Commit message

The compose scripts have been modified to use the version numbers
defined in the spec files.
https://pagure.io/dogtagpki/issue/2687
Change-Id: I9651e6239c34e38924fac1a3e7a1a1e6ad574b10
* Switched out CryptoUtil calls that use DES and replaced them
with AES equivalents. Removed these now unneeded methods.
* Added 16 byte constant IV for AES operations. This must be
replaced by a randomly generated IV. Added TODOs where IVs
should be replaced.
* Corrected misspellings of "enreypted" in both request fields
and variable names
* Removed some code from null checks where the result could
never be null. These cases were flagged in Eclipse as dead
code.
Change-Id: Iec0c0e86fd772af8b3c9588f11a0ea1e517776fb
Build dependency on slf4j-jdk14 has been added into pki-core.spec
to ensure that the /usr/share/pki/lib/slf4j-jdk14.jar link is
created properly at build time.
https://pagure.io/dogtagpki/issue/2714
Change-Id: Icf32d013ff7d9065635cabdfdce3946bff6d2a9f
The initialization scriptlet has been fixed to verify the subsystem
existence properly when running the second step of the two-step
subordinate CA installation.
https://pagure.io/dogtagpki/issue/2707
Change-Id: I0cc8ca21fda8637b4b34f4c5a1c108d213f638f8
New --skip-configuration and --skip-installation options have
been added to pkispawn to provide a mechanism to set the
pki_skip_configuration and pki_skip_installation parameters
without changing the deployment configuration file.
https://pagure.io/dogtagpki/issue/2707
Change-Id: I069b51b5be65dee2fe0f4ca75e3693bcd21007de
- Bugzilla Bug #1445519 - CA Server installation with HSM fails
A new SCHEDULE_CRL_GENERATION audit event has been added which
will be generated when CRL generation is scheduled manually.
https://pagure.io/dogtagpki/issue/2651
Change-Id: I1e2fc307491e796e50b09550d66e5eba370d090a
A new FULL_CRL_PUBLISHING audit event has been added which will
be generated when full CRL publishing is complete.
https://pagure.io/dogtagpki/issue/2651
Change-Id: I4461b03f4afd300b65e9d12c7d0bfa935b4e7082
A new FULL_CRL_GENERATION audit event has been added which will
be generated when full CRL generation is complete.
https://pagure.io/dogtagpki/issue/2651
Change-Id: I74b083721e477ad72fe5a787935af617e89a6968
A new DELTA_CRL_PUBLISHING audit event has been added which will
be generated when delta CRL publishing is complete.
https://pagure.io/dogtagpki/issue/2651
Change-Id: I38f84fc2d00ea57ef13f0ee50998da9239437372
A new DELTA_CRL_GENERATION audit event has been added which will
be generated when delta CRL generation is complete.
https://pagure.io/dogtagpki/issue/2651
Change-Id: Ic4759ac2d90b6915443587708292d0f51e11345f
Fixes: https://pagure.io/dogtagpki/issue/2711
The key record for keys generated in the keygen servlets
was not updated to reflect whether or not the server was set up
to do encryption/key wrapping. This patch corrects this
oversight.
Bugzilla BZ# 1455617
Change-Id: I31daece8b93a0ad58cb595e6a23fe8705f338024
The ECAException constructor has been modified to accept a more
generic Throwable instead of Exception.
https://pagure.io/dogtagpki/issue/2651
Change-Id: I2a63fad2f8a3216fe8d33f550d3571d2fec2c4ee
The code related to full CRL generation has been moved into
generateFullCRL().
https://pagure.io/dogtagpki/issue/2651
Change-Id: I6a23c97255ba7095e168e927621f0503923251c2
The code related to delta CRL generation has been moved into
generateDeltaCRL().
https://pagure.io/dogtagpki/issue/2651
Change-Id: Ic38c654cea03fe8748bd9663b5414fbe8e762f26
The SHA1-based random number generators in some classes have been
replaced with the random number generator provided by JssSubsystem.
https://pagure.io/dogtagpki/issue/2695
Change-Id: Id0285dbc8c940fa7afb8feccab3086030d949514
This encapsulates key gen events for the token servlets.
