| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
| |
The index.html files in CA UI have been renamed to index.jsp such
that they can be protected by access banner.
https://fedorahosted.org/pki/ticket/2582
|
| |
|
|
|
| |
To help troubleshooting the CertRequestService has been modified
to chain the original exceptions.
|
| |
|
|
|
|
|
|
|
| |
The subsystem-based methods and fields in PKIService class have
been moved into a new SubsystemService class to allow creating
more generic non-subsystem-based services.
The classes that use these methods and fields have been updated
accordingly.
|
| |
|
|
|
| |
To avoid redundancy the code that finds Jackson libraries has been
moved to the top level CMake script.
|
| |
|
|
|
|
| |
To improve consistency across platforms the code in RPM spec that
creates the links to subsystem library files has been converted
into CMake scripts.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Add the 'CommonNameToSANDefault' profile default class. When used
on a profile, this will examine the (most-specific) Common Name in
the Subject DN, and if it looks like a DNS name, will add it to the
Subject Alternative Name extension, creating the extension if it
does not already exist.
Also add upgrade scriptlet to add the component to registry.cfg in
existing installations.
Fixes: https://fedorahosted.org/pki/ticket/1710
|
| |
|
|
|
|
|
|
|
| |
Direct invocations of CryptoManager.getTokenByName() have been
replaced with CryptoUtil.getCryptoToken() and getKeyStorageToken()
to ensure that internal token names are handled consistently both
in normal mode and FIPS mode.
https://fedorahosted.org/pki/ticket/2556
|
| |
|
|
|
|
|
|
| |
The codes that detect internal token name have been modified to
use CryptoUtil.isInternalToken() such that the comparison can be
done consistently both in normal mode and FIPS mode.
https://fedorahosted.org/pki/ticket/2556
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In the migration case, it is useful to delete the initially
created signing certificate database record and have that be
imported through the ldif data import instead.
Therefore, we add an option to remove this entry. The user
also needs to provide the serial number for the entry.
This resolves the following tickets/BZs:
BZ# 1409949/Trac 2573 - CA Certificate Issuance Date displayed
on CA website incorrect
BZ# 1409946/Trac 2571 - Request ID undefined for CA signing
certificate
|
| |
|
|
|
|
|
| |
The internal token full name literals have been replaced with
CryptoUtil.INTERNAL_TOKEN_FULL_NAME.
https://fedorahosted.org/pki/ticket/2556
|
| |
|
|
|
|
|
|
|
|
|
| |
Currently we try to parse the entryUSN into an Integer, which wraps
the 'int' primitive type. If entryUSN value is too large to fit in
'int', NumberFormatException is raised.
Change LDAPProfileSubsystem and CertificateAuthority to use
BigInteger for entryUSN values.
Fixes: https://fedorahosted.org/pki/ticket/2579
|
| |
|
|
|
|
|
| |
The Constants.PR_INTERNAL_TOKEN has been replaced with
CryptoUtil.INTERNAL_TOKEN_NAME since they are identical.
https://fedorahosted.org/pki/ticket/2556
|
| |
|
|
|
|
|
| |
The CMake scripts have been modified to remove redundant
invocations of find_file() to find Tomcat libraries.
https://fedorahosted.org/pki/ticket/2560
|
| |
|
|
| |
Part of: https://fedorahosted.org/pki/ticket/1359
|
| |
|
|
| |
Part of: https://fedorahosted.org/pki/ticket/1359
|
| |
|
|
| |
- PKI TRAC Ticket #2524 - Remove xenroll.dll from pki-core
|
| |
|
|
|
|
|
| |
Commit f9ddb2e875355e882b14529979f6c9ae03cf720e has been reverted
due to build issue on RHEL/CentOS.
https://fedorahosted.org/pki/ticket/2535
|
| |
|
|
|
|
|
| |
The logging.properties files in CA and KRA folders are never
deployed so they have been removed.
https://fedorahosted.org/pki/ticket/1897
|
| |
|
|
|
|
|
| |
To discourage the use of policy framework, the framework classes
have been moved into org.dogtagpki.legacy.
https://fedorahosted.org/pki/ticket/6
|
| |
|
|
|
|
|
|
| |
The list of source and class files in some CMake files have been
generalized to allow renaming Java packages without changing the
CMake files again.
https://fedorahosted.org/pki/ticket/6
|
| |
|
|
|
|
|
|
|
| |
To reduce Eclipse warnings, classes and methods related to policy
framework have been undeprecated. In the future the policy
framework may be removed since it has already been replaced with
the profile framework.
https://fedorahosted.org/pki/ticket/6
|
| |
|
|
|
|
| |
The deprecated ProxyParser has been replaced with DefaultParser.
https://fedorahosted.org/pki/ticket/2535
|
| |
|
|
|
|
|
| |
The CMake scripts have been modified to store compiled Java classes
in separate folders for each JAR files to avoid duplicates.
https://fedorahosted.org/pki/ticket/2505
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
CA startup creates an LWCA entry for the host authority if it
determines that one has not already been created. It determines if
an LWCA entry corresponds to the host CA by comparing the DN from
LDAP with the DN from the host authority's certificate.
