summaryrefslogtreecommitdiffstats
path: root/base/server
Commit message (Collapse)AuthorAgeFilesLines
...
* Add script to enable USN pluginAde Lee2016-04-153-0/+22
| | | | | | | | | | | | | | New authority monitor code requires the USN plugin to be enabled in the database to ensure that the entryUSN attribute is added to authority entries. In the case where this plugin was disabled, accessing this attribute resulted in a null pointer exception whch prevented server startup. The code has been changed so as not to throw a null pointer exception on startup if the entryusn is not present, and also to call an LDIF to enable the plugin when a subsystem is configured through pkispawn.
* Moved self-signed SSL server certificate creation.Endi S. Dewata2016-04-152-41/+55
| | | | | | | | | To avoid possible conflicts imported external certificates, the self-signed SSL server certificate creation has been moved after the external certificates have been imported into the NSS database and before the server is started. https://fedorahosted.org/pki/ticket/1736
* Updated pki pkcs12-export CLI.Endi S. Dewata2016-04-153-10/+30
| | | | | | | | | | | | For consistency the pki pkcs12-export has been modified to overwrite the PKCS #12 output file by default. A new option has been added to append the exported certificates and keys into the output file if the file already exists. The same option has been added to the The pki-server instance-cert-export and subsystem-cert-export commands. https://fedorahosted.org/pki/ticket/1736
* Simplified deployment properties for existing CA case.Endi S. Dewata2016-04-153-13/+45
| | | | | | | | | | | | | | | A new pki_existing deployment property has been added to install CA with existing CA certificate and key in a single step. New certificate deployment properties have been added as aliases for some external CA properties to allow them to be used in more general cases: - pki_ca_signing_csr_path -> pki_external_csr_path - pki_ca_signing_cert_path -> pki_external_ca_cert_path - pki_cert_chain_path -> pki_external_ca_cert_chain_path - pki_cert_chain_nickname -> pki_external_ca_cert_chain_nickname https://fedorahosted.org/pki/ticket/1736
* Added PKCS #12 deployment properties.Endi S. Dewata2016-04-152-5/+8
| | | | | | | | | | New PKCS #12 deployment properties have been added as aliases for some external CA properties to allow them to be used in more general cases: - pki_pkcs12_path -> pki_external_pkcs12_path - pki_pkcs12_password -> pki_external_pkcs12_password https://fedorahosted.org/pki/ticket/1736
* Lightweight CAs: indicate when CA does not yet have keysFraser Tweedale2016-04-141-4/+1
| | | | | | | | | | When a lightweight CA is created, clones will initialise a local object when the LDAP replication takes place, however, the signing keys will not yet have been replicated. Therefore, indicate CA readiness in authority data and respond appropriately (HTTP 503) when signing operations are attempted. Part of: https://fedorahosted.org/pki/ticket/1625
* Ticket #2271 TMS- clean up key archival request records in ldapChristina Fu2016-04-132-4/+22
| | | | | | | | | This patch does the following: * it adds in the kra request an extra field called "delayLDAPCommit" * when the request comes in to be processed, it sets this field to "false" * by default, if this field does not exist, the updateRequest() method will just write to ldap, just like before; however, if this field exists and it contains "true" then it will delay the write * once the request is processed and all unwanted fields are cleared from the request record, it will set "delayLDAPCommit" to "false", and call updateRequest(), which will then do the actual write to ldap * In addition, I also screened through both KRA and TPS code and removed debug messages that contain those fields.
