Commit message | Author | Age | Files | Lines
...
* Added banner validation during server startup. | Endi S. Dewata | 2017-06-16 | 4 | -0/+202
  Some pki-server CLIs have been added to inspect and validate the content of the banner file. The PKI server startup script has been modified to validate the content of the banner file using the new CLI.
  https://pagure.io/dogtagpki/issue/2671
  Change-Id: Ibc51afee184d0a720cc0d2961af08ef75d2b54c4
* Fix 3DES archival | Ade Lee | 2017-06-16 | 1 | -8/+15
  A previous commit mistakenly conflated the wrapping parameters for DES and DES3 cases, resulting in incorrect data being stored if the storage was successful at all. This broke ipa vault and probably also token key archival and recovery.
  This patch sets the right parameters for the 3DES case again.
  Part of BZ# 1458043
  Change-Id: Iae884715a0f510a4d492d64fac3d82cb8100deb4
* Fix regression in pkcs12 key bag creation | Fraser Tweedale | 2017-06-16 | 1 | -21/+37
  Commit 633c7c6519c925af7e3700adff29961d72435c7f changed the PKCS #12 file handling to never deal with raw private key material. PKCS12Util.addKeyBag() was changed to export the PrivateKey handle, or fail. This change missed this case where a PKCS #12 file is loaded from file, possibly modified, then written back to a file, without involving an NSSDB. One example is pkcs12-cert-del which deletes a certificate and associated key from a PKCS #12 file.
  Fix the PKCS12Util.addKeyBag() method to use the stored EncryptedPrivateKeyInfo if available, otherwise export the PrivateKey handle.
  Fixes: https://pagure.io/dogtagpki/issue/2741
  Change-Id: Ib8098126bc5a79b5dae19103e25b270e2f10ab5a
* Ticket#2737 CMC: check HTTPS client authentication cert against CMC signer | Christina Fu | 2017-06-15 | 7 | -84/+175
  This patch adds enforcement in CMCUserSignedAuth to make sure SSL client authentication is performed and the authenticated cert matches that of the CMC signing cert. Some auditing adjustments are also done.
* Added default URL for OCSPProcessor. | Endi S. Dewata | 2017-06-15 | 1 | -0/+13
  The OCSPProcessor has been modified to provide a default URL for all requests submitted using the processor.
  https://pagure.io/dogtagpki/issue/2652
  Change-Id: I0175947d7d6a6a0284837e0d0464b139a5802444
* Fixed pki ca-cert-find and ca-cert-show output. | Endi S. Dewata | 2017-06-15 | 1 | -7/+8
  The pki ca-cert-find and ca-cert-show output has been modified for consistency.
  https://pagure.io/dogtagpki/issue/2652
  Change-Id: Ieb3550f7c18904ef26bc9a31529e2fa9a87de519
* Fixed audit log signature problem due to rotation. | Endi S. Dewata | 2017-06-15 | 1 | -19/+24
  The LogFile has been modified to set up log signing during its initialization to ensure the signing works properly during log rotation.
  https://pagure.io/dogtagpki/issue/2561
  Change-Id: I69d54a359ebe74557ca9b12ea7582f712fb31949
* Fixed initial audit log signature verification. | Endi S. Dewata | 2017-06-15 | 1 | -15/+24
  The AuditVerify has been modified to find the first signature properly and start the signature verification only after finding the first signature.
  https://pagure.io/dogtagpki/issue/2634
  Change-Id: Ic35fc88e75173e65d8786bf7b62407fce0952f3e
* Fixed access banner encoding (part 2). | Endi S. Dewata | 2017-06-14 | 3 | -7/+2
  The code that reads the access banner from file has been modified to explicitly use UTF-8 encoding.
  The Info class and the PKI UI have been modified not to encode the access banner in Base64 since it is not necessary.
  https://pagure.io/dogtagpki/issue/2671
  Change-Id: I5f41a8ebac0bc91623b27f14608bca294bc9bc38
* Fixed access banner encoding. | Endi S. Dewata | 2017-06-14 | 3 | -0/+39
  The Info service and client have been modified to transmit access banner in Base64-encoded form. The PKI UI has been modified to decode the access banner properly.
  https://pagure.io/dogtagpki/issue/2671
  Change-Id: Ic8526bac4c4d6b99e627aced64ab24cf675f5d50
* Fixed access banner normalization. | Endi S. Dewata | 2017-06-14 | 4 | -4/+4
  The PKIService has been modified to trim whitespaces in access banner before returning the value to the client. The clients have been modified to no longer trim the banner.
