path: root/base/server/cms/src/org
Commit message | Author | Age | Files | Lines
* Refactored ConfigurationUtils.handleLocalCert(). | Endi S. Dewata | 2017-07-07 | 1 | -3/+6
    The code for creating and importing local cert into NSS database has been moved into ConfigurationUtils.handleLocalCert().
    https://pagure.io/dogtagpki/issue/2280
    Change-Id: Idac7bc3e08e95f94fe50c417898ef12b2288d17c
* Consolidated log() for audit events. | Endi S. Dewata | 2017-06-27 | 5 | -23/+12
    Duplicate log() methods for audit events have been merged into the Logger class.
    https://pagure.io/dogtagpki/issue/2689
    Change-Id: I7a5147ff3221a52a82e69f56faf2156c04256db2
* Refactored signed audit logger. | Endi S. Dewata | 2017-06-24 | 1 | -13/+6
    Signed audit logger creation has been simplified into:
        Logger signedAuditLogger = SignedAuditLogger.getLogger();
    The null checks on signed audit logger have been removed since it cannot be null.
    Audit messages can be logged as follows:
        signedAuditLogger.log(message);
    https://pagure.io/dogtagpki/issue/2689
    Change-Id: I3bf781b0194a6cbb166f71751c098d1c2a3a657a
* Server side changes to correctly parse the new PKIArchiveOptions | Ade Lee | 2017-06-07 | 1 | -1/+1
    The server is modified to read the new OIDs in the PKIArchiveOptions and handle them correctly.
    Change-Id: I328df4d6588b3c2c26a387ab2e9ed742d36824d4
* Refactor client to not use keysets | Ade Lee | 2017-06-07 | 2 | -9/+49
    It is simpler to simply tell the client which algorithm to use for key wrapping and encryption, rather than use key sets. Therefore:
    * KRAInfo and CAInfo are refactored to provide the algorithms required for key wrapping and encryption.
    * Client is modified to use these parameters to determine which algorithms to use.
    * We specify the OIDs that will be used in the PKIArchiveOptions more correctly. The options are basically: AES-128-CBC, DES3-CBC, AES KeyWrap/Pad
    Change-Id: Ic3fca902bbc45f7f72bcd4676c994f8a89c3a409
* CAInfoService: retrieve info from KRA | Fraser Tweedale | 2017-05-05 | 1 | -17/+126
    The CAInfoService returns CA configuration info, including KRA-related values the CA clients may need to know (e.g. for generating a CRMF cert request that will cause keys to be archived in KRA). Currently that information is statically configured and does not respect the actual configuration of the KRA.
    Update the service to retrieve info from the KRA, which is queried according to the KRA Connector configuration. After the KRA has been successfully contacted, the recorded KRA-related settings are regarded as authoritative.
    The KRA is contacted ONLY if the current info is NOT authoritative, otherwise the currently recorded values are used. This means that any change to relevant KRA configuration (which should occur seldom if ever) necessitates restart of the CA subsystem.
    If this is unsuccessful (e.g. if the KRA is down or the connector is misconfigured) we use the default values, which may be incorrect.
    Fixes: https://pagure.io/dogtagpki/issue/2665
    Change-Id: I30a37c42ef9327471e8cce8a171f79f388fec746
* Added ConfigSignedAuditEvent. | Endi S. Dewata | 2017-04-25 | 1 | -6/+3
    A new SignedAuditConfigRoleEvent class has been added to encapsulate the CONFIG_SIGNED_AUDIT events.
    https://pagure.io/dogtagpki/issue/2641
    Change-Id: I95b897fa0bb73007a7cec009c43ade4cc860f0cd
* Updated debug logs in SystemConfigService. | Endi S. Dewata | 2017-04-25 | 1 | -2/+9
    Change-Id: Id73bd6d3c0874c327bc27260318a2c671f0f0177
* Added ConfigRoleEvent. | Endi S. Dewata | 2017-04-24 | 2 | -5/+23
    A new ConfigRoleEvent class has been added to encapsulate the CONFIG_ROLE events.
    https://pagure.io/dogtagpki/issue/2641
    Change-Id: Ie0932131d75897f58afdd8217454c6cf6970d738
* Added AuthzFailEvent. | Endi S. Dewata | 2017-04-24 | 1 | -30/+22
    A new AuthzFailEvent class has been added to encapsulate the AUTHZ_FAIL events.
    https://pagure.io/dogtagpki/issue/2641
    Change-Id: Id4ab9bd889a1a9314264c0ef2ff7b2389aed8f9c
* Added AuthzSuccessEvent. | Endi S. Dewata | 2017-04-24 | 1 | -14/+13
    A new AuthzSuccessEvent class has been added to encapsulate the AUTHZ_SUCCESS events.
    https://pagure.io/dogtagpki/issue/2641
    Change-Id: I2f45fb2c3ba8acdc82777644cf4ad0ec2eff35a5
* Modify cert clients to check server for wrapping params | Ade Lee | 2017-04-19 | 1 | -0/+10
    CRMFPopClient and the pki cert client both can send a CRMF request to a CA directly. Logic is added to check the CA for the required KRA wrapping params and use those in place of any that have been provided by the environment or command line.
