[Pki-devel] [pki-devel][PATCH]
Ticket: TPS throws "err=6" when attempting to format and e :
https://fedorahosted.org/pki/ticket/2544
Fix tested on standard card, it does what it is supposed to do. It checks first
to make sure the lifecycle
state needs to be changed before attempting to do so. This will prevent any
cards that return an error when
one tries to over write the value with the same value it had before.
From bc03fc3c6f124dfaac33946c6983bde9b106af89 Mon Sep 17 00:00:00 2001
From: Jack Magne
Date: Tue, 15 Nov 2016 17:37:07 -0800
Subject: [PATCH] Change lifecycle at end of enrollment if it is not already
set.
---
base/common/src/org/dogtagpki/tps/apdu/APDU.java | 3 +-
.../org/dogtagpki/tps/apdu/GetLifecycleAPDU.java | 19 ++
.../server/tps/processor/TPSEnrollProcessor.java | 17 -
.../server/tps/processor/TPSProcessor.java | 41 ++
4 files changed, 78 insertions(+), 2 deletions(-)
create mode 100644 base/common/src/org/dogtagpki/tps/apdu/GetLifecycleAPDU.java
diff --git a/base/common/src/org/dogtagpki/tps/apdu/APDU.java b/base/common/src/org/dogtagpki/tps/apdu/APDU.java
index 86f07ee..390252f 100644
--- a/base/common/src/org/dogtagpki/tps/apdu/APDU.java
+++ b/base/common/src/org/dogtagpki/tps/apdu/APDU.java
@@ -56,7 +56,8 @@ public abstract class APDU {
APDU_IMPORT_KEY_ENC,
APDU_SET_ISSUERINFO,
APDU_GET_ISSUERINFO,
-APDU_GENERATE_KEY_ECC
+APDU_GENERATE_KEY_ECC,
+APDU_GET_LIFECYCLE
}
protected byte cla;
diff --git a/base/common/src/org/dogtagpki/tps/apdu/GetLifecycleAPDU.java b/base/common/src/org/dogtagpki/tps/apdu/GetLifecycleAPDU.java
new file mode 100644
index 000..3f82be1
--- /dev/null
+++ b/base/common/src/org/dogtagpki/tps/apdu/GetLifecycleAPDU.java
@@ -0,0 +1,19 @@
+package org.dogtagpki.tps.apdu;
+
+
+public class GetLifecycleAPDU extends APDU {
+public GetLifecycleAPDU() {
+setCLA((byte) 0xB0);
+setINS((byte) 0xf2);
+setP1((byte) 0x0);
+setP2((byte) 0x0);
+}
+
+@Override
+public Type getType()
+{
+return Type.APDU_GET_LIFECYCLE;
+}
+
+
+}
diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java
index 31d3eed..1bdcf02 100644
--- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java
+++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java
@@ -100,6 +100,12 @@ public class TPSEnrollProcessor extends TPSProcessor {
AppletInfo appletInfo = null;
TokenRecord tokenRecord = null;
+
+byte lifecycleState = (byte) 0xf0;
+
+
+lifecycleState = getLifecycleState();
+
try {
appletInfo = getAppletInfo();
auditOpRequest("enroll", appletInfo, "success", null);
@@ -542,7 +548,16 @@ public class TPSEnrollProcessor extends TPSProcessor {
writeIssuerInfoToToken(channel, appletInfo);
statusUpdate(99, "PROGRESS_SET_LIFECYCLE");
-channel.setLifeycleState((byte) 0x0f);
+
+
+
+if( lifecycleState != 0x0f) {
+channel.setLifeycleState((byte) 0x0f);
+} else {
+CMS.debug(method + " No need to reset lifecycle state, it is already at the proper value.");
+}
+
+
//update the tokendb with new certs
CMS.debug(method + " updating tokendb with certs.");
try {
diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
index 582e3f9..75314b7 100644
--- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
+++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
@@ -60,6 +60,7 @@ import org.dogtagpki.server.tps.mapping.FilterMappingParams;
import org.dogtagpki.tps.apdu.APDU;
import org.dogtagpki.tps.apdu.APDUResponse;
import org.dogtagpki.tps.apdu.GetDataAPDU;
+import org.dogtagpki.tps.apdu.GetLifecycleAPDU;
import org.dogtagpki.tps.apdu.GetStatusAPDU;
import org.dogtagpki.tps.apdu.GetVersionAPDU;
import org.dogtagpki.tps.apdu.InitializeUpdateAPDU;
@@ -387,6 +388,44 @@ public class TPSProcessor {
}
+protected byte getLifecycleState() {
+
+byte resultState = 0xf;
+
+String method = "TPSProcessor.getLifecycleState:";
+CMS.debug(".getLifecycleState: ");
+
+GetLifecycleAPDU getLifecycle = new GetLifecycleAPDU();
+
+try {
+
+selectCoolKeyApplet();
+
+APDUResponse response = handleAPDURequest(getLifecycle);
+
+if (!response.checkResult()) {
+return resultState;
+}
+
+TPSBuffer result = response.getResultDataNoCode();
+
+CMS.debug(method + " result size: " + result.size());
+
+if (result.size() >= 1) {
+resultState = result.at(0);
+
+CMS.debug(method + " result: "
[Pki-devel] [pki-devel][PATCH]
CA in the certificate profiles the startTime parameter is not working as
expected.
This simple fix addresses an overflow in the "startTime" paramenter in 4
places in the code. I felt that honing in only on the startTime value was the
best way to go. In some of the files other than ValidityDefault.java, there
were possibly some values that could be changed from int to long. Due to the
complexity of some of the calculations involved in some of those cases, it is
best to fix the exact issue at hand instead of introducing some other possible
side effects.
Tested with a simple enrollment in the caUserCert profile by setting the
startTime constraint to the offending value listed in the ticket/bug. The
correct start time 30 days in the future was calculated and made part of the
cert.
Issue:
https://pagure.io/dogtagpki/issue/2520From 91d7f82be94532a691768021a0661efd6a93e093 Mon Sep 17 00:00:00 2001
From: Jack Magne
Date: Wed, 26 Apr 2017 15:21:39 -0700
Subject: [PATCH] CA in the certificate profiles the startTime parameter is not
working as expected.
This simple fix addresses an overflow in the "startTime" paramenter in 4 places in the code. I felt that honing in only on the startTime value was the best way to go. In some of the files other than ValidityDefault.java, there were possibly some values that could be changed from int to long. Due to the complexity of some of the calculations involved in some of those cases, it is best to fix the exact issue at hand instead of introducing some other possible side effects.
---
.../src/com/netscape/cms/profile/def/CAValidityDefault.java | 12 ++--
.../cms/profile/def/PrivateKeyUsagePeriodExtDefault.java | 4 ++--
.../netscape/cms/profile/def/RandomizedValidityDefault.java | 2 +-
.../src/com/netscape/cms/profile/def/ValidityDefault.java| 10 +-
4 files changed, 14 insertions(+), 14 deletions(-)
diff --git a/base/server/cms/src/com/netscape/cms/profile/def/CAValidityDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/CAValidityDefault.java
index 2df256e..2ecd484 100644
--- a/base/server/cms/src/com/netscape/cms/profile/def/CAValidityDefault.java
+++ b/base/server/cms/src/com/netscape/cms/profile/def/CAValidityDefault.java
@@ -24,6 +24,11 @@ import java.util.Calendar;
import java.util.Date;
import java.util.Locale;
+import netscape.security.x509.BasicConstraintsExtension;
+import netscape.security.x509.CertificateValidity;
+import netscape.security.x509.PKIXExtensions;
+import netscape.security.x509.X509CertInfo;
+
import com.netscape.certsrv.apps.CMS;
import com.netscape.certsrv.base.IConfigStore;
import com.netscape.certsrv.ca.ICertificateAuthority;
@@ -34,11 +39,6 @@ import com.netscape.certsrv.property.EPropertyException;
import com.netscape.certsrv.property.IDescriptor;
import com.netscape.certsrv.request.IRequest;
-import netscape.security.x509.BasicConstraintsExtension;
-import netscape.security.x509.CertificateValidity;
-import netscape.security.x509.PKIXExtensions;
-import netscape.security.x509.X509CertInfo;
-
/**
* This class implements a CA signing cert enrollment default policy
* that populates a server-side configurable validity
@@ -348,7 +348,7 @@ public class CAValidityDefault extends EnrollDefault {
if (startTimeStr == null || startTimeStr.equals("")) {
startTimeStr = "60";
}
-int startTime = Integer.parseInt(startTimeStr);
+long startTime = Long.parseLong(startTimeStr);
Date notBefore = new Date(CMS.getCurrentDate().getTime() + (1000 * startTime));
CMS.debug("CAValidityDefault: not before: " + notBefore);
diff --git a/base/server/cms/src/com/netscape/cms/profile/def/PrivateKeyUsagePeriodExtDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/PrivateKeyUsagePeriodExtDefault.java
index 6532a13..2f05f32 100644
--- a/base/server/cms/src/com/netscape/cms/profile/def/PrivateKeyUsagePeriodExtDefault.java
+++ b/base/server/cms/src/com/netscape/cms/profile/def/PrivateKeyUsagePeriodExtDefault.java
@@ -296,13 +296,13 @@ public class PrivateKeyUsagePeriodExtDefault extends EnrollExtDefault {
if (startTimeStr == null || startTimeStr.equals("")) {
startTimeStr = "60";
}
-int startTime = Integer.parseInt(startTimeStr);
+long startTime = Long.parseLong(startTimeStr);
Date notBefore = new Date(CMS.getCurrentDate().getTime() +
(1000 * startTime));
long notAfterVal = 0;
notAfterVal = notBefore.getTime() +
-(mDefault * Integer.parseInt(getConfig(CONFIG_DURATION)));
+(mDefault * Long.parseLong(getConfig(CONFIG_DURATION)));
Date notAfter = new Date(notAfterVal);
ext = new PrivateKeyUsageExtension(notBefore, notAfter);
diff --git a/base/server/cms/src/com/netscape/cms/profile/def/RandomizedValidityDefault.java b/base/server/c
Re: [Pki-devel] [pki-devel][PATCH]
I compared this patch with the original C patch. There was a check in C
that does not exist in your Java patch:
1019
if(data.size() != 3){
1020
lifecycle = 0xf0;
1021
RA::Error(LL_PER_PDU, "RA_Processor::GetLifecycle", "apdu response is the
wrong size, the size is: %x", data.size());
1022
goto loser;
1023
}
Why does it not apply in Java?
Thanks,
Christina
On 11/15/2016 06:20 PM, John Magne wrote:
Ticket: TPS throws "err=6" when attempting to format and e :
https://fedorahosted.org/pki/ticket/2544
Fix tested on standard card, it does what it is supposed to do. It checks first
to make sure the lifecycle
state needs to be changed before attempting to do so. This will prevent any
cards that return an error when
one tries to over write the value with the same value it had before.
___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel
___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel
Re: [Pki-devel] [pki-devel][PATCH]
Verbally discussed issue with cfu, was given cond ack upon fixing the issue:
Issue has been fixed, checked into master.
commit cdb8d2f7a3655b4ba97b70a9460721e0d2d8afe7
Author: Jack Magne
Date: Tue Nov 15 17:37:07 2016 -0800
Change lifecycle at end of enrollment if it is not already set.
TPS throws "err=6" when attempting to format and enroll G&D Cards.
https://bugzilla.redhat.com/show_bug.cgi?id=1320283
This fix addresses this bug , but also:
Fixes this issue:
Applet upgrade during rekey operation results in formatted token.
Also, it takes care of a related issue where the new apdu needed for the
lifecycle state causes the testing tool "tpslcient" to seg fault.
The fix here is a minimal fix to have tpsclient return an error when it gets
this apdu it can't handle, instead of crashing.
Closed ticket # 2544
- Original Message -
> From: "Christina Fu"
> To: pki-devel@redhat.com
> Sent: Wednesday, November 16, 2016 6:25:49 PM
> Subject: Re: [Pki-devel] [pki-devel][PATCH]
>
>
>
> I compared this patch with the original C patch. There was a check in C that
> does not exist in your Java patch:
> 1019
> if(data.size() != 3){
>
> 1020
> lifecycle = 0xf0;
>
> 1021
> RA::Error(LL_PER_PDU, "RA_Processor::GetLifecycle", "apdu response is the
> wrong size, the size is: %x", data.size());
>
> 1022
> goto loser;
>
> 1023
> }
>
> Why does it not apply in Java?
>
> Thanks,
> Christina
>
> On 11/15/2016 06:20 PM, John Magne wrote:
>
>
>
> Ticket: TPS throws "err=6" when attempting to format and e :
> https://fedorahosted.org/pki/ticket/2544 Fix tested on standard card, it
> does what it is supposed to do. It checks first to make sure the lifecycle
> state needs to be changed before attempting to do so. This will prevent any
> cards that return an error when
> one tries to over write the value with the same value it had before.
