[Pkg-freeipa-devel] dogtag-pki: Changes to 'refs/tags/debian/10.5.3-1'
Timo Aaltonen
tjaalton at moszumanska.debian.org
Thu Dec 21 16:11:45 UTC 2017
Tag 'debian/10.5.3-1' created by Timo Aaltonen <tjaalton at debian.org> at 2017-12-21 16:11 +0000
tagging package dogtag-pki version debian/10.5.3-1
Changes since debian/10.3.5+12-5:
Abhijeet Kasurde (1):
Added check for pki-server-nuxwdog parameter
Ade Lee (102):
Fix CertRequestInfo URLs
Refactor SecurityData archival and recovery code
Modify retrieval and archival mechanisms in KRA REST
Add option to pass existing request to retrieveKeyCLI
Add field to KeyData to allow request to be returned when non-synchronous
Fix approvals for asynchronous requests
Fix auditing and rename kra.ephemeral as per review comments
Add python-client code for key resource changes
Fix bug in getting secrets from approved request
Add option to remove signing cert entry
Fix allowed key usages list for symkey generation
Remove unused method
Refactored EncryptionUnit
Parametrize the encryption functions
Parametrize crypto methods part 2
Parameterize crypto functions, part 3
Cleanup exception handling
Refactor exception handling in the EncryptionUnit
Refactor key recovery to centralize crypt functions
Remove unused method
Refactored EncryptionUnit
Parametrize the encryption functions
Parametrize crypto methods part 2
Parameterize crypto functions, part 3
Cleanup exception handling
Refactor exception handling in the EncryptionUnit
Refactor key recovery to centralize crypt functions
Change internal wrapping to AES
Fix incorrect function in generating symmetric keys.
Change transport unit to create wrapping parameters based on incoming data
Fix wrapping params on the security data recovery service
Refactor crypto code
Continue to move more crypto into CryptoUtil
Add config options to allow storage wrappings to be set
Merge branch 'master' of github.com:dogtagpki/pki
Merge "Add config options to allow storage wrappings to be set"
Add config options to allow storage wrappings to be set
Merge github.com:dogtagpki/pki
Fix Java client to use AES
Added infoClient to PKIClient to get server info
Merge "Fix Java client to use AES"
Merge "Added infoClient to PKIClient to get server info"
Added comparator function to version
Refactor code that creates PKIArchiveOptions objects
Merge github.com:dogtagpki/pki
Change CRMFPopClient to use AES-KeyWrap with padding
Modify storage unit to generate a new IV
Fix retrieval for symmetric keys
Fix generation of CRMF request for ECC keys
Change default key size for KRA storage unit to 128
Added python info client
Add util code to source environment files
Merge "Added python info client"
Merge "Add util code to source environment files"
Added python info client
Add util code to source environment files
Merge github.com:dogtagpki/pki
Fix pylint errors
Add python-cryptography crypto provider
Add code in KRA python client to support multiple crypto algorithms
Modify the classpath to work correctly with eclipse in f25+
Add KRAInfo resource
Add CAInfo resource
Modified CRMFPopClient to use correct wrapping for encrypt case
Fix python issues identified in review
Fix symkey retrieval in python client
Add field to indicate if key was encrypted or wrapped
Allow key recovery to use encrypted field in key record
Modify cert clients to check server for wrapping params
Make sure connection is always closed
Modify the key client to default to 3DES
Fix DES3 using python-cryptography provider
Fix symkey retrieval using NSS python client
Make sure generated asym keys are extractable
Use AES-CBC in storage unit for archival in key wrapping
Fix symmetric key retrieval in HSM
Encapsulate the archival audit log
Encapsulate archival processed audit logs
Encapsulate key recovery audit events
Encapsulate recovery processed audit events
Eliminate async recovery audit events
Encapsulate key retrieval audit events
Fix auditing in retrieveKey
Encapsulate recovery request approval audit logs
Fix failing audit log
Make sure archivalID is passed through archival
Simplify recovery audit logging
Encapsulate symmetric and asymmetric keygen audit events
Encapsulate key status change audit logs
Encapsulate server side keygen audit events
Set encryption flag for generated keys
Convert CMC code to use AES
Fix NPE in audit log invocation
Refactor client to not use keysets
Server side changes to correctly parse the new PKIArchiveOptions
Stop using hardcoded IV in CMC
Add possible keywrap algorithms to usage
Add one more possible keywrap algorithm to usage
Fix 3DES archival
Fix token enrollment and recovery ivs
Add doc on using nuxwdog with HSM tokens
Add pkispawn option for ephemeral requests
Amol Kahat (2):
Added -t and --token information in pki man page.
Fixed typo in pki-server db command
Christian Heimes (10):
Misc pylint, flake8 and tox fixes
Added python3-pyldap build dependency
Fix for pylint when using Python 3.6
Add Travis CI to compose core RPM packages
Spawn a CA and KRA on Travis
Get journald output from test container
Python 3 support and Travis testing
pki.authority: Don't send header as POST body
pkispawn: wait after final restart
Ignore empty key in read_environment_files
Christina Fu (38):
Ticket #2446 pkispawn: make subject_dn defaults unique per instance name (for shared HSM)
Ticket #1527 TPS Enrollment always goes to "ca1" (bug fix)
Ticket #2496 Cert/Key recovery is successful when the cert serial number and key id on the ldap user mismatches
Ticket #2498 Token format with external reg fails when op.format.externalRegAddToToken.revokeCert=true
a few simple debugging messages in TPS that will make debugging easier.
