| Commit message (Collapse) | Author | Age | Files | Lines |
| |
|
|
|
|
|
|
|
|
|
| |
The pki CLI has been modified to use CT,C,C as the default trust
flags for CA certificate import operations.
https://pagure.io/dogtagpki/issue/2726
Change-Id: I68c5a0303459319cc746a77703d0a420f4f68377
|
|
|
|
|
|
|
|
|
| |
The backslash is no longer used for generating random password
since it's causing SSL hanshake failure.
https://pagure.io/dogtagpki/issue/2676
Change-Id: I2e63769b16fc3fa617b27dccb7b85f139714a411
|
|
|
|
|
|
|
|
|
|
| |
The equal sign is no longer used to generate random password
since it's already used as token name and password delimiter in
password.conf.
https://pagure.io/dogtagpki/issue/2556
Change-Id: Id59f9aae4d01958f69c305e7d5cda44ce5c81c84
|
|
|
|
| |
- https://pagure.io/dogtagpki/issue/2713 - Build failure due to Pylint issues
|
|
|
|
|
|
|
|
|
| |
The pki CLI has been modified to parse the --ignore-banner option
properly and pass it only to Java-based CLI commands.
https://pagure.io/dogtagpki/issue/2683
Change-Id: Ifc3e98f74682a2fb4daeea16e86f495515a2d1f5
|
|
|
|
|
|
|
|
| |
pki.authority was mistakenly sending headers as POST body instead of
sending an empty POST body with right headers.
Change-Id: I6a5089e55233cf72f4d8e79832150e7c45f0fdae
Signed-off-by: Christian Heimes <cheimes@redhat.com>
|
|
|
|
|
|
|
|
| |
This is tested using Barbican as a client. We are simply
reverting to the same behavior we had before for the
NSS Crypto provider case.
Change-Id: I11300b3bea5670c783e1b4736d98f35f30ecf2ce
|
|
|
|
|
|
|
|
|
| |
Incorrect key size lead to errors when the client side
was set to use 3DES. Also deprecate not providing an
encryption algorithm OID explcitly in
archive_encrypted_data()
Change-Id: I51e8ee2aed1d0cddd9d37d91a93c920be901fdb9
|
|
|
|
|
|
|
| |
When no algorithm OID is provided, we used to default to 3DES.
We need to continue to do this to not break IPA.
Change-Id: I620c3d7cec71be1a529056acc6bf3940e25f2f9d
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Keys (like symmetric keys and asymmetric keys) are returned
from the KRA either encrypted or key wrapped. Because the
AES keywrapping algorithm cannot be decrypted using AES CBC,
we need special logic to unwrap the keys.
The flow here is as follows:
1. When a key retrieval request is sent to the server,
the client sends the encryption and key wrapping
algorithms it requires the key to be wrapped along
with the wrapping key.
2. If no encryption algorithm or key wrap algorithm is
recieved, the server assumes its talking to an old
client and uses DES3.
3. The key is retrieved and (on server's choice) is wrapped
or encrypted. The return package will have either
encryption or key wrap algorithm set (depending on how
the key was encrypted/wrapped.)
4. client uses that to determine how to unwrap key.
This patch:
1. Makes sure the key wrap algorithm requested by client
is passed through and used to wrap the retrieved key.
2. Adds logic in the python client to unwrap/decrypt.
3. As python-cryptography does not yet support
AES KeyWrap with padding, the python client is configured
to request AES-CBC by default.
Change-Id: I4ba219bade821249b81e4e9a088959c27827ece1
|
|
|
|
|
|
|
| |
subprocess returns bytes in Python 3. Make sure to
decode first when returning env variables.
Change-Id: I225044c0463f0a84ac5ffb77b28391fac269598d
|
|
|
|
|
|
|
|
|
|
| |
A new function has been added to generate a random password that
meets FIPS requirements for a strong password. This function is
used to generate NSS database password during installation.
https://pagure.io/dogtagpki/issue/2556
Change-Id: I64dd36125ec968f6253f90835e6065325d720032
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Added code to:
* Add an InfoClient to the KRAClient
* Check the server, client and crypto provider keyset levels and
select the highest possible level accordingly.
* Added new fields as returned by the server for retrieval.
* Added new fields to KeyRecoveryRequest as added in AES changes.
Changes to decode keywrapped symmetirc and asymmetric keys will
be added in subsequent patches. Right now, encrypt/decrypt works.
