| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
| |
The SigningUnit.init() has been modified to chain the exceptions
to help troubleshooting.
https://fedorahosted.org/pki/ticket/2399
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Support to allow the TPS to do the following:
1. Request that the TKS creates a shared secret with the proper ID, pointing to the TPS.
2. Have the TKS securely return the shared secret back to the TPS during the end of configuration.
3. The TPS then imports the wrapped shared secret into it's own internal NSS db permanenty and.
4. Given a name that is mapped to the TPS's id string.
Additional fixes:
1. The TKS was modified to actually be able to use multiple shared secrets registered by
multiple TPS instances.
Caveat:
At this point if the same remote TPS instance is created over and over again, the TPS's user
in the TKS will accumulate "userCert" attributes, making the exportation of teh shared secret
not functional. At this point we need to assume that the TPS user has ONE "userCert" registered
at this time.
|
| |
|
|
|
|
|
|
| |
Look for the right JAX-RS API JAR (it has moved in Fedora 25).
Also remove a lot of redundant 'find_file' operations for this JAR.
Fixes: https://fedorahosted.org/pki/ticket/2373
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
part 2 of: https://fedorahosted.org/pki/ticket/2298 [non-TMS] for key archival/recovery, not to record certain data in ldap and logs
This patch allows one to exclude certain ldap attributes from the enrollment records for crmf requests
(both CRMF, and CMC CRMF). The following are the highlights:
* CRMF Manual approval profile is disabled: caDualCert.cfg
- If excludedLdapAttrs.enabled is true, then this profile will not work, as the crmf requests (by default it is false)
are not written to ldap record for agents to act on
* excludedLdapAttrs.attrs can be used to configure the attribute list to be excluded
* a new CRMF "auto approval" (directory based, needs to be setup) is provided
* if excludedLdapAttrs.enabled is true (in both ca and kra), the following fields are not written to the ldap record in case of CRMF:
(note: the code deliberately use literal strings on purpose for the reason that the exact literal strings need to be spelled out
in excludedLdapAttrs.attrs if the admin chooses to override the default)
"req_x509info",
"publickey",
"req_extensions",
"cert_request",
"req_archive_options",
"req_key"
* Because of the above (possible exclusion of cert requests in record, profiles
that require agent manual approval will no longer function in the case that
excludedLdapAttrs.enabled is true
* a sleepOneMinute() method is added for debugging purpose. It is not called in the final code, but is left there for future debugging purpose
* code was fixed so that in KRA request will display subject name even though the x509info is missing from request
* cmc requests did not have request type in records, so they had to be added for differentiation
The following have been tested:
* CRMF auto enroll
* CRMF manual enroll/approval
* CMC-CRMF enroll
* both CA and KRA internal ldap are examined for correct data exclusion
Note: CRMF could potentially not include key archival option, however, I am not going to differentiate them at the moment. An earlier prototype I had built attempted to do that and the signing cert's record isn't excluded for attrs write while it's CRMF request is the same as that of its encryption cert counterpart within the same request. Due to this factor (multiple cert reqs with the same request blob), I am treating them the same for exclusion.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The TPS VLVs for tokens and activities has been modified to sort
the results by date in reverse order.
The DBRegistry.getLDAPAttributes() was modified to support reverse
sort order by recognizing the "-" prefix in the list of sort keys
and pass it to LDAP.
The DBVirtualList.setSortKey() was modified to ignore bubble up the
exceptions that happen during LDAP attribute mapping.
https://fedorahosted.org/pki/ticket/2263
https://fedorahosted.org/pki/ticket/2269
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add the CertificateAuthority.renewAuthority() method that creates
and processes a renewal request for the lightweight CA's signing
cert. The new certificate replaces the old certificate in the NSSDB
and the serial number is stored in the 'authoritySerial' attribute.
Clones observe when the 'authoritySerial' attribute has changed and
update the certificate in their NSSDB, too.
The renewal behaviour is available in the REST API as a POST to
/ca/rest/authorities/<id>/renew.
Fixes: https://fedorahosted.org/pki/ticket/2327
|
| |
|
|
|
|
|
| |
This patch comments out unneeded data in TMS debug logs (TPS&TKS);
It reduces the size of the debug logs by a lot.
