summaryrefslogtreecommitdiffstats
path: root/base
Commit message (Collapse)AuthorAgeFilesLines
...
* Add HSM options to pkispawnMatthew Harmsen2015-04-146-0/+108
| | | | - PKI TRAC Ticket #1346 - pkispawn should have an HSM library option
* Ticket#1028 phase2: TPS rewrite: provide externalReg functionalityChristina Fu2015-04-1411-177/+305
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch is the 2nd phase of the externalReg feature, it makes the following improvements: * added feature: recovery by keyid (v.s. by cert) * fixed some auditing message errors * added some missing ldapStringAttributes needed for delegation to work properly * added missing externalReg required config parameters * made corrections to some externalReg related parameters to allow delegation to work properly * added handle of some error cases * made sure externalReg enrollment does not go half-way (once fails, bails out) tested: * enrollment of the three default TPS profiles (tokenTypes) * format of the tokens enrolled with the three default tps profiles * delegation enrollments * cuid match check next phase: * cert/key retention (allow preserving existing certs/keys on the token) note: * some of the activity log and cert status related issues that are not specifically relating to externalReg will be addressed in other more relevant tickets.
* Consolidate profile persistent search try/catch blocksFraser Tweedale2015-04-131-15/+15
|
* Remove unneeded collection from profile subsystemsFraser Tweedale2015-04-133-11/+1
| | | | | | Caveat: This changes the order in which profiles are listed, but the previous order doesn't seem very logical and there doesn't appear to be any contract for a particular order.
* pki-tomcatd fails to start on system bootMatthew Harmsen2015-04-1310-34/+162
| | | | | - PKI TRAC Ticket #1315 - pki-tomcatd fails to start on system boot - PKI TRAC Ticket #1340 - pkidestroy should not remove /var/lib/pki
* Simplified login response formatsEndi S. Dewata2015-04-131-26/+16
| | | | | | | The formats of XML and JSON responses of the AccountService.login() have been modified to be more consistent and user-friendly. https://fedorahosted.org/pki/ticket/1343
* Add pkispawn config option for ldap profilesFraser Tweedale2015-04-134-1/+9
| | | | | | Add the `pki_profiles_in_ldap' pkispawn config to control whether profiles are stored on the filesystem (old behaviour) or LDAP (new behaviour). The default is file-based profiles.
* Monitor database for changes to LDAP profiles.Fraser Tweedale2015-04-132-78/+178
| | | | | | | | Use a persistent query to monitor the database for changes to LDAP profiles, and update the contents of the ProfileSubsystem according to the changes (Add/Modify/Delete) that occur. The monitoring occurs within its own thread.
* Added upgrade script to fix instance work folder ownership.Endi S. Dewata2015-04-082-0/+61
| | | | | | | | The <instance>/work/Catalina/localhost/pki folder was owned by root in Dogtag 10.0.x but now should be owned by pkiuser. An upgrade script has been added to fix the ownership. https://fedorahosted.org/pki/ticket/802
* Fixed problem deleting newly created TPS profiles.Endi S. Dewata2015-04-084-17/+27
| | | | | | | | | All TPS services have been fixed to set the default status of a new record to Disabled if the client does not provide the initial status. This will ensure a newly created profile to always have a status so it can be deleted normally. https://fedorahosted.org/pki/ticket/1273
* Fixed problem with TPS profile default status.Endi S. Dewata2015-04-089-64/+74
| | | | | | | | | | The base class of ProfileDatabase (i.e. CSCfgDatabase) has been modified to return the correct default value (i.e. Enabled) if the status parameter doesn't exist. The TPSProcessor has been modified to use ProfileDatabase and other TPS codes have also been changed to use constants instead of string literals to ensure consistency. https://fedorahosted.org/pki/ticket/1270
* Fixed incorrect link in TPS UI.Endi S. Dewata2015-04-081-1/+1
| | | | | | | The "Subsystem Connections" link in the home.html has been fixed to point to #connectors. https://fedorahosted.org/pki/ticket/1274
* Added interface to show TPS token certificates.Endi S. Dewata2015-04-0810-11/+56
| | | | | | | The TPS REST service, CLI, and UI have been modified to provide an interface to search for certificates belonging to a token. https://fedorahosted.org/pki/ticket/1164
* Update pki-profile CLI commands to work with "raw" formatFraser Tweedale2015-04-078-47/+407
| | | | | | | | Update CLI commands for working with the (now LDAP-based) profiles in the same format as was used by the files, by way of the --raw option. Also add the "edit" command to interactively edit a profile.
