| Commit message (Collapse) | Author | Age | Files | Lines |
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The token status UNINITIALIZED has been renamed to READY for
clarity.
To simplify the transition, the CLIs and the REST API will continue
to accept UNINITIALIZED but it will be converted internally into
READY and a deprecation warning will be generated.
https://fedorahosted.org/pki/ticket/2288
|
|
|
|
|
|
|
|
|
|
|
| |
The token status TEMP_LOST has been renamed to SUSPENDED such that
it can be used more general contexts.
To simplify the transition, the CLIs and the REST API will continue
to accept TEMP_LOST but it will be converted internally into
SUSPENDED and a deprecation warning will be generated.
https://fedorahosted.org/pki/ticket/2286
|
|
|
|
|
|
|
|
| |
The TokenStatus enumeration has been converted into a class to
allow overriding the TokenStatus.valueOf() to provide backward
compatibility.
https://fedorahosted.org/pki/ticket/2286
|
| |
|
|
|
|
|
|
|
|
| |
The TPSTokendb.shouldRevoke() has been modified such that it
throws an exception instead of returning boolean. The method
has also been renamed to checkShouldRevoke(). The revokeCert()
and unrevokeCert() have been modified to catch the exception
and log the failed operation.
|
|
|
|
|
|
| |
The code in TPSTokendb.revokeCertsByCUID() has been split into
revokeCert() and unrevokeCert() to allow handling each operation
separately.
|
|
|
|
|
| |
The TPSTokendb.tdbGetTokenEntry() invocations in shouldRevoke()
have been moved into revokeCertsByCUID().
|
|
|
|
|
| |
The code that parses the token certificate serial number has been
refactored into a new method in TPSCertRecord.
|
|
|
|
|
|
|
|
|
| |
The unused user status and type fields and the TPS Officers group
have been removed from the TPS UI.
https://fedorahosted.org/pki/ticket/2264
https://fedorahosted.org/pki/ticket/2265
https://fedorahosted.org/pki/ticket/2266
|
|
|
|
|
|
|
|
| |
The TPS UI home page and the status menu item been temporarily
removed. The home links will now redirect to the tokens page.
https://fedorahosted.org/pki/ticket/2261
https://fedorahosted.org/pki/ticket/2262
|
|
|
|
|
|
|
|
| |
For clarity the TPS operatons that generate OP_DO_TOKEN activity
has been modified to generate OP_TOKEN_MODIFY instead, except for
the changeTokenStatus() which will generate OP_TOKEN_STATUS_CHANGE.
https://fedorahosted.org/pki/ticket/2268
|
| |
|
|
|
|
|
|
|
|
|
| |
This patch does the following:
* it adds in the kra request an extra field called "delayLDAPCommit"
* when the request comes in to be processed, it sets this field to "false"
* by default, if this field does not exist, the updateRequest() method will just write to ldap, just like before; however, if this field exists and it contains "true" then it will delay the write
* once the request is processed and all unwanted fields are cleared from the request record, it will set "delayLDAPCommit" to "false", and call updateRequest(), which will then do the actual write to ldap
* In addition, I also screened through both KRA and TPS code and removed debug messages that contain those fields.
|
|
|
|
| |
This patch removes certs from token record when it is formatted.
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds audit logging to TPS REST wrote-specific operations.
The read-specific operations are already captured by AuditEvent=AUTHZ_*
The affected (new or modified) log messages include:
LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_GENERAL_5
LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_PROFILE_6
LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_MAPPING_RESOLVER_6
LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_AUTHENTICATOR_6
LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_CONNECTOR_6
LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_RECORD_6
LOGGING_SIGNED_AUDIT_TOKEN_STATE_CHANGE_8
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The TPS subsystem has been modified to generate the token state
transitions from TEMP_LOST to UNINITIALIZED or ACTIVE dynamically
depending on whether the token has certificates.
The TEMP_LOST to ACTIVE transition has been removed from the CS.cfg.
Duplicate code that loads the allowed transitions list has been
merged and moved into TPSSubsystem.
https://fedorahosted.org/pki/ticket/1808
|
|
|
|
|
|
|
|
|
|
|
| |
The TPS UI Tokens page and the pki tps-token-find CLI have been
modified to provide an interface to filter tokens based on their
attributes.
The TokenService.findTokens() has been modified to accept
additional search criteria based on token attributes.
https://fedorahosted.org/pki/ticket/1482
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The TokenService.setTokenStatus() has been modified to restore
the temporarily lost token back into either uninitialized or
active state based on whether the token has certificates.
The TPSTokendb.tdbGetCertRecordsByCUID() has been modified to use
only tokenID attribute to search for token certificates more
accurately. It also has been simplified to return the certificate
records collection object directly.
