| |
For clarity the non-UI code in the pki-ui.js has been moved into
pki.js.
| |
The index.html files in TPS UI have been renamed to index.jsp such
that they can be protected by access banner.
https://fedorahosted.org/pki/ticket/2582
| |
The index.html files in TKS UI have been renamed to index.jsp such
that they can be protected by access banner.
https://fedorahosted.org/pki/ticket/2582
| |
The index.html files in OCSP UI have been renamed to index.jsp such
that they can be protected by access banner.
https://fedorahosted.org/pki/ticket/2582
| |
The index.html files in KRA UI have been renamed to index.jsp such
that they can be protected by access banner.
https://fedorahosted.org/pki/ticket/2582
| |
The index.html files in CA UI have been renamed to index.jsp such
that they can be protected by access banner.
https://fedorahosted.org/pki/ticket/2582
| |
If server startup fails, the shutdown() routine tries to shut down
the logger instance, which may not have been initialised. This
raises a NullPointerException which can mask the original exception.
Only attempt to shut down the logger instance if it is non-null.
| |
To help troubleshooting the CertRequestService has been modified
to chain the original exceptions.
| |
To help troubleshooting the CMCAuth has been modified to log a
message when the CMC is missing.
| |
A sample program has been added to show how to use CertClient.
https://fedorahosted.org/pki/ticket/2584
| |
A sample program has been added to show how to use CAClient.
https://fedorahosted.org/pki/ticket/2584
| |
The SubsystemClient.login() method has been modified to return
the AccountInfo obtained from AccountClient.login().
| |
The serverURI field in ClientConfig has been replaced with
serverURL since it actually stores the location of the server.
New methods have been added to access the serverURL field.
Existing methods for serverURI are retained for backward
compatibility.
| |
The subsystem-based methods and fields in PKIService class have
been moved into a new SubsystemService class to allow creating
more generic non-subsystem-based services.
The classes that use these methods and fields have been updated
accordingly.
| |
To avoid redundancy the code that finds Jackson libraries has been
moved to the top level CMake script.
| |
To improve consistency across platforms the code in RPM spec that
creates the links to subsystem library files has been converted
into CMake scripts.
| |
Add the 'searchBase' parameter for DirAclAuthz instances. If
specified, it prepends the searchBase to the baseDN. This allows
reusing an existing LDAP connection config (e.g. "internaldb")
whilst changing where the instance loads the ACLs from.
Part of: https://fedorahosted.org/pki/ticket/1359
Fixes: https://fedorahosted.org/pki/ticket/2525
| |
Part of: https://fedorahosted.org/pki/ticket/1710
| |
Add the 'CommonNameToSANDefault' profile default class. When used
on a profile, this will examine the (most-specific) Common Name in
the Subject DN, and if it looks like a DNS name, will add it to the
Subject Alternative Name extension, creating the extension if it
does not already exist.
Also add upgrade scriptlet to add the component to registry.cfg in
existing installations.
Fixes: https://fedorahosted.org/pki/ticket/1710
| |
To implement a profile default that copies the CN to a SAN dNSName,
we need to examine the CN values present in the Subject DN.
Specifically, we want to look at the "most specific" CN value. The
'getCommonName' method returns the "least specific" value in the
name, thus is not suitable.
Add the 'getAttributesForOid(ObjectIdentifier)' method, which
returns an ordered list of values of the given name attribute type,
from least specific to most specific.
Part of: https://fedorahosted.org/pki/ticket/1710
| |
To implement a profile default that copies CN to SAN dNSName, we
need to read and set the 'GeneralNames' of the extension. This can
be done via the 'get' and 'set' methods but this interface is
awkward and requires the caller to deal with exceptions that aren't
fundamental to the get/set actions.
Add the 'setGeneralNames' and 'getGeneralNames' methods.
Part of: https://fedorahosted.org/pki/ticket/1710
| |
The 'GeneralNameInterface' interface represents a single X.509
General Name value. Various types are supported. The 'GeneralName'
class (which also implements 'GeneralNameInterface') is a singleton
container for another 'GeneralNameInterface' value.
To implement a profile component that copies CN to a SAN dNSName, we
need to examine existing General Names in the SAN extension (if
present), to avoid duplicate values. We can iterate 'GeneralNames',
but if the value is of type 'GeneralName' we need a way to "unwrap"
the value, down to the innermost value which will be of a specific
General Name type.
Add the 'unwrap' method to 'GeneralName'.
Part of: https://fedorahosted.org/pki/ticket/1710
| |
To implement a profile default that copies CN to SAN dNSName, we
need to examine existing dNSName values. To support this, add the
'getValue()' method to 'DNSName'.
