| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
|
|
| |
The FixSELinuxContexts upgrade script has been removed temporarily
due to a problem importing selinux library during RPM upgrade.
The FixDeploymentDescriptor script number has been changed
accordingly.
https://fedorahosted.org/pki/ticket/2452
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
When processing lightweight CAs, currently we perform the entryUSN
check before the host authority check. If the entry does not have
an entryUSN attribute, and if the DS USN plugin is not enabled, the
entry gets skipped and we do not reach the host authority check.
This causes the CA to believe that it has not seen the host
authority entry, and results in additional entries being added.
Move the host authority check before the entryUSN check to avoid
this scenario.
Fixes: https://fedorahosted.org/pki/ticket/2444
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Currently we abort adding a lightweight CA if its entry does not
have an 'entryUSN' attribute, and log a failure, even if the USN
plugin is enabled. But if the plugin is enabled, it's fine to
proceed.
Update the authority monitor to check if the USN plugin is enabled
and only log the failure if it is not. Clarify the log message
accordingly.
Part of: https://fedorahosted.org/pki/ticket/2444
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If authorityMonitor observes the deletion of the host CA's authority
entry, it will treat it the same as any other lightweight CA and
delete the signing cert AND KEY from the NSSDB. Because the database
is replicated, the change would be observed and deletion immediately
effected on all running clones. Unless the main CA private key is
backed up somewhere there is no way to recover from this.
Although this scenario does not arise in normal operation, the
impact is severe so add a check that prevents cert and key deletion
for host authority.
Fixes: https://fedorahosted.org/pki/ticket/2443
|
| |
|
|
| |
Fixes: https://fedorahosted.org/pki/ticket/1638
|
| |
|
|
|
|
|
|
|
|
| |
The URLs were generated by a UriBuilder that referred to the resource's
annotated path. This top-level path changed though, even if the underlying
paths did not. Replace this with a reference to the getX methods instead.
Also fixed a few eclipse flagged warnings (unused imports etc).
Ticket 2447
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Previously all system certificates were always created in the same
token specified in the pki_token_name parameter.
To allow creating system certificates in different tokens, the
configuration.py has been modified to store the system certificate
token names specified in pki_<cert>_token parameters into the
CS.cfg before the server is started.
After the server is started, the configuration servlet will read
the token names from the CS.cfg and create the certificates in the
appropriate token.
https://fedorahosted.org/pki/ticket/2449
|
| |
|
|
|
|
|
| |
(for shared HSM)
When installing multiple instances on the same host sharing the same HSM, if subject_dn's are not specifically spelled out with unique names for each instance, installation will fail with complaints that same subject name and serial number already exist. This happens in the scenario if you are creating a subordinate CA, for example, that's in the same domain name as the root CA. It is very inconvenient that you are expected to spell out subject dn's of all system certs in the pkispawn config file.
This patch changes default.cfg so that the instance name is in the default subject dn, e.g. adding it as an "ou" component: ou=%(pki_instance_name)s
|
| |
|
|
|
|
|
| |
To help troubleshooting the debug log in UpdateNumberRange servlet
has been modified to show the exception stack trace.
https://fedorahosted.org/pki/ticket/2436
|
| |
|
|
|
|
|
|
|
|
|
| |
Previously issues with system certificates that happen during
subsystem initialization were reported as database initialization
error. Database initialization actually does not depend on
subsystem initialization, so to avoid confusion and to simplify the
code the reInitSubsystem() in SystemConfigService is now invoked
after the initializeDatabase() is complete.
https://fedorahosted.org/pki/ticket/2423
|
| |
|
|
|
|
|
|
|
| |
Previously when installing with HSM the token name has to be
specified for each system certificate in the pki_<cert>_token
parameters. The deployment tool has been modified such that by
default it will use the token name specified in pki_token_name.
https://fedorahosted.org/pki/ticket/2423
|
| | |
|
| |
|
|
|
|
| |
Partially fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1353245
Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
|
| |
|
|
|
|
|
|
| |
An upgrade script has been added to fix missing deployment
descriptors or deployment descriptors that are pointing to
non-existent or empty folders.
https://fedorahosted.org/pki/ticket/2439
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
SslclientAuth is not working.
Ticket #1578
The fixing of this problem required the following:
1. Hook up a java callback that is designed to allow the selection of a candidate
client auth cert to be sent to Ldap in the LdapSSLSocket factory object.
Previously we simply manually set the desired client auth cert nickname, which is provided
by the console interface when cofiguring the "removePin" portion of the UidPinDir Authentication method.
