| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
|
|
|
|
| |
Lightweight CAs mean that a single database can include certificates
from many issuers. Update CRLIssuingPoint to only include
certificates issued by its associated CA.
For backwards compatibility, if the associated CA is the host CA,
certificate records with missing 'issuerName' attribute are also
included.
Fixes: https://fedorahosted.org/pki/ticket/1626
|
| |
|
|
|
|
|
|
| |
Lightweight CAs mean that we may wish to filter certificates based
on the issuer. Update X509CertImplMapper to store the issuer DN in
each certificate record, using exiting schema.
Also add indices for the 'issuerName' LDAP attribute.
|
| |
|
|
| |
client and server This patch provides subsystem->subsystem cipher configuration when acting as a client
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The TPS UI navigation elements have been updated to add the
missing names and to use better names. The checkbox IDs in various
pages have also been renamed for consistency.
The pki-ui.js has been modified to use the checkbox ID of the
template row instead of table name to construct the checkbox ID
of the actual rows.
https://fedorahosted.org/pki/ticket/1622
|
| |
|
|
|
|
|
|
|
|
| |
The SecurityDomainProcessor.getEnterpriseGroupName() has been
added to simplify ConfigurationUtils.getGroupName().
The SecurityDomainProcessor.getInstallToken() has been modified
to validate the user role and to generate safer session ID.
https://fedorahosted.org/pki/ticket/1633
|
| | |
|
| |
|
|
|
|
|
| |
Implement lightweight authority deletion including CLI command. To
be deleted an authority must be disabled and have no sub-CAs.
Fixes: https://fedorahosted.org/pki/ticket/1324
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
| |
The PasswdUserDBAuthentication.authenticate() has been modified
such that it uses the UGSubsystem to find the user in the proper
LDAP subtree to avoid matching other LDAP entries that contain
a uid attribute.
https://fedorahosted.org/pki/ticket/1580
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is an interim solution for supporting HSM failover by automatically
shutting down the server when signing key becomes inaccessible.
At auto-shutdown, a crumb fiile will be left in the instance directory
for an external daemon to detect and restart, if necessary.
Due to limitation of the watch dog (nuxwdog) at present time,
the restart option currently only works if started with watch dog (nuxwdog),
and it will prompt for passwords on the terminals.
The restart counter is to prevent the server from going into an infinite restart
loop. Administrator will have to reset autoShutdown.restart.count to 0 when max
is reached.
(cherry picked from commit 5a9ecad9172f76ca1b94b40aedcdd49d009aceb1)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A new setup.py in base/common/python makes it possible to bundle
the pki client library and upload it on PyPI. The setup.py in the root
directory is only used for tox and testing. It's a cleaner and less
fragile approach than to support two different build flavors with one
setup.py
The 'release' alias from setup.cfg creates and uploads a source
distribution and an universal wheel:
$ sudo yum install python-wheel python-setuptools
$ cd base/common/python
$ python setup.py release
The 'packages' alias just creates the source distribution and wheel:
$ python setup.py packages
The version number is taken from the Version and Release fields of
pki-core.spec.
|
| |
|
|
|
|
|
|
|
| |
Replace deprecated decodestring() and encodestring() with b64decode()
and b64encode().
Provice specialized encode_cert() / decode_cert() functions to handle
base64 encoding and decoding for X.509 certs in JSON strings. In Python
3 the base64 function don't suppor ASCII text, just ASCII bytes.
|
| |
|
|
|
|
|
|
| |
The pki client-cert-request CLI has been modified to generate a
default subject DN if it's not specified. The man page has been
updated accordingly.
https://fedorahosted.org/pki/ticket/1463
|
| |
|
|
|
|
| |
The attribute used in requests to specify the authority has changed
from authority to issuer_id. This updates the python client
accordingly.
|
| |
|
|
|
|
|
|
| |
The pki cert-request-submit and client-cert-request CLIs have been
modified to provide options to specify the username and password
for directory-authenticated certificate enrollments.
https://fedorahosted.org/pki/ticket/1463
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The CertProcessor.setCredentialsIntoContext() and CAProcessor.
authenticate() methods have been modified such that they can
accept credentials provided via the AuthCredentials (for REST
services) or via the HttpServletRequest (for legacy servlets).
