| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
|
|
| |
The DBSSession has been modified to attach the LDAPException
to the EDBException. The TokenService will catch the EDBException
and obtain the orignal LDAPException. This way the TokenService
can obtain the LDAP error code and throw the proper exception
the client.
https://fedorahosted.org/pki/ticket/1646
|
| |
|
|
|
|
|
|
|
| |
Due to a recent change the KRA installation failed because the
installer was trying to read the pki_external_csr_path parameter
which is not available for KRA installation. The installer has
been fixed to read the parameter in external CA case only.
https://fedorahosted.org/pki/ticket/456
|
| |
|
|
| |
https://fedorahosted.org/pki/ticket/1738
|
| |
|
|
|
|
|
| |
The pki.nss module has been renamed into pki.nssdb to prevent
conflicts with the nss module.
https://fedorahosted.org/pki/ticket/456
|
| |
|
|
|
|
|
| |
The pkispawn has been modified to display the proper summary for
external CA and existing CA cases.
https://fedorahosted.org/pki/ticket/456
|
| |
|
|
|
|
|
|
|
| |
Two Tomcat version-specific implementations of
SSLAuthenticatorWithFallback exist, with much duplicate code.
Extract an abstract base class 'AbstractPKIAuthenticator' and
implement just the unique bits in the concrete classes.
Part of: https://fedorahosted.org/pki/ticket/1359
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Properly formed GET-based OCSP requests can contain URL-encoded
slashes in the HTTP path[1] but our Tomcat configuration does not
permit this (returns 400 Bad Request). Change catalina.properties
to allow URL-encoded slashes in HTTP paths.
[1] https://tools.ietf.org/html/rfc6960#appendix-A.1
Also add an upgrade script to update catalina.properties in existing
instances.
Fixes: https://fedorahosted.org/pki/ticket/1658
|
| |
|
|
|
|
|
|
|
| |
It is possible for the CMS getStatus resource to indicate that CMS
is ready when the initial loading of profiles (which is performed by
another thread) is not complete. During startup, wait for the
initial loading of profiles to complete before continuing.
Fixes: https://fedorahosted.org/pki/ticket/1702
|
| |
|
|
|
|
|
|
| |
The file-based LDAP profile subsystem does not update profiles
correctly. Ensure that each commit of the underlying config store
refreshes the profile inputs, outputs and policy objects.
Part of: https://fedorahosted.org/pki/ticket/1700
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Deleting and then immediately recreating a profile can result in the
new profile temporarily going missing, if the DELETE
EntryChangeControl is processed after profile readdition.
Handle this case by tracking the nsUniqueId of entries that are
deleted by an LDAPProfileSubsystem and NOT (re-)forgetting the
profile when the subsequent EntryChangeControl gets processed.
Fixes: https://fedorahosted.org/pki/ticket/1700
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The PKIConnection class uses python-requests for HTTPS. The library
picks up several settings from environment variables, e.g. HTTP proxy
server, certificate bundle with trust anchors and authentication. A
proxy can interfere with the Dogtag installer and cause some operations
to fail.
With session.trust_env = False python-requests no longer inspects the
environment and Dogtag has full controll over its connection settings.
For backward compatibility reasons trust_env is only disabled during
installation and removal of Dogtag.
https://requests.readthedocs.org/en/latest/api/?highlight=trust_env#requests.Session.trust_env
https://fedorahosted.org/pki/ticket/1733
https://fedorahosted.org/freeipa/ticket/5555
|
| |
|
|
|
|
|
|
|
| |
A lot of Python files start with a #!/usr/bin/python shebang although
the files are neither executables nor designed as scripts. Shebangs are
only required for executable scripts.
Without unnecessary shebangs it's a bit easier to track Python 3
porting.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Avoid race conditions in the LDAPProfileSubsystem by tracking the
most recently known entryUSN of profiles' LDAP entries.
As part of this change, add the commitProfile method to the
IProfileSubsystem interface, remove commit behaviour from the
enableProfile and disableProfile methods and update ProfileService
and ProfileApproveServlet to commit the profile (using the
commitProfile method) where needed.
Part of: https://fedorahosted.org/pki/ticket/1700
|
| | |
|
| |
|
|
|
|
|
| |
The TPS UI has been modified to provide an interface to run the
selftests and display the results.
https://fedorahosted.org/pki/ticket/1502
|
| |
|
|
|
|
|
|
|
| |
The pki selftest-run command has been modified to execute the
specified selftests, or all selftests if nothing is specified.
The command will also display the status of each test and the
stack trace if it fails.
https://fedorahosted.org/pki/ticket/1502
|
| |
|
|
|
|
|
|
|
|
|
| |
The TPS UI has been modified to provide a table as an interface
to manage the user profiles. When adding a profile, the profile
can be selected from a list of available profiles.
