Duplicate log() methods for audit events have been merged into the
Logger class.
https://pagure.io/dogtagpki/issue/2689
Change-Id: I7a5147ff3221a52a82e69f56faf2156c04256db2

Signed audit logger creation has been simplified into:
Logger signedAuditLogger = SignedAuditLogger.getLogger();
The null checks on signed audit logger have been removed since
it cannot be null. Audit messages can be logged as follows:
signedAuditLogger.log(message);
https://pagure.io/dogtagpki/issue/2689
Change-Id: I3bf781b0194a6cbb166f71751c098d1c2a3a657a

Some OCSP-related classes have been modified to detect errors and
handle exceptions properly.
https://pagure.io/dogtagpki/issue/2652
Change-Id: Ifd054c47d04ff106120df2d7f3705366c7de9da9

Some log messages have been added into OCSP-related classes for
clarity.
https://pagure.io/dogtagpki/issue/2652
Change-Id: I7eda806a3103ac235a5d3e073db8c60a9b3d482d

A new FULL_CRL_PUBLISHING audit event has been added which will
be generated when full CRL publishing is complete.
https://pagure.io/dogtagpki/issue/2651
Change-Id: I4461b03f4afd300b65e9d12c7d0bfa935b4e7082

A new FULL_CRL_GENERATION audit event has been added which will
be generated when full CRL generation is complete.
https://pagure.io/dogtagpki/issue/2651
Change-Id: I74b083721e477ad72fe5a787935af617e89a6968

A new DELTA_CRL_PUBLISHING audit event has been added which will
be generated when delta CRL publishing is complete.
https://pagure.io/dogtagpki/issue/2651
Change-Id: I38f84fc2d00ea57ef13f0ee50998da9239437372

A new DELTA_CRL_GENERATION audit event has been added which will
be generated when delta CRL generation is complete.
https://pagure.io/dogtagpki/issue/2651
Change-Id: Ic4759ac2d90b6915443587708292d0f51e11345f

The code related to full CRL generation has been moved into
generateFullCRL().
https://pagure.io/dogtagpki/issue/2651
Change-Id: I6a23c97255ba7095e168e927621f0503923251c2

The code related to delta CRL generation has been moved into
generateDeltaCRL().
https://pagure.io/dogtagpki/issue/2651
Change-Id: Ic38c654cea03fe8748bd9663b5414fbe8e762f26

The code that generates full CRL in updateCRLNow()
in CRLIssuingPoint has been refactored into a separate
generateFullCRL() method for clarity.
https://pagure.io/dogtagpki/issue/2651
Change-Id: I4356f3ba71e523cb0f8fa8aa25c34a7a6b6ac49e

The code that generates delta CRL in updateCRLNow()
in CRLIssuingPoint has been refactored into a separate
generateDeltaCRL() method for clarity.
https://pagure.io/dogtagpki/issue/2651
Change-Id: I494524ba3fffd89e4edd995c2fa32b9f55104c4a

The code that generates CRLExtensions in updateCRLNow()
in CRLIssuingPoint has been refactored into a separate
generateCRLExtensions() method for clarity.
https://pagure.io/dogtagpki/issue/2651
Change-Id: I33d7477ccb8b408c54d9c026dea070a7198beffd

There was some confusion in the previous commit for archival
logging. The archivalID is the id provided by the CA for the archival
and is its requestID. This allows the cert request operation
to be tracked through the archival.
Made sure therefore, that we have two fields - one for the archivalID
and one for the requestId (which is the KRA archival request ID)
In addition, some of the archival events occur in the CA component
just before the request id sent to the KRA. These events will not
be displayed unless the audit event is added to the CA CS.cfg.
Change-Id: I3904d42ae677d5916385e0120f0e25311b4d9d08

This patch encapsulates the SECURITY_DATA_ARCHIVAL_REQUEST and
PRIVATE_DATA_ARCHIVAL_REQUEST audit logs as audit events.
The PRIVATE_DATA_ARCHIVAL_REQUEST events are mapped to the
SECURITY_DATA ones to simplify the whole structure. They
used to provide an archivalID parameter which was pretty much
meaningless as it was at best just the same as the request id
which is already logged. So this is now dropped.
Change-Id: I705d25ce716c73f2c954c5715b0aafdad80b99d2

The RevocationRequestListener.accept() has been reformatted to
adjust the indentations after refactoring.
https://pagure.io/dogtagpki/issue/2651
Change-Id: Ia94667b88dd48e3e0cf28ee3dd7eb5a5b4dee4b3

The RevocationRequestListener.accept() has been refactored to
reduce deeply nested if-statements with early return.
https://pagure.io/dogtagpki/issue/2651
Change-Id: I11dac11f05a4e3626043f4cfa56feacf01e6d5dd

