From mharmsen at redhat.com Wed Mar 1 02:46:05 2017
From: mharmsen at redhat.com (Matthew Harmsen)
Date: Tue, 28 Feb 2017 19:46:05 -0700
Subject: [Pki-devel] Sunset of Fedorahosted.org Resources
Message-ID: <2ee5e1e2-3104-886d-185c-16a511744d64@redhat.com>

Everyone,

February 28, 2017 marked the sunset of fedorahosted.org. As a consequence, many of the various ticketing systems, repositories, and wikis were required to be moved.

The Dogtag PKI project and several of the closely associated projects have been relocated, and can be found at the following link:

* RELOCATION OF PROJECT ISSUES, REPOSITORIES, AND WIKI INFORMATION

-- Matt

From edewata at redhat.com Wed Mar 1 17:55:00 2017
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 1 Mar 2017 11:55:00 -0600
Subject: [Pki-devel] [PATCH] 966 Refactored PKIInstance.load().
Message-ID: <1d3196a9-e01e-7e51-09ae-975981fd6859@redhat.com>

The code that loads the password.conf in PKIInstance.load() has been converted into a general purpose load_properties() method. A corresponding store_properties() method has been added as well.

Pushed to master under trivial rule.

-- Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0966-Refactored-PKIInstance.load.patch
Type: text/x-patch
Size: 3013 bytes

From ftweedal at redhat.com Thu Mar 2 07:35:53 2017
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Thu, 2 Mar 2017 17:35:53 +1000
Subject: [Pki-devel] [PATCH] 0166 CMS.getLogMessage: escape format elements in arguments
Message-ID: <20170302073553.GG6697@dhcp-40-8.bne.redhat.com>

Hi team,

Please review the attached patch, which fixes an issue in CMS message formatting: if one of the message arguments contains '{' or '}', in subsequent logging this is interpreted as a FormatElement and parsing fails.

Thanks,
Fraser

-------------- next part --------------
From 45c90767ff697209c4e46581f796807c0093f527 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Thu, 2 Mar 2017 16:32:21 +1000 Subject: [PATCH] CMS.getLogMessage: escape format elements in arguments CMS.getLogMessage performs message formatting via MessageFormat, then the message gets logged via a Logger. The Logger also performs message formatting via MessageFormat. If the formatted log message contains '{' or '}' (e.g. if it contains JSON) the MessageFormat implementation interprets these as FormatElement delimiters and parsing fails. Update CMS.getLogMessage() to scan arguments for unsafe characters and if found, escape the whole message so that subsequent logging will succeed. Part of: https://pagure.io/dogtagpki/issue/1359 --- .../cmscore/src/com/netscape/cmscore/apps/CMSEngine.java | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java index 90ee8b90a4841ee79970c9b857b95468d7ecd2ec..31ec53f8aaeda818bf174111f115cf611267897c 100644 --- a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java +++ b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java @@ -1592,7 +1592,21 @@ public class CMSEngine implements ICMSEngine { return msg; MessageFormat mf = new MessageFormat(msg); - return mf.format(params); + String escapedParams[] = new String[params.length]; + for (int i = 0; i < params.length; i++) + escapedParams[i] = escapeLogMessageParam(params[i]); + + return mf.format(escapedParams); + } + + /** Quote a string for inclusion in a java.text.MessageFormat + */ + private String escapeLogMessageParam(String s) { + if (s == null) + return null; + if (s.contains("{") || s.contains("}")) + return "'" + s.replaceAll("'", "''") + "'"; + return s; } public void debug(byte data[]) { -- 2.9.3 From ftweedal at redhat.com Tue Mar 7 01:16:37 2017 
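Review bot: In the new escapeLogMessageParam(), the guard `if (s.contains("{") || s.contains("}"))` leaves an argument that contains a single quote but no brace untouched, yet a lone `'` in the formatted message is also significant to the Logger's second MessageFormat pass (it opens a quoted section, is dropped from the output, and the rest of the message is taken literally), so the logged text is silently altered; treat `'` as unsafe as well, or quote every parameter unconditionally. The commit message also says the patch escapes "the whole message", while the hunk escapes each parameter individually before mf.format(); the message should say what the code does.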
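As an added illustration of the double-formatting problem described in the cover e-mail (example code written for this page, not part of the patch or of Dogtag): the first pass stands in for CMS.getLogMessage(), the second for a Logger that runs MessageFormat over the already-formatted string. The escapeParam() helper applies the same quoting rule as the patch but, going beyond it, also treats a single quote as unsafe; the JSON argument is a constructed sample.

```java
import java.text.MessageFormat;

public class DoubleFormatDemo {

    // Same quoting rule as the patch (wrap in MessageFormat quotes, double any
    // embedded quote), extended here to also fire on a bare single quote.
    static String escapeParam(String s) {
        if (s == null)
            return null;
        if (s.contains("{") || s.contains("}") || s.contains("'"))
            return "'" + s.replace("'", "''") + "'";
        return s;
    }

    // First pass: format the message template with its arguments, optionally
    // escaping each argument first (what the patch adds to getLogMessage()).
    static String firstPass(String template, boolean escape, String... args) {
        Object[] params = new Object[args.length];
        for (int i = 0; i < args.length; i++)
            params[i] = escape ? escapeParam(args[i]) : args[i];
        return new MessageFormat(template).format(params);
    }

    // Second pass: what a Logger does when it treats the already-formatted
    // message as a MessageFormat pattern again. Throws IllegalArgumentException
    // if the text contains an unescaped '{' that does not start a valid element.
    static String secondPass(String alreadyFormatted) {
        return new MessageFormat(alreadyFormatted).format(new Object[0]);
    }

    public static void main(String[] argv) {
        String template = "Request body for user {0}: {1}";
        String json = "{\"uid\": \"alice\"}"; // constructed argument containing braces

        // Without escaping: the second pass cannot parse {"uid": "alice"} as a FormatElement.
        String unescaped = firstPass(template, false, "alice", json);
        try {
            secondPass(unescaped);
            System.out.println("unexpected: second pass succeeded");
        } catch (IllegalArgumentException e) {
            System.out.println("second pass failed as described: " + e.getMessage());
        }

        // With escaping: the first pass emits '{"uid": "alice"}' in quotes, and the
        // second pass consumes the quotes and yields the original JSON verbatim.
        String escaped = firstPass(template, true, "alice", json);
        System.out.println("after first pass:  " + escaped);
        System.out.println("after second pass: " + secondPass(escaped));
    }
}
```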
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Tue, 7 Mar 2017 11:16:37 +1000
Subject: [Pki-devel] [PATCH] 0167..0175 external authentication support
Message-ID: <20170307011637.GP6697@dhcp-40-8.bne.redhat.com>

Hi team,

Please review the attached patches, which add support for external authentication (e.g. GSS-API/SPNEGO). These patches depend on some other outstanding patches: 0157, 0158, 0165, 0166.

You can review the whole branch (including those commits just mentioned) on GitHub: https://github.com/dogtagpki/pki/compare/master...frasertweedale:feature/1359-gssapi

Thanks!
Fraser

-------------- next part --------------
From 13620e08e639e40bfd5eac986f6a692dd6e88ffc Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Tue, 29 Nov 2016 17:58:50 +1000 Subject: [PATCH 167/175] Add groups and request attributes to external principals Add the ExternalAuthenticationValve valve, which, if an externally authenticated principal is available, reads the REMOTE_USER_GROUP information from the Coyote request and adds the groups ("roles" in Tomcat terminology) to the principal. It also saves a complete copy of the request attribute map in the principal. The new class ExternalPrincipal is used to achieve this. Part of: https://pagure.io/dogtagpki/issue/1359 --- base/ca/tomcat8/conf/Catalina/localhost/ca.xml | 2 + base/server/tomcat/src/CMakeLists.txt | 8 +++ .../cms/tomcat/ExternalAuthenticationValve.java | 80 ++++++++++++++++++++++ .../com/netscape/cms/tomcat/ExternalPrincipal.java | 43 ++++++++++++ 4 files changed, 133 insertions(+) create mode 100644 base/server/tomcat/src/com/netscape/cms/tomcat/ExternalAuthenticationValve.java create mode 100644 base/server/tomcat/src/com/netscape/cms/tomcat/ExternalPrincipal.java diff --git a/base/ca/tomcat8/conf/Catalina/localhost/ca.xml b/base/ca/tomcat8/conf/Catalina/localhost/ca.xml index 46f270817a58282b950b75a15bb3bd052f178f0c..0268bc17e055b98198a9a44275319e77217c87fd 100644 --- a/base/ca/tomcat8/conf/Catalina/localhost/ca.xml
+++ b/base/ca/tomcat8/conf/Catalina/localhost/ca.xml @@ -27,6 +27,8 @@ + + groups = new ArrayList<>(); + for (int i = 1; i <= numGroups; i++) { + String k = "REMOTE_USER_GROUP_" + i; + String s = (String) coyoteReq.getAttribute(k); + if (s != null && !s.isEmpty()) + groups.add(s); + else + System.out.println("ExternalAuthenticationValve: missing or empty attribute: " + k); + } + + // replace the principal + principal = new ExternalPrincipal( + principal.getName(), null, groups, coyoteReq.getAttributes()); + System.out.println("ExternalAuthenticationValve: setting new principal: " + principal); + req.setUserPrincipal(principal); + + // cache principal in session + Session session = req.getSessionInternal(); + session.setAuthType(req.getAuthType()); + session.setPrincipal(principal); + } + + getNext().invoke(req, resp); + } +} diff --git a/base/server/tomcat/src/com/netscape/cms/tomcat/ExternalPrincipal.java b/base/server/tomcat/src/com/netscape/cms/tomcat/ExternalPrincipal.java new file mode 100644 index 0000000000000000000000000000000000000000..a7bb0e110382d6b45e66d0c2748b4ac206ce99e2 --- /dev/null +++ b/base/server/tomcat/src/com/netscape/cms/tomcat/ExternalPrincipal.java 
@@ -0,0 +1,43 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2017 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- + +package com.netscape.cms.tomcat; + +import org.apache.catalina.realm.GenericPrincipal; + +import java.util.List; +import java.util.HashMap; + +/** + * Principal that carries additional request attributes. + */ +public class ExternalPrincipal extends GenericPrincipal { + + private HashMap attributes; + + public ExternalPrincipal(String name, String password, List roles, + HashMap attributes) { + super(name, password, roles); + this.attributes = attributes; + } + + public HashMap getAttributes() { + return attributes; + } + +} -- 2.9.3 -------------- next part -------------- From cb05006dd35618f7caa898b7368b6fd54efd96d9 Mon Sep 17 00:00:00 2001 
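Review bot: In ExternalAuthenticationValve.invoke(), the "missing or empty attribute" and "setting new principal" diagnostics go to System.out.println rather than the container's log, so they bypass log levels and land in whatever captures stdout; use the valve's logger. The same hunk turns every REMOTE_USER_GROUP_* attribute found on the Coyote request into a Tomcat role and caches the resulting principal in the session (req.getSessionInternal() will create one if none exists), so the class javadoc or commit message should state the trust assumption on which this rests: those attributes are only accepted from the front end that performed the authentication, and no other connector path can populate them.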
From: Fraser Tweedale Date: Tue, 29 Nov 2016 18:10:58 +1000 Subject: [PATCH 168/175] Add IAuthToken implementation for external principals Many parts of Dogtag expect an IAuthToken, which represents the authenticated user. The sole implementation, AuthToken, uses some concepts that do not carry across to externally authenticated principals, e.g. an external principal does not have an associated IAuthManager that was used to authenticate the principal. Therefore something different is needed. Implement ExternalAuthToken which wraps a GenericPrincipal and provides access to the data therein. Part of: https://pagure.io/dogtagpki/issue/1359 --- .../certsrv/authentication/ExternalAuthToken.java | 154 +++++++++++++++++++++ 1 file changed, 154 insertions(+) create mode 100644 base/common/src/com/netscape/certsrv/authentication/ExternalAuthToken.java diff --git a/base/common/src/com/netscape/certsrv/authentication/ExternalAuthToken.java b/base/common/src/com/netscape/certsrv/authentication/ExternalAuthToken.java new file mode 100644 index 0000000000000000000000000000000000000000..07c09d1404f57e526e742ae2b47e111c5516c475 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/authentication/ExternalAuthToken.java 
@@ -0,0 +1,154 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2015 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- + +package com.netscape.certsrv.authentication; + +import java.math.BigInteger; +import java.security.Principal; +import java.util.ArrayList; +import java.util.Collections; +import java.util.Date; +import java.util.Enumeration; + +import org.apache.catalina.realm.GenericPrincipal; + +import netscape.security.x509.CertificateExtensions; +import netscape.security.x509.X509CertImpl; + +import com.netscape.certsrv.usrgrp.Certificates; + + +/** + * Authentication token that wraps an externally authenticated + * principal to return. 
+ */ +public class ExternalAuthToken implements IAuthToken { + + protected GenericPrincipal principal; + + public ExternalAuthToken(GenericPrincipal principal) { + this.principal = principal; + } + + public Principal getPrincipal() { + return principal; + } + + public Enumeration getElements() { + ArrayList keys = new ArrayList<>(); + keys.add(GROUPS); + keys.add(TOKEN_AUTHMGR_INST_NAME); + keys.add(UID); + keys.add(USER_ID); + return Collections.enumeration(keys); + } + + public Object get(String k) { + return null; + } + + public boolean set(String k, String v) { + return false; + } + + public String getInString(String k) { + if (k == null) + return null; + if (k.equals(USER_ID) || k.equals(UID)) + return principal.getName(); + if (k.equals(TOKEN_AUTHMGR_INST_NAME)) + return "external"; + return null; + } + + public boolean set(String k, byte[] v) { + return false; + } + + public byte[] getInByteArray(String k) { + return null; + } + + public boolean set(String k, Integer v) { + return false; + } + + public Integer getInInteger(String k) { + return null; + } + + public boolean set(String k, BigInteger[] v) { + return false; + } + + public BigInteger[] getInBigIntegerArray(String k) { + return null; + } + + public boolean set(String k, Date v) { + return false; + } + + public Date getInDate(String k) { + return null; + } + + public boolean set(String k, String[] v) { + return false; + } + + public String[] getInStringArray(String k) { + if (k == null) + return null; + if (k.equals(GROUPS)) + return principal.getRoles(); + return null; + } + + public boolean set(String k, X509CertImpl v) { + return false; + } + + public X509CertImpl getInCert(String k) { + return null; + } + + public boolean set(String k, CertificateExtensions v) { + return false; + } + + public CertificateExtensions getInCertExts(String k) { + return null; + } + + public boolean set(String k, Certificates v) { + return false; + } + + public Certificates getInCertificates(String k) { + return null; 
+ } + + public boolean set(String k, byte[][] v) { + return false; + } + + public byte[][] getInByteArrayArray(String k) { + return null; + } +} -- 2.9.3 -------------- next part -------------- From 9c38f89b61cbac5293f6358b57b7e1cacd3ffc29 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Tue, 29 Nov 2016 18:24:53 +1000 Subject: [PATCH 169/175] Update AuthMethodInterceptor to handle external principals Update AuthMethodInterceptor to handle externally authenticated principals. For now, access is unconditionally granted. Part of: https://pagure.io/dogtagpki/issue/1359 --- .../server/rest/AuthMethodInterceptor.java | 27 +++++++++++++--------- 1 file changed, 16 insertions(+), 11 deletions(-) diff --git a/base/server/cms/src/org/dogtagpki/server/rest/AuthMethodInterceptor.java b/base/server/cms/src/org/dogtagpki/server/rest/AuthMethodInterceptor.java index ac0b2518cdc42528b7c0e94153f2b02777c26785..8571ad6b1fb241956f8d437e65ff3f1e7169b015 100644 --- a/base/server/cms/src/org/dogtagpki/server/rest/AuthMethodInterceptor.java +++ b/base/server/cms/src/org/dogtagpki/server/rest/AuthMethodInterceptor.java @@ -33,12 +33,14 @@ import javax.ws.rs.core.Context; import javax.ws.rs.core.SecurityContext; import javax.ws.rs.ext.Provider; +import org.apache.catalina.realm.GenericPrincipal; + import org.jboss.resteasy.core.ResourceMethodInvoker; import org.jboss.resteasy.spi.Failure; import com.netscape.certsrv.apps.CMS; import com.netscape.certsrv.authentication.AuthMethodMapping; -import com.netscape.certsrv.authentication.AuthToken; +import com.netscape.certsrv.authentication.ExternalAuthToken; import com.netscape.certsrv.authentication.IAuthToken; import com.netscape.certsrv.base.ForbiddenException; import com.netscape.cms.realm.PKIPrincipal; 
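Review bot: In ExternalAuthToken, get(String k) returns null unconditionally while getElements() advertises GROUPS, TOKEN_AUTHMGR_INST_NAME, UID and USER_ID as present, so any caller that enumerates the token and reads values through get() (the pattern the pre-patch AuthMethodInterceptor used with authToken.get(AuthToken.TOKEN_AUTHMGR_INST_NAME)) sees null for every advertised key; have get() delegate to getInString() for UID, USER_ID and TOKEN_AUTHMGR_INST_NAME and to getInStringArray() for GROUPS. Minor: the copyright block says 2015 for a file authored in November 2016.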
@@ -139,14 +141,11 @@ public class AuthMethodInterceptor implements ContainerRequestFilter { throw new ForbiddenException("Anonymous access not allowed."); } - // If unrecognized principal, reject request. - if (!(principal instanceof PKIPrincipal)) { - CMS.debug("AuthMethodInterceptor: unknown principal"); - throw new ForbiddenException("Unknown user principal"); - } - - PKIPrincipal pkiPrincipal = (PKIPrincipal) principal; - IAuthToken authToken = pkiPrincipal.getAuthToken(); + IAuthToken authToken = null; + if (principal instanceof PKIPrincipal) + authToken = ((PKIPrincipal) principal).getAuthToken(); + else if (principal instanceof GenericPrincipal) + authToken = new ExternalAuthToken((GenericPrincipal) principal); // If missing auth token, reject request. if (authToken == null) { @@ -154,7 +153,8 @@ public class AuthMethodInterceptor implements ContainerRequestFilter { throw new ForbiddenException("Missing authentication token."); } - String authManager = (String) authToken.get(AuthToken.TOKEN_AUTHMGR_INST_NAME); + String authManager = authToken.getInString(IAuthToken.TOKEN_AUTHMGR_INST_NAME); + CMS.debug("AuthMethodInterceptor: authentication manager: " + authManager); if (authManager == null) { @@ -162,7 +162,12 @@ public class AuthMethodInterceptor implements ContainerRequestFilter { throw new ForbiddenException("Missing authentication manager."); } - if (authMethods.isEmpty() || authMethods.contains(authManager) || authMethods.contains("*")) { + if ( + authMethods.isEmpty() + || authManager.equals("external") + || authMethods.contains(authManager) + || authMethods.contains("*") + ) { CMS.debug("AuthMethodInterceptor: access granted"); return; } -- 2.9.3 -------------- next part -------------- From 80a5ac922611dfe1a14306b8c1b89c7464c4eeeb Mon Sep 17 00:00:00 2001 
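Review bot: In the last hunk, `|| authManager.equals("external")` grants access regardless of the resource's AuthMethodMapping, so a REST method whose mapping restricts it to a particular authentication manager now also accepts any externally authenticated principal; the commit message acknowledges this ("For now, access is unconditionally granted"), but the code should carry a TODO pointing at the issue, or better, drop the special case and let "external" be listed in authMethods like any other manager so the restriction stays per resource.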
From: Fraser Tweedale Date: Tue, 29 Nov 2016 18:39:45 +1000 Subject: [PATCH 170/175] Update SessionContextInterceptor to handle external principals Part of: https://pagure.io/dogtagpki/issue/1359 --- .../server/rest/SessionContextInterceptor.java | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/base/server/cms/src/org/dogtagpki/server/rest/SessionContextInterceptor.java b/base/server/cms/src/org/dogtagpki/server/rest/SessionContextInterceptor.java index b6461abfdee36ea4eeba4d07da815482b02712ba..b3b3c3b8ff377ba602060d79c50bbc1d9081fd70 100644 --- a/base/server/cms/src/org/dogtagpki/server/rest/SessionContextInterceptor.java +++ b/base/server/cms/src/org/dogtagpki/server/rest/SessionContextInterceptor.java @@ -29,9 +29,11 @@ import javax.ws.rs.core.Context; import javax.ws.rs.core.SecurityContext; import javax.ws.rs.ext.Provider; +import org.apache.catalina.realm.GenericPrincipal; import org.jboss.resteasy.core.ResourceMethodInvoker; import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.authentication.ExternalAuthToken; import com.netscape.certsrv.authentication.IAuthToken; import com.netscape.certsrv.base.ForbiddenException; import com.netscape.certsrv.base.SessionContext; 
@@ -80,14 +82,12 @@ public class SessionContextInterceptor implements ContainerRequestFilter { CMS.debug("SessionContextInterceptor: principal: " + principal.getName()); - // If unrecognized principal, reject request. - if (!(principal instanceof PKIPrincipal)) { - CMS.debug("SessionContextInterceptor: Invalid user principal."); - throw new ForbiddenException("Invalid user principal."); - } + IAuthToken authToken = null; - PKIPrincipal pkiPrincipal = (PKIPrincipal) principal; - IAuthToken authToken = pkiPrincipal.getAuthToken(); + if (principal instanceof PKIPrincipal) + authToken = ((PKIPrincipal) principal).getAuthToken(); + else if (principal instanceof GenericPrincipal) + authToken = new ExternalAuthToken((GenericPrincipal) principal); // If missing auth token, reject request. if (authToken == null) { @@ -104,7 +104,8 @@ public class SessionContextInterceptor implements ContainerRequestFilter { context.put(SessionContext.LOCALE, locale); context.put(SessionContext.AUTH_TOKEN, authToken); - context.put(SessionContext.USER_ID, pkiPrincipal.getName()); - context.put(SessionContext.USER, pkiPrincipal.getUser()); + context.put(SessionContext.USER_ID, principal.getName()); + if (principal instanceof PKIPrincipal) + context.put(SessionContext.USER, ((PKIPrincipal) principal).getUser()); } } -- 2.9.3 -------------- next part -------------- From 5421a7b9fd925018c037a254b7287756ee2f301c Mon Sep 17 00:00:00 2001 
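Review bot: In the second hunk, SessionContext.USER is now set only when the principal is a PKIPrincipal, so for an external principal the context carries USER_ID but no USER; any code that reads SessionContext.USER and dereferences it will hit a null on these requests. Either document in SessionContext that USER may be absent for externally authenticated requests, or check the consumers before this lands.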
From: Fraser Tweedale Date: Tue, 29 Nov 2016 18:43:48 +1000 Subject: [PATCH 171/175] Update ACLInterceptor to support external principals For external principal support, ACLInterceptor must handle GenericPrincipal instances in addition to PKIPrincipal. Specifically, if the principal is a GenericPrincipal, the auth token is set to an ExternalAuthToken, and the authz manager is looked up by the realm of the principal (it is assumed that the principal name has the form "id at realm"). Part of: https://pagure.io/dogtagpki/issue/1359 --- .../org/dogtagpki/server/rest/ACLInterceptor.java | 41 +++++++++++++++------- 1 file changed, 29 insertions(+), 12 deletions(-) diff --git a/base/server/cms/src/org/dogtagpki/server/rest/ACLInterceptor.java b/base/server/cms/src/org/dogtagpki/server/rest/ACLInterceptor.java index 49001168130831bbb002711120891195b5d54ba5..8e02ec21c438426fe7f0b3e5d571084b7f784a70 100644 --- a/base/server/cms/src/org/dogtagpki/server/rest/ACLInterceptor.java +++ b/base/server/cms/src/org/dogtagpki/server/rest/ACLInterceptor.java @@ -31,14 +31,17 @@ import javax.ws.rs.core.Context; import javax.ws.rs.core.SecurityContext; import javax.ws.rs.ext.Provider; +import org.apache.catalina.realm.GenericPrincipal; import org.jboss.resteasy.core.ResourceMethodInvoker; import org.jboss.resteasy.spi.Failure; import com.netscape.certsrv.acls.ACLMapping; import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.authentication.ExternalAuthToken; import com.netscape.certsrv.authentication.IAuthToken; import com.netscape.certsrv.authorization.AuthzToken; import com.netscape.certsrv.authorization.EAuthzAccessDenied; +import com.netscape.certsrv.authorization.EAuthzUnknownRealm; import com.netscape.certsrv.authorization.IAuthzSubsystem; import com.netscape.certsrv.base.EBaseException; import com.netscape.certsrv.base.ForbiddenException; 
@@ -140,18 +143,33 @@ public class ACLInterceptor implements ContainerRequestFilter { if (principal != null) CMS.debug("ACLInterceptor: principal: " + principal.getName()); - // If unrecognized principal, reject request. - if (principal != null && !(principal instanceof PKIPrincipal)) { - CMS.debug("ACLInterceptor: Invalid user principal."); - // audit comment: no Principal, no one to blame here - throw new ForbiddenException("Invalid user principal."); - } + IAuthzSubsystem authzSubsystem = + (IAuthzSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_AUTHZ); - PKIPrincipal pkiPrincipal = null; IAuthToken authToken = null; + String authzMgrName = null; if (principal != null) { - pkiPrincipal = (PKIPrincipal) principal; - authToken = pkiPrincipal.getAuthToken(); + if (principal instanceof PKIPrincipal) { + authzMgrName = "DirAclAuthz"; + authToken = ((PKIPrincipal) principal).getAuthToken(); + } + else if (principal instanceof GenericPrincipal) { + String realm = null; + String[] parts = principal.getName().split("@", 2); + if (parts.length == 2) { + realm = parts[1]; + } + try { + authzMgrName = authzSubsystem.getAuthzManagerNameByRealm(realm); + } catch (EAuthzUnknownRealm e) { + throw new ForbiddenException( + "Cannot find AuthzManager for external principal " + principal.getName(), + e + ); + } + authToken = new ExternalAuthToken((GenericPrincipal) principal); + } + CMS.debug("ACLInterceptor: will use authz manager " + authzMgrName); } // If missing auth token, reject request. @@ -249,9 +267,8 @@ public class ACLInterceptor implements ContainerRequestFilter { try { // Check authorization. - IAuthzSubsystem mAuthz = (IAuthzSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_AUTHZ); - AuthzToken authzToken = mAuthz.authorize( - "DirAclAuthz", + AuthzToken authzToken = authzSubsystem.authorize( + authzMgrName, authToken, values[0], // resource values[1]); // operation -- 2.9.3 -------------- next part -------------- 
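Review bot: In the first ACLInterceptor hunk, when principal.getName() contains no "@", realm stays null and authzSubsystem.getAuthzManagerNameByRealm(null) is called; unless that method is specified to map null to a default realm and to throw EAuthzUnknownRealm otherwise, reject the request explicitly when parts.length != 2 instead of passing null through. The commit message should also spell out the "id@realm" naming assumption this lookup depends on, since a principal name from a different external authenticator may not follow it.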
From 747bf98090677e2bc3bcfa3bb70ca15c0a04e80e Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Tue, 7 Feb 2017 10:36:20 +1000 Subject: [PATCH 172/175] Allow arbitrary user data in cert request If a certificate request comes with additional data in the 'cert-request' query param, add that to the request. Profile components can then use this data. This is needed to convey the subject principal name to the ExternalProcessConstraint, when validating FreeIPA certificate requests after we switch to GSS-API authentication. Part of: https://pagure.io/dogtagpki/issue/1359 --- base/common/src/com/netscape/certsrv/profile/IEnrollProfile.java | 5 +++++ base/common/src/com/netscape/certsrv/request/IRequest.java | 5 +++++ .../cms/src/com/netscape/cms/profile/common/EnrollProfile.java | 3 +++ .../cms/src/com/netscape/cms/servlet/cert/EnrollmentProcessor.java | 5 +++++ 4 files changed, 18 insertions(+) diff --git a/base/common/src/com/netscape/certsrv/profile/IEnrollProfile.java b/base/common/src/com/netscape/certsrv/profile/IEnrollProfile.java index 12667120e3d87deecb786965b4abcef492ac556d..34543cb72aba426402bdf6dafe4e7b59f8a4b30e 100644 --- a/base/common/src/com/netscape/certsrv/profile/IEnrollProfile.java +++ b/base/common/src/com/netscape/certsrv/profile/IEnrollProfile.java @@ -180,6 +180,11 @@ public interface IEnrollProfile extends IProfile { public static final String REQUEST_AUTHORITY_ID = "req_authority_id"; /** + * Arbitrary user-supplied data. + */ + public static final String REQUEST_USER_DATA = "req_user_data"; + + /** * Set Default X509CertInfo in the request. * * @param request profile-based certificate request. diff --git a/base/common/src/com/netscape/certsrv/request/IRequest.java b/base/common/src/com/netscape/certsrv/request/IRequest.java index 29b1bbb879220a485388cb38af8a8c5508578752..d929ce24b03b9d712d1c9e3a200f3a57e840b440 100644 --- a/base/common/src/com/netscape/certsrv/request/IRequest.java 
+++ b/base/common/src/com/netscape/certsrv/request/IRequest.java @@ -96,6 +96,11 @@ public interface IRequest extends Serializable { */ public static final String AUTHORITY_ID = "req_authority_id"; + /** + * Arbitrary user-supplied data that will be saved in request. + */ + public static final String USER_DATA = "user_data"; + public static final String RESULT = "Result"; // service result. public static final Integer RES_SUCCESS = Integer.valueOf(1); // result value public static final Integer RES_ERROR = Integer.valueOf(2); // result value diff --git a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java index 8d10ec26b3db12f68eb9033473b93615d5a6d824..f03e05d72037c2c997acf6ba08f895d3ece64ddb 100644 --- a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java +++ b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java @@ -194,6 +194,9 @@ public abstract class EnrollProfile extends BasicProfile // set requested CA result[i].setExtData(IRequest.AUTHORITY_ID, ctx.get(REQUEST_AUTHORITY_ID)); + + // set user data + result[i].setExtData(IRequest.USER_DATA, ctx.get(REQUEST_USER_DATA)); } return result; } diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollmentProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollmentProcessor.java index d394fd30c84a0fb7a0f19b31ba4b6973902ea931..908cbe4aecf96c24e2d356394c7ba1ead2cd3a56 100644 --- a/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollmentProcessor.java +++ b/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollmentProcessor.java 
@@ -147,6 +147,11 @@ public class EnrollmentProcessor extends CertProcessor { IProfileContext ctx = profile.createContext(); + // set arbitrary user data into request, if any + String userData = request.getParameter("user-data"); + if (userData != null) + ctx.set(IEnrollProfile.REQUEST_USER_DATA, userData); + if (aid != null) ctx.set(IEnrollProfile.REQUEST_AUTHORITY_ID, aid.toString()); -- 2.9.3 -------------- next part -------------- From 24a48dbf79c327d57371b91ae6cc4b1997e1fb00 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Wed, 8 Feb 2017 11:55:13 +1000 Subject: [PATCH 173/175] CertProcessor: set external principal attributes into request When processing a certificate request, if the authenticated principal is an ExternalPrincipal, add its whole attribute map to the IRequest. This provides a way for AJP request attributes to be propagated through the profile system to profile components like ExternalProcessConstraint. One such attribute that is needed for GSS-API support is "KRB5CCNAME". Part of: https://pagure.io/dogtagpki/issue/1359 --- .../netscape/cms/servlet/cert/CertProcessor.java | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java index 47b522208af05486a22abdd6196d8385dd615857..be59e4c0a94b603a6f077352ab7b3117cd266b32 100644 --- a/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java +++ b/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java @@ -18,6 +18,7 @@ package com.netscape.cms.servlet.cert; import java.math.BigInteger; +import java.security.Principal; import java.util.Date; import java.util.Enumeration; import java.util.HashMap; 
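Review bot: The commit message says the extra data arrives in the 'cert-request' query param, but the EnrollmentProcessor hunk reads request.getParameter("user-data"); align the message with the code. IRequest.USER_DATA is "user_data" whereas the neighbouring request keys use the req_ prefix (REQUEST_USER_DATA is "req_user_data", AUTHORITY_ID is "req_authority_id"), so consider "req_user_data" for consistency. Because the value is arbitrary client input that is stored on the request and later reaches profile components such as ExternalProcessConstraint, the IRequest javadoc should say that consumers must treat it as untrusted.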
@@ -26,6 +27,7 @@ import java.util.Locale; import javax.servlet.http.HttpServletRequest; import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.authentication.ExternalAuthToken; import com.netscape.certsrv.authentication.IAuthToken; import com.netscape.certsrv.base.EBaseException; import com.netscape.certsrv.base.EPropertyNotFound; @@ -45,6 +47,7 @@ import com.netscape.certsrv.request.RequestId; import com.netscape.certsrv.request.RequestStatus; import com.netscape.cms.servlet.common.AuthCredentials; import com.netscape.cms.servlet.processors.CAProcessor; +import com.netscape.cms.tomcat.ExternalPrincipal; import com.netscape.cmsutil.ldap.LDAPUtil; public class CertProcessor extends CAProcessor { @@ -138,6 +141,24 @@ public class CertProcessor extends CAProcessor { } } } + + // special processing of ExternalAuthToken / ExternalPrincipal + if (authToken instanceof ExternalAuthToken) { + Principal principal = + ((ExternalAuthToken) authToken).getPrincipal(); + if (principal instanceof ExternalPrincipal) { + HashMap m = + ((ExternalPrincipal) principal).getAttributes(); + for (String k : m.keySet()) { + req.setExtData( + IRequest.AUTH_TOKEN_PREFIX + + "." + "PRINCIPAL" + + "." + k + , m.get(k).toString() + ); + } + } + } } /* -- 2.9.3 -------------- next part -------------- From 7077e6ada1a88373d4c607b925bdaf3d45741bb3 Mon Sep 17 00:00:00 2001 
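Review bot: In the CertProcessor hunk, m.get(k).toString() throws NullPointerException if any attribute value is null, which aborts the whole certificate request; read the value once and skip null entries. The loop also copies every entry of the principal's attribute map into the request's ext data under AUTH_TOKEN_PREFIX.PRINCIPAL.*, so the stored request grows with whatever the front end attaches; since the commit message names only KRB5CCNAME as needed, propagating a configured list of attributes would be safer than the whole map.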
From: Fraser Tweedale Date: Wed, 7 Dec 2016 15:24:07 +1000 Subject: [PATCH 174/175] Add ExternalProcessConstraint for request validation Add the ExternalProcessConstraint profile policy constraint class. It can be configured to execute an arbitrary program that performs additional request validation, rejecting the request if it terminates with a nonzero exit status. Information about the request is conveyed in the subprocess' environment. Part of: https://pagure.io/dogtagpki/issue/1359 --- base/ca/shared/conf/registry.cfg | 5 +- .../constraint/ExternalProcessConstraint.java | 158 +++++++++++++++++++++ .../04-AddExternalProcessConstraintToRegistry | 67 +++++++++ 3 files changed, 229 insertions(+), 1 deletion(-) create mode 100644 base/server/cms/src/com/netscape/cms/profile/constraint/ExternalProcessConstraint.java create mode 100755 base/server/upgrade/10.4.0/04-AddExternalProcessConstraintToRegistry diff --git a/base/ca/shared/conf/registry.cfg b/base/ca/shared/conf/registry.cfg index 280c71388e8f1575a8785c2009b3c728b2824876..2855b7ad7d5ae158838dec0e610a2d061702cb94 100644 --- a/base/ca/shared/conf/registry.cfg +++ b/base/ca/shared/conf/registry.cfg 
@@ -1,5 +1,5 @@ types=profile,defaultPolicy,constraintPolicy,profileInput,profileOutput,profileUpdater -constraintPolicy.ids=noConstraintImpl,subjectNameConstraintImpl,uniqueSubjectNameConstraintImpl,userSubjectNameConstraintImpl,validityConstraintImpl,keyUsageExtConstraintImpl,nsCertTypeExtConstraintImpl,extendedKeyUsageExtConstraintImpl,keyConstraintImpl,basicConstraintsExtConstraintImpl,extensionConstraintImpl,signingAlgConstraintImpl,uniqueKeyConstraintImpl,renewGracePeriodConstraintImpl,authzRealmConstraintImpl +constraintPolicy.ids=noConstraintImpl,subjectNameConstraintImpl,uniqueSubjectNameConstraintImpl,userSubjectNameConstraintImpl,validityConstraintImpl,keyUsageExtConstraintImpl,nsCertTypeExtConstraintImpl,extendedKeyUsageExtConstraintImpl,keyConstraintImpl,basicConstraintsExtConstraintImpl,extensionConstraintImpl,signingAlgConstraintImpl,uniqueKeyConstraintImpl,renewGracePeriodConstraintImpl,authzRealmConstraintImpl,externalProcessConstraintImpl constraintPolicy.signingAlgConstraintImpl.class=com.netscape.cms.profile.constraint.SigningAlgConstraint constraintPolicy.signingAlgConstraintImpl.desc=Signing Algorithm Constraint constraintPolicy.signingAlgConstraintImpl.name=Signing Algorithm Constraint 
@@ -45,6 +45,9 @@ constraintPolicy.renewGracePeriodConstraintImpl.name=Renewal Grace Period Constr constraintPolicy.uniqueKeyConstraintImpl.class=com.netscape.cms.profile.constraint.UniqueKeyConstraint constraintPolicy.uniqueKeyConstraintImpl.desc=Unique Public Key Constraint constraintPolicy.uniqueKeyConstraintImpl.name=Unique Public Key Constraint +constraintPolicy.externalProcessConstraintImpl.class=com.netscape.cms.profile.constraint.ExternalProcessConstraint +constraintPolicy.externalProcessConstraintImpl.desc=External Process Constraint +constraintPolicy.externalProcessConstraintImpl.name=External Process Constraint defaultPolicy.ids=noDefaultImpl,genericExtDefaultImpl,autoAssignDefaultImpl,subjectNameDefaultImpl,validityDefaultImpl,randomizedValidityDefaultImpl,caValidityDefaultImpl,subjectKeyIdentifierExtDefaultImpl,authorityKeyIdentifierExtDefaultImpl,basicConstraintsExtDefaultImpl,keyUsageExtDefaultImpl,nsCertTypeExtDefaultImpl,extendedKeyUsageExtDefaultImpl,ocspNoCheckExtDefaultImpl,issuerAltNameExtDefaultImpl,subjectAltNameExtDefaultImpl,userSubjectNameDefaultImpl,signingAlgDefaultImpl,userKeyDefaultImpl,userValidityDefaultImpl,userExtensionDefaultImpl,userSigningAlgDefaultImpl,authTokenSubjectNameDefaultImpl,subjectInfoAccessExtDefaultImpl,authInfoAccessExtDefaultImpl,nscCommentExtDefaultImpl,freshestCRLExtDefaultImpl,crlDistributionPointsExtDefaultImpl,policyConstraintsExtDefaultImpl,policyMappingsExtDefaultImpl,nameConstraintsExtDefaultImpl,certificateVersionDefaultImpl,certificatePoliciesExtDefaultImpl,subjectDirAttributesExtDefaultImpl,privateKeyPeriodExtDefaultImpl,inhibitAnyPolicyExtDefaultImpl,imageDefaultImpl,nsTokenDeviceKeySubjectNameDefaultImpl,nsTokenUserKeySubjectNameDefaultImpl,authzRealmDefaultImpl,commonNameToSANDefaultImpl defaultPolicy.autoAssignDefaultImpl.class=com.netscape.cms.profile.def.AutoAssignDefault defaultPolicy.autoAssignDefaultImpl.desc=Auto Request Assignment Default 
diff --git a/base/server/cms/src/com/netscape/cms/profile/constraint/ExternalProcessConstraint.java b/base/server/cms/src/com/netscape/cms/profile/constraint/ExternalProcessConstraint.java new file mode 100644 index 0000000000000000000000000000000000000000..3ee0d46feea7a56f917621d1ce1fd85bc6b36b7c --- /dev/null +++ b/base/server/cms/src/com/netscape/cms/profile/constraint/ExternalProcessConstraint.java 
@@ -0,0 +1,158 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2016, 2017 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- + +package com.netscape.cms.profile.constraint; + +import java.io.IOException; +import java.io.InputStream; +import java.util.Enumeration; +import java.util.Locale; +import java.util.Map; +import java.util.TreeMap; +import java.util.concurrent.TimeUnit; + +import org.apache.commons.io.IOUtils; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.authentication.IAuthToken; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.ERejectException; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; +import com.netscape.cms.profile.input.CertReqInput; + +import netscape.security.x509.X509CertInfo; + + +public class ExternalProcessConstraint extends EnrollConstraint { + + public static final String CONFIG_EXECUTABLE = "executable"; + + public static final long DEFAULT_TIMEOUT = 10; + + /* Map of envvars to include, and the corresponding IRequest keys + * + * All keys will 
be prefixed with "DOGTAG_" when added to environment. + */ + protected static final Map envVars = new TreeMap<>(); + + protected Map extraEnvVars = new TreeMap<>(); + + static { + envVars.put("DOGTAG_CERT_REQUEST", CertReqInput.VAL_CERT_REQUEST); + envVars.put("DOGTAG_USER", + IRequest.AUTH_TOKEN_PREFIX + "." + IAuthToken.USER_ID); + envVars.put("DOGTAG_PROFILE_ID", IRequest.PROFILE_ID); + envVars.put("DOGTAG_AUTHORITY_ID", IRequest.AUTHORITY_ID); + envVars.put("DOGTAG_USER_DATA", IRequest.USER_DATA); + } + + protected String executable; + + public ExternalProcessConstraint() { + addConfigName(CONFIG_EXECUTABLE); + } + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + + this.executable = getConfig(CONFIG_EXECUTABLE); + if (this.executable == null || this.executable.isEmpty()) { + throw new EProfileException( + "Missing required config param 'executable'"); + } + + IConfigStore envConfig = config.getSubStore("params.env"); + Enumeration names = envConfig.getPropertyNames(); + while (names.hasMoreElements()) { + String name = names.nextElement(); + try { + extraEnvVars.put(name, envConfig.getString(name)); + } catch (EBaseException e) { + // shouldn't happen; log and move on + CMS.debug( + "ExternalProcessConstraint: caught exception processing " + + "'params.env' config: " + e + ); + + } + } + } + + public IDescriptor getConfigDescriptor(Locale locale, String name) { + if (name.equals(CONFIG_EXECUTABLE)) { + return new Descriptor( + IDescriptor.STRING, null, null, "Executable path"); + } else { + return null; + } + } + + public void validate(IRequest request, X509CertInfo info) + throws ERejectException { + CMS.debug("About to execute command: " + this.executable); + ProcessBuilder pb = new ProcessBuilder(this.executable); + + // set up process environment + Map env = pb.environment(); + for (String k : envVars.keySet()) { + String v = request.getExtDataInString(envVars.get(k)); + if (v != null) + 
env.put(k, v); + } + for (String k : extraEnvVars.keySet()) { + String v = request.getExtDataInString(extraEnvVars.get(k)); + if (v != null) + env.put(k, v); + } + + Process p; + String stdout = ""; + String stderr = ""; + boolean timedOut; + try { + p = pb.start(); + timedOut = !p.waitFor(DEFAULT_TIMEOUT, TimeUnit.SECONDS); + if (timedOut) + p.destroyForcibly(); + else + stdout = IOUtils.toString(p.getInputStream()); + stderr = IOUtils.toString(p.getErrorStream()); + } catch (Throwable e) { + String msg = + "Caught exception while executing command: " + this.executable; + CMS.debug(msg); + CMS.debug(e); + throw new ERejectException(msg, e); + } + if (timedOut) + throw new ERejectException("Request validation timed out"); + int exitValue = p.exitValue(); + CMS.debug("ExternalProcessConstraint: exit value: " + exitValue); + CMS.debug("ExternalProcessConstraint: stdout: " + stdout); + CMS.debug("ExternalProcessConstraint: stderr: " + stderr); + if (exitValue != 0) + throw new ERejectException(stdout); + } + +} diff --git a/base/server/upgrade/10.4.0/04-AddExternalProcessConstraintToRegistry b/base/server/upgrade/10.4.0/04-AddExternalProcessConstraintToRegistry new file mode 100755 index 0000000000000000000000000000000000000000..a9ee00aece2cd73b135fcd30402d81140bbc086e --- /dev/null +++ b/base/server/upgrade/10.4.0/04-AddExternalProcessConstraintToRegistry 
@@ -0,0 +1,67 @@ +#!/usr/bin/python +# Authors: +# Fraser Tweedale +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2017 Red Hat, Inc. +# All rights reserved. + +from __future__ import absolute_import +import os.path + +import pki +from pki.server.upgrade import PKIServerUpgradeScriptlet + + +class AddExternalProcessConstraintToRegistry(PKIServerUpgradeScriptlet): + + new_config = { + 'constraintPolicy.externalProcessConstraintImpl.class': + 'com.netscape.cms.profile.constraint.ExternalProcessConstraint', + 'constraintPolicy.externalProcessConstraintImpl.desc': + 'External Process Constraint', + 'constraintPolicy.externalProcessConstraintImpl.name': + 'External Process Constraint', + } + + constraint_name = 'externalProcessConstraintImpl' + + def __init__(self): + super(AddExternalProcessConstraintToRegistry, self).__init__() + self.message = 'Add ExternalProcessConstraint to registry' + + def upgrade_subsystem(self, instance, subsystem): + if subsystem.name == 'ca': + self.add_new_entries(instance, subsystem) + + def add_new_entries(self, instance, subsystem): # pylint: disable=W0613 + filename = os.path.join(subsystem.conf_dir, 'registry.cfg') + self.backup(filename) + + properties = pki.PropertyFile(filename) + properties.read() + + # add constraint to constraint list + constraints = properties.get('constraintPolicy.ids').split(',') 
+ if self.constraint_name in constraints: + return # update not required + + constraints.append(self.constraint_name) + properties.set('constraintPolicy.ids', ','.join(constraints)) + + for k, v in self.new_config.items(): + properties.set(k, v) + + properties.write() -- 2.9.3 -------------- next part -------------- From 0a5f725bd3a44b202ab12010381b5469c3118d13 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Wed, 8 Feb 2017 12:18:03 +1000 Subject: [PATCH 175/175] Add authn manager that reuses auth token from session To process a cert request immediately (rather than having it queued as pending), the user must be authenticated *by the profile*; auth tokens from the main authentication system are not used. For external authentication support it is possible that the external authentication is sufficient to authenticate use of a profile; especially when the profile uses components like ExternalProcessConstraint to perform validation of the cert request against external sources of information. To support this use case, add the SessionAuthentication profile authenticator, which merely reuses the IAuthToken from the session context, if present. Part of: https://pagure.io/dogtagpki/issue/1359 --- base/ca/shared/conf/CS.cfg | 2 + .../cms/authentication/SessionAuthentication.java | 167 +++++++++++++++++++++ .../10.4.0/05-AddSessionAuthenticationPlugin | 51 +++++++ 3 files changed, 220 insertions(+) create mode 100644 base/server/cms/src/com/netscape/cms/authentication/SessionAuthentication.java create mode 100755 base/server/upgrade/10.4.0/05-AddSessionAuthenticationPlugin diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg index 3beb45c5392427dec411fda0bb12769b9d279f43..e4bbe5f35cf18a4f725713a5a75df591c11bd44f 100644 --- a/base/ca/shared/conf/CS.cfg +++ b/base/ca/shared/conf/CS.cfg
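Review bot: In the ExternalProcessConstraint.java hunk, validate() calls p.waitFor(DEFAULT_TIMEOUT, TimeUnit.SECONDS) before it touches p.getInputStream() or p.getErrorStream(), so a validator that writes more than a pipe buffer to stdout or stderr blocks on write, never exits, and is reported as "Request validation timed out" instead of for its real reason; drain both streams while the child runs (a reader thread per stream, or pb.redirectErrorStream(true) and read stdout before waitFor). Two smaller points in the same hunk: IOUtils.toString(InputStream) with no Charset uses the platform default, so pass StandardCharsets.UTF_8; and the comment "All keys will be prefixed with "DOGTAG_" when added to environment" does not match the code, which puts the map keys (already carrying the prefix) and the unprefixed params.env.* names into the environment as they are. Because `executable` comes straight from profile configuration (this.executable = getConfig(CONFIG_EXECUTABLE)) and is handed to ProcessBuilder with no path restriction, the class Javadoc should state that anyone who can edit profile configuration can run any program as the CA process user, and rejecting a non-absolute path in init() is cheap; the contract that stdout becomes the rejection message returned to the requester (throw new ERejectException(stdout)) while stderr only reaches the debug log deserves a sentence there too.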
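Review bot: In the 04-AddExternalProcessConstraintToRegistry hunk, add_new_entries() returns as soon as externalProcessConstraintImpl is already present in constraintPolicy.ids, before the three constraintPolicy.externalProcessConstraintImpl.* entries from new_config are written, so a registry.cfg whose ids list already names the constraint but lacks the class/desc/name entries is left broken (and the backup is taken for nothing); guard only the list append and call properties.set(k, v) for new_config unconditionally, which is idempotent.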
@@ -175,6 +175,7 @@ auths.impl.UidPwdGroupDirAuth.class=com.netscape.cms.authentication.UidPwdGroupD auths.impl.UserPwdDirAuth.class=com.netscape.cms.authentication.UserPwdDirAuthentication auths.impl.TokenAuth.class=com.netscape.cms.authentication.TokenAuthentication auths.impl.FlatFileAuth.class=com.netscape.cms.authentication.FlatFileAuth +auths.impl.SessionAuthentication.class=com.netscape.cms.authentication.SessionAuthentication auths.instance.TokenAuth.pluginName=TokenAuth auths.instance.AgentCertAuth.agentGroup=Certificate Manager Agents auths.instance.AgentCertAuth.pluginName=AgentCertAuth @@ -183,6 +184,7 @@ auths.instance.raCertAuth.pluginName=AgentCertAuth auths.instance.flatFileAuth.pluginName=FlatFileAuth auths.instance.flatFileAuth.fileName=[PKI_INSTANCE_PATH]/conf/[PKI_SUBSYSTEM_TYPE]/flatfile.txt auths.instance.SSLclientCertAuth.pluginName=SSLclientCertAuth +auths.instance.SessionAuthentication.pluginName=SessionAuthentication auths.revocationChecking.bufferSize=50 auths.revocationChecking.ca=ca auths.revocationChecking.enabled=true diff --git a/base/server/cms/src/com/netscape/cms/authentication/SessionAuthentication.java b/base/server/cms/src/com/netscape/cms/authentication/SessionAuthentication.java new file mode 100644 index 0000000000000000000000000000000000000000..27f08cd9989361709825ec3a632c123a3f7fc0ad --- /dev/null +++ b/base/server/cms/src/com/netscape/cms/authentication/SessionAuthentication.java 
@@ -0,0 +1,167 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2017 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- + +package com.netscape.cms.authentication; + +import java.util.Collections; +import java.util.Enumeration; +import java.util.Locale; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.authentication.AuthToken; +import com.netscape.certsrv.authentication.EMissingCredential; +import com.netscape.certsrv.authentication.IAuthCredentials; +import com.netscape.certsrv.authentication.IAuthToken; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.base.SessionContext; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.profile.IProfileAuthenticator; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; + +/** + * Pull any existing auth token from the session context. + * + * Use with caution as a profile authenticator; if there is a + * session it will unconditionally approve the request + * (subject to constraints, etc). 
+ */ +public class SessionAuthentication + implements IProfileAuthenticator { + + private String instName = null; + private String implName = null; + private IConfigStore config = null; + + public SessionAuthentication() { + } + + public void init(String instName, String implName, IConfigStore config) + throws EBaseException { + this.instName = instName; + this.implName = implName; + this.config = config; + } + + /** + * Gets the name of this authentication manager. + */ + public String getName() { + return instName; + } + + /** + * Gets the plugin name of authentication manager. + */ + public String getImplName() { + return implName; + } + + public boolean isSSLClientRequired() { + return false; + } + + /** + * Authenticate user. + * + * @return the auth token from existing session context, if any. + * @throws EMissingCredential if no auth token or no session + */ + public IAuthToken authenticate(IAuthCredentials authCred) + throws EMissingCredential { + SessionContext context = SessionContext.getExistingContext(); + + if (context == null) + throw new EMissingCredential("SessionAuthentication: no session"); + + IAuthToken authToken = (IAuthToken) + context.get(SessionContext.AUTH_TOKEN); + + if (authToken == null) + throw new EMissingCredential("SessionAuthentication: no auth token"); + + return authToken; + } + + public String[] getRequiredCreds() { + String[] requiredCreds = { }; + return requiredCreds; + } + + public String[] getConfigParams() { + return null; + } + + /** + * prepare this authentication manager for shutdown. + */ + public void shutdown() { + } + + /** + * gets the configuretion substore used by this authentication + * manager + * + * @return configuration store + */ + public IConfigStore getConfigStore() { + return config; + } + + // Profile-related methods + + public void init(IProfile profile, IConfigStore config) { + } + + /** + * Retrieves the localizable name of this policy. 
+ */ + public String getName(Locale locale) { + return CMS.getUserMessage(locale, "CMS_AUTHENTICATION_AGENT_NAME"); + } + + /** + * Retrieves the localizable description of this policy. + */ + public String getText(Locale locale) { + return CMS.getUserMessage(locale, "CMS_AUTHENTICATION_AGENT_TEXT"); + } + + /** + * Retrieves a list of names of the value parameter. + */ + public Enumeration getValueNames() { + return Collections.emptyEnumeration(); + } + + public boolean isValueWriteable(String name) { + return false; + } + + /** + * Retrieves the descriptor of the given value + * parameter by name. + */ + public IDescriptor getValueDescriptor(Locale locale, String name) { + return null; + } + + public void populate(IAuthToken token, IRequest request) { + } +} diff --git a/base/server/upgrade/10.4.0/05-AddSessionAuthenticationPlugin b/base/server/upgrade/10.4.0/05-AddSessionAuthenticationPlugin new file mode 100755 index 0000000000000000000000000000000000000000..62d508ed199f2643bc05bea78c7a80b22188ec4a --- /dev/null +++ b/base/server/upgrade/10.4.0/05-AddSessionAuthenticationPlugin 
@@ -0,0 +1,51 @@ +#!/usr/bin/python +# Authors: +# Fraser Tweedale +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2017 Red Hat, Inc. +# All rights reserved. + +from __future__ import absolute_import +import os.path + +import pki +from pki.server.upgrade import PKIServerUpgradeScriptlet + + +class AddSessionAuthenticationPlugin(PKIServerUpgradeScriptlet): + def __init__(self): + super(AddSessionAuthenticationPlugin, self).__init__() + self.message = 'Add SessionAuthentication to CS.cfg' + + def upgrade_subsystem(self, instance, subsystem): + if subsystem.name == 'ca': + self.add_plugin(instance, subsystem) + + def add_plugin(self, instance, subsystem): # pylint: disable=W0613 + filename = os.path.join(subsystem.conf_dir, 'CS.cfg') + self.backup(filename) + + properties = pki.PropertyFile(filename) + properties.read() + + properties.set( + 'auths.impl.SessionAuthentication.class', + 'com.netscape.cms.authentication.SessionAuthentication') + properties.set( + 'auths.instance.SessionAuthentication.pluginName', + 'SessionAuthentication') + + properties.write() -- 2.9.3 From mharmsen at redhat.com Tue Mar 7 04:06:04 2017 
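Review bot: In the SessionAuthentication.java hunk, getName(Locale) and getText(Locale) return CMS_AUTHENTICATION_AGENT_NAME and CMS_AUTHENTICATION_AGENT_TEXT, so wherever the profile framework displays the authenticator this one is labelled as the agent authenticator; give it its own message keys. The class Javadoc's warning ("if there is a session it will unconditionally approve the request") should also reach administrators: authenticate() returns whatever IAuthToken the session context already holds without regard to which auth manager produced it, so a profile that selects this authenticator auto-approves enrolments for every principal that can reach the enrollment endpoint, and the admin documentation should say to pair it with profile-level authorization or a constraint such as the authzRealmConstraintImpl already listed in registry.cfg. Minor: "configuretion" in the getConfigStore() Javadoc.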
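A validator of the kind the ExternalProcessConstraint commit message describes, written here as an added example; it is not code from the patch or from the Dogtag project. It relies only on what the hunk shows: the CA passes DOGTAG_CERT_REQUEST, DOGTAG_USER, DOGTAG_PROFILE_ID, DOGTAG_AUTHORITY_ID and DOGTAG_USER_DATA in the environment, treats a nonzero exit as rejection and hands stdout back to the requester as the rejection reason. It assumes the request arrives as base64 PKCS#10 with optional PEM armor (the hunk does not say which request encoding the input holds), the policy (user `host-enroller` may only enrol hostnames under `.example.com`) is illustrative, and the sample request it builds is a constructed DER skeleton with a dummy key and signature, not a real signed CSR.

```python
#!/usr/bin/python3
"""Added example: an external validator for ExternalProcessConstraint.
Reads the DOGTAG_* environment the constraint sets, exits nonzero to reject,
and prints the rejection reason to stdout.  Not part of the patch or of Dogtag."""
import base64
import os
import re
import sys

# Illustrative policy (assumption): which authenticated users may enrol
# for hostnames under which DNS suffixes.
ALLOWED_SUFFIXES = {
    "host-enroller": (".example.com",),
}
OID_CN = bytes.fromhex("550403")  # id-at-commonName, 2.5.4.3


def der_tlv(buf, pos):
    """Decode the DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Yield (tag, value) for each TLV inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        yield tag, val


def csr_common_name(der_bytes):
    """Walk CertificationRequest -> CertificationRequestInfo -> subject; return the CN."""
    _, cri, _ = der_tlv(der_bytes, 0)            # CertificationRequest SEQUENCE
    _, info, _ = der_tlv(cri, 0)                 # CertificationRequestInfo SEQUENCE
    fields = list(der_children(info))            # version, subject, spki, attributes
    _, subject = fields[1]                       # Name: SEQUENCE OF RDN (each a SET)
    for _, rdn in der_children(subject):
        for _, atv in der_children(rdn):         # AttributeTypeAndValue SEQUENCE
            oid, val = [v for _, v in der_children(atv)]
            if oid == OID_CN:
                return val.decode("utf-8")
    return None


def decode_request(text):
    """Accept base64 PKCS#10 with or without PEM armor (assumed input encoding)."""
    body = re.sub(r"-----(BEGIN|END)[^-]*-----", "", text)
    return base64.b64decode("".join(body.split()))


def validate(env):
    """Return (exit_status, message): nonzero rejects, message goes to stdout."""
    try:
        cn = csr_common_name(decode_request(env["DOGTAG_CERT_REQUEST"]))
    except (KeyError, ValueError, IndexError) as e:
        return 1, "cannot parse certificate request: %s" % e
    user = env.get("DOGTAG_USER", "")
    suffixes = ALLOWED_SUFFIXES.get(user)
    if not suffixes:
        return 1, "user %r may not enrol through this profile" % user
    if not cn or cn.startswith(".") or not cn.endswith(suffixes):
        return 1, "subject CN %r is outside the permitted domains" % cn
    return 0, "ok"


# --- constructed sample data, used only to exercise the validator ---

def der(tag, content):
    """Encode one DER TLV (short and two-byte long-form lengths suffice here)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + content


def constructed_csr(cn):
    """PKCS#10 skeleton with a dummy RSA key and signature: constructed, not a real CSR."""
    rdn = der(0x31, der(0x30, der(0x06, OID_CN) + der(0x0C, cn.encode("utf-8"))))
    subject = der(0x30, rdn)
    rsa_alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b""))
    spki = der(0x30, rsa_alg + der(0x03, b"\x00" * 65))
    info = der(0x30, der(0x02, b"\x00") + subject + spki + der(0xA0, b""))
    sig_alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))
    return der(0x30, info + sig_alg + der(0x03, b"\x00" * 65))


def sample_env(cn, user="host-enroller", pem=False):
    """Environment shaped like the one the constraint builds (constructed sample)."""
    b64 = base64.b64encode(constructed_csr(cn)).decode("ascii")
    if pem:
        b64 = "-----BEGIN NEW CERTIFICATE REQUEST-----\n%s\n-----END NEW CERTIFICATE REQUEST-----\n" % b64
    return {"DOGTAG_CERT_REQUEST": b64, "DOGTAG_USER": user, "DOGTAG_PROFILE_ID": "caServerCert"}


if __name__ == "__main__":
    status, message = validate(os.environ)
    print(message)            # on nonzero exit the constraint shows this line to the requester
    sys.exit(status)
```

Installed at the path named by the profile's `executable` parameter, the script prints one line and exits 0 or 1; anything it needs beyond the CN (for example a directory lookup of DOGTAG_USER) can be added inside validate() without changing the contract with the constraint.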
From: mharmsen at redhat.com (Matthew Harmsen) Date: Mon, 6 Mar 2017 21:06:04 -0700 Subject: [Pki-devel] Karma Requests for pki-core-10.3.5-13 Message-ID: <86ada612-f56f-b552-730a-90b9c3559b3f@redhat.com>

The following updated candidate builds of pki-core 10.3.5 were generated:

* Fedora 24:
  o pki-core-10.3.5-13.fc24
* Fedora 25:
  o pki-core-10.3.5-13.fc25
* Fedora 26:
  o pki-core-10.3.5-13.fc26
* Fedora 27 (rawhide):
  o pki-core-10.3.5-13.fc27

These builds address the following PKI TRAC tickets:

* dogtagpki Pagure Issue #1710 - Add profile component that copies CN to SAN

Please provide Karma for the following builds:

* Fedora 24:
  o https://bodhi.fedoraproject.org/updates/FEDORA-2017-9ded483357 pki-core-10.3.5-13.fc24
* Fedora 25:
  o https://bodhi.fedoraproject.org/updates/FEDORA-2017-4f3325addf pki-core-10.3.5-13.fc25
* Fedora 26:
  o https://bodhi.fedoraproject.org/updates/FEDORA-2017-e0afc56a2c pki-core-10.3.5-13.fc26

-------------- next part -------------- An HTML attachment was scrubbed... URL:

From ftweedal at redhat.com Thu Mar 9 06:47:23 2017 From: ftweedal at redhat.com (Fraser Tweedale) Date: Thu, 9 Mar 2017 16:47:23 +1000 Subject: [Pki-devel] [PATCH] 0176..0177 small manpage fixes Message-ID: <20170309064723.GJ6697@dhcp-40-8.bne.redhat.com>

Please review attached patches that fix a couple of problems in pkispawn.8 and pki_default.cfg.5.

Thanks, Fraser

-------------- next part -------------- From e6c683eec351be54fb65f22629e78865839bf263 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Thu, 9 Mar 2017 14:30:29 +1000 Subject: [PATCH 176/177] pkispawn.8: fix setup-ds.pl command name --- base/server/man/man8/pkispawn.8 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/base/server/man/man8/pkispawn.8 b/base/server/man/man8/pkispawn.8 index 40ec7f0ad17acfa3a1e909dfac2ef16782dda6c6..002520a0b2207014989b82001ec4723fefd309f1 100644 --- a/base/server/man/man8/pkispawn.8 +++ b/base/server/man/man8/pkispawn.8
@@ -1387,7 +1387,7 @@ Directory Server and Admin Server instances can be created with the following command: .IP -\fBsetup-ds-admin.pl\fP +\fBsetup-ds.pl\fP .PP Enable LDAPS in the Directory Server with the following command: -- 2.9.3 -------------- next part -------------- From 852c6e5783648bf9786aa6c4c3aa20ff90b86790 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Thu, 9 Mar 2017 15:38:50 +1000 Subject: [PATCH 177/177] pki_default.cfg.5: fix ca_signing tag name --- base/server/man/man5/pki_default.cfg.5 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/base/server/man/man5/pki_default.cfg.5 b/base/server/man/man5/pki_default.cfg.5 index 1eb4ab99b1863a1927fba0f3f69ccf2e0431211f..856081dcf195df325fe48172f32a2afaeeef8e85 100644 --- a/base/server/man/man5/pki_default.cfg.5 +++ b/base/server/man/man5/pki_default.cfg.5 @@ -107,7 +107,7 @@ If an optional hardware security module (HSM) is being utilized (rather than the .SS SYSTEM CERTIFICATE PARAMETERS \fBpkispawn\fP sets up a number of system certificates for each subsystem. The system certificates which are required differ between subsystems. Each system certificate is denoted by a tag, as noted below. The different system certificates are: .IP -* signing certificate ("signing"). Used to sign other certificates. Required for CA. +* signing certificate ("ca_signing"). Used to sign other certificates. Required for CA. .IP * OCSP signing certificate ("ocsp_signing" in CA, "signing" in OCSP). Used to sign CRLs. Required for OCSP and CA. .IP -- 2.9.3 From tjaalton at ubuntu.com Thu Mar 9 08:07:22 2017 From: tjaalton at ubuntu.com (Timo Aaltonen) Date: Thu, 9 Mar 2017 10:07:22 +0200 Subject: [Pki-devel] [PATCH] pki-tpsd@.service: Use BindsTo= instead of BindTo= Message-ID: <1489046842-1074-1-git-send-email-tjaalton@ubuntu.com> 
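Review bot: In the pkispawn.8 hunk, the unchanged context line "Directory Server and Admin Server instances can be created with the following command:" now introduces setup-ds.pl, which sets up only a Directory Server instance (setup-ds-admin.pl is the variant that also configures the Admin Server); either drop "and Admin Server" from that sentence in the same patch or keep setup-ds-admin.pl, otherwise the page promises more than the command it names delivers.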
From: Timo Aaltonen BindTo is deprecated since a few years: https://github.com/systemd/systemd/commit/7f2cddae09fd2579ae24434df577bb5e5a157d86 --- base/tps-client/lib/systemd/system/pki-tpsd at .service | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/base/tps-client/lib/systemd/system/pki-tpsd at .service b/base/tps-client/lib/systemd/system/pki-tpsd at .service index 6a0d6a3..e93d44c 100644 --- a/base/tps-client/lib/systemd/system/pki-tpsd at .service +++ b/base/tps-client/lib/systemd/system/pki-tpsd at .service @@ -1,7 +1,7 @@ [Unit] Description=PKI Token Processing Server %i After=pki-tpsd.target -BindTo=pki-tpsd.target +BindsTo=pki-tpsd.target [Service] Type=forking -- 2.7.4 From mharmsen at redhat.com Mon Mar 13 05:39:18 2017 
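Review bot: The pki-tpsd@.service hunk is the only change here, so before pushing, grep the other unit files under base/*/lib/systemd/system for the same BindTo= spelling so the rename lands once rather than one file at a time; keeping After=pki-tpsd.target next to the new BindsTo= line is the documented pairing, so nothing else in [Unit] needs to move.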
From: mharmsen at redhat.com (Matthew Harmsen) Date: Sun, 12 Mar 2017 23:39:18 -0600 Subject: [Pki-devel] Karma Requests for ldapjdk-4.19-1 and tomcatjss-7.2.0-1 Message-ID: <9e48257a-b76b-c1d3-bb78-538458bad800@redhat.com>

The following updated candidate builds of ldapjdk 4.19 and tomcatjss 7.2.0 were generated:

* Fedora 25:
  o ldapjdk-4.19-1.fc25
  o tomcatjss-7.2.0-1.fc25
* Fedora 26:
  o ldapjdk-4.19-1.fc26
  o tomcatjss-7.2.0-1.fc26
* Fedora 27:
  o ldapjdk-4.19-1.fc27
  o tomcatjss-7.2.0-1.fc27

These builds address the following Bugs and Pagure Issues:

* Bugzilla Bug #1382856 - ldapjdk fails to parse ldap url with no host:port
* Bugzilla Bug #1394372 - Rebase ldapjdk to 4.19
* tomcatjss Pagure Issue #6 - Rebase tomcatjss to 7.2.0 in Fedora 25+

Please provide Karma for the following builds:

* Fedora 25:
  o https://bodhi.fedoraproject.org/updates/FEDORA-2017-6559356a15 ldapjdk-4.19-1.fc25
  o https://bodhi.fedoraproject.org/updates/FEDORA-2017-39eb143dc7 tomcatjss-7.2.0-1.fc25
* Fedora 26:
  o https://bodhi.fedoraproject.org/updates/FEDORA-2017-d10f519981 ldapjdk-4.19-1.fc26
  o https://bodhi.fedoraproject.org/updates/FEDORA-2017-a6d36fe632 tomcatjss-7.2.0-1.fc26

-------------- next part -------------- An HTML attachment was scrubbed... URL:

From jmagne at redhat.com Mon Mar 13 19:40:40 2017
From: jmagne at redhat.com (John Magne) Date: Mon, 13 Mar 2017 15:40:40 -0400 (EDT) Subject: [Pki-devel] [pki-devel][PATCH] 0090-First-cut-of-scp03-support.-Supports-the-g-d-smartca.patch In-Reply-To: <1110189832.3510303.1489434020648.JavaMail.zimbra@redhat.com> Message-ID: <510095978.3510423.1489434040243.JavaMail.zimbra@redhat.com>

First cut of scp03 support. Supports the g&d smartcafe out of the box. Developer keyset token operations and key changeover supported.

Caveats:
- The diversification step going from master key to card key uses DES3 as required for the token.
- After that point, everything is scp03 to the spec with minor exceptions so far. Supports 128 bit AES for now. Will resolve this.

Minor config tweaks:

TPS Symmetric Key Changeover
Use this applet for scp03:
RSA/KeyRecovery/GP211/SCP02/SCP03 applet : 1.5.558cdcff.ijc

TKS: Symmetric Key Changeover
tks.mk_mappings.#02#03=internal:new_master
tks.defKeySet.mk_mappings.#02#03=internal:new_master
Use the uncommented one because scp03 returns a different key set data string.

ToDo:
- Support the rest of the AES sizes other than 128.
- Support optional RMAC apdu.
- Test and adjust the config capability for other tokens.
- Support AES master key. Right now the standard key ends up creating AES card and session keys.

-------------- next part -------------- A non-text attachment was scrubbed... Name: 0090-First-cut-of-scp03-support.-Supports-the-g-d-smartca.patch Type: text/x-patch Size: 196629 bytes Desc: not available URL:

From alee at redhat.com Mon Mar 13 19:59:24 2017
From: alee at redhat.com (Ade Lee) Date: Mon, 13 Mar 2017 15:59:24 -0400 Subject: [Pki-devel] [PATCH] 0163..0165 Include revocation reason in REST cert data In-Reply-To: <20170222021205.GX3557@dhcp-40-8.bne.redhat.com> References: <20170222021205.GX3557@dhcp-40-8.bne.redhat.com> Message-ID: <1489435164.14898.16.camel@redhat.com> ACK On Wed, 2017-02-22 at 12:12 +1000, Fraser Tweedale wrote: > The following patches add the revocation reason to the REST cert > data (i.e. GET /ca/rest/certs/{id}). > > Patches 0163 and 0164 were pushed under trivial rule. > > Please review 0165. > > Thanks, > Fraser > _______________________________________________ > Pki-devel mailing list > Pki-devel at redhat.com > https://www.redhat.com/mailman/listinfo/pki-devel From alee at redhat.com Mon Mar 13 20:01:22 2017 From: alee at redhat.com (Ade Lee) Date: Mon, 13 Mar 2017 16:01:22 -0400 Subject: [Pki-devel] [PATCH] 0176..0177 small manpage fixes In-Reply-To: <20170309064723.GJ6697@dhcp-40-8.bne.redhat.com> References: <20170309064723.GJ6697@dhcp-40-8.bne.redhat.com> Message-ID: <1489435282.14898.17.camel@redhat.com> ACK On Thu, 2017-03-09 at 16:47 +1000, Fraser Tweedale wrote: > Please review attached patches that fix a couple of problems in > pkispawn.8 and pki_default.cfg.5. > > Thanks, > Fraser > _______________________________________________ > Pki-devel mailing list > Pki-devel at redhat.com > https://www.redhat.com/mailman/listinfo/pki-devel From mharmsen at redhat.com Mon Mar 13 23:53:51 2017 
From: mharmsen at redhat.com (Matthew Harmsen) Date: Mon, 13 Mar 2017 17:53:51 -0600 Subject: [Pki-devel] Karma Requests for ldapjdk-4.19-1 and tomcatjss-7.2.0-1 In-Reply-To: <9e48257a-b76b-c1d3-bb78-538458bad800@redhat.com> References: <9e48257a-b76b-c1d3-bb78-538458bad800@redhat.com> Message-ID: <475387df-080b-b8e6-43f7-2ff9f378815e@redhat.com>

On 03/12/2017 11:39 PM, Matthew Harmsen wrote:
> The following updated candidate builds of ldapjdk 4.19 and tomcatjss 7.2.0 were generated:
>
> * Fedora 25:
>   o ldapjdk-4.19-1.fc25
>   o tomcatjss-7.2.0-1.fc25
> * Fedora 26:
>   o ldapjdk-4.19-1.fc26
>   o tomcatjss-7.2.0-1.fc26
> * Fedora 27:
>   o ldapjdk-4.19-1.fc27
>   o tomcatjss-7.2.0-1.fc27
>
> These builds address the following Bugs and Pagure Issues:
>
> * Bugzilla Bug #1382856 - ldapjdk fails to parse ldap url with no host:port
> * Bugzilla Bug #1394372 - Rebase ldapjdk to 4.19
> * tomcatjss Pagure Issue #6 - Rebase tomcatjss to 7.2.0 in Fedora 25+
>
> Please provide Karma for the following builds:
>
> * Fedora 25:
>   o https://bodhi.fedoraproject.org/updates/FEDORA-2017-6559356a15 ldapjdk-4.19-1.fc25
>   o https://bodhi.fedoraproject.org/updates/FEDORA-2017-39eb143dc7 tomcatjss-7.2.0-1.fc25
> * Fedora 26:
>   o https://bodhi.fedoraproject.org/updates/FEDORA-2017-d10f519981 ldapjdk-4.19-1.fc26
>   o https://bodhi.fedoraproject.org/updates/FEDORA-2017-a6d36fe632 tomcatjss-7.2.0-1.fc26

A problem was discovered in which the tomcatjss.spec file was embedded inside the tomcatjss tarball; this was fixed, the tarball was republished, all packages were rebuilt, and new builds were submitted to bodhi:

The following updated candidate builds of tomcatjss 7.2.0 were regenerated:

* Fedora 25:
  o tomcatjss-7.2.0-2.fc25
* Fedora 26:
  o tomcatjss-7.2.0-2.fc26
* Fedora 27:
  o tomcatjss-7.2.0-2.fc27

Please provide Karma for the following builds:

* Fedora 25:
  o https://bodhi.fedoraproject.org/updates/FEDORA-2017-2fc4861133 tomcatjss-7.2.0-2.fc25
* Fedora 26:
  o https://bodhi.fedoraproject.org/updates/FEDORA-2017-9cd38eab18 tomcatjss-7.2.0-2.fc26

-------------- next part -------------- An HTML attachment was scrubbed... URL:

From ftweedal at redhat.com Tue Mar 14 01:25:52 2017 From: ftweedal at redhat.com (Fraser Tweedale) Date: Tue, 14 Mar 2017 11:25:52 +1000 Subject: [Pki-devel] [PATCH] 0163..0165 Include revocation reason in REST cert data In-Reply-To: <1489435164.14898.16.camel@redhat.com> References: <20170222021205.GX3557@dhcp-40-8.bne.redhat.com> <1489435164.14898.16.camel@redhat.com> Message-ID: <20170314012552.GH10261@dhcp-40-8.bne.redhat.com>

On Mon, Mar 13, 2017 at 03:59:24PM -0400, Ade Lee wrote:
> ACK
>
Thanks; 0165 pushed to master (6fa6b692882d00c8228aed7f5780b13f1b09c98c)

> On Wed, 2017-02-22 at 12:12 +1000, Fraser Tweedale wrote:
> > The following patches add the revocation reason to the REST cert
> > data (i.e. GET /ca/rest/certs/{id}).
> >
> > Patches 0163 and 0164 were pushed under trivial rule.
> >
> > Please review 0165.
> >
> > Thanks,
> > Fraser
> > _______________________________________________
> > Pki-devel mailing list
> > Pki-devel at redhat.com
> > https://www.redhat.com/mailman/listinfo/pki-devel

From ftweedal at redhat.com Tue Mar 14 01:26:55 2017
From: ftweedal at redhat.com (Fraser Tweedale) Date: Tue, 14 Mar 2017 11:26:55 +1000 Subject: [Pki-devel] [PATCH] 0176..0177 small manpage fixes In-Reply-To: <1489435282.14898.17.camel@redhat.com> References: <20170309064723.GJ6697@dhcp-40-8.bne.redhat.com> <1489435282.14898.17.camel@redhat.com> Message-ID: <20170314012655.GI10261@dhcp-40-8.bne.redhat.com>

Thanks; pushed to master:
- 1b23eee5387c272257e678726cdb807ca54b7165
- e1789708a9a6f66c3e3f1478e7bbc03da5b3b0df

Cheers,
Fraser

On Mon, Mar 13, 2017 at 04:01:22PM -0400, Ade Lee wrote:
> ACK
> On Thu, 2017-03-09 at 16:47 +1000, Fraser Tweedale wrote:
> > Please review attached patches that fix a couple of problems in
> > pkispawn.8 and pki_default.cfg.5.
> >
> > Thanks,
> > Fraser
> > _______________________________________________
> > Pki-devel mailing list
> > Pki-devel at redhat.com
> > https://www.redhat.com/mailman/listinfo/pki-devel

From mharmsen at redhat.com Tue Mar 14 07:04:48 2017 From: mharmsen at redhat.com (Matthew Harmsen) Date: Tue, 14 Mar 2017 01:04:48 -0600 Subject: [Pki-devel] Karma Requests for jss-4.4.0-1 Message-ID:

The following updated candidate builds of jss 4.4.0 were generated:

* Fedora 25:
  o jss-4.4.0-1.fc25
* Fedora 26:
  o jss-4.4.0-1.fc26
* Fedora 27:
  o jss-4.4.0-1.fc27

These builds address the following Bug:

* Bugzilla Bug #1431937 - Rebase jss to 4.4.0 in Fedora 25+

Please provide Karma for the following builds:

* Fedora 25:
  o https://bodhi.fedoraproject.org/updates/FEDORA-2017-155b9d81d2 jss-4.4.0-1.fc25
* Fedora 26:
  o https://bodhi.fedoraproject.org/updates/FEDORA-2017-70cf2c25eb jss-4.4.0-1.fc26

-------------- next part -------------- An HTML attachment was scrubbed... URL:

From mharmsen at redhat.com Tue Mar 14 21:43:42 2017
From: mharmsen at redhat.com (Matthew Harmsen)
Date: Tue, 14 Mar 2017 15:43:42 -0600
Subject: [Pki-devel] Karma Requests for tomcatjss-7.2.1-1
Message-ID:

Everyone,

Sorry, due to a dependency glitch, tomcatjss needed to be re-spun again (please ignore previous tomcatjss Karma emails):

The following updated candidate builds of tomcatjss 7.2.1 were generated:

* Fedora 25:
  o tomcatjss-7.2.1-1.fc25
* Fedora 26:
  o tomcatjss-7.2.1-1.fc26
* Fedora 27:
  o tomcatjss-7.2.1-1.fc27

Please provide Karma for the following builds:

* Fedora 25:
  o https://bodhi.fedoraproject.org/updates/FEDORA-2017-122cb7e152 tomcatjss-7.2.1-1.fc25
* Fedora 26:
  o https://bodhi.fedoraproject.org/updates/FEDORA-2017-2363353a6d tomcatjss-7.2.1-1.fc26

-- Matt

From edewata at redhat.com Wed Mar 15 18:16:40 2017
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 15 Mar 2017 13:16:40 -0500
Subject: [Pki-devel] [PATCH] 967 Added exception chaining for EInvalidCredentials.
Message-ID:

A new constructor has been added to EInvalidCredentials to support exception chaining.

Pushed to master under trivial rule.

--
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0967-Added-exception-chaining-for-EInvalidCredentials.patch
Type: text/x-patch
Size: 5206 bytes

From edewata at redhat.com Wed Mar 15 18:39:30 2017
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 15 Mar 2017 13:39:30 -0500
Subject: [Pki-devel] [PATCH] 968 Troubleshooting improvement for ClientCertValidateCLI.
Message-ID: <4f4971b1-3e11-3e0a-fd16-3047e598dfba@redhat.com>

The ClientCertValidateCLI has been modified to display the NSS error code and error message for invalid certificates.

Pushed to master under trivial rule.

--
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0968-Troubleshooting-improvement-for-ClientCertValidateCL.patch
Type: text/x-patch
Size: 1862 bytes

From edewata at redhat.com Wed Mar 15 18:57:23 2017
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 15 Mar 2017 13:57:23 -0500
Subject: [Pki-devel] [PATCH] 969 Added cascading configuration for PKI CLI.
Message-ID:

The PKI CLI has been modified to support cascading configuration files: default, system-wide, and user-specific configuration.

The existing Python-based PKI CLI was moved into the pki.cli.main module. A new shell script was added as a replacement which will read the configuration files and invoke the Python module.

Pushed to master under trivial rule.

--
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0969-Added-cascading-configuration-for-PKI-CLI.patch
Type: text/x-patch
Size: 10665 bytes

From ftweedal at redhat.com Thu Mar 16 07:50:37 2017
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Thu, 16 Mar 2017 17:50:37 +1000
Subject: [Pki-devel] [PATCH] 0167..0175 external authentication support
In-Reply-To: <20170307011637.GP6697@dhcp-40-8.bne.redhat.com>
References: <20170307011637.GP6697@dhcp-40-8.bne.redhat.com>
Message-ID: <20170316075037.GV10261@dhcp-40-8.bne.redhat.com>

On Tue, Mar 07, 2017 at 11:16:37AM +1000, Fraser Tweedale wrote:
> Hi team,
>
> Please review the attached patches, which add support for external
> authentication (e.g. GSS-API/SPNEGO).
>
> These patches depend on some other outstanding patches:
> 0157, 0158, 0165, 0166.
>
> You can review the whole branch (including those commits just
> mentioned) on GitHub:
> https://github.com/dogtagpki/pki/compare/master...frasertweedale:feature/1359-gssapi
>
> Thanks!
> Fraser

7 patches acked by alee; pushed to master:

67d51413323e1d55fdc04ca5edf5d9f05afb0ebe Update ACLInterceptor to support external principals
ef84ef36be06944a7f6338ed022f13e066cd5c32 Update SessionContextInterceptor to handle external principals
76f60251f7e1b2f1f9ad1752121c0c5cb1cb5b8b Update AuthMethodInterceptor to handle external principals
433c7b70d7dd8609dea31b28aee042e48a41ac9f Add IAuthToken implementation for external principals
00cf1cd2c6b9f5d8116921e4c3f1d07e7708388e Add groups and request attributes to external principals
4cf87aa3babc4c7d8ea60a46cb548ebfee493ae4 CertProcessor: extract method setAuthTokenIntoRequest
295cb2f175711a85f371c0fa93c584ad235066e4 Define AgentCertAuthentication token keys in IAuthToken

Thanks,
Fraser

From edewata at redhat.com Thu Mar 16 22:01:18 2017
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 16 Mar 2017 17:01:18 -0500
Subject: [Pki-devel] [PATCH] 970 Exporting environment variables for PKI client.
Message-ID: <11d4859d-40ba-eb9c-7772-37d4623713b5@redhat.com>

The default pki.conf has been modified to export the environment variables such that they can be used by the PKI client.

Pushed to master under trivial rule.

--
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0970-Exporting-environment-variables-for-PKI-client.patch
Type: text/x-patch
Size: 3111 bytes

From mbabinsk at redhat.com Fri Mar 17 11:14:58 2017
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Fri, 17 Mar 2017 12:14:58 +0100
Subject: [Pki-devel] [TESTING] Please test and add karma to pki-core-10.4.0-1
Message-ID: <20170317111457.GB3770@dhcp129-180.brq.redhat.com>

A new update for Dogtag PKI (pki-core-10.4.0-1.fc25) landed in Fedora 25 updates-testing yesterday.[1]

I have already provided negative karma as the update broke CA clone deployment on FreeIPA replica install.

It would be nice if you could test it and provide +1/-1 ASAP so that we can push it out before it hits stable and give Matthew a chance to provide fixes.

I would also like to ask PKI developers to not hesitate to approach us to provide early feedback to the new updates and/or set up some sort of CI for them if possible.

[1] https://bodhi.fedoraproject.org/updates/FEDORA-2017-9c6007b406

--
Martin Babinsky

From edewata at redhat.com Fri Mar 17 15:20:15 2017
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 17 Mar 2017 10:20:15 -0500
Subject: [Pki-devel] [PATCH] 971 Removed duplicate code to configure SSL version ranges.
Message-ID: <7beb0a23-412c-a3eb-fe3a-a4702fe3244a@redhat.com>

The duplicate code for configuring default SSL version ranges has been merged into reusable methods in CryptoUtil.

Pushed to master under trivial rule.

--
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0971-Removed-duplicate-code-to-configure-SSL-version-rang.patch
Type: text/x-patch
Size: 12151 bytes

From edewata at redhat.com Fri Mar 17 15:22:18 2017
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 17 Mar 2017 10:22:18 -0500
Subject: [Pki-devel] [PATCH] 972 Cleaned up CryptoUtil.setClientCiphers().
Message-ID: <85ce5306-ab2d-ab25-4de9-8350e966deaa@redhat.com>

The CryptoUtil.setClientCiphers() has been reformatted to simplify future refactoring.

Pushed to master under trivial rule.

--
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0972-Cleaned-up-CryptoUtil.setClientCiphers.patch
Type: text/x-patch
Size: 3161 bytes

From edewata at redhat.com Fri Mar 17 15:23:22 2017
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 17 Mar 2017 10:23:22 -0500
Subject: [Pki-devel] [PATCH] 973 Added missing Eclipse dependency.
Message-ID:

The Eclipse .classpath file has been modified to include tomcat-coyote.jar to avoid a build problem.

Pushed to master under trivial rule.

--
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0973-Added-missing-Eclipse-dependency.patch
Type: text/x-patch
Size: 936 bytes

From edewata at redhat.com Fri Mar 17 16:27:24 2017
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 17 Mar 2017 11:27:24 -0500
Subject: [Pki-devel] [PATCH] 974 Default NSS database for PKI CLI.
Message-ID:

The PKI CLI has been modified to create a default NSS database without a password if there is no existing database at the expected location.

Pushed to master under trivial rule.

--
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0974-Default-NSS-database-for-PKI-CLI.patch
Type: text/x-patch
Size: 2360 bytes

From mharmsen at redhat.com Fri Mar 17 16:34:17 2017
From: mharmsen at redhat.com (Matthew Harmsen)
Date: Fri, 17 Mar 2017 10:34:17 -0600
Subject: [Pki-devel] [Freeipa-devel] [TESTING] Please test and add karma to pki-core-10.4.0-1
In-Reply-To: <20170317160212.GA4265@10.4.128.1>
References: <20170317111457.GB3770@dhcp129-180.brq.redhat.com> <20170317160212.GA4265@10.4.128.1>
Message-ID:

On 03/17/2017 10:02 AM, Lukas Slebodnik wrote:
> On (17/03/17 12:14), Martin Babinsky wrote:
>> A new update for Dogtag PKI (pki-core-10.4.0-1.fc25) landed in Fedora 25
>> updates-testing yesterday.[1]
>>
> It was also pushed to fedora26
> https://bodhi.fedoraproject.org/updates/FEDORA-2017-9cc27242c1
>
>> I have already provided negative karma as the update broke CA clone deployment
>> on FreeIPA replica install.
>>
>> It would be nice if you could test it and provide +1/-1 ASAP so that we can
>> push it out before it hits stable and give Matthew a chance to provide fixes.
>>
> The fastest will be if it will be unpushed by fedora maintainer
> Adding mharmsen to CC.
>
> LS

Lukas and Martin,

After speaking with some members of the PKI team, I have unpushed both the F25 and F26 builds from Bodhi.

The following unresolved issues on cloning were documented in:

* dogtagpki Pagure Issue #2336 - IPA Replica CA configuration failed Clone does not have all the required certificates

Was this the same cloning failure that you were seeing? If not, please file a detailed Pagure Issue describing the failure complete with log attachment.

As for the vault issue, we may have an idea on this as the code in that area has been changing.

Thanks,
-- Matt

From edewata at redhat.com Fri Mar 17 17:33:42 2017
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 17 Mar 2017 12:33:42 -0500
Subject: [Pki-devel] [PATCH] 975 Moved default SSL configuration out of PKIConnection.
Message-ID:

To prevent conflicts, the code that configures the default SSL version ranges and ciphers for all SSL sockets created afterwards has been moved out of PKIConnection into the main program (i.e. PKI CLI).

Pushed to master under trivial rule.

--
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0975-Moved-default-SSL-configuration-out-of-PKIConnection.patch
Type: text/x-patch
Size: 2852 bytes

From cfu at redhat.com Fri Mar 17 19:00:15 2017
From: cfu at redhat.com (Christina Fu)
Date: Fri, 17 Mar 2017 12:00:15 -0700
Subject: [Pki-devel] [PATCH] Issuance Protection Cert establishment and convenience encrypt/decrypt/hash routines
Message-ID:

This patch provides code that can be shared between:

https://pagure.io/dogtagpki/issue/2605
and
https://pagure.io/dogtagpki/issue/2604

Note: default is DES3 for now; will switch over to AES when the cmc feature further materializes.

thanks,
Christina

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-cfu-0161-pagure-2605-CMC-feature-id-cmc-identityProofV2-per-r.patch
Type: text/x-patch
Size: 10824 bytes

From cfu at redhat.com Fri Mar 17 19:06:04 2017
From: cfu at redhat.com (Christina Fu)
Date: Fri, 17 Mar 2017 12:06:04 -0700
Subject: [Pki-devel] [PATCH] Issuance Protection Cert establishment and convenience crypto routines
Message-ID: <4547f165-f555-ee0f-48fd-5684a4765a94@redhat.com>

This patch provides routines that can be shared between

https://pagure.io/dogtagpki/issue/2605 CMC feature: id-cmc-identityProofV2 per rfc5272
and
https://pagure.io/dogtagpki/issue/2604 RFE: shared secret storage and retrieval mechanism

Note: symkey algorithm remains at DES3 until cmc feature materializes.

thanks,
Christina

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-cfu-0161-pagure-2605-CMC-feature-id-cmc-identityProofV2-per-r.patch
Type: text/x-patch
Size: 10824 bytes

From edewata at redhat.com Sat Mar 18 02:58:37 2017
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 17 Mar 2017 21:58:37 -0500
Subject: [Pki-devel] [PATCH] 976 Cleaned up CryptoUtil.setClientCiphers(String).
Message-ID:

The CryptoUtil.setClientCiphers(String) has been reformatted to simplify future refactoring.

Pushed to master under trivial rule.

--
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0976-Cleaned-up-CryptoUtil.setClientCiphers-String.patch
Type: text/x-patch
Size: 2413 bytes

From edewata at redhat.com Sun Mar 19 18:26:56 2017
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Sun, 19 Mar 2017 13:26:56 -0500
Subject: [Pki-devel] [PATCH] 977 Fixed PKIClient initialization in PKI CLI.
Message-ID: <21030be3-7b67-f9f9-3b9e-1abbcdeec02c@redhat.com>

The PKI CLI has been modified such that it initializes the PKIClient (and retrieves the access banner) only if the CLI needs to access the PKI server.

https://pagure.io/dogtagpki/issue/2612

Pushed to master under trivial rule.

--
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0977-Fixed-PKIClient-initialization-in-PKI-CLI.patch
Type: text/x-patch
Size: 2940 bytes

From edewata at redhat.com Sun Mar 19 18:48:53 2017
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Sun, 19 Mar 2017 13:48:53 -0500
Subject: [Pki-devel] [PATCH] 978 Added configuration parameters for SSL version ranges.
Message-ID: <68adab29-f9f3-4cac-9751-8dcc117398da@redhat.com>

The hard-coded SSL version ranges in PKI CLI have been converted into configurable parameters in the pki.conf.

Pushed to master under trivial rule.

--
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0978-Added-configuration-parameters-for-SSL-version-range.patch
Type: text/x-patch
Size: 2647 bytes

From edewata at redhat.com Sun Mar 19 20:09:51 2017
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Sun, 19 Mar 2017 15:09:51 -0500
Subject: [Pki-devel] [PATCH] 979 Renamed CryptoUtil.setClientCiphers().
Message-ID: <67c2f55a-78ed-839d-6d4d-cf6dd5597d7f@redhat.com>

The setClientCiphers() in CryptoUtil has been renamed to setDefaultSSLCiphers() for clarity.

Pushed to master under trivial rule.

--
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0979-Renamed-CryptoUtil.setClientCiphers.patch
Type: text/x-patch
Size: 3865 bytes

From edewata at redhat.com Sun Mar 19 20:09:56 2017
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Sun, 19 Mar 2017 15:09:56 -0500
Subject: [Pki-devel] [PATCH] 980 Fixed error handling in CryptoUtil.unsetSSLCiphers().
Message-ID: <02949913-8e0c-ebf0-16d0-6afa44382ece@redhat.com>

The CryptoUtil.unsetSSLCiphers() has been modified not to ignore exceptions.

Pushed to master under trivial rule.

--
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0980-Fixed-error-handling-in-CryptoUtil.unsetSSLCiphers.patch
Type: text/x-patch
Size: 1596 bytes

From edewata at redhat.com Sun Mar 19 20:10:01 2017
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Sun, 19 Mar 2017 15:10:01 -0500
Subject: [Pki-devel] [PATCH] 981 Fixed error handling in CryptoUtil.setClientCiphers().
Message-ID:

The CryptoUtil.setClientCiphers() has been modified to throw an exception on an unsupported cipher.

Pushed to master under trivial rule.

--
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0981-Fixed-error-handling-in-CryptoUtil.setClientCiphers.patch
Type: text/x-patch
Size: 1209 bytes

From edewata at redhat.com Sun Mar 19 20:10:05 2017
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Sun, 19 Mar 2017 15:10:05 -0500
Subject: [Pki-devel] [PATCH] 982 Refactored CryptoUtil.setClientCiphers().
Message-ID: <4344b3da-122c-c5e8-a2a7-806ebe1bebae@redhat.com>

The code that converts a cipher name into a cipher ID and enables the cipher in CryptoUtil.setClientCiphers() has been moved into a separate method.

Pushed to master under trivial rule.

--
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0982-Refactored-CryptoUtil.setClientCiphers.patch
Type: text/x-patch
Size: 2438 bytes

From edewata at redhat.com Sun Mar 19 21:59:17 2017
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Sun, 19 Mar 2017 16:59:17 -0500
Subject: [Pki-devel] [PATCH] 983 Added pki.conf parameter for SSL ciphers.
Message-ID: <5dc8e3b2-df13-23e2-5aa7-4d352f0441ba@redhat.com>

A new parameter has been added to pki.conf to configure the SSL ciphers used by PKI CLI in addition to the default ciphers.

Pushed to master under trivial rule.

--
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0983-Added-pki.conf-parameter-for-SSL-ciphers.patch
Type: text/x-patch
Size: 2811 bytes

From edewata at redhat.com Sun Mar 19 21:59:22 2017
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Sun, 19 Mar 2017 16:59:22 -0500
Subject: [Pki-devel] [PATCH] 984 Added pki.conf parameter for default SSL ciphers.
Message-ID:

A new parameter has been added to pki.conf to enable/disable the default SSL ciphers for PKI CLI.

Pushed to master under trivial rule.

--
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0984-Added-pki.conf-parameter-for-default-SSL-ciphers.patch
Type: text/x-patch
Size: 2103 bytes

From edewata at redhat.com Tue Mar 21 01:26:00 2017
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 20 Mar 2017 20:26:00 -0500
Subject: [Pki-devel] [PATCH] 985-986 Added hard-coded default values for SSL parameters in PKI CLI.
Message-ID: <20185b85-21b5-e9b6-cb88-787fb8b5a7fb@redhat.com>

The PKI CLI has been modified to use hard-coded default values in case the pki.conf is not available (e.g. in Eclipse).

ACKed by alee. Pushed to master.

--
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0985-Added-hard-coded-default-values-for-SSL-parameters-i.patch
Type: text/x-patch
Size: 2227 bytes
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0986-Fixed-default-value-for-SSL-datagram.patch
Type: text/x-patch
Size: 1314 bytes

From edewata at redhat.com Tue Mar 21 02:35:59 2017
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 20 Mar 2017 21:35:59 -0500
Subject: [Pki-devel] [PATCH] 987 Allowing pki client-init without NSS database password.
Message-ID: <638c5fba-3aa6-ed80-e8cc-7435da3d5f2d@redhat.com>

The pki client-init has been modified to support creating an NSS database without a password.

Pushed to master under trivial rule.

--
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0987-Allowing-pki-client-init-without-NSS-database-passwo.patch
Type: text/x-patch
Size: 2995 bytes

From edewata at redhat.com Tue Mar 21 02:36:03 2017
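Patch 969 earlier in this archive describes the PKI CLI reading a cascade of configuration files (default, system-wide, user-specific), and patches 985-986 add hard-coded fallbacks for when pki.conf is not available at all. The Python block below is an added example of that layering written for this archive; it is not the project's wrapper script or its pki.cli.main module, and the file names, the KEY=VALUE keys (SSL_DEFAULT_CIPHERS, SSL_CIPHERS) and their values are constructed for the example.

```python
"""
Cascading KEY=VALUE configuration for a CLI (constructed example; not the
Dogtag pki wrapper script or pki.cli.main).

Layers, lowest to highest precedence:
  1. hard-coded defaults (used when no config file is available at all)
  2. default config shipped with the package
  3. system-wide config
  4. user-specific config
Later layers override earlier ones key by key; absent files are skipped.
"""
import os
import tempfile
from typing import Dict, Iterable, List, Tuple

# Hard-coded fallbacks (constructed keys and values, not Dogtag's real defaults).
HARDCODED_DEFAULTS: Dict[str, str] = {
    "SSL_DEFAULT_CIPHERS": "true",
    "SSL_CIPHERS": "",
}


def parse_config(text: str) -> Dict[str, str]:
    """Parse shell-style KEY=VALUE lines; '#' comments and blank lines are skipped."""
    values: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected KEY=VALUE, got {raw!r}")
        key, value = line.split("=", 1)
        key = key.strip()
        value = value.strip()
        # Strip one layer of matching quotes, as a shell would when sourcing the file.
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        values[key] = value
    return values


def load_cascading_config(paths: Iterable[str]) -> Tuple[Dict[str, str], List[str]]:
    """Merge config files in precedence order; return (merged values, files read)."""
    merged = dict(HARDCODED_DEFAULTS)
    loaded: List[str] = []
    for path in paths:
        if not os.path.isfile(path):
            continue  # absent layer: keep the lower-precedence values
        with open(path, encoding="utf-8") as fh:
            merged.update(parse_config(fh.read()))
        loaded.append(path)
    return merged, loaded


def demo() -> Dict[str, str]:
    """Build a three-layer cascade in a temp dir and return the merged result."""
    with tempfile.TemporaryDirectory() as tmp:
        default_cfg = os.path.join(tmp, "pki.conf")        # package default (constructed)
        system_cfg = os.path.join(tmp, "etc-pki.conf")     # system-wide (constructed)
        user_cfg = os.path.join(tmp, "user-pki.conf")      # user-specific (constructed)
        with open(default_cfg, "w", encoding="utf-8") as fh:
            fh.write("# package default\n"
                     "SSL_CIPHERS=TLS_RSA_WITH_AES_128_GCM_SHA256\n"
                     "SSL_DEFAULT_CIPHERS=true\n")
        with open(system_cfg, "w", encoding="utf-8") as fh:
            fh.write("SSL_CIPHERS=\"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\"\n")
        # The user layer overrides only one key; the rest falls through.
        with open(user_cfg, "w", encoding="utf-8") as fh:
            fh.write("SSL_DEFAULT_CIPHERS=false\n")
        missing = os.path.join(tmp, "missing.conf")
        merged, _ = load_cascading_config([default_cfg, system_cfg, user_cfg, missing])
        return merged


if __name__ == "__main__":
    for key, value in sorted(demo().items()):
        print(f"{key}={value}")
```

The order of the path list is the precedence: whatever is read last wins, and a layer that does not exist on disk simply leaves the previous values in place, so the hard-coded dictionary is what remains when no file is found.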
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 20 Mar 2017 21:36:03 -0500
Subject: [Pki-devel] [PATCH] 0988 Allowing pki pkcs12-import without NSS database password.
Message-ID: <60c0bc4c-c51b-e549-4417-30198c896f12@redhat.com>

The pki.nssdb module has been modified to support operations without an NSS database password.

Pushed to master under trivial rule.

--
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0988-Allowing-pki-pkcs12-import-without-NSS-database-pass.patch
Type: text/x-patch
Size: 992 bytes

From edewata at redhat.com Tue Mar 21 02:36:08 2017
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 20 Mar 2017 21:36:08 -0500
Subject: [Pki-devel] [PATCH] 989 Allowing client cert auth without NSS database password.
Message-ID:

The PKI CLI has been modified to support client cert authentication without an NSS database password.

Pushed to master under trivial rule.

--
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0989-Allowing-client-cert-auth-without-NSS-database-passw.patch
Type: text/x-patch
Size: 1911 bytes

From edewata at redhat.com Tue Mar 21 03:12:09 2017
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 20 Mar 2017 22:12:09 -0500
Subject: [Pki-devel] [PATCH] 990 Added support for hex cipher IDs in pki.conf.
Message-ID:

The CryptoUtil.setSSLCipher() has been modified to support ciphers specified using a hex ID.

Pushed to master under trivial rule.

--
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0990-Added-support-for-hex-cipher-IDs-in-pki.conf.patch
Type: text/x-patch
Size: 2281 bytes

From edewata at redhat.com Tue Mar 21 03:12:14 2017
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 20 Mar 2017 22:12:14 -0500
Subject: [Pki-devel] [PATCH] 991 Added support for disabling SSL ciphers in pki.conf.
Message-ID: <4aeaf8bc-5bc1-6cd0-69a2-0d1ba07ed195@redhat.com>

The CryptoUtil.setSSLCiphers() has been modified to support a "-" sign in front of the cipher name or ID to disable the cipher.

Pushed to master under trivial rule.

--
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0991-Added-support-for-disabling-SSL-ciphers-in-pki.conf.patch
Type: text/x-patch
Size: 2132 bytes

From edewata at redhat.com Fri Mar 24 15:48:17 2017
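Patches 981, 983, 984, 990 and 991 above together describe one piece of cipher-list handling for the PKI CLI: an unsupported cipher name is an error rather than silently ignored, pki.conf carries an extra cipher list on top of the defaults, a switch turns the default ciphers on or off, ciphers may be given as hex IDs, and a leading "-" disables a cipher. The Python block below is an added example of that parsing written for this archive; it is not Dogtag's CryptoUtil, and the cipher name table, the default cipher set, the function names and the sample pki.conf values are constructed for the example (the numeric IDs are the standard TLS cipher suite codes).

```python
"""
Parsing a pki.conf-style SSL cipher list (constructed example; not Dogtag's CryptoUtil).

Entries are comma-separated. Each entry is a cipher name or a hex cipher ID
such as 0x009C, optionally prefixed with "-" to disable that cipher.
Unknown cipher names raise ValueError instead of being silently skipped.
"""
from typing import Dict, Iterable, Set

# Constructed sample of the name -> ID table; a real implementation would
# take this from the TLS library (NSS/JSS). The IDs are standard suite codes.
CIPHER_IDS: Dict[str, int] = {
    "TLS_RSA_WITH_AES_128_GCM_SHA256": 0x009C,
    "TLS_RSA_WITH_AES_256_GCM_SHA384": 0x009D,
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": 0xC02F,
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": 0xC02B,
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA": 0x000A,
}

# Constructed sample of the built-in default cipher set (an assumption).
DEFAULT_CIPHERS: Set[int] = {0x009C, 0x009D, 0xC02F, 0xC02B}


def resolve_cipher_id(token: str) -> int:
    """Return the numeric ID for a cipher name or a 0x-prefixed hex ID."""
    if token.lower().startswith("0x"):
        try:
            return int(token, 16)
        except ValueError:
            raise ValueError(f"invalid hex cipher ID: {token}") from None
    try:
        return CIPHER_IDS[token]
    except KeyError:
        # Fail loudly: a typo must not quietly leave a cipher unconfigured.
        raise ValueError(f"unsupported cipher: {token}") from None


def apply_cipher_config(config: str, enabled: Iterable[int]) -> Set[int]:
    """Apply a comma-separated cipher list to an initial set of enabled IDs.

    A "-" before a name or ID disables that cipher; otherwise it is enabled.
    """
    result = set(enabled)
    for entry in config.split(","):
        entry = entry.strip()
        if not entry:
            continue  # tolerate an empty list or a trailing comma
        disable = entry.startswith("-")
        name = entry[1:].strip() if disable else entry
        cipher_id = resolve_cipher_id(name)
        if disable:
            result.discard(cipher_id)
        else:
            result.add(cipher_id)
    return result


def build_cipher_set(ciphers: str, use_defaults: bool) -> Set[int]:
    """Combine the 'enable default ciphers' switch with the extra cipher list."""
    base = DEFAULT_CIPHERS if use_defaults else set()
    return apply_cipher_config(ciphers, base)


if __name__ == "__main__":
    # Constructed pki.conf-style values: keep the defaults, add 3DES, drop one ECDSA suite.
    chosen = build_cipher_set("TLS_RSA_WITH_3DES_EDE_CBC_SHA,-0xC02B", use_defaults=True)
    print(sorted(f"0x{c:04X}" for c in chosen))
```

Disabling by hex ID is useful precisely when a cipher has no name in the local table: the "-" entry is still resolved through the same path, so a malformed ID is reported rather than ignored.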
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 24 Mar 2017 10:48:17 -0500
Subject: [Pki-devel] [PATCH] 992-1001 Fixed unnecessary CLI connection.
Message-ID: <4484ac5b-4e82-1019-403a-f7be64318f53@redhat.com>

Previously the CLI would unnecessarily try to connect to the server while executing commands that do not need a connection. The problem has been fixed using lazy initialization of the PKIClient object.

Pushed to master under trivial rule.

--
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0992-Added-CLI.getConfig.patch
Type: text/x-patch
Size: 2080 bytes
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0993-Refactored-CLI.getClient.patch
Type: text/x-patch
Size: 1868 bytes
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0994-Refactored-ClientCLI.patch
Type: text/x-patch
Size: 7366 bytes
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0995-Refactored-ProxyCLI.patch
Type: text/x-patch
Size: 1590 bytes
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0996-Refactored-SubsystemCLI.patch
Type: text/x-patch
Size: 9689 bytes
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0997-Refactored-CA-CertCLI.patch
Type: text/x-patch
Size: 21699 bytes
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0998-Refactored-GroupCLI.patch
Type: text/x-patch
Size: 14371 bytes
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0999-Refactored-KRA-KeyCLI.patch
Type: text/x-patch
Size: 21135 bytes
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-1000-Refactored-SecurityDomainCLI.patch
Type: text/x-patch
Size: 3171 bytes
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-1001-Refactored-UserCLI.patch
Type: text/x-patch
Size: 19251 bytes

From cfu at redhat.com Sat Mar 25 00:07:05 2017
From: cfu at redhat.com (Christina Fu)
Date: Fri, 24 Mar 2017 20:07:05 -0400 (EDT)
Subject: [Pki-devel] [PATCH] Bug 1419734 CMC: id-cmc-identityProofV2 feature
In-Reply-To: <804752786.5367974.1490400357386.JavaMail.zimbra@redhat.com>
Message-ID: <1768226326.5368384.1490400425799.JavaMail.zimbra@redhat.com>

please review.

thanks,
Christina

-------------- next part --------------
A non-text attachment was scrubbed...
Name: identityProofV2-feature-imple.patch
Type: text/x-patch
Size: 28957 bytes

From cfu at redhat.com Sun Mar 26 00:55:37 2017
From: cfu at redhat.com (Christina Fu)
Date: Sat, 25 Mar 2017 20:55:37 -0400 (EDT)
Subject: [Pki-devel] [PATCH] CMC RFE: provide Proof of Possession for encryption cert requests (encryptedPOP and decryptedPOP)
In-Reply-To: <1556754241.5486271.1490488917930.JavaMail.zimbra@redhat.com>
Message-ID: <1379559604.5489669.1490489737697.JavaMail.zimbra@redhat.com>

This patch provides the feature implementation for CMC encryptedPOP and decryptedPOP used for Proof of Possession for encryption keys in the following ticket:

#2615 CMC: provide Proof of Possession for encryption cert requests

Note that it is an incremental patch based off

#2613 CMC: id-cmc-identityProofV2 feature implementation

which I submitted yesterday.

There will be a small "cleanup" patch after this.

thanks,
Christina

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Bug-1419742-CMC-RFE-provide-Proof-of-Possession-for-.patch
Type: text/x-patch
Size: 117479 bytes

From cfu at redhat.com Mon Mar 27 06:15:21 2017
From: cfu at redhat.com (Christina Fu)
Date: Mon, 27 Mar 2017 02:15:21 -0400 (EDT)
Subject: [Pki-devel] [PATCH] Bug-2615-CMC-cleanup-code-for-Encrypted-Decrypted-PO.patch
In-Reply-To: <427527656.5813448.1490595227142.JavaMail.zimbra@redhat.com>
Message-ID: <1913819792.5813798.1490595321020.JavaMail.zimbra@redhat.com>

This is the cleanup patch that I promised. It contains as much error-checking code as I can muster for now. It is tested to work.

This is again an incremental patch from the previous CMC patch.

thanks,
Christina

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Bug-2615-CMC-cleanup-code-for-Encrypted-Decrypted-PO.patch
Type: text/x-patch
Size: 26311 bytes

From edewata at redhat.com Mon Mar 27 15:49:19 2017
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 27 Mar 2017 10:49:19 -0500
Subject: [Pki-devel] [PATCH] 1002-1008 Fixed unnecessary CLI connection.
Message-ID: <1593fba6-29f8-7a05-4760-604b467b2062@redhat.com>

Additional changes to remove unnecessary CLI connection using lazy initialization.

Pushed to master under trivial rule.

--
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-1002-Refactored-AuthorityCLI.patch
Type: text/x-patch
Size: 8991 bytes
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-1003-Refactored-FeatureCLI.patch
Type: text/x-patch
Size: 3962 bytes
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-1004-Refactored-KRAConnectorCLI-for-CA.patch
Type: text/x-patch
Size: 7012 bytes
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-1005-Refactored-CA-ProfileCLI.patch
Type: text/x-patch
Size: 14012 bytes
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-1006-Refactored-CA-ProfileMappingCLI.patch
Type: text/x-patch
Size: 9583 bytes
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-1007-Refactored-SelfTestCLI.patch
Type: text/x-patch
Size: 6017 bytes
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-1008-Refactored-TPSConnectorCLI-for-TKS.patch
Type: text/x-patch
Size: 8471 bytes

From edewata at redhat.com Mon Mar 27 22:41:50 2017
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 27 Mar 2017 17:41:50 -0500
Subject: [Pki-devel] [PATCH] 1009 Added audit logs for SSL/TLS events.
Message-ID:

The CMSStartServlet has been modified to register an SSL socket listener called PKIServerSocketListener to TomcatJSS. The PKIServerSocketListener will receive the alerts generated by SSL server sockets and generate ACCESS_SESSION_* audit logs.

The CS.cfg for all subsystems have been modified to include ACCESS_SESSION_* audit events.

https://pagure.io/dogtagpki/issue/2602

ACKed by cfu with a few changes. Pushed to master.

--
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-1009-Added-audit-logs-for-SSL-TLS-events.patch
Type: text/x-patch
Size: 52239 bytes

From edewata at redhat.com Tue Mar 28 00:53:16 2017
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 27 Mar 2017 19:53:16 -0500
Subject: [Pki-devel] [PATCH] 1010-1017 Fixed unnecessary CLI connection.
Message-ID:

Additional changes to remove unnecessary CLI connection using lazy initialization.

Pushed to master under trivial rule.

--
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-1010-Refactored-ActivityCLI.patch
Type: text/x-patch
Size: 4294 bytes
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-1011-Refactored-AuditCLI.patch
Type: text/x-patch
Size: 4715 bytes
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-1012-Refactored-AuthenticatorCLI.patch
Type: text/x-patch
Size: 9639 bytes
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-1013-Refactored-TPSCertCLI.patch
Type: text/x-patch
Size: 4168 bytes
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-1014-Refactored-TPS-ConfigCLI.patch
Type: text/x-patch
Size: 4138 bytes
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-1015-Refactored-TPS-ProfileCLI.patch
Type: text/x-patch
Size: 8538 bytes
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-1016-Refactored-TPS-TokenCLI.patch
Type: text/x-patch
Size: 7850 bytes
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-1017-Refactored-TPS-ConnectorCLI.patch
Type: text/x-patch
Size: 8915 bytes

From jmagne at redhat.com Wed Mar 29 18:22:44 2017
From: jmagne at redhat.com (John Magne)
Date: Wed, 29 Mar 2017 14:22:44 -0400 (EDT)
Subject: [Pki-devel] [pki-devel][PATCH] 0091-SCP03 support for g&d 7 card.patch
In-Reply-To: <92669570.9203604.1490811661236.JavaMail.zimbra@redhat.com>
Message-ID: <664598460.9205261.1490811764183.JavaMail.zimbra@redhat.com>

[PATCH] SCP03 support for g&d sc 7 card.

Ticket: https://pagure.io/dogtagpki/issue/1663

Add SCP03 support

This allows the use of the g&d 7 card. This will require the following:

1. An out-of-band method is needed to generate an AES-based master key. We do not as of yet have support with tkstool for this:

Ex: /usr/lib64/nss/unsupported-tools/symkeyutil -d . -K -n new_master_aes -t aes -s 16

2. There are some new config params that can be adjusted to support either the 6.0 or 7.0 cards:

Ex:

tks.defKeySet._005=## tks.prot3 , protocol 3 specific settings
tks.defKeySet._006=## divers= emv,visa2 : Values for the master key case, or > version one.
tks.defKeySet._007=## diversVer1 = emv,visa2, or none. This is for developer or version one keyset
tks.defKeySet._008=## devKeyType = DES3 or AES. This is for the key type of developer or version one keys.
tks.defKeySet._009=## masterKeyType = DES3 or AES. This is for the type of key for the master key.
tks.defKeySet._010=##
tks.defKeySet._011=## Only supports two tokens now: G&D Smart Cafe 6 and Smart Cafe 7, use these exact settings
tks.defKeySet._013=## Smart Cafe 6 settings:
tks.defKeySet._014=## tks.defKeySet.prot3.divers=emv
tks.defKeySet._015=## tks.defKeySet.prot3.diversVer1Keys=emv
tks.defKeySet._016=## tks.defKeySet.prot3.devKeyType=DES3
tks.defKeySet._017=## tks.defKeySet.prot3.masterKeyType=DES3
tks.defKeySet._018=## Smart Cafe 7 settings:
tks.defKeySet._019=## tks.defKeySet.prot3.divers=none
tks.defKeySet._020=## tks.defKeySet.prot3.diversVer1Keys=none
tks.defKeySet._021=## tks.defKeySet.prot3.devKeyType=AES
tks.defKeySet._022=## tks.defKeySet.prot3.masterKeyType=AES
tks.defKeySet._023=##
tks.defKeySet._024=##
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0091-SCP03-support-for-g-d-sc-7-card.patch
Type: text/x-patch
Size: 28917 bytes
Desc: not available
URL:

From edewata at redhat.com Thu Mar 30 22:36:47 2017
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 30 Mar 2017 17:36:47 -0500
Subject: [Pki-devel] [PATCH] 1018-1020 Removed duplicate constants.
Message-ID:

Some constants in RollingLogFile have been replaced with their equivalents in the Constants class.

Pushed to master under trivial rule.

--
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-1018-Removed-duplicate-PROP_ROLLOVER_INTERVAL-constant.patch
Type: text/x-patch
Size: 5234 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-1019-Removed-duplicate-PROP_MAX_FILE_SIZE-constant.patch
Type: text/x-patch
Size: 3103 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-1020-Removed-duplicate-PROP_EXPIRATION_TIME-constant.patch
Type: text/x-patch
Size: 4536 bytes
Desc: not available
URL:
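The SCP03 patch above moves the TKS to an AES master key and, for the Smart Cafe 7 settings (divers=none, masterKeyType=AES), to undiversified static keys. What the TKS then has to compute on every secure-channel setup is the SCP03 session key derivation and cryptogram check. The Go program below is an added example of that computation; it is not the patch's Java code nor anything in Dogtag, and the static keys and challenges in it are constructed test values. It follows the GlobalPlatform Card Specification v2.2 Amendment D: the KDF is AES-CMAC in counter mode over a 32-byte derivation block (11 zero bytes, a derivation constant, 0x00, the output length in bits, a counter, then host challenge || card challenge), with constants 0x04 for S-ENC, 0x06 for S-MAC, 0x07 for S-RMAC, 0x00 for the card cryptogram and 0x01 for the host cryptogram. Key diversification (the emv/visa2 modes for version-one keys), APDU framing and command MAC chaining are not shown; the example only covers the undiversified key path.

```go
// Added example (not part of the SCP03 patch or of Dogtag TKS): SCP03 session key
// derivation and card-cryptogram verification from static AES-128 keys.
// Keys and challenges below are constructed test values, not real card material.
package main

import (
	"crypto/aes"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// SCP03 derivation constants (GP Card Spec v2.2 Amendment D).
const (
	dcCardCryptogram byte = 0x00
	dcHostCryptogram byte = 0x01
	dcSENC           byte = 0x04
	dcSMAC           byte = 0x06
	dcSRMAC          byte = 0x07
)

func xorBlock(dst, a, b []byte) {
	for i := range dst {
		dst[i] = a[i] ^ b[i]
	}
}

// dbl doubles a 128-bit value in GF(2^128) (the SP 800-38B subkey step, R = 0x87).
func dbl(in []byte) []byte {
	out := make([]byte, 16)
	var carry byte
	for i := 15; i >= 0; i-- {
		out[i] = in[i]<<1 | carry
		carry = in[i] >> 7
	}
	if carry != 0 {
		out[15] ^= 0x87
	}
	return out
}

// aesCMAC is AES-CMAC per NIST SP 800-38B / RFC 4493 for a 16-byte key.
func aesCMAC(key, msg []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	l := make([]byte, 16)
	block.Encrypt(l, make([]byte, 16)) // L = AES_K(0^128)
	k1 := dbl(l)
	k2 := dbl(k1)

	n := (len(msg) + 15) / 16
	last := make([]byte, 16)
	switch {
	case n == 0: // empty message: pad 10..0 and use K2
		n = 1
		last[0] = 0x80
		xorBlock(last, last, k2)
	case len(msg)%16 == 0: // complete final block: use K1
		xorBlock(last, msg[(n-1)*16:], k1)
	default: // partial final block: pad 10..0 and use K2
		copy(last, msg[(n-1)*16:])
		last[len(msg)%16] = 0x80
		xorBlock(last, last, k2)
	}
	x := make([]byte, 16)
	y := make([]byte, 16)
	for i := 0; i < n-1; i++ {
		xorBlock(y, x, msg[i*16:(i+1)*16])
		block.Encrypt(x, y)
	}
	xorBlock(y, x, last)
	block.Encrypt(x, y)
	return x, nil
}

// scp03KDF runs the SCP03 KDF (CMAC counter mode, SP 800-108) for up to 128 bits:
// label(11 x 0x00 || constant) || 0x00 || L(bits, 2 bytes) || i=0x01 || context.
func scp03KDF(key []byte, constant byte, outBits uint16, context []byte) ([]byte, error) {
	if outBits == 0 || outBits > 128 || outBits%8 != 0 {
		return nil, fmt.Errorf("unsupported output length %d bits", outBits)
	}
	data := make([]byte, 11, 16+len(context))
	data = append(data, constant, 0x00, byte(outBits>>8), byte(outBits), 0x01)
	data = append(data, context...)
	mac, err := aesCMAC(key, data)
	if err != nil {
		return nil, err
	}
	return mac[:outBits/8], nil
}

// SessionKeys are the SCP03 session keys for one secure channel.
type SessionKeys struct {
	SENC, SMAC, SRMAC []byte
}

// DeriveSessionKeys derives S-ENC from Key-ENC and S-MAC/S-RMAC from Key-MAC
// using context = hostChallenge || cardChallenge (8 bytes each).
func DeriveSessionKeys(keyENC, keyMAC, hostChallenge, cardChallenge []byte) (*SessionKeys, error) {
	if len(hostChallenge) != 8 || len(cardChallenge) != 8 {
		return nil, fmt.Errorf("challenges must be 8 bytes")
	}
	ctx := append(append([]byte{}, hostChallenge...), cardChallenge...)
	senc, err := scp03KDF(keyENC, dcSENC, 128, ctx)
	if err != nil {
		return nil, err
	}
	smac, err := scp03KDF(keyMAC, dcSMAC, 128, ctx)
	if err != nil {
		return nil, err
	}
	srmac, err := scp03KDF(keyMAC, dcSRMAC, 128, ctx)
	if err != nil {
		return nil, err
	}
	return &SessionKeys{SENC: senc, SMAC: smac, SRMAC: srmac}, nil
}

// Cryptogram computes the 8-byte card (0x00) or host (0x01) cryptogram with S-MAC.
func (s *SessionKeys) Cryptogram(constant byte, hostChallenge, cardChallenge []byte) ([]byte, error) {
	ctx := append(append([]byte{}, hostChallenge...), cardChallenge...)
	return scp03KDF(s.SMAC, constant, 64, ctx)
}

// VerifyCardCryptogram checks the cryptogram the card returned in INITIALIZE UPDATE.
func (s *SessionKeys) VerifyCardCryptogram(hostChallenge, cardChallenge, received []byte) bool {
	expected, err := s.Cryptogram(dcCardCryptogram, hostChallenge, cardChallenge)
	if err != nil || len(received) != 8 {
		return false
	}
	return subtle.ConstantTimeCompare(expected, received) == 1
}

func main() {
	// Constructed sample material: the GP default test key and fixed challenges.
	key, _ := hex.DecodeString("404142434445464748494a4b4c4d4e4f")
	host, _ := hex.DecodeString("0102030405060708")
	card, _ := hex.DecodeString("1112131415161718")
	sk, err := DeriveSessionKeys(key, key, host, card)
	if err != nil {
		panic(err)
	}
	cc, _ := sk.Cryptogram(dcCardCryptogram, host, card)
	hc, _ := sk.Cryptogram(dcHostCryptogram, host, card)
	fmt.Printf("S-ENC %x\nS-MAC %x\nS-RMAC %x\n", sk.SENC, sk.SMAC, sk.SRMAC)
	fmt.Printf("card cryptogram %x, host cryptogram %x\n", cc, hc)
	fmt.Println("card cryptogram verifies:", sk.VerifyCardCryptogram(host, card, cc))
}
```

The TKS side would feed the host challenge it sent and the card challenge from the INITIALIZE UPDATE response into DeriveSessionKeys, reject the session unless VerifyCardCryptogram passes, and only then return the host cryptogram for EXTERNAL AUTHENTICATE. The CMAC is implemented in-line because the Go standard library has no CMAC; in the Java TKS the same primitive would come from the NSS/JSS side.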
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 30 Mar 2017 20:45:18 -0500
Subject: [Pki-devel] [PATCH] 1021 Fixed default subsystems for top-level CLI commands.
Message-ID:

The top-level CLI commands have been modified to get the subsystem name from the parent subsystem CLI if available; otherwise they will use a hard-coded default value.

https://pagure.io/dogtagpki/issue/2626

Pushed to master under trivial rule.

--
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-1021-Fixed-default-subsystems-for-top-level-CLI-commands.patch
Type: text/x-patch
Size: 7141 bytes
Desc: not available
URL:

From edewata at redhat.com Fri Mar 31 03:19:22 2017
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 30 Mar 2017 22:19:22 -0500
Subject: [Pki-devel] [PATCH] 1022-1023 Fixed some pylint errors.
Message-ID: <30ab30f4-1d24-8856-2694-267deba7b36f@redhat.com>

Fixed pylint errors in pki.authority and pki.server.cli.subsystem.

https://pagure.io/dogtagpki/issue/2627

Pushed to master under trivial rule.

--
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-1022-Fixed-pylint-errors-in-pki.server.cli.subsystem.patch
Type: text/x-patch
Size: 1644 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-1023-Fixed-pylint-error-in-pki.authority.patch
Type: text/x-patch
Size: 893 bytes
Desc: not available
URL:

From edewata at redhat.com Fri Mar 31 17:48:28 2017
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 31 Mar 2017 12:48:28 -0500
Subject: [Pki-devel] [PATCH] 1024 Removed redundant Context attributes.
Message-ID: <8faf18dd-ffbe-dbce-cdfe-085126e8549e@redhat.com>

All subclasses of PKIService have been modified to remove the Context attribute since it has been declared in the base class.

Pushed to master under trivial rule.

--
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-1024-Removed-redundant-Context-attributes.patch
Type: text/x-patch
Size: 30238 bytes
Desc: not available
URL:

From edewata at redhat.com Fri Mar 31 17:48:32 2017
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 31 Mar 2017 12:48:32 -0500
Subject: [Pki-devel] [PATCH] 1025 Refactored AuditCLI.
Message-ID:

The AuditCLI has been modified to create the AuditClient with lazy initialization.

Pushed to master under trivial rule.

--
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-1025-Refactored-AuditCLI.patch
Type: text/x-patch
Size: 3193 bytes
Desc: not available
URL:

From edewata at redhat.com Fri Mar 31 22:36:14 2017
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 31 Mar 2017 17:36:14 -0500
Subject: [Pki-devel] [PATCH] Added CLIs to manage audit log files.
Message-ID:

These patches add new pki audit commands to list, retrieve, and remove audit log files.

https://review.gerrithub.io/355356
https://review.gerrithub.io/355357
https://review.gerrithub.io/355358

--
Endi S. Dewata