1:21 a.m.
Here is the first (rough) cut of IEC 62351-8 (IECUserRoles)
extension support and a DNP3 profile that makes use of it. This is
to meet (some of) the PKI needs for the "Smart Grid" DNP3 Secure
Authentication v5 (SAv5) standard.
In brief, the SN and all the IECUserRoles params will be given in
profile inputs, and the key is taken from a CertReqInput.
There's still a bit of work to go - notably, some of the
IECUserRoles fields are unimplemented, and some of those that *are*
implemented are not yet read out of the profile input but rather are
hardcoded. The extension *does* appear on the certificate, so I
should get that all completed tomorrow.
Cheers,
Fraser
1:26 a.m.
On Thu, Aug 14, 2014 at 04:21:57PM +1000, Fraser Tweedale wrote:
Here is the first (rough) cut of IEC 62351-8 (IECUserRoles)
extension support and a DNP3 profile that makes use of it. This is
to meet (some of) the PKI needs for the "Smart Grid" DNP3 Secure
Authentication v5 (SAv5) standard.
In brief, the SN and all the IECUserRoles params will be given in
profile inputs, and the key is taken from a CertReqInput.
There's still a bit of work to go - notably, some of the
IECUserRoles fields are unimplemented, and some of those that *are*
implemented are not yet read out of the profile input but rather are
hardcoded. The extension *does* appear on the certificate, so I
should get that all completed tomorrow.
Cheers,
Fraser
And it would probably help if I attached the patches! Sorry for the
noise.
_______________________________________________
Pki-devel mailing list
Pki-devel(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel
2:03 a.m.
On Thu, Aug 14, 2014 at 04:26:59PM +1000, Fraser Tweedale wrote:
On Thu, Aug 14, 2014 at 04:21:57PM +1000, Fraser Tweedale wrote:
> Here is the first (rough) cut of IEC 62351-8 (IECUserRoles)
> extension support and a DNP3 profile that makes use of it. This is
> to meet (some of) the PKI needs for the "Smart Grid" DNP3 Secure
> Authentication v5 (SAv5) standard.
>
> In brief, the SN and all the IECUserRoles params will be given in
> profile inputs, and the key is taken from a CertReqInput.
>
> There's still a bit of work to go - notably, some of the
> IECUserRoles fields are unimplemented, and some of those that *are*
> implemented are not yet read out of the profile input but rather are
> hardcoded. The extension *does* appear on the certificate, so I
> should get that all completed tomorrow.
>
> Cheers,
>
> Fraser
>
These patches have been completed and are ready for review. New
versions are attached.
12:48 a.m.
Could someone please have a look at these changes? There's a
plugfest in a couple of weeks that I'm going to be providing
certificates for, so it would be good to get some feedback.
Cheers,
Fraser
On Mon, Aug 18, 2014 at 05:03:25PM +1000, Fraser Tweedale wrote:
On Thu, Aug 14, 2014 at 04:26:59PM +1000, Fraser Tweedale wrote:
> On Thu, Aug 14, 2014 at 04:21:57PM +1000, Fraser Tweedale wrote:
> > Here is the first (rough) cut of IEC 62351-8 (IECUserRoles)
> > extension support and a DNP3 profile that makes use of it. This is
> > to meet (some of) the PKI needs for the "Smart Grid" DNP3 Secure
> > Authentication v5 (SAv5) standard.
> >
> > In brief, the SN and all the IECUserRoles params will be given in
> > profile inputs, and the key is taken from a CertReqInput.
> >
> > There's still a bit of work to go - notably, some of the
> > IECUserRoles fields are unimplemented, and some of those that *are*
> > implemented are not yet read out of the profile input but rather are
> > hardcoded. The extension *does* appear on the certificate, so I
> > should get that all completed tomorrow.
> >
> > Cheers,
> >
> > Fraser
> >
These patches have been completed and are ready for review. New
versions are attached.
>From 97009318b965ecc3774b57e47b6aa58f4388d508 Mon Sep 17 00:00:00
2001
From: Fraser Tweedale <ftweedal(a)redhat.com>
Date: Mon, 11 Aug 2014 03:10:04 -0400
Subject: [PATCH] Add IECUserRolesExtension class
---
.../security/extensions/IECUserRolesExtension.java | 234 +++++++++++++++++++++
1 file changed, 234 insertions(+)
create mode 100644
base/util/src/netscape/security/extensions/IECUserRolesExtension.java
diff --git a/base/util/src/netscape/security/extensions/IECUserRolesExtension.java
b/base/util/src/netscape/security/extensions/IECUserRolesExtension.java
new file mode 100644
index 0000000000000000000000000000000000000000..2a0866cf39d605c6fd04ef325806060edd7a6bb1
--- /dev/null
+++ b/base/util/src/netscape/security/extensions/IECUserRolesExtension.java
@@ -0,0 +1,234 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2014 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package netscape.security.extensions;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.math.BigInteger;
+import java.security.cert.CertificateException;
+import java.util.Enumeration;
+import java.util.Vector;
+
+import netscape.security.util.BigInt;
+import netscape.security.util.DerOutputStream;
+import netscape.security.util.DerValue;
+import netscape.security.util.ObjectIdentifier;
+import netscape.security.x509.CertAttrSet;
+import netscape.security.x509.Extension;
+import netscape.security.x509.OIDMap;
+
+/**
+ * This represents the IEC 62351-8 IECUserRoles extension.
