| Commit message | Author | Age | Files | Lines |
Part of: https://fedorahosted.org/pki/ticket/1710
Add the 'CommonNameToSANDefault' profile default class. When used
on a profile, this will examine the (most-specific) Common Name in
the Subject DN, and if it looks like a DNS name, will add it to the
Subject Alternative Name extension, creating the extension if it
does not already exist.
Also add upgrade scriptlet to add the component to registry.cfg in
existing installations.
Fixes: https://fedorahosted.org/pki/ticket/1710
To implement a profile default that copies the CN to a SAN dNSName,
we need to examine the CN values present in the Subject DN.
Specifically, we want to look at the "most specific" CN value. The
'getCommonName' method returns the "least specific" value in the
name, thus is not suitable.
Add the 'getAttributesForOid(ObjectIdentifier)' method, which
returns an ordered list of values of the given name attribute type,
from least specific to most specific.
Part of: https://fedorahosted.org/pki/ticket/1710
To implement a profile default that copies CN to SAN dNSName, we
need to read and set the 'GeneralNames' of the extension. This can
be done via the 'get' and 'set' methods but this interface is
awkward and requires the caller to deal with exceptions that aren't
fundamental to the get/set actions.
Add the 'setGeneralNames' and 'getGeneralNames' methods.
Part of: https://fedorahosted.org/pki/ticket/1710
The 'GeneralNameInterface' interface represents a single X.509
General Name value. Various types are supported. The 'GeneralName'
class (which also implements 'GeneralNameInterface') is a singleton
container for another 'GeneralNameInterface' value.
To implement a profile component that copies CN to a SAN dNSName, we
need to examine existing General Names in the SAN extension (if
present), to avoid duplicate values. We can iterate 'GeneralNames',
but if the value is of type 'GeneralName' we need a way to "unwrap"
the value, down to the innermost value which will be of a specific
General Name type.
Add the 'unwrap' method to 'GeneralName'.
Part of: https://fedorahosted.org/pki/ticket/1710
To implement a profile default that copies CN to SAN dNSName, we
need to examine existing dNSName values. To support this, add the
'getValue()' method to 'DNSName'.
Part of: https://fedorahosted.org/pki/ticket/1710
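The five commits above for ticket 1710 describe one mechanism: read the most-specific CN from the Subject DN (getAttributesForOid), decide whether it looks like a DNS name, inspect the existing SAN dNSName values to avoid duplicates, and add the CN as a dNSName, creating the extension if absent. The following is an added Python model of that logic, not Dogtag's Java code. It assumes a simplified subject DN (an ordered list of (type, value) RDNs in DER order, so the last CN is the most specific) and a SAN represented as a list of (GeneralName type, value) pairs; the DNS-name heuristic (LDH labels, at least two labels) and the case-insensitive duplicate check are this example's own choices. The names get_attributes_for_type, looks_like_dns_name and common_name_to_san_default are hypothetical.

```python
"""Model of a CN-to-SAN dNSName profile default (added example, not Dogtag code)."""
import re

# One DNS label: letters, digits and interior hyphens, 1..63 characters (assumed heuristic).
LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def get_attributes_for_type(dn, attr_type):
    """Values of attr_type ordered from least to most specific.

    dn is a constructed list of (type, value) RDNs in DER order, so the last
    matching entry is the most specific one (the analogue of getAttributesForOid).
    """
    return [value for rdn_type, value in dn if rdn_type.upper() == attr_type.upper()]


def looks_like_dns_name(value):
    """Conservative check: at least two LDH labels, no trailing dot, <= 253 chars."""
    if not value or len(value) > 253 or value.endswith("."):
        return False
    labels = value.split(".")
    return len(labels) >= 2 and all(LABEL.match(label) for label in labels)


def common_name_to_san_default(dn, san=None):
    """Return the SAN (list of (gn_type, value)) with the most-specific CN added as dNSName.

    san=None models "extension not present": a new list is created. An existing
    dNSName equal to the CN (compared case-insensitively) is not duplicated.
    """
    san = list(san or [])
    cns = get_attributes_for_type(dn, "CN")
    if not cns:
        return san  # no CN at all: nothing to copy
    cn = cns[-1]  # most specific CN
    if not looks_like_dns_name(cn):
        return san  # e.g. a personal name in CN: leave the SAN untouched
    existing = {value.lower() for gn_type, value in san if gn_type == "dNSName"}
    if cn.lower() in existing:
        return san
    san.append(("dNSName", cn))
    return san


if __name__ == "__main__":
    # Constructed sample DN: two CNs, the later (more specific) one is a host name.
    subject = [("C", "US"), ("O", "Example"), ("CN", "Example Org"), ("CN", "www.example.com")]
    print(common_name_to_san_default(subject))
    print(common_name_to_san_default(subject, [("dNSName", "WWW.EXAMPLE.COM")]))
```

The deliberate edge cases are the ones the commit series calls out: a DN with several CNs (only the most specific one is considered), a CN that is not a host name (no SAN change), and a CN already present as a dNSName (no duplicate entry).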
The TPS CLIs have been modified to use Exceptions instead of
System.exit() such that errors can be handled consistently.
The system, logging, and selftest CLIs have been modified to use
Exceptions instead of System.exit() such that errors can be
handled consistently.
The feature and authority CLIs have been modified to use
Exceptions instead of System.exit() such that errors can be
handled consistently.
The MergePKIWebapps upgrade script has been modified to ensure
that the old deployment descriptors exist before deleting them.
https://fedorahosted.org/pki/ticket/2582
The client and PKCS12 CLIs have been modified to use Exceptions
instead of System.exit() such that errors can be handled
consistently.
A new parameter has been added to set the serial number field in
CertEnrollmentRequest and in profile input if available.
A new parameter has been added to set the renewal field in
CertEnrollmentRequest.
KEY_USAGE was accidentally added and verify usage was left off.
This results in BZ#1238684
To help troubleshooting, the CAEnrollProfile class has been modified
to chain the original exceptions.
Currently, PKIConnection does not allow the client certificate and
private key to be stored in different files. However, the python-requests
library allows this separation, so it should be made possible.
The PKI CLI has been modified to catch KeyboardInterrupt and exit
cleanly without displaying the stack trace.
The names of restricted commands have been moved into a list for
clarity.
The key CLIs have been modified to use Exceptions instead of
System.exit() such that errors can be handled consistently.
The cert and profile CLIs have been modified to use Exceptions
instead of System.exit() such that errors can be handled
consistently.
Previously the /pki webapp was only added if the theme was present
during installation, and there were separate webapps for /pki/admin
and /pki/js. If the theme was installed later, the /pki webapp had
to be configured manually.
To simplify the installation and to support other developments
(e.g. login banner), the /pki webapp will always be added during
installation regardless of theme, and the /pki/admin and /pki/js
webapps are merged into /pki webapp. When the theme package is
installed, it will create links in /pki webapp so the theme files
will become available without additional configuration.
An upgrade script has been added to merge the /pki webapp in
existing instances.
https://fedorahosted.org/pki/ticket/2582
Direct invocations of CryptoManager.getTokenByName() have been
replaced with CryptoUtil.getCryptoToken() and getKeyStorageToken()
to ensure that internal token names are handled consistently both
in normal mode and FIPS mode.
https://fedorahosted.org/pki/ticket/2556
Previously, if a certificate request page had only one entry, the
entry itself would be removed from the page, resulting in a blank
page.
The QueryReq.trim() has been modified not to remove the marker
entry if it's the only entry in the page.
https://fedorahosted.org/pki/ticket/2450
Per RFC 5758, when the ecdsa-with-SHA224, ecdsa-with-SHA256, ecdsa-with-SHA384, or ecdsa-with-SHA512 algorithm identifier appears in the algorithm field as an AlgorithmIdentifier, the encoding MUST omit the parameters field.
Note: Since we do not support DSA, this patch does not attempt to address them.
Also, while we do not claim to support sha224, the patch adds enough code to process the OID just for completeness. However, it does not attempt to offer it as part of the signing algorithms.
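To make the RFC 5758 requirement in the commit above concrete, here is an added Python check (not Dogtag code) that parses a DER AlgorithmIdentifier and rejects an ecdsa-with-SHA2 identifier that carries a parameters field. The minimal DER encoder/decoder and the function names encode_oid, encode_algorithm_identifier and check_algorithm_identifier are this example's own; the four OID values are the ecdsa-with-SHA224/256/384/512 identifiers from RFC 5758. Sample encodings are constructed inline so the check runs offline.

```python
"""RFC 5758 section 3.2: ecdsa-with-SHA2 AlgorithmIdentifier must omit parameters.

Added example with hand-written DER helpers; not Dogtag's implementation.
"""

# OIDs from RFC 5758 (ecdsa-with-SHA224 included only for completeness, as in the commit).
ECDSA_WITH_SHA2 = {
    "1.2.840.10045.4.3.1": "ecdsa-with-SHA224",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
    "1.2.840.10045.4.3.4": "ecdsa-with-SHA512",
}


def _der_len(n):
    """DER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_tlv(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content


def encode_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (tag 0x06)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:  # base-128 with continuation bits, most significant group first
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return _der_tlv(0x06, bytes(body))


def encode_algorithm_identifier(dotted_oid, parameters=None):
    """SEQUENCE { algorithm OID, parameters ANY OPTIONAL }; parameters are raw DER bytes."""
    return _der_tlv(0x30, encode_oid(dotted_oid) + (parameters or b""))


def _read_tlv(buf, pos):
    """Read one TLV at pos; return (tag, content, position after the TLV)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content):
    """Decode OBJECT IDENTIFIER content bytes (first-arc split is sufficient for 1.x/2.x here)."""
    arcs = [content[0] // 40, content[0] % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def check_algorithm_identifier(der):
    """Return (oid, ok, reason); ok is False when an ecdsa-with-SHA2 id carries parameters."""
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        return None, False, "not a single SEQUENCE"
    oid_tag, oid_body, pos = _read_tlv(seq, 0)
    if oid_tag != 0x06:
        return None, False, "algorithm is not an OBJECT IDENTIFIER"
    oid = decode_oid(oid_body)
    has_params = pos < len(seq)  # anything after the OID inside the SEQUENCE is parameters
    if oid in ECDSA_WITH_SHA2 and has_params:
        return oid, False, f"{ECDSA_WITH_SHA2[oid]} MUST omit parameters (RFC 5758)"
    return oid, True, "ok"


if __name__ == "__main__":
    # Constructed inputs: compliant encoding, and the same OID with an explicit NULL (05 00).
    print(check_algorithm_identifier(encode_algorithm_identifier("1.2.840.10045.4.3.2")))
    print(check_algorithm_identifier(encode_algorithm_identifier("1.2.840.10045.4.3.2", b"\x05\x00")))
```

The check is deliberately limited to the four ECDSA identifiers the commit names; other algorithms (such as RSA signature OIDs, whose parameter rules come from different RFCs) pass through unchanged, which matches the commit's note that DSA is not addressed.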
The code that detects the internal token name has been modified to
use CryptoUtil.isInternalToken() such that the comparison can be
done consistently both in normal mode and FIPS mode.
https://fedorahosted.org/pki/ticket/2556
The CryptoUtil has been modified to provide two separate methods
to obtain a token given the token name:
- getCryptoToken() returns crypto token
- getKeyStorageToken() returns key storage token
The getKeyStorageToken() was renamed from the existing
getTokenByName(). All code using the old method has been updated
accordingly.
If the provided token name matches the internal token name, the methods
will return the corresponding internal crypto/key storage token.
The isInternalToken() was modified to check for empty string in
addition to the short and full name of the internal token.
https://fedorahosted.org/pki/ticket/2556
The internal token short name literals have been replaced with
CryptoUtil.INTERNAL_TOKEN_NAME.
https://fedorahosted.org/pki/ticket/2556
The CMSTemplate has been fixed to escape HTML special characters
in method documentation.
The CMake script for Javadoc has been fixed to include the missing
SLF4J library in the class path.
In the migration case, it is useful to delete the initially
created signing certificate database record and have that be
imported through the ldif data import instead.
Therefore, we add an option to remove this entry. The user
also needs to provide the serial number for the entry.
This resolves the following tickets/BZs:
BZ# 1409949/Trac 2573 - CA Certificate Issuance Date displayed
on CA website incorrect
BZ# 1409946/Trac 2571 - Request ID undefined for CA signing
certificate
The internal token full name literals have been replaced with
CryptoUtil.INTERNAL_TOKEN_FULL_NAME.
https://fedorahosted.org/pki/ticket/2556
The wrapper script for legacy CLIs has been updated to use
java.ext.dirs to specify the client library folder instead
of a class path variable containing individual JAR files.
The same mechanism is already in use in PKI CLI.
Currently we try to parse the entryUSN into an Integer, which wraps
the 'int' primitive type. If the entryUSN value is too large to fit in
'int', NumberFormatException is raised.
Change LDAPProfileSubsystem and CertificateAuthority to use
BigInteger for entryUSN values.
Fixes: https://fedorahosted.org/pki/ticket/2579
The KeyRecoveryAuthority.PR_INTERNAL_TOKEN_NAME has been replaced
with CryptoUtil.INTERNAL_TOKEN_NAME since they are identical.
https://fedorahosted.org/pki/ticket/2556
The HttpClient.PR_INTERNAL_TOKEN_NAME has been replaced with
CryptoUtil.INTERNAL_TOKEN_NAME since they are identical.
https://fedorahosted.org/pki/ticket/2556
The CMCRevoke.PR_INTERNAL_TOKEN_NAME has been replaced with
CryptoUtil.INTERNAL_TOKEN_NAME since they are identical.
https://fedorahosted.org/pki/ticket/2556
The CMCRequest.PR_INTERNAL_TOKEN_NAME has been replaced with
CryptoUtil.INTERNAL_TOKEN_NAME since they are identical.
https://fedorahosted.org/pki/ticket/2556
The KRATool.INTERNAL_TOKEN has been replaced with
CryptoUtil.INTERNAL_TOKEN_FULL_NAME since they are identical.
https://fedorahosted.org/pki/ticket/2556
The ConfigurationRequest.TOKEN_DEFAULT has been replaced with
CryptoUtil.INTERNAL_TOKEN_FULL_NAME since they are identical.
https://fedorahosted.org/pki/ticket/2556
The Constants.PR_FULL_INTERNAL_TOKEN_NAME has been replaced with
CryptoUtil.INTERNAL_TOKEN_FULL_NAME since they are identical.
https://fedorahosted.org/pki/ticket/2556
The Constants.PR_INTERNAL_TOKEN_NAME has been replaced with
CryptoUtil.INTERNAL_TOKEN_NAME since they are identical.
https://fedorahosted.org/pki/ticket/2556
The Constants.PR_INTERNAL_TOKEN has been replaced with
CryptoUtil.INTERNAL_TOKEN_NAME since they are identical.
https://fedorahosted.org/pki/ticket/2556
An upgrade script has been added to replace the IPv4- and IPv6-specific
AJP loopback addresses with the more generic "localhost" in existing
instances.
https://fedorahosted.org/pki/ticket/2570
The user and group CLIs have been modified to use Exception
instead of System.exit() such that errors can be handled
consistently.
The MainCLI has been modified to use Exceptions instead of
System.exit() such that errors can be handled consistently.
A new tcp.keepAlive parameter has been added for CS.cfg to
configure the TCP Keep-Alive option for all LDAP connections
created by PKI server. By default the option is enabled.
The LdapJssSSLSocketFactory has been modified to support both
plain and secure sockets. For clarity, the socket factory has been
renamed to PKISocketFactory.
All code that creates LDAP connections has been modified to use
PKISocketFactory such that the TCP Keep-Alive option can be applied
globally.
https://fedorahosted.org/pki/ticket/2564
This is the dogtag upstream side of the TPS portion of this ticket.
This fix also involves an applet fix, handled in another bug.
The ConfigurationUtils.handleCerts() has been modified to log the
actual exception instead of showing the "deleteCert" operation
which may not be executed yet.
https://fedorahosted.org/pki/ticket/2457