| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
|
|
|
|
| |
The ExternalProcessKeyRetriever currently uses a hackish format
where the certificate and PKIArchiveOptions data are separated by a
null byte. Update the code to expect JSON instead.
No backwards compatibility is provided because at time of writing
the ExternalProcessKeyRetriever is only used in a FreeIPA feature
still under development.
Fixes: https://fedorahosted.org/pki/ticket/2351
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add the CertificateAuthority.renewAuthority() method that creates
and processes a renewal request for the lightweight CA's signing
cert. The new certificate replaces the old certificate in the NSSDB
and the serial number is stored in the 'authoritySerial' attribute.
Clones observe when the 'authoritySerial' attribute has changed and
update the certificate in their NSSDB, too.
The renewal behaviour is available in the REST API as a POST to
/ca/rest/authorities/<id>/renew.
Fixes: https://fedorahosted.org/pki/ticket/2327
|
| |
|
|
|
|
|
|
| |
When renewing a certificate, propagate the Authority ID from the
original request to the new request, to ensure that the new
certificate is issued by the same issuer as the original.
Part of: https://fedorahosted.org/pki/ticket/2327
|
| |
|
|
|
|
|
| |
The selftest interface has been removed from TPS UI to avoid
confusion due to its limited usefulness.
https://fedorahosted.org/pki/ticket/2344
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This simple fix will grab the subject info out of the cert
associated with either pending or complete recovery requests being
viewed in the KRA UI.
For example:
KeyOwner: UID=jmagne, O=Token Key User
Will be displayed.
This simple fix should be good enough for this round, despite the bug
asking about agent info and such.
Ticket : Ticket #1512 : Key owner info missing from the Search results of Recovery request
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The TPS UI has been modified to display the token activity message
in a textarea to avoid truncation.
The UI framework class has been modified to handle textarea.
The CSS has been modified to align the field label with the top of
textarea.
https://fedorahosted.org/pki/ticket/2299
|
| |
|
|
| |
for "List Request" This patch allows KRA agent to list netkeyKeyRecovery requests.
|
| |
|
|
|
|
|
|
| |
This allows IPA to handle the case of a pure ipv6
environment in which the ipv4 loopback interface is
not available.
Ticket 1717
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Added pki-server kra-db-vlv-add, kra-db-vlv-del, kra-db-vlv-reindex
Added pki-server db-schema-upgrade
If the admin has the directory manager (or equivalent) simple creds,
then they can enter them as parameters and perform the operations.
Otherwise, they can specify --generate-ldif to generate LDIF files
containing the changes that need to be implemented, and implement
them using GSSAPI or otherwise.
Tickets 2320, 2319
|
| |
|
|
|
|
|
|
|
| |
For the benefit of code locality and subsequent to the
generalisation of IPACustodiaKeyRetriever to
ExternalProcessKeyRetriever, the pki-ipa-retrieve-key script is
being moved to the FreeIPA codebase.
Part of: https://fedorahosted.org/pki/ticket/1625
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The IPACustodiaKeyRetriever doesn't really do anything specific to
IPA or Custodia; it merely executes a certain executable with a
particular behavioural contract.
Add support for passing configuration to KeyRetriever instances, and
rename IPACustodiaKeyRetriever to ExternalProcessKeyRetriever,
updating it to use the "executable" config property instead of a
hardcoded filename.
Part of: https://fedorahosted.org/pki/ticket/1625
|
| |
|
|
|
|
|
| |
If lightweight CA key retrieval fails, retry the retieval after a
delay of 10 seconds initially, increasing thereafter.
Fixes: https://fedorahosted.org/pki/ticket/2293
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
If additional LDAP events are processed for a lightweight CA while
key retrieval proceeds in another thread, when retrieval is
complete, the KeyRetrieverRunner reinitialises the signing unit of a
stale object.
Instead of holding onto a CertificateAuthority, hold onto the
AuthorityID and look it up afresh when ready to reinitialise its
SigningUnit.
Part of: https://fedorahosted.org/pki/ticket/2293
|
| |
|
|
|
|
|
|
|
|
| |
Before implementing lightweight CA key retrieval retry with
exponential backoff, ensure that only one key retriever thread can
execute at a time, for each CA.
Also make SigningUnit initialisation (initSigUnit) synchronised.
Part of: https://fedorahosted.org/pki/ticket/2293
|
| |
|
|
|
|
|
|
|
| |
When manufacturing a CertRequestInfo, CertRequestInfoFactory
includes the serial number of issued certs, but does not show serial
numbers of revoked certs for completed revocation requests.
Include the serial number for this case.
Fixes: https://fedorahosted.org/pki/ticket/1073
|
| |
|
|
|
|
|
|
|
|
| |
When processing a request whose target CA has been deleted in
between request submission and request approval, the server does not
handle the CANotFoundException, resulting in response status 500.