Ticket #2534 Automatic recovery of encryption cert - CA and TPS tokendb shows different certificate status
Ticket #2534 (additional) - reset cert status after successful unrevoke
Ticket #1741 ECDSA certs Alg IDs contain parameter field
pagure#2605 CMC feature: id-cmc-identityProofV2 per rfc5272 (part 1)
pagure#2605 (add one missing method) CMC feature: id-cmc-identityProofV2 per rfc5272 (part 1)
Bug 1419734 CMC: id-cmc-identityProofV2 feature implementation This patch adds both client and server support for two cmc controls: id-cmc-identityProofV2 - for supporting RFC5272, and id-cmc-identification - for assisting in shared secret search; Note: for client, only CMCRequest is updated in this patch
Bug 1419742: CMC RFE: provide Proof of Possession for encryption cert requests CMC encryptedPOP and decryptedPOP (Phase 1) also disable lraPOPwitness This patch implements the Proof of Possession for encryption only keys. This is a preliminary implementation with limitations. It does not support more than one request. ECC keys are untested. This version only uses default algorithms at some internal places. Not all limitations are listed here.
Bug #2615 CMC: cleanup code for Encrypted Decrypted POP This patch adds more error checking and debugging
Ticket #2614 CMC: id-cmc-popLinkWitnessV2 feature implementation This patch provides the feature for CMC on handling id-cmc-popLinkWitnessV2
Ticket #2717 CMC user-signed enrollment request
Ticket #2617 added the new caFullCMCUserSignedCert profile in CS.cfg
Bug 1447145 - CMC: cmc.popLinkWitnessRequired=false would cause error
Ticket2673- CMC: allow enrollment key signed (self-signed) CMC with identity proof
Ticket#2618 feature: pre-signed CMC renewal request
Ticket #2617 part2: add revocation check to signing cert
Ticket #2619 Allow CA to process user-signed CMC revocation requests
Ticket#2737 CMC: check HTTPS client authentication cert against CMC signer
Ticket #2618 UniqueKeyConstraint fix on subjectDN comparison
Ticket #2616 CMC: id-cmc-statusInfo ==> id-cmc-statusInfoV2
Ticket #2779 cmc plugin default change
Ticket #2757 CMC enrollment profiles for system certificates
Ticket #2788 Missing CN in user signing cert would cause error in cmc user-signed
Ticket #1665 (code realignment) Certificate Revocation Reasons not being updated in some cases
Ticket #2742 CMC: CMC request are available on the CA Agent page even after Rejected status in Audit logs
Merge branch 'cmcReqs'
Ticket #1559 email notification failed.
Ticket #2772 TPS: correct tokenOrigin and tokenType attrs for recovered externalReg certs
Ticket 2772 (added patch) ExternalReg tokenOrigin for recovered cert
Ticket #2631 ExternalReg Recovery needs to go to the kra in user record
Ticket #2604 RFE: shared token storage and retrieval mechanism
Ticket #2834-Missing CN causing NPE in CMCAuth
Ticket #2819 Incorrect SubjectID for CMC_SIGNED_REQUEST_SIG_VERIFY
Ticket #2861 ExternalCA: Failures in ExternalCA when tried to setup with CMC signed certificates
Dinesh Prasanth M K (13):
Smoke test with FreeIPA
Patch for "pki-server subsystem-cert-update" command
Temp SSL Certificate Creation - Offline System Certificate Renewal
Added CLI tools to pki-server
Added support to create & import cert in pki-server tool
Added tool for create permanent certificates online
Updated cert-create and nssdb tool to get cert info
Concurrent Travis CI build
Added man pages for `pki-server cert` module
Fixed Travis CI python env
Docker images have been updated to Fedora 26
Added tool for selftest enable/disable through CLI
Updated Travis to use the Docker image from new repo.
Endi S. Dewata (605):
Removed PKCS #7 from add user cert dialog in TPS UI.
Added cert validation error message in selftest log.
Added exception wrapper for invalid LDAP attribute syntax.
Removed misleading log in SelfTestSubsystem.
Fixed SelfTestService.findSelfTests().
Added debug messages for ConfigurationUtils.handleCerts().
Allowing optional CA signing CSR.
Updated pki-server subsystem-cert-update CLI.
Added upgrade script to fix deployment descriptors.
Updated RPM spec for RHEL.
Fixed default token name for system certificates.
Moved subsystem initialization after database initialization.
Fixed debug log in UpdateNumberRange servlet.
Added support to create system certificates in different tokens.
Removed FixSELinuxContexts upgrade script.
Updated RPM spec.
Removed support for creating system certificates in different tokens.
Troubleshooting improvements for SigningUnit.
Troubleshooting improvements for ConfigurationUtils.
Additional improvements for SigningUnit.
Removed duplicate classes.
Troubleshooting improvements for GetCertChain.
Fixed NSSDatabase.create_request().
Fixed ConfigurationUtils.importCertChain().
Fixed Eclipse classpath for Fedora 23.
Fixed installation error message.
Fixed pki-nsutil build order.
Fixed CryptoUtil.getTokenName().
Fixed TPS UI system menu.
Fixed TPS UI for agent approval.
Fixed typo in UserPwdDirAuthentication.
Troubleshooting improvement for ConfigurationUtils.handleCerts().
Reformatted SecurityDataRecoveryService.serviceRequest().
Fixed KRA key recovery via CLI in FIPS mode.
Fixed default OCSP port in server.xml.
Fixed exception message in PKCS12Util.loadFromByteArray().
Added constructors to chain EPropertyException.
Fixed resource leak in OtherName.
Fixed resource leak in GenericASN1Extension.
Fixed resource leak in OCSPNoCheckExtension.
Fixed resource leak in ExtendedKeyUsageExtension.
Fixed resource leak in InhibitAnyPolicyExtension.
Replaced deprecated DefaultHttpClient.
