xipki / xipki Goto Github PK

XiPKI: Compact open source PKI (CA, OCSP responder, certificate protocols ACME, CMP, EST, SCEP) with HSM support.

License: Apache License 2.0

Java 98.72% Shell 1.28% Batchfile 0.01%

ocsp-responder certificate-authority crl ocsp hsm pkcs11 pki certificate scep ca

xipki's Introduction

XiPKI

XiPKI (eXtensible sImple Public Key Infrastructure) is a highly scalable and high-performance open source PKI (CA and OCSP responder).

License

The Apache Software License, Version 2.0

Support

Just create new issue.

For bug-report please upload the test data and log files, describe the version of XiPKI, OS and JRE/JDK, and the steps to reproduce the bug.

Get Started

Binaries

The binary xipki-setup-<version>.zip can be retrieved using one of the following methods

Download the binary from https://github.com/xipki/xipki/releases
Download the binary from the maven repositories
- Directly via HTTP download
  - Release version: https://repo.maven.apache.org/maven2/org/xipki/assembly/xipki-setup/
  - SNASPSHOT version: https://oss.sonatype.org/content/repositories/snapshots/org/xipki/assembly/xipki-setup/
- Via the maven-dependency-plugin
```
<artifactItem>
  <groupId>org.xipki.assembly</groupId>
  <artifactId>xipki-setup</artifactId>
  <version>..version..</version>
  <type>zip</type>
</artifactItem>
```
Build it from source code
- Get a copy of project code, e.g.
```
git clone https://github.com/xipki/xipki
```
- Build the project
  
  In folder xipki
```
./install.sh
```
  Then you will find the binary assemblies/xipki-setup/target/xipki-setup-<version>.zip

Install and Setup

Unpack xipki-setup-<version>.zip and follow the xipki-setup-<version>/INSTALL.md.

Features

Supported Platform

OS
- Linux, Windows, MacOS
JRE / JDK
- Java 11+.
Database
- DB2, MariaDB, MySQL, Oracle, PostgreSQL, H2, HSQLDB
Hardware
- Any available hardware (tested on Raspberry Pi 2 Model B with 900MHz quad-core ARM CPU and 1 GB Memory)
Servlet Container
- Tomcat 8, 9, 10, 11
HSM Devices
- AWS CloudHSM
- Nitrokey HSM 2 / Smartcard HSM EA+
- nCipher Connect / Solo
- Sansec HSM
- Softhsm v1 & v2
- TASS HSM
- Thales LUNA / ProtectServer
- Utimaco Se
- And shall also work on other HSMs with PKCS#11 support.

CA Protocol Gateway

EST (RFC 7030)
SCEP (RFC 8894)
CMP (RFC 4210, 4211, 9045, 9480)
ACME (RFC 8555, RFC 8737)
- Challenge types: dns-01, http-01, tls-apln-01
RESTful API (XiPKI own API)

CA (Certification Authority)

X.509 Certificate v3 (RFC 5280)
X.509 CRL v2 (RFC 5280)
EdDSA Certificates (RFC 8410, RFC 8032)
SHAKE Certificates (RFC 8692)
Diffie-Hellman Proof-of-Possession Algorithms (RFC 6955)
EN 319 411 and 319 412 (eIDAS)
Direct and indirect CRL
FullCRL and DeltaCRL
API to specify customized certificate profiles
Support of JSON-based certificate profile
API to specify customized publisher, e.g. for LDAP and OCSP responder
Support of publisher for OCSP responder
Public key types of certificates: RSA, EC, DSA, Ed25519, Ed448, SM2, X25519, X448
Signature algorithms of certificates
- DSA with hash algorithms: SHA-1, SHA-2, and SHA-3
- ECDSA with hash algorithms: SHA-1, SHA-2, SHA-3, and SHAKE
- Ed25519, Ed448
- Plain ECDSA with hash algorithms: SHA-1, and SHA-2
- RSA PKCS1v1.5 with hash algorithms: SHA-1, SHA-2, and SHA-3
- RSA PSS with hash algorithms: SHA-1, SHA-2, and SHA-3, and SHAKE
- SM3withSM2
Native support of X.509 extensions (other extensions can be supported by configuring it as blob)
- RFC 3739
  - BiometricInfo
  - QCStatements (also in eIDAS standard EN 319 412)
  - SubjectDirectoryAttributes
- RFC 4262
  - SMIMECapabilities
- RFC 5280
  - AuthorityInformationAccess, AuthorityKeyIdentifier
  - BasicConstraints
  - CertificatePolicies, CRLDistributionPoints
  - ExtendedKeyUsage
  - FreshestCRL
  - InhibitAnyPolicy, IssuerAltName
  - KeyUsage
  - NameConstraints
  - PolicyConstrains, PolicyMappings, PrivateKeyUsagePeriod
  - SubjectAltName, SubjectInfoAccess, SubjectKeyIdentifier
- RFC 6960
  - OcspNoCheck
- RFC 6962
  - CT Precertificate SCTs
- RfC 7633
  - TLSFeature
- Car Connectivity Consortium
  - ExtensionSchema
- Common PKI (German national standard)
  - AdditionalInformation, Admission
  - Restriction
  - ValidityModel
- GM/T 0015-2012 (Chinese national standard)
  - ICRegistrationNumber, IdentityCode, InsuranceNumber
  - OrganizationCode
  - TaxationNumber
Management of multiple CAs in one software instance
- Support of database cluster
- Multiple software instances (all can be in active mode) for the same CA
- Native support of management of CA via embedded OSGi commands
- API to manage CA. This allows one to implement proprietary CLI, e.g. Website, to manage CA.
- Database tool (export and import CA database) simplifies the switch of databases, upgrade of XiPKi and switch from other CA system to XiPKI CA
- All configuration of CA except those of databases is saved in database