Doing it this way has the benefit of giving us some logging to show when the actual client auth cert is being
requested by the server. We get to see the list of candidate certs and when we match one of those with the requested
cert name, established by the console.
This client auth problem applies ONLY to the connection pool that is used to remove the pin attribute from
an external authentication directory.
2. Previously the code, when setting up client auth for "removePin", would make one single call to create the SSL socket
to connect to ldap over client auth. Now, based on some code I saw in the JSS test suite, the socket is constructed in two
steps. Doing this causes things to work. Further investigation down the line could figure out what is going on at the lower level.
3. Was able to test this to work with the reported problem directory server provided by QE. Note: for pin removal to work, we must also
make sure that the user we authenticating to (through client auth) has the power to actually remove the pin attribute from various users.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The pki-server subsystem-cert-update CLI has been updated to
use certutil to retrieve the certificate data from the proper
token. It will also show a warning if the certificate request
cannot be found.
The NSSDatabase constructor has been modified to normalize the
name of internal NSS token to None. If the token name is None,
the certutil will be executed without the -h option.
The NSSDatabase.get_cert() has been modified to prepend the token
name to the certificate nickname.
https://fedorahosted.org/pki/ticket/2440
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The CA signing CSR is already stored in request record which will
be imported as part of migration process, so it's not necessary to
export and reimport the CSR file again for migration.
To allow optional CSR, the pki-server subsystem-cert-validate
CLI has been modified to no longer check the CSR in CS.cfg. The
ConfigurationUtils.loadCertRequest() has been modified to ignore
the missing CSR in CS.cfg.
https://fedorahosted.org/pki/ticket/2440
|
| |
|
|
|
| |
* PKI TRAC Ticket #690 - [MAN] pki-tools man pages
- CMCEnroll
|
| |
|
|
| |
* PKI TRAC Ticket #2436 - Dogtag 10.3.6: Miscellaneous Enhancements
|
| |
|
|
|
|
|
| |
To help troubleshooting some debug messages have been added into
ConfigurationUtils.handleCerts().
https://fedorahosted.org/pki/ticket/2436
|
| |
|
|
|
|
|
| |
The SelfTestService.findSelfTests() has been modified to return
all selftests defined in the CS.cfg.
https://fedorahosted.org/pki/ticket/2432
|
| |
|
|
|
|
|
|
|
|
| |
To avoid confusion, the isSelfTestCriticalAtStartup() and
isSelfTestCriticalOnDemand() in SelfTestSubsystem have been
modified to no longer log an error message if the selftest
being checked does not exist in the corresponding property
in CS.cfg.
https://fedorahosted.org/pki/ticket/2432
|
| |
|
|
|
|
|
| |
The LDAPExceptionConverter has been modified to wrap LDAPException
for invalid attribute syntax with BadRequestException.
https://fedorahosted.org/pki/ticket/833
|
| |
|
|
|
|
|
| |
To help troubleshooting the selftest log has been modified to
include the cert validation error message returned by JSS.
https://fedorahosted.org/pki/ticket/2436
|
| |
|
|
|
|
|
|
| |
The dialog box for adding user certificate in TPS UI has been
modified to no longer mention PKCS #7. The REST service itself
still accepts PKCS #7, but it should be cleaned up in the future.
https://fedorahosted.org/pki/ticket/2437
|
| |
|
|
|
|
|
|
|
|
|
| |
The pkispawn has been modified to improve the way it displays the
error message returned by SystemConfigService.configure(). If the
method throws a PKIException, the response is returned as a JSON
message, so pkispawn will parse it and display the actual error
message. For other exceptions pkispawn will display the entire
HTML message returned by Tomcat.
https://fedorahosted.org/pki/ticket/2399
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
PyPI requires a different spelling of LGPLv3+ classifier.
The correct name for installation requirements is 'install_requires',
not 'requirements'.
Add a new version_info command that rewrites setup.py in place to
include the current version. This fixes a problem with source
distributions of the client package.
|
| |
|
|
|
|
|
|
| |
The method to retrieve a lightweight CA's PEM-encoded PKCS #7 cert
chain incorrectly returns X.509 data wrapped in PKCS7 PEM header.
Return proper PKCS #7 data.
Fixes: https://fedorahosted.org/pki/ticket/2433
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The CA subsystem OCSP responder was updated to handle dispatching
OCSP requests to the relevant CertificateAuthority instance,
according to the issuer of the certificates identified in the
request. Unfortunately, the updated routine assumes that the
database updates that enable lightweight CAs have occurred. If they
have not, the OCSP responder always fails.
