<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html lang="en">
<head>
<meta content="text/html; charset=US-ASCII" http-equiv="Content-Type">
<title>
GitLab
</title>
<style>img {
max-width: 100%; height: auto;
}
</style>
</head>
<body>
<div class="content">
<h3>
Timo Aaltonen pushed to branch upstream-next
at <a href="https://salsa.debian.org/freeipa-team/dogtag-pki">FreeIPA packaging / dogtag-pki</a>
</h3>
<h4>
Commits:
</h4>
<ul>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/9beafcf5abe5a17b6d37bfb4b211266569e7fd1f">9beafcf5</a></strong>
<div>
<span>by Dinesh Prasanth M K</span>
<i>at 2020-06-11T14:45:50-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add new healthcheck - CA System cert expiry
This patch adds a new healthcheck to test whether CA's
system certs have expired. It throws a WARNING if the
certificates are about to expire.
Signed-off-by: Dinesh Prasanth M K <dmoluguw@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/a2fd414bb8625f0f5ce4cd9beab5af471a80e6bc">a2fd414b</a></strong>
<div>
<span>by Dinesh Prasanth M K</span>
<i>at 2020-06-11T14:45:50-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add new healthcheck - KRA System cert expiry
This patch adds a new healthcheck to test whether KRA's
system certs have expired. It throws a WARNING if the
certificates are about to expire.
Signed-off-by: Dinesh Prasanth M K <dmoluguw@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/964a701f278842c6fce5157c7aabed0e37179d78">964a701f</a></strong>
<div>
<span>by Dinesh Prasanth M K</span>
<i>at 2020-06-11T14:45:50-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Move the cert expiry calculation logic to generic method
This patch creates a reusable method that returns the pre-filled Result
object, that carries the Cert expiration status. The method can process
only 1 cert at a time.
Signed-off-by: Dinesh Prasanth M K <dmoluguw@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/4b81e951578dd9a12ba9d4384275c099c8a51a2d">4b81e951</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-06-11T14:52:50-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Added CertUtil.toPEM() for PKCS10
The code that converts a PKCS10 object into a PEM string has
been moved into CertUtil.toPEM().
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/a8a6416b983935faaa502604118c65f7e09ec485">a8a6416b</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-06-11T14:52:50-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Removed deprecated methods in ClientConfig
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/43197691bb51e37a53be75ab4feded987dd13c12">43197691</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-06-11T14:52:50-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Refactored MainCLI.getNSSDatabase()
The MainCLI.getNSSDatabase() has been modified to return
an NSSDatabase object.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/313b57b1e8332274af0da041466afed6d8712d3e">313b57b1</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-06-11T14:52:50-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Refactored ClientCertImportCLI.importCACert() (part 1)
The code that imports a CA cert with a nickname has been moved
out of ClientCertImportCLI.importCACert().
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/3933b16001283738b77747faddcb5b3b98cc5d8a">3933b160</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-06-11T14:52:50-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Refactored ClientCertImportCLI.importCACert() (part 2)
The ClientCertImportCLI.importCACert() has been converted
into NSSDatabase.addCertificate().
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/3de6843e91b0c1d5fd93ae57afc91ebfbaf810b3">3de6843e</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-06-11T14:52:50-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Refactored ClientCertImportCLI.importCert()
The ClientCertImportCLI.importCert() has been converted into
NSSDatabase.addCertificate().
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/c701cf624c32a88fb98b377ecc7af2991e99d98e">c701cf62</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-06-11T14:52:50-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Cleaned up ACME doc
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/ab386a98c1f6a54bd7ce7f17b94ea06b86e1809a">ab386a98</a></strong>
<div>
<span>by Dinesh Prasanth M K</span>
<i>at 2020-06-11T16:06:21-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add new healthcheck - OCSP System Cert Expiry
This patch adds new healthcheck to test the expiration
of OCSP system certs
Signed-off-by: Dinesh Prasanth M K <dmoluguw@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/800540534a24ed1a9d2e2d7acbb4d8324978e575">80054053</a></strong>
<div>
<span>by Dinesh Prasanth M K</span>
<i>at 2020-06-11T16:06:21-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add new healthcheck - TKS System Cert Expiry
This patch adds a new healthcheck to test the expiration
of TKS system certs
Signed-off-by: Dinesh Prasanth M K <dmoluguw@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/235cfe1ae490aa064aeb426cb691cd79280c346d">235cfe1a</a></strong>
<div>
<span>by Dinesh Prasanth M K</span>
<i>at 2020-06-11T16:06:21-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add new healthcheck - TPS System cert expiration
This patch adds a new healthcheck to check the expiration
of system certs in TPS
Signed-off-by: Dinesh Prasanth M K <dmoluguw@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/d206ef17facc083734de037f2624f00338ceaf14">d206ef17</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-06-11T18:49:53-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fixed NSSDatabase.create()
The NSSDatabase.create() has been modified to create the
NSS database with the internal token password.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/2dea4a7685cdcc0a22eb581ea1d132528626d2ce">2dea4a76</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-06-11T18:50:40-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Added NSSDatabase.addPEMCertificate()
The NSSDatabase.addPEMCertificate() methods have been added
to import certificate files in PEM format.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/a755dc78985d55ccbdb71a7c5780adcc7751a6b4">a755dc78</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-06-11T19:03:57-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Added pki nss-cert-import
The pki nss-cert-import has been added to replace
pki client-cert-import --cert and --ca-cert.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/95366b7031fcdadc65cf65b6acd499c12596b0f1">95366b70</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-06-11T19:03:57-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Simplified pki pkcs12-import options
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/0d59b969146e6ade3ba776cea269c4370d3c568a">0d59b969</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-06-11T19:03:58-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Added PostgreSQL database doc
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/8f75debdb29890574c21e9e25815b4a5e0412dde">8f75debd</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-06-15T12:45:55-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Simplified pki pkcs7-import options
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/804d827a8e127e965f6d659febe6bd9c9dfb6fac">804d827a</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-06-15T12:45:55-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Simplified pki pkcs12-export options
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/9f4f293fffb2a4d733b919f4987db551512d0f03">9f4f293f</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-06-15T12:45:55-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Updated CMSEngine.configureAutoShutdown() (part 1)
A try-catch block in CMSEngine.configureAutoShutdown() has
been removed to expose all exceptions generated by the code.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/057ce47d8e2d2d1eb70756256a9f4359cb229ca3">057ce47d</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-06-15T13:29:13-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Updated CMSEngine.configureAutoShutdown() (part 2)
A try-catch block in CMSEngine.configureAutoShutdown() has been
removed to expose any problem in finding the audit signing cert.
The CMSEngine.init() has also been modified to call the method
only after the audit signing cert has been created.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/379277389829c85f46d8de41e8e38e2083236531">37927738</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-06-15T13:29:13-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Updated CMSEngine.configureAutoShutdown() (part 3)
A try-catch block in CMSEngine.configureAutoShutdown() has been
removed to expose any problem in removing existing auto-shutdown
crumb file.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/7a31f28f4766e0a220ca4eeaf6fa771dbcedd40f">7a31f28f</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-06-15T19:32:25-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Added NSSDatabase.createRequest()
The NSSDatabase.createRequest() has been added to create a
certificate signing request using a local NSS database.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/99793a50e60c23260a51b42da23646aca91c5a69">99793a50</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-06-15T19:32:25-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Added NSSDatabase.createCertificate()
The NSSDatabase.createCertificate() has been added to issue
a certificate using a CA signing certificate stored in a local
NSS database.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/0b4ba07c4766e595f3f621bb2065c683287d1cb2">0b4ba07c</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-06-15T19:32:25-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Added pki nss-cert-request
The pki nss-cert-request have been added to create a certificate
signing request using a local NSS database.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/3d82cdfe4adfbdd84b63a0e0b1a8d9d4ebe919d7">3d82cdfe</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-06-15T19:32:25-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Added pki nss-cert-issue
The pki nss-cert-issue have been added to issue a certificate
using a CA signing certificate stored in a local NSS database.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/21528f4940587680edb6e67da168dee74e0780de">21528f49</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-06-16T14:01:11-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Cleaned up ACMEEngine log messages
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/85b7b89e3a38fdab0b4c27dc2042985516f2ec6b">85b7b89e</a></strong>
<div>
<span>by dependabot[bot]</span>
<i>at 2020-06-16T20:32:47-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Bump xercesImpl from 2.11.0 to 2.12.0
Bumps xercesImpl from 2.11.0 to 2.12.0.
Signed-off-by: dependabot[bot] <support@github.com></pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/0011cfbed92e28f213bd25e914c647f14a6bb9f1">0011cfbe</a></strong>
<div>
<span>by Christina Fu</span>
<i>at 2020-06-18T15:53:12+10:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Bug 1805541 improvement over verifySCT - [RFE] CA Certificate Transparency with Embedded Signed Certificate Time stamp
This patch made some more attempt to improve on verifySCT
(though still not working; lack of the signed blob from sender
makes it a bit challenging)
It adds the following:
- Include code to use LinkedHashMap instead of Hashtable (requires jss fix)
- Added debugging code to be sure that the extensions didn’t get out of order through manipulation
- Allow for CT lg connection issue, but disallow for failed CT verification (though still temporarily disable failure for signature verification)
- For verifySCT
- Added missing 3 byte length for tbsCert
- Added processing for extensions, though most likely not needed for some time
Note: the global on/off is rigid at this point without "per-profile" control;
https://bugzilla.redhat.com/show_bug.cgi?id=1805541
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/f183aa0d0d3391bfedbeb0840bd0cca8d5baf462">f183aa0d</a></strong>
<div>
<span>by Fraser Tweedale</span>
<i>at 2020-06-18T15:53:12+10:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">CT: decode signature value properly
The CT signature is TLS-encoded structure with 4 leading bytes. The
rest of the signature is the signature value, which is a DER-encoded
ECDSA-Sig-Value per https://tools.ietf.org/html/rfc5480. This is
exactly what JSS needs, so only drop the first 4 bytes.
With this change, SCT signature verification now works.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/43466bf02606c68d31da7221c7181c10f30987d3">43466bf0</a></strong>
<div>
<span>by Fraser Tweedale</span>
<i>at 2020-06-18T15:53:12+10:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">CT: cleanups
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/85fdca4b91e9bec8680f2dcecec710cdae8b7835">85fdca4b</a></strong>
<div>
<span>by Fraser Tweedale</span>
<i>at 2020-06-18T15:53:12+10:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">CT: tidy up "allow failed SCT verification" control
The "allow failed SCT verification" behaviour was a bit buggy. If
it got a boolean verification result it "correctly" ignored failed
verification, but if an exception was thrown (e.g. due to malformed
log server response) it returned 'false', aborting issuance.
Extract the "allow failed verification" check out of verifySCT to
the call site. A single boolean now controls the behaviour. It
should be further extracted to a config knob in a future commit.
For now the default remains to ignore failed verification.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/62b8df1b74bbde0545051d2ca0f041c770cd3f88">62b8df1b</a></strong>
<div>
<span>by Fraser Tweedale</span>
<i>at 2020-06-18T15:53:12+10:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">CT: createSCTextension: handle SCT extensions properly
To handle possible future extensions, read the extensions from the
log server response(s) and copy them into the SCT extension.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/decf11920d40103f5290be157388979341fb18fa">decf1192</a></strong>
<div>
<span>by Fraser Tweedale</span>
<i>at 2020-06-18T15:53:12+10:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">CT: extract "write fixed-width length field" method
Define 'intToFixedWidthBytes' which encapsulates the logic of
writing a length as a fixed-width big-endian uint. This avoids
repetition and makes things easier to follow at call sites.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/e39d5978db53553a12dd43afd8b38dfadd4f1cec">e39d5978</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2020-06-18T11:33:12-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Enable TLS 1.3 post handshake auth
TLS 1.3 no longer supports renegotiations. Clients must announce support for
post handshake authentication to support conditional authentication with
client certs.