* Fixed exception handling in CertUtil.Endi S. Dewata2016-04-122-14/+18
| | | | | | | The CertUtil.createLocalCert() has been modified to re-throw the exception instead of ignoring it. https://fedorahosted.org/pki/ticket/1654
* Fixed exception handling in CertificateAuthority.Endi S. Dewata2016-04-129-56/+71
| | | | | | | | The CertificateAuthority.getCACert() has been modified to re-throw the exception instead of ignoring it. All callers have been modified to bubble up the exception. https://fedorahosted.org/pki/ticket/1654
* Fixed pki pkcs12-import backward compatibility.Endi S. Dewata2016-04-082-8/+23
| | | | | | | | | | | | | For backward compatibility the pki pkcs12-import has been modified to generate default nicknames and trust flags for CA certificates if they are not specified in the PKCS #12 file. The PKCS12Util was also modified to find the certificate corresponding to a key more accurately using the local ID instead of the subject DN. The configuration servlet has been modified to provide better debugging information when updating the security domain. https://fedorahosted.org/pki/ticket/2255
* Fixed missing trust flags in certificate backup.Endi S. Dewata2016-04-041-22/+18
| | | | | | | | | | | | | | | | | | | | The ConfigurationUtils.backupKeys() has been modified to use PKCS12Util to export the certificates and their trust flags into a PKCS #12 file such that the file can be used for cloning. The code to generate PFX object has been refactored from the PKCS12Util.storeIntoFile() into a separate generatePFX() method. The PKCS12Util.loadCertFromNSS() has been modified to provide options to load a certificate from NSS database without the key or the certificate chain. The CLIs have been modified to provide the same options. The PKCS12Util.getCertInfo() has modified to ignore missing certificate attributes in the PKCS #12 file and generate a new local ID. https://fedorahosted.org/pki/ticket/2255
* comment typosChristina Fu2016-03-311-9/+9
|
* Fixed KRA install problem.Endi S. Dewata2016-03-302-28/+44
| | | | | | | | | | | | | Currently when installing an additional subsystem to an existing instance the install tool always generates a new random password in the pki_pin property which would not work with the existing NSS database. The code has been modified to load the existing NSS database password from the instance if the instance already exists. The PKIInstance class has been modified to allow loading partially created instance to help the installation. https://fedorahosted.org/pki/ticket/2247
* Install tools clean-up.Endi S. Dewata2016-03-305-16/+13
| | | | | | | | | | | | Some variables in pkispawn and pkidestroy have been renamed for clarity. The unused PKI_CERT_DB_PASSWORD_SLOT variable has been removed. The constant pki_self_signed_token property has been moved into default.cfg. https://fedorahosted.org/pki/ticket/2247
* Fixed certificate chain import problem.Endi S. Dewata2016-03-291-11/+13
| | | | | | | | | | | | In the external CA case if the externally-signed CA certificate is included in the certificate chain the CA certificate may get imported with an incorrect nickname. The code has been modified such that the certificate chain is imported after the CA certificate is imported with the proper nickname. https://fedorahosted.org/pki/ticket/2022
* Ticket #1006 Audit logging for TPS REST operationsChristina Fu2016-03-284-22/+184
| | | | | | | | | | | | | This patch adds audit logging to TPS REST wrote-specific operations. The read-specific operations are already captured by AuditEvent=AUTHZ_* The affected (new or modified) log messages include: LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_GENERAL_5 LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_PROFILE_6 LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_MAPPING_RESOLVER_6 LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_AUTHENTICATOR_6 LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_CONNECTOR_6 LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_RECORD_6 LOGGING_SIGNED_AUDIT_TOKEN_STATE_CHANGE_8
* Fixed exception handling in EnrollProfile.Endi S. Dewata2016-03-241-70/+87
| | | | | | | To help troubleshooting the EnrollProfile has been modified to log the stack trace and chain the exception. https://fedorahosted.org/pki/ticket/1654
* Allow multiple ACLs of same name (union of rules)Fraser Tweedale2016-03-221-1/+13
| | | | | | | | | | | Several lightweight CA ACLs share the 'certServer.ca.authorities' name, but when loading ACLs each load overwrites the previous. If multiple resourceACLS values have the same name, instead of replacing the existing ACL with the new one, add the rights and rules to the existing ACL. Part of: https://fedorahosted.org/pki/ticket/1625
* Remove unused 'toMIME64' methodsFraser Tweedale2016-03-221-10/+0
|
* Remove commented-out codeFraser Tweedale2016-03-222-18/+0
|
* Remove unused class 'RAEnrollProfile'Fraser Tweedale2016-03-221-128/+0
|
* Remove unused variables from profile classesFraser Tweedale2016-03-221-1/+0
| | | | | Also drive-by refactor 'createProfileData' to use 'getProfile', reducing code size.
