summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* fix bashismsMatthew Harmsen2016-04-2630-45/+45
| | | | | | - PKI TRAC Ticket #2249 - fix bashisms - changes 'source' to '.' - changes 'bash' to 'sh'
* Fixed activity logs for certificate revocations.Endi S. Dewata2016-04-262-38/+25
| | | | | | | | The TPSTokendb.shouldRevoke() has been modified such that it throws an exception instead of returning boolean. The method has also been renamed to checkShouldRevoke(). The revokeCert() and unrevokeCert() have been modified to catch the exception and log the failed operation.
* Added TPSTokendb.revokeCert() and unrevokeCert().Endi S. Dewata2016-04-261-55/+121
| | | | | | The code in TPSTokendb.revokeCertsByCUID() has been split into revokeCert() and unrevokeCert() to allow handling each operation separately.
* Moved TPSTokendb.tdbGetTokenEntry() invocations.Endi S. Dewata2016-04-261-11/+19
| | | | | The TPSTokendb.tdbGetTokenEntry() invocations in shouldRevoke() have been moved into revokeCertsByCUID().
* Added TPSCertRecord.getSerialNumberInBigInteger().Endi S. Dewata2016-04-262-18/+22
| | | | | The code that parses the token certificate serial number has been refactored into a new method in TPSCertRecord.
* Removed unused TPS user fields and group.Endi S. Dewata2016-04-254-15/+1
| | | | | | | | | The unused user status and type fields and the TPS Officers group have been removed from the TPS UI. https://fedorahosted.org/pki/ticket/2264 https://fedorahosted.org/pki/ticket/2265 https://fedorahosted.org/pki/ticket/2266
* Fixed TPS UI navigation.Endi S. Dewata2016-04-251-7/+14
| | | | | | | | The TPS UI home page and the status menu item been temporarily removed. The home links will now redirect to the tokens page. https://fedorahosted.org/pki/ticket/2261 https://fedorahosted.org/pki/ticket/2262
* Fix problem in creating certificate requestsAde Lee2016-04-221-2/+2
| | | | | | | | | | | | | | | Some incorrect code was added to request processing in the realm patches. In the request LDAP modification code, if the realm was not present, we added a modification to remove the realm attribute. Unfortunately, if the realm was not present to begin with, this resulted in LDAP returning a "No Such Attribute (16)" error, causing all kinds of requests - including certificate requests to fail to be submitted. At this point, we do not permit users to change the realm of a request. Therefore, there is no reason to remove the realm. If we ever need to do this in future, we'll have to be smarter about it.
* Replaced TPS OP_DO_TOKEN activity.Endi S. Dewata2016-04-223-11/+14
| | | | | | | | For clarity the TPS operatons that generate OP_DO_TOKEN activity has been modified to generate OP_TOKEN_MODIFY instead, except for the changeTokenStatus() which will generate OP_TOKEN_STATUS_CHANGE. https://fedorahosted.org/pki/ticket/2268
* Realm: allow auth instances to support multiple realmsAde Lee2016-04-205-18/+38
| | | | | | | | | | | | | | | | In practice, most folks will use something like DirAclAuthz to manage their realm. Rather than requiring a new authz plugin for each realm, we allow the authz plugin to support multiple realms (as a comma separated list). For the Acl plugins in particular, we expand the authorize call to allow the caller to pass in the realm as well as the resource and operation. The resource queried would then be constructed on the fly as realm.resource Examples will be provided in the wiki page. Trac Ticket 2041
* Realms - Address comments from reviewAde Lee2016-04-2012-75/+143
| | | | | | | | | | | | Review comments addressed: 1. when archiving or generating keys, realm is checked 2. when no plugin is found for a realm, access is denied. 3. rename mFoo to foo for new variables. 4. add chaining of exceptions 5. remove attributes from KeyArchivalRequest etc. when realm is null 6. Add more detail to denial in BasicGroupAuthz Part of Trac Ticket 2041
* Python client changes for realmAde Lee2016-04-201-19/+40
| | | | Part of Trac Ticket #2041
* Add authz checks for all operationsAde Lee2016-04-205-44/+156
| | | | | | | We add authz realm checks as appropriate for each operation. Part of Trac Ticket #2041
* Make recovery methods more consistentAde Lee2016-04-202-52/+52
| | | | | | | | | | | The async recovery request mechanism was implemented differently from other requests. This makes it difficult to add tings like authorization consisitently. We move the required methods to the KeyRequestDAO to be more consistent. Part of Ticket #2041
* Added realm to methods for listing requests and keysAde Lee2016-04-208-20/+85
| | | | | | | | | | | 1. Added query parameters for the realm. If a realm is specified, then only the key requests and keys associated with the realm are returned. If no realm is specified, then only those requests and keys without a realm are returned. 2. Added parameters to keyClient and the CLI Part of Trac Ticket #2041
* Added realm for archival and key generation through RESTAde Lee2016-04-2011-21/+184
