summaryrefslogtreecommitdiffstats
path: root/base/server/cmsbundle
Commit message (Collapse)AuthorAgeFilesLines
* Fixed error message on invalid log type.Endi S. Dewata2017-06-271-1/+1
| | | | | | | | | To help troubleshooting the error message on invalid log type has been modified to include the invalid value. https://pagure.io/dogtagpki/issue/2689 Change-Id: Ie245bd9e3a3925979af4708fa911697a9746e54b
* Ticket #2616 CMC: id-cmc-statusInfo ==> id-cmc-statusInfoV2Christina Fu2017-06-231-0/+1
| | | | | | | | | | | | | | This patch contains the following update: * Structurely, CMCStatusInfo to CMCStatusInfoV2 update; no extendedFailInfo has been added at this point * In case of EncryptedPOP, instead of returning with CMCStatus pending where PendInfo contains the requestID, it now returns CMCStatus failed whith responseInfo control contains the requestID. On the client side, CMCRequest now processes the responseInfo and returns the DecryptedPOP with requestID in the regInfo control. CMCResponse has been updated to handle the new controls as well. * A number of fail info codes are now being supported by the server to add clarity to CMC failed status, including: badMessageCheck, badRequest, unsuportedExt, badIdentity, popRequired, and popFailed.
* Ticket#2737 CMC: check HTTPS client authentication cert against CMC signerChristina Fu2017-06-151-2/+2
| | | | | This patch adds enforcement in CMCUserSignedAuth to make sure SSL client authentication is performed and the authenticated cert matches that of the CMC signing cert. Some auditing adjustments are also done.
* Added SCHEDULE_CRL_GENERATION audit event.Endi S. Dewata2017-05-261-0/+6
| | | | | | | | | A new SCHEDULE_CRL_GENERATION audit event has been added which will be generated when CRL generation is scheduled manually. https://pagure.io/dogtagpki/issue/2651 Change-Id: I1e2fc307491e796e50b09550d66e5eba370d090a
* Added FULL_CRL_PUBLISHING audit event.Endi S. Dewata2017-05-261-0/+6
| | | | | | | | | A new FULL_CRL_PUBLISHING audit event has been added which will be generated when full CRL publishing is complete. https://pagure.io/dogtagpki/issue/2651 Change-Id: I4461b03f4afd300b65e9d12c7d0bfa935b4e7082
* Added FULL_CRL_GENERATION audit event.Endi S. Dewata2017-05-261-0/+6
| | | | | | | | | A new FULL_CRL_GENERATION audit event has been added which will be generated when full CRL generation is complete. https://pagure.io/dogtagpki/issue/2651 Change-Id: I74b083721e477ad72fe5a787935af617e89a6968
* Added DELTA_CRL_PUBLISHING audit event.Endi S. Dewata2017-05-261-0/+6
| | | | | | | | | A new DELTA_CRL_PUBLISHING audit event has been added which will be generated when delta CRL publishing is complete. https://pagure.io/dogtagpki/issue/2651 Change-Id: I38f84fc2d00ea57ef13f0ee50998da9239437372
* Added DELTA_CRL_GENERATION audit event.Endi S. Dewata2017-05-261-0/+6
| | | | | | | | | A new DELTA_CRL_GENERATION audit event has been added which will be generated when delta CRL generation is complete. https://pagure.io/dogtagpki/issue/2651 Change-Id: Ic4759ac2d90b6915443587708292d0f51e11345f
* Encapsulate server side keygen audit eventsAde Lee2017-05-251-10/+4
| | | | | | | | | This encapsulates key gen events for the token servlets. Consolidated the success and failure cases. Note that this event can likely later be replaced with security_data_keygen events. Leaving separate for now. Change-Id: I6caaeb2231fd2f7410eade03cb5fa93d66444bbf
* Encapsulate key status change audit logsAde Lee2017-05-251-1/+1
| | | | Change-Id: I57b30cdff571056d0a95436858308872a8dc007b
* Encapsulate symmetric and asymmetric keygen audit eventsAde Lee2017-05-241-4/+4
| | | | Change-Id: Ifc8d05bd1d2d34bb0ef25877f838731bed58d00e
* Make sure archivalID is passed through archivalAde Lee2017-05-241-5/+11
| | | | | | | | | | | | | | | | There was some confusion in the previous commit for archival logging. The archivalID is the id provided by the CA for the archival and is its requestID. This allows the cert request operation to be tracked through the archival. Made sure therefore, that we have two fields - one for the archivalID and one for the requestId (which is the KRA archival request ID) In addition, some of the archival events occur in the CA component just before the request id sent to the KRA. These events will not be displayed unless the audit event is added to the CA CS.cfg. Change-Id: I3904d42ae677d5916385e0120f0e25311b4d9d08