Replaced deprecated ProxyParser.
Added man pages for PKCS #12 utilities.
Updated pki-core.spec.
Reverted policy framework deprecation.
Generalized list of files in CMakeLists.txt.
Moved policy framework classes to org.dogtagpki.legacy.
Fixed problem installing subordinate CA with HSM in FIPS mode.
Fixed hanging subordinate CA with HSM installation in FIPS mode.
Removed unused CA and KRA logging.properties.
Removed unused OCSP, TKS, and TPS logging.properties.
Updated logging.properties.
Updated log4j.properties.
Added man pages for logging configuration.
Updated spec file for logging configuration man pages.
Update PKCS12Util to use SLF4J.
Updated AccountInfo.
Fixed TPS UI system menu.
Fixed TPS UI for agent approval.
Updated pki-cert man page.
Refactored PKIConnection.get().
Fixed problem with pki user-cert-add.
Revert "Replaced deprecated ProxyParser."
Revert "Replaced deprecated DefaultHttpClient."
Updated NSS dependency on Fedora.
Fixed user certificate renewal using pki client-cert-request.
Fixed pki-tools build order.
Removed redundant find_file() for Tomcat libraries.
Refactored pki_copytree().
Refactored master & slots dictionaries creation.
Refactored user_config object in pkiconfig.py.
Refactored pki_config object in pkiparser.py.
Refactored pki_subsystem object in pkiconfig.py.
Refactored PKIDeployer.
Refactored PKIConfigParser.flatten_master_dict().
Refactored deployment timestamp variables.
Refactored deployment system variables.
Replaced default AJP hostname with generic loopback address.
Fixed misleading error message on duplicate cert in HSM.
Added global TCP Keep-Alive option.
Cleaned up error handling in PKI CLI.
Cleaned up error handling in user and group CLIs.
Added upgrade script to update AJP loopback address.
Refactored Constants.PR_INTERNAL_TOKEN.
Refactored Constants.PR_INTERNAL_TOKEN_NAME.
Refactored Constants.PR_FULL_INTERNAL_TOKEN_NAME.
Refactored ConfigurationRequest.TOKEN_DEFAULT.
Refactored KRATool.INTERNAL_TOKEN.
Refactored CMCRequest.PR_INTERNAL_TOKEN_NAME.
Refactored CMCRevoke.PR_INTERNAL_TOKEN_NAME.
Refactored HttpClient.PR_INTERNAL_TOKEN_NAME.
Refactored KeyRecoveryAuthority.PR_INTERNAL_TOKEN_NAME.
Updated wrapper script for legacy CLIs.
Replaced internal token full name literals.
Fixed missing SLF4J in Javadoc classpath.
Fixed Javadoc failure caused by HTML special characters.
Replaced internal token short name literals.
Updated CryptoUtil.
Fixed inconsistent internal token detection.
Fixed problem searching the latest certificate request.
Replaced CryptoManager.getTokenByName().
Merged /pki webapps.
Updated Dogtag theme build script.
Updated Dogtag theme spec file.
Cleaned up error handling in cert and profile CLIs.
Cleaned up error handling in key CLIs.
Refactored restricted command list in PKI CLI.
Fixed Ctrl-C handling in PKI CLI.
Troubleshooting improvements for CAEnrollProfile.
Added --renewal param to pki ca-cert-request-submit.
Added --serial param to pki ca-cert-request-submit.
Cleaned up error handling in client and PKCS12 CLIs.
Fixed MergePKIWebapps upgrade script.
Cleaned up error handling in feature and authority CLIs.
Cleaned up error handling in system, logging, and selftest CLIs.
Cleaned up error handling in TPS CLIs.
Converted library links creation into CMake scripts.
Removed library links creation from RPM spec.
Cleaned up CMake scripts for Jackson libraries.
Refactored PKIService class.
Refactored ClientConfig.
Refactored SubsystemClient.
Added CAClientExample.
Added CACertClientExample.
Updated RPM spec to include Java examples.
Added log message in CMCAuth.
Troubleshooting improvements for CertRequestService.
Renamed index.html to index.jsp in CA UI.
Renamed index.html to index.jsp in KRA UI.
Renamed index.html to index.jsp in OCSP UI.
Renamed index.html to index.jsp in TKS UI.
Renamed index.html to index.jsp in TPS UI.
Refactored pki-ui.js.
Added Console source folder to Eclipse classpath.
Fixed error handling for Console authentication.
Updated classpath in Console wrapper script.
Reorganized PKI UI pages.
Secured PKI UI main page.
Fixed build problem on RHEL.
Added PKIApplication.
Added InfoService and LoginService.
Added access banner for PKI UI.
Added access banner for CA UI.
Added access banner to KRA UI.
Added access banner to OCSP UI.
Added access banner to TKS UI.
Added access banner to TPS UI.
Added access banner for PKI console.
Added access banner for PKI CLI.
Refactored PKIInstance.load().
Added exception chaining for EInvalidCredentials.
Troubleshooting improvement for ClientCertValidateCLI.
Added cascading configuration for PKI CLI.
Exporting environment variables for PKI client.
Merge pull request #1 from amolkahat/pki_man
Removed duplicate code to configure SSL version ranges.
Cleaned up CryptoUtil.setClientCiphers().
Added missing Eclipse dependency.
Default NSS database for PKI CLI.
Moved default SSL configuration out of PKIConnection.
Cleaned up CryptoUtil.setClientCiphers(String).
Fixed PKIClient initialization in PKI CLI.
Added configuration parameters for SSL version ranges.
Renamed CryptoUtil.setClientCiphers().
Fixed error handling in CryptoUtil.unsetSSLCiphers().
Fixed error handling in CryptoUtil.setClientCiphers().