OCSP Responder

OCSP Responder (RFC 2560 and RFC 6960)
Configurable Length of Nonce (RFC 8954)
Support of Common PKI 2.0
Management of multiple certificate status sources
Support of certificate status sources
- Database of XiPKI CA
- OCSP database published by XiPKI CA
- CRL and DeltaCRL
- Database of EJBCA
API to support proprietary certificate sources
Support of both unsigned and signed OCSP requests
Multiple software instances (all can be in active mode) for the same OCSP signer and certificate status sources.
Database tool (export and import OCSP database) simplifies the switch of databases, upgrade of XiPKi and switch from other OCSP system to XiPKI OCSP.
High performance
Support of health check

Mgmt CLI (Management Client)

Configuring CA
Generating keypairs of RSA, EC and DSA in token
Deleting keypairs and certificates from token
Updating certificates in token
Generating CSR (PKCS#10 request)
Exporting certificate from token

CLI (CA/OCSP Client)

Client to enroll, revoke, and unrevoke (unsuspend) certificates, to download CRLs
Client to send OCSP request
Updating certificates in token
Generating CSR (PKCS#10 request)
Exporting certificate from token

HSM Proxy

Provide the access to the HSM remotely.

xipki's People

Contributors

Stargazers

Watchers

Forkers

tempbottle tvtritin muncescu1 songsin zuluforce rajeshkarthik techie-srik bmericc boohyung ligson sdelavega sagnitude optimuse jackzhaiyh ty1970s nhkwon brat000012001 tangzhanguo karymei jacketz burakkoprulu paulvi pkitools etsangsplk cobble007 sniperxiaojun sqf-ice hyunmin-kwak coolhoo tellerattack liuzhenxin adisheshsm captainwasabi taochong123456 feiyangqyw fleann liangruisen sundaydg frestoinc bartzjegr iunet hefy2019 linbing0518 volcanowcan 13851809588 xiong616 backhideker nhtha tiankai1 suyambuganesh thelight1 ygy203 jittagornp niushengwei hoggmania fishstormx dwabisch billsg takahashi316 4ntonioparisi leismile alexkarezin wzhxx2020 wo0o0o0o0 tank0226 freight-trust mvandermeulen koujianbocuit dahoba darkmellon apegeek rusakovichma kohpai buptzyf michael-liuq blueshark0 ljyxsg augjoh edwardt zhouxy-f1 panmason xalves ikiyun changhr2013 paloschen ykj1414 jimolucy mahendrahendi kjstart dbatowl snowblind- gtreee virgree shivamsharmamwp ygypc ewangplay ntvis mputz86 ajunlonglive zeridon

xipki's Issues

Update the versions of JDBC drivers

PostgreSQL: 9.4.1207.jre7 --> 9.4.1211
H2: 1.4.191 --> 1.4.192
HSQLDB: 2.3.3 --> 2.3.4
MariaDB: 1.4.3 --> 1.5.3

added support to retrieve client certificate forwarded by reverse proxy

If the CA is behind a reverse proxy apache httpd, configure the proxy to forward the headers via mod_proxy with the following configuration

   RequestHeader set SSL_CLIENT_VERIFY "%{SSL_CLIENT_VERIFY}s"
   RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"

For more details please refer to

add option to configure the permitted POPO signature algorithms

Current Master does not build

Mvn clean install fails with latest pull.
Also git checkout v2.3.0 fails with:

error: pathspec 'v2.3.0' did not match any file(s) known to git.

