Skip to content

Commit

Permalink
A new policy constraint to enforce p12 password quality.
Browse files Browse the repository at this point in the history 
The new *p12ExportPasswordConstraintImpl* constraint allows to check:

* `password.minSize` - the minimum size for the password;
* `password.minUpperLetter` - the minimum number of capital letters;
* `password.minLowerLetter` - the minimum number of lower letters;
* `password.minNumber` - the minimum number of digits;
* `password.minSpecialChar` - the minimum number of punctuation characters;
* `password.substringMatch` - the size of substring sequence which cannot be repeated;
* `password.maxRepeatedChar` - maximum number of repeating for each character;
* `password.cracklibCheck` - a boolean to request an additional check with *cracklib* (it has to be installed if not present).
  • Loading branch information
@fmarco76
fmarco76 committed Feb 5, 2025
1 parent bc2aa36 commit bf717d1
Show file tree
Hide file tree
Showing 6 changed files with 405 additions and 34 deletions.
5 changes: 4 additions & 1 deletion base/ca/shared/conf/registry.cfg
View file
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
types=profile,defaultPolicy,constraintPolicy,profileInput,profileOutput,profileUpdater
constraintPolicy.ids=noConstraintImpl,subjectNameConstraintImpl,uniqueSubjectNameConstraintImpl,userSubjectNameConstraintImpl,cmcSharedTokenSubjectNameConstraintImpl,cmcUserSignedSubjectNameConstraintImpl,caValidityConstraintImpl,validityConstraintImpl,keyUsageExtConstraintImpl,nsCertTypeExtConstraintImpl,extendedKeyUsageExtConstraintImpl,keyConstraintImpl,basicConstraintsExtConstraintImpl,extensionConstraintImpl,signingAlgConstraintImpl,uniqueKeyConstraintImpl,renewGracePeriodConstraintImpl,authzRealmConstraintImpl,externalProcessConstraintImpl
constraintPolicy.ids=noConstraintImpl,subjectNameConstraintImpl,uniqueSubjectNameConstraintImpl,userSubjectNameConstraintImpl,cmcSharedTokenSubjectNameConstraintImpl,cmcUserSignedSubjectNameConstraintImpl,caValidityConstraintImpl,validityConstraintImpl,keyUsageExtConstraintImpl,nsCertTypeExtConstraintImpl,extendedKeyUsageExtConstraintImpl,keyConstraintImpl,basicConstraintsExtConstraintImpl,extensionConstraintImpl,signingAlgConstraintImpl,uniqueKeyConstraintImpl,renewGracePeriodConstraintImpl,authzRealmConstraintImpl,externalProcessConstraintImpl,p12ExportPasswordConstraintImpl
constraintPolicy.signingAlgConstraintImpl.class=com.netscape.cms.profile.constraint.SigningAlgConstraint
constraintPolicy.signingAlgConstraintImpl.desc=Signing Algorithm Constraint
constraintPolicy.signingAlgConstraintImpl.name=Signing Algorithm Constraint
Expand Down Expand Up @@ -27,6 +27,9 @@ constraintPolicy.nsCertTypeExtConstraintImpl.name=Netscape Certificate Type Exte
constraintPolicy.noConstraintImpl.class=com.netscape.cms.profile.constraint.NoConstraint
constraintPolicy.noConstraintImpl.desc=No Constraint
constraintPolicy.noConstraintImpl.name=No Constraint
constraintPolicy.p12ExportPasswordConstraintImpl.class=com.netscape.cms.profile.constraint.P12ExportPasswordConstraint
constraintPolicy.p12ExportPasswordConstraintImpl.desc=Generated PKCS12 Constraint
constraintPolicy.p12ExportPasswordConstraintImpl.name=Generated PKCS12 Constraint
constraintPolicy.subjectNameConstraintImpl.class=com.netscape.cms.profile.constraint.SubjectNameConstraint
constraintPolicy.subjectNameConstraintImpl.desc=Subject Name Constraint
constraintPolicy.subjectNameConstraintImpl.name=Subject Name Constraint
Expand Down
37 changes: 16 additions & 21 deletions base/ca/src/main/java/com/netscape/cms/profile/common/CAEnrollProfile.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -148,10 +148,10 @@ public void execute(Request request) throws EProfileException, ERejectException
logger.info("CAEnrollProfile: Processing server-side keygen enrollment");
request.setExtData(Request.SSK_STAGE, Request.SSK_STAGE_KEYGEN);

