path: root/base/ca/shared
Commit message | Author | Age | Files | Lines
* Refactored CertUtil.createLocalRequest(). | Endi S. Dewata | 2017-07-07 | 1 | -1/+1
  The code that sets the certificate request extra data has been moved into CertUtil.createLocalRequest(). The incorrect profile ID in subsystemCert.profile has been fixed.
  https://pagure.io/dogtagpki/issue/2280
  Change-Id: Ic76ac3dfcbf0c4ab95abea0680697d87f00f292b
* Ticket#2737 CMC: check HTTPS client authentication cert against CMC signer | Christina Fu | 2017-06-15 | 1 | -2/+1
  This patch adds enforcement in CMCUserSignedAuth to make sure SSL client authentication is performed and the authenticated cert matches that of the CMC signing cert. Some auditing adjustments are also done.
* Added SCHEDULE_CRL_GENERATION audit event. | Endi S. Dewata | 2017-05-26 | 1 | -2/+2
  A new SCHEDULE_CRL_GENERATION audit event has been added which will be generated when CRL generation is scheduled manually.
  https://pagure.io/dogtagpki/issue/2651
  Change-Id: I1e2fc307491e796e50b09550d66e5eba370d090a
* Added FULL_CRL_PUBLISHING audit event. | Endi S. Dewata | 2017-05-26 | 1 | -2/+2
  A new FULL_CRL_PUBLISHING audit event has been added which will be generated when full CRL publishing is complete.
  https://pagure.io/dogtagpki/issue/2651
  Change-Id: I4461b03f4afd300b65e9d12c7d0bfa935b4e7082
* Added FULL_CRL_GENERATION audit event. | Endi S. Dewata | 2017-05-26 | 1 | -2/+2
  A new FULL_CRL_GENERATION audit event has been added which will be generated when full CRL generation is complete.
  https://pagure.io/dogtagpki/issue/2651
  Change-Id: I74b083721e477ad72fe5a787935af617e89a6968
* Added DELTA_CRL_PUBLISHING audit event. | Endi S. Dewata | 2017-05-26 | 1 | -2/+2
  A new DELTA_CRL_PUBLISHING audit event has been added which will be generated when delta CRL publishing is complete.
  https://pagure.io/dogtagpki/issue/2651
  Change-Id: I38f84fc2d00ea57ef13f0ee50998da9239437372
* Added DELTA_CRL_GENERATION audit event. | Endi S. Dewata | 2017-05-26 | 1 | -2/+2
  A new DELTA_CRL_GENERATION audit event has been added which will be generated when delta CRL generation is complete.
  https://pagure.io/dogtagpki/issue/2651
  Change-Id: Ic4759ac2d90b6915443587708292d0f51e11345f
* Make sure archivalID is passed through archival | Ade Lee | 2017-05-24 | 1 | -2/+2
  There was some confusion in the previous commit for archival logging. The archivalID is the id provided by the CA for the archival and is its requestID. This allows the cert request operation to be tracked through the archival.
  Made sure therefore, that we have two fields - one for the archivalID and one for the requestId (which is the KRA archival request ID)
  In addition, some of the archival events occur in the CA component just before the request id sent to the KRA. These events will not be displayed unless the audit event is added to the CA CS.cfg.
  Change-Id: I3904d42ae677d5916385e0120f0e25311b4d9d08
* Ticket#2618 feature: pre-signed CMC renewal request | Christina Fu | 2017-05-22 | 1 | -1/+12
  This patch provides the feature implementation to allow CA to process pre-signed CMC renewal requests. In the world of CMC, renewal requests are full CMC requests that are signed by previously issued signing certificate.
  The implementation approach is to use the caFullCMCUserSignedCert with the enhanced profile constraint: UniqueKeyConstraint. UniqueKeyConstraint has been updated to disallow renewal of same key shared by a revoked certificate. It also saves the origNotAfter of the newest certificate sharing the same key in the request to be used by the RenewGracePeriodConstraint. To not interfere with the existing "renewal by serial" flow, if an existing origNotAfter is found, it is not overwritten.
  The profile caFullCMCUserSignedCert.cfg has been updated to have both UniqueKeyConstraint and RenewGracePeriodConstraint. They must be placed in the correct order. By default in the UniqueKeyConstraint the constraint parameter allowSameKeyRenewal=true.