The CertEnrollmentRequest has been modified to inherit from
ResourceMessage such that REST clients can provide the credentials
via request attributes.
https://fedorahosted.org/pki/ticket/1463
|
| |
|
|
|
|
|
|
|
| |
The EnrollmentProcessor.processEnrollment() and RenewalProcessor.
processRenewal() methods that take CMSRequest object have been
moved into ProfileSubmitServlet because they are only used by
the legacy servlet.
https://fedorahosted.org/pki/ticket/1463
|
| |
|
|
|
|
|
|
|
| |
Some access to caMap was not correctly synchronized, with
authorities (of which there could be many) acquiring their own
intrinsic lock rather than the shared caMap.
Use 'Collections.synchronizedSortedMap' to fix this. As a bonus,
locking is now more fine-grained.
|
| |
|
|
| |
Set enable -> enabled
|
| | |
|
| |
|
|
|
|
| |
Includes python code (and unit tests!) to list, get
and create subCAs. Also fixed a couple of PEP 8 violations that
crept in.
|
| |
|
|
|
|
|
|
|
| |
This will help us track whether or not a server has a feature
either offered or enabled. Ultimately, it could be used by
an admin to enable or disable features.
The Java client is not included in this commit. Will add in
a subsequent commit.
|
| |
|
|
|
|
|
|
| |
Add the optional "ca" query parameter for REST cert request
submission. Also update the ca-cert-request-submit CLI command with
an option to provide an AuthorityID.
Part of: https://fedorahosted.org/pki/ticket/1213
|
| |
|
|
|
|
| |
Add CLI commands for creating, listing and showing lightweight CAs.
Part of: https://fedorahosted.org/pki/ticket/1213
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
This commit adds initial support for "lightweight CAs" - CAs that
inhabit an existing CA instance and share the request queue and
certificate database of the "top-level CA".
We initially support only sub-CAs under the top-level CA - either
direct sub-CAs or nested. The general design will support hosting
unrelated CAs but creation or import of unrelated CAs is not yet
implemented.
Part of: https://fedorahosted.org/pki/ticket/1213
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Ticket # 1597
Currently, KRA allows sites to opt for doing encryption/decryption instead of
wrapping/unwrapping for key archival and recovery.
The new cli code was later added without such support. We should honor the
same flags when cli is called to do key archival and recovery.
This feature was due to a specific customer request.
Here is what is now supported:
1. When the pki cli tool is used to recover a asymmetric private key,
support is there to do so with encrypt / decrypt.
2. The passphrase and generic data facility already uses
encrypt / decrypt so nothing here was needed. Calling it out since
this will possibly be a customer issue.
3. While under the hood, it made sense to add this functionality to the
Symmetric key archival and recovery operations.
4. All tests in DRMTest.java worked successfully when the kra was
configured to support this feature and configured to not observe this feature.
What is missing:
We have since added a method to do a server side key generation of an
asymmetric key pair in the kra and also archive it there at the same time.
In order to do encrypt / decrypt in this case we need to extract the key
contents out of a key object that is used to generate this key. It proved
problematic to extract said key. This should be ok since the customer only
needs to recover an asymmetric key in their test cases. We could look into
doing this later if a pressing need arises.
|
| |
|
|
|
|
|
|
|
|
| |
The pki-server subsystem-cert-update has been modified to support
secure database connection with client certificate authentication.
The pki client-cert-show has been modified to provide an option
to export client certificate's private key.
https://fedorahosted.org/pki/ticket/1551
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Due to a certificate mapping issue the subsystem certificate can
be mapped into either the subsystem user or pkidbuser, which may
cause problems since the users don't belong to the same groups.
As a temporary solution the pkidbuser is now added into the same
groups. This way the client subsystem can always access the
services regardless of which user the certificate is actually
mapped to.
https://fedorahosted.org/pki/ticket/1595
|
| | |
|
| |
|
|
|
|
|
|
|
| |
A set of new pki-server commands have been added to simplify
updating the cert data and cert request stored in the CS.cfg with
the cert data and cert request stored in the NSS and LDAP database,
respectively.
https://fedorahosted.org/pki/ticket/1551
|
| |
|
|
|
|
|
|
|
|
| |
different cards for ExternalReg
The patch fixes an issue that the CUID comes in from the client has a different
format than that of the config cuid range strings. With the right conversion,
the cuid range would then be evaluated correctly. The issue may only be
discovered with certain cuid data, as it was not reproduceable in the dev
environment.
