path: root/base/common/src
Commit message | Author | Age | Files | Lines
...
* Bugzilla Bug #975939 - RHCS 8.1: "END CERTIFICATE" tag is not on its own line | Matthew Harmsen | 2013-07-23 | 1 | -1/+1
* Bugzilla Bug #971561 - DRM - server-side key generation causes | Matthew Harmsen | 2013-07-23 | 1 | -4/+5
  NullPointerException if a parameter is not supplied by the caller (TPS) - cfu
* Fixed token authentication problem on RHEL. | Endi S. Dewata | 2013-07-22 | 2 | -57/+10
  The CryptoManager.initialize() and CryptoToken.login() invocation has been moved into the main program as a workaround for the authentication problem on RHEL and to ensure proper initialization in general. Bugzilla #985111
* Add interfaces for managing profiles | Ade Lee | 2013-07-22 | 22 | -196/+1133
  This adds the initial framework for viewing and managing profiles. Also adds CLI code for viewing/adding/deleting and editing profiles.
* Fixed dependency issue on CMSRequest. | Endi S. Dewata | 2013-07-22 | 78 | -343/+439
  The CMSRequest is a server class but it's used by the ICommandQueue that belongs in the base package. To fix the dependency issue the CMSRequest has been refactored to implement a new interface ICMSRequest in the base package. Some constants in CMSRequest have also been moved into ICMSRequest. All code referencing CMSRequest has been adjusted accordingly.
* Make sure only the master keys and certs are imported. | Ade Lee | 2013-06-26 | 1 | -5/+27
  The key import code was written for when there was only one subsystem per tomcat instance, and only one subsystem's certs and keys per p12 file. We need to ensure that only the master's subsystem keys and certs are imported. Otherwise, unpredictable behavior happens, like in Ticket 665.
* Added Tomcat-based TPS instance. | Endi S. Dewata | 2013-06-10 | 1 | -0/+1
  The build and deployment tools have been modified to support creating a basic Tomcat instance to run TPS. New configuration and template files for TPS have been copied from another Tomcat subsystem. The TPS functionality itself will be added in future patches. Ticket #526
* Fix Bug #963073 - rhcs81 tps crash for CN over than 64 bytes | Jack Magne | 2013-06-04 | 1 | -0/+108
  Add checking for sane lengths of the fields in the subject dn.
* Fixed hard-coded server certificate nickname. | Endi Sukma Dewata | 2013-06-03 | 1 | -4/+2
  Previously the server certificate name was partially hard-coded as "Server-Cert cert-[PKI_INSTANCE_NAME]". Now in Tomcat-based subsystems it can be fully configured using pki_ssl_server_nickname parameter. In Apache-based subsystems it's left unchanged. Unused serverCertNick.conf files have been removed. Ticket #631
* Option to include nextUpdate as an offset to thisUpdate | Andrew Wnuk | 2013-05-14 | 1 | -0/+1
  This patch provides an option to generate CRLs with nextUpdate calculated as sum of thisUpdate and an offset. Ticket #571
* Randomized validity | Andrew Wnuk | 2013-05-14 | 3 | -0/+359
  This patch provides plug-in randomizing validity Ticket #607
* Bug 952500 - CMCAuth fails with error "CMCAuth: java.security.NoSuchAlgorithmException" when using NetHSM token | Christina Fu | 2013-05-10 | 1 | -2/+5
  - small patch to remove Eclipse warning
* Bug 952500 - CMCAuth fails with error "CMCAuth: java.security.NoSuchAlgorithmException" when using NetHSM token | Christina Fu | 2013-05-02 | 1 | -1/+25
* Reverting to old CLI behavior on client database initialization. | Endi Sukma Dewata | 2013-04-28 | 2 | -0/+61
  Recently the CLI was changed to initialize the default client database automatically which will create it if it did not exist before. This was causing a problem since the database was not created with a password. To create the database properly a separate command is needed. For now the CLI is reverted to the old behavior where it initializes the database only if it requires for SSL connection and/or client authentication.
* Added separate CLI option for client database password. | Endi Sukma Dewata | 2013-04-28 | 1 | -0/+16
  Previously the -w option is used to specify the password for either the username/password authentication or client database password to do client certificate authentication. Since the passwords now may be used at the same time, a new -c option has been added for the client database password.
* Ignoring warnings/errors during installation. | Endi Sukma Dewata | 2013-04-28 | 3 | -42/+43
  The code used by pkispawn and pkidestroy has been modified to ignore certificate validity warnings/errors that happen during installation. The instanceCreationMode is now redundant and has been removed from ClientConfig.
