| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
|
| |
To reduce Eclipse warnings, classes and methods related to policy
framework have been undeprecated. In the future the policy
framework may be removed since it has already been replaced with
the profile framework.
https://fedorahosted.org/pki/ticket/6
|
| | |
|
| |
|
|
|
|
|
| |
A bug in the approval code for asynchronous requests
results in the number of agents needed being calculated incorrectly
for SECURITY DATA (REST based) requests. This one liner
fixes this problem.
|
| |
|
|
|
| |
If a retrieval is non-sychronous, we create a non-ephemeral recovery
request and return this Request ID to the client.
|
| |
|
|
|
|
| |
Continuation of the previous patch. These are client changes
to allow the client to pass through an approved recovery request
to retrieveKey()
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When clients call retrieveKey(), three possible alternatives
now obtain:
1. client passes in an approved request. Request is processed
and the secret is retrieved.
2. client passes in key_id and wrapping parameters and either:
a) request can be processed immediately and synchronously
and request is created, and secret is returned.
b) request cannot be processed immediately. Recovery request
is created and request_id returned to the client
Depending on server configuration, the requests in case (2a)
will be stored in ldap or will be ephemeral (in memory only).
More complicated realm based logic to determine if requests
can be processed synchronously or ephemerally will be added in
a later patch.
|
| |
|
|
|
|
|
| |
Put logic in a Processor, so that it can be reused for synchronous
requests. The only differerence between synchronous and asynchronous
requests will be that forsynchronous requests, the request will be
triggered from and updated on the request queue.
|
| |
|
|
|
|
|
| |
New man pages have been added: pki-pkcs12, pki-pkcs12-cert, and
pki-pkcs12-key.
https://fedorahosted.org/pki/ticket/1920
|
| |
|
|
|
|
| |
The deprecated ProxyParser has been replaced with DefaultParser.
https://fedorahosted.org/pki/ticket/2535
|
| |
|
|
|
|
|
| |
The deprecated DefaultHttpClient in SubsystemClient, CRMFPopClient,
and OCSPProcessor has been replaced with HttpClientBuilder.
https://fedorahosted.org/pki/ticket/2531
|
| |
|
|
|
|
|
|
|
|
| |
The InhibitAnyPolicyExtension has been modified to always close
the DerOutputStream instance.
The InhibitAnyPolicyExtDefault has been modified to wrap the
original exception.
https://fedorahosted.org/pki/ticket/2530
|
| |
|
|
|
|
|
|
|
|
| |
The ExtendedKeyUsageExtension has been modified to always close
the DerOutputStream instance.
The ExtendedKeyUsageExt has been modified to wrap the original
exception.
https://fedorahosted.org/pki/ticket/2530
|
| |
|
|
| |
This reverts commit f979c3b436e9a12e8c71ba0abab5c892d375f945.
|
| |
|
|
| |
This reverts commit 3c4f9c7eb1aa9a71c0f5a943314d355d2fdeebb4.
|
| |
|
|
|
|
|
|
|
|
| |
The OCSPNoCheckExtension has been modified to always close the
DerOutputStream instance.
The OCSPNoCheckExt has been modified to wrap the original
exception.
https://fedorahosted.org/pki/ticket/2530
|
| |
|
|
|
|
|
| |
The GenericASN1Extension has been modified to always close the
DerOutputStream instance.
https://fedorahosted.org/pki/ticket/2530
|
| |
|
|
|
|
|
| |
The OtherName has been modified to always close the
DerOutputStream instances.
https://fedorahosted.org/pki/ticket/2530
|
| |
|
|
|
|
|
| |
To help troubleshooting, the EPropertyException has been modified
to provide constructors to chain the original exception.
https://fedorahosted.org/pki/ticket/2463
|
| |
|
|
|
|
|
|
| |
For clarity the PKCS12Util.loadFromByteArray() has been modified
to generate a more accurate exception message on PKCS #12
verification failure.
https://fedorahosted.org/pki/ticket/2476
|
| |
|
|
|
|
|
|
| |
For consistency the server.xml templates for Tomcat 7 and 8 have
been modified to use the same unsecure port used by the instance
in the default OCSP responder URL.
https://fedorahosted.org/pki/ticket/2476
|
| |
|
|
|
|
|
|
|
| |
Based on investigation and solution provided by cfu and jmagne,
the SecurityDataRecoveryService.serviceRequest() has been modified
to use EncryptionUnit.unwrap_temp() for key recovery via CLI in
FIPS mode.
