| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
| |
Duplicate log() methods for audit events have been merged into the
Logger class.
https://pagure.io/dogtagpki/issue/2689
Change-Id: I7a5147ff3221a52a82e69f56faf2156c04256db2
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Signed audit logger creation has been simplified into:
Logger signedAuditLogger = SignedAuditLogger.getLogger();
The null checks on signed audit logger have been removed since
it cannot be null. Audit messages can be logged as follows:
signedAuditLogger.log(message);
https://pagure.io/dogtagpki/issue/2689
Change-Id: I3bf781b0194a6cbb166f71751c098d1c2a3a657a
|
|
|
|
| |
This particular fix resolves a simple issue when formatting a token in FIPS mode for SCP03.
|
|
|
|
|
|
| |
Ticket 1663 Add SCP03 support: https://pagure.io/dogtagpki/issue/1663
We discovered a minor issue when trying to log values that don't exist when performing the non server side keygen case. For instance , we don't need to generate a kek session key in this case, and we were trying to print info about it to the logs. This fix allows this case to work without issue.
|
|
|
|
|
|
|
| |
New audit(AuditEvent) methods have been added alongside the
existing audit(String) methods.
Change-Id: Ia02a7daa8b9e8693208fe34309d8d727cc32ce54
|
|
|
|
| |
Change-Id: Id7845ebf2a14cebe25189a8363cee759030a16cb
|
|
|
|
|
|
|
| |
All subclasses of PKIService have been modified to remove the
Context attribute since they have been declared in the base class.
Change-Id: Icdbe97efa2b910a579264099f817930c2cc2ed1a
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Developer keyset token operations and key change over supported.
Caveats.
-The diversification step going from master key to card key uses DES3 as required for the token.
-After that point, everything is scp03 to the spec with minor excpetions so far.
Supports 128 bit AES for now. Will resolve this.
Minor config tweaks:
TPS
Symmetric Key Changeover
Use this applet for scp03:
RSA/KeyRecovery/GP211/SCP02/SCP03 applet : 1.5.558cdcff.ijc
TKS:
Symmetric Key Changeover
tks.mk_mappings.#02#03=internal:new_master
tks.defKeySet.mk_mappings.#02#03=internal:new_master
Use the uncommented one because scp03 returns a different key set data string.
ToDo:
-Support the rest of the AES sizes other than 128.
-Support optional RMAC apdu.
-Test and adjust the config capability for other tokens.
-Support AES master key. Right now the standard key ends up creating AES card and session keys.
|
|
|
|
|
|
|
|
|
| |
The subsystem-based methods and fields in PKIService class have
been moved into a new SubsystemService class to allow creating
more generic non-subsystem-based services.
The classes that use these methods and fields have been updated
accordingly.
|
|
|
|
|
|
|
|
| |
The codes that detect internal token name have been modified to
use CryptoUtil.isInternalToken() such that the comparison can be
done consistently both in normal mode and FIPS mode.
https://fedorahosted.org/pki/ticket/2556
|
|
|
|
|
|
|
| |
The internal token short name literals have been replaced with
CryptoUtil.INTERNAL_TOKEN_NAME.
https://fedorahosted.org/pki/ticket/2556
|
|
|
|
|
|
|
| |
The internal token full name literals have been replaced with
CryptoUtil.INTERNAL_TOKEN_FULL_NAME.
https://fedorahosted.org/pki/ticket/2556
|
|
|
|
|
|
|
| |
The ConfigurationRequest.TOKEN_DEFAULT has been replaced with
CryptoUtil.INTERNAL_TOKEN_FULL_NAME since they are identical.
https://fedorahosted.org/pki/ticket/2556
|
|
|
|
|
| |
This is the dogtag upstream side of the TPS portion of this ticket.
This fix also involves an applet fix, handled in another bug.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
TPS throws "err=6" when attempting to format and enroll G&D Cards.
https://bugzilla.redhat.com/show_bug.cgi?id=1320283
This fix addresses this bug , but also:
Fixes this issue:
Applet upgrade during rekey operation results in formatted token.
