Commit message (author, date, files changed, lines removed/added)
* Separated TPS does not automatically receive shared secret from remote TKS. (Jack Magne, 2016-07-01, 9 files, -197/+435)
    Support to allow the TPS to do the following:
    1. Request that the TKS creates a shared secret with the proper ID, pointing to the TPS.
    2. Have the TKS securely return the shared secret back to the TPS during the end of configuration.
    3. The TPS then imports the wrapped shared secret into its own internal NSS db permanently and
    4. Given a name that is mapped to the TPS's id string.
    Additional fixes:
    1. The TKS was modified to actually be able to use multiple shared secrets registered by multiple TPS instances.
    Caveat: At this point if the same remote TPS instance is created over and over again, the TPS's user in the TKS will accumulate "userCert" attributes, making the exportation of the shared secret not functional. At this point we need to assume that the TPS user has ONE "userCert" registered at this time.
* Generating Symmetric key fails with key-generate when --usages verify is passed (Jack Magne, 2016-07-01, 1 file, -1/+3)
    Ticket #1114 Minor adjustment to the man page for the key management commands to say which usages are appropriate for sym keys and those appropriate for asym keys.
* Add HSM information (Matthew Harmsen, 2016-07-01, 2 files, -1/+180)
    - PKI TRAC Ticket #1405 - Add additional HSM details to 'pki_default.cfg' & 'pkispawn' man pages
* Updated notification message for DB subsystem command (Abhijeet Kasurde, 2016-07-01, 1 file, -5/+15)
    Partially fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1351295
* Updated notification message for TPS subsystem command (Abhijeet Kasurde, 2016-07-01, 1 file, -8/+26)
    Partially fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1351295
* Updated notification message for TKS subsystem command (Abhijeet Kasurde, 2016-07-01, 1 file, -0/+7)
    Partially fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1351295
* Updated notification message for OCSP subsystem command (Abhijeet Kasurde, 2016-07-01, 1 file, -0/+6)
    Partially fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1351295
* Updated notification message for kra-db-vlv* command (Abhijeet Kasurde, 2016-07-01, 1 file, -15/+23)
    Partially fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1351295
* Added instance and subsystem validation for pki-server ca-* commands. (Endi S. Dewata, 2016-07-01, 1 file, -7/+37)
    The pki-server ca-* commands have been modified to validate the instance and the CA subsystem before proceeding with the operation. The usage() methods and invocations have been renamed into print_help() for consistency.
    https://fedorahosted.org/pki/ticket/2364
* Fixed pki-server subsystem-cert-update. (Endi S. Dewata, 2016-07-01, 3 files, -96/+120)
    The pki-server subsystem-cert-update is supposed to restore the system certificate data and requests into CS.cfg. The command was broken since the CASubsystem class that contains the code to find the certificate requests from database was not loaded correctly. To fix the problem the CASubsystem class has been moved into the pki/server/__init__.py.
    All pki-server subsystem-* commands have been modified to check the validity of the instance. An option has been added to the pki-server subsystem-cert-show command to display the data and request of a particular system certificate. The redundant output of the pki-server subsystem-cert-update has been removed. The updated certificate data and request can be obtained using the pki-server subsystem-cert-show command.
    https://fedorahosted.org/pki/ticket/2385
* Removed excessive error message in pki CLI. (Endi S. Dewata, 2016-07-01, 1 file, -1/+2)
    A recent change in the pki CLI caused excessive error messages in normal usage. The change has been reverted.
    https://fedorahosted.org/pki/ticket/2390
* Add profiles container to LDAP if missing (Fraser Tweedale, 2016-07-01, 1 file, -0/+19)
    CMS startup was changed a while back to wait for LDAPProfileSubsystem initialisation, while LDAPProfileSubsystem initialisation waits for all known profiles to be loaded by the LDAP persistent search thread. If the ou=certificateProfiles container object does not exist, startup hangs.
