path: root/base/ca
Commit message | Author | Age | Files | Lines
* Refactored CertUtil.createLocalRequest(). | Endi S. Dewata | 2017-07-07 | 1 | -1/+1
  The code that sets the certificate request extra data has been moved into CertUtil.createLocalRequest(). The incorrect profile ID in subsystemCert.profile has been fixed.
  https://pagure.io/dogtagpki/issue/2280
  Change-Id: Ic76ac3dfcbf0c4ab95abea0680697d87f00f292b
* Consolidated log() for audit events. | Endi S. Dewata | 2017-06-27 | 4 | -21/+9
  Duplicate log() methods for audit events have been merged into the Logger class.
  https://pagure.io/dogtagpki/issue/2689
  Change-Id: I7a5147ff3221a52a82e69f56faf2156c04256db2
* Refactored signed audit logger. | Endi S. Dewata | 2017-06-24 | 2 | -32/+11
  Signed audit logger creation has been simplified into:
      Logger signedAuditLogger = SignedAuditLogger.getLogger();
  The null checks on signed audit logger have been removed since it cannot be null. Audit messages can be logged as follows:
      signedAuditLogger.log(message);
  https://pagure.io/dogtagpki/issue/2689
  Change-Id: I3bf781b0194a6cbb166f71751c098d1c2a3a657a
* Fixed OCSP service error handling. | Endi S. Dewata | 2017-06-20 | 1 | -2/+7
  Some OCSP-related classes have been modified to detect errors and handle exceptions properly.
  https://pagure.io/dogtagpki/issue/2652
  Change-Id: Ifd054c47d04ff106120df2d7f3705366c7de9da9
* Added log messages for OCSP service. | Endi S. Dewata | 2017-06-20 | 1 | -11/+29
  Some log messages have been added into OCSP-related classes for clarity.
  https://pagure.io/dogtagpki/issue/2652
  Change-Id: I7eda806a3103ac235a5d3e073db8c60a9b3d482d
* Added search filter for pki ca-authority-find. | Endi S. Dewata | 2017-06-17 | 1 | -3/+28
  The pki ca-authority-find CLI has been modified to provide search filter based on the authority ID, parent ID, authority DN, and issuer DN.
  https://pagure.io/dogtagpki/issue/2652
  Change-Id: I563a0b93eb7a00ae4771069812455ecc552f407c
* Ticket#2737 CMC: check HTTPS client authentication cert against CMC signer | Christina Fu | 2017-06-15 | 1 | -2/+1
  This patch adds enforcement in CMCUserSignedAuth to make sure SSL client authentication is performed and the authenticated cert matches that of the CMC signing cert. Some auditing adjustments are also done.
* Added SCHEDULE_CRL_GENERATION audit event. | Endi S. Dewata | 2017-05-26 | 1 | -2/+2
  A new SCHEDULE_CRL_GENERATION audit event has been added which will be generated when CRL generation is scheduled manually.
  https://pagure.io/dogtagpki/issue/2651
  Change-Id: I1e2fc307491e796e50b09550d66e5eba370d090a
* Added FULL_CRL_PUBLISHING audit event. | Endi S. Dewata | 2017-05-26 | 2 | -10/+10
  A new FULL_CRL_PUBLISHING audit event has been added which will be generated when full CRL publishing is complete.
  https://pagure.io/dogtagpki/issue/2651
  Change-Id: I4461b03f4afd300b65e9d12c7d0bfa935b4e7082
* Added FULL_CRL_GENERATION audit event. | Endi S. Dewata | 2017-05-26 | 2 | -28/+12
  A new FULL_CRL_GENERATION audit event has been added which will be generated when full CRL generation is complete.
  https://pagure.io/dogtagpki/issue/2651
  Change-Id: I74b083721e477ad72fe5a787935af617e89a6968
* Added DELTA_CRL_PUBLISHING audit event. | Endi S. Dewata | 2017-05-26 | 2 | -7/+7
  A new DELTA_CRL_PUBLISHING audit event has been added which will be generated when delta CRL publishing is complete.
  https://pagure.io/dogtagpki/issue/2651
  Change-Id: I38f84fc2d00ea57ef13f0ee50998da9239437372
* Added DELTA_CRL_GENERATION audit event. | Endi S. Dewata | 2017-05-26 | 2 | -20/+53
  A new DELTA_CRL_GENERATION audit event has been added which will be generated when delta CRL generation is complete.
  https://pagure.io/dogtagpki/issue/2651
  Change-Id: Ic4759ac2d90b6915443587708292d0f51e11345f
* Refactored CRLIssuingPoint.generateFullCRL(). | Endi S. Dewata | 2017-05-25 | 1 | -40/+40
  The code related to full CRL generation has been moved into generateFullCRL().