Some constructors were added to the TPSException to allow chaining
the exception cause.
https://fedorahosted.org/pki/ticket/1808
|
|
|
|
|
|
|
|
|
| |
The TPS UI has been modified such that it will use an HTML-based
dialog instead of the browser's built-in dialog such that the
option to "prevent this page from creating additional dialogs"
will no longer appear.
https://fedorahosted.org/pki/ticket/1685
|
|
|
|
| |
Fixes: https://fedorahosted.org/pki/ticket/1674
|
|
|
|
|
|
| |
This patch implements the TPS operation auditing: TOKEN_APPLET_UPGRADE_SUCCESS,TOKEN_APPLET_UPGRADE_FAILURE,TOKEN_CERT_ENROLLMENT,TOKEN_CERT_RENEWAL,TOKEN_CERT_RETRIEVAL,TOKEN_KEY_RECOVERY,TOKEN_CERT_STATUS_CHANGE_REQUEST,TOKEN_OP_REQUEST,TOKEN_FORMAT_SUCCESS,TOKEN_FORMAT_FAILURE,TOKEN_KEY_CHANGEOVER,TOKEN_KEY_CHANGEOVER_FAILURE,TOKEN_PIN_RESET_SUCCESS,TOKEN_PIN_RESET_FAILURE,TOKEN_STATE_CHANGE,TOKEN_AUTH_SUCCESS,TOKEN_AUTH_FAILURE
Administrative auditing (via REST interface) will be covered in a separate ticket
|
|
|
|
|
|
|
| |
The TokenService has been modified to ignore token change status
operation if the status is unchanged.
https://fedorahosted.org/pki/ticket/1684
|
|
|
|
|
|
|
| |
The TPS UI and CLI have been modified to accept only user ID and
policy attributes when modifying a token.
https://fedorahosted.org/pki/ticket/1687
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Ticket: Ticket #1734 : TPS issue with overflowing PKCS#11 cert index numbers
This patch contains the following:
1. Fixes in TPS to allow the server to set and read muscle object ID's that are greater than 9.
The id is stored as a single ASCII byte in the object id. Previous libcoolkey patches exist to now support numbers
larger than 9, by the following:
0-9 is represented by the ascii chars for 0 through 9,.
10 - 35 represented by the ascii chars for 'A' through 'Z'.
36 - 61 represented by the ascii chars for 'a' through 'z'.
Once coolkey is updated it will be able to read these id's.
TPS with this patch will be able to both read number 0 - 62 and to set them when creating pkcs#11 objects to be stored on the token.
When the proper libcoolkey is installed, the coolkey driver will be able to read certs and keys with id's > 9. Thus, for instance a cert with an id of C6, with keys of k12, and k13, will be supported and viewable in the Firefox cert viewer. Also the certs will be usable for operations.
2. A fix to the routine that finds a free id number to assign to a soon to be recovered cert will now have the ability to find unused slots instead of just inrementing one over the highest currently used index.
3. Made a couple of minor cleanup fixes to externalReg functionality discovered during testing of this feature.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The labels for token states and the transitions are now stored
in token-states.properties. The default file will be stored
in the /usr/share/pki/tps/conf, but it can be overriden by
copying and customizing the file into <instance>/tps/conf.
When the UI retrieves the token data the labels for the current
state and the valid transitions will be loaded from the file
and returned to the UI. The UI will show the transition labels
in the dropdown list for changing token status.
https://fedorahosted.org/pki/ticket/1289
https://fedorahosted.org/pki/ticket/1291
|
|
|
|
|
|
|
|
| |
The TPS UI and CLI have been modified to accept only token ID,
and optionally user ID and policy attributes when adding a token.
https://fedorahosted.org/pki/ticket/1477
https://fedorahosted.org/pki/ticket/1687
|
|
|
|
|
|
|
|
|
|
| |
The DBSSession has been modified to attach the LDAPException
to the EDBException. The TokenService will catch the EDBException
and obtain the orignal LDAPException. This way the TokenService
can obtain the LDAP error code and throw the proper exception
the client.
https://fedorahosted.org/pki/ticket/1646
|
|
|
|
|
|
|
|
|
| |
The TokenService has been modified to re-throw the original
PKIException. This way on invalid token state transition the
client will receive the original BadRequestException. Other
types of exception will be wrapped with PKIException.
https://fedorahosted.org/pki/ticket/1684
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The TPS service has been modified to provide a list of allowed
state transitions based on the current token state. The TPS UI
was modified to display only the allowed state transitions when
changing the token status.
The allowed state transition list has been modified to remove
invalid token transitions including:
* UNINITIALIZED -> FOUND
* UNINITIALIZED -> TEMP_LOST_PERM_LOST
The token FOUND state has been renamed to ACTIVE for clarity.