+ */
+public class IECUserRolesExtension extends Extension implements CertAttrSet {
+ public enum Operation { ADD, DELETE, CHANGE };
+
+ private static final long serialVersionUID = 172340873242193489L;
+
+ public static final String OID = "1.2.840.10070.8.1";
+
+ public static final BigInteger MAX_STATUS_CHANGE_SEQNO =
+ new BigInteger("4294967295");
+
+ private Vector<Integer> userRole;
+ private String aor;
+ private int revision;
+ private String roleDefinition;
+ private Operation operation;
+ private BigInteger statusChangeSequenceNumber;
+
+ static {
+ try {
+ OIDMap.addAttribute(IECUserRolesExtension.class.getName(),
+ OID, IECUserRolesExtension.class.getName());
+ } catch (CertificateException e) {
+ }
+ }
+
+ public IECUserRolesExtension(
+ boolean crit,
+ Vector<Integer> userRole,
+ String aor,
+ int revision,
+ String roleDefinition,
+ Operation operation,
+ BigInteger statusChangeSequenceNumber
+ ) throws CertificateException {
+ try {
+ extensionId = ObjectIdentifier.getObjectIdentifier(OID);
+ } catch (IOException e) {
+ // never here
+ }
+
+ critical = crit;
+
+ // userRole SEQUENCE SIZE (1..MAX) OF RoleID
+ // RoleId ::= INTEGER (-32 768..32 767)
+ if (userRole == null)
+ throw new CertificateException("userRole cannot be null");
+ if (userRole.size() < 1)
+ throw new CertificateException("userRole must have at least one
element");
+ for (int roleId : userRole) {
+ if (roleId < -32768 || roleId > 32767)
+ throw new CertificateException("RoleId must be in range (-32
768..32 767)");
+ }
+ this.userRole = userRole;
+
+ // aor (area of responsibility) UTF8String (SIZE(1..64))
+ if (aor == null)
+ throw new CertificateException("aor cannot be null");
+ if (aor.isEmpty() || aor.length() > 64)
+ throw new CertificateException("aor must be of SIZE(1..64)");
+ this.aor = aor;
+
+ // revision INTEGER (0..255)
+ if (revision < 0 || revision > 255)
+ throw new CertificateException("revision must be in range
(0..255)");
+ this.revision = revision;
+
+ // roleDefinition UTF8String (0..23) OPTIONAL
+ if (roleDefinition != null && roleDefinition.length() > 23)
+ throw new CertificateException("roleDefinition must be of
SIZE(0..23)");
+ this.roleDefinition = roleDefinition;
+
+ // operation Operation OPTIONAL
+ // Operation ::= ENUMERATED { Add (1), Delete (2), Change (3) }
+ this.operation = operation;
+
+ // statusChangeSequenceNumber INTEGER (0..4 294 967 295) OPTIONAL
+ if (statusChangeSequenceNumber != null && (
+ statusChangeSequenceNumber.compareTo(BigInteger.ZERO) < 0
+ || statusChangeSequenceNumber.compareTo(MAX_STATUS_CHANGE_SEQNO) >
1))
+ throw new CertificateException(
+ "statusChangeSequenceNumber must be in range (0..4 294 967
295)");
+ this.statusChangeSequenceNumber = statusChangeSequenceNumber;
+ }
+
+ public IECUserRolesExtension(Boolean crit, Object byteVal)
+ throws IOException {
+ extensionId = ObjectIdentifier.getObjectIdentifier(OID);
+ critical = crit.booleanValue();
+ extensionValue = ((byte[]) byteVal).clone();
+ }
+
+ @Override
+ public String toString() {
+ String presentation = "oid=" + OID + " ";
+
+ if (critical) {
+ presentation += "critical=true";
+ }
+ if (extensionValue != null) {
+ StringBuffer extByteValue = new StringBuffer(" val=");
+ for (int i = 0; i < extensionValue.length; i++) {
+ extByteValue.append(extensionValue[i] + " ");
+ }
+ presentation += extByteValue.toString();
+ }
+ return presentation;
+ }
+
+ public void decode(InputStream in)
+ throws CertificateException, IOException {
+ }
+
+ public void encode(DerOutputStream out) throws IOException {
+ encodeExtValue();
+ super.encode(out);
+ }
+
+ public void encode(OutputStream out)
+ throws CertificateException, IOException {
+ DerOutputStream temp = new DerOutputStream();
+ encode(temp);
+ out.write(temp.toByteArray());
+ }
+
+ public void set(String name, Object obj)
+ throws CertificateException, IOException {
+ // NOT USED
+ }
+
+ public Object get(String name) throws CertificateException, IOException {
+ // NOT USED
+ return null;
+ }
+
+ public Enumeration<String> getAttributeNames() {
+ return null;
+ }
+
+ public String getName() {
+ return OID;
+ }
+
+ public void delete(String name)
+ throws CertificateException, IOException {
+ // NOT USED
+ }
+
+ private void encodeExtValue() throws IOException {
+ if (extensionValue != null)
+ return;
+
+ DerOutputStream outUserRoleInfo = new DerOutputStream();
+
+ DerOutputStream outRoles = new DerOutputStream();
+ for (int role : userRole) {
+ outRoles.putInteger(new BigInt(role));
+ }
+ outUserRoleInfo.write(DerValue.tag_Sequence, outRoles);
+
+ outUserRoleInfo.putUTF8String(aor);
+
+ outUserRoleInfo.putInteger(new BigInt(revision));
+
+ if (roleDefinition != null)
+ outUserRoleInfo.putUTF8String(roleDefinition);
+
+ if (operation != null) {
+ int op = 0;
+ switch (operation) {
+ case ADD:
+ op = 1;
+ break;
+ case DELETE:
+ op = 2;
+ break;
+ case CHANGE:
+ op = 3;
+ break;
+ }
+ outUserRoleInfo.putEnumerated(op);
+ }
+
+ if (statusChangeSequenceNumber != null)
+ outUserRoleInfo.putInteger(new BigInt(statusChangeSequenceNumber));
+
+ // write UserRoleInfo SEQUENCE (of the above information)
+ DerOutputStream outIECUserRoles = new DerOutputStream();
+ outIECUserRoles.write(DerValue.tag_Sequence, outUserRoleInfo);
+
