Bug 1805541-refactor:[RFE] CA Certificate Transparency with Embedded …

…Signed Certificate Time stamp This patch reafactors the Certificate Transparency code. More refinement to come, but for this patche: - the majority of the CT v1 code originally in CAService.java now goes into CTEngine.java; - some utility methods go into CertUtils.java - new CT enablement logic is introduced to replace the original one: The logic of whether SCT extension is to be added to the issued cert or not now goes like this: IN CS.cfg * CT mode is controlled by ca.certTransparency.mode * There are three CT modes: * disabled: issued certs will not carry SCT extension * enabled: issued certs will carry SCT extension * perProfile: certs enrolled through those profiles * that contain the following policyset * will carry SCT extension * SignedCertificateTimestampListExtDefaultImpl * default is true * if unknow mode then error will be thrown. https://bugzilla.redhat.com/show_bug.cgi?id=1805541
freeipa-pr-ci2 · Jul 10, 2020 · fed6047 · fed6047
1 parent 69e9d81
commit fed6047
Show file tree

Hide file tree

Showing 6 changed files with 870 additions and 712 deletions.
diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg
@@ -1212,24 +1212,42 @@ multiroles._002=##
 multiroles.enable=true
 multiroles.false.groupEnforceList=Administrators,Auditors,Trusted Managers,Certificate Manager Agents,Registration Manager Agents,Data Recovery Manager Agents,Online Certificate Status Manager Agents,Token Key Service Manager Agents,Enterprise CA Administrators,Enterprise KRA Administrators,Enterprise OCSP Administrators,Enterprise RA Administrators,Enterprise TKS Administrators,Enterprise TPS Administrators,Security Domain Administrators,Subsystem Group,ClonedSubsystems
 ca.certTransparency._000=##
-ca.certTransparency._001=## Switch the following parameter to enable Certificate Transparency
+ca.certTransparency._001=## Certificate Transparency Configuration (V1):
 ca.certTransparency._002=##
-ca.certTransparency._003=##     ca.certTransparency.enable=true
-ca.certTransparency._004=##
-ca.certTransparency._005=## Enable the following parameters to configure Certificate Transparency
-ca.certTransparency._006=## and log certificate issuance to corresponding log servers.
-ca.certTransparency._007=## NOTE: Currently only CT version 1 supported.
-ca.certTransparency._008=##
-ca.certTransparency._009=##     ca.certTransparency.log.1.enable=true
-ca.certTransparency._010=##     ca.certTransparency.log.1.pubKey=<public key of Log Server>
-ca.certTransparency._011=##     ca.certTransparency.log.1.url=<Log server URL including port and protocol>
-ca.certTransparency._012=##     ca.certTransparency.log.1.version=1
-ca.certTransparency._013=##
-ca.certTransparency._014=## Note that the following parameter represents the total number of CT log entries defined,
-ca.certTransparency._015=## both enabled and disabled. For example: LogServer1(enabled), LogServer2(disabled),
-ca.certTransparency._016=## LogServer3(enabled). Then, the param needs to be set to:
-ca.certTransparency._017=##
-ca.certTransparency._018=##     ca.certTransparency.log.num=3
+ca.certTransparency._003=## CT mode is controlled by ca.certTransparency.mode
+ca.certTransparency._004=## There are three CT modes:
+ca.certTransparency._005=##     disabled: issued certs will not carry SCT extension
+ca.certTransparency._006=##     enabled: issued certs will carry SCT extension     
+ca.certTransparency._007=##     perProfile: certs enrolled through those profiles
+ca.certTransparency._008=##         that contain the following policyset
+ca.certTransparency._009=##         will carry SCT extension
+ca.certTransparency._010=##            SignedCertificateTimestampListExtDefaultImpl
+ca.certTransparency._011=##
+ca.certTransparency._012=## profile config example:
+ca.certTransparency._013=##   policyset.serverCertSet.13.constraint.class_id=noConstraintImpl
+ca.certTransparency._014=##   policyset.serverCertSet.13.constraint.name=No Constraint
+ca.certTransparency._015=##   policyset.serverCertSet.13.default.class_id=
+ca.certTransparency._016=##   SignedCertificateTimestampListExtDefaultImpl
+ca.certTransparency._017=##   policyset.serverCertSet.13.default.name=
+ca.certTransparency._018=##     Certificate Transparency Poison Extension Default
 ca.certTransparency._019=##
-ca.certTransparency.enable=false
+ca.certTransparency._020=## Default profile:
+ca.certTransparency._021=##     SignedCertificateTimestampListExtDefaultImpl
+ca.certTransparency._022=##
+ca.certTransparency._023=## List of configration parameters for Certificate Transparency
+ca.certTransparency._024=##    log server(s):
+ca.certTransparency._025=##
+ca.certTransparency._026=##     ca.certTransparency.log.1.enable=true
+ca.certTransparency._027=##     ca.certTransparency.log.1.pubKey=<public key of Log Server>
+ca.certTransparency._028=##     ca.certTransparency.log.1.url=<Log server URL including port and protocol>
+ca.certTransparency._029=##     ca.certTransparency.log.1.version=1
+ca.certTransparency._031=##
+ca.certTransparency._032=## Note that the following parameter represents the total number
+ca.certTransparency._033=##     of CT log entries defined, both enabled and disabled.
+ca.certTransparency._034=## For example: LogServer1(enabled), LogServer2(disabled),
+ca.certTransparency._035=## LogServer3(enabled). Then, the param needs to be set to:
+ca.certTransparency._036=##
+ca.certTransparency._037=##     ca.certTransparency.log.num=3
+ca.certTransparency._038=##
+ca.certTransparency.mode=disabled
 ca.certTransparency.log.num=0