| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
|
| |
cards for ExternalReg - make default keySetMappingResolver work for smart cards out of box
The earlier patch works fine for the feature requested. However, the default
keySetMappingResolver filter contains keySet extension which would fail smart
cards. Although this could be easily worked around, this patch provides the
default that would make it easier to play with.
|
| |
|
|
| |
Simple fix to correctly identify scp01/gp201 sc650 card.
|
| |
|
|
|
|
|
|
|
| |
A new man page has been added for pki <subsystem>-user-membership
commands. The pki-user-cert man page has been modified to fix some
errors.
https://fedorahosted.org/pki/ticket/1584
(cherry picked from commit 997c8ec32ed483f3af47d692039720e62fa65c94)
|
| | |
|
| |\ |
|
| | |
| |
| |
| |
| |
| |
| |
| | |
A new man page has been added for pki <subsystem>-user-membership
commands. The pki-user-cert man page has been modified to fix some
errors.
https://fedorahosted.org/pki/ticket/1584
|
| |/
|
|
| |
Simple fix to correctly identify scp01/gp201 sc650 card.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Related to ticket #1575 Internet Explorer 11: caUserCert request submission fails using the EE page.
This patch will only do the following:
Detect IE when IE11 is being used. Before this IE11 was mistaken for Firefox.
Detect IE11 specifically and warn the user that there is no support.
This ticket will live to se we can fix this properly by porting the current
VBS script to Javascript to support cert enrollment on IE 11.
|
| |
|
|
| |
join security domain Investigation shows that this issue occurs when the non-CA subsystem's SSL server and client keys are also on the HSM. While browsers (on soft token) have no issue connecting to any of the subsystems on HSM, subsystem to subsystem communication has issues when the TLS_ECDHE_RSA_* ciphers are turned on. We have decided to turn off the TLS_ECDHE_RSA_* ciphers by default (can be manually turned on if desired) based on the fact that: 1. The tested HSM seems to have issue with them (will still continue to investigate) 2. While the Perfect Forward Secrecy provides added security by the TLS_ECDHE_RSA_* ciphers, each SSL session takes 3 times longer to estabish. 3. The TLS_RSA_* ciphers are adequate at this time for the CS system operations
|
| |
|
|
|
|
|
|
|
| |
The routine that sets the password of the "pinmanager" user was
not working. A very simple one character fix takes care of it.
Ticket # 1546 - Setpin utility doesn't set the pin for users.
Checking in under the one line trivial change rule.
|
| |
|
|
|
|
|
|
| |
Some versions of pylint complain about six's moves magic:
No name 'urllib' in module '_MovedItems' (no-name-in-module)
Disable error E0611.
|
| |
|
|
|
|
|
|
| |
Some types implement __eq__ but don't provide a __hash__ function. Mark
these types as non-hashable with __hash__ = None. This fixes:
DeprecationWarning:
Overriding __eq__ blocks inheritance of __hash__ in 3.x
|
| |
|
|
|
|
|
| |
The default value for argparser's verbosity was None, but None can't be
compared to 2 in Python 3.
TypeError: unorderable types: NoneType() >= int()
|
| |
|
|
|
|
|
|
|
| |
In Python 3 subprocess.Popen() and check_out() return bytes. The rest of
PKI expects text, so the output has to be decoded.
- ascii for dnsdomainname
- sys.getfilesystemencoding() for paths
- utf-8 for the rest
|
| |
|
|
|
| |
Python 3 treats serialized XML as encoded bytes. etree must encode XML
to UTF-8 and write it to a file opened in binary mode.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Python 3's exception class has no message attribute. e.message can
either be replaced with string representation of e or e.args[0].
Use print(line, end='') instead of sys.stdout.write(). With end='' no
new line is appended.
Use six.reraise() to reraise an exception.
Remove sys.exc_clear() as it is no longer available in Python 3.
Conditionally import shutil.WindowsError.
Use six.move to import correct modules / function like quote, urlparse
and configparser.
Silence some pylint warnings. pylint doesn't understand six.moves magic
and emits a import-error warning.
Add additional tox envs to check for Python 3 compatibility.
|
| |
|
|
|
|
|
|
|
| |
Fedora 22's Python bindings for SELinux lacks sepolgen. The seobject
package is available for Python 3 but can't be imported because it
depends on sepolgen.
The workaround makes it possible to test the Python 3 port on Fedora 22.
It can be removed later once Fedora 23 is out.
|
| |
|
|
|
|
|
|
|
| |
In Python 3 dict methods like values(), items() and keys() return views
rather than lists. The iter equivalents are gone. Use six to use
iterators on Python 2 and 3.
