path: root/base
Commit message | Author | Age | Files | Lines
...
* Fixed installation error message. | Endi S. Dewata | 2016-10-12 | 1 | -1/+1
  The verify_subsystem_does_not_exist() has been modified to display the proper error message when the subsystem to be installed already exists.
  https://fedorahosted.org/pki/ticket/2476
* Ticket #2498 Token format with external reg fails when op.format.externalRegAddToToken.revokeCert=true | Christina Fu | 2016-10-10 | 3 | -8/+14
  This patch adds the missing parameters in the CS.cfg for externalRegAddToToken in regards to format operation. It also changed the non-defined ldap2 and ldap3 and ldap1
* Another Fix for: Add ability to disallow TPS to enroll a single user on multiple tokens. #1664 | Jack Magne | 2016-10-10 | 2 | -9/+50
  We just found out the code doesn't account for if the user has an active token which IS the token currently being worked on.
* Fix for: Add ability to disallow TPS to enroll a single user on multiple tokens. #1664 | Jack Magne | 2016-10-10 | 4 | -2/+107
  This bug was previously not completely fixed where we left a loophole to allow a user to end up with 2 active tokens. This fix closes that loophole.
  Also: Fix for: Unable to read an encrypted email using renewed tokens. #2483
  This fix provides for a new optional renewal based token policy, that allows the user to retain or recover old encryption certs for that profile, that get overwritten by the renewal process. An example is: RENEW=YES;RENEW_KEEP_OLD_ENC_CERTS=YES
  The default is YES; you have to explicitly set it to NO to turn it off. The second part of the policy is new. When this is set to "YES", the system will make sure the old enc cert will remain on the token. If it's missing or "NO", no such attempt will be made.
  junk
* Ticket #2496 Cert/Key recovery is successful when the cert serial number and key id on the ldap user mismatches | Christina Fu | 2016-10-10 | 3 | -34/+98
  Problem: There are two ways to recover the keys: a. by cert, b. by keyId.
  When recovering by cert, KRA checks if cert and key match before returning; however, in case of recovering by keyId, KRA has no way of checking. TPS also has no way of checking because the recovered private keys are wrapped.
  This patch adds a control parameter externalReg.recovery.byKeyID to determine if TPS should recover keys by keyIDs. By default, it is false, so certs are used to search for key record and recover.
  Code summary for externalReg key recovery:
  config default: externalReg.recover.byKeyID=false
  Recover either by keyID or by cert.
  When recovering by keyid: externalReg.recover.byKeyID=true
  - keyid in record indicates actual recovery;
  - missing of which means retention;
  When recovering by cert: externalReg.recover.byKeyID=false
  - keyid field needs to be present but the value is not relevant and will be ignored (a "0" would be fine)
  - missing of keyid still means retention;
  (In hindsight, recovery by keyid is probably more accident-prone and should be discouraged)
* Fixed ConfigurationUtils.importCertChain(). | Endi S. Dewata | 2016-10-10 | 1 | -1/+2
  The ConfigurationUtils.importCertChain() has been modified to ignore UNKNOWN_ISSUER error when connecting to a server that does not have the complete certificate chain.
  https://fedorahosted.org/pki/ticket/2497
* Fixed NSSDatabase.create_request(). | Endi S. Dewata | 2016-10-10 | 1 | -1/+1
  The NSSDatabase.create_request() has been modified to remove a superfluous argument when invoking certutil.
* Troubleshooting improvements for GetCertChain. | Endi S. Dewata | 2016-10-10 | 2 | -6/+30
  To help troubleshooting, the GetCertChain servlet has been modified to log the certificate chain being returned. The ConfigurationUtils has also been modified to log the certificate chain received.
  https://fedorahosted.org/pki/ticket/2463
* Removed duplicate classes. | Endi S. Dewata | 2016-10-10 | 13 | -28/+27
  The CMake scripts have been modified to store compiled Java classes in separate folders for each JAR file to avoid duplicates.
  https://fedorahosted.org/pki/ticket/2505
* Ticket #1527 TPS Enrollment always goes to "ca1" (bug fix) | Christina Fu | 2016-10-10 | 1 | -10/+38
  This patch fixes the bug that after revocation ca discovery, the revokeCertificate call goes back to the default ca, the ca that the certificate is to be enrolled with; this causes problems when the revocation ca is a different ca.
* Block reads during reload of LDAP-based profiles | Fraser Tweedale | 2016-10-10 | 2 | -18/+127
  LDAP disconnect (e.g. due to DS restart) causes LDAPProfileSubsystem to drop all its profiles and reload them. If a profile is read during this time, e.g. to issue a certificate, it might not have been reloaded thus causing the operation to fail.
  Introduce the AsyncLoader class which allows a consumer to await the completion of a (re)load, if one is happening. Update the getProfile and getProfileIds method to use it.
  The existing 'initialLoadDone' CountDownLatch for blocking LDAPProfileSubsystem init until the initial load of profiles is completed was subsumed by AsyncLoader.
  Fixes: https://fedorahosted.org/pki/ticket/2453
  NOTE: This patch is ONLY intended for Dogtag 10.4.0 versions and later; it is NOT intended to be back-ported to Dogtag 10.3.x versions.
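The await-a-running-reload pattern described in the commit above, as an added example in Python (not Dogtag's AsyncLoader or LDAPProfileSubsystem, which are Java). A reader that arrives while a reload is in flight parks on a condition variable until the reload finishes, instead of seeing an empty or half-populated map; the same wait covers the initial load. The backend is a constructed callable and the profiles are constructed data; there is no LDAP involved.

```python
"""Block profile reads while a (re)load is running.

Added example, not Dogtag's AsyncLoader or LDAPProfileSubsystem. A reader
that arrives while a reload is in progress waits for it to finish instead of
seeing an empty or half-populated profile map, and the same wait covers the
initial load. The backend is a constructed callable; there is no LDAP here.
"""
import threading
import time


class ProfileStore:
    def __init__(self, fetch_all):
        self._fetch_all = fetch_all        # returns {profile_id: profile}; may be slow
        self._profiles = {}
        self._cond = threading.Condition()
        self._loading = False
        self._loaded_once = False

    def reload(self):
        """Drop every profile and load them again (e.g. after an LDAP reconnect)."""
        with self._cond:
            self._loading = True
            self._profiles = {}
        fresh = {}
        try:
            fresh = self._fetch_all()      # slow call, deliberately outside the lock
        finally:
            with self._cond:
                self._profiles = fresh     # stays empty if the fetch raised
                self._loading = False
                self._loaded_once = True
                self._cond.notify_all()    # wake every reader parked in _await_load

    def _await_load(self, timeout):
        with self._cond:
            ready = self._cond.wait_for(
                lambda: self._loaded_once and not self._loading, timeout=timeout)
            if not ready:
                raise TimeoutError("profile (re)load did not complete in time")
            return dict(self._profiles)    # snapshot; callers never see the live map

    def get_profile(self, profile_id, timeout=5.0):
        return self._await_load(timeout).get(profile_id)

    def get_profile_ids(self, timeout=5.0):
        return sorted(self._await_load(timeout))


def demo(reload_delay=0.2):
    """Constructed scenario: a reload that takes reload_delay seconds while a
    reader asks for a profile. Returns (profile, seconds_waited, profile_ids)."""
    sample = {"caUserCert": {"enabled": True}, "caServerCert": {"enabled": True}}
    started = threading.Event()

    def slow_fetch():
        started.set()                      # signals that a (re)load is in flight
        time.sleep(reload_delay)
        return dict(sample)

    store = ProfileStore(slow_fetch)
    store.reload()                         # initial load, completes before we continue
    started.clear()
    worker = threading.Thread(target=store.reload)
    worker.start()
    started.wait()                         # reload is now running; the map is empty
    t0 = time.monotonic()
    profile = store.get_profile("caUserCert")   # blocks until the reload finishes
    waited = time.monotonic() - t0
    worker.join()
    return profile, waited, store.get_profile_ids()


if __name__ == "__main__":
    print(demo())
```

Without the wait, the read issued during the reload would return None for a profile that exists, which is exactly the enrollment failure the commit describes; with it, the reader pays the reload latency and gets the profile.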
* Compare serialised DNs in host authority check | Fraser Tweedale | 2016-09-23 | 1 | -1/+6
  CA startup creates an LWCA entry for the host authority if it determines that one has not already been created. It determines if an LWCA entry corresponds to the host CA by comparing the DN from LDAP with the DN from the host authority's certificate.
  If the DN from the host authority's certificate contains values encoded as PrintableString, it will compare unequal to the DN from LDAP, which parses to UTF8String AVA values. This causes the addition of a spurious host authority entry every time the server starts.
  Serialise DNs before comparing, to avoid these false negatives.
  Fixes: https://fedorahosted.org/pki/ticket/2475
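The encoding mismatch behind the commit above, as an added example (not Dogtag code). It hand-encodes the same X.500 Name twice, once with PrintableString AVA values as a certificate might carry and once with UTF8String values as an LDAP client produces, and shows that the DER bytes differ while a comparison of the serialised DNs succeeds. Only the DER subset needed here (SEQUENCE, SET, OID, the two string types) is implemented, and only the three attribute types in OIDS are named; both are assumptions of the example.

```python
"""Compare DNs by their serialised string form, not by raw DER bytes.

Added example; this is not Dogtag code. A minimal DER encoder/decoder for
X.500 Names is used to show that PrintableString and UTF8String encodings of
the same name are unequal as bytes but equal once serialised.
"""

TAG_SEQUENCE, TAG_SET, TAG_OID = 0x30, 0x31, 0x06
TAG_UTF8STRING, TAG_PRINTABLESTRING = 0x0C, 0x13

OIDS = {"CN": "2.5.4.3", "O": "2.5.4.10", "OU": "2.5.4.11"}   # assumed subset
OID_NAMES = {v: k for k, v in OIDS.items()}


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return _tlv(TAG_OID, bytes(out))


def encode_dn(avas, string_tag):
    """Encode [(attr, value), ...] as a Name of single-AVA RDNs using string_tag."""
    rdns = b""
    for attr, value in avas:
        ava = _tlv(TAG_SEQUENCE, _encode_oid(OIDS[attr]) + _tlv(string_tag, value.encode("utf-8")))
        rdns += _tlv(TAG_SET, ava)
    return _tlv(TAG_SEQUENCE, rdns)


def _read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def serialise_dn(der):
    """Serialise a DER Name as 'CN=...,O=...', ignoring each value's string tag."""
    tag, rdn_seq, _ = _read_tlv(der, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not a Name")
    parts, pos = [], 0
    while pos < len(rdn_seq):
        tag, rdn, pos = _read_tlv(rdn_seq, pos)
        if tag != TAG_SET:
            raise ValueError("RDN is not a SET")
        _, ava, _ = _read_tlv(rdn, 0)            # one AVA per RDN in this example
        _, oid_body, p = _read_tlv(ava, 0)
        vtag, value, _ = _read_tlv(ava, p)
        if vtag not in (TAG_UTF8STRING, TAG_PRINTABLESTRING):
            raise ValueError(f"unsupported AVA value tag 0x{vtag:02x}")
        oid = _decode_oid(oid_body)
        parts.append(f"{OID_NAMES.get(oid, oid)}={value.decode('utf-8')}")
    return ",".join(parts)


def dns_equal(a, b):
    """The fix from the commit: compare serialised forms, not DER or per-AVA tags."""
    return serialise_dn(a) == serialise_dn(b)


if __name__ == "__main__":
    name = [("CN", "CA Signing Certificate"), ("O", "EXAMPLE")]
    from_cert = encode_dn(name, TAG_PRINTABLESTRING)
    from_ldap = encode_dn(name, TAG_UTF8STRING)
    print("DER equal:", from_cert == from_ldap)               # False
    print("serialised equal:", dns_equal(from_cert, from_ldap))  # True
```

The example stops at string-type differences; RFC 4518 string preparation (case folding, whitespace compression) is a further normalisation step a real DN matcher needs and is not shown here.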
* Do not attempt LWCA key retrieval for host authority | Fraser Tweedale | 2016-09-23 | 1 | -1/+6
  During two-step installation of externally-signed CA, installation can fail because host authority's private key cannot be located (a temporary condition), causing LWCA key replication to fire, which throws NullPointerException because the host authority's AuthorityID has not been set yet.
  Do not start key retrieval if the CA's AuthorityID is null (a condition which implies that the CA is the host authority).
  Fixes: https://fedorahosted.org/pki/ticket/2466
* Additional improvements for SigningUnit. | Endi S. Dewata | 2016-09-21 | 1 | -0/+2
  To help troubleshooting, the SigningUnit for CA has been modified to show additional log messages.
  https://fedorahosted.org/pki/ticket/2463
* Troubleshooting improvements for ConfigurationUtils. | Endi S. Dewata | 2016-09-20 | 1 | -6/+11
  To help troubleshooting, the ConfigurationUtils has been modified to chain the original exceptions and to show additional log messages.
  https://fedorahosted.org/pki/ticket/2463
* Troubleshooting improvements for SigningUnit. | Endi S. Dewata | 2016-09-20 | 2 | -34/+34
  To help troubleshooting, the SigningUnit for CA and OCSP have been modified to chain the original exceptions.
  https://fedorahosted.org/pki/ticket/2463
* Removed support for creating system certificates in different tokens. | Endi S. Dewata | 2016-09-08 | 4 | -49/+19
  The patch that added the support for creating system certificates in different tokens causes issues in certain cases, so for now it has been reverted.
  https://fedorahosted.org/pki/ticket/2449
* Removed FixSELinuxContexts upgrade script. | Endi S. Dewata | 2016-09-07 | 2 | -36/+0
  The FixSELinuxContexts upgrade script has been removed temporarily due to a problem importing selinux library during RPM upgrade. The FixDeploymentDescriptor script number has been changed accordingly.
  https://fedorahosted.org/pki/ticket/2452
* Perform host authority check before entryUSN check | Fraser Tweedale | 2016-09-06 | 1 | -20/+21
  When processing lightweight CAs, currently we perform the entryUSN check before the host authority check. If the entry does not have an entryUSN attribute, and if the DS USN plugin is not enabled, the entry gets skipped and we do not reach the host authority check. This causes the CA to believe that it has not seen the host authority entry, and results in additional entries being added.
  Move the host authority check before the entryUSN check to avoid this scenario.
  Fixes: https://fedorahosted.org/pki/ticket/2444
* Accept LWCA entry with missing entryUSN if plugin enabled | Fraser Tweedale | 2016-09-06 | 1 | -8/+38
  Currently we abort adding a lightweight CA if its entry does not have an 'entryUSN' attribute, and log a failure, even if the USN plugin is enabled. But if the plugin is enabled, it's fine to proceed.
  Update the authority monitor to check if the USN plugin is enabled and only log the failure if it is not. Clarify the log message accordingly.
  Part of: https://fedorahosted.org/pki/ticket/2444
* Prevent deletion of host CA cert and key from NSSDB | Fraser Tweedale | 2016-09-06 | 1 | -0/+7
  If authorityMonitor observes the deletion of the host CA's authority entry, it will treat it the same as any other lightweight CA and delete the signing cert AND KEY from the NSSDB. Because the database is replicated, the change would be observed and deletion immediately effected on all running clones. Unless the main CA private key is backed up somewhere there is no way to recover from this.
  Although this scenario does not arise in normal operation, the impact is severe so add a check that prevents cert and key deletion for host authority.
  Fixes: https://fedorahosted.org/pki/ticket/2443
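The three authority-monitor rules from the commits above (host authority check before the entryUSN check, missing entryUSN tolerated only when the DS USN plugin is enabled, and no cert/key deletion for the host authority) as one added example in Python. This is a model, not Dogtag's AuthorityMonitor; the entries are constructed dicts rather than LDAP results, and HOST_DN and the "nickname" attribute are assumptions of the example.

```python
"""Order of checks when an authority monitor processes lightweight CA entries.

Added example modelling three rules: (1) recognise the host authority before
looking at entryUSN, so a USN failure can never hide it; (2) a missing
entryUSN is an error only when the DS USN plugin is disabled; (3) a delete
event for the host authority must not remove the host CA's signing cert and
key. Not Dogtag code; entries are constructed dicts.
"""
from dataclasses import dataclass, field

HOST_DN = "CN=CA Signing Certificate,O=EXAMPLE"    # assumed host CA subject DN


@dataclass
class MonitorState:
    usn_plugin_enabled: bool
    host_authority_seen: bool = False
    authorities: dict = field(default_factory=dict)  # authorityID -> entry
    nssdb: set = field(default_factory=set)          # nicknames present in the NSS DB
    log: list = field(default_factory=list)


def on_add(state, entry):
    """Handle an added/modified authority entry. Returns True if it was loaded."""
    aid = entry["authorityID"]
    # Rule 1: host authority check first, before anything that may skip the entry.
    if entry["authorityDN"] == HOST_DN:
        state.host_authority_seen = True
        state.log.append(f"{aid}: host authority entry recognised")
    # Rule 2: entryUSN is only required when the USN plugin is off.
    if "entryUSN" not in entry:
        if not state.usn_plugin_enabled:
            state.log.append(f"{aid}: skipped, no entryUSN and USN plugin disabled")
            return False
        state.log.append(f"{aid}: no entryUSN yet, USN plugin enabled, proceeding")
    state.authorities[aid] = entry
    return True


def on_delete(state, entry):
    """Handle a deleted authority entry. Returns True if cert and key were removed."""
    aid = entry["authorityID"]
    state.authorities.pop(aid, None)
    # Rule 3: the host CA's signing cert and key are never deleted, however the
    # entry disappeared; a deletion here would replicate to every clone.
    if entry["authorityDN"] == HOST_DN:
        state.log.append(f"{aid}: refusing to delete host CA cert and key")
        return False
    state.nssdb.discard(entry["nickname"])
    state.log.append(f"{aid}: deleted LWCA cert and key {entry['nickname']}")
    return True


def needs_host_authority_entry(state):
    """Startup decision: create a host authority entry only if none was seen."""
    return not state.host_authority_seen


def demo(usn_plugin_enabled):
    """Constructed run: a host entry without entryUSN, one LWCA with entryUSN,
    then a delete event for each. Returns (add results, delete results, state)."""
    host = {"authorityID": "host", "authorityDN": HOST_DN, "nickname": "caSigningCert"}
    lwca = {"authorityID": "lwca1", "authorityDN": "CN=Sub CA,O=EXAMPLE",
            "nickname": "caSigningCert lwca1", "entryUSN": "42"}
    state = MonitorState(usn_plugin_enabled, nssdb={host["nickname"], lwca["nickname"]})
    adds = (on_add(state, host), on_add(state, lwca))
    dels = (on_delete(state, host), on_delete(state, lwca))
    return adds, dels, state


if __name__ == "__main__":
    for enabled in (False, True):
        adds, dels, state = demo(enabled)
        print(f"USN plugin enabled={enabled}: adds={adds} dels={dels}")
        print("\n".join("  " + line for line in state.log))
```

The point of the ordering is visible in the plugin-disabled run: the host entry is skipped for lack of an entryUSN, yet needs_host_authority_entry() is still False, so startup does not add a second host authority entry.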
* Revoke lightweight CA certificate on deletion | Fraser Tweedale | 2016-09-06 | 3 | -3/+40
  Fixes: https://fedorahosted.org/pki/ticket/1638
* Fix CertRequestInfo URLs | Ade Lee | 2016-09-02 | 7 | -28/+31
  The URLs were generated by a UriBuilder that referred to the resource's annotated path. This top-level path changed though, even if the underlying paths did not. Replace this with a reference to the getX methods instead.
  Also fixed a few Eclipse-flagged warnings (unused imports etc).
  Ticket 2447
* Added support to create system certificates in different tokens. | Endi S. Dewata | 2016-09-02 | 4 | -19/+49
  Previously all system certificates were always created in the same token specified in the pki_token_name parameter. To allow creating system certificates in different tokens, the configuration.py has been modified to store the system certificate token names specified in pki_<cert>_token parameters into the CS.cfg before the server is started. After the server is started, the configuration servlet will read the token names from the CS.cfg and create the certificates in the appropriate token.
  https://fedorahosted.org/pki/ticket/2449
* Ticket #2446 pkispawn: make subject_dn defaults unique per instance name (for shared HSM) | Christina Fu | 2016-08-31 | 1 | -17/+17
  When installing multiple instances on the same host sharing the same HSM, if subject_dn's are not specifically spelled out with unique names for each instance, installation will fail with complaints that the same subject name and serial number already exist. This happens in the scenario if you are creating a subordinate CA, for example, that's in the same domain name as the root CA. It is very inconvenient that you are expected to spell out subject dn's of all system certs in the pkispawn config file.
  This patch changes default.cfg so that the instance name is in the default subject dn, e.g. adding it as an "ou" component: ou=%(pki_instance_name)s
* Fixed debug log in UpdateNumberRange servlet. | Endi S. Dewata | 2016-08-31 | 1 | -1/+2
  To help troubleshooting, the debug log in UpdateNumberRange servlet has been modified to show the exception stack trace.
  https://fedorahosted.org/pki/ticket/2436
* Moved subsystem initialization after database initialization. | Endi S. Dewata | 2016-08-30 | 1 | -1/+2
  Previously issues with system certificates that happen during subsystem initialization were reported as database initialization error. Database initialization actually does not depend on subsystem initialization, so to avoid confusion and to simplify the code the reInitSubsystem() in SystemConfigService is now invoked after the initializeDatabase() is complete.
  https://fedorahosted.org/pki/ticket/2423
* Fixed default token name for system certificates. | Endi S. Dewata | 2016-08-30 | 2 | -11/+38
  Previously when installing with HSM the token name has to be specified for each system certificate in the pki_<cert>_token parameters. The deployment tool has been modified such that by default it will use the token name specified in pki_token_name.
  https://fedorahosted.org/pki/ticket/2423
* Fix for BZ 1358462 | Geetika Kapoor | 2016-08-29 | 1 | -1/+5
* Added check for pki-server-nuxwdog parameter | Abhijeet Kasurde | 2016-08-29 | 1 | -1/+11
  Partially fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1353245
  Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
* Added upgrade script to fix deployment descriptors. | Endi S. Dewata | 2016-08-26 | 1 | -0/+110
  An upgrade script has been added to fix missing deployment descriptors or deployment descriptors that are pointing to non-existent or empty folders.
  https://fedorahosted.org/pki/ticket/2439
* Authentication Instance Id PinDirEnrollment with authType value as SslclientAuth is not working. Ticket #1578 | Jack Magne | 2016-08-23 | 1 | -5/+65
  The fixing of this problem required the following:
  1. Hook up a java callback that is designed to allow the selection of a candidate client auth cert to be sent to Ldap in the LdapSSLSocket factory object. Previously we simply manually set the desired client auth cert nickname, which is provided by the console interface when configuring the "removePin" portion of the UidPinDir Authentication method. Doing it this way has the benefit of giving us some logging to show when the actual client auth cert is being requested by the server. We get to see the list of candidate certs and when we match one of those with the requested cert name, established by the console. This client auth problem applies ONLY to the connection pool that is used to remove the pin attribute from an external authentication directory.
  2. Previously the code, when setting up client auth for "removePin", would make one single call to create the SSL socket to connect to ldap over client auth. Now, based on some code I saw in the JSS test suite, the socket is constructed in two steps. Doing this causes things to work. Further investigation down the line could figure out what is going on at the lower level.
  3. Was able to test this to work with the reported problem directory server provided by QE.
  Note: for pin removal to work, we must also make sure that the user we are authenticating to (through client auth) has the power to actually remove the pin attribute from various users.
* Updated pki-server subsystem-cert-update CLI. | Endi S. Dewata | 2016-08-22 | 2 | -22/+38
  The pki-server subsystem-cert-update CLI has been updated to use certutil to retrieve the certificate data from the proper token. It will also show a warning if the certificate request cannot be found.
  The NSSDatabase constructor has been modified to normalize the name of internal NSS token to None. If the token name is None, the certutil will be executed without the -h option.
  The NSSDatabase.get_cert() has been modified to prepend the token name to the certificate nickname.
  https://fedorahosted.org/pki/ticket/2440
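The token handling described in the commit above and in "Fixed default token name for system certificates" further up, as one added example in Python. It is not the project's NSSDatabase class or deployment code: a system cert's token comes from pki_<cert>_token and falls back to pki_token_name, the internal NSS software token is normalised to None so certutil runs without -h, and a cert on an external token is addressed as "<token>:<nickname>". The set of aliases for the internal token, the default database path, the sample config and the nicknames are assumptions of this example.

```python
"""Token handling for certutil, as in pki-server subsystem-cert-update.

Added example, not the project's NSSDatabase class. A system cert's token is
resolved from pki_<cert>_token with a fallback to pki_token_name, the internal
software token is normalised to None (no -h), and certs on an external token
are addressed as "<token>:<nickname>". Aliases, paths and config are assumed.
"""
import shlex

INTERNAL_TOKEN_ALIASES = {"", "internal", "internal key storage token"}   # assumed


def normalize_token(token):
    """None for the internal software token, otherwise the stripped token name."""
    if token is None or token.strip().lower() in INTERNAL_TOKEN_ALIASES:
        return None
    return token.strip()


def resolve_cert_token(config, cert):
    """pki_<cert>_token if set, otherwise pki_token_name; both normalised."""
    return normalize_token(config.get(f"pki_{cert}_token") or config.get("pki_token_name"))


def full_nickname(token, nickname):
    """certutil addresses a cert on an external token as 'token:nickname'."""
    return nickname if token is None else f"{token}:{nickname}"


def certutil_list_args(db_dir, token, nickname, password_file=None):
    """argv for `certutil -L -a` (PEM output) of one certificate."""
    args = ["certutil", "-L", "-d", db_dir]
    if token is not None:
        args += ["-h", token]                       # omitted for the internal token
    args += ["-n", full_nickname(token, nickname), "-a"]
    if password_file is not None:
        args += ["-f", password_file]
    return args


def certutil_args_for_cert(config, cert, nickname,
                           db_dir="/var/lib/pki/pki-tomcat/alias", password_file=None):
    """Resolve the token for `cert` and build the matching certutil command."""
    return certutil_list_args(db_dir, resolve_cert_token(config, cert), nickname, password_file)


if __name__ == "__main__":
    # Constructed deployment config: HSM by default, SSL server cert kept internal.
    cfg = {"pki_token_name": "NHSM6000", "pki_sslserver_token": "internal"}
    print(shlex.join(certutil_args_for_cert(cfg, "ca_signing", "caSigningCert cert-pki-ca")))
    print(shlex.join(certutil_args_for_cert(cfg, "sslserver", "Server-Cert cert-pki-ca")))
```

The two printed commands differ only in the token handling: the CA signing cert is fetched with -h NHSM6000 and the prefixed nickname, the SSL server cert without -h and with the bare nickname, which is the behaviour the commit describes for NSSDatabase.get_cert().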
* Allowing optional CA signing CSR. | Endi S. Dewata | 2016-08-22 | 2 | -7/+10
  The CA signing CSR is already stored in request record which will be imported as part of migration process, so it's not necessary to export and reimport the CSR file again for migration.
  To allow optional CSR, the pki-server subsystem-cert-validate CLI has been modified to no longer check the CSR in CS.cfg. The ConfigurationUtils.loadCertRequest() has been modified to ignore the missing CSR in CS.cfg.
  https://fedorahosted.org/pki/ticket/2440
* pki-tools CMCEnroll man page | Matthew Harmsen | 2016-08-19 | 1 | -0/+570
  * PKI TRAC Ticket #690 - [MAN] pki-tools man pages - CMCEnroll
* pki-tools HEADER/FOOTER changes | Matthew Harmsen | 2016-08-19 | 5 | -18/+29
  * PKI TRAC Ticket #2436 - Dogtag 10.3.6: Miscellaneous Enhancements
* Added debug messages for ConfigurationUtils.handleCerts(). | Endi S. Dewata | 2016-08-18 | 1 | -1/+20
  To help troubleshooting, some debug messages have been added into ConfigurationUtils.handleCerts().
  https://fedorahosted.org/pki/ticket/2436
* Fixed SelfTestService.findSelfTests(). | Endi S. Dewata | 2016-08-16 | 3 | -1/+9
  The SelfTestService.findSelfTests() has been modified to return all selftests defined in the CS.cfg.
  https://fedorahosted.org/pki/ticket/2432
* Removed misleading log in SelfTestSubsystem. | Endi S. Dewata | 2016-08-16 | 1 | -12/+2
  To avoid confusion, the isSelfTestCriticalAtStartup() and isSelfTestCriticalOnDemand() in SelfTestSubsystem have been modified to no longer log an error message if the selftest being checked does not exist in the corresponding property in CS.cfg.
  https://fedorahosted.org/pki/ticket/2432
* Added exception wrapper for invalid LDAP attribute syntax. | Endi S. Dewata | 2016-08-12 | 1 | -2/+4
  The LDAPExceptionConverter has been modified to wrap LDAPException for invalid attribute syntax with BadRequestException.
  https://fedorahosted.org/pki/ticket/833
* Added cert validation error message in selftest log. | Endi S. Dewata | 2016-08-12 | 2 | -2/+2
  To help troubleshooting, the selftest log has been modified to include the cert validation error message returned by JSS.
  https://fedorahosted.org/pki/ticket/2436
* Removed PKCS #7 from add user cert dialog in TPS UI. | Endi S. Dewata | 2016-08-12 | 2 | -1/+3
  The dialog box for adding user certificate in TPS UI has been modified to no longer mention PKCS #7. The REST service itself still accepts PKCS #7, but it should be cleaned up in the future.
  https://fedorahosted.org/pki/ticket/2437
* Improved SystemConfigService.configure() error message. | Endi S. Dewata | 2016-08-08 | 2 | -24/+19
  The pkispawn has been modified to improve the way it displays the error message returned by SystemConfigService.configure(). If the method throws a PKIException, the response is returned as a JSON message, so pkispawn will parse it and display the actual error message. For other exceptions pkispawn will display the entire HTML message returned by Tomcat.
  https://fedorahosted.org/pki/ticket/2399
* Ticket #2428 - part2 handle NullPointerException | Christina Fu | 2016-08-08 | 1 | -2/+2
* Improve setup.py for standalone Dogtag client releases | Christian Heimes | 2016-08-08 | 2 | -22/+63
  PyPI requires a different spelling of LGPLv3+ classifier. The correct name for installation requirements is 'install_requires', not 'requirements'.
  Add a new version_info command that rewrites setup.py in place to include the current version. This fixes a problem with source distributions of the client package.
* Fix lightweight CA PEM-encoded PKCS #7 cert chain retrieval | Fraser Tweedale | 2016-08-08 | 1 | -1/+1
  The method to retrieve a lightweight CA's PEM-encoded PKCS #7 cert chain incorrectly returns X.509 data wrapped in PKCS7 PEM header. Return proper PKCS #7 data.
  Fixes: https://fedorahosted.org/pki/ticket/2433
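A client-side check for the mislabelled output the commit above fixes, as an added example in Python (not Dogtag code). It decodes a PEM body labelled PKCS7 and inspects the first element of the outer SEQUENCE: a PKCS #7 ContentInfo starts with the contentType OID, while an X.509 Certificate starts with the nested tbsCertificate SEQUENCE, so a bare certificate behind PKCS7 headers is caught before it is handed to a PKCS #7 parser. The DER samples are constructed minimal placeholders, not real signedData or certificates; they only have the outer shape the check looks at.

```python
"""Check that a PEM block labelled PKCS7 really carries a PKCS #7 ContentInfo.

Added example; not Dogtag code. Inspects the first element of the outer DER
SEQUENCE: an OID means ContentInfo (PKCS #7), a SEQUENCE means Certificate.
The DER samples are constructed placeholders with only that outer shape.
"""
import base64
import re

OID_SIGNED_DATA = bytes.fromhex("06092a864886f70d010702")   # 1.2.840.113549.1.7.2

# Constructed placeholders: SEQUENCE { OID signedData, [0] { SEQUENCE {} } }
# and SEQUENCE { SEQUENCE { INTEGER 1 } }, the shape of Certificate/tbsCertificate.
SAMPLE_PKCS7_DER = bytes.fromhex("300f06092a864886f70d010702a0023000")
SAMPLE_CERT_DER = bytes.fromhex("30053003020101")


def pem_body(pem, label):
    """Base64-decode the body of the first '-----BEGIN <label>-----' block."""
    m = re.search(rf"-----BEGIN {label}-----(.*?)-----END {label}-----", pem, re.S)
    if m is None:
        raise ValueError(f"no {label} block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def _tlv(der, pos):
    """Return (tag, content_start, content_end) for the TLV at pos."""
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def der_kind(der):
    """'pkcs7' for a signedData ContentInfo, 'x509' for a Certificate, else 'unknown'."""
    if len(der) < 2:
        return "unknown"
    tag, start, end = _tlv(der, 0)
    if tag != 0x30 or end != len(der):
        return "unknown"
    inner_tag, istart, iend = _tlv(der, start)
    if inner_tag == 0x06:                             # contentType OID
        return "pkcs7" if der[start:iend] == OID_SIGNED_DATA else "pkcs7-other"
    if inner_tag == 0x30:                             # tbsCertificate
        return "x509"
    return "unknown"


def check_pkcs7_pem(pem):
    """What a client fetching a CA's PEM chain should do before trusting the label."""
    return der_kind(pem_body(pem, "PKCS7"))


def to_pem(label, der):
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


if __name__ == "__main__":
    print("correct chain:", check_pkcs7_pem(to_pem("PKCS7", SAMPLE_PKCS7_DER)))   # pkcs7
    print("buggy chain:  ", check_pkcs7_pem(to_pem("PKCS7", SAMPLE_CERT_DER)))    # x509
```

The check only classifies the outer structure; a result of "pkcs7" still has to be parsed and its certificates validated by a real PKCS #7 implementation. Its value is in turning the failure mode from the commit (a PKCS #7 parser choking on certificate bytes) into an explicit diagnosis.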
* Fix CA OCSP responder when LWCAs are not in use | Fraser Tweedale | 2016-08-08 | 1 | -1/+5
  The CA subsystem OCSP responder was updated to handle dispatching OCSP requests to the relevant CertificateAuthority instance, according to the issuer of the certificates identified in the request.
  Unfortunately, the updated routine assumes that the database updates that enable lightweight CAs have occurred. If they have not, the OCSP responder always fails.
  Fix the issue by inferring that if 'caMap' is empty, lightweight CAs are not in use, the current instance is the one and only CA, and proceed straight to validation.
  Fixes: https://fedorahosted.org/pki/ticket/2420
* Fixed PKCS #12 import for cloning. | Endi S. Dewata | 2016-08-05 | 3 | -31/+51
  To fix a cloning issue in IPA the security_database.py has been modified to import all certificates and keys in the PKCS #12 file before the PKI server is started. Since the PKCS #12 generated by IPA may not contain the certificate trust flags, the script will also reset the trust flags on the imported certificates (i.e. CT,C,C for CA certificate and u,u,Pu for audit certificate).
  The ConfigurationUtils.restoreCertsFromP12() is now redundant and it should be removed in the future, but for now it has been modified to set the same trust flags on imported certificates.
  The CryptoUtil.importCertificateChain() has also been modified to set the same trust flags on imported certificates.
  https://fedorahosted.org/pki/ticket/2424
* Added log messages for certificate import during cloning. | Endi S. Dewata | 2016-08-05 | 3 | -7/+118
  To help troubleshooting cloning issues, the security_databases.py has been modified to log the content of the PKCS #12 file before import and the NSS database after import.
  https://fedorahosted.org/pki/ticket/2424
* Added log messages for certificate validation. | Endi S. Dewata | 2016-08-05 | 2 | -29/+97
  The ConfigCertApprovalCallback has been modified such that it logs the server certificate being validated and can be configured to ignore certain validation errors.
  The ConfigurationUtils has been modified to use the ConfigCertApprovalCallback to show and validate the server certificate in all GET and POST operations except for the importCertChain() in which the code needs to ignore untrusted issuer in order to get the certificate chain via SSL.
  https://fedorahosted.org/pki/ticket/2424