Refactored CryptoUtil.setClientCiphers().
Added pki.conf parameter for SSL ciphers.
Added pki.conf parameter for default SSL ciphers.
Added hard-coded default values for SSL parameters in PKI CLI.
Fixed default value for SSL datagram.
Allowing pki client-init without NSS database password.
Allowing pki pkcs12-import without NSS database password.
Allowing client cert auth without NSS database password.
Added support for hex cipher IDs in pki.conf.
Added support for disabling SSL ciphers in pki.conf.
Added CLI.getConfig().
Refactored CLI.getClient().
Refactored ClientCLI.
Refactored ProxyCLI.
Refactored SubsystemCLI.
Refactored CA CertCLI.
Refactored GroupCLI.
Refactored KRA KeyCLI.
Refactored SecurityDomainCLI.
Refactored UserCLI.
Refactored AuthorityCLI.
Refactored FeatureCLI.
Refactored KRAConnectorCLI for CA.
Refactored CA ProfileCLI.
Refactored CA ProfileMappingCLI.
Refactored SelfTestCLI.
Refactored TPSConnectorCLI for TKS.
Added audit logs for SSL/TLS events.
Refactored ActivityCLI.
Refactored AuditCLI.
Refactored AuthenticatorCLI.
Refactored TPSCertCLI.
Refactored TPS ConfigCLI.
Refactored TPS ProfileCLI.
Refactored TPS TokenCLI.
Refactored TPS ConnectorCLI.
Removed duplicate PROP_ROLLOVER_INTERVAL constant.
Removed duplicate PROP_MAX_FILE_SIZE constant.
Removed duplicate PROP_EXPIRATION_TIME constant.
Fixed default subsystems for top-level CLI commands.
Fixed pylint errors in pki.server.cli.subsystem.
Fixed pylint error in pki.authority.
Removed redundant Context attributes.
Refactored AuditCLI.
Added audit service and CLI to all subsystems.
Added PKIRESTProvider.
Added CLIs to access audit log files.
Fixed PKIServerSocketListener.
Fixed pki_console_wrapper.
Added SSLSocketListener for PKIConnection.
Fixed pki user and group commands.
Deprecated -t option for pki CLI.
Added FIPS-compliant password generator.
Added pki-server <subsystem>-audit-file-find CLI.
Added pki-server <subsystem>-audit-file-verify CLI.
Added audit event constants for SSL session.
Added audit event constants for TPS.
Reorganized audit event constants for KRA.
Reorganized audit event constants for TKS.
Reorganized audit event constants for OCSP.
Reorganized audit event constants for authentication.
Reorganized audit event constants for CA.
Reorganized additional audit event constants for KRA.
Reorganized audit event constants for configuration.
Updated CMS.getLogMessage().
Added methods to log AuditEvent object.
Fixed ClientIP field in SSL session audit log.
Fixed missing IP addresses and subject ID in audit log.
AdminConnection cleanup by Eclipse.
Added AuditEvent.setParameters().
Added session timeout for PKI console.
Updated default SSL connection timeout.
Fixed SSL connection timeouts.
Refactored line concatenation.
Refactored additional line concatenation.
Added AdminServlet.audit(AuditEvent).
Refactored CAProcessor.auditInfoCertValue().
Refactored ConnectorServlet.auditInfoCertValue().
Refactored ProfileSubmitCMCServlet.auditInfoCertValue().
Fixed missing IAuditor.log(AuditEvent).
Added AuthSuccessEvent.
Added AuthFailEvent.
Added AuthzSuccessEvent.
Added AuthzFailEvent.
Added RoleAssumeEvent.
Added ConfigRoleEvent.
Added CertRequestProcessedEvent.
Updated debug logs in SystemConfigService.
Added ConfigSignedAuditEvent.
Added CertRequestProcessedEvent constructor for X509CertImpl.
Added CertRequestProcessedEvent constructor for IRequest.
Added log messages for server shutdown.
Simplified conditions to log CERT_REQUEST_PROCESSED.
Added AuditEvent attributes.
Added ConfigTrustedPublicKeyEvent.
Refactored CertRequestProcessedEvent to use AuditEvent attributes.
Added certificate serial number for CERT_REQUEST_PROCESSED.
Fixed audit event outcome for agent-rejected cert request.
Fixed audit event outcome for agent-canceled cert request.
Refactored UpdateCRL.process() (part 1).
Refactored UpdateCRL.process() (part 2).
Refactored UpdateCRL.process() (part 3).
Reformatted UpdateCRL.process().
Fixed CERT_REQUEST_PROCESSED events in ConnectorServlet.
Added CertStatusChangeRequestProcessedEvent.
Refactored RevocationRequestListener.accept().
Reformatted RevocationRequestListener.accept().
Added debug logs for UpdateCRL servlet.
Added debug logs for JssSubsystem.
Fixed problem with --ignore-banner option.
Added configurable random number generator in JssSubsystem.
Enabling all subsystems on startup.
Moved TokenServlet into pki-tks package.
Updated log messages in OCSPProcessor.
Cleaned up DefStore.processRequest() (part 1).
Cleaned up DefStore.processRequest() (part 2).
Cleaned up DefStore.processRequest() (part 3).
Updated OCSP log messages.
Replaced random number generator in SecurityDataProcessor.
Replaced random number generator in RequestQueue.
Added CRLIssuingPoint.generateCRLExtensions().
Added CRLIssuingPoint.generateDeltaCRL().
Added CRLIssuingPoint.generateFullCRL().
Replaced SHA1-based random number generators.
Refactored CRLIssuingPoint.generateDeltaCRL().
Refactored CRLIssuingPoint.generateFullCRL().
Updated ECAException constructor.
