Remove an unused constructor from CertRetrievalRequest, and add a
constructor that receives the CertId, simplifying usage.
Part of: https://fedorahosted.org/pki/ticket/2601
The SubsystemClient.login() method has been modified to return
the AccountInfo obtained from AccountClient.login().
The serverURI field in ClientConfig has been replaced with
serverURL since it actually stores the location of the server.
New methods have been added to access the serverURL field.
Existing methods for serverURI are retained for backward
compatibility.
KEY_USAGE was accidentally added and verify usage was left off.
This results in BZ#1238684
In the migration case, it is useful to delete the initially
created signing certificate database record and have that be
imported through the ldif data import instead.
Therefore, we add an option to remove this entry. The user
also needs to provide the serial number for the entry.
This resolves the following tickets/BZs:
BZ# 1409949/Trac 2573 - CA Certificate Issuance Date displayed
on CA website incorrect
BZ# 1409946/Trac 2571 - Request ID undefined for CA signing
certificate
The ConfigurationRequest.TOKEN_DEFAULT has been replaced with
CryptoUtil.INTERNAL_TOKEN_FULL_NAME since they are identical.
https://fedorahosted.org/pki/ticket/2556
The Constants.PR_FULL_INTERNAL_TOKEN_NAME has been replaced with
CryptoUtil.INTERNAL_TOKEN_FULL_NAME since they are identical.
https://fedorahosted.org/pki/ticket/2556
The Constants.PR_INTERNAL_TOKEN_NAME has been replaced with
CryptoUtil.INTERNAL_TOKEN_NAME since they are identical.
https://fedorahosted.org/pki/ticket/2556
The Constants.PR_INTERNAL_TOKEN has been replaced with
CryptoUtil.INTERNAL_TOKEN_NAME since they are identical.
https://fedorahosted.org/pki/ticket/2556
A new tcp.keepAlive parameter has been added for CS.cfg to
configure the TCP Keep-Alive option for all LDAP connections
created by PKI server. By default the option is enabled.
The LdapJssSSLSocketFactory has been modified to support both
plain and secure sockets. For clarity, the socket factory has been
renamed to PKISocketFactory.
All code that creates LDAP connections has been modified to use
PKISocketFactory such that the TCP Keep-Alive option can be applied
globally.
https://fedorahosted.org/pki/ticket/2564
Part of: https://fedorahosted.org/pki/ticket/1359
Part of: https://fedorahosted.org/pki/ticket/1359
Part of: https://fedorahosted.org/pki/ticket/1359
The getAuthzManagerByRealm public method is defined in
AuthzSubsystem but to support external principals we want to make
this part of the IAuthzSubsystem interface, so other classes (e.g.
ACLInterceptor) can use it.
Part of: https://fedorahosted.org/pki/ticket/1359
Part of: https://fedorahosted.org/pki/ticket/1359
Commit db58e6071f6bb57de006e6499c0a0c6a8c8e67bf has been reverted
due to build issue on RHEL/CentOS.
https://fedorahosted.org/pki/ticket/2531
Previously the pki user-cert-add failed to check whether the server
has a CA subsystem when it's invoked over SSL. That is because the
CLI tries to establish a new but improperly set up SSL connection.
Now the CLI has been modified to use the existing server
connection.
https://fedorahosted.org/pki/ticket/1517
The PKIConnection has been modified to provide two get() methods:
one returning a generic Response object and the other returning an
object with the specified type. The ConfigurationUtils has been
modified accordingly.
https://fedorahosted.org/pki/ticket/1517
The AccountInfo has been changed to extend the ResourceMessage
such that it can be used to pass the list of accessible
components as an attribute.
https://fedorahosted.org/pki/ticket/2523
To discourage the use of policy framework, the framework classes
have been moved into org.dogtagpki.legacy.
https://fedorahosted.org/pki/ticket/6
To reduce Eclipse warnings, classes and methods related to policy
framework have been undeprecated. In the future the policy
framework may be removed since it has already been replaced with
the profile framework.
https://fedorahosted.org/pki/ticket/6
If a retrieval is non-synchronous, we create a non-ephemeral recovery
request and return this Request ID to the client.
Continuation of the previous patch. These are client changes
to allow the client to pass through an approved recovery request
to retrieveKey()
When clients call retrieveKey(), three possible alternatives
now obtain:
1. client passes in an approved request. Request is processed
   and the secret is retrieved.
