| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Keys (like symmetric keys and asymmetric keys) are returned
from the KRA either encrypted or key wrapped. Because the
AES keywrapping algorithm cannot be decrypted using AES CBC,
we need special logic to unwrap the keys.
The flow here is as follows:
1. When a key retrieval request is sent to the server,
the client sends the encryption and key wrapping
algorithms it requires the key to be wrapped along
with the wrapping key.
2. If no encryption algorithm or key wrap algorithm is
recieved, the server assumes its talking to an old
client and uses DES3.
3. The key is retrieved and (on server's choice) is wrapped
or encrypted. The return package will have either
encryption or key wrap algorithm set (depending on how
the key was encrypted/wrapped.)
4. client uses that to determine how to unwrap key.
This patch:
1. Makes sure the key wrap algorithm requested by client
is passed through and used to wrap the retrieved key.
2. Adds logic in the python client to unwrap/decrypt.
3. As python-cryptography does not yet support
AES KeyWrap with padding, the python client is configured
to request AES-CBC by default.
Change-Id: I4ba219bade821249b81e4e9a088959c27827ece1
|
| |
|
|
|
|
|
| |
subprocess returns bytes in Python 3. Make sure to
decode first when returning env variables.
Change-Id: I225044c0463f0a84ac5ffb77b28391fac269598d
|
| |
|
|
|
|
|
|
|
|
| |
A new function has been added to generate a random password that
meets FIPS requirements for a strong password. This function is
used to generate NSS database password during installation.
https://pagure.io/dogtagpki/issue/2556
Change-Id: I64dd36125ec968f6253f90835e6065325d720032
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Added code to:
* Add an InfoClient to the KRAClient
* Check the server, client and crypto provider keyset levels and
select the highest possible level accordingly.
* Added new fields as returned by the server for retrieval.
* Added new fields to KeyRecoveryRequest as added in AES changes.
Changes to decode keywrapped symmetirc and asymmetric keys will
be added in subsequent patches. Right now, encrypt/decrypt works.
Change-Id: Ifa7748d822c6b6f9a7c4afb395fb1388c587174d
|
| |
|
|
|
|
|
|
|
|
|
| |
The python-cryptography provider is added. It will use AES
mechanisms by default. The eventual goal is to use this
provider by default, and to obsolete the NSS CryptoProvider.
Added some methods to determine which crypto keyset levels are
supported by the crypto provider.
Change-Id: Ifd47f0de765a9f0d157e8be678d5d06437bda819
|
| | |
|
| |
|
|
|
|
|
| |
This is needed to set the same environment as the pki CLI
and pick up any client specific changes.
Change-Id: I92b4df75f2e3ee5112499a1d138e7e649a1214fc
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Add python client code to read from the InfoResource class and get
the server version. As the PKIConnection in the python client
currently requires a subsystem, it is difficult to add an infoclient
to an existing KRAClient (or any other client).
To get around this, I modified the PKIConnection to allow using the
rootURI.
Change-Id: Ided75f45f741e2ba3fc86acec715d24b829c8a97
|
| | |
|
| |
|
|
|
|
| |
https://pagure.io/dogtagpki/issue/2627
Change-Id: I3111e78fc0afb63799e7bd707274ec7a9e8624ac
|
| |
|
|
|
| |
The pki.nssdb module has been modified to support operations
without NSS database password.
|
| |
|
|
|
| |
The default pki.conf has been modified to export the environment
variables such that they can be used by PKI client.
|
| |
|
|
|
|
|
|
|
| |
The PKI CLI has been modified to support cascading configuration
files: default, system-wide, and user-specific configuration.
The existing Python-based PKI CLI was moved into pki.cli.main
module. A new shell script was added as a replacement which will
read the configuration files and invoke the Python module.
|
| |
|
|
|
|
| |
The code that loads the password.conf in PKIInstance.load() has
been converted into a general purpose load_properties() method.
A corresponding store_properties() method has been added as well.
|
| |
|
|
|
|
| |
Currently, PKIConnection does not allow to have client certificate
and private key stored in different files. However, python-requests
library allows this separation so it should be made possible.
|
| |
|
|
|
|
| |
The pki_copytree() has been moved from pkihelper.py into
pki/util.py such that it can be reused in non-deployment
scenarios.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Due to certutil issue (bug #1393668) the installation code has
been modified to import certificates into the NSS database in
two steps. This workaround is needed to install subordinate CA
with HSM in FIPS mode.
First, the certificate will be imported into the HSM using the
HSM password without the trust attributes. Then, the certificate
will be imported into the internal token using the internal token
password with the trust attributes.
https://fedorahosted.org/pki/ticket/2543
|
| |
|
|
|
| |
The NSSDatabase.create_request() has been modified to remove
a superfluous argument when invoking certutil.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The pki-server subsystem-cert-update CLI has been updated to
use certutil to retrieve the certificate data from the proper
token. It will also show a warning if the certificate request
cannot be found.