Fix the issue by inferring that if 'caMap' is empty, lightweight CAs
are not in use, the current instance is the one and only CA, and
proceed straight to validation.
Fixes: https://fedorahosted.org/pki/ticket/2420
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
To fix cloning issue in IPA the security_database.py has been
modified to import all certificates and keys in the PKCS #12 file
before the PKI server is started. Since the PKCS #12 generated by
IPA may not contain the certificate trust flags, the script will
also reset the trust flags on the imported certificates (i.e.
CT,C,C for CA certificate and u,u,Pu for audit certificate).
The ConfigurationUtils.restoreCertsFromP12() is now redundant and
it should be removed in the future, but for now it has been
modified to set the same trust flags on imported certificates.
The CryptoUtil.importCertificateChain() has also been modified to
set the same trust flags on imported certificates.
https://fedorahosted.org/pki/ticket/2424
|
| |
|
|
|
|
|
|
| |
To help troubleshooting cloning issues the security_databases.py
has been modified to log the content of the PKCS #12 file before
import and the NSS database after import.
https://fedorahosted.org/pki/ticket/2424
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
The ConfigCertApprovalCallback has been modified such that it
logs the server certificate being validated and can be configured
to ignore certain validation errors.
The ConfigurationUtils has been modified to use the
ConfigCertApprovalCallback to show and validate the server
certificate in all GET and POST operations except for the
importCertChain() in which the code needs to ignore untrusted
issuer in order to get the certificate chain via SSL.
https://fedorahosted.org/pki/ticket/2424
|
| | |
|
| |
|
|
|
|
| |
Partially fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1353245
Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
|
| |
|
|
| |
Signed-off-by: Geetika Kapoor <gkapoor@redhat.com>
|
| |
|
|
| |
This patch fixes the issue that when an agent visit one of the CA's system cert request records, exception is thrown.
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
The CMake create_symlink command fails if the link target does not
exist already. Since PKI JAR files may not exist at build time, the
commands to create the links to those files have been replaced with
the ln -sf command which will create the links regardless of the
targets' existence.
https://fedorahosted.org/pki/ticket/2403
|
| |
|
|
|
|
|
| |
Need to put pki_server_side_keygen in a conditional to avoid
breaking other subsystem deployments.
Ticket 2418
|
| |
|
|
|
|
|
|
|
| |
* PKI TRAC Ticket #690 - [MAN] pki-tools man pages
- AtoB,
- BtoA,
- KRATool,
- PrettyPrintCert, and
- PrettyPrintCrl
|
| |
|
|
|
|
|
| |
To help troubleshooting the PKIClient class has been modified to
log the certificate chain retrieved from the CA.
https://fedorahosted.org/pki/ticket/2399
|
| |
|
|
| |
Ticket 2412
|
| |
|
|
| |
Ticket 2418
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
The deployment tool has been modified to set up SELinux contexts
after all instance files have been created to ensure they have the
correct contexts.
An upgrade script has been added to fix existing instances.
https://fedorahosted.org/pki/ticket/2421
|
| |
|
|
|
|
|
|
| |
An upgrade script has been added to replace the <instance>/common
in existing instances with a link to /usr/share/pki/server/common
which contains links to server dependencies.
https://fedorahosted.org/pki/ticket/2403
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Ticket #2406 Make starting CRL Number configurable
This simple patch provides a pkispawn config param that passes
some starting crl number value to the config process.
Here is a sample:
[CA]
pki_ca_starting_crl_number=4000
After the CA comes up the value of "crlNumber" in the db will
reflect that value of 4000.
Currently no other values are changed. We can talk about if we
need more values reset in the given case.
Also, this creates a setting in the CS.cfg
ca.crl.MasterCrl.startingCrlNumber=4000
This setting is only consulted when the crl Issuing Point record is created
for the first time.
|
| |
|
|
|
|
|
|
|
| |
The deployment tool has been modified to link <instance>/common
to /usr/share/pki/server/common instead of creating separate links
for each dependency. This allows the RPM spec to customize the
links for different platforms.
https://fedorahosted.org/pki/ticket/2403
|
| |
|
|
|
|
|
|
|
|
| |
The pki CLI has been modified to use java.ext.dirs property to
load the dependencies instead of listing them individually. The
dependencies are stored as links in /usr/share/pki/lib folder.
This allows the RPM spec to customize the links for different
platforms.
https://fedorahosted.org/pki/ticket/2403
|