+ // write IECUserRoles SEQUENCE OF UserRoleInfo
+ DerOutputStream out = new DerOutputStream();
+ out.write(DerValue.tag_Sequence, outIECUserRoles);
+
+ extensionValue = out.toByteArray();
+ }
+}
--
1.9.3
>From f32268e1e158ff6d80b9262386165783ce92aaca Mon Sep 17 00:00:00
2001
From: Fraser Tweedale <ftweedal(a)redhat.com>
Date: Tue, 12 Aug 2014 04:08:30 -0400
Subject: [PATCH] Add IECUserRolesExtInput profile input
---
base/ca/shared/conf/registry.cfg | 5 +-
.../cms/profile/input/IECUserRolesExtInput.java | 204 +++++++++++++++++++++
base/server/cmsbundle/src/UserMessages.properties | 8 +
3 files changed, 216 insertions(+), 1 deletion(-)
create mode 100644
base/server/cms/src/com/netscape/cms/profile/input/IECUserRolesExtInput.java
diff --git a/base/ca/shared/conf/registry.cfg b/base/ca/shared/conf/registry.cfg
index 9cd4e6d5c89b6e9bd0323fd3fd272b4af1de9568..c4e3ab86b453bec8964d62b3fbdbac14b40f6105
100644
--- a/base/ca/shared/conf/registry.cfg
+++ b/base/ca/shared/conf/registry.cfg
@@ -173,7 +173,7 @@ profile.caServerCertEnrollImpl.name=Server Certificate Enrollment
Profile
profile.caUserCertEnrollImpl.class=com.netscape.cms.profile.common.UserCertCAEnrollProfile
profile.caUserCertEnrollImpl.desc=Certificate Authority User Certificate Enrollment
Profile
profile.caUserCertEnrollImpl.name=User Certificate Enrollment Profile
-profileInput.ids=cmcCertReqInputImpl,certReqInputImpl,keyGenInputImpl,encKeyGenInputImpl,signKeyGenInputImpl,dualKeyGenInputImpl,subjectNameInputImpl,submitterInfoInputImpl,genericInputImpl,fileSigningInputImpl,imageInputImpl,subjectDNInputImpl,nsNKeyCertReqInputImpl,nsHKeyCertReqInputImpl,serialNumRenewInputImpl,subjectAltNameExtInputImpl
+profileInput.ids=cmcCertReqInputImpl,certReqInputImpl,keyGenInputImpl,encKeyGenInputImpl,signKeyGenInputImpl,dualKeyGenInputImpl,subjectNameInputImpl,submitterInfoInputImpl,genericInputImpl,fileSigningInputImpl,imageInputImpl,subjectDNInputImpl,nsNKeyCertReqInputImpl,nsHKeyCertReqInputImpl,serialNumRenewInputImpl,subjectAltNameExtInputImpl,iecUserRolesExtInputImpl
profileInput.subjectAltNameExtInputImpl.class=com.netscape.cms.profile.input.SubjectAltNameExtInput
profileInput.subjectAltNameExtInputImpl.desc=SAN Input
profileInput.subjectAltNameExtInputImpl.name=SAN Input
@@ -222,6 +222,9 @@ profileInput.subjectDNInputImpl.name=Subject DN Input
profileInput.subjectNameInputImpl.class=com.netscape.cms.profile.input.SubjectNameInput
profileInput.subjectNameInputImpl.desc=Subject Name Input
profileInput.subjectNameInputImpl.name=Subject Name Input
+profileInput.iecUserRolesExtInputImpl.class=com.netscape.cms.profile.input.IECUserRolesExtInput
+profileInput.iecUserRolesExtInputImpl.desc=IECUserRoles Extension Input
+profileInput.iecUserRolesExtInputImpl.name=IECUserRoles Extension Input
profileOutput.ids=certOutputImpl,cmmfOutputImpl,pkcs7OutputImpl,nsNKeyOutputImpl
profileOutput.certOutputImpl.class=com.netscape.cms.profile.output.CertOutput
profileOutput.certOutputImpl.desc=Certificate Output
diff --git a/base/server/cms/src/com/netscape/cms/profile/input/IECUserRolesExtInput.java
b/base/server/cms/src/com/netscape/cms/profile/input/IECUserRolesExtInput.java
new file mode 100644
index 0000000000000000000000000000000000000000..32d77d696208c17fe2dd70ea3562eb05d5b24455
--- /dev/null
+++ b/base/server/cms/src/com/netscape/cms/profile/input/IECUserRolesExtInput.java
@@ -0,0 +1,204 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2014 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+
+package com.netscape.cms.profile.input;
+
+import java.io.IOException;
+import java.math.BigInteger;
+import java.security.cert.CertificateException;
+import java.util.Enumeration;
+import java.util.Locale;
+import java.util.StringTokenizer;
+import java.util.Vector;
+
+import netscape.security.extensions.IECUserRolesExtension;
+import netscape.security.x509.CertificateExtensions;
+import netscape.security.x509.X509CertInfo;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.profile.EProfileException;
+import com.netscape.certsrv.profile.IProfile;
+import com.netscape.certsrv.profile.IProfileContext;
+import com.netscape.certsrv.profile.IProfileInput;
+import com.netscape.certsrv.property.Descriptor;
+import com.netscape.certsrv.property.IDescriptor;
+import com.netscape.certsrv.request.IRequest;
+import com.netscape.cms.profile.common.EnrollProfile;
+
+
+/**
+ * This plugin accepts IEC 62351-8 IECUserRoles extension data from user.
+ */
+public class IECUserRolesExtInput extends EnrollInput implements IProfileInput {
+ public static final String CONFIG_ROLE_DEFINITION = "role_definition";
+ public static final String CONFIG_OPERATION_REQUIRED =
"operation_required";
+
+ public static final String VAL_USER_ROLES = "userRole";
+ public static final String VAL_AOR = "aor";
+ public static final String VAL_REVISION = "revision";
+ public static final String VAL_OPERATION = "operation";
+
+ public IECUserRolesExtInput() {
+ addConfigName(CONFIG_ROLE_DEFINITION);
+ addConfigName(CONFIG_OPERATION_REQUIRED);
+ }
+
+ /**
+ * Retrieves the localizable name of this policy.
+ */
+ public String getName(Locale locale) {
+ return CMS.getUserMessage(locale,
"CMS_PROFILE_INPUT_IEC_USER_ROLES_EXT_NAME");
+ }
+
+ /**
+ * Retrieves the localizable description of this policy.
