| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
| |
To help troubleshooting the SigningUnit for CA and OCSP have been
modified to chain the original exceptions.
https://fedorahosted.org/pki/ticket/2463
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
When processing lightweight CAs, currently we perform the entryUSN
check before the host authority check. If the entry does not have
an entryUSN attribute, and if the DS USN plugin is not enabled, the
entry gets skipped and we do not reach the host authority check.
This causes the CA to believe that it has not seen the host
authority entry, and results in additional entries being added.
Move the host authority check before the entryUSN check to avoid
this scenario.
Fixes: https://fedorahosted.org/pki/ticket/2444
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Currently we abort adding a lightweight CA if its entry does not
have an 'entryUSN' attribute, and log a failure, even if the USN
plugin is enabled. But if the plugin is enabled, it's fine to
proceed.
Update the authority monitor to check if the USN plugin is enabled
and only log the failure if it is not. Clarify the log message
accordingly.
Part of: https://fedorahosted.org/pki/ticket/2444
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If authorityMonitor observes the deletion of the host CA's authority
entry, it will treat it the same as any other lightweight CA and
delete the signing cert AND KEY from the NSSDB. Because the database
is replicated, the change would be observed and deletion immediately
effected on all running clones. Unless the main CA private key is
backed up somewhere there is no way to recover from this.
Although this scenario does not arise in normal operation, the
impact is severe so add a check that prevents cert and key deletion
for host authority.
Fixes: https://fedorahosted.org/pki/ticket/2443
|
| |
|
|
| |
Fixes: https://fedorahosted.org/pki/ticket/1638
|
| |
|
|
|
|
|
|
|
|
| |
The URLs were generated by a UriBuilder that referred to the resource's
annotated path. This top-level path changed though, even if the underlying
paths did not. Replace this with a reference to the getX methods instead.
Also fixed a few eclipse flagged warnings (unused imports etc).
Ticket 2447
|
| |
|
|
|
|
|
|
| |
The method to retrieve a lightweight CA's PEM-encoded PKCS #7 cert
chain incorrectly returns X.509 data wrapped in PKCS7 PEM header.
Return proper PKCS #7 data.
Fixes: https://fedorahosted.org/pki/ticket/2433
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The CA subsystem OCSP responder was updated to handle dispatching
OCSP requests to the relevant CertificateAuthority instance,
according to the issuer of the certificates identified in the
request. Unfortunately, the updated routine assumes that the
database updates that enable lightweight CAs have occurred. If they
have not, the OCSP responder always fails.
Fix the issue by inferring that if 'caMap' is empty, lightweight CAs
are not in use, the current instance is the one and only CA, and
proceed straight to validation.
Fixes: https://fedorahosted.org/pki/ticket/2420
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Ticket #2406 Make starting CRL Number configurable
This simple patch provides a pkispawn config param that passes
some starting crl number value to the config process.
Here is a sample:
[CA]
pki_ca_starting_crl_number=4000
After the CA comes up the value of "crlNumber" in the db will
reflect that value of 4000.
Currently no other values are changed. We can talk about if we
need more values reset in the given case.
Also, this creates a setting in the CS.cfg
ca.crl.MasterCrl.startingCrlNumber=4000
This setting is only consulted when the crl Issuing Point record is created
for the first time.
|
| |
|
|
|
|
|
| |
The SigningUnit.init() has been modified to chain the exceptions
to help troubleshooting.
https://fedorahosted.org/pki/ticket/2399
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
If certificate issuance fails during lightweight CA creation (e.g.
due to a profile constraint violation such as Subject DN not
matching pattern) the API responds with status 500.
Raise BadRequestDataException if cert issuance fails in a way that
indicates bad or invalid CSR data, and catch it to respond with
status 400.
Also do some drive-by exception chaining.
Fixes: https://fedorahosted.org/pki/ticket/2388
|
| |
|
|
|
|
|
|
| |
Look for the right JAX-RS API JAR (it has moved in Fedora 25).
Also remove a lot of redundant 'find_file' operations for this JAR.
Fixes: https://fedorahosted.org/pki/ticket/2373
|
| |
|
|
|
|
|
|
|
|
| |
The fix here is to make sure no archive related audits get issued for doing
things other than key archivals.