MVN Build examle:
[INFO] Scanning for projects...
[INFO]                                                                         
[INFO] ------------------------------------------------------------------------
[INFO] Building XiPKI :: ca-api 2.3.0-SNAPSHOT
[INFO] ------------------------------------------------------------------------
[WARNING] The POM for org.xipki.tk:cmp:jar:2.3.0-SNAPSHOT is missing, no dependency information available
[WARNING] The POM for org.xipki.tk:datasource:jar:2.3.0-SNAPSHOT is missing, no dependency information available
[WARNING] The POM for org.xipki.tk:audit:jar:2.3.0-SNAPSHOT is missing, no dependency information available
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 1.533 s
[INFO] Finished at: 2017-11-29T17:45:38-08:00
[INFO] Final Memory: 11M/303M
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal on project ca-api: Could not resolve dependencies for project org.xipki.pki:ca-api:bundle:2.3.0-SNAPSHOT: The following artifacts could not be resolved: org.xipki.tk:cmp:jar:2.3.0-SNAPSHOT, org.xipki.tk:datasource:jar:2.3.0-SNAPSHOT, org.xipki.tk:audit:jar:2.3.0-SNAPSHOT: Failure to find org.xipki.tk:cmp:jar:2.3.0-SNAPSHOT in https://oss.sonatype.org/content/repositories/snapshots was cached in the local repository, resolution will not be reattempted until the update interval of sonatype-nexus-snapshots has elapsed or updates are forced -> [Help 1]
[ERROR] 
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR] 
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/DependencyResolutionException

add option to specify certificate serial numbers in range to command xipki-ocsp:loadtest-status

cleanup the name of static methods of Enum

Update apache karaf from 4.0.5 to 4.0.7

Setting status to inactive does not preventing from staring CA

add support to use the choice ResponderID.byKey in OCSP response

Compatible cisco ?

For local lab with GNS3 (www.gns3.com)
IOS: c7200-adventerprisek9-mz.124-24.T5.image

!
hostname R1
ip domain name xipki.org

#conf t
R1(config)#
R1(config)#crypto key generate rsa label KEY2048 modulus 2048

Next, set trust:
!
crypto pki trustpoint SubCAwithCRL1
enrollment mode ra
enrollment url http://fqdn-host-ca-name:8080/scep/SubCAwithCRL/OCSP
serial-number
fqdn R1.xipki.org
subject-name CN=R1.xipki.org,O=xipki,C=DE
revocation-check crl none
rsakeypair KEY2048
hash sha1
!

Ubuntu 16 x64:
version xipki-pki-2.1.0

karaf@root()> source xipki/demo/demo.script SHA1 PKCS12 RSA 2048
...
all sucsess

back to cisco:
R1(config)#crypto pki authenticate SubCAwithCRL1
...
Trustpoint CA certificate accepted.

Good, next get cert:

R1(config)#crypto pki enroll SubCAwithCRL1
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.

Password:
Re-enter password:

% The subject name in the certificate will include: CN=R1.xipki.org,O=xipki,C=DE
% The subject name in the certificate will include: R1.xipki.org
% The serial number in the certificate will be: 4279256517
% Include an IP address in the subject name? [no]:
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto pki certificate verbose SubCAwithCRL1' commandwill show the fingerprint.

R1(config)#

log cisco, last lines:

*Feb 21 19:31:47.670: CRYPTO_PKI: make trustedCerts list for SubCAwithCRL1
*Feb 21 19:31:47.670: CRYPTO_PKI: subject="cn=SCEP Responder1,o=xipki,c=DE" serial number= 61 62 0A 53 4A B5 E7 6E

*Feb 21 19:31:47.678: CRYPTO_PKI: subject="cn=PREFIX SubCAwithCRL1 SUFFIX,o=xipki,c=DE" serial number= 51 1F A4 32 DE A7 70 C4

