| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The installation code has been modified such that it imports all
CA certificates from the PKCS #12 file for cloning before the
server is started using certutil. The user certificates will
continue to be imported using the existing JSS code after the
server is started. This is necessary since JSS is unable to
preserve the CA certificate nicknames.
The PKCS12Util has been modified to support multiple certificates
with the same nicknames.
The pki pkcs12-cert-find has been modified to show certificate ID
and another field indicating whether the certificate has a key.
The pki pkcs12-cert-export has been modified to accept either
certificate nickname or ID.
The pki pkcs12-import has been modified to provide options for
importing only user certificates or CA certificates.
https://fedorahosted.org/pki/ticket/1742
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The pki_server_external_cert_path has been renamed to
pki_server_external_certs_path to match the file name.
A default pki_server_external_certs_path has been added to
default.cfg.
The pki pkcs12-export has been modified to export into existing
PKCS #12 file by default.
The pki-server instance-cert-export has been modified to accept a
list of nicknames to export.
https://fedorahosted.org/pki/ticket/1742
|
|
|
|
|
|
|
| |
The pki CLI's --pkcs12 options has been renamed to --pkcs12-file
for consistency with pki-server CLI options.
https://fedorahosted.org/pki/ticket/1742
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently JSS is unable to import CA certificates while preserving
their nicknames. As a workaround, the pki pkcs12-import has been
modified such that it exports individual CA certificates from PKCS
The remaining user certificates will continue to be imported using
JSS.
A new pki pkcs12-cert-export command has been added to export
individual certificates from PKCS #12 file into PEM files.
The pki pkcs12-import has been modified to take a list of nicknames
of the certificates to be imported into NSS database.
https://fedorahosted.org/pki/ticket/1742
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A Python wrapper module has been added for the pki pkcs12-import
command to provide a mechanism to implement a workaround for JSS
import limitation.
Additional fixes by cheimes have been merged into this patch:
setup.py:
We must track all sub-packages manually.
pylint-build-scan.py:
pylint confuses the 'pki' package with the 'pki' command. The
workaround symlinks the command and analysis the command under its
alternative name.
https://fedorahosted.org/pki/ticket/1742
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The PKCSUtil has been updated to match the functionality provided
by JSS.
In order to import a certificate properly, the certificate needs
to be exported with its private key and certificate chain, so the
option to export without key or without the certificate chain has
been removed. The option to export only the certificate chain has
also been removed since it can be done by exporting the complete
certificate chain, then remove the leaf certificate while keeping
the chain.
The pki pkcs12-cert-add has been modified to provide an option
to create a new PKCS #12 file to store the certificate.
The pki pkcs12-export has been modified to always overwrite
existing file to match the behavior of PKCS12Export. It also has
been modified to accept a list of nicknames of certificates to
export.
https://fedorahosted.org/pki/ticket/1742
|
|
|
|
|
|
|
| |
A new CLI has been added to remove a key from a PKCS #12 file
based on the key ID.
https://fedorahosted.org/pki/ticket/1742
|
|
|
|
|
|
|
| |
New CLIs have been added to add a certificate from NSS database and
to remove a certificate from the PKCS #12 file.
https://fedorahosted.org/pki/ticket/1742
|
|
|
|
|
|
|
|
|
|
|
|
| |
The PKCS12Util has been modified such that it stores the certs and
keys in PKCS12 object instead of PFX object. The PKCS12 object can
be loaded either from NSS database or PKCS #12 file. The PKCS12
object can later be stored into NSS database or PKCS #12 file.
The pki pkcs12-cert-find and pkcs12-key-find commands were modified
to require PKCS #12 password.
https://fedorahosted.org/pki/ticket/1742
|
|
|
|
|
|
|
|
|
|
| |
The PKCS12CertInfo and PKCS12KeyInfo classes have been moved out
of PKCS12Util into separate classes.
The createLocalKeyID() has been modified to return BigInteger
instead of byte array.
https://fedorahosted.org/pki/ticket/1742
|
|
|
|
|
|
|
|
|
| |
A new PKCS #12 attribute has been defined to store NSS certificate
trust flags in PKCS #12 file. The PKCS12Util has been modified to
store the trust flags during export and reset the trust flags in
NSS database during import.
https://fedorahosted.org/pki/ticket/1742
|
|
|
|
|
|
|
|
| |
The pki pkcs12-import and pki pkcs12-export commands have been
added to import and export PKCS #12 file into and from NSS
database.
https://fedorahosted.org/pki/ticket/1742
|
|
|
|
|
|
|
| |
The pki pkcs12-cert-find and pki pkcs12-key-find commands have
been added to list the certificates and keys in a PKCS #12 file.
https://fedorahosted.org/pki/ticket/1742
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The code to export NSS database into PKCS #12 file in PKCS12Export
tool has been refactored into PKCS12Util class to simplify further
enhancements.