* Added method to download CA cert chain from admin interface. | Endi Sukma Dewata | 2013-04-26 | 2 | -4/+9
  A new method has been added to the PKIClient to download the CA certificate chain from an alternative location including the admin interface. Ticket #491
* Updated default client database location for CLI. | Endi Sukma Dewata | 2013-04-26 | 1 | -25/+0
  The default client database location for CLI has been changed to ~/.dogtag/nssdb. The database will always be initialized regardless whether it is actually used. Ticket #491
* Refactored code to import CA certificate. | Endi Sukma Dewata | 2013-04-25 | 13 | -161/+231
  The code to import CA certificate has been moved from PKIConnection into PKIClient to allow reuse. The Client classes have been modified such that it uses a shared PKIClient object instead of PKIConnection. The return codes in CertFindCLI have been fixed to be more consistent with other commands. Ticket #491
* cloning improvement | Andrew Wnuk | 2013-04-25 | 1 | -6/+11
  This patch improves cloning in regards to configuration of random certificate serial numbers. Bug: 922121.
* correcting JavaScript inability to handle big numbers | Andrew Wnuk | 2013-04-24 | 3 | -0/+11
  This patch corrects JavaScript inability to handle big numbers in key recovery process. Bug: 955784.
* Check the actual result of operations cert revoke/unrevoke. | Abhishek Koneru | 2013-04-23 | 2 | -2/+37
  Output the actual result of a revoke/unrevoke operation in CLI. Since the actual result of the operation can be different from the cert request status. Ticket #217
* corrected JavaScript issue with big numbers | Andrew Wnuk | 2013-04-23 | 1 | -0/+3
  This patch corrects key IDs miscalculated by JavaScript for key search results and key record views. Bug: 951501.
* Added options to reject/ignore cert validity statuses. | Endi Sukma Dewata | 2013-04-22 | 1 | -14/+75
  New options have been added to the CLI to reject or ignore certain cert validity statuses such as UNTRUSTED_ISSUER or BAD_CERT_DOMAIN. The options can also be defined in pki.conf as a system-wide policy. Ticket #491
* Adding CLI functionality to import CA certificate. | Endi Sukma Dewata | 2013-04-22 | 1 | -2/+74
  The CLI has been modified such that when it connects to an untrusted server it will ask the user whether to import the CA certificate and also ask for the location of the CA server from which to download the CA certificate. Ticket #491
* Minor fixes in a few configuration UI panels of RA and TPS. | Abhishek Koneru | 2013-04-22 | 1 | -0/+1
  Changed the status check and restart commands to systemctl. The text $errorString will not be seen when the security domain login panel is launched for the first time. Ticket #452
* Added servlet to return 501 for rest operations for d9 instances | Ade Lee | 2013-04-22 | 1 | -0/+47
  D9 instances run on tomcat6, which does not have support for the authenticator and realm. We are not supporting the REST operations on D9 style instances. They will need to be migrated. The migration framework has been modified to process d9 or d10 style instances, and a migration script has been added to add the new servlet to existing d9 instances.
* random certificate serial numbers | Andrew Wnuk | 2013-04-19 | 11 | -38/+623
  This patch adds support for random certificate serial numbers. Bug 912554.
