Now that Dogtag can host multiple CAs in a single instance, indicate
the issuer DN in the CertDataInfo structure that is returned for
certificate searches.
Fixes: https://fedorahosted.org/pki/ticket/2322

Now that Dogtag can host multiple CAs in a single instance, add a
certificate search parameter for limiting searches to a particular
issuer.
Fixes: https://fedorahosted.org/pki/ticket/2321

Part of Ticket 2041

Ticket 2041

With this fix, error messages are returned to the user when
a request is rejected - either in the UI or from the pki CLI.
Trac Ticket 1247 (amongst others)

Requests to the KRA through the CA-KRA connector use the Enrollment
Service. This has been modified to read and store any realm passed in.
The realm can be added to the request by having the admin add
an AuthzRealmDefault and AuthzRealmConstraint in a profile.
At this point, all the constraint does is verify that the realm is
one of a specified list of realms. More verification will be added
in a subsequent patch.
No attempt is made yet to allow users to specify the realm. This
would need to be added as a ProfileInput.
Part of Ticket 2041

New deployment parameters have been added to customize the serial
number range, request number range, and replica number range in
CS.cfg during installation.
The code that generates the CS.cfg has been moved closer to the
code that generates the subsystem configuration folder.
https://fedorahosted.org/pki/ticket/2278

Previously a deployment parameter had to be added to pkislots.cfg
before it could be used in copy_with_slot_substitution(). The method
has been modified to support substitutions using the deployment
parameters directly, which simplifies the development.
https://fedorahosted.org/pki/ticket/2278

The CS.cfg.in files have been renamed to CS.cfg to clean up the CMake
scripts and for consistency. This change does not affect the actual
files shipped in the RPM packages.
https://fedorahosted.org/pki/ticket/2278

Part of: https://fedorahosted.org/pki/ticket/1625

Accept the string "host-authority" as a valid reference to the host
authority when creating a sub-CA. This is a convenience for users,
and for systems that do not know (and do not want to look up) the ID
of the host authority.
Part of: https://fedorahosted.org/pki/ticket/1625

Lightweight CAs were supported in REST-based request submission, but
not via ProfileSubmitServlet. However, FreeIPA currently uses
ProfileSubmitServlet, so make it possible to use lightweight CAs.
Part of: https://fedorahosted.org/pki/ticket/1625

The LDAP attribute for token status has been modified to store the
same values displayed on the CLI. This way searching tokens with a
specific status can be done correctly with a simple LDAP filter such
as (tokenStatus=<status>).
https://fedorahosted.org/pki/ticket/2296

The tps.operations.allowedTransitions property has been updated
to include 4:4 transition by default.
The inline documentation for tokendb.allowedTransitions and
tps.operations.allowedTransitions has been updated to remove
unsupported states and to add a note about adding/removing
transitions.
https://fedorahosted.org/pki/ticket/1290

- PKI TRAC Ticket #1669 - adminEnroll servlet EnrollSuccess.template
succeeds but fails on import into browser

Some certificate profiles have been modified to remove the default
one minute validity delay, allowing the certificate issued with
those profiles to be used immediately.
https://fedorahosted.org/pki/ticket/2304

Add 'IPACustodiaKeyRetriever', a 'KeyRetriever' implementation for
use when Dogtag is deployed as a FreeIPA CA. The Java class invokes
'pki-ipa-retrieve-key', a Python script that retrieves lightweight
CA keys from the Custodia server on a replica that possesses the
keys. 'pki-ipa-retrieve-key' depends on FreeIPA libraries, FreeIPA
server configuration, and Kerberos and Custodia keys owned by
'pkiuser'.
Part of: https://fedorahosted.org/pki/ticket/1625

Add the framework for key retrieval when a lightweight CA is missing
its signing key. This includes all the bits for loading a
KeyRetriever implementation, initiating retrieval in a thread and
updating the record of which clones possess the key if retrieval was
successful.
It does not include a KeyRetriever implementation. A subsequent
commit will provide this.
Part of: https://fedorahosted.org/pki/ticket/1625

