| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Some incorrect code was added to request processing
in the realm patches. In the request LDAP modification code,
if the realm was not present, we added a modification to remove the
realm attribute.
Unfortunately, if the realm was not present to begin with, this resulted
in LDAP returning a "No Such Attribute (16)" error, causing all kinds
of requests - including certificate requests to fail to be submitted.
At this point, we do not permit users to change the realm of a request.
Therefore, there is no reason to remove the realm. If we ever need
to do this in future, we'll have to be smarter about it.
|
|
|
|
|
|
|
|
| |
For clarity the TPS operatons that generate OP_DO_TOKEN activity
has been modified to generate OP_TOKEN_MODIFY instead, except for
the changeTokenStatus() which will generate OP_TOKEN_STATUS_CHANGE.
https://fedorahosted.org/pki/ticket/2268
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In practice, most folks will use something like DirAclAuthz
to manage their realm. Rather than requiring a new authz plugin
for each realm, we allow the authz plugin to support multiple
realms (as a comma separated list).
For the Acl plugins in particular, we expand the authorize call
to allow the caller to pass in the realm as well as the resource
and operation. The resource queried would then be constructed on
the fly as realm.resource
Examples will be provided in the wiki page.
Trac Ticket 2041
|
|
|
|
|
|
|
|
|
|
|
|
| |
Review comments addressed:
1. when archiving or generating keys, realm is checked
2. when no plugin is found for a realm, access is denied.
3. rename mFoo to foo for new variables.
4. add chaining of exceptions
5. remove attributes from KeyArchivalRequest etc. when realm is null
6. Add more detail to denial in BasicGroupAuthz
Part of Trac Ticket 2041
|
|
|
|
| |
Part of Trac Ticket #2041
|
|
|
|
|
|
|
| |
We add authz realm checks as appropriate for each
operation.
Part of Trac Ticket #2041
|
|
|
|
|
|
|
|
|
|
|
| |
The async recovery request mechanism was implemented differently
from other requests. This makes it difficult to add tings like
authorization consisitently.
We move the required methods to the KeyRequestDAO to be more
consistent.
Part of Ticket #2041
|
|
|
|
|
|
|
|
|
|
|
| |
1. Added query parameters for the realm. If a realm is
specified, then only the key requests and keys associated
with the realm are returned. If no realm is specified,
then only those requests and keys without a realm are returned.
2. Added parameters to keyClient and the CLI
Part of Trac Ticket #2041
|
|
|
|
|
|
|
|
| |
This will allow users to specify the realm when generating
or archiving a request. No interface change is needed (yet)
because the extra parameter is passed through the request.
Part of Ticket #2041
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Added method to check realm. This method will look for
an authz instance for a specified realm and invoke it to
determine access.
* Added a basic group based authz plugin mostly for testing.
This plugin simply checks if the requestor is in the correct
group. In practice, customers will probably want something more
complex maybe subclassing BasicAclAuthz.
Part of Trac Ticket #2041
|
|
|
|
| |
Part of Trac Ticket# 2041
|
|
|
|
| |
Part of Trac Ticket #2041
|
|
|
|
|
| |
Added realm attribute and index. Added to request and keyRecord.
Part of Trac Ticket 2041
|
|
|
|
|
|
|
|
| |
The CLIs for exporting PKCS #12 file have been modified to accept
options to export without trust flags, keys, and/or certificate
chain.
https://fedorahosted.org/pki/ticket/1736
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
New authority monitor code requires the USN plugin to be
enabled in the database to ensure that the entryUSN attribute
is added to authority entries.
In the case where this plugin was disabled, accessing this
attribute resulted in a null pointer exception whch prevented server
startup.
The code has been changed so as not to throw a null pointer exception
on startup if the entryusn is not present, and also to call an LDIF
to enable the plugin when a subsystem is configured through pkispawn.
|
|
|
|
|
|
|
|
|
| |
To avoid possible conflicts imported external certificates, the
self-signed SSL server certificate creation has been moved after
the external certificates have been imported into the NSS database
and before the server is started.
https://fedorahosted.org/pki/ticket/1736
|
|
|
|
|
|
|
|
|
|
|
|
| |
For consistency the pki pkcs12-export has been modified to
overwrite the PKCS #12 output file by default. A new option has
been added to append the exported certificates and keys into the
output file if the file already exists.