  https://pagure.io/dogtagpki/issue/2671
  Change-Id: I51c5e78d11c89c711e369328def27bb352aa49e6
* Fixed PKI console build issue on RHEL. | Endi S. Dewata | 2017-06-14 | 1 | -2/+2
  The DefaultParser used in PKI console has been replaced with PosixParser for backward compatibility with Commons CLI 1.2 on RHEL.
  https://pagure.io/dogtagpki/issue/2671
  Change-Id: Ie36bfd4cbd83818cfc06f6a3f69e02214cff0db2
* Added verbose option for PKI console. | Endi S. Dewata | 2017-06-13 | 3 | -2/+85
  The PKI console has been modified to provide a verbose option to help troubleshooting.
  https://pagure.io/dogtagpki/issue/2671
  Change-Id: Ib231a278a8d000bdbe43513149331bb0ea1f2752
* Added RESTEasy paths into pki-console.spec. | Endi S. Dewata | 2017-06-13 | 1 | -1/+17
  The pki-core.spec has been modified to define RESTEasy paths for different platforms.
  https://pagure.io/dogtagpki/issue/2671
  Change-Id: I5519daf199e5c9d0b2c7f894a97e0158beaccb4d
* Refactored AuditVerify (part 3). | Endi S. Dewata | 2017-06-13 | 2 | -7/+29
  The AuditVerify.verify() has been cleaned up and some debug messages have been added for clarity.
  https://pagure.io/dogtagpki/issue/2634
  Change-Id: Id1c510dd0081e3abb4fb34da0737ea6a3a335ba4
* Refactored AuditVerify (part 2). | Endi S. Dewata | 2017-06-13 | 1 | -98/+142
  The code that performs the audit log verification in AuditVerify has been moved into a new verify() method.
  https://pagure.io/dogtagpki/issue/2634
  Change-Id: Ic6d0f08b754feaac8779d7051e591ea03726df65
* Refactored AuditVerify (part 1). | Endi S. Dewata | 2017-06-13 | 1 | -36/+49
  The code that retrieves and verifies the signing certificate in AuditVerify has been moved into a new setSigningCert() method.
  https://pagure.io/dogtagpki/issue/2634
  Change-Id: I37b9d73a2ff162735359d2eed222296bbb1fcd60
* KRA PKCS #12 export: add config to use 3DES PBE encryption | Fraser Tweedale | 2017-06-09 | 1 | -11/+32
  Restore the 3DES PKCS #12 key recovery code path, alongside the new AES variant, which is broken on Thales nethsm. Add the 'kra.legacyPKCS12' config for selecting which version to use, with the default value of 'true' (i.e., use 3DES).
  Part of: https://pagure.io/dogtagpki/issue/2728
  Change-Id: Ic02fe8ba3a4c2c049913ff48d3f6dfdc830b4360
* Add one more possible keywrap algorithm to usage | Ade Lee | 2017-06-08 | 1 | -0/+1
  Added one more key wrap algorithm to the CRMFPopClient usage statement.
  Part of BZ #1458047
  Change-Id: Ic52410a6a23f850944a6b96385b26a9bba12b51a
* Add possible keywrap algorithms to usage | Ade Lee | 2017-06-08 | 1 | -0/+2
  Added possible key wrap algorithms to the CRMFPopClient usage statement to make it clear what options are available.
  Part of BZ #1458047
  Change-Id: Ie49ec9cd9bbb5c112668469f701363b967695ef3
* Ticket #2619 Allow CA to process user-signed CMC revocation requests | Christina Fu | 2017-06-08 | 16 | -426/+769
  First of all, the original CMC revocation only supports agent-signed CMC revocation requests from the UI where CMCRevReqServlet handles it with CMCAuth. It is in violation with https://tools.ietf.org/html/rfc5273 CMC Transport Protocols, as for HTTP/HTTPS, the body of the message is the binary value of the BER encoding of the PKI Request or Response, so HTML is not an approved method. The other way is through profileSubmitCMCFullServlet (or maybe not, as it was completely broken).
  One thing that's much less crucial, but goes along with rfc update is the name of the revocation request ASN1 structure. In the new rfc5272, it is now called RevokeRequest instead of RevRequest.
  This patch revamped the CMC revocation provision and fixing what's broken and adding what's missing.
  On the client side:
  CMCRequest
  - Commented out the code where it made an assumption to use OtherMsg for the signer information. This makes no sense as the outer layer SignedData would have the same information when signing happens.