  https://pagure.io/dogtagpki/issue/2651
  Change-Id: I6a23c97255ba7095e168e927621f0503923251c2
* Refactored CRLIssuingPoint.generateDeltaCRL(). | Endi S. Dewata | 2017-05-25 | 1 | -48/+54
  The code related to delta CRL generation has been moved into generateDeltaCRL().
  https://pagure.io/dogtagpki/issue/2651
  Change-Id: Ic38c654cea03fe8748bd9663b5414fbe8e762f26
* Added CRLIssuingPoint.generateFullCRL(). | Endi S. Dewata | 2017-05-25 | 1 | -120/+134
  The code that generates full CRL in updateCRLNow() in CRLIssuingPoint has been refactored into a separate generateFullCRL() method for clarity.
  https://pagure.io/dogtagpki/issue/2651
  Change-Id: I4356f3ba71e523cb0f8fa8aa25c34a7a6b6ac49e
* Added CRLIssuingPoint.generateDeltaCRL(). | Endi S. Dewata | 2017-05-25 | 1 | -67/+93
  The code that generates delta CRL in updateCRLNow() in CRLIssuingPoint has been refactored into a separate generateDeltaCRL() method for clarity.
  https://pagure.io/dogtagpki/issue/2651
  Change-Id: I494524ba3fffd89e4edd995c2fa32b9f55104c4a
* Added CRLIssuingPoint.generateCRLExtensions(). | Endi S. Dewata | 2017-05-25 | 1 | -23/+22
  The code that generates CRLExtensions in updateCRLNow() in CRLIssuingPoint has been refactored into a separate generateCRLExtensions() method for clarity.
  https://pagure.io/dogtagpki/issue/2651
  Change-Id: I33d7477ccb8b408c54d9c026dea070a7198beffd
* Make sure archivalID is passed through archival | Ade Lee | 2017-05-24 | 2 | -7/+19
  There was some confusion in the previous commit for archival logging. The archivalID is the id provided by the CA for the archival and is its requestID. This allows the cert request operation to be tracked through the archival.
  Made sure therefore, that we have two fields - one for the archivalID and one for the requestId (which is the KRA archival request ID)
  In addition, some of the archival events occur in the CA component just before the request id sent to the KRA. These events will not be displayed unless the audit event is added to the CA CS.cfg.
  Change-Id: I3904d42ae677d5916385e0120f0e25311b4d9d08
* Encapsulate the archival audit log | Ade Lee | 2017-05-23 | 1 | -33/+12
  This patch encapsulates the SECURITY_DATA_ARCHIVAL_REQUEST and PRIVATE_DATA_ARCHIVAL_REQUEST audit logs as audit events.
  The PRIVATE_DATA_ARCHIVAL_REQUEST events are mapped to the SECURITY_DATA ones to simplify the whole structure. They used to provide an archivalID parameter which was pretty much meaningless as it was at best just the same as the request id which is already logged. So this is now dropped.
  Change-Id: I705d25ce716c73f2c954c5715b0aafdad80b99d2
* Ticket#2618 feature: pre-signed CMC renewal request | Christina Fu | 2017-05-22 | 1 | -1/+12
  This patch provides the feature implementation to allow CA to process pre-signed CMC renewal requests. In the world of CMC, renewal requests are full CMC requests that are signed by previously issued signing certificate.
  The implementation approach is to use the caFullCMCUserSignedCert with the enhanced profile constraint: UniqueKeyConstraint. UniqueKeyConstraint has been updated to disallow renewal of same key shared by a revoked certificate. It also saves the origNotAfter of the newest certificate sharing the same key in the request to be used by the RenewGracePeriodConstraint. To not interfere with the existing "renewal by serial" flow, if an existing origNotAfter is found, it is not overwritten.
  The profile caFullCMCUserSignedCert.cfg has been updated to have both UniqueKeyConstraint and RenewGracePeriodConstraint. They must be placed in the correct order. By default in the UniqueKeyConstraint the constraint parameter allowSameKeyRenewal=true.
* Fixed hardcoded values in ca CS.cfg | Matthew Harmsen | 2017-05-19 | 1 | -3/+3
  - Bugzilla Bug #1452123 - CA CS.cfg shows default port
  - dogtagpki Pagure Issue #2696 - CA CS.cfg shows default port
* Reformatted RevocationRequestListener.accept(). | Endi S. Dewata | 2017-05-17 | 1 | -71/+71
  The RevocationRequestListener.accept() has been reformatted to adjust the indentations after refactoring.
  https://pagure.io/dogtagpki/issue/2651
  Change-Id: Ia94667b88dd48e3e0cf28ee3dd7eb5a5b4dee4b3
* Refactored RevocationRequestListener.accept(). | Endi S. Dewata | 2017-05-17 | 1 | -3/+5
  The RevocationRequestListener.accept() has been refactored to reduce deeply nested if-statements with early return.
  https://pagure.io/dogtagpki/issue/2651
  Change-Id: I11dac11f05a4e3626043f4cfa56feacf01e6d5dd
* Ticket2673- CMC: allow enrollment key signed (self-signed) CMC with identity proof | Christina Fu | 2017-05-17 | 3 | -4/+118
  This patch implements the self-signed CMC requests, where the request is signed by the public key of the underlying request (PKCS#10 or CRMF). The scenario for when this method is used is when no signing cert for the user has been issued before, and once it is issued, it can be used to sign subsequent cert requests by the same user.
