summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
...
* Added PKCS #12 deployment properties.Endi S. Dewata2016-04-152-5/+8
| | | | | | | | | | New PKCS #12 deployment properties have been added as aliases for some external CA properties to allow them to be used in more general cases: - pki_pkcs12_path -> pki_external_pkcs12_path - pki_pkcs12_password -> pki_external_pkcs12_password https://fedorahosted.org/pki/ticket/1736
* Lightweight CAs: indicate when CA does not yet have keysFraser Tweedale2016-04-1411-18/+79
| | | | | | | | | | When a lightweight CA is created, clones will initialise a local object when the LDAP replication takes place, however, the signing keys will not yet have been replicated. Therefore, indicate CA readiness in authority data and respond appropriately (HTTP 503) when signing operations are attempted. Part of: https://fedorahosted.org/pki/ticket/1625
* Lightweight CAs: set DN based on data from LDAPFraser Tweedale2016-04-141-2/+9
| | | | | | | | | | | | When initialising a lightweight CA, if we do not have the signing cert and key in the NSSDB yet, we do not initialise the DN. This causes NPE in other code that expects getX500Name() to return a value, e.g. REST API to list or show CA. To work around this, when loading lightweight CAs set the DN based on the 'authorityDN' value stored in its LDAP entry. Part of: https://fedorahosted.org/pki/ticket/1625
* Lightweight CAs: monitor database for changesFraser Tweedale2016-04-141-87/+342
| | | | | | | | | | | Implement a thread that performs an LDAP persistent search to keep a running CA's view of lightweight CAs in sync with the database. Signing key replication is not yet supported; this will be implemented in a later patch and will not use the database to propagate keys. Part of: https://fedorahosted.org/pki/ticket/1625
* Lightweight CAs: extract LDAP commit/delete methodsFraser Tweedale2016-04-141-96/+116
| | | | | | | | | LDAP code to add, modify and delete authority entries exists in multiple places. Extract these methods to remove this duplication and provide a cleaner basis for upcoming implementation of replication handling. Part of: https://fedorahosted.org/pki/ticket/1625
* Lightweight CAs: move host authority creation out of load methodFraser Tweedale2016-04-141-17/+25
| | | | | | | | To reduce the amount of code that would be run in the persistent search thread, extract the host authority entry creation out of the 'loadLightweightCAs' method, into 'CertificateAuthority.init'. Part of: https://fedorahosted.org/pki/ticket/1625
* Lightweight CAs: avoid repeat definition of authorities DNFraser Tweedale2016-04-141-12/+11
| | | | Part of: https://fedorahosted.org/pki/ticket/1625
* Lightweight CAs: use static db connection factoryFraser Tweedale2016-04-141-15/+10
| | | | | | | Use a static database connection factory that is initialised by the host authority and used by all CertificateAuthority instances. Part of: https://fedorahosted.org/pki/ticket/1625
* Lightweight CAs: add exceptions for missing signing key or certFraser Tweedale2016-04-144-7/+59
| | | | | | | | | | Add the CAMissingCertException and CAMissingKeyException classes and throw when signing unit initialisation fails due to a missing object. In CertificateAuthority, store the exception if it occurs for possible re-throwing later. Also add the private 'hasKeys' field for internal use. Part of: https://fedorahosted.org/pki/ticket/1625
* Ticket #2271 TMS- clean up key archival request records in ldapChristina Fu2016-04-136-22/+45
| | | | | | | | | This patch does the following: * it adds in the kra request an extra field called "delayLDAPCommit" * when the request comes in to be processed, it sets this field to "false" * by default, if this field does not exist, the updateRequest() method will just write to ldap, just like before; however, if this field exists and it contains "true" then it will delay the write * once the request is processed and all unwanted fields are cleared from the request record, it will set "delayLDAPCommit" to "false", and call updateRequest(), which will then do the actual write to ldap * In addition, I also screened through both KRA and TPS code and removed debug messages that contain those fields.
