summaryrefslogtreecommitdiffstats
path: root/base/kra/src/com/netscape/kra
Commit message (Collapse)AuthorAgeFilesLines
* Added realm for archival and key generation through RESTAde Lee2016-04-203-0/+18
| | | | | | | | This will allow users to specify the realm when generating or archiving a request. No interface change is needed (yet) because the extra parameter is passed through the request. Part of Ticket #2041
* Ticket #2271 TMS- clean up key archival request records in ldapChristina Fu2016-04-131-0/+6
| | | | | | | | | This patch does the following: * it adds in the kra request an extra field called "delayLDAPCommit" * when the request comes in to be processed, it sets this field to "false" * by default, if this field does not exist, the updateRequest() method will just write to ldap, just like before; however, if this field exists and it contains "true" then it will delay the write * once the request is processed and all unwanted fields are cleared from the request record, it will set "delayLDAPCommit" to "false", and call updateRequest(), which will then do the actual write to ldap * In addition, I also screened through both KRA and TPS code and removed debug messages that contain those fields.
* Checking in under the one line trivial change rule.Matthew Harmsen2015-10-222-2/+2
|
* KRA: key archival/recovery via cli - should honor encryption/decryption flags.Jack Magne2015-09-252-30/+138
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Ticket # 1597 Currently, KRA allows sites to opt for doing encryption/decryption instead of wrapping/unwrapping for key archival and recovery. The new cli code was later added without such support. We should honor the same flags when cli is called to do key archival and recovery. This feature was due to a specific customer request. Here is what is now supported: 1. When the pki cli tool is used to recover a asymmetric private key, support is there to do so with encrypt / decrypt. 2. The passphrase and generic data facility already uses encrypt / decrypt so nothing here was needed. Calling it out since this will possibly be a customer issue. 3. While under the hood, it made sense to add this functionality to the Symmetric key archival and recovery operations. 4. All tests in DRMTest.java worked successfully when the kra was configured to support this feature and configured to not observe this feature. What is missing: We have since added a method to do a server side key generation of an asymmetric key pair in the kra and also archive it there at the same time. In order to do encrypt / decrypt in this case we need to extract the key contents out of a key object that is used to generate this key. It proved problematic to extract said key. This should be ok since the customer only needs to recover an asymmetric key in their test cases. We could look into doing this later if a pressing need arises.
* Fixed NPE during key-retrieve.Endi S. Dewata2015-07-131-20/+47
| | | | | | | | | | | | Keys archived through the KRA connector in CA have null data type attribute which causes a NPE during retrieval using the key-retrieve CLI. The SecurityDataRecoveryService has been modified to consider null data type attribute as asymmetric key type. The KeyRetrieveCLI and KeyService have been modified to generate better debugging messages to help troubleshooting. https://fedorahosted.org/pki/ticket/1481
* Ticket#1028 phase2: TPS rewrite: provide externalReg functionalityChristina Fu2015-04-141-41/+63
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch is the 2nd phase of the externalReg feature, it makes the following improvements: * added feature: recovery by keyid (v.s. by cert) * fixed some auditing message errors * added some missing ldapStringAttributes needed for delegation to work properly * added missing externalReg required config parameters * made corrections to some externalReg related parameters to allow delegation to work properly * added handle of some error cases * made sure externalReg enrollment does not go half-way (once fails, bails out) tested: * enrollment of the three default TPS profiles (tokenTypes) * format of the tokens enrolled with the three default tps profiles * delegation enrollments * cuid match check next phase: * cert/key retention (allow preserving existing certs/keys on the token) note: * some of the activity log and cert status related issues that are not specifically relating to externalReg will be addressed in other more relevant tickets.
* Generate asymmetric keys in the DRM.Abhishek Koneru2014-08-277-33/+291
| | | | | | | | | | | | Adds methods to key client to generate asymmetric keys using algorithms RSA and DSA for a valid key sizes of 512, 1024, 2048,4096. The generated keys are archived in the database. Using the CLI, the public key(base64 encoded) can be retrieved by using the key-show command. The private key(base64 encoded) can be retrieved using the key-retrieve command. Ticket #1023
* Fix identities for security data storage, retrieval and generationAde Lee2014-06-135-109/+47
| | | | | | | | | | | | For the new security data storage and retrieval, and for symmetric key generation, we need to store the identity of the agent that is requesting and approving each operation, both in the ldap record and in the audit logs. (Tickets 806 and 807) This patch also adds required logic to check that the owner of the recovery request is the same agent that retrieves the key. It also adds missing audit log constants for symmmetric key generation so that they will show up in the audit log.
