summaryrefslogtreecommitdiffstats
path: root/base
Commit message (Collapse)AuthorAgeFilesLines
...
* Updated ECAException constructor.Endi S. Dewata2017-05-261-3/+3
| | | | | | | | | The ECAException constructor has been modified to accept a more generic Throwable instead of Exception. https://pagure.io/dogtagpki/issue/2651 Change-Id: I2a63fad2f8a3216fe8d33f550d3571d2fec2c4ee
* Refactored CRLIssuingPoint.generateFullCRL().Endi S. Dewata2017-05-251-40/+40
| | | | | | | | | The code related to full CRL generation has been moved into generateFullCRL(). https://pagure.io/dogtagpki/issue/2651 Change-Id: I6a23c97255ba7095e168e927621f0503923251c2
* Refactored CRLIssuingPoint.generateDeltaCRL().Endi S. Dewata2017-05-251-48/+54
| | | | | | | | | The code related to delta CRL generation has been moved into generateDeltaCRL(). https://pagure.io/dogtagpki/issue/2651 Change-Id: Ic38c654cea03fe8748bd9663b5414fbe8e762f26
* Replaced SHA1-based random number generators.Endi S. Dewata2017-05-253-4/+13
| | | | | | | | | The SHA1-based random number generators in some classes have been replaced with the random number generator provided by JssSubsystem. https://pagure.io/dogtagpki/issue/2695 Change-Id: Id0285dbc8c940fa7afb8feccab3086030d949514
* Encapsulate server side keygen audit eventsAde Lee2017-05-256-37/+113
| | | | | | | | | This encapsulates key gen events for the token servlets. Consolidated the success and failure cases. Note that this event can likely later be replaced with security_data_keygen events. Leaving separate for now. Change-Id: I6caaeb2231fd2f7410eade03cb5fa93d66444bbf
* Encapsulate key status change audit logsAde Lee2017-05-254-13/+57
| | | | Change-Id: I57b30cdff571056d0a95436858308872a8dc007b
* Added CRLIssuingPoint.generateFullCRL().Endi S. Dewata2017-05-251-120/+134
| | | | | | | | | | The code that generates full CRL in updateCRLNow() in CRLIssuingPoint has been refactored into a separate generateFullCRL() method for clarity. https://pagure.io/dogtagpki/issue/2651 Change-Id: I4356f3ba71e523cb0f8fa8aa25c34a7a6b6ac49e
* Added CRLIssuingPoint.generateDeltaCRL().Endi S. Dewata2017-05-251-67/+93
| | | | | | | | | | The code that generates delta CRL in updateCRLNow() in CRLIssuingPoint has been refactored into a separate generateDeltaCRL() method for clarity. https://pagure.io/dogtagpki/issue/2651 Change-Id: I494524ba3fffd89e4edd995c2fa32b9f55104c4a
* Added CRLIssuingPoint.generateCRLExtensions().Endi S. Dewata2017-05-251-23/+22
| | | | | | | | | | The code that generates CRLExtensions in updateCRLNow() in CRLIssuingPoint has been refactored into a separate generateCRLExtensions() method for clarity. https://pagure.io/dogtagpki/issue/2651 Change-Id: I33d7477ccb8b408c54d9c026dea070a7198beffd
* Replaced random number generator in RequestQueue.Endi S. Dewata2017-05-251-3/+6
| | | | | | | | | The RequestQueue has been modified to use the random number generator provided by JssSubsystem. https://pagure.io/dogtagpki/issue/2695 Change-Id: Id93f769d1fca154ee385a3dcebee55b13a65d38e
* Replaced random number generator in SecurityDataProcessor.Endi S. Dewata2017-05-251-6/+19
| | | | | | | | | The SecurityDataProcessor has been modified to use the random number generator provided by JssSubsystem. https://pagure.io/dogtagpki/issue/2695 Change-Id: Ibca684a2165266456c4b28cba5eae4136940d189
* Encapsulate symmetric and asymmetric keygen audit eventsAde Lee2017-05-249-41/+221
| | | | Change-Id: Ifc8d05bd1d2d34bb0ef25877f838731bed58d00e
* Now the program can create and import shared secret keys while under FIPS mode.Jack Magne2017-05-243-22/+87
|
* Updated OCSP log messages.Endi S. Dewata2017-05-243-12/+32