+ */
+ public String getText(Locale locale) {
+ return CMS.getUserMessage(locale,
"CMS_PROFILE_INPUT_IEC_USER_ROLES_EXT_TEXT");
+ }
+
+ public void populate(IProfileContext ctx, IRequest request)
+ throws EProfileException {
+
+ Vector<Integer> userRole = new Vector<Integer>();
+ String userRoleString = ctx.get(VAL_USER_ROLES);
+ StringTokenizer tok = new StringTokenizer(userRoleString, ",");
+ while (tok.hasMoreTokens()) {
+ try {
+ userRole.add(new Integer(tok.nextToken()));
+ } catch (NumberFormatException e) {
+ throw new EProfileException("RoleIDs must be integers");
+ }
+ }
+
+ String aor = ctx.get(VAL_AOR);
+
+ String revisionString = ctx.get(VAL_REVISION);
+ int revision = -1;
+ try {
+ revision = Integer.parseInt(revisionString);
+ } catch (NumberFormatException e) {
+ throw new EProfileException("revision must be an integer");
+ }
+
+ String roleDefinition = getConfig(CONFIG_ROLE_DEFINITION);
+
+ IECUserRolesExtension.Operation operation = null;
+ String operationString = ctx.get(VAL_OPERATION).trim();
+ if (operationString.equals("1")
+ || operationString.equalsIgnoreCase("ADD")) {
+ operation = IECUserRolesExtension.Operation.ADD;
+ } else if (operationString.equals("2")
+ || operationString.equalsIgnoreCase("DELETE")) {
+ operation = IECUserRolesExtension.Operation.DELETE;
+ } else if (operationString.equals("3")
+ || operationString.equalsIgnoreCase("CHANGE")) {
+ operation = IECUserRolesExtension.Operation.CHANGE;
+ }
+ String operationRequired = getConfig(CONFIG_OPERATION_REQUIRED);
+ if (operationRequired != null
+ && operationRequired.equalsIgnoreCase("true")
+ && operation == null) {
+ throw new EProfileException("operation is required");
+ }
+
+ // IEEE 1815-2012: "Optional if the authority can guarantee
+ // Certificate.tbsCertificate.serialNumber will always
+ // increase for this user.
+ //
+ BigInteger statusChangeSequenceNumber = null;
+
+ // create extension
+ IECUserRolesExtension ext;
+ try {
+ ext = new IECUserRolesExtension(
+ false,
+ userRole,
+ aor,
+ revision,
+ roleDefinition,
+ operation,
+ statusChangeSequenceNumber
+ );
+ } catch (CertificateException e) {
+ throw new EProfileException(
+ "failed to construct IECUserRoles extension: " +
e.toString());
+ }
+
+ CertificateExtensions exts =
+ request.getExtDataInCertExts(EnrollProfile.REQUEST_EXTENSIONS);
+ if (exts == null) {
+ throw new EProfileException("extensions not found");
+ }
+ try {
+ exts.set(IECUserRolesExtension.OID, ext);
+ } catch (IOException e) {
+ CMS.debug("IECUserRolesExtInput: " + e.toString());
+ throw new EProfileException("failed to set IECUserRoles
extension");
+ }
+
+ request.setExtData(EnrollProfile.REQUEST_EXTENSIONS, exts);
+ }
+
+ /**
+ * Return value names
+ */
+ public Enumeration<String> getValueNames() {
+ Vector<String> v = new Vector<String>();
+ v.addElement(VAL_USER_ROLES);
+ v.addElement(VAL_AOR);
+ v.addElement(VAL_REVISION);
+ v.addElement(VAL_OPERATION);
+ return v.elements();
+ }
+
+ public IDescriptor getConfigDescriptor(Locale locale, String name) {
+ if (name.equals(CONFIG_ROLE_DEFINITION)) {
+ return new Descriptor(IDescriptor.STRING, null, null,
+ CMS.getUserMessage(locale,
"CMS_PROFILE_INPUT_IEC_USER_ROLES_EXT_ROLE_DEFINITION"));
+ } else if (name.equals(CONFIG_OPERATION_REQUIRED)) {
+ return new Descriptor(IDescriptor.BOOLEAN, null, "false",
+ CMS.getUserMessage(locale,
"CMS_PROFILE_INPUT_IEC_USER_ROLES_EXT_OPERATION_REQUIRED"));
+ } else {
+ return null;
+ }
+ }
+
+ /**
+ * Retrieves the descriptor of the given value
+ * parameter by name.
+ */
+ public IDescriptor getValueDescriptor(Locale locale, String name) {
+ if (name.equals(VAL_USER_ROLES)) {
+ return new Descriptor(IDescriptor.STRING, null, null,
+ CMS.getUserMessage(locale,
"CMS_PROFILE_INPUT_IEC_USER_ROLES_EXT_USER_ROLES"));
+ } else if (name.equals(VAL_AOR)) {
+ return new Descriptor(IDescriptor.STRING, null, null,
+ CMS.getUserMessage(locale,
"CMS_PROFILE_INPUT_IEC_USER_ROLES_EXT_AOR"));
+ } else if (name.equals(VAL_REVISION)) {
+ return new Descriptor(IDescriptor.STRING, null, null,
+ CMS.getUserMessage(locale,
"CMS_PROFILE_INPUT_IEC_USER_ROLES_EXT_REVISION"));
+ } else if (name.equals(VAL_OPERATION)) {
+ return new Descriptor(IDescriptor.STRING, null, null,
+ CMS.getUserMessage(locale,
"CMS_PROFILE_INPUT_IEC_USER_ROLES_EXT_OPERATION"));
+ }
+ return null;
+ }
+}
diff --git a/base/server/cmsbundle/src/UserMessages.properties
b/base/server/cmsbundle/src/UserMessages.properties
index fe43094e6b2a0531502570bc626da557fc9061ae..194dfb4e6146f118d75324d35067fd78a5549d1a
100644
--- a/base/server/cmsbundle/src/UserMessages.properties
+++ b/base/server/cmsbundle/src/UserMessages.properties
@@ -1074,6 +1074,14 @@ CMS_PROFILE_OUTPUT_CERT_B64=Certificate Base-64 Encoded
CMS_PROFILE_OUTPUT_CMMF_B64=CMMF Base-64 Encoded
CMS_PROFILE_OUTPUT_PKCS7_B64=PKCS #7 Base-64 Encoded
CMS_PROFILE_OUTPUT_DER_B64=DER Base 64 Encoded
+CMS_PROFILE_INPUT_IEC_USER_ROLES_EXT_NAME=IECUserRoles Extension Input
+CMS_PROFILE_INPUT_IEC_USER_ROLES_EXT_TEXT=IECUserRoles Extension Input
+CMS_PROFILE_INPUT_IEC_USER_ROLES_EXT_USER_ROLES=User Roles
+CMS_PROFILE_INPUT_IEC_USER_ROLES_EXT_AOR=Area of Responsibility (AOR)
+CMS_PROFILE_INPUT_IEC_USER_ROLES_EXT_REVISION=Revision number
+CMS_PROFILE_INPUT_IEC_USER_ROLES_EXT_ROLE_DEFINITION=Role Definition
+CMS_PROFILE_INPUT_IEC_USER_ROLES_EXT_OPERATION=Operation (Add/Delete/Change)
+CMS_PROFILE_INPUT_IEC_USER_ROLES_EXT_OPERATION_REQUIRED=Require Operation Value
#######################################################
# Self Tests
#
--
1.9.3
From 288a7d8ee1e3e83518547c6a1e2f6c490a38f6ab Mon Sep 17 00:00:00
2001
From: Fraser Tweedale <ftweedal(a)redhat.com>