* Reorganized REST service classes.Endi S. Dewata2014-02-284-87/+4
| | | | | | | | The REST service classes have been moved into org.dogtagpki.server namespace. A new upgrade script has been added to update existing instances. Ticket #114
* Fixes for coments from reviewAde Lee2014-02-261-7/+0
|
* Add ability to archive without sending pkiArchiveOptions object.Ade Lee2014-02-261-22/+59
| | | | | | With this patch, you can now either send a pkiArchiveOptions object or the exploded parameters. This reduces the processing required on the client side.
* Added error checking in python client callsAde Lee2014-02-261-1/+3
| | | | | | | | | 1) Added error checking in python client calls. 2) Allow symmetric key generation with default params. Fix bug for when usages is not defined. 3) Fix bug when requesting key recovery - must check if key exists. 4) Extend key gen to allow for providing trans_wrapped_session_key 5) added constants to python client for key status
* reame client_id to client_key_idAde Lee2014-02-262-22/+22
|
* Fix DRM archival, recovery and generation for non-DES3 keys.Ade Lee2014-02-044-7/+24
| | | | | | | | | | | In the archival, recovery and generation code for symmetric keys, we use functions that require knowledge of the symmetric keys algorithm and key size. These were hardcoded to DES3, and so only DES3 worked. We added those parameters to the archival request, save them in the KeyRecord and retrive them when recovering the key. Tests have been added to DRMTest for the relevant usages.
* Address review commentsAde Lee2014-02-043-2/+11
| | | | | | | | | 1. Remove Link attribute from ResourceMessage, 2. Rename KeyDataInfo and KeyDataInfoCollection. 3. Move KEYGEN_ALGORITHMS 4. Fix missing space in PKIException 5. Move properties to attributes in ResourceMessage 6. Add missing code to update the request and set IRequest.RESULT
* Rename KeyRequest to ResourceMessageAde Lee2014-02-042-4/+12
| | | | | | Refactor ResourceMessage to include classname instead of Request Type. Also changed PKIException.Data to extend ResourceMessage. Modifications to the server code to get the tests working.
* Added more client code for DRM testsAde Lee2014-02-041-20/+4
|
* Added SymKeyGen serviceAde Lee2014-02-041-0/+280
|
* External Registration feature merge (excluding TPS portion due to current ↵Christina Fu2014-01-231-1/+25
| | | | | | TPS-rewrite effort): http://pki.fedoraproject.org/wiki/TPS_-_New_Recovery_Option:_External_Registration_DS
* Added ACL for TPS authenticators.Endi S. Dewata2013-11-141-4/+4
| | | | | | | | | | New ACL has been added to allow only the administrators to access TPS authenticators. The set of interceptors in each application has been modified to preserve the order. Ticket #652
* Fixed problems finding user and group sub-resources.Endi S. Dewata2013-10-251-6/+0
| | | | | | | Due to a regression RESTEasy is unable to find some sub-resources properly. As a workaround some resources need to be merged into the parent resource. The UserCertResource and UserMembershipResource have been merged into UserResource. The GroupMemberResource has been merged into GroupResource.
* Stand-alone DRMMatthew Harmsen2013-10-151-0/+16
| | | | * TRAC Ticket #667 - provide option for ca-less drm install
* Added audit resource.Endi S. Dewata2013-10-081-0/+4
| | | | | | | A new REST service and clients have been added to manage the audit configuration in all subsystems. Ticket #652
* Added selftest resource.Endi S. Dewata2013-10-081-0/+4
| | | | | | | New REST service and clients have been added for managing selftests in all subsystems. Ticket #652
* Add audit logging for new security data operations in kraAde Lee2013-10-072-11/+139
| | | | Ticket 97
* DRM Transport Key RotationAndrew Wnuk2013-09-305-12/+136
| | | | | | | | | | | | This patch provides basic support for DRM Transport Key Rotation described in http://pki.fedoraproject.org/wiki/DRM_Transport_Key_Rotation This patch provides implementation for tickets: - 729 - CA to include transport certificate when submitting archival request to DRM - 730 - DRM to detect presence of transport certificate attribute in submitted archival request and validate transport certificate against DRM's transport key list - 731 - DRM to provide handling for alternative transport key based on detected and validated transport certificate arriving as a part of extended archival request
* Reorganized interceptors.Endi S. Dewata2013-08-201-2/+2
| | | | | | The ACLInterceptor and AuthMethodInterceptor interceptors only run on the server, so they have been moved from the base package into the server package.
