Previously the default AJP hostname was an IPv4 loopback address.
To avoid problems in IPv6 environments the default has been
changed to a generic "localhost" address. The man page has been
updated accordingly.
https://fedorahosted.org/pki/ticket/2570

To improve reusability the deployment system variables have been
converted from global variables in pkiconfig.py into attributes in
PKIDeployer.

To improve reusability the deployment timestamp variables have been
converted from global variables in pkiconfig.py into attributes in
PKIDeployer.

To improve reusability the flatten_master_dict() has been moved
from PKIConfigParser into PKIDeployer.

To improve reusability the PKIDeployer class has been moved from
the pkihelper.py into the top level pki.server.deployment module.

To improve reusability the pki_subsystem object has been converted
from a global variable in pkiconfig.py into an attribute in
PKIDeployer.

To improve reusability the pki_config object has been moved from
PKIConfigParser into PKIDeployer.

To improve reusability the user_config object has been converted
from a global variable in pkiconfig.py into an attribute in
PKIDeployer.

To improve reusability the deployment tools have been modified
such that the master and slots dictionary objects are created in
PKIDeployer at the beginning of the program. The PKIConfigParser
has been modified to use the same dictionary objects.

The pki_copytree() has been moved from pkihelper.py into
pki/util.py such that it can be reused in non-deployment
scenarios.

The CMake scripts have been modified to remove redundant
invocations of find_file() to find Tomcat libraries.
https://fedorahosted.org/pki/ticket/2560

To help troubleshooting build issues the pki-tools build targets
have been modified such that they run sequentially. This way error
messages will be easier to find in the build log.
https://fedorahosted.org/pki/ticket/2463

Part of: https://fedorahosted.org/pki/ticket/1359

Part of: https://fedorahosted.org/pki/ticket/1359

Part of: https://fedorahosted.org/pki/ticket/1359

Part of: https://fedorahosted.org/pki/ticket/1359

The getAuthzManagerByRealm public method is defined in
AuthzSubsystem but to support external principals we want to make
this part of the IAuthzSubsystem interface, so other classes (e.g.
ACLInterceptor) can use it.
Part of: https://fedorahosted.org/pki/ticket/1359

Currently if ':' appears in an ACL expression (e.g. a group name, as
occurs in FreeIPA permissions), the ACL gets parsed incorrectly.
Look backwards from end of string for the final ':', so that the ACL
parses correctly.
Part of: https://fedorahosted.org/pki/ticket/1359

DirAclAuthz and BasicAclAuthz both extend AAclAuthz, but there is
still a lot of duplicate code. Push the duplicated bits up into the
AAclAuthz.
Also remove abstract method flushResourceACLs() from AAclAuthz, and
its implementation from BasicAclAuthz, because it is only
implemented (meaningfully) by DirAclAuthz.
Part of: https://fedorahosted.org/pki/ticket/1359

Part of: https://fedorahosted.org/pki/ticket/1359

- PKI TRAC Ticket #2524 - Remove xenroll.dll from pki-core

nistp384 is specified in spawn config
Ticket #2552.
This fix turned out simple. The client was correctly setting the required data, but it was putting the curveName in the
"keySize" field of the SystemCertData object sent to the back end. The configuration routine was trying to find the name in the "curveName" field when it's really in the "keySize" field. This issue is restricted to the ECC case. It is fine to simply fix this in the server, since the "keySize" is a string anyway and it makes decent sense.

When a user renews its certificate using pki client-cert-request
the CLI will authenticate using the certificate and send an empty
request message. The server is supposed to use the certificate's
serial number to process the renewal request.
Currently the request fails if the serial number is missing from
the request message. The server has been fixed such that it
ignores the missing serial number and uses the certificate's serial
number instead.
https://fedorahosted.org/pki/ticket/2476

Just a small drive-by refactor.
Part of: https://fedorahosted.org/pki/ticket/1359

Part of: https://fedorahosted.org/pki/ticket/1359

Part of: https://fedorahosted.org/pki/ticket/1359

Commit db58e6071f6bb57de006e6499c0a0c6a8c8e67bf has been reverted
due to build issue on RHEL/CentOS.
https://fedorahosted.org/pki/ticket/2531

Commit f9ddb2e875355e882b14529979f6c9ae03cf720e has been reverted
due to build issue on RHEL/CentOS.
https://fedorahosted.org/pki/ticket/2535

Previously the pki user-cert-add fails to check whether the server
has a CA subsystem when it's invoked over SSL. That is because the
CLI tries to establish a new but improperly set up SSL connection.
Now the CLI has been modified to use the existing server
connection.
https://fedorahosted.org/pki/ticket/1517

The PKIConnection has been modified to provide two get() methods:
one returning a generic Response object and the other returning an
object with the specified type. The ConfigurationUtils has been
modified accordingly.
https://fedorahosted.org/pki/ticket/1517

TPS throws "err=6" when attempting to format and enroll G&D Cards.
https://bugzilla.redhat.com/show_bug.cgi?id=1320283
This fix addresses this bug, but also:
Fixes this issue:
Applet upgrade during rekey operation results in formatted token.
Also, it takes care of a related issue where the new apdu needed for the
lifecycle state causes the testing tool "tpsclient" to seg fault.
The fix here is a minimal fix to have tpsclient return an error when it gets
this apdu it can't handle, instead of crashing.

