pki.git - Unnamed repository; edit this file 'description' to name the repository.

	Commit message (Collapse)	Author	Age	Files	Lines
...
*	Fixed hanging subordinate CA with HSM installation in FIPS mode.	Endi S. Dewata	2016-11-16	1	-13/+8
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	When installing subordinate CA with HSM, the installer calls the pki CLI (which is implemented using JSS) to validate the imported CA certificate in HSM. Normally, the HSM password is specified as CLI parameter, but in FIPS mode JSS requires both the HSM and the internal token passwords. Since the CLI only takes one password, JSS will prompt for the missing one on the console causing the installation to hang. As a temporary solution, the pki-server subsystem-cert-validate command has been modified to validate certificates stored in the internal token only and it will use the internal token password, so only a single password is required. Further investigation in CLI/JSS/NSS is needed to support validating certificates in HSM without password prompts. https://fedorahosted.org/pki/ticket/2543
*	Fixed problem installing subordinate CA with HSM in FIPS mode.	Endi S. Dewata	2016-11-16	2	-12/+42
\| \| \| \| \| \| \| \| \| \| \| \| \| \|	Due to certutil issue (bug #1393668) the installation code has been modified to import certificates into the NSS database in two steps. This workaround is needed to install subordinate CA with HSM in FIPS mode. First, the certificate will be imported into the HSM using the HSM password without the trust attributes. Then, the certificate will be imported into the internal token using the internal token password with the trust attributes. https://fedorahosted.org/pki/ticket/2543
*	Moved policy framework classes to org.dogtagpki.legacy.	Endi S. Dewata	2016-11-11	79	-241/+296
\| \| \| \| \| \| \|	To discourage the use of policy framework, the framework classes have been moved into org.dogtagpki.legacy. https://fedorahosted.org/pki/ticket/6
*	Generalized list of files in CMakeLists.txt.	Endi S. Dewata	2016-11-11	16	-55/+15
\| \| \| \| \| \| \| \|	The list of source and class files in some CMake files have been generalized to allow renaming Java packages without changing the CMake files again. https://fedorahosted.org/pki/ticket/6
*	Reverted policy framework deprecation.	Endi S. Dewata	2016-11-11	74	-293/+208
\| \| \| \| \| \| \| \| \|	To reduce Eclipse warnings, classes and methods related to policy framework have been undeprecated. In the future the policy framework may be removed since it has already been replaced with the profile framework. https://fedorahosted.org/pki/ticket/6
*	Fix auditing and rename kra.ephemeral as per review comments	Ade Lee	2016-11-10	2	-35/+70
\|
*	Fix approvals for asynchronous requests	Ade Lee	2016-11-10	1	-1/+1
\| \| \| \| \| \| \|	A bug in the approval code for asynchronous requests results in the number of agents needed being calculated incorrectly for SECURITY DATA (REST based) requests. This one liner fixes this problem.
*	Add field to KeyData to allow request to be returned when non-synchronous	Ade Lee	2016-11-10	5	-11/+74
\| \| \| \| \|	If a retrieval is non-sychronous, we create a non-ephemeral recovery request and return this Request ID to the client.
*	Add option to pass existing request to retrieveKeyCLI	Ade Lee	2016-11-10	2	-3/+63
\| \| \| \| \| \|	Continuation of the previous patch. These are client changes to allow the client to pass through an approved recovery request to retrieveKey()
*	Modify retrieval and archival mechanisms in KRA REST	Ade Lee	2016-11-10	13	-241/+336
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	When clients call retrieveKey(), three possible alternatives now obtain: 1. client passes in an approved request. Request is processed and the secret is retrieved. 2. client passes in key_id and wrapping parameters and either: a) request can be processed immediately and synchronously and request is created, and secret is returned. b) request cannot be processed immediately. Recovery request is created and request_id returned to the client Depending on server configuration, the requests in case (2a) will be stored in ldap or will be ephemeral (in memory only). More complicated realm based logic to determine if requests can be processed synchronously or ephemerally will be added in a later patch.
*	Refactor SecurityData archival and recovery code	Ade Lee	2016-11-10	3	-777/+769
\| \| \| \| \| \| \|	Put logic in a Processor, so that it can be reused for synchronous requests. The only differerence between synchronous and asynchronous requests will be that forsynchronous requests, the request will be triggered from and updated on the request queue.
