xipki / xipki Goto Github PK
View Code? Open in Web Editor NEWXiPKI: Compact open source PKI (CA, OCSP responder, certificate protocols ACME, CMP, EST, SCEP) with HSM support.
License: Apache License 2.0
xipki's Issues
Sort the subect RDN as suggested by Annex B of ITU-T X.521
add option to control whether certificates will be returned only if CA can generate certificate for all single certificate requests in one request
Cannot disable audit in OCSP responder.
The regex for dateOfBirth in subject is not correct
add support of extension SubjectDirectoryAttributes as defined in RFC 3739
add karaf shell to export CA configuration
add support of qCStatement PdsLocations
The syntax is specified in eIDAS standard EN 319 412.
add option to configure the permitted POPO signature algorithms
add support of database cluster
Update the versions of JDBC drivers
PostgreSQL: 9.4.1207.jre7 --> 9.4.1211
H2: 1.4.191 --> 1.4.192
HSQLDB: 2.3.3 --> 2.3.4
MariaDB: 1.4.3 --> 1.5.3
Commands xipki-ocsp:status and xipki-qa:ocsp-status cannot verify OCSP response with Plain-ECDSA signature
RandomDnCompleter.java
In /xipki/ca/ca-client-shell/src/main/java/org/xipki/pki/ca/client/shell/completer/
RandomDnCompleter.java exists with 2 files :
RandomDnCompleter.java and RandomDNCompleter.java.
Maven doens't compile and gives a error. Removing RandomDNCompleter.java fixes the issue
What set own dataSource.password ?
Hello.
In file "ca-db.properties":
....
#encrypted password 123456
dataSource.password = PBE:B9A/zfIDGOTc+xhshvJGWMMdft32EjtEZPWGH9M0JvoWFA==
...
What crypt my own password for this set ?
Use hsqldb instead h2 due as default database due to performance problem in case of exporting database
Compatible cisco ?
For local lab with GNS3 (www.gns3.com)
IOS: c7200-adventerprisek9-mz.124-24.T5.image
!
hostname R1
ip domain name xipki.org
#conf t
R1(config)#
R1(config)#crypto key generate rsa label KEY2048 modulus 2048
Next, set trust:
!
crypto pki trustpoint SubCAwithCRL1
enrollment mode ra
enrollment url http://fqdn-host-ca-name:8080/scep/SubCAwithCRL/OCSP
serial-number
fqdn R1.xipki.org
subject-name CN=R1.xipki.org,O=xipki,C=DE
revocation-check crl none
rsakeypair KEY2048
hash sha1
!
Ubuntu 16 x64:
version xipki-pki-2.1.0
karaf@root()> source xipki/demo/demo.script SHA1 PKCS12 RSA 2048
...
all sucsess
back to cisco:
R1(config)#crypto pki authenticate SubCAwithCRL1
...
Trustpoint CA certificate accepted.
Good, next get cert:
R1(config)#crypto pki enroll SubCAwithCRL1
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Password:
Re-enter password:
% The subject name in the certificate will include: CN=R1.xipki.org,O=xipki,C=DE
% The subject name in the certificate will include: R1.xipki.org
% The serial number in the certificate will be: 4279256517
% Include an IP address in the subject name? [no]:
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto pki certificate verbose SubCAwithCRL1' commandwill show the fingerprint.
