| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The system certificate validation command has been modified to
check for both 'internal' and 'Internal Key Storage Token' since
both are valid names for the internal token.
Additional checks have been added to validate the certificate
parameters in CS.cfg.
The output of the command has been modified to be more consistent
with other pki-server commands.
The pki client-cert-validate invocation has been fixed to use -C
option to specify the NSS database password in a file.
https://fedorahosted.org/pki/ticket/2043
|
| |
|
|
|
|
| |
This patch requires JSS with the jss-lunasaUnwrap.patch to work properly on the lunaSA.
It is also required for the lunaSA to be of the following model:
CKE – Key Export Models
|
| |
|
|
|
|
|
|
| |
Add issuer DN and serial number to the AuthorityData object, as
read-only attributes. Values are displayed in the CLI, when present
in the response data.
Fixes: https://fedorahosted.org/pki/ticket/1618
|
| |
|
|
|
|
|
| |
To help troubleshooting the code has been modified to log more
detailed information in pre-op mode.
https://fedorahosted.org/pki/ticket/1654
|
| |
|
|
|
|
|
|
| |
The TPS UI has been modified to show a warning message about
removing the certificates and keys from the token when marking
it for reuse.
https://fedorahosted.org/pki/ticket/2287
|
| |
|
|
|
|
|
| |
A new token status UNFORMATTED has been added for new tokens added
via UI/CLI and for TERMINATED tokens that are to be reused.
https://fedorahosted.org/pki/ticket/2287
|
| |
|
|
|
|
| |
The token status READY has been renamed to FORMATTED for clarity.
https://fedorahosted.org/pki/ticket/2288
|
| |
|
|
|
|
|
|
|
| |
An unparseable subject DN is ignored, causing NPE in subsequent
processing becaues the subject DN was not set. Throw
ERejectException if the subject DN is invalid, to ensure that a
useful response can be returned to the requestor.
Fixes: https://fedorahosted.org/pki/ticket/2317
|
| |
|
|
|
| |
- PKI TRAC Ticket #2323 - Firefox Warning appears in EE page launched from
within Chrome
|
| |
|
|
|
|
|
|
| |
Ticket #1636.
Smartcard token enroll/format fails when the ldap user has special characters in userid or password
Tested with both esc and tpsclient. The problem was when using a real card because the client uri encodes
the authentication creds and the server needs to decode them.
|
| |
|
|
|
|
|
| |
Ticket #1921
Trivial fix to add or up this connectionTimeout value to 80000 or 80 secs.
Fix already tested informally in the field by QE.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
The key is now generated with the flags needed to keep the data from being displayed
with simple tools such as symkeyutil.
As per cfu's instructions,
I was able to test this with the nethsm only.
I also was able to make the key des3 and everything works fine with the master key.
This will help all the warnings we get about insecure des2 keys.
If there is a problem with luna, we can file another ticket.
Also there could be a built in tool for luna to generate keys such as is present on hsm.
|
| |
|
|
|
|
|
|
| |
The deployment tool has been modified to generate CSR with basic
constraints and key usage extensions for the externally-signed CA
signing certificate.
https://fedorahosted.org/pki/ticket/2312
|
| |
|
|
|
|
|
| |
The ConfigurationUtils.handleCertRequest() has been modified
to throw an exception on error during CSR generation instead
of silently ignoring it. The method has also been renamed to
generateCertRequest() for clarity.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Previously, in external CA case if pkispawn was executed with
pki_skip_configuration=True, it would stop the execution before
the step 1 was fully completed (i.e. generating CSR), but it would
incorrectly show a message indicating the CSR has been generated.
The code that displays the installation summary has been fixed to
check for pki_skip_configuration first before checking for external
CA case to ensure that it displays the appropriate message for each
step.
The code that generates the Tomcat instance systemd service link
was moved into instance_layout.py to avoid redundant executions.
The pkispawn and pkidestroy have also be modified to remove
redundant log of deployment parameters in master dictionary.
|
| |
|
|
|
|
| |
If the existing CA keys are in an HSM, the code fails to
load the keys becauseit does not take into account the full nickname.
This small fix addresses this bug.
|
| |
|
|
| |
This patch adds the token prefix to connector nickName's when installed with HSM
|
| |
|
|
|
|
|
|
| |
Now that Dogtag can host multiple CAs in a single instance, indicate
the issuer DN in the CertDataInfo structure that is returned for
certificate searches.
Fixes: https://fedorahosted.org/pki/ticket/2322
|
| |
|
|
|
|
|
|
| |
Now that Dogtag can host multiple CAs in a single instance, add a
certificate search parameter for limiting searches to a particular
issuer.