Also, it takes care of a related issue where the new apdu needed for the
lifecycle state causes the testing tool "tpslcient" to seg fault.
The fix here is a minimal fix to have tpsclient return an error when it gets
this apdu it can't handle, instead of crashing.
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The TPS UI has been modified to adjust the system menu based
on the list of accessible components obtained during login.
The TPSApplication has been modified to use TPSAccountService
which returns the list of accessible components based on the
following properties in the CS.cfg:
* admin: target.configure.list
* agent: target.agent_approve.list
https://fedorahosted.org/pki/ticket/2523
|
|
|
|
|
|
| |
shows different certificate status
This patch fixes the reported issue so now the auto-recovered certificate will reflect the actual status of the certificate. Also, since the externalReg tracks its own recovered certificate status, it is consolidated with the certificate status tracking mechanism added in this patch so that they can be uniformly managed.
|
|
|
|
| |
This reverts commit f979c3b436e9a12e8c71ba0abab5c892d375f945.
|
| |
|
|
|
|
|
|
| |
Simple fix to actually honor the PIN_RESET=<YES>or<NO> policy for a given token.
Ticket #2510.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The TPS UI has been modified to adjust the system menu based
on the list of accessible components obtained during login.
The TPSApplication has been modified to use TPSAccountService
which returns the list of accessible components based on the
following properties in the CS.cfg:
* admin: target.configure.list
* agent: target.agent_approve.list
The AccountInfo has been changed to extend the ResourceMessage
such that it can be used to pass the list of accessible
components as an attribute.
https://fedorahosted.org/pki/ticket/2523
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
the ldap user mismatches
Fixes this bug #1381375.
The portion this patch fixes involves URL encoding glitch we encountered when recovering keys using
the "by cert" method.
Also this bug addresses:
Bug 1379379 - Unable to read an encrypted email using renewed tokens
The URL encoding problem was affecting the proper verification of this bug.
and
Bug 1379749 - Automatic recovery of encryption cert is not working when a token is physically damaged and a temporary token is issued
The URI encoding was also making this bug appear to fail more than it should have.
There is also a minor fix to the feature that makes sure it works.
This small fix is in TPSEngine.java where the constant for GenerateNewAndRecoverLast scheme is declared.
|
|
|
|
|
|
| |
op.format.externalRegAddToToken.revokeCert=true
This patch adds the missing parameters in the CS.cfg for externalRegAddToToken in regards to format operation. It also changed the non-defined ldap2 and ldap3 and ldap1
|
|
|
|
|
|
|
| |
multiple tokens. #1664
We just found out the code doesn't account for if the user has an active token which IS the
token currently being worked on.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
tokens. #1664
This bug was previously not completely fixed where we left a loophole to allow a user to
end up with 2 active tokens. This fix closes that loophole.
Also:
Fix for: Unable to read an encrypted email using renewed tokens. #2483
This fix provides for a new optional renewal based token policy, that
allows the user to retain or recover old encryption certs for that profile,
that get overwritten by the renewal process.
An example is:
RENEW=YES;RENEW_KEEP_OLD_ENC_CERTS=YES
The default is YESk you have to explicitly set it to NO to turn it off.
The second part of the policy is new.
When this is set to "YES", the system will make sure the old enc cert
will remain on the token. If it's missing or "NO", no such attempt will be made.
junk
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
key id on the ldap user mismatches
Problem: There are two ways to recover the keys with
a. by cert
b. by keyId
When recovering by cert, KRA checks if cert and key matches before returning; However, in case of recovering by keyId, KRA has no way of checking. TPS also has no way of checking because the recovered private keys are warpped.
This patch adds a control parameter externalReg.recovery.byKeyID to determine if TPS should recover keys by keyIDs. By default, it is false, so certs are used to search for key record and recover.
