path: root/base/util
Commit log (each entry: commit message, author, date; files changed, lines removed/added):
* Fixed PKCS #12 export options. (Endi S. Dewata, 2016-04-20; 1 file, -1/+5)
  The CLIs for exporting PKCS #12 file have been modified to accept options to export without trust flags, keys, and/or certificate chain. https://fedorahosted.org/pki/ticket/1736
* Fixed exception handling in CertificateExtensions. (Endi S. Dewata, 2016-04-12; 8 files, -32/+34)
  The CertificateExtensions.parseExtension() and some extension classes have been modified to chain the original exception. https://fedorahosted.org/pki/ticket/1654
* Fixed exception handling in X509CertInfo. (Endi S. Dewata, 2016-04-12; 1 file, -4/+4)
  The methods in X509CertInfo have been modified to chain the original exception. https://fedorahosted.org/pki/ticket/1654
* Fixed pki pkcs12-import backward compatibility. (Endi S. Dewata, 2016-04-08; 1 file, -3/+14)
  For backward compatibility the pki pkcs12-import has been modified to generate default nicknames and trust flags for CA certificates if they are not specified in the PKCS #12 file. The PKCS12Util was also modified to find the certificate corresponding to a key more accurately using the local ID instead of the subject DN. The configuration servlet has been modified to provide better debugging information when updating the security domain. https://fedorahosted.org/pki/ticket/2255
* Fixed missing trust flags in certificate backup. (Endi S. Dewata, 2016-04-04; 1 file, -45/+63)
  The ConfigurationUtils.backupKeys() has been modified to use PKCS12Util to export the certificates and their trust flags into a PKCS #12 file such that the file can be used for cloning. The code to generate PFX object has been refactored from the PKCS12Util.storeIntoFile() into a separate generatePFX() method. The PKCS12Util.loadCertFromNSS() has been modified to provide options to load a certificate from NSS database without the key or the certificate chain. The CLIs have been modified to provide the same options. The PKCS12Util.getCertInfo() has been modified to ignore missing certificate attributes in the PKCS #12 file and generate a new local ID. https://fedorahosted.org/pki/ticket/2255
* Add CRL dist points extension to OIDMap unconditionally (Fraser Tweedale, 2016-03-22; 2 files, -8/+17)
  It is possible to encounter a case where the CRLDistributionPointsExtension static initialiser, which adds the class to the OIDMap, has not been invoked. This can cause a ClassCastException, e.g. in CRLDistributionPointsExtDefault. Update OIDMap to add CRLDistributionPointsExtension in its own static initialiser. Fixes: https://fedorahosted.org/pki/ticket/2237
* Remove unused 'toMIME64' methods (Fraser Tweedale, 2016-03-22; 1 file, -14/+0)
* Added support for cloning 3rd-party CA certificates. (Endi S. Dewata, 2016-03-18; 3 files, -40/+66)
  The installation code has been modified such that it imports all CA certificates from the PKCS #12 file for cloning before the server is started using certutil. The user certificates will continue to be imported using the existing JSS code after the server is started. This is necessary since JSS is unable to preserve the CA certificate nicknames. The PKCS12Util has been modified to support multiple certificates with the same nicknames. The pki pkcs12-cert-find has been modified to show certificate ID and another field indicating whether the certificate has a key. The pki pkcs12-cert-export has been modified to accept either certificate nickname or ID. The pki pkcs12-import has been modified to provide options for importing only user certificates or CA certificates. https://fedorahosted.org/pki/ticket/1742
* Move OCSP digest name lookup to CertID class (Fraser Tweedale, 2016-03-03; 1 file, -0/+19)
  The OCSP digest name lookup is currently defined in IOCSPAuthority and implemented by OCSPAuthority, but /any/ code that deals with CertID might need to know the digest, so move the lookup there. Also refactor the lookup to use a HashMap, and add mappings for SHA2 algorithms.
