| Commit message (Collapse) | Author | Age | Files | Lines |
... | |
|
|
|
|
|
|
|
|
|
|
|
| |
Creating or modifying a profile with bad profile data in the "raw"
format succeeds and saves the bad data. After restart, the profile
cannot be loaded and attempting to use, modify or delete or recreate
the profile will fail.
Verify raw profile data by instantiating a temporary profile and
attempting to initialise it with the received configuration.
Fixes: https://fedorahosted.org/pki/ticket/1462
|
|
|
|
|
|
|
|
|
|
|
| |
The HttpConnection class has been modified to support fail-over
and timeout more consistently. The targets are parsed into a list
during initialization. All direct calls to HttpClient.connect()
are replaced with a method that will connect to the first available
target. All connections are now created with a timeout (which by
default is 0).
https://fedorahosted.org/pki/ticket/891
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Ticket #1446:
Without the crypto object, the user is now presented with a very bared bones
keygen tag powered UI. ONe can only select a key strength and only use RSA.
This fix adds simple UI to make better use of the keygen tag:
1. Allows the use of ECC.
2. Gives simple info on how the key strengths map to RSA key size and
ECC curves.
When the user selects High, they get RSA 2043, and ECC nistp384.
When the user selects Medium, they get RSA 1024, and ECC nistp256.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Ticket #1442.
This fix gives the command line enrollment commands the ability to enroll a cert against a profile
that has been marked as not visible but "enabled".
With the simple fix the following scenarios tested to work:
The "caUserCert" Profile was marked as not visible, but enabled.
1. pki -c Secret123 client-cert-request --profile caUserCert uid=jmagne
This is the simplest form of user cert enrollment.
2. pki ca-cert-request-profile-show caUserCert --output testuser.xml
pki ca-cert-request-submit testuser.xml
The first command gives us the profile's xml file, which after modification is used to enroll.
3. pki -d ~/.dogtag/pki -c "" -n "PKI Administrator for localdomain" ca-profile-show caUserCert
This one shows that we can view the contents of a non visible profile. Listing is not allowed.
We felt this appropiate to allow a command line user to get the details of a non visible profile that
they know aobut and want to use.
|
|
|
|
|
|
|
|
| |
Various codes have been modified to properly stop threads during
shutdown. A new ID attribute has been added to the LDAP connection
factory classes to help identify leaking threads.
https://fedorahosted.org/pki/ticket/1327
|
| |
|
|
|
|
|
|
| |
Provide simple textual warning when the user is using a browser that no longer supports the crypto object, which results in reduced CA certficat enrollment functionality. For simplicity provide the warning at the top of the main index page and at the top of the CA's services page. The services page is where the pkispawn of the CA points the uers after installation. The ticket originally called for a JS warnign but the simple text warning should be less intrusive and repetitive to the user.
Ticket #1398 Provide UI Javascript warning for missing Mozilla Crypto Object in the CA.
|
|
|
|
|
|
|
| |
In modifyProfileState check the 'action' query paramter for NULL and
raise a BadRequestException when the paramater is not set.
https://fedorahosted.org/pki/ticket/1361
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The ROOT's index.jsp has been modified to show the links to all
subsystems installed on the instance. When opened, it will show
the services provided by the subsystem.
The pkispawn output has been modified to show the subsystem URL
more consistently:
https://<hostname>:<port>/<subsystem>
In all subsystems except TPS the page will redirect to:
https://<hostname>:<port>/<subsystem>/services
|
|
|
|
|
|
|
|
| |
The store() method of the 'Properties' class escapes '=' and ':' in
values, corrupting the profile data. Continue using 'Properties' to
read the input (unescaping values) then copy the properties into a
'SimpleProperties' object so that unwanted backslashes do not appear
in the output.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
schedules.
Addresses the complaint of this ticket. Tested to work in a few basic cases. The minor code change
was designed to only affect the specific scenario when we have a daily scedule that spans only one day.
More Info:
How to duplicate and test:
Perform a manual crl generate from the agent interface because the code to be tested relies heavily upon the "lastUpdate" which will appear in the logs. Do this to have a nice launching off point.
Go to the ca's pkiconsole and select : Certificate Manager -> CRL Issuing Points -> MasterCRL.
Check "updateCRL at: " and give a schedule such as : 15:03, 15:10 .. This gives us a chance to watch the two regularly scheduled updates happen.
When the first event triggers, have a look at the CA's "debug" log and note the following or similar entry:
[CRLIssuingPoint-MasterCRL]: findNextUpdate: Wed May 06 15:10:00 PDT 2015 delay: 86301873
Wait for the 15:00 even to happen. When that triggers at the end of that cycle, we should see one more similar entry.