*	Updated pki-core.spec.	Endi S. Dewata	2016-11-08	1	-0/+3
\| \| \| \| \| \| \|	The pki-core.spec has been updated to include the new man pages for PKCS #12 utilities. https://fedorahosted.org/pki/ticket/1920
*	Added man pages for PKCS #12 utilities.	Endi S. Dewata	2016-11-08	3	-0/+312
\| \| \| \| \| \| \|	New man pages have been added: pki-pkcs12, pki-pkcs12-cert, and pki-pkcs12-key. https://fedorahosted.org/pki/ticket/1920
*	Replaced deprecated ProxyParser.	Endi S. Dewata	2016-11-04	7	-16/+16
\| \| \| \| \| \|	The deprecated ProxyParser has been replaced with DefaultParser. https://fedorahosted.org/pki/ticket/2535
*	Replaced deprecated DefaultHttpClient.	Endi S. Dewata	2016-11-04	3	-19/+15
\| \| \| \| \| \| \|	The deprecated DefaultHttpClient in SubsystemClient, CRMFPopClient, and OCSPProcessor has been replaced with HttpClientBuilder. https://fedorahosted.org/pki/ticket/2531
*	Fixed resource leak in InhibitAnyPolicyExtension.	Endi S. Dewata	2016-11-04	2	-10/+17
\| \| \| \| \| \| \| \| \| \|	The InhibitAnyPolicyExtension has been modified to always close the DerOutputStream instance. The InhibitAnyPolicyExtDefault has been modified to wrap the original exception. https://fedorahosted.org/pki/ticket/2530
*	Fixed resource leak in ExtendedKeyUsageExtension.	Endi S. Dewata	2016-11-03	2	-10/+16
\| \| \| \| \| \| \| \| \| \|	The ExtendedKeyUsageExtension has been modified to always close the DerOutputStream instance. The ExtendedKeyUsageExt has been modified to wrap the original exception. https://fedorahosted.org/pki/ticket/2530
*	Revert "Fixed TPS UI system menu."	Matthew Harmsen	2016-11-03	6	-163/+42
\| \| \| \|	This reverts commit f979c3b436e9a12e8c71ba0abab5c892d375f945.
*	Revert "Fixed TPS UI for agent approval."	Matthew Harmsen	2016-11-03	3	-124/+97
\| \| \| \|	This reverts commit 3c4f9c7eb1aa9a71c0f5a943314d355d2fdeebb4.
*	Fixed resource leak in OCSPNoCheckExtension.	Endi S. Dewata	2016-11-03	2	-8/+14
\| \| \| \| \| \| \| \| \| \|	The OCSPNoCheckExtension has been modified to always close the DerOutputStream instance. The OCSPNoCheckExt has been modified to wrap the original exception. https://fedorahosted.org/pki/ticket/2530
*	Fixed resource leak in GenericASN1Extension.	Endi S. Dewata	2016-11-03	1	-3/+4
\| \| \| \| \| \| \|	The GenericASN1Extension has been modified to always close the DerOutputStream instance. https://fedorahosted.org/pki/ticket/2530
*	Fixed resource leak in OtherName.	Endi S. Dewata	2016-11-03	1	-3/+9
\| \| \| \| \| \| \|	The OtherName has been modified to always close the DerOutputStream instances. https://fedorahosted.org/pki/ticket/2530
*	Added constructors to chain EPropertyException.	Endi S. Dewata	2016-11-03	1	-0/+8
\| \| \| \| \| \| \|	To help troubleshooting, the EPropertyException has been modified to provide constructors to chain the original exception. https://fedorahosted.org/pki/ticket/2463
*	Fixed exception message in PKCS12Util.loadFromByteArray().	Endi S. Dewata	2016-11-02	1	-1/+1
\| \| \| \| \| \| \| \|	For clarity the PKCS12Util.loadFromByteArray() has been modified to generate a more accurate exception message on PKCS #12 verification failure. https://fedorahosted.org/pki/ticket/2476
*	Fixed default OCSP port in server.xml.	Endi S. Dewata	2016-11-02	2	-2/+2
\| \| \| \| \| \| \| \|	For consistency the server.xml templates for Tomcat 7 and 8 have been modified to use the same unsecure port used by the instance in the default OCSP responder URL. https://fedorahosted.org/pki/ticket/2476
*	Fixed KRA key recovery via CLI in FIPS mode.	Endi S. Dewata	2016-11-02	2	-1/+4
\| \| \| \| \| \| \| \| \|	Based on investigation and solution provided by cfu and jmagne, the SecurityDataRecoveryService.serviceRequest() has been modified to use EncryptionUnit.unwrap_temp() for key recovery via CLI in FIPS mode. https://fedorahosted.org/pki/ticket/2500
*	Reformatted SecurityDataRecoveryService.serviceRequest().	Endi S. Dewata	2016-11-02	1	-5/+25
\| \| \| \| \| \| \|	The code in SecurityDataRecoveryService.serviceRequest() has been reformatted for clarity. https://fedorahosted.org/pki/ticket/2500
*	Troubleshooting improvement for ConfigurationUtils.handleCerts().	Endi S. Dewata	2016-10-28	2	-12/+7