Map<String, byte[]> passwordsGenerated = convertP12Password(request);
transWrappedSessionKey = passwordsGenerated.get("serverSideKeygenP12PasswdTransSession");
Map<String, byte[]> p12PasswordInfo = processP12Password(request);
transWrappedSessionKey = p12PasswordInfo.get("serverSideKeygenP12PasswdTransSession");

sessionWrappedPassphrase = passwordsGenerated.get("serverSideKeygenP12PasswdEnc");
sessionWrappedPassphrase = p12PasswordInfo.get("serverSideKeygenP12PasswdEnc");


try {
Expand Down Expand Up @@ -532,8 +532,17 @@ public void execute(Request request) throws EProfileException, ERejectException
}
}

private Map<String, byte[]> convertP12Password (Request request) throws EProfileException {
String method = "CAEnrollProfile: convertP12Password: ";
/**
* Read the p12 password and generate symmetric keys
*
* The password is read from the request and removed after the keys are generated.
*
* @param request
* @return symmetric keys
* @throws EProfileException
*/
private Map<String, byte[]> processP12Password (Request request) throws EProfileException {
String method = "CAEnrollProfile: processP12Password: ";
Map<String, byte[]> returnPass = null;

String p12passwd = request.getExtDataInString("serverSideKeygenP12Passwd");
Expand All @@ -551,29 +560,15 @@ private Map<String, byte[]> convertP12Password (Request request) throws EProfile
String transportNickname = kraConnectorConfig.getString("transportCertNickname", "KRA Transport Certificate");
transCert = cm.findCertByNickname(transportNickname);
} catch (Exception e) {
logger.debug(method + "'KRA transport certificate' not found in nssdb; need to be manually setup for Server-Side keygen enrollment");
logger.error(method + "'KRA transport certificate' not found in nssdb; need to be manually setup for Server-Side keygen enrollment");
throw new EProfileException(CMS.getUserMessage("CMS_MISSING_KRA_TRANSPORT_CERT_IN_CA_NSSDB"));

/* future; cert nickname can't be controlled yet at import in jss
logger.debug(method + "KRA transport certificate not found in nssdb; getting from CS.cfg");
transportCertStr = connectorsConfig.getString("KRA.transportCert", "");
logger.debug(method + "transportCert found in CS.cfg: " + transportCertStr);
byte[] transportCertB = Utils.base64decode(transportCertStr);
logger.debug(method + "transportCertB.length=" + transportCertB.length);
// hmmm, can't yet control the nickname
transCert = cm.importCACertPackage(transportCertB);
logger.debug(method + "KRA transport certificate imported");
*/
}

try
{
// todo: make things configurable in CS.cfg or profile
CryptoToken ct =
CryptoUtil.getCryptoToken(CryptoUtil.INTERNAL_TOKEN_NAME);
if (ct == null)
logger.debug(method + "crypto token null");

EncryptionAlgorithm encryptAlgorithm =
EncryptionAlgorithm.AES_128_CBC_PAD;
Expand All @@ -582,7 +577,7 @@ private Map<String, byte[]> convertP12Password (Request request) throws EProfile
boolean useOAEP = caCfg.getUseOAEPKeyWrap();

KeyWrapAlgorithm wrapAlgorithm = KeyWrapAlgorithm.RSA;
if(useOAEP == true) {
if(useOAEP) {
wrapAlgorithm = KeyWrapAlgorithm.RSA_OAEP;
}