The fix is required to make Dogtag work with FreeIPA and TLS 1.3 enabled
Apache HTTPd proxy.
n.b.: rebased by Alexander Scheel, enabled PHA
Change-Id: I07da8779e233f6e77526df30e29da575676ac0e9
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/50c23ec146ee9abf28c9de87a5f7787d495f0b72">50c23ec1</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-06-18T11:33:12-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Enable certificate verification in PKIConnection
To PKIConnection's initialization handler, we introduce a new argument,
cert_paths, which takes a string or iterable; each unit of which is
treated as a capath or cafile depending on whether or not it is a
directory. See ssl.SSLContext.load_verify_locations for more
information. This enables both PKI and IPA to specify independent CA
file locations at the same time and have fallback if this does not work.
Because some users might've already loaded the CA certificate into the
system-wide CA certificate store (if they're running Dogtag in
production), we also inclue the global trust store.
Resolves: rh-bz#1426572
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/8705ebeb31c123d21f864dcad5e88f3cbfc59793">8705ebeb</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-06-18T11:33:12-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Make healthcheck check CA certificate
When running healthcheck, use the CA certificate in PEM form at
/etc/pki/<instance>/alias/ca.crt to verify connections with
PKIConnection. This is because the healthcheck tool is run on the
server, not on a remote client system.
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/e5793704caf37ba90eb1f9f8d9147d3f1ceb9a23">e5793704</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-06-18T11:33:12-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Make PKI server operations verify CA certificate
We create a path ~/.dogtag/nssdb/ca.crt which contains the PEM-encoded
CA certificate in the NSS DB. When setting up PKI server authentication,
check for this CA file and use it when present. If we're performing
cert-based auth, we're dumping the CA certificate into the .p12 file, so
we can extract just the CA certificate to create it if it is missing.
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/de680af221ff134cbbd773622e22b60d1a560fb7">de680af2</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-06-18T11:33:12-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Check CA Certificate in Security Domain
When checking a Security Domain connection, we should ensure the CA
certificate is already provisioned to this machine prior to attempting
this call.
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/7fba9a1610992f72baa8cdd25deec3b3ba67d8be">7fba9a16</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-06-18T11:33:12-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Secure PKIConnection during pkispawn, add CA cert
When the CA certificate is missing in PEM form in the NSS DB (but is
present from the pki_ca_cert_path parameter in the spawn configuration,
add it to this instance's alias prior to using PKIConnection.
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/614846ecfefe38c8d7ca295e1a90bf5b665e0ec7">614846ec</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-06-18T11:33:12-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Export CA certificate from clone PKCS#12 file
When creating a cloned subsystem, export the CA certificate into the
expected location prior to continuing subsystem installation. This
should ensure we provision the CA certificate prior to any calls to
PKIConnection.
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/35c52586632e90d429a76344fa34ebc6e4d8445a">35c52586</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-06-18T11:33:12-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Ignore certificate validation during status checks
When waiting for a subsystem to come up, we initialize a new
PKIConnection. However, we don't necessarily need to validate this
certificate: it is a status check and spoofing the result at worst
causes us to fail somewhere else, later, if the server isn't yet alive
and/or the connection was spoofed. Since this is primarily used in
pkispawn, it should be safe to ignore any certificate validation
failures and set verify=False here.
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/c4a3454e52b178597ec00bd4e3f10ab22e0bd57d">c4a3454e</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-06-18T11:33:12-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Verify CA certificate when destroying KRA
When destroying a KRA instance, we query a list of all CAs this KRA
instance is registerred to. When querying this list, verify the
certificate on the remote peer.
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/00fdf77f9a9a511157679a867cbea6f7608092a5">00fdf77f</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-06-18T11:33:12-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Export CA certificate after NSS DB migration
In order to ensure all subsystems continue to function with enforced CA
validity checking, export the CA after NSS DB migration. This should
ensure we always get the latest CA certificate (as the CA would
presumably be restarted after a new CA certificate has been issued).
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/dc5b3e78e2141109353bfbc74592f428468fd72e">dc5b3e78</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-06-18T11:33:12-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add documentation on PKI certificate validation
This documents utilizing the pki_cert_chain_path to configure an
existing CA certificate into the NSS DB. We also document proper CLI
setup procedures, including mentioning that the CA certificates must be
imported.
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/578f682ef9e9293af062432997ce3049ff921441">578f682e</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-06-18T10:35:28-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Added auto-reconnect for PostgreSQL database
The PostgreSQLDatabase.connect() has been added to create
the initial connection, validate the current connection,
and reestablish the connection if it's closed.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/b235c0f3c6c249dbba692410b525d8d6fb7409f4">b235c0f3</a></strong>
<div>
<span>by Dinesh Prasanth M K</span>
<i>at 2020-06-18T13:38:04-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix XSS in PathLength attribute in CA agent web page
- The input type is set to number when "integer" is encountered
- The server error message is html escaped, before it gets displayed in client browser
Resolves: BZ#1710171
Signed-off-by: Dinesh Prasanth M K <dmoluguw@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/6c43dd3005aa9d193578f392358f376ff190bdc0">6c43dd30</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-06-18T13:03:09-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Added certificate storage in ACME database
The ACMEDatabase has been modified to provide a certificate
storage for ACME issuers that do not have their own storage.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/56b8375e6e02d69df427c768e2e792c4bca4b089">56b8375e</a></strong>
<div>
<span>by Dinesh Prasanth M K</span>
<i>at 2020-06-18T20:02:18-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix reflected XSS attack when hitting getCookie endpoint
This patch sanitizes the Server generated error message, to escape
the HTML tags if any present.
Resolves: BZ#1789907
Signed-off-by: Dinesh Prasanth M K <dmoluguw@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/50585c651668a02c7c961f84a8068ace76e46e70">50585c65</a></strong>
<div>
<span>by Pritam Singh</span>
<i>at 2020-06-19T10:05:10-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Added client-side prevention for XSS in recoveryID endpoint
Signed-off-by: Pritam Singh <prisingh@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/835f1dcd739752d000448d42ac3a05233310e446">835f1dcd</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-06-19T10:16:40-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Simplified pki pkcs12-cert-find options
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/73da2085388876c9f398f836d54c960102f99938">73da2085</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-06-19T10:16:40-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Added default ACME validators configuration
The ACMEEngine.loadValidatorsConfig() has been modified to
load the default validators.conf if the configuration file
is not available.
The pki-server acme-create command has been modified to no
longer create validators.conf so the ACME responder will
use the default one.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/edff88c927dfaeca41f67f3105ecbfaacc5616a8">edff88c9</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-06-19T10:17:21-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Added non-blocking ACME validation
The ACMEChallengeProcessor has been added to perform the
ACME validation using a separate thread such that it does
not block the main thread.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/426d5f736bf124f3debf89d9feaa1c1bbc273156">426d5f73</a></strong>
<div>
<span>by Christina Fu</span>
<i>at 2020-06-19T12:02:06-07:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Bug1629025: KRA transporCert nick: Server-Side keygen Enrollment for EE
This patch fixes the issue where CA attempts to get
ca.ca.connector.KRA.transportCertNickname
instead of
ca.connector.KRA.transportCertNickname
from it's CS.cfg
https://bugzilla.redhat.com/show_bug.cgi?id=1629025
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/63a75f81aa8714d328c3829160b6149a96f59cf9">63a75f81</a></strong>
<div>
<span>by Timo Aaltonen</span>
<i>at 2020-06-19T15:12:47-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix javadoc build on Debian
Tried to build 10.9.0-a1 on Debian, but it fails building javadoc:
[ 98%] Generating Javadoc for pki-javadoc
cd /home/tjaalton/src/pkg-freeipa/dogtag-pki.git/build/core/base/javadoc && /usr/lib/jvm/java-11-openjdk-amd64/bin/javadoc -d /home/tjaalton/src/pkg-freeipa/dogtag-pki.git/build/core/base/javadoc/javadoc/pki-10.9.0 -windowtitle 'pki-javadoc' -doctitle '<h1>PKI Javadoc</h1>' -author -use -version -quiet -Xdoclint:none -sourcepath :/home/tjaalton/src/pkg-freeipa/dogtag-pki.git/base/javadoc:/home/tjaalton/src/pkg-freeipa/dogtag-pki.git/base/util/src:/home/tjaalton/src/pkg-freeipa/dogtag-pki.git/base/common/src:/home/tjaalton/src/pkg-freeipa/dogtag-pki.git/base/java-tools/src:/home/tjaalton/src/pkg-freeipa/dogtag-pki.git/base/server/src -classpath :/usr/share/java/slf4j-api.jar:/usr/share/java/jaxb-api.jar:/usr/share/java/xalan2.jar:/usr/share/java/xercesImpl.jar:/usr/share/java/commons-cli.jar:/usr/share/java/commons-lang.jar:/usr/share/java/commons-codec.jar:/usr/share/java/commons-httpclient.jar:/usr/share/java/commons-io.jar:/usr/share/java/ldapjdk.jar:/usr/share/java/velocity.jar:/usr/share/java/servlet-api-3.1.jar:/usr/share/java/tomcat9-catalina.jar:/usr/share/java/tomcat9-util.jar:/usr/share/java/httpclient.jar:/usr/share/java/httpcore.jar:/usr/share/java/jaxrs-api.jar:/usr/share/java/jackson-annotations.jar:/usr/share/java/jackson-databind.jar:/usr/share/java/jackson-module-jaxb-annotations.jar:/usr/share/java/resteasy-jaxrs.jar:/usr/share/java/resteasy-atom-provider.jar:/usr/share/java/resteasy-client.jar:/usr/share/java/jss4.jar:/home/tjaalton/src/pkg-freeipa/dogtag-pki.git/build/core/dist/symkey.jar:/usr/share/java/tomcatjss.jar:/home/tjaalton/src/pkg-freeipa/dogtag-pki.git/build/core/dist/pki-cmsutil.jar:/home/tjaalton/src/pkg-freeipa/dogtag-pki.git/build/core/dist/pki-certsrv.jar:/home/tjaalton/src/pkg-freeipa/dogtag-pki.git/build/core/dist/pki-tools.jar:/home/tjaalton/src/pkg-freeipa/dogtag-pki.git/build/core/dist/pki-tomcat.jar:/home/tjaalton/src/pkg-freeipa/dogtag-pki.git/build/core/dist/pki-cms.jar -subpackages :com.netscape.cmsutil:com.netscape.certsrv:com.netscape.cmstools:org.dogtagpki:com.netscape.cms
javadoc: error - No source files for package com.netscape.cmsutil
I believe base/javadoc/CMakeLists.txt needs to be updated..
it was quite simple
Resolves: https://www.pagure.io/dogtagpki/issue/3176
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/364de389758962fbd64f794c85dcbfd7800634a7">364de389</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-06-19T14:53:54-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Cleaned up ACME doc
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/0447bd7228fded2af4604bc0cc5c9f7839cbc79a">0447bd72</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-06-19T15:00:44-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Added NSSExtensionGenerator
The NSSExtensionGenerator has been added to create certificate
extension objects from a configuration file. Initially it only
supports BasicConstraintsExtension.