| | | | | | | | | Some log messages in OCSP-related code have been updated for clarity. https://pagure.io/dogtagpki/issue/2652 Change-Id: Ie81b95906a0d9aef6126fb205a4bcec028731e39
* Cleaned up DefStore.processRequest() (part 3).Endi S. Dewata2017-05-241-9/+11
| | | | | | | | | Some nested if-statements in DefStore.processRequest() has been merged for clarity. https://pagure.io/dogtagpki/issue/2652 Change-Id: Iedbda7d884cd4735a9c591a57d05b1086b4cb36d
* Cleaned up DefStore.processRequest() (part 2).Endi S. Dewata2017-05-241-14/+17
| | | | | | | | | | An if-statement in DefStore.processRequest() has been modified to return early for clarity. The code indentation has been adjusted accordingly. https://pagure.io/dogtagpki/issue/2652 Change-Id: Ife5a1e3c2d4a09a687acc2714948b670fd31bfe3
* Cleaned up DefStore.processRequest() (part 1).Endi S. Dewata2017-05-241-59/+62
| | | | | | | | | | An if-statement in DefStore.processRequest() has been modified to return early for clarity. The code indentation has been adjusted accordingly. https://pagure.io/dogtagpki/issue/2652 Change-Id: Ib506bdac88e017197b2a192e952b54be1456eac0
* Simplify recovery audit loggingAde Lee2017-05-243-38/+72
| | | | | | | | | | | | | | | | | Currently, when we use the retrieveKey() REST interface, there are two logs generated for the processing of a recovery request. To rectify this, logging has been removed from the lower level in the SecurityDataProcessor and is delegated to the higher level. This necessitated adding audit logging to the SecurityDataRecoveryService, which processes recovery events asynchronously. In addition, the logging in retrieveKey() has been pushed down to the retrieveKeyImpl, because there is at least one success exit point in retrieveKeyImpl where a recovery request is created, but no key is exported. Hence in this case, a KeyRetrieve success event is not warranted. Change-Id: I0725e6fe82046ae666bf6c81d6a6ba58261dfc87
* Make sure archivalID is passed through archivalAde Lee2017-05-2411-50/+104
| | | | | | | | | | | | | | | | There was some confusion in the previous commit for archival logging. The archivalID is the id provided by the CA for the archival and is its requestID. This allows the cert request operation to be tracked through the archival. Made sure therefore, that we have two fields - one for the archivalID and one for the requestId (which is the KRA archival request ID) In addition, some of the archival events occur in the CA component just before the request id sent to the KRA. These events will not be displayed unless the audit event is added to the CA CS.cfg. Change-Id: I3904d42ae677d5916385e0120f0e25311b4d9d08
* Fix failing audit logAde Lee2017-05-241-2/+2
| | | | | | | | | | | | As currently written, the audit log for completing the cert processing on the KRA will always fail because the cert is not yet issued. The cert is only issued after the key is archived. Basically, though, this particular log is only suppposed to be written to the CA audit log. Rather than adding a subsystem check, the simplest solution is to not expose this event on the KRA. Change-Id: I9e658dca15fd87e87c0124c4c9972dbca2910643
* Updated log messages in OCSPProcessor.Endi S. Dewata2017-05-231-3/+11
| | | | | | | | | The OCSPProcessor has been modified to log the OCSP response to help troubleshooting. https://pagure.io/dogtagpki/issue/2695 Change-Id: I9c880def083221af26cac902ff6d7852d0555a8f
* Moved TokenServlet into pki-tks package.Endi S. Dewata2017-05-233-18/+22
| | | | | | | | | | | | The TokenServlet has been moved into pki-tks package in order to use the JssSubsystem in pki-cmscore package. Some constants in SecureChannelProtocol have been made public so they can be accessed by the TokenServlet. https://pagure.io/dogtagpki/issue/2695 Change-Id: I5542e5dcf09c3d081a131af042d833203bcc086c