* Removed unnecessary URL encoding for admin cert request.Endi S. Dewata2016-03-212-2/+8
| | | | | | | | | Due to changes in aaacd71a2f125501645885d3da1de18459782572, when pki_import_admin_cert is set to False the installation code performs an unnecessary URL encoding for the admin certificate request. The extra URL encoding has now been removed. https://fedorahosted.org/pki/ticket/1803
* Added support for cloning 3rd-party CA certificates.Endi S. Dewata2016-03-181-0/+19
| | | | | | | | | | | | | | | | | | | | | | | The installation code has been modified such that it imports all CA certificates from the PKCS #12 file for cloning before the server is started using certutil. The user certificates will continue to be imported using the existing JSS code after the server is started. This is necessary since JSS is unable to preserve the CA certificate nicknames. The PKCS12Util has been modified to support multiple certificates with the same nicknames. The pki pkcs12-cert-find has been modified to show certificate ID and another field indicating whether the certificate has a key. The pki pkcs12-cert-export has been modified to accept either certificate nickname or ID. The pki pkcs12-import has been modified to provide options for importing only user certificates or CA certificates. https://fedorahosted.org/pki/ticket/1742
* Additional clean-ups for PKCS #12 utilities.Endi S. Dewata2016-03-185-22/+23
| | | | | | | | | | | | | | | | The pki_server_external_cert_path has been renamed to pki_server_external_certs_path to match the file name. A default pki_server_external_certs_path has been added to default.cfg. The pki pkcs12-export has been modified to export into existing PKCS #12 file by default. The pki-server instance-cert-export has been modified to accept a list of nicknames to export. https://fedorahosted.org/pki/ticket/1742
* Renamed PKCS #12 options for consistency.Endi S. Dewata2016-03-186-41/+41
| | | | | | | The pki CLI's --pkcs12 options has been renamed to --pkcs12-file for consistency with pki-server CLI options. https://fedorahosted.org/pki/ticket/1742
* Added TPS token filter dialog.Endi S. Dewata2016-03-171-6/+22
| | | | | | | | | | | The TPS UI Tokens page and the pki tps-token-find CLI have been modified to provide an interface to filter tokens based on their attributes. The TokenService.findTokens() has been modified to accept additional search criteria based on token attributes. https://fedorahosted.org/pki/ticket/1482
* Replaced confirmation dialog with HTML dialog.Endi S. Dewata2016-03-171-6/+52
| | | | | | | | | The TPS UI has been modified such that it will use an HTML-based dialog instead of the browser's built-in dialog such that the option to "prevent this page from creating additional dialogs" will no longer appear. https://fedorahosted.org/pki/ticket/1685
* Make PKIInstance and PKISubsystem hashableChristian Heimes2016-03-041-2/+4
| | | | The upgrade uses instance and subsystem as keys for dicts.
* Package pki client library for Python 3Christian Heimes2016-03-041-2/+2
| | | | | | | | | | Dogtag's Python code has been compatible with Python 3 for a while. A new package pki-base-python3 provides the pki package for clients. As of now pki.server is not packages for Python 3. The pki-base package also provides pki-base-python2. https://fedorahosted.org/pki/ticket/1739
* Correct installation path for pki.serverChristian Heimes2016-03-031-1/+1
| | | | | 0e35b64c1f751cc8a7a8a0fac25828a8eab24714 introduced an additional and unwanted directory.