>
>
> ___
> Pki-devel mailing list Pki-devel@redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel
>
>
> ___
> Pki-devel mailing list
> Pki-devel@redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel
___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel
Re: [Pki-devel] [pki-devel][PATCH]
On 04/26/2017 04:29 PM, John Magne wrote: CA in the certificate profiles the startTime parameter is not working as expected. This simple fix addresses an overflow in the "startTime" paramenter in 4 places in the code. I felt that honing in only on the startTime value was the best way to go. In some of the files other than ValidityDefault.java, there were possibly some values that could be changed from int to long. Due to the complexity of some of the calculations involved in some of those cases, it is best to fix the exact issue at hand instead of introducing some other possible side effects. Tested with a simple enrollment in the caUserCert profile by setting the startTime constraint to the offending value listed in the ticket/bug. The correct start time 30 days in the future was calculated and made part of the cert. Issue: https://pagure.io/dogtagpki/issue/2520 ___ Pki-devel mailing list Pki-devel@redhat.com https://www.redhat.com/mailman/listinfo/pki-devel Tested this out, and agree that limiting this to simply "startTime" was the right decision. ACK ___ Pki-devel mailing list Pki-devel@redhat.com https://www.redhat.com/mailman/listinfo/pki-devel
[Pki-devel] [pki-devel][PATCH] 0094-Tkstool-FIPS-Mode-fix.patch
#2540 Creating symmetric key (sharedSecret) using tkstool is failing when
operating system is in FIPS mode.
From 820b3f16d1cb3f0532a464aee399512725c2a858 Mon Sep 17 00:00:00 2001
From: Jack Magne
Date: Mon, 10 Apr 2017 11:27:12 -0700
Subject: [PATCH] Tkstool, FIPS Mode fix.
Now the program can create and import shared secret keys while under FIPS mode.
---
base/native-tools/src/tkstool/key.c | 96 ++---
base/native-tools/src/tkstool/tkstool.c | 4 +-
base/native-tools/src/tkstool/tkstool.h | 3 +-
3 files changed, 81 insertions(+), 22 deletions(-)
diff --git a/base/native-tools/src/tkstool/key.c b/base/native-tools/src/tkstool/key.c
index 4fd3796..a027d27 100644
--- a/base/native-tools/src/tkstool/key.c
+++ b/base/native-tools/src/tkstool/key.c
@@ -19,6 +19,11 @@
#include "tkstool.h"
+secuPWDatapwdata = { PW_NONE,
+ 0 };
+
+
+
/***/
/** local private functions **/
/***/
@@ -534,16 +539,26 @@ TKS_ComputeAndDisplayKCV( PRUint8*newKey,
goto done;
}
-key = PK11_ImportSymKeyWithFlags(
- /* slot */slot,
- /* mechanism type */CKM_DES3_ECB,
- /* origin */PK11_OriginGenerated,
- /* operation */CKA_ENCRYPT,
- /* key*/&keyItem,
- /* flags */CKF_ENCRYPT,
- /* isPerm */PR_FALSE,
- /* wincx */0 );
+key = TKS_ImportSymmetricKey( NULL,
+slot,
+CKM_DES3_ECB,
+CKA_ENCRYPT,
+&keyItem,
+&pwdata, PR_FALSE );
+
+
+
+ /* key = PK11_ImportSymKeyWithFlags(
+ slot,
+ CKM_DES3_ECB,
+ PK11_OriginGenerated,
+ CKA_ENCRYPT,
+ &keyItem,
+ CKF_ENCRYPT,
+ PR_FALSE,
+ 0 );
+ */
if( ! key ) {
PR_fprintf( PR_STDERR,
"ERROR: Failed to import %s key!\n\n\n",
@@ -1062,10 +1077,18 @@ TKS_ImportSymmetricKey( char *symmetricKeyName,
CK_MECHANISM_TYPE mechanism,
CK_ATTRIBUTE_TYPE operation,
SECItem *sessionKeyShare,
-secuPWData*pwdata )
+secuPWData*pwdata, PRBool isPerm )
{
PK11Origin origin = PK11_OriginGenerated;
PK11SymKey *symKey = NULL;
+PK11SymKey *sessKey = NULL;
+PK11Context *context = NULL;
+static SECItem noParams = { siBuffer, NULL, 0 };
+SECItem wrappeditem = { siBuffer, NULL, 0 };
+
+int len = 0;
+unsigned char wrappedkey[DES_LENGTH * 3];
+SECStatus s = SECSuccess;
if( slot == NULL ) {
return NULL;
@@ -1077,15 +1100,50 @@ TKS_ImportSymmetricKey( char *symmetricKeyName,
"Generating %s symmetric key . . .\n\n",
symmetricKeyName );
-symKey = PK11_ImportSymKeyWithFlags(
- /* slot */slot,
- /* mechanism type */mechanism,
- /* origin */origin,
- /* operation */operation,
- /* key*/sessionKeyShare,
- /* flags */0,
- /* isPerm */PR_FALSE,
- /* wincx */pwdata );
+sessKey = PK11_TokenKeyGenWithFlags(slot, // slot handle
+ CKM_DES3_KEY_GEN, // mechanism type
+ NULL, // pointer to params (SECItem structure)
+ 0, // keySize (per documentation in pk11skey.c, must be 0 for fixed key length algorithms)
+ 0, // pointer to keyid (SECItem structure)
+ CKF_WRAP | CKF_UNWRAP | CKF_ENCRYPT | CKF_DECRYPT, // opFlags
+ PK11_ATTR_PRIVATE | PK11_ATTR_UNEXTRACTABLE | PK11_ATTR_SENSITIVE, // attrFlags (AC: this is my "best guess" as to what flags should be set)
+ NULL);
+
+if( sessKey == NULL ) {
+goto cleanup;
+}
+
+// Import the key onto the token using the temp session key and the key data.
+//
+
+context = PK11_CreateContextBySymKey(CKM_DES3_ECB, CKA_ENCRYPT,
+sessKey,
+&noParams);
+
+if (context == NULL) {
+goto cleanup;
+}
+
+len = sessionKeyShare->len;
+/* encrypt the key with the master key */
+s = PK11_CipherOp(context, wrappedkey, &len, DES_LENGTH * 3 , sessionKeyShare->data ,DES_LENGTH * 3 );
+if (s != SECSuccess)
+{
+goto cleanup;
+
[Pki-devel] [pki-devel][PATCH] 0066-TPS-auth-special-characters-fix.patch
TPS auth special characters fix.
Ticket #1636.
Smartcard token enroll/format fails when the ldap user has special
characters in userid or password
Tested with both esc and tpsclient. The problem was when using a real card
because the client uri encodes
the authentication creds and the server needs to decode them.
From e6bcb9f1fac9c7db95a1aa4767cdfe6ac4ccbd16 Mon Sep 17 00:00:00 2001
From: Jack Magne
Date: Wed, 27 Apr 2016 13:52:10 -0700
Subject: [PATCH] TPS auth special characters fix.
Ticket #1636.
Smartcard token enroll/format fails when the ldap user has special characters in userid or password
Tested with both esc and tpsclient. The problem was when using a real card because the client uri encodes
the authentication creds and the server needs to decode them.
---
base/common/src/org/dogtagpki/tps/msg/TPSMessage.java | 12 ++--
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/base/common/src/org/dogtagpki/tps/msg/TPSMessage.java b/base/common/src/org/dogtagpki/tps/msg/TPSMessage.java
index 84e991e..f622b9b 100644
--- a/base/common/src/org/dogtagpki/tps/msg/TPSMessage.java
+++ b/base/common/src/org/dogtagpki/tps/msg/TPSMessage.java
@@ -456,17 +456,17 @@ public class TPSMessage {
break;
case MSG_EXTENDED_LOGIN_RESPONSE:
result =
-new ExtendedLoginResponseMsg(op_val,
-get(UID_NAME),
-get(PASSWORD_NAME),
-extsMap);
+new ExtendedLoginResponseMsg(op_val,
+Util.uriDecode(get(UID_NAME)),
+Util.uriDecode(get(PASSWORD_NAME)),
+extsMap);
break;
case MSG_LOGIN_REQUEST:
break;
case MSG_LOGIN_RESPONSE:
result =
-new LoginResponseMsg(get(SCREEN_NAME_NAME),
-get(PASSWORD_NAME_1));
+new LoginResponseMsg(Util.uriDecode(get(SCREEN_NAME_NAME)),
+Util.uriDecode(get(PASSWORD_NAME_1)));
break;
case MSG_NEW_PIN_REQUEST:
break;
--
2.5.0
___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel
[Pki-devel] [pki-devel][PATCH] 0070-Fix-coverity-warnings-for-tkstool.patch
Fix attached.From 3a1ef233ec8e63e5ec34cd0746cd5e94e327c65f Mon Sep 17 00:00:00 2001
From: Jack Magne
Date: Mon, 6 Jun 2016 16:36:16 -0700
Subject: [PATCH] Fix coverity warnings for 'tkstool'
Issues listed in the ticket addressed by this patch.
Ticket #1199 : Fix coverity warnings for 'tkstool'.
---
base/native-tools/src/tkstool/secutil.c | 21 -
1 file changed, 16 insertions(+), 5 deletions(-)
diff --git a/base/native-tools/src/tkstool/secutil.c b/base/native-tools/src/tkstool/secutil.c
index 9cf2c37..c31ce9b 100644
--- a/base/native-tools/src/tkstool/secutil.c
+++ b/base/native-tools/src/tkstool/secutil.c
@@ -668,7 +668,7 @@ SECU_ReadDERFromFile(SECItem *der, PRFileDesc *inFile, PRBool ascii)
SECStatus rv;
if (ascii) {
/* First convert ascii to binary */
- SECItem filedata;
+ SECItem filedata = {siBuffer,0};
char *asc, *body;
/* Read in ascii data */
@@ -1419,7 +1419,7 @@ SECU_PrintAlgorithmID(FILE *out, SECAlgorithmID *a, char *m, int level)
{
SECU_PrintObjectID(out, &a->algorithm, m, level);
-if (a->parameters.len == 0
+if (a == NULL || a->parameters.len == 0
|| (a->parameters.len == 2
&& PORT_Memcmp(a->parameters.data, "\005\000", 2) == 0)) {
/* No arguments or NULL argument */
@@ -2471,6 +2471,10 @@ static void
secu_PrintPKCS7EncContent(FILE *out, SEC_PKCS7EncryptedContentInfo *src,
char *m, int level)
{
+if (src == NULL) {
+fprintf(out,"Invalid input to secu_PrintPKCS7EncContent!\n");
+return;
+}
if (src->contentTypeTag == NULL)
src->contentTypeTag = SECOID_FindOID(&(src->contentType));
@@ -3074,16 +3078,23 @@ SECU_ParseCommandLine(int argc, char **argv, char *progName, secuCommand *cmd)
if (optstate->value) {
cmd->options[i].arg = (char *)optstate->value;
} else if (cmd->options[i].needsArg) {
-return SECFailure;
+status = PL_OPT_BAD;
+goto done;
}
found = PR_TRUE;
break;
}
}
- if (!found)
- return SECFailure;
+ if (!found) {
+status = PL_OPT_BAD;
+goto done;
+}
}
+done:
+
+if (optstring != NULL)
+free(optstring);
if (status == PL_OPT_BAD)
return SECFailure;
return SECSuccess;
--
2.5.0
___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel
[Pki-devel] [pki-devel][PATCH] 0072-Revocation-failure-causes-AUDIT_PRIVATE_KEY_ARCHIVE_.patch
Revocation failure causes AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST
The fix here is to make sure no archive related audits get issued for doing
things other than key archivals.
Other operations such as revoking and unrevoking cert in the code path
laready
have audit logs issued separately for success or failure.
Ticket #2340.
From cecb728768166c9dc252b4c9fe25e38b9cbb72db Mon Sep 17 00:00:00 2001
From: Jack Magne
Date: Tue, 14 Jun 2016 16:00:39 -0700
Subject: [PATCH] Revocation failure causes AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST
The fix here is to make sure no archive related audits get issued for doing
things other than key archivals.
Other operations such as revoking and unrevoking cert in the code path laready
have audit logs issued separately for success or failure.
Ticket #2340.