In some places like setup.py a list is required. Use
list(somedict.values()) to get a list on all Python versions.
|
| |
|
|
|
| |
The unicode type has been renamed to str. six.text_type is unicode
in Python 2 and str in Python 3.
|
| |
|
|
|
|
| |
Python 3 has a different syntax for meta classes. The old __metaclass__
attribute is no longer supported. six.with_metaclass() constructs a
suitable metaclass for us.
|
| |
|
|
|
| |
execfile has been removed from Python 3. The upgrade importer now reads,
compiles and executed the upgrade scripts manually.
|
| |
|
|
|
| |
In Python 3 range() returns an iterator and xrange() is gone. Use
six.moves to use an iterable range() on Python 2.
|
| |
|
|
|
|
|
| |
In Python 3 raw_input() has been renamed to input() and the old,
insecure input() builtin is gone. six.moves simplifies the transition.
It provides the former raw_input() function under the same import name
on Python 2 and 3.
|
| |
|
|
|
|
|
|
|
| |
Replace print statement with Python 3's print() function.
For Python 2 'from __future__ import print_function' turns the print
statement into Python 3 compatible print function.
See https://www.python.org/dev/peps/pep-3105/
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Enforce absolute imports or explicit relative imports. Python 3 no
longer supports implicit relative imports, that is unqualified imports
from a module's directory. In order to load a module from the same
directory inside a package, use
from . import module
The future feature 'from __future__ import absolute_import' ensures that
pki uses absolute imports on Python 2, too.
See https://www.python.org/dev/peps/pep-0328/
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This patch fixes the RSA ciphers that were mistakenly turned on under ECC
section, and off under RSA section. A few adjustments have also been made
based on Bob Relyea's feedback. A new file, <instance>/conf/ciphers.info
was also created to
1. provide info on the ciphers
2. provide default rsa and ecc ciphers for admins to incorporate into earlier
instances (as migration script might not be ideal due to possible customization)
(cherry picked from commit 67c895851781d69343979cbcff138184803880ea)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Large portions of the patch was automatically created with autopep8:
find base/ -name '*.py' | xargs autopep8 --in-place --ignore E309 \
--aggressive
find base/common/upgrade base/server/upgrade -type f -and \
-not -name .gitignore | autopep8 --in-place --ignore E309 --aggressive
autopep8 --in-place --ignore E309 --aggressive \
base/common/sbin/pki-upgrade \
base/server/sbin/pkispawn \
base/server/sbin/pkidestroy \
base/server/sbin/pki-server \
base/server/sbin/pki-server-upgrade
About two dozent violations were fixed manually.
https://fedorahosted.org/pki/ticket/708
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There were some things wrong with the setpin utility.
1. There were some syntax violations that had to be dealt with or a DS with syntax checking
would not be pleased.
2. The back end is expecting a byte of hash data at the beginning of the pin.
In our case we are sending NO hash so we want this code at the beginning '-'
3. We also need to prepend the dn in front of the pin so the back end can verify the set pin.
Tested to work during both steps of the setpin process: 1) Creating the schema, 2) creating the pin.
Tested to work with actual PinBased Enrollment.
4. Fix also now supports the SHA256 hashing method only, with the sha256 being the default hash.
The no hash option is supported but puts the pin in the clear.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Console
It appears that the PortalEnroll plugin was never converted to work in the
Profile Framework.
This patch takes out the following line from CS.cfg:
auths.impl.PortalEnroll.class=com.netscape.cms.authentication.PortalEnroll
so that it cannot be instantiated from the console, nor manually in CS.cfg,
unless explicitly put back in.
While in CS.cfg.in, I found the NSSAuth auths.impl line having no real
implementation, so I remove that too.
|
| | |
|
| |
|
|
|
|
|
|
|
| |
The ListCerts servlet and the templates have been fixed to pass
the skipRevoked and skipNonValid parameters to the subsequent page.
Some debugging messages have been cleaned up as well.
https://fedorahosted.org/pki/ticket/1538
|
| |
|
|
|
|
| |
This patch changes the relevant CA enrollment admin profiles so that they accept
requests for EC certs. The issue actually not just affected KRA, it also affected
other non-CA subsystems.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
We currently disable the cert status maintenance thread on
clone CAs because CRL processing should only be done on the
master CA. Currently, the maintenance thread also performs
other checks on serial number ranges and settings. By disabling
the maintenance thread, we disable these checks too.
