Commit message | Author | Age | Files | Lines
This patch fixes the issue that when an agent visits one of the CA's system cert request records, an exception is thrown.
Trivial fix.
To help with troubleshooting, the SystemConfigService has been modified
to chain the original exception and to log the stack trace into the
debug log.
https://fedorahosted.org/pki/ticket/2399
This patch addresses the issue that with the previous patch, the regular (non-external and non-existing) CA installation fails.
Support to allow the TPS to do the following:
1. Request that the TKS creates a shared secret with the proper ID, pointing to the TPS.
2. Have the TKS securely return the shared secret back to the TPS during the end of configuration.
3. The TPS then imports the wrapped shared secret into its own internal NSS db permanently, and
4. gives it a name that is mapped to the TPS's id string.
Additional fixes:
1. The TKS was modified to actually be able to use multiple shared secrets registered by
multiple TPS instances.
Caveat:
At this point, if the same remote TPS instance is created over and over again, the TPS's user
in the TKS will accumulate "userCert" attributes, making the exportation of the shared secret
not functional. At this point we need to assume that the TPS user has ONE "userCert" registered
at this time.
The AuthInfoAccessExtDefault profile component constructs an OCSP
URI based on the current host and port, if no URI is explicitly
configured in the profile.
Update the component to look in CS.cfg for the "ca.defaultOcspUri"
config, and use its value if present. If not present, the old
behaviour prevails.
Also add the 'pki_default_ocsp_uri' pkispawn config to add the
config during instance creation, so that the value will be used for
the CA and system certificates.
Fixes: https://fedorahosted.org/pki/ticket/2387
Look for the right JAX-RS API JAR (it has moved in Fedora 25).
Also remove a lot of redundant 'find_file' operations for this JAR.
Fixes: https://fedorahosted.org/pki/ticket/2373
signing cert in case of external or existing CA
This patch implements a validity check on the notAfter value of the certInfo
and adjusts it to that of the CA's notAfter if exceeding.
The pki pkcs12-import CLI has been modified not to import
certificates that already exist in the NSS database unless
specifically requested with the --overwrite parameter. This
will avoid changing the trust flags of the CA signing
certificate during KRA cloning.
Some other classes have been modified to provide better
debugging information.
https://fedorahosted.org/pki/ticket/2374
Ticket #1579 : UdnPwdDirAuth authentication plugin instance is not working.
Since this class no longer works, we felt it best to just remove it from the server.
This patch removes the references and files associated with this auth method.
part 2 of: https://fedorahosted.org/pki/ticket/2298 [non-TMS] for key archival/recovery, not to record certain data in ldap and logs
This patch allows one to exclude certain ldap attributes from the enrollment records for crmf requests
(both CRMF and CMC CRMF). The following are the highlights:
* CRMF Manual approval profile is disabled: caDualCert.cfg
- If excludedLdapAttrs.enabled is true (by default it is false), then this profile will not work, as the crmf requests
are not written to the ldap record for agents to act on
* excludedLdapAttrs.attrs can be used to configure the attribute list to be excluded
* a new CRMF "auto approval" (directory based, needs to be set up) is provided
* if excludedLdapAttrs.enabled is true (in both ca and kra), the following fields are not written to the ldap record in case of CRMF:
(note: the code deliberately uses literal strings, for the reason that the exact literal strings need to be spelled out
in excludedLdapAttrs.attrs if the admin chooses to override the default)
"req_x509info",
"publickey",
"req_extensions",
"cert_request",
"req_archive_options",
"req_key"
* Because of the above (possible exclusion of cert requests in the record), profiles
that require agent manual approval will no longer function in the case that
excludedLdapAttrs.enabled is true
* a sleepOneMinute() method is added for debugging purposes. It is not called in the final code, but is left there for future debugging purposes
* code was fixed so that in the KRA the request will display the subject name even though the x509info is missing from the request
* cmc requests did not have a request type in records, so it had to be added for differentiation
The following have been tested:
* CRMF auto enroll
* CRMF manual enroll/approval
* CMC-CRMF enroll
* both CA and KRA internal ldap are examined for correct data exclusion
Note: CRMF could potentially not include the key archival option; however, I am not going to differentiate them at the moment. An earlier prototype I had built attempted to do that, and the signing cert's record isn't excluded from the attrs write while its CRMF request is the same as that of its encryption cert counterpart within the same request. Due to this factor (multiple cert reqs with the same request blob), I am treating them the same for exclusion.
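The write-time filter described in this commit, as an added example in Python (not code from the Dogtag project). It applies the excludedLdapAttrs.enabled / excludedLdapAttrs.attrs settings to a request record before it would be written to the LDAP request repository, and shows why a manual-approval profile stops working once cert_request is dropped. The record layout, the "request_type" field and the "crmf" / "cmc-crmf" spellings are assumptions; the sample record is constructed.

```python
# Added example, not code from the Dogtag project: applies the
# excludedLdapAttrs.* settings to a request record before it is written
# to the LDAP request repository.
# Assumptions: records are plain dicts, the request type lives in the
# "request_type" field, and CRMF types are spelled "crmf" / "cmc-crmf".
from typing import Dict, List

# Default exclusion list for CRMF requests. These are literal strings on
# purpose: an admin overriding the list must spell them exactly like this.
DEFAULT_EXCLUDED_ATTRS = (
    "req_x509info",
    "publickey",
    "req_extensions",
    "cert_request",
    "req_archive_options",
    "req_key",
)

CRMF_REQUEST_TYPES = {"crmf", "cmc-crmf"}  # assumption: request-type spellings


def excluded_attrs(config: Dict[str, str]) -> List[str]:
    """Exclusion list in effect: nothing when the feature is off, the admin's
    comma-separated override when set, otherwise the defaults."""
    if config.get("excludedLdapAttrs.enabled", "false").strip().lower() != "true":
        return []
    override = config.get("excludedLdapAttrs.attrs", "")
    names = [a.strip() for a in override.split(",") if a.strip()]
    return names if names else list(DEFAULT_EXCLUDED_ATTRS)


def filter_record(record: Dict[str, str], config: Dict[str, str]) -> Dict[str, str]:
    """Copy of the record with the excluded attributes dropped. Only CRMF-type
    requests are filtered; PKCS#10 and other request types are stored whole."""
    if record.get("request_type", "").lower() not in CRMF_REQUEST_TYPES:
        return dict(record)
    drop = set(excluded_attrs(config))
    return {k: v for k, v in record.items() if k not in drop}


def agent_can_approve(stored: Dict[str, str]) -> bool:
    """A manual-approval profile needs the request blob on the record; once
    cert_request has been excluded there is nothing for an agent to act on."""
    return bool(stored.get("cert_request"))


# Constructed sample record (not real data).
SAMPLE_CRMF = {
    "request_type": "crmf",
    "subject": "CN=alice,O=EXAMPLE",
    "cert_request": "MIIC...base64-crmf...",
    "req_key": "MIIE...wrapped-private-key...",
    "req_archive_options": "encrypted",
    "profile_id": "caDualCert",
}

if __name__ == "__main__":
    on = {"excludedLdapAttrs.enabled": "true"}
    stored = filter_record(SAMPLE_CRMF, on)
    print(sorted(stored))             # ['profile_id', 'request_type', 'subject']
    print(agent_can_approve(stored))  # False
```

With the feature on, the stored record keeps only the non-sensitive fields, and agent_can_approve() is the check an admin would want before enabling a manual-approval profile alongside excludedLdapAttrs.enabled=true.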
To simplify future enhancements the code that processes each
certificate in SystemConfigService.processCerts() has been moved
into a separate method.
Some REST services have been fixed to return the response in XML
format by default.
https://fedorahosted.org/pki/ticket/1276
Add the CertificateAuthority.renewAuthority() method that creates
and processes a renewal request for the lightweight CA's signing
cert. The new certificate replaces the old certificate in the NSSDB
and the serial number is stored in the 'authoritySerial' attribute.
Clones observe when the 'authoritySerial' attribute has changed and
update the certificate in their NSSDB, too.
The renewal behaviour is available in the REST API as a POST to
/ca/rest/authorities/<id>/renew.
Fixes: https://fedorahosted.org/pki/ticket/2327
When renewing a certificate, propagate the Authority ID from the
original request to the new request, to ensure that the new
certificate is issued by the same issuer as the original.
Part of: https://fedorahosted.org/pki/ticket/2327
This simple fix will grab the subject info out of the cert
associated with either pending or complete recovery requests being
viewed in the KRA UI.
For example:
KeyOwner: UID=jmagne, O=Token Key User
will be displayed.
This simple fix should be good enough for this round, despite the bug
asking about agent info and such.
Ticket #1512: Key owner info missing from the Search results of Recovery request
for "List Request". This patch allows a KRA agent to list netkeyKeyRecovery requests.
When manufacturing a CertRequestInfo, CertRequestInfoFactory
includes the serial number of issued certs, but does not show serial
numbers of revoked certs for completed revocation requests.
Include the serial number for this case.
Fixes: https://fedorahosted.org/pki/ticket/1073
This patch comments out unneeded data in TMS debug logs (TPS & TKS);
it reduces the size of the debug logs by a lot.
Note that for ease of later development debugging, the debug lines
are commented out instead of being removed.
The legacy KRA servlet has been modified to check the realm
if present in the request, or only return non-realm requests
if not present.
No attempt is made to fix the error reporting of the servlet.
As such, an authz failure due to the realm check is handled
in the same way that other authz failures are handled.
The old KRA servlets to list and display keys do not go through
the same code paths as the REST API. Therefore, they do not
check the authz realm.
This patch adds the relevant code. No attempt is made to fix the
error handling of the old servlets. The long-term solution for this
is to deprecate the old servlets and make the UI use the REST API
instead. Therefore, authz failures due to realm checks are handled
in the same way as other authz changes.
The RenewalProcessor.processRenewal() has been modified to get the
serial number of the certificate to renew from the profile input
in addition to the <SerialNumber> attribute and client certificate.
The serialNum field in CertEnrollmentRequest has been modified to
use CertId which accepts both decimal and hexadecimal value.
https://fedorahosted.org/pki/ticket/999
The RenewalProcessor.getSerialNumberFromCert() has been modified
to throw an exception instead of returning null to pass the error
message to the client to help troubleshooting.
The code has also been modified to remove redundant null checking
and redundant decoding and re-encoding.
https://fedorahosted.org/pki/ticket/999
This patch handles Ticket 2298 non-TMS key archival/recovery, as well as
Ticket 2271 TMS recovery request ldap entries
Fields are zeroed out before being deleted in KRA request records
Ticket 2254
This patch fixes the following areas:
* In the CA, when revokeCert is called, make it possible to move from on_hold
to revoke.
* In the servlet that handles TPS revoke (DoRevokeTPS), make sure it allows
the on_hold cert to be put in the bucket to be revoked.
* there are a few minor fixes such as typos, and one has to do with the
populate method in SubjectDNInput.java, which needs better handling of the subject in
case it's null.
Note: This patch does not attempt to allow agents to revoke certs that
are on_hold from the agent interface. The search filter needs to be modified to
allow that.
The deployment tool has been modified to support adding Subordinate
CA extension into the CSR for Microsoft CA, and also adding generic
extensions to any system certificate.
https://fedorahosted.org/pki/ticket/2312
Previously cert enrollment might fail after editing the profile
using the console. This is because the console added an empty
rangeUnit parameter, but the server rejected the empty value.
The convertRangeUnit() methods in several classes have been
modified to accept the empty value and convert it into the
default value (i.e. day).
https://fedorahosted.org/pki/ticket/2308
Right now, if publishing is enabled, both CRL and cert publishing
are enabled. This causes a bunch of spurious error messages on
IPA servers, as cert publishing is not configured.
As it is impossible to determine whether cert publishing is not desired
or simply misconfigured, we provide options to explicitly disable
either cert or CRL publishing.
Specifically:
* to enable/disable both cert and crl publishing:
ca.publish.enable = True/False
This is the legacy behavior.
* to enable CRL publishing only:
ca.publish.enable = True
ca.publish.cert.enable = False
* to enable cert publishing only:
ca.publish.enable = True
ca.publish.crl.enable = False
Ticket 2275
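The precedence of the three switches above, as an added example in Python (not code from the Dogtag project): a minimal CS.cfg key=value parser and a function that reports the effective (cert, CRL) publishing state. It assumes only these three properties matter and that the per-type switches default to enabled, so an old CS.cfg with just ca.publish.enable keeps the legacy behaviour; the CS.cfg fragment is constructed.

```python
# Added example, not code from the Dogtag project: computes the effective
# publishing state from CS.cfg with the precedence the commit describes.
# Assumption: only these three properties matter; the per-type switches
# default to enabled so an old CS.cfg keeps the legacy behaviour.
from typing import Dict, Tuple


def parse_cs_cfg(text: str) -> Dict[str, str]:
    """Minimal parser for CS.cfg: one key=value per line, '#' comments."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def _flag(props: Dict[str, str], key: str, default: bool) -> bool:
    """Boolean property; 'True'/'true' both count as enabled."""
    value = props.get(key)
    if value is None:
        return default
    return value.strip().lower() == "true"


def publishing_state(props: Dict[str, str]) -> Tuple[bool, bool]:
    """(cert_publishing, crl_publishing). ca.publish.enable is the master
    switch; with it off nothing is published regardless of the sub-switches."""
    if not _flag(props, "ca.publish.enable", False):
        return (False, False)
    return (
        _flag(props, "ca.publish.cert.enable", True),
        _flag(props, "ca.publish.crl.enable", True),
    )


# Constructed CS.cfg fragment for an IPA-style CA that only publishes CRLs.
SAMPLE_CS_CFG = """
# publishing
ca.publish.enable=true
ca.publish.cert.enable=false
"""

if __name__ == "__main__":
    print(publishing_state(parse_cs_cfg(SAMPLE_CS_CFG)))  # (False, True)
```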
The TPS UI has been modified to provide an interface to manage the
user certificates.
The UserService has been modified to provide better error messages.
https://fedorahosted.org/pki/ticket/1434
Ticket #801 : Merge pki-symkey into jss
What is supported:
1. Everything that is needed to support Secure Channel Protocol 01.
2. Supports the NIST SP800 KDF and the original KDF.
3. Supports key unwrapping used by TPS which was formerly in the symkey JNI.
Requires:
1. A new JSS that supports more advanced symkey operations such as key derivation, more advanced key
unwrapping, and a way to list and identify a given symmetric key by name. The version of the new JSS will be forthcoming.
Still to do:
1. Port over the 2 or 3 SCP02 routines from Symkey to use this code.
2. The original symkey will remain in place until we can port over everything.
3. SCP03 support can be added later.
To help with troubleshooting, the code has been modified to log more
detailed information in pre-op mode.
https://fedorahosted.org/pki/ticket/1654
An unparseable subject DN is ignored, causing an NPE in subsequent
processing because the subject DN was not set. Throw
ERejectException if the subject DN is invalid, to ensure that a
useful response can be returned to the requestor.
Fixes: https://fedorahosted.org/pki/ticket/2317
The ConfigurationUtils.handleCertRequest() has been modified
to throw an exception on error during CSR generation instead
of silently ignoring it. The method has also been renamed to
generateCertRequest() for clarity.
If the existing CA keys are in an HSM, the code fails to
load the keys because it does not take into account the full nickname.
This small fix addresses this bug.
Now that Dogtag can host multiple CAs in a single instance, add a
certificate search parameter for limiting searches to a particular
issuer.
Fixes: https://fedorahosted.org/pki/ticket/2321
Ticket 2041
With this fix, error messages are returned to the user when
a request is rejected - either in the UI or from the pki CLI.
Trac Ticket 1247 (amongst others)
Requests to the KRA through the CA-KRA connector use the Enrollment
Service. This has been modified to read and store any realm passed in.
The realm can be added to the request by having the admin add
an AuthzRealmDefault and AuthzRealmConstraint in a profile.
At this point, all the constraint does is verify that the realm is
one of a specified list of realms. More verification will be added
in a subsequent patch.
No attempt is made yet to allow users to specify the realm. This
would need to be added as a ProfileInput.
Part of Ticket 2041
Lightweight CAs were supported in REST-based request submission, but
not via ProfileSubmitServlet. However, FreeIPA currently uses
ProfileSubmitServlet, so make it possible to use lightweight CAs.
Part of: https://fedorahosted.org/pki/ticket/1625
'getX509CertFromToken' erroneously compares Issuer DN of given cert
with Subject DNs of cert in NSSDB. It falsely returns the parent of
the target cert, if the certs have the same serial number.
In the context of how this method is used, it causes the deletion of
an external CA certificate from the NSSDB if the serial numbers
match, and subsequent certificate verification failure when
connecting to LDAP.
Update the method to check the Issuer DN.
Fixes: https://fedorahosted.org/pki/ticket/2301
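The lookup bug in this commit and the decimal/hex serial parsing from the ticket 999 commit above, as one added example in Python (not code from the Dogtag project). It keeps the pre-fix comparison (target issuer DN against candidates' subject DNs) beside the corrected one (issuer against issuer) and shows, on a constructed three-level chain in which the intermediate and the CA signing cert carry the same serial number, that the buggy lookup returns the parent CA while the fixed lookup returns the target. parse_cert_id(), the Cert fields and the "0x" prefix rule are assumptions; the store contents are constructed.

```python
# Added example, not code from the Dogtag project: locating a certificate
# in a store by serial number. Shows the getX509CertFromToken bug (matching
# the target's issuer DN against candidates' *subject* DNs) beside the fix,
# and the decimal/hex serial parsing a CertId-style field accepts. The "0x"
# prefix rule and the Cert fields are assumptions; the DB is constructed.
from dataclasses import dataclass
from typing import List, Optional


def parse_cert_id(text: str) -> int:
    """Serial number as a CLI or REST client may supply it: '0x1a' (hex)
    or '26' (decimal). Negative values are rejected."""
    s = text.strip()
    value = int(s[2:], 16) if s[:2].lower() == "0x" else int(s, 10)
    if value < 0:
        raise ValueError("serial number must not be negative")
    return value


@dataclass(frozen=True)
class Cert:
    nickname: str
    subject: str
    issuer: str
    serial: int


def find_cert_buggy(db: List[Cert], target: Cert) -> Optional[Cert]:
    """The pre-fix comparison: target.issuer against candidate.subject.
    The parent CA's subject *is* the target's issuer, so it matches whenever
    the two certs happen to share a serial number."""
    for c in db:
        if c.subject == target.issuer and c.serial == target.serial:
            return c
    return None


def find_cert_fixed(db: List[Cert], target: Cert) -> Optional[Cert]:
    """Compare issuer DN with issuer DN. (issuer, serial) identifies one
    certificate as long as each CA keeps its serials unique (RFC 5280)."""
    for c in db:
        if c.issuer == target.issuer and c.serial == target.serial:
            return c
    return None


# Constructed NSS DB contents: external root -> external intermediate ->
# Dogtag CA signing cert. The intermediate and the CA signing cert were
# issued by different CAs, so both may legitimately carry serial 7.
ROOT = Cert("external-root", "CN=External Root", "CN=External Root", 1)
INTERMEDIATE = Cert("external-intermediate", "CN=External Intermediate",
                    "CN=External Root", 7)
CA_SIGNING = Cert("caSigningCert cert-pki-ca", "CN=CA Signing Certificate,O=EXAMPLE",
                  "CN=External Intermediate", 7)
NSS_DB = [ROOT, INTERMEDIATE, CA_SIGNING]

if __name__ == "__main__":
    # The buggy lookup hands back the external intermediate; in the original
    # call site that is the cert that would then be deleted from the NSSDB.
    print(find_cert_buggy(NSS_DB, CA_SIGNING).nickname)  # external-intermediate
    print(find_cert_fixed(NSS_DB, CA_SIGNING).nickname)  # caSigningCert cert-pki-ca
```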
When installing a standalone KRA the admin certificate is base-64
encoded and stored in the kra.admin.cert property in the CS.cfg.
Previously the encoded certificate contained EOL characters which
may cause uninstall to fail due to a parsing error. The install code
has been fixed to normalize the encoded certificate properly.
In practice, most folks will use something like DirAclAuthz
to manage their realm. Rather than requiring a new authz plugin
for each realm, we allow the authz plugin to support multiple
realms (as a comma separated list).
For the Acl plugins in particular, we expand the authorize call
to allow the caller to pass in the realm as well as the resource
and operation. The resource queried would then be constructed on
the fly as realm.resource
Examples will be provided in the wiki page.
Trac Ticket 2041
Review comments addressed:
1. when archiving or generating keys, realm is checked
2. when no plugin is found for a realm, access is denied.
3. rename mFoo to foo for new variables.
4. add chaining of exceptions
5. remove attributes from KeyArchivalRequest etc. when realm is null
6. Add more detail to denial in BasicGroupAuthz
Part of Trac Ticket 2041
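The realm-aware authorization scheme described in this and the preceding ticket 2041 commits (one ACL plugin instance serving a comma-separated realm list, the resource checked as realm.resource, denial when no plugin is registered for a realm), together with the listing rule from the legacy KRA servlet fixes above, as one added example in Python (not code from the Dogtag project). The plugin and ACL layout, the group and resource names, the reading of "check the realm if present, otherwise return only non-realm requests" as a query-side realm parameter, and the request records are all assumptions.

```python
# Added example, not code from the Dogtag project: realm-aware authorization
# as the ticket 2041 commits describe it. One ACL plugin instance serves a
# comma-separated realm list, the resource is checked as "<realm>.<resource>",
# and a realm with no plugin is denied. Plugin and ACL layout, group names
# and the request records are assumptions.
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple


@dataclass
class AclAuthzPlugin:
    """Stand-in for an ACL plugin such as DirAclAuthz configured for several
    realms at once. acls maps (resource, operation) to the groups allowed to
    perform it; realm-qualified resources live in the same table."""
    realm_list: str                           # e.g. "payroll,hr" from CS.cfg
    acls: Dict[Tuple[str, str], Set[str]]

    @property
    def realms(self) -> Set[str]:
        return {r.strip() for r in self.realm_list.split(",") if r.strip()}

    def authorize(self, groups: Iterable[str], realm: Optional[str],
                  resource: str, operation: str) -> bool:
        qualified = f"{realm}.{resource}" if realm else resource
        return bool(set(groups) & self.acls.get((qualified, operation), set()))


class AuthzRegistry:
    def __init__(self, plugins: List[AclAuthzPlugin]) -> None:
        self.plugins = plugins

    def plugin_for(self, realm: str) -> Optional[AclAuthzPlugin]:
        return next((p for p in self.plugins if realm in p.realms), None)

    def check(self, groups: Iterable[str], realm: Optional[str],
              resource: str, operation: str) -> bool:
        """Realm check used when archiving, generating or reading keys.
        A request with no realm is subject only to the ordinary authz, which
        is outside this example, so it passes here."""
        if realm is None:
            return True
        plugin = self.plugin_for(realm)
        if plugin is None:
            return False          # no plugin registered for the realm: deny
        return plugin.authorize(groups, realm, resource, operation)


def list_requests(registry: AuthzRegistry, groups: Iterable[str],
                  records: List[Dict[str, Optional[str]]],
                  requested_realm: Optional[str]) -> List[str]:
    """Listing rule of the legacy KRA servlet fix (as read here): with a realm
    in the query the caller must be authorized in it and only that realm's
    records are returned; without one, only realm-less records are returned."""
    if requested_realm is None:
        return [r["id"] for r in records if r.get("realm") is None]
    if not registry.check(groups, requested_realm, "keyrequests", "read"):
        raise PermissionError(f"not authorized in realm {requested_realm!r}")
    return [r["id"] for r in records if r.get("realm") == requested_realm]


# Constructed configuration and request records (not real data).
PLUGIN = AclAuthzPlugin("payroll,hr", {
    ("payroll.keyrequests", "read"): {"payroll-agents"},
    ("payroll.keyrequests", "archive"): {"payroll-agents"},
    ("hr.keyrequests", "read"): {"hr-agents"},
})
REGISTRY = AuthzRegistry([PLUGIN])
RECORDS = [
    {"id": "1", "realm": None},
    {"id": "2", "realm": "payroll"},
    {"id": "3", "realm": "hr"},
]

if __name__ == "__main__":
    print(list_requests(REGISTRY, ["payroll-agents"], RECORDS, None))       # ['1']
    print(list_requests(REGISTRY, ["payroll-agents"], RECORDS, "payroll"))  # ['2']
    print(REGISTRY.check(["payroll-agents"], "finance", "keyrequests", "read"))  # False
```

The fail-closed branch in AuthzRegistry.check() is the one to keep an eye on in a real deployment: a realm that reaches the KRA without a matching plugin entry in CS.cfg must be denied rather than silently treated as realm-less.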
We add authz realm checks as appropriate for each
operation.
Part of Trac Ticket #2041
The async recovery request mechanism was implemented differently
from other requests. This makes it difficult to add things like
authorization consistently.
We move the required methods to the KeyRequestDAO to be more
consistent.
Part of Ticket #2041