Added DELTA_CRL_GENERATION audit event.
Added DELTA_CRL_PUBLISHING audit event.
Added FULL_CRL_GENERATION audit event.
Added FULL_CRL_PUBLISHING audit event.
Added SCHEDULE_CRL_GENERATION audit event.
Added pkispawn options for two-step installation.
Fixed two-step subordinate CA installation.
Fixed missing build dependency on slf4j-jdk14.
Removed hard-coded version numbers from compose scripts.
Fixed theme build script.
Removed superfluous deployment configuration backup.
Added upgrade script for keepAliveTimeout.
Reorganized upgrade scripts.
Added version number on supported platforms into spec files.
Fixed random password generator.
Excluded backslash from random password.
Refactored MainCLI.loadPassword() (part 1).
Refactored MainCLI.loadPassword() (part 2).
Refactored MainCLI.loadPassword() (part 3).
Refactored CLI.runExternal().
Fixed pki client-cert-import CLI.
Fixed default CA cert trust flags in pki CLI.
Fixed client cert auth in PKI console.
Cleaned up PKI console options.
Updated PKI console option parser.
Refactored AuditVerify (part 1).
Refactored AuditVerify (part 2).
Refactored AuditVerify (part 3).
Added RESTEasy paths into pki-console.spec.
Added verbose option for PKI console.
Fixed PKI console build issue on RHEL.
Fixed access banner normalization.
Fixed access banner encoding.
Fixed access banner encoding (part 2).
Fixed initial audit log signature verification.
Fixed audit log signature problem due to rotation.
Fixed pki ca-cert-find and ca-cert-show output.
Added default URL for OCSPProcessor.
Added banner validation during server startup.
Added search filter for pki ca-authority-find.
Added pki ca-cert-status.
Added log messages for OCSP service.
Fixed OCSP service error handling.
Fixed build dependency for javadoc.
Refactored LogQueue class.
Added LogCategory enumeration.
Added LogSource enumeration.
Refactored ILogEventFactory implementations.
Refactored Logger class.
Fixed build dependency for pki-cms.jar.
Reorganized Logger classes.
Added default log level for Logger.
Refactored signed audit logger.
Added LogEvent class.
Consolidated log() for audit events.
Fixed error message on invalid log type.
Fixed audit events class hierarchy.
Refactored ConfigurationUtils.configLocalCert().
Refactored ConfigurationUtils.configRemoteCert().
Refactored CertUtil.createLocalCert() (part 1).
Refactored CertUtil.createLocalCert() (part 2).
Refactored CertUtil.createLocalCert() (part 3).
Moved cert management methods into CertUtil.
Refactored CertUtil.importCert().
Refactored CertUtil.importExternalCert().
Refactored ConfigurationUtils.handleLocalCert().
Refactored CertUtil.createLocalRequest().
Refactored CertUtil.updateLocalRequest().
Refactored ConfigurationUtils.updateServerCertNickConf().
Refactored ConfigurationUtils.updateCloneConfig().
Fixed error message in SystemConfigService.processCerts().
Refactored SystemConfigService.processKeyPair().
Refactored SystemConfigService.processCert().
Merge pull request #5 from amolkahat/type_fix
Fixed CertUtil.updateLocalRequest().
Refactored ConfigClient.configure_pki_data().
Refactored server restart code.
Removed unused KRA initial profiles.
Removed cert chain requirement for standalone KRA.
Refactored NSSDatabase.remove_cert().
Refactored temp SSL server cert creation (part 1).
Refactored temp SSL server cert creation (part 2).
Refactored SSL server cert replacement.
Removed unnecessary UTF-8 encoding.
Fixed installation problem.
Refactored key parameter parsing.
Added aliases for SSL server cert params.
Refactored CSR generation.
Refactored CA signing CSR generation.
Deprecated pki_ssl_server_* parameters.
Fixed standalone OCSP installation.
Fixed CSR file validation for standalone installation.
Removed unused confirm_missing_file().
Fixed pki-server cert-find output.
Refactored system cert requests generation.
Refactored importing system cert requests.
Refactored importing system certs.
Refactored system certs configuration.
Refactored system certs verification.
Added parser for PKCS #7 in PEM format.
Added CLI to import PKCS #7 file.
Added CMCResponse option to export PKCS #7 cert chain.
Added CMCResponse return code.
Added support for extended key usage extension.
Refactored standalone admin cert configuration.
Refactored key generation for SSL server certificate.
Refactored CSR generation for standalone installation.
Refactored importing cert chain (part 1).
Refactored importing cert chain (part 2).
Refactored importing cert chain (part 3).
Refactored importing cert chain (part 4).
Refactored loading external system certs.
Added banner validation in InfoService.
Added support for importing PKCS #7 certificates.
Added parameter validation for pki client-cert-import.
Fixed ConfigurationTest.
Fixed Eclipse classpath to run unit tests.
Removed unnecessary exception handlers in CATestJunit.
Merged local and remote cert handlers.
Removed redundant hasSigningCert.
Removed unused external_signing cert.
Refactored ConfigurationUtils.configRemoteCert().
Refactored SystemConfigService.processCert() (part 1).
Refactored SystemConfigService.processCert() (part 2).
Displaying tokenType and tokenOrigin in TPS UI and CLI.
Removed redundant code in ConfigurationUtils.
Added ConfigurationRequest.getSystemCert().
Refactored ConfigurationUtils.loadCert().
Removed exception handler in ConfigurationUtils.configCert().
Removed redundant code in ConfigurationUtils.configRemoteCert().
Refactored ConfigurationUtil.configLocalCert().
Refactored admin configuration (part 1).
Refactored admin configuration (part 2).
Refactored admin configuration (part 3).
