| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
|
|
|
|
| |
Due to a certificate mapping issue the subsystem certificate can
be mapped into either the subsystem user or pkidbuser, which may
cause problems since the users don't belong to the same groups.
As a temporary solution the pkidbuser is now added into the same
groups. This way the client subsystem can always access the
services regardless of which user the certificate is actually
mapped to.
https://fedorahosted.org/pki/ticket/1595
|
| | |
|
| |
|
|
|
|
|
|
|
| |
A set of new pki-server commands have been added to simplify
updating the cert data and cert request stored in the CS.cfg with
the cert data and cert request stored in the NSS and LDAP database,
respectively.
https://fedorahosted.org/pki/ticket/1551
|
| |
|
|
|
|
|
|
|
|
| |
different cards for ExternalReg
The patch fixes an issue that the CUID comes in from the client has a different
format than that of the config cuid range strings. With the right conversion,
the cuid range would then be evaluated correctly. The issue may only be
discovered with certain cuid data, as it was not reproduceable in the dev
environment.
|
| | |
|
| |
|
|
|
|
|
|
|
| |
cards for ExternalReg - make default keySetMappingResolver work for smart cards out of box
The earlier patch works fine for the feature requested. However, the default
keySetMappingResolver filter contains keySet extension which would fail smart
cards. Although this could be easily worked around, this patch provides the
default that would make it easier to play with.
|
| |
|
|
| |
Simple fix to correctly identify scp01/gp201 sc650 card.
|
| |
|
|
|
|
|
|
|
| |
A new man page has been added for pki <subsystem>-user-membership
commands. The pki-user-cert man page has been modified to fix some
errors.
https://fedorahosted.org/pki/ticket/1584
(cherry picked from commit 997c8ec32ed483f3af47d692039720e62fa65c94)
|
| | |
|
| |\ |
|
| | |
| |
| |
| |
| |
| |
| |
| | |
A new man page has been added for pki <subsystem>-user-membership
commands. The pki-user-cert man page has been modified to fix some
errors.
https://fedorahosted.org/pki/ticket/1584
|
| |/
|
|
| |
Simple fix to correctly identify scp01/gp201 sc650 card.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Related to ticket #1575 Internet Explorer 11: caUserCert request submission fails using the EE page.
This patch will only do the following:
Detect IE when IE11 is being used. Before this IE11 was mistaken for Firefox.
Detect IE11 specifically and warn the user that there is no support.
This ticket will live to se we can fix this properly by porting the current
VBS script to Javascript to support cert enrollment on IE 11.
|
| |
|
|
| |
join security domain Investigation shows that this issue occurs when the non-CA subsystem's SSL server and client keys are also on the HSM. While browsers (on soft token) have no issue connecting to any of the subsystems on HSM, subsystem to subsystem communication has issues when the TLS_ECDHE_RSA_* ciphers are turned on. We have decided to turn off the TLS_ECDHE_RSA_* ciphers by default (can be manually turned on if desired) based on the fact that: 1. The tested HSM seems to have issue with them (will still continue to investigate) 2. While the Perfect Forward Secrecy provides added security by the TLS_ECDHE_RSA_* ciphers, each SSL session takes 3 times longer to estabish. 3. The TLS_RSA_* ciphers are adequate at this time for the CS system operations
|
| |
|
|
|
|
|
|
|
| |
The routine that sets the password of the "pinmanager" user was
not working. A very simple one character fix takes care of it.
Ticket # 1546 - Setpin utility doesn't set the pin for users.
Checking in under the one line trivial change rule.
|
| | |
|
| |
|
|
|
|
|
|
| |
Some versions of pylint complain about six's moves magic:
No name 'urllib' in module '_MovedItems' (no-name-in-module)
Disable error E0611.
|
| |
|
|
|
|
|
|
| |
Some types implement __eq__ but don't provide a __hash__ function. Mark
these types as non-hashable with __hash__ = None. This fixes:
DeprecationWarning:
Overriding __eq__ blocks inheritance of __hash__ in 3.x
|
| |
|
|
|
|
|
| |
The default value for argparser's verbosity was None, but None can't be
compared to 2 in Python 3.
