summaryrefslogtreecommitdiffstats
path: root/base/server
Commit message (Collapse)AuthorAgeFilesLines
...
* Add schema for LDAP-based profilesFraser Tweedale2015-04-071-0/+15
|
* Fixed missing port error during installation.Endi S. Dewata2015-04-071-0/+13
| | | | | | | | | The DBSubsystem has been modified to ignore the EPropertyNotDefined exception in pre-op mode and only display a notification instead of a stack trace since it's part of a normal operation. The missing port will be supplied in a later stage of installation. https://fedorahosted.org/pki/ticket/1293
* NISTSP8000 feature.Jack Magne2015-03-172-16/+19
| | | | | | | | | | | | | | | | | | | Implementation of the nistSP800 dervication feature. Works for both supported scp01 cards and scp02 cards. During the various session key and key upgrade functions, the nist dervication code is being called. Review comments addressed Cleanup of some input validation on the TKS. Added some sanity checking on the TPS side for key versions and token cuid's and kdd's. Final review comments. Fixed issue with extracting the kdd from the AppletInfo class. Fixed issue with sending the KDD to the encryptData TKS servlet. Added requested entries to the CS.cfg .
* Store groups on AuthToken and update group evaluatorFraser Tweedale2015-03-164-35/+139
| | | | | | | | | | | | | Update the UidPwdDirAuthentication plugin to retrieve all the user's groups from a directory and store them on the AuthToken. Also update the group evaluator to match against all the groups stored in the AuthToken. The "gid" and "groups" are merged into a single collection, if the ACL operation is "=" the collection is checked under disjunction, and if the operation is "!=", then conjunction. Fixes https://fedorahosted.org/pki/ticket/1174
* Allow use of secure LDAPS connectionMatthew Harmsen2015-03-1310-14/+173
| | | | - PKI TRAC Ticket #1144 - pkispawn needs option to specify ca cert for ldap
* PKI TRAC Ticket #1284 - pkispawn URL redirect issue (simple fix)Matthew Harmsen2015-03-062-1/+7
|
* Fixed CMake issues on F22.Endi S. Dewata2015-03-051-1/+1
| | | | | | Some CMake scripts have been updated to work on both F21 and F22. https://fedorahosted.org/pki/ticket/1281
* Ticket: TPS Rewrite: Implement Secure Channel Protocol 02 (#883).Jack Magne2015-02-272-387/+1017
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | First cut of gp211 and scp protocol 02 for tokens. Allow token operations using a GP211 token over secure channel protocol 02. This patch supports the following: 1. Token operations with a GP211 card and SCP02 protocol, implementation 15. 2. Token still supports GP201 cards with SCP01. 3. SCP02 tested with SC650 gp211/scp02 card. Things still to do: 1. Right now the SCP02 support has been tested with the current gp201 applet and enrollment and formatting works just fine. We need to modify and compile the applet against the GP211 spec and retest to see if any further changes are needed. 2. The nistSP800 key derivation stuff is not completed for the SCP02 protocol. Some of the routines are self contained vs similar SCP01 ones. We have another ticket to complete the nistSP800 support from end to end. This work will be done for that ticket. 3. One of the new scp02 deriviation functions can make use of a new NSS derive mechanism. As of now this work is done by simple encryption, this can be done later. 4. The security APDU level of "RMAC" is not supported because the card does not support it. It could have been done to the spec, but it having the card to test is more convenient and there were more crucial issues to this point.
* Bugzilla 1134405 - CRL publishing fails after Java heap out of memory errorAde Lee2015-02-261-0/+24
| | | | Added fix from hot fix.