Other operations such as revoking and unrevoking cert in the code path laready
have audit logs issued separately for success or failure.
Ticket #2340.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If an authority entry is read with the authoritySerial attribute,
and the serial differs from the known serial or the serial was
previously unknown, Dogtag attempts to update the certificate in the
NSSDB. The procedure is carried out during initialisation, and if it
fails an exception is thrown, causing the CA to remain unknown.
If the signing key is not yet in the NSSDB, the update is certain to
fail. This can happen e.g. if CA is created on one clone while
another clone is down. When the other clone comes up, it will
immediately see the authoritySerial and trigger this scenario.
To avoid this scenario, only attempt to update the certificate if
the signing unit initialisation completed successfully, implying the
presence of the signing key.
Fixes: https://fedorahosted.org/pki/ticket/2359
|
| |
|
|
|
|
|
| |
Some REST services have been fixed to return the response in XML
format by default.
https://fedorahosted.org/pki/ticket/1276
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The ExternalProcessKeyRetriever currently uses a hackish format
where the certificate and PKIArchiveOptions data are separated by a
null byte. Update the code to expect JSON instead.
No backwards compatibility is provided because at time of writing
the ExternalProcessKeyRetriever is only used in a FreeIPA feature
still under development.
Fixes: https://fedorahosted.org/pki/ticket/2351
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add the CertificateAuthority.renewAuthority() method that creates
and processes a renewal request for the lightweight CA's signing
cert. The new certificate replaces the old certificate in the NSSDB
and the serial number is stored in the 'authoritySerial' attribute.
Clones observe when the 'authoritySerial' attribute has changed and
update the certificate in their NSSDB, too.
The renewal behaviour is available in the REST API as a POST to
/ca/rest/authorities/<id>/renew.
Fixes: https://fedorahosted.org/pki/ticket/2327
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The IPACustodiaKeyRetriever doesn't really do anything specific to
IPA or Custodia; it merely executes a certain executable with a
particular behavioural contract.
Add support for passing configuration to KeyRetriever instances, and
rename IPACustodiaKeyRetriever to ExternalProcessKeyRetriever,
updating it to use the "executable" config property instead of a
hardcoded filename.
Part of: https://fedorahosted.org/pki/ticket/1625
|
| |
|
|
|
|
|
| |
If lightweight CA key retrieval fails, retry the retieval after a
delay of 10 seconds initially, increasing thereafter.
Fixes: https://fedorahosted.org/pki/ticket/2293
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
If additional LDAP events are processed for a lightweight CA while
key retrieval proceeds in another thread, when retrieval is
complete, the KeyRetrieverRunner reinitialises the signing unit of a
stale object.
Instead of holding onto a CertificateAuthority, hold onto the
AuthorityID and look it up afresh when ready to reinitialise its
SigningUnit.
Part of: https://fedorahosted.org/pki/ticket/2293
|
| |
|
|
|
|
|
|
|
|
| |
Before implementing lightweight CA key retrieval retry with
exponential backoff, ensure that only one key retriever thread can
execute at a time, for each CA.
Also make SigningUnit initialisation (initSigUnit) synchronised.
Part of: https://fedorahosted.org/pki/ticket/2293
|
| |
|
|
|
|
|
|
|
|
| |
When processing a request whose target CA has been deleted in
between request submission and request approval, the server does not
handle the CANotFoundException, resulting in response status 500.
Catch the CANotFoundException and respond with status 410 Gone.
Fixes: https://fedorahosted.org/pki/ticket/2332
|
| |
|
|
|
|
|
| |
When processing a CA deletion that occurred on another clone, remove
the CA's certificate and key from the local NSSDB.
Fixes: https://fedorahosted.org/pki/ticket/2328
|
| |
|
|
|
|
|
|
|
| |
When deleting lightweight CAs, the call to
CryptoStore.deletePrivateKey() throws an exception because the
preceding call to CryptoStore.deleteCert() also deletes the key.
Remove the redundant call and add some commentary.
Fixes: https://fedorahosted.org/pki/ticket/1640
|
| |
|
|
|
|
|
|
|
|
|
| |
The RenewalProcessor.processRenewal() has been modified to get the
serial number of the certificate to renew from the profile input
in addition to the <SerialNumber> attribute and client certificate.