The same option has been added to the The pki-server
instance-cert-export and subsystem-cert-export commands.
https://fedorahosted.org/pki/ticket/1736
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A new pki_existing deployment property has been added to install
CA with existing CA certificate and key in a single step.
New certificate deployment properties have been added as aliases
for some external CA properties to allow them to be used in more
general cases:
- pki_ca_signing_csr_path -> pki_external_csr_path
- pki_ca_signing_cert_path -> pki_external_ca_cert_path
- pki_cert_chain_path -> pki_external_ca_cert_chain_path
- pki_cert_chain_nickname -> pki_external_ca_cert_chain_nickname
https://fedorahosted.org/pki/ticket/1736
|
|
|
|
|
|
|
|
|
|
| |
New PKCS #12 deployment properties have been added as aliases
for some external CA properties to allow them to be used in
more general cases:
- pki_pkcs12_path -> pki_external_pkcs12_path
- pki_pkcs12_password -> pki_external_pkcs12_password
https://fedorahosted.org/pki/ticket/1736
|
|
|
|
|
|
|
|
|
|
| |
When a lightweight CA is created, clones will initialise a local
object when the LDAP replication takes place, however, the signing
keys will not yet have been replicated. Therefore, indicate CA
readiness in authority data and respond appropriately (HTTP 503)
when signing operations are attempted.
Part of: https://fedorahosted.org/pki/ticket/1625
|
|
|
|
|
|
|
|
|
|
|
|
| |
When initialising a lightweight CA, if we do not have the signing
cert and key in the NSSDB yet, we do not initialise the DN. This
causes NPE in other code that expects getX500Name() to return a
value, e.g. REST API to list or show CA.
To work around this, when loading lightweight CAs set the DN based
on the 'authorityDN' value stored in its LDAP entry.
Part of: https://fedorahosted.org/pki/ticket/1625
|
|
|
|
|
|
|
|
|
|
|
| |
Implement a thread that performs an LDAP persistent search to keep a
running CA's view of lightweight CAs in sync with the database.
Signing key replication is not yet supported; this will be
implemented in a later patch and will not use the database to
propagate keys.
Part of: https://fedorahosted.org/pki/ticket/1625
|
|
|
|
|
|
|
|
|
| |
LDAP code to add, modify and delete authority entries exists in
multiple places. Extract these methods to remove this duplication
and provide a cleaner basis for upcoming implementation of
replication handling.
Part of: https://fedorahosted.org/pki/ticket/1625
|
|
|
|
|
|
|
|
| |
To reduce the amount of code that would be run in the persistent
search thread, extract the host authority entry creation out of the
'loadLightweightCAs' method, into 'CertificateAuthority.init'.
Part of: https://fedorahosted.org/pki/ticket/1625
|
|
|
|
| |
Part of: https://fedorahosted.org/pki/ticket/1625
|
|
|
|
|
|
|
| |
Use a static database connection factory that is initialised by the
host authority and used by all CertificateAuthority instances.
Part of: https://fedorahosted.org/pki/ticket/1625
|
|
|
|
|
|
|
|
|
|
| |
Add the CAMissingCertException and CAMissingKeyException classes and
throw when signing unit initialisation fails due to a missing
object. In CertificateAuthority, store the exception if it occurs
for possible re-throwing later. Also add the private 'hasKeys'
field for internal use.
Part of: https://fedorahosted.org/pki/ticket/1625
|
|
|
|
|
|
|
|
|
| |
This patch does the following:
* it adds in the kra request an extra field called "delayLDAPCommit"
* when the request comes in to be processed, it sets this field to "false"
* by default, if this field does not exist, the updateRequest() method will just write to ldap, just like before; however, if this field exists and it contains "true" then it will delay the write
* once the request is processed and all unwanted fields are cleared from the request record, it will set "delayLDAPCommit" to "false", and call updateRequest(), which will then do the actual write to ldap
* In addition, I also screened through both KRA and TPS code and removed debug messages that contain those fields.
|
|
|
|
|
|
|
| |
The CertUtil.createLocalCert() has been modified to re-throw the
exception instead of ignoring it.
https://fedorahosted.org/pki/ticket/1654
|
|
|
|
|
|
|
| |
The CertificateExtensions.parseExtension() and some extension
classes have been modified to chain the original exception.
https://fedorahosted.org/pki/ticket/1654
|
|
|
|
|
|
|
| |
The methods in X509CertInfo have been modified to chain the
original exception.