  The new enrollment profile introduced is: caFullCMCSelfSignedCert.cfg
  The new option introduced to both CRMFPopClient and PKCS10Client is "-y" which will add the required SubjectKeyIdentifier to the underlying request.
  When a CMC request is self-signed, no auditSubjectID is available until Identification Proof (v2) is verified, however, the cert subject DN is recorded in log as soon as it was available for additional information. Auditing is adjusted. More will come in the next couple CMC patches.
* Bug 1447145 - CMC: cmc.popLinkWitnessRequired=false would cause error | Christina Fu | 2017-05-02 | 1 | -0/+1
  This patch would fix the issue. It also adds the CMCUserSignedAuth authentication instance that was missed in the CS.cfg
* Ticket #2617 added the new caFullCMCUserSignedCert profile in CS.cfg | Christina Fu | 2017-04-28 | 1 | -1/+3
* Ticket #2717 CMC user-signed enrollment request | Christina Fu | 2017-04-28 | 4 | -4/+123
  This patch provides implementation that allows user-signed CMC requests to be processed;
  The resulting certificate will bear the same subjectDN as that of the signing cert;
  The new uri to access is /ca/ee/ca/profileSubmitUserSignedCMCFull
  where the new profile is to be used: caFullCMCUserSignedCert.cfg
  which utilizes the new authentication plugin: CMCUserSignedAuth
  and new profile default plugin: CMCUserSignedSubjectNameDefault
  and new profile constraint plugin: CMCUserSignedSubjectNameConstraint
* ProfileService: clear profile attributes when modifying | Fraser Tweedale | 2017-04-26 | 1 | -0/+1
  When modifying a profile, attributes are not cleared. Attributes that were removed in the updated profile configuration are not actually removed.
  When updating a profile via PUT /ca/rest/profiles/{id}/raw, clear the config store before loading the new configuration.
  Fixes: https://fedorahosted.org/pki/ticket/2588
  Change-Id: I4988315c57bb5d5a44deb04d41603adb39780f19
* Add authn manager that reuses auth token from session | Fraser Tweedale | 2017-04-19 | 1 | -0/+2
  To process a cert request immediately (rather than having it queued as pending), the user must be authenticated *by the profile*; auth tokens from the main authentication system are not used.
  For external authentication support it is possible that the external authentication is sufficient to authenticate use of a problem; especially when the profile uses components like ExternalProcessConstraint to perform validation of the cert request against external sources of information.
  To support this use case, add the SessionAuthentication profile authenticator, which merely reuses the IAuthToken from the session context, if present.
  Part of: https://pagure.io/dogtagpki/issue/1359
* Add ExternalProcessConstraint for request validation | Fraser Tweedale | 2017-04-19 | 1 | -1/+4
  Add the ExternalProcessConstraint profile policy constraint class. It can be configured to execute an arbitrary program that performs additional request validation, rejecting the request if it terminates with a nonzero exit status. Information about the request is conveyed in the subprocess' environment.
  Part of: https://pagure.io/dogtagpki/issue/1359
* Added methods to log AuditEvent object. | Endi S. Dewata | 2017-04-13 | 1 | -0/+10
  New audit(AuditEvent) methods have been added alongside the existing audit(String) methods.
  Change-Id: Ia02a7daa8b9e8693208fe34309d8d727cc32ce54
* Reorganized audit event constants for configuration. | Endi S. Dewata | 2017-04-12 | 1 | -4/+1
  Change-Id: Ie05572677de0e8eb1244dc6caf2b4a48514a2542
* Reorganized additional audit event constants for KRA. | Endi S. Dewata | 2017-04-12 | 1 | -34/+33
  Change-Id: Ib4586443f7e6f759d227975f9736cdd30b8f32e8
* Reorganized audit event constants for authentication. | Endi S. Dewata | 2017-04-12 | 1 | -3/+2
  Change-Id: Iade8cb7fdf3c3f93afb13ff814da0f72dc8f8049
* Added audit event constants for TPS. | Endi S. Dewata | 2017-04-12 | 1 | -5/+2
  Change-Id: Id7845ebf2a14cebe25189a8363cee759030a16cb
* Add CAInfo resource | Ade Lee | 2017-04-11 | 1 | -0/+4
  This resource (which will be accessed at /ca/rest/info) will initially return the mechanism for archival. This is needed by clients to know how to package secrets when archiving. We may add the transport cert later.