\| \| \| \| \| \| \| \|	To help troubleshooting, the ConfigurationUtils.handleCerts() has been modified to throw the exception instead of returning an integer. https://fedorahosted.org/pki/ticket/2463
*	a few simple debugging messages in TPS that will make debugging easier.	Christina Fu	2016-10-24	2	-6/+18
\|
*	Fixed typo in UserPwdDirAuthentication.	Endi S. Dewata	2016-10-24	1	-1/+1
\| \| \| \|	https://fedorahosted.org/pki/ticket/2460
*	TPS token enrollment fails to setupSecureChannel when TPS and TKS security ↵	Jack Magne	2016-10-21	1	-1/+3
\| \| \| \| \| \| \| \|	db is on fips mode. Ticket #2513. Simple fix allows the TPS and TKS the ability to obtain the proper internal token, even in FiPS mode.
*	PIN_RESET policy is not giving expected results when set on a token.	Jack Magne	2016-10-21	1	-9/+25
\| \| \| \| \| \|	Simple fix to actually honor the PIN_RESET=<YES>or<NO> policy for a given token. Ticket #2510.
*	Fixed TPS UI for agent approval.	Endi S. Dewata	2016-10-21	3	-97/+124
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	The TPS UI has been updated to support TPS agent approval process for changes in authenticators, connectors, and profile mappings in addition to profiles. The ConfigEntryPage has been updated to display the action links consistently in the above components for all possible role and status combinations. The ProfilePage has been removed since the code has been merged into its super class. https://fedorahosted.org/pki/ticket/2523
*	Fixed TPS UI system menu.	Endi S. Dewata	2016-10-21	6	-42/+163
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	The TPS UI has been modified to adjust the system menu based on the list of accessible components obtained during login. The TPSApplication has been modified to use TPSAccountService which returns the list of accessible components based on the following properties in the CS.cfg: * admin: target.configure.list * agent: target.agent_approve.list The AccountInfo has been changed to extend the ResourceMessage such that it can be used to pass the list of accessible components as an attribute. https://fedorahosted.org/pki/ticket/2523
*	Fix for flake8 errors on Fedora 26 (cheimes)	Matthew Harmsen	2016-10-19	1	-4/+6
\|
*	Cert/Key recovery is successful when the cert serial number and key id on ↵	Jack Magne	2016-10-19	3	-37/+50
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	the ldap user mismatches Fixes this bug #1381375. The portion this patch fixes involves URL encoding glitch we encountered when recovering keys using the "by cert" method. Also this bug addresses: Bug 1379379 - Unable to read an encrypted email using renewed tokens The URL encoding problem was affecting the proper verification of this bug. and Bug 1379749 - Automatic recovery of encryption cert is not working when a token is physically damaged and a temporary token is issued The URI encoding was also making this bug appear to fail more than it should have. There is also a minor fix to the feature that makes sure it works. This small fix is in TPSEngine.java where the constant for GenerateNewAndRecoverLast scheme is declared.
*	Fixed CryptoUtil.getTokenName().	Endi S. Dewata	2016-10-14	2	-10/+15
\| \| \| \| \| \| \| \| \| \|	The CryptoUtil.getTokenName() has been modified to check both the short name and full name of the internal token. The ConfigurationUtils.deleteCert() has also been modified to call CryptoUtil.getTokenName(). https://fedorahosted.org/pki/ticket/2500
*	Fixed pki-nsutil build order.	Endi S. Dewata	2016-10-12	1	-0/+2
\| \| \| \| \| \| \| \| \|	To help troubleshooting build issues the pki-nsutil-classes build target has been modified to depend on symkey-jar although there is no actual code dependency. This way the targets will be built sequentially and error messages will be easier to find. https://fedorahosted.org/pki/ticket/2476
*	Fixed installation error message.	Endi S. Dewata	2016-10-12	1	-1/+1
\| \| \| \| \| \| \| \|	The verify_subsystem_does_not_exist() has been modified to display the proper error message when the subsystem to be installed already exists. https://fedorahosted.org/pki/ticket/2476
*	Fixed Eclipse classpath for Fedora 23.	Endi S. Dewata	2016-10-11	1	-1/+3
\| \| \| \|	The Eclipse classpath has been updated to work on Fedora 23.
