<feed xmlns='http://www.w3.org/2005/Atom'>
<title>pki.git, branch branch-10.2.7-dev1</title>
<subtitle>Unnamed repository; edit this file 'description' to name the repository.</subtitle>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/edewata/public_git/pki.git/'/>
<entry>
<title>Fixed KRA install problem.</title>
<updated>2016-04-02T06:24:57+00:00</updated>
<author>
<name>Endi S. Dewata</name>
<email>edewata@redhat.com</email>
</author>
<published>2016-03-30T15:23:06+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/edewata/public_git/pki.git/commit/?id=7ea76edd0bf1af7607cae13c6ce6d60675c361a4'/>
<id>7ea76edd0bf1af7607cae13c6ce6d60675c361a4</id>
<content type='text'>
Currently when installing an additional subsystem to an existing
instance the install tool always generates a new random password in
the pki_pin property which would not work with the existing NSS
database. The code has been modified to load the existing NSS
database password from the instance if the instance already exists.

The PKIInstance class has been modified to allow loading a partially
created instance to help the installation.

https://fedorahosted.org/pki/ticket/2247
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Currently when installing an additional subsystem to an existing
instance the install tool always generates a new random password in
the pki_pin property which would not work with the existing NSS
database. The code has been modified to load the existing NSS
database password from the instance if the instance already exists.

The PKIInstance class has been modified to allow loading a partially
created instance to help the installation.

https://fedorahosted.org/pki/ticket/2247
</pre>
</div>
</content>
</entry>
<entry>
<title>Install tools clean-up.</title>
<updated>2016-04-02T06:24:31+00:00</updated>
<author>
<name>Endi S. Dewata</name>
<email>edewata@redhat.com</email>
</author>
<published>2016-03-30T02:29:11+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/edewata/public_git/pki.git/commit/?id=1bbb28fb2f0cbc023b7182d42b3def0891d34b47'/>
<id>1bbb28fb2f0cbc023b7182d42b3def0891d34b47</id>
<content type='text'>
Some variables in pkispawn and pkidestroy have been renamed for
clarity.

The unused PKI_CERT_DB_PASSWORD_SLOT variable has been removed.

The constant pki_self_signed_token property has been moved into
default.cfg.

https://fedorahosted.org/pki/ticket/2247
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Some variables in pkispawn and pkidestroy have been renamed for
clarity.

The unused PKI_CERT_DB_PASSWORD_SLOT variable has been removed.

The constant pki_self_signed_token property has been moved into
default.cfg.

https://fedorahosted.org/pki/ticket/2247
</pre>
</div>
</content>
</entry>
<entry>
<title>Fix escaping of password fields to prevent interpolation</title>
<updated>2016-04-02T06:19:30+00:00</updated>
<author>
<name>Christian Heimes</name>
<email>cheimes@redhat.com</email>
</author>
<published>2015-11-23T11:01:45+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/edewata/public_git/pki.git/commit/?id=e365df91b9f39e89bcff3f6e93cd43297e276374'/>
<id>e365df91b9f39e89bcff3f6e93cd43297e276374</id>
<content type='text'>
Some password and pin fields are missing from the no_interpolation list.
One entry is misspelled. A '%' in a password field such as
pki_clone_pkcs12_password causes an installation error.

https://fedorahosted.org/pki/ticket/1703

Signed-off-by: Christian Heimes &lt;cheimes@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Some password and pin fields are missing from the no_interpolation list.
One entry is misspelled. A '%' in a password field such as
pki_clone_pkcs12_password causes an installation error.

https://fedorahosted.org/pki/ticket/1703

Signed-off-by: Christian Heimes &lt;cheimes@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Fixed certificate chain import problem.</title>
<updated>2016-04-02T06:17:41+00:00</updated>
<author>
<name>Endi S. Dewata</name>
<email>edewata@redhat.com</email>
</author>
<published>2016-03-25T02:33:05+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/edewata/public_git/pki.git/commit/?id=ee61c5561be94d3a24ad05643dca8338c47b3b84'/>
<id>ee61c5561be94d3a24ad05643dca8338c47b3b84</id>
<content type='text'>
In the external CA case if the externally-signed CA certificate
is included in the certificate chain the CA certificate may get
imported with an incorrect nickname.

The code has been modified such that the certificate chain is
imported after the CA certificate is imported with the proper
nickname.

https://fedorahosted.org/pki/ticket/2022
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
In the external CA case if the externally-signed CA certificate
is included in the certificate chain the CA certificate may get
imported with an incorrect nickname.