* Fix pkcs12 export (Ade Lee, 2016-03-03; 2 files, -7/+11)
  The utility for exporting certs and keys to a PKCS12 file did not handle the signing certificate correctly. This is because the signing certificate was imported multiple times during the export process - either with its key (and key id set) or as part of the cert chain for the other system certs (with no key set). Each import would override the previous import - so whether or not the key_id was set would depend on the order in which the certificates were imported. This becomes an issue for import into a clone certdb, because in the new mechanism, we rely on the cert attributes (i.e. key_id) to determine if a key is to be imported or not. We fix this by specifying whether the entry in the export should be overwritten or not.
* Added workaround for JSS limitation in pki pkcs12-import. (Endi S. Dewata, 2016-02-26; 1 file, -34/+31)
  Currently JSS is unable to import CA certificates while preserving their nicknames. As a workaround, the pki pkcs12-import has been modified such that it exports individual CA certificates from PKCS The remaining user certificates will continue to be imported using JSS. A new pki pkcs12-cert-export command has been added to export individual certificates from PKCS #12 file into PEM files. The pki pkcs12-import has been modified to take a list of nicknames of the certificates to be imported into NSS database. https://fedorahosted.org/pki/ticket/1742
* Updated PKCS12Util. (Endi S. Dewata, 2016-02-24; 2 files, -29/+38)
  The PKCSUtil has been updated to match the functionality provided by JSS. In order to import a certificate properly, the certificate needs to be exported with its private key and certificate chain, so the option to export without key or without the certificate chain has been removed. The option to export only the certificate chain has also been removed since it can be done by exporting the complete certificate chain, then removing the leaf certificate while keeping the chain. The pki pkcs12-cert-add has been modified to provide an option to create a new PKCS #12 file to store the certificate. The pki pkcs12-export has been modified to always overwrite existing file to match the behavior of PKCS12Export. It also has been modified to accept a list of nicknames of certificates to export. https://fedorahosted.org/pki/ticket/1742
* Added CLI to manage certs in PKCS #12 file. (Endi S. Dewata, 2016-02-19; 1 file, -8/+37)
  New CLIs have been added to add a certificate from NSS database and to remove a certificate from the PKCS #12 file. https://fedorahosted.org/pki/ticket/1742
* Refactored PKCS12Util to use PKCS12 object. (Endi S. Dewata, 2016-02-19; 4 files, -194/+232)
  The PKCS12Util has been modified such that it stores the certs and keys in PKCS12 object instead of PFX object. The PKCS12 object can be loaded either from NSS database or PKCS #12 file. The PKCS12 object can later be stored into NSS database or PKCS #12 file. The pki pkcs12-cert-find and pkcs12-key-find commands were modified to require PKCS #12 password. https://fedorahosted.org/pki/ticket/1742
* Refactored PKCS12CertInfo and PKCS12KeyInfo classes. (Endi S. Dewata, 2016-02-19; 3 files, -22/+120)
  The PKCS12CertInfo and PKCS12KeyInfo classes have been moved out of PKCS12Util into separate classes. The createLocalKeyID() has been modified to return BigInteger instead of byte array. https://fedorahosted.org/pki/ticket/1742
* Added PKCS #12 attribute to store certificate trust flags. (Endi S. Dewata, 2016-02-17; 2 files, -49/+272)
  A new PKCS #12 attribute has been defined to store NSS certificate trust flags in PKCS #12 file. The PKCS12Util has been modified to store the trust flags during export and reset the trust flags in NSS database during import. https://fedorahosted.org/pki/ticket/1742
* Added CLIs to import and export PKCS #12. (Endi S. Dewata, 2016-02-17; 1 file, -0/+154)
  The pki pkcs12-import and pki pkcs12-export commands have been added to import and export PKCS #12 file into and from NSS database. https://fedorahosted.org/pki/ticket/1742