    This can cause a race condition in FreeIPA upgrade. FreeIPA switches the Dogtag instance to the LDAPProfileSubsystem and restarts it. The restart fails because the container object does not get added until after the restart.
    Update LDAPProfileSubsystem to add the container object itself, if it is missing, before commencing the persistent search.
    Fixes: https://fedorahosted.org/pki/ticket/2285
* AuthInfoAccess: use default OCSP URI if configured (Fraser Tweedale, 2016-07-01, 3 files, -2/+13)
    The AuthInfoAccessExtDefault profile component constructs an OCSP URI based on the current host and port, if no URI is explicitly configured in the profile.
    Update the component to look in CS.cfg for the "ca.defaultOcspUri" config, and use its value if present. If not present, the old behaviour prevails.
    Also add the 'pki_default_ocsp_uri' pkispawn config to add the config during instance creation, so that the value will be used for the CA and system certificates.
    Fixes: https://fedorahosted.org/pki/ticket/2387
* Respond 400 if lightweight CA cert issuance fails (Fraser Tweedale, 2016-07-01, 2 files, -4/+17)
    If certificate issuance fails during lightweight CA creation (e.g. due to a profile constraint violation such as Subject DN not matching pattern) the API responds with status 500.
    Raise BadRequestDataException if cert issuance fails in a way that indicates bad or invalid CSR data, and catch it to respond with status 400.
    Also do some drive-by exception chaining.
    Fixes: https://fedorahosted.org/pki/ticket/2388
* Fix build on Fedora 25 (Fraser Tweedale, 2016-07-01, 13 files, -91/+10)
    Look for the right JAX-RS API JAR (it has moved in Fedora 25). Also remove a lot of redundant 'find_file' operations for this JAR.
    Fixes: https://fedorahosted.org/pki/ticket/2373
* Updated notification message for kra-db-vlv-del command (Abhijeet Kasurde, 2016-07-01, 1 file, -12/+16)
    Partially fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1351295
* Added condition for checking instance id in kra commands (Abhijeet Kasurde, 2016-07-01, 4 files, -7/+36)
    Partially fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1351295
* Added fix for checking ldapmodify return code in db-schema-upgrade (Abhijeet Kasurde, 2016-07-01, 1 file, -5/+7)
    Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1349769
* Added condition to verify instance id in db-schema-upgrade (Abhijeet Kasurde, 2016-07-01, 1 file, -0/+4)
    Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1351096
* Bugzilla #1203407 tomcatjss: missing ciphers (Christina Fu, 2016-06-30, 3 files, -9/+2)
    This patch removes references to the ciphers currently unsupported by NSS:
    TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
    TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
* Separate PKI Instances versus Shared PKI Instances (Matthew Harmsen, 2016-06-30, 1 file, -42/+318)
    - PKI TRAC Ticket #1607 - [MAN] man pkispawn has inadequate description for shared vs non shared tomcat instance installation
* Add ability to disallow TPS to enroll a single user on multiple tokens. (Jack Magne, 2016-06-30, 3 files, -26/+80)
    This patch will install a check during the early portion of the enrollment process, checking a configurable policy on whether or not a user should be allowed to have more than one active token. This check will take place only for brand new tokens not seen before. The check will prevent the enrollment from proceeding and will exit before the system has a chance to add this new token to the TPS tokendb. The behavior will be configurable for the external reg and non-external reg scenarios as follows:
    tokendb.nonExternalReg.allowMultiActiveTokensUser=false
    tokendb.enroll.externalReg.allowMultiActiveTokensUser=false
* Ticket #1306 config params: Add granularity to token termination in TPS (Christina Fu, 2016-06-30, 1 file, -4/+119)
    This patch adds the missing configuration parameters that go with the original bug. The code would take on defaults when these parameters are missing, but putting them in the CS.cfg would make it easier for the administrators.