The code has been modified such that the certificate chain is
imported after the CA certificate is imported with the proper
nickname.

https://fedorahosted.org/pki/ticket/2022
</pre>
</div>
</content>
</entry>
<entry>
<title>Added support for cloning 3rd-party CA certificates.</title>
<updated>2016-04-02T05:48:58+00:00</updated>
<author>
<name>Endi S. Dewata</name>
<email>edewata@redhat.com</email>
</author>
<published>2016-03-17T14:23:34+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/edewata/public_git/pki.git/commit/?id=9eba5f33f04348ee4b243d3fc0d095268f824115'/>
<id>9eba5f33f04348ee4b243d3fc0d095268f824115</id>
<content type='text'>
The installation code has been modified such that it imports all
CA certificates from the PKCS #12 file for cloning before the
server is started using certutil. The user certificates will
continue to be imported using the existing JSS code after the
server is started. This is necessary since JSS is unable to
preserve the CA certificate nicknames.

The PKCS12Util has been modified to support multiple certificates
with the same nicknames.

The pki pkcs12-cert-find has been modified to show certificate ID
and another field indicating whether the certificate has a key.

The pki pkcs12-cert-export has been modified to accept either
certificate nickname or ID.

The pki pkcs12-import has been modified to provide options for
importing only user certificates or CA certificates.

https://fedorahosted.org/pki/ticket/1742
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The installation code has been modified such that it imports all
CA certificates from the PKCS #12 file for cloning before the
server is started using certutil. The user certificates will
continue to be imported using the existing JSS code after the
server is started. This is necessary since JSS is unable to
preserve the CA certificate nicknames.

The PKCS12Util has been modified to support multiple certificates
with the same nicknames.

The pki pkcs12-cert-find has been modified to show certificate ID
and another field indicating whether the certificate has a key.

The pki pkcs12-cert-export has been modified to accept either
certificate nickname or ID.

The pki pkcs12-import has been modified to provide options for
importing only user certificates or CA certificates.

https://fedorahosted.org/pki/ticket/1742
</pre>
</div>
</content>
</entry>
<entry>
<title>Additional clean-ups for PKCS #12 utilities.</title>
<updated>2016-04-02T05:48:04+00:00</updated>
<author>
<name>Endi S. Dewata</name>
<email>edewata@redhat.com</email>
</author>
<published>2016-03-17T14:23:34+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/edewata/public_git/pki.git/commit/?id=9bd9548d5c1718ad8159f2134f170649c092a581'/>
<id>9bd9548d5c1718ad8159f2134f170649c092a581</id>
<content type='text'>
The pki_server_external_cert_path has been renamed to
pki_server_external_certs_path to match the file name.

A default pki_server_external_certs_path has been added to
default.cfg.

The pki pkcs12-export has been modified to export into existing
PKCS #12 file by default.

The pki-server instance-cert-export has been modified to accept a
list of nicknames to export.

https://fedorahosted.org/pki/ticket/1742
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The pki_server_external_cert_path has been renamed to
pki_server_external_certs_path to match the file name.

A default pki_server_external_certs_path has been added to
default.cfg.

The pki pkcs12-export has been modified to export into existing
PKCS #12 file by default.

The pki-server instance-cert-export has been modified to accept a
list of nicknames to export.

https://fedorahosted.org/pki/ticket/1742
</pre>
</div>
</content>
</entry>
<entry>
<title>Renamed PKCS #12 options for consistency.</title>
<updated>2016-04-02T05:46:22+00:00</updated>
<author>
<name>Endi S. Dewata</name>
<email>edewata@redhat.com</email>
</author>
<published>2016-03-17T09:59:19+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/edewata/public_git/pki.git/commit/?id=a1de52ab41d0b0c9d5df4163224525ce940e91a8'/>
<id>a1de52ab41d0b0c9d5df4163224525ce940e91a8</id>
<content type='text'>
The pki CLI's --pkcs12 option has been renamed to --pkcs12-file
for consistency with pki-server CLI options.

https://fedorahosted.org/pki/ticket/1742
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The pki CLI's --pkcs12 option has been renamed to --pkcs12-file
for consistency with pki-server CLI options.

https://fedorahosted.org/pki/ticket/1742
</pre>
</div>
</content>
</entry>
<entry>
<title>Fix pkcs12 export</title>
<updated>2016-04-02T05:36:51+00:00</updated>
<author>
<name>Ade Lee</name>
<email>alee@redhat.com</email>
</author>
<published>2016-03-03T19:36:52+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/edewata/public_git/pki.git/commit/?id=d6ddbf86de31c4096ce816f9726e15e46f387f0f'/>
<id>d6ddbf86de31c4096ce816f9726e15e46f387f0f</id>
<content type='text'>
The utility for exporting certs and keys to a PKCS12 file
did not handle the signing certificate correctly.  This is
because the signing certificate was imported multiple times
during the export process - either with its key (and key id set)
or as part of the cert chain for the other system certs (with
no key set).