Removed unused ConfigurationRequest.stepTwo field.
Added X509CertImpl.getInfo() method.
Refactored CertUtil.createLocalCert().
Refactored system cert validator (part 1).
Refactored system cert validator (part 2).
Refactored SystemConfigService.configure().
Refactored SystemConfigService.processCert().
Refactored ConfigurationUtils.loadCertRequest().
Removed unused code ConfigurationUtils.handleCert().
Refactored SystemConfigService.processCert().
Fixed ConfigurationTest.
Refactored CertUtil.getPKCS10().
Refactored ConfigurationUtils.createAdminCertificate().
Refactored Cert class (part 1).
Refactored Cert class (part 2).
Removed redundant code in SystemConfigService.configureNewSecurityDomain().
Fixed system cert validation.
Refactored KRA connector configuration (part 1).
Refactored KRA connector configuration (part 2).
Refactored OCSP configuration update.
Refactored importing CA cert into OCSP.
Removed redundant import_external_ca_signing_cert().
Fixed pki client-cert-show output.
Renamed standalone KRA and OCSP deployment params.
Added request record for existing self-signed CA signing cert.
Added support for CA installation with all existing certs.
Renamed external CA parameters.
Added support for KRA and OCSP installation with external certs.
Added generic CMC servlet.
Refactored CMC_SIGNED_REQUEST_SIG_VERIFY event.
Cleaned up Logger invocations.
Refactored Logger class (part 1).
Refactored Logger class (part 2).
Refactored LogFile class (part 1).
Refactored LogFile class (part 2).
Refactored AUTH_SUCCESS and AUTH_FAIL events.
Refactored Logger class (part 3).
Refactored CA loggers.
Refactored KRA loggers.
Refactored OCSP loggers.
Refactored TKS loggers.
Refactored TPS loggers.
Refactored log factory (part 1).
Refactored log factory (part 2).
Refactored LogEvent class.
Refactored Logger class (part 4).
Refactored log factory (part 3).
Refactored log factory (part 4).
Refactored log factory (part 5).
Refactored log factory (part 6).
Refactored AsymKeyGenerationEvent.
Refactored AsymKeyGenerationProcessedEvent.
Refactored CertRequestProcessedEvent.
Refactored CertStatusChangeRequestProcessedEvent.
Refactored CMCSignedRequestSigVerifyEvent.
Refactored ConfigRoleEvent.
Refactored ConfigSignedAuditEvent.
Refactored ConfigTrustedPublicKeyEvent.
Refactored DeltaCRLGenerationEvent.
Refactored DeltaCRLPublishingEvent.
Refactored FullCRLGenerationEvent.
Refactored FullCRLPublishingEvent.
Refactored RoleAssumeEvent.
Refactored ScheduleCRLGenerationEvent.
Refactored security data archival events.
Refactored security data export event.
Refactored security data recovery events.
Refactored remaining security data events.
Refactored server-side key generation events.
Refactored symmetric key generation events.
Refactored authorization events.
Merged AUTH_SUCCESS and AUTH_FAIL events.
Merged AUTHZ_SUCCESS and AUTHZ_FAIL events.
Merged ACCESS_SESSION_ESTABLISH events.
Merge "Fix Weak ciphers (3DES) should not be enabled by default anymore."
Added audit log message parser.
Added audit event filter.
Revert "Added audit event filter."
Fixed pki client-cert-import.
Merge changes from topic 'ticket-2689'
Reorganized subsystem CLI classes.
Reorganized CA cert CLI class.
Reorganized CA cert client class.
Cleaned up CA client objects creation.
Fixed OCSPClient error message.
Removed redundant OCSPAuthority.arraysEqual().
Removed nested if-statement in DefStore.processRequest().
Fixed error handling in LDAPStore.processRequest() (part 1).
Fixed error handling in LDAPStore.processRequest() (part 2).
Fixed error handling in DefStore.processRequest() (part 1).
Fixed error handling in DefStore.processRequest() (part 2).
Fixed error handling in DefStore.processRequest() (part 3).
Fixed error handling in CertificateAuthority.validate().
Added OCSP_GENERATION audit event.
Encapsulated OCSP_ADD_CA_REQUEST events.
Encapsulated OCSP_REMOVE_CA_REQUEST events.
Merged OCSP_REMOVE_CA_REQUEST_PROCESSED events.
Removed trailing whitespaces in LogMessages.properties.
Fixed OCSP_REMOVE_CA_REQUEST event.
Encapsulated CERT_STATUS_CHANGE_REQUEST event.
Fixed pki-cms and pki-core dependency issue.
Refactored DoRevokeTPS.process().
Refactored DoUnrevokeTPS.process().
Fixed ReqID attribute in CERT_STATUS_CHANGE_REQUEST events.
Removed unused auditRequesterID() method.
Updated Travis CI configuration.
Updated LDAPJDK dependency.
Added audit event filter.
Fixed invalid audit log format.
Refactored Auditor.getParamString() (part 1).
Refactored Auditor.getParamString() (part 2).
Refactored Auditor.getParamString() (part 3).
Added SignedAuditEvent.setAttribute() method.
Added sub CA options for pki client-cert-request.
Added RANDOM_GENERATION event.
Refactored KeyRetrieverRunner._run().
Refactored CertificateAuthority.initSigUnit() (part 1).
Refactored CertificateAuthority.initSigUnit() (part 2).
Refactored CertificateAuthority.initSigUnit() (part 3).
Refactored SigningUnit.init() (part 1).
Refactored SigningUnit.init() (part 2).
Added SystemConfigService.handleCerts().
Refactored ConfigurationUtils.setCertPermissions() (part 1).
Refactored ConfigurationUtils.setCertPermissions() (part 2).
