| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
| |
The code that sets the certificate request extra data has been
moved into CertUtil.createLocalRequest().
The incorrect profile ID in subsystemCert.profile has been fixed.
https://pagure.io/dogtagpki/issue/2280
Change-Id: Ic76ac3dfcbf0c4ab95abea0680697d87f00f292b
|
|
|
|
|
|
|
|
|
| |
Duplicate log() methods for audit events have been merged into the
Logger class.
https://pagure.io/dogtagpki/issue/2689
Change-Id: I7a5147ff3221a52a82e69f56faf2156c04256db2
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Signed audit logger creation has been simplified into:
Logger signedAuditLogger = SignedAuditLogger.getLogger();
The null checks on signed audit logger have been removed since
it cannot be null. Audit messages can be logged as follows:
signedAuditLogger.log(message);
https://pagure.io/dogtagpki/issue/2689
Change-Id: I3bf781b0194a6cbb166f71751c098d1c2a3a657a
|
|
|
|
|
|
|
|
|
| |
Some OCSP-related classes have been modified to detect errors and
handle exceptions properly.
https://pagure.io/dogtagpki/issue/2652
Change-Id: Ifd054c47d04ff106120df2d7f3705366c7de9da9
|
|
|
|
|
|
|
|
|
| |
Some log messages have been added into OCSP-related classes for
clarity.
https://pagure.io/dogtagpki/issue/2652
Change-Id: I7eda806a3103ac235a5d3e073db8c60a9b3d482d
|
|
|
|
|
|
|
|
|
|
| |
The pki ca-authority-find CLI has been modified to provide search
filter based on the authority ID, parent ID, authority DN, and
issuer DN.
https://pagure.io/dogtagpki/issue/2652
Change-Id: I563a0b93eb7a00ae4771069812455ecc552f407c
|
|
|
|
|
| |
This patch adds enforcement in CMCUserSignedAuth to make sure SSL client authentication is performed and the authenticated cert matches that of the CMC signing cert.
Some auditing adjustments are also done.
|
|
|
|
|
|
|
|
|
| |
A new SCHEDULE_CRL_GENERATION audit event has been added which
will be generated when CRL generation is scheduled manually.
https://pagure.io/dogtagpki/issue/2651
Change-Id: I1e2fc307491e796e50b09550d66e5eba370d090a
|
|
|
|
|
|
|
|
|
| |
A new FULL_CRL_PUBLISHING audit event has been added which will
be generated when full CRL publishing is complete.
https://pagure.io/dogtagpki/issue/2651
Change-Id: I4461b03f4afd300b65e9d12c7d0bfa935b4e7082
|
|
|
|
|
|
|
|
|
| |
A new FULL_CRL_GENERATION audit event has been added which will
be generated when full CRL generation is complete.
https://pagure.io/dogtagpki/issue/2651
Change-Id: I74b083721e477ad72fe5a787935af617e89a6968
|
|
|
|
|
|
|
|
|
| |
A new DELTA_CRL_PUBLISHING audit event has been added which will
be generated when delta CRL publishing is complete.
https://pagure.io/dogtagpki/issue/2651
Change-Id: I38f84fc2d00ea57ef13f0ee50998da9239437372
|
|
|
|
|
|
|
|
|
| |
A new DELTA_CRL_GENERATION audit event has been added which will
be generated when delta CRL generation is complete.
https://pagure.io/dogtagpki/issue/2651
Change-Id: Ic4759ac2d90b6915443587708292d0f51e11345f
|
|
|
|
|
|
|
|
|
| |
The code related to full CRL generation has been moved into
generateFullCRL().
https://pagure.io/dogtagpki/issue/2651
Change-Id: I6a23c97255ba7095e168e927621f0503923251c2
|
|
|
|
|
|
|
|
|
| |
The code related to delta CRL generation has been moved into
generateDeltaCRL().
https://pagure.io/dogtagpki/issue/2651
Change-Id: Ic38c654cea03fe8748bd9663b5414fbe8e762f26
|
|
|
|
|
|
|
|
|
|
| |
The code that generates full CRL in updateCRLNow()
in CRLIssuingPoint has been refactored into a separate
generateFullCRL() method for clarity.
https://pagure.io/dogtagpki/issue/2651
Change-Id: I4356f3ba71e523cb0f8fa8aa25c34a7a6b6ac49e
|
|
|
|
|
|
|
|
|
|
| |
The code that generates delta CRL in updateCRLNow()
in CRLIssuingPoint has been refactored into a separate
generateDeltaCRL() method for clarity.
https://pagure.io/dogtagpki/issue/2651
Change-Id: I494524ba3fffd89e4edd995c2fa32b9f55104c4a
|
|
|
|
|
|
|
|
|
|
| |
The code that generates CRLExtensions in updateCRLNow()
in CRLIssuingPoint has been refactored into a separate
generateCRLExtensions() method for clarity.
https://pagure.io/dogtagpki/issue/2651
Change-Id: I33d7477ccb8b408c54d9c026dea070a7198beffd
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There was some confusion in the previous commit for archival
logging. The archivalID is the id provided by the CA for the archival
and is its requestID. This allows the cert request operation
to be tracked through the archival.