Catch the CANotFoundException and respond with status 410 Gone.
Fixes: https://fedorahosted.org/pki/ticket/2332
|
| |
|
|
|
|
|
| |
When processing a CA deletion that occurred on another clone, remove
the CA's certificate and key from the local NSSDB.
Fixes: https://fedorahosted.org/pki/ticket/2328
|
| |
|
|
|
|
|
|
|
| |
When deleting lightweight CAs, the call to
CryptoStore.deletePrivateKey() throws an exception because the
preceding call to CryptoStore.deleteCert() also deletes the key.
Remove the redundant call and add some commentary.
Fixes: https://fedorahosted.org/pki/ticket/1640
|
| |
|
|
|
|
|
| |
This patch comments out unneeded data in TMS debug logs (TPS&TKS);
It reduces the size of the debug logs by a lot.
Note that for ease of later development debugging, the debug lines
are commented out instead of being removed
|
| |
|
|
|
|
|
|
|
| |
The TPSSubsystem has been modified to load and validate the token
state transition lists during initialization. If any of the lists
is empty or any of the transitions is invalid, the initialization
will fail and the subsystem will not start.
https://fedorahosted.org/pki/ticket/2334
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
The legacy KRA servlet has been modified to check the realm
if present in the request, or only return non-realm requests
if not present.
No attempt is made to fix the error reporting of the servlet.
As such, an authz failure due to the realm check is handled
in the same way that other authz failures are handled.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The old KRA servlets to list and display keys do not go through
the same code paths as the REST API. Therefore, they do not
check the authz realm.
This patch adds the relevant code. No attempt is made to fix the
error handling of the old servlets. the long term solution for this
is to deprecate the old servlets and make the UI use the REST API
instead. Therefore, authz failures due to realm checks are handled
in the same way as other authz changes.
|
| |
|
|
|
| |
- PKI TRAC #1677 - Pkidestroy of a TPS instance installed in a shared tomcat
throws error.
|
| |
|
|
|
|
|
|
| |
The TPS VLV indexes have been fixed to use the correct vlvScope
(i.e. one level). The unsupported minus sign in vlvSort and the
redundant vlvEnabled have been removed.
https://fedorahosted.org/pki/ticket/2342
|
| |
|
|
|
|
|
|
|
|
|
| |
The RenewalProcessor.processRenewal() has been modified to get the
serial number of the certificate to renew from the profile input
in addition to the <SerialNumber> attribute and client certificate.
The serialNum field in CertEnrollmentRequest has been modified to
use CertId which accepts both decimal and hexadecimal value.
https://fedorahosted.org/pki/ticket/999
|
| |
|
|
|
|
|
|
|
|
|
| |
The RenewalProcessor.getSerialNumberFromCert() has been modified
to throw an exception instead of returning null to pass the error
message to the client to help troubleshooting.
The code has also be modified to remove redundant null checking
and redundant decoding and re-encoding.
https://fedorahosted.org/pki/ticket/999
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The instance name is used in NSSDB key nicknames, which are stored
in the authorityKeyNickname attribute for mapping lightweight CAs to
their keys. The schema was PrintableString, which does not permit
'_', causing LDAP syntax errors if the instance name contains '_'.
To avoid this issue, change the attribute syntax to IA5String.
Existing instances should be largely unaffected. The schema update
can be successfully applied even for existing attributes, because
PrintableString and IA5String share the same underlying
representation in 389DS.
Fixes: https://fedorahosted.org/pki/ticket/2343
|
| |
|
|
|
|
|
|
|
| |
The CertUtils.verifySystemCertByNickname() has been modified to call
CryptoManager.verifyCertificate() to validate the system certificates
which will provide better information (i.e. NSS error message and
stack trace) to troubleshoot validation issues.
https://fedorahosted.org/pki/ticket/850
|
| |
|
|
|
|
| |
This patch handles Ticket 2298 non-TMS key archival/recovery, as well as
Ticket 2271 TMS recovery request ldap entries
Fields are zeroed out before being deleted in KRA request records
|
| |
|
|
|
|
|
|
| |
All methods in ProxyRealms for Tomcat 7 and 8 have been modified
to check whether the subsystem is available, then generate a proper
error message instead of null pointer exception.
https://fedorahosted.org/pki/ticket/2326
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The vlv.ldif for TPS has been modified to remove the hard-coded
database name and to use customizable parameter instead.
The token and activity REST services have been modified to search
the database using VLV.
The existing database can be fixed using the following procedure:
http://pki.fedoraproject.org/wiki/Database_Upgrade_for_PKI_10.3.x#Relocating_VLV_indexes
https://fedorahosted.org/pki/ticket/2342
|
| |
|
|
| |
Ticket 2254
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch fixes the following areas:
* In the CA, when revokeCert is called, make it possible to move from on_hold
to revoke.
