summaryrefslogtreecommitdiffstats
path: root/base/common/src/com/netscape/certsrv
Commit message (Collapse)AuthorAgeFilesLines
* Moved REST services into separate URLs.Endi Sukma Dewata2012-08-034-14/+14
| | | | | | | | | | | To support different access control configurations the REST services have been separated by roles. Services that don't need authentication will be available under /rest. Services that require agent rights will be available under /rest/agent. Services that require admin rights will be available under /rest/admin. Ticket #107
* Refactored PKI JNDI realm.Endi Sukma Dewata2012-07-313-0/+22
| | | | | | | | | The PKI JNDI realm has been modified to utilize the authentication and authorization subsystems in PKI engine directly. It's no longer necessary to define the LDAP connection settings in Tomcat's configuration files. Ticket #126
* Cert CLI - cert-request-review and cert-request-approve implementationsAbhishek Koneru2012-07-301-0/+1
|
* Merged changes in com.netscape.certsrv.common.Endi Sukma Dewata2012-07-187-3/+14
| | | | | | | | | | Due to packaging issue the source code in com.netscape.certsrv.common were duplicated into common and console packages and over time they have become out-of-sync. This patch merges the changes such that they are now identical. When the packaging issue is fixed later the duplicate copy can be removed. Ticket #113
* NO_HASHCODE_OVERRIDDENAbhishek Koneru2012-07-122-22/+34
|
* Added cert revocation REST service.Endi Sukma Dewata2012-07-115-15/+61
| | | | | | | The cert revocation REST service is based on DoRevoke and DoUnrevoke servlets. It provides an interface to manage certificate revocation. Ticket #161
* Refactored RequestStatus.Endi Sukma Dewata2012-07-102-62/+92
| | | | | | | | | The RequestStatus has been modified to use a map to convert string into RequestStatus instance. The string constants in RequestStatus are no longer needed because instances can be compared using equal sign directly or equals(). Ticket #161
* SE_BAD_FIELD, MIGHT_IGNORE , STATIC_INNER_CLASSAbhishek Koneru2012-07-104-4/+12
|
* Coverity CATCH_REXCEPTION and UNREAD_FIELD_CASESAbhishek Koneru2012-07-061-53/+49
|
* Adding restful interface to create certificate requests and issue certificates.Ade Lee2012-07-033-0/+45
| | | | | | | | | | Refactored ProfileSubmitServlet to make the flow clearer. Both the legacy servlets and the new RESTful servlets use common ProfileProcessor objects that contain the main business logic, so that the amount of duplicated code is minimized. Refactored ProfileProcessServlet to use the new common classes. Addressed review comments. Removed an unneeded class and reverted some unneeded jaxb annotations. Added factory methods.
* Fixes for Guarded_By_Violation issues shown in CoverityAbhishek Koneru2012-07-021-1/+3
|
* Fixes for Coverity Issues of type Null Returns - Part 3Abhishek Koneru2012-06-201-2/+4
|
* Fixes for Coverity issues of type Stringbuffer, NO_EQUALS_METHOD , ↵Abhishek Koneru2012-06-151-4/+4
| | | | REVERSE_INULL,Wrong_Map_Iterators
* Fixes for NULL_RETURNS Coverity Issues - Part 2Abhishek Koneru2012-06-142-37/+29
|
* Fixes for NULL_RETURN cases review commentsAbhishek Koneru2012-06-051-5/+1
|
* Fixes for Null_Returns Cases - 1 For CommitAbhishek Koneru2012-06-051-19/+11
|
* Fixes for Coverity Issues CALL_SUPER,UNCONFIRMEDCAST,DEAD_STORE,TOSTRING_ARRAYAbhishek Koneru2012-06-011-2/+2
|
* Added group REST service.Endi Sukma Dewata2012-05-318-0/+473
| | | | | | | The group REST service is based on UsrGrpAdminServlet. It provides an interface to manage groups and group members. Ticket #160
* Added user REST service.Endi Sukma Dewata2012-05-317-0/+755
| | | | | | | The user REST service is based on UsrGrpAdminServlet. It provides an interface to manage users and user certificates. Ticket #160
* Added Auditor service.Endi Sukma Dewata2012-05-293-0/+100
| | | | | | | | | A new Auditor service has been added to replace the audit service that was previously only available to subclasses of AdminServlet. The new service can be used by other components including REST services. The AdminServlet will be modified to use the Auditor service separately. Ticket #160
* Patch for fixes for Review CommentsAbhishek Koneru2012-05-242-4/+2
|
* Fixes for Coverity Defects of Category : FB.SBSC_USE_STRINGBUFFER_CONCATENATIONAbhishek Koneru2012-05-242-11/+11
|
* Provide CA EE Restful interface and test client.Jack Magne2012-05-072-0/+171
| | | | | | | | | | | | | | | | | | Tickets #144 and #145 Providing the following: 1. Simple EE restful interface for certificates, printing, listing and searching. 2. Simple EE restful interface for certificate enrollment requests. 3. Simple EE restful interface for profiles and profile properties. 4. Simple Test client to exercise the functionality. 5. Created restful client base class inherited by CARestClient and DRMRestClient. 6. Provide simple restful implementations of new interfaces added. ToDO: Need some more refactoring to base classes for some of the new classes which are similar to classes in the DRM restful area. ToDO: Actual certificate enrollment code that will be refactored from existing ProfileSubmitServlet. Provide CA EE Restful interface and test client review fixes.