* Encapsulate recovery request approval audit logsAde Lee2017-05-231-1/+1
| | | | | | | | The audit logs where an agent grants an asynchronous recovery request and the case where recovery request is appproved from the REST API are consolidated and encapsulated in a class. Change-Id: I237c1dcfc413012d421f3ccc64e21c7caf5a7701
* Fix auditing in retrieveKeyAde Lee2017-05-231-1/+11
| | | | | | | | | | | | The auditing in retrieveKey is all messed up. * Added new audit event to track accesses to KeyInfo queries. They may produce a lot of events, especially if events are generated for every listing of data. By default, this event may be turned off. * Added audit events for generation and processing of key recovery requests. Change-Id: Icb695e712bdfadf0a80903aa52bd00b9d4883182
* Encapsulate key retrieval audit eventsAde Lee2017-05-231-22/+4
| | | | | | | | | | | Key retrieval is when the key/secret is extracted and returned to the client (once the recovery request is approved). We combine SECURITY_DATA_RETRIEVE_KEY and a couple of older EXPORT events. Note: an analysis of the key retrieval rest flow (and the auditing there will be done in a subsequent patch). Change-Id: Ibd897772fef154869a721fda55ff7498210ca03c
* Eliminate async recovery audit eventsAde Lee2017-05-231-17/+0
| | | | | | | | | There are now many ways to recover keys. From an auditing point of view, its not helpful to distinguish between sync or async requests. So we just use SECURITY_DATA ... Change-Id: Id64abd56248c07f3f7f7b038ba5ac458af854089
* Encapsulate recovery processed audit eventsAde Lee2017-05-231-10/+2
| | | | | | | | This creates audit events for KEY_RECOVERY_PROCESSED and SECURITY_DATA_RECOVERY_PROCESSED audit logs. We simplify by reducing the logs to the SECURITY_DATA ones. Change-Id: I75968799dec48d1f056ba15f8125d3bd031f31bb
* Encapsulate key recovery audit eventsAde Lee2017-05-231-1/+1
| | | | | | | | Encapsulate SECURITY_DATA_KEY_RECOVERY_REQUEST and KEY_RECOVERY_REQUEST audit events as audit event objects. We have collapse to a single audit event type. Change-Id: I68c27573725cf27c34d008c58847d6a22e0d0bac
* Encapsulate archival processed audit logsAde Lee2017-05-231-9/+1
| | | | | | | | Encapsulate audit logs for SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED and PRIVATE_KEY_ARCHIVAL_REQUEST_PROCESSED. We have merged the two audit events. Change-Id: I2abc7edff076495bb62733b92304fecd4f15b2b7
* Encapsulate the archival audit logAde Lee2017-05-231-13/+1
| | | | | | | | | | | | | This patch encapsulates the SECURITY_DATA_ARCHIVAL_REQUEST and PRIVATE_DATA_ARCHIVAL_REQUEST audit logs as audit events. The PRIVATE_DATA_ARCHIVAL_REQUEST events are mapped to the SECURITY_DATA ones to simplify the whole structure. They used to provide an archivalID parameter which was pretty much meaningless as it was at best just the same as the request id which is alreadty logged. So this is now dropped. Change-Id: I705d25ce716c73f2c954c5715b0aafdad80b99d2
* Tocket2673- CMC: allow enrollment key signed (self-signed) CMC with identity ↵Christina Fu2017-05-171-3/+21
| | | | | | proof This patch implements the self-signed CMC requests, where the request is signed by the public key of the underlying request (PKCS#10 or CRMF). The scenario for when this method is used is when there was no existing signing cert for the user has been issued before, and once it is issued, it can be used to sign subsequent cert requests by the same user. The new enrollment profile introduced is : caFullCMCSelfSignedCert.cfg The new option introduced to both CRMFPopClient and PKCS10Client is "-y" which will add the required SubjectKeyIdentifier to the underlying request. When a CMC request is self-signed, no auditSubjectID is available until Identification Proof (v2) is verified, however, the cert subject DN is recorded in log as soon as it was available for additional information. Auditing is adjusted. More will come in the next couple CMC patches.
