| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The ConfigurationUtils.backupKeys() has been modified to use
PKCS12Util to export the certificates and their trust flags into
a PKCS #12 file such that the file can be used for cloning.
The code to generate PFX object has been refactored from the
PKCS12Util.storeIntoFile() into a separate generatePFX() method.
The PKCS12Util.loadCertFromNSS() has been modified to provide
options to load a certificate from NSS database without the key
or the certificate chain. The CLIs have been modified to provide
the same options.
The PKCS12Util.getCertInfo() has modified to ignore missing
certificate attributes in the PKCS #12 file and generate a new
local ID.
https://fedorahosted.org/pki/ticket/2255
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Currently when installing an additional subsystem to an existing
instance the install tool always generates a new random password in
the pki_pin property which would not work with the existing NSS
database. The code has been modified to load the existing NSS
database password from the instance if the instance already exists.
The PKIInstance class has been modified to allow loading partially
created instance to help the installation.
https://fedorahosted.org/pki/ticket/2247
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Some variables in pkispawn and pkidestroy have been renamed for
clarity.
The unused PKI_CERT_DB_PASSWORD_SLOT variable has been removed.
The constant pki_self_signed_token property has been moved into
default.cfg.
https://fedorahosted.org/pki/ticket/2247
|
| |
|
|
|
|
|
|
|
|
|
|
| |
In the external CA case if the externally-signed CA certificate
is included in the certificate chain the CA certificate may get
imported with an incorrect nickname.
The code has been modified such that the certificate chain is
imported after the CA certificate is imported with the proper
nickname.
https://fedorahosted.org/pki/ticket/2022
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds audit logging to TPS REST wrote-specific operations.
The read-specific operations are already captured by AuditEvent=AUTHZ_*
The affected (new or modified) log messages include:
LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_GENERAL_5
LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_PROFILE_6
LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_MAPPING_RESOLVER_6
LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_AUTHENTICATOR_6
LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_CONNECTOR_6
LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_RECORD_6
LOGGING_SIGNED_AUDIT_TOKEN_STATE_CHANGE_8
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The TPS subsystem has been modified to generate the token state
transitions from TEMP_LOST to UNINITIALIZED or ACTIVE dynamically
depending on whether the token has certificates.
The TEMP_LOST to ACTIVE transition has been removed from the CS.cfg.
Duplicate code that loads the allowed transitions list has been
merged and moved into TPSSubsystem.
https://fedorahosted.org/pki/ticket/1808
|
| |
|
|
|
|
|
| |
To help troubleshooting the EnrollProfile has been modified to
log the stack trace and chain the exception.
https://fedorahosted.org/pki/ticket/1654
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
Several lightweight CA ACLs share the 'certServer.ca.authorities'
name, but when loading ACLs each load overwrites the previous.
If multiple resourceACLS values have the same name, instead of
replacing the existing ACL with the new one, add the rights and
rules to the existing ACL.
Part of: https://fedorahosted.org/pki/ticket/1625
|
| |
|
|
|
|
|
|
|
|
|
|
| |
It is possible to encounter a case where the
CRLDistributionPointsExtension static initialiser, which adds the
class to the OIDMap, has not been invoked. This can cause a
ClassCastException, e.g. in CRLDistributionPointsExtDefault.
Update OIDMap to add CRLDistributionPointsExtension in its own
static initialiser.
Fixes: https://fedorahosted.org/pki/ticket/2237
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
| |
Also drive-by refactor 'createProfileData' to use 'getProfile',
reducing code size.
|
| |
|
|
|
| |
Commit 04214b3d3405750cbbda228554c0d9f087a59170 left some vestigal
imports behind; remove them.
|
| |
|
|
|
|
|
|
|
| |
Due to changes in aaacd71a2f125501645885d3da1de18459782572, when
pki_import_admin_cert is set to False the installation code
performs an unnecessary URL encoding for the admin certificate
request. The extra URL encoding has now been removed.
https://fedorahosted.org/pki/ticket/1803
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The installation code has been modified such that it imports all
CA certificates from the PKCS #12 file for cloning before the
server is started using certutil. The user certificates will
continue to be imported using the existing JSS code after the
server is started. This is necessary since JSS is unable to
preserve the CA certificate nicknames.