Add the 'pki ca-authority-key-export' CLI command for exporting a
PKIArchiveOptions object containing a nominated target key, wrapped
by a nominated wrapping key. This command is to be used by Custodia
to export key data for transmission to a requesting clone.
Part of: https://fedorahosted.org/pki/ticket/1625

Add the method CryptoUtil.importPKIArchiveOptions for importing a
wrapped key from a PKIArchiveOptions object. Also add another
variant of the createPKIArchiveOptions method, with a narrower API.
Part of: https://fedorahosted.org/pki/ticket/1625

Add the 'authorityKeyHost' attribute which will contain names of
hosts that possess the authority's signing keys.
Add the 'authoritySerial' attribute which may contain the serial
number of the certificate most recently issued for the authority.
Change other attributes to be single-valued.
Part of: https://fedorahosted.org/pki/ticket/1625

'getX509CertFromToken' erroneously compares the Issuer DN of the given cert
with the Subject DNs of certs in the NSSDB. It falsely returns the parent of
the target cert if the certs have the same serial number.
In the context of how this method is used, it causes the deletion of
an external CA certificate from the NSSDB if the serial numbers
match, and subsequent certificate verification failure when
connecting to LDAP.
Update the method to check the Issuer DN.
Fixes: https://fedorahosted.org/pki/ticket/2301

The token status UNINITIALIZED has been renamed to READY for
clarity.
To simplify the transition, the CLIs and the REST API will continue
to accept UNINITIALIZED but it will be converted internally into
READY and a deprecation warning will be generated.
https://fedorahosted.org/pki/ticket/2288

The token status TEMP_LOST has been renamed to SUSPENDED such that
it can be used in more general contexts.
To simplify the transition, the CLIs and the REST API will continue
to accept TEMP_LOST but it will be converted internally into
SUSPENDED and a deprecation warning will be generated.
https://fedorahosted.org/pki/ticket/2286

The TokenStatus enumeration has been converted into a class to
allow overriding the TokenStatus.valueOf() to provide backward
compatibility.
https://fedorahosted.org/pki/ticket/2286

When either an existing CA or external CA installation is
performed, use the pki-server cert validation tool to check
the signing certificate and chain.
Ticket #2043

We add two different calls:
1. pki client-cert-validate - which checks a certificate in the client
certdb and calls the System cert verification call performed by JSS
in the system self test. This does some basic extensions and trust
tests, and also validates cert validity and cert trust chain.
2. pki-server subsystem-cert-validate <subsystem>
This calls pki client-cert-validate using the nssdb for the subsystem
on all of the system certificates by default (or just one if the
nickname is defined).
This is a great thing to call when healthchecking an instance,
and also will be used by pkispawn to verify the signing cert in the
externally signed CA case.
Trac Ticket 2043

Previously the finalization scriptlet was always executed in each
pkispawn execution. In multi-step installations (e.g. external CA,
standalone, or installation/configuration-only mode) some of the
code in the scriptlet such as enabling systemd service, restarting
the service, and purging client database will be redundant.
Now the scriptlet has been modified to execute only in the final
step of the installation. The code that archives the deployment
and manifest files has been moved into pkispawn to ensure that it
is always executed in each pkispawn execution.
For clarity the method that displays the installation summary has
been broken up into separate methods for standalone step 1,
installation-only mode, and configuration-only/full installation.

The print_existing_ca_step_one_information() has been removed from
pkispawn since existing CA installation no longer requires two-step
operation.
https://fedorahosted.org/pki/ticket/1736

When installing a standalone KRA the admin certificate is base-64
encoded and stored in the kra.admin.cert property in the CS.cfg.
Previously the encoded certificate contained EOL characters which
may cause uninstall to fail due to a parsing error. The install code
has been fixed to normalize the encoded certificate properly.