* Removed deprecated resources.Endi Sukma Dewata2012-04-1210-229/+5
| | | | | | | | Some exceptions used deprecated resource class names as the bundle name, they have been replaced with string constants. The deprecated resource classes are no longer used, so they have been removed. Ticket #3
* Removed unused private fields.Endi Sukma Dewata2012-04-122-1/+1
| | | | | | | Most of unused private fields have been removed because they generate warnings in Eclipse. Some are kept because it might be useful later. Ticket #139
* Removed unnecessary type casts.Endi Sukma Dewata2012-04-0913-41/+37
| | | | | | Unnecessary type casts have been removed using Eclipse Quick Fix. Ticket #134
* Removed whitespaces from Java code.Endi Sukma Dewata2012-04-09317-2409/+2409
| | | | | | | | Whitespaces in Java code have been removed with the following command: find . -not -path .git -name *.java -exec sed -i 's/[[:blank:]]\+$//' {} \; Ticket #134
* Undeprecated IRequest.asIAttrSet().Endi Sukma Dewata2012-04-091-7/+0
| | | | | | | The IRequest.asIAttrSet() is necessary and there is no replacement so it has been undeprecated. Ticket #3
* Fix for Bug 745278 - [RFE] ECC encryption keys cannot be archived.Christina Fu2012-04-051-0/+8
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | For the ECC plan and the different phases, please refer to http://pki.fedoraproject.org/wiki/ECC_in_Dogtag Design for each phase is on the same wiki page. Note: the designs beyond phase 2 were more like a brain dump. Although I said "Do Not Review," you are free to take a peak at what's intended down the road. I will go back and take a closer look and refine/adjust the designs when I begin implementation for each new phase. What you need to know: * Problem 1 - nethsm issue: On the server side, if you turn on FIPS mode, in addition to nethsm, you need to attach certicom as well to have ECC SSL working on the server side. This problem has already been reported to Thales last year and they said they'd look into putting the item on their next release. Recently through a different contact, we learned there might be a way to "turn it on" (still waiting for their further instruction) * Problem 2- Certicom issue: This is a show-stopper for deployment. Initially, on the client side, I used Kai's special version of Xulrunner/Firefox, attached to Certicom token, so that the CRMF requests can be generated with key archival option. However, I encountered (or, re-encountered) an issue with certicom token. Certicom generates ECC keys with the wrong format (not PKCS7 conforming), which makes ECC key archival impossible on the server side if you use non-certicom token with DRM (but we expect an HSM in most product deployment). I have contacted Certicom for this issue, and they confirmed that they indeed have such issue. We are hoping they will fix it. But then you might ask, "I thought I saw some ECC enrollment profiles/javascripts being checked in? How were the tests done?" The tests for those profiles were done against this ECC key archival/recovery DRM prototype I implemented last year (needs to be turned on manually in 8.1), where I "cheated" (yeah, that's why it's called a prototype) by decrypting the private key in the CRMF on DRM, and then manipulating the byte array to strip off the offending bytes before archival. In the real, non-prototype implementation, which is what's in this patch, for security reasons, private keys are unwrapped directly onto the token during key archival, so there is no way to manipulate the keys in memory and bypass the Certicom issue. A word about Kai's special version of Xulrunner/Firefox. It is not yet publicly available (due out in Firefox 10.0.4 on RHEL 5.8). * Problem 3- Firefox with nethsm issue: Another option was to connect Kai's special version firefox with an HSM to test my DRM/JSS code. However, for whatever reason, I could not get SSL going between such Firefox and ECC CA ( I did not try very hard though, as I have one other option -- writing my own ECC CRMF generation tool. I might come back to try the nethsm Firefox idea later) My solution (how I work on this official implementation): * I hacked up a ECC CRMF tool by taking the CRMFPopClient (existing in current releases), gutting out the RSA part of the code, and replacing it with ECC code. I call it CRMFPopClientEC. Two types of ECC key pairs could be generated: ECDSA or ECDH (That's another benefit of writing my own tool -- I don't know if you can select which type to generate in the Javascript... maybe you can, I just don't know). I'm in no way condoning archival of signing keys!! This is just a test tool. This tool takes a curve name as option (along with others), generates an ECC key pair, crafts up an CRMF request with key archival option, and sends request directly to the specified CA. You will see a "Deferred" message in the HTML response (see attachment for example) Once CA agent approves the request, the archival request goes to DRM and the user private key is archived. For recovery, DRM agent selects key recovery, etc, and you get your pkcs12. I did some sanity test with the pkcs12 recovered: * Import the recovered pkcs12 into a certicom library: pk12util -d . -h "Certicom FIPS Cert/Key Services" -i userEC.p12 I also tested by retrieving a p12, importing it into a browser, and adding the user as an agent and the user could act as agent via ssl client auth to the CA. Finally, much of the RSA-centric code had been cleared out of the way at the time when I worked on the DRM ECC prototype, so you don't see much of that in this round. How do you test? Well, unless you want to use my CRMFPopClientEC tool hooked up with a nethsm (like I did), or write your own tool, you can't really test it until Certicom fixes their issue. (BTW CRMFPopClientEC can also be changed to work with ceriticom, although you would run into the same issue I mentioned above)
* Added CMSException.Endi Sukma Dewata2012-03-302-0/+22
| | | | | | | | | | The CMSException was added to simplify error handling in REST services. The exception may include an error message and some other attributes. When the server throws a CMSException (or its subclass), the exception will be marshalled into XML and unmarshalled by the client, then thrown again as a new exception which can be caught by the application. Ticket #100
* Removed unnecessary pki folder.Endi Sukma Dewata2012-03-26325-0/+37067
Previously the source code was located inside a pki folder. This folder was created during svn migration and is no longer needed. This folder has now been removed and the contents have been moved up one level. Ticket #131