[CRLIssuingPoint-MasterCRL]: findNextUpdate: Wed May 06 15:03 PDT 2015 delay: 86301873
That is the correct behavior after the fix. We want the next update to be at the first entry of the daily schedule , but tomorrow. The current bug would print out this value as something like:
Wed May 06 00:00:00 or similar to indicate midnight. This is not what we want.
|
|
|
|
|
|
|
|
|
|
|
| |
The REST methods may be executed by different threads even though
they are invoked in the same session. A new interceptor has been
added to all subsystems to make sure the SessionContext is created
properly for each thread. This will fix the authentication data in
the audit log. The SessionContext has also been improved to use
ThreadLocal instead of a global Hashtable.
https://fedorahosted.org/pki/ticket/1054
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Tickets #1294, #1058
The patch does the following:
1. Allows an OCSP clone to actually install and operate.
It also sets a param appropriate for an OCSP clone. Ticket #1058
The controversial part of this one is the fact that I have disabled
having OCSP clones register themselves to the CA as publishing target.
The master is already getting the updates and we rely upon replication
to keep the clones updated. The current downside is the master is on an
island with respect to updates and could be considered a single point of failure.
Thus my proposal for this simple patch is to get the OCSP clone working as in existing
functionality. Then we come back and propose a ticket to allow the installer OCSP clones
to set up the publishers in such a way that all clones and master are registered, but when
it is actually time to publish, the CRL publisher has the smarts to know that members of a
clone cluster are in a group and the first successfull publish should end the processing of
that group.
2. Allows the CA clone to set some params to disable certain things that a clone should not do.
This was listed as a set of misc post install tasks that we are trying to automate.
Code tested to work.
1. OCSP clones can be installed and the CRL were checked to be in sync when an update occured to the master.
2. The CA clone has been seen to have the required params and it looks to come up just fine.
Final review minor changes to tickets, 1294, and 1058.
|
| |
|
| |
|
|
|
|
| |
https://fedorahosted.org/pki/ticket/1296
|
|
|
|
|
|
|
| |
The templates have been modified to remove hard-coded background
color settings and use the styles defined in a new CSS file.
https://fedorahosted.org/pki/ticket/1296
|
|
|
|
|
|
|
|
| |
The deployment tool has been modified to deploy all subsystems
directly from the /usr/share/pki. This will simplify updating
the templates in the web applications.
https://fedorahosted.org/pki/ticket/499
|
|
|
|
| |
https://fedorahosted.org/pki/ticket/1296
|
|
|
|
| |
https://fedorahosted.org/pki/ticket/1296
|
|
|
|
| |
https://fedorahosted.org/pki/ticket/1296
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Usage:
* under /usr/share/pki/ca/conf, you will find a new file called
serverCert.profile.exampleWithSANpattern
* copy existing serverCert.profile away and replace with
serverCert.profile.exampleWithSANpattern
* edit serverCert.profile.exampleWithSANpattern
- follow the instruction right above 8.default.
- save and quit
* cd /usr/share/pki/ca/profiles/ca , edit caInternalAuthServerCert.cfg
- follow the instruction right above policyset.serverCertSet.9
- save and quit
* save away and edit the ca config file for pkispawn: (note: you can
add multiple SAN's delimited by ',' for pki_san_server_cert
- add the following lines, e.g.
pki_san_inject=True
pki_san_server_cert=host1.Example.com
- do the same pkispawn cfg changes for kra or any other instances
that you plan on creating
* create your instance(s)
check the sl sever cert, it should contain something like the
following:
Identifier: Subject Alternative Name - 2.5.29.17
Critical: no
Value:
DNSName: host1.Example.com
|
|
|
|
|
|
|
|
|
|
|
|
| |
The Dogtag code has been modified to support both Tomcat 7 and 8.
All files depending on a specific Tomcat version are now stored
in separate folders. The build scripts have been modified to use
the proper folder for the target platform. The tomcatjss
dependency has been updated as well.
The upgrade script will be added in a separate patch.
https://fedorahosted.org/pki/ticket/1264
|
|
|
|
|
|
| |
Add the `pki_profiles_in_ldap' pkispawn config to control whether
profiles are stored on the filesystem (old behaviour) or LDAP (new
behaviour). The default is file-based profiles.
|
|
|
|
|
|
|
|
| |
Update CLI commands for working with the (now LDAP-based)
profiles in the same format as was used by the files, by way of the
--raw option.
Also add the "edit" command to interactively edit a profile.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add the LDAPProfileSubsystem as another IProfileSubsystem
implementation that can be used instead of ProfileSubsystem (which
stores profiles on the file system) to store files in LDAP so that
changes can be replicated.
Extract common behaviour in to new AbstractProfileSubsystem
superclass.
Also address the minor issue #1220.
|
| |
|
|
|
|
| |
- PKI TRAC Ticket #1144 - pkispawn needs option to specify ca cert for ldap
|
|
|
|
|
|
|
|
|
|
|
| |
RFC 5280 states:
Conforming CRL issuers are REQUIRED to include the authority key
identifier (Section 5.2.1) and the CRL number (Section 5.2.3)
extensions in all CRLs issued.
Accordingly, update CS.cfg so that the Authority Key Identifier
extension is enabled by default.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fix now includes last review comments where we decided to consolidate 3 of the
ldif files: schema.ldif,database.ldif, and manager.ldif.
