| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| | |
|
| |
|
|
| |
Coverity fix for Forward NULL cases in DogTag 10.
|
| |
|
|
| |
Addressed review coments.
|
| |
|
|
|
|
|
| |
A new getEntity() method has been added to obtain the entity from
a Response object and also map HTTP errors into exceptions.
Ticket #161
|
| |
|
|
|
|
|
|
|
|
| |
Generally the user LDAP entry does not contain a seeAlso attribute
unless it's a special database user. The UGSubsystem.removeUserCert()
would fail because it tried to remove the seeAlso attribute. Now the
code has been fixed to remove the seeAlso using a separate modify
operation and ignore the error if it fails due to missing attribute.
Ticket #182
|
| | |
|
| | |
|
| |
|
|
| |
REVERSE_INULL,Wrong_Map_Iterators
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
| |
This patch provides a tool to manage groups and group members via
command line.
Ticket #160
|
| |
|
|
|
|
|
| |
The group REST service is based on UsrGrpAdminServlet. It provides an interface
to manage groups and group members.
Ticket #160
|
| |
|
|
|
|
| |
The user CLI provides a tool to manage users and user certificates.
Ticket #160
|
| |
|
|
|
|
|
| |
The user REST service is based on UsrGrpAdminServlet. It provides an interface
to manage users and user certificates.
Ticket #160
|
| |
|
|
|
|
| |
The AdminServlet has been modified to use the new Auditor service.
Ticket #160
|
| |
|
|
|
|
|
|
|
| |
A new Auditor service has been added to replace the audit service that was
previously only available to subclasses of AdminServlet. The new service
can be used by other components including REST services. The AdminServlet
will be modified to use the Auditor service separately.
Ticket #160
|
| | |
|
| |
|
|
| |
FB.SBSC_USE_STRINGBUFFER_CONCATENATION --Remaining
|
| | |
|
| |
|
|
| |
FB.DM_STRING_CTOR, FB.DM_STRING_VOID_CTOR
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Tickets #144 and #145
Providing the following:
1. Simple EE restful interface for certificates, printing, listing and searching.
2. Simple EE restful interface for certificate enrollment requests.
3. Simple EE restful interface for profiles and profile properties.
4. Simple Test client to exercise the functionality.
5. Created restful client base class inherited by CARestClient and DRMRestClient.
6. Provide simple restful implementations of new interfaces added.
ToDO: Need some more refactoring to base classes for some of the new classes which are similar to classes
in the DRM restful area.
ToDO: Actual certificate enrollment code that will be refactored from existing ProfileSubmitServlet.
Provide CA EE Restful interface and test client review fixes.
|
| |
|
|
| |
Added code to create container on master if it does not exist.
|
| |
|
|
|
|
| |
Currently the realm only returns the last acl result in a multiple entry ACL. Since most of them only have one entry, this is mistly ok. This simple fix allows the code to handle multiple entries correctly.
Ticket #123.
|
| | |
|
| |
|
|
| |
Ticket #156
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Installation code common to the panels and the installation servlet are extracted to a
ConfigurationUtils file. The panel code will be cleaned up to use the code in this
class in a later commit.
Contains restful client and test driver code. The test driver code should be modified
and placed in a junit/system test framework. Installation has been tested to work with
the following installations: master CA, clone CA, KRA, OCSP, TKS, subordinate CA, CA
signed by external CA (parts 1 and 2).
Ticket #155
|
| |
|
|
|
|
|
| |
The Thread.stop() is deprecated, so the key status update thread is now
implemented with executor service to allow stopping the task gracefully.
Ticket #3
|
| |
|
|
|
|
|
|
| |
Some exceptions used deprecated resource class names as the bundle name,
they have been replaced with string constants. The deprecated resource
classes are no longer used, so they have been removed.
Ticket #3
|
| |
|
|
|
|
|
| |
Most of unused private fields have been removed because they generate
warnings in Eclipse. Some are kept because it might be useful later.
Ticket #139
|
| |
|
|
|
|
| |
Unnecessary type casts have been removed using Eclipse Quick Fix.
Ticket #134
|
| |
|
|
|
|
|
|
| |
Whitespaces in Java code have been removed with the following command:
find . -not -path .git -name *.java -exec sed -i 's/[[:blank:]]\+$//' {} \;
Ticket #134
|
| |
|
|
|
|
|
| |
The VelocityServlet is deprecated but the replacement is not available
in Fedora, so the warnings are ignored for now.
Ticket #133
|
| |
|
|
|
|
|
| |
The IRequest.asIAttrSet() is necessary and there is no replacement
so it has been undeprecated.
Ticket #3
|
| |
|
|
|
|
|
| |
The VLV control can be obtained directly from the list of response
controls by checking its type.
Ticket #3
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
For the ECC plan and the different phases, please refer to
http://pki.fedoraproject.org/wiki/ECC_in_Dogtag
Design for each phase is on the same wiki page.
Note: the designs beyond phase 2 were more like a brain dump. Although I said
"Do Not Review," you are free to take a peak at what's intended down the road.
I will go back and take a closer look and refine/adjust the designs when I
begin implementation for each new phase.