The PKCS12Export tool has also been modified to use Java Logging
API. A default logging configuration file has been added. The
command-line wrapper has been modified to get the path to the
logging configuration file from pki.conf.
https://fedorahosted.org/pki/ticket/1742
|
|
|
|
|
|
|
|
| |
The pki-cert and pki-server-subsystem man pages have been updated
to include recent changes.
https://fedorahosted.org/pki/ticket/456
(cherry picked from commit 3294f5087997427d060bce85d033652f7a8431da)
|
|
|
|
|
|
|
|
|
|
|
| |
The pki ca-cert-request-submit command has been modified to
provide options to specify the profile name and the CSR which
will be used to create and populate the request object. This
way it's no longer necessary to download the request template
and insert the CSR manually.
https://fedorahosted.org/pki/ticket/456
(cherry picked from commit ec9c68d68eabff3784fcf6dabf2c6745734b3c9c)
|
|
|
|
|
|
|
|
|
| |
The pki client-cert-request CLI has been modified to generate a
default subject DN if it's not specified. The man page has been
updated accordingly.
https://fedorahosted.org/pki/ticket/1463
(cherry picked from commit 3292de07ed01f6230de34120bf9cd1b8d164610a)
|
|
|
|
|
|
|
|
|
| |
The pki cert-request-submit and client-cert-request CLIs have been
modified to provide options to specify the username and password
for directory-authenticated certificate enrollments.
https://fedorahosted.org/pki/ticket/1463
(cherry picked from commit bb2861b5ee8c82bc5cfffa9a9a6f23bb4b3e4e80)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The pki-server subsystem-cert-update has been modified to support
secure database connection with client certificate authentication.
The certificate and the private key will be exported temporarily
into PEM files so python-ldap can use them.
The pki client-cert-show has been modified to provide an option
to export client certificate's private key.
https://fedorahosted.org/pki/ticket/1551
(cherry picked from commit f153bd8a455953698e8af5085cd3cd7b368b1247)
Conflicts:
base/server/upgrade/10.2.0/01-AddTLSRangeSupport
|
|
|
|
|
|
|
|
|
| |
A new man page has been added for pki <subsystem>-user-membership
commands. The pki-user-cert man page has been modified to fix some
errors.
https://fedorahosted.org/pki/ticket/1584
(cherry picked from commit 997c8ec32ed483f3af47d692039720e62fa65c94)
|
|
|
|
|
|
|
| |
The PKCS12Export has been fixed to handle ObjectNotFoundException
when exporting certificates without private keys.
https://fedorahosted.org/pki/ticket/1506
|
|
|
|
|
|
|
|
|
| |
A new man page has been added for the pki tps-profile CLI. The
CLI has been modified to refer to the new man page.
Some other man pages have been cleaned up as well.
https://fedorahosted.org/pki/ticket/1271
|
|
|
|
|
|
|
|
| |
A new man page has been added for the pki <subsystem>-audit CLI.
Due to database upgrade issue the command is currently only
available in TPS.
https://fedorahosted.org/pki/ticket/1437
|
|
|
|
|
|
|
|
|
|
| |
Due to database upgrade issue the pki <subsystem>-audit CLI has
been removed from all subsystems except TPS.
The AuditModifyCLI has been modified to clarify that the --action
and the --input parameters are mutually exclusive.
https://fedorahosted.org/pki/ticket/1437
|
|
|
|
|
|
|
|
|
|
|
|
| |
The PKCS12Export has been modified such that if an error occurs
in normal mode it will display the error message and in debug
mode it will display the full stack trace.
The code has also been refactored such that it can be reused as a
library in addition to command-line tool. The code will now throw
exceptions instead of exiting to the system.
https://fedorahosted.org/pki/ticket/1224
|
|
|
|
| |
clients are: cli, HttpClient, and java console
|
|
|
|
|
|
|
|
|
|
|
|
| |
Keys archived through the KRA connector in CA have null data type
attribute which causes a NPE during retrieval using the key-retrieve
CLI. The SecurityDataRecoveryService has been modified to consider
null data type attribute as asymmetric key type.
The KeyRetrieveCLI and KeyService have been modified to generate
better debugging messages to help troubleshooting.
https://fedorahosted.org/pki/ticket/1481
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The user-cert-add command has been modified to ask the user for
the CA server URI if the CA is not available locally.
A new SubsystemClient.exists() method has been added to check
whether a subsystem is deployed on the target instance.
The SubsystemCLI has been modified to call logout() only if
the operation is executed successfully.
The certificate approval callback class has been refactored out
of PKIConnection into a separate class to clean up circular
dependency with PKIClient.
https://fedorahosted.org/pki/ticket/1448
|
|
|
|
|
|
|
|
| |
To improve the performance the default LDAP filter generated by
cert-find has been changed to (certStatus=*) to match an existing
VLV index.
https://fedorahosted.org/pki/ticket/1449
|
|
|
|
|
|
|
|
| |
The pki CLI has been modified such that if the security database
location (-d) is not specified, the config.certDatabase will be
initialized with the default value (i.e. ~/.dogtag/nssdb). The
config.certDatabase is needed by the CLI to prepare the client
library for key archival operations.
|
|
|
|
|
|
| |
A new findModules() method has been added to the CLI class to find
the list of modules handling a command. The list will be used by the
pki help CLI to find the proper man page for the specified command.