* Encapsulate recovery request approval audit logsAde Lee2017-05-235-62/+61
| | | | | | | | The audit logs where an agent grants an asynchronous recovery request and the case where recovery request is appproved from the REST API are consolidated and encapsulated in a class. Change-Id: I237c1dcfc413012d421f3ccc64e21c7caf5a7701
* Fix auditing in retrieveKeyAde Lee2017-05-234-19/+132
| | | | | | | | | | | | The auditing in retrieveKey is all messed up. * Added new audit event to track accesses to KeyInfo queries. They may produce a lot of events, especially if events are generated for every listing of data. By default, this event may be turned off. * Added audit events for generation and processing of key recovery requests. Change-Id: Icb695e712bdfadf0a80903aa52bd00b9d4883182
* Enabling all subsystems on startup.Endi S. Dewata2017-05-233-19/+59
| | | | | | | | | | | The operations script has been modified to enable all subsystems on startup by default. If the selftest fails, the subsystem will be shutdown again automatically as before. A pki.conf option has been added to configure this behavior. https://pagure.io/dogtagpki/issue/2699 Change-Id: Iaf367ba2d88d73f377662eee5eafbb99e088ae50
* Encapsulate key retrieval audit eventsAde Lee2017-05-238-72/+117
| | | | | | | | | | | Key retrieval is when the key/secret is extracted and returned to the client (once the recovery request is approved). We combine SECURITY_DATA_RETRIEVE_KEY and a couple of older EXPORT events. Note: an analysis of the key retrieval rest flow (and the auditing there will be done in a subsequent patch). Change-Id: Ibd897772fef154869a721fda55ff7498210ca03c
* Eliminate async recovery audit eventsAde Lee2017-05-234-66/+34
| | | | | | | | | There are now many ways to recover keys. From an auditing point of view, its not helpful to distinguish between sync or async requests. So we just use SECURITY_DATA ... Change-Id: Id64abd56248c07f3f7f7b038ba5ac458af854089
* Encapsulate recovery processed audit eventsAde Lee2017-05-237-207/+184
| | | | | | | | This creates audit events for KEY_RECOVERY_PROCESSED and SECURITY_DATA_RECOVERY_PROCESSED audit logs. We simplify by reducing the logs to the SECURITY_DATA ones. Change-Id: I75968799dec48d1f056ba15f8125d3bd031f31bb
* Encapsulate key recovery audit eventsAde Lee2017-05-2311-46/+114
| | | | | | | | Encapsulate SECURITY_DATA_KEY_RECOVERY_REQUEST and KEY_RECOVERY_REQUEST audit events as audit event objects. We have collapse to a single audit event type. Change-Id: I68c27573725cf27c34d008c58847d6a22e0d0bac
* Encapsulate archival processed audit logsAde Lee2017-05-238-48/+86
| | | | | | | | Encapsulate audit logs for SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED and PRIVATE_KEY_ARCHIVAL_REQUEST_PROCESSED. We have merged the two audit events. Change-Id: I2abc7edff076495bb62733b92304fecd4f15b2b7
* Encapsulate the archival audit logAde Lee2017-05-2311-187/+132
| | | | | | | | | | | | | This patch encapsulates the SECURITY_DATA_ARCHIVAL_REQUEST and PRIVATE_DATA_ARCHIVAL_REQUEST audit logs as audit events. The PRIVATE_DATA_ARCHIVAL_REQUEST events are mapped to the SECURITY_DATA ones to simplify the whole structure. They used to provide an archivalID parameter which was pretty much meaningless as it was at best just the same as the request id which is alreadty logged. So this is now dropped. Change-Id: I705d25ce716c73f2c954c5715b0aafdad80b99d2
* Always check FIPS mode at installation timeMatthew Harmsen2017-05-231-0/+2