* Fixed hardcoded values in ca CS.cfg | Matthew Harmsen | 2017-05-19 | 1 | -3/+3
  - Bugzilla Bug #1452123 - CA CS.cfg shows default port
  - dogtagpki Pagure Issue #2696 - CA CS.cfg shows default port
* Ticket2673- CMC: allow enrollment key signed (self-signed) CMC with identity proof | Christina Fu | 2017-05-17 | 3 | -4/+118
  This patch implements the self-signed CMC requests, where the request is signed by the public key of the underlying request (PKCS#10 or CRMF). The scenario for when this method is used is when there was no existing signing cert for the user has been issued before, and once it is issued, it can be used to sign subsequent cert requests by the same user.
  The new enrollment profile introduced is : caFullCMCSelfSignedCert.cfg
  The new option introduced to both CRMFPopClient and PKCS10Client is "-y" which will add the required SubjectKeyIdentifier to the underlying request.
  When a CMC request is self-signed, no auditSubjectID is available until Identification Proof (v2) is verified, however, the cert subject DN is recorded in log as soon as it was available for additional information. Auditing is adjusted. More will come in the next couple CMC patches.
* Bug 1447145 - CMC: cmc.popLinkWitnessRequired=false would cause error | Christina Fu | 2017-05-02 | 1 | -0/+1
  This patch would fix the issue. It also adds the CMCUserSignedAuth authentication instance that was missed in the CS.cfg
* Ticket #2617 added the new caFullCMCUserSignedCert profile in CS.cfg | Christina Fu | 2017-04-28 | 1 | -1/+3
* Ticket #2717 CMC user-signed enrollment request | Christina Fu | 2017-04-28 | 4 | -4/+123
  This patch provides implementation that allows user-signed CMC requests to be processed; The resulting certificate will bear the same subjectDN as that of the signing cert; The new uri to access is /ca/ee/ca/profileSubmitUserSignedCMCFull where the new profile is to be used: caFullCMCUserSignedCert.cfg which utilizes the new authentication plugin: CMCUserSignedAuth and new profile default plugin: CMCUserSignedSubjectNameDefault and new profile constraint plugin: CMCUserSignedSubjectNameConstraint
* Add authn manager that reuses auth token from session | Fraser Tweedale | 2017-04-19 | 1 | -0/+2
  To process a cert request immediately (rather than having it queued as pending), the user must be authenticated *by the profile*; auth tokens from the main authentication system are not used.
  For external authentication support it is possible that the external authentication is sufficient to authenticate use of a problem; especially when the profile uses components like ExternalProcessConstraint to perform validation of the cert request against external sources of information.
  To support this use case, add the SessionAuthentication profile authenticator, which merely reuses the IAuthToken from the session context, if present.
  Part of: https://pagure.io/dogtagpki/issue/1359
* Add ExternalProcessConstraint for request validation | Fraser Tweedale | 2017-04-19 | 1 | -1/+4
  Add the ExternalProcessConstraint profile policy constraint class. It can be configured to execute an arbitrary program that performs additional request validation, rejecting the request if it terminates with a nonzero exit status. Information about the request is conveyed in the subprocess' environment.
  Part of: https://pagure.io/dogtagpki/issue/1359
* Added CLIs to access audit log files. | Endi S. Dewata | 2017-04-04 | 1 | -0/+3
  New pki audit commands have been added to list and retrieve audit log files.
  Change-Id: I785fa6f55d9b143f513d9210ebf82d04e06eaed5
* Added audit service and CLI to all subsystems. | Endi S. Dewata | 2017-04-04 | 3 | -0/+19
  Previously the audit service and CLI were only available on TPS. Now they have been added to all subsystems.
  Change-Id: I3b472254641eb887289c5122df390c46ccd97d47
* Bug 1419742: CMC RFE: provide Proof of Possession for encryption cert requests | Christina Fu | 2017-03-28 | 1 | -1/+1
  CMC encryptedPOP and decryptedPOP (Phase 1) also disable lraPOPwitness
  This patch implements the Proof of Possession for encryption only keys. This is a preliminary implementation with limitations. It does not support more than one request. ECC keys are untested. This version only uses default algorithms at some internal places. Not all limitations are listed here.