R1(config)#
log cisco, last lines:
*Feb 21 19:31:47.670: CRYPTO_PKI: make trustedCerts list for SubCAwithCRL1
*Feb 21 19:31:47.670: CRYPTO_PKI: subject="cn=SCEP Responder1,o=xipki,c=DE" serial number= 61 62 0A 53 4A B5 E7 6E
*Feb 21 19:31:47.678: CRYPTO_PKI: subject="cn=PREFIX SubCAwithCRL1 SUFFIX,o=xipki,c=DE" serial number= 51 1F A4 32 DE A7 70 C4
*Feb 21 19:31:47.694: ../cert-c/source/asn1pub.c(283) : E_INVALID_PARAMETER : invalid function parameter (inputBER)
*Feb 21 19:31:47.694: ../cert-c/source/asn1pub.c(2843) : E_INVALID_PARAMETER : invalid function parameter ()
*Feb 21 19:31:47.694: ../cert-c/sour
R1(config)#ce/p7spprt.c(2433) : E_INVALID_PARAMETER : invalid function parameter ()
*Feb 21 19:31:47.694: ../cert-c/source/p7spprt.c(911) : E_BER_ENCODING : invalid encoding format for input data
*Feb 21 19:31:47.694: ../cert-c/source/p7spprt.c(614) : E_BER_ENCODING : invalid encoding format for input data
*Feb 21 19:31:47.710: CRYPTO_PKI: status = 0x701(E_BER_ENCODING : invalid encoding format for input data): failed to verify
*Feb 21 19:31:47.710: CRYPTO_PKI: status = 0x701(E_BER_ENCODING : invalid encoding format for input data): failed to process the inner content
*Feb 21 19:31:47.710: %PKI-6-CERTFAIL: Certificate enrollment failed.
*Feb 21 19:31:47.710: CRYPTO_PKI: All enrollment requests completed for trustpoint SubCAwithCRL1.
*Feb 21 19:31:47.710: CRYPTO_PKI: All enrollment requests completed for trustpoint SubCAwithCRL1.
*Feb 21 19:31:47.710: CRYPTO_PKI: All enrollment requests completed for trustpoint SubCAwithCRL1.
*Feb 21 19:31:47.714: CRYPTO_PKI: All enrollment requests comp
R1(config)#leted for trustpoint SubCAwithCRL1.
Back to xipki:
karaf.log:
2017-02-21 19:31:47,962 | INFO | tp1966794535-456 | AuditService | xipki.commons.audit.AuditService 69 | 116 - ki.commons.audit | AuditEvent INFO | SCEP - PERF: status: SUCCESSFUL duration: 0 name: SubCAwithCRL/OCSP reqType: SCEP mid: d38cbd85fe0fabf0 operation: GetCACaps
2017-02-21 19:31:48,544 | WARN | tp1966794535-453 | Scep | pki.pki.ca.server.impl.scep.Scep 372 | 122 - ki.pki.ca-server | tid=A48B441A902986C760285F4574F2E1B6: unsupported digest algorithm 1.2.840.113549.2.5
2017-02-21 19:31:48,545 | WARN | tp1966794535-453 | Scep | pki.pki.ca.server.impl.scep.Scep 393 | 122 - ki.pki.ca-server | tid=A48B441A902986C760285F4574F2E1B6: encryption with algorithm 1.3.14.3.2.7 is not permitted
2017-02-21 19:31:48,553 | INFO | tp1966794535-453 | AuditService | xipki.commons.audit.AuditService 69 | 116 - ki.commons.audit | AuditEvent INFO | SCEP - PERF: status: SUCCESSFUL duration: 19 name: SubCAwithCRL/OCSP reqType: SCEP mid: 7a76a7bbadb84d17 operation: PKIOperation tid: A48B441A902986C760285F4574F2E1B6 pkiStatus: FAILURE failInfo: badAlg
xiaudit.log:
2017-02-21 19:31:48,553 | INFO | SCEP - PERF: status: SUCCESSFUL duration: 19 name: SubCAwithCRL/OCSP reqType: SCEP mid: 7a76a7bbadb84d17 operation: PKIOperation tid: A48B441A902986C760285F4574F2E1B6 pkiStatus: FAILURE failInfo: badAlg
add example to generate complex certificates that can be parsed by openssl
Add option to configure the whole CA system from XML or zip configuration file
extend the OCSP responder to configure whether the expired/not-yet-valid certificates are ignored
add full native support of certificate extension admission
Update apache karaf from 4.0.5 to 4.0.7
add option to specify the duration together with unit "<duration><time unit>" to load test
add option to specify certificate serial numbers in range to command xipki-ocsp:loadtest-status
add support to communicate with CA via REST
allow certificate profile to specify customized order of RDNs in certificate subject
Signature creation with algorithm plain-ECDSA not always correct
add support to save the request in CA database
A faulty CA prevents from the use of other CAs
cleanup the name of static methods of Enum
add option to read certificate serial numbers from file to command xipki-cli:loadtest-revoke
Current Master does not build
Mvn clean install fails with latest pull.
