| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
| |
The wrapper script for legacy CLIs has been updated to use
java.ext.dirs to specify the client library folder instead
of a class path variable containing individual JAR files.
The same mechanism is already in use in PKI CLI.
|
| |
|
|
|
|
|
|
|
|
|
| |
Currently we try to parse the entryUSN into an Integer, which wraps
the 'int' primitive type. If entryUSN value is too large to fit in
'int', NumberFormatException is raised.
Change LDAPProfileSubsystem and CertificateAuthority to use
BigInteger for entryUSN values.
Fixes: https://fedorahosted.org/pki/ticket/2579
|
| |
|
|
|
|
|
| |
The KeyRecoveryAuthority.PR_INTERNAL_TOKEN_NAME has been replaced
with CryptoUtil.INTERNAL_TOKEN_NAME since they are identical.
https://fedorahosted.org/pki/ticket/2556
|
| |
|
|
|
|
|
| |
The HttpClient.PR_INTERNAL_TOKEN_NAME has been replaced with
CryptoUtil.INTERNAL_TOKEN_NAME since they are identical.
https://fedorahosted.org/pki/ticket/2556
|
| |
|
|
|
|
|
| |
The CMCRevoke.PR_INTERNAL_TOKEN_NAME has been replaced with
CryptoUtil.INTERNAL_TOKEN_NAME since they are identical.
https://fedorahosted.org/pki/ticket/2556
|
| |
|
|
|
|
|
| |
The CMCRequest.PR_INTERNAL_TOKEN_NAME has been replaced with
CryptoUtil.INTERNAL_TOKEN_NAME since they are identical.
https://fedorahosted.org/pki/ticket/2556
|
| |
|
|
|
|
|
| |
The KRATool.INTERNAL_TOKEN has been replaced with
CryptoUtil.INTERNAL_TOKEN_FULL_NAME since they are identical.
https://fedorahosted.org/pki/ticket/2556
|
| |
|
|
|
|
|
| |
The ConfigurationRequest.TOKEN_DEFAULT has been replaced with
CryptoUtil.INTERNAL_TOKEN_FULL_NAME since they are identical.
https://fedorahosted.org/pki/ticket/2556
|
| |
|
|
|
|
|
| |
The Constants.PR_FULL_INTERNAL_TOKEN_NAME has been replaced with
CryptoUtil.INTERNAL_TOKEN_FULL_NAME since they are identical.
https://fedorahosted.org/pki/ticket/2556
|
| |
|
|
|
|
|
| |
The Constants.PR_INTERNAL_TOKEN_NAME has been replaced with
CryptoUtil.INTERNAL_TOKEN_NAME since they are identical.
https://fedorahosted.org/pki/ticket/2556
|
| |
|
|
|
|
|
| |
The Constants.PR_INTERNAL_TOKEN has been replaced with
CryptoUtil.INTERNAL_TOKEN_NAME since they are identical.
https://fedorahosted.org/pki/ticket/2556
|
| |
|
|
|
|
|
|
| |
An upgrade script has been added to replace IPv4- and IPv6-specific
AJP loopback address with a more generic "localhost" in existing
instances.
https://fedorahosted.org/pki/ticket/2570
|
| |
|
|
|
|
| |
The user and group CLIs have been modified to use Exception
instead of System.exit() such that errors can be handled
consistently.
|
| |
|
|
|
| |
The MainCLI has been modified to use Exceptions instead of
System.exit() such that errors can be handled consistently.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A new tcp.keepAlive parameter has been added for CS.cfg to
configure the TCP Keep-Alive option for all LDAP connections
created by PKI server. By default the option is enabled.
The LdapJssSSLSocketFactory has been modified to support both
plain and secure sockets. For clarity, the socket factory has been
renamed to PKISocketFactory.
All codes that create LDAP connections have been modified to use
PKISocketFactory such that the TCP Keep-Alive option can be applied
globally.
https://fedorahosted.org/pki/ticket/2564
|
| |
|
|
|
| |
This is the dogtag upstream side of the TPS portion of this ticket.
This fix also involves an applet fix, handled in another bug.
|
| |
|
|
|
|
|
|
| |
The ConfigurationUtils.handleCerts() has been modified to log the
actual exception instead of showing the "deleteCert" operation
which may not be executed yet.
https://fedorahosted.org/pki/ticket/2457
|
| |
|
|
|
|
|
|
|
| |
Previously the default AJP hostname was an IPv4 loopback address.
To avoid problems in IPv6 environments the default has been
changed to a generic "localhost" address. The man page has been
updated accordingly.
https://fedorahosted.org/pki/ticket/2570
|
| | |
|
| |
|
|
|
|
| |
To improve reusability the deployment system variables have been
converted from global variables in pkiconfig.py into attributes in
PKIDeployer.
|
| |
|
|
|
|
| |
To improve reusability the deployment timestamp variables have been
converted from global variables in pkiconfig.py into attributes in
PKIDeployer.
|
| |
|
|
|
| |
To improve reusability the flatten_master_dict() has been moved
from PKIConfigParser into PKIDeployer.
|
| |
|
|
|
| |
To improve reusability the PKIDeployer class has been moved from
the pkihelper.py into the top level pki.server.deployment module.
|
| |
|
|
|
|
| |
To improve reusability the pki_subsystem object has been converted
from a global variable in pkiconfig.py into an attribute in
PKIDeployer.