* Fixed exception handling in CertUtil.Endi S. Dewata2016-04-122-14/+18
| | | | | | | The CertUtil.createLocalCert() has been modified to re-throw the exception instead of ignoring it. https://fedorahosted.org/pki/ticket/1654
* Fixed exception handling in CertificateExtensions.Endi S. Dewata2016-04-128-32/+34
| | | | | | | The CertificateExtensions.parseExtension() and some extension classes have been modified to chain the original exception. https://fedorahosted.org/pki/ticket/1654
* Fixed exception handling in X509CertInfo.Endi S. Dewata2016-04-121-4/+4
| | | | | | | The methods in X509CertInfo have been modified to chain the original exception. https://fedorahosted.org/pki/ticket/1654
* Fixed exception handling in CertificateAuthority.Endi S. Dewata2016-04-1214-117/+137
| | | | | | | | The CertificateAuthority.getCACert() has been modified to re-throw the exception instead of ignoring it. All callers have been modified to bubble up the exception. https://fedorahosted.org/pki/ticket/1654
* Fixed exception handling in CertInfoProfile.Endi S. Dewata2016-04-121-8/+9
| | | | | | | The CertInfoProfile.populate() has been modified to re-throw the exception instead of ignoring it. https://fedorahosted.org/pki/ticket/1654
* Fixed pki pkcs12-import backward compatibility.Endi S. Dewata2016-04-084-12/+43
| | | | | | | | | | | | | For backward compatibility the pki pkcs12-import has been modified to generate default nicknames and trust flags for CA certificates if they are not specified in the PKCS #12 file. The PKCS12Util was also modified to find the certificate corresponding to a key more accurately using the local ID instead of the subject DN. The configuration servlet has been modified to provide better debugging information when updating the security domain. https://fedorahosted.org/pki/ticket/2255
* Updated F24 (second alpha) build of pki-core.Matthew Harmsen2016-04-077-8/+20
|
* Updated file listMatthew Harmsen2016-04-071-1/+1
|
* Removed 'dogtag.pylintrc' and 'pylint-build-scan.py' from 'pki/scripts'Matthew Harmsen2016-04-072-398/+0
| | | | | directory, as they were moved to the top-level directory to promote easier use with patches.
* Restored 'dogtag.pylintrc' and 'pylint-build-scan.py' to top-level directoryMatthew Harmsen2016-04-072-0/+398
| | | | to promote easier use with patches.
* Ticket #1519 token format should delete certs from token recordChristina Fu2016-04-062-0/+13
| | | | This patch removes certs from token record when it is formatted.
* Fixed missing trust flags in certificate backup.Endi S. Dewata2016-04-045-72/+98
| | | | | | | | | | | | | | | | | | | | The ConfigurationUtils.backupKeys() has been modified to use PKCS12Util to export the certificates and their trust flags into a PKCS #12 file such that the file can be used for cloning. The code to generate PFX object has been refactored from the PKCS12Util.storeIntoFile() into a separate generatePFX() method. The PKCS12Util.loadCertFromNSS() has been modified to provide options to load a certificate from NSS database without the key or the certificate chain. The CLIs have been modified to provide the same options. The PKCS12Util.getCertInfo() has modified to ignore missing certificate attributes in the PKCS #12 file and generate a new local ID. https://fedorahosted.org/pki/ticket/2255
* comment typosChristina Fu2016-03-311-9/+9
|
* doc: fix an incorrect method descriptionFraser Tweedale2016-03-311-1/+1
|
* Fixed KRA install problem.Endi S. Dewata2016-03-302-28/+44
| | | | | | | | | | | | | Currently when installing an additional subsystem to an existing instance the install tool always generates a new random password in the pki_pin property which would not work with the existing NSS database. The code has been modified to load the existing NSS database password from the instance if the instance already exists. The PKIInstance class has been modified to allow loading partially created instance to help the installation. https://fedorahosted.org/pki/ticket/2247
