Commit message | Author | Age | Files | Lines

Dogtag's Python code has been compatible with Python 3 for a while. A
new package pki-base-python3 provides the pki package for clients.
As of now pki.server is not packaged for Python 3.
The pki-base package also provides pki-base-python2.
https://fedorahosted.org/pki/ticket/1739

0e35b64c1f751cc8a7a8a0fac25828a8eab24714 introduced an additional and
unwanted directory.

If an OCSP request includes CertIDs for certificates issued by
multiple CAs, return 'unknown' CertStatus for all certificates not
issued by the "signing" CA.

The OCSP digest name lookup is currently defined in IOCSPAuthority
and implemented by OCSPAuthority, but /any/ code that deals with
CertID might need to know the digest, so move the lookup there.
Also refactor the lookup to use a HashMap, and add mappings for SHA2
algorithms.

* The cmake files now copy just *.py into the installation directory.
  This ensures that no stale pyc files or __pycache__ directories are
  copied. rpmbuilder takes care of pyc/pyo compilation on Fedora and
  RHEL.
* The pki-core.spec file uses python2 macros. In case of RHEL, missing
  macros are defined at the top of the file.
* A bug in the python_sitelib macros has been fixed. rpmbuilder doesn't
  like line breaks.

The pki Python modules don't require python-ldap and python-lxml. The
dependencies are only used by the pki.server package.

sphinx 1.1 doesn't have sphinx.version_info. All supported versions have
the sphinx.__version__ string. conf.py now parses the string for version
tests.

The utility for exporting certs and keys to a PKCS12 file
did not handle the signing certificate correctly. This is
because the signing certificate was imported multiple times
during the export process - either with its key (and key id set)
or as part of the cert chain for the other system certs (with
no key set).
Each import would override the previous import - so whether
or not the key_id was set would depend on the order in which
the certificates were imported.
This becomes an issue for import into a clone certdb, because in
the new mechanism, we rely on the cert attributes (i.e. key_id) to
determine if a key is to be imported or not.
We fix this by specifying whether the entry in the export should
be overwritten or not.

server.xml contains metadata read by pkidaemon which includes URLs,
in XML comments. If the hostname contains `--', the parse fails.
Instead of XML comments, put this information in XML Processing
instructions [1], which allows double-hyphens to be used.
[1] https://www.w3.org/TR/REC-xml/#NT-PI
Fixes: https://fedorahosted.org/pki/ticket/1260

This patch makes a low risk attempt to slow down the loop that could be
caused by an unexpected exception caused by the unavailability of a
dependent component (e.g. HSM, LDAP) in the middle of CRL generation/update.
New configuration parameters are:
ca.crl.MasterCRL.unexpectedExceptionWaitTime
- the wait time in minutes; default is 30
- normally you want it to be less than ca.crl.MasterCRL.autoUpdateInterval
  and ca.crl.MasterCRL.cacheUpdateInterval
ca.crl.MasterCRL.unexpectedExceptionLoopMax
- the max number of tries allowed before the slow down mechanism kicks in;
  default is 10
When such an unexpected failure happens, a loop counter is kept and checked
against the unexpectedExceptionLoopMax. If the loop counter exceeds the
unexpectedExceptionLoopMax, then the current time is checked against the
time of the failure, where the time lapse must exceed the
unexpectedExceptionWaitTime to trigger a delay. This delay is the
countermeasure to mitigate the amount of log messages that could flood
the log(s).
The delay is calculated like this:
waitTime = mUnexpectedExceptionWaitTime - (now - timeOfUnexpectedFailure);

Ticket 1742 has a case where a third party CA certificate has
been added by IPA to the dogtag certdb for the proxy cert.
There is no way to ensure that this certificate is imported
when the system is cloned.
This patch will allow the user to import third party certificates
into a dogtag instance through CLI commands (pki-server).
The certs are tracked by a new instance level configuration file
external_certs.conf.
Then, when cloning:
1. When the pk12 file is created by the pki-server ca-clone-prepare
   command, the external certs are automatically included.
2. When creating the clone, the new pki_server_pk12_path and
   password must be provided. Also, a copy of the
   external_certs.conf file must be provided.
3. This copy will be read and merged with the existing
   external_certs.conf if one exists.

Add audit events for lightweight CA administration.
Fixes: https://fedorahosted.org/pki/ticket/1590

sphinx-build used the wrong search path for the pki Python package. This caused
builds to fail on some machines. On systems with pki-base installed,
sphinx-build picked up the wrong files.