Change-Id: Ifa7748d822c6b6f9a7c4afb395fb1388c587174d
|
|
|
|
|
|
|
|
|
|
|
| |
The python-cryptography provider is added. It will use AES
mechanisms by default. The eventual goal is to use this
provider by default, and to obsolete the NSS CryptoProvider.
Added some methods to determine which crypto keyset levels are
supported by the crypto provider.
Change-Id: Ifd47f0de765a9f0d157e8be678d5d06437bda819
|
| |
|
|
|
|
|
|
|
| |
This is needed to set the same environment as the pki CLI
and pick up any client specific changes.
Change-Id: I92b4df75f2e3ee5112499a1d138e7e649a1214fc
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add python client code to read from the InfoResource class and get
the server version. As the PKIConnection in the python client
currently requires a subsystem, it is difficult to add an infoclient
to an existing KRAClient (or any other client).
To get around this, I modified the PKIConnection to allow using the
rootURI.
Change-Id: Ided75f45f741e2ba3fc86acec715d24b829c8a97
|
| |
|
|
|
|
|
|
| |
https://pagure.io/dogtagpki/issue/2627
Change-Id: I3111e78fc0afb63799e7bd707274ec7a9e8624ac
|
|
|
|
|
| |
The pki.nssdb module has been modified to support operations
without NSS database password.
|
|
|
|
|
| |
The default pki.conf has been modified to export the environment
variables such that they can be used by PKI client.
|
|
|
|
|
|
|
|
|
| |
The PKI CLI has been modified to support cascading configuration
files: default, system-wide, and user-specific configuration.
The existing Python-based PKI CLI was moved into pki.cli.main
module. A new shell script was added as a replacement which will
read the configuration files and invoke the Python module.
|
|
|
|
|
|
| |
The code that loads the password.conf in PKIInstance.load() has
been converted into a general purpose load_properties() method.
A corresponding store_properties() method has been added as well.
|
|
|
|
|
|
| |
Currently, PKIConnection does not allow to have client certificate
and private key stored in different files. However, python-requests
library allows this separation so it should be made possible.
|
|
|
|
|
|
| |
The pki_copytree() has been moved from pkihelper.py into
pki/util.py such that it can be reused in non-deployment
scenarios.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Due to certutil issue (bug #1393668) the installation code has
been modified to import certificates into the NSS database in
two steps. This workaround is needed to install subordinate CA
with HSM in FIPS mode.
First, the certificate will be imported into the HSM using the
HSM password without the trust attributes. Then, the certificate
will be imported into the internal token using the internal token
password with the trust attributes.
https://fedorahosted.org/pki/ticket/2543
|
|
|
|
|
| |
The NSSDatabase.create_request() has been modified to remove
a superfluous argument when invoking certutil.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The pki-server subsystem-cert-update CLI has been updated to
use certutil to retrieve the certificate data from the proper
token. It will also show a warning if the certificate request
cannot be found.
The NSSDatabase constructor has been modified to normalize the
name of internal NSS token to None. If the token name is None,
the certutil will be executed without the -h option.
The NSSDatabase.get_cert() has been modified to prepend the token
name to the certificate nickname.
https://fedorahosted.org/pki/ticket/2440
|
|
|
|
|
|
|
|
|
|
|
| |
PyPI requires a different spelling of LGPLv3+ classifier.
The correct name for installation requirements is 'install_requires',
not 'requirements'.
Add a new version_info command that rewrites setup.py in place to
include the current version. This fixes a problem with source
distributions of the client package.
|
|
|
|
|
|
|
|
| |
To help troubleshooting cloning issues the security_databases.py
has been modified to log the content of the PKCS #12 file before
import and the NSS database after import.
https://fedorahosted.org/pki/ticket/2424
|
| |
|
|
|
|
|
|
|
|
| |
The pki pkcs12-import has been modified to suppress the output of
external command execution and display a completion message more
consistently.
https://fedorahosted.org/pki/ticket/2399
|
|
|
|
|
|
|
|
| |
The pki pkcs12-import CLI has been fixed such that when it calls
pki pkcs12-cert-find internally it does not add --no-trust-flags
option.
https://fedorahosted.org/pki/ticket/2399
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The pki pkcs12-import CLI has been modified not to import
certificates that already exist in the NSS database unless
specifically requested with the --overwrite parameter. This
will avoid changing the trust flags of the CA signing
certificate during KRA cloning.
