summaryrefslogtreecommitdiffstats
path: root/base/server
Commit message (Collapse)AuthorAgeFilesLines
...
* Refactor client to not use keysetsAde Lee2017-06-072-9/+49
| | | | | | | | | | | | | | | | | | It is simpler to simply tell the client which algorithm to use for key wrapping and encryption, rather than use key sets. Therefore: * KRAInfo and CAInfo are refactored to provide the algorithms required for key wrapping and encryption. * Client is modified to use these parameters to determine which algorithms to use. * We specify the OIDs that will be used in the PKIARchiveOptions more correctly. The options are basically: AES-128-CBC, DES3-CBC, AES KeyWrap/Pad Change-Id: Ic3fca902bbc45f7f72bcd4676c994f8a89c3a409
* Ticket #2617 part2: add revocation check to signing certChristina Fu2017-06-052-1/+20
|
* Improve exception message for null AuthorityKeyIdentifierFraser Tweedale2017-06-052-1/+5
| | | | | | | | | | | When the Authority Key Identifier extension cannot be instantiated, we currently fail with a generic "extension not found" error message. Throw a better exception for this case in particular, and improve the exception message for the general case of attempting to add a null exception. Fixes: https://pagure.io/dogtagpki/issue/2705 Change-Id: Ic79742d8a228391275ffe5bfeef0a324f6b431bd
* Fixed default CA cert trust flags in pki CLI.Endi S. Dewata2017-06-031-0/+1
| | | | | | | | | The pki CLI has been modified to use CT,C,C as the default trust flags for CA certificate import operations. https://pagure.io/dogtagpki/issue/2726 Change-Id: I68c5a0303459319cc746a77703d0a420f4f68377
* Added upgrade script for keepAliveTimeout.Endi S. Dewata2017-06-024-0/+71
| | | | | | | | | An upgrade script has been added to set the keepAliveTimeout attribute for the Secure connector in the server.xml. https://pagure.io/dogtagpki/issue/2687 Change-Id: Ia61ed49d0ffc26d4bb44738c71fc663bde37fb1d
* Fixed pylint issuesMatthew Harmsen2017-06-029-45/+42
| | | | - https://pagure.io/dogtagpki/issue/2713 - Build failure due to Pylint issues
* Removed superfluous deployment configuration backup.Endi S. Dewata2017-06-021-6/+1
| | | | | | | | | | | | The pkispawn has been modified to generate a temporary backup file (instead of permanent and timestamped backup files) of the deployment configuration file before normalizing its content. The temporary backup will be removed automatically when the normalization is complete. https://pagure.io/dogtagpki/issue/2674 Change-Id: Ia541e23314acc120954fa574d1f6f885961c8047
* Convert CMC code to use AESAde Lee2017-05-312-61/+90
| | | | | | | | | | | | | | | * Switched out CrytoUtil calls that use DES and replaced them with AES equivalents. Removed these now unneeded methods. * Added 16 byte constant IV for AES operations. This must be replaced by a randomly generated IV. Added TODOs where IVs should be replaced. * Corrected misspellings of "enreypted" in both request fields and variable names * Removed some code from null checks where the result could never be null. These cases were flagged in eclipse as dead code. Change-Id: Iec0c0e86fd772af8b3c9588f11a0ea1e517776fb
* Fixed two-step subordinate CA installation.Endi S. Dewata2017-05-311-3/+9
| | | | | | | | | | The initialization scriptlet has been fixed to verify the subsystem existence properly when running the second step of the two-step subordinate CA installation. https://pagure.io/dogtagpki/issue/2707 Change-Id: I0cc8ca21fda8637b4b34f4c5a1c108d213f638f8
