summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
...
| * Cleaned up CryptoUtil.setClientCiphers(String).Endi S. Dewata2017-03-181-24/+17
| | | | | | | | | | The CryptoUtil.setClientCiphers(String) has been reformatted to simplify future refactoring.
| * pagure#2605 (add one missing method) CMC feature: id-cmc-identityProofV2 per ↵Christina Fu2017-03-171-0/+5
| | | | | | | | rfc5272 (part 1)
| * pagure#2605 CMC feature: id-cmc-identityProofV2 per rfc5272 (part 1)Christina Fu2017-03-173-1/+220
| | | | | | | | | | | | This patch provides methods that can be shared between the CA and the ISharedToken plugins: 1. the convenience routines for quick encryption, decryption, hashing methods that take default algorithms. 2. The establishment of Issuance Protection Certificate
| * Moved default SSL configuration out of PKIConnection.Endi S. Dewata2017-03-172-6/+5
| | | | | | | | | | | | | | To prevent conflicts, the code that configures the default SSL version ranges and ciphers for all SSL sockets created afterwards has been moved out of PKIConnection into the main program (i.e. PKI CLI).
| * Default NSS database for PKI CLI.Endi S. Dewata2017-03-171-4/+24
| | | | | | | | | | | | The PKI CLI has been modified to create a default NSS database without a password if there is no existing database at the expected location.
| * Added missing Eclipse dependency.Endi S. Dewata2017-03-171-0/+1
| | | | | | | | | | The Eclipse .classpath file has been modified to include tomcat-coyote.jar to avoid build problem.
| * Cleaned up CryptoUtil.setClientCiphers().Endi S. Dewata2017-03-171-19/+23
| | | | | | | | | | The CryptoUtil.setClientCiphers() has been reformatted to simplify future refactoring.
| * Removed duplicate code to configure SSL version ranges.Endi S. Dewata2017-03-174-75/+75
| | | | | | | | | | The duplicate code for configuring default SSL version ranges has been merged into reusable methods in CryptoUtil.
| * Merge pull request #1 from amolkahat/pki_manEndi S. Dewata2017-03-161-1/+7
| |\ | | | | | | Added -t and --token information in pki man page.
| | * Added -t and --token information in pki man page.Amol Kahat2017-03-081-1/+7
| | |
| * | Exporting environment variables for PKI client.Endi S. Dewata2017-03-162-21/+13
| | | | | | | | | | | | | | | The default pki.conf has been modified to export the environment variables such that they can be used by PKI client.
| * | Add config options to allow storage wrappings to be setAde Lee2017-03-164-11/+70
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Wrapping params can now be specified in CS.cfg as per design. The default will be AES. If the parameters are not set, then the old mechanism (DES) will be used instead. A migration script will be created in a separate commit. Change-Id: I01a74b99c4ed127d66e5b766357af59a1147839d
| * | Update ACLInterceptor to support external principalsFraser Tweedale2017-03-161-12/+29
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | For external principal support, ACLInterceptor must handle GenericPrincipal instances in addition to PKIPrincipal. Specifically, if the principal is a GenericPrincipal, the auth token is set to an ExternalAuthToken, and the authz manager is looked up by the realm of the principal (it is assumed that the principal name has the form "id@realm"). Part of: https://pagure.io/dogtagpki/issue/1359
| * | Update SessionContextInterceptor to handle external principalsFraser Tweedale2017-03-161-9/+10
| | | | | | | | | | | | Part of: https://pagure.io/dogtagpki/issue/1359
| * | Update AuthMethodInterceptor to handle external principalsFraser Tweedale2017-03-161-11/+16
| | | | | | | | | | | | | | | | | | | | | Update AuthMethodInterceptor to handle externally authenticated principals. For now, access is unconditionally granted. Part of: https://pagure.io/dogtagpki/issue/1359
| * | Add IAuthToken implementation for external principalsFraser Tweedale2017-03-161-0/+154
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Many parts of Dogtag expect an IAuthToken, which represents the authenticated user. The sole implementation, AuthToken, uses some concepts that do not carry across to externally authenticated principals, e.g. an external principal does not have an associated IAuthManager that was used to authenticate the principal. Therefore something different is needed. Implement ExternalAuthToken which wraps a GenericPrincipal and provides access to the data therein. Part of: https://pagure.io/dogtagpki/issue/1359