* Import profiles when spawning CA instanceFraser Tweedale2015-04-072-0/+117
|
* Add ability to enable/disable dynamic subsystemsFraser Tweedale2015-04-074-17/+83
| | | | | | | | | | | | | | | | | The CA installation process requires starting with the profile subsystem disabled, then enabling it once profiles have been loaded into the database. Accordingly, to avoid hacks with hardcoded offsets, add the "enabled" CS.cfg configuration parameter along with methods to enable or disable a subsystem based on the subsystem ID. A disabled subsystem does not have its `init` method called, but it is still instantiated and added to the registry so that other code can look up a subsystem by name and find out its class. Subsystems are enabled by default. This commit also removes an assumption that the subsystem config sub-store names are sequential numbers beginning at `0`.
* Add LDAPProfileSubsystem to store profiles in LDAPFraser Tweedale2015-04-0710-200/+437
| | | | | | | | | | | | Add the LDAPProfileSubsystem as another IProfileSubsystem implementation that can be used instead of ProfileSubsystem (which stores profiles on the file system) to store files in LDAP so that changes can be replicated. Extract common behaviour in to new AbstractProfileSubsystem superclass. Also address the minor issue #1220.
* Add LDAPConfigStore classFraser Tweedale2015-04-071-0/+195
| | | | | The LDAPConfigStore class is an IConfigStore that reads and writes its configuration to a given attribute and DN in an LDAP database.
* Add schema for LDAP-based profilesFraser Tweedale2015-04-072-1/+19
|
* Fixed missing port error during installation.Endi S. Dewata2015-04-071-0/+13
| | | | | | | | | The DBSubsystem has been modified to ignore the EPropertyNotDefined exception in pre-op mode and only display a notification instead of a stack trace since it's part of a normal operation. The missing port will be supplied in a later stage of installation. https://fedorahosted.org/pki/ticket/1293
* PKI TRAC Ticket #1319 - Invalid upgrade script in 10.2.1Matthew Harmsen2015-03-251-0/+0
|
* Removed problematic header file from CMakeLists.txt file that preventedMatthew Harmsen2015-03-171-1/+0
| | | | compilation on Fedora 22.
* NISTSP8000 feature.Jack Magne2015-03-1713-141/+657
| | | | | | | | | | | | | | | | | | | Implementation of the nistSP800 dervication feature. Works for both supported scp01 cards and scp02 cards. During the various session key and key upgrade functions, the nist dervication code is being called. Review comments addressed Cleanup of some input validation on the TKS. Added some sanity checking on the TPS side for key versions and token cuid's and kdd's. Final review comments. Fixed issue with extracting the kdd from the AppletInfo class. Fixed issue with sending the KDD to the encryptData TKS servlet. Added requested entries to the CS.cfg .
* Store groups on AuthToken and update group evaluatorFraser Tweedale2015-03-165-35/+141
| | | | | | | | | | | | | Update the UidPwdDirAuthentication plugin to retrieve all the user's groups from a directory and store them on the AuthToken. Also update the group evaluator to match against all the groups stored in the AuthToken. The "gid" and "groups" are merged into a single collection, if the ACL operation is "=" the collection is checked under disjunction, and if the operation is "!=", then conjunction. Fixes https://fedorahosted.org/pki/ticket/1174
* Allow use of secure LDAPS connectionMatthew Harmsen2015-03-1316-20/+179
| | | | - PKI TRAC Ticket #1144 - pkispawn needs option to specify ca cert for ldap
* PKI TRAC Ticket #1284 - pkispawn URL redirect issue (simple fix)Matthew Harmsen2015-03-062-1/+7
|
* Fixed CMake issues on F22.Endi S. Dewata2015-03-053-3/+3
| | | | | | Some CMake scripts have been updated to work on both F21 and F22. https://fedorahosted.org/pki/ticket/1281
* Ticket: TPS Rewrite: Implement Secure Channel Protocol 02 (#883).Jack Magne2015-02-2726-687/+3800
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | First cut of gp211 and scp protocol 02 for tokens. Allow token operations using a GP211 token over secure channel protocol 02. This patch supports the following: 1. Token operations with a GP211 card and SCP02 protocol, implementation 15. 2. Token still supports GP201 cards with SCP01. 3. SCP02 tested with SC650 gp211/scp02 card. Things still to do: 1. Right now the SCP02 support has been tested with the current gp201 applet and enrollment and formatting works just fine. We need to modify and compile the applet against the GP211 spec and retest to see if any further changes are needed. 2. The nistSP800 key derivation stuff is not completed for the SCP02 protocol. Some of the routines are self contained vs similar SCP01 ones. We have another ticket to complete the nistSP800 support from end to end. This work will be done for that ticket. 3. One of the new scp02 deriviation functions can make use of a new NSS derive mechanism. As of now this work is done by simple encryption, this can be done later. 4. The security APDU level of "RMAC" is not supported because the card does not support it. It could have been done to the spec, but it having the card to test is more convenient and there were more crucial issues to this point.