The token TEMP_LOST_PERM_LOST state has been merged into
PERM_LOST since they are identical in the database.
https://fedorahosted.org/pki/ticket/1289
https://fedorahosted.org/pki/ticket/1291
https://fedorahosted.org/pki/ticket/1684
|
|
|
|
|
|
|
|
| |
The TPS UI has been modified such that if the browser does not
support logout operation it will show a message asking the user
to clear the Active Logins or close the browser.
https://fedorahosted.org/pki/ticket/1344
|
| |
|
|
|
|
|
|
|
|
| |
For ticket #1007 TPS Audit Events, we need to add audit messages.
The existing parameter name "auditMsg" has been used broadly for
TPS logging, which could be confused for the actual audit messages.
This patch is to replace all the existing "auditMsg" parameters with
"logMsg" instead.
|
|
|
|
|
|
|
| |
The TPS UI has been modified to provide an interface to run the
selftests and display the results.
https://fedorahosted.org/pki/ticket/1502
|
|
|
|
|
|
|
|
|
|
|
| |
The TPS UI has been modified to provide a table as an interface
to manage the user profiles. When adding a profile, the profile
can be selected from a list of available profiles.
The UserService and UGSubsystem have been modified to allow adding
a user with no assigned profiles.
https://fedorahosted.org/pki/ticket/1478
|
|
|
|
|
|
|
|
|
|
| |
The TPS UI has been modified to display the accessible services
based on the user's roles. A TPS admin has access to all services.
A TPS agent has access to tokens, certificates, activities, and
profiles. A TPS operator has access to tokens, certificates, and
activities only.
https://fedorahosted.org/pki/ticket/1476
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Ticket #1514 TPS: Recovered certs on a token has status expired
Ticket #1587 External Registration Recovery only works for 1024 sized keys out of the box
This patch provides the cert/key retention feature for externalReg.
If the certsToAdd field contains (serial,ca#) instead of the full
(serial, ca#, keyId, kra#), then it is expecting the cert/keys to be
retained from token without having to do a full retrieval (recovery);
If an exisiting cert (and its keys) on the token is not explicitly
retained then it is deleted.
This patch also fixes the issues reported in #1514 and #1587 as testing
of #1375 is easier with those two issues addressed.
An issue was found during development where Coolkey puts limits on the
cert/key ids on the token and make it impossible to inject cert ID higher
than 4, as it would then result in key ids into two digits.
Another issue that adds to running into the limit is that the function
that gets the next free certid number does not make any attempt to search
for "holes" to reuse.
The cert/key id assignment/limit issue will be filed as a separte ticket
and addressed separately. More complicated testing will be conducted then.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The unused configuration wizard servlet has been removed to
simplify refactoring other codes.
The remaining references in CertUtil and ConfigurationUtils
have been removed as well.
https://fedorahosted.org/pki/ticket/1120
|
|
|
|
| |
client and server This patch provides subsystem->subsystem cipher configuration when acting as a client
|
|
|
|
|
|
|
|
|
|
|
|
| |
The TPS UI navigation elements have been updated to add the
missing names and to use better names. The checkbox IDs in various
pages have also been renamed for consistency.
The pki-ui.js has been modified to use the checkbox ID of the
template row instead of table name to construct the checkbox ID
of the actual rows.
https://fedorahosted.org/pki/ticket/1622
|
|
|
|
|
|
|
|
|
|
| |
different cards for ExternalReg
The patch fixes an issue that the CUID comes in from the client has a different
format than that of the config cuid range strings. With the right conversion,
the cuid range would then be evaluated correctly. The issue may only be
discovered with certain cuid data, as it was not reproduceable in the dev
environment.
|
|
|
|
|
|
|
|
|
| |
cards for ExternalReg - make default keySetMappingResolver work for smart cards out of box
The earlier patch works fine for the feature requested. However, the default
keySetMappingResolver filter contains keySet extension which would fail smart
cards. Although this could be easily worked around, this patch provides the
default that would make it easier to play with.
|
|
|
|
| |
Simple fix to correctly identify scp01/gp201 sc650 card.
|
| |
|
|
|
|
| |
Simple fix to correctly identify scp01/gp201 sc650 card.
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When setting up a clone, indexes are added before the
replication agreements are set up and the consumer is initialized.
Thus, as data is replicated and added to the clone db, the
data is indexed.
When cloning is done with the replication agreements already set
up and the data replicated, the existing data is not indexed and
cannot be accessed in searches. The data needs to be reindexed.
Related to ticket 1414
|
|
|
|
|
|
|
|
|
| |
It is true that his setting is not present.
The generic code that revokes certs for a format checks this value.
No harm in putting this value in the CS.cfg and setting it to false by
default for the externalRegAddToToken profile. No harm in giving the user
the way to use this feature , even if we decide it is not a good idea to revoke
certs associated with the external reg feature.
|
| |
|
|
|
|
|
|
|
| |
still shows old key
Simple matter of not updating the token record at the end of the pin reset operation.
Also, make sure the activity log is correct.
|