  - removed the revRequest.nickname parameter from the configuration. From the code it seems like it expects the certificate to be revoked to exist in the user database, and it uses the same certificate to sign the revocation request. The RFC does allow for self-signed revocation, but it also allows for signing with another certificate provided that it has same subject. By removing the revRequest.nickname parameter, I am using the "nickname" parameter as the signer cert, which may or may not be the same certificate specified in revRequest.serial. It is less confusing. The change also eliminates the need for the cert to be revoked to be present in the db. In addition, revRequest.issuer only needs to be specified if revRequest.sharedSecret is used. The code will extract the issuer info from the signing cert.
  - added support for unsigned data in support of shared secret in both CMCRequest and server; The original code assumed that a cmc revocation request that relies on shared secret still requires agent signing.
  CMCRevoke
  - The original code assumed that the nss db password is the same as Shared Secret (!!). This patch added a "-t" to accept shared secret, and keep the -p for the nss db password.
  - The original code printed out b64 encoded request to the screen output as well as the file CMCRevoke.out. Both are unusable directly. This patch fixes it so that the output to the screen can be directly copied and pasted into the CMC revocate ui at ee (processed by CMCRevReqServlet); Again, this is not RFC conforming, but I fixed it anyways;
  - The output to the file CMCRevoke.out has been fixed so that it is the BER encoding of the request, which can be fed directly into the updated server that now conforms to the RFC (see below)
  - This code still requires the signer certificate nickname to run, making the shared secret method moot. Since CMCRequest has been updated to work properly, we can leave this for now.
  On the server side.
  CMCUserSignedAuth has been updated to handle unsigned DATA; Recall that the original CMC revocation only handled SIGNED_DATA (making assumption that agent always signs the requests). This addition is important to support shared secrets properly.
  Another thing that's important change on the server side is that it now checks the revoking cert's subject against the signer's subject, if authenticated by CMCUserSignedAuth. The original code did not do that, I think it is because it always checks if it's an agent or not.
  Something that could be improved on is to have its own servlet. However, due to the time restriction, I only updated existing EnrollProfile, ProfileSubmitCMCServlet, and CMCOutputTemplate to handle the rfc conforming cmc revocation requests.
  The shared secret handling is left in the CMCOutputTemplate for now. Logically it would make sense to go into CMCUserSignedAuth. This could be left as a possible later ticket for improvement. Shared Token plugin implementation will be added in later ticket as well.
  Previously missed signing cert validation is also added for more complete check. Some SHA1 are turned into SHA2
  Finally, some auditing are added, but it is not finalized. It will be done in the next ticket(s).
* Stop using hardcoded IV in CMC | Ade Lee | 2017-06-08 | 3 | -17/+17
  Bugzilla #BZ 1458055
  Change-Id: I229d7f18c46f0b55ec83f051614de1b59e125b82
* Updated source version number to 10.4.7-1.1 | Matthew Harmsen | 2017-06-08 | 4 | -4/+16
* Updated PKI console option parser. | Endi S. Dewata | 2017-06-07 | 2 | -24/+62
  The PKI console option parser has been updated to use the Commons CLI library.
  https://pagure.io/dogtagpki/issue/2671
  Change-Id: I77d185c83fec61e3dd126ccf9579fa2fba1e33a4
* Server side changes to correctly parse the new PKIArchiveOptions | Ade Lee | 2017-06-07 | 6 | -25/+109
  The server is modified to read the new OIDs in the PKIArchiveOptions and handle them correctly.
  Change-Id: I328df4d6588b3c2c26a387ab2e9ed742d36824d4
* Refactor client to not use keysets | Ade Lee | 2017-06-07 | 7 | -129/+206
  It is simpler to simply tell the client which algorithm to use for key wrapping and encryption, rather than use key sets.
  Therefore:
  * KRAInfo and CAInfo are refactored to provide the algorithms required for key wrapping and encryption.
  * Client is modified to use these parameters to determine which algorithms to use.
  * We specify the OIDs that will be used in the PKIArchiveOptions more correctly. The options are basically: AES-128-CBC, DES3-CBC, AES KeyWrap/Pad
  Change-Id: Ic3fca902bbc45f7f72bcd4676c994f8a89c3a409
* Cleaned up PKI console options. | Endi S. Dewata | 2017-06-07 | 2 | -76/+7
  Some PKI console options are not actually used or always given a fixed value so they have been removed for clarity.
  https://pagure.io/dogtagpki/issue/2671
  Change-Id: Ia691f90fa949ff07a7215f87385f08036bd71dd1
* Minor fix to already fixed issue: | Jack Magne | 2017-06-06 | 1 | -5/+6
  The problem was that a tiny piece of the original patch didn't get checked in. This resolves this issue.