---
base/ca/src/com/netscape/ca/CAService.java | 172 ++---
1 file changed, 81 insertions(+), 91 deletions(-)
diff --git a/base/ca/src/com/netscape/ca/CAService.java b/base/ca/src/com/netscape/ca/CAService.java
index 485acc6..9bf237f 100644
--- a/base/ca/src/com/netscape/ca/CAService.java
+++ b/base/ca/src/com/netscape/ca/CAService.java
@@ -31,6 +31,33 @@ import java.util.Enumeration;
import java.util.Hashtable;
import java.util.Vector;
+import netscape.security.extensions.CertInfo;
+import netscape.security.util.BigInt;
+import netscape.security.util.DerValue;
+import netscape.security.x509.AlgorithmId;
+import netscape.security.x509.BasicConstraintsExtension;
+import netscape.security.x509.CRLExtensions;
+import netscape.security.x509.CRLReasonExtension;
+import netscape.security.x509.CertificateAlgorithmId;
+import netscape.security.x509.CertificateChain;
+import netscape.security.x509.CertificateExtensions;
+import netscape.security.x509.CertificateIssuerName;
+import netscape.security.x509.CertificateSerialNumber;
+import netscape.security.x509.CertificateSubjectName;
+import netscape.security.x509.CertificateValidity;
+import netscape.security.x509.Extension;
+import netscape.security.x509.LdapV3DNStrConverter;
+import netscape.security.x509.PKIXExtensions;
+import netscape.security.x509.RevocationReason;
+import netscape.security.x509.RevokedCertImpl;
+import netscape.security.x509.SerialNumber;
+import netscape.security.x509.X500Name;
+import netscape.security.x509.X500NameAttrMap;
+import netscape.security.x509.X509CRLImpl;
+import netscape.security.x509.X509CertImpl;
+import netscape.security.x509.X509CertInfo;
+import netscape.security.x509.X509ExtensionException;
+
import com.netscape.certsrv.apps.CMS;
import com.netscape.certsrv.authority.IAuthority;
import com.netscape.certsrv.authority.ICertAuthority;
@@ -68,33 +95,6 @@ import com.netscape.cmscore.dbs.RevocationInfo;
import com.netscape.cmscore.util.Debug;
import com.netscape.cmsutil.util.Utils;
-import netscape.security.extensions.CertInfo;
-import netscape.security.util.BigInt;
-import netscape.security.util.DerValue;
-import netscape.security.x509.AlgorithmId;
-import netscape.security.x509.BasicConstraintsExtension;
-import netscape.security.x509.CRLExtensions;
-import netscape.security.x509.CRLReasonExtension;
-import netscape.security.x509.CertificateAlgorithmId;
-import netscape.security.x509.CertificateChain;
-import netscape.security.x509.CertificateExtensions;
-import netscape.security.x509.CertificateIssuerName;
-import netscape.security.x509.CertificateSerialNumber;
-import netscape.security.x509.CertificateSubjectName;
-import netscape.security.x509.CertificateValidity;
-import netscape.security.x509.Extension;
-import netscape.security.x509.LdapV3DNStrConverter;
-import netscape.security.x509.PKIXExtensions;
-import netscape.security.x509.RevocationReason;
-import netscape.security.x509.RevokedCertImpl;
-import netscape.security.x509.SerialNumber;
-import netscape.security.x509.X500Name;
-import netscape.security.x509.X500NameAttrMap;
-import netscape.security.x509.X509CRLImpl;
-import netscape.security.x509.X509CertImpl;
-import netscape.security.x509.X509CertInfo;
-import netscape.security.x509.X509ExtensionException;
-
/**
* Request Service for CertificateAuthority.
*/
@@ -192,7 +192,7 @@ public class CAService implements ICAService, IService {
if (kraConfig != null) {
mArchivalRequired = kraConfig.getBoolean(
-"archivalRequired", true);
+"archivalRequired", true);
mKRAConnector = getConnector(kraConfig);
if (mKRAConnector != null) {
if (Debug.ON) {
@@ -293,10 +293,12 @@ public class CAService implements ICAService, IService {
String clientCiphers = config.getString("clientCiphers", null);
if (timeout == 0)
-connector = new HttpConnector((IAuthority) mCA, nickname, clientCiphers, remauthority, resendInterval, config);
+connector = new HttpConnector((IAuthority) mCA, nickname, clientCiphers, remauthority, rese
[Pki-devel] [pki-devel][PATCH] 0077-Make-starting-CRL-Number-configurable.patch
Make starting CRL Number configurable.
Ticket #2406 Make starting CRL Number configurable
This simple patch provides a pkispawn config param that passes
some starting crl number value to the config process.
Here is a sample:
[CA]
pki_ca_starting_crl_number=4000
After the CA comes up the value of "crlNumber" in the db will
reflect that value of 4000.
Currently no other values are changed. We can talk about if we
need more values reset in the given case.
Also, this creates a setting in the CS.cfg
ca.crl.MasterCrl.startingCrlNumber=4000
This setting is only consulted when the crl Issuing Point record is created
for the first time.
From f514cf776fd2918935bdd26939151f22f335cbe6 Mon Sep 17 00:00:00 2001
From: Jack Magne
Date: Wed, 27 Jul 2016 11:43:33 -0700
Subject: [PATCH] Make starting CRL Number configurable.
Ticket #2406 Make starting CRL Number configurable
This simple patch provides a pkispawn config param that passes
some starting crl number value to the config process.
Here is a sample:
[CA]
pki_ca_starting_crl_number=4000
After the CA comes up the value of "crlNumber" in the db will
reflect that value of 4000.
Currently no other values are changed. We can talk about if we
need more values reset in the given case.
Also, this creates a setting in the CS.cfg
ca.crl.MasterCrl.startingCrlNumber=4000
This setting is only consulted when the crl Issuing Point record is created
for the first time.
---
base/ca/src/com/netscape/ca/CRLIssuingPoint.java | 65 +++---
.../server/ca/rest/CAInstallerService.java | 7 +++
.../certsrv/system/ConfigurationRequest.java | 12
base/server/etc/default.cfg| 1 +
.../python/pki/server/deployment/pkihelper.py | 4 ++
5 files changed, 69 insertions(+), 20 deletions(-)
diff --git a/base/ca/src/com/netscape/ca/CRLIssuingPoint.java b/base/ca/src/com/netscape/ca/CRLIssuingPoint.java
index fc9e6a3..a593eb8 100644
--- a/base/ca/src/com/netscape/ca/CRLIssuingPoint.java
+++ b/base/ca/src/com/netscape/ca/CRLIssuingPoint.java
@@ -31,6 +31,23 @@ import java.util.StringTokenizer;
import java.util.TimeZone;
import java.util.Vector;
+import netscape.security.util.BitArray;
+import netscape.security.x509.AlgorithmId;
+import netscape.security.x509.CRLExtensions;
+import netscape.security.x509.CRLNumberExtension;
+import netscape.security.x509.CRLReasonExtension;
+import netscape.security.x509.DeltaCRLIndicatorExtension;
+import netscape.security.x509.Extension;
+import netscape.security.x509.FreshestCRLExtension;
+import netscape.security.x509.IssuingDistributionPoint;
+import netscape.security.x509.IssuingDistributionPointExtension;
+import netscape.security.x509.RevocationReason;
+import netscape.security.x509.RevokedCertImpl;
+import netscape.security.x509.RevokedCertificate;
+import netscape.security.x509.X509CRLImpl;
+import netscape.security.x509.X509CertImpl;
+import netscape.security.x509.X509ExtensionException;
+
import com.netscape.certsrv.apps.CMS;
import com.netscape.certsrv.base.EBaseException;
import com.netscape.certsrv.base.IConfigStore;
@@ -66,23 +83,6 @@ import com.netscape.cmscore.dbs.CertRecord;
import com.netscape.cmscore.dbs.CertificateRepository;
import com.netscape.cmscore.util.Debug;
-import netscape.security.util.BitArray;
-import netscape.security.x509.AlgorithmId;
-import netscape.security.x509.CRLExtensions;
-import netscape.security.x509.CRLNumberExtension;
-import netscape.security.x509.CRLReasonExtension;
-import netscape.security.x509.DeltaCRLIndicatorExtension;
-import netscape.security.x509.Extension;
-import netscape.security.x509.FreshestCRLExtension;
-import netscape.security.x509.IssuingDistributionPoint;
-import netscape.security.x509.IssuingDistributionPointExtension;
-import netscape.security.x509.RevocationReason;
-import netscape.security.x509.RevokedCertImpl;
-import netscape.security.x509.RevokedCertificate;
-import netscape.security.x509.X509CRLImpl;
-import netscape.security.x509.X509CertImpl;
-import netscape.security.x509.X509ExtensionException;
-
/**
* This class encapsulates CRL issuing mechanism. CertificateAuthority
* contains a map of CRLIssuingPoint indexed by string ids. Each issuing
@@ -112,6 +112,8 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable {
private static final int CRL_PAGE_SIZE = 1;
+private static final String PROP_CRL_STARTING_NUMBER = "startingCrlNumber";
+
/* configuration file property names */
public IPublisherProcessor mPublisherProcessor = null;
@@ -923,13 +925,36 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable {
if (crlRecord == null) {
// no crl was ever created, or crl in db is corrupted.
// create new one.
+
+IConfigStore ipStore = mCA.getConfigStore().getSubStore(ICertificateAuthority.PROP_CRL_SUBSTORE).g
[Pki-devel] [pki-devel][PATCH] Non server keygen issue in SCP03.
[PATCH] Non server keygen issue in SCP03.
Ticket 1663 Add SCP03 support: https://pagure.io/dogtagpki/issue/1663
We discovered a minor issue when trying to log values that don't exist when
performing the non server side keygen case. For instance , we don't need to
generate a kek session key in this case, and we were trying to print info about
it to the logs. This fix allows this case to work without issue.
From d58e929de707ad5139c57cd493fae5485ca3acae Mon Sep 17 00:00:00 2001
From: Jack Magne
Date: Fri, 5 May 2017 11:44:17 -0700
Subject: [PATCH] Non server keygen issue in SCP03.
Ticket 1663 Add SCP03 support: https://pagure.io/dogtagpki/issue/1663
We discovered a minor issue when trying to log values that don't exist when performing the non server side keygen case. For instance , we don't need to generate a kek session key in this case, and we were trying to print info about it to the logs. This fix allows this case to work without issue.
