| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Right now, if publishing is enabled, both CRLs and Cert publishing
is enabled. This causes a bunch of spurious error messages on
IPA servers as cert publishing is not configured.
As it is impossible to determine if cert publishing is not desired
or simply misconfigured, we provide options to explicitly disable
either cert or crl publishing.
Specifically:
* to enable/disable both cert and crl publishing:
ca.publish.enable = True/False
This is the legacy behavior.
* to enable CRL publishing only:
ca.publish.enable = True
ca.publish.cert.enable = False
* to enable cert publishing only:
ca.publish.enable = True
ca.publish.crl.enable = False
Ticket 2275
|
| |
|
|
|
|
|
|
|
| |
The PKISubsystem.load() and PKIInstance.load() have been modified
to ignore blank and comment lines in CS.cfg and password.conf. If
the code fails to parse a line it will throw an exception showing
the location of the invalid line.
https://fedorahosted.org/pki/ticket/2314
|
| |
|
|
|
|
|
|
|
| |
The TPS UI has been modified to provide an interface to manage the
user certificates.
The UserService has been modified to provide better error messages.
https://fedorahosted.org/pki/ticket/1434
|
| |
|
|
|
|
|
|
|
|
| |
The TPS UI has been modified to provide an interface to manage
the user roles.
The ErrorDialog was modified to handle both text and JSON error
responses.
https://fedorahosted.org/pki/ticket/2267
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Ticket #801 : Merge pki-symkey into jss
What is supported:
1. Everything that is needed to support Secure Channel Protocol 01.
2. Supports the nist sp800 kdf and the original kdf.
3. Supports key unwrapping used by TPS which was formerly in the symkey JNI.
Requires:
1. A new JSS that supports more advanced symkey operations such as key derivation, more advanced key
unwrapping , and a way to list and identify a given symmetric key by name. Version of new Jss will be forthcoming.
Still to do:
1. Port over the 2 or 3 SCP02 routines from Symkey to use this code.
2. The original symkey will remain in place until we can port over everything.
3. SCP03 support can be added later.
|
| | |
|
| |
|
|
|
|
|
|
|
| |
The pki-server ca-db-upgrade command has been renamed to db-upgrade
to be more general. In the future the command can be refactored to
handle additional upgrade scripts. Additional log messages have
been added to show the upgrade activities in verbose mode.
https://fedorahosted.org/pki/ticket/1667
|
| |
|
|
|
|
|
|
|
| |
Add the 'ca-db-upgrade' command to 'pki-server'. This command
updates certificate records to add the issuerName attribute where
missing. If other database updates are needed in future, they can
be added to this command.
Part of: https://fedorahosted.org/pki/ticket/1667
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The system certificate validation command has been modified to
check for both 'internal' and 'Internal Key Storage Token' since
both are valid names for the internal token.
Additional checks have been added to validate the certificate
parameters in CS.cfg.
The output of the command has been modified to be more consistent
with other pki-server commands.
The pki client-cert-validate invocation has been fixed to use -C
option to specify the NSS database password in a file.
https://fedorahosted.org/pki/ticket/2043
|
| |
|
|
|
|
|
| |
To help troubleshooting the code has been modified to log more
detailed information in pre-op mode.
https://fedorahosted.org/pki/ticket/1654
|
| |
|
|
|
|
|
|
|
| |
An unparseable subject DN is ignored, causing NPE in subsequent
processing becaues the subject DN was not set. Throw
ERejectException if the subject DN is invalid, to ensure that a
useful response can be returned to the requestor.
Fixes: https://fedorahosted.org/pki/ticket/2317
|
| |
|
|
|
|
|
| |
Ticket #1921
Trivial fix to add or up this connectionTimeout value to 80000 or 80 secs.
Fix already tested informally in the field by QE.
|
| |
|
|
|
|
|
|
| |
The deployment tool has been modified to generate CSR with basic
constraints and key usage extensions for the externally-signed CA
signing certificate.
https://fedorahosted.org/pki/ticket/2312
|
| |
|
|
|
|
|
| |
The ConfigurationUtils.handleCertRequest() has been modified
to throw an exception on error during CSR generation instead
of silently ignoring it. The method has also been renamed to
generateCertRequest() for clarity.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Previously, in external CA case if pkispawn was executed with
pki_skip_configuration=True, it would stop the execution before
the step 1 was fully completed (i.e. generating CSR), but it would
incorrectly show a message indicating the CSR has been generated.
The code that displays the installation summary has been fixed to
check for pki_skip_configuration first before checking for external
CA case to ensure that it displays the appropriate message for each
step.
The code that generates the Tomcat instance systemd service link
was moved into instance_layout.py to avoid redundant executions.