The PKCS12Util has been modified to support multiple certificates
with the same nicknames.
The pki pkcs12-cert-find has been modified to show certificate ID
and another field indicating whether the certificate has a key.
The pki pkcs12-cert-export has been modified to accept either
certificate nickname or ID.
The pki pkcs12-import has been modified to provide options for
importing only user certificates or CA certificates.
https://fedorahosted.org/pki/ticket/1742
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The pki_server_external_cert_path has been renamed to
pki_server_external_certs_path to match the file name.
A default pki_server_external_certs_path has been added to
default.cfg.
The pki pkcs12-export has been modified to export into existing
PKCS #12 file by default.
The pki-server instance-cert-export has been modified to accept a
list of nicknames to export.
https://fedorahosted.org/pki/ticket/1742
|
| |
|
|
|
|
|
| |
The pki CLI's --pkcs12 options has been renamed to --pkcs12-file
for consistency with pki-server CLI options.
https://fedorahosted.org/pki/ticket/1742
|
| |
|
|
|
|
|
|
|
|
|
| |
The TPS UI Tokens page and the pki tps-token-find CLI have been
modified to provide an interface to filter tokens based on their
attributes.
The TokenService.findTokens() has been modified to accept
additional search criteria based on token attributes.
https://fedorahosted.org/pki/ticket/1482
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The TokenService.setTokenStatus() has been modified to restore
the temporarily lost token back into either uninitialized or
active state based on whether the token has certificates.
The TPSTokendb.tdbGetCertRecordsByCUID() has been modified to use
only tokenID attribute to search for token certificates more
accurately. It also has been simplified to return the certificate
records collection object directly.
Some constructors were added to the TPSException to allow chaining
the exception cause.
https://fedorahosted.org/pki/ticket/1808
|
| |
|
|
|
|
|
|
|
| |
The TPS UI has been modified such that it will use an HTML-based
dialog instead of the browser's built-in dialog such that the
option to "prevent this page from creating additional dialogs"
will no longer appear.
https://fedorahosted.org/pki/ticket/1685
|
| |
|
|
|
| |
- PKI TRAC Ticket #1701 - Removed javadocs from 'meta' package
- PKI TRAC Ticket #1099 - Rename DRM nomenclature to KRA nomenclature
|
| |
|
|
| |
PKI TRAC Ticket #1399 - Split pki-base into Java and Python client packages
|
| |
|
|
| |
- PKI TRAC Ticket #1724 - Rebase pki-core to 10.3.x
|
| |
|
|
| |
The upgrade uses instance and subsystem as keys for dicts.
|
| |
|
|
|
|
| |
Fedora 23 doesn't have NSS and LDAP packages for Python 3.
RHEL 7.2 doesn't ship Python 3.
|
| |
|
|
|
|
|
|
|
|
| |
Dogtag's Python code has been compatible with Python 3 for a while. A
new package pki-base-python3 provides the pki package for clients.
As of now pki.server is not packages for Python 3.
The pki-base package also provides pki-base-python2.
https://fedorahosted.org/pki/ticket/1739
|
| |
|
|
|
| |
0e35b64c1f751cc8a7a8a0fac25828a8eab24714 introduced an additional and
unwanted directory.
|
| |
|
|
|
|
| |
If an OCSP request includes CertIDs for certificates issued by
multiple CAs, return 'unknown' CertStatus for all certificates not
issued by the "signing" CA.
|
| |
|
|
|
|
|
|
|
| |
The OCSP digest name lookup is currently defined in IOCSPAuthority
and implemented by OCSPAuthority, but /any/ code that deals with
CertID might need to know the digest, so move the lookup there.
Also refactor the lookup to use a HashMap, and add mappings for SHA2
algorithms.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
* The cmake files now copy just *.py into the installation directory.
This ensures that no stale pyc files or __pycache__ directories are
copied. rpmbuilder takes care of pyc/pyo compilation on Fedora and
RHEL.
* The pki-core.spec file uses python2 macros. In case of RHEL missing
macros are defined on the top of the file.
