The pki-cert man page has been updated to clarify that certain
profiles may require authentication and the CLI supports certain
authentication types.
https://fedorahosted.org/pki/ticket/2289
The TPS UI has been updated to support TPS agent approval process
for changes in authenticators, connectors, and profile mappings in
addition to profiles.
The ConfigEntryPage has been updated to display the action links
consistently in the above components for all possible role and
status combinations.
The ProfilePage has been removed since the code has been merged
into its super class.
https://fedorahosted.org/pki/ticket/2523
The TPS UI has been modified to adjust the system menu based
on the list of accessible components obtained during login.
The TPSApplication has been modified to use TPSAccountService
which returns the list of accessible components based on the
following properties in the CS.cfg:
* admin: target.configure.list
* agent: target.agent_approve.list
https://fedorahosted.org/pki/ticket/2523
The AccountInfo has been changed to extend the ResourceMessage
such that it can be used to pass the list of accessible
components as an attribute.
https://fedorahosted.org/pki/ticket/2523
When a request was approved and retrieved through the REST
interface, the corresponding volatile request object was not
created due to the new flow. This makes sure the volatile request
is created.
shows different certificate status
This patch fixes the reported issue, so now the auto-recovered certificate will reflect the actual status of the certificate. Also, since the externalReg tracks its own recovered certificate status, it is consolidated with the certificate status tracking mechanism added in this patch so that they can be uniformly managed.
The PKCS12Util class has been modified to use the SLF4J logging
framework. The CMake scripts have been modified to include SLF4J
libraries in the classpath. The spec file has been modified to
add SLF4J dependencies.
https://fedorahosted.org/pki/ticket/195
New man pages have been added for the common and server logging
configurations.
https://fedorahosted.org/pki/ticket/1897
To reduce maintenance the log4j.properties is no longer copied
into the instance folder during deployment. Instead, a link will
be created in the /var/lib/pki/<instance>/lib folder pointing to
the default file in /usr/share/pki/server/conf.
The default log4j.properties has been updated to remove redundant
lines. By default only log messages with level WARN or higher will
be logged on the console.
https://fedorahosted.org/pki/ticket/1897
To reduce maintenance the logging.properties is no longer copied
into the instance folder during deployment. Instead, a link will
be created in /etc/pki/<instance> pointing to the default file
in /usr/share/pki/server/conf.
The default logging.properties has been updated to only log
messages with level WARNING or higher on the console.
https://fedorahosted.org/pki/ticket/1897
The logging.properties files in OCSP, TKS, and TPS folders are
never deployed so they have been removed.
https://fedorahosted.org/pki/ticket/1897
The logging.properties files in CA and KRA folders are never
deployed so they have been removed.
https://fedorahosted.org/pki/ticket/1897
When installing subordinate CA with HSM, the installer calls the
pki CLI (which is implemented using JSS) to validate the imported
CA certificate in HSM. Normally, the HSM password is specified as
CLI parameter, but in FIPS mode JSS requires both the HSM and the
internal token passwords. Since the CLI only takes one password,
JSS will prompt for the missing one on the console causing the
installation to hang.
As a temporary solution, the pki-server subsystem-cert-validate
command has been modified to validate certificates stored in the
internal token only and it will use the internal token password,
so only a single password is required. Further investigation in
CLI/JSS/NSS is needed to support validating certificates in HSM
without password prompts.
https://fedorahosted.org/pki/ticket/2543
Due to a certutil issue (bug #1393668) the installation code has
been modified to import certificates into the NSS database in
two steps. This workaround is needed to install a subordinate CA
with HSM in FIPS mode.
First, the certificate will be imported into the HSM using the
HSM password without the trust attributes. Then, the certificate
will be imported into the internal token using the internal token
password with the trust attributes.
https://fedorahosted.org/pki/ticket/2543
To discourage the use of the policy framework, the framework classes
have been moved into org.dogtagpki.legacy.
https://fedorahosted.org/pki/ticket/6
The list of source and class files in some CMake files has been
generalized to allow renaming Java packages without changing the
CMake files again.
https://fedorahosted.org/pki/ticket/6
To reduce Eclipse warnings, classes and methods related to policy
framework have been undeprecated. In the future the policy
framework may be removed since it has already been replaced with
the profile framework.
https://fedorahosted.org/pki/ticket/6
A bug in the approval code for asynchronous requests
results in the number of agents needed being calculated incorrectly
for SECURITY DATA (REST based) requests. This one-liner
fixes this problem.
If a retrieval is non-synchronous, we create a non-ephemeral recovery
request and return this Request ID to the client.
Continuation of the previous patch. These are client changes
to allow the client to pass through an approved recovery request
to retrieveKey()
When clients call retrieveKey(), three possible alternatives
now obtain:
1. client passes in an approved request. Request is processed
   and the secret is retrieved.
2. client passes in key_id and wrapping parameters and either:
   a) request can be processed immediately and synchronously
      and request is created, and secret is returned.
   b) request cannot be processed immediately. Recovery request
      is created and request_id returned to the client.
Depending on server configuration, the requests in case (2a)
will be stored in LDAP or will be ephemeral (in memory only).
