path: root/base
Commit message | Author | Age | Files | Lines
...
* Enabled certificate revocation checking by default.  [Endi S. Dewata, 2014-09-03, 4 files, -1/+15]
  The CS.cfg templates for all subsystems have been modified to enable certificate revocation checking during authentication. This will affect new installations only.
  Ticket #1117, #1134
* Integrate 'tpsclient' back into primary TPS package  [Matthew Harmsen, 2014-09-02, 2 files, -5/+2]
  - PKI TRAC Ticket #1017 - Rename pki-tps-tomcat to pki-tps
* Remove Apache info from pkispawn and pkidestroy  [Matthew Harmsen, 2014-09-02, 16 files, -276/+22]
  - PKI TRAC Ticket #1077 - Consider removing [Apache] section from 'default.cfg'
* ticket #882 unique certID for certificate records  [Christina Fu, 2014-09-02, 3 files, -16/+43]
* Fix kra-connector-remove  [Ade Lee, 2014-09-02, 8 files, -37/+94]
  The code to remove the connector from the pki CLI was found to be broken because of invalid message type (partly due to void returns).
  On uninstall, we need to remove the kra-connector from all relevant CA's in the security domain. The best way to do this is to keep kra-connector info in LDAP, so that only one call is needed. Until that change has been made, we are adding a hack to remove the connector from all CA's in the security domain (if it exists).
  Due to issues with proxy configurations, we will continue to use sslget and a url-encoded-form version of the servlet.
  In addition, it was found that when removing a KRA from a shared subsystem, the updateDomainXML servlet was erroneously returning failure when it was unsuccessful in removing a non-existent user from a group.
  Ticket 1113
* Recovery and Renewal feature:  [Jack Magne, 2014-09-02, 10 files, -252/+1166]
  1. Basic token key recovery functionality is there.
  2. Tested with mostly the "damaged" scenario. The low level code that writes the recovered certs to the token works and has been tested with a real token. Some of the other more obscure cases need some more testing, for instance, the temporary on hold scenario.
  3. Renewal has been tested with a real token to work.
  4. Much of the complex code to write cert objects and key objects, as well as importing recovered keys, has been centralized to a method. This leaves the calling code simpler and easier to troubleshoot.
  5. Added a method to check token operation transition states.
  6. Fixed an issue with formatting a blank token I introduced.
  7. Fixed a few issues with updating certificate records for a token that were discovered.
  8. Added tps code to retrieve a certificate for the recovery case.
  9. Minor Review fixes.
* ticket 941 Renewal/Reenroll/Recovery/Renew policy 3rd cut; Renewal code; RetrieveCert code  [Christina Fu, 2014-08-29, 8 files, -60/+588]
* Makes output of secrets consistent for all clients.  [Abhishek Koneru, 2014-08-29, 6 files, -25/+36]
  All the secrets/keys retrieved using the client APIs using Java/python clients will be of the type - byte array. This applies to output of the retrieveKey method and the public key attribute of the KeyInfo object.
* Fixes for tickets 1087, 1089, 1090, 1091.  [Abhishek Koneru, 2014-08-29, 7 files, -20/+26]
  Addresses upstream issues in the pki key-* CLI commands. Updates the man page in all the required cases.
* Fixed NPE in client-cert-import.  [Endi S. Dewata, 2014-08-28, 2 files, -3/+8]
  The client-cert-import command has been modified to properly initialize the CLI environment to avoid a null pointer exception.
  Ticket #1126
* Fixed problems with CLI authentication parameters.  [Endi S. Dewata, 2014-08-28, 2 files, -83/+80]
  Previously specifying a security database password in the CLI would require a certificate nickname to be specified as well. While this is correct for client certificate authentication, it caused a problem for operations that do not authenticate against the server such as client-init.
  The CLI has been modified to require a security database password only if the nickname is specified for client certificate authentication. Similar changes have been made to require user password only if the username is specified for basic authentication.
  The CLI also has been modified to store all specified parameters in the config object regardless of parameter validation.
  The manual page has been modified accordingly.
  Ticket #1125
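The parameter rule described in this commit, written out as an added example; this is not the pki CLI's own code. The option letters, the CliConfig class and the two helper names are assumptions made for the illustration: every supplied parameter is kept in the config object, and validation is a separate step that only complains about a missing password when the matching authentication method was actually selected.

```python
# Added example, not code from the Dogtag PKI project. Option letters and the
# names CliConfig, parse_cli_args and validate_auth_params are hypothetical.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class CliConfig:
    """Holds every parameter the user supplied, valid or not."""
    nickname: Optional[str] = None       # certificate nickname (client cert auth)
    db_password: Optional[str] = None    # NSS security database password
    username: Optional[str] = None       # user name (basic auth)
    user_password: Optional[str] = None  # user password (basic auth)


def parse_cli_args(args: Dict[str, str]) -> CliConfig:
    """Copy the known options into the config object without validating them.

    Storing first and validating later means a command such as client-init,
    which never authenticates, can be given just a database password.
    """
    return CliConfig(
        nickname=args.get("-n"),
        db_password=args.get("-c"),
        username=args.get("-u"),
        user_password=args.get("-w"),
    )


def validate_auth_params(cfg: CliConfig) -> List[str]:
    """Return the validation errors for the authentication method selected.

    A database password is only required once a nickname selects client
    certificate authentication; a user password is only required once a
    username selects basic authentication. A password on its own is accepted.
    """
    errors: List[str] = []
    if cfg.nickname and not cfg.db_password:
        errors.append("security database password is required with a certificate nickname")
    if cfg.username and not cfg.user_password:
        errors.append("user password is required with a username")
    return errors


if __name__ == "__main__":
    # Constructed inputs: the client-init case and the two incomplete cases.
    for argv in ({"-c": "Secret123"}, {"-n": "caadmin"}, {"-u": "caadmin"}):
        print(argv, "->", validate_auth_params(parse_cli_args(argv)) or "ok")
```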
* Remove RA and pkicreate and pkisilent  [Matthew Harmsen, 2014-08-28, 252 files, -55922/+0]
  - PKI TRAC Ticket #1127 - Remove 'pki-ra', 'pki-setup', and 'pki-silent' packages . . .
* Disable PKI GUI Configuration  [Matthew Harmsen, 2014-08-28, 12 files, -257/+4]
  - PKI TRAC Ticket #1120 - Remove Firefox PKI GUI Configuration Panel Interface
* Added missing upgrade folders.  [Endi S. Dewata, 2014-08-27, 2 files, -0/+8]
  The current upgrade framework requires that all supported versions to upgrade from have corresponding upgrade folders even though they might be empty. New empty folders have been added for 10.1.1.
* Fixed problems in group operations.  [Endi S. Dewata, 2014-08-27, 5 files, -52/+92]
  Previously modifying the description of an empty group failed because the server tried to delete a uniqueMember attribute that did not exist because the group was already empty. The servlets and group subsystem have been fixed to retrieve the existing group data first, perform the changes on it, then save it back to the database.
  Also adding a new group will no longer require a description because it's not required by the LDAP object class.
  Ticket #818
* Generate asymmetric keys in the DRM.  [Abhishek Koneru, 2014-08-27, 25 files, -174/+1081]
  Adds methods to key client to generate asymmetric keys using algorithms RSA and DSA for valid key sizes of 512, 1024, 2048, 4096. The generated keys are archived in the database.
  Using the CLI, the public key (base64 encoded) can be retrieved by using the key-show command. The private key (base64 encoded) can be retrieved using the key-retrieve command.
  Ticket #1023
* Fixed problem emptying a field in TPS UI.  [Endi S. Dewata, 2014-08-26, 6 files, -17/+66]
  Previously emptying a field in TPS UI could not be saved because the change was not saved and sent to the server. The UI framework now has been fixed to save and send the empty field to the server such that the database can be updated properly.
  Additional parameters have been added to the tps-token-mod command to modify all editable fields.
  Ticket #1085
* Misc TPS packaging tasks:  [Jack Magne, 2014-08-22, 538 files, -1/+95]
  1. Make sure the new TPS packages all the applet files, like the old TPS has done.
  2. Create a small new package called "pki-tps-client", which will hold ONLY the command line utility "tpsclient" and all of its supporting libraries.
  3. Move the directory pki/base/tps to pki/base/tps-client
  We will do this until we can rewrite "tpsclient" on the new Java TPS system.
  Add package pki-tps-client.
* UI scrub  [Matthew Harmsen, 2014-08-22, 5 files, -12/+2]
  * PKI TRAC Ticket #567 - ui needs to be scrubbed for missing images
* ticket#882 tokendb policy handling, revocation and re-enroll  [Christina Fu, 2014-08-20, 11 files, -218/+1071]
* Fix enroll_cert in cert.py to account for rejected requests  [Ade Lee, 2014-08-18, 1 file, -21/+73]
  As per review, modified to return CertEnrollmentResult objects.
  Ticket 1109
* Fixed missing TPS token attributes.  [Endi S. Dewata, 2014-08-15, 8 files, -32/+111]
  The missing token policy attribute has been added to token database. The REST services, CLI, and UI have been fixed accordingly. Other missing attributes in tokenRecord object class are unused.
  Ticket #1085
* Alternative CLI password methods  [Matthew Harmsen, 2014-08-14, 2 files, -33/+313]
  - PKI TRAC Ticket #555 - Other ways to specify CLI password
* Adds a new CLI command pki ca-kraconnector-show.  [Abhishek Koneru, 2014-08-14, 7 files, -0/+138]
  The new command allows users to view the information about kra connectors registered with the CA.
  Ticket #479
* Implement enrollment with server side keygen.  [Jack Magne, 2014-08-08, 6 files, -175/+545]
  This patch implements server side keygen when so configured in the CS.cfg.
  1. In this case, the encryption cert's private key is generated on the KRA and archived by the KRA.
  2. The private key is then injected onto the token.
  3. This will allow us to later implement certificate recovery.
  4. Fixed some minor issues discovered with the code that interfaces with the TKS and DRM.
  5. Final certificate tested to work with Relyea's "SmartCard" utility to perform legal crypto operations.
  Minor change.
* Fix issues found by pycharm  [Ade Lee, 2014-08-06, 1 file, -12/+15]
  Some formatting, uninitialized variables.
* Fix pkidestroy for proxy ports  [Ade Lee, 2014-08-06, 1 file, -0/+8]
  Current pkidestroy fails to remove a system that has been configured to use proxy ports because the wrong ports are passed into the updateDomainXML servlet. This small patch fixes this problem.
  Ticket #1095
* ticket#882 tokendb management, policy, and activities, 1st cut  [Christina Fu, 2014-08-04, 13 files, -82/+705]
* Fix independent pkispawn installation and configuration  [Matthew Harmsen, 2014-08-04, 4 files, -21/+22]
  * PKI TRAC Ticket #905 - 2 Step Configuration of CA instance using pkispawn fails
* Updated man page for pki key commands  [Abhishek Koneru, 2014-07-28, 3 files, -9/+302]
  Updated man page for all the new CLI commands added for the Key and KeyRequest resources.
  Also added missing code to retrieve a secret wrapped in a user specified passphrase.
  Ticket #945
* Remove ACL mapping to user from error messages  [Matthew Harmsen, 2014-07-28, 3 files, -3/+5]
  - PKI TRAC Ticket #965 - Improve error message - remove ACL mapping to the user
* Implement Symmetric Key Changeover Feature  [Jack Magne, 2014-07-25, 4 files, -24/+214]
  1. Created code to actually change the key over to a new key set.
  2. Made calls to the code from the format and enrollment operations, the Pin Reset processor will do so when completed.
  3. Tested with real card. Was able to change to key set #2 and then back to stock.
  Ticket #878.
* authentication fix: fixed issue relating to authentication that  [Christina Fu, 2014-07-24, 4 files, -24/+59]
  switching between ESC and tpsclient needs to change CS.cfg param value and restart TPS. This fix makes the issue go away.
  The actual issue is the differences between "loginRequest" and "extendedLoginRequest".
* First cut of end to end enrollment feature.  [Jack Magne, 2014-07-23, 18 files, -56/+1326]
  The following features implemented for enrollment.
  1. Standard enrollment of a list of RSA certificates.
  2. Certificates are only done with token side keygen.
  3. Minimal enrollment based pin reset functionality implemented to create a pin for the enrolled token.
  4. Much work done to the PKCS11 object code, which allows us to write the compressed object blob to the token, allowing coolkey to access it and use the certs and keys on the token.
  5. Tested with Bob Relyea's "smartcard" utility to prove that signing and encryption operations worked as expected.
  6. Some work done to get authentication working with esc.
  7. Added stub for stand alone Pin Reset processor.
  8. CFU review fixes.
* Fix rebase conflict.  [Jack Magne, 2014-07-23, 1 file, -6/+1]
* Remove profile-ID argument  [Matthew Harmsen, 2014-07-18, 1 file, -3/+3]
  - PKI TRAC Ticket #992 - pki cert-request-profile-find doesn't display list of profiles by default
* Add ability to create database as subtree of existing tree  [Ade Lee, 2014-07-17, 10 files, -189/+309]
  This patch adds the ability to create a subsystem that uses an existing subtree to create the internal basedn. This is useful for instance, for IPA which will use the original o=ipaca as the top level DN for a KRA, which will be situated at o=ipadrm, o=ipaca.
  The patch also allows such a system to be cloned, but not to setup the replication agreements, on the assumption that the data is already being replicated at the top-level DN or some higher level.
  The patch also contains some minor cleanups - removing unused imports and removal of an invalid reference in the python code.
  Ticket 1051
* Refactoring ProfileClient to remove the property fields.  [Abhishek Koneru, 2014-07-11, 4 files, -347/+147]
  Replaced the usage of python property feature with a dict for attribute name conversion.
  Fixed an issue caused by traversing the NOTYPES dict in encoder.py to find the instance of an object. The traversal causes an issue in the presence of subclassing.
  Modified method attr_name_conversion to return a new dictionary with modified attribute names rather than making changes to the object's __dict__.
* Added transport cert attributes.  [Endi S. Dewata, 2014-07-09, 3 files, -9/+28]
  The REST service has been modified to return additional attributes for transport certificate including serial number, issuer DN, subject DN, and resource link.
  Ticket #1065
* Fixed transport certificate delimiters.  [Endi S. Dewata, 2014-07-09, 3 files, -5/+5]
  The REST service and client library have been fixed to use the correct delimiters for transport certificate. The REST service was also modified to insert a new line between the header and the certificate data.
  Ticket #1063
* Refactored SystemCertClient.get_transport_cert().  [Endi S. Dewata, 2014-07-07, 5 files, -7/+13]
  To simplify the usage, the SystemCertClient.get_transport_cert() has been modified to parse and decode the PEM certificate in CertData object, store the DER certificate back into the object, and return the CertData object to the client. This way the client will have access to the certificate attributes and both PEM and DER certificates.
  The PKIService.sendConditionalGetResponse() has been fixed to use the requested format. This is needed to display the transport certificate properly in the browser.
  Ticket #1062
* Remove legacy 'systemctl' files  [Matthew Harmsen, 2014-07-03, 28 files, -2190/+38]
  - PKI TRAC Ticket #832 - Remove legacy 'systemctl' files . . .
* Renamed CryptoUtil to CryptoProvider.  [Endi S. Dewata, 2014-07-03, 4 files, -12/+12]
  The CryptoUtil classes in the Python client library have been renamed to CryptoProvider for consistency with the Java client library. The cryptoutil.py module has been renamed to crypto.py.
  Ticket #1042
* Add 'arm' architecture to tool scripts.  [Matthew Harmsen, 2014-07-02, 1 file, -0/+4]
  - Bugzilla Bug #1081916 - freeipa does not install on arm architecture
  - PKI TRAC Ticket #935 - patch to BtoA and AtoB to get ARM working
* Backup and Archive CS.cfg  [Matthew Harmsen, 2014-07-02, 6 files, -1/+213]
  * PKI TRAC Ticket #899 - RFE - ipa-server should keep backup of CS.cfg
* Added methods for providing file input for profile request.  [Abhishek Koneru, 2014-07-01, 2 files, -102/+541]
  Added new methods to allow user to provide file input to perform operations like create profile/modify profile. The supported file formats are XML and JSON.
* Implemented remaining of the ProfileClient API.  [Abhishek Koneru, 2014-07-01, 3 files, -20/+225]
  Provides methods to create/modify/delete a profile. Also adds put and delete methods to the PKIConnection object.
* Changes to fix rawhide build  [Ade Lee, 2014-07-01, 3 files, -6/+4]
  - Removed dependency on removed internal junit class
  - moved cmake reference to junit4.jar to junit.jar
  - Disambiguate a couple of references
* Fixes for #1040 and #1041 in cert and key python modules  [Abhishek Koneru, 2014-06-27, 6 files, -317/+223]
  Ticket 1040 - Perform null checks on JSON attributes.
  Ticket 1041 - Rename module kraclient to kra.
  Also refactored the code in cert module removing the usage of property. Achieved the conversion of names (camelCase to '_'-separated) using dictionaries in the objects. The default method in encoder module has also been modified to perform the reverse conversion.
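The dictionary-based attribute name scheme that this commit and the ProfileClient refactoring above both describe, shown as an added stand-alone example; it is not the Dogtag python client's own code. The CertRequestInfo class, its json_attribute_names table and the helper names are assumptions for the illustration: decoding maps camelCase JSON names to underscore attributes through the per-class dict and tolerates missing or null attributes, attr_name_conversion returns a new dict instead of rewriting the object's __dict__, and the encoder's default method performs the reverse mapping.

```python
# Added example, not code from the Dogtag PKI python client. The class,
# its attribute table and the helper names are hypothetical.
import json
from typing import Any, Dict, Optional


class CertRequestInfo:
    """Object with underscore attribute names whose JSON form uses camelCase."""

    # attribute name -> JSON attribute name; this table replaces the old
    # property-based conversion
    json_attribute_names = {
        "request_id": "requestID",
        "request_type": "requestType",
        "request_status": "requestStatus",
        "cert_id": "certId",
    }

    def __init__(self, request_id=None, request_type=None,
                 request_status=None, cert_id=None):
        self.request_id = request_id
        self.request_type = request_type
        self.request_status = request_status
        self.cert_id = cert_id

    @classmethod
    def from_json(cls, attr_list: Optional[Dict[str, Any]]) -> Optional["CertRequestInfo"]:
        """Decode a JSON dict (camelCase -> underscore), with null checks.

        A null document yields None; null or absent attributes stay at their
        default; attribute names not in the table are ignored rather than
        raising, so an extra server-side field cannot break the client.
        """
        if attr_list is None:
            return None
        reverse = {json_name: attr for attr, json_name in cls.json_attribute_names.items()}
        obj = cls()
        for json_name, value in attr_list.items():
            attr = reverse.get(json_name)
            if attr is not None and value is not None:
                setattr(obj, attr, value)
        return obj


def attr_name_conversion(obj: Any) -> Dict[str, Any]:
    """Return a NEW dict keyed by JSON attribute names; obj.__dict__ is untouched.

    Unset (None) attributes are omitted so they do not serialise as null.
    """
    names = getattr(type(obj), "json_attribute_names", {})
    return {names.get(attr, attr): value
            for attr, value in vars(obj).items() if value is not None}


class CustomTypeEncoder(json.JSONEncoder):
    """default() does the reverse conversion (underscore -> camelCase)."""

    def default(self, o):
        if hasattr(type(o), "json_attribute_names"):
            return attr_name_conversion(o)
        return super().default(o)


def to_json(obj: Any) -> str:
    """Serialise an object through the encoder, keys sorted for stable output."""
    return json.dumps(obj, cls=CustomTypeEncoder, sort_keys=True)


if __name__ == "__main__":
    # Constructed sample object and constructed server response
    info = CertRequestInfo("7", "enrollment", "complete", "0x7")
    print(to_json(info))
    decoded = CertRequestInfo.from_json(
        {"requestID": "9", "requestStatus": None, "unknownAttr": 1})
    print(vars(decoded))
```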
* Swap numeric values of OBNOXIOUS and INFO debug logging for correctness  [Matthew Harmsen, 2014-06-25, 2 files, -6/+6]
  * PKI TRAC Ticket #898 - Giant /var/log/pki-ca/debug