The serialNum field in CertEnrollmentRequest has been modified to
use CertId which accepts both decimal and hexadecimal value.
https://fedorahosted.org/pki/ticket/999
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch fixes the following areas:
* In the CA, when revokeCert is called, make it possible to move from on_hold
to revoke.
* In the servlet that handles TPS revoke (DoRevokeTPS), make sure it allows
the on_hold cert to be put in the bucket to be revoked.
* there are a few minor fixes such as typos and one have to do with the
populate method in SubjectDNInput.java needs better handling of subject in
case it's null.
Note: This patch does not make attempt to allow agents to revoke certs that
are on_hold from agent interface. The search filter needs to be modified to
allow that.
|
| |
|
|
|
|
|
| |
The date on which the certificate is revoked and the agent that
revoked it is displayed now in cert-find and cert-show output.
Ticket 1055
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Right now, if publishing is enabled, both CRLs and Cert publishing
is enabled. This causes a bunch of spurious error messages on
IPA servers as cert publishing is not configured.
As it is impossible to determine if cert publishing is not desired
or simply misconfigured, we provide options to explicitly disable
either cert or crl publishing.
Specifically:
* to enable/disable both cert and crl publishing:
ca.publish.enable = True/False
This is the legacy behavior.
* to enable CRL publishing only:
ca.publish.enable = True
ca.publish.cert.enable = False
* to enable cert publishing only:
ca.publish.enable = True
ca.publish.crl.enable = False
Ticket 2275
|
| |
|
|
|
|
|
|
| |
Add issuer DN and serial number to the AuthorityData object, as
read-only attributes. Values are displayed in the CLI, when present
in the response data.
Fixes: https://fedorahosted.org/pki/ticket/1618
|
| |
|
|
|
|
|
| |
To help troubleshooting the code has been modified to log more
detailed information in pre-op mode.
https://fedorahosted.org/pki/ticket/1654
|
| |
|
|
|
|
|
|
| |
Now that Dogtag can host multiple CAs in a single instance, indicate
the issuer DN in the CertDataInfo structure that is returned for
certificate searches.
Fixes: https://fedorahosted.org/pki/ticket/2322
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Requests to the KRA through the CA-KRA connector use the Enrollment
Service. This has been modified to read and store any realm passed in.
The realm can be added to the request by havibg the admin add
a AuthzRealmDefault and AuthzRealmConstraint in a profile.
At this point, all the constraint does is verify that the realm is
one of a specified list of realms. More verification will be added
in a subsequent patch.
No attempt is made yet to allow users to specify the realm. This
would need to be added as a ProfileInput.
Part of Ticket 2041
|
| |
|
|
|
|
|
|
|
| |
Accept the string "host-authority" as a valid reference to the host
authority when creating a sub-CA. This is a convenience for users,
and for systems that do not know (and do not want to look up) the ID
of the host authority.
Part of: https://fedorahosted.org/pki/ticket/1625
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Add 'IPACustodiaKeyRetriever', a 'KeyRetriever' implementation for
use when Dogtag is deployed as a FreeIPA CA. The Java class invokes
'pki-ipa-retrieve-key', a Python script that retrieves lightweight
CA keys from the Custodia server on a replica that possesses the
keys. 'pki-ipa-retrieve-key' depends on FreeIPA libraries, FreeIPA
server configuration, and Kerberos and Custodia keys owned by
'pkiuser'.
Part of: https://fedorahosted.org/pki/ticket/1625
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Add the framework for key retrieval when a lightweight CA is missing
its signing key. This includes all the bits for loading a
KeyRetriever implementation, initiating retrieval in a thread and
updating the record of which clones possess the key if retrieval was
successful.
It does not include a KeyRetriever implementation. A subsequent
commit will provide this.
Part of: https://fedorahosted.org/pki/ticket/1625
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
New authority monitor code requires the USN plugin to be
enabled in the database to ensure that the entryUSN attribute
is added to authority entries.
In the case where this plugin was disabled, accessing this
attribute resulted in a null pointer exception whch prevented server
startup.
