| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| | |
|
| | |
|
| |
|
|
|
|
|
|
| |
The REST interface was vulnerable to injection attack. This has
been fixed by escaping the special characters in parameter values
before using them in the search filter.
Ticket #96
|
| | |
|
| |
|
|
|
|
|
|
| |
This patch fixes incorrect implementation of getElement() in
some subclasses of IAttrSet. The method is supposed return the
attribute names as an enumeration of strings.
Ticket #42
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Initial attempt at 'http://pki.fedoraproject.org/wiki/PKI_Instance_Deployment'.
Corrected imports to work with site-packages.
Standardized log messages via encapsulation in a central file.
Updated top-level instance directory.
Streamlined parsing and enhanced logging.
Added "--dry_run" option.
Added umask and default permissions; sanitized use of '+' and '\'.
Aliased 'pkiconfig' as 'config'
Created a single master PKI dictionary from the sectional dictionaries
|
| |
|
|
| |
ca_external variable
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Provide a Realm that provides the following:
1. Allows SSL client certificate authentation upon protected URLs.
For now we are protecting the new DRM Rest functions.
2. Allows simple PKI ACL checking like we have in the current server.
This is accomplished with the help of a simple file that maps URLs
to ACL resourceIDs and operations.
3. DRMRestClient now support SSL Client authentication to test the feature.
How to test this:
Install new KRA server, after installing build pki-core rpm.
Uncomment "PKIJNDIRealm" settings in conf/server.xml
Some customization will be needed for instance specific info. See
the sample in server.xml.
Uncomment the "Security Constraint" and "login-config" settings webapps/kra/WEB-INF/web.xml
In running DRMTest.java in eclipse do the following:
Change the arguments to support SSL Client auth such as:
-h localhost -p 10443 -w secret -d ~/archive-test -s true -c "KRA Administrator of Instance pki-kra's SjcRedhat Domain ID"
where the new flags are -s = true for SSL and -c = <client auth cert name>
Export the KRA's admin/agent client auth cert from Firefox to a pk12 file.
Import this cert into ~/archive-test by using "pk12util" utility.
Run the DRMTest.java program in eclipse and observe the results. There should be a prompt
for a client cert.
|
| |
|
|
|
|
|
|
|
| |
The NameValuePairs class has been modified to extend the Linked-
HashMap which preserves the order of elements as in the original
code. Some methods are renamed to match Java Map interface. The
NameValuePair class is no longer needed and has been removed.
Ticket #78
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The certificate status update and retrieving modifications tasks
have been modified to use the executor service. Unlike daemon
threads, the service will allow existing task to exit gracefully
before shutting down. An abandon operation is used terminate the
persistent search used for retrieving modifications. Some methods
have been moved to CertificateRepository class to simplify
synchronizations.
Ticket #73
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
The JobsScheduler has been modified to stop all jobs on shutdown.
This is done by setting a flag in each job instead of stopping the
job thread abruptly. Long running jobs should check this flag
periodically and then exit gracefully. None of the existing jobs
need to do this since they do not run very long.
Other threads that run background services have been converted into
daemons such that they will terminate automatically when the JVM
exits.
Ticket #73
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The mechanism for getting an ldap connection to the internaldb was incorrect,
both in the Security Domain Session Table and the DatabasePanel. As a result,
connections to the internaldb failed for accessing the security domain session
table and when trying to clone a master which connects to its database using
client auth.
The thread that handles reading the security domain session table is now only
instantiated when running on a configured security domain master.
Additionally, needed acls for the client auth certificate ldap user have been
moved to manager.ldif. This includes acls to allow creation and management of
replication agreements and replication users (now being created under
ou=csusers, cn=config)
Added logs to show when ldif import errors occur. Also made sure to write and
remove master ldap password for use in replication.
Ticket #5
|
| |
|
|
| |
Bugzilla Bug #767800 - Firefox Launcher on Panel being modified for all users.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
'http://pki.fedoraproject.org/wiki/PKI_Instance_Deployment'."
This reverts commit b5219f534cf0b60452346b31a84b9eddd881f614.
This patch was accidently committed to origin as part of a previous push.
Conflicts:
pki/specs/pki-core.spec
|
| |
|
|
|
|
| |
Configuration wizard should provide option to issue ECC credentials for admin during ECC CA configuration.
Bug #784387.
|
| | |
|
| |
|
|
|
|
|
|
| |
The DRM REST interface previously uses strings for key ID and request ID.
It has been modified to use KeyId and RequestId classes which can accept
decimal or hex numbers and internally store it as BigInteger.
Ticket #94
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Corrected imports to work with site-packages.
Standardized log messages via encapsulation in a central file.
Corrected imports to work with site-packages.
Standardized log messages via encapsulation in a central file.
Updated top-level instance directory.
Streamlined parsing and enhanced logging.
Added "--dry_run" option.
Added umask and default permissions; sanitized use of '+' and '\'.
|
| |
|
|
|
|
| |
RSA should be default selection for transport, storage, and audit keys till ECC is fully implemented.
