| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
| |
The code for creating and importing local cert into NSS database
has been moved into ConfigurationUtils.handleLocalCert().
https://pagure.io/dogtagpki/issue/2280
Change-Id: Idac7bc3e08e95f94fe50c417898ef12b2288d17c
|
|
|
|
|
|
|
|
|
| |
Duplicate log() methods for audit events have been merged into the
Logger class.
https://pagure.io/dogtagpki/issue/2689
Change-Id: I7a5147ff3221a52a82e69f56faf2156c04256db2
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Signed audit logger creation has been simplified into:
Logger signedAuditLogger = SignedAuditLogger.getLogger();
The null checks on signed audit logger have been removed since
it cannot be null. Audit messages can be logged as follows:
signedAuditLogger.log(message);
https://pagure.io/dogtagpki/issue/2689
Change-Id: I3bf781b0194a6cbb166f71751c098d1c2a3a657a
|
|
|
|
|
|
|
| |
The server is modified to read the new OIDs in the PKIArchiveOptions
and handle them correctly.
Change-Id: I328df4d6588b3c2c26a387ab2e9ed742d36824d4
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
It is simpler to simply tell the client which
algorithm to use for key wrapping and encryption, rather
than use key sets. Therefore:
* KRAInfo and CAInfo are refactored to provide the
algorithms required for key wrapping and encryption.
* Client is modified to use these parameters to determine
which algorithms to use.
* We specify the OIDs that will be used in the PKIARchiveOptions
more correctly. The options are basically:
AES-128-CBC, DES3-CBC, AES KeyWrap/Pad
Change-Id: Ic3fca902bbc45f7f72bcd4676c994f8a89c3a409
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The CAInfoService returns CA configuration info, including
KRA-related values the CA clients may need to know (e.g. for
generating a CRMF cert request that will cause keys to be archived
in KRA). Currently that information is statically configured and
does not respect the actual configuration of the KRA.
Update the service to retrieve info from the KRA, which is queried
according to the KRA Connector configuration. After the KRA has
been successfully contacted, the recorded KRA-related settings are
regarded as authoritative.
The KRA is contacted ONLY if the current info is NOT authoritative,
otherwise the currently recorded values are used. This means that
any change to relevant KRA configuration (which should occur seldom
if ever) necessitates restart of the CA subsystem.
If this is unsuccessful (e.g. if the KRA is down or the connector is
misconfigured) we use the default values, which may be incorrect.
Fixes: https://pagure.io/dogtagpki/issue/2665
Change-Id: I30a37c42ef9327471e8cce8a171f79f388fec746
|
|
|
|
|
|
|
|
|
| |
A new SignedAuditConfigRoleEvent class of has been added to
encapsulate the CONFIG_SIGNED_AUDIT events.
https://pagure.io/dogtagpki/issue/2641
Change-Id: I95b897fa0bb73007a7cec009c43ade4cc860f0cd
|
|
|
|
| |
Change-Id: Id73bd6d3c0874c327bc27260318a2c671f0f0177
|
|
|
|
|
|
|
|
|
| |
A new ConfigRoleEvent class of has been added to encapsulate the
CONFIG_ROLE events.
https://pagure.io/dogtagpki/issue/2641
Change-Id: Ie0932131d75897f58afdd8217454c6cf6970d738
|
|
|
|
|
|
|
|
|
| |
A new AuthzFailEvent class of has been added to encapsulate the
AUTHZ_FAIL events.
https://pagure.io/dogtagpki/issue/2641
Change-Id: Id4ab9bd889a1a9314264c0ef2ff7b2389aed8f9c
|
|
|
|
|
|
|
|
|
| |
A new AuthzSuccessEvent class of has been added to encapsulate the
AUTHZ_SUCCESS events.
https://pagure.io/dogtagpki/issue/2641
Change-Id: I2f45fb2c3ba8acdc82777644cf4ad0ec2eff35a5
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
CRMFPopClient and the pki cert client both can send a CRMF request
to a CA directly. Logic is added to check the CA for the required
KRA wrapping params and use those in place of any that have been
provided by the environment or command line.
Also, additional data for the supported KRA keyset has been added to
the CAInfoService. This will need to be managed by the admin. The
default is "1" which corresponds to AES.
Change-Id: I186f9c610005ec300bccf1b07470493ce7cdfeb4
|
|
|
|
|
|
|
|
|
|
| |
The PKIServerSocketListener has been modified to use WeakHashMap
to store socket info that might not be available after the socket
has been closed.
https://pagure.io/dogtagpki/issue/2642
Change-Id: I7e86a9bbc46e7bba4cec36664780c52bf0e88416
|
|
|
|
|
|
|
|
|
| |
The PKIServerSocketListener has been fixed to obtain the correct
client IP address from SSL socket.
https://pagure.io/dogtagpki/issue/2602
Change-Id: I7d3b2dc14d6f442830ee5911613a0e9fc360cfba
|
|
|
|
|
|
|
| |
New audit(AuditEvent) methods have been added alongside the
existing audit(String) methods.