The NSSDatabase has been modified to support creating certificate
request or issuing certificates with extensions.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/57e97b2bccffe81c1f5cf8ace3fdd7f36c19528b">57e97b2b</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-06-19T15:00:44-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Added support for AuthorityKeyIdentifierExtension
The NSSDatabase and NSSExtensionGenerator have been modified
to support AuthorityKeyIdentifierExtension.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/302edc84c891e44bad4aa956a4c5a72b643d06bf">302edc84</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-06-19T15:00:44-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Added support for SubjectKeyIdentifierExtension
The NSSDatabase and NSSExtensionGenerator have been modified
to support SubjectKeyIdentifierExtension.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/6e28f76af755579db298dbc2d0343c75b827f862">6e28f76a</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-06-19T15:00:44-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Added support for AuthInfoAccessExtension
The NSSDatabase and NSSExtensionGenerator have been modified
to support AuthInfoAccessExtension.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/3e035de670499d8b80801a2ba835852c4bea91fe">3e035de6</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-06-19T15:00:44-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Added support for KeyUsageExtension
The NSSDatabase and NSSExtensionGenerator have been modified
to support KeyUsageExtension.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/bec9b60e08d3151f9202d5f7e2c09f62a4e996cb">bec9b60e</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-06-19T15:00:44-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Added support for ExtendedKeyUsageExtension
The NSSDatabase and NSSExtensionGenerator have been modified
to support for ExtendedKeyUsageExtension.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/923e1e1247f5a502913a55cc607fb9eba567b70d">923e1e12</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-06-19T15:00:44-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Added support for CertificatePoliciesExtension
The NSSDatabase and NSSExtensionGenerator have been modified
to support CertificatePoliciesExtension.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/74918419b0059e5aa9d1ba28b385dcd205700f06">74918419</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-06-19T16:42:44-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Use password during NSS DB creation
In most instances, MainCLI has already parsed options prior to executing
MainCLI.init(). Require the caller to ensure this holds. When a NSS DB
password has been provided, use it to create the NSS DB when one doesn't
yet exists. This matches users's expectations.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1843537
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/3a92a1db581541ad700916aa970f098937be5171">3a92a1db</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-06-19T18:09:04-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Added NSSIssuer
The NSSIssuer has been added to provide an embedded
CA for the ACME responder using a local NSS database.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/ca428b43651e8f7e3d28ef32c9a50c50aa3f83c9">ca428b43</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-06-19T19:36:10-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Set -Dcom.redhat.fips=false in Tomcat config
FIPS mode in OpenJDK shipped on RHEL-like platforms uses SunPKCS11 to
provide cryptographic primitives for SunJSSE (including SSLEngine and
SSLSocket) and other high-level providers. However, because SunPKCS11
uses NSS, we'd have a race between JSS and SunPKCS11. This isn't good,
because when Tomcat loads up, SunPKCS11 will consistently load before
TomcatJSS initialization, starving JSS's chance to become the default
provider. By setting -Dcom.redhat.fips=false unconditionally, we
decrease the JDK's reliance on SunPKCS11, decreasing the chance it'll
load. Indeed, prior to the changes to follow system FIPS mode, we've not
encountered any issues with SunPKCS11 loading ahead of JSS.
This change adds -Dcom.redhat.fips=false to the Tomcat configuration
unless the key is already present.
Because JSS is FIPS conforming, and provides a SSLEngine and SSLSocket
implementation since JSS 4.7.0, this is safe to do. In the future,
java.security can be used to ensure only JSS is loaded, preventing any
non-FIPS operations completely.
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1655466
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1759335
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1780335
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1821851
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1830090
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/43a2738ceedc61f062124004f2ea38229d51d518">43a2738c</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-06-22T10:49:21-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Added PKIServer.nssdb_link
The code in PKIInstance that creates and removes the link
to the NSS database has been moved into PKIServer.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/41e1590b02f1334b60e6fc86cbf28075ce3ae262">41e1590b</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-06-22T10:49:21-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Reorganized ACME database files
The ACME database files have been moved into acme/database
to simplify the paths.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/b20f0803621f37f35859087b1b79011987d5cab7">b20f0803</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-06-22T10:49:21-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Reorganized ACME issuer files
The ACME issuer files have been moved into acme/issuer
to simplify the paths.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/b04097fc279d632093e9fba099c144bde6184ff4">b04097fc</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-06-22T10:49:21-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Simplified pki pkcs12-cert-mod options
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/abc01031c325c9dd6ef2af6510a3a94e543dfd07">abc01031</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-06-22T11:38:38-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Updated version number to 10.9.0-0.3 (beta 1)
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/412b3150f33d2648a262642ecb5adda5dbc82386">412b3150</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-06-22T15:12:37-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Renamed issuer parameter in NSSIssuer
The issuer parameter in NSSIssuer has been renamed to
nickname for clarity.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/606aa7b9a3c8fb2d4fc725e1baa0f80a5215c6e1">606aa7b9</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-06-22T15:13:12-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Added default value for NSSIssuer nickname
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/4f3db1aec319921112d3ef04fd6739d2a6cd15c1">4f3db1ae</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-06-22T15:13:13-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Added default value for NSSIssuer extensions
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/4f47a2f65ccde0ff00d6a40d602d35c1a0e3eb7a">4f47a2f6</a></strong>
<div>
<span>by Dinesh Prasanth M K</span>
<i>at 2020-06-23T18:00:23-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Require python3-setuptools explicitly
python3-setuptools is required to setup PKI healthcheck tool. There
was a request submitted by setuptools developers to specify BR directly
rather than using tranisitive dependency (ie) python3-devel pull
python3-setuptools currently
Ref: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/GCPGM34ZGEOVUHSBGZTRYR5XKHTIJ3T7/
Signed-off-by: Dinesh Prasanth M K <dmoluguw@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/1b4558bf7ebac2d1fcf5d431ac12b0c6a15dadb9">1b4558bf</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-06-24T11:53:59-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix extraction of CA certificate
openssl pkcs12 gets annoyed when the CA certificate already exists.
Remove it before exporting on each migration.
This manifests itself as a failure during pki-tomcatd startup:
Jun 24 06:05:59 host-10-0-137-221.ipa.example pki-server[21402]: ---------------
Jun 24 06:05:59 host-10-0-137-221.ipa.example pki-server[21402]: Export complete
Jun 24 06:05:59 host-10-0-137-221.ipa.example pki-server[21402]: ---------------
Jun 24 06:05:59 host-10-0-137-221.ipa.example pki-server[21375]: ERROR: Command: openssl pkcs12 -in /tmp/tmpfn_vr9yx/sslserver.p12 -out /etc/pki/pki-tomcat/alias/ca.crt -nodes -nokeys -passin pass::6|xZFEk8Dog
See also: https://github.com/freeipa/freeipa/pull/4820#issuecomment-648729659
Related: rh-bz#1426572
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/deca1c8792008a5298ec1971414d9669258b64d4">deca1c87</a></strong>
<div>
<span>by Dinesh Prasanth M K</span>
<i>at 2020-06-24T17:12:26-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Healthcheck: Ignore SSL verification in connectivity check
The connectivity check's motive is to test whether the given
subsystem is up and able to respond. Strict SSL validation is not
required. This patch turns it off for the COnnectivity Healthcheck.
Signed-off-by: Dinesh Prasanth M K <dmoluguw@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/a21bd28cc2abfbf0f6a8d0bf8591bcba2f437c63">a21bd28c</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-06-25T12:35:23-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Provision CA certificate for Security Domain check
When checking the Security Domain during pkispawn, we enforce
certificate validation. This is because we're also checking the
username/password given to us. This should go over a secured connection,
so simply setting verify=False would be a bad fix. Instead, ask the user
for a pki_cert_chain_path if one isn't given and use that to validate
the security domain's connection when the ca.crt path isn't already
populated.
This manifests itself as the following error:
File "/usr/lib/python3.6/site-packages/pki/server/pkispawn.py", line 930, in <module>
main(sys.argv)
File "/usr/lib/python3.6/site-packages/pki/server/pkispawn.py", line 544, in main
check_security_domain()
File "/usr/lib/python3.6/site-packages/pki/server/pkispawn.py", line 716, in check_security_domain
info = deployer.get_domain_info()
File "/usr/lib/python3.6/site-packages/pki/server/deployment/__init__.py", line 270, in get_domain_info
self.domain_info = sd_client.get_domain_info()
File "/usr/lib/python3.6/site-packages/pki/system.py", line 270, in get_domain_info
response = self.connection.get(self.domain_info_url, headers=headers)
File "/usr/lib/python3.6/site-packages/pki/client.py", line 55, in wrapper
return func(self, *args, **kwargs)
File "/usr/lib/python3.6/site-packages/pki/client.py", line 259, in get
timeout=timeout,
File "/usr/lib/python3.6/site-packages/requests/sessions.py", line 546, in get
return self.request('GET', url, **kwargs)
File "/usr/lib/python3.6/site-packages/requests/sessions.py", line 533, in request
resp = self.send(prep, **send_kwargs)
File "/usr/lib/python3.6/site-packages/requests/sessions.py", line 646, in send
r = adapter.send(request, **kwargs)
File "/usr/lib/python3.6/site-packages/requests/adapters.py", line 514, in send
raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='pki1.example.com', port=20443): Max retries exceeded with url: /ca/rest/securityDomain/domainInfo (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)'),))
Related: rh-bz#1426572
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/57fdb9bb6bb2653a428818fc2792f6940740d515">57fdb9bb</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-06-25T14:33:23-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Refactored EnrollDefault.deleteExtension() (part 1)
The EnrollDefault.deleteExtension() has been modified to
throw a generic exception.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/16269168dcf252174344d7ed84301a2c4b95beb4">16269168</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-06-25T14:34:16-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Refactored EnrollDefault.deleteExtension() (part 2)
The EnrollDefault.deleteExtension() has been modified to use
a separate loop to avoid ConcurrentModificationException.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/b2388e9a82534a0c3fb81b954c0db2b04f363225">b2388e9a</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-06-25T15:00:50-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Refactored CAProcessor.saveAuthToken() (part 1)
The code that checks that the authentication token and the
request are not null in CAProcessor.saveAuthToken() has been
moved to the caller.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/134f20ba17ea84551c3809564b8befc4cd34e3d6">134f20ba</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-06-25T15:22:05-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Refactored CAProcessor.saveAuthToken() (part 2)
The variable names and log messages in CAProcessor.saveAuthToken()
have been modified for clarity.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/e131adc0794ad2b0b5fadcff5b6a03e8a97088cb">e131adc0</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-06-25T16:53:35-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Updated version number to 10.9.0-0.4 (beta 2)
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/3073c64aa41c0c736634ff6fe7cbfa51a049910e">3073c64a</a></strong>
<div>
<span>by Christina Fu</span>
<i>at 2020-06-25T19:31:17-07:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Bug1805541-parseAlgs-[RFE] CA Certificate Transparency with Embedded Signed Certificate Time stamp
This patch parses the CT response for hashing and signing algorithms.
