[Pkg-freeipa-devel] pki: Changes to 'upstream-unstable'
Timo Aaltonen
tjaalton-guest at alioth.debian.org
Thu Jun 28 15:21:57 UTC 2012
Rebased ref, commits from common ancestor:
commit bde3a10e82a94e9203e3d8639e3c8dcff1c79864
Author: Timo Aaltonen <tjaalton at ubuntu.com>
Date: Thu Jun 28 12:19:53 2012 +0300
remove ./dogtag/ca-ui/shared/webapps/ca/agent/xenroll.dll
diff --git a/dogtag/ca-ui/shared/webapps/ca/agent/xenroll.dll b/dogtag/ca-ui/shared/webapps/ca/agent/xenroll.dll
deleted file mode 100644
index 9375e98..0000000
Binary files a/dogtag/ca-ui/shared/webapps/ca/agent/xenroll.dll and /dev/null differ
commit 60fdb857be509120b2abc470407d12b560ba5a1b
Author: Andrew Wnuk <awnuk at redhat.com>
Date: Wed May 30 13:50:25 2012 -0700
Perldap workaround.
Ticket #373
This fix just appends a dummy value to the array, which consumes the error 53.
Patch provided by mreynolds.
diff --git a/base/tps/lib/perl/PKI/TPS/Common.pm b/base/tps/lib/perl/PKI/TPS/Common.pm
index c669425..5b078d8 100755
--- a/base/tps/lib/perl/PKI/TPS/Common.pm
+++ b/base/tps/lib/perl/PKI/TPS/Common.pm
@@ -65,9 +65,8 @@ sub add_schema_update
foreach my $attr (@addtypes) {
my @vals = $aentry->getValues($attr);
- push @vals, $vals[0]; # HACK! for some reason, first value always fails with server unwilling to perform
-
- foreach my $val (@vals) {
+ my @values = ("dummyAttr: dummy value", @vals); # this dummy entry consumes the error 53
+ foreach my $val (@values) {
$sentry->addValue( $attr, $val );
$conn->update($sentry);
my $rc = $conn->getErrorCode();
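Review bot: The dummy value `"dummyAttr: dummy value"` goes through the same `addValue`/`update`/`getErrorCode` path as the real schema values, so whatever the rest of the loop does with `$rc` (outside this hunk) now also applies to a value that is expected to fail. If that code reports or aborts on a non-zero result, the workaround trips it; if it ignores the result, a genuine failure on the first real value cannot be told apart from the expected error 53. It is also not visible whether the dummy value is removed from `$sentry` again before the next `update`. Handling the dummy explicitly would keep this auditable, e.g. `next if $val eq $values[0] && $rc == 53; # Ticket #373: first update is expected to fail`, and the comment should name the ticket so the workaround can be removed once the perldap cause is found.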
commit 8bc416983f328a2058080a638670c464087bc6ba
Author: Christina Fu <cfu at redhat.com>
Date: Sun May 27 14:58:11 2012 -0700
Bug 823618 - TPS installation wizard (ECC): admin certificate panel needs to support ECC
This patch allows TPS administrators to enroll for EC cert during installation wizard. It follows the same implementation as the Java subsystems and defaults to nistp256
diff --git a/dogtag/tps-ui/shared/docroot/tps/admin/console/config/adminpanel.vm b/dogtag/tps-ui/shared/docroot/tps/admin/console/config/adminpanel.vm
index 3d0843b..aab1b76 100644
--- a/dogtag/tps-ui/shared/docroot/tps/admin/console/config/adminpanel.vm
+++ b/dogtag/tps-ui/shared/docroot/tps/admin/console/config/adminpanel.vm
@@ -35,13 +35,19 @@ function performPanel() {
var dn = "cn=" + name + ",uid=admin,e="+email+",o="+o;
document.forms[0].subject.value = dn;
var keyGenAlg = "rsa-dual-use";
+ var keyParams = null;
+
+ if (document.forms[0].keytype.value == 'ecc') {
+ keyGenAlg = "ec-dual-use";
+ keyParams = "curve=nistp256"
+ }
if (navigator.appName == "Netscape" &&
typeof(crypto.version) != "undefined") {
crmfObject = crypto.generateCRMFRequest(
dn, "regToken", "authenticator", null,
- "setCRMFRequest();", 1024, null, keyGenAlg);
+ "setCRMFRequest();", 2048, keyParams, keyGenAlg);
} else {
Send_OnClick();
}
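Review bot: The `else` branch still calls `Send_OnClick()` without consulting `keytype`, so on browsers that do not take the `crypto.generateCRMFRequest` path an administrator who selected ECC may silently get whatever key type that function produces; its body is outside the hunk, so this needs confirming. In the EC case the size argument `2048` is passed next to `keyParams`, which reads as if it applied to the curve; a comment such as `// TODO confirm: size argument unused for ec-dual-use, curve comes from keyParams` would help. `keyParams = "curve=nistp256"` is also missing its terminating semicolon.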
@@ -230,6 +236,10 @@ The administrator is a privileged user who manages this subsystem. Please enter
<input type="hidden" name="securitydomain" value="$securityDomain" />
<input type="hidden" name="subject" value="cn=x" />
</tr>
+ <tr>
+ <th>Key Type:</th>
+ <td><select name="keytype"><option value="rsa">RSA</option><option value="ecc">ECC</option></select></td>
+ </tr>
</table>
<div align="right">
<hr />
commit fcc77b8a389ceb7ca8e48e5403891564e88125d1
Author: Andrew Wnuk <awnuk at redhat.com>
Date: Mon May 7 13:02:29 2012 -0700
New build
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 3a23bf9..839e12f 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -23,7 +23,7 @@ elseif (BUILD_REDHAT_PKI_THEME)
elseif (BUILD_PKI_CORE)
set(APPLICATION_FLAVOR_PKI_CORE TRUE)
# override APPLICATION VERSION
- set(APPLICATION_VERSION_PATCH "19")
+ set(APPLICATION_VERSION_PATCH "20")
elseif (BUILD_PKI_KRA)
set(APPLICATION_FLAVOR_PKI_KRA TRUE)
# override APPLICATION VERSION
diff --git a/scripts/compose_pki_core_packages b/scripts/compose_pki_core_packages
index da3fb2f..0abb27e 100755
--- a/scripts/compose_pki_core_packages
+++ b/scripts/compose_pki_core_packages
@@ -31,7 +31,7 @@ PKI_PWD=`pwd`
##
PKI_CORE="pki-core"
-PKI_CORE_VERSION="9.0.19"
+PKI_CORE_VERSION="9.0.20"
##
diff --git a/specs/pki-core.spec b/specs/pki-core.spec
index ad75e32..b761011 100644
--- a/specs/pki-core.spec
+++ b/specs/pki-core.spec
@@ -1,6 +1,6 @@
Name: pki-core
-Version: 9.0.19
-Release: 4%{?dist}
+Version: 9.0.20
+Release: 1%{?dist}
Summary: Certificate System - PKI Core Components
URL: http://pki.fedoraproject.org/
License: GPLv2
@@ -749,6 +749,9 @@ fi
%changelog
+* Mon May 7 2012 Andrew Wnuk <awnuk at redhat.com> 9.0.20-1
+- New official build
+
* Mon May 7 2012 Ade Lee <alee at redhat.com> 9.0.19-4
- Bugzilla Bug #819111 - non-existent container breaks replication
commit 2566d4ddfb533d81fe6203d8457b52e7423b418e
Author: Ade Lee <alee at redhat.com>
Date: Mon May 7 11:55:37 2012 -0400
BZ 819111 non-existent container breaks replication
Added code to add the required ou=cmsusers container to cn=config
on the master if it does not exist, when replication users are set up.
diff --git a/base/common/src/com/netscape/cms/servlet/csadmin/DatabasePanel.java b/base/common/src/com/netscape/cms/servlet/csadmin/DatabasePanel.java
index 6c8cbbb..4a78e40 100644
--- a/base/common/src/com/netscape/cms/servlet/csadmin/DatabasePanel.java
+++ b/base/common/src/com/netscape/cms/servlet/csadmin/DatabasePanel.java
@@ -1238,7 +1238,27 @@ public class DatabasePanel extends WizardPanelBase {
throws LDAPException {
LDAPAttributeSet attrs = null;
LDAPEntry entry = null;
- String dn = "cn=" + bindUser + ",ou=csusers,cn=config";
+
+ // for older subsystems, the container ou=csusers, cn=config may not yet exist
+ String dn = "ou=csusers, cn=config";
+ try {
+ attrs = new LDAPAttributeSet();
+ attrs.add(new LDAPAttribute("objectclass", "top"));
+ attrs.add(new LDAPAttribute("objectclass", "organizationalUnit"));
+ attrs.add(new LDAPAttribute("ou", "csusers"));
+ entry = new LDAPEntry(dn, attrs);
+ conn.add(entry);
+ } catch (LDAPException e) {
+ if (e.getLDAPResultCode() == LDAPException.ENTRY_ALREADY_EXISTS) {
+ CMS.debug("createReplicationManager: containing ou already exists");
+ } else {
+ CMS.debug("createReplicationManager: Failed to create containing ou. Exception: "
+ + e.toString());
+ throw e;
+ }
+ }
+
+ dn = "cn=" + bindUser + ",ou=csusers,cn=config";
try {
attrs = new LDAPAttributeSet();
attrs.add(new LDAPAttribute("objectclass", "top"));
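Review bot: `bindUser` is concatenated into the entry DN (`dn = "cn=" + bindUser + ",ou=csusers,cn=config";`) without escaping, so a value containing `,`, `+` or `=` would name a different entry than intended; whether the wizard validates it earlier is not visible here. Escaping the RDN before building the DN closes that, for example with the LDAP SDK's `LDAPDN.escapeRDN("cn=" + bindUser)`. The container DN is also spelled two ways (`"ou=csusers, cn=config"` and `",ou=csusers,cn=config"`); a single constant would keep them in step. The method starts and ends outside the hunk.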
diff --git a/specs/pki-core.spec b/specs/pki-core.spec
index 633487d..ad75e32 100644
--- a/specs/pki-core.spec
+++ b/specs/pki-core.spec
@@ -1,6 +1,6 @@
Name: pki-core
Version: 9.0.19
-Release: 3%{?dist}
+Release: 4%{?dist}
Summary: Certificate System - PKI Core Components
URL: http://pki.fedoraproject.org/
License: GPLv2
@@ -749,6 +749,9 @@ fi
%changelog
+* Mon May 7 2012 Ade Lee <alee at redhat.com> 9.0.19-4
+- Bugzilla Bug #819111 - non-existent container breaks replication
+
* Mon Apr 16 2012 Ade Lee <alee at redhat.com> 9.0.19-3
- Bugzilla Bug #813075 - selinux denial for file size access
commit f103db30263625858736595902863f93cff808fe
Author: Christina Fu <cfu at redhat.com>
Date: Wed May 2 16:48:19 2012 -0700
Bug 744207 - Key archival fails when KRA is configured with lunasa
- The real fix is in JSS alone; This patch only adds better error handling and non-static salt.
diff --git a/base/kra/src/com/netscape/kra/RecoveryService.java b/base/kra/src/com/netscape/kra/RecoveryService.java
index 9158db8..fd49480 100644
--- a/base/kra/src/com/netscape/kra/RecoveryService.java
+++ b/base/kra/src/com/netscape/kra/RecoveryService.java
@@ -459,11 +459,20 @@ public class RecoveryService implements IService {
SEQUENCE safeContents = new SEQUENCE();
PasswordConverter passConverter = new
PasswordConverter();
- byte salt[] = {0x01, 0x01, 0x01, 0x01};
+ Random ran = new SecureRandom();
+ byte[] salt = new byte[20];
+ ran.nextBytes(salt);
ASN1Value key = EncryptedPrivateKeyInfo.createPBE(
PBEAlgorithm.PBE_SHA1_DES3_CBC,
pass, salt, 1, passConverter, priKey, ct);
+ CMS.debug("RecoverService: createPFX() EncryptedPrivateKeyInfo.createPBE() returned");
+ if (key == null) {
+ CMS.debug("RecoverService: createPFX() key null");
+ throw new EBaseException("EncryptedPrivateKeyInfo.createPBE() failed");
+ } else {
+ CMS.debug("RecoverService: createPFX() key not null");
+ }
SET keyAttrs = createBagAttrs(
x509cert.getSubjectDN().toString(),
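Review bot: The random 20-byte salt is still combined with an iteration count of `1` in `EncryptedPrivateKeyInfo.createPBE(..., pass, salt, 1, ...)`, so the key bag in the recovered PKCS #12 gets almost no protection against offline guessing of the recovery password. Raising the count would make the new salt meaningful, e.g. `pass, salt, iterations, passConverter, priKey, ct);` with `iterations` taken from configuration; the value and its compatibility with importing clients need confirming. The `else` branch that only logs `key not null` can be dropped. `createPFX()` begins and ends outside the hunk.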
@@ -501,8 +510,11 @@ public class RecoveryService implements IService {
// put final PKCS12 into volatile request
params.put(ATTR_PKCS12, fos.toByteArray());
+ CMS.debug("RecoverService: createPFX() completed.");
} catch (Exception e) {
mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_CONSTRUCT_P12", e.toString()));
+ CMS.debug("RecoverService: createPFX() exception caught:"+
+ e.toString());
throw new EKRAException(CMS.getUserMessage("CMS_KRA_PKCS12_FAILED_1", e.toString()));
}
commit 98fed48e7731d46b93e92871dfeeb5e2d8c7337d
Author: Christina Fu <cfu at redhat.com>
Date: Tue May 1 15:00:21 2012 -0700
Bug 640046 - TPS installation wizard: unsupported module not logged in with password in password.conf
This patch allows config panel ModulePanel to log into "Other Modules" (unsupported modules).
Also to note: the modules passwords appear to be stored in pwcache.conf, not password.conf.
diff --git a/dogtag/tps-ui/shared/docroot/tps/admin/console/config/modulepanel.vm b/dogtag/tps-ui/shared/docroot/tps/admin/console/config/modulepanel.vm
index d3e525f..58efc88 100644
--- a/dogtag/tps-ui/shared/docroot/tps/admin/console/config/modulepanel.vm
+++ b/dogtag/tps-ui/shared/docroot/tps/admin/console/config/modulepanel.vm
@@ -141,7 +141,11 @@ Since a security module may consist of slots for one or more tokens, the user mu
<input type=radio name="choice" value="$token.getNickName()">
#end
</td>
- <td></td>
+ <td>
+ #if (!$token.isLoggedIn())
+<a href="wizard?p=$subpanelno&SecToken=$token.getNickName()">Login</a>
+ #end
+ </td>
</tr>
#end
#end
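Review bot: `$token.getNickName()` is written into the `href` unencoded, and token names routinely contain spaces and `/` (and could contain `&` or quotes), so the Login link can be truncated or carry extra parameters, and a quote would break out of the attribute. URL-encode the value for the query string and HTML-escape the attribute, for example `SecToken=$esc.url($token.getNickName())` if an escape tool is exposed to this template (not visible here); the separator should be written `&amp;` inside the attribute. The same unescaped nickname is used in the radio button's `value` on the context line above.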
commit df46c7f1229bb736131800cb3aa2ca5746f45092
Author: Ade Lee <alee at redhat.com>
Date: Mon Apr 16 16:06:07 2012 -0400
BZ813075 - Added selinux rule to allow finding available space.
diff --git a/patches/pki-core-selinux-Dogtag-9-f17-1.patch b/patches/pki-core-selinux-Dogtag-9-f17-1.patch
new file mode 100644
index 0000000..7a012ec
--- /dev/null
+++ b/patches/pki-core-selinux-Dogtag-9-f17-1.patch
@@ -0,0 +1,36 @@
+diff --git a/pki/base/selinux/src/pki.if b/pki/base/selinux/src/pki.if
+index 0709176..20dfc17 100644
+--- a/pki/base/selinux/src/pki.if
++++ b/pki/base/selinux/src/pki.if
+@@ -206,6 +206,21 @@ template(`pki_ca_template',`
+ optional_policy(`
+ unconfined_domain($1_script_t)
+ ')
++
++ # tomcat6 init scripts do runuser and touch lockfile
++ allow $1_t self:capability { setuid chown setgid fowner audit_write dac_override };
++ allow $1_t self:netlink_audit_socket { nlmsg_relay create read write };
++ consoletype_exec($1_t)
++ fs_read_hugetlbfs_files($1_t)
++ hostname_exec($1_t)
++ kernel_read_kernel_sysctls($1_t)
++ fs_getattr_xattr_fs($1_t)
++
++ # java (mislabeled as lib_t?) calls build_classpath
++ libs_exec_lib_files($1_t)
++
++ selinux_get_enforce_mode($1_t)
++
+ ')
+
+ ########################################
+diff --git a/pki/base/selinux/src/pki.te b/pki/base/selinux/src/pki.te
+index 7f6e657..dab02d4 100644
+--- a/pki/base/selinux/src/pki.te
++++ b/pki/base/selinux/src/pki.te
+@@ -1,4 +1,4 @@
+-policy_module(pki,9.0.2)
++policy_module(pki,9.0.4)
+
+ attribute pki_ca_config;
+ attribute pki_ca_executable;
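Review bot: The commit subject describes one rule for finding available space, but the new patch file carries a whole block for `$1_t`, including `allow $1_t self:capability { ... dac_override }` and `libs_exec_lib_files($1_t)`, with nothing marking which line answers BZ813075. Presumably most of it is carried over from the patch this file replaces and `fs_getattr_xattr_fs($1_t)` is the addition; a comment such as `# BZ813075: allow getattr on the filesystem to check free space` above that line would make the policy auditable. `dac_override` in particular deserves its own justification comment or a narrower rule, since it lets the domain bypass file permission checks.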
diff --git a/specs/pki-core.spec b/specs/pki-core.spec
index 098aea6..633487d 100644
--- a/specs/pki-core.spec
+++ b/specs/pki-core.spec
@@ -1,6 +1,6 @@
Name: pki-core
Version: 9.0.19
-Release: 2%{?dist}
+Release: 3%{?dist}
Summary: Certificate System - PKI Core Components
URL: http://pki.fedoraproject.org/
License: GPLv2
@@ -49,7 +49,7 @@ BuildRequires: tomcatjss >= 2.0.0
Source0: http://pki.fedoraproject.org/pki/sources/%{name}/%{name}-%{version}.tar.gz
Patch0: %{name}-selinux-Dogtag-9-f16.patch
-Patch1: %{name}-selinux-Dogtag-9-f17.patch
+Patch1: %{name}-selinux-Dogtag-9-f17-1.patch
%if 0%{?rhel}
ExcludeArch: ppc ppc64 s390 s390x
@@ -749,6 +749,9 @@ fi
%changelog
+* Mon Apr 16 2012 Ade Lee <alee at redhat.com> 9.0.19-3
+- Bugzilla Bug #813075 - selinux denial for file size access
+
* Tue Apr 10 2012 Christina Fu <cfu at redhat.com> 9.0.19-2
- Bugzilla Bug #745278 - [RFE] ECC encryption keys cannot be archived
commit a6879237a4623778edb1d3b507fd575d116428fe
Author: Christina Fu <cfu at redhat.com>
Date: Tue Apr 10 11:50:13 2012 -0700
Fix for Bug 745278 - [RFE] ECC encryption keys cannot be archived.
For the ECC plan and the different phases, please refer to
http://pki.fedoraproject.org/wiki/ECC_in_Dogtag
Design for each phase is on the same wiki page.
Note: the designs beyond phase 2 were more like a brain dump. Although I said
"Do Not Review," you are free to take a peek at what's intended down the road.
I will go back and take a closer look and refine/adjust the designs when I
begin implementation for each new phase.
What you need to know:
* Problem 1 - nethsm issue:
On the server side, if you turn on FIPS mode, in addition to nethsm, you need
to attach certicom as well to have ECC SSL working on the server side. This
problem has already been reported to Thales last year and they said they'd look
into putting the item on their next release. Recently through a different
contact, we learned there might be a way to "turn it on" (still waiting for
their further instruction)
* Problem 2- Certicom issue:
This is a show-stopper for deployment. Initially, on the client side, I used Kai's special
version of Xulrunner/Firefox, attached to Certicom token, so that the CRMF
requests can be generated with key archival option. However, I encountered
(or, re-encountered) an issue with certicom token. Certicom generates ECC keys
with the wrong format (not PKCS7 conforming), which makes ECC key archival
impossible on the server side if you use non-certicom token with DRM (but we
expect an HSM in most product deployment). I have contacted Certicom for this
issue, and they confirmed that they indeed have such issue. We are hoping they will fix it.
But then you might ask, "I thought I saw some ECC enrollment
profiles/javascripts being checked in? How were the tests done?" The tests for
those profiles were done against this ECC key archival/recovery DRM prototype I
implemented last year (needs to be turned on manually in 8.1), where I
"cheated" (yeah, that's why it's called a prototype) by decrypting the private
key in the CRMF on DRM, and then manipulating the byte array to strip off the
offending bytes before archival.
In the real, non-prototype implementation, which is what's in this patch, for
security reasons, private keys are unwrapped directly onto the token during key
archival, so there is no way to manipulate the keys in memory and bypass the
Certicom issue.
A word about Kai's special version of Xulrunner/Firefox. It is not yet
publicly available (due out in Firefox 10.0.4 on RHEL 5.8).
* Problem 3- Firefox with nethsm issue:
Another option was to connect Kai's special version firefox with an HSM to test
my DRM/JSS code. However, for whatever reason, I could not get SSL going
between such Firefox and ECC CA ( I did not try very hard though, as I have one
other option -- writing my own ECC CRMF generation tool. I might come back to
try the nethsm Firefox idea later)
My solution (how I work on this official implementation):
* I hacked up a ECC CRMF tool by taking the CRMFPopClient (existing in current
releases), gutting out the RSA part of the code, and replacing it with ECC
code. I call it CRMFPopClientEC. Two types of ECC key pairs could be
generated: ECDSA or ECDH (That's another benefit of writing my own tool -- I
don't know if you can select which type to generate in the Javascript... maybe
you can, I just don't know). I'm in no way condoning archival of signing
keys!! This is just a test tool.
This tool takes a curve name as option (along with others), generates an ECC
key pair, crafts up an CRMF request with key archival option, and sends request
directly to the specified CA. You will see a "Deferred" message in the HTML
response (see attachment for example)
Once CA agent approves the request, the archival request goes to DRM and the
user private key is archived.
For recovery, DRM agent selects key recovery, etc, and you get your pkcs12.
I did some sanity test with the pkcs12 recovered:
* Import the recovered pkcs12 into a certicom library:
pk12util -d . -h "Certicom FIPS Cert/Key Services" -i userEC.p12
I also tested by retrieving a p12, importing it into a browser, and adding the
user as an agent and the user could act as agent via ssl client auth to the CA.
Finally, much of the RSA-centric code had been cleared out of the way at the
time when I worked on the DRM ECC prototype, so you don't see much of that in
this round.
How do you test? Well, unless you want to use my CRMFPopClientEC tool hooked up
with a nethsm (like I did), or write your own tool, you can't really test it
until Certicom fixes their issue. (BTW CRMFPopClientEC can also be changed to
work with ceriticom, although you would run into the same issue I mentioned
above)
diff --git a/base/common/src/com/netscape/certsrv/dbs/keydb/IKeyRecord.java b/base/common/src/com/netscape/certsrv/dbs/keydb/IKeyRecord.java
index f795ff9..f86d64b 100644
--- a/base/common/src/com/netscape/certsrv/dbs/keydb/IKeyRecord.java
+++ b/base/common/src/com/netscape/certsrv/dbs/keydb/IKeyRecord.java
@@ -87,6 +87,13 @@ public interface IKeyRecord {
public Integer getKeySize() throws EBaseException;
/**
+ * Retrieves meta info.
+ *
+ * @return MetaInfo
+ */
+ public MetaInfo getMetaInfo();
+
+ /**
* Retrieves archiver identifier.
*
* @return archiver uid
diff --git a/base/common/src/com/netscape/cms/servlet/csadmin/SizePanel.java b/base/common/src/com/netscape/cms/servlet/csadmin/SizePanel.java
index 810e893..0a72a8e 100644
--- a/base/common/src/com/netscape/cms/servlet/csadmin/SizePanel.java
+++ b/base/common/src/com/netscape/cms/servlet/csadmin/SizePanel.java
@@ -500,14 +500,14 @@ public class SizePanel extends WizardPanelBase {
CMS.debug("SizePanel: createECCKeypair: sslserver cert for ECDH. Make sure server.xml is set properly with -TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA");
pair = CryptoUtil.generateECCKeyPair(token, curveName,
null,
- ECDH_usages_mask);
+ ECDH_usages_mask, false, -1, -1);
} else {
if (ct.equals("sslserver")) {
CMS.debug("SizePanel: createECCKeypair: sslserver cert for ECDHE. Make sure server.xml is set properly with +TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA");
}
pair = CryptoUtil.generateECCKeyPair(token, curveName,
null,
- usages_mask);
+ usages_mask, false, -1, -1);
}
// XXX - store curve , w
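Review bot: Both calls now pass `false, -1, -1` for `temporary`, `sensitive` and `extractable` with no indication of what `-1` selects, and these flags decide whether the generated system key can leave the token. Name the values or comment the call once the meaning is confirmed against the JSS key pair generator, e.g. `usages_mask, false /* temporary */, -1 /* sensitive: token default? */, -1 /* extractable: token default? */);`. The enclosing method starts and ends outside the hunk.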
diff --git a/base/common/src/com/netscape/cms/servlet/key/KeyRecordParser.java b/base/common/src/com/netscape/cms/servlet/key/KeyRecordParser.java
index 43e772c..7dfc806 100644
--- a/base/common/src/com/netscape/cms/servlet/key/KeyRecordParser.java
+++ b/base/common/src/com/netscape/cms/servlet/key/KeyRecordParser.java
@@ -20,6 +20,7 @@ package com.netscape.cms.servlet.key;
import com.netscape.cms.servlet.common.*;
import com.netscape.cms.servlet.base.*;
+import com.netscape.certsrv.dbs.keydb.IKeyRecord;
import java.io.*;
import java.util.*;
@@ -52,6 +53,7 @@ public class KeyRecordParser {
public final static String OUT_KEY_ALGORITHM = "keyAlgorithm";
public final static String OUT_PUBLIC_KEY = "publicKey";
public final static String OUT_KEY_LEN = "keyLength";
+ public final static String OUT_KEY_EC_CURVE = "EllipticCurve";
public final static String OUT_ARCHIVED_BY = "archivedBy";
public final static String OUT_ARCHIVED_ON = "archivedOn";
public final static String OUT_RECOVERED_BY = "recoveredBy";
@@ -86,6 +88,16 @@ public class KeyRecordParser {
} else {
rarg.addIntegerValue(OUT_KEY_LEN, keySize.intValue());
}
+
+ // handles EC
+ MetaInfo metaInfo = rec.getMetaInfo();
+ if (metaInfo != null) {
+ String curve = (String)metaInfo.get(OUT_KEY_EC_CURVE);
+ if (curve != null) {
+ rarg.addStringValue(OUT_KEY_EC_CURVE, curve);
+ }
+ }
+
rarg.addStringValue(OUT_ARCHIVED_BY,
rec.getArchivedBy());
rarg.addLongValue(OUT_ARCHIVED_ON,
diff --git a/base/common/src/com/netscape/cmscore/dbs/KeyRecord.java b/base/common/src/com/netscape/cmscore/dbs/KeyRecord.java
index 7b6fcdb..43eb7ce 100644
--- a/base/common/src/com/netscape/cmscore/dbs/KeyRecord.java
+++ b/base/common/src/com/netscape/cmscore/dbs/KeyRecord.java
@@ -265,6 +265,16 @@ public class KeyRecord implements IDBObj, IKeyRecord {
}
/**
+ * Retrieves the metaInfo.
+ * <P>
+ *
+ * @return metaInfo
+ */
+ public MetaInfo getMetaInfo() {
+ return mMetaInfo;
+ }
+
+ /**
* Sets key size.
* <P>
*/
@@ -327,10 +337,6 @@ public class KeyRecord implements IDBObj, IKeyRecord {
return mAlgorithm;
}
- public MetaInfo getMetaInfo() {
- return mMetaInfo;
- }
-
/**
* Retrieves the creation time of this record.
*/
diff --git a/base/kra/src/com/netscape/kra/EncryptionUnit.java b/base/kra/src/com/netscape/kra/EncryptionUnit.java
index 422eb3a..2a0e095 100644
--- a/base/kra/src/com/netscape/kra/EncryptionUnit.java
+++ b/base/kra/src/com/netscape/kra/EncryptionUnit.java
@@ -371,6 +371,7 @@ public abstract class EncryptionUnit implements IEncryptionUnit {
PrivateKey.Type keytype = null;
String alg = pubKey.getAlgorithm();
+ CMS.debug("EncryptionUnit.unwrap alg ="+ alg);
if (alg.equals("DSA")) {
keytype = PrivateKey.DSA;
} else if (alg.equals("EC")) {
@@ -385,21 +386,26 @@ public abstract class EncryptionUnit implements IEncryptionUnit {
} catch (TokenException e) {
CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_UNWRAP", e.toString()));
Debug.trace("EncryptionUnit::unwrap " + e.toString());
+ CMS.debug("EncryptionUnit.unwrap "+ e.toString());
return null;
} catch (NoSuchAlgorithmException e) {
CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_UNWRAP", e.toString()));
Debug.trace("EncryptionUnit::unwrap " + e.toString());
+ CMS.debug("EncryptionUnit.unwrap "+ e.toString());
return null;
} catch (InvalidAlgorithmParameterException e) {
CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_UNWRAP", e.toString()));
Debug.trace("EncryptionUnit::unwrap " + e.toString());
+ CMS.debug("EncryptionUnit.unwrap "+ e.toString());
return null;
} catch (InvalidKeyException e) {
CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_UNWRAP", e.toString()));
Debug.trace("EncryptionUnit::unwrap " + e.toString());
+ CMS.debug("EncryptionUnit.unwrap "+ e.toString());
return null;
} catch (Exception e) {
CMS.debug("EncryptionUnit.unwrap : Exception:"+e.toString());
+ CMS.debug("EncryptionUnit.unwrap "+ e.toString());
return null;
}
}
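Review bot: In the final `catch (Exception e)` the added `CMS.debug("EncryptionUnit.unwrap "+ e.toString());` repeats the line directly above it, so the same exception text is logged twice. Every handler here also returns `null`, which callers must check before using the key. Since the handlers differ only in the logger call, one helper that logs once and returns `null` would be easier to keep consistent. The method begins outside the hunk.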
diff --git a/base/kra/src/com/netscape/kra/EnrollmentService.java b/base/kra/src/com/netscape/kra/EnrollmentService.java
index 2dfc188..3cdc803 100644
--- a/base/kra/src/com/netscape/kra/EnrollmentService.java
+++ b/base/kra/src/com/netscape/kra/EnrollmentService.java
@@ -17,7 +17,6 @@
// --- END COPYRIGHT BLOCK ---
package com.netscape.kra;
-
import java.util.StringTokenizer;
import java.util.Vector;
import java.util.Arrays;
@@ -33,7 +32,11 @@ import netscape.security.util.*;
import netscape.security.util.BigInt;
import netscape.security.x509.*;
import org.mozilla.jss.CryptoManager;
+import org.mozilla.jss.pkcs11.PK11ECPublicKey;
+import org.mozilla.jss.pkcs11.PK11ParameterSpec;
+import org.mozilla.jss.crypto.*;
import org.mozilla.jss.asn1.*;
+import org.mozilla.jss.asn1.OBJECT_IDENTIFIER;
import org.mozilla.jss.pkix.cms.*;
import org.mozilla.jss.pkix.cms.EnvelopedData;
//import org.mozilla.jss.pkcs7.*;
@@ -42,6 +45,7 @@ import org.mozilla.jss.pkix.crmf.EncryptedKey;
import org.mozilla.jss.pkix.crmf.EncryptedKey.Type;
import org.mozilla.jss.pkix.primitive.*;
import org.mozilla.jss.pkix.primitive.AVA;
+import com.netscape.certsrv.dbs.keydb.IKeyRecord;
import com.netscape.certsrv.util.*;
import com.netscape.certsrv.logging.*;
import com.netscape.certsrv.security.*;
@@ -55,6 +59,7 @@ import com.netscape.certsrv.dbs.keydb.*;
import com.netscape.certsrv.request.*;
import com.netscape.certsrv.authentication.*;
import com.netscape.certsrv.apps.CMS;
+import com.netscape.cms.servlet.key.KeyRecordParser;
/**
@@ -72,7 +77,7 @@ import com.netscape.certsrv.apps.CMS;
* <P>
*
* @author thomask (original)
- * @author cfu (non-RSA keys; private keys secure handling);
+ * @author cfu (partial RFC4211; non-RSA keys; private keys secure handling)
* @version $Revision$, $Date$
*/
public class EnrollmentService implements IService {
@@ -136,6 +141,17 @@ public class EnrollmentService implements IService {
*/
public boolean serviceRequest(IRequest request)
throws EBaseException {
+ CryptoManager cm = null;
+ IConfigStore config = null;
+ Boolean allowEncDecrypt_archival = false;
+
+ try {
+ cm = CryptoManager.getInstance();
+ config = CMS.getConfigStore();
+ allowEncDecrypt_archival = config.getBoolean("kra.allowEncDecrypt.archival", false);
+ } catch (Exception e) {
+ throw new EBaseException(CMS.getUserMessage("CMS_BASE_CERT_ERROR", e.toString()));
+ }
IStatsSubsystem statsSub = (IStatsSubsystem)CMS.getSubsystem("stats");
if (statsSub != null) {
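Review bot: `kra.allowEncDecrypt.archival` switches archival from unwrapping onto the token to decrypting the private key into a JVM byte array, but nothing where it is read says so. Add a comment such as `// true = decrypt key into memory (legacy path); false = unwrap directly on the token` and consider logging when the flag is enabled. Declaring it as primitive `boolean` rather than `Boolean` avoids the unboxing in the later `== true` / `== false` comparisons. The `catch` maps every failure, including an uninitialised CryptoManager, to `CMS_BASE_CERT_ERROR`, which may mislead; `cm` is not used in the visible hunks.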
@@ -162,6 +178,7 @@ public class EnrollmentService implements IService {
mKRA.log(ILogger.LL_INFO, "KRA services enrollment request");
// unwrap user key with transport
byte unwrapped[] = null;
+ byte tmp_unwrapped[] = null;
PKIArchiveOptionsContainer aOpts[] = null;
String profileId = request.getExtDataInString("profileId");
@@ -199,13 +216,14 @@ public class EnrollmentService implements IService {
for (int i = 0; i < aOpts.length; i++) {
ArchiveOptions opts = new ArchiveOptions(aOpts[i].mAO);
+ if (allowEncDecrypt_archival == true) {
if (statsSub != null) {
statsSub.startTiming("decrypt_user_key");
}
mKRA.log(ILogger.LL_INFO, "KRA decrypts external private");
if (CMS.debugOn())
CMS.debug("EnrollmentService::about to decryptExternalPrivate");
- unwrapped = mTransportUnit.decryptExternalPrivate(
+ tmp_unwrapped = mTransportUnit.decryptExternalPrivate(
opts.getEncSymmKey(),
opts.getSymmAlgOID(),
opts.getSymmAlgParams(),
@@ -215,7 +233,7 @@ public class EnrollmentService implements IService {
}
if (CMS.debugOn())
CMS.debug("EnrollmentService::finished decryptExternalPrivate");
- if (unwrapped == null) {
+ if (tmp_unwrapped == null) {
mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_UNWRAP_USER_KEY"));
auditMessage = CMS.getLogMessage(
@@ -230,6 +248,17 @@ public class EnrollmentService implements IService {
CMS.getUserMessage("CMS_KRA_INVALID_PRIVATE_KEY"));
}
+ /* making sure leading 0's are removed */
+ int first=0;
+ for (int j=0; (j< tmp_unwrapped.length) && (tmp_unwrapped[j]==0); j++) {
+ first++;
+ }
+ unwrapped = Arrays.copyOfRange(tmp_unwrapped, first, tmp_unwrapped.length);
+ } /*else { allowEncDecrypt_archival != true
+ this is done below with unwrap()
+ }
+ */
+
// retrieve pubic key
X509Key publicKey = getPublicKey(request, aOpts[i].mReqPos);
byte publicKeyData[] = publicKey.getEncoded();
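Review bot: After `unwrapped = Arrays.copyOfRange(tmp_unwrapped, first, tmp_unwrapped.length);` the original buffer still holds the decrypted private key and is left for the garbage collector, so the plaintext now exists twice on the heap. Clear it as soon as the copy is made: `Arrays.fill(tmp_unwrapped, (byte) 0);`. Whether `unwrapped` itself is wiped after `encryptInternalPrivate` is outside the visible hunks and worth checking at the same time.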
@@ -251,29 +280,55 @@ public class EnrollmentService implements IService {
CMS.getUserMessage("CMS_KRA_INVALID_PUBLIC_KEY"));
}
- /* Bugscape #54948 - verify public and private key before archiving key */
+ String keyAlg = publicKey.getAlgorithm();
+ CMS.debug("EnrollmentService: algorithm of key to archive is: "+ keyAlg);
- if (statsSub != null) {
- statsSub.startTiming("verify_key");
- }
- if (verifyKeyPair(publicKeyData, unwrapped) == false) {
- mKRA.log(ILogger.LL_FAILURE,
- CMS.getLogMessage("CMSCORE_KRA_PUBLIC_NOT_FOUND"));
+ PublicKey pubkey = null;
+ org.mozilla.jss.crypto.PrivateKey entityPrivKey = null;
+ if ( allowEncDecrypt_archival == false) {
+ try {
+ pubkey = X509Key.parsePublicKey (new DerValue(publicKeyData));
+ } catch (Exception e) {
+ CMS.debug("EnrollmentService: parsePublicKey:"+e.toString());
+ throw new EKRAException(
+ CMS.getUserMessage("CMS_KRA_INVALID_PUBLIC_KEY"));
+ }
+ entityPrivKey =
+ mTransportUnit.unwrap(
+ opts.getEncSymmKey(),
+ opts.getSymmAlgOID(),
+ opts.getSymmAlgParams(),
+ opts.getEncValue(),
+ (PublicKey) pubkey);
+ } // !allowEncDecrypt_archival
+ if (keyAlg.equals("RSA") && (allowEncDecrypt_archival == true)) {
- auditMessage = CMS.getLogMessage(
+ /* Bugscape #54948 - verify public and private key before archiving key */
+
+ if (statsSub != null) {
+ statsSub.startTiming("verify_key");
+ }
+ // verifyKeyPair() is RSA-centric
+ if (verifyKeyPair(publicKeyData, unwrapped) == false) {
+ mKRA.log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSCORE_KRA_PUBLIC_NOT_FOUND"));
+
+
+ auditMessage = CMS.getLogMessage(
LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
auditSubjectID,
ILogger.FAILURE,
auditRequesterID,
auditArchiveID);
- audit(auditMessage);
- throw new EKRAException(
+ audit(auditMessage);
+ throw new EKRAException(
CMS.getUserMessage("CMS_KRA_INVALID_PUBLIC_KEY"));
- }
- if (statsSub != null) {
- statsSub.endTiming("verify_key");
+ }
+ if (statsSub != null) {
+ statsSub.endTiming("verify_key");
+ }
}
/**
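Review bot: On the `allowEncDecrypt_archival == false` path the result of `mTransportUnit.unwrap(...)` is never checked, and `EncryptionUnit.unwrap` (presumably the method behind this call) returns `null` from every catch block, so a failed unwrap reaches `mStorageUnit.wrap(entityPrivKey)` later in the method instead of producing the audited failure the decrypt path has. That path also skips `verifyKeyPair`, so nothing visible confirms that the archived private key matches the public key in the request; if the token cannot check this, it deserves at least a comment. A null check with the same audit event as the other failures is sketched below; serviceRequest starts and ends outside the hunk.

```java
                        (PublicKey) pubkey);
    // … unchanged: the unwrap call above …
    if (entityPrivKey == null) {
        mKRA.log(ILogger.LL_FAILURE,
            CMS.getLogMessage("CMSCORE_KRA_UNWRAP_USER_KEY"));
        auditMessage = CMS.getLogMessage(
            LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
            auditSubjectID,
            ILogger.FAILURE,
            auditRequesterID,
            auditArchiveID);
        audit(auditMessage);
        throw new EKRAException(
            CMS.getUserMessage("CMS_KRA_INVALID_PRIVATE_KEY"));
    }
} // !allowEncDecrypt_archival
```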
@@ -306,8 +361,15 @@ public class EnrollmentService implements IService {
if (statsSub != null) {
statsSub.startTiming("encrypt_user_key");
}
- byte privateKeyData[] = mStorageUnit.encryptInternalPrivate(
+ byte privateKeyData[] = null;
+
+ if (allowEncDecrypt_archival == true) {
+ privateKeyData = mStorageUnit.encryptInternalPrivate(
unwrapped);
+ } else {
+ privateKeyData = mStorageUnit.wrap(entityPrivKey);
+ }
+
if (statsSub != null) {
statsSub.endTiming("encrypt_user_key");
}
@@ -345,24 +407,55 @@ public class EnrollmentService implements IService {
throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_KEYRECORD"));
}
- // we deal with RSA key only
- try {
- RSAPublicKey rsaPublicKey = new RSAPublicKey(publicKeyData);
+ if (keyAlg.equals("RSA")) {
+ try {
+ RSAPublicKey rsaPublicKey = new RSAPublicKey(publicKeyData);
- rec.setKeySize(Integer.valueOf(rsaPublicKey.getKeySize()));
- } catch (InvalidKeyException e) {
+ rec.setKeySize(Integer.valueOf(rsaPublicKey.getKeySize()));
+ } catch (InvalidKeyException e) {
- auditMessage = CMS.getLogMessage(
+ auditMessage = CMS.getLogMessage(
LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
auditSubjectID,
ILogger.FAILURE,
auditRequesterID,
auditArchiveID);
- audit(auditMessage);
- throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_KEYRECORD"));
- }
+ audit(auditMessage);
+ throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_KEYRECORD"));
+ }
+ } else if (keyAlg.equals("EC")) {
+ String oidDescription = "UNDETERMINED";
+ // for KeyRecordParser
+ MetaInfo metaInfo = new MetaInfo();
+ try {
+ byte curve[] =
+ ASN1Util.getECCurveBytesByX509PublicKeyBytes(publicKeyData,
+ false /* without tag and size */);
+ if (curve.length != 0) {
+ oidDescription = ASN1Util.getOIDdescription(curve);
+ } else {
+ /* this is to be used by derdump */
+ byte curveTS[] =
+ ASN1Util.getECCurveBytesByX509PublicKeyBytes(publicKeyData,
+ true /* with tag and size */);
+ if (curveTS.length != 0) {
+ oidDescription = CMS.BtoA(curveTS);
+ }
+ }
+ } catch (Exception e) {
+ CMS.debug("EnrollmentService: ASN1Util.getECCurveBytesByX509PublicKeyByte() throws exception: "+ e.toString());
+ CMS.debug("EnrollmentService: exception alowed. continue");
+ }
+
+ metaInfo.set(KeyRecordParser.OUT_KEY_EC_CURVE,
+ oidDescription);
+
+ rec.set(IKeyRecord.ATTR_META_INFO, metaInfo);
+ // key size does not apply to EC;
+ rec.setKeySize(-1);
+ }
// if record alreay has a serial number, yell out.
if (rec.getSerialNumber() != null) {
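Review bot: A key whose algorithm is neither `RSA` nor `EC` now falls through both branches and is archived with no key size, no meta info and no log entry; an explicit `else` that at least logs `keyAlg` (or rejects the request) would make that case visible. In the EC branch the broad `catch (Exception e)` lets archival continue with the curve recorded as `UNDETERMINED`; if recovery or the agent UI relies on `EllipticCurve`, that should be an audited failure rather than a debug line. The enclosing method continues outside the hunk.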
@@ -504,6 +597,9 @@ public class EnrollmentService implements IService {
return true;
}
+ /*
+ * verifyKeyPair() is RSA-centric
+ */
public boolean verifyKeyPair(byte publicKeyData[], byte privateKeyData[])
{
try {
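Review bot: The new comment on verifyKeyPair() says the check is RSA-centric but not what that means for an EC key pair, which the archival path earlier in this file now accepts. From the visible lines a reader cannot tell whether an EC private key is archived without any public/private match check, or whether the caller skips or replaces this call. Once the caller's behaviour is confirmed, I would state it in the comment, e.g. `* verifyKeyPair() is RSA-centric: EC key pairs are not checked here, see <caller> for how they are handled`. The method body continues outside the hunk.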
diff --git a/base/kra/src/com/netscape/kra/RecoveryService.java b/base/kra/src/com/netscape/kra/RecoveryService.java
index da3c3a8..9158db8 100644
--- a/base/kra/src/com/netscape/kra/RecoveryService.java
+++ b/base/kra/src/com/netscape/kra/RecoveryService.java
@@ -360,10 +360,9 @@ public class RecoveryService implements IService {
public synchronized PrivateKey recoverKey(Hashtable request, KeyRecord keyRecord, boolean isRSA)
throws EBaseException {
- if (!isRSA) {
- CMS.debug("RecoverService: recoverKey: currently, non-RSA keys are not supported when allowEncDecrypt_ is false");
- throw new EKRAException(CMS.getUserMessage("CMS_KRA_RECOVERY_FAILED_1", "key type not supported"));
- }
+ CMS.debug("RecoverService: recoverKey: key to recover is RSA? "+
+ isRSA);
+
try {
if (CMS.getConfigStore().getBoolean("kra.keySplitting")) {
Credential creds[] = (Credential[])
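Review bot: With the `!isRSA` rejection removed, `isRSA` is used only in a debug line in the visible part of recoverKey(), so nothing here shows a non-RSA key being treated differently from an RSA one. If the rest of the method (outside this hunk) still performs RSA-specific steps, an EC record would fail later with a less specific error than the removed `CMS_KRA_RECOVERY_FAILED_1` message. Worth confirming, and worth a comment at the top of the body such as `// EC keys are accepted here; any RSA-only step below must be guarded by isRSA`. The log prefix also reads `RecoverService` while the class is `RecoveryService`, which makes the line harder to find when searching logs.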
diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
index ab00de3..d48fe4a 100644
--- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
+++ b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
@@ -160,15 +160,43 @@ public class CryptoUtil {
NoSuchTokenException,
NoSuchAlgorithmException,
TokenException {
+ return generateECCKeyPair(token, keysize, usage_ops, usage_mask,
+ false, -1, -1);
+ }
+
+ /*
+ * temporary, sensitive, and extractable usages are per defined in
+ * JSS pkcs11/PK11KeyPairGenerator.java
+ */
+ public static KeyPair generateECCKeyPair(String token, int keysize,
+ org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage[] usage_ops,
+ org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage[] usage_mask,
+ boolean temporary, int sensitive, int extractable)
+ throws CryptoManager.NotInitializedException,
+ NoSuchTokenException,
+ NoSuchAlgorithmException,
+ TokenException {
CryptoToken t = getTokenByName(token);
KeyPairAlgorithm alg = KeyPairAlgorithm.EC;
- KeyPairGenerator g = t.getKeyPairGenerator(alg);
+ KeyPairGenerator keygen = t.getKeyPairGenerator(alg);
- g.setKeyPairUsages(usage_ops, usage_mask);
- g.initialize(keysize);
+ keygen.setKeyPairUsages(usage_ops, usage_mask);
+ keygen.temporaryPairs(temporary);
- KeyPair pair = g.genKeyPair();
+ if (sensitive == 1 )
+ keygen.sensitivePairs(true);
+ else if (sensitive == 0)
+ keygen.sensitivePairs(false);
+
+ if (extractable == 1 )
+ keygen.extractablePairs(true);
+ else if (extractable == 0)
+ keygen.extractablePairs(false);
+
+ keygen.initialize(keysize);
+
+ KeyPair pair = keygen.genKeyPair();
return pair;
}
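Review bot: `sensitive` and `extractable` are ints for which only 1 and 0 have an effect; any other value, not just the -1 the older overload passes, silently leaves the generator's setting untouched. A caller that passes a wrong value for `extractable` therefore gets no error, and whether the private key is extractable then depends on the token default. The block comment should spell out the three values (1 = set true, 0 = set false, -1 = leave as is), and the method should reject anything else, e.g. `if (extractable < -1 || extractable > 1) throw new IllegalArgumentException("extractable must be -1, 0 or 1");` with the same check for `sensitive`. The same attribute-setting sequence is repeated in the CryptoToken/curveName overload further down; a private helper that takes the KeyPairGenerator would keep the two copies from drifting apart.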
@@ -203,6 +231,19 @@ public class CryptoUtil {
return generateECCKeyPair(t, curveName, usage_ops, usage_mask);
}
+ public static KeyPair generateECCKeyPair(String token, String curveName,
+ org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage[] usage_ops,
+ org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage[] usage_mask,
+ boolean temporary, int sensitive, int extractable)
+ throws CryptoManager.NotInitializedException,
+ NoSuchTokenException,
+ NoSuchAlgorithmException,
+ TokenException {
+ CryptoToken t = getTokenByName(token);
+ return generateECCKeyPair(t, curveName, usage_ops, usage_mask,
+ temporary, sensitive, extractable);
+ }
+
public static KeyPair generateECCKeyPair(CryptoToken token, String curveName,
org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage[] usage_ops,
org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage[] usage_mask)
@@ -210,23 +251,51 @@ public class CryptoUtil {
NoSuchTokenException,
NoSuchAlgorithmException,
TokenException {
+ return generateECCKeyPair(token, curveName, usage_ops, usage_mask,
+ false, -1, -1);
+ }
+
+ /*
+ * temporary, sensitive, and extractable usages are per defined in
+ * JSS pkcs11/PK11KeyPairGenerator.java
+ */
+ public static KeyPair generateECCKeyPair(CryptoToken token, String curveName,
+ org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage[] usage_ops,
+ org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage[] usage_mask,
+ boolean temporary, int sensitive, int extractable)
+ throws CryptoManager.NotInitializedException,
+ NoSuchTokenException,
+ NoSuchAlgorithmException,
+ TokenException {
KeyPairAlgorithm alg = KeyPairAlgorithm.EC;
- KeyPairGenerator g = token.getKeyPairGenerator(alg);
+ KeyPairGenerator keygen = token.getKeyPairGenerator(alg);
+
+ keygen.setKeyPairUsages(usage_ops, usage_mask);
+ keygen.temporaryPairs(temporary);
+
+ if (sensitive == 1 )
+ keygen.sensitivePairs(true);
+ else if (sensitive == 0)
+ keygen.sensitivePairs(false);
+
+ if (extractable == 1 )
+ keygen.extractablePairs(true);
+ else if (extractable == 0)
+ keygen.extractablePairs(false);
- g.setKeyPairUsages(usage_ops, usage_mask);