---
.../server/tps/channel/SecureChannel.java | 4 +-
.../server/tps/processor/TPSProcessor.java | 51 +++---
2 files changed, 37 insertions(+), 18 deletions(-)
diff --git a/base/tps/src/org/dogtagpki/server/tps/channel/SecureChannel.java b/base/tps/src/org/dogtagpki/server/tps/channel/SecureChannel.java
index fc5472c..5e5646b 100644
--- a/base/tps/src/org/dogtagpki/server/tps/channel/SecureChannel.java
+++ b/base/tps/src/org/dogtagpki/server/tps/channel/SecureChannel.java
@@ -148,8 +148,8 @@ public class SecureChannel {
CMS.debug("SecureChannel.SecureChannel: For SCP03. : ");
-CMS.debug("kekDesKey: " + kekDesKey.toHexString());
-CMS.debug("keyCheck: " + keyCheck.toHexString());
+if (keyCheck != null)
+CMS.debug("keyCheck: " + keyCheck.toHexString());
this.platProtInfo = platformInfo;
this.processor = processor;
diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
index 0cfac59..0f96915 100644
--- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
+++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
@@ -33,6 +33,8 @@ import java.util.List;
import java.util.Map;
import java.util.Set;
+import netscape.security.x509.RevocationReason;
+
import org.dogtagpki.server.tps.TPSSession;
import org.dogtagpki.server.tps.TPSSubsystem;
import org.dogtagpki.server.tps.authentication.AuthUIParameter;
@@ -100,8 +102,6 @@ import com.netscape.cms.servlet.tks.SecureChannelProtocol;
import com.netscape.cmsutil.crypto.CryptoUtil;
import com.netscape.symkey.SessionKey;
-import netscape.security.x509.RevocationReason;
-
public class TPSProcessor {
public static final int RESULT_NO_ERROR = 0;
@@ -923,20 +923,39 @@ public class TPSProcessor {
TPSBuffer drmDesKeyBuff = resp.getDRM_Trans_DesKey();
TPSBuffer kekDesKeyBuff = resp.getKekWrappedDesKey();
-CMS.debug(method + " encSessionKeyBuff: " + encSessionKeyBuff.toHexString());
-CMS.debug(method + " kekSessionKeyBuff: " + kekSessionKeyBuff.toHexString());
-CMS.debug(method + " macSessionKeyBuff: " + macSessionKeyBuff.toHexString());
-CMS.debug(method + " hostCryptogramBuff: " + hostCryptogramBuff.toHexString());
-CMS.debug(method + " keyCheckBuff: " + keyCheckBuff.toHexString());
-CMS.debug(method + " drmDessKeyBuff: " + drmDesKeyBuff.toHexString());
-CMS.debug(method + " kekDesKeyBuff: " + kekDesKeyBuff.toHexString());
-
-encSessionKeySCP03 = (PK11SymKey) protocol.unwrapWrappedSymKeyOnToken(token, sharedSecret,
-encSessionKeyBuff.toBytesArray(), false, SymmetricKey.AES);
-macSessionKeySCP03 = (PK11SymKey) protocol.unwrapWrappedSymKeyOnToken(token, sharedSecret,
-macSessionKeyBuff.toBytesArray(), false, SymmetricKey.AES);
-kekSessionKeySCP03 = (PK11SymKey) protocol.unwrapWrappedSymKeyOnToken(token, sharedSecret,
-kekSessionKeyBuff.toBytesArray(), false, SymmetricKey.AES);
+if (encSessionKeyBuff != null)
+CMS.debug(method + " encSessionKeyBuff: " + encSessionKeyBuff.toHexString());
+
+if (kekSessionKeyBuff != null)
+CMS.debug(method + " kekSessionKeyBuff: " + kekSessionKeyBuff.toHexString());
+
+if (macSessionKeyBuff != null)
+CMS.debug(method + " macSessionKeyBuff: " + macSessionKeyBuff.toHexString());
+
+if (hostCryptogramBuff != null)
+CMS.debug(method + " hostCryptogramBuff: " + hostCryptogramBuff.toHexString());
+
+if (keyCheckBuff != null)
+CMS.debug(method + " keyCheckBuff: " + keyCheckBuff.toHexString());
+
+if (drmDesKeyBuff != null)
+CMS.debug(method + " drmDessKeyBuff: " + drmDesKeyBuff.toHexString());
+
+
Re: [Pki-devel] [pki-devel][PATCH] 0094-Tkstool-FIPS-Mode-fix.patch
On 05/22/2017 07:27 PM, John Magne wrote: #2540 Creating symmetric key (sharedSecret) using tkstool is failing when operating system is in FIPS mode. ___ Pki-devel mailing list Pki-devel@redhat.com https://www.redhat.com/mailman/listinfo/pki-devel Be sure to cleanup "context" if it exists in the "cleanup:" section. Conditional ACK if tested to work. ___ Pki-devel mailing list Pki-devel@redhat.com https://www.redhat.com/mailman/listinfo/pki-devel
Re: [Pki-devel] [pki-devel][PATCH] 0094-Tkstool-FIPS-Mode-fix.patch
Provided cleanup and checked in: commit 84f3958dc9c1c5bfab4a8789e621d621a28cbdd6 Author: Jack Magne Date: Mon Apr 10 11:27:12 2017 -0700 Now the program can create and import shared secret keys while under FIPS mode. Closed #2540 Creating symmetric key (sharedSecret) using tkstool is failing when operating system is in FIPS mode. - Original Message - > From: "Matthew Harmsen" > To: "John Magne" , "pki-devel" > Sent: Tuesday, May 23, 2017 4:44:42 PM > Subject: Re: [Pki-devel] [pki-devel][PATCH] 0094-Tkstool-FIPS-Mode-fix.patch > > On 05/22/2017 07:27 PM, John Magne wrote: > > #2540 Creating symmetric key (sharedSecret) using tkstool is failing when > > operating system is in FIPS mode. > > > > > > > > > > ___ > > Pki-devel mailing list > > Pki-devel@redhat.com > > https://www.redhat.com/mailman/listinfo/pki-devel > > Be sure to cleanup "context" if it exists in the "cleanup:" section. > > Conditional ACK if tested to work. > > ___ Pki-devel mailing list Pki-devel@redhat.com https://www.redhat.com/mailman/listinfo/pki-devel
[Pki-devel] [pki-devel][PATCH] 0095-Resolve-1663-Add-SCP03-support.patch
Ticket: Resolve #1663 Add SCP03 support .
This particular fix resolves a simple issue when formatting a token in FIPS
mode for SCP03.
From de74c600391473759bec495dc4ccafda787959bd Mon Sep 17 00:00:00 2001
From: Jack Magne
Date: Fri, 2 Jun 2017 15:40:52 -0700
Subject: [PATCH] Resolve #1663 Add SCP03 support .
This particular fix resolves a simple issue when formatting a token in FIPS mode for SCP03.
---
.../netscape/cms/servlet/tks/NistSP800_108KDF.java | 28 +-
.../server/tps/channel/SecureChannel.java | 7 +++---
.../server/tps/processor/TPSProcessor.java | 4
3 files changed, 25 insertions(+), 14 deletions(-)
diff --git a/base/server/cms/src/com/netscape/cms/servlet/tks/NistSP800_108KDF.java b/base/server/cms/src/com/netscape/cms/servlet/tks/NistSP800_108KDF.java
index 9e079aa..2d9e963 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/tks/NistSP800_108KDF.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/tks/NistSP800_108KDF.java
@@ -9,13 +9,6 @@ import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
-import org.apache.commons.cli.CommandLine;
-import org.apache.commons.cli.CommandLineParser;
-import org.apache.commons.cli.DefaultParser;
-import org.apache.commons.cli.Options;
-import org.apache.commons.cli.ParseException;
-import org.mozilla.jss.CryptoManager;
-import org.mozilla.jss.crypto.AlreadyInitializedException;
import org.mozilla.jss.crypto.BadPaddingException;
import org.mozilla.jss.crypto.Cipher;
import org.mozilla.jss.crypto.CryptoToken;
@@ -468,7 +461,7 @@ public class NistSP800_108KDF extends KDF {
// Collection of informal invocations of api used to create various session keys
// Done with test data.
public static void main(String[] args) {
-
+/*
Options options = new Options();
options.addOption("d", true, "Directory for tokendb");
@@ -480,16 +473,29 @@ public class NistSP800_108KDF extends KDF {
(byte) 0x47, (byte) 0x48, (byte) 0x49, (byte) 0x4a, (byte) 0x4b, (byte) 0x4c, (byte) 0x4d, (byte) 0x4e,
(byte) 0x4f };
+
+byte devKeyGem[] = { (byte) 0x47, (byte) 0x45, (byte) 0x4d, (byte) 0x58, (byte) 0x50, (byte) 0x52, (byte) 0x45,
+(byte) 0x53, (byte) 0x53, (byte) 0x4f, (byte) 0x53, (byte) 0x41, (byte) 0x4d, (byte) 0x50, (byte) 0x4c,
+(byte) 0x45 };
+
byte test_cuid[] = { (byte) 0x47,(byte) 0x90,(byte)0x50,(byte)0x37,(byte)0x72,(byte)0x71,(byte)0x97,(byte)0x00,(byte)0x74,(byte)0xA9 };
byte test_kdd[] = { 0x00 ,0x00, 0x04 ,(byte)0x47 ,0x00 ,(byte)0x1F ,0x00 ,(byte)0x46 ,(byte)0xA7 ,0x02 };
+byte test_kdd_gem[] = {};
+
+
byte test_host_challenge[] = { (byte)0x2F ,(byte)0xB7 ,(byte)0x9F ,(byte)0xB7 ,(byte)0x04 ,(byte)0xFA ,(byte)0x60 ,(byte)0xE8 };
byte test_card_challenge[] = { (byte)0xB9,(byte) 0x69 ,(byte)0xB0 ,(byte)0xCA ,(byte)0x37 ,(byte)0x27 ,(byte)0x2F ,(byte)0x89};
byte test_host_challenge_1[] = { (byte)0xD9 ,(byte)0xA0 ,(byte)0x0E ,(byte)0x36 ,(byte)0x69 ,(byte)0x67 ,(byte)0xFA ,(byte)0xFB };
byte test_card_challenge_1[] = {(byte)0x08 ,(byte) 0xF3 ,(byte) 0xE2 ,(byte)0xC3 ,0x72 ,(byte)0xF0 ,(byte)0xBE ,0x26 };
+
+byte test_host_challenge_gem[] = {(byte)0x5F, 02 ,(byte) 0x8A , 0x17, 0x35,(byte) 0x0B ,0x33,(byte) 0xA6};
+byte test_card_challenge_gem[] = { 0x7C,(byte) 0x81,(byte) 0xCB, 0x2D,(byte) 0xA2,(byte) 0xD4, 0x6B,(byte) 0xA9 };
+
+
byte test_key_info[] = { (byte) 0x01,(byte) 03,(byte) 70 };
byte test_old_key_info[] = {0x01,0x03,0x00};
@@ -525,8 +531,8 @@ public class NistSP800_108KDF extends KDF {
SymmetricKey masterKey = SecureChannelProtocol.getSymKeyByName(token,"new_master");
GPParams params = new GPParams();
-params.setVersion1DiversificationScheme("emv");
-params.setDiversificationScheme("emv");
+params.setVersion1DiversificationScheme("visa2");
+params.setDiversificationScheme("visa2");
params.setDevKeyType(GPParams.AES);
params.setMasterKeyType(GPParams.AES);
@@ -576,6 +582,6 @@ public class NistSP800_108KDF extends KDF {
System.err.println("JSS error!" + e);
System.exit(1);
}
-
+*/
}
}
diff --git a/base/tps/src/org/dogtagpki/server/tps/channel/SecureChannel.java b/base/tps/src/org/dogtagpki/server/tps/channel/SecureChannel.java
index 5e5646b..3b80f27 100644
--- a/base/tps/src/org/dogtagpki/server/tps/channel/SecureChannel.java
+++ b/base/tps/src/org/dogtagpki/server/tps/channel/SecureChannel.java
@@ -421,10 +421,11 @@ public class SecureChannel {
throw new TPSException(method + "Failed to calculate card cryptogram!", TPSStatus.STATUS_ERROR_SECURE_CHANNEL);
}
-CMS.debug(method + " dumped macSessionKey: " + new TPSBuffer(macSessionKey.getEncoded()).toHexString() );
+
[Pki-devel] [pki-devel][PATCH] 0064-Port-symkey-JNI-to-Java-classes.patch
Subject: [PATCH] Port symkey JNI to Java classes. Ticket #801 : Merge
pki-symkey into jss
What is supported:
1. Everything that is needed to support Secure Channel Protocol 01.
2. Supports the nist sp800 kdf and the original kdf.
3. Supports key unwrapping used by TPS which was formerly in the symkey JNI.
Requires:
1. A new JSS that supports more advanced symkey operations such as key
derivation, more advanced key
unwrapping , and a way to list and identify a given symmetric key by name.
Version of new Jss will be forthcoming.
Still to do:
1. Port over the 2 or 3 SCP02 routines from Symkey to use this code.
2. The original symkey will remain in place until we can port over everything.
3. SCP03 support can be added later.
From e4b02023290624b899192f65626f0c0f60d5638c Mon Sep 17 00:00:00 2001
From: Jack Magne
Date: Tue, 29 Mar 2016 10:39:27 -0700
Subject: [PATCH] Port symkey JNI to Java classes. Ticket #801 : Merge
pki-symkey into jss
What is supported:
1. Everything that is needed to support Secure Channel Protocol 01.
2. Supports the nist sp800 kdf and the original kdf.
3. Supports key unwrapping used by TPS which was formerly in the symkey JNI.
Requires:
1. A new JSS that supports more advanced symkey operations such as key derivation, more advanced key
unwrapping , and a way to list and identify a given symmetric key by name. Version of new Jss will be forthcoming.
Still to do:
1. Port over the 2 or 3 SCP02 routines from Symkey to use this code.
2. The original symkey will remain in place until we can port over everything.
3. SCP03 support can be added later.
Audit fix.
