| Commit message (Collapse) | Author | Age | Files | Lines |
... | |
|
|
|
|
|
|
| |
The OtherName has been modified to always close the
DerOutputStream instances.
https://fedorahosted.org/pki/ticket/2530
|
|
|
|
|
|
|
|
| |
For clarity the PKCS12Util.loadFromByteArray() has been modified
to generate a more accurate exception message on PKCS #12
verification failure.
https://fedorahosted.org/pki/ticket/2476
|
|
|
|
|
|
|
|
|
|
| |
The CryptoUtil.getTokenName() has been modified to check both the
short name and full name of the internal token.
The ConfigurationUtils.deleteCert() has also been modified to call
CryptoUtil.getTokenName().
https://fedorahosted.org/pki/ticket/2500
|
|
|
|
|
|
|
|
|
| |
To help troubleshooting build issues the pki-nsutil-classes
build target has been modified to depend on symkey-jar although
there is no actual code dependency. This way the targets will
be built sequentially and error messages will be easier to find.
https://fedorahosted.org/pki/ticket/2476
|
|
|
|
|
|
|
| |
The CMake scripts have been modified to store compiled Java classes
in separate folders for each JAR files to avoid duplicates.
https://fedorahosted.org/pki/ticket/2505
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
To fix cloning issue in IPA the security_database.py has been
modified to import all certificates and keys in the PKCS #12 file
before the PKI server is started. Since the PKCS #12 generated by
IPA may not contain the certificate trust flags, the script will
also reset the trust flags on the imported certificates (i.e.
CT,C,C for CA certificate and u,u,Pu for audit certificate).
The ConfigurationUtils.restoreCertsFromP12() is now redundant and
it should be removed in the future, but for now it has been
modified to set the same trust flags on imported certificates.
The CryptoUtil.importCertificateChain() has also been modified to
set the same trust flags on imported certificates.
https://fedorahosted.org/pki/ticket/2424
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Support to allow the TPS to do the following:
1. Request that the TKS creates a shared secret with the proper ID, pointing to the TPS.
2. Have the TKS securely return the shared secret back to the TPS during the end of configuration.
3. The TPS then imports the wrapped shared secret into it's own internal NSS db permanenty and.
4. Given a name that is mapped to the TPS's id string.
Additional fixes:
1. The TKS was modified to actually be able to use multiple shared secrets registered by
multiple TPS instances.
Caveat:
At this point if the same remote TPS instance is created over and over again, the TPS's user
in the TKS will accumulate "userCert" attributes, making the exportation of teh shared secret
not functional. At this point we need to assume that the TPS user has ONE "userCert" registered
at this time.
|
|
|
|
|
|
| |
This patch removes references to the ciphers currently unsupported by NSS:
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The pki pkcs12-import CLI has been modified not to import
certificates that already exist in the NSS database unless
specifically requested with the --overwrite parameter. This
will avoid changing the trust flags of the CA signing
certificate during KRA cloning.
The some other classes have been modified to provide better
debugging information.
https://fedorahosted.org/pki/ticket/2374
|
|
|
|
| |
This patch adds support for SHA384withRSA signing algorithm.
|
|
|
|
|
|
|
|
| |
The deployment tool has been modified to support adding Subordinate
CA extension into the CSR for Microsoft CA, and also adding generic
extensions to any system certificate.
https://fedorahosted.org/pki/ticket/2312
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add the framework for key retrieval when a lightweight CA is missing
its signing key. This includes all the bits for loading a
KeyRetriever implementation, initiating retrieval in a thread and
updating the record of which clones possess the key if retrieval was
successful.
It does not include a KeyRetriever implementation. A subsequent
commit will provide this.
Part of: https://fedorahosted.org/pki/ticket/1625
|
|
|
|
|
|
|
|
| |
Add the method CryptoUtil.importPKIArchiveOptions for importing a
wrapped key from a PKIArchiveOptions object. Also add another
variant of the createPKIArchiveOptions method, with a narrower API.
Part of: https://fedorahosted.org/pki/ticket/1625
|
|
|
|
|
|
|
|
| |
The CLIs for exporting PKCS #12 file have been modified to accept
options to export without trust flags, keys, and/or certificate
chain.
https://fedorahosted.org/pki/ticket/1736
|
|
|
|
|
|
|
| |
The CertificateExtensions.parseExtension() and some extension
classes have been modified to chain the original exception.
https://fedorahosted.org/pki/ticket/1654
|
|
|
|
|
|
|
| |
The methods in X509CertInfo have been modified to chain the
original exception.
https://fedorahosted.org/pki/ticket/1654
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
For backward compatibility the pki pkcs12-import has been modified
to generate default nicknames and trust flags for CA certificates
if they are not specified in the PKCS #12 file. The PKCS12Util was
also modified to find the certificate corresponding to a key more
accurately using the local ID instead of the subject DN.
