Commit log for path: root/base
Each entry: commit message, author, date, files changed, lines removed/added.
* Removed hard-coded paths in pki.policy. (Endi S. Dewata, 2016-07-26, 2 files, -131/+17)
  The operations script has been modified to generate pki.policy dynamically from links in the <instance>/common/lib directory. This allows the pki.policy to match the actual paths in different platforms.
  https://fedorahosted.org/pki/ticket/2403
* Added CMake target dependencies. (Endi S. Dewata, 2016-07-26, 7 files, -1/+8)
  To help troubleshooting build issues, some CMake dependencies have been added to some targets even though the actual code does not require those dependencies. This will ensure the targets are built sequentially so build failures can be found more easily at the end of the build log.
  https://fedorahosted.org/pki/ticket/2403
* Allow PrettyPrintCert to process HEADERs and TRAILERs. (Matthew Harmsen, 2016-07-22, 1 file, -2/+2)
  * PKI TRAC Ticket #2399 - Dogtag 10.3.5: Miscellaneous Enhancements
  Checked-in under one-liner/trivial rule.
* Stop using a java8 only constant. Will allow compilation with java7. (Jack Magne, 2016-07-22, 1 file, -1/+3)
  Trivial fix.
* Fixed param substitution problem. (Endi S. Dewata, 2016-07-22, 1 file, -2/+2)
  The string splice operation in substitute_deployment_params() has been fixed to include the rest of the string.
  https://fedorahosted.org/pki/ticket/2399
* Fixed error handling in SystemConfigService. (Endi S. Dewata, 2016-07-20, 1 file, -6/+6)
  To help troubleshooting, the SystemConfigService has been modified to chain the original exception and to log the stack trace into the debug log.
  https://fedorahosted.org/pki/ticket/2399
* Fixed pkispawn installation summary. (Endi S. Dewata, 2016-07-20, 1 file, -4/+3)
  The pkispawn installation summary has been modified not to show the admin certificate nickname and NSS database if pki_client_database_purge or pki_clone is set to true, since the NSS database will not be created in those cases.
  https://fedorahosted.org/pki/ticket/2399
* Removed redundant question in interactive pkispawn. (Endi S. Dewata, 2016-07-20, 1 file, -4/+4)
  The pkispawn has been modified such that if the admin selects to import the admin certificate, the admin will not be asked where to export the certificate.
  https://fedorahosted.org/pki/ticket/2399
* Ticket #2246 [MAN] Man Page: AuditVerify (Christina Fu, 2016-07-15, 1 file, -0/+110)
  This patch contains the man page for AuditVerify.
* Fixed cert usage list in pki client-cert-validate. (Endi S. Dewata, 2016-07-15, 2 files, -1/+8)
  The pki client-cert-validate has been modified to add the missing EmailRecipient and to list the supported cert usages.
  https://fedorahosted.org/pki/ticket/2376
  https://fedorahosted.org/pki/ticket/2399
* [MAN] Apply 'generateCRMFRequest() removed from Firefox' workarounds to appropriate 'pki' man page (Jack Magne, 2016-07-14, 4 files, -2/+178)
  This fix will involve the following changes to the source tree.
  1. Fixes to the CS.cfg to add two new cert profiles.
  2. Make the caDualCert.cfg profile invisible since it has little chance of working any more in Firefox.
  3. Create caSigningUserCert.cfg and caSigningECUserCert.cfg to allow the CLI to have convenient profiles from which to enroll signing ONLY certificates.
* Fixed certificate validation error message. (Endi S. Dewata, 2016-07-14, 1 file, -1/+1)
  The pkihelper.py has been modified to display the correct external command name on system certificate validation error.
  https://fedorahosted.org/pki/ticket/2399
* Added fix for pki-server for db-update (Geetika Kapoor, 2016-07-14, 1 file, -2/+2)
  fixes: https://fedorahosted.org/pki/ticket/1667
  Signed-off-by: Geetika Kapoor <gkapoor@redhat.com>
  Reviewed-by: Fraser Tweedale <ftweedal@redhat.com>
* Ticket #2389 fix for regular CA installation (Christina Fu, 2016-07-11, 1 file, -6/+11)
  This patch addresses the issue that with the previous patch, the regular (non-external and non-existing) CA installation fails.