  Change-Id: Ib13d52344e38dc9b54c0d2a1645f1211dd84069b
* Added CLIs to access audit log files. | Endi S. Dewata | 2017-04-04 | 1 | -0/+3
  New pki audit commands have been added to list and retrieve audit log files.
  Change-Id: I785fa6f55d9b143f513d9210ebf82d04e06eaed5
* Added PKIRESTProvider. | Endi S. Dewata | 2017-04-04 | 1 | -7/+0
  A new PKIRESTProvider has been added to send and receive StreamingOutput object through REST API.
  Change-Id: Iefc513aacb9fc26bc7c8c5cbfb4550a4a98da52e
* Added audit service and CLI to all subsystems. | Endi S. Dewata | 2017-04-04 | 4 | -0/+23
  Previously the audit service and CLI were only available on TPS. Now they have been added to all subsystems.
  Change-Id: I3b472254641eb887289c5122df390c46ccd97d47
* Removed redundant Context attributes. | Endi S. Dewata | 2017-03-31 | 5 | -84/+0
  All subclasses of PKIService have been modified to remove the Context attribute since they have been declared in the base class.
  Change-Id: Icdbe97efa2b910a579264099f817930c2cc2ed1a
* Bug 1419742: CMC RFE: provide Proof of Possession for encryption cert requests | Christina Fu | 2017-03-28 | 1 | -1/+1
  CMC encryptedPOP and decryptedPOP (Phase 1) also disable lraPOPwitness
  This patch implements the Proof of Possession for encryption only keys. This is a preliminary implementation with limitations. It does not support more than one request. ECC keys are untested. This version only uses default algorithms at some internal places. Not all limitations are listed here.
* Added audit logs for SSL/TLS events. | Endi S. Dewata | 2017-03-28 | 1 | -2/+2
  The CMSStartServlet has been modified to register an SSL socket listener called PKIServerSocketListener to TomcatJSS.
  The PKIServerSocketListener will receive the alerts generated by SSL server sockets and generate ACCESS_SESSION_* audit logs.
  The CS.cfg for all subsystems have been modified to include ACCESS_SESSION_* audit events.
  https://pagure.io/dogtagpki/issue/2602
  Change-Id: If7fb6c1b096ec8c68d1fd08f9132baf099816f11
* pagure#2605 CMC feature: id-cmc-identityProofV2 per rfc5272 (part 1) | Christina Fu | 2017-03-17 | 1 | -1/+60
  This patch provides methods that can be shared between the CA and the ISharedToken plugins:
  1. the convenience routines for quick encryption, decryption, hashing methods that take default algorithms.
  2. The establishment of Issuance Protection Certificate
* Add groups and request attributes to external principals | Fraser Tweedale | 2017-03-16 | 1 | -0/+2
  Add the ExternalAuthenticationValve valve, which, if an externally authenticated principal is available, reads the REMOTE_USER_GROUP information from the Coyote request and adds the groups ("roles" in Tomcat terminology) to the principal.
  It also saves a complete copy of the request attribute map in the principal. The new class ExternalPrincipal is used to achieve this.
  Part of: https://pagure.io/dogtagpki/issue/1359
* Include revocation reason in REST cert data | Fraser Tweedale | 2017-03-14 | 1 | -0/+18
  Fixes: https://fedorahosted.org/pki/ticket/2601
* Added access banner for CA UI. | Endi S. Dewata | 2017-02-24 | 162 | -33/+1040
  All pages in CA UI have been modified to retrieve access banner and display it once at the beginning of the SSL connection.
  https://fedorahosted.org/pki/ticket/2582
* Fixed build problem on RHEL. | Endi S. Dewata | 2017-02-23 | 1 | -9/+9
  The CMake create_symlink commands do not work on RHEL if the source does not exist yet, so they have been replaced with regular ln commands.
* Refactor CertRetrievalRequest construction | Fraser Tweedale | 2017-02-22 | 1 | -2/+1
  Remove an unused constructor from CertRetrievalRequest, and add a constructor that receives the CertId, simplifying usage.
  Part of: https://fedorahosted.org/pki/ticket/2601
* Renamed index.html to index.jsp in CA UI. | Endi S. Dewata | 2017-02-20 | 10 | -2/+2
  The index.html files in CA UI have been renamed to index.jsp such that they can be protected by access banner.
  https://fedorahosted.org/pki/ticket/2582
* Troubleshooting improvements for CertRequestService. | Endi S. Dewata | 2017-02-17 | 1 | -27/+26
  To help troubleshooting the CertRequestService has been modified to chain the original exceptions.