // SelectedToken ++ keyNickName, // KeyNickName ++ keySet, // TKSKeyset ++ log_string_from_keyInfo(xkeyInfo), // KeyInfo_KeyVersion ++ }; ++ auditMessage = CMS.getLogMessage(AuditEvent.COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, ++ logParams); ++ ++ } else { ++ String[] logParams = { log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded ++ log_string_from_specialDecoded_byte_array(xKDD), // KDD_decoded ++ ILogger.FAILURE, // Outcome ++ status, // status ++ agentId, // AgentID ++ isCryptoValidate ? "true" : "false", // IsCryptoValidate ++ serversideKeygen ? "true" : "false", // IsServerSideKeygen ++ selectedToken, // SelectedToken ++ keyNickName, // KeyNickName ++ keySet, // TKSKeyset ++ log_string_from_keyInfo(xkeyInfo), // KeyInfo_KeyVersion ++ errorMsg // Error ++ }; ++ auditMessage = CMS.getLogMessage(AuditEvent.COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE, ++ logParams); ++ ++ } ++ ++ audit(auditMessage); ++ ++ } ++ ++ /** ++ * Serves HTTP admin request. 
++ * ++ * @param req HTTP request ++ * @param resp HTTP response ++ */ ++ public void service(HttpServletRequest req, HttpServletResponse resp) ++ throws ServletException, IOException { ++ super.service(req, resp); ++ } ++ ++ private PK11SymKey getSharedSecretKey() throws EBaseException, NotInitializedException { ++ ++ IConfigStore configStore = CMS.getConfigStore(); ++ String sharedSecretName = null; ++ try { ++ ++ sharedSecretName = getSharedSecretName(configStore); ++ ++ } catch (EBaseException e) { ++ throw new EBaseException("TokenServlet.getSharedSecetKey: Internal error finding config value: " ++ + e); ++ ++ } ++ ++ CMS.debug("TokenServlet.getSharedSecretTransportKey: calculated key name: " + sharedSecretName); ++ ++ String symmKeys = null; ++ boolean keyPresent = false; ++ try { ++ symmKeys = SessionKey.ListSymmetricKeys(CryptoUtil.INTERNAL_TOKEN_NAME); ++ CMS.debug("TokenServlet.getSharedSecretTransportKey: symmKeys List: " + symmKeys); ++ } catch (Exception e) { ++ // TODO Auto-generated catch block ++ CMS.debug(e); ++ } ++ ++ for (String keyName : symmKeys.split(",")) { ++ if (sharedSecretName.equals(keyName)) { ++ CMS.debug("TokenServlet.getSharedSecret: shared secret key found!"); ++ keyPresent = true; ++ break; ++ } ++ ++ } ++ ++ if (!keyPresent) { ++ throw new EBaseException("TokenServlet.getSharedSecret: Can't find shared secret!"); ++ } ++ ++ // We know for now that shared secret is on this token ++ String tokenName = CryptoUtil.INTERNAL_TOKEN_FULL_NAME; ++ PK11SymKey sharedSecret = SessionKey.GetSymKeyByName(tokenName, sharedSecretName); ++ ++ CMS.debug("TokenServlet.getSharedSecret: SymKey returns: " + sharedSecret); ++ ++ return sharedSecret; ++ ++ } ++ ++ //returns ArrayList of following values ++ // 0 : Kek wrapped des key ++ // 1 : keycheck value ++ // 2 : trans wrapped des key ++ private ArrayList calculateServerSideKeygenValues(String useSoftToken, String selectedToken, ++ SymmetricKey kekSessionKey, SecureChannelProtocol protocol) throws 
EBaseException { ++ ++ SymmetricKey desKey = null; ++ String method = "TokenServlet.calculateSErverSideKeygenValues: "; ++ ArrayList values = new ArrayList(); ++ ++ /** ++ * 0. generate des key ++ * 1. encrypt des key with kek key ++ * 2. encrypt des key with DRM transport key ++ * These two wrapped items are to be sent back to ++ * TPS. 2nd item is to DRM ++ **/ ++ CMS.debug(method + " entering..."); ++ ++ // (1) generate DES key ++ /* applet does not support DES3 ++ org.mozilla.jss.crypto.KeyGenerator kg = ++ internalToken.getKeyGenerator(KeyGenAlgorithm.DES3); ++ desKey = kg.generate();*/ ++ ++ /* ++ * GenerateSymkey firt generates a 16 byte DES2 key. ++ * It then pads it into a 24 byte key with last ++ * 8 bytes copied from the 1st 8 bytes. Effectively ++ * making it a 24 byte DES2 key. We need this for ++ * wrapping private keys on DRM. ++ */ ++ /*generate it on whichever token the master key is at*/ ++ ++ if (useSoftToken.equals("true")) { ++ CMS.debug(method + " key encryption key generated on internal"); ++ desKey = protocol.generateSymKey("internal"); ++ //cfu audit here? sym key gen done ++ } else { ++ CMS.debug("TokenServlet: key encryption key generated on " + selectedToken); ++ desKey = protocol.generateSymKey(selectedToken); ++ } ++ if (desKey == null) { ++ throw new EBaseException(method + "can't generate key encryption key"); ++ } ++ ++ /* ++ * ECBencrypt actually takes the 24 byte DES2 key ++ * and discard the last 8 bytes before it encrypts. 
++ * This is done so that the applet can digest it ++ */ ++ ++ ++ // protocol.wrapSessionKey(tokenName, sessionKey, wrappingKey) ++ ++ byte[] encDesKey = protocol.ecbEncrypt(kekSessionKey, desKey, selectedToken); ++ ++ String kek_wrapped_desKeyString = ++ com.netscape.cmsutil.util.Utils.SpecialEncode(encDesKey); ++ ++ CMS.debug(method + "kek_wrapped_desKeyString: " + kek_wrapped_desKeyString); ++ ++ values.add(kek_wrapped_desKeyString); ++ ++ // get keycheck ++ ++ byte[] keycheck = null; ++ ++ keycheck = protocol.computeKeyCheck(desKey, selectedToken); ++ ++ String keycheck_s = ++ com.netscape.cmsutil.util.Utils.SpecialEncode(keycheck); ++ ++ CMS.debug(method + "keycheck_s " + keycheck_s); ++ ++ values.add(keycheck_s); ++ ++ //use DRM transport cert to wrap desKey ++ String drmTransNickname = CMS.getConfigStore().getString("tks.drm_transport_cert_nickname", ""); ++ ++ if ((drmTransNickname == null) || (drmTransNickname == "")) { ++ CMS.debug(method + " did not find DRM transport certificate nickname"); ++ throw new EBaseException(method + "can't find DRM transport certificate nickname"); ++ } else { ++ CMS.debug(method + " drmtransport_cert_nickname=" + drmTransNickname); ++ } ++ ++ X509Certificate drmTransCert = null; ++ try { ++ ++ drmTransCert = CryptoManager.getInstance().findCertByNickname(drmTransNickname); ++ // wrap kek session key with DRM transport public key ++ CryptoToken token = null; ++ if (useSoftToken.equals("true")) { ++ //token = CryptoManager.getInstance().getTokenByName(selectedToken); ++ token = CryptoManager.getInstance().getInternalCryptoToken(); ++ } else { ++ token = CryptoManager.getInstance().getTokenByName(selectedToken); ++ } ++ PublicKey pubKey = drmTransCert.getPublicKey(); ++ String pubKeyAlgo = pubKey.getAlgorithm(); ++ CMS.debug("Transport Cert Key Algorithm: " + pubKeyAlgo); ++ KeyWrapper keyWrapper = null; ++ //For wrapping symmetric keys don't need IV, use ECB ++ if (pubKeyAlgo.equals("EC")) { ++ keyWrapper = 
token.getKeyWrapper(KeyWrapAlgorithm.AES_ECB); ++ keyWrapper.initWrap(pubKey, null); ++ } else { ++ keyWrapper = token.getKeyWrapper(KeyWrapAlgorithm.RSA); ++ keyWrapper.initWrap(pubKey, null); ++ } ++ CMS.debug("desKey token " + desKey.getOwningToken().getName() + " token: " + token.getName()); ++ byte[] drm_trans_wrapped_desKey = keyWrapper.wrap(desKey); ++ ++ String drmWrappedDesStr = ++ com.netscape.cmsutil.util.Utils.SpecialEncode(drm_trans_wrapped_desKey); ++ ++ CMS.debug(method + " drmWrappedDesStr: " + drmWrappedDesStr); ++ values.add(drmWrappedDesStr); ++ ++ } catch (Exception e) { ++ throw new EBaseException(e); ++ } ++ ++ return values; ++ } ++ ++ private boolean cryptoGramsAreEqual(byte[] original_cryptogram, byte[] calculated_cryptogram) { ++ boolean sameCardCrypto = true; ++ ++ if (original_cryptogram == null || calculated_cryptogram == null) { ++ return false; ++ } ++ if (original_cryptogram.length == calculated_cryptogram.length) { ++ for (int i = 0; i < original_cryptogram.length; i++) { ++ if (original_cryptogram[i] != calculated_cryptogram[i]) { ++ sameCardCrypto = false; ++ break; ++ } ++ } ++ } else { ++ // different length; must be different ++ sameCardCrypto = false; ++ } ++ ++ return sameCardCrypto; ++ } ++ ++ //For now only used for scp03 ++ ++ static GPParams readGPSettings(String keySet) { ++ GPParams params = new GPParams(); ++ ++ String method = "TokenServlet.readGPSettings: "; ++ String gp3Settings = "tks." 
+ keySet + ".prot3"; ++ ++ String divers = "emv"; ++ try { ++ divers = CMS.getConfigStore().getString(gp3Settings + ".divers", "emv"); ++ } catch (EBaseException e) { ++ } ++ ++ params.setDiversificationScheme(divers); ++ ++ CMS.debug(method + " Divers: " + divers); ++ ++ String diversVer1Keys = "emv"; ++ ++ try { ++ diversVer1Keys = CMS.getConfigStore().getString(gp3Settings + ".diversVer1Keys","emv"); ++ } catch (EBaseException e) { ++ } ++ ++ params.setVersion1DiversificationScheme(diversVer1Keys); ++ CMS.debug(method + " Version 1 keys Divers: " + divers); ++ ++ String keyType = null; ++ try { ++ keyType = CMS.getConfigStore().getString(gp3Settings + ".devKeyType","DES3"); ++ } catch (EBaseException e) { ++ } ++ ++ CMS.debug(method + " devKeyType: " + keyType); ++ ++ params.setDevKeyType(keyType); ++ ++ try { ++ keyType = CMS.getConfigStore().getString(gp3Settings + ".masterKeyType","DES3"); ++ } catch (EBaseException e) { ++ } ++ ++ params.setMasterKeyType(keyType); ++ ++ CMS.debug(method + " masterKeyType: " + keyType); ++ ++ ++ return params; ++ } ++ ++ private byte[] getDeveKeyArray(String keyType,IConfigStore sconfig,String keySet) throws EBaseException { ++ byte devKeyArray[] = null; ++ try { ++ devKeyArray = com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks." ++ + keySet + "." + keyType)); ++ } catch (Exception e) { ++ throw new EBaseException("Can't read static developer key array: " + keySet + ": " + keyType); ++ } ++ ++ return devKeyArray; ++ } ++ ++ ++} +-- +1.8.3.1 + + +From fd149624a7ace41c75c5034345503c0d412f7aa3 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Tue, 23 May 2017 22:25:32 +0200 +Subject: [PATCH 11/38] Updated log messages in OCSPProcessor. + +The OCSPProcessor has been modified to log the OCSP response to +help troubleshooting. 
+
+https://pagure.io/dogtagpki/issue/2695
+
+Change-Id: I9c880def083221af26cac902ff6d7852d0555a8f
+---
+ base/util/src/com/netscape/cmsutil/ocsp/OCSPProcessor.java | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/base/util/src/com/netscape/cmsutil/ocsp/OCSPProcessor.java b/base/util/src/com/netscape/cmsutil/ocsp/OCSPProcessor.java
+index 3b72130..c7a40f7 100644
+--- a/base/util/src/com/netscape/cmsutil/ocsp/OCSPProcessor.java
++++ b/base/util/src/com/netscape/cmsutil/ocsp/OCSPProcessor.java
+@@ -134,8 +134,8 @@ public class OCSPProcessor {
+ byte[] requestData = os.toByteArray();
+ 
+ if (verbose) {
+- System.out.println("Data Length: " + requestData.length);
+- System.out.println("Data: " + Utils.base64encode(requestData));
++ System.out.println("Request Length: " + requestData.length);
++ System.out.println("Request: " + Utils.base64encode(requestData));
+ }
+ 
+ ByteArrayEntity requestEntity = new ByteArrayEntity(requestData);
+@@ -156,8 +156,16 @@ public class OCSPProcessor {
+ }
+ 
+ // construct OCSP response
++
++ byte[] responseData = buffer.toByteArray();
++
++ if (verbose) {
++ System.out.println("Response Length: " + responseData.length);
++ System.out.println("Response: " + Utils.base64encode(responseData));
++ }
++
+ return (OCSPResponse)OCSPResponse.getTemplate().decode(
+- new ByteArrayInputStream(buffer.toByteArray()));
++ new ByteArrayInputStream(responseData));
+ 
+ } finally {
+ EntityUtils.consume(responseEntity);
+--
+1.8.3.1
+
+
+From b9f906eb1f26cf3d82262bc9894785742f451cd9 Mon Sep 17 00:00:00 2001
+From: Ade Lee
+Date: Tue, 23 May 2017 11:12:06 -0400
+Subject: [PATCH 12/38] Fix failing audit log
+
+As currently written, the audit log for completing the cert
+processing on the KRA will always fail because the cert is not
+yet issued. The cert is only issued after the key is archived.
+
+Basically, though, this particular log is only suppposed to be
+written to the CA audit log.
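Review bot: The new `responseData` local is still decoded unconditionally on `return (OCSPResponse)OCSPResponse.getTemplate().decode(new ByteArrayInputStream(responseData));`, so an empty or truncated body from the responder surfaces as a raw ASN.1 decode exception instead of a message naming the cause. Now that the bytes live in a named variable, a guard such as `if (responseData.length == 0) { throw new IOException("Empty OCSP response from responder"); }` placed before the verbose block is cheap (use whatever checked exception the method already declares) and directly serves the troubleshooting goal of this commit. Whether the HTTP status code was checked before `buffer` was filled is not visible in the hunk, so this is the only point in view that would catch a responder returning nothing. The enclosing method begins and ends outside the hunk.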
Rather than adding a subsystem check, +the simplest solution is to not expose this event on the KRA. + +Change-Id: I9e658dca15fd87e87c0124c4c9972dbca2910643 +--- + base/kra/shared/conf/CS.cfg | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/base/kra/shared/conf/CS.cfg b/base/kra/shared/conf/CS.cfg +index 4b6ff74..69d9382 100644 +--- a/base/kra/shared/conf/CS.cfg ++++ b/base/kra/shared/conf/CS.cfg +@@ -300,11 +300,11 @@ log.instance.SignedAudit._001=## Signed Audit Logging + log.instance.SignedAudit._002=## + log.instance.SignedAudit._003=## + log.instance.SignedAudit._004=## Available Audit events: +-log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,KEY_RECOVERY_AGENT_LOGIN,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_EXPORT_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_INFO ++log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,KEY_RECOVERY_AGENT_LOGIN,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_EXPORT_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_INFO + log.instance.SignedAudit._006=## + log.instance.SignedAudit.bufferSize=512 + log.instance.SignedAudit.enable=true +-log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,KEY_RECOVERY_AGENT_LOGIN,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, 
COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SECURITY_DATA_EXPORT_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED ++log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,KEY_RECOVERY_AGENT_LOGIN,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, 
COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SECURITY_DATA_EXPORT_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED + log.instance.SignedAudit.expirationTime=0 + log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_TYPE]/signedAudit/kra_cert-kra_audit + log.instance.SignedAudit.flushInterval=5 +-- +1.8.3.1 + + +From de9f890133e3acc660b985e8ef5950507d341a03 Mon Sep 17 00:00:00 2001 +From: Ade Lee +Date: Tue, 23 May 2017 12:14:06 -0400 +Subject: [PATCH 13/38] Make sure archivalID is passed through archival + +There was some confusion in the previous commit for archival +logging. The archivalID is the id provided by the CA for the archival +and is its requestID. This allows the cert request operation +to be tracked through the archival. + +Made sure therefore, that we have two fields - one for the archivalID +and one for the requestId (which is the KRA archival request ID) + +In addition, some of the archival events occur in the CA component +just before the request id sent to the KRA. 
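Review bot: The rewritten `log.instance.SignedAudit.events` value still carries two entries whose spelling may keep them from ever being enabled: in `COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE` and `DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE` there is a space after the comma, so unless the event-list parser trims tokens (not visible here) the two `*_FAILURE` events are silently never audited, while the same spaces in the `_005` comment line are harmless. The same enabled list names `SECURITY_DATA_RETRIEVE_KEY` twice although the "Available Audit events" comment above does not mention it, and conversely `SECURITY_DATA_INFO` is advertised as available but is not enabled. Since the commit rewrites both lines anyway, I would drop the stray spaces and the duplicate and reconcile the two lists so the documented set matches the enabled set; for a signed audit log, an event that looks configured but never fires is the worst outcome.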
These events will not +be displayed unless the audit event is added to the CA CS.cfg. + +Change-Id: I3904d42ae677d5916385e0120f0e25311b4d9d08 +--- + base/ca/shared/conf/CS.cfg | 4 +- + base/ca/src/com/netscape/ca/CAService.java | 22 +++++++-- + .../logging/event/SecurityDataArchivalEvent.java | 16 +------ + .../event/SecurityDataArchivalProcessedEvent.java | 2 + + .../src/com/netscape/kra/EnrollmentService.java | 53 ++++++++++++++++------ + .../src/com/netscape/kra/KeyRecoveryAuthority.java | 11 +++-- + .../src/com/netscape/kra/NetkeyKeygenService.java | 5 +- + .../com/netscape/kra/SecurityDataProcessor.java | 1 + + .../server/kra/rest/KeyRequestService.java | 1 + + .../cms/profile/common/CAEnrollProfile.java | 23 +++++++--- + base/server/cmsbundle/src/LogMessages.properties | 16 +++++-- + 11 files changed, 104 insertions(+), 50 deletions(-) + +diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg +index 8f9af5c..4e881dc 100644 +--- a/base/ca/shared/conf/CS.cfg ++++ b/base/ca/shared/conf/CS.cfg +@@ -907,11 +907,11 @@ log.instance.SignedAudit._001=## Signed Audit Logging + log.instance.SignedAudit._002=## + log.instance.SignedAudit._003=## + log.instance.SignedAudit._004=## Available Audit events: +-log.instance.SignedAudit._005=## 
AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED ++log.instance.SignedAudit._005=## 
AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST + 
log.instance.SignedAudit._006=## + log.instance.SignedAudit.bufferSize=512 + log.instance.SignedAudit.enable=true +-log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED ++log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST + log.instance.SignedAudit.expirationTime=0 + log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_TYPE]/signedAudit/ca_audit + log.instance.SignedAudit.flushInterval=5 +diff --git a/base/ca/src/com/netscape/ca/CAService.java b/base/ca/src/com/netscape/ca/CAService.java +index 45fae66..c9eacfe 100644 +--- a/base/ca/src/com/netscape/ca/CAService.java ++++ b/base/ca/src/com/netscape/ca/CAService.java +@@ -58,6 +58,7 @@ import com.netscape.certsrv.profile.IProfile; + import com.netscape.certsrv.profile.IProfileSubsystem; + import com.netscape.certsrv.request.IRequest; + import com.netscape.certsrv.request.IService; ++import com.netscape.certsrv.request.RequestId; + import com.netscape.cmscore.base.SubsystemRegistry; + import com.netscape.cmscore.connector.HttpConnector; + import com.netscape.cmscore.connector.LocalConnector; +@@ -371,6 +372,7 @@ public class CAService implements ICAService, IService { + public boolean serviceRequest(IRequest request) { + String auditSubjectID = auditSubjectID(); + String auditRequesterID = auditRequesterID(); ++ RequestId requestId = request.getRequestId(); + + boolean completed = false; + +@@ -422,7 +424,9 @@ public class CAService implements ICAService, IService { + audit(new SecurityDataArchivalEvent( + auditSubjectID, + ILogger.SUCCESS, +- auditRequesterID)); ++ auditRequesterID, ++ requestId, ++ 
null)); + + boolean sendStatus = mKRAConnector.send(request); + +@@ -437,7 +441,9 @@ public class CAService implements ICAService, IService { + audit(new SecurityDataArchivalEvent( + auditSubjectID, + ILogger.FAILURE, +- auditRequesterID)); ++ auditRequesterID, ++ requestId, ++ null)); + + return true; + } else { +@@ -451,7 +457,9 @@ public class CAService implements ICAService, IService { + audit(new SecurityDataArchivalEvent( + auditSubjectID, + ILogger.FAILURE, +- auditRequesterID)); ++ auditRequesterID, ++ requestId, ++ null)); + + return true; + } +@@ -474,7 +482,9 @@ public class CAService implements ICAService, IService { + audit(new SecurityDataArchivalEvent( + auditSubjectID, + ILogger.FAILURE, +- auditRequesterID)); ++ auditRequesterID, ++ requestId, ++ null)); + } + + return true; +@@ -490,7 +500,9 @@ public class CAService implements ICAService, IService { + audit(new SecurityDataArchivalEvent( + auditSubjectID, + ILogger.SUCCESS, +- auditRequesterID)); ++ auditRequesterID, ++ requestId, ++ null)); + } + + return completed; +diff --git a/base/common/src/com/netscape/certsrv/logging/event/SecurityDataArchivalEvent.java b/base/common/src/com/netscape/certsrv/logging/event/SecurityDataArchivalEvent.java +index 43f7525..adc8d5b 100644 +--- a/base/common/src/com/netscape/certsrv/logging/event/SecurityDataArchivalEvent.java ++++ b/base/common/src/com/netscape/certsrv/logging/event/SecurityDataArchivalEvent.java +@@ -30,6 +30,7 @@ public class SecurityDataArchivalEvent extends AuditEvent { + public SecurityDataArchivalEvent( + String subjectID, + String outcome, ++ String archivalID, + RequestId requestID, + String clientKeyID) { + +@@ -38,22 +39,9 @@ public class SecurityDataArchivalEvent extends AuditEvent { + setParameters(new Object[] { + subjectID, + outcome, ++ archivalID, + requestID, + clientKeyID + }); + } +- +- public SecurityDataArchivalEvent( +- String subjectID, +- String outcome, +- String requestID) { +- super(LOGGING_PROPERTY); +- +- 
setParameters(new Object[] { +- subjectID, +- outcome, +- requestID, +- null +- }); +- } + } +\ No newline at end of file +diff --git a/base/common/src/com/netscape/certsrv/logging/event/SecurityDataArchivalProcessedEvent.java b/base/common/src/com/netscape/certsrv/logging/event/SecurityDataArchivalProcessedEvent.java +index eb4f6b3..0ec21ae 100644 +--- a/base/common/src/com/netscape/certsrv/logging/event/SecurityDataArchivalProcessedEvent.java ++++ b/base/common/src/com/netscape/certsrv/logging/event/SecurityDataArchivalProcessedEvent.java +@@ -30,6 +30,7 @@ public class SecurityDataArchivalProcessedEvent extends AuditEvent { + public SecurityDataArchivalProcessedEvent( + String subjectID, + String outcome, ++ String archivalRequestId, + RequestId requestID, + String clientKeyID, + KeyId keyID, +@@ -41,6 +42,7 @@ public class SecurityDataArchivalProcessedEvent extends AuditEvent { + setParameters(new Object[] { + subjectID, + outcome, ++ archivalRequestId, + requestID, + clientKeyID, + keyID, +diff --git a/base/kra/src/com/netscape/kra/EnrollmentService.java b/base/kra/src/com/netscape/kra/EnrollmentService.java +index b28fbc6..4cf36d1 100644 +--- a/base/kra/src/com/netscape/kra/EnrollmentService.java ++++ b/base/kra/src/com/netscape/kra/EnrollmentService.java +@@ -56,6 +56,7 @@ import com.netscape.certsrv.logging.event.SecurityDataArchivalProcessedEvent; + import com.netscape.certsrv.profile.IEnrollProfile; + import com.netscape.certsrv.request.IRequest; + import com.netscape.certsrv.request.IService; ++import com.netscape.certsrv.request.RequestId; + import com.netscape.certsrv.security.IStorageKeyUnit; + import com.netscape.certsrv.security.ITransportKeyUnit; + import com.netscape.certsrv.util.IStatsSubsystem; +@@ -158,6 +159,7 @@ public class EnrollmentService implements IService { + String auditSubjectID = auditSubjectID(); + String auditRequesterID = auditRequesterID(); + String auditPublicKey = ILogger.UNIDENTIFIED; ++ RequestId requestId = 
request.getRequestId(); + + if (CMS.debugOn()) + CMS.debug("EnrollmentServlet: KRA services enrollment request"); +@@ -198,7 +200,9 @@ public class EnrollmentService implements IService { + audit(new SecurityDataArchivalEvent( + auditSubjectID, + ILogger.FAILURE, +- auditRequesterID)); ++ auditRequesterID, ++ requestId, ++ null)); + + throw new EKRAException( + CMS.getUserMessage("CMS_KRA_INVALID_PRIVATE_KEY")); +@@ -243,7 +247,9 @@ public class EnrollmentService implements IService { + audit(new SecurityDataArchivalEvent( + auditSubjectID, + ILogger.FAILURE, +- auditRequesterID)); ++ auditRequesterID, ++ requestId, ++ null)); + + throw new EKRAException( + CMS.getUserMessage("CMS_KRA_INVALID_PRIVATE_KEY")); +@@ -276,7 +282,9 @@ public class EnrollmentService implements IService { + audit(new SecurityDataArchivalEvent( + auditSubjectID, + ILogger.FAILURE, +- auditRequesterID)); ++ auditRequesterID, ++ requestId, ++ null)); + + throw new EKRAException( + CMS.getUserMessage("CMS_KRA_INVALID_PUBLIC_KEY")); +@@ -315,7 +323,9 @@ public class EnrollmentService implements IService { + audit(new SecurityDataArchivalEvent( + auditSubjectID, + ILogger.FAILURE, +- auditRequesterID)); ++ auditRequesterID, ++ requestId, ++ null)); + + throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_PRIVATE_KEY"), e); + } +@@ -333,7 +343,9 @@ public class EnrollmentService implements IService { + audit(new SecurityDataArchivalEvent( + auditSubjectID, + ILogger.FAILURE, +- auditRequesterID)); ++ auditRequesterID, ++ requestId, ++ null)); + + throw new EKRAException( + CMS.getUserMessage("CMS_KRA_INVALID_PUBLIC_KEY")); +@@ -355,7 +367,9 @@ public class EnrollmentService implements IService { + audit(new SecurityDataArchivalEvent( + auditSubjectID, + ILogger.FAILURE, +- auditRequesterID)); ++ auditRequesterID, ++ requestId, ++ null)); + + throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_KEYRECORD")); + } +@@ -387,7 +401,9 @@ public class EnrollmentService implements IService 
{ + audit(new SecurityDataArchivalEvent( + auditSubjectID, + ILogger.FAILURE, +- auditRequesterID)); ++ auditRequesterID, ++ requestId, ++ null)); + + throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_PRIVATE_KEY")); + } +@@ -411,7 +427,9 @@ public class EnrollmentService implements IService { + audit(new SecurityDataArchivalEvent( + auditSubjectID, + ILogger.FAILURE, +- auditRequesterID)); ++ auditRequesterID, ++ requestId, ++ null)); + + throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_KEYRECORD")); + } +@@ -458,7 +476,9 @@ public class EnrollmentService implements IService { + audit(new SecurityDataArchivalEvent( + auditSubjectID, + ILogger.FAILURE, +- auditRequesterID)); ++ auditRequesterID, ++ requestId, ++ null)); + + throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_STATE")); + } +@@ -477,7 +497,9 @@ public class EnrollmentService implements IService { + audit(new SecurityDataArchivalEvent( + auditSubjectID, + ILogger.FAILURE, +- auditRequesterID)); ++ auditRequesterID, ++ requestId, ++ null)); + + throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_STATE")); + } +@@ -492,7 +514,9 @@ public class EnrollmentService implements IService { + audit(new SecurityDataArchivalEvent( + auditSubjectID, + ILogger.FAILURE, +- auditRequesterID)); ++ auditRequesterID, ++ requestId, ++ null)); + + throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_STATE")); + } +@@ -546,14 +570,17 @@ public class EnrollmentService implements IService { + audit(new SecurityDataArchivalEvent( + auditSubjectID, + ILogger.SUCCESS, +- auditRequesterID)); ++ auditRequesterID, ++ requestId, ++ null)); + + // store a message in the signed audit log file + auditPublicKey = auditPublicKey(rec); + audit(new SecurityDataArchivalProcessedEvent( + auditSubjectID, + ILogger.SUCCESS, +- request.getRequestId(), ++ auditRequesterID, ++ requestId, + null, + new KeyId(rec.getSerialNumber()), + null, +diff --git 
a/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java b/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java +index 3c29bbf..ed20394 100644 +--- a/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java ++++ b/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java +@@ -766,18 +766,21 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove + + r = queue.newRequest(KRAService.ENROLLMENT); + +- // store a message in the signed audit log file + audit(new SecurityDataArchivalEvent( + auditSubjectID, + ILogger.SUCCESS, +- auditRequesterID)); ++ auditRequesterID, ++ r.getRequestId(), ++ null)); + + } catch (EBaseException eAudit1) { + // store a message in the signed audit log file + audit(new SecurityDataArchivalEvent( + auditSubjectID, + ILogger.FAILURE, +- auditRequesterID)); ++ auditRequesterID, ++ null /* requestId */, ++ null /*clientKeyId */)); + throw eAudit1; + } + +@@ -792,6 +795,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove + audit(new SecurityDataArchivalProcessedEvent( + auditSubjectID, + ILogger.SUCCESS, ++ auditRequesterID, + r.getRequestId(), + null, + new KeyId(rec.getSerialNumber()), +@@ -801,6 +805,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove + audit(new SecurityDataArchivalProcessedEvent( + auditSubjectID, + ILogger.FAILURE, ++ auditRequesterID, + r.getRequestId(), + null, + new KeyId(rec.getSerialNumber()), +diff --git a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java +index df42a4f..947377a 100644 +--- a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java ++++ b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java +@@ -397,7 +397,9 @@ public class NetkeyKeygenService implements IService { + audit( new SecurityDataArchivalEvent( + agentId, + ILogger.SUCCESS, +- auditSubjectID)); ++ auditSubjectID, ++ request.getRequestId(), ++ null)); + + CMS.debug("KRA encrypts 
private key to put on internal ldap db"); + byte privateKeyData[] = null; +@@ -487,6 +489,7 @@ public class NetkeyKeygenService implements IService { + audit(new SecurityDataArchivalProcessedEvent( + agentId, + ILogger.SUCCESS, ++ auditSubjectID, + request.getRequestId(), + null, + new KeyId(serialNo), +diff --git a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java +index a44eb2f..326630c 100644 +--- a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java ++++ b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java +@@ -873,6 +873,7 @@ public class SecurityDataProcessor { + audit(new SecurityDataArchivalProcessedEvent( + subjectID, + status, ++ null, + requestID, + clientKeyID, + keyID, +diff --git a/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java b/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java +index 12040e0..8ec69a7 100644 +--- a/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java ++++ b/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java +@@ -357,6 +357,7 @@ public class KeyRequestService extends SubsystemService implements KeyRequestRes + audit(new SecurityDataArchivalEvent( + getRequestor(), + status, ++ null, + requestId, + clientKeyID)); + } +diff --git a/base/server/cms/src/com/netscape/cms/profile/common/CAEnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/CAEnrollProfile.java +index 85db2cb..ec9f86b 100644 +--- a/base/server/cms/src/com/netscape/cms/profile/common/CAEnrollProfile.java ++++ b/base/server/cms/src/com/netscape/cms/profile/common/CAEnrollProfile.java +@@ -36,6 +36,7 @@ import com.netscape.certsrv.profile.EProfileException; + import com.netscape.certsrv.profile.ERejectException; + import com.netscape.certsrv.profile.IProfileUpdater; + import com.netscape.certsrv.request.IRequest; ++import com.netscape.certsrv.request.RequestId; + import com.netscape.certsrv.request.RequestStatus; + + 
import netscape.security.x509.X500Name; +@@ -82,10 +83,10 @@ public class CAEnrollProfile extends EnrollProfile { + + String auditSubjectID = auditSubjectID(); + String auditRequesterID = auditRequesterID(request); +- String id = request.getRequestId().toString(); ++ RequestId requestId = request.getRequestId(); + + +- CMS.debug("CAEnrollProfile: execute request ID " + id); ++ CMS.debug("CAEnrollProfile: execute request ID " + requestId.toString()); + + ICertificateAuthority ca = (ICertificateAuthority) getAuthority(); + +@@ -115,7 +116,9 @@ public class CAEnrollProfile extends EnrollProfile { + audit(new SecurityDataArchivalEvent( + auditSubjectID, + ILogger.FAILURE, +- auditRequesterID)); ++ auditRequesterID, ++ requestId, ++ null)); + } else { + CMS.debug("CAEnrollProfile: execute send request"); + kraConnector.send(request); +@@ -125,7 +128,9 @@ public class CAEnrollProfile extends EnrollProfile { + audit(new SecurityDataArchivalEvent( + auditSubjectID, + ILogger.FAILURE, +- auditRequesterID)); ++ auditRequesterID, ++ requestId, ++ null)); + + if (request.getError(getLocale(request)) != null && + (request.getError(getLocale(request))).equals(CMS.getUserMessage("CMS_KRA_INVALID_TRANSPORT_CERT"))) { +@@ -140,7 +145,9 @@ public class CAEnrollProfile extends EnrollProfile { + audit(new SecurityDataArchivalEvent( + auditSubjectID, + ILogger.SUCCESS, +- auditRequesterID)); ++ auditRequesterID, ++ requestId, ++ null)); + } + } catch (Exception e) { + +@@ -153,7 +160,9 @@ public class CAEnrollProfile extends EnrollProfile { + audit(new SecurityDataArchivalEvent( + auditSubjectID, + ILogger.FAILURE, +- auditRequesterID)); ++ auditRequesterID, ++ requestId, ++ null)); + + throw new EProfileException(e); + } +@@ -179,7 +188,7 @@ public class CAEnrollProfile extends EnrollProfile { + X509CertImpl theCert; + try { + theCert = caService.issueX509Cert( +- aid, info, getId() /* profileId */, id /* requestId */); ++ aid, info, getId() /* profileId */, requestId.toString()); + } 
catch (EBaseException e) { + CMS.debug(e); + throw new EProfileException(e); +diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties +index 44eec23..66a7fd0 100644 +--- a/base/server/cmsbundle/src/LogMessages.properties ++++ b/base/server/cmsbundle/src/LogMessages.properties +@@ -2414,17 +2414,23 @@ LOGGING_SIGNED_AUDIT_CONFIG_SERIAL_NUMBER_1=:[AuditEv + # LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED + # - used when user security data archive request is processed + # this is when DRM receives and processed the request +-# Client ID must be the user supplied client ID associated with ++# ArchivalRequestID is the requestID provided by the CA through the connector ++# It is used to track the request through from CA to KRA. ++# RequestId is the KRA archival request ID ++# ClientKeyID must be the user supplied client ID associated with + # the security data to be archived + # +-LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED=:[AuditEvent=SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED][SubjectID={0}][Outcome={1}][ArchivalRequestID={2}][ClientKeyID={3}][KeyID={4}][FailureReason={5}][PubKey={6}] security data archival request processed ++LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED=:[AuditEvent=SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED][SubjectID={0}][Outcome={1}][ArchivalRequestID={2}][RequestId={3}][ClientKeyID={4}][KeyID={5}][FailureReason={6}][PubKey={7}] security data archival request processed + # + # LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST + # - used when security data recovery request is made +-# RecoveryID must be the recovery request ID +-# CientID is the ID of the security data to be archived ++# ArchivalRequestID is the requestID provided by the CA through the connector ++# It is used to track the request through from CA to KRA. 
++# RequestId is the KRA archival request ID ++# ClientKeyID must be the user supplied client ID associated with ++# the security data to be archived + # +-LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST=:[AuditEvent=SECURITY_DATA_ARCHIVAL_REQUEST][SubjectID={0}][Outcome={1}][ArchivalRequestID={2}][ClientKeyID={3}] security data archival request made ++LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST=:[AuditEvent=SECURITY_DATA_ARCHIVAL_REQUEST][SubjectID={0}][Outcome={1}][ArchivalRequestID={2}][RequestId={3}][ClientKeyID={4}] security data archival request made + # + # + # LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_PROCESSED +-- +1.8.3.1 + + +From 1d6860b20970dae43b81e9f943fb49575f377099 Mon Sep 17 00:00:00 2001 +From: Ade Lee +Date: Wed, 24 May 2017 11:15:03 -0400 +Subject: [PATCH 14/38] Simplify recovery audit logging + +Currently, when we use the retrieveKey() REST interface, there are +two logs generated for the processing of a recovery request. To +rectify this, logging has been removed from the lower level in the +SecurityDataProcessor and is delegated to the higher level. + +This necessitated adding audit logging to the SecurityDataRecoveryService, +which processes recovery events asynchronously. + +In addition, the logging in retrieveKey() has been pushed down to +the retrieveKeyImpl, because there is at least one success exit point in +retrieveKeyImpl where a recovery request is created, but no key is exported. +Hence in this case, a KeyRetrieve success event is not warranted. 
+ +Change-Id: I0725e6fe82046ae666bf6c81d6a6ba58261dfc87 +--- + .../com/netscape/kra/SecurityDataProcessor.java | 32 ----------- + .../netscape/kra/SecurityDataRecoveryService.java | 67 +++++++++++++++++++++- + .../org/dogtagpki/server/kra/rest/KeyService.java | 11 ++-- + 3 files changed, 72 insertions(+), 38 deletions(-) + +diff --git a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java +index 326630c..2899f32 100644 +--- a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java ++++ b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java +@@ -42,7 +42,6 @@ import com.netscape.certsrv.kra.IKeyRecoveryAuthority; + import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.ILogger; + import com.netscape.certsrv.logging.event.SecurityDataArchivalProcessedEvent; +-import com.netscape.certsrv.logging.event.SecurityDataRecoveryProcessedEvent; + import com.netscape.certsrv.profile.IEnrollProfile; + import com.netscape.certsrv.request.IRequest; + import com.netscape.certsrv.request.RequestId; +@@ -322,20 +321,13 @@ public class SecurityDataProcessor { + throw new EBaseException(CMS.getUserMessage("CMS_BASE_CERT_ERROR", e.toString())); + } + +- String requestor = request.getExtDataInString(IRequest.ATTR_REQUEST_OWNER); +- String auditSubjectID = requestor; +- + Hashtable params = kra.getVolatileRequest( + request.getRequestId()); + KeyId keyId = new KeyId(request.getExtDataInBigInteger(ATTR_SERIALNO)); + request.setExtData(ATTR_KEY_RECORD, keyId.toBigInteger()); +- RequestId requestID = request.getRequestId(); +- String approvers = request.getExtDataInString(IRequest.ATTR_APPROVE_AGENTS); + + if (params == null) { + CMS.debug("SecurityDataProcessor.recover(): Can't get volatile params."); +- auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, requestID, keyId, +- "cannot get volatile params", approvers); + throw new EBaseException("Can't obtain volatile params!"); + } 
+ +@@ -457,8 +449,6 @@ public class SecurityDataProcessor { + iv != null? new IVParameterSpec(iv): null, + iv_wrap != null? new IVParameterSpec(iv_wrap): null); + } catch (Exception e) { +- auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, requestID, keyId, +- "Cannot generate wrapping params", approvers); + throw new EBaseException("Cannot generate wrapping params: " + e, e); + } + } +@@ -514,8 +504,6 @@ public class SecurityDataProcessor { + params.put(IRequest.SECURITY_DATA_PASS_WRAPPED_DATA, pbeWrappedData); + + } catch (Exception e) { +- auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, requestID, keyId, +- "Cannot unwrap passphrase", approvers); + throw new EBaseException("Cannot unwrap passphrase: " + e, e); + + } finally { +@@ -556,8 +544,6 @@ public class SecurityDataProcessor { + } + + } catch (Exception e) { +- auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, requestID, keyId, +- "Cannot wrap symmetric key", approvers); + throw new EBaseException("Cannot wrap symmetric key: " + e, e); + } + +@@ -574,8 +560,6 @@ public class SecurityDataProcessor { + wrapParams.getPayloadEncryptionAlgorithm(), + wrapParams.getPayloadEncryptionIV()); + } catch (Exception e) { +- auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, requestID, +- keyId, "Cannot encrypt passphrase", approvers); + throw new EBaseException("Cannot encrypt passphrase: " + e, e); + } + +@@ -606,8 +590,6 @@ public class SecurityDataProcessor { + } + + } catch (Exception e) { +- auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, requestID, keyId, +- "Cannot wrap private key", approvers); + throw new EBaseException("Cannot wrap private key: " + e, e); + } + } +@@ -640,9 +622,6 @@ public class SecurityDataProcessor { + } + + params.put(IRequest.SECURITY_DATA_TYPE, dataType); +- +- auditRecoveryRequestProcessed(auditSubjectID, ILogger.SUCCESS, requestID, keyId, +- null, approvers); + request.setExtData(IRequest.RESULT, 
IRequest.RES_SUCCESS); + + return false; //return true ? TODO +@@ -857,17 +836,6 @@ public class SecurityDataProcessor { + audit(message); + } + +- private void auditRecoveryRequestProcessed(String subjectID, String status, RequestId requestID, +- KeyId keyID, String reason, String recoveryAgents) { +- audit(new SecurityDataRecoveryProcessedEvent( +- subjectID, +- status, +- requestID, +- keyID, +- reason, +- recoveryAgents)); +- } +- + private void auditArchivalRequestProcessed(String subjectID, String status, RequestId requestID, String clientKeyID, + KeyId keyID, String reason) { + audit(new SecurityDataArchivalProcessedEvent( +diff --git a/base/kra/src/com/netscape/kra/SecurityDataRecoveryService.java b/base/kra/src/com/netscape/kra/SecurityDataRecoveryService.java +index 0c7b4b7..da82e97 100644 +--- a/base/kra/src/com/netscape/kra/SecurityDataRecoveryService.java ++++ b/base/kra/src/com/netscape/kra/SecurityDataRecoveryService.java +@@ -19,9 +19,14 @@ package com.netscape.kra; + + import com.netscape.certsrv.apps.CMS; + import com.netscape.certsrv.base.EBaseException; ++import com.netscape.certsrv.dbs.keydb.KeyId; + import com.netscape.certsrv.kra.IKeyRecoveryAuthority; ++import com.netscape.certsrv.logging.AuditEvent; ++import com.netscape.certsrv.logging.ILogger; ++import com.netscape.certsrv.logging.event.SecurityDataRecoveryProcessedEvent; + import com.netscape.certsrv.request.IRequest; + import com.netscape.certsrv.request.IService; ++import com.netscape.certsrv.request.RequestId; + + import netscape.security.util.DerValue; + import netscape.security.x509.X509Key; + + /** + * This implementation services SecurityData Recovery requests. 
+@@ -33,6 +38,7 @@ public class SecurityDataRecoveryService implements IService { + + private IKeyRecoveryAuthority kra = null; + private SecurityDataProcessor processor = null; ++ private ILogger signedAuditLogger = CMS.getSignedAuditLogger(); + + public SecurityDataRecoveryService(IKeyRecoveryAuthority kra) { + this.kra = kra; +@@ -57,8 +63,65 @@ public class SecurityDataRecoveryService implements IService { + throws EBaseException { + + CMS.debug("SecurityDataRecoveryService.serviceRequest()"); +- processor.recover(request); +- kra.getRequestQueue().updateRequest(request); ++ ++ // parameters for auditing ++ String auditSubjectID = request.getExtDataInString(IRequest.ATTR_REQUEST_OWNER); ++ KeyId keyId = new KeyId(request.getExtDataInBigInteger("serialNumber")); ++ RequestId requestID = request.getRequestId(); ++ String approvers = request.getExtDataInString(IRequest.ATTR_APPROVE_AGENTS); ++ ++ try { ++ processor.recover(request); ++ kra.getRequestQueue().updateRequest(request); ++ auditRecoveryRequestProcessed( ++ auditSubjectID, ++ ILogger.SUCCESS, ++ requestID, ++ keyId, ++ null, ++ approvers); ++ } catch (EBaseException e) { ++ auditRecoveryRequestProcessed( ++ auditSubjectID, ++ ILogger.FAILURE, ++ requestID, ++ keyId, ++ e.getMessage(), ++ approvers); ++ throw e; ++ } + return false; //TODO: return true? 
+ } ++ ++ private void audit(AuditEvent event) { ++ ++ String template = event.getMessage(); ++ Object[] params = event.getParameters(); ++ ++ String message = CMS.getLogMessage(template, params); ++ ++ audit(message); ++ } ++ ++ private void audit(String msg) { ++ if (signedAuditLogger == null) ++ return; ++ ++ signedAuditLogger.log(ILogger.EV_SIGNED_AUDIT, ++ null, ++ ILogger.S_SIGNED_AUDIT, ++ ILogger.LL_SECURITY, ++ msg); ++ } ++ ++ private void auditRecoveryRequestProcessed(String subjectID, String status, RequestId requestID, ++ KeyId keyID, String reason, String recoveryAgents) { ++ audit(new SecurityDataRecoveryProcessedEvent( ++ subjectID, ++ status, ++ requestID, ++ keyID, ++ reason, ++ recoveryAgents)); ++ } + } +diff --git a/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java b/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java +index 52799e6..8edb928 100644 +--- a/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java ++++ b/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java +@@ -117,13 +117,10 @@ public class KeyService extends SubsystemService implements KeyResource { + public Response retrieveKey(KeyRecoveryRequest data) { + try { + Response response = retrieveKeyImpl(data); +- auditRetrieveKey(ILogger.SUCCESS); + return response; + } catch(RuntimeException e) { +- auditRetrieveKeyError(e.getMessage()); + throw e; + } catch (Exception e) { +- auditRetrieveKeyError(e.getMessage()); + throw new PKIException(e.getMessage(), e); + } + } +@@ -137,6 +134,7 @@ public class KeyService extends SubsystemService implements KeyResource { + CMS.debug(auditInfo); + + if (data == null) { ++ auditRetrieveKeyError("Bad Request: Missing key Recovery Request"); + throw new BadRequestException("Missing key Recovery Request"); + } + +@@ -152,10 +150,12 @@ public class KeyService extends SubsystemService implements KeyResource { + try { + request = queue.findRequest(requestId); + } catch (EBaseException e) { ++ 
auditRetrieveKeyError(e.getMessage()); + throw new PKIException(e.getMessage(), e); + } + + if (request == null) { ++ auditRetrieveKeyError("Bad Request: No request found"); + throw new BadRequestException("No request found"); + } + +@@ -166,7 +166,8 @@ public class KeyService extends SubsystemService implements KeyResource { + } else { + keyId = data.getKeyId(); + if (keyId == null) { +- throw new BadRequestException("Missing key Recovery Request"); ++ auditRetrieveKeyError("Bad Request: Missing key recovery request and key_id"); ++ throw new BadRequestException("Missing recovery request and key id"); + } + + auditInfo += ";keyID=" + keyId.toString(); +@@ -186,6 +187,7 @@ public class KeyService extends SubsystemService implements KeyResource { + request = reqDAO.createRecoveryRequest(data, uriInfo, getRequestor(), + getAuthToken(), ephemeral); + } catch (EBaseException e) { ++ auditRetrieveKeyError("Unable to create recovery request: " + e.getMessage()); + throw new PKIException(e.getMessage(), e); + } + +@@ -248,6 +250,7 @@ public class KeyService extends SubsystemService implements KeyResource { + auditRecoveryRequestProcessed(ILogger.SUCCESS, null); + + CMS.debug("KeyService: key retrieved"); ++ auditRetrieveKey(ILogger.SUCCESS); + return createOKResponse(keyData); + } + +-- +1.8.3.1 + + +From f6cc8db2fbd9ab509c4285e944306b31cf068a5f Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Wed, 24 May 2017 06:38:50 +0200 +Subject: [PATCH 15/38] Cleaned up DefStore.processRequest() (part 1). + +An if-statement in DefStore.processRequest() has been modified +to return early for clarity. The code indentation has been adjusted +accordingly. 
+ +https://pagure.io/dogtagpki/issue/2652 + +Change-Id: Ib506bdac88e017197b2a192e952b54be1456eac0 +--- + .../cms/src/com/netscape/cms/ocsp/DefStore.java | 121 +++++++++++---------- + 1 file changed, 62 insertions(+), 59 deletions(-) + +diff --git a/base/server/cms/src/com/netscape/cms/ocsp/DefStore.java b/base/server/cms/src/com/netscape/cms/ocsp/DefStore.java +index 217c568..9882acd 100644 +--- a/base/server/cms/src/com/netscape/cms/ocsp/DefStore.java ++++ b/base/server/cms/src/com/netscape/cms/ocsp/DefStore.java +@@ -27,11 +27,6 @@ import java.util.Hashtable; + import java.util.Locale; + import java.util.Vector; + +-import netscape.security.x509.RevokedCertificate; +-import netscape.security.x509.X509CRLImpl; +-import netscape.security.x509.X509CertImpl; +-import netscape.security.x509.X509Key; +- + import org.mozilla.jss.asn1.ASN1Util; + import org.mozilla.jss.asn1.GeneralizedTime; + import org.mozilla.jss.asn1.INTEGER; +@@ -73,6 +68,11 @@ import com.netscape.cmsutil.ocsp.SingleResponse; + import com.netscape.cmsutil.ocsp.TBSRequest; + import com.netscape.cmsutil.ocsp.UnknownInfo; + ++import netscape.security.x509.RevokedCertificate; ++import netscape.security.x509.X509CRLImpl; ++import netscape.security.x509.X509CertImpl; ++import netscape.security.x509.X509Key; ++ + /** + * This is the default OCSP store that stores revocation information + * as certificate record (CMS internal data structure). 
+@@ -481,77 +481,80 @@ public class DefStore implements IDefStore, IExtendedPluginInfo { + incReqCount(theRec.getId()); + } + ++ if (theCert == null) { ++ return null; ++ } ++ + // check the serial number +- if (theCert != null) { +- INTEGER serialNo = cid.getSerialNumber(); ++ INTEGER serialNo = cid.getSerialNumber(); + +- log(ILogger.EV_AUDIT, AuditFormat.LEVEL, "Checked Status of certificate 0x" + serialNo.toString(16)); +- CMS.debug("DefStore: process request 0x" + serialNo.toString(16)); +- CertStatus certStatus = null; +- GeneralizedTime thisUpdate = null; ++ log(ILogger.EV_AUDIT, AuditFormat.LEVEL, "Checked Status of certificate 0x" + serialNo.toString(16)); ++ CMS.debug("DefStore: process request 0x" + serialNo.toString(16)); ++ CertStatus certStatus = null; ++ GeneralizedTime thisUpdate = null; + ++ if (theRec == null) { ++ thisUpdate = new GeneralizedTime(CMS.getCurrentDate()); ++ } else { ++ thisUpdate = new GeneralizedTime( ++ theRec.getThisUpdate()); ++ } ++ GeneralizedTime nextUpdate = null; ++ ++ if (includeNextUpdate()) { ++ // this is an optional field + if (theRec == null) { +- thisUpdate = new GeneralizedTime(CMS.getCurrentDate()); ++ nextUpdate = new GeneralizedTime(CMS.getCurrentDate()); + } else { +- thisUpdate = new GeneralizedTime( +- theRec.getThisUpdate()); +- } +- GeneralizedTime nextUpdate = null; +- +- if (includeNextUpdate()) { +- // this is an optional field +- if (theRec == null) { +- nextUpdate = new GeneralizedTime(CMS.getCurrentDate()); +- } else { +- nextUpdate = new GeneralizedTime( +- theRec.getNextUpdate()); +- } ++ nextUpdate = new GeneralizedTime( ++ theRec.getNextUpdate()); + } ++ } + +- if (theCRL == null) { +- certStatus = new UnknownInfo(); +- +- // if crl is not available, we can try crl cache +- if (theRec != null) { +- CMS.debug("DefStore: evaluating crl cache"); +- Hashtable cache = theRec.getCRLCacheNoClone(); +- if (cache != null) { +- RevokedCertificate rc = cache.get(new BigInteger(serialNo.toString())); +- if 
(rc == null) { +- if (isNotFoundGood()) { +- certStatus = new GoodInfo(); +- } else { +- certStatus = new UnknownInfo(); +- } ++ if (theCRL == null) { ++ certStatus = new UnknownInfo(); ++ ++ // if crl is not available, we can try crl cache ++ if (theRec != null) { ++ CMS.debug("DefStore: evaluating crl cache"); ++ Hashtable cache = theRec.getCRLCacheNoClone(); ++ if (cache != null) { ++ RevokedCertificate rc = cache.get(new BigInteger(serialNo.toString())); ++ if (rc == null) { ++ if (isNotFoundGood()) { ++ certStatus = new GoodInfo(); + } else { +- +- certStatus = new RevokedInfo( +- new GeneralizedTime( +- rc.getRevocationDate())); ++ certStatus = new UnknownInfo(); + } ++ } else { ++ ++ certStatus = new RevokedInfo( ++ new GeneralizedTime( ++ rc.getRevocationDate())); + } + } ++ } + +- } else { +- CMS.debug("DefStore: evaluating x509 crl impl"); +- X509CRLEntry crlentry = theCRL.getRevokedCertificate(new BigInteger(serialNo.toString())); ++ } else { ++ CMS.debug("DefStore: evaluating x509 crl impl"); ++ X509CRLEntry crlentry = theCRL.getRevokedCertificate(new BigInteger(serialNo.toString())); + +- if (crlentry == null) { +- // good or unknown +- if (isNotFoundGood()) { +- certStatus = new GoodInfo(); +- } else { +- certStatus = new UnknownInfo(); +- } ++ if (crlentry == null) { ++ // good or unknown ++ if (isNotFoundGood()) { ++ certStatus = new GoodInfo(); + } else { +- certStatus = new RevokedInfo(new GeneralizedTime( +- crlentry.getRevocationDate())); +- ++ certStatus = new UnknownInfo(); + } ++ } else { ++ certStatus = new RevokedInfo(new GeneralizedTime( ++ crlentry.getRevocationDate())); ++ + } +- return new SingleResponse(cid, certStatus, thisUpdate, +- nextUpdate); + } ++ return new SingleResponse(cid, certStatus, thisUpdate, ++ nextUpdate); ++ + } catch (Exception e) { + // error log + CMS.debug("DefStore: failed processing request e=" + e); +-- +1.8.3.1 + + +From 4511646ecec5b99dfb0ab31fc604a8765313941e Mon Sep 17 00:00:00 2001 +From: "Endi S. 
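Review bot: The `isNotFoundGood()` policy — a serial absent from the CRL cache (this hunk) or from `theCRL` (the `crlentry == null` branch, also touched by patch 16's hunk) is answered as `GoodInfo` — is security-relevant and undocumented, and the flattened layout makes it read like an ordinary default. A comment at the first `if (isNotFoundGood())` would state the assumption: `// notFoundGood: a serial missing from the CRL/cache is reported GOOD rather than UNKNOWN; sound only while this issuer's CRL is complete and current`. `processRequest()` begins before this hunk, so the earlier `theCRL`/`theRec` lookup is not visible here.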
Dewata" +Date: Wed, 24 May 2017 06:48:58 +0200 +Subject: [PATCH 16/38] Cleaned up DefStore.processRequest() (part 2). + +An if-statement in DefStore.processRequest() has been modified +to return early for clarity. The code indentation has been adjusted +accordingly. + +https://pagure.io/dogtagpki/issue/2652 + +Change-Id: Ife5a1e3c2d4a09a687acc2714948b670fd31bfe3 +--- + .../cms/src/com/netscape/cms/ocsp/DefStore.java | 31 ++++++++++++---------- + 1 file changed, 17 insertions(+), 14 deletions(-) + +diff --git a/base/server/cms/src/com/netscape/cms/ocsp/DefStore.java b/base/server/cms/src/com/netscape/cms/ocsp/DefStore.java +index 9882acd..0b29b08 100644 +--- a/base/server/cms/src/com/netscape/cms/ocsp/DefStore.java ++++ b/base/server/cms/src/com/netscape/cms/ocsp/DefStore.java +@@ -535,23 +535,26 @@ public class DefStore implements IDefStore, IExtendedPluginInfo { + } + } + +- } else { +- CMS.debug("DefStore: evaluating x509 crl impl"); +- X509CRLEntry crlentry = theCRL.getRevokedCertificate(new BigInteger(serialNo.toString())); +- +- if (crlentry == null) { +- // good or unknown +- if (isNotFoundGood()) { +- certStatus = new GoodInfo(); +- } else { +- certStatus = new UnknownInfo(); +- } +- } else { +- certStatus = new RevokedInfo(new GeneralizedTime( +- crlentry.getRevocationDate())); ++ return new SingleResponse(cid, certStatus, thisUpdate, ++ nextUpdate); ++ } ++ ++ CMS.debug("DefStore: evaluating x509 crl impl"); ++ X509CRLEntry crlentry = theCRL.getRevokedCertificate(new BigInteger(serialNo.toString())); + ++ if (crlentry == null) { ++ // good or unknown ++ if (isNotFoundGood()) { ++ certStatus = new GoodInfo(); ++ } else { ++ certStatus = new UnknownInfo(); + } ++ } else { ++ certStatus = new RevokedInfo(new GeneralizedTime( ++ crlentry.getRevocationDate())); ++ + } ++ + return new SingleResponse(cid, certStatus, thisUpdate, + nextUpdate); + +-- +1.8.3.1 + + +From 7d39f6ecfe4c29c14948e4b5d30fde93d7f0f8e6 Mon Sep 17 00:00:00 2001 +From: "Endi S. 
Dewata" +Date: Wed, 24 May 2017 18:07:42 +0200 +Subject: [PATCH 17/38] Cleaned up DefStore.processRequest() (part 3). + +Some nested if-statements in DefStore.processRequest() has been +merged for clarity. + +https://pagure.io/dogtagpki/issue/2652 + +Change-Id: Iedbda7d884cd4735a9c591a57d05b1086b4cb36d +--- + .../cms/src/com/netscape/cms/ocsp/DefStore.java | 20 +++++++++++--------- + 1 file changed, 11 insertions(+), 9 deletions(-) + +diff --git a/base/server/cms/src/com/netscape/cms/ocsp/DefStore.java b/base/server/cms/src/com/netscape/cms/ocsp/DefStore.java +index 0b29b08..676257b 100644 +--- a/base/server/cms/src/com/netscape/cms/ocsp/DefStore.java ++++ b/base/server/cms/src/com/netscape/cms/ocsp/DefStore.java +@@ -499,16 +499,18 @@ public class DefStore implements IDefStore, IExtendedPluginInfo { + thisUpdate = new GeneralizedTime( + theRec.getThisUpdate()); + } +- GeneralizedTime nextUpdate = null; + +- if (includeNextUpdate()) { +- // this is an optional field +- if (theRec == null) { +- nextUpdate = new GeneralizedTime(CMS.getCurrentDate()); +- } else { +- nextUpdate = new GeneralizedTime( +- theRec.getNextUpdate()); +- } ++ // this is an optional field ++ GeneralizedTime nextUpdate; ++ ++ if (!includeNextUpdate()) { ++ nextUpdate = null; ++ ++ } else if (theRec == null) { ++ nextUpdate = new GeneralizedTime(CMS.getCurrentDate()); ++ ++ } else { ++ nextUpdate = new GeneralizedTime(theRec.getNextUpdate()); + } + + if (theCRL == null) { +-- +1.8.3.1 + + +From 9d74c8f2f6291e9bac433c950168d68fa5fc90c8 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Wed, 24 May 2017 05:06:31 +0200 +Subject: [PATCH 18/38] Updated OCSP log messages. + +Some log messages in OCSP-related code have been updated for +clarity. 
+ +https://pagure.io/dogtagpki/issue/2652 + +Change-Id: Ie81b95906a0d9aef6126fb205a4bcec028731e39 +--- + base/ocsp/src/com/netscape/ocsp/OCSPAuthority.java | 10 +++++--- + .../cms/src/com/netscape/cms/ocsp/DefStore.java | 27 ++++++++++++++++------ + .../com/netscape/cms/servlet/ocsp/OCSPServlet.java | 7 ++++-- + 3 files changed, 32 insertions(+), 12 deletions(-) + +diff --git a/base/ocsp/src/com/netscape/ocsp/OCSPAuthority.java b/base/ocsp/src/com/netscape/ocsp/OCSPAuthority.java +index 09b85b4..14dd338 100644 +--- a/base/ocsp/src/com/netscape/ocsp/OCSPAuthority.java ++++ b/base/ocsp/src/com/netscape/ocsp/OCSPAuthority.java +@@ -415,6 +415,7 @@ public class OCSPAuthority implements IOCSPAuthority, IOCSPService, ISubsystem, + */ + public BasicOCSPResponse sign(ResponseData rd) + throws EBaseException { ++ + try (DerOutputStream out = new DerOutputStream()) { + DerOutputStream tmp = new DerOutputStream(); + +@@ -424,9 +425,11 @@ public class OCSPAuthority implements IOCSPAuthority, IOCSPService, ISubsystem, + if (rd_data != null) { + mTotalData += rd_data.length; + } ++ + rd.encode(tmp); + AlgorithmId.get(algname).encode(tmp); +- CMS.debug("adding signature"); ++ ++ CMS.debug("OCSPAuthority: adding signature"); + byte[] signature = mSigningUnit.sign(rd_data, algname); + + tmp.putBitString(signature); +@@ -440,6 +443,7 @@ public class OCSPAuthority implements IOCSPAuthority, IOCSPService, ISubsystem, + for (int i = 0; i < chains.length; i++) { + tmpChain.putDerValue(new DerValue(chains[i].getEncoded())); + } ++ + tmp1.write(DerValue.tag_Sequence, tmpChain); + tmp.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 0), + tmp1); +@@ -449,9 +453,9 @@ public class OCSPAuthority implements IOCSPAuthority, IOCSPService, ISubsystem, + BasicOCSPResponse response = new BasicOCSPResponse(out.toByteArray()); + + return response; ++ + } catch (Exception e) { +- e.printStackTrace(); +- // error e ++ CMS.debug(e); + log(ILogger.LL_FAILURE, 
CMS.getLogMessage("CMSCORE_OCSP_SIGN_RESPONSE", e.toString())); + return null; + } +diff --git a/base/server/cms/src/com/netscape/cms/ocsp/DefStore.java b/base/server/cms/src/com/netscape/cms/ocsp/DefStore.java +index 676257b..ea095ba 100644 +--- a/base/server/cms/src/com/netscape/cms/ocsp/DefStore.java ++++ b/base/server/cms/src/com/netscape/cms/ocsp/DefStore.java +@@ -409,8 +409,9 @@ public class DefStore implements IDefStore, IExtendedPluginInfo { + long endTime = CMS.getCurrentDate().getTime(); + mOCSPAuthority.incTotalTime(endTime - startTime); + return response; ++ + } catch (Exception e) { +- CMS.debug("DefStore: validation failed " + e.toString()); ++ CMS.debug(e); + log(ILogger.LL_FAILURE, CMS.getLogMessage("OCSP_REQUEST_FAILURE", e.toString())); + return null; + } +@@ -449,6 +450,7 @@ public class DefStore implements IDefStore, IExtendedPluginInfo { + log(ILogger.LL_FAILURE, CMS.getLogMessage("OCSP_DECODE_CERT", e.toString())); + return null; + } ++ + MessageDigest md = MessageDigest.getInstance(cid.getDigestName()); + X509Key key = (X509Key) cert.getPublicKey(); + byte digest[] = md.digest(key.getKey()); +@@ -474,6 +476,7 @@ public class DefStore implements IDefStore, IExtendedPluginInfo { + break; + } + } ++ + } else { + theCert = matched.getX509CertImpl(); + theRec = matched.getCRLIssuingPointRecord(); +@@ -490,16 +493,19 @@ public class DefStore implements IDefStore, IExtendedPluginInfo { + + log(ILogger.EV_AUDIT, AuditFormat.LEVEL, "Checked Status of certificate 0x" + serialNo.toString(16)); + CMS.debug("DefStore: process request 0x" + serialNo.toString(16)); +- CertStatus certStatus = null; +- GeneralizedTime thisUpdate = null; ++ ++ GeneralizedTime thisUpdate; + + if (theRec == null) { + thisUpdate = new GeneralizedTime(CMS.getCurrentDate()); + } else { +- thisUpdate = new GeneralizedTime( +- theRec.getThisUpdate()); ++ Date d = theRec.getThisUpdate(); ++ CMS.debug("DefStore: CRL record this update: " + d); ++ thisUpdate = new GeneralizedTime(d); + 
} + ++ CMS.debug("DefStore: this update: " + thisUpdate.toDate()); ++ + // this is an optional field + GeneralizedTime nextUpdate; + +@@ -510,9 +516,15 @@ public class DefStore implements IDefStore, IExtendedPluginInfo { + nextUpdate = new GeneralizedTime(CMS.getCurrentDate()); + + } else { +- nextUpdate = new GeneralizedTime(theRec.getNextUpdate()); ++ Date d = theRec.getNextUpdate(); ++ CMS.debug("DefStore: CRL record next update: " + d); ++ nextUpdate = new GeneralizedTime(d); + } + ++ CMS.debug("DefStore: next update: " + (nextUpdate == null ? null : nextUpdate.toDate())); ++ ++ CertStatus certStatus; ++ + if (theCRL == null) { + certStatus = new UnknownInfo(); + +@@ -551,10 +563,10 @@ public class DefStore implements IDefStore, IExtendedPluginInfo { + } else { + certStatus = new UnknownInfo(); + } ++ + } else { + certStatus = new RevokedInfo(new GeneralizedTime( + crlentry.getRevocationDate())); +- + } + + return new SingleResponse(cid, certStatus, thisUpdate, +@@ -564,6 +576,7 @@ public class DefStore implements IDefStore, IExtendedPluginInfo { + // error log + CMS.debug("DefStore: failed processing request e=" + e); + } ++ + return null; + } + +diff --git a/base/server/cms/src/com/netscape/cms/servlet/ocsp/OCSPServlet.java b/base/server/cms/src/com/netscape/cms/servlet/ocsp/OCSPServlet.java +index 940bf65..5fde89d 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/ocsp/OCSPServlet.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/ocsp/OCSPServlet.java +@@ -198,16 +198,19 @@ public class OCSPServlet extends CMSServlet { + throw new Exception("OCSPServlet: OCSP request is " + + "empty or malformed"); + } ++ + ocspReq = (OCSPRequest) reqTemplate.decode(is); ++ + if ((ocspReq == null) || + (ocspReq.toString().equals(""))) { + throw new Exception("OCSPServlet: Decoded OCSP request " + + "is empty or malformed"); + } ++ + response = ((IOCSPService) mAuthority).validate(ocspReq); ++ + } catch (Exception e) { +- ; +- CMS.debug("OCSPServlet: " + 
e.toString()); ++ CMS.debug(e); + } + + if (response != null) { +-- +1.8.3.1 + + +From 84f3958dc9c1c5bfab4a8789e621d621a28cbdd6 Mon Sep 17 00:00:00 2001 +From: Jack Magne +Date: Mon, 10 Apr 2017 11:27:12 -0700 +Subject: [PATCH 19/38] Now the program can create and import shared secret + keys while under FIPS mode. + +--- + base/native-tools/src/tkstool/key.c | 102 ++++++++++++++++++++++++++------ + base/native-tools/src/tkstool/tkstool.c | 4 +- + base/native-tools/src/tkstool/tkstool.h | 3 +- + 3 files changed, 87 insertions(+), 22 deletions(-) + +diff --git a/base/native-tools/src/tkstool/key.c b/base/native-tools/src/tkstool/key.c +index 4fd3796..e63da93 100644 +--- a/base/native-tools/src/tkstool/key.c ++++ b/base/native-tools/src/tkstool/key.c +@@ -19,6 +19,11 @@ + + #include "tkstool.h" + ++secuPWData pwdata = { PW_NONE, ++ 0 }; ++ ++ ++ + /*******************************/ + /** local private functions **/ + /*******************************/ +@@ -534,16 +539,26 @@ TKS_ComputeAndDisplayKCV( PRUint8 *newKey, + goto done; + } + +- key = PK11_ImportSymKeyWithFlags( +- /* slot */ slot, +- /* mechanism type */ CKM_DES3_ECB, +- /* origin */ PK11_OriginGenerated, +- /* operation */ CKA_ENCRYPT, +- /* key */ &keyItem, +- /* flags */ CKF_ENCRYPT, +- /* isPerm */ PR_FALSE, +- /* wincx */ 0 ); ++ key = TKS_ImportSymmetricKey( NULL, ++ slot, ++ CKM_DES3_ECB, ++ CKA_ENCRYPT, ++ &keyItem, ++ &pwdata, PR_FALSE ); ++ ++ + ++ ++ /* key = PK11_ImportSymKeyWithFlags( ++ slot, ++ CKM_DES3_ECB, ++ PK11_OriginGenerated, ++ CKA_ENCRYPT, ++ &keyItem, ++ CKF_ENCRYPT, ++ PR_FALSE, ++ 0 ); ++ */ + if( ! 
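Review bot: The rewritten catch block records a malformed or undecodable OCSP request only through `CMS.debug(e)` and then falls through to the `if (response != null)` check, so at the default log level a stream of bad requests leaves no failure-level trace, which is the signal an operator would watch for parsing problems. Logging the failure at the servlet's failure level in addition to the debug trace, e.g. `CMS.debug(e); log(ILogger.LL_FAILURE, "OCSPServlet: unable to process OCSP request: " + e.getMessage());`, keeps the detail while making the event visible; `log` here assumes the CMSServlet helper, which is not shown in this hunk. The enclosing method starts before the hunk.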
key ) { + PR_fprintf( PR_STDERR, + "ERROR: Failed to import %s key!\n\n\n", +@@ -1062,10 +1077,18 @@ TKS_ImportSymmetricKey( char *symmetricKeyName, + CK_MECHANISM_TYPE mechanism, + CK_ATTRIBUTE_TYPE operation, + SECItem *sessionKeyShare, +- secuPWData *pwdata ) ++ secuPWData *pwdata, PRBool isPerm ) + { + PK11Origin origin = PK11_OriginGenerated; + PK11SymKey *symKey = NULL; ++ PK11SymKey *sessKey = NULL; ++ PK11Context *context = NULL; ++ static SECItem noParams = { siBuffer, NULL, 0 }; ++ SECItem wrappeditem = { siBuffer, NULL, 0 }; ++ ++ int len = 0; ++ unsigned char wrappedkey[DES_LENGTH * 3]; ++ SECStatus s = SECSuccess; + + if( slot == NULL ) { + return NULL; +@@ -1077,15 +1100,56 @@ TKS_ImportSymmetricKey( char *symmetricKeyName, + "Generating %s symmetric key . . .\n\n", + symmetricKeyName ); + +- symKey = PK11_ImportSymKeyWithFlags( +- /* slot */ slot, +- /* mechanism type */ mechanism, +- /* origin */ origin, +- /* operation */ operation, +- /* key */ sessionKeyShare, +- /* flags */ 0, +- /* isPerm */ PR_FALSE, +- /* wincx */ pwdata ); ++ sessKey = PK11_TokenKeyGenWithFlags(slot, // slot handle ++ CKM_DES3_KEY_GEN, // mechanism type ++ NULL, // pointer to params (SECItem structure) ++ 0, // keySize (per documentation in pk11skey.c, must be 0 for fixed key length algorithms) ++ 0, // pointer to keyid (SECItem structure) ++ CKF_WRAP | CKF_UNWRAP | CKF_ENCRYPT | CKF_DECRYPT, // opFlags ++ PK11_ATTR_PRIVATE | PK11_ATTR_UNEXTRACTABLE | PK11_ATTR_SENSITIVE, // attrFlags (AC: this is my "best guess" as to what flags should be set) ++ NULL); ++ ++ if( sessKey == NULL ) { ++ goto cleanup; ++ } ++ ++ // Import the key onto the token using the temp session key and the key data. 
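Review bot: `TKS_ImportSymmetricKey( NULL, ...)` passes a NULL name, and the callee's context lines in the next hunk show `PR_fprintf( ..., "Generating %s symmetric key . . .\n\n", symmetricKeyName )`, so `%s` receives NULL — undefined behaviour in C that some runtimes print as `(null)` and others crash on; pass a non-NULL label for the KCV key instead. The call also hands over the file-scope `pwdata` initialised to `PW_NONE` by this patch's first hunk, so if the slot requires a login the import has no password source — whether the caller has already authenticated the slot is not visible here. The commented-out `PK11_ImportSymKeyWithFlags` block should be deleted rather than kept as dead code.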
++ // ++ ++ context = PK11_CreateContextBySymKey(CKM_DES3_ECB, CKA_ENCRYPT, ++ sessKey, ++ &noParams); ++ ++ if (context == NULL) { ++ goto cleanup; ++ } ++ ++ len = sessionKeyShare->len; ++ /* encrypt the key with the master key */ ++ s = PK11_CipherOp(context, wrappedkey, &len, DES_LENGTH * 3 , sessionKeyShare->data ,DES_LENGTH * 3 ); ++ if (s != SECSuccess) ++ { ++ goto cleanup; ++ } ++ ++ wrappeditem.data = wrappedkey; ++ wrappeditem.len = len; ++ ++ symKey = PK11_UnwrapSymKeyWithFlagsPerm(sessKey, CKM_DES3_ECB, &noParams, ++ &wrappeditem, CKM_DES3_KEY_GEN, CKA_DECRYPT, DES_LENGTH * 3, ++ (CKA_ENCRYPT | CKA_DECRYPT) & CKF_KEY_OPERATION_FLAGS, isPerm ); ++ ++cleanup: ++ if( sessKey != NULL) { ++ PK11_FreeSymKey( sessKey ); ++ sessKey = NULL; ++ } ++ ++ if( context ) { ++ PK11_DestroyContext( ++ /* context */ context, ++ /* free it */ PR_TRUE ); ++ } + return symKey; + } + +diff --git a/base/native-tools/src/tkstool/tkstool.c b/base/native-tools/src/tkstool/tkstool.c +index 6fd2a97..53781e4 100644 +--- a/base/native-tools/src/tkstool/tkstool.c ++++ b/base/native-tools/src/tkstool/tkstool.c +@@ -1417,14 +1417,14 @@ main( int argc, char **argv ) + CKM_DES3_KEY_GEN, + CKA_ENCRYPT, + &paddedFirstSessionKeyShare, +- &pwdata ); ++ &pwdata, PR_FALSE ); + #else + firstSymmetricKey = TKS_ImportSymmetricKey( FIRST_SYMMETRIC_KEY, + internalSlot, + CKM_DES2_KEY_GEN, + CKA_ENCRYPT, + &firstSessionKeyShare, +- &pwdata ); ++ &pwdata , PR_FALSE ); + #endif + if( firstSymmetricKey == NULL ) { + PR_fprintf( PR_STDERR, +diff --git a/base/native-tools/src/tkstool/tkstool.h b/base/native-tools/src/tkstool/tkstool.h +index 4c276b0..80fdafd 100644 +--- a/base/native-tools/src/tkstool/tkstool.h ++++ b/base/native-tools/src/tkstool/tkstool.h +@@ -124,6 +124,7 @@ + "and press enter to continue " \ + "(or ^C to break): " + ++#define CKF_KEY_OPERATION_FLAGS 0x000e7b00UL + + /**************************************/ + /** external function declarations **/ +@@ -222,7 +223,7 @@ 
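Review bot: The unwrap flags `(CKA_ENCRYPT | CKA_DECRYPT) & CKF_KEY_OPERATION_FLAGS` mix CKA_* attribute-type identifiers with a CKF_* bit mask, so the resulting flag set is whatever bits the two attribute ids happen to share with the mask rather than the intended encrypt+decrypt permissions; `CKF_ENCRYPT | CKF_DECRYPT` expresses the intent directly. The encrypt step also uses the fixed length `DES_LENGTH * 3` for the input while the caller's `#else` path in tkstool.c passes a DES2 share, so `sessionKeyShare->len` should bound the input (checked against `sizeof(wrappedkey)`, declared in the previous hunk), and the `mechanism`/`operation` parameters are now ignored in favour of hard-coded `CKM_DES3_KEY_GEN`/`CKA_DECRYPT`, which changes the key type the DES2 caller receives. The `AC: this is my "best guess"` comment on the session-key attribute flags should be replaced by a statement of why `PK11_ATTR_PRIVATE | PK11_ATTR_UNEXTRACTABLE | PK11_ATTR_SENSITIVE` is required for the ephemeral wrapping key. `TKS_ImportSymmetricKey` starts in the previous hunk, and every failure path here returns NULL without a message.
```c
/* … unchanged: session key generation and context creation … */

/* Wrap the caller's key share under the ephemeral session key; the share may be
 * shorter than the wrap buffer (DES2 vs DES3), so bound the copy by its length. */
if (sessionKeyShare->len > sizeof(wrappedkey)) {
    goto cleanup;
}
s = PK11_CipherOp(context, wrappedkey, &len, sizeof(wrappedkey),
                  sessionKeyShare->data, sessionKeyShare->len);
if (s != SECSuccess) {
    goto cleanup;
}

wrappeditem.data = wrappedkey;
wrappeditem.len = len;

symKey = PK11_UnwrapSymKeyWithFlagsPerm(sessKey, CKM_DES3_ECB, &noParams,
                                        &wrappeditem, mechanism, operation,
                                        sessionKeyShare->len,
                                        CKF_ENCRYPT | CKF_DECRYPT, isPerm);

/* … unchanged: cleanup … */
```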
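Review bot: `#define CKF_KEY_OPERATION_FLAGS 0x000e7b00UL` in tkstool.h reuses a macro name that, in the NSS versions I know, `secmodt.h` already defines with the same value; if that header is reachable through tkstool.h's includes the redefinition is at best a compiler warning and at worst silently drifts if NSS changes its value. Guarding it — `#ifndef CKF_KEY_OPERATION_FLAGS` / `#define CKF_KEY_OPERATION_FLAGS 0x000e7b00UL` / `#endif` — or relying on the NSS definition avoids the duplicate. The surrounding header content is not visible here.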
TKS_ImportSymmetricKey( char *symmetricKeyName, + CK_MECHANISM_TYPE mechanism, + CK_ATTRIBUTE_TYPE operation, + SECItem *sessionKeyShare, +- secuPWData *pwdata ); ++ secuPWData *pwdata, PRBool isPerm ); + + PK11SymKey * + TKS_DeriveSymmetricKey( char *symmetricKeyName, +-- +1.8.3.1 + + +From 3ddc916954d712f6fe25497789925fecebef20fc Mon Sep 17 00:00:00 2001 +From: Ade Lee +Date: Wed, 24 May 2017 12:31:45 -0400 +Subject: [PATCH 20/38] Encapsulate symmetric and asymmetric keygen audit + events + +Change-Id: Ifc8d05bd1d2d34bb0ef25877f838731bed58d00e +--- + .../com/netscape/certsrv/logging/AuditEvent.java | 8 ---- + .../logging/event/AsymKeyGenerationEvent.java | 45 +++++++++++++++++++ + .../event/AsymKeyGenerationProcessedEvent.java | 51 ++++++++++++++++++++++ + .../logging/event/SymKeyGenerationEvent.java | 45 +++++++++++++++++++ + .../event/SymKeyGenerationProcessedEvent.java | 50 +++++++++++++++++++++ + .../src/com/netscape/kra/AsymKeyGenService.java | 20 ++++----- + .../kra/src/com/netscape/kra/SymKeyGenService.java | 16 +++---- + .../server/kra/rest/KeyRequestService.java | 19 ++++---- + base/server/cmsbundle/src/LogMessages.properties | 8 ++-- + 9 files changed, 221 insertions(+), 41 deletions(-) + create mode 100644 base/common/src/com/netscape/certsrv/logging/event/AsymKeyGenerationEvent.java + create mode 100644 base/common/src/com/netscape/certsrv/logging/event/AsymKeyGenerationProcessedEvent.java + create mode 100644 base/common/src/com/netscape/certsrv/logging/event/SymKeyGenerationEvent.java + create mode 100644 base/common/src/com/netscape/certsrv/logging/event/SymKeyGenerationProcessedEvent.java + +diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java +index 891398d..beedb9f 100644 +--- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java ++++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java +@@ -166,14 +166,6 @@ public class AuditEvent implements 
IBundleLogEvent { + + public final static String KEY_STATUS_CHANGE = + "LOGGING_SIGNED_AUDIT_KEY_STATUS_CHANGE_6"; +- public final static String SYMKEY_GENERATION_REQUEST_PROCESSED = +- "LOGGING_SIGNED_AUDIT_SYMKEY_GEN_REQUEST_PROCESSED_6"; +- public static final String SYMKEY_GENERATION_REQUEST = +- "LOGGING_SIGNED_AUDIT_SYMKEY_GENERATION_REQUEST_4"; +- public static final String ASYMKEY_GENERATION_REQUEST = +- "LOGGING_SIGNED_AUDIT_ASYMKEY_GENERATION_REQUEST_4"; +- public final static String ASYMKEY_GENERATION_REQUEST_PROCESSED = +- "LOGGING_SIGNED_AUDIT_ASYMKEY_GEN_REQUEST_PROCESSED_6"; + + public final static String TOKEN_CERT_ENROLLMENT = + "LOGGING_SIGNED_AUDIT_TOKEN_CERT_ENROLLMENT_9"; +diff --git a/base/common/src/com/netscape/certsrv/logging/event/AsymKeyGenerationEvent.java b/base/common/src/com/netscape/certsrv/logging/event/AsymKeyGenerationEvent.java +new file mode 100644 +index 0000000..f3236d6 +--- /dev/null ++++ b/base/common/src/com/netscape/certsrv/logging/event/AsymKeyGenerationEvent.java +@@ -0,0 +1,45 @@ ++// --- BEGIN COPYRIGHT BLOCK --- ++// This program is free software; you can redistribute it and/or modify ++// it under the terms of the GNU General Public License as published by ++// the Free Software Foundation; version 2 of the License. ++// ++// This program is distributed in the hope that it will be useful, ++// but WITHOUT ANY WARRANTY; without even the implied warranty of ++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++// GNU General Public License for more details. ++// ++// You should have received a copy of the GNU General Public License along ++// with this program; if not, write to the Free Software Foundation, Inc., ++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. ++// ++// (C) 2017 Red Hat, Inc. ++// All rights reserved. 
++// --- END COPYRIGHT BLOCK ---
++package com.netscape.certsrv.logging.event;
++
++import com.netscape.certsrv.logging.AuditEvent;
++import com.netscape.certsrv.request.RequestId;
++
++public class AsymKeyGenerationEvent extends AuditEvent {
++
++ private static final long serialVersionUID = 1L;
++
++ private static final String LOGGING_PROPERTY =
++ "LOGGING_SIGNED_AUDIT_ASYMKEY_GENERATION_REQUEST";
++
++ public AsymKeyGenerationEvent(
++ String subjectID,
++ String outcome,
++ RequestId requestID,
++ String clientKeyID) {
++
++ super(LOGGING_PROPERTY);
++
++ setParameters(new Object[] {
++ subjectID,
++ outcome,
++ requestID,
++ clientKeyID
++ });
++ }
++}
+diff --git a/base/common/src/com/netscape/certsrv/logging/event/AsymKeyGenerationProcessedEvent.java b/base/common/src/com/netscape/certsrv/logging/event/AsymKeyGenerationProcessedEvent.java
+new file mode 100644
+index 0000000..ba242de
+--- /dev/null
++++ b/base/common/src/com/netscape/certsrv/logging/event/AsymKeyGenerationProcessedEvent.java
+@@ -0,0 +1,51 @@
++// --- BEGIN COPYRIGHT BLOCK ---
++// This program is free software; you can redistribute it and/or modify
++// it under the terms of the GNU General Public License as published by
++// the Free Software Foundation; version 2 of the License.
++//
++// This program is distributed in the hope that it will be useful,
++// but WITHOUT ANY WARRANTY; without even the implied warranty of
++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++// GNU General Public License for more details.
++//
++// You should have received a copy of the GNU General Public License along
++// with this program; if not, write to the Free Software Foundation, Inc.,
++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
++//
++// (C) 2017 Red Hat, Inc.
++// All rights reserved.
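Review bot: `setParameters(new Object[] { subjectID, outcome, requestID, clientKeyID })` is positional, and nothing in `AsymKeyGenerationEvent` — nor in the sibling files `AsymKeyGenerationProcessedEvent`, `SymKeyGenerationEvent` and `SymKeyGenerationProcessedEvent` added by the following hunks — records which placeholder of the `LOGGING_PROPERTY` template each slot feeds, so a class Javadoc listing the parameters in template order (SubjectID, Outcome, RequestID, ClientKeyID, and for the Processed events KeyID and FailureReason) would keep the array and the message format from drifting apart. The key `LOGGING_SIGNED_AUDIT_ASYMKEY_GENERATION_REQUEST` also drops the `_4` suffix of the constant removed from `AuditEvent` in the earlier hunk; the diffstat lists `LogMessages.properties` with four changed lines, presumably that rename, but the hunk is outside this view, so confirm the un-suffixed keys exist. `SymKeyGenerationEvent.java` is added without a trailing newline.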
++// --- END COPYRIGHT BLOCK ---
++package com.netscape.certsrv.logging.event;
++
++import com.netscape.certsrv.dbs.keydb.KeyId;
++import com.netscape.certsrv.logging.AuditEvent;
++import com.netscape.certsrv.request.RequestId;
++
++public class AsymKeyGenerationProcessedEvent extends AuditEvent {
++
++ private static final long serialVersionUID = 1L;
++
++ private static final String LOGGING_PROPERTY =
++ "LOGGING_SIGNED_AUDIT_ASYMKEY_GEN_REQUEST_PROCESSED";
++
++ public AsymKeyGenerationProcessedEvent(
++ String subjectID,
++ String outcome,
++ RequestId requestID,
++ String clientKeyID,
++ KeyId keyID,
++ String failureReason) {
++
++ super(LOGGING_PROPERTY);
++
++ setParameters(new Object[] {
++ subjectID,
++ outcome,
++ requestID,
++ clientKeyID,
++ keyID,
++ failureReason
++ });
++ }
++}
++
+diff --git a/base/common/src/com/netscape/certsrv/logging/event/SymKeyGenerationEvent.java b/base/common/src/com/netscape/certsrv/logging/event/SymKeyGenerationEvent.java
+new file mode 100644
+index 0000000..c1b8652
+--- /dev/null
++++ b/base/common/src/com/netscape/certsrv/logging/event/SymKeyGenerationEvent.java
+@@ -0,0 +1,45 @@
++// --- BEGIN COPYRIGHT BLOCK ---
++// This program is free software; you can redistribute it and/or modify
++// it under the terms of the GNU General Public License as published by
++// the Free Software Foundation; version 2 of the License.
++//
++// This program is distributed in the hope that it will be useful,
++// but WITHOUT ANY WARRANTY; without even the implied warranty of
++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++// GNU General Public License for more details.
++//
++// You should have received a copy of the GNU General Public License along
++// with this program; if not, write to the Free Software Foundation, Inc.,
++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
++//
++// (C) 2017 Red Hat, Inc.
++// All rights reserved.
++// --- END COPYRIGHT BLOCK ---
++package com.netscape.certsrv.logging.event;
++
++import com.netscape.certsrv.logging.AuditEvent;
++import com.netscape.certsrv.request.RequestId;
++
++public class SymKeyGenerationEvent extends AuditEvent {
++
++ private static final long serialVersionUID = 1L;
++
++ private static final String LOGGING_PROPERTY =
++ "LOGGING_SIGNED_AUDIT_SYMKEY_GENERATION_REQUEST";
++
++ public SymKeyGenerationEvent(
++ String subjectID,
++ String outcome,
++ RequestId requestID,
++ String clientKeyID) {
++
++ super(LOGGING_PROPERTY);
++
++ setParameters(new Object[] {
++ subjectID,
++ outcome,
++ requestID,
++ clientKeyID
++ });
++ }
++}
+\ No newline at end of file
+diff --git a/base/common/src/com/netscape/certsrv/logging/event/SymKeyGenerationProcessedEvent.java b/base/common/src/com/netscape/certsrv/logging/event/SymKeyGenerationProcessedEvent.java
+new file mode 100644
+index 0000000..ad36d44
+--- /dev/null
++++ b/base/common/src/com/netscape/certsrv/logging/event/SymKeyGenerationProcessedEvent.java
+@@ -0,0 +1,50 @@
++// --- BEGIN COPYRIGHT BLOCK ---
++// This program is free software; you can redistribute it and/or modify
++// it under the terms of the GNU General Public License as published by
++// the Free Software Foundation; version 2 of the License.
++//
++// This program is distributed in the hope that it will be useful,
++// but WITHOUT ANY WARRANTY; without even the implied warranty of
++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++// GNU General Public License for more details.
++//
++// You should have received a copy of the GNU General Public License along
++// with this program; if not, write to the Free Software Foundation, Inc.,
++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
++//
++// (C) 2017 Red Hat, Inc.
++// All rights reserved.
++// --- END COPYRIGHT BLOCK --- ++package com.netscape.certsrv.logging.event; ++ ++import com.netscape.certsrv.dbs.keydb.KeyId; ++import com.netscape.certsrv.logging.AuditEvent; ++import com.netscape.certsrv.request.RequestId; ++ ++public class SymKeyGenerationProcessedEvent extends AuditEvent { ++ ++ private static final long serialVersionUID = 1L; ++ ++ private static final String LOGGING_PROPERTY = ++ "LOGGING_SIGNED_AUDIT_SYMKEY_GEN_REQUEST_PROCESSED"; ++ ++ public SymKeyGenerationProcessedEvent( ++ String subjectID, ++ String outcome, ++ RequestId requestID, ++ String clientKeyID, ++ KeyId keyID, ++ String failureReason) { ++ ++ super(LOGGING_PROPERTY); ++ ++ setParameters(new Object[] { ++ subjectID, ++ outcome, ++ requestID, ++ clientKeyID, ++ keyID, ++ failureReason ++ }); ++ } ++} +diff --git a/base/kra/src/com/netscape/kra/AsymKeyGenService.java b/base/kra/src/com/netscape/kra/AsymKeyGenService.java +index cfee504..ea1d0cc 100644 +--- a/base/kra/src/com/netscape/kra/AsymKeyGenService.java ++++ b/base/kra/src/com/netscape/kra/AsymKeyGenService.java +@@ -28,11 +28,13 @@ import com.netscape.certsrv.base.EBaseException; + import com.netscape.certsrv.base.IConfigStore; + import com.netscape.certsrv.dbs.keydb.IKeyRecord; + import com.netscape.certsrv.dbs.keydb.IKeyRepository; ++import com.netscape.certsrv.dbs.keydb.KeyId; + import com.netscape.certsrv.key.AsymKeyGenerationRequest; + import com.netscape.certsrv.key.KeyRequestResource; + import com.netscape.certsrv.kra.IKeyRecoveryAuthority; + import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.ILogger; ++import com.netscape.certsrv.logging.event.AsymKeyGenerationProcessedEvent; + import com.netscape.certsrv.request.IRequest; + import com.netscape.certsrv.request.IService; + import com.netscape.certsrv.request.RequestId; +@@ -144,8 +146,8 @@ public class AsymKeyGenService implements IService { + } catch (EBaseException e) { + CMS.debugStackTrace(); + 
auditAsymKeyGenRequestProcessed(auditSubjectID, ILogger.FAILURE, request.getRequestId(), +- clientKeyId, null, "Failed to generate Asymmetric key"); +- throw new EBaseException("Errors in generating Asymmetric key: " + e); ++ clientKeyId, null, "Failed to generate asymmetric key: " + e.getMessage()); ++ throw new EBaseException("Errors in generating Asymmetric key: " + e, e); + } + + if (kp == null) { +@@ -205,7 +207,7 @@ public class AsymKeyGenService implements IService { + storage.addKeyRecord(record); + + auditAsymKeyGenRequestProcessed(auditSubjectID, ILogger.SUCCESS, request.getRequestId(), +- clientKeyId, serialNo.toString(), "None"); ++ clientKeyId, new KeyId(serialNo), "None"); + request.setExtData(IRequest.RESULT, IRequest.RES_SUCCESS); + kra.getRequestQueue().updateRequest(request); + return true; +@@ -234,15 +236,13 @@ public class AsymKeyGenService implements IService { + + private void auditAsymKeyGenRequestProcessed(String subjectID, String status, RequestId requestID, + String clientKeyID, +- String keyID, String reason) { +- String auditMessage = CMS.getLogMessage( +- AuditEvent.ASYMKEY_GENERATION_REQUEST_PROCESSED, ++ KeyId keyID, String reason) { ++ audit(new AsymKeyGenerationProcessedEvent( + subjectID, + status, +- requestID.toString(), ++ requestID, + clientKeyID, +- keyID != null ? 
keyID : "None", +- reason); +- audit(auditMessage); ++ keyID, ++ reason)); + } + } +diff --git a/base/kra/src/com/netscape/kra/SymKeyGenService.java b/base/kra/src/com/netscape/kra/SymKeyGenService.java +index bf350d5..a4613c2 100644 +--- a/base/kra/src/com/netscape/kra/SymKeyGenService.java ++++ b/base/kra/src/com/netscape/kra/SymKeyGenService.java +@@ -32,11 +32,13 @@ import com.netscape.certsrv.base.EBaseException; + import com.netscape.certsrv.base.IConfigStore; + import com.netscape.certsrv.dbs.keydb.IKeyRecord; + import com.netscape.certsrv.dbs.keydb.IKeyRepository; ++import com.netscape.certsrv.dbs.keydb.KeyId; + import com.netscape.certsrv.key.KeyRequestResource; + import com.netscape.certsrv.key.SymKeyGenerationRequest; + import com.netscape.certsrv.kra.IKeyRecoveryAuthority; + import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.ILogger; ++import com.netscape.certsrv.logging.event.SymKeyGenerationProcessedEvent; + import com.netscape.certsrv.request.IRequest; + import com.netscape.certsrv.request.IService; + import com.netscape.certsrv.request.RequestId; +@@ -232,7 +234,7 @@ public class SymKeyGenService implements IService { + storage.addKeyRecord(rec); + + auditSymKeyGenRequestProcessed(auditSubjectID, ILogger.SUCCESS, request.getRequestId(), +- clientKeyId, serialNo.toString(), "None"); ++ clientKeyId, new KeyId(serialNo), "None"); + + request.setExtData(IRequest.RESULT, IRequest.RES_SUCCESS); + mKRA.getRequestQueue().updateRequest(request); +@@ -262,15 +264,13 @@ public class SymKeyGenService implements IService { + } + + private void auditSymKeyGenRequestProcessed(String subjectID, String status, RequestId requestID, String clientKeyID, +- String keyID, String reason) { +- String auditMessage = CMS.getLogMessage( +- AuditEvent.SYMKEY_GENERATION_REQUEST_PROCESSED, ++ KeyId keyID, String reason) { ++ audit(new SymKeyGenerationProcessedEvent( + subjectID, + status, +- requestID.toString(), ++ requestID, + clientKeyID, +- 
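Review bot: The `keyID != null ? keyID : "None"` substitution removed from auditAsymKeyGenRequestProcessed is not carried into the new event, yet the failure path in the `@@ -144` hunk above still passes `null` for keyID, so the KeyID field of the signed-audit record now depends on how AuditEvent renders a null parameter (presumably `null` instead of `None`), which would break consumers that match on the old text. The same applies to auditSymKeyGenRequestProcessed in SymKeyGenService below and to the `requestId != null ? requestId.toString() : "null"` guard dropped in KeyRequestService.auditSymKeyGenRequestMade and auditAsymKeyGenRequestMade. Either restore the substitution where the parameter array is built in the event constructors, e.g. `keyID != null ? keyID : "None",`, or record the new rendering in the LogMessages entry so the format change is deliberate rather than incidental.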
keyID != null ? keyID : "None", +- reason); +- audit(auditMessage); ++ keyID, ++ reason)); + } + } +\ No newline at end of file +diff --git a/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java b/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java +index 8ec69a7..4e21f12 100644 +--- a/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java ++++ b/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java +@@ -48,11 +48,12 @@ import com.netscape.certsrv.key.KeyRequestInfoCollection; + import com.netscape.certsrv.key.KeyRequestResource; + import com.netscape.certsrv.key.KeyRequestResponse; + import com.netscape.certsrv.key.SymKeyGenerationRequest; +-import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.ILogger; ++import com.netscape.certsrv.logging.event.AsymKeyGenerationEvent; + import com.netscape.certsrv.logging.event.SecurityDataArchivalEvent; + import com.netscape.certsrv.logging.event.SecurityDataRecoveryEvent; + import com.netscape.certsrv.logging.event.SecurityDataRecoveryStateChangeEvent; ++import com.netscape.certsrv.logging.event.SymKeyGenerationEvent; + import com.netscape.certsrv.request.RequestId; + import com.netscape.certsrv.request.RequestNotFoundException; + import com.netscape.cms.realm.PKIPrincipal; +@@ -363,23 +364,19 @@ public class KeyRequestService extends SubsystemService implements KeyRequestRes + } + + public void auditSymKeyGenRequestMade(RequestId requestId, String status, String clientKeyID) { +- String msg = CMS.getLogMessage( +- AuditEvent.SYMKEY_GENERATION_REQUEST, ++ audit(new SymKeyGenerationEvent( + getRequestor(), + status, +- requestId != null ? 
requestId.toString() : "null", +- clientKeyID); +- auditor.log(msg); ++ requestId, ++ clientKeyID)); + } + + public void auditAsymKeyGenRequestMade(RequestId requestId, String status, String clientKeyID) { +- String msg = CMS.getLogMessage( +- AuditEvent.ASYMKEY_GENERATION_REQUEST, ++ audit(new AsymKeyGenerationEvent( + getRequestor(), + status, +- requestId != null ? requestId.toString() : "null", +- clientKeyID); +- auditor.log(msg); ++ requestId, ++ clientKeyID)); + } + + @Override +diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties +index 66a7fd0..4a44134 100644 +--- a/base/server/cmsbundle/src/LogMessages.properties ++++ b/base/server/cmsbundle/src/LogMessages.properties +@@ -2492,22 +2492,22 @@ LOGGING_SIGNED_AUDIT_KEY_STATUS_CHANGE_6=:[AuditEvent=KE + # Client ID must be the user supplied client ID associated with + # the symmetric key to be generated and archived + # +-LOGGING_SIGNED_AUDIT_SYMKEY_GEN_REQUEST_PROCESSED_6=:[AuditEvent=SYMKEY_GENERATION_REQUEST_PROCESSED][SubjectID={0}][Outcome={1}][GenerationRequestID={2}][ClientKeyID={3}][KeyID={4}][FailureReason={5}] symkey generation request processed ++LOGGING_SIGNED_AUDIT_SYMKEY_GEN_REQUEST_PROCESSED=:[AuditEvent=SYMKEY_GENERATION_REQUEST_PROCESSED][SubjectID={0}][Outcome={1}][GenerationRequestID={2}][ClientKeyID={3}][KeyID={4}][FailureReason={5}] symkey generation request processed + # + # LOGGING_SIGNED_AUDIT_SYMKEY_GENERATION_REQUEST + # - used when symmetric key generation request is made + # ClientKeyID is the ID of the symmetirc key to be generated and archived + # +-LOGGING_SIGNED_AUDIT_SYMKEY_GENERATION_REQUEST_4=:[AuditEvent=SYMKEY_GENERATION_REQUEST][SubjectID={0}][Outcome={1}][GenerationRequestID={2}][ClientKeyID={3}] symkey generation request made ++LOGGING_SIGNED_AUDIT_SYMKEY_GENERATION_REQUEST=:[AuditEvent=SYMKEY_GENERATION_REQUEST][SubjectID={0}][Outcome={1}][GenerationRequestID={2}][ClientKeyID={3}] symkey generation request 
made + # + # LOGGING_SIGNED_AUDIT_ASYMKEY_GENERATION_REQUEST + # - used when asymmetric key generation request is made +-LOGGING_SIGNED_AUDIT_ASYMKEY_GENERATION_REQUEST_4=:[AuditEvent=ASYMKEY_GENERATION_REQUEST][SubjectID={0}][Outcome={1}][GenerationRequestID={2}][ClientKeyID={3}] Asymkey generation request made ++LOGGING_SIGNED_AUDIT_ASYMKEY_GENERATION_REQUEST=:[AuditEvent=ASYMKEY_GENERATION_REQUEST][SubjectID={0}][Outcome={1}][GenerationRequestID={2}][ClientKeyID={3}] Asymkey generation request made + # + # LOGGING_SIGNED_AUDIT_ASYMKEY_GEN_REQUEST_PROCESSED + # - used when a request to generate asymmetric keys received by the DRM + # is processed. +-LOGGING_SIGNED_AUDIT_ASYMKEY_GEN_REQUEST_PROCESSED_6=:[AuditEvent=ASYMKEY_GENERATION_REQUEST_PROCESSED][SubjectID={0}][Outcome={1}][GenerationRequestID={2}][ClientKeyID={3}][KeyID={4}][FailureReason={5}] Asymkey generation request processed ++LOGGING_SIGNED_AUDIT_ASYMKEY_GEN_REQUEST_PROCESSED=:[AuditEvent=ASYMKEY_GENERATION_REQUEST_PROCESSED][SubjectID={0}][Outcome={1}][GenerationRequestID={2}][ClientKeyID={3}][KeyID={4}][FailureReason={5}] Asymkey generation request processed + # + # LOGGING_SIGNED_AUDIT_TOKEN_CERT_ENROLLMENT + # - used for TPS when token certificate enrollment request is made +-- +1.8.3.1 + + +From 468cacf6d6ec4f46bd4e60255105da3a585c4f6d Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Sat, 20 May 2017 01:28:06 +0200 +Subject: [PATCH 21/38] Replaced random number generator in + SecurityDataProcessor. + +The SecurityDataProcessor has been modified to use the random +number generator provided by JssSubsystem. 
+ +https://pagure.io/dogtagpki/issue/2695 + +Change-Id: Ibca684a2165266456c4b28cba5eae4136940d189 +--- + .../com/netscape/kra/SecurityDataProcessor.java | 25 ++++++++++++++++------ + 1 file changed, 19 insertions(+), 6 deletions(-) + +diff --git a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java +index 2899f32..ec848be 100644 +--- a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java ++++ b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java +@@ -48,6 +48,7 @@ import com.netscape.certsrv.request.RequestId; + import com.netscape.certsrv.security.IStorageKeyUnit; + import com.netscape.certsrv.security.ITransportKeyUnit; + import com.netscape.cmscore.dbs.KeyRecord; ++import com.netscape.cmscore.security.JssSubsystem; + import com.netscape.cmsutil.crypto.CryptoUtil; + import com.netscape.cmsutil.util.Utils; + +@@ -640,7 +641,7 @@ public class SecurityDataProcessor { + * (ie. algorithm is unknown) + */ + private byte[] generate_iv(String oid, EncryptionAlgorithm defaultAlg) throws Exception { +- int numBytes = 0; ++ + EncryptionAlgorithm alg = oid != null? EncryptionAlgorithm.fromOID(new OBJECT_IDENTIFIER(oid)): + defaultAlg; + +@@ -651,8 +652,14 @@ public class SecurityDataProcessor { + if (alg.getParameterClasses() == null) + return null; + +- numBytes = alg.getIVLength(); +- return (new SecureRandom()).generateSeed(numBytes); ++ int numBytes = alg.getIVLength(); ++ byte[] bytes = new byte[numBytes]; ++ ++ JssSubsystem jssSubsystem = (JssSubsystem) CMS.getSubsystem(JssSubsystem.ID); ++ SecureRandom random = jssSubsystem.getRandomNumberGenerator(); ++ random.nextBytes(bytes); ++ ++ return bytes; + } + + /*** +@@ -668,7 +675,7 @@ public class SecurityDataProcessor { + * (ie. algorithm is unknown) + */ + private byte[] generate_wrap_iv(String wrapName, KeyWrapAlgorithm defaultAlg) throws Exception { +- int numBytes = 0; ++ + KeyWrapAlgorithm alg = wrapName != null ? 
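Review bot: `CMS.getSubsystem(JssSubsystem.ID)` in generate_iv is cast and dereferenced without a null check, so if the JSS subsystem is not registered or not yet initialised the IV generation fails with a NullPointerException instead of a descriptive error; the replaced `new SecureRandom()` had no such failure mode. The same six lines are repeated in generate_wrap_iv (the `@@ -679` hunk below) and in RequestQueue.newEphemeralRequestId in the next patch, so one helper that fails loudly would serve all three, e.g. `JssSubsystem jss = (JssSubsystem) CMS.getSubsystem(JssSubsystem.ID); if (jss == null) throw new IllegalStateException("JSS subsystem not available"); return jss.getRandomNumberGenerator();`. Switching from `generateSeed()` to `nextBytes()` is the right call for IV material, and a why-comment would keep it from being reverted: `// draw the IV from the shared JSS RNG; use nextBytes(), not generateSeed(), which reads the seed source and may block`.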
KeyWrapAlgorithm.fromString(wrapName) : + defaultAlg; + +@@ -679,8 +686,14 @@ public class SecurityDataProcessor { + if (alg.getParameterClasses() == null) + return null; + +- numBytes = alg.getBlockSize(); +- return (new SecureRandom()).generateSeed(numBytes); ++ int numBytes = alg.getBlockSize(); ++ byte[] bytes = new byte[numBytes]; ++ ++ JssSubsystem jssSubsystem = (JssSubsystem) CMS.getSubsystem(JssSubsystem.ID); ++ SecureRandom random = jssSubsystem.getRandomNumberGenerator(); ++ random.nextBytes(bytes); ++ ++ return bytes; + } + + public SymmetricKey recoverSymKey(KeyRecord keyRecord) +-- +1.8.3.1 + + +From eed550a9a7330d707f35ce8a9946573df68ff01b Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Sat, 20 May 2017 01:40:18 +0200 +Subject: [PATCH 22/38] Replaced random number generator in RequestQueue. + +The RequestQueue has been modified to use the random number +generator provided by JssSubsystem. + +https://pagure.io/dogtagpki/issue/2695 + +Change-Id: Id93f769d1fca154ee385a3dcebee55b13a65d38e +--- + .../cmscore/src/com/netscape/cmscore/request/RequestQueue.java | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/base/server/cmscore/src/com/netscape/cmscore/request/RequestQueue.java b/base/server/cmscore/src/com/netscape/cmscore/request/RequestQueue.java +index d7e7c6e..cd0f890 100644 +--- a/base/server/cmscore/src/com/netscape/cmscore/request/RequestQueue.java ++++ b/base/server/cmscore/src/com/netscape/cmscore/request/RequestQueue.java +@@ -42,6 +42,7 @@ import com.netscape.certsrv.request.RequestId; + import com.netscape.certsrv.request.RequestStatus; + import com.netscape.certsrv.request.ldap.IRequestMod; + import com.netscape.cmscore.dbs.DBSubsystem; ++import com.netscape.cmscore.security.JssSubsystem; + import com.netscape.cmscore.util.Debug; + + public class RequestQueue +@@ -60,9 +61,11 @@ public class RequestQueue + } + + protected RequestId newEphemeralRequestId() { +- long id = System.currentTimeMillis() * 10000 
+ new SecureRandom().nextInt(10000); +- RequestId rid = new RequestId(id); +- return rid; ++ JssSubsystem jssSubsystem = (JssSubsystem) CMS.getSubsystem(JssSubsystem.ID); ++ SecureRandom random = jssSubsystem.getRandomNumberGenerator(); ++ ++ long id = System.currentTimeMillis() * 10000 + random.nextInt(10000); ++ return new RequestId(id); + } + + protected IRequest readRequest(RequestId id) { +-- +1.8.3.1 + + +From 14e4e7a992c9537b9bf0403e6d94f316009923d0 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Wed, 24 May 2017 20:25:54 +0200 +Subject: [PATCH 23/38] Added CRLIssuingPoint.generateCRLExtensions(). + +The code that generates CRLExtensions in updateCRLNow() +in CRLIssuingPoint has been refactored into a separate +generateCRLExtensions() method for clarity. + +https://pagure.io/dogtagpki/issue/2651 + +Change-Id: I33d7477ccb8b408c54d9c026dea070a7198beffd +--- + base/ca/src/com/netscape/ca/CRLIssuingPoint.java | 45 ++++++++++++------------ + 1 file changed, 22 insertions(+), 23 deletions(-) + +diff --git a/base/ca/src/com/netscape/ca/CRLIssuingPoint.java b/base/ca/src/com/netscape/ca/CRLIssuingPoint.java +index 64101d7..de733eb 100644 +--- a/base/ca/src/com/netscape/ca/CRLIssuingPoint.java ++++ b/base/ca/src/com/netscape/ca/CRLIssuingPoint.java +@@ -2630,17 +2630,8 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { + + mLastCRLNumber = mCRLNumber; + +- CRLExtensions ext = new CRLExtensions(); +- Vector extNames = mCMSCRLExtensions.getCRLExtensionNames(); ++ CRLExtensions ext = generateCRLExtensions(FreshestCRLExtension.NAME); + +- for (int i = 0; i < extNames.size(); i++) { +- String extName = extNames.elementAt(i); +- +- if (mCMSCRLExtensions.isCRLExtensionEnabled(extName) && +- (!extName.equals(FreshestCRLExtension.NAME))) { +- mCMSCRLExtensions.addToCRLExtensions(ext, extName, null); +- } +- } + mSplits[1] += System.currentTimeMillis(); + + X509CRLImpl newX509DeltaCRL = null; +@@ -2791,20 +2782,11 @@ public class CRLIssuingPoint 
implements ICRLIssuingPoint, Runnable { + mNextCRLNumber = mNextDeltaCRLNumber; + } + +- CRLExtensions ext = null; +- ++ CRLExtensions ext; + if (mAllowExtensions) { +- ext = new CRLExtensions(); +- Vector extNames = mCMSCRLExtensions.getCRLExtensionNames(); +- +- for (int i = 0; i < extNames.size(); i++) { +- String extName = extNames.elementAt(i); +- +- if (mCMSCRLExtensions.isCRLExtensionEnabled(extName) && +- (!extName.equals(DeltaCRLIndicatorExtension.NAME))) { +- mCMSCRLExtensions.addToCRLExtensions(ext, extName, null); +- } +- } ++ ext = generateCRLExtensions(DeltaCRLIndicatorExtension.NAME); ++ } else { ++ ext = null; + } + mSplits[6] += System.currentTimeMillis(); + // for audit log +@@ -2965,6 +2947,23 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { + notifyAll(); + } + ++ CRLExtensions generateCRLExtensions(String excludedExtension) { ++ ++ CRLExtensions ext = new CRLExtensions(); ++ Vector extNames = mCMSCRLExtensions.getCRLExtensionNames(); ++ ++ for (int i = 0; i < extNames.size(); i++) { ++ String extName = extNames.elementAt(i); ++ ++ if (extName.equals(excludedExtension)) continue; ++ if (!mCMSCRLExtensions.isCRLExtensionEnabled(extName)) continue; ++ ++ mCMSCRLExtensions.addToCRLExtensions(ext, extName, null); ++ } ++ ++ return ext; ++ } ++ + /** + * publish CRL. called from updateCRLNow() and init(). + */ +-- +1.8.3.1 + + +From 9af1f0d3b48d6dd358a4c63f938f2c5d0e119d7a Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Thu, 25 May 2017 00:36:45 +0200 +Subject: [PATCH 24/38] Added CRLIssuingPoint.generateDeltaCRL(). + +The code that generates delta CRL in updateCRLNow() +in CRLIssuingPoint has been refactored into a separate +generateDeltaCRL() method for clarity. 
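Review bot: generateCRLExtensions is a new package-private method with no javadoc, and nothing at the method states why exactly one extension is excluded per call; the two call sites show the delta CRL path dropping FreshestCRLExtension.NAME and the full CRL path dropping DeltaCRLIndicatorExtension.NAME. I would add: `/** Builds the CRL extensions for this issuing point from every enabled extension except excludedExtension (FreshestCRL is omitted from delta CRLs, DeltaCRLIndicator from full CRLs); never returns null. */`. The loop itself preserves the original semantics (enabled and not excluded), so the refactor reads as behaviour-preserving.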
+ +https://pagure.io/dogtagpki/issue/2651 + +Change-Id: I494524ba3fffd89e4edd995c2fa32b9f55104c4a +--- + base/ca/src/com/netscape/ca/CRLIssuingPoint.java | 160 +++++++++++++---------- + 1 file changed, 93 insertions(+), 67 deletions(-) + +diff --git a/base/ca/src/com/netscape/ca/CRLIssuingPoint.java b/base/ca/src/com/netscape/ca/CRLIssuingPoint.java +index de733eb..317294b 100644 +--- a/base/ca/src/com/netscape/ca/CRLIssuingPoint.java ++++ b/base/ca/src/com/netscape/ca/CRLIssuingPoint.java +@@ -2634,73 +2634,8 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { + + mSplits[1] += System.currentTimeMillis(); + +- X509CRLImpl newX509DeltaCRL = null; +- +- try { +- mSplits[2] -= System.currentTimeMillis(); +- byte[] newDeltaCRL; +- +- // #56123 - dont generate CRL if no revoked certificates +- if (mConfigStore.getBoolean("noCRLIfNoRevokedCert", false)) { +- if (deltaCRLCerts.size() == 0) { +- CMS.debug("CRLIssuingPoint: No Revoked Certificates Found And noCRLIfNoRevokedCert is set to true - No Delta CRL Generated"); +- throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", +- "No Revoked Certificates")); +- } +- } +- X509CRLImpl crl = new X509CRLImpl(mCA.getCRLX500Name(), +- AlgorithmId.get(signingAlgorithm), +- thisUpdate, nextDeltaUpdate, deltaCRLCerts, ext); +- +- newX509DeltaCRL = mCA.sign(crl, signingAlgorithm); +- newDeltaCRL = newX509DeltaCRL.getEncoded(); +- mSplits[2] += System.currentTimeMillis(); +- +- mSplits[3] -= System.currentTimeMillis(); +- mCRLRepository.updateDeltaCRL(mId, mNextDeltaCRLNumber, +- Long.valueOf(deltaCRLCerts.size()), mNextDeltaUpdate, newDeltaCRL); +- mSplits[3] += System.currentTimeMillis(); +- +- mDeltaCRLSize = deltaCRLCerts.size(); +- +- long totalTime = 0; +- StringBuffer splitTimes = new StringBuffer(" ("); +- for (int i = 1; i < mSplits.length && i < 5; i++) { +- totalTime += mSplits[i]; +- if (i > 1) +- splitTimes.append(","); +- splitTimes.append(String.valueOf(mSplits[i])); +- } +- 
splitTimes.append(")"); +- mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER, +- AuditFormat.LEVEL, +- CMS.getLogMessage("CMSCORE_CA_CA_DELTA_CRL_UPDATED"), +- new Object[] { +- getId(), +- getNextCRLNumber(), +- getCRLNumber(), +- getLastUpdate(), +- getNextDeltaUpdate(), +- Long.toString(mDeltaCRLSize), +- Long.toString(totalTime) + splitTimes.toString() +- } +- ); +- } catch (EBaseException e) { +- log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_OR_STORE_DELTA", e.toString())); +- mDeltaCRLSize = -1; +- } catch (NoSuchAlgorithmException e) { +- log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_DELTA", e.toString())); +- mDeltaCRLSize = -1; +- } catch (CRLException e) { +- log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_DELTA", e.toString())); +- mDeltaCRLSize = -1; +- } catch (X509ExtensionException e) { +- log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_DELTA", e.toString())); +- mDeltaCRLSize = -1; +- } catch (OutOfMemoryError e) { +- log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_DELTA", e.toString())); +- mDeltaCRLSize = -1; +- } ++ X509CRLImpl newX509DeltaCRL = generateDeltaCRL( ++ deltaCRLCerts, signingAlgorithm, thisUpdate, nextDeltaUpdate, ext); + + try { + mSplits[4] -= System.currentTimeMillis(); +@@ -2964,6 +2899,97 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { + return ext; + } + ++ X509CRLImpl generateDeltaCRL( ++ Hashtable deltaCRLCerts, ++ String signingAlgorithm, ++ Date thisUpdate, ++ Date nextDeltaUpdate, ++ CRLExtensions ext) { ++ ++ X509CRLImpl newX509DeltaCRL = null; ++ ++ try { ++ mSplits[2] -= System.currentTimeMillis(); ++ ++ // #56123 - dont generate CRL if no revoked certificates ++ if (mConfigStore.getBoolean("noCRLIfNoRevokedCert", false)) { ++ if (deltaCRLCerts.size() == 0) { ++ CMS.debug("CRLIssuingPoint: No Revoked Certificates Found And noCRLIfNoRevokedCert is set to true - No Delta CRL Generated"); ++ throw new 
EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", ++ "No Revoked Certificates")); ++ } ++ } ++ ++ X509CRLImpl crl = new X509CRLImpl(mCA.getCRLX500Name(), ++ AlgorithmId.get(signingAlgorithm), ++ thisUpdate, nextDeltaUpdate, deltaCRLCerts, ext); ++ ++ newX509DeltaCRL = mCA.sign(crl, signingAlgorithm); ++ ++ byte[] newDeltaCRL = newX509DeltaCRL.getEncoded(); ++ ++ mSplits[2] += System.currentTimeMillis(); ++ ++ mSplits[3] -= System.currentTimeMillis(); ++ mCRLRepository.updateDeltaCRL(mId, mNextDeltaCRLNumber, ++ Long.valueOf(deltaCRLCerts.size()), mNextDeltaUpdate, newDeltaCRL); ++ mSplits[3] += System.currentTimeMillis(); ++ ++ mDeltaCRLSize = deltaCRLCerts.size(); ++ ++ long totalTime = 0; ++ StringBuffer splitTimes = new StringBuffer(" ("); ++ for (int i = 1; i < mSplits.length && i < 5; i++) { ++ totalTime += mSplits[i]; ++ if (i > 1) ++ splitTimes.append(","); ++ splitTimes.append(String.valueOf(mSplits[i])); ++ } ++ splitTimes.append(")"); ++ ++ mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER, ++ AuditFormat.LEVEL, ++ CMS.getLogMessage("CMSCORE_CA_CA_DELTA_CRL_UPDATED"), ++ new Object[] { ++ getId(), ++ getNextCRLNumber(), ++ getCRLNumber(), ++ getLastUpdate(), ++ getNextDeltaUpdate(), ++ Long.toString(mDeltaCRLSize), ++ Long.toString(totalTime) + splitTimes.toString() ++ } ++ ); ++ ++ } catch (EBaseException e) { ++ CMS.debug(e); ++ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_OR_STORE_DELTA", e.toString())); ++ mDeltaCRLSize = -1; ++ ++ } catch (NoSuchAlgorithmException e) { ++ CMS.debug(e); ++ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_DELTA", e.toString())); ++ mDeltaCRLSize = -1; ++ ++ } catch (CRLException e) { ++ CMS.debug(e); ++ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_DELTA", e.toString())); ++ mDeltaCRLSize = -1; ++ ++ } catch (X509ExtensionException e) { ++ CMS.debug(e); ++ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_DELTA", e.toString())); ++ 
mDeltaCRLSize = -1; ++ ++ } catch (OutOfMemoryError e) { ++ CMS.debug(e); ++ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_DELTA", e.toString())); ++ mDeltaCRLSize = -1; ++ } ++ ++ return newX509DeltaCRL; ++ } ++ + /** + * publish CRL. called from updateCRLNow() and init(). + */ +-- +1.8.3.1 + + +From f3cc4462e3fd353a78c6a174c93ef3f81c014ce8 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Thu, 25 May 2017 00:58:03 +0200 +Subject: [PATCH 25/38] Added CRLIssuingPoint.generateFullCRL(). + +The code that generates full CRL in updateCRLNow() +in CRLIssuingPoint has been refactored into a separate +generateFullCRL() method for clarity. + +https://pagure.io/dogtagpki/issue/2651 + +Change-Id: I4356f3ba71e523cb0f8fa8aa25c34a7a6b6ac49e +--- + base/ca/src/com/netscape/ca/CRLIssuingPoint.java | 254 ++++++++++++----------- + 1 file changed, 134 insertions(+), 120 deletions(-) + +diff --git a/base/ca/src/com/netscape/ca/CRLIssuingPoint.java b/base/ca/src/com/netscape/ca/CRLIssuingPoint.java +index 317294b..3764adf 100644 +--- a/base/ca/src/com/netscape/ca/CRLIssuingPoint.java ++++ b/base/ca/src/com/netscape/ca/CRLIssuingPoint.java +@@ -2726,126 +2726,7 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { + mSplits[6] += System.currentTimeMillis(); + // for audit log + +- X509CRLImpl newX509CRL; +- +- try { +- byte[] newCRL; +- +- CMS.debug("Making CRL with algorithm " + +- signingAlgorithm + " " + AlgorithmId.get(signingAlgorithm)); +- +- mSplits[7] -= System.currentTimeMillis(); +- +- // #56123 - dont generate CRL if no revoked certificates +- if (mConfigStore.getBoolean("noCRLIfNoRevokedCert", false)) { +- if (mCRLCerts.size() == 0) { +- CMS.debug("CRLIssuingPoint: No Revoked Certificates Found And noCRLIfNoRevokedCert is set to true - No CRL Generated"); +- throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", +- "No Revoked Certificates")); +- } +- } +- CMS.debug("before new X509CRLImpl"); +- X509CRLImpl crl = 
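Review bot: generateDeltaCRL returns null from every catch block and signals the failure only through `mDeltaCRLSize = -1`, so the contract that the caller in updateCRLNow (the `@@ -2634` hunk above, which proceeds straight into its next try block with newX509DeltaCRL) relies on is invisible at the method; whether that caller null-checks is outside the hunk. A javadoc would pin it, e.g.: `/** Signs and stores a delta CRL for deltaCRLCerts and logs the update; returns the signed delta CRL, or null when signing or storing failed, in which case the error has been logged and mDeltaCRLSize set to -1. Also updates mSplits[2..3] and mDeltaCRLSize. */`. The `CMS.debug(e)` added to each catch is a useful diagnostic change but is not mentioned in the commit message, which presents this as a pure refactor.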
new X509CRLImpl(mCA.getCRLX500Name(), +- AlgorithmId.get(signingAlgorithm), +- thisUpdate, nextUpdate, mCRLCerts, ext); +- +- CMS.debug("before sign"); +- newX509CRL = mCA.sign(crl, signingAlgorithm); +- +- CMS.debug("before getEncoded()"); +- newCRL = newX509CRL.getEncoded(); +- CMS.debug("after getEncoded()"); +- mSplits[7] += System.currentTimeMillis(); +- +- mSplits[8] -= System.currentTimeMillis(); +- +- Date nextUpdateDate = mNextUpdate; +- if (isDeltaCRLEnabled() && (mUpdateSchema > 1 || +- (mEnableDailyUpdates && mExtendedTimeList)) && mNextDeltaUpdate != null) { +- nextUpdateDate = mNextDeltaUpdate; +- } +- if (mSaveMemory) { +- mCRLRepository.updateCRLIssuingPointRecord( +- mId, newCRL, thisUpdate, nextUpdateDate, +- mNextCRLNumber, Long.valueOf(mCRLCerts.size())); +- updateCRLCacheRepository(); +- } else { +- mCRLRepository.updateCRLIssuingPointRecord( +- mId, newCRL, thisUpdate, nextUpdateDate, +- mNextCRLNumber, Long.valueOf(mCRLCerts.size()), +- mRevokedCerts, mUnrevokedCerts, mExpiredCerts); +- mFirstUnsaved = ICRLIssuingPointRecord.CLEAN_CACHE; +- } +- +- mSplits[8] += System.currentTimeMillis(); +- +- mCRLSize = mCRLCerts.size(); +- mCRLNumber = mNextCRLNumber; +- mDeltaCRLNumber = mCRLNumber; +- mNextCRLNumber = mCRLNumber.add(BigInteger.ONE); +- mNextDeltaCRLNumber = mNextCRLNumber; +- +- CMS.debug("Logging CRL Update to transaction log"); +- long totalTime = 0; +- long crlTime = 0; +- long deltaTime = 0; +- StringBuilder splitTimes = new StringBuilder(" ("); +- for (int i = 0; i < mSplits.length; i++) { +- totalTime += mSplits[i]; +- if (i > 0 && i < 5) { +- deltaTime += mSplits[i]; +- } else { +- crlTime += mSplits[i]; +- } +- if (i > 0) +- splitTimes.append(","); +- splitTimes.append(mSplits[i]); +- } +- splitTimes.append(String.format(",%d,%d,%d)",deltaTime,crlTime,totalTime)); +- mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER, +- AuditFormat.LEVEL, +- CMS.getLogMessage("CMSCORE_CA_CA_CRL_UPDATED"), +- new Object[] { +- getId(), +- 
getCRLNumber(), +- getLastUpdate(), +- getNextUpdate(), +- Long.toString(mCRLSize), +- Long.toString(totalTime), +- Long.toString(crlTime), +- Long.toString(deltaTime) + splitTimes +- } +- ); +- CMS.debug("Finished Logging CRL Update to transaction log"); +- +- } catch (EBaseException e) { +- newX509CRL = null; +- mUpdatingCRL = CRL_UPDATE_DONE; +- if (Debug.on()) +- Debug.printStackTrace(e); +- log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_OR_STORE_CRL", e.toString())); +- throw new ECAException(CMS.getUserMessage("CMS_CA_FAILED_CONSTRUCTING_CRL", e.toString())); +- } catch (NoSuchAlgorithmException e) { +- newX509CRL = null; +- mUpdatingCRL = CRL_UPDATE_DONE; +- log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_CRL", e.toString())); +- throw new ECAException(CMS.getUserMessage("CMS_CA_FAILED_CONSTRUCTING_CRL", e.toString())); +- } catch (CRLException e) { +- newX509CRL = null; +- mUpdatingCRL = CRL_UPDATE_DONE; +- log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_CRL", e.toString())); +- throw new ECAException(CMS.getUserMessage("CMS_CA_FAILED_CONSTRUCTING_CRL", e.toString())); +- } catch (X509ExtensionException e) { +- newX509CRL = null; +- mUpdatingCRL = CRL_UPDATE_DONE; +- log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_CRL", e.toString())); +- throw new ECAException(CMS.getUserMessage("CMS_CA_FAILED_CONSTRUCTING_CRL", e.toString())); +- } catch (OutOfMemoryError e) { +- newX509CRL = null; +- mUpdatingCRL = CRL_UPDATE_DONE; +- log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_CRL", e.toString())); +- throw new ECAException(CMS.getUserMessage("CMS_CA_FAILED_CONSTRUCTING_CRL", e.toString())); +- } ++ X509CRLImpl newX509CRL = generateFullCRL(signingAlgorithm, thisUpdate, nextUpdate, ext); + + try { + mSplits[9] -= System.currentTimeMillis(); +@@ -2990,6 +2871,139 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { + return newX509DeltaCRL; + } + ++ 
X509CRLImpl generateFullCRL( ++ String signingAlgorithm, ++ Date thisUpdate, ++ Date nextUpdate, ++ CRLExtensions ext) throws EBaseException { ++ ++ try { ++ CMS.debug("Making CRL with algorithm " + ++ signingAlgorithm + " " + AlgorithmId.get(signingAlgorithm)); ++ ++ mSplits[7] -= System.currentTimeMillis(); ++ ++ // #56123 - dont generate CRL if no revoked certificates ++ if (mConfigStore.getBoolean("noCRLIfNoRevokedCert", false)) { ++ if (mCRLCerts.size() == 0) { ++ CMS.debug("CRLIssuingPoint: No Revoked Certificates Found And noCRLIfNoRevokedCert is set to true - No CRL Generated"); ++ throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", ++ "No Revoked Certificates")); ++ } ++ } ++ ++ CMS.debug("CRLIssuingPoint: creating CRL object"); ++ X509CRLImpl crl = new X509CRLImpl(mCA.getCRLX500Name(), ++ AlgorithmId.get(signingAlgorithm), ++ thisUpdate, nextUpdate, mCRLCerts, ext); ++ ++ CMS.debug("CRLIssuingPoint: signing CRL"); ++ X509CRLImpl newX509CRL = mCA.sign(crl, signingAlgorithm); ++ ++ CMS.debug("CRLIssuingPoint: encoding CRL"); ++ byte[] newCRL = newX509CRL.getEncoded(); ++ ++ mSplits[7] += System.currentTimeMillis(); ++ ++ mSplits[8] -= System.currentTimeMillis(); ++ ++ Date nextUpdateDate = mNextUpdate; ++ if (isDeltaCRLEnabled() && (mUpdateSchema > 1 || ++ (mEnableDailyUpdates && mExtendedTimeList)) && mNextDeltaUpdate != null) { ++ nextUpdateDate = mNextDeltaUpdate; ++ } ++ ++ if (mSaveMemory) { ++ mCRLRepository.updateCRLIssuingPointRecord( ++ mId, newCRL, thisUpdate, nextUpdateDate, ++ mNextCRLNumber, Long.valueOf(mCRLCerts.size())); ++ updateCRLCacheRepository(); ++ ++ } else { ++ mCRLRepository.updateCRLIssuingPointRecord( ++ mId, newCRL, thisUpdate, nextUpdateDate, ++ mNextCRLNumber, Long.valueOf(mCRLCerts.size()), ++ mRevokedCerts, mUnrevokedCerts, mExpiredCerts); ++ mFirstUnsaved = ICRLIssuingPointRecord.CLEAN_CACHE; ++ } ++ ++ mSplits[8] += System.currentTimeMillis(); ++ ++ mCRLSize = mCRLCerts.size(); ++ mCRLNumber = 
mNextCRLNumber; ++ mDeltaCRLNumber = mCRLNumber; ++ mNextCRLNumber = mCRLNumber.add(BigInteger.ONE); ++ mNextDeltaCRLNumber = mNextCRLNumber; ++ ++ CMS.debug("CRLIssuingPoint: Logging CRL Update to transaction log"); ++ long totalTime = 0; ++ long crlTime = 0; ++ long deltaTime = 0; ++ StringBuilder splitTimes = new StringBuilder(" ("); ++ for (int i = 0; i < mSplits.length; i++) { ++ totalTime += mSplits[i]; ++ if (i > 0 && i < 5) { ++ deltaTime += mSplits[i]; ++ } else { ++ crlTime += mSplits[i]; ++ } ++ if (i > 0) ++ splitTimes.append(","); ++ splitTimes.append(mSplits[i]); ++ } ++ splitTimes.append(String.format(",%d,%d,%d)",deltaTime,crlTime,totalTime)); ++ ++ mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER, ++ AuditFormat.LEVEL, ++ CMS.getLogMessage("CMSCORE_CA_CA_CRL_UPDATED"), ++ new Object[] { ++ getId(), ++ getCRLNumber(), ++ getLastUpdate(), ++ getNextUpdate(), ++ Long.toString(mCRLSize), ++ Long.toString(totalTime), ++ Long.toString(crlTime), ++ Long.toString(deltaTime) + splitTimes ++ } ++ ); ++ ++ CMS.debug("CRLIssuingPoint: Finished Logging CRL Update to transaction log"); ++ ++ return newX509CRL; ++ ++ } catch (EBaseException e) { ++ CMS.debug(e); ++ mUpdatingCRL = CRL_UPDATE_DONE; ++ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_OR_STORE_CRL", e.toString())); ++ throw new ECAException(CMS.getUserMessage("CMS_CA_FAILED_CONSTRUCTING_CRL", e.toString())); ++ ++ } catch (NoSuchAlgorithmException e) { ++ CMS.debug(e); ++ mUpdatingCRL = CRL_UPDATE_DONE; ++ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_CRL", e.toString())); ++ throw new ECAException(CMS.getUserMessage("CMS_CA_FAILED_CONSTRUCTING_CRL", e.toString())); ++ ++ } catch (CRLException e) { ++ CMS.debug(e); ++ mUpdatingCRL = CRL_UPDATE_DONE; ++ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_CRL", e.toString())); ++ throw new ECAException(CMS.getUserMessage("CMS_CA_FAILED_CONSTRUCTING_CRL", e.toString())); ++ ++ } catch 
(X509ExtensionException e) { ++ CMS.debug(e); ++ mUpdatingCRL = CRL_UPDATE_DONE; ++ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_CRL", e.toString())); ++ throw new ECAException(CMS.getUserMessage("CMS_CA_FAILED_CONSTRUCTING_CRL", e.toString())); ++ ++ } catch (OutOfMemoryError e) { ++ CMS.debug(e); ++ mUpdatingCRL = CRL_UPDATE_DONE; ++ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_CRL", e.toString())); ++ throw new ECAException(CMS.getUserMessage("CMS_CA_FAILED_CONSTRUCTING_CRL", e.toString())); ++ } ++ } ++ + /** + * publish CRL. called from updateCRLNow() and init(). + */ +-- +1.8.3.1 + + +From c88ad697138778c597cf8ce361f8ee1761bee0ab Mon Sep 17 00:00:00 2001 +From: Ade Lee +Date: Wed, 24 May 2017 22:49:24 -0400 +Subject: [PATCH 26/38] Encapsulate key status change audit logs + +Change-Id: I57b30cdff571056d0a95436858308872a8dc007b +--- + .../com/netscape/certsrv/logging/AuditEvent.java | 3 -- + .../event/SecurityDataStatusChangeEvent.java | 49 ++++++++++++++++++++++ + .../org/dogtagpki/server/kra/rest/KeyService.java | 16 ++++--- + base/server/cmsbundle/src/LogMessages.properties | 2 +- + 4 files changed, 57 insertions(+), 13 deletions(-) + create mode 100644 base/common/src/com/netscape/certsrv/logging/event/SecurityDataStatusChangeEvent.java + +diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java +index beedb9f..348ea09 100644 +--- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java ++++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java +@@ -164,9 +164,6 @@ public class AuditEvent implements IBundleLogEvent { + public final static String CONFIG_SERIAL_NUMBER = + "LOGGING_SIGNED_AUDIT_CONFIG_SERIAL_NUMBER_1"; + +- public final static String KEY_STATUS_CHANGE = +- "LOGGING_SIGNED_AUDIT_KEY_STATUS_CHANGE_6"; +- + public final static String TOKEN_CERT_ENROLLMENT = + "LOGGING_SIGNED_AUDIT_TOKEN_CERT_ENROLLMENT_9"; + 
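Review bot: generateFullCRL has five catch blocks that differ only in the log-message key, each repeating `mUpdatingCRL = CRL_UPDATE_DONE` and the rethrow as ECAException; if the project builds with Java 7 or later, `catch (NoSuchAlgorithmException | CRLException | X509ExtensionException e)` folds the three SIGN_CRL cases into one. The method also has no javadoc although it mutates mCRLNumber, mDeltaCRLNumber, mNextCRLNumber, mNextDeltaCRLNumber and mFirstUnsaved and persists the issuing-point record; I would add one stating that it signs, stores and audit-logs the full CRL and returns it, and that on any failure it logs, sets mUpdatingCRL to CRL_UPDATE_DONE and throws ECAException. Declaring `throws EBaseException` while only ECAException escapes is presumably intentional (assuming ECAException extends EBaseException), but `throws ECAException` would state the contract in the signature.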
public final static String TOKEN_CERT_RENEWAL =
+diff --git a/base/common/src/com/netscape/certsrv/logging/event/SecurityDataStatusChangeEvent.java b/base/common/src/com/netscape/certsrv/logging/event/SecurityDataStatusChangeEvent.java
+new file mode 100644
+index 0000000..082516c
+--- /dev/null
++++ b/base/common/src/com/netscape/certsrv/logging/event/SecurityDataStatusChangeEvent.java
+@@ -0,0 +1,49 @@
++// --- BEGIN COPYRIGHT BLOCK ---
++// This program is free software; you can redistribute it and/or modify
++// it under the terms of the GNU General Public License as published by
++// the Free Software Foundation; version 2 of the License.
++//
++// This program is distributed in the hope that it will be useful,
++// but WITHOUT ANY WARRANTY; without even the implied warranty of
++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++// GNU General Public License for more details.
++//
++// You should have received a copy of the GNU General Public License along
++// with this program; if not, write to the Free Software Foundation, Inc.,
++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
++//
++// (C) 2017 Red Hat, Inc.
++// All rights reserved.
++// --- END COPYRIGHT BLOCK ---
++package com.netscape.certsrv.logging.event;
++
++import com.netscape.certsrv.dbs.keydb.KeyId;
++import com.netscape.certsrv.logging.AuditEvent;
++
++public class SecurityDataStatusChangeEvent extends AuditEvent {
++
++ private static final long serialVersionUID = 1L;
++
++ private static final String LOGGING_PROPERTY =
++ "LOGGING_SIGNED_AUDIT_KEY_STATUS_CHANGE";
++
++ public SecurityDataStatusChangeEvent(
++ String subjectID,
++ String outcome,
++ KeyId keyID,
++ String oldStatus,
++ String newStatus,
++ String info) {
++
++ super(LOGGING_PROPERTY);
++
++ setParameters(new Object[] {
++ subjectID,
++ outcome,
++ keyID,
++ oldStatus,
++ newStatus,
++ info
++ });
++ }
++}
+\ No newline at end of file
+diff --git a/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java b/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java
+index 8edb928..642367c 100644
+--- a/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java
++++ b/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java
+@@ -60,12 +60,12 @@ import com.netscape.certsrv.key.KeyRecoveryRequest;
+ import com.netscape.certsrv.key.KeyResource;
+ import com.netscape.certsrv.kra.IKeyRecoveryAuthority;
+ import com.netscape.certsrv.kra.IKeyService;
+-import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
+ import com.netscape.certsrv.logging.event.SecurityDataExportEvent;
+ import com.netscape.certsrv.logging.event.SecurityDataInfoEvent;
+ import com.netscape.certsrv.logging.event.SecurityDataRecoveryEvent;
+ import com.netscape.certsrv.logging.event.SecurityDataRecoveryProcessedEvent;
++import com.netscape.certsrv.logging.event.SecurityDataStatusChangeEvent;
+ import com.netscape.certsrv.request.IRequest;
+ import com.netscape.certsrv.request.IRequestQueue;
+ import com.netscape.certsrv.request.RequestId;
+@@ -657,17 +657,15 @@ public class KeyService extends SubsystemService implements KeyResource {
+ auditKeyInfo(keyId, 
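Review bot: The new SecurityDataStatusChangeEvent class carries no Javadoc, so a reader has to find the KEY_STATUS_CHANGE template in LogMessages.properties to learn what the six constructor arguments mean and which position each one fills. A class comment along the lines of `/** Signed-audit event KEY_STATUS_CHANGE: the status of a KRA key record was changed. outcome is ILogger.SUCCESS or ILogger.FAILURE; oldStatus/newStatus are the record status before and after; info carries the caller's diagnostic text (the exception message on failure). */` keeps that contract next to the constructor, where the parameter order actually matters. The file is also added without a trailing newline, which the diff itself flags.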
clientKeyId, ILogger.FAILURE, message); + } + +- public void auditKeyStatusChange(String status, String keyID, String oldKeyStatus, ++ public void auditKeyStatusChange(String status, KeyId keyID, String oldKeyStatus, + String newKeyStatus, String info) { +- String msg = CMS.getLogMessage( +- AuditEvent.KEY_STATUS_CHANGE, ++ audit(new SecurityDataStatusChangeEvent( + servletRequest.getUserPrincipal().getName(), + status, + keyID, + oldKeyStatus, + newKeyStatus, +- info); +- auditor.log(msg); ++ info)); + } + + public void auditRecoveryRequest(String status) { +@@ -809,20 +807,20 @@ public class KeyService extends SubsystemService implements KeyResource { + mods.add(IKeyRecord.ATTR_STATUS, Modification.MOD_REPLACE, + status); + repo.modifyKeyRecord(keyId.toBigInteger(), mods); +- auditKeyStatusChange(ILogger.SUCCESS, keyId.toString(), ++ auditKeyStatusChange(ILogger.SUCCESS, keyId, + (info!=null)?info.getStatus():null, status, auditInfo); + + return createNoContentResponse(); + } catch (EDBRecordNotFoundException e) { + auditInfo = auditInfo + ":" + e.getMessage(); + CMS.debug(auditInfo); +- auditKeyStatusChange(ILogger.FAILURE, keyId.toString(), ++ auditKeyStatusChange(ILogger.FAILURE, keyId, + (info!=null)?info.getStatus():null, status, auditInfo); + throw new KeyNotFoundException(keyId, "key not found to modify", e); + } catch (Exception e) { + auditInfo = auditInfo + ":" + e.getMessage(); + CMS.debug(auditInfo); +- auditKeyStatusChange(ILogger.FAILURE, keyId.toString(), ++ auditKeyStatusChange(ILogger.FAILURE, keyId, + (info!=null)?info.getStatus():null, status, auditInfo); + e.printStackTrace(); + throw new PKIException(e.getMessage(), e); +diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties +index 4a44134..3ac23d5 100644 +--- a/base/server/cmsbundle/src/LogMessages.properties ++++ b/base/server/cmsbundle/src/LogMessages.properties +@@ -2484,7 +2484,7 @@ 
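Review bot: `servletRequest.getUserPrincipal().getName()` in auditKeyStatusChange dereferences the principal without a null check, so if this path is ever reached for a request that carries no authenticated principal, the audit write itself throws a NullPointerException and the status-change call sites further down (including the two FAILURE ones) lose their audit record. Whether the REST layer guarantees a principal before KeyService runs is not visible in this hunk; if it does not, resolve the subject defensively, e.g. `Principal p = servletRequest.getUserPrincipal();` followed by `String subjectID = (p == null) ? "unknown" : p.getName();` and pass `subjectID` to the event. The same pattern is presumably used by the sibling audit helpers in this class, so the fix belongs in one shared accessor rather than here alone.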
LOGGING_SIGNED_AUDIT_SECURITY_DATA_INFO=:[AuditEvent=SE + # oldStatus is the old status to change from + # newStatus is the new status to change to + # +-LOGGING_SIGNED_AUDIT_KEY_STATUS_CHANGE_6=:[AuditEvent=KEY_STATUS_CHANGE][SubjectID={0}][Outcome={1}][KeyID={2}][OldStatus={3}][NewStatus={4}][Info={5}] Key Status Change ++LOGGING_SIGNED_AUDIT_KEY_STATUS_CHANGE=:[AuditEvent=KEY_STATUS_CHANGE][SubjectID={0}][Outcome={1}][KeyID={2}][OldStatus={3}][NewStatus={4}][Info={5}] Key Status Change + # + # LOGGING_SIGNED_AUDIT_SYMKEY_GEN_REQUEST_PROCESSED + # - used when symmetric key generation request is processed +-- +1.8.3.1 + + +From 2a947446b81d21758ffadbae905a49e8c4e900ef Mon Sep 17 00:00:00 2001 +From: Ade Lee +Date: Wed, 24 May 2017 23:42:41 -0400 +Subject: [PATCH 27/38] Encapsulate server side keygen audit events + +This encapsulates key gen events for the token servlets. +Consolidated the success and failure cases. Note that this +event can likely later be replaced with security_data_keygen +events. Leaving separate for now. 
+ +Change-Id: I6caaeb2231fd2f7410eade03cb5fa93d66444bbf +--- + .../com/netscape/certsrv/logging/AuditEvent.java | 6 --- + .../logging/event/ServerSideKeyGenEvent.java | 45 +++++++++++++++++++++ + .../event/ServerSideKeyGenProcessedEvent.java | 47 ++++++++++++++++++++++ + base/kra/shared/conf/CS.cfg | 4 +- + .../src/com/netscape/kra/NetkeyKeygenService.java | 34 +++++++--------- + base/server/cmsbundle/src/LogMessages.properties | 14 ++----- + 6 files changed, 113 insertions(+), 37 deletions(-) + create mode 100644 base/common/src/com/netscape/certsrv/logging/event/ServerSideKeyGenEvent.java + create mode 100644 base/common/src/com/netscape/certsrv/logging/event/ServerSideKeyGenProcessedEvent.java + +diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java +index 348ea09..1d94dad 100644 +--- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java ++++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java +@@ -72,12 +72,6 @@ public class AuditEvent implements IBundleLogEvent { + public final static String LOG_PATH_CHANGE = + "LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE_4"; + +- public final static String SERVER_SIDE_KEYGEN_REQUEST = +- "LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_3"; +- public final static String SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS = +- "LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS_4"; +- public final static String SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE = +- "LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE_3"; + public final static String KEY_RECOVERY_AGENT_LOGIN = + "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_AGENT_LOGIN_4"; + public final static String KEY_GEN_ASYMMETRIC = +diff --git a/base/common/src/com/netscape/certsrv/logging/event/ServerSideKeyGenEvent.java b/base/common/src/com/netscape/certsrv/logging/event/ServerSideKeyGenEvent.java +new file mode 100644 +index 0000000..0894716 +--- /dev/null ++++ 
b/base/common/src/com/netscape/certsrv/logging/event/ServerSideKeyGenEvent.java
+@@ -0,0 +1,45 @@
++// --- BEGIN COPYRIGHT BLOCK ---
++// This program is free software; you can redistribute it and/or modify
++// it under the terms of the GNU General Public License as published by
++// the Free Software Foundation; version 2 of the License.
++//
++// This program is distributed in the hope that it will be useful,
++// but WITHOUT ANY WARRANTY; without even the implied warranty of
++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++// GNU General Public License for more details.
++//
++// You should have received a copy of the GNU General Public License along
++// with this program; if not, write to the Free Software Foundation, Inc.,
++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
++//
++// (C) 2017 Red Hat, Inc.
++// All rights reserved.
++// --- END COPYRIGHT BLOCK ---
++package com.netscape.certsrv.logging.event;
++
++import com.netscape.certsrv.logging.AuditEvent;
++import com.netscape.certsrv.request.RequestId;
++
++public class ServerSideKeyGenEvent extends AuditEvent {
++
++ private static final long serialVersionUID = 1L;
++
++ private static final String LOGGING_PROPERTY =
++ "LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST";
++
++ public ServerSideKeyGenEvent(
++ String subjectID,
++ String outcome,
++ String entityID,
++ RequestId requestID) {
++
++ super(LOGGING_PROPERTY);
++
++ setParameters(new Object[] {
++ subjectID,
++ outcome,
++ entityID,
++ requestID
++ });
++ }
++}
+diff --git a/base/common/src/com/netscape/certsrv/logging/event/ServerSideKeyGenProcessedEvent.java b/base/common/src/com/netscape/certsrv/logging/event/ServerSideKeyGenProcessedEvent.java
+new file mode 100644
+index 0000000..71ed3ed
+--- /dev/null
++++ b/base/common/src/com/netscape/certsrv/logging/event/ServerSideKeyGenProcessedEvent.java
+@@ -0,0 +1,47 @@
++// --- BEGIN COPYRIGHT BLOCK ---
++// This program is free software; you can redistribute 
it and/or modify
++// it under the terms of the GNU General Public License as published by
++// the Free Software Foundation; version 2 of the License.
++//
++// This program is distributed in the hope that it will be useful,
++// but WITHOUT ANY WARRANTY; without even the implied warranty of
++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++// GNU General Public License for more details.
++//
++// You should have received a copy of the GNU General Public License along
++// with this program; if not, write to the Free Software Foundation, Inc.,
++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
++//
++// (C) 2017 Red Hat, Inc.
++// All rights reserved.
++// --- END COPYRIGHT BLOCK ---
++package com.netscape.certsrv.logging.event;
++
++import com.netscape.certsrv.logging.AuditEvent;
++import com.netscape.certsrv.request.RequestId;
++
++public class ServerSideKeyGenProcessedEvent extends AuditEvent {
++
++ private static final long serialVersionUID = 1L;
++
++ private static final String LOGGING_PROPERTY =
++ "LOGGING_SIGNED_AUDIT_SYMKEY_GEN_REQUEST_PROCESSED";
++
++ public ServerSideKeyGenProcessedEvent(
++ String subjectID,
++ String outcome,
++ String entityID,
++ RequestId requestID,
++ String pubKey) {
++
++ super(LOGGING_PROPERTY);
++
++ setParameters(new Object[] {
++ subjectID,
++ outcome,
++ entityID,
++ requestID,
++ pubKey
++ });
++ }
++}
+\ No newline at end of file
+diff --git a/base/kra/shared/conf/CS.cfg b/base/kra/shared/conf/CS.cfg
+index 69d9382..c08e56e 100644
+--- a/base/kra/shared/conf/CS.cfg
++++ b/base/kra/shared/conf/CS.cfg
+@@ -300,11 +300,11 @@ log.instance.SignedAudit._001=## Signed Audit Logging
+ log.instance.SignedAudit._002=##
+ log.instance.SignedAudit._003=##
+ log.instance.SignedAudit._004=## Available Audit events:
+-log.instance.SignedAudit._005=## 
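Review bot: `LOGGING_PROPERTY` in ServerSideKeyGenProcessedEvent is `"LOGGING_SIGNED_AUDIT_SYMKEY_GEN_REQUEST_PROCESSED"`, but the template this same commit adds to LogMessages.properties is `LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED`, and NetkeyKeygenService now emits this event for token (server-side) key generation. As written every token keygen is rendered through the symmetric-key-generation template — presumably with a different AuditEvent name and placeholder layout — so the signed audit log never contains the SERVER_SIDE_KEYGEN_REQUEST_PROCESSED entry that CS.cfg enables, and the request/public-key fields are misfiled or dropped. The fix is the single constant: `"LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED";`. A test that resolves each event class's property against LogMessages.properties and checks the placeholder count would catch this class of mismatch for the whole encapsulation series.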
AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,KEY_RECOVERY_AGENT_LOGIN,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_EXPORT_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_INFO ++log.instance.SignedAudit._005=## 
AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,KEY_RECOVERY_AGENT_LOGIN,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_EXPORT_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_INFO + log.instance.SignedAudit._006=## + log.instance.SignedAudit.bufferSize=512 + log.instance.SignedAudit.enable=true 
+-log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,KEY_RECOVERY_AGENT_LOGIN,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SECURITY_DATA_EXPORT_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED 
++log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,KEY_RECOVERY_AGENT_LOGIN,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SECURITY_DATA_EXPORT_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED + log.instance.SignedAudit.expirationTime=0 + 
log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_TYPE]/signedAudit/kra_cert-kra_audit + log.instance.SignedAudit.flushInterval=5 +diff --git a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java +index 947377a..e54c58a 100644 +--- a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java ++++ b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java +@@ -53,8 +53,11 @@ import com.netscape.certsrv.logging.ILogger; + import com.netscape.certsrv.logging.event.SecurityDataArchivalEvent; + import com.netscape.certsrv.logging.event.SecurityDataArchivalProcessedEvent; + import com.netscape.certsrv.logging.event.SecurityDataExportEvent; ++import com.netscape.certsrv.logging.event.ServerSideKeyGenEvent; ++import com.netscape.certsrv.logging.event.ServerSideKeyGenProcessedEvent; + import com.netscape.certsrv.request.IRequest; + import com.netscape.certsrv.request.IService; ++import com.netscape.certsrv.request.RequestId; + import com.netscape.certsrv.security.IStorageKeyUnit; + import com.netscape.certsrv.security.ITransportKeyUnit; + import com.netscape.cms.servlet.key.KeyRecordParser; +@@ -144,7 +147,6 @@ public class NetkeyKeygenService implements IService { + */ + public boolean serviceRequest(IRequest request) + throws EBaseException { +- String auditMessage = null; + String auditSubjectID = null; + byte[] wrapped_des_key; + +@@ -180,23 +182,21 @@ public class NetkeyKeygenService implements IService { + String rCUID = request.getExtDataInString(IRequest.NETKEY_ATTR_CUID); + String rUserid = request.getExtDataInString(IRequest.NETKEY_ATTR_USERID); + String rKeytype = request.getExtDataInString(IRequest.NETKEY_ATTR_KEY_TYPE); ++ RequestId requestId = request.getRequestId(); + + auditSubjectID = rCUID + ":" + rUserid; + + SessionContext sContext = SessionContext.getContext(); + String agentId = ""; + if (sContext != null) { +- agentId = +- (String) sContext.get(SessionContext.USER_ID); ++ 
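Review bot: The rewritten `log.instance.SignedAudit.events=` value still carries two entries with a leading space (`, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE` and `, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE`) and lists `SECURITY_DATA_RETRIEVE_KEY` twice; the `_005` comment line has the same stray spaces. Whether the event filter trims tokens is not visible from this hunk; if it compares the raw token, those two failure events are silently excluded from the signed audit log, which is precisely the gap a signed-audit configuration must not have. Since the line is being rewritten anyway, drop the spaces and the duplicate, and add a comment above it: `## one event name per comma, no whitespace: an untrimmed token may never match`. The `_005` list should get the same cleanup so the documented set matches the enabled set.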
agentId = (String) sContext.get(SessionContext.USER_ID); + } + +- auditMessage = CMS.getLogMessage( +- AuditEvent.SERVER_SIDE_KEYGEN_REQUEST, ++ audit(new ServerSideKeyGenEvent( + agentId, + ILogger.SUCCESS, +- auditSubjectID); +- +- audit(auditMessage); ++ auditSubjectID, ++ requestId)); + + String rWrappedDesKeyString = request.getExtDataInString(IRequest.NETKEY_ATTR_DRMTRANS_DES_KEY); + // the request reocrd field delayLDAPCommit == "true" will cause +@@ -262,13 +262,12 @@ public class NetkeyKeygenService implements IService { + CMS.debug("NetkeyKeygenService: failed generating key pair for " + rCUID + ":" + rUserid); + request.setExtData(IRequest.RESULT, Integer.valueOf(4)); + +- auditMessage = CMS.getLogMessage( +- AuditEvent.SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE, ++ audit(new ServerSideKeyGenProcessedEvent( + agentId, + ILogger.FAILURE, +- auditSubjectID); +- +- audit(auditMessage); ++ auditSubjectID, ++ requestId, ++ null)); + + return false; + } +@@ -294,14 +293,12 @@ public class NetkeyKeygenService implements IService { + request.setExtData("public_key", PubKey); + } + +- auditMessage = CMS.getLogMessage( +- AuditEvent.SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS, ++ audit(new ServerSideKeyGenProcessedEvent( + agentId, + ILogger.SUCCESS, + auditSubjectID, +- PubKey); +- +- audit(auditMessage); ++ requestId, ++ PubKey)); + + //...extract the private key handle (not privatekeydata) + java.security.PrivateKey privKey = +@@ -365,7 +362,6 @@ public class NetkeyKeygenService implements IService { + "NetkeyKeygenService: failed generating wrapped private key", + PubKey)); + +- audit(auditMessage); + return false; + } else { + request.setExtData("wrappedUserPrivate", wrappedPrivKeyString); +diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties +index 3ac23d5..fc4e946 100644 +--- a/base/server/cmsbundle/src/LogMessages.properties ++++ b/base/server/cmsbundle/src/LogMessages.properties +@@ -1947,21 
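Review bot: The SERVER_SIDE_KEYGEN_REQUEST_PROCESSED event with outcome SUCCESS is emitted as soon as the key pair is generated (hunk `@@ -294`), before the private key is wrapped, and the later failure branch in hunk `@@ -365` (`failed generating wrapped private key`) only drops the old `audit(auditMessage)` — which re-logged whatever message was last built — and returns false with no FAILURE outcome for this event. The signed audit log therefore shows the keygen request as processed successfully for a request that actually failed; the old code had the same ordering, but this commit consolidates the success/failure events and is the place to make the trail truthful. Either move the SUCCESS `audit(new ServerSideKeyGenProcessedEvent(...))` past the wrapping step, or add `audit(new ServerSideKeyGenProcessedEvent(agentId, ILogger.FAILURE, auditSubjectID, requestId, PubKey));` before that `return false;`. serviceRequest continues outside these hunks, so its other early returns deserve the same check.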
+1947,15 @@ LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE_4=:[AuditEvent=LOG_PA + # - used when server-side key generation request is made + # This is for tokenkeys + # EntityID must be the representation of the subject that will be on the certificate when issued +-LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_3=:[AuditEvent=SERVER_SIDE_KEYGEN_REQUEST][SubjectID={0}][Outcome={1}][EntityID={2}] server-side key generation request processed ++LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST=:[AuditEvent=SERVER_SIDE_KEYGEN_REQUEST][SubjectID={0}][Outcome={1}][EntityID={2}][RequestID={3}] server-side key generation request + # +-# LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS +-# - used when server-side key generation request has been processed with success ++# LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED ++# - used when server-side key generation request has been processed. + # This is for tokenkeys + # EntityID must be the representation of the subject that will be on the certificate when issued + # PubKey must be the base-64 encoded public key associated with + # the private key to be archived +-LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS_4=:[AuditEvent=SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS][SubjectID={0}][Outcome={1}][EntityID={2}][PubKey={3}] server-side key generation request processed with success +-# +-# LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE +-# - used when server-side key generation request has been processed with failure +-# This is for tokenkeys +-# EntityID must be the representation of the subject that will be on the certificate when issued +-LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE_3=:[AuditEvent=SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE][SubjectID={0}][Outcome={1}][EntityID={2}] server-side key generation request processed with failure 
++LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED=:[AuditEvent=SERVER_SIDE_KEYGEN_REQUEST_PROCESSED][SubjectID={0}][Outcome={1}][EntityID={2}][RequestID={3}][[PubKey={4}] server-side key generation request processed + # + # LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST + # - used when key recovery request is made +-- +1.8.3.1 + + +From 8aa94e1ca017e54454f6f6f6ebb4ee254062e822 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Sat, 20 May 2017 01:49:36 +0200 +Subject: [PATCH 28/38] Replaced SHA1-based random number generators. + +The SHA1-based random number generators in some classes have been +replaced with the random number generator provided by JssSubsystem. + +https://pagure.io/dogtagpki/issue/2695 + +Change-Id: Id0285dbc8c940fa7afb8feccab3086030d949514 +--- + base/kra/src/com/netscape/kra/NetkeyKeygenService.java | 5 ++++- + base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java | 5 ++++- + base/tks/src/org/dogtagpki/server/tks/servlet/TokenServlet.java | 7 +++++-- + 3 files changed, 13 insertions(+), 4 deletions(-) + +diff --git a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java +index e54c58a..8383e89 100644 +--- a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java ++++ b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java +@@ -62,6 +62,7 @@ import com.netscape.certsrv.security.IStorageKeyUnit; + import com.netscape.certsrv.security.ITransportKeyUnit; + import com.netscape.cms.servlet.key.KeyRecordParser; + import com.netscape.cmscore.dbs.KeyRecord; ++import com.netscape.cmscore.security.JssSubsystem; + import com.netscape.cmscore.util.Debug; + import com.netscape.cmsutil.crypto.CryptoUtil; + +@@ -153,10 +154,12 @@ public class NetkeyKeygenService implements IService { + byte iv[] = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 }; + String iv_s = ""; + try { +- SecureRandom random = SecureRandom.getInstance("SHA1PRNG"); ++ JssSubsystem jssSubsystem = (JssSubsystem) 
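Review bot: The new `LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED` template has a doubled bracket, `[[PubKey={4}]`, where every other template in the file uses exactly one `[Key=value]` group per field; anything that parses the signed audit log by bracket groups will see a malformed field, and PubKey is the value an auditor needs to tie the event to the issued certificate. Change the tail of the line to `[RequestID={3}][PubKey={4}] server-side key generation request processed`. The comment block above still says PubKey is the key "to be archived", which is true for the success case only — NetkeyKeygenService now also emits this event with a null PubKey on failure — so a line such as `# PubKey is empty when Outcome is Failure` would keep the documentation honest.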
CMS.getSubsystem(JssSubsystem.ID); ++ SecureRandom random = jssSubsystem.getRandomNumberGenerator(); + random.nextBytes(iv); + } catch (Exception e) { + CMS.debug("NetkeyKeygenService.serviceRequest: " + e.toString()); ++ throw new EBaseException(e); + } + + IVParameterSpec algParam = new IVParameterSpec(iv); +diff --git a/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java b/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java +index 2519a4d..c0b5cdd 100644 +--- a/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java ++++ b/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java +@@ -56,6 +56,7 @@ import com.netscape.certsrv.request.RequestId; + import com.netscape.certsrv.security.IStorageKeyUnit; + import com.netscape.certsrv.security.ITransportKeyUnit; + import com.netscape.cmscore.dbs.KeyRecord; ++import com.netscape.cmscore.security.JssSubsystem; + import com.netscape.cmsutil.crypto.CryptoUtil; + import com.netscape.cmsutil.util.Cert; + +@@ -203,10 +204,12 @@ public class TokenKeyRecoveryService implements IService { + + byte iv[] = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 }; + try { +- SecureRandom random = SecureRandom.getInstance("SHA1PRNG"); ++ JssSubsystem jssSubsystem = (JssSubsystem) CMS.getSubsystem(JssSubsystem.ID); ++ SecureRandom random = jssSubsystem.getRandomNumberGenerator(); + random.nextBytes(iv); + } catch (Exception e) { + CMS.debug("TokenKeyRecoveryService.serviceRequest: " + e.toString()); ++ throw new EBaseException(e); + } + + RequestId auditRequestID = request.getRequestId(); +diff --git a/base/tks/src/org/dogtagpki/server/tks/servlet/TokenServlet.java b/base/tks/src/org/dogtagpki/server/tks/servlet/TokenServlet.java +index c8150a9..5b8b1dd 100644 +--- a/base/tks/src/org/dogtagpki/server/tks/servlet/TokenServlet.java ++++ b/base/tks/src/org/dogtagpki/server/tks/servlet/TokenServlet.java +@@ -54,6 +54,7 @@ import com.netscape.cms.servlet.common.CMSRequest; + import com.netscape.cms.servlet.tks.GPParams; + import 
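Review bot: With the added `throw new EBaseException(e)`, the context line `byte iv[] = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 };` becomes a dead initializer: the IV is either fully overwritten by `random.nextBytes(iv)` or the request aborts. That is the right outcome — before this change a failing PRNG lookup silently left the fixed all-0x01 IV in use — but keeping the constant invites someone to remove the throw later and resurrect a predictable IV. Replace it with `byte[] iv = new byte[8];` and the comment `// filled from the JSS RNG below; a failure aborts the request rather than falling back to a fixed IV`. TokenKeyRecoveryService gets the identical change in this commit and would benefit from the same cleanup.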
com.netscape.cms.servlet.tks.NistSP800_108KDF; + import com.netscape.cms.servlet.tks.SecureChannelProtocol; ++import com.netscape.cmscore.security.JssSubsystem; + import com.netscape.cmsutil.crypto.CryptoUtil; + import com.netscape.symkey.SessionKey; + +@@ -1996,7 +1997,8 @@ public class TokenServlet extends CMSServlet { + CMS.debug("TokenServlet: processEncryptData(): contain data in request, however, random generation on TKS is required. Generating..."); + } + try { +- SecureRandom random = SecureRandom.getInstance("SHA1PRNG"); ++ JssSubsystem jssSubsystem = (JssSubsystem) CMS.getSubsystem(JssSubsystem.ID); ++ SecureRandom random = jssSubsystem.getRandomNumberGenerator(); + data = new byte[16]; + random.nextBytes(data); + } catch (Exception e) { +@@ -2320,7 +2322,8 @@ public class TokenServlet extends CMSServlet { + + if (!missingParam) { + try { +- SecureRandom random = SecureRandom.getInstance("SHA1PRNG"); ++ JssSubsystem jssSubsystem = (JssSubsystem) CMS.getSubsystem(JssSubsystem.ID); ++ SecureRandom random = jssSubsystem.getRandomNumberGenerator(); + randomData = new byte[dataSize]; + random.nextBytes(randomData); + } catch (Exception e) { +-- +1.8.3.1 + + +From 5ce1212159f8055ab7534887542e1d8cb41eb15d Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Thu, 25 May 2017 19:35:36 +0200 +Subject: [PATCH 29/38] Refactored CRLIssuingPoint.generateDeltaCRL(). + +The code related to delta CRL generation has been moved into +generateDeltaCRL(). 
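Review bot: In both TokenServlet hunks the new RNG lookup sits in a `try` whose `catch (Exception e)` body lies outside the hunk, and unlike the two KRA services in this same commit no rethrow is added; if that catch only logs, `data` or `randomData` is left unset when `CMS.getSubsystem(JssSubsystem.ID)` returns null or the cast fails, and the TKS request continues with missing random material. If that is the case, end the catch with `throw new EBaseException(e);` as NetkeyKeygenService now does, or have the code after the `try` check the buffer for null and fail the request. The enclosing methods continue outside the hunk, so the actual catch bodies need to be confirmed.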
+ +https://pagure.io/dogtagpki/issue/2651 + +Change-Id: Ic38c654cea03fe8748bd9663b5414fbe8e762f26 +--- + base/ca/src/com/netscape/ca/CRLIssuingPoint.java | 102 ++++++++++++----------- + 1 file changed, 54 insertions(+), 48 deletions(-) + +diff --git a/base/ca/src/com/netscape/ca/CRLIssuingPoint.java b/base/ca/src/com/netscape/ca/CRLIssuingPoint.java +index 3764adf..feca02a 100644 +--- a/base/ca/src/com/netscape/ca/CRLIssuingPoint.java ++++ b/base/ca/src/com/netscape/ca/CRLIssuingPoint.java +@@ -2607,51 +2607,15 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { + mSplits[5] += System.currentTimeMillis(); + } else { + if (isDeltaCRLEnabled()) { +- mSplits[1] -= System.currentTimeMillis(); +- @SuppressWarnings("unchecked") +- Hashtable deltaCRLCerts = +- (Hashtable) clonedRevokedCerts.clone(); + +- deltaCRLCerts.putAll(clonedUnrevokedCerts); +- if (mIncludeExpiredCertsOneExtraTime) { +- if (!clonedExpiredCerts.isEmpty()) { +- for (Enumeration e = clonedExpiredCerts.keys(); e.hasMoreElements();) { +- BigInteger serialNumber = e.nextElement(); +- if ((mLastFullUpdate != null && +- mLastFullUpdate.after((mExpiredCerts.get(serialNumber)).getRevocationDate())) || +- mLastFullUpdate == null) { +- deltaCRLCerts.put(serialNumber, clonedExpiredCerts.get(serialNumber)); +- } +- } +- } +- } else { +- deltaCRLCerts.putAll(clonedExpiredCerts); +- } +- +- mLastCRLNumber = mCRLNumber; +- +- CRLExtensions ext = generateCRLExtensions(FreshestCRLExtension.NAME); +- +- mSplits[1] += System.currentTimeMillis(); ++ generateDeltaCRL( ++ clonedRevokedCerts, ++ clonedUnrevokedCerts, ++ clonedExpiredCerts, ++ signingAlgorithm, ++ thisUpdate, ++ nextDeltaUpdate); + +- X509CRLImpl newX509DeltaCRL = generateDeltaCRL( +- deltaCRLCerts, signingAlgorithm, thisUpdate, nextDeltaUpdate, ext); +- +- try { +- mSplits[4] -= System.currentTimeMillis(); +- publishCRL(newX509DeltaCRL, true); +- mSplits[4] += System.currentTimeMillis(); +- } catch (EBaseException e) { +- newX509DeltaCRL 
= null; +- if (Debug.on()) +- Debug.printStackTrace(e); +- log(ILogger.LL_FAILURE, +- CMS.getLogMessage("CMSCORE_CA_ISSUING_PUBLISH_DELTA", mCRLNumber.toString(), e.toString())); +- } catch (OutOfMemoryError e) { +- newX509DeltaCRL = null; +- log(ILogger.LL_FAILURE, +- CMS.getLogMessage("CMSCORE_CA_ISSUING_PUBLISH_DELTA", mCRLNumber.toString(), e.toString())); +- } + } else { + mDeltaCRLSize = -1; + } +@@ -2780,12 +2744,41 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { + return ext; + } + +- X509CRLImpl generateDeltaCRL( +- Hashtable deltaCRLCerts, ++ void generateDeltaCRL( ++ Hashtable clonedRevokedCerts, ++ Hashtable clonedUnrevokedCerts, ++ Hashtable clonedExpiredCerts, + String signingAlgorithm, + Date thisUpdate, +- Date nextDeltaUpdate, +- CRLExtensions ext) { ++ Date nextDeltaUpdate) { ++ ++ mSplits[1] -= System.currentTimeMillis(); ++ ++ @SuppressWarnings("unchecked") ++ Hashtable deltaCRLCerts = ++ (Hashtable) clonedRevokedCerts.clone(); ++ ++ deltaCRLCerts.putAll(clonedUnrevokedCerts); ++ ++ if (mIncludeExpiredCertsOneExtraTime) { ++ ++ for (Enumeration e = clonedExpiredCerts.keys(); e.hasMoreElements();) { ++ BigInteger serialNumber = e.nextElement(); ++ if (mLastFullUpdate == null || ++ mLastFullUpdate.after(mExpiredCerts.get(serialNumber).getRevocationDate())) { ++ deltaCRLCerts.put(serialNumber, clonedExpiredCerts.get(serialNumber)); ++ } ++ } ++ ++ } else { ++ deltaCRLCerts.putAll(clonedExpiredCerts); ++ } ++ ++ mLastCRLNumber = mCRLNumber; ++ ++ CRLExtensions ext = generateCRLExtensions(FreshestCRLExtension.NAME); ++ ++ mSplits[1] += System.currentTimeMillis(); + + X509CRLImpl newX509DeltaCRL = null; + +@@ -2868,7 +2861,20 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { + mDeltaCRLSize = -1; + } + +- return newX509DeltaCRL; ++ try { ++ mSplits[4] -= System.currentTimeMillis(); ++ publishCRL(newX509DeltaCRL, true); ++ mSplits[4] += System.currentTimeMillis(); ++ ++ } catch (EBaseException e) { ++ 
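Review bot: Inside the `mIncludeExpiredCertsOneExtraTime` loop, the moved generateDeltaCRL body still consults the live table, `mExpiredCerts.get(serialNumber).getRevocationDate()`, while iterating the snapshot `clonedExpiredCerts`; if the clones exist to decouple generation from concurrent updates of the live tables, an entry removed from `mExpiredCerts` after the clone was taken makes that `.get()` return null and the loop throws an NPE mid-generation. Unless the live map is deliberately consulted here, read the snapshot instead: `mLastFullUpdate.after(clonedExpiredCerts.get(serialNumber).getRevocationDate())` (the next line already treats the snapshot values as the ones to publish, so they presumably carry the same type). The method is package-private and has no javadoc; a short one stating that it merges the three snapshots into the delta set, advances `mLastCRLNumber`, then signs and stores the delta CRL would help callers. The signing part of the method lies outside this hunk.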
CMS.debug(e); ++ log(ILogger.LL_FAILURE, ++ CMS.getLogMessage("CMSCORE_CA_ISSUING_PUBLISH_DELTA", mCRLNumber.toString(), e.toString())); ++ } catch (OutOfMemoryError e) { ++ CMS.debug(e); ++ log(ILogger.LL_FAILURE, ++ CMS.getLogMessage("CMSCORE_CA_ISSUING_PUBLISH_DELTA", mCRLNumber.toString(), e.toString())); ++ } + } + + X509CRLImpl generateFullCRL( +-- +1.8.3.1 + + +From 5e0cb550236c5bb06baa4b3a94558407a53c92ea Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Thu, 25 May 2017 21:22:50 +0200 +Subject: [PATCH 30/38] Refactored CRLIssuingPoint.generateFullCRL(). + +The code related to full CRL generation has been moved into +generateFullCRL(). + +https://pagure.io/dogtagpki/issue/2651 + +Change-Id: I6a23c97255ba7095e168e927621f0503923251c2 +--- + base/ca/src/com/netscape/ca/CRLIssuingPoint.java | 80 ++++++++++++------------ + 1 file changed, 40 insertions(+), 40 deletions(-) + +diff --git a/base/ca/src/com/netscape/ca/CRLIssuingPoint.java b/base/ca/src/com/netscape/ca/CRLIssuingPoint.java +index feca02a..cbcdc69 100644 +--- a/base/ca/src/com/netscape/ca/CRLIssuingPoint.java ++++ b/base/ca/src/com/netscape/ca/CRLIssuingPoint.java +@@ -2676,39 +2676,8 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { + clonedExpiredCerts = null; + + if ((!isDeltaCRLEnabled()) || mSchemaCounter == 0) { +- mSplits[6] -= System.currentTimeMillis(); +- if (mNextDeltaCRLNumber.compareTo(mNextCRLNumber) > 0) { +- mNextCRLNumber = mNextDeltaCRLNumber; +- } +- +- CRLExtensions ext; +- if (mAllowExtensions) { +- ext = generateCRLExtensions(DeltaCRLIndicatorExtension.NAME); +- } else { +- ext = null; +- } +- mSplits[6] += System.currentTimeMillis(); +- // for audit log + +- X509CRLImpl newX509CRL = generateFullCRL(signingAlgorithm, thisUpdate, nextUpdate, ext); +- +- try { +- mSplits[9] -= System.currentTimeMillis(); +- mUpdatingCRL = CRL_PUBLISHING_STARTED; +- publishCRL(newX509CRL); +- newX509CRL = null; +- mSplits[9] += System.currentTimeMillis(); +- } catch 
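Review bot: The publish step appended at the end of generateDeltaCRL runs unconditionally, but `newX509DeltaCRL` is initialised to null and the catch blocks just above this hunk (ending in `mDeltaCRLSize = -1;`) fall through rather than return, so a signing failure now reaches `publishCRL(null, true)` and is reported a second time as a publishing failure. The old caller had the same fall-through, so this is not a regression, but the refactor is the place to close it: `if (newX509DeltaCRL == null) return;` before the `try`. The two catch blocks are identical apart from the exception type; if the build targets Java 7 or later they can be folded into `catch (EBaseException | OutOfMemoryError e)`. The generating half of the method starts outside this hunk.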
(EBaseException e) { +- newX509CRL = null; +- mUpdatingCRL = CRL_UPDATE_DONE; +- log(ILogger.LL_FAILURE, +- CMS.getLogMessage("CMSCORE_CA_ISSUING_PUBLISH_CRL", mCRLNumber.toString(), e.toString())); +- } catch (OutOfMemoryError e) { +- newX509CRL = null; +- mUpdatingCRL = CRL_UPDATE_DONE; +- log(ILogger.LL_FAILURE, +- CMS.getLogMessage("CMSCORE_CA_ISSUING_PUBLISH_CRL", mCRLNumber.toString(), e.toString())); +- } ++ generateFullCRL(signingAlgorithm, thisUpdate, nextUpdate); + } + + if (isDeltaCRLEnabled() && mDeltaCRLSize > -1 && mSchemaCounter > 0) { +@@ -2877,11 +2846,25 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { + } + } + +- X509CRLImpl generateFullCRL( ++ void generateFullCRL( + String signingAlgorithm, + Date thisUpdate, +- Date nextUpdate, +- CRLExtensions ext) throws EBaseException { ++ Date nextUpdate) throws EBaseException { ++ ++ mSplits[6] -= System.currentTimeMillis(); ++ if (mNextDeltaCRLNumber.compareTo(mNextCRLNumber) > 0) { ++ mNextCRLNumber = mNextDeltaCRLNumber; ++ } ++ ++ CRLExtensions ext; ++ if (mAllowExtensions) { ++ ext = generateCRLExtensions(DeltaCRLIndicatorExtension.NAME); ++ } else { ++ ext = null; ++ } ++ mSplits[6] += System.currentTimeMillis(); ++ ++ X509CRLImpl newX509CRL = null; + + try { + CMS.debug("Making CRL with algorithm " + +@@ -2904,7 +2887,7 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { + thisUpdate, nextUpdate, mCRLCerts, ext); + + CMS.debug("CRLIssuingPoint: signing CRL"); +- X509CRLImpl newX509CRL = mCA.sign(crl, signingAlgorithm); ++ newX509CRL = mCA.sign(crl, signingAlgorithm); + + CMS.debug("CRLIssuingPoint: encoding CRL"); + byte[] newCRL = newX509CRL.getEncoded(); +@@ -2914,8 +2897,9 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { + mSplits[8] -= System.currentTimeMillis(); + + Date nextUpdateDate = mNextUpdate; +- if (isDeltaCRLEnabled() && (mUpdateSchema > 1 || +- (mEnableDailyUpdates && mExtendedTimeList)) && mNextDeltaUpdate != null) { 
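Review bot: generateFullCRL now also publishes the CRL and drives `mUpdatingCRL`, yet its name and the missing javadoc still suggest a pure generator, and the signature keeps `throws EBaseException` although the publishing errors are only logged inside the method (per the last hunk of this patch). Add a javadoc above the signature saying that the method builds and signs the full CRL for this issuing point, bumps `mNextCRLNumber` to `mNextDeltaCRLNumber` when the latter is ahead, then publishes the result, and that only generation/signing failures propagate as `EBaseException` while publishing failures are logged and leave `mUpdatingCRL` at `CRL_UPDATE_DONE`. The body of the method continues past this hunk.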
++ if (isDeltaCRLEnabled() ++ && (mUpdateSchema > 1 || mEnableDailyUpdates && mExtendedTimeList) ++ && mNextDeltaUpdate != null) { + nextUpdateDate = mNextDeltaUpdate; + } + +@@ -2976,8 +2960,6 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { + + CMS.debug("CRLIssuingPoint: Finished Logging CRL Update to transaction log"); + +- return newX509CRL; +- + } catch (EBaseException e) { + CMS.debug(e); + mUpdatingCRL = CRL_UPDATE_DONE; +@@ -3008,6 +2990,24 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_CRL", e.toString())); + throw new ECAException(CMS.getUserMessage("CMS_CA_FAILED_CONSTRUCTING_CRL", e.toString())); + } ++ ++ try { ++ mSplits[9] -= System.currentTimeMillis(); ++ mUpdatingCRL = CRL_PUBLISHING_STARTED; ++ publishCRL(newX509CRL); ++ mSplits[9] += System.currentTimeMillis(); ++ ++ } catch (EBaseException e) { ++ CMS.debug(e); ++ mUpdatingCRL = CRL_UPDATE_DONE; ++ log(ILogger.LL_FAILURE, ++ CMS.getLogMessage("CMSCORE_CA_ISSUING_PUBLISH_CRL", mCRLNumber.toString(), e.toString())); ++ } catch (OutOfMemoryError e) { ++ CMS.debug(e); ++ mUpdatingCRL = CRL_UPDATE_DONE; ++ log(ILogger.LL_FAILURE, ++ CMS.getLogMessage("CMSCORE_CA_ISSUING_PUBLISH_CRL", mCRLNumber.toString(), e.toString())); ++ } + } + + /** +-- +1.8.3.1 + + +From 64233b8f26a3f87786fa0e0d641a5a02116ebece Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Fri, 26 May 2017 00:13:49 +0200 +Subject: [PATCH 31/38] Updated ECAException constructor. + +The ECAException constructor has been modified to accept a more +generic Throwable instead of Exception. 
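Review bot: The reflowed condition in the `nextUpdateDate` block drops the parentheses around `mEnableDailyUpdates && mExtendedTimeList`, so the reader now has to rely on `&&` binding tighter than `||`; the truth table is unchanged, but the intent (daily updates with an extended time list, as an alternative to `mUpdateSchema > 1`) is no longer visible at a glance. Keep the grouping explicit: `&& (mUpdateSchema > 1 || (mEnableDailyUpdates && mExtendedTimeList))`. The enclosing method starts and ends outside this hunk.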
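Review bot: In the publish block appended to generateFullCRL, `mSplits[9]` is decremented before `publishCRL` but only re-incremented on the success path, so any publishing failure leaves that timing counter negative until the next run; move the `+=` into a `finally`, or drop the split timing around the call. The two catch blocks are textually identical apart from the type; with Java 7 or later they collapse to `catch (EBaseException | OutOfMemoryError e)`, keeping the `CMS.debug(e)`, the `CRL_UPDATE_DONE` reset and the `CMSCORE_CA_ISSUING_PUBLISH_CRL` log line in one place. Unlike the generation failures earlier in the method, a publishing failure here does not propagate to the caller; if that is intended, a one-line comment saying so would stop the next reader from adding a rethrow. The method starts outside this hunk.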
+ +https://pagure.io/dogtagpki/issue/2651 + +Change-Id: I2a63fad2f8a3216fe8d33f550d3571d2fec2c4ee +--- + base/common/src/com/netscape/certsrv/ca/ECAException.java | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/base/common/src/com/netscape/certsrv/ca/ECAException.java b/base/common/src/com/netscape/certsrv/ca/ECAException.java +index 01c601e..814219f 100644 +--- a/base/common/src/com/netscape/certsrv/ca/ECAException.java ++++ b/base/common/src/com/netscape/certsrv/ca/ECAException.java +@@ -51,10 +51,10 @@ public class ECAException extends EBaseException { + *

    + * + * @param msgFormat constant from CAResources. +- * @param e embedded exception. ++ * @param cause cause of this exception. + */ +- public ECAException(String msgFormat, Exception e) { +- super(msgFormat, e); ++ public ECAException(String msgFormat, Throwable cause) { ++ super(msgFormat, cause); + } + + /** +-- +1.8.3.1 + + +From 5438e24e022c4c169ff9b5c6325e5ec0023d4caa Mon Sep 17 00:00:00 2001 +From: Ade Lee +Date: Thu, 25 May 2017 16:31:45 -0400 +Subject: [PATCH 32/38] Set encryption flag for generated keys + +The key record for keys generated in the keygen servlets +was not updated to reflect whether or not the server was set up +to do encryption/key wrapping. This patch corrects this +oversight. + +Bugzilla BZ# 1455617 + +Change-Id: I31daece8b93a0ad58cb595e6a23fe8705f338024 +--- + base/kra/src/com/netscape/kra/AsymKeyGenService.java | 2 +- + base/kra/src/com/netscape/kra/NetkeyKeygenService.java | 2 +- + base/kra/src/com/netscape/kra/SymKeyGenService.java | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/base/kra/src/com/netscape/kra/AsymKeyGenService.java b/base/kra/src/com/netscape/kra/AsymKeyGenService.java +index ea1d0cc..1e38b48 100644 +--- a/base/kra/src/com/netscape/kra/AsymKeyGenService.java ++++ b/base/kra/src/com/netscape/kra/AsymKeyGenService.java +@@ -197,7 +197,7 @@ public class AsymKeyGenService implements IService { + } + + try { +- record.setWrappingParams(params, false); ++ record.setWrappingParams(params, allowEncDecrypt_archival); + } catch (Exception e) { + auditAsymKeyGenRequestProcessed(auditSubjectID, ILogger.FAILURE, request.getRequestId(), + clientKeyId, null, "Failed to store wrapping params"); +diff --git a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java +index 8383e89..96d7aae 100644 +--- a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java ++++ b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java +@@ -477,7 +477,7 @@ public class 
NetkeyKeygenService implements IService {
+ return false;
+ }
+
+- rec.setWrappingParams(params, false);
++ rec.setWrappingParams(params, allowEncDecrypt_archival);
+
+ CMS.debug("NetkeyKeygenService: before addKeyRecord");
+ rec.set(KeyRecord.ATTR_ID, serialNo);
+diff --git a/base/kra/src/com/netscape/kra/SymKeyGenService.java b/base/kra/src/com/netscape/kra/SymKeyGenService.java
+index a4613c2..578b1ff 100644
+--- a/base/kra/src/com/netscape/kra/SymKeyGenService.java
++++ b/base/kra/src/com/netscape/kra/SymKeyGenService.java
+@@ -221,7 +221,7 @@ public class SymKeyGenService implements IService {
+ }
+
+ try {
+- rec.setWrappingParams(params, false);
++ rec.setWrappingParams(params, allowEncDecrypt_archival);
+ } catch (Exception e) {
+ mKRA.log(ILogger.LL_FAILURE,
+ "Failed to store wrapping parameters: " + e);
+--
+1.8.3.1
+
+
+From 2866f6195eb49012cf7c42089a9fbf1be819129a Mon Sep 17 00:00:00 2001
+From: Fraser Tweedale
+Date: Fri, 26 May 2017 17:47:14 +1000
+Subject: [PATCH 33/38] Fix NPE in lightweight CA creation
+
+Fixes: https://pagure.io/dogtagpki/issue/2711
+---
+ .../cms/src/com/netscape/cms/servlet/cert/EnrollmentProcessor.java | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollmentProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollmentProcessor.java
+index 908cbe4..4b0f68c 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollmentProcessor.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollmentProcessor.java
+@@ -148,7 +148,9 @@ public class EnrollmentProcessor extends CertProcessor {
+ IProfileContext ctx = profile.createContext();
+
+ // set arbitrary user data into request, if any
+- String userData = request.getParameter("user-data");
++ String userData = null;
++ if (request != null)
++ userData = request.getParameter("user-data");
+ if (userData != null)
+ ctx.set(IEnrollProfile.REQUEST_USER_DATA, userData);
+
+--
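Review bot: In NetkeyKeygenService the call `rec.setWrappingParams(params, allowEncDecrypt_archival);` is not wrapped in the try/catch with a failure log that the AsymKeyGenService and SymKeyGenService hunks of this same commit keep around the identical call; unless an enclosing handler outside the hunk covers it, a failure to persist the wrapping parameters here surfaces differently from the other two keygen paths. Consider the same shape, e.g. `try { rec.setWrappingParams(params, allowEncDecrypt_archival); } catch (Exception e) { CMS.debug(e); return false; }` plus a log line, since the method already returns `false` on the failure just above. Where `allowEncDecrypt_archival` is initialised is not visible in this patch, and key records written before this fix still carry `false`, so recovery of those records presumably has to tolerate the stale flag or needs a migration not included here. The enclosing method starts and ends outside this hunk.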
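Review bot: The new null guard says nothing about why `request` can be null here; per the commit subject this is the lightweight-CA creation path, which drives enrollment without an HTTP request, and a reader who sees a servlet parameter lookup guarded against a null request will otherwise assume a latent bug. Replace the existing comment with `// set arbitrary user data into request, if any; request is null for internally driven enrollments (e.g. lightweight CA creation), which carry no user-data`. Braces on the two single-statement `if`s would also help now that the guarded statement spans two lines. The enclosing method starts and ends outside this hunk.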
+1.8.3.1 + + +From e3f64ea8ca4ec231a954076a7f6b05dfc626ff1b Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Thu, 18 May 2017 19:38:20 +0200 +Subject: [PATCH 34/38] Added DELTA_CRL_GENERATION audit event. + +A new DELTA_CRL_GENERATION audit event has been added which will +be generated when delta CRL generation is complete. + +https://pagure.io/dogtagpki/issue/2651 + +Change-Id: Ic4759ac2d90b6915443587708292d0f51e11345f +--- + base/ca/shared/conf/CS.cfg | 4 +- + base/ca/src/com/netscape/ca/CRLIssuingPoint.java | 69 ++++++++++++----- + .../logging/event/DeltaCRLGenerationEvent.java | 86 ++++++++++++++++++++++ + base/server/cmsbundle/src/LogMessages.properties | 6 ++ + 4 files changed, 145 insertions(+), 20 deletions(-) + create mode 100644 base/common/src/com/netscape/certsrv/logging/event/DeltaCRLGenerationEvent.java + +diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg +index 4e881dc..7377561 100644 +--- a/base/ca/shared/conf/CS.cfg ++++ b/base/ca/shared/conf/CS.cfg +@@ -907,11 +907,11 @@ log.instance.SignedAudit._001=## Signed Audit Logging + log.instance.SignedAudit._002=## + log.instance.SignedAudit._003=## + log.instance.SignedAudit._004=## Available Audit events: +-log.instance.SignedAudit._005=## 
AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST 
++log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,DELTA_CRL_GENERATION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST + log.instance.SignedAudit._006=## + log.instance.SignedAudit.bufferSize=512 + log.instance.SignedAudit.enable=true +-log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCE
SS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST ++log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,DELTA_CRL_GENERATION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUE
ST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST + log.instance.SignedAudit.expirationTime=0 + log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_TYPE]/signedAudit/ca_audit + log.instance.SignedAudit.flushInterval=5 +diff --git a/base/ca/src/com/netscape/ca/CRLIssuingPoint.java b/base/ca/src/com/netscape/ca/CRLIssuingPoint.java +index cbcdc69..ff157b5 100644 +--- a/base/ca/src/com/netscape/ca/CRLIssuingPoint.java ++++ b/base/ca/src/com/netscape/ca/CRLIssuingPoint.java +@@ -51,8 +51,10 @@ import com.netscape.certsrv.dbs.certdb.ICertificateRepository; + import com.netscape.certsrv.dbs.certdb.IRevocationInfo; + import com.netscape.certsrv.dbs.crldb.ICRLIssuingPointRecord; + import com.netscape.certsrv.dbs.crldb.ICRLRepository; ++import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.AuditFormat; + import com.netscape.certsrv.logging.ILogger; ++import com.netscape.certsrv.logging.event.DeltaCRLGenerationEvent; + import com.netscape.certsrv.publish.ILdapRule; + import com.netscape.certsrv.publish.IPublisherProcessor; + import com.netscape.certsrv.request.IRequest; +@@ -2758,8 +2760,9 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { + if (mConfigStore.getBoolean("noCRLIfNoRevokedCert", false)) { + if 
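Review bot: Adding DELTA_CRL_GENERATION to `log.instance.SignedAudit.events` in CS.cfg only turns the event on for instances created from this template; an existing CA keeps its own CS.cfg, so after an upgrade the new signed-audit event stays disabled unless an upgrade scriptlet (none is included in this patch) appends it. If the event is meant to be part of the default audit baseline, the commit should either ship that upgrade step or state in its message that operators must add the event by hand. The `_005` comment list was updated in step, which is good.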
(deltaCRLCerts.size() == 0) { + CMS.debug("CRLIssuingPoint: No Revoked Certificates Found And noCRLIfNoRevokedCert is set to true - No Delta CRL Generated"); +- throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", +- "No Revoked Certificates")); ++ mDeltaCRLSize = -1; ++ audit(DeltaCRLGenerationEvent.createSuccessEvent(getAuditSubjectID(), "No Revoked Certificates")); ++ return; + } + } + +@@ -2804,30 +2807,21 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { + } + ); + ++ audit(DeltaCRLGenerationEvent.createSuccessEvent(getAuditSubjectID(), mCRLNumber)); ++ + } catch (EBaseException e) { + CMS.debug(e); + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_OR_STORE_DELTA", e.toString())); + mDeltaCRLSize = -1; ++ audit(DeltaCRLGenerationEvent.createFailureEvent(getAuditSubjectID(), e.getMessage())); ++ return; + +- } catch (NoSuchAlgorithmException e) { +- CMS.debug(e); +- log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_DELTA", e.toString())); +- mDeltaCRLSize = -1; +- +- } catch (CRLException e) { +- CMS.debug(e); +- log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_DELTA", e.toString())); +- mDeltaCRLSize = -1; +- +- } catch (X509ExtensionException e) { +- CMS.debug(e); +- log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_DELTA", e.toString())); +- mDeltaCRLSize = -1; +- +- } catch (OutOfMemoryError e) { ++ } catch (Throwable e) { + CMS.debug(e); + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_DELTA", e.toString())); + mDeltaCRLSize = -1; ++ audit(DeltaCRLGenerationEvent.createFailureEvent(getAuditSubjectID(), e.getMessage())); ++ return; + } + + try { +@@ -3186,6 +3180,45 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { + } + } + } ++ ++ String getAuditSubjectID() { ++ ++ SessionContext context = SessionContext.getExistingContext(); ++ ++ if (context == null) { ++ return ILogger.UNIDENTIFIED; ++ } ++ ++ String 
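Review bot: The new early return in the `noCRLIfNoRevokedCert` branch needs a comment explaining why an audited success is recorded for a run that produced no delta CRL and why `mDeltaCRLSize = -1` is set first: `-1` is the value the caller tests (`mDeltaCRLSize > -1`) to decide whether a delta CRL exists, and nothing at this spot says so. Suggested: `// Suppressed by configuration, not a failure: audit success with the reason in Info and signal "no delta CRL" to the caller via mDeltaCRLSize = -1.` Note that this branch previously threw into the `CMSCORE_CA_ISSUING_SIGN_OR_STORE_DELTA` failure log, so the system log no longer records the skipped generation, only the audit trail does. The method starts outside this hunk.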
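Review bot: The replacement `catch (Throwable e)` is much wider than the four handlers it replaces: besides `OutOfMemoryError` it now swallows every other `Error` (`StackOverflowError`, `ThreadDeath`, `LinkageError`) and every unchecked exception, logs it, audits a failure and returns, so the CRL update thread continues as if the condition were recoverable. Restore the original set with a multi-catch, `} catch (NoSuchAlgorithmException | CRLException | X509ExtensionException | OutOfMemoryError e) {`, or at least rethrow `Error`s other than OOM. Separately, both new failure events pass `e.getMessage()`, which is null for many throwables, while the adjacent log line already uses `e.toString()`; using `e.toString()` for the `FailureReason` keeps the audit record informative. The signing try block starts outside this hunk.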
subjectID = (String)context.get(SessionContext.USER_ID);
++
++ if (subjectID == null) {
++ if (Thread.currentThread() == mUpdateThread) {
++ return ILogger.SYSTEM_UID;
++
++ } else {
++ return ILogger.NONROLEUSER;
++ }
++ }
++
++ return subjectID.trim();
++ }
++
++ void audit(AuditEvent event) {
++
++ ILogger logger = CMS.getSignedAuditLogger();
++ if (logger == null) return;
++
++ String messageID = event.getMessage();
++ Object[] params = event.getParameters();
++
++ String message = CMS.getLogMessage(messageID, params);
++
++ logger.log(ILogger.EV_SIGNED_AUDIT,
++ null,
++ ILogger.S_SIGNED_AUDIT,
++ ILogger.LL_SECURITY,
++ message);
++ }
+ }
+
+ class CertRecProcessor implements IElementProcessor {
+diff --git a/base/common/src/com/netscape/certsrv/logging/event/DeltaCRLGenerationEvent.java b/base/common/src/com/netscape/certsrv/logging/event/DeltaCRLGenerationEvent.java
+new file mode 100644
+index 0000000..ba04a33
+--- /dev/null
++++ b/base/common/src/com/netscape/certsrv/logging/event/DeltaCRLGenerationEvent.java
+@@ -0,0 +1,86 @@
++// --- BEGIN COPYRIGHT BLOCK ---
++// This program is free software; you can redistribute it and/or modify
++// it under the terms of the GNU General Public License as published by
++// the Free Software Foundation; version 2 of the License.
++//
++// This program is distributed in the hope that it will be useful,
++// but WITHOUT ANY WARRANTY; without even the implied warranty of
++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++// GNU General Public License for more details.
++//
++// You should have received a copy of the GNU General Public License along
++// with this program; if not, write to the Free Software Foundation, Inc.,
++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
++//
++// (C) 2017 Red Hat, Inc.
++// All rights reserved.
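Review bot: Neither new helper has a javadoc, and getAuditSubjectID encodes a three-way policy that auditors depend on: `UNIDENTIFIED` when there is no session context, `SYSTEM_UID` when the context carries no user id and the caller is the CRL update thread (`mUpdateThread`, declared outside this hunk), `NONROLEUSER` otherwise. State exactly that in a javadoc above the method, and above audit() say that the event is dropped silently when `CMS.getSignedAuditLogger()` returns null, so callers must not assume every call produces a record. Both helpers are package-private; if they are only meant for this class, `private` keeps the subject-id fallback from being reused elsewhere with different expectations.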
++// --- END COPYRIGHT BLOCK ---
++package com.netscape.certsrv.logging.event;
++
++import java.math.BigInteger;
++
++import com.netscape.certsrv.logging.AuditEvent;
++import com.netscape.certsrv.logging.ILogger;
++
++public class DeltaCRLGenerationEvent extends AuditEvent {
++
++ private static final long serialVersionUID = 1L;
++
++ public final static String LOGGING_PROPERTY =
++ "LOGGING_SIGNED_AUDIT_DELTA_CRL_GENERATION";
++
++ public DeltaCRLGenerationEvent() {
++ super(LOGGING_PROPERTY);
++ }
++
++ public static DeltaCRLGenerationEvent createSuccessEvent(
++ String subjectID,
++ BigInteger crlNumber) {
++
++ DeltaCRLGenerationEvent event = new DeltaCRLGenerationEvent();
++
++ event.setAttribute("CRLnum", crlNumber);
++
++ event.setParameters(new Object[] {
++ subjectID,
++ ILogger.SUCCESS,
++ event.getAttributeList()
++ });
++
++ return event;
++ }
++
++ public static DeltaCRLGenerationEvent createSuccessEvent(
++ String subjectID,
++ String info) {
++
++ DeltaCRLGenerationEvent event = new DeltaCRLGenerationEvent();
++
++ event.setAttribute("Info", info);
++
++ event.setParameters(new Object[] {
++ subjectID,
++ ILogger.SUCCESS,
++ event.getAttributeList()
++ });
++
++ return event;
++ }
++
++ public static DeltaCRLGenerationEvent createFailureEvent(
++ String subjectID,
++ String reason) {
++
++ DeltaCRLGenerationEvent event = new DeltaCRLGenerationEvent();
++
++ event.setAttribute("FailureReason", reason);
++
++ event.setParameters(new Object[] {
++ subjectID,
++ ILogger.FAILURE,
++ event.getAttributeList()
++ });
++
++ return event;
++ }
++}
+diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties
+index fc4e946..30b8e2a 100644
+--- a/base/server/cmsbundle/src/LogMessages.properties
++++ b/base/server/cmsbundle/src/LogMessages.properties
+@@ -2122,6 +2122,12 @@ LOGGING_SIGNED_AUDIT_CMC_PROOF_OF_IDENTIFICATION_3=:[AuditEvent=CMC_ID_POP_LINK_WITNESS][SubjectID={0}][Outcome={1}][Info={2}]
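Review bot: The two `createSuccessEvent` overloads differ only in the static type of the second argument (`BigInteger crlNumber` vs `String info`), so a call with a literal `null` is ambiguous and does not compile, and a caller has to already know which attribute name (`CRLnum` or `Info`) each one emits; a class javadoc listing the three factory methods and the attribute each adds would make that explicit. createFailureEvent stores whatever `reason` it receives, including null, so callers should pass a non-null description (for example `e.toString()` rather than `e.getMessage()`). A class comment such as `/** Signed-audit event emitted when delta CRL generation completes: CRLnum on success, Info when generation was skipped, FailureReason on failure. */` would cover both points.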
Identification Proof of Possession linking witness verification + # ++# LOGGING_SIGNED_AUDIT_DELTA_CRL_GENERATION ++# - used when delta CRL generation is complete ++# Outcome is "success" when delta CRL is generated successfully, "failure" otherwise ++# ++LOGGING_SIGNED_AUDIT_DELTA_CRL_GENERATION=:[AuditEvent=DELTA_CRL_GENERATION][SubjectID={0}][Outcome={1}]{2} Delta CRL generation ++# + # LOGGING_SIGNED_AUDIT_CRL_RETRIEVAL + # - used when CRLs are retrieved by the OCSP Responder + # Outcome is "success" when CRL is retrieved successfully, "failure" otherwise +-- +1.8.3.1 + + +From 4d5ecb5dd3e1f4eabbe29ab2ddbfeb825f9f4233 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Thu, 25 May 2017 22:53:03 +0200 +Subject: [PATCH 35/38] Added DELTA_CRL_PUBLISHING audit event. + +A new DELTA_CRL_PUBLISHING audit event has been added which will +be generated when delta CRL publishing is complete. + +https://pagure.io/dogtagpki/issue/2651 + +Change-Id: I38f84fc2d00ea57ef13f0ee50998da9239437372 +--- + base/ca/shared/conf/CS.cfg | 4 +- + base/ca/src/com/netscape/ca/CRLIssuingPoint.java | 10 ++-- + .../logging/event/DeltaCRLPublishingEvent.java | 63 ++++++++++++++++++++++ + base/server/cmsbundle/src/LogMessages.properties | 6 +++ + 4 files changed, 76 insertions(+), 7 deletions(-) + create mode 100644 base/common/src/com/netscape/certsrv/logging/event/DeltaCRLPublishingEvent.java + +diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg +index 7377561..867e4cb 100644 +--- a/base/ca/shared/conf/CS.cfg ++++ b/base/ca/shared/conf/CS.cfg +@@ -907,11 +907,11 @@ log.instance.SignedAudit._001=## Signed Audit Logging + log.instance.SignedAudit._002=## + log.instance.SignedAudit._003=## + log.instance.SignedAudit._004=## Available Audit events: +-log.instance.SignedAudit._005=## 
AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,DELTA_CRL_GENERATION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST ++log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,DELTA_CRL_GENERATION,DELTA_CRL_PUBLISHING,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, 
COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST + log.instance.SignedAudit._006=## + log.instance.SignedAudit.bufferSize=512 + log.instance.SignedAudit.enable=true +-log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,DELTA_CRL_GENERATION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_K
EYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST ++log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,DELTA_CRL_GENERATION,DELTA_CRL_PUBLISHING,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,SERVER_SIDE_KEYGEN_
REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST + log.instance.SignedAudit.expirationTime=0 + log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_TYPE]/signedAudit/ca_audit + log.instance.SignedAudit.flushInterval=5 +diff --git a/base/ca/src/com/netscape/ca/CRLIssuingPoint.java b/base/ca/src/com/netscape/ca/CRLIssuingPoint.java +index ff157b5..9fd8c49 100644 +--- a/base/ca/src/com/netscape/ca/CRLIssuingPoint.java ++++ b/base/ca/src/com/netscape/ca/CRLIssuingPoint.java +@@ -55,6 +55,7 @@ import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.AuditFormat; + import com.netscape.certsrv.logging.ILogger; + import com.netscape.certsrv.logging.event.DeltaCRLGenerationEvent; ++import com.netscape.certsrv.logging.event.DeltaCRLPublishingEvent; + import com.netscape.certsrv.publish.ILdapRule; + import com.netscape.certsrv.publish.IPublisherProcessor; + import com.netscape.certsrv.request.IRequest; +@@ -2829,14 +2830,13 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { + publishCRL(newX509DeltaCRL, true); + mSplits[4] += System.currentTimeMillis(); + +- } catch 
(EBaseException e) {
+- CMS.debug(e);
+- log(ILogger.LL_FAILURE,
+- CMS.getLogMessage("CMSCORE_CA_ISSUING_PUBLISH_DELTA", mCRLNumber.toString(), e.toString()));
+- } catch (OutOfMemoryError e) {
++ audit(new DeltaCRLPublishingEvent(getAuditSubjectID(), mCRLNumber));
++
++ } catch (Throwable e) {
+ CMS.debug(e);
+ log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSCORE_CA_ISSUING_PUBLISH_DELTA", mCRLNumber.toString(), e.toString()));
++ audit(new DeltaCRLPublishingEvent(getAuditSubjectID(), mCRLNumber, e.getMessage()));
+ }
+ }
+
+diff --git a/base/common/src/com/netscape/certsrv/logging/event/DeltaCRLPublishingEvent.java b/base/common/src/com/netscape/certsrv/logging/event/DeltaCRLPublishingEvent.java
+new file mode 100644
+index 0000000..d6521d7
+--- /dev/null
++++ b/base/common/src/com/netscape/certsrv/logging/event/DeltaCRLPublishingEvent.java
+@@ -0,0 +1,63 @@
++// --- BEGIN COPYRIGHT BLOCK ---
++// This program is free software; you can redistribute it and/or modify
++// it under the terms of the GNU General Public License as published by
++// the Free Software Foundation; version 2 of the License.
++//
++// This program is distributed in the hope that it will be useful,
++// but WITHOUT ANY WARRANTY; without even the implied warranty of
++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++// GNU General Public License for more details.
++//
++// You should have received a copy of the GNU General Public License along
++// with this program; if not, write to the Free Software Foundation, Inc.,
++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
++//
++// (C) 2017 Red Hat, Inc.
++// All rights reserved.
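Review bot: Catching `Throwable` without rethrowing means an `Error` raised inside `publishCRL` (a `StackOverflowError`, `ThreadDeath`, or a `LinkageError`) is now logged, audited and then swallowed, whereas before only `EBaseException` and `OutOfMemoryError` were handled and everything else propagated; if swallowing is intended a comment saying so would help, otherwise rethrow after the audit when `e instanceof Error`. The failure audit also records `e.getMessage()`, which is null for many runtime exceptions, so `FailureReason=null` could end up in the signed audit trail; a fallback such as `String reason = e.getMessage() != null ? e.getMessage() : e.getClass().getName();` keeps the record informative. The same `e.getMessage()` pattern appears in the `@@ -2954,35 +2952,21 @@` hunk of CRLIssuingPoint.java in the following patch (36/38). The enclosing method starts and ends outside this hunk.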
++// --- END COPYRIGHT BLOCK ---
++package com.netscape.certsrv.logging.event;
++
++import java.math.BigInteger;
++
++import com.netscape.certsrv.logging.AuditEvent;
++import com.netscape.certsrv.logging.ILogger;
++
++public class DeltaCRLPublishingEvent extends AuditEvent {
++
++ private static final long serialVersionUID = 1L;
++
++ public final static String LOGGING_PROPERTY =
++ "LOGGING_SIGNED_AUDIT_DELTA_CRL_PUBLISHING";
++
++ public DeltaCRLPublishingEvent(
++ String subjectID,
++ BigInteger crlNumber) {
++
++ super(LOGGING_PROPERTY);
++
++ setAttribute("CRLnum", crlNumber);
++
++ setParameters(new Object[] {
++ subjectID,
++ ILogger.SUCCESS,
++ getAttributeList()
++ });
++ }
++
++ public DeltaCRLPublishingEvent(
++ String subjectID,
++ BigInteger crlNumber,
++ String reason) {
++
++ super(LOGGING_PROPERTY);
++
++ setAttribute("CRLnum", crlNumber);
++ setAttribute("FailureReason", reason);
++
++ setParameters(new Object[] {
++ subjectID,
++ ILogger.FAILURE,
++ getAttributeList()
++ });
++ }
++}
+diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties
+index 30b8e2a..c35d605 100644
+--- a/base/server/cmsbundle/src/LogMessages.properties
++++ b/base/server/cmsbundle/src/LogMessages.properties
+@@ -2128,6 +2128,12 @@ LOGGING_SIGNED_AUDIT_CMC_ID_POP_LINK_WITNESS_3=:[A
+ #
+ LOGGING_SIGNED_AUDIT_DELTA_CRL_GENERATION=:[AuditEvent=DELTA_CRL_GENERATION][SubjectID={0}][Outcome={1}]{2} Delta CRL generation
+ #
++# LOGGING_SIGNED_AUDIT_DELTA_CRL_PUBLISHING
++# - used when delta CRL publishing is complete
++# Outcome is "success" when delta CRL is publishing successfully, "failure" otherwise
++#
++LOGGING_SIGNED_AUDIT_DELTA_CRL_PUBLISHING=:[AuditEvent=DELTA_CRL_PUBLISHING][SubjectID={0}][Outcome={1}]{2} Delta CRL publishing
++#
+ # LOGGING_SIGNED_AUDIT_CRL_RETRIEVAL
+ # - used when CRLs are retrieved by the OCSP Responder
+ # Outcome is "success" when CRL is retrieved successfully, "failure" otherwise
+-- 
+1.8.3.1
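Review bot: The new class carries no Javadoc and both constructors repeat the same setAttribute/setParameters sequence; a class comment such as `/** Signed audit event emitted when delta CRL publishing completes; the two-argument constructor builds the success form, the three-argument one the failure form. */` plus a one-line note per constructor naming the attributes it records (`CRLnum`, and `FailureReason` on the failure form) would let readers match the event against the LOGGING_SIGNED_AUDIT_DELTA_CRL_PUBLISHING message format. The failure constructor stores `reason` as given, so a null message from the caller is recorded as the literal value null unless `AuditEvent.setAttribute` normalizes it — consider `setAttribute("FailureReason", reason == null ? "" : reason);`. The FullCRLGenerationEvent class added in the following patch (36/38) uses static factory methods for the same purpose; picking one shape for the new event classes would keep the package consistent.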
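Review bot: The added comment line `# Outcome is "success" when delta CRL is publishing successfully, "failure" otherwise` should read `is published successfully`, matching the wording of the neighbouring DELTA_CRL_GENERATION and CRL_RETRIEVAL comments. The message format itself is consistent with the other CRL audit events (`[AuditEvent=…][SubjectID={0}][Outcome={1}]{2}`), so nothing else to raise here.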
+
+
+From 37e6ba6d1fb24694c2744adbc27c78b749d7e35d Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata"
+Date: Fri, 26 May 2017 00:13:10 +0200
+Subject: [PATCH 36/38] Added FULL_CRL_GENERATION audit event.
+
+A new FULL_CRL_GENERATION audit event has been added which will
+be generated when full CRL generation is complete.
+
+https://pagure.io/dogtagpki/issue/2651
+
+Change-Id: I74b083721e477ad72fe5a787935af617e89a6968
+---
+ base/ca/shared/conf/CS.cfg | 4 +-
+ base/ca/src/com/netscape/ca/CRLIssuingPoint.java | 36 +++------
+ .../logging/event/FullCRLGenerationEvent.java | 86 ++++++++++++++++++++++
+ base/server/cmsbundle/src/LogMessages.properties | 6 ++
+ 4 files changed, 104 insertions(+), 28 deletions(-)
+ create mode 100644 base/common/src/com/netscape/certsrv/logging/event/FullCRLGenerationEvent.java
+
+diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg
+index 867e4cb..3daac8b 100644
+--- a/base/ca/shared/conf/CS.cfg
++++ b/base/ca/shared/conf/CS.cfg
+@@ -907,11 +907,11 @@ log.instance.SignedAudit._001=## Signed Audit Logging
+ log.instance.SignedAudit._002=##
+ log.instance.SignedAudit._003=##
+ log.instance.SignedAudit._004=## Available Audit events:
+-log.instance.SignedAudit._005=## 
AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,DELTA_CRL_GENERATION,DELTA_CRL_PUBLISHING,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST ++log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,DELTA_CRL_GENERATION,DELTA_CRL_PUBLISHING,FULL_CRL_GENERATION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, 
COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST + log.instance.SignedAudit._006=## + log.instance.SignedAudit.bufferSize=512 + log.instance.SignedAudit.enable=true +-log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,DELTA_CRL_GENERATION,DELTA_CRL_PUBLISHING,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_
FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST ++log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,DELTA_CRL_GENERATION,DELTA_CRL_PUBLISHING,FULL_CRL_GENERATION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,CMC_USER_SIGNED_REQUE
ST_SIG_VERIFY_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST + log.instance.SignedAudit.expirationTime=0 + log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_TYPE]/signedAudit/ca_audit + log.instance.SignedAudit.flushInterval=5 +diff --git a/base/ca/src/com/netscape/ca/CRLIssuingPoint.java b/base/ca/src/com/netscape/ca/CRLIssuingPoint.java +index 9fd8c49..9583f50 100644 +--- a/base/ca/src/com/netscape/ca/CRLIssuingPoint.java ++++ b/base/ca/src/com/netscape/ca/CRLIssuingPoint.java +@@ -19,8 +19,6 @@ package com.netscape.ca; + + import java.io.IOException; + import java.math.BigInteger; +-import java.security.NoSuchAlgorithmException; +-import java.security.cert.CRLException; + import java.util.Date; + import java.util.Enumeration; + import java.util.Hashtable; +@@ -56,6 +54,7 @@ import com.netscape.certsrv.logging.AuditFormat; + import com.netscape.certsrv.logging.ILogger; + import com.netscape.certsrv.logging.event.DeltaCRLGenerationEvent; + import com.netscape.certsrv.logging.event.DeltaCRLPublishingEvent; ++import com.netscape.certsrv.logging.event.FullCRLGenerationEvent; + 
import com.netscape.certsrv.publish.ILdapRule;
+ import com.netscape.certsrv.publish.IPublisherProcessor;
+ import com.netscape.certsrv.request.IRequest;
+@@ -84,7 +83,6 @@ import netscape.security.x509.RevokedCertImpl;
+ import netscape.security.x509.RevokedCertificate;
+ import netscape.security.x509.X509CRLImpl;
+ import netscape.security.x509.X509CertImpl;
+-import netscape.security.x509.X509ExtensionException;
+
+ /**
+ * This class encapsulates CRL issuing mechanism. CertificateAuthority
+@@ -2870,8 +2868,8 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable {
+ if (mConfigStore.getBoolean("noCRLIfNoRevokedCert", false)) {
+ if (mCRLCerts.size() == 0) {
+ CMS.debug("CRLIssuingPoint: No Revoked Certificates Found And noCRLIfNoRevokedCert is set to true - No CRL Generated");
+- throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR",
+- "No Revoked Certificates"));
++ audit(FullCRLGenerationEvent.createSuccessEvent(getAuditSubjectID(), "No Revoked Certificates"));
++ return;
+ }
+ }
+
+@@ -2954,35 +2952,21 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable {
+
+ CMS.debug("CRLIssuingPoint: Finished Logging CRL Update to transaction log");
+
++ audit(FullCRLGenerationEvent.createSuccessEvent(getAuditSubjectID(), mCRLNumber));
++
+ } catch (EBaseException e) {
+ CMS.debug(e);
+ mUpdatingCRL = CRL_UPDATE_DONE;
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_OR_STORE_CRL", e.toString()));
+- throw new ECAException(CMS.getUserMessage("CMS_CA_FAILED_CONSTRUCTING_CRL", e.toString()));
++ audit(FullCRLGenerationEvent.createFailureEvent(getAuditSubjectID(), e.getMessage()));
++ throw new ECAException(CMS.getUserMessage("CMS_CA_FAILED_CONSTRUCTING_CRL", e.toString()), e);
+
+- } catch (NoSuchAlgorithmException e) {
+- CMS.debug(e);
+- mUpdatingCRL = CRL_UPDATE_DONE;
+- log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_CRL", e.toString()));
+- throw new 
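Review bot: Replacing the `throw` with a bare `return` exits through a path that none of the `catch` blocks see, and those blocks are where `mUpdatingCRL = CRL_UPDATE_DONE` is reset (visible in the `@@ -2954,35 +2952,21 @@` hunk below); if the flag has already been moved to its updating state by the time this check runs — the start of the method is outside the hunk, so this is inferred — the early return leaves it stuck until the next update. Resetting it before leaving, `mUpdatingCRL = CRL_UPDATE_DONE; return;`, or moving the check ahead of the point where the flag is raised, would close that gap. Recording this path as a success event with `"No Revoked Certificates"` as `Info` is defensible, but a reader of the audit trail should know that no CRL was produced; a one-line comment above the `audit(...)` call, `// no CRL is generated on this path; the success event carries Info instead of CRLnum`, would make that explicit in the code as well.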
ECAException(CMS.getUserMessage("CMS_CA_FAILED_CONSTRUCTING_CRL", e.toString()));
+-
+- } catch (CRLException e) {
+- CMS.debug(e);
+- mUpdatingCRL = CRL_UPDATE_DONE;
+- log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_CRL", e.toString()));
+- throw new ECAException(CMS.getUserMessage("CMS_CA_FAILED_CONSTRUCTING_CRL", e.toString()));
+-
+- } catch (X509ExtensionException e) {
+- CMS.debug(e);
+- mUpdatingCRL = CRL_UPDATE_DONE;
+- log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_CRL", e.toString()));
+- throw new ECAException(CMS.getUserMessage("CMS_CA_FAILED_CONSTRUCTING_CRL", e.toString()));
+-
+- } catch (OutOfMemoryError e) {
++ } catch (Throwable e) {
+ CMS.debug(e);
+ mUpdatingCRL = CRL_UPDATE_DONE;
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_CRL", e.toString()));
+- throw new ECAException(CMS.getUserMessage("CMS_CA_FAILED_CONSTRUCTING_CRL", e.toString()));
++ audit(FullCRLGenerationEvent.createFailureEvent(getAuditSubjectID(), e.getMessage()));
++ throw new ECAException(CMS.getUserMessage("CMS_CA_FAILED_CONSTRUCTING_CRL", e.toString()), e);
+ }
+
+ try {
+diff --git a/base/common/src/com/netscape/certsrv/logging/event/FullCRLGenerationEvent.java b/base/common/src/com/netscape/certsrv/logging/event/FullCRLGenerationEvent.java
+new file mode 100644
+index 0000000..9dd47dd
+--- /dev/null
++++ b/base/common/src/com/netscape/certsrv/logging/event/FullCRLGenerationEvent.java
+@@ -0,0 +1,86 @@
++// --- BEGIN COPYRIGHT BLOCK ---
++// This program is free software; you can redistribute it and/or modify
++// it under the terms of the GNU General Public License as published by
++// the Free Software Foundation; version 2 of the License.
++//
++// This program is distributed in the hope that it will be useful,
++// but WITHOUT ANY WARRANTY; without even the implied warranty of
++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++// GNU General Public License for more details.
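Review bot: `catch (Throwable e)` now turns every `Error` — not only the `OutOfMemoryError` the old code handled — into an `ECAException`, so a `StackOverflowError`, `ThreadDeath` or `LinkageError` during CRL signing is reported to callers as an ordinary CRL construction failure and the unrecoverable condition is hidden behind a checked exception; rethrowing when `e instanceof Error` after the log and audit calls, or narrowing the catch to `Exception` plus `OutOfMemoryError`, keeps the previous behaviour for those cases. Passing `e` as the cause to `ECAException` is a welcome addition. The two catch blocks that remain are identical apart from the log key (`CMSCORE_CA_ISSUING_SIGN_OR_STORE_CRL` vs `CMSCORE_CA_ISSUING_SIGN_CRL`); if that distinction no longer matters they could be collapsed into one handler. The enclosing method continues outside the hunk.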
++//
++// You should have received a copy of the GNU General Public License along
++// with this program; if not, write to the Free Software Foundation, Inc.,
++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
++//
++// (C) 2017 Red Hat, Inc.
++// All rights reserved.
++// --- END COPYRIGHT BLOCK ---
++package com.netscape.certsrv.logging.event;
++
++import java.math.BigInteger;
++
++import com.netscape.certsrv.logging.AuditEvent;
++import com.netscape.certsrv.logging.ILogger;
++
++public class FullCRLGenerationEvent extends AuditEvent {
++
++ private static final long serialVersionUID = 1L;
++
++ public final static String LOGGING_PROPERTY =
++ "LOGGING_SIGNED_AUDIT_FULL_CRL_GENERATION";
++
++ public FullCRLGenerationEvent() {
++ super(LOGGING_PROPERTY);
++ }
++
++ public static FullCRLGenerationEvent createSuccessEvent(
++ String subjectID,
++ BigInteger crlNumber) {
++
++ FullCRLGenerationEvent event = new FullCRLGenerationEvent();
++
++ event.setAttribute("CRLnum", crlNumber);
++
++ event.setParameters(new Object[] {
++ subjectID,
++ ILogger.SUCCESS,
++ event.getAttributeList()
++ });
++
++ return event;
++ }
++
++ public static FullCRLGenerationEvent createSuccessEvent(
++ String subjectID,
++ String info) {
++
++ FullCRLGenerationEvent event = new FullCRLGenerationEvent();
++
++ event.setAttribute("Info", info);
++
++ event.setParameters(new Object[] {
++ subjectID,
++ ILogger.SUCCESS,
++ event.getAttributeList()
++ });
++
++ return event;
++ }
++
++ public static FullCRLGenerationEvent createFailureEvent(
++ String subjectID,
++ String reason) {
++
++ FullCRLGenerationEvent event = new FullCRLGenerationEvent();
++
++ event.setAttribute("FailureReason", reason);
++
++ event.setParameters(new Object[] {
++ subjectID,
++ ILogger.FAILURE,
++ event.getAttributeList()
++ });
++
++ return event;
++ }
++}
+diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties
+index c35d605..f5ae7bb 100644
+--- 
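Review bot: The public no-arg constructor lets any caller create a `FullCRLGenerationEvent` with no parameters or attributes set, which the LOGGING_SIGNED_AUDIT_FULL_CRL_GENERATION format cannot render meaningfully; unless something outside this file needs to instantiate it, `private FullCRLGenerationEvent()` makes the three factories the only entry points. The class and factories have no Javadoc; a class comment such as `/** Signed audit event emitted when full CRL generation completes (see LOGGING_SIGNED_AUDIT_FULL_CRL_GENERATION). */` plus one line per factory naming the attribute it records (`CRLnum`, `Info`, `FailureReason`) would document the contract. The two `createSuccessEvent` overloads differ only in the attribute they set and are easy to confuse at call sites, since the `String` form is used for the case where no CRL was generated at all; a comment on that overload, or a distinct name for it, would make the intent explicit. This class uses static factories while DeltaCRLPublishingEvent from the previous patch uses constructors; one convention across the new event classes would read better.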
a/base/server/cmsbundle/src/LogMessages.properties ++++ b/base/server/cmsbundle/src/LogMessages.properties +@@ -2134,6 +2134,12 @@ LOGGING_SIGNED_AUDIT_DELTA_CRL_GENERATION=:[AuditEven + # + LOGGING_SIGNED_AUDIT_DELTA_CRL_PUBLISHING=:[AuditEvent=DELTA_CRL_PUBLISHING][SubjectID={0}][Outcome={1}]{2} Delta CRL publishing + # ++# LOGGING_SIGNED_AUDIT_FULL_CRL_GENERATION ++# - used when full CRL generation is complete ++# Outcome is "success" when full CRL is generated successfully, "failure" otherwise ++# ++LOGGING_SIGNED_AUDIT_FULL_CRL_GENERATION=:[AuditEvent=FULL_CRL_GENERATION][SubjectID={0}][Outcome={1}]{2} Full CRL generation ++# + # LOGGING_SIGNED_AUDIT_CRL_RETRIEVAL + # - used when CRLs are retrieved by the OCSP Responder + # Outcome is "success" when CRL is retrieved successfully, "failure" otherwise +-- +1.8.3.1 + + +From 33838ebaffcdf121c4167379f0c917b5b5b67d0e Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Fri, 26 May 2017 00:46:53 +0200 +Subject: [PATCH 37/38] Added FULL_CRL_PUBLISHING audit event. + +A new FULL_CRL_PUBLISHING audit event has been added which will +be generated when full CRL publishing is complete. 
+ +https://pagure.io/dogtagpki/issue/2651 + +Change-Id: I4461b03f4afd300b65e9d12c7d0bfa935b4e7082 +--- + base/ca/shared/conf/CS.cfg | 4 +- + base/ca/src/com/netscape/ca/CRLIssuingPoint.java | 16 +++--- + .../logging/event/FullCRLPublishingEvent.java | 63 ++++++++++++++++++++++ + base/server/cmsbundle/src/LogMessages.properties | 6 +++ + 4 files changed, 79 insertions(+), 10 deletions(-) + create mode 100644 base/common/src/com/netscape/certsrv/logging/event/FullCRLPublishingEvent.java + +diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg +index 3daac8b..fc21295 100644 +--- a/base/ca/shared/conf/CS.cfg ++++ b/base/ca/shared/conf/CS.cfg +@@ -907,11 +907,11 @@ log.instance.SignedAudit._001=## Signed Audit Logging + log.instance.SignedAudit._002=## + log.instance.SignedAudit._003=## + log.instance.SignedAudit._004=## Available Audit events: +-log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,DELTA_CRL_GENERATION,DELTA_CRL_PUBLISHING,FULL_CRL_GENERATION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,CMC_USER_SIGNED_
REQUEST_SIG_VERIFY_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST ++log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,DELTA_CRL_GENERATION,DELTA_CRL_PUBLISHING,FULL_CRL_GENERATION,FULL_CRL_PUBLISHING,CRL_RETRIEVAL,CR
L_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST + log.instance.SignedAudit._006=## + log.instance.SignedAudit.bufferSize=512 + log.instance.SignedAudit.enable=true 
+-log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,DELTA_CRL_GENERATION,DELTA_CRL_PUBLISHING,FULL_CRL_GENERATION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST ++log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,DELTA_CRL_GENERATION,DELTA_CRL_PUBLISHING,FULL_CRL_GENERATION,FULL_CRL_PUBLISHING,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, 
COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST + log.instance.SignedAudit.expirationTime=0 + log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_TYPE]/signedAudit/ca_audit + log.instance.SignedAudit.flushInterval=5 +diff --git a/base/ca/src/com/netscape/ca/CRLIssuingPoint.java b/base/ca/src/com/netscape/ca/CRLIssuingPoint.java +index 9583f50..be6ffa8 100644 +--- a/base/ca/src/com/netscape/ca/CRLIssuingPoint.java ++++ b/base/ca/src/com/netscape/ca/CRLIssuingPoint.java +@@ -55,6 +55,7 @@ import com.netscape.certsrv.logging.ILogger; + import com.netscape.certsrv.logging.event.DeltaCRLGenerationEvent; + import com.netscape.certsrv.logging.event.DeltaCRLPublishingEvent; + import com.netscape.certsrv.logging.event.FullCRLGenerationEvent; ++import com.netscape.certsrv.logging.event.FullCRLPublishingEvent; + import com.netscape.certsrv.publish.ILdapRule; + import com.netscape.certsrv.publish.IPublisherProcessor; + import com.netscape.certsrv.request.IRequest; +@@ -2975,16 +2976,15 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { + publishCRL(newX509CRL); + mSplits[9] += System.currentTimeMillis(); + +- } catch (EBaseException e) { +- CMS.debug(e); +- mUpdatingCRL = CRL_UPDATE_DONE; +- log(ILogger.LL_FAILURE, +- 
CMS.getLogMessage("CMSCORE_CA_ISSUING_PUBLISH_CRL", mCRLNumber.toString(), e.toString())); +- } catch (OutOfMemoryError e) { ++ audit(new FullCRLPublishingEvent(getAuditSubjectID(), mCRLNumber)); ++ ++ } catch (Throwable e) { + CMS.debug(e); + mUpdatingCRL = CRL_UPDATE_DONE; +- log(ILogger.LL_FAILURE, +- CMS.getLogMessage("CMSCORE_CA_ISSUING_PUBLISH_CRL", mCRLNumber.toString(), e.toString())); ++ String message = CMS.getLogMessage("CMSCORE_CA_ISSUING_PUBLISH_CRL", mCRLNumber.toString(), e.toString()); ++ log(ILogger.LL_FAILURE, message); ++ audit(new FullCRLPublishingEvent(getAuditSubjectID(), mCRLNumber, e.getMessage())); ++ throw new ECAException(message, e); + } + } + +diff --git a/base/common/src/com/netscape/certsrv/logging/event/FullCRLPublishingEvent.java b/base/common/src/com/netscape/certsrv/logging/event/FullCRLPublishingEvent.java +new file mode 100644 +index 0000000..a3764c0 +--- /dev/null ++++ b/base/common/src/com/netscape/certsrv/logging/event/FullCRLPublishingEvent.java +@@ -0,0 +1,63 @@ ++// --- BEGIN COPYRIGHT BLOCK --- ++// This program is free software; you can redistribute it and/or modify ++// it under the terms of the GNU General Public License as published by ++// the Free Software Foundation; version 2 of the License. ++// ++// This program is distributed in the hope that it will be useful, ++// but WITHOUT ANY WARRANTY; without even the implied warranty of ++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++// GNU General Public License for more details. ++// ++// You should have received a copy of the GNU General Public License along ++// with this program; if not, write to the Free Software Foundation, Inc., ++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. ++// ++// (C) 2017 Red Hat, Inc. ++// All rights reserved. 
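Review bot: `catch (Throwable e)` now converts every error, including the `OutOfMemoryError` the removed branch handled on its own, into a checked `ECAException` after auditing it; an `Error` should be rethrown unchanged once the audit record is written, e.g. `if (e instanceof Error) throw (Error) e;` placed before `throw new ECAException(message, e);`. The failure event is built from `e.getMessage()`, which is null for many exception types, so the signed audit record's FailureReason attribute would be empty exactly when an operator needs it; `e.toString()`, already used for the log message on the line above, is a safer value. The same `e.getMessage()` pattern appears in the new ScheduleCRLGenerationEvent failure constructor (`setAttribute("FailureReason", e.getMessage())`). The enclosing method starts and ends outside the hunk, and turning a failure that used to be only logged into a thrown exception changes its contract for callers I cannot see.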
++// --- END COPYRIGHT BLOCK --- ++package com.netscape.certsrv.logging.event; ++ ++import java.math.BigInteger; ++ ++import com.netscape.certsrv.logging.AuditEvent; ++import com.netscape.certsrv.logging.ILogger; ++ ++public class FullCRLPublishingEvent extends AuditEvent { ++ ++ private static final long serialVersionUID = 1L; ++ ++ public final static String LOGGING_PROPERTY = ++ "LOGGING_SIGNED_AUDIT_FULL_CRL_PUBLISHING"; ++ ++ public FullCRLPublishingEvent( ++ String subjectID, ++ BigInteger crlNumber) { ++ ++ super(LOGGING_PROPERTY); ++ ++ setAttribute("CRLnum", crlNumber); ++ ++ setParameters(new Object[] { ++ subjectID, ++ ILogger.SUCCESS, ++ getAttributeList() ++ }); ++ } ++ ++ public FullCRLPublishingEvent( ++ String subjectID, ++ BigInteger crlNumber, ++ String reason) { ++ ++ super(LOGGING_PROPERTY); ++ ++ setAttribute("CRLnum", crlNumber); ++ setAttribute("FailureReason", reason); ++ ++ setParameters(new Object[] { ++ subjectID, ++ ILogger.FAILURE, ++ getAttributeList() ++ }); ++ } ++} +diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties +index f5ae7bb..689d7bc 100644 +--- a/base/server/cmsbundle/src/LogMessages.properties ++++ b/base/server/cmsbundle/src/LogMessages.properties +@@ -2140,6 +2140,12 @@ LOGGING_SIGNED_AUDIT_DELTA_CRL_PUBLISHING=:[AuditEven + # + LOGGING_SIGNED_AUDIT_FULL_CRL_GENERATION=:[AuditEvent=FULL_CRL_GENERATION][SubjectID={0}][Outcome={1}]{2} Full CRL generation + # ++# LOGGING_SIGNED_AUDIT_FULL_CRL_PUBLISHING ++# - used when full CRL publishing is complete ++# Outcome is "success" when full CRL is publishing successfully, "failure" otherwise ++# ++LOGGING_SIGNED_AUDIT_FULL_CRL_PUBLISHING=:[AuditEvent=FULL_CRL_PUBLISHING][SubjectID={0}][Outcome={1}]{2} Full CRL publishing ++# + # LOGGING_SIGNED_AUDIT_CRL_RETRIEVAL + # - used when CRLs are retrieved by the OCSP Responder + # Outcome is "success" when CRL is retrieved successfully, "failure" otherwise +-- +1.8.3.1 + + +From 
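Review bot: The new FullCRLPublishingEvent class has no Javadoc stating which audit event it emits or when each constructor applies, although the message bundle gained a comment for LOGGING_SIGNED_AUDIT_FULL_CRL_PUBLISHING in the same commit. Suggest `/** FULL_CRL_PUBLISHING signed audit event: the two-argument form records a successful publish, the three-argument form records a failure with the given reason in the FailureReason attribute. */` on the class, plus a one-line note on the three-argument constructor that `reason` may be null when the caller passes `Throwable.getMessage()`.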
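Review bot: The comment added for the new LOGGING_SIGNED_AUDIT_FULL_CRL_PUBLISHING message reads `Outcome is "success" when full CRL is publishing successfully`; it should read `Outcome is "success" when full CRL is published successfully, "failure" otherwise`, in the same form as the CRL_RETRIEVAL comment below it. Only the comment wording is affected, not the message format.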
c9a9fe6e31d860c089dd2b2ee584dd0d4a9b2174 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Fri, 19 May 2017 00:33:26 +0200 +Subject: [PATCH 38/38] Added SCHEDULE_CRL_GENERATION audit event. + +A new SCHEDULE_CRL_GENERATION audit event has been added which +will be generated when CRL generation is scheduled manually. + +https://pagure.io/dogtagpki/issue/2651 + +Change-Id: I1e2fc307491e796e50b09550d66e5eba370d090a +--- + base/ca/shared/conf/CS.cfg | 4 +- + .../logging/event/ScheduleCRLGenerationEvent.java | 56 ++++++++++++++++++++++ + .../com/netscape/cms/servlet/cert/UpdateCRL.java | 16 +++++-- + base/server/cmsbundle/src/LogMessages.properties | 6 +++ + 4 files changed, 77 insertions(+), 5 deletions(-) + create mode 100644 base/common/src/com/netscape/certsrv/logging/event/ScheduleCRLGenerationEvent.java + +diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg +index fc21295..d1bf7db 100644 +--- a/base/ca/shared/conf/CS.cfg ++++ b/base/ca/shared/conf/CS.cfg +@@ -907,11 +907,11 @@ log.instance.SignedAudit._001=## Signed Audit Logging + log.instance.SignedAudit._002=## + log.instance.SignedAudit._003=## + log.instance.SignedAudit._004=## Available Audit events: +-log.instance.SignedAudit._005=## 
AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,DELTA_CRL_GENERATION,DELTA_CRL_PUBLISHING,FULL_CRL_GENERATION,FULL_CRL_PUBLISHING,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST ++log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,SCHEDULE_CRL_GENERATION,DELTA_CRL_GENERATION,DELTA_CRL_PUBLISHING,FULL_CRL_GENERATION,FULL_CRL_PUBLISHING,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PR
OCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST + log.instance.SignedAudit._006=## + log.instance.SignedAudit.bufferSize=512 + log.instance.SignedAudit.enable=true +-log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,DELTA_CRL_GENERATION,DELTA_CRL_PUBLISHING,FULL_CRL_GENERATION,FULL_CRL_PUBLISHING,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,CMC_USER_SIGNED_REQUEST
_SIG_VERIFY_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST ++log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,SCHEDULE_CRL_GENERATION,DELTA_CRL_GENERATION,DELTA_CRL_PUBLISHING,FULL_CRL_GENERATION,FULL_CRL_PUBLISHING,CRL_RETRIEVAL,CRL_VALI
DATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST + log.instance.SignedAudit.expirationTime=0 + log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_TYPE]/signedAudit/ca_audit + log.instance.SignedAudit.flushInterval=5 +diff --git a/base/common/src/com/netscape/certsrv/logging/event/ScheduleCRLGenerationEvent.java b/base/common/src/com/netscape/certsrv/logging/event/ScheduleCRLGenerationEvent.java +new file mode 100644 +index 0000000..5b2a461 +--- /dev/null ++++ b/base/common/src/com/netscape/certsrv/logging/event/ScheduleCRLGenerationEvent.java +@@ -0,0 +1,56 @@ ++// --- BEGIN COPYRIGHT BLOCK --- ++// This program is free software; you can redistribute it and/or modify ++// it under the terms of the GNU General Public License as published by ++// the Free Software Foundation; version 2 of the License. 
++// ++// This program is distributed in the hope that it will be useful, ++// but WITHOUT ANY WARRANTY; without even the implied warranty of ++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++// GNU General Public License for more details. ++// ++// You should have received a copy of the GNU General Public License along ++// with this program; if not, write to the Free Software Foundation, Inc., ++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. ++// ++// (C) 2017 Red Hat, Inc. ++// All rights reserved. ++// --- END COPYRIGHT BLOCK --- ++package com.netscape.certsrv.logging.event; ++ ++import com.netscape.certsrv.logging.AuditEvent; ++import com.netscape.certsrv.logging.ILogger; ++ ++public class ScheduleCRLGenerationEvent extends AuditEvent { ++ ++ private static final long serialVersionUID = 1L; ++ ++ public final static String LOGGING_PROPERTY = ++ "LOGGING_SIGNED_AUDIT_SCHEDULE_CRL_GENERATION"; ++ ++ public ScheduleCRLGenerationEvent( ++ String subjectID) { ++ ++ super(LOGGING_PROPERTY); ++ ++ setParameters(new Object[] { ++ subjectID, ++ ILogger.SUCCESS, ++ getAttributeList() ++ }); ++ } ++ ++ public ScheduleCRLGenerationEvent( ++ String subjectID, ++ Exception e) { ++ ++ super(LOGGING_PROPERTY); ++ ++ setAttribute("FailureReason", e.getMessage()); ++ ++ setParameters(new Object[] { ++ subjectID, ++ ILogger.FAILURE, ++ getAttributeList() ++ }); ++ } ++} +diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/UpdateCRL.java b/base/server/cms/src/com/netscape/cms/servlet/cert/UpdateCRL.java +index b4d9d29..a9a2cd2 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/cert/UpdateCRL.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/cert/UpdateCRL.java +@@ -45,6 +45,7 @@ import com.netscape.certsrv.common.ICMSRequest; + import com.netscape.certsrv.ldap.ELdapException; + import com.netscape.certsrv.logging.AuditFormat; + import com.netscape.certsrv.logging.ILogger; ++import 
com.netscape.certsrv.logging.event.ScheduleCRLGenerationEvent; + import com.netscape.certsrv.publish.ILdapRule; + import com.netscape.certsrv.publish.IPublisherProcessor; + import com.netscape.certsrv.util.IStatsSubsystem; +@@ -375,9 +376,18 @@ public class UpdateCRL extends CMSServlet { + + } else { + +- CMS.debug("UpdateCRL: scheduling CRL update"); +- crlIssuingPoint.setManualUpdate(signatureAlgorithm); +- header.addStringValue("crlUpdate", "Scheduled"); ++ try { ++ CMS.debug("UpdateCRL: scheduling CRL update"); ++ ++ crlIssuingPoint.setManualUpdate(signatureAlgorithm); ++ header.addStringValue("crlUpdate", "Scheduled"); ++ ++ audit(new ScheduleCRLGenerationEvent(auditSubjectID())); ++ ++ } catch (Exception e) { ++ audit(new ScheduleCRLGenerationEvent(auditSubjectID(), e)); ++ throw e; ++ } + } + + return; +diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties +index 689d7bc..9490098 100644 +--- a/base/server/cmsbundle/src/LogMessages.properties ++++ b/base/server/cmsbundle/src/LogMessages.properties +@@ -2122,6 +2122,12 @@ LOGGING_SIGNED_AUDIT_CMC_PROOF_OF_IDENTIFICATION_3=:[AuditEvent=CMC_ID_POP_LINK_WITNESS][SubjectID={0}][Outcome={1}][Info={2}] Identification Proof of Possession linking witness verification + # ++# LOGGING_SIGNED_AUDIT_SCHEDULE_CRL_GENERATION ++# - used when CRL generation is scheduled ++# Outcome is "success" when CRL generation is scheduled successfully, "failure" otherwise ++# ++LOGGING_SIGNED_AUDIT_SCHEDULE_CRL_GENERATION=:[AuditEvent=SCHEDULE_CRL_GENERATION][SubjectID={0}][Outcome={1}]{2} schedule for CRL generation ++# + # LOGGING_SIGNED_AUDIT_DELTA_CRL_GENERATION + # - used when delta CRL generation is complete + # Outcome is "success" when delta CRL is generated successfully, "failure" otherwise +-- +1.8.3.1 + diff --git a/SOURCES/pki-core-snapshot-3.patch b/SOURCES/pki-core-snapshot-3.patch new file mode 100644 index 0000000..ac2099b --- /dev/null 
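Review bot: The success record `audit(new ScheduleCRLGenerationEvent(auditSubjectID()));` sits inside the new try block, so if the audit call itself throws, the catch emits a failure event for a scheduling request that `setManualUpdate` has already accepted, and the audit trail then contradicts what the CA did. Narrow the try to the `crlIssuingPoint.setManualUpdate(signatureAlgorithm);` call (or move the success audit after the try/catch) so the failure event is produced only when scheduling fails. The `catch (Exception e) { ... throw e; }` relies on precise rethrow against the enclosing method's throws clause, which I cannot see. The enclosing method starts and ends outside the hunk.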
+++ b/SOURCES/pki-core-snapshot-3.patch 
@@ -0,0 +1,2377 @@ +From 14e44691ef0b61220d390afb745496b7d62945ee Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Tue, 30 May 2017 21:15:44 +0200 +Subject: [PATCH 04/27] Added pkispawn options for two-step installation. + +New --skip-configuration and --skip-installation options have +been added to pkispawn to provide a mechanism to set the +pki_skip_configuration and pki_skip_installation parameters +without changing the deployment configuration file. + +https://pagure.io/dogtagpki/issue/2707 + +Change-Id: I069b51b5be65dee2fe0f4ca75e3693bcd21007de +--- + base/server/sbin/pkispawn | 40 ++++++++++++++++++++++++++++++++++------ + 1 file changed, 34 insertions(+), 6 deletions(-) + +diff --git a/base/server/sbin/pkispawn b/base/server/sbin/pkispawn +index 9e2ebc8..742f579 100755 +--- a/base/server/sbin/pkispawn ++++ b/base/server/sbin/pkispawn +@@ -91,6 +91,18 @@ def main(argv): + dest='precheck', action='store_true', + help='Execute pre-checks and exit') + ++ parser.optional.add_argument( ++ '--skip-configuration', ++ dest='skip_configuration', ++ action='store_true', ++ help='skip configuration step') ++ ++ parser.optional.add_argument( ++ '--skip-installation', ++ dest='skip_installation', ++ action='store_true', ++ help='skip installation step') ++ + args = parser.process_command_line_arguments() + + config.default_deployment_cfg = \ +@@ -475,6 +487,24 @@ def main(argv): + sys.exit(1) + + start_logging() ++ ++ # Read the specified PKI configuration file. 
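Review bot: Nothing prevents `--skip-configuration` and `--skip-installation` from being passed together, which, judging from the two-step intent in the commit message, would make pkispawn skip both steps and do nothing useful; unless that combination is intended, register the two options in `parser.optional.add_mutually_exclusive_group()` if `parser.optional` is an argparse group, or reject the pair explicitly where the values are applied in the `@@ -475,6 +487,24 @@` hunk. The help strings `'skip configuration step'` and `'skip installation step'` are lowercase while the adjacent `--precheck` help starts with a capital; `'Skip the configuration step'` / `'Skip the installation step'` would match the existing style. `main()` starts and ends outside the hunk.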
++ rv = parser.read_pki_configuration_file() ++ if rv != 0: ++ config.pki_log.error(log.PKI_UNABLE_TO_PARSE_1, rv, ++ extra=config.PKI_INDENTATION_LEVEL_0) ++ sys.exit(1) ++ ++ # --skip-configuration ++ if args.skip_configuration: ++ parser.set_property(deployer.subsystem_name, ++ 'pki_skip_configuration', 'True') ++ ++ # --skip-installation ++ if args.skip_installation: ++ parser.set_property(deployer.subsystem_name, ++ 'pki_skip_installation', 'True') ++ + create_master_dictionary(parser) + + if not interactive and \ +@@ -635,23 +665,21 @@ def start_logging(): + + + def create_master_dictionary(parser): +- # Read the specified PKI configuration file. +- rv = parser.read_pki_configuration_file() +- if rv != 0: +- config.pki_log.error(log.PKI_UNABLE_TO_PARSE_1, rv, +- extra=config.PKI_INDENTATION_LEVEL_0) +- sys.exit(1) + + # Read in the PKI slots configuration file. + parser.compose_pki_slots_dictionary() ++ + config.pki_log.debug(log.PKI_DICTIONARY_SLOTS, + extra=config.PKI_INDENTATION_LEVEL_0) + config.pki_log.debug(pkilogging.log_format(parser.slots_dict), + extra=config.PKI_INDENTATION_LEVEL_0) ++ + # Combine the various sectional dictionaries into a PKI master dictionary + parser.compose_pki_master_dictionary() ++ + parser.mdict['pki_spawn_log'] = \ + config.pki_log_dir + "/" + config.pki_log_name ++ + config.pki_log.debug(log.PKI_DICTIONARY_MASTER, + extra=config.PKI_INDENTATION_LEVEL_0) + config.pki_log.debug(pkilogging.log_format(parser.mdict), +-- +1.8.3.1 + + +From 9af1746463bec2e62c990279d857635f693cfac7 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Tue, 30 May 2017 21:07:59 +0200 +Subject: [PATCH 05/27] Fixed two-step subordinate CA installation. + +The initialization scriptlet has been fixed to verify the subsystem +existence properly when running the second step of the two-step +subordinate CA installation. 
+ +https://pagure.io/dogtagpki/issue/2707 + +Change-Id: I0cc8ca21fda8637b4b34f4c5a1c108d213f638f8 +--- + .../pki/server/deployment/scriptlets/initialization.py | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/base/server/python/pki/server/deployment/scriptlets/initialization.py b/base/server/python/pki/server/deployment/scriptlets/initialization.py +index 4dc4e9a..1ae77e4 100644 +--- a/base/server/python/pki/server/deployment/scriptlets/initialization.py ++++ b/base/server/python/pki/server/deployment/scriptlets/initialization.py +@@ -54,13 +54,19 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + else: + config.pki_log.info(log.INITIALIZATION_SPAWN_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) ++ ++ # Verify that the subsystem already exists for the following cases: ++ # - External CA (Step 2) ++ # - Stand-alone PKI (Step 2) ++ # - Two-step installation (Step 2) ++ + if (deployer.mdict['pki_subsystem'] == "CA" or + config.str2bool(deployer.mdict['pki_standalone'])) and \ +- config.str2bool(deployer.mdict['pki_external_step_two']): +- # verify that this External CA (Step 2), or Stand-alone PKI +- # (Step 2) currently EXISTS for this "instance" ++ config.str2bool(deployer.mdict['pki_external_step_two']) or \ ++ config.str2bool(deployer.mdict['pki_skip_installation']): + deployer.instance.verify_subsystem_exists() + deployer.mdict['pki_skip_installation'] = "True" ++ + else: + # verify that this type of "subsystem" does NOT yet + # exist for this "instance" +-- +1.8.3.1 + + +From 0984d8a114b326a75b2c32cd9da2b7dee23920bb Mon Sep 17 00:00:00 2001 +From: Ade Lee +Date: Fri, 26 May 2017 22:57:07 -0400 +Subject: [PATCH 07/27] Convert CMC code to use AES + +* Switched out CrytoUtil calls that use DES and replaced them + with AES equivalents. Removed these now unneeded methods. +* Added 16 byte constant IV for AES operations. This must be + replaced by a randomly generated IV. Added TODOs where IVs + should be replaced. 
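Review bot: The new condition mixes `and` and `or` across a line continuation with no grouping, so it evaluates as `((pki_subsystem == "CA" or pki_standalone) and pki_external_step_two) or pki_skip_installation`; that is presumably the intended meaning given the added comment, but a reader cannot tell whether `pki_skip_installation` was meant to stand alone or be combined with the CA/standalone test. Make the grouping explicit, e.g. `if ((deployer.mdict['pki_subsystem'] == "CA" or config.str2bool(deployer.mdict['pki_standalone'])) and config.str2bool(deployer.mdict['pki_external_step_two'])) or config.str2bool(deployer.mdict['pki_skip_installation']):`, or bind the three flags to named locals first. The existence check this branch performs is what keeps the second step from silently creating a fresh subsystem, so its trigger condition deserves to be unambiguous. The enclosing method and if/else start and end outside the hunk.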
+* Corrected misspellings of "enreypted" in both request fields + and variable names +* Removed some code from null checks where the result could + never be null. These cases were flagged in eclipse as dead + code. + +Change-Id: Iec0c0e86fd772af8b3c9588f11a0ea1e517776fb +--- + .../src/com/netscape/cmstools/CMCRequest.java | 18 +++- + .../netscape/cms/profile/common/EnrollProfile.java | 111 ++++++++++++++------- + .../cms/servlet/common/CMCOutputTemplate.java | 40 ++++---- + .../com/netscape/cmsutil/crypto/CryptoUtil.java | 84 ++-------------- + 4 files changed, 113 insertions(+), 140 deletions(-) + +diff --git a/base/java-tools/src/com/netscape/cmstools/CMCRequest.java b/base/java-tools/src/com/netscape/cmstools/CMCRequest.java +index 9c41403..8d49b20 100644 +--- a/base/java-tools/src/com/netscape/cmstools/CMCRequest.java ++++ b/base/java-tools/src/com/netscape/cmstools/CMCRequest.java +@@ -52,6 +52,9 @@ import org.mozilla.jss.asn1.SET; + import org.mozilla.jss.asn1.UTF8String; + import org.mozilla.jss.crypto.CryptoToken; + import org.mozilla.jss.crypto.DigestAlgorithm; ++import org.mozilla.jss.crypto.EncryptionAlgorithm; ++import org.mozilla.jss.crypto.IVParameterSpec; ++import org.mozilla.jss.crypto.KeyWrapAlgorithm; + import org.mozilla.jss.crypto.ObjectNotFoundException; + import org.mozilla.jss.crypto.PrivateKey; + import org.mozilla.jss.crypto.Signature; +@@ -1718,19 +1721,30 @@ public class CMCRequest { + CryptoToken token = CryptoUtil.getKeyStorageToken(tokenName); + SymmetricKey symKey = CryptoUtil.unwrap( + token, ++ SymmetricKey.AES, ++ 128, + SymmetricKey.Usage.DECRYPT, + privKey, +- recipient.getEncryptedKey().toByteArray()); ++ recipient.getEncryptedKey().toByteArray(), ++ KeyWrapAlgorithm.RSA); ++ + if (symKey == null) { + System.out.println(method + "symKey returned null from CryptoUtil.unwrap(). 
Abort!"); + System.exit(1); + } + System.out.println(method + "symKey unwrapped."); + ++ // TODO(alee) The code below should be replaced by code that generates a random IV ++ byte[] iv = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 }; ++ IVParameterSpec default_iv = new IVParameterSpec(iv); ++ + byte challenge[] = CryptoUtil.decryptUsingSymmetricKey( + token, ++ default_iv, + encCI.getEncryptedContent().toByteArray(), +- symKey); ++ symKey, ++ EncryptionAlgorithm.AES_128_CBC); ++ + if (challenge == null) { + System.out + .println(method + "challenge returned null from CryptoUtil.decryptUsingSymmetricKey(). Abort!"); +diff --git a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java +index 1443a0a..12fb736 100644 +--- a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java ++++ b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java +@@ -45,7 +45,11 @@ import org.mozilla.jss.asn1.SET; + import org.mozilla.jss.asn1.UTF8String; + import org.mozilla.jss.crypto.CryptoToken; + import org.mozilla.jss.crypto.DigestAlgorithm; ++import org.mozilla.jss.crypto.EncryptionAlgorithm; + import org.mozilla.jss.crypto.HMACAlgorithm; ++import org.mozilla.jss.crypto.IVParameterSpec; ++import org.mozilla.jss.crypto.KeyGenAlgorithm; ++import org.mozilla.jss.crypto.KeyWrapAlgorithm; + import org.mozilla.jss.crypto.PrivateKey; + import org.mozilla.jss.crypto.SymmetricKey; + import org.mozilla.jss.pkcs10.CertificationRequest; +@@ -399,6 +403,10 @@ public abstract class EnrollProfile extends BasicProfile + String tokenName = CMS.getConfigStore().getString("cmc.token", CryptoUtil.INTERNAL_TOKEN_NAME); + token = CryptoUtil.getCryptoToken(tokenName); + ++ // TODO(alee) Replace the IV definition with a call that generates a random IV of the correct length ++ byte[] iv = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 
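Review bot: The decrypting side now uses a hard-coded all-0x01 IV (`byte[] iv = { 0x1, ... }`) for AES-128-CBC instead of taking the IV from the received message; a decrypter cannot pick a random IV, so the TODO can only be resolved by the sender in EnrollProfile (the `@@ -399,6 +403,10 @@` hunk, which carries the same constant) generating a random IV and transporting it in the message, presumably in the content-encryption algorithm parameters of `encCI`. Until that happens the two constants form an implicit wire-format contract between CMCRequest and EnrollProfile that breaks if either side changes, which is worth stating in place, e.g. `// IV must match the one EnrollProfile uses to encrypt the POP challenge until the IV is carried in the message (see TODO)`. A fixed IV with CBC also means identical challenge plaintexts produce identical ciphertexts, which is the risk the commit message's "must be replaced" refers to. The enclosing method starts outside the hunk.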
0x1, 0x1, 0x1 }; ++ IVParameterSpec ivps = new IVParameterSpec(iv); ++ + PublicKey userPubKey = X509Key.parsePublicKey(new DerValue(req_key_data)); + if (userPubKey == null) { + msg = method + "userPubKey null after X509Key.parsePublicKey"; +@@ -406,37 +414,57 @@ public abstract class EnrollProfile extends BasicProfile + throw new EBaseException(msg); + } + +- SymmetricKey symKey = CryptoUtil.generateKey(token); +- byte[] pop_encreyptedData = CryptoUtil.encryptUsingSymmetricKey( +- token, symKey, challenge); +- if (pop_encreyptedData == null) { +- msg = method + "pop_encreyptedData null"; ++ SymmetricKey symKey = CryptoUtil.generateKey( ++ token, ++ KeyGenAlgorithm.AES, ++ 128, ++ null, ++ true); ++ ++ byte[] pop_encryptedData = CryptoUtil.encryptUsingSymmetricKey( ++ token, ++ symKey, ++ challenge, ++ EncryptionAlgorithm.AES_128_CBC, ++ ivps); ++ ++ if (pop_encryptedData == null) { ++ msg = method + "pop_encryptedData null"; + CMS.debug(msg); + throw new EBaseException(msg); + } + +- byte[] pop_sysPubEncreyptedSession = CryptoUtil.wrapUsingPublicKey( +- token, issuanceProtPubKey, symKey); +- if (pop_sysPubEncreyptedSession == null) { +- msg = method + "pop_sysPubEncreyptedSession null"; ++ byte[] pop_sysPubEncryptedSession = CryptoUtil.wrapUsingPublicKey( ++ token, ++ issuanceProtPubKey, ++ symKey, ++ KeyWrapAlgorithm.RSA); ++ ++ if (pop_sysPubEncryptedSession == null) { ++ msg = method + "pop_sysPubEncryptedSession null"; + CMS.debug(msg); + throw new EBaseException(msg); + } + +- byte[] pop_userPubEncreyptedSession = CryptoUtil.wrapUsingPublicKey( +- token, userPubKey, symKey); +- if (pop_userPubEncreyptedSession == null) { +- msg = method + "pop_userPubEncreyptedSession null"; ++ ++ byte[] pop_userPubEncryptedSession = CryptoUtil.wrapUsingPublicKey( ++ token, ++ userPubKey, ++ symKey, ++ KeyWrapAlgorithm.RSA); ++ ++ if (pop_userPubEncryptedSession == null) { ++ msg = method + "pop_userPubEncryptedSession null"; + CMS.debug(msg); + throw new EBaseException(msg); 
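Review bot: The IV handed to AES-128-CBC here (`ivps`) is a fixed 16-byte 0x01 pattern, so every POP challenge is encrypted under the same IV; the TODO acknowledges it, but the hunk ships it. With a constant IV, CBC yields identical leading ciphertext blocks whenever two challenges share a prefix, which undermines the confidentiality the encryptedPOP exchange relies on. Generate it per request, e.g. `byte[] iv = new byte[16];` followed by `new java.security.SecureRandom().nextBytes(iv);` (or the token's RNG where FIPS policy requires it), and persist it in the request next to `pop_encryptedData` via a new extData entry, so that the verify path in the `@@ -1082,17 +1110,31 @@` hunk and the AlgorithmIdentifier parameters built in CMCOutputTemplate (`@@ -524,17 +517,18 @@`) and CryptoUtil.createEnvelopedData (`@@ -2572,15 +2572,15 @@`) carry the real IV instead of their own copies of the constant. The enclosing method starts before this hunk.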
+ } + CMS.debug(method + "POP challenge fields generated successfully...setting request extData"); + +- req.setExtData("pop_encreyptedData", pop_encreyptedData); ++ req.setExtData("pop_encryptedData", pop_encryptedData); + +- req.setExtData("pop_sysPubEncreyptedSession", pop_sysPubEncreyptedSession); ++ req.setExtData("pop_sysPubEncryptedSession", pop_sysPubEncryptedSession); + +- req.setExtData("pop_userPubEncreyptedSession", pop_userPubEncreyptedSession); ++ req.setExtData("pop_userPubEncryptedSession", pop_userPubEncryptedSession); + + // now compute and set witness + CMS.debug(method + "now compute and set witness"); +@@ -1038,19 +1066,19 @@ public abstract class EnrollProfile extends BasicProfile + } + + // now verify the POP witness +- byte[] pop_encreyptedData = req.getExtDataInByteArray("pop_encreyptedData"); +- if (pop_encreyptedData == null) { ++ byte[] pop_encryptedData = req.getExtDataInByteArray("pop_encryptedData"); ++ if (pop_encryptedData == null) { + msg = method + +- "pop_encreyptedData not found in request:" + ++ "pop_encryptedData not found in request:" + + reqId.toString(); + CMS.debug(msg); + return null; + } + +- byte[] pop_sysPubEncreyptedSession = req.getExtDataInByteArray("pop_sysPubEncreyptedSession"); +- if (pop_sysPubEncreyptedSession == null) { ++ byte[] pop_sysPubEncryptedSession = req.getExtDataInByteArray("pop_sysPubEncryptedSession"); ++ if (pop_sysPubEncryptedSession == null) { + msg = method + +- "pop_sysPubEncreyptedSession not found in request:" + ++ "pop_sysPubEncryptedSession not found in request:" + + reqId.toString(); + CMS.debug(msg); + return null; +@@ -1082,17 +1110,31 @@ public abstract class EnrollProfile extends BasicProfile + + SymmetricKey symKey = CryptoUtil.unwrap( + token, ++ SymmetricKey.AES, ++ 128, + SymmetricKey.Usage.DECRYPT, + issuanceProtPrivKey, +- pop_sysPubEncreyptedSession); ++ pop_sysPubEncryptedSession, ++ KeyWrapAlgorithm.RSA); ++ + if (symKey == null) { + msg = "symKey null after CryptoUtil.unwrap 
returned"; + CMS.debug(msg); + return null; + } + ++ // TODO(alee) The code below should be replaced by code that gets the IV from the Pop request ++ // This IV is supposed to be random ++ byte[] iv = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 }; ++ IVParameterSpec default_iv = new IVParameterSpec(iv); ++ + byte[] challenge_b = CryptoUtil.decryptUsingSymmetricKey( +- token, pop_encreyptedData, symKey); ++ token, ++ default_iv, ++ pop_encryptedData, ++ symKey, ++ EncryptionAlgorithm.AES_128_CBC); ++ + if (challenge_b == null) { + msg = method + "challenge_b null after decryptUsingSymmetricKey returned"; + CMS.debug(msg); +@@ -1596,23 +1638,16 @@ public abstract class EnrollProfile extends BasicProfile + witness_bytes, + hashAlg, macAlg); + +- String authMgrID = +- (String) sessionContext.get(SessionContext.AUTH_MANAGER_ID); + String auditSubjectID = null; + + if (verified) { +- // update auditSubjectID +- if (sessionContext != null) { +- auditSubjectID = (String) +- sessionContext.get(SessionContext.USER_ID); +- CMS.debug(method + "current auditSubjectID was:"+ auditSubjectID); +- CMS.debug(method + "identity verified. Updating auditSubjectID"); +- CMS.debug(method + "updated auditSubjectID is:"+ ident_string); +- auditSubjectID = ident_string; +- sessionContext.put(SessionContext.USER_ID, auditSubjectID); +- } else { //very unlikely +- CMS.debug(method + "sessionContext null; cannot update auditSubjectID"); +- } ++ auditSubjectID = (String) ++ sessionContext.get(SessionContext.USER_ID); ++ CMS.debug(method + "current auditSubjectID was:"+ auditSubjectID); ++ CMS.debug(method + "identity verified. 
Updating auditSubjectID"); ++ CMS.debug(method + "updated auditSubjectID is:"+ ident_string); ++ auditSubjectID = ident_string; ++ sessionContext.put(SessionContext.USER_ID, auditSubjectID); + + auditMessage = CMS.getLogMessage( + AuditEvent.CMC_PROOF_OF_IDENTIFICATION, +diff --git a/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java b/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java +index c130a1e..8e47298 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java +@@ -43,6 +43,7 @@ import org.mozilla.jss.asn1.SEQUENCE; + import org.mozilla.jss.asn1.SET; + import org.mozilla.jss.asn1.UTF8String; + import org.mozilla.jss.crypto.DigestAlgorithm; ++import org.mozilla.jss.crypto.EncryptionAlgorithm; + import org.mozilla.jss.crypto.SignatureAlgorithm; + import org.mozilla.jss.pkcs11.PK11PubKey; + import org.mozilla.jss.pkix.cert.Certificate; +@@ -433,10 +434,7 @@ public class CMCOutputTemplate { + + ResponseBody respBody = new ResponseBody(controlSeq, + cmsSeq, otherMsgSeq); +- if (respBody != null) +- CMS.debug(method + " after new ResponseBody, respBody not null"); +- else +- CMS.debug(method + " after new ResponseBody, respBody null"); ++ CMS.debug(method + " after new ResponseBody, respBody not null"); + + ContentInfo contentInfo = getContentInfo(respBody, certs); + ByteArrayOutputStream fos = new ByteArrayOutputStream(); +@@ -489,30 +487,25 @@ public class CMCOutputTemplate { + CMS.debug(method + "popChallengeRequired true"); + + byte[] cmc_msg = req.getExtDataInByteArray(IEnrollProfile.CTX_CERT_REQUEST); +- byte[] pop_encreyptedData = req.getExtDataInByteArray("pop_encreyptedData"); ++ byte[] pop_encryptedData = req.getExtDataInByteArray("pop_encryptedData"); + //don't need this for encryptedPOP, but need to check for existence anyway +- byte[] pop_sysPubEncreyptedSession = 
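Review bot: The `sessionContext != null` guard is dropped, so `sessionContext.get(SessionContext.USER_ID)` and the later `put` now throw NullPointerException instead of logging if the context is ever null. The removed guard was already ineffective, because the deleted `authMgrID` line dereferenced `sessionContext` before it, so the change is internally consistent; whether a null context is actually reachable depends on how the enclosing method (which starts before this hunk) obtains it. If it can be null, restore a check above the first dereference rather than relying on the surrounding code; if it cannot, a one-line comment such as `// sessionContext is non-null here: established by the caller` would document the contract for the next reader of this audit-identity update.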
req.getExtDataInByteArray("pop_sysPubEncreyptedSession"); +- byte[] pop_userPubEncreyptedSession = req.getExtDataInByteArray("pop_userPubEncreyptedSession"); +- if ((pop_encreyptedData != null) && +- (pop_sysPubEncreyptedSession != null) && +- (pop_userPubEncreyptedSession != null)) { ++ byte[] pop_sysPubEncryptedSession = req.getExtDataInByteArray("pop_sysPubEncryptedSession"); ++ byte[] pop_userPubEncryptedSession = req.getExtDataInByteArray("pop_userPubEncryptedSession"); ++ if ((pop_encryptedData != null) && ++ (pop_sysPubEncryptedSession != null) && ++ (pop_userPubEncryptedSession != null)) { + // generate encryptedPOP here + // algs are hard-coded for now + + try { + EnvelopedData envData = CryptoUtil.createEnvelopedData( +- pop_encreyptedData, +- pop_userPubEncreyptedSession); ++ pop_encryptedData, ++ pop_userPubEncryptedSession); + if (envData == null) { + msg = "envData null returned by createEnvelopedData"; + throw new EBaseException(method + msg); + } + ContentInfo ci = new ContentInfo(envData); +- if (ci == null) { +- msg = "ci null from new ContentInfo"; +- CMS.debug(msg); +- throw new EBaseException(method + msg); +- } + CMS.debug(method + "now we can compose encryptedPOP"); + + TaggedRequest.Template tReqTemplate = new TaggedRequest.Template(); +@@ -524,17 +517,18 @@ public class CMCOutputTemplate { + throw new EBaseException(method + msg); + } + ++ // TODO(alee) The code below should be replaced by code that generates a random IV ++ byte[] default_iv = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 }; ++ ++ OBJECT_IDENTIFIER oid = EncryptionAlgorithm.AES_128_CBC.toOID(); ++ AlgorithmIdentifier aid = new AlgorithmIdentifier(oid, new OCTET_STRING(default_iv)); ++ + encPop = new EncryptedPOP( + tReq, + ci, +- CryptoUtil.getDefaultEncAlg(), ++ aid, + CryptoUtil.getDefaultHashAlg(), + new OCTET_STRING(req.getExtDataInByteArray("pop_witness"))); +- if (encPop == null) { +- msg = "encPop null returned by new EncryptedPOP"; 
+- CMS.debug(msg); +- throw new EBaseException(method + msg); +- } + + } catch (Exception e) { + CMS.debug(method + " excepton:" + e); +diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java +index 8b8c443..95b8f81 100644 +--- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java ++++ b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java +@@ -2572,15 +2572,15 @@ public class CryptoUtil { + throw new Exception(method + msg); + } + ++ // TODO(alee) Replace the below with a random IV that is likely passed in ++ byte[] default_iv = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 }; ++ OBJECT_IDENTIFIER oid = EncryptionAlgorithm.AES_128_CBC.toOID(); ++ AlgorithmIdentifier aid = new AlgorithmIdentifier(oid, new OCTET_STRING(default_iv)); ++ + EncryptedContentInfo encCInfo = new EncryptedContentInfo( + ContentInfo.DATA, +- getDefaultEncAlg(), ++ aid, + new OCTET_STRING(encContent)); +- if (encCInfo == null) { +- msg = method + "encCInfo null from new EncryptedContentInfo"; +- System.out.println(msg); +- throw new Exception(method + msg); +- } + + Name name = new Name(); + name.addCommonName("unUsedIssuerName"); //unused; okay for cmc EncryptedPOP +@@ -2589,11 +2589,6 @@ public class CryptoUtil { + new IssuerAndSerialNumber(name, new INTEGER(0)), //unUsed + new AlgorithmIdentifier(RSA_ENCRYPTION, new NULL()), + new OCTET_STRING(encSymKey)); +- if (recipient == null) { +- msg = method + "recipient null from new RecipientInfo"; +- System.out.println(msg); +- throw new Exception(method + msg); +- } + + SET recipients = new SET(); + recipients.addElement(recipient); +@@ -2615,77 +2610,14 @@ public class CryptoUtil { + * the defaults + */ + +- private static byte default_iv[] = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 }; +- private static IVParameterSpec default_IV = new IVParameterSpec(default_iv); +- +- // this generates a temporary 128 bit AES symkey with 
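Review bot: `createEnvelopedData` now embeds a locally declared `default_iv` in the EncryptedContentInfo's AlgorithmIdentifier, while the content it wraps was encrypted in EnrollProfile with a separate copy of the same constant; nothing in the code ties the two together, so the recipient decrypts correctly only because both sides happen to hard-code the same bytes. The IV should travel with the ciphertext: add an `iv` parameter to the helper (its signature starts before this hunk) and build `new AlgorithmIdentifier(oid, new OCTET_STRING(iv))` from that argument, and do the same for the `aid` constructed for `EncryptedPOP` in the CMCOutputTemplate hunk `@@ -524,17 +517,18 @@`. Once the IV is passed in, the three `TODO(alee)` copies of the 0x01 array collapse into the one place where a random IV is generated.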
defaults +- public static SymmetricKey generateKey(CryptoToken token) throws Exception { +- return generateKey(token, +-//TODO: KeyGenAlgorithm.AES, 128, +- KeyGenAlgorithm.DES3, 128 /*unused*/, +- null, true); +- } +- +- // decryptUsingSymmetricKey with default algorithms +- public static byte[] decryptUsingSymmetricKey(CryptoToken token, byte[] encryptedData, SymmetricKey wrappingKey) throws Exception { +- return decryptUsingSymmetricKey(token, default_IV, encryptedData, +- wrappingKey, +- EncryptionAlgorithm.DES3_CBC_PAD); +-//TODO: EncryptionAlgorithm.AES_128_CBC); +- } +- +- // encryptUsingSymmetricKey with default algorithms +- public static byte[] encryptUsingSymmetricKey(CryptoToken token, SymmetricKey wrappingKey, byte[] data) throws Exception { +- return encryptUsingSymmetricKey( +- token, +- wrappingKey, +- data, +- EncryptionAlgorithm.DES3_CBC_PAD, +-//TODO: EncryptionAlgorithm.AES_128_CBC, +- default_IV); +- } +- +- // wrapUsingPublicKey using default algorithm +- public static byte[] wrapUsingPublicKey(CryptoToken token, PublicKey wrappingKey, SymmetricKey data) throws Exception { +- return wrapUsingPublicKey(token, wrappingKey, data, KeyWrapAlgorithm.RSA); +- } +- +- // unwrap sym key using default algorithms +- public static SymmetricKey unwrap(CryptoToken token, SymmetricKey.Usage usage, PrivateKey wrappingKey, byte[] wrappedSymKey) throws Exception { +- return unwrap( +- token, +-//TODO: SymmetricKey.AES, +- SymmetricKey.DES3, +- 0, +- usage, +- wrappingKey, +- wrappedSymKey, +- getDefaultKeyWrapAlg()); +- } +- +- public static AlgorithmIdentifier getDefaultEncAlg() +- throws Exception { +- OBJECT_IDENTIFIER oid = +- EncryptionAlgorithm.DES3_CBC.toOID(); +-//TODO: EncryptionAlgorithm.AES_128_CBC.toOID(); +- +- AlgorithmIdentifier aid = +- new AlgorithmIdentifier(oid, new OCTET_STRING(default_iv)); +- return aid; +- } +- + public static String getDefaultHashAlgName() { + return ("SHA-256"); + } + +- public static KeyWrapAlgorithm 
getDefaultKeyWrapAlg() { +- return KeyWrapAlgorithm.RSA; +- } +- + public static AlgorithmIdentifier getDefaultHashAlg() + throws Exception { + AlgorithmIdentifier hashAlg; +- hashAlg = new AlgorithmIdentifier(CryptoUtil.getHashAlgorithmOID("SHA-256")); ++ hashAlg = new AlgorithmIdentifier(CryptoUtil.getHashAlgorithmOID(getDefaultHashAlgName())); + return hashAlg; + } + +@@ -2768,8 +2700,6 @@ public class CryptoUtil { + */ + public static String getNameFromHashAlgorithm(AlgorithmIdentifier ai) + throws NoSuchAlgorithmException { +- OBJECT_IDENTIFIER oid = null; +- + System.out.println("CryptoUtil: getNameFromHashAlgorithm: " + ai.getOID().toString()); + if (ai != null) { + if (ai.getOID().equals((DigestAlgorithm.SHA256).toOID())) { +-- +1.8.3.1 + + +From 772e05e746570c13afeb60516c07a3fb95ca3e78 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Thu, 1 Jun 2017 23:38:04 +0200 +Subject: [PATCH 10/27] Removed superfluous deployment configuration backup. + +The pkispawn has been modified to generate a temporary backup +file (instead of permanent and timestamped backup files) of the +deployment configuration file before normalizing its content. +The temporary backup will be removed automatically when the +normalization is complete. 
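Review bot: In `getNameFromHashAlgorithm` the `System.out.println(... ai.getOID().toString())` context line still dereferences `ai` before the `if (ai != null)` check that follows it, so the null check never protects anything; the hunk only removes the unused `oid`. Move the trace inside the guard, e.g. `if (ai != null) {` then `System.out.println("CryptoUtil: getNameFromHashAlgorithm: " + ai.getOID().toString());` as the first statement of the branch, and leave the rest unchanged. The method body continues past the hunk.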
+ +https://pagure.io/dogtagpki/issue/2674 + +Change-Id: Ia541e23314acc120954fa574d1f6f885961c8047 +--- + base/server/sbin/pkispawn | 7 +------ + 1 file changed, 1 insertion(+), 6 deletions(-) + +diff --git a/base/server/sbin/pkispawn b/base/server/sbin/pkispawn +index 742f579..1aa7079 100755 +--- a/base/server/sbin/pkispawn ++++ b/base/server/sbin/pkispawn +@@ -34,8 +34,6 @@ try: + import ldap + import os + import requests +- import time +- from time import strftime as date + import traceback + import pki + from pki.server.deployment import pkiconfig as config +@@ -610,12 +608,9 @@ def main(argv): + + + def sanitize_user_deployment_cfg(cfg): +- # Generate a timestamp +- ticks = time.time() +- timestamp = date('%Y%m%d%H%M%S', time.localtime(ticks)) + + # Correct any section headings in the user's configuration file +- for line in fileinput.FileInput(cfg, inplace=1, backup='.' + timestamp): ++ for line in fileinput.FileInput(cfg, inplace=1): + # Remove extraneous leading and trailing whitespace from all lines + line = line.strip() + # Normalize section headings to match '/etc/pki/default.cfg' +-- +1.8.3.1 + + +From f7b6305396581f5916498cc4ea8247596bf39aaf Mon Sep 17 00:00:00 2001 +From: Matthew Harmsen +Date: Fri, 2 Jun 2017 02:10:02 +0200 +Subject: [PATCH 11/27] Fixed pylint issues + +- https://pagure.io/dogtagpki/issue/2713 - Build failure due to Pylint issues +--- + base/common/python/pki/cli/pkcs12.py | 4 ++-- + base/common/python/pki/encoder.py | 12 ++++++------ + base/server/python/pki/server/cli/audit.py | 8 ++++---- + base/server/python/pki/server/cli/ca.py | 16 ++++++++-------- + base/server/python/pki/server/cli/db.py | 8 ++++---- + base/server/python/pki/server/cli/kra.py | 20 ++++++++++---------- + base/server/python/pki/server/cli/ocsp.py | 4 ++-- + base/server/python/pki/server/cli/subsystem.py | 4 ++-- + base/server/python/pki/server/cli/tks.py | 4 ++-- + base/server/python/pki/server/cli/tps.py | 20 ++++++++++---------- + 
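Review bot: `fileinput.FileInput(cfg, inplace=1)` still renames the user's deployment configuration to `cfg + '.bak'` while rewriting it and only unlinks that copy when the iteration completes, so an exception raised inside the loop (whose body continues past this hunk) leaves a `.bak` copy of the configuration behind — the same lingering-copy problem the timestamped backups had, should the file carry credentials. As far as I can tell fileinput recreates the file with the original mode bits but does not restore ownership, so the rewritten file becomes owned by the invoking user when pkispawn runs as root; confirm that is acceptable for a user-supplied file. Wrapping the loop in a `try/finally` that removes a leftover `cfg + '.bak'` closes the first gap, and `inplace=True` reads better than `inplace=1`.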
base/server/python/pki/server/upgrade.py | 3 --- + 11 files changed, 50 insertions(+), 53 deletions(-) + +diff --git a/base/common/python/pki/cli/pkcs12.py b/base/common/python/pki/cli/pkcs12.py +index 8934d33..6b99fcf 100644 +--- a/base/common/python/pki/cli/pkcs12.py ++++ b/base/common/python/pki/cli/pkcs12.py +@@ -62,10 +62,10 @@ class PKCS12ImportCLI(pki.cli.CLI): + print(' --help Show help message.') + print() + +- def execute(self, args): ++ def execute(self, argv): + + try: +- opts, _ = getopt.gnu_getopt(args, 'v', [ ++ opts, _ = getopt.gnu_getopt(argv, 'v', [ + 'pkcs12-file=', 'pkcs12-password=', 'pkcs12-password-file=', + 'no-trust-flags', 'no-user-certs', 'no-ca-certs', 'overwrite', + 'verbose', 'debug', 'help']) +diff --git a/base/common/python/pki/encoder.py b/base/common/python/pki/encoder.py +index 8485ab8..d3298bc 100644 +--- a/base/common/python/pki/encoder.py ++++ b/base/common/python/pki/encoder.py +@@ -82,14 +82,14 @@ class CustomTypeEncoder(json.JSONEncoder): + """ + # pylint: disable=E0202 + +- def default(self, obj): ++ def default(self, o): + for k, v in iteritems(TYPES): +- if isinstance(obj, v): +- return {k: obj.__dict__} ++ if isinstance(o, v): ++ return {k: o.__dict__} + for t in itervalues(NOTYPES): +- if isinstance(obj, t): +- return self.attr_name_conversion(obj.__dict__, type(obj)) +- return json.JSONEncoder.default(self, obj) ++ if isinstance(o, t): ++ return self.attr_name_conversion(o.__dict__, type(o)) ++ return json.JSONEncoder.default(self, o) + + @staticmethod + def attr_name_conversion(attr_dict, object_class): +diff --git a/base/server/python/pki/server/cli/audit.py b/base/server/python/pki/server/cli/audit.py +index 0833ca8..a19ca8c 100644 +--- a/base/server/python/pki/server/cli/audit.py ++++ b/base/server/python/pki/server/cli/audit.py +@@ -56,10 +56,10 @@ class AuditFileFindCLI(pki.cli.CLI): + print(' --help Show help message.') + print() + +- def execute(self, args): ++ def execute(self, argv): + + try: +- opts, _ = 
getopt.gnu_getopt(args, 'i:v', [ ++ opts, _ = getopt.gnu_getopt(argv, 'i:v', [ + 'instance=', + 'verbose', 'help']) + +@@ -129,10 +129,10 @@ class AuditFileVerifyCLI(pki.cli.CLI): + print(' --help Show help message.') + print() + +- def execute(self, args): ++ def execute(self, argv): + + try: +- opts, _ = getopt.gnu_getopt(args, 'i:v', [ ++ opts, _ = getopt.gnu_getopt(argv, 'i:v', [ + 'instance=', + 'verbose', 'help']) + +diff --git a/base/server/python/pki/server/cli/ca.py b/base/server/python/pki/server/cli/ca.py +index 550e511..48c7dba 100644 +--- a/base/server/python/pki/server/cli/ca.py ++++ b/base/server/python/pki/server/cli/ca.py +@@ -78,10 +78,10 @@ class CACertChainExportCLI(pki.cli.CLI): + print(' --help Show help message.') + print() + +- def execute(self, args): ++ def execute(self, argv): + + try: +- opts, _ = getopt.gnu_getopt(args, 'i:v', [ ++ opts, _ = getopt.gnu_getopt(argv, 'i:v', [ + 'instance=', 'pkcs12-file=', 'pkcs12-password=', 'pkcs12-password-file=', + 'verbose', 'help']) + +@@ -190,10 +190,10 @@ class CACertRequestFindCLI(pki.cli.CLI): + print(' --help Show help message.') + print() + +- def execute(self, args): ++ def execute(self, argv): + + try: +- opts, _ = getopt.gnu_getopt(args, 'i:v', [ ++ opts, _ = getopt.gnu_getopt(argv, 'i:v', [ + 'instance=', 'cert=', 'cert-file=', + 'verbose', 'help']) + +@@ -268,10 +268,10 @@ class CACertRequestShowCLI(pki.cli.CLI): + print(' --help Show help message.') + print() + +- def execute(self, args): ++ def execute(self, argv): + + try: +- opts, args = getopt.gnu_getopt(args, 'i:v', [ ++ opts, args = getopt.gnu_getopt(argv, 'i:v', [ + 'instance=', 'output-file=', + 'verbose', 'help']) + +@@ -356,10 +356,10 @@ class CAClonePrepareCLI(pki.cli.CLI): + print(' --help Show help message.') + print() + +- def execute(self, args): ++ def execute(self, argv): + + try: +- opts, _ = getopt.gnu_getopt(args, 'i:v', [ ++ opts, _ = getopt.gnu_getopt(argv, 'i:v', [ + 'instance=', 'pkcs12-file=', 'pkcs12-password=', 
'pkcs12-password-file=', + 'verbose', 'help']) + +diff --git a/base/server/python/pki/server/cli/db.py b/base/server/python/pki/server/cli/db.py +index 17b1a2f..3df911c 100644 +--- a/base/server/python/pki/server/cli/db.py ++++ b/base/server/python/pki/server/cli/db.py +@@ -58,10 +58,10 @@ class DBSchemaUpgrade(pki.cli.CLI): + print(' --help Show help message.') + print() + +- def execute(self, args): ++ def execute(self, argv): + try: + opts, _ = getopt.gnu_getopt( +- args, 'i:D:w:v', ['instance=', 'bind-dn=', 'bind-password=', ++ argv, 'i:D:w:v', ['instance=', 'bind-dn=', 'bind-password=', + 'verbose', 'help']) + + except getopt.GetoptError as e: +@@ -150,10 +150,10 @@ class DBUpgrade(pki.cli.CLI): + print(' --help Show help message.') + print() + +- def execute(self, args): ++ def execute(self, argv): + try: + opts, _ = getopt.gnu_getopt( +- args, 'i:v', ['instance=', 'verbose', 'help']) ++ argv, 'i:v', ['instance=', 'verbose', 'help']) + + except getopt.GetoptError as e: + print('ERROR: ' + str(e)) +diff --git a/base/server/python/pki/server/cli/kra.py b/base/server/python/pki/server/cli/kra.py +index 3724014..6c1ade9 100644 +--- a/base/server/python/pki/server/cli/kra.py ++++ b/base/server/python/pki/server/cli/kra.py +@@ -81,10 +81,10 @@ class KRAClonePrepareCLI(pki.cli.CLI): + print(' --help Show help message.') + print() + +- def execute(self, args): ++ def execute(self, argv): + + try: +- opts, _ = getopt.gnu_getopt(args, 'i:v', [ ++ opts, _ = getopt.gnu_getopt(argv, 'i:v', [ + 'instance=', 'pkcs12-file=', 'pkcs12-password=', 'pkcs12-password-file=', + 'verbose', 'help']) + +@@ -203,10 +203,10 @@ class KRADBVLVFindCLI(pki.cli.CLI): + print(' --help Show help message.') + print() + +- def execute(self, args): ++ def execute(self, argv): + try: + opts, _ = getopt.gnu_getopt( +- args, ++ argv, + 'i:D:w:x:g:v', + ['instance=', 'bind-dn=', 'bind-password=', 'generate-ldif=', + 'verbose', 'help'] +@@ -315,10 +315,10 @@ class KRADBVLVAddCLI(pki.cli.CLI): + 
print(' --help Show help message.') + print() + +- def execute(self, args): ++ def execute(self, argv): + try: + opts, _ = getopt.gnu_getopt( +- args, ++ argv, + 'i:D:w:x:g:v', + ['instance=', 'bind-dn=', 'bind-password=', 'generate-ldif=', + 'verbose', 'help'] +@@ -421,10 +421,10 @@ class KRADBVLVDeleteCLI(pki.cli.CLI): + print(' --help Show help message.') + print() + +- def execute(self, args): ++ def execute(self, argv): + try: + opts, _ = getopt.gnu_getopt( +- args, ++ argv, + 'i:D:w:x:g:v', + ['instance=', 'bind-dn=', 'bind-password=', 'generate-ldif=', + 'verbose', 'help'] +@@ -543,10 +543,10 @@ class KRADBVLVReindexCLI(pki.cli.CLI): + print(' --help Show help message.') + print() + +- def execute(self, args): ++ def execute(self, argv): + try: + opts, _ = getopt.gnu_getopt( +- args, ++ argv, + 'i:D:w:x:g:v', + ['instance=', 'bind-dn=', 'bind-password=', 'generate-ldif=', + 'verbose', 'help'] +diff --git a/base/server/python/pki/server/cli/ocsp.py b/base/server/python/pki/server/cli/ocsp.py +index 3e9b6aa..b3e4e45 100644 +--- a/base/server/python/pki/server/cli/ocsp.py ++++ b/base/server/python/pki/server/cli/ocsp.py +@@ -67,10 +67,10 @@ class OCSPClonePrepareCLI(pki.cli.CLI): + print(' --help Show help message.') + print() + +- def execute(self, args): ++ def execute(self, argv): + + try: +- opts, _ = getopt.gnu_getopt(args, 'i:v', [ ++ opts, _ = getopt.gnu_getopt(argv, 'i:v', [ + 'instance=', 'pkcs12-file=', 'pkcs12-password=', 'pkcs12-password-file=', + 'verbose', 'help']) + +diff --git a/base/server/python/pki/server/cli/subsystem.py b/base/server/python/pki/server/cli/subsystem.py +index 8395bd2..10af8ca 100644 +--- a/base/server/python/pki/server/cli/subsystem.py ++++ b/base/server/python/pki/server/cli/subsystem.py +@@ -66,10 +66,10 @@ class SubsystemFindCLI(pki.cli.CLI): + print(' --help Show help message.') + print() + +- def execute(self, args): ++ def execute(self, argv): + + try: +- opts, _ = getopt.gnu_getopt(args, 'i:v', [ ++ opts, _ = 
getopt.gnu_getopt(argv, 'i:v', [ + 'instance=', + 'verbose', 'help']) + +diff --git a/base/server/python/pki/server/cli/tks.py b/base/server/python/pki/server/cli/tks.py +index 0e6a998..0bfaca1 100644 +--- a/base/server/python/pki/server/cli/tks.py ++++ b/base/server/python/pki/server/cli/tks.py +@@ -67,10 +67,10 @@ class TKSClonePrepareCLI(pki.cli.CLI): + print(' --help Show help message.') + print() + +- def execute(self, args): ++ def execute(self, argv): + + try: +- opts, _ = getopt.gnu_getopt(args, 'i:v', [ ++ opts, _ = getopt.gnu_getopt(argv, 'i:v', [ + 'instance=', 'pkcs12-file=', 'pkcs12-password=', 'pkcs12-password-file=', + 'verbose', 'help']) + +diff --git a/base/server/python/pki/server/cli/tps.py b/base/server/python/pki/server/cli/tps.py +index 03df8de..a34bbd9 100644 +--- a/base/server/python/pki/server/cli/tps.py ++++ b/base/server/python/pki/server/cli/tps.py +@@ -76,10 +76,10 @@ class TPSClonePrepareCLI(pki.cli.CLI): + print(' --help Show help message.') + print() + +- def execute(self, args): ++ def execute(self, argv): + + try: +- opts, _ = getopt.gnu_getopt(args, 'i:v', [ ++ opts, _ = getopt.gnu_getopt(argv, 'i:v', [ + 'instance=', 'pkcs12-file=', 'pkcs12-password=', 'pkcs12-password-file=', + 'verbose', 'help']) + +@@ -195,10 +195,10 @@ class TPSDBVLVFindCLI(pki.cli.CLI): + print(' --help Show help message.') + print() + +- def execute(self, args): ++ def execute(self, argv): + try: + opts, _ = getopt.gnu_getopt( +- args, ++ argv, + 'i:D:w:x:g:v', + ['instance=', 'bind-dn=', 'bind-password=', 'generate-ldif=', + 'verbose', 'help'] +@@ -306,10 +306,10 @@ class TPSDBVLVAddCLI(pki.cli.CLI): + print(' --help Show help message.') + print() + +- def execute(self, args): ++ def execute(self, argv): + try: + opts, _ = getopt.gnu_getopt( +- args, ++ argv, + 'i:D:w:x:g:v', + ['instance=', 'bind-dn=', 'bind-password=', 'generate-ldif=', + 'verbose', 'help'] +@@ -419,10 +419,10 @@ class TPSDBVLVDeleteCLI(pki.cli.CLI): + print(' --help Show help message.') 
+ print() + +- def execute(self, args): ++ def execute(self, argv): + try: + opts, _ = getopt.gnu_getopt( +- args, ++ argv, + 'i:D:w:x:g:v', + ['instance=', 'bind-dn=', 'bind-password=', 'generate-ldif=', + 'verbose', 'help'] +@@ -554,10 +554,10 @@ class TPSDBVLVReindexCLI(pki.cli.CLI): + print(' --help Show help message.') + print() + +- def execute(self, args): ++ def execute(self, argv): + try: + opts, _ = getopt.gnu_getopt( +- args, ++ argv, + 'i:D:w:x:g:v', + ['instance=', 'bind-dn=', 'bind-password=', 'generate-ldif=', + 'verbose', 'help'] +diff --git a/base/server/python/pki/server/upgrade.py b/base/server/python/pki/server/upgrade.py +index 2c72e48..926c683 100644 +--- a/base/server/python/pki/server/upgrade.py ++++ b/base/server/python/pki/server/upgrade.py +@@ -38,9 +38,6 @@ SUBSYSTEM_TRACKER = '%s/CS.cfg' + + class PKIServerUpgradeScriptlet(pki.upgrade.PKIUpgradeScriptlet): + +- def __init__(self): +- super(PKIServerUpgradeScriptlet, self).__init__() +- + def get_backup_dir(self): + return BACKUP_DIR + '/' + str(self.version) + '/' + str(self.index) + +-- +1.8.3.1 + + +From b3d851b864dc986a9af8ffcb1962f8e7b4de3114 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Thu, 1 Jun 2017 04:54:05 +0200 +Subject: [PATCH 12/27] Added upgrade script for keepAliveTimeout. + +An upgrade script has been added to set the keepAliveTimeout +attribute for the Secure connector in the server.xml. 
+ +https://pagure.io/dogtagpki/issue/2687 + +Change-Id: Ia61ed49d0ffc26d4bb44738c71fc663bde37fb1d +--- + base/common/upgrade/10.4.1/.gitignore | 4 ++ + base/common/upgrade/10.4.2/.gitignore | 4 ++ + base/common/upgrade/10.4.3/.gitignore | 4 ++ + base/common/upgrade/10.4.4/.gitignore | 4 ++ + base/common/upgrade/10.4.5/.gitignore | 4 ++ + base/common/upgrade/10.4.6/.gitignore | 4 ++ + base/server/upgrade/10.4.3/.gitignore | 4 ++ + base/server/upgrade/10.4.4/.gitignore | 4 ++ + base/server/upgrade/10.4.5/.gitignore | 4 ++ + .../upgrade/10.4.6/01-UpdateKeepAliveTimeout | 59 ++++++++++++++++++++++ + 10 files changed, 95 insertions(+) + create mode 100644 base/common/upgrade/10.4.1/.gitignore + create mode 100644 base/common/upgrade/10.4.2/.gitignore + create mode 100644 base/common/upgrade/10.4.3/.gitignore + create mode 100644 base/common/upgrade/10.4.4/.gitignore + create mode 100644 base/common/upgrade/10.4.5/.gitignore + create mode 100644 base/common/upgrade/10.4.6/.gitignore + create mode 100644 base/server/upgrade/10.4.3/.gitignore + create mode 100644 base/server/upgrade/10.4.4/.gitignore + create mode 100644 base/server/upgrade/10.4.5/.gitignore + create mode 100755 base/server/upgrade/10.4.6/01-UpdateKeepAliveTimeout + +diff --git a/base/common/upgrade/10.4.1/.gitignore b/base/common/upgrade/10.4.1/.gitignore +new file mode 100644 +index 0000000..5e7d273 +--- /dev/null ++++ b/base/common/upgrade/10.4.1/.gitignore +@@ -0,0 +1,4 @@ ++# Ignore everything in this directory ++* ++# Except this file ++!.gitignore +diff --git a/base/common/upgrade/10.4.2/.gitignore b/base/common/upgrade/10.4.2/.gitignore +new file mode 100644 +index 0000000..5e7d273 +--- /dev/null ++++ b/base/common/upgrade/10.4.2/.gitignore +@@ -0,0 +1,4 @@ ++# Ignore everything in this directory ++* ++# Except this file ++!.gitignore +diff --git a/base/common/upgrade/10.4.3/.gitignore b/base/common/upgrade/10.4.3/.gitignore +new file mode 100644 +index 0000000..5e7d273 +--- /dev/null ++++ 
b/base/common/upgrade/10.4.3/.gitignore +@@ -0,0 +1,4 @@ ++# Ignore everything in this directory ++* ++# Except this file ++!.gitignore +diff --git a/base/common/upgrade/10.4.4/.gitignore b/base/common/upgrade/10.4.4/.gitignore +new file mode 100644 +index 0000000..5e7d273 +--- /dev/null ++++ b/base/common/upgrade/10.4.4/.gitignore +@@ -0,0 +1,4 @@ ++# Ignore everything in this directory ++* ++# Except this file ++!.gitignore +diff --git a/base/common/upgrade/10.4.5/.gitignore b/base/common/upgrade/10.4.5/.gitignore +new file mode 100644 +index 0000000..5e7d273 +--- /dev/null ++++ b/base/common/upgrade/10.4.5/.gitignore +@@ -0,0 +1,4 @@ ++# Ignore everything in this directory ++* ++# Except this file ++!.gitignore +diff --git a/base/common/upgrade/10.4.6/.gitignore b/base/common/upgrade/10.4.6/.gitignore +new file mode 100644 +index 0000000..5e7d273 +--- /dev/null ++++ b/base/common/upgrade/10.4.6/.gitignore +@@ -0,0 +1,4 @@ ++# Ignore everything in this directory ++* ++# Except this file ++!.gitignore +diff --git a/base/server/upgrade/10.4.3/.gitignore b/base/server/upgrade/10.4.3/.gitignore +new file mode 100644 +index 0000000..5e7d273 +--- /dev/null ++++ b/base/server/upgrade/10.4.3/.gitignore +@@ -0,0 +1,4 @@ ++# Ignore everything in this directory ++* ++# Except this file ++!.gitignore +diff --git a/base/server/upgrade/10.4.4/.gitignore b/base/server/upgrade/10.4.4/.gitignore +new file mode 100644 +index 0000000..5e7d273 +--- /dev/null ++++ b/base/server/upgrade/10.4.4/.gitignore +@@ -0,0 +1,4 @@ ++# Ignore everything in this directory ++* ++# Except this file ++!.gitignore +diff --git a/base/server/upgrade/10.4.5/.gitignore b/base/server/upgrade/10.4.5/.gitignore +new file mode 100644 +index 0000000..5e7d273 +--- /dev/null ++++ b/base/server/upgrade/10.4.5/.gitignore +@@ -0,0 +1,4 @@ ++# Ignore everything in this directory ++* ++# Except this file ++!.gitignore +diff --git a/base/server/upgrade/10.4.6/01-UpdateKeepAliveTimeout 
b/base/server/upgrade/10.4.6/01-UpdateKeepAliveTimeout +new file mode 100755 +index 0000000..31c4d1b +--- /dev/null ++++ b/base/server/upgrade/10.4.6/01-UpdateKeepAliveTimeout +@@ -0,0 +1,59 @@ ++#!/usr/bin/python ++# Authors: ++# Endi S. Dewata ++# ++# This program is free software; you can redistribute it and/or modify ++# it under the terms of the GNU General Public License as published by ++# the Free Software Foundation; version 2 of the License. ++# ++# This program is distributed in the hope that it will be useful, ++# but WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++# GNU General Public License for more details. ++# ++# You should have received a copy of the GNU General Public License along ++# with this program; if not, write to the Free Software Foundation, Inc., ++# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. ++# ++# Copyright (C) 2017 Red Hat, Inc. ++# All rights reserved. ++# ++ ++from __future__ import absolute_import ++import os ++from lxml import etree ++ ++import pki ++ ++ ++class UpdateKeepAliveTimeout( ++ pki.server.upgrade.PKIServerUpgradeScriptlet): ++ ++ def __init__(self): ++ super(UpdateKeepAliveTimeout, self).__init__() ++ self.message = 'Update keepAliveTimeout parameter' ++ ++ self.parser = etree.XMLParser(remove_blank_text=True) ++ ++ def upgrade_instance(self, instance): ++ ++ server_xml = os.path.join(instance.conf_dir, 'server.xml') ++ self.backup(server_xml) ++ ++ document = etree.parse(server_xml, self.parser) ++ ++ server = document.getroot() ++ connectors = server.findall('.//Connector') ++ ++ for connector in connectors: ++ ++ # find the Secure connector ++ name = connector.get('name') ++ if name != 'Secure': ++ continue ++ ++ # set the keepAliveTimeout parameter to 5 minutes ++ connector.set('keepAliveTimeout', '300000') ++ ++ with open(server_xml, 'wb') as f: ++ document.write(f, pretty_print=True, encoding='utf-8') +-- +1.8.3.1 + + 
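Review bot: `upgrade_instance` sets `keepAliveTimeout` on the `Secure` connector unconditionally and reports nothing when no connector named `Secure` is present, so an administrator-tuned value is silently overwritten and a renamed connector is silently skipped; both cases deserve a message through whatever output facility the scriptlet base class provides (not visible here). The script also reaches `pki.server.upgrade.PKIServerUpgradeScriptlet` after only `import pki`, which works only if the upgrade runner has already imported `pki.server.upgrade`; `import pki.server.upgrade` would make that dependency explicit. Since this raises the idle keep-alive on the HTTPS connector to five minutes, a comment such as `# 5 min keep-alive keeps idle TLS sessions open longer; review maxConnections/maxThreads on this connector` would record the trade-off for whoever tunes server.xml next.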
+From 03235ab51d102ba722e71adf00d2f721c77cd222 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Thu, 1 Jun 2017 21:02:41 +0200 +Subject: [PATCH 15/27] Fixed random password generator. + +The equal sign is no longer used to generate random password +since it's already used as token name and password delimiter in +password.conf. + +https://pagure.io/dogtagpki/issue/2556 + +Change-Id: Id59f9aae4d01958f69c305e7d5cda44ce5c81c84 +--- + base/common/python/pki/__init__.py | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/base/common/python/pki/__init__.py b/base/common/python/pki/__init__.py +index 1fc5385..0478b32 100644 +--- a/base/common/python/pki/__init__.py ++++ b/base/common/python/pki/__init__.py +@@ -45,6 +45,11 @@ PACKAGE_VERSION = SHARE_DIR + '/VERSION' + CERT_HEADER = "-----BEGIN CERTIFICATE-----" + CERT_FOOTER = "-----END CERTIFICATE-----" + ++# Valid punctuation characters for random password. ++# This is identical to string.punctuation minus the equal ++# sign since it's used as delimiter in password.conf. 
++PUNCTUATIONS = '!"#$%&\'()*+,-./:;<>?@[\\]^_`{|}~' ++ + + def read_text(message, + options=None, default=None, delimiter=':', +@@ -139,7 +144,7 @@ def generate_password(): + * digits (string.digits) + * ASCII lowercase letters (string.ascii_lowercase) + * ASCII uppercase letters (string.ascii_uppercase) +- * ASCII non-alphanumeric characters (string.punctuation) ++ * ASCII non-alphanumeric characters (PUNCTUATIONS) + * non-ASCII characters + + If an ASCII uppercase letter is the first character of the password, +@@ -159,7 +164,7 @@ def generate_password(): + valid_chars = string.digits +\ + string.ascii_lowercase +\ + string.ascii_uppercase +\ +- string.punctuation ++ PUNCTUATIONS + + chars = [] + +@@ -168,7 +173,7 @@ def generate_password(): + chars.append(rnd.choice(string.digits)) + chars.append(rnd.choice(string.ascii_lowercase)) + chars.append(rnd.choice(string.ascii_uppercase)) +- chars.append(rnd.choice(string.punctuation)) ++ chars.append(rnd.choice(PUNCTUATIONS)) + + # add 6 additional random chars + chars.extend(rnd.choice(valid_chars) for i in range(6)) +-- +1.8.3.1 + + +From 08bf26f786b8d233382c6fedfad5d33d8c11d78f Mon Sep 17 00:00:00 2001 +From: Ade Lee +Date: Thu, 1 Jun 2017 17:46:27 -0400 +Subject: [PATCH 16/27] Fix NPE in audit log invocation + +Some audit log objects take a RequestId or KeyId, on which we call +toString(). In some cases, we were creating a KeyId or RequestId +with null values, resulting in an NPE. We fix these in this patch. 
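Review bot: `generate_password` draws every character from `rnd`, which is constructed outside this hunk; because these passwords protect NSS token and key databases it must be a `random.SystemRandom()` (or the `secrets` module), not the default Mersenne-Twister `random` state, so please confirm where `rnd` comes from. Dropping `=` is the right fix for the `password.conf` delimiter clash and costs negligible entropy (one symbol out of roughly ninety). The new constant should say why it exists for the next person who touches it, e.g. `# Keep in sync with every password.conf reader: nothing in this alphabet may be treated as a delimiter.`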
+ +Bugzilla BZ# 1458043 + +Change-Id: I38d5a20e9920966c8414d56afd7690dc3c11a1db +--- + base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java | 3 ++- + base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java | 4 ++-- + 3 files changed, 8 insertions(+), 4 deletions(-) + +diff --git a/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java b/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java +index ed20394..5e3b8a9 100644 +--- a/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java ++++ b/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java +@@ -1128,7 +1128,8 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove + r = queue.findRequest(new RequestId(reqID)); + + auditAgents = r.getExtDataInString(IRequest.ATTR_APPROVE_AGENTS); +- keyID = new KeyId(r.getExtDataInBigInteger("serialNumber")); ++ BigInteger serialNumber = r.getExtDataInBigInteger("serialNumber"); ++ keyID = serialNumber != null? new KeyId(serialNumber) : null; + + // set transient parameters + params = createVolatileRequest(r.getRequestId()); +diff --git a/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java b/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java +index c0b5cdd..891b083 100644 +--- a/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java ++++ b/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java +@@ -283,7 +283,7 @@ public class TokenKeyRecoveryService implements IService { + // retrieve based on Certificate + String cert_s = request.getExtDataInString(ATTR_USER_CERT); + String keyid_s = request.getExtDataInString(IRequest.NETKEY_ATTR_KEYID); +- KeyId keyId = new KeyId(request.getExtDataInString(IRequest.NETKEY_ATTR_KEYID)); ++ KeyId keyId = keyid_s != null ? 
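Review bot: the null guard on `serialNumber` avoids the NPE but leaves `keyID` null on the audit path, so the key recovery audit record (presumably built from `keyID` further down, outside this hunk) will carry no key identifier at all. For a KRA recovery the key identifier is exactly what an auditor needs, so the missing-`serialNumber` case should at least be logged rather than silently degrading the audit trail, e.g. `if (serialNumber == null) CMS.debug("KeyRecoveryAuthority: request " + reqID + " has no serialNumber; audit record will lack key ID");`. The enclosing method starts and ends outside this hunk.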
new KeyId(keyid_s): null; + /* have to have at least one */ + if ((cert_s == null) && (keyid_s == null)) { + CMS.debug("TokenKeyRecoveryService: not receive cert or keyid"); +@@ -593,7 +593,7 @@ public class TokenKeyRecoveryService implements IService { + return true; + + } catch (Exception e) { +- CMS.debug("TokenKeyRecoveryService: " + e.toString()); ++ CMS.debug(e); + request.setExtData(IRequest.RESULT, Integer.valueOf(4)); + } + +-- +1.8.3.1 + + +From 29dbed75f1c214a065cd3bcc438d0584fd980d4f Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Fri, 2 Jun 2017 18:46:01 +0200 +Subject: [PATCH 17/27] Excluded backslash from random password. + +The backslash is no longer used for generating random password +since it's causing SSL hanshake failure. + +https://pagure.io/dogtagpki/issue/2676 + +Change-Id: I2e63769b16fc3fa617b27dccb7b85f139714a411 +--- + base/common/python/pki/__init__.py | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/base/common/python/pki/__init__.py b/base/common/python/pki/__init__.py +index 0478b32..1a6f5c2 100644 +--- a/base/common/python/pki/__init__.py ++++ b/base/common/python/pki/__init__.py +@@ -46,9 +46,10 @@ CERT_HEADER = "-----BEGIN CERTIFICATE-----" + CERT_FOOTER = "-----END CERTIFICATE-----" + + # Valid punctuation characters for random password. +-# This is identical to string.punctuation minus the equal +-# sign since it's used as delimiter in password.conf. +-PUNCTUATIONS = '!"#$%&\'()*+,-./:;<>?@[\\]^_`{|}~' ++# This is based on string.punctuation except: ++# - equal sign since it's used as delimiter in password.conf ++# - backslash since it's causing SSL handshake failure ++PUNCTUATIONS = '!"#$%&\'()*+,-./:;<>?@[]^_`{|}~' + + + def read_text(message, +-- +1.8.3.1 + + +From a614eb15476adb00df571d3ea05fdd8ea282141d Mon Sep 17 00:00:00 2001 +From: Jack Magne +Date: Fri, 2 Jun 2017 15:40:52 -0700 +Subject: [PATCH 18/27] Resolve #1663 Add SCP03 support . 
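Review bot: `KeyId keyId = keyid_s != null ? new KeyId(keyid_s) : null;` guards only against null, yet it runs before the `(cert_s == null) && (keyid_s == null)` sanity check, so an empty or malformed `NETKEY_ATTR_KEYID` value would throw inside the constructor (if `KeyId` parses its argument as a number, which is not visible here) before the request is rejected cleanly. Either move the construction below that check or widen the guard to `keyid_s != null && !keyid_s.isEmpty()`. The method continues outside this hunk.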
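Review bot: excluding the backslash works around the handshake failure rather than fixing it: a backslash in a password only breaks things if some consumer treats it as an escape character when reading password.conf or forwarding the password, and that consumer will still mis-handle a user-supplied password containing one. The comment should name the affected consumer so the restriction can be lifted once it is fixed, e.g. `# - backslash: mis-parsed by a password.conf consumer (pagure #2676); revisit once fixed`. The entropy impact of one fewer symbol is negligible.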
+ +This particular fix resolves a simple issue when formatting a token in FIPS mode for SCP03. +--- + base/tps/src/org/dogtagpki/server/tps/channel/SecureChannel.java | 7 ++++--- + base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java | 4 ++++ + 2 files changed, 8 insertions(+), 3 deletions(-) + +diff --git a/base/tps/src/org/dogtagpki/server/tps/channel/SecureChannel.java b/base/tps/src/org/dogtagpki/server/tps/channel/SecureChannel.java +index 5e5646b..3b80f27 100644 +--- a/base/tps/src/org/dogtagpki/server/tps/channel/SecureChannel.java ++++ b/base/tps/src/org/dogtagpki/server/tps/channel/SecureChannel.java +@@ -421,10 +421,11 @@ public class SecureChannel { + throw new TPSException(method + "Failed to calculate card cryptogram!", TPSStatus.STATUS_ERROR_SECURE_CHANNEL); + } + +- CMS.debug(method + " dumped macSessionKey: " + new TPSBuffer(macSessionKey.getEncoded()).toHexString() ); ++ if(cardCryptogram != null) ++ CMS.debug(method + " actual card cryptogram " + cardCryptogram.toHexString()); + +- CMS.debug(method + " actual card cryptogram " + cardCryptogram.toHexString()); +- CMS.debug(method + " calculated card cryptogram " + calculatedCardCryptogram.toHexString()); ++ if(calculatedCardCryptogram != null) ++ CMS.debug(method + " calculated card cryptogram " + calculatedCardCryptogram.toHexString()); + + ExternalAuthenticateAPDUGP211 externalAuth = new ExternalAuthenticateAPDUGP211(hostCryptogram, + /* secLevel */secLevelGP211); +diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java +index 0f96915..e1a5748 100644 +--- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java ++++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java +@@ -957,6 +957,10 @@ public class TPSProcessor { + kekSessionKeySCP03 = (PK11SymKey) protocol.unwrapWrappedSymKeyOnToken(token, sharedSecret, + kekSessionKeyBuff.toBytesArray(), false, SymmetricKey.AES); 
+ ++ CMS.debug(" encSessionKeySCP03 " + encSessionKeySCP03); ++ CMS.debug(" macSessionKeySCP03 " + macSessionKeySCP03); ++ CMS.debug(" kekSessionKeySCP03 " + kekSessionKeySCP03); ++ + channel = new SecureChannel(this, encSessionKeySCP03, macSessionKeySCP03, kekSessionKeySCP03, + drmDesKeyBuff, kekDesKeyBuff, + keyCheckBuff, keyDiversificationData, cardChallenge, +-- +1.8.3.1 + + +From af41896f083e1101b1ba62f6cc8c9be6064c6786 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Sat, 3 Jun 2017 02:07:04 +0200 +Subject: [PATCH 19/27] Refactored MainCLI.loadPassword() (part 1). + +The method that loads password from a file in MainCLI has been +renamed into loadPassword() and modified to return early for +clarity. + +https://pagure.io/dogtagpki/issue/2717 + +Change-Id: I9b031c31040c2d00f04d9997abcdae38163bf6d5 +--- + .../src/com/netscape/cmstools/cli/MainCLI.java | 24 ++++++++++++---------- + 1 file changed, 13 insertions(+), 11 deletions(-) + +diff --git a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java +index 1b9c569..2402196 100644 +--- a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java ++++ b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java +@@ -229,7 +229,7 @@ public class MainCLI extends CLI { + options.addOption(null, "version", false, "Show version number."); + } + +- public String[] readPlaintextPasswordFromFile(String pwfile) throws Exception { ++ public String[] loadPassword(String pwfile) throws Exception { + String[] tokenPassword = { null, null }; + BufferedReader br = null; + String delimiter = "="; +@@ -238,11 +238,16 @@ public class MainCLI extends CLI { + br = new BufferedReader(new FileReader(pwfile)); + + String line = br.readLine(); +- if (line != null) { +- if (line.isEmpty()) { +- throw new Exception("File '" + pwfile + "' does not define a token or a password!"); + +- } else if (line.contains(delimiter)) { ++ if (line == null) { ++ throw new 
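Review bot: the three new `CMS.debug(" encSessionKeySCP03 " + encSessionKeySCP03)` lines print the SCP03 session key objects to the debug log, in the same commit that removes the `macSessionKey` hex dump from `SecureChannel.java`. `PK11SymKey.toString()` most likely prints an object handle rather than key bytes, but logging session-key objects at all invites a later "improvement" into a dump, and the `SecureChannel` hunk still logs both card cryptograms, which are secure-channel authentication values. Suggest reducing the three lines to presence checks, e.g. `CMS.debug("SCP03 session keys derived: enc=" + (encSessionKeySCP03 != null) + " mac=" + (macSessionKeySCP03 != null) + " kek=" + (kekSessionKeySCP03 != null));`. The enclosing method extends beyond this hunk.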
Exception("File '" + pwfile + "' is empty!"); ++ } ++ ++ if (line.isEmpty()) { ++ throw new Exception("File '" + pwfile + "' does not define a token or a password!"); ++ } ++ ++ if (line.contains(delimiter)) { + // Process 'token=password' format: + // + // Token: tokenPassword[0] +@@ -270,10 +275,7 @@ public class MainCLI extends CLI { + // Set simple 'password' (do not trim leading/trailing whitespace) + tokenPassword[1] = line; + } +- } else { +- // Case of an empty password file +- throw new Exception("File '" + pwfile + "' is empty!"); +- } ++ + } finally { + if (br != null) { + br.close(); +@@ -397,7 +399,7 @@ public class MainCLI extends CLI { + + if (certPasswordFile != null) { + // read client security database password from specified file +- tokenPasswordPair = readPlaintextPasswordFromFile(certPasswordFile); ++ tokenPasswordPair = loadPassword(certPasswordFile); + // XXX TBD set client security database token + + certPassword = tokenPasswordPair[1]; +@@ -411,7 +413,7 @@ public class MainCLI extends CLI { + + if (passwordFile != null) { + // read user password from specified file +- tokenPasswordPair = readPlaintextPasswordFromFile(passwordFile); ++ tokenPasswordPair = loadPassword(passwordFile); + // XXX TBD set user token + + password = tokenPasswordPair[1]; +-- +1.8.3.1 + + +From 9741b7873005419b922ba79c61ef98ae17cb58be Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Sat, 3 Jun 2017 02:03:32 +0200 +Subject: [PATCH 20/27] Refactored MainCLI.loadPassword() (part 2). + +The MainCLI.loadPassword() has been modified to fix the code +indentation. 
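Review bot: `loadPassword` reads a single `br.readLine()` and never looks at the rest of the file, so a `password.conf`-style file with several `token=password` entries silently yields only its first line, and the `token` half of that line is then ignored by both callers (the `// XXX TBD set ... token` comments in the `@@ -397` and `@@ -411` hunks). That deserves a Javadoc on the method, e.g. `/** Reads the first line of pwfile as either "password" or "token=password"; later lines are ignored and callers currently discard the token. */`. The thrown messages include the file path, which is fine for a CLI, but a dedicated exception type would let callers distinguish a missing file from a malformed one.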
+ +https://pagure.io/dogtagpki/issue/2717 + +Change-Id: I7d208f1f4568f2fb1323ab206f45af5c0338b53f +--- + .../src/com/netscape/cmstools/cli/MainCLI.java | 49 +++++++++++----------- + 1 file changed, 25 insertions(+), 24 deletions(-) + +diff --git a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java +index 2402196..2b6b173 100644 +--- a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java ++++ b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java +@@ -247,35 +247,36 @@ public class MainCLI extends CLI { + throw new Exception("File '" + pwfile + "' does not define a token or a password!"); + } + +- if (line.contains(delimiter)) { +- // Process 'token=password' format: +- // +- // Token: tokenPassword[0] +- // Password: tokenPassword[1] +- // +- tokenPassword = line.split(delimiter, 2); +- +- // Always trim leading/trailing whitespace from 'token' +- tokenPassword[0] = tokenPassword[0].trim(); +- +- // Check for undefined 'token' +- if (tokenPassword[0].isEmpty()) { +- // Set default 'token' +- tokenPassword[0] = CryptoUtil.INTERNAL_TOKEN_NAME; +- } +- +- // Check for undefined 'password' +- if (tokenPassword[1].isEmpty()) { +- throw new Exception("File '" + pwfile + "' does not define a password!"); +- } +- } else { ++ if (line.contains(delimiter)) { ++ // Process 'token=password' format: ++ // ++ // Token: tokenPassword[0] ++ // Password: tokenPassword[1] ++ // ++ tokenPassword = line.split(delimiter, 2); ++ ++ // Always trim leading/trailing whitespace from 'token' ++ tokenPassword[0] = tokenPassword[0].trim(); ++ ++ // Check for undefined 'token' ++ if (tokenPassword[0].isEmpty()) { + // Set default 'token' + tokenPassword[0] = CryptoUtil.INTERNAL_TOKEN_NAME; ++ } + +- // Set simple 'password' (do not trim leading/trailing whitespace) +- tokenPassword[1] = line; ++ // Check for undefined 'password' ++ if (tokenPassword[1].isEmpty()) { ++ throw new Exception("File '" + pwfile + "' does 
not define a password!"); + } + ++ } else { ++ // Set default 'token' ++ tokenPassword[0] = CryptoUtil.INTERNAL_TOKEN_NAME; ++ ++ // Set simple 'password' (do not trim leading/trailing whitespace) ++ tokenPassword[1] = line; ++ } ++ + } finally { + if (br != null) { + br.close(); +-- +1.8.3.1 + + +From 729468e46612569da4c93b15bc0d674099003aba Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Sat, 3 Jun 2017 02:28:00 +0200 +Subject: [PATCH 21/27] Refactored MainCLI.loadPassword() (part 3). + +The MainCLI.loadPassword() has been modified to use try-with- +resources. Some log messages have been added for clarity. + +https://pagure.io/dogtagpki/issue/2717 + +Change-Id: Ic4950ba677613565f548b51d1f985177c6726510 +--- + .../src/com/netscape/cmstools/cli/MainCLI.java | 21 +++++++++------------ + 1 file changed, 9 insertions(+), 12 deletions(-) + +diff --git a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java +index 2b6b173..dcc60e2 100644 +--- a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java ++++ b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java +@@ -230,12 +230,11 @@ public class MainCLI extends CLI { + } + + public String[] loadPassword(String pwfile) throws Exception { ++ + String[] tokenPassword = { null, null }; +- BufferedReader br = null; + String delimiter = "="; + +- try { +- br = new BufferedReader(new FileReader(pwfile)); ++ try (BufferedReader br = new BufferedReader(new FileReader(pwfile))) { + + String line = br.readLine(); + +@@ -276,11 +275,6 @@ public class MainCLI extends CLI { + // Set simple 'password' (do not trim leading/trailing whitespace) + tokenPassword[1] = line; + } +- +- } finally { +- if (br != null) { +- br.close(); +- } + } + + return tokenPassword; +@@ -399,7 +393,7 @@ public class MainCLI extends CLI { + config.setCertNickname(certNickname); + + if (certPasswordFile != null) { +- // read client security database password from specified file 
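Review bot: the new `try (BufferedReader br = new BufferedReader(new FileReader(pwfile)))` still decodes the password file with the platform default charset, while `generate_password` earlier in this series documents that generated passwords may contain non-ASCII characters; under a non-UTF-8 locale such a password is mis-decoded and the later `token.login` fails with a misleading error. Use `new InputStreamReader(new FileInputStream(pwfile), StandardCharsets.UTF_8)` in place of `FileReader`, or document the required encoding on the method. The code that writes these files is not visible here, so confirm which encoding it actually uses.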
++ if (verbose) System.out.println("Loading NSS password from " + certPasswordFile); + tokenPasswordPair = loadPassword(certPasswordFile); + // XXX TBD set client security database token + +@@ -413,7 +407,7 @@ public class MainCLI extends CLI { + config.setUsername(username); + + if (passwordFile != null) { +- // read user password from specified file ++ if (verbose) System.out.println("Loading user password from " + passwordFile); + tokenPasswordPair = loadPassword(passwordFile); + // XXX TBD set user token + +@@ -494,15 +488,18 @@ public class MainCLI extends CLI { + + // If password is specified, use password to access security token + if (config.getCertPassword() != null) { +- if (verbose) System.out.println("Logging into security token"); ++ + try { + CryptoManager manager = CryptoManager.getInstance(); + + String tokenName = config.getTokenName(); +- CryptoToken token = CryptoUtil.getKeyStorageToken(tokenName); ++ if (verbose) System.out.println("Getting " + (tokenName == null ? "internal" : tokenName) + " token"); + ++ CryptoToken token = CryptoUtil.getKeyStorageToken(tokenName); + manager.setThreadToken(token); + ++ if (verbose) System.out.println("Logging into " + token.getName()); ++ + Password password = new Password(config.getCertPassword().toCharArray()); + token.login(password); + +-- +1.8.3.1 + + +From d4e5176702b3a08a67233e069ac211e95e01b228 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Sat, 3 Jun 2017 01:32:37 +0200 +Subject: [PATCH 22/27] Refactored CLI.runExternal(). + +The methods for running external commands in various CLI classes +have been merged into CLI.runExternal(). 
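Review bot: `Password password = new Password(config.getCertPassword().toCharArray());` creates a JSS `Password`, which wraps a mutable char array meant to be wiped with `clear()` once `token.login(password)` returns; the hunk ends right after the login call, so I cannot see whether it is cleared, and if not a `finally { password.clear(); }` is warranted. The secret also lives in `config.getCertPassword()` as an immutable `String` for the process lifetime, which is worth a comment at the call site. The new verbose lines print only the token name, which is fine; keep it that way.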
+ +https://pagure.io/dogtagpki/issue/2717 + +Change-Id: I5b6d136db699d3bb48e4f36f7f187d0240bbbf62 +--- + .../src/com/netscape/cmstools/cli/CLI.java | 35 ++++++++++++++++++++++ + .../src/com/netscape/cmstools/cli/MainCLI.java | 10 +++---- + .../cmstools/client/ClientCertImportCLI.java | 23 ++------------ + .../cmstools/client/ClientCertModifyCLI.java | 35 +++++----------------- + .../cmstools/client/ClientCertRequestCLI.java | 10 +++---- + .../cmstools/client/ClientCertShowCLI.java | 27 +++-------------- + .../netscape/cmstools/client/ClientInitCLI.java | 25 ++++++---------- + 7 files changed, 65 insertions(+), 100 deletions(-) + +diff --git a/base/java-tools/src/com/netscape/cmstools/cli/CLI.java b/base/java-tools/src/com/netscape/cmstools/cli/CLI.java +index 4911b8a..60db7a1 100644 +--- a/base/java-tools/src/com/netscape/cmstools/cli/CLI.java ++++ b/base/java-tools/src/com/netscape/cmstools/cli/CLI.java +@@ -18,6 +18,7 @@ + + package com.netscape.cmstools.cli; + ++import java.io.IOException; + import java.util.ArrayList; + import java.util.Collection; + import java.util.LinkedHashMap; +@@ -351,4 +352,38 @@ public class CLI { + public static void setVerbose(boolean verbose) { + CLI.verbose = verbose; + } ++ ++ public void runExternal(List command) throws CLIException, IOException, InterruptedException { ++ String[] array = command.toArray(new String[command.size()]); ++ runExternal(array); ++ } ++ ++ public void runExternal(String[] command) throws CLIException, IOException, InterruptedException { ++ ++ if (verbose) { ++ ++ System.out.print("External command:"); ++ ++ for (String c : command) { ++ ++ boolean quote = c.contains(" "); ++ ++ System.out.print(" "); ++ ++ if (quote) System.out.print("\""); ++ System.out.print(c); ++ if (quote) System.out.print("\""); ++ } ++ ++ System.out.println(); ++ } ++ ++ Runtime rt = Runtime.getRuntime(); ++ Process p = rt.exec(command); ++ int rc = p.waitFor(); ++ ++ if (rc != 0) { ++ throw new CLIException("External command 
failed. RC: " + rc, rc); ++ } ++ } + } +diff --git a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java +index dcc60e2..51861b5 100644 +--- a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java ++++ b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java +@@ -473,12 +473,10 @@ public class MainCLI extends CLI { + "--empty-password" + }; + +- Runtime rt = Runtime.getRuntime(); +- Process p = rt.exec(commands); +- +- int rc = p.waitFor(); +- if (rc != 0) { +- throw new Exception("Unable to create security database: " + certDatabase.getAbsolutePath() + " (rc: " + rc + ")"); ++ try { ++ runExternal(commands); ++ } catch (Exception e) { ++ throw new Exception("Unable to create security database", e); + } + } + +diff --git a/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java b/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java +index 9cb3e67..687dfc4 100644 +--- a/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java ++++ b/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java +@@ -21,14 +21,12 @@ package com.netscape.cmstools.client; + import java.io.File; + import java.io.FileOutputStream; + import java.io.FileWriter; +-import java.io.IOException; + import java.io.PrintWriter; + import java.net.URI; + import java.util.Arrays; + + import org.apache.commons.cli.CommandLine; + import org.apache.commons.cli.Option; +-import org.apache.commons.lang.StringUtils; + + import com.netscape.certsrv.cert.CertClient; + import com.netscape.certsrv.cert.CertData; +@@ -283,8 +281,7 @@ public class ClientCertImportCLI extends CLI { + }; + + try { +- run(command); +- ++ runExternal(command); + } catch (Exception e) { + throw new Exception("Unable to import certificate file", e); + } +@@ -305,25 +302,9 @@ public class ClientCertImportCLI extends CLI { + }; + + try { +- run(command); +- ++ runExternal(command); + } catch 
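Review bot: `runExternal` calls `rt.exec(command)` and then `p.waitFor()` without consuming the child's stdout/stderr, so a `certutil`/`pk12util` that writes more than the pipe buffer blocks and the CLI hangs, and on failure the user sees only `RC: n` while the tool's actual error text is discarded. Replace the two lines with `Process p = new ProcessBuilder(command).inheritIO().start();` followed by `int rc = p.waitFor();` so output reaches the terminal. The verbose echo prints every argument verbatim; at this point in the series `importPKCS12` still passes the NSS DB password as `-K dbPassword` (removed only in the next commit), so `--verbose` would have printed it, and a comment on `runExternal` should warn that arguments are echoed and secrets must travel via files.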
(Exception e) { + throw new Exception("Unable to import PKCS #12 file", e); + } + } +- +- public void run(String[] command) throws IOException, InterruptedException { +- +- if (verbose) { +- System.out.println("Command: " + StringUtils.join(command, " ")); +- } +- +- Runtime rt = Runtime.getRuntime(); +- Process p = rt.exec(command); +- int rc = p.waitFor(); +- +- if (rc != 0) { +- throw new IOException("Command failed. RC: " + rc); +- } +- } + } +diff --git a/base/java-tools/src/com/netscape/cmstools/client/ClientCertModifyCLI.java b/base/java-tools/src/com/netscape/cmstools/client/ClientCertModifyCLI.java +index f229e67..8ae7c6d 100644 +--- a/base/java-tools/src/com/netscape/cmstools/client/ClientCertModifyCLI.java ++++ b/base/java-tools/src/com/netscape/cmstools/client/ClientCertModifyCLI.java +@@ -18,8 +18,6 @@ + + package com.netscape.cmstools.client; + +-import java.io.IOException; +- + import org.apache.commons.cli.CommandLine; + import org.apache.commons.cli.Option; + +@@ -75,38 +73,19 @@ public class ClientCertModifyCLI extends CLI { + + String trustAttributes = cmd.getOptionValue("trust", "u,u,u"); + +- int rc = modifyCert( +- mainCLI.certDatabase.getAbsolutePath(), +- nickname, +- trustAttributes); +- +- if (rc != 0) { +- MainCLI.printMessage("Modified failed"); +- return; +- } +- +- MainCLI.printMessage("Modified certificate \"" + nickname + "\""); +- } +- +- public int modifyCert( +- String dbPath, +- String nickname, +- String trustAttributes) throws IOException, InterruptedException { +- + String[] command = { + "/usr/bin/certutil", "-M", +- "-d", dbPath, ++ "-d", mainCLI.certDatabase.getAbsolutePath(), + "-n", nickname, + "-t", trustAttributes + }; + +- return run(command); +- } +- +- public int run(String[] command) throws IOException, InterruptedException { ++ try { ++ runExternal(command); ++ } catch (Exception e) { ++ throw new Exception("Unable to modify certificate", e); ++ } + +- Runtime rt = Runtime.getRuntime(); +- Process p = 
rt.exec(command); +- return p.waitFor(); ++ MainCLI.printMessage("Modified certificate \"" + nickname + "\""); + } + } +diff --git a/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java b/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java +index 696ab8b..a14bb24 100644 +--- a/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java ++++ b/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java +@@ -386,12 +386,10 @@ public class ClientCertRequestCLI extends CLI { + "-n", subjectDN + }; + +- Runtime rt = Runtime.getRuntime(); +- Process p = rt.exec(commands); +- +- int rc = p.waitFor(); +- if (rc != 0) { +- throw new Exception("CSR generation failed"); ++ try { ++ runExternal(commands); ++ } catch (Exception e) { ++ throw new Exception("CSR generation failed", e); + } + + if (verbose) { +diff --git a/base/java-tools/src/com/netscape/cmstools/client/ClientCertShowCLI.java b/base/java-tools/src/com/netscape/cmstools/client/ClientCertShowCLI.java +index 2242b37..bb60fbf 100644 +--- a/base/java-tools/src/com/netscape/cmstools/client/ClientCertShowCLI.java ++++ b/base/java-tools/src/com/netscape/cmstools/client/ClientCertShowCLI.java +@@ -20,13 +20,11 @@ package com.netscape.cmstools.client; + + import java.io.File; + import java.io.FileWriter; +-import java.io.IOException; + import java.io.PrintWriter; + + import org.apache.commons.cli.CommandLine; + import org.apache.commons.cli.Option; + import org.apache.commons.lang.RandomStringUtils; +-import org.apache.commons.lang.StringUtils; + import org.mozilla.jss.crypto.X509Certificate; + + import com.netscape.certsrv.client.PKIClient; +@@ -192,8 +190,7 @@ public class ClientCertShowCLI extends CLI { + }; + + try { +- run(command); +- ++ runExternal(command); + } catch (Exception e) { + throw new Exception("Unable to export PKCS #12 file", e); + } +@@ -215,8 +212,7 @@ public class ClientCertShowCLI extends CLI { + }; + + try { +- run(command); 
+- ++ runExternal(command); + } catch (Exception e) { + throw new Exception("Unable to export certificate", e); + } +@@ -238,8 +234,7 @@ public class ClientCertShowCLI extends CLI { + }; + + try { +- run(command); +- ++ runExternal(command); + } catch (Exception e) { + throw new Exception("Unable to export private key", e); + } +@@ -261,23 +256,9 @@ public class ClientCertShowCLI extends CLI { + }; + + try { +- run(command); +- ++ runExternal(command); + } catch (Exception e) { + throw new Exception("Unable to export client certificate and private key", e); + } + } +- +- public void run(String[] command) throws IOException, InterruptedException { +- +- if (verbose) System.out.println("Command: " + StringUtils.join(command, " ")); +- +- Runtime rt = Runtime.getRuntime(); +- Process p = rt.exec(command); +- int rc = p.waitFor(); +- +- if (rc != 0) { +- throw new IOException("Command failed. RC: " + rc); +- } +- } + } +diff --git a/base/java-tools/src/com/netscape/cmstools/client/ClientInitCLI.java b/base/java-tools/src/com/netscape/cmstools/client/ClientInitCLI.java +index 893b40b..7e018de 100644 +--- a/base/java-tools/src/com/netscape/cmstools/client/ClientInitCLI.java ++++ b/base/java-tools/src/com/netscape/cmstools/client/ClientInitCLI.java +@@ -95,12 +95,11 @@ public class ClientInitCLI extends CLI { + File passwordFile = new File(certDatabase, "password.txt"); + + try { +- String[] commands = { +- "/usr/bin/certutil", "-N", +- "-d", certDatabase.getAbsolutePath(), +- }; +- +- List list = new ArrayList<>(Arrays.asList(commands)); ++ List list = new ArrayList<>(); ++ list.add("/usr/bin/certutil"); ++ list.add("-N"); ++ list.add("-d"); ++ list.add(certDatabase.getAbsolutePath()); + + if (mainCLI.config.getCertPassword() == null) { + list.add("--empty-password"); +@@ -114,16 +113,10 @@ public class ClientInitCLI extends CLI { + list.add(passwordFile.getAbsolutePath()); + } + +- commands = new String[list.size()]; +- list.toArray(commands); +- +- Runtime rt = 
Runtime.getRuntime(); +- Process p = rt.exec(commands); +- +- int rc = p.waitFor(); +- if (rc != 0) { +- MainCLI.printMessage("Client initialization failed"); +- return; ++ try { ++ runExternal(list); ++ } catch (Exception e) { ++ throw new Exception("Client initialization failed", e); + } + + MainCLI.printMessage("Client initialized"); +-- +1.8.3.1 + + +From 3ef47867df74eb9dce408b88756ccce7d7438da5 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Sat, 3 Jun 2017 00:29:29 +0200 +Subject: [PATCH 23/27] Fixed pki client-cert-import CLI. + +The pki client-cert-import CLI has been modified to provide a +password file when invoking the certutil -A command. + +https://pagure.io/dogtagpki/issue/2717 + +Change-Id: If32f9eeb39d140aaef38c9bc1933f3ae0f57a5a2 +--- + .../cmstools/client/ClientCertImportCLI.java | 94 +++++++++++++++------- + 1 file changed, 66 insertions(+), 28 deletions(-) + +diff --git a/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java b/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java +index 687dfc4..1c67f99 100644 +--- a/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java ++++ b/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java +@@ -23,7 +23,9 @@ import java.io.FileOutputStream; + import java.io.FileWriter; + import java.io.PrintWriter; + import java.net.URI; ++import java.util.ArrayList; + import java.util.Arrays; ++import java.util.List; + + import org.apache.commons.cli.CommandLine; + import org.apache.commons.cli.Option; +@@ -128,6 +130,20 @@ public class ClientCertImportCLI extends CLI { + String serialNumber = cmd.getOptionValue("serial"); + String trustAttributes = cmd.getOptionValue("trust"); + ++ File nssdbPasswordFile = null; ++ ++ if (mainCLI.config.getCertPassword() != null) { ++ ++ // store NSS database password in a temporary file ++ ++ nssdbPasswordFile = File.createTempFile("pki-client-cert-import-", ".nssdb-pwd"); ++ 
nssdbPasswordFile.deleteOnExit(); ++ ++ try (PrintWriter out = new PrintWriter(new FileWriter(nssdbPasswordFile))) { ++ out.print(mainCLI.config.getCertPassword()); ++ } ++ } ++ + // load the certificate + if (certPath != null) { + +@@ -137,7 +153,8 @@ public class ClientCertImportCLI extends CLI { + trustAttributes = "u,u,u"; + + importCert( +- mainCLI.certDatabase.getAbsolutePath(), ++ mainCLI.certDatabase, ++ nssdbPasswordFile, + certPath, + nickname, + trustAttributes); +@@ -150,7 +167,8 @@ public class ClientCertImportCLI extends CLI { + trustAttributes = "CT,c,"; + + importCert( +- mainCLI.certDatabase.getAbsolutePath(), ++ mainCLI.certDatabase, ++ nssdbPasswordFile, + caCertPath, + nickname, + trustAttributes); +@@ -164,7 +182,7 @@ public class ClientCertImportCLI extends CLI { + + } else if (pkcs12Password != null) { + // store password into a temporary file +- File pkcs12PasswordFile = File.createTempFile("pki-client-cert-import-", ".pwd"); ++ File pkcs12PasswordFile = File.createTempFile("pki-client-cert-import-", ".pkcs12-pwd"); + pkcs12PasswordFile.deleteOnExit(); + + try (PrintWriter out = new PrintWriter(new FileWriter(pkcs12PasswordFile))) { +@@ -182,8 +200,8 @@ public class ClientCertImportCLI extends CLI { + + // import certificates and private key into PKCS #12 file + importPKCS12( +- mainCLI.certDatabase.getAbsolutePath(), +- mainCLI.config.getCertPassword(), ++ mainCLI.certDatabase, ++ nssdbPasswordFile, + pkcs12Path, + pkcs12PasswordPath); + +@@ -212,7 +230,8 @@ public class ClientCertImportCLI extends CLI { + trustAttributes = "CT,c,"; + + importCert( +- mainCLI.certDatabase.getAbsolutePath(), ++ mainCLI.certDatabase, ++ nssdbPasswordFile, + certFile.getAbsolutePath(), + nickname, + trustAttributes); +@@ -245,7 +264,8 @@ public class ClientCertImportCLI extends CLI { + trustAttributes = "u,u,u"; + + importCert( +- mainCLI.certDatabase.getAbsolutePath(), ++ mainCLI.certDatabase, ++ nssdbPasswordFile, + certFile.getAbsolutePath(), + nickname, + 
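Review bot: the NSS database password is written to `File.createTempFile(...)`, which creates the file with the umask-derived default mode rather than owner-only permissions, and `deleteOnExit()` runs only on orderly JVM shutdown, so a killed process leaves the password on disk in the temp directory. Use the NIO variant, which creates the file `rw-------` on POSIX, `nssdbPasswordFile = Files.createTempFile("pki-client-cert-import-", ".nssdb-pwd").toFile();`, and delete it in a `finally` at the end of `execute`, which lies outside this hunk. The same applies to the PKCS #12 password file created further down.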
trustAttributes); +@@ -263,8 +283,9 @@ public class ClientCertImportCLI extends CLI { + } + + public void importCert( +- String dbPath, +- String certPath, ++ File dbPath, ++ File dbPasswordFile, ++ String certFile, + String nickname, + String trustAttributes) throws Exception { + +@@ -272,13 +293,23 @@ public class ClientCertImportCLI extends CLI { + throw new Exception("Missing certificate nickname."); + } + +- String[] command = { +- "/bin/certutil", "-A", +- "-d", dbPath, +- "-i", certPath, +- "-n", nickname, +- "-t", trustAttributes +- }; ++ List command = new ArrayList<>(); ++ command.add("/bin/certutil"); ++ command.add("-A"); ++ command.add("-d"); ++ command.add(dbPath.getAbsolutePath()); ++ ++ if (dbPasswordFile != null) { ++ command.add("-f"); ++ command.add(dbPasswordFile.getAbsolutePath()); ++ } ++ ++ command.add("-i"); ++ command.add(certFile); ++ command.add("-n"); ++ command.add(nickname); ++ command.add("-t"); ++ command.add(trustAttributes); + + try { + runExternal(command); +@@ -288,18 +319,25 @@ public class ClientCertImportCLI extends CLI { + } + + public void importPKCS12( +- String dbPath, +- String dbPassword, +- String pkcs12Path, +- String pkcs12PasswordPath) throws Exception { +- +- String[] command = { +- "/bin/pk12util", +- "-d", dbPath, +- "-K", dbPassword, +- "-i", pkcs12Path, +- "-w", pkcs12PasswordPath +- }; ++ File dbPath, ++ File dbPasswordFile, ++ String pkcs12File, ++ String pkcs12PasswordFile) throws Exception { ++ ++ List command = new ArrayList<>(); ++ command.add("/bin/pk12util"); ++ command.add("-d"); ++ command.add(dbPath.getAbsolutePath()); ++ ++ if (dbPasswordFile != null) { ++ command.add("-k"); ++ command.add(dbPasswordFile.getAbsolutePath()); ++ } ++ ++ command.add("-i"); ++ command.add(pkcs12File); ++ command.add("-w"); ++ command.add(pkcs12PasswordFile); + + try { + runExternal(command); +-- +1.8.3.1 + + +From 64b7b7abfed29b6a520be66414139364d713461e Mon Sep 17 00:00:00 2001 +From: "Endi S. 
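Review bot: `importPKCS12` now takes the database password as `File dbPasswordFile` but the PKCS #12 password as `String pkcs12PasswordFile`, and `importCert` likewise mixes `File dbPath` with `String certFile`; both password files are produced the same way by the caller, so give them the same type, `File pkcs12PasswordFile` with `command.add(pkcs12PasswordFile.getAbsolutePath());`. Note also that when `dbPasswordFile` is null neither `-f` nor `-k` is passed, so a password-protected database will make certutil/pk12util prompt on the terminal; if this CLI is meant to run unattended it should fail with a clear message instead (whether callers guarantee a non-null file is not visible here). Both methods' bodies continue past the hunk.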
Dewata" +Date: Sat, 3 Jun 2017 03:52:09 +0200 +Subject: [PATCH 24/27] Fixed default CA cert trust flags in pki CLI. + +The pki CLI has been modified to use CT,C,C as the default trust +flags for CA certificate import operations. + +https://pagure.io/dogtagpki/issue/2726 + +Change-Id: I68c5a0303459319cc746a77703d0a420f4f68377 +--- + base/common/python/pki/cli/pkcs12.py | 2 +- + .../src/com/netscape/cmstools/client/ClientCertImportCLI.java | 4 ++-- + .../cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java | 1 + + 3 files changed, 4 insertions(+), 3 deletions(-) + +diff --git a/base/common/python/pki/cli/pkcs12.py b/base/common/python/pki/cli/pkcs12.py +index 6b99fcf..2f8aabf 100644 +--- a/base/common/python/pki/cli/pkcs12.py ++++ b/base/common/python/pki/cli/pkcs12.py +@@ -237,7 +237,7 @@ class PKCS12ImportCLI(pki.cli.CLI): + trust_flags = cert_info['trust_flags'] + else: + # default trust flags for CA certificates +- trust_flags = 'CT,c,c' ++ trust_flags = 'CT,C,C' + + if main_cli.verbose: + print('Exporting %s (%s) from PKCS #12 file' % (nickname, cert_id)) +diff --git a/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java b/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java +index 1c67f99..844453e 100644 +--- a/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java ++++ b/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java +@@ -164,7 +164,7 @@ public class ClientCertImportCLI extends CLI { + if (verbose) System.out.println("Importing CA certificate from " + caCertPath + "."); + + if (trustAttributes == null) +- trustAttributes = "CT,c,"; ++ trustAttributes = "CT,C,C"; + + importCert( + mainCLI.certDatabase, +@@ -227,7 +227,7 @@ public class ClientCertImportCLI extends CLI { + } + + if (trustAttributes == null) +- trustAttributes = "CT,c,"; ++ trustAttributes = "CT,C,C"; + + importCert( + mainCLI.certDatabase, +diff --git 
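Review bot: The new default `trustAttributes = "CT,C,C"` marks an imported CA as a trusted issuer for S/MIME and object signing as well as TLS, whereas the previous `CT,c,` trusted it for TLS only and left the other usages as merely valid or unset. A client database that the pki CLI uses to reach a server over HTTPS needs only the first field, so the broader trust is a policy decision the commit message does not justify; either keep the last two fields at `c` or add a comment above the assignment stating why they must be `C`, e.g. `// CT,C,C: trusted CA for TLS (client and server), S/MIME and object signing`. The default applies only when the caller passed no explicit value, and the same change is mirrored in the second hunk and in pkcs12.py.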
a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java +index c9a375f..ebade36 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java +@@ -1113,6 +1113,7 @@ public class ConfigurationUtils { + | InternalCertificate.VALID_CA); + + } else if (isAuditSigningCert(name)) { ++ // set trust flags to u,u,Pu + icert.setObjectSigningTrust(InternalCertificate.USER + | InternalCertificate.VALID_PEER + | InternalCertificate.TRUSTED_PEER); +-- +1.8.3.1 + + +From c0b2daef934a8f5ac1c61d673865348aa2a0f702 Mon Sep 17 00:00:00 2001 +From: Fraser Tweedale +Date: Thu, 25 May 2017 15:32:14 +1000 +Subject: [PATCH 25/27] Improve exception message for null + AuthorityKeyIdentifier + +When the Authority Key Identifier extension cannot be instantiated, +we currently fail with a generic "extension not found" error +message. Throw a better exception for this case in particular, and +improve the exception message for the general case of attempting to +add a null exception. 
+ +Fixes: https://pagure.io/dogtagpki/issue/2705 +Change-Id: Ic79742d8a228391275ffe5bfeef0a324f6b431bd +--- + .../netscape/cms/profile/def/AuthorityKeyIdentifierExtDefault.java | 4 ++++ + base/server/cms/src/com/netscape/cms/profile/def/EnrollDefault.java | 2 +- + 2 files changed, 5 insertions(+), 1 deletion(-) + +diff --git a/base/server/cms/src/com/netscape/cms/profile/def/AuthorityKeyIdentifierExtDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/AuthorityKeyIdentifierExtDefault.java +index 42931de..f8d8b44 100644 +--- a/base/server/cms/src/com/netscape/cms/profile/def/AuthorityKeyIdentifierExtDefault.java ++++ b/base/server/cms/src/com/netscape/cms/profile/def/AuthorityKeyIdentifierExtDefault.java +@@ -183,6 +183,10 @@ public class AuthorityKeyIdentifierExtDefault extends CAEnrollDefault { + } catch (EBaseException e) { + throw new EProfileException(e); + } ++ if (ext == null) { ++ throw new EProfileException( ++ "Could not instantiate AuthorityKeyIdentifier extension."); ++ } + addExtension(PKIXExtensions.AuthorityKey_Id.toString(), ext, info); + } + +diff --git a/base/server/cms/src/com/netscape/cms/profile/def/EnrollDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/EnrollDefault.java +index 1d5bfc4..6192888 100644 +--- a/base/server/cms/src/com/netscape/cms/profile/def/EnrollDefault.java ++++ b/base/server/cms/src/com/netscape/cms/profile/def/EnrollDefault.java +@@ -367,7 +367,7 @@ public abstract class EnrollDefault implements IPolicyDefault, ICertInfoPolicyDe + protected void addExtension(String name, Extension ext, X509CertInfo info) + throws EProfileException { + if (ext == null) { +- throw new EProfileException("extension not found"); ++ throw new EProfileException("addExtension: extension '" + name + "' is null"); + } + CertificateExtensions exts = null; + +-- +1.8.3.1 + diff --git a/SOURCES/pki-core-snapshot-4.patch b/SOURCES/pki-core-snapshot-4.patch new file mode 100644 index 0000000..fa0082b --- /dev/null 
+++ b/SOURCES/pki-core-snapshot-4.patch 
@@ -0,0 +1,3667 @@ +From aa39354dbbf9df404f6ad374c837db0c421f2705 Mon Sep 17 00:00:00 2001 +From: Christina Fu +Date: Mon, 5 Jun 2017 08:50:25 -0700 +Subject: [PATCH 01/14] Ticket #2617 part2: add revocation check to signing + cert + +--- + .../cms/authentication/CMCUserSignedAuth.java | 19 +++++++++++++++++++ + .../authentication/CertUserDBAuthentication.java | 2 +- + 2 files changed, 20 insertions(+), 1 deletion(-) + +diff --git a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java +index 2128c1e..a18c25e 100644 +--- a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java ++++ b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java +@@ -29,6 +29,7 @@ import java.io.ByteArrayInputStream; + import java.io.ByteArrayOutputStream; + import java.io.IOException; + import java.math.BigInteger; ++import java.security.cert.CertificateExpiredException; + import java.security.MessageDigest; + import java.security.PublicKey; + import java.util.Enumeration; +@@ -1076,7 +1077,10 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, + si.verify(digest, id, pubK); + } + CMS.debug(method + "finished checking signature"); ++ + // verify signer's certificate using the revocator ++ // ...or not; I think it just checks usage and ++ // validity, but not revocation status + if (!cm.isCertValid(certByteArray, true, CryptoManager.CertUsage.SSLClient)) { + CMS.debug(method + "CMC signature failed to be verified"); + s.close(); +@@ -1086,6 +1090,21 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, + } + // At this point, the signature has been verified; + ++ // now check revocation status of the cert ++ if (CMS.isRevoked(x509Certs)) { ++ CMS.debug(method + "CMC signing cert is a revoked certificate"); ++ throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); 
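Review bot: The added comment `// ...or not; I think it just checks usage and validity, but not revocation status` records a guess rather than a fact and directly contradicts the line above it, so a later reader cannot tell whether isCertValid() covers revocation at all. Verify it and replace the three comment lines with one definitive statement, e.g. `// isCertValid() checks key usage and validity period only; revocation is checked separately below`. The enclosing method starts and ends outside this hunk.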
++ } ++ try { //do this again anyways ++ cert.checkValidity(); ++ } catch (CertificateExpiredException e) { ++ CMS.debug(method + "CMC signing cert is an expired certificate"); ++ throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); ++ } catch (Exception e) { ++ CMS.debug(method + e.toString()); ++ throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); ++ } ++ + IAuthToken tempToken = new AuthToken(null); + /* + netscape.security.x509.X500Name tempPrincipal = (X500Name) x509Certs[0].getSubjectDN(); +diff --git a/base/server/cmscore/src/com/netscape/cmscore/authentication/CertUserDBAuthentication.java b/base/server/cmscore/src/com/netscape/cmscore/authentication/CertUserDBAuthentication.java +index 998d7e2..ae450fa 100644 +--- a/base/server/cmscore/src/com/netscape/cmscore/authentication/CertUserDBAuthentication.java ++++ b/base/server/cmscore/src/com/netscape/cmscore/authentication/CertUserDBAuthentication.java +@@ -168,7 +168,7 @@ public class CertUserDBAuthentication implements IAuthManager, ICertUserDBAuthen + try { + user = (User) mCULocator.locateUser(certs); + } catch (EUsrGrpException e) { +- CMS.debug("CertUserDBAuthentication: cannot map certificate to any user"); ++ CMS.debug("CertUserDBAuthentication: cannot map certificate to any user" + e); + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_AUTH_AGENT_AUTH_FAILED", x509Certs[0].getSerialNumber() + .toString(16), x509Certs[0].getSubjectDN().toString(), e.toString())); + throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); +-- +1.8.3.1 + + +From 30fb7bf49ce0f4c726f937b3984a4e27abb39959 Mon Sep 17 00:00:00 2001 +From: Jack Magne +Date: Tue, 6 Jun 2017 16:16:32 -0700 +Subject: [PATCH 04/14] Minor fix to already fixed issue: + +The problem was that a tiny piece of the original patch didn't get checked in. This resolves this issue. 
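Review bot: The new check `if (CMS.isRevoked(x509Certs))` rejects only when the lookup positively reports revocation, so if isRevoked() returns false when the certificate record cannot be read (its contract is not visible here) the check fails open; confirm that, and if so wrap the call so that a lookup failure also throws EInvalidCredentials like the other branches. The revocation check is run on `x509Certs` while the validity check below runs on `cert`; if those can refer to different certificates, the revocation status of the actual signing certificate is the one that matters. The generic `catch (Exception e)` correctly covers CertificateNotYetValidException, but its debug line should say what failed, e.g. `CMS.debug(method + "CMC signing cert failed validity check: " + e);`. The enclosing method continues outside the hunk.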
+--- + base/native-tools/src/tkstool/key.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/base/native-tools/src/tkstool/key.c b/base/native-tools/src/tkstool/key.c +index e63da93..f208cbd 100644 +--- a/base/native-tools/src/tkstool/key.c ++++ b/base/native-tools/src/tkstool/key.c +@@ -1219,13 +1219,14 @@ TKS_StoreSymmetricKeyAndNameIt( char *symmetricKeyName, + rvExtractSymmetricKey = PK11_ExtractKeyValue( /* symmetric key */ symKey ); + if( rvExtractSymmetricKey != SECSuccess ) { + PR_fprintf( PR_STDERR, +- "ERROR: Failed to extract the %s key!\n\n", ++ "ERROR: Failed to extract the %s key for final display, OK if in FIPs mode!\n\n", + symmetricKeyName ); +- goto destroyHexSymmetricKey; +- } ++ symmetricKey = NULL; ++ } else { + +- /* If present, retrieve the raw key data */ +- symmetricKey = PK11_GetKeyData( /* symmetric key */ symKey ); ++ /* If present, retrieve the raw key data */ ++ symmetricKey = PK11_GetKeyData( /* symmetric key */ symKey ); ++ } + + #if defined(DEBUG) + /* For convenience, display the final symmetric key and */ +-- +1.8.3.1 + + +From 38df4274214938ceece85627abb6d4fe77b960ff Mon Sep 17 00:00:00 2001 +From: Ade Lee +Date: Fri, 26 May 2017 13:06:18 -0400 +Subject: [PATCH 06/14] Refactor client to not use keysets + +It is simpler to simply tell the client which +algorithm to use for key wrapping and encryption, rather +than use key sets. Therefore: + +* KRAInfo and CAInfo are refactored to provide the + algorithms required for key wrapping and encryption. + +* Client is modified to use these parameters to determine + which algorithms to use. + +* We specify the OIDs that will be used in the PKIARchiveOptions + more correctly. 
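Review bot: A PK11_ExtractKeyValue() failure is no longer fatal after this change, yet the message still begins with `ERROR:` and goes to stderr, and it misspells FIPS; since the only consequence is that the debug display is skipped, downgrade it to `"NOTE: Unable to extract the %s key value for display (expected in FIPS mode).\n\n"`. Assigning `symmetricKey = NULL;` is only safe if the `#if defined(DEBUG)` display block that follows checks for NULL before dereferencing; that code is outside this hunk, so confirm it. Printing raw symmetric key material even in DEBUG builds of a key-storage tool is itself worth a second look.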
The options are basically: + AES-128-CBC, DES3-CBC, AES KeyWrap/Pad + +Change-Id: Ic3fca902bbc45f7f72bcd4676c994f8a89c3a409 +--- + base/common/src/org/dogtagpki/common/CAInfo.java | 34 +++-- + base/common/src/org/dogtagpki/common/KRAInfo.java | 34 +++++ + .../src/com/netscape/cmstools/CRMFPopClient.java | 153 ++++++++++----------- + .../cmstools/client/ClientCertRequestCLI.java | 34 +---- + .../org/dogtagpki/server/rest/CAInfoService.java | 18 +-- + .../org/dogtagpki/server/rest/KRAInfoService.java | 40 +++++- + .../com/netscape/cmsutil/crypto/CryptoUtil.java | 22 +++ + 7 files changed, 206 insertions(+), 129 deletions(-) + +diff --git a/base/common/src/org/dogtagpki/common/CAInfo.java b/base/common/src/org/dogtagpki/common/CAInfo.java +index f21dcd0..0f68c7a 100644 +--- a/base/common/src/org/dogtagpki/common/CAInfo.java ++++ b/base/common/src/org/dogtagpki/common/CAInfo.java +@@ -54,7 +54,8 @@ public class CAInfo extends ResourceMessage { + } + + String archivalMechanism; +- String wrappingKeySet; ++ String encryptAlgorithm; ++ String keyWrapAlgorithm; + + @XmlElement(name="ArchivalMechanism") + public String getArchivalMechanism() { +@@ -65,13 +66,20 @@ public class CAInfo extends ResourceMessage { + this.archivalMechanism = archivalMechanism; + } + +- @XmlElement(name="WrappingKeySet") +- public String getWrappingKeySet() { +- return wrappingKeySet; ++ public String getEncryptAlgorithm() { ++ return encryptAlgorithm; + } + +- public void setWrappingKeySet(String wrappingKeySet) { +- this.wrappingKeySet = wrappingKeySet; ++ public void setEncryptAlgorithm(String encryptAlgorithm) { ++ this.encryptAlgorithm = encryptAlgorithm; ++ } ++ ++ public String getKeyWrapAlgorithm() { ++ return keyWrapAlgorithm; ++ } ++ ++ public void setKeyWrapAlgorithm(String keyWrapAlgorithm) { ++ this.keyWrapAlgorithm = keyWrapAlgorithm; + } + + @Override +@@ -79,7 +87,8 @@ public class CAInfo extends ResourceMessage { + final int prime = 31; + int result = super.hashCode(); + result = 
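Review bot: The new getters `getEncryptAlgorithm()` and `getKeyWrapAlgorithm()` carry no `@XmlElement` annotation, whereas the `getWrappingKeySet()` they replace was annotated `@XmlElement(name="WrappingKeySet")` and the matching KRAInfo getters added in this same commit are annotated; depending on the class's XmlAccessorType (not visible here) the fields may be marshalled under a different element name or not at all, which would hand the client a null key wrap algorithm. Add `@XmlElement(name="EncryptAlgorithm")` and `@XmlElement(name="KeyWrapAlgorithm")` above the two getters so the wire format stays explicit.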
prime * result + ((archivalMechanism == null) ? 0 : archivalMechanism.hashCode()); +- result = prime * result + ((wrappingKeySet == null) ? 0 : wrappingKeySet.hashCode()); ++ result = prime * result + ((encryptAlgorithm == null) ? 0 : encryptAlgorithm.hashCode()); ++ result = prime * result + ((keyWrapAlgorithm == null) ? 0 : keyWrapAlgorithm.hashCode()); + return result; + } + +@@ -97,10 +106,15 @@ public class CAInfo extends ResourceMessage { + return false; + } else if (!archivalMechanism.equals(other.archivalMechanism)) + return false; +- if (wrappingKeySet == null) { +- if (other.wrappingKeySet != null) ++ if (encryptAlgorithm == null) { ++ if (other.encryptAlgorithm != null) ++ return false; ++ } else if (!encryptAlgorithm.equals(other.encryptAlgorithm)) ++ return false; ++ if (keyWrapAlgorithm == null) { ++ if (other.keyWrapAlgorithm != null) + return false; +- } else if (!wrappingKeySet.equals(other.wrappingKeySet)) ++ } else if (!keyWrapAlgorithm.equals(other.keyWrapAlgorithm)) + return false; + return true; + } +diff --git a/base/common/src/org/dogtagpki/common/KRAInfo.java b/base/common/src/org/dogtagpki/common/KRAInfo.java +index e17bd64..66fb992 100644 +--- a/base/common/src/org/dogtagpki/common/KRAInfo.java ++++ b/base/common/src/org/dogtagpki/common/KRAInfo.java +@@ -55,6 +55,8 @@ public class KRAInfo extends ResourceMessage { + + String archivalMechanism; + String recoveryMechanism; ++ String encryptAlgorithm; ++ String wrapAlgorithm; + + @XmlElement(name="ArchivalMechanism") + public String getArchivalMechanism() { +@@ -74,12 +76,32 @@ public class KRAInfo extends ResourceMessage { + this.recoveryMechanism = recoveryMechanism; + } + ++ @XmlElement(name="EncryptAlgorithm") ++ public String getEncryptAlgorithm() { ++ return encryptAlgorithm; ++ } ++ ++ public void setEncryptAlgorithm(String encryptAlgorithm) { ++ this.encryptAlgorithm = encryptAlgorithm; ++ } ++ ++ @XmlElement(name="WrapAlgorithm") ++ public String getWrapAlgorithm() { ++ return 
wrapAlgorithm; ++ } ++ ++ public void setWrapAlgorithm(String wrapAlgorithm) { ++ this.wrapAlgorithm = wrapAlgorithm; ++ } ++ + @Override + public int hashCode() { + final int prime = 31; + int result = super.hashCode(); + result = prime * result + ((archivalMechanism == null) ? 0 : archivalMechanism.hashCode()); ++ result = prime * result + ((encryptAlgorithm == null) ? 0 : encryptAlgorithm.hashCode()); + result = prime * result + ((recoveryMechanism == null) ? 0 : recoveryMechanism.hashCode()); ++ result = prime * result + ((wrapAlgorithm == null) ? 0 : wrapAlgorithm.hashCode()); + return result; + } + +@@ -97,11 +119,21 @@ public class KRAInfo extends ResourceMessage { + return false; + } else if (!archivalMechanism.equals(other.archivalMechanism)) + return false; ++ if (encryptAlgorithm == null) { ++ if (other.encryptAlgorithm != null) ++ return false; ++ } else if (!encryptAlgorithm.equals(other.encryptAlgorithm)) ++ return false; + if (recoveryMechanism == null) { + if (other.recoveryMechanism != null) + return false; + } else if (!recoveryMechanism.equals(other.recoveryMechanism)) + return false; ++ if (wrapAlgorithm == null) { ++ if (other.wrapAlgorithm != null) ++ return false; ++ } else if (!wrapAlgorithm.equals(other.wrapAlgorithm)) ++ return false; + return true; + } + +@@ -125,6 +157,8 @@ public class KRAInfo extends ResourceMessage { + KRAInfo before = new KRAInfo(); + before.setArchivalMechanism("encrypt"); + before.setRecoveryMechanism("keywrap"); ++ before.setEncryptAlgorithm("AES/CBC/Pad"); ++ before.setWrapAlgorithm("AES KeyWrap/Padding"); + + String string = before.toString(); + System.out.println(string); +diff --git a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java +index 0057a1d..b06faa6 100644 +--- a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java ++++ b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java +@@ -190,11 +190,7 @@ public class 
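Review bot: The new KRAInfo property is named `wrapAlgorithm`/`WrapAlgorithm` while the sibling CAInfo in this commit calls the same value `keyWrapAlgorithm`, and CAInfoService copies one straight into the other; settle on one name for both resources, e.g. `@XmlElement(name="KeyWrapAlgorithm")` with `getKeyWrapAlgorithm()`/`setKeyWrapAlgorithm()`, before the element name becomes part of the REST contract. The sample values in main(), `"AES/CBC/Pad"` and `"AES KeyWrap/Padding"`, should be the exact strings the JSS algorithm toString() methods produce if the self-test is meant to exercise the real format; that cannot be confirmed from here.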
CRMFPopClient { + option.setArgName("extractable"); + options.addOption(option); + +- option = new Option("g", true, "KeyWrap"); +- option.setArgName("keyWrap"); +- options.addOption(option); +- +- option = new Option("w", true, "Wrapping Keyset"); ++ option = new Option("w", true, "Algorithm to be used for key wrapping"); + option.setArgName("keySet"); + options.addOption(option); + +@@ -231,10 +227,7 @@ public class CRMFPopClient { + System.out.println(" - POP_NONE: without POP"); + System.out.println(" - POP_SUCCESS: with valid POP"); + System.out.println(" - POP_FAIL: with invalid POP (for testing)"); +- System.out.println(" -g Use KeyWrapping to wrap private key (default: true)"); +- System.out.println(" - true: use a key wrapping algorithm"); +- System.out.println(" - false: use an encryption algorithm"); +- System.out.println(" -w Key set ID to use when wrapping the private key"); ++ System.out.println(" -w Algorithm to use for key wrapping"); + System.out.println(" -b PEM transport certificate (default: transport.txt)"); + System.out.println(" -v, --verbose Run in verbose mode."); + System.out.println(" --help Show help message."); +@@ -329,20 +322,17 @@ public class CRMFPopClient { + + boolean self_sign = cmd.hasOption("y"); + +- // get the key wrapping mechanism +- boolean keyWrap = true; +- if (cmd.hasOption("g")) { +- keyWrap = Boolean.parseBoolean(cmd.getOptionValue("g")); ++ // get the keywrap algorithm ++ KeyWrapAlgorithm keyWrapAlgorithm = null; ++ String kwAlg = KeyWrapAlgorithm.AES_KEY_WRAP_PAD.toString(); ++ if (cmd.hasOption("w")) { ++ kwAlg = cmd.getOptionValue("w"); + } else { +- String useKeyWrap = System.getenv("KEY_ARCHIVAL_USE_KEY_WRAPPING"); +- if (useKeyWrap != null) { +- keyWrap = Boolean.parseBoolean(useKeyWrap); ++ String alg = System.getenv("KEY_ARCHIVAL_KEYWRAP_ALGORITHM"); ++ if (alg != null) { ++ kwAlg = alg; + } + } +- String archivalMechanism = keyWrap ? 
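Review bot: The `-w` option is redefined as a key wrap algorithm, but `option.setArgName("keySet")` still labels its argument as a key set in the usage output; change it to `option.setArgName("keyWrapAlgorithm")`. Because the raw string is later passed to KeyWrapAlgorithm.fromString(), the help line should also list the accepted spellings, e.g. `-w <alg> Key wrap algorithm (see KeyWrapAlgorithm names)`, with the actual names copied from JSS.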
KRAInfoResource.KEYWRAP_MECHANISM : +- KRAInfoResource.ENCRYPT_MECHANISM; +- +- String wrappingKeySet = cmd.getOptionValue("w"); + + String output = cmd.getOptionValue("o"); + +@@ -351,12 +341,11 @@ public class CRMFPopClient { + String requestor = cmd.getOptionValue("r"); + + if (hostPort != null) { +- if (cmd.hasOption("g") || cmd.hasOption("w")) { +- printError("Wrapping Key Set (-g) and keywrap (-w) options should " + +- "not be specified when hostport is specified. " + +- "CRMFPopClient will contact the server to " + +- "determine the correct values for these parameters"); +- System.exit(1); ++ if (cmd.hasOption("w")) { ++ printError("Any value specified for the key wrap parameter (-w) " + ++ "will be overriden. CRMFPopClient will contact the " + ++ "CA to determine the supported algorithm when " + ++ "hostport is specified"); + } + } + +@@ -493,9 +482,9 @@ public class CRMFPopClient { + System.out.println("Keypair private key id: " + kid); + + if (hostPort != null) { +- // check the CA for the required keyset and archival mechanism ++ // check the CA for the required key wrap algorithm + // if found, override whatever has been set by the command line +- // options or environment for archivalMechanism and wrappingKeySet ++ // options for the key wrap algorithm + + ClientConfig config = new ClientConfig(); + String host = hostPort.substring(0, hostPort.indexOf(':')); +@@ -503,31 +492,17 @@ public class CRMFPopClient { + config.setServerURL("http", host, port); + + PKIClient pkiclient = new PKIClient(config); +- +- // get archival mechanism +- CAInfoClient infoClient = new CAInfoClient(pkiclient, "ca"); +- try { +- CAInfo info = infoClient.getInfo(); +- archivalMechanism = info.getArchivalMechanism(); +- wrappingKeySet = info.getWrappingKeySet(); +- } catch (PKIException e) { +- if (e.getCode() == 404) { +- // assume this is an older server, +- archivalMechanism = KRAInfoResource.KEYWRAP_MECHANISM; +- wrappingKeySet = "0"; +- } else { +- throw new 
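Review bot: When both hostport and `-w` are given, the code now emits the message via `printError(...)` but carries on, so the output reads like a failure while the run succeeds; "overriden" is also misspelled. Reword it as a warning, e.g. `printError("Warning: ignoring -w; the key wrap algorithm will be obtained from the CA at " + hostPort);`, or better, honour an explicit -w and consult the CA only when it is absent (the lookup is in a later hunk).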
Exception("Failed to retrieve archive wrapping information from the CA: " + e, e); +- } +- } catch (Exception e) { +- throw new Exception("Failed to retrieve archive wrapping information from the CA: " + e, e); +- } ++ kwAlg = getKeyWrapAlgotihm(pkiclient); + } + ++ if (verbose) System.out.println("Using key wrap algorithm: " + kwAlg); ++ keyWrapAlgorithm = KeyWrapAlgorithm.fromString(kwAlg); ++ + if (verbose) System.out.println("Creating certificate request"); + CertRequest certRequest = client.createCertRequest( + self_sign, + token, transportCert, algorithm, keyPair, +- subject, archivalMechanism, wrappingKeySet); ++ subject, keyWrapAlgorithm); + + ProofOfPossession pop = null; + +@@ -592,6 +567,36 @@ public class CRMFPopClient { + } + } + ++ public static String getKeyWrapAlgotihm(PKIClient pkiclient) ++ throws Exception { ++ String kwAlg = null; ++ CAInfoClient infoClient = new CAInfoClient(pkiclient, "ca"); ++ String archivalMechanism = KRAInfoResource.KEYWRAP_MECHANISM; ++ ++ try { ++ CAInfo info = infoClient.getInfo(); ++ archivalMechanism = info.getArchivalMechanism(); ++ kwAlg = info.getKeyWrapAlgorithm(); ++ } catch (PKIException e) { ++ if (e.getCode() == 404) { ++ // assume this is an older server, ++ archivalMechanism = KRAInfoResource.KEYWRAP_MECHANISM; ++ kwAlg = KeyWrapAlgorithm.DES3_CBC_PAD.toString(); ++ } else { ++ throw new Exception("Failed to retrieve archive wrapping information from the CA: " + e, e); ++ } ++ } catch (Exception e) { ++ throw new Exception("Failed to retrieve archive wrapping information from the CA: " + e, e); ++ } ++ ++ if (!archivalMechanism.equals(KRAInfoResource.KEYWRAP_MECHANISM)) { ++ // new server with encryption set. Use something we know will ++ // work. 
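Review bot: The key wrap algorithm is now decided by `kwAlg = getKeyWrapAlgotihm(pkiclient);`, whose CAInfo request goes out over the connection configured a few lines earlier as `config.setServerURL("http", host, port);`, i.e. unauthenticated plaintext; anyone on the path can answer with a 404 or a crafted CAInfo and steer the client to the legacy DES3 fallback, and the user's explicit `-w` value is discarded rather than acting as a floor. Use https for the info lookup, or at minimum let an explicit option win: `if (cmd.hasOption("w")) kwAlg = cmd.getOptionValue("w"); else kwAlg = getKeyWrapAlgotihm(pkiclient);`. The surrounding method extends beyond this hunk.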
AES-128-CBC ++ kwAlg = KeyWrapAlgorithm.AES_CBC_PAD.toString(); ++ } ++ return kwAlg; ++ } ++ + public void setVerbose(boolean verbose) { + this.verbose = verbose; + } +@@ -637,10 +642,9 @@ public class CRMFPopClient { + String algorithm, + KeyPair keyPair, + Name subject, +- String archivalMechanism, +- String wrappingKeySet) throws Exception { ++ KeyWrapAlgorithm keyWrapAlgorithm) throws Exception { + return createCertRequest(false, token, transportCert, algorithm, keyPair, +- subject, archivalMechanism, wrappingKeySet); ++ subject, keyWrapAlgorithm); + } + + public CertRequest createCertRequest( +@@ -650,24 +654,15 @@ public class CRMFPopClient { + String algorithm, + KeyPair keyPair, + Name subject, +- String archivalMechanism, +- String wrappingKeySet) throws Exception { +- EncryptionAlgorithm encryptAlg = null; +- +- if (wrappingKeySet == null) { +- wrappingKeySet = System.getenv("KEY_WRAP_PARAMETER_SET"); ++ KeyWrapAlgorithm keyWrapAlgorithm) throws Exception { ++ byte[] iv = null; ++ if (keyWrapAlgorithm.getParameterClasses() != null) { ++ iv = CryptoUtil.getNonceData(keyWrapAlgorithm.getBlockSize()); + } ++ OBJECT_IDENTIFIER kwOID = CryptoUtil.getOID(keyWrapAlgorithm); + +- if (wrappingKeySet != null && wrappingKeySet.equalsIgnoreCase("0")) { +- // talking to an old server? 
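Review bot: The new public helper is spelled `getKeyWrapAlgotihm` and is already called from ClientCertRequestCLI in this same commit; rename it to `getKeyWrapAlgorithm` before the typo becomes API. Inside it, a 404 silently selects `KeyWrapAlgorithm.DES3_CBC_PAD` and a non-keywrap archival mechanism forces `AES_CBC_PAD` while the server-reported `info.getEncryptAlgorithm()` is never consulted; print the fallback to stderr, e.g. `System.err.println("Warning: CA did not advertise a key wrap algorithm, using " + kwAlg);`, so an operator can see when 3DES is in play, and add a comment explaining why the encrypt algorithm is ignored.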
+- encryptAlg = EncryptionAlgorithm.DES3_CBC; +- } else { +- encryptAlg = EncryptionAlgorithm.AES_128_CBC; +- } +- +- byte[] iv = CryptoUtil.getNonceData(encryptAlg.getIVLength()); +- AlgorithmIdentifier aid = new AlgorithmIdentifier(encryptAlg.toOID(), new OCTET_STRING(iv)); +- WrappingParams params = getWrappingParams(encryptAlg, iv, archivalMechanism); ++ AlgorithmIdentifier aid = new AlgorithmIdentifier(kwOID, new OCTET_STRING(iv)); ++ WrappingParams params = getWrappingParams(keyWrapAlgorithm, iv); + + PKIArchiveOptions opts = CryptoUtil.createPKIArchiveOptions( + token, +@@ -698,29 +693,21 @@ public class CRMFPopClient { + return new CertRequest(new INTEGER(1), certTemplate, seq); + } + +- private WrappingParams getWrappingParams(EncryptionAlgorithm encryptAlg, byte[] wrapIV, +- String archivalMechanism) throws Exception { +- if (encryptAlg.getAlg().toString().equalsIgnoreCase("AES")) { +- KeyWrapAlgorithm wrapAlg = null; +- IVParameterSpec wrapIVS = null; +- if (archivalMechanism.equals(KRAInfoResource.ENCRYPT_MECHANISM)) { +- // We will use AES_CBC_PAD as the a key wrap mechanism. This +- // can be decrypted using the same mechanism on the server. +- wrapAlg = KeyWrapAlgorithm.AES_CBC_PAD; +- wrapIVS = new IVParameterSpec(wrapIV); +- } else { +- wrapAlg = KeyWrapAlgorithm.AES_KEY_WRAP_PAD; +- } ++ private WrappingParams getWrappingParams(KeyWrapAlgorithm kwAlg, byte[] iv) throws Exception { ++ IVParameterSpec ivps = iv != null ? 
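Review bot: When `keyWrapAlgorithm.getParameterClasses()` is null the new code leaves `iv` null and then builds `new AlgorithmIdentifier(kwOID, new OCTET_STRING(iv))`, which will either throw or encode a bogus parameter for an algorithm such as AES KeyWrap that takes none; omit the parameters in that case, `AlgorithmIdentifier aid = iv != null ? new AlgorithmIdentifier(kwOID, new OCTET_STRING(iv)) : new AlgorithmIdentifier(kwOID);`. Whether AES_KEY_WRAP_PAD reports null parameter classes in JSS is not visible here and should be confirmed. The method continues past this hunk.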
new IVParameterSpec(iv): null; ++ ++ if (kwAlg == KeyWrapAlgorithm.AES_KEY_WRAP_PAD || ++ kwAlg == KeyWrapAlgorithm.AES_CBC_PAD) { + return new WrappingParams( + SymmetricKey.AES, KeyGenAlgorithm.AES, 128, +- KeyWrapAlgorithm.RSA, encryptAlg, +- wrapAlg, wrapIVS, wrapIVS); +- } else if (encryptAlg.getAlg().toString().equalsIgnoreCase("DESede")) { ++ KeyWrapAlgorithm.RSA, EncryptionAlgorithm.AES_128_CBC_PAD, ++ kwAlg, ivps, ivps); ++ } else if (kwAlg == KeyWrapAlgorithm.DES3_CBC_PAD) { + return new WrappingParams( + SymmetricKey.DES3, KeyGenAlgorithm.DES3, 168, + KeyWrapAlgorithm.RSA, EncryptionAlgorithm.DES3_CBC_PAD, + KeyWrapAlgorithm.DES3_CBC_PAD, +- new IVParameterSpec(wrapIV), new IVParameterSpec(wrapIV)); ++ ivps, ivps); + } else { + throw new Exception("Invalid encryption algorithm"); + } +diff --git a/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java b/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java +index a14bb24..9a0cfcc 100644 +--- a/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java ++++ b/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java +@@ -29,18 +29,15 @@ import java.util.Vector; + import org.apache.commons.cli.CommandLine; + import org.apache.commons.cli.Option; + import org.apache.commons.io.FileUtils; +-import org.dogtagpki.common.CAInfo; +-import org.dogtagpki.common.CAInfoClient; +-import org.dogtagpki.common.KRAInfoResource; + import org.mozilla.jss.CryptoManager; + import org.mozilla.jss.crypto.CryptoToken; ++import org.mozilla.jss.crypto.KeyWrapAlgorithm; + import org.mozilla.jss.crypto.Signature; + import org.mozilla.jss.crypto.X509Certificate; + import org.mozilla.jss.pkix.crmf.CertRequest; + import org.mozilla.jss.pkix.crmf.ProofOfPossession; + import org.mozilla.jss.pkix.primitive.Name; + +-import com.netscape.certsrv.base.PKIException; + import com.netscape.certsrv.cert.CertClient; + import com.netscape.certsrv.cert.CertEnrollmentRequest; 
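Review bot: The rewritten `getWrappingParams` still ends with `throw new Exception("Invalid encryption algorithm")` although its parameter is now a key wrap algorithm, and the message omits the offending value; use `throw new Exception("Unsupported key wrap algorithm: " + kwAlg);`. The AES branch hard-codes `EncryptionAlgorithm.AES_128_CBC_PAD` and a 128-bit session key regardless of what the CA advertised, which is a reasonable fixed choice but should be stated, e.g. `// session key is always AES-128-CBC; the KRA's advertised encrypt algorithm is not consulted here`.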
+ import com.netscape.certsrv.cert.CertRequestInfos; +@@ -249,29 +246,13 @@ public class ClientCertRequestCLI extends CLI { + CryptoManager manager = CryptoManager.getInstance(); + X509Certificate transportCert = manager.importCACertPackage(transportCertData); + +- // get archival mechanism +- CAInfoClient infoClient = new CAInfoClient(client, "ca"); +- String archivalMechanism = KRAInfoResource.KEYWRAP_MECHANISM; +- String wrappingKeySet = "1"; +- try { +- CAInfo info = infoClient.getInfo(); +- archivalMechanism = info.getArchivalMechanism(); +- wrappingKeySet = info.getWrappingKeySet(); +- } catch (PKIException e) { +- if (e.getCode() == 404) { +- // assume this is an older server, +- archivalMechanism = KRAInfoResource.KEYWRAP_MECHANISM; +- wrappingKeySet = "0"; +- } else { +- throw new Exception("Failed to retrieve archive wrapping information from the CA: " + e, e); +- } +- } catch (Exception e) { +- throw new Exception("Failed to retrieve archive wrapping information from the CA: " + e, e); +- } ++ // get archival and key wrap mechanisms from CA ++ String kwAlg = CRMFPopClient.getKeyWrapAlgotihm(client); ++ KeyWrapAlgorithm keyWrapAlgorithm = KeyWrapAlgorithm.fromString(kwAlg); + + csr = generateCrmfRequest(transportCert, subjectDN, attributeEncoding, + algorithm, length, curve, sslECDH, temporary, sensitive, extractable, withPop, +- archivalMechanism, wrappingKeySet); ++ keyWrapAlgorithm); + + } else { + throw new Exception("Unknown request type: " + requestType); +@@ -411,8 +392,7 @@ public class ClientCertRequestCLI extends CLI { + int sensitive, + int extractable, + boolean withPop, +- String archivalMechanism, +- String wrappingKeySet ++ KeyWrapAlgorithm keyWrapAlgorithm + ) throws Exception { + + CryptoManager manager = CryptoManager.getInstance(); +@@ -434,7 +414,7 @@ public class ClientCertRequestCLI extends CLI { + } + + CertRequest certRequest = client.createCertRequest( +- token, transportCert, algorithm, keyPair, subject, archivalMechanism, 
wrappingKeySet); ++ token, transportCert, algorithm, keyPair, subject, keyWrapAlgorithm); + + ProofOfPossession pop = null; + if (withPop) { +diff --git a/base/server/cms/src/org/dogtagpki/server/rest/CAInfoService.java b/base/server/cms/src/org/dogtagpki/server/rest/CAInfoService.java +index 398f499..52c9ca0 100644 +--- a/base/server/cms/src/org/dogtagpki/server/rest/CAInfoService.java ++++ b/base/server/cms/src/org/dogtagpki/server/rest/CAInfoService.java +@@ -28,6 +28,8 @@ import org.dogtagpki.common.CAInfo; + import org.dogtagpki.common.CAInfoResource; + import org.dogtagpki.common.KRAInfo; + import org.dogtagpki.common.KRAInfoClient; ++import org.mozilla.jss.crypto.EncryptionAlgorithm; ++import org.mozilla.jss.crypto.KeyWrapAlgorithm; + import org.slf4j.Logger; + import org.slf4j.LoggerFactory; + +@@ -73,7 +75,8 @@ public class CAInfoService extends PKIService implements CAInfoResource { + // KRA-related fields (the initial values are only used if we + // did not yet receive authoritative info from KRA) + private static String archivalMechanism = KRAInfoService.KEYWRAP_MECHANISM; +- private static String wrappingKeySet = "0"; ++ private static String encryptAlgorithm; ++ private static String keyWrapAlgorithm; + + @Override + public Response getInfo() throws Exception { +@@ -116,7 +119,8 @@ public class CAInfoService extends PKIService implements CAInfoResource { + } + + info.setArchivalMechanism(archivalMechanism); +- info.setWrappingKeySet(wrappingKeySet); ++ info.setEncryptAlgorithm(encryptAlgorithm); ++ info.setKeyWrapAlgorithm(keyWrapAlgorithm); + } + } + +@@ -125,10 +129,8 @@ public class CAInfoService extends PKIService implements CAInfoResource { + KRAInfo kraInfo = getKRAInfoClient(connInfo).getInfo(); + + archivalMechanism = kraInfo.getArchivalMechanism(); +- +- // request succeeded; the KRA is 10.4 or higher, +- // therefore supports key set v1 +- wrappingKeySet = "1"; ++ encryptAlgorithm = kraInfo.getEncryptAlgorithm(); ++ keyWrapAlgorithm = 
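Review bot: The static defaults `private static String encryptAlgorithm;` and `private static String keyWrapAlgorithm;` are null, whereas the `wrappingKeySet = "0"` they replace held a usable pre-10.4 value; per the comment above them these initial values are served until authoritative KRA info arrives, so a client calling getInfo() early could receive a null algorithm and fail in KeyWrapAlgorithm.fromString(). Initialise them to the same legacy values the catch branch assigns, `private static String encryptAlgorithm = EncryptionAlgorithm.DES3_CBC_PAD.toString();` and `private static String keyWrapAlgorithm = KeyWrapAlgorithm.DES3_CBC_PAD.toString();`, unless getInfo() (whose full body is outside this hunk) always fetches before answering.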
kraInfo.getWrapAlgorithm(); + + // mark info as authoritative + kraInfoAuthoritative = true; +@@ -137,8 +139,8 @@ public class CAInfoService extends PKIService implements CAInfoResource { + // The KRAInfoResource was added in 10.4, + // so we are talking to a pre-10.4 KRA + +- // pre-10.4 only supports key set v0 +- wrappingKeySet = "0"; ++ encryptAlgorithm = EncryptionAlgorithm.DES3_CBC_PAD.toString(); ++ keyWrapAlgorithm = KeyWrapAlgorithm.DES3_CBC_PAD.toString(); + + // pre-10.4 KRA does not advertise the archival + // mechanism; look for the old knob in CA's config +diff --git a/base/server/cms/src/org/dogtagpki/server/rest/KRAInfoService.java b/base/server/cms/src/org/dogtagpki/server/rest/KRAInfoService.java +index c4b3252..a9c3cdf 100644 +--- a/base/server/cms/src/org/dogtagpki/server/rest/KRAInfoService.java ++++ b/base/server/cms/src/org/dogtagpki/server/rest/KRAInfoService.java +@@ -29,14 +29,25 @@ import org.slf4j.LoggerFactory; + import com.netscape.certsrv.apps.CMS; + import com.netscape.certsrv.base.EBaseException; + import com.netscape.certsrv.base.IConfigStore; ++import com.netscape.certsrv.kra.IKeyRecoveryAuthority; ++import com.netscape.certsrv.security.IStorageKeyUnit; + import com.netscape.cms.servlet.base.PKIService; + ++import netscape.security.util.WrappingParams; ++ + /** + * @author Ade Lee + */ + public class KRAInfoService extends PKIService implements KRAInfoResource { + + private static Logger logger = LoggerFactory.getLogger(InfoService.class); ++ private IKeyRecoveryAuthority kra; ++ private IStorageKeyUnit storageUnit; ++ ++ public KRAInfoService() { ++ kra = (IKeyRecoveryAuthority) CMS.getSubsystem("kra"); ++ storageUnit = kra.getStorageKeyUnit(); ++ } + + @Override + public Response getInfo() throws Exception { +@@ -47,7 +58,8 @@ public class KRAInfoService extends PKIService implements KRAInfoResource { + KRAInfo info = new KRAInfo(); + info.setArchivalMechanism(getArchivalMechanism()); + 
info.setRecoveryMechanism(getRecoveryMechanism()); +- ++ info.setEncryptAlgorithm(getEncryptAlgorithm()); ++ info.setArchivalMechanism(getWrapAlgorithm()); + + return createOKResponse(info); + } +@@ -63,5 +75,31 @@ public class KRAInfoService extends PKIService implements KRAInfoResource { + boolean encrypt_recovery = cs.getBoolean("kra.allowEncDecrypt.recovery", false); + return encrypt_recovery ? KRAInfoResource.ENCRYPT_MECHANISM : KRAInfoResource.KEYWRAP_MECHANISM; + } ++ ++ String getWrapAlgorithm() throws EBaseException { ++ IConfigStore cs = CMS.getConfigStore(); ++ boolean encrypt_archival = cs.getBoolean("kra.allowEncDecrypt.archival", false); ++ WrappingParams params = null; ++ try { ++ params = storageUnit.getWrappingParams(encrypt_archival); ++ } catch (Exception e) { ++ // return something that should always work ++ return "AES/CBC/Padding"; ++ } ++ return params.getPayloadWrapAlgorithm().toString(); ++ } ++ ++ String getEncryptAlgorithm() throws EBaseException { ++ IConfigStore cs = CMS.getConfigStore(); ++ boolean encrypt_archival = cs.getBoolean("kra.allowEncDecrypt.archival", false); ++ WrappingParams params = null; ++ try { ++ params = storageUnit.getWrappingParams(encrypt_archival); ++ } catch (Exception e) { ++ // return something that should always work ++ return "AES/CBC/Padding"; ++ } ++ return params.getPayloadEncryptionAlgorithm().toString(); ++ } + } + +diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java +index 95b8f81..84e4a65 100644 +--- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java ++++ b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java +@@ -2713,6 +2713,28 @@ public class CryptoUtil { + throw new NoSuchAlgorithmException(); + } + ++ /* ++ * Useful method to map KeyWrap algorithms to an OID. ++ * This is not yet defined within JSS, although it will be valuable to do ++ * so. 
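Review bot: `getWrapAlgorithm` and `getEncryptAlgorithm` are copies of each other up to the final getter, and both swallow every exception from `storageUnit.getWrappingParams` into a fixed `"AES/CBC/Padding"` without logging, so a KRA whose storage unit cannot report its parameters silently advertises an algorithm it may not actually use and the misconfiguration never surfaces. Factor the lookup into one helper that logs the failure through the class's existing `logger` and let both getters apply the fallback. Related: the constructor in the `@@ -29,14 +29,25 @@` hunk above calls `kra.getStorageKeyUnit()` without checking that `CMS.getSubsystem("kra")` returned non-null; the same helper can treat a null `storageUnit` like a failed lookup.
```java
    private WrappingParams getArchivalWrappingParams() throws EBaseException {
        IConfigStore cs = CMS.getConfigStore();
        boolean encrypt_archival = cs.getBoolean("kra.allowEncDecrypt.archival", false);
        if (storageUnit == null) {
            logger.warn("KRA storage key unit not available; using fallback archival algorithms");
            return null;
        }
        try {
            return storageUnit.getWrappingParams(encrypt_archival);
        } catch (Exception e) {
            logger.warn("Unable to read KRA wrapping params; using fallback archival algorithms", e);
            return null;
        }
    }

    String getWrapAlgorithm() throws EBaseException {
        WrappingParams params = getArchivalWrappingParams();
        // fallback that should always work
        return params == null ? "AES/CBC/Padding" : params.getPayloadWrapAlgorithm().toString();
    }

    String getEncryptAlgorithm() throws EBaseException {
        WrappingParams params = getArchivalWrappingParams();
        return params == null ? "AES/CBC/Padding" : params.getPayloadEncryptionAlgorithm().toString();
    }
```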
The hard thing though is that the KeyWrapAlgorithms in JSS do not take ++ * KEK key size into account for algorithms like AES. We assume 128 bits in ++ * this case. ++ * ++ * This is used in the generation of CRMF requests, and will be correlated to ++ * the subsequent reverse mapping method below. ++ */ ++ public static OBJECT_IDENTIFIER getOID(KeyWrapAlgorithm kwAlg) throws NoSuchAlgorithmException { ++ if (kwAlg == KeyWrapAlgorithm.AES_KEY_WRAP_PAD) ++ return new OBJECT_IDENTIFIER("2.16.840.1.101.3.4.1.8"); ++ if (kwAlg == KeyWrapAlgorithm.AES_CBC_PAD) ++ return new OBJECT_IDENTIFIER("2.16.840.1.101.3.4.1.2"); ++ if ((kwAlg == KeyWrapAlgorithm.DES3_CBC_PAD) || ++ (kwAlg == KeyWrapAlgorithm.DES_CBC_PAD)) ++ return new OBJECT_IDENTIFIER("1.2.840.113549.3.7"); ++ ++ throw new NoSuchAlgorithmException(); ++ } ++ + } + + // START ENABLE_ECC +-- +1.8.3.1 + + +From d5c331a42955365b76a1549aec047e613d3185dc Mon Sep 17 00:00:00 2001 +From: Ade Lee +Date: Tue, 6 Jun 2017 16:16:40 -0400 +Subject: [PATCH 07/14] Server side changes to correctly parse the new + PKIArchiveOptions + +The server is modified to read the new OIDs in the PKIArchiveOptions +and handle them correctly. 
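Review bot: `getOID` maps `KeyWrapAlgorithm.DES_CBC_PAD` (single DES) to `1.2.840.113549.3.7`, which is the des-EDE3-CBC identifier, so a request wrapped with single DES is advertised to the server as 3DES and cannot be unwrapped correctly; the same mapping persists in the `@@ -2724,13 +2728,29 @@` rewrite in patch 07, where the constant holding that OID is also named `KW_DES_CBC_PAD` and the reverse mapping `getKeyWrapAlgorithmFromOID` returns `DES3_CBC_PAD` for it. Drop the `DES_CBC_PAD` branch so it falls through to the existing `throw new NoSuchAlgorithmException();`, and name the constant `KW_DES3_CBC_PAD` to match the OID it holds. The javadoc should also state plainly that both mapping methods assume 128-bit AES, which the current comment only hints at.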
+ +Change-Id: I328df4d6588b3c2c26a387ab2e9ed742d36824d4 +--- + base/common/src/org/dogtagpki/common/CAInfo.java | 2 + + .../src/com/netscape/cmstools/CRMFPopClient.java | 20 ++++++-- + .../kra/src/com/netscape/kra/TransportKeyUnit.java | 21 ++++----- + .../org/dogtagpki/server/rest/KRAInfoService.java | 2 +- + .../com/netscape/cmsutil/crypto/CryptoUtil.java | 34 ++++++++++--- + .../src/netscape/security/util/WrappingParams.java | 55 ++++++++++++++++++++++ + 6 files changed, 109 insertions(+), 25 deletions(-) + +diff --git a/base/common/src/org/dogtagpki/common/CAInfo.java b/base/common/src/org/dogtagpki/common/CAInfo.java +index 0f68c7a..ada8098 100644 +--- a/base/common/src/org/dogtagpki/common/CAInfo.java ++++ b/base/common/src/org/dogtagpki/common/CAInfo.java +@@ -66,6 +66,7 @@ public class CAInfo extends ResourceMessage { + this.archivalMechanism = archivalMechanism; + } + ++ @XmlElement(name="EncryptAlgorithm") + public String getEncryptAlgorithm() { + return encryptAlgorithm; + } +@@ -74,6 +75,7 @@ public class CAInfo extends ResourceMessage { + this.encryptAlgorithm = encryptAlgorithm; + } + ++ @XmlElement(name="WrapAlgorithm") + public String getKeyWrapAlgorithm() { + return keyWrapAlgorithm; + } +diff --git a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java +index b06faa6..25de2dd 100644 +--- a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java ++++ b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java +@@ -191,7 +191,7 @@ public class CRMFPopClient { + options.addOption(option); + + option = new Option("w", true, "Algorithm to be used for key wrapping"); +- option.setArgName("keySet"); ++ option.setArgName("keywrap algorithm"); + options.addOption(option); + + options.addOption("y", false, "for Self-signed cmc."); +@@ -655,13 +655,23 @@ public class CRMFPopClient { + KeyPair keyPair, + Name subject, + KeyWrapAlgorithm keyWrapAlgorithm) throws Exception { +- 
byte[] iv = null; +- if (keyWrapAlgorithm.getParameterClasses() != null) { +- iv = CryptoUtil.getNonceData(keyWrapAlgorithm.getBlockSize()); +- } ++ byte[] iv = CryptoUtil.getNonceData(keyWrapAlgorithm.getBlockSize()); + OBJECT_IDENTIFIER kwOID = CryptoUtil.getOID(keyWrapAlgorithm); + ++ /* TODO(alee) ++ * ++ * HACK HACK! ++ * algorithms like AES KeyWrap do not require an IV, but we need to include one ++ * in the AlgorithmIdentifier above, or the creation and parsing of the ++ * PKIArchiveOptions options will fail. So we include an IV in aid, but null it ++ * later to correctly encrypt the data ++ */ + AlgorithmIdentifier aid = new AlgorithmIdentifier(kwOID, new OCTET_STRING(iv)); ++ ++ Class[] iv_classes = keyWrapAlgorithm.getParameterClasses(); ++ if (iv_classes == null || iv_classes.length == 0) ++ iv = null; ++ + WrappingParams params = getWrappingParams(keyWrapAlgorithm, iv); + + PKIArchiveOptions opts = CryptoUtil.createPKIArchiveOptions( +diff --git a/base/kra/src/com/netscape/kra/TransportKeyUnit.java b/base/kra/src/com/netscape/kra/TransportKeyUnit.java +index d0ad8b3..91af7cf 100644 +--- a/base/kra/src/com/netscape/kra/TransportKeyUnit.java ++++ b/base/kra/src/com/netscape/kra/TransportKeyUnit.java +@@ -267,7 +267,7 @@ public class TransportKeyUnit extends EncryptionUnit implements + * Decrypts the user private key. This is called on the transport unit. 
+ */ + public byte[] decryptExternalPrivate(byte encSymmKey[], +- String symmAlgOID, byte symmAlgParams[], byte encValue[], ++ String wrapOID, byte wrapIV[], byte encValue[], + org.mozilla.jss.crypto.X509Certificate transCert) + throws Exception { + +@@ -279,12 +279,10 @@ public class TransportKeyUnit extends EncryptionUnit implements + CryptoToken token = getToken(transCert); + PrivateKey wrappingKey = getPrivateKey(transCert); + String priKeyAlgo = wrappingKey.getAlgorithm(); +- WrappingParams params = new WrappingParams( +- symmAlgOID, +- null, ++ WrappingParams params = WrappingParams.getWrappingParamsFromArchiveOptions( ++ wrapOID, + priKeyAlgo, +- new IVParameterSpec(symmAlgParams), +- null); ++ new IVParameterSpec(wrapIV)); + + SymmetricKey sk = CryptoUtil.unwrap( + token, +@@ -303,6 +301,7 @@ public class TransportKeyUnit extends EncryptionUnit implements + params.getPayloadEncryptionAlgorithm()); + } + ++ + /** + * External unwrapping. Unwraps the symmetric key using + * the transport private key. +@@ -342,19 +341,17 @@ public class TransportKeyUnit extends EncryptionUnit implements + * the transport private key. 
+ */ + public PrivateKey unwrap(byte encSymmKey[], +- String symmAlgOID, byte symmAlgParams[], ++ String wrapOID, byte wrapIV[], + byte encValue[], PublicKey pubKey, + org.mozilla.jss.crypto.X509Certificate transCert) + throws Exception { + CryptoToken token = getToken(transCert); + PrivateKey wrappingKey = getPrivateKey(transCert); + String priKeyAlgo = wrappingKey.getAlgorithm(); +- WrappingParams params = new WrappingParams( +- symmAlgOID, +- null, ++ WrappingParams params = WrappingParams.getWrappingParamsFromArchiveOptions( ++ wrapOID, + priKeyAlgo, +- new IVParameterSpec(symmAlgParams), +- new IVParameterSpec(symmAlgParams)); ++ new IVParameterSpec(wrapIV)); + + // (1) unwrap the session key + SymmetricKey sk = CryptoUtil.unwrap( +diff --git a/base/server/cms/src/org/dogtagpki/server/rest/KRAInfoService.java b/base/server/cms/src/org/dogtagpki/server/rest/KRAInfoService.java +index a9c3cdf..c855b22 100644 +--- a/base/server/cms/src/org/dogtagpki/server/rest/KRAInfoService.java ++++ b/base/server/cms/src/org/dogtagpki/server/rest/KRAInfoService.java +@@ -59,7 +59,7 @@ public class KRAInfoService extends PKIService implements KRAInfoResource { + info.setArchivalMechanism(getArchivalMechanism()); + info.setRecoveryMechanism(getRecoveryMechanism()); + info.setEncryptAlgorithm(getEncryptAlgorithm()); +- info.setArchivalMechanism(getWrapAlgorithm()); ++ info.setWrapAlgorithm(getWrapAlgorithm()); + + return createOKResponse(info); + } +diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java +index 84e4a65..eca8ddd 100644 +--- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java ++++ b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java +@@ -2713,6 +2713,10 @@ public class CryptoUtil { + throw new NoSuchAlgorithmException(); + } + ++ public static final OBJECT_IDENTIFIER KW_AES_KEY_WRAP_PAD = new OBJECT_IDENTIFIER("2.16.840.1.101.3.4.1.8"); ++ public static final OBJECT_IDENTIFIER 
KW_AES_CBC_PAD = new OBJECT_IDENTIFIER("2.16.840.1.101.3.4.1.2"); ++ public static final OBJECT_IDENTIFIER KW_DES_CBC_PAD = new OBJECT_IDENTIFIER("1.2.840.113549.3.7"); ++ + /* + * Useful method to map KeyWrap algorithms to an OID. + * This is not yet defined within JSS, although it will be valuable to do +@@ -2724,13 +2728,29 @@ public class CryptoUtil { + * the subsequent reverse mapping method below. + */ + public static OBJECT_IDENTIFIER getOID(KeyWrapAlgorithm kwAlg) throws NoSuchAlgorithmException { +- if (kwAlg == KeyWrapAlgorithm.AES_KEY_WRAP_PAD) +- return new OBJECT_IDENTIFIER("2.16.840.1.101.3.4.1.8"); +- if (kwAlg == KeyWrapAlgorithm.AES_CBC_PAD) +- return new OBJECT_IDENTIFIER("2.16.840.1.101.3.4.1.2"); +- if ((kwAlg == KeyWrapAlgorithm.DES3_CBC_PAD) || +- (kwAlg == KeyWrapAlgorithm.DES_CBC_PAD)) +- return new OBJECT_IDENTIFIER("1.2.840.113549.3.7"); ++ String name = kwAlg.toString(); ++ if (name.equals(KeyWrapAlgorithm.AES_KEY_WRAP_PAD.toString())) ++ return KW_AES_KEY_WRAP_PAD; ++ if (name.equals(KeyWrapAlgorithm.AES_CBC_PAD.toString())) ++ return KW_AES_CBC_PAD; ++ if (name.equals(KeyWrapAlgorithm.DES3_CBC_PAD.toString())) ++ return KW_DES_CBC_PAD; ++ if (name.equals(KeyWrapAlgorithm.DES_CBC_PAD.toString())) ++ return KW_DES_CBC_PAD; ++ ++ throw new NoSuchAlgorithmException(); ++ } ++ ++ public static KeyWrapAlgorithm getKeyWrapAlgorithmFromOID(String wrapOID) throws NoSuchAlgorithmException { ++ OBJECT_IDENTIFIER oid = new OBJECT_IDENTIFIER(wrapOID); ++ if (oid.equals(KW_AES_KEY_WRAP_PAD)) ++ return KeyWrapAlgorithm.AES_KEY_WRAP_PAD; ++ ++ if (oid.equals(KW_AES_CBC_PAD)) ++ return KeyWrapAlgorithm.AES_CBC_PAD; ++ ++ if (oid.equals(KW_DES_CBC_PAD)) ++ return KeyWrapAlgorithm.DES3_CBC_PAD; + + throw new NoSuchAlgorithmException(); + } +diff --git a/base/util/src/netscape/security/util/WrappingParams.java b/base/util/src/netscape/security/util/WrappingParams.java +index 8fe5df6..cda8870 100644 +--- 
a/base/util/src/netscape/security/util/WrappingParams.java ++++ b/base/util/src/netscape/security/util/WrappingParams.java +@@ -10,6 +10,8 @@ import org.mozilla.jss.crypto.KeyWrapAlgorithm; + import org.mozilla.jss.crypto.SymmetricKey; + import org.mozilla.jss.crypto.SymmetricKey.Type; + ++import com.netscape.cmsutil.crypto.CryptoUtil; ++ + public class WrappingParams { + // session key attributes + SymmetricKey.Type skType; +@@ -123,6 +125,59 @@ public class WrappingParams { + } + } + ++ private WrappingParams(String wrapOID, String priKeyAlgo, IVParameterSpec wrapIV) ++ throws NumberFormatException, NoSuchAlgorithmException { ++ KeyWrapAlgorithm kwAlg = CryptoUtil.getKeyWrapAlgorithmFromOID(wrapOID); ++ ++ if (kwAlg == KeyWrapAlgorithm.AES_KEY_WRAP_PAD) { ++ skType = SymmetricKey.AES; ++ skKeyGenAlgorithm = KeyGenAlgorithm.AES; ++ payloadWrapAlgorithm = KeyWrapAlgorithm.AES_KEY_WRAP_PAD; ++ payloadEncryptionAlgorithm = EncryptionAlgorithm.AES_128_CBC_PAD; ++ skLength = 128; ++ } ++ ++ if (kwAlg == KeyWrapAlgorithm.AES_CBC_PAD) { ++ skType = SymmetricKey.AES; ++ skKeyGenAlgorithm = KeyGenAlgorithm.AES; ++ payloadWrapAlgorithm = KeyWrapAlgorithm.AES_CBC_PAD; ++ payloadEncryptionAlgorithm = EncryptionAlgorithm.AES_128_CBC_PAD; ++ skLength = 128; ++ } ++ ++ if (kwAlg == KeyWrapAlgorithm.DES3_CBC_PAD || kwAlg == KeyWrapAlgorithm.DES_CBC_PAD) { ++ skType = SymmetricKey.DES; ++ skKeyGenAlgorithm = KeyGenAlgorithm.DES; ++ skWrapAlgorithm = KeyWrapAlgorithm.DES3_CBC_PAD; ++ payloadWrapAlgorithm = KeyWrapAlgorithm.DES3_CBC_PAD; ++ payloadEncryptionAlgorithm = EncryptionAlgorithm.DES3_CBC_PAD; ++ skLength = 0; ++ } ++ ++ if (priKeyAlgo.equals("EC")) { ++ skWrapAlgorithm = KeyWrapAlgorithm.AES_ECB; ++ } else { ++ skWrapAlgorithm = KeyWrapAlgorithm.RSA; ++ } ++ ++ // set the IVs ++ payloadEncryptionIV = wrapIV; ++ ++ if (payloadWrapAlgorithm == KeyWrapAlgorithm.AES_KEY_WRAP_PAD) { ++ // TODO(alee) Hack -- if we pass in null for the iv in the ++ // PKIArchiveOptions, we fail 
to decode correctly when parsing a ++ // CRMFPopClient request. ++ payloadWrappingIV = null; ++ } else { ++ payloadWrappingIV = wrapIV; ++ } ++ } ++ ++ public static WrappingParams getWrappingParamsFromArchiveOptions(String wrapOID, String priKeyAlgo, IVParameterSpec wrapIV) ++ throws NumberFormatException, NoSuchAlgorithmException { ++ return new WrappingParams(wrapOID, priKeyAlgo, wrapIV); ++ } ++ + public SymmetricKey.Type getSkType() { + return skType; + } +-- +1.8.3.1 + + +From 5bf30f2f6a52b7164ba31ab12ed2317b2c572610 Mon Sep 17 00:00:00 2001 +From: Ade Lee +Date: Thu, 8 Jun 2017 16:08:30 -0400 +Subject: [PATCH 10/14] Stop using hardcoded IV in CMC + +Bugzilla #BZ 1458055 + +Change-Id: I229d7f18c46f0b55ec83f051614de1b59e125b82 +--- + base/java-tools/src/com/netscape/cmstools/CMCRequest.java | 13 ++++++++----- + .../src/com/netscape/cms/profile/common/EnrollProfile.java | 13 ++++++------- + .../com/netscape/cms/servlet/common/CMCOutputTemplate.java | 8 +++----- + 3 files changed, 17 insertions(+), 17 deletions(-) + +diff --git a/base/java-tools/src/com/netscape/cmstools/CMCRequest.java b/base/java-tools/src/com/netscape/cmstools/CMCRequest.java +index 8d49b20..4adf22b 100644 +--- a/base/java-tools/src/com/netscape/cmstools/CMCRequest.java ++++ b/base/java-tools/src/com/netscape/cmstools/CMCRequest.java +@@ -40,6 +40,7 @@ import java.util.StringTokenizer; + import org.mozilla.jss.CryptoManager; + import org.mozilla.jss.asn1.ANY; + import org.mozilla.jss.asn1.ASN1Util; ++import org.mozilla.jss.asn1.ASN1Value; + import org.mozilla.jss.asn1.BIT_STRING; + import org.mozilla.jss.asn1.ENUMERATED; + import org.mozilla.jss.asn1.GeneralizedTime; +@@ -1708,6 +1709,12 @@ public class CMCRequest { + try { + TaggedRequest request = encryptedPop.getRequest(); + AlgorithmIdentifier thePOPAlgID = encryptedPop.getThePOPAlgID(); ++ ++ ASN1Value v = thePOPAlgID.getParameters(); ++ v = ((ANY) v).decodeWith(new OCTET_STRING.Template()); ++ byte iv[] = ((OCTET_STRING) 
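Review bot: In the new private `WrappingParams(String, String, IVParameterSpec)` constructor the DES branch sets `skWrapAlgorithm = KeyWrapAlgorithm.DES3_CBC_PAD`, which is unconditionally overwritten a few lines later by the `priKeyAlgo.equals("EC")` block, so that assignment is dead and misleading. The three algorithm `if`s are independent with no final `else`; today `getKeyWrapAlgorithmFromOID` can only return these three values, but an `else { throw new NoSuchAlgorithmException("Unsupported key wrap algorithm: " + kwAlg); }` on the last branch keeps a future addition from producing a half-initialized params object with null algorithms. `getWrappingParamsFromArchiveOptions` also lacks a javadoc saying that `wrapIV` is reused as the payload encryption IV and, except for AES key wrap, as the wrapping IV.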
v).toByteArray(); ++ IVParameterSpec ivps = new IVParameterSpec(iv); ++ + AlgorithmIdentifier witnessAlgID = encryptedPop.getWitnessAlgID(); + OCTET_STRING witness = encryptedPop.getWitness(); + ContentInfo cms = encryptedPop.getContentInfo(); +@@ -1734,13 +1741,9 @@ public class CMCRequest { + } + System.out.println(method + "symKey unwrapped."); + +- // TODO(alee) The code below should be replaced by code that generates a random IV +- byte[] iv = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 }; +- IVParameterSpec default_iv = new IVParameterSpec(iv); +- + byte challenge[] = CryptoUtil.decryptUsingSymmetricKey( + token, +- default_iv, ++ ivps, + encCI.getEncryptedContent().toByteArray(), + symKey, + EncryptionAlgorithm.AES_128_CBC); +diff --git a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java +index 12fb736..2591ace 100644 +--- a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java ++++ b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java +@@ -403,8 +403,7 @@ public abstract class EnrollProfile extends BasicProfile + String tokenName = CMS.getConfigStore().getString("cmc.token", CryptoUtil.INTERNAL_TOKEN_NAME); + token = CryptoUtil.getCryptoToken(tokenName); + +- // TODO(alee) Replace the IV definition with a call that generates a random IV of the correct length +- byte[] iv = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 }; ++ byte[] iv = CryptoUtil.getNonceData(EncryptionAlgorithm.AES_128_CBC.getIVLength()); + IVParameterSpec ivps = new IVParameterSpec(iv); + + PublicKey userPubKey = X509Key.parsePublicKey(new DerValue(req_key_data)); +@@ -466,6 +465,8 @@ public abstract class EnrollProfile extends BasicProfile + + req.setExtData("pop_userPubEncryptedSession", pop_userPubEncryptedSession); + ++ req.setExtData("pop_encryptedDataIV", iv); ++ + // now compute and 
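Review bot: The IV is now read from `thePOPAlgID.getParameters()`, but nothing checks that the OID carried by `thePOPAlgID` is the `EncryptionAlgorithm.AES_128_CBC` that the `decryptUsingSymmetricKey` call in the next hunk (`@@ -1734,13 +1741,9 @@`) hardcodes, and the `(ANY)`/`(OCTET_STRING)` casts throw if the parameters field is absent. Before decrypting, reject a mismatch with `if (!EncryptionAlgorithm.AES_128_CBC.toOID().equals(thePOPAlgID.getOID())) throw new Exception(method + "unexpected POP encryption algorithm");` and check `iv.length == EncryptionAlgorithm.AES_128_CBC.getIVLength()`, so a malformed response fails with a clear message rather than a cast or decryption error. The enclosing try block and method continue outside both hunks.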
set witness + CMS.debug(method + "now compute and set witness"); + String hashName = CryptoUtil.getDefaultHashAlgName(); +@@ -1123,14 +1124,12 @@ public abstract class EnrollProfile extends BasicProfile + return null; + } + +- // TODO(alee) The code below should be replaced by code that gets the IV from the Pop request +- // This IV is supposed to be random +- byte[] iv = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 }; +- IVParameterSpec default_iv = new IVParameterSpec(iv); ++ byte[] iv = req.getExtDataInByteArray("pop_encryptedDataIV"); ++ IVParameterSpec ivps = new IVParameterSpec(iv); + + byte[] challenge_b = CryptoUtil.decryptUsingSymmetricKey( + token, +- default_iv, ++ ivps, + pop_encryptedData, + symKey, + EncryptionAlgorithm.AES_128_CBC); +diff --git a/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java b/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java +index 8e47298..8d6c37f 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java +@@ -491,6 +491,7 @@ public class CMCOutputTemplate { + //don't need this for encryptedPOP, but need to check for existence anyway + byte[] pop_sysPubEncryptedSession = req.getExtDataInByteArray("pop_sysPubEncryptedSession"); + byte[] pop_userPubEncryptedSession = req.getExtDataInByteArray("pop_userPubEncryptedSession"); ++ byte[] iv = req.getExtDataInByteArray("pop_encryptedDataIV"); + if ((pop_encryptedData != null) && + (pop_sysPubEncryptedSession != null) && + (pop_userPubEncryptedSession != null)) { +@@ -517,11 +518,8 @@ public class CMCOutputTemplate { + throw new EBaseException(method + msg); + } + +- // TODO(alee) The code below should be replaced by code that generates a random IV +- byte[] default_iv = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 }; +- + OBJECT_IDENTIFIER oid = 
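Review bot: `req.getExtDataInByteArray("pop_encryptedDataIV")` returns null for any request stored before this attribute existed, and `new IVParameterSpec(iv)` is then built from a null IV; the same applies to `new OCTET_STRING(iv)` in CMCOutputTemplate (`@@ -491,6 +491,7 @@` and `@@ -517,11 +518,8 @@`), where the existence check lists the three other pop_* values but not the IV. In EnrollProfile, guard it like the preceding checks with `if (iv == null) { return null; }` (plus the same debug logging the surrounding code uses). In CMCOutputTemplate, add `(iv != null) &&` to the `if ((pop_encryptedData != null) && ...` condition so a request without the IV takes the existing error path instead of failing later.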
EncryptionAlgorithm.AES_128_CBC.toOID(); +- AlgorithmIdentifier aid = new AlgorithmIdentifier(oid, new OCTET_STRING(default_iv)); ++ AlgorithmIdentifier aid = new AlgorithmIdentifier(oid, new OCTET_STRING(iv)); + + encPop = new EncryptedPOP( + tReq, +@@ -532,7 +530,7 @@ public class CMCOutputTemplate { + + } catch (Exception e) { + CMS.debug(method + " excepton:" + e); +- throw new EBaseException(method + " excepton:" + e); ++ throw new EBaseException(method + " exception:" + e); + } + + } else { +-- +1.8.3.1 + + +From 698192f4f62c55142a557f6489ed2323e17401b0 Mon Sep 17 00:00:00 2001 +From: Christina Fu +Date: Tue, 30 May 2017 14:12:06 -0700 +Subject: [PATCH 11/14] Ticket #2619 Allow CA to process user-signed CMC + revocation requests + +First of all, the original CMC revocation only supports agent-signed CMC revocation requests from the UI where CMCRevReqServlet handles it with CMCAuth. It is in violation with https://tools.ietf.org/html/rfc5273 CMC Transport Protocols, as for HTTP/HTTPS, the body of the message is the binary value of the BER encoding of the PKI Request or Response,so HTML is not an approved method.The other way is through profileSubmitCMCFullServlet (or maybe not, as it was completely broken). + +One thing that's much less crucial, but goes along with rfc update is the name of the revocation request ASN1 structure. In the new rfc5272, it is now called RevokeRequest insead of RevRequest. + +This patch revamped the CMC revocation provision and fixing what's broken and adding what's missing. + +On the client side: + +CMCRequest + +- Commented out the code where it made an assumption to use OtherMsg for the signer information. This makes no sense as the outer layer SignedData would have the same information when signing happens. + +- removed the revRequest.nickname parameter from the configuration. 
From the code it seems like it expects the certificate to be revoked to exist in the user database, and it uses the same certificate to sign the revocation request. The RFC does allow for self-signed revocation, but it also allows for signing with another certificate provided that it has same subject. By removing the revRequest.nickname parameter, I am using the "nickname" parameter as the signer cert, which may or may not be the same certificate specified in revRequest.serial. It is less confusing. The change also eliminate the need for the cert to be revoked to be present in the db. In addition, revRequest.issuer only needs to be specified if revRequest.sharedSecret is used. The code will extract the issuer info from the signing cert. + +- added support for unsigned data in support of shared secret in both CMCRequest and server; The original code assumed that a cmc revocation request that relies on shared secret still requires agent signing. + +CMCRevoke + +- The original code assumed that the nss db password is the same as Shared Secret (!!). This patch added a "-t" to accept shred secret, and keep the -p for the nss db password. + +- The original code printed out b64 encoded request to the screen output as well as the file CMCRevoke.out. Both are unusable directly. This patch fixes it so that the output to the screen can be directly copied and pasted into the CMC revocate ui at ee (processed by CMCRevReqServlet); Again, this is not RFC conforming, but I fixed it anyways; + +- The output to the file CMCRevoke.out has been fixed so that it is the BER encoding of the request, which can be fed directly into the updated server that now conforms to the RFC (see below) + +- This code still requires the signer certificate nickname to run, making the shared secret method moot. Since CMCRequest has been updated to work properly, we can leave this for now. + +On the server side. 
+ +CMCUserSignedAuth has been updated to handle unsigned DATA; Recall that the original CMC revocation only handled SIGNED_DATA (making assumption that agent always signs the requests). This addition is important to support shared secrets properly. + +Another thing that's important change on the server side is that it now checks the revoking cert's subject against the signer's subject, if authenticated by CMCUserSignedAuth. The original code did not do that, I think it is because it always checks if it's an agent or not. + +Something that could be improved on is to have its own servlet. However, due to the time restriction, I only updated existing EnrollProfile, ProfileSubmitCMCServlet, and CMCOutputTemplate to handle the rfc conforming cmc revocation requests. + +The shared secret handling is left in the CMCOutputTemplate for now. Logically it would make sense to go into CMCUserSignedAuth. This could be left as a possible later ticket for improvement. Shared Token plugin implementation will be added in later ticket as well. + +Previously missed signing cert validation is also added for more complete check. +Some SHA1 are turned into SHA2 + +Finally, some auditing are added, but it is not finalized. It will be done in the next ticket(s). 
+--- + base/common/src/com/netscape/certsrv/apps/CMS.java | 10 + + .../src/com/netscape/certsrv/apps/ICMSEngine.java | 8 + + .../com/netscape/certsrv/base/SessionContext.java | 5 + + .../src/com/netscape/cmstools/CMCRequest.java | 251 ++++++++----- + .../src/com/netscape/cmstools/CMCRevoke.java | 133 +++---- + .../com/netscape/cms/authentication/CMCAuth.java | 19 +- + .../cms/authentication/CMCUserSignedAuth.java | 198 +++++----- + .../netscape/cms/profile/common/EnrollProfile.java | 80 ++-- + .../cms/servlet/cert/CMCRevReqServlet.java | 4 +- + .../com/netscape/cms/servlet/cert/ListCerts.java | 10 +- + .../cms/servlet/common/CMCOutputTemplate.java | 407 +++++++++++++++------ + .../servlet/common/GenPendingTemplateFiller.java | 15 +- + .../servlet/profile/ProfileSubmitCMCServlet.java | 12 +- + .../src/com/netscape/cmscore/apps/CMSEngine.java | 33 ++ + .../netscape/cmscore/app/CMSEngineDefaultStub.java | 5 + + base/util/src/com/netscape/cmsutil/util/Utils.java | 5 + + 16 files changed, 769 insertions(+), 426 deletions(-) + +diff --git a/base/common/src/com/netscape/certsrv/apps/CMS.java b/base/common/src/com/netscape/certsrv/apps/CMS.java +index cc634cc..9df99ab 100644 +--- a/base/common/src/com/netscape/certsrv/apps/CMS.java ++++ b/base/common/src/com/netscape/certsrv/apps/CMS.java +@@ -36,6 +36,7 @@ import org.dogtagpki.legacy.policy.ISubjAltNameConfig; + import org.mozilla.jss.CryptoManager.CertificateUsage; + import org.mozilla.jss.util.PasswordCallback; + ++import com.netscape.certsrv.authentication.ISharedToken; + import com.netscape.certsrv.acls.EACLsException; + import com.netscape.certsrv.acls.IACL; + import com.netscape.certsrv.authentication.IAuthSubsystem; +@@ -1575,6 +1576,15 @@ public final class CMS { + } + + /** ++ * Retrieves the SharedToken class. 
++ * ++ * @return named SharedToken class ++ */ ++ public static ISharedToken getSharedTokenClass(String configName) { ++ return _engine.getSharedTokenClass(configName); ++ } ++ ++ /** + * Puts a password entry into the single-sign on cache. + * + * @param tag password tag +diff --git a/base/common/src/com/netscape/certsrv/apps/ICMSEngine.java b/base/common/src/com/netscape/certsrv/apps/ICMSEngine.java +index 3655b03..563b7c9 100644 +--- a/base/common/src/com/netscape/certsrv/apps/ICMSEngine.java ++++ b/base/common/src/com/netscape/certsrv/apps/ICMSEngine.java +@@ -38,6 +38,7 @@ import org.mozilla.jss.util.PasswordCallback; + + import com.netscape.certsrv.acls.EACLsException; + import com.netscape.certsrv.acls.IACL; ++import com.netscape.certsrv.authentication.ISharedToken; + import com.netscape.certsrv.authority.IAuthority; + import com.netscape.certsrv.base.EBaseException; + import com.netscape.certsrv.base.IArgBlock; +@@ -681,6 +682,13 @@ public interface ICMSEngine extends ISubsystem { + public ILdapConnFactory getLdapAnonConnFactory(String id) throws ELdapException; + + /** ++ * Retrieves the named SharedToken class ++ * ++ * @return named shared token class ++ */ ++ public ISharedToken getSharedTokenClass(String configName); ++ ++ /** + * Retrieves the password check. 
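Review bot: The javadoc for the new `CMS.getSharedTokenClass` documents the return value but not its only parameter; add `@param configName configuration name used to look up the SharedToken class` (the `ICMSEngine.getSharedTokenClass` declaration in the next file has the same omission). Also, the new `import com.netscape.certsrv.authentication.ISharedToken;` in the `@@ -36,6 +36,7 @@` hunk is placed above the `acls` imports, breaking the alphabetical order the rest of the block follows; the ICMSEngine hunk puts it in the right spot.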
+ * + * @return default password checker +diff --git a/base/common/src/com/netscape/certsrv/base/SessionContext.java b/base/common/src/com/netscape/certsrv/base/SessionContext.java +index 81debae..8bcb3c1 100644 +--- a/base/common/src/com/netscape/certsrv/base/SessionContext.java ++++ b/base/common/src/com/netscape/certsrv/base/SessionContext.java +@@ -53,6 +53,11 @@ public class SessionContext extends Hashtable { + public static final String AUTH_MANAGER_ID = "authManagerId"; // String + + /** ++ * Principal name object of the signed CMC request ++ */ ++ public static final String CMC_SIGNER_PRINCIPAL = "cmcSignerPrincipal"; ++ ++ /** + * User object of the authenticated user in the current thread. + */ + public static final String USER = "user"; // IUser +diff --git a/base/java-tools/src/com/netscape/cmstools/CMCRequest.java b/base/java-tools/src/com/netscape/cmstools/CMCRequest.java +index 4adf22b..00e03a7 100644 +--- a/base/java-tools/src/com/netscape/cmstools/CMCRequest.java ++++ b/base/java-tools/src/com/netscape/cmstools/CMCRequest.java +@@ -72,15 +72,14 @@ import org.mozilla.jss.pkix.cmc.GetCert; + import org.mozilla.jss.pkix.cmc.IdentityProofV2; + import org.mozilla.jss.pkix.cmc.LraPopWitness; + import org.mozilla.jss.pkix.cmc.OtherInfo; +-import org.mozilla.jss.pkix.cmc.OtherMsg; + import org.mozilla.jss.pkix.cmc.PKIData; + import org.mozilla.jss.pkix.cmc.PendInfo; + import org.mozilla.jss.pkix.cmc.PopLinkWitnessV2; + import org.mozilla.jss.pkix.cmc.ResponseBody; ++import org.mozilla.jss.pkix.cmc.RevokeRequest; + import org.mozilla.jss.pkix.cmc.TaggedAttribute; + import org.mozilla.jss.pkix.cmc.TaggedCertificationRequest; + import org.mozilla.jss.pkix.cmc.TaggedRequest; +-import org.mozilla.jss.pkix.cmmf.RevRequest; + import org.mozilla.jss.pkix.cms.ContentInfo; + import org.mozilla.jss.pkix.cms.EncapsulatedContentInfo; + import org.mozilla.jss.pkix.cms.EncryptedContentInfo; +@@ -374,14 +373,30 @@ public class CMCRequest { + + /** + * getCMCBlob create 
and return the enrollment request. +- * ++ * It now handles two types of data input: ++ * - SignedData (which is for signed data) ++ * - data (which is for unsigned data) + * @return the CMC enrollment request encoded in base64 + * + */ +- static ContentInfo getCMCBlob(SignedData req) { ++ static ContentInfo getCMCBlob(SignedData signedData, byte[] data) { + String method = "getCMCBlob: "; + System.out.println(method + "begins"); +- ContentInfo fullEnrollmentReq = new ContentInfo(req); ++ ContentInfo fullEnrollmentReq = null; ++ if (signedData != null && data == null) { ++ System.out.println("getCMCBlob: generating signed data"); ++ fullEnrollmentReq = new ContentInfo(signedData); ++ } else if (data != null && signedData == null) { ++ System.out.println("getCMCBlob: generating unsigned data"); ++ fullEnrollmentReq = new ContentInfo(data); ++ } else if (signedData == null && data == null) { ++ System.out.println("getCMCBlob: both params are null"); ++ System.exit(1); ++ } else { ++ System.out.println("getCMCBlob: both params are not null; only one of them can be used, the other must be null"); ++ System.exit(1); ++ } ++ + try { + ByteArrayOutputStream bs = new ByteArrayOutputStream(); + PrintStream ps = new PrintStream(bs); +@@ -768,29 +783,32 @@ public class CMCRequest { + System.out.println(""); + System.out.println("#input: full path for the PKCS10 request or CRMF request,"); + System.out.println("#the content must be in Base-64 encoded format"); +- System.out.println("#Multiple files are supported. They must be separated by space."); ++// System.out.println("#Multiple files are supported. 
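Review bot: `getCMCBlob` now calls `System.exit(1)` on bad arguments, which makes the helper untestable and unusable from any caller that wants to report the error; throwing `IllegalArgumentException("getCMCBlob: exactly one of signedData and data must be non-null")` gives the CLI the same outcome while leaving the decision to the caller. The two error branches can be collapsed into one `if ((signedData == null) == (data == null))` test placed before the success branches. The javadoc gained a description of the two inputs but no `@param signedData` / `@param data` tags to match the existing `@return`. The method continues outside the hunk.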
They must be separated by space."); ++ System.out.println("# in case of revocation, input will be ignored"); + System.out.println("input=crmf.req"); + System.out.println(""); + System.out.println("#output: full path for the CMC request in binary format"); + System.out.println("output=cmc.req"); + System.out.println(""); +- System.out.println("#tokenname: name of token where agent signing cert can be found (default is internal)"); ++ System.out.println("#tokenname: name of token where user signing cert can be found (default is internal)"); + System.out.println("tokenname=internal"); + System.out.println(""); +- System.out.println("#nickname: nickname for agent certificate which will be used"); +- System.out.println("#to sign the CMC full request."); ++ System.out.println("#nickname: nickname for user certificate which will be used"); ++ System.out.println("#to sign the CMC full request (enrollment or revocation)."); ++ System.out.println(""); + System.out.println("#selfSign: if selfSign is true, the CMC request will be"); +- System.out.println("#signed with the pairing private key of the request;"); ++ System.out.println("#signed with the pairing private key of the enrollment request;"); + System.out.println("#and in which case the nickname will be ignored"); +- System.out.println("nickname=CMS Agent Certificate"); ++ System.out.println("#If revRequest.sharedSecret is specified, then nickname will also be ignored."); ++ System.out.println("nickname=CMS User Signing Certificate"); + System.out.println(""); + System.out.println("selfSign=false"); + System.out.println(""); + System.out.println("#dbdir: directory for cert8.db, key3.db and secmod.db"); + System.out.println("dbdir=./"); + System.out.println(""); +- System.out.println("#password: password for cert8.db which stores the agent"); +- System.out.println("#certificate"); ++ System.out.println("#password: password for cert8.db which stores the user signing"); ++ System.out.println("#certificate and keys"); + 
System.out.println("password=pass"); + System.out.println(""); + System.out.println("#format: request format, either pkcs10 or crmf"); +@@ -844,13 +862,19 @@ public class CMCRequest { + System.out.println("#control. Otherwise, false."); + System.out.println("revRequest.enable=false"); + System.out.println(""); ++/* + System.out.println("#revRequest.nickname: The nickname for the revoke certificate"); + System.out.println("revRequest.nickname=newuser's 102504a ID"); + System.out.println(""); ++*/ + System.out.println("#revRequest.issuer: The issuer name for the certificate being"); +- System.out.println("#revoked."); ++ System.out.println("#revoked. It only needs to be specified when the request is unsigned,;"); ++ System.out.println("#as in the case when sharedSecret is used;"); + System.out.println("revRequest.issuer=cn=Certificate Manager,c=us"); + System.out.println(""); ++ System.out.println("#revRequest.sharedSecret: The sharedSecret"); ++ System.out.println("revRequest.sharedSecret="); ++ System.out.println(""); + System.out.println("#revRequest.serial: The serial number for the certificate being"); + System.out.println("#revoked."); + System.out.println("revRequest.serial=61"); +@@ -861,9 +885,6 @@ public class CMCRequest { + System.out.println("# certificateHold, removeFromCRL"); + System.out.println("revRequest.reason=unspecified"); + System.out.println(""); +- System.out.println("#revRequest.sharedSecret: The sharedSecret"); +- System.out.println("revRequest.sharedSecret="); +- System.out.println(""); + System.out.println("#revRequest.comment: The human readable comment"); + System.out.println("revRequest.comment="); + System.out.println(""); +@@ -972,27 +993,27 @@ public class CMCRequest { + + private static ENUMERATED toCRLReason(String str) { + if (str.equalsIgnoreCase("unspecified")) { +- return RevRequest.unspecified; ++ return RevokeRequest.unspecified; + } else if (str.equalsIgnoreCase("keyCompromise")) { +- return RevRequest.keyCompromise; ++ 
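Review bot: The new usage line `"#revoked. It only needs to be specified when the request is unsigned,;"` has stray punctuation (`,;`) and the next line also ends in a dangling `;`; suggest `"#revoked. It only needs to be specified when the request is unsigned,"` followed by `"#as in the case when sharedSecret is used."`. Since `revRequest.sharedSecret` is now read from this same config file, the template could warn the operator that the file then holds a secret in cleartext, e.g. `"#revRequest.sharedSecret: The sharedSecret (stored in cleartext; protect this file)"`. printUsage() starts and ends outside the hunk.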
return RevokeRequest.keyCompromise; + } else if (str.equalsIgnoreCase("caCompromise")) { +- return RevRequest.cACompromise; ++ return RevokeRequest.cACompromise; + } else if (str.equalsIgnoreCase("affiliationChanged")) { +- return RevRequest.affiliationChanged; ++ return RevokeRequest.affiliationChanged; + } else if (str.equalsIgnoreCase("superseded")) { +- return RevRequest.superseded; ++ return RevokeRequest.superseded; + } else if (str.equalsIgnoreCase("cessationOfOperation")) { +- return RevRequest.cessationOfOperation; ++ return RevokeRequest.cessationOfOperation; + } else if (str.equalsIgnoreCase("certificateHold")) { +- return RevRequest.certificateHold; ++ return RevokeRequest.certificateHold; + } else if (str.equalsIgnoreCase("removeFromCRL")) { +- return RevRequest.removeFromCRL; ++ return RevokeRequest.removeFromCRL; + } + + System.out.println("Unrecognized CRL reason"); + System.exit(1); + +- return RevRequest.unspecified; ++ return RevokeRequest.unspecified; + } + + /** +@@ -1119,42 +1140,84 @@ public class CMCRequest { + return bpid; + } + +- private static int addRevRequestAttr(int bpid, SEQUENCE seq, SEQUENCE otherMsgSeq, CryptoToken token, String tokenName, String nickname, ++ /* ++ * addRevRequestAttr adds the RevokeRequest control ++ * If sharedSecret exist, issuer name needs to be supplied; ++ * else signing cert is needed to extract issuerName ++ */ ++ private static int addRevRequestAttr(int bpid, SEQUENCE seq, ++ CryptoToken token, X509Certificate revokeSignCert, + String revRequestIssuer, String revRequestSerial, String revRequestReason, + String revRequestSharedSecret, String revRequestComment, String invalidityDatePresent, + CryptoManager manager) { ++ ++ String method = "addRevRequestAttr: "; + try { +- if (nickname.length() <= 0) { +- System.out.println("The nickname for the certificate being revoked is null"); +- System.exit(1); +- } +- String nickname1 = nickname; + UTF8String comment = null; + OCTET_STRING sharedSecret = null; + 
GeneralizedTime d = null; +- X500Name subjectname = new X500Name(revRequestIssuer); ++ X500Name issuerName = null; ++ ++ if ((revRequestSerial == null) || (revRequestSerial.length() <= 0)) { ++ System.out.println(method + "revocation serial number must be supplied"); ++ System.exit(1); ++ } ++ if ((revRequestReason == null) || (revRequestReason.length() <= 0)) { ++ System.out.println(method + "revocation reason must be supplied"); ++ System.exit(1); ++ } + INTEGER snumber = new INTEGER(revRequestSerial); + ENUMERATED reason = toCRLReason(revRequestReason); +- if (revRequestSharedSecret.length() > 0) ++ ++ if ((revRequestSharedSecret != null) && (revRequestSharedSecret.length() > 0)) { + sharedSecret = new OCTET_STRING(revRequestSharedSecret.getBytes()); +- if (revRequestComment.length() > 0) ++ // in case of sharedSecret, ++ // issuer name will have to be provided; ++ // revokeSignCert is ignored; ++ if (revRequestIssuer == null) { ++ System.out.println(method + "issuer name must be supplied when shared secret is used"); ++ System.exit(1); ++ } ++ issuerName = new X500Name(revRequestIssuer); ++ } else { // signing case; revokeSignCert is required ++ if (revokeSignCert == null) { ++ System.out.println(method + "revokeSignCert must be supplied in the signing case"); ++ System.exit(1); ++ } ++ } ++ ++ if (revRequestComment != null && revRequestComment.length() > 0) + comment = new UTF8String(revRequestComment); + if (invalidityDatePresent.equals("true")) + d = new GeneralizedTime(new Date()); +- RevRequest revRequest = +- new RevRequest(new ANY(subjectname.getEncoded()), snumber, +- reason, d, sharedSecret, comment); +- int revokeBpid = bpid; ++ ++ if (sharedSecret == null) { ++ System.out.println(method + "no sharedSecret found; request will be signed;"); ++ ++ // getting issuerName from revokeSignCert ++ byte[] certB = revokeSignCert.getEncoded(); ++ X509CertImpl impl = new X509CertImpl(certB); ++ issuerName = (X500Name) impl.getIssuerDN(); ++ } else { ++ 
System.out.println(method + "sharedSecret found; request will be unsigned;"); ++ } ++ ++ RevokeRequest revRequest = new RevokeRequest(new ANY(issuerName.getEncoded()), snumber, ++ reason, d, sharedSecret, comment); ++ + TaggedAttribute revRequestControl = new TaggedAttribute( + new INTEGER(bpid++), + OBJECT_IDENTIFIER.id_cmc_revokeRequest, revRequest); + seq.addElement(revRequestControl); ++ System.out.println(method + "RevokeRequest control created."); + +- if (sharedSecret != null) { +- System.out.println("Successfully create revRequest control. bpid = " + (bpid - 1)); +- System.out.println(""); +- return bpid; +- } ++ return bpid; ++/* ++ * Constructing OtherMsg to include the SignerInfo makes no sense here ++ * as the outer layer SignedData would have SignerInfo. ++ * It is possibly done because the original code assumed a self-signed ++ * revocation request that is subsequently signed by an agent... ++ * which is not conforming to the RFC. + + EncapsulatedContentInfo revokeContent = new EncapsulatedContentInfo( + OBJECT_IDENTIFIER.id_cct_PKIData, revRequestControl); +@@ -1241,6 +1304,7 @@ public class CMCRequest { + otherMsgSeq.addElement(otherMsg); + System.out.println("Successfully create revRequest control. bpid = " + (bpid - 1)); + System.out.println(""); ++*/ + } catch (Exception e) { + System.out.println("Error in creating revRequest control. Check the parameters. 
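Review bot: `new OCTET_STRING(revRequestSharedSecret.getBytes())` encodes the passphrase with the JVM default charset, so a non-ASCII secret yields different bytes on a client whose default differs from what the CA compares against; use `revRequestSharedSecret.getBytes(StandardCharsets.UTF_8)` (and the same on the verifying side). Because this control is emitted in an unsigned `ContentInfo.DATA` body, CMC itself gives the secret no integrity or confidentiality protection, which the new method comment should say: `// NOTE: shared-secret revocation is unsigned; the secret is protected only by the transport (TLS)`. The `revRequestIssuer == null` check also lets an empty string through to `new X500Name("")`, where it surfaces only as the generic "Check the parameters" exception. addRevRequestAttr's body continues outside the hunk.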
Exception="+ e.toString()); + System.exit(1); +@@ -1346,9 +1410,9 @@ public class CMCRequest { + String salt = "lala123" + date.toString(); + + try { +- MessageDigest SHA1Digest = MessageDigest.getInstance("SHA1"); ++ MessageDigest SHA256Digest = MessageDigest.getInstance("SHA256"); + +- dig = SHA1Digest.digest(salt.getBytes()); ++ dig = SHA256Digest.digest(salt.getBytes()); + } catch (NoSuchAlgorithmException ex) { + dig = salt.getBytes(); + } +@@ -1825,7 +1889,6 @@ public class CMCRequest { + String dataReturnEnable = "false", dataReturnData = null; + String transactionMgtEnable = "false", transactionMgtId = null; + String senderNonceEnable = "false", senderNonce = null; +- String revCertNickname = ""; + String revRequestEnable = "false", revRequestIssuer = null, revRequestSerial = null; + String revRequestReason = null, revRequestSharedSecret = null, revRequestComment = null; + String revRequestInvalidityDatePresent = "false"; +@@ -1941,8 +2004,6 @@ public class CMCRequest { + revRequestComment = val; + } else if (name.equals("revRequest.invalidityDatePresent")) { + revRequestInvalidityDatePresent = val; +- } else if (name.equals("revRequest.nickname")) { +- revCertNickname = val; + } else if (name.equals("identification.enable")) { + identificationEnable = val; + } else if (name.equals("identification")) { +@@ -1985,7 +2046,8 @@ public class CMCRequest { + printUsage(); + } + +- if (!selfSign.equals("true") && nickname == null) { ++ if ((!selfSign.equals("true") && (revRequestSharedSecret == null)) ++ && nickname == null) { + System.out.println("Missing nickname."); + printUsage(); + } +@@ -2031,11 +2093,12 @@ public class CMCRequest { + certname.append(tokenName); + certname.append(":"); + } +- if (!selfSign.equals("true") && nickname != null) { ++ if ((!selfSign.equals("true") || (revRequestSharedSecret == null)) ++ && nickname != null) { + certname.append(nickname); + signerCert = cm.findCertByNickname(certname.toString()); + if (signerCert != null) { +- 
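Review bot: The senderNonce is still derived from the fixed prefix `"lala123"` plus `date.toString()` (the `salt` context line), so changing the digest from SHA-1 to SHA-256 does not make the nonce unpredictable, nor unique across requests created within the same second. A nonce should come from a CSPRNG, `byte[] dig = new byte[32]; new java.security.SecureRandom().nextBytes(dig);`, after which the `NoSuchAlgorithmException` fallback to raw `salt.getBytes()` can be dropped. The enclosing method starts and ends outside the hunk.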
System.out.println("got signerCert: "+ certname.toString()); ++ System.out.println("got signerCert: " + certname.toString()); + } + } + +@@ -2065,6 +2128,7 @@ public class CMCRequest { + } + } + ++ boolean isSharedSecretRevoke = false; + if (decryptedPopEnable.equalsIgnoreCase("true")) { + if (encryptedPopResponseFile == null) { + System.out.println("ecryptedPop.enable = true, but encryptedPopResponseFile is not specified."); +@@ -2091,7 +2155,7 @@ public class CMCRequest { + } + } else { // !decryptedPopEnable + +- if (ifilename == null) { ++ if (!revRequestEnable.equalsIgnoreCase("true") && ifilename == null) { + System.out.println("Missing input filename for PKCS10 or CRMF."); + printUsage(); + } +@@ -2109,14 +2173,17 @@ public class CMCRequest { + } + } + +- StringTokenizer tokenizer = new StringTokenizer(ifilename, " "); +- String[] ifiles = new String[num]; +- for (int i = 0; i < num; i++) { +- String ss = tokenizer.nextToken(); +- ifiles[i] = ss; +- if (ss == null) { +- System.out.println("Missing input file for the request."); +- System.exit(1); ++ String[] ifiles = null; ++ if (revRequestEnable.equalsIgnoreCase("false")) { ++ StringTokenizer tokenizer = new StringTokenizer(ifilename, " "); ++ ifiles = new String[num]; ++ for (int i = 0; i < num; i++) { ++ String ss = tokenizer.nextToken(); ++ ifiles[i] = ss; ++ if (ss == null) { ++ System.out.println("Missing input file for the request."); ++ System.exit(1); ++ } + } + } + +@@ -2126,11 +2193,12 @@ public class CMCRequest { + } + + if (format == null) { +- System.out.println("Missing format."); +- printUsage(); ++ System.out.println("Missing format..assume revocation"); ++ //printUsage(); + } ++ + String[] requests = new String[num]; +- for (int i = 0; i < num; i++) { ++ for (int i = 0; i < num && revRequestEnable.equalsIgnoreCase("false") ; i++) { + BufferedReader inputBlob = null; + try { + inputBlob = new BufferedReader(new InputStreamReader( +@@ -2222,20 +2290,20 @@ public class CMCRequest { + + 
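Review bot: The lookup condition `(!selfSign.equals("true") || (revRequestSharedSecret == null)) && nickname != null` uses `||` where the validation in the preceding hunk (`-1985`) uses `&&` for the same pair, so `findCertByNickname` now also runs for a self-signed enrollment that happens to have a nickname configured, which the earlier check deliberately exempts. If the intent is "look up the signer cert only when a certificate signature is actually needed", this should read `if (!selfSign.equals("true") && revRequestSharedSecret == null && nickname != null)`. main() continues outside the hunk.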
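Review bot: `revRequestEnable` is tested three different ways in this region: `!equalsIgnoreCase("true")` in the `-2091` hunk, `equalsIgnoreCase("false")` here and in the loop guard of the `-2126` hunk, and `equalsIgnoreCase("true")` later; any other config value (e.g. `yes`) demands an input file but never reads it, leaving `requests` full of nulls for createPKIData. Normalize once after config parsing, `boolean revEnabled = revRequestEnable.equalsIgnoreCase("true");`, and use that flag in every branch. main() continues outside the hunk.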
SEQUENCE otherMsgSeq = new SEQUENCE(); + if (revRequestEnable.equalsIgnoreCase("true")) { +- if (revRequestIssuer.length() == 0 || revRequestSerial.length() == 0 || +- revRequestReason.length() == 0) { +- System.out.println("Illegal parameters for revRequest control"); +- printUsage(); +- System.exit(1); ++ if ((revRequestSharedSecret!= null) ++ && (revRequestSharedSecret.length() > 0)) { ++ isSharedSecretRevoke = true; ++ //this will result in unsigned data + } + +- bpid = addRevRequestAttr(bpid, controlSeq, otherMsgSeq, token, tokenName, revCertNickname, ++ bpid = addRevRequestAttr(bpid, controlSeq, token, signerCert, + revRequestIssuer, revRequestSerial, revRequestReason, revRequestSharedSecret, + revRequestComment, revRequestInvalidityDatePresent, cm); +- } ++ pkidata = new PKIData(controlSeq, new SEQUENCE(), new SEQUENCE(), new SEQUENCE()); ++ } else { + +- // create the request PKIData +- pkidata = createPKIData( ++ // create the request PKIData ++ pkidata = createPKIData( + selfSign, + requests, + format, transactionMgtEnable, transactionMgtId, +@@ -2248,6 +2316,7 @@ public class CMCRequest { + popLinkWitnessV2keyGenAlg, popLinkWitnessV2macAlg, + controlSeq, otherMsgSeq, bpid, + token, privk); ++ } + + if (pkidata == null) { + System.out.println("pkidata null after createPKIData(). Exiting with error"); +@@ -2255,22 +2324,30 @@ public class CMCRequest { + } + } + +- // sign the request +- SignedData signedData = null; +- if (selfSign.equalsIgnoreCase("true")) { +- // selfSign signs with private key +- System.out.println("selfSign is true..."); +- signedData = signData(privk, pkidata); ++ if (isSharedSecretRevoke) { ++ cmcblob = getCMCBlob(null, ++ ASN1Util.encode(pkidata)); + } else { +- // none selfSign signs with existing cert +- System.out.println("selfSign is false..."); +- signedData = signData(signerCert, tokenName, nickname, cm, pkidata); +- } +- if (signedData == null) { +- System.out.println("signData() returns null. 
Exiting with error"); +- System.exit(1); ++ ++ SignedData signedData = null; ++ ++ // sign the request ++ if (selfSign.equalsIgnoreCase("true")) { ++ // selfSign signs with private key ++ System.out.println("selfSign is true..."); ++ signedData = signData(privk, pkidata); ++ } else { ++ // none selfSign signs with existing cert ++ System.out.println("selfSign is false..."); ++ signedData = signData(signerCert, tokenName, nickname, cm, pkidata); ++ } ++ if (signedData == null) { ++ System.out.println("signData() returns null. Exiting with error"); ++ System.exit(1); ++ } ++ cmcblob = getCMCBlob(signedData, null); + } +- cmcblob = getCMCBlob(signedData); ++ + if (cmcblob == null) { + System.out.println("getCMCBlob() returns null. Exiting with error"); + System.exit(1); +diff --git a/base/java-tools/src/com/netscape/cmstools/CMCRevoke.java b/base/java-tools/src/com/netscape/cmstools/CMCRevoke.java +index c2572e6..e46e883 100644 +--- a/base/java-tools/src/com/netscape/cmstools/CMCRevoke.java ++++ b/base/java-tools/src/com/netscape/cmstools/CMCRevoke.java +@@ -75,6 +75,7 @@ public class CMCRevoke { + public static final String RFC7468_TRAILER = "-----END CERTIFICATE REQUEST-----"; + static String dValue = null, nValue = null, iValue = null, sValue = null, mValue = null, hValue = null, + pValue = null, cValue = null; ++ static String tValue = null; + + public static final String CMS_BASE_CA_SIGNINGCERT_NOT_FOUND = "CA signing certificate not found"; + public static final String PR_REQUEST_CMC = "CMC"; +@@ -109,8 +110,9 @@ public class CMCRevoke { + "-d

    " + + "-n " + + "-i " + +- "-s " + ++ "-s " + + "-m " + ++ "-t " + + "-p " + + "-h " + + "-c "); +@@ -135,6 +137,8 @@ public class CMCRevoke { + mValue = cleanArgs(s[i].substring(2)); + } else if (s[i].startsWith("-p")) { + pValue = cleanArgs(s[i].substring(2)); ++ } else if (s[i].startsWith("-t")) { ++ tValue = cleanArgs(s[i].substring(2)); + } else if (s[i].startsWith("-h")) { + hValue = cleanArgs(s[i].substring(2)); + } else if (s[i].startsWith("-c")) { +@@ -143,8 +147,6 @@ public class CMCRevoke { + + } + // optional parameters +- if (cValue == null) +- cValue = ""; + if (hValue == null) + hValue = ""; + +@@ -160,7 +162,7 @@ public class CMCRevoke { + "-d " + + "-n " + + "-i " + +- "-s " + ++ "-s " + + "-m " + + "-p " + + "-h " + +@@ -191,9 +193,9 @@ public class CMCRevoke { + + token.login(pass); + X509Certificate signerCert = getCertificate(cm, hValue, nValue); +- String outBlob = createRevokeReq(hValue, signerCert, cm); ++ ContentInfo fullEnrollmentRequest = createRevokeReq(hValue, signerCert, cm); + +- printCMCRevokeRequest(outBlob); ++ printCMCRevokeRequest(fullEnrollmentRequest); + } catch (Exception e) { + e.printStackTrace(); + System.exit(1); +@@ -209,29 +211,48 @@ public class CMCRevoke { + * + * @param asciiBASE64Blob the ascii string of the request + */ +- static void printCMCRevokeRequest(String asciiBASE64Blob) { ++ static void printCMCRevokeRequest(ContentInfo fullEnrollmentReq) { ++ String method = "printCMCRevokeRequest: "; + +- // (6) Finally, print the actual CMCSigning blob to the ++ ByteArrayOutputStream os = new ByteArrayOutputStream(); ++ ByteArrayOutputStream bs = new ByteArrayOutputStream(); ++ PrintStream ps = new PrintStream(bs); ++ ++ if (fullEnrollmentReq == null) { ++ System.out.println(method + "param fullEnrollmentRequest is null"); ++ System.exit(1); ++ } ++ // format is PR_REQUEST_CMC ++ try { ++ fullEnrollmentReq.encode(os); ++ } catch (IOException e) { ++ System.out.println("CMCSigning: I/O error " + ++ "encountered 
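Review bot: The new `-t` option appears to carry the RevokeRequest passphrase (it fills the OCTET_STRING slot in the `-319` hunk that `-p`'s password previously filled), and taking a secret as a command-line argument exposes it in process listings and shell history. Consider reading it from a file or prompting on stdin, and document the option: the usage string shows only `"-t " +` with no description, though the placeholder may have been lost in extraction. The enclosing methods start and end outside these hunks.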
during write():\n" + ++ e); ++ System.exit(1); ++ } ++ //ps.print(Utils.base64encode(os.toByteArray())); ++ // no line breaks for ease of copy/paste for CA acceptance ++ System.out.println(RFC7468_HEADER); ++ ps.print(Utils.base64encodeSingleLine(os.toByteArray())); ++ ////fullEnrollmentReq.print(ps); // no header/trailer ++ ++ String asciiBASE64Blob = bs.toString(); ++ System.out.println(asciiBASE64Blob + "\n" + RFC7468_TRAILER); ++ ++ // (6) Finally, print the actual CMCSigning binary blob to the + // specified output file + FileOutputStream outputBlob = null; + + try { + outputBlob = new FileOutputStream("CMCRevoke.out"); ++ fullEnrollmentReq.encode(outputBlob); + } catch (IOException e) { + System.out.println("CMCSigning: unable to open file CMCRevoke.out for writing:\n" + e); + return; + } + +- System.out.println(RFC7468_HEADER); +- System.out.println(asciiBASE64Blob + RFC7468_TRAILER); +- try { +- asciiBASE64Blob = RFC7468_HEADER + "\n" + asciiBASE64Blob + RFC7468_TRAILER; +- outputBlob.write(asciiBASE64Blob.getBytes()); +- } catch (IOException e) { +- System.out.println("CMCSigning: I/O error " + +- "encountered during write():\n" + +- e); +- } ++ System.out.println("\nCMC revocation binary blob written to CMCRevoke.out\n"); + + try { + outputBlob.close(); +@@ -280,12 +301,11 @@ public class CMCRevoke { + * @param manager the crypto manger. 
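Review bot: If `fullEnrollmentReq.encode(outputBlob)` throws, the `catch (IOException e)` block returns without closing `outputBlob`, so the FileOutputStream opened on the previous line leaks; the `close()` below is reached only on success. Wrap open and encode together, `try (FileOutputStream outputBlob = new FileOutputStream("CMCRevoke.out")) { fullEnrollmentReq.encode(outputBlob); }`, if the project targets Java 7+, otherwise close in a `finally`. printCMCRevokeRequest() ends outside the hunk.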
+ * @return the CMC revocation request encoded in base64 + */ +- static String createRevokeReq(String tokenname, X509Certificate signerCert, CryptoManager manager) { ++ static ContentInfo createRevokeReq(String tokenname, X509Certificate signerCert, CryptoManager manager) { + + java.security.PrivateKey privKey = null; + SignerIdentifier si = null; + ContentInfo fullEnrollmentReq = null; +- String asciiBASE64Blob = null; + + try { + +@@ -305,8 +325,8 @@ public class CMCRevoke { + + if (privKey == null) { + System.out.println("CMCRevoke::createRevokeReq() - " + +- "privKey is null!"); +- return ""; ++ "privKey is null!"); ++ return null; + } + + int bpid = 1; +@@ -319,65 +339,64 @@ public class CMCRevoke { + byte[] dig; + + try { +- MessageDigest SHA1Digest = MessageDigest.getInstance("SHA1"); ++ MessageDigest SHA2Digest = MessageDigest.getInstance("SHA256"); + +- dig = SHA1Digest.digest(salt.getBytes()); ++ dig = SHA2Digest.digest(salt.getBytes()); + } catch (NoSuchAlgorithmException ex) { + dig = salt.getBytes(); + } + String sn = Utils.base64encode(dig); + +- TaggedAttribute senderNonce = +- new TaggedAttribute(new INTEGER(bpid++), OBJECT_IDENTIFIER.id_cmc_senderNonce, +- new OCTET_STRING(sn.getBytes())); ++ TaggedAttribute senderNonce = new TaggedAttribute(new INTEGER(bpid++), OBJECT_IDENTIFIER.id_cmc_senderNonce, ++ new OCTET_STRING(sn.getBytes())); + + controlSeq.addElement(senderNonce); + + Name subjectName = new Name(); + + subjectName.addCommonName(iValue); +- org.mozilla.jss.pkix.cmmf.RevRequest lRevokeRequest = +- new org.mozilla.jss.pkix.cmmf.RevRequest(new ANY((new X500Name(iValue)).getEncoded()), +- new INTEGER(sValue), +- //org.mozilla.jss.pkix.cmmf.RevRequest.unspecified, +- new ENUMERATED((new Integer(mValue)).longValue()), +- null, +- new OCTET_STRING(pValue.getBytes()), +- new UTF8String(cValue.toCharArray())); ++ org.mozilla.jss.pkix.cmc.RevokeRequest lRevokeRequest = new org.mozilla.jss.pkix.cmc.RevokeRequest( ++ new ANY((new 
X500Name(iValue)).getEncoded()), ++ new INTEGER(sValue), ++ //org.mozilla.jss.pkix.cmc.RevokeRequest.unspecified, ++ new ENUMERATED((new Integer(mValue)).longValue()), ++ null, ++ (tValue != null) ? new OCTET_STRING(tValue.getBytes()) : null, ++ (cValue != null) ? new UTF8String(cValue.toCharArray()) : null); + //byte[] encoded = ASN1Util.encode(lRevokeRequest); +- //org.mozilla.jss.asn1.ASN1Template template = new org.mozilla.jss.pkix.cmmf.RevRequest.Template(); +- //org.mozilla.jss.pkix.cmmf.RevRequest revRequest = (org.mozilla.jss.pkix.cmmf.RevRequest) ++ //org.mozilla.jss.asn1.ASN1Template template = new org.mozilla.jss.pkix.cmc.RevokeRequest.Template(); ++ //org.mozilla.jss.pkix.cmc.RevokeRequest revRequest = (org.mozilla.jss.pkix.cmc.RevokeRequest) + // template.decode(new java.io.ByteArrayInputStream( + // encoded)); + +- ByteArrayOutputStream os = new ByteArrayOutputStream(); +- //lRevokeRequest.encode(os); // khai +- TaggedAttribute revokeRequestTag = +- new TaggedAttribute(new INTEGER(bpid++), OBJECT_IDENTIFIER.id_cmc_revokeRequest, +- lRevokeRequest); ++ TaggedAttribute revokeRequestTag = new TaggedAttribute(new INTEGER(bpid++), ++ OBJECT_IDENTIFIER.id_cmc_revokeRequest, ++ lRevokeRequest); + + controlSeq.addElement(revokeRequestTag); + PKIData pkidata = new PKIData(controlSeq, new SEQUENCE(), new SEQUENCE(), new SEQUENCE()); + + EncapsulatedContentInfo ci = new EncapsulatedContentInfo(OBJECT_IDENTIFIER.id_cct_PKIData, pkidata); +- // SHA1 is the default digest Alg for now. 
+ DigestAlgorithm digestAlg = null; + SignatureAlgorithm signAlg = null; +- org.mozilla.jss.crypto.PrivateKey.Type signingKeyType = ((org.mozilla.jss.crypto.PrivateKey) privKey).getType(); ++ org.mozilla.jss.crypto.PrivateKey.Type signingKeyType = ((org.mozilla.jss.crypto.PrivateKey) privKey) ++ .getType(); + if (signingKeyType.equals(org.mozilla.jss.crypto.PrivateKey.Type.RSA)) { +- signAlg = SignatureAlgorithm.RSASignatureWithSHA1Digest; ++ signAlg = SignatureAlgorithm.RSASignatureWithSHA256Digest; + } else if (signingKeyType.equals(org.mozilla.jss.crypto.PrivateKey.Type.EC)) { +- signAlg = SignatureAlgorithm.ECSignatureWithSHA1Digest; +- } else if (signingKeyType.equals(org.mozilla.jss.crypto.PrivateKey.Type.DSA)) { +- signAlg = SignatureAlgorithm.DSASignatureWithSHA1Digest; ++ signAlg = SignatureAlgorithm.ECSignatureWithSHA256Digest; ++ } else { ++ System.out.println("Algorithm not supported:" + ++ signingKeyType); ++ return null; + } + + MessageDigest SHADigest = null; + byte[] digest = null; + + try { +- SHADigest = MessageDigest.getInstance("SHA1"); +- digestAlg = DigestAlgorithm.SHA1; ++ SHADigest = MessageDigest.getInstance("SHA256"); ++ digestAlg = DigestAlgorithm.SHA256; + + ByteArrayOutputStream ostream = new ByteArrayOutputStream(); + +@@ -411,21 +430,11 @@ public class CMCRevoke { + + fullEnrollmentReq = new ContentInfo(req); + +- ByteArrayOutputStream bs = new ByteArrayOutputStream(); +- PrintStream ps = new PrintStream(bs); +- +- if (fullEnrollmentReq != null) { +- // format is PR_REQUEST_CMC +- fullEnrollmentReq.encode(os); +- ps.print(Utils.base64encode(os.toByteArray())); +- ////fullEnrollmentReq.print(ps); // no header/trailer +- } +- +- asciiBASE64Blob = bs.toString(); + } catch (Exception e) { + e.printStackTrace(); + System.exit(1); + } +- return asciiBASE64Blob; ++ ++ return fullEnrollmentReq; + } + } +diff --git a/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java 
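Review bot: The senderNonce here has the same weakness as in CMCRequest: `salt` is a fixed prefix plus a timestamp (context above the changed lines), and hashing it with SHA-256 instead of SHA-1 makes it neither random nor unique; fill it from `SecureRandom` instead. `tValue.getBytes()` for the passphrase uses the JVM default charset, so a non-ASCII secret may not match what the CA compares; use `tValue.getBytes(StandardCharsets.UTF_8)`. Dropping DSA and returning `null` for other key types is fine since the caller exits on null, but a one-line comment stating that only RSA and EC signing keys are supported would help. createRevokeReq() starts outside the hunk.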
b/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java +index b898353..9441167 100644 +--- a/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java ++++ b/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java +@@ -237,6 +237,9 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, + */ + public IAuthToken authenticate(IAuthCredentials authCred) throws EMissingCredential, EInvalidCredentials, + EBaseException { ++ String method = "CMCAuth: authenticate: "; ++ String msg = ""; ++ + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + String auditReqType = ILogger.UNIDENTIFIED; +@@ -261,7 +264,7 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, + } + String cmc = (String) returnVal; + if (cmc == null) { +- CMS.debug("CMCAuth: Authentication failed. Missing CMC."); ++ CMS.debug(method + "Authentication failed. Missing CMC."); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +@@ -279,8 +282,9 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, + } + + if (cmc.equals("")) { +- log(ILogger.LL_FAILURE, +- "cmc : attempted login with empty CMC."); ++ msg = "attempted login with empty CMC"; ++ CMS.debug(method + msg); ++ log(ILogger.LL_FAILURE, method + msg); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( +@@ -331,6 +335,7 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, + if (!cmcReq.getContentType().equals( + org.mozilla.jss.pkix.cms.ContentInfo.SIGNED_DATA) || + !cmcReq.hasContent()) { ++ CMS.debug(method + "malformed cmc: either not ContentInfo.SIGNED_DATA or cmcReq has no content"); + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + AuditEvent.CMC_SIGNED_REQUEST_SIG_VERIFY, +@@ -358,13 +363,13 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, + if (checkSignerInfo) { + IAuthToken agentToken = 
verifySignerInfo(authToken, cmcFullReq); + if (agentToken == null) { +- CMS.debug("CMCAuth: authenticate() agentToken null"); ++ CMS.debug(method + "agentToken null"); + throw new EBaseException("CMCAuth: agent verifySignerInfo failure"); + } + userid = agentToken.getInString("userid"); + uid = agentToken.getInString("cn"); + } else { +- CMS.debug("CMCAuth: authenticate() signerInfo verification bypassed"); ++ CMS.debug(method + "signerInfo verification bypassed"); + } + // reset value of auditSignerInfo + if (uid != null) { +@@ -377,6 +382,8 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, + + if (!id.equals(OBJECT_IDENTIFIER.id_cct_PKIData) || + !ci.hasContent()) { ++ msg = "request EncapsulatedContentInfo content type not OBJECT_IDENTIFIER.id_cct_PKIData"; ++ CMS.debug( method + msg); + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + AuditEvent.CMC_SIGNED_REQUEST_SIG_VERIFY, +@@ -406,6 +413,7 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, + + if (numReqs == 0) { + // revocation request ++ CMS.debug(method + "numReqs 0, assume revocation request"); + + // reset value of auditReqType + auditReqType = SIGNED_AUDIT_REVOCATION_REQUEST_TYPE; +@@ -476,6 +484,7 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, + } + } else { + // enrollment request ++ CMS.debug(method + "numReqs not 0, assume enrollment request"); + + // reset value of auditReqType + auditReqType = SIGNED_AUDIT_ENROLLMENT_REQUEST_TYPE; +diff --git a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java +index a18c25e..2e4d6dc 100644 +--- a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java ++++ b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java +@@ -29,9 +29,9 @@ import java.io.ByteArrayInputStream; + import java.io.ByteArrayOutputStream; + import 
java.io.IOException; + import java.math.BigInteger; +-import java.security.cert.CertificateExpiredException; + import java.security.MessageDigest; + import java.security.PublicKey; ++import java.security.cert.CertificateExpiredException; + import java.util.Enumeration; + import java.util.Hashtable; + import java.util.Locale; +@@ -323,85 +323,90 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, + byte[] cmcBlob = CMS.AtoB(asciiBASE64Blob); + ByteArrayInputStream cmcBlobIn = new ByteArrayInputStream(cmcBlob); + +- org.mozilla.jss.pkix.cms.ContentInfo cmcReq = +- (org.mozilla.jss.pkix.cms.ContentInfo) org.mozilla.jss.pkix.cms.ContentInfo ++ org.mozilla.jss.pkix.cms.ContentInfo cmcReq = (org.mozilla.jss.pkix.cms.ContentInfo) org.mozilla.jss.pkix.cms.ContentInfo + .getTemplate().decode( + cmcBlobIn); + +- if (!cmcReq.getContentType().equals( +- org.mozilla.jss.pkix.cms.ContentInfo.SIGNED_DATA) || +- !cmcReq.hasContent()) { +- +- cmcBlobIn.close(); +- msg = "cmc rquest content type is not ContentInfo.SIGNED_DATA"; +- CMS.debug(msg); +- throw new EBaseException(msg); +- } +- +- SignedData cmcFullReq = (SignedData) cmcReq.getInterpretedContent(); +- + String userid = ILogger.UNIDENTIFIED; + String uid = ILogger.UNIDENTIFIED; + +- IConfigStore cmc_config = CMS.getConfigStore(); +- boolean checkSignerInfo = cmc_config.getBoolean("cmc.signerInfo.verify", true); +- if (checkSignerInfo) { +- // selfSigned will be set in verifySignerInfo if applicable +- IAuthToken userToken = verifySignerInfo(auditContext, authToken, cmcFullReq); +- if (userToken == null) { +- msg = "userToken null; verifySignerInfo failure"; +- CMS.debug(method + msg); +- throw new EBaseException(msg); +- } else { +- if (selfSigned) { +- CMS.debug(method +- + " self-signed cmc request will not have user identification info at this point."); +- auditSignerInfo = "selfSigned"; ++ SignedData cmcFullReq = null; ++ OCTET_STRING content = null; ++ OBJECT_IDENTIFIER id = null; ++ 
org.mozilla.jss.pkix.cms.SignerInfo selfsign_signerInfo = null; ++ if (cmcReq.getContentType().equals( ++ org.mozilla.jss.pkix.cms.ContentInfo.SIGNED_DATA)) { ++ CMS.debug(method + "cmc request content is signed data"); ++ cmcFullReq = (SignedData) cmcReq.getInterpretedContent(); ++ ++ IConfigStore cmc_config = CMS.getConfigStore(); ++ boolean checkSignerInfo = cmc_config.getBoolean("cmc.signerInfo.verify", true); ++ if (checkSignerInfo) { ++ // selfSigned will be set in verifySignerInfo if applicable ++ IAuthToken userToken = verifySignerInfo(auditContext, authToken, cmcFullReq); ++ if (userToken == null) { ++ msg = "userToken null; verifySignerInfo failure"; ++ CMS.debug(method + msg); ++ throw new EBaseException(msg); + } else { +- CMS.debug(method + "signed with user cert"); +- userid = userToken.getInString("userid"); +- uid = userToken.getInString("cn"); +- if (userid == null && uid == null) { +- msg = " verifySignerInfo failure... missing userid and cn"; +- CMS.debug(method + msg); +- throw new EBaseException(msg); +- } +- // reset value of auditSignerInfo +- if (uid != null && !uid.equals(ILogger.UNIDENTIFIED)) { +- CMS.debug(method + "setting auditSignerInfo to uid:" + uid.trim()); +- auditSignerInfo = uid.trim(); +- auditSubjectID = uid.trim(); +- authToken.set(IAuthToken.USER_ID, auditSubjectID); +- } else if (userid != null && !userid.equals(ILogger.UNIDENTIFIED)) { +- CMS.debug(method + "setting auditSignerInfo to userid:" + userid); +- auditSignerInfo = userid.trim(); +- auditSubjectID = userid.trim(); +- authToken.set(IAuthToken.USER_ID, auditSubjectID); ++ if (selfSigned) { ++ CMS.debug(method ++ + " self-signed cmc request will not have user identification info at this point."); ++ auditSignerInfo = "selfSigned"; ++ } else { ++ CMS.debug(method + "signed with user cert"); ++ userid = userToken.getInString("userid"); ++ uid = userToken.getInString("cn"); ++ if (userid == null && uid == null) { ++ msg = " verifySignerInfo failure... 
missing userid and cn"; ++ CMS.debug(method + msg); ++ throw new EBaseException(msg); ++ } ++ // reset value of auditSignerInfo ++ if (uid != null && !uid.equals(ILogger.UNIDENTIFIED)) { ++ CMS.debug(method + "setting auditSignerInfo to uid:" + uid.trim()); ++ auditSignerInfo = uid.trim(); ++ auditSubjectID = uid.trim(); ++ authToken.set(IAuthToken.USER_ID, auditSubjectID); ++ } else if (userid != null && !userid.equals(ILogger.UNIDENTIFIED)) { ++ CMS.debug(method + "setting auditSignerInfo to userid:" + userid); ++ auditSignerInfo = userid.trim(); ++ auditSubjectID = userid.trim(); ++ authToken.set(IAuthToken.USER_ID, auditSubjectID); ++ } + } + } ++ } else { ++ CMS.debug(method + " signerInfo verification bypassed"); + } +- } else { +- CMS.debug(method + " signerInfo verification bypassed"); +- } + +- EncapsulatedContentInfo ci = cmcFullReq.getContentInfo(); +- SET sis = cmcFullReq.getSignerInfos(); +- // only one SignerInfo for selfSigned +- org.mozilla.jss.pkix.cms.SignerInfo selfsign_signerInfo = +- (org.mozilla.jss.pkix.cms.SignerInfo) sis.elementAt(0); ++ EncapsulatedContentInfo ci = cmcFullReq.getContentInfo(); ++ SET sis = cmcFullReq.getSignerInfos(); ++ // only one SignerInfo for selfSigned ++ selfsign_signerInfo = (org.mozilla.jss.pkix.cms.SignerInfo) sis.elementAt(0); + +- OBJECT_IDENTIFIER id = ci.getContentType(); ++ id = ci.getContentType(); + +- if (!id.equals(OBJECT_IDENTIFIER.id_cct_PKIData) || +- !ci.hasContent()) { +- msg = "request EncapsulatedContentInfo content type not OBJECT_IDENTIFIER.id_cct_PKIData"; +- CMS.debug(method + msg); ++ if (!id.equals(OBJECT_IDENTIFIER.id_cct_PKIData) || ++ !ci.hasContent()) { ++ msg = "request EncapsulatedContentInfo content type not OBJECT_IDENTIFIER.id_cct_PKIData"; ++ CMS.debug(method + msg); ++ ++ throw new EBaseException(msg); ++ } + ++ content = ci.getContent(); ++ } else if (cmcReq.getContentType().equals( //unsigned ++ org.mozilla.jss.pkix.cms.ContentInfo.DATA)) { ++ CMS.debug(method + "cmc request 
content is unsigned data...verifySignerInfo will not be called;"); ++ content = (OCTET_STRING) cmcReq.getInterpretedContent(); ++ } else { ++ cmcBlobIn.close(); ++ msg = "unsupported cmc rquest content type; must be either ContentInfo.SIGNED_DATA or ContentInfo.DATA;"; ++ CMS.debug(msg); + throw new EBaseException(msg); + } + +- OCTET_STRING content = ci.getContent(); +- + ByteArrayInputStream s = new ByteArrayInputStream(content.toByteArray()); + PKIData pkiData = (PKIData) (new PKIData.Template()).decode(s); + +@@ -426,7 +431,8 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, + + if (type.equals( + OBJECT_IDENTIFIER.id_cmc_revokeRequest)) { +- /* TODO: user-signed revocation to be handled in next ticket ++ //further checks and actual revocation happen in CMCOutputTemplate ++ + // if( i ==1 ) { + // taggedAttribute.getType() == + // OBJECT_IDENTIFIER.id_cmc_revokeRequest +@@ -440,25 +446,23 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, + for (int j = 0; j < numVals; j++) { + // serialNumber INTEGER + +- // SEQUENCE RevRequest = (SEQUENCE) ++ // SEQUENCE RevokeRequest = (SEQUENCE) + // values.elementAt(j); + byte[] encoded = ASN1Util.encode( + values.elementAt(j)); +- org.mozilla.jss.asn1.ASN1Template template = new +- org.mozilla.jss.pkix.cmmf.RevRequest.Template(); +- org.mozilla.jss.pkix.cmmf.RevRequest revRequest = +- (org.mozilla.jss.pkix.cmmf.RevRequest) +- ASN1Util.decode(template, encoded); ++ org.mozilla.jss.asn1.ASN1Template template = new org.mozilla.jss.pkix.cmc.RevokeRequest.Template(); ++ org.mozilla.jss.pkix.cmc.RevokeRequest revRequest = (org.mozilla.jss.pkix.cmc.RevokeRequest) ASN1Util ++ .decode(template, encoded); + +- // SEQUENCE RevRequest = (SEQUENCE) ++ // SEQUENCE RevokeRequest = (SEQUENCE) + // ASN1Util.decode( + // SEQUENCE.getTemplate(), + // ASN1Util.encode( + // values.elementAt(j))); + +- // SEQUENCE RevRequest = ++ // SEQUENCE RevokeRequest = + // values.elementAt(j); +- 
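Review bot: The new `ContentInfo.DATA` branch at the end of the hunk accepts an unsigned PKIData without calling verifySignerInfo, yet nothing in the hunk restricts that unsigned form to revocation — the decoded pkiData flows into the same control and tagged-request processing that signed enrollment requests go through. If the only enforcement is in CMCOutputTemplate, this method will hand back an authToken for an unsigned enrollment; I would check right after the decode that an unsigned PKIData carries only an `id_cmc_revokeRequest` control and an empty reqSequence, and `throw new EBaseException("unsigned CMC data is only accepted for revocation requests")` otherwise. The cast `(OCTET_STRING) cmcReq.getInterpretedContent()` can also throw ClassCastException on a malformed DATA body, which surfaces as an unchecked exception instead of the EBaseException the signed path raises. The enclosing method starts and ends outside the hunk.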
// int revReqSize = RevRequest.size(); ++ // int revReqSize = RevokeRequest.size(); + // if( revReqSize > 3 ) { + // INTEGER serialNumber = + // new INTEGER((long)0); +@@ -473,13 +477,10 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, + Integer IntObject = Integer.valueOf((int) reasonCode); + authToken.set(REASON_CODE, IntObject); + +- + //authToken.set("uid", uid); + //authToken.set("userid", userid); + + } +- */ +- + } + } + +@@ -648,8 +649,7 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, + certInfoArray[i] = certInfo; + + if (selfSigned) { +- selfsign_skiExtn = +- (SubjectKeyIdentifierExtension) CryptoUtil ++ selfsign_skiExtn = (SubjectKeyIdentifierExtension) CryptoUtil + .getExtensionFromCertTemplate(template, PKIXExtensions.SubjectKey_Id); + if (selfsign_skiExtn != null) { + CMS.debug(method + +@@ -702,16 +702,24 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, + throw new EInvalidCredentials(e.toString()); + } + +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS, +- auditSubjectID, +- ILogger.SUCCESS, +- auditReqType, +- auditCertSubject, +- auditSignerInfo); +- +- audit(auditMessage); ++ // For accuracy, make sure revocation by shared secret doesn't ++ // log CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS ++ if (authToken.get(IAuthManager.CRED_CMC_SIGNING_CERT) != null || ++ authToken.get(IAuthManager.CRED_CMC_SELF_SIGNED) != null) { ++ // store a message in the signed audit log file ++ auditMessage = CMS.getLogMessage( ++ AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS, ++ auditSubjectID, ++ ILogger.SUCCESS, ++ auditReqType, ++ auditCertSubject, ++ auditSignerInfo); ++ ++ audit(auditMessage); ++ } else { ++ CMS.debug(method ++ + "audit event CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS not logged due to unsigned data for revocation with shared secret."); ++ } + + 
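Review bot: Removing the closing `*/` re-enables the `for (int j = 0; j < numVals; j++)` loop above it, and every iteration does `authToken.set(REASON_CODE, IntObject)`, so with several RevokeRequest values only the last reason survives in the token while CMCOutputTemplate in this same patch decodes only `vals.elementAt(0)`. Either reject controls with more than one value here (`if (numVals != 1) throw new EBaseException("expecting exactly one RevokeRequest value");`) or make both sides agree on which value is authoritative. The loop body also still carries the commented-out `//authToken.set("uid", uid);` lines, which could be dropped now that the block is live code. The enclosing method continues outside the hunk.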
CMS.debug(method + "ends successfully; returning authToken"); + return authToken; +@@ -1029,10 +1037,15 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, + } else { + CMS.debug(method + "found signing cert... verifying"); + +- //capture auditSubjectID first in case of failure +- netscape.security.x509.X500Name tempPrincipal = ++ // capture auditSubjectID first in case of failure ++ netscape.security.x509.X500Name principal = + (X500Name) x509Certs[0].getSubjectDN(); +- CN = tempPrincipal.getCommonName(); //tempToken.get("userid"); ++ ++ // capture signer principal to be checked against ++ // cert subject principal later in CMCOutputTemplate ++ // in case of user signed revocation ++ auditContext.put(SessionContext.CMC_SIGNER_PRINCIPAL, principal); ++ CN = principal.getCommonName(); //tempToken.get("userid"); + CMS.debug(method + " Principal name = " + CN); + auditContext.put(SessionContext.USER_ID, CN); + +@@ -1093,15 +1106,18 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, + // now check revocation status of the cert + if (CMS.isRevoked(x509Certs)) { + CMS.debug(method + "CMC signing cert is a revoked certificate"); ++ s.close(); + throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); + } + try { //do this again anyways + cert.checkValidity(); + } catch (CertificateExpiredException e) { + CMS.debug(method + "CMC signing cert is an expired certificate"); ++ s.close(); + throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); + } catch (Exception e) { + CMS.debug(method + e.toString()); ++ s.close(); + throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); + } + +diff --git a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java +index 2591ace..74da8e7 100644 +--- 
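Review bot: The new else branch's debug text attributes the skipped CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS event to "unsigned data for revocation with shared secret", but the condition it sits under is only that neither CRED_CMC_SIGNING_CERT nor CRED_CMC_SELF_SIGNED is present in authToken — which, as far as this hunk shows, is also the state reached through the `"signerInfo verification bypassed"` path earlier in the same method when `cmc.signerInfo.verify` is false. If that bypass path does not set those credentials, the message misleads whoever reconciles the debug log against the audit trail. Word it by the actual condition, e.g. `"CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS not logged: no signing cert or self-signed credential in authToken (unsigned or unverified request)"`. The enclosing method starts outside the hunk.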
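Review bot: The three added `s.close()` calls close the stream by hand on each throw path, which is easy to miss on the next exit somebody adds — the `CMS.isRevoked` and `checkValidity` checks sit in the middle of a method that starts and ends outside the hunk, so other exits may still leave it open. Wrapping the stream's use in try-with-resources, or a single `finally { s.close(); }`, covers every exit at once. If `s` is a ByteArrayInputStream as elsewhere in this file, close() is a no-op and the three calls could simply be dropped instead.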
a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java ++++ b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java +@@ -588,16 +588,25 @@ public abstract class EnrollProfile extends BasicProfile + try { + byte data[] = CMS.AtoB(creq); + ByteArrayInputStream cmcBlobIn = new ByteArrayInputStream(data); ++ PKIData pkiData = null; + + org.mozilla.jss.pkix.cms.ContentInfo cmcReq = (org.mozilla.jss.pkix.cms.ContentInfo) org.mozilla.jss.pkix.cms.ContentInfo + .getTemplate().decode(cmcBlobIn); +- org.mozilla.jss.pkix.cms.SignedData cmcFullReq = (org.mozilla.jss.pkix.cms.SignedData) cmcReq +- .getInterpretedContent(); +- org.mozilla.jss.pkix.cms.EncapsulatedContentInfo ci = cmcFullReq.getContentInfo(); +- OCTET_STRING content = ci.getContent(); +- ++ OCTET_STRING content = null; ++ if (cmcReq.getContentType().equals( ++ org.mozilla.jss.pkix.cms.ContentInfo.SIGNED_DATA)) { ++ CMS.debug(method + "cmc request content is signed data"); ++ org.mozilla.jss.pkix.cms.SignedData cmcFullReq = (org.mozilla.jss.pkix.cms.SignedData) cmcReq ++ .getInterpretedContent(); ++ org.mozilla.jss.pkix.cms.EncapsulatedContentInfo ci = cmcFullReq.getContentInfo(); ++ content = ci.getContent(); ++ ++ } else { // for unsigned revocation requests (using shared secret) ++ CMS.debug(method + "cmc request content is unsigned data"); ++ content = (OCTET_STRING) cmcReq.getInterpretedContent(); ++ } + ByteArrayInputStream s = new ByteArrayInputStream(content.toByteArray()); +- PKIData pkiData = (PKIData) (new PKIData.Template()).decode(s); ++ pkiData = (PKIData) (new PKIData.Template()).decode(s); + + mCMCData = pkiData; + //PKIData pkiData = (PKIData) +@@ -708,6 +717,8 @@ public abstract class EnrollProfile extends BasicProfile + byte randomSeed[] = null; + UTF8String ident_s = null; + SessionContext context = SessionContext.getContext(); ++ ++ boolean id_cmc_revokeRequest = false; + if (!context.containsKey("numOfControls")) { + CMS.debug(method + "numcontrols="+ 
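Review bot: The `else` branch treats every non-SIGNED_DATA ContentInfo as unsigned data and casts `getInterpretedContent()` to OCTET_STRING, whereas the parallel change to CMCUserSignedAuth in this same patch tests explicitly for `ContentInfo.DATA` and rejects anything else; here an enveloped or digested ContentInfo would become a ClassCastException rather than a clean rejection. Make the two consistent: `} else if (cmcReq.getContentType().equals(org.mozilla.jss.pkix.cms.ContentInfo.DATA)) {` for the unsigned case, followed by a final `else` that logs the unsupported content type and fails the request the same way the enclosing try/catch treats a decode failure. The enclosing try block and method start and end outside the hunk.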
numcontrols); + if (numcontrols > 0) { +@@ -735,7 +746,13 @@ public abstract class EnrollProfile extends BasicProfile + for (int i = 0; i < numcontrols; i++) { + attributes[i] = (TaggedAttribute) controlSeq.elementAt(i); + OBJECT_IDENTIFIER oid = attributes[i].getType(); +- if (oid.equals(OBJECT_IDENTIFIER.id_cmc_decryptedPOP)) { ++ if (oid.equals(OBJECT_IDENTIFIER.id_cmc_revokeRequest)) { ++ id_cmc_revokeRequest = true; ++ // put in context for processing in ++ // CMCOutputTemplate.java later ++ context.put(OBJECT_IDENTIFIER.id_cmc_revokeRequest, ++ attributes[i]); ++ } else if (oid.equals(OBJECT_IDENTIFIER.id_cmc_decryptedPOP)) { + CMS.debug(method + " id_cmc_decryptedPOP found"); + id_cmc_decryptedPOP = true; + decPopVals = attributes[i].getValues(); +@@ -766,6 +783,10 @@ public abstract class EnrollProfile extends BasicProfile + */ + CMS.debug(method + "processing controls..."); + ++ if (id_cmc_revokeRequest) { ++ CMS.debug(method + "revocation control"); ++ } ++ + if (id_cmc_identification) { + if (ident == null) { + msg = "id_cmc_identification contains null attribute value"; +@@ -801,7 +822,7 @@ public abstract class EnrollProfile extends BasicProfile + + // checking Proof Of Identity, if not pre-signed + +- if (donePOI) { ++ if (donePOI || id_cmc_revokeRequest) { + // for logging purposes + if (id_cmc_identityProofV2) { + CMS.debug(method +@@ -921,6 +942,7 @@ public abstract class EnrollProfile extends BasicProfile + SEQUENCE otherMsgSeq = pkiData.getOtherMsgSequence(); + int numOtherMsgs = otherMsgSeq.size(); + if (!context.containsKey("numOfOtherMsgs")) { ++ CMS.debug(method + "found numOfOtherMsgs: " + numOtherMsgs); + context.put("numOfOtherMsgs", Integer.valueOf(numOtherMsgs)); + for (int i = 0; i < numOtherMsgs; i++) { + OtherMsg omsg = (OtherMsg) (ASN1Util.decode(OtherMsg.getTemplate(), +@@ -959,6 +981,8 @@ public abstract class EnrollProfile extends BasicProfile + boolean valid = true; + for (int i = 0; i < nummsgs; i++) { + msgs[i] = 
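Review bot: `if (donePOI || id_cmc_revokeRequest)` skips the proof-of-identity check for the whole PKIData as soon as one id_cmc_revokeRequest control is present, and the flag is computed per PKIData, not per tagged request. A message carrying both a revocation control and enrollment TaggedRequests would therefore pass this point with no POI for the enrollment; whether something downstream rejects that mix is not visible here. Safer is to refuse the mix before this check — when the flag is set and the request sequence is non-empty, log `"revocation request must not carry tagged requests"` and fail the request — so a revocation-only PKIData is the only thing that bypasses POI. The enclosing method starts and ends outside the hunk.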
(TaggedRequest) reqSeq.elementAt(i); ++ if (id_cmc_revokeRequest) ++ continue; + if (popLinkWitnessRequired && + !context.containsKey("POPLinkWitnessV2") && + !context.containsKey("POPLinkWitness")) { +@@ -1271,7 +1295,7 @@ public abstract class EnrollProfile extends BasicProfile + boolean sharedSecretFound = true; + String configName = "cmc.sharedSecret.class"; + String sharedSecret = null; +- ISharedToken tokenClass = getSharedTokenClass(configName); ++ ISharedToken tokenClass = CMS.getSharedTokenClass(configName); + if (tokenClass == null) { + CMS.debug(method + " Failed to retrieve shared secret plugin class"); + sharedSecretFound = false; +@@ -1498,40 +1522,6 @@ public abstract class EnrollProfile extends BasicProfile + return bpids; + } + +- +- ISharedToken getSharedTokenClass(String configName) { +- String method = "EnrollProfile: getSharedTokenClass: "; +- ISharedToken tokenClass = null; +- +- String name = null; +- try { +- CMS.debug(method + "getting :" + configName); +- name = CMS.getConfigStore().getString(configName); +- CMS.debug(method + "Shared Secret plugin class name retrieved:" + +- name); +- } catch (Exception e) { +- CMS.debug(method + " Failed to retrieve shared secret plugin class name"); +- return null; +- } +- +- try { +- tokenClass = (ISharedToken) Class.forName(name).newInstance(); +- CMS.debug(method + "Shared Secret plugin class retrieved"); +- } catch (ClassNotFoundException e) { +- CMS.debug(method + " Failed to find class name: " + name); +- return null; +- } catch (InstantiationException e) { +- CMS.debug("EnrollProfile: Failed to instantiate class: " + name); +- return null; +- } catch (IllegalAccessException e) { +- CMS.debug(method + " Illegal access: " + name); +- return null; +- } +- +- return tokenClass; +- } +- +- + /** + * verifyIdentityProofV2 handles IdentityProofV2 as defined by RFC5272 + * +@@ -1577,7 +1567,7 @@ public abstract class EnrollProfile extends BasicProfile + } + + String configName = "cmc.sharedSecret.class"; 
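Review bot: The added `if (id_cmc_revokeRequest) continue;` runs for every entry of reqSeq, so when a revocation control is present each enrollment request in the same PKIData is still stored in `msgs[i]` but skips the POP link witness check and whatever per-request validation follows in the loop, without ever touching `valid`. That is only safe if a revocation PKIData is guaranteed an empty reqSequence, which this hunk does not enforce. I would hoist the test above the loop and fail instead of skipping: `if (id_cmc_revokeRequest && nummsgs > 0) { CMS.debug(method + "revocation request must not carry tagged requests"); valid = false; }` and then not enter the loop. The loop and the enclosing method continue outside the hunk.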
+- ISharedToken tokenClass = getSharedTokenClass(configName); ++ ISharedToken tokenClass = CMS.getSharedTokenClass(configName); + + if (tokenClass == null) { + msg = " Failed to retrieve shared secret plugin class"; +@@ -1681,7 +1671,7 @@ public abstract class EnrollProfile extends BasicProfile + return false; + + String configName = "cmc.sharedSecret.class"; +- ISharedToken tokenClass = getSharedTokenClass(configName); ++ ISharedToken tokenClass = CMS.getSharedTokenClass(configName); + if (tokenClass == null) { + CMS.debug(method + " Failed to retrieve shared secret plugin class"); + return false; +diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/CMCRevReqServlet.java b/base/server/cms/src/com/netscape/cms/servlet/cert/CMCRevReqServlet.java +index 24ba494..a66cd95 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/cert/CMCRevReqServlet.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/cert/CMCRevReqServlet.java +@@ -142,6 +142,8 @@ public class CMCRevReqServlet extends CMSServlet { + * @param cmsReq the object holding the request and response information + */ + protected void process(CMSRequest cmsReq) throws EBaseException { ++ String method = "CMCRevReqServlet: process: "; ++ CMS.debug(method + "begins"); + + String cmcAgentSerialNumber = null; + IArgBlock httpParams = cmsReq.getHttpParams(); +@@ -151,7 +153,7 @@ public class CMCRevReqServlet extends CMSServlet { + CMSTemplate form = null; + Locale[] locale = new Locale[1]; + +- CMS.debug("**** mFormPath = " + mFormPath); ++ CMS.debug(method + "**** mFormPath = " + mFormPath); + try { + form = getTemplate(mFormPath, req, locale); + } catch (IOException e) { +diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/ListCerts.java b/base/server/cms/src/com/netscape/cms/servlet/cert/ListCerts.java +index 3794f10..01c4b6a 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/cert/ListCerts.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/cert/ListCerts.java +@@ -461,11 
+461,11 @@ public class ListCerts extends CMSServlet { + ICertRecord rec = e.nextElement(); + + if (rec == null) { +- CMS.debug("ListCerts: * record " + count + " is null"); ++ //CMS.debug("ListCerts: * record " + count + " is null"); + break; + } + curSerial = rec.getSerialNumber(); +- CMS.debug("ListCerts: * record " + count + ": " + curSerial); ++ //CMS.debug("ListCerts: * record " + count + ": " + curSerial); + + if (count == 0) { + firstSerial = curSerial; +@@ -493,11 +493,11 @@ public class ListCerts extends CMSServlet { + } + + if (mReverse) { +- CMS.debug("ListCerts: returning with rcount: " + rcount); ++ //CMS.debug("ListCerts: returning with rcount: " + rcount); + recs[rcount++] = rec; + + } else { +- CMS.debug("ListCerts: returning with arg block"); ++ //CMS.debug("ListCerts: returning with arg block"); + IArgBlock rarg = CMS.createArgBlock(); + fillRecordIntoArg(rec, rarg); + argSet.addRepeatRecord(rarg); +@@ -514,7 +514,7 @@ public class ListCerts extends CMSServlet { + CMS.debug("ListCerts: fill records into arg block and argSet"); + for (int ii = rcount - 1; ii >= 0; ii--) { + if (recs[ii] != null) { +- CMS.debug("ListCerts: processing recs[" + ii + "]"); ++ //CMS.debug("ListCerts: processing recs[" + ii + "]"); + IArgBlock rarg = CMS.createArgBlock(); + // CMS.debug("item " + ii + " is serial #" + recs[ii].getSerialNumber()); + fillRecordIntoArg(recs[ii], rarg); +diff --git a/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java b/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java +index 8d6c37f..067dce7 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java +@@ -25,6 +25,7 @@ import java.math.BigInteger; + import java.security.MessageDigest; + import java.security.NoSuchAlgorithmException; + import java.security.PublicKey; ++import java.security.cert.CertificateExpiredException; + import 
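Review bot: Commenting out the per-record `CMS.debug` calls leaves dead code behind in all three ListCerts hunks; the apparent intent is to cut per-record log noise, which is better expressed by deleting the lines or guarding them behind one verbose flag than by keeping them as comments. If any are still wanted for troubleshooting, keep a single line logging the record count after the loop instead of one per record. The surrounding loop starts and ends outside the hunk.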
java.util.Date; + import java.util.Hashtable; + +@@ -55,9 +56,9 @@ import org.mozilla.jss.pkix.cmc.OtherInfo; + import org.mozilla.jss.pkix.cmc.OtherMsg; + import org.mozilla.jss.pkix.cmc.PendInfo; + import org.mozilla.jss.pkix.cmc.ResponseBody; ++import org.mozilla.jss.pkix.cmc.RevokeRequest; + import org.mozilla.jss.pkix.cmc.TaggedAttribute; + import org.mozilla.jss.pkix.cmc.TaggedRequest; +-import org.mozilla.jss.pkix.cmmf.RevRequest; + import org.mozilla.jss.pkix.cms.ContentInfo; + import org.mozilla.jss.pkix.cms.EncapsulatedContentInfo; + import org.mozilla.jss.pkix.cms.EnvelopedData; +@@ -76,8 +77,10 @@ import com.netscape.certsrv.base.SessionContext; + import com.netscape.certsrv.ca.ICertificateAuthority; + import com.netscape.certsrv.dbs.certdb.ICertRecord; + import com.netscape.certsrv.dbs.certdb.ICertificateRepository; ++import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.AuditFormat; + import com.netscape.certsrv.logging.ILogger; ++import com.netscape.certsrv.logging.event.CertStatusChangeRequestProcessedEvent; + import com.netscape.certsrv.profile.IEnrollProfile; + import com.netscape.certsrv.request.IRequest; + import com.netscape.certsrv.request.IRequestQueue; +@@ -101,6 +104,8 @@ import netscape.security.x509.X509Key; + * @version $ $, $Date$ + */ + public class CMCOutputTemplate { ++ protected ILogger mSignedAuditLogger = CMS.getSignedAuditLogger(); ++ + public CMCOutputTemplate() { + } + +@@ -212,14 +217,12 @@ public class CMCOutputTemplate { + } + } + } else { +- CMS.debug(method + " reqs null. why?"); ++ CMS.debug(method + " reqs null. 
could be revocation"); + } + + TaggedAttribute tagattr = null; + CMCStatusInfo cmcStatusInfo = null; + +-//cfu +- + SEQUENCE decryptedPOPBpids = (SEQUENCE) context.get("decryptedPOP"); + if (decryptedPOPBpids != null && decryptedPOPBpids.size() > 0) { + OtherInfo otherInfo = new OtherInfo(OtherInfo.FAIL, +@@ -880,8 +883,8 @@ public class CMCOutputTemplate { + String salt = "lala123" + date.toString(); + byte[] dig; + try { +- MessageDigest SHA1Digest = MessageDigest.getInstance("SHA1"); +- dig = SHA1Digest.digest(salt.getBytes()); ++ MessageDigest SHA2Digest = MessageDigest.getInstance("SHA256"); ++ dig = SHA2Digest.digest(salt.getBytes()); + } catch (NoSuchAlgorithmException ex) { + dig = salt.getBytes(); + } +@@ -920,22 +923,59 @@ public class CMCOutputTemplate { + private int processRevokeRequestControl(TaggedAttribute attr, + SEQUENCE controlSeq, int bpid) throws InvalidBERException, EBaseException, + IOException { ++ String method = "CMCOutputTemplate: processRevokeRequestControl: "; ++ String msg = ""; ++ CMS.debug(method + "begins"); + boolean revoke = false; + SessionContext context = SessionContext.getContext(); ++ String authManagerId = (String) context.get(SessionContext.AUTH_MANAGER_ID); ++ if (authManagerId == null) { ++ CMS.debug(method + "authManagerId null.????"); ++ //unlikely, but... 
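Review bot: `MessageDigest.getInstance("SHA256")` uses a non-standard JCA name — the standard algorithm name is `"SHA-256"` — and if the installed provider does not register that alias, the unchanged `catch (NoSuchAlgorithmException ex)` below silently falls back to `dig = salt.getBytes()`, so the digest would quietly disappear without a log line. Use `MessageDigest.getInstance("SHA-256")` and at least `CMS.debug` the exception in the catch; also pass an explicit charset (`salt.getBytes(StandardCharsets.UTF_8)`) so the bytes do not depend on the platform default. The enclosing method starts and ends outside the hunk.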
++ authManagerId = "none"; ++ } else { ++ CMS.debug(method + "authManagerId =" + authManagerId); ++ } ++ ++ // in case of CMCUserSignedAuth, ++ // for matching signer and revoked cert principal ++ X500Name signerPrincipal = null; ++ ++ // for auditing ++ String auditRequesterID = null; ++ auditRequesterID = (String) context.get(SessionContext.USER_ID); ++ ++ if (auditRequesterID != null) { ++ auditRequesterID = auditRequesterID.trim(); ++ } else { ++ auditRequesterID = ILogger.NONROLEUSER; ++ } ++ signerPrincipal = (X500Name) context.get(SessionContext.CMC_SIGNER_PRINCIPAL); ++ String auditSubjectID = null; ++ String auditRequestType = "revoke"; ++ String auditSerialNumber = null; ++ String auditReasonNum = null; ++ RequestStatus auditApprovalStatus = RequestStatus.REJECTED; ++ + if (attr != null) { + INTEGER attrbpid = attr.getBodyPartID(); + CMCStatusInfo cmcStatusInfo = null; + SET vals = attr.getValues(); + if (vals.size() > 0) { +- RevRequest revRequest = +- (RevRequest) (ASN1Util.decode(new RevRequest.Template(), +- ASN1Util.encode(vals.elementAt(0)))); +- OCTET_STRING str = revRequest.getSharedSecret(); ++ RevokeRequest revRequest = (RevokeRequest) (ASN1Util.decode(new RevokeRequest.Template(), ++ ASN1Util.encode(vals.elementAt(0)))); ++ OCTET_STRING reqSecret = revRequest.getSharedSecret(); + INTEGER pid = attr.getBodyPartID(); + TaggedAttribute tagattr = null; + INTEGER revokeCertSerial = revRequest.getSerialNumber(); ++ ENUMERATED n = revRequest.getReason(); ++ RevocationReason reason = toRevocationReason(n); ++ auditReasonNum = reason.toString(); + BigInteger revokeSerial = new BigInteger(revokeCertSerial.toByteArray()); +- if (str == null) { ++ auditSerialNumber = revokeSerial.toString(); ++ ++ if (reqSecret == null) { ++ CMS.debug(method + "no shared secret in request; Checking signature;"); + boolean needVerify = true; + try { + needVerify = CMS.getConfigStore().getBoolean("cmc.revokeCert.verify", true); +@@ -943,67 +983,75 @@ public class 
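Review bot: When `SessionContext.AUTH_MANAGER_ID` is absent the code substitutes `"none"` and carries on, and because the dispatch further down only special-cases `"CMCUserSignedAuth"`, such a request lands in the legacy OtherMsg branch — a state with no known authenticator is handled like a verified agent request. The comment itself calls the missing ID "unlikely", so failing closed costs nothing: return a FAILED CMCStatusInfo with `OtherInfo.INTERNAL_CA_ERROR` at that point instead of defaulting the ID. processRevokeRequestControl continues past the hunk.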
CMCOutputTemplate { + } + + if (needVerify) { +- Integer num1 = (Integer) context.get("numOfOtherMsgs"); +- int num = num1.intValue(); +- for (int i = 0; i < num; i++) { +- OtherMsg data = (OtherMsg) context.get("otherMsg" + i); +- INTEGER dpid = data.getBodyPartID(); +- if (pid.longValue() == dpid.longValue()) { +- ANY msgValue = data.getOtherMsgValue(); +- SignedData msgData = +- (SignedData) msgValue.decodeWith(SignedData.getTemplate()); +- if (!verifyRevRequestSignature(msgData)) { +- OtherInfo otherInfo = +- new OtherInfo(OtherInfo.FAIL, new INTEGER(OtherInfo.BAD_MESSAGE_CHECK), +- null); +- SEQUENCE failed_bpids = new SEQUENCE(); +- failed_bpids.addElement(attrbpid); +- cmcStatusInfo = +- new CMCStatusInfo(CMCStatusInfo.FAILED, failed_bpids, (String) null, +- otherInfo); +- tagattr = new TaggedAttribute( +- new INTEGER(bpid++), +- OBJECT_IDENTIFIER.id_cmc_cMCStatusInfo, cmcStatusInfo); +- controlSeq.addElement(tagattr); +- return bpid; ++ if (authManagerId.equals("CMCUserSignedAuth")) { ++ if (signerPrincipal == null) { ++ CMS.debug(method + "missing CMC signer principal"); ++ OtherInfo otherInfo = new OtherInfo(OtherInfo.FAIL, ++ new INTEGER(OtherInfo.BAD_MESSAGE_CHECK), ++ null); ++ SEQUENCE failed_bpids = new SEQUENCE(); ++ failed_bpids.addElement(attrbpid); ++ cmcStatusInfo = new CMCStatusInfo(CMCStatusInfo.FAILED, failed_bpids, (String) null, ++ otherInfo); ++ tagattr = new TaggedAttribute( ++ new INTEGER(bpid++), ++ OBJECT_IDENTIFIER.id_cmc_cMCStatusInfo, cmcStatusInfo); ++ controlSeq.addElement(tagattr); ++ return bpid; ++ } ++ } else { // !CMCUserSignedAuth ++ ++ // this code is making the assumption that OtherMsg ++ // is used for signer info in signed cmc revocation, ++ // when in fact the signer info is ++ // in the outer layer and should have already been ++ // verified in the auth manager; ++ // Left here for possible legacy client(s) ++ ++ Integer num1 = (Integer) context.get("numOfOtherMsgs"); ++ CMS.debug(method + "found numOfOtherMsgs =" + 
num1.toString()); ++ int num = num1.intValue(); ++ for (int i = 0; i < num; i++) { ++ OtherMsg data = (OtherMsg) context.get("otherMsg" + i); ++ INTEGER dpid = data.getBodyPartID(); ++ if (pid.longValue() == dpid.longValue()) { ++ CMS.debug(method + "body part id match;"); ++ ANY msgValue = data.getOtherMsgValue(); ++ SignedData msgData = (SignedData) msgValue.decodeWith(SignedData.getTemplate()); ++ if (!verifyRevRequestSignature(msgData)) { ++ OtherInfo otherInfo = new OtherInfo(OtherInfo.FAIL, ++ new INTEGER(OtherInfo.BAD_MESSAGE_CHECK), ++ null); ++ SEQUENCE failed_bpids = new SEQUENCE(); ++ failed_bpids.addElement(attrbpid); ++ cmcStatusInfo = new CMCStatusInfo(CMCStatusInfo.FAILED, failed_bpids, ++ (String) null, ++ otherInfo); ++ tagattr = new TaggedAttribute( ++ new INTEGER(bpid++), ++ OBJECT_IDENTIFIER.id_cmc_cMCStatusInfo, cmcStatusInfo); ++ controlSeq.addElement(tagattr); ++ return bpid; ++ } ++ } else { ++ CMS.debug(method + "body part id do not match;"); + } + } + } + } + + revoke = true; ++ } else { //use shared secret; request unsigned ++ CMS.debug(method + "checking shared secret"); + // check shared secret +- } else { +- ISharedToken tokenClass = null; +- boolean sharedSecretFound = true; +- String name = null; +- try { +- name = CMS.getConfigStore().getString("cmc.revokeCert.sharedSecret.class"); +- } catch (EPropertyNotFound e) { +- CMS.debug("EnrollProfile: Failed to find the token class in the configuration file."); +- sharedSecretFound = false; +- } catch (EBaseException e) { +- CMS.debug("EnrollProfile: Failed to find the token class in the configuration file."); +- sharedSecretFound = false; +- } +- +- try { +- tokenClass = (ISharedToken) Class.forName(name).newInstance(); +- } catch (ClassNotFoundException e) { +- CMS.debug("EnrollProfile: Failed to find class name: " + name); +- sharedSecretFound = false; +- } catch (InstantiationException e) { +- CMS.debug("EnrollProfile: Failed to instantiate class: " + name); +- sharedSecretFound = 
false; +- } catch (IllegalAccessException e) { +- CMS.debug("EnrollProfile: Illegal access: " + name); +- sharedSecretFound = false; +- } +- +- if (!sharedSecretFound) { +- CMS.debug("CMCOutputTemplate: class for shared secret was not found."); +- OtherInfo otherInfo = +- new OtherInfo(OtherInfo.FAIL, new INTEGER(OtherInfo.INTERNAL_CA_ERROR), null); ++ //TODO: remember to provide one-time-use when working ++ // on shared token ++ ISharedToken tokenClass = ++ CMS.getSharedTokenClass("cmc.revokeCert.sharedSecret.class"); ++ if (tokenClass == null) { ++ CMS.debug(method + " Failed to retrieve shared secret plugin class"); ++ OtherInfo otherInfo = new OtherInfo(OtherInfo.FAIL, new INTEGER(OtherInfo.INTERNAL_CA_ERROR), ++ null); + SEQUENCE failed_bpids = new SEQUENCE(); + failed_bpids.addElement(attrbpid); + cmcStatusInfo = new CMCStatusInfo(CMCStatusInfo.FAILED, failed_bpids, (String) null, otherInfo); +@@ -1014,15 +1062,13 @@ public class CMCOutputTemplate { + return bpid; + } + +- String sharedSecret = null; +- if (tokenClass != null) { +- sharedSecret = tokenClass.getSharedToken(revokeSerial); +- } ++ String sharedSecret = ++ sharedSecret = tokenClass.getSharedToken(revokeSerial); + + if (sharedSecret == null) { +- CMS.debug("CMCOutputTemplate: class for shared secret was not found."); +- OtherInfo otherInfo = +- new OtherInfo(OtherInfo.FAIL, new INTEGER(OtherInfo.INTERNAL_CA_ERROR), null); ++ CMS.debug("CMCOutputTemplate: shared secret not found."); ++ OtherInfo otherInfo = new OtherInfo(OtherInfo.FAIL, new INTEGER(OtherInfo.INTERNAL_CA_ERROR), ++ null); + SEQUENCE failed_bpids = new SEQUENCE(); + failed_bpids.addElement(attrbpid); + cmcStatusInfo = new CMCStatusInfo(CMCStatusInfo.FAILED, failed_bpids, (String) null, otherInfo); +@@ -1033,15 +1079,17 @@ public class CMCOutputTemplate { + return bpid; + } + +- byte[] strb = str.toByteArray(); +- String clientSC = new String(strb); ++ byte[] reqSecretb = reqSecret.toByteArray(); ++ String clientSC = new 
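Review bot: In the non-CMCUserSignedAuth branch, `revoke = true` is reached whenever the OtherMsg loop finds no body part ID equal to `pid` (the `"body part id do not match;"` path only logs) and also when `numOfOtherMsgs` is 0 — the only way to fail is a matching OtherMsg with a bad signature. The new comment above the loop says the outer signature should already have been verified by the auth manager, but this code cannot check that; a deployment with `cmc.signerInfo.verify=false`, or the `"none"` auth-manager fallback above, would reach this point with nothing verified. Track whether a signature was actually checked and fail closed when it was not, unless the auth manager ID is one explicitly known to verify the outer SignedData. Separately, `num1.toString()` and `num1.intValue()` throw NullPointerException if `numOfOtherMsgs` was never put in the context; guard with `int num = (num1 == null) ? 0 : num1.intValue();`. The method continues outside the hunk.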
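Review bot: `String sharedSecret = sharedSecret = tokenClass.getSharedToken(revokeSerial);` assigns the variable twice inside its own initializer — it compiles, but reads like a merge accident; it should be `String sharedSecret = tokenClass.getSharedToken(revokeSerial);`. The null case now logs "shared secret not found" while still answering INTERNAL_CA_ERROR; note that returning a different OtherInfo code for "no secret registered for this serial" than for "wrong secret" lets an unauthenticated caller probe which serials have a shared secret, so answering BAD_MESSAGE_CHECK for both is the safer choice. The method continues outside the hunk.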
String(reqSecretb); + if (clientSC.equals(sharedSecret)) { +- CMS.debug("CMCOutputTemplate: Both client and server shared secret are the same, can go ahead to revoke certificate."); ++ CMS.debug(method ++ + " Client and server shared secret are the same, can go ahead and revoke certificate."); + revoke = true; + } else { +- CMS.debug("CMCOutputTemplate: Both client and server shared secret are not the same, cant revoke certificate."); +- OtherInfo otherInfo = +- new OtherInfo(OtherInfo.FAIL, new INTEGER(OtherInfo.BAD_MESSAGE_CHECK), null); ++ CMS.debug(method ++ + " Client and server shared secret are not the same, cannot revoke certificate."); ++ OtherInfo otherInfo = new OtherInfo(OtherInfo.FAIL, new INTEGER(OtherInfo.BAD_MESSAGE_CHECK), ++ null); + SEQUENCE failed_bpids = new SEQUENCE(); + failed_bpids.addElement(attrbpid); + cmcStatusInfo = new CMCStatusInfo(CMCStatusInfo.FAILED, failed_bpids, (String) null, otherInfo); +@@ -1049,6 +1097,16 @@ public class CMCOutputTemplate { + new INTEGER(bpid++), + OBJECT_IDENTIFIER.id_cmc_cMCStatusInfo, cmcStatusInfo); + controlSeq.addElement(tagattr); ++ ++ audit(new CertStatusChangeRequestProcessedEvent( ++ auditSubjectID, ++ ILogger.FAILURE, ++ auditRequesterID, ++ auditSerialNumber, ++ auditRequestType, ++ auditReasonNum, ++ auditApprovalStatus)); ++ + return bpid; + } + } +@@ -1060,11 +1118,11 @@ public class CMCOutputTemplate { + try { + record = repository.readCertificateRecord(revokeSerial); + } catch (EBaseException ee) { +- CMS.debug("CMCOutputTemplate: Exception: " + ee.toString()); ++ CMS.debug(method + "Exception: " + ee.toString()); + } + + if (record == null) { +- CMS.debug("CMCOutputTemplate: The certificate is not found"); ++ CMS.debug(method + " The certificate is not found"); + OtherInfo otherInfo = new OtherInfo(OtherInfo.FAIL, new INTEGER(OtherInfo.BAD_CERT_ID), null); + SEQUENCE failed_bpids = new SEQUENCE(); + failed_bpids.addElement(attrbpid); +@@ -1088,11 +1146,46 @@ public class CMCOutputTemplate { 
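Review bot: `clientSC.equals(sharedSecret)` compares the client-supplied secret with `String.equals`, which stops at the first differing character, and `new String(reqSecretb)` decodes with the platform default charset. For a credential check compare constant-time on bytes, e.g. `MessageDigest.isEqual(reqSecretb, sharedSecret.getBytes(StandardCharsets.UTF_8))`, with the charset chosen explicitly so the result does not change with the JVM's file.encoding. The `//TODO: remember to provide one-time-use` left in the previous hunk is the other half of this: until the token is single-use, a captured unsigned revocation request can be replayed. The method continues outside the hunk.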
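Review bot: The CertStatusChangeRequestProcessedEvent emitted on shared-secret mismatch passes `auditSubjectID`, which at this point is still the `null` it was initialised to at the top of the method — it is only assigned from the certificate record's subject after the record lookup further down. A null subject in a signed audit record is worse than a placeholder; pass `ILogger.UNIDENTIFIED` here, or load the record before the secret check so the subject is known for every failure event. The method continues outside the hunk.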
+ controlSeq.addElement(tagattr); + return bpid; + } ++ + X509CertImpl impl = record.getCertificate(); ++ ++ X500Name certPrincipal = (X500Name) impl.getSubjectDN(); ++ auditSubjectID = certPrincipal.getCommonName(); ++ ++ // in case of user-signed request, check if signer ++ // principal matches that of the revoking cert ++ if ((reqSecret == null) && authManagerId.equals("CMCUserSignedAuth")) { ++ if (!certPrincipal.equals(signerPrincipal)) { ++ msg = "certificate principal and signer do not match"; ++ CMS.debug(method + msg); ++ OtherInfo otherInfo = new OtherInfo(OtherInfo.FAIL, new INTEGER(OtherInfo.BAD_IDENTITY), ++ null); ++ SEQUENCE failed_bpids = new SEQUENCE(); ++ failed_bpids.addElement(attrbpid); ++ cmcStatusInfo = new CMCStatusInfo(CMCStatusInfo.FAILED, failed_bpids, msg, ++ otherInfo); ++ tagattr = new TaggedAttribute( ++ new INTEGER(bpid++), ++ OBJECT_IDENTIFIER.id_cmc_cMCStatusInfo, cmcStatusInfo); ++ controlSeq.addElement(tagattr); ++ ++ audit(new CertStatusChangeRequestProcessedEvent( ++ auditSubjectID, ++ ILogger.FAILURE, ++ auditRequesterID, ++ auditSerialNumber, ++ auditRequestType, ++ auditReasonNum, ++ auditApprovalStatus)); ++ ++ return bpid; ++ } else { ++ CMS.debug(method + "certificate principal and signer match"); ++ } ++ } ++ + X509CertImpl[] impls = new X509CertImpl[1]; + impls[0] = impl; +- ENUMERATED n = revRequest.getReason(); +- RevocationReason reason = toRevocationReason(n); + CRLReasonExtension crlReasonExtn = new CRLReasonExtension(reason); + CRLExtensions entryExtn = new CRLExtensions(); + GeneralizedTime t = revRequest.getInvalidityDate(); +@@ -1105,8 +1198,8 @@ public class CMCOutputTemplate { + entryExtn.set(crlReasonExtn.getName(), crlReasonExtn); + } + +- RevokedCertImpl revCertImpl = +- new RevokedCertImpl(impl.getSerialNumber(), CMS.getCurrentDate(), entryExtn); ++ RevokedCertImpl revCertImpl = new RevokedCertImpl(impl.getSerialNumber(), CMS.getCurrentDate(), ++ entryExtn); + RevokedCertImpl[] revCertImpls = new 
RevokedCertImpl[1]; + revCertImpls[0] = revCertImpl; + IRequestQueue queue = ca.getRequestQueue(); +@@ -1122,20 +1215,30 @@ public class CMCOutputTemplate { + RequestStatus stat = revReq.getRequestStatus(); + if (stat == RequestStatus.COMPLETE) { + Integer result = revReq.getExtDataInInteger(IRequest.RESULT); +- CMS.debug("CMCOutputTemplate: revReq result = " + result); ++ CMS.debug(method + " revReq result = " + result); + if (result.equals(IRequest.RES_ERROR)) { + CMS.debug("CMCOutputTemplate: revReq exception: " + + revReq.getExtDataInString(IRequest.ERROR)); +- OtherInfo otherInfo = +- new OtherInfo(OtherInfo.FAIL, new INTEGER(OtherInfo.BAD_REQUEST), null); ++ OtherInfo otherInfo = new OtherInfo(OtherInfo.FAIL, new INTEGER(OtherInfo.BAD_REQUEST), ++ null); + SEQUENCE failed_bpids = new SEQUENCE(); + failed_bpids.addElement(attrbpid); +- cmcStatusInfo = +- new CMCStatusInfo(CMCStatusInfo.FAILED, failed_bpids, (String) null, otherInfo); ++ cmcStatusInfo = new CMCStatusInfo(CMCStatusInfo.FAILED, failed_bpids, (String) null, ++ otherInfo); + tagattr = new TaggedAttribute( + new INTEGER(bpid++), + OBJECT_IDENTIFIER.id_cmc_cMCStatusInfo, cmcStatusInfo); + controlSeq.addElement(tagattr); ++ ++ audit(new CertStatusChangeRequestProcessedEvent( ++ auditSubjectID, ++ ILogger.FAILURE, ++ auditRequesterID, ++ auditSerialNumber, ++ auditRequestType, ++ auditReasonNum, ++ auditApprovalStatus)); ++ + return bpid; + } + } +@@ -1148,7 +1251,7 @@ public class CMCOutputTemplate { + impl.getSubjectDN(), + impl.getSerialNumber().toString(16), + reason.toString() }); +- CMS.debug("CMCOutputTemplate: Certificate get revoked."); ++ CMS.debug(method + " Certificate revoked."); + SEQUENCE success_bpids = new SEQUENCE(); + success_bpids.addElement(attrbpid); + cmcStatusInfo = new CMCStatusInfo(CMCStatusInfo.SUCCESS, +@@ -1157,6 +1260,16 @@ public class CMCOutputTemplate { + new INTEGER(bpid++), + OBJECT_IDENTIFIER.id_cmc_cMCStatusInfo, cmcStatusInfo); + controlSeq.addElement(tagattr); ++ 
++ auditApprovalStatus = RequestStatus.COMPLETE; ++ audit(new CertStatusChangeRequestProcessedEvent( ++ auditSubjectID, ++ ILogger.SUCCESS, ++ auditRequesterID, ++ auditSerialNumber, ++ auditRequestType, ++ auditReasonNum, ++ auditApprovalStatus)); + return bpid; + } else { + OtherInfo otherInfo = new OtherInfo(OtherInfo.FAIL, new INTEGER(OtherInfo.BAD_MESSAGE_CHECK), null); +@@ -1167,6 +1280,16 @@ public class CMCOutputTemplate { + new INTEGER(bpid++), + OBJECT_IDENTIFIER.id_cmc_cMCStatusInfo, cmcStatusInfo); + controlSeq.addElement(tagattr); ++ ++ audit(new CertStatusChangeRequestProcessedEvent( ++ auditSubjectID, ++ ILogger.FAILURE, ++ auditRequesterID, ++ auditSerialNumber, ++ auditRequestType, ++ auditReasonNum, ++ auditApprovalStatus)); ++ + return bpid; + } + } +@@ -1175,54 +1298,81 @@ public class CMCOutputTemplate { + return bpid; + } + ++ protected void audit(AuditEvent event) { ++ ++ String template = event.getMessage(); ++ Object[] params = event.getParameters(); ++ ++ String message = CMS.getLogMessage(template, params); ++ ++ audit(message); ++ } ++ ++ protected void audit(String msg) { ++ // in this case, do NOT strip preceding/trailing whitespace ++ // from passed-in String parameters ++ ++ if (mSignedAuditLogger == null) { ++ return; ++ } ++ ++ mSignedAuditLogger.log(ILogger.EV_SIGNED_AUDIT, ++ null, ++ ILogger.S_SIGNED_AUDIT, ++ ILogger.LL_SECURITY, ++ msg); ++ } ++ + private RevocationReason toRevocationReason(ENUMERATED n) { + long code = n.getValue(); +- if (code == RevRequest.aACompromise.getValue()) ++ if (code == RevokeRequest.aACompromise.getValue()) + return RevocationReason.UNSPECIFIED; +- else if (code == RevRequest.affiliationChanged.getValue()) ++ else if (code == RevokeRequest.affiliationChanged.getValue()) + return RevocationReason.AFFILIATION_CHANGED; +- else if (code == RevRequest.cACompromise.getValue()) ++ else if (code == RevokeRequest.cACompromise.getValue()) + return RevocationReason.CA_COMPROMISE; +- else if (code == 
RevRequest.certificateHold.getValue()) ++ else if (code == RevokeRequest.certificateHold.getValue()) + return RevocationReason.CERTIFICATE_HOLD; +- else if (code == RevRequest.cessationOfOperation.getValue()) ++ else if (code == RevokeRequest.cessationOfOperation.getValue()) + return RevocationReason.CESSATION_OF_OPERATION; +- else if (code == RevRequest.keyCompromise.getValue()) ++ else if (code == RevokeRequest.keyCompromise.getValue()) + return RevocationReason.KEY_COMPROMISE; +- else if (code == RevRequest.privilegeWithdrawn.getValue()) ++ else if (code == RevokeRequest.privilegeWithdrawn.getValue()) + return RevocationReason.UNSPECIFIED; +- else if (code == RevRequest.removeFromCRL.getValue()) ++ else if (code == RevokeRequest.removeFromCRL.getValue()) + return RevocationReason.REMOVE_FROM_CRL; +- else if (code == RevRequest.superseded.getValue()) ++ else if (code == RevokeRequest.superseded.getValue()) + return RevocationReason.SUPERSEDED; +- else if (code == RevRequest.unspecified.getValue()) ++ else if (code == RevokeRequest.unspecified.getValue()) + return RevocationReason.UNSPECIFIED; + return RevocationReason.UNSPECIFIED; + } + + private boolean verifyRevRequestSignature(SignedData msgData) { ++ String method = "CMCOutputTemplate: verifyRevRequestSignature: "; ++ CMS.debug(method + "begins"); + try { + EncapsulatedContentInfo ci = msgData.getContentInfo(); + OCTET_STRING content = ci.getContent(); + ByteArrayInputStream s = new ByteArrayInputStream(content.toByteArray()); + TaggedAttribute tattr = (TaggedAttribute) (new TaggedAttribute.Template()).decode(s); + SET values = tattr.getValues(); +- RevRequest revRequest = null; +- if (values != null && values.size() > 0) +- revRequest = +- (RevRequest) (ASN1Util.decode(new RevRequest.Template(), +- ASN1Util.encode(values.elementAt(0)))); ++ RevokeRequest revRequest = null; ++ if (values != null && values.size() > 0) { ++ revRequest = (RevokeRequest) (ASN1Util.decode(new RevokeRequest.Template(), ++ 
ASN1Util.encode(values.elementAt(0)))); ++ } else { ++ CMS.debug(method + "attribute null"); ++ return false; ++ } + + SET dias = msgData.getDigestAlgorithmIdentifiers(); + int numDig = dias.size(); + Hashtable digs = new Hashtable(); + for (int i = 0; i < numDig; i++) { +- AlgorithmIdentifier dai = +- (AlgorithmIdentifier) dias.elementAt(i); +- String name = +- DigestAlgorithm.fromOID(dai.getOID()).toString(); +- MessageDigest md = +- MessageDigest.getInstance(name); ++ AlgorithmIdentifier dai = (AlgorithmIdentifier) dias.elementAt(i); ++ String name = DigestAlgorithm.fromOID(dai.getOID()).toString(); ++ MessageDigest md = MessageDigest.getInstance(name); + byte[] digest = md.digest(content.toByteArray()); + digs.put(name, digest); + } +@@ -1230,8 +1380,7 @@ public class CMCOutputTemplate { + SET sis = msgData.getSignerInfos(); + int numSis = sis.size(); + for (int i = 0; i < numSis; i++) { +- org.mozilla.jss.pkix.cms.SignerInfo si = +- (org.mozilla.jss.pkix.cms.SignerInfo) sis.elementAt(i); ++ org.mozilla.jss.pkix.cms.SignerInfo si = (org.mozilla.jss.pkix.cms.SignerInfo) sis.elementAt(i); + String name = si.getDigestAlgorithm().toString(); + byte[] digest = digs.get(name); + if (digest == null) { +@@ -1242,17 +1391,15 @@ public class CMCOutputTemplate { + } + SignerIdentifier sid = si.getSignerIdentifier(); + if (sid.getType().equals(SignerIdentifier.ISSUER_AND_SERIALNUMBER)) { +- org.mozilla.jss.pkix.cms.IssuerAndSerialNumber issuerAndSerialNumber = +- sid.getIssuerAndSerialNumber(); ++ org.mozilla.jss.pkix.cms.IssuerAndSerialNumber issuerAndSerialNumber = sid ++ .getIssuerAndSerialNumber(); + java.security.cert.X509Certificate cert = null; + if (msgData.hasCertificates()) { + SET certs = msgData.getCertificates(); + int numCerts = certs.size(); + for (int j = 0; j < numCerts; j++) { +- org.mozilla.jss.pkix.cert.Certificate certJss = +- (Certificate) certs.elementAt(j); +- org.mozilla.jss.pkix.cert.CertificateInfo certI = +- certJss.getInfo(); ++ 
org.mozilla.jss.pkix.cert.Certificate certJss = (Certificate) certs.elementAt(j); ++ org.mozilla.jss.pkix.cert.CertificateInfo certI = certJss.getInfo(); + Name issuer = certI.getIssuer(); + byte[] issuerB = ASN1Util.encode(issuer); + INTEGER sn = certI.getSerialNumber(); +@@ -1268,11 +1415,33 @@ public class CMCOutputTemplate { + } + + if (cert != null) { ++ CMS.debug(method + "found cert"); + PublicKey pbKey = cert.getPublicKey(); + PK11PubKey pubK = PK11PubKey.fromSPKI(((X509Key) pbKey).getKey()); + si.verify(digest, ci.getContentType(), pubK); ++ ++ // now check validity of the cert ++ java.security.cert.X509Certificate[] x509Certs = new java.security.cert.X509Certificate[1]; ++ x509Certs[0] = cert; ++ if (CMS.isRevoked(x509Certs)) { ++ CMS.debug(method + "CMC signing cert is a revoked certificate"); ++ return false; ++ } ++ try { ++ cert.checkValidity(); ++ } catch (CertificateExpiredException e) { ++ CMS.debug(method + "CMC signing cert is an expired certificate"); ++ return false; ++ } catch (Exception e) { ++ return false; ++ } ++ + return true; ++ } else { ++ CMS.debug(method + "cert not found"); + } ++ } else { ++ CMS.debug(method + "unsupported SignerIdentifier for CMC revocation"); + } + } + +diff --git a/base/server/cms/src/com/netscape/cms/servlet/common/GenPendingTemplateFiller.java b/base/server/cms/src/com/netscape/cms/servlet/common/GenPendingTemplateFiller.java +index 83a2d8c..4578a98 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/common/GenPendingTemplateFiller.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/common/GenPendingTemplateFiller.java +@@ -158,9 +158,9 @@ public class GenPendingTemplateFiller implements ICMSTemplateFiller { + byte[] dig; + + try { +- MessageDigest SHA1Digest = MessageDigest.getInstance("SHA1"); ++ MessageDigest SHA2Digest = MessageDigest.getInstance("SHA256"); + +- dig = SHA1Digest.digest(salt.getBytes()); ++ dig = SHA2Digest.digest(salt.getBytes()); + } catch (NoSuchAlgorithmException ex) { + dig 
= salt.getBytes(); + } +@@ -199,16 +199,15 @@ public class GenPendingTemplateFiller implements ICMSTemplateFiller { + SignerIdentifier si = new + SignerIdentifier(SignerIdentifier.ISSUER_AND_SERIALNUMBER, ias, null); + +- // SHA1 is the default digest Alg for now. + DigestAlgorithm digestAlg = null; + SignatureAlgorithm signAlg = null; + org.mozilla.jss.crypto.PrivateKey privKey = CryptoManager.getInstance().findPrivKeyByCert(x509cert); + org.mozilla.jss.crypto.PrivateKey.Type keyType = privKey.getType(); + + if (keyType.equals(org.mozilla.jss.crypto.PrivateKey.RSA)) { +- signAlg = SignatureAlgorithm.RSASignatureWithSHA1Digest; +- } else if (keyType.equals(org.mozilla.jss.crypto.PrivateKey.DSA)) { +- signAlg = SignatureAlgorithm.DSASignatureWithSHA1Digest; ++ signAlg = SignatureAlgorithm.RSASignatureWithSHA256Digest; ++ } else if (keyType.equals(org.mozilla.jss.crypto.PrivateKey.EC)) { ++ signAlg = SignatureAlgorithm.ECSignatureWithSHA256Digest; + } else { + CMS.debug("GenPendingTemplateFiller::getTemplateParams() - " + + "keyType " + keyType.toString() +@@ -220,8 +219,8 @@ public class GenPendingTemplateFiller implements ICMSTemplateFiller { + byte[] digest = null; + + try { +- SHADigest = MessageDigest.getInstance("SHA1"); +- digestAlg = DigestAlgorithm.SHA1; ++ SHADigest = MessageDigest.getInstance("SHA256"); ++ digestAlg = DigestAlgorithm.SHA256; + + ByteArrayOutputStream ostream = new ByteArrayOutputStream(); + +diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java +index 93039a4..330b5ff 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java +@@ -413,7 +413,7 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { + } + + setInputsIntoContext(request, profile, ctx); +- 
CMS.debug("ProfileSubmistServlet: set Inputs into Context"); ++ CMS.debug("ProfileSubmitCMCServlet: set Inputs into Context"); + + // before creating the request, authenticate the request + +@@ -560,9 +560,14 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { + // In case of decryptedPOP, request already exists, find it and + // put in provedReq. + IRequest provedReq = null; ++ boolean isRevoke = false; + if (reqs == null) { + // handling DecryptedPOP request here + Integer reqID = (Integer) context.get("cmcDecryptedPopReqId"); ++ if (reqID == null) { ++ CMS.debug("ProfileSubmitCMCServlet: revocation request"); ++ isRevoke = true; ++ } else { + provedReq = profile.getRequestQueue().findRequest(new RequestId(reqID.toString())); + if (provedReq == null) { + +@@ -584,6 +589,7 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { + } else { + CMS.debug("ProfileSubmitCMCServlet: provedReq not null"); + } ++ } + } + + String errorCode = null; +@@ -592,7 +598,7 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { + /////////////////////////////////////////////// + // populate request + /////////////////////////////////////////////// +- for (int k = 0; (provedReq == null) &&(k < reqs.length); k++) { ++ for (int k = 0; (!isRevoke) && (provedReq == null) &&(k < reqs.length); k++) { + // adding parameters to request + setInputsIntoRequest(request, profile, reqs[k]); + +@@ -712,7 +718,7 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { + if (reqs != null && reqs.length > 0) + error_codes = new int[reqs.length]; + +- for (int k = 0; (provedReq == null) && (k < reqs.length); k++) { ++ for (int k = 0; (!isRevoke) && (provedReq == null) && (k < reqs.length); k++) { + try { + // reset the "auditRequesterID" + auditRequesterID = auditRequesterID(reqs[k]); +diff --git a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java +index 94a0783..b111f71 100644 
+--- a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java ++++ b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java +@@ -62,6 +62,7 @@ import org.mozilla.jss.util.PasswordCallback; + import org.w3c.dom.Element; + import org.w3c.dom.NodeList; + ++import com.netscape.certsrv.authentication.ISharedToken; + import com.netscape.certsrv.acls.ACL; + import com.netscape.certsrv.acls.ACLEntry; + import com.netscape.certsrv.acls.EACLsException; +@@ -1912,6 +1913,38 @@ public class CMSEngine implements ICMSEngine { + } + } + ++ public ISharedToken getSharedTokenClass(String configName) { ++ String method = "CMSEngine: getSharedTokenClass: "; ++ ISharedToken tokenClass = null; ++ ++ String name = null; ++ try { ++ CMS.debug(method + "getting :" + configName); ++ name = CMS.getConfigStore().getString(configName); ++ CMS.debug(method + "Shared Secret plugin class name retrieved:" + ++ name); ++ } catch (Exception e) { ++ CMS.debug(method + " Failed to retrieve shared secret plugin class name"); ++ return null; ++ } ++ ++ try { ++ tokenClass = (ISharedToken) Class.forName(name).newInstance(); ++ CMS.debug(method + "Shared Secret plugin class retrieved"); ++ } catch (ClassNotFoundException e) { ++ CMS.debug(method + " Failed to find class name: " + name); ++ return null; ++ } catch (InstantiationException e) { ++ CMS.debug("EnrollProfile: Failed to instantiate class: " + name); ++ return null; ++ } catch (IllegalAccessException e) { ++ CMS.debug(method + " Illegal access: " + name); ++ return null; ++ } ++ ++ return tokenClass; ++ } ++ + public ILogger getLogger() { + return Logger.getLogger(); + } +diff --git a/base/server/test/com/netscape/cmscore/app/CMSEngineDefaultStub.java b/base/server/test/com/netscape/cmscore/app/CMSEngineDefaultStub.java +index dd28adb..b314dac 100644 +--- a/base/server/test/com/netscape/cmscore/app/CMSEngineDefaultStub.java ++++ b/base/server/test/com/netscape/cmscore/app/CMSEngineDefaultStub.java +@@ -23,6 +23,7 @@ import 
com.netscape.certsrv.acls.EACLsException; + import com.netscape.certsrv.acls.IACL; + import com.netscape.certsrv.apps.ICMSEngine; + import com.netscape.certsrv.apps.ICommandQueue; ++import com.netscape.certsrv.authentication.ISharedToken; + import com.netscape.certsrv.authority.IAuthority; + import com.netscape.certsrv.base.EBaseException; + import com.netscape.certsrv.base.IArgBlock; +@@ -370,6 +371,10 @@ public class CMSEngineDefaultStub implements ICMSEngine { + return null; + } + ++ public ISharedToken getSharedTokenClass(String configName) { ++ return null; ++ } ++ + public void putPasswordCache(String tag, String pw) { + } + +diff --git a/base/util/src/com/netscape/cmsutil/util/Utils.java b/base/util/src/com/netscape/cmsutil/util/Utils.java +index 98becdc..933432d 100644 +--- a/base/util/src/com/netscape/cmsutil/util/Utils.java ++++ b/base/util/src/com/netscape/cmsutil/util/Utils.java +@@ -285,6 +285,11 @@ public class Utils { + return string; + } + ++ public static String base64encodeSingleLine(byte[] bytes) { ++ String string = new Base64().encodeToString(bytes); ++ return string; ++ } ++ + public static byte[] base64decode(String string) { + byte[] bytes = Base64.decodeBase64(string); + return bytes; +-- +1.8.3.1 + + +From 4328b770f8cbbb4c85919bc50201dff2e230dcc3 Mon Sep 17 00:00:00 2001 +From: Ade Lee +Date: Thu, 8 Jun 2017 21:14:00 -0400 +Subject: [PATCH 12/14] Add possible keywrap algorithms to usage + +Added possible key wrap algorithms to the CRMFPopClient +usage statement to make it clear what options are available. 
+ +Part of BZ #1458047 + +Change-Id: Ie49ec9cd9bbb5c112668469f701363b967695ef3 +--- + base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java +index 25de2dd..0aaec28 100644 +--- a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java ++++ b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java +@@ -228,6 +228,8 @@ public class CRMFPopClient { + System.out.println(" - POP_SUCCESS: with valid POP"); + System.out.println(" - POP_FAIL: with invalid POP (for testing)"); + System.out.println(" -w Algorithm to use for key wrapping"); ++ System.out.println(" - default: \"AES KeyWrap/Padding\""); ++ System.out.println(" - \"AES/CBC/PKCS5Padding\""); + System.out.println(" -b PEM transport certificate (default: transport.txt)"); + System.out.println(" -v, --verbose Run in verbose mode."); + System.out.println(" --help Show help message."); +-- +1.8.3.1 + + +From 9edd684fef78845acee95a766f34a9c57a1ab604 Mon Sep 17 00:00:00 2001 +From: Ade Lee +Date: Thu, 8 Jun 2017 22:08:01 -0400 +Subject: [PATCH 13/14] Add one more possible keywrap algorithm to usage + +Added one more key wrap algorithms to the CRMFPopClient +usage statement. 
+ +Part of BZ #1458047 + +Change-Id: Ic52410a6a23f850944a6b96385b26a9bba12b51a +--- + base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java +index 0aaec28..66453c3 100644 +--- a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java ++++ b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java +@@ -230,6 +230,7 @@ public class CRMFPopClient { + System.out.println(" -w Algorithm to use for key wrapping"); + System.out.println(" - default: \"AES KeyWrap/Padding\""); + System.out.println(" - \"AES/CBC/PKCS5Padding\""); ++ System.out.println(" - \"DES3/CBC/Pad\""); + System.out.println(" -b PEM transport certificate (default: transport.txt)"); + System.out.println(" -v, --verbose Run in verbose mode."); + System.out.println(" --help Show help message."); +-- +1.8.3.1 + + +From 53564487e46040a9115fba51c8403ecacb50187e Mon Sep 17 00:00:00 2001 +From: Fraser Tweedale +Date: Thu, 8 Jun 2017 14:25:23 +1000 +Subject: [PATCH 14/14] KRA PKCS #12 export: add config to use 3DES PBE + encryption + +Restore the 3DES PKCS #12 key recovery code path, alongside the new +AES variant, which is broken on Thales nethsm. Add the +'kra.legacyPKCS12' config for selecting which version to use, with +the default value of 'true' (i.e., use 3DES). 
+ +Part of: https://pagure.io/dogtagpki/issue/2728 + +Change-Id: Ic02fe8ba3a4c2c049913ff48d3f6dfdc830b4360 +--- + base/kra/src/com/netscape/kra/RecoveryService.java | 43 ++++++++++++++++------ + 1 file changed, 32 insertions(+), 11 deletions(-) + +diff --git a/base/kra/src/com/netscape/kra/RecoveryService.java b/base/kra/src/com/netscape/kra/RecoveryService.java +index eee800a..023eb80 100644 +--- a/base/kra/src/com/netscape/kra/RecoveryService.java ++++ b/base/kra/src/com/netscape/kra/RecoveryService.java +@@ -487,19 +487,40 @@ public class RecoveryService implements IService { + PasswordConverter passConverter = new + PasswordConverter(); + +- byte[] epkiBytes = ct.getCryptoStore().getEncryptedPrivateKeyInfo( +- /* NSS has a bug that causes any AES CBC encryption +- * to use AES-256, but AlgorithmID contains chosen +- * alg. To avoid mismatch, use AES_256_CBC. */ +- passConverter, pass, EncryptionAlgorithm.AES_256_CBC, 0, priKey); +- CMS.debug("RecoverService: createPFX() getEncryptedPrivateKeyInfo() returned"); +- if (epkiBytes == null) { +- CMS.debug("RecoverService: createPFX() epkiBytes null"); +- throw new EBaseException("getEncryptedPrivateKeyInfo returned null"); ++ boolean legacyP12 = ++ CMS.getConfigStore().getBoolean("kra.legacyPKCS12", true); ++ ++ ASN1Value key; ++ if (legacyP12) { ++ Random ran = new SecureRandom(); ++ byte[] salt = new byte[20]; ++ ran.nextBytes(salt); ++ ++ key = EncryptedPrivateKeyInfo.createPBE( ++ PBEAlgorithm.PBE_SHA1_DES3_CBC, ++ pass, salt, 1, passConverter, priKey, ct); ++ CMS.debug("RecoverService: createPFX() EncryptedPrivateKeyInfo.createPBE() returned"); ++ if (key == null) { ++ CMS.debug("RecoverService: createPFX() key null"); ++ throw new EBaseException("EncryptedPrivateKeyInfo.createPBE() failed"); ++ } else { ++ CMS.debug("RecoverService: createPFX() key not null"); ++ } + } else { +- CMS.debug("RecoverService: createPFX() epkiBytes not null"); ++ byte[] epkiBytes = ct.getCryptoStore().getEncryptedPrivateKeyInfo( ++ 
/* NSS has a bug that causes any AES CBC encryption ++ * to use AES-256, but AlgorithmID contains chosen ++ * alg. To avoid mismatch, use AES_256_CBC. */ ++ passConverter, pass, EncryptionAlgorithm.AES_256_CBC, 0, priKey); ++ CMS.debug("RecoverService: createPFX() getEncryptedPrivateKeyInfo() returned"); ++ if (epkiBytes == null) { ++ CMS.debug("RecoverService: createPFX() epkiBytes null"); ++ throw new EBaseException("getEncryptedPrivateKeyInfo returned null"); ++ } else { ++ CMS.debug("RecoverService: createPFX() epkiBytes not null"); ++ } ++ key = new ANY(epkiBytes); + } +- ASN1Value key = new ANY(epkiBytes); + + SET keyAttrs = createBagAttrs( + x509cert.getSubjectDN().toString(), +-- +1.8.3.1 + diff --git a/SOURCES/pki-core-subsystem-cert-update-CLI-cert-option.patch b/SOURCES/pki-core-subsystem-cert-update-CLI-cert-option.patch new file mode 100644 index 0000000..78c3b8a --- /dev/null +++ b/SOURCES/pki-core-subsystem-cert-update-CLI-cert-option.patch 
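Review bot: The restored legacy branch calls `EncryptedPrivateKeyInfo.createPBE(PBEAlgorithm.PBE_SHA1_DES3_CBC, pass, salt, 1, passConverter, priKey, ct)` with an iteration count of 1 (the fourth argument, which JSS's createPBE takes as the PBE iteration count), and because `kra.legacyPKCS12` defaults to `true` every KRA that does not set the option now wraps recovered private keys with a single-iteration PBE, so the protection of the exported PKCS #12 rests on the password alone with no work factor behind it. Raising the count, or reading it from configuration next to `kra.legacyPKCS12`, keeps the 3DES compatibility path without making offline guessing of a leaked PKCS #12 as cheap as it can be; the 20-byte salt drawn from `SecureRandom` is fine as written. The new configuration knob deserves a comment where it is read, e.g. `// kra.legacyPKCS12 (default true): PBE-SHA1-3DES for tokens that reject the AES path (issue 2728); false selects AES-256-CBC`. `createPFX` begins and ends outside this hunk, and the imports for `Random`, `SecureRandom`, `PBEAlgorithm` and `EncryptedPrivateKeyInfo` are not visible here.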
@@ -0,0 +1,90 @@
+From c5312d0b44b5f58ba5b92aba85b89e405213e8a8 Mon Sep 17 00:00:00 2001
+From: Dinesh Prasanth M K
+Date: Fri, 23 Jun 2017 15:57:29 -0400
+Subject: [PATCH] Patch for "pki-server subsystem-cert-update" command
+
+Currently, the --cert option has not been implemented for
+`pki-server subsystem-cert-update` command. The --cert takes
+certificate name that needs to be added to the NSS database
+and replaces the existing certificate (if exists) in the
+database
+
+https://pagure.io/dogtagpki/issue/2756
+
+Change-Id: If8be9edd55a673230f86e213fc803be365e55a92
+(cherry picked from commit d762073c4b5bcd4f9f30e3b8439983a497a77c97)
+---
+ base/server/python/pki/server/cli/subsystem.py | 29 +++++++++++++++++++++++++-
+ 1 file changed, 28 insertions(+), 1 deletion(-)
+
+diff --git a/base/server/python/pki/server/cli/subsystem.py b/base/server/python/pki/server/cli/subsystem.py
+index 10af8ca..a9857ba 100644
+--- a/base/server/python/pki/server/cli/subsystem.py
++++ b/base/server/python/pki/server/cli/subsystem.py
+@@ -741,6 +741,7 @@ class SubsystemCertUpdateCLI(pki.cli.CLI):
+ print(' -i, --instance Instance ID (default: pki-tomcat).')
+ print(' -v, --verbose Run in verbose mode.')
+ print(' --help Show help message.')
++ print(' --cert New certificate to be added')
+ print()
+ 
+ def execute(self, argv):
+@@ -748,7 +749,8 @@ class SubsystemCertUpdateCLI(pki.cli.CLI):
+ try:
+ opts, args = getopt.gnu_getopt(argv, 'i:v', [
+ 'instance=',
+- 'verbose', 'help'])
++ 'verbose', 'help',
++ 'cert='])
+ 
+ except getopt.GetoptError as e:
+ print('ERROR: ' + str(e))
+@@ -756,6 +758,7 @@ class SubsystemCertUpdateCLI(pki.cli.CLI):
+ sys.exit(1)
+ 
+ instance_name = 'pki-tomcat'
++ cert_file = None
+ 
+ for o, a in opts:
+ if o in ('-i', '--instance'):
+@@ -768,6 +771,9 @@ class SubsystemCertUpdateCLI(pki.cli.CLI):
+ self.usage()
+ sys.exit()
+ 
++ elif o == '--cert':
++ cert_file = a
++
+ else:
+ print('ERROR: unknown option ' + o)
+ self.usage()
+@@ -807,6 +813,27 @@ class SubsystemCertUpdateCLI(pki.cli.CLI):
+ 
+ token = subsystem_cert['token']
+ nssdb = instance.open_nssdb(token)
++
++ if cert_file:
++ if not os.path.isfile(cert_file):
++ print('ERROR: %s certificate does not exist.' % cert_file)
++ self.usage()
++ sys.exit(1)
++
++ data = nssdb.get_cert(
++ nickname=subsystem_cert['nickname'],
++ output_format='base64')
++
++ if data:
++ if self.verbose:
++ print('Removing old %s certificate from database.' % subsystem_cert['nickname'])
++ nssdb.remove_cert(nickname=subsystem_cert['nickname'])
++ if self.verbose:
++ print('Adding new %s certificate into database.' % subsystem_cert['nickname'])
++ nssdb.add_cert(
++ nickname=subsystem_cert['nickname'],
++ cert_file=cert_file)
++
+ data = nssdb.get_cert(
+ nickname=subsystem_cert['nickname'],
+ output_format='base64')
+-- 
+1.8.3.1
+
diff --git a/SOURCES/pki-core-system-cert-CMC-enroll-profile.patch b/SOURCES/pki-core-system-cert-CMC-enroll-profile.patch
new file mode 100644
index 0000000..0417ac6
--- /dev/null
+++ b/SOURCES/pki-core-system-cert-CMC-enroll-profile.patch
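Review bot: In the new `--cert` branch `nssdb.remove_cert(nickname=subsystem_cert['nickname'])` runs before `nssdb.add_cert(...)`, so if the add fails (unreadable or malformed file) the subsystem is left with no certificate under that nickname and the old one is already gone; import the new certificate first (for instance under a temporary nickname, or after a parse check) and only then remove the old entry, or at least catch the add failure and report that the database now lacks the certificate. `os.path.isfile(cert_file)` needs `os` in scope, which this hunk does not show being imported. The usage entry `print(' --cert New certificate to be added')` is placed after `--help` while the other options precede it, and it could say what is expected, e.g. `print(' --cert <path> File containing the new certificate (replaces the existing one).')`. `execute` begins and ends outside this hunk.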
@@ -0,0 +1,1132 @@ +From f10ba33f3d6f9cbd31831d0fb571e15b818e9990 Mon Sep 17 00:00:00 2001 +From: Christina Fu +Date: Mon, 26 Jun 2017 18:09:55 -0700 +Subject: [PATCH] Ticket #2757 CMC enrollment profiles for system certificates + +This patch supports CMC-based system certificate requests. + +This patch contains the following: +* The code in CMCAuth (agent-based) to check ssl client auth cert against the CMC signing cert +* The cmc-based system enrollment profiles: +caCMCauditSigningCert.cfg +caCMCcaCert.cfg +caCMCkraStorageCert.cfg +caCMCkraTransportCert.cfg +caCMCocspCert.cfg +caCMCserverCert.cfg +caCMCsubsystemCert.cfg +* new URI's in web.xml as new access points + +Usage example can be found here: +http://pki.fedoraproject.org/wiki/PKI_10.4_CMC_Feature_Update_(RFC5272)#Examples_.28System_Certificates.29 + +(cherry picked from commit 65b1242cd139e6306fb3e039193a3a6b223ea9b1) +--- + base/ca/shared/conf/CS.cfg | 20 ++- + .../shared/profiles/ca/caCMCauditSigningCert.cfg | 80 +++++++++ + base/ca/shared/profiles/ca/caCMCcaCert.cfg | 96 ++++++++++ + base/ca/shared/profiles/ca/caCMCkraStorageCert.cfg | 86 +++++++++ + .../shared/profiles/ca/caCMCkraTransportCert.cfg | 86 +++++++++ + base/ca/shared/profiles/ca/caCMCocspCert.cfg | 71 ++++++++ + base/ca/shared/profiles/ca/caCMCserverCert.cfg | 90 ++++++++++ + base/ca/shared/profiles/ca/caCMCsubsystemCert.cfg | 86 +++++++++ + base/ca/shared/profiles/ca/caFullCMCUserCert.cfg | 4 +- + .../shared/profiles/ca/caFullCMCUserSignedCert.cfg | 2 +- + base/ca/shared/webapps/ca/WEB-INF/web.xml | 196 +++++++++++++++++++++ + .../src/com/netscape/cmstools/CMCRequest.java | 2 +- + .../com/netscape/cms/authentication/CMCAuth.java | 48 ++++- + .../cms/authentication/CMCUserSignedAuth.java | 2 + + .../netscape/cms/profile/common/EnrollProfile.java | 12 ++ + .../servlet/profile/ProfileSubmitCMCServlet.java | 2 +- + 16 files changed, 872 insertions(+), 11 deletions(-) + create mode 100644 base/ca/shared/profiles/ca/caCMCauditSigningCert.cfg + 
create mode 100644 base/ca/shared/profiles/ca/caCMCcaCert.cfg + create mode 100644 base/ca/shared/profiles/ca/caCMCkraStorageCert.cfg + create mode 100644 base/ca/shared/profiles/ca/caCMCkraTransportCert.cfg + create mode 100644 base/ca/shared/profiles/ca/caCMCocspCert.cfg + create mode 100644 base/ca/shared/profiles/ca/caCMCserverCert.cfg + create mode 100644 base/ca/shared/profiles/ca/caCMCsubsystemCert.cfg + +diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg +index 5a244d7..8976575 100644 +--- a/base/ca/shared/conf/CS.cfg ++++ b/base/ca/shared/conf/CS.cfg +@@ -969,7 +969,7 @@ oidmap.pse.oid=2.16.840.1.113730.1.18 + oidmap.subject_info_access.class=netscape.security.extensions.SubjectInfoAccessExtension + oidmap.subject_info_access.oid=1.3.6.1.5.5.7.1.11 + os.userid=nobody +-profile.list=caUserCert,caECUserCert,caUserSMIMEcapCert,caDualCert,caDirBasedDualCert,caECDualCert,AdminCert,caSignedLogCert,caTPSCert,caRARouterCert,caRouterCert,caServerCert,caSubsystemCert,caOtherCert,caCACert,caCrossSignedCACert,caInstallCACert,caRACert,caOCSPCert,caStorageCert,caTransportCert,caDirPinUserCert,caDirUserCert,caECDirUserCert,caAgentServerCert,caAgentFileSigning,caCMCUserCert,caFullCMCUserCert,caFullCMCUserSignedCert,caFullCMCSelfSignedCert,caSimpleCMCUserCert,caTokenDeviceKeyEnrollment,caTokenUserEncryptionKeyEnrollment,caTokenUserSigningKeyEnrollment,caTempTokenDeviceKeyEnrollment,caTempTokenUserEncryptionKeyEnrollment,caTempTokenUserSigningKeyEnrollment,caAdminCert,caInternalAuthServerCert,caInternalAuthTransportCert,caInternalAuthDRMstorageCert,caInternalAuthSubsystemCert,caInternalAuthOCSPCert,caInternalAuthAuditSigningCert,DomainController,caDualRAuserCert,caRAagentCert,caRAserverCert,caUUIDdeviceCert,caSSLClientSelfRenewal,caDirUserRenewal,caManualRenewal,caTokenMSLoginEnrollment,caTokenUserSigningKeyRenewal,caTokenUserEncryptionKeyRenewal,caTokenUserAuthKeyRenewal,caJarSigningCert,caIPAserviceCert,caEncUserCert,caSigningUserCert,caSigningECUserCert,
caEncECUserCert,caTokenUserDelegateAuthKeyEnrollment,caTokenUserDelegateSigningKeyEnrollment ++profile.list=caCMCserverCert,caCMCsubsystemCert,caCMCauditSigningCert,caCMCcaCert,caCMCocspCert,caCMCkraTransportCert,caCMCkraStorageCert,caUserCert,caECUserCert,caUserSMIMEcapCert,caDualCert,caDirBasedDualCert,caECDualCert,AdminCert,caSignedLogCert,caTPSCert,caRARouterCert,caRouterCert,caServerCert,caSubsystemCert,caOtherCert,caCACert,caCMCcaCert,caCrossSignedCACert,caInstallCACert,caRACert,caOCSPCert,caStorageCert,caTransportCert,caDirPinUserCert,caDirUserCert,caECDirUserCert,caAgentServerCert,caAgentFileSigning,caCMCUserCert,caFullCMCUserCert,caFullCMCUserSignedCert,caFullCMCSelfSignedCert,caSimpleCMCUserCert,caTokenDeviceKeyEnrollment,caTokenUserEncryptionKeyEnrollment,caTokenUserSigningKeyEnrollment,caTempTokenDeviceKeyEnrollment,caTempTokenUserEncryptionKeyEnrollment,caTempTokenUserSigningKeyEnrollment,caAdminCert,caInternalAuthServerCert,caInternalAuthTransportCert,caInternalAuthDRMstorageCert,caInternalAuthSubsystemCert,caInternalAuthOCSPCert,caInternalAuthAuditSigningCert,DomainController,caDualRAuserCert,caRAagentCert,caRAserverCert,caUUIDdeviceCert,caSSLClientSelfRenewal,caDirUserRenewal,caManualRenewal,caTokenMSLoginEnrollment,caTokenUserSigningKeyRenewal,caTokenUserEncryptionKeyRenewal,caTokenUserAuthKeyRenewal,caJarSigningCert,caIPAserviceCert,caEncUserCert,caSigningUserCert,caSigningECUserCert,caEncECUserCert,caTokenUserDelegateAuthKeyEnrollment,caTokenUserDelegateSigningKeyEnrollment + profile.caUUIDdeviceCert.class_id=caEnrollImpl + profile.caUUIDdeviceCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caUUIDdeviceCert.cfg + profile.caManualRenewal.class_id=caEnrollImpl +@@ -988,12 +988,26 @@ profile.caAgentServerCert.class_id=caEnrollImpl + profile.caAgentServerCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caAgentServerCert.cfg + profile.caRAserverCert.class_id=caEnrollImpl + 
profile.caRAserverCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caRAserverCert.cfg ++profile.caCMCUserCert.class_id=caEnrollImpl ++profile.caCMCUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caCMCUserCert.cfg ++profile.caCMCauditSigningCert.class_id=caEnrollImpl ++profile.caCMCauditSigningCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caCMCauditSigningCert.cfg ++profile.caCMCcaCert.class_id=caEnrollImpl ++profile.caCMCcaCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caCMCcaCert.cfg ++profile.caCMCkraStorageCert.class_id=caEnrollImpl ++profile.caCMCkraStorageCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caCMCkraStorageCert.cfg ++profile.caCMCkraTransportCert.class_id=caEnrollImpl ++profile.caCMCkraTransportCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caCMCkraTransportCert.cfg ++profile.caCMCocspCert.class_id=caEnrollImpl ++profile.caCMCocspCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caCMCocspCert.cfg ++profile.caCMCserverCert.class_id=caEnrollImpl ++profile.caCMCserverCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caCMCserverCert.cfg ++profile.caCMCsubsystemCert.class_id=caEnrollImpl ++profile.caCMCsubsystemCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caCMCsubsystemCert.cfg + profile.caCACert.class_id=caEnrollImpl + profile.caCACert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caCACert.cfg + profile.caInstallCACert.class_id=caEnrollImpl + profile.caInstallCACert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caInstallCACert.cfg +-profile.caCMCUserCert.class_id=caEnrollImpl +-profile.caCMCUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caCMCUserCert.cfg + profile.caCrossSignedCACert.class_id=caEnrollImpl + profile.caCrossSignedCACert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caCrossSignedCACert.cfg + 
profile.caDirBasedDualCert.class_id=caEnrollImpl +diff --git a/base/ca/shared/profiles/ca/caCMCauditSigningCert.cfg b/base/ca/shared/profiles/ca/caCMCauditSigningCert.cfg +new file mode 100644 +index 0000000..ed5a1b2 +--- /dev/null ++++ b/base/ca/shared/profiles/ca/caCMCauditSigningCert.cfg +@@ -0,0 +1,80 @@ ++desc=This certificate profile is for enrolling audit signing certificates using CMC. ++visible=false ++enable=true ++enableBy=admin ++auth.instance_id=CMCAuth ++authz.acl=group="Certificate Manager Agents" ++name=Audit Signing Certificate Enrollment using CMC ++input.list=i1,i2 ++input.i1.class_id=certReqInputImpl ++input.i2.class_id=submitterInfoInputImpl ++output.list=o1 ++output.o1.class_id=certOutputImpl ++policyset.list=auditSigningCertSet ++policyset.auditSigningCertSet.list=1,2,3,4,5,6,9 ++policyset.auditSigningCertSet.1.constraint.class_id=subjectNameConstraintImpl ++policyset.auditSigningCertSet.1.constraint.name=Subject Name Constraint ++policyset.auditSigningCertSet.1.constraint.params.pattern=CN=.* ++policyset.auditSigningCertSet.1.constraint.params.accept=true ++policyset.auditSigningCertSet.1.default.class_id=userSubjectNameDefaultImpl ++policyset.auditSigningCertSet.1.default.name=Subject Name Default ++policyset.auditSigningCertSet.1.default.params.name= ++policyset.auditSigningCertSet.2.constraint.class_id=validityConstraintImpl ++policyset.auditSigningCertSet.2.constraint.name=Validity Constraint ++policyset.auditSigningCertSet.2.constraint.params.range=720 ++policyset.auditSigningCertSet.2.constraint.params.notBeforeCheck=false ++policyset.auditSigningCertSet.2.constraint.params.notAfterCheck=false ++policyset.auditSigningCertSet.2.default.class_id=validityDefaultImpl ++policyset.auditSigningCertSet.2.default.name=Validity Default ++policyset.auditSigningCertSet.2.default.params.range=720 ++policyset.auditSigningCertSet.2.default.params.startTime=0 ++policyset.auditSigningCertSet.3.constraint.class_id=keyConstraintImpl 
++policyset.auditSigningCertSet.3.constraint.name=Key Constraint ++policyset.auditSigningCertSet.3.constraint.params.keyType=RSA ++policyset.auditSigningCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096 ++policyset.auditSigningCertSet.3.default.class_id=userKeyDefaultImpl ++policyset.auditSigningCertSet.3.default.name=Key Default ++policyset.auditSigningCertSet.4.constraint.class_id=noConstraintImpl ++policyset.auditSigningCertSet.4.constraint.name=No Constraint ++policyset.auditSigningCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl ++policyset.auditSigningCertSet.4.default.name=Authority Key Identifier Default ++policyset.auditSigningCertSet.5.constraint.class_id=noConstraintImpl ++policyset.auditSigningCertSet.5.constraint.name=No Constraint ++policyset.auditSigningCertSet.5.default.class_id=authInfoAccessExtDefaultImpl ++policyset.auditSigningCertSet.5.default.name=AIA Extension Default ++policyset.auditSigningCertSet.5.default.params.authInfoAccessADEnable_0=true ++policyset.auditSigningCertSet.5.default.params.authInfoAccessADLocationType_0=URIName ++policyset.auditSigningCertSet.5.default.params.authInfoAccessADLocation_0= ++policyset.auditSigningCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1 ++policyset.auditSigningCertSet.5.default.params.authInfoAccessCritical=false ++policyset.auditSigningCertSet.5.default.params.authInfoAccessNumADs=1 ++policyset.auditSigningCertSet.6.constraint.class_id=keyUsageExtConstraintImpl ++policyset.auditSigningCertSet.6.constraint.name=Key Usage Extension Constraint ++policyset.auditSigningCertSet.6.constraint.params.keyUsageCritical=true ++policyset.auditSigningCertSet.6.constraint.params.keyUsageDigitalSignature=true ++policyset.auditSigningCertSet.6.constraint.params.keyUsageNonRepudiation=true ++policyset.auditSigningCertSet.6.constraint.params.keyUsageDataEncipherment=false ++policyset.auditSigningCertSet.6.constraint.params.keyUsageKeyEncipherment=false 
++policyset.auditSigningCertSet.6.constraint.params.keyUsageKeyAgreement=false ++policyset.auditSigningCertSet.6.constraint.params.keyUsageKeyCertSign=false ++policyset.auditSigningCertSet.6.constraint.params.keyUsageCrlSign=false ++policyset.auditSigningCertSet.6.constraint.params.keyUsageEncipherOnly=false ++policyset.auditSigningCertSet.6.constraint.params.keyUsageDecipherOnly=false ++policyset.auditSigningCertSet.6.default.class_id=keyUsageExtDefaultImpl ++policyset.auditSigningCertSet.6.default.name=Key Usage Default ++policyset.auditSigningCertSet.6.default.params.keyUsageCritical=true ++policyset.auditSigningCertSet.6.default.params.keyUsageDigitalSignature=true ++policyset.auditSigningCertSet.6.default.params.keyUsageNonRepudiation=true ++policyset.auditSigningCertSet.6.default.params.keyUsageDataEncipherment=false ++policyset.auditSigningCertSet.6.default.params.keyUsageKeyEncipherment=false ++policyset.auditSigningCertSet.6.default.params.keyUsageKeyAgreement=false ++policyset.auditSigningCertSet.6.default.params.keyUsageKeyCertSign=false ++policyset.auditSigningCertSet.6.default.params.keyUsageCrlSign=false ++policyset.auditSigningCertSet.6.default.params.keyUsageEncipherOnly=false ++policyset.auditSigningCertSet.6.default.params.keyUsageDecipherOnly=false ++policyset.auditSigningCertSet.9.constraint.class_id=signingAlgConstraintImpl ++policyset.auditSigningCertSet.9.constraint.name=No Constraint ++policyset.auditSigningCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC ++policyset.auditSigningCertSet.9.default.class_id=signingAlgDefaultImpl ++policyset.auditSigningCertSet.9.default.name=Signing Alg ++policyset.auditSigningCertSet.9.default.params.signingAlg=- +diff --git a/base/ca/shared/profiles/ca/caCMCcaCert.cfg b/base/ca/shared/profiles/ca/caCMCcaCert.cfg +new file mode 100644 +index 0000000..f6df36f +--- /dev/null 
++++ b/base/ca/shared/profiles/ca/caCMCcaCert.cfg +@@ -0,0 +1,96 @@ ++desc=This certificate profile is for enrolling Certificate Authority certificates using CMC. ++visible=false ++enable=true ++enableBy=admin ++auth.instance_id=CMCAuth ++authz.acl=group="Certificate Manager Agents" ++name=Certificate Manager Signing Certificate Enrollment using CMC ++input.list=i1,i2 ++input.i1.class_id=certReqInputImpl ++input.i2.class_id=submitterInfoInputImpl ++output.list=o1 ++output.o1.class_id=certOutputImpl ++policyset.list=caCertSet ++policyset.caCertSet.list=1,2,3,4,5,6,8,9,10 ++policyset.caCertSet.1.constraint.class_id=subjectNameConstraintImpl ++policyset.caCertSet.1.constraint.name=Subject Name Constraint ++policyset.caCertSet.1.constraint.params.pattern=CN=.* ++policyset.caCertSet.1.constraint.params.accept=true ++policyset.caCertSet.1.default.class_id=userSubjectNameDefaultImpl ++policyset.caCertSet.1.default.name=Subject Name Default ++policyset.caCertSet.1.default.params.name= ++policyset.caCertSet.2.constraint.class_id=validityConstraintImpl ++policyset.caCertSet.2.constraint.name=Validity Constraint ++policyset.caCertSet.2.constraint.params.range=7305 ++policyset.caCertSet.2.constraint.params.notBeforeCheck=false ++policyset.caCertSet.2.constraint.params.notAfterCheck=false ++policyset.caCertSet.2.default.class_id=caValidityDefaultImpl ++policyset.caCertSet.2.default.name=CA Certificate Validity Default ++policyset.caCertSet.2.default.params.range=7305 ++policyset.caCertSet.2.default.params.startTime=0 ++policyset.caCertSet.3.constraint.class_id=keyConstraintImpl ++policyset.caCertSet.3.constraint.name=Key Constraint ++policyset.caCertSet.3.constraint.params.keyType=- ++policyset.caCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp384,nistp521 ++policyset.caCertSet.3.default.class_id=userKeyDefaultImpl ++policyset.caCertSet.3.default.name=Key Default ++policyset.caCertSet.4.constraint.class_id=noConstraintImpl 
++policyset.caCertSet.4.constraint.name=No Constraint ++policyset.caCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl ++policyset.caCertSet.4.default.name=Authority Key Identifier Default ++policyset.caCertSet.5.constraint.class_id=basicConstraintsExtConstraintImpl ++policyset.caCertSet.5.constraint.name=Basic Constraint Extension Constraint ++policyset.caCertSet.5.constraint.params.basicConstraintsCritical=true ++policyset.caCertSet.5.constraint.params.basicConstraintsIsCA=true ++policyset.caCertSet.5.constraint.params.basicConstraintsMinPathLen=-1 ++policyset.caCertSet.5.constraint.params.basicConstraintsMaxPathLen=-1 ++policyset.caCertSet.5.default.class_id=basicConstraintsExtDefaultImpl ++policyset.caCertSet.5.default.name=Basic Constraints Extension Default ++policyset.caCertSet.5.default.params.basicConstraintsCritical=true ++policyset.caCertSet.5.default.params.basicConstraintsIsCA=true ++policyset.caCertSet.5.default.params.basicConstraintsPathLen=-1 ++policyset.caCertSet.6.constraint.class_id=keyUsageExtConstraintImpl ++policyset.caCertSet.6.constraint.name=Key Usage Extension Constraint ++policyset.caCertSet.6.constraint.params.keyUsageCritical=true ++policyset.caCertSet.6.constraint.params.keyUsageDigitalSignature=true ++policyset.caCertSet.6.constraint.params.keyUsageNonRepudiation=true ++policyset.caCertSet.6.constraint.params.keyUsageDataEncipherment=false ++policyset.caCertSet.6.constraint.params.keyUsageKeyEncipherment=false ++policyset.caCertSet.6.constraint.params.keyUsageKeyAgreement=false ++policyset.caCertSet.6.constraint.params.keyUsageKeyCertSign=true ++policyset.caCertSet.6.constraint.params.keyUsageCrlSign=true ++policyset.caCertSet.6.constraint.params.keyUsageEncipherOnly=false ++policyset.caCertSet.6.constraint.params.keyUsageDecipherOnly=false ++policyset.caCertSet.6.default.class_id=keyUsageExtDefaultImpl ++policyset.caCertSet.6.default.name=Key Usage Default ++policyset.caCertSet.6.default.params.keyUsageCritical=true 
++policyset.caCertSet.6.default.params.keyUsageDigitalSignature=true ++policyset.caCertSet.6.default.params.keyUsageNonRepudiation=true ++policyset.caCertSet.6.default.params.keyUsageDataEncipherment=false ++policyset.caCertSet.6.default.params.keyUsageKeyEncipherment=false ++policyset.caCertSet.6.default.params.keyUsageKeyAgreement=false ++policyset.caCertSet.6.default.params.keyUsageKeyCertSign=true ++policyset.caCertSet.6.default.params.keyUsageCrlSign=true ++policyset.caCertSet.6.default.params.keyUsageEncipherOnly=false ++policyset.caCertSet.6.default.params.keyUsageDecipherOnly=false ++policyset.caCertSet.8.constraint.class_id=noConstraintImpl ++policyset.caCertSet.8.constraint.name=No Constraint ++policyset.caCertSet.8.default.class_id=subjectKeyIdentifierExtDefaultImpl ++policyset.caCertSet.8.default.name=Subject Key Identifier Extension Default ++policyset.caCertSet.8.default.params.critical=false ++policyset.caCertSet.9.constraint.class_id=signingAlgConstraintImpl ++policyset.caCertSet.9.constraint.name=No Constraint ++policyset.caCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC ++policyset.caCertSet.9.default.class_id=signingAlgDefaultImpl ++policyset.caCertSet.9.default.name=Signing Alg ++policyset.caCertSet.9.default.params.signingAlg=- ++policyset.caCertSet.10.constraint.class_id=noConstraintImpl ++policyset.caCertSet.10.constraint.name=No Constraint ++policyset.caCertSet.10.default.class_id=authInfoAccessExtDefaultImpl ++policyset.caCertSet.10.default.name=AIA Extension Default ++policyset.caCertSet.10.default.params.authInfoAccessADEnable_0=true ++policyset.caCertSet.10.default.params.authInfoAccessADLocationType_0=URIName ++policyset.caCertSet.10.default.params.authInfoAccessADLocation_0= ++policyset.caCertSet.10.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1 
++policyset.caCertSet.10.default.params.authInfoAccessCritical=false ++policyset.caCertSet.10.default.params.authInfoAccessNumADs=1 +diff --git a/base/ca/shared/profiles/ca/caCMCkraStorageCert.cfg b/base/ca/shared/profiles/ca/caCMCkraStorageCert.cfg +new file mode 100644 +index 0000000..259430b +--- /dev/null ++++ b/base/ca/shared/profiles/ca/caCMCkraStorageCert.cfg +@@ -0,0 +1,86 @@ ++desc=This certificate profile is for enrolling KRA storage certificates using CMC ++visible=false ++enable=true ++enableBy=admin ++auth.instance_id=CMCAuth ++authz.acl=group="Certificate Manager Agents" ++name=KRA storage Certificate Enrollment using CMC ++input.list=i1,i2 ++input.i1.class_id=certReqInputImpl ++input.i2.class_id=submitterInfoInputImpl ++output.list=o1 ++output.o1.class_id=certOutputImpl ++policyset.list=drmStorageCertSet ++policyset.drmStorageCertSet.list=1,2,3,4,5,6,7,9 ++policyset.drmStorageCertSet.1.constraint.class_id=subjectNameConstraintImpl ++policyset.drmStorageCertSet.1.constraint.name=Subject Name Constraint ++policyset.drmStorageCertSet.1.constraint.params.pattern=CN=.* ++policyset.drmStorageCertSet.1.constraint.params.accept=true ++policyset.drmStorageCertSet.1.default.class_id=userSubjectNameDefaultImpl ++policyset.drmStorageCertSet.1.default.name=Subject Name Default ++policyset.drmStorageCertSet.1.default.params.name= ++policyset.drmStorageCertSet.2.constraint.class_id=validityConstraintImpl ++policyset.drmStorageCertSet.2.constraint.name=Validity Constraint ++policyset.drmStorageCertSet.2.constraint.params.range=720 ++policyset.drmStorageCertSet.2.constraint.params.notBeforeCheck=false ++policyset.drmStorageCertSet.2.constraint.params.notAfterCheck=false ++policyset.drmStorageCertSet.2.default.class_id=validityDefaultImpl ++policyset.drmStorageCertSet.2.default.name=Validity Default ++policyset.drmStorageCertSet.2.default.params.range=720 ++policyset.drmStorageCertSet.2.default.params.startTime=0 
++policyset.drmStorageCertSet.3.constraint.class_id=keyConstraintImpl ++policyset.drmStorageCertSet.3.constraint.name=Key Constraint ++policyset.drmStorageCertSet.3.constraint.params.keyType=RSA ++policyset.drmStorageCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096 ++policyset.drmStorageCertSet.3.default.class_id=userKeyDefaultImpl ++policyset.drmStorageCertSet.3.default.name=Key Default ++policyset.drmStorageCertSet.4.constraint.class_id=noConstraintImpl ++policyset.drmStorageCertSet.4.constraint.name=No Constraint ++policyset.drmStorageCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl ++policyset.drmStorageCertSet.4.default.name=Authority Key Identifier Default ++policyset.drmStorageCertSet.5.constraint.class_id=noConstraintImpl ++policyset.drmStorageCertSet.5.constraint.name=No Constraint ++policyset.drmStorageCertSet.5.default.class_id=authInfoAccessExtDefaultImpl ++policyset.drmStorageCertSet.5.default.name=AIA Extension Default ++policyset.drmStorageCertSet.5.default.params.authInfoAccessADEnable_0=true ++policyset.drmStorageCertSet.5.default.params.authInfoAccessADLocationType_0=URIName ++policyset.drmStorageCertSet.5.default.params.authInfoAccessADLocation_0= ++policyset.drmStorageCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1 ++policyset.drmStorageCertSet.5.default.params.authInfoAccessCritical=false ++policyset.drmStorageCertSet.5.default.params.authInfoAccessNumADs=1 ++policyset.drmStorageCertSet.6.constraint.class_id=keyUsageExtConstraintImpl ++policyset.drmStorageCertSet.6.constraint.name=Key Usage Extension Constraint ++policyset.drmStorageCertSet.6.constraint.params.keyUsageCritical=true ++policyset.drmStorageCertSet.6.constraint.params.keyUsageDigitalSignature=true ++policyset.drmStorageCertSet.6.constraint.params.keyUsageNonRepudiation=true ++policyset.drmStorageCertSet.6.constraint.params.keyUsageDataEncipherment=true ++policyset.drmStorageCertSet.6.constraint.params.keyUsageKeyEncipherment=true 
++policyset.drmStorageCertSet.6.constraint.params.keyUsageKeyAgreement=false ++policyset.drmStorageCertSet.6.constraint.params.keyUsageKeyCertSign=false ++policyset.drmStorageCertSet.6.constraint.params.keyUsageCrlSign=false ++policyset.drmStorageCertSet.6.constraint.params.keyUsageEncipherOnly=false ++policyset.drmStorageCertSet.6.constraint.params.keyUsageDecipherOnly=false ++policyset.drmStorageCertSet.6.default.class_id=keyUsageExtDefaultImpl ++policyset.drmStorageCertSet.6.default.name=Key Usage Default ++policyset.drmStorageCertSet.6.default.params.keyUsageCritical=true ++policyset.drmStorageCertSet.6.default.params.keyUsageDigitalSignature=true ++policyset.drmStorageCertSet.6.default.params.keyUsageNonRepudiation=true ++policyset.drmStorageCertSet.6.default.params.keyUsageDataEncipherment=true ++policyset.drmStorageCertSet.6.default.params.keyUsageKeyEncipherment=true ++policyset.drmStorageCertSet.6.default.params.keyUsageKeyAgreement=false ++policyset.drmStorageCertSet.6.default.params.keyUsageKeyCertSign=false ++policyset.drmStorageCertSet.6.default.params.keyUsageCrlSign=false ++policyset.drmStorageCertSet.6.default.params.keyUsageEncipherOnly=false ++policyset.drmStorageCertSet.6.default.params.keyUsageDecipherOnly=false ++policyset.drmStorageCertSet.7.constraint.class_id=noConstraintImpl ++policyset.drmStorageCertSet.7.constraint.name=No Constraint ++policyset.drmStorageCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl ++policyset.drmStorageCertSet.7.default.name=Extended Key Usage Extension Default ++policyset.drmStorageCertSet.7.default.params.exKeyUsageCritical=false ++policyset.drmStorageCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2 ++policyset.drmStorageCertSet.9.constraint.class_id=signingAlgConstraintImpl ++policyset.drmStorageCertSet.9.constraint.name=No Constraint 
++policyset.drmStorageCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC ++policyset.drmStorageCertSet.9.default.class_id=signingAlgDefaultImpl ++policyset.drmStorageCertSet.9.default.name=Signing Alg ++policyset.drmStorageCertSet.9.default.params.signingAlg=- +diff --git a/base/ca/shared/profiles/ca/caCMCkraTransportCert.cfg b/base/ca/shared/profiles/ca/caCMCkraTransportCert.cfg +new file mode 100644 +index 0000000..ec54f9c +--- /dev/null ++++ b/base/ca/shared/profiles/ca/caCMCkraTransportCert.cfg +@@ -0,0 +1,86 @@ ++desc=This certificate profile is for enrolling Key Archival Authority transport certificates using CMC. ++visible=false ++enable=true ++enableBy=admin ++auth.instance_id=CMCAuth ++authz.acl=group="Certificate Manager Agents" ++name=Key Archival Authority Transport Certificate Enrollment using CMC ++input.list=i1,i2 ++input.i1.class_id=certReqInputImpl ++input.i2.class_id=submitterInfoInputImpl ++output.list=o1 ++output.o1.class_id=certOutputImpl ++policyset.list=transportCertSet ++policyset.transportCertSet.list=1,2,3,4,5,6,7,8 ++policyset.transportCertSet.1.constraint.class_id=subjectNameConstraintImpl ++policyset.transportCertSet.1.constraint.name=Subject Name Constraint ++policyset.transportCertSet.1.constraint.params.pattern=CN=.* ++policyset.transportCertSet.1.constraint.params.accept=true ++policyset.transportCertSet.1.default.class_id=userSubjectNameDefaultImpl ++policyset.transportCertSet.1.default.name=Subject Name Default ++policyset.transportCertSet.1.default.params.name= ++policyset.transportCertSet.2.constraint.class_id=validityConstraintImpl ++policyset.transportCertSet.2.constraint.name=Validity Constraint ++policyset.transportCertSet.2.constraint.params.range=720 ++policyset.transportCertSet.2.constraint.params.notBeforeCheck=false ++policyset.transportCertSet.2.constraint.params.notAfterCheck=false 
++policyset.transportCertSet.2.default.class_id=validityDefaultImpl ++policyset.transportCertSet.2.default.name=Validity Default ++policyset.transportCertSet.2.default.params.range=720 ++policyset.transportCertSet.2.default.params.startTime=0 ++policyset.transportCertSet.3.constraint.class_id=keyConstraintImpl ++policyset.transportCertSet.3.constraint.name=Key Constraint ++policyset.transportCertSet.3.constraint.params.keyType=RSA ++policyset.transportCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096 ++policyset.transportCertSet.3.default.class_id=userKeyDefaultImpl ++policyset.transportCertSet.3.default.name=Key Default ++policyset.transportCertSet.4.constraint.class_id=noConstraintImpl ++policyset.transportCertSet.4.constraint.name=No Constraint ++policyset.transportCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl ++policyset.transportCertSet.4.default.name=Authority Key Identifier Default ++policyset.transportCertSet.5.constraint.class_id=noConstraintImpl ++policyset.transportCertSet.5.constraint.name=No Constraint ++policyset.transportCertSet.5.default.class_id=authInfoAccessExtDefaultImpl ++policyset.transportCertSet.5.default.name=AIA Extension Default ++policyset.transportCertSet.5.default.params.authInfoAccessADEnable_0=true ++policyset.transportCertSet.5.default.params.authInfoAccessADLocationType_0=URIName ++policyset.transportCertSet.5.default.params.authInfoAccessADLocation_0= ++policyset.transportCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1 ++policyset.transportCertSet.5.default.params.authInfoAccessCritical=false ++policyset.transportCertSet.5.default.params.authInfoAccessNumADs=1 ++policyset.transportCertSet.6.constraint.class_id=keyUsageExtConstraintImpl ++policyset.transportCertSet.6.constraint.name=Key Usage Extension Constraint ++policyset.transportCertSet.6.constraint.params.keyUsageCritical=true ++policyset.transportCertSet.6.constraint.params.keyUsageDigitalSignature=true 
++policyset.transportCertSet.6.constraint.params.keyUsageNonRepudiation=true ++policyset.transportCertSet.6.constraint.params.keyUsageDataEncipherment=true ++policyset.transportCertSet.6.constraint.params.keyUsageKeyEncipherment=true ++policyset.transportCertSet.6.constraint.params.keyUsageKeyAgreement=false ++policyset.transportCertSet.6.constraint.params.keyUsageKeyCertSign=false ++policyset.transportCertSet.6.constraint.params.keyUsageCrlSign=false ++policyset.transportCertSet.6.constraint.params.keyUsageEncipherOnly=false ++policyset.transportCertSet.6.constraint.params.keyUsageDecipherOnly=false ++policyset.transportCertSet.6.default.class_id=keyUsageExtDefaultImpl ++policyset.transportCertSet.6.default.name=Key Usage Default ++policyset.transportCertSet.6.default.params.keyUsageCritical=true ++policyset.transportCertSet.6.default.params.keyUsageDigitalSignature=true ++policyset.transportCertSet.6.default.params.keyUsageNonRepudiation=true ++policyset.transportCertSet.6.default.params.keyUsageDataEncipherment=true ++policyset.transportCertSet.6.default.params.keyUsageKeyEncipherment=true ++policyset.transportCertSet.6.default.params.keyUsageKeyAgreement=false ++policyset.transportCertSet.6.default.params.keyUsageKeyCertSign=false ++policyset.transportCertSet.6.default.params.keyUsageCrlSign=false ++policyset.transportCertSet.6.default.params.keyUsageEncipherOnly=false ++policyset.transportCertSet.6.default.params.keyUsageDecipherOnly=false ++policyset.transportCertSet.7.constraint.class_id=noConstraintImpl ++policyset.transportCertSet.7.constraint.name=No Constraint ++policyset.transportCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl ++policyset.transportCertSet.7.default.name=Extended Key Usage Extension Default ++policyset.transportCertSet.7.default.params.exKeyUsageCritical=false ++policyset.transportCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2 ++policyset.transportCertSet.8.constraint.class_id=signingAlgConstraintImpl 
++policyset.transportCertSet.8.constraint.name=No Constraint ++policyset.transportCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC ++policyset.transportCertSet.8.default.class_id=signingAlgDefaultImpl ++policyset.transportCertSet.8.default.name=Signing Alg ++policyset.transportCertSet.8.default.params.signingAlg=- +diff --git a/base/ca/shared/profiles/ca/caCMCocspCert.cfg b/base/ca/shared/profiles/ca/caCMCocspCert.cfg +new file mode 100644 +index 0000000..8afbd46 +--- /dev/null ++++ b/base/ca/shared/profiles/ca/caCMCocspCert.cfg +@@ -0,0 +1,71 @@ ++desc=This certificate profile is for enrolling OCSP Responder signing certificates using CMC. ++visible=false ++enable=true ++enableBy=admin ++auth.instance_id=CMCAuth ++authz.acl=group="Certificate Manager Agents" ++name=OCSP Responder Signing Certificate Enrollment using CMC ++input.list=i1,i2 ++input.i1.class_id=certReqInputImpl ++input.i2.class_id=submitterInfoInputImpl ++output.list=o1 ++output.o1.class_id=certOutputImpl ++policyset.list=ocspCertSet ++policyset.ocspCertSet.list=1,2,3,4,5,6,8,9 ++policyset.ocspCertSet.1.constraint.class_id=subjectNameConstraintImpl ++policyset.ocspCertSet.1.constraint.name=Subject Name Constraint ++policyset.ocspCertSet.1.constraint.params.pattern=CN=.* ++policyset.ocspCertSet.1.constraint.params.accept=true ++policyset.ocspCertSet.1.default.class_id=userSubjectNameDefaultImpl ++policyset.ocspCertSet.1.default.name=Subject Name Default ++policyset.ocspCertSet.1.default.params.name= ++policyset.ocspCertSet.2.constraint.class_id=validityConstraintImpl ++policyset.ocspCertSet.2.constraint.name=Validity Constraint ++policyset.ocspCertSet.2.constraint.params.range=720 ++policyset.ocspCertSet.2.constraint.params.notBeforeCheck=false ++policyset.ocspCertSet.2.constraint.params.notAfterCheck=false 
++policyset.ocspCertSet.2.default.class_id=validityDefaultImpl
++policyset.ocspCertSet.2.default.name=Validity Default
++policyset.ocspCertSet.2.default.params.range=720
++policyset.ocspCertSet.2.default.params.startTime=0
++policyset.ocspCertSet.3.constraint.class_id=keyConstraintImpl
++policyset.ocspCertSet.3.constraint.name=Key Constraint
++policyset.ocspCertSet.3.constraint.params.keyType=-
++policyset.ocspCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp384,nistp521
++policyset.ocspCertSet.3.default.class_id=userKeyDefaultImpl
++policyset.ocspCertSet.3.default.name=Key Default
++policyset.ocspCertSet.4.constraint.class_id=noConstraintImpl
++policyset.ocspCertSet.4.constraint.name=No Constraint
++policyset.ocspCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
++policyset.ocspCertSet.4.default.name=Authority Key Identifier Default
++policyset.ocspCertSet.5.constraint.class_id=noConstraintImpl
++policyset.ocspCertSet.5.constraint.name=No Constraint
++policyset.ocspCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
++policyset.ocspCertSet.5.default.name=AIA Extension Default
++policyset.ocspCertSet.5.default.params.authInfoAccessADEnable_0=true
++policyset.ocspCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
++policyset.ocspCertSet.5.default.params.authInfoAccessADLocation_0=
++policyset.ocspCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
++policyset.ocspCertSet.5.default.params.authInfoAccessCritical=false
++policyset.ocspCertSet.5.default.params.authInfoAccessNumADs=1
++policyset.ocspCertSet.6.constraint.class_id=extendedKeyUsageExtConstraintImpl
++policyset.ocspCertSet.6.constraint.name=Extended Key Usage Extension
++policyset.ocspCertSet.6.constraint.params.exKeyUsageCritical=false
++policyset.ocspCertSet.6.constraint.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.9
++policyset.ocspCertSet.6.default.class_id=extendedKeyUsageExtDefaultImpl
++policyset.ocspCertSet.6.default.name=Extended 
Key Usage Default
++policyset.ocspCertSet.6.default.params.exKeyUsageCritical=false
++policyset.ocspCertSet.6.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.9
++policyset.ocspCertSet.8.constraint.class_id=extensionConstraintImpl
++policyset.ocspCertSet.8.constraint.name=No Constraint
++policyset.ocspCertSet.8.constraint.params.extCritical=false
++policyset.ocspCertSet.8.constraint.params.extOID=1.3.6.1.5.5.7.48.1.5
++policyset.ocspCertSet.8.default.class_id=ocspNoCheckExtDefaultImpl
++policyset.ocspCertSet.8.default.name=OCSP No Check Extension
++policyset.ocspCertSet.8.default.params.ocspNoCheckCritical=false
++policyset.ocspCertSet.9.constraint.class_id=signingAlgConstraintImpl
++policyset.ocspCertSet.9.constraint.name=No Constraint
++policyset.ocspCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
++policyset.ocspCertSet.9.default.class_id=signingAlgDefaultImpl
++policyset.ocspCertSet.9.default.name=Signing Alg
++policyset.ocspCertSet.9.default.params.signingAlg=-
+diff --git a/base/ca/shared/profiles/ca/caCMCserverCert.cfg b/base/ca/shared/profiles/ca/caCMCserverCert.cfg
+new file mode 100644
+index 0000000..8215d65
+--- /dev/null
++++ b/base/ca/shared/profiles/ca/caCMCserverCert.cfg
+@@ -0,0 +1,90 @@
++desc=This certificate profile is for enrolling server certificates using CMC.
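Review bot: The `signingAlgsAllowed` constraint in `policyset.ocspCertSet.9` admits MD2withRSA, MD5withRSA and the SHA-1 variants, and `policyset.ocspCertSet.3.constraint.params.keyParameters` admits 1024-bit RSA, which is a weak floor for a profile that issues OCSP responder signing certificates; a new profile is the natural place to start from `signingAlgsAllowed=SHA256withRSA,SHA384withRSA,SHA512withRSA,SHA256withEC,SHA384withEC,SHA512withEC` and `keyParameters=2048,3072,4096,nistp256,nistp384,nistp521`. The same lists appear in caCMCserverCert.cfg (`@@ -0,0 +1,90 @@`) and caCMCsubsystemCert.cfg (`@@ -0,0 +1,86 @@`); if they were copied verbatim from the existing non-CMC profiles so that the CMC and non-CMC paths issue identical certificates, saying so in the commit message would make the choice deliberate rather than an oversight. Separately, `policyset.ocspCertSet.list=1,2,3,4,5,6,8,9` skips index 7 and the profile carries no key-usage policy, unlike the server and subsystem profiles in this patch; if that mirrors the existing OCSP profile it is fine, otherwise it is worth confirming.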
++visible=false ++enable=true ++enableBy=admin ++auth.instance_id=CMCAuth ++authz.acl=group="Certificate Manager Agents" ++name=Server Certificate Enrollment using CMC ++input.list=i1,i2 ++input.i1.class_id=certReqInputImpl ++input.i2.class_id=submitterInfoInputImpl ++output.list=o1 ++output.o1.class_id=certOutputImpl ++policyset.list=serverCertSet ++policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9 ++policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl ++policyset.serverCertSet.1.constraint.name=Subject Name Constraint ++policyset.serverCertSet.1.constraint.params.pattern=.*CN=.* ++policyset.serverCertSet.1.constraint.params.accept=true ++policyset.serverCertSet.1.default.class_id=userSubjectNameDefaultImpl ++policyset.serverCertSet.1.default.name=Subject Name Default ++policyset.serverCertSet.1.default.params.name= ++policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl ++policyset.serverCertSet.2.constraint.name=Validity Constraint ++policyset.serverCertSet.2.constraint.params.range=720 ++policyset.serverCertSet.2.constraint.params.notBeforeCheck=false ++policyset.serverCertSet.2.constraint.params.notAfterCheck=false ++policyset.serverCertSet.2.default.class_id=validityDefaultImpl ++policyset.serverCertSet.2.default.name=Validity Default ++policyset.serverCertSet.2.default.params.range=720 ++policyset.serverCertSet.2.default.params.startTime=0 ++policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl ++policyset.serverCertSet.3.constraint.name=Key Constraint ++policyset.serverCertSet.3.constraint.params.keyType=- ++policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp384,nistp521 ++policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl ++policyset.serverCertSet.3.default.name=Key Default ++policyset.serverCertSet.4.constraint.class_id=noConstraintImpl ++policyset.serverCertSet.4.constraint.name=No Constraint 
++policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl ++policyset.serverCertSet.4.default.name=Authority Key Identifier Default ++policyset.serverCertSet.5.constraint.class_id=noConstraintImpl ++policyset.serverCertSet.5.constraint.name=No Constraint ++policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl ++policyset.serverCertSet.5.default.name=AIA Extension Default ++policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true ++policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName ++policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0= ++policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1 ++policyset.serverCertSet.5.default.params.authInfoAccessCritical=false ++policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1 ++policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl ++policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint ++policyset.serverCertSet.6.constraint.params.keyUsageCritical=true ++policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true ++policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true ++policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true ++policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true ++policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false ++policyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false ++policyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false ++policyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false ++policyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false ++policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl ++policyset.serverCertSet.6.default.name=Key Usage Default ++policyset.serverCertSet.6.default.params.keyUsageCritical=true 
++policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true ++policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true ++policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true ++policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true ++policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false ++policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false ++policyset.serverCertSet.6.default.params.keyUsageCrlSign=false ++policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false ++policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false ++policyset.serverCertSet.7.constraint.class_id=noConstraintImpl ++policyset.serverCertSet.7.constraint.name=No Constraint ++policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl ++policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default ++policyset.serverCertSet.7.default.params.exKeyUsageCritical=false ++policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 ++policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl ++policyset.serverCertSet.8.constraint.name=No Constraint ++policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC ++policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl ++policyset.serverCertSet.8.default.name=Signing Alg ++policyset.serverCertSet.8.default.params.signingAlg=- ++policyset.serverCertSet.9.constraint.class_id=noConstraintImpl ++policyset.serverCertSet.9.constraint.name=No Constraint ++policyset.serverCertSet.9.default.class_id=commonNameToSANDefaultImpl ++policyset.serverCertSet.9.default.name=copy CN to SAN Default +diff --git a/base/ca/shared/profiles/ca/caCMCsubsystemCert.cfg b/base/ca/shared/profiles/ca/caCMCsubsystemCert.cfg +new file mode 100644 +index 
0000000..f473f98 +--- /dev/null ++++ b/base/ca/shared/profiles/ca/caCMCsubsystemCert.cfg +@@ -0,0 +1,86 @@ ++desc=This certificate profile is for enrolling subsystem certificates using CMC. ++visible=false ++enable=true ++enableBy=admin ++auth.instance_id=CMCAuth ++authz.acl=group="Certificate Manager Agents" ++name=Subsystem Certificate Enrollment using CMC ++input.list=i1,i2 ++input.i1.class_id=certReqInputImpl ++input.i2.class_id=submitterInfoInputImpl ++output.list=o1 ++output.o1.class_id=certOutputImpl ++policyset.list=serverCertSet ++policyset.serverCertSet.list=1,2,3,4,5,6,7,8 ++policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl ++policyset.serverCertSet.1.constraint.name=Subject Name Constraint ++policyset.serverCertSet.1.constraint.params.pattern=CN=.* ++policyset.serverCertSet.1.constraint.params.accept=true ++policyset.serverCertSet.1.default.class_id=userSubjectNameDefaultImpl ++policyset.serverCertSet.1.default.name=Subject Name Default ++policyset.serverCertSet.1.default.params.name= ++policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl ++policyset.serverCertSet.2.constraint.name=Validity Constraint ++policyset.serverCertSet.2.constraint.params.range=720 ++policyset.serverCertSet.2.constraint.params.notBeforeCheck=false ++policyset.serverCertSet.2.constraint.params.notAfterCheck=false ++policyset.serverCertSet.2.default.class_id=validityDefaultImpl ++policyset.serverCertSet.2.default.name=Validity Default ++policyset.serverCertSet.2.default.params.range=720 ++policyset.serverCertSet.2.default.params.startTime=0 ++policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl ++policyset.serverCertSet.3.constraint.name=Key Constraint ++policyset.serverCertSet.3.constraint.params.keyType=- ++policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp384,nistp521 ++policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl ++policyset.serverCertSet.3.default.name=Key Default 
++policyset.serverCertSet.4.constraint.class_id=noConstraintImpl ++policyset.serverCertSet.4.constraint.name=No Constraint ++policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl ++policyset.serverCertSet.4.default.name=Authority Key Identifier Default ++policyset.serverCertSet.5.constraint.class_id=noConstraintImpl ++policyset.serverCertSet.5.constraint.name=No Constraint ++policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl ++policyset.serverCertSet.5.default.name=AIA Extension Default ++policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true ++policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName ++policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0= ++policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1 ++policyset.serverCertSet.5.default.params.authInfoAccessCritical=false ++policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1 ++policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl ++policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint ++policyset.serverCertSet.6.constraint.params.keyUsageCritical=true ++policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true ++policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true ++policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true ++policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true ++policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false ++policyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false ++policyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false ++policyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false ++policyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false ++policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl ++policyset.serverCertSet.6.default.name=Key Usage Default 
++policyset.serverCertSet.6.default.params.keyUsageCritical=true ++policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true ++policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true ++policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true ++policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true ++policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false ++policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false ++policyset.serverCertSet.6.default.params.keyUsageCrlSign=false ++policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false ++policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false ++policyset.serverCertSet.7.constraint.class_id=noConstraintImpl ++policyset.serverCertSet.7.constraint.name=No Constraint ++policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl ++policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default ++policyset.serverCertSet.7.default.params.exKeyUsageCritical=false ++policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2 ++policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl ++policyset.serverCertSet.8.constraint.name=No Constraint ++policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC ++policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl ++policyset.serverCertSet.8.default.name=Signing Alg ++policyset.serverCertSet.8.default.params.signingAlg=- +diff --git a/base/ca/shared/profiles/ca/caFullCMCUserCert.cfg b/base/ca/shared/profiles/ca/caFullCMCUserCert.cfg +index 29baeed..90cb424 100644 +--- a/base/ca/shared/profiles/ca/caFullCMCUserCert.cfg ++++ b/base/ca/shared/profiles/ca/caFullCMCUserCert.cfg +@@ -1,7 +1,7 @@ +-desc=This certificate profile is for enrolling user certificates by using the CMC certificate 
request with CMC Signature authentication. ++desc=This certificate profile is for enrolling user certificates by using the agent-signed CMC certificate request with CMC Signature authentication. + enable=true + enableBy=admin +-name=Signed CMC-Authenticated User Certificate Enrollment ++name=Agent-Signed CMC-Authenticated User Certificate Enrollment + visible=false + auth.instance_id=CMCAuth + input.list=i1,i2 +diff --git a/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg b/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg +index 63a4bca..7bfad9c 100644 +--- a/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg ++++ b/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg +@@ -1,4 +1,4 @@ +-desc=This certificate profile is for enrolling user certificates by using the CMC certificate request with user CMC Signature authentication. ++desc=This certificate profile is for enrolling user certificates by using the CMC certificate request with non-agent user CMC authentication. + enable=true + enableBy=admin + name=User-Signed CMC-Authenticated User Certificate Enrollment +diff --git a/base/ca/shared/webapps/ca/WEB-INF/web.xml b/base/ca/shared/webapps/ca/WEB-INF/web.xml +index a550142..2666049 100644 +--- a/base/ca/shared/webapps/ca/WEB-INF/web.xml ++++ b/base/ca/shared/webapps/ca/WEB-INF/web.xml +@@ -1553,6 +1553,167 @@ + + + ++ caProfileSubmitCMCFullCACert ++ com.netscape.cms.servlet.profile.ProfileSubmitCMCServlet ++ GetClientCert ++ false ++ cert_request_type ++ cmc ++ profileId ++ caCMCcaCert ++ AuthzMgr ++ BasicAclAuthz ++ authorityId ++ ca ++ ID ++ caProfileSubmitCMCFull ++ templatePath ++ /ee/ca/ProfileSubmit.template ++ resourceID ++ certServer.ee.profile ++ interface ++ ee ++ ++ ++ ++ caProfileSubmitCMCFullServerCert ++ com.netscape.cms.servlet.profile.ProfileSubmitCMCServlet ++ GetClientCert ++ false ++ cert_request_type ++ cmc ++ profileId ++ caCMCserverCert ++ AuthzMgr ++ BasicAclAuthz ++ authorityId ++ ca ++ ID ++ caProfileSubmitCMCFull ++ 
templatePath ++ /ee/ca/ProfileSubmit.template ++ resourceID ++ certServer.ee.profile ++ interface ++ ee ++ ++ ++ ++ caProfileSubmitCMCFullOCSPCert ++ com.netscape.cms.servlet.profile.ProfileSubmitCMCServlet ++ GetClientCert ++ false ++ cert_request_type ++ cmc ++ profileId ++ caCMCocspCert ++ AuthzMgr ++ BasicAclAuthz ++ authorityId ++ ca ++ ID ++ caProfileSubmitCMCFull ++ templatePath ++ /ee/ca/ProfileSubmit.template ++ resourceID ++ certServer.ee.profile ++ interface ++ ee ++ ++ ++ ++ caProfileSubmitCMCFullSubsystemCert ++ com.netscape.cms.servlet.profile.ProfileSubmitCMCServlet ++ GetClientCert ++ false ++ cert_request_type ++ cmc ++ profileId ++ caCMCsubsystemCert ++ AuthzMgr ++ BasicAclAuthz ++ authorityId ++ ca ++ ID ++ caProfileSubmitCMCFull ++ templatePath ++ /ee/ca/ProfileSubmit.template ++ resourceID ++ certServer.ee.profile ++ interface ++ ee ++ ++ ++ ++ caProfileSubmitCMCFullAuditSigningCert ++ com.netscape.cms.servlet.profile.ProfileSubmitCMCServlet ++ GetClientCert ++ false ++ cert_request_type ++ cmc ++ profileId ++ caCMCauditSigningCert ++ AuthzMgr ++ BasicAclAuthz ++ authorityId ++ ca ++ ID ++ caProfileSubmitCMCFull ++ templatePath ++ /ee/ca/ProfileSubmit.template ++ resourceID ++ certServer.ee.profile ++ interface ++ ee ++ ++ ++ ++ caProfileSubmitCMCFullKRATransportCert ++ com.netscape.cms.servlet.profile.ProfileSubmitCMCServlet ++ GetClientCert ++ false ++ cert_request_type ++ cmc ++ profileId ++ caCMCkraTransportCert ++ AuthzMgr ++ BasicAclAuthz ++ authorityId ++ ca ++ ID ++ caProfileSubmitCMCFull ++ templatePath ++ /ee/ca/ProfileSubmit.template ++ resourceID ++ certServer.ee.profile ++ interface ++ ee ++ ++ ++ ++ caProfileSubmitCMCFullKRAstorageCert ++ com.netscape.cms.servlet.profile.ProfileSubmitCMCServlet ++ GetClientCert ++ false ++ cert_request_type ++ cmc ++ profileId ++ caCMCkraStorageCert ++ AuthzMgr ++ BasicAclAuthz ++ authorityId ++ ca ++ ID ++ caProfileSubmitCMCFull ++ templatePath ++ /ee/ca/ProfileSubmit.template ++ resourceID ++ 
certServer.ee.profile
++ interface
++ ee
++
++
++
+ caProfileSubmitUserSignedCMCFull
+ com.netscape.cms.servlet.profile.ProfileSubmitCMCServlet
+ GetClientCert
+@@ -2303,6 +2464,41 @@
+
+
+
++ caProfileSubmitCMCFullCACert
++ /ee/ca/profileSubmitCMCFullCACert
++
++
++
++ caProfileSubmitCMCFullServerCert
++ /ee/ca/profileSubmitCMCFullServerCert
++
++
++
++ caProfileSubmitCMCFullOCSPCert
++ /ee/ca/profileSubmitCMCFullOCSPCert
++
++
++
++ caProfileSubmitCMCFullSubsystemCert
++ /ee/ca/profileSubmitCMCFullSubsystemCert
++
++
++
++ caProfileSubmitCMCFullAuditSigningCert
++ /ee/ca/profileSubmitCMCFullAuditSigningCert
++
++
++
++ caProfileSubmitCMCFullKRATransportCert
++ /ee/ca/profileSubmitCMCFullKRAtransportCert
++
++
++
++ caProfileSubmitCMCFullKRAstorageCert
++ /ee/ca/profileSubmitCMCFullKRAstorageCert
++
++
++
+ caProfileSubmitUserSignedCMCFull
+ /ee/ca/profileSubmitUserSignedCMCFull
+
+diff --git a/base/java-tools/src/com/netscape/cmstools/CMCRequest.java b/base/java-tools/src/com/netscape/cmstools/CMCRequest.java
+index fd59aa1..9fcb8db 100644
+--- a/base/java-tools/src/com/netscape/cmstools/CMCRequest.java
++++ b/base/java-tools/src/com/netscape/cmstools/CMCRequest.java
+@@ -2393,7 +2393,7 @@ public class CMCRequest {
+ System.out.println("");
+ System.out.println("");
+ System.out.println("The CMC enrollment request in binary format is stored in " +
+- ofilename + ".");
++ ofilename);
+ } catch (IOException e) {
+ System.out.println("CMCRequest: unable to open file " + ofilename +
+ " for writing:\n" + e);
+diff --git a/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java b/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java
+index 9441167..459c7c6 100644
+--- a/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java
++++ b/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java
+@@ -29,6 +29,7 @@ import java.io.ByteArrayInputStream;
+ import java.io.ByteArrayOutputStream;
+ import java.io.IOException;
+ import 
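Review bot: Every one of the seven new ProfileSubmitCMCServlet entries in this hunk sets `GetClientCert` to `false`, yet the CMCAuth change in this same patch reads `SessionContext.SSL_CLIENT_CERT` and rejects the request with CMS_AUTHENTICATION_NO_CERT when it is absent. If that session attribute is only populated when the servlet is configured to fetch the client certificate (the init-param name suggests so, but the servlet base class is not in this diff), agent-signed CMC enrollments through these endpoints would always fail the new check, so this deserves a confirmation against CMSServlet and, if needed, `true` here. A one-line comment on the first entry, `<!-- CMCAuth requires the TLS client certificate in the session context -->`, would record the dependency either way.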
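Review bot: The url-pattern for `caProfileSubmitCMCFullKRATransportCert` is `/ee/ca/profileSubmitCMCFullKRAtransportCert`, with a lower-case `t`, while every other mapping in this hunk reproduces its servlet name's capitalisation (`caProfileSubmitCMCFullOCSPCert` maps to `/ee/ca/profileSubmitCMCFullOCSPCert`, `caProfileSubmitCMCFullKRAstorageCert` to `/ee/ca/profileSubmitCMCFullKRAstorageCert`). Servlet paths are case-sensitive, so a client or document that derives the URL from the servlet name gets a 404 for this one endpoint only; `/ee/ca/profileSubmitCMCFullKRATransportCert` keeps the set consistent, or, if the lower-case form is the one already published, the servlet name should follow it instead.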
java.math.BigInteger;
++import java.security.cert.X509Certificate;
+ import java.security.MessageDigest;
+ import java.security.PublicKey;
+ import java.util.Enumeration;
+@@ -246,6 +247,10 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
+ String auditCertSubject = ILogger.UNIDENTIFIED;
+ String auditSignerInfo = ILogger.UNIDENTIFIED;
+
++ SessionContext auditContext = SessionContext.getExistingContext();
++ X509Certificate clientCert =
++ (X509Certificate) auditContext.get(SessionContext.SSL_CLIENT_CERT);
++
+ // ensure that any low-level exceptions are reported
+ // to the signed audit log and stored as failures
+ try {
+@@ -361,7 +366,7 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
+ String userid = "defUser";
+ String uid = "defUser";
+ if (checkSignerInfo) {
+- IAuthToken agentToken = verifySignerInfo(authToken, cmcFullReq);
++ IAuthToken agentToken = verifySignerInfo(auditContext, authToken, cmcFullReq);
+ if (agentToken == null) {
+ CMS.debug(method + "agentToken null");
+ throw new EBaseException("CMCAuth: agent verifySignerInfo failure");
+@@ -812,8 +817,12 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
+ level, "CMC Authentication: " + msg);
+ }
+
+- protected IAuthToken verifySignerInfo(AuthToken authToken, SignedData cmcFullReq) throws EBaseException {
+-
++ protected IAuthToken verifySignerInfo(
++ SessionContext auditContext,
++ AuthToken authToken,
++ SignedData cmcFullReq) throws EBaseException {
++ String method = "CMCAuth: verifySignerInfo: ";
++ String msg = "";
+ EncapsulatedContentInfo ci = cmcFullReq.getContentInfo();
+ OBJECT_IDENTIFIER id = ci.getContentType();
+ OCTET_STRING content = ci.getContent();
+@@ -822,6 +831,11 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
+ CryptoToken signToken = null;
+ CryptoToken savedToken = null;
+ CryptoManager cm = null;
++
++ if (auditContext == null) {
++ CMS.debug(method + " auditConext can't be null");
++ 
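Review bot: `auditContext.get(SessionContext.SSL_CLIENT_CERT)` dereferences the result of `SessionContext.getExistingContext()` without a null check, and it does so before the `try` whose comment says it exists to report low-level failures to the signed audit log; if `getExistingContext()` returns null when no context has been created on this thread (its name suggests so, in contrast to the `SessionContext.getContext()` used in EnrollProfile later in this patch), a request arriving without a context surfaces as an unaudited NullPointerException. A guard such as `if (auditContext == null) { throw new EBaseException("CMCAuth: no session context"); }` placed inside the audited block, or obtaining the context with `getContext()`, would keep that failure on the normal path. The `clientCert` local assigned here is not used in the visible lines and `verifySignerInfo` reads the same attribute again, so this copy may be dead. The enclosing method starts and ends outside the hunk.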
return null;
++ }
+ try {
+ cm = CryptoManager.getInstance();
+ ByteArrayInputStream s = new ByteArrayInputStream(content.toByteArray());
+@@ -909,6 +923,34 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
+ si.verify(digest, id);
+ } else {
+ CMS.debug("CMCAuth: found signing cert... verifying");
++
++ X509Certificate clientCert =
++ (X509Certificate) auditContext.get(SessionContext.SSL_CLIENT_CERT);
++ if (clientCert == null) {
++ // createAuditSubjectFromCert(auditContext, x509Certs[0]);
++ msg = "missing SSL client authentication certificate;";
++ CMS.debug(method + msg);
++ s.close();
++ throw new EMissingCredential(
++ CMS.getUserMessage("CMS_AUTHENTICATION_NO_CERT"));
++ }
++ netscape.security.x509.X500Name clientPrincipal =
++ (X500Name) clientCert.getSubjectDN();
++
++ netscape.security.x509.X500Name cmcPrincipal =
++ (X500Name) x509Certs[0].getSubjectDN();
++
++ // check ssl client cert against cmc signer
++ if (!clientPrincipal.equals(cmcPrincipal)) {
++ msg = "SSL client authentication certificate and CMC signer do not match";
++ CMS.debug(method + msg);
++ s.close();
++ throw new EInvalidCredentials(
++ CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL") + ":" + msg);
++ } else {
++ CMS.debug(method + "ssl client cert principal and cmc signer principal match");
++ }
++
+ PublicKey signKey = cert.getPublicKey();
+ PrivateKey.Type keyType = null;
+ String alg = signKey.getAlgorithm();
+diff --git a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java
+index 6c3ee8f..e11a344 100644
+--- a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java
++++ b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java
+@@ -1078,6 +1078,8 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
+ s.close();
+ throw new EInvalidCredentials(
+ 
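Review bot: The debug text on the new null guard reads `" auditConext can't be null"`; `"auditContext can't be null"` fixes the misspelling, so that log searches on the variable name find it, and drops the leading space that otherwise doubles up with the trailing space in `method`. Returning null here is consistent with the caller, which turns a null token into "agent verifySignerInfo failure", so nothing else needs to change. The enclosing method continues past the hunk.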
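Review bot: The new binding between the TLS client certificate and the CMC signer compares subject names only (`clientPrincipal.equals(cmcPrincipal)`), so any two certificates with the same subject satisfy it, including an older or a renewed certificate for the same agent; if the intent is that the TLS session be established with the very certificate that signed the request, comparing issuer and serial number (or `clientCert.equals(x509Certs[0])`) expresses that, and if subject equality is deliberate, for example to tolerate agent-certificate renewal, a comment saying so would stop a later reader from tightening or loosening it by accident. The casts `(X500Name) clientCert.getSubjectDN()` and `(X500Name) x509Certs[0].getSubjectDN()` assume both certificates are the netscape/JSS implementation; if the TLS-layer certificate can come from another provider the cast raises ClassCastException rather than EInvalidCredentials, so decoding `clientCert.getSubjectX500Principal().getEncoded()` into an X500Name, or an instanceof check, would be safer. `s.close()` is repeated before each throw and the commented-out `createAuditSubjectFromCert` call is dead code; a single finally block around the stream would cover every exit path. The enclosing method continues outside the hunk on both sides.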
CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL") + ":" + msg);
++ } else {
++ CMS.debug(method + "ssl client cert principal and cmc signer principal match");
+ }
+
+ PublicKey signKey = cert.getPublicKey();
+diff --git a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
+index 8f3e986..1356035 100644
+--- a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
++++ b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
+@@ -198,6 +198,7 @@ public abstract class EnrollProfile extends BasicProfile
+ if (signingUserSerial != null) {
+ donePOI = true;
+ }
++
+ // catch for invalid request
+ cmc_msgs = parseCMC(locale, cert_request, donePOI);
+ if (cmc_msgs == null) {
+@@ -723,6 +724,17 @@ public abstract class EnrollProfile extends BasicProfile
+ byte randomSeed[] = null;
+ UTF8String ident_s = null;
+ SessionContext context = SessionContext.getContext();
++ String authManagerId = (String) context.get(SessionContext.AUTH_MANAGER_ID);
++ if (authManagerId == null) {
++ CMS.debug(method + "authManagerId null.????");
++ //unlikely, but... 
++ authManagerId = "none";
++ } else {
++ CMS.debug(method + "authManagerId =" + authManagerId);
++ }
++ if(authManagerId.equals("CMCAuth")) {
++ donePOI = true;
++ }
+
+ boolean id_cmc_revokeRequest = false;
+ if (!context.containsKey("numOfControls")) {
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java
+index d087162..f7a6470 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java
+@@ -496,7 +496,7 @@ public class ProfileSubmitCMCServlet extends ProfileServlet {
+ ///////////////////////////////////////////////
+ String tmpCertSerialS = ctx.get(IAuthManager.CRED_CMC_SIGNING_CERT);
+ if (tmpCertSerialS != null) {
+- // unlikely to happenm, but do this just in case
++ // unlikely to happen, but do this just in case
+ CMS.debug("ProfileSubmitCMCServlet: found existing CRED_CMC_SIGNING_CERT in ctx for CMCUserSignedAuth:" + tmpCertSerialS);
+ CMS.debug("ProfileSubmitCMCServlet: null it out");
+ ctx.set(IAuthManager.CRED_CMC_SIGNING_CERT, "");
+--
+1.8.3.1
+
diff --git a/SOURCES/pki-core-tps-externalReg-regression.patch b/SOURCES/pki-core-tps-externalReg-regression.patch
new file mode 100644
index 0000000..1b727ba
--- /dev/null
+++ b/SOURCES/pki-core-tps-externalReg-regression.patch
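Review bot: `if(authManagerId.equals("CMCAuth"))` is the only reason the `"none"` placeholder exists; `if ("CMCAuth".equals(authManagerId)) {` is null-safe, lets the null branch shrink to its debug line, and adds the missing space after `if`. The more useful addition is a comment on why this branch sets `donePOI = true`, for instance `// CMCAuth has already authenticated the agent signer, which stands in for proof of identity` (assuming that is the rationale; the hunk itself does not show it), since skipping proof-of-identity for one auth manager is a policy decision a reader should not have to reconstruct. The debug text `"authManagerId null.????"` could also be worded plainly. The enclosing method starts outside the hunk.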
@@ -0,0 +1,55 @@
+From 47fccfaa32bf327c56c5789f373e4d18c714556f Mon Sep 17 00:00:00 2001
+From: Jack Magne
+Date: Fri, 10 Nov 2017 15:55:36 -0800
+Subject: [PATCH] ReFix for #2824 TPS new configuration to allow the protocol
+ of the to determine applet loaded.
+
+The problem discovered was that in only the external registration case, there was a problem obtaining the protocol
+information for the token being enrolled. This simple fix makes sure the protocol info is obtained correctly for external
+reg and non external reg enrollment cases.
+
+Change-Id: Iccd40adbdafd5e94e04cbb8c391bd2706e483a1f
+(cherry picked from commit e48374cd8a744fad5a03f64e8685ec3b3c465553)
+(cherry picked from commit 3718b369598c3ecfdb6733c25b08e4b51042423f)
+---
+ .../src/org/dogtagpki/server/tps/processor/TPSProcessor.java | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
+index 4ec277e..03d6532 100644
+--- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
++++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
+@@ -33,8 +33,6 @@ import java.util.List;
+ import java.util.Map;
+ import java.util.Set;
+
+-import netscape.security.x509.RevocationReason;
+-
+ import org.dogtagpki.server.tps.TPSSession;
+ import org.dogtagpki.server.tps.TPSSubsystem;
+ import org.dogtagpki.server.tps.authentication.AuthUIParameter;
+@@ -102,6 +100,8 @@ import com.netscape.cms.servlet.tks.SecureChannelProtocol;
+ import com.netscape.cmsutil.crypto.CryptoUtil;
+ import com.netscape.symkey.SessionKey;
+
++import netscape.security.x509.RevocationReason;
++
+ public class TPSProcessor {
+
+ public static final int RESULT_NO_ERROR = 0;
+@@ -556,8 +556,10 @@ public class TPSProcessor {
+ CMS.debug("TPSProcessor.setupSecureChannel: obtained randomData");
+ }
+
+- // We already do this when checking for applet upgrade 
earlier.
+- //acquireChannelPlatformAndProtocolInfo();
++ // Do this on behalf of external reg, which needs it
++ // If already called, the routine will return anyway.
++
++ acquireChannelPlatformAndProtocolInfo();
+
+ TPSBuffer initUpdateResp = initializeUpdate(keyVersion, keyIndex, randomData);
+
+--
+1.8.3.1
+
diff --git a/SOURCES/pki-core-update-RHEL-cert-revocation-reasons.patch b/SOURCES/pki-core-update-RHEL-cert-revocation-reasons.patch
new file mode 100644
index 0000000..accac88
--- /dev/null
+++ b/SOURCES/pki-core-update-RHEL-cert-revocation-reasons.patch
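Review bot: The new comment asserts that `acquireChannelPlatformAndProtocolInfo()` returns early when it has already run, but that guard is inside the method and not part of this change; if the method is not idempotent on the non-external-registration path it now executes twice per enrollment. Either confirm the early return in the commit message or word the comment so it points at the actual condition, e.g. `// Needed for external registration; safe to repeat because acquireChannelPlatformAndProtocolInfo() is a no-op once the info is populated`. The blank line between the comment and the call it describes can also go. The enclosing method continues outside the hunk.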
@@ -0,0 +1,429 @@ +From d3f50c6a77b164cc876192ab95639ad913f33deb Mon Sep 17 00:00:00 2001 +From: Christina Fu +Date: Thu, 20 Jul 2017 17:50:38 -0700 +Subject: [PATCH] Ticket #1665 (code realignment) Certificate Revocation + Reasons not being updated in some cases This patch makes sure that when a + token is temporarily lost (certs on_hold), its certs are properly revoked + when moving to other revocation reasons when marked damaged or permanently + lost. In addition, on the CA side, this patch to some degree mimics the + original request for transitions from SUPERSEDED to KEY_COMPROMISED, although + in the current TPS that is prohibited. Also, the original requested code + skipped over informing CRLIssuingPoints, while in this patch, that is not + skipped as the revocation reason has changed it should be updated; Time + stamp in the cert record is also updated, which is different from the + original requested code. Development tests were conducted on currently + allowed TPS token state transitions only. 
+ +Change-Id: I675ce13892a7c48eba42870a87954398d7dc8168 +(cherry picked from commit 36213c8b614775feadfebef54db034e1155d33c7) +(cherry picked from commit 34aabcc5fb21f35d96f76fc5b822959f26aacf42) +--- + base/ca/src/com/netscape/ca/CAService.java | 58 +++++++++++++++++-- + .../netscape/certsrv/dbs/certdb/ICertRecord.java | 9 +++ + .../com/netscape/cms/servlet/cert/DoRevokeTPS.java | 51 +++++++++++++---- + base/server/cmsbundle/src/LogMessages.properties | 2 + + base/server/cmsbundle/src/UserMessages.properties | 1 + + .../src/com/netscape/cmscore/dbs/CertRecord.java | 65 +++++++++++++++------- + .../cmscore/dbs/CertificateRepository.java | 32 ++++++----- + 7 files changed, 166 insertions(+), 52 deletions(-) + +diff --git a/base/ca/src/com/netscape/ca/CAService.java b/base/ca/src/com/netscape/ca/CAService.java +index c9eacfe..7cc6a31 100644 +--- a/base/ca/src/com/netscape/ca/CAService.java ++++ b/base/ca/src/com/netscape/ca/CAService.java +@@ -980,8 +980,28 @@ public class CAService implements ICAService, IService { + BigInteger serialno = crlentry.getSerialNumber(); + Date revdate = crlentry.getRevocationDate(); + CRLExtensions crlentryexts = crlentry.getExtensions(); ++ String msg = ""; + + CMS.debug("CAService.revokeCert: revokeCert begins"); ++ ++ // Get the revocation reason ++ Enumeration enum1 = crlentryexts.getElements(); ++ RevocationReason revReason = null; ++ while (enum1.hasMoreElements()) { ++ Extension ext = (Extension) enum1.nextElement(); ++ if (ext instanceof CRLReasonExtension) { ++ revReason = ((CRLReasonExtension) ext).getReason(); ++ break; ++ } ++ } ++ if (revReason == null) { ++ CMS.debug("CAService.revokeCert: missing revocation reason"); ++ mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_MISSING_REV_REASON=", serialno.toString(16))); ++ throw new ECAException( ++ CMS.getUserMessage("CMS_CA_MISSING_REV_REASON", ++ "0x" + serialno.toString(16))); ++ } ++ + CertRecord certRec = (CertRecord) 
mCA.getCertificateRepository().readCertificateRecord(serialno); + + if (certRec == null) { +@@ -995,24 +1015,52 @@ public class CAService implements ICAService, IService { + // allow revoking certs that are on hold. + String certStatus = certRec.getStatus(); + +- if ((certStatus.equals(ICertRecord.STATUS_REVOKED) && +- !certRec.isCertOnHold()) || ++ RevocationReason recRevReason = null; ++ if (certStatus.equals(ICertRecord.STATUS_REVOKED)) { ++ try { ++ recRevReason = certRec.getRevReason(); ++ } catch (Exception e) { ++ throw new EBaseException(e); ++ } ++ if (recRevReason == null) { ++ msg = "existing revoked cert missing revocation reason"; ++ CMS.debug("CAService.revokeCert: " + msg); ++ throw new EBaseException(msg); ++ } ++ } ++ ++ // for cert already revoked, also check whether revocation reason is changed from SUPERSEDED to KEY_COMPROMISE ++ if (((certStatus.equals(ICertRecord.STATUS_REVOKED) && ++ !certRec.isCertOnHold()) && ++ ((recRevReason != RevocationReason.SUPERSEDED) || ++ revReason != RevocationReason.KEY_COMPROMISE)) ++ || + certStatus.equals(ICertRecord.STATUS_REVOKED_EXPIRED)) { + CMS.debug("CAService.revokeCert: cert already revoked:" + + serialno.toString()); + throw new ECAException(CMS.getUserMessage("CMS_CA_CERT_ALREADY_REVOKED", + "0x" + Long.toHexString(serialno.longValue()))); + } ++ + try { ++ // if cert has already revoked, update the revocation info only + CMS.debug("CAService.revokeCert: about to call markAsRevoked"); +- if (certRec.isCertOnHold()) { ++ if (certStatus.equals(ICertRecord.STATUS_REVOKED) && certRec.isCertOnHold()) { + mCA.getCertificateRepository().markAsRevoked(serialno, +- new RevocationInfo(revdate, crlentryexts), true /*isAlreadyOnHold*/); ++ new RevocationInfo(revdate, crlentryexts), ++ true /*isAlreadyRevoked*/); ++ CMS.debug("CAService.revokeCert: on_hold cert marked revoked"); ++ mCA.log(ILogger.LL_INFO, ++ CMS.getLogMessage("CMSCORE_CA_CERT_REVO_INFO_UPDATE", ++ recRevReason.toString(), ++ 
revReason.toString(), ++ serialno.toString(16))); + } else { + mCA.getCertificateRepository().markAsRevoked(serialno, + new RevocationInfo(revdate, crlentryexts)); + } +- CMS.debug("CAService.revokeCert: cert revoked"); ++ ++ CMS.debug("CAService.revokeCert: cert now revoked"); + mCA.log(ILogger.LL_INFO, CMS.getLogMessage("CMSCORE_CA_CERT_REVOKED", + serialno.toString(16))); + // inform all CRLIssuingPoints about revoked certificate +diff --git a/base/common/src/com/netscape/certsrv/dbs/certdb/ICertRecord.java b/base/common/src/com/netscape/certsrv/dbs/certdb/ICertRecord.java +index 3a0c955..65db57e 100644 +--- a/base/common/src/com/netscape/certsrv/dbs/certdb/ICertRecord.java ++++ b/base/common/src/com/netscape/certsrv/dbs/certdb/ICertRecord.java +@@ -20,6 +20,9 @@ package com.netscape.certsrv.dbs.certdb; + import java.math.BigInteger; + import java.util.Date; + ++import com.netscape.certsrv.base.EBaseException; ++import netscape.security.x509.RevocationReason; ++import netscape.security.x509.X509ExtensionException; + import netscape.security.x509.X509CertImpl; + + import com.netscape.certsrv.base.MetaInfo; +@@ -181,4 +184,10 @@ public interface ICertRecord extends IDBObj { + * is this cert on hold? + */ + public boolean isCertOnHold(); ++ ++ /** ++ * returns the revocation reason ++ */ ++ public RevocationReason getRevReason() ++ throws EBaseException, X509ExtensionException; + } +diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/DoRevokeTPS.java b/base/server/cms/src/com/netscape/cms/servlet/cert/DoRevokeTPS.java +index a9a6238..47062f2 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/cert/DoRevokeTPS.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/cert/DoRevokeTPS.java +@@ -1,4 +1,4 @@ +-// --- BEGIN COPYRIGHT BLOCK --- ++ + // This program is free software; you can redistribute it and/or modify + // it under the terms of the GNU General Public License as published by + // the Free Software Foundation; version 2 of the License. 
+@@ -330,8 +330,10 @@ public class DoRevokeTPS extends CMSServlet { + String auditRequestType = auditRequestType(reason); + RequestStatus auditApprovalStatus = null; + String auditReasonNum = String.valueOf(reason); +- String method = "DoRevokeTPS.process"; ++ String method = "DoRevokeTPS.process:"; ++ String msg = ""; + ++ CMS.debug(method + "begins"); + if (revokeAll != null) { + CMS.debug("DoRevokeTPS.process revokeAll" + revokeAll); + +@@ -357,6 +359,8 @@ public class DoRevokeTPS extends CMSServlet { + Vector revCertImplsV = new Vector(); + + // Construct a CRL reason code extension. ++ ++ CMS.debug(method + "reason code = " + reason); + RevocationReason revReason = RevocationReason.fromInt(reason); + CRLReasonExtension crlReasonExtn = new CRLReasonExtension(revReason); + +@@ -401,22 +405,47 @@ public class DoRevokeTPS extends CMSServlet { + } + + if (xcert != null) { ++ RevocationReason recRevReason = null; ++ if (rec.getStatus().equals(ICertRecord.STATUS_REVOKED)) { ++ try { ++ recRevReason = rec.getRevReason(); ++ } catch (Exception ex) { ++ CMS.debug(method + ex.toString()); ++ throw new EBaseException(ex); ++ } ++ if (recRevReason == null) { ++ msg = "existing revoked cert missing revocation reason"; ++ CMS.debug(method + msg); ++ throw new EBaseException(msg); ++ } ++ } ++ + rarg.addStringValue("serialNumber", + xcert.getSerialNumber().toString(16)); + +- if (rec.getStatus().equals(ICertRecord.STATUS_REVOKED) +- && !rec.isCertOnHold()) { +- alreadyRevokedCertFound = true; +- CMS.debug(method + "Certificate 0x" + xcert.getSerialNumber().toString(16) + " has already been revoked."); +- } else { ++ boolean updateRevocation = true; ++ if ((rec.getStatus().equals(ICertRecord.STATUS_REVOKED) && ++ revReason == RevocationReason.KEY_COMPROMISE)) { ++ updateRevocation = false; ++ if ((recRevReason == RevocationReason.SUPERSEDED) || ++ (rec.isCertOnHold())) { ++ updateRevocation = true; ++ CMS.debug(method + "Certificate 0x" + xcert.getSerialNumber().toString(16) 
++ + " has been revoked, but reason is changed"); ++ } else { ++ alreadyRevokedCertFound = true; ++ CMS.debug("Certificate 0x" + xcert.getSerialNumber().toString(16) + " has been revoked."); ++ } ++ } ++ if (updateRevocation) { + oldCertsV.addElement(xcert); + +- RevokedCertImpl revCertImpl = +- new RevokedCertImpl(xcert.getSerialNumber(), +- CMS.getCurrentDate(), entryExtn); ++ RevokedCertImpl revCertImpl = new RevokedCertImpl(xcert.getSerialNumber(), ++ CMS.getCurrentDate(), entryExtn); + + revCertImplsV.addElement(revCertImpl); +- CMS.debug(method + "Certificate 0x" + xcert.getSerialNumber().toString(16) + " is going to be revoked."); ++ CMS.debug(method + "Certificate 0x" + xcert.getSerialNumber().toString(16) ++ + " is going to be revoked."); + count++; + } + } else { +diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties +index 5e51440..ff432b6 100644 +--- a/base/server/cmsbundle/src/LogMessages.properties ++++ b/base/server/cmsbundle/src/LogMessages.properties +@@ -119,7 +119,9 @@ CMSCORE_CA_STORE_SERIAL=CA stored signed certificate serial number 0x{0} + CMSCORE_CA_MARK_SERIAL=CA marked certificate serial number 0x{0} as renewed with serial number 0x{1} + CMSCORE_CA_NO_STORE_SERIAL=Could not store certificate serial number 0x{0} + CMSCORE_CA_CERT_NOT_FOUND=Cannot find certificate serial number 0x{0} ++CMSCORE_CA_MISSING_REV_REASON=Missing revocation reason for revocation request on serial number 0x{0} + CMSCORE_CA_CERT_REVOKED=Revoked certificate serial number 0x{0} ++CMSCORE_CA_CERT_REVO_INFO_UPDATE=Revocation reason changed from {0} to {1} Certificate serial number 0x{2} + CMSCORE_CA_ERROR_REVOCATION=Error revoking certificate {0}. Error {1} + CMSCORE_CA_CERT_ON_HOLD=Certificate {0} has to be on-hold. 
+ CMSCORE_CA_CERT_UNREVOKED=Unrevoked certificate serial number 0x{0} +diff --git a/base/server/cmsbundle/src/UserMessages.properties b/base/server/cmsbundle/src/UserMessages.properties +index ed2a620..4d1b755 100644 +--- a/base/server/cmsbundle/src/UserMessages.properties ++++ b/base/server/cmsbundle/src/UserMessages.properties +@@ -397,6 +397,7 @@ CMS_CA_CERT4CRL_FAILED=One or more revoked certificates could not be recorded by + CMS_CA_UNCERT4CRL_FAILED=One or more revoked certificates could not be removed by the CLA + CMS_CA_RENEW_FAILED=One or more certificates could not be renewed + CMS_CA_CANT_FIND_CERT_SERIAL=Cannot find certificate with serial number {0} ++CMS_CA_MISSING_REV_REASON=Missing revocation reason for revocatoin request on serial number {0} + CMS_CA_TOKEN_NOT_FOUND=Token {0} not found + CMS_CA_CERT_OBJECT_NOT_FOUND=Certificate object not found + CMS_CA_TOKEN_ERROR=Token Error +diff --git a/base/server/cmscore/src/com/netscape/cmscore/dbs/CertRecord.java b/base/server/cmscore/src/com/netscape/cmscore/dbs/CertRecord.java +index a79f7a3..d4f3c03 100644 +--- a/base/server/cmscore/src/com/netscape/cmscore/dbs/CertRecord.java ++++ b/base/server/cmscore/src/com/netscape/cmscore/dbs/CertRecord.java +@@ -23,12 +23,6 @@ import java.util.Date; + import java.util.Enumeration; + import java.util.Vector; + +-import netscape.security.x509.CRLExtensions; +-import netscape.security.x509.CRLReasonExtension; +-import netscape.security.x509.RevocationReason; +-import netscape.security.x509.X509CertImpl; +-import netscape.security.x509.X509ExtensionException; +- + import com.netscape.certsrv.apps.CMS; + import com.netscape.certsrv.base.EBaseException; + import com.netscape.certsrv.base.MetaInfo; +@@ -37,6 +31,12 @@ import com.netscape.certsrv.dbs.IDBObj; + import com.netscape.certsrv.dbs.certdb.ICertRecord; + import com.netscape.certsrv.dbs.certdb.IRevocationInfo; + ++import netscape.security.x509.CRLExtensions; ++import netscape.security.x509.CRLReasonExtension; 
++import netscape.security.x509.RevocationReason; ++import netscape.security.x509.X509CertImpl; ++import netscape.security.x509.X509ExtensionException; ++ + /** + * A class represents a serializable certificate record. + *

    +@@ -274,27 +274,50 @@ public class CertRecord implements IDBObj, ICertRecord { + return mModifyTime; + } + ++ /* ++ * getRevReason - ++ * @returns RevocationReason if cert is revoked; null if not ++ * it throws exceptions if anything failed ++ */ ++ public RevocationReason getRevReason() ++ throws EBaseException, X509ExtensionException { ++ String method = "CertRecord.getRevReason:"; ++ String msg = ""; ++ //CMS.debug(method + " checking for cert serial: " ++ // + getSerialNumber().toString()); ++ IRevocationInfo revInfo = getRevocationInfo(); ++ if (revInfo == null) { ++ msg = "revInfo null for" + getSerialNumber().toString(); ++ CMS.debug(method + msg); ++ return null; ++ } ++ ++ CRLExtensions crlExts = revInfo.getCRLEntryExtensions(); ++ if (crlExts == null) ++ throw new X509ExtensionException("crlExts null"); ++ ++ CRLReasonExtension reasonExt = null; ++ reasonExt = (CRLReasonExtension) crlExts.get(CRLReasonExtension.NAME); ++ if (reasonExt == null) ++ throw new EBaseException("reasonExt null"); ++ ++ return reasonExt.getReason(); ++ } ++ + public boolean isCertOnHold() { + String method = "CertRecord.isCertOnHold:"; + CMS.debug(method + " checking for cert serial: " +- + getSerialNumber().toString()); +- IRevocationInfo revInfo = getRevocationInfo(); +- if (revInfo != null) { +- CRLExtensions crlExts = revInfo.getCRLEntryExtensions(); +- if (crlExts == null) return false; +- CRLReasonExtension reasonExt = null; +- try { +- reasonExt = (CRLReasonExtension) crlExts.get(CRLReasonExtension.NAME); +- } catch (X509ExtensionException e) { +- CMS.debug(method + " returning false:" + e.toString()); +- return false; +- } +- if (reasonExt.getReason() == RevocationReason.CERTIFICATE_HOLD) { +- CMS.debug(method + " returning true"); ++ + getSerialNumber().toString()); ++ try { ++ RevocationReason revReason = getRevReason(); ++ if (revReason == RevocationReason.CERTIFICATE_HOLD) { ++ CMS.debug(method + "for " + getSerialNumber().toString() + " returning true"); + 
return true; + } ++ } catch (Exception e) { ++ CMS.debug(method + e); + } +- CMS.debug(method + " returning false"); ++ CMS.debug(method + "for " + getSerialNumber().toString() + " returning false"); + return false; + } + +diff --git a/base/server/cmscore/src/com/netscape/cmscore/dbs/CertificateRepository.java b/base/server/cmscore/src/com/netscape/cmscore/dbs/CertificateRepository.java +index 9a333fe..367917f 100644 +--- a/base/server/cmscore/src/com/netscape/cmscore/dbs/CertificateRepository.java ++++ b/base/server/cmscore/src/com/netscape/cmscore/dbs/CertificateRepository.java +@@ -1110,19 +1110,21 @@ public class CertificateRepository extends Repository + + /** + * Marks certificate as revoked. +- * isAlreadyOnHold - boolean to indicate that the cert was revoked onHold +- * When a cert was originally onHold, some of the ldap attributes +- * already exist, so "MOD_REPLACE" is needed instead of "MOD_ADD" ++ * isAlreadyRevoked - boolean to indicate that the cert was revoked ++ * ( possibly onHold ) ++ * When a cert was originally revoked (possibly onHold), ++ * some of the ldap attributes already exist, ++ * so "MOD_REPLACE" is needed instead of "MOD_ADD" + */ + public void markAsRevoked(BigInteger id, IRevocationInfo info) + throws EBaseException { + markAsRevoked(id, info, false); + } +- public void markAsRevoked(BigInteger id, IRevocationInfo info, boolean isAlreadyOnHold) ++ ++ public void markAsRevoked(BigInteger id, IRevocationInfo info, boolean isAlreadyRevoked) + throws EBaseException { +- String method = "CertificateRepository.markAsRevoked:"; + ModificationSet mods = new ModificationSet(); +- if (isAlreadyOnHold) { ++ if (isAlreadyRevoked) { + mods.add(CertRecord.ATTR_REVO_INFO, Modification.MOD_REPLACE, info); + } else { + mods.add(CertRecord.ATTR_REVO_INFO, Modification.MOD_ADD, info); +@@ -1134,30 +1136,30 @@ public class CertificateRepository extends Repository + * When already revoked onHold, the fields already existing in record + * can only be 
replaced instead of added + */ +- if (isAlreadyOnHold) { ++ if (isAlreadyRevoked) { + if (uid == null) { + mods.add(CertRecord.ATTR_REVOKED_BY, Modification.MOD_REPLACE, +- "system"); ++ "system"); + } else { + mods.add(CertRecord.ATTR_REVOKED_BY, Modification.MOD_REPLACE, +- uid); ++ uid); + } + mods.add(CertRecord.ATTR_REVOKED_ON, Modification.MOD_REPLACE, +- CMS.getCurrentDate()); ++ CMS.getCurrentDate()); + } else { + if (uid == null) { + mods.add(CertRecord.ATTR_REVOKED_BY, Modification.MOD_ADD, +- "system"); ++ "system"); + } else { + mods.add(CertRecord.ATTR_REVOKED_BY, Modification.MOD_ADD, +- uid); ++ uid); + } + mods.add(CertRecord.ATTR_REVOKED_ON, Modification.MOD_ADD, +- CMS.getCurrentDate()); ++ CMS.getCurrentDate()); ++ mods.add(CertRecord.ATTR_CERT_STATUS, Modification.MOD_REPLACE, ++ CertRecord.STATUS_REVOKED); + } + +- mods.add(CertRecord.ATTR_CERT_STATUS, Modification.MOD_REPLACE, +- CertRecord.STATUS_REVOKED); + modifyCertificateRecord(id, mods); + } + +-- +1.8.3.1 diff --git a/SPECS/pki-core.spec b/SPECS/pki-core.spec new file mode 100644 index 0000000..142b6f1 --- /dev/null +++ b/SPECS/pki-core.spec 
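Review bot: In the new `CAService.revokeCert` the guard deliberately admits a SUPERSEDED → KEY_COMPROMISE re-revocation of a cert that is revoked but not on hold, yet the block that follows only calls `markAsRevoked(..., true /*isAlreadyRevoked*/)` when `certRec.isCertOnHold()`, so that transition falls into the two-argument overload, which per this hunk's own `CertificateRepository` doc comment does `MOD_ADD` on `ATTR_REVO_INFO`, `ATTR_REVOKED_BY` and `ATTR_REVOKED_ON` — attributes that already exist on a revoked record and need `MOD_REPLACE` (the commit message notes this transition was not exercised, so the LDAP failure or duplicated values would not have shown up). The fix is to branch on status alone: `if (certStatus.equals(ICertRecord.STATUS_REVOKED)) {` in place of `if (certStatus.equals(ICertRecord.STATUS_REVOKED) && certRec.isCertOnHold()) {`; `recRevReason` has already been null-checked on that path, so the `CMSCORE_CA_CERT_REVO_INFO_UPDATE` log line stays safe. Relatedly, the new pre-filter in `DoRevokeTPS.process` only reports an already-revoked, not-on-hold cert as `alreadyRevokedCertFound` when the requested reason is KEY_COMPROMISE, so any other reason now reaches the CA and fails with `CMS_CA_CERT_ALREADY_REVOKED` where the old code skipped the cert gracefully; unless that error is intended, the outer condition should mirror the CA guard (`STATUS_REVOKED && !rec.isCertOnHold()`, allowing only SUPERSEDED → KEY_COMPROMISE through). Minor: the new `CMS_CA_MISSING_REV_REASON` user message misspells "revocation" as "revocatoin". The enclosing Java methods extend beyond the inner hunks shown here.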
@@ -0,0 +1,3630 @@ +# Python, keep every statement on a single line +%{!?__python2: %global __python2 /usr/bin/python2} +%{!?python2_sitelib: %global python2_sitelib %(%{__python2} -c "from distutils.sysconfig import get_python_lib; print(get_python_lib())")} + +%if 0%{?rhel} || 0%{?fedora} < 24 +%global with_python3 0 +%else +%global with_python3 1 +%endif + +%if 0%{?rhel} +# Package RHEL-specific RPMS Only +%global package_rhel_packages 1 +# Package RHCS-specific RPMS Only +%global package_rhcs_packages 0 +%define pki_core_rhel_version 10.4.1 +%else +# 0%{?fedora} +# Fedora always packages all RPMS +%global package_fedora_packages 1 +%endif + +# Java +%define java_home /usr/lib/jvm/jre-1.8.0-openjdk + +# Tomcat +%if 0%{?fedora} >= 23 +%define with_tomcat7 0 +%define with_tomcat8 1 +%else +# 0%{?rhel} || 0%{?fedora} <= 22 +%define with_tomcat7 1 +%define with_tomcat8 0 +%endif + +# RESTEasy +%if 0%{?rhel} +%define jaxrs_api_jar /usr/share/java/resteasy-base/jaxrs-api.jar +%define resteasy_lib /usr/share/java/resteasy-base +%else +%if 0%{?fedora} >= 24 +%define jaxrs_api_jar /usr/share/java/jboss-jaxrs-2.0-api.jar +%define resteasy_lib /usr/share/java/resteasy +%else +%define jaxrs_api_jar /usr/share/java/resteasy/jaxrs-api.jar +%define resteasy_lib /usr/share/java/resteasy +%endif +%endif + +# Dogtag +%bcond_without server +%bcond_without javadoc + +# ignore unpackaged files from native 'tpsclient' +# REMINDER: Remove this '%%define' once 'tpsclient' is rewritten as a Java app +%define _unpackaged_files_terminate_build 0 + +# pkiuser and group. 
The uid and gid are preallocated +# see /usr/share/doc/setup/uidgid +%define pki_username pkiuser +%define pki_uid 17 +%define pki_groupname pkiuser +%define pki_gid 17 +%define pki_homedir /usr/share/pki + +Name: pki-core +%if 0%{?rhel} +Version: 10.4.1 +#Release: 17%{?dist} +Release: 17.el7_4 +%else +Version: 10.4.8 +Release: 8%{?dist} +%endif +Summary: Certificate System - PKI Core Components +URL: http://pki.fedoraproject.org/ +License: GPLv2 +Group: System Environment/Daemons + +BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) + +BuildRequires: cmake >= 2.8.9-1 +BuildRequires: gcc-c++ +BuildRequires: zip +BuildRequires: java-1.8.0-openjdk-devel +BuildRequires: redhat-rpm-config +BuildRequires: ldapjdk +BuildRequires: apache-commons-cli +BuildRequires: apache-commons-codec +BuildRequires: apache-commons-io +BuildRequires: apache-commons-lang +BuildRequires: jakarta-commons-httpclient +BuildRequires: slf4j +%if ! 0%{?rhel} +BuildRequires: slf4j-jdk14 +%endif +BuildRequires: nspr-devel +%if 0%{?rhel} +BuildRequires: nss-devel >= 3.28.3 +%else +%if 0%{?fedora} >= 25 +BuildRequires: nss-devel >= 3.28.3 +%else +BuildRequires: nss-devel >= 3.27.0 +%endif +%endif + +%if 0%{?rhel} +BuildRequires: nuxwdog-client-java >= 1.0.1-11 +%else +BuildRequires: nuxwdog-client-java >= 1.0.3 +%endif + +BuildRequires: openldap-devel +BuildRequires: pkgconfig +BuildRequires: policycoreutils +BuildRequires: python-lxml +BuildRequires: python-sphinx +BuildRequires: velocity +BuildRequires: xalan-j2 +BuildRequires: xerces-j2 + +%if 0%{?rhel} +# 'resteasy-base' is a subset of the complete set of +# 'resteasy' packages and consists of what is needed to +# support the PKI Restful interface on RHEL platforms +BuildRequires: resteasy-base-atom-provider >= 3.0.6-1 +BuildRequires: resteasy-base-client >= 3.0.6-1 +BuildRequires: resteasy-base-jaxb-provider >= 3.0.6-1 +BuildRequires: resteasy-base-jaxrs >= 3.0.6-1 +BuildRequires: resteasy-base-jaxrs-api >= 3.0.6-1 
+BuildRequires: resteasy-base-jackson-provider >= 3.0.6-1 +%else +%if 0%{?fedora} >= 24 +BuildRequires: jboss-annotations-1.2-api +BuildRequires: jboss-jaxrs-2.0-api +BuildRequires: jboss-logging +BuildRequires: resteasy-atom-provider >= 3.0.17-1 +BuildRequires: resteasy-client >= 3.0.17-1 +BuildRequires: resteasy-jaxb-provider >= 3.0.17-1 +BuildRequires: resteasy-core >= 3.0.17-1 +BuildRequires: resteasy-jackson-provider >= 3.0.17-1 +%else +%if 0%{?fedora} >= 22 +# Starting from Fedora 22, resteasy packages were split into +# subpackages. +BuildRequires: resteasy-atom-provider >= 3.0.6-7 +BuildRequires: resteasy-client >= 3.0.6-7 +BuildRequires: resteasy-jaxb-provider >= 3.0.6-7 +BuildRequires: resteasy-core >= 3.0.6-7 +BuildRequires: resteasy-jaxrs-api >= 3.0.6-7 +BuildRequires: resteasy-jackson-provider >= 3.0.6-7 +%else +BuildRequires: resteasy >= 3.0.6-2 +%endif +%endif +%endif + +%if ! 0%{?rhel} +BuildRequires: pylint +%if 0%{?fedora} >= 24 +BuildRequires: python-flake8 >= 2.5.4 +BuildRequires: python3-flake8 >= 2.5.4 +# python-flake8 2.5.4 package should require pyflakes >= 1.2.3 +BuildRequires: pyflakes >= 1.2.3 +# python3-flake8 2.5.4 package should require python3-pyflakes >= 1.2.3 +BuildRequires: python3-pyflakes >= 1.2.3 +%else +BuildRequires: python-flake8 +BuildRequires: python3-flake8 +%endif +%endif + +BuildRequires: python2-cryptography +BuildRequires: python-nss +BuildRequires: python-requests >= 2.6.0 +BuildRequires: python-six +BuildRequires: libselinux-python +BuildRequires: policycoreutils-python +%if 0%{?fedora} >= 23 +BuildRequires: policycoreutils-python-utils +%endif +BuildRequires: python-ldap +BuildRequires: junit +BuildRequires: jpackage-utils >= 0:1.7.5-10 +%if 0%{?rhel} +BuildRequires: jss >= 4.4.0-8 +%else +%if 0%{?fedora} >= 25 +BuildRequires: jss >= 4.4.2-5 +%else +BuildRequires: jss >= 4.2.6-44 +%endif +%endif +BuildRequires: systemd-units +%if 0%{?rhel} +BuildRequires: tomcatjss >= 7.2.1-4 +%else +%if 0%{?fedora} >= 25 
+BuildRequires: tomcatjss >= 7.2.3 +%else +BuildRequires: tomcatjss >= 7.1.3 +%endif +%endif + +%if 0%{?with_python3} +BuildRequires: python3-cryptography +BuildRequires: python3-devel +BuildRequires: python3-lxml +BuildRequires: python3-nss +BuildRequires: python3-pyldap +BuildRequires: python3-requests >= 2.6.0 +BuildRequires: python3-six +%endif # with_python3 +BuildRequires: python-devel + +# additional build requirements needed to build native 'tpsclient' +# REMINDER: Revisit these once 'tpsclient' is rewritten as a Java app +BuildRequires: apr-devel +BuildRequires: apr-util-devel +BuildRequires: cyrus-sasl-devel +BuildRequires: httpd-devel >= 2.4.2 +BuildRequires: pcre-devel +BuildRequires: python +BuildRequires: systemd +BuildRequires: svrcore-devel +BuildRequires: zlib +BuildRequires: zlib-devel + +%if 0%{?rhel} +# NOTE: In the future, as a part of its path, this URL will contain a release +# directory which consists of the fixed number of the upstream release +# upon which this tarball was originally based. 
+Source0: http://pki.fedoraproject.org/pki/sources/%{name}/%{version}/%{release}/rhel/%{name}-%{version}%{?prerel}.tar.gz +%else +Source0: http://pki.fedoraproject.org/pki/sources/%{name}/%{version}/%{release}/%{name}-%{version}%{?prerel}.tar.gz +%endif + +####################### +## pki-core-10.4.1-2 +####################### +Patch0: pki-core-alpha.patch +####################### +## pki-core-10.4.1-3 +####################### +Patch1: pki-core-beta.patch +####################### +## pki-core-10.4.1-4 +####################### +Patch2: pki-core-post-beta.patch +####################### +## pki-core-10.4.1-5 +####################### +Patch3: pki-core-snapshot-1.patch +####################### +## pki-core-10.4.1-6 +####################### +Patch4: pki-core-Always-check-FIPS-mode-at-installation-time.patch +####################### +## pki-core-10.4.1-7 +####################### +Patch5: pki-core-snapshot-2.patch +####################### +## pki-core-10.4.1-8 +####################### +Patch6: pki-core-snapshot-3.patch +Patch7: pki-core-SecurityDataRecoveryService.patch +####################### +## pki-core-10.4.1-9 +####################### +Patch8: pki-core-snapshot-4.patch +####################### +## pki-core-10.4.1-10 +## (pki-core-snapshot-5.patch) +####################### +Patch9: pki-core-Fix-3DES-archival.patch +Patch10: pki-core-Fix-token-enrollment-and-recovery-ivs.patch +Patch11: pki-core-CMC-check-HTTPS-client-authentication-cert.patch +Patch12: pki-core-Fix-regression-in-pkcs12-key-bag-creation.patch +####################### +## pki-core-10.4.1-11 +## (pki-core 0-day patch) +####################### +Patch13: pki-core-cmc-plugin-default-change.patch +####################### +## pki-core-10.4.1-12 +####################### +## RHEL 7.4 Batch Update 1 +Patch14: pki-core-server-access-banner-validation.patch +Patch15: pki-core-pre-signed-CMC-renewal-UniqueKeyConstraint.patch +Patch16: pki-core-platform-dependent-python-import.patch +Patch17: 
pki-core-CMC-id-cmc-statusInfoV2.patch +Patch18: pki-core-subsystem-cert-update-CLI-cert-option.patch +Patch19: pki-core-HSM-key-changeover-SCP03-support.patch +Patch20: pki-core-system-cert-CMC-enroll-profile.patch +####################### +## pki-core-10.4.1-13 +####################### +## RHEL 7.4 Batch Update 1 +Patch21: pki-core-server-access-banner-retrieval-validation.patch +####################### +## pki-core-10.4.1-14 +####################### +## RHEL 7.4 Batch Update 2 +Patch22: pki-core-Fix-lightweight-CA-replication-NPE-failure.patch +Patch23: pki-core-Fix-missing-CN-error-in-CMC-user-signed.patch +Patch24: pki-core-FixDeploymentDescriptor-upgrade-scriptlet.patch +Patch25: pki-core-KRA-use-AES-in-PKCS12-encrypted-key-recovery.patch +Patch26: pki-core-Display-tokenType-and-tokenOrigin-in-TPS-UI-and-CLI-Server.patch +Patch27: pki-core-Fix-JSON-encoding-in-Python-3.patch +## RHCS 9.2 Batch Update 2 +#Patch28: pki-core-Fix-tokenOrigin-and-tokenType-attrs-in-recovered-certs.patch +#Patch29: pki-core-Display-tokenType-and-tokenOrigin-in-TPS-UI-and-CLI.patch +####################### +## pki-core-10.4.1-15 +####################### +Patch30: pki-core-Make-PKCS12-files-compatible-with-PBES2.patch +####################### +## pki-core-10.4.1-16 +####################### +## RHCS 9.2 Batch Update 3 +#Patch31: pki-core-externalRegRecover-multiple-KRA.patch +#Patch32: pki-core-TPS-applet-protocol-determination.patch +#Patch33: pki-core-update-RHCS-cert-revocation-reasons.patch +## RHEL 7.4 Batch Update 3 +Patch34: pki-core-update-RHEL-cert-revocation-reasons.patch +Patch35: pki-core-fix-issuance-sans-subject-key-ID-ext.patch +Patch36: pki-core-fix-ipa-replica-install-timing-issue.patch +####################### +## pki-core-10.4.1-17 +####################### +## RHCS 9.2 Batch Update 3 +Patch37: pki-core-tps-externalReg-regression.patch + + + +# Obtain version phase number (e. g. - used by "alpha", "beta", etc.) 
+# +# NOTE: For "alpha" releases, will be ".a1", ".a2", etc. +# For "beta" releases, will be ".b1", ".b2", etc. +# +%define version_phase "%(echo `echo %{version} | awk -F. '{ print $4 }'`)" + +%global saveFileContext() \ +if [ -s /etc/selinux/config ]; then \ + . %{_sysconfdir}/selinux/config; \ + FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \ + if [ "${SELINUXTYPE}" == %1 -a -f ${FILE_CONTEXT} ]; then \ + cp -f ${FILE_CONTEXT} ${FILE_CONTEXT}.%{name}; \ + fi \ +fi; + +%global relabel() \ +. %{_sysconfdir}/selinux/config; \ +FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \ +selinuxenabled; \ +if [ $? == 0 -a "${SELINUXTYPE}" == %1 -a -f ${FILE_CONTEXT}.%{name} ]; then \ + fixfiles -C ${FILE_CONTEXT}.%{name} restore; \ + rm -f ${FILE_CONTEXT}.%name; \ +fi; + +%global overview \ +================================== \ +|| ABOUT "CERTIFICATE SYSTEM" || \ +================================== \ + \ +Certificate System (CS) is an enterprise software system designed \ +to manage enterprise Public Key Infrastructure (PKI) deployments. \ + \ +PKI Core contains ALL top-level java-based Tomcat PKI components: \ + \ + * pki-symkey \ + * pki-base \ + * pki-base-python2 (alias for pki-base) \ + * pki-base-python3 \ + * pki-base-java \ + * pki-tools \ + * pki-server \ + * pki-ca \ + * pki-kra \ + * pki-ocsp \ + * pki-tks \ + * pki-tps \ + * pki-javadoc \ + \ +which comprise the following corresponding PKI subsystems: \ + \ + * Certificate Authority (CA) \ + * Key Recovery Authority (KRA) \ + * Online Certificate Status Protocol (OCSP) Manager \ + * Token Key Service (TKS) \ + * Token Processing Service (TPS) \ + \ +Python clients need only install the pki-base package. This \ +package contains the python REST client packages and the client \ +upgrade framework. \ + \ +Java clients should install the pki-base-java package. This package \ +contains the legacy and REST Java client packages. 
These clients \ +should also consider installing the pki-tools package, which contain \ +native and Java-based PKI tools and utilities. \ + \ +Certificate Server instances require the fundamental classes and \ +modules in pki-base and pki-base-java, as well as the utilities in \ +pki-tools. The main server classes are in pki-server, with subsystem \ +specific Java classes and resources in pki-ca, pki-kra, pki-ocsp etc. \ + \ +Finally, if Certificate System is being deployed as an individual or \ +set of standalone rather than embedded server(s)/service(s), it is \ +strongly recommended (though not explicitly required) to include at \ +least one PKI Theme package: \ + \ + * dogtag-pki-theme (Dogtag Certificate System deployments) \ + * dogtag-pki-server-theme \ + * redhat-pki-server-theme (Red Hat Certificate System deployments) \ + * redhat-pki-server-theme \ + * customized pki theme (Customized Certificate System deployments) \ + * -pki-server-theme \ + \ + NOTE: As a convenience for standalone deployments, top-level meta \ + packages may be provided which bind a particular theme to \ + these certificate server packages. 
\ + \ +%{nil} + +%description %{overview} + + +%package -n pki-symkey +Summary: Symmetric Key JNI Package +Group: System Environment/Libraries + +Requires: java-1.8.0-openjdk-headless +%if 0%{?rhel} +Requires: nss >= 3.28.3 +%else +%if 0%{?fedora} >= 25 +Requires: nss >= 3.28.3 +%else +Requires: nss >= 3.27.0 +%endif +%endif +Requires: jpackage-utils >= 0:1.7.5-10 +%if 0%{?rhel} +Requires: jss >= 4.4.0-8 +%else +%if 0%{?fedora} >= 25 +Requires: jss >= 4.4.2-5 +%else +Requires: jss >= 4.2.6-44 +%endif +%endif + +Provides: symkey = %{version}-%{release} + +Obsoletes: symkey < %{version}-%{release} + +%if 0%{?rhel} +## Because RHCS 9.0 does not run on RHEL 7.3+, obsolete all +## RHCS 9.0 packages that can be replaced by RHCS 9.1 packages: +# pki-console +Obsoletes: pki-console < 10.3.0 +# pki-core +Obsoletes: pki-core-debug = 10.2.6 +Obsoletes: pki-ocsp < 10.3.0 +Obsoletes: pki-tks < 10.3.0 +Obsoletes: pki-tps < 10.3.0 +# redhat-pki +Obsoletes: redhat-pki < 10.3.0 +# redhat-pki-theme +Obsoletes: redhat-pki-console-theme < 10.3.0 +Obsoletes: redhat-pki-server-theme < 10.3.0 +%endif + +%description -n pki-symkey +The Symmetric Key Java Native Interface (JNI) package supplies various native +symmetric key operations to Java programs. + +This package is a part of the PKI Core used by the Certificate System. 
+
+%{overview}
+
+
+%package -n pki-base
+Summary: Certificate System - PKI Framework
+Group: System Environment/Base
+
+BuildArch: noarch
+
+Provides: pki-common = %{version}-%{release}
+Provides: pki-util = %{version}-%{release}
+Provides: pki-base-python2 = %{version}-%{release}
+
+Obsoletes: pki-common < %{version}-%{release}
+Obsoletes: pki-util < %{version}-%{release}
+
+Conflicts: freeipa-server < 3.0.0
+
+%if 0%{?rhel}
+Requires: nss >= 3.28.3
+%else
+%if 0%{?fedora} >= 25
+Requires: nss >= 3.28.3
+%else
+Requires: nss >= 3.27.0
+%endif
+%endif
+Requires: python2-cryptography
+Requires: python-nss
+Requires: python-requests >= 2.6.0
+Requires: python-six
+
+%description -n pki-base
+The PKI Framework contains the common and client libraries and utilities
+written in Python. This package is a part of the PKI Core used by the
+Certificate System.
+
+%{overview}
+
+%package -n pki-base-java
+Summary: Certificate System - Java Framework
+Group: System Environment/Base
+BuildArch: noarch
+
+Requires: java-1.8.0-openjdk-headless
+Requires: apache-commons-cli
+Requires: apache-commons-codec
+Requires: apache-commons-io
+Requires: apache-commons-lang
+Requires: apache-commons-logging
+Requires: jakarta-commons-httpclient
+Requires: slf4j
+%if ! 0%{?rhel}
+Requires: slf4j-jdk14
+%endif
+Requires: javassist
+Requires: jpackage-utils >= 0:1.7.5-10
+%if 0%{?rhel}
+Requires: jss >= 4.4.0-8
+%else
+%if 0%{?fedora} >= 25
+Requires: jss >= 4.4.2-5
+%else
+Requires: jss >= 4.2.6-44
+%endif
+%endif
+Requires: ldapjdk
+Requires: pki-base = %{version}-%{release}
+
+%if 0%{?rhel}
+# 'resteasy-base' is a subset of the complete set of
+# 'resteasy' packages and consists of what is needed to
+# support the PKI Restful interface on RHEL platforms
+Requires: resteasy-base-atom-provider >= 3.0.6-1
+Requires: resteasy-base-client >= 3.0.6-1
+Requires: resteasy-base-jaxb-provider >= 3.0.6-1
+Requires: resteasy-base-jaxrs >= 3.0.6-1
+Requires: resteasy-base-jaxrs-api >= 3.0.6-1
+Requires: resteasy-base-jackson-provider >= 3.0.6-1
+%else
+%if 0%{?fedora} >= 24
+Requires: resteasy-atom-provider >= 3.0.17-1
+Requires: resteasy-client >= 3.0.17-1
+Requires: resteasy-jaxb-provider >= 3.0.17-1
+Requires: resteasy-core >= 3.0.17-1
+Requires: resteasy-jackson-provider >= 3.0.17-1
+%else
+%if 0%{?fedora} >= 22
+# Starting from Fedora 22, resteasy packages were split into
+# subpackages.
+Requires: resteasy-atom-provider >= 3.0.6-7
+Requires: resteasy-client >= 3.0.6-7
+Requires: resteasy-jaxb-provider >= 3.0.6-7
+Requires: resteasy-core >= 3.0.6-7
+Requires: resteasy-jaxrs-api >= 3.0.6-7
+Requires: resteasy-jackson-provider >= 3.0.6-7
+%else
+Requires: resteasy >= 3.0.6-2
+%endif
+%endif
+%endif
+
+Requires: xalan-j2
+Requires: xerces-j2
+Requires: xml-commons-apis
+Requires: xml-commons-resolver
+
+%description -n pki-base-java
+The PKI Framework contains the common and client libraries and utilities
+written in Java. This package is a part of the PKI Core used by the
+Certificate System.
+
+This package is a part of the PKI Core used by the Certificate System.
+
+%{overview}
+
+%if 0%{?with_python3}
+
+%package -n pki-base-python3
+Summary: Certificate System - PKI Framework
+Group: System Environment/Base
+
+BuildArch: noarch
+
+Requires: pki-base = %{version}-%{release}
+
+Requires: python3-cryptography
+Requires: python3-lxml
+Requires: python3-nss
+Requires: python3-requests >= 2.6.0
+Requires: python3-six
+
+%description -n pki-base-python3
+This package contains PKI client library for Python 3.
+
+This package is a part of the PKI Core used by the Certificate System.
+
+%{overview}
+
+%endif # with_python3 for python3-pki
+
+%package -n pki-tools
+Summary: Certificate System - PKI Tools
+Group: System Environment/Base
+
+Provides: pki-native-tools = %{version}-%{release}
+Provides: pki-java-tools = %{version}-%{release}
+
+Obsoletes: pki-native-tools < %{version}-%{release}
+Obsoletes: pki-java-tools < %{version}-%{release}
+
+Requires: openldap-clients
+%if 0%{?rhel}
+Requires: nss-tools >= 3.28.3
+%else
+%if 0%{?fedora} >= 25
+Requires: nss-tools >= 3.28.3
+%else
+Requires: nss-tools >= 3.27.0
+%endif
+%endif
+Requires: java-1.8.0-openjdk-headless
+Requires: pki-base = %{version}-%{release}
+Requires: pki-base-java = %{version}-%{release}
+Requires: jpackage-utils >= 0:1.7.5-10
+%if 0%{?fedora} >= 23
+Requires: tomcat-servlet-3.1-api
+%else
+%if 0%{?fedora} >= 22
+Requires: tomcat-servlet-3.0-api >= 7.0.68
+%endif
+%endif
+
+%description -n pki-tools
+This package contains PKI executables that can be used to help make
+Certificate System into a more complete and robust PKI solution.
+
+This package is a part of the PKI Core used by the Certificate System.
+
+%{overview}
+
+
+%if %{with server}
+
+%package -n pki-server
+Summary: Certificate System - PKI Server Framework
+Group: System Environment/Base
+
+BuildArch: noarch
+
+Provides: pki-deploy = %{version}-%{release}
+Provides: pki-setup = %{version}-%{release}
+Provides: pki-silent = %{version}-%{release}
+
+Obsoletes: pki-deploy < %{version}-%{release}
+Obsoletes: pki-setup < %{version}-%{release}
+Obsoletes: pki-silent < %{version}-%{release}
+
+Requires: java-1.8.0-openjdk-headless
+Requires: hostname
+Requires: net-tools
+
+%if 0%{?rhel}
+Requires: nuxwdog-client-java >= 1.0.1-11
+%else
+Requires: nuxwdog-client-java >= 1.0.3
+%endif
+
+Requires: policycoreutils
+Requires: procps-ng
+Requires: openldap-clients
+Requires: openssl
+Requires: pki-base = %{version}-%{release}
+Requires: pki-base-java = %{version}-%{release}
+Requires: pki-tools = %{version}-%{release}
+Requires: python-ldap
+Requires: python-lxml
+Requires: libselinux-python
+Requires: policycoreutils-python
+%if 0%{?fedora} >= 23
+Requires: policycoreutils-python-utils
+%endif
+
+Requires: selinux-policy-targeted >= 3.13.1-159
+Obsoletes: pki-selinux
+
+%if 0%{?rhel}
+Requires: tomcat >= 7.0.69
+%else
+Requires: tomcat >= 7.0.68
+%if 0%{?fedora} >= 23
+Requires: tomcat-el-3.0-api
+Requires: tomcat-jsp-2.3-api
+Requires: tomcat-servlet-3.1-api
+%else
+Requires: tomcat-el-2.2-api >= 7.0.68
+Requires: tomcat-jsp-2.2-api >= 7.0.68
+Requires: tomcat-servlet-3.0-api >= 7.0.68
+%endif
+%endif
+
+Requires: velocity
+Requires(post): systemd-units
+Requires(preun): systemd-units
+Requires(postun): systemd-units
+Requires(pre): shadow-utils
+%if 0%{?rhel}
+Requires: tomcatjss >= 7.2.1-4
+%else
+%if 0%{?fedora} >= 25
+Requires: tomcatjss >= 7.2.3
+%else
+Requires: tomcatjss >= 7.1.3
+%endif
+%endif
+
+%if 0%{?rhel}
+## Because RHCS 9.0 does not run on RHEL 7.3+, obsolete all
+## RHCS 9.0 packages that can be replaced by RHCS 9.1 packages:
+# pki-console
+Obsoletes: pki-console < 10.3.0
+# pki-core
+Obsoletes: pki-core-debug = 10.2.6
+Obsoletes: pki-ocsp < 10.3.0
+Obsoletes: pki-tks < 10.3.0
+Obsoletes: pki-tps < 10.3.0
+# redhat-pki
+Obsoletes: redhat-pki < 10.3.0
+# redhat-pki-theme
+Obsoletes: redhat-pki-console-theme < 10.3.0
+Obsoletes: redhat-pki-server-theme < 10.3.0
+%endif
+
+%description -n pki-server
+The PKI Server Framework is required by the following four PKI subsystems:
+
+ the Certificate Authority (CA),
+ the Key Recovery Authority (KRA),
+ the Online Certificate Status Protocol (OCSP) Manager,
+ the Token Key Service (TKS), and
+ the Token Processing Service (TPS).
+
+This package is a part of the PKI Core used by the Certificate System.
+The package contains scripts to create and remove PKI subsystems.
+
+%{overview}
+
+%package -n pki-ca
+Summary: Certificate System - Certificate Authority
+Group: System Environment/Daemons
+
+BuildArch: noarch
+
+Requires: java-1.8.0-openjdk-headless
+Requires: pki-server = %{version}-%{release}
+Requires(post): systemd-units
+Requires(preun): systemd-units
+Requires(postun): systemd-units
+
+%description -n pki-ca
+The Certificate Authority (CA) is a required PKI subsystem which issues,
+renews, revokes, and publishes certificates as well as compiling and
+publishing Certificate Revocation Lists (CRLs).
+
+The Certificate Authority can be configured as a self-signing Certificate
+Authority, where it is the root CA, or it can act as a subordinate CA,
+where it obtains its own signing certificate from a public CA.
+
+This package is one of the top-level java-based Tomcat PKI subsystems
+provided by the PKI Core used by the Certificate System.
+
+%{overview}
+
+
+%package -n pki-kra
+Summary: Certificate System - Key Recovery Authority
+Group: System Environment/Daemons
+
+BuildArch: noarch
+
+Requires: java-1.8.0-openjdk-headless
+Requires: pki-server = %{version}-%{release}
+Requires(post): systemd-units
+Requires(preun): systemd-units
+Requires(postun): systemd-units
+
+%description -n pki-kra
+The Key Recovery Authority (KRA) is an optional PKI subsystem that can act
+as a key archival facility. When configured in conjunction with the
+Certificate Authority (CA), the KRA stores private encryption keys as part of
+the certificate enrollment process. The key archival mechanism is triggered
+when a user enrolls in the PKI and creates the certificate request. Using the
+Certificate Request Message Format (CRMF) request format, a request is
+generated for the user's private encryption key. This key is then stored in
+the KRA which is configured to store keys in an encrypted format that can only
+be decrypted by several agents requesting the key at one time, providing for
+protection of the public encryption keys for the users in the PKI deployment.
+
+Note that the KRA archives encryption keys; it does NOT archive signing keys,
+since such archival would undermine non-repudiation properties of signing keys.
+
+This package is one of the top-level java-based Tomcat PKI subsystems
+provided by the PKI Core used by the Certificate System.
+
+%{overview}
+
+
+%package -n pki-ocsp
+Summary: Certificate System - Online Certificate Status Protocol Manager
+Group: System Environment/Daemons
+
+BuildArch: noarch
+
+Requires: java-1.8.0-openjdk-headless
+%if 0%{?package_fedora_packages} || 0%{?package_rhel_packages}
+Requires: pki-server = %{version}-%{release}
+%else
+Requires: pki-server >= %{pki_core_rhel_version}
+%endif
+Requires(post): systemd-units
+Requires(preun): systemd-units
+Requires(postun): systemd-units
+
+%description -n pki-ocsp
+The Online Certificate Status Protocol (OCSP) Manager is an optional PKI
+subsystem that can act as a stand-alone OCSP service. The OCSP Manager
+performs the task of an online certificate validation authority by enabling
+OCSP-compliant clients to do real-time verification of certificates. Note
+that an online certificate-validation authority is often referred to as an
+OCSP Responder.
+
+Although the Certificate Authority (CA) is already configured with an
+internal OCSP service. An external OCSP Responder is offered as a separate
+subsystem in case the user wants the OCSP service provided outside of a
+firewall while the CA resides inside of a firewall, or to take the load of
+requests off of the CA.
+
+The OCSP Manager can receive Certificate Revocation Lists (CRLs) from
+multiple CA servers, and clients can query the OCSP Manager for the
+revocation status of certificates issued by all of these CA servers.
+
+When an instance of OCSP Manager is set up with an instance of CA, and
+publishing is set up to this OCSP Manager, CRLs are published to it
+whenever they are issued or updated.
+
+This package is one of the top-level java-based Tomcat PKI subsystems
+provided by the PKI Core used by the Certificate System.
+
+%{overview}
+
+
+%package -n pki-tks
+Summary: Certificate System - Token Key Service
+Group: System Environment/Daemons
+
+BuildArch: noarch
+
+Requires: java-1.8.0-openjdk-headless
+%if 0%{?package_fedora_packages} || 0%{?package_rhel_packages}
+Requires: pki-server = %{version}-%{release}
+Requires: pki-symkey = %{version}-%{release}
+%else
+Requires: pki-server >= %{pki_core_rhel_version}
+Requires: pki-symkey >= %{pki_core_rhel_version}
+%endif
+Requires(post): systemd-units
+Requires(preun): systemd-units
+Requires(postun): systemd-units
+
+%description -n pki-tks
+The Token Key Service (TKS) is an optional PKI subsystem that manages the
+master key(s) and the transport key(s) required to generate and distribute
+keys for hardware tokens. TKS provides the security between tokens and an
+instance of Token Processing System (TPS), where the security relies upon the
+relationship between the master key and the token keys. A TPS communicates
+with a TKS over SSL using client authentication.
+
+TKS helps establish a secure channel (signed and encrypted) between the token
+and the TPS, provides proof of presence of the security token during
+enrollment, and supports key changeover when the master key changes on the
+TKS. Tokens with older keys will get new token keys.
+
+Because of the sensitivity of the data that TKS manages, TKS should be set up
+behind the firewall with restricted access.
+
+This package is one of the top-level java-based Tomcat PKI subsystems
+provided by the PKI Core used by the Certificate System.
+
+%{overview}
+
+
+%package -n pki-tps
+Summary: Certificate System - Token Processing Service
+Group: System Environment/Daemons
+
+Provides: pki-tps-tomcat
+Provides: pki-tps-client
+
+Obsoletes: pki-tps-tomcat
+Obsoletes: pki-tps-client
+
+Requires: java-1.8.0-openjdk-headless
+%if 0%{?package_fedora_packages} || 0%{?package_rhel_packages}
+Requires: pki-server = %{version}-%{release}
+%else
+Requires: pki-server >= %{pki_core_rhel_version}
+%endif
+Requires(post): systemd-units
+Requires(preun): systemd-units
+Requires(postun): systemd-units
+
+# additional runtime requirements needed to run native 'tpsclient'
+# REMINDER: Revisit these once 'tpsclient' is rewritten as a Java app
+
+%if 0%{?rhel}
+Requires: nss-tools >= 3.28.3
+%else
+%if 0%{?fedora} >= 25
+Requires: nss-tools >= 3.28.3
+%else
+Requires: nss-tools >= 3.27.0
+%endif
+%endif
+Requires: openldap-clients
+%if 0%{?package_fedora_packages} || 0%{?package_rhel_packages}
+Requires: pki-symkey = %{version}-%{release}
+%else
+Requires: pki-symkey >= %{pki_core_rhel_version}
+%endif
+
+%description -n pki-tps
+The Token Processing System (TPS) is an optional PKI subsystem that acts
+as a Registration Authority (RA) for authenticating and processing
+enrollment requests, PIN reset requests, and formatting requests from
+the Enterprise Security Client (ESC).
+
+TPS is designed to communicate with tokens that conform to
+Global Platform's Open Platform Specification.
+
+TPS communicates over SSL with various PKI backend subsystems (including
+the Certificate Authority (CA), the Key Recovery Authority (KRA), and the
+Token Key Service (TKS)) to fulfill the user's requests.
+
+TPS also interacts with the token database, an LDAP server that stores
+information about individual tokens.
+
+The utility "tpsclient" is a test tool that interacts with TPS. This
+tool is useful to test TPS server configs without risking an actual
+smart card.
+
+%{overview}
+
+
+%package -n pki-javadoc
+Summary: Certificate System - PKI Framework Javadocs
+Group: Documentation
+
+BuildArch: noarch
+
+Provides: pki-util-javadoc = %{version}-%{release}
+Provides: pki-java-tools-javadoc = %{version}-%{release}
+Provides: pki-common-javadoc = %{version}-%{release}
+
+Obsoletes: pki-util-javadoc < %{version}-%{release}
+Obsoletes: pki-java-tools-javadoc < %{version}-%{release}
+Obsoletes: pki-common-javadoc < %{version}-%{release}
+
+%description -n pki-javadoc
+This documentation pertains exclusively to version %{version} of
+the PKI Framework and Tools.
+
+This package is a part of the PKI Core used by the Certificate System.
+
+%{overview}
+
+%endif # %{with server}
+
+
+%prep
+%setup -q -n %{name}-%{version}%{?prerel}
+%patch0 -p1
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
+%patch5 -p1
+%patch6 -p1
+%patch7 -p1
+%patch8 -p1
+%patch9 -p1
+%patch10 -p1
+%patch11 -p1
+%patch12 -p1
+%patch13 -p1
+%patch14 -p1
+%patch15 -p1
+%patch16 -p1
+%patch17 -p1
+%patch18 -p1
+%patch19 -p1
+%patch20 -p1
+%patch21 -p1
+%patch22 -p1
+%patch23 -p1
+%patch24 -p1
+%patch25 -p1
+%patch26 -p1
+%patch27 -p1
+#%patch28 -p1
+#%patch29 -p1
+%patch30 -p1
+#%patch31 -p1
+#%patch32 -p1
+#%patch33 -p1
+%patch34 -p1
+%patch35 -p1
+%patch36 -p1
+#%patch37 -p1
+
+%clean
+%{__rm} -rf %{buildroot}
+
+%build
+%{__mkdir_p} build
+cd build
+%cmake -DVERSION=%{version}-%{release} \
+ -DVAR_INSTALL_DIR:PATH=/var \
+ -DBUILD_PKI_CORE:BOOL=ON \
+ -DJAVA_HOME=%{java_home} \
+ -DJAVA_LIB_INSTALL_DIR=%{_jnidir} \
+ -DSYSTEMD_LIB_INSTALL_DIR=%{_unitdir} \
+%if %{version_phase}
+ -DAPPLICATION_VERSION_PHASE="%{version_phase}" \
+%endif
+%if ! %{with_tomcat7}
+ -DWITH_TOMCAT7:BOOL=OFF \
+%endif
+%if ! %{with_tomcat8}
+ -DWITH_TOMCAT8:BOOL=OFF \
+%endif
+ -DJAXRS_API_JAR=%{jaxrs_api_jar} \
+ -DRESTEASY_LIB=%{resteasy_lib} \
+%if ! %{with server}
+ -DWITH_SERVER:BOOL=OFF \
+%endif
+%if ! %{with server}
+ -DWITH_SERVER:BOOL=OFF \
+%endif
+%if ! %{with javadoc}
+ -DWITH_JAVADOC:BOOL=OFF \
+%endif
+ ..
+%{__make} VERBOSE=1 %{?_smp_mflags} all
+# %{__make} VERBOSE=1 %{?_smp_mflags} unit-test
+
+
+%install
+%{__rm} -rf %{buildroot}
+cd build
+%{__make} install DESTDIR=%{buildroot} INSTALL="install -p"
+
+# Create symlinks for admin console (TPS does not use admin console)
+for subsystem in ca kra ocsp tks; do
+ %{__mkdir_p} %{buildroot}%{_datadir}/pki/$subsystem/webapps/$subsystem/admin
+ ln -s %{_datadir}/pki/server/webapps/pki/admin/console %{buildroot}%{_datadir}/pki/$subsystem/webapps/$subsystem/admin
+done
+
+# Create compatibility symlink for DRMTool -> KRATool
+ln -s %{_bindir}/KRATool %{buildroot}%{_bindir}/DRMTool
+# Create compatibility symlink for DRMTool.cfg -> KRATool.cfg
+ln -s %{_datadir}/pki/java-tools/KRATool.cfg %{buildroot}%{_datadir}/pki/java-tools/DRMTool.cfg
+# Create compatibility symlink for DRMTool.1.gz -> KRATool.1.gz
+ln -s %{_mandir}/man1/KRATool.1.gz %{buildroot}%{_mandir}/man1/DRMTool.1.gz
+
+# Customize system upgrade scripts in /usr/share/pki/upgrade
+%if 0%{?rhel}
+
+# merge newer upgrade scripts into 10.3.3 for RHEL
+/bin/rm -rf %{buildroot}%{_datadir}/pki/upgrade/10.3.4
+/bin/rm -rf %{buildroot}%{_datadir}/pki/upgrade/10.3.5
+
+# merge newer upgrade scripts into 10.4.1 for RHEL
+/bin/rm -rf %{buildroot}%{_datadir}/pki/upgrade/10.4.2
+/bin/rm -rf %{buildroot}%{_datadir}/pki/upgrade/10.4.3
+/bin/rm -rf %{buildroot}%{_datadir}/pki/upgrade/10.4.4
+/bin/rm -rf %{buildroot}%{_datadir}/pki/upgrade/10.4.5
+/bin/rm -rf %{buildroot}%{_datadir}/pki/upgrade/10.4.6
+%endif
+
+# Customize client library links in /usr/share/pki/lib
+%if 0%{?fedora} >= 24
+ rm -f %{buildroot}%{_datadir}/pki/lib/scannotation.jar
+ rm -f %{buildroot}%{_datadir}/pki/lib/resteasy-jaxrs-api.jar
+ rm -f %{buildroot}%{_datadir}/pki/lib/resteasy-jaxrs-jandex.jar
+ ln -sf %{jaxrs_api_jar} %{buildroot}%{_datadir}/pki/lib/jboss-jaxrs-2.0-api.jar
+ ln -sf /usr/share/java/jboss-logging/jboss-logging.jar %{buildroot}%{_datadir}/pki/lib/jboss-logging.jar
+ ln -sf /usr/share/java/jboss-annotations-1.2-api/jboss-annotations-api_1.2_spec.jar %{buildroot}%{_datadir}/pki/lib/jboss-annotations-api_1.2_spec.jar
+%else
+
+if [ -f /etc/debian_version ]; then
+ ln -sf /usr/share/java/httpclient.jar %{buildroot}%{_datadir}/pki/lib/httpclient.jar
+ ln -sf /usr/share/java/httpcore.jar %{buildroot}%{_datadir}/pki/lib/httpcore.jar
+ ln -sf /usr/share/java/jackson-core-asl.jar %{buildroot}%{_datadir}/pki/lib/jackson-core-asl.jar
+ ln -sf /usr/share/java/jackson-jaxrs.jar %{buildroot}%{_datadir}/pki/lib/jackson-jaxrs.jar
+ ln -sf /usr/share/java/jackson-mapper-asl.jar %{buildroot}%{_datadir}/pki/lib/jackson-mapper-asl.jar
+ ln -sf /usr/share/java/jackson-mrbean.jar %{buildroot}%{_datadir}/pki/lib/jackson-mrbean.jar
+ ln -sf /usr/share/java/jackson-smile.jar %{buildroot}%{_datadir}/pki/lib/jackson-smile.jar
+ ln -sf /usr/share/java/jackson-xc.jar %{buildroot}%{_datadir}/pki/lib/jackson-xc.jar
+ ln -sf /usr/share/java/jss4.jar %{buildroot}%{_datadir}/pki/lib/jss4.jar
+fi
+
+%endif
+
+%if %{with server}
+
+# Customize server upgrade scripts in /usr/share/pki/server/upgrade
+%if 0%{?rhel}
+
+# merge newer upgrade scripts into 10.3.3 for RHEL
+mv %{buildroot}%{_datadir}/pki/server/upgrade/10.3.5/01-FixServerLibrary \
+ %{buildroot}%{_datadir}/pki/server/upgrade/10.3.3/02-FixServerLibrary
+mv %{buildroot}%{_datadir}/pki/server/upgrade/10.3.5/02-FixDeploymentDescriptor \
+ %{buildroot}%{_datadir}/pki/server/upgrade/10.3.3/03-FixDeploymentDescriptor
+/bin/rm -rf %{buildroot}%{_datadir}/pki/server/upgrade/10.3.4
+/bin/rm -rf %{buildroot}%{_datadir}/pki/server/upgrade/10.3.5
+
+# merge newer upgrade scripts into 10.4.1 for RHEL
+mv %{buildroot}%{_datadir}/pki/server/upgrade/10.4.2/01-AddSessionAuthenticationPlugin \
+ %{buildroot}%{_datadir}/pki/server/upgrade/10.4.1/01-AddSessionAuthenticationPlugin
+mv %{buildroot}%{_datadir}/pki/server/upgrade/10.4.2/02-AddKRAWrappingParams \
+ %{buildroot}%{_datadir}/pki/server/upgrade/10.4.1/02-AddKRAWrappingParams
+mv %{buildroot}%{_datadir}/pki/server/upgrade/10.4.6/01-UpdateKeepAliveTimeout \
+ %{buildroot}%{_datadir}/pki/server/upgrade/10.4.1/03-UpdateKeepAliveTimeout
+/bin/rm -rf %{buildroot}%{_datadir}/pki/server/upgrade/10.4.2
+/bin/rm -rf %{buildroot}%{_datadir}/pki/server/upgrade/10.4.3
+/bin/rm -rf %{buildroot}%{_datadir}/pki/server/upgrade/10.4.4
+/bin/rm -rf %{buildroot}%{_datadir}/pki/server/upgrade/10.4.5
+/bin/rm -rf %{buildroot}%{_datadir}/pki/server/upgrade/10.4.6
+
+%endif
+
+# Customize server library links in /usr/share/pki/server/common/lib
+%if 0%{?fedora} >= 24
+ rm -f %{buildroot}%{_datadir}/pki/server/common/lib/scannotation.jar
+ rm -f %{buildroot}%{_datadir}/pki/server/common/lib/resteasy-jaxrs-api.jar
+ ln -sf %{jaxrs_api_jar} %{buildroot}%{_datadir}/pki/server/common/lib/jboss-jaxrs-2.0-api.jar
+ ln -sf /usr/share/java/jboss-logging/jboss-logging.jar %{buildroot}%{_datadir}/pki/server/common/lib/jboss-logging.jar
+ ln -sf /usr/share/java/jboss-annotations-1.2-api/jboss-annotations-api_1.2_spec.jar %{buildroot}%{_datadir}/pki/server/common/lib/jboss-annotations-api_1.2_spec.jar
+
+%else
+
+if [ -f /etc/debian_version ]; then
+ ln -sf /usr/share/java/commons-collections3.jar %{buildroot}%{_datadir}/pki/server/common/lib/commons-collections.jar
+ ln -sf /usr/share/java/httpclient.jar %{buildroot}%{_datadir}/pki/server/common/lib/httpclient.jar
+ ln -sf /usr/share/java/httpcore.jar %{buildroot}%{_datadir}/pki/server/common/lib/httpcore.jar
+ ln -sf /usr/share/java/jackson-core-asl.jar %{buildroot}%{_datadir}/pki/server/common/lib/jackson-core-asl.jar
+ ln -sf /usr/share/java/jackson-jaxrs.jar %{buildroot}%{_datadir}/pki/server/common/lib/jackson-jaxrs.jar
+ ln -sf /usr/share/java/jackson-mapper-asl.jar %{buildroot}%{_datadir}/pki/server/common/lib/jackson-mapper-asl.jar
+ ln -sf /usr/share/java/jackson-mrbean.jar %{buildroot}%{_datadir}/pki/server/common/lib/jackson-mrbean.jar
+ ln -sf /usr/share/java/jackson-smile.jar %{buildroot}%{_datadir}/pki/server/common/lib/jackson-smile.jar
+ ln -sf /usr/share/java/jackson-xc.jar %{buildroot}%{_datadir}/pki/server/common/lib/jackson-xc.jar
+ ln -sf /usr/share/java/jss4.jar %{buildroot}%{_datadir}/pki/server/common/lib/jss4.jar
+ ln -sf /usr/share/java/symkey.jar %{buildroot}%{_datadir}/pki/server/common/lib/symkey.jar
+ ln -sf /usr/share/java/xercesImpl.jar %{buildroot}%{_datadir}/pki/server/common/lib/xerces-j2.jar
+ ln -sf /usr/share/java/xml-apis.jar %{buildroot}%{_datadir}/pki/server/common/lib/xml-commons-apis.jar
+ ln -sf /usr/share/java/xml-resolver.jar %{buildroot}%{_datadir}/pki/server/common/lib/xml-commons-resolver.jar
+fi
+
+%endif
+
+%if ! 0%{?rhel}
+# Scanning the python code with pylint.
+%{__python2} ../pylint-build-scan.py rpm --prefix %{buildroot}
+if [ $? -ne 0 ]; then
+ echo "pylint failed. RC: $?"
+ exit 1
+fi
+
+%{__python2} ../pylint-build-scan.py rpm --prefix %{buildroot} -- --py3k
+if [ $? -ne 0 ]; then
+ echo "pylint --py3k failed. RC: $?"
+ exit 1
+fi
+
+flake8 --config ../tox.ini %{buildroot}
+if [ $? -ne 0 ]; then
+ echo "flake8 for Python 2 failed. RC: $?"
+ exit 1
+fi
+
+python3-flake8 --config ../tox.ini %{buildroot}
+if [ $? -ne 0 ]; then
+ echo "flake8 for Python 3 failed. RC: $?"
+ exit 1
+fi
+
+%endif
+
+%{__rm} -rf %{buildroot}%{_datadir}/pki/server/lib
+
+%endif # %{with server}
+
+%{__mkdir_p} %{buildroot}%{_localstatedir}/log/pki
+%{__mkdir_p} %{buildroot}%{_sharedstatedir}/pki
+
+%if ! 0%{?rhel}
+%pretrans -n pki-base -p
+function test(a)
+ if posix.stat(a) then
+ for f in posix.files(a) do
+ if f~=".." and f~="." then
+ return true
+ end
+ end
+ end
+ return false
+end
+
+if (test("/etc/sysconfig/pki/ca") or
+ test("/etc/sysconfig/pki/kra") or
+ test("/etc/sysconfig/pki/ocsp") or
+ test("/etc/sysconfig/pki/tks")) then
+ msg = "Unable to upgrade to Fedora 20. There are Dogtag 9 instances\n" ..
+ "that will no longer work since they require Tomcat 6, and \n" .. + "Tomcat 6 is no longer available in Fedora 20.\n\n" .. + "Please follow these instructions to migrate the instances to \n" .. + "Dogtag 10:\n\n" .. + "http://pki.fedoraproject.org/wiki/Migrating_Dogtag_9_Instances_to_Dogtag_10" + error(msg) +end +%endif + +%if %{with server} + +%pre -n pki-server +getent group %{pki_groupname} >/dev/null || groupadd -f -g %{pki_gid} -r %{pki_groupname} +if ! getent passwd %{pki_username} >/dev/null ; then + if ! getent passwd %{pki_uid} >/dev/null ; then + useradd -r -u %{pki_uid} -g %{pki_groupname} -d %{pki_homedir} -s /sbin/nologin -c "Certificate System" %{pki_username} + else + useradd -r -g %{pki_groupname} -d %{pki_homedir} -s /sbin/nologin -c "Certificate System" %{pki_username} + fi +fi +exit 0 + +%endif # %{with server} + +%post -n pki-base + +if [ $1 -eq 1 ] +then + # On RPM installation create system upgrade tracker + echo "Configuration-Version: %{version}" > %{_sysconfdir}/pki/pki.version + +else + # On RPM upgrade run system upgrade + echo "Upgrading PKI system configuration at `/bin/date`." >> /var/log/pki/pki-upgrade-%{version}.log 2>&1 + /sbin/pki-upgrade --silent >> /var/log/pki/pki-upgrade-%{version}.log 2>&1 + echo >> /var/log/pki/pki-upgrade-%{version}.log 2>&1 +fi + +%postun -n pki-base + +if [ $1 -eq 0 ] +then + # On RPM uninstallation remove system upgrade tracker + rm -f %{_sysconfdir}/pki/pki.version +fi + +%if %{with server} + +%post -n pki-server +## NOTE: At this time, NO attempt has been made to update ANY PKI subsystem +## from EITHER 'sysVinit' OR previous 'systemd' processes to the new +## PKI deployment process + +echo "Upgrading PKI server configuration at `/bin/date`." 
>> /var/log/pki/pki-server-upgrade-%{version}.log 2>&1 +/sbin/pki-server-upgrade --silent >> /var/log/pki/pki-server-upgrade-%{version}.log 2>&1 +echo >> /var/log/pki/pki-server-upgrade-%{version}.log 2>&1 + +# Migrate Tomcat configuration +/sbin/pki-server migrate >> /var/log/pki/pki-server-upgrade-%{version}.log 2>&1 +echo >> /var/log/pki/pki-server-upgrade-%{version}.log 2>&1 + +# Reload systemd daemons on upgrade only +if [ "$1" == "2" ] +then + systemctl daemon-reload +fi + +## %preun -n pki-server +## NOTE: At this time, NO attempt has been made to update ANY PKI subsystem +## from EITHER 'sysVinit' OR previous 'systemd' processes to the new +## PKI deployment process + + +## %postun -n pki-server +## NOTE: At this time, NO attempt has been made to update ANY PKI subsystem +## from EITHER 'sysVinit' OR previous 'systemd' processes to the new +## PKI deployment process + +%endif # %{with server} + + +%if 0%{?package_fedora_packages} || 0%{?package_rhel_packages} +%files -n pki-symkey +%defattr(-,root,root,-) +%doc base/symkey/LICENSE +%{_jnidir}/symkey.jar +%{_libdir}/symkey/ +%endif + + +%if 0%{?package_fedora_packages} || 0%{?package_rhel_packages} +%files -n pki-base +%defattr(-,root,root,-) +%doc base/common/LICENSE +%doc base/common/LICENSE.LESSER +%doc %{_datadir}/doc/pki-base/html +%dir %{_datadir}/pki +%{_datadir}/pki/VERSION +%{_datadir}/pki/etc/ +%{_datadir}/pki/upgrade/ +%{_datadir}/pki/key/templates +%dir %{_sysconfdir}/pki +%config(noreplace) %{_sysconfdir}/pki/pki.conf +%exclude %{python2_sitelib}/pki/server +%{python2_sitelib}/pki +%dir %{_localstatedir}/log/pki +%{_sbindir}/pki-upgrade +%{_mandir}/man1/pki-python-client.1.gz +%{_mandir}/man5/pki-logging.5.gz +%{_mandir}/man8/pki-upgrade.8.gz +%endif + +%if 0%{?package_fedora_packages} || 0%{?package_rhel_packages} +%files -n pki-base-java +%{_datadir}/pki/examples/java/ +%{_datadir}/pki/lib/ +%dir %{_javadir}/pki +%{_javadir}/pki/pki-cmsutil.jar +%{_javadir}/pki/pki-nsutil.jar 
+%{_javadir}/pki/pki-certsrv.jar
+%endif
+
+%if 0%{?package_fedora_packages} || 0%{?package_rhel_packages}
+%if %{with_python3}
+%files -n pki-base-python3
+%defattr(-,root,root,-)
+%doc base/common/LICENSE
+%doc base/common/LICENSE.LESSER
+%exclude %{python3_sitelib}/pki/server
+%{python3_sitelib}/pki
+%endif # with_python3
+%endif
+
+%if 0%{?package_fedora_packages} || 0%{?package_rhel_packages}
+%files -n pki-tools
+%defattr(-,root,root,-)
+%doc base/native-tools/LICENSE base/native-tools/doc/README
+%{_bindir}/pki
+%{_bindir}/p7tool
+%{_bindir}/revoker
+%{_bindir}/setpin
+%{_bindir}/sslget
+%{_bindir}/tkstool
+%{_datadir}/pki/native-tools/
+%{_bindir}/AtoB
+%{_bindir}/AuditVerify
+%{_bindir}/BtoA
+%{_bindir}/CMCEnroll
+%{_bindir}/CMCRequest
+%{_bindir}/CMCResponse
+%{_bindir}/CMCRevoke
+%{_bindir}/CRMFPopClient
+%{_bindir}/DRMTool
+%{_bindir}/ExtJoiner
+%{_bindir}/GenExtKeyUsage
+%{_bindir}/GenIssuerAltNameExt
+%{_bindir}/GenSubjectAltNameExt
+%{_bindir}/HttpClient
+%{_bindir}/KRATool
+%{_bindir}/OCSPClient
+%{_bindir}/PKCS10Client
+%{_bindir}/PKCS12Export
+%{_bindir}/PrettyPrintCert
+%{_bindir}/PrettyPrintCrl
+%{_bindir}/TokenInfo
+%{_javadir}/pki/pki-tools.jar
+%{_datadir}/pki/java-tools/
+%{_mandir}/man1/AtoB.1.gz
+%{_mandir}/man1/AuditVerify.1.gz
+%{_mandir}/man1/BtoA.1.gz
+%{_mandir}/man1/CMCEnroll.1.gz
+%{_mandir}/man1/DRMTool.1.gz
+%{_mandir}/man1/KRATool.1.gz
+%{_mandir}/man1/PrettyPrintCert.1.gz
+%{_mandir}/man1/PrettyPrintCrl.1.gz
+%{_mandir}/man1/pki.1.gz
+%{_mandir}/man1/pki-audit.1.gz
+%{_mandir}/man1/pki-ca-kraconnector.1.gz
+%{_mandir}/man1/pki-ca-profile.1.gz
+%{_mandir}/man1/pki-cert.1.gz
+%{_mandir}/man1/pki-client.1.gz
+%{_mandir}/man1/pki-group.1.gz
+%{_mandir}/man1/pki-group-member.1.gz
+%{_mandir}/man1/pki-key.1.gz
+%{_mandir}/man1/pki-pkcs12-cert.1.gz
+%{_mandir}/man1/pki-pkcs12-key.1.gz
+%{_mandir}/man1/pki-pkcs12.1.gz
+%{_mandir}/man1/pki-securitydomain.1.gz
+%{_mandir}/man1/pki-tps-profile.1.gz
+%{_mandir}/man1/pki-user.1.gz
+%{_mandir}/man1/pki-user-cert.1.gz
+%{_mandir}/man1/pki-user-membership.1.gz
+%endif
+
+%if %{with server}
+
+%if 0%{?package_fedora_packages} || 0%{?package_rhel_packages}
+%files -n pki-server
+%defattr(-,root,root,-)
+%doc base/common/THIRD_PARTY_LICENSES
+%doc base/server/LICENSE
+%doc base/server/README
+%{_sysconfdir}/pki/default.cfg
+%{_sbindir}/pkispawn
+%{_sbindir}/pkidestroy
+%{_sbindir}/pki-server
+%{_sbindir}/pki-server-nuxwdog
+%{_sbindir}/pki-server-upgrade
+%{python2_sitelib}/pki/server/
+%dir %{_datadir}/pki/deployment
+%{_datadir}/pki/deployment/config/
+%dir %{_datadir}/pki/scripts
+%{_datadir}/pki/scripts/operations
+%{_bindir}/pkidaemon
+%dir %{_sysconfdir}/systemd/system/pki-tomcatd.target.wants
+%attr(644,-,-) %{_unitdir}/pki-tomcatd@.service
+%attr(644,-,-) %{_unitdir}/pki-tomcatd.target
+%dir %{_sysconfdir}/systemd/system/pki-tomcatd-nuxwdog.target.wants
+%attr(644,-,-) %{_unitdir}/pki-tomcatd-nuxwdog@.service
+%attr(644,-,-) %{_unitdir}/pki-tomcatd-nuxwdog.target
+%{_javadir}/pki/pki-cms.jar
+%{_javadir}/pki/pki-cmsbundle.jar
+%{_javadir}/pki/pki-cmscore.jar
+%{_javadir}/pki/pki-tomcat.jar
+%dir %{_sharedstatedir}/pki
+%{_mandir}/man1/pkidaemon.1.gz
+%{_mandir}/man5/pki_default.cfg.5.gz
+%{_mandir}/man5/pki-server-logging.5.gz
+%{_mandir}/man8/pki-server-upgrade.8.gz
+%{_mandir}/man8/pkidestroy.8.gz
+%{_mandir}/man8/pkispawn.8.gz
+%{_mandir}/man8/pki-server.8.gz
+%{_mandir}/man8/pki-server-instance.8.gz
+%{_mandir}/man8/pki-server-subsystem.8.gz
+%{_mandir}/man8/pki-server-nuxwdog.8.gz
+%{_mandir}/man8/pki-server-migrate.8.gz
+
+%{_datadir}/pki/setup/
+%{_datadir}/pki/server/
+%endif
+
+
+%if 0%{?package_fedora_packages} || 0%{?package_rhel_packages}
+%files -n pki-ca
+%defattr(-,root,root,-)
+%doc base/ca/LICENSE
+%{_javadir}/pki/pki-ca.jar
+%dir %{_datadir}/pki/ca
+%{_datadir}/pki/ca/conf/
+%{_datadir}/pki/ca/emails/
+%dir %{_datadir}/pki/ca/profiles
+%{_datadir}/pki/ca/profiles/ca/
+%{_datadir}/pki/ca/setup/
+%{_datadir}/pki/ca/webapps/
+%endif + +%if 0%{?package_fedora_packages} || 0%{?package_rhel_packages} +%files -n pki-kra +%defattr(-,root,root,-) +%doc base/kra/LICENSE +%{_javadir}/pki/pki-kra.jar +%dir %{_datadir}/pki/kra +%{_datadir}/pki/kra/conf/ +%{_datadir}/pki/kra/setup/ +%{_datadir}/pki/kra/webapps/ +%endif + +%if 0%{?package_fedora_packages} || 0%{?package_rhcs_packages} +%files -n pki-ocsp +%defattr(-,root,root,-) +%doc base/ocsp/LICENSE +%{_javadir}/pki/pki-ocsp.jar +%dir %{_datadir}/pki/ocsp +%{_datadir}/pki/ocsp/conf/ +%{_datadir}/pki/ocsp/setup/ +%{_datadir}/pki/ocsp/webapps/ +%endif + +%if 0%{?package_fedora_packages} || 0%{?package_rhcs_packages} +%files -n pki-tks +%defattr(-,root,root,-) +%doc base/tks/LICENSE +%{_javadir}/pki/pki-tks.jar +%dir %{_datadir}/pki/tks +%{_datadir}/pki/tks/conf/ +%{_datadir}/pki/tks/setup/ +%{_datadir}/pki/tks/webapps/ +%endif + +%if 0%{?package_fedora_packages} || 0%{?package_rhcs_packages} +%files -n pki-tps +%defattr(-,root,root,-) +%doc base/tps/LICENSE +%{_javadir}/pki/pki-tps.jar +%dir %{_datadir}/pki/tps +%{_datadir}/pki/tps/applets/ +%{_datadir}/pki/tps/conf/ +%{_datadir}/pki/tps/setup/ +%{_datadir}/pki/tps/webapps/ +%{_mandir}/man5/pki-tps-connector.5.gz +%{_mandir}/man5/pki-tps-profile.5.gz +%{_mandir}/man1/tpsclient.1.gz +# files for native 'tpsclient' +# REMINDER: Remove this comment once 'tpsclient' is rewritten as a Java app +%{_bindir}/tpsclient +%{_libdir}/tps/libtps.so +%{_libdir}/tps/libtokendb.so +%endif + +%if 0%{?package_fedora_packages} || 0%{?package_rhel_packages} +%if %{with javadoc} +%files -n pki-javadoc +%defattr(-,root,root,-) +%{_javadocdir}/pki-%{version}/ +%endif +%endif + +%endif # %{with server} + +%changelog +* Fri Nov 10 2017 Dogtag Team 10.4.1-17 +- ########################################################################### +- ## RHCS 9.2 +- ########################################################################### +- #Bugzilla Bug #1507160 - TPS new configuration to allow the protocol of + #the to determine 
applet loaded (jmagne) + +* Fri Oct 13 2017 Dogtag Team 10.4.1-16 +- ########################################################################### +- ## RHCS 9.2 +- ########################################################################### +- #Bugzilla Bug #1439228 - externalRegRecover does not support multiple + #KRA instances (cfu) +- #Bugzilla Bug #1507160 - TPS new configuration to allow the protocol of + #the to determine applet loaded (jmagne) +- #Bugzilla Bug #1471996 - Certificate Revocation Reasons not being updated + #in some cases [RHCS 9] (cfu) +- ########################################################################### +- ## RHEL 7.4 +- ########################################################################### +- Bugzilla Bug #1500499 - Certificate Revocation Reasons not being updated + in some cases [rhel-7.4.z] (cfu) +- Bugzilla Bug #1502527 - CA cert without Subject Key Identifier causes + issuance failure [rhel-7.4.z] (ftweedal) +- Bugzilla Bug #1492560 - ipa-replica-install --setup-kra broken on DL0 + [rhel-7.4.z] (ftweedal) + NOTE: Check-ins for #1492560 all reference the dogtagpki Pagure Issue + associated with Bugzilla Bug #1402280 - CA Cloning: Failed to + update number range in few cases (which is not yet fully resolved) + +* Mon Sep 18 2017 Dogtag Team 10.4.1-15 +- Bugzilla Bug #1492560 - ipa-replica-install --setup-kra broken on DL0 + [rhel-7.4.z] (ftweedal) + +* Tue Sep 12 2017 Dogtag Team 10.4.1-14 +- Require "jss >= 4.4.0-8" as a build and runtime requirement +- ########################################################################## +- RHEL 7.4: +- ########################################################################## +- Resolves: rhbz #1486870,1485833,1487509,1490241,1491332 +- Bugzilla Bug #1486870 - Lightweight CA key replication fails (regressions) + [RHEL 7.4.z] (ftweedal) +- Bugzilla Bug #1485833 - Missing CN in user signing cert would cause error + in cmc user-signed [rhel-7.4.z] (cfu) +- Bugzilla Bug #1487509 - 
pki-server-upgrade fails when upgrading from + RHEL 7.1 [rhel-7.4.z] (ftweedal) +- Bugzilla Bug #1490241 - PKCS12: upgrade to at least AES and SHA2 (FIPS) + [rhel-7.4.z] (ftweedal) +- Bugzilla Bug #1491332 - TPS UI: need to display tokenType and tokenOrigin + for token certificates on TPS UI Server [rhel-7.4.z] (edewata) +- dogtagpki Pagure Issue #2764 - py3: pki.key.archive_encrypted_data: + TypeError: ... is not JSON serializable (ftweedal) +- ########################################################################## +- RHCS 9.2: +- ########################################################################## +- Resolves: rhbz #1486870,1485833,1487509,1490241,1491332,1482729,1462271 +- Bugzilla Bug #1462271 - TPS incorrectly assigns "tokenOrigin" and + "tokenType" certificate attribute for recovered certificates. (cfu) +- Bugzilla Bug #1482729 - TPS UI: need to display tokenType and tokenOrigin + for token certificates on TPS UI (edewata) + +* Mon Aug 21 2017 Dogtag Team 10.4.1-13 +- Resolves: rhbz #1463350 +- ########################################################################## +- RHEL 7.4: +- ########################################################################## +- Bugzilla Bug #1463350 - Access banner validation (edewata) + [pki-core-server-access-banner-retrieval-validation.patch] + +* Wed Jul 19 2017 Dogtag Team 10.4.1-12 +- Resolves: rhbz #1472615,1472617,1469447,1463350,1469449,1472619,1464970,1469437,1469439,1469446 +- ########################################################################## +- RHEL 7.4: +- ########################################################################## +- Bugzilla Bug #1472615 - CC: allow CA to process pre-signed CMC non-signing + certificate requests (cfu) + [PREVIOUS PATCH: pki-core-beta.patch] + [PREVIOUS PATCH: pki-core-snapshot-4.patch] +- Bugzilla Bug #1472617 - CMC: cmc.popLinkWitnessRequired=false would cause + error (cfu) + [PREVIOUS PATCH: pki-core-post-beta.patch] +- Bugzilla Bug #1469447 - CC: CMC: check 
HTTPS client authentication cert + against CMC signer (cfu) + [PREVIOUS PATCH: pki-core-CMC-check-HTTPS-client-authentication-cert.patch] +- Bugzilla Bug #1463350 - Access banner validation (edewata) + [pki-core-server-access-banner-validation.patch] +- Bugzilla Bug #1469449 - CC: allow CA to process pre-signed CMC renewal + non-signing cert requests (cfu) + [PREVIOUS PATCH: pki-core-snapshot-1.patch] + [pki-core-pre-signed-CMC-renewal-UniqueKeyConstraint.patch] +- Bugzilla Bug #1472619 - Platform Dependent Python Import (mharmsen) + [pki-core-platform-dependent-python-import.patch] +- Bugzilla Bug #1464970 - CC: CMC: replace id-cmc-statusInfo with + id-cmc-statusInfoV2 (cfu) + [pki-core-CMC-id-cmc-statusInfoV2.patch] +- Bugzilla Bug #1469437 - subsystem-cert-update command lacks --cert option + (dmoluguw) + [pki-core-subsystem-cert-update-CLI-cert-option.patch] +- Bugzilla Bug #1469439 - Fix Key Changeover with HSM to support SCP03 + (jmagne) + [pki-core-HSM-key-changeover-SCP03-support.patch] +- Bugzilla Bug #1469446 - CC: need CMC enrollment profiles for system + certificates (cfu) + [pki-core-system-cert-CMC-enroll-profile.patch] + +* Mon Jul 17 2017 Dogtag Team 10.4.1-11 +- Resolves: rhbz #1469432 +- ########################################################################## +- RHEL 7.4: +- ########################################################################## +- Bugzilla Bug #1469432 - CMC plugin default change +- Resolves CVE-2017-7537 +- Fixes BZ #1470948 + +* Mon Jun 19 2017 Dogtag Team 10.4.1-10 +- ########################################################################## +- RHEL 7.4: +- ########################################################################## +- Bugzilla Bug #1458043 - Key recovery on token fails with + invalid public key error on KRA (alee) +- Bugzilla Bug #1460764 - CC: CMC: check HTTPS client + authentication cert against CMC signer (cfu) +- Bugzilla Bug #1461533 - Unable to find keys in the p12 file after + deleting the any of 
the subsystem certs from it (ftweedal) + +* Mon Jun 12 2017 Dogtag Team 10.4.1-9 +- ########################################################################## +- RHEL 7.4: +- ########################################################################## +- Bugzilla Bug #1393633 - Creating symmetric key (sharedSecret) + using tkstool is failing when RHEL 7.3 is in FIPS mode. (jmagne) +- Bugzilla Bug #1419756 - CC: allow CA to process pre-signed CMC + non-signing certificate requests (cfu) +- Bugzilla Bug #1419777 - CC: allow CA to process pre-signed CMC + revocation non-signing cert requests (cfu) +- Bugzilla Bug #1458047 - change the way aes clients refer to + aes keysets (alee) +- Bugzilla Bug #1458055 - dont reuse IVs in the CMC code + (alee) +- Bugzilla Bug #1460028 - In keywrap mode, key recovery on + KRA with HSM causes KRA to crash (ftweedal) + +* Mon Jun 5 2017 Dogtag Team 10.4.1-8 +- Require "selinux-policy-targeted >= 3.13.1-159" as a runtime requirement +- Require "tomcatjss >= 7.2.1-4" as a build and runtime requirement +- ########################################################################## +- RHEL 7.4: +- ########################################################################## +- Bugzilla Bug #1400149 - pkispawn fails to create CA subsystem on FIPS + enabled system (edewata) +- Bugzilla Bug #1447144 - CA brought down during separate KRA instance + creation (edewata) +- Bugzilla Bug #1447762 - pkispawn fails occasionally with this failure + ACCESS_SESSION_ESTABLISH_FAILURE (edewata) +- Bugzilla Bug #1454450 - SubCA installation failure with 2 step + installation in fips enabled mode (edewata) +- Bugzilla Bug #1456597 - Certificate import using pki client-cert-import + is asking for password when already provided (edewata) +- Bugzilla Bug #1456940 - Build failure due to Pylint issues (cheimes) +- Bugzilla Bug #1458043 - Key recovery using externalReg fails + with java null pointer exception on KRA (alee) +- Bugzilla Bug #1458379 - Upgrade script for 
keepAliveTimeout parameter + (edewata) +- Bugzilla Bug #1458429 - client-cert-import --ca-cert should + import CA cert with trust bits "CT,C,C" (edewata) +- ########################################################################## +- RHCS 9.2: +- ########################################################################## +- Bugzilla Bug #1274086 - [RFE] Add SCP03 support (RHCS) (jmagne) + +* Tue May 30 2017 Dogtag Team 10.4.1-7 +- ########################################################################## +- RHEL 7.4: +- ########################################################################## +- Bugzilla Bug #1393633 - Creating symmetric key (sharedSecret) + using tkstool is failing when RHEL 7.3 is in FIPS mode. (jmagne) +- Bugzilla Bug #1445519 - CA Server installation with HSM fails + (jmagne) +- Bugzilla Bug #1452617 - Unable to create IPA Sub CA + (ftweedal) +- Bugzilla Bug #1454471 - Enabling all subsystems on startup + (edewata) +- Bugzilla Bug #1455617 - Key recovery on token fails because + key record is not marked encrypted (alee) + +* Tue May 23 2017 Dogtag Team 10.4.1-6 +- Bugzilla Bug #1454603 - Unable to install IPA server due to pkispawn error + (mharmsen) + +* Mon May 22 2017 Dogtag Team 10.4.1-5 +- ########################################################################## +- RHEL 7.4: +- ########################################################################## +- Bugzilla Bug #1419761 - CC: allow CA to process pre-signed CMC renewal + non-signing cert requests (cfu) +- Bugzilla Bug #1447080 - CC: CMC: allow enrollment key signed (self-signed) + CMC with identity proof (cfu) +- Bugzilla Bug #1447144 - CA brought down during separate KRA instance + creation (mharmsen) +- Bugzilla Bug #1448903 - exception Invalid module "--ignore-banner" when + defined in ~/.dogtag/pki.conf and run pki pkcs12-import --help (edewata) +- Bugzilla Bug #1450143 - CA installation with HSM in FIPS mode fails (jmagne) +- Bugzilla Bug #1452123 - CA CS.cfg shows default port 
(mharmsen) +- Bugzilla Bug #1452250 - Inconsistent CERT_REQUEST_PROCESSED event in + ConnectorServlet. (edewata) +- Bugzilla Bug #1452340 - Ensuring common audit log correctness (edewata) +- Bugzilla Bug #1452344 - Adding serial number into CERT_REQUEST_PROCESSED + audit event. (edewata) + +* Tue May 9 2017 Dogtag Team 10.4.1-4 +- ########################################################################## +- RHEL 7.4: +- ########################################################################## +- Bugzilla Bug #1386303 - cannot extract generated private key from KRA when + HSM is used. (alee) +- Bugzilla Bug #1446364 - pkispawn returns before tomcat is ready (cheimes) +- Bugzilla Bug #1447145 - CMC: cmc.popLinkWitnessRequired=false would cause + error (cfu) +- Bugzilla Bug #1448203 - CAInfoService: retrieve KRA-related values from + the KRA (ftweedal) +- Bugzilla Bug #1448204 - pkispawn of clone install fails with + InvalidBERException (ftweedal) +- Bugzilla Bug #1448521 - kra unable to extract symmetric keys generated on + thales hsm (alee) +- Updated "jss" build and runtime requirements (mharmsen) +- ########################################################################## +- RHCS 9.2: +- ########################################################################## +- Bugzilla Bug #1274086 - [RFE] Add SCP03 support (RHCS) (jmagne) + +* Mon May 1 2017 Dogtag Team 10.4.1-3 +- ############################################################################ +- RHEL 7.4: +- ############################################################################ +- Bugzilla Bug #1303683 - dogtag should support GSSAPI based auth in + conjuction with FreeIPA (ftweedal) +- Bugzilla Bug #1385208 - RHCS 9.1 RC5 CA in the certificate profiles the + startTime parameter is not working as expected. 
(jmagne) +- Bugzilla Bug #1419756 - CC: allow CA to process pre-signed CMC non-signing + certificate requests (cfu) +- Bugzilla Bug #1426754 - PKCS12: upgrade to at least AES and SHA2 (ftweedal) +- Bugzilla Bug #1445088 - profile modification cannot remove existing config + parameters (ftweedal) +- Bugzilla Bug #1445535 - CC: Crypto Operation (AES Encryption/Decryption) + (RHEL) (alee) +- Bugzilla Bug #1446874 - Missing ClientIP and ServerIP in audit log when + pki CLI terminates SSL connection (edewata) +- Bugzilla Bug #1446875 - Session timeout for PKI console (RHEL) (edewata) +- ############################################################################ +- RHCS 9.2: +- ############################################################################ +- Bugzilla Bug #1404480 - CC: Crypto Operation (AES Encryption/Decryption) + (RHCS) (alee) + +* Mon Apr 17 2017 Dogtag Team 10.4.1-2 +- ############################################################################ +- RHEL 7.4: +- ############################################################################ +- Bugzilla Bug #1282504 - Installing pki-server in container reports + scriptlet failed, exit status 1 (jpazdziora) +- Bugzilla Bug #1400149 - pkispawn fails to create CA subsystem on FIPS + enabled system (edewata) +- Bugzilla Bug #1410650 - [RFE] Add SCP03 support + for sc 7 g & d cards (RHEL) (jmagne) +- Bugzilla Bug #1437591 - cli authentication using expired cert throws an + exception (edewata) +- Bugzilla Bug #1437602 - non-CA cli looks for CA in the instance during a + request (edewata) +- ############################################################################ +- RHCS 9.2: +- ############################################################################ +- Bugzilla Bug #1274086 - [RFE] Add SCP03 support + for sc 7 g & d cards (RHCS) (jmagne) +- ############################################################################ +- Common Criteria +- 
############################################################################ +- Bugzilla Bug #1404080 - CC: add audit event: various SSL/TLS failures + (edewata) +- Bugzilla Bug #1417307 - CC: Audit Review /Searches (edewata) +- Bugzilla Bug #1419737 - CC: CMC: id-cmc-popLinkWitnessV2 feature + implementation (cfu) + +* Mon Mar 27 2017 Dogtag Team 10.4.1-1 +- Require "nss >= 3.28.3" as a build and runtime requirement +- Require "jss >= 4.4.0-4" as a build and runtime requirement +- Require "tomcatjss >= 7.2.1-3" as a build and runtime requirement +- dogtagpki Pagure Issue #2612 - Unable to clone due to pki pkcs12-cert-find + failure (edewata) +- ############################################################################ +- Bugzilla Bug #1394309 - Rebase pki-core to 10.4.x in RHEL-7.4 +- Bugzilla Bug #1394315 - Rebase redhat-pki, redhat-pki-theme, pki-core, and + pki-console to 10.4.x +- ############################################################################ +- RHEL 7.4: +- ############################################################################ +- ############################################################################ +- RHCS 9.2: +- ############################################################################ +- ############################################################################ +- Common Criteria +- ############################################################################ +- Bugzilla Bug #1419734 - CC: CMC: id-cmc-identityProofV2 feature + implementation (cfu) +- Bugzilla Bug #1419742 - CC: CMC: provide Proof of Possession for encryption + cert requests (cfu) +- Bugzilla Bug #1404080 - CC: add audit event: various SSL/TLS failures + (edewata) +- Bugzilla Bug #1428020 - CC: CMC feature support: provided issuance + protection cert mechanism (cfu) + +* Tue Mar 14 2017 Dogtag Team 10.4.0-1 +- Require "jss >= 4.4.0-1" as a build and runtime requirement +- Require "tomcatjss >= 7.2.1-1" as a build and runtime requirement +- 
############################################################################ +- Bugzilla Bug #1394309 - Rebase pki-core to 10.4.x in RHEL-7.4 +- Bugzilla Bug #1394315 - Rebase redhat-pki, redhat-pki-theme, pki-core, and + pki-console to 10.4.x +- ############################################################################ +- RHEL 7.4: +- ############################################################################ +- Bugzilla Bug #1222557 - ECDSA Certificates Generated by Certificate System + 8.1 fail NIST validation test with parameter field. (cfu) +- Bugzilla Bug #1238684 - Generting Symmetric key fails with key-generate + when --usages verify (vakwetu) +- Bugzilla Bug #1246635 - user-cert-add --serial CLI request to secure port + with remote CA shows authentication failure (edewata) +- Bugzilla Bug #1249400 - CA EE: Submit caUserCert request without uid does + not show proper error message (vakwetu) +- Bugzilla Bug #1305993 - Add profile component that copies CN to SAN + (ftweedal) +- Bugzilla Bug #1316653 - pki ca-cert-request-submit fails presumably because + of missing authentication even if it should not require any (edewata) +- Bugzilla Bug #1325071 - add options to enable/disable cert or crl + publishing. (vakwetu) +- Bugzilla Bug #1330800 - Failed to start pki-tomcatd Service + ("ipa-cacert-manage renew" failed?) 
(edewata) +- Bugzilla Bug #1368410 - Misleading Logging for HSM (edewata) +- Bugzilla Bug #1372052 - Unable to search certificate requests using the + latest request ID (edewata) +- Bugzilla Bug #1375347 - Typo in comment line of + UserPwdDirAuthentication.java (edewata) +- Bugzilla Bug #1376226 - IPA replica-prepare failed with error + "Profile caIPAserviceCert Not Found" (ftweedal) +- Bugzilla Bug #1376488 - pkispawn fails as it is not able to find openssl as + a dependency package (mharmsen) +- Bugzilla Bug #1378275 - two-step externally-signed CA installation fails due + to missing AuthorityID (ftweedal) +- Bugzilla Bug #1378277 - Spurious host authority entries created (ftweedal) +- Bugzilla Bug #1378527 - Miscellaneous Minor Changes (edewata) +- Bugzilla Bug #1381084 - KRA installation failed against externally-signed CA + with partial certificate chain (edewata) +- Bugzilla Bug #1382066 - Problems with FIPS mode (edewata) +- Bugzilla Bug #1386371 - Remove xenroll.dll from pki-core (mharmsen) +- Bugzilla Bug #1386424 - Fix packaging duplicates of classes in multiple jar + files (edewata) +- Bugzilla Bug #1391737 - Changes to target.agent.approve.list parameter is + not reflected in the TPS Web UI (RHEL 7) (edewata) +- Bugzilla Bug #1392068 - [RFE] add express archivals and retrievals from KRA + (vakwetu) +- Bugzilla Bug #1395817 - Unable to install subordinate CA with HSM in FIPS + mode (edewata) +- Bugzilla Bug #1397200 - pkispawn does not change default ecc key size from + nistp256 when nistp384 is specified in spawn config (jmagne) +- Bugzilla Bug #1399862 - Dogtag 10.3.9 Man Pages (edewata) +- Bugzilla Bug #1404881 - TPS throws "err=6" when attempting to format and + enroll G&D Cards (jmagne) +- Bugzilla Bug #1405654 - Token memory not wiped after key deletion (RHEL) + (jmagne) +- Bugzilla Bug #1409946 - Request ID undefined for CA signing certificate + (vakwetu) +- Bugzilla Bug #1409949 - CA Certificate Issuance Date displayed on CA website + incorrect 
(vakwetu) +- Bugzilla Bug #1410650 - [RFE] Add SCP03 support (RHEL) (jmagne) +- Bugzilla Bug #1411428 - Unable to create a CA clone in FIPS (edewata) +- Bugzilla Bug #1412211 - Unable to set up KRA in FIPS (edewata) +- Bugzilla Bug #1412681 - update to 7.3 IPA with otpd bugfixes, tomcat will + not finish start, hangs (ftweedal) +- Bugzilla Bug #1413132 - pki-tomcat for 10+ minutes before generating cert + (edewata) +- Bugzilla Bug #1413136 - Problem with default AJP hostname in IPv6 + environment. (edewata) +- ############################################################################ +- RHCS 9.2: +- ############################################################################ +- Bugzilla Bug #1248553 - TPS Enrollment always goes to "ca1 (cfu) +- Bugzilla Bug #1274086 - [RFE] Add SCP03 support (RHCS) (jmagne) +- Bugzilla Bug #1274096 - [BUG] Add ability to disallow TPS to enroll a single + user on multiple tokens. (jmagne) +- Bugzilla Bug #1379379 - Unable to read an encrypted email using renewed + tokens (jmagne) +- Bugzilla Bug #1379749 - Automatic recovery of encryption cert is not working + when a token is physically damaged and a temporary token is issued (jmagne) +- Bugzilla Bug #1381375 - Cert/Key recovery is successful when the cert serial + number and key id on the ldap user mismatches (cfu) +- Bugzilla Bug #1381635 - Token format with external reg fails when + op.format.externalRegAddToToken.revokeCert=true (cfu) +- Bugzilla Bug #1382762 - PIN_RESET policy is not giving expected results when + set on a token (jmagne) +- Bugzilla Bug #1386257 - Changes to target.agent.approve.list parameter is + not reflected in the TPS Web UI (RHCS 9) (edewata) +- Bugzilla Bug #1391207 - Automatic recovery of encryption cert - CA and TPS + tokendb shows different certificate status (cfu) +- Bugzilla Bug #1395479 - TPS throws "err=6" when attempting to format and + enroll G&D Cards (RHCS) (jmagne) +- Bugzilla Bug #1404900 - Dogtag 10.3.9 logging properties (edewata) +- 
Bugzilla Bug #1405655 - Token memory not wiped after key deletion (RHCS) + (jmagne) +- ############################################################################ + +* Mon Mar 6 2017 Dogtag Team 10.3.3-18 +- ## RHEL 7.3.z Batch Update 4 +- Bugzilla Bug #1429492 - Add profile component that copies CN to SAN + (ftweedal) + +* Mon Jan 30 2017 Dogtag Team 10.3.3-17 +- ## RHCS 9.1.z Batch Update 3 +- Bugzilla Bug #1391207 - Automatic recovery of encryption cert - CA and TPS + tokendb shows different certificate status (cfu) +- ## RHEL 7.3.z Batch Update 3 +- Bugzilla Bug #1417063 - ECDSA Certificates Generated by Certificate System + 8.1 fail NIST validation test with parameter field. (cfu) +- Bugzilla Bug #1417064 - Unable to search certificate requests using the + latest request ID (edewata) +- Bugzilla Bug #1417065 - CA Certificate Issuance Date displayed on CA website + incorrect (alee) +- Bugzilla Bug #1417066 - update to 7.3 IPA with otpd bugfixes, tomcat will + not finish start, hangs (ftweedal) +- Bugzilla Bug #1417067 - pki-tomcat for 10+ minutes before generating cert + (edewata) +- Bugzilla Bug #1417190 - Problem with default AJP hostname in IPv6 + environment. 
(edewata) + +* Thu Dec 15 2016 Dogtag Team 10.3.3-16 +- Separate original patches into RHEL and RHCS portions +- ## RHEL 7.3.z Batch Update 2 +- Bugzilla Bug #1404176 - logging properties and man pages (edewata) +- Bugzilla Bug #1405328 - TPS throws "err=6" when attempting to format and + enroll G&D Cards (jmagne) +- ## RHCS 9.1.z Batch Update 2 +- Bugzilla Bug #1395479 - TPS throws "err=6" when attempting to format and + enroll G&D Cards (jmagne) +- Bugzilla Bug #1404900 - RHCS logging properties (edewata) + +* Tue Dec 13 2016 Dogtag Team 10.3.3-15 +- ## RHEL 7.3.z Batch Update 2 +- Bugzilla Bug #1404173 - user-cert-add --serial CLI request to secure port + with remote CA shows authentication failure (edewata) +- Bugzilla Bug #1404175 - pki ca-cert-request-submit fails presumably because + of missing authentication even if it should not require any (edewata) +- Bugzilla Bug #1404178 - Changes to target.agent.approve.list parameter is + not reflected in the TPS Web UI [pki-base] (edewata) +- Bugzilla Bug #1404172 - Unable to install subordinate CA with HSM in FIPS + mode (edewata) +- Bugzilla Bug #1403689 - pkispawn does not change default ecc key size from + nistp256 when nistp384 is specified in spawn config (jmagne) +- Bugzilla Bug #1404176 - logging properties and man pages (edewata) +- ## RHCS 9.1.z Batch Update 2 +- Bugzilla Bug #1386257 - Changes to target.agent.approve.list parameter is + not reflected in the TPS Web UI [pki-tps] (edewata) +- Bugzilla Bug #1391207 - Automatic recovery of encryption cert - CA and TPS + tokendb shows different certificate status (cfu) +- Bugzilla Bug #1395479 - TPS throws "err=6" when attempting to format and + enroll G&D Cards (jmagne) + +* Tue Nov 8 2016 Dogtag Team 10.3.3-14 +- Marked the following RHCS 9.1.z bug: + Bugzilla Bug #1382862 - TPS token enrollment fails to setupSecureChannel + when TPS and TKS security db is on fips mode. 
(jmagne) + as a duplicate of RHEL 7.3.z bug: + Bugzilla Bug #1389757 - Problems with FIPS mode (edewata) + and moved the patch from the RHCS 9.1.z bug to the RHEL 7.3.z bug. + +* Thu Nov 3 2016 Dogtag Team 10.3.3-13 +- ## RHEL 7.3.z Batch Update 1 +- Bugzilla Bug #1389757 - Problems with FIPS mode (edewata) + (added KRA key recovery via CLI in FIPS mode) +- ## RHCS 9.1.z Batch Update 1 +- Reverted patches associated with + Bugzilla Bug #1386257 - Changes to target.agent.approve.list parameter is + not reflected in the TPS Web UI (edewata) + +* Mon Oct 31 2016 Dogtag Team 10.3.3-12 +- ## RHEL 7.3.z Batch Update 1 +- Bugzilla Bug #1390318 - CA EE: Submit caUserCert request without uid does + not show proper error message (alee) +- Bugzilla Bug #1390319 - Failed to start pki-tomcatd Service + ("ipa-cacert-manage renew" failed?) (edewata) +- Bugzilla Bug #1390320 - pkispawn fails as it is not able to find openssl as + a dependency package (mharmsen) +- Bugzilla Bug #1390321 - two-step externally-signed CA installation fails due + to missing AuthorityID (ftweedal) +- Bugzilla Bug #1390322 - Spurious host authority entries created (ftweedal) +- Bugzilla Bug #1390324 - KRA installation failed against externally-signed CA + with partial certificate chain (edewata) +- Bugzilla Bug #1389757 - Problems with FIPS mode (edewata) +- Bugzilla Bug #1390311 - Fix packaging duplicates of classes in multiple jar + files (edewata) +- Bugzilla Bug #1390325 - Typo in comment line of UserPwdDirAuthentication.java + (edewata) +- ## RHCS 9.1.z Batch Update 1 +- Bugzilla Bug #1248553 - TPS Enrollment always goes to "ca1" (cfu) +- Bugzilla Bug #1274096 - [BUG] Add ability to disallow TPS to enroll a + single user on multiple tokens. 
(jmagne) +- Bugzilla Bug #1379379 - Unable to read an encrypted email using renewed + tokens (jmagne) +- Bugzilla Bug #1379749 - Automatic recovery of encryption cert is not working + when a token is physically damaged and a temporary token is issued (jmagne) +- Bugzilla Bug #1381375 - Cert/Key recovery is successful when the cert serial + number and key id on the ldap user mismatches +- Bugzilla Bug #1381635 - Token format with external reg fails when + op.format.externalRegAddToToken.revokeCert=true (cfu) +- Bugzilla Bug #1382762 - PIN_RESET policy is not giving expected results when + set on a token (jmagne) +- Bugzilla Bug #1382862 - TPS token enrollment fails to setupSecureChannel + when TPS and TKS security db is on fips mode. (jmagne) +- Bugzilla Bug #1386257 - Changes to target.agent.approve.list parameter is + not reflected in the TPS Web UI (edewata) + +* Mon Oct 10 2016 Dogtag Team 10.3.3-11 +- PKI TRAC Ticket #1527 - TPS Enrollment always goes to "ca1" (cfu) +- PKI TRAC Ticket #1664 - [BUG] Add ability to disallow TPS to enroll a single + user on multiple tokens. 
(jmagne) +- PKI TRAC Ticket #2478 - pkispawn fails as it is not able to find openssl as a + dependency package (mharmsen) +- PKI TRAC Ticket #2483 - Unable to read an encrypted email using renewed + tokens (jmagne) +- PKI TRAC Ticket #2496 - Cert/Key recovery is successful when the cert serial + number and key id on the ldap user mismatches (cfu) +- PKI TRAC Ticket #2505 - Fix packaging duplicates of classes in multiple jar + files (edewata) + +* Fri Sep 9 2016 Dogtag Team 10.3.3-10 +- Revert Patch: PKI TRAC Ticket #2449 - Unable to create system certificates + in different tokens (edewata) +- Resolves: rhbz #1374054 - ipa-replica-install fails setting up certificate +- Restores: rhbz #1319557 - pkispawn KRA instance is failing server +- Removes from Errata: rhbz #1372041 - Unable to create system certificates + in different tokens + +* Tue Sep 6 2016 Dogtag Team 10.3.3-9 +- PKI TRAC Ticket #1638 - Lightweight CAs: revoke certificate on CA deletion + (ftweedal) +- PKI TRAC Ticket #2436 - Dogtag 10.3.6: Miscellaneous Enhancements + (edewata) +- PKI TRAC Ticket #2443 - Prevent deletion of host CA's keys if LWCA entry + deleted (ftweedal) +- PKI TRAC Ticket #2444 - Authority entry without entryUSN is skipped even if + USN plugin enabled (ftweedal) +- PKI TRAC Ticket #2446 - pkispawn: make subject_dn defaults unique per + instance name (for shared HSM) (cfu) +- PKI TRAC Ticket #2447 - CertRequestInfo has incorrect URLs (vakwetu) +- PKI TRAC Ticket #2449 - Unable to create system certificates in different + tokens (edewata) + +* Mon Aug 29 2016 Dogtag Team 10.3.3-8 +- PKI TRAC Ticket #1578 - Authentication Instance Id PinDirEnrollment with authType value as SslclientAuth is not working (jmagne) +- PKI TRAC TIcket #2414 - pki pkcs12-cert-del shows a successfully deleted message when a wrong nickname is provided (gkapoor) +- PKI TRAC Ticket #2423 - pki_ca_signing_token when not specified does not fallback to pki_token_name value (edewata) +- PKI TRAC Ticket #2436 - Dogtag 
10.3.6: Miscellaneous Enhancements (akasurde) - ticket remains open +- PKI TRAC Ticket #2439 - Outdated deployment descriptors in upgraded server(edewata) + +* Tue Aug 23 2016 Dogtag Team 10.3.3-7 +- PKI TRAC Ticket #690 - [MAN] pki-tools man pages (mharmsen) + - CMCEnroll +- PKI TRAC Ticket #833 - pki user-mod fullName="" gives an error message + "PKIException: LDAP error (21): error result" (edewata) +- PKI TRAC Ticket #2431 - Errors noticed during ipa server upgrade. + (cheimes, edewata, mharmsen) +- PKI TRAC Ticket #2432 - Kra-selftest behavior is not as expected (edewata) +- PKI TRAC Ticket #2436 - Dogtag 10.3.6: Miscellaneous Enhancements + (edewata, mharmsen) +- PKI TRAC Ticket #2437 - TPS UI: while adding certs for users from TPSUI pem + format with/without header works while pkcs7 with header is not allowed + (edewata) +- PKI TRAC Ticket #2440 - Optional CA signing CSR for migration (edewata) + +* Mon Aug 15 2016 Dogtag Team 10.3.3-6 +- Bugzilla Bug #1366465 - Errata TPS upgrade test fails + +* Mon Aug 8 2016 Dogtag Team 10.3.3-5 +- PKI TRAC Ticket #978 - TPS connector man page: add revocation routing + info (cfu) +- PKI TRAC Ticket #1285 - [MAN] Apply 'generateCRMFRequest() removed from + Firefox' workarounds to appropriate 'pki' man page (jmagne) +- PKI TRAC Ticket #2246 - [MAN] Man Page: AuditVerify (cfu) +- PKI TRAC Ticket #2381 - Throws exception while providing invalid module. 
+ (edewata)
+- PKI TRAC Ticket #2383 - CLI :: pki client-cert-request --extractable
+ should accept only boolean value (edewata)
+- PKI TRAC Ticket #2389 - Installation: subsystem certs could have notAfter
+ beyond CA signing cert in case of external or existing CA (cfu)
+- PKI TRAC Ticket #2399 - Dogtag 10.3.5: Miscellaneous Enhancements
+ (akasurde, alee, cheimes, edewata, jmagne, mharmsen)
+- PKI TRAC Ticket #2401 - pkispawn calls dnsdomainname even if it does not
+ rpm-require hostname (mharmsen)
+- PKI TRAC Ticket #2402 - Conflict in file ownership in pki-base and
+ pki-server (cheimes)
+- PKI TRAC Ticket #2403 - Deployment problem with RESTEasy 3.0.17 (edewata)
+- PKI TRAC Ticket #2406 - Make starting CRL Number configurable (jmagne)
+- PKI TRAC Ticket #2412 - pki client-cert-import --trust option does not
+ apply the specified trust bits (alee)
+- PKI TRAC Ticket #2418 - [TPS] Some template substitution didn't happen
+ during installation (alee)
+- PKI TRAC Ticket #2420 - CA subsystem OSCP responder fails when LWCAs are
+ not used (ftweedal)
+- PKI TRAC Ticket #2421 - Incorrect SELinux contexts
+ Installation/Configuration (edewata)
+- PKI TRAC Ticket #2424 - ipa-ca-install fails on replica when IPA server
+ is converted from CA-less to CA-full (edewata)
+- PKI TRAC Ticket #2428 - broken request links for CA's system certs in
+ agent request viewing (cfu)
+- PKI TRAC Ticket #2430 - CA Agent certificate list is not sorted by serial
+ number in migration case (jmagne)
+- PKI TRAC Ticket #2431 - Errors noticed during ipa server upgrade.
+ (mharmsen)
+- PKI TRAC Ticket #2433 - Lightweight CA GET /chain returns bogus PEM
+ data (ftweedal)
+
+* Tue Jul 5 2016 Dogtag Team 10.3.3-3
+- PKI TRAC Ticket #691 - [MAN] pki-server man pages (mharmsen)
+- PKI TRAC Ticket #1114 - [MAN] Generting Symmetric key fails with
+ key-generate when --usages verify is passed (jmagne)
+- PKI TRAC Ticket #1306 - [RFE] Add granularity to token termination in TPS
+ (cfu)
+- PKI TRAC Ticket #1308 - [RFE] Provide ability to perform off-card key
+ generation for non-encryption token keys (cfu)
+- PKI TRAC Ticket #1405 - [MAN] Add additional HSM details to
+ 'pki_default.cfg' & 'pkispawn' man pages (mharmsen)
+- PKI TRAC Ticket #1607 - [MAN] man pkispawn has inadequate description for
+ shared vs non shared tomcat instance installation (mharmsen)
+- PKI TRAC Ticket #1664 - [BUG] Add ability to disallow TPS to enroll a single
+ user on multiple tokens. (jmagne)
+- PKI TRAC Ticket #1711 - CLI :: pki-server ca-cert-request-find throws
+ IOError (edewata, ftweedal)
+- PKI TRAC Ticket #2285 - freeipa fails to start correctly after pki-core
+ update on upgraded system (ftweedal)
+- PKI TRAC Ticket #2311 - When pki_token_name=Internal, consider normalizing
+ it to "internal" (mharmsen)
+- PKI TRAC Ticket #2349 - Separated TPS does not automatically receive shared
+ secret from remote TKS (jmagne)
+- PKI TRAC Ticket #2364 - CLI :: pki-server ca-cert-request-show throws
+ attribute error (ftweedal)
+- PKI TRAC Ticket #2368 - pki-server subsystem subcommands throws error with
+ --help option (edewata)
+- PKI TRAC Ticket #2374 - KRA cloning overwrites CA signing certificate trust
+ flags (edewata)
+- PKI TRAC Ticket #2380 - Pki-server instance commands throws exception while
+ specifying invalid parameters. (edewata)
+- PKI TRAC Ticket #2384 - CA installation with HSM prompts for HSM password
+ during silent installation (edewata)
+- PKI TRAC Ticket #2385 - Upgraded CA lacks ca.sslserver.certreq in CS.cfg
+ (ftweedal)
+- PKI TRAC Ticket #2387 - Add config for default OCSP URI if none given
+ (ftweedal)
+- PKI TRAC Ticket #2388 - CA creation responds 500 if certificate issuance
+ fails (ftweedal)
+- PKI TRAC Ticket #2389 - Installation: subsystem certs could have notAfter
+ beyond CA signing cert in case of external or existing CA (cfu)
+- PKI TRAC Ticket #2390 - Dogtag 10.3.4: Miscellaneous Enhancements
+ (akasurde, edewata)
+
+* Thu Jun 30 2016 Dogtag Team 10.3.3-2
+- PKI TRAC Ticket #2373 - Fedora 25: RestEasy 3.0.6 ==> 3.0.17 breaks
+ pki-core (ftweedal)
+
+* Mon Jun 20 2016 Dogtag Team 10.3.3-1
+- Updated release number to 10.3.3-1
+
+* Tue Jun 7 2016 Dogtag Team 10.3.3-0.1
+- Updated version number to 10.3.3-0.1
+
+* Tue Jun 7 2016 Dogtag Team 10.3.2-5
+- Provided cleaner runtime dependency separation
+
+* Tue Jun 7 2016 Dogtag Team 10.3.2-4
+- Updated tomcatjss version dependencies
+
+* Tue Jun 7 2016 Dogtag Team 10.3.2-3
+- Updated 'java', 'java-headless', and 'java-devel' dependencies to 1:1.8.0.
+
+* Tue Jun 7 2016 Dogtag Team 10.3.2-2
+- Updated tomcat version dependencies
+
+* Tue Jun 7 2016 Dogtag Team 10.3.2-1
+- Updated version number to 10.3.2-1
+
+* Wed May 18 2016 Dogtag Team 10.3.2-0.1
+- Updated version number to 10.3.2-0.1
+
+* Tue May 17 2016 Dogtag Team 10.3.1-1
+- Updated version number to 10.3.1-1 (to allow upgrade from 10.3.0.b1)
+
+* Mon May 16 2016 Dogtag Team 10.3.0-1
+- Updated version number to 10.3.0-1
+
+* Mon Apr 18 2016 Dogtag Team 10.3.0.b1-1
+- Build for F24 beta
+
+* Fri Apr 8 2016 Dogtag Team 10.3.0.a2-2
+- PKI TRAC Ticket #2255 - PKCS #12 backup does not contain trust attributes.
+
+* Thu Apr 7 2016 Dogtag Team 10.3.0.a2-1
+- Updated build for F24 alpha
+
+* Wed Mar 23 2016 Dogtag Team 10.3.0.a1-2
+- PKI TRAC Ticket #1625 - Allow multiple ACLs of same name
+ (union of rules) [ftweedal]
+- PKI TRAC Ticket #2237 - Add CRL dist points extension to OIDMap
+ unconditionally [edewata]
+- PKI TRAC Ticket #1803 - Removed unnecessary URL encoding for admin cert
+ request. [edewata]
+- PKI TRAC Ticket #1742 - Added support for cloning 3rd-party CA
+ certificates. [edewata]
+- PKI TRAC Ticket #1482 - Added TPS token filter dialog. [edewata]
+- PKI TRAC Ticket #1808 - Fixed illegal token state transition
+ via TEMP_LOST. [edewata]
+
+* Fri Mar 4 2016 Dogtag Team 10.3.0.a1-1
+- Build for F24 alpha
+
+* Tue Mar 1 2016 Dogtag Team 10.3.0-0.5
+- PKI Trac Ticket #1399 - Move java components out of pki-base
+
+* Thu Feb 11 2016 Dogtag Team 10.3.0-0.4
+- PKI TRAC Ticket #1850 - Rename DRMTool --> KRATool
+
+* Thu Feb 4 2016 Dogtag Team 10.3.0-0.3
+- PKI TRAC Ticket #1714 - mod_revocator and mod_nss dependency for tps
+ should be removed
+
+* Sat Oct 3 2015 Dogtag Team 10.3.0-0.2
+- PKI TRAC Ticket #1623 - Runtime dependency on python-nss is missing
+
+* Sat Aug 8 2015 Dogtag Team 10.3.0-0.1
+- Updated version number to 10.3.0-0.1
+
+* Fri Aug 7 2015 Dogtag Team 10.2.7-0.3
+- Added dep on tomcat-servlet-3.1-api [Fedora 23 and later] or dep on
+ tomcat-servlet-3.0-api [Fedora 22 and later] to pki-tools
+- Updated dep on tomcatjss [Fedora 23 and later]
+
+* Fri Jul 24 2015 Tomas Radej - 10.2.7-0.2
+- Updated dep on policycoreutils-python-utils [Fedora 23 and later]
+
+* Sat Jul 18 2015 Dogtag Team 10.2.7-0.1
+- Updated version number to 10.2.7-0.1
+
+* Sat Jul 18 2015 Dogtag Team 10.2.6-1
+- Update release number for release build
+
+* Fri Jul 17 2015 Dogtag Team 10.2.6-0.3
+- Remove setup directory and remaining Perl dependencies
+
+* Sat Jun 20 2015 Dogtag Team 10.2.6-0.2
+- Remove ExcludeArch directive
+
+* Fri Jun 19 2015 Dogtag Team 10.2.6-0.1
+- Updated version number to 10.2.6-0.1
+
+* Fri Jun 19 2015 Dogtag Team 10.2.5-1
+- Update release number for release build
+
+* Wed Jun 17 2015 Dogtag Team 10.2.5-0.2
+- Resolves rhbz #1230970 - Errata TPS tests for rpm verification failed
+
+* Tue May 26 2015 Dogtag Team 10.2.5-0.1
+- Updated version number to 10.2.5-0.1
+
+* Tue May 26 2015 Dogtag Team 10.2.4-1
+- Update release number for release build
+
+* Tue May 12 2015 Dogtag Team 10.2.4-0.2
+- Updated nuxwdog and tomcatjss requirements (alee)
+
+* Thu Apr 23 2015 Dogtag Team 10.2.4-0.1
+- Updated version number to 10.2.4-0.1
+- Added nuxwdog systemd files
+
+* Thu Apr 23 2015 Dogtag Team 10.2.3-1
+- Update release number for release build
+
+* Thu Apr 9 2015 Dogtag Team 10.2.3-0.1
+- Reverted version number back to 10.2.3-0.1
+- Added support for Tomcat 8.
+
+* Mon Apr 6 2015 Dogtag Team 10.3.0-0.1
+- Updated version number to 10.3.0-0.1
+
+* Wed Mar 18 2015 Dogtag Team 10.2.3-0.1
+- Updated version number to 10.2.3-0.1
+
+* Tue Mar 17 2015 Dogtag Team 10.2.2-1
+- Update release number for release build
+
+* Thu Jan 8 2015 Dogtag Team 10.2.2-0.1
+- Updated version number to 10.2.2-0.1
+- Moved web application deployment locations.
+- Updated Resteasy and Jackson dependencies.
+- Added missing python-lxml build dependency.
+
+* Thu Jan 8 2015 Dogtag Team 10.2.1-1
+- Update release number for release build
+
+* Tue Dec 16 2014 Matthew Harmsen - 10.2.1-0.4
+- PKI TRAC Ticket #1187 - mod_perl should be removed from requirements for 10.2
+- PKI TRAC Ticket #1205 - Outdated selinux-policy dependency.
+- Removed perl(XML::LibXML), perl-Crypt-SSLeay, and perl-Mozilla-LDAP runtime
+ dependencies
+
+* Fri Dec 12 2014 Ade Lee 10.2.1-0.3
+- Change resteasy dependencies for F22+
+
+* Mon Nov 24 2014 Christina Fu 10.2.1-0.2
+- Ticket 1198 Bugzilla 1158410 add TLS range support to server.xml by
+ default and upgrade (cfu)
+- PKI Trac Ticket #1211 - New release overwrites old source tarball (mharmsen)
+- up the release number to 0.2
+
+* Fri Oct 24 2014 Dogtag Team 10.2.1-0.1
+- Updated version number to 10.2.1-0.1.
+- Added CLIs to simplify generating user certificates
+- Added enhancements to KRA Python API
+- Added a man page for pki ca-profile commands.
+- Added python api docs
+
+* Wed Oct 1 2014 Ade Lee 10.2.0-3
+- Disable pylint dependency for RHEL builds
+- Added jakarta-commons-httpclient requirements
+- Added tomcat version for RHEL build
+- Added resteasy-base-client for RHEL build
+
+* Wed Sep 24 2014 Matthew Harmsen - 10.2.0-2
+- PKI TRAC Ticket #1130 - Add RHEL/CentOS conditionals to spec
+
+* Wed Sep 3 2014 Dogtag Team 10.2.0-1
+- Update release number for release build
+
+* Wed Sep 3 2014 Matthew Harmsen - 10.2.0-0.10
+- PKI TRAC Ticket #1017 - Rename pki-tps-tomcat to pki-tps
+
+* Fri Aug 29 2014 Matthew Harmsen - 10.2.0-0.9
+- Merged jmagne@redhat.com's spec file changes from the stand-alone
+ 'pki-tps-client' package needed to build/run the native 'tpsclient'
+ command line utility into this 'pki-core' spec file under the 'tps' package.
+- Original tps libararies must be built to support this native utility.
+- Modifies tps package from 'noarch' into 'architecture-specific' package
+
+* Wed Aug 27 2014 Matthew Harmsen - 10.2.0-0.8
+- PKI TRAC Ticket #1127 - Remove 'pki-ra', 'pki-setup', and 'pki-silent'
+ packages . . .
+
+* Sun Aug 17 2014 Fedora Release Engineering - 10.2.0-0.5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Wed Aug 13 2014 Jack Magne - 10.2.0-0.7
+- Respin to include the applet files with the rpm install. No change
+ to spec file needed.
+
+* Tue Jul 15 2014 Matthew Harmsen - 10.2.0-0.6
+- Bugzilla Bug #1120045 - pki-core: Switch to java-headless (build)requires --
+ drop dependency on java-atk-wrapper
+- Removed 'java-atk-wrapper' dependency from 'pki-server'
+
+* Wed Jul 2 2014 Matthew Harmsen - 10.2.0-0.5
+- PKI TRAC Ticket #832 - Remove legacy 'systemctl' files . . .
+
+* Tue Jul 1 2014 Ade Lee - 10.2.0-0.4
+- Update rawhide build
+
+* Sat Jun 07 2014 Fedora Release Engineering - 10.2.0-0.3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Fri Mar 28 2014 Michael Simacek - 10.2.0-0.2
+- Use Requires: java-headless rebuild (#1067528)
+
+* Fri Nov 22 2013 Dogtag Team 10.2.0-0.1
+- Added option to build without server packages.
+- Replaced Jettison with Jackson.
+- Added python-nss build requirement
+- Bugzilla Bug #1057959 - pkispawn requires policycoreutils-python
+- TRAC Ticket #840 - pkispawn requires policycoreutils-python
+- Updated requirements for resteasy
+- Added template files for archive, retrieve and generate key
+ requests to the client package.
+
+* Fri Nov 15 2013 Ade Lee 10.1.0-1
+- Trac Ticket 788 - Clean up spec files
+- Update release number for release build
+- Updated requirements for resteasy
+
+* Sun Nov 10 2013 Ade Lee 10.1.0-0.14
+- Change release number for beta build
+
+* Thu Nov 7 2013 Ade Lee 10.1.0-0.13
+- Updated requirements for tomcat
+
+* Fri Oct 4 2013 Ade Lee 10.1.0-0.12
+- Removed additional /var/run, /var/lock references.
+
+* Fri Oct 4 2013 Ade Lee 10.1.0-0.11
+- Removed delivery of /var/lock and /var/run directories for fedora 20.
+
+* Wed Aug 14 2013 Endi S. Dewata 10.1.0-0.10
+- Moved Tomcat-based TPS into pki-core.
+
+* Wed Aug 14 2013 Abhishek Koneru 10.1.0.0.9
+- Listed new packages required during build, due to issues reported
+ by pylint.
+- Packages added: python-requests, python-ldap, libselinux-python,
+ policycoreutils-python
+
+* Fri Aug 09 2013 Abhishek Koneru 10.1.0.0.8
+- Added pylint scan to the build process.
+
+* Mon Jul 22 2013 Endi S. Dewata 10.1.0-0.7
+- Added man pages for upgrade tools.
+
+* Wed Jul 17 2013 Endi S. Dewata 10.1.0-0.6
+- Cleaned up the code to install man pages.
+
+* Tue Jul 16 2013 Endi S. Dewata 10.1.0-0.5
+- Reorganized deployment tools.
+
+* Tue Jul 9 2013 Ade Lee 10.1.0-0.4
+- Bugzilla Bug 973224 - resteasy-base must be split into subpackages
+ to simplify dependencies
+
+* Fri Jun 14 2013 Endi S. Dewata 10.1.0-0.3
+- Updated dependencies to Java 1.7.
+
+* Wed Jun 5 2013 Matthew Harmsen 10.1.0-0.2
+- TRAC Ticket 606 - add restart / start at boot info to pkispawn man page
+- TRAC Ticket 610 - Document limitation in using GUI install
+- TRAC Ticket 629 - Package ownership of '/usr/share/pki/etc/' directory
+
+* Tue May 7 2013 Ade Lee 10.1.0-0.1
+- Change release number for 10.1 development
+
+* Mon May 6 2013 Endi S. Dewata 10.0.2-5
+- Fixed incorrect JNI_JAR_DIR.
+
+* Sat May 4 2013 Ade Lee 10.0.2-4
+- TRAC Ticket 605 Junit internal function used in TestRunner,
+ breaks F19 build
+
+* Sat May 4 2013 Ade Lee 10.0.2-3
+- TRAC Ticket 604 Added fallback methods for pkispawn tests
+
+* Mon Apr 29 2013 Endi S. Dewata 10.0.2-2
+- Added default pki.conf in /usr/share/pki/etc
+- Create upgrade tracker on install and remove it on uninstall
+
+* Fri Apr 26 2013 Ade Lee 10.0.2-1
+- Change release number for official release.
+
+* Thu Apr 25 2013 Ade Lee 10.0.2-0.8
+- Added %pretrans script for f19
+- Added java-atk-wrapper dependency
+
+* Wed Apr 24 2013 Endi S. Dewata 10.0.2-0.7
+- Added pki-server-upgrade script and pki.server module.
+- Call upgrade scripts in %post for pki-base and pki-server.
+
+* Tue Apr 23 2013 Endi S. Dewata 10.0.2-0.6
+- Added dependency on commons-io.
+
+* Mon Apr 22 2013 Ade Lee 10.0.2-0.5
+- Add /var/log/pki and /var/lib/pki directories
+
+* Tue Apr 16 2013 Endi S. Dewata 10.0.2-0.4
+- Run pki-upgrade on post server installation.
+
+* Mon Apr 15 2013 Endi S. Dewata 10.0.2-0.3
+- Added dependency on python-lxml.
+
+* Fri Apr 5 2013 Endi S. Dewata 10.0.2-0.2
+- Added pki-upgrade script.
+
+* Fri Apr 5 2013 Endi S. Dewata 10.0.2-0.1
+- Updated version number to 10.0.2-0.1.
+
+* Fri Apr 5 2013 Endi S. Dewata 10.0.1-9
+- Renamed base/deploy to base/server.
+- Moved pki.conf into pki-base.
+- Removed redundant pki/server folder declaration.
+
+* Tue Mar 19 2013 Ade Lee 10.0.1-8
+- Removed jython dependency
+
+* Mon Mar 11 2013 Endi S. Dewata 10.0.1-7
+- Added minimum python-requests version.
+
+* Fri Mar 8 2013 Matthew Harmsen 10.0.1-6
+- Bugzilla Bug #919476 - pkispawn crashes due to dangling symlink to jss4.jar
+
+* Thu Mar 7 2013 Endi S. Dewata 10.0.1-5
+- Added dependency on python-requests.
+- Reorganized Python module packaging.
+
+* Thu Mar 7 2013 Endi S. Dewata 10.0.1-4
+- Added dependency on python-ldap.
+
+* Mon Mar 4 2013 Matthew Harmsen 10.0.1-3
+- TRAC Ticket #517 - Clean up theme dependencies
+- TRAC Ticket #518 - Remove UI dependencies from pkispawn . . .
+
+* Fri Mar 1 2013 Matthew Harmsen 10.0.1-2
+- Removed runtime dependency on 'pki-server-theme' to resolve
+ Bugzilla Bug #916134 - unresolved dependency in pki-server: pki-server-theme
+
+* Tue Jan 15 2013 Ade Lee 10.0.1-1
+- TRAC Ticket 214 - Missing error description for duplicate user
+- TRAC Ticket 213 - Add nonces for cert revocation
+- TRAC Ticket 367 - pkidestroy does not remove connector
+- TRAC Ticket #430 - License for 3rd party code
+- Bugzilla Bug 839426 - [RFE] ECC CRL support for OCSP
+- Fix spec file to allow f17 to work with latest tomcatjss
+- TRAC Ticket 466 - Increase root CA validity to 20 years
+- TRAC Ticket 469 - Fix tomcatjss issue in spec files
+- TRAC Ticket 468 - pkispawn throws exception
+- TRAC Ticket 191 - Mapping HTTP Exceptions to HTTP error codes
+- TRAC Ticket 271 - Dogtag 10: Fix 'status' command in 'pkidaemon' . . .
+- TRAC Ticket 437 - Make admin cert p12 file location configurable
+- TRAC Ticket 393 - pkispawn fails when selinux is disabled
+- Punctuation and formatting changes in man pages
+- Revert to using default config file for pkidestroy
+- Hardcode setting of resteasy-lib for instance
+- TRAC Ticket 436 - Interpolation for pki_subsystem
+- TRAC Ticket 433 - Interpolation for paths
+- TRAC Ticket 435 - Identical instance id and instance name
+- TRAC Ticket 406 - Replace file dependencies with package dependencies
+
+* Wed Jan 9 2013 Matthew Harmsen 10.0.0-5
+- TRAC Ticket #430 - License for 3rd party code
+
+* Fri Jan 4 2013 Matthew Harmsen 10.0.0-4
+- TRAC Ticket #469 - Dogtag 10: Fix tomcatjss issue in pki-core.spec and
+ dogtag-pki.spec . . .
+- TRAC Ticket #468 - pkispawn throws exception
+
+* Wed Dec 12 2012 Ade Lee 10.0.0-3
+- Replaced file dependencies with package dependencies
+
+* Mon Dec 10 2012 Ade Lee 10.0.0-2
+- Updated man pages
+
+* Fri Dec 7 2012 Ade Lee 10.0.0-1
+- Update to official release for rc1
+
+* Thu Dec 6 2012 Matthew Harmsen 10.0.0-0.56.b3
+- TRAC Ticket #315 - Man pages for pkispawn/pkidestroy.
+- Added place-holders for 'pki.1' and 'pki_default.cfg.5' man pages.
+
+* Thu Dec 6 2012 Endi S. Dewata 10.0.0-0.55.b3
+- Added system-wide configuration /etc/pki/pki.conf.
+- Removed redundant lines in %files.
+
+* Tue Dec 4 2012 Endi S. Dewata 10.0.0-0.54.b3
+- Moved default deployment configuration to /etc/pki.
+
+* Mon Nov 19 2012 Ade Lee 10.0.0-0.53.b3
+- Cleaned up spec file to provide only support rhel 7+, f17+
+- Added resteasy-base dependency for rhel 7
+- Update cmake version
+
+* Mon Nov 12 2012 Ade Lee 10.0.0-0.52.b3
+- Update release to b3
+
+* Fri Nov 9 2012 Endi S. Dewata 10.0.0-0.51.b2
+- Removed dependency on CA, KRA, OCSP, TKS theme packages.
+
+* Thu Nov 8 2012 Endi S. Dewata 10.0.0-0.50.b2
+- Renamed pki-common-theme to pki-server-theme.
+
+* Thu Nov 8 2012 Matthew Harmsen 10.0.0-0.49.b2
+- TRAC Ticket #395 - Dogtag 10: Add a Tomcat 7 runtime requirement to
+ 'pki-server'
+
+* Mon Oct 29 2012 Ade Lee 10.0.0-0.48.b2
+- Update release to b2
+
+* Wed Oct 24 2012 Matthew Harmsen 10.0.0-0.47.b1
+- TRAC Ticket #350 - Dogtag 10: Remove version numbers from PKI jar files . . .
+
+* Tue Oct 23 2012 Ade Lee 10.0.0-0.46.b1
+- Added Obsoletes for pki-selinux
+
+* Tue Oct 23 2012 Ade Lee 10.0.0-0.45.b1
+- Remove build of pki-selinux for f18, use system policy instead
+
+* Fri Oct 12 2012 Ade Lee 10.0.0-0.44.b1
+- Update required tomcatjss version
+- Added net-tools dependency
+
+* Mon Oct 8 2012 Ade Lee 10.0.0-0.43.b1
+- Update selinux-policy version to fix error from latest policy changes
+
+* Mon Oct 8 2012 Ade Lee 10.0.0-0.42.b1
+- Fix typo in selinux policy versions
+
+* Mon Oct 8 2012 Ade Lee 10.0.0-0.41.b1
+- Added build requires for correct version of selinux-policy-devel
+
+* Mon Oct 8 2012 Ade Lee 10.0.0-0.40.b1
+- Update release to b1
+
+* Fri Oct 5 2012 Endi S. Dewata 10.0.0-0.40.a2
+- Merged pki-silent into pki-server.
+
+* Fri Oct 5 2012 Endi S. Dewata 10.0.0-0.39.a2
+- Renamed "shared" folder to "server".
+
+* Fri Oct 5 2012 Ade Lee 10.0.0-0.38.a2
+- Added required selinux versions for new policy.
+
+* Tue Oct 2 2012 Endi S. Dewata 10.0.0-0.37.a2
+- Added Provides to packages replacing obsolete packages.
+
+* Mon Oct 1 2012 Ade Lee 10.0.0-0.36.a2
+- Update release to a2
+
+* Sun Sep 30 2012 Endi S. Dewata 10.0.0-0.36.a1
+- Modified CMake to use RPM version number
+
+* Tue Sep 25 2012 Endi S. Dewata 10.0.0-0.35.a1
+- Added VERSION file
+
+* Mon Sep 24 2012 Endi S. Dewata 10.0.0-0.34.a1
+- Merged pki-setup into pki-server
+
+* Thu Sep 13 2012 Ade Lee 10.0.0-0.33.a1
+- Added Conflicts for IPA 2.X
+- Added build requires for zip to work around mock problem
+
+* Wed Sep 12 2012 Matthew Harmsen 10.0.0-0.32.a1
+- TRAC Ticket #312 - Dogtag 10: Automatically restart any running instances
+ upon RPM "update" . . .
+- TRAC Ticket #317 - Dogtag 10: Move "pkispawn"/"pkidestroy"
+ from /usr/bin to /usr/sbin . . .
+
+* Wed Sep 12 2012 Endi S. Dewata 10.0.0-0.31.a1
+- Fixed pki-server to include everything in shared dir.
+
+* Tue Sep 11 2012 Endi S. Dewata 10.0.0-0.30.a1
+- Added build dependency on redhat-rpm-config.
+
+* Thu Aug 30 2012 Endi S. Dewata 10.0.0-0.29.a1
+- Merged Javadoc packages.
+
+* Thu Aug 30 2012 Endi S. Dewata 10.0.0-0.28.a1
+- Added pki-tomcat.jar.
+
+* Thu Aug 30 2012 Endi S. Dewata 10.0.0-0.27.a1
+- Moved webapp creation code into pkispawn.
+
+* Mon Aug 20 2012 Endi S. Dewata 10.0.0-0.26.a1
+- Split pki-client.jar into pki-certsrv.jar and pki-tools.jar.
+
+* Mon Aug 20 2012 Endi S. Dewata 10.0.0-0.25.a1
+- Merged pki-native-tools and pki-java-tools into pki-tools.
+- Modified pki-server to depend on pki-tools.
+
+* Mon Aug 20 2012 Endi S. Dewata 10.0.0-0.24.a1
+- Split pki-common into pki-base and pki-server.
+- Merged pki-util into pki-base.
+- Merged pki-deploy into pki-server.
+
+* Thu Aug 16 2012 Matthew Harmsen 10.0.0-0.23.a1
+- Updated release of 'tomcatjss' to rely on Tomcat 7 for Fedora 17
+- Changed Dogtag 10 build-time and runtime requirements for 'pki-deploy'
+- Altered PKI Package Dependency Chain (top-to-bottom):
+ pki-ca, pki-kra, pki-ocsp, pki-tks --> pki-deploy --> pki-common
+
+* Mon Aug 13 2012 Endi S. Dewata 10.0.0-0.22.a1
+- Added pki-client.jar.
+
+* Fri Jul 27 2012 Endi S. Dewata 10.0.0-0.21.a1
+- Merged pki-jndi-realm.jar into pki-cmscore.jar.
+
+* Tue Jul 24 2012 Matthew Harmsen 10.0.0-0.20.a1
+- PKI TRAC Task #254 - Dogtag 10: Fix spec file to build successfully
+ via mock on Fedora 17 . . .
+
+* Wed Jul 11 2012 Matthew Harmsen 10.0.0-0.19.a1
+- Moved 'pki-jndi-real.jar' link from 'tomcat6' to 'tomcat' (Tomcat 7)
+
+* Thu Jun 14 2012 Matthew Harmsen 10.0.0-0.18.a1
+- Updated release of 'tomcatjss' to rely on Tomcat 7 for Fedora 18
+
+* Tue May 29 2012 Endi S. Dewata 10.0.0-0.17.a1
+- Added CLI for REST services
+
+* Fri May 18 2012 Matthew Harmsen 10.0.0-0.16.a1
+- Integration of Tomcat 7
+- Addition of centralized 'pki-tomcatd' systemd functionality to the
+ PKI Deployment strategy
+- Removal of 'pki_flavor' attribute
+
+* Mon Apr 16 2012 Ade Lee 10.0.0-0.15.a1
+- BZ 813075 - selinux denial for file size access
+
+* Thu Apr 5 2012 Christina Fu 10.0.0-0.14.a1
+- Bug 745278 - [RFE] ECC encryption keys cannot be archived
+
+* Tue Mar 27 2012 Endi S. Dewata 10.0.0-0.13.a1
+- Replaced candlepin-deps with resteasy
+
+* Fri Mar 23 2012 Endi S. Dewata 10.0.0-0.12.a1
+- Added option to build without Javadoc
+
+* Fri Mar 16 2012 Ade Lee 10.0.0-0.11.a1
+- BZ 802396 - Change location of TOMCAT_LOG to match tomcat6 changes
+- Corrected patch selected for selinux f17 rules
+
+* Wed Mar 14 2012 Matthew Harmsen 10.0.0-0.10.a1
+- Corrected 'junit' dependency check
+
+* Mon Mar 12 2012 Matthew Harmsen 10.0.0-0.9.a1
+- Initial attempt at PKI deployment framework described in
+ 'http://pki.fedoraproject.org/wiki/PKI_Instance_Deployment'.
+
+* Fri Mar 09 2012 Jack Magne 10.0.0-0.8.a1
+- Added support for pki-jndi-realm in tomcat6 in pki-common
+ and pki-kra.
+- Ticket #69.
+
+* Fri Mar 2 2012 Matthew Harmsen 10.0.0-0.7.a1
+- For 'mock' purposes, removed platform-specific logic from around
+ the 'patch' files so that ALL 'patch' files will be included in
+ the SRPM.
+
+* Wed Feb 29 2012 Endi S. Dewata 10.0.0-0.6.a1
+- Removed dependency on OSUtil.
+
+* Tue Feb 28 2012 Ade Lee 10.0.0-0.5.a1
+- 'pki-selinux'
+- Added platform-dependent patches for SELinux component
+- Bugzilla Bug #739708 - Selinux fix for ephemeral ports (F16)
+- Bugzilla Bug #795966 - pki-selinux policy is kind of a mess (F17)
+
+* Thu Feb 23 2012 Endi S. Dewata 10.0.0-0.4.a1
+- Added dependency on Apache Commons Codec.
+
+* Wed Feb 22 2012 Matthew Harmsen 10.0.0-0.3.a1
+- Add '-DSYSTEMD_LIB_INSTALL_DIR' override flag to 'cmake' to address changes
+ in fundamental path structure in Fedora 17
+- 'pki-setup'
+- Hard-code Perl dependencies to protect against bugs such as
+ Bugzilla Bug #772699 - Adapt perl and python fileattrs to
+ changed file 5.10 magics
+- 'pki-selinux'
+- Bugzilla Bug #795966 - pki-selinux policy is kind of a mess
+
+* Mon Feb 20 2012 Matthew Harmsen 10.0.0-0.2.a1
+- Integrated 'pki-kra' into 'pki-core'
+- Integrated 'pki-ocsp' into 'pki-core'
+- Integrated 'pki-tks' into 'pki-core'
+- Bugzilla Bug #788787 - added 'junit'/'junit4' build-time requirements
+
+* Wed Feb 1 2012 Nathan Kinder 10.0.0-0.1.a1
+- Updated package version number
+
+* Mon Jan 16 2012 Ade Lee 9.0.16-3
+- Added resteasy-jettison-provider-2.3-RC1.jar to pki-setup
+
+* Mon Nov 28 2011 Endi S. Dewata 9.0.16-2
+- Added JUnit tests
+
+* Fri Oct 28 2011 Matthew Harmsen 9.0.16-1
+- 'pki-setup'
+- 'pki-symkey'
+- 'pki-native-tools'
+- 'pki-util'
+- Bugzilla Bug #737122 - DRM: during archiving and recovering,
+ wrapping unwrapping keys should be done in the token (cfu)
+- 'pki-java-tools'
+- 'pki-common'
+- Bugzilla Bug #744797 - KRA key recovery (retrieve pkcs#12) fails after
+ the in-place upgrade( CS 8.0->8.1) (cfu)
+- 'pki-selinux'
+- 'pki-ca'
+- Bugzilla Bug #746367 - Typo in the profile name. (jmagne)
+- Bugzilla Bug #737122 - DRM: during archiving and recovering,
+ wrapping unwrapping keys should be done in the token (cfu)
+- Bugzilla Bug #749927 - Java class conflicts using Java 7 in Fedora 17
+ (rawhide) . . . (mharmsen)
+- Bugzilla Bug #749945 - Installation error reported during CA, DRM,
+ OCSP, and TKS package installation . . . (mharmsen)
+- 'pki-silent'
+
+* Thu Sep 22 2011 Matthew Harmsen 9.0.15-1
+- Bugzilla Bug #734590 - Refactor JNI libraries for Fedora 16+ . . . (mharmsen)
+- Bugzilla Bug #699809 - Convert CS to use systemd (alee)
+- 'pki-setup'
+- Bugzilla Bug #730146 - SSL handshake picks non-FIPS ciphers in FIPS
+ mode (cfu)
+- Bugzilla Bug #737192 - Need script to upgrade proxy configuration (alee)
+- 'pki-symkey'
+- Bugzilla Bug #730162 - TPS/TKS token enrollment failure in FIPS mode
+ (hsm+NSS). (jmagne)
+- 'pki-native-tools'
+- Bugzilla Bug #730801 - Coverity issues in native-tools area (awnuk)
+- Bugzilla Bug #730146 - SSL handshake picks non-FIPS ciphers in FIPS
+ mode (cfu)
+- 'pki-util'
+- Bugzilla Bug #730146 - SSL handshake picks non-FIPS ciphers in FIPS
+ mode (cfu)
+- 'pki-java-tools'
+- 'pki-common'
+- Bugzilla Bug #730146 - SSL handshake picks non-FIPS ciphers in FIPS
+ mode (cfu)
+- Bugzilla Bug #737218 - Incorrect request attribute name matching
+ ignores request attributes during request parsing. (awnuk)
+- Bugzilla Bug #730162 - TPS/TKS token enrollment failure in FIPS mode
+ (hsm+NSS). (jmagne)
+- 'pki-selinux'
+- Bugzilla Bug #739708 - pki-selinux lacks rules in F16 (alee)
+- 'pki-ca'
+- Bugzilla Bug #712931 - CS requires too many ports
+ to be open in the FW (alee)
+- Bugzilla Bug #730146 - SSL handshake picks non-FIPS ciphers in FIPS
+ mode (cfu)
+- 'pki-silent'
+- Bugzilla Bug #739201 - pkisilent does not take arch into account
+ as Java packages migrated to arch-dependent directories (mharmsen)
+
+* Fri Sep 9 2011 Matthew Harmsen 9.0.14-1
+- 'pki-setup'
+- Bugzilla Bug #734590 - Refactor JNI libraries for Fedora 16+ . . .
+- 'pki-symkey'
+- Bugzilla Bug #734590 - Refactor JNI libraries for Fedora 16+ . . .
+- 'pki-native-tools'
+- 'pki-util'
+- Bugzilla Bug #734590 - Refactor JNI libraries for Fedora 16+ . . .
+- 'pki-java-tools'
+- Bugzilla Bug #734590 - Refactor JNI libraries for Fedora 16+ . . .
+- 'pki-common'
+- Bugzilla Bug #734590 - Refactor JNI libraries for Fedora 16+ . . .
+- 'pki-selinux'
+- 'pki-ca'
+- Bugzilla Bug #734590 - Refactor JNI libraries for Fedora 16+ . . .
+- Bugzilla Bug #699809 - Convert CS to use systemd (alee)
+- 'pki-silent'
+- Bugzilla Bug #734590 - Refactor JNI libraries for Fedora 16+ . . .
+
+* Tue Sep 6 2011 Ade Lee 9.0.13-1
+- 'pki-setup'
+- Bugzilla Bug #699809 - Convert CS to use systemd (alee)
+- 'pki-ca'
+- Bugzilla Bug #699809 - Convert CS to use systemd (alee)
+- 'pki-common'
+- Bugzilla Bug #699809 - Convert CS to use systemd (alee)
+
+* Tue Aug 23 2011 Matthew Harmsen 9.0.12-1
+- 'pki-setup'
+- Bugzilla Bug #712931 - CS requires too many ports
+ to be open in the FW (alee)
+- 'pki-symkey'
+- 'pki-native-tools'
+- Bugzilla Bug #717643 - Fopen without NULL check and other Coverity
+ issues (awnuk)
+- Bugzilla Bug #730801 - Coverity issues in native-tools area (awnuk)
+- 'pki-util'
+- 'pki-java-tools'
+- 'pki-common'
+- Bugzilla Bug #700522 - pki tomcat6 instances currently running
+ unconfined, allow server to come up when selinux disabled (alee)
+- Bugzilla Bug #731741 - some CS.cfg nickname parameters not updated
+ correctly when subsystem cloned (using hsm) (alee)
+- Bugzilla Bug #712931 - CS requires too many ports
+ to be open in the FW (alee)
+- 'pki-selinux'
+- Bugzilla Bug #712931 - CS requires too many ports
+ to be open in the FW (alee)
+- 'pki-ca'
+- Bugzilla Bug #712931 - CS requires too many ports
+ to be open in the FW (alee)
+- 'pki-silent'
+
+* Wed Aug 10 2011 Matthew Harmsen 9.0.12
+- 'pki-setup'
+- Bugzilla Bug #689909 - Dogtag installation under IPA takes too much
+ time - remove the inefficient sleeps (alee)
+- 'pki-symkey'
+- 'pki-native-tools'
+- 'pki-util'
+- 'pki-java-tools'
+- Bugzilla Bug #724861 - DRMTool: fix duplicate "dn:" records by
+ renumbering "cn=" (mharmsen)
+- 'pki-common'
+- Bugzilla Bug #717041 - Improve escaping of some enrollment inputs like
+ (jmagne, awnuk)
+- Bugzilla Bug #689909 - Dogtag installation under IPA takes too much
+ time - remove the inefficient sleeps (alee)
+- Bugzilla Bug #708075 - Clone installation does not work over NAT
+ (alee)
+- Bugzilla Bug #726785 - If replication fails while setting up a clone
+ it will wait forever (alee)
+- Bugzilla Bug #728332 - xml output has changed on cert requests (awnuk)
+- Bugzilla Bug #700505 - pki tomcat6 instances currently running
+ unconfined (alee)
+- 'pki-selinux'
+- Bugzilla Bug #700505 - pki tomcat6 instances currently running
+ unconfined (alee)
+- 'pki-ca'
+- Bugzilla Bug #728605 - RFE: increase default validity from 6mo to 2yrs
+ in IPA profile (awnuk)
+- 'pki-silent'
+- Bugzilla Bug #689909 - Dogtag installation under IPA takes too much
+ time - remove the inefficient sleeps (alee)
+
+* Fri Jul 22 2011 Matthew Harmsen 9.0.10-1
+- 'pki-setup'
+- 'pki-symkey'
+- 'pki-native-tools'
+- 'pki-util'
+- Bugzilla Bug #719007 - Key Constraint keyParameter being ignored
+ using an ECC CA to generate ECC certs from CRMF. (jmagne)
+- Bugzilla Bug #716307 - rhcs80 - DER shall not include an encoding
+ for any component value which is equal to its default value (alee)
+- 'pki-java-tools'
+- 'pki-common'
+- Bugzilla Bug #720510 - Console: Adding a certificate into nethsm
+ throws Token not found error. (jmagne)
+- Bugzilla Bug #719007 - Key Constraint keyParameter being ignored
+ using an ECC CA to generate ECC certs from CRMF. (jmagne)
+- Bugzilla Bug #716307 - rhcs80 - DER shall not include an encoding
+ for any component value which is equal to its default value (alee)
+- Bugzilla Bug #722989 - Registering an agent when a subsystem is
+ created - does not log AUTHZ_SUCCESS event. (alee)
+- 'pki-selinux'
+- 'pki-ca'
+- Bugzilla Bug #719113 - Add client usage flag to caIPAserviceCert
+ (awnuk)
+- 'pki-silent'
+
+* Thu Jul 14 2011 Matthew Harmsen 9.0.9-1
+- Updated release of 'jss'
+- Updated release of 'tomcatjss' for Fedora 15
+- 'pki-setup'
+- Bugzilla Bug #695157 - Auditverify on TPS audit log throws error.
+ (mharmsen)
+- Bugzilla Bug #693815 - /var/log/tomcat6/catalina.out owned by pkiuser
+ (jdennis)
+- Bugzilla Bug #694569 - parameter used by pkiremove not updated (alee)
+- Bugzilla Bug #669226 - Remove Legacy Build System (mharmsen)
+- 'pki-symkey'
+- Bugzilla Bug #695157 - Auditverify on TPS audit log throws error.
+ (mharmsen)
+- Bugzilla Bug #669226 - Remove Legacy Build System (mharmsen)
+- 'pki-native-tools'
+- Bugzilla Bug #695157 - Auditverify on TPS audit log throws error.
+ (mharmsen)
+- Bugzilla Bug #717765 - TPS configuration: logging into security domain
+ from tps does not work with clientauth=want. (alee)
+- Bugzilla Bug #669226 - Remove Legacy Build System (mharmsen)
+- 'pki-util'
+- Bugzilla Bug #695157 - Auditverify on TPS audit log throws error.
+ (mharmsen)
+- Bugzilla Bug #669226 - Remove Legacy Build System (mharmsen)
+- 'pki-java-tools'
+- Bugzilla Bug #695157 - Auditverify on TPS audit log throws error.
+ (mharmsen)
+- Bugzilla Bug #532548 - Tool to do DRM re-key (mharmsen)
+- Bugzilla Bug #532548 - Tool to do DRM re-key (config file and record
+ processing) (mharmsen)
+- Bugzilla Bug #532548 - Tool to do DRM re-key (tweaks) (mharmsen)
+- Bugzilla Bug #669226 - Remove Legacy Build System (mharmsen)
+- 'pki-common'
+- Bugzilla Bug #695157 - Auditverify on TPS audit log throws error.
+ (mharmsen)
+- Bugzilla Bug #695403 - Editing signedaudit or transaction, system
+ logs throws 'Invalid protocol' for OCSP subsystems (alee)
+- Bugzilla Bug #694569 - parameter used by pkiremove not updated (alee)
+- Bugzilla Bug #695015 - Serial No. of a revoked certificate is not
+ populated in the CA signedAudit messages (alee)
+- Bugzilla Bug #694143 - CA Agent not returning specified request (awnuk)
+- Bugzilla Bug #695015 - Serial No. of a revoked certificate is not
+ populated in the CA signedAudit messages (jmagne)
+- Bugzilla Bug #698885 - Race conditions during IPA installation (alee)
+- Bugzilla Bug #704792 - CC_LAB_EVAL: CA agent interface:
+ SubjectID=$Unidentified$ fails audit evaluation (jmagne)
+- Bugzilla Bug #705914 - SCEP mishandles nicknames when processing
+ subsequent SCEP requests. (awnuk)
+- Bugzilla Bug #661142 - Verification should fail when a revoked
+ certificate is added. (jmagne)
+- Bugzilla Bug #707416 - CC_LAB_EVAL: Security Domain: missing audit msgs
+ for modify/add (alee)
+- Bugzilla Bug #707416 - additional audit messages for GetCookie (alee)
+- Bugzilla Bug #707607 - Published certificate summary has list of
+ non-published certificates with succeeded status (jmagne)
+- Bugzilla Bug #717813 - EV_AUDIT_LOG_SHUTDOWN audit log not generated
+ for tps and ca on server shutdown (jmagne)
+- Bugzilla Bug #697939 - DRM signed audit log message - operation should
+ be read instead of modify (jmagne)
+- Bugzilla Bug #718427 - When audit log is full, server continue to
+ function. (alee)
+- Bugzilla Bug #718607 - CC_LAB_EVAL: No AUTH message is generated in
+ CA's signedaudit log when a directory based user enrollment is
+ performed (jmagne)
+- Bugzilla Bug #669226 - Remove Legacy Build System (mharmsen)
+- 'pki-selinux'
+- Bugzilla Bug #695157 - Auditverify on TPS audit log throws error.
+ (mharmsen)
+- Bugzilla Bug #720503 - RA and TPS require additional SELinux
+ permissions to run in "Enforcing" mode (alee)
+- Bugzilla Bug #669226 - Remove Legacy Build System (mharmsen)
+- 'pki-ca'
+- Bugzilla Bug #695157 - Auditverify on TPS audit log throws error.
+ (mharmsen)
+- Bugzilla Bug #693815 - /var/log/tomcat6/catalina.out owned by pkiuser
+ (jdennis)
+- Bugzilla Bug #699837 - service command is not fully backwards
+ compatible with Dogtag pki subsystems (mharmsen)
+- Bugzilla Bug #649910 - Console: an auditor or agent can be added to an
+ administrator group. (jmagne)
+- Bugzilla Bug #707416 - CC_LAB_EVAL: Security Domain: missing audit msgs
+ for modify/add (alee)
+- Bugzilla Bug #716269 - make ra authenticated profiles non-visible on ee
+ pages (alee)
+- Bugzilla Bug #718621 - CC_LAB_EVAL: PRIVATE_KEY_ARCHIVE_REQUEST occurs
+ for a revocation invoked by EE user (awnuk)
+- Bugzilla Bug #669226 - Remove Legacy Build System (mharmsen)
+- 'pki-silent'
+- Bugzilla Bug #695157 - Auditverify on TPS audit log throws error.
+ (mharmsen)
+- Bugzilla Bug #669226 - Remove Legacy Build System (mharmsen)
+
+* Wed May 25 2011 Matthew Harmsen 9.0.8-2
+- 'pki-setup'
+- 'pki-symkey'
+- 'pki-native-tools'
+- 'pki-util'
+- 'pki-java-tools'
+- Added 'DRMTool.cfg' configuration file to inventory
+- 'pki-common'
+- 'pki-selinux'
+- 'pki-ca'
+- 'pki-silent'
+
+* Wed May 25 2011 Matthew Harmsen 9.0.8-1
+- 'pki-setup'
+- 'pki-symkey'
+- 'pki-native-tools'
+- 'pki-util'
+- 'pki-java-tools'
+- Bugzilla Bug #532548 - Tool to do DRM re-key
+- 'pki-common'
+- 'pki-selinux'
+- 'pki-ca'
+- 'pki-silent'
+
+* Tue Apr 26 2011 Matthew Harmsen 9.0.7-1
+- 'pki-setup'
+- Bugzilla Bug #693815 - /var/log/tomcat6/catalina.out owned by pkiuser
+- Bugzilla Bug #694569 - parameter used by pkiremove not updated
+- 'pki-symkey'
+- 'pki-native-tools'
+- 'pki-util'
+- 'pki-java-tools'
+- 'pki-common'
+- Bugzilla Bug #695403 - Editing signedaudit or transaction, system logs
+ throws 'Invalid protocol' for OCSP subsystems
+- Bugzilla Bug #694569 - parameter used by pkiremove not updated
+- Bugzilla Bug #695015 - Serial No. of a revoked certificate is not
+ populated in the CA signedAudit messages
+- Bugzilla Bug #694143 - CA Agent not returning specified request
+- Bugzilla Bug #695015 - Serial No.
of a revoked certificate is not + populated in the CA signedAudit messages +- Bugzilla Bug #698885 - Race conditions during IPA installation +- 'pki-selinux' +- 'pki-ca' +- Bugzilla Bug #693815 - /var/log/tomcat6/catalina.out owned by pkiuser +- Bugzilla Bug #699837 - service command is not fully backwards compatible + with Dogtag pki subsystems +- 'pki-silent' + +* Mon Apr 11 2011 Matthew Harmsen 9.0.6-2 +- Bugzilla Bug #695157 - Auditverify on TPS audit log throws error. + +* Tue Apr 5 2011 Matthew Harmsen 9.0.6-1 +- Bugzilla Bug #690950 - Update Dogtag Packages for Fedora 15 (beta) +- Bugzilla Bug #693327 - Missing requires: tomcatjss +- 'pki-setup' +- Bugzilla Bug #690626 - pkiremove removes the registry entry for + all instances on a machine +- 'pki-symkey' +- 'pki-native-tools' +- 'pki-util' +- 'pki-java-tools' +- Bugzilla Bug #689453 - CRMFPopClient request to CA's unsecure port + throws file not found exception. +- 'pki-common' +- Bugzilla Bug #692990 - Audit log messages needed to match CC doc: + DRM Recovery audit log messages +- 'pki-selinux' +- 'pki-ca' +- 'pki-silent' + +* Tue Apr 5 2011 Matthew Harmsen 9.0.5-2 +- Bugzilla Bug #693327 - Missing requires: tomcatjss + +* Fri Mar 25 2011 Matthew Harmsen 9.0.5-1 +- Bugzilla Bug #690950 - Update Dogtag Packages for Fedora 15 (beta) +- Require "jss >= 4.2.6-15" as a build and runtime requirement +- Require "tomcatjss >= 2.1.1" as a build and runtime requirement + for Fedora 15 and later platforms +- 'pki-setup' +- Bugzilla Bug #688287 - Add "deprecation" notice regarding using + "shared ports" in pkicreate -help . . . 
+- Bugzilla Bug #688251 - Dogtag installation under IPA takes + too much time - SELinux policy compilation +- 'pki-symkey' +- 'pki-native-tools' +- 'pki-util' +- 'pki-java-tools' +- Bugzilla Bug #689501 - ExtJoiner tool fails to join the multiple + extensions +- 'pki-common' +- Bugzilla Bug #683581 - CA configuration with ECC(Default + EC curve-nistp521) CA fails with 'signing operation failed' +- Bugzilla Bug #689662 - ocsp publishing needs to be re-enabled + on the EE port +- 'pki-selinux' +- Bugzilla Bug #684871 - ldaps selinux link change +- 'pki-ca' +- Bugzilla Bug #683581 - CA configuration with ECC(Default + EC curve-nistp521) CA fails with 'signing operation failed' +- Bugzilla Bug #684381 - CS.cfg specifies incorrect type of comments +- Bugzilla Bug #689453 - CRMFPopClient request to CA's unsecure port + throws file not found exception.(profile and CS.cfg only) +- 'pki-silent' + +* Thu Mar 17 2011 Matthew Harmsen 9.0.4-1 +- Bugzilla Bug #688763 - Rebase updated Dogtag Packages for Fedora 15 (alpha) +- Bugzilla Bug #676182 - IPA installation failing - Fails to create CA + instance +- Bugzilla Bug #675742 - Profile caIPAserviceCert Not Found +- 'pki-setup' +- Bugzilla Bug #678157 - uninitialized variable warnings from Perl +- Bugzilla Bug #679574 - Velocity fails to load all dependent classes +- Bugzilla Bug #680420 - xml-commons-apis.jar dependency +- Bugzilla Bug #682013 - pkisilent needs xml-commons-apis.jar in it's + classpath +- Bugzilla Bug #673508 - CS8 64 bit pkicreate script uses wrong library + name for SafeNet LunaSA +- 'pki-common' +- Bugzilla Bug #673638 - Installation within IPA hangs +- Bugzilla Bug #678715 - netstat loop fixes needed +- Bugzilla Bug #673609 - CC: authorize() call needs to be added to + getStats servlet +- 'pki-selinux' +- Bugzilla Bug #674195: SELinux error message thrown during token + enrollment +- 'pki-ca' +- Bugzilla Bug #673638 - Installation within IPA hangs +- Bugzilla Bug #673609 - CC: authorize() call needs to be 
added to + getStats servlet +- Bugzilla Bug #676330 - init script cannot start service +- 'pki-silent' +- Bugzilla Bug #682013 - pkisilent needs xml-commons-apis.jar in it's + classpath + +* Wed Feb 9 2011 Matthew Harmsen 9.0.3-2 +- 'pki-common' +- Bugzilla Bug #676051 - IPA installation failing - Fails to create CA + instance +- Bugzilla Bug #676182 - IPA installation failing - Fails to create CA + instance + +* Fri Feb 4 2011 Matthew Harmsen 9.0.3-1 +- 'pki-common' +- Bugzilla Bug #674894 - ipactl restart : an annoy output line +- Bugzilla Bug #675179 - ipactl restart : an annoy output line + +* Thu Feb 3 2011 Matthew Harmsen 9.0.2-1 +- Bugzilla Bug #673233 - Rebase pki-core to pick the latest features and fixes +- 'pki-setup' +- Bugzilla Bug #673638 - Installation within IPA hangs +- 'pki-symkey' +- 'pki-native-tools' +- 'pki-util' +- 'pki-java-tools' +- Bugzilla Bug #673614 - CC: Review of cryptographic algorithms provided + by 'netscape.security.provider' package +- 'pki-common' +- Bugzilla Bug #672291 - CA is not publishing certificates issued using + "Manual User Dual-Use Certificate Enrollment" +- Bugzilla Bug #670337 - CA Clone configuration throws TCP connection + error. +- Bugzilla Bug #504056 - Completed SCEP requests are assigned to the + "begin" state instead of "complete". +- Bugzilla Bug #504055 - SCEP requests are not properly populated +- Bugzilla Bug #564207 - Searches for completed requests in the agent + interface returns zero entries +- Bugzilla Bug #672291 - CA is not publishing certificates issued using + "Manual User Dual-Use Certificate Enrollment" - +- Bugzilla Bug #673614 - CC: Review of cryptographic algorithms provided + by 'netscape.security.provider' package +- Bugzilla Bug #672920 - CA console: adding policy to a profile throws + 'Duplicate policy' error in some cases. 
+- Bugzilla Bug #673199 - init script returns control before web apps have + started +- Bugzilla Bug #674917 - Restore identification of Tomcat-based PKI + subsystem instances +- 'pki-selinux' +- 'pki-ca' +- Bugzilla Bug #504013 - sscep request is rejected due to authentication + error if submitted through one time pin router certificate enrollment. +- Bugzilla Bug #672111 - CC doc: certServer.usrgrp.administration missing + information +- Bugzilla Bug #583825 - CC: Obsolete servlets to be removed from web.xml + as part of CC interface review +- Bugzilla Bug #672333 - Creation of RA agent fails in IPA installation +- Bugzilla Bug #674917 - Restore identification of Tomcat-based PKI + subsystem instances +- 'pki-silent' +- Bugzilla Bug #673614 - CC: Review of cryptographic algorithms provided + by 'netscape.security.provider' package + +* Wed Feb 2 2011 Matthew Harmsen 9.0.1-3 +- Bugzilla Bug #656661 - Please Update Spec File to use 'ghost' on files + in /var/run and /var/lock + +* Thu Jan 20 2011 Matthew Harmsen 9.0.1-2 +- 'pki-symkey' +- Bugzilla Bug #671265 - pki-symkey jar version incorrect +- 'pki-common' +- Bugzilla Bug #564207 - Searches for completed requests in the agent + interface returns zero entries + +* Tue Jan 18 2011 Matthew Harmsen 9.0.1-1 +- Allow 'pki-native-tools' to be installed independently of 'pki-setup' +- Removed explicit 'pki-setup' requirement from 'pki-ca' + (since it already requires 'pki-common') +- 'pki-setup' +- Bugzilla Bug #223343 - pkicreate: should add 'pkiuser' to nfast group +- Bugzilla Bug #629377 - Selinux errors during pkicreate CA, KRA, OCSP + and TKS. 
+- Bugzilla Bug #555927 - rhcs80 - AgentRequestFilter servlet and port + fowarding for agent services +- Bugzilla Bug #632425 - Port to tomcat6 +- Bugzilla Bug #606946 - Convert Native Tools to use ldapAPI from + OpenLDAP instead of the Mozldap +- Bugzilla Bug #638377 - Generate PKI UI components which exclude a GUI + interface +- Bugzilla Bug #643206 - New CMake based build system for Dogtag +- Bugzilla Bug #658926 - org.apache.commons.lang class not found on F13 +- Bugzilla Bug #661514 - CMAKE build system requires rules to make + javadocs +- Bugzilla Bug #665388 - jakarta-* jars have been renamed to apache-*, + pkicreate fails Fedora 14 and above +- Bugzilla Bug #23346 - Two conflicting ACL list definitions in source + repository +- Bugzilla Bug #656733 - Standardize jar install location and jar names +- 'pki-symkey' +- Bugzilla Bug #638377 - Generate PKI UI components which exclude a GUI + interface +- Bugzilla Bug #643206 - New CMake based build system for Dogtag +- Bugzilla Bug #644056 - CS build contains warnings +- 'pki-native-tools' +- template change +- Bugzilla Bug #606946 - Convert Native Tools to use ldapAPI from + OpenLDAP instead of the Mozldap +- Bugzilla Bug #638377 - Generate PKI UI components which exclude a GUI + interface +- Bugzilla Bug #643206 - New CMake based build system for Dogtag +- Bugzilla Bug #644056 - CS build contains warnings +- 'pki-util' +- Bugzilla Bug #615814 - rhcs80 - profile policyConstraintsCritical + cannot be set to true +- Bugzilla Bug #224945 - javadocs has missing descriptions, contains + empty packages +- Bugzilla Bug #621337 - Limit the received senderNonce value to 16 bytes. +- Bugzilla Bug #621338 - Include a server randomly-generated 16 byte + senderNonce in all signed SCEP responses. +- Bugzilla Bug #621327 - Provide switch disabling algorithm downgrade + attack in SCEP +- Bugzilla Bug #621334 - Provide an option to set default hash algorithm + for signing SCEP response messages. 
+- Bugzilla Bug #635033 - At installation wizard selecting key types other + than CA's signing cert will fail +- Bugzilla Bug #645874 - rfe ecc - add ecc curve name support in JSS and + CS interface +- Bugzilla Bug #488253 - com.netscape.cmsutil.ocsp.BasicOCSPResponse + ASN.1 encoding/decoding is broken +- Bugzilla Bug #551410 - com.netscape.cmsutil.ocsp.TBSRequest ASN.1 + encoding/decoding is incomplete +- Bugzilla Bug #550331 - com.netscape.cmsutil.ocsp.ResponseData ASN.1 + encoding/decoding is incomplete +- Bugzilla Bug #623452 - rhcs80 pkiconsole profile policy editor limit + policy extension to 5 only +- Bugzilla Bug #638377 - Generate PKI UI components which exclude a GUI + interface +- Bugzilla Bug #651977 - turn off ssl2 for java servers (server.xml) +- Bugzilla Bug #643206 - New CMake based build system for Dogtag +- Bugzilla Bug #661514 - CMAKE build system requires rules to make + javadocs +- Bugzilla Bug #658188 - remove remaining references to tomcat5 +- Bugzilla Bug #656733 - Standardize jar install location and jar names +- Bugzilla Bug #223319 - Certificate Status inconsistency between token + db and CA +- Bugzilla Bug #531137 - RHCS 7.1 - Running out of Java Heap Memory + During CRL Generation +- 'pki-java-tools' +- Bugzilla Bug #224945 - javadocs has missing descriptions, contains + empty packages +- Bugzilla Bug #638377 - Generate PKI UI components which exclude a GUI + interface +- Bugzilla Bug #659004 - CC: AuditVerify hardcoded with SHA-1 +- Bugzilla Bug #643206 - New CMake based build system for Dogtag +- Bugzilla Bug #661514 - CMAKE build system requires rules to make + javadocs +- Bugzilla Bug #662156 - HttpClient is hard-coded to handle only up to + 5000 bytes +- Bugzilla Bug #656733 - Standardize jar install location and jar names +- 'pki-common' +- Bugzilla Bug #583822 - CC: ACL issues from CA interface CC doc review +- Bugzilla Bug #623745 - SessionTimer with LDAPSecurityDomainSessionTable + started before configuration completed +- 
Bugzilla Bug #620925 - CC: auditor needs to be able to download audit + logs in the java subsystems +- Bugzilla Bug #615827 - rhcs80 - profile policies need more than 5 + policy mappings (seem hardcoded) +- Bugzilla Bug #224945 - javadocs has missing descriptions, contains + empty packages +- Bugzilla Bug #548699 - subCA's admin certificate should be generated by + itself +- Bugzilla Bug #621322 - Provide switch disabling SCEP support in CA +- Bugzilla Bug #563386 - rhcs80 ca crash on invalid inputs to profile + caAgentServerCert (null cert_request) +- Bugzilla Bug #621339 - SCEP one-time PIN can be used an unlimited + number of times +- Bugzilla Bug #583825 - CC: Obsolete servlets to be removed from web.xml + as part of CC interface review +- Bugzilla Bug #629677 - TPS: token enrollment fails. +- Bugzilla Bug #621350 - Unauthenticated user can decrypt a one-time PIN + in a SCEP request +- Bugzilla Bug #503838 - rhcs71-80 external publishing ldap connection + pools not reliable - improve connections or discovery +- Bugzilla Bug #629769 - password decryption logs plain text password +- Bugzilla Bug #583823 - CC: Auditing issues found as result of + CC - interface review +- Bugzilla Bug #632425 - Port to tomcat6 +- Bugzilla Bug #586700 - OCSP Server throws fatal error while using + OCSP console for renewing SSL Server certificate. +- Bugzilla Bug #621337 - Limit the received senderNonce value to 16 bytes. +- Bugzilla Bug #621338 - Include a server randomly-generated 16 byte + senderNonce in all signed SCEP responses. +- Bugzilla Bug #607380 - CC: Make sure Java Console can configure all + security relevant config items +- Bugzilla Bug #558100 - host challenge of the Secure Channel needs to be + generated on TKS instead of TPS. 
+- Bugzilla Bug #489342 - + com.netscape.cms.servlet.common.CMCOutputTemplate.java + doesn't support EC +- Bugzilla Bug #630121 - OCSP responder lacking option to delete or + disable a CA that it serves +- Bugzilla Bug #634663 - CA CMC response default hard-coded to SHA1 +- Bugzilla Bug #621327 - Provide switch disabling algorithm downgrade + attack in SCEP +- Bugzilla Bug #621334 - Provide an option to set default hash algorithm + for signing SCEP response messages. +- Bugzilla Bug #635033 - At installation wizard selecting key types other + than CA's signing cert will fail +- Bugzilla Bug #621341 - Add CA support for new SCEP key pair dedicated + for SCEP signing and encryption. +- Bugzilla Bug #223336 - ECC: unable to clone a ECC CA +- Bugzilla Bug #539781 - rhcs 71 - CRLs Partitioned + by Reason Code - onlySomeReasons ? +- Bugzilla Bug #637330 - CC feature: Key Management - provide signature + verification functions (JAVA subsystems) +- Bugzilla Bug #223313 - should do random generated IV param + for symmetric keys +- Bugzilla Bug #555927 - rhcs80 - AgentRequestFilter servlet and port + fowarding for agent services +- Bugzilla Bug #630176 - Improve reliability of the LdapAnonConnFactory +- Bugzilla Bug #524916 - ECC key constraints plug-ins should be based on + ECC curve names (not on key sizes). +- Bugzilla Bug #516632 - RHCS 7.1 - CS Incorrectly Issuing Multiple + Certificates from the Same Request +- Bugzilla Bug #648757 - expose and use updated cert verification + function in JSS +- Bugzilla Bug #638242 - Installation Wizard: at SizePanel, fix selection + of signature algorithm; and for ECC curves +- Bugzilla Bug #451874 - RFE - Java console - Certificate Wizard missing + e.c. support +- Bugzilla Bug #651040 - cloning shoud not include sslserver +- Bugzilla Bug #542863 - RHCS8: Default cert audit nickname written to + CS.cfg files imcomplete when the cert is stored on a hsm +- Bugzilla Bug #360721 - New Feature: Profile Integrity Check . . . 
+- Bugzilla Bug #651916 - kra and ocsp are using incorrect ports + to talk to CA and complete configuration in DonePanel +- Bugzilla Bug #642359 - CC Feature - need to verify certificate when it + is added +- Bugzilla Bug #653713 - CC: setting trust on a CIMC cert requires + auditing +- Bugzilla Bug #489385 - references to rhpki +- Bugzilla Bug #499494 - change CA defaults to SHA2 +- Bugzilla Bug #623452 - rhcs80 pkiconsole profile policy editor limit + policy extension to 5 only +- Bugzilla Bug #649910 - Console: an auditor or agent can be added to + an administrator group. +- Bugzilla Bug #632425 - Port to tomcat6 +- Bugzilla Bug #638377 - Generate PKI UI components which exclude a GUI + interface +- Bugzilla Bug #651977 - turn off ssl2 for java servers (server.xml) +- Bugzilla Bug #653576 - tomcat5 does not always run filters on servlets + as expected +- Bugzilla Bug #642357 - CC Feature- Self-Test plugins only check for + validity +- Bugzilla Bug #643206 - New CMake based build system for Dogtag +- Bugzilla Bug #659004 - CC: AuditVerify hardcoded with SHA-1 +- Bugzilla Bug #661196 - ECC(with nethsm) subca configuration fails with + Key Type RSA Not Matched despite using ECC key pairs for rootCA & subCA. +- Bugzilla Bug #661889 - The Servlet TPSRevokeCert of the CA returns an + error to TPS even if certificate in question is already revoked. +- Bugzilla Bug #663546 - Disable the functionalities that are not exposed + in the console +- Bugzilla Bug #661514 - CMAKE build system requires rules to make + javadocs +- Bugzilla Bug #658188 - remove remaining references to tomcat5 +- Bugzilla Bug #649343 - Publishing queue should recover from CA crash. 
+- Bugzilla Bug #491183 - rhcs rfe - add rfc 4523 support for pkiUser and + pkiCA, obsolete 2252 and 2256 +- Bugzilla Bug #640710 - Current SCEP implementation does not support HSMs +- Bugzilla Bug #656733 - Standardize jar install location and jar names +- Bugzilla Bug #661142 - Verification should fail when + a revoked certificate is added +- Bugzilla Bug #642741 - CS build uses deprecated functions +- Bugzilla Bug #670337 - CA Clone configuration throws TCP connection error +- Bugzilla Bug #662127 - CC doc Error: SignedAuditLog expiration time + interface is no longer available through console +- 'pki-selinux' +- Bugzilla Bug #638377 - Generate PKI UI components which exclude a GUI + interface +- Bugzilla Bug #643206 - New CMake based build system for Dogtag +- Bugzilla Bug #667153 - store nuxwdog passwords in kernel ring buffer - + selinux changes +- 'pki-ca' +- Bugzilla Bug #583822 - CC: ACL issues from CA interface CC doc review +- Bugzilla Bug #620925 - CC: auditor needs to be able to download audit + logs in the java subsystems +- Bugzilla Bug #621322 - Provide switch disabling SCEP support in CA +- Bugzilla Bug #583824 - CC: Duplicate servlet mappings found as part of + CC interface doc review +- Bugzilla Bug #621602 - pkiconsole: Click on 'Publishing' option with + admin privilege throws error "You are not authorized to perform this + operation". +- Bugzilla Bug #583825 - CC: Obsolete servlets to be removed from web.xml + as part of CC interface review +- Bugzilla Bug #583823 - CC: Auditing issues found as result of + CC - interface review +- Bugzilla Bug #519291 - Deleting a CRL Issuing Point after edits throws + 'Internal Server Error'. +- Bugzilla Bug #586700 - OCSP Server throws fatal error while using + OCSP console for renewing SSL Server certificate. +- Bugzilla Bug #621337 - Limit the received senderNonce value to 16 bytes. +- Bugzilla Bug #621338 - Include a server randomly-generated 16 byte + senderNonce in all signed SCEP responses. 
+- Bugzilla Bug #558100 - host challenge of the Secure Channel needs to be + generated on TKS instead of TPS. +- Bugzilla Bug #630121 - OCSP responder lacking option to delete or + disable a CA that it serves +- Bugzilla Bug #634663 - CA CMC response default hard-coded to SHA1 +- Bugzilla Bug #621327 - Provide switch disabling algorithm downgrade + attack in SCEP +- Bugzilla Bug #621334 - Provide an option to set default hash algorithm + for signing SCEP response messages. +- Bugzilla Bug #539781 - rhcs 71 - CRLs Partitioned + by Reason Code - onlySomeReasons ? +- Bugzilla Bug #637330 - CC feature: Key Management - provide signature + verification functions (JAVA subsystems) +- Bugzilla Bug #555927 - rhcs80 - AgentRequestFilter servlet and port + fowarding for agent services +- Bugzilla Bug #524916 - ECC key constraints plug-ins should be based on + ECC curve names (not on key sizes). +- Bugzilla Bug #516632 - RHCS 7.1 - CS Incorrectly Issuing Multiple + Certificates from the Same Request +- Bugzilla Bug #638242 - Installation Wizard: at SizePanel, fix selection + of signature algorithm; and for ECC curves +- Bugzilla Bug #529945 - (Instructions and sample only) CS 8.0 GA + release -- DRM and TKS do not seem to have CRL checking enabled +- Bugzilla Bug #609641 - CC: need procedure (and possibly tools) to help + correctly set up CC environment +- Bugzilla Bug #509481 - RFE: support sMIMECapabilities extensions in + certificates (RFC 4262) +- Bugzilla Bug #651916 - kra and ocsp are using incorrect ports + to talk to CA and complete configuration in DonePanel +- Bugzilla Bug #511990 - rhcs 7.3, 8.0 - re-activate missing object + signing support in RHCS +- Bugzilla Bug #651977 - turn off ssl2 for java servers (server.xml) +- Bugzilla Bug #489385 - references to rhpki +- Bugzilla Bug #499494 - change CA defaults to SHA2 +- Bugzilla Bug #623452 - rhcs80 pkiconsole profile policy editor limit + policy extension to 5 only +- Bugzilla Bug #649910 - Console: an auditor or 
agent can be added to + an administrator group. +- Bugzilla Bug #632425 - Port to tomcat6 +- Bugzilla Bug #638377 - Generate PKI UI components which exclude a GUI + interface +- Bugzilla Bug #653576 - tomcat5 does not always run filters on servlets + as expected +- Bugzilla Bug #642357 - CC Feature- Self-Test plugins only check for + validity +- Bugzilla Bug #643206 - New CMake based build system for Dogtag +- Bugzilla Bug #661128 - incorrect CA ports used for revoke, unrevoke + certs in TPS +- Bugzilla Bug #512496 - RFE rhcs80 - crl updates and scheduling feature +- Bugzilla Bug #661196 - ECC(with nethsm) subca configuration fails with + Key Type RSA Not Matched despite using ECC key pairs for rootCA & subCA. +- Bugzilla Bug #649343 - Publishing queue should recover from CA crash. +- Bugzilla Bug #491183 - rhcs rfe - add rfc 4523 support for pkiUser and + pkiCA, obsolete 2252 and 2256 +- Bugzilla Bug #223346 - Two conflicting ACL list definitions in source + repository +- Bugzilla Bug #640710 - Current SCEP implementation does not support HSMs +- Bugzilla Bug #656733 - Standardize jar install location and jar names +- Bugzilla Bug #661142 - Verification should fail when + a revoked certificate is added +- Bugzilla Bug #668100 - DRM storage cert has OCSP signing extended key + usage +- Bugzilla Bug #662127 - CC doc Error: SignedAuditLog expiration time + interface is no longer available through console +- Bugzilla Bug #531137 - RHCS 7.1 - Running out of Java Heap Memory + During CRL Generation +- 'pki-silent' +- Bugzilla Bug #627309 - pkisilent subca configuration fails. +- Bugzilla Bug #640091 - pkisilent panels need to match with changed java + subsystems +- Bugzilla Bug #527322 - pkisilent ConfigureDRM should configure DRM + Clone. 
+- Bugzilla Bug #643053 - pkisilent DRM configuration fails +- Bugzilla Bug #583754 - pki-silent needs an option to configure signing + algorithm for CA certificates +- Bugzilla Bug #489385 - references to rhpki +- Bugzilla Bug #638377 - Generate PKI UI components which exclude a GUI + interface +- Bugzilla Bug #651977 - turn off ssl2 for java servers (server.xml) +- Bugzilla Bug #640042 - TPS Installlation Wizard: need to move Module + Panel up to before Security Domain Panel +- Bugzilla Bug #643206 - New CMake based build system for Dogtag +- Bugzilla Bug #588323 - Failed to enable cipher 0xc001 +- Bugzilla Bug #656733 - Standardize jar install location and jar names +- Bugzilla Bug #645895 - pkisilent: add ability to select ECC curves, + signing algorithm +- Bugzilla Bug #658641 - pkisilent doesn't not properly handle passwords + with special characters +- Bugzilla Bug #642741 - CS build uses deprecated functions + +* Thu Jan 13 2011 Matthew Harmsen 9.0.0-3 +- Bugzilla Bug #668839 - Review Request: pki-core +- Removed empty "pre" from "pki-ca" +- Consolidated directory ownership +- Corrected file ownership within subpackages +- Removed all versioning from NSS and NSPR packages + +* Thu Jan 13 2011 Matthew Harmsen 9.0.0-2 +- Bugzilla Bug #668839 - Review Request: pki-core +- Added component versioning comments +- Updated JSS from "4.2.6-10" to "4.2.6-12" +- Modified installation section to preserve timestamps +- Removed sectional comments + +* Wed Dec 1 2010 Matthew Harmsen 9.0.0-1 +- Initial revision. (kwright@redhat.com & mharmsen@redhat.com) +