* Added pkispawn options for two-step installation.Endi S. Dewata2017-05-311-6/+34
| | | | | | | | | | | New --skip-configuration and --skip-installation options have been added to pkispawn to provide a mechanism to set the pki_skip_configuration and pki_skip_installation parameters without changing the deployment configuration file. https://pagure.io/dogtagpki/issue/2707 Change-Id: I069b51b5be65dee2fe0f4ca75e3693bcd21007de
* Added SCHEDULE_CRL_GENERATION audit event.Endi S. Dewata2017-05-262-3/+19
| | | | | | | | | A new SCHEDULE_CRL_GENERATION audit event has been added which will be generated when CRL generation is scheduled manually. https://pagure.io/dogtagpki/issue/2651 Change-Id: I1e2fc307491e796e50b09550d66e5eba370d090a
* Added FULL_CRL_PUBLISHING audit event.Endi S. Dewata2017-05-261-0/+6
| | | | | | | | | A new FULL_CRL_PUBLISHING audit event has been added which will be generated when full CRL publishing is complete. https://pagure.io/dogtagpki/issue/2651 Change-Id: I4461b03f4afd300b65e9d12c7d0bfa935b4e7082
* Added FULL_CRL_GENERATION audit event.Endi S. Dewata2017-05-261-0/+6
| | | | | | | | | A new FULL_CRL_GENERATION audit event has been added which will be generated when full CRL generation is complete. https://pagure.io/dogtagpki/issue/2651 Change-Id: I74b083721e477ad72fe5a787935af617e89a6968
* Added DELTA_CRL_PUBLISHING audit event.Endi S. Dewata2017-05-261-0/+6
| | | | | | | | | A new DELTA_CRL_PUBLISHING audit event has been added which will be generated when delta CRL publishing is complete. https://pagure.io/dogtagpki/issue/2651 Change-Id: I38f84fc2d00ea57ef13f0ee50998da9239437372
* Added DELTA_CRL_GENERATION audit event.Endi S. Dewata2017-05-261-0/+6
| | | | | | | | | A new DELTA_CRL_GENERATION audit event has been added which will be generated when delta CRL generation is complete. https://pagure.io/dogtagpki/issue/2651 Change-Id: Ic4759ac2d90b6915443587708292d0f51e11345f
* Fix NPE in lightweight CA creationFraser Tweedale2017-05-261-1/+3
| | | | Fixes: https://pagure.io/dogtagpki/issue/2711
* Encapsulate server side keygen audit eventsAde Lee2017-05-251-10/+4
| | | | | | | | | This encapsulates key gen events for the token servlets. Consolidated the success and failure cases. Note that this event can likely later be replaced with security_data_keygen events. Leaving separate for now. Change-Id: I6caaeb2231fd2f7410eade03cb5fa93d66444bbf
* Encapsulate key status change audit logsAde Lee2017-05-251-1/+1
| | | | Change-Id: I57b30cdff571056d0a95436858308872a8dc007b
* Replaced random number generator in RequestQueue.Endi S. Dewata2017-05-251-3/+6
| | | | | | | | | The RequestQueue has been modified to use the random number generator provided by JssSubsystem. https://pagure.io/dogtagpki/issue/2695 Change-Id: Id93f769d1fca154ee385a3dcebee55b13a65d38e
* Encapsulate symmetric and asymmetric keygen audit eventsAde Lee2017-05-241-4/+4
| | | | Change-Id: Ifc8d05bd1d2d34bb0ef25877f838731bed58d00e
* Updated OCSP log messages.Endi S. Dewata2017-05-242-9/+25
| | | | | | | | | Some log messages in OCSP-related code have been updated for clarity. https://pagure.io/dogtagpki/issue/2652 Change-Id: Ie81b95906a0d9aef6126fb205a4bcec028731e39
* Cleaned up DefStore.processRequest() (part 3).Endi S. Dewata2017-05-241-9/+11
| | | | | | | | | Some nested if-statements in DefStore.processRequest() has been merged for clarity. https://pagure.io/dogtagpki/issue/2652 Change-Id: Iedbda7d884cd4735a9c591a57d05b1086b4cb36d