The NSSDatabase constructor has been modified to normalize the
name of internal NSS token to None. If the token name is None,
the certutil will be executed without the -h option.
The NSSDatabase.get_cert() has been modified to prepend the token
name to the certificate nickname.
https://fedorahosted.org/pki/ticket/2440
|
| |
|
|
|
|
|
|
|
|
|
| |
PyPI requires a different spelling of LGPLv3+ classifier.
The correct name for installation requirements is 'install_requires',
not 'requirements'.
Add a new version_info command that rewrites setup.py in place to
include the current version. This fixes a problem with source
distributions of the client package.
|
| |
|
|
|
|
|
|
| |
To help troubleshooting cloning issues the security_databases.py
has been modified to log the content of the PKCS #12 file before
import and the NSS database after import.
https://fedorahosted.org/pki/ticket/2424
|
| | |
|
| |
|
|
|
|
|
|
| |
The pki pkcs12-import has been modified to suppress the output of
external command execution and display a completion message more
consistently.
https://fedorahosted.org/pki/ticket/2399
|
| |
|
|
|
|
|
|
| |
The pki pkcs12-import CLI has been fixed such that when it calls
pki pkcs12-cert-find internally it does not add --no-trust-flags
option.
https://fedorahosted.org/pki/ticket/2399
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The pki pkcs12-import CLI has been modified not to import
certificates that already exist in the NSS database unless
specifically requested with the --overwrite parameter. This
will avoid changing the trust flags of the CA signing
certificate during KRA cloning.
The some other classes have been modified to provide better
debugging information.
https://fedorahosted.org/pki/ticket/2374
|
| |
|
|
|
|
| |
Due to a recently added validation code, the headerless PKCS #7
data generated by IPA needs to be joined into a single line before
storing it in CS.cfg.
|
| |
|
|
|
|
|
|
|
| |
A set of pki-server commands has been added to simplify upgrading
TPS VLV indexes.
https://fedorahosted.org/pki/ticket/2354
https://fedorahosted.org/pki/ticket/2263
https://fedorahosted.org/pki/ticket/2269
|
| |
|
|
|
|
|
|
| |
The deployment tool has been modified to support adding Subordinate
CA extension into the CSR for Microsoft CA, and also adding generic
extensions to any system certificate.
https://fedorahosted.org/pki/ticket/2312
|
| |
|
|
|
|
|
|
| |
The deployment tool has been modified to generate CSR with basic
constraints and key usage extensions for the externally-signed CA
signing certificate.
https://fedorahosted.org/pki/ticket/2312
|
| |
|
|
| |
Part of Trac Ticket #2041
|
| |
|
|
|
|
|
|
| |
The CLIs for exporting PKCS #12 file have been modified to accept
options to export without trust flags, keys, and/or certificate
chain.
https://fedorahosted.org/pki/ticket/1736
|
| |
|
|
|
|
|
|
|
|
|
|
| |
For consistency the pki pkcs12-export has been modified to
overwrite the PKCS #12 output file by default. A new option has
been added to append the exported certificates and keys into the
output file if the file already exists.
The same option has been added to the The pki-server
instance-cert-export and subsystem-cert-export commands.
https://fedorahosted.org/pki/ticket/1736
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
For backward compatibility the pki pkcs12-import has been modified
to generate default nicknames and trust flags for CA certificates
if they are not specified in the PKCS #12 file. The PKCS12Util was
also modified to find the certificate corresponding to a key more
accurately using the local ID instead of the subject DN.
The configuration servlet has been modified to provide better
debugging information when updating the security domain.
https://fedorahosted.org/pki/ticket/2255
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The installation code has been modified such that it imports all
CA certificates from the PKCS #12 file for cloning before the
server is started using certutil. The user certificates will
continue to be imported using the existing JSS code after the
server is started. This is necessary since JSS is unable to
preserve the CA certificate nicknames.
The PKCS12Util has been modified to support multiple certificates
with the same nicknames.
The pki pkcs12-cert-find has been modified to show certificate ID
and another field indicating whether the certificate has a key.
The pki pkcs12-cert-export has been modified to accept either
certificate nickname or ID.
The pki pkcs12-import has been modified to provide options for
importing only user certificates or CA certificates.
https://fedorahosted.org/pki/ticket/1742
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The pki_server_external_cert_path has been renamed to
pki_server_external_certs_path to match the file name.
A default pki_server_external_certs_path has been added to
default.cfg.
The pki pkcs12-export has been modified to export into existing
PKCS #12 file by default.
The pki-server instance-cert-export has been modified to accept a
list of nicknames to export.
https://fedorahosted.org/pki/ticket/1742
|
| |
|
|
|
|
|
| |
The pki CLI's --pkcs12 options has been renamed to --pkcs12-file
for consistency with pki-server CLI options.
https://fedorahosted.org/pki/ticket/1742
|
| |
|
|
|
|
|
|
|
|
| |
Dogtag's Python code has been compatible with Python 3 for a while. A
new package pki-base-python3 provides the pki package for clients.