https://fedorahosted.org/pki/ticket/2500
|
| |
|
|
|
|
|
| |
The code in SecurityDataRecoveryService.serviceRequest() has been
reformatted for clarity.
https://fedorahosted.org/pki/ticket/2500
|
| |
|
|
|
|
|
|
| |
To help troubleshooting, the ConfigurationUtils.handleCerts()
has been modified to throw the exception instead of returning an
integer.
https://fedorahosted.org/pki/ticket/2463
|
| | |
|
| |
|
|
| |
https://fedorahosted.org/pki/ticket/2460
|
| |
|
|
|
|
|
|
| |
db is on fips mode.
Ticket #2513.
Simple fix allows the TPS and TKS the ability to obtain the proper internal token, even in FiPS mode.
|
| |
|
|
|
|
| |
Simple fix to actually honor the PIN_RESET=<YES>or<NO> policy for a given token.
Ticket #2510.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The TPS UI has been updated to support TPS agent approval process
for changes in authenticators, connectors, and profile mappings in
addition to profiles.
The ConfigEntryPage has been updated to display the action links
consistently in the above components for all possible role and
status combinations.
The ProfilePage has been removed since the code has been merged
into its super class.
https://fedorahosted.org/pki/ticket/2523
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The TPS UI has been modified to adjust the system menu based
on the list of accessible components obtained during login.
The TPSApplication has been modified to use TPSAccountService
which returns the list of accessible components based on the
following properties in the CS.cfg:
* admin: target.configure.list
* agent: target.agent_approve.list
The AccountInfo has been changed to extend the ResourceMessage
such that it can be used to pass the list of accessible
components as an attribute.
https://fedorahosted.org/pki/ticket/2523
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
the ldap user mismatches
Fixes this bug #1381375.
The portion this patch fixes involves URL encoding glitch we encountered when recovering keys using
the "by cert" method.
Also this bug addresses:
Bug 1379379 - Unable to read an encrypted email using renewed tokens
The URL encoding problem was affecting the proper verification of this bug.
and
Bug 1379749 - Automatic recovery of encryption cert is not working when a token is physically damaged and a temporary token is issued
The URI encoding was also making this bug appear to fail more than it should have.
There is also a minor fix to the feature that makes sure it works.
This small fix is in TPSEngine.java where the constant for GenerateNewAndRecoverLast scheme is declared.
|
| |
|
|
|
|
|
|
|
|
| |
The CryptoUtil.getTokenName() has been modified to check both the
short name and full name of the internal token.
The ConfigurationUtils.deleteCert() has also been modified to call
CryptoUtil.getTokenName().
https://fedorahosted.org/pki/ticket/2500
|
| |
|
|
|
|
|
|
|
| |
To help troubleshooting build issues the pki-nsutil-classes
build target has been modified to depend on symkey-jar although
there is no actual code dependency. This way the targets will
be built sequentially and error messages will be easier to find.
https://fedorahosted.org/pki/ticket/2476
|
| |
|
|
|
|
|
|
| |
The verify_subsystem_does_not_exist() has been modified to display
the proper error message when the subsystem to be installed already
exists.
https://fedorahosted.org/pki/ticket/2476
|
| |
|
|
|
|
| |
op.format.externalRegAddToToken.revokeCert=true
This patch adds the missing parameters in the CS.cfg for externalRegAddToToken in regards to format operation. It also changed the non-defined ldap2 and ldap3 and ldap1
|
| |
|
|
|
|
|
| |
multiple tokens. #1664
We just found out the code doesn't account for if the user has an active token which IS the
token currently being worked on.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
tokens. #1664
This bug was previously not completely fixed where we left a loophole to allow a user to
end up with 2 active tokens. This fix closes that loophole.
Also:
Fix for: Unable to read an encrypted email using renewed tokens. #2483
This fix provides for a new optional renewal based token policy, that
allows the user to retain or recover old encryption certs for that profile,
that get overwritten by the renewal process.
An example is:
RENEW=YES;RENEW_KEEP_OLD_ENC_CERTS=YES
The default is YESk you have to explicitly set it to NO to turn it off.
The second part of the policy is new.
When this is set to "YES", the system will make sure the old enc cert
will remain on the token. If it's missing or "NO", no such attempt will be made.
junk
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
key id on the ldap user mismatches
Problem: There are two ways to recover the keys with
a. by cert
b. by keyId
When recovering by cert, KRA checks if cert and key matches before returning; However, in case of recovering by keyId, KRA has no way of checking. TPS also has no way of checking because the recovered private keys are warpped.