Refactored CertRequestProcessedEvent.
Consolidated certificate header and footer Java constants.
Added chunking option for Utils.base64encode().
Added signing info events.
Consolidated Base-64 encoding methods.
Consolidated Base-64 decoding methods.
Removed blank line in PEM certificates.
Refactored PKIClient.removeCert().
Refactored PKIClient.getCerts() and getCACerts().
Refactored PKIClient.getCert().
Removed redundant cert import methods in PKIClient.
Consolidated PKCS #7 header and footer for Java.
Consolidated CSR header and footer for Java.
Fixed CSR format in PKCS10Client and CRMFPopClient.
Reorganized CertUtil.importCert().
Refactored CertUtil.findCertificate() (part 1).
Refactored CertUtil.findCertificate() (part 2).
Refactored CertUtil.deleteCert().
Refactored CryptoUtil.importUserCertificate().
Refactored ConfigurationUtils.importCert().
Refactored CryptoUtil.importUserCertificate() (part 2).
Fixed install problem in HSM case.
Refactored RoleAssumeEvent (part 1).
Refactored RoleAssumeEvent (part 2).
Cleaned up authz-related debug messages.
Removed redundant ROLE_ASSUME events.
Refactored SecurityDataArchivalEvent.
Refactored CryptoUtil.encryptPassphrase().
Refactored CryptoProvider.wrapWithSessionKey().
Refactored KeyClient.archivePassphrase().
Fixed unit test classpath.
Updated pki-core.spec to run unit tests.
Revert "Updated pki-core.spec to run unit tests."
Refactored CryptoUtil.wrapSymmetricKey().
Refactored KeyClient.transportCert.
Refactored KeyClient.setTransportCert().
Added CLI option for transport cert nickname.
Added CLI option to archive binary data from file.
Added CLI option to store retrieved data into file.
Consolidated certificate parsing.
Replaced deprecated FileUtils.readFileToString().
Refactored EnrollmentService.verifyKeyPair().
Added failure reason to SECURITY_DATA_ARCHIVAL_REQUEST event.
Removed redundant audit() methods.
Fixed inconsistent OCSP signing certificate extensions.
Removed redundant audit() methods (part 2).
Cleaned up CMake scripts.
Refactored instance_layout.py.
Refactored configuration.py.
Removed obsolete JSS connector parameters.
Added pki-server cert-export CLI.
Updated logger for Tomcat-related classes.
Fraser Tweedale (76):
Revoke lightweight CA certificate on deletion
Prevent deletion of host CA cert and key from NSSDB
Accept LWCA entry with missing entryUSN if plugin enabled
Perform host authority check before entryUSN check
Do not attempt LWCA key retrieval for host authority
Compare serialised DNs in host authority check
Block reads during reload of LDAP-based profiles
Remove unused member
LDAPProfileSubsystem: log exception if profile creation fails
Remove unused string constant
Replace duplicate string literals with a constant
Move AuthToken key constants to IAuthToken
Merge duplicate authz plugin code into superclass
Allow ':' to appear in ACL expressions
Add getAuthzManagerNameByRealm to IAuthzSubsystem
Define "auth_token" IRequest extdata key prefix in one place
Define "profileId" IRequest extdata key in one place
Define "req_authority_id" IRequest extdata key in IRequest
Remove principal type assumption from AuthorityService
Use BigInteger for entryUSN
Remove unused dependency from tomcat classes build
DNSName: add method to get value
GeneralName: add method to get at inner value
SubjectAlternativeNameExtension: add GeneralNames getter/setter
X500Name: add method to get all attributes of a given type
Add profile component that copies CN to SAN dNSName
Add upgrade script to add CommonNameToSANDefault plugin
Allow DirAclAuthz to be configured to read alternative entry
Fix NPE in server shutdown when startup failed
Remove unused import
Refactor CertRetrievalRequest construction
Include revocation reason in REST cert data
pkispawn.8: fix setup-ds.pl command name
pki_default.cfg.5: fix ca_signing tag name
Define AgentCertAuthentication token keys in IAuthToken
CertProcessor: extract method setAuthTokenIntoRequest
Add groups and request attributes to external principals
Add IAuthToken implementation for external principals
Update AuthMethodInterceptor to handle external principals
Update SessionContextInterceptor to handle external principals
Update ACLInterceptor to support external principals
CMS.getLogMessage: escape format elements in arguments
Allow arbitrary user data in cert request
CertProcessor: set external principal attributes into request
Add ExternalProcessConstraint for request validation
Add authn manager that reuses auth token from session
LDAPProfileSubsystem: avoid duplicating logic in superclass
ISourceConfigStore: add clear() method to interface
ProfileService: clear profile attributes when modifying
KRA: do not accumulate recovered keys in token
Add upgrade script that adds KRA wrapping params
PKCS12Util: use AES to encrypt private keys
PKCS12Util: add some much-needed comments
KRA: use AES in PKCS #12 recovery for wrapped keys
CAInfoService: retrieve info from KRA
Fix PKCS #12 import during clone installation
Delete unused methods
Fix NPE in lightweight CA creation
Improve exception message for null AuthorityKeyIdentifier
KRA PKCS #12 export: add config to use 3DES PBE encryption
Fix regression in pkcs12 key bag creation
Fix FixDeploymentDescriptor upgrade script if source file is missing
pkispawn: allow override of server startup timeout
KeyClient: fix json encoding in Python 3
Fix regression in lightweight CA replication
KRA: use AES in PKCS #12 recovery for encrypted keys
Make PKCS #12 files compatible with OpenSSL, NSS >= 3.31
Fix external CA CSR generation with custom extension
Fix pki-server subsystem-cert-validate command with big serial
UserSubjectNameDefault: don't change attribute encodings
Fix issuance when CA cert lacks Subject Key ID ext
CMSServlet.renderFinalError: log exception
TokenAuthenticate: avoid NPE on null session table
TokenAuthentication: log error message on error
Sleep after security domain login during configuration
pkispawn: make security domain login sleep duration configurable
Geetika Kapoor (2):
Fix for BZ 1358462
Added ansible playbooks code and documentation for setup
Jack Magne (25):
Authentication Instance Id PinDirEnrollment with authType value as SslclientAuth is not working.