As of now pki.server is not packages for Python 3.
The pki-base package also provides pki-base-python2.
https://fedorahosted.org/pki/ticket/1739
|
| |
|
|
|
|
|
|
|
|
|
| |
* The cmake files now copy just *.py into the installation directory.
This ensures that no stale pyc files or __pycache__ directories are
copied. rpmbuilder takes care of pyc/pyo compilation on Fedora and
RHEL.
* The pki-core.spec file uses python2 macros. In case of RHEL missing
macros are defined on the top of the file.
* A bug in the python_sitelib macros has been fixed. rpmbuilder doesn't
like lines breaks.
|
| |
|
|
|
|
| |
sphinx 1.1 doesn't have sphinx.version_info. All supported version have
sphinx.__version__ string. conf.py now parses the string for version
tests.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Ticket 1742 has a case where a third party CA certificate has
been added by IPA to the dogtag certdb for the proxy cert.
There is no way to ensure that this certificate is imported
when the system is cloned.
This patch will allow the user to import third party certificates
into a dogtag instance through CLI commands (pki-server).
The certs are tracked by a new instance level configuration file
external_certs.conf.
Then, when cloning:
1. When the pk12 file is created by the pki-server ca-clone-prepare
command, the external certs are automatically included.
2. When creating the clone, the new pki_server_pk12_path and
password must be provided. Also, a copy of the
external_certs.conf file must be provided.
3. This copy will be read and merged with the existing
external_certs.conf if one exists.
|
| |
|
|
|
|
| |
sphinx-build used wrong search path for pki Python package. This caused
builds to fail on some machines. On systems with pki-base installed,
sphinx-build picked up the wrong files.
|
| |
|
|
|
|
|
|
| |
Use html_theme = 'classic' on sphinx 1.3 to silence this warning:
WARNING: 'default' html theme has been renamed to 'classic'. Please
change your html_theme setting either to the new 'alabaster' default
theme, or to 'classic' to keep using the old default.
|
| |
|
|
|
|
| |
************* Module pki.cli.pkcs12
E:160,43: Value 'cert_info' doesn't support membership test
(unsupported-membership-test)
|
| |
|
|
|
|
|
|
|
| |
sphinx-builder just reports errors to stderr but doesn't signal build
failures in its return code. The -W option turns any warning into a
non-null exit code.
Comment out html_static_path. It doesn't exist, is not used but emits a
warning which is then turned into an error.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently JSS is unable to import CA certificates while preserving
their nicknames. As a workaround, the pki pkcs12-import has been
modified such that it exports individual CA certificates from PKCS
The remaining user certificates will continue to be imported using
JSS.
A new pki pkcs12-cert-export command has been added to export
individual certificates from PKCS #12 file into PEM files.
The pki pkcs12-import has been modified to take a list of nicknames
of the certificates to be imported into NSS database.
https://fedorahosted.org/pki/ticket/1742
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A Python wrapper module has been added for the pki pkcs12-import
command to provide a mechanism to implement a workaround for JSS
import limitation.
Additional fixes by cheimes have been merged into this patch:
setup.py:
We must track all sub-packages manually.
pylint-build-scan.py:
pylint confuses the 'pki' package with the 'pki' command. The
workaround symlinks the command and analysis the command under its
alternative name.
https://fedorahosted.org/pki/ticket/1742
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The installation tool has been modified to provide an optional
pki_server_pkcs12_path property to specify a PKCS #12 file
containing certificate chain, system certificates, and third-party
certificates needed by the subsystem being installed.
If the pki_server_pkcs12_path is specified the installation tool
will no longer download the certificate chain from the security
domain directly, and it will no longer import the PKCS #12
containing the entire master NSS database specified in
pki_clone_pkcs12_path.
For backward compatibility, if the pki_server_pkcs12_path is not
specified the installation tool will use the old mechanism to
import the system certificates.
The ConfigurationUtils.verifySystemCertificates() has been modified
not to catch the exception to help troubleshooting.
https://fedorahosted.org/pki/ticket/1742
|
| |
|
|
|
|
|
| |
Pylint 1.5 complains about additional issues. All issues are false
positives.
https://fedorahosted.org/pki/attachment/ticket/2223
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Some pki-server commands have been added to simplify exporting
the required certificates for subsystem installations. These
commands will invoke the pki pkcs12 utility to export the
certificates from the instance NSS database.
The pki-server ca-cert-chain-export command will export the
the certificate chain needed for installing additional
subsystems running on a separate instance.
The pki-server <subsystem>-clone-prepare commands will export
the certificates required for cloning a subsystem.
https://fedorahosted.org/pki/ticket/1742
|