Each import would override the previous import - so whether
or not the key_id was set would depend on the order in which
the certificates were imported.

This becomes an issue for import into a clone certdb, because in
the new mechanism, we rely on the cert attributes (i.e. key_id) to
determine if a key is to be imported or not.

We fix this by specifying whether the entry in the export should
be overwritten or not.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The utility for exporting certs and keys to a PKCS12 file
did not handle the signing certificate correctly.  This is
because the signing certificate was imported multiple times
during the export process - either with its key (and key id set)
or as part of the cert chain for the other system certs (with
no key set).

Each import would override the previous import - so whether
or not the key_id was set would depend on the order in which
the certificates were imported.

This becomes an issue for import into a clone certdb, because in
the new mechanism, we rely on the cert attributes (i.e. key_id) to
determine if a key is to be imported or not.

We fix this by specifying whether the entry in the export should
be overwritten or not.
</pre>
</div>
</content>
</entry>
<entry>
<title>Handle import and export of external certs</title>
<updated>2016-04-02T05:36:42+00:00</updated>
<author>
<name>Ade Lee</name>
<email>alee@redhat.com</email>
</author>
<published>2016-02-27T07:32:14+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/edewata/public_git/pki.git/commit/?id=574eb27a2db7be57e7e887f3a790cb6370044e5f'/>
<id>574eb27a2db7be57e7e887f3a790cb6370044e5f</id>
<content type='text'>
Ticket 1742 has a case where a third party CA certificate has
been added by IPA to the dogtag certdb for the proxy cert.
There is no way to ensure that this certificate is imported
when the system is cloned.

This patch will allow the user to import third party certificates
into a dogtag instance through CLI commands (pki-server).
The certs are tracked by a new instance level configuration file
external_certs.conf.

Then, when cloning:

1.  When the pk12 file is created by the pki-server ca-clone-prepare
    command, the external certs are automatically included.
2.  When creating the clone, the new pki_server_pk12_path and
    password must be provided.  Also, a copy of the
    external_certs.conf file must be provided.
3.  This copy will be read and merged with the existing
    external_certs.conf if one exists.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Ticket 1742 has a case where a third party CA certificate has
been added by IPA to the dogtag certdb for the proxy cert.
There is no way to ensure that this certificate is imported
when the system is cloned.

This patch will allow the user to import third party certificates
into a dogtag instance through CLI commands (pki-server).
The certs are tracked by a new instance level configuration file
external_certs.conf.

Then, when cloning:

1.  When the pk12 file is created by the pki-server ca-clone-prepare
    command, the external certs are automatically included.
2.  When creating the clone, the new pki_server_pk12_path and
    password must be provided.  Also, a copy of the
    external_certs.conf file must be provided.
3.  This copy will be read and merged with the existing
    external_certs.conf if one exists.
</pre>
</div>
</content>
</entry>
<entry>
<title>Implement total ordering for PKISubsystem and PKIInstance</title>
<updated>2016-04-02T05:26:18+00:00</updated>
<author>
<name>Christian Heimes</name>
<email>cheimes@redhat.com</email>
</author>
<published>2016-02-26T16:18:57+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/edewata/public_git/pki.git/commit/?id=a8d12675dbc3d77203efbe2f9f551d4d07a5cab2'/>
<id>a8d12675dbc3d77203efbe2f9f551d4d07a5cab2</id>
<content type='text'>
In Python 3 subclasses no longer implement automatic ordering. To
provide ordering for sort() and custom comparison, __eq__ and __lt__ are
required.

https://fedorahosted.org/pki/ticket/2216
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
In Python 3 subclasses no longer implement automatic ordering. To
provide ordering for sort() and custom comparison, __eq__ and __lt__ are
required.

https://fedorahosted.org/pki/ticket/2216
</pre>
</div>
</content>
</entry>
</feed>
