summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* Fixes for Coverity Defects of Category : FB.DM_BOOLEAN_CTORAbhishek Koneru2012-05-2423-74/+69
|
* Fixes for Coverity Defects of Category : FB.BC_VACUOUS_INSTANCEOFAbhishek Koneru2012-05-247-30/+19
|
* Added script to link JSS library.Endi Sukma Dewata2012-05-242-1/+56
| | | | | | | | | | The JSS library uses different paths on 32-bit and 64-bit platforms. A script has been added to create a symbolic link such that Eclipse can use the library without changing the classpath file. The script could be extended further to simplify setting up the development environment such as installing the dependencies. Ticket #171
* PKI Deployment ScriptletsMatthew Harmsen2012-05-1821-472/+930
| | | | | | | | | | | | | | | | | * Introduced concept of "admin-domain" originally as a separate folder, and later incorporated this concept into an optional instance prefix * Revised definition of <pki_instance_id> to be identified as "[<pki_admin_domain_name>-]<pki_instance_name> * Changed NSS security database model from one shared database by BOTH a single Tomcat AND single Apache instance into one per Tomcat instance (shared by CA/KRA/OCSP/TKS) and one per Apache instance (shared by RA/TPS) * Altered Configuration 'scriptlet' to invoke Jython for access to new Java configuration servlet * Renamed various "scriptlets" to comply with this new layout * Re-aligned code to account for revised layout documented at http://pki.fedoraproject.org/wiki/PKI_Instance_Deployment
* Fixed missing httpcore.jar.Endi Sukma Dewata2012-05-141-1/+8
| | | | | The base/common/src/CMakeLists.txt has been fixed to include httpcore.jar in the class path.
* Provide CA EE Restful interface and test client.Jack Magne2012-05-0750-349/+4959
| | | | | | | | | | | | | | | | | | Tickets #144 and #145 Providing the following: 1. Simple EE restful interface for certificates, printing, listing and searching. 2. Simple EE restful interface for certificate enrollment requests. 3. Simple EE restful interface for profiles and profile properties. 4. Simple Test client to exercise the functionality. 5. Created restful client base class inherited by CARestClient and DRMRestClient. 6. Provide simple restful implementations of new interfaces added. ToDO: Need some more refactoring to base classes for some of the new classes which are similar to classes in the DRM restful area. ToDO: Actual certificate enrollment code that will be refactored from existing ProfileSubmitServlet. Provide CA EE Restful interface and test client review fixes.
* PKI Deployment ScriptletsMatthew Harmsen2012-05-0726-396/+2159
| | | | | | | | | | | | | | | * Re-aligned code to account for revised layout documented at http://pki.fedoraproject.org/wiki/PKI_Instance_Deployment * Massaged logic to comply with PKI subsystem running within a shared instance * Developed code to take advantage of a single shared NSS security database model * Completed the following two 'scriptlets': * Dogtag 10: Python 'slot_assignment.py' Installation Scriptlet (https://fedorahosted.org/pki/ticket/146) * Dogtag 10: Python 'security_databases.py' Installation Scriptlet (https://fedorahosted.org/pki/ticket/136) * Created several additional PKI deployment helper utilities.
* BZ 819111 - non existent container ou=cmsusers breaks replicationAde Lee2012-05-071-1/+21
| | | | Added code to create container on master if it does not exist.
* JNDI realm enhancement to handle multiple entry ACLs.Jack Magne2012-05-042-4/+11
| | | | | | Currently the realm only returns the last acl result in a multiple entry ACL. Since most of them only have one entry, this is mistly ok. This simple fix allows the code to handle multiple entries correctly. Ticket #123.
* Added dogtag doapAde Lee2012-05-041-0/+97
|
* Bug 744207 - Key archival fails when KRA is configured with lunasaChristina Fu2012-05-021-1/+15
| | | | - The real fix is in JSS alone; This patch only adds better error handling and non-static salt.
* Removed obsolete installation servletsAde Lee2012-05-0225-3351/+39
|
* Refactor installation servlets to use common code in ConfigurationUtilsAde Lee2012-05-0219-5604/+771
| | | | Ticket #156
* Bug 640046 - TPS installation wizard: unsupported module not logged in with ↵Christina Fu2012-05-011-1/+5
| | | | | | | password in password.conf The issue was missing code to log into unsupported token that was not loged in. The patch added the code to allow login to unsupported token.
