| Commit message (Collapse) | Author | Age | Files | Lines |
| |
|
|
|
|
|
|
|
|
|
|
| |
The code that generates the CSR for external CA installation has
been moved into a new scriptlet.
The code that displays the external CA step one installation
summary has been moved into the configuration servlet.
https://fedorahosted.org/pki/ticket/2278
|
|
|
|
|
|
|
| |
The code that generates the client database has been moved into a
new scriptlet.
https://fedorahosted.org/pki/ticket/2278
|
|
|
|
|
|
|
|
| |
Instead of checking various installation scenarios (e.g. external
CA step 2, standalone step 2, configuration-only mode), the code to
generate or load the one-time PIN has been simplified as follows:
* if the PIN already exists (in CS.cfg), it will be reused
* if the PIN does not exist, the code will generate a new one
|
|
|
|
|
|
|
|
| |
When either an existing CA or external CA installation is
performed, use the pki-server cert validation tool to check
the signing certiticate and chain.
Ticket #2043
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Previously the finalization scriptlet was always executed in each
pkispawn execution. In multi-step installations (e.g. external CA,
standalone, or installation/configuration-only mode) some of the
code in the scriptlet such as enabling systemd service, restarting
the service, and purging client database will be redundant.
Now the scriptlet has been modified to execute only in the final
step of the installation. The code that archives the deployment
and manifest files has been moved into pkispawn to ensure that it
is always executed in each pkispawn execution.
For clarity the method that displays the installation summary has
been broken up into separate methods for standalone step 1,
installation-only mode, and configuration-only/full installation.
|
|
|
|
|
|
|
|
| |
The unused rv instance variables in all deployment scriptlets have
been removed. The spawn() and destroy() are now returning None
instead of error code. If an error happens during execution the
scriptlet will throw an exception which will be caught by pkispawn
or pkidestroy and then displayed to the user.
|
|
|
|
|
|
|
|
|
| |
To avoid possible conflicts imported external certificates, the
self-signed SSL server certificate creation has been moved after
the external certificates have been imported into the NSS database
and before the server is started.
https://fedorahosted.org/pki/ticket/1736
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A new pki_existing deployment property has been added to install
CA with existing CA certificate and key in a single step.
New certificate deployment properties have been added as aliases
for some external CA properties to allow them to be used in more
general cases:
- pki_ca_signing_csr_path -> pki_external_csr_path
- pki_ca_signing_cert_path -> pki_external_ca_cert_path
- pki_cert_chain_path -> pki_external_ca_cert_chain_path
- pki_cert_chain_nickname -> pki_external_ca_cert_chain_nickname
https://fedorahosted.org/pki/ticket/1736
|
|
|
|
|
|
|
|
|
|
| |
New PKCS #12 deployment properties have been added as aliases
for some external CA properties to allow them to be used in
more general cases:
- pki_pkcs12_path -> pki_external_pkcs12_path
- pki_pkcs12_password -> pki_external_pkcs12_password
https://fedorahosted.org/pki/ticket/1736
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently when installing an additional subsystem to an existing
instance the install tool always generates a new random password in
the pki_pin property which would not work with the existing NSS
database. The code has been modified to load the existing NSS
database password from the instance if the instance already exists.
The PKIInstance class has been modified to allow loading partially
created instance to help the installation.
https://fedorahosted.org/pki/ticket/2247
|
|
|
|
|
|
|
|
|
|
|
|
| |
Some variables in pkispawn and pkidestroy have been renamed for
clarity.
The unused PKI_CERT_DB_PASSWORD_SLOT variable has been removed.
The constant pki_self_signed_token property has been moved into
default.cfg.
https://fedorahosted.org/pki/ticket/2247
|
|
|
|
|
|
|
|
|
|
|
|
| |
In the external CA case if the externally-signed CA certificate
is included in the certificate chain the CA certificate may get
imported with an incorrect nickname.