* A bug in the python_sitelib macros has been fixed. rpmbuilder doesn't
like lines breaks.
|
| |
|
|
|
| |
The pki Python modules don't require python-ldap and python-lxml. The
dependencies are only used by the pki.server package.
|
| |
|
|
|
|
| |
sphinx 1.1 doesn't have sphinx.version_info. All supported version have
sphinx.__version__ string. conf.py now parses the string for version
tests.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The utility for exporting certs and keys to a PKCS12 file
did not handle the signing certificate correctly. This is
because the signing certificate was imported multiple times
during the export process - either with its key (and key id set)
or as part of the cert chain for the other system certs (with
no key set).
Each import would override the previous import - so whether
or not the key_id was set would depend on the order in which
the certificates were imported.
This becomes an issue for import into a clone certdb, because in
the new mechanism, we rely on the cert attributes (ie. key_id) to
determine if a key is to be imported or not.
We fix this by specifying whether the entry in the export should
be overwritten or not.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
server.xml contains metadata read by pkidaemon which includes URLs,
in XML comments. If the hostname contains `--', the parse fails.
Instead of XML comments, put this information in XML Processing
instructions[1], which allows double-hyphens to be used.
[1] https://www.w3.org/TR/REC-xml/#NT-PI
Fixes: https://fedorahosted.org/pki/ticket/1260
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch makes a low risk attempt to slow down the loop that could be
caused by an unexpected exception caused by the unavailability of a
dependant component (e.g. HSM, LDAP) in the middle of CRL generation/update.
New configuration parameters are:
ca.crl.MasterCRL.unexpectedExceptionWaitTime
- the wait time in minutes; default is 30
- normally you want it to be less than ca.crl.MasterCRL.autoUpdateInterval
and ca.crl.MasterCRL.cacheUpdateInterval
ca.crl.MasterCRL.unexpectedExceptionLoopMax
- the max number of tries allowed before the slow down mechanism kicks in;
default is 10
When such unexpected failure happens, a loop counter is kept and checked
against the unexpectedExceptionLoopMax. If the loop counter exceeds the
unexpectedExceptionLoopMax, then the current time is checked against the
time of the failure, where the time lapse must exceed the
unexpectedExceptionWaitTime to trigger a delay. This delay is the
counter measure to mitigate the amount of log messages that could flood
the log(s).
The delay is calcuated like this:
waitTime = mUnexpectedExceptionWaitTime - (now - timeOfUnexpectedFailure);
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Ticket 1742 has a case where a third party CA certificate has
been added by IPA to the dogtag certdb for the proxy cert.
There is no way to ensure that this certificate is imported
when the system is cloned.
This patch will allow the user to import third party certificates
into a dogtag instance through CLI commands (pki-server).
The certs are tracked by a new instance level configuration file
external_certs.conf.
Then, when cloning:
1. When the pk12 file is created by the pki-server ca-clone-prepare
command, the external certs are automatically included.
2. When creating the clone, the new pki_server_pk12_path and
password must be provided. Also, a copy of the
external_certs.conf file must be provided.
3. This copy will be read and merged with the existing
external_certs.conf if one exists.
|
| |
|
|
|
|
| |
Add audit events for lightweight CA administration.
Fixes: https://fedorahosted.org/pki/ticket/1590
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
| |
sphinx-build used wrong search path for pki Python package. This caused
builds to fail on some machines. On systems with pki-base installed,
sphinx-build picked up the wrong files.
|
| |
|
|
|
|
|
|
| |
Java components of pki-base have been moved to pki-base-java,
significantly reducing the expected footprint of pki-base for
python-only clients.
Ticket 1399
|
| |
|
|
|
|
|
|
| |
Use html_theme = 'classic' on sphinx 1.3 to silence this warning:
WARNING: 'default' html theme has been renamed to 'classic'. Please
change your html_theme setting either to the new 'alabaster' default
theme, or to 'classic' to keep using the old default.
|
| |
|
|
|
|
| |
************* Module pki.cli.pkcs12
E:160,43: Value 'cert_info' doesn't support membership test
(unsupported-membership-test)
|
| |
|
|
|
|
|
|
|
|
|
| |
Fedora 24 has Python 3.5 instead of Python 3.4. tox.ini now uses python3
to use any Python 3 interpreter.
Python 3.5 has unittest.mock in the stdlib. Tests must attempt to import
mock from unittest first.
Pylint 1.5 has deprecated a couple of old options. Dogtag doesn't use
the options anyway. I just removed them from dogtag.pylintrc.
|