Change-Id: Ia02a7daa8b9e8693208fe34309d8d727cc32ce54
|
|
|
|
| |
Change-Id: Ie05572677de0e8eb1244dc6caf2b4a48514a2542
|
|
|
|
| |
Change-Id: Iade8cb7fdf3c3f93afb13ff814da0f72dc8f8049
|
|
|
|
| |
Change-Id: I73b3a69ffc289ad6bf89eebaa2d95237df25551f
|
|
|
|
|
|
|
|
|
|
| |
This resource (which will be accessed at /ca/rest/info)
will initially return the mechanism for archival.
This is needed by clients to know how to package secrets when
archiving. We may add the transport cert later.
Change-Id: Ib13d52344e38dc9b54c0d2a1645f1211dd84069b
|
|
|
|
|
|
|
|
|
|
| |
This resource (which will be accessed at /kra/rest/info)
will initially return the mechanism for archival or retrieval.
This is needed by clients to know how to package secrets when
archiving.
Change-Id: I6990ebb9c9dafc4158e51ba61a30e773d1d953ec
|
|
|
|
|
|
|
|
|
|
|
|
| |
The PKIServerSocketListener.alertReceived() has been fixed to
generate audit log when the SSL socket is closed by the client.
The log message has been modified to include the reason for the
termination.
https://pagure.io/dogtagpki/issue/2602
Change-Id: Ief2817f2b2b31cf6f60fae0ee4c55c17024f7988
|
|
|
|
|
|
|
| |
New pki audit commands have been added to list and retrieve audit
log files.
Change-Id: I785fa6f55d9b143f513d9210ebf82d04e06eaed5
|
|
|
|
|
|
|
| |
All subclasses of PKIService have been modified to remove the
Context attribute since they have been declared in the base class.
Change-Id: Icdbe97efa2b910a579264099f817930c2cc2ed1a
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The CMSStartServlet has been modified to register an SSL socket
listener called PKIServerSocketListener to TomcatJSS.
The PKIServerSocketListener will receive the alerts generated by
SSL server sockets and generate ACCESS_SESSION_* audit logs.
The CS.cfg for all subsystems have been modified to include
ACCESS_SESSION_* audit events.
https://pagure.io/dogtagpki/issue/2602
Change-Id: If7fb6c1b096ec8c68d1fd08f9132baf099816f11
|
|
|
|
|
|
|
|
|
|
|
| |
For external principal support, ACLInterceptor must handle
GenericPrincipal instances in addition to PKIPrincipal.
Specifically, if the principal is a GenericPrincipal, the auth token
is set to an ExternalAuthToken, and the authz manager is looked up
by the realm of the principal (it is assumed that the principal name
has the form "id@realm").
Part of: https://pagure.io/dogtagpki/issue/1359
|
|
|
|
| |
Part of: https://pagure.io/dogtagpki/issue/1359
|
|
|
|
|
|
|
| |
Update AuthMethodInterceptor to handle externally authenticated
principals. For now, access is unconditionally granted.
Part of: https://pagure.io/dogtagpki/issue/1359
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Developer keyset token operations and key change over supported.
Caveats.
-The diversification step going from master key to card key uses DES3 as required for the token.
-After that point, everything is scp03 to the spec with minor excpetions so far.
Supports 128 bit AES for now. Will resolve this.
Minor config tweaks:
TPS
Symmetric Key Changeover
Use this applet for scp03:
RSA/KeyRecovery/GP211/SCP02/SCP03 applet : 1.5.558cdcff.ijc
TKS:
Symmetric Key Changeover
tks.mk_mappings.#02#03=internal:new_master
tks.defKeySet.mk_mappings.#02#03=internal:new_master
Use the uncommented one because scp03 returns a different key set data string.
ToDo:
-Support the rest of the AES sizes other than 128.
-Support optional RMAC apdu.
-Test and adjust the config capability for other tokens.
-Support AES master key. Right now the standard key ends up creating AES card and session keys.
|
|
|
|
|
|
|
|
|
|
|
| |
New REST services classes have been added to PKIApplication.
The InfoService provides general information about the server
including version number and access banner. The LoginService
provides a way to notify the server that the banner has been
displayed on the client, which in that case the InfoService
will no longer return the banner again in the same session.
https://fedorahosted.org/pki/ticket/2582
|
|
|
|
|
|
|
| |
A new PKIApplication class has been added into /pki web application
to define common PKI REST services such as access banner.
https://fedorahosted.org/pki/ticket/2582
|
|
|
|
|
|
|
|
|
| |
The subsystem-based methods and fields in PKIService class have
been moved into a new SubsystemService class to allow creating
more generic non-subsystem-based services.