* In the servlet that handles TPS revoke (DoRevokeTPS), make sure it allows
the on_hold cert to be put in the bucket to be revoked.
* there are a few minor fixes such as typos and one have to do with the
populate method in SubjectDNInput.java needs better handling of subject in
case it's null.
Note: This patch does not make attempt to allow agents to revoke certs that
are on_hold from agent interface. The search filter needs to be modified to
allow that.
|
| |
|
|
|
|
|
|
| |
The deployment tool has been modified to support adding Subordinate
CA extension into the CSR for Microsoft CA, and also adding generic
extensions to any system certificate.
https://fedorahosted.org/pki/ticket/2312
|
| |
|
|
|
|
|
| |
The date on which the certificate is revoked and the agent that
revoked it is displayed now in cert-find and cert-show output.
Ticket 1055
|
| |
|
|
|
|
|
|
|
| |
The REST API expects the integer revocation code to be passed
in a certificate search. We have modified the client to allow
the user to provide either a revocation code or a revocation
reason as a search parameter.
Ticket 1053
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Previously cert enrollment might fail after editing the profile
using the console. This is because the console added an empty
rangeUnit parameter, but the server rejected the empty value.
The convertRangeUnit() methods in several classes have been
modified to accept the empty value and convert it into the
default value (i.e. day).
https://fedorahosted.org/pki/ticket/2308
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Right now, if publishing is enabled, both CRLs and Cert publishing
is enabled. This causes a bunch of spurious error messages on
IPA servers as cert publishing is not configured.
As it is impossible to determine if cert publishing is not desired
or simply misconfigured, we provide options to explicitly disable
either cert or crl publishing.
Specifically:
* to enable/disable both cert and crl publishing:
ca.publish.enable = True/False
This is the legacy behavior.
* to enable CRL publishing only:
ca.publish.enable = True
ca.publish.cert.enable = False
* to enable cert publishing only:
ca.publish.enable = True
ca.publish.crl.enable = False
Ticket 2275
|
| |
|
|
|
|
|
|
|
| |
The PKISubsystem.load() and PKIInstance.load() have been modified
to ignore blank and comment lines in CS.cfg and password.conf. If
the code fails to parse a line it will throw an exception showing
the location of the invalid line.
https://fedorahosted.org/pki/ticket/2314
|
| |
|
|
|
|
|
|
|
| |
The TPS UI has been modified to provide an interface to manage the
user certificates.
The UserService has been modified to provide better error messages.
https://fedorahosted.org/pki/ticket/1434
|
| |
|
|
|
|
|
|
|
|
| |
The TPS UI has been modified to provide an interface to manage
the user roles.
The ErrorDialog was modified to handle both text and JSON error
responses.
https://fedorahosted.org/pki/ticket/2267
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Ticket #801 : Merge pki-symkey into jss
What is supported:
1. Everything that is needed to support Secure Channel Protocol 01.
2. Supports the nist sp800 kdf and the original kdf.
3. Supports key unwrapping used by TPS which was formerly in the symkey JNI.
Requires:
1. A new JSS that supports more advanced symkey operations such as key derivation, more advanced key
unwrapping , and a way to list and identify a given symmetric key by name. Version of new Jss will be forthcoming.
Still to do:
1. Port over the 2 or 3 SCP02 routines from Symkey to use this code.
2. The original symkey will remain in place until we can port over everything.
3. SCP03 support can be added later.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This ticket was reopened due to retrieving wrong ca connector config param for the case when format is done within an enrollment.
The following is attempted:
op.enroll.userKey.ca.conn
while the following is intended:
op.format.userKey.ca.conn
In addition, this patch also fixes the following issues;
a. reason param name is not conforming: "reason" instead of "revokeReason"
b. adding default reason to format TPS profiles
c. by default mappingResolver.formatProfileMappingResolver resolves
to tokenKey, while enroll resolves to userKey.
-> now changed the userKey
d. if revocation fails during format, it was forgiving.
-> now changed so that error is logged in activity log and exception
thrown and bail out
|
| | |
|
| | |
|
| |
|
|
| |
- PKI TRAC Ticket #2306 - Chrome Can Not Submit EC Client Cert Requests
|
| |
|
|
|
|
|
|
|
| |
The pki-server ca-db-upgrade command has been renamed to db-upgrade
to be more general. In the future the command can be refactored to
handle additional upgrade scripts. Additional log messages have
been added to show the upgrade activities in verbose mode.
https://fedorahosted.org/pki/ticket/1667
|
| |
|
|
|
|
|
|
|
| |
Add the 'ca-db-upgrade' command to 'pki-server'. This command
updates certificate records to add the issuerName attribute where
missing. If other database updates are needed in future, they can
be added to this command.
Part of: https://fedorahosted.org/pki/ticket/1667
|