Date: Thu, 14 Aug 2014 01:50:11 -0400
Subject: [PATCH] Add IECUserRolesExtDefault profile default
---
base/ca/shared/conf/registry.cfg | 5 +-
.../cms/profile/def/IECUserRolesExtDefault.java | 94 ++++++++++++++++++++++
2 files changed, 98 insertions(+), 1 deletion(-)
create mode 100644
base/server/cms/src/com/netscape/cms/profile/def/IECUserRolesExtDefault.java
diff --git a/base/ca/shared/conf/registry.cfg b/base/ca/shared/conf/registry.cfg
index c4e3ab86b453bec8964d62b3fbdbac14b40f6105..d355d0252651cc538e482aebc9bfec17134f7566
100644
--- a/base/ca/shared/conf/registry.cfg
+++ b/base/ca/shared/conf/registry.cfg
@@ -42,7 +42,7 @@ constraintPolicy.renewGracePeriodConstraintImpl.name=Renewal Grace
Period Constr
constraintPolicy.uniqueKeyConstraintImpl.class=com.netscape.cms.profile.constraint.UniqueKeyConstraint
constraintPolicy.uniqueKeyConstraintImpl.desc=Unique Public Key Constraint
constraintPolicy.uniqueKeyConstraintImpl.name=Unique Public Key Constraint
-defaultPolicy.ids=noDefaultImpl,genericExtDefaultImpl,autoAssignDefaultImpl,subjectNameDefaultImpl,validityDefaultImpl,randomizedValidityDefaultImpl,caValidityDefaultImpl,subjectKeyIdentifierExtDefaultImpl,authorityKeyIdentifierExtDefaultImpl,basicConstraintsExtDefaultImpl,keyUsageExtDefaultImpl,nsCertTypeExtDefaultImpl,extendedKeyUsageExtDefaultImpl,ocspNoCheckExtDefaultImpl,issuerAltNameExtDefaultImpl,subjectAltNameExtDefaultImpl,userSubjectNameDefaultImpl,signingAlgDefaultImpl,userKeyDefaultImpl,userValidityDefaultImpl,userExtensionDefaultImpl,userSigningAlgDefaultImpl,authTokenSubjectNameDefaultImpl,subjectInfoAccessExtDefaultImpl,authInfoAccessExtDefaultImpl,nscCommentExtDefaultImpl,freshestCRLExtDefaultImpl,crlDistributionPointsExtDefaultImpl,policyConstraintsExtDefaultImpl,policyMappingsExtDefaultImpl,nameConstraintsExtDefaultImpl,certificateVersionDefaultImpl,certificatePoliciesExtDefaultImpl,subjectDirAttributesExtDefaultImpl,privateKeyPeriodExtDefaultImpl,inhibitAnyPolicyExtDefaultImpl,imageDefaultImpl,nsTokenDeviceKeySubjectNameDefaultImpl,nsTokenUserKeySubjectNameDefaultImpl
+defaultPolicy.ids=noDefaultImpl,genericExtDefaultImpl,autoAssignDefaultImpl,subjectNameDefaultImpl,validityDefaultImpl,randomizedValidityDefaultImpl,caValidityDefaultImpl,subjectKeyIdentifierExtDefaultImpl,authorityKeyIdentifierExtDefaultImpl,basicConstraintsExtDefaultImpl,keyUsageExtDefaultImpl,nsCertTypeExtDefaultImpl,extendedKeyUsageExtDefaultImpl,ocspNoCheckExtDefaultImpl,issuerAltNameExtDefaultImpl,subjectAltNameExtDefaultImpl,userSubjectNameDefaultImpl,signingAlgDefaultImpl,userKeyDefaultImpl,userValidityDefaultImpl,userExtensionDefaultImpl,userSigningAlgDefaultImpl,authTokenSubjectNameDefaultImpl,subjectInfoAccessExtDefaultImpl,authInfoAccessExtDefaultImpl,nscCommentExtDefaultImpl,freshestCRLExtDefaultImpl,crlDistributionPointsExtDefaultImpl,policyConstraintsExtDefaultImpl,policyMappingsExtDefaultImpl,nameConstraintsExtDefaultImpl,certificateVersionDefaultImpl,certificatePoliciesExtDefaultImpl,subjectDirAttributesExtDefaultImpl,privateKeyPeriodExtDefaultImpl,inhibitAnyPolicyExtDefaultImpl,imageDefaultImpl,nsTokenDeviceKeySubjectNameDefaultImpl,nsTokenUserKeySubjectNameDefaultImpl,iecUserRolesExtDefaultImpl
defaultPolicy.autoAssignDefaultImpl.class=com.netscape.cms.profile.def.AutoAssignDefault
defaultPolicy.autoAssignDefaultImpl.desc=Auto Request Assignment Default
defaultPolicy.autoAssignDefaultImpl.name=Auto Request Assignment Default
@@ -160,6 +160,9 @@ defaultPolicy.subjectDirAttributesExtDefaultImpl.name=Subject
Directory Attribut
defaultPolicy.inhibitAnyPolicyExtDefaultImpl.class=com.netscape.cms.profile.def.InhibitAnyPolicyExtDefault
defaultPolicy.inhibitAnyPolicyExtDefaultImpl.desc=Inhibit Any-Policy Extension Default
defaultPolicy.inhibitAnyPolicyExtDefaultImpl.name=Inhibit Any-Policy Extension Default
+defaultPolicy.iecUserRolesExtDefaultImpl.class=com.netscape.cms.profile.def.IECUserRolesExtDefault
+defaultPolicy.iecUserRolesExtDefaultImpl.desc=IECUserRoles Extension Default
+defaultPolicy.iecUserRolesExtDefaultImpl.name=IECUserRoles Extension Default
profile.ids=caEnrollImpl,caCACertEnrollImpl,caServerCertEnrollImpl,caUserCertEnrollImpl
profile.caEnrollImpl.class=com.netscape.cms.profile.common.CAEnrollProfile
profile.caEnrollImpl.desc=Certificate Authority Generic Certificate Enrollment Profile
diff --git a/base/server/cms/src/com/netscape/cms/profile/def/IECUserRolesExtDefault.java
b/base/server/cms/src/com/netscape/cms/profile/def/IECUserRolesExtDefault.java
new file mode 100644
index 0000000000000000000000000000000000000000..25dfa14b20fe3030d5f53613c7d6f3ac8b0c523c
--- /dev/null
+++ b/base/server/cms/src/com/netscape/cms/profile/def/IECUserRolesExtDefault.java
@@ -0,0 +1,94 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2014 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.profile.def;
+
+import java.io.IOException;
+import java.util.Enumeration;
+import java.util.Locale;
+import java.util.StringTokenizer;
+
+import netscape.security.extensions.IECUserRolesExtension;
+import netscape.security.x509.CertificateExtensions;
+import netscape.security.x509.X509CertInfo;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.profile.EProfileException;
+import com.netscape.certsrv.profile.IProfile;
+import com.netscape.certsrv.property.Descriptor;
+import com.netscape.certsrv.property.EPropertyException;
+import com.netscape.certsrv.property.IDescriptor;
+import com.netscape.certsrv.request.IRequest;
+import com.netscape.cms.profile.common.EnrollProfile;
+
+/**
+ * This class implements an enrollment default policy
+ * that populates IECUserRoles extension
+ * into the certificate template.