If the DN from the host authority's certificate contains values
encoded as PrintableString, it will compare unequal to the DN from
LDAP, which parses to UTF8String AVA values. This causes the
addition of a spurious host authority entry every time the server
starts.
Serialise DNs before comparing, to avoid these false negatives.
Fixes: https://fedorahosted.org/pki/ticket/2475
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
During two-step installation of externally-signed CA, installation
can fail because host authority's private key cannot be located (a
temporary condition), causing LWCA key replication to fire, which
throws NullPointerException because the host authority's AuthorityID
has not been set yet.
Do not start key retrieval if the CA's AuthorityID is null (a
condition which implies that the CA is the host authority).
Fixes: https://fedorahosted.org/pki/ticket/2466
|
| |
|
|
|
|
|
| |
To help troubleshooting the SigningUnit for CA have been modified
to show additional log messages.
https://fedorahosted.org/pki/ticket/2463
|
| |
|
|
|
|
|
| |
To help troubleshooting the SigningUnit for CA and OCSP have been
modified to chain the original exceptions.
https://fedorahosted.org/pki/ticket/2463
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
When processing lightweight CAs, currently we perform the entryUSN
check before the host authority check. If the entry does not have
an entryUSN attribute, and if the DS USN plugin is not enabled, the
entry gets skipped and we do not reach the host authority check.
This causes the CA to believe that it has not seen the host
authority entry, and results in additional entries being added.
Move the host authority check before the entryUSN check to avoid
this scenario.
Fixes: https://fedorahosted.org/pki/ticket/2444
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Currently we abort adding a lightweight CA if its entry does not
have an 'entryUSN' attribute, and log a failure, even if the USN
plugin is enabled. But if the plugin is enabled, it's fine to
proceed.
Update the authority monitor to check if the USN plugin is enabled
and only log the failure if it is not. Clarify the log message
accordingly.
Part of: https://fedorahosted.org/pki/ticket/2444
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If authorityMonitor observes the deletion of the host CA's authority
entry, it will treat it the same as any other lightweight CA and
delete the signing cert AND KEY from the NSSDB. Because the database
is replicated, the change would be observed and deletion immediately
effected on all running clones. Unless the main CA private key is
backed up somewhere there is no way to recover from this.
Although this scenario does not arise in normal operation, the
impact is severe so add a check that prevents cert and key deletion
for host authority.
Fixes: https://fedorahosted.org/pki/ticket/2443
|
| |
|
|
| |
Fixes: https://fedorahosted.org/pki/ticket/1638
|
| |
|
|
|
|
|
|
|
|
| |
The URLs were generated by a UriBuilder that referred to the resource's
annotated path. This top-level path changed though, even if the underlying
paths did not. Replace this with a reference to the getX methods instead.
Also fixed a few eclipse flagged warnings (unused imports etc).
Ticket 2447
|
| |
|
|
|
|
|
|
| |
The method to retrieve a lightweight CA's PEM-encoded PKCS #7 cert
chain incorrectly returns X.509 data wrapped in PKCS7 PEM header.
Return proper PKCS #7 data.
Fixes: https://fedorahosted.org/pki/ticket/2433
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The CA subsystem OCSP responder was updated to handle dispatching
OCSP requests to the relevant CertificateAuthority instance,
according to the issuer of the certificates identified in the
request. Unfortunately, the updated routine assumes that the
database updates that enable lightweight CAs have occurred. If they
have not, the OCSP responder always fails.
Fix the issue by inferring that if 'caMap' is empty, lightweight CAs
are not in use, the current instance is the one and only CA, and
proceed straight to validation.
Fixes: https://fedorahosted.org/pki/ticket/2420
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Ticket #2406 Make starting CRL Number configurable
This simple patch provides a pkispawn config param that passes
some starting crl number value to the config process.
Here is a sample:
[CA]
pki_ca_starting_crl_number=4000
After the CA comes up the value of "crlNumber" in the db will
reflect that value of 4000.
Currently no other values are changed. We can talk about if we
need more values reset in the given case.
Also, this creates a setting in the CS.cfg
ca.crl.MasterCrl.startingCrlNumber=4000
This setting is only consulted when the crl Issuing Point record is created
for the first time.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
appropriate 'pki' man page
This fix will involve the following changes to the source tree.
1. Fixes to the CS.cfg to add two new cert profiles.
2. Make the caDualCert.cfg profile invisible since it has little chance of
working any more in Firefox.