---
.../cms/src/com/netscape/cms/servlet/tks/KDF.java | 67 +
.../netscape/cms/servlet/tks/NistSP800_108KDF.java | 200 +++
.../cms/servlet/tks/SecureChannelProtocol.java | 1412
.../com/netscape/cms/servlet/tks/StandardKDF.java | 170 +++
.../com/netscape/cms/servlet/tks/TokenServlet.java | 140 +-
.../server/tps/processor/TPSProcessor.java | 83 +-
6 files changed, 1987 insertions(+), 85 deletions(-)
create mode 100644 base/server/cms/src/com/netscape/cms/servlet/tks/KDF.java
create mode 100644 base/server/cms/src/com/netscape/cms/servlet/tks/NistSP800_108KDF.java
create mode 100644 base/server/cms/src/com/netscape/cms/servlet/tks/SecureChannelProtocol.java
create mode 100644 base/server/cms/src/com/netscape/cms/servlet/tks/StandardKDF.java
diff --git a/base/server/cms/src/com/netscape/cms/servlet/tks/KDF.java b/base/server/cms/src/com/netscape/cms/servlet/tks/KDF.java
new file mode 100644
index 000..54028af
--- /dev/null
+++ b/base/server/cms/src/com/netscape/cms/servlet/tks/KDF.java
@@ -0,0 +1,67 @@
+package com.netscape.cms.servlet.tks;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.base.EBaseException;
+
+public class KDF {
+/* DES KEY Parity conversion table. Takes each byte >> 1 as an index, returns
+ * that byte with the proper parity bit set*/
+static final int parityTable[] =
+{
+/* Even...0x00,0x02,0x04,0x06,0x08,0x0a,0x0c,0x0e */
+/* E */0x01, 0x02, 0x04, 0x07, 0x08, 0x0b, 0x0d, 0x0e,
+/* Odd0x10,0x12,0x14,0x16,0x18,0x1a,0x1c,0x1e */
+/* O */0x10, 0x13, 0x15, 0x16, 0x19, 0x1a, 0x1c, 0x1f,
+/* Odd0x20,0x22,0x24,0x26,0x28,0x2a,0x2c,0x2e */
+/* O */0x20, 0x23, 0x25, 0x26, 0x29, 0x2a, 0x2c, 0x2f,
+/* Even...0x30,0x32,0x34,0x36,0x38,0x3a,0x3c,0x3e */
+/* E */0x31, 0x32, 0x34, 0x37, 0x38, 0x3b, 0x3d, 0x3e,
+/* Odd0x40,0x42,0x44,0x46,0x48,0x4a,0x4c,0x4e */
+/* O */0x40, 0x43, 0x45, 0x46, 0x49, 0x4a, 0x4c, 0x4f,
+/* Even...0x50,0x52,0x54,0x56,0x58,0x5a,0x5c,0x5e */
+/* E */0x51, 0x52, 0x54, 0x57, 0x58, 0x5b, 0x5d, 0x5e,
+/* Even...0x60,0x62,0x64,0x66,0x68,0x6a,0x6c,0x6e */
+/* E */0x61, 0x62, 0x64, 0x67, 0x68, 0x6b, 0x6d, 0x6e,
+/* Odd0x70,0x72,0x74,0x76,0x78,0x7a,0x7c,0x7e */
+/* O */0x70, 0x73, 0x75, 0x76, 0x79, 0x7a, 0x7c, 0x7f,
+/* Odd0x80,0x82,0x84,0x86,0x88,0x8a,0x8c,0x8e */
+/* O */0x80, 0x83, 0x85, 0x86, 0x89, 0x8a, 0x8c, 0x8f,
+/* Even...0x90,0x92,0x94,0x96,0x98,0x9a,0x9c,0x9e */
+/* E */0x91, 0x92, 0x94, 0x97, 0x98, 0x9b, 0x9d, 0x9e,
+/* Even...0xa0,0xa2,0xa4,0xa6,0xa8,0xaa,0xac,0xae */
+/* E */0xa1, 0xa2, 0xa4, 0xa7, 0xa8, 0xab, 0xad, 0xae,
+/* Odd0xb0,0xb2,0xb4,0xb6,0xb8,0xba,0xbc,0xbe */
+/* O */0xb0, 0xb3, 0xb5, 0xb6, 0xb9, 0xba, 0xbc, 0xbf,
+/* Even...0xc0,0xc2,0xc4,0xc6,0xc8,0xca,0xcc,0xce */
+/* E */0xc1, 0xc2, 0xc4, 0xc7, 0xc8, 0xcb, 0xcd, 0xce,
+/* Odd0xd0,0xd2,0xd4,0xd6,0xd8,0xda,0xdc,0xde */
+/* O */0xd0, 0xd3, 0xd5, 0xd6, 0xd9, 0xda, 0xdc, 0xdf,
+/* Odd0xe0,0xe2,0xe4,0xe6,0xe8,0xea,0xec,0xee */
+/* O */0xe0, 0xe3, 0xe5,
Re: [Pki-devel] [pki-devel][PATCH] 0066-TPS-auth-special-characters-fix.patch
ACK On 04/27/2016 01:59 PM, John Magne wrote: TPS auth special characters fix. Ticket #1636. Smartcard token enroll/format fails when the ldap user has special characters in userid or password Tested with both esc and tpsclient. The problem was when using a real card because the client uri encodes the authentication creds and the server needs to decode them. ___ Pki-devel mailing list Pki-devel@redhat.com https://www.redhat.com/mailman/listinfo/pki-devel ___ Pki-devel mailing list Pki-devel@redhat.com https://www.redhat.com/mailman/listinfo/pki-devel
Re: [Pki-devel] [pki-devel][PATCH] 0066-TPS-auth-special-characters-fix.patch
ACKED by cfu, pushed to master. - Original Message - From: "Christina Fu" To: pki-devel@redhat.com Sent: Tuesday, May 3, 2016 11:27:59 AM Subject: Re: [Pki-devel] [pki-devel][PATCH] 0066-TPS-auth-special-characters-fix.patch ACK On 04/27/2016 01:59 PM, John Magne wrote: TPS auth special characters fix. Ticket #1636. Smartcard token enroll/format fails when the ldap user has special characters in userid or password Tested with both esc and tpsclient. The problem was when using a real card because the client uri encodes the authentication creds and the server needs to decode them. ___ Pki-devel mailing list Pki-devel@redhat.com https://www.redhat.com/mailman/listinfo/pki-devel ___ Pki-devel mailing list Pki-devel@redhat.com https://www.redhat.com/mailman/listinfo/pki-devel ___ Pki-devel mailing list Pki-devel@redhat.com https://www.redhat.com/mailman/listinfo/pki-devel
Re: [Pki-devel] [pki-devel][PATCH] 0070-Fix-coverity-warnings-for-tkstool.patch
On 06/06/2016 05:39 PM, John Magne wrote:
Fix attached.
___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel
ACK
Personally, I always prefer the use of enclosing braces "{ . . . }"
after a conditional even when it only has one line.
___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel
Re: [Pki-devel] [pki-devel][PATCH] 0072-Revocation-failure-causes-AUDIT_PRIVATE_KEY_ARCHIVE_.patch
ACK'd by cfu: Pushed to master, closing ticket #2340 - Original Message - From: "John Magne" To: "pki-devel" Sent: Tuesday, June 14, 2016 4:07:49 PM Subject: [pki-devel][PATCH] 0072-Revocation-failure-causes-AUDIT_PRIVATE_KEY_ARCHIVE_.patch Revocation failure causes AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST The fix here is to make sure no archive related audits get issued for doing things other than key archivals. Other operations such as revoking and unrevoking cert in the code path laready have audit logs issued separately for success or failure. Ticket #2340. ___ Pki-devel mailing list Pki-devel@redhat.com https://www.redhat.com/mailman/listinfo/pki-devel
Re: [Pki-devel] [pki-devel][PATCH] 0070-Fix-coverity-warnings-for-tkstool.patch
ACK'ed by mharmsen, pushed to master: Closing ticket #1199 - Original Message - From: "John Magne" To: "pki-devel" Sent: Monday, June 6, 2016 4:39:43 PM Subject: [pki-devel][PATCH] 0070-Fix-coverity-warnings-for-tkstool.patch Fix attached. ___ Pki-devel mailing list Pki-devel@redhat.com https://www.redhat.com/mailman/listinfo/pki-devel
Re: [Pki-devel] [pki-devel][PATCH] 0077-Make-starting-CRL-Number-configurable.patch
Verbally acked by edewata thanks! : pushed to master Closing ticket: #2406 - Original Message - > From: "John Magne" > To: "pki-devel" > Sent: Wednesday, July 27, 2016 11:53:34 AM > Subject: [Pki-devel] [pki-devel][PATCH] > 0077-Make-starting-CRL-Number-configurable.patch > > Make starting CRL Number configurable. > > Ticket #2406 Make starting CRL Number configurable > > This simple patch provides a pkispawn config param that passes > some starting crl number value to the config process. > > Here is a sample: > > [CA] > pki_ca_starting_crl_number=4000 > > After the CA comes up the value of "crlNumber" in the db will > reflect that value of 4000. > > Currently no other values are changed. We can talk about if we > need more values reset in the given case. > > Also, this creates a setting in the CS.cfg > > ca.crl.MasterCrl.startingCrlNumber=4000 > > This setting is only consulted when the crl Issuing Point record is > created > for the first time. > > ___ > Pki-devel mailing list > Pki-devel@redhat.com > https://www.redhat.com/mailman/listinfo/pki-devel ___ Pki-devel mailing list Pki-devel@redhat.com https://www.redhat.com/mailman/listinfo/pki-devel
[Pki-devel] [pki-devel][PATCH] 0080-Authentication-Instance-Id-PinDirEnrollment-with-aut.patch
[PATCH] Authentication Instance Id PinDirEnrollment with authType
value as SslclientAuth is not working.
Ticket #1578
The fixing of this problem required the following:
1. Hook up a java callback that is designed to allow the selection of a
candidate
client auth cert to be sent to Ldap in the LdapSSLSocket factory object.
Previously we simply manually set the desired client auth cert nickname, which
is provided
by the console interface when cofiguring the "removePin" portion of the
UidPinDir Authentication method.
Doing it this way has the benefit of giving us some logging to show when the
actual client auth cert is being
requested by the server. We get to see the list of candidate certs and when we
match one of those with the requested
cert name, established by the console.
This client auth problem applies ONLY to the connection pool that is used to
remove the pin attribute from
an external authentication directory.
2. Previously the code, when setting up client auth for "removePin", would make
one single call to create the SSL socket
to connect to ldap over client auth. Now, based on some code I saw in the JSS
test suite, the socket is constructed in two
steps. Doing this causes things to work. Further investigation down the line
could figure out what is going on at the lower level.
3. Was able to test this to work with the reported problem directory server
provided by QE. Note: for pin removal to work, we must also
make sure that the user we authenticating to (through client auth) has the
power to actually remove the pin attribute from various users.
From 9dd3ac2da23ea053f4784356823213d6354c35f8 Mon Sep 17 00:00:00 2001
From: Jack Magne
Date: Tue, 16 Aug 2016 16:58:49 -0700
Subject: [PATCH] Authentication Instance Id PinDirEnrollment with authType
value as SslclientAuth is not working.
Ticket #1578
The fixing of this problem required the following:
1. Hook up a java callback that is designed to allow the selection of a candidate
client auth cert to be sent to Ldap in the LdapSSLSocket factory object.
Previously we simply manually set the desired client auth cert nickname, which is provided
by the console interface when cofiguring the "removePin" portion of the UidPinDir Authentication method.
Doing it this way has the benefit of giving us some logging to show when the actual client auth cert is being
requested by the server. We get to see the list of candidate certs and when we match one of those with the requested
cert name, established by the console.
This client auth problem applies ONLY to the connection pool that is used to remove the pin attribute from
an external authentication directory.
2. Previously the code, when setting up client auth for "removePin", would make one single call to create the SSL socket
to connect to ldap over client auth. Now, based on some code I saw in the JSS test suite, the socket is constructed in two
steps. Doing this causes things to work. Further investigation down the line could figure out what is going on at the lower level.
3. Was able to test this to work with the reported problem directory server provided by QE. Note: for pin removal to work, we must also
make sure that the user we authenticating to (through client auth) has the power to actually remove the pin attribute from various users.
---
.../cmscore/ldapconn/LdapJssSSLSocketFactory.java | 69 --
1 file changed, 64 insertions(+), 5 deletions(-)
diff --git a/base/server/cmscore/src/com/netscape/cmscore/ldapconn/LdapJssSSLSocketFactory.java b/base/server/cmscore/src/com/netscape/cmscore/ldapconn/LdapJssSSLSocketFactory.java
index 182812c..0396ca9 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/ldapconn/LdapJssSSLSocketFactory.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/ldapconn/LdapJssSSLSocketFactory.java
@@ -18,9 +18,16 @@
package com.netscape.cmscore.ldapconn;
import java.io.IOException;
+import java.net.InetAddress;
import java.net.Socket;
import java.net.UnknownHostException;
+import java.util.Iterator;
+import java.util.Vector;
+import netscape.ldap.LDAPException;
+import netscape.ldap.LDAPSSLSocketFactoryExt;
+
+import org.mozilla.jss.ssl.SSLClientCertificateSelectionCallback;
import org.mozilla.jss.ssl.SSLHandshakeCompletedEvent;
import org.mozilla.jss.ssl.SSLHandshakeCompletedListener;
import org.mozilla.jss.ssl.SSLSocket;
@@ -28,9 +35,6 @@ import org.mozilla.jss.ssl.SSLSocket;
import com.netscape.certsrv.apps.CMS;
import com.netscape.certsrv.logging.ILogger;
-import netscape.ldap.LDAPException;
-import netscape.ldap.LDAPSSLSocketFactoryExt;
-
/**
* Uses HCL ssl socket.
*
@@ -54,7 +58,22 @@ public class LdapJssSSLSocketFactory implements LDAPSSLSocketFactoryExt {
/*
* let inherit TLS range and cipher settings
*/
-s = new SSLSocket(host, port);
+
+if (mClientAuthCertNickname == null) {
+s = new SSLSocket(host, port);
+
Re: [Pki-devel] [pki-devel][PATCH] Non server keygen issue in SCP03.