* Refactored CertRequestProcessedEvent to use AuditEvent attributes.Endi S. Dewata2017-05-161-1/+1
| | | | | | | | | | | | | | | | | The CertRequestProcessedEvent constructors have been modified to log the info attributes using the new AuditEvent attributes. The logging property for CERT_REQUEST_PROCESSED event has been modified to accept a list of attributes as a single string instead of individual info attributes. The CERT_REQUEST_PROCESSED constant in AuditEvent has been replaced with a constant in CertRequestProcessedEvent class which points to the new logging property. https://pagure.io/dogtagpki/issue/2655 Change-Id: I981212af7fca58916c73ccdeba9919a4d051af3c
* Ticket #2717 CMC user-signed enrollment requestChristina Fu2017-04-282-0/+3
| | | | | | | | | | | This patch provides implementation that allows user-signed CMC requests to be processed; The resulting certificate will bear the same subjectDN as that of the signing cert; The new uri to access is /ca/ee/ca/profileSubmitUserSignedCMCFull where the new profile is to be used: caFullCMCUserSignedCert.cfg which utilizes the new authentication plugin: CMCUserSignedAuth and new profile default plugin: CMCUserSignedSubjectNameDefault and new profile constraint plugin: CMCUserSignedSubjectNameConstraint
* Ticket #2614 CMC: id-cmc-popLinkWitnessV2 feature implementation This patch ↵Christina Fu2017-04-131-0/+2
| | | | provides the feature for CMC on handling id-cmc-popLinkWitnessV2
* Fixed PKIServerSocketListener.Endi S. Dewata2017-04-051-1/+1
| | | | | | | | | | | | The PKIServerSocketListener.alertReceived() has been fixed to generate audit log when the SSL socket is closed by the client. The log message has been modified to include the reason for the termination. https://pagure.io/dogtagpki/issue/2602 Change-Id: Ief2817f2b2b31cf6f60fae0ee4c55c17024f7988
* Added audit logs for SSL/TLS events.Endi S. Dewata2017-03-281-0/+27
| | | | | | | | | | | | | | | The CMSStartServlet has been modified to register an SSL socket listener called PKIServerSocketListener to TomcatJSS. The PKIServerSocketListener will receive the alerts generated by SSL server sockets and generate ACCESS_SESSION_* audit logs. The CS.cfg for all subsystems have been modified to include ACCESS_SESSION_* audit events. https://pagure.io/dogtagpki/issue/2602 Change-Id: If7fb6c1b096ec8c68d1fd08f9132baf099816f11
* Added cert validation error message in selftest log.Endi S. Dewata2016-08-121-1/+1
| | | | | | | To help troubleshooting the selftest log has been modified to include the cert validation error message returned by JSS. https://fedorahosted.org/pki/ticket/2436
* Fix error output when request is rejectedAde Lee2016-05-091-1/+2
| | | | | | | With this fix, error messages are returned to the user when a request is rejected - either in the UI or from the pki CLI. Trac Ticket 1247 (amongst others)
* Add realm to requests coming in from CAAde Lee2016-05-091-0/+6
| | | | | | | | | | | | | | | | Requests to the KRA through the CA-KRA connector use the Enrollment Service. This has been modified to read and store any realm passed in. The realm can be added to the request by havibg the admin add a AuthzRealmDefault and AuthzRealmConstraint in a profile. At this point, all the constraint does is verify that the realm is one of a specified list of realms. More verification will be added in a subsequent patch. No attempt is made yet to allow users to specify the realm. This would need to be added as a ProfileInput. Part of Ticket 2041
* comment typosChristina Fu2016-03-311-9/+9
|
* Ticket #1006 Audit logging for TPS REST operationsChristina Fu2016-03-281-3/+52
| | | | | | | | | | | | | This patch adds audit logging to TPS REST wrote-specific operations. The read-specific operations are already captured by AuditEvent=AUTHZ_* The affected (new or modified) log messages include: LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_GENERAL_5 LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_PROFILE_6 LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_MAPPING_RESOLVER_6 LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_AUTHENTICATOR_6 LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_CONNECTOR_6 LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_RECORD_6 LOGGING_SIGNED_AUDIT_TOKEN_STATE_CHANGE_8
* Lightweight CAs: add audit eventsFraser Tweedale2016-03-011-0/+8
| | | | | | Add audit events for lightweight CA administration. Fixes: https://fedorahosted.org/pki/ticket/1590
* Remove vestiges of NISAuth pluginFraser Tweedale2016-02-162-4/+0
| | | | Fixes: https://fedorahosted.org/pki/ticket/1674
* Ticket #1007 TPS audit eventsChristina Fu2016-02-151-14/+74
| | | | | | This patch implements the TPS operation auditing: TOKEN_APPLET_UPGRADE_SUCCESS,TOKEN_APPLET_UPGRADE_FAILURE,TOKEN_CERT_ENROLLMENT,TOKEN_CERT_RENEWAL,TOKEN_CERT_RETRIEVAL,TOKEN_KEY_RECOVERY,TOKEN_CERT_STATUS_CHANGE_REQUEST,TOKEN_OP_REQUEST,TOKEN_FORMAT_SUCCESS,TOKEN_FORMAT_FAILURE,TOKEN_KEY_CHANGEOVER,TOKEN_KEY_CHANGEOVER_FAILURE,TOKEN_PIN_RESET_SUCCESS,TOKEN_PIN_RESET_FAILURE,TOKEN_STATE_CHANGE,TOKEN_AUTH_SUCCESS,TOKEN_AUTH_FAILURE Administrative auditing (via REST interface) will be covered in a separate ticket
* Improve 'authz manager not found' message stringFraser Tweedale2016-01-141-1/+1
|
* Fixed mismatching certificate validity calculation.Endi S. Dewata2016-01-081-1/+1
| | | | | | | | The CAValidityDefault has been modified to use Calendar API to calculate the certificate validity range to be consistent with the ValidityConstraint and ValidityDefault. https://fedorahosted.org/pki/ticket/1682
* Ticket 1160 audit needed for getKeyInfo; audit missing for auth/authz at ↵Christina Fu2015-05-141-1/+9
| | | | REST. This patch addresses: (2) audit needed for getKeyInfo, the 2nd part of this ticket where the key services are missing some auditing.