The pkispawn and pkidestroy have also be modified to remove
redundant log of deployment parameters in master dictionary.
|
| |
|
|
|
|
| |
If the existing CA keys are in an HSM, the code fails to
load the keys becauseit does not take into account the full nickname.
This small fix addresses this bug.
|
| |
|
|
|
|
|
|
| |
Now that Dogtag can host multiple CAs in a single instance, add a
certificate search parameter for limiting searches to a particular
issuer.
Fixes: https://fedorahosted.org/pki/ticket/2321
|
| |
|
|
| |
Part of Ticket 2041
|
| |
|
|
| |
Ticket 2041
|
| |
|
|
|
|
|
| |
With this fix, error messages are returned to the user when
a request is rejected - either in the UI or from the pki CLI.
Trac Ticket 1247 (amongst others)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Requests to the KRA through the CA-KRA connector use the Enrollment
Service. This has been modified to read and store any realm passed in.
The realm can be added to the request by havibg the admin add
a AuthzRealmDefault and AuthzRealmConstraint in a profile.
At this point, all the constraint does is verify that the realm is
one of a specified list of realms. More verification will be added
in a subsequent patch.
No attempt is made yet to allow users to specify the realm. This
would need to be added as a ProfileInput.
Part of Ticket 2041
|
| |
|
|
|
|
|
|
|
|
|
| |
New deployment parameters have been added to customize the serial
number range, request number range, and replica number range in
CS.cfg during installation.
The code that generates the CS.cfg has been moved closer to the
code that generates the subsystem configuration folder.
https://fedorahosted.org/pki/ticket/2278
|
| |
|
|
|
|
|
|
|
| |
Previously a deployment parameter has to be added to pkislots.cfg
before it can be used in copy_with_slot_substitution(). The method
has been modified to support substitutions using the deployment
parameters directly, which simplifies the development.
https://fedorahosted.org/pki/ticket/2278
|
| |
|
|
| |
Part of: https://fedorahosted.org/pki/ticket/1625
|
| |
|
|
|
|
|
|
| |
Lightweight CAs were supported in REST-based request submission, but
not via ProfileSubmitServlet, however, FreeIPA currently uses
ProfileSubmitServlet, so make it possible to use lightweight CAs.
Part of: https://fedorahosted.org/pki/ticket/1625
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Add 'IPACustodiaKeyRetriever', a 'KeyRetriever' implementation for
use when Dogtag is deployed as a FreeIPA CA. The Java class invokes
'pki-ipa-retrieve-key', a Python script that retrieves lightweight
CA keys from the Custodia server on a replica that possesses the
keys. 'pki-ipa-retrieve-key' depends on FreeIPA libraries, FreeIPA
server configuration, and Kerberos and Custodia keys owned by
'pkiuser'.
Part of: https://fedorahosted.org/pki/ticket/1625
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Add the 'authorityKeyHost' attribute which will contain names of
hosts that possess the authority's signing keys.
Add the 'authoritySerial' attribute which may contain the serial
number of the certificate most recently issued for the authority.
Change other attributes to be single-valued.
Part of: https://fedorahosted.org/pki/ticket/1625
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
'getX509CertFromToken' erroneously compares Issuer DN of given cert
with Subject DNs of cert in NSSDB. It falsely returns the parent of
the target cert, if the certs have the same serial number.
In the context of how this method is used, it causes the deletion of
an external CA certificate from the NSSDB if the serial numbers
match, and subsequent certificate verification failure when
connecting to LDAP.
Update the method to check the Issuer DN.
Fixes: https://fedorahosted.org/pki/ticket/2301
|
| |
|
|
|
|
|
|
| |
When either an existing CA or external CA installation is
performed, use the pki-server cert validation tool to check
the signing certiticate and chain.
Ticket #2043
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We add two different calls:
1. pki client-cert-validate - which checks a certificate in the client
certdb and calls the System cert verification call performed by JSS
in the system self test. This does some basic extensions and trust
tests, and also validates cert validity and cert trust chain.
2. pki-server subsystem-cert-validate <subsystem>
This calls pki client-cert-validate using the nssdb for the subsystem
on all of the system certificates by default (or just one if the
nickname is defined).
This is a great thing to call when healthchecking an instance,
and also will be used by pkispawn to verify the signing cert in the
externally signed CA case.
Trac Ticket 2043
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Previously the finalization scriptlet was always executed in each
pkispawn execution. In multi-step installations (e.g. external CA,
standalone, or installation/configuration-only mode) some of the
code in the scriptlet such as enabling systemd service, restarting
the service, and purging client database will be redundant.
