Commit log: commit message (author, date, files changed, lines removed/added)
...
* Provided cleaner runtime dependency separation (Matthew Harmsen, 2016-06-14, 1 file, -0/+21)
* Fixed problem with headerless PKCS #7 data. (Endi S. Dewata, 2016-06-14, 1 file, -0/+7)
  Due to recently added validation code, the headerless PKCS #7 data generated by IPA needs to be joined into a single line before storing it in CS.cfg.
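The normalisation the commit above describes, as an added stand-alone example (not Dogtag's own code): strip any PEM header and footer, join the base64 body into one line, and check that the body actually decodes to a DER SEQUENCE before it is written to CS.cfg. The sample blob and the single-line check are constructed for the example.

```python
"""Normalise PKCS #7 certificate-chain data to a single base64 line.

Added example, not Dogtag code. It shows the normalisation that lets both
PEM (headered) and headerless, line-wrapped PKCS #7 blobs pass a
single-line check before being stored in a CS.cfg-style config file.
"""
import base64
import binascii

PEM_BEGIN = "-----BEGIN PKCS7-----"
PEM_END = "-----END PKCS7-----"


def pkcs7_to_single_line(text):
    """Return the base64 body of a PKCS #7 blob as one line.

    Accepts PEM with BEGIN/END lines, headerless base64 wrapped at any
    width, or a blob that is already one line. Raises ValueError if the
    body is not valid base64 or does not decode to a DER SEQUENCE (every
    PKCS #7 ContentInfo starts with tag byte 0x30).
    """
    lines = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("-----BEGIN ") or line.startswith("-----END "):
            continue
        lines.append(line)
    body = "".join(lines)
    try:
        der = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError) as e:
        raise ValueError("PKCS #7 body is not valid base64: %s" % e)
    if not der or der[0] != 0x30:
        raise ValueError("PKCS #7 body does not decode to a DER SEQUENCE")
    return body


def is_single_line(value):
    """The check a config writer would apply before storing the value."""
    return "\n" not in value and "\r" not in value


def wrap64(body):
    """Re-wrap a base64 body at 64 columns, as PEM tools emit it."""
    return "\n".join(body[i:i + 64] for i in range(0, len(body), 64))


# Constructed sample: not a real certificate chain, just a DER SEQUENCE
# (tag 0x30, length 0x50) of 80 zero bytes, long enough to wrap across lines.
SAMPLE_DER = b"\x30\x50" + b"\x00" * 80
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode("ascii")
HEADERLESS_INPUT = wrap64(SAMPLE_B64) + "\n"
PEM_INPUT = PEM_BEGIN + "\n" + wrap64(SAMPLE_B64) + "\n" + PEM_END + "\n"

if __name__ == "__main__":
    for label, data in (("headerless", HEADERLESS_INPUT), ("pem", PEM_INPUT)):
        one_line = pkcs7_to_single_line(data)
        print(label, is_single_line(data), "->", is_single_line(one_line), len(one_line))
```

Rejecting a body that does not decode to a SEQUENCE is the cheap sanity check; it does not replace parsing the chain with NSS or OpenSSL, it only stops a garbled or empty value from being persisted.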
* Add man page and clarify CLI for kra-connector (Ade Lee, 2016-06-13, 10 files, -62/+255)
* Fixed --help option for instance-show, instance-start, instance-stop, instance-migrate, instance-nuxwdog-enable, instance-nuxwdog-disable. (Amol Kahat, 2016-06-13, 1 file, -41/+42)
  https://bugzilla.redhat.com/show_bug.cgi?id=1339263
* Updated 'tomcatjss' dependencies (Matthew Harmsen, 2016-06-13, 1 file, -6/+7)
* Add man page entry for pki-server instance-cert-export command (Ade Lee, 2016-06-10, 1 file, -0/+10)
  Ticket 2339
* Add man page info for number range parameters (Ade Lee, 2016-06-10, 1 file, -0/+13)
  Ticket 2318
* Fixed TPS VLV sort orders. (Endi S. Dewata, 2016-06-10, 8 files, -61/+87)
  The TPS VLVs for tokens and activities have been modified to sort the results by date in reverse order. The DBRegistry.getLDAPAttributes() was modified to support reverse sort order by recognizing the "-" prefix in the list of sort keys and pass it to LDAP. The DBVirtualList.setSortKey() was modified to ignore bubble up the exceptions that happen during LDAP attribute mapping.
  https://fedorahosted.org/pki/ticket/2263
  https://fedorahosted.org/pki/ticket/2269
* Fixed TPS VLV filters. (Endi S. Dewata, 2016-06-10, 4 files, -5/+5)
  Previously TPS VLVs for tokens and activities were defined using presence filters of some optional attributes. If the optional attribute is missing, the entry will not be included in the search result. The VLVs have now been modified to use object class matching filters to ensure they match all tokens and activities.
  https://fedorahosted.org/pki/ticket/2354
* Updated 'java', 'java-headless', and 'java-devel' dependencies to 1:1.8.0. (Matthew Harmsen, 2016-06-09, 3 files, -0/+17)
  Added temporary build dependency on tomcat (override tomcatjss dependency)
* Updated KRA VLV management CLI. (Endi S. Dewata, 2016-06-08, 1 file, -25/+141)
  A new pki-server kra-db-vlv-find command has been added to list existing KRA VLV indexes. The pki-server kra-db-vlv-reindex has been modified to wait until the reindex is complete.
* Added TPS VLV management CLI. (Endi S. Dewata, 2016-06-08, 3 files, -0/+518)
  A set of pki-server commands has been added to simplify upgrading TPS VLV indexes.
  https://fedorahosted.org/pki/ticket/2354
  https://fedorahosted.org/pki/ticket/2263
  https://fedorahosted.org/pki/ticket/2269
* Removed test cases for authentication plugin UdnPwdDirAuth since this plugin will be removed from dogtag, ticket 1579. (Asha Akkiangady, 2016-06-08, 2 files, -105/+0)
* back-ported changelog messages (Matthew Harmsen, 2016-06-08, 3 files, -0/+9)
* Bumped 'java', 'java-headless', and 'java-devel' to 1:1.8.0. (Matthew Harmsen, 2016-06-08, 3 files, -14/+14)
* Fix name fields in man pages for correct man -k output (Ade Lee, 2016-06-08, 6 files, -6/+6)
  Ticket 1563
* Updated tomcat version dependencies (Matthew Harmsen, 2016-06-07, 1 file, -6/+9)
* Updated version number to 10.3.3-0.1 (Matthew Harmsen, 2016-06-07, 7 files, -11/+23)
* Updated version number to 10.3.2-1 (Matthew Harmsen, 2016-06-07, 4 files, -4/+51)
* Ticket #2335 Missing activity logs when formatting/enrolling unknown token (Christina Fu, 2016-06-06, 4 files, -56/+48)
  This patch adds activity logs for adding an unknown token during format or enrollment or pin reset.
* Modify ExternalProcessKeyRetriever to read JSON (Fraser Tweedale, 2016-06-05, 2 files, -15/+37)
  The ExternalProcessKeyRetriever currently uses a hackish format where the certificate and PKIArchiveOptions data are separated by a null byte. Update the code to expect JSON instead.
  No backwards compatibility is provided because at time of writing the ExternalProcessKeyRetriever is only used in a FreeIPA feature still under development.
  Fixes: https://fedorahosted.org/pki/ticket/2351
* Lightweight CAs: add method to renew certificate (Fraser Tweedale, 2016-06-05, 5 files, -5/+168)
  Add the CertificateAuthority.renewAuthority() method that creates and processes a renewal request for the lightweight CA's signing cert. The new certificate replaces the old certificate in the NSSDB and the serial number is stored in the 'authoritySerial' attribute. Clones observe when the 'authoritySerial' attribute has changed and update the certificate in their NSSDB, too.
  The renewal behaviour is available in the REST API as a POST to /ca/rest/authorities/<id>/renew.
  Fixes: https://fedorahosted.org/pki/ticket/2327
* Lightweight CAs: renew certs with same issuer (Fraser Tweedale, 2016-06-05, 1 file, -0/+7)
  When renewing a certificate, propagate the Authority ID from the original request to the new request, to ensure that the new certificate is issued by the same issuer as the original.
  Part of: https://fedorahosted.org/pki/ticket/2327
* Removed selftest interface from TPS UI. (Endi S. Dewata, 2016-06-04, 1 file, -2/+6)
  The selftest interface has been removed from TPS UI to avoid confusion due to its limited usefulness.
  https://fedorahosted.org/pki/ticket/2344
* Show KeyOwner info when viewing recovery requests. (Jack Magne, 2016-06-03, 1 file, -2/+25)
  This simple fix will grab the subject info out of the cert associated with either pending or complete recovery requests being viewed in the KRA UI. For example:
      KeyOwner: UID=jmagne, O=Token Key User
  will be displayed.
  This simple fix should be good enough for this round, despite the bug asking about agent info and such.
  Ticket: Ticket #1512: Key owner info missing from the Search results of Recovery request
* Fixed truncated token activity message in TPS UI. (Endi S. Dewata, 2016-06-03, 3 files, -4/+7)
  The TPS UI has been modified to display the token activity message in a textarea to avoid truncation. The UI framework class has been modified to handle textarea. The CSS has been modified to align the field label with the top of textarea.
  https://fedorahosted.org/pki/ticket/2299
* Ticket #2352 [TMS] missing netkeyKeyRecovery requests option in KRA agent for "List Request" (Christina Fu, 2016-06-03, 2 files, -3/+6)
  This patch allows the KRA agent to list netkeyKeyRecovery requests.
* Add option to modify ajp_host to pkispawn (Ade Lee, 2016-06-03, 6 files, -2/+10)
  This allows IPA to handle the case of a pure ipv6 environment in which the ipv4 loopback interface is not available.
  Ticket 1717
* Add commands to db-server to help with DB related changes (Ade Lee, 2016-06-03, 3 files, -3/+449)
  Added pki-server kra-db-vlv-add, kra-db-vlv-del, kra-db-vlv-reindex
  Added pki-server db-schema-upgrade
  If the admin has the directory manager (or equivalent) simple creds, then they can enter them as parameters and perform the operations. Otherwise, they can specify --generate-ldif to generate LDIF files containing the changes that need to be implemented, and implement them using GSSAPI or otherwise.
  Tickets 2320, 2319
* Lightweight CAs: remove pki-ipa-retrieve-key script (Fraser Tweedale, 2016-06-03, 3 files, -57/+0)
  For the benefit of code locality and subsequent to the generalisation of IPACustodiaKeyRetriever to ExternalProcessKeyRetriever, the pki-ipa-retrieve-key script is being moved to the FreeIPA codebase.
  Part of: https://fedorahosted.org/pki/ticket/1625
* Lightweight CAs: generalise subprocess-based key retrieval (Fraser Tweedale, 2016-06-03, 2 files, -12/+45)
  The IPACustodiaKeyRetriever doesn't really do anything specific to IPA or Custodia; it merely executes a certain executable with a particular behavioural contract.
  Add support for passing configuration to KeyRetriever instances, and rename IPACustodiaKeyRetriever to ExternalProcessKeyRetriever, updating it to use the "executable" config property instead of a hardcoded filename.
  Part of: https://fedorahosted.org/pki/ticket/1625
* Retry failed key retrieval with backoff (Fraser Tweedale, 2016-06-03, 1 file, -14/+44)
  If lightweight CA key retrieval fails, retry the retrieval after a delay of 10 seconds initially, increasing thereafter.
  Fixes: https://fedorahosted.org/pki/ticket/2293
* Don't update obsolete CertificateAuthority after key retrieval (Fraser Tweedale, 2016-06-03, 1 file, -7/+24)
  If additional LDAP events are processed for a lightweight CA while key retrieval proceeds in another thread, when retrieval is complete, the KeyRetrieverRunner reinitialises the signing unit of a stale object.
  Instead of holding onto a CertificateAuthority, hold onto the AuthorityID and look it up afresh when ready to reinitialise its SigningUnit.
  Part of: https://fedorahosted.org/pki/ticket/2293
* Limit key retrieval to a single thread per CA (Fraser Tweedale, 2016-06-03, 1 file, -6/+22)
  Before implementing lightweight CA key retrieval retry with exponential backoff, ensure that only one key retriever thread can execute at a time, for each CA. Also make SigningUnit initialisation (initSigUnit) synchronised.
  Part of: https://fedorahosted.org/pki/ticket/2293
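The three ticket 2293 commits above (single retriever thread per CA, retry with backoff starting at 10 seconds, and resolving the CA by AuthorityID after retrieval rather than holding a stale object) together form one small concurrency pattern. The following is an added stand-alone model of it, written for this page and not the project's Java KeyRetrieverRunner; the Registry and CAState stand-ins, the 300 second cap, the retrieve() contract and the demo() driver are all constructed here.

```python
"""Per-CA single-threaded key retrieval with retry and backoff.

Added example, not Dogtag code (the project's KeyRetrieverRunner is Java).
One retriever thread per CA at a time, exponential backoff from 10 s, and a
fresh lookup by AuthorityID once the key arrives. sleep() is injectable so
demo() runs without waiting.
"""
import threading

INITIAL_DELAY = 10.0   # seconds, from the commit message
MAX_DELAY = 300.0      # assumption: the page states no ceiling


class CAState:
    """Stand-in for a CertificateAuthority object; replaced on LDAP events."""
    def __init__(self, aid, generation):
        self.aid, self.generation, self.key_material = aid, generation, None


class Registry:
    """Stand-in for the engine's AuthorityID -> CertificateAuthority map."""
    def __init__(self):
        self._cas, self._lock = {}, threading.Lock()

    def put(self, aid, ca):
        with self._lock:
            self._cas[aid] = ca

    def get(self, aid):
        with self._lock:
            return self._cas.get(aid)


class KeyRetrieverRunner:
    def __init__(self, registry, retrieve, sleep):
        self.registry, self.retrieve, self.sleep = registry, retrieve, sleep
        self._in_progress, self._guard = set(), threading.Lock()
        self.delays = {}   # aid -> delays waited on the last run, for inspection

    def start(self, aid):
        """Spawn a retriever for aid; return False if one is already running."""
        with self._guard:
            if aid in self._in_progress:
                return False
            self._in_progress.add(aid)
        t = threading.Thread(target=self._run, args=(aid,))
        t.start()
        return t

    def _run(self, aid):
        delay, self.delays[aid] = INITIAL_DELAY, []
        try:
            while True:
                try:
                    key = self.retrieve(aid)
                    break
                except Exception:
                    self.delays[aid].append(delay)
                    self.sleep(delay)
                    delay = min(delay * 2, MAX_DELAY)
            # Resolve by AuthorityID now: the object that triggered retrieval
            # may have been replaced by a later LDAP event while we retried.
            ca = self.registry.get(aid)
            if ca is not None:
                ca.key_material = key
        finally:
            with self._guard:
                self._in_progress.discard(aid)


def demo():
    """Drive the runner deterministically and return what was observed."""
    registry, first, gate, attempts = Registry(), CAState("ca1", 1), threading.Event(), []
    registry.put("ca1", first)

    def flaky_retrieve(aid):
        gate.wait()                      # hold until demo() has probed the guard
        attempts.append(aid)
        if len(attempts) < 3:            # fail twice, then succeed
            raise RuntimeError("key source unavailable")
        return b"constructed-key-material"

    runner = KeyRetrieverRunner(registry, flaky_retrieve, sleep=lambda s: None)
    thread = runner.start("ca1")
    rejected = runner.start("ca1") is False     # second retriever for ca1 refused
    fresh = CAState("ca1", 2)                    # a later LDAP event replaces the object
    registry.put("ca1", fresh)
    gate.set()
    thread.join()
    delays = list(runner.delays["ca1"])
    again = runner.start("ca1")                  # allowed once the first has finished
    if again is not False:
        again.join()
    return {"second_start_rejected": rejected, "delays": delays,
            "stale_updated": first.key_material is not None,
            "fresh_updated": fresh.key_material == b"constructed-key-material",
            "restart_allowed": again is not False}
```

The guard set is updated under the lock before the thread is spawned, so the "one retriever per CA" property holds even if start() is called twice back to back; the key is attached to whichever object the registry returns at completion time, never to the one captured at start.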
* Include serial of revoked cert in CertRequestInfo (Fraser Tweedale, 2016-06-03, 1 file, -0/+8)
  When manufacturing a CertRequestInfo, CertRequestInfoFactory includes the serial number of issued certs, but does not show serial numbers of revoked certs for completed revocation requests. Include the serial number for this case.
  Fixes: https://fedorahosted.org/pki/ticket/1073
* Return 410 Gone if target CA of request has been deleted (Fraser Tweedale, 2016-06-03, 1 file, -0/+7)
  When processing a request whose target CA has been deleted in between request submission and request approval, the server does not handle the CANotFoundException, resulting in response status 500. Catch the CANotFoundException and respond with status 410 Gone.
  Fixes: https://fedorahosted.org/pki/ticket/2332
* Lightweight CAs: remove NSSDB material when processing deletion (Fraser Tweedale, 2016-06-03, 1 file, -1/+17)
  When processing a CA deletion that occurred on another clone, remove the CA's certificate and key from the local NSSDB.
  Fixes: https://fedorahosted.org/pki/ticket/2328
* Lightweight CAs: remove redundant deletePrivateKey invocation (Fraser Tweedale, 2016-06-03, 1 file, -14/+5)
  When deleting lightweight CAs, the call to CryptoStore.deletePrivateKey() throws an exception because the preceding call to CryptoStore.deleteCert() also deletes the key. Remove the redundant call and add some commentary.
  Fixes: https://fedorahosted.org/pki/ticket/1640
* Ticket #2271 Part2:TMS:removing/reducing debug log printout of data (Christina Fu, 2016-06-02, 20 files, -135/+233)
  This patch comments out unneeded data in TMS debug logs (TPS&TKS); it reduces the size of the debug logs by a lot. Note that for ease of later development debugging, the debug lines are commented out instead of being removed.
* Added TPS token state transition validation. (Endi S. Dewata, 2016-06-03, 6 files, -82/+127)
  The TPSSubsystem has been modified to load and validate the token state transition lists during initialization. If any of the lists is empty or any of the transitions is invalid, the initialization will fail and the subsystem will not start.
  https://fedorahosted.org/pki/ticket/2334
* New VLV indexes for KRA including realm (Ade Lee, 2016-06-02, 1 file, -13/+13)
* Fix legacy servlets to check realm when requesting recovery (Ade Lee, 2016-06-02, 4 files, -19/+51)
* Change legacy requests servlet to check realm (Ade Lee, 2016-06-02, 1 file, -0/+26)
  The legacy KRA servlet has been modified to check the realm if present in the request, or only return non-realm requests if not present.
  No attempt is made to fix the error reporting of the servlet. As such, an authz failure due to the realm check is handled in the same way that other authz failures are handled.
* Fix old KRA servlets to check realm (Ade Lee, 2016-06-02, 4 files, -14/+96)
  The old KRA servlets to list and display keys do not go through the same code paths as the REST API. Therefore, they do not check the authz realm. This patch adds the relevant code.
  No attempt is made to fix the error handling of the old servlets. The long-term solution for this is to deprecate the old servlets and make the UI use the REST API instead. Therefore, authz failures due to realm checks are handled in the same way as other authz changes.
* Fix unknown TKS host and port connector error during TPS removal (Matthew Harmsen, 2016-06-02, 1 file, -10/+3)
  - PKI TRAC #1677 - Pkidestroy of a TPS instance installed in a shared tomcat throws error.
* Fixed invalid TPS VLV indexes. (Endi S. Dewata, 2016-06-02, 1 file, -6/+4)
  The TPS VLV indexes have been fixed to use the correct vlvScope (i.e. one level). The unsupported minus sign in vlvSort and the redundant vlvEnabled have been removed.
  https://fedorahosted.org/pki/ticket/2342
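The VLV commits on this page pull in two directions that are easy to conflate: the vlvSort attribute of a 389 DS vlvIndex entry takes plain attribute names only (this commit removes a minus sign from it), while the "-" prefix on a sort key is recognised by the server's DBRegistry code and turned into a reverse server-side sort at search time ("Fixed TPS VLV sort orders" above). The filter and scope rules ("Fixed TPS VLV filters" above) apply to the vlvSearch entry. The following added example, written for this page and not the project's own LDIF or Java, encodes those constraints as a small LDIF generator of the kind a --generate-ldif workflow would use; the backend DN, container DNs, object class names and VLV names are constructed.

```python
"""Build 389 DS VLV index entries and parse reverse-order sort keys.

Added example, not Dogtag code. Encodes: vlvScope one-level, objectClass
matching filters, no '-' in vlvSort, and a '-' prefix on a search-time
sort key meaning reverse order for the LDAP server-side sort control.
Container DNs, object class names and the backend DN are constructed.
"""

VLV_SCOPE_BASE, VLV_SCOPE_ONELEVEL, VLV_SCOPE_SUBTREE = 0, 1, 2
BACKEND_DN = "cn=userRoot,cn=ldbm database,cn=plugins,cn=config"


def parse_sort_keys(keys):
    """'-attr' sorts descending, 'attr' ascending.

    Returns [(attribute, reverse), ...] for an RFC 2891 server-side sort
    control: the search-time counterpart of the '-' prefix that
    DBRegistry.getLDAPAttributes() is described as recognising.
    """
    parsed = []
    for key in keys:
        key = key.strip()
        if key in ("", "-"):
            raise ValueError("empty sort key")
        parsed.append((key[1:], True) if key.startswith("-") else (key, False))
    return parsed


def vlv_ldif(name, base, filt, sort_attrs, scope=VLV_SCOPE_ONELEVEL, backend_dn=BACKEND_DN):
    """Return LDIF for a vlvSearch entry and its vlvIndex child.

    vlvSort takes attribute names only, so a '-' prefix is rejected instead
    of being written into an index the server would refuse. vlvEnabled is
    maintained by the server and is not written. The filter must match on
    objectClass so that entries lacking an optional attribute still appear.
    """
    bad = [a for a in sort_attrs if a.startswith("-")]
    if bad:
        raise ValueError("vlvSort does not support reverse keys: %s" % ", ".join(bad))
    if not filt.lower().startswith("(objectclass="):
        raise ValueError("VLV filter must match on objectClass, got %s" % filt)
    search_dn = "cn=%s,%s" % (name, backend_dn)
    index_cn = name + "Index"
    return "\n".join([
        "dn: " + search_dn,
        "objectClass: top",
        "objectClass: vlvSearch",
        "cn: " + name,
        "vlvBase: " + base,
        "vlvScope: %d" % scope,
        "vlvFilter: " + filt,
        "",
        "dn: cn=%s,%s" % (index_cn, search_dn),
        "objectClass: top",
        "objectClass: vlvIndex",
        "cn: " + index_cn,
        "vlvSort: " + " ".join(sort_attrs),
        "",
    ])


# Constructed TPS-style definitions: name -> (container, filter, sort attrs).
TPS_VLVS = {
    "allTokens": ("ou=Tokens,ou=tps,dc=example,dc=com",
                  "(objectClass=tokenRecord)", ["id"]),
    "allActivities": ("ou=Activities,ou=tps,dc=example,dc=com",
                      "(objectClass=tokenActivity)", ["dateOfCreate"]),
}


def tps_vlv_ldif():
    """LDIF for every constructed TPS VLV, as a --generate-ldif style step would emit."""
    return "\n".join(vlv_ldif(n, base, filt, sort)
                     for n, (base, filt, sort) in sorted(TPS_VLVS.items()))


if __name__ == "__main__":
    print(tps_vlv_ldif())
    print(parse_sort_keys(["-dateOfCreate", "cn"]))
```

Generating LDIF rather than applying changes directly keeps the Directory Manager credentials out of the tool, which matches the split the db-server commands above describe: apply with simple creds when you have them, otherwise hand the LDIF to whoever can bind with GSSAPI.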
* Fixed problem submitting renewal request. (Endi S. Dewata, 2016-06-02, 4 files, -23/+89)
  The RenewalProcessor.processRenewal() has been modified to get the serial number of the certificate to renew from the profile input in addition to the <SerialNumber> attribute and client certificate.
  The serialNum field in CertEnrollmentRequest has been modified to use CertId which accepts both decimal and hexadecimal value.
  https://fedorahosted.org/pki/ticket/999
* Fixed error reporting in RenewalProcessor.getSerialNumberFromCert(). (Endi S. Dewata, 2016-06-02, 1 file, -55/+43)
  The RenewalProcessor.getSerialNumberFromCert() has been modified to throw an exception instead of returning null to pass the error message to the client to help troubleshooting. The code has also been modified to remove redundant null checking and redundant decoding and re-encoding.
  https://fedorahosted.org/pki/ticket/999
* Fix LDAP schema violation when instance name contains '_' (Fraser Tweedale, 2016-05-30, 2 files, -2/+2)
  The instance name is used in NSSDB key nicknames, which are stored in the authorityKeyNickname attribute for mapping lightweight CAs to their keys. The schema was PrintableString, which does not permit '_', causing LDAP syntax errors if the instance name contains '_'. To avoid this issue, change the attribute syntax to IA5String.
  Existing instances should be largely unaffected. The schema update can be successfully applied even for existing attributes, because PrintableString and IA5String share the same underlying representation in 389DS.
  Fixes: https://fedorahosted.org/pki/ticket/2343
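The character-set difference behind the commit above is easy to check offline. As an added example (not the project's code), the following classifies a value against the two ASN.1/LDAP syntaxes so a deployment script can warn before an instance name ends up in an attribute that cannot hold it. The nickname shape used in key_nickname() is constructed for the example; the page does not show the real format.

```python
"""Check a value against the PrintableString and IA5String character sets.

Added example, not Dogtag code. PrintableString (X.680) allows letters,
digits, space and the characters ' ( ) + , - . / : = ? only; IA5String
allows any 7-bit ASCII character, so '_' passes IA5String but not
PrintableString. The nickname format below is constructed.
"""
import string

PRINTABLE_CHARS = frozenset(string.ascii_letters + string.digits + " '()+,-./:=?")


def is_printable_string(value):
    """True if every character is in the PrintableString repertoire."""
    return all(c in PRINTABLE_CHARS for c in value)


def is_ia5_string(value):
    """True if every character is 7-bit ASCII (the IA5 repertoire)."""
    return all(ord(c) < 128 for c in value)


def key_nickname(instance_name, authority_id):
    """Constructed nickname shape '<instance>-<aid>'; not the project's real format."""
    return "%s-%s" % (instance_name, authority_id)


def nickname_syntax_report(nickname):
    """Which LDAP attribute syntaxes would accept this nickname."""
    return {"PrintableString": is_printable_string(nickname),
            "IA5String": is_ia5_string(nickname)}


def offending_characters(value, allowed=PRINTABLE_CHARS):
    """Characters that would trigger an LDAP syntax error under PrintableString."""
    return sorted(set(c for c in value if c not in allowed))


if __name__ == "__main__":
    for name in ("pki-tomcat", "pki_tomcat"):      # constructed instance names
        nick = key_nickname(name, "2ba8c5f3")
        print(nick, nickname_syntax_report(nick), offending_characters(nick))
```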
* Updated system certificate selftests. (Endi S. Dewata, 2016-05-28, 1 file, -6/+6)
  The CertUtils.verifySystemCertByNickname() has been modified to call CryptoManager.verifyCertificate() to validate the system certificates which will provide better information (i.e. NSS error message and stack trace) to troubleshoot validation issues.
  https://fedorahosted.org/pki/ticket/850