* ticket#822 creates root CA subject DN when renewing with empty params.name ↵Christina Fu2015-02-121-1/+1
| | | | in orig profile
* Refactored LDAPDatabase.createFilter().Endi S. Dewata2015-02-111-3/+23
| | | | | | | | | | The createFilter() method in LDAPDatabase has been changed to construct an LDAP filter based on a keyword and a set of attributes with their values. This will allow searching the database based on specific attribute values. The subclasses of LDAPDatabase have been updated accordingly. https://fedorahosted.org/pki/ticket/1164
* Ticket#1028 Phase1:TPS rewrite: provide externalReg functionalityChristina Fu2015-02-103-2/+7
|
* Fixed pylint report.Endi S. Dewata2015-02-058-27/+27
| | | | | | | | | | | | | | | Previously pylint report was saved it into a file which may not be accessible on a build system. The pylint-build-scan.sh has been changed to display the report so it will appear in the build log. The pylint configuration has also been modified to disable C and R messages by default. This way when other errors or warnings occur the build will fail without having to check for specific codes. Some Python codes have been modified to reduce the number of pylint warnings. https://fedorahosted.org/pki/ticket/703
* Updated Resteasy and Jackson dependenciesEndi S. Dewata2015-02-035-72/+60
| | | | | | | | | | In Fedora 22 the Resteasy package has been split into several subpackages. The pki-core.spec has been modified to depend on more specific Resteasy packages which depend only on Jackson 1.x. The classpaths and various scripts have been modified to remove unused references to Jackson 2.x. https://fedorahosted.org/pki/ticket/1254
* Disabling subsystem on selftest failure.Endi S. Dewata2015-01-281-0/+19
| | | | | | | | | | | The SelfTestSubsystem has been modified such that if the selftest fails it will invoke the pki-server CLI to undeploy and disable the failing subsystem. The Tomcat instance and other subsystems not depending on this subsystem will continue to run. Once the problem is fixed, the admin can enable the subsystem again with the pki-server CLI. https://fedorahosted.org/pki/ticket/745
* Added server management CLI.Endi S. Dewata2015-01-286-1/+702
| | | | | | | | | | | | | A new pki-server CLI has been added to manage the instances and subsystems using the server management library. This CLI manages the system files directly, so it can only be run locally on the server by the system administrator. The autoDeploy setting in server.xml has been enabled by default. An upgrade script has been added to enable the autoDeploy setting in existing instances. https://fedorahosted.org/pki/ticket/1183
* Added server management library.Endi S. Dewata2015-01-282-28/+143
| | | | | | | | | | | | | | | The PKISubsystem and PKIInstance classes used by the upgrade framework have been converted into a server management library. They have been enhanced to provide the following functionalities: * starting and stopping instances * enabling and disabling subsystems * checking instance and subsystem statuses The validate() invocation has been moved out of the constructors into the upgrade framework such that these objects can be created to represent subsystems and instances that do not exist yet. https://fedorahosted.org/pki/ticket/1183
* Moved web application deployment locations.Endi S. Dewata2015-01-287-54/+221
| | | | | | | | | | | | | Currently web applications are deployed into Host's appBase (i.e. <instance>/webapps). To allow better control of individual subsystem deployments, the web applications have to be moved out of the appBase so that the autoDeploy can work properly later. This patch moves the common web applications to <instance>/ common/webapps and subsystem web applications to <instance>/ <subsystem>/webapps. An upgrade script has been added to update existing deployments. https://fedorahosted.org/pki/ticket/1183
* Fixed exception chains in ConfigurationUtils.Endi S. Dewata2015-01-211-16/+24
| | | | | | | The ConfigurationUtils has been modified such that if an exception is triggered by another exception the exceptions will be chained. https://fedorahosted.org/pki/ticket/915
* Added support for exception chains in EBaseException.Endi S. Dewata2015-01-213-16/+25
| | | | | | | | | | | The EBaseException has been modified to provide constructors that can be used to chain the cause of the exception. This way the root cause of the exception can be traced back to help troubleshooting. Some codes have been modified to utilize the proper exception chaining as examples. https://fedorahosted.org/pki/ticket/915
* Removed unnecessary EBaseException constructor.Endi S. Dewata2015-01-212-9/+1
| | | | | | | | | The EBaseException(String msgFormat, String param) constructor has been removed because it's only used once and can be substituted with another constructor. All subclasses of EBaseException have been updated accordingly. https://fedorahosted.org/pki/ticket/915