* Fixed client cert auth in PKI console. | Endi S. Dewata | 2017-06-06 | 3 | -11/+54
  The changes in 70520762af91b5dab41415028b1a6bfe66d42628 have been reverted since it broke client cert auth in PKI console.
  The PKI console session timeout is now detected by checking for empty server response.
  https://pagure.io/dogtagpki/issue/2643
  Change-Id: Id075556620bc72cabcca3f303af54570d3ca1009
* Updated 'selinux-policy-targeted' and 'tomcatjss' requirements. | Matthew Harmsen | 2017-06-05 | 1 | -5/+7
* Ticket #2617 part2: add revocation check to signing cert | Christina Fu | 2017-06-05 | 2 | -1/+20
* Resolves: dogtag Pagure Issues #1663,2556,2674,2676,2687,2707,2713,2714,2717,2721,2726 | Matthew Harmsen | 2017-06-04 | 4 | -4/+35
  - Bump revision to 10.4.7
  - dogtagpki Pagure Issue #1663 - Add SCP03 support (jmagne)
  - dogtagpki Pagure Issue #2556 - pkispawn fails to create PKI subsystem on FIPS enabled system (edewata)
  - dogtagpki Pagure Issue #2674 - CA brought down during separate KRA instance creation (edewata)
  - dogtagpki Pagure Issue #2676 - pkispawn fails occasionally with this failure ACCESS_SESSION_ESTABLISH_FAILURE (edewata)
  - dogtagpki Pagure Issue #2687 - Upgrade script for keepAliveTimeout parameter (edewata)
  - dogtagpki Pagure Issue #2707 - SubCA installation failure with 2 step installation in fips enabled mode (edewata)
  - dogtagpki Pagure Issue #2713 - Build failure due to Pylint issues (cheimes)
  - dogtagpki Pagure Issue #2714 - Classpath problem while trying to run pki CLI (edewata)
  - dogtagpki Pagure Issue #2717 - Certificate import using pki client-cert-import is asking for password when already provided (edewata)
  - dogtagpki Pagure Issue #2721 - Key recovery using externalReg fails with java null pointer exception on KRA (vakwetu)
  - dogtagpki Pagure Issue #2726 - client-cert-import --ca-cert should import CA cert with trust bits "CT,C,C" (edewata)
* Revert "Fixed theme build script." | Matthew Harmsen | 2017-06-04 | 1 | -9/+9
  This reverts commit 0beb742bdf25bab0eed0354729794013e1e7090e.
* Improve exception message for null AuthorityKeyIdentifier | Fraser Tweedale | 2017-06-05 | 2 | -1/+5
  When the Authority Key Identifier extension cannot be instantiated, we currently fail with a generic "extension not found" error message. Throw a better exception for this case in particular, and improve the exception message for the general case of attempting to add a null exception.
  Fixes: https://pagure.io/dogtagpki/issue/2705
  Change-Id: Ic79742d8a228391275ffe5bfeef0a324f6b431bd
* Fixed default CA cert trust flags in pki CLI. | Endi S. Dewata | 2017-06-03 | 3 | -3/+4
  The pki CLI has been modified to use CT,C,C as the default trust flags for CA certificate import operations.
  https://pagure.io/dogtagpki/issue/2726
  Change-Id: I68c5a0303459319cc746a77703d0a420f4f68377
* Fixed pki client-cert-import CLI. | Endi S. Dewata | 2017-06-03 | 1 | -28/+66
  The pki client-cert-import CLI has been modified to provide a password file when invoking the certutil -A command.
  https://pagure.io/dogtagpki/issue/2717
  Change-Id: If32f9eeb39d140aaef38c9bc1933f3ae0f57a5a2
* Refactored CLI.runExternal(). | Endi S. Dewata | 2017-06-03 | 7 | -100/+65
  The methods for running external commands in various CLI classes have been merged into CLI.runExternal().
  https://pagure.io/dogtagpki/issue/2717
  Change-Id: I5b6d136db699d3bb48e4f36f7f187d0240bbbf62
* Refactored MainCLI.loadPassword() (part 3). | Endi S. Dewata | 2017-06-03 | 1 | -12/+9
  The MainCLI.loadPassword() has been modified to use try-with-resources. Some log messages have been added for clarity.
