<feed xmlns='http://www.w3.org/2005/Atom'>
<title>pki.git/base/common, branch branch-10.2.7-dev1</title>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/edewata/public_git/pki.git/'/>
<entry>
<title>Added support for cloning 3rd-party CA certificates.</title>
<updated>2016-04-02T05:48:58+00:00</updated>
<author>
<name>Endi S. Dewata</name>
<email>edewata@redhat.com</email>
</author>
<published>2016-03-17T14:23:34+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/edewata/public_git/pki.git/commit/?id=9eba5f33f04348ee4b243d3fc0d095268f824115'/>
<id>9eba5f33f04348ee4b243d3fc0d095268f824115</id>
<content type='text'>
The installation code has been modified such that it imports all
CA certificates from the PKCS #12 file for cloning before the
server is started using certutil. The user certificates will
continue to be imported using the existing JSS code after the
server is started. This is necessary since JSS is unable to
preserve the CA certificate nicknames.

The PKCS12Util has been modified to support multiple certificates
with the same nicknames.

The pki pkcs12-cert-find has been modified to show certificate ID
and another field indicating whether the certificate has a key.

The pki pkcs12-cert-export has been modified to accept either
certificate nickname or ID.

The pki pkcs12-import has been modified to provide options for
importing only user certificates or CA certificates.

https://fedorahosted.org/pki/ticket/1742
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The installation code has been modified such that it imports all
CA certificates from the PKCS #12 file for cloning before the
server is started using certutil. The user certificates will
continue to be imported using the existing JSS code after the
server is started. This is necessary since JSS is unable to
preserve the CA certificate nicknames.

The PKCS12Util has been modified to support multiple certificates
with the same nicknames.

The pki pkcs12-cert-find has been modified to show certificate ID
and another field indicating whether the certificate has a key.

The pki pkcs12-cert-export has been modified to accept either
certificate nickname or ID.

The pki pkcs12-import has been modified to provide options for
importing only user certificates or CA certificates.

https://fedorahosted.org/pki/ticket/1742
</pre>
</div>
</content>
</entry>
<entry>
<title>Additional clean-ups for PKCS #12 utilities.</title>
<updated>2016-04-02T05:48:04+00:00</updated>
<author>
<name>Endi S. Dewata</name>
<email>edewata@redhat.com</email>
</author>
<published>2016-03-17T14:23:34+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/edewata/public_git/pki.git/commit/?id=9bd9548d5c1718ad8159f2134f170649c092a581'/>
<id>9bd9548d5c1718ad8159f2134f170649c092a581</id>
<content type='text'>
The pki_server_external_cert_path has been renamed to
pki_server_external_certs_path to match the file name.

A default pki_server_external_certs_path has been added to
default.cfg.

The pki pkcs12-export has been modified to export into existing
PKCS #12 file by default.

The pki-server instance-cert-export has been modified to accept a
list of nicknames to export.

https://fedorahosted.org/pki/ticket/1742
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The pki_server_external_cert_path has been renamed to
pki_server_external_certs_path to match the file name.

A default pki_server_external_certs_path has been added to
default.cfg.

The pki pkcs12-export has been modified to export into existing
PKCS #12 file by default.

The pki-server instance-cert-export has been modified to accept a
list of nicknames to export.

https://fedorahosted.org/pki/ticket/1742
</pre>
</div>
</content>
</entry>
<entry>
<title>Renamed PKCS #12 options for consistency.</title>
<updated>2016-04-02T05:46:22+00:00</updated>
<author>
<name>Endi S. Dewata</name>
<email>edewata@redhat.com</email>
</author>
<published>2016-03-17T09:59:19+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/edewata/public_git/pki.git/commit/?id=a1de52ab41d0b0c9d5df4163224525ce940e91a8'/>
<id>a1de52ab41d0b0c9d5df4163224525ce940e91a8</id>
<content type='text'>
The pki CLI's --pkcs12 option has been renamed to --pkcs12-file
for consistency with pki-server CLI options.

https://fedorahosted.org/pki/ticket/1742
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The pki CLI's --pkcs12 option has been renamed to --pkcs12-file
for consistency with pki-server CLI options.

https://fedorahosted.org/pki/ticket/1742
</pre>
</div>
</content>
</entry>
<entry>
<title>Handle import and export of external certs</title>
<updated>2016-04-02T05:36:42+00:00</updated>
<author>
<name>Ade Lee</name>
<email>alee@redhat.com</email>
</author>
<published>2016-02-27T07:32:14+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/edewata/public_git/pki.git/commit/?id=574eb27a2db7be57e7e887f3a790cb6370044e5f'/>
<id>574eb27a2db7be57e7e887f3a790cb6370044e5f</id>
<content type='text'>
Ticket 1742 has a case where a third party CA certificate has
been added by IPA to the dogtag certdb for the proxy cert.
There is no way to ensure that this certificate is imported
when the system is cloned.

This patch will allow the user to import third party certificates
into a dogtag instance through CLI commands (pki-server).
The certs are tracked by a new instance level configuration file
external_certs.conf.