Bug #787806.
|
| |
|
|
|
|
|
|
| |
The KeyDAO and KeyRequestDAO have been changed to remove hard-coded
paths and use annotation reflection to get the paths from the REST
interface definitions.
Ticket #95
|
| |
|
|
|
|
|
| |
The OSUtil is no longer used by the code. It has been removed from
build scripts and tools.
Ticket #90
|
| |
|
|
|
|
|
|
| |
Some subsystems could not be created using a shared port because it
would generate a web.xml with invalid nested comment. The web.xml
templates has been fixed to remove the nested comment.
Ticket #112
|
| |
|
|
|
|
| |
Added platform-dependent patches for SELinux component
Bugzilla Bug #739708 - Selinux fix for ephemeral ports (F16)
Bugzilla Bug #795966 - pki-selinux policy is kind of a mess (F17)
|
| |
|
|
|
|
|
|
|
|
| |
The OS subsystem was previously used to get the PID and to handle
shutdown signals using the OSUtil. It has been removed because the
functionalities can be obtained without using native code. The PID
will now be read from an external PID file created by the wrapper
script. The shutdown signals will now be handled by shutdown hook.
Ticket #90
|
| |
|
|
|
|
|
|
| |
The OSUtil's BtoA() and AtoB() have been replaced by Base64
codec from Apache Commons library. The codec is configured to
use 64-byte line width as defined in RFC 1421.
Ticket #90
|
| |
|
|
|
|
|
|
| |
The OSUtil's BtoA() and AtoB() have been replaced with wrapper
methods in com.netscape.cmsutil.util.Utils to simplify transition
into Base64 codec from Apache Commons library.
Ticket #90
|
| |
|
|
|
|
|
|
|
| |
The Utils classes in com.netscape.cms.publish.publishers
and com.netscape.cms.servlet.common packages have been renamed
to PublisherUtils and ServletUtils to avoid conflicts with
com.netscape.cmsutil.util.Utils.
Ticket #90
|
| |
|
|
|
| |
PKI TRAC Ticket #104 - exclude the java-based junit testing infrastructure
from non-java components in order to build within a 'mock' environment
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When a subsystem is configured, a user is created to facilitate communication
between subsystems. This user is created on the security domain ca, and is
has the subsystem certificate in its user record.
This user will be reused as a user that can talk to the database using the
subsystem certificate for client auth. To do this, this patch does the following:
1. If not the security domain master CA, adds this user to the subsystem, and
adds the subsystem cert.
2. Adds the subsystem cert subject dn to the user's record in the seeAlso attribute
3. Adds acis for this user for the $basedn and for cn=config (for VLV searches)
By default, this user and acls will be added when the system is configured.
To actually use the user and client auth, more config steps are required. They
will be doc'ed in https://fedorahosted.org/pki/ticket/5
|
| | |
|
| |
|
|
| |
(see https://fedorahosted.org/pki/ticket/104)
|
| |
|
|
| |
Addresses java_exec_t issue in BZ 795966
|
| |
|
|
|
|
| |
This patch provides two sample ECC certificate profiles.
Bug: 223358.
|
| | |
|
| |
|
|
|
|
| |
This patch brings down the warnings from 2917 to 2406.
Ticket #103
|
| |
|
|
|
|
| |
This patch provides an option for certificate profiles to allow them to automatically create enrollment pages which are used to generate new signing and encryption certificate requests.
Bug: 703608.
|
| |
|
|
|
|
| |
This patch brings down the warnings from 3427 to 2917.
Ticket #2
|
| |
|
|
|
|
|
| |
Fix whitespace issues - replace tabs
Added readme file for drmclient.py
Add arguments to allow drmclient.py to be configured.
Flatten code in GeneratePKIArchiveOptions
|
| | |
|
| |
|
|
|
|
| |
Changes to make the cmake build of this feature work.
Change to the .classpath to allow the DRMTest.java test client to run under Eclipse,
by adding additional jar paths to allow the client to run.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Ticket #66 and #68.
Add ability to archive and recover symmetric keys and passphrases using rest interface.
Enhanced test client to test out new functionality.
Provided support to return recovered data either wrapped by symmetric key or wrapped in PBE password based encryption blob.
DRM symmetric key support cleanup changes.
Consists of suggested cleanup measures based on review comments.
|
| | |
|
| |
|
|
|
|
|
| |
Added ClientResponse annotation to SystemCertificateResource.
Added Consumes annotation to KeyResource, KeyRequestResource
Added checks for empty search results to test client, as well as stripping header, trailer
from transport cert.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
When sending a passphrase in the recovery request, we need to wrap it
in a session key and store it in sessionWrappedPassphrase. We also
then wrap the session key in transWrappedSessionKey.
The server needs to do PBE if the sessionWrappedPassphrase
is present, and symkey based encryption otherwise.
Also changed the DRM test to reflect these changes, and fixed some errors.
|
| |
|
|
| |
Added new interfaces for each Resource, and renamed old Resource service classes.
|
| |
|
|
|
|
| |
This patch brings down the warnings from 3992 to 3500.
Ticket #2
|
| |
|
|
| |
Contributed by Josh Roys.
|
| | |
|