    Also, additional data for the supported KRA keyset has been added to the CAInfoService. This will need to be managed by the admin. The default is "1" which corresponds to AES.
    Change-Id: I186f9c610005ec300bccf1b07470493ce7cdfeb4
* Fixed missing IP addresses and subject ID in audit log. | Endi S. Dewata | 2017-04-18 | 1 | -38/+66
    The PKIServerSocketListener has been modified to use WeakHashMap to store socket info that might not be available after the socket has been closed.
    https://pagure.io/dogtagpki/issue/2642
    Change-Id: I7e86a9bbc46e7bba4cec36664780c52bf0e88416
* Fixed ClientIP field in SSL session audit log. | Endi S. Dewata | 2017-04-13 | 1 | -8/+3
    The PKIServerSocketListener has been fixed to obtain the correct client IP address from SSL socket.
    https://pagure.io/dogtagpki/issue/2602
    Change-Id: I7d3b2dc14d6f442830ee5911613a0e9fc360cfba
* Added methods to log AuditEvent object. | Endi S. Dewata | 2017-04-13 | 1 | -0/+10
    New audit(AuditEvent) methods have been added alongside the existing audit(String) methods.
    Change-Id: Ia02a7daa8b9e8693208fe34309d8d727cc32ce54
* Reorganized audit event constants for configuration. | Endi S. Dewata | 2017-04-12 | 3 | -6/+7
    Change-Id: Ie05572677de0e8eb1244dc6caf2b4a48514a2542
* Reorganized audit event constants for authentication. | Endi S. Dewata | 2017-04-12 | 1 | -14/+10
    Change-Id: Iade8cb7fdf3c3f93afb13ff814da0f72dc8f8049
* Added audit event constants for SSL session. | Endi S. Dewata | 2017-04-12 | 1 | -4/+5
    Change-Id: I73b3a69ffc289ad6bf89eebaa2d95237df25551f
* Add CAInfo resource | Ade Lee | 2017-04-11 | 1 | -0/+64
    This resource (which will be accessed at /ca/rest/info) will initially return the mechanism for archival. This is needed by clients to know how to package secrets when archiving. We may add the transport cert later.
    Change-Id: Ib13d52344e38dc9b54c0d2a1645f1211dd84069b
* Add KRAInfo resource | Ade Lee | 2017-04-11 | 1 | -0/+67
    This resource (which will be accessed at /kra/rest/info) will initially return the mechanism for archival or retrieval. This is needed by clients to know how to package secrets when archiving.
    Change-Id: I6990ebb9c9dafc4158e51ba61a30e773d1d953ec
* Fixed PKIServerSocketListener. | Endi S. Dewata | 2017-04-05 | 1 | -1/+38
    The PKIServerSocketListener.alertReceived() has been fixed to generate audit log when the SSL socket is closed by the client.
    The log message has been modified to include the reason for the termination.
    https://pagure.io/dogtagpki/issue/2602
    Change-Id: Ief2817f2b2b31cf6f60fae0ee4c55c17024f7988
* Added CLIs to access audit log files. | Endi S. Dewata | 2017-04-04 | 1 | -0/+107
    New pki audit commands have been added to list and retrieve audit log files.
    Change-Id: I785fa6f55d9b143f513d9210ebf82d04e06eaed5
* Removed redundant Context attributes. | Endi S. Dewata | 2017-03-31 | 6 | -102/+0
    All subclasses of PKIService have been modified to remove the Context attribute since they have been declared in the base class.
    Change-Id: Icdbe97efa2b910a579264099f817930c2cc2ed1a
* Added audit logs for SSL/TLS events. | Endi S. Dewata | 2017-03-28 | 1 | -0/+134
    The CMSStartServlet has been modified to register an SSL socket listener called PKIServerSocketListener to TomcatJSS.
    The PKIServerSocketListener will receive the alerts generated by SSL server sockets and generate ACCESS_SESSION_* audit logs.
