| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
|
|
|
|
| |
The current profile inputs/outputs do not have meaningful IDs
(e.g. i1, i2, o1) and are not used by the client so they should
not be displayed in the CLI output.
In the future the IDs should be renamed into something meaningful
(e.g. keygen, sn, cert) and the inputs/outputs should be retrieved
by ID. New methods have been added to retrieve by ID.
https://fedorahosted.org/pki/ticket/1147
|
| |
|
|
| |
TLS v1.2
|
| | |
|
| |
|
|
|
|
|
| |
New CLI commands have been added to import/export certificates and
private keys into/from the client security database. The CLI can
also be used to generate the file needed by Python client library
for client certificate authentication.
|
| |
|
|
|
|
|
|
|
| |
Installation code failed to anticipate installation of a subordinate
CA that would host its own security domain. This patch includes changes
to python installation code, java configuration servlet and
changes to man pages.
Ticket 1132
|
| |
|
|
| |
subordinate certificate signing requests (CSR)
|
| |
|
|
|
|
|
|
|
|
|
|
| |
A new option has been added to the client-cert-import command to
import a certificate from CA by specifying the serial number.
The client-cert-import has also been modified to get the nickname
of the certificate to import from the CLI argument. For backward
compatibility, if no argument is specified the CLI will try to
get the nickname from the authentication option (-n).
Ticket #1152
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The code to remove the connector from the pki CLI was found to be broken
because of invalid message type (partly due to void returns).
On uninstall, we need to remove the kra-connector from all relevant CA's
in the security domain. The best way to do this is to keep kra-connector
info in LDAP, so that only one call is needed. Until that change has
been made, we are adding a hack to remove the connector from all CA's
in the secutrity domain (if it exists).
Due to issues with proxy configurations, we will continue to use sslget
and a url-encoded-form version of the servlet.
In addition, it was found that when removing a KRA from a shared subsystem,
the updateDomainXML servlet was erroneously returning failure when it
was unsuccessful in removing a non-existent user from a group.
Ticket 1113
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
1. Basic token key recovery functionality is there.
2. Tested with mostly the "damaged" scenerio. The low level
code that writes the recovered certs to the token works and has been
tested with a real token. Some of the other more obscure cases need
some more testing, for instance, the temporary on hold scenario.
3. Renewal has been tested with a real token to work.
4. Much of the complex code to write cert objects and key objects,
as well as importing recovered keys, has been centralized to a method.
This leaves the calling code simpler and easier to trouble shoot.
5. Added a method to check token operation transition states.
6. Fixed an issue with formatting a blank token I introduced.
7. Fixed a few issues with updating certificate records for a token that were discovered.
8. Added tps code to retrieve a certificate for the recovery case.
9. Minor Review fixes.
|
| |
|
|
|
|
| |
All the secrets/keys retrieved using the client API's using Java/python
clients will be of the type - byte array. This applies to output of the
retrieveKey method and the public key attribute of the KeyInfo object.
|
| |
|
|
|
| |
Addresses upstream issues in the pki key-* CLI commands.
Updates the man page in all the required cases.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Adds methods to key client to generate asymmetric keys using
algorithms RSA and DSA for a valid key sizes of 512, 1024, 2048,4096.
The generated keys are archived in the database.
Using the CLI, the public key(base64 encoded) can be retrieved by using
the key-show command.
The private key(base64 encoded) can be retrieved using the key-retrieve
command.
Ticket #1023
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Previously emptying a field in TPS UI could not be saved because
the change was not saved and sent to the server. The UI framework
now has been fixed to save and send the empty field to the server
such that the database can be updated properly.
Additional parameters have been added to the tps-token-mod command
to modify all editable fields.
Ticket #1085
|
| | |
|
| |
|
|
|
|
|
|
| |
The missing token policy attribute has been added to token database. The
REST services, CLI, and UI have been fixed accordingly. Other missing
attributes in tokenRecord object class are unused.
Ticket #1085
|
| |
|
|
|
|
|
| |
The new command allows users to view the information about
kra connectors registered with the CA.
Ticket #479
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The following features implemented for enrollment.
1. Standard enrollment of a list of RSA certificates.
2. Certificates are only done with token side keygen.
3. Minimual enrollment based pin reset functionality implemented to create
a pin for the enrolled token.
4. Much work done to the PKCS11 object code, which allows us to write the
compressed object blob to the token, allowing coolkey to access it and use
the certs and keys on the token.
5. Tested with Bob Relyea's "smartcard" utility to prove that signing and encryption
operations worked as expected.
6. Some work done to get authentication working with esc.
7. Added stub for stand alone Pin Reset processor.
8. CFU review fixes.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds the ability to create a subsystem that uses
an existing subtree to create the internal basedn. This is useful
for instance, for IPA which will use the original o=ipaca as the
top level DN for a KRA, which will be situated at o=ipadrm, o=ipaca.