|
|
|
|
|
|
|
| |
The pki man page has been updated to describe results paging
parameters.
https://fedorahosted.org/pki/ticket/1122
|
|
|
|
|
|
|
| |
The man page for pki-cert has been modified to describe the file
format used to specify the search constraints.
https://fedorahosted.org/pki/ticket/995
|
|
|
|
|
|
| |
The CRMFPopClient has been modified to use the HttpClient library
to connect to the server, to show the HTTP status code if an error
occurs, and to show the NSS database directory in verbose mode.
|
|
|
|
| |
- PKI Trac Ticket #1392 - Remove i686/x86_64 architecture
|
|
|
|
| |
https://fedorahosted.org/pki/ticket/1064
|
|
|
|
| |
https://fedorahosted.org/pki/ticket/849
|
|
|
|
| |
https://fedorahosted.org/pki/ticket/835
|
|
|
|
|
|
|
|
|
|
| |
The CLI has been modified such that when enrolling a certificate
with key archival it will obtain the transport certificate from
the CA instead of KRA because the KRA may not reside on the same
instance. The CA REST service has been modified such that it will
obtain the transport certificate from the KRA connector.
https://fedorahosted.org/pki/ticket/1384
|
|
|
|
|
| |
The key-show CLI has been modified to provide an option to find
the active key info using the client key ID.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds some new unit files and targets for starting instances
with nuxwdog, as well as logic within the pki-server nuxwdog module to
switch to/from the old and new systemd unit files.
It also corrects some issues found in additional testing of the nuxwdog
change scripts.
To use nuxwdog to start the instance, a user needs to do the following:
1. Create an instance normally.
2. Run: pki-server instance-nuxwdog-enable <instance_name>
3. Start the instance using:
systemctl start pki-tomcatd-nuxwdog@<instance_name>.service
To revert the instance, simply do the following:
1. Run: pki-server instance-nuxwdog-disable <instance_name>
2. Start the instance using:
systemctl start pki-tomcatd@<instance_name>.service
|
|
|
|
|
|
|
|
|
|
| |
The short term solution to this problem was to remove the man page information and all references to the command line module reponsible for this issue.
The installer already has an alternative method to remove a subsystem from the security domain list. We now assume the alternate method and don't even try to find the token at this point.
A user at the command line of the pki command will no longer be able to attempt this as well.
Tested this to verify that the man page for the "securtydomain" command no longer mentions or documents the "get-install-token" variant. Tested to verify that this command can't be manually called from the command line using "pki". This attempt results in an "unknown module". Tested by installing and uninstalling a subsytem. The security domain was kept up to date as expected for each install over remove attempted.
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is the first of several commits. This adds a LifecycleListener
to call init() on the nuxwdog client before any connectors or webapps
start up, and call sendEndInit() once initialization completes.
Code is also added to prompt for and test required passwords on startup.
All that is required to use nuxwdog is to start the server using nuxwdog.
An environment variable will be set that will trigger creation of the
NuxwdogPasswordStore. We expect tags for the required passwords to be in
cms.passwordList
|
|
|
|
|
|
|
| |
The TPS REST service, CLI, and UI have been modified to provide
an interface to search for certificates belonging to a token.
https://fedorahosted.org/pki/ticket/1164
|
|
|
|
|
|
|
|
| |
Update CLI commands for working with the (now LDAP-based)
profiles in the same format as was used by the files, by way of the
--raw option.
Also add the "edit" command to interactively edit a profile.
|
|
|
|
|
|
|
|
|
|
|
|
| |
The CRMFPopClient has been modified to use Apache Commons CLI
library to handle the parameters. The help message has been
rewritten to make it more readable. The submitRequest() will
now display the error reason.
The options in ClientCertRequestCLI have been simplified. A new
option was added to generate CRMF request without POP.
https://fedorahosted.org/pki/ticket/1074
|
|
|
|
|
|
|
| |
The OCSPClient CLI has been refactored into an OCSPProcessor
utility class such that the functionality can be reused.
https://fedorahosted.org/pki/ticket/1202
|
|
|
|
|
|
|
| |
The pki CLI has been modified to remove additional pylint warnings
that appear on Fedora 22.
https://fedorahosted.org/pki/ticket/703
|
|
|
|
|
|
|
|
|
|
| |
In Fedora 22 the Resteasy package has been split into several
subpackages. The pki-core.spec has been modified to depend on
more specific Resteasy packages which depend only on Jackson
1.x. The classpaths and various scripts have been modified to
remove unused references to Jackson 2.x.
https://fedorahosted.org/pki/ticket/1254
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The CRMFPopClient has been refactored such that it is easier
to understand and reuse. The code has been fixed such that it
can read a normal PEM transport certificate. It also has been
fixed to parse the request submission result properly.
The client-cert-request CLI command was modified to support CRMF
requests.
The MainCLI and ClientConfig were modified to accept a security
token name.
The pki_java_command_wrapper.in was modified to include the Apache
Commons IO library.
https://fedorahosted.org/pki/ticket/1074
|