* Ticket 1160 audit logging needed: REST API auth/authz; kra for getKeyInfoChristina Fu2015-05-131-0/+2
| | | | | | - (1) REST API auth/authz - this patch addresses the first part of this ticket where auditing is completely missing for authentication and authorization at the REST interface.
* Ticket#1028 phase2: TPS rewrite: provide externalReg functionalityChristina Fu2015-04-141-8/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch is the 2nd phase of the externalReg feature, it makes the following improvements: * added feature: recovery by keyid (v.s. by cert) * fixed some auditing message errors * added some missing ldapStringAttributes needed for delegation to work properly * added missing externalReg required config parameters * made corrections to some externalReg related parameters to allow delegation to work properly * added handle of some error cases * made sure externalReg enrollment does not go half-way (once fails, bails out) tested: * enrollment of the three default TPS profiles (tokenTypes) * format of the tokens enrolled with the three default tps profiles * delegation enrollments * cuid match check next phase: * cert/key retention (allow preserving existing certs/keys on the token) note: * some of the activity log and cert status related issues that are not specifically relating to externalReg will be addressed in other more relevant tickets.
* Add LDAPProfileSubsystem to store profiles in LDAPFraser Tweedale2015-04-071-0/+1
| | | | | | | | | | | | Add the LDAPProfileSubsystem as another IProfileSubsystem implementation that can be used instead of ProfileSubsystem (which stores profiles on the file system) to store files in LDAP so that changes can be replicated. Extract common behaviour in to new AbstractProfileSubsystem superclass. Also address the minor issue #1220.
* Ticket#1028 Phase1:TPS rewrite: provide externalReg functionalityChristina Fu2015-02-101-0/+2
|
* Ticket #864 866 (part 1 symkey, common) NIST SP800-108 KDFChristina Fu2014-12-191-0/+80
| | | | | - this patch does not include TPS side of changes: (#865 needs to be rewritten in Java)
* Added rangeUnit property to certificate profiles.Endi S. Dewata2014-12-151-2/+4
| | | | | | | | | A new optional property has been added to certificate profiles to specify the range unit. The default range unit is 'day'. The code has been modified to use the Calendar API to calculate the end of validity range based on the range unit. https://fedorahosted.org/pki/ticket/1226
* Generate asymmetric keys in the DRM.Abhishek Koneru2014-08-271-0/+9
| | | | | | | | | | | | Adds methods to key client to generate asymmetric keys using algorithms RSA and DSA for a valid key sizes of 512, 1024, 2048,4096. The generated keys are archived in the database. Using the CLI, the public key(base64 encoded) can be retrieved by using the key-show command. The private key(base64 encoded) can be retrieved using the key-retrieve command. Ticket #1023
* Remove ACL mapping to user from error messagesMatthew Harmsen2014-07-281-1/+1
| | | | - PKI TRAC Ticket #965 - Improve error message - remove ACL mapping to the user
* Trac ticket # 884 TPS Rewrite: Audit and other LoggingChristina Fu2014-04-111-0/+59
| | | | http://pki.fedoraproject.org/wiki/TPS_Rewrite#Audit_Messages
* reame client_id to client_key_idAde Lee2014-02-261-5/+5
|
* Rename KeyRequest to ResourceMessageAde Lee2014-02-041-0/+14
| | | | | | Refactor ResourceMessage to include classname instead of Request Type. Also changed PKIException.Data to extend ResourceMessage. Modifications to the server code to get the tests working.
* External Registration feature merge (excluding TPS portion due to current ↵Christina Fu2014-01-231-0/+2
| | | | | | TPS-rewrite effort): http://pki.fedoraproject.org/wiki/TPS_-_New_Recovery_Option:_External_Registration_DS
* Moved cmsbundle into server folder.Endi S. Dewata2013-12-055-0/+3708
The pki-cmsbundle.jar is distributed in pki-server package so the files have been moved into the base/server folder.
generated by cgit (git 2.34.1) at 2025-10-01 07:27:29 +0000