Fix for: Add ability to disallow TPS to enroll a single user on multiple tokens. #1664
Another Fix for: Add ability to disallow TPS to enroll a single user on multiple tokens. #1664
Cert/Key recovery is successful when the cert serial number and key id on the ldap user mismatches
PIN_RESET policy is not giving expected results when set on a token.
TPS token enrollment fails to setupSecureChannel when TPS and TKS security db is on fips mode.
Change lifecycle at end of enrollment if it is not already set.
Resolve: pkispawn does not change default ecc key size from nistp256 when nistp384 is specified in spawn config
Ticket #2569: Token memory not wiped after key deletion
First cut of scp03 support. Supports the g&d smartcafe out of the box.
SCP03 support for g&d sc 7 card.
CA in the certificate profiles the startTime parameter is not working as expected.
Non server keygen issue in SCP03.
Now the program can create and import shared secret keys while under FIPS mode.
Resolve #1663 Add SCP03 support.
Minor fix to already fixed issue:
SCP03 support: fix Key Changeover with HSM (RHCS)
TPS new configuration to allow the protocol of the to determine applet loaded.
Fix Weak ciphers (3DES) should not be enabled by default anymore.
Fix: #2695 Replacing Random with SecureRandom.
Fix: #792 Support SHA256 for SKI
Fix #2735 Secure removal of secret data storage.
Fix #2735 Secure removal of secret data storage (phase 2)
ReFix for #2824 TPS new configuration to allow the protocol of the to determine applet loaded.
Fix #2735 Secure removal of secret data storage (phase 3)
Matthew Harmsen (57):
Updated version number to 10.4.0-0.1
Resolves: rhbz #1366465
pki-tools HEADER/FOOTER changes
pki-tools CMCEnroll man page
pki-tools CMCEnroll man page (spec file)
Resolve python-requests dependencies appropriately by adding minimum required
Added openssl runtime dependency for support of External CA.
Fix for flake8 errors on Fedora 26 (cheimes)
Revert "Fixed TPS UI for agent approval."
Revert "Fixed TPS UI system menu."
Removed all references to 'xenroll.dll'
Cast 'char *' to 'const char *' in C++ files.
Re-base Dogtag pki packages to 10.4.x
Upgraded remaining 10.3.3 references to 10.4.0.
Synced changelog with Koji pki-core master.
Fixed typo.
Synced local source spec files with their upstream Koji counterparts.
Updated version number to 10.4.1-0.1
Synced up local spec files with latest release
Checked-in under one-liner/trivial rule.
Fixed typo.
dogtagpki Pagure Issue #2633 - Missing python-cryptography dependencies
Synced up local spec files with latest release
Synced up local spec files with latest release
Updated source version number to 10.4.3-1.1
Synced up local spec files with latest release (10.4.4)
Updated source version number to 10.4.4-1.1
Fix CA installation with HSM in FIPS mode
Added FIPS class to pkispawn
Added runtime requirement on sysctl to pki-core spec file
Correct section headings in user deployment configuration file
Fixed hardcoded values in ca CS.cfg
Synced up local spec files with latest release (10.4.5)
Updated source version number to 10.4.5-1.1
Always check FIPS mode at installation time
Updated minimum selinux-policy-targeted runtime requirement.
Synced up local spec files with latest release (10.4.6)
synced compose scripts to 10.4.6
Fixed pylint issues
Revert "Fixed theme build script."
Resolves: dogtag Pagure Issues #1663,2556,2674,2676,2687,2707,2713,2714,2717,2721,2726
Updated 'selinux-policy-targeted' and 'tomcatjss' requirements.
Updated source version number to 10.4.7-1.1
dogtagpki Pagure Issue #2745 - Platform Dependent Python Import
Synced up local spec files with latest release (10.4.8)
Update development spec file templates
Apply development spec file templates across all platforms
Unset build env variables
Fixed theme build script.
Updated LDAPJDK dependency.
Fixed builds on CentOS and synced spec file templates with Koji.
Cleanup spec file conditionals
Fix seobject pylint issues
Synced up local spec files with latest release (10.5.2)
Set the default NSS DB type
Set the default NSS DB type for console
Fix nuxwdog to work on all platforms
Nathan Kinder (1):
Remove dependency on svrcore library
Stanislav Laznicka (1):
PKIConnection: allow separation of client cert and pkey
Stanislav Levin (1):
Fix version compare for sphinx python module
Timo Aaltonen (22):
Merge branch 'upstream' into m-n
Merge branch 'master' into master-next
bump changelog
watch: Updated, upstream provides proper tags now.
copyright: Add Files-Excluded for tarball rebuild.
patches: Drop fix-CVE-2017-7537.diff, refresh others.
delete more binaries
Merge branch 'upstream-next' into master-next
use-usr-bin.diff: Replace with an upstreamed patch.
refresh create-target-wants.diff
bump changelog
WIP
Drop fix-junit-jar.diff, add fix-jar-search.diff and modify debian-support.diff and rules to not hardcode distro-specific jar names.
control: Add build-depends/depends
rules: Use dh_missing, and drop creating links under subsys dirs as that is handled by CMake now.