summaryrefslogtreecommitdiffstats
path: root/base/common
Commit message (Collapse)AuthorAgeFilesLines
...
* Add option to remove signing cert entryAde Lee2017-01-241-0/+32
| | | | | | | | | | | | | | | In the migration case, it is useful to delete the initially created signing certificate database record and have that be imported through the ldif data import instead. Therefore, we add an option to remove this entry. The user also needs to provide the serial number for the entry. This resolves the following tickets/BZs: BZ# 1409949/Trac 2573 - CA Certificate Issuance Date displayed on CA website incorrect BZ# 1409946/Trac 2571 - Request ID undefined for CA signing certificate
* Replaced internal token full name literals.Endi S. Dewata2017-01-241-33/+33
| | | | | | | The internal token full name literals have been replaced with CryptoUtil.INTERNAL_TOKEN_FULL_NAME. https://fedorahosted.org/pki/ticket/2556
* Refactored ConfigurationRequest.TOKEN_DEFAULT.Endi S. Dewata2017-01-212-10/+12
| | | | | | | The ConfigurationRequest.TOKEN_DEFAULT has been replaced with CryptoUtil.INTERNAL_TOKEN_FULL_NAME since they are identical. https://fedorahosted.org/pki/ticket/2556
* Refactored Constants.PR_FULL_INTERNAL_TOKEN_NAME.Endi S. Dewata2017-01-211-1/+0
| | | | | | | The Constants.PR_FULL_INTERNAL_TOKEN_NAME has been replaced with CryptoUtil.INTERNAL_TOKEN_FULL_NAME since they are identical. https://fedorahosted.org/pki/ticket/2556
* Refactored Constants.PR_INTERNAL_TOKEN_NAME.Endi S. Dewata2017-01-211-2/+0
| | | | | | | The Constants.PR_INTERNAL_TOKEN_NAME has been replaced with CryptoUtil.INTERNAL_TOKEN_NAME since they are identical. https://fedorahosted.org/pki/ticket/2556
* Refactored Constants.PR_INTERNAL_TOKEN.Endi S. Dewata2017-01-211-1/+0
| | | | | | | The Constants.PR_INTERNAL_TOKEN has been replaced with CryptoUtil.INTERNAL_TOKEN_NAME since they are identical. https://fedorahosted.org/pki/ticket/2556
* Added upgrade script to update AJP loopback address.Endi S. Dewata2017-01-201-0/+4
| | | | | | | | An upgrade script has been added to replace IPv4- and IPv6-specific AJP loopback address with a more generic "localhost" in existing instances. https://fedorahosted.org/pki/ticket/2570
* Added global TCP Keep-Alive option.Endi S. Dewata2017-01-182-0/+13
| | | | | | | | | | | | | | | | A new tcp.keepAlive parameter has been added for CS.cfg to configure the TCP Keep-Alive option for all LDAP connections created by PKI server. By default the option is enabled. The LdapJssSSLSocketFactory has been modified to support both plain and secure sockets. For clarity, the socket factory has been renamed to PKISocketFactory. All codes that create LDAP connections have been modified to use PKISocketFactory such that the TCP Keep-Alive option can be applied globally. https://fedorahosted.org/pki/ticket/2564
* Ticket #2569: Token memory not wiped after key deletionJack Magne2017-01-112-1/+26
| | | | | This is the dogtag upstream side of the TPS portion of this ticket. This fix also involves an applet fix, handled in another bug.
* Refactored pki_copytree().Endi S. Dewata2016-12-211-0/+76
| | | | | | The pki_copytree() has been moved from pkihelper.py into pki/util.py such that it can be reused in non-deployment scenarios.