*	Ticket #2498 Token format with external reg fails when ↵	Christina Fu	2016-10-10	3	-8/+14
\| \| \| \| \| \|	op.format.externalRegAddToToken.revokeCert=true This patch adds the missing parameters in the CS.cfg for externalRegAddToToken in regards to format operation. It also changed the non-defined ldap2 and ldap3 and ldap1
*	Another Fix for: Add ability to disallow TPS to enroll a single user on ↵	Jack Magne	2016-10-10	2	-9/+50
\| \| \| \| \| \| \|	multiple tokens. #1664 We just found out the code doesn't account for if the user has an active token which IS the token currently being worked on.
*	Fix for: Add ability to disallow TPS to enroll a single user on multiple ↵	Jack Magne	2016-10-10	4	-2/+107
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	tokens. #1664 This bug was previously not completely fixed where we left a loophole to allow a user to end up with 2 active tokens. This fix closes that loophole. Also: Fix for: Unable to read an encrypted email using renewed tokens. #2483 This fix provides for a new optional renewal based token policy, that allows the user to retain or recover old encryption certs for that profile, that get overwritten by the renewal process. An example is: RENEW=YES;RENEW_KEEP_OLD_ENC_CERTS=YES The default is YESk you have to explicitly set it to NO to turn it off. The second part of the policy is new. When this is set to "YES", the system will make sure the old enc cert will remain on the token. If it's missing or "NO", no such attempt will be made. junk
*	Ticket #2496 Cert/Key recovery is successful when the cert serial number and ↵	Christina Fu	2016-10-10	3	-34/+98
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	key id on the ldap user mismatches Problem: There are two ways to recover the keys with a. by cert b. by keyId When recovering by cert, KRA checks if cert and key matches before returning; However, in case of recovering by keyId, KRA has no way of checking. TPS also has no way of checking because the recovered private keys are warpped. This patch adds a control parameter externalReg.recovery.byKeyID to determine if TPS should recover keys by keyIDs. By default, it is false, so certs are used to search for key record and recover. Code summary for externalReg key recovery: config default: externalReg.recover.byKeyID=false Recover either by keyID or by cert When recovering by keyid: externalReg.recover.byKeyID=true - keyid in record indicates actual recovery; - missing of which means retention; When recovering by cert: externalReg.recover.byKeyID=false - keyid field needs to be present but the value is not relevant and will be ignored (a "0" would be fine) - missing of keyid still means retention; (In hindsight, recovery by keyid is probably more accident-prone and should be discouraged)
*	Added openssl runtime dependency for support of External CA.	Matthew Harmsen	2016-10-10	1	-0/+1
\| \| \| \|	- PKI TRAC Ticket #2478
*	Fixed ConfigurationUtils.importCertChain().	Endi S. Dewata	2016-10-10	1	-1/+2
\| \| \| \| \| \| \| \|	The ConfigurationUtils.importCertChain() has been modified to ignore UNKNOWN_ISSUER error when connecting to a server that does not have the complete certificate chain. https://fedorahosted.org/pki/ticket/2497
*	Fixed NSSDatabase.create_request().	Endi S. Dewata	2016-10-10	1	-1/+1
\| \| \| \| \|	The NSSDatabase.create_request() has been modified to remove a superfluous argument when invoking certutil.
*	Troubleshooting improvements for GetCertChain.	Endi S. Dewata	2016-10-10	2	-6/+30
\| \| \| \| \| \| \| \|	To help troubleshooting the GetCertChain servlet has been modified to log the certificate chain being returned. The ConfigurationUtils has also been modified to log the certificate chain received. https://fedorahosted.org/pki/ticket/2463
*	Removed duplicate classes.	Endi S. Dewata	2016-10-10	14	-29/+27
\| \| \| \| \| \| \|	The CMake scripts have been modified to store compiled Java classes in separate folders for each JAR files to avoid duplicates. https://fedorahosted.org/pki/ticket/2505
*	Ticket #1527 TPS Enrollment always goes to "ca1" (bug fix)	Christina Fu	2016-10-10	1	-10/+38
\| \| \| \|	This patch fixes the bug that after revocation ca discovery, the revokeCertificate call goes back to the default ca, the ca that the certificate is to be enrollmed with; This causes problem when the revocation ca is a different ca.