Consolidated the success and failure cases. Note that this
event can likely later be replaced with security_data_keygen
events. Leaving separate for now.
Change-Id: I6caaeb2231fd2f7410eade03cb5fa93d66444bbf
Change-Id: I57b30cdff571056d0a95436858308872a8dc007b
The code that generates full CRL in updateCRLNow()
in CRLIssuingPoint has been refactored into a separate
generateFullCRL() method for clarity.
https://pagure.io/dogtagpki/issue/2651
Change-Id: I4356f3ba71e523cb0f8fa8aa25c34a7a6b6ac49e
The code that generates delta CRL in updateCRLNow()
in CRLIssuingPoint has been refactored into a separate
generateDeltaCRL() method for clarity.
https://pagure.io/dogtagpki/issue/2651
Change-Id: I494524ba3fffd89e4edd995c2fa32b9f55104c4a
The code that generates CRLExtensions in updateCRLNow()
in CRLIssuingPoint has been refactored into a separate
generateCRLExtensions() method for clarity.
https://pagure.io/dogtagpki/issue/2651
Change-Id: I33d7477ccb8b408c54d9c026dea070a7198beffd
The RequestQueue has been modified to use the random number
generator provided by JssSubsystem.
https://pagure.io/dogtagpki/issue/2695
Change-Id: Id93f769d1fca154ee385a3dcebee55b13a65d38e
The SecurityDataProcessor has been modified to use the random
number generator provided by JssSubsystem.
https://pagure.io/dogtagpki/issue/2695
Change-Id: Ibca684a2165266456c4b28cba5eae4136940d189
Change-Id: Ifc8d05bd1d2d34bb0ef25877f838731bed58d00e
Some log messages in OCSP-related code have been updated for
clarity.
https://pagure.io/dogtagpki/issue/2652
Change-Id: Ie81b95906a0d9aef6126fb205a4bcec028731e39
Some nested if-statements in DefStore.processRequest() have been
merged for clarity.
https://pagure.io/dogtagpki/issue/2652
Change-Id: Iedbda7d884cd4735a9c591a57d05b1086b4cb36d
An if-statement in DefStore.processRequest() has been modified
to return early for clarity. The code indentation has been adjusted
accordingly.
https://pagure.io/dogtagpki/issue/2652
Change-Id: Ife5a1e3c2d4a09a687acc2714948b670fd31bfe3
An if-statement in DefStore.processRequest() has been modified
to return early for clarity. The code indentation has been adjusted
accordingly.
https://pagure.io/dogtagpki/issue/2652
Change-Id: Ib506bdac88e017197b2a192e952b54be1456eac0
Currently, when we use the retrieveKey() REST interface, there are
two logs generated for the processing of a recovery request. To
rectify this, logging has been removed from the lower level in the
SecurityDataProcessor and is delegated to the higher level.
This necessitated adding audit logging to the SecurityDataRecoveryService,
which processes recovery events asynchronously.
In addition, the logging in retrieveKey() has been pushed down to
the retrieveKeyImpl, because there is at least one success exit point in
retrieveKeyImpl where a recovery request is created, but no key is exported.
Hence in this case, a KeyRetrieve success event is not warranted.
Change-Id: I0725e6fe82046ae666bf6c81d6a6ba58261dfc87
There was some confusion in the previous commit for archival
logging. The archivalID is the id provided by the CA for the archival
and is its requestID. This allows the cert request operation
to be tracked through the archival.
Made sure therefore, that we have two fields - one for the archivalID
and one for the requestId (which is the KRA archival request ID).
In addition, some of the archival events occur in the CA component
just before the request id sent to the KRA. These events will not
be displayed unless the audit event is added to the CA CS.cfg.
Change-Id: I3904d42ae677d5916385e0120f0e25311b4d9d08
As currently written, the audit log for completing the cert
processing on the KRA will always fail because the cert is not
yet issued. The cert is only issued after the key is archived.