There is plan to fine-tune the CT code later.
https://bugzilla.redhat.com/show_bug.cgi?id=1805541
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/2a0dae85067446f0b834c19cee67b58f789cf89c">2a0dae85</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-06-29T10:55:05-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Removed default user/group in pki-server create
The hard-coded default user/group in pki-server create has
been removed such that it's going to be determined by the
type of instance being created.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/6c18b47f9d07f8c9b97a2ed5b6aefba8a05b3fe9">6c18b47f</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-06-29T10:55:48-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Cleaned up log messages in PKIIssuer
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/4ce3a7e4d946f22188a955beb82a864f9888dbf2">4ce3a7e4</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-06-29T10:55:48-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Cleaned up main web.xml
The main web.xml has been modified to map .properties
files to text/plain to avoid syntax errors in Firefox.
https://github.com/jquery-i18n-properties/jquery-i18n-properties
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/7ab7f7319ee739d10a0c6042f6f0559b438e716a">7ab7f731</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-06-29T10:55:48-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Cleaned up ACME's web.xml
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/33f4893ca2c3dc9daa669da8b1d03a52afb34c04">33f4893c</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-06-29T14:20:23-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Added ACME Dockerfile
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/0682f55322bdf583bd5b0492f0995cdd560f96a3">0682f553</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-06-29T14:20:23-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Added ACME deployment config for OpenShift
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/93732b527a9083987f6fd16960e42a02433ee7f3">93732b52</a></strong>
<div>
<span>by Dinesh Prasanth M K</span>
<i>at 2020-06-30T11:20:15-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Healthcheck: Add method to load dogtag specific config values
This patch adds a reusable method to load dogtag specific values
specified in the config file. Note that each registry calls this
method but, the values are read only once. The registry initialization
is handled by the underlying 'pkg_resources' library and there was no
particular order.
TODO: This is a temporary patch and the parsing method should be
moved into the ipa-healthcheck-core library
Signed-off-by: Dinesh Prasanth M K <dmoluguw@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/bb0739e027121756f51f6c9002ac08db0b7e5f0b">bb0739e0</a></strong>
<div>
<span>by Dinesh Prasanth M K</span>
<i>at 2020-06-30T11:20:15-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Refactor DogtagCertsConfigCheck to accommodate other subsystems
This patch refactors DogtagCertsConfigCheck to accommodate other
subsystems: OCSP, TKS and TPS. This patch also uses the config names
mentioned in the healthcheck config file.
Signed-off-by: Dinesh Prasanth M K <dmoluguw@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/400a5a8f8db6a60efe9c904583a365e2a8c042b9">400a5a8f</a></strong>
<div>
<span>by Dinesh Prasanth M K</span>
<i>at 2020-06-30T11:20:15-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Healthcheck: Allow healthchecks to load custom named instances
This patch allows the Healthchecks to use the custom instance
names provided via the pki specific healthcheck config file. This
will allow healthcheck to be executed in standalone Dogtag PKI
environments.
Signed-off-by: Dinesh Prasanth M K <dmoluguw@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/a8f7eedea809ba34c728db539f064ed76acbb3d7">a8f7eede</a></strong>
<div>
<span>by Dinesh Prasanth M K</span>
<i>at 2020-06-30T11:20:15-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Update PKI-healthcheck documentation
Add documentation related to /etc/pki/healthcheck.conf
Signed-off-by: Dinesh Prasanth M K <dmoluguw@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/7fcb8993fc4a2e9dddb4653e554d6330a57dfa5e">7fcb8993</a></strong>
<div>
<span>by Dinesh Prasanth M K</span>
<i>at 2020-06-30T11:20:15-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Healthcheck: Minor improvements to config and expiration check
This patch:
* Uses expiration day value specified in config to report warnings
during the System Certificate Expiration Check
* Prior to this commit, if a custom instance name is specified for a
subsystem, ALL subsystem's instance names needed to be specified. This
patch removes that restriction.
Signed-off-by: Dinesh Prasanth M K <dmoluguw@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/d6c91ee4a11a55534c733d144b3108e16b0ac6aa">d6c91ee4</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2020-06-30T12:05:57-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">pki password fix for FIPS
NSS DB in FIPS mode seems to require a password in all cases. When pki
attemps to open NSS DB without password in FIPS mode, it blocks with a
prompt to enter a password. This breaks installation in FIPS mode:
Enter password for NSS FIPS 140-2 User Private Key
Signed-off-by: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/573f574e53719c1e7be470471f6c7ca776c36a69">573f574e</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-06-30T17:59:38-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add separate bootstrap CSS file
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/01d46248bb5c645a88dc4437f7de383179ab12c3">01d46248</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-06-30T17:59:38-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Link in new Bootstrap CSS file
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/021b273cc59965fdb4daa4d7d1ae914fd549acfb">021b273c</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-06-30T18:19:22-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Removed tech preview notifications
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/44a6c53c345ce8901cb105457a2dc4d32b72f1d1">44a6c53c</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-06-30T23:16:50-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Renamed TPS profile service
The ProfileService for TPS has been renamed into
TPSProfileService for clarity.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/f9db0af1c316743504312746fd72f846a90404b7">f9db0af1</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-06-30T23:17:17-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Cleaned up log messages in TPSProfileService
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/f306fa8afa74886ea00245d1d38a01227bcf87ca">f306fa8a</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-06-30T23:17:17-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Added ProfileData.profileID
The ProfileData.profileID has been added to store the ID
before the profile is added into the database.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/a4336bad6e8c446d577f196fd43d74d41f762a96">a4336bad</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-06-30T23:17:17-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Added ErrorDialog.htmlContent
The ErrorDialog has been modified to provide an option to
display HTML content.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/8884b4344225bd6656876d9e2a58b3268e9a899b">8884b434</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-07-01T11:30:30-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Replace CMSTemplate custom sanitization with lang2
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/f770c4e5425c8ce3b2c3da53b4e11d4c12b61468">f770c4e5</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-01T10:42:04-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Refactored EntryPage.save()
The EntryPage.save() has been renamed to saveEntry() for clarity.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/8734909bc5b61e230b18c112ffcd501fbe01e388">8734909b</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-01T10:42:04-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Updated ErrorDialog.close()
The ErrorDialog.close() has been modified to trigger an event.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/02e3f1e5b448425954082691f17d0cf7556c9806">02e3f1e5</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-01T11:25:00-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Cleaned up log messages in TokenService
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/1dbb07f8e41b4809b0f41a7643c37301fcf712d8">1dbb07f8</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-01T15:47:32-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Added input validation for TPS
The TPSProfileService has been modified to validate the
profile ID and profile property names received via REST API.
The TPS UI has been modified to validate profile ID and
profile property names before they are sent to the server.
The TableItem.renderColumn() has been modified to escape
the value already stored in the database before displaying
it in the UI.
https://bugzilla.redhat.com/show_bug.cgi?id=1791099
https://bugzilla.redhat.com/show_bug.cgi?id=1793076
https://bugzilla.redhat.com/show_bug.cgi?id=1725129
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/da7d9cc31740f86074893411ca413e0b6eb0d1cf">da7d9cc3</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-02T11:16:09-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Updated version number to 10.9.0-0.5.unstable (beta 3)
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/c1098bb1bb8841427d80fa13c050107853bb3019">c1098bb1</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-02T16:23:51-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Updated build.sh to generate UTC timestamp
The build.sh has been modified to generate UTC timestamp such
that it is consistent across different time zones.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/fd3e3dea77976451ee9e1d06018d6da124ab98be">fd3e3dea</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-02T17:05:00-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Cleaned up log messages in CertRequestService
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/9de45c2812e9eaddaeef50dd422117cf57820581">9de45c28</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-02T17:11:14-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Cleaned up log messages in PKIRealm
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/44c34cc125b5a514082ed706d44a6a5bcfc403fe">44c34cc1</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-02T17:11:14-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Added UserClient constructor
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/62e86aa28b7871bde0573de6804eade7d1be5e68">62e86aa2</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-02T17:11:14-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Added GroupClient constructor
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/bd46b1a598a089c6ada55eca84c124d028dbded4">bd46b1a5</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-02T17:11:14-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Added setter/getter for CertEnrollmentRequest.serverSideKeygenP12Passwd
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/14ece271f28f16a1583819cddc43c02b6acf817e">14ece271</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-02T18:47:27-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Deprecated PKIInstance.server_cert_nick_conf()
The PKIInstance.get_sslserver_cert_nickname() has been modified
to get the SSL server cert nickname from the server.xml. The
PKIInstance.server_cert_nick_conf() is no longer used so it has
been deprecated.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/68e7c3b5b771aa7ceac6b9d3ee48cf99cbae4ceb">68e7c3b5</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-02T21:28:13-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Cleaned up basic PKI server install doc
The doc for installing basic PKI server has been
modified to use the default instance name.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/59f58e7ee03fb817fc659decb0f3ec46a475b9d0">59f58e7e</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-02T21:28:13-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Updated basic PKI server install doc with NSS database
The doc for installing basic PKI server with NSS database
has been modified to use pki nss commands.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/5d97b91afd56767a91818bae794ac3afbfc3d1ba">5d97b91a</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-06T22:52:48-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Reorganized basic PKI server install doc
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/f378079415b8f9c9bef0936dd3b419079b1c8263">f3780794</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-08T09:30:50-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fixed NSSExtensionGenerator.createAIAExtension()
The NSSExtensionGenerator.createAIAExtension() has been modified
to call AuthInfoAccessExtension.encode() in order to populate its
extensionValue field. Otherwise, the null extensionValue will
cause an NPE in CertificateExtensions.parseExtension().
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/3493f58df6a1ac8fc941398ed4ee81ef1f17262f">3493f58d</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-08T09:30:50-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Added PostgreSQL.setup()
The PostgreSQL.setup() has been added to automatically create
the tables when the server initially connects to the database.
This eliminates the requirement to create the tables manually.
The docs have been updated accordingly.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/fa9d5a4ccdb3caa7da483569e38b42eae366d3e2">fa9d5a4c</a></strong>
<div>
<span>by Christina Fu</span>
<i>at 2020-07-08T17:09:41-07:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Bug1629025-handle large keys-ServerSideKeygen
This patch addresses the issue that for ServerSideKeygen enrollments,
if the RSA keys are larger (3072 or 4096), the enrollment would fail.
It may very well have to do with Apache's limit on HTTP header.
While there might exist a better way to resolve this, I'm opting
to remove a duplicated "issued cert" entry in the request itself which
effectively resolves the issue.
https://bugzilla.redhat.com/show_bug.cgi?id=1629025
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/0067bada6803a3c7a6da05f3a0afe7272c40b02d">0067bada</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-08T21:36:44-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Added JUL logging options for PKI console
The PKI console has been modified to provide CLI options
to set the log level for java.util.logging.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/d6a511b2cd15cea974435bfa75183533179ea208">d6a511b2</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-08T21:36:44-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Added ACMEEngine.start()/stop()
The code that starts and stops the ACME engine in
ACMEEngine.contextInitialized() and contextDestroyed() has
been moved into start() and stop().