Now the scriptlet has been modified to execute only in the final
step of the installation. The code that archives the deployment
and manifest files has been moved into pkispawn to ensure that it
is always executed in each pkispawn execution.
For clarity the method that displays the installation summary has
been broken up into separate methods for standalone step 1,
installation-only mode, and configuration-only/full installation.
|
| |
|
|
|
|
|
|
| |
The print_existing_ca_step_one_information() has been removed from
pkispawn since existing CA installation no longer requires two-step
operation.
https://fedorahosted.org/pki/ticket/1736
|
| |
|
|
|
|
|
|
| |
When installing a standalone KRA the admin certificate is base-64
encoded and stored in the kra.admin.cert property in the CS.cfg.
Previously the encoded certificate contains EOL characters which
may cause uninstall to fail due to parsing error. The install code
has been fixed to normalize the encoded certificate properly.
|
| |
|
|
| |
- PKI TRAC Ticket #856 - Incorrect clone installation summary
|
| |
|
|
|
|
| |
The StringUtils.equals() invocation in AuthzSubsystem has been
replaced with regular String.equals() since it's unavailable in
apache-commons-codec 1.8.
|
| |
|
|
|
|
|
|
| |
The unused rv instance variables in all deployment scriptlets have
been removed. The spawn() and destroy() are now returning None
instead of error code. If an error happens during execution the
scriptlet will throw an exception which will be caught by pkispawn
or pkidestroy and then displayed to the user.
|
| |
|
|
| |
- PKI TRAC Ticket #2248 - support only tomcat instances
|
| |
|
|
|
|
| |
- PKI TRAC Ticket #2249 - fix bashisms
- changes 'source' to '.'
- changes 'bash' to 'sh'
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Some incorrect code was added to request processing
in the realm patches. In the request LDAP modification code,
if the realm was not present, we added a modification to remove the
realm attribute.
Unfortunately, if the realm was not present to begin with, this resulted
in LDAP returning a "No Such Attribute (16)" error, causing all kinds
of requests - including certificate requests to fail to be submitted.
At this point, we do not permit users to change the realm of a request.
Therefore, there is no reason to remove the realm. If we ever need
to do this in future, we'll have to be smarter about it.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In practice, most folks will use something like DirAclAuthz
to manage their realm. Rather than requiring a new authz plugin
for each realm, we allow the authz plugin to support multiple
realms (as a comma separated list).
For the Acl plugins in particular, we expand the authorize call
to allow the caller to pass in the realm as well as the resource
and operation. The resource queried would then be constructed on
the fly as realm.resource
Examples will be provided in the wiki page.
Trac Ticket 2041
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Review comments addressed:
1. when archiving or generating keys, realm is checked
2. when no plugin is found for a realm, access is denied.
3. rename mFoo to foo for new variables.
4. add chaining of exceptions
5. remove attributes from KeyArchivalRequest etc. when realm is null
6. Add more detail to denial in BasicGroupAuthz
Part of Trac Ticket 2041
|
| |
|
|
|
|
|
| |
We add authz realm checks as appropriate for each
operation.
Part of Trac Ticket #2041
|
| |
|
|
|
|
|
|
|
|
|
| |
The async recovery request mechanism was implemented differently
from other requests. This makes it difficult to add tings like
authorization consisitently.
We move the required methods to the KeyRequestDAO to be more
consistent.
Part of Ticket #2041
|
| |
|
|
|
|
|
|
|
|
|
| |
1. Added query parameters for the realm. If a realm is
specified, then only the key requests and keys associated
with the realm are returned. If no realm is specified,
then only those requests and keys without a realm are returned.
2. Added parameters to keyClient and the CLI
Part of Trac Ticket #2041
|
| |
|
|
|
|
|
|
| |
This will allow users to specify the realm when generating
or archiving a request. No interface change is needed (yet)
because the extra parameter is passed through the request.
Part of Ticket #2041
|
| |
|
|
|
|
|
|
|
|
|
|
| |
* Added method to check realm. This method will look for
an authz instance for a specified realm and invoke it to
determine access.
* Added a basic group based authz plugin mostly for testing.
This plugin simply checks if the requestor is in the correct
group. In practice, customers will probably want something more
complex maybe subclassing BasicAclAuthz.
Part of Trac Ticket #2041
|
| |
|
|
| |
Part of Trac Ticket# 2041
|
| |
|
|
| |
Part of Trac Ticket #2041
|
| |
|
|
|
| |
Added realm attribute and index. Added to request and keyRecord.
Part of Trac Ticket 2041
|
| |
|
|
|
|
|
|
| |
The CLIs for exporting PKCS #12 file have been modified to accept
options to export without trust flags, keys, and/or certificate
chain.
https://fedorahosted.org/pki/ticket/1736
|