* RESTful servlet to configure system in a single servlet.Ade Lee2012-05-0123-7/+7417
| | | | | | | | | | | | | Installation code common to the panels and the installation servlet are extracted to a ConfigurationUtils file. The panel code will be cleaned up to use the code in this class in a later commit. Contains restful client and test driver code. The test driver code should be modified and placed in a junit/system test framework. Installation has been tested to work with the following installations: master CA, clone CA, KRA, OCSP, TKS, subordinate CA, CA signed by external CA (parts 1 and 2). Ticket #155
* PKI Deployment ScriptletsMatthew Harmsen2012-04-2623-554/+2639
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * Completed the following six 'scriptlets': * Dogtag 10: Python 'initialization.py' Installation Scriptlet (https://fedorahosted.org/pki/ticket/147) * Dogtag 10: Python 'instance_layout.py' Installation Scriptlet (https://fedorahosted.org/pki/ticket/75) * Dogtag 10: Python 'webserver_layout.py' Installation Scriptlet (https://fedorahosted.org/pki/ticket/140) * Dogtag 10: Python 'subsystem_layout.py' Installation Scriptlet (https://fedorahosted.org/pki/ticket/141) * Dogtag 10: Python 'war_explosion.py' Installation Scriptlet (https://fedorahosted.org/pki/ticket/76) * Dogtag 10: Python 'finalization.py' Installation Scriptlet (https://fedorahosted.org/pki/ticket/148) * Created numerous PKI deployment helper utilities. * Augmented logging to provide indentation. * Generated logic for installation 'manifest'. * Tested logic using '--dry_run' option and '-p' prefix options. * Per initial review, removed numerous "constants" and consolidated logic into "master" dictionary. * Corrected the following ticket: * Dogtag 10: Fix 'build_dogtag_pki' script to account for 'pki-deploy' RPM (https://fedorahosted.org/pki/ticket/138) Resolves Bugzilla Bug #810047 - build_dogtag_pki fails with requirements for pki-deploy (https://bugzilla.redhat.com/show_bug.cgi?id=810047) * Created the following three 'scriptlets' as 'NOT YET IMPLEMENTED' place-holders: * Dogtag 10: Python 'security_databases.py' Installation Scriptlet (https://fedorahosted.org/pki/ticket/136) * Dogtag 10: Python 'slot_assignment.py' Installation Scriptlet (https://fedorahosted.org/pki/ticket/146) * Dogtag 10: Python 'configuration.py' Configuration Scriptlet (https://fedorahosted.org/pki/ticket/137)
* Fix DRMRestClient SSL connection implementation.Jack Magne2012-04-251-44/+74
| | | | | Simple fix to get the DRMRestClient working under SSL again. Ticket #163.
* Replaced key status update thread with executor service.Endi Sukma Dewata2012-04-192-82/+95
| | | | | | | The Thread.stop() is deprecated, so the key status update thread is now implemented with executor service to allow stopping the task gracefully. Ticket #3
* BZ 813075 - added selinux rule for file size accessAde Lee2012-04-162-2/+41
|
* Configured Eclipse to clean up on save.Endi Sukma Dewata2012-04-161-1/+54
| | | | | | | | | | | | | Eclipse has been configured to do the followings on save: - organize imports - remove unused imports - remove unnecessary casts - remove trailing white spaces on all lines These settings can be configured in PKI Project -> Properties -> Java Editor -> Save Actions. Ticket #134
* Removed deprecated resources.Endi Sukma Dewata2012-04-1211-234/+5
| | | | | | | | Some exceptions used deprecated resource class names as the bundle name, they have been replaced with string constants. The deprecated resource classes are no longer used, so they have been removed. Ticket #3
* Removed unused private fields.Endi Sukma Dewata2012-04-12193-624/+134
| | | | | | | Most of unused private fields have been removed because they generate warnings in Eclipse. Some are kept because it might be useful later. Ticket #139
* Removed unnecessary type casts.Endi Sukma Dewata2012-04-09268-1124/+957
| | | | | | Unnecessary type casts have been removed using Eclipse Quick Fix. Ticket #134
* Removed whitespaces from Java code.Endi Sukma Dewata2012-04-091521-11973/+11973
| | | | | | | | Whitespaces in Java code have been removed with the following command: find . -not -path .git -name *.java -exec sed -i 's/[[:blank:]]\+$//' {} \; Ticket #134
* Removed deprecated Signer.Endi Sukma Dewata2012-04-091-10/+6
| | | | | | | The X500Signer has been modified to become an independent class. It's no longer a subclass of the deprecated Signer class. Ticket #3
* Ignored VelocityServlet deprecation warnings.Endi Sukma Dewata2012-04-093-0/+3
| | | | | | | The VelocityServlet is deprecated but the replacement is not available in Fedora, so the warnings are ignored for now. Ticket #133
* Undeprecated IRequest.asIAttrSet().Endi Sukma Dewata2012-04-091-7/+0
| | | | | | | The IRequest.asIAttrSet() is necessary and there is no replacement so it has been undeprecated. Ticket #3
* Replaced deprecated LDAPVirtualListResponse.parseResponse().Endi Sukma Dewata2012-04-091-19/+35