* Plug resource leaksAde Lee2013-03-083-32/+26
|
* Clean up various eclipse warningsAde Lee2013-03-071-7/+4
|
* Added authentication method validation.Endi Sukma Dewata2013-02-191-1/+3
| | | | | | | | | | | | | | | A new mechanism has been added to specify the authentication methods that can be used to invoke the REST methods. The AuthMethodMapping annotation maps each REST method to a list of allowed authentication methods. When a client calls a REST method, the AuthMethodInterceptor will intercept the call and verify that the client uses an allowed authentication method. Most REST methods that require authentication have been configured to require client certificate authentication. Authentication using username and password will only be used to get the installation token from security domain. Ticket #477
* Added CLI to manage user membership.Endi Sukma Dewata2013-02-181-0/+2
| | | | | | | | New CLI's have been added to search, add, and remove user membership. The group member management code has been refactored into a processor to allow reuse. Ticket #190
* Bug 903401 - TMS: RSA token enrollment failed : public key decode errorChristina Fu2013-01-261-3/+7
|
* Added ACLInterceptor.Endi Sukma Dewata2012-11-081-0/+3
| | | | | | | | | Previously ACL checking was done in PKIRealm by matching the URL. This code has been replaced by ACLInterceptor which will intercept RESTEasy method invocations. This allows more precise mapping of REST methods to ACL entries in acl.ldif. Ticket #287
* Added REST account service.Endi Sukma Dewata2012-10-221-0/+5
| | | | | | | | | A REST account service has been added to allow client to login to establish a session and to logout to destroy the session. This way multiple operations can be executed using the same session without having to re-authenticate. Ticket #357
* https://fedorahosted.org/pki/ticket/252 - TMS - ECC Key RecoveryChristina Fu2012-09-301-5/+5
|
* TMS key recovery part of - Bug 737122 - DRM: during archiving and ↵Christina Fu2012-09-281-36/+115
| | | | recovering, wrapping unwrapping keys should be done in the token
* https://fedorahosted.org/pki/ticket/304Christina Fu2012-09-181-61/+174
| | | | TMS ECC infrastructure (enrollment with client-side and server-side key generation, and key archival)
* Fixed exceptions during shutdown.Endi Sukma Dewata2012-08-281-3/+10
| | | | | | | | | | | | | | | | | | | | | | | | | | The shutdown() methods in several classes have been fixed to allow more graceful shutdown and clean restart. There are two types of object attributes that need to be handled differently. Attributes that are initialized by the constructor should not be nulled during shutdown because they won't be reinitialized during restart. If they require a cleanup (e.g. emptying collections, closing LDAP connections) it's not necessary to check for null before calling the cleanup method because they're never null. For attributes that are initialized during init(), it may not be necessary to do a cleanup or null the attribute since they might still be used by other threads and they will be reinitialized during restart so the old objects will be garbage collected. If they do need a cleanup they should be checked for null because they might still be null due to init() failure or initialization conditionals. If the attributes are initialized conditionally, the logic has been modified to ensure the attributes are either initialized or set to null. Ticket #247
* Reorganized REST common classes.Endi Sukma Dewata2012-08-153-3/+4
| | | | | | | The common classes used by REST client and services have been moved into the com.netscape.certsrv.<component> packages. Ticket #215
* Cleaned up REST common class names.Endi Sukma Dewata2012-08-151-2/+2
| | | | | | | The REST common classes have been renamed for better clarity and consistency. Ticket #259
* Cleaned up REST server class names.Endi Sukma Dewata2012-08-151-16/+16
| | | | | | | The REST server classes have been renamed for better clarity and consistency. Ticket #259
* Patch 25 - Misc FixesAbhishek Koneru2012-07-251-3/+9
|
* Use only pluralized REST interface URLsAde Lee2012-07-241-4/+0
|
* Misc Fixes Remaining part of the code.Abhishek Koneru2012-07-181-1/+1
|
* Added CMSExceptionMapper class to the Application classesAde Lee2012-07-101-0/+5
|
* Add Application files to list REST resourcesAde Lee2012-07-101-0/+52
|
* Coverity CATCH_REXCEPTION and UNREAD_FIELD_CASESAbhishek Koneru2012-07-061-0/+1
|
* LeftOver Cases in Resource Leaks and NULL_RETURNSAbhishek Koneru2012-07-021-5/+10
|
* Fixes for Guarded_By_Violation issues shown in CoverityAbhishek Koneru2012-07-021-1/+1
|
* Fixes for Coverity issues of type Resource Leaks - RemainingAbhishek Koneru2012-06-251-2/+11
|
generated by cgit (git 2.34.1) at 2024-06-14 05:07:45 +0000