Java components of pki-base have been moved to pki-base-java,
significantly reducing the expected footprint of pki-base for
python-only clients.
Ticket 1399

Use html_theme = 'classic' on sphinx 1.3 to silence this warning:
WARNING: 'default' html theme has been renamed to 'classic'. Please
change your html_theme setting either to the new 'alabaster' default
theme, or to 'classic' to keep using the old default.

************* Module pki.cli.pkcs12
E:160,43: Value 'cert_info' doesn't support membership test
(unsupported-membership-test)

Fedora 24 has Python 3.5 instead of Python 3.4. tox.ini now uses python3
to use any Python 3 interpreter.
Python 3.5 has unittest.mock in the stdlib. Tests must attempt to import
mock from unittest first.
Pylint 1.5 has deprecated a couple of old options. Dogtag doesn't use
the options anyway. I just removed them from dogtag.pylintrc.

sphinx-builder just reports errors to stderr but doesn't signal build
failures in its return code. The -W option turns any warning into a
non-null exit code.
Comment out html_static_path. It doesn't exist, is not used but emits a
warning which is then turned into an error.

In Python 3 subclasses no longer implement automatic ordering. To
provide ordering for sort() and custom comparison, __eq__ and __lt__ are
required.
https://fedorahosted.org/pki/ticket/2216

Currently JSS is unable to import CA certificates while preserving
their nicknames. As a workaround, the pki pkcs12-import has been
modified such that it exports individual CA certificates from PKCS
The remaining user certificates will continue to be imported using
JSS.
A new pki pkcs12-cert-export command has been added to export
individual certificates from PKCS #12 file into PEM files.
The pki pkcs12-import has been modified to take a list of nicknames
of the certificates to be imported into NSS database.
https://fedorahosted.org/pki/ticket/1742

A Python wrapper module has been added for the pki pkcs12-import
command to provide a mechanism to implement a workaround for the JSS
import limitation.
Additional fixes by cheimes have been merged into this patch:
setup.py:
  We must track all sub-packages manually.
pylint-build-scan.py:
  pylint confuses the 'pki' package with the 'pki' command. The
  workaround symlinks the command and analyses the command under its
  alternative name.
https://fedorahosted.org/pki/ticket/1742

The installation tool has been modified to provide an optional
pki_server_pkcs12_path property to specify a PKCS #12 file
containing certificate chain, system certificates, and third-party
certificates needed by the subsystem being installed.
If the pki_server_pkcs12_path is specified the installation tool
will no longer download the certificate chain from the security
domain directly, and it will no longer import the PKCS #12
containing the entire master NSS database specified in
pki_clone_pkcs12_path.
For backward compatibility, if the pki_server_pkcs12_path is not
specified the installation tool will use the old mechanism to
import the system certificates.
The ConfigurationUtils.verifySystemCertificates() has been modified
not to catch the exception to help troubleshooting.
https://fedorahosted.org/pki/ticket/1742

Pylint 1.5 complains about additional issues. All issues are false
positives.
https://fedorahosted.org/pki/attachment/ticket/2223

Tomcat 8.0.32 has moved org.apache.tomcat.ContextBind into
tomcat-api.jar. Add tomcat-api.jar to javac classpath to compile pki
with latest Tomcat.
https://fedorahosted.org/pki/attachment/ticket/2222

GCC 6 is more strict than GCC 5 and earlier. It refuses to initialize a
char[] with 'int' initializers because char is signed while the ints are
values from 0 to 255.
RA_Token.cpp:989:7: error: narrowing conversion of '194' from 'int' to
'char' inside { }
https://fedorahosted.org/pki/attachment/ticket/2221

--precheck can be used to run specific tests beforehand to ensure
that the installation parameters are sane, without actually
doing the installation.
There are also optional parameters to disable specific tests.
Trac Ticket #2042

Some pki-server commands have been added to simplify exporting
the required certificates for subsystem installations. These
commands will invoke the pki pkcs12 utility to export the
certificates from the instance NSS database.
The pki-server ca-cert-chain-export command will export
the certificate chain needed for installing additional
subsystems running on a separate instance.
The pki-server <subsystem>-clone-prepare commands will export
the certificates required for cloning a subsystem.
https://fedorahosted.org/pki/ticket/1742

The PKCSUtil has been updated to match the functionality provided
by JSS.
In order to import a certificate properly, the certificate needs
to be exported with its private key and certificate chain, so the
option to export without key or without the certificate chain has
been removed. The option to export only the certificate chain has
also been removed since it can be done by exporting the complete
certificate chain, then removing the leaf certificate while keeping
the chain.
The pki pkcs12-cert-add has been modified to provide an option
to create a new PKCS #12 file to store the certificate.
The pki pkcs12-export has been modified to always overwrite the
existing file to match the behavior of PKCS12Export. It also has
been modified to accept a list of nicknames of certificates to
export.
https://fedorahosted.org/pki/ticket/1742

I forgot to decode the output of subprocess.check_call(). All other
places decode bytes to text properly.