Also git checkout v2.3.0 fails with:
error: pathspec 'v2.3.0' did not match any file(s) known to git.
MVN Build examle:
[INFO] Scanning for projects...
[INFO]
[INFO] ------------------------------------------------------------------------
[INFO] Building XiPKI :: ca-api 2.3.0-SNAPSHOT
[INFO] ------------------------------------------------------------------------
[WARNING] The POM for org.xipki.tk:cmp:jar:2.3.0-SNAPSHOT is missing, no dependency information available
[WARNING] The POM for org.xipki.tk:datasource:jar:2.3.0-SNAPSHOT is missing, no dependency information available
[WARNING] The POM for org.xipki.tk:audit:jar:2.3.0-SNAPSHOT is missing, no dependency information available
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 1.533 s
[INFO] Finished at: 2017-11-29T17:45:38-08:00
[INFO] Final Memory: 11M/303M
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal on project ca-api: Could not resolve dependencies for project org.xipki.pki:ca-api:bundle:2.3.0-SNAPSHOT: The following artifacts could not be resolved: org.xipki.tk:cmp:jar:2.3.0-SNAPSHOT, org.xipki.tk:datasource:jar:2.3.0-SNAPSHOT, org.xipki.tk:audit:jar:2.3.0-SNAPSHOT: Failure to find org.xipki.tk:cmp:jar:2.3.0-SNAPSHOT in https://oss.sonatype.org/content/repositories/snapshots was cached in the local repository, resolution will not be reattempted until the update interval of sonatype-nexus-snapshots has elapsed or updates are forced -> [Help 1]
[ERROR]
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/DependencyResolutionException
Return unknown status if current time is after the notAfter of the target certificate
extend the karaf shell to allow the specification of notBefore and notAfter of the certificate to be requested
Shell command to list certificates
It would be nice to have a command to list certificates issued by a CA. Currently this is possible only via direct database queries.
An option for sorting order would also be useful. For example, sorting by expiration date could be used to list all the certificates that are about to expire.
add option to specify the maximal number of single tests to load test.
better handle of notBefore and notAfter of the certificate to be generated
add SHA3 support
add support of X.509 attribute certificate to command xipki-ocsp:status
added support to retrieve client certificate forwarded by reverse proxy
If the CA is behind a reverse proxy apache httpd, configure the proxy to forward the headers via mod_proxy with the following configuration
RequestHeader set SSL_CLIENT_VERIFY "%{SSL_CLIENT_VERIFY}s"
RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"For more details please refer to
add support of non-UTF8String in field other.value in extension SubjectAltNames
add support of enrolling certificates up to 3000 bytes
Currently the column to save the base64-encoded certificate is limited to 3000, thus certificates with more than 2250 bytes cannot be saved. The limit should be extended to 4000 to save certificates up to 3000 bytes.
add support to use the choice ResponderID.byKey in OCSP response
Signer configuration part "file:" will not be replaced by the content while configing CA with CAManager.loadConf()
Use word csr instead p10
select the OCSP responder certificate according to the ResponderID in OCSP response
add option to read certificate serial numbers from file to command xipki-ocsp:loadtest-status
The CertHash Extension in OCSP Response is incorrect
add support to republish the certificates with multi-threads
clean up audit
add support to save attributes of subject in extension SubjectAltNames
Setting status to inactive does not preventing from staring CA
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. ๐๐๐
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google โค๏ธ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.