New audit(AuditEvent) methods have been added alongside the
existing audit(String) methods.
Change-Id: Ia02a7daa8b9e8693208fe34309d8d727cc32ce54

Change-Id: Ib4586443f7e6f759d227975f9736cdd30b8f32e8

This patch provides methods that can be shared between the CA and the ISharedToken plugins:
1. the convenience routines for quick encryption, decryption, hashing methods that take default algorithms.
2. The establishment of Issuance Protection Certificate

Direct invocations of CryptoManager.getTokenByName() have been
replaced with CryptoUtil.getCryptoToken() and getKeyStorageToken()
to ensure that internal token names are handled consistently both
in normal mode and FIPS mode.
https://fedorahosted.org/pki/ticket/2556

The code that detects the internal token name has been modified to
use CryptoUtil.isInternalToken() such that the comparison can be
done consistently both in normal mode and FIPS mode.
https://fedorahosted.org/pki/ticket/2556

The internal token full name literals have been replaced with
CryptoUtil.INTERNAL_TOKEN_FULL_NAME.
https://fedorahosted.org/pki/ticket/2556

Currently we try to parse the entryUSN into an Integer, which wraps
the 'int' primitive type. If entryUSN value is too large to fit in
'int', NumberFormatException is raised.
Change LDAPProfileSubsystem and CertificateAuthority to use
BigInteger for entryUSN values.
Fixes: https://fedorahosted.org/pki/ticket/2579

The Constants.PR_INTERNAL_TOKEN has been replaced with
CryptoUtil.INTERNAL_TOKEN_NAME since they are identical.
https://fedorahosted.org/pki/ticket/2556

Part of: https://fedorahosted.org/pki/ticket/1359

To discourage the use of policy framework, the framework classes
have been moved into org.dogtagpki.legacy.
https://fedorahosted.org/pki/ticket/6

To reduce Eclipse warnings, classes and methods related to policy
framework have been undeprecated. In the future the policy
framework may be removed since it has already been replaced with
the profile framework.
https://fedorahosted.org/pki/ticket/6

CA startup creates an LWCA entry for the host authority if it
determines that one has not already been created. It determines if
an LWCA entry corresponds to the host CA by comparing the DN from
LDAP with the DN from the host authority's certificate.
If the DN from the host authority's certificate contains values
encoded as PrintableString, it will compare unequal to the DN from
LDAP, which parses to UTF8String AVA values. This causes the
addition of a spurious host authority entry every time the server
starts.
Serialise DNs before comparing, to avoid these false negatives.
Fixes: https://fedorahosted.org/pki/ticket/2475

During two-step installation of externally-signed CA, installation
can fail because host authority's private key cannot be located (a
temporary condition), causing LWCA key replication to fire, which
throws NullPointerException because the host authority's AuthorityID
has not been set yet.
Do not start key retrieval if the CA's AuthorityID is null (a
condition which implies that the CA is the host authority).
Fixes: https://fedorahosted.org/pki/ticket/2466

To help troubleshooting, the SigningUnit for CA has been modified
to show additional log messages.
https://fedorahosted.org/pki/ticket/2463

To help troubleshooting, the SigningUnit for CA and OCSP have been
modified to chain the original exceptions.
https://fedorahosted.org/pki/ticket/2463

When processing lightweight CAs, currently we perform the entryUSN
check before the host authority check. If the entry does not have
an entryUSN attribute, and if the DS USN plugin is not enabled, the
entry gets skipped and we do not reach the host authority check.
This causes the CA to believe that it has not seen the host
authority entry, and results in additional entries being added.
Move the host authority check before the entryUSN check to avoid
this scenario.
Fixes: https://fedorahosted.org/pki/ticket/2444

Currently we abort adding a lightweight CA if its entry does not
have an 'entryUSN' attribute, and log a failure, even if the USN
plugin is enabled. But if the plugin is enabled, it's fine to
proceed.
Update the authority monitor to check if the USN plugin is enabled
and only log the failure if it is not. Clarify the log message
accordingly.
Part of: https://fedorahosted.org/pki/ticket/2444

If authorityMonitor observes the deletion of the host CA's authority
entry, it will treat it the same as any other lightweight CA and
delete the signing cert AND KEY from the NSSDB. Because the database
is replicated, the change would be observed and deletion immediately
effected on all running clones. Unless the main CA private key is
backed up somewhere there is no way to recover from this.
Although this scenario does not arise in normal operation, the
impact is severe so add a check that prevents cert and key deletion
for host authority.
Fixes: https://fedorahosted.org/pki/ticket/2443

Fixes: https://fedorahosted.org/pki/ticket/1638

The URLs were generated by a UriBuilder that referred to the resource's
annotated path. This top-level path changed though, even if the underlying
paths did not. Replace this with a reference to the getX methods instead.
Also fixed a few Eclipse-flagged warnings (unused imports etc).
Ticket 2447