* Install tools clean-up.Endi S. Dewata2016-03-305-16/+13
| | | | | | | | | | | | Some variables in pkispawn and pkidestroy have been renamed for clarity. The unused PKI_CERT_DB_PASSWORD_SLOT variable has been removed. The constant pki_self_signed_token property has been moved into default.cfg. https://fedorahosted.org/pki/ticket/2247
* Fixed certificate chain import problem.Endi S. Dewata2016-03-291-11/+13
| | | | | | | | | | | | In the external CA case if the externally-signed CA certificate is included in the certificate chain the CA certificate may get imported with an incorrect nickname. The code has been modified such that the certificate chain is imported after the CA certificate is imported with the proper nickname. https://fedorahosted.org/pki/ticket/2022
* Ticket #1006 Audit logging for TPS REST operationsChristina Fu2016-03-2812-209/+1030
| | | | | | | | | | | | | This patch adds audit logging to TPS REST wrote-specific operations. The read-specific operations are already captured by AuditEvent=AUTHZ_* The affected (new or modified) log messages include: LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_GENERAL_5 LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_PROFILE_6 LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_MAPPING_RESOLVER_6 LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_AUTHENTICATOR_6 LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_CONNECTOR_6 LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_RECORD_6 LOGGING_SIGNED_AUDIT_TOKEN_STATE_CHANGE_8
* Generating TEMP_LOST to UNINITIALIZED/ACTIVE transitions dynamically.Endi S. Dewata2016-03-286-130/+98
| | | | | | | | | | | | | The TPS subsystem has been modified to generate the token state transitions from TEMP_LOST to UNINITIALIZED or ACTIVE dynamically depending on whether the token has certificates. The TEMP_LOST to ACTIVE transition has been removed from the CS.cfg. Duplicate code that loads the allowed transitions list has been merged and moved into TPSSubsystem. https://fedorahosted.org/pki/ticket/1808
* Fixed exception handling in EnrollProfile.Endi S. Dewata2016-03-242-70/+91
| | | | | | | To help troubleshooting the EnrollProfile has been modified to log the stack trace and chain the exception. https://fedorahosted.org/pki/ticket/1654
* Updated F24 (alpha) build of pki-core.Matthew Harmsen2016-03-231-1/+14
|
* Allow multiple ACLs of same name (union of rules)Fraser Tweedale2016-03-222-7/+22
| | | | | | | | | | | Several lightweight CA ACLs share the 'certServer.ca.authorities' name, but when loading ACLs each load overwrites the previous. If multiple resourceACLS values have the same name, instead of replacing the existing ACL with the new one, add the rights and rules to the existing ACL. Part of: https://fedorahosted.org/pki/ticket/1625
* Add CRL dist points extension to OIDMap unconditionallyFraser Tweedale2016-03-222-8/+17
| | | | | | | | | | | | It is possible to encounter a case where the CRLDistributionPointsExtension static initialiser, which adds the class to the OIDMap, has not been invoked. This can cause a ClassCastException, e.g. in CRLDistributionPointsExtDefault. Update OIDMap to add CRLDistributionPointsExtension in its own static initialiser. Fixes: https://fedorahosted.org/pki/ticket/2237
* Remove unused 'toMIME64' methodsFraser Tweedale2016-03-222-24/+0
|
* Remove commented-out codeFraser Tweedale2016-03-222-18/+0
|
* Remove unused class 'RAEnrollProfile'Fraser Tweedale2016-03-221-128/+0
|
* Remove unused variables from profile classesFraser Tweedale2016-03-222-13/+1
| | | | | Also drive-by refactor 'createProfileData' to use 'getProfile', reducing code size.
* Remove unused imports from OCSP authority classesFraser Tweedale2016-03-222-2/+0
| | | | | Commit 04214b3d3405750cbbda228554c0d9f087a59170 left some vestigal imports behind; remove them.