More complicated realm based logic to determine if requests
can be processed synchronously or ephemerally will be added in
a later patch.
Put logic in a Processor, so that it can be reused for synchronous
requests. The only difference between synchronous and asynchronous
requests will be that for synchronous requests, the request will be
triggered from and updated on the request queue.
New man pages have been added: pki-pkcs12, pki-pkcs12-cert, and
pki-pkcs12-key.
https://fedorahosted.org/pki/ticket/1920
The deprecated ProxyParser has been replaced with DefaultParser.
https://fedorahosted.org/pki/ticket/2535
The deprecated DefaultHttpClient in SubsystemClient, CRMFPopClient,
and OCSPProcessor has been replaced with HttpClientBuilder.
https://fedorahosted.org/pki/ticket/2531
The InhibitAnyPolicyExtension has been modified to always close
the DerOutputStream instance.
The InhibitAnyPolicyExtDefault has been modified to wrap the
original exception.
https://fedorahosted.org/pki/ticket/2530
The ExtendedKeyUsageExtension has been modified to always close
the DerOutputStream instance.
The ExtendedKeyUsageExt has been modified to wrap the original
exception.
https://fedorahosted.org/pki/ticket/2530
This reverts commit f979c3b436e9a12e8c71ba0abab5c892d375f945.
This reverts commit 3c4f9c7eb1aa9a71c0f5a943314d355d2fdeebb4.
The OCSPNoCheckExtension has been modified to always close the
DerOutputStream instance.
The OCSPNoCheckExt has been modified to wrap the original
exception.
https://fedorahosted.org/pki/ticket/2530
The GenericASN1Extension has been modified to always close the
DerOutputStream instance.
https://fedorahosted.org/pki/ticket/2530
The OtherName has been modified to always close the
DerOutputStream instances.
https://fedorahosted.org/pki/ticket/2530
To help troubleshooting, the EPropertyException has been modified
to provide constructors to chain the original exception.
https://fedorahosted.org/pki/ticket/2463
For clarity the PKCS12Util.loadFromByteArray() has been modified
to generate a more accurate exception message on PKCS #12
verification failure.
https://fedorahosted.org/pki/ticket/2476
For consistency the server.xml templates for Tomcat 7 and 8 have
been modified to use the same unsecure port used by the instance
in the default OCSP responder URL.
https://fedorahosted.org/pki/ticket/2476
Based on investigation and solution provided by cfu and jmagne,
the SecurityDataRecoveryService.serviceRequest() has been modified
to use EncryptionUnit.unwrap_temp() for key recovery via CLI in
FIPS mode.
https://fedorahosted.org/pki/ticket/2500
The code in SecurityDataRecoveryService.serviceRequest() has been
reformatted for clarity.
https://fedorahosted.org/pki/ticket/2500
To help troubleshooting, the ConfigurationUtils.handleCerts()
has been modified to throw the exception instead of returning an
integer.
https://fedorahosted.org/pki/ticket/2463
https://fedorahosted.org/pki/ticket/2460
db is on fips mode.
Ticket #2513.
Simple fix allows the TPS and TKS the ability to obtain the proper internal token, even in FIPS mode.
Simple fix to actually honor the PIN_RESET=<YES> or <NO> policy for a given token.
Ticket #2510.
The TPS UI has been updated to support TPS agent approval process
for changes in authenticators, connectors, and profile mappings in
addition to profiles.
The ConfigEntryPage has been updated to display the action links
consistently in the above components for all possible role and
status combinations.
The ProfilePage has been removed since the code has been merged
into its super class.
https://fedorahosted.org/pki/ticket/2523
The TPS UI has been modified to adjust the system menu based
on the list of accessible components obtained during login.
The TPSApplication has been modified to use TPSAccountService
which returns the list of accessible components based on the
following properties in the CS.cfg:
* admin: target.configure.list
* agent: target.agent_approve.list
The AccountInfo has been changed to extend the ResourceMessage
such that it can be used to pass the list of accessible
components as an attribute.
https://fedorahosted.org/pki/ticket/2523
the ldap user mismatches
Fixes bug #1381375.
The portion this patch fixes involves a URL encoding glitch we encountered when recovering keys using
the "by cert" method.
Also this bug addresses:
Bug 1379379 - Unable to read an encrypted email using renewed tokens
The URL encoding problem was affecting the proper verification of this bug.
and
Bug 1379749 - Automatic recovery of encryption cert is not working when a token is physically damaged and a temporary token is issued
The URL encoding was also making this bug appear to fail more than it should have.
There is also a minor fix to the feature that makes sure it works.
This small fix is in TPSEngine.java, where the constant for the GenerateNewAndRecoverLast scheme is declared.
The CryptoUtil.getTokenName() has been modified to check both the
short name and full name of the internal token.
The ConfigurationUtils.deleteCert() has also been modified to call
CryptoUtil.getTokenName().
https://fedorahosted.org/pki/ticket/2500
To help troubleshooting build issues the pki-nsutil-classes
build target has been modified to depend on symkey-jar although
there is no actual code dependency. This way the targets will
be built sequentially and error messages will be easier to find.
https://fedorahosted.org/pki/ticket/2476