* Fixed bash syntax errorMatthew Harmsen2015-01-081-5/+5
| | | | | - Bugzilla Bug #1147924 - dogtag: syntax errors in /usr/share/pki/scripts/operations
* Ticket #864 866 (part 1 symkey, common) NIST SP800-108 KDFChristina Fu2014-12-194-103/+704
| | | | | - this patch does not include TPS side of changes: (#865 needs to be rewritten in Java)
* Fix-for-Bug-1170867-TPS-Installation-FailedJack Magne2014-12-166-6/+731
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | Fix now includes last review comments where we decided to consolidate 3 of the ldif files: schema.ldif,database.ldif, and manager.ldif. Each one of these 3 files contains the data needed for any subsystem for that file. The subsystem specific files for these 3 go away in the source tree. The first iteration of this fix was copying these 3 files into an undesirable directory. This is no longer the case. Extra code in the python installer allows one to establish a "file exclusion" callback to keep a set of desired files from being copied when the installer does a directory copy. All subsystems have been tested, including TPS with a brand new DS (which was the original reason for this fix), and they appear to work fine. Addressed further review comments: 1. Removed trailing whitespace instances from schema.ldif which had some. 2. Used pycharm to remove the few PEP violations I had previously added to the Python code. 3. Changed the format of the schema.ldif file to make all the entries use the same style. Previously the TPS entries was using an all in one syntax. No more since now each entry is separate. 4. Changed the name of an argument in one of the new Python methods to get rid of a camelCase instance. 5. Tested everything to work as before, including basic TPS operations such as Format. Fixed a method comment string and fixed some typos.
* Ticket 1180 RFE: show link to request record from cert displayChristina Fu2014-12-161-0/+1
|
* Ticket 1173 Directory-based renewal evaluator fails authorizationChristina Fu2014-12-161-10/+10
|
* Decode challengePassword attribute as DirectoryStringFraser Tweedale2014-12-161-1/+1
| | | | | | | | | | | The PKCS #9 challengePassword attribute has DirectoryString syntax. Dogtag currently attempts only to decode it as a PrintableString, causing failures when the attribute is encoded as a UTF8String. Add method DerValue.getDirectoryString() to decode any of the valid DirectoryString encodings and update ChallengePassword to use it. https://fedorahosted.org/pki/ticket/1221
* Added rangeUnit property to certificate profiles.Endi S. Dewata2014-12-1512-53/+210
| | | | | | | | | A new optional property has been added to certificate profiles to specify the range unit. The default range unit is 'day'. The code has been modified to use the Calendar API to calculate the end of validity range based on the range unit. https://fedorahosted.org/pki/ticket/1226
* Cleaned up clone installation code.Endi S. Dewata2014-12-121-107/+97
| | | | | The code in ConfigurationUtils has been cleaned up and reformatted to improve readability.
* Fixed problem importing renewed system certificate.Endi S. Dewata2014-12-122-51/+144
| | | | | | | | | | | | Previously during clone installation if the PKCS12 file contains both expired and renewed certificates the code might incorrectly import the expired certificate instead of the renewed one, thus failing the installation. The code has been fixed to validate the certificates in the PKCS12 file such that only the valid ones will be imported into the clone. https://fedorahosted.org/pki/ticket/1093
* Fix BasicConstraints min/max path length checkFraser Tweedale2014-12-051-1/+1
| | | | | | | | | | | | The BasicConstraintsExtConstraint min/max path length validity check ensures that the max length is greater than the min length, however, when a negative value is used to represent "no max", the check fails. Only compare the min and max length if the max length is non-negative. Ticket #1035
* Remove legacy multilib JNI_JAR_DIR logicMatthew Harmsen2014-12-042-2/+3
| | | | | | | | | | | | | | | | * Bugzilla Bug #1165351 - Errata TPS test fails due to dependent packages not found (cherry picked from commit d7a0807b7493fc3d86900ee4aaf8199efd824907) Conflicts: base/java-tools/templates/pki_java_command_wrapper.in base/java-tools/templates/pretty_print_cert_command_wrapper.in base/java-tools/templates/pretty_print_crl_command_wrapper.in base/server/python/pki/server/deployment/pkiparser.py base/server/scripts/operations (cherry picked from commit c8d73ade2c651fd5ca01226c89d5d19828bfc9b7)
* Ticket 1198 Bugzilla 1158410 add TLS range support to server.xml by default ↵Christina Fu2014-11-244-3/+153
| | | | and upgrade
* bugzilla 871171 (client-side code) Provide Tomcat support for TLS v1.1 and ↵Christina Fu2014-11-211-4/+3
| | | | TLS v1.2
* Fix ECC curve name typosFraser Tweedale2014-10-301-2/+2
| | | | | "nistp512" appears in a few places, but the curve name is "nistp521". Fix these references.