* Added audit logs for SSL/TLS events. | Endi S. Dewata | 2017-03-28 | 1 | -2/+2
  The CMSStartServlet has been modified to register an SSL socket listener called PKIServerSocketListener to TomcatJSS.
  The PKIServerSocketListener will receive the alerts generated by SSL server sockets and generate ACCESS_SESSION_* audit logs.
  The CS.cfg for all subsystems have been modified to include ACCESS_SESSION_* audit events.
  https://pagure.io/dogtagpki/issue/2602
  Change-Id: If7fb6c1b096ec8c68d1fd08f9132baf099816f11
* Added access banner for CA UI. | Endi S. Dewata | 2017-02-24 | 162 | -33/+1040
  All pages in CA UI have been modified to retrieve access banner and display it once at the beginning of the SSL connection.
  https://fedorahosted.org/pki/ticket/2582
* Renamed index.html to index.jsp in CA UI. | Endi S. Dewata | 2017-02-20 | 10 | -2/+2
  The index.html files in CA UI have been renamed to index.jsp such that they can be protected by access banner.
  https://fedorahosted.org/pki/ticket/2582
* Add profile component that copies CN to SAN dNSName | Fraser Tweedale | 2017-02-09 | 1 | -1/+4
  Add the 'CommonNameToSANDefault' profile default class. When used on a profile, this will examine the (most-specific) Common Name in the Subject DN, and if it looks like a DNS name, will add it to the Subject Alternative Name extension, creating the extension if it does not already exist.
  Also add upgrade scriptlet to add the component to registry.cfg in existing installations.
  Fixes: https://fedorahosted.org/pki/ticket/1710
* Removed all references to 'xenroll.dll' | Matthew Harmsen | 2016-12-09 | 23 | -578/+164
  - PKI TRAC Ticket #2524 - Remove xenroll.dll from pki-core
* Removed unused CA and KRA logging.properties. | Endi S. Dewata | 2016-11-18 | 1 | -70/+0
  The logging.properties files in CA and KRA folders are never deployed so they have been removed.
  https://fedorahosted.org/pki/ticket/1897
* Add pkispawn option to disable Master CRL | Ade Lee | 2016-08-04 | 1 | -1/+1
* [MAN] Apply 'generateCRMFRequest() removed from Firefox' workarounds to appropriate 'pki' man page | Jack Magne | 2016-07-14 | 4 | -2/+178
  This fix will involve the following changes to the source tree.
  1. Fixes to the CS.cfg to add two new cert profiles.
  2. Make the caDualCert.cfg profile invisible since it has little chance of working any more in Firefox.
  3. Create caSigningUserCert.cfg and caSigningECUserCert.cfg to allow the CLI to have convenient profiles from which to enroll signing ONLY certificates.
* Ticket #2346 support SHA384withRSA | Christina Fu | 2016-06-17 | 44 | -48/+48
  This patch adds support for SHA384withRSA signing algorithm.
* Ticket #2298 Part3- trim down debug log in non-TMS crmf enrollments | Christina Fu | 2016-06-17 | 1 | -1/+1
* UdnPwdDirAuth authentication plugin instance is not working. | Jack Magne | 2016-06-17 | 2 | -473/+0
  Ticket #1579 : UdnPwdDirAuth authentication plugin instance is not working.
  Since this class no longer works, we felt it best to just remove it from the server.
  This patch removes the references and files associated with this auth method.
