Commit message

The code that sets the certificate request extra data has been
moved into CertUtil.createLocalRequest().
The incorrect profile ID in subsystemCert.profile has been fixed.
https://pagure.io/dogtagpki/issue/2280
Change-Id: Ic76ac3dfcbf0c4ab95abea0680697d87f00f292b

This patch adds enforcement in CMCUserSignedAuth to make sure SSL client authentication is performed and the authenticated cert matches that of the CMC signing cert.
Some auditing adjustments are also done.

A new SCHEDULE_CRL_GENERATION audit event has been added which
will be generated when CRL generation is scheduled manually.
https://pagure.io/dogtagpki/issue/2651
Change-Id: I1e2fc307491e796e50b09550d66e5eba370d090a

A new FULL_CRL_PUBLISHING audit event has been added which will
be generated when full CRL publishing is complete.
https://pagure.io/dogtagpki/issue/2651
Change-Id: I4461b03f4afd300b65e9d12c7d0bfa935b4e7082

A new FULL_CRL_GENERATION audit event has been added which will
be generated when full CRL generation is complete.
https://pagure.io/dogtagpki/issue/2651
Change-Id: I74b083721e477ad72fe5a787935af617e89a6968

A new DELTA_CRL_PUBLISHING audit event has been added which will
be generated when delta CRL publishing is complete.
https://pagure.io/dogtagpki/issue/2651
Change-Id: I38f84fc2d00ea57ef13f0ee50998da9239437372

A new DELTA_CRL_GENERATION audit event has been added which will
be generated when delta CRL generation is complete.
https://pagure.io/dogtagpki/issue/2651
Change-Id: Ic4759ac2d90b6915443587708292d0f51e11345f

There was some confusion in the previous commit for archival
logging. The archivalID is the id provided by the CA for the archival
and is its requestID. This allows the cert request operation
to be tracked through the archival.
Made sure, therefore, that we have two fields - one for the archivalID
and one for the requestId (which is the KRA archival request ID).
In addition, some of the archival events occur in the CA component
just before the request is sent to the KRA. These events will not
be displayed unless the audit event is added to the CA CS.cfg.
Change-Id: I3904d42ae677d5916385e0120f0e25311b4d9d08

This patch provides the feature implementation to allow the CA to process pre-signed CMC renewal requests. In the world of CMC, renewal requests are full CMC requests that are signed by a previously issued signing certificate.
The implementation approach is to use the caFullCMCUserSignedCert with the enhanced profile constraint: UniqueKeyConstraint.
UniqueKeyConstraint has been updated to disallow renewal of the same key shared by a revoked certificate. It also saves the origNotAfter of the newest certificate sharing the same key in the request, to be used by the RenewGracePeriodConstraint. To not interfere with the existing "renewal by serial" flow, if an existing origNotAfter is found, it is not overwritten.
The profile caFullCMCUserSignedCert.cfg has been updated to have both UniqueKeyConstraint and RenewGracePeriodConstraint. They must be placed in the correct order. By default, in the UniqueKeyConstraint the constraint parameter allowSameKeyRenewal=true.

- Bugzilla Bug #1452123 - CA CS.cfg shows default port
- dogtagpki Pagure Issue #2696 - CA CS.cfg shows default port

proof
This patch implements the self-signed CMC requests, where the request is signed by the public key of the underlying request (PKCS#10 or CRMF). This method is used in the scenario where no signing cert has been issued to the user before; once it is issued, it can be used to sign subsequent cert requests by the same user. The new enrollment profile introduced is caFullCMCSelfSignedCert.cfg. The new option introduced to both CRMFPopClient and PKCS10Client is "-y", which will add the required SubjectKeyIdentifier to the underlying request. When a CMC request is self-signed, no auditSubjectID is available until Identification Proof (v2) is verified; however, the cert subject DN is recorded in the log as soon as it is available, for additional information. Auditing is adjusted. More will come in the next couple of CMC patches.

This patch would fix the issue. It also adds the CMCUserSignedAuth
authentication instance that was missed in the CS.cfg.

This patch provides the implementation that allows user-signed CMC requests
to be processed. The resulting certificate will bear the same subjectDN
as that of the signing cert.
The new URI to access is /ca/ee/ca/profileSubmitUserSignedCMCFull,
where the new profile is to be used: caFullCMCUserSignedCert.cfg,
which utilizes the new authentication plugin CMCUserSignedAuth,
the new profile default plugin CMCUserSignedSubjectNameDefault,
and the new profile constraint plugin CMCUserSignedSubjectNameConstraint.