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/0215655f04866e4ee4790afd8acbb922ab43036d">0215655f</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-08T21:36:44-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Refactored ACMEEngineConfigSource (part 1)
The setEnabled and setWildcard fields in ACMEEngineConfigSource
have been renamed into enabledConsumer and wildcardConsumer for
clarity. Setters/getters have also been added for these fields.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/c369ffa19a87373b6c8fa040411e485398135a9a">c369ffa1</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-08T21:36:44-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Refactored ACMEEngineConfigSource (part 2)
The ACMEEngineConfigSource.init() has been modified such that
the caller is responsible to initialize the consumers.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/1223d8b93990448b6d0820c3fc06992a066f146d">1223d8b9</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-08T21:36:44-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Refactored PostgreSQLDatabase.deleteAccountContacts()
The PostgreSQLDatabase.deleteAccountContacts() has been converted
into removeAccountContacts() which takes an account ID.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/5b56a967fd1c7f55e8018fafa7cb1950a298e5c9">5b56a967</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-08T21:36:44-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Refactored PostgreSQLDatabase.deleteAuthorizationChallenges()
The PostgreSQLDatabase.deleteAuthorizationChallenges() has been
converted into removeAuthorizationChallenges() which takes an
authorization ID.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/7b9b3c6ce73903b99ced5d5dc51981d051dc3e5c">7b9b3c6c</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-07-09T10:49:00-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Measure individual test execution time
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/3702d4a1bda9e558253e5be189a884c51bbb06dc">3702d4a1</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-09T15:52:34-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Added ACMEScheduler
The ACMEScheduler has been added to schedule tasks to run
periodically in the background.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/8cb34a7723758c1af8f63b30afd9465eb53cff41">8cb34a77</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-09T15:52:34-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Added ACMEMaintenanceTask
The ACMEMaintenanceTask has been added to clean up ACME
database. Initially it is used to clean up expired nonces
every 5 minutes.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/337cff960cf01c0cfd5ac759c11053a9f0de7e7f">337cff96</a></strong>
<div>
<span>by Dinesh Prasanth M K</span>
<i>at 2020-07-09T17:51:37-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Copy missing profiles between 10.5 and current version (10.9)
This patch copies all missing profiles introduced from 10.6+
and configures the CS.cfg in existing deployments. This ensures
that the old deployments (<=10.5) can use the latest profiles
Signed-off-by: Dinesh Prasanth M K <dmoluguw@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/ec859b40c885d3997bb16bebe11c2c7067538ba7">ec859b40</a></strong>
<div>
<span>by Dinesh Prasanth M K</span>
<i>at 2020-07-09T17:51:37-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Remove duplicate entries from CS.cfg
Signed-off-by: Dinesh Prasanth M K <dmoluguw@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/21a8f05f5ccaee7eb583784217bb0e5b5563ea0b">21a8f05f</a></strong>
<div>
<span>by Deepak Punia</span>
<i>at 2020-07-10T09:03:57-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Adding downstream tier0-sanity job to upstream
installation-acme
role-user-creation-topo-02
topo-01-role-user-creation
Signed-off-by: Deepak Punia <dpunia@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/1df72734f9e9931002c83bc54838caa67a2c3c61">1df72734</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-10T09:11:41-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Refactored PostgreSQLDatabase.getExpiredNonces()
The PostgreSQLDatabase.getExpiredNonces() has been modified
to only return the nonce values.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/eca5c92681ceec9e11bfaed3560464bdc28cc678">eca5c926</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-10T09:11:41-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Refactored ACMEChallengeProcessor.processChallenge()
The code that finalizes valid and invalid authorizations in
ACMEChallengeProcessor.processChallenge() has been moved into
finalizeValidAuthorization() and finalizeInvalidAuthorization().
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/020a3b3027e66e82b7c50a1c7d2469c71e29a54f">020a3b30</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-10T09:11:41-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Added log messages in LDAPDatabase
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/d0d803c878c9a778c57f98d2e83f36709834d1d5">d0d803c8</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-10T09:11:41-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Updated version number to 10.9.0-0.6.unstable (beta 4)
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/4ae9c7b1712174c80a7ed25028239664899ae64c">4ae9c7b1</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-10T09:42:48-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fixed PostgreSQL orders.expires constraints
The PostgreSQL orders.expires column has been modified
to become optional.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/69e9d81ba7b0123c58d3fba2449d241eadb03baa">69e9d81b</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-10T09:42:53-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fixed PostgreSQL authorizations.expires constraints
The PostgreSQL authorizations.expires column has been
modified to become optional.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/fed60474d9830417200a10b4966c6c7b69bbf905">fed60474</a></strong>
<div>
<span>by Christina Fu</span>
<i>at 2020-07-10T15:02:54-07:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Bug 1805541-refactor:[RFE] CA Certificate Transparency with Embedded Signed Certificate Time stamp
This patch reafactors the Certificate Transparency code.
More refinement to come, but for this patche:
- the majority of the CT v1 code originally in CAService.java now goes
into CTEngine.java;
- some utility methods go into CertUtils.java
- new CT enablement logic is introduced to replace the original one:
The logic of whether SCT extension is to be added to the issued
cert or not now goes like this:
IN CS.cfg
* CT mode is controlled by ca.certTransparency.mode
* There are three CT modes:
* disabled: issued certs will not carry SCT extension
* enabled: issued certs will carry SCT extension
* perProfile: certs enrolled through those profiles
* that contain the following policyset
* will carry SCT extension
* SignedCertificateTimestampListExtDefaultImpl
* default is true
* if unknow mode then error will be thrown.
https://bugzilla.redhat.com/show_bug.cgi?id=1805541
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/0fa50bb906e47d3b479a70ddc4caac2c8714a44f">0fa50bb9</a></strong>
<div>
<span>by Dinesh Prasanth M K</span>
<i>at 2020-07-13T15:47:32-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">CI: Build custom Fedora image that has systemd installed
With latest Fedora container images (starting from fedora:30) it seems
that the systemd script files have been removed. This patch builds a custom
fedora container image with systemd package installed, giving us the right
systemd-enabled environment to run PKI tests
Signed-off-by: Dinesh Prasanth M K <dmoluguw@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/cdbbb079d2eba050fda8db6ba367f231f09fa322">cdbbb079</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-13T18:30:32-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Removed default max/min LDAP connections
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/43e4cd0fc03a2025036e7fa20d5b9a1bfedb12d1">43e4cd0f</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-13T18:30:32-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Updated pki-server acme-database-show
The pki-server acme-database-show has been modified to support
LDAP database.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/5ce46a35ae85cd637e3c17c6c8c39964242b3365">5ce46a35</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-13T18:30:32-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Updated pki-server acme-database-mod
The pki-server acme-database-mod has been modified to support
LDAP database.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/280c2c3735b449c810aeb18d904406b06af85791">280c2c37</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-13T18:30:32-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Updated pki-server acme-issuer-show
The pki-server acme-issuer-show has been modified to support
NSS issuer.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/6eec2d3ad5cec11c7d80dcea4303d5a54dda8b13">6eec2d3a</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-13T18:30:32-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Updated pki-server acme-issuer-mod
The pki-server acme-issuer-mod has been modified to support
NSS issuer.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/6f94b0d759ac699d5d8095f1298e84fe6e334c4d">6f94b0d7</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-13T20:30:26-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Reorganized CA install docs
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/2bd40bdf148f09884c91b8cf291429bea9e53ff8">2bd40bdf</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-13T20:30:26-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Reorganized KRA install docs
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/b17883dec0bc89d3ef37b13fa064af00c80790cd">b17883de</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-13T20:30:26-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Reorganized OCSP install docs
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/3b6cbc7d937903133efbf68a555a88aa7d2077d8">3b6cbc7d</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-13T20:30:26-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Reorganized TKS install docs
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/3b58dcda5b6359822da693a0ae3d6bbf056eece6">3b58dcda</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-13T20:30:26-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Reorganized TPS install docs
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/f946a3e3c5881e022b830493147539d00051b318">f946a3e3</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-14T15:16:46-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fixed podman deployment doc
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/9170acf282ada448b6218e05a6bf3833e63a371c">9170acf2</a></strong>
<div>
<span>by Christina Fu</span>
<i>at 2020-07-14T16:50:31-07:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Bug1856368- pki cli kra-key-generate request is failing
This patch fixes the issue with failed kra-key-generate from pki cli.
Investigation revealed that the underlying JSS changes where
base64encodeSingleLine call into
Base64.getEncoder().encodeToString(bytes);
does not tolerate null parameter.
Reference: Remove code dependency on Apache Commons Codec
https://github.com/dogtagpki/jss/commit/8de4440c5652f6f1af5b4b923a15730ba84f29e1#diff-b2e907677520a5d671a037de2e60e656L376
in PKI, since the caller for generateAsymmetricKey() in KeyClient.java
deliberately passed in "null" for transWrappedSessionKey, it is
safe to just skip over the following line when transWrappedSessionKey is null:
data.setTransWrappedSessionKey(Utils.base64encode(transWrappedSessionKey, false));
the CRMF issue reported in the same bug is very likley a separate issue
and should be filed in a separate bug.
https://bugzilla.redhat.com/show_bug.cgi?id=1856368
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/9ffb9925d8d0a86059f3ec300526cf5d5b4093d5">9ffb9925</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-14T19:19:49-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fixed error handling in PKIRealm
In commit 9de45c2812e9eaddaeef50dd422117cf57820581 the PKIRealm was
modified to wrap all exceptions that happen during authentication
and rethrow them as RuntimeExceptions in order to preserve the stack
trace for troubleshooting.
However, because of that when a client tries to authenticate with a
revoked certificate the server incorrectly reports it as an internal
server error instead of authentication failure.
To fix the problem, the PKIRealm has been modified to modified to
handle authentication failures (e.g. EInvalidCredentials) differently
from other internal server errors (e.g. LDAP exceptions).
For authentication failures PKIRealm will return null as described
in RealmBase documentation:
https://tomcat.apache.org/tomcat-9.0-doc/api/org/apache/catalina/realm/RealmBase.html
For internal server errors it will log the stack trace and to wrap
the exception and rethrow it as RuntimeException for troubleshooting.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/180d42e9b4a2eb3aa7970448f888fb50d0d14522">180d42e9</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-15T10:18:32-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fixed ACME authorization status
The ACMEChallengeProcessor.processChallenge() has been modified
to set the authorization status to invalid if the client fails
to fulfill the challenge.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/db7b73a44babf55cd9eca864227d49500cff6722">db7b73a4</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-15T10:18:32-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fixed ACME order status
The ACMEChallengeProcessor.processInvalidChallenge() has been
modified to set the order status to invalid if at least one of
the authorizations is invalid.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/8feeea95029e57ea9ba55b1123e7f3ae2ca1e48d">8feeea95</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-15T10:49:40-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fixed LDAPDatabase.getAuthorizationByChallenge()
The LDAPDatabase.getAuthorizationByChallenge() has been
modified to return the complete authorization data such
that if the authorization is updated and saved into the
database it will not unintentionally lose data.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/71fced30e069c143fe9c188523f3fa94ba6c1297">71fced30</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-15T10:49:40-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Removing incomplete ACME challenges
The code that finalizes ACME authorizations has been modified
to retain the completed challenge (either valid or invalid) and
remove the incomplete ones.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/ce689dfa43b4fc5475dfed039d379c1e653a8049">ce689dfa</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-15T11:40:14-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Cleaned up log messages in MessageFormatInterceptor
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/d23240d030e49edae1c76500f378011eab760c07">d23240d0</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-15T11:40:48-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fixed ACMEAuthorization.expirationTime handling
The code that uses ACMEAuthorization.expirationTime has been
modified to handle a possible null value.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/8edae3095a078204a946ec9736c83054b2685532">8edae309</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-15T11:40:48-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fixed ACMEOrder.expirationTime handling
The code that uses ACMEOrder.expirationTime has been modified
to handle a possible null value.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/ec9b44851bab48dd42512473f3e672e95c64a493">ec9b4485</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-15T19:10:37-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Updated ACME database configuration doc
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/885ba3f6cad5f9042bdce65f7b336e912365d882">885ba3f6</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-16T12:30:35-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fixed ACME authorization expiration time
Previously the expirationTime field in ACMEAuthorization is
always set when the object is created. According to RFC 8555
the value is only required when the authorization is valid,
so the code has been updated accordingly.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/2443d08aa0afc8d6fdb5635d6391d194e7e6395a">2443d08a</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-16T12:30:35-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fixed ACME order expiration time
Previously the expirationTime field in ACMEOrder is always set
when the object is created. According to RFC 8555 the value is
only required when the order is valid or pending, so the code
has been updated accordingly.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/91889f162cf64dafaf4bc48666cf958eb1f2efc0">91889f16</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-16T12:30:35-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Added ACMEDatabase.removeExpiredAuthorizations()
The ACMEDatabase.removeExpiredAuthorizations() has been added
to remove expired authorization records from ACME database.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/eec64fc4352305b5054bd06e96a749363ccbfe07">eec64fc4</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-16T12:30:35-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Added ACMEDatabase.removeExpiredOrders()
The ACMEDatabase.removeExpiredOrders() has been added to remove
expired order records from ACME database.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/b2215b72bae20ffc0b1879714a809d519b405022">b2215b72</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-16T12:30:35-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Updated ACME maintenance task
The ACME maintenance task has been updated to periodically remove
expired authorization and order records from ACME database.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/87c0aef6ecb97a23dce0254c5e3efcf6a8430d35">87c0aef6</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-16T17:26:23-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Added silent mode for pki-server acme-database-mod
The pki-server acme-database-mod has been modified to provide
a silent mode for configuring ACME database.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/8cee2f93370d3c102a4808cd5d488dc804be1630">8cee2f93</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-16T17:26:23-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Added silent mode for pki-server acme-issuer-mod
The pki-server acme-issuer-mod has been modified to provide a
silent mode for configuring ACME issuer.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/95e338caf67342face3c42e7e95a8443eabe726a">95e338ca</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-16T17:26:23-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Updated ACME database and issuer configuration docs
The ACME database and issuer configuration docs have
been modified to use the slient mode.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/f1e86ff0494c7541a322d3ed64fad449ea543feb">f1e86ff0</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-20T10:28:50-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Refactored ACMEEngine.loadMetadata()
The ACMEEngine.loadMetadata() has been renamed into
initMetadata().