The configuration servlet has been modified to provide better
debugging information when updating the security domain.
https://fedorahosted.org/pki/ticket/2255
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The ConfigurationUtils.backupKeys() has been modified to use
PKCS12Util to export the certificates and their trust flags into
a PKCS #12 file such that the file can be used for cloning.
The code to generate PFX object has been refactored from the
PKCS12Util.storeIntoFile() into a separate generatePFX() method.
The PKCS12Util.loadCertFromNSS() has been modified to provide
options to load a certificate from NSS database without the key
or the certificate chain. The CLIs have been modified to provide
the same options.
The PKCS12Util.getCertInfo() has modified to ignore missing
certificate attributes in the PKCS #12 file and generate a new
local ID.
https://fedorahosted.org/pki/ticket/2255
|
|
|
|
|
|
|
|
|
|
|
|
| |
It is possible to encounter a case where the
CRLDistributionPointsExtension static initialiser, which adds the
class to the OIDMap, has not been invoked. This can cause a
ClassCastException, e.g. in CRLDistributionPointsExtDefault.
Update OIDMap to add CRLDistributionPointsExtension in its own
static initialiser.
Fixes: https://fedorahosted.org/pki/ticket/2237
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The installation code has been modified such that it imports all
CA certificates from the PKCS #12 file for cloning before the
server is started using certutil. The user certificates will
continue to be imported using the existing JSS code after the
server is started. This is necessary since JSS is unable to
preserve the CA certificate nicknames.
The PKCS12Util has been modified to support multiple certificates
with the same nicknames.
The pki pkcs12-cert-find has been modified to show certificate ID
and another field indicating whether the certificate has a key.
The pki pkcs12-cert-export has been modified to accept either
certificate nickname or ID.
The pki pkcs12-import has been modified to provide options for
importing only user certificates or CA certificates.
https://fedorahosted.org/pki/ticket/1742
|
|
|
|
|
|
|
|
|
| |
The OCSP digest name lookup is currently defined in IOCSPAuthority
and implemented by OCSPAuthority, but /any/ code that deals with
CertID might need to know the digest, so move the lookup there.
Also refactor the lookup to use a HashMap, and add mappings for SHA2
algorithms.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The utility for exporting certs and keys to a PKCS12 file
did not handle the signing certificate correctly. This is
because the signing certificate was imported multiple times
during the export process - either with its key (and key id set)
or as part of the cert chain for the other system certs (with
no key set).
Each import would override the previous import - so whether
or not the key_id was set would depend on the order in which
the certificates were imported.
This becomes an issue for import into a clone certdb, because in
the new mechanism, we rely on the cert attributes (ie. key_id) to
determine if a key is to be imported or not.
We fix this by specifying whether the entry in the export should
be overwritten or not.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently JSS is unable to import CA certificates while preserving
their nicknames. As a workaround, the pki pkcs12-import has been
modified such that it exports individual CA certificates from PKCS
The remaining user certificates will continue to be imported using
JSS.
A new pki pkcs12-cert-export command has been added to export
individual certificates from PKCS #12 file into PEM files.
The pki pkcs12-import has been modified to take a list of nicknames
of the certificates to be imported into NSS database.
https://fedorahosted.org/pki/ticket/1742
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The PKCSUtil has been updated to match the functionality provided
by JSS.
In order to import a certificate properly, the certificate needs
to be exported with its private key and certificate chain, so the
option to export without key or without the certificate chain has
been removed. The option to export only the certificate chain has
also been removed since it can be done by exporting the complete
certificate chain, then remove the leaf certificate while keeping
the chain.
The pki pkcs12-cert-add has been modified to provide an option
to create a new PKCS #12 file to store the certificate.
The pki pkcs12-export has been modified to always overwrite
existing file to match the behavior of PKCS12Export. It also has
been modified to accept a list of nicknames of certificates to
export.
https://fedorahosted.org/pki/ticket/1742
|
|
|
|
|
|
|
| |
New CLIs have been added to add a certificate from NSS database and
to remove a certificate from the PKCS #12 file.
https://fedorahosted.org/pki/ticket/1742
|
|
|
|
|
|
|
|
|
|
|
|
| |
The PKCS12Util has been modified such that it stores the certs and
keys in PKCS12 object instead of PFX object. The PKCS12 object can
be loaded either from NSS database or PKCS #12 file. The PKCS12
object can later be stored into NSS database or PKCS #12 file.
The pki pkcs12-cert-find and pkcs12-key-find commands were modified
to require PKCS #12 password.
https://fedorahosted.org/pki/ticket/1742
|
|
|
|
|
|
|
|
|
|
| |
The PKCS12CertInfo and PKCS12KeyInfo classes have been moved out
of PKCS12Util into separate classes.
