Add the CertificateAuthority.renewAuthority() method that creates
and processes a renewal request for the lightweight CA's signing
cert. The new certificate replaces the old certificate in the NSSDB
and the serial number is stored in the 'authoritySerial' attribute.
Clones observe when the 'authoritySerial' attribute has changed and
update the certificate in their NSSDB, too.
The renewal behaviour is available in the REST API as a POST to
/ca/rest/authorities/<id>/renew.
Fixes: https://fedorahosted.org/pki/ticket/2327
The IPACustodiaKeyRetriever doesn't really do anything specific to
IPA or Custodia; it merely executes a certain executable with a
particular behavioural contract.
Add support for passing configuration to KeyRetriever instances, and
rename IPACustodiaKeyRetriever to ExternalProcessKeyRetriever,
updating it to use the "executable" config property instead of a
hardcoded filename.
Part of: https://fedorahosted.org/pki/ticket/1625
If lightweight CA key retrieval fails, retry the retrieval after a
delay of 10 seconds initially, increasing thereafter.
Fixes: https://fedorahosted.org/pki/ticket/2293
If additional LDAP events are processed for a lightweight CA while
key retrieval proceeds in another thread, when retrieval is
complete, the KeyRetrieverRunner reinitialises the signing unit of a
stale object.
Instead of holding onto a CertificateAuthority, hold onto the
AuthorityID and look it up afresh when ready to reinitialise its
SigningUnit.
Part of: https://fedorahosted.org/pki/ticket/2293
Before implementing lightweight CA key retrieval retry with
exponential backoff, ensure that only one key retriever thread can
execute at a time, for each CA.
Also make SigningUnit initialisation (initSigUnit) synchronised.
Part of: https://fedorahosted.org/pki/ticket/2293
When processing a request whose target CA has been deleted in
between request submission and request approval, the server does not
handle the CANotFoundException, resulting in response status 500.
Catch the CANotFoundException and respond with status 410 Gone.
Fixes: https://fedorahosted.org/pki/ticket/2332
When processing a CA deletion that occurred on another clone, remove
the CA's certificate and key from the local NSSDB.
Fixes: https://fedorahosted.org/pki/ticket/2328
When deleting lightweight CAs, the call to
CryptoStore.deletePrivateKey() throws an exception because the
preceding call to CryptoStore.deleteCert() also deletes the key.
Remove the redundant call and add some commentary.
Fixes: https://fedorahosted.org/pki/ticket/1640
The RenewalProcessor.processRenewal() has been modified to get the
serial number of the certificate to renew from the profile input
in addition to the <SerialNumber> attribute and client certificate.
The serialNum field in CertEnrollmentRequest has been modified to
use CertId which accepts both decimal and hexadecimal value.
https://fedorahosted.org/pki/ticket/999
This patch fixes the following areas:
* In the CA, when revokeCert is called, make it possible to move from on_hold
to revoke.
* In the servlet that handles TPS revoke (DoRevokeTPS), make sure it allows
the on_hold cert to be put in the bucket to be revoked.
* There are a few minor fixes such as typos, and one has to do with the
populate method in SubjectDNInput.java, which needs better handling of the
subject in case it's null.
Note: This patch does not attempt to allow agents to revoke certs that
are on_hold from the agent interface. The search filter needs to be modified to
allow that.
The date on which the certificate is revoked and the agent that
revoked it are now displayed in cert-find and cert-show output.
Ticket 1055
Right now, if publishing is enabled, both CRL and cert publishing
are enabled. This causes a bunch of spurious error messages on
IPA servers as cert publishing is not configured.
As it is impossible to determine if cert publishing is not desired
or simply misconfigured, we provide options to explicitly disable
either cert or CRL publishing.
Specifically:
* to enable/disable both cert and CRL publishing:
    ca.publish.enable = True/False
  This is the legacy behavior.
* to enable CRL publishing only:
    ca.publish.enable = True
    ca.publish.cert.enable = False
* to enable cert publishing only:
    ca.publish.enable = True
    ca.publish.crl.enable = False
Ticket 2275
- PKI TRAC Ticket #2306 - Chrome Can Not Submit EC Client Cert Requests
Add issuer DN and serial number to the AuthorityData object, as
read-only attributes. Values are displayed in the CLI, when present
in the response data.
Fixes: https://fedorahosted.org/pki/ticket/1618
To help troubleshooting, the code has been modified to log more
detailed information in pre-op mode.
https://fedorahosted.org/pki/ticket/1654
- PKI TRAC Ticket #2323 - Firefox Warning appears in EE page launched from
within Chrome
Now that Dogtag can host multiple CAs in a single instance, indicate
the issuer DN in the CertDataInfo structure that is returned for
certificate searches.
Fixes: https://fedorahosted.org/pki/ticket/2322
Requests to the KRA through the CA-KRA connector use the Enrollment
Service. This has been modified to read and store any realm passed in.
The realm can be added to the request by having the admin add
an AuthzRealmDefault and AuthzRealmConstraint in a profile.
At this point, all the constraint does is verify that the realm is
one of a specified list of realms. More verification will be added
in a subsequent patch.
No attempt is made yet to allow users to specify the realm. This
would need to be added as a ProfileInput.
Part of Ticket 2041
New deployment parameters have been added to customize the serial
number range, request number range, and replica number range in
CS.cfg during installation.
The code that generates the CS.cfg has been moved closer to the
code that generates the subsystem configuration folder.
https://fedorahosted.org/pki/ticket/2278
The CS.cfg.in has been renamed to CS.cfg to clean up the CMake
scripts and for consistency. This change does not affect the actual
files shipped in the RPM packages.
https://fedorahosted.org/pki/ticket/2278
Accept the string "host-authority" as a valid reference to the host
authority when creating a sub-CA. This is a convenience for users,
and for systems that do not know (and do not want to look up) the ID
of the host authority.
Part of: https://fedorahosted.org/pki/ticket/1625
- PKI TRAC Ticket #1669 - adminEnroll servlet EnrollSuccess.template
succeeds but fails on import into browser
Some certificate profiles have been modified to remove the default
one minute validity delay, allowing the certificate issued with
those profiles to be used immediately.
https://fedorahosted.org/pki/ticket/2304
Add 'IPACustodiaKeyRetriever', a 'KeyRetriever' implementation for
use when Dogtag is deployed as a FreeIPA CA. The Java class invokes
'pki-ipa-retrieve-key', a Python script that retrieves lightweight
CA keys from the Custodia server on a replica that possesses the
keys. 'pki-ipa-retrieve-key' depends on FreeIPA libraries, FreeIPA
server configuration, and Kerberos and Custodia keys owned by
'pkiuser'.
Part of: https://fedorahosted.org/pki/ticket/1625
Add the framework for key retrieval when a lightweight CA is missing
its signing key. This includes all the bits for loading a
KeyRetriever implementation, initiating retrieval in a thread and
updating the record of which clones possess the key if retrieval was
successful.
It does not include a KeyRetriever implementation. A subsequent
commit will provide this.
Part of: https://fedorahosted.org/pki/ticket/1625
New authority monitor code requires the USN plugin to be
enabled in the database to ensure that the entryUSN attribute
is added to authority entries.
In the case where this plugin was disabled, accessing this
attribute resulted in a null pointer exception which prevented server
startup.
The code has been changed so as not to throw a null pointer exception
on startup if the entryUSN is not present, and also to call an LDIF
to enable the plugin when a subsystem is configured through pkispawn.
When a lightweight CA is created, clones will initialise a local
object when the LDAP replication takes place; however, the signing
keys will not yet have been replicated. Therefore, indicate CA
readiness in authority data and respond appropriately (HTTP 503)
when signing operations are attempted.
Part of: https://fedorahosted.org/pki/ticket/1625
When initialising a lightweight CA, if we do not have the signing
cert and key in the NSSDB yet, we do not initialise the DN. This
causes an NPE in other code that expects getX500Name() to return a
value, e.g. the REST API to list or show a CA.
To work around this, when loading lightweight CAs set the DN based
on the 'authorityDN' value stored in its LDAP entry.
Part of: https://fedorahosted.org/pki/ticket/1625
Implement a thread that performs an LDAP persistent search to keep a
running CA's view of lightweight CAs in sync with the database.
Signing key replication is not yet supported; this will be
implemented in a later patch and will not use the database to
propagate keys.
Part of: https://fedorahosted.org/pki/ticket/1625
LDAP code to add, modify and delete authority entries exists in
multiple places. Extract these methods to remove this duplication
and provide a cleaner basis for upcoming implementation of
replication handling.
Part of: https://fedorahosted.org/pki/ticket/1625
To reduce the amount of code that would be run in the persistent
search thread, extract the host authority entry creation out of the
'loadLightweightCAs' method, into 'CertificateAuthority.init'.
Part of: https://fedorahosted.org/pki/ticket/1625
Part of: https://fedorahosted.org/pki/ticket/1625
Use a static database connection factory that is initialised by the
host authority and used by all CertificateAuthority instances.
Part of: https://fedorahosted.org/pki/ticket/1625
Add the CAMissingCertException and CAMissingKeyException classes and
throw when signing unit initialisation fails due to a missing
object. In CertificateAuthority, store the exception if it occurs
for possible re-throwing later. Also add the private 'hasKeys'
field for internal use.
Part of: https://fedorahosted.org/pki/ticket/1625
The CertificateAuthority.getCACert() has been modified to re-throw
the exception instead of ignoring it. All callers have been
modified to bubble up the exception.
https://fedorahosted.org/pki/ticket/1654
Also drive-by refactor 'createProfileData' to use 'getProfile',
reducing code size.
If an OCSP request includes CertIDs for certificates issued by
multiple CAs, return 'unknown' CertStatus for all certificates not
issued by the "signing" CA.
This patch makes a low risk attempt to slow down the loop that could be
caused by an unexpected exception caused by the unavailability of a
dependent component (e.g. HSM, LDAP) in the middle of CRL generation/update.
New configuration parameters are:
  ca.crl.MasterCRL.unexpectedExceptionWaitTime
    - the wait time in minutes; default is 30
    - normally you want it to be less than ca.crl.MasterCRL.autoUpdateInterval
      and ca.crl.MasterCRL.cacheUpdateInterval
  ca.crl.MasterCRL.unexpectedExceptionLoopMax
    - the max number of tries allowed before the slow down mechanism kicks in;
      default is 10
When such an unexpected failure happens, a loop counter is kept and checked
against the unexpectedExceptionLoopMax. If the loop counter exceeds the
unexpectedExceptionLoopMax, then the current time is checked against the
time of the failure, where the time lapse must exceed the
unexpectedExceptionWaitTime to trigger a delay. This delay is the
countermeasure to mitigate the amount of log messages that could flood
the log(s).
The delay is calculated like this:
  waitTime = mUnexpectedExceptionWaitTime - (now - timeOfUnexpectedFailure);
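The following is an added example, not Dogtag's code, modelling the slow-down mechanism this commit message describes so that the effect of the loop counter and the delay formula on log volume can be seen on a constructed outage. The configuration key names come from the commit message; the class and function names, the choice of minutes as the time unit, the use of the most recent unexpected failure as the reference time, and applying a delay only when the formula yields a positive value are assumptions made here.

```python
"""Added example (not Dogtag's code): model of the CRL update slow-down
mechanism described in the commit message above.

Assumptions: configuration key names are from the commit message, but the
class and function names are hypothetical; time is tracked in minutes (the
unit of unexpectedExceptionWaitTime); the reference time is the most recent
unexpected failure; a delay is applied only when the formula is positive.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class CrlUpdateGuard:
    """Loop counter and delay calculation for unexpected CRL update failures."""
    wait_time: float = 30.0      # ca.crl.MasterCRL.unexpectedExceptionWaitTime (minutes)
    loop_max: int = 10           # ca.crl.MasterCRL.unexpectedExceptionLoopMax
    loop_counter: int = 0
    time_of_failure: Optional[float] = None   # most recent failure, minutes (assumption)

    def on_unexpected_failure(self, now: float) -> float:
        """Record a failure at time `now` and return the delay (minutes) the
        CRL update loop should observe before retrying; 0.0 means no delay."""
        self.loop_counter += 1
        delay = 0.0
        if self.loop_counter > self.loop_max and self.time_of_failure is not None:
            # waitTime = mUnexpectedExceptionWaitTime - (now - timeOfUnexpectedFailure)
            delay = self.wait_time - (now - self.time_of_failure)
            delay = max(delay, 0.0)  # elapsed already exceeds the wait time: no delay
        self.time_of_failure = now
        return delay

    def on_success(self) -> None:
        """A successful update ends the failure streak."""
        self.loop_counter = 0
        self.time_of_failure = None


def simulate_outage(outage_minutes: float, iteration_gap: float,
                    guard: CrlUpdateGuard) -> Dict[str, object]:
    """Simulate the CRL update loop while a dependent component (HSM, LDAP)
    is unavailable for `outage_minutes`. Each attempt takes `iteration_gap`
    minutes and, on failure, emits one log message. Constructed scenario."""
    clock = 0.0
    log_messages = 0
    delays: List[float] = []
    while clock < outage_minutes:
        log_messages += 1                      # the exception gets logged
        delay = guard.on_unexpected_failure(clock)
        delays.append(delay)
        clock += iteration_gap + delay         # retry after the delay, if any
    guard.on_success()                         # component is back: update succeeds
    return {"log_messages": log_messages, "delays": delays, "finished_at": clock}


if __name__ == "__main__":
    guarded = simulate_outage(60.0, 0.5, CrlUpdateGuard())
    unguarded = simulate_outage(60.0, 0.5, CrlUpdateGuard(loop_max=10 ** 9))
    print("log messages during a 60 minute outage:",
          "with slow-down", guarded["log_messages"],
          "without", unguarded["log_messages"])
```

In the constructed scenario (attempts every 30 seconds during a 60 minute HSM or LDAP outage), the first ten failures are logged back to back, after which the formula spaces the remaining attempts out by up to the 30 minute wait time; the unguarded loop logs once per attempt for the whole outage. As the commit message notes, the wait time should stay below the CRL auto-update and cache-update intervals so that the slow-down never delays a scheduled update once the dependent component is back.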
Add audit events for lightweight CA administration.
Fixes: https://fedorahosted.org/pki/ticket/1590
Enrol new CA certs via the profile subsystem to ensure that the
usual audit events are logged and to avoid the nasty ConfigStore
hack used to generate the cert via CertUtil.
This commit also fixes an issue where the new CA certificate does
not have the correct Authority Key Identifier extension.
Fixes: https://fedorahosted.org/pki/ticket/1624
Fixes: https://fedorahosted.org/pki/ticket/1632
Fixes: https://fedorahosted.org/pki/ticket/1628
Fixes: https://fedorahosted.org/pki/ticket/1674
In several places we are casting a 'Principal' to 'PKIPrincipal',
when 'GenericPrincipal' or even no cast will suffice. In upcoming
external authentication support externally authenticated principals
will not be instances of 'PKIPrincipal', so weaken assumptions about
the type of the principal where possible.
Part of: https://fedorahosted.org/pki/ticket/1359
PKCS #7 objects are being output with the "CERTIFICATE CHAIN" label
which is invalid (RFC 7468) and unrecognised by many programs
(including OpenSSL). Use the correct "PKCS7" label instead.
Also do a drive-by refactor of the normalizeCertAndReq to remove
some redundant code.
Fixes: https://fedorahosted.org/pki/ticket/1699
The REST profile service currently responds 400 on conflicting
operations, indicating that the client sent a bad request when this
is not the case. Respond with 409 Conflict instead.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1257518
Avoid race conditions in the LDAPProfileSubsystem by tracking the
most recently known entryUSN of profiles' LDAP entries.
As part of this change, add the commitProfile method to the
IProfileSubsystem interface, remove commit behaviour from the
enableProfile and disableProfile methods and update ProfileService
and ProfileApproveServlet to commit the profile (using the
commitProfile method) where needed.
Part of: https://fedorahosted.org/pki/ticket/1700
Part of: https://fedorahosted.org/pki/ticket/1700
Lightweight CAs mean that a single database can include certificates
from many issuers. Update CRLIssuingPoint to only include
certificates issued by its associated CA.
For backwards compatibility, if the associated CA is the host CA,
certificate records with missing 'issuerName' attribute are also
included.
Fixes: https://fedorahosted.org/pki/ticket/1626