| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In practice, most folks will use something like DirAclAuthz
to manage their realm. Rather than requiring a new authz plugin
for each realm, we allow the authz plugin to support multiple
realms (as a comma separated list).
For the Acl plugins in particular, we expand the authorize call
to allow the caller to pass in the realm as well as the resource
and operation. The resource queried would then be constructed on
the fly as realm.resource
Examples will be provided in the wiki page.
Trac Ticket 2041
|
|
|
|
|
|
|
|
|
|
|
|
| |
Review comments addressed:
1. when archiving or generating keys, realm is checked
2. when no plugin is found for a realm, access is denied.
3. rename mFoo to foo for new variables.
4. add chaining of exceptions
5. remove attributes from KeyArchivalRequest etc. when realm is null
6. Add more detail to denial in BasicGroupAuthz
Part of Trac Ticket 2041
|
|
|
|
| |
Part of Trac Ticket #2041
|
|
|
|
|
|
|
|
|
|
|
| |
1. Added query parameters for the realm. If a realm is
specified, then only the key requests and keys associated
with the realm are returned. If no realm is specified,
then only those requests and keys without a realm are returned.
2. Added parameters to keyClient and the CLI
Part of Trac Ticket #2041
|
|
|
|
|
|
|
|
| |
This will allow users to specify the realm when generating
or archiving a request. No interface change is needed (yet)
because the extra parameter is passed through the request.
Part of Ticket #2041
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Added method to check realm. This method will look for
an authz instance for a specified realm and invoke it to
determine access.
* Added a basic group based authz plugin mostly for testing.
This plugin simply checks if the requestor is in the correct
group. In practice, customers will probably want something more
complex maybe subclassing BasicAclAuthz.
Part of Trac Ticket #2041
|
|
|
|
| |
Part of Trac Ticket# 2041
|
|
|
|
| |
Part of Trac Ticket #2041
|
|
|
|
|
|
|
|
| |
The CLIs for exporting PKCS #12 file have been modified to accept
options to export without trust flags, keys, and/or certificate
chain.
https://fedorahosted.org/pki/ticket/1736
|
|
|
|
|
|
|
|
|
|
|
|
| |
For consistency the pki pkcs12-export has been modified to
overwrite the PKCS #12 output file by default. A new option has
been added to append the exported certificates and keys into the
output file if the file already exists.
The same option has been added to the The pki-server
instance-cert-export and subsystem-cert-export commands.
https://fedorahosted.org/pki/ticket/1736
|
|
|
|
|
|
|
|
|
|
| |
When a lightweight CA is created, clones will initialise a local
object when the LDAP replication takes place, however, the signing
keys will not yet have been replicated. Therefore, indicate CA
readiness in authority data and respond appropriately (HTTP 503)
when signing operations are attempted.
Part of: https://fedorahosted.org/pki/ticket/1625
|
|
|
|
|
|
|
|
|
|
| |
Add the CAMissingCertException and CAMissingKeyException classes and
throw when signing unit initialisation fails due to a missing
object. In CertificateAuthority, store the exception if it occurs
for possible re-throwing later. Also add the private 'hasKeys'
field for internal use.
Part of: https://fedorahosted.org/pki/ticket/1625
|
|
|
|
|
|
|
|
| |
The CertificateAuthority.getCACert() has been modified to re-throw
the exception instead of ignoring it. All callers have been
modified to bubble up the exception.
https://fedorahosted.org/pki/ticket/1654
|
|
|
|
|
|
|
| |
The CertInfoProfile.populate() has been modified to re-throw the
exception instead of ignoring it.
https://fedorahosted.org/pki/ticket/1654
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
For backward compatibility the pki pkcs12-import has been modified
to generate default nicknames and trust flags for CA certificates
if they are not specified in the PKCS #12 file. The PKCS12Util was
also modified to find the certificate corresponding to a key more
accurately using the local ID instead of the subject DN.
The configuration servlet has been modified to provide better
debugging information when updating the security domain.
https://fedorahosted.org/pki/ticket/2255
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds audit logging to TPS REST wrote-specific operations.