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/7eb2fc4838d2a0b4ee046aa888032abae8dcc831">7eb2fc48</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-20T10:29:38-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Refactored ACMEEngine.loadDatabaseConfig()
The ACMEEngine.loadDatabaseConfig() has been merged into
initDatabase().
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/6772ba8e9724629ab534cfe24ca9b49959e3850e">6772ba8e</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-20T10:30:22-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Refactored ACMEEngine.loadValidatorsConfig()
The ACMEEngine.loadValidatorsConfig() has been merged into
initValidators().
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/0c1916ea6cab0ab8a1f0eeb7ff61c5dd19c7cc3c">0c1916ea</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-20T10:30:45-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Refactored ACMEEngine.loadIssuerConfig()
The ACMEEngine.loadIssuerConfig() has been merged into
initIssuer().
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/3bda0a4feb7287b717f3d0e0118f93e5e1ac0fdd">3bda0a4f</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-20T10:31:52-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Refactored ACMEEngine.loadSchedulerConfig()
The ACMEEngine.loadSchedulerConfig() has been merged into
initScheduler().
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/87ab6e3c60331fe96c742b14876380172be525bb">87ab6e3c</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-20T10:38:23-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Refactored ACMEEngine.loadEngineConfig()
The ACMEEngine.loadEngineConfig() has been converted into
initMonitors().
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/249fae10d4dd945be9ced6f1713b926b056eacb8">249fae10</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-07-20T13:45:59-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix build with CMake out-of-source build change
Fedora 33 has introduced the following change proposal:
https://fedoraproject.org/wiki/Changes/CMake_to_do_out-of-source_builds
This makes CMake do out-of-source builds by default. However, Fedora has
opted to use the %{_vpath_builddir} macro as the location of the default
build directory, instead of the more standard (in the CMake community)
build/ directory. %{_vpath_builddir} expands to %{_target_platform},
giving a per-architecture build directory.
Replace build/ references with %{_vpath_builddir} in the RPM spec. In
the future, we could move %{__make} to %cmake_build instead.
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/11024cd36f14e99d7a62d4304ce7cfcf43d0c250">11024cd3</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-20T13:42:55-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fixed pki-server acme-metadata/database/issuer-mod commands
The pki-server acme-metadata/database/issuer-mod commands have
been modified to use PKIServer.store_properties() instead of
pki.util.store_properties() to ensure the file permission is
set correctly.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/a3ef1aa885e9a81bd7efa3ef876824842593763f">a3ef1aa8</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-20T13:42:55-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Added default ACME metadata.conf
The ACMEEngine and pki-server acme-metadata commands have
been modified to use the shared metadata.conf by default.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/bc899bec1957f7e338046fc17f4214e5a4d71b25">bc899bec</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-20T14:36:59-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Added runtime dependency on systemd
The pki-server package has been modified to explicitly require
systemd as runtime dependency since systemd is no longer part
of Fedora container image:
https://docs.fedoraproject.org/en-US/minimization/
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/9ddb383239f92e9d738b4b4eb2e1bac24e6abdca">9ddb3832</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-07-20T15:45:07-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Support JDK8 and JDK11 RPM builds
Fedora 33 is moving to Java 11 as the default JDK version:
https://fedoraproject.org/wiki/Changes/Java11
This will make JDK11 the default JDK in this release of Fedora.
We need to support a generic JAVA_HOME based on OpenJDK, so move to
/usr/lib/jvm/jre-openjdk as the JRE_HOME path. This is always provided,
regardless of whether or not the JDK or JRE is installed. Additionally,
we set the minimum Java version based on what is available on the
system.
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/1bc74857efc84538a9de6978ceb9a25a9fc0f07f">1bc74857</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-20T19:20:24-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fixed JAVA_OPTS parsing in PKISubsystem.run()
The PKISubsystem.run() parses JAVA_OPTS into a list of strings
and uses it as Java arguments. In some cases the list might
contain empty strings which can cause problems. The code has
been modified to remove empty strings from the list.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/3de067cf33f617c05c9b818080bbef738dd7f862">3de067cf</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-21T09:01:38-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Simplified ACME LDAP database parameters
The LDAPDatabase parameters have been simplified:
- basedn -> baseDN
- internaldb.ldapconn.host,port,secureConn -> url
- internaldb.ldapauth.authtype -> authType
- internaldb.ldapauth.bindDN -> bindDN
- internaldb.ldapauth.clientCertNickname -> nickname
- password.internaldb -> bindPassword
The old basedn parameter will continue to work but it has
been deprecated.
The internaldb.ldapauth.bindPWPrompt is no longer used so
it has been removed.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/ec612dbd04d9d5e4f1263925e9cb3d0a9562456b">ec612dbd</a></strong>
<div>
<span>by Coty Sutherland</span>
<i>at 2020-07-21T16:51:42-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix HTTP Request formatting in AdminConnection
AdminConnection's processRequest method creates a hand-rolled HTTP
request to the remote server. This is used by PKI Console when
authenticated as an administrator. Because of the recent CVE fix in
Tomcat (CVE-2020-1935), Tomcat will no longer accept \n (Line Feed)
terminated requests and headers, and instead reject them as a bad
request. We fix this by adding the missing and required CR, per HTTP
specification.
This fixes the following exception in PKIConsole:
java.io.IOException: 400
at com.netscape.admin.certsrv.connection.JSSConnection.readHeader(JSSConnection.java:537)
at com.netscape.admin.certsrv.connection.JSSConnection.initReadResponse(JSSConnection.java:497)
at com.netscape.admin.certsrv.connection.JSSConnection.sendRequest(JSSConnection.java:411)
at com.netscape.admin.certsrv.connection.AdminConnection.processRequest(AdminConnection.java:788)
at com.netscape.admin.certsrv.connection.AdminConnection.sendRequest(AdminConnection.java:681)
at com.netscape.admin.certsrv.connection.AdminConnection.sendRequest(AdminConnection.java:646)
at com.netscape.admin.certsrv.connection.AdminConnection.authType(AdminConnection.java:379)
at com.netscape.admin.certsrv.CMSServerInfo.getAuthType(CMSServerInfo.java:128)
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/0c41ac72c47f34b3dc1293768e656a03d3d283b5">0c41ac72</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-07-21T16:52:53-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Support exporting CA certificate from HSM installs
When installing an installation with subsystem SSL certificate residing
on the HSM, export will fail because the NSS DB isn't opened with the
specified HSM token. When the subsystem SSL certificate resides on the
HSM, when we go to export the CA certificate, we must explicitly specify
this token.
Otherwise, subsystem startup will fail with an error like:
systemd[1]: Starting PKI Tomcat Server topology-02-CA...
pki-server[72759]: Enter password for NHSM6000-OCS
pki-server[72759]: ERROR: Certificate not found: NHSM6000-OCS:Server-Cert cert-topology-02-CA
pki-server[72759]: ERROR: Command: pki -d /etc/pki/topology-02-CA/alias -C /tmp/tmpptxlpn4k/password.txt pkcs12-export --pkcs12 /tmp/tmp1idfd1am/sslserver.p12 --password-file /tmp/tmpc5y2bhjo/password.txt --no-key NHSM6000-OCS:Server-Cert cert-topology-02-CA
systemd[1]: pki-tomcatd@topology-02-CA.service: Control process exited, code=exited status=255
systemd[1]: pki-tomcatd@topology-02-CA.service: Failed with result 'exit-code'.
This is related to the earlier PR enforcing certificate verification
in PKIConnection, pr-#443.
Resolves: rh-bz#1857933
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/382de723e216870a1534ebacc51c427ba2f5a0d5">382de723</a></strong>
<div>
<span>by Dinesh Prasanth M K</span>
<i>at 2020-07-22T13:24:25-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix pylint issue in healthcheck
This patch fixes the pylint issue caught in our CI. This
is a regression of change introduced in freeipa-healthcheck:
https://github.com/freeipa/freeipa-healthcheck/commit/d247c6158169a4ff97cd35ac57fec4e355617c52#diff-3aa64e1b97b8e0bf584a86cbe79986c4
Signed-off-by: Dinesh Prasanth M K <dmoluguw@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/75fed9db697d2e51137cd8cd60d8402a123b4bca">75fed9db</a></strong>
<div>
<span>by Dinesh Prasanth M K</span>
<i>at 2020-07-22T13:48:47-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Print the SD name when executing pki-server status
Signed-off-by: Dinesh Prasanth M K <dmoluguw@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/08370498e120b5f2d880b4fe78cf19a488e8b8eb">08370498</a></strong>
<div>
<span>by Dinesh Prasanth M K</span>
<i>at 2020-07-22T13:48:47-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix pki-server status CLI to accept nuxwdog enabled service
This patch fixes pki-server to pick up the right systemd unit file
name if the nuxwdog is enabled on the PKI server.
Signed-off-by: Dinesh Prasanth M K <dmoluguw@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/951bad9d0aad4fd249472399e5c8fd2a10cb3ab4">951bad9d</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-22T14:53:53-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Added ACMEEngineConfig
The ACMEEngineConfig has been added to encapsulate ACME engine
configuration such as the enabled flag.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/2a8e25fb2c02d7093bf9565b6bbd379faa5c9897">2a8e25fb</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-22T14:53:53-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Refactored ACMEPolicy
The ACMEPolicy has been moved into org.dogtagpki.acme.server.
The enableWildcardIssuance field has been moved into a new
ACMEPolicyConfig class. The wildcard property in engine.conf
has been renamed into policy.wildcard.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/5cc193e645bd3a24664509760d13a11d445f8c87">5cc193e6</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-22T14:53:53-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Removed hard-coded ACME validity policies
The ACMEValidityConfig has been added to encapsulate the
validity configuration of ACME objects including nonces,
authorizations, and orders.
The hard-coded validity policies for ACME nonces, valid
authorizations, pending and valid orders have been
replaced with configurable properties in engine.conf.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/a93a65be0b1bcf94e004ba59c6a0c8a2c086936f">a93a65be</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-07-22T17:02:50-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Re-fix sanitization in CMSTemplate
When fixing CVE-2019-10179 originally in
8884b4344225bd6656876d9e2a58b3268e9a899b,
I had switched to Apache Commons Lang2's
sanitization framework. However, I didn't
enable the HTML sanitization necessary to
fix this CVE.