On 05/05/2017 02:12 PM, John Magne wrote: [PATCH] Non server keygen issue in SCP03. Ticket 1663 Add SCP03 support: https://pagure.io/dogtagpki/issue/1663 We discovered a minor issue when trying to log values that don't exist when performing the non server side keygen case. For instance , we don't need to generate a kek session key in this case, and we were trying to print info about it to the logs. This fix allows this case to work without issue. ___ Pki-devel mailing list Pki-devel@redhat.com https://www.redhat.com/mailman/listinfo/pki-devel These changes look fine; ACK if tested to work. ___ Pki-devel mailing list Pki-devel@redhat.com https://www.redhat.com/mailman/listinfo/pki-devel
Re: [Pki-devel] [pki-devel][PATCH] 0095-Resolve-1663-Add-SCP03-support.patch
On 06/02/2017 04:44 PM, John Magne wrote: Ticket: Resolve #1663 Add SCP03 support . This particular fix resolves a simple issue when formatting a token in FIPS mode for SCP03. ___ Pki-devel mailing list Pki-devel@redhat.com https://www.redhat.com/mailman/listinfo/pki-devel Confirmed that import statements were removed by Eclipse, and that commented out block of code is there for future testing. As jmagne confirmed that this had been tested (including on the offending machine configuration) --- ACK ___ Pki-devel mailing list Pki-devel@redhat.com https://www.redhat.com/mailman/listinfo/pki-devel
Re: [Pki-devel] [pki-devel][PATCH] 0095-Resolve-1663-Add-SCP03-support.patch
PUshed to master: commit a614eb15476adb00df571d3ea05fdd8ea282141d Author: Jack Magne Date: Fri Jun 2 15:40:52 2017 -0700 Resolve #1663 Add SCP03 support . This particular fix resolves a simple issue when formatting a token in FIPS mode for SCP03. - Original Message - From: "Matthew Harmsen" To: "John Magne" , "pki-devel" Sent: Friday, June 2, 2017 4:01:14 PM Subject: Re: [Pki-devel] [pki-devel][PATCH] 0095-Resolve-1663-Add-SCP03-support.patch On 06/02/2017 04:44 PM, John Magne wrote: > > > > Ticket: Resolve #1663 Add SCP03 support . > > This particular fix resolves a simple issue when formatting a token in > FIPS mode for SCP03. > > > ___ > Pki-devel mailing list > Pki-devel@redhat.com > https://www.redhat.com/mailman/listinfo/pki-devel Confirmed that import statements were removed by Eclipse, and that commented out block of code is there for future testing. As jmagne confirmed that this had been tested (including on the offending machine configuration) --- ACK ___ Pki-devel mailing list Pki-devel@redhat.com https://www.redhat.com/mailman/listinfo/pki-devel
Re: [Pki-devel] [pki-devel][PATCH]0061-Enhance-tkstool-for-capabilities-and-security.patch
I think I will be more conservative and give conditional ACK to this patch pending on tests on servers running on both LunaSA and nethsm. Although the code in the patch might very well work for both, those two HSM's are known to require different sets of pk11AtrFlags and often one set would work for one but not the other. thanks, Christina On 01/15/2016 04:24 PM, John Magne wrote: Enhance tkstool for capabilities and security This simple ticket is to fix tkstool to allow it to create the master key with the proper flags to make the key data private such that it can't be easily viewed when using tools to print out sym keys on the token. Fix tested on the "internal" token by trying the various tkstool cmds to make sure having the key private does not cause issues. Also tried a simple key changeover operation with tpsclient to make sure that symkey can still do what it needs to do witht the master key. Further testing with a full hsm will be required. The goal was the create the key with the same flags that are used with the previous "PK11_GenKeyOnToken" (name approx) is used. This version had no flags and created a default set. This fix uses the version With flags and does what the old one did, but made sure the key is private and sensitive. Master key can be tested by using the tool: /usr/lib64/nss/unsupported-tools/symkeyutil -d ./ -L ___ Pki-devel mailing list Pki-devel@redhat.com https://www.redhat.com/mailman/listinfo/pki-devel ___ Pki-devel mailing list Pki-devel@redhat.com https://www.redhat.com/mailman/listinfo/pki-devel
[Pki-devel] [pki-devel][PATCH] 0062-Allow-cert-and-key-indexes-9.patch
Subject: [PATCH] Allow cert and key indexes > 9.
Ticket: Ticket #1734 : TPS issue with overflowing PKCS#11 cert index numbers
This patch contains the following:
1. Fixes in TPS to allow the server to set and read muscle object ID's that are
greater than 9.
The id is stored as a single ASCII byte in the object id. Previous libcoolkey
patches exist to now support numbers
larger than 9, by the following:
0-9 is represented by the ascii chars for 0 through 9,.
10 - 35 represented by the ascii chars for 'A' through 'Z'.
36 - 61 represented by the ascii chars for 'a' through 'z'.
Once coolkey is updated it will be able to read these id's.
TPS with this patch will be able to both read number 0 - 62 and to set them
when creating pkcs#11 objects to be stored on the token.
When the proper libcoolkey is installed, the coolkey driver will be able to
read certs and keys with id's > 9. Thus, for instance a cert with an id of C6,
with keys of k12, and k13, will be supported and viewable in the Firefox cert
viewer. Also the certs will be usable for operations.
2. A fix to the routine that finds a free id number to assign to a soon to be
recovered cert will now have the ability to find unused slots instead of just
inrementing one over the highest currently used index.
3. Made a couple of minor cleanup fixes to externalReg functionality discovered
during testing of this feature.
Tested up to 7 certs on the token. Also did some re-tests of cfu's cert
retention feature and those checked.
From 911d7fde7a49d2f854f391ea95771b4000c8535e Mon Sep 17 00:00:00 2001
From: Jack Magne
Date: Fri, 22 Jan 2016 18:03:36 -0800
Subject: [PATCH] Allow cert and key indexes > 9.
Ticket: Ticket #1734 : TPS issue with overflowing PKCS#11 cert index numbers
This patch contains the following:
1. Fixes in TPS to allow the server to set and read muscle object ID's that are greater than 9.
The id is stored as a single ASCII byte in the object id. Previous libcoolkey patches exist to now support numbers
larger than 9, by the following:
0-9 is represented by the ascii chars for 0 through 9,.
10 - 35 represented by the ascii chars for 'A' through 'Z'.
36 - 61 represented by the ascii chars for 'a' through 'z'.
Once coolkey is updated it will be able to read these id's.
TPS with this patch will be able to both read number 0 - 62 and to set them when creating pkcs#11 objects to be stored on the token.
When the proper libcoolkey is installed, the coolkey driver will be able to read certs and keys with id's > 9. Thus, for instance a cert with an id of C6, with keys of k12, and k13, will be supported and viewable in the Firefox cert viewer. Also the certs will be usable for operations.
2. A fix to the routine that finds a free id number to assign to a soon to be recovered cert will now have the ability to find unused slots instead of just inrementing one over the highest currently used index.
3. Made a couple of minor cleanup fixes to externalReg functionality discovered during testing of this feature.
---
.../org/dogtagpki/server/tps/main/ObjectSpec.java | 208 +++-
.../org/dogtagpki/server/tps/main/PKCS11Obj.java | 92 -
.../server/tps/processor/CertEnrollInfo.java | 9 +-
.../server/tps/processor/EnrolledCertsInfo.java| 7 +
.../server/tps/processor/TPSEnrollProcessor.java | 213 -
5 files changed, 380 insertions(+), 149 deletions(-)
diff --git a/base/tps/src/org/dogtagpki/server/tps/main/ObjectSpec.java b/base/tps/src/org/dogtagpki/server/tps/main/ObjectSpec.java
index a8dbdb1..00cc447 100644
--- a/base/tps/src/org/dogtagpki/server/tps/main/ObjectSpec.java
+++ b/base/tps/src/org/dogtagpki/server/tps/main/ObjectSpec.java
@@ -236,7 +236,8 @@ public class ObjectSpec {
// down to the cert's id, the code below changes both "4" and "5" back
// to "2".
-int val = (objectID.charAt(1) - '0');
+int val = objectSpec.getObjectIndex();
+
switch (objectID.charAt(0)) {
case 'c':
@@ -290,7 +291,7 @@ public class ObjectSpec {
fixedAttrs = 0x0080; /* CKA_TOKEN */
xclass = (int) PKCS11Constants.CKO_CERTIFICATE;
-id = objectID.charAt(1) - '0';
+id = objectSpec.getObjectIndex();
objectSpec.setFixedAttributes(fixedAttrs | (xclass << 4) | id);
}
@@ -453,4 +454,207 @@ public class ObjectSpec {
return data;
}
+public int getObjectIndex() {
+return ObjectSpec.getObjectIndex(this.objectID);
+}
+
+public static int getObjectIndex(long objectID) {
+char char_index = (char) ((objectID >> 16) & 0xff);
+int index = -1;
+
+if (char_index >= '0' && char_index <= '9') {
+index = char_index - '0';
+}
+if (char_index >= 'A' && char_index <= 'Z') {
+index = char_index - 'A' + 10;
+}
+if (char_index >= 'a' && char_index <= 'z') {
+index = char_index - 'a' + 26;
+
Re: [Pki-devel] [pki-devel][PATCH] 0064-Port-symkey-JNI-to-Java-classes.patch
On Fri, Apr 15, 2016 at 10:03:03PM -0400, John Magne wrote:
> Subject: [PATCH] Port symkey JNI to Java classes. Ticket #801 : Merge
> pki-symkey into jss
>
> What is supported:
>
> 1. Everything that is needed to support Secure Channel Protocol 01.
> 2. Supports the nist sp800 kdf and the original kdf.
> 3. Supports key unwrapping used by TPS which was formerly in the symkey JNI.
>
> Requires:
>
> 1. A new JSS that supports more advanced symkey operations such as key
> derivation, more advanced key
> unwrapping , and a way to list and identify a given symmetric key by name.
> Version of new Jss will be forthcoming.
>
Are you going to rebase to a new version of JSS (i.e. 4.3.x) or
apply more patches on 4.2.6? There is a feature unavailable in
4.2.6 that I'd like to get into the next release of JSS as well.
> Still to do:
>
> 1. Port over the 2 or 3 SCP02 routines from Symkey to use this code.
> 2. The original symkey will remain in place until we can port over everything.
> 3. SCP03 support can be added later.
> From e4b02023290624b899192f65626f0c0f60d5638c Mon Sep 17 00:00:00 2001
> From: Jack Magne
> Date: Tue, 29 Mar 2016 10:39:27 -0700
> Subject: [PATCH] Port symkey JNI to Java classes. Ticket #801 : Merge
> pki-symkey into jss
>
> What is supported:
>
> 1. Everything that is needed to support Secure Channel Protocol 01.
> 2. Supports the nist sp800 kdf and the original kdf.
> 3. Supports key unwrapping used by TPS which was formerly in the symkey JNI.
>
> Requires:
>
> 1. A new JSS that supports more advanced symkey operations such as key
> derivation, more advanced key
> unwrapping , and a way to list and identify a given symmetric key by name.
> Version of new Jss will be forthcoming.
>
> Still to do:
>
> 1. Port over the 2 or 3 SCP02 routines from Symkey to use this code.
> 2. The original symkey will remain in place until we can port over everything.
> 3. SCP03 support can be added later.
>
> Audit fix.