* Ticket 2389 Installation: subsystem certs could have notAfter beyond CA signing cert in case of external or existing CA (Christina Fu, 2016-06-29, 2 files, -0/+26)
    This patch implements a validity check on the notAfter value of the certInfo and adjusts it to that of the CA's notAfter if exceeding.
* Added gcc-c++ as a build requirement. (Matthew Harmsen, 2016-06-28, 1 file, -0/+1)
    - PKI TRAC Ticket #2228 - RHEL 7.2: Could NOT find Threads
* Normalize default softokn name (Matthew Harmsen, 2016-06-28, 1 file, -0/+10)
    - PKI TRAC Ticket #2311 - When pki_token_name=Internal, consider normalizing it to "internal"
* Fixed KRA cloning issue. (Endi S. Dewata, 2016-06-29, 6 files, -24/+91)
    The pki pkcs12-import CLI has been modified not to import certificates that already exist in the NSS database unless specifically requested with the --overwrite parameter. This will avoid changing the trust flags of the CA signing certificate during KRA cloning.
    Some other classes have been modified to provide better debugging information.
    https://fedorahosted.org/pki/ticket/2374
* Ticket #1308 [RFE] Provide ability to perform off-card key generation for non-encryption token keys (Christina Fu, 2016-06-28, 1 file, -8/+35)
    This is the patch to add missing serverKeygen params for non-encryption certs. By default it is disabled.
* Fixes: Invalid instance exception issue. (Amol Kahat, 2016-06-28, 1 file, -3/+37)
    Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1348433
* Fixes pki-server subsystem-* --help options. (Amol Kahat, 2016-06-28, 1 file, -74/+81)
    Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1340718
* Fixed problem reading HSM password from password file. (Endi S. Dewata, 2016-06-28, 3 files, -24/+50)
    A new method get_token_password() has been added into the PKIInstance Python class in order to read the token password correctly from password.conf. If the token is an internal token, it will read the 'internal' password. If it is an HSM it will read the password for 'hardware-<token>'.
    The code that calls get_password() to get the token password has been modified to use get_token_password() instead.
    https://fedorahosted.org/pki/ticket/2384
* Updated version number to 10.3.4-0.1 (Matthew Harmsen, 2016-06-21, 7 files, -11/+23)
* Updated resteasy packages for Fedora 25 and later (Matthew Harmsen, 2016-06-20, 1 file, -0/+16)
* date typo (Matthew Harmsen, 2016-06-20, 1 file, -1/+1)
* Updated pki-core-rhel-version. (Matthew Harmsen, 2016-06-20, 3 files, -3/+3)
* Updated release number to 10.3.3-1 (Matthew Harmsen, 2016-06-20, 4 files, -24/+26)
* Ticket #2346 support SHA384withRSA (Christina Fu, 2016-06-17, 48 files, -50/+81)
    This patch adds support for SHA384withRSA signing algorithm.
* Ticket #2298 Part3- trim down debug log in non-TMS crmf enrollments (Christina Fu, 2016-06-17, 11 files, -42/+61)
* UdnPwdDirAuth authentication plugin instance is not working. (Jack Magne, 2016-06-17, 11 files, -685/+0)
    Ticket #1579 : UdnPwdDirAuth authentication plugin instance is not working.
    Since this class no longer works, we felt it best to just remove it from the server. This patch removes the references and files associated with this auth method.
* Fix coverity warnings for 'tkstool' (Jack Magne, 2016-06-17, 1 file, -5/+16)
    Issues listed in the ticket addressed by this patch.
    Ticket #1199 : Fix coverity warnings for 'tkstool'.
* Revocation failure causes AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST (Jack Magne, 2016-06-17, 1 file, -91/+81)
    The fix here is to make sure no archive related audits get issued for doing things other than key archivals. Other operations such as revoking and unrevoking cert in the code path already have audit logs issued separately for success or failure.
    Ticket #2340.