+ *
+ * @version $Revision$, $Date$
+ */
+public class IECUserRolesExtDefault extends EnrollExtDefault {
+
+ public IDescriptor getConfigDescriptor(Locale locale, String name) {
+ return null;
+ }
+
+ public IDescriptor getValueDescriptor(Locale locale, String name) {
+ return null;
+ }
+
+ public void setValue(String name, Locale locale,
+ X509CertInfo info, String value)
+ throws EPropertyException {
+ }
+
+ public String getValue(String name, Locale locale,
+ X509CertInfo info)
+ throws EPropertyException {
+ return null;
+ }
+
+ public String getText(Locale locale) {
+ return "IECUserRolesExtDefault";
+ //return CMS.getUserMessage(locale,
+ //"CMS_PROFILE_DEF_EXTENDED_KEY_EXT", params);
+ }
+
+ /**
+ * Populates the request with this policy default.
+ */
+ public void populate(IRequest request, X509CertInfo info)
+ throws EProfileException {
+ CMS.debug("START IEC DEFAULT POPULATE");
+ CertificateExtensions exts =
+ request.getExtDataInCertExts(EnrollProfile.REQUEST_EXTENSIONS);
+ if (exts == null) {
+ throw new EProfileException("extensions not found");
+ }
+ IECUserRolesExtension ext = null;
+ try {
+ ext = (IECUserRolesExtension) exts.get(IECUserRolesExtension.OID);
+ } catch (IOException e) {
+ throw new EProfileException("failed to get IECUserRoles
extension");
+ }
+
+ addExtension(IECUserRolesExtension.OID, ext, info);
+ CMS.debug("DONE IEC DEFAULT POPULATE");
+ }
+}
--
1.9.3
From 9015b215be29840b008f865aadbaa3f5e6f6ae0c Mon Sep 17 00:00:00
2001
From: Fraser Tweedale <ftweedal(a)redhat.com>
Date: Thu, 14 Aug 2014 02:05:47 -0400
Subject: [PATCH] Add DNP3 ID certificate profile
---
base/ca/shared/conf/CS.cfg.in | 4 +-
base/ca/shared/profiles/ca/caDnp3IdCert.cfg | 61 +++++++++++++++++++++++++++++
2 files changed, 64 insertions(+), 1 deletion(-)
create mode 100644 base/ca/shared/profiles/ca/caDnp3IdCert.cfg
diff --git a/base/ca/shared/conf/CS.cfg.in b/base/ca/shared/conf/CS.cfg.in
index 4ab8974e6340d81d23bb7f5ea05a07b0936b6463..28e626b3a5c03441dca3529fa3f38da978ec5dc5
100644
--- a/base/ca/shared/conf/CS.cfg.in
+++ b/base/ca/shared/conf/CS.cfg.in
@@ -961,7 +961,7 @@ oidmap.pse.oid=2.16.840.1.113730.1.18
oidmap.subject_info_access.class=netscape.security.extensions.SubjectInfoAccessExtension
oidmap.subject_info_access.oid=1.3.6.1.5.5.7.1.11
os.userid=nobody
-profile.list=caUserCert,caECUserCert,caUserSMIMEcapCert,caDualCert,caECDualCert,AdminCert,caSignedLogCert,caTPSCert,caRARouterCert,caRouterCert,caServerCert,caSubsystemCert,caOtherCert,caCACert,caCrossSignedCACert,caInstallCACert,caRACert,caOCSPCert,caStorageCert,caTransportCert,caDirPinUserCert,caDirUserCert,caECDirUserCert,caAgentServerCert,caAgentFileSigning,caCMCUserCert,caFullCMCUserCert,caSimpleCMCUserCert,caTokenDeviceKeyEnrollment,caTokenUserEncryptionKeyEnrollment,caTokenUserSigningKeyEnrollment,caTempTokenDeviceKeyEnrollment,caTempTokenUserEncryptionKeyEnrollment,caTempTokenUserSigningKeyEnrollment,caAdminCert,caInternalAuthServerCert,caInternalAuthTransportCert,caInternalAuthDRMstorageCert,caInternalAuthSubsystemCert,caInternalAuthOCSPCert,caInternalAuthAuditSigningCert,DomainController,caDualRAuserCert,caRAagentCert,caRAserverCert,caUUIDdeviceCert,caSSLClientSelfRenewal,caDirUserRenewal,caManualRenewal,caTokenMSLoginEnrollment,caTokenUserSigningKeyRenewal,caTokenUserEncryptionKeyRenewal,caTokenUserAuthKeyRenewal,caJarSigningCert,caIPAserviceCert,caEncUserCert,caEncECUserCert,caTokenUserDelegateAuthKeyEnrollment,caTokenUserDelegateSigningKeyEnrollment
+profile.list=caUserCert,caECUserCert,caUserSMIMEcapCert,caDualCert,caECDualCert,AdminCert,caSignedLogCert,caTPSCert,caRARouterCert,caRouterCert,caServerCert,caSubsystemCert,caOtherCert,caCACert,caCrossSignedCACert,caInstallCACert,caRACert,caOCSPCert,caStorageCert,caTransportCert,caDirPinUserCert,caDirUserCert,caECDirUserCert,caAgentServerCert,caAgentFileSigning,caCMCUserCert,caFullCMCUserCert,caSimpleCMCUserCert,caTokenDeviceKeyEnrollment,caTokenUserEncryptionKeyEnrollment,caTokenUserSigningKeyEnrollment,caTempTokenDeviceKeyEnrollment,caTempTokenUserEncryptionKeyEnrollment,caTempTokenUserSigningKeyEnrollment,caAdminCert,caInternalAuthServerCert,caInternalAuthTransportCert,caInternalAuthDRMstorageCert,caInternalAuthSubsystemCert,caInternalAuthOCSPCert,caInternalAuthAuditSigningCert,DomainController,caDualRAuserCert,caRAagentCert,caRAserverCert,caUUIDdeviceCert,caSSLClientSelfRenewal,caDirUserRenewal,caManualRenewal,caTokenMSLoginEnrollment,caTokenUserSigningKeyRenewal,caTokenUserEncryptionKeyRenewal,caTokenUserAuthKeyRenewal,caJarSigningCert,caIPAserviceCert,caEncUserCert,caEncECUserCert,caTokenUserDelegateAuthKeyEnrollment,caTokenUserDelegateSigningKeyEnrollment,caDnp3IdCert
profile.caUUIDdeviceCert.class_id=caEnrollImpl
profile.caUUIDdeviceCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caUUIDdeviceCert.cfg
profile.caManualRenewal.class_id=caEnrollImpl
@@ -1080,6 +1080,8 @@ profile.caEncUserCert.class_id=caEnrollImpl
profile.caEncUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caEncUserCert.cfg
profile.caEncECUserCert.class_id=caEnrollImpl