Then, when cloning:

1.  When the pk12 file is created by the pki-server ca-clone-prepare
    command, the external certs are automatically included.
2.  When creating the clone, the new pki_server_pk12_path and
    password must be provided.  Also, a copy of the
    external_certs.conf file must be provided.
3.  This copy will be read and merged with the existing
    external_certs.conf if one exists.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Ticket 1742 has a case where a third party CA certificate has
been added by IPA to the dogtag certdb for the proxy cert.
There is no way to ensure that this certificate is imported
when the system is cloned.

This patch will allow the user to import third party certificates
into a dogtag instance through CLI commands (pki-server).
The certs are tracked by a new instance level configuration file
external_certs.conf.

Then, when cloning:

1.  When the pk12 file is created by the pki-server ca-clone-prepare
    command, the external certs are automatically included.
2.  When creating the clone, the new pki_server_pk12_path and
    password must be provided.  Also, a copy of the
    external_certs.conf file must be provided.
3.  This copy will be read and merged with the existing
    external_certs.conf if one exists.
</pre>
</div>
</content>
</entry>
<entry>
<title>Added workaround for JSS limitation in pki pkcs12-import.</title>
<updated>2016-04-02T05:06:17+00:00</updated>
<author>
<name>Endi S. Dewata</name>
<email>edewata@redhat.com</email>
</author>
<published>2016-02-25T20:31:24+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/edewata/public_git/pki.git/commit/?id=489fb993aeadf6f21f6a4a9655c2af2dc13eebcf'/>
<id>489fb993aeadf6f21f6a4a9655c2af2dc13eebcf</id>
<content type='text'>
Currently JSS is unable to import CA certificates while preserving
their nicknames. As a workaround, the pki pkcs12-import has been
modified such that it exports individual CA certificates from PKCS
The remaining user certificates will continue to be imported using
JSS.

A new pki pkcs12-cert-export command has been added to export
individual certificates from PKCS #12 file into PEM files.

The pki pkcs12-import has been modified to take a list of nicknames
of the certificates to be imported into NSS database.

https://fedorahosted.org/pki/ticket/1742
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Currently JSS is unable to import CA certificates while preserving
their nicknames. As a workaround, the pki pkcs12-import has been
modified such that it exports individual CA certificates from PKCS
The remaining user certificates will continue to be imported using
JSS.

A new pki pkcs12-cert-export command has been added to export
individual certificates from PKCS #12 file into PEM files.

The pki pkcs12-import has been modified to take a list of nicknames
of the certificates to be imported into NSS database.

https://fedorahosted.org/pki/ticket/1742
</pre>
</div>
</content>
</entry>
<entry>
<title>Py3 modernization: libmodernize.fixes.fix_import</title>
<updated>2016-04-02T05:05:46+00:00</updated>
<author>
<name>Christian Heimes</name>
<email>cheimes@redhat.com</email>
</author>
<published>2015-08-16T17:00:00+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/edewata/public_git/pki.git/commit/?id=8627174e5bcc03616ba2185503fc6b6a6cf87527'/>
<id>8627174e5bcc03616ba2185503fc6b6a6cf87527</id>
<content type='text'>
Enforce absolute imports or explicit relative imports. Python 3 no
longer supports implicit relative imports, that is unqualified imports
from a module's directory. In order to load a module from the same
directory inside a package, use

    from . import module

The future feature 'from __future__ import absolute_import' ensures that
pki uses absolute imports on Python 2, too.

See https://www.python.org/dev/peps/pep-0328/
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Enforce absolute imports or explicit relative imports. Python 3 no
longer supports implicit relative imports, that is unqualified imports
from a module's directory. In order to load a module from the same
directory inside a package, use

    from . import module

The future feature 'from __future__ import absolute_import' ensures that
pki uses absolute imports on Python 2, too.

See https://www.python.org/dev/peps/pep-0328/
</pre>
</div>
</content>
</entry>
<entry>
<title>Added Python wrapper for pki pkcs12-import.</title>
<updated>2016-04-02T04:51:18+00:00</updated>
<author>
<name>Endi S. Dewata</name>
<email>edewata@redhat.com</email>
</author>
<published>2016-02-24T21:22:10+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/edewata/public_git/pki.git/commit/?id=bd99e5bb6a0d286b2e83115a85cdcc95a52b654d'/>
<id>bd99e5bb6a0d286b2e83115a85cdcc95a52b654d</id>
<content type='text'>
A Python wrapper module has been added for the pki pkcs12-import
command to provide a mechanism to implement a workaround for JSS
import limitation.

Additional fixes by cheimes have been merged into this patch:

setup.py:
We must track all sub-packages manually.

pylint-build-scan.py:
pylint confuses the 'pki' package with the 'pki' command. The
workaround symlinks the command and analyzes the command under its
alternative name.

https://fedorahosted.org/pki/ticket/1742
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
A Python wrapper module has been added for the pki pkcs12-import
command to provide a mechanism to implement a workaround for JSS
import limitation.