*Feb 21 19:31:47.694: ../cert-c/source/asn1pub.c(283) : E_INVALID_PARAMETER : invalid function parameter (inputBER)
*Feb 21 19:31:47.694: ../cert-c/source/asn1pub.c(2843) : E_INVALID_PARAMETER : invalid function parameter ()
*Feb 21 19:31:47.694: ../cert-c/sour
R1(config)#ce/p7spprt.c(2433) : E_INVALID_PARAMETER : invalid function parameter ()
*Feb 21 19:31:47.694: ../cert-c/source/p7spprt.c(911) : E_BER_ENCODING : invalid encoding format for input data
*Feb 21 19:31:47.694: ../cert-c/source/p7spprt.c(614) : E_BER_ENCODING : invalid encoding format for input data
*Feb 21 19:31:47.710: CRYPTO_PKI: status = 0x701(E_BER_ENCODING : invalid encoding format for input data): failed to verify
*Feb 21 19:31:47.710: CRYPTO_PKI: status = 0x701(E_BER_ENCODING : invalid encoding format for input data): failed to process the inner content
*Feb 21 19:31:47.710: %PKI-6-CERTFAIL: Certificate enrollment failed.
*Feb 21 19:31:47.710: CRYPTO_PKI: All enrollment requests completed for trustpoint SubCAwithCRL1.
*Feb 21 19:31:47.710: CRYPTO_PKI: All enrollment requests completed for trustpoint SubCAwithCRL1.
*Feb 21 19:31:47.710: CRYPTO_PKI: All enrollment requests completed for trustpoint SubCAwithCRL1.
*Feb 21 19:31:47.714: CRYPTO_PKI: All enrollment requests comp
R1(config)#leted for trustpoint SubCAwithCRL1.

Back to xipki:

karaf.log:

xiaudit.log:

2017-02-21 19:31:48,553 | INFO | SCEP - PERF: status: SUCCESSFUL duration: 19 name: SubCAwithCRL/OCSP reqType: SCEP mid: 7a76a7bbadb84d17 operation: PKIOperation tid: A48B441A902986C760285F4574F2E1B6 pkiStatus: FAILURE failInfo: badAlg

The CertHash Extension in OCSP Response is incorrect

add option to specify the maximal number of single tests to load test.

add full native support of certificate extension admission

add option to control whether certificates will be returned only if CA can generate certificate for all single certificate requests in one request

add example to generate complex certificates that can be parsed by openssl

add option to read certificate serial numbers from file to command xipki-ocsp:loadtest-status

select the OCSP responder certificate according to the ResponderID in OCSP response

Return unknown status if current time is after the notAfter of the target certificate

Signature creation with algorithm plain-ECDSA not always correct

Signer configuration part "file:" will not be replaced by the content while configing CA with CAManager.loadConf()

better handle of notBefore and notAfter of the certificate to be generated

add support of enrolling certificates up to 3000 bytes

Currently the column to save the base64-encoded certificate is limited to 3000, thus certificates with more than 2250 bytes cannot be saved. The limit should be extended to 4000 to save certificates up to 3000 bytes.

clean up audit

The regex for dateOfBirth in subject is not correct

extend the OCSP responder to configure whether the expired/not-yet-valid certificates are ignored

add support of extension SubjectDirectoryAttributes as defined in RFC 3739

add support to republish the certificates with multi-threads

extend the karaf shell to allow the specification of notBefore and notAfter of the certificate to be requested

Commands xipki-ocsp:status and xipki-qa:ocsp-status cannot verify OCSP response with Plain-ECDSA signature

add option to specify the duration together with unit "<duration><time unit>" to load test

add support to communicate with CA via REST

Shell command to list certificates

It would be nice to have a command to list certificates issued by a CA. Currently this is possible only via direct database queries.

An option for sorting order would also be useful. For example, sorting by expiration date could be used to list all the certificates that are about to expire.

add karaf shell to export CA configuration

A faulty CA prevents from the use of other CAs

add option to read certificate serial numbers from file to command xipki-cli:loadtest-revoke

add support to save attributes of subject in extension SubjectAltNames

add support of non-UTF8String in field other.value in extension SubjectAltNames

add SHA3 support

What set own dataSource.password ?

Hello.

In file "ca-db.properties":
....
#encrypted password 123456
dataSource.password = PBE:B9A/zfIDGOTc+xhshvJGWMMdft32EjtEZPWGH9M0JvoWFA==
...

What crypt my own password for this set ?

add support of X.509 attribute certificate to command xipki-ocsp:status

allow certificate profile to specify customized order of RDNs in certificate subject

RandomDnCompleter.java

In /xipki/ca/ca-client-shell/src/main/java/org/xipki/pki/ca/client/shell/completer/
RandomDnCompleter.java exists with 2 files :
RandomDnCompleter.java and RandomDNCompleter.java.
Maven doens't compile and gives a error. Removing RandomDNCompleter.java fixes the issue