| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
| |
The token status UNINITIALIZED has been renamed to READY for
clarity.
To simplify the transition, the CLIs and the REST API will continue
to accept UNINITIALIZED but it will be converted internally into
READY and a deprecation warning will be generated.
https://fedorahosted.org/pki/ticket/2288
|
|
|
|
|
|
|
|
|
|
|
| |
The token status TEMP_LOST has been renamed to SUSPENDED such that
it can be used more general contexts.
To simplify the transition, the CLIs and the REST API will continue
to accept TEMP_LOST but it will be converted internally into
SUSPENDED and a deprecation warning will be generated.
https://fedorahosted.org/pki/ticket/2286
|
| |
|
|
|
|
|
|
|
|
|
| |
The unused user status and type fields and the TPS Officers group
have been removed from the TPS UI.
https://fedorahosted.org/pki/ticket/2264
https://fedorahosted.org/pki/ticket/2265
https://fedorahosted.org/pki/ticket/2266
|
|
|
|
|
|
|
|
| |
The TPS UI home page and the status menu item been temporarily
removed. The home links will now redirect to the tokens page.
https://fedorahosted.org/pki/ticket/2261
https://fedorahosted.org/pki/ticket/2262
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds audit logging to TPS REST wrote-specific operations.
The read-specific operations are already captured by AuditEvent=AUTHZ_*
The affected (new or modified) log messages include:
LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_GENERAL_5
LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_PROFILE_6
LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_MAPPING_RESOLVER_6
LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_AUTHENTICATOR_6
LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_CONNECTOR_6
LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_RECORD_6
LOGGING_SIGNED_AUDIT_TOKEN_STATE_CHANGE_8
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The TPS subsystem has been modified to generate the token state
transitions from TEMP_LOST to UNINITIALIZED or ACTIVE dynamically
depending on whether the token has certificates.
The TEMP_LOST to ACTIVE transition has been removed from the CS.cfg.
Duplicate code that loads the allowed transitions list has been
merged and moved into TPSSubsystem.
https://fedorahosted.org/pki/ticket/1808
|
|
|
|
|
|
|
|
|
|
|
| |
The TPS UI Tokens page and the pki tps-token-find CLI have been
modified to provide an interface to filter tokens based on their
attributes.
The TokenService.findTokens() has been modified to accept
additional search criteria based on token attributes.
https://fedorahosted.org/pki/ticket/1482
|
|
|
|
|
|
|
|
|
| |
The TPS UI has been modified such that it will use an HTML-based
dialog instead of the browser's built-in dialog such that the
option to "prevent this page from creating additional dialogs"
will no longer appear.
https://fedorahosted.org/pki/ticket/1685
|
|
|
|
| |
Fixes: https://fedorahosted.org/pki/ticket/1674
|
|
|
|
|
|
| |
This patch implements the TPS operation auditing: TOKEN_APPLET_UPGRADE_SUCCESS,TOKEN_APPLET_UPGRADE_FAILURE,TOKEN_CERT_ENROLLMENT,TOKEN_CERT_RENEWAL,TOKEN_CERT_RETRIEVAL,TOKEN_KEY_RECOVERY,TOKEN_CERT_STATUS_CHANGE_REQUEST,TOKEN_OP_REQUEST,TOKEN_FORMAT_SUCCESS,TOKEN_FORMAT_FAILURE,TOKEN_KEY_CHANGEOVER,TOKEN_KEY_CHANGEOVER_FAILURE,TOKEN_PIN_RESET_SUCCESS,TOKEN_PIN_RESET_FAILURE,TOKEN_STATE_CHANGE,TOKEN_AUTH_SUCCESS,TOKEN_AUTH_FAILURE
Administrative auditing (via REST interface) will be covered in a separate ticket
|
|
|
|
|
|
|
| |
The TPS UI and CLI have been modified to accept only user ID and
policy attributes when modifying a token.
https://fedorahosted.org/pki/ticket/1687
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The labels for token states and the transitions are now stored
in token-states.properties. The default file will be stored
in the /usr/share/pki/tps/conf, but it can be overriden by
copying and customizing the file into <instance>/tps/conf.
When the UI retrieves the token data the labels for the current
state and the valid transitions will be loaded from the file
and returned to the UI. The UI will show the transition labels
in the dropdown list for changing token status.
https://fedorahosted.org/pki/ticket/1289
https://fedorahosted.org/pki/ticket/1291
|
|
|
|
|
|
|
|
| |
The TPS UI and CLI have been modified to accept only token ID,
and optionally user ID and policy attributes when adding a token.
https://fedorahosted.org/pki/ticket/1477
https://fedorahosted.org/pki/ticket/1687
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The TPS service has been modified to provide a list of allowed
state transitions based on the current token state. The TPS UI
was modified to display only the allowed state transitions when
changing the token status.
The allowed state transition list has been modified to remove
invalid token transitions including:
* UNINITIALIZED -> FOUND
* UNINITIALIZED -> TEMP_LOST_PERM_LOST
The token FOUND state has been renamed to ACTIVE for clarity.