Additional fixes by cheimes have been merged into this patch:

setup.py:
We must track all sub-packages manually.

pylint-build-scan.py:
pylint confuses the 'pki' package with the 'pki' command. The
workaround symlinks the command and analyzes the command under its
alternative name.

https://fedorahosted.org/pki/ticket/1742
</pre>
</div>
</content>
</entry>
<entry>
<title>Added mechanism to import system certs via PKCS #12 file.</title>
<updated>2016-04-02T04:22:41+00:00</updated>
<author>
<name>Endi S. Dewata</name>
<email>edewata@redhat.com</email>
</author>
<published>2016-02-19T07:42:30+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/edewata/public_git/pki.git/commit/?id=58406095925cd3d26ab8eab0c7c7e99cdddf21ea'/>
<id>58406095925cd3d26ab8eab0c7c7e99cdddf21ea</id>
<content type='text'>
The installation tool has been modified to provide an optional
pki_server_pkcs12_path property to specify a PKCS #12 file
containing certificate chain, system certificates, and third-party
certificates needed by the subsystem being installed.

If the pki_server_pkcs12_path is specified the installation tool
will no longer download the certificate chain from the security
domain directly, and it will no longer import the PKCS #12
containing the entire master NSS database specified in
pki_clone_pkcs12_path.

For backward compatibility, if the pki_server_pkcs12_path is not
specified the installation tool will use the old mechanism to
import the system certificates.

The ConfigurationUtils.verifySystemCertificates() has been modified
not to catch the exception to help troubleshooting.

https://fedorahosted.org/pki/ticket/1742
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The installation tool has been modified to provide an optional
pki_server_pkcs12_path property to specify a PKCS #12 file
containing certificate chain, system certificates, and third-party
certificates needed by the subsystem being installed.

If the pki_server_pkcs12_path is specified the installation tool
will no longer download the certificate chain from the security
domain directly, and it will no longer import the PKCS #12
containing the entire master NSS database specified in
pki_clone_pkcs12_path.

For backward compatibility, if the pki_server_pkcs12_path is not
specified the installation tool will use the old mechanism to
import the system certificates.

The ConfigurationUtils.verifySystemCertificates() has been modified
not to catch the exception to help troubleshooting.

https://fedorahosted.org/pki/ticket/1742
</pre>
</div>
</content>
</entry>
<entry>
<title>Added pki-server commands to export system certificates.</title>
<updated>2016-04-02T04:10:24+00:00</updated>
<author>
<name>Endi S. Dewata</name>
<email>edewata@redhat.com</email>
</author>
<published>2016-02-19T14:09:49+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/edewata/public_git/pki.git/commit/?id=9667921a5a2489a3fccc6f4f7f7af88f60eadbd2'/>
<id>9667921a5a2489a3fccc6f4f7f7af88f60eadbd2</id>
<content type='text'>
Some pki-server commands have been added to simplify exporting
the required certificates for subsystem installations. These
commands will invoke the pki pkcs12 utility to export the
certificates from the instance NSS database.

The pki-server ca-cert-chain-export command will export the
certificate chain needed for installing additional
subsystems running on a separate instance.

The pki-server &lt;subsystem&gt;-clone-prepare commands will export
the certificates required for cloning a subsystem.

https://fedorahosted.org/pki/ticket/1742
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Some pki-server commands have been added to simplify exporting
the required certificates for subsystem installations. These
commands will invoke the pki pkcs12 utility to export the
certificates from the instance NSS database.

The pki-server ca-cert-chain-export command will export the
certificate chain needed for installing additional
subsystems running on a separate instance.

The pki-server &lt;subsystem&gt;-clone-prepare commands will export
the certificates required for cloning a subsystem.

https://fedorahosted.org/pki/ticket/1742
</pre>
</div>
</content>
</entry>
<entry>
<title>Refactored PKCS12Export.</title>
<updated>2016-04-01T23:02:26+00:00</updated>
<author>
<name>Endi S. Dewata</name>
<email>edewata@redhat.com</email>
</author>
<published>2016-02-09T17:41:40+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/edewata/public_git/pki.git/commit/?id=78b9c16cbf4db6fe07d7fcc051e3d6ee656ac10a'/>
<id>78b9c16cbf4db6fe07d7fcc051e3d6ee656ac10a</id>
<content type='text'>
The code to export NSS database into PKCS #12 file in PKCS12Export
tool has been refactored into PKCS12Util class to simplify further
enhancements.

The PKCS12Export tool has also been modified to use Java Logging
API. A default logging configuration file has been added. The
command-line wrapper has been modified to get the path to the
logging configuration file from pki.conf.

https://fedorahosted.org/pki/ticket/1742
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The code to export NSS database into PKCS #12 file in PKCS12Export
tool has been refactored into PKCS12Util class to simplify further
enhancements.

The PKCS12Export tool has also been modified to use Java Logging
API. A default logging configuration file has been added. The
command-line wrapper has been modified to get the path to the
logging configuration file from pki.conf.

https://fedorahosted.org/pki/ticket/1742
</pre>
</div>
</content>
</entry>
</feed>
