When deleting lightweight CAs, the call to
CryptoStore.deletePrivateKey() throws an exception because the
preceding call to CryptoStore.deleteCert() also deletes the key.
Remove the redundant call and add some commentary.
Fixes: https://fedorahosted.org/pki/ticket/1640

This patch comments out unneeded data in TMS debug logs (TPS&TKS);
It reduces the size of the debug logs by a lot.
Note that for ease of later development debugging, the debug lines
are commented out instead of being removed

The TPSSubsystem has been modified to load and validate the token
state transition lists during initialization. If any of the lists
is empty or any of the transitions is invalid, the initialization
will fail and the subsystem will not start.
https://fedorahosted.org/pki/ticket/2334

The legacy KRA servlet has been modified to check the realm
if present in the request, or only return non-realm requests
if not present.
No attempt is made to fix the error reporting of the servlet.
As such, an authz failure due to the realm check is handled
in the same way that other authz failures are handled.

The old KRA servlets to list and display keys do not go through
the same code paths as the REST API. Therefore, they do not
check the authz realm.
This patch adds the relevant code. No attempt is made to fix the
error handling of the old servlets. The long term solution for this
is to deprecate the old servlets and make the UI use the REST API
instead. Therefore, authz failures due to realm checks are handled
in the same way as other authz changes.

- PKI TRAC #1677 - Pkidestroy of a TPS instance installed in a shared tomcat
throws error.

The TPS VLV indexes have been fixed to use the correct vlvScope
(i.e. one level). The unsupported minus sign in vlvSort and the
redundant vlvEnabled have been removed.
https://fedorahosted.org/pki/ticket/2342

The RenewalProcessor.processRenewal() has been modified to get the
serial number of the certificate to renew from the profile input
in addition to the <SerialNumber> attribute and client certificate.
The serialNum field in CertEnrollmentRequest has been modified to
use CertId which accepts both decimal and hexadecimal values.
https://fedorahosted.org/pki/ticket/999

The RenewalProcessor.getSerialNumberFromCert() has been modified
to throw an exception instead of returning null to pass the error
message to the client to help troubleshooting.
The code has also been modified to remove redundant null checking
and redundant decoding and re-encoding.
https://fedorahosted.org/pki/ticket/999

The instance name is used in NSSDB key nicknames, which are stored
in the authorityKeyNickname attribute for mapping lightweight CAs to
their keys. The schema was PrintableString, which does not permit
'_', causing LDAP syntax errors if the instance name contains '_'.
To avoid this issue, change the attribute syntax to IA5String.
Existing instances should be largely unaffected. The schema update
can be successfully applied even for existing attributes, because
PrintableString and IA5String share the same underlying
representation in 389DS.
Fixes: https://fedorahosted.org/pki/ticket/2343

The CertUtils.verifySystemCertByNickname() has been modified to call
CryptoManager.verifyCertificate() to validate the system certificates
which will provide better information (i.e. NSS error message and
stack trace) to troubleshoot validation issues.
https://fedorahosted.org/pki/ticket/850

This patch handles Ticket 2298 non-TMS key archival/recovery, as well as
Ticket 2271 TMS recovery request ldap entries
Fields are zeroed out before being deleted in KRA request records

All methods in ProxyRealms for Tomcat 7 and 8 have been modified
to check whether the subsystem is available, then generate a proper
error message instead of null pointer exception.
https://fedorahosted.org/pki/ticket/2326

The vlv.ldif for TPS has been modified to remove the hard-coded
database name and to use a customizable parameter instead.
The token and activity REST services have been modified to search
the database using VLV.
The existing database can be fixed using the following procedure:
http://pki.fedoraproject.org/wiki/Database_Upgrade_for_PKI_10.3.x#Relocating_VLV_indexes
https://fedorahosted.org/pki/ticket/2342

Ticket 2254

This patch fixes the following areas:
* In the CA, when revokeCert is called, make it possible to move from on_hold
to revoke.
* In the servlet that handles TPS revoke (DoRevokeTPS), make sure it allows
the on_hold cert to be put in the bucket to be revoked.
* There are a few minor fixes such as typos, and one has to do with the
populate method in SubjectDNInput.java, which needs better handling of subject in
case it's null.
Note: This patch does not make an attempt to allow agents to revoke certs that
are on_hold from agent interface. The search filter needs to be modified to
allow that.

