forked from dogtagpki/pki
Commit
Bug 1794213 Server-Side Keygen Enrollment

This patch contains the code that provides the Server-Side Keygen Enrollment feature.

Some limitations for this release:
- It currently only supports RSA keys.
- You need to import the KRA's transport cert into CA's nssdb with the nickname "KRA Transport Certificate" then restart the CA.
- Currently, the UI (Javascript) keyType and keySize pulldown menu needs some work (ProfileSelect.template)
- Some more error checking and cleanup needed (will be done before actual push)

-----

This patch contains mainly the following pieces:

input:
The new input plugin ServerKeygenInput.java, which is supposed to work with the modification in ProfileSelect.template to
- accept the p12 passwd that will be used to compose the p12 once the keys are generated on KRA and cert issued by the CA.
- accept the keyType: RSA/ECC
- accept the keySize: RSA key sizes or ECC curves

Profile:
- The new default plugin: ServerKeygenUserKeyDefault.java, which inserts temporary fake keys so code won't blow up down the road; such fake keys will be replaced later when KRA generates the new keys
- The new caServerKeygen_UserCert.cfg profile which utilizes the new input and output

output:
The new output plugin PKCS12Output.java, which contains the p12 to be sent back to the browser when the request has been approved.

What's expected:
Once working, if you go to EE and click on (currently) the first profile: "Manual User Dual-User Certificate Enrollment using server-side key generation", one should expect to be able to specify the p12 password, p12 password again (verified by the Javascript), the key type (RSA/ECC), key size/curve, the subject name info, and the requestor info. Once filled out and submitted, the request should go into the request queue waiting to be approved. During approval, the keys should be generated on KRA, archived, and pkcs#12 returned.

Finally: Server-side key generation for enrollment is not intended to be a solution for all. It's mainly for encryption keys, unless the site administrator doesn't care about archiving signing keys.

https://bugzilla.redhat.com/show_bug.cgi?id=1794213
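The profile the commit message describes is a flat key=value file whose policyset entries pair a constraint plugin with a default plugin. The following is an added example (not code from the pki project) that parses such a profile and lints the key and signing-algorithm constraints a reviewer would check before enabling a new enrollment profile. The sample text is a constructed excerpt of the caServerKeygen_UserCert.cfg lines in this commit; the 2048-bit RSA floor and the SHA-1/MD5 rejection are assumed local policy, not anything the project prescribes.

```python
"""Parse a Dogtag-style CA profile (.cfg, key=value) and lint its key
and signing-algorithm constraints.

Added example; not part of the pki repository. SAMPLE_PROFILE is a
constructed excerpt of the caServerKeygen_UserCert.cfg profile.
"""

# Constructed excerpt: only the lines this lint needs.
SAMPLE_PROFILE = """\
name=Manual User Dual-Use Certificate Enrollment using server-side Key generation
input.list=i1,i2,i3
input.i1.class_id=serverKeygenInputImpl
output.list=o1
output.o1.class_id=pkcs12OutputImpl
policyset.list=userCertSet
policyset.userCertSet.list=1,10,2,3,4,5,6,7,8,9
policyset.userCertSet.3.constraint.class_id=keyConstraintImpl
policyset.userCertSet.3.constraint.params.keyType=RSA
policyset.userCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
policyset.userCertSet.3.default.class_id=serverKeygenUserKeyDefaultImpl
policyset.userCertSet.3.default.params.keySize=2048
policyset.userCertSet.9.constraint.class_id=signingAlgConstraintImpl
policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
policyset.userCertSet.9.default.class_id=signingAlgDefaultImpl
policyset.userCertSet.9.default.params.signingAlg=-
"""

MIN_RSA_BITS = 2048                    # assumed local policy threshold
WEAK_HASH_PREFIXES = ("SHA1", "MD5")   # assumed: signature algs to reject


def parse_profile(text):
    """Return {key: value}; blank lines and '#' comments are skipped and
    each line is split at its first '='."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"malformed profile line: {raw!r}")
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def policy_entries(props, pset):
    """Yield (index, constraint class_id, default class_id) for every
    policy listed in policyset.<pset>.list, in the order listed."""
    for idx in props[f"policyset.{pset}.list"].split(","):
        base = f"policyset.{pset}.{idx}"
        yield (idx,
               props.get(f"{base}.constraint.class_id"),
               props.get(f"{base}.default.class_id"))


def lint_profile(props):
    """Return a list of findings: RSA sizes below MIN_RSA_BITS, a default
    keySize outside the constraint's list, and weak signing algorithms."""
    findings = []
    for pset in props["policyset.list"].split(","):
        for idx, cons, _dflt in policy_entries(props, pset):
            base = f"policyset.{pset}.{idx}"
            if cons == "keyConstraintImpl":
                ktype = props.get(f"{base}.constraint.params.keyType", "")
                allowed = [s for s in
                           props.get(f"{base}.constraint.params.keyParameters", "").split(",")
                           if s]
                if ktype == "RSA":
                    weak = [s for s in allowed if s.isdigit() and int(s) < MIN_RSA_BITS]
                    if weak:
                        findings.append(
                            f"{base}: RSA key sizes below {MIN_RSA_BITS} allowed: {','.join(weak)}")
                dsize = props.get(f"{base}.default.params.keySize")
                if dsize and allowed and dsize not in allowed:
                    findings.append(f"{base}: default keySize {dsize} not in constraint list")
            elif cons == "signingAlgConstraintImpl":
                algs = props.get(f"{base}.constraint.params.signingAlgsAllowed", "")
                weak = [a for a in algs.split(",") if a.upper().startswith(WEAK_HASH_PREFIXES)]
                if weak:
                    findings.append(f"{base}: weak signing algorithms allowed: {','.join(weak)}")
    return findings


if __name__ == "__main__":
    for finding in lint_profile(parse_profile(SAMPLE_PROFILE)):
        print(finding)
```

Run against the excerpt it reports the 1024-bit RSA size and the two SHA-1 signing algorithms; the same parser can be pointed at any profile under the CA's profiles directory to compare a new profile's constraints against the existing ones before it is enabled.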
Showing 23 changed files with 1,198 additions and 23 deletions.
@@ -0,0 +1,103 @@ | ||
desc=This certificate profile is for enrolling user certificates using server-side Key generation. | ||
visible=true | ||
enable=true | ||
enableBy=admin | ||
name=Manual User Dual-Use Certificate Enrollment using server-side Key generation | ||
auth.class_id= | ||
input.list=i1,i2,i3 | ||
input.i1.class_id=serverKeygenInputImpl | ||
input.i2.class_id=subjectNameInputImpl | ||
input.i3.class_id=submitterInfoInputImpl | ||
output.list=o1 | ||
output.o1.class_id=pkcs12OutputImpl | ||
policyset.list=userCertSet | ||
policyset.userCertSet.list=1,10,2,3,4,5,6,7,8,9 | ||
policyset.userCertSet.1.constraint.class_id=subjectNameConstraintImpl | ||
policyset.userCertSet.1.constraint.name=Subject Name Constraint | ||
policyset.userCertSet.1.constraint.params.pattern=UID=.* | ||
policyset.userCertSet.1.constraint.params.accept=true | ||
policyset.userCertSet.1.default.class_id=userSubjectNameDefaultImpl | ||
policyset.userCertSet.1.default.name=Subject Name Default | ||
policyset.userCertSet.1.default.params.name= | ||
policyset.userCertSet.10.constraint.class_id=renewGracePeriodConstraintImpl | ||
policyset.userCertSet.10.constraint.name=Renewal Grace Period Constraint | ||
policyset.userCertSet.10.constraint.params.renewal.graceBefore=30 | ||
policyset.userCertSet.10.constraint.params.renewal.graceAfter=30 | ||
policyset.userCertSet.10.default.class_id=noDefaultImpl | ||
policyset.userCertSet.10.default.name=No Default | ||
policyset.userCertSet.2.constraint.class_id=validityConstraintImpl | ||
policyset.userCertSet.2.constraint.name=Validity Constraint | ||
policyset.userCertSet.2.constraint.params.range=365 | ||
policyset.userCertSet.2.constraint.params.notBeforeCheck=false | ||
policyset.userCertSet.2.constraint.params.notAfterCheck=false | ||
policyset.userCertSet.2.default.class_id=validityDefaultImpl | ||
policyset.userCertSet.2.default.name=Validity Default | ||
policyset.userCertSet.2.default.params.range=180 | ||
policyset.userCertSet.2.default.params.startTime=0 | ||
policyset.userCertSet.3.constraint.class_id=keyConstraintImpl | ||
policyset.userCertSet.3.constraint.name=Key Constraint | ||
policyset.userCertSet.3.constraint.params.keyType=RSA | ||
policyset.userCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096 | ||
policyset.userCertSet.3.default.class_id=serverKeygenUserKeyDefaultImpl | ||
policyset.userCertSet.3.default.name=Server-Side Keygen Default | ||
policyset.userCertSet.3.default.params.keyType=RSA | ||
policyset.userCertSet.3.default.params.keySize=2048 | ||
policyset.userCertSet.4.constraint.class_id=noConstraintImpl | ||
policyset.userCertSet.4.constraint.name=No Constraint | ||
policyset.userCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl | ||
policyset.userCertSet.4.default.name=Authority Key Identifier Default | ||
policyset.userCertSet.5.constraint.class_id=noConstraintImpl | ||
policyset.userCertSet.5.constraint.name=No Constraint | ||
policyset.userCertSet.5.default.class_id=authInfoAccessExtDefaultImpl | ||
policyset.userCertSet.5.default.name=AIA Extension Default | ||
policyset.userCertSet.5.default.params.authInfoAccessADEnable_0=true | ||
policyset.userCertSet.5.default.params.authInfoAccessADLocationType_0=URIName | ||
policyset.userCertSet.5.default.params.authInfoAccessADLocation_0= | ||
policyset.userCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1 | ||
policyset.userCertSet.5.default.params.authInfoAccessCritical=false | ||
policyset.userCertSet.5.default.params.authInfoAccessNumADs=1 | ||
policyset.userCertSet.6.constraint.class_id=keyUsageExtConstraintImpl | ||
policyset.userCertSet.6.constraint.name=Key Usage Extension Constraint | ||
policyset.userCertSet.6.constraint.params.keyUsageCritical=true | ||
policyset.userCertSet.6.constraint.params.keyUsageDigitalSignature=true | ||
policyset.userCertSet.6.constraint.params.keyUsageNonRepudiation=true | ||
policyset.userCertSet.6.constraint.params.keyUsageDataEncipherment=false | ||
policyset.userCertSet.6.constraint.params.keyUsageKeyEncipherment=true | ||
policyset.userCertSet.6.constraint.params.keyUsageKeyAgreement=false | ||
policyset.userCertSet.6.constraint.params.keyUsageKeyCertSign=false | ||
policyset.userCertSet.6.constraint.params.keyUsageCrlSign=false | ||
policyset.userCertSet.6.constraint.params.keyUsageEncipherOnly=false | ||
policyset.userCertSet.6.constraint.params.keyUsageDecipherOnly=false | ||
policyset.userCertSet.6.default.class_id=keyUsageExtDefaultImpl | ||
policyset.userCertSet.6.default.name=Key Usage Default | ||
policyset.userCertSet.6.default.params.keyUsageCritical=true | ||
policyset.userCertSet.6.default.params.keyUsageDigitalSignature=true | ||
policyset.userCertSet.6.default.params.keyUsageNonRepudiation=true | ||
policyset.userCertSet.6.default.params.keyUsageDataEncipherment=false | ||
policyset.userCertSet.6.default.params.keyUsageKeyEncipherment=true | ||
policyset.userCertSet.6.default.params.keyUsageKeyAgreement=false | ||
policyset.userCertSet.6.default.params.keyUsageKeyCertSign=false | ||
policyset.userCertSet.6.default.params.keyUsageCrlSign=false | ||
policyset.userCertSet.6.default.params.keyUsageEncipherOnly=false | ||
policyset.userCertSet.6.default.params.keyUsageDecipherOnly=false | ||
policyset.userCertSet.7.constraint.class_id=noConstraintImpl | ||
policyset.userCertSet.7.constraint.name=No Constraint | ||
policyset.userCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl | ||
policyset.userCertSet.7.default.name=Extended Key Usage Extension Default | ||
policyset.userCertSet.7.default.params.exKeyUsageCritical=false | ||
policyset.userCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4 | ||
policyset.userCertSet.8.constraint.class_id=noConstraintImpl | ||
policyset.userCertSet.8.constraint.name=No Constraint | ||
policyset.userCertSet.8.default.class_id=subjectAltNameExtDefaultImpl | ||
policyset.userCertSet.8.default.name=Subject Alt Name Constraint | ||
policyset.userCertSet.8.default.params.subjAltNameExtCritical=false | ||
policyset.userCertSet.8.default.params.subjAltExtType_0=RFC822Name | ||
policyset.userCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$ | ||
policyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true | ||
policyset.userCertSet.8.default.params.subjAltNameNumGNs=1 | ||
policyset.userCertSet.9.constraint.class_id=signingAlgConstraintImpl | ||
policyset.userCertSet.9.constraint.name=No Constraint | ||
policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC | ||
policyset.userCertSet.9.default.class_id=signingAlgDefaultImpl | ||
policyset.userCertSet.9.default.name=Signing Alg | ||
policyset.userCertSet.9.default.params.signingAlg=- |
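Review bot: the key and signing-algorithm constraints in this new profile admit parameters that are weak by current standards: `policyset.userCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096` lets an agent approve a 1024-bit RSA key, and `policyset.userCertSet.9.constraint.params.signingAlgsAllowed=...` includes SHA1withRSA and SHA1withEC. Since the keys are generated and archived on the KRA and the profile is brand new, drop 1024 and the SHA-1 entries so no approval path can issue such a certificate; the default of 2048 already satisfies the tighter list. Two display names also disagree with their plugins: `policyset.userCertSet.9.constraint.name=No Constraint` labels signingAlgConstraintImpl (it should be a Signing Algorithm Constraint name), and the policyset.userCertSet.8.default.name reads "Subject Alt Name Constraint" for what is a default. Finally, the name= line says "Dual-Use" while the commit message calls the profile "Dual-User"; this is the string users see in the EE page, so settle on one.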