| | | | | | | | This will allow users to specify the realm when generating or archiving a request. No interface change is needed (yet) because the extra parameter is passed through the request. Part of Ticket #2041
* Added new authz methods to check realmAde Lee2016-04-203-1/+244
| | | | | | | | | | | | * Added method to check realm. This method will look for an authz instance for a specified realm and invoke it to determine access. * Added a basic group based authz plugin mostly for testing. This plugin simply checks if the requestor is in the correct group. In practice, customers will probably want something more complex maybe subclassing BasicAclAuthz. Part of Trac Ticket #2041
* Add realm to the key recordAde Lee2016-04-206-9/+44
| | | | Part of Trac Ticket# 2041
* Add realm to the request recordAde Lee2016-04-208-20/+90
| | | | Part of Trac Ticket #2041
* Add realm schema changesAde Lee2016-04-202-2/+15
| | | | | Added realm attribute and index. Added to request and keyRecord. Part of Trac Ticket 2041
* Fixed PKCS #12 export options.Endi S. Dewata2016-04-205-4/+58
| | | | | | | | The CLIs for exporting PKCS #12 file have been modified to accept options to export without trust flags, keys, and/or certificate chain. https://fedorahosted.org/pki/ticket/1736
* Added missing changelog message.Matthew Harmsen2016-04-181-0/+3
|
* Build for Fedora 24 beta.Matthew Harmsen2016-04-183-3/+3
|
* Build for F24 beta.Matthew Harmsen2016-04-184-4/+16
|
* Add new usn entry to other subsystemsAde Lee2016-04-154-0/+4
|
* Add script to enable USN pluginAde Lee2016-04-155-4/+32
| | | | | | | | | | | | | | New authority monitor code requires the USN plugin to be enabled in the database to ensure that the entryUSN attribute is added to authority entries. In the case where this plugin was disabled, accessing this attribute resulted in a null pointer exception whch prevented server startup. The code has been changed so as not to throw a null pointer exception on startup if the entryusn is not present, and also to call an LDIF to enable the plugin when a subsystem is configured through pkispawn.
* Moved self-signed SSL server certificate creation.Endi S. Dewata2016-04-152-41/+55
| | | | | | | | | To avoid possible conflicts imported external certificates, the self-signed SSL server certificate creation has been moved after the external certificates have been imported into the NSS database and before the server is started. https://fedorahosted.org/pki/ticket/1736
* Updated pki pkcs12-export CLI.Endi S. Dewata2016-04-155-18/+46
| | | | | | | | | | | | For consistency the pki pkcs12-export has been modified to overwrite the PKCS #12 output file by default. A new option has been added to append the exported certificates and keys into the output file if the file already exists. The same option has been added to the The pki-server instance-cert-export and subsystem-cert-export commands. https://fedorahosted.org/pki/ticket/1736
* Simplified deployment properties for existing CA case.Endi S. Dewata2016-04-153-13/+45
| | | | | | | | | | | | | | | A new pki_existing deployment property has been added to install CA with existing CA certificate and key in a single step. New certificate deployment properties have been added as aliases for some external CA properties to allow them to be used in more general cases: - pki_ca_signing_csr_path -> pki_external_csr_path - pki_ca_signing_cert_path -> pki_external_ca_cert_path - pki_cert_chain_path -> pki_external_ca_cert_chain_path - pki_cert_chain_nickname -> pki_external_ca_cert_chain_nickname https://fedorahosted.org/pki/ticket/1736
* Added PKCS #12 deployment properties.Endi S. Dewata2016-04-152-5/+8
| | | | | | | | | | New PKCS #12 deployment properties have been added as aliases for some external CA properties to allow them to be used in more general cases: - pki_pkcs12_path -> pki_external_pkcs12_path - pki_pkcs12_password -> pki_external_pkcs12_password https://fedorahosted.org/pki/ticket/1736
* Lightweight CAs: indicate when CA does not yet have keysFraser Tweedale2016-04-1411-18/+79
| | | | | | | | | | When a lightweight CA is created, clones will initialise a local object when the LDAP replication takes place, however, the signing keys will not yet have been replicated. Therefore, indicate CA readiness in authority data and respond appropriately (HTTP 503) when signing operations are attempted. Part of: https://fedorahosted.org/pki/ticket/1625
* Lightweight CAs: set DN based on data from LDAPFraser Tweedale2016-04-141-2/+9
| | | | | | | | | | | | When initialising a lightweight CA, if we do not have the signing cert and key in the NSSDB yet, we do not initialise the DN. This causes NPE in other code that expects getX500Name() to return a value, e.g. REST API to list or show CA. To work around this, when loading lightweight CAs set the DN based on the 'authorityDN' value stored in its LDAP entry. Part of: https://fedorahosted.org/pki/ticket/1625
* Lightweight CAs: monitor database for changesFraser Tweedale2016-04-141-87/+342