Part of: https://fedorahosted.org/pki/ticket/1710
| |
The TPS CLIs have been modified to use Exceptions instead of
System.exit() such that errors can be handled consistently.
| |
The system, logging, and selftest CLIs have been modified to use
Exceptions instead of System.exit() such that errors can be
handled consistently.
| |
The feature and authority CLIs have been modified to use
Exceptions instead of System.exit() such that errors can be
handled consistently.
| |
The MergePKIWebapps upgrade script has been modified to ensure
that the old deployment descriptors exist before deleting them.
https://fedorahosted.org/pki/ticket/2582
| |
The client and PKCS12 CLIs have been modified to use Exceptions
instead of System.exit() such that errors can be handled
consistently.
| |
A new parameter has been added to set the serial number field in
CertEnrollmentRequest and in profile input if available.
| |
A new parameter has been added to set the renewal field in
CertEnrollmentRequest.
| |
KEY_USAGE was accidentally added and verify usage was left off.
This results in BZ#1238684
| |
To help troubleshooting the CAEnrollProfile class has been modified
to chain the original exceptions.
| |
Currently, PKIConnection does not allow the client certificate
and private key to be stored in different files. However, the python-requests
library allows this separation, so it should be made possible.
| |
The PKI CLI has been modified to catch KeyboardInterrupt and exit
cleanly without displaying the stack trace.
| |
The names of restricted commands have been moved into a list for
clarity.
| |
The key CLIs have been modified to use Exceptions instead of
System.exit() such that errors can be handled consistently.
| |
The cert and profile CLIs have been modified to use Exceptions
instead of System.exit() such that errors can be handled
consistently.
| |
Previously the /pki webapp was only added if the theme was present
during installation, and there were separate webapps for /pki/admin
and /pki/js. If the theme was installed later, the /pki webapp had
to be configured manually.
To simplify the installation and to support other developments
(e.g. login banner), the /pki webapp will always be added during
installation regardless of theme, and the /pki/admin and /pki/js
webapps are merged into /pki webapp. When the theme package is
installed, it will create links in /pki webapp so the theme files
will become available without additional configuration.
An upgrade script has been added to merge the /pki webapp in
existing instances.
https://fedorahosted.org/pki/ticket/2582
| |
Direct invocations of CryptoManager.getTokenByName() have been
replaced with CryptoUtil.getCryptoToken() and getKeyStorageToken()
to ensure that internal token names are handled consistently both
in normal mode and FIPS mode.
https://fedorahosted.org/pki/ticket/2556
| |
Previously, if a certificate request page only had one entry, the
entry itself would be removed from the page, resulting in a blank
page.
The QueryReq.trim() has been modified not to remove the marker
entry if it's the only entry in the page.
https://fedorahosted.org/pki/ticket/2450
| |
Per RFC 5758, when the ecdsa-with-SHA224, ecdsa-with-SHA256, ecdsa-with-SHA384, or ecdsa-with-SHA512 algorithm identifier appears in the algorithm field as an AlgorithmIdentifier, the encoding MUST omit the parameters field.
Note: Since we do not support DSA, this patch does not attempt to address them.
Also, while we do not claim to support sha224, the patch adds enough code to process the OID just for completeness. However, it does not attempt to offer it as part of the signing algorithms.
| |
The code that detects the internal token name has been modified to
use CryptoUtil.isInternalToken() such that the comparison can be
done consistently both in normal mode and FIPS mode.
https://fedorahosted.org/pki/ticket/2556
| |
The CryptoUtil has been modified to provide two separate methods
to obtain a token given the token name:
- getCryptoToken() returns crypto token
- getKeyStorageToken() returns key storage token
The getKeyStorageToken() was renamed from the existing
getTokenByName(). All code using the old method has been updated
accordingly.
If the provided token name matches the internal token name, the methods
will return the corresponding internal crypto/key storage token.
The isInternalToken() was modified to check for empty string in
addition to the short and full name of the internal token.
https://fedorahosted.org/pki/ticket/2556
| |
The internal token short name literals have been replaced with
CryptoUtil.INTERNAL_TOKEN_NAME.
https://fedorahosted.org/pki/ticket/2556
| |
The CMSTemplate has been fixed to escape HTML special characters
in method documentation.
| |
The CMake script for Javadoc has been fixed to include the missing
SLF4J library in the class path.
| |
In the migration case, it is useful to delete the initially
created signing certificate database record and have that be
imported through the ldif data import instead.
Therefore, we add an option to remove this entry. The user
also needs to provide the serial number for the entry.
This resolves the following tickets/BZs:
BZ# 1409949/Trac 2573 - CA Certificate Issuance Date displayed
on CA website incorrect
BZ# 1409946/Trac 2571 - Request ID undefined for CA signing
certificate
| |
The internal token full name literals have been replaced with
CryptoUtil.INTERNAL_TOKEN_FULL_NAME.
https://fedorahosted.org/pki/ticket/2556