* Cleaned up DefStore.processRequest() (part 2).Endi S. Dewata2017-05-241-14/+17
| | | | | | | | | | An if-statement in DefStore.processRequest() has been modified to return early for clarity. The code indentation has been adjusted accordingly. https://pagure.io/dogtagpki/issue/2652 Change-Id: Ife5a1e3c2d4a09a687acc2714948b670fd31bfe3
* Cleaned up DefStore.processRequest() (part 1).Endi S. Dewata2017-05-241-59/+62
| | | | | | | | | | An if-statement in DefStore.processRequest() has been modified to return early for clarity. The code indentation has been adjusted accordingly. https://pagure.io/dogtagpki/issue/2652 Change-Id: Ib506bdac88e017197b2a192e952b54be1456eac0
* Make sure archivalID is passed through archivalAde Lee2017-05-242-12/+27
| | | | | | | | | | | | | | | | There was some confusion in the previous commit for archival logging. The archivalID is the id provided by the CA for the archival and is its requestID. This allows the cert request operation to be tracked through the archival. Made sure therefore, that we have two fields - one for the archivalID and one for the requestId (which is the KRA archival request ID) In addition, some of the archival events occur in the CA component just before the request id sent to the KRA. These events will not be displayed unless the audit event is added to the CA CS.cfg. Change-Id: I3904d42ae677d5916385e0120f0e25311b4d9d08
* Moved TokenServlet into pki-tks package.Endi S. Dewata2017-05-232-3236/+14
| | | | | | | | | | | | The TokenServlet has been moved into pki-tks package in order to use the JssSubsystem in pki-cmscore package. Some constants in SecureChannelProtocol have been made public so they can be accessed by the TokenServlet. https://pagure.io/dogtagpki/issue/2695 Change-Id: I5542e5dcf09c3d081a131af042d833203bcc086c
* Encapsulate recovery request approval audit logsAde Lee2017-05-232-55/+12
| | | | | | | | The audit logs where an agent grants an asynchronous recovery request and the case where recovery request is appproved from the REST API are consolidated and encapsulated in a class. Change-Id: I237c1dcfc413012d421f3ccc64e21c7caf5a7701
* Fix auditing in retrieveKeyAde Lee2017-05-231-1/+11
| | | | | | | | | | | | The auditing in retrieveKey is all messed up. * Added new audit event to track accesses to KeyInfo queries. They may produce a lot of events, especially if events are generated for every listing of data. By default, this event may be turned off. * Added audit events for generation and processing of key recovery requests. Change-Id: Icb695e712bdfadf0a80903aa52bd00b9d4883182
* Enabling all subsystems on startup.Endi S. Dewata2017-05-232-19/+53
| | | | | | | | | | | The operations script has been modified to enable all subsystems on startup by default. If the selftest fails, the subsystem will be shutdown again automatically as before. A pki.conf option has been added to configure this behavior. https://pagure.io/dogtagpki/issue/2699 Change-Id: Iaf367ba2d88d73f377662eee5eafbb99e088ae50
* Encapsulate key retrieval audit eventsAde Lee2017-05-233-49/+28
| | | | | | | | | | | Key retrieval is when the key/secret is extracted and returned to the client (once the recovery request is approved). We combine SECURITY_DATA_RETRIEVE_KEY and a couple of older EXPORT events. Note: an analysis of the key retrieval rest flow (and the auditing there will be done in a subsequent patch). Change-Id: Ibd897772fef154869a721fda55ff7498210ca03c