* Removed redundant find_file() for Tomcat libraries.Endi S. Dewata2016-12-181-22/+0
| | | | | | | The CMake scripts have been modified to remove redundant invocations of find_file() to find Tomcat libraries. https://fedorahosted.org/pki/ticket/2560
* Define "req_authority_id" IRequest extdata key in IRequestFraser Tweedale2016-12-121-0/+5
| | | | Part of: https://fedorahosted.org/pki/ticket/1359
* Define "profileId" IRequest extdata key in one placeFraser Tweedale2016-12-121-0/+2
| | | | Part of: https://fedorahosted.org/pki/ticket/1359
* Define "auth_token" IRequest extdata key prefix in one placeFraser Tweedale2016-12-121-0/+4
| | | | Part of: https://fedorahosted.org/pki/ticket/1359
* Add getAuthzManagerNameByRealm to IAuthzSubsystemFraser Tweedale2016-12-121-0/+9
| | | | | | | | | The getAuthzManagerByRealm public method is defined in AuthzSubsystem but to support external principals we want to make this part of the IAuthzSubsystem interface, so other classes (e.g. ACLInterceptor) can use it. Part of: https://fedorahosted.org/pki/ticket/1359
* Move AuthToken key constants to IAuthTokenFraser Tweedale2016-12-122-34/+34
| | | | Part of: https://fedorahosted.org/pki/ticket/1359
* Revert "Replaced deprecated DefaultHttpClient."Endi S. Dewata2016-12-021-6/+20
| | | | | | | Commit db58e6071f6bb57de006e6499c0a0c6a8c8e67bf has been reverted due to build issue on RHEL/CentOS. https://fedorahosted.org/pki/ticket/2531
* Revert "Replaced deprecated ProxyParser."Endi S. Dewata2016-12-021-4/+4
| | | | | | | Commit f9ddb2e875355e882b14529979f6c9ae03cf720e has been reverted due to build issue on RHEL/CentOS. https://fedorahosted.org/pki/ticket/2535
* Fixed problem with pki user-cert-add.Endi S. Dewata2016-11-231-21/+7
| | | | | | | | | | Previously the pki user-cert-add fails to check whether the server has a CA subsystem when it's invoked over SSL. That is because the CLI tries to establish a new but improperly set up SSL connection. Now the CLI has been modified to use the existing server connection. https://fedorahosted.org/pki/ticket/1517
* Refactored PKIConnection.get().Endi S. Dewata2016-11-231-2/+6
| | | | | | | | | The PKIConnection has been modified to provide two get() methods: one returning a generic Response object wnd the other returning an object with the specified type. The ConfigurationUtils has been modified accordingly. https://fedorahosted.org/pki/ticket/1517
* Change lifecycle at end of enrollment if it is not already set.Jack Magne2016-11-222-1/+37
| | | | | | | | | | | | | | | TPS throws "err=6" when attempting to format and enroll G&D Cards. https://bugzilla.redhat.com/show_bug.cgi?id=1320283 This fix addresses this bug , but also: Fixes this issue: Applet upgrade during rekey operation results in formatted token. Also, it takes care of a related issue where the new apdu needed for the lifecycle state causes the testing tool "tpslcient" to seg fault. The fix here is a minimal fix to have tpsclient return an error when it gets this apdu it can't handle, instead of crashing.
* Updated AccountInfo.Endi S. Dewata2016-11-222-5/+14
| | | | | | | | The AccountInfo has been changed to extend the ResourceMessage such that it can be used to pass the list of accessible components as an attribute. https://fedorahosted.org/pki/ticket/2523
* Add python-client code for key resource changesAde Lee2016-11-221-36/+52
|
* Update PKCS12Util to use SLF4J.Endi S. Dewata2016-11-181-0/+2
| | | | | | | | | The PKCS12Util class has been modified to use SLF4J logging framework. The CMake scripts has been modified to include SLF4J libraries in the classpath. The spec file has been modified to add SLF4J dependencies. https://fedorahosted.org/pki/ticket/195
* Added man pages for logging configuration.Endi S. Dewata2016-11-182-2/+94
| | | | | | | New man pages have been added for the common and server logging configurations. https://fedorahosted.org/pki/ticket/1897
* Updated logging.properties.Endi S. Dewata2016-11-181-0/+1
| | | | | | | | | | | | To reduce maintenance the logging.properties is no longer copied into the instance folder during deployment. Instead, a link will be created in /etc/pki/<instance> pointing to the default file in /usr/share/pki/server/conf. The default logging.properties has been updated to only log messages with level WARNING or higher on the console. https://fedorahosted.org/pki/ticket/1897
* Fixed problem installing subordinate CA with HSM in FIPS mode.Endi S. Dewata2016-11-161-11/+40