* Ticket #978 PPS connector man page: add revocation routing info (Christina Fu, 2016-07-08, 1 file, -1/+22)
* Fixed pki pkcs12-import output. (Endi S. Dewata, 2016-07-07, 1 file, -1/+4)
  The pki pkcs12-import has been modified to suppress the output of external command execution and display a completion message more consistently.
  https://fedorahosted.org/pki/ticket/2399
* Fixed problem with pki pkcs12-import --no-trust-flags. (Endi S. Dewata, 2016-07-07, 1 file, -3/+0)
  The pki pkcs12-import CLI has been fixed such that when it calls pki pkcs12-cert-find internally it does not add the --no-trust-flags option.
  https://fedorahosted.org/pki/ticket/2399
* Added general exception handling for pki-server CLI. (Endi S. Dewata, 2016-07-06, 1 file, -0/+6)
  The pki-server CLI has been modified to catch all exceptions and display a simple exception message. In verbose mode it will display the stack trace.
  https://fedorahosted.org/pki/ticket/2381
* Added validation for pki client-cert-request sensitive parameter. (Endi S. Dewata, 2016-07-06, 1 file, -0/+3)
  The pki client-cert-request CLI has been modified to validate the boolean sensitive parameter.
  https://fedorahosted.org/pki/ticket/2383
* Added validation for pki client-cert-request extractable parameter. (Endi S. Dewata, 2016-07-06, 1 file, -0/+3)
  The pki client-cert-request CLI has been modified to validate the boolean extractable parameter.
  https://fedorahosted.org/pki/ticket/2383
* Fixed CLI error message on connection problems (Endi S. Dewata, 2016-07-06, 1 file, -1/+12)
  The CLI has been modified to display the actual error message instead of a generic ProcessingException.
  https://fedorahosted.org/pki/ticket/2377
* Fixed exception chain in SigningUnit.init(). (Endi S. Dewata, 2016-07-06, 3 files, -19/+32)
  The SigningUnit.init() has been modified to chain the exceptions to help troubleshooting.
  https://fedorahosted.org/pki/ticket/2399
* Added instance and subsystem validation for pki-server subsystem-* commands. (Abhijeet Kasurde, 2016-07-06, 1 file, -13/+53)
  The pki-server subsystem-* commands have been updated to validate the instance and subsystem before proceeding with the operation.
  https://fedorahosted.org/pki/ticket/2399
* Separated TPS does not automatically receive shared secret from remote TKS. (Jack Magne, 2016-07-01, 9 files, -197/+435)
  Support to allow the TPS to do the following:
  1. Request that the TKS creates a shared secret with the proper ID, pointing to the TPS.
  2. Have the TKS securely return the shared secret back to the TPS during the end of configuration.
  3. The TPS then imports the wrapped shared secret into its own internal NSS db permanently and
  4. Given a name that is mapped to the TPS's id string.
  Additional fixes:
  1. The TKS was modified to actually be able to use multiple shared secrets registered by multiple TPS instances.
  Caveat: At this point if the same remote TPS instance is created over and over again, the TPS's user in the TKS will accumulate "userCert" attributes, making the exportation of the shared secret not functional. At this point we need to assume that the TPS user has ONE "userCert" registered at this time.
* Generating Symmetric key fails with key-generate when --usages verify is passed (Jack Magne, 2016-07-01, 1 file, -1/+3)
  Ticket #1114
  Minor adjustment to the man page for the key management commands to say which usages are appropriate for sym keys and those appropriate for asym keys.