| | | | - Bugzilla Bug #1454603 - Unable to install IPA server due to pkispawn error
* Added configurable random number generator in JssSubsystem.Endi S. Dewata2017-05-232-16/+43
| | | | | | | | | | | | | The JssSubsystem has been modified to provide a configurable random number generator which uses PK11SecureRandom from JSS by default. The CertificateRepository has been modified to use the new random number generator to generate random serial number. https://pagure.io/dogtagpki/issue/2695 Change-Id: I3289adbd0543000e64404fe23d00c44f32795f75
* Ticket#2618 feature: pre-signed CMC renewal requestChristina Fu2017-05-224-44/+132
| | | | | | | This patch provides the feature implementation to allow CA to process pre-signed CMC renewal requests. In the world of CMC, renewal request are full CMC requests that are signed by previously issued signing certificate. The implementation approach is to use the caFullCMCUserSignedCert with the enhanced profile constraint: UniqueKeyConstraint. UniqueKeyConstraint has been updated to disallow renewal of same key shared by a revoked certificate. It also saves the origNotAfter of the newest certificate sharing the same key in the request to be used by the RenewGracePeriodConstraint. To not interfere with the existing "renewal by serial" flow, if an existing origNotAfter is found, it is not overwritten. The profile caFullCMCUserSignedCert.cfg has been updated to have both UniqueKeyConstraint and RenewGracePeriodConstraint. They must be placed in the correct order. By default in the UniqueKeyConstraint the constraint parameter allowSameKeyRenewal=true.
* Fixed problem with --ignore-banner option.Endi S. Dewata2017-05-201-0/+10
| | | | | | | | | The pki CLI has been modified to parse the --ignore-banner option properly and pass it only to Java-based CLI commands. https://pagure.io/dogtagpki/issue/2683 Change-Id: Ifc3e98f74682a2fb4daeea16e86f495515a2d1f5
* Added debug logs for JssSubsystem.Endi S. Dewata2017-05-201-11/+20
| | | | | | | | | Some debug logs have been added into JssSubsystem to improve code clarity. https://pagure.io/dogtagpki/issue/2695 Change-Id: Ice54cf5cfe1eb4984509b83a1098cd69819e37bc
* Fixed hardcoded values in ca CS.cfgMatthew Harmsen2017-05-191-3/+3
| | | | | - Bugzilla Bug #1452123 - CA CS.cfg shows default port - dogtagpki Pagure Issue #2696 - CA CS.cfg shows default port
* Added debug logs for UpdateCRL servlet.Endi S. Dewata2017-05-191-3/+43
| | | | | | | | | Some debug logs have been added into UpdateCRL servlet to improve code clarity. https://pagure.io/dogtagpki/issue/2651 Change-Id: I4dc92d574b8ce93f2964663d36ca28851e400839
* Correct section headings in user deployment configuration fileMatthew Harmsen2017-05-171-0/+39
| | | | | | Bugzilla Bug #1447144 - CA brought down during separate KRA instance creation dogtagpki Pagure Issue #2674 - CA brought down during separate KRA instance creation
* Reformatted RevocationRequestListener.accept().Endi S. Dewata2017-05-171-71/+71
| | | | | | | | | The RevocationRequestListener.accept() has been reformatted to adjust the indentations after refactoring. https://pagure.io/dogtagpki/issue/2651 Change-Id: Ia94667b88dd48e3e0cf28ee3dd7eb5a5b4dee4b3
* Refactored RevocationRequestListener.accept().Endi S. Dewata2017-05-171-3/+5
| | | | | | | | | The RevocationRequestListener.accept() has been refactored to reduce deeply nested if-statements with early return. https://pagure.io/dogtagpki/issue/2651 Change-Id: I11dac11f05a4e3626043f4cfa56feacf01e6d5dd
* Added CertStatusChangeRequestProcessedEvent.Endi S. Dewata2017-05-176-69/+98