2. client passes in key_id and wrapping parameters and either:
   a) request can be processed immediately and synchronously
      and request is created, and secret is returned.
   b) request cannot be processed immediately. Recovery request
      is created and request_id returned to the client
Depending on server configuration, the requests in case (2a)
will be stored in ldap or will be ephemeral (in memory only).
More complicated realm based logic to determine if requests
can be processed synchronously or ephemerally will be added in
a later patch.
The deprecated DefaultHttpClient in SubsystemClient, CRMFPopClient,
and OCSPProcessor has been replaced with HttpClientBuilder.
https://fedorahosted.org/pki/ticket/2531
This reverts commit f979c3b436e9a12e8c71ba0abab5c892d375f945.
To help troubleshooting, the EPropertyException has been modified
to provide constructors to chain the original exception.
https://fedorahosted.org/pki/ticket/2463
Based on investigation and solution provided by cfu and jmagne,
the SecurityDataRecoveryService.serviceRequest() has been modified
to use EncryptionUnit.unwrap_temp() for key recovery via CLI in
FIPS mode.
https://fedorahosted.org/pki/ticket/2500
The TPS UI has been modified to adjust the system menu based
on the list of accessible components obtained during login.
The TPSApplication has been modified to use TPSAccountService
which returns the list of accessible components based on the
following properties in the CS.cfg:
* admin: target.configure.list
* agent: target.agent_approve.list
The AccountInfo has been changed to extend the ResourceMessage
such that it can be used to pass the list of accessible
components as an attribute.
https://fedorahosted.org/pki/ticket/2523
LDAP disconnect (e.g. due to DS restart) causes LDAPProfileSubsystem
to drop all its profiles and reload them. If a profile is read
during this time, e.g. to issue a certificate, it might not have
been reloaded thus causing the operation to fail.
Introduce the AsyncLoader class which allows a consumer to await the
completion of a (re)load, if one is happening. Update the
getProfile and getProfileIds method to use it.
The existing 'initialLoadDone' CountDownLatch for blocking
LDAPProfileSubsystem init until the initial load of profiles is
completed was subsumed by AsyncLoader.
Fixes: https://fedorahosted.org/pki/ticket/2453
NOTE: This patch is ONLY intended for Dogtag 10.4.0 versions and later;
it is NOT intended to be back-ported to Dogtag 10.3.x versions.
Fixes: https://fedorahosted.org/pki/ticket/1638
The SelfTestService.findSelfTests() has been modified to return
all selftests defined in the CS.cfg.
https://fedorahosted.org/pki/ticket/2432
The LDAPExceptionConverter has been modified to wrap LDAPException
for invalid attribute syntax with BadRequestException.
https://fedorahosted.org/pki/ticket/833
To help troubleshooting the PKIClient class has been modified to
log the certificate chain retrieved from the CA.
https://fedorahosted.org/pki/ticket/2399
Ticket #2406 Make starting CRL Number configurable
This simple patch provides a pkispawn config param that passes
some starting crl number value to the config process.
Here is a sample:
[CA]
pki_ca_starting_crl_number=4000
After the CA comes up the value of "crlNumber" in the db will
reflect that value of 4000.
Currently no other values are changed. We can talk about if we
need more values reset in the given case.
Also, this creates a setting in the CS.cfg
ca.crl.MasterCrl.startingCrlNumber=4000
This setting is only consulted when the crl Issuing Point record is created
for the first time.
The SigningUnit.init() has been modified to chain the exceptions
to help troubleshooting.
https://fedorahosted.org/pki/ticket/2399
Support to allow the TPS to do the following:
1. Request that the TKS creates a shared secret with the proper ID, pointing to the TPS.
2. Have the TKS securely return the shared secret back to the TPS during the end of configuration.
3. The TPS then imports the wrapped shared secret into its own internal NSS db permanently and.
4. Given a name that is mapped to the TPS's id string.
Additional fixes:
1. The TKS was modified to actually be able to use multiple shared secrets registered by
multiple TPS instances.