  https://pagure.io/dogtagpki/issue/2717
  Change-Id: Ic4950ba677613565f548b51d1f985177c6726510
* Refactored MainCLI.loadPassword() (part 2). | Endi S. Dewata | 2017-06-03 | 1 | -24/+25
  The MainCLI.loadPassword() has been modified to fix the code indentation.
  https://pagure.io/dogtagpki/issue/2717
  Change-Id: I7d208f1f4568f2fb1323ab206f45af5c0338b53f
* Refactored MainCLI.loadPassword() (part 1). | Endi S. Dewata | 2017-06-03 | 1 | -11/+13
  The method that loads password from a file in MainCLI has been renamed into loadPassword() and modified to return early for clarity.
  https://pagure.io/dogtagpki/issue/2717
  Change-Id: I9b031c31040c2d00f04d9997abcdae38163bf6d5
* Resolve #1663 Add SCP03 support. | Jack Magne | 2017-06-02 | 2 | -3/+8
  This particular fix resolves a simple issue when formatting a token in FIPS mode for SCP03.
* Excluded backslash from random password. | Endi S. Dewata | 2017-06-02 | 1 | -3/+4
  The backslash is no longer used for generating random password since it's causing SSL handshake failure.
  https://pagure.io/dogtagpki/issue/2676
  Change-Id: I2e63769b16fc3fa617b27dccb7b85f139714a411
* Fix NPE in audit log invocation | Ade Lee | 2017-06-02 | 3 | -4/+8
  Some audit log objects take a RequestId or KeyId, on which we call toString(). In some cases, we were creating a KeyId or RequestId with null values, resulting in an NPE. We fix these in this patch.
  Bugzilla BZ# 1458043
  Change-Id: I38d5a20e9920966c8414d56afd7690dc3c11a1db
* Fixed random password generator. | Endi S. Dewata | 2017-06-02 | 1 | -3/+8
  The equal sign is no longer used to generate random password since it's already used as token name and password delimiter in password.conf.
  https://pagure.io/dogtagpki/issue/2556
  Change-Id: Id59f9aae4d01958f69c305e7d5cda44ce5c81c84
* Added version number on supported platforms into spec files. | Endi S. Dewata | 2017-06-02 | 4 | -0/+20
  The spec files have been modified to include the latest PKI package version numbers on the supported platforms. This allows the upstream code to be built directly on these platforms to help troubleshooting.
  https://pagure.io/dogtagpki/issue/2687
  Change-Id: I95bec3fed122792b25ca5e21714545204525240d
* Reorganized upgrade scripts. | Endi S. Dewata | 2017-06-02 | 1 | -2/+29
  Since the PKI version may be different on different platforms, upgrade scripts that are newer than the latest available version on a particular platform have been moved to the folder matching the latest available version.
  https://pagure.io/dogtagpki/issue/2687
  Change-Id: Iced8c27bdccab0764131ecf4b495251033dc20b1
* Added upgrade script for keepAliveTimeout. | Endi S. Dewata | 2017-06-02 | 10 | -0/+95
  An upgrade script has been added to set the keepAliveTimeout attribute for the Secure connector in the server.xml.
  https://pagure.io/dogtagpki/issue/2687
  Change-Id: Ia61ed49d0ffc26d4bb44738c71fc663bde37fb1d
* Fixed pylint issues | Matthew Harmsen | 2017-06-02 | 11 | -53/+50
  - https://pagure.io/dogtagpki/issue/2713 - Build failure due to Pylint issues
* Removed superfluous deployment configuration backup. | Endi S. Dewata | 2017-06-02 | 1 | -6/+1
  The pkispawn has been modified to generate a temporary backup file (instead of permanent and timestamped backup files) of the deployment configuration file before normalizing its content. The temporary backup will be removed automatically when the normalization is complete.
  https://pagure.io/dogtagpki/issue/2674
  Change-Id: Ia541e23314acc120954fa574d1f6f885961c8047
* Fixed theme build script. | Endi S. Dewata | 2017-06-01 | 1 | -9/+9
  The theme build script has been modified to use ln command instead of CMake create_symlink command to create links to theme files and folders. The ln command allows the link to be created even if the target does not exist.
  https://pagure.io/dogtagpki/issue/2687
  Change-Id: Iff6f00af6a56bf4b5a6207b4fa4174103dbd5e73