The patch also allows such a system to be cloned, but not to setup the
replication agreements, on the assumption that the data is already being
replicated at the top-level DN or some higher level.
The patch also contains some minor cleanups - removing unused imports and
removal of an invalid reference in the python code.
Ticket 1051
|
| |
|
|
|
|
|
|
|
|
| |
The REST service and client library have been fixed to use the correct
delimiters for transport certificate.
The REST service was also modified to insert a new line between the
header and the certificate data.
Ticket #1063
|
| |
|
|
| |
* PKI TRAC Ticket #898 - Giant /var/log/pki-ca/debug
|
| |
|
|
|
|
|
|
| |
The ActivityService has been fixed to return the missing TPS activity
attributes including IP, operation, result, and message. The TPS CLI
and UI has been fixed to display the activity date in UTC format.
Ticket #1050
|
| |
|
|
|
|
|
|
|
|
|
| |
Previously if a key archival failed, the REST service would return
an invalid key URL, which would cause an exception when the CLI tried
to parse it. The service has been fixed to return a null URL which
can be detected to avoid parsing invalid value.
The Python library has been modified to handle missing key URL.
Ticket #1043
|
| |
|
|
| |
revoke/unrevoke processor
|
| |
|
|
|
|
|
|
|
|
|
|
| |
For the new security data storage and retrieval, and for symmetric
key generation, we need to store the identity of the agent that is
requesting and approving each operation, both in the ldap record
and in the audit logs. (Tickets 806 and 807)
This patch also adds required logic to check that the owner of the
recovery request is the same agent that retrieves the key. It also
adds missing audit log constants for symmmetric key generation so that
they will show up in the audit log.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
1. Changed the names of some message classes.
2. Did some minor refactoring of methods needed by both the enroll and tps processor.
3. Created classes to handle the parsing and archival of PKCS#11 token data.
4. Created prep code for enrollment that reads in a bunch of config params and creates
convenience objects to carry the data instead of lengthy parameter lists we have had before.
5. Code to generate key on token, tested tpsclient so far.
6. Additional review changes, and merging.
Review changes.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There seems to be no use of the requestID parameter in both revoke
and unrevoke request. Removed requestID attribute in CertRevokeRequest
remove the class CertUnrevokeRequest.
Also made changes in RevocationProcesor to use the requestID of the
request created in it.
The setRequestID() is being called in the DoRevoke and DoUnRevoke servlets.
Removed the call and a function auditRequesterId in both the classes.
The auditRequestorId method tries to get a "requestID" stored as a INPUT field
in the reasonToRequest page. The ReasonToRevoke class which generates
this page does not set the value.
|
| |
|
|
|
|
|
|
|
| |
This patch provides the framework that allows people to
1. write their own authentication plugins using the authentication
plugin framework
2. map the authenticaiton credential from client side (e.g. ESC or alike)
in both display language characters and numbers of credential parameters
to the specified authentication plugin required parameters.
|
| |
|
|
|
|
| |
The TPS connection REST service has been renamed to TPS connector.
Ticket #977
|
| |
|
|
|
|
| |
The TPS connection client library has been renamed to TPS connector.
Ticket #977
|
| |
|
|
|
|
|
|
| |
The UserService.findUserMemberships() has been modified to accept
an additional parameter to filter the groups in which the user
is a member. The CLI has been updated accordingly.
Ticket #920
|
| |
|
|
|
|
|
|
| |
The GroupService.findGroupMembers() has been modified to accept an
additional parameter to filter the group members to be returned.
The CLI has been modified accordingly.
Ticket #920
|
| |
|
|
|
|
|
|
|
|
|
| |
Previously PKIException was not displayed properly in browser
because it doesn't have a writer for HTML. Now the exception mapper
will compute the message format properly, and will default to XML.
The exception mapper itself has been moved into a server package
due to class dependency. The REST application classes have been
updated accordingly.
Ticket #554
|
| |
|
|
|
|
|
|
|
|
| |
Previously the getUser() method in UGSubsystem was using findUsers()
which uses a subtree search to find users. It has been replaced with
a base search which is more accurate since the user DN is known. The
code has also been simplified to merge the two cases where the input
parameter could be a user ID or a DN.
Ticket #920
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The following changes have been done:
1. Applet Upgrade for real token. The applet is written and an instance of applet created.
2. 95% of the format operation done. This includes proper status update progreass bar
for esc and writing the phone home url to the token. Once this operation is complete,
the token can be entered into esc and esc will be able to phone home and point to TPS
for further operations such as enrollment and pin reset when they are implemented.
3. The phoneHome xml file changed slightly to prevent esc from reading exttraneous line
feeds when phoning home.