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/db703d1de043688421e70e0c94d90baae0e92e1c">db703d1d</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-22T18:44:10-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Added sample ACME database URLs
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/6e10833110df629900294b3077158addf624f0b3">6e108331</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-22T19:48:35-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fixed ACME scheduler
The ACMEScheduler has been modified to no longer throw a
RuntimeException if a task execution fails such that the
task will be executed again in the next scheduled time.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/eb213bd09fc2e1191b3aaa5d9f8eeedbd85f3e5f">eb213bd0</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-23T12:58:06-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add sample PKI issuer URL and profile
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/8c41352aa8d1704b0690704df45b28a8fac03340">8c41352a</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-23T12:58:16-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Updated ACME install doc
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/6f18a954c0b364066ed515ecee8dcb10f75e3310">6f18a954</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-23T12:58:16-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fixed InMemoryDatabase.getOrdersByAuthorizationAndStatus()
The InMemoryDatabase.getOrdersByAuthorizationAndStatus() has
been modified to use String.equals() to compare order status.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/40bd67c353022a4c6391d9e3e2e6ec3b8a1eb862">40bd67c3</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-23T12:58:16-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Updated pki-server acme-database/issuer-mod
The pki-server acme-database/issuer-mod commands have been
modified to load the database.conf/issuer.conf template if
the database/issuer type was changed.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/f2641150a980fb42c290a82eb6a6acb8888068b7">f2641150</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-23T20:35:53-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fixed PKIServerFactory.create()
The PKIServerFactory.create() has been modified to check
whether the /etc/sysconfig/<instance> file exists before
trying to open it.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/28e19202b2c27db69cd1e3e8640976c3a347d900">28e19202</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-23T20:44:00-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Reorganized PKI server install docs
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/41b0226a945f33b986d7bae5a8369ada43ea26d8">41b0226a</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-27T17:12:24-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Updated log messages in PostgreSQLDatabase
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/46a66d65ab423bcd6756ed46bfa7e2ddd1fd67ae">46a66d65</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-27T17:12:33-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Reorganized ACME deployment on OpenShift doc
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/bf22510512870757d4070eac77fd407502683526">bf225105</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-07-28T14:52:20-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add TPS auditor
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/9da92ed353f7466e9f49679b9ab66c8ab6767217">9da92ed3</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-07-28T14:54:12-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Move PrettyPrint{Cert,Crl} to PKI_LIB classpath
JDK since v1.6 supports passing a directory with a glob (*) after it to
include all JARs in that given directory on the classpath. That is the
mechanism used by pki_java_command_wrapper.in which we should reuse for
the two CLIs which don't use that wrapper.
Resolves: rh-bz#1854043
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/fd5222105813e100cfb5cb50e6d154d6306480db">fd522210</a></strong>
<div>
<span>by Dinesh Prasanth M K</span>
<i>at 2020-07-29T15:31:10-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">CI: Collect journalctl logs always during IPA tests
Signed-off-by: Dinesh Prasanth M K <dmoluguw@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/c8c55f989ac88e53d08ab39267ee82ba0f0ecb7a">c8c55f98</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-29T16:45:07-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Added openshift-acme deployment doc
A new doc has been added for deploying openshift-acme with
PKI ACME responder as the certificate issuer.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/a0a06387da2f5fa0915a4602bdb4124b250d207a">a0a06387</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-29T17:45:10-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fixed CAInfoService.getKRAInfoClient()
The CAInfoService.getKRAInfoClient() and
CAService.getConnector() have been modified to use the
client certificate specified in the CA's KRA connector to
access KRA. If the client certificate is missing, it will
use the subsystem certificate instead.
The CAInfoService has also been modified to propagate
any exception during the above operation to the caller.
https://bugzilla.redhat.com/show_bug.cgi?id=1861911
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/038012850b303019b454ae3921684d36472c0746">03801285</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-29T22:18:44-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Reorganized ACME user doc
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/7b18448616a64071985cce1ecd50fae3376fc45f">7b184486</a></strong>
<div>
<span>by 06shalini</span>
<i>at 2020-07-30T20:59:57+05:30</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Changes done to run the upstream pytest-ansible tests on Fedora32 and with latest packages (#393)
* Changes done to run the upstream pytest-ansible tests on Fedora32 and with latest packages
- Changes includes:
- Change in .gitlab_ci.yml to spawn instance by using latest osp_provision.py
[with PSI resource issues].
- Change in .gitlab_ci.yml to use Fedora 32 image.
- Addition of post_provision.yml to get latest repo.
Signed-off-by: Shalini Khandelwal <skhandel@redhat.com>
* Code cleanup of osp_provision.py
Signed-off-by: Shalini Khandelwal <skhandel@redhat.com>
Co-authored-by: Shalini Khandelwal <skhandel@redhat.com></pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/23ae8b29a9f6bf2a558eb184f0ed3077150c9bf2">23ae8b29</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-30T10:58:42-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Refactored ACMEPolicyConfig
The retention policies in ACMEPolicyConfig have been moved
into ACMERetentionConfig. The configuration properties have
been renamed into policy.retention.<name>.<param>. The
ACMEValidityConfig has been renamed into ACMERetention.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/64b37227b3d10a7fddebd00c560e355365003ee7">64b37227</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-30T10:58:42-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Added retention policies for ACME authorizations
The ACME responder has been modified to support retention
policies for pending and invalid authorizations.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/769069bb6a2c56f10d7263f1b7d79b560d102b9c">769069bb</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-30T10:58:42-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Added retention policies for ACME orders
The ACME responder has been modified to support retention
policies for invalid, ready, and processing orders.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/64a83f58aeac1ebb3e6c75e52b7eb6cf5176ccf8">64a83f58</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-30T10:58:42-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Added ACMEDatabase.removeExpiredCertificates()
The ACMEDatabase.removeExpiredCertificates() has been added
to remove expired certificates from ACME database.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/0c1cac7270c26c499c0934870b13b3935da358ad">0c1cac72</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-30T10:58:42-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Added ACMECertificate
The ACMECertificate has been added to encapsulate certificate
records in ACME database.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/d3957e6ca257277424ce0599408592a061eadca3">d3957e6c</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-30T10:58:42-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Added retention policy for ACME certificates
The ACME responder has been modified to support retention policy
for certificate records in ACME database.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/4bbb201c5c1874c7c43651f0b02ddfc9b44cc40f">4bbb201c</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2020-07-30T10:59:56-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add missing required targets for pki-acme-classes target
Parallel build fails because of the races caused by the missing
(not yet built) jars.
Fixes: https://pagure.io/dogtagpki/issue/3196
Signed-off-by: Stanislav Levin <slev@altlinux.org>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/0cff9cd5090320e385acb787c005cba3f92e760a">0cff9cd5</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2020-07-30T13:08:14-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix instance nssdb directory ownership
There was a typo in code which sets the ownership
of NSSdb directory and its content. This results
in the group with the same gid as pkiuser uid
can control this directory.
Fixes: https://pagure.io/dogtagpki/issue/3195
Signed-off-by: Stanislav Levin <slev@altlinux.org>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/34807cb77039b240701f527d037a1b32ebe7ed36">34807cb7</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-30T16:33:20-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Refactored PKI_DEPLOYMENT_DEFAULT_SYMLINK_PERMISSIONS
The PKI_DEPLOYMENT_DEFAULT_SYMLINK_PERMISSIONS has been
replaced with pki.server.DEFAULT_LINK_MODE.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/0aeacb09911623f79d20108ce96b2714095bdbf3">0aeacb09</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-30T16:33:20-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Updated log messages in PKIInstance
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/268c08ea4c07206bcd22a6c958ad395a00cd9842">268c08ea</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-30T16:33:20-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Reorganized ACME Podman doc
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/a287c3a02e3d812db231303c76f78a6cb82ab556">a287c3a0</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-30T16:33:20-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Reorganized ACME install doc
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/e4c35cbc1e943801eec635114f9d6296113878f3">e4c35cbc</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-30T16:33:20-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Updated links to ACME config doc
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/fc95262d8e42e02fb5f02b3d1380c81d729b192d">fc95262d</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-30T16:33:20-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Restored ACME tech preview notification
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/bedf1adc9c618b372885b4ef288685684872f87b">bedf1adc</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-30T22:06:05-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Renamed value field in ACMENonce
The value field in ACMENonce has been renamed to id
for consistency.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/183558fa9df101442c27201f6c7fbd3fdfdd6044">183558fa</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-30T22:11:52-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Renamed nonce value variables in ACMEDatabase
The nonce value variables in ACMEDatabase have been renamed
to nonceID for consistency.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/63368b0f492e50f5a6fb0cb4778da8fed5a604bc">63368b0f</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-30T22:11:57-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Renamed nonce value column/attribute in ACME database
The nonce value column/attribute in ACME database
has been renamed to id for consistency.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/a1235c3e22867605a816c1ae844d2e2a8b645f50">a1235c3e</a></strong>
<div>
<span>by jmagne</span>
<i>at 2020-07-31T10:20:48-07:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Address Bug 1462291 - CRL autoupdate from CS.cfg (#503)
This fix allows the admin to request that a change to this crl CS.cfg setting:
ca.crl.MasterCRL.autoUpdateInterval=xxx
This fix will allow the system to attempt to use the new value of auto update
immediately. The previous longstanding behavior was to have the new interval take affect,
AFTER the currently scheduled nextUpdate time.
What this fix does is allow the use of a new CS.cfg parameter:
ca.crl.MasterCRL.autoUpdateInterval.effectiveAtStart=true
This parameter must be inserted before a restart to allow this behavior to take place at all.
Without the param everything should be working as normal.
After changing the CS.cfg value, the server must be restarted.
At this point the delay time for the next update will be calculated based on the new auto update interval.
Previously the code would simply ignore the new calculated value and take whatever is already encoded into the
"nextUpdate" field of the crl.
This fix allows the new value to be accepted. Here are some caveats on how this thing behaves:
1. If the autoUpdate interval is made smaller , this thing works as expected, having the next update take place
in roughly the amount of time in the new interval.
2. If making the interval smaller, makes the calculated next update in the past, the update will occur now and then the
nextUpdate will be calculated with the new schedule..
3. If the admin makes the autoUpdate interval larger, the behavior is a little different.
Due to the fact that the calculations made with the new interval, is based off of starting with the time stamp
for "yesterday" or the very first daily update from yesterday, the new nextUPdate time calculated may be less
than simply adding the the new interval to the last update.
This fix was coded by allowing the current very comnplicated algorithm to calculate the nextUpdate do it's thing
while at the end of the process, this code simply chooses what is calculated instead of what is already encoded within
the crl's nextUpdate field.
Therefore if the new param is never set, nothing changes. This param should be used with care.
If the agent goes to the display crl page, the new value can easily be viewed as well as the debug log.
4. After the operation takes place the flag inside the server will be cleared and this feature will no longer
be attempted while the server is running.
5. The admin must clear the schedulUpdated setting before the restart to assure normal operation after the next restart.
Co-authored-by: Jack Magne <jmagne@localhost.localdomain></pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/607407e2641cf7f27009cf4ac2059043551ef53c">607407e2</a></strong>
<div>
<span>by Christina Fu</span>
<i>at 2020-07-31T11:40:54-07:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Bug1805541 Doc for Certificate Transparency with embedded SCT
Created CertificateTransparency.adoc which provides documentation for
the Certificate Transparency feature for the RHCS Administrator's guide.
https://bugzilla.redhat.com/show_bug.cgi?id=1805541
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/7b6b6aa8fc8e8596b3065ee149bdc5fbbe06704e">7b6b6aa8</a></strong>
<div>
<span>by Christina Fu</span>
<i>at 2020-07-31T16:39:21-07:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">CertificateTransparency.adoc default mode is "disabled" instead of "enabled"
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/0932b0eabfc77210492dc44927a3560c85b8c02f">0932b0ea</a></strong>
<div>
<span>by jmagne</span>
<i>at 2020-07-31T17:02:54-07:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Resolve: Bug 1454922 - [RFE] Need Ability to set the CRL This Update to be a Future Date when Generating a CRL. (#504)
This fix allows the admin to request this feature only by using the command line sslget utility to make such a request.