* Add HSM information (Matthew Harmsen, 2016-07-01, 2 files, -1/+180)
  - PKI TRAC Ticket #1405 - Add additional HSM details to 'pki_default.cfg' & 'pkispawn' man pages
* Updated notification message for DB subsystem command (Abhijeet Kasurde, 2016-07-01, 1 file, -5/+15)
  Partially fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1351295
* Updated notification message for TPS subsystem command (Abhijeet Kasurde, 2016-07-01, 1 file, -8/+26)
  Partially fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1351295
* Updated notification message for TKS subsystem command (Abhijeet Kasurde, 2016-07-01, 1 file, -0/+7)
  Partially fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1351295
* Updated notification message for OCSP subsystem command (Abhijeet Kasurde, 2016-07-01, 1 file, -0/+6)
  Partially fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1351295
* Updated notification message for kra-db-vlv* command (Abhijeet Kasurde, 2016-07-01, 1 file, -15/+23)
  Partially fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1351295
* Added instance and subsystem validation for pki-server ca-* commands. (Endi S. Dewata, 2016-07-01, 1 file, -7/+37)
  The pki-server ca-* commands have been modified to validate the instance and the CA subsystem before proceeding with the operation.
  The usage() methods and invocations have been renamed into print_help() for consistency.
  https://fedorahosted.org/pki/ticket/2364
* Fixed pki-server subsystem-cert-update. (Endi S. Dewata, 2016-07-01, 3 files, -96/+120)
  The pki-server subsystem-cert-update is supposed to restore the system certificate data and requests into CS.cfg. The command was broken since the CASubsystem class that contains the code to find the certificate requests from the database was not loaded correctly.
  To fix the problem the CASubsystem class has been moved into the pki/server/__init__.py.
  All pki-server subsystem-* commands have been modified to check the validity of the instance.
  An option has been added to the pki-server subsystem-cert-show command to display the data and request of a particular system certificate.
  The redundant output of the pki-server subsystem-cert-update has been removed. The updated certificate data and request can be obtained using the pki-server subsystem-cert-show command.
  https://fedorahosted.org/pki/ticket/2385
* Removed excessive error message in pki CLI. (Endi S. Dewata, 2016-07-01, 1 file, -1/+2)
  A recent change in the pki CLI caused an excessive error message in normal usage. The change has been reverted.
  https://fedorahosted.org/pki/ticket/2390
* Add profiles container to LDAP if missing (Fraser Tweedale, 2016-07-01, 1 file, -0/+19)
  CMS startup was changed a while back to wait for LDAPProfileSubsystem initialisation, while LDAPProfileSubsystem initialisation waits for all known profiles to be loaded by the LDAP persistent search thread. If the ou=certificateProfiles container object does not exist, startup hangs.
  This can cause a race condition in FreeIPA upgrade. FreeIPA switches the Dogtag instance to the LDAPProfileSubsystem and restarts it. The restart fails because the container object does not get added until after the restart.
  Update LDAPProfileSubsystem to add the container object itself, if it is missing, before commencing the persistent search.
  Fixes: https://fedorahosted.org/pki/ticket/2285
* AuthInfoAccess: use default OCSP URI if configured (Fraser Tweedale, 2016-07-01, 3 files, -2/+13)
  The AuthInfoAccessExtDefault profile component constructs an OCSP URI based on the current host and port, if no URI is explicitly configured in the profile.
  Update the component to look in CS.cfg for the "ca.defaultOcspUri" config, and use its value if present. If not present, the old behaviour prevails.
  Also add the 'pki_default_ocsp_uri' pkispawn config to add the config during instance creation, so that the value will be used for the CA and system certificates.
  Fixes: https://fedorahosted.org/pki/ticket/2387
* Respond 400 if lightweight CA cert issuance fails (Fraser Tweedale, 2016-07-01, 2 files, -4/+17)
  If certificate issuance fails during lightweight CA creation (e.g. due to a profile constraint violation such as Subject DN not matching pattern) the API responds with status 500.