The code has been modified such that the certificate chain is
imported after the CA certificate is imported with the proper
nickname.
https://fedorahosted.org/pki/ticket/2022
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The installation code has been modified such that it imports all
CA certificates from the PKCS #12 file for cloning before the
server is started using certutil. The user certificates will
continue to be imported using the existing JSS code after the
server is started. This is necessary since JSS is unable to
preserve the CA certificate nicknames.
The PKCS12Util has been modified to support multiple certificates
with the same nicknames.
The pki pkcs12-cert-find has been modified to show certificate ID
and another field indicating whether the certificate has a key.
The pki pkcs12-cert-export has been modified to accept either
certificate nickname or ID.
The pki pkcs12-import has been modified to provide options for
importing only user certificates or CA certificates.
https://fedorahosted.org/pki/ticket/1742
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The pki_server_external_cert_path has been renamed to
pki_server_external_certs_path to match the file name.
A default pki_server_external_certs_path has been added to
default.cfg.
The pki pkcs12-export has been modified to export into existing
PKCS #12 file by default.
The pki-server instance-cert-export has been modified to accept a
list of nicknames to export.
https://fedorahosted.org/pki/ticket/1742
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Ticket 1742 has a case where a third party CA certificate has
been added by IPA to the dogtag certdb for the proxy cert.
There is no way to ensure that this certificate is imported
when the system is cloned.
This patch will allow the user to import third party certificates
into a dogtag instance through CLI commands (pki-server).
The certs are tracked by a new instance level configuration file
external_certs.conf.
Then, when cloning:
1. When the pk12 file is created by the pki-server ca-clone-prepare
command, the external certs are automatically included.
2. When creating the clone, the new pki_server_pk12_path and
password must be provided. Also, a copy of the
external_certs.conf file must be provided.
3. This copy will be read and merged with the existing
external_certs.conf if one exists.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The installation tool has been modified to provide an optional
pki_server_pkcs12_path property to specify a PKCS #12 file
containing certificate chain, system certificates, and third-party
certificates needed by the subsystem being installed.
If the pki_server_pkcs12_path is specified the installation tool
will no longer download the certificate chain from the security
domain directly, and it will no longer import the PKCS #12
containing the entire master NSS database specified in
pki_clone_pkcs12_path.
For backward compatibility, if the pki_server_pkcs12_path is not
specified the installation tool will use the old mechanism to
import the system certificates.
The ConfigurationUtils.verifySystemCertificates() has been modified
not to catch the exception to help troubleshooting.
https://fedorahosted.org/pki/ticket/1742
|
|
|
|
|
|
| |
We do a check for the dnsdomainname, which fails in Openstack
CI because this is not set. Instead of exiting, default to
the hostname.
|
|
|
|
|
|
|
|
|
| |
Due to a recent change the KRA installation failed because the
installer was trying to read the pki_external_csr_path parameter
which is not available for KRA installation. The installer has
been fixed to read the parameter in external CA case only.
https://fedorahosted.org/pki/ticket/456
|
|
|
|
| |
https://fedorahosted.org/pki/ticket/1738
|
|
|
|
|
|
|
| |
The pki.nss module has been renamed into pki.nssdb to prevent
conflicts with the nss module.
https://fedorahosted.org/pki/ticket/456
|
|
|
|
|
|
|
| |
The pkispawn has been modified to display the proper summary for
external CA and existing CA cases.
https://fedorahosted.org/pki/ticket/456
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The PKIConnection class uses python-requests for HTTPS. The library
picks up several settings from environment variables, e.g. HTTP proxy
server, certificate bundle with trust anchors and authentication. A
proxy can interfere with the Dogtag installer and cause some operations
to fail.
With session.trust_env = False python-requests no longer inspects the
environment and Dogtag has full controll over its connection settings.
For backward compatibility reasons trust_env is only disabled during
installation and removal of Dogtag.
https://requests.readthedocs.org/en/latest/api/?highlight=trust_env#requests.Session.trust_env
https://fedorahosted.org/pki/ticket/1733
https://fedorahosted.org/freeipa/ticket/5555
|
|
|
|
|
|
|
|
|
| |
A lot of Python files start with a #!/usr/bin/python shebang although
the files are neither executables nor designed as scripts. Shebangs are
only required for executable scripts.