| | | | | | | | | | | Implement a thread that performs an LDAP persistent search to keep a running CA's view of lightweight CAs in sync with the database. Signing key replication is not yet supported; this will be implemented in a later patch and will not use the database to propagate keys. Part of: https://fedorahosted.org/pki/ticket/1625
* Lightweight CAs: extract LDAP commit/delete methodsFraser Tweedale2016-04-141-96/+116
| | | | | | | | | LDAP code to add, modify and delete authority entries exists in multiple places. Extract these methods to remove this duplication and provide a cleaner basis for upcoming implementation of replication handling. Part of: https://fedorahosted.org/pki/ticket/1625
* Lightweight CAs: move host authority creation out of load methodFraser Tweedale2016-04-141-17/+25
| | | | | | | | To reduce the amount of code that would be run in the persistent search thread, extract the host authority entry creation out of the 'loadLightweightCAs' method, into 'CertificateAuthority.init'. Part of: https://fedorahosted.org/pki/ticket/1625
* Lightweight CAs: avoid repeat definition of authorities DNFraser Tweedale2016-04-141-12/+11
| | | | Part of: https://fedorahosted.org/pki/ticket/1625
* Lightweight CAs: use static db connection factoryFraser Tweedale2016-04-141-15/+10
| | | | | | | Use a static database connection factory that is initialised by the host authority and used by all CertificateAuthority instances. Part of: https://fedorahosted.org/pki/ticket/1625
* Lightweight CAs: add exceptions for missing signing key or certFraser Tweedale2016-04-144-7/+59
| | | | | | | | | | Add the CAMissingCertException and CAMissingKeyException classes and throw when signing unit initialisation fails due to a missing object. In CertificateAuthority, store the exception if it occurs for possible re-throwing later. Also add the private 'hasKeys' field for internal use. Part of: https://fedorahosted.org/pki/ticket/1625
* Ticket #2271 TMS- clean up key archival request records in ldapChristina Fu2016-04-136-22/+45
| | | | | | | | | This patch does the following: * it adds in the kra request an extra field called "delayLDAPCommit" * when the request comes in to be processed, it sets this field to "false" * by default, if this field does not exist, the updateRequest() method will just write to ldap, just like before; however, if this field exists and it contains "true" then it will delay the write * once the request is processed and all unwanted fields are cleared from the request record, it will set "delayLDAPCommit" to "false", and call updateRequest(), which will then do the actual write to ldap * In addition, I also screened through both KRA and TPS code and removed debug messages that contain those fields.
* Fixed exception handling in CertUtil.Endi S. Dewata2016-04-122-14/+18
| | | | | | | The CertUtil.createLocalCert() has been modified to re-throw the exception instead of ignoring it. https://fedorahosted.org/pki/ticket/1654
* Fixed exception handling in CertificateExtensions.Endi S. Dewata2016-04-128-32/+34
| | | | | | | The CertificateExtensions.parseExtension() and some extension classes have been modified to chain the original exception. https://fedorahosted.org/pki/ticket/1654
* Fixed exception handling in X509CertInfo.Endi S. Dewata2016-04-121-4/+4
| | | | | | | The methods in X509CertInfo have been modified to chain the original exception. https://fedorahosted.org/pki/ticket/1654
* Fixed exception handling in CertificateAuthority.Endi S. Dewata2016-04-1214-117/+137
| | | | | | | | The CertificateAuthority.getCACert() has been modified to re-throw the exception instead of ignoring it. All callers have been modified to bubble up the exception. https://fedorahosted.org/pki/ticket/1654
* Fixed exception handling in CertInfoProfile.Endi S. Dewata2016-04-121-8/+9
| | | | | | | The CertInfoProfile.populate() has been modified to re-throw the exception instead of ignoring it. https://fedorahosted.org/pki/ticket/1654
* Fixed pki pkcs12-import backward compatibility.Endi S. Dewata2016-04-084-12/+43
| | | | | | | | | | | | | For backward compatibility the pki pkcs12-import has been modified to generate default nicknames and trust flags for CA certificates if they are not specified in the PKCS #12 file. The PKCS12Util was also modified to find the certificate corresponding to a key more accurately using the local ID instead of the subject DN. The configuration servlet has been modified to provide better debugging information when updating the security domain. https://fedorahosted.org/pki/ticket/2255
* Updated F24 (second alpha) build of pki-core.Matthew Harmsen2016-04-077-8/+20
|
* Updated file listMatthew Harmsen2016-04-071-1/+1
|
* Removed 'dogtag.pylintrc' and 'pylint-build-scan.py' from 'pki/scripts'Matthew Harmsen2016-04-072-398/+0
| | | | | directory, as they were moved to the top-level directory to promote easier use with patches.
* Restored 'dogtag.pylintrc' and 'pylint-build-scan.py' to top-level directoryMatthew Harmsen2016-04-072-0/+398
| | | | to promote easier use with patches.
* Ticket #1519 token format should delete certs from token recordChristina Fu2016-04-062-0/+13
| | | | This patch removes certs from token record when it is formatted.