diff --git a/.github/workflows/ca-hsm-operation-test.yml b/.github/workflows/ca-hsm-operation-test.yml
index 4b52aebe220..5041648ce87 100644
--- a/.github/workflows/ca-hsm-operation-test.yml
+++ b/.github/workflows/ca-hsm-operation-test.yml
@@ -84,7 +84,7 @@ jobs:
           -D pki_audit_signing_token=HSM \
           -D pki_subsystem_token=HSM \
           -D pki_sslserver_token=internal \
-          -D pki_ca_signing_opsFlagMask=sign \
+          -D pki_ca_signing_opFlagsMask=sign \
           -v
       continue-on-error: true
       id: hsm_no_sign
@@ -108,8 +108,8 @@ jobs:
           -D pki_audit_signing_token=HSM \
           -D pki_subsystem_token=HSM \
           -D pki_sslserver_token=internal \
-          -D pki_ca_signing_opsFlag=sign \
-          -D pki_ca_signing_opsFlagMask=sign \
+          -D pki_ca_signing_opFlags=sign \
+          -D pki_ca_signing_opFlagsMask=sign \
           -v
 
     - name: Gather artifacts
diff --git a/base/common/python/pki/nssdb.py b/base/common/python/pki/nssdb.py
index c8a9c3765cc..1945174822d 100644
--- a/base/common/python/pki/nssdb.py
+++ b/base/common/python/pki/nssdb.py
@@ -646,8 +646,8 @@ def create_key(
             key_wrap=False,
             curve=None,
             ssl_ecdh=False,
-            ops_flag=None,
-            ops_flag_mask=None):
+            op_flags=None,
+            op_flags_mask=None):
 
         cmd = [
             'pki',
@@ -688,11 +688,11 @@ def create_key(
         if ssl_ecdh:
             cmd.append('--ssl-ecdh')
 
-        if ops_flag:
-            cmd.extend(['--ops-flag', ops_flag])
+        if op_flags:
+            cmd.extend(['--op-flags', op_flags])
 
-        if ops_flag_mask:
-            cmd.extend(['--ops-flag-mask', ops_flag_mask])
+        if op_flags_mask:
+            cmd.extend(['--op-flags-mask', op_flags_mask])
 
         if logger.isEnabledFor(logging.DEBUG):
             cmd.append('--debug')
diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg
index 8ff8e1cc033..4172763db0a 100644
--- a/base/server/etc/default.cfg
+++ b/base/server/etc/default.cfg
@@ -56,8 +56,8 @@ pki_audit_signing_key_size=2048
 pki_audit_signing_key_type=rsa
 pki_audit_signing_signing_algorithm=SHA256withRSA
 pki_audit_signing_token=
-pki_audit_signing_opsFlag=
-pki_audit_signing_opsFlagMask=
+pki_audit_signing_opFlags=
+pki_audit_signing_opFlagsMask=
 
 pki_backup_keys=False
 pki_backup_file=
@@ -125,8 +125,8 @@ pki_sslserver_key_type=%(pki_ssl_server_key_type)s
 pki_sslserver_nickname=%(pki_ssl_server_nickname)s
 pki_sslserver_subject_dn=%(pki_ssl_server_subject_dn)s
 pki_sslserver_token=%(pki_ssl_server_token)s
-pki_sslserver_opsFlag=
-pki_sslserver_opsFlagMask=
+pki_sslserver_opFlags=
+pki_sslserver_opFlagsMask=
 
 pki_self_signed_nickname=temp %(pki_sslserver_nickname)s
 pki_self_signed_token=
@@ -138,8 +138,8 @@ pki_subsystem_key_type=rsa
 pki_subsystem_nickname=subsystemCert cert-%(pki_instance_name)s
 pki_subsystem_subject_dn=cn=Subsystem Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
 pki_subsystem_token=
-pki_subsystem_opsFlag=
-pki_subsystem_opsFlagMask=
+pki_subsystem_opFlags=
+pki_subsystem_opFlagsMask=
 
 #Set this if we want to use PSS signing when RSA is specified
 pki_use_pss_rsa_signing_algorithm=False
@@ -276,8 +276,8 @@ pki_ca_signing_serial_number=1
 pki_ca_signing_signing_algorithm=SHA256withRSA
 pki_ca_signing_subject_dn=cn=CA Signing Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
 pki_ca_signing_token=
-pki_ca_signing_opsFlag=
-pki_ca_signing_opsFlagMask=
+pki_ca_signing_opFlags=
+pki_ca_signing_opFlagsMask=
 
 # DEPRECATED: Use 'pki_ca_signing_csr_path' instead.
 pki_external_csr_path=
@@ -313,8 +313,8 @@ pki_ocsp_signing_nickname=ocspSigningCert cert-%(pki_instance_name)s CA
 pki_ocsp_signing_signing_algorithm=SHA256withRSA
 pki_ocsp_signing_subject_dn=cn=CA OCSP Signing Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
 pki_ocsp_signing_token=
-pki_ocsp_signing_opsFlag=
-pki_ocsp_signing_opsFlagMask=
+pki_ocsp_signing_opFlags=
+pki_ocsp_signing_opFlagsMask=
 
 pki_profiles_in_ldap=False
 pki_random_serial_numbers_enable=False
@@ -421,8 +421,8 @@ pki_storage_nickname=storageCert cert-%(pki_instance_name)s KRA
 pki_storage_signing_algorithm=SHA256withRSA
 pki_storage_subject_dn=cn=DRM Storage Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
 pki_storage_token=
-pki_storage_opsFlag=
-pki_storage_opsFlagMask=
+pki_storage_opFlags=
+pki_storage_opFlagsMask=
 
 pki_transport_key_algorithm=SHA256withRSA
 pki_transport_key_size=2048
@@ -431,8 +431,8 @@ pki_transport_nickname=transportCert cert-%(pki_instance_name)s KRA
 pki_transport_signing_algorithm=SHA256withRSA
 pki_transport_subject_dn=cn=DRM Transport Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
 pki_transport_token=
-pki_transport_opsFlag=
-pki_transport_opsFlagMask=
+pki_transport_opFlags=
+pki_transport_opFlagsMask=
 
 pki_admin_email=%(pki_admin_name)s@%(pki_dns_domainname)s
 pki_admin_name=%(pki_admin_uid)s
@@ -518,8 +518,8 @@ pki_ocsp_signing_nickname=ocspSigningCert cert-%(pki_instance_name)s OCSP
 pki_ocsp_signing_signing_algorithm=SHA256withRSA
 pki_ocsp_signing_subject_dn=cn=OCSP Signing Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
 pki_ocsp_signing_token=
-pki_ocsp_signing_opsFlag=
-pki_ocsp_signing_opsFlagMask=
+pki_ocsp_signing_opFlags=
+pki_ocsp_signing_opFlagsMask=
 
 pki_admin_email=%(pki_admin_name)s@%(pki_dns_domainname)s
 pki_admin_name=%(pki_admin_uid)s
diff --git a/base/server/python/pki/server/deployment/__init__.py b/base/server/python/pki/server/deployment/__init__.py
index 087f2f4b825..237de9d7747 100644
--- a/base/server/python/pki/server/deployment/__init__.py
+++ b/base/server/python/pki/server/deployment/__init__.py
@@ -2839,8 +2839,8 @@ def create_system_cert_info(self, subsystem, tag):
         system_cert.nickname = self.mdict['pki_%s_nickname' % cert_id]
         system_cert.subjectDN = self.mdict['pki_%s_subject_dn' % cert_id]
         system_cert.token = self.mdict['pki_%s_token' % cert_id]
-        system_cert.ops_flag = self.mdict['pki_%s_opsFlag' % cert_id]
-        system_cert.ops_flag_mask = self.mdict['pki_%s_opsFlagMask' % cert_id]
+        system_cert.op_flags = self.mdict['pki_%s_opFlags' % cert_id]
+        system_cert.op_flags_mask = self.mdict['pki_%s_opFlagsMask' % cert_id]
 
         if not system_cert.token:
             if config.str2bool(self.mdict['pki_hsm_enable']):
@@ -2973,8 +2973,8 @@ def create_cert_key(self, tag, request):
 
         token = request.systemCert.token
         key_type = request.systemCert.keyType
-        ops_flag = request.systemCert.ops_flag
-        ops_flag_mask = request.systemCert.ops_flag_mask
+        op_flags = request.systemCert.op_flags
+        op_flags_mask = request.systemCert.op_flags_mask
         key_size = None
         key_wrap = False
         curve = None
@@ -3000,8 +3000,8 @@ def create_cert_key(self, tag, request):
                 key_wrap=key_wrap,
                 curve=curve,
                 ssl_ecdh=ssl_ecdh,
-                ops_flag=ops_flag,
-                ops_flag_mask=ops_flag_mask)
+                op_flags=op_flags,
+                op_flags_mask=op_flags_mask)
 
         finally:
             nssdb.close()
diff --git a/base/tools/src/main/java/com/netscape/cmstools/nss/NSSKeyCreateCLI.java b/base/tools/src/main/java/com/netscape/cmstools/nss/NSSKeyCreateCLI.java
index 36aba8657d9..b935f403e10 100644
--- a/base/tools/src/main/java/com/netscape/cmstools/nss/NSSKeyCreateCLI.java
+++ b/base/tools/src/main/java/com/netscape/cmstools/nss/NSSKeyCreateCLI.java
@@ -86,11 +86,11 @@ public void createOptions() {
         option.setArgName("boolean");
         options.addOption(option);
 
-        option = new Option(null, "ops-flag", true, "Custom flags for key usage (empty for HSM default)");
+        option = new Option(null, "op-flags", true, "Custom flags for key usage");
         option.setArgName("usage list");
         options.addOption(option);
 
-        option = new Option(null, "ops-flag-mask", true, "Custom flags mask for key usage (empty for HSM default)");
+        option = new Option(null, "op-flags-mask", true, "Custom flags mask for key usage");
         option.setArgName("usage list");
         options.addOption(option);
 
@@ -137,8 +137,8 @@ public void execute(CommandLine cmd) throws Exception {
             extractable = Boolean.valueOf(extractableStr);
         }
 
-        String opsFlag = cmd.getOptionValue("ops-flag");
-        String opsFlagMask = cmd.getOptionValue("ops-flag-mask");
+        String opFlags = cmd.getOptionValue("op-flags");
+        String opFlagsMask = cmd.getOptionValue("op-flags-mask");
 
         MainCLI mainCLI = (MainCLI) getRoot();
         mainCLI.init();
@@ -157,13 +157,13 @@ public void execute(CommandLine cmd) throws Exception {
         if ("RSA".equalsIgnoreCase(keyType)) {
             if (keySize == null) keySize = "2048";
 
-            if (opsFlag != null && !opsFlag.isEmpty()) {
-                usages = CryptoUtil.generateUsage(opsFlag);
+            if (opFlags != null && !opFlags.isEmpty()) {
+                usages = CryptoUtil.generateUsage(opFlags);
             } else {
                 usages = keyWrap ? CryptoUtil.RSA_KEYPAIR_USAGES : null;
             }
-            if (opsFlagMask != null && !opsFlagMask.isEmpty()) {
-                usagesMask = CryptoUtil.generateUsage(opsFlagMask);
+            if (opFlagsMask != null && !opFlagsMask.isEmpty()) {
+                usagesMask = CryptoUtil.generateUsage(opFlagsMask);
             } else {
                 usagesMask = keyWrap ? CryptoUtil.RSA_KEYPAIR_USAGES_MASK : null;
             }
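Review bot: The new option descriptions drop the "(empty for HSM default)" wording, so `pki nss-key-create --help` no longer tells the operator what an omitted or empty `--op-flags`/`--op-flags-mask` does, even though the Server-Changes note in this same diff still promises "empty lists to get the HSM default key flags". Restore that in the help text, e.g. `"Comma-separated key usage flags to set (e.g. sign,verify); empty for the token default"` and `"Comma-separated key usage flags the mask covers; empty for the token default"`, so the CLI and the release notes agree. The accepted flag names (`encrypt`, `decrypt`, `sign`, `sign_recover`, `verify`, `verify_recover`, `wrap`, `unwrap`, `derive`) are only documented in the adoc file; naming them in the option help would also make misspellings easier to spot. `createOptions` starts and ends outside the hunk.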
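Review bot: In the RSA branch, giving `--op-flags` without `--op-flags-mask` pairs the caller's `usages` with `keyWrap ? CryptoUtil.RSA_KEYPAIR_USAGES_MASK : null`, i.e. a mask unrelated to the flags just requested. If the mask selects which usages the token applies explicitly (the name `usagesMask` and the paired defaults suggest that, but the JSS/`CryptoUtil` semantics are not visible here), then some or all of the requested flags would be silently ignored, and a key meant to be sign-only on the HSM could come out with the token's broader defaults. If that reading is right, default the mask to the flags when only the flags are given, `usagesMask = CryptoUtil.generateUsage(opFlagsMask != null && !opFlagsMask.isEmpty() ? opFlagsMask : opFlags);` inside the `opFlags` branch, or reject the combination with a clear error; at minimum document the interaction on the option. `execute` starts and ends outside the hunk.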
@@ -185,11 +185,11 @@ public void execute(CommandLine cmd) throws Exception {
             keyInfo.setAlgorithm(privateKey.getAlgorithm());
 
         } else if ("EC".equalsIgnoreCase(keyType)) {
-            if (opsFlag != null && !opsFlag.isEmpty()) {
-                usages = CryptoUtil.generateUsage(opsFlagMask);
+            if (opFlags != null && !opFlags.isEmpty()) {
+                usages = CryptoUtil.generateUsage(opFlagsMask);
             }
-            if (opsFlagMask != null && !opsFlagMask.isEmpty()) {
-                usagesMask = CryptoUtil.generateUsage(opsFlagMask);
+            if (opFlagsMask != null && !opFlagsMask.isEmpty()) {
+                usagesMask = CryptoUtil.generateUsage(opFlagsMask);
             } else {
                 usagesMask = sslECDH ? CryptoUtil.ECDH_USAGES_MASK : CryptoUtil.ECDHE_USAGES_MASK;
             }
diff --git a/docs/changes/v11.5.0/Server-Changes.adoc b/docs/changes/v11.5.0/Server-Changes.adoc
index 341fd622762..4e15e838562 100644
--- a/docs/changes/v11.5.0/Server-Changes.adoc
+++ b/docs/changes/v11.5.0/Server-Changes.adoc
@@ -56,11 +56,11 @@ To install a new KRA with the legacy sequential serial numbers specify the follo
 
 * `pki_request_id_generator=legacy`
 
-== Add pki__opsFlag and pki__opsFlagMask parameters ==
+== Add pki__opFlags and pki__opFlagsMask parameters ==
 
 Two new parameters are added to pkispawn configuration for setting the key flags in HSM. The new parameters are available for all certificates created during the subsystem installation
-and their value is a comma separated list of the following flags: encrypt, decrypt, sign,
-sign_recover, verify, verify_recover, wrap, unwrap and derive. The first parameter add flags to
-the list identified by underneath module while the second remove them.
+and their value is a comma separated list of the following flags: `encrypt`, `decrypt`, `sign`,
+`sign_recover`, `verify`, `verify_recover`, `wrap`, `unwrap` and `derive`. The first parameter add
+flags to the list identified by underneath module while the second remove them.
 Default values are empty lists to get the HSM default key flags.
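Review bot: The EC branch still passes the wrong variable: the `if` tests `opFlags` but the body reads `usages = CryptoUtil.generateUsage(opFlagsMask);`, so an EC key's usage values come from `--op-flags-mask` rather than `--op-flags`, and when only `--op-flags` is given `opFlagsMask` is null at that call. This pre-existing mix-up (`opsFlagMask` in the old code) survives the rename, while the RSA branch in the previous hunk correctly uses `generateUsage(opFlags)`. Because these flags decide which PKCS#11 operations the token permits on the private key, feeding the mask in as the flag set can grant operations the operator tried to withhold or leave the key unable to perform the one it was created for; the line should read `usages = CryptoUtil.generateUsage(opFlags);`. The CA HSM workflow in this diff only sets `pki_ca_signing_opFlags`/`opFlagsMask` to the same value, so a case with differing EC flag and mask values would be needed to catch this. `execute` starts and ends outside the hunk.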
diff --git a/docs/changes/v11.5.0/Tools-Changes.adoc b/docs/changes/v11.5.0/Tools-Changes.adoc
index b073100db13..841571ef3af 100644
--- a/docs/changes/v11.5.0/Tools-Changes.adoc
+++ b/docs/changes/v11.5.0/Tools-Changes.adoc
@@ -59,7 +59,7 @@ The `pki-server status` command has been updated to no longer show whether
 a subsystem is a new subsystem or a clone since there is no distinction between them.
 
-== New ops-flag and ops-flag-mask options for pki nss-key-create CLI ==
+== New op-flags and op-flags-mask options for pki nss-key-create CLI ==
 
-The `pki nss-key-create` command has been modified to support the option `--ops-flag` and `--ops-flag-mask`
+The `pki nss-key-create` command has been modified to support the option `--op-flags` and `--op-flags-mask`
 to specify a list of flags or masks to set for the new key.