The CA subsystem OCSP responder was updated to handle dispatching
OCSP requests to the relevant CertificateAuthority instance,
according to the issuer of the certificates identified in the
request. Unfortunately, the updated routine assumes that the
database updates that enable lightweight CAs have occurred. If they
have not, the OCSP responder always fails.
Fix the issue by inferring that if 'caMap' is empty, lightweight CAs
are not in use, the current instance is the one and only CA, and
proceed straight to validation.
Fixes: https://fedorahosted.org/pki/ticket/2420

Ticket #2406 Make starting CRL Number configurable
This simple patch provides a pkispawn config param that passes
some starting crl number value to the config process.
Here is a sample:
[CA]
pki_ca_starting_crl_number=4000
After the CA comes up the value of "crlNumber" in the db will
reflect that value of 4000.
Currently no other values are changed. We can talk about if we
need more values reset in the given case.
Also, this creates a setting in the CS.cfg
ca.crl.MasterCrl.startingCrlNumber=4000
This setting is only consulted when the crl Issuing Point record is created
for the first time.

The SigningUnit.init() has been modified to chain the exceptions
to help troubleshooting.
https://fedorahosted.org/pki/ticket/2399

If certificate issuance fails during lightweight CA creation (e.g.
due to a profile constraint violation such as Subject DN not
matching pattern) the API responds with status 500.
Raise BadRequestDataException if cert issuance fails in a way that
indicates bad or invalid CSR data, and catch it to respond with
status 400.
Also do some drive-by exception chaining.
Fixes: https://fedorahosted.org/pki/ticket/2388

The fix here is to make sure no archive related audits get issued for doing
things other than key archivals.
Other operations such as revoking and unrevoking cert in the code path already
have audit logs issued separately for success or failure.
Ticket #2340.

If an authority entry is read with the authoritySerial attribute,
and the serial differs from the known serial or the serial was
previously unknown, Dogtag attempts to update the certificate in the
NSSDB. The procedure is carried out during initialisation, and if it
fails an exception is thrown, causing the CA to remain unknown.
If the signing key is not yet in the NSSDB, the update is certain to
fail. This can happen e.g. if CA is created on one clone while
another clone is down. When the other clone comes up, it will
immediately see the authoritySerial and trigger this scenario.
To avoid this scenario, only attempt to update the certificate if
the signing unit initialisation completed successfully, implying the
presence of the signing key.
Fixes: https://fedorahosted.org/pki/ticket/2359

The ExternalProcessKeyRetriever currently uses a hackish format
where the certificate and PKIArchiveOptions data are separated by a
null byte. Update the code to expect JSON instead.
No backwards compatibility is provided because at time of writing
the ExternalProcessKeyRetriever is only used in a FreeIPA feature
still under development.
Fixes: https://fedorahosted.org/pki/ticket/2351

Add the CertificateAuthority.renewAuthority() method that creates
and processes a renewal request for the lightweight CA's signing
cert. The new certificate replaces the old certificate in the NSSDB
and the serial number is stored in the 'authoritySerial' attribute.
Clones observe when the 'authoritySerial' attribute has changed and
update the certificate in their NSSDB, too.
The renewal behaviour is available in the REST API as a POST to
/ca/rest/authorities/<id>/renew.
Fixes: https://fedorahosted.org/pki/ticket/2327

The IPACustodiaKeyRetriever doesn't really do anything specific to
IPA or Custodia; it merely executes a certain executable with a
particular behavioural contract.
Add support for passing configuration to KeyRetriever instances, and
rename IPACustodiaKeyRetriever to ExternalProcessKeyRetriever,
updating it to use the "executable" config property instead of a
hardcoded filename.
Part of: https://fedorahosted.org/pki/ticket/1625

If lightweight CA key retrieval fails, retry the retrieval after a
delay of 10 seconds initially, increasing thereafter.
Fixes: https://fedorahosted.org/pki/ticket/2293

If additional LDAP events are processed for a lightweight CA while
key retrieval proceeds in another thread, when retrieval is
complete, the KeyRetrieverRunner reinitialises the signing unit of a
stale object.
Instead of holding onto a CertificateAuthority, hold onto the
AuthorityID and look it up afresh when ready to reinitialise its
SigningUnit.
Part of: https://fedorahosted.org/pki/ticket/2293

Before implementing lightweight CA key retrieval retry with
exponential backoff, ensure that only one key retriever thread can
execute at a time, for each CA.
Also make SigningUnit initialisation (initSigUnit) synchronised.
Part of: https://fedorahosted.org/pki/ticket/2293

When processing a CA deletion that occurred on another clone, remove
the CA's certificate and key from the local NSSDB.
Fixes: https://fedorahosted.org/pki/ticket/2328