Note that for ease of later development debugging, the debug lines
are commented out instead of being removed
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
The RenewalProcessor.processRenewal() has been modified to get the
serial number of the certificate to renew from the profile input
in addition to the <SerialNumber> attribute and client certificate.
The serialNum field in CertEnrollmentRequest has been modified to
use CertId which accepts both decimal and hexadecimal value.
https://fedorahosted.org/pki/ticket/999
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch fixes the following areas:
* In the CA, when revokeCert is called, make it possible to move from on_hold
to revoke.
* In the servlet that handles TPS revoke (DoRevokeTPS), make sure it allows
the on_hold cert to be put in the bucket to be revoked.
* there are a few minor fixes such as typos and one have to do with the
populate method in SubjectDNInput.java needs better handling of subject in
case it's null.
Note: This patch does not make attempt to allow agents to revoke certs that
are on_hold from agent interface. The search filter needs to be modified to
allow that.
|
| |
|
|
|
|
|
| |
The date on which the certificate is revoked and the agent that
revoked it is displayed now in cert-find and cert-show output.
Ticket 1055
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Right now, if publishing is enabled, both CRLs and Cert publishing
is enabled. This causes a bunch of spurious error messages on
IPA servers as cert publishing is not configured.
As it is impossible to determine if cert publishing is not desired
or simply misconfigured, we provide options to explicitly disable
either cert or crl publishing.
Specifically:
* to enable/disable both cert and crl publishing:
ca.publish.enable = True/False
This is the legacy behavior.
* to enable CRL publishing only:
ca.publish.enable = True
ca.publish.cert.enable = False
* to enable cert publishing only:
ca.publish.enable = True
ca.publish.crl.enable = False
Ticket 2275
|
| |
|
|
|
|
|
|
| |
Add issuer DN and serial number to the AuthorityData object, as
read-only attributes. Values are displayed in the CLI, when present
in the response data.
Fixes: https://fedorahosted.org/pki/ticket/1618
|
| |
|
|
|
|
|
| |
A new token status UNFORMATTED has been added for new tokens added
via UI/CLI and for TERMINATED tokens that are to be reused.
https://fedorahosted.org/pki/ticket/2287
|
| |
|
|
|
|
| |
The token status READY has been renamed to FORMATTED for clarity.
https://fedorahosted.org/pki/ticket/2288
|
| |
|
|
|
|
|
|
|
| |
An unparseable subject DN is ignored, causing NPE in subsequent
processing becaues the subject DN was not set. Throw
ERejectException if the subject DN is invalid, to ensure that a
useful response can be returned to the requestor.
Fixes: https://fedorahosted.org/pki/ticket/2317
|
| |
|
|
|
|
|
|
| |
Ticket #1636.
Smartcard token enroll/format fails when the ldap user has special characters in userid or password
Tested with both esc and tpsclient. The problem was when using a real card because the client uri encodes
the authentication creds and the server needs to decode them.
|
| |
|
|
|
|
|
|
| |
Now that Dogtag can host multiple CAs in a single instance, indicate
the issuer DN in the CertDataInfo structure that is returned for
certificate searches.
Fixes: https://fedorahosted.org/pki/ticket/2322
|
| |
|
|
|
|
|
|
| |
Now that Dogtag can host multiple CAs in a single instance, add a
certificate search parameter for limiting searches to a particular
issuer.
Fixes: https://fedorahosted.org/pki/ticket/2321
|
| |
|
|
|
|
|
| |
With this fix, error messages are returned to the user when
a request is rejected - either in the UI or from the pki CLI.
Trac Ticket 1247 (amongst others)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Requests to the KRA through the CA-KRA connector use the Enrollment
Service. This has been modified to read and store any realm passed in.
The realm can be added to the request by havibg the admin add
a AuthzRealmDefault and AuthzRealmConstraint in a profile.
At this point, all the constraint does is verify that the realm is
one of a specified list of realms. More verification will be added
in a subsequent patch.
No attempt is made yet to allow users to specify the realm. This
would need to be added as a ProfileInput.
Part of Ticket 2041
|
| |
|
|
|
|
|
|
|
|
|
| |
The token status UNINITIALIZED has been renamed to READY for
clarity.