Caveat:
At this point if the same remote TPS instance is created over and over again, the TPS's user
in the TKS will accumulate "userCert" attributes, making the exportation of the shared secret
not functional. At this point we need to assume that the TPS user has ONE "userCert" registered
at this time.
part 2 of: https://fedorahosted.org/pki/ticket/2298 [non-TMS] for key archival/recovery, not to record certain data in ldap and logs
This patch allows one to exclude certain ldap attributes from the enrollment records for crmf requests
(both CRMF, and CMC CRMF). The following are the highlights:
* CRMF Manual approval profile is disabled: caDualCert.cfg
- If excludedLdapAttrs.enabled is true, then this profile will not work, as the crmf requests (by default it is false)
are not written to ldap record for agents to act on
* excludedLdapAttrs.attrs can be used to configure the attribute list to be excluded
* a new CRMF "auto approval" (directory based, needs to be setup) is provided
* if excludedLdapAttrs.enabled is true (in both ca and kra), the following fields are not written to the ldap record in case of CRMF:
(note: the code deliberately uses literal strings on purpose for the reason that the exact literal strings need to be spelled out
in excludedLdapAttrs.attrs if the admin chooses to override the default)
"req_x509info",
"publickey",
"req_extensions",
"cert_request",
"req_archive_options",
"req_key"
* Because of the above (possible exclusion of cert requests in record), profiles
that require agent manual approval will no longer function in the case that
excludedLdapAttrs.enabled is true
* a sleepOneMinute() method is added for debugging purpose. It is not called in the final code, but is left there for future debugging purpose
* code was fixed so that in KRA request will display subject name even though the x509info is missing from request
* cmc requests did not have request type in records, so they had to be added for differentiation
The following have been tested:
* CRMF auto enroll
* CRMF manual enroll/approval
* CMC-CRMF enroll
* both CA and KRA internal ldap are examined for correct data exclusion
Note: CRMF could potentially not include key archival option, however, I am not going to differentiate them at the moment. An earlier prototype I had built attempted to do that and the signing cert's record isn't excluded for attrs write while its CRMF request is the same as that of its encryption cert counterpart within the same request. Due to this factor (multiple cert reqs with the same request blob), I am treating them the same for exclusion.
The TPS VLVs for tokens and activities have been modified to sort
the results by date in reverse order.
The DBRegistry.getLDAPAttributes() was modified to support reverse
sort order by recognizing the "-" prefix in the list of sort keys
and pass it to LDAP.
The DBVirtualList.setSortKey() was modified to ignore bubble up the
exceptions that happen during LDAP attribute mapping.
https://fedorahosted.org/pki/ticket/2263
https://fedorahosted.org/pki/ticket/2269
Add the CertificateAuthority.renewAuthority() method that creates
and processes a renewal request for the lightweight CA's signing
cert. The new certificate replaces the old certificate in the NSSDB
and the serial number is stored in the 'authoritySerial' attribute.
Clones observe when the 'authoritySerial' attribute has changed and
update the certificate in their NSSDB, too.
The renewal behaviour is available in the REST API as a POST to
/ca/rest/authorities/<id>/renew.
Fixes: https://fedorahosted.org/pki/ticket/2327
The RenewalProcessor.processRenewal() has been modified to get the
serial number of the certificate to renew from the profile input
in addition to the <SerialNumber> attribute and client certificate.
The serialNum field in CertEnrollmentRequest has been modified to
use CertId which accepts both decimal and hexadecimal value.
https://fedorahosted.org/pki/ticket/999
This patch fixes the following areas:
* In the CA, when revokeCert is called, make it possible to move from on_hold
to revoke.
* In the servlet that handles TPS revoke (DoRevokeTPS), make sure it allows
the on_hold cert to be put in the bucket to be revoked.
* There are a few minor fixes, such as typos, and one that has to do with the
populate method in SubjectDNInput.java, which needs better handling of subject in
case it's null.
Note: This patch does not make an attempt to allow agents to revoke certs that
are on_hold from agent interface. The search filter needs to be modified to
allow that.
The date on which the certificate is revoked and the agent that
revoked it are displayed now in cert-find and cert-show output.
Ticket 1055
Right now, if publishing is enabled, both CRL and cert publishing
are enabled. This causes a bunch of spurious error messages on
IPA servers as cert publishing is not configured.
As it is impossible to determine if cert publishing is not desired
or simply misconfigured, we provide options to explicitly disable
either cert or crl publishing.
Specifically:
* to enable/disable both cert and crl publishing:
    ca.publish.enable = True/False
  This is the legacy behavior.
* to enable CRL publishing only:
    ca.publish.enable = True
    ca.publish.cert.enable = False
* to enable cert publishing only:
    ca.publish.enable = True
    ca.publish.crl.enable = False
Ticket 2275
Add issuer DN and serial number to the AuthorityData object, as
read-only attributes. Values are displayed in the CLI, when present
in the response data.
Fixes: https://fedorahosted.org/pki/ticket/1618
A new token status UNFORMATTED has been added for new tokens added
via UI/CLI and for TERMINATED tokens that are to be reused.
https://fedorahosted.org/pki/ticket/2287