https://fedorahosted.org/pki/ticket/1654
|
|
|
|
|
|
|
|
| |
The CertificateAuthority.getCACert() has been modified to re-throw
the exception instead of ignoring it. All callers have been
modified to bubble up the exception.
https://fedorahosted.org/pki/ticket/1654
|
|
|
|
|
|
|
| |
The CertInfoProfile.populate() has been modified to re-throw the
exception instead of ignoring it.
https://fedorahosted.org/pki/ticket/1654
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
For backward compatibility the pki pkcs12-import has been modified
to generate default nicknames and trust flags for CA certificates
if they are not specified in the PKCS #12 file. The PKCS12Util was
also modified to find the certificate corresponding to a key more
accurately using the local ID instead of the subject DN.
The configuration servlet has been modified to provide better
debugging information when updating the security domain.
https://fedorahosted.org/pki/ticket/2255
|
|
|
|
| |
This patch removes certs from token record when it is formatted.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The ConfigurationUtils.backupKeys() has been modified to use
PKCS12Util to export the certificates and their trust flags into
a PKCS #12 file such that the file can be used for cloning.
The code to generate PFX object has been refactored from the
PKCS12Util.storeIntoFile() into a separate generatePFX() method.
The PKCS12Util.loadCertFromNSS() has been modified to provide
options to load a certificate from NSS database without the key
or the certificate chain. The CLIs have been modified to provide
the same options.
The PKCS12Util.getCertInfo() has modified to ignore missing
certificate attributes in the PKCS #12 file and generate a new
local ID.
https://fedorahosted.org/pki/ticket/2255
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently when installing an additional subsystem to an existing
instance the install tool always generates a new random password in
the pki_pin property which would not work with the existing NSS
database. The code has been modified to load the existing NSS
database password from the instance if the instance already exists.
The PKIInstance class has been modified to allow loading partially
created instance to help the installation.
https://fedorahosted.org/pki/ticket/2247
|
|
|
|
|
|
|
|
|
|
|
|
| |
Some variables in pkispawn and pkidestroy have been renamed for
clarity.
The unused PKI_CERT_DB_PASSWORD_SLOT variable has been removed.
The constant pki_self_signed_token property has been moved into
default.cfg.
https://fedorahosted.org/pki/ticket/2247
|
|
|
|
|
|
|
|
|
|
|
|
| |
In the external CA case if the externally-signed CA certificate
is included in the certificate chain the CA certificate may get
imported with an incorrect nickname.
The code has been modified such that the certificate chain is
imported after the CA certificate is imported with the proper
nickname.
https://fedorahosted.org/pki/ticket/2022
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds audit logging to TPS REST wrote-specific operations.
The read-specific operations are already captured by AuditEvent=AUTHZ_*
The affected (new or modified) log messages include:
LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_GENERAL_5
LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_PROFILE_6
LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_MAPPING_RESOLVER_6
LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_AUTHENTICATOR_6
LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_CONNECTOR_6
LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_RECORD_6
LOGGING_SIGNED_AUDIT_TOKEN_STATE_CHANGE_8
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The TPS subsystem has been modified to generate the token state
transitions from TEMP_LOST to UNINITIALIZED or ACTIVE dynamically
depending on whether the token has certificates.
The TEMP_LOST to ACTIVE transition has been removed from the CS.cfg.
Duplicate code that loads the allowed transitions list has been
merged and moved into TPSSubsystem.
https://fedorahosted.org/pki/ticket/1808
|
|
|
|
|
|
|
| |
To help troubleshooting the EnrollProfile has been modified to
log the stack trace and chain the exception.
https://fedorahosted.org/pki/ticket/1654
|
|
|
|
|
|
|
|
|
|
|
| |
Several lightweight CA ACLs share the 'certServer.ca.authorities'
name, but when loading ACLs each load overwrites the previous.
If multiple resourceACLS values have the same name, instead of
replacing the existing ACL with the new one, add the rights and
rules to the existing ACL.
Part of: https://fedorahosted.org/pki/ticket/1625
|
|
|
|
|
|
|
|
|
|
|
|
| |
It is possible to encounter a case where the
CRLDistributionPointsExtension static initialiser, which adds the
class to the OIDMap, has not been invoked. This can cause a
ClassCastException, e.g. in CRLDistributionPointsExtDefault.
Update OIDMap to add CRLDistributionPointsExtension in its own
static initialiser.
Fixes: https://fedorahosted.org/pki/ticket/2237
|
| |
|
| |
|
| |
|