* Removed unnecessary URL encoding for admin cert request.Endi S. Dewata2016-03-212-2/+8
| | | | | | | | | Due to changes in aaacd71a2f125501645885d3da1de18459782572, when pki_import_admin_cert is set to False the installation code performs an unnecessary URL encoding for the admin certificate request. The extra URL encoding has now been removed. https://fedorahosted.org/pki/ticket/1803
* Added support for cloning 3rd-party CA certificates.Endi S. Dewata2016-03-189-128/+270
| | | | | | | | | | | | | | | | | | | | | | | The installation code has been modified such that it imports all CA certificates from the PKCS #12 file for cloning before the server is started using certutil. The user certificates will continue to be imported using the existing JSS code after the server is started. This is necessary since JSS is unable to preserve the CA certificate nicknames. The PKCS12Util has been modified to support multiple certificates with the same nicknames. The pki pkcs12-cert-find has been modified to show certificate ID and another field indicating whether the certificate has a key. The pki pkcs12-cert-export has been modified to accept either certificate nickname or ID. The pki pkcs12-import has been modified to provide options for importing only user certificates or CA certificates. https://fedorahosted.org/pki/ticket/1742
* Additional clean-ups for PKCS #12 utilities.Endi S. Dewata2016-03-188-27/+41
| | | | | | | | | | | | | | | | The pki_server_external_cert_path has been renamed to pki_server_external_certs_path to match the file name. A default pki_server_external_certs_path has been added to default.cfg. The pki pkcs12-export has been modified to export into existing PKCS #12 file by default. The pki-server instance-cert-export has been modified to accept a list of nicknames to export. https://fedorahosted.org/pki/ticket/1742
* Renamed PKCS #12 options for consistency.Endi S. Dewata2016-03-1816-72/+72
| | | | | | | The pki CLI's --pkcs12 options has been renamed to --pkcs12-file for consistency with pki-server CLI options. https://fedorahosted.org/pki/ticket/1742
* Added TPS token filter dialog.Endi S. Dewata2016-03-177-13/+200
| | | | | | | | | | | The TPS UI Tokens page and the pki tps-token-find CLI have been modified to provide an interface to filter tokens based on their attributes. The TokenService.findTokens() has been modified to accept additional search criteria based on token attributes. https://fedorahosted.org/pki/ticket/1482
* Fixed illegal token state transition via TEMP_LOST.Endi S. Dewata2016-03-175-28/+60
| | | | | | | | | | | | | | | | The TokenService.setTokenStatus() has been modified to restore the temporarily lost token back into either uninitialized or active state based on whether the token has certificates. The TPSTokendb.tdbGetCertRecordsByCUID() has been modified to use only tokenID attribute to search for token certificates more accurately. It also has been simplified to return the certificate records collection object directly. Some constructors were added to the TPSException to allow chaining the exception cause. https://fedorahosted.org/pki/ticket/1808
* Replaced confirmation dialog with HTML dialog.Endi S. Dewata2016-03-174-142/+79
| | | | | | | | | The TPS UI has been modified such that it will use an HTML-based dialog instead of the browser's built-in dialog such that the option to "prevent this page from creating additional dialogs" will no longer appear. https://fedorahosted.org/pki/ticket/1685
* Miscellaneous cleanup of spec filesMatthew Harmsen2016-03-074-33/+21
| | | | | - PKI TRAC Ticket #1701 - Removed javadocs from 'meta' package - PKI TRAC Ticket #1099 - Rename DRM nomenclature to KRA nomenclature
* Change 'pki-base' --> 'pki-base-java' for build and runtime dependenciesMatthew Harmsen2016-03-071-2/+2
| | | | PKI TRAC Ticket #1399 - Split pki-base into Java and Python client packages
* Rebase to 10.3.xMatthew Harmsen2016-03-048-13/+46
| | | | - PKI TRAC Ticket #1724 - Rebase pki-core to 10.3.x
* Make PKIInstance and PKISubsystem hashableChristian Heimes2016-03-042-6/+15
| | | | The upgrade uses instance and subsystem as keys for dicts.
* Only build Python 3 packages on Fedora 24+Christian Heimes2016-03-041-1/+1
| | | | | | Fedora 23 doesn't have NSS and LDAP packages for Python 3. RHEL 7.2 doesn't ship Python 3.
generated by cgit (git 2.34.1) at 2024-04-26 06:55:44 +0000