The result will be haviing the "thisUpdate" field of the generated crl set to some arbitrary date in the future.
The nextUpdate field will be calculated as normal by calculating that as an offset to the future thisUpdate value requested.
There is also a new CS.cfg value designed to simply disallow the use of the feature whateover:
ca.crl.MasterCRL=forbidFutureThisUpdateValue=true (which is by default) will ignore any attempts to use this feature.
This feature does not as of yet support the GUI and will ONLY be available when ussing sslget to request a CRL update on demand.
Also there is a parameter to sslget that will allow the user to erase or cancel the whole custom future thisUpdate and
return crl processing to normal. Examples to follow:
Example 1, request an updated CRL with a custom future thisUpdateValue:
sslget -n "PKI Administrator for localhost.localdomain" -e "crlIssuingPoint=MasterCRL&signatureAlgorithm&waitForUpdate=true&clearCRLCache=true&customFutureThisUpdateDateValue=2020:9:22:13:0:0" -v -d . -p "" -r /ca/agent/ca/updateCRL localhost.localdomain:8443
Note the param for this feature is customFutureThisUpdateDateValue=<date>
The date format is this: 2020:9:22:13:0:0
The linux date utility can be used to make a date in this format. It's simply
year,month,day, hour, min ,sec, with min and sec optional.
The month is based on 1, with Jan = 1.
Example 2: clear the whole future thisUpdate an get back to normal:
sslget -n "PKI Administrator for localhost.localdomain" -e "crlIssuingPoint=MasterCRL&signatureAlgorithm&waitForUpdate=true&clearCRLCache=true&cancelCurCustomFutureThisUpdateValue=true" -v -d . -p "" -r /ca/agent/ca/updateCRL localhost.localdomain:8443
This will erase the current custom future thisUpdate and calculate the nextUpdate based on the actual current time.
This fix was done without affecting the complex calculations made to calculate update frequency. This only allows one, if they desire, to set thisUpdate to some futuristic time.
If a future thisUpdate time is chosen as in Ex 1, the nextUpdate time will be chosen based on that future date.
The Agent GUI can be used to display the CRL will reflect the new thisUpdate and nextUpdate values.
Co-authored-by: Jack Magne <jmagne@localhost.localdomain></pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/55d8a652eaf698d017c98b9d322c9e41cba723a0">55d8a652</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-31T19:46:29-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fixed PostgreSQL ACME database time zone (part 1)
The PostgreSQLDatabase has been modified to store timestamps
in UTC time zone.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/880a02d9bb2547e0f1b8f37e034888ee81fb5347">880a02d9</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-31T19:46:29-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fixed PostgreSQL ACME database time zone (part 2)
The PostgreSQL ACME database has been modified to use
timestamps with time zone.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/2a0a2fceeac4b0fba41086422dec7b8a9ae93b36">2a0a2fce</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-31T19:46:29-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fixed LDAP ACME database time zone
The LDAPDatabase ACME has been modified to store timestamps
in UTC time zone.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/4cfd4cc115598aa15f825ed2f31932b6cc95ab76">4cfd4cc1</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-31T19:46:29-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Cleaned up PostgreSQLDatabase
The PostgreSQLDatabase has been modified to call connect()
only in public methods implementing LDAPDatabase.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/b047c13247fbc7a0d330b598ed87dfec0bb26cb7">b047c132</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-31T21:16:44-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Updated version number to 10.9.0-1
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/c5db17c86c84a565e21d729fc714bc475e0786ee">c5db17c8</a></strong>
<div>
<span>by Dinesh Prasanth M K</span>
<i>at 2020-08-06T12:38:16-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix Secure connection issue when server is down
When the PKI server is down, the server is temporarily
brought up using a temporary SSL server cert. This cert
needs to be trusted to enable secure connection.
This patch:
* allows passes instance's nssdb as the client nssdb to
trust the SSL server created during cert-fix (offline
cert renewal process).
* Gets the hostname using socket instead of from env
variable
Signed-off-by: Dinesh Prasanth M K <dmoluguw@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/commit/f4b72edb5c703c0a8aae64ae07970407c83f656c">f4b72edb</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-08-06T11:55:45-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Updated version number to 10.9.1
</pre>
</li>
</ul>
<h4>30 changed files:</h4>
<ul>
<li class="file-stats">
<a href="#4b905b3ce8db4f70f4829d47fb4b4f852ff810a2">
.github/workflows/required-tests.yml
</a>
</li>
<li class="file-stats">
<a href="#9a2aa4db38d3115ed60da621e012c0efc0172aae">
CMakeLists.txt
</a>
</li>
<li class="file-stats">
<a href="#0b3cc8b828fd333d07b22c8f8cd7923f0bf75ea9">
base/acme/CMakeLists.txt
</a>
</li>
<li class="file-stats">
<a href="#63ffd8e45cfcae6135a76ec084286fce4acc3a2f">
<span class="new-file">
+
base/acme/Dockerfile
</span>
</a>
</li>
<li class="file-stats">
<a href="#3ac070b7ef260099afd86c117e7d4ac02c430297">
<span class="deleted-file">
−
base/acme/conf/database/ldap/database.conf
</span>
</a>
</li>
<li class="file-stats">
<a href="#45680823c211c17f33667b72b24512d2eae61bca">
base/acme/conf/engine.conf
</a>
</li>
<li class="file-stats">
<a href="#da91ed988e696479a7811434d238186996337061">
<span class="new-file">
+
base/acme/conf/scheduler.conf
</span>
</a>
</li>
<li class="file-stats">
<a href="#cfa8b901bce5d4dd7d2ba2cf819e2b7ee1a8ae5e">
base/acme/conf/database/in-memory/database.conf
→
base/acme/database/in-memory/database.conf
</a>
</li>
<li class="file-stats">
<a href="#cd414bf01c797d3be6764d5c5d7c98cf9de39ac0">
base/acme/conf/database/ldap/create.ldif
→
base/acme/database/ldap/create.ldif
</a>
</li>
<li class="file-stats">
<a href="#770f6efce9770f3dcdc8ff0655313bca2334f7a0">
<span class="new-file">
+
base/acme/database/ldap/database.conf
</span>
</a>
</li>
<li class="file-stats">
<a href="#2b90e8da42abde5c1605767936beb0e202a3e02f">
base/acme/conf/database/ldap/schema.ldif
→
base/acme/database/ldap/schema.ldif
</a>
</li>
<li class="file-stats">
<a href="#09e2e7949ea81561c8eec8bd61d7b74d4a27392a">
base/acme/conf/database/postgresql/create.sql
→
base/acme/database/postgresql/create.sql
</a>
</li>
<li class="file-stats">
<a href="#1d30cdf549e58be2c3de419d367702c40b6de24a">
base/acme/conf/database/postgresql/database.conf
→
base/acme/database/postgresql/database.conf
</a>
</li>
<li class="file-stats">
<a href="#6f049b0c092ff159fd4e1ebd30f0939fb652ec1b">
base/acme/conf/database/postgresql/drop.sql
→
base/acme/database/postgresql/drop.sql
</a>
</li>
<li class="file-stats">
<a href="#f88eee053fb2ebc8ec64730ea2a26bf82714ecc3">
base/acme/conf/database/postgresql/statements.conf
→
base/acme/database/postgresql/statements.conf
</a>
</li>
<li class="file-stats">
<a href="#df4212ae2676b8911805ff064b4a156f39bfd859">
<span class="new-file">
+
base/acme/issuer/nss/ca_signing.conf
</span>
</a>
</li>
<li class="file-stats">
<a href="#69bf2c7992257dd1343211a5a106d2b67c0f3b5c">
<span class="new-file">
+
base/acme/issuer/nss/issuer.conf
</span>
</a>
</li>
<li class="file-stats">
<a href="#b0d06e9530190f72cc266eae534b58c1b4fe3528">
<span class="new-file">
+
base/acme/issuer/nss/sslserver.conf
</span>
</a>
</li>
<li class="file-stats">
<a href="#d81459437271930afb0f2674c508548e08ac34d8">
base/acme/conf/issuer/pki/issuer.conf
→
base/acme/issuer/pki/issuer.conf
</a>
</li>
<li class="file-stats">
<a href="#d1b41b2bc7573bd998bb9f8da9b76cc58e89a647">
<span class="new-file">
+
base/acme/openshift/pki-acme-certs.yaml
</span>
</a>
</li>
<li class="file-stats">
<a href="#249eb09eefad52de4b9ed8781b08fd379e7dbe40">
<span class="new-file">
+
base/acme/openshift/pki-acme-database.yaml
</span>
</a>
</li>
<li class="file-stats">
<a href="#c565b1970758217a97cb948e724f423c9f0ad719">
<span class="new-file">
+
base/acme/openshift/pki-acme-deployment.yaml
</span>
</a>
</li>
<li class="file-stats">
<a href="#bcbf49f0483745ffaa41d222adcf1196a2615885">
<span class="new-file">
+
base/acme/openshift/pki-acme-is.yaml
</span>
</a>
</li>
<li class="file-stats">
<a href="#a0fe44ed5cab5a0fd6768967458f62e2da03b026">
<span class="new-file">
+
base/acme/openshift/pki-acme-issuer.yaml
</span>
</a>
</li>
<li class="file-stats">
<a href="#9fdca7ddc622af12af706e3bec4d64760410530e">
<span class="new-file">
+
base/acme/openshift/pki-acme-metadata.yaml
</span>
</a>
</li>
<li class="file-stats">
<a href="#4184a169ebb95e077ba16a0bbb8ed88951ad502f">
<span class="new-file">
+
base/acme/openshift/pki-acme-route.yaml
</span>
</a>
</li>
<li class="file-stats">
<a href="#842eaa5a21aef4b21725ae633c080759925e4e0c">
<span class="new-file">
+
base/acme/openshift/pki-acme-svc.yaml
</span>
</a>
</li>
<li class="file-stats">
<a href="#81e9cce3810533652ac172671aae8e2aaf9328c3">
<span class="new-file">
+
base/acme/sbin/pki-acme-run
</span>
</a>
</li>
<li class="file-stats">
<a href="#498f86c52b24f5138ab789b97583252a188ec87e">
<span class="new-file">
+
base/acme/src/main/java/org/dogtagpki/acme/ACMECertificate.java
</span>
</a>
</li>
<li class="file-stats">
<a href="#ea9353d1648a7cbe3c07a3aa7c3955089f131c3b">
base/acme/src/main/java/org/dogtagpki/acme/ACMENonce.java
</a>
</li>
</ul>
<h5>The diff was not included because it is too large.</h5>
</div>
<div class="footer" style="margin-top: 10px;">
<p style="font-size: small; color: #777;">
—
<br>
<a href="https://salsa.debian.org/freeipa-team/dogtag-pki/-/compare/f7cd25bc03521876ed553ccb6584fad2004e30a9...f4b72edb5c703c0a8aae64ae07970407c83f656c">View it on GitLab</a>.
<br>
You're receiving this email because of your account on salsa.debian.org.
If you'd like to receive fewer emails, you can
adjust your notification settings.
</p>
</div>
</body>
</html>