TypeError: unorderable types: NoneType() >= int()
|
| |
|
|
|
|
|
|
|
| |
In Python 3 subprocess.Popen() and check_out() return bytes. The rest of
PKI expects text, so the output has to be decoded.
- ascii for dnsdomainname
- sys.getfilesystemencoding() for paths
- utf-8 for the rest
|
| |
|
|
|
| |
Python 3 treats serialized XML as encoded bytes. etree must encode XML
to UTF-8 and write it to a file opened in binary mode.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Python 3's exception class has no message attribute. e.message can
either be replaced with string representation of e or e.args[0].
Use print(line, end='') instead of sys.stdout.write(). With end='' no
new line is appended.
Use six.reraise() to reraise an exception.
Remove sys.exc_clear() as it is no longer available in Python 3.
Conditionally import shutil.WindowsError.
Use six.move to import correct modules / function like quote, urlparse
and configparser.
Silence some pylint warnings. pylint doesn't understand six.moves magic
and emits a import-error warning.
Add additional tox envs to check for Python 3 compatibility.
|
| |
|
|
|
|
|
|
|
| |
Fedora 22's Python bindings for SELinux lacks sepolgen. The seobject
package is available for Python 3 but can't be imported because it
depends on sepolgen.
The workaround makes it possible to test the Python 3 port on Fedora 22.
It can be removed later once Fedora 23 is out.
|
| | |
|
| |
|
|
|
|
|
|
|
| |
In Python 3 dict methods like values(), items() and keys() return views
rather than lists. The iter equivalents are gone. Use six to use
iterators on Python 2 and 3.
In some places like setup.py a list is required. Use
list(somedict.values()) to get a list on all Python versions.
|
| |
|
|
|
| |
The unicode type has been renamed to str. six.text_type is unicode
in Python 2 and str in Python 3.
|
| |
|
|
|
|
| |
Python 3 has a different syntax for meta classes. The old __metaclass__
attribute is no longer supported. six.with_metaclass() constructs a
suitable metaclass for us.
|
| |
|
|
|
| |
execfile has been removed from Python 3. The upgrade importer now reads,
compiles and executed the upgrade scripts manually.
|
| |
|
|
|
| |
In Python 3 range() returns an iterator and xrange() is gone. Use
six.moves to use an iterable range() on Python 2.
|
| |
|
|
|
|
|
| |
In Python 3 raw_input() has been renamed to input() and the old,
insecure input() builtin is gone. six.moves simplifies the transition.
It provides the former raw_input() function under the same import name
on Python 2 and 3.
|
| |
|
|
|
|
|
|
|
| |
Replace print statement with Python 3's print() function.
For Python 2 'from __future__ import print_function' turns the print
statement into Python 3 compatible print function.
See https://www.python.org/dev/peps/pep-3105/
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Enforce absolute imports or explicit relative imports. Python 3 no
longer supports implicit relative imports, that is unqualified imports
from a module's directory. In order to load a module from the same
directory inside a package, use
from . import module
The future feature 'from __future__ import absolute_import' ensures that
pki uses absolute imports on Python 2, too.
See https://www.python.org/dev/peps/pep-0328/
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This patch fixes the RSA ciphers that were mistakenly turned on under ECC
section, and off under RSA section. A few adjustments have also been made
based on Bob Relyea's feedback. A new file, <instance>/conf/ciphers.info
was also created to
1. provide info on the ciphers
2. provide default rsa and ecc ciphers for admins to incorporate into earlier
instances (as migration script might not be ideal due to possible customization)
(cherry picked from commit 67c895851781d69343979cbcff138184803880ea)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Large portions of the patch was automatically created with autopep8:
find base/ -name '*.py' | xargs autopep8 --in-place --ignore E309 \
--aggressive
find base/common/upgrade base/server/upgrade -type f -and \
-not -name .gitignore | autopep8 --in-place --ignore E309 --aggressive
autopep8 --in-place --ignore E309 --aggressive \
base/common/sbin/pki-upgrade \
base/server/sbin/pkispawn \
base/server/sbin/pkidestroy \
base/server/sbin/pki-server \
base/server/sbin/pki-server-upgrade
About two dozent violations were fixed manually.
https://fedorahosted.org/pki/ticket/708
|
| |
|
|
|
|
| |
Move internal helper and its configuration out of the project's root
directory into scripts/. Also use re instead of fnmatch to find the
upgrade scriptlets.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There were some things wrong with the setpin utility.