Basically, though, this particular log is only supposed to be
written to the CA audit log. Rather than adding a subsystem check,
the simplest solution is to not expose this event on the KRA.
Change-Id: I9e658dca15fd87e87c0124c4c9972dbca2910643
The OCSPProcessor has been modified to log the OCSP response to
help troubleshooting.
https://pagure.io/dogtagpki/issue/2695
Change-Id: I9c880def083221af26cac902ff6d7852d0555a8f
The TokenServlet has been moved into pki-tks package in order to
use the JssSubsystem in pki-cmscore package.
Some constants in SecureChannelProtocol have been made public so
they can be accessed by the TokenServlet.
https://pagure.io/dogtagpki/issue/2695
Change-Id: I5542e5dcf09c3d081a131af042d833203bcc086c
The audit logs where an agent grants an asynchronous recovery request
and the case where recovery request is approved from the REST API
are consolidated and encapsulated in a class.
Change-Id: I237c1dcfc413012d421f3ccc64e21c7caf5a7701
The auditing in retrieveKey is all messed up.
* Added new audit event to track accesses to KeyInfo queries.
They may produce a lot of events, especially if events are
generated for every listing of data. By default, this event
may be turned off.
* Added audit events for generation and processing of key
recovery requests.
Change-Id: Icb695e712bdfadf0a80903aa52bd00b9d4883182
The operations script has been modified to enable all subsystems
on startup by default. If the selftest fails, the subsystem will
be shut down again automatically as before. A pki.conf option has
been added to configure this behavior.
https://pagure.io/dogtagpki/issue/2699
Change-Id: Iaf367ba2d88d73f377662eee5eafbb99e088ae50
Key retrieval is when the key/secret is extracted and returned
to the client (once the recovery request is approved). We combine
SECURITY_DATA_RETRIEVE_KEY and a couple of older EXPORT events.
Note: an analysis of the key retrieval REST flow (and the auditing
there) will be done in a subsequent patch.
Change-Id: Ibd897772fef154869a721fda55ff7498210ca03c
There are now many ways to recover keys. From an
auditing point of view, it's not helpful to distinguish
between sync or async requests. So we just use
SECURITY_DATA ...
Change-Id: Id64abd56248c07f3f7f7b038ba5ac458af854089
This creates audit events for KEY_RECOVERY_PROCESSED and
SECURITY_DATA_RECOVERY_PROCESSED audit logs. We simplify by
reducing the logs to the SECURITY_DATA ones.
Change-Id: I75968799dec48d1f056ba15f8125d3bd031f31bb
Encapsulate SECURITY_DATA_KEY_RECOVERY_REQUEST and
KEY_RECOVERY_REQUEST audit events as audit event objects.
We have collapsed to a single audit event type.
Change-Id: I68c27573725cf27c34d008c58847d6a22e0d0bac
Encapsulate audit logs for SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED
and PRIVATE_KEY_ARCHIVAL_REQUEST_PROCESSED. We have merged the
two audit events.
Change-Id: I2abc7edff076495bb62733b92304fecd4f15b2b7
This patch encapsulates the SECURITY_DATA_ARCHIVAL_REQUEST and
PRIVATE_DATA_ARCHIVAL_REQUEST audit logs as audit events.
The PRIVATE_DATA_ARCHIVAL_REQUEST events are mapped to the
SECURITY_DATA ones to simplify the whole structure. They
used to provide an archivalID parameter which was pretty much
meaningless as it was at best just the same as the request id
which is already logged. So this is now dropped.
Change-Id: I705d25ce716c73f2c954c5715b0aafdad80b99d2
- Bugzilla Bug #1454603 - Unable to install IPA server due to pkispawn error
The JssSubsystem has been modified to provide a configurable
random number generator which uses PK11SecureRandom from JSS by
default.
The CertificateRepository has been modified to use the new random
number generator to generate random serial numbers.
https://pagure.io/dogtagpki/issue/2695
Change-Id: I3289adbd0543000e64404fe23d00c44f32795f75