What you need to know:
* Problem 1 - nethsm issue:
On the server side, if you turn on FIPS mode, in addition to nethsm, you need
to attach certicom as well to have ECC SSL working on the server side. This
problem has already been reported to Thales last year and they said they'd look
into putting the item on their next release. Recently through a different
contact, we learned there might be a way to "turn it on" (still waiting for
their further instruction)
* Problem 2- Certicom issue:
This is a show-stopper for deployment. Initially, on the client side, I used Kai's special
version of Xulrunner/Firefox, attached to Certicom token, so that the CRMF
requests can be generated with key archival option. However, I encountered
(or, re-encountered) an issue with certicom token. Certicom generates ECC keys
with the wrong format (not PKCS7 conforming), which makes ECC key archival
impossible on the server side if you use non-certicom token with DRM (but we
expect an HSM in most product deployment). I have contacted Certicom for this
issue, and they confirmed that they indeed have such issue. We are hoping they will fix it.
But then you might ask, "I thought I saw some ECC enrollment
profiles/javascripts being checked in? How were the tests done?" The tests for
those profiles were done against this ECC key archival/recovery DRM prototype I
implemented last year (needs to be turned on manually in 8.1), where I
"cheated" (yeah, that's why it's called a prototype) by decrypting the private
key in the CRMF on DRM, and then manipulating the byte array to strip off the
offending bytes before archival.
In the real, non-prototype implementation, which is what's in this patch, for
security reasons, private keys are unwrapped directly onto the token during key
archival, so there is no way to manipulate the keys in memory and bypass the
Certicom issue.
A word about Kai's special version of Xulrunner/Firefox. It is not yet
publicly available (due out in Firefox 10.0.4 on RHEL 5.8).
* Problem 3- Firefox with nethsm issue:
Another option was to connect Kai's special version firefox with an HSM to test
my DRM/JSS code. However, for whatever reason, I could not get SSL going
between such Firefox and ECC CA ( I did not try very hard though, as I have one
other option -- writing my own ECC CRMF generation tool. I might come back to
try the nethsm Firefox idea later)
My solution (how I work on this official implementation):
* I hacked up a ECC CRMF tool by taking the CRMFPopClient (existing in current
releases), gutting out the RSA part of the code, and replacing it with ECC
code. I call it CRMFPopClientEC. Two types of ECC key pairs could be
generated: ECDSA or ECDH (That's another benefit of writing my own tool -- I
don't know if you can select which type to generate in the Javascript... maybe
you can, I just don't know). I'm in no way condoning archival of signing
keys!! This is just a test tool.
This tool takes a curve name as option (along with others), generates an ECC
key pair, crafts up an CRMF request with key archival option, and sends request
directly to the specified CA. You will see a "Deferred" message in the HTML
response (see attachment for example)
Once CA agent approves the request, the archival request goes to DRM and the
user private key is archived.
For recovery, DRM agent selects key recovery, etc, and you get your pkcs12.
I did some sanity test with the pkcs12 recovered:
* Import the recovered pkcs12 into a certicom library:
pk12util -d . -h "Certicom FIPS Cert/Key Services" -i userEC.p12
I also tested by retrieving a p12, importing it into a browser, and adding the
user as an agent and the user could act as agent via ssl client auth to the CA.
Finally, much of the RSA-centric code had been cleared out of the way at the
time when I worked on the DRM ECC prototype, so you don't see much of that in
this round.
How do you test? Well, unless you want to use my CRMFPopClientEC tool hooked up
with a nethsm (like I did), or write your own tool, you can't really test it
until Certicom fixes their issue. (BTW CRMFPopClientEC can also be changed to
work with ceriticom, although you would run into the same issue I mentioned
above)
|
| |
|
|
|
|
|
|
|
|
| |
The CMSException was added to simplify error handling in REST services.
The exception may include an error message and some other attributes.
When the server throws a CMSException (or its subclass), the exception
will be marshalled into XML and unmarshalled by the client, then thrown
again as a new exception which can be caught by the application.
Ticket #100
|
| |
|
|
|
|
|
| |
The deprecated fromRaw() method in PK11PubKey has been replaced
with fromSPKI().
Ticket #3
|
| |
|
|
|
|
|
| |
The deprecated authenticate() method in LDAPConnection has been
replaced with another authenticate() method with different signature.
Ticket #3
|
| |
|
|
|
|
|
| |
The deprecated getAlgorithmId() method in AlgorithmId has been replaced
with get().
Ticket #3
|
| |
|
|
|
|
|
| |
The deprecated createScrollPaneForTable() method in JTable() has been
replaced with JScrollPane() constructor.
Ticket #3
|
| |
|
|
|
|
| |
The deprecated show() method in Dialog has been replaced with setVisible().
Ticket #3
|
| |
|
|
|
|
|
| |
The deprecated getText() method in JPasswordField has been replaced
with getPassword().
Ticket #3
|
| |
|
|
|
|
|
| |
The deprecated readLine() method in DataInputStream has been replaced
by the same method in BufferedReader.
Ticket #3
|
|
|
Previously the source code was located inside a pki folder.
This folder was created during svn migration and is no longer
needed. This folder has now been removed and the contents have
been moved up one level.
Ticket #131
|
