| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
| |
Duplicate log() methods for audit events have been merged into the
Logger class.
https://pagure.io/dogtagpki/issue/2689
Change-Id: I7a5147ff3221a52a82e69f56faf2156c04256db2
|
| |
|
|
|
|
|
|
|
|
| |
The pki ca-authority-find CLI has been modified to provide search
filter based on the authority ID, parent ID, authority DN, and
issuer DN.
https://pagure.io/dogtagpki/issue/2652
Change-Id: I563a0b93eb7a00ae4771069812455ecc552f407c
|
| |
|
|
|
|
|
|
|
|
|
|
| |
When modifying a profile, attributes are not cleared. Attributes
that were removed in the updated profile configuration are not
actually removed.
When updating a profile via PUT /ca/rest/profiles/{id}/raw, clear
the config store before loading the new configuration.
Fixes: https://fedorahosted.org/pki/ticket/2588
Change-Id: I4988315c57bb5d5a44deb04d41603adb39780f19
|
| |
|
|
| |
Change-Id: Ie05572677de0e8eb1244dc6caf2b4a48514a2542
|
| |
|
|
| |
Change-Id: Iade8cb7fdf3c3f93afb13ff814da0f72dc8f8049
|
| |
|
|
| |
Change-Id: Id7845ebf2a14cebe25189a8363cee759030a16cb
|
| |
|
|
|
|
|
|
|
|
| |
This resource (which will be accessed at /ca/rest/info)
will initially return the mechanism for archival.
This is needed by clients to know how to package secrets when
archiving. We may add the transport cert later.
Change-Id: Ib13d52344e38dc9b54c0d2a1645f1211dd84069b
|
| |
|
|
|
|
|
| |
Previously the audit service and CLI were only available on TPS.
Now they have been added to all subsystems.
Change-Id: I3b472254641eb887289c5122df390c46ccd97d47
|
| |
|
|
|
|
|
| |
All subclasses of PKIService have been modified to remove the
Context attribute since they have been declared in the base class.
Change-Id: Icdbe97efa2b910a579264099f817930c2cc2ed1a
|
| |
|
|
| |
Fixes: https://fedorahosted.org/pki/ticket/2601
|
| |
|
|
|
|
|
| |
Remove an unused constructor from CertRetrievalRequest, and add a
constructor that receives the CertId, simplifying usage.
Part of: https://fedorahosted.org/pki/ticket/2601
|
| |
|
|
|
| |
To help troubleshooting the CertRequestService has been modified
to chain the original exceptions.
|
| |
|
|
|
|
|
|
|
| |
The subsystem-based methods and fields in PKIService class have
been moved into a new SubsystemService class to allow creating
more generic non-subsystem-based services.
The classes that use these methods and fields have been updated
accordingly.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In the migration case, it is useful to delete the initially
created signing certificate database record and have that be
imported through the ldif data import instead.
Therefore, we add an option to remove this entry. The user
also needs to provide the serial number for the entry.
This resolves the following tickets/BZs:
BZ# 1409949/Trac 2573 - CA Certificate Issuance Date displayed
on CA website incorrect
BZ# 1409946/Trac 2571 - Request ID undefined for CA signing
certificate
|
| |
|
|
| |
Part of: https://fedorahosted.org/pki/ticket/1359
|
| |
|
|
| |
Part of: https://fedorahosted.org/pki/ticket/1359
|
| |
|
|
|
|
|
| |
To discourage the use of policy framework, the framework classes
have been moved into org.dogtagpki.legacy.
https://fedorahosted.org/pki/ticket/6
|
| |
|
|
| |
Fixes: https://fedorahosted.org/pki/ticket/1638
|
| |
|
|
|
|
|
|
| |
The method to retrieve a lightweight CA's PEM-encoded PKCS #7 cert
chain incorrectly returns X.509 data wrapped in PKCS7 PEM header.
Return proper PKCS #7 data.
Fixes: https://fedorahosted.org/pki/ticket/2433
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Ticket #2406 Make starting CRL Number configurable
This simple patch provides a pkispawn config param that passes
some starting crl number value to the config process.
Here is a sample:
[CA]
pki_ca_starting_crl_number=4000
After the CA comes up the value of "crlNumber" in the db will
reflect that value of 4000.
Currently no other values are changed. We can talk about if we
need more values reset in the given case.