* Updated CRMFPopClient parameter handling.Endi S. Dewata2015-02-273-217/+353
| | | | | | | | | | | | The CRMFPopClient has been modified to use Apache Commons CLI library to handle the parameters. The help message has been rewritten to make it more readable. The submitRequest() will now display the error reason. The options in ClientCertRequestCLI have been simplified. A new option was added to generate CRMF request without POP. https://fedorahosted.org/pki/ticket/1074
* Add granularity to token termination in TPSAde Lee2015-02-264-35/+160
| | | | | | BZ 1163987. Added revocation checks to optionally revoke expired certs, and handle cases where certs are shared on multiple tokens.
* Bugzilla 1134405 - CRL publishing fails after Java heap out of memory errorAde Lee2015-02-261-0/+24
| | | | Added fix from hot fix.
* Refactored OCSPClient.Endi S. Dewata2015-02-164-239/+366
| | | | | | | The OCSPClient CLI has been refactored into an OCSPProcessor utility class such that the functionality can be reused. https://fedorahosted.org/pki/ticket/1202
* ticket#822 creates root CA subject DN when renewing with empty params.name ↵Christina Fu2015-02-121-1/+1
| | | | in orig profile
* Refactored LDAPDatabase.createFilter().Endi S. Dewata2015-02-114-23/+65
| | | | | | | | | | The createFilter() method in LDAPDatabase has been changed to construct an LDAP filter based on a keyword and a set of attributes with their values. This will allow searching the database based on specific attribute values. The subclasses of LDAPDatabase have been updated accordingly. https://fedorahosted.org/pki/ticket/1164
* Ticket#1028 Phase1:TPS rewrite: provide externalReg functionalityChristina Fu2015-02-1013-161/+1586
|
* Fixed additional pylint warnings.Endi S. Dewata2015-02-061-1/+1
| | | | | | | The pki CLI has been modified to remove additional pylint warnings that appear on Fedora 22. https://fedorahosted.org/pki/ticket/703
* Fixed problem cloning Dogtag 10.1.x to 10.2.x.Endi S. Dewata2015-02-061-12/+53
| | | | | | | | The JSON format of security domain info has changed between Dogtag 10.1.x and 10.2.x, so the Python client library has been changed to accommodate both formats. https://fedorahosted.org/pki/ticket/1235
* Fixed pylint report.Endi S. Dewata2015-02-0516-165/+165
| | | | | | | | | | | | | | | Previously pylint report was saved it into a file which may not be accessible on a build system. The pylint-build-scan.sh has been changed to display the report so it will appear in the build log. The pylint configuration has also been modified to disable C and R messages by default. This way when other errors or warnings occur the build will fail without having to check for specific codes. Some Python codes have been modified to reduce the number of pylint warnings. https://fedorahosted.org/pki/ticket/703
* Updated Resteasy and Jackson dependenciesEndi S. Dewata2015-02-036-78/+60
| | | | | | | | | | In Fedora 22 the Resteasy package has been split into several subpackages. The pki-core.spec has been modified to depend on more specific Resteasy packages which depend only on Jackson 1.x. The classpaths and various scripts have been modified to remove unused references to Jackson 2.x. https://fedorahosted.org/pki/ticket/1254
* Refactored CRMFPopClient.Endi S. Dewata2015-01-285-508/+753
| | | | | | | | | | | | | | | | | | The CRMFPopClient has been refactored such that it is easier to understand and reuse. The code has been fixed such that it can read a normal PEM transport certificate. It also has been fixed to parse the request submission result properly. The client-cert-request CLI command was modified to support CRMF requests. The MainCLI and ClientConfig were modified to accept a security token name. The pki_java_command_wrapper.in was modified to include the Apache Commons IO library. https://fedorahosted.org/pki/ticket/1074
* Disabling subsystem on selftest failure.Endi S. Dewata2015-01-281-0/+19