* Eliminate async recovery audit eventsAde Lee2017-05-231-17/+0
| | | | | | | | | There are now many ways to recover keys. From an auditing point of view, its not helpful to distinguish between sync or async requests. So we just use SECURITY_DATA ... Change-Id: Id64abd56248c07f3f7f7b038ba5ac458af854089
* Encapsulate recovery processed audit eventsAde Lee2017-05-231-10/+2
| | | | | | | | This creates audit events for KEY_RECOVERY_PROCESSED and SECURITY_DATA_RECOVERY_PROCESSED audit logs. We simplify by reducing the logs to the SECURITY_DATA ones. Change-Id: I75968799dec48d1f056ba15f8125d3bd031f31bb
* Encapsulate key recovery audit eventsAde Lee2017-05-231-1/+1
| | | | | | | | Encapsulate SECURITY_DATA_KEY_RECOVERY_REQUEST and KEY_RECOVERY_REQUEST audit events as audit event objects. We have collapse to a single audit event type. Change-Id: I68c27573725cf27c34d008c58847d6a22e0d0bac
* Encapsulate archival processed audit logsAde Lee2017-05-231-9/+1
| | | | | | | | Encapsulate audit logs for SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED and PRIVATE_KEY_ARCHIVAL_REQUEST_PROCESSED. We have merged the two audit events. Change-Id: I2abc7edff076495bb62733b92304fecd4f15b2b7
* Encapsulate the archival audit logAde Lee2017-05-233-43/+21
| | | | | | | | | | | | | This patch encapsulates the SECURITY_DATA_ARCHIVAL_REQUEST and PRIVATE_DATA_ARCHIVAL_REQUEST audit logs as audit events. The PRIVATE_DATA_ARCHIVAL_REQUEST events are mapped to the SECURITY_DATA ones to simplify the whole structure. They used to provide an archivalID parameter which was pretty much meaningless as it was at best just the same as the request id which is alreadty logged. So this is now dropped. Change-Id: I705d25ce716c73f2c954c5715b0aafdad80b99d2
* Always check FIPS mode at installation timeMatthew Harmsen2017-05-231-0/+2
| | | | - Bugzilla Bug #1454603 - Unable to install IPA server due to pkispawn error
* Added configurable random number generator in JssSubsystem.Endi S. Dewata2017-05-232-16/+43
| | | | | | | | | | | | | The JssSubsystem has been modified to provide a configurable random number generator which uses PK11SecureRandom from JSS by default. The CertificateRepository has been modified to use the new random number generator to generate random serial number. https://pagure.io/dogtagpki/issue/2695 Change-Id: I3289adbd0543000e64404fe23d00c44f32795f75
* Ticket#2618 feature: pre-signed CMC renewal requestChristina Fu2017-05-222-37/+112
| | | | | | | This patch provides the feature implementation to allow CA to process pre-signed CMC renewal requests. In the world of CMC, renewal request are full CMC requests that are signed by previously issued signing certificate. The implementation approach is to use the caFullCMCUserSignedCert with the enhanced profile constraint: UniqueKeyConstraint. UniqueKeyConstraint has been updated to disallow renewal of same key shared by a revoked certificate. It also saves the origNotAfter of the newest certificate sharing the same key in the request to be used by the RenewGracePeriodConstraint. To not interfere with the existing "renewal by serial" flow, if an existing origNotAfter is found, it is not overwritten. The profile caFullCMCUserSignedCert.cfg has been updated to have both UniqueKeyConstraint and RenewGracePeriodConstraint. They must be placed in the correct order. By default in the UniqueKeyConstraint the constraint parameter allowSameKeyRenewal=true.