The code has been changed so as not to throw a null pointer exception
on startup if the entryusn is not present, and also to call an LDIF
to enable the plugin when a subsystem is configured through pkispawn.
|
| |
|
|
|
|
|
|
|
|
| |
When a lightweight CA is created, clones will initialise a local
object when the LDAP replication takes place, however, the signing
keys will not yet have been replicated. Therefore, indicate CA
readiness in authority data and respond appropriately (HTTP 503)
when signing operations are attempted.
Part of: https://fedorahosted.org/pki/ticket/1625
|
| |
|
|
|
|
|
|
|
|
|
|
| |
When initialising a lightweight CA, if we do not have the signing
cert and key in the NSSDB yet, we do not initialise the DN. This
causes NPE in other code that expects getX500Name() to return a
value, e.g. REST API to list or show CA.
To work around this, when loading lightweight CAs set the DN based
on the 'authorityDN' value stored in its LDAP entry.
Part of: https://fedorahosted.org/pki/ticket/1625
|
| |
|
|
|
|
|
|
|
|
|
| |
Implement a thread that performs an LDAP persistent search to keep a
running CA's view of lightweight CAs in sync with the database.
Signing key replication is not yet supported; this will be
implemented in a later patch and will not use the database to
propagate keys.
Part of: https://fedorahosted.org/pki/ticket/1625
|
| |
|
|
|
|
|
|
|
| |
LDAP code to add, modify and delete authority entries exists in
multiple places. Extract these methods to remove this duplication
and provide a cleaner basis for upcoming implementation of
replication handling.
Part of: https://fedorahosted.org/pki/ticket/1625
|
| |
|
|
|
|
|
|
| |
To reduce the amount of code that would be run in the persistent
search thread, extract the host authority entry creation out of the
'loadLightweightCAs' method, into 'CertificateAuthority.init'.
Part of: https://fedorahosted.org/pki/ticket/1625
|
| |
|
|
| |
Part of: https://fedorahosted.org/pki/ticket/1625
|
| |
|
|
|
|
|
| |
Use a static database connection factory that is initialised by the
host authority and used by all CertificateAuthority instances.
Part of: https://fedorahosted.org/pki/ticket/1625
|
| |
|
|
|
|
|
|
|
|
| |
Add the CAMissingCertException and CAMissingKeyException classes and
throw when signing unit initialisation fails due to a missing
object. In CertificateAuthority, store the exception if it occurs
for possible re-throwing later. Also add the private 'hasKeys'
field for internal use.
Part of: https://fedorahosted.org/pki/ticket/1625
|
| |
|
|
|
|
|
|
| |
The CertificateAuthority.getCACert() has been modified to re-throw
the exception instead of ignoring it. All callers have been
modified to bubble up the exception.
https://fedorahosted.org/pki/ticket/1654
|
| |
|
|
|
| |
Also drive-by refactor 'createProfileData' to use 'getProfile',
reducing code size.
|
| |
|
|
|
|
| |
If an OCSP request includes CertIDs for certificates issued by
multiple CAs, return 'unknown' CertStatus for all certificates not
issued by the "signing" CA.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch makes a low risk attempt to slow down the loop that could be
caused by an unexpected exception caused by the unavailability of a
dependant component (e.g. HSM, LDAP) in the middle of CRL generation/update.
New configuration parameters are:
ca.crl.MasterCRL.unexpectedExceptionWaitTime
- the wait time in minutes; default is 30
- normally you want it to be less than ca.crl.MasterCRL.autoUpdateInterval
and ca.crl.MasterCRL.cacheUpdateInterval
ca.crl.MasterCRL.unexpectedExceptionLoopMax
- the max number of tries allowed before the slow down mechanism kicks in;
default is 10
When such unexpected failure happens, a loop counter is kept and checked
against the unexpectedExceptionLoopMax. If the loop counter exceeds the
unexpectedExceptionLoopMax, then the current time is checked against the
time of the failure, where the time lapse must exceed the
unexpectedExceptionWaitTime to trigger a delay. This delay is the
counter measure to mitigate the amount of log messages that could flood
the log(s).
The delay is calcuated like this:
waitTime = mUnexpectedExceptionWaitTime - (now - timeOfUnexpectedFailure);
|