1. There were some syntax violations that had to be dealt with or a DS with syntax checking
would not be pleased.
2. The back end is expecting a byte of hash data at the beginning of the pin.
In our case we are sending NO hash so we want this code at the beginning '-'
3. We also need to prepend the dn in front of the pin so the back end can verify the set pin.
Tested to work during both steps of the setpin process: 1) Creating the schema, 2) creating the pin.
Tested to work with actual PinBased Enrollment.
4. Fix also now supports the SHA256 hashing method only, with the sha256 being the default hash.
The no hash option is supported but puts the pin in the clear.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Console
It appears that the PortalEnroll plugin was never converted to work in the
Profile Framework.
This patch takes out the following line from CS.cfg:
auths.impl.PortalEnroll.class=com.netscape.cms.authentication.PortalEnroll
so that it cannot be instantiated from the console, nor manually in CS.cfg,
unless explicitly put back in.
While in CS.cfg.in, I found the NSSAuth auths.impl line having no real
implementation, so I remove that too.
|
| | |
|
| |
|
|
|
|
|
|
|
| |
The ListCerts servlet and the templates have been fixed to pass
the skipRevoked and skipNonValid parameters to the subsequent page.
Some debugging messages have been cleaned up as well.
https://fedorahosted.org/pki/ticket/1538
|
| |
|
|
|
|
| |
This patch changes the relevant CA enrollment admin profiles so that they accept
requests for EC certs. The issue actually not just affected KRA, it also affected
other non-CA subsystems.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
We currently disable the cert status maintenance thread on
clone CAs because CRL processing should only be done on the
master CA. Currently, the maintenance thread also performs
other checks on serial number ranges and settings. By disabling
the maintenance thread, we disable these checks too.
To fix this, we have separated the serial number checks into a
different maintenance thread, so that these tasks will occur
even if the cert status thread is disabled.
Bugzilla # 1251606
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Python 3 has deprecated and remove Exception.message. Instead we should
simply use string formatting to print the message of an Exception.
>>> import pki
>>> pki.PKIException('msg')
PKIException('msg',)
>>> pki.PKIException('msg').message
'msg'
>>> str(pki.PKIException('msg'))
'msg'
>>> '%s' % pki.PKIException('msg')
'msg'
|
| |
|
|
|
|
|
|
|
| |
Several methods except OSError before they except shutil.Error. In
Python 3 the second except clause will be ignored because in Python 3
shutil.Error is a subclass of OSError.
The body of the except clauses only differs in the logging message. A
single except clause with an isinstance() check has the same effect.
|
| |
|
|
|
| |
The exceptions module is obsolete. All builtin exception classes are
globals.
|
| |
|
|
|
| |
Since Python 2.2 most types in the types module refer to builtin type
objects, e.g. types.ListType is list.
|
| |
|
|
|
|
| |
iteritems() is the preferred way to iterate over key, value pairs.
Python-modernize can convert iteritems() to efficient code on Python 2
and 3.
|
| |
|
|
|
|
|
| |
The upgrade scripts don't have a .py file extension. For this reason
they are not picked up by pylint in tox.ini. Tox doesn't support shell
scripting. In order to check all files I rewrote the
pylint-build-scan.sh script as Python script.
|
| | |
|
| |
|
|
|
| |
- PKI TRAC Ticket #1530 - Client pki-tools missing tomcat-servlet dependency
- PKI TRAC Ticket #1542 - Update tomcatjss dependency on Fedora 23 and later
|
| |
|
|
| |
https://fedorahosted.org/pki/ticket/1253
|