|
| |
|
|
|
| |
To improve reusability the pki_config object has been moved from
PKIConfigParser into PKIDeployer.
|
| |
|
|
|
|
| |
To improve reusability the user_config object has been converted
from a global variable in pkiconfig.py into an attribute in
PKIDeployer.
|
| |
|
|
|
|
|
| |
To improve reusability the deployment tools have been modified
such that the master and slots dictionary objects are created in
PKIDeployer at the beginning of the program. The PKIConfigParser
has been modified to use the same dictionary objects.
|
| |
|
|
|
|
| |
The pki_copytree() has been moved from pkihelper.py into
pki/util.py such that it can be reused in non-deployment
scenarios.
|
| |
|
|
|
|
|
| |
The CMake scripts have been modified to remove redundant
invocations of find_file() to find Tomcat libraries.
https://fedorahosted.org/pki/ticket/2560
|
| |
|
|
|
|
|
|
| |
To help troubleshooting build issues the pki-tools build targets
have been modified such that they run sequentially. This way error
messages will be easier to find in the build log.
https://fedorahosted.org/pki/ticket/2463
|
| |
|
|
| |
Part of: https://fedorahosted.org/pki/ticket/1359
|
| |
|
|
| |
Part of: https://fedorahosted.org/pki/ticket/1359
|
| |
|
|
| |
Part of: https://fedorahosted.org/pki/ticket/1359
|
| |
|
|
| |
Part of: https://fedorahosted.org/pki/ticket/1359
|
| |
|
|
|
|
|
|
|
| |
The getAuthzManagerByRealm public method is defined in
AuthzSubsystem but to support external principals we want to make
this part of the IAuthzSubsystem interface, so other classes (e.g.
ACLInterceptor) can use it.
Part of: https://fedorahosted.org/pki/ticket/1359
|
| |
|
|
|
|
|
|
|
|
| |
Currently if ':' appears in an ACL expression (e.g. a group name, as
occurs in FreeIPA permissions), the ACL gets parsed incorrectly.
Look backwards from end of string for the final ':', so that the ACL
parses correctly.
Part of: https://fedorahosted.org/pki/ticket/1359
|
| |
|
|
|
|
|
|
|
|
|
|
| |
DirAclAuthz and BasicAclAuthz both extend AAclAuthz, but there is
still a lot of duplicate code. Push the duplicated bits up into the
AAclAuthz.
Also remove abstract method flushResourceACLs() from AAclAuthz, and
its implementation from BasicAclAuthz, because it is only
implemented (meaningfully) by DirAclAuthz.
Part of: https://fedorahosted.org/pki/ticket/1359
|
| |
|
|
| |
Part of: https://fedorahosted.org/pki/ticket/1359
|
| |
|
|
| |
- PKI TRAC Ticket #2524 - Remove xenroll.dll from pki-core
|
| |
|
|
|
|
|
|
|
| |
nistp384 is specified in spawn config
Ticket #2552.
This fix turned out simple. The client was correctly setting the required data, but it was putting the curveName in the
"keySize" field of the SystemCertData object sent to the back end. The configuration routine was trying to find the name in the "curveName" field when its really in the "keySize" field. This issue is restricted to the ECC case. It is fine to simply fix this in the server, since the "keySize" is a string anyway and it makes decent sense.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
When a user renews its certificate using pki client-cert-request
the CLI will authenticate using the certificate and send an empty
request message. The server is supposed to use the certificate's
serial number to process the renewal request.
Currently the request fails if the serial number is missing from
the request message. The server has been fixed such that it
ignores the missing serial number and use the certificate's serial
number instead.
https://fedorahosted.org/pki/ticket/2476
|
| |
|
|
|
|
| |
Just a small drive-by refactor.
Part of: https://fedorahosted.org/pki/ticket/1359
|
| |
|
|
| |
Part of: https://fedorahosted.org/pki/ticket/1359
|
| |
|
|
| |
Part of: https://fedorahosted.org/pki/ticket/1359
|
| |
|
|
|
|
|
| |
Commit db58e6071f6bb57de006e6499c0a0c6a8c8e67bf has been reverted
due to build issue on RHEL/CentOS.
https://fedorahosted.org/pki/ticket/2531
|
| |
|
|
|
|
|
| |
Commit f9ddb2e875355e882b14529979f6c9ae03cf720e has been reverted
due to build issue on RHEL/CentOS.
https://fedorahosted.org/pki/ticket/2535
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
Previously the pki user-cert-add fails to check whether the server
has a CA subsystem when it's invoked over SSL. That is because the
CLI tries to establish a new but improperly set up SSL connection.
Now the CLI has been modified to use the existing server
connection.
https://fedorahosted.org/pki/ticket/1517
|
| |
|
|
|
|
|
|
|
| |
The PKIConnection has been modified to provide two get() methods:
one returning a generic Response object wnd the other returning an
object with the specified type. The ConfigurationUtils has been
modified accordingly.
https://fedorahosted.org/pki/ticket/1517
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
TPS throws "err=6" when attempting to format and enroll G&D Cards.
https://bugzilla.redhat.com/show_bug.cgi?id=1320283
This fix addresses this bug , but also:
Fixes this issue:
Applet upgrade during rekey operation results in formatted token.
Also, it takes care of a related issue where the new apdu needed for the
lifecycle state causes the testing tool "tpslcient" to seg fault.
The fix here is a minimal fix to have tpsclient return an error when it gets
this apdu it can't handle, instead of crashing.
|