| | | | | | | The VLV control can be obtained directly from the list of response controls by checking its type. Ticket #3
* pki-ui changes for Bug 745278 - [RFE] ECC encryption keys cannot be archivedChristina Fu2012-04-056-17/+30
|
* spec files for Bug 745278 - [RFE] ECC encryption keys cannot be archivedChristina Fu2012-04-053-18/+27
|
* Fix for Bug 745278 - [RFE] ECC encryption keys cannot be archived.Christina Fu2012-04-058-40/+254
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | For the ECC plan and the different phases, please refer to http://pki.fedoraproject.org/wiki/ECC_in_Dogtag Design for each phase is on the same wiki page. Note: the designs beyond phase 2 were more like a brain dump. Although I said "Do Not Review," you are free to take a peak at what's intended down the road. I will go back and take a closer look and refine/adjust the designs when I begin implementation for each new phase. What you need to know: * Problem 1 - nethsm issue: On the server side, if you turn on FIPS mode, in addition to nethsm, you need to attach certicom as well to have ECC SSL working on the server side. This problem has already been reported to Thales last year and they said they'd look into putting the item on their next release. Recently through a different contact, we learned there might be a way to "turn it on" (still waiting for their further instruction) * Problem 2- Certicom issue: This is a show-stopper for deployment. Initially, on the client side, I used Kai's special version of Xulrunner/Firefox, attached to Certicom token, so that the CRMF requests can be generated with key archival option. However, I encountered (or, re-encountered) an issue with certicom token. Certicom generates ECC keys with the wrong format (not PKCS7 conforming), which makes ECC key archival impossible on the server side if you use non-certicom token with DRM (but we expect an HSM in most product deployment). I have contacted Certicom for this issue, and they confirmed that they indeed have such issue. We are hoping they will fix it. But then you might ask, "I thought I saw some ECC enrollment profiles/javascripts being checked in? How were the tests done?" The tests for those profiles were done against this ECC key archival/recovery DRM prototype I implemented last year (needs to be turned on manually in 8.1), where I "cheated" (yeah, that's why it's called a prototype) by decrypting the private key in the CRMF on DRM, and then manipulating the byte array to strip off the offending bytes before archival. In the real, non-prototype implementation, which is what's in this patch, for security reasons, private keys are unwrapped directly onto the token during key archival, so there is no way to manipulate the keys in memory and bypass the Certicom issue. A word about Kai's special version of Xulrunner/Firefox. It is not yet publicly available (due out in Firefox 10.0.4 on RHEL 5.8). * Problem 3- Firefox with nethsm issue: Another option was to connect Kai's special version firefox with an HSM to test my DRM/JSS code. However, for whatever reason, I could not get SSL going between such Firefox and ECC CA ( I did not try very hard though, as I have one other option -- writing my own ECC CRMF generation tool. I might come back to try the nethsm Firefox idea later) My solution (how I work on this official implementation): * I hacked up a ECC CRMF tool by taking the CRMFPopClient (existing in current releases), gutting out the RSA part of the code, and replacing it with ECC code. I call it CRMFPopClientEC. Two types of ECC key pairs could be generated: ECDSA or ECDH (That's another benefit of writing my own tool -- I don't know if you can select which type to generate in the Javascript... maybe you can, I just don't know). I'm in no way condoning archival of signing keys!! This is just a test tool. This tool takes a curve name as option (along with others), generates an ECC key pair, crafts up an CRMF request with key archival option, and sends request directly to the specified CA. You will see a "Deferred" message in the HTML response (see attachment for example) Once CA agent approves the request, the archival request goes to DRM and the user private key is archived. For recovery, DRM agent selects key recovery, etc, and you get your pkcs12. I did some sanity test with the pkcs12 recovered: * Import the recovered pkcs12 into a certicom library: pk12util -d . -h "Certicom FIPS Cert/Key Services" -i userEC.p12 I also tested by retrieving a p12, importing it into a browser, and adding the user as an agent and the user could act as agent via ssl client auth to the CA. Finally, much of the RSA-centric code had been cleared out of the way at the time when I worked on the DRM ECC prototype, so you don't see much of that in this round. How do you test? Well, unless you want to use my CRMFPopClientEC tool hooked up with a nethsm (like I did), or write your own tool, you can't really test it until Certicom fixes their issue. (BTW CRMFPopClientEC can also be changed to work with ceriticom, although you would run into the same issue I mentioned above)
