Re: [Pki-devel] ACME Support: Error issuing certificate

2020-06-01 Thread Endi Sukma Dewata
- Original Message -
> > Hi -
> > 
> > My team is adding ACME 2.0 client support to the Open Liberty application
> > server and wanted to test against Dogtag PKI's ACME server. My intention is
> > to containerize the ACME server and drive it through the same functional
> > tests we run against other ACME CA servers (i.e. - Pebble and Boulder for
> > instance) to verify compatibility.
> > 
> > The first error I hit was an issue with using JSS 4.7 and I understand that
> > will be fixed by PR https://github.com/dogtagpki/jss/pull/532 .
> >
> > [snip]
> >
> > To move past this error, I was advised to move down to JSS 4.6.2. Upon
> > doing
> > so, I made it past the initial error but now hit the following error:
> >
> > [snip]
> >
> > I can see in the ACME server's trace that it does indeed authorize my
> > ownership of the domain and then try to issue the certificate. Examining
> > the
> > AcmeIssuer class shows that this class has several methods that are not
> > implemented.
> > 
> > https://github.com/dogtagpki/pki/blob/master/base/acme/src/main/java/org/dogtagpki/acme/issuer/ACMEIssuer.java#L61
> > Is this expected or is it possible I have a misconfiguration? I assume I am
> > testing too early and need to wait until the implementation is further
> > along, but I wanted to test early enough that if there were issues I could
> > detect them earlier rather than later.
> > 
> > If it matters, I am testing with the image from @pki/master on a Fedora
> > 30 docker container.
> 
> Hi Jesse,
> 
> Thanks for your interest in Dogtag PKI and particularly the ACME responder.
> Please note that the ACME responder itself is not a CA; it requires another
> CA to issue the certificates. Currently the only supported CA is Dogtag PKI
> CA which is connected through PKIIssuer:
> https://github.com/dogtagpki/pki/blob/master/base/acme/src/main/java/org/dogtagpki/acme/issuer/PKIIssuer.java
> 
> The ACMEIssuer is just a base class. It's possible to support other CAs
> by extending ACMEIssuer. If you would like to add support for another issuer
> upstream feel free to submit a pull request. We have a prototype for OpenSSL
> that we might add later.
> 
> The issue with JSS is correct, and we're still working to fix it.
> 
> The unimplemented ACMEIssuer issue seems to be caused by a missing CA. Please
> follow these docs to install 389 DS, then install Dogtag PKI CA:
> https://www.dogtagpki.org/wiki/Installing_DS
> https://github.com/dogtagpki/pki/blob/master/docs/installation/Installing_CA.md
> 
> Then follow these docs to install and verify ACME:
> https://github.com/dogtagpki/pki/blob/master/docs/installation/Installing_ACME_Responder.md
> https://github.com/dogtagpki/pki/blob/master/docs/user/Using_ACME_Responder.md
> 
> Officially we do not support containerization yet, but it's possible to run
> ACME, CA, and DS in containers under some scenarios.
> 
> If you run Fedora 30 as a local Docker container, you can execute commands in
> the container to install ACME, CA, and DS like regular Fedora applications.
> 
> However, if you want to run each of them as a single process in separate
> Docker containers, it is possible with some code changes and tricks:
> https://www.dogtagpki.org/wiki/PKI_ACME_Container
> https://www.dogtagpki.org/wiki/PKI_CA_Container
> https://www.dogtagpki.org/wiki/DS_Container
> 
> Similarly, here are the docs for OpenShift deployment:
> https://www.dogtagpki.org/wiki/PKI_ACME_OpenShift
> https://www.dogtagpki.org/wiki/PKI_CA_OpenShift
> https://www.dogtagpki.org/wiki/DS_OpenShift
> 
> Please note that the wiki is used for development, so the content might be
> outdated. The official docs are on GitHub.
> 
> The ACME responder is easier to containerize. We might be able to officially
> support its containerization soon. However, the CA might be more difficult
> due to its dependency on systemd and other issues. The DS seems to require at
> least some code changes.
> 
> If you want to test ACME containerization, you probably can install ACME
> in a container with CA and DS running on the host machine. If you just want
> to test ACME compatibility without containerization, it might be best to
> install ACME, CA, and DS on a regular machine for now.
> 
> Hope this helps. Let me know if you have any questions.
> 
> --
> Endi S. Dewata

Hi Jesse,

I was just wondering if you managed to test against the ACME server.
FYI, we're working on adding an embedded CA into the ACME server so
it can be containerized more easily without dependency on a separate
CA. Hopefully we will have something usable by the end of the month.

--
Endi S. Dewata

___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel



Re: [Pki-devel] ACME Support: Error issuing certificate

2020-05-05 Thread Endi Sukma Dewata
- Original Message -
> Hi -
> 
> My team is adding ACME 2.0 client support to the Open Liberty application
> server and wanted to test against Dogtag PKI's ACME server. My intention is
> to containerize the ACME server and drive it through the same functional
> tests we run against other ACME CA servers (i.e. - Pebble and Boulder for
> instance) to verify compatibility.
> 
> The first error I hit was an issue with using JSS 4.7 and I understand that
> will be fixed by PR https://github.com/dogtagpki/jss/pull/532 .
>
> [snip]
>
> To move past this error, I was advised to move down to JSS 4.6.2. Upon doing
> so, I made it past the initial error but now hit the following error:
>
> [snip]
>
> I can see in the ACME server's trace that it does indeed authorize my
> ownership of the domain and then try to issue the certificate. Examining the
> AcmeIssuer class shows that this class has several methods that are not
> implemented.
> 
> https://github.com/dogtagpki/pki/blob/master/base/acme/src/main/java/org/dogtagpki/acme/issuer/ACMEIssuer.java#L61
> Is this expected or is it possible I have a misconfiguration? I assume I am
> testing too early and need to wait until the implementation is further
> along, but I wanted to test early enough that if there were issues I could
> detect them earlier rather than later.
> 
> If it matters, I am testing with the image from @pki/master on a Fedora
> 30 docker container.

Hi Jesse,

Thanks for your interest in Dogtag PKI and particularly the ACME responder.
Please note that the ACME responder itself is not a CA; it requires another
CA to issue the certificates. Currently the only supported CA is Dogtag PKI
CA which is connected through PKIIssuer:
https://github.com/dogtagpki/pki/blob/master/base/acme/src/main/java/org/dogtagpki/acme/issuer/PKIIssuer.java

The ACMEIssuer is just a base class. It's possible to support other CAs
by extending ACMEIssuer. If you would like to add support for another issuer
upstream feel free to submit a pull request. We have a prototype for OpenSSL
that we might add later.

The issue with JSS is correct, and we're still working to fix it.

The unimplemented ACMEIssuer issue seems to be caused by a missing CA. Please
follow these docs to install 389 DS, then install Dogtag PKI CA:
https://www.dogtagpki.org/wiki/Installing_DS
https://github.com/dogtagpki/pki/blob/master/docs/installation/Installing_CA.md

Then follow these docs to install and verify ACME:
https://github.com/dogtagpki/pki/blob/master/docs/installation/Installing_ACME_Responder.md
https://github.com/dogtagpki/pki/blob/master/docs/user/Using_ACME_Responder.md

Officially we do not support containerization yet, but it's possible to run
ACME, CA, and DS in containers under some scenarios.

If you run Fedora 30 as a local Docker container, you can execute commands in
the container to install ACME, CA, and DS like regular Fedora applications.

However, if you want to run each of them as a single process in separate
Docker containers, it is possible with some code changes and tricks:
https://www.dogtagpki.org/wiki/PKI_ACME_Container
https://www.dogtagpki.org/wiki/PKI_CA_Container
https://www.dogtagpki.org/wiki/DS_Container

Similarly, here are the docs for OpenShift deployment:
https://www.dogtagpki.org/wiki/PKI_ACME_OpenShift
https://www.dogtagpki.org/wiki/PKI_CA_OpenShift
https://www.dogtagpki.org/wiki/DS_OpenShift

Please note that the wiki is used for development, so the content might be
outdated. The official docs are on GitHub.

The ACME responder is easier to containerize. We might be able to officially
support its containerization soon. However, the CA might be more difficult
due to its dependency on systemd and other issues. The DS seems to require at
least some code changes.

If you want to test ACME containerization, you probably can install ACME
in a container with CA and DS running on the host machine. If you just want
to test ACME compatibility without containerization, it might be best to
install ACME, CA, and DS on a regular machine for now.

Hope this helps. Let me know if you have any questions.

--
Endi S. Dewata




Re: [Pki-devel] ACME certificate IDs

2020-03-20 Thread Endi Sukma Dewata
- Original Message -
> > Let me backtrack a little bit. Is there a plan to modify Dogtag to
> > eventually support different serial number domains? If not, this is
> > not an issue for Dogtag.
>
> There is no plan to do so.  It is not an issue for Dogtag.  But
> still, I feel basing certificate ID on only serial number is not a
> robust approach in general.
> 
> > If there is such plan, will the issuer DN
> > be unique across LWCAs? If issuer DN will be unique, it's something
> > to consider. If not, (issuer DN, serial number) will not be unique
> > either, so we need to use something else such as authority ID.
> > 
> > Or is there another backend with multiple issuers that we want to
> > support in the future? The cert ID will have to be something like
> > (issuer ID, serial number) where the issuer ID is unique for the
> > backend. If the issuer DN is unique, it can be used as the issuer
> > ID. Otherwise, it needs to be a backend-specific unique ID similar
> > to authority ID in Dogtag.
>
> All certs must have unique (issuer,serial).  This is implied by the
> requirement that all certs from a given issuer must have different
> serial numbers.
> 
> > We need to consider these possibilities before changing the cert ID.
> > On the other hand, I'm still not sure it's actually necessary to
> > include these information into cert ID.
> > 
> > Let's look at the code. For cert enrollment (ACMEFinalizeOrderService)
> > we convert the serial number that we get from ACMEBackend into cert ID:
> > 
> >   BigInteger serialNumber = backend.issueCertificate(csr);
> >   String certID =
> >   Base64.encodeBase64URLSafeString(serialNumber.toByteArray());
> > 
> > We can change it so ACMEBackend can generate the cert ID like this:
> > 
> >   String certID = backend.issueCertificate(csr);
> > 
> 
> I strongly agree with pushing the certID generation into the
> ACMEBackend.  Stepping away from the whole (issuer,serial)
> discussion, say (for example) the only "handle" a backend has for
> accessing a cert is a UUID.  Then storing the serial number is no
> good - you cannot derive the UUID handle from the serial number.
> 
> So the backend must generate the (String) certID that is appropriate
> for that backend.
> 
> > If the cert ID is (issuer DN, serial number), we can generate the
> > cert ID from the new cert. But does the backend return the new cert
> > or just the serial number?
> >
> Yeah, good question; of course you must be able to retrieve the
> cert (and therefore you can learn the Issuer DN) but this could mean
> another round-trip to Dogtag.  Which is the next thing you said :)
> 
> > If the serial number is not unique, the
> > backend might need to be changed to return the cert itself so we
> > can get the issuer DN.
> > 
> > If the cert ID is (authority ID, serial number), how do we get the
> > authority ID since it's not included in the cert? The backend might
> > need to be changed to return the authority ID along with the new
> > cert, or to provide a way to look up the authority ID using a cert.
> >
> I am not suggesting to use the authority ID.  But FWIW Dogtag does
> enforce that Issuer DN <-> Authority ID is a bijection.
> 
> > 
> > For cert retrieval (ACMECertificateService) we're passing the cert ID
> > to ACMEBackend:
> > 
> >   String certChain = backend.getCertificateChain(certID);
> > 
> > The ACMEBackend can extract the issuer DN or authority ID from the
> > cert ID so it can retrieve the cert from the backend again.
> > 
> > Since we get the cert during enrollment anyway, we can actually store
> > it into ACME database like this:
> > 
> >   String certChain = backend.issueCertificate(csr);
> >   String certID = database.addCert(certChain, orderID, accountID,
> >   expirationTime);
> > 
> > Later we can simply retrieve it from the database instead of calling
> > the backend again:
> > 
> >   String certChain = database.getCertificateChain(certID);
> > 
> As I said in previous email, I am opposed to storing the cert
> (chain) in the ACME database.  If some backend requires it e.g.
> because the backend itself does not store the cert, then it can be
> optional.  But we do not need that now.
> 
> > Here the cert ID can simply be a unique ID generated by the database.
> > Unlike earlier, the backend doesn't need to know about cert ID at all.
> > 
> > For cert revocation (ACMERevokeCertificateService) the client will
> > only provide the cert binaries. It doesn't provide the cert ID.
> > 
> And the ACMEBackend implementation receives the cert, and must work
> out what to do with it.  How it tells the backend system to revoke
> the certificate, and whether that process even involves a string
> CertID handle, or just a serial number, or the (issuer,serial) pair,
> or whatever, depends on the backend system.  But I think that the
> current interface:
> 
> public void revokeCert(ACMERevocation revocation) ...
> 
> ... is suitable.
> 
> > Currently the ACMEEngine.validateRevocation() will 

Re: [Pki-devel] ACME certificate IDs

2020-03-19 Thread Endi Sukma Dewata
- Original Message -
> > > Currently on ACMEBackend interface we have
> > > 
> > >   public BigInteger issueCertificate(String csr);
> > > 
> > > I think this is a bit of a problem.  e.g. Dogtag currently supports
> > > multiple issuers (LWCAs).  It is incidental that serial numbers do
> > > not collide.  This might not hold for other backends.  Yet we need
> > > the certificate ID to uniquely identify the certificate, so that we
> > > can retrieve it, revoke it, etc.
> > > 
> > > I suggest changing the return value to a string (which is how it
> > > gets stored in the ACMEOrder object anyway).
> > > 
> > > I'd further suggest that by convention, where possible, the string
> > > be a representation of issuer+serial, which is a bit nicer for
> > > humans looking at the stored objects than a base64url-encoded
> > > big-endian bigint.
> >
> > I agree there is a problem, but I'm not sure about using issuer+serial
> > as certificate ID. What do we use as "issuer", is it the issuer DN
> > or the authority ID?
>
> The issuer DN.
> 
> > Is issuer DN unique enough?
>
> (issuer, serial) pair must be globally unique.
> 
> > How do we join with the serial number?
> > What format do we use for serial number?
>
> Doesn't really matter as long as it is unambiguous.  For example,
> serial as decimal number, followed by ';', followed by string
> representation of Issuer DN.
> 
> > What if we need to add another field in the future? It seems there's going
> > to
> > be many questions/issues with this solution.
>
> It is up to the ACMEBackend to produce a certificate ID.  I'm simply
> proposing this because a backend could contain multiple CAs with
> separate serial number domains, hence deriving certificate ID from
> serial number alone would not be unique.  The idea of
> (issuer,serial) pair is just a suggested convention.  Some backends
> e.g. might prefer UUIDs or whatever makes it easy to retrieve a
> certificate/chain.
>
> > How about this instead?
> > 
> > 1. Change issueCertificate() to return the full cert chain.
> > 2. Store the cert chain in a "certs" table in ACME database.
> > 3. Autogenerate the cert ID for each cert record.
> > 4. Store the account ID in the cert record.
> > 5. Store the cert ID in the order record.
> > 
> > So a copy of the cert will be stored in ACME database. The cert
> > ID will be unique for that particular ACME server. We don't need
> > to include the issuer DN/ID. The cert serial number will not matter
> > either. We can also use the certs table to authorize revocation
> > requests.
>
> I thought about this a little while back, and I prefer the current
> approach of storing an identifier as a "handle" to retrieve the cert
> from the backend.  Cert objects will increase the size of
> records/objects significantly.  For the LDAP backend it could be a
> problem, both for disk usage but in particular for replication.
> 
> I'm OK with the idea of *optional* certificate/chain storage in the
> ACME database, e.g. for backends that do not support retrieval.  But
> I don't think we need that with the current backends (certainly not
> with the PKIBackend).
> 
> > The cert ID is not meant to be human readable anyway (as
> > shown in RFC 8555).
>
> But it doesn't matter if it is human readable.  Either way, storing
> only the serial number is not enough IMO.

Let me backtrack a little bit. Is there a plan to modify Dogtag to
eventually support different serial number domains? If not, this is
not an issue for Dogtag. If there is such plan, will the issuer DN
be unique across LWCAs? If issuer DN will be unique, it's something
to consider. If not, (issuer DN, serial number) will not be unique
either, so we need to use something else such as authority ID.

Or is there another backend with multiple issuers that we want to
support in the future? The cert ID will have to be something like
(issuer ID, serial number) where the issuer ID is unique for the
backend. If the issuer DN is unique, it can be used as the issuer
ID. Otherwise, it needs to be a backend-specific unique ID similar
to authority ID in Dogtag.

We need to consider these possibilities before changing the cert ID.
On the other hand, I'm still not sure it's actually necessary to
include this information in the cert ID.

Let's look at the code. For cert enrollment (ACMEFinalizeOrderService)
we convert the serial number that we get from ACMEBackend into cert ID:

  BigInteger serialNumber = backend.issueCertificate(csr);
  String certID = Base64.encodeBase64URLSafeString(serialNumber.toByteArray());

We can change it so ACMEBackend can generate the cert ID like this:

  String certID = backend.issueCertificate(csr);

If the cert ID is (issuer DN, serial number), we can generate the
cert ID from the new cert. But does the backend return the new cert
or just the serial number? If the serial number is not unique, the
backend might need to be changed to return the cert itself so we
can get the issuer DN.

If the cert ID is (authority ID, 
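The cert ID question discussed above, as an added illustration (not Dogtag code): the serial-only ID that ACMEFinalizeOrderService currently derives from the BigInteger serial, beside the "<serial>;<issuer DN>" convention suggested in the thread, exercised against two hypothetical lightweight CAs that share a serial number domain. The class name, the two issuer DNs and the use of java.util.Base64 in place of commons-codec are assumptions made for the example.

```java
import java.math.BigInteger;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/*
 * Added illustration, not Dogtag code: contrasts a serial-only cert ID
 * with the (serial, issuer DN) convention when two issuers share a
 * serial number domain.
 */
public class CertIdDemo {

    /** Current scheme: base64url(serial.toByteArray()); the issuer is not encoded. */
    static String serialOnlyId(BigInteger serial) {
        // java.util.Base64 stands in for commons-codec's
        // Base64.encodeBase64URLSafeString: same alphabet, no padding.
        return Base64.getUrlEncoder().withoutPadding()
                     .encodeToString(serial.toByteArray());
    }

    /** Proposed convention: decimal serial, ';', then the issuer DN string. */
    static String issuerSerialId(String issuerDn, BigInteger serial) {
        if (serial.signum() <= 0) {
            throw new IllegalArgumentException("serial must be positive");
        }
        // The decimal serial cannot contain ';', so the first ';' always
        // separates it from the DN even if the DN itself contains ';'.
        return serial.toString(10) + ";" + issuerDn;
    }

    /** Inverse of issuerSerialId(): the handle a backend needs to fetch the cert again. */
    static String[] parseIssuerSerialId(String certId) {
        int sep = certId.indexOf(';');
        if (sep <= 0 || sep == certId.length() - 1) {
            throw new IllegalArgumentException("malformed cert ID: " + certId);
        }
        // Re-parse the serial so a non-numeric prefix is rejected here.
        String serial = new BigInteger(certId.substring(0, sep), 10).toString(10);
        return new String[] { serial, certId.substring(sep + 1) };
    }

    public static void main(String[] args) {
        // Constructed sample: two LWCAs that both issued serial 7.
        String rootDn = "CN=CA Signing Certificate,O=EXAMPLE";
        String subDn  = "CN=Sub CA Signing Certificate,O=EXAMPLE";
        BigInteger serial = BigInteger.valueOf(7);

        // Serial-only IDs collide: the second put() overwrites the first.
        Map<String, String> bySerial = new HashMap<>();
        bySerial.put(serialOnlyId(serial), rootDn);
        bySerial.put(serialOnlyId(serial), subDn);
        System.out.println("serial-only id " + serialOnlyId(serial)
                + " -> " + bySerial.size() + " record(s)");

        // Composite IDs stay distinct and parse back into a lookup key.
        Map<String, String> byIssuerSerial = new HashMap<>();
        byIssuerSerial.put(issuerSerialId(rootDn, serial), rootDn);
        byIssuerSerial.put(issuerSerialId(subDn, serial), subDn);
        System.out.println("composite ids -> " + byIssuerSerial.size() + " record(s)");
        for (String id : byIssuerSerial.keySet()) {
            String[] parts = parseIssuerSerialId(id);
            System.out.println("  serial=" + parts[0] + " issuer=" + parts[1]);
        }

        // Note on the current encoding: BigInteger.toByteArray() is two's
        // complement, so a serial with its top bit set gains a leading 0x00
        // byte (128 becomes the bytes 00 80), which is one reason the
        // serial-only ID is not simply the hex serial a human would expect.
        System.out.println("serial 128 -> " + serialOnlyId(BigInteger.valueOf(128)));
    }
}
```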

Re: [Pki-devel] [acme] getOrderByAuthorization() / orders and authorisations

2019-12-04 Thread Endi Sukma Dewata
- Original Message -
> Just want to flag something related to ACME orders and
> authorisations.
> 
> In ACME authorizations can be shared by multiple orders.  In fact
> you can also "preauthorize" your account for an identifier, so there
> can also be authorizations with no orders attached.
> 
> Does the way we have implemented the ACME service ensure that an
> authorization has only one order (or at most one order)?  If so, do
> we want it that way?  It entails that every identifier must be
> re-authorised upon every order.
> 
> Personally I think this is not the way we want to go.  Let me
> describe a scenario.
> 
> Client orders a cert for a.example.com, completes the authorisation
> for a.example.com, and gets the cert.
> 
> Shortly afterwards, they realise they also need b.example.com on the
> certificate.  So they make a new order with BOTH identifiers.
> 
> Should the client have to complete another authorisation for
> a.example.com, while their existing authorisation remains "fresh"
> (unexpired)?  It is valid to require the client to re-authorise
> every identifier for every order.  But it is not optimal.  Ideally
> we should observe that for the account there is already a
> non-expired authorisation for "a.example.com", and attach that to
> the order (along with the new authorisation for "b.example.com"
> which the client must complete).
> 
> Anyhow just some ideas as I proceed with the LDAP database
> implementation.  Let me know your thoughts.

I think you're right. The database schema itself does not limit
an authorization to one order, but the current code is making that
assumption.

We could change getOrderByAuthorization() to getOrdersByAuthorization(),
then move this code into a loop to process all orders associated with
that authorization:
https://github.com/dogtagpki/pki/blob/master/base/acme/src/org/dogtagpki/acme/server/ACMEChallengeService.java#L124-L144

If we want to reuse existing authorizations, we will need to modify this
code to find an existing authorization that is still valid instead of
creating a new one:
https://github.com/dogtagpki/pki/blob/master/base/acme/src/org/dogtagpki/acme/server/ACMENewOrderService.java#L72-L83

--
Endi S. Dewata
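The two changes proposed above (processing every order attached to an authorization, and reusing a still-valid authorization instead of creating a new one), as an added illustration that is not Dogtag code: an in-memory stand-in for the ACME database run through Fraser's a.example.com / b.example.com scenario. Class names, the 7-day authorization lifetime and the timestamps are assumptions made for the example.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.ArrayList;
import java.util.List;
import java.util.Optional;

/*
 * Added illustration, not Dogtag's ACMEDatabase: one authorization may
 * back several orders, and newOrder() reuses a valid, unexpired
 * authorization for the same account and identifier.
 */
public class AuthorizationReuseDemo {

    static final class Authorization {
        final String id, accountId, identifier;
        final Instant expires;
        String status = "pending";                 // RFC 8555 status values
        final List<String> orderIds = new ArrayList<>();
        Authorization(String id, String accountId, String identifier, Instant expires) {
            this.id = id; this.accountId = accountId;
            this.identifier = identifier; this.expires = expires;
        }
    }

    static final class Order {
        final String id;
        final List<String> authzIds = new ArrayList<>();
        Order(String id) { this.id = id; }
    }

    private final List<Authorization> authzStore = new ArrayList<>();
    private int seq = 0;

    /** Reuse rule: same account, same identifier, status valid, not yet expired. */
    Optional<Authorization> findValidAuthorization(String accountId, String identifier, Instant now) {
        return authzStore.stream()
                .filter(a -> a.accountId.equals(accountId))
                .filter(a -> a.identifier.equals(identifier))
                .filter(a -> "valid".equals(a.status))
                .filter(a -> a.expires.isAfter(now))
                .findFirst();
    }

    /** Plural replacement for getOrderByAuthorization(): every order backed by one authz. */
    List<String> getOrdersByAuthorization(String authzId) {
        return authzStore.stream()
                .filter(a -> a.id.equals(authzId))
                .findFirst()
                .map(a -> new ArrayList<>(a.orderIds))
                .orElseGet(ArrayList::new);
    }

    Authorization createPendingAuthorization(String accountId, String identifier, Instant now) {
        Authorization a = new Authorization("authz-" + (++seq), accountId, identifier,
                now.plus(Duration.ofDays(7)));     // assumed lifetime
        authzStore.add(a);
        return a;
    }

    /** Attach an existing valid authorization where one exists, else create a pending one. */
    Order newOrder(String accountId, List<String> identifiers, Instant now) {
        Order order = new Order("order-" + (++seq));
        for (String identifier : identifiers) {
            Authorization authz = findValidAuthorization(accountId, identifier, now)
                    .orElseGet(() -> createPendingAuthorization(accountId, identifier, now));
            authz.orderIds.add(order.id);          // one authz, possibly many orders
            order.authzIds.add(authz.id);
        }
        return order;
    }

    public static void main(String[] args) {
        AuthorizationReuseDemo db = new AuthorizationReuseDemo();
        Instant t0 = Instant.parse("2019-12-04T00:00:00Z");   // constructed timestamp

        // First order: a.example.com only; the client then completes its challenge.
        Order first = db.newOrder("acct-1", List.of("a.example.com"), t0);
        db.authzStore.get(0).status = "valid";

        // Shortly afterwards a second order names BOTH identifiers.
        Order second = db.newOrder("acct-1", List.of("a.example.com", "b.example.com"),
                t0.plus(Duration.ofHours(1)));

        for (String id : second.authzIds) {
            Authorization a = db.authzStore.stream().filter(x -> x.id.equals(id)).findFirst().get();
            System.out.println(second.id + " uses " + a.id + " for " + a.identifier
                    + " (" + a.status + ", orders=" + db.getOrdersByAuthorization(a.id) + ")");
        }

        // A different account gets a fresh pending authz; so would acct-1 after expiry.
        Order other = db.newOrder("acct-2", List.of("a.example.com"), t0.plus(Duration.ofHours(1)));
        System.out.println(other.id + " uses " + other.authzIds + " after " + first.id);
    }
}
```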




[Pki-devel] PKI 10.6.6 Release

2018-08-14 Thread Endi Sukma Dewata
Hi,

PKI 10.6.6 is now available upstream:
https://github.com/dogtagpki/pki/releases/tag/v10.6.6

Fedora 28 builds are available via the following update:
https://bodhi.fedoraproject.org/updates/FEDORA-2018-9132d6f913

Fedora 29 builds are available in Koji.

Fedora 27 builds are available in this COPR repository:
https://copr.fedorainfracloud.org/coprs/g/pki/10.6/

Thanks.

--
Endi S. Dewata



[Pki-devel] JSS 4.4 branching

2018-06-01 Thread Endi Sukma Dewata
Hi,

Just FYI, the JSS repository has been branched. The JSS_4_4_BRANCH
will be used for JSS 4.4.x maintenance. The master branch will be
used for JSS 4.5 development.

If you are fixing something in the 4.4 branch, please also fix it
in the master branch.

Thanks.

--
Endi S. Dewata



[Pki-devel] PKI 10.6.1 Release

2018-05-04 Thread Endi Sukma Dewata
Hi,

PKI 10.6.1 is now available upstream:
https://github.com/dogtagpki/pki/releases/tag/v10.6.1

Fedora 28 builds are available via the following update:
https://bodhi.fedoraproject.org/updates/FEDORA-2018-4f684aab1a

Fedora Rawhide builds are available in Koji.

Fedora 27 builds are available in this COPR repository:
https://copr.fedorainfracloud.org/coprs/g/pki/10.6/

Thanks.

--
Endi S. Dewata



[Pki-devel] PKI 10.6.0 and TomcatJSS 7.3.0

2018-05-01 Thread Endi Sukma Dewata
Hi,

PKI 10.6.0 and TomcatJSS 7.3.0 have officially been released
upstream and in Fedora 28:

https://github.com/dogtagpki/pki/releases/tag/v10.6.0
https://github.com/dogtagpki/tomcatjss/releases/tag/v7.3.0

Please note that there are no changes since the last Release
Candidate.

Thanks for your contributions!

--
Endi S. Dewata



[Pki-devel] TomcatJSS 7.3.0 Release Candidate

2018-04-12 Thread Endi Sukma Dewata
Hi,

TomcatJSS 7.3.0 Release Candidate is now available upstream:
https://github.com/dogtagpki/tomcatjss/releases/tag/v7.3.0-rc

Fedora 28 build is available via the following update:
https://bodhi.fedoraproject.org/updates/FEDORA-2018-a52fb8dd30

Fedora Rawhide build is available in Koji.

Fedora 27 build is available in this COPR repository:
https://copr.fedorainfracloud.org/coprs/g/pki/10.6/

Thanks.

--
Endi S. Dewata



[Pki-devel] PKI 10.6.0 Beta on Fedora

2018-03-19 Thread Endi Sukma Dewata
Hi,

PKI 10.6.0 Beta is now available on Fedora 28 Beta via the
following update:
https://bodhi.fedoraproject.org/updates/FEDORA-2018-2fd7295cb9

Fedora Rawhide builds are available in Koji.

Fedora 27 builds are available in PKI 10.6 COPR repository
(for development only):
https://copr.fedorainfracloud.org/coprs/g/pki/10.6/

Thanks.

--
Endi S. Dewata



Re: [Pki-devel] CMS.debug(Throwable e); stack trace suppressed?

2018-03-09 Thread Endi Sukma Dewata
Hi Fraser,

Yeah, there's a bug in the message formatter. Could you take a
look at this patch?
https://review.gerrithub.io/#/c/403387/

Here's some documentation (still work in progress):
http://pki.fedoraproject.org/wiki/PKI_10.6_Logging_Improvements

Thanks!

--
Endi S. Dewata

- Original Message -
> Hi,
> 
> It seems that with the change in logging backend, calls to
> CMS.debug(Throwable e) no longer print the stack trace.  The name of
> the exception is printed but the error message has been suppressed.
> 
> I couldn't work out why this is happening but in my working tree I'm
> carrying the below change to get the stack traces back.  Not sure if
> it's a "proper" way to fix it but it's doing the trick.
> 
> Cheers,
> Fraser
> 
> diff --git a/base/server/cmscore/src/com/netscape/cmscore/util/Debug.java
> b/base/server/cmscore/src/com/netscape/cmscore/util/Debug.java
> index 21e964c1a..135ca75bc 100644
> --- a/base/server/cmscore/src/com/netscape/cmscore/util/Debug.java
> +++ b/base/server/cmscore/src/com/netscape/cmscore/util/Debug.java
> @@ -20,6 +20,9 @@ package com.netscape.cmscore.util;
>  import java.util.Hashtable;
>  import java.util.StringTokenizer;
>  
> +import java.io.StringWriter;
> +import java.io.PrintWriter;
> +
>  import org.dogtagpki.util.logging.PKILogger;
>  
>  import com.netscape.certsrv.apps.CMS;
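Review bot: the new `java.io.StringWriter` and `java.io.PrintWriter` imports are placed after the `java.util` imports, which breaks the file's alphabetical grouping of `java.*` imports; move them above `import java.util.Hashtable;` so the block stays sorted.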
> @@ -167,7 +170,16 @@ public class Debug
>  if (!TRACE_ON)
>  return;
>  
> -CMS.logger.warn(e.getMessage(), e);
> +/*
> +String msg = e.getMessage(); // may be null
> +if (msg == null)
> +msg = e.toString();
> +CMS.logger.warn(msg, e);
> +*/
> +StringWriter sw = new StringWriter();
> +PrintWriter pw = new PrintWriter(sw);
> +e.printStackTrace(pw);
> +CMS.logger.warn(sw.toString());
>  }
>  
>  /**
> 
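Review bot: the commented-out block (`String msg = e.getMessage(); // may be null` through `CMS.logger.warn(msg, e);`) is dead code and should be dropped before this is committed; its null-message fallback (`msg = e.toString()`) is the one part worth keeping, since the original `CMS.logger.warn(e.getMessage(), e)` passes a possibly null message. Rendering the stack trace into a String by hand works as a stopgap, but it discards the throwable from the log event, so the logging backend can no longer treat it as an exception; that is why fixing the formatter (as the reply above proposes) is preferable to carrying this change.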



[Pki-devel] HTTP NIO Connector

2018-03-09 Thread Endi Sukma Dewata
Hi,

We have just implemented the switch to HTTP NIO connector
in the master branch:
https://github.com/dogtagpki/pki/commit/3be16204bed2bf075fbe894135ca7d59cd7b408d

See this page for explanation:
http://www.dogtagpki.org/wiki/PKI_10.6_HTTP_NIO_Connector_Support

If you have an existing PKI 10.6 (not 10.5) instance with HSM or
Nuxwdog, follow this procedure when you pull the latest code from
master branch:
http://www.dogtagpki.org/wiki/Upgrading_PKI_10.5_to_PKI_10.6

Note: PKI 10.6 is still under development, so it's not recommended to
upgrade from PKI 10.5 at this point.

Thanks.

--
Endi S. Dewata



Re: [Pki-devel] [PATCH] Fixed pylint errors (re-sent)

2017-05-31 Thread Endi Sukma Dewata

On 5/31/2017 6:30 PM, Matthew Harmsen wrote:

The attached patch was altered to change "args" ==> "argv" rather than
"argv" ==> "args" since it was discovered that a number of the routines
utilized "args" as a local variable that would have to be changed
if the "argv" input parameter were changed to "args".  Consequently,
this patch converts "args" ==> "argv".

Please review the attached patch which addresses the following issues:

  * dogtagpki Pagure Issue #2713 - Build failure due to Pylint issues


These changes were successfully compiled on a Fedora 27 machine with the
following packages:

  * python2-2.7.13-10.fc27.x86_64
  * python3-3.6.1-7.fc27.x86_64
  * pylint-1.7.1-1.fc27.noarch

Additionally, a CA instance was installed and configured, and the
following smoke test was run:

  * sudo certutil -d /root/.dogtag/pki-tomcat/ca/alias -L
  * sudo pki -d /root/.dogtag/pki-tomcat/ca/alias -C
/root/.dogtag/pki-tomcat/ca/password.conf -n "PKI Administrator for
example.com" -p 8080 ca-user-add testuser --fullName "Test User"
  * sudo certutil -d /root/.dogtag/pki-tomcat/ca/alias -L
  * sudo pki -d /root/.dogtag/pki-tomcat/ca/alias -C
/root/.dogtag/pki-tomcat/ca/password.conf -n "PKI Administrator for
example.com" -p 8080 client-cert-request uid=testuser
  * sudo pki -d /root/.dogtag/pki-tomcat/ca/alias -C
/root/.dogtag/pki-tomcat/ca/password.conf -n "PKI Administrator for
example.com" -p 8080 ca-cert-request-review 7 --action approve
  * sudo pki -d /root/.dogtag/pki-tomcat/ca/alias -C
/root/.dogtag/pki-tomcat/ca/password.conf -n "PKI Administrator for
example.com" -p 8080 ca-user-cert-add testuser --serial 0x7
  * sudo pki -d /root/.dogtag/pki-tomcat/ca/alias -C
/root/.dogtag/pki-tomcat/ca/password.conf -n "PKI Administrator for
example.com" -p 8080 client-cert-import testuser --serial 0x7
  * sudo certutil -d /root/.dogtag/pki-tomcat/ca/alias -L



Just one thing, I was under the impression that we're supposed to remove 
PKIServerUpgradeScriptlet.__init__() altogether.


Christian, could you take a look at this?

Everything else is good.

--
Endi S. Dewata



[Pki-devel] [PATCH] Updated debug logs in SystemConfigService.

2017-04-25 Thread Endi Sukma Dewata
Pushed to master under trivial rule.

https://github.com/dogtagpki/pki/commit/f902b0365f2cf92f14f0a814394cd025669b3ea8

--
Endi S. Dewata



[Pki-devel] [PATCH] Fixed missing IAuditor.log(AuditEvent).

2017-04-21 Thread Endi Sukma Dewata

The IAuditor has been modified to define a log() method for
AuditEvent object.

Pushed to master under trivial rule.

https://github.com/dogtagpki/pki/commit/ba32351d7c362e6b0e313cde0929c56f3f55ec5f

--
Endi S. Dewata



[Pki-devel] [PATCH] Added AdminServlet.audit(AuditEvent).

2017-04-20 Thread Endi Sukma Dewata

A new audit() method has been added to log AuditEvents in
AdminServlet.

Pushed to master under trivial rule.

https://github.com/dogtagpki/pki/commit/17e71d3ec1f52cc2e13590499dd70c5932885b20

--
Endi S. Dewata



[Pki-devel] [PATCH] Refactored additional line concatenation.

2017-04-20 Thread Endi Sukma Dewata

The code that concatenates lines has been simplified using
String.replace().

Pushed to master under trivial rule.

https://github.com/dogtagpki/pki/commit/6bb1757a035d3439a65aa604a19dcdf48b7b2dbc

--
Endi S. Dewata



[Pki-devel] [PATCH] Refactored line concatenation.

2017-04-19 Thread Endi Sukma Dewata

The code that concatenates lines has been simplified using
String.replace().

Pushed to master under trivial rule.

https://github.com/dogtagpki/pki/commit/46cc674dcb6ff09167c69391054b36bdcfb36cbb

--
Endi S. Dewata



[Pki-devel] [PATCH] AdminConnection cleanup by Eclipse.

2017-04-19 Thread Endi Sukma Dewata

Pushed to master under trivial rule.

https://github.com/dogtagpki/pki/commit/e12a9367108ca9dbdd2cc02f35f68be8d6865457

--
Endi S. Dewata


[Pki-devel] [PATCH] 1045 Fixed ClientIP field in SSL session audit log.

2017-04-13 Thread Endi Sukma Dewata

The PKIServerSocketListener has been fixed to obtain the correct
client IP address from SSL socket.

https://pagure.io/dogtagpki/issue/2602

Pushed to master under trivial rule.

--
Endi S. Dewata

From 0aebe0b9192d5c549cc3350926ecf42276dbccb0 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" 
Date: Thu, 13 Apr 2017 08:13:26 +0200
Subject: [PATCH] Fixed ClientIP field in SSL session audit log.

The PKIServerSocketListener has been fixed to obtain the correct
client IP address from SSL socket.

https://pagure.io/dogtagpki/issue/2602

Change-Id: I7d3b2dc14d6f442830ee5911613a0e9fc360cfba
---
 .../cms/src/org/dogtagpki/server/PKIServerSocketListener.java | 11 +++
 1 file changed, 3 insertions(+), 8 deletions(-)

diff --git a/base/server/cms/src/org/dogtagpki/server/PKIServerSocketListener.java b/base/server/cms/src/org/dogtagpki/server/PKIServerSocketListener.java
index 7016bc8ea02e216c8aca010d68b071001f97a698..093776f6f88a9224a6d3ba7d6c42011f1689a04d 100644
--- a/base/server/cms/src/org/dogtagpki/server/PKIServerSocketListener.java
+++ b/base/server/cms/src/org/dogtagpki/server/PKIServerSocketListener.java
@@ -18,8 +18,6 @@
 package org.dogtagpki.server;
 
 import java.net.InetAddress;
-import java.net.InetSocketAddress;
-import java.net.SocketAddress;
 import java.security.Principal;
 
 import org.mozilla.jss.crypto.X509Certificate;
@@ -45,8 +43,7 @@ public class PKIServerSocketListener implements SSLSocketListener {
 try {
 SSLSocket socket = event.getSocket();
 
-SocketAddress remoteSocketAddress = socket.getRemoteSocketAddress();
-InetAddress clientAddress = remoteSocketAddress == null ? null : ((InetSocketAddress)remoteSocketAddress).getAddress();
+InetAddress clientAddress = socket.getInetAddress();
 InetAddress serverAddress = socket.getLocalAddress();
 String clientIP = clientAddress == null ? "" : clientAddress.getHostAddress();
 String serverIP = serverAddress == null ? "" : serverAddress.getHostAddress();
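Review bot: `socket.getInetAddress()` can still return null for a socket that is not connected, so the existing guard that maps a null address to an empty `clientIP` remains necessary; an audit record with an empty ClientIP field loses exactly the attribution this fix is meant to restore, so a debug-level log line when the address is unavailable would make such gaps diagnosable. The same three-line replacement is repeated verbatim in the next two hunks; a private helper such as `getClientIP(SSLSocket)` would keep the three call sites from drifting apart.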
@@ -85,8 +82,7 @@ public class PKIServerSocketListener implements SSLSocketListener {
 try {
 SSLSocket socket = event.getSocket();
 
-SocketAddress remoteSocketAddress = socket.getRemoteSocketAddress();
-InetAddress clientAddress = remoteSocketAddress == null ? null : ((InetSocketAddress)remoteSocketAddress).getAddress();
+InetAddress clientAddress = socket.getInetAddress();
 InetAddress serverAddress = socket.getLocalAddress();
 String clientIP = clientAddress == null ? "" : clientAddress.getHostAddress();
 String serverIP = serverAddress == null ? "" : serverAddress.getHostAddress();
@@ -139,8 +135,7 @@ public class PKIServerSocketListener implements SSLSocketListener {
 try {
 SSLSocket socket = event.getSocket();
 
-SocketAddress remoteSocketAddress = socket.getRemoteSocketAddress();
-InetAddress clientAddress = remoteSocketAddress == null ? null : ((InetSocketAddress)remoteSocketAddress).getAddress();
+InetAddress clientAddress = socket.getInetAddress();
 InetAddress serverAddress = socket.getLocalAddress();
 String clientIP = clientAddress == null ? "" : clientAddress.getHostAddress();
 String serverIP = serverAddress == null ? "" : serverAddress.getHostAddress();
-- 
2.9.3


[Pki-devel] [PATCH] 1043 Updated CMS.getLogMessage().

2017-04-12 Thread Endi Sukma Dewata

The CMS.getLogMessage() has been generalized to take an array of
Objects instead of Strings.

Pushed to master under trivial rule.

--
Endi S. Dewata

From 9fa3323e017079e490a3749dfdbf5d59a08c65e9 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" 
Date: Wed, 12 Apr 2017 21:44:31 +0200
Subject: [PATCH] Updated CMS.getLogMessage().

The CMS.getLogMessage() has been generalized to take an array of
Objects instead of Strings.

Change-Id: Ifcb96d47983a67961efa27325b8ae0a88d9e0231
---
 base/common/src/com/netscape/certsrv/apps/CMS.java  | 2 +-
 base/common/src/com/netscape/certsrv/apps/ICMSEngine.java   | 2 +-
 base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java| 2 +-
 base/server/test/com/netscape/cmscore/app/CMSEngineDefaultStub.java | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/base/common/src/com/netscape/certsrv/apps/CMS.java b/base/common/src/com/netscape/certsrv/apps/CMS.java
index d2210df8a47e1c7e71d647bdf794f542eae544ea..8f1d648cc6c3b8b9c804b1b82b4eb3901e0723d1 100644
--- a/base/common/src/com/netscape/certsrv/apps/CMS.java
+++ b/base/common/src/com/netscape/certsrv/apps/CMS.java
@@ -701,7 +701,7 @@ public final class CMS {
  * @param p an array of parameters
  * @return localized log message
  */
-public static String getLogMessage(String msgID, String p[]) {
+public static String getLogMessage(String msgID, Object p[]) {
 return _engine.getLogMessage(msgID, p);
 }
 
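Review bot: the C-style array declaration `Object p[]` is carried over from the old signature; Java convention is `Object[] p`, and since this method only forwards to `_engine.getLogMessage`, declaring it as `Object... p` (on `ICMSEngine` and both implementations in this patch as well) would let callers pass parameters without building an array. Widening `String[]` to `Object[]` is source-compatible for existing callers because Java arrays are covariant, so no caller changes are required.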
diff --git a/base/common/src/com/netscape/certsrv/apps/ICMSEngine.java b/base/common/src/com/netscape/certsrv/apps/ICMSEngine.java
index 97fc4679eccef3d27dff01402e72625bb38a0fea..3655b0389a3dc7f8c9d232ba23b630511f1f32ed 100644
--- a/base/common/src/com/netscape/certsrv/apps/ICMSEngine.java
+++ b/base/common/src/com/netscape/certsrv/apps/ICMSEngine.java
@@ -334,7 +334,7 @@ public interface ICMSEngine extends ISubsystem {
  * @param p an array of parameters
  * @return localized log message
  */
-public String getLogMessage(String msgID, String p[]);
+public String getLogMessage(String msgID, Object p[]);
 
 /**
  * Retrieves the centralized log message from LogMessages.properties.
diff --git a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
index 90ee8b90a4841ee79970c9b857b95468d7ecd2ec..ef9a6a28a8430560652e4c19dc8b96971187e1ec 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
@@ -1583,7 +1583,7 @@ public class CMSEngine implements ICMSEngine {
 return getUserMessage(locale, msgID, params);
 }
 
-public String getLogMessage(String msgID, String params[]) {
+public String getLogMessage(String msgID, Object params[]) {
 ResourceBundle rb = ResourceBundle.getBundle(
 "LogMessages");
 String msg = rb.getString(msgID);
diff --git a/base/server/test/com/netscape/cmscore/app/CMSEngineDefaultStub.java b/base/server/test/com/netscape/cmscore/app/CMSEngineDefaultStub.java
index d6305cbb9aa85df89b7ff1bb9de49ded48364d98..dd28adb56892643b6b94880b5ab4b7e1e9820636 100644
--- a/base/server/test/com/netscape/cmscore/app/CMSEngineDefaultStub.java
+++ b/base/server/test/com/netscape/cmscore/app/CMSEngineDefaultStub.java
@@ -211,7 +211,7 @@ public class CMSEngineDefaultStub implements ICMSEngine {
 return null;
 }
 
-public String getLogMessage(String msgID, String p[]) {
+public String getLogMessage(String msgID, Object p[]) {
 return null;
 }
 
-- 
2.9.3


[Pki-devel] [PATCH] 1044 Added methods to log AuditEvent object.

2017-04-12 Thread Endi Sukma Dewata

New audit(AuditEvent) methods have been added alongside the
existing audit(String) methods.

Pushed to master under trivial rule.

--
Endi S. Dewata

From 92b68d7ab3f58ad80a545f550f0598de2c43da2c Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" 
Date: Thu, 13 Apr 2017 01:45:37 +0200
Subject: [PATCH] Added methods to log AuditEvent object.

New audit(AuditEvent) methods have been added alongside the
existing audit(String) methods.

Change-Id: Ia02a7daa8b9e8693208fe34309d8d727cc32ce54
---
 base/ca/src/com/netscape/ca/CAService.java | 10 ++
 .../src/com/netscape/kra/AsymKeyGenService.java| 10 ++
 .../src/com/netscape/kra/EnrollmentService.java| 10 ++
 .../src/com/netscape/kra/KeyRecoveryAuthority.java | 10 ++
 .../src/com/netscape/kra/NetkeyKeygenService.java  | 10 ++
 .../com/netscape/kra/SecurityDataProcessor.java| 10 ++
 .../kra/src/com/netscape/kra/SymKeyGenService.java | 10 ++
 .../com/netscape/kra/TokenKeyRecoveryService.java  |  9 +
 .../com/netscape/cms/authentication/CMCAuth.java   | 10 ++
 .../cms/src/com/netscape/cms/logging/LogFile.java  | 10 ++
 .../netscape/cms/profile/common/BasicProfile.java  | 11 +++
 .../netscape/cms/profile/input/EnrollInput.java| 10 ++
 .../cms/profile/updater/SubsystemGroupUpdater.java | 14 +++--
 .../cms/src/com/netscape/cms/realm/PKIRealm.java   | 10 ++
 .../com/netscape/cms/servlet/base/CMSServlet.java  | 10 ++
 .../cms/servlet/connector/ConnectorServlet.java| 10 ++
 .../cms/servlet/processors/CAProcessor.java| 10 ++
 .../cms/servlet/processors/PKIProcessor.java   | 23 --
 .../org/dogtagpki/server/rest/ACLInterceptor.java  | 10 ++
 .../src/com/netscape/cmscore/cert/CertUtils.java   | 10 ++
 .../src/com/netscape/cmscore/logging/Auditor.java  | 11 +++
 .../cmscore/selftests/SelfTestSubsystem.java   | 10 ++
 .../server/tps/processor/TPSProcessor.java | 10 ++
 23 files changed, 240 insertions(+), 8 deletions(-)

diff --git a/base/ca/src/com/netscape/ca/CAService.java b/base/ca/src/com/netscape/ca/CAService.java
index 5b364b85c2fef05c19d223b87a645168295ce80e..2ad196720ea59d145b0637866b5b1526ec8b1a89 100644
--- a/base/ca/src/com/netscape/ca/CAService.java
+++ b/base/ca/src/com/netscape/ca/CAService.java
@@ -1177,6 +1177,16 @@ public class CAService implements ICAService, IService {
 msg);
 }
 
+protected void audit(AuditEvent event) {
+
+String template = event.getMessage();
+Object[] params = event.getParameters();
+
+String message = CMS.getLogMessage(template, params);
+
+audit(message);
+}
+
 /**
  * Signed Audit Log Subject ID
  *
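Review bot: this eight-line `audit(AuditEvent)` body (template and parameters out of the event, `CMS.getLogMessage`, delegate to `audit(String)`) is copied verbatim into every class in the 23-file list above. Putting the formatting step in one place, for example a method on `AuditEvent` or on the `Auditor` class that is already part of this patch, and having each per-class `audit(AuditEvent)` call it, would keep future changes to audit message formatting in a single spot instead of 23.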
diff --git a/base/kra/src/com/netscape/kra/AsymKeyGenService.java b/base/kra/src/com/netscape/kra/AsymKeyGenService.java
index 75e340cd32c6b228fb7546772ada2c94f95e295f..bd2be704dec410051643ccba28bd1a75edb8ec53 100644
--- a/base/kra/src/com/netscape/kra/AsymKeyGenService.java
+++ b/base/kra/src/com/netscape/kra/AsymKeyGenService.java
@@ -228,6 +228,16 @@ public class AsymKeyGenService implements IService {
 msg);
 }
 
+protected void audit(AuditEvent event) {
+
+String template = event.getMessage();
+Object[] params = event.getParameters();
+
+String message = CMS.getLogMessage(template, params);
+
+audit(message);
+}
+
 private void auditAsymKeyGenRequestProcessed(String subjectID, String status, RequestId requestID,
 String clientKeyID,
 String keyID, String reason) {
diff --git a/base/kra/src/com/netscape/kra/EnrollmentService.java b/base/kra/src/com/netscape/kra/EnrollmentService.java
index d2748a2180e812198c5f256b0abf01dd346b426c..7c179d4bdbc00eb957e092c6c8519f625d36be93 100644
--- a/base/kra/src/com/netscape/kra/EnrollmentService.java
+++ b/base/kra/src/com/netscape/kra/EnrollmentService.java
@@ -1034,4 +1034,14 @@ public class EnrollmentService implements IService {
 ILogger.LL_SECURITY,
 msg);
 }
+
+protected void audit(AuditEvent event) {
+
+String template = event.getMessage();
+Object[] params = event.getParameters();
+
+String message = CMS.getLogMessage(template, params);
+
+audit(message);
+}
 }
diff --git a/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java b/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java
index b6e437655e389218eaeef3ef40d98ea69380222d..1df04db1bc32f9f2c49af48e6c558db9e148c1de 100644
--- a/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java
+++ b/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java
@@ -1570,6 +1570,16 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
 msg);
 }
 
+protected void audit(AuditEvent event) {
+
+String 

[Pki-devel] [PATCH] 1032-1033 Added pki-server CLI commands to inspect audit log files.

2017-04-11 Thread Endi Sukma Dewata

New pki-server CLI commands have been added to simplify
inspecting the audit log files on the server.

Pushed to master under trivial rule.

--
Endi S. Dewata

From d8081073d10065987341a6583a6a7e7351b22438 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" 
Date: Tue, 11 Apr 2017 18:04:41 +0200
Subject: [PATCH] Added pki-server -audit-file-find CLI.

A new pki-server -audit-file-find CLI has been added
to list audit log files on the server.

Change-Id: I88e827d45cfb83cf34052146e2ec678f4cd2345f
---
 base/server/python/pki/server/__init__.py  |  14 
 base/server/python/pki/server/cli/audit.py | 109 +
 base/server/python/pki/server/cli/ca.py|   2 +
 base/server/python/pki/server/cli/kra.py   |   2 +
 base/server/python/pki/server/cli/ocsp.py  |   2 +
 base/server/python/pki/server/cli/tks.py   |   2 +
 base/server/python/pki/server/cli/tps.py   |   2 +
 7 files changed, 133 insertions(+)
 create mode 100644 base/server/python/pki/server/cli/audit.py

diff --git a/base/server/python/pki/server/__init__.py b/base/server/python/pki/server/__init__.py
index 5032274705744290313b29e878721c638909bc57..112dcbff3625c752d6130b847d4448799e8c8224 100644
--- a/base/server/python/pki/server/__init__.py
+++ b/base/server/python/pki/server/__init__.py
@@ -389,6 +389,20 @@ class PKISubsystem(object):
 
 pki.util.customize_file(input_file, output_file, params)
 
+def get_audit_log_files(self):
+
+current_file_path = self.config['log.instance.SignedAudit.fileName']
+(log_dir, current_file) = os.path.split(current_file_path)
+
+# sort log files based on timestamp
+files = [f for f in os.listdir(log_dir) if f != current_file]
+files.sort()
+
+# put the current log file at the end
+files.append(current_file)
+
+return files
+
 def __repr__(self):
 return str(self.instance) + '/' + self.name
 
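Review bot: `os.listdir(log_dir)` returns every entry in the directory, not only rotated audit files, so an unrelated file or a subdirectory in the log directory would be reported as an audit log; filter with `os.path.isfile` and, if rotated files share the current file's base name with a timestamp suffix, on that prefix as well. `files.sort()` orders lexically, which only equals chronological order when the timestamp suffix is fixed-width and zero-padded; the comment should state that assumption. `os` is not imported in this hunk, so confirm the module already imports it.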
diff --git a/base/server/python/pki/server/cli/audit.py b/base/server/python/pki/server/cli/audit.py
new file mode 100644
index ..3bb9d5f0f68748797d9809b0d3e93952c5cd2d5d
--- /dev/null
+++ b/base/server/python/pki/server/cli/audit.py
@@ -0,0 +1,109 @@
+# Authors:
+# Endi S. Dewata 
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2017 Red Hat, Inc.
+# All rights reserved.
+#
+
+from __future__ import absolute_import
+from __future__ import print_function
+import getopt
+import sys
+
+import pki.cli
+
+
+class AuditCLI(pki.cli.CLI):
+
+def __init__(self, parent):
+super(AuditCLI, self).__init__(
+'audit', 'Audit management commands')
+
+self.parent = parent
+self.add_module(AuditFileFindCLI(self))
+
+
+class AuditFileFindCLI(pki.cli.CLI):
+
+def __init__(self, parent):
+super(AuditFileFindCLI, self).__init__(
+'file-find', 'Find audit log files')
+
+self.parent = parent
+
+def print_help(self):
+print('Usage: pki-server %s-audit-file-find [OPTIONS]' % self.parent.parent.name)
+print()
+print('  -i, --instanceInstance ID (default: pki-tomcat).')
+print('  --help Show help message.')
+print()
+
+def execute(self, args):
+
+try:
+opts, _ = getopt.gnu_getopt(args, 'i:v', [
+'instance=',
+'verbose', 'help'])
+
+except getopt.GetoptError as e:
+print('ERROR: ' + str(e))
+self.print_help()
+sys.exit(1)
+
+instance_name = 'pki-tomcat'
+
+for o, a in opts:
+if o in ('-i', '--instance'):
+instance_name = a
+
+elif o in ('-v', '--verbose'):
+self.set_verbose(True)
+
+elif o == '--help':
+self.print_help()
+sys.exit()
+
+else:
+print('ERROR: unknown option ' + o)
+self.print_help()
+sys.exit(1)
+
+instance = pki.server.PKIInstance(instance_name)
+if not instance.is_valid():
+print('ERROR: Invalid instance %s.' % instance_name)
+sys.exit(1)
+
+instance.load()
+
+subsystem_name = self.parent.parent.name
+subsystem = 
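Review bot: `pki.server.PKIInstance` is referenced in `execute()` but the module only imports `pki.cli`; add an explicit `import pki.server` rather than relying on it being loaded transitively. `print_help()` documents `--help` but not the `-v`/`--verbose` option that `execute()` accepts in `gnu_getopt`, so the two should be brought in line.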

[Pki-devel] [PATCH] 1030 Fixed pki user and group commands.

2017-04-10 Thread Endi Sukma Dewata

The UserCLI and GroupCLI have been fixed to use the subsystem name
in the client configuration object if available.

https://pagure.io/dogtagpki/issue/2626

--
Endi S. Dewata

From 0409bfa35601a0b59f75c05cf8a34aed6514fc24 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" 
Date: Sat, 8 Apr 2017 09:04:54 +0200
Subject: [PATCH] Fixed pki user and group commands.

The UserCLI and GroupCLI have been fixed to use the subsystem name
in the client configuration object if available.

https://pagure.io/dogtagpki/issue/2626

Change-Id: Ibf099cefe880a238468fad7fb2aabc9cc2d55c1f
---
 base/java-tools/src/com/netscape/cmstools/group/GroupCLI.java | 3 ++-
 base/java-tools/src/com/netscape/cmstools/user/UserCLI.java   | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/base/java-tools/src/com/netscape/cmstools/group/GroupCLI.java b/base/java-tools/src/com/netscape/cmstools/group/GroupCLI.java
index 5ccf70df54fde2a59123f8147649957ec36af243..95eb3a21d2d82c0c799d66b588f0996a2476a6cc 100644
--- a/base/java-tools/src/com/netscape/cmstools/group/GroupCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/group/GroupCLI.java
@@ -73,7 +73,8 @@ public class GroupCLI extends CLI {
 SubsystemCLI subsystemCLI = (SubsystemCLI)parent;
 subsystem = subsystemCLI.getName();
 } else {
-subsystem = "ca";
+subsystem = client.getSubsystem();
+if (subsystem == null) subsystem = "ca";
 }
 
 // create new group client
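Review bot: the brace-less `if (subsystem == null) subsystem = "ca";` is an easy place for a later edit to introduce a dangling-statement bug; use braces. The identical fallback appears in `UserCLI` in the next hunk, so a single helper on the shared `CLI` base (for example a method that returns the client's subsystem or a supplied default) would keep the two in step.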
diff --git a/base/java-tools/src/com/netscape/cmstools/user/UserCLI.java b/base/java-tools/src/com/netscape/cmstools/user/UserCLI.java
index 1acbf0b726ac64147daa955b62a542818e180593..affda9cfb2a19a5196d2c5f3455eca3ea626d8fe 100644
--- a/base/java-tools/src/com/netscape/cmstools/user/UserCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/user/UserCLI.java
@@ -76,7 +76,8 @@ public class UserCLI extends CLI {
 SubsystemCLI subsystemCLI = (SubsystemCLI)parent;
 subsystem = subsystemCLI.getName();
 } else {
-subsystem = "ca";
+subsystem = client.getSubsystem();
+if (subsystem == null) subsystem = "ca";
 }
 
 // create new user client
-- 
2.9.3


[Pki-devel] [PATCH] 1028 Fixed pki_console_wrapper.

2017-04-07 Thread Endi Sukma Dewata

The pki_console_wrapper script has been fixed to load cascading
pki.conf properly and to set the logging configuration property.

Pushed to master under trivial rule.

--
Endi S. Dewata

From 10d8f53c25d8ed7907b55c247fc77e5c3900029b Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" 
Date: Fri, 7 Apr 2017 16:42:58 +0200
Subject: [PATCH] Fixed pki_console_wrapper.

The pki_console_wrapper script has been fixed to load cascading
pki.conf properly and to set the logging configuration property.

Change-Id: Ie7b83f3c87bea133ee61d018457d7d4daf0fb757
---
 base/console/templates/pki_console_wrapper | 16 +---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/base/console/templates/pki_console_wrapper b/base/console/templates/pki_console_wrapper
index 3e3c1692672d69bd9a71052e00f646bd7aed4393..3ee90bd3034ec910d65d32aeab5636d52224d4b9 100755
--- a/base/console/templates/pki_console_wrapper
+++ b/base/console/templates/pki_console_wrapper
@@ -19,11 +19,20 @@
 # --- END COPYRIGHT BLOCK ---
 #
 
-# Read default PKI configuration.
+# default PKI configuration
 . /usr/share/pki/etc/pki.conf
 
-# Read user-defined PKI configuration.
-. /etc/pki/pki.conf
+# system-wide PKI configuration
+if [ -f /etc/pki/pki.conf ]
+then
+. /etc/pki/pki.conf
+fi
+
+# user-specific PKI configuration
+if [ -f $HOME/.dogtag/pki.conf ]
+then
+. $HOME/.dogtag/pki.conf
+fi
 
 # Check to insure that this script's original invocation directory
 # has not been deleted!
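Review bot: `$HOME` is unquoted in both the `[ -f ... ]` test and the `.` line; write `"$HOME/.dogtag/pki.conf"` so a home directory containing spaces does not break the script. Sourcing a per-user file means anything the user can write there is executed by the console process, which is acceptable for a user-run client, but the comment should say the file is executed rather than merely parsed so that its permissions are treated accordingly.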
@@ -151,6 +160,7 @@ ${JAVA} ${JAVA_OPTIONS} \
   -cp ${CP} \
   -Djava.util.prefs.systemRoot=/tmp/.java \
   -Djava.util.prefs.userRoot=/tmp/java \
+  -Djava.util.logging.config.file=${LOGGING_CONFIG} \
   com.netscape.admin.certsrv.Console \
   -s instanceID \
   -a $1
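Review bot: `${LOGGING_CONFIG}` is not set anywhere in this patch, so it must come from one of the sourced pki.conf files; if none of them defines it, the JVM receives an empty `-Djava.util.logging.config.file=` and java.util.logging tries to read a file with an empty name instead of using its default configuration. Define a default in /usr/share/pki/etc/pki.conf, which is sourced unconditionally, or only append the option when the variable is non-empty.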
-- 
2.9.3


[Pki-devel] [PATCH] 1027 Fixed PKIServerSocketListener.

2017-04-04 Thread Endi Sukma Dewata
The PKIServerSocketListener.alertReceived() has been fixed to
generate an audit log when the SSL socket is closed by the client.

The log message has been modified to include the reason for the
termination.

https://pagure.io/dogtagpki/issue/2602

Pushed to master under trivial rule.

--
Endi S. Dewata

From 4ab0608cbda0c9336c5eb9ea40a7d3ca769ab17b Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" 
Date: Tue, 4 Apr 2017 17:53:53 +0200
Subject: [PATCH] Fixed PKIServerSocketListener.

The PKIServerSocketListener.alertReceived() has been fixed to
generate an audit log when the SSL socket is closed by the client.

The log message has been modified to include the reason for the
termination.

https://pagure.io/dogtagpki/issue/2602

Change-Id: Ief2817f2b2b31cf6f60fae0ee4c55c17024f7988
---
 .../dogtagpki/server/PKIServerSocketListener.java  | 39 +-
 base/server/cmsbundle/src/LogMessages.properties   |  2 +-
 2 files changed, 39 insertions(+), 2 deletions(-)

diff --git a/base/server/cms/src/org/dogtagpki/server/PKIServerSocketListener.java b/base/server/cms/src/org/dogtagpki/server/PKIServerSocketListener.java
index f147c771062d4224330fa115e7848221d56cad38..adba676ac18a7f4cffcfdfb2a15b66705414fb47 100644
--- a/base/server/cms/src/org/dogtagpki/server/PKIServerSocketListener.java
+++ b/base/server/cms/src/org/dogtagpki/server/PKIServerSocketListener.java
@@ -41,6 +41,42 @@ public class PKIServerSocketListener implements SSLSocketListener {
 
 @Override
 public void alertReceived(SSLAlertEvent event) {
+try {
+SSLSocket socket = event.getSocket();
+
+SocketAddress remoteSocketAddress = socket.getRemoteSocketAddress();
+InetAddress clientAddress = remoteSocketAddress == null ? null : ((InetSocketAddress)remoteSocketAddress).getAddress();
+InetAddress serverAddress = socket.getLocalAddress();
+String clientIP = clientAddress == null ? "" : clientAddress.getHostAddress();
+String serverIP = serverAddress == null ? "" : serverAddress.getHostAddress();
+
+SSLSecurityStatus status = socket.getStatus();
+X509Certificate peerCertificate = status.getPeerCertificate();
+Principal subjectDN = peerCertificate == null ? null : peerCertificate.getSubjectDN();
+String subjectID = subjectDN == null ? "" : subjectDN.toString();
+
+int description = event.getDescription();
+String reason = SSLAlertDescription.valueOf(description).toString();
+
+logger.debug("SSL alert received:");
+logger.debug(" - client: " + clientAddress);
+logger.debug(" - server: " + serverAddress);
+logger.debug(" - reason: " + reason);
+
+IAuditor auditor = CMS.getAuditor();
+
+String auditMessage = CMS.getLogMessage(
+"LOGGING_SIGNED_AUDIT_ACCESS_SESSION_TERMINATED",
+clientIP,
+serverIP,
+subjectID,
+reason);
+
+auditor.log(auditMessage);
+
+} catch (Exception e) {
+e.printStackTrace();
+}
 }
 
 @Override
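Review bot: `SSLAlertDescription.valueOf(description).toString()` throws NullPointerException if `valueOf` returns null for an alert code JSS does not recognise, and the surrounding `catch (Exception e) { e.printStackTrace(); }` then discards the failure, so the session termination never reaches the signed audit log; guard for a null result (fall back to the numeric code) and report caught exceptions through `logger` rather than only to stderr. The address, certificate and audit-message construction here repeats what the next hunk's method already does for the same `LOGGING_SIGNED_AUDIT_ACCESS_SESSION_TERMINATED` event, so a shared helper would avoid the copies.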
@@ -75,7 +111,8 @@ public class PKIServerSocketListener implements SSLSocketListener {
 "LOGGING_SIGNED_AUDIT_ACCESS_SESSION_TERMINATED",
 clientIP,
 serverIP,
-subjectID);
+subjectID,
+reason);
 
 auditor.log(auditMessage);
 
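Review bot: `reason` is passed as a new argument but is not declared in this hunk's context lines; confirm this method computes it the same way as `alertReceived()` above, otherwise the two SESSION_TERMINATED events record the reason in different formats.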
diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties
index dde53ba73e676df87509bdcb55640f97bc4dfa6c..7572db4568003f8038cf0fbd67534b4fc662ca69 100644
--- a/base/server/cmsbundle/src/LogMessages.properties
+++ b/base/server/cmsbundle/src/LogMessages.properties
@@ -2737,7 +2737,7 @@ LOGGING_SIGNED_AUDIT_ACCESS_SESSION_ESTABLISH_SUCCESS=\
 #separated by + (if more than one name;;value pair) of config params changed
 #
 LOGGING_SIGNED_AUDIT_ACCESS_SESSION_TERMINATED=\
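Review bot: the hunk is cut off here, but since the message now receives a fourth `reason` argument the template must carry a fourth placeholder, and the comment header that documents the message's fields should describe the new one; the visible comment lines describe a config-params message, so check that the description for this key was updated as well.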

[Pki-devel] [PATCH] 1024 Removed redundant Context attributes.

2017-03-31 Thread Endi Sukma Dewata

All subclasses of PKIService have been modified to remove the
Context attribute since they have been declared in the base class.

Pushed to master under trivial rule.

--
Endi S. Dewata

From 7fc7d3e8844d4992db60a637370b8599bff5a282 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" 
Date: Fri, 31 Mar 2017 19:23:43 +0200
Subject: [PATCH] Removed redundant Context attributes.

All subclasses of PKIService have been modified to remove the
Context attribute since they have been declared in the base class.

Change-Id: Icdbe97efa2b910a579264099f817930c2cc2ed1a
---
 .../org/dogtagpki/server/ca/rest/AuthorityService.java  | 17 -
 .../dogtagpki/server/ca/rest/CertRequestService.java| 17 -
 .../src/org/dogtagpki/server/ca/rest/CertService.java   | 17 -
 .../dogtagpki/server/ca/rest/KRAConnectorService.java   | 17 -
 .../org/dogtagpki/server/ca/rest/ProfileService.java| 16 
 .../dogtagpki/server/kra/rest/KeyRequestService.java| 17 -
 .../src/org/dogtagpki/server/kra/rest/KeyService.java   | 17 -
 .../cms/src/org/dogtagpki/server/rest/AuditService.java | 17 -
 .../cms/src/org/dogtagpki/server/rest/GroupService.java | 17 -
 .../dogtagpki/server/rest/SecurityDomainService.java| 17 -
 .../src/org/dogtagpki/server/rest/SelfTestService.java  | 17 -
 .../org/dogtagpki/server/rest/SystemConfigService.java  | 17 -
 .../cms/src/org/dogtagpki/server/rest/UserService.java  | 17 -
 .../dogtagpki/server/tks/rest/TPSConnectorService.java  |  9 -
 .../org/dogtagpki/server/tps/config/ConfigService.java  | 17 -
 .../org/dogtagpki/server/tps/rest/ActivityService.java  | 17 -
 .../dogtagpki/server/tps/rest/AuthenticatorService.java | 17 -
 .../org/dogtagpki/server/tps/rest/ConnectorService.java | 17 -
 .../server/tps/rest/ProfileMappingService.java  | 17 -
 .../org/dogtagpki/server/tps/rest/ProfileService.java   | 17 -
 .../org/dogtagpki/server/tps/rest/TPSCertService.java   | 17 -
 .../src/org/dogtagpki/server/tps/rest/TokenService.java | 17 -
 22 files changed, 365 deletions(-)

diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java b/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java
index c734fbf4645aabf2b068b56ead3a0d0a04e8d639..215d0fa150759e8709c24b08fed0b7abac167311 100644
--- a/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java
+++ b/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java
@@ -27,13 +27,8 @@ import java.util.LinkedHashMap;
 import java.util.List;
 import java.util.Map;
 
-import javax.servlet.http.HttpServletRequest;
-import javax.ws.rs.core.Context;
 import javax.ws.rs.core.GenericEntity;
-import javax.ws.rs.core.HttpHeaders;
-import javax.ws.rs.core.Request;
 import javax.ws.rs.core.Response;
-import javax.ws.rs.core.UriInfo;
 
 import com.netscape.certsrv.apps.CMS;
 import com.netscape.certsrv.authentication.IAuthToken;
@@ -75,18 +70,6 @@ public class AuthorityService extends SubsystemService implements AuthorityResou
 hostCA = (ICertificateAuthority) CMS.getSubsystem("ca");
 }
 
-@Context
-private UriInfo uriInfo;
-
-@Context
-private HttpHeaders headers;
-
-@Context
-private Request request;
-
-@Context
-private HttpServletRequest servletRequest;
-
 private final static String LOGGING_SIGNED_AUDIT_AUTHORITY_CONFIG =
 "LOGGING_SIGNED_AUDIT_AUTHORITY_CONFIG_3";
 
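Review bot: removing these `private` fields only compiles if the base class declares `uriInfo`, `headers`, `request` and `servletRequest` under the same names with at least `protected` visibility; the commit message should name the class that holds them, since this class extends `SubsystemService` while `CertRequestService` below extends `PKIService` directly.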
diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/CertRequestService.java b/base/ca/src/org/dogtagpki/server/ca/rest/CertRequestService.java
index a0d36b95f8331efce24839a1d76b4418cdde4d71..a0f3d46fbea3b7106dade5e176599ccf3be6883f 100644
--- a/base/ca/src/org/dogtagpki/server/ca/rest/CertRequestService.java
+++ b/base/ca/src/org/dogtagpki/server/ca/rest/CertRequestService.java
@@ -24,13 +24,8 @@ import java.util.ArrayList;
 import java.util.Enumeration;
 import java.util.List;
 
-import javax.servlet.http.HttpServletRequest;
 import javax.ws.rs.PathParam;
-import javax.ws.rs.core.Context;
-import javax.ws.rs.core.HttpHeaders;
-import javax.ws.rs.core.Request;
 import javax.ws.rs.core.Response;
-import javax.ws.rs.core.UriInfo;
 
 import org.jboss.resteasy.plugins.providers.atom.Link;
 
@@ -81,18 +76,6 @@ import netscape.security.x509.X500Name;
  */
 public class CertRequestService extends PKIService implements CertRequestResource {
 
-@Context
-private UriInfo uriInfo;
-
-@Context
-private HttpHeaders headers;
-
-@Context
-private Request request;
-
-@Context
-private HttpServletRequest servletRequest;
-
 public static final int DEFAULT_START = 0;
 public static final int DEFAULT_PAGESIZE = 20;
 public static 

[Pki-devel] [PATCH] 1018-1020 Removed duplicate constants.

2017-03-30 Thread Endi Sukma Dewata
Some constants in RollingLogFile have been replaced with their
equivalents in Constants class.

Pushed to master under trivial rule.

--
Endi S. Dewata

From 8d60caa44803915c153e1919ccaf08b166d38190 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" 
Date: Wed, 29 Mar 2017 03:36:39 +0200
Subject: [PATCH] Removed duplicate PROP_ROLLOVER_INTERVAL constant.

Change-Id: I66b369ec33f97dab96f6d832e2eb9ab0c6cdbe98
---
 .../src/com/netscape/cms/logging/RollingLogFile.java   | 18 +-
 .../netscape/cms/servlet/admin/LogAdminServlet.java|  2 +-
 2 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/base/server/cms/src/com/netscape/cms/logging/RollingLogFile.java b/base/server/cms/src/com/netscape/cms/logging/RollingLogFile.java
index 32568dac053b6ff2bc2e5d11983fc6ba55db552e..d84c441702592884f774f721b1a18a3f1c0390fe 100644
--- a/base/server/cms/src/com/netscape/cms/logging/RollingLogFile.java
+++ b/base/server/cms/src/com/netscape/cms/logging/RollingLogFile.java
@@ -32,6 +32,7 @@ import com.netscape.certsrv.apps.CMS;
 import com.netscape.certsrv.base.EBaseException;
 import com.netscape.certsrv.base.IConfigStore;
 import com.netscape.certsrv.base.IExtendedPluginInfo;
+import com.netscape.certsrv.common.Constants;
 import com.netscape.certsrv.common.NameValuePairs;
 import com.netscape.certsrv.logging.ConsoleError;
 import com.netscape.certsrv.logging.ELogException;
@@ -49,7 +50,6 @@ import com.netscape.cmsutil.util.Utils;
  */
 public class RollingLogFile extends LogFile {
 public static final String PROP_MAX_FILE_SIZE = "maxFileSize";
-public static final String PROP_ROLLOVER_INTERVAL = "rolloverInterval";
 public static final String PROP_EXPIRATION_TIME = "expirationTime";
 
 /**
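Review bot: `PROP_ROLLOVER_INTERVAL` was `public static final`, so deleting it breaks any out-of-tree code that referenced `RollingLogFile.PROP_ROLLOVER_INTERVAL`; consider keeping it as a deprecated alias of `Constants.PR_LOG_ROLLEROVER_INTERVAL`. The substitution also assumes both constants hold the identical string "rolloverInterval"; if they differ, existing configuration entries are silently ignored and the log falls back to `ROLLOVER_INTERVAL`, so the commit message should state that the values were verified equal.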
@@ -116,7 +116,7 @@ public class RollingLogFile extends LogFile {
 super.init(config);
 
 rl_init(config.getInteger(PROP_MAX_FILE_SIZE, MAX_FILE_SIZE),
-config.getString(PROP_ROLLOVER_INTERVAL, ROLLOVER_INTERVAL),
+config.getString(Constants.PR_LOG_ROLLEROVER_INTERVAL, ROLLOVER_INTERVAL),
 config.getString(PROP_EXPIRATION_TIME, EXPIRATION_TIME));
 }
 
@@ -585,7 +585,7 @@ public class RollingLogFile extends LogFile {
 Vector v = super.getDefaultParams();
 
 v.addElement(PROP_MAX_FILE_SIZE + "=");
-v.addElement(PROP_ROLLOVER_INTERVAL + "=");
+v.addElement(Constants.PR_LOG_ROLLEROVER_INTERVAL + "=");
 //v.addElement(PROP_EXPIRATION_TIME + "=");
 return v;
 }
@@ -596,15 +596,15 @@ public class RollingLogFile extends LogFile {
 try {
 v.addElement(PROP_MAX_FILE_SIZE + "=" + mMaxFileSize / 1024);
 if (mRolloverInterval / 1000 <= 60 * 60)
-v.addElement(PROP_ROLLOVER_INTERVAL + "=" + "Hourly");
+v.addElement(Constants.PR_LOG_ROLLEROVER_INTERVAL + "=" + "Hourly");
 else if (mRolloverInterval / 1000 <= 60 * 60 * 24)
-v.addElement(PROP_ROLLOVER_INTERVAL + "=" + "Daily");
+v.addElement(Constants.PR_LOG_ROLLEROVER_INTERVAL + "=" + "Daily");
 else if (mRolloverInterval / 1000 <= 60 * 60 * 24 * 7)
-v.addElement(PROP_ROLLOVER_INTERVAL + "=" + "Weekly");
+v.addElement(Constants.PR_LOG_ROLLEROVER_INTERVAL + "=" + "Weekly");
 else if (mRolloverInterval / 1000 <= 60 * 60 * 24 * 30)
-v.addElement(PROP_ROLLOVER_INTERVAL + "=" + "Monthly");
+v.addElement(Constants.PR_LOG_ROLLEROVER_INTERVAL + "=" + "Monthly");
 else if (mRolloverInterval / 1000 <= 60 * 60 * 24 * 366)
-v.addElement(PROP_ROLLOVER_INTERVAL + "=" + "Yearly");
+v.addElement(Constants.PR_LOG_ROLLEROVER_INTERVAL + "=" + "Yearly");
 
 //v.addElement(PROP_EXPIRATION_TIME + "=" + mExpirationTime / 1000);
 } catch (Exception e) {
@@ -622,7 +622,7 @@ public class RollingLogFile extends LogFile {
 }
 info.addElement(PROP_MAX_FILE_SIZE
 + ";integer;If the current log file size if bigger than this parameter in kilobytes(KB), the file will be rotated.");
-info.addElement(PROP_ROLLOVER_INTERVAL
+info.addElement(Constants.PR_LOG_ROLLEROVER_INTERVAL
 + ";choice(Hourly,Daily,Weekly,Monthly,Yearly);The frequency of the log being rotated.");
 info.addElement(PROP_EXPIRATION_TIME
 + ";integer;The amount of time before a backed up log is removed in seconds");
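Review bot: the user-visible help text on the unchanged line just above the edited one reads "If the current log file size if bigger than this parameter"; since this block is being touched anyway, change "if bigger" to "is bigger".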
diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/LogAdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/LogAdminServlet.java
index d665224212b1a9eb0f1f9689dad8154d99d350e4..08c329356b4e2a5b740c41ec29d98c7fb05535e1 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/admin/LogAdminServlet.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/admin/LogAdminServlet.java
@@ -1645,7 +1645,7 @@ public class 

[Pki-devel] [PATCH] 1010-1017 Fixed unnecessary CLI connection.

2017-03-27 Thread Endi Sukma Dewata
Additional changes to remove unnecessary CLI connection using lazy 
initialization.


Pushed to master under trivial rule.

--
Endi S. Dewata
From a6b64e4f45348011885f268db92beab0d563ff22 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" 
Date: Fri, 24 Mar 2017 03:42:55 +0100
Subject: [PATCH] Refactored ActivityCLI.

The ActivityCLI and its submodules have been modified to use lazy
initialization to get the PKIClient object.
---
 .../src/com/netscape/cmstools/logging/ActivityCLI.java   | 9 ++---
 .../src/com/netscape/cmstools/logging/ActivityFindCLI.java   | 4 +++-
 .../src/com/netscape/cmstools/logging/ActivityShowCLI.java   | 4 +++-
 3 files changed, 12 insertions(+), 5 deletions(-)

diff --git a/base/java-tools/src/com/netscape/cmstools/logging/ActivityCLI.java b/base/java-tools/src/com/netscape/cmstools/logging/ActivityCLI.java
index f53e687001f80ce6976ba537abcd6b00572e55c2..f0f125edd1ef080d767bc7c8e478e65a9edc08f9 100644
--- a/base/java-tools/src/com/netscape/cmstools/logging/ActivityCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/logging/ActivityCLI.java
@@ -20,6 +20,7 @@ package com.netscape.cmstools.logging;
 
 import org.jboss.resteasy.plugins.providers.atom.Link;
 
+import com.netscape.certsrv.client.PKIClient;
 import com.netscape.certsrv.logging.ActivityClient;
 import com.netscape.certsrv.logging.ActivityData;
 import com.netscape.cmstools.cli.CLI;
@@ -38,12 +39,14 @@ public class ActivityCLI extends CLI {
 addModule(new ActivityShowCLI(this));
 }
 
-public void execute(String[] args) throws Exception {
+public ActivityClient getActivityClient() throws Exception {
 
-client = parent.getClient();
+if (activityClient != null) return activityClient;
+
+PKIClient client = getClient();
 activityClient = (ActivityClient)parent.getClient("activity");
 
-super.execute(args);
+return activityClient;
 }
 
 public static void printActivity(ActivityData activity, boolean showAll) {
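Review bot: in `getActivityClient()` the new local `PKIClient client = getClient();` is assigned but never used, because the next line still builds the client from `parent.getClient("activity")`. Either drop the local or construct the client from it the way the other CLIs do (`new ActivityClient(client, ...)`); as written, the call only triggers a connection whose result is discarded, which is the opposite of what the lazy initialization is meant to achieve.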
diff --git a/base/java-tools/src/com/netscape/cmstools/logging/ActivityFindCLI.java b/base/java-tools/src/com/netscape/cmstools/logging/ActivityFindCLI.java
index 9e31795b4415fe34dc37a6e2f835c4a0a39b3d3e..75c635bdcff0cc525f8f70d73d984f739761ccb6 100644
--- a/base/java-tools/src/com/netscape/cmstools/logging/ActivityFindCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/logging/ActivityFindCLI.java
@@ -24,6 +24,7 @@ import java.util.Collection;
 import org.apache.commons.cli.CommandLine;
 import org.apache.commons.cli.Option;
 
+import com.netscape.certsrv.logging.ActivityClient;
 import com.netscape.certsrv.logging.ActivityCollection;
 import com.netscape.certsrv.logging.ActivityData;
 import com.netscape.cmstools.cli.CLI;
@@ -75,7 +76,8 @@ public class ActivityFindCLI extends CLI {
 s = cmd.getOptionValue("size");
 Integer size = s == null ? null : Integer.valueOf(s);
 
-ActivityCollection result = activityCLI.activityClient.findActivities(filter, start, size);
+ActivityClient activityClient = activityCLI.getActivityClient();
+ActivityCollection result = activityClient.findActivities(filter, start, size);
 
 MainCLI.printMessage(result.getTotal() + " entries matched");
 if (result.getTotal() == 0) return;
diff --git a/base/java-tools/src/com/netscape/cmstools/logging/ActivityShowCLI.java b/base/java-tools/src/com/netscape/cmstools/logging/ActivityShowCLI.java
index bae172c7912eb854ecdfb716cb1eafa67efdcfa3..e31cbf6ab50159ae1995f12533900270eabf7af4 100644
--- a/base/java-tools/src/com/netscape/cmstools/logging/ActivityShowCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/logging/ActivityShowCLI.java
@@ -22,6 +22,7 @@ import java.util.Arrays;
 
 import org.apache.commons.cli.CommandLine;
 
+import com.netscape.certsrv.logging.ActivityClient;
 import com.netscape.certsrv.logging.ActivityData;
 import com.netscape.cmstools.cli.CLI;
 import com.netscape.cmstools.cli.MainCLI;
@@ -59,7 +60,8 @@ public class ActivityShowCLI extends CLI {
 
 String activityID = args[0];
 
-ActivityData activityData = activityCLI.activityClient.getActivity(activityID);
+ActivityClient activityClient = activityCLI.getActivityClient();
+ActivityData activityData = activityClient.getActivity(activityID);
 
 MainCLI.printMessage("Activity \"" + activityID + "\"");
 
-- 
2.9.3

From ca04971010a92f84db8b0f18df0761192ea26023 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" 
Date: Fri, 24 Mar 2017 03:46:09 +0100
Subject: [PATCH] Refactored AuditCLI.

The AuditCLI and its submodules have been modified to use lazy
initialization to get the PKIClient object.
---
 base/java-tools/src/com/netscape/cmstools/logging/AuditCLI.java  | 9 ++---
 .../src/com/netscape/cmstools/logging/AuditModifyCLI.java| 6 --
 .../src/com/netscape/cmstools/logging/AuditShowCLI.java  | 4 +++-
 3 files changed, 13 

[Pki-devel] [PATCH] 1002-1008 Fixed unnecessary CLI connection.

2017-03-27 Thread Endi Sukma Dewata
Additional changes to remove unnecessary CLI connection using lazy 
initialization.


Pushed to master under trivial rule.

--
Endi S. Dewata
From 043aa471f9e243faad58917e9e055affdb694c79 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" 
Date: Fri, 24 Mar 2017 02:02:51 +0100
Subject: [PATCH] Refactored AuthorityCLI.

The AuthorityCLI and its submodules have been modified to use lazy
initialization to get the PKIClient object.
---
 .../src/com/netscape/cmstools/authority/AuthorityCLI.java | 11 ---
 .../com/netscape/cmstools/authority/AuthorityCreateCLI.java   |  4 +++-
 .../com/netscape/cmstools/authority/AuthorityDisableCLI.java  |  4 +++-
 .../com/netscape/cmstools/authority/AuthorityEnableCLI.java   |  4 +++-
 .../src/com/netscape/cmstools/authority/AuthorityFindCLI.java |  4 +++-
 .../com/netscape/cmstools/authority/AuthorityRemoveCLI.java   |  4 +++-
 .../src/com/netscape/cmstools/authority/AuthorityShowCLI.java |  4 +++-
 7 files changed, 26 insertions(+), 9 deletions(-)

diff --git a/base/java-tools/src/com/netscape/cmstools/authority/AuthorityCLI.java b/base/java-tools/src/com/netscape/cmstools/authority/AuthorityCLI.java
index a3fccbb027e4391b2fb83621ff829117a07fa76f..c8d469937e93a89f0901d1ca267ef1bc2b886988 100644
--- a/base/java-tools/src/com/netscape/cmstools/authority/AuthorityCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/authority/AuthorityCLI.java
@@ -4,6 +4,7 @@ import java.math.BigInteger;
 
 import com.netscape.certsrv.authority.AuthorityClient;
 import com.netscape.certsrv.authority.AuthorityData;
+import com.netscape.certsrv.client.PKIClient;
 import com.netscape.cmstools.cli.CLI;
 import com.netscape.cmstools.cli.MainCLI;
 
@@ -32,10 +33,14 @@ public class AuthorityCLI extends CLI {
 }
 }
 
-public void execute(String[] args) throws Exception {
-client = parent.getClient();
+public AuthorityClient getAuthorityClient() throws Exception {
+
+if (authorityClient != null) return authorityClient;
+
+PKIClient client = getClient();
 authorityClient = new AuthorityClient(client, "ca");
-super.execute(args);
+
+return authorityClient;
 }
 
 protected static void printAuthorityData(AuthorityData data) {
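Review bot: now that `getAuthorityClient()` is the only supported way to obtain the client, make the `authorityClient` field `private`; the submodule hunks stop reading `authorityCLI.authorityClient` directly, and a package-visible field lets a future caller read it before the lazy init has run and dereference `null`. The unsynchronized lazy init is fine for a single-threaded CLI but deserves a one-line comment saying so.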
diff --git a/base/java-tools/src/com/netscape/cmstools/authority/AuthorityCreateCLI.java b/base/java-tools/src/com/netscape/cmstools/authority/AuthorityCreateCLI.java
index 9cea963bfd09e025e2dbabafd72f4b04278322b9..e39a126e01d2b5ffccc5e9839d8c9b0aea4edf0f 100644
--- a/base/java-tools/src/com/netscape/cmstools/authority/AuthorityCreateCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/authority/AuthorityCreateCLI.java
@@ -5,6 +5,7 @@ import java.util.Arrays;
 import org.apache.commons.cli.CommandLine;
 import org.apache.commons.cli.Option;
 
+import com.netscape.certsrv.authority.AuthorityClient;
 import com.netscape.certsrv.authority.AuthorityData;
 import com.netscape.certsrv.ca.AuthorityID;
 import com.netscape.cmstools.cli.CLI;
@@ -67,7 +68,8 @@ public class AuthorityCreateCLI extends CLI {
 String dn = cmdArgs[0];
 AuthorityData data = new AuthorityData(
 null, dn, null, parentAIDString, null, null, true /* enabled */, desc, null);
-AuthorityData newData = authorityCLI.authorityClient.createCA(data);
+AuthorityClient authorityClient = authorityCLI.getAuthorityClient();
+AuthorityData newData = authorityClient.createCA(data);
 AuthorityCLI.printAuthorityData(newData);
 }
 
diff --git a/base/java-tools/src/com/netscape/cmstools/authority/AuthorityDisableCLI.java b/base/java-tools/src/com/netscape/cmstools/authority/AuthorityDisableCLI.java
index 7c5da13de3357d853e5e376786a98a9b9d505600..bae8ada7355c44a813e40167c765a796eed348fb 100644
--- a/base/java-tools/src/com/netscape/cmstools/authority/AuthorityDisableCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/authority/AuthorityDisableCLI.java
@@ -4,6 +4,7 @@ import java.util.Arrays;
 
 import org.apache.commons.cli.CommandLine;
 
+import com.netscape.certsrv.authority.AuthorityClient;
 import com.netscape.certsrv.authority.AuthorityData;
 import com.netscape.cmstools.cli.CLI;
 
@@ -37,7 +38,8 @@ public class AuthorityDisableCLI extends CLI {
 
 AuthorityData data = new AuthorityData(
 null, null, cmdArgs[0], null, null, null, false, null, null);
-data = authorityCLI.authorityClient.modifyCA(data);
+AuthorityClient authorityClient = authorityCLI.getAuthorityClient();
+data = authorityClient.modifyCA(data);
 AuthorityCLI.printAuthorityData(data);
 }
 
diff --git a/base/java-tools/src/com/netscape/cmstools/authority/AuthorityEnableCLI.java b/base/java-tools/src/com/netscape/cmstools/authority/AuthorityEnableCLI.java
index 7ff25a45011e3355bb1c9632ab6f5457d46ed5c8..2b2eac1f03832b0087cc7ba9b49528db845b4209 100644
--- a/base/java-tools/src/com/netscape/cmstools/authority/AuthorityEnableCLI.java
+++ 

[Pki-devel] [PATCH] 991 Added support for disabling SSL ciphers in pki.conf.

2017-03-20 Thread Endi Sukma Dewata

The CryptoUtil.setSSLCiphers() has been modified to support a "-"
sign in front of the cipher name or ID to disable the cipher.

Pushed to master under trivial rule.

--
Endi S. Dewata
From 8ba95a89a7de733c5319f575e80621faa2b45e90 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" 
Date: Fri, 17 Mar 2017 19:25:07 +0100
Subject: [PATCH] Added support for disabling SSL ciphers in pki.conf.

The CryptoUtil.setSSLCiphers() has been modified to support a "-"
sign in front of the cipher name or ID to disable the cipher.
---
 base/common/share/etc/pki.conf| 3 ++-
 base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java | 9 -
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/base/common/share/etc/pki.conf b/base/common/share/etc/pki.conf
index 4bb874f63f7ad70f14eb8c019e38d3d3d2865543..c0b607308156d9de6522c83625c82869f06b 100644
--- a/base/common/share/etc/pki.conf
+++ b/base/common/share/etc/pki.conf
@@ -38,8 +38,9 @@ SSL_DEFAULT_CIPHERS="true"
 export SSL_DEFAULT_CIPHERS
 
 # SSL ciphers
-# This parameter lists SSL ciphers to enable in addition to the default ciphers.
+# This parameter lists SSL ciphers to enable/disable in addition to the default ciphers.
 # The list contains IANA-registered cipher names or hex IDs separated by white spaces.
 # https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4
+# To disable a cipher, specify a "-" sign in front of the cipher name or ID.
 SSL_CIPHERS=""
 export SSL_CIPHERS
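Review bot: the new comment should state that entries are applied in order, so a `-` entry only disables a cipher relative to whatever was enabled before it (the defaults controlled by `SSL_DEFAULT_CIPHERS` plus earlier entries), and a later bare entry re-enables it; without that, the interaction between the two parameters is ambiguous to an administrator trying to enforce a strict cipher list.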
diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
index 5e6659363ae209080225342ddc2c2e97d9367bca..c436b4d02dd5bb7006acbcfa65fd8a64bcd02140 100644
--- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
+++ b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
@@ -955,7 +955,14 @@ public class CryptoUtil {
 
 while (st.hasMoreTokens()) {
 String cipher = st.nextToken();
-setSSLCipher(cipher, true);
+boolean enabled = true;
+
+if (cipher.startsWith("-")) {
+enabled = false;
+cipher = cipher.substring(1);
+}
+
+setSSLCipher(cipher, enabled);
 }
 }
 
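Review bot: after stripping the leading `-`, `cipher` may be empty (a stray `-` token in `SSL_CIPHERS`). Combined with the hex branch from patch 990, that yields `cipherMap.get("")` and an `Unsupported cipher: ` message with nothing after the colon, and a `-0x` token reaches `Integer.parseInt("", 16)` and throws an unchecked `NumberFormatException`. Add an explicit check right after the `substring(1)`, e.g. `if (cipher.isEmpty()) throw new SocketException("Missing cipher name after '-'");`.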
-- 
2.9.3

___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel

[Pki-devel] [PATCH] 990 Added support for hex cipher IDs in pki.conf.

2017-03-20 Thread Endi Sukma Dewata

The CryptoUtil.setSSLCipher() has been modified to support ciphers
specified using hex ID.

Pushed to master under trivial rule.

--
Endi S. Dewata
From bc6ad11480c4d5185cf70334b4cbc03e3a1cff61 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" 
Date: Sun, 19 Mar 2017 20:23:23 +0100
Subject: [PATCH] Added support for hex cipher IDs in pki.conf.

The CryptoUtil.setSSLCipher() has been modified to support ciphers
specified using hex ID.
---
 base/common/share/etc/pki.conf|  2 +-
 base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java | 12 +---
 2 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/base/common/share/etc/pki.conf b/base/common/share/etc/pki.conf
index 9f4df6371fea716c9e6097aedfd79486bc91dc5b..4bb874f63f7ad70f14eb8c019e38d3d3d2865543 100644
--- a/base/common/share/etc/pki.conf
+++ b/base/common/share/etc/pki.conf
@@ -39,7 +39,7 @@ export SSL_DEFAULT_CIPHERS
 
 # SSL ciphers
 # This parameter lists SSL ciphers to enable in addition to the default ciphers.
-# The list contains IANA-registered cipher names separated by white spaces.
+# The list contains IANA-registered cipher names or hex IDs separated by white spaces.
 # https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4
 SSL_CIPHERS=""
 export SSL_CIPHERS
diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
index fd7b1bb23ff9af9049822cf6714c48e4386e3e0f..5e6659363ae209080225342ddc2c2e97d9367bca 100644
--- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
+++ b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
@@ -961,9 +961,15 @@ public class CryptoUtil {
 
 public static void setSSLCipher(String cipher, boolean enabled) throws SocketException {
 
-Integer cipherID = cipherMap.get(cipher);
-if (cipherID == null) {
-throw new SocketException("Unsupported cipher: " + cipher);
+Integer cipherID;
+if (cipher.toLowerCase().startsWith("0x")) {
+cipherID = Integer.parseInt(cipher.substring(2), 16);
+
+} else {
+cipherID = cipherMap.get(cipher);
+if (cipherID == null) {
+throw new SocketException("Unsupported cipher: " + cipher);
+}
 }
 
 SSLSocket.setCipherPreferenceDefault(cipherID, enabled);
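Review bot: `Integer.parseInt(cipher.substring(2), 16)` throws `NumberFormatException` on malformed input such as `0x`, `0xZZ` or a value wider than an int; that is unchecked and escapes the `throws SocketException` contract callers rely on. Catch it and rethrow as `SocketException("Invalid cipher ID: " + cipher)`. Note also that the hex path skips the `cipherMap` lookup entirely, so an ID outside the curated map goes straight to `SSLSocket.setCipherPreferenceDefault`; validating it against `SSLSocket.getImplementedCipherSuites()` would give the same unsupported-cipher error for both spellings.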
-- 
2.9.3


[Pki-devel] [PATCH] 987 Allowing pki client-init without NSS database password.

2017-03-20 Thread Endi Sukma Dewata

The pki client-init has been modified to support creating NSS
database without password.

Pushed to master under trivial rule.

--
Endi S. Dewata
From 4c6a98d79a02fd0bf6e5da56835e8dd0ce2e7485 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" 
Date: Mon, 20 Mar 2017 01:21:34 +0100
Subject: [PATCH] Allowing pki client-init without NSS database password.

The pki client-init has been modified to support creating NSS
database without password.
---
 .../netscape/cmstools/client/ClientInitCLI.java| 30 ++
 1 file changed, 20 insertions(+), 10 deletions(-)

diff --git a/base/java-tools/src/com/netscape/cmstools/client/ClientInitCLI.java b/base/java-tools/src/com/netscape/cmstools/client/ClientInitCLI.java
index 96853913664d35012da4a4627ff9f96c9b8a9223..893b40b345c0aed00509295465a6d141cf524ed0 100644
--- a/base/java-tools/src/com/netscape/cmstools/client/ClientInitCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/client/ClientInitCLI.java
@@ -23,7 +23,9 @@ import java.io.File;
 import java.io.FileWriter;
 import java.io.InputStreamReader;
 import java.io.PrintWriter;
+import java.util.ArrayList;
 import java.util.Arrays;
+import java.util.List;
 
 import org.apache.commons.cli.CommandLine;
 import org.apache.commons.io.FileUtils;
@@ -67,10 +69,6 @@ public class ClientInitCLI extends CLI {
 
 MainCLI mainCLI = (MainCLI)parent.getParent();
 
-if (mainCLI.config.getCertPassword() == null) {
-throw new Exception("Security database password is required.");
-}
-
 boolean force = cmd.hasOption("force");
 File certDatabase = mainCLI.certDatabase;
 
@@ -97,16 +95,28 @@ public class ClientInitCLI extends CLI {
 File passwordFile = new File(certDatabase, "password.txt");
 
 try {
-try (PrintWriter out = new PrintWriter(new FileWriter(passwordFile))) {
-out.println(mainCLI.config.getCertPassword());
-}
-
 String[] commands = {
 "/usr/bin/certutil", "-N",
 "-d", certDatabase.getAbsolutePath(),
-"-f", passwordFile.getAbsolutePath()
 };
 
+List list = new ArrayList<>(Arrays.asList(commands));
+
+if (mainCLI.config.getCertPassword() == null) {
+list.add("--empty-password");
+
+} else {
+try (PrintWriter out = new PrintWriter(new FileWriter(passwordFile))) {
+out.println(mainCLI.config.getCertPassword());
+}
+
+list.add("-f");
+list.add(passwordFile.getAbsolutePath());
+}
+
+commands = new String[list.size()];
+list.toArray(commands);
+
 Runtime rt = Runtime.getRuntime();
 Process p = rt.exec(commands);
 
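Review bot: `List list = new ArrayList<>(Arrays.asList(commands));` uses a raw `List`, which compiles only with rawtypes/unchecked warnings; declare it `List<String> list` and replace the two-line array copy with `commands = list.toArray(new String[0]);`. Separately, `password.txt` is created via `FileWriter` with the process's default umask before certutil reads it, so the NSS database password can briefly be readable by other users in the cert database directory; create it owner-only first (for example `Files.createFile(path, PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rw-------")))`) and then write to it.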
@@ -119,7 +129,7 @@ public class ClientInitCLI extends CLI {
 MainCLI.printMessage("Client initialized");
 
 } finally {
-passwordFile.delete();
+if (passwordFile.exists()) passwordFile.delete();
 }
 }
 }
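Review bot: the `exists()` guard is redundant, since `File.delete()` already returns `false` for a missing file; what matters is the return value, which is still ignored, so a failed delete silently leaves `password.txt` with the NSS password on disk. Use `Files.deleteIfExists(passwordFile.toPath())` and report the `IOException` (or at least log it) instead of swallowing the failure.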
-- 
2.9.3


[Pki-devel] [PATCH] 989 Allowing client cert auth without NSS database password.

2017-03-20 Thread Endi Sukma Dewata

The PKI CLI has been modified to support client cert authentication
without NSS database password.

Pushed to master under trivial rule.

--
Endi S. Dewata
From 516e9360f96721bdbd0301b12120c9d47225e5e4 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" 
Date: Tue, 21 Mar 2017 02:46:12 +0100
Subject: [PATCH] Allowing client cert auth without NSS database password.

The PKI CLI has been modified to support client cert authentication
without NSS database password.
---
 base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java | 11 ---
 1 file changed, 11 deletions(-)

diff --git a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
index 6536951733dda38ef27b48871ff945aa55eb58de..d7246d60ccdd7357fa236acca959c27de1e07510 100644
--- a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
@@ -366,9 +366,6 @@ public class MainCLI extends CLI {
 
 if (certPasswordFile != null && certPassword != null) {
 throw new Exception("The '-C' and '-c' options are mutually exclusive.");
-
-} else if (certPasswordFile == null && certPassword == null) {
-throw new Exception("Missing security database password.");
 }
 
 } else if (username != null) { // basic authentication
@@ -402,14 +399,6 @@ public class MainCLI extends CLI {
 // XXX TBD set client security database token
 
 certPassword = tokenPasswordPair[1];
-
-} else if (certNickname != null && certPassword == null) {
-// prompt for security database password if required for authentication
-//
-// NOTE:  This overrides the password callback provided
-//by JSS for NSS security database authentication.
-//
-certPassword = promptForPassword("Enter Client Security Database Password: ");
 }
 
 // store security database password
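Review bot: with the interactive prompt removed, a client certificate nickname against a password-protected NSS database now depends entirely on the JSS password callback that the deleted NOTE says this code used to override; confirm that path still prompts, or fails with a clear error, rather than failing the TLS handshake with an opaque message. The commit message should also say that `-c` and `-C` are now the only ways to supply the database password.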
-- 
2.9.3


[Pki-devel] [PATCH] 0988 Allowing pki pkcs12-import without NSS database password.

2017-03-20 Thread Endi Sukma Dewata

The pki.nssdb module has been modified to support operations
without NSS database password.

Pushed to master under trivial rule.

--
Endi S. Dewata
From 2c4beb83a1dd772e02f5809e610319fcf1812034 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" 
Date: Mon, 20 Mar 2017 01:28:05 +0100
Subject: [PATCH] Allowing pki pkcs12-import without NSS database password.

The pki.nssdb module has been modified to support operations
without NSS database password.
---
 base/common/python/pki/nssdb.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/base/common/python/pki/nssdb.py b/base/common/python/pki/nssdb.py
index 430cacd83ee7eb6edd4f965e18d941ddb141251c..cad89081eee7fd4d34b5be6bddf3ddbc3b65bec5 100644
--- a/base/common/python/pki/nssdb.py
+++ b/base/common/python/pki/nssdb.py
@@ -123,7 +123,7 @@ class NSSDatabase(object):
 self.password_file = password_file
 
 else:
-raise Exception('Missing NSS database password')
+self.password_file = None
 
 if internal_password:
 # Store the specified internal token into password file.
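Review bot: setting `self.password_file = None` moves the failure from construction time to every method that later builds a certutil or pk12util command with `'-f', self.password_file`, where `subprocess` raises `TypeError` on a `None` argument. Each command builder in `NSSDatabase` needs a guard that appends the `-f` pair only when `self.password_file` is set, mirroring the `--empty-password` handling in the Java `ClientInitCLI` patch (0987).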
-- 
2.9.3


[Pki-devel] [PATCH] 984 Added pki.conf parameter for default SSL ciphers.

2017-03-19 Thread Endi Sukma Dewata

A new parameter has been added to pki.conf to enable/disable the
default SSL ciphers for PKI CLI.

Pushed to master under trivial rule.

--
Endi S. Dewata
From de4b48b9e4523a865e74f8122e130e976b124410 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" 
Date: Sun, 19 Mar 2017 21:47:08 +0100
Subject: [PATCH] Added pki.conf parameter for default SSL ciphers.

A new parameter has been added to pki.conf to enable/disable the
default SSL ciphers for PKI CLI.
---
 base/common/share/etc/pki.conf | 5 +
 base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java | 7 ++-
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/base/common/share/etc/pki.conf b/base/common/share/etc/pki.conf
index e6d53714d6378ffa04327363f8089b819b67ae39..9f4df6371fea716c9e6097aedfd79486bc91dc5b 100644
--- a/base/common/share/etc/pki.conf
+++ b/base/common/share/etc/pki.conf
@@ -32,6 +32,11 @@ export SSL_DATAGRAM_VERSION_MIN
 SSL_DATAGRAM_VERSION_MAX="TLS_1_2"
 export SSL_DATAGRAM_VERSION_MAX
 
+# SSL default ciphers
+# This boolean parameter determines whether to enable default SSL ciphers.
+SSL_DEFAULT_CIPHERS="true"
+export SSL_DEFAULT_CIPHERS
+
 # SSL ciphers
 # This parameter lists SSL ciphers to enable in addition to the default ciphers.
 # The list contains IANA-registered cipher names separated by white spaces.
diff --git a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
index 053d72c4e55dfe125fb110044acc048f48939ea1..83090a108a15997039fe217aa0a0296a54f59cf9 100644
--- a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
@@ -537,7 +537,12 @@ public class MainCLI extends CLI {
 SSLVersion.valueOf(datagramVersionMax)
 );
 
-CryptoUtil.setDefaultSSLCiphers();
+String defaultCiphers = System.getenv("SSL_DEFAULT_CIPHERS");
+if (Boolean.parseBoolean(defaultCiphers)) {
+CryptoUtil.setDefaultSSLCiphers();
+} else {
+CryptoUtil.unsetSSLCiphers();
+}
 
 String ciphers = System.getenv("SSL_CIPHERS");
 CryptoUtil.setSSLCiphers(ciphers);
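Review bot: `Boolean.parseBoolean(null)` returns `false`, so when `SSL_DEFAULT_CIPHERS` is absent from the environment (an older `pki.conf`, or the CLI launched without sourcing it) this branch calls `unsetSSLCiphers()` and the CLI is left with no enabled cipher suites unless `SSL_CIPHERS` happens to be set. Treat an unset variable as `true`: `if (defaultCiphers == null || Boolean.parseBoolean(defaultCiphers))`.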
-- 
2.9.3


[Pki-devel] [PATCH] 980 Fixed error handling in CryptoUtil.unsetSSLCiphers().

2017-03-19 Thread Endi Sukma Dewata

The CryptoUtil.unsetSSLCiphers() has been modified not to ignore
exceptions.

Pushed to master under trivial rule.

--
Endi S. Dewata
From cdffde5b5449db804e98ccac624cdc5eeab29dce Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" 
Date: Sun, 19 Mar 2017 19:52:51 +0100
Subject: [PATCH] Fixed error handling in CryptoUtil.unsetSSLCiphers().

The CryptoUtil.unsetSSLCiphers() has been modified not to ignore
exceptions.
---
 base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java | 14 +++---
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
index 17d314a010a8ba3e4c30e41c8816c14979cfb86a..70aaa373fc3a9e0ed9d533aaaf61de87912e4d7b 100644
--- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
+++ b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
@@ -985,13 +985,13 @@ public class CryptoUtil {
 /*
  * unset all implemented cipehrs; for enforcing strict list of ciphers
  */
-private static void unsetSSLCiphers() throws SocketException {
-int ciphers[] = SSLSocket.getImplementedCipherSuites();
-try {
-for (int i = 0; ciphers != null && i < ciphers.length; i++) {
-SSLSocket.setCipherPreferenceDefault(ciphers[i], false);
-}
-} catch (Exception e) {
+public static void unsetSSLCiphers() throws SocketException {
+
+int cipherIDs[] = SSLSocket.getImplementedCipherSuites();
+if (cipherIDs == null) return;
+
+for (int cipherID : cipherIDs) {
+SSLSocket.setCipherPreferenceDefault(cipherID, false);
 }
 }
 
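Review bot: besides the error-handling fix, this hunk changes `unsetSSLCiphers()` from `private` to `public`, which widens the `CryptoUtil` API and is not mentioned in the commit message; call it out there. While the block is being edited, also fix `cipehrs` in the comment above the signature.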
-- 
2.9.3


[Pki-devel] [PATCH] 982 Refactored CryptoUtil.setClientCiphers().

2017-03-19 Thread Endi Sukma Dewata

The code that converts cipher name into cipher ID and enables
the cipher in CryptoUtil.setClientCiphers() has been moved into
a separate method.

Pushed to master under trivial rule.

--
Endi S. Dewata
From af7be30e164b1aebbb0e6eaf1fbfc6b9fb46360e Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" 
Date: Sun, 19 Mar 2017 20:16:53 +0100
Subject: [PATCH] Refactored CryptoUtil.setClientCiphers().

The code that converts cipher name into cipher ID and enables
the cipher in CryptoUtil.setClientCiphers() has been moved into
a separate method.
---
 .../src/com/netscape/cmsutil/crypto/CryptoUtil.java | 17 +++--
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
index 729d71d63edc84d6681ddd3e5299e877d8ea8250..d708230e3597f0834d0d2e184bd5df2b8efd53f5 100644
--- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
+++ b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
@@ -48,8 +48,8 @@ import java.util.Vector;
 
 import org.apache.commons.lang.StringUtils;
 import org.mozilla.jss.CryptoManager;
-import org.mozilla.jss.CryptoManager.NotInitializedException;
 import org.mozilla.jss.NoSuchTokenException;
+import org.mozilla.jss.CryptoManager.NotInitializedException;
 import org.mozilla.jss.SecretDecoderRing.KeyManager;
 import org.mozilla.jss.asn1.ANY;
 import org.mozilla.jss.asn1.ASN1Util;
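Review bot: swapping the `NotInitializedException` and `NoSuchTokenException` import lines is unrelated to the described refactoring and looks like IDE reordering; drop it so the diff contains only the `setSSLCipher()` extraction.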
@@ -105,6 +105,7 @@ import org.mozilla.jss.ssl.SSLSocket.SSLVersionRange;
 import org.mozilla.jss.util.Base64OutputStream;
 import org.mozilla.jss.util.Password;
 
+import com.netscape.cmsutil.crypto.CryptoUtil.SSLVersion;
 import com.netscape.cmsutil.util.Cert;
 import com.netscape.cmsutil.util.Utils;
 
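Review bot: `import com.netscape.cmsutil.crypto.CryptoUtil.SSLVersion;` imports a nested type of the very class being edited into itself; it is unnecessary (and some compilers warn on it) and should be left out of this patch.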
@@ -942,14 +943,18 @@ public class CryptoUtil {
 unsetSSLCiphers();
 
 for (String cipher : ciphers) {
+setSSLCipher(cipher, true);
+}
+}
 
-Integer cipherID = cipherMap.get(cipher);
-if (cipherID == null) {
-throw new SocketException("Unsupported cipher: " + cipher);
-}
+public static void setSSLCipher(String cipher, boolean enabled) throws SocketException {
 
-SSLSocket.setCipherPreferenceDefault(cipherID, true);
+Integer cipherID = cipherMap.get(cipher);
+if (cipherID == null) {
+throw new SocketException("Unsupported cipher: " + cipher);
 }
+
+SSLSocket.setCipherPreferenceDefault(cipherID, enabled);
 }
 
 public static void setDefaultSSLCiphers() throws SocketException {
-- 
2.9.3


[Pki-devel] [PATCH] 981 Fixed error handling in CryptoUtil.setClientCiphers().

2017-03-19 Thread Endi Sukma Dewata

The CryptoUtil.setClientCiphers() has been modified to throw
an exception on unsupported cipher.

Pushed to master under trivial rule.

--
Endi S. Dewata
From 035f37b6416e9b001ff49e06142751b974835a9b Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" 
Date: Sun, 19 Mar 2017 20:08:50 +0100
Subject: [PATCH] Fixed error handling in CryptoUtil.setClientCiphers().

The CryptoUtil.setClientCiphers() has been modified to throw
an exception on unsupported cipher.
---
 base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
index 70aaa373fc3a9e0ed9d533aaaf61de87912e4d7b..729d71d63edc84d6681ddd3e5299e877d8ea8250 100644
--- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
+++ b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
@@ -944,7 +944,9 @@ public class CryptoUtil {
 for (String cipher : ciphers) {
 
 Integer cipherID = cipherMap.get(cipher);
-if (cipherID == null) continue;
+if (cipherID == null) {
+throw new SocketException("Unsupported cipher: " + cipher);
+}
 
 SSLSocket.setCipherPreferenceDefault(cipherID, true);
 }
-- 
2.9.3


[Pki-devel] [PATCH] 979 Renamed CryptoUtil.setClientCiphers().

2017-03-19 Thread Endi Sukma Dewata

The setClientCiphers() in CryptoUtil has been renamed to
setDefaultSSLCiphers() for clarity.

Pushed to master under trivial rule.

--
Endi S. Dewata
From a168db3f36584a6a576daa91c993d18c134835fe Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" 
Date: Sun, 19 Mar 2017 18:44:06 +0100
Subject: [PATCH] Renamed CryptoUtil.setClientCiphers().

The setClientCiphers() in CryptoUtil has been renamed to
setDefaultSSLCiphers() for clarity.
---
 .../src/com/netscape/admin/certsrv/connection/JSSConnection.java  | 2 +-
 base/java-tools/src/com/netscape/cmstools/HttpClient.java | 2 +-
 base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java| 2 +-
 base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java | 4 ++--
 4 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/base/console/src/com/netscape/admin/certsrv/connection/JSSConnection.java b/base/console/src/com/netscape/admin/certsrv/connection/JSSConnection.java
index 8678b537886bc28b1ec81f9f61be8337b2f8c00f..5513155051d24c12e6c83a8aef5c2fd1b2cca6f4 100644
--- a/base/console/src/com/netscape/admin/certsrv/connection/JSSConnection.java
+++ b/base/console/src/com/netscape/admin/certsrv/connection/JSSConnection.java
@@ -121,7 +121,7 @@ public class JSSConnection implements IConnection, SSLCertificateApprovalCallbac
 
 CryptoUtil.setSSLStreamVersionRange(SSLVersion.TLS_1_0, SSLVersion.TLS_1_2);
 CryptoUtil.setSSLDatagramVersionRange(SSLVersion.TLS_1_1, SSLVersion.TLS_1_2);
-CryptoUtil.setClientCiphers();
+CryptoUtil.setDefaultSSLCiphers();
 
 s = new SSLSocket(host, port, null, 0, this, this);
 
diff --git a/base/java-tools/src/com/netscape/cmstools/HttpClient.java b/base/java-tools/src/com/netscape/cmstools/HttpClient.java
index aa3bd174385c4fa6a04ac5ce330a5a0d54b6973a..29b7446b4b6785b427affb511dd4d3d0d5d9d4e2 100644
--- a/base/java-tools/src/com/netscape/cmstools/HttpClient.java
+++ b/base/java-tools/src/com/netscape/cmstools/HttpClient.java
@@ -126,7 +126,7 @@ public class HttpClient {
 
 CryptoUtil.setSSLStreamVersionRange(SSLVersion.TLS_1_0, SSLVersion.TLS_1_2);
 CryptoUtil.setSSLDatagramVersionRange(SSLVersion.TLS_1_1, SSLVersion.TLS_1_2);
-CryptoUtil.setClientCiphers();
+CryptoUtil.setDefaultSSLCiphers();
 
 sslSocket = new SSLSocket(_host, _port);
 // SSLSocket.setSSLVersionRange() needs to be exposed in JSS
diff --git a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
index b3de8757f2fbf46a6a9cfdb6b770e20830037a2c..f2e0d08d948381421ee69d1cde2eb035a5a6467b 100644
--- a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
@@ -537,7 +537,7 @@ public class MainCLI extends CLI {
 SSLVersion.valueOf(datagramVersionMax)
 );
 
-CryptoUtil.setClientCiphers();
+CryptoUtil.setDefaultSSLCiphers();
 }
 
 public PKIClient getClient() throws Exception {
diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
index fccda69e4789ffbc4285099b2847a8aafdd2a694..17d314a010a8ba3e4c30e41c8816c14979cfb86a 100644
--- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
+++ b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
@@ -932,7 +932,7 @@ public class CryptoUtil {
 
 if (list == null) {
 // use default
-setClientCiphers();
+setDefaultSSLCiphers();
 return;
 }
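Review bot: the method this hunk sits in is still called setClientCiphers(String) while its fallback is now setDefaultSSLCiphers(); if the rename is for clarity, the String overload deserves the same treatment (setSSLCiphers(String) or similar), otherwise a reader sees "client" and "default" used for the same cipher set in adjacent methods.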
 
@@ -950,7 +950,7 @@ public class CryptoUtil {
 }
 }
 
-public static void setClientCiphers() throws SocketException {
+public static void setDefaultSSLCiphers() throws SocketException {
 
 int ciphers[] = SSLSocket.getImplementedCipherSuites();
 if (ciphers == null) return;
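Review bot: setDefaultSSLCiphers() enables whatever SSLSocket.getImplementedCipherSuites() returns, so "default" here means every suite the JSS build implements rather than a curated list, and the method has no javadoc saying so; add one line documenting that, and replace the silent `if (ciphers == null) return;` with at least a log message, since a null list means JSS is not usable and the caller will only find out when the handshake fails.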
-- 
2.9.3

___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel

[Pki-devel] [PATCH] 978 Added configuration parameters for SSL version ranges.

2017-03-19 Thread Endi Sukma Dewata

The hard-coded SSL version ranges in PKI CLI have been converted
into configurable parameters in the pki.conf.

Pushed to master under trivial rule.

--
Endi S. Dewata
From 31683301b69fda23893c80af7c34c42a75e1b906 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" 
Date: Fri, 17 Mar 2017 19:20:30 +0100
Subject: [PATCH] Added configuration parameters for SSL version ranges.

The hard-coded SSL version ranges in PKI CLI have been converted
into configurable parameters in the pki.conf.
---
 base/common/share/etc/pki.conf   | 14 ++
 .../src/com/netscape/cmstools/cli/MainCLI.java   | 20 ++--
 2 files changed, 32 insertions(+), 2 deletions(-)

diff --git a/base/common/share/etc/pki.conf b/base/common/share/etc/pki.conf
index 5eeb187922791c51c851e30a4b38475a20c6bd9b..617c07f9c57e79b6d49fc32ab0beb43b95580df2 100644
--- a/base/common/share/etc/pki.conf
+++ b/base/common/share/etc/pki.conf
@@ -17,3 +17,17 @@ export LOGGING_CONFIG
 # PKI CLI options
 PKI_CLI_OPTIONS=
 export PKI_CLI_OPTIONS
+
+# SSL version ranges
+# Valid values: SSL_3_0, TLS_1_0, TLS_1_1, TLS_1_2
+SSL_STREAM_VERSION_MIN="TLS_1_0"
+export SSL_STREAM_VERSION_MIN
+
+SSL_STREAM_VERSION_MAX="TLS_1_2"
+export SSL_STREAM_VERSION_MAX
+
+SSL_DATAGRAM_VERSION_MIN="TLS_1_1"
+export SSL_DATAGRAM_VERSION_MIN
+
+SSL_DATAGRAM_VERSION_MAX="TLS_1_2"
+export SSL_DATAGRAM_VERSION_MAX
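Review bot: the comment lists SSL_3_0 as a valid value without saying it should not be used; since this file is what administrators copy into /etc/pki/pki.conf, mark SSL_3_0 (and TLS_1_0) as legacy values that are accepted but insecure, or drop SSL_3_0 from the documented set. It would also help to state that the pki wrapper must source this file, because MainCLI in the next hunk has no fallback when these variables are missing.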
diff --git a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
index 8f575dbf738af06885fb80bfaec6ca996a8db401..b3de8757f2fbf46a6a9cfdb6b770e20830037a2c 100644
--- a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
@@ -519,8 +519,24 @@ public class MainCLI extends CLI {
 
 }
 
-CryptoUtil.setSSLStreamVersionRange(SSLVersion.TLS_1_0, SSLVersion.TLS_1_2);
-CryptoUtil.setSSLDatagramVersionRange(SSLVersion.TLS_1_1, SSLVersion.TLS_1_2);
+// See default SSL configuration in /usr/share/pki/etc/pki.conf.
+
+String streamVersionMin = System.getenv("SSL_STREAM_VERSION_MIN");
+String streamVersionMax = System.getenv("SSL_STREAM_VERSION_MAX");
+
+CryptoUtil.setSSLStreamVersionRange(
+SSLVersion.valueOf(streamVersionMin),
+SSLVersion.valueOf(streamVersionMax)
+);
+
+String datagramVersionMin = System.getenv("SSL_DATAGRAM_VERSION_MIN");
+String datagramVersionMax = System.getenv("SSL_DATAGRAM_VERSION_MAX");
+
+CryptoUtil.setSSLDatagramVersionRange(
+SSLVersion.valueOf(datagramVersionMin),
+SSLVersion.valueOf(datagramVersionMax)
+);
+
 CryptoUtil.setClientCiphers();
 }
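Review bot: SSLVersion.valueOf(streamVersionMin) throws NullPointerException when SSL_STREAM_VERSION_MIN is unset (MainCLI started directly with java, or a pki.conf copied before these lines existed) and IllegalArgumentException with a message that does not name the configuration variable when it is mistyped; read each variable with a fallback to the previous hard-coded value and wrap the conversion so the error reads like `Invalid SSL_STREAM_VERSION_MIN: TLS_1`. A check that min is not above max is also missing, since an inverted range leaves nothing to negotiate. Note too that PKIConnection in patch 971 below sets the same process-wide JSS defaults back to TLS_1_0..TLS_1_2 when it builds a socket, so unless it is updated to read these variables the configured values are undone before the first connection.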
 
-- 
2.9.3

___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel

[Pki-devel] [PATCH] 977 Fixed PKIClient initialization in PKI CLI.

2017-03-19 Thread Endi Sukma Dewata

The PKI CLI has been modified such that it initializes the
PKIClient (and retrieves the access banner) only if the CLI
needs to access the PKI server.

https://pagure.io/dogtagpki/issue/2612

Pushed to master under trivial rule.

--
Endi S. Dewata
From 6bcb89b55db870766ddcf09002a5997b323bd196 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" 
Date: Sat, 18 Mar 2017 07:45:30 +0100
Subject: [PATCH] Fixed PKIClient initialization in PKI CLI.

The PKI CLI has been modified such that it initializes the
PKIClient (and retrieves the access banner) only if the CLI
needs to access the PKI server.

https://pagure.io/dogtagpki/issue/2612
---
 base/java-tools/src/com/netscape/cmstools/cli/CLI.java  |  2 +-
 base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java  | 11 +++
 base/java-tools/src/com/netscape/cmstools/cli/ProxyCLI.java |  2 +-
 3 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/base/java-tools/src/com/netscape/cmstools/cli/CLI.java b/base/java-tools/src/com/netscape/cmstools/cli/CLI.java
index 0a9106705f6d965b62b2600710ffb855b3a94485..65fad75e017ed57df871b45c7ce3009ca9f91857 100644
--- a/base/java-tools/src/com/netscape/cmstools/cli/CLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/cli/CLI.java
@@ -183,7 +183,7 @@ public class CLI {
 return null;
 }
 
-public PKIClient getClient() {
+public PKIClient getClient() throws Exception {
 return client;
 }
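Review bot: `throws Exception` on getClient() forces every caller to handle or rethrow the broadest checked type; the only new failure modes are PKIClient construction and the access banner round trip, so a narrower type would let callers tell a connection error from a declined banner instead of catching Exception.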
 
diff --git a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
index 4c0a9182341f62b8718f4202b0825a7cdc2068d4..8f575dbf738af06885fb80bfaec6ca996a8db401 100644
--- a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
@@ -522,6 +522,15 @@ public class MainCLI extends CLI {
 CryptoUtil.setSSLStreamVersionRange(SSLVersion.TLS_1_0, SSLVersion.TLS_1_2);
 CryptoUtil.setSSLDatagramVersionRange(SSLVersion.TLS_1_1, SSLVersion.TLS_1_2);
 CryptoUtil.setClientCiphers();
+}
+
+public PKIClient getClient() throws Exception {
+
+if (client != null) return client;
+
+if (verbose) {
+System.out.println("Initializing PKIClient");
+}
 
 client = new PKIClient(config, null);
 client.setVerbose(verbose);
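Review bot: the lazy path only runs through MainCLI.getClient(), but CLI.getClient() in the first hunk still returns the `client` field directly and nothing in this patch populates it any more, so any CLI subclass that does not override getClient() and relies on the inherited field now gets null where init() used to have set it; verify that every module obtains the client from its parent (ProxyCLI does, via module.getClient()) and consider making the field private. The `client != null` check is unsynchronised, which is fine for a single-threaded CLI but deserves a comment.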
@@ -558,6 +567,8 @@ public class MainCLI extends CLI {
 }
 }
 }
+
+return client;
 }
 
 public void execute(String[] args) throws Exception {
diff --git a/base/java-tools/src/com/netscape/cmstools/cli/ProxyCLI.java b/base/java-tools/src/com/netscape/cmstools/cli/ProxyCLI.java
index c5387cf0320c65459102f38f9f8b3d50ad060055..1cf6feaf2b044f2ec7473cdf0a1810761097ac1b 100644
--- a/base/java-tools/src/com/netscape/cmstools/cli/ProxyCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/cli/ProxyCLI.java
@@ -87,7 +87,7 @@ public class ProxyCLI extends CLI {
 return module.removeModule(name);
 }
 
-public PKIClient getClient() {
+public PKIClient getClient() throws Exception {
 return module.getClient();
 }
 
-- 
2.9.3

___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel

[Pki-devel] [PATCH] 976 Cleaned up CryptoUtil.setClientCiphers(String).

2017-03-17 Thread Endi Sukma Dewata

The CryptoUtil.setClientCiphers(String) has been reformatted to
simplify future refactoring.

Pushed to master under trivial rule.

--
Endi S. Dewata
From 2b9f9b7ef9e936dc5dc7ecc7bcc4c2fd8236dd1f Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" 
Date: Sat, 18 Mar 2017 03:33:10 +0100
Subject: [PATCH] Cleaned up CryptoUtil.setClientCiphers(String).

The CryptoUtil.setClientCiphers(String) has been reformatted to
simplify future refactoring.
---
 .../com/netscape/cmsutil/crypto/CryptoUtil.java| 41 +-
 1 file changed, 17 insertions(+), 24 deletions(-)

diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
index f8b087120f88587084fa32c66bb27a0b3e903d65..fccda69e4789ffbc4285099b2847a8aafdd2a694 100644
--- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
+++ b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
@@ -928,32 +928,25 @@ public class CryptoUtil {
 
 }
 
+public static void setClientCiphers(String list) throws SocketException {
 
-// if clientOverrideCiphers is provided in config, use it
-public static void setClientCiphers(String clientOverrideCiphers)
-throws SocketException {
-if (clientOverrideCiphers != null) {
-String strCiphers[] = clientOverrideCiphers.split(",");
-if (strCiphers.length != 0) {
-unsetSSLCiphers();
-int cipherid;
-for (int i=0; i< strCiphers.length; i++) {
-Object mapValue;
-
-mapValue = cipherMap.get(strCiphers[i]);
-if (mapValue == null) {
-cipherid = 0;
-} else {
-cipherid = (Integer) mapValue;
-}
-if (cipherid != 0) {
-SSLSocket.setCipherPreferenceDefault(cipherid, true);
-}
-}
-}
-return;
-} else { //use default
+if (list == null) {
+// use default
 setClientCiphers();
+return;
+}
+
+String ciphers[] = list.split(",");
+if (ciphers.length == 0) return;
+
+unsetSSLCiphers();
+
+for (String cipher : ciphers) {
+
+Integer cipherID = cipherMap.get(cipher);
+if (cipherID == null) continue;
+
+SSLSocket.setCipherPreferenceDefault(cipherID, true);
 }
 }
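Review bot: unknown names are skipped with `continue` after unsetSSLCiphers() has already disabled everything, so a typo in the override list silently drops that cipher, and `list.split(",")` never returns an empty array (an empty string yields one empty element), so the `ciphers.length == 0` check is dead and an empty override string disables every cipher without a word. The old code behaved the same way, but since this is a tidy-up ahead of further refactoring it is the right moment to trim each name, reject unknown ones with an exception or at least a log line, and treat an empty list as "use defaults".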
 
-- 
2.9.3

___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel

[Pki-devel] [PATCH] 974 Default NSS database for PKI CLI.

2017-03-17 Thread Endi Sukma Dewata

The PKI CLI has been modified to create a default NSS database
without a password if there is no existing database at the
expected location.

Pushed to master under trivial rule.

--
Endi S. Dewata
From 8b85ace2a2761c8451a11b4df8f142bd291cd6d4 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" 
Date: Fri, 17 Mar 2017 07:55:11 +0100
Subject: [PATCH] Default NSS database for PKI CLI.

The PKI CLI has been modified to create a default NSS database
without a password if there is no existing database at the
expected location.
---
 .../src/com/netscape/cmstools/cli/MainCLI.java | 28 ++
 1 file changed, 24 insertions(+), 4 deletions(-)

diff --git a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
index 0a9ddf0a6db3a205cdc0a11bdaa521d883f22d05..75904edc69b822b56007c0935f66d8b1b20960a3 100644
--- a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
@@ -467,12 +467,32 @@ public class MainCLI extends CLI {
 
 public void init() throws Exception {
 
-// Main program should initialize client security database
-if (certDatabase.exists()) {
-if (verbose) System.out.println("Initializing client security database");
-CryptoManager.initialize(certDatabase.getAbsolutePath());
+// Create security database if it doesn't exist
+if (!certDatabase.exists()) {
+
+if (verbose) System.out.println("Creating security database");
+
+certDatabase.mkdirs();
+
+String[] commands = {
+"/usr/bin/certutil", "-N",
+"-d", certDatabase.getAbsolutePath(),
+"--empty-password"
+};
+
+Runtime rt = Runtime.getRuntime();
+Process p = rt.exec(commands);
+
+int rc = p.waitFor();
+if (rc != 0) {
+throw new Exception("Unable to create security database: " + certDatabase.getAbsolutePath() + " (rc: " + rc + ")");
+}
 }
 
+// Main program should initialize security database
+if (verbose) System.out.println("Initializing security database");
+CryptoManager.initialize(certDatabase.getAbsolutePath());
+
 // If password is specified, use password to access security token
 if (config.getCertPassword() != null) {
 if (verbose) System.out.println("Logging into security token");
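Review bot: the database is created with `--empty-password`, so any certificate and private key later imported into ~/.dogtag/nssdb is protected only by file permissions, yet `certDatabase.mkdirs()` runs with the process umask and its return value is ignored; create the directory owner-only (or verify the mode after mkdirs), fail if creation did not succeed, and say in the commit message or the verbose output that the default database has no password. Capturing certutil's stderr would make the rc-only error actionable, and `/usr/bin/certutil` is hard-coded where a PATH lookup or a configurable location would be more portable.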
-- 
2.9.3

___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel

[Pki-devel] [PATCH] 973 Added missing Eclipse dependency.

2017-03-17 Thread Endi Sukma Dewata

The Eclipse .classpath file has been modified to include
tomcat-coyote.jar to avoid build problem.

Pushed to master under trivial rule.

--
Endi S. Dewata
From 686303c3b71f9c929face7c0f947cf7563e9da68 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" 
Date: Fri, 17 Mar 2017 06:41:44 +0100
Subject: [PATCH] Added missing Eclipse dependency.

The Eclipse .classpath file has been modified to include
tomcat-coyote.jar to avoid build problem.
---
 .classpath | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.classpath b/.classpath
index 88b1903ce06d7819feff7a370397332d01727373..55096b8312eea1d0e27df2ceefc84bad27d2bfbd 100644
--- a/.classpath
+++ b/.classpath
@@ -64,5 +64,6 @@
 	
 	
 	
+	
 	
 
-- 
2.9.3

___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel

[Pki-devel] [PATCH] 971 Removed duplicate code to configure SSL version ranges.

2017-03-17 Thread Endi Sukma Dewata

The duplicate code for configuring default SSL version ranges has
been merged into reusable methods in CryptoUtil.

Pushed to master under trivial rule.

--
Endi S. Dewata
From 4d6e6d05d5270a0e81ae12e2583cae9c49667c88 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" 
Date: Fri, 17 Mar 2017 02:01:20 +0100
Subject: [PATCH] Removed duplicate code to configure SSL version ranges.

The duplicate code for configuring default SSL version ranges has
been merged into reusable methods in CryptoUtil.
---
 .../com/netscape/certsrv/client/PKIConnection.java | 27 ++--
 .../admin/certsrv/connection/JSSConnection.java| 73 --
 .../src/com/netscape/cmstools/HttpClient.java  | 24 ++-
 .../com/netscape/cmsutil/crypto/CryptoUtil.java| 24 +++
 4 files changed, 74 insertions(+), 74 deletions(-)

diff --git a/base/common/src/com/netscape/certsrv/client/PKIConnection.java b/base/common/src/com/netscape/certsrv/client/PKIConnection.java
index 301c4c69b5e14181dae3471156d046b643727d54..2c979eac22db32036b2653a510a561e0a979d7a9 100644
--- a/base/common/src/com/netscape/certsrv/client/PKIConnection.java
+++ b/base/common/src/com/netscape/certsrv/client/PKIConnection.java
@@ -84,7 +84,7 @@ import org.mozilla.jss.ssl.SSLSocket;
 
 import com.netscape.certsrv.base.PKIException;
 import com.netscape.cmsutil.crypto.CryptoUtil;
-
+import com.netscape.cmsutil.crypto.CryptoUtil.SSLVersion;
 
 public class PKIConnection {
 
@@ -332,24 +332,8 @@ public class PKIConnection {
 localAddr = localAddress.getAddress();
 }
 
-org.mozilla.jss.ssl.SSLSocket.SSLVersionRange stream_range =
-new org.mozilla.jss.ssl.SSLSocket.SSLVersionRange(
-org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_0,
-org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_2);
-
-SSLSocket.setSSLVersionRangeDefault(
-org.mozilla.jss.ssl.SSLSocket.SSLProtocolVariant.STREAM,
-stream_range);
-
-org.mozilla.jss.ssl.SSLSocket.SSLVersionRange datagram_range =
-new org.mozilla.jss.ssl.SSLSocket.SSLVersionRange(
-org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_1,
-org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_2);
-
-SSLSocket.setSSLVersionRangeDefault(
-org.mozilla.jss.ssl.SSLSocket.SSLProtocolVariant.DATA_GRAM,
-datagram_range);
-
+CryptoUtil.setSSLStreamVersionRange(SSLVersion.TLS_1_0, SSLVersion.TLS_1_2);
+CryptoUtil.setSSLDatagramVersionRange(SSLVersion.TLS_1_1, SSLVersion.TLS_1_2);
 CryptoUtil.setClientCiphers();
 
 SSLSocket socket;
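Review bot: setSSLStreamVersionRange and setSSLDatagramVersionRange wrap SSLSocket.setSSLVersionRangeDefault, which is process-wide JSS state, so every PKIConnection resets the default for all sockets in the JVM rather than configuring its own; the comment in the next hunk shows the per-socket setter is not exposed yet, so this is the only option, but it should be said in a comment here, and the TLS_1_0 floor should live in one place instead of being repeated by each caller.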
@@ -364,8 +348,9 @@ public class PKIConnection {
 } else {
 socket = new SSLSocket(sock, hostName, callback, null);
 }
-// setSSLVersionRange needs to be exposed in jss
-//socket.setSSLVersionRange(org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_0, org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_2);
+
+// SSLSocket.setSSLVersionRange() needs to be exposed in JSS
+// socket.setSSLVersionRange(SSLVersionRange.tls1_0, SSLVersionRange.tls1_2);
 
 String certNickname = config.getCertNickname();
 if (certNickname != null) {
diff --git a/base/console/src/com/netscape/admin/certsrv/connection/JSSConnection.java b/base/console/src/com/netscape/admin/certsrv/connection/JSSConnection.java
index 6908ed992154ef3bd04124cc2ba116e49bb865cf..8678b537886bc28b1ec81f9f61be8337b2f8c00f 100644
--- a/base/console/src/com/netscape/admin/certsrv/connection/JSSConnection.java
+++ b/base/console/src/com/netscape/admin/certsrv/connection/JSSConnection.java
@@ -17,24 +17,45 @@
 // --- END COPYRIGHT BLOCK ---
 package com.netscape.admin.certsrv.connection;
 
-import java.util.*;
-import java.net.*;
-import java.io.*;
+import java.awt.Container;
+import java.awt.GridBagConstraints;
+import java.awt.GridBagLayout;
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.io.PrintStream;
+import java.net.SocketException;
+import java.net.UnknownHostException;
 import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
-import com.netscape.admin.certsrv.*;
-import com.netscape.certsrv.common.*;
-import com.netscape.management.client.util.Debug;
-import com.netscape.management.client.util.*;
-import org.mozilla.jss.ssl.*;
-import org.mozilla.jss.*;
-import org.mozilla.jss.util.*;
-import org.mozilla.jss.crypto.*;
-import org.mozilla.jss.pkcs11.*;
-import javax.swing.*;
-import java.awt.*;
+import java.util.Enumeration;
+import java.util.ResourceBundle;
+import java.util.Vector;
 
+import javax.swing.JComboBox;
+import javax.swing.JFrame;
+import javax.swing.JLabel;
+
+import 

[Pki-devel] [PATCH] 970 Exporting environment variables for PKI client.

2017-03-16 Thread Endi Sukma Dewata

The default pki.conf has been modified to export the environment
variables such that they can be used by PKI client.

Pushed to master under trivial rule.

--
Endi S. Dewata
From f2c3331176be82317cd5401b8b69d8adef18b188 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" 
Date: Thu, 16 Mar 2017 06:22:09 +0100
Subject: [PATCH] Exporting environment variables for PKI client.

The default pki.conf has been modified to export the environment
variables such that they can be used by PKI client.
---
 base/common/python/pki/cli/main.py | 26 +-
 base/common/share/etc/pki.conf |  8 
 2 files changed, 13 insertions(+), 21 deletions(-)

diff --git a/base/common/python/pki/cli/main.py b/base/common/python/pki/cli/main.py
index 53e1b893a7e7a5f80c309039e08507b1ddf9c85e..268547bfc1544b2019aa004b2076bd93b3294a07 100644
--- a/base/common/python/pki/cli/main.py
+++ b/base/common/python/pki/cli/main.py
@@ -21,6 +21,7 @@
 
 from __future__ import absolute_import
 from __future__ import print_function
+import os
 import shlex
 import subprocess
 import sys
@@ -70,23 +71,9 @@ class PKICLI(pki.cli.CLI):
 
 def execute_java(self, args, stdout=sys.stdout):
 
-# read Java home
-value = subprocess.check_output(
-'. /usr/share/pki/etc/pki.conf && . /etc/pki/pki.conf && echo $JAVA_HOME',
-shell=True)
-java_home = value.decode(sys.getfilesystemencoding()).strip()
-
-# read PKI library
-value = subprocess.check_output(
-'. /usr/share/pki/etc/pki.conf && . /etc/pki/pki.conf && echo $PKI_LIB',
-shell=True)
-pki_lib = value.decode(sys.getfilesystemencoding()).strip()
-
-# read logging configuration path
-value = subprocess.check_output(
-'. /usr/share/pki/etc/pki.conf && . /etc/pki/pki.conf && echo $LOGGING_CONFIG',
-shell=True)
-logging_config = value.decode(sys.getfilesystemencoding()).strip()
+java_home = os.getenv('JAVA_HOME')
+pki_lib = os.getenv('PKI_LIB')
+logging_config = os.getenv('LOGGING_CONFIG')
 
 cmd = [
 java_home + '/bin/java',
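Review bot: dropping the `shell=True` subprocess calls is a good change, but os.getenv() returns None when the wrapper script has not sourced pki.conf (for instance when pki.cli.main is run directly), and `java_home + '/bin/java'` then dies with a TypeError; check the three variables up front and exit with a message naming the missing one, e.g. `JAVA_HOME is not set; run the pki command rather than pki.cli.main directly`.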
@@ -122,10 +109,7 @@ class PKICLI(pki.cli.CLI):
 def execute(self, argv):
 
 # append global options
-value = subprocess.check_output(
-'. /usr/share/pki/etc/pki.conf && . /etc/pki/pki.conf && echo $PKI_CLI_OPTIONS',
-shell=True)
-value = value.decode(sys.getfilesystemencoding()).strip()
+value = os.getenv('PKI_CLI_OPTIONS')
 args = shlex.split(value)
 args.extend(argv[1:])
 
diff --git a/base/common/share/etc/pki.conf b/base/common/share/etc/pki.conf
index 97f3777fed9d2b5274a4fb305c81234900857a88..5eeb187922791c51c851e30a4b38475a20c6bd9b 100644
--- a/base/common/share/etc/pki.conf
+++ b/base/common/share/etc/pki.conf
@@ -1,11 +1,19 @@
 # Java home
 JAVA_HOME=${JAVA_HOME}
+export JAVA_HOME
 
 # JNI jar file location
 JNI_JAR_DIR=/usr/lib/java
+export JNI_JAR_DIR
 
 # PKI library
 PKI_LIB=/usr/share/pki/lib
+export PKI_LIB
 
 # logging configuration location
 LOGGING_CONFIG=/usr/share/pki/etc/logging.properties
+export LOGGING_CONFIG
+
+# PKI CLI options
+PKI_CLI_OPTIONS=
+export PKI_CLI_OPTIONS
-- 
2.9.3

___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel

[Pki-devel] [PATCH] 969 Added cascading configuration for PKI CLI.

2017-03-15 Thread Endi Sukma Dewata

The PKI CLI has been modified to support cascading configuration
files: default, system-wide, and user-specific configuration.

The existing Python-based PKI CLI was moved into pki.cli.main
module. A new shell script was added as a replacement which will
read the configuration files and invoke the Python module.

Pushed to master under trivial rule.

--
Endi S. Dewata
From 07135b5906f97a8c68148a07484e63d6896f410b Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" 
Date: Wed, 15 Mar 2017 08:13:35 +0100
Subject: [PATCH] Added cascading configuration for PKI CLI.

The PKI CLI has been modified to support cascading configuration
files: default, system-wide, and user-specific configuration.

The existing Python-based PKI CLI was moved into pki.cli.main
module. A new shell script was added as a replacement which will
read the configuration files and invoke the Python module.
---
 .../bin/pki => common/python/pki/cli/main.py}  |   0
 base/java-tools/bin/pki| 233 ++---
 pylint-build-scan.py   |  13 +-
 tox.ini|   2 +-
 4 files changed, 20 insertions(+), 228 deletions(-)
 copy base/{java-tools/bin/pki => common/python/pki/cli/main.py} (100%)

diff --git a/base/java-tools/bin/pki b/base/common/python/pki/cli/main.py
similarity index 100%
copy from base/java-tools/bin/pki
copy to base/common/python/pki/cli/main.py
diff --git a/base/java-tools/bin/pki b/base/java-tools/bin/pki
index 53e1b893a7e7a5f80c309039e08507b1ddf9c85e..6060a6e112ea22645a1023e55543cd85dbfda1f8 100644
--- a/base/java-tools/bin/pki
+++ b/base/java-tools/bin/pki
@@ -1,7 +1,6 @@
-#!/usr/bin/python
-# Authors:
-# Endi S. Dewata 
+#!/bin/sh
 #
+# --- BEGIN COPYRIGHT BLOCK ---
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation; version 2 of the License.
@@ -15,222 +14,26 @@
 # with this program; if not, write to the Free Software Foundation, Inc.,
 # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-# Copyright (C) 2014 Red Hat, Inc.
+# Copyright (C) 2017 Red Hat, Inc.
 # All rights reserved.
+# --- END COPYRIGHT BLOCK ---
 #
 
-from __future__ import absolute_import
-from __future__ import print_function
-import shlex
-import subprocess
-import sys
-import traceback
+# default PKI configuration
+. /usr/share/pki/etc/pki.conf
 
-import pki.cli
-import pki.cli.pkcs12
+# system-wide PKI configuration
+if [ -f /etc/pki/pki.conf ]
+then
+. /etc/pki/pki.conf
+fi
 
+# user-specific PKI configuration
+if [ -f $HOME/.dogtag/pki.conf ]
+then
+. $HOME/.dogtag/pki.conf
+fi
 
-PYTHON_COMMANDS = ['pkcs12-import']
+python -m pki.cli.main "$@"
 
-
-class PKICLI(pki.cli.CLI):
-
-def __init__(self):
-super(PKICLI, self).__init__(
-'pki', 'PKI command-line interface')
-
-self.database = None
-self.password = None
-self.password_file = None
-self.token = None
-
-self.add_module(pki.cli.pkcs12.PKCS12CLI())
-
-def get_full_module_name(self, module_name):
-return module_name
-
-def print_help(self):
-print('Usage: pki [OPTIONS]')
-print()
-print('  --client-type  PKI client type (default: java)')
-print('   -dClient security database location ' +
-  '(default: ~/.dogtag/nssdb)')
-print('   -cClient security database password ' +
-  '(mutually exclusive to the -C option)')
-print('   -CClient-side password file ' +
-  '(mutually exclusive to the -c option)')
-print('  --tokenSecurity token name')
-print()
-print('  -v, --verboseRun in verbose mode.')
-print('  --debug  Show debug messages.')
-print('  --help   Show help message.')
-print()
-
-super(PKICLI, self).print_help()
-
-def execute_java(self, args, stdout=sys.stdout):
-
-# read Java home
-value = subprocess.check_output(
-'. /usr/share/pki/etc/pki.conf && . /etc/pki/pki.conf && echo $JAVA_HOME',
-shell=True)
-java_home = value.decode(sys.getfilesystemencoding()).strip()
-
-# read PKI library
-value = subprocess.check_output(
-'. /usr/share/pki/etc/pki.conf && . /etc/pki/pki.conf && echo $PKI_LIB',
-shell=True)
-pki_lib = value.decode(sys.getfilesystemencoding()).strip()
-
-# read logging configuration path
-value = subprocess.check_output(
-'. /usr/share/pki/etc/pki.conf && . /etc/pki/pki.conf && echo $LOGGING_CONFIG',
-shell=True)
-logging_config = value.decode(sys.getfilesystemencoding()).strip()
-
-cmd = [
-  
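Review bot: `[ -f $HOME/.dogtag/pki.conf ]` and the `.` that follows leave $HOME unquoted, so a home directory containing a space breaks both the test and the source; quote them. More important, the three files are executed as shell, not parsed: /etc/pki/pki.conf must therefore never be group- or world-writable, and the user file is arbitrary code run with the caller's privileges, which is acceptable for a per-user CLI but should be stated in the commit message, and when pki is run via sudo with HOME preserved it means root sources a file the invoking user controls. `python -m pki.cli.main` also resolves whichever python is first in PATH; the explicit interpreter the package is built for would be safer.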
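The cascading pki.conf lookup in patch 969 above and the SSL_*_VERSION_* parameters that patch 978 earlier on this page reads from it are easy to get wrong from the shell side: an unset variable, a typo, or a minimum above the maximum. What follows is an added example, not Dogtag PKI code: a small Python loader that merges KEY=VALUE files in the same default, system, user order and checks the version range parameters before a Java caller would hand them to SSLVersion.valueOf(). The file contents are constructed for the example; the list of valid values is the one in the pki.conf comment, and treating SSL_3_0 and TLS_1_0 as weak is this example's own assumption.

```python
"""Cascading pki.conf loader with SSL version-range checks.

Added example, not part of Dogtag PKI. It follows the lookup order of the
pki wrapper script (default, then /etc/pki/pki.conf, then ~/.dogtag/pki.conf)
for KEY=VALUE and `export KEY` lines, and checks the SSL_*_VERSION_*
parameters before a Java caller would pass them to SSLVersion.valueOf().
"""
import re
import shlex

# Valid values as listed in the pki.conf comment.
SSL_VERSIONS = ["SSL_3_0", "TLS_1_0", "TLS_1_1", "TLS_1_2"]
# Assumption of this example: anything below TLS 1.1 is reported as weak.
WEAK_VERSIONS = {"SSL_3_0", "TLS_1_0"}

RANGE_PARAMS = [
    ("SSL_STREAM_VERSION_MIN", "SSL_STREAM_VERSION_MAX"),
    ("SSL_DATAGRAM_VERSION_MIN", "SSL_DATAGRAM_VERSION_MAX"),
]

_ASSIGN = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)=(.*)$")
_VARREF = re.compile(r"\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?")


def parse_conf(text, env=None):
    """Parse shell-style assignments into a dict.

    Comment and `export NAME` lines are skipped, $VAR and ${VAR} are expanded
    from `env` plus earlier assignments in the same text, and values are
    unquoted with shlex so MIN="TLS_1_0" yields TLS_1_0.
    """
    scope = dict(env or {})
    result = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("export "):
            continue
        match = _ASSIGN.match(line)
        if not match:
            raise ValueError("not a KEY=VALUE line: %r" % raw)
        name, value = match.group(1), match.group(2)
        value = _VARREF.sub(lambda m: scope.get(m.group(1), ""), value)
        result[name] = " ".join(shlex.split(value))
        scope[name] = result[name]
    return result


def load_cascade(texts, env=None):
    """Merge configs in order; a later file overrides an earlier one."""
    merged = {}
    for text in texts:
        scope = dict(env or {})
        scope.update(merged)
        merged.update(parse_conf(text, env=scope))
    return merged


def check_ssl_ranges(conf):
    """Return the problems a Java caller would hit or should not accept:
    unset or unknown values (SSLVersion.valueOf throws), a minimum above
    the maximum (nothing to negotiate), and a weak minimum."""
    problems = []
    for lo_name, hi_name in RANGE_PARAMS:
        lo, hi = conf.get(lo_name), conf.get(hi_name)
        for name, value in ((lo_name, lo), (hi_name, hi)):
            if value is None:
                problems.append("%s is not set" % name)
            elif value not in SSL_VERSIONS:
                problems.append("%s=%s is not a valid SSLVersion" % (name, value))
        if (lo in SSL_VERSIONS and hi in SSL_VERSIONS
                and SSL_VERSIONS.index(lo) > SSL_VERSIONS.index(hi)):
            problems.append("%s=%s is above %s=%s" % (lo_name, lo, hi_name, hi))
        if lo in WEAK_VERSIONS:
            problems.append("%s=%s allows a deprecated protocol" % (lo_name, lo))
    return problems


# Constructed sample files, modelled on the pki.conf hunks in this thread.
DEFAULT_CONF = """\
# Java home
JAVA_HOME=${JAVA_HOME}
export JAVA_HOME

# PKI CLI options
PKI_CLI_OPTIONS=
export PKI_CLI_OPTIONS

# SSL version ranges
# Valid values: SSL_3_0, TLS_1_0, TLS_1_1, TLS_1_2
SSL_STREAM_VERSION_MIN="TLS_1_0"
export SSL_STREAM_VERSION_MIN
SSL_STREAM_VERSION_MAX="TLS_1_2"
export SSL_STREAM_VERSION_MAX
SSL_DATAGRAM_VERSION_MIN="TLS_1_1"
SSL_DATAGRAM_VERSION_MAX="TLS_1_2"
"""

# Constructed user override: raises the floor but mistypes the ceiling.
USER_CONF = """\
SSL_STREAM_VERSION_MIN="TLS_1_2"
SSL_STREAM_VERSION_MAX="TLS_1_3"
"""

if __name__ == "__main__":
    for files in ([DEFAULT_CONF], [DEFAULT_CONF, USER_CONF]):
        conf = load_cascade(files, env={"JAVA_HOME": "/usr/lib/jvm/java"})
        print(conf["SSL_STREAM_VERSION_MIN"], conf["SSL_STREAM_VERSION_MAX"])
        for problem in check_ssl_ranges(conf):
            print("  problem:", problem)
```

Run on the default file alone it reports only the TLS_1_0 floor as deprecated; with the user override merged on top it reports the mistyped TLS_1_3, which is exactly the value SSLVersion.valueOf() would reject at runtime. Sourcing the real files with sh and validating afterwards would be equivalent for well-formed input, but parsing them avoids executing a user-writable file just to inspect it.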

[Pki-devel] [PATCH] 966 Refactored PKIInstance.load().

2017-03-01 Thread Endi Sukma Dewata

The code that loads the password.conf in PKIInstance.load() has
been converted into a general purpose load_properties() method.
A corresponding store_properties() method has been added as well.

Pushed to master under trivial rule.

--
Endi S. Dewata
From 7810a55d0b967ff5355312e952fc4c7314a45f35 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" 
Date: Wed, 1 Mar 2017 07:08:11 +0100
Subject: [PATCH] Refactored PKIInstance.load().

The code that loads the password.conf in PKIInstance.load() has
been converted into a general purpose load_properties() method.
A corresponding store_properties() method has been added as well.
---
 base/common/python/pki/util.py| 33 +++
 base/server/python/pki/server/__init__.py | 14 +
 2 files changed, 34 insertions(+), 13 deletions(-)

diff --git a/base/common/python/pki/util.py b/base/common/python/pki/util.py
index 8a75ff6f500f86aa0e442577e48daf6913251d75..68118f439c76ad014a172dfbcba843692184c249 100644
--- a/base/common/python/pki/util.py
+++ b/base/common/python/pki/util.py
@@ -143,6 +143,39 @@ def customize_file(input_file, output_file, params):
 outfile.write(line)
 
 
+def load_properties(filename, properties):
+
+with open(filename) as f:
+
+lines = f.read().splitlines()
+
+for index, line in enumerate(lines):
+
+line = line.strip()
+
+if not line or line.startswith('#'):
+continue
+
+parts = line.split('=', 1)
+
+if len(parts) < 2:
+raise Exception('Missing delimiter in %s line %d' %
+(filename, index + 1))
+
+name = parts[0].strip()
+value = parts[1].strip()
+properties[name] = value
+
+
+def store_properties(filename, properties):
+
+with open(filename, 'w') as f:
+
+for name, value in properties.items():
+line = '%s=%s\n' % (name, value)
+f.write(line)
+
+
 def copytree(src, dst, symlinks=False, ignore=None):
 """
 Recursively copy a directory tree using copy2().
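Review bot: store_properties() is the inverse of a loader whose first user is password.conf, but it opens the file with the default umask, so a rewritten password file can end up group- or world-readable; open it with os.open(filename, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600) or copy the mode of the existing file, and write to a temporary file followed by os.rename so a crash mid-write does not truncate the only copy of the server passwords. It also discards comments and, on Python 2 dicts, the original ordering; if the file is meant to round-trip that limitation should be documented.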
diff --git a/base/server/python/pki/server/__init__.py b/base/server/python/pki/server/__init__.py
index d556312a7c0f87cfeda025abd9d6841939d220f1..70734c3db778167ba867deecdf21473de5012671 100644
--- a/base/server/python/pki/server/__init__.py
+++ b/base/server/python/pki/server/__init__.py
@@ -568,19 +568,7 @@ class PKIInstance(object):
 # load passwords
 self.passwords.clear()
 if os.path.exists(self.password_conf):
-
-lines = open(self.password_conf).read().splitlines()
-
-for index, line in enumerate(lines):
-if not line or line.startswith('#'):
-continue
-parts = line.split('=', 1)
-if len(parts) < 2:
-raise Exception('Missing delimiter in %s line %d' %
-(self.password_conf, index + 1))
-name = parts[0]
-value = parts[1]
-self.passwords[name] = value
+pki.util.load_properties(self.password_conf, self.passwords)
 
 self.load_external_certs(self.external_certs_conf)
 
-- 
2.5.5

___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel

Re: [Pki-devel] [PATCH] 964 Added access banner for PKI console.

2017-02-24 Thread Endi Sukma Dewata

On 2/23/2017 8:01 PM, Endi Sukma Dewata wrote:

The PKI console has been modified to retrieve access banner from
the server and ask for user confirmation at the beginning of the
program.

https://fedorahosted.org/pki/ticket/2582


Discussed the mechanism with cfu, which is similar to the one used in 
web UI in patch #957. Pushed to master.


--
Endi S. Dewata

___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel


Re: [Pki-devel] [PATCH] 963 Added access banner to TPS UI.

2017-02-24 Thread Endi Sukma Dewata

On 2/23/2017 8:01 PM, Endi Sukma Dewata wrote:

All pages in TPS UI have been modified to retrieve access banner
and display it once at the beginning of the SSL connection.

https://fedorahosted.org/pki/ticket/2582


Similar changes to patch #958. Pushed to master.

--
Endi S. Dewata

___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel


Re: [Pki-devel] [PATCH] 960 Added access banner to KRA UI.

2017-02-24 Thread Endi Sukma Dewata

On 2/23/2017 7:54 PM, Endi Sukma Dewata wrote:

All pages in KRA UI have been modified to retrieve access banner
and display it once at the beginning of the SSL connection.

https://fedorahosted.org/pki/ticket/2582


Similar changes to patch #958. Pushed to master.

--
Endi S. Dewata

___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel


[Pki-devel] [PATCH] 961 Added access banner to OCSP UI.

2017-02-23 Thread Endi Sukma Dewata

All pages in OCSP UI have been modified to retrieve access banner
and display it once at the beginning of the SSL connection.

https://fedorahosted.org/pki/ticket/2582

--
Endi S. Dewata
From ff03705118b644a6c731739b24846f3274a095d2 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" 
Date: Tue, 21 Feb 2017 09:33:31 -0600
Subject: [PATCH] Added access banner to OCSP UI.

All pages in OCSP UI have been modified to retrieve access banner
and display it once at the beginning of the SSL connection.

https://fedorahosted.org/pki/ticket/2582
---
 base/ocsp/shared/webapps/ocsp/404.html  | 8 ++--
 base/ocsp/shared/webapps/ocsp/500.html  | 8 ++--
 base/ocsp/shared/webapps/ocsp/GenUnexpectedError.template   | 9 -
 base/ocsp/shared/webapps/ocsp/agent/GenError.template   | 9 -
 base/ocsp/shared/webapps/ocsp/agent/GenPending.template | 9 -
 base/ocsp/shared/webapps/ocsp/agent/GenRejected.template| 9 -
 base/ocsp/shared/webapps/ocsp/agent/GenSuccess.template | 9 -
 base/ocsp/shared/webapps/ocsp/agent/GenSvcPending.template  | 9 -
 base/ocsp/shared/webapps/ocsp/agent/GenUnauthorized.template| 9 -
 base/ocsp/shared/webapps/ocsp/agent/GenUnexpectedError.template | 9 -
 base/ocsp/shared/webapps/ocsp/agent/header.template | 8 ++--
 base/ocsp/shared/webapps/ocsp/agent/index.jsp   | 8 
 base/ocsp/shared/webapps/ocsp/agent/index.template  | 8 ++--
 base/ocsp/shared/webapps/ocsp/agent/ocsp/AddCA.html | 6 ++
 base/ocsp/shared/webapps/ocsp/agent/ocsp/AddCRL.html| 6 ++
 base/ocsp/shared/webapps/ocsp/agent/ocsp/CheckCert.html | 6 ++
 base/ocsp/shared/webapps/ocsp/agent/ocsp/addCA.template | 6 ++
 base/ocsp/shared/webapps/ocsp/agent/ocsp/addCRL.template| 6 ++
 base/ocsp/shared/webapps/ocsp/agent/ocsp/checkCert.template | 6 ++
 base/ocsp/shared/webapps/ocsp/agent/ocsp/frameAddCA.html| 6 ++
 base/ocsp/shared/webapps/ocsp/agent/ocsp/frameAddCRL.html   | 6 ++
 base/ocsp/shared/webapps/ocsp/agent/ocsp/frameCheckCert.html| 6 ++
 base/ocsp/shared/webapps/ocsp/agent/ocsp/frameListCA.html   | 6 ++
 base/ocsp/shared/webapps/ocsp/agent/ocsp/frameOCSP.html | 6 ++
 base/ocsp/shared/webapps/ocsp/agent/ocsp/frameStats.html| 6 ++
 base/ocsp/shared/webapps/ocsp/agent/ocsp/getOCSPInfo.template   | 6 ++
 base/ocsp/shared/webapps/ocsp/agent/ocsp/getStats.template  | 6 ++
 base/ocsp/shared/webapps/ocsp/agent/ocsp/index.jsp  | 6 ++
 base/ocsp/shared/webapps/ocsp/agent/ocsp/listCAs.template   | 6 ++
 base/ocsp/shared/webapps/ocsp/agent/ocsp/menuAddCA.html | 6 ++
 base/ocsp/shared/webapps/ocsp/agent/ocsp/menuAddCRL.html| 6 ++
 base/ocsp/shared/webapps/ocsp/agent/ocsp/menuListCA.html| 6 ++
 base/ocsp/shared/webapps/ocsp/agent/ocsp/menuOCSP.html  | 6 ++
 base/ocsp/shared/webapps/ocsp/agent/ocsp/menuStats.html | 6 ++
 base/ocsp/shared/webapps/ocsp/agent/ocsp/removeCA.template  | 6 ++
 base/ocsp/shared/webapps/ocsp/agent/ports.template  | 8 ++--
 base/ocsp/shared/webapps/ocsp/index.jsp | 8 
 base/ocsp/shared/webapps/ocsp/services.template | 8 ++--
 38 files changed, 248 insertions(+), 20 deletions(-)

diff --git a/base/ocsp/shared/webapps/ocsp/404.html b/base/ocsp/shared/webapps/ocsp/404.html
index c78f6dacf006ad10dc70481939b3409bb6f0b031..4ea9486c4bd5faa77ea44c878ba7e6f12e7aa201 100755
--- a/base/ocsp/shared/webapps/ocsp/404.html
+++ b/base/ocsp/shared/webapps/ocsp/404.html
@@ -25,8 +25,12 @@ var port = location.port;
 
 
 
-
-
+
+
+
+
+
+
 
 
 $(function() {
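Review bot: the commit message says the banner is displayed once at the beginning of the SSL connection, yet this hunk adds the banner retrieval to 404.html and, per the diffstat, the same block is added to 37 other pages. Please state in the commit message how "once" is enforced client-side (what state the added script checks before showing the banner again), since nothing in the hunk's visible context around `$(function() {` indicates it.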
diff --git a/base/ocsp/shared/webapps/ocsp/500.html b/base/ocsp/shared/webapps/ocsp/500.html
index 522f62a9b39dedb1b6dfb9a362cd30352d03f589..3414e56d03623f66e47c66d0483ec3916984f36d 100755
--- a/base/ocsp/shared/webapps/ocsp/500.html
+++ b/base/ocsp/shared/webapps/ocsp/500.html
@@ -25,8 +25,12 @@ var port = location.port;
 
 
 
-
-
+
+
+
+
+
+
 
 
 $(function() {
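Review bot: 500.html is the server error page, so the banner retrieval inserted ahead of `$(function() {` here must fail open: if retrieving the banner fails for the same reason the original request ended in a 500, the error page still has to render instead of waiting on the banner. Please confirm the retrieval has an error or completion handler that lets page initialization proceed.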
diff --git a/base/ocsp/shared/webapps/ocsp/GenUnexpectedError.template b/base/ocsp/shared/webapps/ocsp/GenUnexpectedError.template
index 824bdb9e95756540012e912bbf0e66eb7a217003..e836320c6bcaf140b3c84e8adf528d4279b98071 100644
--- a/base/ocsp/shared/webapps/ocsp/GenUnexpectedError.template
+++ b/base/ocsp/shared/webapps/ocsp/GenUnexpectedError.template
@@ -17,10 +17,17 @@
  --- END COPYRIGHT BLOCK --- -->
 http://www.w3.org/TR/html4/loose.dtd";>
 
+
 
 
 OCSP Processing Error!
-
+