| | | | | | | | | A new CertStatusChangeRequestProcessedEvent class has been added to encapsulate the CERT_STATUS_CHANGE_REQUEST_PROCESSED events. https://pagure.io/dogtagpki/issue/2636 Change-Id: I41cf0ce94b176a2036b9f1f433212bf3c414fb0b
* Fixed CERT_REQUEST_PROCESSED events in ConnectorServlet.Endi S. Dewata2017-05-171-14/+5
| | | | | | | | | | | | | | | | | The code that generates CERT_REQUEST_PROCESSED events in ConnectorServlet.processRequest() has been moved into a finally- clause that wraps around IRequestQueue.processRequest() to ensure that the events are generated properly. If a cert was issued for the request that has just been processed the event outcome is a Success, otherwise it's a Failure. Any exception thrown by the IRequestQueue.processRequest() will be passed to the ConnectorServlet.processRequest()'s callers. https://pagure.io/dogtagpki/issue/2690 Change-Id: I07454afb75328fbee3e50e5852adb5085be0613e
* Tocket2673- CMC: allow enrollment key signed (self-signed) CMC with identity ↵Christina Fu2017-05-1721-398/+1204
| | | | | | proof This patch implements the self-signed CMC requests, where the request is signed by the public key of the underlying request (PKCS#10 or CRMF). The scenario for when this method is used is when there was no existing signing cert for the user has been issued before, and once it is issued, it can be used to sign subsequent cert requests by the same user. The new enrollment profile introduced is : caFullCMCSelfSignedCert.cfg The new option introduced to both CRMFPopClient and PKCS10Client is "-y" which will add the required SubjectKeyIdentifier to the underlying request. When a CMC request is self-signed, no auditSubjectID is available until Identification Proof (v2) is verified, however, the cert subject DN is recorded in log as soon as it was available for additional information. Auditing is adjusted. More will come in the next couple CMC patches.
* Reformatted UpdateCRL.process().Endi S. Dewata2017-05-171-174/+174
| | | | | | | | | The UpdateCRL.process() has been reformatted to adjust the indentations after refactoring. https://pagure.io/dogtagpki/issue/2651 Change-Id: Ic67376678d442b9e2a79f9375aef61eab99d1b5c
* Refactored UpdateCRL.process() (part 3).Endi S. Dewata2017-05-171-2/+4
| | | | | | | | | The UpdateCRL.process() has been refactored to reduce deeply nested if-statements with early return. https://pagure.io/dogtagpki/issue/2651 Change-Id: Ie3aa5f9154eec78e994cf89cc33616d2c5cbaf47
* Refactored UpdateCRL.process() (part 2).Endi S. Dewata2017-05-171-16/+16
| | | | | | | | | The UpdateCRL.process() has been refactored to reduce deeply nested if-statements with early return. https://pagure.io/dogtagpki/issue/2651 Change-Id: I5591bf08e617614ca7def5ce5fff61e0925e4fc5
* Refactored UpdateCRL.process() (part 1).Endi S. Dewata2017-05-171-3/+5
| | | | | | | | | The UpdateCRL.process() has been refactored to reduce deeply nested if-statements with early return. https://pagure.io/dogtagpki/issue/2651 Change-Id: I507bf72e28c3ba0ab98f24466bac2a40f1e6b198
* Fixed audit event outcome for agent-canceled cert request.Endi S. Dewata2017-05-171-1/+1
| | | | | | | | | The outcome of CERT_REQUEST_PROCESSED event has been changed to Failure when the certificate request is canceled by an agent. https://pagure.io/dogtagpki/issue/2694 Change-Id: Iad25a135851188cc97106d81800e3b8443a2970a
* Fixed audit event outcome for agent-rejected cert request.Endi S. Dewata2017-05-171-1/+1
| | | | | | | | | The outcome of CERT_REQUEST_PROCESSED event has been changed to Failure when the certificate request is rejected by an agent. https://pagure.io/dogtagpki/issue/2693 Change-Id: I530de4fe08ba97a8676d56a6aaf6c11ab7c36e40
generated by cgit (git 2.34.1) at 2025-09-26 19:35:28 +0000