* Replaced deprecated ApacheHttpClientExecutor.Endi Sukma Dewata2012-03-302-16/+6
| | | | | | | The deprecated ApacheHttpClientExecutor class has been replaced with ApacheHttpClient4Executor. Ticket #3
* Added CMSException.Endi Sukma Dewata2012-03-3015-106/+394
| | | | | | | | | | The CMSException was added to simplify error handling in REST services. The exception may include an error message and some other attributes. When the server throws a CMSException (or its subclass), the exception will be marshalled into XML and unmarshalled by the client, then thrown again as a new exception which can be caught by the application. Ticket #100
* Replaced deprecated PK11PubKey.fromRaw().Endi Sukma Dewata2012-03-303-80/+38
| | | | | | | The deprecated fromRaw() method in PK11PubKey has been replaced with fromSPKI(). Ticket #3
* Replaced deprecated RevRequest constructor.Endi Sukma Dewata2012-03-301-9/+8
| | | | | | | The deprecated RevRequest constructor has been replaced with another constructor with null invalidity date. Ticket #3
* Replaced deprecated LDAPConnection.authenticate().Endi Sukma Dewata2012-03-301-23/+6
| | | | | | | The deprecated authenticate() method in LDAPConnection has been replaced with another authenticate() method with different signature. Ticket #3
* Replaced Candlepin with RESTEasy.Endi Sukma Dewata2012-03-298-53/+36
| | | | | | | | | Previously the code depends on the old RESTEasy libraries provided by Candlepin package. Now the Eclipse classpath, build/setup scripts, and the spec file have been updated to use the libraries provided by the new RESTEasy package. Ticket #29
* Replaced deprecated AlgorithmId.getAlgorithmId().Endi Sukma Dewata2012-03-289-143/+122
| | | | | | | The deprecated getAlgorithmId() method in AlgorithmId has been replaced with get(). Ticket #3
* Replaced deprecated JTable.createScrollPaneForTable().Endi Sukma Dewata2012-03-281-1/+1
| | | | | | | The deprecated createScrollPaneForTable() method in JTable() has been replaced with JScrollPane() constructor. Ticket #3
* Replaced deprecated Dialog.show().Endi Sukma Dewata2012-03-282-6/+6
| | | | | | The deprecated show() method in Dialog has been replaced with setVisible(). Ticket #3
* Replaced deprecated JPasswordField.getText().Endi Sukma Dewata2012-03-281-4/+1
| | | | | | | The deprecated getText() method in JPasswordField has been replaced with getPassword(). Ticket #3
* Replaced deprecated DataInputStream.readLine().Endi Sukma Dewata2012-03-283-35/+34
| | | | | | | The deprecated readLine() method in DataInputStream has been replaced by the same method in BufferedReader. Ticket #3
* Replaced deprecated XMLSerializer.Endi Sukma Dewata2012-03-273-16/+20
| | | | | | | | The deprecated XMLSerializer has been replaced with LSSerializer. The new API does not provide a way to control the indentation or line width. Ticket #3
* Added option to build without Javadoc.Endi Sukma Dewata2012-03-266-54/+90
| | | | | | | | | | The build scripts have been modified to provide an option to build without Javadoc to speed up development builds. The option can be used as follows: compose_pki_core_packages --without-javadoc hybrid_rpms Ticket #111
* Removed unnecessary pki folder.Endi Sukma Dewata2012-03-263806-5/+0
| | | | | | | | | Previously the source code was located inside a pki folder. This folder was created during svn migration and is no longer needed. This folder has now been removed and the contents have been moved up one level. Ticket #131
* Added policy deprecationsAde Lee2012-03-2324-38/+83
| | | | | | | | | Many of the policy deprecation warnings come from classes that probably ought to be deprecated as part of the deprecated policy framework as well. Making these as deprecated removes the deprecation warnings - and we can really see where we make sure of deprecated policy code elsewhere. Also removed some URLEncoder, Decoder deprecations
* Removed unused variables (part 2).Endi Sukma Dewata2012-03-23177-738/+338
| | | | | | This patch brings down the warnings from 1943 to 1221. Ticket #103
* Allow clones to specify master and replica ports and security optionsAde Lee2012-03-237-185/+261
| | | | | | | | | Removed -clone_start_tls option and subsumed it into -replicationSecurity. Refactored DatabasePanel parameter verification code to allow it to be used in both update() and validate(). Added new parameters to pkisilent and databasepanel.vm. Also fixed cloning error when master uses localhost.
* Replace URLEncoder.encode with non-deprecated form in pkisilentAde Lee2012-03-2213-3078/+330
| | | | Removed some obsolete files.
* Removed unused SystemIdentity and SystemSigner.Endi Sukma Dewata2012-03-223-173/+0
| | | | | | | | The SystemIdentity and SystemSigner classes have been removed because they are based on deprecated classes and are not used anywhere in the code. Ticket #3