Code summary for externalReg key recovery:
config default: externalReg.recover.byKeyID=false
Recover either by keyID or by cert
When recovering by keyid: externalReg.recover.byKeyID=true
- keyid in record indicates actual recovery;
- missing of which means retention;
When recovering by cert: externalReg.recover.byKeyID=false
- keyid field needs to be present
but the value is not relevant and will be ignored (a "0" would be fine)
- missing of keyid still means retention;
(In hindsight, recovery by keyid is probably more accident-prone and should be discouraged)
|
|
|
|
| |
This patch fixes the bug that after revocation ca discovery, the revokeCertificate call goes back to the default ca, the ca that the certificate is to be enrollmed with; This causes problem when the revocation ca is a different ca.
|
|
|
|
|
|
|
|
|
|
| |
The URLs were generated by a UriBuilder that referred to the resource's
annotated path. This top-level path changed though, even if the underlying
paths did not. Replace this with a reference to the getX methods instead.
Also fixed a few eclipse flagged warnings (unused imports etc).
Ticket 2447
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Support to allow the TPS to do the following:
1. Request that the TKS creates a shared secret with the proper ID, pointing to the TPS.
2. Have the TKS securely return the shared secret back to the TPS during the end of configuration.
3. The TPS then imports the wrapped shared secret into it's own internal NSS db permanenty and.
4. Given a name that is mapped to the TPS's id string.
Additional fixes:
1. The TKS was modified to actually be able to use multiple shared secrets registered by
multiple TPS instances.
Caveat:
At this point if the same remote TPS instance is created over and over again, the TPS's user
in the TKS will accumulate "userCert" attributes, making the exportation of teh shared secret
not functional. At this point we need to assume that the TPS user has ONE "userCert" registered
at this time.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch will install a check during the early portion of the enrollment
process check a configurable policy whether or not a user should be allowed
to have more that one active token.
This check will take place only for brand new tokens not seen before.
The check will prevent the enrollment to proceed and will exit before the system
has a chance to add this new token to the TPS tokendb.
The behavior will be configurable for the the external reg and not external reg scenarios
as follows:
tokendb.nonExternalReg.allowMultiActiveTokensUser=false
tokendb.enroll.externalReg.allowMultiActiveTokensUser=false
|
|
|
|
|
|
|
|
|
| |
The TPS token and activity services have been modified to use VLV
only when the search filter matches the VLV, which is the default
filter when there is no search keyword/attributes specified by
the client. In other cases the services will use a normal search.
https://fedorahosted.org/pki/ticket/2342
|
|
|
|
|
|
|
| |
Some REST services have been fixed to return the response in XML
format by default.
https://fedorahosted.org/pki/ticket/1276
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The TPS VLVs for tokens and activities has been modified to sort
the results by date in reverse order.
The DBRegistry.getLDAPAttributes() was modified to support reverse
sort order by recognizing the "-" prefix in the list of sort keys
and pass it to LDAP.
The DBVirtualList.setSortKey() was modified to ignore bubble up the
exceptions that happen during LDAP attribute mapping.
https://fedorahosted.org/pki/ticket/2263
https://fedorahosted.org/pki/ticket/2269
|
|
|
|
|
|
|
|
|
|
|
|
| |
Previously TPS VLVs for tokens and activities were defined using
presence filters of some optional attributes. If the optional
attribute is missing the entry will not be included in the search
result.
The VLVs have now been modified to use object class matching
filters to ensure they match all tokens and activities.
https://fedorahosted.org/pki/ticket/2354
|
|
|
|
| |
This patch adds activity logs for adding unknown token during format or enrollment or pin reset.
|
|
|
|
|
|
|
| |
This patch comments out unneeded data in TMS debug logs (TPS&TKS);
It reduces the size of the debug logs by a lot.
Note that for ease of later development debugging, the debug lines
are commented out instead of being removed
|
|
|
|
|
|
|
|
|
| |
The TPSSubsystem has been modified to load and validate the token
state transition lists during initialization. If any of the lists
is empty or any of the transitions is invalid, the initialization
will fail and the subsystem will not start.
https://fedorahosted.org/pki/ticket/2334
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The vlv.ldif for TPS has been modified to remove the hard-coded
database name and to use customizable parameter instead.