* Move OCSP digest name lookup to CertID classFraser Tweedale2016-03-032-4/+2
| | | | | | | | | The OCSP digest name lookup is currently defined in IOCSPAuthority and implemented by OCSPAuthority, but /any/ code that deals with CertID might need to know the digest, so move the lookup there. Also refactor the lookup to use a HashMap, and add mappings for SHA2 algorithms.
* Simplify Python package installationChristian Heimes2016-03-031-2/+4
| | | | | | | | | | | * The cmake files now copy just *.py into the installation directory. This ensures that no stale pyc files or __pycache__ directories are copied. rpmbuilder takes care of pyc/pyo compilation on Fedora and RHEL. * The pki-core.spec file uses python2 macros. In case of RHEL missing macros are defined on the top of the file. * A bug in the python_sitelib macros has been fixed. rpmbuilder doesn't like lines breaks.
* Avoid XML parse fail with double-hyphen in hostnameFraser Tweedale2016-03-032-20/+20
| | | | | | | | | | | | server.xml contains metadata read by pkidaemon which includes URLs, in XML comments. If the hostname contains `--', the parse fails. Instead of XML comments, put this information in XML Processing instructions[1], which allows double-hyphens to be used. [1] https://www.w3.org/TR/REC-xml/#NT-PI Fixes: https://fedorahosted.org/pki/ticket/1260
* Handle import and export of external certsAde Lee2016-03-019-14/+345
| | | | | | | | | | | | | | | | | | | | | | Ticket 1742 has a case where a third party CA certificate has been added by IPA to the dogtag certdb for the proxy cert. There is no way to ensure that this certificate is imported when the system is cloned. This patch will allow the user to import third party certificates into a dogtag instance through CLI commands (pki-server). The certs are tracked by a new instance level configuration file external_certs.conf. Then, when cloning: 1. When the pk12 file is created by the pki-server ca-clone-prepare command, the external certs are automatically included. 2. When creating the clone, the new pki_server_pk12_path and password must be provided. Also, a copy of the external_certs.conf file must be provided. 3. This copy will be read and merged with the existing external_certs.conf if one exists.
* Lightweight CAs: add audit eventsFraser Tweedale2016-03-011-0/+8
| | | | | | Add audit events for lightweight CA administration. Fixes: https://fedorahosted.org/pki/ticket/1590
* Man page updates for new cloning optionsAde Lee2016-03-012-1/+88
|
* Man updates for pre-check modeAde Lee2016-03-012-1/+48
|
* Implement total ordering for PKISubsystem and PKIInstanceChristian Heimes2016-02-261-0/+45
| | | | | | | | In Python 3 subclasses no longer implement automatic ordering. To provide ordering for sort() and custom comparison, __eq__ and __lt__ are required. https://fedorahosted.org/pki/ticket/2216
* Added mechanism to import system certs via PKCS #12 file.Endi S. Dewata2016-02-266-75/+121
| | | | | | | | | | | | | | | | | | | | | | The installation tool has been modified to provide an optional pki_server_pkcs12_path property to specify a PKCS #12 file containing certificate chain, system certificates, and third-party certificates needed by the subsystem being installed. If the pki_server_pkcs12_path is specified the installation tool will no longer download the certificate chain from the security domain directly, and it will no longer import the PKCS #12 containing the entire master NSS database specified in pki_clone_pkcs12_path. For backward compatibility, if the pki_server_pkcs12_path is not specified the installation tool will use the old mechanism to import the system certificates. The ConfigurationUtils.verifySystemCertificates() has been modified not to catch the exception to help troubleshooting. https://fedorahosted.org/pki/ticket/1742
* pki-tomcat8 needs tomcat-api.jar to compileChristian Heimes2016-02-261-1/+8
| | | | | | | | Tomcat 8.0.32 has moved org.apache.tomcat.ContextBind into tomcat-api.jar. Add tomcat-api.jar to javac classpath to compile pki with latest Tomcat. https://fedorahosted.org/pki/attachment/ticket/2222
* Add precheck option for pkispawn.Ade Lee2016-02-262-76/+103
| | | | | | | | | --precheck can be used to run specific tests prior to ensure that the installation parameters are sane, without actually doing the installation. There are also optional parameters to disable specific tests. Trac Ticket #2042
* Added pki-server commands to export system certificates.Endi S. Dewata2016-02-259-33/+1020
| | | | | | | | | | | | | | | | Some pki-server commands have been added to simplify exporting the required certificates for subsystem installations. These commands will invoke the pki pkcs12 utility to export the certificates from the instance NSS database. The pki-server ca-cert-chain-export command will export the the certificate chain needed for installing additional subsystems running on a separate instance. The pki-server <subsystem>-clone-prepare commands will export the certificates required for cloning a subsystem. https://fedorahosted.org/pki/ticket/1742
* Python 3 fix for Tomcat.get_major_version()Christian Heimes2016-02-231-0/+1
| | | | | I forgot to decode the output of subprocess.check_call(). All other places decode bytes to text properly.