* Added upgrade script to fix JAVA_HOME. (Endi S. Dewata, 2016-06-17, 6 files, -0/+119)
    https://fedorahosted.org/pki/ticket/2363
* Fixed Java dependency. (Endi S. Dewata, 2016-06-17, 15 files, -41/+79)
    The code has been modified to use the JAVA_HOME path specified in the pki.conf. The spec file has been modified to depend specifically on OpenJDK 1.8.0 and to provide the default JAVA_HOME path for the pki.conf.
    https://fedorahosted.org/pki/ticket/2363
* Removed unused Tomcat 6 files. (Endi S. Dewata, 2016-06-17, 5 files, -290/+0)
    https://fedorahosted.org/pki/ticket/2363
* Ticket #2298 exclude some ldap record attributes with key archival (Christina Fu, 2016-06-16, 11 files, -32/+388)
    This is part 2 of: https://fedorahosted.org/pki/ticket/2298 [non-TMS] for key archival/recovery, not to record certain data in ldap and logs
    This patch allows one to exclude certain ldap attributes from the enrollment records for crmf requests (both CRMF, and CMC CRMF). The following are the highlights:
      * CRMF Manual approval profile is disabled: caDualCert.cfg - If excludedLdapAttrs.enabled is true (by default it is false), then this profile will not work, as the crmf requests are not written to ldap record for agents to act on
      * excludedLdapAttrs.attrs can be used to configure the attribute list to be excluded
      * a new CRMF "auto approval" (directory based, needs to be setup) is provided
      * if excludedLdapAttrs.enabled is true (in both ca and kra), the following fields are not written to the ldap record in case of CRMF (note: the code deliberately uses literal strings on purpose, for the reason that the exact literal strings need to be spelled out in excludedLdapAttrs.attrs if the admin chooses to override the default): "req_x509info", "publickey", "req_extensions", "cert_request", "req_archive_options", "req_key"
      * Because of the above (possible exclusion of cert requests in record), profiles that require agent manual approval will no longer function in the case that excludedLdapAttrs.enabled is true
      * a sleepOneMinute() method is added for debugging purpose. It is not called in the final code, but is left there for future debugging purpose
      * code was fixed so that in the KRA the request will display subject name even though the x509info is missing from request
      * cmc requests did not have request type in records, so they had to be added for differentiation
    The following have been tested:
      * CRMF auto enroll
      * CRMF manual enroll/approval
      * CMC-CRMF enroll
      * both CA and KRA internal ldap are examined for correct data exclusion
    Note: CRMF could potentially not include key archival option, however, I am not going to differentiate them at the moment. An earlier prototype I had built attempted to do that and the signing cert's record isn't excluded for attrs write while its CRMF request is the same as that of its encryption cert counterpart within the same request. Due to this factor (multiple cert reqs with the same request blob), I am treating them the same for exclusion.
* Enable ocsp checking on KRA with CA's secure port shows self test failure. (Jack Magne, 2016-06-16, 2 files, -0/+5)
    Here we will address this by putting a comment in the server.xml, around the area where the ocsp settings are documented.
* Added debugging log in ClientCertImportCLI. (Endi S. Dewata, 2016-06-16, 1 file, -0/+5)
* Updated instructions to customize TPS token lifecycle. (Endi S. Dewata, 2016-06-16, 3 files, -12/+26)
    The TPS's CS.cfg and token-states.properties have been updated to include instructions to customize token state transitions and labels.
    https://fedorahosted.org/pki/ticket/2300
* Added pki pkcs12-cert-mod command. (Endi S. Dewata, 2016-06-16, 2 files, -0/+175)
    A new CLI has been added to update the certificate trust flags in a PKCS #12 file, which will be useful to import OpenSSL certificates.
* Fixed VLV usage in TPS token and activity services. (Endi S. Dewata, 2016-06-16, 2 files, -35/+128)
    The TPS token and activity services have been modified to use VLV only when the search filter matches the VLV, which is the default filter when there is no search keyword/attributes specified by the client. In other cases the services will use a normal search.
    https://fedorahosted.org/pki/ticket/2342