> ---
> .../cms/src/com/netscape/cms/servlet/tks/KDF.java | 67 +
> .../netscape/cms/servlet/tks/NistSP800_108KDF.java | 200 +++
> .../cms/servlet/tks/SecureChannelProtocol.java | 1412
>
> .../com/netscape/cms/servlet/tks/StandardKDF.java | 170 +++
> .../com/netscape/cms/servlet/tks/TokenServlet.java | 140 +-
> .../server/tps/processor/TPSProcessor.java | 83 +-
> 6 files changed, 1987 insertions(+), 85 deletions(-)
> create mode 100644 base/server/cms/src/com/netscape/cms/servlet/tks/KDF.java
> create mode 100644
> base/server/cms/src/com/netscape/cms/servlet/tks/NistSP800_108KDF.java
> create mode 100644
> base/server/cms/src/com/netscape/cms/servlet/tks/SecureChannelProtocol.java
> create mode 100644
> base/server/cms/src/com/netscape/cms/servlet/tks/StandardKDF.java
>
> diff --git a/base/server/cms/src/com/netscape/cms/servlet/tks/KDF.java
> b/base/server/cms/src/com/netscape/cms/servlet/tks/KDF.java
> new file mode 100644
> index 000..54028af
> --- /dev/null
> +++ b/base/server/cms/src/com/netscape/cms/servlet/tks/KDF.java
> @@ -0,0 +1,67 @@
> +package com.netscape.cms.servlet.tks;
> +
> +import com.netscape.certsrv.apps.CMS;
> +import com.netscape.certsrv.base.EBaseException;
> +
> +public class KDF {
> +/* DES KEY Parity conversion table. Takes each byte >> 1 as an index,
> returns
> + * that byte with the proper parity bit set*/
> +static final int parityTable[] =
> +{
> +/* Even...0x00,0x02,0x04,0x06,0x08,0x0a,0x0c,0x0e */
> +/* E */0x01, 0x02, 0x04, 0x07, 0x08, 0x0b, 0x0d, 0x0e,
> +/* Odd0x10,0x12,0x14,0x16,0x18,0x1a,0x1c,0x1e */
> +/* O */0x10, 0x13, 0x15, 0x16, 0x19, 0x1a, 0x1c, 0x1f,
> +/* Odd0x20,0x22,0x24,0x26,0x28,0x2a,0x2c,0x2e */
> +/* O */0x20, 0x23, 0x25, 0x26, 0x29, 0x2a, 0x2c, 0x2f,
> +/* Even...0x30,0x32,0x34,0x36,0x38,0x3a,0x3c,0x3e */
> +/* E */0x31, 0x32, 0x34, 0x37, 0x38, 0x3b, 0x3d, 0x3e,
> +/* Odd0x40,0x42,0x44,0x46,0x48,0x4a,0x4c,0x4e */
> +/* O */0x40, 0x43, 0x45, 0x46, 0x49, 0x4a, 0x4c, 0x4f,
> +/* Even...0x50,0x52,0x54,0x56,0x58,0x5a,0x5c,0x5e */
> +/* E */0x51, 0x52, 0x54, 0x57, 0x58, 0x5b, 0x5d, 0x5e,
> +/* Even...0x60,0x62,0x64,0x66,0x68,0x6a,0x6c,0x6e */
> +/* E */0x61, 0x62, 0x64, 0x67, 0x68, 0x6b, 0x6d, 0x6e,
> +/* Odd0x70,0x72,0x74,0x76,0x78,0x7a,0x7c,0x7e */
> +/* O */0x70, 0x73, 0x75, 0x76, 0x79, 0x7a, 0x7c, 0x7f,
> +/* Odd0x80,0x82,0x84,0x86,0x88,0x8a,0x8c,0x8e */
> +/* O */0x80, 0x83, 0x85, 0x86, 0x89, 0x8a, 0x8c, 0x8f,
> +/* Even...0x90,0x92,0x94,0x96,0x98,0x9a,0x9c,0x9e */
> +/* E */0x91, 0x92, 0x94, 0x97, 0x98, 0x9b, 0x9d, 0x9e,
> +/* Even...0xa0,0xa2,0xa4,0xa6,0xa8,0xaa,0xac,0xae */
> +/* E */0xa1, 0xa2, 0xa4, 0xa7, 0xa8, 0xab, 0xad, 0xae,
> +/* Odd0xb0,0xb2,
Re: [Pki-devel] [pki-devel][PATCH]0061-Enhance-tkstool-for-capabilities-and-security.patch
Ticket #1641 Enhance tkstool for capabilities and security The key is now generated with the flags needed to keep the data from being displayed with simple tools such as symkeyutil. As per cfu's instructions, I was able to test this with the nethsm only. I also was able to make the key des3 and everything works fine with the master key. This will help all the warnings we get about insecure des2 keys. If there is a problem with luna, we can file another ticket. Also there could be a built in tool for luna to generate keys such as is present on hsm. Pushed to master. - Original Message - From: "Christina Fu" To: pki-devel@redhat.com Sent: Wednesday, January 27, 2016 10:24:26 AM Subject: Re: [Pki-devel] [pki-devel][PATCH]0061-Enhance-tkstool-for-capabilities-and-security.patch I think I will be more conservative and give conditional ACK to this patch pending on tests on servers running on both LunaSA and nethsm. Although the code in the patch might very well work for both, those two HSM's are known to require different sets of pk11AtrFlags and often one set would work for one but not the other. thanks, Christina On 01/15/2016 04:24 PM, John Magne wrote: Enhance tkstool for capabilities and security This simple ticket is to fix tkstool to allow it to create the master key with the proper flags to make the key data private such that it can't be easily viewed when using tools to print out sym keys on the token. Fix tested on the "internal" token by trying the various tkstool cmds to make sure having the key private does not cause issues. Also tried a simple key changeover operation with tpsclient to make sure that symkey can still do what it needs to do witht the master key. Further testing with a full hsm will be required. The goal was the create the key with the same flags that are used with the previous "PK11_GenKeyOnToken" (name approx) is used. This version had no flags and created a default set. This fix uses the version With flags and does what the old one did, but made sure the key is private and sensitive. Master key can be tested by using the tool: /usr/lib64/nss/unsupported-tools/symkeyutil -d ./ -L ___ Pki-devel mailing list Pki-devel@redhat.com https://www.redhat.com/mailman/listinfo/pki-devel ___ Pki-devel mailing list Pki-devel@redhat.com https://www.redhat.com/mailman/listinfo/pki-devel ___ Pki-devel mailing list Pki-devel@redhat.com https://www.redhat.com/mailman/listinfo/pki-devel
Re: [Pki-devel] [pki-devel][PATCH] 0064-Port-symkey-JNI-to-Java-classes.patch
Hi,
First of all, I have to say that Jack did a wonderful job on such
daunting task. The sheer amount of code and complexity does make the
review more challenging, but I dug through them with my teeth and claws
regardless ;-).
We discussed and think we should postpone the checkin to next release so
we can make sure it gets the kind of attention in details that it deserves.
For the first round of reviews, I sent him two separate sets of review
comments last week. One for JSS, and one for the rest.
The JSS patch was not attached to his original email request for
review. It is attached to the following ticket:
https://fedorahosted.org/pki/ticket/801
You can find my review comments attached to this email.
thanks,
Christina
On 04/15/2016 07:03 PM, John Magne wrote:
Subject: [PATCH] Port symkey JNI to Java classes. Ticket #801 : Merge
pki-symkey into jss
What is supported:
1. Everything that is needed to support Secure Channel Protocol 01.
2. Supports the nist sp800 kdf and the original kdf.
3. Supports key unwrapping used by TPS which was formerly in the symkey JNI.
Requires:
1. A new JSS that supports more advanced symkey operations such as key
derivation, more advanced key
unwrapping , and a way to list and identify a given symmetric key by name.
Version of new Jss will be forthcoming.
Still to do:
1. Port over the 2 or 3 SCP02 routines from Symkey to use this code.
2. The original symkey will remain in place until we can port over everything.
3. SCP03 support can be added later.
___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel
--- Begin Message ---
Sending this out to you just to get it off my back...
this is just the JSS part.
Some of these already communicated to you. I'm just listing them out to
track for the re-review.
==
JSS
*PK11KeyWrapper.java
- The original unwrapSymmetric) assumes temporary true, and you want
to have a function that treats it as false.
You made a copy of the original and named it unwrapSymmetricPerm()
and set the temporary to false.
- I think it'd be better if you just add a "temporary" param to the
original function, and add the function with original signature to call
into the one with temporary true; Then you call into the new signature
with temporary false (instead of adding this extra unwrapSymmetricPerm()
* Java_org_mozilla_jss_pkcs11_PK11Store_putSymKeysInVector
This function gets a list of sym keys from a token and put them into a
vector. It seems more appropriate to be called
getSymKeysInVector() ("put" made me think initially that you are
putting keys into the token)
* PK11SymKey.c: JSS_PK11_wrapSymKey
- Are we sure that all sym keys have nicknames?
Should we maintain the original "no nickname" code path by checking
if nickname is null and call original calls?
* in Java_org_mozilla_jss_pkcs11_PK11SymKey_setNickNameNative
/* name the key */
status = PK11_SetSymKeyNickname( key, keyname );
if( status != SECSuccess ) {
JSS_throwMsgPrErr(env, TOKEN_EXCEPTION,
"Failed to name symmetric key");
- is there not an error code that you can get and throw back to make
it more useful?
I noticed this applies to many other areas as well. it's a good idea
to get errorcode to throw back
* setNickName
- you might want to check if nickname is null before passing it down to C
* might want to check if new JSS files created should bear the same
Netscape etc. license
*PK11SymmetricKeyDeriver.c : bestSlot =
PK11_GetBestSlot(deriveMechanism, NULL);
should test it out on hsm (already communicated to jack... item here
to track)
- suggest if issues found, revert to old code (or code similar to old
code) and create a separate ticket to tackle
- new code should test to work on both nethsm and lunasa
* the test SymKeyDeriving seems to fail at NSS init (Jack found the hard
coded lib): tracking here
--- End Message ---
--- Begin Message ---
=
SecureChannelProtocol.java
** diversifyKey()
- I don't see KDD being checked for null when conext is being
assigned to it.
- in the 3 calls you made to standardKDF.getDiversificationData(),
first param you passed in is "KDD". Could you mean "context"? because
if nistSP800_108KdfUseCuidAsKdd is true, then your KDD is most
likely null, isn't it?
- I got so confused with these standardKDF.getDiversificationData() calls.
reason being that the getDiversificationData() is really not
specific to "standardKDF". It is used and used if you choose
NistSP800_108KDF too!!!
How about moving the getDiversificationData() method to the base KDF
class instead?
*computeSessionKey_SCP02()
note yet implemented, but your debug log says it's SCP01.
**computeMAC_SCP01()
- are you sure the cipher needs to be initialized inside the loop
instead of before the loop?
cipher.initEncrypt(symKey);
- also, oddly, I don't see any upda
Re: [Pki-devel] [pki-devel][PATCH] 0064-Port-symkey-JNI-to-Java-classes.patch
This is the re-review of the patches that addressed my original comments. Overall I think it's good for this round. I only have a few comments and most have already been communicated to jack. Conditional ACK upon completion of the following, and of course, tested to work: * Please open the new tickets for tasks you wish to push for later. Feel free to combine things in same area into one ticket if it makes sense. Please list the ticket(s) at commit response. * Please write a wrapper function computeKekKey() to call the computeSessionKey_SCP01() with null null, so for people who read the code it's clear that it's actually getting the kek key handle rather than a session key. * wrapSessionKey() now takes a wrapping key, and if it's null, it takes a global transportKey. Please put this in a top block method comment to make it clear what this method does * you defined cryptogram types (per my earlier comment), but you did not replace the 0 and 1 in the calling method. * the top of method comment convention is usually using /* ...*/ instead of a whole bunch of //'s thanks! Christina On 05/17/2016 06:44 PM, John Magne wrote: Enclosed revised patches: Thanks to cfu for careful review. Also enclosed responses to comments ,for convenience. - Original Message - From: "Christina Fu" To: pki-devel@redhat.com Sent: Friday, May 13, 2016 11:34:17 AM Subject: Re: [Pki-devel] [pki-devel][PATCH] 0064-Port-symkey-JNI-to-Java-classes.patch Hi, First of all, I have to say that Jack did a wonderful job on such daunting task. The sheer amount of code and complexity does make the review more challenging, but I dug through them with my teeth and claws regardless ;-). We discussed and think we should postpone the checkin to next release so we can make sure it gets the kind of attention in details that it deserves. For the first round of reviews, I sent him two separate sets of review comments last week. One for JSS, and one for the rest. The JSS patch was not attached to his original email request for review. It is attached to the following ticket: https://fedorahosted.org/pki/ticket/801 You can find my review comments attached to this email. thanks, Christina On 04/15/2016 07:03 PM, John Magne wrote: Subject: [PATCH] Port symkey JNI to Java classes. Ticket #801 : Merge pki-symkey into jss What is supported: 1. Everything that is needed to support Secure Channel Protocol 01. 2. Supports the nist sp800 kdf and the original kdf. 3. Supports key unwrapping used by TPS which was formerly in the symkey JNI. Requires: 1. A new JSS that supports more advanced symkey operations such as key derivation, more advanced key unwrapping , and a way to list and identify a given symmetric key by name. Version of new Jss will be forthcoming. Still to do: 1. Port over the 2 or 3 SCP02 routines from Symkey to use this code. 2. The original symkey will remain in place until we can port over everything. 3. SCP03 support can be added later. ___ Pki-devel mailing list Pki-devel@redhat.com https://www.redhat.com/mailman/listinfo/pki-devel ___ Pki-devel mailing list Pki-devel@redhat.com https://www.redhat.com/mailman/listinfo/pki-devel ___ Pki-devel mailing list Pki-devel@redhat.com https://www.redhat.com/mailman/listinfo/pki-devel
Re: [Pki-devel] [pki-devel][PATCH] 0064-Port-symkey-JNI-to-Java-classes.patch