This patch adds a control parameter externalReg.recovery.byKeyID to determine if TPS should recover keys by keyIDs. By default, it is false, so certs are used to search for key record and recover.
Code summary for externalReg key recovery:
config default: externalReg.recover.byKeyID=false
Recover either by keyID or by cert
When recovering by keyid: externalReg.recover.byKeyID=true
- keyid in record indicates actual recovery;
- missing of which means retention;
When recovering by cert: externalReg.recover.byKeyID=false
- keyid field needs to be present
but the value is not relevant and will be ignored (a "0" would be fine)
- missing of keyid still means retention;
(In hindsight, recovery by keyid is probably more accident-prone and should be discouraged)
|
| |
|
|
|
|
|
|
| |
The ConfigurationUtils.importCertChain() has been modified to
ignore UNKNOWN_ISSUER error when connecting to a server that
does not have the complete certificate chain.
https://fedorahosted.org/pki/ticket/2497
|
| |
|
|
|
| |
The NSSDatabase.create_request() has been modified to remove
a superfluous argument when invoking certutil.
|
| |
|
|
|
|
|
|
| |
To help troubleshooting the GetCertChain servlet has been modified
to log the certificate chain being returned. The ConfigurationUtils
has also been modified to log the certificate chain received.
https://fedorahosted.org/pki/ticket/2463
|
| |
|
|
|
|
|
| |
The CMake scripts have been modified to store compiled Java classes
in separate folders for each JAR files to avoid duplicates.
https://fedorahosted.org/pki/ticket/2505
|
| |
|
|
| |
This patch fixes the bug that after revocation ca discovery, the revokeCertificate call goes back to the default ca, the ca that the certificate is to be enrollmed with; This causes problem when the revocation ca is a different ca.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
LDAP disconnect (e.g. due to DS restart) causes LDAPProfileSubsystem
to drop all its profiles and reload them. If a profile is read
during this time, e.g. to issue a certificate, it might not have
been reloaded thus causing the operation to fail.
Introduce the AsyncLoader class which allows a consumer to await the
completion of a (re)load, if one is happening. Update the
getProfile and getProfileIds method to use it.
The existing 'initialLoadDone' CountDownLatch for blocking
LDAPProfileSubsystem init until the inital load of profiles is
completed was subsumed by AsyncLoader.
Fixes: https://fedorahosted.org/pki/ticket/2453
NOTE: This patch is ONLY intended for Dogtag 10.4.0 versions and later;
it is NOT intended to be back-ported to Dogtag 10.3.x versions.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
CA startup creates an LWCA entry for the host authority if it
determines that one has not already been created. It determines if
an LWCA entry corresponds to the host CA by comparing the DN from
LDAP with the DN from the host authority's certificate.
If the DN from the host authority's certificate contains values
encoded as PrintableString, it will compare unequal to the DN from
LDAP, which parses to UTF8String AVA values. This causes the
addition of a spurious host authority entry every time the server
starts.
Serialise DNs before comparing, to avoid these false negatives.
Fixes: https://fedorahosted.org/pki/ticket/2475
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
During two-step installation of externally-signed CA, installation
can fail because host authority's private key cannot be located (a
temporary condition), causing LWCA key replication to fire, which
throws NullPointerException because the host authority's AuthorityID
has not been set yet.
Do not start key retrieval if the CA's AuthorityID is null (a
condition which implies that the CA is the host authority).
Fixes: https://fedorahosted.org/pki/ticket/2466
|
| |
|
|
|
|
|
| |
To help troubleshooting the SigningUnit for CA have been modified
to show additional log messages.
https://fedorahosted.org/pki/ticket/2463
|
| |
|
|
|
|
|
|
| |
To help troubleshooting the ConfigurationUtils has been modified
to chain the original exceptions and to show additional log
messages.
https://fedorahosted.org/pki/ticket/2463
|
| |
|
|
|
|
|
| |
To help troubleshooting the SigningUnit for CA and OCSP have been
modified to chain the original exceptions.
https://fedorahosted.org/pki/ticket/2463
|
| |
|
|
|
|
|
|
| |
The patch that added the support for creating system certificates
in different tokens causes issues in certain cases, so for now it
has been reverted.
https://fedorahosted.org/pki/ticket/2449
|