Enrol new CA certs via the profile subsystem to ensure that the
usual audit events are logged and to avoid the nasty ConfigStore
hack used to generate the cert via CertUtil.
This commit also fixes an issue where the new CA certificate does
not have the correct Authority Key Identifier extension.
Fixes: https://fedorahosted.org/pki/ticket/1624
Fixes: https://fedorahosted.org/pki/ticket/1632

Fixes: https://fedorahosted.org/pki/ticket/1628

- PKI TRAC Ticket #2040 - Determine supported javadoc options

A new CLI has been added to remove a key from a PKCS #12 file
based on the key ID.
https://fedorahosted.org/pki/ticket/1742

New CLIs have been added to add a certificate from NSS database and
to remove a certificate from the PKCS #12 file.
https://fedorahosted.org/pki/ticket/1742

The PKCS12Util has been modified such that it stores the certs and
keys in PKCS12 object instead of PFX object. The PKCS12 object can
be loaded either from NSS database or PKCS #12 file. The PKCS12
object can later be stored into NSS database or PKCS #12 file.
The pki pkcs12-cert-find and pkcs12-key-find commands were modified
to require PKCS #12 password.
https://fedorahosted.org/pki/ticket/1742

The PKCS12CertInfo and PKCS12KeyInfo classes have been moved out
of PKCS12Util into separate classes.
The createLocalKeyID() has been modified to return BigInteger
instead of byte array.
https://fedorahosted.org/pki/ticket/1742

We do a check for the dnsdomainname, which fails in Openstack
CI because this is not set. Instead of exiting, default to
the hostname.

A new PKCS #12 attribute has been defined to store NSS certificate
trust flags in PKCS #12 file. The PKCS12Util has been modified to
store the trust flags during export and reset the trust flags in
NSS database during import.
https://fedorahosted.org/pki/ticket/1742

The pki pkcs12-import and pki pkcs12-export commands have been
added to import and export PKCS #12 file into and from NSS
database.
https://fedorahosted.org/pki/ticket/1742

Fixes: https://fedorahosted.org/pki/ticket/1674

This patch implements the TPS operation auditing:
TOKEN_APPLET_UPGRADE_SUCCESS, TOKEN_APPLET_UPGRADE_FAILURE,
TOKEN_CERT_ENROLLMENT, TOKEN_CERT_RENEWAL, TOKEN_CERT_RETRIEVAL,
TOKEN_KEY_RECOVERY, TOKEN_CERT_STATUS_CHANGE_REQUEST, TOKEN_OP_REQUEST,
TOKEN_FORMAT_SUCCESS, TOKEN_FORMAT_FAILURE, TOKEN_KEY_CHANGEOVER,
TOKEN_KEY_CHANGEOVER_FAILURE, TOKEN_PIN_RESET_SUCCESS,
TOKEN_PIN_RESET_FAILURE, TOKEN_STATE_CHANGE, TOKEN_AUTH_SUCCESS,
TOKEN_AUTH_FAILURE
Administrative auditing (via REST interface) will be covered in a separate ticket.

In several places we are casting a `Principal' to `PKIPrincipal',
when `GenericPrincipal' or even no cast will suffice. In upcoming
external authentication support externally authenticated principals
will not be instances of `PKIPrincipal', so weaken assumptions about
the type of the principal where possible.
Part of: https://fedorahosted.org/pki/ticket/1359

PKCS #7 objects are being output with the "CERTIFICATE CHAIN" label
which is invalid (RFC 7468) and unrecognised by many programs
(including OpenSSL). Use the correct "PKCS7" label instead.
Also do a drive-by refactor of the normalizeCertAndReq to remove
some redundant code.
Fixes: https://fedorahosted.org/pki/ticket/1699

Fixes: https://fedorahosted.org/pki/ticket/1723

The REST profile service currently responds 400 on conflicting
operations, indicating that the client sent a bad request when this
is not the case. Respond with 409 Conflict instead.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1257518