* Lightweight CAs: enrol cert via profile subsystemFraser Tweedale2016-02-222-6/+24
| | | | | | | | | | | | Enrol new CA certs via the profile subsystem to ensure that the usual audit events are logged and to avoid the nasty ConfigStore hack used to generate the cert via CertUtil. This commit also fixes an issue where the new CA certificate does not have the correct Authority Key Identifier extension. Fixes: https://fedorahosted.org/pki/ticket/1624 Fixes: https://fedorahosted.org/pki/ticket/1632
* Modify dnsdomainname test in pkispawnAde Lee2016-02-173-3/+3
| | | | | | We do a check for the dnsdomainname, which fails in Openstack CI because this is not set. Instead of exiting, default to the hostname.
* Remove vestiges of NISAuth pluginFraser Tweedale2016-02-163-5/+0
| | | | Fixes: https://fedorahosted.org/pki/ticket/1674
* Ticket #1007 TPS audit eventsChristina Fu2016-02-153-14/+86
| | | | | | This patch implements the TPS operation auditing: TOKEN_APPLET_UPGRADE_SUCCESS,TOKEN_APPLET_UPGRADE_FAILURE,TOKEN_CERT_ENROLLMENT,TOKEN_CERT_RENEWAL,TOKEN_CERT_RETRIEVAL,TOKEN_KEY_RECOVERY,TOKEN_CERT_STATUS_CHANGE_REQUEST,TOKEN_OP_REQUEST,TOKEN_FORMAT_SUCCESS,TOKEN_FORMAT_FAILURE,TOKEN_KEY_CHANGEOVER,TOKEN_KEY_CHANGEOVER_FAILURE,TOKEN_PIN_RESET_SUCCESS,TOKEN_PIN_RESET_FAILURE,TOKEN_STATE_CHANGE,TOKEN_AUTH_SUCCESS,TOKEN_AUTH_FAILURE Administrative auditing (via REST interface) will be covered in a separate ticket
* Weaken PKIPrincipal to superclass in several placesFraser Tweedale2016-02-152-5/+9
| | | | | | | | | | In several places we are casting a `Principal' to `PKIPrincpal', when `GenericPrincpal' or even no cast will suffice. In upcoming external authentication support externally authenticated principals will not be instances of `PKIPrincipal', so weaken assumptions about type of the principal where possible. Part of: https://fedorahosted.org/pki/ticket/1359
* Added resource bundle for token state labels.Endi S. Dewata2016-02-052-3/+60
| | | | | | | | | | | | | | | The labels for token states and the transitions are now stored in token-states.properties. The default file will be stored in the /usr/share/pki/tps/conf, but it can be overriden by copying and customizing the file into <instance>/tps/conf. When the UI retrieves the token data the labels for the current state and the valid transitions will be loaded from the file and returned to the UI. The UI will show the transition labels in the dropdown list for changing token status. https://fedorahosted.org/pki/ticket/1289 https://fedorahosted.org/pki/ticket/1291
generated by cgit (git 2.34.1) at 2025-09-27 15:58:09 +0000