* Removed unused Tomcat 6 files. | Endi S. Dewata | 2016-06-17 | 1 | -58/+0
  https://fedorahosted.org/pki/ticket/2363
* Ticket #2298 exclude some ldap record attributes with key archival | Christina Fu | 2016-06-16 | 2 | -1/+171
  This is part 2 of: https://fedorahosted.org/pki/ticket/2298 [non-TMS] for key archival/recovery, not to record certain data in ldap and logs
  This patch allows one to exclude certain ldap attributes from the enrollment records for crmf requests (both CRMF, and CMC CRMF). The following are the highlights:
  * CRMF Manual approval profile is disabled: caDualCert.cfg
    - If excludedLdapAttrs.enabled is true, then this profile will not work, as the crmf requests (by default it is false) are not written to ldap record for agents to act on
  * excludedLdapAttrs.attrs can be used to configure the attribute list to be excluded
  * a new CRMF "auto approval" (directory based, needs to be setup) is provided
  * if excludedLdapAttrs.enabled is true (in both ca and kra), the following fields are not written to the ldap record in case of CRMF: (note: the code deliberately use literal strings on purpose for the reason that the exact literal strings need to be spelled out in excludedLdapAttrs.attrs if the admin chooses to override the default) "req_x509info", "publickey", "req_extensions", "cert_request", "req_archive_options", "req_key"
  * Because of the above (possible exclusion of cert requests in record, profiles that require agent manual approval will no longer function in the case that excludedLdapAttrs.enabled is true
  * a sleepOneMinute() method is added for debugging purpose. It is not called in the final code, but is left there for future debugging purpose
  * code was fixed so that in KRA request will display subject name even though the x509info is missing from request
  * cmc requests did not have request type in records, so they had to be added for differentiation
  The following have been tested:
  * CRMF auto enroll
  * CRMF manual enroll/approval
  * CMC-CRMF enroll
  * both CA and KRA internal ldap are examined for correct data exclusion
  Note: CRMF could potentially not include key archival option, however, I am not going to differentiate them at the moment. An earlier prototype I had built attempted to do that and the signing cert's record isn't excluded for attrs write while its CRMF request is the same as that of its encryption cert counterpart within the same request. Due to this factor (multiple cert reqs with the same request blob), I am treating them the same for exclusion.
* Detect inability to submit ECC CSR on Chrome | Matthew Harmsen | 2016-05-13 | 1 | -0/+11
  - PKI TRAC Ticket #2306 - Chrome Can Not Submit EC Client Cert Requests
* Added Chrome keygen warning | Matthew Harmsen | 2016-05-12 | 1 | -4/+109
  - PKI TRAC Ticket #2323 - Firefox Warning appears in EE page launched from within Chrome
* Add realm to requests coming in from CA | Ade Lee | 2016-05-09 | 1 | -2/+8
  Requests to the KRA through the CA-KRA connector use the Enrollment Service. This has been modified to read and store any realm passed in.
  The realm can be added to the request by having the admin add a AuthzRealmDefault and AuthzRealmConstraint in a profile.
  At this point, all the constraint does is verify that the realm is one of a specified list of realms. More verification will be added in a subsequent patch.
  No attempt is made yet to allow users to specify the realm. This would need to be added as a ProfileInput.
  Part of Ticket 2041
* Added deployment parameters for number ranges. | Endi S. Dewata | 2016-05-09 | 1 | -6/+6
  New deployment parameters have been added to customize the serial number range, request number range, and replica number range in CS.cfg during installation.
  The code that generates the CS.cfg has been moved closer to the code that generates the subsystem configuration folder.
  https://fedorahosted.org/pki/ticket/2278
* Renamed CS.cfg.in to CS.cfg. | Endi S. Dewata | 2016-05-09 | 2 | -1/+1
  The CS.cfg.in have been renamed to CS.cfg to clean up the CMake scripts and for consistency. This change does not affect the actual files shipped in the RPM packages.
  https://fedorahosted.org/pki/ticket/2278
* Fixed adminEnroll servlet browser import issue | Matthew Harmsen | 2016-05-04 | 2 | -5/+5
  - PKI TRAC Ticket #1669 - adminEnroll servlet EnrollSuccess.template succeeds but fails on import into browser
* Removed default certificate validity delay. | Endi S. Dewata | 2016-05-03 | 4 | -4/+4
  Some certificate profiles have been modified to remove the default one minute validity delay, allowing the certificate issued with those profiles to be used immediately.
  https://fedorahosted.org/pki/ticket/2304
* Add script to enable USN plugin | Ade Lee | 2016-04-15 | 1 | -0/+1
  New authority monitor code requires the USN plugin to be enabled in the database to ensure that the entryUSN attribute is added to authority entries.
  In the case where this plugin was disabled, accessing this attribute resulted in a null pointer exception which prevented server startup.