To simplify the transition, the CLIs and the REST API will continue
to accept UNINITIALIZED but it will be converted internally into
READY and a deprecation warning will be generated.
https://fedorahosted.org/pki/ticket/2288
|
| |
|
|
|
|
|
|
|
|
|
| |
The token status TEMP_LOST has been renamed to SUSPENDED such that
it can be used more general contexts.
To simplify the transition, the CLIs and the REST API will continue
to accept TEMP_LOST but it will be converted internally into
SUSPENDED and a deprecation warning will be generated.
https://fedorahosted.org/pki/ticket/2286
|
| |
|
|
|
|
|
|
| |
The TokenStatus enumeration has been converted into a class to
allow overriding the TokenStatus.valueOf() to provide backward
compatibility.
https://fedorahosted.org/pki/ticket/2286
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In practice, most folks will use something like DirAclAuthz
to manage their realm. Rather than requiring a new authz plugin
for each realm, we allow the authz plugin to support multiple
realms (as a comma separated list).
For the Acl plugins in particular, we expand the authorize call
to allow the caller to pass in the realm as well as the resource
and operation. The resource queried would then be constructed on
the fly as realm.resource
Examples will be provided in the wiki page.
Trac Ticket 2041
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Review comments addressed:
1. when archiving or generating keys, realm is checked
2. when no plugin is found for a realm, access is denied.
3. rename mFoo to foo for new variables.
4. add chaining of exceptions
5. remove attributes from KeyArchivalRequest etc. when realm is null
6. Add more detail to denial in BasicGroupAuthz
Part of Trac Ticket 2041
|
| |
|
|
|
|
|
|
|
|
|
| |
1. Added query parameters for the realm. If a realm is
specified, then only the key requests and keys associated
with the realm are returned. If no realm is specified,
then only those requests and keys without a realm are returned.
2. Added parameters to keyClient and the CLI
Part of Trac Ticket #2041
|
| |
|
|
|
|
|
|
| |
This will allow users to specify the realm when generating
or archiving a request. No interface change is needed (yet)
because the extra parameter is passed through the request.
Part of Ticket #2041
|
| |
|
|
|
|
|
|
|
|
|
|
| |
* Added method to check realm. This method will look for
an authz instance for a specified realm and invoke it to
determine access.
* Added a basic group based authz plugin mostly for testing.
This plugin simply checks if the requestor is in the correct
group. In practice, customers will probably want something more
complex maybe subclassing BasicAclAuthz.
Part of Trac Ticket #2041
|
| |
|
|
| |
Part of Trac Ticket# 2041
|
| |
|
|
| |
Part of Trac Ticket #2041
|
| |
|
|
|
|
|
|
|
|
| |
When a lightweight CA is created, clones will initialise a local
object when the LDAP replication takes place, however, the signing
keys will not yet have been replicated. Therefore, indicate CA
readiness in authority data and respond appropriately (HTTP 503)
when signing operations are attempted.
Part of: https://fedorahosted.org/pki/ticket/1625
|
| |
|
|
|
|
|
|
|
|
| |
Add the CAMissingCertException and CAMissingKeyException classes and
throw when signing unit initialisation fails due to a missing
object. In CertificateAuthority, store the exception if it occurs
for possible re-throwing later. Also add the private 'hasKeys'
field for internal use.
Part of: https://fedorahosted.org/pki/ticket/1625
|
| |
|
|
|
|
|
|
| |
The CertificateAuthority.getCACert() has been modified to re-throw
the exception instead of ignoring it. All callers have been
modified to bubble up the exception.
https://fedorahosted.org/pki/ticket/1654
|
| |
|
|
|
|
|
| |
The CertInfoProfile.populate() has been modified to re-throw the
exception instead of ignoring it.
https://fedorahosted.org/pki/ticket/1654
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds audit logging to TPS REST wrote-specific operations.
The read-specific operations are already captured by AuditEvent=AUTHZ_*
The affected (new or modified) log messages include:
LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_GENERAL_5
LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_PROFILE_6
LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_MAPPING_RESOLVER_6
LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_AUTHENTICATOR_6
LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_CONNECTOR_6
LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_RECORD_6
LOGGING_SIGNED_AUDIT_TOKEN_STATE_CHANGE_8
|
| |
|
|
|
|
|
| |
To help troubleshooting the EnrollProfile has been modified to
log the stack trace and chain the exception.
https://fedorahosted.org/pki/ticket/1654
|
| |
|
|
|
|
|
|
|
|
|
| |
Several lightweight CA ACLs share the 'certServer.ca.authorities'
name, but when loading ACLs each load overwrites the previous.
