[Pki-devel] [PATCH] Ticket-2619-Allow-CA-to-process-user-signed-CMC-revo.patch

2017-06-07 Thread Christina Fu 
This patch is the implementation for ticket 
https://pagure.io/dogtagpki/issue/2619 Allow CA to process pre-signed 
CMC revocation non-signing cert requests


Patch description in patch comment area.

please review.

thanks,

Christina

>From c6a7a2024cddfb47a17e2c0f0309b93b656e8f53 Mon Sep 17 00:00:00 2001
From: Christina Fu 
Date: Tue, 30 May 2017 14:12:06 -0700
Subject: [PATCH] Ticket #2619 Allow CA to process user-signed CMC revocation
 requests First of all, the original CMC revocation only supports agent-signed
 CMC revocation requests from the UI where CMCRevReqServlet handles it with
 CMCAuth.  It is in violation with https://tools.ietf.org/html/rfc5273 CMC
 Transport Protocols, as for HTTP/HTTPS, the body of the message is the binary
 value of the BER encoding of the PKI Request or Response,so HTML is not an
 approved method.The other way is through profileSubmitCMCFullServlet (or
 maybe not, as it was completely broken).

One thing that's much less crucial, but goes along with rfc update is the name of the revocation request ASN1 structure. In the new rfc5272, it is now called RevokeRequest insead of RevRequest.

This patch revamped the CMC revocation provision and fixing what's broken and adding what's missing.

On the client side:

CMCRequest

- Commented out the code where it made an assumption to use OtherMsg for the signer information. This makes no sense as the outer layer SignedData would have the same information when signing happens.

- removed the revRequest.nickname parameter from the configuration.  From the code it seems like it expects the certificate to be revoked to exist in the user database, and it uses the same certificate to sign the revocation request.  The RFC does allow for self-signed revocation, but it also allows for signing with another certificate provided that it has same subject.  By removing the revRequest.nickname parameter, I am using the "nickname" parameter as the signer cert, which may or may not be the same certificate specified in revRequest.serial.  It is less confusing. The change also eliminate the need for the cert to be revoked to be present in the db.  In addition, revRequest.issuer only needs to be specified if revRequest.sharedSecret is used. The code will extract the issuer info from the signing cert.

- added support for unsigned data in support of shared secret in both CMCRequest and server;  The original code assumed that a cmc revocation request that relies on shared secret still requires agent signing.

CMCRevoke

- The original code assumed that the nss db password is the same as Shared Secret (!!).  This patch added a "-t" to accept shred secret, and keep the -p for the nss db password.

- The original code printed out b64 encoded request to the screen output as well as the file CMCRevoke.out.  Both are unusable directly.  This patch fixes it so that the output to the screen can be directly copied and pasted into the CMC revocate ui at ee (processed by CMCRevReqServlet);  Again, this is not RFC conforming, but I fixed it anyways;

- The output to the file CMCRevoke.out has been fixed so that it is the BER encoding of the request, which can be fed directly into the updated server that now conforms to the RFC (see below)

- This code still requires the signer certificate nickname to run, making the shared secret method moot.  Since CMCRequest has been updated to work properly, we can leave this for now.

On the server side.

CMCUserSignedAuth has been updated to handle unsigned DATA;  Recall that the original CMC revocation only handled SIGNED_DATA (making assumption that agent always signs the requests).  This addition is important to support shared secrets properly.

Another thing that's important change on the server side is that it now checks the revoking cert's subject against the signer's subject, if authenticated by CMCUserSignedAuth.  The original code did not do that, I think it is because it always checks if it's an agent or not.

Something that could be improved on is to have its own servlet.  However, due to the time restriction, I only updated existing EnrollProfile, ProfileSubmitCMCServlet, and CMCOutputTemplate to handle the rfc conforming cmc revocation requests.

The shared secret handling is left in the CMCOutputTemplate for now.  Logically it would make sense to go into CMCUserSignedAuth. This could be left as a possible later ticket for improvement.   Shared Token plugin implementation will be added in later ticket as well.

Previously missed signing cert validation is also added for more complete check.
Some SHA1 are turned into SHA2

Finally, some auditing are added, but it is not finalized.  It will be done in the next ticket(s).
---
 base/common/src/com/netscape/certsrv/apps/CMS.java |  10 +
 .../src/com/netscape/certsrv/apps/ICMSEngine.java  |   8 +
 .../com/netscape/certsrv/base/SessionContext.java  |   5 +
 .../src/com/netscape/cmstools/CMCRequest.java  | 245 -
 .../src/com/netscape/cmstools/CMCRevoke.j

[Pki-devel] Updated Dogtag packages for Fedora 27, 26, and 25 . . .

2017-06-07 Thread Matthew Harmsen 

Everyone,

The following Dogtag packages have been updated on Fedora 27 (rawhide):

 * tomcatjss-7.2.3-1.fc27
   
 * dogtag-pki-10.4.7-1.fc27
   
 * dogtag-pki-theme-10.4.7-1.fc27
   
 * pki-core-10.4.7-1.fc27
   
 * pki-console-10.4.7-1.fc27
   

Additionally, these builds were used to generate their Fedora 25 and 
Fedora 26 equivalents as stored in the following COPR repos 
(https://copr.fedorainfracloud.org/coprs/g/pki/10.4/):


 * Fedora 25 and 26 (e. g. - /etc/yum.repos.d/pki-fedora.repo):

   [group_pki-10.4]
   name=Copr repo for 10.4 owned by @pki
   
baseurl=https://copr-be.cloud.fedoraproject.org/results/@pki/10.4/fedora-$releasever-$basearch/
   type=rpm-md
   skip_if_unavailable=True
   gpgcheck=1
   
gpgkey=https://copr-be.cloud.fedoraproject.org/results/@pki/10.4/pubkey.gpg
   repo_gpgcheck=0
   enabled=1
   enabled_metadata=1

Thanks,
-- Matt

___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel