| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
| |
The unused configuration wizard servlet has been removed to
simplify refactoring other codes.
The remaining references in CertUtil and ConfigurationUtils
have been removed as well.
https://fedorahosted.org/pki/ticket/1120
(cherry picked from commit 60fa66aa04ec61350420d95a554c0cec7834ebbd)
|
|
|
|
|
|
|
|
|
|
|
| |
cards for ExternalReg - make default keySetMappingResolver work for smart cards out of box
The earlier patch works fine for the feature requested. However, the default
keySetMappingResolver filter contains keySet extension which would fail smart
cards. Although this could be easily worked around, this patch provides the
default that would make it easier to play with.
(cherry picked from commit ee93ca05ec3a52fcf6239c48c167d8d5566b81cd)
|
|
|
|
|
|
| |
Simple fix to correctly identify scp01/gp201 sc650 card.
(cherry picked from commit 3158e1279b210d9f409918b24180bf20b0774614)
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When setting up a clone, indexes are added before the
replication agreements are set up and the consumer is initialized.
Thus, as data is replicated and added to the clone db, the
data is indexed.
When cloning is done with the replication agreements already set
up and the data replicated, the existing data is not indexed and
cannot be accessed in searches. The data needs to be reindexed.
Related to ticket 1414
|
|
|
|
|
|
|
|
|
| |
It is true that his setting is not present.
The generic code that revokes certs for a format checks this value.
No harm in putting this value in the CS.cfg and setting it to false by
default for the externalRegAddToToken profile. No harm in giving the user
the way to use this feature , even if we decide it is not a good idea to revoke
certs associated with the external reg feature.
|
| |
|
|
|
|
|
|
|
| |
still shows old key
Simple matter of not updating the token record at the end of the pin reset operation.
Also, make sure the activity log is correct.
|
|
|
|
|
|
|
|
|
| |
A new man page has been added for the pki tps-profile CLI. The
CLI has been modified to refer to the new man page.
Some other man pages have been cleaned up as well.
https://fedorahosted.org/pki/ticket/1271
|
|
|
|
|
|
| |
Ticket # 1466 .
Also remove some needless copies of server.xml from the code.
|
|
|
|
|
|
|
| |
Ticket #1423 Pin reset operation using tpsclient fails.
Recently we had added a new way to resolve the profile. That new method was
not used in the PinReset Processor. This fix addresses that and allows the Pin Reset operation to complete.
|
|
|
|
|
|
|
|
|
| |
Ticket # 793: Add support for Secure Channel Protocol 02
Properly select the coolkey applet in the "getAppletVersion" routine.
For some reason the gp211 applet revealed this issue.
Tested to work with both gp211 scp02 card and gp201 scp01 card.
|
|
|
|
|
|
| |
The getCloningData() in SystemConfigService has been renamed to
configureClone(). Redundant try-catch blocks have been removed.
Some exception messages have been modified to include more info.
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The SelfTestSubsystem has been modified to display a 'successful'
message only if all tests have passed. If a test fails, it will
log a failure, subsequent tests will not be executed, and the
subsystem will shutdown immediately.
The runSelfTest() in various tests have been cleaned up to throw
the original exception to help troubleshooting. The unused
RAPresence test has been removed.
https://fedorahosted.org/pki/ticket/1249
|
|
|
|
|
| |
This patch addressed the issue that TPS on independent Tomcat is missing
symlink to symkey.jar and causes all symkey method reference to fail
|
|
|
|
| |
op.format.soCleanSOToken.validateCardKeyInfoAgainstTokenDB=true
|
| |
|
|
|
|
| |
the token db cert entry
|
|
|
|
| |
different cards for ExternalReg This patch adds support to keyset mapping
|
|
|
|
| |
cards for ExternalReg This patch is mainly refactoring the names of the Mapping Resolver framework in preparation for ticket 1307 to support keySet mapping in addition to the original purpose of resolving tokenType mapping. The reason to separate out refactoring from the real code is for ease of reviewing. TPS is currently a Tech Preview feature, so upgrade is not of consideration at the moment.
|
|
|
|
|
|
|
|
|
|
|
| |
The REST methods may be executed by different threads even though
they are invoked in the same session. A new interceptor has been
added to all subsystems to make sure the SessionContext is created
properly for each thread. This will fix the authentication data in
the audit log. The SessionContext has also been improved to use
ThreadLocal instead of a global Hashtable.
https://fedorahosted.org/pki/ticket/1054
|
| |
|
|
|
|
|
|
|
| |
The templates have been modified to remove hard-coded background
color settings and use the styles defined in a new CSS file.
https://fedorahosted.org/pki/ticket/1296
|
|
|
|
| |
https://fedorahosted.org/pki/ticket/1296
|
|
|
|
| |
Specifically changes to CS.cfg, server.xml and tomcat.conf
|
|
|
|
|
|
|
|
|
|
|
|
| |
The Dogtag code has been modified to support both Tomcat 7 and 8.
All files depending on a specific Tomcat version are now stored
in separate folders. The build scripts have been modified to use
the proper folder for the target platform. The tomcatjss
dependency has been updated as well.
The upgrade script will be added in a separate patch.
https://fedorahosted.org/pki/ticket/1264
|
|
|
|
|
|
|
|
|
| |
The TPS UI has been modified to provide an interface to edit
raw properties as in the configuration file. This also allows
editing multiple properties at once and also copy & pasting
the properties.
https://fedorahosted.org/pki/ticket/936
|
|
|
|
|
|
|
|
|
|
| |
The TPS UI has been modified to display the appropriate actions
menu based on the roles of the user. TPS agent can only enable
and disable profiles, and also approve or reject pending requests.
TPS admin can only edit disabled profiles, then submit it for
approval, or cancel the request.
https://fedorahosted.org/pki/ticket/1292
|
|
|
|
|
|
|
|
| |
The REST services have been modified to support submit and cancel
actions. The ACL has been fixed to allow admins and agents to
change the status.
https://fedorahosted.org/pki/ticket/1292
|
|
|
|
|
|
|
|
|
|
|
| |
The TPS UI has been modified to customize the navigation menu
based on the roles of the user currently logged in. TPS agents
do not have access to users, groups, config, authenticators,
connectors, profile mappings, audit, and self tests, so the
corresponding menu items will be hidden. TPS admins have
access to all menu items.
https://fedorahosted.org/pki/ticket/1292
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch is the 2nd phase of the externalReg feature, it makes the
following improvements:
* added feature: recovery by keyid (v.s. by cert)
* fixed some auditing message errors
* added some missing ldapStringAttributes needed for delegation to work
properly
* added missing externalReg required config parameters
* made corrections to some externalReg related parameters to allow
delegation to work properly
* added handle of some error cases
* made sure externalReg enrollment does not go half-way (once fails,
bails out)
tested:
* enrollment of the three default TPS profiles (tokenTypes)
* format of the tokens enrolled with the three default tps profiles
* delegation enrollments
* cuid match check
next phase:
* cert/key retention (allow preserving existing certs/keys on the token)
note:
* some of the activity log and cert status related issues that are not
specifically relating to externalReg will be addressed in other more
relevant tickets.
|
|
|
|
|
|
|
|
|
| |
All TPS services have been fixed to set the default status of a
new record to Disabled if the client does not provide the initial
status. This will ensure a newly created profile to always have a
status so it can be deleted normally.
https://fedorahosted.org/pki/ticket/1273
|
|
|
|
|
|
|
|
|
|
| |
The base class of ProfileDatabase (i.e. CSCfgDatabase) has been
modified to return the correct default value (i.e. Enabled) if the
status parameter doesn't exist. The TPSProcessor has been modified
to use ProfileDatabase and other TPS codes have also been changed
to use constants instead of string literals to ensure consistency.
https://fedorahosted.org/pki/ticket/1270
|
|
|
|
|
|
|
| |
The "Subsystem Connections" link in the home.html has been fixed
to point to #connectors.
https://fedorahosted.org/pki/ticket/1274
|
|
|
|
|
|
|
| |
The TPS REST service, CLI, and UI have been modified to provide
an interface to search for certificates belonging to a token.
https://fedorahosted.org/pki/ticket/1164
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Implementation of the nistSP800 dervication feature.
Works for both supported scp01 cards and scp02 cards.
During the various session key and key upgrade functions, the nist dervication code is being called.
Review comments addressed
Cleanup of some input validation on the TKS.
Added some sanity checking on the TPS side for key versions and token cuid's and kdd's.
Final review comments.
Fixed issue with extracting the kdd from the AppletInfo class.
Fixed issue with sending the KDD to the encryptData TKS servlet.
Added requested entries to the CS.cfg .
|
|
|
|
| |
- PKI TRAC Ticket #1144 - pkispawn needs option to specify ca cert for ldap
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
First cut of gp211 and scp protocol 02 for tokens.
Allow token operations using a GP211 token over secure channel protocol 02.
This patch supports the following:
1. Token operations with a GP211 card and SCP02 protocol, implementation 15.
2. Token still supports GP201 cards with SCP01.
3. SCP02 tested with SC650 gp211/scp02 card.
Things still to do:
1. Right now the SCP02 support has been tested with the current gp201 applet and
enrollment and formatting works just fine. We need to modify and compile the applet
against the GP211 spec and retest to see if any further changes are needed.
2. The nistSP800 key derivation stuff is not completed for the SCP02 protocol. Some
of the routines are self contained vs similar SCP01 ones. We have another ticket to
complete the nistSP800 support from end to end. This work will be done for that ticket.
3. One of the new scp02 deriviation functions can make use of a new NSS derive mechanism.
As of now this work is done by simple encryption, this can be done later.
4. The security APDU level of "RMAC" is not supported because the card does not support it.
It could have been done to the spec, but it having the card to test is more convenient and there
were more crucial issues to this point.
|
|
|
|
|
|
| |
BZ 1163987. Added revocation checks to optionally revoke
expired certs, and handle cases where certs are shared on multiple
tokens.
|
|
|
|
|
|
|
|
|
|
| |
The createFilter() method in LDAPDatabase has been changed to
construct an LDAP filter based on a keyword and a set of
attributes with their values. This will allow searching the
database based on specific attribute values. The subclasses of
LDAPDatabase have been updated accordingly.
https://fedorahosted.org/pki/ticket/1164
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fix now includes last review comments where we decided to consolidate 3 of the
ldif files: schema.ldif,database.ldif, and manager.ldif.
Each one of these 3 files contains the data needed for any subsystem for that file.
The subsystem specific files for these 3 go away in the source tree.
The first iteration of this fix was copying these 3 files into an undesirable directory.
This is no longer the case.
Extra code in the python installer allows one to establish a "file exclusion" callback to
keep a set of desired files from being copied when the installer does a directory copy.
All subsystems have been tested, including TPS with a brand new DS (which was the original reason for this fix),
and they appear to work fine.
Addressed further review comments:
1. Removed trailing whitespace instances from schema.ldif which had some.
2. Used pycharm to remove the few PEP violations I had previously added to the Python code.
3. Changed the format of the schema.ldif file to make all the entries use the same style.
Previously the TPS entries was using an all in one syntax. No more since now each entry is separate.
4. Changed the name of an argument in one of the new Python methods to get rid of a camelCase instance.
5. Tested everything to work as before, including basic TPS operations such as Format.
Fixed a method comment string and fixed some typos.
|
|
|
|
|
|
|
| |
Now an enrolled token can have its pin changed with esc without doing another enrollment.
Actually call authentication for this pin reset operation now.
Review fix.
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
| |
This reverts commit 223d15539b7bcc0df025025036af2935726e52e3.
The patch does not work for subsystems installed on separate
instance since it will require additional OCSP setup.
|
|
|
|
| |
* PKI TRAC Ticket #1017 - Rename pki-tps-tomcat to pki-tps
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
1. Make sure the new TPS packages all the applet files, like the old TPS has done.
2. Create a small new package called "pki-tps-client", which will hold ONLY the
command line utility "tpsclient" and all of its supporting libraries.
3. Move the directory pki/base/tps to pki/base/tps-client
We will do this until we can rewrite "tpclien" on the new Java TPS system.
Add package pki-tps-client.
|
|
|
|
|
| |
* PKI TRAC Ticket #946 - Installation of IPA hangs up
when LANG is set to tr_TR.UTF8
|
|
|
|
|
|
|
|
|
|
|
|
| |
1. Read applet into memory to prepare to write to token.
2. With tpsclient create secure channel by implementing Initialize Update and ExternalAuthenticate messages.
3. Support for MAC and encryption for messages going on after secure channel has been created.
4. Implemented method to remove an aid file or instance from the token.
5. Added some symkey methods to allow TPS to manipulate session keys.
6. Performed some cfu feedback fixes such as changing al the names of APDU classes to have APDU in the name.
Have not tried this with real token as of yet. The tpsclient does verify of the MAC coming from the server and decrypts encrypted messages. Decrypted messages have to be correct for the MAC verification to work.
Next step will be to add the phone home servlet to the TPS and give it a try with a real token and esc.
|