Fixes: https://fedorahosted.org/pki/ticket/2321
|
| |
|
|
| |
Part of Ticket 2041
|
| |
|
|
| |
Ticket 2041
|
| |
|
|
|
|
|
| |
With this fix, error messages are returned to the user when
a request is rejected - either in the UI or from the pki CLI.
Trac Ticket 1247 (amongst others)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Requests to the KRA through the CA-KRA connector use the Enrollment
Service. This has been modified to read and store any realm passed in.
The realm can be added to the request by havibg the admin add
a AuthzRealmDefault and AuthzRealmConstraint in a profile.
At this point, all the constraint does is verify that the realm is
one of a specified list of realms. More verification will be added
in a subsequent patch.
No attempt is made yet to allow users to specify the realm. This
would need to be added as a ProfileInput.
Part of Ticket 2041
|
| |
|
|
|
|
|
|
|
|
|
| |
New deployment parameters have been added to customize the serial
number range, request number range, and replica number range in
CS.cfg during installation.
The code that generates the CS.cfg has been moved closer to the
code that generates the subsystem configuration folder.
https://fedorahosted.org/pki/ticket/2278
|
| |
|
|
|
|
|
|
|
| |
Previously a deployment parameter has to be added to pkislots.cfg
before it can be used in copy_with_slot_substitution(). The method
has been modified to support substitutions using the deployment
parameters directly, which simplifies the development.
https://fedorahosted.org/pki/ticket/2278
|
| |
|
|
|
|
|
|
| |
The CS.cfg.in have been renamed to CS.cfg to clean up the CMake
scripts and for consistency. This change does not affect the actual
files shipped in the RPM packages.
https://fedorahosted.org/pki/ticket/2278
|
| |
|
|
| |
Part of: https://fedorahosted.org/pki/ticket/1625
|
| |
|
|
|
|
|
|
|
| |
Accept the string "host-authority" as a valid reference to the host
authority when creating a sub-CA. This is a convenience for users,
and for systems that do not know (and do not want to look up) the ID
of the host authority.
Part of: https://fedorahosted.org/pki/ticket/1625
|
| |
|
|
|
|
|
|
| |
Lightweight CAs were supported in REST-based request submission, but
not via ProfileSubmitServlet, however, FreeIPA currently uses
ProfileSubmitServlet, so make it possible to use lightweight CAs.
Part of: https://fedorahosted.org/pki/ticket/1625
|
| |
|
|
|
|
|
|
|
| |
The LDAP attribute for token status has been modified to store the
same values displayed on the CLI. This way searching tokens with
specific status can be done correctly with simple LDAP filter such
as (tokenStatus=<status>).
https://fedorahosted.org/pki/ticket/2296
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The tps.operations.allowedTransitions property has been updated
to include 4:4 transition by default.
The inline documentation for tokendb.allowedTransitions and
tps.operations.allowedTransitions has been updated to remove
unsupported states and to add a note about adding/removing
transitions.
https://fedorahosted.org/pki/ticket/1290
|
| |
|
|
|
| |
- PKI TRAC Ticket #1669 - adminEnroll servlet EnrollSuccess.template
succeeds but fails on import into browser
|
| |
|
|
|
|
|
|
| |
Some certificate profiles have been modified to remove the default
one minute validity delay, allowing the certificate issued with
those profiles to be used immediately.
https://fedorahosted.org/pki/ticket/2304
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Add 'IPACustodiaKeyRetriever', a 'KeyRetriever' implementation for
use when Dogtag is deployed as a FreeIPA CA. The Java class invokes
'pki-ipa-retrieve-key', a Python script that retrieves lightweight
CA keys from the Custodia server on a replica that possesses the
keys. 'pki-ipa-retrieve-key' depends on FreeIPA libraries, FreeIPA
server configuration, and Kerberos and Custodia keys owned by
'pkiuser'.
Part of: https://fedorahosted.org/pki/ticket/1625
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Add the framework for key retrieval when a lightweight CA is missing
its signing key. This includes all the bits for loading a
KeyRetriever implementation, initiating retrieval in a thread and
updating the record of which clones possess the key if retrieval was
successful.
It does not include a KeyRetriever implementation. A subsequent
commit will provide this.
Part of: https://fedorahosted.org/pki/ticket/1625
|
| |
|
|
|
|
|
|
|
| |
Add the 'pki ca-authority-key-export' CLI command for exporting a
PKIArchiveOptions object containing a nominated target key, wrapped
by a nominated wrapping key. This command is to be used by Custodia
to export key data for transmission to a requesting clone.