The UserService and UGSubsystem have been modified to allow adding
a user with no assigned profiles.
https://fedorahosted.org/pki/ticket/1478
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Ticket #1514 TPS: Recovered certs on a token has status expired
Ticket #1587 External Registration Recovery only works for 1024 sized keys out of the box
This patch provides the cert/key retention feature for externalReg.
If the certsToAdd field contains (serial,ca#) instead of the full
(serial, ca#, keyId, kra#), then it is expecting the cert/keys to be
retained from token without having to do a full retrieval (recovery);
If an exisiting cert (and its keys) on the token is not explicitly
retained then it is deleted.
This patch also fixes the issues reported in #1514 and #1587 as testing
of #1375 is easier with those two issues addressed.
An issue was found during development where Coolkey puts limits on the
cert/key ids on the token and make it impossible to inject cert ID higher
than 4, as it would then result in key ids into two digits.
Another issue that adds to running into the limit is that the function
that gets the next free certid number does not make any attempt to search
for "holes" to reuse.
The cert/key id assignment/limit issue will be filed as a separte ticket
and addressed separately. More complicated testing will be conducted then.
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
Some password and pin fields are missing from the no_interpolation list.
One entry is misspelled. A '%' in password field such as
pki_clone_pkcs12_password causes an installation error.
https://fedorahosted.org/pki/ticket/1703
Signed-off-by: Christian Heimes <cheimes@redhat.com>
|
| |
|
|
|
|
|
|
| |
The CAValidityDefault has been modified to use Calendar API to
calculate the certificate validity range to be consistent with
the ValidityConstraint and ValidityDefault.
https://fedorahosted.org/pki/ticket/1682
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The installation code for external CA case has been fixed such
that IPA can detect step 1 completion properly.
The code that handles certificate data conversion has been fixed
to reformat base-64 data for PEM output properly.
The installation summary for step 1 has been updated to provide
more accurate information.
https://fedorahosted.org/pki/ticket/456
|
| | |
|
| |
|
|
|
|
|
|
| |
The selftest has been modified to throw an exception and provide
more specific error message if a test fails in order to help
troubleshoot the problem.
https://fedorahosted.org/pki/ticket/1328
|
| |
|
|
|
|
|
| |
The pki-cert and pki-server-subsystem man pages have been updated
to include recent changes.
https://fedorahosted.org/pki/ticket/456
|
| |
|
|
|
|
|
|
|
|
|
| |
The deployment procedure for external CA has been modified
such that it generates the CA CSR before starting the server.
This allows the same procedure to be used to import CA
certificate from an existing server. It also removes the
requirement to keep the server running while waiting to get
the CSR signed by an external CA.
https://fedorahosted.org/pki/ticket/456
|
| |
|
|
|
|
|
|
| |
A new command has been added to export a system certificate, the
CSR, and the key. This command can be used to migrate a system
certificate into another instance.
https://fedorahosted.org/pki/ticket/456
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The pki-core.spec has been modified to execute pki-server migrate
when the package is installed. This way when upgrading from F22 to
F23 all PKI instances will be migrated automatically to Tomcat 8.
The pki-server migrate command has been modified such that if there
is no specific Tomcat version specified it will use the current
Tomcat version.
The top attribute in the CLI class was not functioning properly,
so it has been replaced with get_top_module() method.
The getopt() invocations in pki-server subcommands have been
replaced with gnu_getopt() to allow intermixing options and
arguments.
https://fedorahosted.org/pki/ticket/1310
|
| |
|
|
|
|
|
| |
The LDAPSecurityDomainSessionTable has been modified to throw
an exception if there is a failure.
https://fedorahosted.org/pki/ticket/1633
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The ConfigurationUtils and CertUtil have been modified to use
PKIConnection which uses Apache HttpClient instead of the legacy
custom HttpClient. The POST request content is now created using
MultivaluedMap.
The PKIConnection has been modified to provide a get() method to
send an HTTP GET request. The post() method was modified to accept
a path parameter.
https://fedorahosted.org/pki/ticket/342
|
| |
|
|
|
|
|
|
|
|
| |
The unused configuration wizard servlet has been removed to
simplify refactoring other codes.
The remaining references in CertUtil and ConfigurationUtils
have been removed as well.
https://fedorahosted.org/pki/ticket/1120
|
| |
|
|
|
|
|
|
| |
Lightweight CAs mean that we may wish to filter certificates based
on the issuer. Update X509CertImplMapper to store the issuer DN in
each certificate record, using exiting schema.
Also add indices for the 'issuerName' LDAP attribute.
|
| |
|
|
| |
client and server This patch provides subsystem->subsystem cipher configuration when acting as a client
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The TPS UI navigation elements have been updated to add the
missing names and to use better names. The checkbox IDs in various
pages have also been renamed for consistency.
The pki-ui.js has been modified to use the checkbox ID of the
template row instead of table name to construct the checkbox ID
of the actual rows.
https://fedorahosted.org/pki/ticket/1622
|
| |
|
|
|
|
|
|
|
|
| |
The SecurityDomainProcessor.getEnterpriseGroupName() has been
added to simplify ConfigurationUtils.getGroupName().