To process a cert request immediately (rather than having it queued
as pending), the user must be authenticated *by the profile*; auth
tokens from the main authentication system are not used.
For external authentication support it is possible that the external
authentication is sufficient to authenticate use of a profile,
especially when the profile uses components like
ExternalProcessConstraint to perform validation of the cert request
against external sources of information.
To support this use case, add the SessionAuthentication profile
authenticator, which merely reuses the IAuthToken from the session
context, if present.
Part of: https://pagure.io/dogtagpki/issue/1359

Add the ExternalProcessConstraint profile policy constraint class.
It can be configured to execute an arbitrary program that performs
additional request validation, rejecting the request if it
terminates with a nonzero exit status. Information about the
request is conveyed in the subprocess' environment.
Part of: https://pagure.io/dogtagpki/issue/1359

New pki audit commands have been added to list and retrieve audit
log files.
Change-Id: I785fa6f55d9b143f513d9210ebf82d04e06eaed5

Previously the audit service and CLI were only available on TPS.
Now they have been added to all subsystems.
Change-Id: I3b472254641eb887289c5122df390c46ccd97d47

requests CMC encryptedPOP and decrypedPOP (Phase 1) also disable lraPOPwitness
This patch implements the Proof of Possession for encryption only keys. This is a preliminary implementation with limitations. It does not support more than one request. ECC keys are untested. This version only uses default algorithms at some internal places. Not all limitations are listed here.

The CMSStartServlet has been modified to register an SSL socket
listener called PKIServerSocketListener to TomcatJSS.
The PKIServerSocketListener will receive the alerts generated by
SSL server sockets and generate ACCESS_SESSION_* audit logs.
The CS.cfg files for all subsystems have been modified to include
ACCESS_SESSION_* audit events.
https://pagure.io/dogtagpki/issue/2602
Change-Id: If7fb6c1b096ec8c68d1fd08f9132baf099816f11

All pages in CA UI have been modified to retrieve the access banner
and display it once at the beginning of the SSL connection.
https://fedorahosted.org/pki/ticket/2582

The index.html files in CA UI have been renamed to index.jsp such
that they can be protected by the access banner.
https://fedorahosted.org/pki/ticket/2582

Add the 'CommonNameToSANDefault' profile default class. When used
on a profile, this will examine the (most-specific) Common Name in
the Subject DN, and if it looks like a DNS name, will add it to the
Subject Alternative Name extension, creating the extension if it
does not already exist.
Also add upgrade scriptlet to add the component to registry.cfg in
existing installations.
Fixes: https://fedorahosted.org/pki/ticket/1710

- PKI TRAC Ticket #2524 - Remove xenroll.dll from pki-core

The logging.properties files in CA and KRA folders are never
deployed so they have been removed.
https://fedorahosted.org/pki/ticket/1897

appropriate 'pki' man page
This fix will involve the following changes to the source tree.
1. Fixes to the CS.cfg to add two new cert profiles.
2. Make the caDualCert.cfg profile invisible since it has little chance of
working any more in Firefox.
3. Create caSigningUserCert.cfg and caSigningECUserCert.cfg to allow the CLI
to have convenient profiles from which to enroll signing ONLY certificates.

This patch adds support for the SHA384withRSA signing algorithm.

Ticket #1579: UdnPwdDirAuth authentication plugin instance is not working.
Since this class no longer works, we felt it best to just remove it from the server.
This patch removes the references and files associated with this auth method.

https://fedorahosted.org/pki/ticket/2363

part 2 of: https://fedorahosted.org/pki/ticket/2298 [non-TMS] for key archival/recovery, not to record certain data in ldap and logs
This patch allows one to exclude certain ldap attributes from the enrollment records for crmf requests
(both CRMF, and CMC CRMF). The following are the highlights:
* CRMF Manual approval profile is disabled: caDualCert.cfg
  - If excludedLdapAttrs.enabled is true (by default it is false), then this profile will not work, as the crmf requests
    are not written to the ldap record for agents to act on
* excludedLdapAttrs.attrs can be used to configure the attribute list to be excluded
* a new CRMF "auto approval" (directory based, needs to be set up) is provided
* if excludedLdapAttrs.enabled is true (in both ca and kra), the following fields are not written to the ldap record in case of CRMF:
  (note: the code deliberately uses literal strings, because the exact literal strings need to be spelled out
  in excludedLdapAttrs.attrs if the admin chooses to override the default)
    "req_x509info",
    "publickey",
    "req_extensions",
    "cert_request",
    "req_archive_options",
    "req_key"
* Because of the above (possible exclusion of cert requests in the record), profiles
  that require agent manual approval will no longer function in the case that
  excludedLdapAttrs.enabled is true
* a sleepOneMinute() method is added for debugging purposes. It is not called in the final code, but is left there for future debugging purposes
* code was fixed so that in the KRA the request will display the subject name even though the x509info is missing from the request
* cmc requests did not have the request type in records, so it had to be added for differentiation
The following have been tested:
* CRMF auto enroll
* CRMF manual enroll/approval
* CMC-CRMF enroll
* both CA and KRA internal ldap are examined for correct data exclusion
Note: CRMF could potentially not include the key archival option; however, I am not going to differentiate them at the moment. An earlier prototype I had built attempted to do that, and the signing cert's record isn't excluded for attrs write while its CRMF request is the same as that of its encryption cert counterpart within the same request. Due to this factor (multiple cert reqs with the same request blob), I am treating them the same for exclusion.