Made sure therefore, that we have two fields - one for the archivalID
and one for the requestId (which is the KRA archival request ID)
In addition, some of the archival events occur in the CA component
just before the request id sent to the KRA. These events will not
be displayed unless the audit event is added to the CA CS.cfg.
Change-Id: I3904d42ae677d5916385e0120f0e25311b4d9d08
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch encapsulates the SECURITY_DATA_ARCHIVAL_REQUEST and
PRIVATE_DATA_ARCHIVAL_REQUEST audit logs as audit events.
The PRIVATE_DATA_ARCHIVAL_REQUEST events are mapped to the
SECURITY_DATA ones to simplify the whole structure. They
used to provide an archivalID parameter which was pretty much
meaningless as it was at best just the same as the request id
which is alreadty logged. So this is now dropped.
Change-Id: I705d25ce716c73f2c954c5715b0aafdad80b99d2
|
|
|
|
|
|
|
| |
This patch provides the feature implementation to allow CA to process pre-signed CMC renewal requests. In the world of CMC, renewal request are full CMC requests that are signed by previously issued signing certificate.
The implementation approach is to use the caFullCMCUserSignedCert with the enhanced profile constraint: UniqueKeyConstraint.
UniqueKeyConstraint has been updated to disallow renewal of same key shared by a revoked certificate. It also saves the origNotAfter of the newest certificate sharing the same key in the request to be used by the RenewGracePeriodConstraint. To not interfere with the existing "renewal by serial" flow, if an existing origNotAfter is found, it is not overwritten.
The profile caFullCMCUserSignedCert.cfg has been updated to have both UniqueKeyConstraint and RenewGracePeriodConstraint. They must be placed in the correct order. By default in the UniqueKeyConstraint the constraint parameter allowSameKeyRenewal=true.
|
|
|
|
|
| |
- Bugzilla Bug #1452123 - CA CS.cfg shows default port
- dogtagpki Pagure Issue #2696 - CA CS.cfg shows default port
|
|
|
|
|
|
|
|
|
| |
The RevocationRequestListener.accept() has been reformatted to
adjust the indentations after refactoring.
https://pagure.io/dogtagpki/issue/2651
Change-Id: Ia94667b88dd48e3e0cf28ee3dd7eb5a5b4dee4b3
|
|
|
|
|
|
|
|
|
| |
The RevocationRequestListener.accept() has been refactored to
reduce deeply nested if-statements with early return.
https://pagure.io/dogtagpki/issue/2651
Change-Id: I11dac11f05a4e3626043f4cfa56feacf01e6d5dd
|
|
|
|
|
|
| |
proof
This patch implements the self-signed CMC requests, where the request is signed by the public key of the underlying request (PKCS#10 or CRMF). The scenario for when this method is used is when there was no existing signing cert for the user has been issued before, and once it is issued, it can be used to sign subsequent cert requests by the same user. The new enrollment profile introduced is : caFullCMCSelfSignedCert.cfg The new option introduced to both CRMFPopClient and PKCS10Client is "-y" which will add the required SubjectKeyIdentifier to the underlying request. When a CMC request is self-signed, no auditSubjectID is available until Identification Proof (v2) is verified, however, the cert subject DN is recorded in log as soon as it was available for additional information. Auditing is adjusted. More will come in the next couple CMC patches.
|
|
|
|
|
| |
This patch would fix the issue. It also adds the CMCUserSignedAuth
authentication instance that was missed in the CS.cfg
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
This patch provides implementation that allows user-signed CMC requests
to be processed; The resulting certificate will bear the same subjectDN
as that of the signing cert;
The new uri to access is /ca/ee/ca/profileSubmitUserSignedCMCFull
where the new profile is to be used: caFullCMCUserSignedCert.cfg
which utilizes the new authentication plugin: CMCUserSignedAuth
and new profile default plugin: CMCUserSignedSubjectNameDefault
and new profile constraint plugin: CMCUserSignedSubjectNameConstraint
|
|
|
|
|
|
|
|
|
|
|
|
| |
When modifying a profile, attributes are not cleared. Attributes
that were removed in the updated profile configuration are not
actually removed.
When updating a profile via PUT /ca/rest/profiles/{id}/raw, clear
the config store before loading the new configuration.
Fixes: https://fedorahosted.org/pki/ticket/2588
Change-Id: I4988315c57bb5d5a44deb04d41603adb39780f19
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
To process a cert request immediately (rather than having it queued
as pending), the user must be authenticated *by the profile*; auth
tokens from the main authentication system are not used.