The token TEMP_LOST_PERM_LOST state has been merged into
PERM_LOST since they are identical in the database.
https://fedorahosted.org/pki/ticket/1289
https://fedorahosted.org/pki/ticket/1291
https://fedorahosted.org/pki/ticket/1684
|
|
|
|
|
|
|
|
| |
The TPS UI has been modified such that if the browser does not
support logout operation it will show a message asking the user
to clear the Active Logins or close the browser.
https://fedorahosted.org/pki/ticket/1344
|
| |
|
|
|
|
|
|
|
| |
The TPS UI has been modified to provide an interface to run the
selftests and display the results.
https://fedorahosted.org/pki/ticket/1502
|
|
|
|
|
|
|
|
|
|
|
| |
The TPS UI has been modified to provide a table as an interface
to manage the user profiles. When adding a profile, the profile
can be selected from a list of available profiles.
The UserService and UGSubsystem have been modified to allow adding
a user with no assigned profiles.
https://fedorahosted.org/pki/ticket/1478
|
|
|
|
|
|
|
|
|
|
| |
The TPS UI has been modified to display the accessible services
based on the user's roles. A TPS admin has access to all services.
A TPS agent has access to tokens, certificates, activities, and
profiles. A TPS operator has access to tokens, certificates, and
activities only.
https://fedorahosted.org/pki/ticket/1476
|
|
|
|
|
|
|
|
|
|
|
|
| |
The TPS UI navigation elements have been updated to add the
missing names and to use better names. The checkbox IDs in various
pages have also been renamed for consistency.
The pki-ui.js has been modified to use the checkbox ID of the
template row instead of table name to construct the checkbox ID
of the actual rows.
https://fedorahosted.org/pki/ticket/1622
|
|
|
|
|
|
|
|
|
| |
cards for ExternalReg - make default keySetMappingResolver work for smart cards out of box
The earlier patch works fine for the feature requested. However, the default
keySetMappingResolver filter contains keySet extension which would fail smart
cards. Although this could be easily worked around, this patch provides the
default that would make it easier to play with.
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When setting up a clone, indexes are added before the
replication agreements are set up and the consumer is initialized.
Thus, as data is replicated and added to the clone db, the
data is indexed.
When cloning is done with the replication agreements already set
up and the data replicated, the existing data is not indexed and
cannot be accessed in searches. The data needs to be reindexed.
Related to ticket 1414
|
|
|
|
|
|
|
|
|
| |
It is true that his setting is not present.
The generic code that revokes certs for a format checks this value.
No harm in putting this value in the CS.cfg and setting it to false by
default for the externalRegAddToToken profile. No harm in giving the user
the way to use this feature , even if we decide it is not a good idea to revoke
certs associated with the external reg feature.
|
|
|
|
|
|
| |
Ticket # 1466 .
Also remove some needless copies of server.xml from the code.
|
|
|
|
|
|
|
| |
Ticket #1423 Pin reset operation using tpsclient fails.
Recently we had added a new way to resolve the profile. That new method was
not used in the PinReset Processor. This fix addresses that and allows the Pin Reset operation to complete.
|
|
|
|
|
|
|
|
|
| |
Ticket # 793: Add support for Secure Channel Protocol 02
Properly select the coolkey applet in the "getAppletVersion" routine.
For some reason the gp211 applet revealed this issue.
Tested to work with both gp211 scp02 card and gp201 scp01 card.
|
|
|
|
| |
op.format.soCleanSOToken.validateCardKeyInfoAgainstTokenDB=true
|
| |
|
|
|
|
| |
the token db cert entry
|
|
|
|
| |
different cards for ExternalReg This patch adds support to keyset mapping
|
|
|
|
| |
cards for ExternalReg This patch is mainly refactoring the names of the Mapping Resolver framework in preparation for ticket 1307 to support keySet mapping in addition to the original purpose of resolving tokenType mapping. The reason to separate out refactoring from the real code is for ease of reviewing. TPS is currently a Tech Preview feature, so upgrade is not of consideration at the moment.
|
| |
|
|
|
|
|
|
|
| |
The templates have been modified to remove hard-coded background
color settings and use the styles defined in a new CSS file.
https://fedorahosted.org/pki/ticket/1296
|
|
|
|
| |
https://fedorahosted.org/pki/ticket/1296
|
|
|
|
| |
Specifically changes to CS.cfg, server.xml and tomcat.conf
|
|
|
|
|
|
|
|
|
|
|
|
| |
The Dogtag code has been modified to support both Tomcat 7 and 8.
All files depending on a specific Tomcat version are now stored
in separate folders. The build scripts have been modified to use
the proper folder for the target platform. The tomcatjss
dependency has been updated as well.