- PKI TRAC Ticket #2306 - Chrome Can Not Submit EC Client Cert Requests

- PKI TRAC Ticket #2323 - Firefox Warning appears in EE page launched from
within Chrome

Requests to the KRA through the CA-KRA connector use the Enrollment
Service. This has been modified to read and store any realm passed in.
The realm can be added to the request by having the admin add
an AuthzRealmDefault and AuthzRealmConstraint in a profile.
At this point, all the constraint does is verify that the realm is
one of a specified list of realms. More verification will be added
in a subsequent patch.
No attempt is made yet to allow users to specify the realm. This
would need to be added as a ProfileInput.
Part of Ticket 2041

New deployment parameters have been added to customize the serial
number range, request number range, and replica number range in
CS.cfg during installation.
The code that generates the CS.cfg has been moved closer to the
code that generates the subsystem configuration folder.
https://fedorahosted.org/pki/ticket/2278

The CS.cfg.in files have been renamed to CS.cfg to clean up the CMake
scripts and for consistency. This change does not affect the actual
files shipped in the RPM packages.
https://fedorahosted.org/pki/ticket/2278

- PKI TRAC Ticket #1669 - adminEnroll servlet EnrollSuccess.template
succeeds but fails on import into browser

Some certificate profiles have been modified to remove the default
one minute validity delay, allowing the certificates issued with
those profiles to be used immediately.
https://fedorahosted.org/pki/ticket/2304

New authority monitor code requires the USN plugin to be
enabled in the database to ensure that the entryUSN attribute
is added to authority entries.
In the case where this plugin was disabled, accessing this
attribute resulted in a null pointer exception which prevented server
startup.
The code has been changed so as not to throw a null pointer exception
on startup if the entryusn is not present, and also to call an LDIF
to enable the plugin when a subsystem is configured through pkispawn.

This patch makes a low risk attempt to slow down the loop that could be
caused by an unexpected exception caused by the unavailability of a
dependent component (e.g. HSM, LDAP) in the middle of CRL generation/update.
New configuration parameters are:
ca.crl.MasterCRL.unexpectedExceptionWaitTime
  - the wait time in minutes; default is 30
  - normally you want it to be less than ca.crl.MasterCRL.autoUpdateInterval
    and ca.crl.MasterCRL.cacheUpdateInterval
ca.crl.MasterCRL.unexpectedExceptionLoopMax
  - the max number of tries allowed before the slow-down mechanism kicks in;
    default is 10
When such an unexpected failure happens, a loop counter is kept and checked
against the unexpectedExceptionLoopMax. If the loop counter exceeds the
unexpectedExceptionLoopMax, then the current time is checked against the
time of the failure, where the time lapse must exceed the
unexpectedExceptionWaitTime to trigger a delay. This delay is the
counter measure to mitigate the amount of log messages that could flood
the log(s).
The delay is calculated like this:
waitTime = mUnexpectedExceptionWaitTime - (now - timeOfUnexpectedFailure);

Add audit events for lightweight CA administration.
Fixes: https://fedorahosted.org/pki/ticket/1590

Fixes: https://fedorahosted.org/pki/ticket/1674

PKCS #7 objects are being output with the "CERTIFICATE CHAIN" label
which is invalid (RFC 7468) and unrecognised by many programs
(including OpenSSL). Use the correct "PKCS7" label instead.
Also do a drive-by refactor of the normalizeCertAndReq to remove
some redundant code.
Fixes: https://fedorahosted.org/pki/ticket/1699

Lightweight CAs mean that we may wish to filter certificates based
on the issuer. Update X509CertImplMapper to store the issuer DN in
each certificate record, using existing schema.
Also add indices for the 'issuerName' LDAP attribute.

Implement lightweight authority deletion including CLI command. To
be deleted an authority must be disabled and have no sub-CAs.
Fixes: https://fedorahosted.org/pki/ticket/1324

This is an interim solution for supporting HSM failover by automatically
shutting down the server when the signing key becomes inaccessible.
At auto-shutdown, a crumb file will be left in the instance directory
for an external daemon to detect and restart, if necessary.
Due to a limitation of the watch dog (nuxwdog) at the present time,
the restart option currently only works if started with the watch dog (nuxwdog),
and it will prompt for passwords on the terminals.
The restart counter is to prevent the server from going into an infinite restart
loop. The administrator will have to reset autoShutdown.restart.count to 0 when the max
is reached.
(cherry picked from commit 5a9ecad9172f76ca1b94b40aedcdd49d009aceb1)

Set enable -> enabled

This will help us track whether or not a server has a feature
either offered or enabled. Ultimately, it could be used by
an admin to enable or disable features.
The Java client is not included in this commit. Will add in
a subsequent commit.