For external authentication support it is possible that the external
authentication is sufficient to authenticate use of a problem;
especially when the profile uses componenets like
ExternalProcessConstraint to perform validation of the cert request
against external sources of information.
To support this use case, add the SessionAuthentication profile
authenticator, which merely reuses the IAuthToken from the session
context, if present.
Part of: https://pagure.io/dogtagpki/issue/1359
|
|
|
|
|
|
|
|
|
|
| |
Add the ExternalProcessConstraint profile policy constraint class.
It can be configured to execute an arbitrary program that performs
additional request validation, rejecting the request if it
terminates with a nonzero exit status. Information about the
request is conveyed in the subprocess' environment.
Part of: https://pagure.io/dogtagpki/issue/1359
|
|
|
|
|
|
|
| |
New audit(AuditEvent) methods have been added alongside the
existing audit(String) methods.
Change-Id: Ia02a7daa8b9e8693208fe34309d8d727cc32ce54
|
|
|
|
| |
Change-Id: Ie05572677de0e8eb1244dc6caf2b4a48514a2542
|
|
|
|
| |
Change-Id: Ib4586443f7e6f759d227975f9736cdd30b8f32e8
|
|
|
|
| |
Change-Id: Iade8cb7fdf3c3f93afb13ff814da0f72dc8f8049
|
|
|
|
| |
Change-Id: Id7845ebf2a14cebe25189a8363cee759030a16cb
|
|
|
|
|
|
|
|
|
|
| |
This resource (which will be accessed at /ca/rest/info)
will initially return the mechanism for archival.
This is needed by clients to know how to package secrets when
archiving. We may add the transport cert later.
Change-Id: Ib13d52344e38dc9b54c0d2a1645f1211dd84069b
|
|
|
|
|
|
|
| |
New pki audit commands have been added to list and retrieve audit
log files.
Change-Id: I785fa6f55d9b143f513d9210ebf82d04e06eaed5
|
|
|
|
|
|
|
| |
A new PKIRESTProvider has been added to send and receive
StreamingOutput object through REST API.
Change-Id: Iefc513aacb9fc26bc7c8c5cbfb4550a4a98da52e
|
|
|
|
|
|
|
| |
Previously the audit service and CLI were only available on TPS.
Now they have been added to all subsystems.
Change-Id: I3b472254641eb887289c5122df390c46ccd97d47
|
|
|
|
|
|
|
| |
All subclasses of PKIService have been modified to remove the
Context attribute since they have been declared in the base class.
Change-Id: Icdbe97efa2b910a579264099f817930c2cc2ed1a
|
|
|
|
| |
requests CMC encryptedPOP and decrypedPOP (Phase 1) also disable lraPOPwitness This patch implements the Proof of Possession for encryption only keys. This is a preliminary implementation with limitations. It does not support more than one request. ECC keys are untested. This version only uses default algorithms at some internal places. Not all limitations are listed here.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The CMSStartServlet has been modified to register an SSL socket
listener called PKIServerSocketListener to TomcatJSS.
The PKIServerSocketListener will receive the alerts generated by
SSL server sockets and generate ACCESS_SESSION_* audit logs.
The CS.cfg for all subsystems have been modified to include
ACCESS_SESSION_* audit events.
https://pagure.io/dogtagpki/issue/2602
Change-Id: If7fb6c1b096ec8c68d1fd08f9132baf099816f11
|
|
|
|
|
|
| |
This patch provides methods that can be shared between the CA and the ISharedToken plugins:
1. the convenience routines for quick encryption, decryption, hashing methods that take default algorithms.
2. The establishment of Issuance Protection Certificate
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add the ExternalAuthenticationValve valve, which, if an externally
authenticated principal is available, reads the REMOTE_USER_GROUP
information from the Coyote request and adds the groups ("roles" in
Tomcat terminology) to the principal.
It also saves a complete copy of the request attribute map in the
princpial. The new class ExternalPrincipal is used to achieve this.
Part of: https://pagure.io/dogtagpki/issue/1359
|
|
|
|
| |
Fixes: https://fedorahosted.org/pki/ticket/2601
|
|
|
|
|
|
|
| |
All pages in CA UI have been modified to retrieve access banner
and display it once at the beginning of the SSL connection.
https://fedorahosted.org/pki/ticket/2582
|
|
|
|
|
|
| |
The CMake create_symlink commands do not work on RHEL if the
source does not exist yet, so they have been replaced with regular
ln commands.
|
|
|
|
|
|
|
| |
Remove an unused constructor from CertRetrievalRequest, and add a
constructor that receives the CertId, simplifying usage.
Part of: https://fedorahosted.org/pki/ticket/2601
|
|
|
|
|
|
|
| |
The index.html files in CA UI have been renamed to index.jsp such
that they can be protected by access banner.
https://fedorahosted.org/pki/ticket/2582
|
|
|
|
|
| |
To help troubleshooting the CertRequestService has been modified
to chain the original exceptions.
|