The some other classes have been modified to provide better
debugging information.
https://fedorahosted.org/pki/ticket/2374
|
|
|
|
|
|
| |
Due to a recently added validation code, the headerless PKCS #7
data generated by IPA needs to be joined into a single line before
storing it in CS.cfg.
|
|
|
|
|
|
|
|
|
| |
A set of pki-server commands has been added to simplify upgrading
TPS VLV indexes.
https://fedorahosted.org/pki/ticket/2354
https://fedorahosted.org/pki/ticket/2263
https://fedorahosted.org/pki/ticket/2269
|
|
|
|
|
|
|
|
| |
The deployment tool has been modified to support adding Subordinate
CA extension into the CSR for Microsoft CA, and also adding generic
extensions to any system certificate.
https://fedorahosted.org/pki/ticket/2312
|
|
|
|
|
|
|
|
| |
The deployment tool has been modified to generate CSR with basic
constraints and key usage extensions for the externally-signed CA
signing certificate.
https://fedorahosted.org/pki/ticket/2312
|
|
|
|
| |
Part of Trac Ticket #2041
|
|
|
|
|
|
|
|
| |
The CLIs for exporting PKCS #12 file have been modified to accept
options to export without trust flags, keys, and/or certificate
chain.
https://fedorahosted.org/pki/ticket/1736
|
|
|
|
|
|
|
|
|
|
|
|
| |
For consistency the pki pkcs12-export has been modified to
overwrite the PKCS #12 output file by default. A new option has
been added to append the exported certificates and keys into the
output file if the file already exists.
The same option has been added to the The pki-server
instance-cert-export and subsystem-cert-export commands.
https://fedorahosted.org/pki/ticket/1736
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
For backward compatibility the pki pkcs12-import has been modified
to generate default nicknames and trust flags for CA certificates
if they are not specified in the PKCS #12 file. The PKCS12Util was
also modified to find the certificate corresponding to a key more
accurately using the local ID instead of the subject DN.
The configuration servlet has been modified to provide better
debugging information when updating the security domain.
https://fedorahosted.org/pki/ticket/2255
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The installation code has been modified such that it imports all
CA certificates from the PKCS #12 file for cloning before the
server is started using certutil. The user certificates will
continue to be imported using the existing JSS code after the
server is started. This is necessary since JSS is unable to
preserve the CA certificate nicknames.
The PKCS12Util has been modified to support multiple certificates
with the same nicknames.
The pki pkcs12-cert-find has been modified to show certificate ID
and another field indicating whether the certificate has a key.
The pki pkcs12-cert-export has been modified to accept either
certificate nickname or ID.
The pki pkcs12-import has been modified to provide options for
importing only user certificates or CA certificates.
https://fedorahosted.org/pki/ticket/1742
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The pki_server_external_cert_path has been renamed to
pki_server_external_certs_path to match the file name.
A default pki_server_external_certs_path has been added to
default.cfg.
The pki pkcs12-export has been modified to export into existing
PKCS #12 file by default.
The pki-server instance-cert-export has been modified to accept a
list of nicknames to export.
https://fedorahosted.org/pki/ticket/1742
|
|
|
|
|
|
|
| |
The pki CLI's --pkcs12 options has been renamed to --pkcs12-file
for consistency with pki-server CLI options.
https://fedorahosted.org/pki/ticket/1742
|
|
|
|
|
|
|
|
|
|
| |
Dogtag's Python code has been compatible with Python 3 for a while. A
new package pki-base-python3 provides the pki package for clients.
As of now pki.server is not packages for Python 3.
The pki-base package also provides pki-base-python2.
https://fedorahosted.org/pki/ticket/1739
|
|
|
|
|
|
|
|
|
|
|
| |
* The cmake files now copy just *.py into the installation directory.
This ensures that no stale pyc files or __pycache__ directories are
copied. rpmbuilder takes care of pyc/pyo compilation on Fedora and
RHEL.
* The pki-core.spec file uses python2 macros. In case of RHEL missing
macros are defined on the top of the file.
* A bug in the python_sitelib macros has been fixed. rpmbuilder doesn't
like lines breaks.
|
|
|
|
|
|
| |
sphinx 1.1 doesn't have sphinx.version_info. All supported version have
sphinx.__version__ string. conf.py now parses the string for version
tests.
|