* Updated version to 10.2.1-0.1.Endi S. Dewata2014-10-271-0/+4
| | | | https://fedorahosted.org/pki/ticket/1191
* Bug1151147 issuerDN encoding correctionChristina Fu2014-10-232-4/+28
|
* Incorrect status change in key-request-review.Abhishek Koneru2014-10-011-2/+2
| | | | | | Fix for ticket #1037. Corrected the issue caused due to incorrect operations performed for reject and cancel actions in key-request-review.
* Fix sub-CA installation with own security domainAde Lee2014-10-017-105/+201
| | | | | | | | | Installation code failed to anticipate installation of a subordinate CA that would host its own security domain. This patch includes changes to python installation code, java configuration servlet and changes to man pages. Ticket 1132
* ticket #1110 pkispawn (configuration) does not provide CA extensions in ↵Christina Fu2014-09-255-1/+119
| | | | subordinate certificate signing requests (CSR)
* Added idempotent 01-MoveWebApplicationContextFile migration scriptAde Lee2014-09-193-0/+108
| | | | Added to 10.1.1 to be consistent with 10.1 branch.
* Fix Debian specific paths to jackson jarsTimo Aaltonen2014-09-091-8/+8
|
* Fix manpage errorsBenjamin Drung2014-09-092-14/+14
| | | | | This patch fixes manpage-has-errors-from-man and hyphen-used-as-minus-sign found by lintian tool on Debian.
* Check for null values in GetConfigEntriesAde Lee2014-09-041-4/+7
| | | | Ticket 1142
* Remove Apache info from pkispawn and pkidestroyMatthew Harmsen2014-09-0216-276/+22
| | | | - PKI TRAC Ticket #1077 - Consider removing [Apache] section from 'default.cfg'
* Fix kra-connector-removeAde Lee2014-09-025-23/+76
| | | | | | | | | | | | | | | | | | | | The code to remove the connector from the pki CLI was found to be broken because of invalid message type (partly due to void returns). On uninstall, we need to remove the kra-connector from all relevant CA's in the security domain. The best way to do this is to keep kra-connector info in LDAP, so that only one call is needed. Until that change has been made, we are adding a hack to remove the connector from all CA's in the secutrity domain (if it exists). Due to issues with proxy configurations, we will continue to use sslget and a url-encoded-form version of the servlet. In addition, it was found that when removing a KRA from a shared subsystem, the updateDomainXML servlet was erroneously returning failure when it was unsuccessful in removing a non-existent user from a group. Ticket 1113
* ticket 941 Renewal/Reenroll/Recovery/Renew policy 3rd cut; Renewal code; ↵Christina Fu2014-08-291-0/+3
| | | | RetrieveCert code
* Disable PKI GUI ConfigurationMatthew Harmsen2014-08-287-73/+4
| | | | - PKI TRAC Ticket #1120 - Remove Firefox PKI GUI Configuration Panel Interface
* Added missing upgrade folders.Endi S. Dewata2014-08-271-0/+4
| | | | | | The current upgrade framework requires that all supported versions to upgrade from to have corresponding upgrade folders even though they might be empty. New empty folders have been added for 10.1.1.
* Fixed problems in group operations.Endi S. Dewata2014-08-274-50/+91
| | | | | | | | | | | | | Previously modifying the description of an empty group failed because the server tried to delete a uniqueMember attribute that did not exist because the group was already empty. The servlets and group subsystem has been fixed to retrieve the existing group data first, perform the changes on it, then save it back to the database. Also adding a new group will no longer require a description because it's not required by the LDAP object class. Ticket #818
generated by cgit (git 2.34.1) at 2025-09-29 16:51:05 +0000