Expand Down
162 changes: 162 additions & 0 deletions base/ca/src/main/java/com/netscape/cms/profile/constraint/P12ExportPasswordConstraint.java
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,162 @@
// --- BEGIN COPYRIGHT BLOCK ---
// This program is free software; you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation; version 2 of the License.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License along
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
//
// (C) 2025 Red Hat, Inc.
// All rights reserved.
// --- END COPYRIGHT BLOCK ---
package com.netscape.cms.profile.constraint;

import java.util.Locale;

import org.mozilla.jss.netscape.security.x509.X509CertInfo;

import com.netscape.certsrv.password.EPasswordCheckException;
import com.netscape.certsrv.profile.ERejectException;
import com.netscape.certsrv.property.EPropertyException;
import com.netscape.certsrv.property.IDescriptor;
import com.netscape.cms.password.PasswordChecker;
import com.netscape.cms.profile.def.NoDefault;
import com.netscape.cms.profile.def.PolicyDefault;
import com.netscape.cmscore.apps.CMS;
import com.netscape.cmscore.request.Request;

/**
* This class implement a policy constraint for the pkcs12 export password
*
* The policy has several configurations, the are:
* - password.minSize
* - password.minUpperLetter
* - password.minLowerLetter
* - password.minNumber
* - password.minSpecialChar
* - password.substringMatch
* - password.maxRepeatedChar
* - password.cracklibCheck
*
* @author Marco Fargetta {@literal <[email protected]>}
*/
public class P12ExportPasswordConstraint extends EnrollConstraint {

public static final org.slf4j.Logger logger = org.slf4j.LoggerFactory.getLogger(P12ExportPasswordConstraint.class);

public static final String CONFIG_PASSWORD_MIN_SIZE = "password.minSize";
public static final String CONFIG_PASSWORD_MIN_UPPER_LETTER = "password.minUpperLetter";
public static final String CONFIG_PASSWORD_MIN_LOWER_LETTER = "password.minLowerLetter";
public static final String CONFIG_PASSWORD_MIN_NUMBER = "password.minNumber";
public static final String CONFIG_PASSWORD_MIN_SPECIAL_CHAR = "password.minSpecialChar";
public static final String CONFIG_PASSWORD_SUBSTRING_MATCH = "password.substringMatch";
public static final String CONFIG_PASSWORD_MAX_REPEATED_CHAR = "password.maxRepeatedChar";
public static final String CONFIG_PASSWORD_CRACKLIB_CHECK = "password.cracklibCheck";

public P12ExportPasswordConstraint() {
super();
addConfigName(CONFIG_PASSWORD_MIN_SIZE);
}

@Override
public void setConfig(String name, String value)
throws EPropertyException {
if (name.equals(CONFIG_PASSWORD_MIN_SIZE) ||
name.equals(CONFIG_PASSWORD_MIN_UPPER_LETTER) ||
name.equals(CONFIG_PASSWORD_MIN_LOWER_LETTER) ||
name.equals(CONFIG_PASSWORD_MIN_NUMBER) ||
name.equals(CONFIG_PASSWORD_MIN_SPECIAL_CHAR) ||
name.equals(CONFIG_PASSWORD_SUBSTRING_MATCH) ||
name.equals(CONFIG_PASSWORD_MAX_REPEATED_CHAR)) {
try {
Integer.parseInt(value);
} catch (Exception e) {
throw new EPropertyException(CMS.getUserMessage(
"CMS_INVALID_PROPERTY", name));
}
}
super.setConfig(name, value);
}

@Override
public IDescriptor getConfigDescriptor(Locale locale, String name) {
return null;
}

@Override
public void validate(Request req, X509CertInfo info)
throws ERejectException {
String method = "P12ExportPasswordConstraint: validate: ";
String password = req.getExtDataInString("serverSideKeygenP12Passwd");