* Added debug logs for JssSubsystem.Endi S. Dewata2017-05-201-11/+20
| | | | | | | | | Some debug logs have been added into JssSubsystem to improve code clarity. https://pagure.io/dogtagpki/issue/2695 Change-Id: Ice54cf5cfe1eb4984509b83a1098cd69819e37bc
* Added debug logs for UpdateCRL servlet.Endi S. Dewata2017-05-191-3/+43
| | | | | | | | | Some debug logs have been added into UpdateCRL servlet to improve code clarity. https://pagure.io/dogtagpki/issue/2651 Change-Id: I4dc92d574b8ce93f2964663d36ca28851e400839
* Correct section headings in user deployment configuration fileMatthew Harmsen2017-05-171-0/+39
| | | | | | Bugzilla Bug #1447144 - CA brought down during separate KRA instance creation dogtagpki Pagure Issue #2674 - CA brought down during separate KRA instance creation
* Added CertStatusChangeRequestProcessedEvent.Endi S. Dewata2017-05-174-67/+46
| | | | | | | | | A new CertStatusChangeRequestProcessedEvent class has been added to encapsulate the CERT_STATUS_CHANGE_REQUEST_PROCESSED events. https://pagure.io/dogtagpki/issue/2636 Change-Id: I41cf0ce94b176a2036b9f1f433212bf3c414fb0b
* Fixed CERT_REQUEST_PROCESSED events in ConnectorServlet.Endi S. Dewata2017-05-171-14/+5
| | | | | | | | | | | | | | | | | The code that generates CERT_REQUEST_PROCESSED events in ConnectorServlet.processRequest() has been moved into a finally- clause that wraps around IRequestQueue.processRequest() to ensure that the events are generated properly. If a cert was issued for the request that has just been processed the event outcome is a Success, otherwise it's a Failure. Any exception thrown by the IRequestQueue.processRequest() will be passed to the ConnectorServlet.processRequest()'s callers. https://pagure.io/dogtagpki/issue/2690 Change-Id: I07454afb75328fbee3e50e5852adb5085be0613e
* Tocket2673- CMC: allow enrollment key signed (self-signed) CMC with identity ↵Christina Fu2017-05-179-305/+658
| | | | | | proof This patch implements the self-signed CMC requests, where the request is signed by the public key of the underlying request (PKCS#10 or CRMF). The scenario for when this method is used is when there was no existing signing cert for the user has been issued before, and once it is issued, it can be used to sign subsequent cert requests by the same user. The new enrollment profile introduced is : caFullCMCSelfSignedCert.cfg The new option introduced to both CRMFPopClient and PKCS10Client is "-y" which will add the required SubjectKeyIdentifier to the underlying request. When a CMC request is self-signed, no auditSubjectID is available until Identification Proof (v2) is verified, however, the cert subject DN is recorded in log as soon as it was available for additional information. Auditing is adjusted. More will come in the next couple CMC patches.
* Reformatted UpdateCRL.process().Endi S. Dewata2017-05-171-174/+174
| | | | | | | | | The UpdateCRL.process() has been reformatted to adjust the indentations after refactoring. https://pagure.io/dogtagpki/issue/2651 Change-Id: Ic67376678d442b9e2a79f9375aef61eab99d1b5c
* Refactored UpdateCRL.process() (part 3).Endi S. Dewata2017-05-171-2/+4
| | | | | | | | | The UpdateCRL.process() has been refactored to reduce deeply nested if-statements with early return. https://pagure.io/dogtagpki/issue/2651 Change-Id: Ie3aa5f9154eec78e994cf89cc33616d2c5cbaf47
* Refactored UpdateCRL.process() (part 2).Endi S. Dewata2017-05-171-16/+16
| | | | | | | | | The UpdateCRL.process() has been refactored to reduce deeply nested if-statements with early return. https://pagure.io/dogtagpki/issue/2651 Change-Id: I5591bf08e617614ca7def5ce5fff61e0925e4fc5
* Refactored UpdateCRL.process() (part 1).Endi S. Dewata2017-05-171-3/+5
| | | | | | | | | The UpdateCRL.process() has been refactored to reduce deeply nested if-statements with early return. https://pagure.io/dogtagpki/issue/2651 Change-Id: I507bf72e28c3ba0ab98f24466bac2a40f1e6b198
* Fixed audit event outcome for agent-canceled cert request.Endi S. Dewata2017-05-171-1/+1
| | | | | | | | | The outcome of CERT_REQUEST_PROCESSED event has been changed to Failure when the certificate request is canceled by an agent. https://pagure.io/dogtagpki/issue/2694 Change-Id: Iad25a135851188cc97106d81800e3b8443a2970a
* Fixed audit event outcome for agent-rejected cert request.Endi S. Dewata2017-05-171-1/+1
| | | | | | | | | The outcome of CERT_REQUEST_PROCESSED event has been changed to Failure when the certificate request is rejected by an agent. https://pagure.io/dogtagpki/issue/2693 Change-Id: I530de4fe08ba97a8676d56a6aaf6c11ab7c36e40
generated by cgit (git 2.34.1) at 2025-09-26 06:41:53 +0000