The read-specific operations are already captured by AuditEvent=AUTHZ_*
The affected (new or modified) log messages include:
LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_GENERAL_5
LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_PROFILE_6
LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_MAPPING_RESOLVER_6
LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_AUTHENTICATOR_6
LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_CONNECTOR_6
LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_RECORD_6
LOGGING_SIGNED_AUDIT_TOKEN_STATE_CHANGE_8
|
|
|
|
|
|
|
| |
To help troubleshooting the EnrollProfile has been modified to
log the stack trace and chain the exception.
https://fedorahosted.org/pki/ticket/1654
|
|
|
|
|
|
|
|
|
|
|
| |
Several lightweight CA ACLs share the 'certServer.ca.authorities'
name, but when loading ACLs each load overwrites the previous.
If multiple resourceACLS values have the same name, instead of
replacing the existing ACL with the new one, add the rights and
rules to the existing ACL.
Part of: https://fedorahosted.org/pki/ticket/1625
|
|
|
|
|
| |
Commit 04214b3d3405750cbbda228554c0d9f087a59170 left some vestigal
imports behind; remove them.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The installation code has been modified such that it imports all
CA certificates from the PKCS #12 file for cloning before the
server is started using certutil. The user certificates will
continue to be imported using the existing JSS code after the
server is started. This is necessary since JSS is unable to
preserve the CA certificate nicknames.
The PKCS12Util has been modified to support multiple certificates
with the same nicknames.
The pki pkcs12-cert-find has been modified to show certificate ID
and another field indicating whether the certificate has a key.
The pki pkcs12-cert-export has been modified to accept either
certificate nickname or ID.
The pki pkcs12-import has been modified to provide options for
importing only user certificates or CA certificates.
https://fedorahosted.org/pki/ticket/1742
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The pki_server_external_cert_path has been renamed to
pki_server_external_certs_path to match the file name.
A default pki_server_external_certs_path has been added to
default.cfg.
The pki pkcs12-export has been modified to export into existing
PKCS #12 file by default.
The pki-server instance-cert-export has been modified to accept a
list of nicknames to export.
https://fedorahosted.org/pki/ticket/1742
|
|
|
|
|
|
|
| |
The pki CLI's --pkcs12 options has been renamed to --pkcs12-file
for consistency with pki-server CLI options.
https://fedorahosted.org/pki/ticket/1742
|
|
|
|
|
|
|
|
|
|
|
| |
The TPS UI Tokens page and the pki tps-token-find CLI have been
modified to provide an interface to filter tokens based on their
attributes.
The TokenService.findTokens() has been modified to accept
additional search criteria based on token attributes.
https://fedorahosted.org/pki/ticket/1482
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The TokenService.setTokenStatus() has been modified to restore
the temporarily lost token back into either uninitialized or
active state based on whether the token has certificates.
The TPSTokendb.tdbGetCertRecordsByCUID() has been modified to use
only tokenID attribute to search for token certificates more
accurately. It also has been simplified to return the certificate
records collection object directly.
Some constructors were added to the TPSException to allow chaining
the exception cause.
https://fedorahosted.org/pki/ticket/1808
|
|
|
|
|
|
|
|
|
|
| |
Dogtag's Python code has been compatible with Python 3 for a while. A
new package pki-base-python3 provides the pki package for clients.
As of now pki.server is not packages for Python 3.
The pki-base package also provides pki-base-python2.
https://fedorahosted.org/pki/ticket/1739
|
|
|
|
|
|
|
|
|
| |
The OCSP digest name lookup is currently defined in IOCSPAuthority
and implemented by OCSPAuthority, but /any/ code that deals with
CertID might need to know the digest, so move the lookup there.
Also refactor the lookup to use a HashMap, and add mappings for SHA2
algorithms.
|
|
|
|
|
|
|
|
|
|
|
| |
* The cmake files now copy just *.py into the installation directory.
This ensures that no stale pyc files or __pycache__ directories are
copied. rpmbuilder takes care of pyc/pyo compilation on Fedora and
RHEL.
* The pki-core.spec file uses python2 macros. In case of RHEL missing
macros are defined on the top of the file.