Also, this creates a setting in the CS.cfg
ca.crl.MasterCrl.startingCrlNumber=4000
This setting is only consulted when the crl Issuing Point record is created
for the first time.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
If certificate issuance fails during lightweight CA creation (e.g.
due to a profile constraint violation such as Subject DN not
matching pattern) the API responds with status 500.
Raise BadRequestDataException if cert issuance fails in a way that
indicates bad or invalid CSR data, and catch it to respond with
status 400.
Also do some drive-by exception chaining.
Fixes: https://fedorahosted.org/pki/ticket/2388
|
| |
|
|
|
|
|
| |
Some REST services have been fixed to return the response in XML
format by default.
https://fedorahosted.org/pki/ticket/1276
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add the CertificateAuthority.renewAuthority() method that creates
and processes a renewal request for the lightweight CA's signing
cert. The new certificate replaces the old certificate in the NSSDB
and the serial number is stored in the 'authoritySerial' attribute.
Clones observe when the 'authoritySerial' attribute has changed and
update the certificate in their NSSDB, too.
The renewal behaviour is available in the REST API as a POST to
/ca/rest/authorities/<id>/renew.
Fixes: https://fedorahosted.org/pki/ticket/2327
|
| |
|
|
|
|
|
|
|
|
| |
When processing a request whose target CA has been deleted in
between request submission and request approval, the server does not
handle the CANotFoundException, resulting in response status 500.
Catch the CANotFoundException and respond with status 410 Gone.
Fixes: https://fedorahosted.org/pki/ticket/2332
|
| |
|
|
|
|
|
|
|
|
|
| |
The RenewalProcessor.processRenewal() has been modified to get the
serial number of the certificate to renew from the profile input
in addition to the <SerialNumber> attribute and client certificate.
The serialNum field in CertEnrollmentRequest has been modified to
use CertId which accepts both decimal and hexadecimal value.
https://fedorahosted.org/pki/ticket/999
|
| |
|
|
|
|
|
| |
The date on which the certificate is revoked and the agent that
revoked it is displayed now in cert-find and cert-show output.
Ticket 1055
|
| |
|
|
|
|
|
|
| |
Add issuer DN and serial number to the AuthorityData object, as
read-only attributes. Values are displayed in the CLI, when present
in the response data.
Fixes: https://fedorahosted.org/pki/ticket/1618
|
| |
|
|
|
|
|
|
| |
Now that Dogtag can host multiple CAs in a single instance, indicate
the issuer DN in the CertDataInfo structure that is returned for
certificate searches.
Fixes: https://fedorahosted.org/pki/ticket/2322
|
| |
|
|
|
|
|
|
|
| |
Accept the string "host-authority" as a valid reference to the host
authority when creating a sub-CA. This is a convenience for users,
and for systems that do not know (and do not want to look up) the ID
of the host authority.
Part of: https://fedorahosted.org/pki/ticket/1625
|
| |
|
|
|
|
|
|
|
|
| |
When a lightweight CA is created, clones will initialise a local
object when the LDAP replication takes place, however, the signing
keys will not yet have been replicated. Therefore, indicate CA
readiness in authority data and respond appropriately (HTTP 503)
when signing operations are attempted.
Part of: https://fedorahosted.org/pki/ticket/1625
|
| |
|
|
|
| |
Also drive-by refactor 'createProfileData' to use 'getProfile',
reducing code size.
|
| |
|
|
|
|
| |
Add audit events for lightweight CA administration.
Fixes: https://fedorahosted.org/pki/ticket/1590
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Enrol new CA certs via the profile subsystem to ensure that the
usual audit events are logged and to avoid the nasty ConfigStore
hack used to generate the cert via CertUtil.
This commit also fixes an issue where the new CA certificate does
not have the correct Authority Key Identifier extension.
Fixes: https://fedorahosted.org/pki/ticket/1624
Fixes: https://fedorahosted.org/pki/ticket/1632
|
| |
|
|
| |
Fixes: https://fedorahosted.org/pki/ticket/1628
|
| |
|
|
|
|
|
|
|
|
| |
In several places we are casting a `Principal' to `PKIPrincpal',
when `GenericPrincpal' or even no cast will suffice. In upcoming
external authentication support externally authenticated principals
will not be instances of `PKIPrincipal', so weaken assumptions about
type of the principal where possible.