If multiple resourceACLS values have the same name, instead of
replacing the existing ACL with the new one, add the rights and
rules to the existing ACL.
Part of: https://fedorahosted.org/pki/ticket/1625
|
| |
|
|
|
| |
Commit 04214b3d3405750cbbda228554c0d9f087a59170 left some vestigal
imports behind; remove them.
|
| |
|
|
|
|
|
|
|
|
|
| |
The TPS UI Tokens page and the pki tps-token-find CLI have been
modified to provide an interface to filter tokens based on their
attributes.
The TokenService.findTokens() has been modified to accept
additional search criteria based on token attributes.
https://fedorahosted.org/pki/ticket/1482
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The TokenService.setTokenStatus() has been modified to restore
the temporarily lost token back into either uninitialized or
active state based on whether the token has certificates.
The TPSTokendb.tdbGetCertRecordsByCUID() has been modified to use
only tokenID attribute to search for token certificates more
accurately. It also has been simplified to return the certificate
records collection object directly.
Some constructors were added to the TPSException to allow chaining
the exception cause.
https://fedorahosted.org/pki/ticket/1808
|
| |
|
|
|
|
|
|
|
| |
The OCSP digest name lookup is currently defined in IOCSPAuthority
and implemented by OCSPAuthority, but /any/ code that deals with
CertID might need to know the digest, so move the lookup there.
Also refactor the lookup to use a HashMap, and add mappings for SHA2
algorithms.
|
| |
|
|
|
|
| |
Add audit events for lightweight CA administration.
Fixes: https://fedorahosted.org/pki/ticket/1590
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The installation tool has been modified to provide an optional
pki_server_pkcs12_path property to specify a PKCS #12 file
containing certificate chain, system certificates, and third-party
certificates needed by the subsystem being installed.
If the pki_server_pkcs12_path is specified the installation tool
will no longer download the certificate chain from the security
domain directly, and it will no longer import the PKCS #12
containing the entire master NSS database specified in
pki_clone_pkcs12_path.
For backward compatibility, if the pki_server_pkcs12_path is not
specified the installation tool will use the old mechanism to
import the system certificates.
The ConfigurationUtils.verifySystemCertificates() has been modified
not to catch the exception to help troubleshooting.
https://fedorahosted.org/pki/ticket/1742
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Enrol new CA certs via the profile subsystem to ensure that the
usual audit events are logged and to avoid the nasty ConfigStore
hack used to generate the cert via CertUtil.
This commit also fixes an issue where the new CA certificate does
not have the correct Authority Key Identifier extension.
Fixes: https://fedorahosted.org/pki/ticket/1624
Fixes: https://fedorahosted.org/pki/ticket/1632
|
| |
|
|
|
|
| |
This patch implements the TPS operation auditing: TOKEN_APPLET_UPGRADE_SUCCESS,TOKEN_APPLET_UPGRADE_FAILURE,TOKEN_CERT_ENROLLMENT,TOKEN_CERT_RENEWAL,TOKEN_CERT_RETRIEVAL,TOKEN_KEY_RECOVERY,TOKEN_CERT_STATUS_CHANGE_REQUEST,TOKEN_OP_REQUEST,TOKEN_FORMAT_SUCCESS,TOKEN_FORMAT_FAILURE,TOKEN_KEY_CHANGEOVER,TOKEN_KEY_CHANGEOVER_FAILURE,TOKEN_PIN_RESET_SUCCESS,TOKEN_PIN_RESET_FAILURE,TOKEN_STATE_CHANGE,TOKEN_AUTH_SUCCESS,TOKEN_AUTH_FAILURE
Administrative auditing (via REST interface) will be covered in a separate ticket
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The labels for token states and the transitions are now stored
in token-states.properties. The default file will be stored
in the /usr/share/pki/tps/conf, but it can be overriden by
copying and customizing the file into <instance>/tps/conf.
When the UI retrieves the token data the labels for the current
state and the valid transitions will be loaded from the file
and returned to the UI. The UI will show the transition labels
in the dropdown list for changing token status.
https://fedorahosted.org/pki/ticket/1289
https://fedorahosted.org/pki/ticket/1291
|