The classes that use these methods and fields have been updated
accordingly.
|
|
|
|
|
|
|
|
|
| |
Direct invocations of CryptoManager.getTokenByName() have been
replaced with CryptoUtil.getCryptoToken() and getKeyStorageToken()
to ensure that internal token names are handled consistently both
in normal mode and FIPS mode.
https://fedorahosted.org/pki/ticket/2556
|
|
|
|
|
|
|
|
| |
The codes that detect internal token name have been modified to
use CryptoUtil.isInternalToken() such that the comparison can be
done consistently both in normal mode and FIPS mode.
https://fedorahosted.org/pki/ticket/2556
|
|
|
|
|
|
|
| |
The internal token full name literals have been replaced with
CryptoUtil.INTERNAL_TOKEN_FULL_NAME.
https://fedorahosted.org/pki/ticket/2556
|
|
|
|
|
|
|
| |
The ConfigurationRequest.TOKEN_DEFAULT has been replaced with
CryptoUtil.INTERNAL_TOKEN_FULL_NAME since they are identical.
https://fedorahosted.org/pki/ticket/2556
|
|
|
|
|
|
|
|
|
| |
nistp384 is specified in spawn config
Ticket #2552.
This fix turned out simple. The client was correctly setting the required data, but it was putting the curveName in the
"keySize" field of the SystemCertData object sent to the back end. The configuration routine was trying to find the name in the "curveName" field when its really in the "keySize" field. This issue is restricted to the ECC case. It is fine to simply fix this in the server, since the "keySize" is a string anyway and it makes decent sense.
|
|
|
|
|
|
|
|
| |
The AccountInfo has been changed to extend the ResourceMessage
such that it can be used to pass the list of accessible
components as an attribute.
https://fedorahosted.org/pki/ticket/2523
|
|
|
|
|
|
|
| |
To discourage the use of policy framework, the framework classes
have been moved into org.dogtagpki.legacy.
https://fedorahosted.org/pki/ticket/6
|
|
|
|
| |
This reverts commit f979c3b436e9a12e8c71ba0abab5c892d375f945.
|
|
|
|
|
|
|
|
| |
To help troubleshooting, the ConfigurationUtils.handleCerts()
has been modified to throw the exception instead of returning an
integer.
https://fedorahosted.org/pki/ticket/2463
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The TPS UI has been modified to adjust the system menu based
on the list of accessible components obtained during login.
The TPSApplication has been modified to use TPSAccountService
which returns the list of accessible components based on the
following properties in the CS.cfg:
* admin: target.configure.list
* agent: target.agent_approve.list
The AccountInfo has been changed to extend the ResourceMessage
such that it can be used to pass the list of accessible
components as an attribute.
https://fedorahosted.org/pki/ticket/2523
|
|
|
|
|
|
|
|
| |
The patch that added the support for creating system certificates
in different tokens causes issues in certain cases, so for now it
has been reverted.
https://fedorahosted.org/pki/ticket/2449
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Previously all system certificates were always created in the same
token specified in the pki_token_name parameter.
To allow creating system certificates in different tokens, the
configuration.py has been modified to store the system certificate
token names specified in pki_<cert>_token parameters into the
CS.cfg before the server is started.
After the server is started, the configuration servlet will read
the token names from the CS.cfg and create the certificates in the
appropriate token.
https://fedorahosted.org/pki/ticket/2449
|
|
|
|
|
|
|
|
|
|
|
| |
Previously issues with system certificates that happen during
subsystem initialization were reported as database initialization
error. Database initialization actually does not depend on
subsystem initialization, so to avoid confusion and to simplify the
code the reInitSubsystem() in SystemConfigService is now invoked
after the initializeDatabase() is complete.
https://fedorahosted.org/pki/ticket/2423
|
|
|
|
|
|
|
| |
The SelfTestService.findSelfTests() has been modified to return
all selftests defined in the CS.cfg.
https://fedorahosted.org/pki/ticket/2432
|
|
|
|
|
|
|
|
| |
The dialog box for adding user certificate in TPS UI has been
modified to no longer mention PKCS #7. The REST service itself
still accepts PKCS #7, but it should be cleaned up in the future.
https://fedorahosted.org/pki/ticket/2437
|
|
|
|
|
|
|
|
| |
To help troubleshooting the SystemConfigService has been modified
to chain the original exception and to log stack trace into the
debug log.
https://fedorahosted.org/pki/ticket/2399
|
|
|
|
|
|
| |
To simplify future enhancements the code that processes each
certificate in SystemConfigService.processCerts() has been moved
into a separate method.
|
|
|
|
|
|
|
| |
Some REST services have been fixed to return the response in XML
format by default.
https://fedorahosted.org/pki/ticket/1276
|
|
|
|
|
|
|
|
| |
The deployment tool has been modified to support adding Subordinate
CA extension into the CSR for Microsoft CA, and also adding generic
extensions to any system certificate.
https://fedorahosted.org/pki/ticket/2312
|