The upgrade script will be added in a separate patch.
https://fedorahosted.org/pki/ticket/1264
|
|
|
|
|
|
|
|
|
| |
The TPS UI has been modified to provide an interface to edit
raw properties as in the configuration file. This also allows
editing multiple properties at once and also copy & pasting
the properties.
https://fedorahosted.org/pki/ticket/936
|
|
|
|
|
|
|
|
|
|
| |
The TPS UI has been modified to display the appropriate actions
menu based on the roles of the user. TPS agent can only enable
and disable profiles, and also approve or reject pending requests.
TPS admin can only edit disabled profiles, then submit it for
approval, or cancel the request.
https://fedorahosted.org/pki/ticket/1292
|
|
|
|
|
|
|
|
| |
The REST services have been modified to support submit and cancel
actions. The ACL has been fixed to allow admins and agents to
change the status.
https://fedorahosted.org/pki/ticket/1292
|
|
|
|
|
|
|
|
|
|
|
| |
The TPS UI has been modified to customize the navigation menu
based on the roles of the user currently logged in. TPS agents
do not have access to users, groups, config, authenticators,
connectors, profile mappings, audit, and self tests, so the
corresponding menu items will be hidden. TPS admins have
access to all menu items.
https://fedorahosted.org/pki/ticket/1292
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch is the 2nd phase of the externalReg feature, it makes the
following improvements:
* added feature: recovery by keyid (v.s. by cert)
* fixed some auditing message errors
* added some missing ldapStringAttributes needed for delegation to work
properly
* added missing externalReg required config parameters
* made corrections to some externalReg related parameters to allow
delegation to work properly
* added handle of some error cases
* made sure externalReg enrollment does not go half-way (once fails,
bails out)
tested:
* enrollment of the three default TPS profiles (tokenTypes)
* format of the tokens enrolled with the three default tps profiles
* delegation enrollments
* cuid match check
next phase:
* cert/key retention (allow preserving existing certs/keys on the token)
note:
* some of the activity log and cert status related issues that are not
specifically relating to externalReg will be addressed in other more
relevant tickets.
|
|
|
|
|
|
|
| |
The "Subsystem Connections" link in the home.html has been fixed
to point to #connectors.
https://fedorahosted.org/pki/ticket/1274
|
|
|
|
|
|
|
| |
The TPS REST service, CLI, and UI have been modified to provide
an interface to search for certificates belonging to a token.
https://fedorahosted.org/pki/ticket/1164
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Implementation of the nistSP800 dervication feature.
Works for both supported scp01 cards and scp02 cards.
During the various session key and key upgrade functions, the nist dervication code is being called.
Review comments addressed
Cleanup of some input validation on the TKS.
Added some sanity checking on the TPS side for key versions and token cuid's and kdd's.
Final review comments.
Fixed issue with extracting the kdd from the AppletInfo class.
Fixed issue with sending the KDD to the encryptData TKS servlet.
Added requested entries to the CS.cfg .
|
|
|
|
| |
- PKI TRAC Ticket #1144 - pkispawn needs option to specify ca cert for ldap
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
First cut of gp211 and scp protocol 02 for tokens.
Allow token operations using a GP211 token over secure channel protocol 02.
This patch supports the following:
1. Token operations with a GP211 card and SCP02 protocol, implementation 15.
2. Token still supports GP201 cards with SCP01.
3. SCP02 tested with SC650 gp211/scp02 card.
Things still to do:
1. Right now the SCP02 support has been tested with the current gp201 applet and
enrollment and formatting works just fine. We need to modify and compile the applet
against the GP211 spec and retest to see if any further changes are needed.
2. The nistSP800 key derivation stuff is not completed for the SCP02 protocol. Some
of the routines are self contained vs similar SCP01 ones. We have another ticket to
complete the nistSP800 support from end to end. This work will be done for that ticket.
3. One of the new scp02 deriviation functions can make use of a new NSS derive mechanism.
As of now this work is done by simple encryption, this can be done later.
4. The security APDU level of "RMAC" is not supported because the card does not support it.
It could have been done to the spec, but it having the card to test is more convenient and there
were more crucial issues to this point.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fix now includes last review comments where we decided to consolidate 3 of the
ldif files: schema.ldif,database.ldif, and manager.ldif.
Each one of these 3 files contains the data needed for any subsystem for that file.
The subsystem specific files for these 3 go away in the source tree.
The first iteration of this fix was copying these 3 files into an undesirable directory.
This is no longer the case.
Extra code in the python installer allows one to establish a "file exclusion" callback to
keep a set of desired files from being copied when the installer does a directory copy.
All subsystems have been tested, including TPS with a brand new DS (which was the original reason for this fix),
and they appear to work fine.
Addressed further review comments:
1. Removed trailing whitespace instances from schema.ldif which had some.
2. Used pycharm to remove the few PEP violations I had previously added to the Python code.
3. Changed the format of the schema.ldif file to make all the entries use the same style.
Previously the TPS entries was using an all in one syntax. No more since now each entry is separate.
4. Changed the name of an argument in one of the new Python methods to get rid of a camelCase instance.
5. Tested everything to work as before, including basic TPS operations such as Format.
Fixed a method comment string and fixed some typos.
|