Part of: https://fedorahosted.org/pki/ticket/1359
|
| |
|
|
|
|
|
|
| |
The REST profile service current responds 400 on conflicting
operations, indicating that the client sent a bad request when this
not the case. Respond with 409 Conflict instead.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1257518
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Avoid race conditions in the LDAPProfileSubsystem by tracking the
most recently known entryUSN of profiles' LDAP entries.
As part of this change, add the commitProfile method to the
IProfileSubsystem interface, remove commit behaviour from the
enableProfile and disableProfile methods and update ProfileService
and ProfileApproveServlet to commit the profile (using the
commitProfile method) where needed.
Part of: https://fedorahosted.org/pki/ticket/1700
|
| |
|
|
| |
Part of: https://fedorahosted.org/pki/ticket/1700
|
| |
|
|
|
|
|
| |
Implement lightweight authority deletion including CLI command. To
be deleted an authority must be disabled and have no sub-CAs.
Fixes: https://fedorahosted.org/pki/ticket/1324
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The CertProcessor.setCredentialsIntoContext() and CAProcessor.
authenticate() methods have been modified such that they can
accept credentials provided via the AuthCredentials (for REST
services) or via the HttpServletRequest (for legacy servlets).
The CertEnrollmentRequest has been modified to inherit from
ResourceMessage such that REST clients can provide the credentials
via request attributes.
https://fedorahosted.org/pki/ticket/1463
|
| |
|
|
|
|
|
|
|
| |
This will help us track whether or not a server has a feature
either offered or enabled. Ultimately, it could be used by
an admin to enable or disable features.
The Java client is not included in this commit. Will add in
a subsequent commit.
|
| |
|
|
|
|
|
|
| |
Add the optional "ca" query parameter for REST cert request
submission. Also update the ca-cert-request-submit CLI command with
an option to provide an AuthorityID.
Part of: https://fedorahosted.org/pki/ticket/1213
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
This commit adds initial support for "lightweight CAs" - CAs that
inhabit an existing CA instance and share the request queue and
certificate database of the "top-level CA".
We initially support only sub-CAs under the top-level CA - either
direct sub-CAs or nested. The general design will support hosting
unrelated CAs but creation or import of unrelated CAs is not yet
implemented.
Part of: https://fedorahosted.org/pki/ticket/1213
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The CA services have been modified to inject request hostname and
address into the certificate request object such that they will be
stored in the database. This fixes the problem with requests
submitted either via the UI or the CLI.
An unused method in CertRequestResource has been removed. Some
debug messages have been cleaned as well.
https://fedorahosted.org/pki/ticket/1535
|
| |
|
|
|
|
|
|
|
|
| |
Due to database upgrade issue the pki <subsystem>-audit CLI has
been removed from all subsystems except TPS.
The AuditModifyCLI has been modified to clarify that the --action
and the --input parameters are mutually exclusive.
https://fedorahosted.org/pki/ticket/1437
|
| |
|
|
|
|
|
|
| |
The CertService.searchCerts() has been modified to use the VLV
properly to retrieve just the entries in the requested page, thus
reducing the response time and memory requirement.
Some classes have been modified to clean up the debugging logs.
|
| |
|
|
|
|
|
|
| |
To improve the performance the default LDAP filter generated by
cert-find has been changed to (certStatus=*) to match an existing
VLV index.
https://fedorahosted.org/pki/ticket/1449
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Creating or modifying a profile with bad profile data in the "raw"
format succeeds and saves the bad data. After restart, the profile
cannot be loaded and attempting to use, modify or delete or recreate
the profile will fail.
Verify raw profile data by instantiating a temporary profile and
attempting to initialise it with the received configuration.
Fixes: https://fedorahosted.org/pki/ticket/1462
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Ticket #1442.
This fix gives the command line enrollment commands the ability to enroll a cert against a profile
that has been marked as not visible but "enabled".
With the simple fix the following scenarios tested to work:
The "caUserCert" Profile was marked as not visible, but enabled.
1. pki -c Secret123 client-cert-request --profile caUserCert uid=jmagne
This is the simplest form of user cert enrollment.
2. pki ca-cert-request-profile-show caUserCert --output testuser.xml
pki ca-cert-request-submit testuser.xml
The first command gives us the profile's xml file, which after modification is used to enroll.
3. pki -d ~/.dogtag/pki -c "" -n "PKI Administrator for localdomain" ca-profile-show caUserCert
This one shows that we can view the contents of a non visible profile. Listing is not allowed.
We felt this appropiate to allow a command line user to get the details of a non visible profile that
they know aobut and want to use.
|
