| Commit message (Collapse) | Author | Age | Files | Lines |
The TPS UI and CLI have been modified to accept only user ID and
policy attributes when modifying a token.
https://fedorahosted.org/pki/ticket/1687
Ticket #1734: TPS issue with overflowing PKCS#11 cert index numbers
This patch contains the following:
1. Fixes in TPS to allow the server to set and read muscle object IDs that are greater than 9.
The ID is stored as a single ASCII byte in the object ID. Previous libcoolkey patches exist to now support numbers
larger than 9, by the following:
0-9 is represented by the ASCII chars for 0 through 9.
10 - 35 represented by the ASCII chars for 'A' through 'Z'.
36 - 61 represented by the ASCII chars for 'a' through 'z'.
Once coolkey is updated it will be able to read these IDs.
TPS with this patch will be able to both read numbers 0 - 62 and to set them when creating PKCS#11 objects to be stored on the token.
When the proper libcoolkey is installed, the coolkey driver will be able to read certs and keys with IDs > 9. Thus, for instance, a cert with an ID of C6, with keys of k12 and k13, will be supported and viewable in the Firefox cert viewer. Also the certs will be usable for operations.
2. A fix to the routine that finds a free ID number to assign to a soon-to-be-recovered cert: it will now have the ability to find unused slots instead of just incrementing one over the highest currently used index.
3. Made a couple of minor cleanup fixes to externalReg functionality discovered during testing of this feature.
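Worked example, added here and not part of the TPS or libcoolkey code: the one-byte object ID alphabet described in the message above, with the hole-reusing allocator beside the old max-plus-one behaviour. The cert-to-key index relation (cert n uses key indexes 2n and 2n+1) is inferred from the "C6 with k12 and k13" example and is an assumption, as are the "C"/"k" object-name prefixes and the 30-cert ceiling that follows from it.

```python
import string

# Single-character ID alphabet from the commit message:
# 0-9 -> '0'..'9', 10-35 -> 'A'..'Z', 36-61 -> 'a'..'z'.
ID_ALPHABET = string.digits + string.ascii_uppercase + string.ascii_lowercase
MAX_ID = len(ID_ALPHABET) - 1  # 61


def encode_object_id(index: int) -> str:
    """Map a numeric object index to the single ASCII byte stored on the token."""
    if not 0 <= index <= MAX_ID:
        raise ValueError(f"object index {index} does not fit in one ID byte (0..{MAX_ID})")
    return ID_ALPHABET[index]


def decode_object_id(byte: str) -> int:
    """Inverse of encode_object_id; rejects anything outside the alphabet."""
    if len(byte) != 1 or byte not in ID_ALPHABET:
        raise ValueError(f"invalid object ID byte {byte!r}")
    return ID_ALPHABET.index(byte)


def object_names(cert_index: int) -> tuple:
    """Object names for a cert and its key pair (assumption, see lead-in).

    Cert index n is assumed to use key indexes 2n and 2n+1, so the commit's
    'C6 with k12 and k13' becomes C6, kC, kD once the key indexes are encoded.
    Because the key indexes must also fit in one byte (<= 61), the highest
    usable cert index under this scheme is 30.
    """
    return (
        "C" + encode_object_id(cert_index),
        "k" + encode_object_id(2 * cert_index),
        "k" + encode_object_id(2 * cert_index + 1),
    )


def next_free_cert_index(used: set, limit: int = MAX_ID // 2) -> int:
    """Lowest unused cert index, reusing holes left by deleted certs."""
    for candidate in range(limit + 1):
        if candidate not in used:
            return candidate
    raise RuntimeError("no free cert index left on the token")


def next_index_old_behaviour(used: set) -> int:
    """Pre-patch allocation for comparison: one past the highest index in use."""
    return max(used) + 1 if used else 0
```

With a token holding certs 0, 1, 2 and 5, the old allocator hands out 6 and keeps climbing towards the ID-byte limit; the hole-aware one hands out 3.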
The labels for token states and the transitions are now stored
in token-states.properties. The default file will be stored
in the /usr/share/pki/tps/conf, but it can be overridden by
copying and customizing the file into <instance>/tps/conf.
When the UI retrieves the token data the labels for the current
state and the valid transitions will be loaded from the file
and returned to the UI. The UI will show the transition labels
in the dropdown list for changing token status.
https://fedorahosted.org/pki/ticket/1289
https://fedorahosted.org/pki/ticket/1291
The TPS UI and CLI have been modified to accept only token ID,
and optionally user ID and policy attributes when adding a token.
https://fedorahosted.org/pki/ticket/1477
https://fedorahosted.org/pki/ticket/1687
The DBSSession has been modified to attach the LDAPException
to the EDBException. The TokenService will catch the EDBException
and obtain the original LDAPException. This way the TokenService
can obtain the LDAP error code and throw the proper exception to
the client.
https://fedorahosted.org/pki/ticket/1646
The TokenService has been modified to re-throw the original
PKIException. This way on invalid token state transition the
client will receive the original BadRequestException. Other
types of exception will be wrapped with PKIException.
https://fedorahosted.org/pki/ticket/1684
The TPS service has been modified to provide a list of allowed
state transitions based on the current token state. The TPS UI
was modified to display only the allowed state transitions when
changing the token status.
The allowed state transition list has been modified to remove
invalid token transitions including:
* UNINITIALIZED -> FOUND
* UNINITIALIZED -> TEMP_LOST_PERM_LOST
The token FOUND state has been renamed to ACTIVE for clarity.
The token TEMP_LOST_PERM_LOST state has been merged into
PERM_LOST since they are identical in the database.
https://fedorahosted.org/pki/ticket/1289
https://fedorahosted.org/pki/ticket/1291
https://fedorahosted.org/pki/ticket/1684
Due to a recent change the KRA installation failed because the
installer was trying to read the pki_external_csr_path parameter
which is not available for KRA installation. The installer has
been fixed to read the parameter in external CA case only.
https://fedorahosted.org/pki/ticket/456
The TPS UI has been modified such that if the browser does not
support logout operation it will show a message asking the user
to clear the Active Logins or close the browser.
https://fedorahosted.org/pki/ticket/1344
https://fedorahosted.org/pki/ticket/1738
The pki.nss module has been renamed into pki.nssdb to prevent
conflicts with the nss module.
https://fedorahosted.org/pki/ticket/456
The pkispawn has been modified to display the proper summary for
external CA and existing CA cases.
https://fedorahosted.org/pki/ticket/456
Two Tomcat version-specific implementations of
SSLAuthenticatorWithFallback exist, with much duplicate code.
Extract an abstract base class 'AbstractPKIAuthenticator' and
implement just the unique bits in the concrete classes.
Part of: https://fedorahosted.org/pki/ticket/1359
Properly formed GET-based OCSP requests can contain URL-encoded
slashes in the HTTP path[1] but our Tomcat configuration does not
permit this (returns 400 Bad Request). Change catalina.properties
to allow URL-encoded slashes in HTTP paths.
[1] https://tools.ietf.org/html/rfc6960#appendix-A.1
Also add an upgrade script to update catalina.properties in existing
instances.
Fixes: https://fedorahosted.org/pki/ticket/1658
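Worked example, added here and not the project's code: the GET form of an OCSP request from RFC 6960 Appendix A.1, built by a client and then decoded by a model of the server side that applies the container's encoded-slash policy first. The Tomcat property that the catalina.properties change enables is `org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH`; the DER bytes below are a constructed stand-in chosen so that their base64 form contains '/', not a real OCSPRequest, and the responder URL is made up.

```python
import base64
import urllib.parse

# catalina.properties line the commit adds (Tomcat system property):
#   org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true
# Without it Tomcat answers 400 Bad Request to any path containing %2F,
# before the OCSP servlet ever sees the request.

# Constructed stand-in for a DER-encoded OCSPRequest (not a real request);
# picked so that base64 yields '/' characters: b64 is "MH////8A".
SAMPLE_DER_REQUEST = b"\x30\x7f\xff\xff\xff\x00"


def ocsp_get_url(responder_url: str, der_request: bytes) -> str:
    """Client side: RFC 6960 A.1, url-encoding of the base64 of the DER request.

    base64 can emit '/', '+' and '='.  quote(..., safe="") turns '/' into %2F;
    an unencoded '/' would be read by the server as a path separator.
    """
    b64 = base64.b64encode(der_request).decode("ascii")
    return responder_url.rstrip("/") + "/" + urllib.parse.quote(b64, safe="")


def serve_ocsp_get(path: str, allow_encoded_slash: bool) -> tuple:
    """Server side model: container path policy, then OCSP request decoding.

    Returns (status, der_request).  The last path segment is taken as the
    encoded request; this assumes the client encoded its slashes, which is
    exactly what a well-formed request does.
    """
    if not allow_encoded_slash and "%2f" in path.lower():
        return 400, None  # Tomcat's default refusal of encoded slashes
    segment = path.rsplit("/", 1)[-1]
    try:
        der = base64.b64decode(urllib.parse.unquote(segment), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return 400, None
    return 200, der
```

A quick check against a live responder is `curl -v "$(python3 -c 'print(ocsp_get_url(...))')"`; a 400 with no OCSP response body on an otherwise healthy CA is the symptom the commit fixes.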
It is possible for the CMS getStatus resource to indicate that CMS
is ready when the initial loading of profiles (which is performed by
another thread) is not complete. During startup, wait for the
initial loading of profiles to complete before continuing.
Fixes: https://fedorahosted.org/pki/ticket/1702
The file-based LDAP profile subsystem does not update profiles
correctly. Ensure that each commit of the underlying config store
refreshes the profile inputs, outputs and policy objects.
Part of: https://fedorahosted.org/pki/ticket/1700
Deleting and then immediately recreating a profile can result in the
new profile temporarily going missing, if the DELETE
EntryChangeControl is processed after profile re-addition.
Handle this case by tracking the nsUniqueId of entries that are
deleted by an LDAPProfileSubsystem and NOT (re-)forgetting the
profile when the subsequent EntryChangeControl gets processed.
Fixes: https://fedorahosted.org/pki/ticket/1700
For ticket #1007 TPS Audit Events, we need to add audit messages.
The existing parameter name "auditMsg" has been used broadly for
TPS logging, which could be confused for the actual audit messages.
This patch is to replace all the existing "auditMsg" parameters with
"logMsg" instead.
The PKIConnection class uses python-requests for HTTPS. The library
picks up several settings from environment variables, e.g. HTTP proxy
server, certificate bundle with trust anchors and authentication. A
proxy can interfere with the Dogtag installer and cause some operations
to fail.
With session.trust_env = False python-requests no longer inspects the
environment and Dogtag has full control over its connection settings.
For backward compatibility reasons trust_env is only disabled during
installation and removal of Dogtag.
https://requests.readthedocs.org/en/latest/api/?highlight=trust_env#requests.Session.trust_env
https://fedorahosted.org/pki/ticket/1733
https://fedorahosted.org/freeipa/ticket/5555
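Worked example, added here and not Dogtag's PKIConnection code: what `trust_env` changes, shown without opening a connection. `Session.merge_environment_settings()` is the public step inside `Session.request()` that consults the environment, so calling it directly exposes the proxy and CA-bundle values requests would use. The environment values and the URL are constructed for the example; python-requests must be installed.

```python
import os
from contextlib import contextmanager

import requests

# Constructed values: they only need to be visible to requests, not reachable.
CONSTRUCTED_ENV = {
    "HTTPS_PROXY": "http://proxy.example:3128",
    "REQUESTS_CA_BUNDLE": "/etc/pki/tls/certs/ca-bundle.crt",
}

# Variables requests consults for proxies and trust anchors.  They are cleared
# first so whatever is set on the machine running this cannot leak in.
ENV_KEYS = ("HTTP_PROXY", "HTTPS_PROXY", "ALL_PROXY", "NO_PROXY",
            "REQUESTS_CA_BUNDLE", "CURL_CA_BUNDLE")


@contextmanager
def scoped_environ(values: dict):
    """Temporarily replace the proxy/CA environment (both cases of each name)."""
    names = [n for k in ENV_KEYS for n in (k, k.lower())]
    saved = {n: os.environ.get(n) for n in names}
    for n in names:
        os.environ.pop(n, None)
    os.environ.update(values)
    try:
        yield
    finally:
        for n in names:
            os.environ.pop(n, None)
        for n, v in saved.items():
            if v is not None:
                os.environ[n] = v


def connection_settings(trust_env: bool,
                        url: str = "https://pki.example.org:8443/ca/rest/info") -> dict:
    """Proxies/verify/cert that requests would actually apply to `url`.

    With trust_env=True the proxy from HTTPS_PROXY and the bundle from
    REQUESTS_CA_BUNDLE are merged in; with trust_env=False the session's own
    settings (no proxy, verify=True) are all that remain, which is what the
    installer wants while it talks to the instance it is configuring.
    """
    session = requests.Session()
    session.trust_env = trust_env
    with scoped_environ(CONSTRUCTED_ENV):
        return session.merge_environment_settings(url, {}, None, None, None)
```

Note that `REQUESTS_CA_BUNDLE` silently replaces the trust store, so an environment variable can also make verification succeed against a different set of anchors than the installer expects; disabling `trust_env` closes that path too.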
A lot of Python files start with a #!/usr/bin/python shebang although
the files are neither executables nor designed as scripts. Shebangs are
only required for executable scripts.
Without unnecessary shebangs it's a bit easier to track Python 3
porting.
Avoid race conditions in the LDAPProfileSubsystem by tracking the
most recently known entryUSN of profiles' LDAP entries.
As part of this change, add the commitProfile method to the
IProfileSubsystem interface, remove commit behaviour from the
enableProfile and disableProfile methods and update ProfileService
and ProfileApproveServlet to commit the profile (using the
commitProfile method) where needed.
Part of: https://fedorahosted.org/pki/ticket/1700
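Worked example serving this commit and the delete-then-recreate commit above; added here and not the Java LDAPProfileSubsystem. It is an in-memory model of the two guards the messages describe: remembering the nsUniqueId of entries the subsystem deleted itself so a late DELETE notification does not forget a re-added profile, and keeping the last entryUSN seen so an older notification cannot overwrite newer data. Profile IDs, nsUniqueId values and USNs are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Set


@dataclass
class CachedProfile:
    entry_usn: int        # last entryUSN seen for this profile's LDAP entry
    ns_unique_id: str     # nsUniqueId of the entry the cached copy came from
    config: dict


class ProfileCacheModel:
    """Simplified model of how the subsystem reconciles its own writes with
    the asynchronous persistent-search notifications (EntryChangeControl)."""

    def __init__(self) -> None:
        self.profiles: Dict[str, CachedProfile] = {}
        # nsUniqueIds of entries this subsystem deleted itself.  A DELETE
        # notification for one of these is already applied and must be ignored.
        self.deleted_by_us: Set[str] = set()

    # --- local operations (the subsystem's own writes) -----------------
    def commit_profile(self, profile_id, ns_unique_id, entry_usn, config):
        """Result of our own add/modify, read back with the post-read control."""
        self.profiles[profile_id] = CachedProfile(entry_usn, ns_unique_id, config)

    def delete_profile(self, profile_id):
        cached = self.profiles.pop(profile_id)
        self.deleted_by_us.add(cached.ns_unique_id)

    # --- notifications from the persistent search ----------------------
    def on_entry_change(self, change_type, profile_id, ns_unique_id, entry_usn, config=None):
        if change_type == "delete":
            if ns_unique_id in self.deleted_by_us:
                self.deleted_by_us.discard(ns_unique_id)   # our own delete
                return
            self.profiles.pop(profile_id, None)             # someone else's
            return
        cached = self.profiles.get(profile_id)
        if cached is not None and cached.entry_usn >= entry_usn:
            return  # stale or duplicate notification; newer data already held
        self.profiles[profile_id] = CachedProfile(entry_usn, ns_unique_id, config)

    def has(self, profile_id) -> bool:
        return profile_id in self.profiles


def delete_then_recreate_scenario(track_deletes: bool = True) -> bool:
    """Replay the race from the commit; True if the re-added profile survives."""
    cache = ProfileCacheModel()
    cache.commit_profile("caUserCert", "uid-1", entry_usn=100, config={"v": 1})
    cache.delete_profile("caUserCert")
    if not track_deletes:
        cache.deleted_by_us.clear()  # pre-fix behaviour
    # Re-add gets a new nsUniqueId and is committed before the DELETE
    # notification for the old entry has been processed.
    cache.commit_profile("caUserCert", "uid-2", entry_usn=102, config={"v": 2})
    cache.on_entry_change("add", "caUserCert", "uid-2", entry_usn=102, config={"v": 2})
    cache.on_entry_change("delete", "caUserCert", "uid-1", entry_usn=101)
    return cache.has("caUserCert")


def stale_modify_scenario() -> int:
    """A MODIFY notification older than our own commit must not win."""
    cache = ProfileCacheModel()
    cache.commit_profile("caUserCert", "uid-1", entry_usn=110, config={"v": 3})
    cache.on_entry_change("modify", "caUserCert", "uid-1", entry_usn=105, config={"v": 2})
    return cache.profiles["caUserCert"].config["v"]
```

Reading the entry back atomically after the write (the post-read control from the commit below) is what makes `commit_profile` able to record a trustworthy entryUSN in the first place.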
The LDAPPostReadControl can be used to read an entry after performing
an add, modify or modrdn, giving atomic access to operational
attributes.
Part of: https://fedorahosted.org/pki/ticket/1700
With the latest TPS, the ESC auth dialog has displayed the password field before the UID field.
This patch addresses this in the simplest fashion by modifying the class that presents the field
data to the client to make sure that UID field is encountered first.
The TPS UI has been modified to provide an interface to run the
selftests and display the results.
https://fedorahosted.org/pki/ticket/1502
The pki selftest-run command has been modified to execute the
specified selftests, or all selftests if nothing is specified.
The command will also display the status of each test and the
stack trace if it fails.
https://fedorahosted.org/pki/ticket/1502
The TPS UI has been modified to provide a table as an interface
to manage the user profiles. When adding a profile, the profile
can be selected from a list of available profiles.
The UserService and UGSubsystem have been modified to allow adding
a user with no assigned profiles.
https://fedorahosted.org/pki/ticket/1478
The TPS UI has been modified to display the accessible services
based on the user's roles. A TPS admin has access to all services.
A TPS agent has access to tokens, certificates, activities, and
profiles. A TPS operator has access to tokens, certificates, and
activities only.
https://fedorahosted.org/pki/ticket/1476
Ticket #1514 TPS: Recovered certs on a token has status expired
Ticket #1587 External Registration Recovery only works for 1024 sized keys out of the box
This patch provides the cert/key retention feature for externalReg.
If the certsToAdd field contains (serial,ca#) instead of the full
(serial, ca#, keyId, kra#), then it is expecting the cert/keys to be
retained from token without having to do a full retrieval (recovery);
If an existing cert (and its keys) on the token is not explicitly
retained then it is deleted.
This patch also fixes the issues reported in #1514 and #1587 as testing
of #1375 is easier with those two issues addressed.
An issue was found during development where Coolkey puts limits on the
cert/key IDs on the token and makes it impossible to inject a cert ID higher
than 4, as it would then result in key IDs with two digits.
Another issue that adds to running into the limit is that the function
that gets the next free cert ID number does not make any attempt to search
for "holes" to reuse.
The cert/key ID assignment/limit issue will be filed as a separate ticket
and addressed separately. More complicated testing will be conducted then.
Some password and PIN fields are missing from the no_interpolation list.
One entry is misspelled. A '%' in a password field such as
pki_clone_pkcs12_password causes an installation error.
https://fedorahosted.org/pki/ticket/1703
Signed-off-by: Christian Heimes <cheimes@redhat.com>
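Worked example, added here and not pkispawn's own code: the failure mode behind this commit, reproduced with the standard library's configparser. Deployment files rely on `%(name)s` references between parameters, so interpolation cannot simply be turned off; secrets must instead be fetched with `raw=True`, and a key missing or misspelled in that list is interpolated and fails on the first '%'. The fragment, the `pki_instance_path` key and the misspelled `pki_clone_pkcs12_passwd` key are constructed; the password parameter names in the list are a few real pkispawn ones, not the installer's complete list.

```python
import configparser

# A few real pkispawn password parameters (the installer's list is longer).
# Anything not in this set goes through '%' interpolation on every read.
NO_INTERPOLATION = {
    "pki_admin_password",
    "pki_clone_pkcs12_password",
    "pki_ds_password",
    "pki_token_password",
}

# Constructed deployment fragment.  pki_instance_path is a hypothetical key
# that shows why interpolation has to stay on for ordinary parameters.
# pki_clone_pkcs12_passwd stands in for the misspelled list entry.
SAMPLE_DEPLOYMENT_CFG = """\
[DEFAULT]
pki_instance_name=pki-tomcat
pki_instance_path=/var/lib/pki/%(pki_instance_name)s

[KRA]
pki_clone_pkcs12_password=s3cr%t!
pki_clone_pkcs12_passwd=s3cr%t!
"""


def read_param(text: str, section: str, key: str,
               no_interpolation=NO_INTERPOLATION) -> str:
    """Fetch one parameter the way the installer should: raw for secrets only.

    configparser does not validate '%' sequences while reading the file; the
    InterpolationSyntaxError surfaces only when the value is fetched, which is
    why a bad password breaks the install part-way through rather than up front.
    """
    parser = configparser.ConfigParser()
    parser.read_string(text)
    return parser.get(section, key, raw=key in no_interpolation)


def read_param_status(text: str, section: str, key: str) -> str:
    """'ok' or 'interpolation-error', so the failure mode is observable."""
    try:
        read_param(text, section, key)
        return "ok"
    except configparser.InterpolationError:
        return "interpolation-error"
```

Passwords containing '%' are common output of generators, so the raw list is effectively part of the installer's input validation; a test that reads every password parameter with a '%' in its value is the cheapest way to catch the next misspelling.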
The CAValidityDefault has been modified to use Calendar API to
calculate the certificate validity range to be consistent with
the ValidityConstraint and ValidityDefault.
https://fedorahosted.org/pki/ticket/1682
The installation code for external CA case has been fixed such
that IPA can detect step 1 completion properly.
The code that handles certificate data conversion has been fixed
to reformat base-64 data for PEM output properly.
The installation summary for step 1 has been updated to provide
more accurate information.
https://fedorahosted.org/pki/ticket/456
The sslget tool sends a TLS SNI header. Apache doesn't like server name
indication without a matching HTTP header. Requests without a Host
header are refused with
HTTP/1.1 400 Bad Request
Hostname example.org provided via SNI, but no hostname provided in HTTP request
sslget now sets a Host HTTP header for all requests.
https://fedorahosted.org/pki/ticket/1704
Signed-off-by: Christian Heimes <cheimes@redhat.com>
The selftest has been modified to throw an exception and provide
more specific error message if a test fails in order to help
troubleshoot the problem.
https://fedorahosted.org/pki/ticket/1328
Part of: https://fedorahosted.org/pki/ticket/1700
The pki-cert and pki-server-subsystem man pages have been updated
to include recent changes.
https://fedorahosted.org/pki/ticket/456
The deployment procedure for external CA has been modified
such that it generates the CA CSR before starting the server.
This allows the same procedure to be used to import CA
certificate from an existing server. It also removes the
requirement to keep the server running while waiting to get
the CSR signed by an external CA.
https://fedorahosted.org/pki/ticket/456
The pki ca-cert-request-submit command has been modified to
provide options to specify the profile name and the CSR which
will be used to create and populate the request object. This
way it's no longer necessary to download the request template
and insert the CSR manually.
https://fedorahosted.org/pki/ticket/456
A new command has been added to export a system certificate, the
CSR, and the key. This command can be used to migrate a system
certificate into another instance.
https://fedorahosted.org/pki/ticket/456
The pki-core.spec has been modified to execute pki-server migrate
when the package is installed. This way when upgrading from F22 to
F23 all PKI instances will be migrated automatically to Tomcat 8.
The pki-server migrate command has been modified such that if there
is no specific Tomcat version specified it will use the current
Tomcat version.
The top attribute in the CLI class was not functioning properly,
so it has been replaced with get_top_module() method.
The getopt() invocations in pki-server subcommands have been
replaced with gnu_getopt() to allow intermixing options and
arguments.
https://fedorahosted.org/pki/ticket/1310
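Worked example, added here and not the pki-server CLI code: the difference between `getopt.getopt()` and `getopt.gnu_getopt()` that the last paragraph refers to. The option names are modelled on `pki-server` (`-i`/`--instance`, `--tomcat`) but the subcommand shape, the positional argument and the defaults are assumptions for this example.

```python
import getopt
import os


def parse_subcommand_args(argv: list, gnu: bool = True) -> tuple:
    """Parse options for a pki-server-style subcommand.

    POSIX getopt stops at the first non-option, so 'ca -i pki-tomcat' leaves
    -i unparsed; gnu_getopt keeps scanning and returns the positionals
    separately.  Returns (options, positional_args).
    """
    # gnu_getopt silently reverts to POSIX ordering when POSIXLY_CORRECT is
    # set; clear it so the comparison is about the parser, not the shell.
    os.environ.pop("POSIXLY_CORRECT", None)
    parse = getopt.gnu_getopt if gnu else getopt.getopt
    opts, args = parse(argv, "i:v", ["instance=", "tomcat=", "verbose"])
    options = {"instance": "pki-tomcat", "tomcat": None, "verbose": False}
    for opt, value in opts:
        if opt in ("-i", "--instance"):
            options["instance"] = value
        elif opt == "--tomcat":
            options["tomcat"] = int(value)
        elif opt in ("-v", "--verbose"):
            options["verbose"] = True
    return options, args
```

The practical consequence for a CLI is that with plain `getopt()` an option typed after a positional is not an error: it is quietly returned as another positional argument, which is easy to miss in a script.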
The LDAPSecurityDomainSessionTable has been modified to throw
an exception if there is a failure.
https://fedorahosted.org/pki/ticket/1633
The ConfigurationUtils and CertUtil have been modified to use
PKIConnection which uses Apache HttpClient instead of the legacy
custom HttpClient. The POST request content is now created using
MultivaluedMap.
The PKIConnection has been modified to provide a get() method to
send an HTTP GET request. The post() method was modified to accept
a path parameter.
https://fedorahosted.org/pki/ticket/342
The unused configuration wizard servlet has been removed to
simplify refactoring other code.
The remaining references in CertUtil and ConfigurationUtils
have been removed as well.
https://fedorahosted.org/pki/ticket/1120
Lightweight CAs mean that a single database can include certificates
from many issuers. Update CRLIssuingPoint to only include
certificates issued by its associated CA.
For backwards compatibility, if the associated CA is the host CA,
certificate records with missing 'issuerName' attribute are also
included.
Fixes: https://fedorahosted.org/pki/ticket/1626
Lightweight CAs mean that we may wish to filter certificates based
on the issuer. Update X509CertImplMapper to store the issuer DN in
each certificate record, using existing schema.
Also add indices for the 'issuerName' LDAP attribute.
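Worked example serving this commit and the CRLIssuingPoint commit above; added here and not the project's Java code. It shows the issuer selection both as an LDAP filter over the `issuerName` attribute (with RFC 4515 escaping, since a DN can contain parentheses and backslashes) and as the same predicate applied to in-memory records, including the host-CA compatibility rule for records that predate the attribute. The records and DNs are constructed, and exact string comparison of the stored DN is an assumption.

```python
# Constructed sample records (a subset of attributes, not the real schema).
HOST_CA_DN = "CN=CA Signing Certificate,O=EXAMPLE"
LIGHTWEIGHT_CA_DN = "CN=Sub CA (lightweight),O=EXAMPLE"

SAMPLE_RECORDS = [
    {"serial": 1, "issuerName": HOST_CA_DN},
    {"serial": 2},  # written before issuerName existed: no attribute at all
    {"serial": 3, "issuerName": LIGHTWEIGHT_CA_DN},
    {"serial": 4, "issuerName": HOST_CA_DN},
]


def ldap_filter_escape(value: str) -> str:
    """RFC 4515 escaping for an assertion value used inside a search filter."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def issuer_filter(issuer_dn: str, is_host_ca: bool) -> str:
    """LDAP filter selecting records issued by this CA.

    The host CA additionally accepts records with no issuerName, which keeps
    pre-existing records in its CRL; a lightweight CA only matches its own DN.
    The issuerName index the commit adds is what makes this filter cheap.
    """
    own = "(issuerName=%s)" % ldap_filter_escape(issuer_dn)
    if is_host_ca:
        return "(|%s(!(issuerName=*)))" % own
    return own


def issued_by(record: dict, issuer_dn: str, is_host_ca: bool) -> bool:
    """The same predicate as issuer_filter, applied to an in-memory record."""
    issuer = record.get("issuerName")
    if issuer is None:
        return is_host_ca
    return issuer == issuer_dn


def crl_candidates(records, issuer_dn: str, is_host_ca: bool) -> list:
    """Serials this CRL issuing point would consider, in record order."""
    return [r["serial"] for r in records if issued_by(r, issuer_dn, is_host_ca)]
```

Without the issuer filter every lightweight CA's CRL would list revocations from every other issuer in the shared database; with it, the only cross-issuer leakage left is the deliberate one, legacy records without an issuerName attributed to the host CA.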