* Tracking upgrade using existing config files. | Endi Sukma Dewata | 2013-04-17 | 1 | -1/+1
  The upgrade framework has been modified to use pki.conf to track system upgrade, tomcat.conf to track instance upgrade, and CS.cfg to track subsystem upgrade. The preop.product.version in CS.cfg has been renamed into cms.product.version and is now used to track upgrade. Ticket #544
* Added tokenAuthenticate to admin interface | Ade Lee | 2013-04-16 | 1 | -20/+50
  Modified code to use this interface by default. Added required migration script code. Ticket 546
* Bug 929043 - updated serverCert.profile with SAN results in SubjectAltNameExtDefault gname is empty, not added in cert ext during configuration | Christina Fu | 2013-04-03 | 3 | -3/+10
  Bug 927545 - Transport Cert signing Algorithm doesn't show ECC Signing Algorithms during DRM configuration with ECC
* Bug 824920 - NSCertTypeExtDefault.java incorrectly encodes NSCertTypeExtension bits (patch from mpoole) | Christina Fu | 2013-03-26 | 1 | -3/+4
* Bug 904289 - Add ECC Support to Certificate Profiles | Christina Fu | 2013-03-25 | 1 | -1/+4
* Added CLI option to capture HTTP messages. | Endi Sukma Dewata | 2013-03-22 | 1 | -2/+106
  A new option has been added to the CLI to capture HTTP requests and responses and store them in the specified folder. Ticket #523
* Refactor installation code to remove dependency on jython | Ade Lee | 2013-03-21 | 3 | -14/+13
  Connection is now made to the installation servlet through a python client using JSON. The code to construct the ConfgurationRequest and parse the results has been moved to pkihelper.py, and configuration.py no longer calls a separate jython process to create the Configuration object and parse the results. The jython code has therefore been removed. Also added status servlet to other java subsystems, to be tested prior to starting configuration. Trac Ticket 532
* Plug resource leaks | Ade Lee | 2013-03-08 | 10 | -77/+53
* Clean up various eclipse warnings | Ade Lee | 2013-03-07 | 19 | -85/+1
* Added cert-request-show command. | Endi Sukma Dewata | 2013-03-07 | 3 | -25/+34
  A new cert-request-show command has been added to allow EE users to check certificate request status. Ticket #511
* Added authentication method validation. | Endi Sukma Dewata | 2013-02-19 | 15 | -21/+260
  A new mechanism has been added to specify the authentication methods that can be used to invoke the REST methods. The AuthMethodMapping annotation maps each REST method to a list of allowed authentication methods. When a client calls a REST method, the AuthMethodInterceptor will intercept the call and verify that the client uses an allowed authentication method. Most REST methods that require authentication have been configured to require client certificate authentication. Authentication using username and password will only be used to get the installation token from security domain. Ticket #477
* Added CLI to manage user membership. | Endi Sukma Dewata | 2013-02-18 | 12 | -310/+920
  New CLI's have been added to search, add, and remove user membership. The group member management code has been refactored into a processor to allow reuse. Ticket #190
* Added certificate status option for cert-find. | Endi Sukma Dewata | 2013-02-12 | 2 | -0/+25
  The cert-find command has been modified to provide an option to search by certificate status. Ticket #501
* Add updateDomainXML to admin interface | Ade Lee | 2013-02-11 | 1 | -22/+77
* move updateNumberRange to admin interface | Ade Lee | 2013-02-11 | 1 | -47/+57
* Fix get cert chain to use admin port only | Ade Lee | 2013-02-11 | 2 | -3/+11
* Additional output attributes for cert-find. | Endi Sukma Dewata | 2013-02-07 | 2 | -7/+169
  The cert-find command has been modified to include some additional attributes including certificate type and version, key algorithm name and length, validity dates, creation time and issuer. Ticket #498
* Fixed validity duration options for cert-find. | Endi Sukma Dewata | 2013-02-07 | 2 | -27/+20
  The cert-find command has been fixed to show better error messages on missing validity duration options. The validity duration unit has been changed to take "day", "week", "month", or "year" and convert it into milliseconds. Ticket #291, #500
* Fixed conflicting security domain hosts. | Endi Sukma Dewata | 2013-02-07 | 4 | -45/+69
  The SecurityDomainProcessor has been modified to generate the host ID from the subsystem type, hostname, and secure port instead of relying on the user-configurable SubsystemName attribute. Ticket #503
* Fixed date format for cert-find parameters. | Endi Sukma Dewata | 2013-02-07 | 1 | -6/+1
  All date parameters for cert-find have been modified to use the YYYY-MM-DD date format. Date parsing code in FilterBuilder has been modified not to ignore parsing errors. Ticket #497
* Fixed getInstallToken() invocation. | Endi Sukma Dewata | 2013-02-04 | 3 | -6/+8
  The configuration code has been modified to use the REST interface to get the installation token and ignore CA cert validation errors. Ticket #476
* Session-based nonces. | Endi Sukma Dewata | 2013-02-04 | 14 | -230/+215
  Previously nonces were stored in a global map which might not scale well due to some issues:
  1. The map uses the nonces as map keys. There were possible nonce collisions which required special handling.
  2. The collision handling code was not thread safe. There were possible race conditions during concurrent modifications.
  3. The map was shared and size limited. If there were a lot of users using the system, valid nonces could get pruned.
  4. The map maps the nonces to client certificates. This limits the possible authentication methods that can be supported.
  Now the code has been modified such that each user has a private map in the user's session to store the nonces. Additional locking has been implemented to protect against concurrent modifications. The map now uses the target of the operation as the map key, eliminating possible collisions and allowing the use of other authentication methods. Since this is a private map, it's not affected by the number of users using the system. Ticket #474