Just realized that I missed this comment for conditional ack: It was already communicated to Jack. Please file a ticket for this. derivedKey = encryptDes3.derive(); it throws exception when fail (in nethsm it seems to be the case now), and then default to encryption. It'd be better to provide a config param to turn on and off derive v.s. encryption in case we know for sure a certain hsm does not handle such thing, then the process won't waste the consistent exceptions. Once again, great job on such daunting task!! thanks, Christina On 05/18/2016 06:31 PM, Christina Fu wrote: This is the re-review of the patches that addressed my original comments. Overall I think it's good for this round. I only have a few comments and most have already been communicated to jack. Conditional ACK upon completion of the following, and of course, tested to work: * Please open the new tickets for tasks you wish to push for later. Feel free to combine things in same area into one ticket if it makes sense. Please list the ticket(s) at commit response. * Please write a wrapper function computeKekKey() to call the computeSessionKey_SCP01() with null null, so for people who read the code it's clear that it's actually getting the kek key handle rather than a session key. * wrapSessionKey() now takes a wrapping key, and if it's null, it takes a global transportKey. Please put this in a top block method comment to make it clear what this method does * you defined cryptogram types (per my earlier comment), but you did not replace the 0 and 1 in the calling method. * the top of method comment convention is usually using /* ...*/ instead of a whole bunch of //'s thanks! Christina On 05/17/2016 06:44 PM, John Magne wrote: Enclosed revised patches: Thanks to cfu for careful review. Also enclosed responses to comments ,for convenience. - Original Message - From: "Christina Fu" To: pki-devel@redhat.com Sent: Friday, May 13, 2016 11:34:17 AM Subject: Re: [Pki-devel] [pki-devel][PATCH] 0064-Port-symkey-JNI-to-Java-classes.patch Hi, First of all, I have to say that Jack did a wonderful job on such daunting task. The sheer amount of code and complexity does make the review more challenging, but I dug through them with my teeth and claws regardless ;-). We discussed and think we should postpone the checkin to next release so we can make sure it gets the kind of attention in details that it deserves. For the first round of reviews, I sent him two separate sets of review comments last week. One for JSS, and one for the rest. The JSS patch was not attached to his original email request for review. It is attached to the following ticket: https://fedorahosted.org/pki/ticket/801 You can find my review comments attached to this email. thanks, Christina On 04/15/2016 07:03 PM, John Magne wrote: Subject: [PATCH] Port symkey JNI to Java classes. Ticket #801 : Merge pki-symkey into jss What is supported: 1. Everything that is needed to support Secure Channel Protocol 01. 2. Supports the nist sp800 kdf and the original kdf. 3. Supports key unwrapping used by TPS which was formerly in the symkey JNI. Requires: 1. A new JSS that supports more advanced symkey operations such as key derivation, more advanced key unwrapping , and a way to list and identify a given symmetric key by name. Version of new Jss will be forthcoming. Still to do: 1. Port over the 2 or 3 SCP02 routines from Symkey to use this code. 2. The original symkey will remain in place until we can port over everything. 3. SCP03 support can be added later. ___ Pki-devel mailing list Pki-devel@redhat.com https://www.redhat.com/mailman/listinfo/pki-devel ___ Pki-devel mailing list Pki-devel@redhat.com https://www.redhat.com/mailman/listinfo/pki-devel ___ Pki-devel mailing list Pki-devel@redhat.com https://www.redhat.com/mailman/listinfo/pki-devel ___ Pki-devel mailing list Pki-devel@redhat.com https://www.redhat.com/mailman/listinfo/pki-devel
Re: [Pki-devel] [pki-devel][PATCH] 0064-Port-symkey-JNI-to-Java-classes.patch
Checked into master: commit 1d60c55940e310aa77befe09c970db3831bb5042 Author: Jack Magne Date: Tue Mar 29 10:39:27 2016 -0700 Port symkey JNI to Java classes. Ticket #801 : Merge pki-symkey into jss What is supported: 1. Everything that is needed to support Secure Channel Protocol 01. 2. Supports the nist sp800 kdf and the original kdf. 3. Supports key unwrapping used by TPS which was formerly in the symkey JNI. Requires: 1. A new JSS that supports more advanced symkey operations such as key derivation, more advanced key unwrapping , and a way to list and identify a given symmetric key by name. Version of new Jss will be forthcoming. Still to do: 1. Port over the 2 or 3 SCP02 routines from Symkey to use this code. 2. The original symkey will remain in place until we can port over everything. 3. SCP03 support can be added later. New ticket created for future refinements: https://fedorahosted.org/pki/ticket/2337 Closing #801 - Original Message - From: "Christina Fu" To: pki-devel@redhat.com Sent: Monday, May 23, 2016 8:56:40 AM Subject: Re: [Pki-devel] [pki-devel][PATCH] 0064-Port-symkey-JNI-to-Java-classes.patch Just realized that I missed this comment for conditional ack: It was already communicated to Jack. Please file a ticket for this. derivedKey = encryptDes3.derive(); it throws exception when fail (in nethsm it seems to be the case now), and then default to encryption. It'd be better to provide a config param to turn on and off derive v.s. encryption in case we know for sure a certain hsm does not handle such thing, then the process won't waste the consistent exceptions. Once again, great job on such daunting task!! thanks, Christina On 05/18/2016 06:31 PM, Christina Fu wrote: > This is the re-review of the patches that addressed my original comments. > Overall I think it's good for this round. I only have a few comments > and most have already been communicated to jack. > > Conditional ACK upon completion of the following, and of course, > tested to work: > > * Please open the new tickets for tasks you wish to push for later. > Feel free to combine things in same area into one ticket if it makes > sense. Please list the ticket(s) at commit response. > * Please write a wrapper function computeKekKey() to call the > computeSessionKey_SCP01() with null null, so for people who read the > code it's clear that it's actually getting the kek key handle rather > than a session key. > * wrapSessionKey() now takes a wrapping key, and if it's null, it > takes a global transportKey. Please put this in a top block method > comment to make it clear what this method does > * you defined cryptogram types (per my earlier comment), but you did > not replace the 0 and 1 in the calling method. > * the top of method comment convention is usually using /* ...*/ > instead of a whole bunch of //'s > > > thanks! > Christina > > > On 05/17/2016 06:44 PM, John Magne wrote: >> Enclosed revised patches: >> >> Thanks to cfu for careful review. >> >> Also enclosed responses to comments ,for convenience. >> >> >> >> >> - Original Message - >>> From: "Christina Fu" >>> To: pki-devel@redhat.com >>> Sent: Friday, May 13, 2016 11:34:17 AM >>> Subject: Re: [Pki-devel] [pki-devel][PATCH] >>> 0064-Port-symkey-JNI-to-Java-classes.patch >>> >>> Hi, >>> First of all, I have to say that Jack did a wonderful job on such >>> daunting >>> task. The sheer amount of code and complexity does make the review more >>> challenging, but I dug through them with my teeth and claws >>> regardless ;-). >>> >>> We discussed and think we should postpone the checkin to next >>> release so we >>> can make sure it gets the kind of attention in details that it >>> deserves. >>> >>> For the first round of reviews, I sent him two separate sets of review >>> comments last week. One for JSS, and one for the rest. >>> The JSS patch was not attached to his original email request for >>> review. It >>> is attached to the following ticket: >>> https://fedorahosted.org/pki/ticket/801 >>> >>> You can find my review comments attached to this email. >>> >>> thanks, >>> Christina >>> >>> On 04/15/2016 07:03 PM, John Magne wrote: >>> >>> >>> >>> Subject: [PATCH] Port symkey JNI to Java classes. Ticket #801 : Merge >>> pki-symkey into jss >>> >>> What is supported: >>> >>> 1. Ever
[Pki-devel] [pki-devel][PATCH] 0069-Show-KeyOwner-info-when-viewing-recovery-requests.patch
Show KeyOwner info when viewing recovery requests.
This simple fix will grab the subject info out of the cert
associated with either pending or complete recovery requests being
viewed in the KRA UI.
For example:
KeyOwner: UID=jmagne, O=Token Key User
Will be displayed.
Have seen this display for both pending and completed recovery requests.
This simple fix should be good enough for this round, despite the bug
asking about agent info and such. Those enhancements for later.
Ticket : Ticket #1512 : Key owner info missing from the Search results of
Recovery request
From e817db639484ef61c1a228e3e8651fd835bd4eb1 Mon Sep 17 00:00:00 2001
From: Jack Magne
Date: Wed, 1 Jun 2016 15:05:20 -0700
Subject: [PATCH] Show KeyOwner info when viewing recovery requests.
This simple fix will grab the subject info out of the cert
associated with either pending or complete recovery requests being
viewed in the KRA UI.
For example:
KeyOwner: UID=jmagne, O=Token Key User
Will be displayed.
This simple fix should be good enough for this round, despite the bug
asking about agent info and such.
Ticket : Ticket #1512 : Key owner info missing from the Search results of Recovery request
---
.../netscape/cms/servlet/request/CertReqParser.java | 20 +++-
1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/base/server/cms/src/com/netscape/cms/servlet/request/CertReqParser.java b/base/server/cms/src/com/netscape/cms/servlet/request/CertReqParser.java
index fd45894..88f9c5d 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/request/CertReqParser.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/request/CertReqParser.java
@@ -59,6 +59,7 @@ import com.netscape.certsrv.request.RequestStatus;
import com.netscape.cms.servlet.common.CMSTemplate;
import com.netscape.cms.servlet.common.CMSTemplateParams;
import com.netscape.cms.servlet.common.RawJS;
+import com.netscape.cmsutil.util.Utils;
/**
* Output a 'pretty print' of a certificate request
@@ -666,8 +667,25 @@ public class CertReqParser extends ReqParser {
arg.addStringValue("profile", "false");
String keyID = getKeyID(req);
-if (keyID != null) {
+if (keyID != null && !keyID.isEmpty()) {
arg.addStringValue("subject", keyID);
+} else {
+String cert = req.getExtDataInString("cert");
+
+if(cert != null) {
+
+X509CertImpl theCert = null;
+try {
+theCert = new X509CertImpl(Utils.base64decode(cert));
+} catch (CertificateException e) {
+}
+
+if(theCert != null) {
+String subject = theCert.getSubjectDN().toString();
+arg.addStringValue("subject", subject);
+}
+
+}
}
}
--
2.5.0
___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel
[Pki-devel] [pki-devel][PATCH] 0071-UdnPwdDirAuth-authentication-plugin-instance-is-not-.patch
UdnPwdDirAuth authentication plugin instance is not working. Ticket #1579 : UdnPwdDirAuth authentication plugin instance is not working. Since this class no longer works, we felt it best to just remove it from the server. This patch removes the references and files associated with this auth method,including the plugin itself, so intrepid individuals will not be tempted to manually configure this auth method. QE has nicely decided to independently remove the tests associated with this plugin already. From b471e0d8e260e01833343c35557488be711ddf1f Mon Sep 17 00:00:00 2001 From: Jack Magne Date: Tue, 7 Jun 2016 16:39:40 -0700 Subject: [PATCH] UdnPwdDirAuth authentication plugin instance is not working. Ticket #1579 : UdnPwdDirAuth authentication plugin instance is not working. Since this class no longer works, we felt it best to just remove it from the server. This patch removes the references and files associated with this auth method. --- base/ca/shared/conf/CS.cfg | 1 - base/ca/shared/webapps/ca/ee/ca/UserDnEnroll.html | 472 - .../netscape/admin/certsrv/ug/AuthBaseDialog.java | 2 - .../admin/certsrv/ug/AuthConfigDialog.java | 3 - base/kra/shared/conf/CS.cfg| 1 - base/ocsp/shared/conf/CS.cfg | 1 - .../authentication/UdnPwdDirAuthentication.java| 201 - .../src/com/netscape/cmscore/apps/Setup.java | 1 - .../cmscore/connector/RequestTransfer.java | 1 - base/tks/shared/conf/CS.cfg| 1 - base/tps/shared/conf/CS.cfg| 1 - 11 files changed, 685 deletions(-) delete mode 100644 base/ca/shared/webapps/ca/ee/ca/UserDnEnroll.html delete mode 100644 base/server/cms/src/com/netscape/cms/authentication/UdnPwdDirAuthentication.java diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg index 989a322..c896251 100644 --- a/base/ca/shared/conf/CS.cfg +++ b/base/ca/shared/conf/CS.cfg @@ -169,7 +169,6 @@ auths.impl._002=## auths.impl.AgentCertAuth.class=com.netscape.cms.authentication.AgentCertAuthentication auths.impl.CMCAuth.class=com.netscape.cms.authentication.CMCAuth auths.impl.SSLclientCertAuth.class=com.netscape.cms.authentication.SSLclientCertAuthentication -auths.impl.UdnPwdDirAuth.class=com.netscape.cms.authentication.UdnPwdDirAuthentication auths.impl.UidPwdDirAuth.class=com.netscape.cms.authentication.UidPwdDirAuthentication auths.impl.UidPwdPinDirAuth.class=com.netscape.cms.authentication.UidPwdPinDirAuthentication auths.impl.UidPwdGroupDirAuth.class=com.netscape.cms.authentication.UidPwdGroupDirAuthentication diff --git a/base/ca/shared/webapps/ca/ee/ca/UserDnEnroll.html b/base/ca/shared/webapps/ca/ee/ca/UserDnEnroll.html deleted file mode 100644 index f4798d4..000 --- a/base/ca/shared/webapps/ca/ee/ca/UserDnEnroll.html +++ /dev/null @@ -1,472 +0,0 @@ - -http://www.w3.org/TR/html4/loose.dtd";> - - -Directory Based User Enrollment Form - - - - - - -