diff --git a/doc/Manuals/ig-cs_x-road_6_central_server_installation_guide.md b/doc/Manuals/ig-cs_x-road_6_central_server_installation_guide.md index b1019eb32e..879b410550 100644 --- a/doc/Manuals/ig-cs_x-road_6_central_server_installation_guide.md +++ b/doc/Manuals/ig-cs_x-road_6_central_server_installation_guide.md @@ -58,7 +58,7 @@ Doc. ID: IG-CS | 02.01.2024 | 2.38 | Loopback ports added | Justas Samuolis | | 25.04.2024 | 2.39 | Updated for Ubuntu 24.04 | Madis Loitmaa | | 12.06.2024 | 2.40 | Update network diagram | Petteri Kivimäki | -| 21.10.2024 | 2.41 | Update for configurable parameters in the `/etc/xroad/devices.ini` after added support for ECDSA keys | Ovidijus Narkevicius | +| 21.10.2024 | 2.41 | Update for configurable parameters in the `/etc/xroad/devices.ini` after added support for ECDSA Configuration signing keys | Ovidijus Narkevicius | ## Table of Contents @@ -521,6 +521,10 @@ The Central Server produces global configuration version V2. Version V2 is suppo The Central Server produces global configuration version V3. Version V3 is supported by Security Servers from version 7.4.0 and up. +### 4.3 Use EC Algorithm in Configuration Signing keys + +Since version 7.6.0, the Central Server supports EC algorithm for configuration signing keys. Refer to [UG-CS](#Ref_UG-CS) section „Migrating to EC based Configuration Signing keys“. + ## 5 Installation Error Handling ### 5.1 Cannot Set LC_ALL to Default Locale diff --git a/doc/Manuals/ig-ss_x-road_v6_security_server_installation_guide.md b/doc/Manuals/ig-ss_x-road_v6_security_server_installation_guide.md index 9fa95e49ee..a6e96c4691 100644 --- a/doc/Manuals/ig-ss_x-road_v6_security_server_installation_guide.md +++ b/doc/Manuals/ig-ss_x-road_v6_security_server_installation_guide.md @@ -2,7 +2,7 @@ **X-ROAD 7** -Version: 2.54 +Version: 2.53 Doc. ID: IG-SS --- 
@@ -73,8 +73,6 @@ Doc. ID: IG-SS | 12.06.2024 | 2.51 | Add ACME server to the network diagram, add a section about enabling ACME support | Petteri Kivimäki | | 25.06.2024 | 2.52 | Add global configuration download port 443 to the network diagram | Petteri Kivimäki | | 24.09.2024 | 2.53 | Add mail server to the network diagram | Mikk-Erik Bachmann | -| 21.10.2024 | 2.54 | Update for configurable parameters in the `/etc/xroad/devices.ini` after added support for ECDSA keys | Ovidijus Narkevicius | - ## License @@ -201,7 +199,7 @@ The software can be installed both on physical and virtualized hardware (of the | 1.6 | **Inbound ports from internal network** | Ports for inbound connections from the internal network to the Security Server | |   | TCP 4000 | User interface and management REST API (local network). **Must not be accessible from the internet!** | |   | TCP 8080, 8443 | Information system access points (in the local network). **Must not be accessible from the external network without strong authentication. If open to the external network, IP filtering is strongly recommended.** | -|   | TCP 587 | Communication with the mail server | +|   | TCP 587 | Communication with the mail server | | 1.7 | **Outbound ports to internal network** | Ports for inbound connections from the internal network to the Security Server | |   | TCP 80, 443, *other* | Producer information system endpoints | |   | TCP 2080 | Message exchange between Security Server and operational data monitoring daemon (by default on localhost) | 
@@ -435,26 +433,24 @@ If you are running a high availability (HA) hardware token setup (such as a clus Depending on the hardware token there may be a need for more additional configuration. All possible configurable parameters in the `/etc/xroad/devices.ini` are described in the next table. -| Parameter | Type | Default Value | Explanation | -|-----------------------------------------|-------------|------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| *enabled* | BOOLEAN | *true* | Indicates whether this device is enabled. | -| *library* | STRING | | The path to the pkcs#11 library of the device driver. | -| *library_cant_create_os_threads* | BOOLEAN | *false* | Indicates whether application threads, which are executing calls to the pkcs#11 library, may not use native operating system calls to spawn new threads (in other words, the library’s code may not create its own threads). | -| *os_locking_ok* | BOOLEAN | *false* | Indicates whether the pkcs#11 library may use the native operation system threading model for locking. | -| *sign_verify_pin* | BOOLEAN | *false* | Indicates whether the PIN should be entered per signing operation. | -| *token_id_format* | STRING | *{moduleType}{slotIndex}{serialNumber}{label}* | Specifies the identifier format used to uniquely identify a token. In certain high availability setups may need be constrained to support replicated tokens (eg. by removing the slot index part which may be diffirent for the token replicas). | -| *sign_mechanism* | STRING | *CKM_RSA_PKCS* | Specifies the signing mechanism. Supported values: *CKM_RSA_PKCS*, *CKM_RSA_PKCS_PSS*. 
| -| *rsa_sign_mechanism* | STRING | *CKM_RSA_PKCS* | Specifies the signing mechanism. Supported values: *CKM_RSA_PKCS*, *CKM_RSA_PKCS_PSS*. If value isn't provided then defaults to value of *sign_mechanism* if present. | -| *ec_sign_mechanism* | STRING | *CKM_ECDSA* | Specifies the signing mechanism for EC keys. Supported values: *CKM_ECDSA*. | -| *pub_key_attribute_encrypt* | BOOLEAN | *true* | Indicates whether public key can be used for encryption. | -| *pub_key_attribute_verify* | BOOLEAN | *true* | Indicates whether public key can be used for verification. | -| *pub_key_attribute_wrap* | BOOLEAN | | Indicates whether public key can be used for wrapping other keys. | -| *pub_key_attribute_allowed_mechanisms* | STRING LIST | | Specifies public key allowed mechanisms. Supported values: *CKM_RSA_PKCS*, *CKM_SHA256_RSA_PKCS*, *CKM_SHA384_RSA_PKCS*, *CKM_SHA512_RSA_PKCS*, and *CKM_RSA_PKCS_PSS*, *CKM_SHA256_RSA_PKCS_PSS*, *CKM_SHA384_RSA_PKCS_PSS*, *CKM_SHA512_RSA_PKCS_PSS*, *CKM_ECDSA*, *CKM_ECDSA_SHA256*, *CKM_ECDSA_SHA384*, *CKM_ECDSA_SHA512*. | -| *priv_key_attribute_sensitive* | BOOLEAN | *true* | Indicates whether private key is sensitive. | -| *priv_key_attribute_decrypt* | BOOLEAN | *true* | Indicates whether private key can be used for encryption. | -| *priv_key_attribute_sign* | BOOLEAN | *true* | Indicates whether private key can be used for signing. | -| *priv_key_attribute_unwrap* | BOOLEAN | | Indicates whether private key can be used for unwrapping wrapped keys. | -| *priv_key_attribute_allowed_mechanisms* | STRING LIST | | Specifies private key allowed mechanisms. Supported values: *CKM_RSA_PKCS*, *CKM_SHA256_RSA_PKCS*, *CKM_SHA384_RSA_PKCS*, *CKM_SHA512_RSA_PKCS*, and *CKM_RSA_PKCS_PSS*, *CKM_SHA256_RSA_PKCS_PSS*, *CKM_SHA384_RSA_PKCS_PSS*, *CKM_SHA512_RSA_PKCS_PSS*, *CKM_ECDSA*, *CKM_ECDSA_SHA256*, *CKM_ECDSA_SHA384*, *CKM_ECDSA_SHA512*. 
| +| Parameter | Type | Default Value | Explanation | +|-----------------------------------------|-------------|------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| *enabled* | BOOLEAN | *true* | Indicates whether this device is enabled. | +| *library* | STRING | | The path to the pkcs#11 library of the device driver. | +| *library_cant_create_os_threads* | BOOLEAN | *false* | Indicates whether application threads, which are executing calls to the pkcs#11 library, may not use native operating system calls to spawn new threads (in other words, the library’s code may not create its own threads). | +| *os_locking_ok* | BOOLEAN | *false* | Indicates whether the pkcs#11 library may use the native operation system threading model for locking. | +| *sign_verify_pin* | BOOLEAN | *false* | Indicates whether the PIN should be entered per signing operation. | +| *token_id_format* | STRING | *{moduleType}{slotIndex}{serialNumber}{label}* | Specifies the identifier format used to uniquely identify a token. In certain high availability setups may need be constrained to support replicated tokens (eg. by removing the slot index part which may be diffirent for the token replicas). | +| *sign_mechanism* | STRING | *CKM_RSA_PKCS* | Specifies the signing mechanism. Supported values: *CKM_RSA_PKCS*, *CKM_RSA_PKCS_PSS*. | +| *pub_key_attribute_encrypt* | BOOLEAN | *true* | Indicates whether public key can be used for encryption. | +| *pub_key_attribute_verify* | BOOLEAN | *true* | Indicates whether public key can be used for verification. | +| *pub_key_attribute_wrap* | BOOLEAN | | Indicates whether public key can be used for wrapping other keys. 
| +| *pub_key_attribute_allowed_mechanisms* | STRING LIST | | Specifies public key allowed mechanisms. Supported values: *CKM_RSA_PKCS*, *CKM_SHA256_RSA_PKCS*, *CKM_SHA384_RSA_PKCS*, *CKM_SHA512_RSA_PKCS*, and *CKM_RSA_PKCS_PSS*, *CKM_SHA256_RSA_PKCS_PSS*, *CKM_SHA384_RSA_PKCS_PSS*, *CKM_SHA512_RSA_PKCS_PSS*. | +| *priv_key_attribute_sensitive* | BOOLEAN | *true* | Indicates whether private key is sensitive. | +| *priv_key_attribute_decrypt* | BOOLEAN | *true* | Indicates whether private key can be used for encryption. | +| *priv_key_attribute_sign* | BOOLEAN | *true* | Indicates whether private key can be used for signing. | +| *priv_key_attribute_unwrap* | BOOLEAN | | Indicates whether private key can be used for unwrapping wrapped keys. | +| *priv_key_attribute_allowed_mechanisms* | STRING LIST | | Specifies private key allowed mechanisms. Supported values: *CKM_RSA_PKCS*, *CKM_SHA256_RSA_PKCS*, *CKM_SHA384_RSA_PKCS*, *CKM_SHA512_RSA_PKCS*, and *CKM_RSA_PKCS_PSS*, *CKM_SHA256_RSA_PKCS_PSS*, *CKM_SHA384_RSA_PKCS_PSS*, *CKM_SHA512_RSA_PKCS_PSS*. | **Note 1:** Only parameter *library* is mandatory, all the others are optional. **Note 2:** The item separator of the type STRING LIST is ",". diff --git a/doc/Manuals/ug-cp_x-road_v6_configuration_proxy_manual.md b/doc/Manuals/ug-cp_x-road_v6_configuration_proxy_manual.md index 5526c80e60..8baf76c9d2 100644 --- a/doc/Manuals/ug-cp_x-road_v6_configuration_proxy_manual.md +++ b/doc/Manuals/ug-cp_x-road_v6_configuration_proxy_manual.md 
@@ -26,8 +26,7 @@ Doc. ID: UG-CP | 26.09.2022 | 2.10 | Remove Ubuntu 18.04 support | Andres Rosenthal | | 30.10.2023 | 2.11 | Configuring TLS Certificates | Madis Loitmaa | | 25.04.2024 | 2.12 | Updated for Ubuntu 24.04 | Madis Loitmaa | -| 21.10.2024 | 2.13 | Update for configurable parameters in the `/etc/xroad/devices.ini` after added support for ECDSA keys | Ovidijus Narkevicius | - +| 21.10.2024 | 2.13 | Update for configurable parameters in the `/etc/xroad/devices.ini` after added support for ECDSA keys and addtinal arguments for `confproxy-add-signing-key` to enable EC key creation | Ovidijus Narkevicius | ## Table of Contents 
@@ -298,14 +297,14 @@ Modify '/etc/xroad/conf.d/local.ini' to contain the following: The configuration of this parameter is necessary for generating a correctly formatted configuration anchor file that will need to be uploaded to central servers that should receive configurations mediated by this proxy, this process is described in detail in [3.4](#34-proxy-instance-configuration). There are several more system parameters that can be configured in '/etc/xroad/conf.d/local.ini' under the 'configuration-proxy' section, their descriptions and default values can be seen from the following table: -| Parameter | Default value | Explanation | -|------------------------|----------------------------------------|-------------| -| address | 0.0.0.0 | The public IP or NAT address (reference data: 1.5) which can be accessed for downloading the distributed global configurations. | -| configuration-path | /etc/xroad/confproxy/ | Absolute path to the directory containing the configuration files of the proxy instance. The format of the configuration directory is described in [3.2.1](#321-configuration-structure-of-the-instances). | -| generated-conf-path | /var/lib/xroad/public | Absolute path to the public web server directory where the global configuration files generated by this configuration proxy, should be placed for distribution. | -| signature-digest-algorithm-id | SHA-512 | ID of the digest algorithm the configuration proxy should use when computing global configuration signatures. The possible values are: *SHA-256*, *SHA-384*, *SHA-512*. | -| hash-algorithm-uri | http://www.w3.org/2001/04/xmlenc#sha512 | URI identifying the algorithm the configuration proxy should use to calculate hash values for the global configuration file. The possible values are:
http://www.w3.org/2001/04/xmlenc#sha256,
http://www.w3.org/2001/04/xmlenc#sha512. | -| download-script | /usr/share/xroad/scripts/download_instance_configuration.sh | Absolute path to the location of the script that initializes the global configuration download procedure. | +| Parameter | Default value | Explanation | +|-------------------------------|-------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| address | 0.0.0.0 | The public IP or NAT address (reference data: 1.5) which can be accessed for downloading the distributed global configurations. | +| configuration-path | /etc/xroad/confproxy/ | Absolute path to the directory containing the configuration files of the proxy instance. The format of the configuration directory is described in [3.2.1](#321-configuration-structure-of-the-instances). | +| generated-conf-path | /var/lib/xroad/public | Absolute path to the public web server directory where the global configuration files generated by this configuration proxy, should be placed for distribution. | +| signature-digest-algorithm-id | SHA-512 | ID of the digest algorithm the configuration proxy should use when computing global configuration signatures. The possible values are: *SHA-256*, *SHA-384*, *SHA-512*. | +| hash-algorithm-uri | http://www.w3.org/2001/04/xmlenc#sha512 | URI identifying the algorithm the configuration proxy should use to calculate hash values for the global configuration file. The possible values are:
http://www.w3.org/2001/04/xmlenc#sha256,
http://www.w3.org/2001/04/xmlenc#sha512. | +| download-script | /usr/share/xroad/scripts/download_instance_configuration.sh | Absolute path to the location of the script that initializes the global configuration download procedure. | The configuration proxy is periodically started by a cron job. It reads the properties described above, from the configuration file before executing each proxy instance configured in 'configuration-path', generating new global configuration directories using algorithms as defined by 'signature-digest-algorithm-id' and 'hash-algorithm-uri'. The generated directories are subsequently placed in 'generated-conf-path' for distribution. @@ -341,11 +340,11 @@ The configuration of proxy instances is described in [3.4](#34-proxy-instance-co **ATTENTION:** The names in the angle brackets<> are chosen by the X-Road configuration proxy administrator. -| Ref | | Explanation | -|-----|----------------------------|-------------| -| 2.1 | <PROXY_NAME> | Name of the proxy instance being configured | -| 2.2 | <SECURITY_TOKEN_ID> | ID of a security token (as defined by prerequisites [3.1](#31-prerequisites)) | -| 2.3 | <ANCHOR_FILENAME> | Filename of the generated anchor .xml file that the configuration proxy clients will need to use for downloading the global configuration | +| Ref | | Explanation | +|-----|---------------------------|-------------------------------------------------------------------------------------------------------------------------------------------| +| 2.1 | <PROXY_NAME> | Name of the proxy instance being configured | +| 2.2 | <SECURITY_TOKEN_ID> | ID of a security token (as defined by prerequisites [3.1](#31-prerequisites)) | +| 2.3 | <ANCHOR_FILENAME> | Filename of the generated anchor .xml file that the configuration proxy clients will need to use for downloading the global configuration | ### 3.4 Proxy Instance Configuration 
@@ -378,9 +377,11 @@ active-signing-key-id: 2) Generate a signing key and a self signed certificate for the newly created proxy instance using the following command: ```bash -confproxy-add-signing-key -p -t +confproxy-add-signing-key -p -t [-a ] ``` +Note: **-a** parameter is optional and can be used to specify the key algorithm(since version 7.6.0). If not provided, the default value is RSA. If keys are using EC algorithm and consumers of the configuration proxy are using older X-Road instances then they will fail to verify global configuration signatures. + If no active signing key is configured for the proxy instance, then the new key should be set as the currently active key (example output follows): ```bash diff --git a/doc/Manuals/ug-cs_x-road_6_central_server_user_guide.md b/doc/Manuals/ug-cs_x-road_6_central_server_user_guide.md index 55577f525e..39c1dc7bc8 100644 --- a/doc/Manuals/ug-cs_x-road_6_central_server_user_guide.md +++ b/doc/Manuals/ug-cs_x-road_6_central_server_user_guide.md @@ -179,6 +179,7 @@ Doc. ID: UG-CS - [18 Migrating to Remote Database Host](#18-migrating-to-remote-database-host) - [19 Additional Security Hardening](#19-additional-security-hardening) - [20 Passing additional parameters to psql](#20-passing-additional-parameters-to-psql) +- [21 Migrating to EC based Configuration Signing keys](#21-migrating-to-ec-based-configuration-signing-keys) # License 
@@ -1757,3 +1758,24 @@ This example shows how SSL configurations for _psql_ could look like. List of po Some of the variables like `PGOPTIONS`, `PGDATABASE`, `PGUSER`, `PGPASSWORD` are already used by scripts(created and initialized with values from `/etc/xroad/db.properties` file) so adding same variables to `db_libpq.env` won't have any effect on script behaviour. In case it is needed to pass additional flags to internally initialized `PGOPTIONS` variable, then `PGOPTIONS_EXTRA` variable can be used. It will be appended to `PGOPTIONS` variable. + +# 21 Migrating to EC based Configuration Signing keys + +Since version 7.6.0 Central Server supports ECDSA based Configuration Signing keys. By default, both internal and external configuration signing keys will use RSA algorithm as in previous versions. EC algorithm can be enabled separately for internal and external keys so migration can be done steps first internal and then external keys or vice versa. +The instructions how to start using internal and external signing EC keys are listed below. + +Prerequisites + +* If internal key will use EC then all dependant security servers should be also of at least version 7.6.0. If not, they must be upgraded first otherwise they will not be able to verify the configuration signatures. +* If external key will use EC then all dependant security servers in federations should be also of at least version 7.6.0. If not, they must be upgraded first otherwise they will not be able to verify the configuration signatures. + +1. Update the configuration to use EC based keys. This can be done by updating the configuration file `/etc/xroad/conf.d/local.ini` and adding the following lines: + +```ini +[admin-service] +internal-key-algorithm = EC +external-key-algorithm = EC +``` + +2. Restart the `xroad-center` service to apply the changes made to the configuration file. +3. 
Follow the instructions in the [Generating a Configuration Signing Key](#541-generating-a-configuration-signing-key) to generate new keys, which will be using EC algorithm now. diff --git a/doc/Manuals/ug-sc_x-road_signer-console_user_guide.md b/doc/Manuals/ug-sc_x-road_signer-console_user_guide.md index 84afb79431..08bc982e5d 100644 --- a/doc/Manuals/ug-sc_x-road_signer-console_user_guide.md +++ b/doc/Manuals/ug-sc_x-road_signer-console_user_guide.md 
@@ -10,24 +10,25 @@ Doc. ID: UG-SC ## Version history -| Date | Version | Description | Author | -|------------|---------|---------------------------------------------------------------------------|------------------| -| 20.11.2014 | 0.1 | First draft | | -| 20.11.2014 | 0.2 | Some improvements done | | -| 01.12.2014 | 1.0 | Minor corrections done | | -| 19.01.2015 | 1.1 | License information added | | -| 02.04.2015 | 1.2 | "sdsb" changed to "xroad" | | -| 30.06.2015 | 1.3 | Minor corrections done | | -| 09.09.2015 | 2.0 | Editorial changes made | | -| 14.09.2015 | 2.1 | Audit log added | | -| 20.09.2015 | 2.2 | Editorial changes made | | -| 06.09.2015 | 2.3 | Added certificate request format argument | | -| 03.11.2015 | 2.4 | Added label parameter for key generation command | | -| 10.12.2015 | 2.5 | Editorial changes made | | -| 26.02.2021 | 2.6 | Convert documentation to markdown | Caro Hautamäki | -| 01.03.2021 | 2.7 | Added [2.4.19 update-software-token-pin](#2419-update-software-token-pin) | Caro Hautamäki | -| 25.08.2021 | 2.8 | Update X-Road references from version 6 to 7 | Caro Hautamäki | -| 01.06.2023 | 2.9 | Update references | Petteri Kivimäki | +| Date | Version | Description | Author | +|------------|---------|---------------------------------------------------------------------------|----------------------| +| 20.11.2014 | 0.1 | First draft | | +| 20.11.2014 | 0.2 | Some improvements done | | +| 01.12.2014 | 1.0 | Minor corrections done | | +| 19.01.2015 | 1.1 | License information added | | +| 02.04.2015 | 1.2 | "sdsb" changed to "xroad" | | +| 30.06.2015 | 1.3 | Minor corrections done | | +| 09.09.2015 | 2.0 | Editorial changes made | | +| 14.09.2015 | 2.1 | Audit log added | | +| 20.09.2015 | 2.2 | Editorial changes made | | +| 06.09.2015 | 2.3 | Added certificate request format argument | | +| 03.11.2015 | 2.4 | Added label parameter for key generation command | | +| 10.12.2015 | 2.5 | Editorial changes made | | +| 26.02.2021 | 2.6 | Convert 
documentation to markdown | Caro Hautamäki | +| 01.03.2021 | 2.7 | Added [2.4.19 update-software-token-pin](#2419-update-software-token-pin) | Caro Hautamäki | +| 25.08.2021 | 2.8 | Update X-Road references from version 6 to 7 | Caro Hautamäki | +| 01.06.2023 | 2.9 | Update references | Petteri Kivimäki | +| 06.11.2024 | 2.10 | Added key algorithm argument | Ovidijus Narkevicius | ## Table of Contents diff --git a/doc/Manuals/ug-syspar_x-road_v6_system_parameters.md b/doc/Manuals/ug-syspar_x-road_v6_system_parameters.md index 4185e82037..cb62e50221 100644 --- a/doc/Manuals/ug-syspar_x-road_v6_system_parameters.md +++ b/doc/Manuals/ug-syspar_x-road_v6_system_parameters.md @@ -100,7 +100,7 @@ Doc. ID: UG-SYSPAR | 26.04.2024 | 2.87 | Added ACME related parameters | Mikk-Erik Bachmann | | 19.08.2024 | 2.88 | Added parameters for management requests sender | Justas Samuoslis | | 20.09.2024 | 2.89 | Acme automatic certificate renewal job related parameters | Mikk-Erik Bachmann | -| 21.10.2024 | 2.90 | Added new parameters *key-named-curve*, *default-key-algorithm* and *soft-token-pin-keystore-algorithm* to enable ECDSA support | Ovidijus Narkevicius | +| 21.10.2024 | 2.90 | Added new parameters *key-named-curve*, *soft-token-pin-keystore-algorithm*, *internal-key-algorithm* and *external-key-algorithm* to add ECDSA support for configuration signing keys | Ovidijus Narkevicius | ## Table of Contents 
@@ -330,7 +330,6 @@ Proxy-ui has been removed in version 6.24 and it's parameters are not used anymo | grpc-port | 5560 | | | | TCP port on which the signer gRPC services listens. | | key-length | 2048 | 3072 | 3072 | | Key length for generating authentication and signing keys (since version 6.7) | | key-named-curve | secp256r1 | | | | Named curve for generating authentication and signing keys in case EC algorithms are used (since version 7.6) | -| default-key-algorithm | RSA | | | | Key algorithm used for generating authentication and signing keys. Possible values are RSA and EC. (since version 7.6) | | csr-signature-digest-algorithm | SHA-256 | | | | Certificate Signing Request signature digest algorithm.
Possible values are
- SHA-256,
- SHA-384,
- SHA-512. | | ocsp-retry-delay | 60 | | | | OCSP retry delay for signer when fetching OCSP responses fail. After failing to fetch OCSP responses signer waits for the time period defined by "ocsp-retry-delay" before trying again. This is repeated until fetching OCSP responses succeeds. After successfully fetching OCSP responses signer returns to normal OCSP refresh schedule defined by "ocspFetchInterval". If the value of "ocsp-retry-delay" is higher than "ocspFetchInterval", the value of "ocspFetchInterval" is used as OCSP retry delay. | | module-manager-update-interval | 60 | | | | HSM module manager update interval in seconds. | 
@@ -480,14 +479,14 @@ and overridden / new properties needs to be a functional combination. Default values for the SSL properties are -| **SSL Property** | **Default value** | **Description** | -|--------------------------------------------------|--------------------------------------------|-----------------| -| server.ssl.key-store | /etc/xroad/ssl/proxy-ui-api.p12 | Path to the key store that holds the SSL certificate | -| server.ssl.key-store-password | proxy-ui-api | Password used to access the key store | -| server.ssl.enabled | true | Whether to enable SSL support | -| server.ssl.ciphers | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | Supported SSL ciphers | -| server.ssl.protocol | TLS | SSL protocol to use | -| server.ssl.enabled-protocols | TLSv1.2 | Enabled SSL protocols | +| **SSL Property** | **Default value** | **Description** | +|-------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------| +| server.ssl.key-store | /etc/xroad/ssl/proxy-ui-api.p12 | Path to the key store that holds the SSL certificate | +| server.ssl.key-store-password | proxy-ui-api | Password used to access the key store | +| server.ssl.enabled | true | Whether to enable SSL support | +| server.ssl.ciphers | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | Supported SSL ciphers | +| server.ssl.protocol | TLS | SSL protocol to use | +| server.ssl.enabled-protocols | TLSv1.2 | Enabled SSL protocols | Management REST API module uses `database-properties` configuration from the [proxy parameters](#32-proxy-parameters-proxy), with some additional limitations on configurability (see 
details in proxy chapter). @@ -546,6 +545,8 @@ For instructions on how to change the parameter values, see section [Changing th | request-size-limit-regular | 50KB | Maximum size of Management REST API requests | | request-size-limit-binary-upload | 10MB | Maximum size of Management REST API requests for file uploads | | complementary-user-role-mappings | | Configures additional UNIX groups mapped to X-Road user roles. This property is defined using a separate subsection `[admin-service.complementary-user-role-mappings]`, for example:

*[admin-service.complementary-user-role-mappings]
XROAD_SECURITY_OFFICER=group1,group2
XROAD_SYSTEM_ADMINISTRATOR=group3,group4*

**Note that following configurations are preconfigured and cannot be redefined:**
*XROAD_SECURITY_OFFICER=xroad-security-officer*
*XROAD_REGISTRATION_OFFICER=xroad-registration-officer*
*XROAD_SYSTEM_ADMINISTRATOR=xroad-system-administrator* | +| internal-key-algorithm | RSA | Key algorithm used for generating internal configuration signing keys. Possible values are RSA and EC. (since version 7.6) | +| external-key-algorithm | RSA | Key algorithm used for generating external configuration signing keys. Possible values are RSA and EC. (since version 7.6) | > **NOTE**: `strict-identifier-checks` default value is true for new installations starting from version 7.3.0. It is > set to `false` in `local.ini` during upgrade process if version installed before upgrade is less than 7.3.0. diff --git a/src/central-server/admin-service/core-api/src/main/java/org/niis/xroad/cs/admin/api/facade/SignerProxyFacade.java b/src/central-server/admin-service/core-api/src/main/java/org/niis/xroad/cs/admin/api/facade/SignerProxyFacade.java index ffd99fc7d5..4902b00caa 100644 --- a/src/central-server/admin-service/core-api/src/main/java/org/niis/xroad/cs/admin/api/facade/SignerProxyFacade.java +++ b/src/central-server/admin-service/core-api/src/main/java/org/niis/xroad/cs/admin/api/facade/SignerProxyFacade.java @@ -25,6 +25,7 @@ */ package org.niis.xroad.cs.admin.api.facade; +import ee.ria.xroad.common.crypto.identifier.KeyAlgorithm; import ee.ria.xroad.common.crypto.identifier.SignAlgorithm; import ee.ria.xroad.common.crypto.identifier.SignMechanism; import ee.ria.xroad.common.identifier.ClientId; @@ -68,9 +69,9 @@ public interface SignerProxyFacade { void deactivateToken(String tokenId) throws Exception; /** - * {@link SignerProxy#generateKey(String, String)} + * {@link SignerProxy#generateKey(String, String, KeyAlgorithm)} */ - KeyInfo generateKey(String tokenId, String keyLabel) throws Exception; + KeyInfo generateKey(String tokenId, String keyLabel, KeyAlgorithm algorithm) throws Exception; /** * {@link SignerProxy#generateSelfSignedCert(String, ClientId.Conf, KeyUsageInfo, String, Date, Date)} 
@@ -89,7 +90,7 @@ byte[] generateSelfSignedCert(String keyId, ClientId.Conf memberId, KeyUsageInfo SignMechanism getSignMechanism(String keyId) throws Exception; /** - * {@link SignerProxy#sign(String, String, byte[])} + * {@link SignerProxy#sign(String, SignAlgorithm, byte[])} */ byte[] sign(String keyId, SignAlgorithm signatureAlgorithmId, byte[] digest) throws Exception; diff --git a/src/central-server/admin-service/core/src/main/java/org/niis/xroad/cs/admin/core/config/AdminServiceProperties.java b/src/central-server/admin-service/core/src/main/java/org/niis/xroad/cs/admin/core/config/AdminServiceProperties.java index 2ccd6469ea..69b0712063 100644 --- a/src/central-server/admin-service/core/src/main/java/org/niis/xroad/cs/admin/core/config/AdminServiceProperties.java +++ b/src/central-server/admin-service/core/src/main/java/org/niis/xroad/cs/admin/core/config/AdminServiceProperties.java @@ -26,6 +26,8 @@ */ package org.niis.xroad.cs.admin.core.config; +import ee.ria.xroad.common.crypto.identifier.KeyAlgorithm; + import lombok.Getter; import lombok.Setter; import org.niis.xroad.common.api.throttle.IpThrottlingFilterConfig; @@ -161,6 +163,9 @@ public class AdminServiceProperties implements IpThrottlingFilterConfig, */ private EnumMap> complementaryUserRoleMappings; + private KeyAlgorithm externalKeyAlgorithm; + private KeyAlgorithm internalKeyAlgorithm; + @Override public EnumMap> getUserRoleMappings() { EnumMap> userRoleMappings = new EnumMap<>(Role.class); diff --git a/src/central-server/admin-service/core/src/main/java/org/niis/xroad/cs/admin/core/facade/SignerProxyFacadeImpl.java b/src/central-server/admin-service/core/src/main/java/org/niis/xroad/cs/admin/core/facade/SignerProxyFacadeImpl.java index b21b4f38f7..dcaf00d4bc 100644 --- a/src/central-server/admin-service/core/src/main/java/org/niis/xroad/cs/admin/core/facade/SignerProxyFacadeImpl.java 
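Review bot: The new fields `externalKeyAlgorithm` and `internalKeyAlgorithm` in the `@@ -161,6 +163,9 @@` hunk of AdminServiceProperties have no initializer and no Javadoc, unlike the documented `complementaryUserRoleMappings` field directly above them. Unless a default is bound from a properties file outside this diff, the getters return null and `ConfigurationSigningKeysServiceImpl.addKey` passes that null to `signerProxyFacade.generateKey`, so the algorithm of a new configuration signing key would be decided somewhere this change does not show. UG-SYSPAR in this same commit documents RSA as the default, so I would state it in code, e.g. `private KeyAlgorithm internalKeyAlgorithm = KeyAlgorithm.RSA;` and the same for the external field, assuming the enum constants match the documented values RSA and EC. A one-line Javadoc on each field should name its `internal-key-algorithm` / `external-key-algorithm` parameter and note that EC keys require consumers on version 7.6.0 or later. The class body starts and ends outside the hunk.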
+++ b/src/central-server/admin-service/core/src/main/java/org/niis/xroad/cs/admin/core/facade/SignerProxyFacadeImpl.java @@ -25,6 +25,7 @@ */ package org.niis.xroad.cs.admin.core.facade; +import ee.ria.xroad.common.crypto.identifier.KeyAlgorithm; import ee.ria.xroad.common.crypto.identifier.SignAlgorithm; import ee.ria.xroad.common.crypto.identifier.SignMechanism; import ee.ria.xroad.common.identifier.ClientId; @@ -101,10 +102,10 @@ public void deactivateToken(String tokenId) throws Exception { } /** - * {@link SignerProxy#generateKey(String, String)} + * {@link SignerProxy#generateKey(String, String, KeyAlgorithm)} */ - public KeyInfo generateKey(String tokenId, String keyLabel) throws Exception { - return SignerProxy.generateKey(tokenId, keyLabel); + public KeyInfo generateKey(String tokenId, String keyLabel, KeyAlgorithm algorithm) throws Exception { + return SignerProxy.generateKey(tokenId, keyLabel, algorithm); } /** @@ -131,7 +132,7 @@ public SignMechanism getSignMechanism(String keyId) throws Exception { } /** - * {@link SignerProxy#sign(String, String, byte[])} + * {@link SignerProxy#sign(String, SignAlgorithm, byte[])} */ public byte[] sign(String keyId, SignAlgorithm signatureAlgorithmId, byte[] digest) throws Exception { return SignerProxy.sign(keyId, signatureAlgorithmId, digest); diff --git a/src/central-server/admin-service/core/src/main/java/org/niis/xroad/cs/admin/core/facade/SignerProxyFacadeMockHttpImpl.java b/src/central-server/admin-service/core/src/main/java/org/niis/xroad/cs/admin/core/facade/SignerProxyFacadeMockHttpImpl.java index 77223ce27c..c1ec538119 100644 --- a/src/central-server/admin-service/core/src/main/java/org/niis/xroad/cs/admin/core/facade/SignerProxyFacadeMockHttpImpl.java +++ b/src/central-server/admin-service/core/src/main/java/org/niis/xroad/cs/admin/core/facade/SignerProxyFacadeMockHttpImpl.java 
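Review bot: `generateKey` in the `@@ -101,10 +102,10 @@` hunk of SignerProxyFacadeImpl is declared without `@Override`, while `SignerProxyFacadeMockHttpImpl.generateKey` in this same commit carries it. Because this commit changes the interface signature, I would add `@Override` above `public KeyInfo generateKey(String tokenId, String keyLabel, KeyAlgorithm algorithm) throws Exception {`, so that a later interface change that leaves this method orphaned is reported by the compiler rather than surviving as an unused overload. The same applies to `sign` in the `@@ -131,7 +132,7 @@` hunk. That the class implements `SignerProxyFacade` is inferred from its name and its Javadoc links, since the class declaration is outside the hunks.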
@@ -27,6 +27,7 @@ package org.niis.xroad.cs.admin.core.facade; +import ee.ria.xroad.common.crypto.identifier.KeyAlgorithm; import ee.ria.xroad.common.crypto.identifier.SignAlgorithm; import ee.ria.xroad.common.crypto.identifier.SignMechanism; import ee.ria.xroad.common.identifier.ClientId; @@ -150,7 +151,7 @@ public void deactivateToken(String tokenId) { } @Override - public KeyInfo generateKey(String tokenId, String keyLabel) { + public KeyInfo generateKey(String tokenId, String keyLabel, KeyAlgorithm algorithm) { throw new NotImplementedException("generateKey not implemented yet."); } diff --git a/src/central-server/admin-service/core/src/main/java/org/niis/xroad/cs/admin/core/service/ConfigurationSigningKeysServiceImpl.java b/src/central-server/admin-service/core/src/main/java/org/niis/xroad/cs/admin/core/service/ConfigurationSigningKeysServiceImpl.java index f6ad67d440..a4820529bf 100644 --- a/src/central-server/admin-service/core/src/main/java/org/niis/xroad/cs/admin/core/service/ConfigurationSigningKeysServiceImpl.java +++ b/src/central-server/admin-service/core/src/main/java/org/niis/xroad/cs/admin/core/service/ConfigurationSigningKeysServiceImpl.java @@ -26,6 +26,7 @@ */ package org.niis.xroad.cs.admin.core.service; +import ee.ria.xroad.common.crypto.identifier.KeyAlgorithm; import ee.ria.xroad.common.crypto.identifier.SignMechanism; import ee.ria.xroad.common.identifier.ClientId; import ee.ria.xroad.common.util.TimeUtils; @@ -46,6 +47,7 @@ import org.niis.xroad.cs.admin.api.service.ConfigurationSigningKeysService; import org.niis.xroad.cs.admin.api.service.SystemParameterService; import org.niis.xroad.cs.admin.api.service.TokenActionsResolver; +import org.niis.xroad.cs.admin.core.config.AdminServiceProperties; import org.niis.xroad.cs.admin.core.entity.ConfigurationSigningKeyEntity; import org.niis.xroad.cs.admin.core.entity.ConfigurationSourceEntity; import org.niis.xroad.cs.admin.core.entity.mapper.ConfigurationSigningKeyMapper; 
@@ -102,6 +104,7 @@ public class ConfigurationSigningKeysServiceImpl extends AbstractTokenConsumer i private final ConfigurationSourceRepository configurationSourceRepository; private final ConfigurationSigningKeyMapper configurationSigningKeyMapper; private final ConfigurationSigningKeyWithDetailsMapper configurationSigningKeyWithDetailsMapper; + private final AdminServiceProperties adminServiceProperties; private final SignerProxyFacade signerProxyFacade; private final TokenActionsResolver tokenActionsResolver; private final SigningKeyActionsResolver signingKeyActionsResolver; @@ -227,6 +230,10 @@ public ConfigurationSigningKeyWithDetails addKey(String sourceType, String token ? GENERATE_INTERNAL_KEY : GENERATE_EXTERNAL_KEY; + final KeyAlgorithm keyAlgorithm = INTERNAL.equals(configurationSourceType) + ? adminServiceProperties.getInternalKeyAlgorithm() + : adminServiceProperties.getExternalKeyAlgorithm(); + if (configurationSourceType == INTERNAL) { auditEventHelper.changeRequestScopedEvent(GENERATE_INTERNAL_CONFIGURATION_SIGNING_KEY); } else if (configurationSourceType == EXTERNAL) { @@ -240,7 +247,7 @@ public ConfigurationSigningKeyWithDetails addKey(String sourceType, String token KeyInfo keyInfo; try { - keyInfo = signerProxyFacade.generateKey(tokenId, keyLabel); + keyInfo = signerProxyFacade.generateKey(tokenId, keyLabel, keyAlgorithm); auditDataHelper.put(RestApiAuditProperty.KEY_ID, keyInfo.getId()); auditDataHelper.put(RestApiAuditProperty.KEY_FRIENDLY_NAME, keyInfo.getFriendlyName()); } catch (Exception e) { diff --git a/src/central-server/admin-service/core/src/test/java/org/niis/xroad/cs/admin/core/service/ConfigurationSigningKeysServiceImplTest.java b/src/central-server/admin-service/core/src/test/java/org/niis/xroad/cs/admin/core/service/ConfigurationSigningKeysServiceImplTest.java index 563b42eb04..8607183b37 100644 
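Review bot: The audit record written in addKey does not capture the algorithm the key was generated with. After `generateKey(tokenId, keyLabel, keyAlgorithm)` the `try` block stores only `KEY_ID` and `KEY_FRIENDLY_NAME`. Because the algorithm now comes from configuration and can differ between internal and external sources, recording it would let a reviewer tell from the audit log which configuration signing keys are RSA and which are EC. Something like `auditDataHelper.put(<KEY_ALGORITHM_PROPERTY>, keyAlgorithm);` would do, where the property name is a placeholder for a constant that RestApiAuditProperty has or gains. SignerCLI.generateKey has the same gap: its `logData` holds token id, label and key id only. addKey starts and ends outside this hunk.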
--- a/src/central-server/admin-service/core/src/test/java/org/niis/xroad/cs/admin/core/service/ConfigurationSigningKeysServiceImplTest.java +++ b/src/central-server/admin-service/core/src/test/java/org/niis/xroad/cs/admin/core/service/ConfigurationSigningKeysServiceImplTest.java @@ -26,6 +26,7 @@ */ package org.niis.xroad.cs.admin.core.service; +import ee.ria.xroad.common.crypto.identifier.KeyAlgorithm; import ee.ria.xroad.common.crypto.identifier.SignMechanism; import ee.ria.xroad.common.identifier.ClientId; import ee.ria.xroad.common.util.TimeUtils; @@ -48,6 +49,7 @@ import org.niis.xroad.cs.admin.api.dto.KeyLabel; import org.niis.xroad.cs.admin.api.facade.SignerProxyFacade; import org.niis.xroad.cs.admin.api.service.SystemParameterService; +import org.niis.xroad.cs.admin.core.config.AdminServiceProperties; import org.niis.xroad.cs.admin.core.entity.ConfigurationSigningKeyEntity; import org.niis.xroad.cs.admin.core.entity.ConfigurationSourceEntity; import org.niis.xroad.cs.admin.core.entity.mapper.ConfigurationSigningKeyMapper; @@ -110,6 +112,8 @@ class ConfigurationSigningKeysServiceImplTest { private SignerProxyFacade signerProxyFacade; @Mock private SystemParameterService systemParameterService; + @Mock + private AdminServiceProperties adminServiceProperties; @Spy private final ConfigurationSigningKeyMapper configurationSigningKeyMapper = new ConfigurationSigningKeyMapperImpl(); @Spy @@ -125,6 +129,7 @@ void beforeEach() { configurationSourceRepository, configurationSigningKeyMapper, withDetailsMapper, + adminServiceProperties, signerProxyFacade, tokenActionsResolver, signingKeyActionsResolver, 
@@ -223,7 +228,7 @@ void shouldAddSigningKey() throws Exception { when(configurationSourceRepository.findBySourceTypeOrCreate(INTERNAL_CONFIGURATION, haConfigStatus)) .thenReturn(configurationSourceEntity); when(signerProxyFacade.getToken(TOKEN_ID)).thenReturn(createToken(List.of())); - when(signerProxyFacade.generateKey(TOKEN_ID, KEY_LABEL)).thenReturn(createKeyInfo("keyId")); + when(signerProxyFacade.generateKey(TOKEN_ID, KEY_LABEL, KeyAlgorithm.RSA)).thenReturn(createKeyInfo("keyId")); when(signerProxyFacade.generateSelfSignedCert(eq(KEY_ID), isA(ClientId.Conf.class), eq(KeyUsageInfo.SIGNING), eq("internalSigningKey"), @@ -231,6 +236,7 @@ void shouldAddSigningKey() throws Exception { eq(SIGNING_KEY_CERT_NOT_AFTER)) ).thenReturn(new byte[0]); when(systemParameterService.getInstanceIdentifier()).thenReturn(INSTANCE); + when(adminServiceProperties.getInternalKeyAlgorithm()).thenReturn(KeyAlgorithm.RSA); var result = configurationSigningKeysServiceImpl.addKey(INTERNAL_CONFIGURATION, TOKEN_ID, KEY_LABEL); diff --git a/src/common/common-admin-api/src/test/resources/application.yml b/src/common/common-admin-api/src/test/resources/application.yml index 8035fb811f..a2b2544210 100644 --- a/src/common/common-admin-api/src/test/resources/application.yml +++ b/src/common/common-admin-api/src/test/resources/application.yml @@ -23,6 +23,8 @@ xroad: admin-service: cache-default-ttl: 5 cache-api-key-ttl: 5 + internal-key-algorithm: RSA + external-key-algorithm: RSA file-upload-endpoints: endpoint-definitions: diff --git a/src/common/common-core/src/main/java/ee/ria/xroad/common/SystemProperties.java b/src/common/common-core/src/main/java/ee/ria/xroad/common/SystemProperties.java index f33a1310ec..15be30a43b 100644 --- a/src/common/common-core/src/main/java/ee/ria/xroad/common/SystemProperties.java +++ b/src/common/common-core/src/main/java/ee/ria/xroad/common/SystemProperties.java 
@@ -43,6 +43,7 @@ private SystemProperties() { /** The prefix for all properties. */ public static final String PREFIX = "xroad."; private static final String SIGNER_PREFIX = PREFIX + "signer."; + private static final String CENTER_PREFIX = PREFIX + "center."; private static final String COMMA_SPLIT = "\\s*,\\s*"; @@ -70,7 +71,7 @@ private SystemProperties() { /** Minimum supported global conf version on central server **/ private static final String MINIMUM_CENTRAL_SERVER_GLOBAL_CONFIGURATION_VERSION = - PREFIX + "center.minimum-global-configuration-version"; + CENTER_PREFIX + "minimum-global-configuration-version"; /** Minimum supported global conf version on configuration proxy **/ private static final String MINIMUM_CONFIGURATION_PROXY_SERVER_GLOBAL_CONFIGURATION_VERSION = 
@@ -224,24 +225,19 @@ private SystemProperties() { PROXY_PREFIX + "ocsp-responder-client-read-timeout"; /** Property name of the flag to turn off proxy client SSL verification. */ - public static final String PROXY_VERIFY_CLIENT_CERT = - PROXY_PREFIX + "verify-client-cert"; + public static final String PROXY_VERIFY_CLIENT_CERT = PROXY_PREFIX + "verify-client-cert"; /** Property name of the flag to turn on proxy client SSL logging. */ - public static final String PROXY_LOG_CLIENT_CERT = - PROXY_PREFIX + "log-client-cert"; + public static final String PROXY_LOG_CLIENT_CERT = PROXY_PREFIX + "log-client-cert"; /** Property name of the ClientProxy Jetty server configuration file. */ - public static final String JETTY_CLIENTPROXY_CONFIGURATION_FILE = - PROXY_PREFIX + "jetty-clientproxy-configuration-file"; + public static final String JETTY_CLIENTPROXY_CONFIGURATION_FILE = PROXY_PREFIX + "jetty-clientproxy-configuration-file"; /** Property name of the ServerProxy Jetty server configuration file. */ - public static final String JETTY_SERVERPROXY_CONFIGURATION_FILE = - PROXY_PREFIX + "jetty-serverproxy-configuration-file"; + public static final String JETTY_SERVERPROXY_CONFIGURATION_FILE = PROXY_PREFIX + "jetty-serverproxy-configuration-file"; /** Property name of the CertHashBasedOcspResponder Jetty server configuration file. */ - public static final String JETTY_OCSP_RESPONDER_CONFIGURATION_FILE = - PROXY_PREFIX + "jetty-ocsp-responder-configuration-file"; + public static final String JETTY_OCSP_RESPONDER_CONFIGURATION_FILE = PROXY_PREFIX + "jetty-ocsp-responder-configuration-file"; /** Property name of the ClientProxy HTTPS connector and ServerProxy HTTP client supported TLS protocols */ private static final String PROXY_CLIENT_TLS_PROTOCOLS = 
@@ -467,7 +463,6 @@ private SystemProperties() { public static final String SOFT_TOKEN_RSA_SIGN_MECHANISM = SIGNER_PREFIX + "soft-token-rsa-sign-mechanism"; public static final String SOFT_TOKEN_EC_SIGN_MECHANISM = SIGNER_PREFIX + "soft-token-ec-sign-mechanism"; public static final String SOFT_TOKEN_PIN_KEYSTORE_ALGORITHM = SIGNER_PREFIX + "soft-token-pin-keystore-algorithm"; - public static final String SIGNER_DEFAULT_KEY_ALGORITHM = SIGNER_PREFIX + "default-key-algorithm"; public static final String DEFAULT_SIGNER_MODULE_MANAGER_UPDATE_INTERVAL = "60"; public static final KeyAlgorithm DEFAULT_SIGNER_DEFAULT_KEY_ALGORITHM = KeyAlgorithm.RSA; 
@@ -529,54 +524,41 @@ public enum AllowedFederationMode { ALL, NONE, CUSTOM } // Center ----------------------------------------------------------------- - public static final String CENTER_DATABASE_PROPERTIES = - PREFIX + "center.database-properties"; + public static final String CENTER_DATABASE_PROPERTIES = CENTER_PREFIX + "database-properties"; - public static final String CENTER_TRUSTED_ANCHORS_ALLOWED = - PREFIX + "center.trusted-anchors-allowed"; + public static final String CENTER_TRUSTED_ANCHORS_ALLOWED = CENTER_PREFIX + "trusted-anchors-allowed"; - public static final String CENTER_INTERNAL_DIRECTORY = - PREFIX + "center.internal-directory"; + public static final String CENTER_INTERNAL_DIRECTORY = CENTER_PREFIX + "internal-directory"; - public static final String CENTER_EXTERNAL_DIRECTORY = - PREFIX + "center.external-directory"; + public static final String CENTER_EXTERNAL_DIRECTORY = CENTER_PREFIX + "external-directory"; - private static final String CENTER_GENERATED_CONF_DIR = - PREFIX + "center.generated-conf-dir"; + private static final String CENTER_GENERATED_CONF_DIR = CENTER_PREFIX + "generated-conf-dir"; /** Property name of the path where conf backups are created. */ - public static final String CONF_BACKUP_PATH = - PREFIX + "center.conf-backup-path"; + public static final String CONF_BACKUP_PATH = CENTER_PREFIX + "conf-backup-path"; /** Property name of enabling automatic approval of auth cert registration requests. */ - public static final String CENTER_AUTO_APPROVE_AUTH_CERT_REG_REQUESTS = - PREFIX + "center.auto-approve-auth-cert-reg-requests"; + public static final String CENTER_AUTO_APPROVE_AUTH_CERT_REG_REQUESTS = CENTER_PREFIX + "auto-approve-auth-cert-reg-requests"; /** Property name of enabling automatic approval of client registration requests. 
*/ - public static final String CENTER_AUTO_APPROVE_CLIENT_REG_REQUESTS = - PREFIX + "center.auto-approve-client-reg-requests"; + public static final String CENTER_AUTO_APPROVE_CLIENT_REG_REQUESTS = CENTER_PREFIX + "auto-approve-client-reg-requests"; /** Property name of enabling automatic approval of owner change requests. */ - public static final String CENTER_AUTO_APPROVE_OWNER_CHANGE_REQUESTS = - PREFIX + "center.auto-approve-owner-change-requests"; + public static final String CENTER_AUTO_APPROVE_OWNER_CHANGE_REQUESTS = CENTER_PREFIX + "auto-approve-owner-change-requests"; // Misc ------------------------------------------------------------------- /** Property name of the configuration files path. */ - public static final String CONF_PATH = - PREFIX + "conf.path"; + public static final String CONF_PATH = PREFIX + "conf.path"; /** Property name of the log folder for Log Reader. */ - public static final String LOG_READER_PATH = - PREFIX + "logReader.path"; + public static final String LOG_READER_PATH = PREFIX + "logReader.path"; /** Property name of the application log file path. */ - public static final String LOG_PATH = - PREFIX + "appLog.path"; + public static final String LOG_PATH = PREFIX + "appLog.path"; /** Property name of the application log level of ee.ria.xroad. */ - public static final String XROAD_LOG_LEVEL = - PREFIX + "appLog.xroad.level"; + public static final String XROAD_LOG_LEVEL = PREFIX + "appLog.xroad.level"; // Proxy UI --------------------------------------------------------------- 
@@ -1205,15 +1187,6 @@ public static KeyAlgorithm getSofTokenPinKeystoreAlgorithm() { .orElse(DEFAULT_SOFT_TOKEN_PIN_KEYSTORE_ALGORITHM); } - /** - * @return software token keystore PIN file algorithm, RSA by default - */ - public static KeyAlgorithm getSignerDefaultKeyAlgorithm() { - return Optional.ofNullable(System.getProperty(SIGNER_DEFAULT_KEY_ALGORITHM)) - .map(KeyAlgorithm::valueOf) - .orElse(DEFAULT_SIGNER_DEFAULT_KEY_ALGORITHM); - } - /** * @return the ACME certificate renewal toggle */ diff --git a/src/configuration-proxy/src/main/java/ee/ria/xroad/confproxy/commandline/ConfProxyUtilAddSigningKey.java b/src/configuration-proxy/src/main/java/ee/ria/xroad/confproxy/commandline/ConfProxyUtilAddSigningKey.java index b7bd188287..a9ef9879f5 100644 --- a/src/configuration-proxy/src/main/java/ee/ria/xroad/confproxy/commandline/ConfProxyUtilAddSigningKey.java +++ b/src/configuration-proxy/src/main/java/ee/ria/xroad/confproxy/commandline/ConfProxyUtilAddSigningKey.java @@ -25,11 +25,13 @@ */ package ee.ria.xroad.confproxy.commandline; +import ee.ria.xroad.common.crypto.identifier.KeyAlgorithm; import ee.ria.xroad.confproxy.ConfProxyProperties; import ee.ria.xroad.signer.SignerProxy; import ee.ria.xroad.signer.protocol.dto.KeyInfo; import org.apache.commons.cli.CommandLine; +import org.apache.commons.lang3.StringUtils; import java.util.Date; @@ -49,8 +51,8 @@ public class ConfProxyUtilAddSigningKey extends ConfProxyUtil { getOptions() .addOption(PROXY_INSTANCE) .addOption("k", "key-id", true, "Id of the key to be added") - .addOption("t", "token-id", true, - "Id of the token to generate a new key"); + .addOption("t", "token-id", true, "Id of the token to generate a new key") + .addOption("a", "algorithm", true, "Key algorithm used by new key (RSA/EC), default RSA"); } @Override 
@@ -64,7 +66,9 @@ final void execute(final CommandLine commandLine) addSigningKey(conf, keyId); } else if (commandLine.hasOption("token-id")) { String tokenId = commandLine.getOptionValue("t"); - KeyInfo keyInfo = SignerProxy.generateKey(tokenId, "key-" + System.currentTimeMillis()); + String alg = commandLine.getOptionValue("a", KeyAlgorithm.RSA.name()); + KeyAlgorithm keyAlgorithm = StringUtils.equalsIgnoreCase(KeyAlgorithm.EC.name(), alg) ? KeyAlgorithm.EC : KeyAlgorithm.RSA; + KeyInfo keyInfo = SignerProxy.generateKey(tokenId, "key-" + System.currentTimeMillis(), keyAlgorithm); System.out.println("Generated key with ID " + keyInfo.getId()); addSigningKey(conf, keyInfo.getId()); } else { diff --git a/src/packages/src/xroad/default-configuration/signer.ini b/src/packages/src/xroad/default-configuration/signer.ini index 2e684b8ca1..cbb9db864d 100644 --- a/src/packages/src/xroad/default-configuration/signer.ini +++ b/src/packages/src/xroad/default-configuration/signer.ini @@ -14,9 +14,6 @@ client-timeout=50000 ; Full class name of module instance provider ;module-instance-provider=com.foo.barImpl -; Key algorithm for generating new keys (RSA/EC) -;default-key-algorithm = RSA - ; Auth and sign key length (2048/3072/4096 bits) for RSA key-length=2048 diff --git a/src/proxy/core/src/intTest/java/org/niis/xroad/proxy/test/glue/ProxyStepDefs.java b/src/proxy/core/src/intTest/java/org/niis/xroad/proxy/test/glue/ProxyStepDefs.java index 98afbdce9f..ac69ab77eb 100644 --- a/src/proxy/core/src/intTest/java/org/niis/xroad/proxy/test/glue/ProxyStepDefs.java +++ b/src/proxy/core/src/intTest/java/org/niis/xroad/proxy/test/glue/ProxyStepDefs.java 
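Review bot: An unrecognised `--algorithm` value silently yields an RSA key, because `StringUtils.equalsIgnoreCase(KeyAlgorithm.EC.name(), alg) ? KeyAlgorithm.EC : KeyAlgorithm.RSA` treats everything other than "EC" as RSA. An operator who types `ECDSA` or `ec ` gets a signing key of a different type than intended, and the only output is the key id. Rejecting unknown values is safer, e.g. `KeyAlgorithm keyAlgorithm = KeyAlgorithm.valueOf(alg.strip().toUpperCase(Locale.ROOT));` with the resulting IllegalArgumentException reported as a usage error. SignerCLI.generateKey later in this commit uses the same ternary and behaves the same way. The body of execute continues outside this hunk.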
@@ -30,6 +30,7 @@ import ee.ria.xroad.common.conf.globalconf.TestGlobalConfImpl; import ee.ria.xroad.common.conf.serverconf.ServerConfImpl; import ee.ria.xroad.common.crypto.identifier.DigestAlgorithm; +import ee.ria.xroad.common.crypto.identifier.KeyAlgorithm; import ee.ria.xroad.common.hashchain.HashChainReferenceResolver; import ee.ria.xroad.common.identifier.ClientId; import ee.ria.xroad.common.signature.MessagePart; @@ -95,7 +96,7 @@ public void tokenIsActivatedWithPin(String tokenId, String pin) throws Exception @Step("new key {string} generated for token with id {string}") public void newKeyGeneratedForToken(String keyLabel, String tokenId) throws Exception { - final KeyInfo keyInfo = SignerProxy.generateKey(tokenId, keyLabel); + final KeyInfo keyInfo = SignerProxy.generateKey(tokenId, keyLabel, KeyAlgorithm.RSA); scenarioKeyId = keyInfo.getId(); testReportService.attachJson("keyInfo", keyInfo); diff --git a/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/facade/SignerProxyFacade.java b/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/facade/SignerProxyFacade.java index 08df4989ff..19f45d7b26 100644 --- a/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/facade/SignerProxyFacade.java +++ b/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/facade/SignerProxyFacade.java @@ -25,6 +25,7 @@ */ package org.niis.xroad.securityserver.restapi.facade; +import ee.ria.xroad.common.crypto.identifier.KeyAlgorithm; import ee.ria.xroad.common.identifier.ClientId; import ee.ria.xroad.common.identifier.SecurityServerId; import ee.ria.xroad.signer.SignerProxy; 
@@ -118,10 +119,10 @@ public void setKeyFriendlyName(String keyId, String friendlyName) throws Excepti } /** - * {@link SignerProxy#generateKey(String, String)} + * {@link SignerProxy#generateKey(String, String, KeyAlgorithm)} */ - public KeyInfo generateKey(String tokenId, String keyLabel) throws Exception { - return SignerProxy.generateKey(tokenId, keyLabel); + public KeyInfo generateKey(String tokenId, String keyLabel, KeyAlgorithm keyAlgorithm) throws Exception { + return SignerProxy.generateKey(tokenId, keyLabel, keyAlgorithm); } /** diff --git a/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/scheduling/AcmeClientWorker.java b/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/scheduling/AcmeClientWorker.java index 1229fc08ad..5e4fe8a1e5 100644 --- a/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/scheduling/AcmeClientWorker.java +++ b/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/scheduling/AcmeClientWorker.java @@ -29,6 +29,7 @@ import ee.ria.xroad.common.conf.globalconf.ApprovedCAInfo; import ee.ria.xroad.common.conf.globalconf.GlobalConfProvider; import ee.ria.xroad.common.conf.serverconf.model.ServerConfType; +import ee.ria.xroad.common.crypto.identifier.KeyAlgorithm; import ee.ria.xroad.common.identifier.ClientId; import ee.ria.xroad.common.identifier.SecurityServerId; import ee.ria.xroad.signer.SignerProxy; 
@@ -285,7 +286,8 @@ private X509Certificate renewCertificate(ClientId memberId, ApprovedCAInfo appro log.info("Starting to renew certificate '{}'", oldX509Certificate.getSerialNumber()); TokenInfoAndKeyId tokenAndOldKeyId = signerProxyFacade.getTokenAndKeyIdForCertHash(calculateCertHexHash(oldX509Certificate)); String tokenId = tokenAndOldKeyId.getTokenInfo().getId(); - KeyInfo newKeyInfo = signerProxyFacade.generateKey(tokenId, tokenAndOldKeyId.getKeyInfo().getLabel()); + //TODO #EC + KeyInfo newKeyInfo = signerProxyFacade.generateKey(tokenId, tokenAndOldKeyId.getKeyInfo().getLabel(), KeyAlgorithm.RSA); X509Certificate newX509Certificate; try { diff --git a/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/service/KeyService.java b/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/service/KeyService.java index c8c1a77228..3bd6a3abd7 100644 --- a/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/service/KeyService.java +++ b/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/service/KeyService.java @@ -26,6 +26,7 @@ package org.niis.xroad.securityserver.restapi.service; import ee.ria.xroad.common.CodedException; +import ee.ria.xroad.common.crypto.identifier.KeyAlgorithm; import ee.ria.xroad.signer.protocol.dto.CertificateInfo; import ee.ria.xroad.signer.protocol.dto.KeyInfo; import ee.ria.xroad.signer.protocol.dto.KeyUsageInfo; @@ -161,7 +162,8 @@ public KeyInfo addKey(String tokenId, String keyLabel) throws TokenNotFoundExcep KeyInfo keyInfo = null; try { - keyInfo = signerProxyFacade.generateKey(tokenId, keyLabel); + //TODO #EC + keyInfo = signerProxyFacade.generateKey(tokenId, keyLabel, KeyAlgorithm.RSA); } catch (CodedException e) { throw e; } catch (Exception other) { 
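Review bot: renewCertificate always generates the replacement key as `KeyAlgorithm.RSA`, so a certificate whose old key is EC would be renewed onto an RSA key without any indication. The `//TODO #EC` comment does not say what is still pending. If EC keys can reach this path, the algorithm could be taken from the old key with `SignMechanism.valueOf(tokenAndOldKeyId.getKeyInfo().getSignMechanismName()).keyAlgorithm()`, the same lookup Utils.printKeyInfo uses in this commit. Otherwise, expand the comment to something like `// TODO: RSA is hard-coded; derive the algorithm from the old key once EC keys are supported on this path`. KeyService.addKey carries the same bare TODO, and renewCertificate continues outside the hunk.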
diff --git a/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/openapi/TokensApiControllerTest.java b/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/openapi/TokensApiControllerTest.java index c4e6de716e..43a97089bb 100644 --- a/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/openapi/TokensApiControllerTest.java +++ b/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/openapi/TokensApiControllerTest.java @@ -131,7 +131,7 @@ public void setUp() throws Exception { throw new CodedException.Fault(SIGNER_X + "." + X_TOKEN_NOT_FOUND, null); } throw new RuntimeException("given tokenId not supported in mocked method SignerProxyFacade#generateKey"); - }).when(signerProxyFacade).generateKey(any(), any()); + }).when(signerProxyFacade).generateKey(any(), any(), any()); } @Test diff --git a/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/scheduling/AcmeClientWorkerTest.java b/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/scheduling/AcmeClientWorkerTest.java index bc811a06e6..ac8321e6fe 100644 --- a/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/scheduling/AcmeClientWorkerTest.java +++ b/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/scheduling/AcmeClientWorkerTest.java 
@@ -131,7 +131,7 @@ public void setUp() throws Exception { .id("new_key_id") .build(); - when(signerProxyFacade.generateKey(any(), any())).thenReturn(newKey); + when(signerProxyFacade.generateKey(any(), any(), any())).thenReturn(newKey); when(signerProxyFacade.generateCertRequest(any(), any(), any(), any(), any(), any(), any())) .thenReturn(new SignerProxy.GeneratedCertRequestInfo(null, getMockSignCsrBytes(), null, null, null)); diff --git a/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/service/KeyAndCertificateRequestServiceIntegrationTest.java b/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/service/KeyAndCertificateRequestServiceIntegrationTest.java index 56aa2cb3f1..925709aa63 100644 --- a/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/service/KeyAndCertificateRequestServiceIntegrationTest.java +++ b/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/service/KeyAndCertificateRequestServiceIntegrationTest.java @@ -27,6 +27,7 @@ import ee.ria.xroad.common.CodedException; import ee.ria.xroad.common.conf.globalconf.ApprovedCAInfo; +import ee.ria.xroad.common.crypto.identifier.KeyAlgorithm; import ee.ria.xroad.common.identifier.ClientId; import ee.ria.xroad.common.identifier.SecurityServerId; import ee.ria.xroad.signer.SignerProxy; 
@@ -85,7 +86,7 @@ public void setup() throws Exception { when(signerProxyFacade.getTokens()).thenAnswer(i -> new ArrayList<>(tokens.values())); when(signerProxyFacade.getToken(any())).thenAnswer( invocation -> tokens.get(invocation.getArguments()[0])); - when(signerProxyFacade.generateKey(any(), any())).thenAnswer(invocation -> { + when(signerProxyFacade.generateKey(any(), any(), any())).thenAnswer(invocation -> { String tokenId = (String) invocation.getArguments()[0]; String label = (String) invocation.getArguments()[1]; // new keys start with usage = null @@ -172,7 +173,7 @@ public void addKeyAndCertSuccess() throws Exception { KeyUsageInfo.SIGNING, MOCK_CA, dnParams, CertificateRequestFormat.PEM, false); verify(signerProxyFacade, times(1)) - .generateKey(SOFTWARE_TOKEN_ID, "keylabel"); + .generateKey(SOFTWARE_TOKEN_ID, "keylabel", KeyAlgorithm.RSA); verify(signerProxyFacade, times(1)) .generateCertRequest(any(), any(), any(), any(), any(), any(), any()); } diff --git a/src/signer-console/src/main/java/ee/ria/xroad/signer/console/SignerCLI.java b/src/signer-console/src/main/java/ee/ria/xroad/signer/console/SignerCLI.java index 4aa5e67584..444e7ce693 100644 --- a/src/signer-console/src/main/java/ee/ria/xroad/signer/console/SignerCLI.java +++ b/src/signer-console/src/main/java/ee/ria/xroad/signer/console/SignerCLI.java @@ -29,6 +29,7 @@ import ee.ria.xroad.common.SystemProperties; import ee.ria.xroad.common.SystemPropertiesLoader; import ee.ria.xroad.common.Version; +import ee.ria.xroad.common.crypto.identifier.KeyAlgorithm; import ee.ria.xroad.common.crypto.identifier.SignAlgorithm; import ee.ria.xroad.common.identifier.ClientId; import ee.ria.xroad.common.identifier.SecurityServerId; 
@@ -645,17 +646,21 @@ public void signBenchmark(@Param(name = "keyId", description = "Key ID") String * * @param tokenId token id * @param label label + * @param algorithm algorithm * @throws Exception if an error occurs */ @Command(description = "Generate key on token") public void generateKey(@Param(name = "tokenId", description = "Token ID") String tokenId, - @Param(name = "label", description = "Key label") String label) throws Exception { + @Param(name = "label", description = "Key label") String label, + @Param(name = "algorithm", description = "Key algorithm (RSA/EC)") String algorithm) throws Exception { Map logData = new LinkedHashMap<>(); logData.put(TOKEN_ID_PARAM, tokenId); logData.put(KEY_LABEL_PARAM, label); + var keyALgorithm = StringUtils.equalsIgnoreCase(KeyAlgorithm.EC.name(), algorithm) ? KeyAlgorithm.EC : KeyAlgorithm.RSA; + try { - KeyInfo response = SignerProxy.generateKey(tokenId, label); + KeyInfo response = SignerProxy.generateKey(tokenId, label, keyALgorithm); logData.put(KEY_ID_PARAM, response.getId()); AuditLogger.log(GENERATE_A_KEY_ON_THE_TOKEN_EVENT, XROAD_USER, null, logData); diff --git a/src/signer-console/src/main/java/ee/ria/xroad/signer/console/Utils.java b/src/signer-console/src/main/java/ee/ria/xroad/signer/console/Utils.java index da9536547a..0b5c5e9c8e 100644 --- a/src/signer-console/src/main/java/ee/ria/xroad/signer/console/Utils.java +++ b/src/signer-console/src/main/java/ee/ria/xroad/signer/console/Utils.java @@ -25,6 +25,8 @@ */ package ee.ria.xroad.signer.console; +import ee.ria.xroad.common.crypto.identifier.KeyAlgorithm; +import ee.ria.xroad.common.crypto.identifier.SignMechanism; import ee.ria.xroad.common.identifier.ClientId; import ee.ria.xroad.signer.protocol.dto.CertificateInfo; import ee.ria.xroad.signer.protocol.dto.KeyInfo; 
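Review bot: The local variable in SignerCLI.generateKey is spelled `keyALgorithm` with a capital L, and the new Javadoc line `@param algorithm algorithm` does not say which values are accepted or what happens to others. Rename it to `keyAlgorithm` and document the parameter, e.g. `@param algorithm key algorithm, "RSA" or "EC" (case-insensitive); any other value currently selects RSA`. The `description` on the `@Param` annotation already names RSA/EC, so the Javadoc only needs to match it and state the fallback.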
@@ -92,11 +94,13 @@ static void printKeyInfo(KeyInfo key, boolean verbose, String padding) { System.out.println(padding + ""); } } else { - String format = padding + "Key: %s (%s, %s)"; + String format = padding + "Key: %s (%s, %s, %s)"; String available = key.isAvailable() ? "available" : "unavailable"; + KeyAlgorithm keyAlgorithm = SignMechanism.valueOf(key.getSignMechanismName()).keyAlgorithm(); - System.out.println(String.format(format, key.getId(), key.getUsage(), available)); + System.out.printf(format, key.getId(), key.getUsage(), keyAlgorithm, available); + System.out.println(); } } diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/SignerProxy.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/SignerProxy.java index 6d4aa12a8c..420a921262 100644 --- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/SignerProxy.java +++ b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/SignerProxy.java @@ -269,18 +269,6 @@ public static KeyInfo generateKey(String tokenId, String keyLabel, KeyAlgorithm return keyInfo; } - /** - * Generate a new RSA key for the token with the given ID. - * - * @param tokenId ID of the token - * @param keyLabel label of the key - * @return generated key KeyInfo object - * @throws Exception if any errors occur - */ - public static KeyInfo generateKey(String tokenId, String keyLabel) throws Exception { - return generateKey(tokenId, keyLabel, null); - } - /** * Generate a self-signed certificate for the key with the given ID. * diff --git a/src/signer-protocol/src/main/proto/key_service.proto b/src/signer-protocol/src/main/proto/key_service.proto index b2fa59c06c..42dd3201d0 100644 --- a/src/signer-protocol/src/main/proto/key_service.proto +++ b/src/signer-protocol/src/main/proto/key_service.proto @@ -52,7 +52,7 @@ service KeyService { } enum Algorithm { - UNKNOWN = 0; + ALGORITHM_UNKNOWN = 0; RSA = 1; EC = 2; } 
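Review bot: `SignMechanism.valueOf(key.getSignMechanismName())` in the non-verbose branch of printKeyInfo throws if the name is null or not a known mechanism, which would abort the whole listing because of one odd key. Whether KeyInfo can carry an empty mechanism name is not visible here, so this needs confirming. If it can, print the raw name or a placeholder instead of resolving it. Separately, `padding` is concatenated into the format string given to `printf`. Passing it as an argument with `"%sKey: %s (%s, %s, %s)%n"` keeps it from being parsed as a format and replaces the extra `println()`.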
@@ -109,7 +109,7 @@ message DeleteKeyReq { message GenerateKeyReq { string token_id = 1; string key_label = 2; - optional Algorithm algorithm = 3; + Algorithm algorithm = 3; } message GetAuthKeyReq { diff --git a/src/signer/core/src/main/java/ee/ria/xroad/signer/tokenmanager/token/AbstractTokenWorker.java b/src/signer/core/src/main/java/ee/ria/xroad/signer/tokenmanager/token/AbstractTokenWorker.java index 747c67f8ab..c1ac34da3b 100644 --- a/src/signer/core/src/main/java/ee/ria/xroad/signer/tokenmanager/token/AbstractTokenWorker.java +++ b/src/signer/core/src/main/java/ee/ria/xroad/signer/tokenmanager/token/AbstractTokenWorker.java @@ -25,7 +25,6 @@ */ package ee.ria.xroad.signer.tokenmanager.token; -import ee.ria.xroad.common.SystemProperties; import ee.ria.xroad.common.crypto.KeyManagers; import ee.ria.xroad.common.crypto.SignDataPreparer; import ee.ria.xroad.common.crypto.identifier.KeyAlgorithm; @@ -219,9 +218,8 @@ protected void assertKeyAvailable(String keyId) { protected KeyAlgorithm mapAlgorithm(Algorithm algorithm) { return switch (algorithm) { - case RSA -> KeyAlgorithm.RSA; + case RSA, ALGORITHM_UNKNOWN, UNRECOGNIZED -> KeyAlgorithm.RSA; case EC -> KeyAlgorithm.EC; - case UNKNOWN, UNRECOGNIZED -> SystemProperties.getSignerDefaultKeyAlgorithm(); }; }
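Review bot: In mapAlgorithm the `UNRECOGNIZED` case is now folded into RSA, so a request carrying an algorithm number this signer does not know (for example from a newer client) produces an RSA key instead of an error. Defaulting `ALGORITHM_UNKNOWN` to RSA is reasonable now that the proto field is no longer `optional` and an unset field reads as 0. `UNRECOGNIZED` is different, because the caller did ask for something specific. Consider splitting the case with `case UNRECOGNIZED -> throw new IllegalArgumentException("Unsupported key algorithm");`, or the project's own coded exception, and add a one-line comment on the RSA case saying that unset maps to the RSA default.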