profile.caEncECUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caEncECUserCert.cfg
+profile.caDnp3IdCert.class_id=caEnrollImpl
+profile.caDnp3IdCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caDnp3IdCert.cfg
registry.file=[PKI_INSTANCE_PATH]/conf/[PKI_SUBSYSTEM_TYPE]/registry.cfg
processor.caProfileProcess.getClientCert=true
processor.caProfileProcess.authzMgr=BasicAclAuthz
diff --git a/base/ca/shared/profiles/ca/caDnp3IdCert.cfg
b/base/ca/shared/profiles/ca/caDnp3IdCert.cfg
new file mode 100644
index 0000000000000000000000000000000000000000..c17ca805121abcd346c88089388c360401b0cdf9
--- /dev/null
+++ b/base/ca/shared/profiles/ca/caDnp3IdCert.cfg
@@ -0,0 +1,61 @@
+desc=Profile for enrolling DNP3 ID certificates
+visible=true
+enable=true
+enableBy=admin
+auth.class_id=
+name=DNP3 ID certificate enrollment
+input.list=i1,i2,i3,i4
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=subjectDNInputImpl
+input.i3.class_id=iecUserRolesExtInputImpl
+input.i3.params.role_definition=IEC62351-8
+input.i3.params.operation_required=true
+input.i4.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=serverCertSet
+policyset.serverCertSet.list=1,2,3,4,5,6,7
+policyset.serverCertSet.1.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.1.constraint.name=No Constraint
+policyset.serverCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.serverCertSet.1.default.name=Subject Name Default
+policyset.serverCertSet.1.default.params.name=
+policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.serverCertSet.2.constraint.name=Validity Constraint
+policyset.serverCertSet.2.constraint.params.range=720
+policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
+policyset.serverCertSet.2.constraint.params.notAfterCheck=false
+policyset.serverCertSet.2.default.class_id=validityDefaultImpl
+policyset.serverCertSet.2.default.name=Validity Default
+policyset.serverCertSet.2.default.params.range=720
+policyset.serverCertSet.2.default.params.startTime=0
+policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.serverCertSet.3.constraint.name=Key Constraint
+policyset.serverCertSet.3.constraint.params.keyType=-
+policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp384,nistp521
+policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.serverCertSet.3.default.name=Key Default
+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.4.constraint.name=No Constraint
+policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.serverCertSet.4.default.name=Authority Key Identifier Default
+policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.5.constraint.name=No Constraint
+policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.serverCertSet.5.default.name=AIA Extension Default
+policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.serverCertSet.5.default.params.authInfoAccessCritical=false
+policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.serverCertSet.6.constraint.class_id=signingAlgConstraintImpl
+policyset.serverCertSet.6.constraint.name=No Constraint
+policyset.serverCertSet.6.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
+policyset.serverCertSet.6.default.class_id=signingAlgDefaultImpl
+policyset.serverCertSet.6.default.name=Signing Alg
+policyset.serverCertSet.6.default.params.signingAlg=-
+policyset.serverCertSet.7.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.7.constraint.name=No Constraint
+policyset.serverCertSet.7.default.class_id=iecUserRolesExtDefaultImpl
+policyset.serverCertSet.7.default.name=IEC User Roles Extension Default
--
1.9.3
_______________________________________________
Pki-devel mailing list
Pki-devel(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel
6 p.m.
Hi Fraser,
My apology for getting back to you this late due to Dogtag release.
(I think there may be a major issue there, so you might want to jump to
the "hmmm" part first)
General:
* It would help if in the review request email, you could put a link to
the spec you are coding against. I had to search around and every place
I looked it requires me to sign in or purchase.
IECUserRolesExtension.java
* It would help if you could put the relevant ASN1 in the extension code
IECUserRolesExtension.java
* the getName() method returns the OID string instead of the
conventional name of the class
* by convention, other existing extension classes use the JAVA class
Boolean instead of the native boolean for criticality. Please try to
stick to it.
* hmmm... Shouldn't this extension be a "SEQUENCE of"
"UserRoleInfo"?
This code seems to implement only the "UserRoleInfo" part.
This would be a major problem.
You might want to take a look of how
SubjectAlternativeNameExtension.java is done where it is a "SEQUENCE of"
GeneralName
See: http://tools.ietf.org/html/rfc5280#section-4.2.1.6 scroll down a
bit to see the ASN1 definition.
Search in our code for the following:
- SubjectAlternativeNameExtension.java
- GeneralNames
- GeneralName
Again, since I don't have the spec that you code against so I might be
wrong, please supply the ASN1 spec to this extension before I continue.