| | | | | | | | | | | | | | Due to certutil issue (bug #1393668) the installation code has been modified to import certificates into the NSS database in two steps. This workaround is needed to install subordinate CA with HSM in FIPS mode. First, the certificate will be imported into the HSM using the HSM password without the trust attributes. Then, the certificate will be imported into the internal token using the internal token password with the trust attributes. https://fedorahosted.org/pki/ticket/2543
* Moved policy framework classes to org.dogtagpki.legacy.Endi S. Dewata2016-11-1122-28/+29
| | | | | | | To discourage the use of policy framework, the framework classes have been moved into org.dogtagpki.legacy. https://fedorahosted.org/pki/ticket/6
* Generalized list of files in CMakeLists.txt.Endi S. Dewata2016-11-111-4/+0
| | | | | | | | The list of source and class files in some CMake files have been generalized to allow renaming Java packages without changing the CMake files again. https://fedorahosted.org/pki/ticket/6
* Reverted policy framework deprecation.Endi S. Dewata2016-11-1120-24/+4
| | | | | | | | | To reduce Eclipse warnings, classes and methods related to policy framework have been undeprecated. In the future the policy framework may be removed since it has already been replaced with the profile framework. https://fedorahosted.org/pki/ticket/6
* Add field to KeyData to allow request to be returned when non-synchronousAde Lee2016-11-103-5/+42
| | | | | If a retrieval is non-sychronous, we create a non-ephemeral recovery request and return this Request ID to the client.
* Add option to pass existing request to retrieveKeyCLIAde Lee2016-11-101-0/+40
| | | | | | Continuation of the previous patch. These are client changes to allow the client to pass through an approved recovery request to retrieveKey()
* Modify retrieval and archival mechanisms in KRA RESTAde Lee2016-11-105-11/+49
| | | | | | | | | | | | | | | | | | | When clients call retrieveKey(), three possible alternatives now obtain: 1. client passes in an approved request. Request is processed and the secret is retrieved. 2. client passes in key_id and wrapping parameters and either: a) request can be processed immediately and synchronously and request is created, and secret is returned. b) request cannot be processed immediately. Recovery request is created and request_id returned to the client Depending on server configuration, the requests in case (2a) will be stored in ldap or will be ephemeral (in memory only). More complicated realm based logic to determine if requests can be processed synchronously or ephemerally will be added in a later patch.
* Replaced deprecated ProxyParser.Endi S. Dewata2016-11-041-4/+4
| | | | | | The deprecated ProxyParser has been replaced with DefaultParser. https://fedorahosted.org/pki/ticket/2535
* Replaced deprecated DefaultHttpClient.Endi S. Dewata2016-11-041-3/+3
| | | | | | | The deprecated DefaultHttpClient in SubsystemClient, CRMFPopClient, and OCSPProcessor has been replaced with HttpClientBuilder. https://fedorahosted.org/pki/ticket/2531
* Revert "Fixed TPS UI system menu."Matthew Harmsen2016-11-032-14/+5
| | | | This reverts commit f979c3b436e9a12e8c71ba0abab5c892d375f945.
* Added constructors to chain EPropertyException.Endi S. Dewata2016-11-031-0/+8
| | | | | | | To help troubleshooting, the EPropertyException has been modified to provide constructors to chain the original exception. https://fedorahosted.org/pki/ticket/2463
* Fixed KRA key recovery via CLI in FIPS mode.Endi S. Dewata2016-11-021-0/+3
| | | | | | | | | Based on investigation and solution provided by cfu and jmagne, the SecurityDataRecoveryService.serviceRequest() has been modified to use EncryptionUnit.unwrap_temp() for key recovery via CLI in FIPS mode. https://fedorahosted.org/pki/ticket/2500
* Fixed TPS UI system menu.Endi S. Dewata2016-10-212-5/+14
| | | | | | | | | | | | | | | | | The TPS UI has been modified to adjust the system menu based on the list of accessible components obtained during login. The TPSApplication has been modified to use TPSAccountService which returns the list of accessible components based on the following properties in the CS.cfg: * admin: target.configure.list * agent: target.agent_approve.list The AccountInfo has been changed to extend the ResourceMessage such that it can be used to pass the list of accessible components as an attribute. https://fedorahosted.org/pki/ticket/2523
* Fixed NSSDatabase.create_request().Endi S. Dewata2016-10-101-1/+1
| | | | | The NSSDatabase.create_request() has been modified to remove a superfluous argument when invoking certutil.