  The code has been changed so as not to throw a null pointer exception on startup if the entryusn is not present, and also to call an LDIF to enable the plugin when a subsystem is configured through pkispawn.
* Ticket #1963 CRL generation enters loop when CA loses connection to netHSM. | Christina Fu | 2016-03-02 | 1 | -0/+2
  This patch makes a low risk attempt to slow down the loop that could be caused by an unexpected exception caused by the unavailability of a dependent component (e.g. HSM, LDAP) in the middle of CRL generation/update.
  New configuration parameters are:
  * ca.crl.MasterCRL.unexpectedExceptionWaitTime - the wait time in minutes; default is 30 - normally you want it to be less than ca.crl.MasterCRL.autoUpdateInterval and ca.crl.MasterCRL.cacheUpdateInterval
  * ca.crl.MasterCRL.unexpectedExceptionLoopMax - the max number of tries allowed before the slow down mechanism kicks in; default is 10
  When such unexpected failure happens, a loop counter is kept and checked against the unexpectedExceptionLoopMax. If the loop counter exceeds the unexpectedExceptionLoopMax, then the current time is checked against the time of the failure, where the time lapse must exceed the unexpectedExceptionWaitTime to trigger a delay. This delay is the counter measure to mitigate the amount of log messages that could flood the log(s).
  The delay is calculated like this:
  waitTime = mUnexpectedExceptionWaitTime - (now - timeOfUnexpectedFailure);
* Lightweight CAs: add audit events | Fraser Tweedale | 2016-03-01 | 1 | -2/+2
  Add audit events for lightweight CA administration.
  Fixes: https://fedorahosted.org/pki/ticket/1590
* Remove vestiges of NISAuth plugin | Fraser Tweedale | 2016-02-16 | 2 | -517/+0
  Fixes: https://fedorahosted.org/pki/ticket/1674
* Use correct textual encoding for PKCS #7 objects | Fraser Tweedale | 2016-02-15 | 5 | -10/+10
  PKCS #7 objects are being output with the "CERTIFICATE CHAIN" label which is invalid (RFC 7468) and unrecognised by many programs (including OpenSSL). Use the correct "PKCS7" label instead.
  Also do a drive-by refactor of the normalizeCertAndReq to remove some redundant code.
  Fixes: https://fedorahosted.org/pki/ticket/1699
* Remove obsolete catalina config files | Fraser Tweedale | 2016-01-21 | 2 | -271/+0
* Store issuer DN in certificate records | Fraser Tweedale | 2015-10-21 | 2 | -0/+10
  Lightweight CAs mean that we may wish to filter certificates based on the issuer. Update X509CertImplMapper to store the issuer DN in each certificate record, using existing schema.
  Also add indices for the 'issuerName' LDAP attribute.
* Lightweight CAs: implement deletion API and CLI | Fraser Tweedale | 2015-10-06 | 2 | -0/+2
  Implement lightweight authority deletion including CLI command. To be deleted an authority must be disabled and have no sub-CAs.
  Fixes: https://fedorahosted.org/pki/ticket/1324
* Ticket #1593 auto-shutdown - for HSM failover support | Christina Fu | 2015-10-01 | 1 | -0/+5
  This is an interim solution for supporting HSM failover by automatically shutting down the server when signing key becomes inaccessible. At auto-shutdown, a crumb file will be left in the instance directory for an external daemon to detect and restart, if necessary.
  Due to limitation of the watch dog (nuxwdog) at present time, the restart option currently only works if started with watch dog (nuxwdog), and it will prompt for passwords on the terminals.
  The restart counter is to prevent the server from going into an infinite restart loop. Administrator will have to reset autoShutdown.restart.count to 0 when max is reached.
  (cherry picked from commit 5a9ecad9172f76ca1b94b40aedcdd49d009aceb1)
* Fixup for CS.cfg for authority feature | Ade Lee | 2015-09-28 | 1 | -1/+1
  Set enable -> enabled
* Added Features REST API resource | Ade Lee | 2015-09-27 | 1 | -0/+3
  This will help us track whether or not a server has a feature either offered or enabled. Ultimately, it could be used by an admin to enable or disable features.
  The Java client is not included in this commit. Will add in a subsequent commit.