| | | | | | | | | | | The SelfTestSubsystem has been modified such that if the selftest fails it will invoke the pki-server CLI to undeploy and disable the failing subsystem. The Tomcat instance and other subsystems not depending on this subsystem will continue to run. Once the problem is fixed, the admin can enable the subsystem again with the pki-server CLI. https://fedorahosted.org/pki/ticket/745
* Added server management CLI.Endi S. Dewata2015-01-287-1/+847
| | | | | | | | | | | | | A new pki-server CLI has been added to manage the instances and subsystems using the server management library. This CLI manages the system files directly, so it can only be run locally on the server by the system administrator. The autoDeploy setting in server.xml has been enabled by default. An upgrade script has been added to enable the autoDeploy setting in existing instances. https://fedorahosted.org/pki/ticket/1183
* Added server management library.Endi S. Dewata2015-01-283-31/+146
| | | | | | | | | | | | | | | The PKISubsystem and PKIInstance classes used by the upgrade framework have been converted into a server management library. They have been enhanced to provide the following functionalities: * starting and stopping instances * enabling and disabling subsystems * checking instance and subsystem statuses The validate() invocation has been moved out of the constructors into the upgrade framework such that these objects can be created to represent subsystems and instances that do not exist yet. https://fedorahosted.org/pki/ticket/1183
* Moved web application deployment locations.Endi S. Dewata2015-01-289-54/+229
| | | | | | | | | | | | | Currently web applications are deployed into Host's appBase (i.e. <instance>/webapps). To allow better control of individual subsystem deployments, the web applications have to be moved out of the appBase so that the autoDeploy can work properly later. This patch moves the common web applications to <instance>/ common/webapps and subsystem web applications to <instance>/ <subsystem>/webapps. An upgrade script has been added to update existing deployments. https://fedorahosted.org/pki/ticket/1183
* Fixed exception chains in ConfigurationUtils.Endi S. Dewata2015-01-211-16/+24
| | | | | | | The ConfigurationUtils has been modified such that if an exception is triggered by another exception the exceptions will be chained. https://fedorahosted.org/pki/ticket/915
* Added support for exception chains in EBaseException.Endi S. Dewata2015-01-215-39/+76
| | | | | | | | | | | The EBaseException has been modified to provide constructors that can be used to chain the cause of the exception. This way the root cause of the exception can be traced back to help troubleshooting. Some codes have been modified to utilize the proper exception chaining as examples. https://fedorahosted.org/pki/ticket/915
* Removed unnecessary EBaseException constructor.Endi S. Dewata2015-01-2117-160/+1
| | | | | | | | | The EBaseException(String msgFormat, String param) constructor has been removed because it's only used once and can be substituted with another constructor. All subclasses of EBaseException have been updated accordingly. https://fedorahosted.org/pki/ticket/915
* Fixed bash syntax errorMatthew Harmsen2015-01-081-5/+5
| | | | | - Bugzilla Bug #1147924 - dogtag: syntax errors in /usr/share/pki/scripts/operations
* Enable Authority Key Identifier CRL extension by defaultFraser Tweedale2015-01-071-1/+1
| | | | | | | | | | | RFC 5280 states: Conforming CRL issuers are REQUIRED to include the authority key identifier (Section 5.2.1) and the CRL number (Section 5.2.3) extensions in all CRLs issued. Accordingly, update CS.cfg so that the Authority Key Identifier extension is enabled by default.
* Ticket #864 866 (part 1 symkey, common) NIST SP800-108 KDFChristina Fu2014-12-1912-226/+2343
| | | | | - this patch does not include TPS side of changes: (#865 needs to be rewritten in Java)
generated by cgit (git 2.34.1) at 2025-10-01 10:53:08 +0000