The deployment tool has been modified to support adding Subordinate
CA extension into the CSR for Microsoft CA, and also adding generic
extensions to any system certificate.
https://fedorahosted.org/pki/ticket/2312

The date on which the certificate is revoked and the agent that
revoked it are displayed now in cert-find and cert-show output.
Ticket 1055

The REST API expects the integer revocation code to be passed
in a certificate search. We have modified the client to allow
the user to provide either a revocation code or a revocation
reason as a search parameter.
Ticket 1053

Previously cert enrollment might fail after editing the profile
using the console. This is because the console added an empty
rangeUnit parameter, but the server rejected the empty value.
The convertRangeUnit() methods in several classes have been
modified to accept the empty value and convert it into the
default value (i.e. day).
https://fedorahosted.org/pki/ticket/2308

Right now, if publishing is enabled, both CRLs and Cert publishing
are enabled. This causes a bunch of spurious error messages on
IPA servers as cert publishing is not configured.
As it is impossible to determine if cert publishing is not desired
or simply misconfigured, we provide options to explicitly disable
either cert or crl publishing.
Specifically:
* to enable/disable both cert and crl publishing:
  ca.publish.enable = True/False
  This is the legacy behavior.
* to enable CRL publishing only:
  ca.publish.enable = True
  ca.publish.cert.enable = False
* to enable cert publishing only:
  ca.publish.enable = True
  ca.publish.crl.enable = False
Ticket 2275

The PKISubsystem.load() and PKIInstance.load() have been modified
to ignore blank and comment lines in CS.cfg and password.conf. If
the code fails to parse a line it will throw an exception showing
the location of the invalid line.
https://fedorahosted.org/pki/ticket/2314

The TPS UI has been modified to provide an interface to manage the
user certificates.
The UserService has been modified to provide better error messages.
https://fedorahosted.org/pki/ticket/1434

The TPS UI has been modified to provide an interface to manage
the user roles.
The ErrorDialog was modified to handle both text and JSON error
responses.
https://fedorahosted.org/pki/ticket/2267

Ticket #801 : Merge pki-symkey into jss
What is supported:
1. Everything that is needed to support Secure Channel Protocol 01.
2. Supports the nist sp800 kdf and the original kdf.
3. Supports key unwrapping used by TPS which was formerly in the symkey JNI.
Requires:
1. A new JSS that supports more advanced symkey operations such as key derivation, more advanced key
unwrapping, and a way to list and identify a given symmetric key by name. Version of new Jss will be forthcoming.
Still to do:
1. Port over the 2 or 3 SCP02 routines from Symkey to use this code.
2. The original symkey will remain in place until we can port over everything.
3. SCP03 support can be added later.

This ticket was reopened due to retrieving wrong ca connector config param for the case when format is done within an enrollment.
The following is attempted:
op.enroll.userKey.ca.conn
while the following is intended:
op.format.userKey.ca.conn
In addition, this patch also fixes the following issues:
a. reason param name is not conforming: "reason" instead of "revokeReason"
b. adding default reason to format TPS profiles
c. by default mappingResolver.formatProfileMappingResolver resolves
to tokenKey, while enroll resolves to userKey.
-> now changed the userKey
d. if revocation fails during format, it was forgiving.
-> now changed so that error is logged in activity log and exception
thrown and bail out

- PKI TRAC Ticket #2306 - Chrome Can Not Submit EC Client Cert Requests

The pki-server ca-db-upgrade command has been renamed to db-upgrade
to be more general. In the future the command can be refactored to
handle additional upgrade scripts. Additional log messages have
been added to show the upgrade activities in verbose mode.
https://fedorahosted.org/pki/ticket/1667