* A bug in the python_sitelib macros has been fixed. rpmbuilder doesn't
like lines breaks.
|
|
|
|
|
|
| |
sphinx 1.1 doesn't have sphinx.version_info. All supported version have
sphinx.__version__ string. conf.py now parses the string for version
tests.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Ticket 1742 has a case where a third party CA certificate has
been added by IPA to the dogtag certdb for the proxy cert.
There is no way to ensure that this certificate is imported
when the system is cloned.
This patch will allow the user to import third party certificates
into a dogtag instance through CLI commands (pki-server).
The certs are tracked by a new instance level configuration file
external_certs.conf.
Then, when cloning:
1. When the pk12 file is created by the pki-server ca-clone-prepare
command, the external certs are automatically included.
2. When creating the clone, the new pki_server_pk12_path and
password must be provided. Also, a copy of the
external_certs.conf file must be provided.
3. This copy will be read and merged with the existing
external_certs.conf if one exists.
|
|
|
|
|
|
| |
Add audit events for lightweight CA administration.
Fixes: https://fedorahosted.org/pki/ticket/1590
|
|
|
|
|
|
| |
sphinx-build used wrong search path for pki Python package. This caused
builds to fail on some machines. On systems with pki-base installed,
sphinx-build picked up the wrong files.
|
|
|
|
|
|
|
|
| |
Use html_theme = 'classic' on sphinx 1.3 to silence this warning:
WARNING: 'default' html theme has been renamed to 'classic'. Please
change your html_theme setting either to the new 'alabaster' default
theme, or to 'classic' to keep using the old default.
|
|
|
|
|
|
| |
************* Module pki.cli.pkcs12
E:160,43: Value 'cert_info' doesn't support membership test
(unsupported-membership-test)
|
|
|
|
|
|
|
|
|
| |
sphinx-builder just reports errors to stderr but doesn't signal build
failures in its return code. The -W option turns any warning into a
non-null exit code.
Comment out html_static_path. It doesn't exist, is not used but emits a
warning which is then turned into an error.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently JSS is unable to import CA certificates while preserving
their nicknames. As a workaround, the pki pkcs12-import has been
modified such that it exports individual CA certificates from PKCS
The remaining user certificates will continue to be imported using
JSS.
A new pki pkcs12-cert-export command has been added to export
individual certificates from PKCS #12 file into PEM files.
The pki pkcs12-import has been modified to take a list of nicknames
of the certificates to be imported into NSS database.
https://fedorahosted.org/pki/ticket/1742
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A Python wrapper module has been added for the pki pkcs12-import
command to provide a mechanism to implement a workaround for JSS
import limitation.
Additional fixes by cheimes have been merged into this patch:
setup.py:
We must track all sub-packages manually.
pylint-build-scan.py:
pylint confuses the 'pki' package with the 'pki' command. The
workaround symlinks the command and analysis the command under its
alternative name.
https://fedorahosted.org/pki/ticket/1742
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The installation tool has been modified to provide an optional
pki_server_pkcs12_path property to specify a PKCS #12 file
containing certificate chain, system certificates, and third-party
certificates needed by the subsystem being installed.
If the pki_server_pkcs12_path is specified the installation tool
will no longer download the certificate chain from the security
domain directly, and it will no longer import the PKCS #12
containing the entire master NSS database specified in
pki_clone_pkcs12_path.
For backward compatibility, if the pki_server_pkcs12_path is not
specified the installation tool will use the old mechanism to
import the system certificates.
The ConfigurationUtils.verifySystemCertificates() has been modified
not to catch the exception to help troubleshooting.
https://fedorahosted.org/pki/ticket/1742
|
|
|
|
|
|
|
| |
Pylint 1.5 complains about additional issues. All issues are false
positives.
https://fedorahosted.org/pki/attachment/ticket/2223
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Some pki-server commands have been added to simplify exporting
the required certificates for subsystem installations. These
commands will invoke the pki pkcs12 utility to export the
certificates from the instance NSS database.
The pki-server ca-cert-chain-export command will export the
the certificate chain needed for installing additional
subsystems running on a separate instance.