Without unnecessary shebangs it's a bit easier to track Python 3
porting.
|
|
|
|
|
|
|
|
|
|
| |
Some password and pin fields are missing from the no_interpolation list.
One entry is misspelled. A '%' in password field such as
pki_clone_pkcs12_password causes an installation error.
https://fedorahosted.org/pki/ticket/1703
Signed-off-by: Christian Heimes <cheimes@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The installation code for external CA case has been fixed such
that IPA can detect step 1 completion properly.
The code that handles certificate data conversion has been fixed
to reformat base-64 data for PEM output properly.
The installation summary for step 1 has been updated to provide
more accurate information.
https://fedorahosted.org/pki/ticket/456
|
|
|
|
|
|
|
|
|
|
|
| |
The deployment procedure for external CA has been modified
such that it generates the CA CSR before starting the server.
This allows the same procedure to be used to import CA
certificate from an existing server. It also removes the
requirement to keep the server running while waiting to get
the CSR signed by an external CA.
https://fedorahosted.org/pki/ticket/456
|
|
|
|
| |
join security domain Investigation shows that this issue occurs when the non-CA subsystem's SSL server and client keys are also on the HSM. While browsers (on soft token) have no issue connecting to any of the subsystems on HSM, subsystem to subsystem communication has issues when the TLS_ECDHE_RSA_* ciphers are turned on. We have decided to turn off the TLS_ECDHE_RSA_* ciphers by default (can be manually turned on if desired) based on the fact that: 1. The tested HSM seems to have issue with them (will still continue to investigate) 2. While the Perfect Forward Secrecy provides added security by the TLS_ECDHE_RSA_* ciphers, each SSL session takes 3 times longer to estabish. 3. The TLS_RSA_* ciphers are adequate at this time for the CS system operations
|
|
|
|
|
|
|
|
| |
Some versions of pylint complain about six's moves magic:
No name 'urllib' in module '_MovedItems' (no-name-in-module)
Disable error E0611.
|
|
|
|
|
|
|
| |
The default value for argparser's verbosity was None, but None can't be
compared to 2 in Python 3.
TypeError: unorderable types: NoneType() >= int()
|
|
|
|
|
|
|
|
|
| |
In Python 3 subprocess.Popen() and check_out() return bytes. The rest of
PKI expects text, so the output has to be decoded.
- ascii for dnsdomainname
- sys.getfilesystemencoding() for paths
- utf-8 for the rest
|
|
|
|
|
| |
Python 3 treats serialized XML as encoded bytes. etree must encode XML
to UTF-8 and write it to a file opened in binary mode.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Python 3's exception class has no message attribute. e.message can
either be replaced with string representation of e or e.args[0].
Use print(line, end='') instead of sys.stdout.write(). With end='' no
new line is appended.
Use six.reraise() to reraise an exception.
Remove sys.exc_clear() as it is no longer available in Python 3.
Conditionally import shutil.WindowsError.
Use six.move to import correct modules / function like quote, urlparse
and configparser.
Silence some pylint warnings. pylint doesn't understand six.moves magic
and emits a import-error warning.
Add additional tox envs to check for Python 3 compatibility.
|
|
|
|
|
|
|
|
|
| |
Fedora 22's Python bindings for SELinux lacks sepolgen. The seobject
package is available for Python 3 but can't be imported because it
depends on sepolgen.
The workaround makes it possible to test the Python 3 port on Fedora 22.
It can be removed later once Fedora 23 is out.
|
|
|
|
|
|
|
|
|
| |
In Python 3 dict methods like values(), items() and keys() return views
rather than lists. The iter equivalents are gone. Use six to use
iterators on Python 2 and 3.