Add the 'ca-db-upgrade' command to 'pki-server'. This command
updates certificate records to add the issuerName attribute where
missing. If other database updates are needed in future, they can
be added to this command.
Part of: https://fedorahosted.org/pki/ticket/1667

The system certificate validation command has been modified to
check for both 'internal' and 'Internal Key Storage Token' since
both are valid names for the internal token.
Additional checks have been added to validate the certificate
parameters in CS.cfg.
The output of the command has been modified to be more consistent
with other pki-server commands.
The pki client-cert-validate invocation has been fixed to use -C
option to specify the NSS database password in a file.
https://fedorahosted.org/pki/ticket/2043

This patch requires JSS with the jss-lunasaUnwrap.patch to work properly on the lunaSA.
It is also required for the lunaSA to be of the following model:
CKE – Key Export Models

Add issuer DN and serial number to the AuthorityData object, as
read-only attributes. Values are displayed in the CLI, when present
in the response data.
Fixes: https://fedorahosted.org/pki/ticket/1618

To help troubleshooting, the code has been modified to log more
detailed information in pre-op mode.
https://fedorahosted.org/pki/ticket/1654

The TPS UI has been modified to show a warning message about
removing the certificates and keys from the token when marking
it for reuse.
https://fedorahosted.org/pki/ticket/2287

A new token status UNFORMATTED has been added for new tokens added
via UI/CLI and for TERMINATED tokens that are to be reused.
https://fedorahosted.org/pki/ticket/2287

The token status READY has been renamed to FORMATTED for clarity.
https://fedorahosted.org/pki/ticket/2288

An unparseable subject DN is ignored, causing NPE in subsequent
processing because the subject DN was not set. Throw
ERejectException if the subject DN is invalid, to ensure that a
useful response can be returned to the requestor.
Fixes: https://fedorahosted.org/pki/ticket/2317

- PKI TRAC Ticket #2323 - Firefox Warning appears in EE page launched from
within Chrome

Ticket #1636.
Smartcard token enroll/format fails when the ldap user has special characters in userid or password
Tested with both esc and tpsclient. The problem was when using a real card because the client uri encodes
the authentication creds and the server needs to decode them.

Ticket #1921
Trivial fix to add or up this connectionTimeout value to 80000 or 80 secs.
Fix already tested informally in the field by QE.

The key is now generated with the flags needed to keep the data from being displayed
with simple tools such as symkeyutil.
As per cfu's instructions,
I was able to test this with the nethsm only.
I also was able to make the key des3 and everything works fine with the master key.
This will help all the warnings we get about insecure des2 keys.
If there is a problem with luna, we can file another ticket.
Also there could be a built in tool for luna to generate keys such as is present on hsm.

The deployment tool has been modified to generate CSR with basic
constraints and key usage extensions for the externally-signed CA
signing certificate.
https://fedorahosted.org/pki/ticket/2312

The ConfigurationUtils.handleCertRequest() has been modified
to throw an exception on error during CSR generation instead
of silently ignoring it. The method has also been renamed to
generateCertRequest() for clarity.

Previously, in external CA case if pkispawn was executed with
pki_skip_configuration=True, it would stop the execution before
the step 1 was fully completed (i.e. generating CSR), but it would
incorrectly show a message indicating the CSR has been generated.
The code that displays the installation summary has been fixed to
check for pki_skip_configuration first before checking for external
CA case to ensure that it displays the appropriate message for each
step.
The code that generates the Tomcat instance systemd service link
was moved into instance_layout.py to avoid redundant executions.
The pkispawn and pkidestroy have also been modified to remove
redundant log of deployment parameters in master dictionary.

If the existing CA keys are in an HSM, the code fails to
load the keys because it does not take into account the full nickname.
This small fix addresses this bug.

This patch adds the token prefix to connector nickName's when installed with HSM