4. The CS.cfg has been changed to correctly reflect the phone home url we want to write to
the token.
The following to be done to fully finish format, later tickets.
1.Updating the tokendb with tne newly formatted token. Future ticket.
2.Revoking tokens current certificates, if any. Future ticket.
3.Symmetric Key changeover. Future ticket.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The code that configures the TPS connectors during installation
has been modified to use the ConnectionDatabase, which is also
used by the CLI/UI after the installation.
The code has also been fixed to configure the correct properties
as defined in CS.cfg. The static properties have been removed
from CS.cfg because now they will be generated dynamically by
the ConnectionDatabase.
Due to class dependency issue, the methods for configuring the TPS
connectors have been moved from ConfigurationUtils into a new
TPSInstaller class.
The URI's in ConfigurationRequest have been converted from String
into URI to simplify validation.
Ticket #890
|
| |
|
|
|
|
|
| |
The REST interface for security domain has been modified to return
Response objects to allow better handling of server responses.
Ticket #554
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
This patch allows the current secure channel functionality to work with
both tpsclient and esc. In order to get esc to work the following changes
were needed.
1. It turns out the server has been been forcing chunked encoding format upon the
outgoing data. Turns out that the system already knows how to do this so we were
getting double chunk size values and getting twice the amount of CRLF chars.
2. There was a minor error where I was not attempting to select the card manager
applet but the coolkey applet, which does not exist yet.
|
| |
|
|
|
|
|
|
|
|
| |
A new table has been added to the group page in TPS UI for managing
the group members.
The addGroupMember() method in group REST interface has been fixed
to accept JSON request properly.
Ticket #654
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Previously the user's name displayed in the top right corner of the
TPS UI was hardcoded to Administrator. It has been fixed to display
the full name of the authenticated user obtained from the server.
The login() method in the account REST service has been modified to
return the account information about the user and the roles in which
the user belongs. This information can later be used to further
customize the behavior of the UI based on the authorization data.
The PKIRealm has been modified to store the authenticated user info
in the PKI principal.
Ticket #654
|
| | |
|
| |
|
|
|
| |
key-archive, key-retrieve, key-recover, key-generate,
key-request-review, key-template-show, key-template-find
|
| |
|
|
|
| |
This patch adds three new CLI commands -
KeyShowCLI, KeyRequestShowCLI, KeyModifyCLI
|
| |
|
|
|
|
|
|
|
| |
A new method has been added to TPS audit REST service to enable or
disable audit logging. The CLI and UI have been modified to provide
a way to acces this functionality. Also, new ACL entries have been
added for audit.
Ticket #955
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A new dialog has been added to change the token status. The status
can be changed by clicking the Status value in the tokens table.
Initially the status is Uninitialized. The status can be changed
according to the allowed status transitions defined in the CS.cfg.
The status and reason fields in TokenRecord is now translated into
a single status field in TokenData. This way the UI only needs to
handle a single status field.
A new field has also been added to the database for token type.
Some issues displaying and updating some token attributes have been
fixed as well.
Ticket #654
|
| |
|
|
|
|
|
|
|
|
|
|
| |
1. Read applet into memory to prepare to write to token.
2. With tpsclient create secure channel by implementing Initialize Update and ExternalAuthenticate messages.
3. Support for MAC and encryption for messages going on after secure channel has been created.
4. Implemented method to remove an aid file or instance from the token.
5. Added some symkey methods to allow TPS to manipulate session keys.
6. Performed some cfu feedback fixes such as changing al the names of APDU classes to have APDU in the name.
Have not tried this with real token as of yet. The tpsclient does verify of the MAC coming from the server and decrypts encrypted messages. Decrypted messages have to be correct for the MAC verification to work.
Next step will be to add the phone home servlet to the TPS and give it a try with a real token and esc.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A new page has been added to manage general TPS configuration
properties. The properties are read-only by default. In edit
mode the property name will become a link which will show a
dialog to edit the property value.
The config REST service has been updated to use PATCH for
update operation and handle possible null collection of
properties.
Fixed a bug in TableItem.reset() where the code didn't clear
the table cell properly.
Fixed a bug in ConfigDatabase.getProperties() where the code
didn't handle null property key properly.
Ticket #654
|
| |
|
|
|
|
|
|
|
|
| |
A new page has been added to the TPS UI to manage audit configuration.
The audit REST service has been modified to use PATCH like the other
services. The audit events will now have 3 possible values: mandatory,
enabled, disabled. Mandatory events cannot be edited. Optional events
can be edited in edit mode.
Ticket #654
|
| |
|
|
|
|
|
|
| |
A new profile mapping page has been added to TPS UI. The page is fully
functional like other existing pages. The REST service for profile
mappings has been updated to be more consistent with other resources.
Ticket #654
|