The token and activity REST services have been modified to search
the database using VLV.
The existing database can be fixed using the following procedure:
http://pki.fedoraproject.org/wiki/Database_Upgrade_for_PKI_10.3.x#Relocating_VLV_indexes
https://fedorahosted.org/pki/ticket/2342
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch fixes the following areas:
* In the CA, when revokeCert is called, make it possible to move from on_hold
to revoke.
* In the servlet that handles TPS revoke (DoRevokeTPS), make sure it allows
the on_hold cert to be put in the bucket to be revoked.
* there are a few minor fixes such as typos and one have to do with the
populate method in SubjectDNInput.java needs better handling of subject in
case it's null.
Note: This patch does not make attempt to allow agents to revoke certs that
are on_hold from agent interface. The search filter needs to be modified to
allow that.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Ticket #801 : Merge pki-symkey into jss
What is supported:
1. Everything that is needed to support Secure Channel Protocol 01.
2. Supports the nist sp800 kdf and the original kdf.
3. Supports key unwrapping used by TPS which was formerly in the symkey JNI.
Requires:
1. A new JSS that supports more advanced symkey operations such as key derivation, more advanced key
unwrapping , and a way to list and identify a given symmetric key by name. Version of new Jss will be forthcoming.
Still to do:
1. Port over the 2 or 3 SCP02 routines from Symkey to use this code.
2. The original symkey will remain in place until we can port over everything.
3. SCP03 support can be added later.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This ticket was reopened due to retrieving wrong ca connector config param for the case when format is done within an enrollment.
The following is attempted:
op.enroll.userKey.ca.conn
while the following is intended:
op.format.userKey.ca.conn
In addition, this patch also fixes the following issues;
a. reason param name is not conforming: "reason" instead of "revokeReason"
b. adding default reason to format TPS profiles
c. by default mappingResolver.formatProfileMappingResolver resolves
to tokenKey, while enroll resolves to userKey.
-> now changed the userKey
d. if revocation fails during format, it was forgiving.
-> now changed so that error is logged in activity log and exception
thrown and bail out
|
| |
|
|
|
|
|
|
|
| |
A new token status UNFORMATTED has been added for new tokens added
via UI/CLI and for TERMINATED tokens that are to be reused.
https://fedorahosted.org/pki/ticket/2287
|
|
|
|
|
|
| |
The token status READY has been renamed to FORMATTED for clarity.
https://fedorahosted.org/pki/ticket/2288
|
|
|
|
| |
This patch adds the token prefix to connector nickName's when installed with HSM
|
|
|
|
|
|
|
|
|
| |
The LDAP attribute for token status has been modified to store the
same values displayed on the CLI. This way searching tokens with
specific status can be done correctly with simple LDAP filter such
as (tokenStatus=<status>).
https://fedorahosted.org/pki/ticket/2296
|
|
|
|
|
|
|
|
|
|
|
| |
The token status UNINITIALIZED has been renamed to READY for
clarity.
To simplify the transition, the CLIs and the REST API will continue
to accept UNINITIALIZED but it will be converted internally into
READY and a deprecation warning will be generated.
https://fedorahosted.org/pki/ticket/2288
|
|
|
|
|
|
|
|
|
|
|
| |
The token status TEMP_LOST has been renamed to SUSPENDED such that
it can be used more general contexts.
To simplify the transition, the CLIs and the REST API will continue
to accept TEMP_LOST but it will be converted internally into
SUSPENDED and a deprecation warning will be generated.
https://fedorahosted.org/pki/ticket/2286
|
|
|
|
|
|
|
|
| |
The TokenStatus enumeration has been converted into a class to
allow overriding the TokenStatus.valueOf() to provide backward
compatibility.
https://fedorahosted.org/pki/ticket/2286
|