| * | Add groups and request attributes to external principalsFraser Tweedale2017-03-164-0/+133
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Add the ExternalAuthenticationValve valve, which, if an externally authenticated principal is available, reads the REMOTE_USER_GROUP information from the Coyote request and adds the groups ("roles" in Tomcat terminology) to the principal. It also saves a complete copy of the request attribute map in the princpial. The new class ExternalPrincipal is used to achieve this. Part of: https://pagure.io/dogtagpki/issue/1359
| * | CertProcessor: extract method setAuthTokenIntoRequestFraser Tweedale2017-03-161-34/+34
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The "set auth token into request" logic is extensive and warrants extraction. It also has a separate concern mixed in with it: the self-assignment of the request if the authenticated user is a "Registration Manager Agent". Separate these concerns and extract the setAuthTokenIntoRequest method. Part of: https://pagure.io/dogtagpki/issue/1359
| * | Define AgentCertAuthentication token keys in IAuthTokenFraser Tweedale2017-03-162-12/+8
| | | | | | | | | | | | | | | | | | | | | | | | | | | Small refactor to define the auth token keys set by AgentCertAuthentication in IAuthToken, so that consumers do not need to import AgentCertAuthentication directly, or redefine the constants. Part of: https://pagure.io/dogtagpki/issue/1359
| * | Synced local source spec files with their upstream Koji counterparts.Matthew Harmsen2017-03-153-6/+22
| | |
* | | Merge "Add config options to allow storage wrappings to be set"Ade Lee2017-03-164-11/+70
|\ \ \ | |/ / |/| |
| * | Add config options to allow storage wrappings to be setAde Lee2017-03-154-11/+70
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Wrapping params can now be specified in CS.cfg as per design. The default will be AES. If the parameters are not set, then the old mechanism (DES) will be used instead. A migration script will be created in a separate commit. Change-Id: I01a74b99c4ed127d66e5b766357af59a1147839d
* | | Merge branch 'master' of github.com:dogtagpki/pkiAde Lee2017-03-1563-1506/+5149
|\ \ \
| * | | Added cascading configuration for PKI CLI.Endi S. Dewata2017-03-154-228/+256
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The PKI CLI has been modified to support cascading configuration files: default, system-wide, and user-specific configuration. The existing Python-based PKI CLI was moved into pki.cli.main module. A new shell script was added as a replacement which will read the configuration files and invoke the Python module.
| * | | Troubleshooting improvement for ClientCertValidateCLI.Endi S. Dewata2017-03-151-3/+6
| | | | | | | | | | | | | | | | | | | | The ClientCertValidateCLI has been modified to display the NSS error code and error message for invalid certificates.
| * | | Added exception chaining for EInvalidCredentials.Endi S. Dewata2017-03-153-8/+12
| | | | | | | | | | | | | | | | | | | | A new constructor has been added into EInvalidCredentials to support exception chaining.
| * | | Fixed typo.Matthew Harmsen2017-03-151-1/+1
| | | |
| * | | Synced changelog with Koji pki-core master.Matthew Harmsen2017-03-151-3/+178
| | | |
| * | | Upgraded remaining 10.3.3 references to 10.4.0.Matthew Harmsen2017-03-153-3/+3
| | | |
| * | | Re-base Dogtag pki packages to 10.4.xMatthew Harmsen2017-03-144-15/+130
| | | | | | | | | | | | | | | | https://pagure.io/dogtagpki/issue/2541
| * | | First cut of scp03 support. Supports the g&d smartcafe out of the box.Jack Magne2017-03-1419-163/+3347
| |/ / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Developer keyset token operations and key change over supported. Caveats. -The diversification step going from master key to card key uses DES3 as required for the token. -After that point, everything is scp03 to the spec with minor excpetions so far. Supports 128 bit AES for now. Will resolve this. Minor config tweaks: TPS Symmetric Key Changeover Use this applet for scp03: RSA/KeyRecovery/GP211/SCP02/SCP03 applet : 1.5.558cdcff.ijc TKS: Symmetric Key Changeover tks.mk_mappings.#02#03=internal:new_master tks.defKeySet.mk_mappings.#02#03=internal:new_master Use the uncommented one because scp03 returns a different key set data string. ToDo: -Support the rest of the AES sizes other than 128. -Support optional RMAC apdu. -Test and adjust the config capability for other tokens. -Support AES master key. Right now the standard key ends up creating AES card and session keys.