  Raise BadRequestDataException if cert issuance fails in a way that indicates bad or invalid CSR data, and catch it to respond with status 400.
  Also do some drive-by exception chaining.
  Fixes: https://fedorahosted.org/pki/ticket/2388
* Fix build on Fedora 25 (Fraser Tweedale, 2016-07-01, 13 files, -91/+10)
  Look for the right JAX-RS API JAR (it has moved in Fedora 25). Also remove a lot of redundant 'find_file' operations for this JAR.
  Fixes: https://fedorahosted.org/pki/ticket/2373
* Updated notification message for kra-db-vlv-del command (Abhijeet Kasurde, 2016-07-01, 1 file, -12/+16)
  Partially fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1351295
* Added condition for checking instance id in kra commands (Abhijeet Kasurde, 2016-07-01, 4 files, -7/+36)
  Partially fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1351295
* Added fix for checking ldapmodify return code in db-schema-upgrade (Abhijeet Kasurde, 2016-07-01, 1 file, -5/+7)
  Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1349769
* Added condition to verify instance id in db-schema-upgrade (Abhijeet Kasurde, 2016-07-01, 1 file, -0/+4)
  Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1351096
* Bugzilla #1203407 tomcatjss: missing ciphers (Christina Fu, 2016-06-30, 3 files, -9/+2)
  This patch removes references to the ciphers currently unsupported by NSS:
  TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
  TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
* Separate PKI Instances versus Shared PKI Instances (Matthew Harmsen, 2016-06-30, 1 file, -42/+318)
  - PKI TRAC Ticket #1607 - [MAN] man pkispawn has inadequate description for shared vs non shared tomcat instance installation
* Add ability to disallow TPS to enroll a single user on multiple tokens. (Jack Magne, 2016-06-30, 3 files, -26/+80)
  This patch will install a check during the early portion of the enrollment process to check a configurable policy whether or not a user should be allowed to have more than one active token.
  This check will take place only for brand new tokens not seen before. The check will prevent the enrollment from proceeding and will exit before the system has a chance to add this new token to the TPS tokendb.
  The behavior will be configurable for the external reg and not external reg scenarios as follows:
  tokendb.nonExternalReg.allowMultiActiveTokensUser=false
  tokendb.enroll.externalReg.allowMultiActiveTokensUser=false
* Ticket #1306 config params: Add granularity to token termination in TPS (Christina Fu, 2016-06-30, 1 file, -4/+119)
  This patch adds the missing configuration parameters that go with the original bug. The code would take on defaults when these parameters are missing, but putting them in the CS.cfg would make it easier for the administrators.
* Ticket 2389 Installation: subsystem certs could have notAfter beyond CA signing cert in case of external or existing CA (Christina Fu, 2016-06-29, 2 files, -0/+26)
  This patch implements a validity check on the notAfter value of the certInfo and adjusts it to that of the CA's notAfter if exceeding.
* Normalize default softokn name (Matthew Harmsen, 2016-06-28, 1 file, -0/+10)
  - PKI TRAC Ticket #2311 - When pki_token_name=Internal, consider normalizing it to "internal"
* Fixed KRA cloning issue. (Endi S. Dewata, 2016-06-29, 6 files, -24/+91)
  The pki pkcs12-import CLI has been modified not to import certificates that already exist in the NSS database unless specifically requested with the --overwrite parameter. This will avoid changing the trust flags of the CA signing certificate during KRA cloning.
  Some other classes have been modified to provide better debugging information.
  https://fedorahosted.org/pki/ticket/2374
* Ticket #1308 [RFE] Provide ability to perform off-card key generation for non-encryption token keys (Christina Fu, 2016-06-28, 1 file, -8/+35)
  This is the patch to add missing serverKeygen params for non-encryption certs. By default it is disabled.