* Use correct textual encoding for PKCS #7 objects (Fraser Tweedale, 2016-02-15; 1 file, -33/+2)
  PKCS #7 objects are being output with the "CERTIFICATE CHAIN" label which is invalid (RFC 7468) and unrecognised by many programs (including OpenSSL). Use the correct "PKCS7" label instead. Also do a drive-by refactor of the normalizeCertAndReq to remove some redundant code. Fixes: https://fedorahosted.org/pki/ticket/1699
* Added CLIs to inspect PKCS #12 file. (Endi S. Dewata, 2016-02-12; 1 file, -0/+176)
  The pki pkcs12-cert-find and pki pkcs12-key-find commands have been added to list the certificates and keys in a PKCS #12 file. https://fedorahosted.org/pki/ticket/1742
* Refactored PKCS12Export. (Endi S. Dewata, 2016-02-12; 1 file, -0/+214)
  The code to export NSS database into PKCS #12 file in PKCS12Export tool has been refactored into PKCS12Util class to simplify further enhancements. The PKCS12Export tool has also been modified to use Java Logging API. A default logging configuration file has been added. The command-line wrapper has been modified to get the path to the logging configuration file from pki.conf. https://fedorahosted.org/pki/ticket/1742
* Add LDAPPostReadControl class (Fraser Tweedale, 2016-01-19; 1 file, -0/+106)
  The LDAPPostReadControl can be used to read an entry after performing an add, modify or modrdn, giving atomic access to operational attributes. Part of: https://fedorahosted.org/pki/ticket/1700
* Extract LDAPControl search function to LDAPUtil (Fraser Tweedale, 2016-01-19; 1 file, -0/+18)
* Ticket #1648 [RFE] provide separate cipher lists for CS instances acting as client and server (Christina Fu, 2015-10-20; 2 files, -0/+263)
  This patch provides subsystem->subsystem cipher configuration when acting as a client
* Ticket 1459 Dogtag clients cannot connect when CS is configured with ECC (Christina Fu, 2015-07-13; 1 file, -0/+44)
  clients are: cli, HttpClient, and java console
* Fixed fail-over in HttpConnection. (Endi S. Dewata, 2015-07-02; 3 files, -42/+35)
  The HttpConnection class has been modified to support fail-over and timeout more consistently. The targets are parsed into a list during initialization. All direct calls to HttpClient.connect() are replaced with a method that will connect to the first available target. All connections are now created with a timeout (which by default is 0). https://fedorahosted.org/pki/ticket/891
* Ticket 1410 Issue with Generic Extension being critical (Christina Fu, 2015-06-15; 1 file, -8/+3)
  - patch ported from https://bugzilla.redhat.com/show_bug.cgi?id=1011984
* Patches to get nuxwdog working with systemd (Ade Lee, 2015-05-10; 3 files, -0/+17)
  This patch adds some new unit files and targets for starting instances with nuxwdog, as well as logic within the pki-server nuxwdog module to switch to/from the old and new systemd unit files. It also corrects some issues found in additional testing of the nuxwdog change scripts.
  To use nuxwdog to start the instance, a user needs to do the following:
  1. Create an instance normally.
  2. Run: pki-server instance-nuxwdog-enable <instance_name>
  3. Start the instance using: systemctl start pki-tomcatd-nuxwdog@<instance_name>.service
  To revert the instance, simply do the following:
  1. Run: pki-server instance-nuxwdog-disable <instance_name>
  2. Start the instance using: systemctl start pki-tomcatd@<instance_name>.service
* Add nuxwdog functionality to Dogtag (Ade Lee, 2015-04-22; 5 files, -5/+115)
  This is the first of several commits. This adds a LifecycleListener to call init() on the nuxwdog client before any connectors or webapps start up, and call sendEndInit() once initialization completes. Code is also added to prompt for and test required passwords on startup. All that is required to use nuxwdog is to start the server using nuxwdog. An environment variable will be set that will trigger creation of the NuxwdogPasswordStore. We expect tags for the required passwords to be in cms.passwordList
* Chain InvocationTargetException thrown during PKCS10Attribute decoding (Fraser Tweedale, 2015-04-16; 1 file, -1/+1)