3. Create caSigningUserCert.cfg and caSigningECUserCert.cfg to allow the CLI
to have convenient profiles from which to enroll signing ONLY certificates.
|
| |
|
|
|
|
|
| |
The SigningUnit.init() has been modified to chain the exceptions
to help troubleshooting.
https://fedorahosted.org/pki/ticket/2399
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
If certificate issuance fails during lightweight CA creation (e.g.
due to a profile constraint violation such as Subject DN not
matching pattern) the API responds with status 500.
Raise BadRequestDataException if cert issuance fails in a way that
indicates bad or invalid CSR data, and catch it to respond with
status 400.
Also do some drive-by exception chaining.
Fixes: https://fedorahosted.org/pki/ticket/2388
|
| |
|
|
|
|
|
|
| |
Look for the right JAX-RS API JAR (it has moved in Fedora 25).
Also remove a lot of redundant 'find_file' operations for this JAR.
Fixes: https://fedorahosted.org/pki/ticket/2373
|
| |
|
|
| |
This patch adds support for SHA384withRSA signing algorithm.
|
| | |
|
| |
|
|
|
|
|
|
| |
Ticket #1579 : UdnPwdDirAuth authentication plugin instance is not working.
Since this class no longer works, we felt it best to just remove it from the server.
This patch removes the references and files associated with this auth method.
|
| |
|
|
|
|
|
|
|
|
| |
The fix here is to make sure no archive related audits get issued for doing
things other than key archivals.
Other operations such as revoking and unrevoking cert in the code path laready
have audit logs issued separately for success or failure.
Ticket #2340.
|
| |
|
|
| |
https://fedorahosted.org/pki/ticket/2363
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
part 2 of: https://fedorahosted.org/pki/ticket/2298 [non-TMS] for key archival/recovery, not to record certain data in ldap and logs
This patch allows one to exclude certain ldap attributes from the enrollment records for crmf requests
(both CRMF, and CMC CRMF). The following are the highlights:
* CRMF Manual approval profile is disabled: caDualCert.cfg
- If excludedLdapAttrs.enabled is true, then this profile will not work, as the crmf requests (by default it is false)
are not written to ldap record for agents to act on
* excludedLdapAttrs.attrs can be used to configure the attribute list to be excluded
* a new CRMF "auto approval" (directory based, needs to be setup) is provided
* if excludedLdapAttrs.enabled is true (in both ca and kra), the following fields are not written to the ldap record in case of CRMF:
(note: the code deliberately use literal strings on purpose for the reason that the exact literal strings need to be spelled out
in excludedLdapAttrs.attrs if the admin chooses to override the default)
"req_x509info",
"publickey",
"req_extensions",
"cert_request",
"req_archive_options",
"req_key"
* Because of the above (possible exclusion of cert requests in record, profiles
that require agent manual approval will no longer function in the case that
excludedLdapAttrs.enabled is true
* a sleepOneMinute() method is added for debugging purpose. It is not called in the final code, but is left there for future debugging purpose
* code was fixed so that in KRA request will display subject name even though the x509info is missing from request
* cmc requests did not have request type in records, so they had to be added for differentiation
The following have been tested:
* CRMF auto enroll
* CRMF manual enroll/approval
* CMC-CRMF enroll
* both CA and KRA internal ldap are examined for correct data exclusion
Note: CRMF could potentially not include key archival option, however, I am not going to differentiate them at the moment. An earlier prototype I had built attempted to do that and the signing cert's record isn't excluded for attrs write while it's CRMF request is the same as that of its encryption cert counterpart within the same request. Due to this factor (multiple cert reqs with the same request blob), I am treating them the same for exclusion.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If an authority entry is read with the authoritySerial attribute,
and the serial differs from the known serial or the serial was
previously unknown, Dogtag attempts to update the certificate in the
NSSDB. The procedure is carried out during initialisation, and if it
fails an exception is thrown, causing the CA to remain unknown.
If the signing key is not yet in the NSSDB, the update is certain to
fail. This can happen e.g. if CA is created on one clone while
another clone is down. When the other clone comes up, it will
immediately see the authoritySerial and trigger this scenario.
To avoid this scenario, only attempt to update the certificate if
the signing unit initialisation completed successfully, implying the
presence of the signing key.
Fixes: https://fedorahosted.org/pki/ticket/2359
|
| |
|
|
|
|
|
| |
Some REST services have been fixed to return the response in XML
format by default.
https://fedorahosted.org/pki/ticket/1276
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The ExternalProcessKeyRetriever currently uses a hackish format
where the certificate and PKIArchiveOptions data are separated by a
null byte. Update the code to expect JSON instead.
No backwards compatibility is provided because at time of writing
the ExternalProcessKeyRetriever is only used in a FreeIPA feature
still under development.
Fixes: https://fedorahosted.org/pki/ticket/2351
|