    The CS.cfg for all subsystems have been modified to include ACCESS_SESSION_* audit events.
    https://pagure.io/dogtagpki/issue/2602
    Change-Id: If7fb6c1b096ec8c68d1fd08f9132baf099816f11
* Update ACLInterceptor to support external principals | Fraser Tweedale | 2017-03-16 | 1 | -12/+29
    For external principal support, ACLInterceptor must handle GenericPrincipal instances in addition to PKIPrincipal. Specifically, if the principal is a GenericPrincipal, the auth token is set to an ExternalAuthToken, and the authz manager is looked up by the realm of the principal (it is assumed that the principal name has the form "id@realm").
    Part of: https://pagure.io/dogtagpki/issue/1359
* Update SessionContextInterceptor to handle external principals | Fraser Tweedale | 2017-03-16 | 1 | -9/+10
    Part of: https://pagure.io/dogtagpki/issue/1359
* Update AuthMethodInterceptor to handle external principals | Fraser Tweedale | 2017-03-16 | 1 | -11/+16
    Update AuthMethodInterceptor to handle externally authenticated principals. For now, access is unconditionally granted.
    Part of: https://pagure.io/dogtagpki/issue/1359
* First cut of scp03 support. Supports the g&d smartcafe out of the box. | Jack Magne | 2017-03-14 | 1 | -0/+2
    Developer keyset token operations and key change over supported.
    Caveats.
    -The diversification step going from master key to card key uses DES3 as required for the token.
    -After that point, everything is scp03 to the spec with minor exceptions so far.
    Supports 128 bit AES for now. Will resolve this.
    Minor config tweaks:
    TPS Symmetric Key Changeover
    Use this applet for scp03: RSA/KeyRecovery/GP211/SCP02/SCP03 applet : 1.5.558cdcff.ijc
    TKS: Symmetric Key Changeover
    tks.mk_mappings.#02#03=internal:new_master
    tks.defKeySet.mk_mappings.#02#03=internal:new_master
    Use the uncommented one because scp03 returns a different key set data string.
    ToDo:
    -Support the rest of the AES sizes other than 128.
    -Support optional RMAC apdu.
    -Test and adjust the config capability for other tokens.
    -Support AES master key. Right now the standard key ends up creating AES card and session keys.
* Added InfoService and LoginService. | Endi S. Dewata | 2017-02-24 | 3 | -0/+108
    New REST services classes have been added to PKIApplication. The InfoService provides general information about the server including version number and access banner. The LoginService provides a way to notify the server that the banner has been displayed on the client, which in that case the InfoService will no longer return the banner again in the same session.
    https://fedorahosted.org/pki/ticket/2582
* Added PKIApplication. | Endi S. Dewata | 2017-02-23 | 1 | -0/+50
    A new PKIApplication class has been added into /pki web application to define common PKI REST services such as access banner.
    https://fedorahosted.org/pki/ticket/2582
* Refactored PKIService class. | Endi S. Dewata | 2017-02-15 | 3 | -6/+6
    The subsystem-based methods and fields in PKIService class have been moved into a new SubsystemService class to allow creating more generic non-subsystem-based services.
    The classes that use these methods and fields have been updated accordingly.
* Replaced CryptoManager.getTokenByName(). | Endi S. Dewata | 2017-01-27 | 1 | -2/+1
    Direct invocations of CryptoManager.getTokenByName() have been replaced with CryptoUtil.getCryptoToken() and getKeyStorageToken() to ensure that internal token names are handled consistently both in normal mode and FIPS mode.
    https://fedorahosted.org/pki/ticket/2556
* Fixed inconsistent internal token detection. | Endi S. Dewata | 2017-01-26 | 1 | -10/+14
    The codes that detect internal token name have been modified to use CryptoUtil.isInternalToken() such that the comparison can be done consistently both in normal mode and FIPS mode.
    https://fedorahosted.org/pki/ticket/2556
* Replaced internal token full name literals. | Endi S. Dewata | 2017-01-24 | 1 | -1/+1
    The internal token full name literals have been replaced with CryptoUtil.INTERNAL_TOKEN_FULL_NAME.
    https://fedorahosted.org/pki/ticket/2556
* Refactored ConfigurationRequest.TOKEN_DEFAULT. | Endi S. Dewata | 2017-01-21 | 1 | -5/+5
    The ConfigurationRequest.TOKEN_DEFAULT has been replaced with CryptoUtil.INTERNAL_TOKEN_FULL_NAME since they are identical.
    https://fedorahosted.org/pki/ticket/2556
* Resolve: pkispawn does not change default ecc key size from nistp256 when nistp384 is specified in spawn config | Jack Magne | 2016-12-09 | 1 | -4/+4
    Ticket #2552.
    This fix turned out simple. The client was correctly setting the required data, but it was putting the curveName in the "keySize" field of the SystemCertData object sent to the back end. The configuration routine was trying to find the name in the "curveName" field when it's really in the "keySize" field. This issue is restricted to the ECC case. It is fine to simply fix this in the server, since the "keySize" is a string anyway and it makes decent sense.