|
| | |
|
| |
|
|
|
|
|
|
|
| |
cards for ExternalReg - make default keySetMappingResolver work for smart cards out of box
The earlier patch works fine for the feature requested. However, the default
keySetMappingResolver filter contains keySet extension which would fail smart
cards. Although this could be easily worked around, this patch provides the
default that would make it easier to play with.
|
| |
|
|
| |
Simple fix to correctly identify scp01/gp201 sc650 card.
|
| |
|
|
|
|
|
|
|
| |
A new man page has been added for pki <subsystem>-user-membership
commands. The pki-user-cert man page has been modified to fix some
errors.
https://fedorahosted.org/pki/ticket/1584
(cherry picked from commit 997c8ec32ed483f3af47d692039720e62fa65c94)
|
| | |
|
| |\ |
|
| | |
| |
| |
| |
| |
| |
| |
| | |
A new man page has been added for pki <subsystem>-user-membership
commands. The pki-user-cert man page has been modified to fix some
errors.
https://fedorahosted.org/pki/ticket/1584
|
| |/
|
|
| |
Simple fix to correctly identify scp01/gp201 sc650 card.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Related to ticket #1575 Internet Explorer 11: caUserCert request submission fails using the EE page.
This patch will only do the following:
Detect IE when IE11 is being used. Before this IE11 was mistaken for Firefox.
Detect IE11 specifically and warn the user that there is no support.
This ticket will live to se we can fix this properly by porting the current
VBS script to Javascript to support cert enrollment on IE 11.
|
| |
|
|
| |
join security domain Investigation shows that this issue occurs when the non-CA subsystem's SSL server and client keys are also on the HSM. While browsers (on soft token) have no issue connecting to any of the subsystems on HSM, subsystem to subsystem communication has issues when the TLS_ECDHE_RSA_* ciphers are turned on. We have decided to turn off the TLS_ECDHE_RSA_* ciphers by default (can be manually turned on if desired) based on the fact that: 1. The tested HSM seems to have issue with them (will still continue to investigate) 2. While the Perfect Forward Secrecy provides added security by the TLS_ECDHE_RSA_* ciphers, each SSL session takes 3 times longer to estabish. 3. The TLS_RSA_* ciphers are adequate at this time for the CS system operations
|
| |
|
|
|
|
|
|
|
| |
The routine that sets the password of the "pinmanager" user was
not working. A very simple one character fix takes care of it.
Ticket # 1546 - Setpin utility doesn't set the pin for users.
Checking in under the one line trivial change rule.
|
| |
|
|
|
|
|
|
| |
Some versions of pylint complain about six's moves magic:
No name 'urllib' in module '_MovedItems' (no-name-in-module)
Disable error E0611.
|
| |
|
|
|
|
|
|
| |
Some types implement __eq__ but don't provide a __hash__ function. Mark
these types as non-hashable with __hash__ = None. This fixes:
DeprecationWarning:
Overriding __eq__ blocks inheritance of __hash__ in 3.x
|
| |
|
|
|
|
|
| |
The default value for argparser's verbosity was None, but None can't be
compared to 2 in Python 3.
TypeError: unorderable types: NoneType() >= int()
|
| |
|
|
|
|
|
|
|
| |
In Python 3 subprocess.Popen() and check_out() return bytes. The rest of
PKI expects text, so the output has to be decoded.
- ascii for dnsdomainname
- sys.getfilesystemencoding() for paths
- utf-8 for the rest
|
| |
|
|
|
| |
Python 3 treats serialized XML as encoded bytes. etree must encode XML
to UTF-8 and write it to a file opened in binary mode.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Python 3's exception class has no message attribute. e.message can
either be replaced with string representation of e or e.args[0].
Use print(line, end='') instead of sys.stdout.write(). With end='' no
new line is appended.
Use six.reraise() to reraise an exception.
Remove sys.exc_clear() as it is no longer available in Python 3.
Conditionally import shutil.WindowsError.
Use six.move to import correct modules / function like quote, urlparse
and configparser.
Silence some pylint warnings. pylint doesn't understand six.moves magic
and emits a import-error warning.
Add additional tox envs to check for Python 3 compatibility.
|
| |
|
|
|
|
|
|
|
| |
Fedora 22's Python bindings for SELinux lacks sepolgen. The seobject
package is available for Python 3 but can't be imported because it
depends on sepolgen.
The workaround makes it possible to test the Python 3 port on Fedora 22.
It can be removed later once Fedora 23 is out.
|