Each one of these 3 files contains the data needed for any subsystem for that file.
The subsystem specific files for these 3 go away in the source tree.
The first iteration of this fix was copying these 3 files into an undesirable directory.
This is no longer the case.
Extra code in the python installer allows one to establish a "file exclusion" callback to
keep a set of desired files from being copied when the installer does a directory copy.
All subsystems have been tested, including TPS with a brand new DS (which was the original reason for this fix),
and they appear to work fine.
Addressed further review comments:
1. Removed trailing whitespace instances from schema.ldif which had some.
2. Used pycharm to remove the few PEP violations I had previously added to the Python code.
3. Changed the format of the schema.ldif file to make all the entries use the same style.
Previously the TPS entries was using an all in one syntax. No more since now each entry is separate.
4. Changed the name of an argument in one of the new Python methods to get rid of a camelCase instance.
5. Tested everything to work as before, including basic TPS operations such as Format.
Fixed a method comment string and fixed some typos.
|
| |
|
|
|
|
|
|
|
|
|
| |
A new optional property has been added to certificate profiles to
specify the range unit. The default range unit is 'day'. The code
has been modified to use the Calendar API to calculate the end of
validity range based on the range unit.
https://fedorahosted.org/pki/ticket/1226
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The code to remove the connector from the pki CLI was found to be broken
because of invalid message type (partly due to void returns).
On uninstall, we need to remove the kra-connector from all relevant CA's
in the security domain. The best way to do this is to keep kra-connector
info in LDAP, so that only one call is needed. Until that change has
been made, we are adding a hack to remove the connector from all CA's
in the secutrity domain (if it exists).
Due to issues with proxy configurations, we will continue to use sslget
and a url-encoded-form version of the servlet.
In addition, it was found that when removing a KRA from a shared subsystem,
the updateDomainXML servlet was erroneously returning failure when it
was unsuccessful in removing a non-existent user from a group.
Ticket 1113
|
|
|
|
| |
- PKI TRAC Ticket #1120 - Remove Firefox PKI GUI Configuration Panel Interface
|
|
|
|
| |
* PKI TRAC Ticket #567 - ui needs to be scrubbed for missing images
|
|
|
|
|
|
|
| |
The new command allows users to view the information about
kra connectors registered with the CA.
Ticket #479
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds the ability to create a subsystem that uses
an existing subtree to create the internal basedn. This is useful
for instance, for IPA which will use the original o=ipaca as the
top level DN for a KRA, which will be situated at o=ipadrm, o=ipaca.
The patch also allows such a system to be cloned, but not to setup the
replication agreements, on the assumption that the data is already being
replicated at the top-level DN or some higher level.
The patch also contains some minor cleanups - removing unused imports and
removal of an invalid reference in the python code.
Ticket 1051
|
|
|
|
| |
- PKI TRAC Ticket #832 - Remove legacy 'systemctl' files . . .
|
|
|
|
| |
* PKI TRAC Ticket #899 - RFE - ipa-server should keep backup of CS.cfg
|
|
|
|
| |
Ticket 781
|
|
|
|
|
| |
* PKI TRAC Ticket #946 - Installation of IPA hangs up
when LANG is set to tr_TR.UTF8
|
|
|
|
|
|
|
|
|
|
|
|
| |
The RenewalProcessor was throwing NumberFormatException if the
renewal request contains an empty serial number. The code has been
modified to check for null and empty string.
If the serial number is unavailable, the code will try to get the
serial number from the client certificate. If that is unavailable
either, the code has been fixed to return a proper message.
Ticket #999
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There seems to be no use of the requestID parameter in both revoke
and unrevoke request. Removed requestID attribute in CertRevokeRequest
remove the class CertUnrevokeRequest.
Also made changes in RevocationProcesor to use the requestID of the
request created in it.
The setRequestID() is being called in the DoRevoke and DoUnRevoke servlets.
Removed the call and a function auditRequesterId in both the classes.
The auditRequestorId method tries to get a "requestID" stored as a INPUT field
in the reasonToRequest page. The ReasonToRevoke class which generates
this page does not set the value.
|
|
|
|
|
|
|
|
|
|
| |
Some REST services that accept search keywords have been modified to
require a minimum length of 3 characters.
The DEFAULT_SIZE constant has been moved into the base PKIService
class to reduce multiple declarations.
Ticket #920
|
|
|
|
|
|
|
|
|
|
|
| |
Previously PKIException was not displayed properly in browser
because it doesn't have a writer for HTML. Now the exception mapper
will compute the message format properly, and will default to XML.
The exception mapper itself has been moved into a server package
due to class dependency. The REST application classes have been
updated accordingly.
Ticket #554
|
|
|
|
|
|
|
| |
Subsystem-specific configuration codes have been moved from the
SystemConfigService into the subsystem-specific installer.
Ticket #890
|
|
|
|
|
|
|
|
|
| |
New subclasses of SystemConfigService have been added for each
subsystem to replace the base installer. Initially these classes
are blank, so they are identical to the base class. Later they will
store subsystem-specific installation code.
Ticket #890
|