The pki-server <subsystem>-clone-prepare commands will export
the certificates required for cloning a subsystem.
https://fedorahosted.org/pki/ticket/1742
|
|
|
|
|
|
|
|
|
|
|
|
| |
Enrol new CA certs via the profile subsystem to ensure that the
usual audit events are logged and to avoid the nasty ConfigStore
hack used to generate the cert via CertUtil.
This commit also fixes an issue where the new CA certificate does
not have the correct Authority Key Identifier extension.
Fixes: https://fedorahosted.org/pki/ticket/1624
Fixes: https://fedorahosted.org/pki/ticket/1632
|
|
|
|
|
|
| |
This patch implements the TPS operation auditing: TOKEN_APPLET_UPGRADE_SUCCESS,TOKEN_APPLET_UPGRADE_FAILURE,TOKEN_CERT_ENROLLMENT,TOKEN_CERT_RENEWAL,TOKEN_CERT_RETRIEVAL,TOKEN_KEY_RECOVERY,TOKEN_CERT_STATUS_CHANGE_REQUEST,TOKEN_OP_REQUEST,TOKEN_FORMAT_SUCCESS,TOKEN_FORMAT_FAILURE,TOKEN_KEY_CHANGEOVER,TOKEN_KEY_CHANGEOVER_FAILURE,TOKEN_PIN_RESET_SUCCESS,TOKEN_PIN_RESET_FAILURE,TOKEN_STATE_CHANGE,TOKEN_AUTH_SUCCESS,TOKEN_AUTH_FAILURE
Administrative auditing (via REST interface) will be covered in a separate ticket
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The code to export NSS database into PKCS #12 file in PKCS12Export
tool has been refactored into PKCS12Util class to simplify further
enhancements.
The PKCS12Export tool has also been modified to use Java Logging
API. A default logging configuration file has been added. The
command-line wrapper has been modified to get the path to the
logging configuration file from pki.conf.
https://fedorahosted.org/pki/ticket/1742
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The labels for token states and the transitions are now stored
in token-states.properties. The default file will be stored
in the /usr/share/pki/tps/conf, but it can be overriden by
copying and customizing the file into <instance>/tps/conf.
When the UI retrieves the token data the labels for the current
state and the valid transitions will be loaded from the file
and returned to the UI. The UI will show the transition labels
in the dropdown list for changing token status.
https://fedorahosted.org/pki/ticket/1289
https://fedorahosted.org/pki/ticket/1291
|
|
|
|
|
|
|
|
|
|
| |
The DBSSession has been modified to attach the LDAPException
to the EDBException. The TokenService will catch the EDBException
and obtain the orignal LDAPException. This way the TokenService
can obtain the LDAP error code and throw the proper exception
the client.
https://fedorahosted.org/pki/ticket/1646
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The TPS service has been modified to provide a list of allowed
state transitions based on the current token state. The TPS UI
was modified to display only the allowed state transitions when
changing the token status.
The allowed state transition list has been modified to remove
invalid token transitions including:
* UNINITIALIZED -> FOUND
* UNINITIALIZED -> TEMP_LOST_PERM_LOST
The token FOUND state has been renamed to ACTIVE for clarity.
The token TEMP_LOST_PERM_LOST state has been merged into
PERM_LOST since they are identical in the database.
https://fedorahosted.org/pki/ticket/1289
https://fedorahosted.org/pki/ticket/1291
https://fedorahosted.org/pki/ticket/1684
|
|
|
|
| |
https://fedorahosted.org/pki/ticket/1738
|
|
|
|
|
|
|
| |
The pki.nss module has been renamed into pki.nssdb to prevent
conflicts with the nss module.
https://fedorahosted.org/pki/ticket/456
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The PKIConnection class uses python-requests for HTTPS. The library
picks up several settings from environment variables, e.g. HTTP proxy
server, certificate bundle with trust anchors and authentication. A
proxy can interfere with the Dogtag installer and cause some operations
to fail.
With session.trust_env = False python-requests no longer inspects the
environment and Dogtag has full controll over its connection settings.
For backward compatibility reasons trust_env is only disabled during
installation and removal of Dogtag.
https://requests.readthedocs.org/en/latest/api/?highlight=trust_env#requests.Session.trust_env
https://fedorahosted.org/pki/ticket/1733
https://fedorahosted.org/freeipa/ticket/5555
|