Part of: https://fedorahosted.org/pki/ticket/1625
|
| |
|
|
|
|
|
|
| |
Add the method CryptoUtil.importPKIArchiveOptions for importing a
wrapped key from a PKIArchiveOptions object. Also add another
variant of the createPKIArchiveOptions method, with a narrower API.
Part of: https://fedorahosted.org/pki/ticket/1625
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Add the 'authorityKeyHost' attribute which will contain names of
hosts that possess the authority's signing keys.
Add the 'authoritySerial' attribute which may contain the serial
number of the certificate most recently issued for the authority.
Change other attributes to be single-valued.
Part of: https://fedorahosted.org/pki/ticket/1625
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
'getX509CertFromToken' erroneously compares Issuer DN of given cert
with Subject DNs of cert in NSSDB. It falsely returns the parent of
the target cert, if the certs have the same serial number.
In the context of how this method is used, it causes the deletion of
an external CA certificate from the NSSDB if the serial numbers
match, and subsequent certificate verification failure when
connecting to LDAP.
Update the method to check the Issuer DN.
Fixes: https://fedorahosted.org/pki/ticket/2301
|
| |
|
|
|
|
|
|
|
|
|
| |
The token status UNINITIALIZED has been renamed to READY for
clarity.
To simplify the transition, the CLIs and the REST API will continue
to accept UNINITIALIZED but it will be converted internally into
READY and a deprecation warning will be generated.
https://fedorahosted.org/pki/ticket/2288
|
| |
|
|
|
|
|
|
|
|
|
| |
The token status TEMP_LOST has been renamed to SUSPENDED such that
it can be used more general contexts.
To simplify the transition, the CLIs and the REST API will continue
to accept TEMP_LOST but it will be converted internally into
SUSPENDED and a deprecation warning will be generated.
https://fedorahosted.org/pki/ticket/2286
|
| |
|
|
|
|
|
|
| |
The TokenStatus enumeration has been converted into a class to
allow overriding the TokenStatus.valueOf() to provide backward
compatibility.
https://fedorahosted.org/pki/ticket/2286
|
| |
|
|
|
|
|
|
| |
When either an existing CA or external CA installation is
performed, use the pki-server cert validation tool to check
the signing certiticate and chain.
Ticket #2043
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We add two different calls:
1. pki client-cert-validate - which checks a certificate in the client
certdb and calls the System cert verification call performed by JSS
in the system self test. This does some basic extensions and trust
tests, and also validates cert validity and cert trust chain.
2. pki-server subsystem-cert-validate <subsystem>
This calls pki client-cert-validate using the nssdb for the subsystem
on all of the system certificates by default (or just one if the
nickname is defined).
This is a great thing to call when healthchecking an instance,
and also will be used by pkispawn to verify the signing cert in the
externally signed CA case.
Trac Ticket 2043
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Previously the finalization scriptlet was always executed in each
pkispawn execution. In multi-step installations (e.g. external CA,
standalone, or installation/configuration-only mode) some of the
code in the scriptlet such as enabling systemd service, restarting
the service, and purging client database will be redundant.
Now the scriptlet has been modified to execute only in the final
step of the installation. The code that archives the deployment
and manifest files has been moved into pkispawn to ensure that it
is always executed in each pkispawn execution.
For clarity the method that displays the installation summary has
been broken up into separate methods for standalone step 1,
installation-only mode, and configuration-only/full installation.
|
| |
|
|
|
|
|
|
| |
The print_existing_ca_step_one_information() has been removed from
pkispawn since existing CA installation no longer requires two-step
operation.
https://fedorahosted.org/pki/ticket/1736
|
| |
|
|
|
|
|
|
| |
When installing a standalone KRA the admin certificate is base-64
encoded and stored in the kra.admin.cert property in the CS.cfg.
Previously the encoded certificate contains EOL characters which
may cause uninstall to fail due to parsing error. The install code
has been fixed to normalize the encoded certificate properly.
|
| |
|
|
| |
- PKI TRAC Ticket #856 - Incorrect clone installation summary
|
| |
|
|
|
|
| |
The StringUtils.equals() invocation in AuthzSubsystem has been
replaced with regular String.equals() since it's unavailable in
apache-commons-codec 1.8.
|
| |
|
|
|
|
|
|
| |
The unused rv instance variables in all deployment scriptlets have
been removed. The spawn() and destroy() are now returning None
instead of error code. If an error happens during execution the
scriptlet will throw an exception which will be caught by pkispawn
or pkidestroy and then displayed to the user.
|