I think I will stop here and let you work on / respond to the above
first as it seems like a deal breaker if I was right.
regards,
Christina
On 08/18/2014 12:03 AM, Fraser Tweedale wrote:
On Thu, Aug 14, 2014 at 04:26:59PM +1000, Fraser Tweedale wrote:
> On Thu, Aug 14, 2014 at 04:21:57PM +1000, Fraser Tweedale wrote:
>> Here is the first (rough) cut of IEC 62351-8 (IECUserRoles)
>> extension support and a DNP3 profile that makes use of it. This is
>> to meet (some of) the PKI needs for the "Smart Grid" DNP3 Secure
>> Authentication v5 (SAv5) standard.
>>
>> In brief, the SN and all the IECUserRoles params will be given in
>> profile inputs, and the key is taken from a CertReqInput.
>>
>> There's still a bit of work to go - notably, some of the
>> IECUserRoles fields are unimplemented, and some of those that *are*
>> implemented are not yet read out of the profile input but rather are
>> hardcoded. The extension *does* appear on the certificate, so I
>> should get that all completed tomorrow.
>>
>> Cheers,
>>
>> Fraser
>>
These patches have been completed and are ready for review. New
versions are attached.
_______________________________________________
Pki-devel mailing list
Pki-devel(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel
1:53 a.m.
New subject: [PATCH] 0010..0013 v3 DNP3/IECUserRoles extension support
On Mon, Sep 08, 2014 at 04:00:16PM -0700, Christina Fu wrote:
Hi Fraser,
My apology for getting back to you this late due to Dogtag release.
(I think there may be a major issue there, so you might want to jump to the
"hmmm" part first)
General:
* It would help if in the review request email, you could put a link to the
spec you are coding against. I had to search around and every place I
looked it requires me to sign in or purchase.
IECUserRolesExtension.java
* It would help if you could put the relevant ASN1 in the extension code
IECUserRolesExtension.java
* the getName() method returns the OID string instead of the conventional
name of the class
* by convention, other existing extension classes use the JAVA class Boolean
instead of the native boolean for criticality. Please try to stick to it.
* hmmm... Shouldn't this extension be a "SEQUENCE of"
"UserRoleInfo"? This
code seems to implement only the "UserRoleInfo" part.
This would be a major problem.
You might want to take a look of how SubjectAlternativeNameExtension.java is
done where it is a "SEQUENCE of" GeneralName
See: http://tools.ietf.org/html/rfc5280#section-4.2.1.6 scroll down a bit to
see the ASN1 definition.
Search in our code for the following:
- SubjectAlternativeNameExtension.java
- GeneralNames
- GeneralName
Again, since I don't have the spec that you code against so I might be
wrong, please supply the ASN1 spec to this extension before I continue.
I think I will stop here and let you work on / respond to the above first as
it seems like a deal breaker if I was right.
regards,
Christina
Above issues have been addressed; new patches attached.
Fraser
On 08/18/2014 12:03 AM, Fraser Tweedale wrote:
>On Thu, Aug 14, 2014 at 04:26:59PM +1000, Fraser Tweedale wrote:
>>On Thu, Aug 14, 2014 at 04:21:57PM +1000, Fraser Tweedale wrote:
>>>Here is the first (rough) cut of IEC 62351-8 (IECUserRoles)
>>>extension support and a DNP3 profile that makes use of it. This is
>>>to meet (some of) the PKI needs for the "Smart Grid" DNP3 Secure
>>>Authentication v5 (SAv5) standard.
>>>
>>>In brief, the SN and all the IECUserRoles params will be given in
>>>profile inputs, and the key is taken from a CertReqInput.
>>>
>>>There's still a bit of work to go - notably, some of the
>>>IECUserRoles fields are unimplemented, and some of those that *are*
>>>implemented are not yet read out of the profile input but rather are
>>>hardcoded. The extension *does* appear on the certificate, so I
>>>should get that all completed tomorrow.
>>>
>>>Cheers,
>>>
>>>Fraser
>>>
>These patches have been completed and are ready for review. New
>versions are attached.
>
>
>_______________________________________________
>Pki-devel mailing list
>Pki-devel(a)redhat.com
>https://www.redhat.com/mailman/listinfo/pki-devel
_______________________________________________
Pki-devel mailing list
Pki-devel(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel
10:50 p.m.
New subject: [PATCH] 0010..0013 v3 DNP3/IECUserRoles extension support
On Wed, Sep 17, 2014 at 04:53:34PM +1000, Fraser Tweedale wrote:
On Mon, Sep 08, 2014 at 04:00:16PM -0700, Christina Fu wrote:
> Hi Fraser,
>
> My apology for getting back to you this late due to Dogtag release.
> (I think there may be a major issue there, so you might want to jump to the
> "hmmm" part first)
>
> General:
> * It would help if in the review request email, you could put a link to the
> spec you are coding against. I had to search around and every place I
> looked it requires me to sign in or purchase.
>
> IECUserRolesExtension.java
> * It would help if you could put the relevant ASN1 in the extension code
> IECUserRolesExtension.java
> * the getName() method returns the OID string instead of the conventional
> name of the class
> * by convention, other existing extension classes use the JAVA class Boolean
> instead of the native boolean for criticality. Please try to stick to it.
> * hmmm... Shouldn't this extension be a "SEQUENCE of"
"UserRoleInfo"? This
> code seems to implement only the "UserRoleInfo" part.
> This would be a major problem.
> You might want to take a look of how SubjectAlternativeNameExtension.java is
> done where it is a "SEQUENCE of" GeneralName
> See: http://tools.ietf.org/html/rfc5280#section-4.2.1.6 scroll down a bit to
> see the ASN1 definition.
> Search in our code for the following:
> - SubjectAlternativeNameExtension.java
> - GeneralNames
> - GeneralName
>
> Again, since I don't have the spec that you code against so I might be
> wrong, please supply the ASN1 spec to this extension before I continue.
>
> I think I will stop here and let you work on / respond to the above first as
> it seems like a deal breaker if I was right.
>
> regards,
> Christina
Above issues have been addressed; new patches attached.
Fraser
Hi everyone,
I'm reviving these old patches; there are no substantive changes,
just the rebase to latest master and minor cleanups.
It would be good to get the classes into the next release, as there
is a FreeIPA ticket to provide a DNP3 profile[1]. I'm unsure
whether to commit the profile itself to Dogtag (patch 0013) or ship
in FreeIPA instead.
[1] https://fedorahosted.org/freeipa/ticket/4752
Thanks,
Fraser
3783
days inactive
4096
days old
6 comments
2 participants
participants (2)
-
Christina Fu -
Fraser Tweedale