* Updated AccountInfo. | Endi S. Dewata | 2016-11-22 | 1 | -29/+17
    The AccountInfo has been changed to extend the ResourceMessage such that it can be used to pass the list of accessible components as an attribute.
    https://fedorahosted.org/pki/ticket/2523
* Moved policy framework classes to org.dogtagpki.legacy. | Endi S. Dewata | 2016-11-11 | 41 | -0/+12806
    To discourage the use of policy framework, the framework classes have been moved into org.dogtagpki.legacy.
    https://fedorahosted.org/pki/ticket/6
* Revert "Fixed TPS UI system menu." | Matthew Harmsen | 2016-11-03 | 1 | -17/+29
    This reverts commit f979c3b436e9a12e8c71ba0abab5c892d375f945.
* Troubleshooting improvement for ConfigurationUtils.handleCerts(). | Endi S. Dewata | 2016-10-28 | 1 | -6/+2
    To help troubleshooting, the ConfigurationUtils.handleCerts() has been modified to throw the exception instead of returning an integer.
    https://fedorahosted.org/pki/ticket/2463
* Fixed TPS UI system menu. | Endi S. Dewata | 2016-10-21 | 1 | -29/+17
    The TPS UI has been modified to adjust the system menu based on the list of accessible components obtained during login.
    The TPSApplication has been modified to use TPSAccountService which returns the list of accessible components based on the following properties in the CS.cfg:
    * admin: target.configure.list
    * agent: target.agent_approve.list
    The AccountInfo has been changed to extend the ResourceMessage such that it can be used to pass the list of accessible components as an attribute.
    https://fedorahosted.org/pki/ticket/2523
* Removed support for creating system certificates in different tokens. | Endi S. Dewata | 2016-09-08 | 1 | -3/+6
    The patch that added the support for creating system certificates in different tokens causes issues in certain cases, so for now it has been reverted.
    https://fedorahosted.org/pki/ticket/2449
* Added support to create system certificates in different tokens. | Endi S. Dewata | 2016-09-02 | 1 | -6/+3
    Previously all system certificates were always created in the same token specified in the pki_token_name parameter.
    To allow creating system certificates in different tokens, the configuration.py has been modified to store the system certificate token names specified in pki_<cert>_token parameters into the CS.cfg before the server is started.
    After the server is started, the configuration servlet will read the token names from the CS.cfg and create the certificates in the appropriate token.
    https://fedorahosted.org/pki/ticket/2449
* Moved subsystem initialization after database initialization. | Endi S. Dewata | 2016-08-30 | 1 | -1/+2
    Previously issues with system certificates that happen during subsystem initialization were reported as database initialization error. Database initialization actually does not depend on subsystem initialization, so to avoid confusion and to simplify the code the reInitSubsystem() in SystemConfigService is now invoked after the initializeDatabase() is complete.
    https://fedorahosted.org/pki/ticket/2423
* Fixed SelfTestService.findSelfTests(). | Endi S. Dewata | 2016-08-16 | 1 | -1/+1
    The SelfTestService.findSelfTests() has been modified to return all selftests defined in the CS.cfg.
    https://fedorahosted.org/pki/ticket/2432
* Removed PKCS #7 from add user cert dialog in TPS UI. | Endi S. Dewata | 2016-08-12 | 1 | -0/+2
    The dialog box for adding user certificate in TPS UI has been modified to no longer mention PKCS #7. The REST service itself still accepts PKCS #7, but it should be cleaned up in the future.
    https://fedorahosted.org/pki/ticket/2437
* Fixed error handling in SystemConfigService. | Endi S. Dewata | 2016-07-20 | 1 | -6/+6
    To help troubleshooting the SystemConfigService has been modified to chain the original exception and to log stack trace into the debug log.
    https://fedorahosted.org/pki/ticket/2399
* Refactored SystemConfigService.processCerts(). | Endi S. Dewata | 2016-06-15 | 1 | -128/+148
    To simplify future enhancements the code that processes each certificate in SystemConfigService.processCerts() has been moved into a separate method.
* Fixed REST response format. | Endi S. Dewata | 2016-06-14 | 1 | -1/+1
    Some REST services have been fixed to return the response in XML format by default.
    https://fedorahosted.org/pki/ticket/1276
* Fixed support for generic CSR extensions. | Endi S. Dewata | 2016-05-25 | 1 | -17/+2
    The deployment tool has been modified to support adding Subordinate CA extension into the CSR for Microsoft CA, and also adding generic extensions to any system certificate.
    https://fedorahosted.org/pki/ticket/2312