The pki-cert man page has been updated to clarify that certain
profiles may require authentication and the CLI supports certain
authentication types.
https://fedorahosted.org/pki/ticket/2289

The TPS UI has been updated to support TPS agent approval process
for changes in authenticators, connectors, and profile mappings in
addition to profiles.
The ConfigEntryPage has been updated to display the action links
consistently in the above components for all possible role and
status combinations.
The ProfilePage has been removed since the code has been merged
into its super class.
https://fedorahosted.org/pki/ticket/2523

The TPS UI has been modified to adjust the system menu based
on the list of accessible components obtained during login.
The TPSApplication has been modified to use TPSAccountService
which returns the list of accessible components based on the
following properties in the CS.cfg:
* admin: target.configure.list
* agent: target.agent_approve.list
https://fedorahosted.org/pki/ticket/2523

The AccountInfo has been changed to extend the ResourceMessage
such that it can be used to pass the list of accessible
components as an attribute.
https://fedorahosted.org/pki/ticket/2523

When request was approved and retrieved through the rest
interface, the corresponding volatile requests object was not
created due to the new flow. This makes sure the volatile request
is created.

shows different certificate status
This patch fixes the reported issue so now the auto-recovered certificate will reflect the actual status of the certificate. Also, since the externalReg tracks its own recovered certificate status, it is consolidated with the certificate status tracking mechanism added in this patch so that they can be uniformly managed.

The PKCS12Util class has been modified to use SLF4J logging
framework. The CMake scripts have been modified to include SLF4J
libraries in the classpath. The spec file has been modified to
add SLF4J dependencies.
https://fedorahosted.org/pki/ticket/195

New man pages have been added for the common and server logging
configurations.
https://fedorahosted.org/pki/ticket/1897

To reduce maintenance the log4j.properties is no longer copied
into the instance folder during deployment. Instead, a link will
be created in the /var/lib/pki/<instance>/lib folder pointing to
the default file in /usr/share/pki/server/conf.
The default log4j.properties has been updated to remove redundant
lines. By default only log messages with level WARN or higher will
be logged on the console.
https://fedorahosted.org/pki/ticket/1897

To reduce maintenance the logging.properties is no longer copied
into the instance folder during deployment. Instead, a link will
be created in /etc/pki/<instance> pointing to the default file
in /usr/share/pki/server/conf.
The default logging.properties has been updated to only log
messages with level WARNING or higher on the console.
https://fedorahosted.org/pki/ticket/1897

The logging.properties files in OCSP, TKS, and TPS folders are
never deployed so they have been removed.
https://fedorahosted.org/pki/ticket/1897

The logging.properties files in CA and KRA folders are never
deployed so they have been removed.
https://fedorahosted.org/pki/ticket/1897

When installing subordinate CA with HSM, the installer calls the
pki CLI (which is implemented using JSS) to validate the imported
CA certificate in HSM. Normally, the HSM password is specified as
CLI parameter, but in FIPS mode JSS requires both the HSM and the
internal token passwords. Since the CLI only takes one password,
JSS will prompt for the missing one on the console causing the
installation to hang.
As a temporary solution, the pki-server subsystem-cert-validate
command has been modified to validate certificates stored in the
internal token only and it will use the internal token password,
so only a single password is required. Further investigation in
CLI/JSS/NSS is needed to support validating certificates in HSM
without password prompts.
https://fedorahosted.org/pki/ticket/2543

Due to certutil issue (bug #1393668) the installation code has
been modified to import certificates into the NSS database in
two steps. This workaround is needed to install subordinate CA
with HSM in FIPS mode.
First, the certificate will be imported into the HSM using the
HSM password without the trust attributes. Then, the certificate
will be imported into the internal token using the internal token
password with the trust attributes.
https://fedorahosted.org/pki/ticket/2543

To discourage the use of policy framework, the framework classes
have been moved into org.dogtagpki.legacy.
https://fedorahosted.org/pki/ticket/6

The list of source and class files in some CMake files have been
generalized to allow renaming Java packages without changing the
CMake files again.
https://fedorahosted.org/pki/ticket/6