Commit messages

The tomcat, cms, and cmscore packages have been moved from base/common
into separate folders in base/server so that they can be built separately.

Due to a regression RESTEasy is unable to find some sub-resources properly.
As a workaround some resources need to be merged into the parent resource.
The UserCertResource and UserMembershipResource have been merged into
UserResource. The GroupMemberResource has been merged into GroupResource.

The PKIPrincipal is in cmscore package but it's needed by the REST
services in cms package so the class has been moved into cms package.

The CertUserDBAuthentication and PasswdUserDBAuthentication are authentication
managers in cmscore package but they are needed by PKIRealm that is now in cms
package, so new interfaces have been refactored from these classes so they
can be used without causing dependency issue.

PKIRealm has been moved from pki-cmscore into pki-cms package because
it's needed by CMSStartServlet which is in the pki-cms package.

* TRAC Ticket #667 - provide option for ca-less drm install

Ticket 727

A new REST service and clients have been added to manage the audit
configuration in all subsystems.
Ticket #652

Ticket 97

Previously the CLI authentication could fail because it's using a
fixed default subsystem which may not match the command it's trying
to execute. The CLI has now been modified to use the appropriate
default subsystem depending on the command to be executed.

This patch provides basic support for DRM Transport Key Rotation described
in http://pki.fedoraproject.org/wiki/DRM_Transport_Key_Rotation
This patch provides implementation for tickets:
- 729 - CA to include transport certificate when submitting archival request to DRM
- 730 - DRM to detect presence of transport certificate attribute in submitted archival
request and validate transport certificate against DRM's transport key list
- 731 - DRM to provide handling for alternative transport key based on detected
and validated transport certificate arriving as a part of extended archival request

Also changed permissions to allow admin users to delete a connector
and its associated shared secret.

The self tests and TokenServlet are modified to use the new shared secret
names. A parameter has been added to allow legacy systems to continue running
as-is. With a new system, the TKS self test will not fail on startup if
no shared secret keys are configured. It will fail, however, if the keys are
configured, but the ComputeSessionKey operation fails.

A new REST service has been added to the TKS to manage shared secrets.
The shared secret is tied to the TKS-TPS connector, and is created at the
end of the TPS configuration. At this point, the TPS contacts the TKS and
requests that the shared secret be generated. The secret is returned to the
TPS, wrapped using the subsystem certificate of the TPS.
The TPS should then decrypt the shared secret and store it in its certificate
database. This operation requires JSS changes, though, and so will be deferred
to a later patch. For now, though, if the TPS and TKS share the same certdb, then
it is sufficient to generate the shared secret.
Clients and CLI are also provided. The CLI in particular is used to remove the
TPSConnector entries and the shared secret when the TPS is pkidestroyed.

Up to now, only pkispawn with a config file worked for tomcat-tps
installation. This patch adds the functionality for the interactive
installation.

Resteasy 3.0.1 is not populating the @Context parameters if they are
defined in a super class. This is a workaround until that problem is fixed.
See https://issues.jboss.org/browse/RESTEASY-952

Resteasy 3.0.1 uses apache-commons-io. Also fixed PKIErrorInterceptor
with correct method call and reformatted the interceptors.

RESTEasy 3.0.1 provides JAX-RS 2.0 interceptors. We need to either use these
or the proprietary ones in order to compile. These ones appear to be working just fine.
It does turn out that the change to getStringHeaders() is not yet implemented in 3.0.1
so we'll have to fix that.

The ProfilePolicy is in the server package but it's used by IProfile
interface in the base package. The interface has been modified to use
IProfilePolicy instead.

interface

This adds an API call to get a template which can be used to generate an
enrollment request which can be passed into the REST API. The template
is simply a CertRequest with the relevant inputs for that profile added in.
Per code review comments, have added the templates interface to
CertRequestResource instead. This patch now includes /certrequests/profiles
and /certrequests/profiles/{id}. In a subsequent patch, all calls in
ProfileResource will be restricted to admins and agents.

This patch adds initial audit logging to the Profile interface.
A more complete review of audit logging will probably be done for
Common Criteria testing.

Filter was incorrectly setting ldap query to revocationReason*
resulting in a reach for revocationReason 1 returning 1 and 10
Ticket 712

This patch provides new UserSubjectNameConstraint plug-in allowing to include user subject name with its original encoding into certificate.
Ticket #682

The TPS client has been modified to include user client. The TPS CLI
has also been modified to provide user commands. New ACL entries have
been added to grant access rights to TPS administrators.
Ticket #652

The ACLInterceptor and AuthMethodInterceptor interceptors only run
on the server, so they have been moved from the base package into
the server package.

cmscore classes should not depend on classes in cms.

This code allows pkispawn to configure a tps in tomcat.
It does not include any config using the web UI panels.

Simplified the inputs, outputs for ProfileData

1. Fixed REST API as per review.
2. Add output for profile-show and profile-find

The authenticator configuration has been modified to store the authentication
info in the session so it can be used by the servlets. An upgrade script has
been added to update the configuration in existing instances.
The SSLAuthenticatorWithFalback was modified to propagate the configuration
to the actual authenticator handling the request.

NullPointerException if a parameter is not supplied by the caller (TPS) - cfu

This adds the initial framework for viewing and managing profiles.
Also adds CLI code for viewing/adding/deleting and editing profiles.

The CMSRequest is a server class but it's used by the ICommandQueue
that belongs in the base package. To fix the dependency issue the
CMSRequest has been refactored to implement a new interface
ICMSRequest in the base package. Some constants in CMSRequest have
also been moved into ICMSRequest. All code referencing CMSRequest
has been adjusted accordingly.

The key import code was written for when there was only one
subsystem per tomcat instance, and only one subsystem's certs
and keys per p12 file. We need to ensure that only the master's
subsystem keys and certs are imported. Otherwise, unpredictable
behavior happens, like in Ticket 665.

Add checking for sane lengths of the fields in the subject dn.

Previously the server certificate name was partially hard-coded as
"Server-Cert cert-[PKI_INSTANCE_NAME]". Now in Tomcat-based subsystems
it can be fully configured using pki_ssl_server_nickname parameter.
In Apache-based subsystems it's left unchanged.
Unused serverCertNick.conf files have been removed.
Ticket #631

This patch provides plug-in randomizing validity
Ticket #607

java.security.NoSuchAlgorithmException" when using NetHSM token
- small patch to remove Eclipse warning

java.security.NoSuchAlgorithmException" when using NetHSM token

The code used by pkispawn and pkidestroy has been modified to ignore
certificate validity warnings/errors that happen during installation.
The instanceCreationMode is now redundant and has been removed from
ClientConfig.

The code to import CA certificate has been moved from PKIConnection
into PKIClient to allow reuse.
The Client classes have been modified such that they use a shared
PKIClient object instead of PKIConnection.
The return codes in CertFindCLI have been fixed to be more consistent
with other commands.
Ticket #491

This patch corrects JavaScript inability to handle big numbers in key recovery process.
Bug: 955784.