The createLocalKeyID() has been modified to return BigInteger
instead of byte array.
https://fedorahosted.org/pki/ticket/1742
|
|
|
|
|
|
|
|
|
| |
A new PKCS #12 attribute has been defined to store NSS certificate
trust flags in PKCS #12 file. The PKCS12Util has been modified to
store the trust flags during export and reset the trust flags in
NSS database during import.
https://fedorahosted.org/pki/ticket/1742
|
|
|
|
|
|
|
|
| |
The pki pkcs12-import and pki pkcs12-export commands have been
added to import and export PKCS #12 file into and from NSS
database.
https://fedorahosted.org/pki/ticket/1742
|
|
|
|
|
|
|
|
|
|
|
| |
PKCS #7 objects are being output with the "CERTIFICATE CHAIN" label
which is invalid (RFC 7468) and unrecognised by many programs
(including OpenSSL). Use the correct "PKCS7" label instead.
Also do a drive-by refactor of the normalizeCertAndReq to remove
some redundant code.
Fixes: https://fedorahosted.org/pki/ticket/1699
|
|
|
|
|
|
|
| |
The pki pkcs12-cert-find and pki pkcs12-key-find commands have
been added to list the certificates and keys in a PKCS #12 file.
https://fedorahosted.org/pki/ticket/1742
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The code to export NSS database into PKCS #12 file in PKCS12Export
tool has been refactored into PKCS12Util class to simplify further
enhancements.
The PKCS12Export tool has also been modified to use Java Logging
API. A default logging configuration file has been added. The
command-line wrapper has been modified to get the path to the
logging configuration file from pki.conf.
https://fedorahosted.org/pki/ticket/1742
|
|
|
|
|
|
|
|
| |
The LDAPPostReadControl can be used to read an entry after perfoming
an add, modify or modrdn, giving atomic access to operational
attributes.
Part of: https://fedorahosted.org/pki/ticket/1700
|
| |
|
|
|
|
| |
client and server This patch provides subsystem->subsystem cipher configuration when acting as a client
|
|
|
|
| |
clients are: cli, HttpClient, and java console
|
|
|
|
|
|
|
|
|
|
|
| |
The HttpConnection class has been modified to support fail-over
and timeout more consistently. The targets are parsed into a list
during initialization. All direct calls to HttpClient.connect()
are replaced with a method that will connect to the first available
target. All connections are now created with a timeout (which by
default is 0).
https://fedorahosted.org/pki/ticket/891
|
|
|
|
| |
- patch ported from https://bugzilla.redhat.com/show_bug.cgi?id=1011984
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds some new unit files and targets for starting instances
with nuxwdog, as well as logic within the pki-server nuxwdog module to
switch to/from the old and new systemd unit files.
It also corrects some issues found in additional testing of the nuxwdog
change scripts.
To use nuxwdog to start the instance, a user needs to do the following:
1. Create an instance normally.
2. Run: pki-server instance-nuxwdog-enable <instance_name>
3. Start the instance using:
systemctl start pki-tomcatd-nuxwdog@<instance_name>.service
To revert the instance, simply do the following:
1. Run: pki-server instance-nuxwdog-disable <instance_name>
2. Start the instance using:
systemctl start pki-tomcatd@<instance_name>.service
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is the first of several commits. This adds a LifecycleListener
to call init() on the nuxwdog client before any connectors or webapps
start up, and call sendEndInit() once initialization completes.
Code is also added to prompt for and test required passwords on startup.
All that is required to use nuxwdog is to start the server using nuxwdog.
An environment variable will be set that will trigger creation of the
NuxwdogPasswordStore. We expect tags for the required passwords to be in
cms.passwordList
|
| |
|
|
|
|
|
|
| |
Some CMake scripts have been updated to work on both F21 and F22.
https://fedorahosted.org/pki/ticket/1281
|
|
|
|
|
|
|
| |
The OCSPClient CLI has been refactored into an OCSPProcessor
utility class such that the functionality can be reused.
https://fedorahosted.org/pki/ticket/1202
|
|
|
|
|
|
|
|
|
|
|
| |
The PKCS #9 challengePassword attribute has DirectoryString syntax.
Dogtag currently attempts only to decode it as a PrintableString,
causing failures when the attribute is encoded as a UTF8String.
Add method DerValue.getDirectoryString() to decode any of the valid
DirectoryString encodings and update ChallengePassword to use it.
https://fedorahosted.org/pki/ticket/1221
|
|
|
|
| |
TLS v1.2
|
| |
|
|
|
|
| |
subordinate certificate signing requests (CSR)
|
|
|
|
|
|
| |
- Removed dependency on removed internal junit class
- moved cmake reference to junit4.jar to junit.jar
- Disambiguate a couple of references
|