* Fixed CMake issues on F22. (Endi S. Dewata, 2015-03-05; 1 file, -1/+1)
  Some CMake scripts have been updated to work on both F21 and F22. https://fedorahosted.org/pki/ticket/1281
* Refactored OCSPClient. (Endi S. Dewata, 2015-02-16; 2 files, -1/+186)
  The OCSPClient CLI has been refactored into an OCSPProcessor utility class such that the functionality can be reused. https://fedorahosted.org/pki/ticket/1202
* Decode challengePassword attribute as DirectoryString (Fraser Tweedale, 2014-12-16; 2 files, -0/+26)
  The PKCS #9 challengePassword attribute has DirectoryString syntax. Dogtag currently attempts only to decode it as a PrintableString, causing failures when the attribute is encoded as a UTF8String. Add method DerValue.getDirectoryString() to decode any of the valid DirectoryString encodings and update ChallengePassword to use it. https://fedorahosted.org/pki/ticket/1221
* bugzilla 871171 (client-side code) Provide Tomcat support for TLS v1.1 and TLS v1.2 (Christina Fu, 2014-11-21; 1 file, -59/+3)
* Bug1151147 issuerDN encoding correction (Christina Fu, 2014-10-23; 3 files, -2/+32)
* ticket #1110 pkispawn (configuration) does not provide CA extensions in subordinate certificate signing requests (CSR) (Christina Fu, 2014-09-25; 1 file, -1/+48)
* Changes to fix rawhide build (Ade Lee, 2014-07-01; 2 files, -3/+4)
  - Removed dependency on removed internal junit class
  - moved cmake reference to junit4.jar to junit.jar
  - Disambiguate a couple of references
* Refactoring KeyClient class and crypto classes. (Abhishek Koneru, 2014-03-31; 1 file, -11/+27)
* Changes to KeyClient on the java side. (Abhishek Koneru, 2014-03-19; 1 file, -4/+22)
  The KeyClient class on the java side is modified to have a similar design as the KeyClient class on the python side.
* Fix some errors flagged by eclipse (Ade Lee, 2014-02-04; 2 files, -8/+10)
* Stand-alone DRM (Matthew Harmsen, 2013-10-15; 1 file, -0/+8)
  * TRAC Ticket #667 - provide option for ca-less drm install
* Add service to generate and retrieve a shared secret (Ade Lee, 2013-09-30; 1 file, -1/+77)
  A new REST service has been added to the TKS to manage shared secrets. The shared secret is tied to the TKS-TPS connector, and is created at the end of the TPS configuration. At this point, the TPS contacts the TKS and requests that the shared secret be generated. The secret is returned to the TPS, wrapped using the subsystem certificate of the TPS. The TPS should then decrypt the shared secret and store it in its certificate database. This operation requires JSS changes, though, and so will be deferred to a later patch. For now, though, if the TPS and TKS share the same certdb, then it is sufficient to generate the shared secret. Clients and CLI are also provided. The CLI in particular is used to remove the TPSConnector entries and the shared secret when the TPS is pkidestroyed.
* Patch to get rid of introduced warnings. (Jack Magne, 2013-09-10; 1 file, -4/+4)
* Bug 1005025 - Unable to view Curve details of ECC Cert request from Agent interface (Christina Fu, 2013-09-10; 1 file, -3/+334)
* Added UTF8 to default encoding order. (Andrew Wnuk, 2013-06-24; 1 file, -0/+1)
  Ticket 448.
* Plug resource leaks (Ade Lee, 2013-03-08; 48 files, -557/+583)
* https://fedorahosted.org/pki/ticket/362 RFE: CMC ECC (Christina Fu, 2013-01-15; 2 files, -1/+16)
* Change cmake projects from Java to NONE (Ade Lee, 2012-11-20; 3 files, -3/+3)
* Fixed problem finding SHA-256 message digest. (Endi Sukma Dewata, 2012-10-31; 1 file, -1/+1)
  The CertPrettyPrint has been modified to use the standard names for message digests so that it will work with standard security provider. Ticket #392
* Removal of version numbers from jar file names (Matthew Harmsen, 2012-10-29; 2 files, -24/+4)
  * TRAC Ticket #350 - Dogtag 10: Remove version numbers from PKI jar files . . .
* Reverted to old interface and httpclient to get installation token. (Ade Lee, 2012-10-12; 1 file, -0/+9)
  This is a workaround until we can get the new interface working on IPA clones.