In some places like setup.py a list is required. Use
list(somedict.values()) to get a list on all Python versions.
|
|
|
|
|
|
| |
Python 3 has a different syntax for meta classes. The old __metaclass__
attribute is no longer supported. six.with_metaclass() constructs a
suitable metaclass for us.
|
|
|
|
|
| |
In Python 3 range() returns an iterator and xrange() is gone. Use
six.moves to use an iterable range() on Python 2.
|
|
|
|
|
|
|
| |
In Python 3 raw_input() has been renamed to input() and the old,
insecure input() builtin is gone. six.moves simplifies the transition.
It provides the former raw_input() function under the same import name
on Python 2 and 3.
|
|
|
|
|
|
|
|
|
| |
Replace print statement with Python 3's print() function.
For Python 2 'from __future__ import print_function' turns the print
statement into Python 3 compatible print function.
See https://www.python.org/dev/peps/pep-3105/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Enforce absolute imports or explicit relative imports. Python 3 no
longer supports implicit relative imports, that is unqualified imports
from a module's directory. In order to load a module from the same
directory inside a package, use
from . import module
The future feature 'from __future__ import absolute_import' ensures that
pki uses absolute imports on Python 2, too.
See https://www.python.org/dev/peps/pep-0328/
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch fixes the RSA ciphers that were mistakenly turned on under ECC
section, and off under RSA section. A few adjustments have also been made
based on Bob Relyea's feedback. A new file, <instance>/conf/ciphers.info
was also created to
1. provide info on the ciphers
2. provide default rsa and ecc ciphers for admins to incorporate into earlier
instances (as migration script might not be ideal due to possible customization)
(cherry picked from commit 67c895851781d69343979cbcff138184803880ea)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Large portions of the patch was automatically created with autopep8:
find base/ -name '*.py' | xargs autopep8 --in-place --ignore E309 \
--aggressive
find base/common/upgrade base/server/upgrade -type f -and \
-not -name .gitignore | autopep8 --in-place --ignore E309 --aggressive
autopep8 --in-place --ignore E309 --aggressive \
base/common/sbin/pki-upgrade \
base/server/sbin/pkispawn \
base/server/sbin/pkidestroy \
base/server/sbin/pki-server \
base/server/sbin/pki-server-upgrade
About two dozent violations were fixed manually.
https://fedorahosted.org/pki/ticket/708
|
|
|
|
|
|
|
|
|
| |
Several methods except OSError before they except shutil.Error. In
Python 3 the second except clause will be ignored because in Python 3
shutil.Error is a subclass of OSError.
The body of the except clauses only differs in the logging message. A
single except clause with an isinstance() check has the same effect.
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When setting up a clone, indexes are added before the
replication agreements are set up and the consumer is initialized.
Thus, as data is replicated and added to the clone db, the
data is indexed.
When cloning is done with the replication agreements already set
up and the data replicated, the existing data is not indexed and
cannot be accessed in searches. The data needs to be reindexed.
Related to ticket 1414
|
|
|
|
|
| |
- PKI TRAC Ticket #1524 - pkispawn: certutil options incorrect for creating
ecc admin certificate
|
|
|
|
|
|
|
|
| |
Noise file does not actually need to have random data because
NSS does not actually use this data. Certutil still needs
the file though, so we will put dummy data in there. This
solves potential problems with the random() method used and also
issues like BZ 1244382
|
|
|
|
|
|
|
| |
The man pages for pkispawn and pki_default.cfg have been updated
to include TPS deployment parameters.
https://fedorahosted.org/pki/ticket/1277
|
|
|
|
|
| |
- PKI TRAC Ticket #1441 - Lack of Interactive Installation Support
(Cloning, Subordinates, Externals, HSMs, ECC)
|
|
|
|
| |
shared and nonshared tomcat instances
|
|
|
|
|
|
|
|
| |
Due to issues with HSM the Modutil.is_security_module_registered()
has been modified to the get the list of all registered modules
and then use it to check if a module is registered.
https://fedorahosted.org/pki/ticket/1444
|