- PKI TRAC Ticket #856 - Incorrect clone installation summary

The StringUtils.equals() invocation in AuthzSubsystem has been
replaced with regular String.equals() since it's unavailable in
apache-commons-codec 1.8.

The unused rv instance variables in all deployment scriptlets have
been removed. The spawn() and destroy() are now returning None
instead of an error code. If an error happens during execution the
scriptlet will throw an exception which will be caught by pkispawn
or pkidestroy and then displayed to the user.

- PKI TRAC Ticket #2248 - support only tomcat instances

- PKI TRAC Ticket #2249 - fix bashisms
- changes 'source' to '.'
- changes 'bash' to 'sh'

The TPSTokendb.shouldRevoke() has been modified such that it
throws an exception instead of returning boolean. The method
has also been renamed to checkShouldRevoke(). The revokeCert()
and unrevokeCert() have been modified to catch the exception
and log the failed operation.

The code in TPSTokendb.revokeCertsByCUID() has been split into
revokeCert() and unrevokeCert() to allow handling each operation
separately.

The TPSTokendb.tdbGetTokenEntry() invocations in shouldRevoke()
have been moved into revokeCertsByCUID().

The code that parses the token certificate serial number has been
refactored into a new method in TPSCertRecord.

The unused user status and type fields and the TPS Officers group
have been removed from the TPS UI.
https://fedorahosted.org/pki/ticket/2264
https://fedorahosted.org/pki/ticket/2265
https://fedorahosted.org/pki/ticket/2266

The TPS UI home page and the status menu item have been temporarily
removed. The home links will now redirect to the tokens page.
https://fedorahosted.org/pki/ticket/2261
https://fedorahosted.org/pki/ticket/2262

Some incorrect code was added to request processing
in the realm patches. In the request LDAP modification code,
if the realm was not present, we added a modification to remove the
realm attribute.
Unfortunately, if the realm was not present to begin with, this resulted
in LDAP returning a "No Such Attribute (16)" error, causing all kinds
of requests, including certificate requests, to fail to be submitted.
At this point, we do not permit users to change the realm of a request.
Therefore, there is no reason to remove the realm. If we ever need
to do this in future, we'll have to be smarter about it.

For clarity the TPS operations that generate OP_DO_TOKEN activity
have been modified to generate OP_TOKEN_MODIFY instead, except for
the changeTokenStatus() which will generate OP_TOKEN_STATUS_CHANGE.
https://fedorahosted.org/pki/ticket/2268

In practice, most folks will use something like DirAclAuthz
to manage their realm. Rather than requiring a new authz plugin
for each realm, we allow the authz plugin to support multiple
realms (as a comma separated list).
For the Acl plugins in particular, we expand the authorize call
to allow the caller to pass in the realm as well as the resource
and operation. The resource queried would then be constructed on
the fly as realm.resource.
Examples will be provided in the wiki page.
Trac Ticket 2041

Review comments addressed:
1. when archiving or generating keys, realm is checked
2. when no plugin is found for a realm, access is denied.
3. rename mFoo to foo for new variables.
4. add chaining of exceptions
5. remove attributes from KeyArchivalRequest etc. when realm is null
6. Add more detail to denial in BasicGroupAuthz
Part of Trac Ticket 2041

Part of Trac Ticket #2041

We add authz realm checks as appropriate for each
operation.
Part of Trac Ticket #2041

The async recovery request mechanism was implemented differently
from other requests. This makes it difficult to add things like
authorization consistently.
We move the required methods to the KeyRequestDAO to be more
consistent.
Part of Ticket #2041

1. Added query parameters for the realm. If a realm is
specified, then only the key requests and keys associated
with the realm are returned. If no realm is specified,
then only those requests and keys without a realm are returned.
2. Added parameters to keyClient and the CLI
Part of Trac Ticket #2041