* Removed duplicate classes.Endi S. Dewata2016-10-101-2/+2
| | | | | | | The CMake scripts have been modified to store compiled Java classes in separate folders for each JAR files to avoid duplicates. https://fedorahosted.org/pki/ticket/2505
* Block reads during reload of LDAP-based profilesFraser Tweedale2016-10-101-0/+86
| | | | | | | | | | | | | | | | | | | | LDAP disconnect (e.g. due to DS restart) causes LDAPProfileSubsystem to drop all its profiles and reload them. If a profile is read during this time, e.g. to issue a certificate, it might not have been reloaded thus causing the operation to fail. Introduce the AsyncLoader class which allows a consumer to await the completion of a (re)load, if one is happening. Update the getProfile and getProfileIds method to use it. The existing 'initialLoadDone' CountDownLatch for blocking LDAPProfileSubsystem init until the inital load of profiles is completed was subsumed by AsyncLoader. Fixes: https://fedorahosted.org/pki/ticket/2453 NOTE: This patch is ONLY intended for Dogtag 10.4.0 versions and later; it is NOT intended to be back-ported to Dogtag 10.3.x versions.
* Revoke lightweight CA certificate on deletionFraser Tweedale2016-09-061-1/+1
| | | | Fixes: https://fedorahosted.org/pki/ticket/1638
* Updated pki-server subsystem-cert-update CLI.Endi S. Dewata2016-08-221-2/+9
| | | | | | | | | | | | | | | | The pki-server subsystem-cert-update CLI has been updated to use certutil to retrieve the certificate data from the proper token. It will also show a warning if the certificate request cannot be found. The NSSDatabase constructor has been modified to normalize the name of internal NSS token to None. If the token name is None, the certutil will be executed without the -h option. The NSSDatabase.get_cert() has been modified to prepend the token name to the certificate nickname. https://fedorahosted.org/pki/ticket/2440
* Fixed SelfTestService.findSelfTests().Endi S. Dewata2016-08-161-0/+4
| | | | | | | The SelfTestService.findSelfTests() has been modified to return all selftests defined in the CS.cfg. https://fedorahosted.org/pki/ticket/2432
* Added exception wrapper for invalid LDAP attribute syntax.Endi S. Dewata2016-08-121-2/+4
| | | | | | | The LDAPExceptionConverter has been modified to wrap LDAPException for invalid attribute syntax with BadRequestException. https://fedorahosted.org/pki/ticket/833
* Improve setup.py for standalone Dogtag client releasesChristian Heimes2016-08-082-22/+63
| | | | | | | | | | | PyPI requires a different spelling of LGPLv3+ classifier. The correct name for installation requirements is 'install_requires', not 'requirements'. Add a new version_info command that rewrites setup.py in place to include the current version. This fixes a problem with source distributions of the client package.
* Added log messages for certificate import during cloning.Endi S. Dewata2016-08-052-0/+83
| | | | | | | | To help troubleshooting cloning issues the security_databases.py has been modified to log the content of the PKCS #12 file before import and the NSS database after import. https://fedorahosted.org/pki/ticket/2424
* Fix to sort the output of a cert search by serialno.Jack Magne2016-08-052-2/+60
|
* Fixed problem creating links to PKI JAR files.Endi S. Dewata2016-08-031-4/+4
| | | | | | | | | | The CMake create_symlink command fails if the link target does not exist already. Since PKI JAR files may not exist at build time, the commands to create the links to those files have been replaced with the ln -sf command which will create the links regardless of the targets' existence. https://fedorahosted.org/pki/ticket/2403
generated by cgit (git 2.34.1) at 2025-09-25 22:36:15 +0000