To fix this, we have separated the serial number checks into a
different maintenance thread, so that these tasks will occur
even if the cert status thread is disabled.
Bugzilla # 1251606
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Python 3 has deprecated and remove Exception.message. Instead we should
simply use string formatting to print the message of an Exception.
>>> import pki
>>> pki.PKIException('msg')
PKIException('msg',)
>>> pki.PKIException('msg').message
'msg'
>>> str(pki.PKIException('msg'))
'msg'
>>> '%s' % pki.PKIException('msg')
'msg'
|
| |
|
|
|
|
|
|
|
| |
Several methods except OSError before they except shutil.Error. In
Python 3 the second except clause will be ignored because in Python 3
shutil.Error is a subclass of OSError.
The body of the except clauses only differs in the logging message. A
single except clause with an isinstance() check has the same effect.
|
| |
|
|
|
| |
The exceptions module is obsolete. All builtin exception classes are
globals.
|
| |
|
|
|
| |
Since Python 2.2 most types in the types module refer to builtin type
objects, e.g. types.ListType is list.
|
| |
|
|
|
|
| |
iteritems() is the preferred way to iterate over key, value pairs.
Python-modernize can convert iteritems() to efficient code on Python 2
and 3.
|
| |
|
|
| |
https://fedorahosted.org/pki/ticket/1253
|
| |
|
|
|
|
|
| |
- PKI TRAC Ticket #1443 - pkidaemon status tomcat list URLs under PKI
subsystems which are not accessible
- PKI TRAC Ticket #1518 - OCSP ee url returned by pkidaemon status tomcat
shows an error page
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
-
This patch adds a feature to allow a directory based authentication plugin
to use bound ldap conneciton instead of anonymous.
Two files need to be edited
1. <instance>/conf/password.conf
add a "tag" and the password of the binding user dn to the file
e.g. externalLDAP=password123
2. <instance>/ca/CS.cfg
add the tag to cms.passwordlist:
e.g. cms.passwordlist=internaldb,replicationdb,externalLDAP
add the authPrefix of the auths entry for the authentication instance
e.g. externalLDAP.authPrefix=auths.instance.UserDirEnrollment
add relevant entries to the authentication instance
e.g. auths.instance.UserDirEnrollment.ldap.ldapBoundConn=true
auths.instance.UserDirEnrollment.ldap.ldapauth.authtype=BasicAuth
auths.instance.UserDirEnrollment.ldap.ldapauth.bindDN=uid=rhcs,ou=serviceaccounts,dc=EXAMPLE,dc=com
auths.instance.UserDirEnrollment.ldap.ldapauth.bindPWPrompt=externalLDAP
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The CA services have been modified to inject request hostname and
address into the certificate request object such that they will be
stored in the database. This fixes the problem with requests
submitted either via the UI or the CLI.
An unused method in CertRequestResource has been removed. Some
debug messages have been cleaned as well.
https://fedorahosted.org/pki/ticket/1535
|
| |
|
|
|
| |
- PKI TRAC Ticket #1522 - CA UI adds extra space in Base 64 encoded
certificate display
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
When setting up a clone, indexes are added before the
replication agreements are set up and the consumer is initialized.
Thus, as data is replicated and added to the clone db, the
data is indexed.
When cloning is done with the replication agreements already set
up and the data replicated, the existing data is not indexed and
cannot be accessed in searches. The data needs to be reindexed.
Related to ticket 1414
|
| |
|
|
|
|
|
|
| |
Ticket #1523
Move the dire warning about the crypto object to sections where it applies.
Also slightly changed the message due to context.
|
| |
|
|
|
| |
- PKI TRAC Ticket #1524 - pkispawn: certutil options incorrect for creating
ecc admin certificate
|
| |
|
|
|
|
|
|
|
| |
It is true that his setting is not present.
The generic code that revokes certs for a format checks this value.
No harm in putting this value in the CS.cfg and setting it to false by
default for the externalRegAddToToken profile. No harm in giving the user
the way to use this feature , even if we decide it is not a good idea to revoke
certs associated with the external reg feature.
|
| | |
|
| |
|
|
|
|
|
| |
still shows old key
Simple matter of not updating the token record at the end of the pin reset operation.
Also, make sure the activity log is correct.
|
| |
|
|
|
|
|
|
| |
Noise file does not actually need to have random data because
NSS does not actually use this data. Certutil still needs
the file though, so we will put dummy data in there. This
solves potential problems with the random() method used and also
issues like BZ 1244382
|