| * | Continue to move more crypto into CryptoUtilAde Lee2017-03-149-123/+112
| | | | | | | | | | | | Change-Id: I6024ca5a32769b460d578dfad46598432381784c
| * | Refactor crypto codeAde Lee2017-03-1413-376/+244
| | | | | | | | | | | | | | | | | | Move some of the crypto functions in EncryptionUnit to CryptoUtil. Change-Id: Iee391392fb88a87f6af3b450b69508fd52729a62
| * | Fix wrapping params on the security data recovery serviceAde Lee2017-03-147-47/+117
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | On the security data recovery service, the client can now specify the encryption and wrapping algorithms to be used when wrapping the key, rather than assuming DES. The server will use the specified wrapping algorithm (and key). If the algorithms are not specified, then the old mechanism is assumed. Change-Id: I793c120e99d819403fdf7ca925e26f0f7d50fcc7
| * | Change transport unit to create wrapping parameters based on incoming dataAde Lee2017-03-144-30/+69
| | | | | | | | | | | | | | | | | | | | | | | | The PKIArchiveOptions object contains an OID for the encryption algorithm. Use this to create the correct WrappingParam for the tranport unit instead of defaulting to DES3. Change-Id: Id591fff8b7fc5e4506afbe619621904e4937c44f
| * | Fix incorrect function in generating symmetric keys.Ade Lee2017-03-141-1/+1
| | | | | | | | | | | | | | | | | | This allows generating and storing symmetirc keys using AES. Change-Id: I62c03aeffd127afac626759b0d826c284e01af12
| * | Change internal wrapping to AESAde Lee2017-03-1417-598/+716
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | There are several changes in this patch: 1. Simplify EncryptionUnit by moving the methods called by either the StorageUnit or the TransportUnit into those classes. This helps to determine which methods are called by which class (because in general they require different arguments). It may be possible to later simplify and reduce code repetition by pulling core functionality back into the EncryptionUnit. 2. Add methods to WrappingParameters and KeyRecord to store the Wrapping Parameter values as part of the KeyRecord when the key is stored. On retrieval, this data is read and used to extract the data. If the data is not present, then use the old DES3 parameters. 3. Change the internal (storageUnit) wrapping to use AES-CBC for encryption and AES-KeyWrap for storage by default. If a parameter kra.storageUnit.useOldWrapping=true, then the old wrapping will be used instead. Change-Id: I098b0b3bd3b0ad917483e4e07925adfedacc3562
| * | pki_default.cfg.5: fix ca_signing tag nameFraser Tweedale2017-03-141-1/+1
| | |
| * | pkispawn.8: fix setup-ds.pl command nameFraser Tweedale2017-03-141-1/+1
| | |
| * | Include revocation reason in REST cert dataFraser Tweedale2017-03-142-0/+28
| | | | | | | | | | | | Fixes: https://fedorahosted.org/pki/ticket/2601
| * | Refactor key recovery to centralize crypt functionsAde Lee2017-03-071-43/+49
| | | | | | | | | | | | | | | Refactor key recovery to put al crypto specific operations in a few fucntions, which are parameterized for algorithm types.
| * | Refactor exception handling in the EncryptionUnitAde Lee2017-03-0610-392/+380
| | | | | | | | | | | | | | | Exceptions should be bubbled up and not swallowed at the EncryptionUnit level. This will help in diagnosing issues.
| * | Cleanup exception handlingAde Lee2017-03-061-246/+13
| | | | | | | | | | | | | | | | | | The current exception handling really does nothing other than clutter up the file. Really, we should be passing up the exceptions, rather than catching them at this level. Subsequent patches will fix this.
| * | Parameterize crypto functions, part 3Ade Lee2017-03-066-34/+75
| | | | | | | | | | | | The crypto functions to unwrap the session key have been parameterized.
| * | Parametrize crypto methods part 2Ade Lee2017-03-061-30/+53
| | | | | | | | | | | | Most of the methods to unwrap the payload are parameterized.
| * | Parametrize the encryption functionsAde Lee2017-03-062-15/+125
| | | | | | | | | | | | | | | Theis patch parametrizes some of the encryption functions, for key wrapping and storage.
| * | Refactored EncryptionUnitAde Lee2017-03-066-211/+207
| | | | | | | | | | | | | | | | | | | | | EncryptionUnit is a bit of a mess right now. Refactored so that crypto specific code is in a few functions. These can now be parameterized to allow selection of parameters for wrapping method, algorithm etc.
| * | Remove unused methodAde Lee2017-03-062-18/+4
| | |
| * | Refactored PKIInstance.load().Endi S. Dewata2017-03-012-13/+34
| |/ | | | | | | | | | | The code that loads the password.conf in PKIInstance.load() has been converted into a general purpose load_properties() method. A corresponding store_properties() method has been added as well.
* | Refactor key recovery to centralize crypt functionsAde Lee2017-02-281-43/+49
| | | | | | | | | | Refactor key recovery to put al crypto specific operations in a few fucntions, which are parameterized for algorithm types.
generated by cgit (git 2.34.1) at 2025-09-27 16:56:46 +0000