The SecurityDomainProcessor.getInstallToken() has been modified
to validate the user role and to generate safer session ID.
https://fedorahosted.org/pki/ticket/1633
|
| | |
|
| |
|
|
|
|
|
|
|
| |
The PasswdUserDBAuthentication.authenticate() has been modified
such that it uses the UGSubsystem to find the user in the proper
LDAP subtree to avoid matching other LDAP entries that contain
a uid attribute.
https://fedorahosted.org/pki/ticket/1580
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is an interim solution for supporting HSM failover by automatically
shutting down the server when signing key becomes inaccessible.
At auto-shutdown, a crumb fiile will be left in the instance directory
for an external daemon to detect and restart, if necessary.
Due to limitation of the watch dog (nuxwdog) at present time,
the restart option currently only works if started with watch dog (nuxwdog),
and it will prompt for passwords on the terminals.
The restart counter is to prevent the server from going into an infinite restart
loop. Administrator will have to reset autoShutdown.restart.count to 0 when max
is reached.
(cherry picked from commit 5a9ecad9172f76ca1b94b40aedcdd49d009aceb1)
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The CertProcessor.setCredentialsIntoContext() and CAProcessor.
authenticate() methods have been modified such that they can
accept credentials provided via the AuthCredentials (for REST
services) or via the HttpServletRequest (for legacy servlets).
The CertEnrollmentRequest has been modified to inherit from
ResourceMessage such that REST clients can provide the credentials
via request attributes.
https://fedorahosted.org/pki/ticket/1463
|
| |
|
|
|
|
|
|
|
| |
The EnrollmentProcessor.processEnrollment() and RenewalProcessor.
processRenewal() methods that take CMSRequest object have been
moved into ProfileSubmitServlet because they are only used by
the legacy servlet.
https://fedorahosted.org/pki/ticket/1463
|
| |
|
|
|
|
| |
Includes python code (and unit tests!) to list, get
and create subCAs. Also fixed a couple of PEP 8 violations that
crept in.
|
| |
|
|
|
|
|
|
|
| |
This will help us track whether or not a server has a feature
either offered or enabled. Ultimately, it could be used by
an admin to enable or disable features.
The Java client is not included in this commit. Will add in
a subsequent commit.
|
| |
|
|
|
|
|
|
| |
Add the optional "ca" query parameter for REST cert request
submission. Also update the ca-cert-request-submit CLI command with
an option to provide an AuthorityID.
Part of: https://fedorahosted.org/pki/ticket/1213
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
This commit adds initial support for "lightweight CAs" - CAs that
inhabit an existing CA instance and share the request queue and
certificate database of the "top-level CA".
We initially support only sub-CAs under the top-level CA - either
direct sub-CAs or nested. The general design will support hosting
unrelated CAs but creation or import of unrelated CAs is not yet
implemented.
Part of: https://fedorahosted.org/pki/ticket/1213
|
| |
|
|
|
|
|
|
|
|
| |
The pki-server subsystem-cert-update has been modified to support
secure database connection with client certificate authentication.
The pki client-cert-show has been modified to provide an option
to export client certificate's private key.
https://fedorahosted.org/pki/ticket/1551
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Due to a certificate mapping issue the subsystem certificate can
be mapped into either the subsystem user or pkidbuser, which may
cause problems since the users don't belong to the same groups.
As a temporary solution the pkidbuser is now added into the same
groups. This way the client subsystem can always access the
services regardless of which user the certificate is actually
mapped to.
https://fedorahosted.org/pki/ticket/1595
|
| |
|
|
|
|
|
|
|
| |
A set of new pki-server commands have been added to simplify
updating the cert data and cert request stored in the CS.cfg with
the cert data and cert request stored in the NSS and LDAP database,
respectively.
https://fedorahosted.org/pki/ticket/1551
|
| |
|
|
| |
join security domain Investigation shows that this issue occurs when the non-CA subsystem's SSL server and client keys are also on the HSM. While browsers (on soft token) have no issue connecting to any of the subsystems on HSM, subsystem to subsystem communication has issues when the TLS_ECDHE_RSA_* ciphers are turned on. We have decided to turn off the TLS_ECDHE_RSA_* ciphers by default (can be manually turned on if desired) based on the fact that: 1. The tested HSM seems to have issue with them (will still continue to investigate) 2. While the Perfect Forward Secrecy provides added security by the TLS_ECDHE_RSA_* ciphers, each SSL session takes 3 times longer to estabish. 3. The TLS_RSA_* ciphers are adequate at this time for the CS system operations
|
| |
|
|
|
|
|
|
| |
Some versions of pylint complain about six's moves magic:
No name 'urllib' in module '_MovedItems' (no-name-in-module)
Disable error E0611.
|
| |
|
|
|
|
|
| |
The default value for argparser's verbosity was None, but None can't be
compared to 2 in Python 3.
TypeError: unorderable types: NoneType() >= int()
|
