| Commit message (Collapse) | Author | Age | Files | Lines |
... | |
| |
When a user renews their certificate using pki client-cert-request
the CLI will authenticate using the certificate and send an empty
request message. The server is supposed to use the certificate's
serial number to process the renewal request.
Currently the request fails if the serial number is missing from
the request message. The server has been fixed such that it
ignores the missing serial number and uses the certificate's serial
number instead.
https://fedorahosted.org/pki/ticket/2476
| |
Just a small drive-by refactor.
Part of: https://fedorahosted.org/pki/ticket/1359
| |
Part of: https://fedorahosted.org/pki/ticket/1359
| |
Part of: https://fedorahosted.org/pki/ticket/1359
| |
| |
The PKIConnection has been modified to provide two get() methods:
one returning a generic Response object and the other returning an
object with the specified type. The ConfigurationUtils has been
modified accordingly.
https://fedorahosted.org/pki/ticket/1517
| |
The AccountInfo has been changed to extend the ResourceMessage
such that it can be used to pass the list of accessible
components as an attribute.
https://fedorahosted.org/pki/ticket/2523
| |
When a request was approved and retrieved through the REST
interface, the corresponding volatile request object was not
created due to the new flow. This makes sure the volatile request
is created.
| |
The PKCS12Util class has been modified to use the SLF4J logging
framework. The CMake scripts have been modified to include SLF4J
libraries in the classpath. The spec file has been modified to
add SLF4J dependencies.
https://fedorahosted.org/pki/ticket/195
| |
New man pages have been added for the common and server logging
configurations.
https://fedorahosted.org/pki/ticket/1897
| |
To reduce maintenance the log4j.properties is no longer copied
into the instance folder during deployment. Instead, a link will
be created in the /var/lib/pki/<instance>/lib folder pointing to
the default file in /usr/share/pki/server/conf.
The default log4j.properties has been updated to remove redundant
lines. By default only log messages with level WARN or higher will
be logged on the console.
https://fedorahosted.org/pki/ticket/1897
| |
To reduce maintenance the logging.properties is no longer copied
into the instance folder during deployment. Instead, a link will
be created in /etc/pki/<instance> pointing to the default file
in /usr/share/pki/server/conf.
The default logging.properties has been updated to only log
messages with level WARNING or higher on the console.
https://fedorahosted.org/pki/ticket/1897
| |
When installing subordinate CA with HSM, the installer calls the
pki CLI (which is implemented using JSS) to validate the imported
CA certificate in HSM. Normally, the HSM password is specified as
CLI parameter, but in FIPS mode JSS requires both the HSM and the
internal token passwords. Since the CLI only takes one password,
JSS will prompt for the missing one on the console causing the
installation to hang.
As a temporary solution, the pki-server subsystem-cert-validate
command has been modified to validate certificates stored in the
internal token only and it will use the internal token password,
so only a single password is required. Further investigation in
CLI/JSS/NSS is needed to support validating certificates in HSM
without password prompts.
https://fedorahosted.org/pki/ticket/2543
| |
Due to a certutil issue (bug #1393668) the installation code has
been modified to import certificates into the NSS database in
two steps. This workaround is needed to install subordinate CA
with HSM in FIPS mode.
First, the certificate will be imported into the HSM using the
HSM password without the trust attributes. Then, the certificate
will be imported into the internal token using the internal token
password with the trust attributes.
https://fedorahosted.org/pki/ticket/2543
| |
To discourage the use of the policy framework, the framework classes
have been moved into org.dogtagpki.legacy.
https://fedorahosted.org/pki/ticket/6
| |
The list of source and class files in some CMake files have been
generalized to allow renaming Java packages without changing the
CMake files again.
https://fedorahosted.org/pki/ticket/6
| |
To reduce Eclipse warnings, classes and methods related to policy
framework have been undeprecated. In the future the policy
framework may be removed since it has already been replaced with
the profile framework.
https://fedorahosted.org/pki/ticket/6
| |
When clients call retrieveKey(), three possible alternatives
now obtain:
1. client passes in an approved request. Request is processed
and the secret is retrieved.
2. client passes in key_id and wrapping parameters and either:
a) request can be processed immediately and synchronously
and request is created, and secret is returned.
b) request cannot be processed immediately. Recovery request
is created and request_id returned to the client
Depending on server configuration, the requests in case (2a)
will be stored in ldap or will be ephemeral (in memory only).
More complicated realm based logic to determine if requests
can be processed synchronously or ephemerally will be added in
a later patch.
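The three branches of retrieveKey() described in this commit message, modelled as an added example (this is not Dogtag's KRA code). Only the dispatch logic and the "database vs. in-memory" choice for synchronously completed requests are modelled: the `ephemeral` switch and the `can_process_now` policy hook are assumed names standing in for the server configuration and the realm logic the message says will come later, the key store is a constructed dict, and the wrapping step is omitted so the raw secret is returned.

```python
import secrets


class KeyRecoveryService:
    """Dispatch model for a KRA-style retrieveKey() call.

    Added example, not Dogtag code. Models the three branches from the
    commit message; the key wrap is left out (the raw secret is returned)
    and the wrapping parameters are only validated and recorded.
    """

    def __init__(self, ephemeral=False, can_process_now=lambda key_id: True):
        # Assumed switch: do synchronously completed requests (case 2a)
        # stay in memory only, or are they written to the request database?
        self.ephemeral = ephemeral
        # Assumed policy hook: may this key be recovered right away (2a)
        # or does it need a pending recovery request (2b)?
        self._can_process_now = can_process_now
        self._keys = {}          # key_id -> secret bytes (constructed store)
        self._db_requests = {}   # request_id -> record, stands in for LDAP
        self._mem_requests = {}  # request_id -> record, in memory only

    def store_key(self, key_id, secret):
        self._keys[key_id] = bytes(secret)

    def _new_request(self, key_id, wrapping, status, ephemeral):
        request_id = secrets.token_hex(8)
        record = {"key_id": key_id, "wrapping": wrapping, "status": status}
        store = self._mem_requests if ephemeral else self._db_requests
        store[request_id] = record
        return request_id

    def _find_request(self, request_id):
        record = self._db_requests.get(request_id) or self._mem_requests.get(request_id)
        if record is None:
            raise KeyError(f"unknown request {request_id}")
        return record

    def approve(self, request_id):
        """Agent approval turns a pending request (2b) into a case-1 request."""
        record = self._find_request(request_id)
        if record["status"] != "pending":
            raise ValueError(f"request {request_id} is {record['status']}, not pending")
        record["status"] = "approved"

    def persisted_request_ids(self):
        return set(self._db_requests)

    def retrieve_key(self, request_id=None, key_id=None, wrapping=None):
        # Case 1: the client passes an approved request; key_id and the
        # wrapping parameters come from the stored record.
        if request_id is not None:
            record = self._find_request(request_id)
            if record["status"] != "approved":
                raise PermissionError(f"request {request_id} is {record['status']}")
            record["status"] = "complete"
            return {"request_id": request_id, "secret": self._keys[record["key_id"]]}

        # Case 2: the client passes key_id plus wrapping parameters.
        if key_id is None or not wrapping:
            raise ValueError("key_id and wrapping parameters are required")
        if key_id not in self._keys:
            raise KeyError(f"unknown key {key_id}")

        if self._can_process_now(key_id):
            # Case 2a: create the request, complete it at once, return the
            # secret; the request goes to LDAP or stays in memory per config.
            rid = self._new_request(key_id, wrapping, "complete", self.ephemeral)
            return {"request_id": rid, "secret": self._keys[key_id]}

        # Case 2b: create a pending recovery request and hand back its id.
        # Pending requests are always persisted here, since they must
        # survive until an agent approves them.
        rid = self._new_request(key_id, wrapping, "pending", ephemeral=False)
        return {"request_id": rid}
```

Note the asymmetry the model enforces: a request that still needs approval is never ephemeral, because an in-memory request would vanish with the process before anyone could approve it; only requests that complete within the same call are candidates for the in-memory path.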
| |
The InhibitAnyPolicyExtension has been modified to always close
the DerOutputStream instance.
The InhibitAnyPolicyExtDefault has been modified to wrap the
original exception.
https://fedorahosted.org/pki/ticket/2530
| |
The ExtendedKeyUsageExtension has been modified to always close
the DerOutputStream instance.
The ExtendedKeyUsageExt has been modified to wrap the original
exception.
https://fedorahosted.org/pki/ticket/2530
| |
This reverts commit f979c3b436e9a12e8c71ba0abab5c892d375f945.
| |
The OCSPNoCheckExtension has been modified to always close the
DerOutputStream instance.
The OCSPNoCheckExt has been modified to wrap the original
exception.
https://fedorahosted.org/pki/ticket/2530
| |
For consistency the server.xml templates for Tomcat 7 and 8 have
been modified to use the same unsecure port used by the instance
in the default OCSP responder URL.
https://fedorahosted.org/pki/ticket/2476
| |
To help troubleshooting, the ConfigurationUtils.handleCerts()
has been modified to throw the exception instead of returning an
integer.
https://fedorahosted.org/pki/ticket/2463
| |
https://fedorahosted.org/pki/ticket/2460
| |
db is in FIPS mode.
Ticket #2513.
Simple fix allows the TPS and TKS to obtain the proper internal token, even in FIPS mode.
| |
The TPS UI has been modified to adjust the system menu based
on the list of accessible components obtained during login.
The TPSApplication has been modified to use TPSAccountService
which returns the list of accessible components based on the
following properties in the CS.cfg:
* admin: target.configure.list
* agent: target.agent_approve.list
The AccountInfo has been changed to extend the ResourceMessage
such that it can be used to pass the list of accessible
components as an attribute.
https://fedorahosted.org/pki/ticket/2523
| |
| |
The CryptoUtil.getTokenName() has been modified to check both the
short name and full name of the internal token.
The ConfigurationUtils.deleteCert() has also been modified to call
CryptoUtil.getTokenName().
https://fedorahosted.org/pki/ticket/2500
| |
The verify_subsystem_does_not_exist() has been modified to display
the proper error message when the subsystem to be installed already
exists.
https://fedorahosted.org/pki/ticket/2476
| |
The ConfigurationUtils.importCertChain() has been modified to
ignore UNKNOWN_ISSUER error when connecting to a server that
does not have the complete certificate chain.
https://fedorahosted.org/pki/ticket/2497
| |
To help troubleshooting the GetCertChain servlet has been modified
to log the certificate chain being returned. The ConfigurationUtils
has also been modified to log the certificate chain received.
https://fedorahosted.org/pki/ticket/2463
| |
The CMake scripts have been modified to store compiled Java classes
in separate folders for each JAR files to avoid duplicates.
https://fedorahosted.org/pki/ticket/2505
| |
LDAP disconnect (e.g. due to DS restart) causes LDAPProfileSubsystem
to drop all its profiles and reload them. If a profile is read
during this time, e.g. to issue a certificate, it might not have
been reloaded thus causing the operation to fail.
Introduce the AsyncLoader class which allows a consumer to await the
completion of a (re)load, if one is happening. Update the
getProfile and getProfileIds method to use it.
The existing 'initialLoadDone' CountDownLatch for blocking
LDAPProfileSubsystem init until the initial load of profiles is
completed was subsumed by AsyncLoader.
Fixes: https://fedorahosted.org/pki/ticket/2453
NOTE: This patch is ONLY intended for Dogtag 10.4.0 versions and later;
it is NOT intended to be back-ported to Dogtag 10.3.x versions.
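The race this commit message describes, and the await-the-reload fix, as an added example in Python (this is not Dogtag's Java AsyncLoader; the class and method names below are assumptions). The profile subsystem is replaced by a small store whose `fetch` callable stands in for the LDAP search, so the example runs offline. `get_profile_unguarded` shows the pre-fix read that can return nothing while a reload is in flight; `get_profile` waits for the reload first.

```python
import threading


class AsyncLoader:
    """Lets readers wait until an in-progress (re)load has finished.

    Added example, not Dogtag's AsyncLoader. The loader brackets each
    load with start()/done(); readers call await_load() before reading
    the loaded data and are blocked only while a load is running.
    """

    def __init__(self):
        self._cond = threading.Condition()
        self._loading = False

    def start(self):
        with self._cond:
            self._loading = True

    def done(self):
        with self._cond:
            self._loading = False
            self._cond.notify_all()

    def is_loading(self):
        with self._cond:
            return self._loading

    def await_load(self, timeout=None):
        """Block until no load is running; returns False if timeout expired."""
        with self._cond:
            return self._cond.wait_for(lambda: not self._loading, timeout=timeout)


class ProfileStore:
    """Stand-in for a profile subsystem that drops and reloads all of its
    profiles after a directory reconnect.

    `fetch` is a constructed callable yielding (profile_id, profile)
    pairs; it replaces the LDAP search so the example runs offline.
    """

    def __init__(self, fetch):
        self._fetch = fetch
        self._profiles = {}
        self._lock = threading.Lock()
        self._loader = AsyncLoader()

    def reload(self):
        """Drop every profile, then repopulate from `fetch`.

        Between the clear and the last insert the map is incomplete;
        that is the window in which an unguarded read fails.
        """
        self._loader.start()
        try:
            with self._lock:
                self._profiles.clear()
            for profile_id, profile in self._fetch():
                with self._lock:
                    self._profiles[profile_id] = profile
        finally:
            self._loader.done()

    def is_reloading(self):
        return self._loader.is_loading()

    def get_profile_unguarded(self, profile_id):
        """Pre-fix behaviour: read whatever is in the map right now."""
        with self._lock:
            return self._profiles.get(profile_id)

    def get_profile(self, profile_id):
        """Fixed behaviour: wait for any running reload, then read."""
        self._loader.await_load()
        return self.get_profile_unguarded(profile_id)

    def get_profile_ids(self):
        self._loader.await_load()
        with self._lock:
            return sorted(self._profiles)
```

The `finally` around the load matters as much as the wait: if a reload raises part-way through (the directory drops again), `done()` still runs, so readers are released instead of blocking forever on a loader that will never finish. Whether a partially loaded map should then be served or the error propagated to readers is a policy choice this example leaves to the caller.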
| |
To help troubleshooting the ConfigurationUtils has been modified
to chain the original exceptions and to show additional log
messages.
https://fedorahosted.org/pki/ticket/2463
| |
The patch that added the support for creating system certificates
in different tokens causes issues in certain cases, so for now it
has been reverted.
https://fedorahosted.org/pki/ticket/2449
| |
The FixSELinuxContexts upgrade script has been removed temporarily
due to a problem importing selinux library during RPM upgrade.
The FixDeploymentDescriptor script number has been changed
accordingly.
https://fedorahosted.org/pki/ticket/2452
| |
The URLs were generated by a UriBuilder that referred to the resource's
annotated path. This top-level path changed though, even if the underlying
paths did not. Replace this with a reference to the getX methods instead.
Also fixed a few eclipse flagged warnings (unused imports etc).
Ticket 2447
| |
Previously all system certificates were always created in the same
token specified in the pki_token_name parameter.
To allow creating system certificates in different tokens, the
configuration.py has been modified to store the system certificate
token names specified in pki_<cert>_token parameters into the
CS.cfg before the server is started.
After the server is started, the configuration servlet will read
the token names from the CS.cfg and create the certificates in the
appropriate token.
https://fedorahosted.org/pki/ticket/2449
| |
(for shared HSM)
When installing multiple instances on the same host sharing the
same HSM, if subject_dn's are not specifically spelled out with
unique names for each instance, installation will fail with
complaints that the same subject name and serial number already
exist. This happens in the scenario if you are creating a
subordinate CA, for example, that's in the same domain name as the
root CA. It is very inconvenient that you are expected to spell
out subject dn's of all system certs in the pkispawn config file.
This patch changes default.cfg so that the instance name is in the
default subject dn, e.g. adding it as an "ou" component:
ou=%(pki_instance_name)s
| |
To help troubleshooting the debug log in UpdateNumberRange servlet
has been modified to show the exception stack trace.
https://fedorahosted.org/pki/ticket/2436
| |
Previously issues with system certificates that happen during
subsystem initialization were reported as database initialization
error. Database initialization actually does not depend on
subsystem initialization, so to avoid confusion and to simplify the
code the reInitSubsystem() in SystemConfigService is now invoked
after the initializeDatabase() is complete.
https://fedorahosted.org/pki/ticket/2423
| |
Previously when installing with HSM the token name had to be
specified for each system certificate in the pki_<cert>_token
parameters. The deployment tool has been modified such that by
default it will use the token name specified in pki_token_name.
https://fedorahosted.org/pki/ticket/2423
| |
Partially fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1353245
Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
| |
An upgrade script has been added to fix missing deployment
descriptors or deployment descriptors that are pointing to
non-existent or empty folders.
https://fedorahosted.org/pki/ticket/2439
| |
SslclientAuth is not working.
Ticket #1578
The fixing of this problem required the following:
1. Hook up a java callback that is designed to allow the selection of
a candidate client auth cert to be sent to Ldap in the LdapSSLSocket
factory object. Previously we simply manually set the desired client
auth cert nickname, which is provided by the console interface when
configuring the "removePin" portion of the UidPinDir Authentication
method. Doing it this way has the benefit of giving us some logging
to show when the actual client auth cert is being requested by the
server. We get to see the list of candidate certs and when we match
one of those with the requested cert name, established by the
console.
This client auth problem applies ONLY to the connection pool that is
used to remove the pin attribute from an external authentication
directory.
2. Previously the code, when setting up client auth for "removePin",
would make one single call to create the SSL socket to connect to
ldap over client auth. Now, based on some code I saw in the JSS test
suite, the socket is constructed in two steps. Doing this causes
things to work. Further investigation down the line could figure out
what is going on at the lower level.
3. Was able to test this to work with the reported problem directory
server provided by QE. Note: for pin removal to work, we must also
make sure that the user we are authenticating to (through client
auth) has the power to actually remove the pin attribute from various
users.
| |
The pki-server subsystem-cert-update CLI has been updated to
use certutil to retrieve the certificate data from the proper
token. It will also show a warning if the certificate request
cannot be found.
The NSSDatabase constructor has been modified to normalize the
name of internal NSS token to None. If the token name is None,
the certutil will be executed without the -h option.
The NSSDatabase.get_cert() has been modified to prepend the token
name to the certificate nickname.
https://fedorahosted.org/pki/ticket/2440
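An added example (not the project's NSSDatabase code, although it follows this commit message, the CryptoUtil.getTokenName() change for ticket 2500 above, and the two-step certutil import for ticket 2543) showing how the internal-token normalization, the token-prefixed nickname and the "no -h for the internal token" rule fit together when building certutil command lines. It only assembles argv lists, so it runs without an NSS database; the token name "NHSM6000", the database path and the password-file paths in the test are constructed, and the set of spellings treated as the internal token is an assumption drawn from the messages above.

```python
# Spellings that refer to NSS's internal (software) token. Both the short
# and the full name mean the same token; an HSM slot has its own name.
# Which spellings count is an assumption taken from the commit messages.
INTERNAL_TOKEN_NAMES = {"internal", "Internal Key Storage Token"}


def normalize_token(token):
    """Return None for the internal token, otherwise the token name.

    certutil addresses the internal token by omitting -h altogether, so
    folding every spelling of it to None lets callers build one command
    shape for both cases.
    """
    if token is None:
        return None
    token = token.strip()
    if token == "" or token in INTERNAL_TOKEN_NAMES:
        return None
    return token


def full_nickname(token, nickname):
    """Prefix the nickname with the token name for a non-internal token,
    which is how NSS names a certificate that lives on that token."""
    token = normalize_token(token)
    return nickname if token is None else f"{token}:{nickname}"


def certutil_cmd(db_dir, token, password_file, *args):
    """Assemble a certutil argv; -h is added only for a non-internal token."""
    cmd = ["certutil", "-d", db_dir, "-f", password_file]
    token = normalize_token(token)
    if token is not None:
        cmd += ["-h", token]
    return cmd + list(args)


def get_cert_cmd(db_dir, token, password_file, nickname):
    """certutil -L for one certificate on the given token, in PEM (-a)."""
    return certutil_cmd(db_dir, token, password_file,
                        "-L", "-n", full_nickname(token, nickname), "-a")


def two_step_import(db_dir, hsm_token, hsm_password_file,
                    internal_password_file, nickname, cert_file, trust):
    """The two-step import from ticket 2543: first into the HSM with the
    HSM password and no trust attributes (",,"), then into the internal
    token with the internal password and the real trust attributes."""
    step1 = certutil_cmd(db_dir, hsm_token, hsm_password_file,
                         "-A", "-n", nickname, "-i", cert_file, "-t", ",,")
    step2 = certutil_cmd(db_dir, None, internal_password_file,
                         "-A", "-n", nickname, "-i", cert_file, "-t", trust)
    return [step1, step2]
```

Passing the password via `-f` keeps it out of the process list; if this is wired to `subprocess.run`, pass the argv list as-is rather than joining it into a shell string, so a nickname containing spaces or shell metacharacters is still a single argument.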
| |
The CA signing CSR is already stored in request record which will
be imported as part of migration process, so it's not necessary to
export and reimport the CSR file again for migration.
To allow optional CSR, the pki-server subsystem-cert-validate
CLI has been modified to no longer check the CSR in CS.cfg. The
ConfigurationUtils.loadCertRequest() has been modified to ignore
the missing CSR in CS.cfg.
https://fedorahosted.org/pki/ticket/2440
| |
To help troubleshooting some debug messages have been added into
ConfigurationUtils.handleCerts().
https://fedorahosted.org/pki/ticket/2436
| |
The SelfTestService.findSelfTests() has been modified to return
all selftests defined in the CS.cfg.
https://fedorahosted.org/pki/ticket/2432