PasswordChecker pCheck = new PasswordChecker(
Integer.parseInt(getConfig(CONFIG_PASSWORD_MIN_SIZE, "0")),
Integer.parseInt(getConfig(CONFIG_PASSWORD_MIN_UPPER_LETTER, "0")),
Integer.parseInt(getConfig(CONFIG_PASSWORD_MIN_LOWER_LETTER, "0")),
Integer.parseInt(getConfig(CONFIG_PASSWORD_MIN_NUMBER, "0")),
Integer.parseInt(getConfig(CONFIG_PASSWORD_MIN_SPECIAL_CHAR, "0")),
Integer.parseInt(getConfig(CONFIG_PASSWORD_SUBSTRING_MATCH, "0")),
Integer.parseInt(getConfig(CONFIG_PASSWORD_MAX_REPEATED_CHAR, "0")),
getConfigBoolean(CONFIG_PASSWORD_CRACKLIB_CHECK)
);

try {
switch (pCheck.checkPassword(password)) {
case CMS_PASSWORD_EMPTY_PASSWORD, CMS_PASSWORD_INVALID_LEN:
throw new ERejectException(CMS.getUserMessage(getLocale(req),
"CMS_PASSWORD_INVALID_LEN", getConfig(CONFIG_PASSWORD_MIN_SIZE, "0")));
case CMS_PASSWORD_MISSING_UPPER_CASE:
throw new ERejectException(CMS.getUserMessage(getLocale(req),
"CMS_PASSWORD_MISSING_UPPER_CASE", getConfig(CONFIG_PASSWORD_MIN_UPPER_LETTER, "0")));
case CMS_PASSWORD_MISSING_LOWER_CASE:
throw new ERejectException(CMS.getUserMessage(getLocale(req),
"CMS_PASSWORD_MISSING_LOWER_CASE", getConfig(CONFIG_PASSWORD_MIN_LOWER_LETTER, "0")));
case CMS_PASSWORD_MISSING_NUMERIC:
throw new ERejectException(CMS.getUserMessage(getLocale(req),
"CMS_PASSWORD_MISSING_NUMERIC", getConfig(CONFIG_PASSWORD_MIN_NUMBER, "0")));
case CMS_PASSWORD_MISSING_PUNCTUATION:
throw new ERejectException(CMS.getUserMessage(getLocale(req),
"CMS_PASSWORD_MISSING_PUNCTUATION", getConfig(CONFIG_PASSWORD_MIN_SPECIAL_CHAR, "0")));
case CMS_PASSWORD_SEQUENCE:
throw new ERejectException(CMS.getUserMessage(getLocale(req),
"CMS_PASSWORD_SEQUENCE"));
case CMS_PASSWORD_REPEATED_CHAR:
throw new ERejectException(CMS.getUserMessage(getLocale(req),
"CMS_PASSWORD_REPEATED_CHAR", getConfig(CONFIG_PASSWORD_MAX_REPEATED_CHAR, "0")));
case CMS_PASSWORD_CRACKLIB_FAILS:
throw new ERejectException(CMS.getUserMessage(getLocale(req),
"CMS_PASSWORD_CRACKLIB_FAILS"));
}
} catch (EPasswordCheckException e) {
logger.error("{password rejected because }", method, e.getMessage());
throw new ERejectException(CMS.getUserMessage(getLocale(req),
"CMS_PROFILE_P12EXPORT_PASSWORD_ERROR", e.getMessage()));
}
}

@Override
public String getText(Locale locale) {
String[] params = {
getConfig(CONFIG_PASSWORD_MIN_SIZE, "-1"),
getConfig(CONFIG_PASSWORD_MIN_UPPER_LETTER, "-1"),
getConfig(CONFIG_PASSWORD_MIN_LOWER_LETTER, "-1"),
getConfig(CONFIG_PASSWORD_MIN_NUMBER, "-1"),
getConfig(CONFIG_PASSWORD_MIN_SPECIAL_CHAR, "-1"),
getConfig(CONFIG_PASSWORD_SUBSTRING_MATCH, "-1"),
getConfig(CONFIG_PASSWORD_MAX_REPEATED_CHAR, "-1"),
getConfig(CONFIG_PASSWORD_CRACKLIB_CHECK, "False")
};
return CMS.getUserMessage(locale, "CMS_PROFILE_CONSTRAINT_P12EXPORT_PASSWORD_TEXT", params);
}

@Override
public boolean isApplicable(PolicyDefault def) {
return (def instanceof NoDefault);
}
}
Loading

0 comments on commit bf717d1

Please sign in to comment.