[Pkg-freeipa-devel] [Git][freeipa-team/dogtag-pki][upstream] 648 commits: Added man page for PKCS10Client

Timo Aaltonen gitlab at salsa.debian.org
Thu Aug 23 07:14:03 BST 2018


Timo Aaltonen pushed to branch upstream at FreeIPA packaging / dogtag-pki


Commits:
9ab493e3 by Amol Kahat at 2017-10-20T10:12:25Z
Added man page for PKCS10Client

- - - - -
92341c5b by Dinesh Prasanth M K at 2017-12-13T14:49:18Z
Fixed Travis python issue

pyenv variable has been updated in response to
Travis CI current update: https://docs.travis-ci.com/user/build-environment-updates/2017-12-12/

Change-Id: Id6a65a895a5f56415582a5dfe369f5f7ed4179b1

- - - - -
c2f41579 by Endi S. Dewata at 2017-12-13T18:58:15Z
Fixed pylint warnings.

Some Python files have been modified to avoid pylint warnings due
to subsequent changes.

https://pagure.io/dogtagpki/issue/167

Change-Id: If16e5d7f60cef776c6b65ad9f803b178ba52bc85

- - - - -
d56a5543 by Endi S. Dewata at 2017-12-13T19:02:57Z
Added wrappers for pkispawn and pkidestroy.

The existing pkispawn and pkidestroy Python scripts have been
moved into pki.server package. New shell wrappers have been added
as replacements. The wrappers will allow loading the environment
variables defined in pki.conf.

https://pagure.io/dogtagpki/issue/167

Change-Id: I9a4a360229b589164c4c21a9ab345e4b46f9fd06

- - - - -
e8e504c9 by Endi S. Dewata at 2017-12-14T03:22:15Z
Added pki.util.chmod().

A new chmod() function has been added to set file or folder
permissions recursively. The existing chown() has been modified
to work with files as well.

https://pagure.io/dogtagpki/issue/167

Change-Id: I219bfe54d97afaedb864c71cb4f7e53e87a2733d

- - - - -
fd842db8 by Endi S. Dewata at 2017-12-14T03:24:25Z
Added PKIDeployer.record().

The code that generates manifest records has been refactored into
a new record() method in the PKIDeployer class.

https://pagure.io/dogtagpki/issue/167

Change-Id: If3073e618c0b40b320e93c19406542acf66bc8c6

- - - - -
c945f3d4 by Endi S. Dewata at 2017-12-15T23:13:03Z
Updated version number to 10.6.0-1.

Change-Id: I48753242fd05fc1fe652c270e0ae0ba1e105b0bc

- - - - -
c7cd967c by Endi S. Dewata at 2017-12-16T18:09:32Z
Removed hard-coded app server names in CMake scripts.

Currently PKI only supports Tomcat 7.0 and 8.0 and the related
files are stored in tomcat7 and tomcat8 folders, respectively.
The folder is selected during build using WITH_TOMCAT7 or
WITH_TOMCAT8 variables in CMake scripts.

To support other app servers (e.g. Tomcat 8.5), the app server
name now can be specified using APP_SERVER variable which will be
used to select the folder to use.

https://pagure.io/dogtagpki/issue/2560

Change-Id: I4229a341e23f992a290ceeb15b518ff209a3f6d9

- - - - -
22d486c1 by Endi S. Dewata at 2017-12-16T18:12:13Z
Removed hard-coded app server names in pki-core.spec.

Currently PKI only supports Tomcat 7.0 and 8.0 and the app server
is selected during build using with_tomcat7 and with_tomcat8 macros.

To support other app servers (e.g. Tomcat 8.5), the app server name
now can be specified using app_server macro which will be used to
set the APP_SERVER variable in CMake scripts.

https://pagure.io/dogtagpki/issue/2560

Change-Id: Ied83799289f2e4ae00d2eb763f7ecbb2b27ef158

- - - - -
f54b4a8d by Endi S. Dewata at 2017-12-18T22:33:17Z
Fixed missing admin PKCS #12 file on external KRA/OCSP installation.

The deployment tool has been modified to generate a PKCS #12 file
that contains the admin certificate for KRA/OCSP installation with
external certificates.

https://pagure.io/dogtagpki/issue/2873

Change-Id: Ide6b08ba8f2121b4cdf21208c32d745534893f0f

- - - - -
d7269edb by Ade Lee at 2018-01-03T14:19:58Z
Fix various PEP8 and pylint issues

Change-Id: I8b2b52599ab6b2d4738b748f36598319f11477c7

- - - - -
6e4a1050 by Ade Lee at 2018-01-03T14:20:22Z
Modified systemd invocations in pkispawn to handle nuxwdog

The systemd invocations in pkispawn/pkidestroy did not account for
nuxwdog enabled instances.  This patch allows pkispawn/pkidestroy to
use the right service name if the nuxwdog service unit files exist.

Also modified instance_layout deployment script to delete the right
systemd link.

Change-Id: I25eac0555aad022784d7728913ae4a335eab3463

- - - - -
7ef597aa by Ade Lee at 2018-01-03T14:20:22Z
Allow prompting for token passwords if not present

Change-Id: Ifa2e60424d713ebe15bf9aa92f1d5b7691b7e0ff

- - - - -
e7ae46a7 by bbhavsar at 2018-01-04T15:20:11Z
Added Banner CLI Automation

Change-Id: Ia6f72b847d90bccc86a983f943d95188d35c6350
Signed-off-by: bbhavsar <bbhavsar at redhat.com>

- - - - -
057f75b1 by Endi S. Dewata at 2018-01-04T15:44:21Z
Removed temp script creation in compose scripts (part 1).

The compose scripts have been modified to execute rpmbuild command
directly without using a temporary script.

Change-Id: I6abac3b11e1903b741efcdc0e374432ee6c70b6a

- - - - -
da712a52 by Endi S. Dewata at 2018-01-04T15:45:25Z
Removed temp script creation in compose scripts (part 2).

The compose scripts have been modified to remove unused code
related to temporary script creation.

Change-Id: I95b4b5e12d2aa6cea7b3d9d8fea8d3b5e34bb5ec

- - - - -
7bc83bb4 by Endi S. Dewata at 2018-01-04T16:25:02Z
Removed temp script creation in compose scripts (part 3).

The compose scripts have been modified to define the rpmbuild
operation in a separate variable.

Change-Id: Ie6495b73b861fb867df6d75d3fabf7989abb4b36

- - - - -
db2c54dc by Endi S. Dewata at 2018-01-05T05:39:00Z
Updated version number to 10.6.0-0.1.

Change-Id: I2e2c7684ec04e43b672eea0686295381e95acced

- - - - -
e66cf40d by Christina Fu at 2018-01-05T19:43:00Z
Ticket #2604 adding FIPS support-RFE: shared token storage and retrieval mechanism

This patch adds FIPS support to the original ticket 2604.  Two changes were
made:
1. in CMCSharedToken tool, "-p" is used to specify the password for token login
and "-s" is used to specify the shared secret (or passphrase)
2. on the server side, in SharedSecret, an existing configuration parameter, cmc.token is utilized for admin to specify
the token where the issuance protection cert's private key resides on.

Change-Id: Ia454598bca7843bfc0a6ad21f57f6a74d05d67fe

- - - - -
3c61c4a7 by Endi S. Dewata at 2018-01-10T18:12:02Z
Added pki-server <subsystem>-audit-event-find command.

A new pki-server <subsystem>-audit-event-find command has been
added to list audit events and their attributes (e.g. filter).
Currently the command can only list enabled events.

https://pagure.io/dogtagpki/issue/2656

Change-Id: I7319ac4e449045d7456e9ae225aca58075093bcd

- - - - -
b142b035 by Endi S. Dewata at 2018-01-10T18:32:14Z
Merged CMC_USER_SIGNED_REQUEST_SIG_VERIFY events.

The CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS and
CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE events have
been merged into CMC_USER_SIGNED_REQUEST_SIG_VERIFY event,
and encapsulated using CMCUserSignedRequestSigVerifyEvent
class.

https://pagure.io/dogtagpki/issue/2656

Change-Id: I85ec9c871526da9ca8711ebcd6c9281086e2199f

- - - - -
a669e4d2 by Sumedh Sidhaye at 2018-01-11T20:57:33Z
added role user creation code and a sanity test for it

Change-Id: I10924fa1cf6ff03dbb46d27db1ced196027668be
Signed-off-by: Sumedh Sidhaye <ssidhaye at redhat.com>

- - - - -
52a7543e by Ade Lee at 2018-01-12T18:39:00Z
Modify get_cert to get rid of spurious certutil error messages

Also shortened some lines to comply with PEP8
rhbz# 1520277

Change-Id: I71d5ecb24c979c1be642a0c3529aebfae6e98aa7

- - - - -
fc3067f2 by Fraser Tweedale at 2018-01-16T03:53:51Z
Set nextUpdate in OCSP responses

Some OCSP clients adhere to the Lightweight OCSP Profile (RFC 5019)
which requires that the OCSP response include the nextUpdate field.

Update the CA subsystem's OCSP responder to include the nextUpdate
field when it is configured to use the CRL cache.  The nextUpdate
field in the OCSP response is set to the nextUpdate time of the
"master" CRL issuing point.

If the OCSP responder is not configured to use the CRL cache, there
is no reasonable value for nextUpdate.  In this case, we continue to
omit it.

Fixes: https://pagure.io/dogtagpki/issue/2661
Change-Id: Idbf7354b0ecc45c0498c4b7c05458f726f40336f

- - - - -
2922cdaa by Endi S. Dewata at 2018-01-17T17:32:11Z
Removed redundant constants in CA's SigningUnit.

Some constants in CA's SigningUnit have been removed since they
are already defined in ISigningUnit.

https://pagure.io/dogtagpki/issue/2901

Change-Id: I130bb22eb09fb59b8ce30a2f0bac8d4024daad7d

- - - - -
ce8872cf by Ade Lee at 2018-01-17T18:07:35Z
Make sure tomcat is running as pki user with nuxwdog

The nuxwdog process needs to run as a privileged user to be able
to retrieve the passwords from the systemd tty agent in systemctl.
Therefore, the nuxwdog unit file should NOT specify the PKI user
there.

However, we have added an option to nuxwdog to specify the user
in the nuxwdog config file, so that the process that nuxwdog spawns
(ie. tomcat) will run as the specified user.

The code changes in this patch ensure that when the nuxwdog conf
file is created, the user is set correctly as the value of the
variable TOMCAT_USER.

Change-Id: I0b4f8caedb048aaedf6a8a8f72b24fab39ad7bbf

- - - - -
982e4da5 by Endi S. Dewata at 2018-01-17T18:33:30Z
Renamed constants in ISigningUnit.

The constants in ISigningUnit have been renamed to be more
consistent with OCSP's SigningUnit.

https://pagure.io/dogtagpki/issue/2901

Change-Id: I0b9137c80ad2be0a6c7dd063382629c85961a7f3

- - - - -
991f263f by Endi S. Dewata at 2018-01-17T19:02:15Z
Removed redundant constants in OCSP's SigningUnit.

Some constants in OCSP's SigningUnit have been removed since they
are already defined in ISigningUnit.

https://pagure.io/dogtagpki/issue/2901

Change-Id: Ie9b00194782f07499b595c108e0bf311946505ed

- - - - -
e715c8a9 by Endi S. Dewata at 2018-01-17T20:00:09Z
Fixed pki-server cert-find to work with HSM.

Previously the pki-server cert-find command would prompt for
token password if used with HSM. It has been fixed with the
following changes:

The PKISubsystem.create_subsystem_cert_object() was modified to
get the certificate info from the proper token.

The NSSDatabase.get_cert_info() was modified to specify the token
name in the certutil command if provided.

https://pagure.io/dogtagpki/issue/2901

Change-Id: If8862abe4c3057f3094c414134b9719088796963

- - - - -
c52c51c6 by Christina Fu at 2018-01-17T21:59:26Z
Ticket #2675 additional fix to allow requests without POP

This patch adds support for requests without POP to be served even when cmc.popLinkWitnessRequired is true. Requests without POP will be handled with EncryptedPOP/DecryptedPOP two-trip mechanism.

Fixes: https://pagure.io/dogtagpki/issue/2675
Change-Id: Id4aab1a85dcaeaa65e625873e617af86b44a271b

- - - - -
f65ea152 by Endi S. Dewata at 2018-01-17T23:14:33Z
Fixed pki-server subsystem-cert-verify to work with HSM.

The pki-server subsystem-cert-verify has been modified to use the
proper token name to call pki client-cert-verify.

https://pagure.io/dogtagpki/issue/2901

Change-Id: Ifc496beb0f81c1c6310b183175037243b71a1926

- - - - -
fe33d958 by Endi S. Dewata at 2018-01-17T23:26:50Z
Merge pull request #4 from amolkahat/man-pages

Added man page for PKCS10Client
- - - - -
b4797134 by Amol Kahat at 2018-01-17T23:32:12Z
Fixed small error message of certificate-revoke.

Signed-off-by: Amol Kahat <akahat at redhat.com>

- - - - -
c8f90584 by Endi S. Dewata at 2018-01-18T04:20:51Z
Fixed nssdb.add_cert() for HSM.

The nssdb.add_cert() has been modified to import certificates
properly. If HSM is used, the certificate will be imported into
HSM without trust attributes. If trust attributes are specified,
the certificate will be imported into internal token as well with
the trust attributes. If no HSM is used, the certificate will be
imported into the internal token with the trust attributes if
available.

https://pagure.io/dogtagpki/issue/2901

Change-Id: I4027b3064694ecf41bc616cf1b67581e4d103531

- - - - -
95f2931c by Endi S. Dewata at 2018-01-18T22:06:53Z
Added CalledProcessError handler for pkispawn.

A CalledProcessError handler has been added for pkispawn to show
the command that failed.

Change-Id: I0027bf1d82f0739e9f20ca8ad9ba5e9fa4a3a5d7

- - - - -
d1435e2b by Ade Lee at 2018-01-19T00:04:18Z
Allow instances to be created with custom users

Some folks want to run instances under a different user and
group (ie. not pkiuser).  They may even want a different user for
each instance.  The way to do this in systemd is to create systemd
override files for the specific instance.

The deployment scriptlets have been updated to create (and delete)
these override files.

Change-Id: Icb0b6d15c6c8542dbbd565987d5fb3f1bddf6037

- - - - -
1cda0ab3 by Endi S. Dewata at 2018-01-19T04:43:10Z
Added default CA cert nickname in pki client-cert-import.

The pki client-cert-import has been modified to support optional
nickname for CA cert. If not specified, a default nickname will
be generated based on the subject DN.

https://pagure.io/dogtagpki/issue/2901

Change-Id: I285a6f1ceb68d388fdf8bb5638f3767a312854a5

- - - - -
ca5e4fde by Endi S. Dewata at 2018-01-19T05:47:17Z
Added NSSDatabase.add_ca_cert().

A new NSSDatabase.add_ca_cert() method has been added to import
CA cert without nickname using pki client-cert-import.

https://pagure.io/dogtagpki/issue/2901

Change-Id: I45d83938e92293dd54ec5af6e05c6edb215f80ea

- - - - -
ad67ee99 by Endi S. Dewata at 2018-01-19T05:54:05Z
Refactored ClientCertImportCLI.sort().

The ClientCertImportCLI.sort() has been changed to support sorting
in both directions. It also has been renamed to sortCertificateChain().

https://pagure.io/dogtagpki/issue/2901

Change-Id: I431b80e65e4a859d8d6deadf43af6af6aeefad4d

- - - - -
1622094a by Endi S. Dewata at 2018-01-19T05:54:49Z
Moved ClientCertImportCLI.sortCertificateChain().

The ClientCertImportCLI.sortCertificateChain() has been moved into
CryptoUtil for reusability. It also has been changed to use SLF4J
logger.

https://pagure.io/dogtagpki/issue/2901

Change-Id: I465c99b9763147357c38ad0526137302acf90a5e

- - - - -
96a3bb4d by Matthew Harmsen at 2018-01-19T16:25:13Z
Fixed setup of ECC CA

Restored ECC functionality that was lost during
'Refactoring SSL server cert creation'
(https://pagure.io/dogtagpki/issue/2786).

Additionally, to avoid confusion, deprecated
'pki_admin_keysize' and use 'pki_admin_key_size'
to make parameters consistent across different
certificate key types.

Fixes:  https://pagure.io/dogtagpki/issue/2887
Change-Id: I1206b37a00b7da5e30fef5b2d12fb266e2779cfb

- - - - -
165c7865 by Endi S. Dewata at 2018-01-19T17:21:06Z
Added pki pkcs7 CLI.

A new pki pkcs7 CLI has been added to manage a certificate chain in
a PKCS #7 file. The pki pkcs7-cert-find can be used to inspect the
certificates. The pki pkcs7-cert-export can be used to export the
certificates into separate files. The output certificates are sorted
from root to leaf so they can be processed further more consistently.

https://pagure.io/dogtagpki/issue/2901

Change-Id: I7e5c9e2dc0ddd12db126955114b3314f75d475d7

- - - - -
3d231ae0 by Endi S. Dewata at 2018-01-19T17:37:12Z
Fixed NSSDatabase.import_pkcs7() for HSM.

Previously NSSDatabase.import_pkcs7() was implemented using pki
client-cert-import --pkcs7 which uses JSS to import the certificate
chain from a PKCS #7 file. Apparently, when it is used with HSM
outside of PKI server JSS imports the certificates incorrectly.

The method has been changed to use pki pkcs7-cert-export to sort
and split the certificate chain into separate files. The CA certs
will be imported with pki client-cert-import --ca-cert (such that
the nickname will be consistently generated by JSS), and the user
certificate will be imported using certutil with the nickname
provided by the caller. This method seems to be working fine with
HSM.

https://pagure.io/dogtagpki/issue/2901

Change-Id: If04963eb6ad86737593df7d64eef8b17f7bde75f

- - - - -
26bc6988 by Ade Lee at 2018-01-19T19:09:32Z
Fix masking in the archived deployment.cfg

Resolves rhbz#1532759
Change-Id: Ia464852bab792b1629436ddbb963be1479579bc4

- - - - -
91c6c781 by Christina Fu at 2018-01-19T22:45:17Z
Ticket #2675 take care of PKCS#10 for cmc.popLinkWitnessRequired

This patch adds support to handle PKCS#10 which was neglected in previous
"additional" fix.

Fixes: https://pagure.io/dogtagpki/issue/2675
Change-Id: Ifc824d64c83f979ffd610658a6e7114598ce8055

- - - - -
2ffa4485 by Endi S. Dewata at 2018-01-22T15:32:29Z
Fixed cert chain importation.

For KRA/OCSP installation with external certs, the installer has
been modified to always import the cert chain into the internal
token regardless if HSM is used.

https://pagure.io/dogtagpki/issue/2901

Change-Id: Ifedb54e88ea6c8fc2ef3b562e15fb4077ec5179a

- - - - -
c86eb1bc by Endi S. Dewata at 2018-01-22T16:14:44Z
Refactored replace_sslserver_cert() in configuration.py.

The replace_sslserver_cert() in configuration.py has been split into
separate methods for removing the temp SSL server cert and importing
the permanent SSL server cert.

https://pagure.io/dogtagpki/issue/2901

Change-Id: I35cb95e61959ff99c235f116304c7272a39694e5

- - - - -
249c323d by Endi S. Dewata at 2018-01-22T16:54:58Z
Fixed SSL server cert creation and replacement.

The configuration.py has been modified to generate the temp SSL certificates
(and remove it later) in internal token regardless of HSM. It also has been
modified to import the perm cert if it has not been imported already.

https://pagure.io/dogtagpki/issue/2901

Change-Id: If473e2b314727399854638a94c6ec5a148fc52fb

- - - - -
1127a63c by Endi S. Dewata at 2018-01-22T17:33:44Z
Fixed admin cert processing.

For KRA/OCSP installation with external certs, the installation
tool has been modified to import the externally-generated admin
cert and also copy it to a location normally expected by admin.

https://pagure.io/dogtagpki/issue/2901

Change-Id: Id18ec2b6b8b1c3f307af11e2acba7866b2b5ee75

- - - - -
441b832f by Endi S. Dewata at 2018-01-22T20:14:38Z
Fixed cert import for existing certs case.

The configuration servlet has been fixed to properly import the
externally-signed certs in existing CA and external KRA/OCSP cases.

https://pagure.io/dogtagpki/issue/2901

Change-Id: Ida7bd7758670c72063765462b7d735f69a465804

- - - - -
3f9def4c by Matthew Harmsen at 2018-01-25T01:34:36Z
Updated dependencies in spec files

- https://pagure.io/dogtagpki/issue/2870 - openssl
- https://pagure.io/dogtagpki/issue/2904 - nuxwdog
- https://pagure.io/dogtagpki/issue/2911 - jss

Change-Id: I1e5b5c7ea5d1f5be51e4b3eb262b04d71114f626

- - - - -
1c262721 by Jack Magne at 2018-01-25T02:32:53Z
Fix Bug 1501436 - TPS CS.cfg should be reflected with the changes after an in-place upgrade.

This upgrade script will add the needed config params to an existing CS.cfg for TPS.

The params consist of the params required for the token profile : externalRegISEtoken.

The code also grabs the unsecure phone home url out of the instance's server.xml.
This way the new profile is configured exactly like what happens when doing a pkispawn.
The correct nonsecure url will be in place.

Added some review changes. Also we modified the python properties file class to be able to
handle a property value that happens to contain the delimiter "=". Ex name=cn=people.

Added directory server/upgrade/10.5.1 so rhel can use it when performing this upgrade.

Change-Id: I2478013b396082ffdc3d99ed86a821ec86ac4c5d

- - - - -
70978157 by Jack Magne at 2018-01-25T02:47:00Z
Fix Bug 1501436 - TPS CS.cfg should be reflected with the changes after an in-place upgrade.

Spec file changes only for the main commit that fixes this bug.

Change-Id: If5bea41591c2b4c33bee2285e705e36b23d62b7b

- - - - -
e2a72fff by Endi S. Dewata at 2018-01-26T07:55:05Z
Updated RollingLogFile.EXPIRATION_TIME.

The RollingLogFile.EXPIRATION_TIME has been changed to 0 such that
log expiration is disabled in case the log.instance.*.expirationTime
parameter is missing from the CS.cfg.

https://pagure.io/dogtagpki/issue/2656

Change-Id: I8c8c7a1560f986920244f9660b0de10e197f93b4

- - - - -
c006503c by Endi S. Dewata at 2018-01-26T08:07:44Z
Merged TOKEN_APPLET_UPGRADE events.

The TOKEN_APPLET_UPGRADE_* events have been merged into a single
event with different outcomes. Also, it has been encapsulated into
TokenAppletUpgradeEvent class.

https://pagure.io/dogtagpki/issue/2656

Change-Id: Ifa34eacaa5a0da1c8026eb702e09828234d7f0f5

- - - - -
2c614e98 by Endi S. Dewata at 2018-01-26T08:26:00Z
Merged TOKEN_KEY_CHANGEOVER events.

The TOKEN_KEY_CHANGEOVER_* events have been merged into a single
event with different outcomes. Also, it has been encapsulated into
TokenKeyChangeoverEvent class.

https://pagure.io/dogtagpki/issue/2656

Change-Id: I09c5179645c2037ff6208e923f35177104e5babd

- - - - -
d928a667 by Endi S. Dewata at 2018-01-26T23:13:09Z
Updated default audit events.

The default audit events and their filters have been updated in
all PKI subsystem configuration files.

https://pagure.io/dogtagpki/issue/2656

Change-Id: I867a38a366ad7cc23d71f2a0c22996a9ccce8088

- - - - -
a1ff57e0 by Endi S. Dewata at 2018-01-26T23:41:45Z
Using case-insensitive audit event filter.

The code that evaluates audit event filter has been modified to
use case-insensitive attribute value comparison.

https://pagure.io/dogtagpki/issue/2656

Change-Id: I548dee048b0ed70779fb67a8cdfc39943f2bc9b7

- - - - -
5dcab6c7 by Endi S. Dewata at 2018-01-30T20:08:24Z
Refactored pkispawn and pkidestroy logger configuration

The method that configures the loggers for pkispawn and pkidestroy
has been modified to configure the global pki logger as well.

https://pagure.io/dogtagpki/issue/2916

Change-Id: I724d9e0fae37e8c6407fc36a73dca4c38af2b16d

- - - - -
2660c8ca by Endi S. Dewata at 2018-01-30T21:32:30Z
Added pki.nssdb logger.

To help troubleshooting, the pki.nssdb module has been modified to
generate debug logs using the standard Python logger.

https://pagure.io/dogtagpki/issue/2916

Change-Id: Iba74df01fd796fa9fe5fa48f117721d790b7337c

- - - - -
bde116f2 by Endi S. Dewata at 2018-01-30T21:49:09Z
Fixed NSSDatabase.get_cert().

The NSSDatabase.get_cert() method has been modified to ignore the
certutil exit code due to bug #1539996.

https://pagure.io/dogtagpki/issue/2916

Change-Id: I10e489d14bdaaace9f917b797a7da14ac64a9a67

- - - - -
d6a70005 by Endi S. Dewata at 2018-01-31T01:32:31Z
Fixed NSSDatabase.get_cert_info().

The NSSDatabase.get_cert_info() has been modified to use get_cert()
to retrieve the cert since it has the workaround for bug #1539996.
Then it will use Python Cryptography to get the cert info.

A new method has been added into pki module to convert X.509 Name
into NSS-style DN string.

https://pagure.io/dogtagpki/issue/2916

Change-Id: I726e2c442e5b7f351dac2d9515e9f13965d7de3f

- - - - -
8f370068 by Matthew Harmsen at 2018-02-01T01:58:48Z
Enable FIPS ciphers as the new default cipher suites

https://pagure.io/dogtagpki/issue/2855

Change-Id: I968cd0e08f69401cb30ecdbdc86eb1f5049a5f37

- - - - -
8319105b by Endi S. Dewata at 2018-02-01T16:44:00Z
Fixed inconsistent CERT_REQUEST_PROCESSED outcomes.

Some CERT_REQUEST_PROCESSED events in ProcessCertReq have been
modified to generate a FAILURE outcome since there is no cert
issued for the request.

https://pagure.io/dogtagpki/issue/2838

Change-Id: I38656f950599f06bd9969c278137fdd192e26ae8

- - - - -
79e8a8e9 by Ade Lee at 2018-02-01T20:42:44Z
More fixes for non-standard users

Needed to fix some python code that was added that works only on Python 3.
The top level directories for the registry should be owned by
root and be world readable/executable so that different users
can read the registry.

Change-Id: Ic0ce188cb678ff66e1a7370451f8df2285fc1282

- - - - -
dcc66d50 by Ade Lee at 2018-02-01T20:43:06Z
Spec file changes to add registry directories to package

Change-Id: Ib1c3761e33ed4adf107e0288e0fe8452d6071076

- - - - -
c1f607dc by Endi S. Dewata at 2018-02-01T21:39:37Z
Refactored SecurityDataArchivalProcessedEvent.

The SecurityDataArchivalProcessedEvent has been modified to provide
separate factory methods for SUCCESS and FAILURE events.

https://pagure.io/dogtagpki/issue/2848

Change-Id: Ie102aabaa81553ac1ea6963841a0568f1b6e04a5

- - - - -
3c4770d5 by Endi S. Dewata at 2018-02-01T23:42:40Z
Changed audit event types in EnrollmentService.

The EnrollmentService has been modified to generate
SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED instead of
SECURITY_DATA_ARCHIVAL_REQUEST.

https://pagure.io/dogtagpki/issue/2848

Change-Id: I63017c4d9c058daac92fe606f0096402ca78b6ec

- - - - -
933db6ae by Endi S. Dewata at 2018-02-02T00:47:01Z
Added IMAGE_REPO variable for Travis configuration.

The Travis configuration has been modified to support IMAGE_REPO
variable to specify a different image repository. By default it
will use dogtagpki/pki-ci.

Change-Id: Ie34c0950a20298507755748aa5f28a7f54385abd

- - - - -
8a387264 by Endi S. Dewata at 2018-02-02T16:16:28Z
Cleaned up Travis configuration.

The .test_runner_config.yaml has been renamed to ipa-test.yaml and
moved into .travis folder. The task names in .travis_run_task.sh
have been simplified.

Change-Id: I84ed747a6e104ab4037259e0f4f05a3b949f8c6b

- - - - -
55a6fa09 by Christina Fu at 2018-02-02T19:52:22Z
Ticket #2880 missing CMC request and response record

This patch adds audit events to record received CMC requests and signed CMC responses:
CMC_REQUEST_RECEIVED
CMC_RESPONSE_SENT

This patch fixes https://pagure.io/dogtagpki/issue/2880

Change-Id: Id093225b22a2c434e680726442c49b410fa738a3

- - - - -
4d54490f by Endi S. Dewata at 2018-02-02T20:54:01Z
Fixed try-catch block in NetkeyKeygenService.serviceRequest().

The try-catch block in NetkeyKeygenService.serviceRequest() has
been fixed to return false on exception. It also has been split
into two blocks.

https://pagure.io/dogtagpki/issue/2848

Change-Id: Ia78bd5371720dc551c2470898d83597d554183b7

- - - - -
e7ec7d30 by Christina Fu at 2018-02-03T00:39:30Z
Ticket #2920 CMC: Audit Events needed for failures in SharedToken scenarios

This patch adds the missing CERT_STATUS_CHANGE_REQUEST_PROCESSED event in case of shared token failure at revocation;
In addition, a missing validate() call is made for decrypted POP request as well as the failure audit event.

fixes: https://pagure.io/dogtagpki/issue/2920
Change-Id: I45b53f579794c3a5f32cc475a6293240025922c2

- - - - -
74d72d9b by Endi S. Dewata at 2018-02-03T01:35:55Z
Added SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED events in NetkeyKeygenService.

The NetkeyKeygenService.serviceRequest() has been modified to catch
all exceptions and generate SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED
with FAILURE outcome.

https://pagure.io/dogtagpki/issue/2848

Change-Id: I08608fbb21ef14fddc2076d2e993766c30fd3cf0

- - - - -
268cc707 by Jack Magne at 2018-02-03T05:14:47Z
Fix Bug 1522938 - CC: Missing failure resumption detection and audit event logging at startup

This patch addressed two cases listed in the bug:

1. Signing Failure due to bad HSM connection.
2. Audit log failure of some kind.

I felt the best and safest way to handle these conditions was to simply write to the
error console, which results in a simple System.err.println being sent to the former
catalina.out file now covered with the journalctl command.

I considered using some other dogtag log file, but if we are in some sort of emergency
or resource constrained situation, it is best to write the log out most simply.

Quick testing instructions:

1. To see signing failure put this in the CS.cfg for ONLY testing purposes.

ca.signing.testSignatureFailure=true   , This will force an error when trying to sign and log it.

 Approve a certificate request, which will trigger a signing operation.
2. Check the journalctl for a log message.

3. Remove the config value to resume normal operation.

4. To see an audit log failure do the following:

[root at localhost signedAudit]# ps -fe | grep pki
pkiuser   8456     1  2 14:39 ?        00:00:32 /usr/lib/jvm/jre-1.8.0-openjdk/bin/java

lsof /var/lib/pki/pki-tomcat/ca/logs/signedAudit/ca_audit
java    9905 pkiuser  124u   REG  253,0    17298 3016784 /var/log/pki/pki-tomcat/ca/signedAudit/ca_audit

gdb /usr/lib/jvm/jre-1.8.0-openjdk/bin/java 8456   , Use the pid from above

Inside gdb do this:

call close(124)

This will close the file descriptor for the running server.

5. Now just try to do anything with the CS UI and observe errors written to the journalctl log,
having to do with not being able to write to the ca_audit file. If signed audit logging is configured,
many of these conditions will result in the shutdown of the server.

Change-Id: I21c62a5ad6bedfe8678144a764bff2e2a4716dce

- - - - -
c2c5bdad by Christina Fu at 2018-02-04T03:59:12Z
Ticket #2921 CMC: Revocation works with an unknown revRequest.issuer

This patch adds a check between the issuer value of the RevokeRequest against the issuer of the certificate to be revoked.

fixes: https://pagure.io/dogtagpki/issue/2921
Change-Id: Ib2bb2debeb7d1c7ffea1799b5c32630062ddca6a

- - - - -
e634316e by Fraser Tweedale at 2018-02-05T04:51:45Z
Fix profile import dropping backslash characters

When writing (importing, updating) RAW profile data, config values
that have backslashes in them have the backslashes dropped, leading
to issuance failures or issuance of incorrect certificates.  For
example:

  policyset.x.1.default.params.name=CN=$request.req_subject_name.cn$,O=Red Hat\, Inc.

becomes:

  policyset.x.1.default.params.name=CN=$request.req_subject_name.cn$,O=Red Hat, Inc.

which causes issuance failures due to parse failure of the resulting
DN.

This occurs because java.util.Properties is opinionated about what
does or doesn't need to be escaped.  The ProfileSubsystem "raw"
methods originally used Properties to avoid more use of our "custom"
SimpleProperties class.  That turned out to be a mistake, due to
Properties' incompatible treatment of backslashes.  Switch over to
SimpleProperties for handling raw profile data.

Fixes: https://pagure.io/dogtagpki/issue/2909
Change-Id: I5cd738651cbfba0cad607d2b02edea04fe6be561

- - - - -
8629de7f by Matthew Harmsen at 2018-02-07T22:26:27Z
Removed install section from dogtag-pki.spec file

- Bug 1542743 - Unable to build 'dogtag-pki' meta package in Fedora rawhide

Removing the %install section remedied this problem on Fedora 28, and was
basically some benign artifact on previous Fedora platforms.

Change-Id: I5d47e14467ccef29543981573c1323207fe61079

- - - - -
ff70df12 by Jack Magne at 2018-02-07T22:59:43Z
Fix Bug 1542210 - pki console configurations that involves ldap passwords leave the plain text password in debug logs

Simple sensitive data debug log prevention here.

Change-Id: Ic409aaf7e392403c6a4c5afb255a421e1d351c46

- - - - -
49825ff4 by Fraser Tweedale at 2018-02-08T04:41:54Z
Fix lightweight CA key replication

The resolution for issue https://pagure.io/dogtagpki/issue/2654
caused a regression in lightweight CA key replication.  When the
authorityMonitor encounters a CA whose keys are not present,
signingUnit initialisation fails (as expected).  The signing info
event logging behaviour introduced in commit
4551eb1ce6b14e4a37f9c70b3bfd6c9050e13f10 then results in a
NullPointerException, crashing the authorityMonitor thread.

Fix the issue by extracting the signing info event logging behaviour
to a separate method, and invoke that method as the final step of
signingUnit initialisation.

Fixes: https://pagure.io/dogtagpki/issue/2929
Change-Id: Ic6663c09c30754f4fb914dcaf0bc2d902aa91473

- - - - -
9eae7da2 by Endi S. Dewata at 2018-02-09T02:45:22Z
Refactored add_junit_test() (part 1).

The add_junit_test() function has been modified to use lowercase
variable names for clarity.

https://pagure.io/dogtagpki/issue/2908

Change-Id: I2d216fdf946a2fb2420b43030cd1963cfac42587

- - - - -
17fcac5f by Endi S. Dewata at 2018-02-09T04:15:13Z
Disabled failing unit tests.

Some unit tests have been disabled since they are currently
failing. This allows other tests to be enabled later. These
failures need to be investigated further.

https://pagure.io/dogtagpki/issue/2908

Change-Id: If5aa31c10f89fb8388085b59377347338ae729a1

- - - - -
d90ffc38 by Endi S. Dewata at 2018-02-09T05:01:20Z
Refactored add_junit_test() (part 2).

The add_junit_test() function has been modified to support target
dependencies.

The util and server tests have been modified to depend on the
corresponding classes.

https://pagure.io/dogtagpki/issue/2908

Change-Id: Ied9c270f074621f74a69ba20a817ddad7b16b4ed

- - - - -
19b06d85 by Endi S. Dewata at 2018-02-09T05:16:11Z
Added CMake option to run unit tests.

The CMake script has been modified to provide a WITH_TEST option
to control unit test execution. The option is enabled by default.

https://pagure.io/dogtagpki/issue/2908

Change-Id: Iaa7a4ef6f0f72dd9cd20d19f15b916d7cac12a0a

- - - - -
e4616df9 by Endi S. Dewata at 2018-02-09T15:18:07Z
Updated TestRunner output.

The TestRunner has been modified to show the test result and the
location of the test reports.

https://pagure.io/dogtagpki/issue/2908

Change-Id: Icf16ffc56c661ea13667ac48f75e949988ef0069

- - - - -
60ea5173 by Endi S. Dewata at 2018-02-09T16:00:05Z
Added unit test option in pki-core.spec.

The pki-core.spec file has been modified to provide a
"--without test" option to control unit test execution.
The unit test is enabled by default.

The redundant WITH_SERVER parameter has been removed
from CMake invocation.

https://pagure.io/dogtagpki/issue/2908

Change-Id: I614c58adf6852a06254c8e3de5cf53ef212f207b

- - - - -
77ec93da by Timo Aaltonen at 2018-02-09T19:19:50Z
Don't assume /bin -> /usr/bin symlink exists

Be more consistent with hardcoding paths, and use paths that work on
other distros too which don't have a /bin -> /usr/bin symlink.

Change-Id: Ic2c85f074b6703367b882a9e5eb67fce47eff5ab

- - - - -
775dda50 by Endi S. Dewata at 2018-02-09T20:13:12Z
Added unit test option in compose script.

The compose script has been modified to provide a "--without-test"
option to control unit test execution. The unit test is enabled by
default.

https://pagure.io/dogtagpki/issue/2908

Change-Id: I322fb64723457310fc39edacc7f3040508fff1b2

- - - - -
56a9bbb2 by Christian Heimes at 2018-02-12T16:14:46Z
Improve shebang handling and script generation

Instead of hardcoded Python interpreter, the pki, pkispawn, pkidestroy,
pki-upgrade, and pki-server-upgrade are now shell wrappers that are
created by cmake and use @PYTHON_EXECUTABLE@ to use the current Python
interpreter. This will make it easier to update all scripts to Python 3
in the future.

- Convert remaining commands to shell script wrappers.
- Update shell scripts to use @PYTHON_EXECUTABLE@ instead of hard-coded
  'python' binary.
- Remove shebang and executable bit from all Python scriptlets. The
  scriptlets have neither a __main__ entry point nor code.
- Remove shebang from .py files that are installed in site-packages
- Update all remaining /usr/bin/python shebangs to use python2
  explicitly.

Change-Id: I0bf1db42b6d64cba4b854d2f41be1ed6c357f4c8
Signed-off-by: Christian Heimes <cheimes at redhat.com>

- - - - -
b3af944f by Christian Heimes at 2018-02-12T16:49:46Z
Add flags for Python 2 / 3 support

Add flags to enable / disable support for Python 2, Python 3 and to
build pki.server with Python 3 instead of 2.

Change-Id: I75cd5caffa310ae662fc1dff8f6defd58ada346f
Signed-off-by: Christian Heimes <cheimes at redhat.com>

- - - - -
7455cc20 by Endi S. Dewata at 2018-02-12T23:38:01Z
Added two-step installation mode in pkispawn man page.

The pkispawn man page has been updated to include the two-step
installation mode.

https://pagure.io/dogtagpki/issue/2938

Change-Id: Icf2edad5477072e33c8eab556b95d5ad4b986131

- - - - -
d11d6b58 by Endi S. Dewata at 2018-02-13T15:34:58Z
Added Key ID encoder and decoder.

The following methods have been added to encode and decode NSS key
ID properly:
 - CryptoUtil.encodeKeyID()
 - CryptoUtil.decodeKeyID()

A unit test has been added to verify the functionality.

https://pagure.io/dogtagpki/issue/2884

Change-Id: Ib295bc1cb449f544cd0220bfaea1ed0d71136365

- - - - -
275b706f by Endi S. Dewata at 2018-02-13T15:34:58Z
Fixed Key ID encoding and decoding.

The code that encodes and decodes NSS key ID has been changed to
use CryptoUtil.encodeKeyID() and decodeKeyID(), respectively.

https://pagure.io/dogtagpki/issue/2884

Change-Id: Ic97a9f8ea1ad7819c8f6ff0faf732ee04a2174e8

- - - - -
1671d9c3 by Fraser Tweedale at 2018-02-15T04:27:41Z
PKIConnection.get: time out after 5s

There is a contention between the timeouts of PKIConnection.get (the
default for connect(2)) and Instance.wait_for_startup (60s).  When
/etc/hosts contains an IP address for the host which is routable but
not responded to (e.g. during FreeIPA installation with --setup-dns
and --ip-address=<not-yet-existant>), the connection attempt causes
pkispawn() to block for a long duration.  By the time it unblocks,
the Instance.wait_for_startup() timeout has been exceeded and no
further connection attempts are made.  Installation fails.

Avoid this situation by setting a timeout of 5 seconds on
PKIConnection.get().

Fixes: https://pagure.io/dogtagpki/issue/2939
Change-Id: Id746faee9bd9a2a61bbc15f55d9ccbc652997bf1

- - - - -
8fce616a by Christian Heimes at 2018-02-16T07:16:32Z
Fix Python 3 bug in nssdb.get_cert()

In Python 3, subprocess returns stderr and stdout as bytes. Therefore
startswith() must also use bytes to check the error output. cert_data
(stdout) is also bytes, but both b64encode and cryptography's load_pem()
require bytes anyway.

Change-Id: I70f1b235c65ee1d2d3e90d610cb9a9b3444bdd91
Signed-off-by: Christian Heimes <cheimes at redhat.com>

- - - - -
d7db5fa8 by Endi S. Dewata at 2018-02-16T15:27:33Z
Fixed SERVER_SIDE_KEYGEN_REQUEST_PROCESSED filter in KRA.

The filter definition for SERVER_SIDE_KEYGEN_REQUEST_PROCESSED
event in KRA's CS.cfg has been updated to fix a typo.

https://pagure.io/dogtagpki/issue/2656

Change-Id: I6f2e3d38597355e04b1899aeb324db43caefd4df

- - - - -
5d80aee3 by Endi S. Dewata at 2018-02-16T19:16:48Z
Revert "PKIConnection.get: time out after 5s"

The patch apparently causes installation with HSM to fail
since the timeout is too short. It probably should be
implemented as a configurable parameter.

This reverts commit 1671d9c3b3b2bdd48fd74c3229c2869e5cfac80c.

Change-Id: Ibb54ca4b0e2b0071fe5079206dbc0c4e089a7b04

- - - - -
2f8fa5bb by Endi S. Dewata at 2018-02-16T19:23:23Z
Fixed NSSDatabase.add_ca_cert().

The NSSDatabase.add_ca_cert() has been modified to import CA
certificates into internal token instead of HSM since trust
validation is done by NSS using internal token.

https://pagure.io/dogtagpki/issue/2944

Change-Id: I460cd752d741f3f91306c510ce469a023828343b

- - - - -
bc6e505e by Endi S. Dewata at 2018-02-17T01:21:58Z
Converted OPTIONS variable into array.

The OPTIONS variable in compose scripts has been converted into an
array such that it can be modified more easily.

https://pagure.io/dogtagpki/issue/2852

Change-Id: I9ec7d0ca8c9bf04138424fda629cfad26c59feed

- - - - -
6016cea8 by Endi S. Dewata at 2018-02-17T02:08:00Z
Merged release and stage numbers.

The compose_functions has been modified to merge the release and
the stage numbers for simplicity. The USE_STAGE variable is no
longer needed so it has been removed.

https://pagure.io/dogtagpki/issue/2852

Change-Id: I29d01207efc53591152649b56649c842a58099e7

- - - - -
29d10f46 by Endi S. Dewata at 2018-02-17T02:36:52Z
Merged release and stage macros.

The <platform>_release and <platform>_stage macros in all RPM specs
have been merged for simplicity.

https://pagure.io/dogtagpki/issue/2852

Change-Id: Ib422fa7dd5af348f0234ca3911f320aa97d4a9ae

- - - - -
e0275aa8 by Endi S. Dewata at 2018-02-17T03:16:17Z
Added timestamp and commit ID macros.

The RPM specs have been modified to provide _timestamp and _commit
macros for inclusion in the release number.

https://pagure.io/dogtagpki/issue/2852

Change-Id: I1240f9d89c712a19efce12474e1966a0e138b588

- - - - -
cd64f2dd by Endi S. Dewata at 2018-02-17T04:18:40Z
Replaced PKI_RELEASE with macro definitions.

The compose_functions has been modified to use the new macros to
specify the timestamp and commit ID for building the package.

https://pagure.io/dogtagpki/issue/2852

Change-Id: I2d45956d1099e056a40406a406504dfc69febd8c

- - - - -
8542e347 by Endi S. Dewata at 2018-02-17T04:48:22Z
Fixed redundant builds.

The spec files have been modified to combine the make all and make
install commands to avoid redundant builds.

https://pagure.io/dogtagpki/issue/2852

Change-Id: I52a3fa8607d07770e5f60fcf97b1f0042ddc3e6c

- - - - -
11924963 by Endi S. Dewata at 2018-02-17T04:49:18Z
Removed unused PKI_RELEASE variable.

The PKI_RELEASE variable is no longer used so it has been removed
from the compose scripts.

https://pagure.io/dogtagpki/issue/2852

Change-Id: I615840675983c0e353a3aa0648e2a29d3190c07f

- - - - -
7fa0d55d by Endi S. Dewata at 2018-02-17T04:53:58Z
Removed unused pki_release macro.

The pki_release macro is no longer used so it has been removed
from the spec files.

https://pagure.io/dogtagpki/issue/2852

Change-Id: Ide29c52c8be02b8a18d9a1de8d7f24e6d9dce8c8

- - - - -
367d06c6 by Endi S. Dewata at 2018-02-17T05:36:34Z
Removed unused default_release_value variable.

The default_release_value variable is no longer used so it has
been removed from the compose_functions.

https://pagure.io/dogtagpki/issue/2852

Change-Id: I8840ae38d19fc89b9cf2a601e158cf09e7119c6d

- - - - -
2a9db610 by Endi S. Dewata at 2018-02-17T06:14:19Z
Removed unused default_release macro.

The default_release macro is no longer used so it has been removed
from the spec files.

https://pagure.io/dogtagpki/issue/2852

Change-Id: I589bc007139f75bfec8faa879fe0fba8798815bb

- - - - -
f37fca0d by Fraser Tweedale at 2018-02-19T19:50:57Z
Add SystemCertData.toString()

When debugging instance configuration problems related to
certificates, it will be helpful to see the actual certificate data
(e.g. so missing fields can be identified).  Define the toString
method so that the debug log will contain a richer expression of the
value.

Fixes: https://pagure.io/dogtagpki/issue/2859
Change-Id: I3bc5a16278912903a31a207e5d26c26029c725eb

- - - - -
e0c29881 by Dinesh Prasanth M K at 2018-02-19T22:02:05Z
Updated PKI image and disabled IPA tests

Configured to use following config:
- F27
- copr pki 10.6
- Disabled IPA tests

Change-Id: I721756ec1a89a2312d5836f2ea849b1a6c761e33

- - - - -
dff4dcb0 by Endi S. Dewata at 2018-02-19T22:14:14Z
Updated PKIListener.

Previously TomcatJSS was initialized at the first SSL connection
to the server. The PKIListener has been modified to initialize
TomcatJSS at startup time.

https://pagure.io/dogtagpki/issue/2560

Change-Id: I6ac820fe4399b14897b59d88217abd66164db56a

- - - - -
df19661b by Dinesh Prasanth M K at 2018-02-19T23:47:55Z
Added and updated IPA tests

- IPA tests now run from python3-ipatests.
- Runs on F27 image
- Uses IPA COPR 4-6 version

Change-Id: I40c1ddb9967d9565ef0fae2d1479bf1b815b2b6f

- - - - -
e4a72429 by Endi S. Dewata at 2018-02-20T00:26:58Z
Fixed exception handling in CertificateAuthority.initSigUnit().

The CertificateAuthority.initSigUnit() has been modified to chain
the original exception to help troubleshooting.

Change-Id: Id6f7985daf8ed3f5539ce50d22b7b906b784ed3b

- - - - -
17194729 by Endi S. Dewata at 2018-02-20T00:32:12Z
Refactored PKISubsystem.load().

The PKISubsystem.load() has been modified to check whether the
CS.cfg exists before loading it. This allows the class to be
used to construct a subsystem from scratch.

https://pagure.io/dogtagpki/issue/2560

Change-Id: I80dd8f78f96b3c0583ff540742dda234b0be37b0

- - - - -
d1377a16 by Endi S. Dewata at 2018-02-20T00:59:22Z
Added ServerConfiguration class.

A new ServerConfiguration class has been added to encapsulate
Tomcat configuration that has been loaded from server.xml.

https://pagure.io/dogtagpki/issue/2560

Change-Id: I58624314c67631c94b8149d8c716e7df98a26095

- - - - -
16bbf68a by Endi S. Dewata at 2018-02-20T01:42:34Z
Removed unused server-minimal.xml.

https://pagure.io/dogtagpki/issue/773

Change-Id: Ia8f3707c8f043a4d7fc3d4427c9f4c62664031ec

- - - - -
6f9b3dd5 by Endi S. Dewata at 2018-02-20T01:50:49Z
Removed unused workers.properties.

https://pagure.io/dogtagpki/issue/773

Change-Id: I44a9f9a185b135d533d00bc4fb121234874d6f4f

- - - - -
4c93e74d by Christian Heimes at 2018-02-20T09:53:20Z
NSS DB related doc updates

In preparation of the DBM to SQL format switch, occurrences of "cert8.db",
"key3.db", and "secmod.db" have been replaced with the more generic term
"NSS database".

Change-Id: Ifdbc571ac80c8e4af40045437a95cff2a9ba5937
Signed-off-by: Christian Heimes <cheimes at redhat.com>

- - - - -
fa884a1c by Christian Heimes at 2018-02-20T15:20:49Z
Add methods to convert NSSDB from DBM to SQL

A new method NSSDatabase.get_db_type() guesses the database format from
file names. It also validates that all additional files exist if the
master cert[89].db is present.

NSSDatabase.convert_db() converts a database from DBM to SQL format
while preserving ownership and permission as well as fixing SELinux
context. The old files are backed up.

The new feature will be used in a subsequent patch to convert
/etc/pki/pki-tomcat/alias on Fedora 28+.

Change-Id: If338bc8eed77d8f0bd7a6d5703f5cd29ef6f7a7b
Signed-off-by: Christian Heimes <cheimes at redhat.com>

- - - - -
841497dc by Endi S. Dewata at 2018-02-20T15:43:17Z
Removed unused tomcat-users.xml.

https://pagure.io/dogtagpki/issue/773

Change-Id: I757d78964869e0237202b7be6eeb05dcbd204b1f

- - - - -
a73eb66d by Christian Heimes at 2018-02-20T15:53:02Z
Add Python 3 default to pki-core.spec

The pki-core packages now support Python 3 as default Python for all
commands like pkispawn and pkidestroy. The pki-base and pki-server
packages can be built for Python 3. Optionally packages can be built
without Python 2 support and without any Python 2 dependencies.

The Python 2 and 3 client packages have been renamed to python[23]-pki
to follow Fedora's packaging guidelines. The packages still provide
pki-base-python[23].

A new package python2-pki has been added that contains the Python 2 bits
of pki client package. The pki-base package either depends on
python2-pki or python3-pki.

See http://pki.fedoraproject.org/wiki/PKI_10.6_Python_Support for more
details.

Change-Id: I020766027f38da9bb0982d85dd4ae7d39a7487ac
Signed-off-by: Christian Heimes <cheimes at redhat.com>

- - - - -
90d633bc by Christian Heimes at 2018-02-20T17:14:56Z
Unify config loading and NSS default db type

The inclusion of pki.conf shell snippets and handling of
NSS_DEFAULT_DB_TYPE env var is now simplified and unified. The default
DB type is no longer a user modifiable setting. The selection of NSS DB
type is platform and release specific. The value is controlled by the
CMake flag PKI_NSS_DB_TYPE.

All shell scripts source a common /usr/share/pki/scripts/config file.
The config file loads default, system-wide, and user pki.conf. It also
ensures that NSS_DEFAULT_DB_TYPE is set correctly. Now all scripts support
~/.dogtag/pki.conf, too.

Tomcat services load a default tomcat.conf environment file from
/usr/share/pki/etc/, which sets NSS_DEFAULT_DB_TYPE for pki-tomcatd and
pki-tomcatd-nuxwdog.

Change-Id: I36fc28e9098de9db9f81a1dfd521292b27d57550
Signed-off-by: Christian Heimes <cheimes at redhat.com>

- - - - -
72dc1a87 by Endi S. Dewata at 2018-02-20T19:42:11Z
Removed unused web.xml.

https://pagure.io/dogtagpki/issue/773

Change-Id: Ibe86c2f85f5c86e1bfb003bcc2548f53e5f9fadd

- - - - -
edd79d6c by Christian Heimes at 2018-02-20T20:46:15Z
Export all conf vars in single location

All exports of pki.conf vars are handled in central config script.
pki-upgrade now also includes the config script, too.

Change-Id: Icc5e6fe13d6ce70adb6770ff5d2673ec3d642148
Signed-off-by: Christian Heimes <cheimes at redhat.com>

- - - - -
cbc83853 by Endi S. Dewata at 2018-02-20T21:40:49Z
Added pki-server http-connector CLI.

A new CLI module has been added to manage PKI server's HTTP
secure and unsecure connectors.

https://pagure.io/dogtagpki/issue/2560

Change-Id: I1fec1275ede117c9e2c74d5eea248a96d6174759

- - - - -
4ff46e50 by Endi S. Dewata at 2018-02-21T01:49:14Z
Fixed local ID encoding for pki pkcs12 CLI.

The pki pkcs12 CLI has been modified to use byte array to store
local ID instead of BigInteger to ensure proper encoding.

https://pagure.io/dogtagpki/issue/2560

Change-Id: I5a3801b5d796621a65d3db2867d1ff219cc99b70

- - - - -
4d05bf71 by Fraser Tweedale at 2018-02-21T16:49:52Z
Bump tomcatjss dependency to 7.3.0

Commit dff4dcb05883ec9d60ed57339f20ce9906df61eb introduced a
dependency on tomcatjss >= 7.3, but there was no corresponding bump
in the spec file.  Bump it now.

Change-Id: I026bc6ed8586ad8aa183e6b60b4ee769b8f95c86

- - - - -
dfeb3c66 by Fraser Tweedale at 2018-02-21T18:20:12Z
libtps.so: link zlib

nss-3.35 no longer links zlib.  libtps calls `compress` and
`uncompress` but we were not explicitly linking zlib so the build
fails as of nss-3.35.  Include -lz when linking libtps.

Fixes: https://pagure.io/dogtagpki/issue/2946
Change-Id: If26d71d8c6ad2cc89f60c0de26ccf48673971d55

- - - - -
d7ecd7c2 by Endi S. Dewata at 2018-02-22T00:49:07Z
Fixed CalledProcessError handlers in pki and pki-server CLI.

The pki and pki-server CLIs have been modified to show the external
command as a string instead of array to simplify troubleshooting.

Change-Id: I15d8dfae05e5cf70b1ae2dba844302e679ee4622

- - - - -
210f0c64 by Endi S. Dewata at 2018-02-22T02:01:37Z
Updated friendly name field in PKCS12KeyInfo.

The PKCS12KeyInfo has been modified to store the certificate
nickname instead of subject DN in the friendlyName field.

https://pagure.io/dogtagpki/issue/2945

Change-Id: Ieb7675b9e48bd0392fe32cc9538d8ff9123d6655

- - - - -
00f42e80 by Endi S. Dewata at 2018-02-22T02:32:13Z
Updated friendly name field in PKCS12CertInfo.

The nickname field in PKCS12CertInfo and related variables and
methods have been renamed to friendlyName for consistency.

https://pagure.io/dogtagpki/issue/2945

Change-Id: Ida5e9b63975670a0ac3a34e7ee83abae30c3c554

- - - - -
285f8213 by Endi S. Dewata at 2018-02-22T02:33:33Z
Removed redundant PKCS12Util.createLocalID().

The PKCS12Util.createLocalID() has been replaced with
SafeBag.getLocalKeyIDFromCert().

https://pagure.io/dogtagpki/issue/2945

Change-Id: I6fc232617b2bf1453192df201794ccf3aacf0f40

- - - - -
48864895 by Christian Heimes at 2018-02-22T15:39:25Z
Use cached results of read_environment_files()

KeyClient.get_client_keyset() no longer calls read_environment_files()
in every call. The read_environment_files() spawns a shell process to
source default and global pki.conf and updates the process' environ.

The get_client_keyset() only parses the function, when KEY_WRAP_PARAMETER_SET
env var is not present yet.

Fixes: https://pagure.io/dogtagpki/issue/2851
Change-Id: Ibe285d9070487fc78200b8b11e14e0ca651ab458
Signed-off-by: Christian Heimes <cheimes at redhat.com>

- - - - -
aedf5d7a by Christian Heimes at 2018-02-22T18:26:56Z
Drop pki_root_prefix parameter

The pki_root_prefix parameter allows installing PKI instances in
non-standard locations, but those instances will not be upgraded
automatically, which may cause confusion. To avoid this problem, the
pki_root_prefix should be dropped.

Fixes: https://pagure.io/dogtagpki/issue/2919
Change-Id: I4700489f047b1fea95f6fa5db1f65f40776caa28
Signed-off-by: Christian Heimes <cheimes at redhat.com>

- - - - -
8fbe83f9 by Christian Heimes at 2018-02-22T20:26:38Z
Use SQL format NSS database on F28

On Fedora 28, Dogtag now uses the new SQL format for NSS databases instead of
the old DBM format. The SQL format with sqlite files is the new default format
since Fedora 28. It supports concurrent access.

Existing NSS databases are migrated from DBM to SQL format. All commands
use SQL format.

Change-Id: I3f470f6cfe5dd8545a97a7c09b1822656656ea17
Signed-off-by: Christian Heimes <cheimes at redhat.com>

- - - - -
4a066ac2 by Endi S. Dewata at 2018-02-22T20:33:26Z
Fixed key and cert order in PKCS12Util.generatePFX().

The PKCS12Util.generatePFX() has been modified to import the keys
before the certificates to match pk12util.

https://pagure.io/dogtagpki/issue/2945

Change-Id: I8df8696762241b6f305c4d91bda7904bf60feac6

- - - - -
78af477f by Endi S. Dewata at 2018-02-22T20:35:32Z
Fixed MAC computation in PKCS12Util.generatePFX().

The PKCS12Util.generatePFX() has been modified to use the same
salt size and number of iterations as in pk12util when computing
MAC data.

https://pagure.io/dogtagpki/issue/2945

Change-Id: I73a4ac277e524e1b5ec7306c3940bb672a254cdb

- - - - -
bc3020ef by Endi S. Dewata at 2018-02-22T23:06:13Z
Added cert/key encryption options for pki pkcs12 CLI.

The pki pkcs12-export and pki-server cert-export commands have been
modified to provide options to select the cert and key encryption
algorithms to use.

https://pagure.io/dogtagpki/issue/2945

Change-Id: Ic841790221589bf81c9bc91d1e2373f193a370be

- - - - -
eeef5567 by Christian Heimes at 2018-02-23T16:10:50Z
Fix Fedora 28 requirements and NSS db type

On Fedora 28, pki-server now uses correct Python 3 dependencies and
shared SQL NSS database.

pki-server's requirements for Python 2 and 3 were switched. The cmake
wasn't updated after the variable was renamed to PKI_NSS_DB_TYPE.

Change-Id: Ibfea8ec8ce62be927d4ff0c7ad1e20095a5a7797
Signed-off-by: Christian Heimes <cheimes at redhat.com>

- - - - -
00bd20cb by Endi S. Dewata at 2018-02-23T18:16:02Z
Updated logging in realm classes.

The logging in PKIRealm and ProxyRealm classes has been updated
to use SLF4J logger.

https://pagure.io/dogtagpki/issue/195

Change-Id: I314f0a2ab46b4204c9c2adec134b58ba34d91d66

- - - - -
39c45d0d by Endi S. Dewata at 2018-02-24T00:44:27Z
Refactored logger level configuration.

The code that configures logger level for PKI classes has been
consolidated into PKILogger.setLevel().

https://pagure.io/dogtagpki/issue/195

Change-Id: Iff9bb9ad4ff843e37c3e2d6d53ce7b7a2f564823

- - - - -
bdb987c8 by Endi S. Dewata at 2018-02-24T01:24:19Z
Replaced JUL API with SLF4J API.

The code that logs using JUL API has been modified to use the more
generic SLF4J API.

https://pagure.io/dogtagpki/issue/195

Change-Id: I2803275b31421cd69aa38eb9a1d3affce4c68c4a

- - - - -
1c40faea by Endi S. Dewata at 2018-02-24T04:51:16Z
Updated logging in CMSEngine.

The CMSEngine has been modified to use SLF4J logging API.

https://pagure.io/dogtagpki/issue/195

Change-Id: I5696ecfd62391ea98a9448eaebb063f587f77a82

- - - - -
05b2e6c4 by Endi S. Dewata at 2018-02-25T20:09:56Z
Updated logging in AccountService.

The AccountService has been modified to use SLF4J logging API.

https://pagure.io/dogtagpki/issue/195

Change-Id: I6b287ec62da2f7540123f2036f7d9b755f701280

- - - - -
3e3a840c by Endi S. Dewata at 2018-02-25T20:42:52Z
Updated logging in PKI Tomcat classes.

PKI Tomcat classes have been modified to use JUL instead of SLF4J
to avoid library loading issue.

https://pagure.io/dogtagpki/issue/195

Change-Id: I012182400f8731e10d4a494578b1560ba8043638

- - - - -
881ab15e by Endi S. Dewata at 2018-02-26T01:59:48Z
Fixed pki pkcs12-import.

The pki pkcs12-import has been modified to parse the
pki pkcs12-cert-find output properly.

https://pagure.io/dogtagpki/issue/2945

Change-Id: I1bcdea496896a6f70156f7ca5bb2419c3966f132

- - - - -
5e1e2104 by Endi S. Dewata at 2018-02-26T02:38:35Z
Updated CMake scripts for PKI Tomcat classes.

The CMake scripts have been modified to compile all PKI Tomcat
classes at once such that the dependency can be defined properly
for each Tomcat version.

https://pagure.io/dogtagpki/issue/2560

Change-Id: Ie72cf2098dbff3242ab3dc3e498611a48a7f3690

- - - - -
18a61b2f by Endi S. Dewata at 2018-02-26T15:16:47Z
Removed NSS DBM dependency in security_databases.py.

The security_databases.py has been modified to set the permission
and remove the whole NSS database directory instead of individual
NSS DBM files.

https://pagure.io/dogtagpki/issue/167

Change-Id: I1542c7858dea16c781ebb3e415b2540abbf6720b

- - - - -
25a3e940 by Christian Heimes at 2018-02-26T16:18:22Z
Execute upgrade and NSSDB conversion with service

pki-server-upgrade calls have been moved out of the RPM post install
hook into the systemd service. Each instance start ensures that the
instance is up to date.

10.6.0 update may not trigger the NSSDB migration, e.g. on Fedora 27.
Attempt to migrate for all version upgrades and in systemd service. It's a
fast and idempotent call.

Change-Id: Ia8c1f910570a361e9fa29519a856180f37d5d7a1
See: https://pagure.io/dogtagpki/issue/167
Signed-off-by: Christian Heimes <cheimes at redhat.com>

- - - - -
61bec69f by Endi S. Dewata at 2018-02-27T00:28:27Z
Fixed pki-server cert CLI.

The pki-server cert CLI has been changed such that it can run
based on the list of certificates defined in CS.cfg even if the
certificates themselves are not available yet in the NSS database.

The security_databases.py has been modified to store the system
cert nicknames and token names in CS.cfg such that the pki-server
cert CLI can be used to export certificates during installation.

https://pagure.io/dogtagpki/issue/203

Change-Id: I046cfa7d45e2d0ae7b6de353d0840db0899789f7

- - - - -
d9ec2bee by Endi S. Dewata at 2018-02-27T05:31:06Z
Added separate logging for each subsystem.

The links to SLF4J libraries have been moved into each subsystem
to allow separate logging. A new logging.properties file has been
added to each subsystem as well.

The pki.policy has been modified to allow Tomcat JULI to read the
logging.properties and write log files for each subsystem.

https://pagure.io/dogtagpki/issue/195

Change-Id: I6c8b6e6744408e21d620ca1983b2be18c353de73

- - - - -
3912fd55 by Endi S. Dewata at 2018-02-27T05:31:06Z
Updated CMS.debug() to use Tomcat JULI.

The CMS.debug() method has been modified to use Tomcat JULI logger.
The PKI log levels (1=OBNOXIOUS, 5=VERBOSE, 10=INFORM) are mapped
to FINEST, FINE, INFO, and anything above 10 is mapped to WARNING.

Unused code in the Debug class has been removed.

https://pagure.io/dogtagpki/issue/195

Change-Id: Ib6193833bc25561758dffbfc316ce3a8cd7db4d3

- - - - -
c6630a42 by Christina Fu at 2018-02-27T18:15:14Z
Ticket #2949 CMCAuth throws org.mozilla.jss.crypto.TokenException: Unable to insert certificate into temporary database

This patch addresses the "TokenException: Unable to insert certificate into temporary database" issue caused by CMC authentication.  During the CMC authentication, looks like the following JSS CryptoManager call actually tries to import the certificate temporarily into the token and causes conflicts:
public boolean isCertValid(byte[] certPackage, boolean checkSig,
            CertUsage certUsage)
That call is not appropriate for the purpose.

Looking closely,  certificate validation has been done in various places:
* SSL client authentication (if used)
* the isRevoked() call either in agent authentication or in CMCUserSignedAuth
* the cert.checkValidity() call in CMCUserSignedAuth

The extra isCertValid call is not only redundant but also problematic.

This patch fixes https://pagure.io/dogtagpki/issue/2949

- - - - -
0abff3e1 by Endi S. Dewata at 2018-02-27T19:34:51Z
Added SLF4J library for PKI Tomcat classes.

The build and install scripts have been modified to provide
links to SLF4J library in the <instance>/lib directory such
that it can be used by PKI Tomcat classes without interfering
with subsystem logging.

https://pagure.io/dogtagpki/issue/195

Change-Id: I049f5e826f75b6aee9e68085d37e2e2780f7e918

- - - - -
b38452d9 by Endi S. Dewata at 2018-02-27T22:40:24Z
Updated logging in PKI Tomcat classes.

This reverts commit 3e3a840caee07b0b0dd1bb937146f6c4d91047b8.

The PKI Tomcat classes have been updated again to use SLF4J
logging API since now it can be used without interference with
subsystem logging.

https://pagure.io/dogtagpki/issue/195

Change-Id: I7cf56b80cf3c603e4cbc57cff1583e5987ad98aa

- - - - -
dbbdf75f by Endi S. Dewata at 2018-02-27T22:45:02Z
Fixed CryptoUtil.sortCertificateChain().

The CryptoUtil.sortCertificateChain() has been modified to support
sorting incomplete certificate chain.

https://pagure.io/dogtagpki/issue/203

Change-Id: I978e9cc3069d78b7d46c654b8733b0bf65e86b29

- - - - -
132ddb4f by Fraser Tweedale at 2018-02-27T23:48:02Z
pkispawn: make status check timeout configurable

There is a contention between the timeouts of PKIConnection.get (the
default for connect(2)) and Instance.wait_for_startup (60s).  When
/etc/hosts contains an IP address for the host which is routable but
not responded to (e.g. during FreeIPA installation with --setup-dns
and --ip-address=<not-yet-existant>), the connection attempt causes
pkispawn() to block for a long duration.  By the time it unblocks,
the Instance.wait_for_startup() timeout has been exceeded and no
further connection attempts are made.  Installation fails.

This situation can be avoided by setting a reasonable timeout on
PKIConnection.get().  An earlier attempt set a fixed timeout of 5
seconds (commit 1671d9c3b3b2bdd48fd74c3229c2869e5cfac80c), but this
caused problems with installation in HSM environments and was
reverted.  This commit addresses the issue by making the timeout
configurable (defaulting to None) via the pki_status_request_timeout
pkispawn config knob.

Fixes: https://pagure.io/dogtagpki/issue/2939
Change-Id: I3c6705b3e5d7b66b269f2dbb22a099450496268e

- - - - -
94894a3b by Endi S. Dewata at 2018-02-28T01:00:52Z
Added trust manager for Tomcat's NIO connector.

A new PKITrustManager has been added to validate incoming SSL
client certificate against trusted CA certificates.

The class also depends on pki-nsutil.jar and pki-cmsutil.jar so
they have been moved into the commons/lib folder.

The pki-server http-connector-mod CLI has been modified to remove
the options for truststore file and password since the connector is
now configured using the trust manager instead of PKCS #12 file.

https://pagure.io/dogtagpki/issue/203

Change-Id: I00d88f43d9952f9de6e72fe4cf4f42d1b8f31178

- - - - -
a60744da by Endi S. Dewata at 2018-02-28T02:16:32Z
Moved PKIFormatter.

The PKIFormatter class has been moved into a more appropriate
package: org.dogtagpki.util.logging.

https://pagure.io/dogtagpki/issue/195

Change-Id: Ie7db969235838b2668453572136c445190afb6ef

- - - - -
dbce4965 by Endi S. Dewata at 2018-02-28T02:30:02Z
Logging cleanup.

The Debug class has been modified to use PKILogger to set the
log level. Some LoggerFactory.getLogger() invocations have been
simplified.

https://pagure.io/dogtagpki/issue/195

Change-Id: I2175888b08d04ae1f42efebbad3d213b07b82ef5

- - - - -
d94c9506 by Endi S. Dewata at 2018-02-28T05:20:58Z
Update pki-server migrate.

The pki-server migrate CLI has been updated to create links to
log4j.properties and SLF4J libraries in addition to the standard
Tomcat libraries.

https://pagure.io/dogtagpki/issue/195

Change-Id: I10c4c39388cd218254e870c9f74454be55f5ad95

- - - - -
dd8bdc6c by Endi S. Dewata at 2018-02-28T16:19:04Z
Added instance name option for pki-server migrate.

The pki-server migrate CLI has been modified to provide an option
to select the instance to be migrated. If not specified, all
instances on the system will be migrated.

https://pagure.io/dogtagpki/issue/167

Change-Id: I155919bca5ef1fbdd96aaf9bda916fed452cf707

- - - - -
d06bed84 by Endi S. Dewata at 2018-02-28T21:30:11Z
Moved pki-server migrate into systemd unit file.

The pki-server migrate execution has been moved from RPM spec into
systemd unit file such that the migration will be executed while
the server is not running.

https://pagure.io/dogtagpki/issue/2947

Change-Id: Id5ecc91d61e27f09cf53fd6ed6fce8db8c6ae96a

- - - - -
e4384d2c by Endi S. Dewata at 2018-02-28T21:57:18Z
Moved NSS migration into pki-server migrate.

The code that migrates NSS database from DBM into SQL has been
moved from pki-server-upgrade into pki-server migrate.

https://pagure.io/dogtagpki/issue/2947

Change-Id: I70f45dcbd4f84d041caf4c5b7b9b0b52fd7dd76e

- - - - -
c02268cc by Endi S. Dewata at 2018-02-28T22:26:37Z
Moved pki-server-upgrade into RPM spec.

The pki-server-upgrade execution has been moved back from systemd
unit file into RPM spec since some operations need root permission.

https://pagure.io/dogtagpki/issue/2947

Change-Id: I21b490c4abecba734329e9b706596f9ebd777e1f

- - - - -
b02c55c5 by Endi S. Dewata at 2018-03-02T02:13:55Z
Refactored wait_for_startup() (part 1).

The wait_for_startup() method in pkihelper.py has been modified
to create the PKIConnection object only once, then reuse it for
each invocation of get_instance_status().

https://pagure.io/dogtagpki/issue/203

Change-Id: I6b55e35589027b9cefd7310eacc1d7125195564a

- - - - -
0a05eab2 by Endi S. Dewata at 2018-03-02T02:18:21Z
Refactored wait_for_startup() (part 2).

The wait_for_startup() method in pkihelper.py has been modified
to handle the exceptions thrown by get_instance_status(). If it
is an SSLError, the method will terminate immediately. If it's a
ConnectionError, it will wait for the server to start.

https://pagure.io/dogtagpki/issue/203

Change-Id: I70f97c08b1ff3dbf54e6ee5657fcf1af1605ccaa

- - - - -
336e2a7b by Endi S. Dewata at 2018-03-02T03:15:44Z
Updated logging for CertUtil.

https://pagure.io/dogtagpki/issue/195

Change-Id: Ibaff829cbb9ba94e3461ba30bd13d639235ba54c

- - - - -
4dc93f0c by Endi S. Dewata at 2018-03-02T15:25:17Z
Updated logging in LDAPProfileSubsystem.

https://pagure.io/dogtagpki/issue/195

Change-Id: I6dabb69bfb7b4078cfde232851eeee038634c6c0

- - - - -
92d5462b by Endi S. Dewata at 2018-03-02T16:10:48Z
Updated logging in ConfigurationUtils.

https://pagure.io/dogtagpki/issue/195

Change-Id: Iabc876816d0ebfef48575100841413a894943be0

- - - - -
8922995b by Endi S. Dewata at 2018-03-02T16:29:01Z
Updated logging in GetStatus.

https://pagure.io/dogtagpki/issue/195

Change-Id: I52efafd393dd5c22a720b68badf72911d62d1cdc

- - - - -
1dce9d03 by Endi S. Dewata at 2018-03-02T20:29:19Z
Replaced pki pkcs12-cert-add with pki pkcs12-cert-import.

Currently the pki pkcs12-cert-add provides an option to import a
cert into a new file. For consistency, a new pki pkcs12-cert-import
has been added with an option to import the cert into an existing
file. Now the pki pkcs12-cert-add has been deprecated and the man
page has been updated accordingly.

https://pagure.io/dogtagpki/issue/203

Change-Id: Ifddcbfdd0ffb86987f575cf08b5d395169e3d1fe

- - - - -
7f0415e5 by Endi S. Dewata at 2018-03-02T22:20:02Z
Refactored PKIInstance.export_external_certs().

The PKIInstance.export_external_certs() has been modified to use
the new pki pkcs12-cert-import.

https://pagure.io/dogtagpki/issue/203

Change-Id: I98532efbf5de5da021753795f09327d120459a34

- - - - -
948bddc5 by Endi S. Dewata at 2018-03-02T22:20:44Z
Refactored PKISubsystem.export_system_cert().

The PKISubsystem.export_system_cert() has been modified to use
the new pki pkcs12-cert-import.

https://pagure.io/dogtagpki/issue/203

Change-Id: I9c88896bcfa0b753a4720cd63020c33b5eaba0ee

- - - - -
cb909274 by Endi S. Dewata at 2018-03-03T02:44:02Z
Fixed duplicate PKCS #12 import during cloning.

The pkihelper.py has been modified such that if a PKCS #12 file is
provided using pki_clone_pkcs12_path parameter, it will only be
imported once by security_database.py, and it will not be imported
again by the configuration servlet.

Change-Id: I8ecd1dfda6fe9dda402c20ab4caa5ecd288bee88

- - - - -
001f2c39 by Endi S. Dewata at 2018-03-05T14:08:28Z
Refactored PKCS12Util.loadCertFromNSS().

Previously PKCS12Util.loadCertFromNSS() would load a certificate
from NSS database and import it into PKCS #12 with a nickname from
the NSS database. The method has been modified to provide an optional
parameter to import the certificate with a different nickname.

https://pagure.io/dogtagpki/issue/203

Change-Id: Ied6b4b341961b80ae0329ee2cf6c71c977220673

- - - - -
f4c4b3ea by Endi S. Dewata at 2018-03-05T14:19:56Z
Added cert and key encryption options for pki pkcs12-cert-import.

The pki pkcs12-cert-import has been modified to provide cert and
key encryption options as in pki pkcs12-export. The command also
provides an option to import with a different nickname.

https://pagure.io/dogtagpki/issue/203

Change-Id: Ie02043f9f9c2e1cfe369ac42465e97c00b1ff78d

- - - - -
7eebed29 by Endi S. Dewata at 2018-03-05T15:07:23Z
Added NSSDatabase.export_cert().

A new NSSDatabase.export_cert() method has been added which is
similar to export_pkcs12(), but it only exports one certificate
into a PKCS #12 file, and also provides an optional parameter to
use a different nickname.

https://pagure.io/dogtagpki/issue/203

Change-Id: Ia9764cc874c253113ac362f2b2ce5beb93e7a0e9

- - - - -
8f438fb6 by Endi S. Dewata at 2018-03-05T15:17:24Z
Added nickname option for pki-server cert-export.

The pki-server cert-export has been modified to provide an option
to export a system certificate into PKCS #12 with a different
nickname.

https://pagure.io/dogtagpki/issue/203

Change-Id: Icf242524ae5c2bc35265119c9c3999ca760bfe81

- - - - -
27142606 by Christian Heimes at 2018-03-05T20:05:01Z
Modernize sslget's TLS version and cipher suite

Disable all cipher suites unless NSS says it's a FIPS approved suite.

* SSL 2.0 and SSL 3.0 are disabled
* Broken or weak suites with 3DES, RC4 and effective key bits less than
  80 bits are disabled.

Fixes: https://pagure.io/dogtagpki/issue/2918
Change-Id: Iae0f0bf5a17d3c2dc1e6e4db1420a6b9da11a6a8
Signed-off-by: Christian Heimes <cheimes at redhat.com>

- - - - -
d08ceb23 by Endi S. Dewata at 2018-03-06T00:21:36Z
Added nickname param for PKCS12Util.loadKeyInfoFromNSS().

Previously PKCS12Util.loadKeyInfoFromNSS() would load a key from
NSS database and import it into PKCS #12 with the certificate's
nickname in NSS database. The method has been modified to provide an
optional parameter to import the key with a different nickname.

https://pagure.io/dogtagpki/issue/203

Change-Id: Ife0f436879766ed2a1a62ff7c22a0792393e5f53

- - - - -
54d1586f by Endi S. Dewata at 2018-03-06T17:30:27Z
Fixed pki-server migrate for Python 3.

The pki-server migrate has been fixed to write XML document as
UTF-8 encoded byte as required by Python 3.

https://pagure.io/dogtagpki/issue/2560

Change-Id: Ib7ea53105877c87a84a656e4b6e5a1b044273761

- - - - -
7d570fff by Endi S. Dewata at 2018-03-07T01:39:39Z
Renamed RPM spec templates to *.spec.in.

To distinguish from actual RPM specs, the RPM spec templates have
been renamed to *.spec.in. All references to the templates have
been updated accordingly.

Some unused theme build files have been removed as well.

https://pagure.io/dogtagpki/issue/2923

Change-Id: Id5fdb9a22307721e54eac708ceedef8b414d2a18

- - - - -
21b25555 by Endi S. Dewata at 2018-03-07T03:15:38Z
Removed changelog entries from RPM spec templates.

Changelog entries should only be added in downstream RPM spec
files (e.g. Fedora, RHEL), so they have been removed from upstream
RPM spec templates. The list of changes upstream can be obtained
directly from git repository.

https://pagure.io/dogtagpki/issue/2923

Change-Id: I58b276c441e225f7a812dd9dd09e19ef043cc3bb

- - - - -
970b3654 by Endi S. Dewata at 2018-03-07T04:20:10Z
Removed unused compose targets.

The unused hybrid_* and patched_* targets for compose scripts have
been removed.

https://pagure.io/dogtagpki/issue/2923

Change-Id: If32440c3dddf32be26d47e258c3d1f4295da011a

- - - - -
389773c9 by Endi S. Dewata at 2018-03-07T04:35:46Z
Removed unused variables and functions in compose scripts.

The following variables and functions have been removed from the
compose scripts since they are no longer used:

* FETCH_PATCH_FILES
* FETCH_SOURCE_TARBALL
* FETCH_RHEL_PATCH_FILES
* FETCH_RHEL_SOURCE_TARBALL
* Fetch_Patch_Files()
* Fetch_Source_Tarball()

https://pagure.io/dogtagpki/issue/2923

Change-Id: Iaf6ff874d1d4af6e5a4e5a4278ee5ecf711abeb3

- - - - -
67059fae by Fraser Tweedale at 2018-03-07T22:55:11Z
IPAddressName: remove unused getLength method

Part of: https://pagure.io/dogtagpki/issue/2922
Change-Id: I732bd39446efcce18b6dc597d9c613a6b0a6422d

- - - - -
93d6af74 by Fraser Tweedale at 2018-03-07T22:55:11Z
parseGeneralName: properly parse iPAddress GN with netmask

There are a couple of problems with iPAddress general name parsing
(primarily used for the Name Constraints extension).

First, an IP address with netmask expressed as e.g.
1.2.3.4,255.0.0.0 or ::1,ffff:: is outright rejected, causing
issuance failure with a message like:

  NameConstraintsExtDefault: createExtension
    netscape.security.x509.InvalidIPAddressException: Invalid IP
    Address '10.10.10.10,255.255.255.0'

Second, an IPv4 address with CIDR-style netmask is misinterpreted as
an IPv6 address _without_ netmask, e.g. the input "192.168.1.1/24"
gets misinterpreted as "c0a8:1c8:ffff:ffff:000:000:000:000", which
is not a conforming value in the Name Constraints extension.

To resolve these problems, separate the handling of these two cases
and fix the logic.  A new class, CIDRNetmask, does the heavy lifting
in the CIDR netmask case.

Consider the following configuration (irrelevant keys and key
prefixes omitted for brevity). It contains values which caused
failures or incorrect outputs:

  nameConstraintsExcludedSubtreeNameChoice_0=IPAddress
  nameConstraintsExcludedSubtreeNameValue_0=10.10.10.10/24
  nameConstraintsExcludedSubtreeNameChoice_1=IPAddress
  nameConstraintsExcludedSubtreeNameValue_1=10.10.10.10,255.255.255.0
  nameConstraintsExcludedSubtreeNameChoice_2=IPAddress
  nameConstraintsExcludedSubtreeNameValue_2=dead:beef::1/128
  nameConstraintsExcludedSubtreeNameChoice_3=IPAddress
  nameConstraintsExcludedSubtreeNameValue_3=dead:beef::,ffff:ffff::

This configuration now succeeds and produces the correct output.
The extension value produced using the above configuration is (per
OpenSSL pretty print):

  X509v3 Name Constraints: critical
    Excluded:
      IP:10.10.10.10/255.255.255.0
      IP:10.10.10.10/255.255.255.0
      IP:DEAD:BEEF:0:0:0:0:0:1/FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF
      IP:DEAD:BEEF:0:0:0:0:0:0/FFFF:FFFF:0:0:0:0:0:0

Part of: https://pagure.io/dogtagpki/issue/2922
Change-Id: I61d5fcceadcca28cc951802ee4b95691653dd356

- - - - -
c8ca22a5 by Fraser Tweedale at 2018-03-07T22:55:11Z
GeneralNameInterface: methods for checking name validity

Some general names may be valid only for describing a single subject
(e.g. Subject Alt Name extension), or for describing a range of
subjects (e.g. Name Constraints extension).  For example, an
iPAddress name MUST have 4 (IPv4) or 16 (IPv6) octets in the
"single" context, or 8 (IPv4) or 32 (IPv6) octets in range context.

Add the validSingle() and validSubtree() methods to
GeneralNameInterface and all implementing classes.  These methods
can be used to check whether the value is valid for use in the
corresponding context.

Part of: https://pagure.io/dogtagpki/issue/2922

Change-Id: Ib77286b309f1d505fe15313483ec658a55780f83

- - - - -
ab401936 by Fraser Tweedale at 2018-03-07T22:55:11Z
Check validity of Subject/Issuer Alt Names and Name Constraints

Different forms of some GeneralName types (in particular, iPAddress)
are valid only in "single subject" or "multiple subject / range"
context.  Update SubjectAltNameExtDefault, IssuerAltNameExtDefault
and NameConstraintsExtDefault to check the validity of GeneralName
values for use in the prevailing context.

This change prevents certificates being issued with netmasked
iPAddress values in the SAN/Issuer Alt Name extension, or
non-netmasked iPAddress values in the Name Constraints extension.

Fixes: https://pagure.io/dogtagpki/issue/2922
Change-Id: I42478e2b554e7d53a7c07db59208bf855b476572

- - - - -
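The iPAddress handling described in commits 93d6af74, c8ca22a5 and ab401936 above, as an added Python illustration that is not part of the commit log and not the project's Java code. The function names are hypothetical; the sample values are the ones quoted in the 93d6af74 message.

```python
import ipaddress

# Octet counts stated in commit c8ca22a5: 4 or 16 for a single subject,
# 8 or 32 (address followed by netmask) for a range of subjects.
SINGLE_LENGTHS = (4, 16)
SUBTREE_LENGTHS = (8, 32)

# Extensions named in commit ab401936 and the context each one requires.
SINGLE_EXTENSIONS = ("subjectAltName", "issuerAltName")
SUBTREE_EXTENSIONS = ("nameConstraints",)


def parse_ip_general_name(value):
    """Return the iPAddress octets for 'addr', 'addr/prefixlen' or 'addr,netmask'.

    The two netmask notations are handled separately, which is the fix the
    93d6af74 message describes. Host bits are kept as written, matching the
    output shown there (10.10.10.10/24 stays 10.10.10.10, not 10.10.10.0).
    """
    value = value.strip()
    if "," in value:
        addr_text, mask_text = (part.strip() for part in value.split(",", 1))
        addr = ipaddress.ip_address(addr_text)
        mask = ipaddress.ip_address(mask_text)
        if addr.version != mask.version:
            raise ValueError("address and netmask differ in IP version: %r" % value)
        return addr.packed + mask.packed
    if "/" in value:
        iface = ipaddress.ip_interface(value)
        return iface.ip.packed + iface.network.netmask.packed
    return ipaddress.ip_address(value).packed


def valid_single(octets):
    """True if the octets describe exactly one address (SAN / Issuer Alt Name)."""
    return len(octets) in SINGLE_LENGTHS


def valid_subtree(octets):
    """True if the octets describe address plus netmask (Name Constraints)."""
    return len(octets) in SUBTREE_LENGTHS


def check_for_extension(value, extension):
    """Parse value and reject it if its form does not fit the extension."""
    octets = parse_ip_general_name(value)
    if extension in SINGLE_EXTENSIONS and not valid_single(octets):
        raise ValueError("%s must not carry a netmask: %r" % (extension, value))
    if extension in SUBTREE_EXTENSIONS and not valid_subtree(octets):
        raise ValueError("%s requires a netmask: %r" % (extension, value))
    return octets


def _format_half(half):
    # IPv4 as dotted decimal; IPv6 as uncompressed upper-case groups,
    # the style of the OpenSSL pretty print quoted in the commit message.
    if len(half) == 4:
        return ".".join(str(b) for b in half)
    return ":".join("%X" % int.from_bytes(half[i:i + 2], "big")
                    for i in range(0, 16, 2))


def format_subtree(octets):
    """Render address/netmask octets as 'IP:addr/mask'."""
    if not valid_subtree(octets):
        raise ValueError("expected 8 or 32 octets, got %d" % len(octets))
    mid = len(octets) // 2
    return "IP:%s/%s" % (_format_half(octets[:mid]), _format_half(octets[mid:]))


# The four nameConstraintsExcludedSubtreeNameValue_N values from the commit message.
SAMPLE_VALUES = [
    "10.10.10.10/24",
    "10.10.10.10,255.255.255.0",
    "dead:beef::1/128",
    "dead:beef::,ffff:ffff::",
]


def render_sample():
    """Return the Name Constraints lines for SAMPLE_VALUES."""
    return [format_subtree(check_for_extension(v, "nameConstraints"))
            for v in SAMPLE_VALUES]


if __name__ == "__main__":
    for line in render_sample():
        print(line)
```


- - - - -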
628ace0c by Fraser Tweedale at 2018-03-07T22:55:11Z
IPAddressName: refactoring

Merge the content of some classes that don't need to be classes into
the main IPAddressName.  Rename the 'getIPAddress' method to
'fillIPv(4|6)Address', to better reflect its behaviour.  Enhance
initAddress to not only initialise the byte[] but also populate the
address.

Part of: https://pagure.io/dogtagpki/issue/2922
Change-Id: If9cd9f3134ef2086b283a51abc35f2918869aca2

- - - - -
b23ed156 by Endi S. Dewata at 2018-03-07T23:19:58Z
Moved DRMTool compatibility links creation into CMake scripts.

The code that creates the compatibility links for DRMTool, its
configuration, and man page has been moved from RPM spec into
CMake scripts.

https://pagure.io/dogtagpki/issue/2923

Change-Id: Ic750a539cad9a515f4be53d8c54609dfce23925f

- - - - -
2e3c503d by Endi S. Dewata at 2018-03-08T00:00:32Z
Moved admin console links creation into CMake scripts.

The code that creates admin console links in the subsystem UI has
been moved from RPM spec into CMake scripts.

https://pagure.io/dogtagpki/issue/2923

Change-Id: I2b4da3e42b9a2f3a5b7dbe9f6e56cb9a5b7fc31c

- - - - -
099c123d by Endi S. Dewata at 2018-03-08T15:48:23Z
Removing tests/dogtag/dev_java_tests/bin folder.

The .classpath has been modified to no longer create a separate
folder (i.e. tests/dogtag/dev_java_tests/bin) for test classes.

The folder can be removed from local repository with this command:

 rm -rf tests/dogtag/dev_java_tests/bin

The .gitignore file has been modified to remove this folder and
other unnecessary in-source build directories. To simplify
maintenance, in-source builds should be done in the top-level
'build' folder only.

https://pagure.io/dogtagpki/issue/2923

Change-Id: I6701959fa40db006628730b819a8c190de5a016c

- - - - -
5a11c0c4 by Endi S. Dewata at 2018-03-08T17:30:09Z
Added pki password-generate CLI.

A new pki password-generate CLI has been added to generate a
FIPS-compliant password.

https://pagure.io/dogtagpki/issue/203

Change-Id: Ia70ed2ad9cbee33286c94fa4e4bcfa52c8124831

- - - - -
847a52cc by Endi S. Dewata at 2018-03-08T19:20:10Z
Removed buildroot definitions and cleanups.

The RPM spec templates have been modified to no longer define or
clean up buildroot directories since they are managed by the system.

https://pagure.io/dogtagpki/issue/2923

Change-Id: Ia2d854275635d3e4a2ba7eedc12bf7d76263c2ab

- - - - -
f46a81a0 by Endi S. Dewata at 2018-03-08T19:49:38Z
Removed deprecated RPM groups.

The RPM spec templates have been modified to remove deprecated
RPM groups (https://fedoraproject.org/wiki/RPMGroups).

https://pagure.io/dogtagpki/issue/2923

Change-Id: I22b04b64b11e1eb076545fc183697efd4535dc12

- - - - -
af1ea318 by Endi S. Dewata at 2018-03-08T23:26:01Z
Added missing gcc-c++ build dependency.

The console and theme spec file templates have been updated to
include gcc-c++ build dependency since it is required by CMake.

https://pagure.io/dogtagpki/issue/2923

Change-Id: Ie5da5fcc1b8d6f33a2f334a079dfc04679c1a9f7

- - - - -
675c7722 by Endi S. Dewata at 2018-03-09T03:48:12Z
Removed redundant extract_release_information().

The extract_release_information() in compose_function is now
redundant due to various refactoring so it has been removed.

https://pagure.io/dogtagpki/issue/2852

Change-Id: Id667e9c91d9e5bc043fc975e91f1dbe0d91a95b9

- - - - -
ce9c1049 by Endi S. Dewata at 2018-03-09T15:29:01Z
Refactored compute_release_information().

The compute_release_information() in compose scripts has been
renamed into compute_build_options(). The unused spec file
parameter has been removed as well.

https://pagure.io/dogtagpki/issue/2852

Change-Id: I3c42f82eee1d59a4823d713f404bceb253585576

- - - - -
b6323edf by Endi S. Dewata at 2018-03-09T17:35:22Z
Fixed timestamp and commit ID in RPM packages

The compose scripts have been modified to insert timestamp and
commit ID while copying the spec template into actual spec file,
so the information is stored in the SRPM. This way when the SRPM
is used to build RPM packages, the file names of the packages will
contain the timestamp and commit ID.

https://pagure.io/dogtagpki/issue/2852

Change-Id: I62a622ebbac2d5f781737ab0157aa18b80da4d5e

- - - - -
a7da82f4 by Endi S. Dewata at 2018-03-09T23:58:44Z
Exporting SSL server certificate on startup.

The operations script has been modified such that if nuxwdog is disabled,
it will export the SSL server certificate into a PKCS #12 keystore with a
random password. The PKCS #12 keystore will be used by Tomcat's built-in
HTTP NIO connector later.

https://pagure.io/dogtagpki/issue/203

Change-Id: Ib79bfd3fabb7b4931842901fb6a46bf299f31f1e

- - - - -
3be16204 by Endi S. Dewata at 2018-03-09T23:58:44Z
Switching to HTTP NIO connector.

The server.xml has been modified to use Tomcat's built-in HTTP NIO
connector with SSL server certificate in a PKCS #12 keystore by
default.

The pki-server migrate tool has been modified to automatically
convert existing instances to use the HTTP NIO connector.

The pki-server http-connector tool has been modified to configure
the SSL server certificate friendly name in the PKCS #12 keystore.

https://pagure.io/dogtagpki/issue/203

Change-Id: I1966aea3c04b95f750607856663b37ab6381126d

- - - - -
a379703d by Endi S. Dewata at 2018-03-10T03:25:15Z
Fixed missing exception stack trace in log message

To fix CMS.debug(exc), the Debug.printStackTrace() has been
modified to generate a log message that includes the exception
class name and the stack trace.

To fix Logger.warn(msg, exc) and Logger.error(msg, exc), the
PKIFormatter.format() has been modified to append the stack trace
to the log message.

https://pagure.io/dogtagpki/issue/195

Change-Id: Ia3b67b7edb3b6dc78de069f8f9b1ad2b4d295ddd

- - - - -
d7882556 by Endi S. Dewata at 2018-03-12T15:28:42Z
Reorganized Tomcat files.

Tomcat 7.0 and 8.0 files have been moved into tomcat-7.0 and
tomcat-8.0 folders for consistency.

https://pagure.io/dogtagpki/issue/2560

Change-Id: I38c901fae4e4bb1bd500a326e672328f021f9dc9

- - - - -
27cf99ef by Christina Fu at 2018-03-12T21:52:02Z
Ticket #2950 Need ECC-specific Enrollment Profiles for standard conformance

This patch adds ECC-specific enrollment profiles where the Key Usage Extension
bits for SSL server and client certificates are notably different per RFC 6960:

       new file:   base/ca/shared/conf/ECadminCert.profile
       new file:   base/ca/shared/conf/ECserverCert.profile
       new file:   base/ca/shared/conf/ECsubsystemCert.profile
       new file:   base/ca/shared/profiles/ca/ECAdminCert.cfg
       new file:   base/ca/shared/profiles/ca/caCMCECUserCert.cfg
       new file:   base/ca/shared/profiles/ca/caCMCECserverCert.cfg
       new file:   base/ca/shared/profiles/ca/caCMCECsubsystemCert.cfg
       new file:   base/ca/shared/profiles/ca/caECAdminCert.cfg
       new file:   base/ca/shared/profiles/ca/caECAgentServerCert.cfg
       new file:   base/ca/shared/profiles/ca/caECDirPinUserCert.cfg
       new file:   base/ca/shared/profiles/ca/caECInternalAuthServerCert.cfg
       new file:   base/ca/shared/profiles/ca/caECInternalAuthSubsystemCert.cfg
       new file:   base/ca/shared/profiles/ca/caECServerCert.cfg
       new file:   base/ca/shared/profiles/ca/caECSubsystemCert.cfg
       new file:   base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg
       new file:   base/ca/shared/profiles/ca/caECFullCMCUserCert.cfg
       new file:   base/ca/shared/profiles/ca/caECFullCMCUserSignedCert.cfg
       new file:   base/ca/shared/profiles/ca/caECSimpleCMCUserCert.cfg

In addition, some existing enrollment profiles are adjusted.
And while in there, signing algorithms with SHA1, MD2, and MD5 are removed.

No attempt has been made for TPS enrollment profiles in this round.
No attempt has been made for adding ECDH-appropriate profile.

This patch addresses: https://pagure.io/dogtagpki/issue/2950

Change-Id: I26e7f9888372acbab4fbd185883427ef030d5e8d

- - - - -
7809f40b by Matthew Harmsen at 2018-03-12T21:52:02Z
Permit additional FIPS ciphers to be enabled by default for RSA . . .

It was determined that the following additional FIPS ciphers should be
enabled by default for RSA:

    * TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    * TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    * TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    * TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

Reference: dogtagpki Pagure Issue #2855 - restrict default cipher suite to
           those ciphers permitted in fips mode

Fixes: https://pagure.io/dogtagpki/issue/2952
Change-Id: I0947e8581beb3140e4c07800dd2c6bc9d90a6cd8

- - - - -
dab54826 by Endi S. Dewata at 2018-03-12T23:27:17Z
Updated compose scripts to create full source tarballs

Previously the compose scripts for core, console, and theme would
create different tarballs which contained the relevant sources
only even though they are coming from the same source repository.

To reduce maintenance, the compose scripts will now generate
identical tarballs that contain the complete source files in the
repository.

In this patch the tarballs will still have different names, but
in a subsequent patch they will be changed to use the same name.

https://pagure.io/dogtagpki/issue/2923

Change-Id: I453b044fa8ecb9df16b4f81a2aac942ed0f9fd55

- - - - -
5c57b446 by Endi S. Dewata at 2018-03-12T23:27:17Z
Updated RPM spec templates to use the same source tarball

The RPM spec templates for core, console, and theme packages have
been modified to use the same tarball from GitHub which contains
the entire source repository.

The compose scripts have been updated to generate tarballs from
local repository with the same name.

https://pagure.io/dogtagpki/issue/2923

Change-Id: Iaa8a9790eaa4e87741853c49284ba6b986da23c7

- - - - -
405de41e by Endi S. Dewata at 2018-03-12T23:29:47Z
Fixed outdated global web.xml

The web.xml in /usr/share/pki/server/conf is outdated so it has
been replaced with a direct link to Tomcat's web.xml.

https://pagure.io/dogtagpki/issue/2560

Change-Id: I71f3613772861e1b1e31e9803d29c0825cfa844a

- - - - -
b017b929 by Endi S. Dewata at 2018-03-12T23:30:08Z
Fixed outdated global context.xml

The context.xml in /usr/share/pki/server/conf is outdated so it
has been replaced with a direct link to Tomcat's context.xml.

https://pagure.io/dogtagpki/issue/2560

Change-Id: I3dde88e8c04d9c9a0f49b51afd1db7595599de90

- - - - -
69434ec0 by Amol Kahat at 2018-03-13T06:32:41Z
Fixed BZ 1549632: Not able to generate certificate request
with ECC using pki client-cert-request

Change-Id: I23a51af2c9e9bcc62983332bee22fe3c56ce1409
Signed-off-by: Amol Kahat <akahat at redhat.com>

- - - - -
a32fbda3 by Endi S. Dewata at 2018-03-13T15:36:27Z
Fixed outdated catalina.properties (part 1)

The catalina.properties in /usr/share/pki/server/conf is outdated
so it has been refreshed with the latest from Tomcat 7.0 and 8.0.

The TOMCAT_INSTANCE_COMMON_LIB in common.loader property has been
replaced with ${catalina.base}/commons/lib/*.jar.

http://pagure.io/dogtagpki/issue/2560

Change-Id: Idb62fc3603725a39e838e8b89ec58ef6170b8489

- - - - -
cdbad9ce by Endi S. Dewata at 2018-03-13T16:06:15Z
Fixed outdated catalina.properties (part 2)

The catalina.properties in <instance>/conf folder has been
replaced with a link to simplify upgrades.

https://pagure.io/dogtagpki/issue/2560

Change-Id: I4c1ca71e9c87dbd0afbf87e79af5ed8eeeb7ef4c

- - - - -
30d17258 by Endi S. Dewata at 2018-03-13T16:06:39Z
Cleaned up server.xml

The server.xml files for Tomcat 7.0 and 8.0 have been cleaned up
to simplify keeping track of customizations.

https://pagure.io/dogtagpki/issue/2560

Change-Id: I509c37fcf2a26149f1d503c8680c555f49c93694

- - - - -
29092bd3 by Fraser Tweedale at 2018-03-14T02:26:17Z
Move parseACL to ACL.java

The parseACL function currently lives in CMSEngine, which is an
awkward place for it.  Move it into the ACL class as a static
method.

Part of: https://pagure.io/dogtagpki/issue/2957
Change-Id: I2a22618a8e295864e218e067fadf4255ceada9b3

- - - - -
f5e399a6 by Fraser Tweedale at 2018-03-14T02:26:17Z
ACL.java: Remove unused constructor

Part of: https://pagure.io/dogtagpki/issue/2957
Change-Id: Id8eee2d31538e2c95debb03a6102e0a7fdb0bd60

- - - - -
f4edd440 by Fraser Tweedale at 2018-03-14T02:26:17Z
ACL.java: Make constructor private and add sanity check

Part of: https://pagure.io/dogtagpki/issue/2957
Change-Id: I5b15695df8692941646151b92ddaa893b3f93468

- - - - -
db05fc2c by Fraser Tweedale at 2018-03-14T02:26:17Z
ACL.java: retain all resourceACLs strings when merging

When writing a merged ACL back to the database, only the first
resourceACLs string is written, and the other resourceACLs strings
are lost.

Retain all the original resourceACLs strings when merging ACLs and
write them all back to the database when saving.

This commit also performs some minor refactors.  Extract the merging
routine into ACL.merge().  Remove the now-unused addRight(),
addEntry() and setName() methods.

Part of: https://pagure.io/dogtagpki/issue/2957
Change-Id: Ica36f1ed1517b4d13f13fd78259b6bb78ef1f22c

- - - - -
8f0b4a2f by Fraser Tweedale at 2018-03-14T02:26:17Z
ACL.java: remove setDescription method

The only place setDescription was used was in parseACL() which is
now part of this class, so we can replace that method with a new
constructor argument and avoid another way to unreasonably mutate
an ACL.

Part of: https://pagure.io/dogtagpki/issue/2957
Change-Id: I8cff0cbb5cb47b80b7b0e6dc37702e16ec2a85e0

- - - - -
476320b4 by Fraser Tweedale at 2018-03-14T02:26:17Z
ACLEntry.java: return null on parse error

If an ACL entry has an empty permission expression a
StringIndexOutOfBoundsException is thrown because an expected space
character cannot be found.  Detect this condition and return null.

Part of: https://pagure.io/dogtagpki/issue/2957
Change-Id: I1518f53f68e106e877d24d7dce8a5756ca5aedbd

- - - - -
f62f8931 by Fraser Tweedale at 2018-03-14T02:26:17Z
DirAclAuthz.updateACLs: re-throw ACL exception

Currently DirAclAuthz catches EACLsException when attempting to
update an ACL, logs the error, and then throws a new EACLsException,
discarding the info about where the original exception occurred.
There is no need to throw a new exception of the same type, so
re-throw the caught exception.

Part of: https://pagure.io/dogtagpki/issue/2957
Change-Id: If6e38e2217b8884b54b7daf07a7b79e23b8175d7

- - - - -
223e6980 by Fraser Tweedale at 2018-03-14T02:26:17Z
console: prohibit empty ACL expression

The ACL expression (e.g. ``user=caadmin || group="Administrators"``)
gets parsed and validated on the client side before sending the ACL
update command to the admin servlet.  But empty expressions are
currently permitted on the client side and prohibited on the server
side.  Leaving the expression field empty can result in unhelpful
error messages and stack trace in the server logs.

Update the validation logic in pkiconsole to treat an empty
expression as a syntax error.

Also do some drive-by updates for type safety, instantiating the
Vector<> type parameter at String.

Fixes: https://pagure.io/dogtagpki/issue/2957
Change-Id: I5317d2a86f6d2add7482729661bcbae9ebadc4d9

- - - - -
4fa7e826 by Endi S. Dewata at 2018-03-14T05:05:14Z
Moved pki.server.pkiserverupgrade

The pki.server.pkiserverupgrade Python module has been moved into
pki.server.cli.upgrade for consistency.

https://pagure.io/dogtagpki/issue/1129

Change-Id: I990bfbfce9223fa85850ebeac2278df7841465d4

- - - - -
40777dfb by Endi S. Dewata at 2018-03-14T05:24:00Z
Using Python logging in pki-server-upgrade

The pki-server-upgrade CLI and related modules have been modified
to use Python logging.

https://pagure.io/dogtagpki/issue/1129

Change-Id: I8454a4d7338fbb04d4747bd55e533062b8df3ed2

- - - - -
268f8b94 by Christian Heimes at 2018-03-14T16:38:24Z
Don't install tomcat.conf.in

Change-Id: I4a4ee986ecaef9fb1379666e4778702d7b2ccd52
Closes: https://pagure.io/dogtagpki/issue/2962
Signed-off-by: Christian Heimes <cheimes at redhat.com>

- - - - -
7188137b by Christian Heimes at 2018-03-14T17:08:55Z
Remove NSS_DEFAULT_DB_TYPE from /etc/sysconfig

A Dogtag 10.5 installation may contain NSS_DEFAULT_DB_TYPE="dbm" in
/etc/sysconfig/pki-tomcat. The setting interferes with new global
configuration in /usr/share/pki/etc/tomcat.conf. A new migration step
removes the config stanza from instance's sysconfig file.

Change-Id: I5123e719eb9ecaa32ad02d8aa737e5426a442c80
Closes: https://pagure.io/dogtagpki/issue/2963
Signed-off-by: Christian Heimes <cheimes at redhat.com>

- - - - -
e9089a4e by Endi S. Dewata at 2018-03-14T17:32:34Z
Added rich comparison methods into pki.upgrade.Version.

The pki.upgrade.Version class has been modified to include
additional rich comparison methods.

https://pagure.io/dogtagpki/issue/1129

Change-Id: I2dff91f9dd1321b026ac5ca53f02c86d0ccda370

- - - - -
738a37f5 by Endi S. Dewata at 2018-03-14T18:07:12Z
Fixed upgrade framework

The upgrade framework has been fixed such that the upgrade path
always starts from the current version and stops at the target
version.

https://pagure.io/dogtagpki/issue/1129

Change-Id: Ie9bb62465a77f52027a74210a1e78c8375f9a79e

- - - - -
fb087d2a by Endi S. Dewata at 2018-03-14T18:16:27Z
Removed empty upgrade folders

Due to a recent change in the upgrade framework, it is no longer
necessary to create an empty upgrade folder for each released
version.

https://pagure.io/dogtagpki/issue/1129

Change-Id: I8b5a30fbc1365f1f68ed971b644b4e0bdd2a790e

- - - - -
4d4f6b9b by Endi S. Dewata at 2018-03-14T22:37:25Z
Fixed outdated ciphers.info.

The pkispawn has been modified to link ciphers.info instead
of copying it into the instance folder so it can be upgraded
automatically.

https://pagure.io/dogtagpki/issue/2560

Change-Id: Ieb05a9c214807aa90024025559dbb3a9ffcbabf8

- - - - -
44b39b11 by Endi S. Dewata at 2018-03-14T23:31:53Z
Added upgrade script to fix outdated server configuration

An upgrade script has been added to replace some configuration
files in existing instances with links as in new installations,
which will simplify future upgrades. The original files will be
backed up so they can be restored if necessary.

https://pagure.io/dogtagpki/issue/2560

Change-Id: I35a6e539a214dadeee88a9aab9bb085434236e49

- - - - -
6228c90b by Endi S. Dewata at 2018-03-15T01:18:41Z
Switching to Tomcat 8.5 on Fedora 27.

New server configuration files, webapp context files, library files,
and CMake scripts have been added for Tomcat 8.5.

The RPM spec template has been modified to use Tomcat 8.5 on
Fedora 27. The build and runtime dependencies have been updated
accordingly.

https://pagure.io/dogtagpki/issue/2560

Change-Id: I6f8be772cc099bd95ec3482415b9ab99a9747ab1

- - - - -
a114b40a by Endi S. Dewata at 2018-03-15T02:03:03Z
Updated version number to 10.6.0-0.2

The version number has been changed to 10.6.0-0.2 due to the new
Tomcat 8.5 dependency.

https://pagure.io/dogtagpki/issue/2560

Change-Id: I3eec3fb7fdd5b4bd0e2e17da87bbabf4f7533535

- - - - -
cc8e5179 by Christian Heimes at 2018-03-15T15:40:05Z
sslget: Use relative include for sslproto.h

sslget.c uses relative, local includes except for sslproto.h. The global
include was added in 27142606.

Change-Id: I4ce05417a0679a373dc610b8a4b2fae4eca7ca79
Signed-off-by: Christian Heimes <cheimes at redhat.com>

- - - - -
156f1883 by Endi S. Dewata at 2018-03-15T16:41:03Z
Refactored MainCLI.printHelp().

The MainCLI.printHelp() has been modified to call CLI.printHelp()
which displays deprecated commands properly.

https://pagure.io/dogtagpki/issue/2536

Change-Id: I803c0bcf041624eb7e37b04db5f455337e73caed

- - - - -
96df98aa by Endi S. Dewata at 2018-03-15T16:41:03Z
Deprecated pki user command

The pki user command has been replaced with pki <subsystem>-user,
so it has been deprecated by adding a deprecated ProxyUserCLI
class.

https://pagure.io/dogtagpki/issue/2536

Change-Id: Ida1123620d99e9237cb55d380eaded4deba78a27

- - - - -
5b73386f by Endi S. Dewata at 2018-03-15T16:41:03Z
Deprecated pki group command

The pki group command has been replaced with pki <subsystem>-group,
so it has been deprecated by adding a deprecated ProxyGroupCLI
class.

https://pagure.io/dogtagpki/issue/2536

Change-Id: Iebdef91d47c758a34e817b5379fa8f980e518862

- - - - -
4b5ce752 by Christian Heimes at 2018-03-16T13:22:54Z
Fix verify_certificate_exists() call

verify_certificate_exists() no longer takes certdb, keydb and secmod
args.

Change-Id: Idcf781cc85a01d33867349a4ba25a81b60afc344
Signed-off-by: Christian Heimes <cheimes at redhat.com>

- - - - -
7e240d1a by Christian Heimes at 2018-03-16T14:53:42Z
Add with_python[23] to console and theme package

Add with_python2, with_python3 and with_python3_default to console and
theme package. The theme package can now be built without Python 2
present.

Change-Id: I06a513145e2d3a3512f2d2211d4c2a45ef58d3bd
Signed-off-by: Christian Heimes <cheimes at redhat.com>

- - - - -
1597b5bc by Christina Fu at 2018-03-16T16:37:35Z
Ticket #2940 [MAN] Missing Man pages for tools CMCRequest, CMCResponse, CMCSharedToken, and CMCRevoke

This patch adds man pages for CMCRequest, CMCResponse, and CMCSharedToken.
In addition, the usage in CMCResponse has been enhanced to include a
verbose mode which will output certs in Base64 encoding individually.
A "note" has been added to CMCRevoke --help to direct users to CMCRequest
for better usability. The man page for CMCRevoke is intentionally left out
for this reason.

The URL in CMCRequest.1 is a placeholder for the follow-up patch.  It will
be replaced once the examples are complete.

This patch addresses https://pagure.io/dogtagpki/issue/2940

Change-Id: Id1df31a29207a0d12d50b7a3b959a3abcd9748d0

- - - - -
20799a8f by Christian Heimes at 2018-03-16T17:32:45Z
Only detect Python for core and console packages

The theme package doesn't depend on Python. Only detect Python when
building the pki core or pki console package.

Change-Id: I7a156a88371597cfe46938eb463f2293210d6f82
Signed-off-by: Christian Heimes <cheimes at redhat.com>

- - - - -
827fe40c by Christina Fu at 2018-03-16T23:00:31Z
Ticket #2940 (spec file only)

Change-Id: Ice17b4f985a7dc7c092902d920d40272c751941a

- - - - -
2195cce1 by Dinesh Prasanth M K at 2018-03-19T20:01:15Z
Adding console, meta and theme packages to CI

The CI now tries to build and install the following:
- pki-core
- pki-theme
- pki-console
- pki-meta

Ticket: https://pagure.io/dogtagpki/issue/2969

Change-Id: I148f9cafe4ba43371f58051368307fd746bf5f4b

- - - - -
0f09829c by Endi S. Dewata at 2018-03-20T04:00:07Z
Fixed NSSDatabase.export_cert()

The NSSDatabase.export_cert() has been modified to use the
certificate's full name which consists of nickname and token
name (if available) when invoking pki pkcs12-client-import.

https://pagure.io/dogtagpki/issue/2449

Change-Id: Ibfbb0d310b0f9b71bed47603b0d9f8396fe33e34

- - - - -
94c23b3e by Endi S. Dewata at 2018-03-20T04:02:44Z
Fixed PKCS12Util.loadCertFromNSS()

The PKCS12Util.loadCertFromNSS() has been modified to check whether
the specified certificate exists in the NSS database.

https://pagure.io/dogtagpki/issue/2449

Change-Id: I336233e8734c4e02b959edef16860ea27d64ce56

- - - - -
c4c4db19 by Endi S. Dewata at 2018-03-20T13:56:29Z
Added PKIInstance.get_sslserver_cert_nickname()

A new PKIInstance.get_sslserver_cert_nickname() method has
been added to get the SSL server certificate nickname from
serverCertNick.conf.

https://pagure.io/dogtagpki/issue/2449

Change-Id: I892a782c50ef2d40ba9161986290f61bc42e86fb

- - - - -
aa0a5a8a by Endi S. Dewata at 2018-03-20T14:19:45Z
Refactored pki-server cert-export (part 1)

The pki-server cert-export has been modified to use the token name
of the certificate when opening the NSS database.

https://pagure.io/dogtagpki/issue/2449

Change-Id: Ia34aeff300501026f1d51dd72bf859f5b1ff7876

- - - - -
f83c341b by Endi S. Dewata at 2018-03-20T14:29:54Z
Refactored pki-server cert-export (part 2)

The pki-server cert-export has been modified to get the SSL server
certificate nickname and token name from serverCertNick.conf
instead of CS.cfg.

https://pagure.io/dogtagpki/issue/2449

Change-Id: I805a35efc83773562b3aafdcf4d0cd1cefaf0613

- - - - -
7acd6297 by Endi S. Dewata at 2018-03-20T19:57:13Z
Updated logging in SystemConfigService

https://pagure.io/dogtagpki/issue/195

Change-Id: I25924c347bb082954981576ca9c1c61cda6e0e83

- - - - -
a6a3dd81 by Endi S. Dewata at 2018-03-20T20:35:44Z
Fixed CSR format in configuration servlet's response

The configuration servlet has been changed to return system cert
CSRs as base64-encoded data. The Python code will then store them
into files in PEM format.

https://pagure.io/dogtagpki/issue/2449

Change-Id: I156ab11191d6cd12b26283452547026d91a4a31d

- - - - -
178d0e04 by Endi S. Dewata at 2018-03-20T20:35:44Z
Fixed SSL server cert replacement.

The code that replaces the temporary SSL server cert with the
permanent one has been fixed to use the token name specified
for the SSL server cert instead of the global one.

https://pagure.io/dogtagpki/issue/2449

Change-Id: I5014aa681d4aa04a0218a883697e932dd75022a4

- - - - -
169f5cf1 by Endi S. Dewata at 2018-03-20T22:23:42Z
Renamed client security database in PKI CLI messages.

The PKI CLI has been modified to use a more generic term of NSS
database instead of client security database since the command can
also be used to manage the server's NSS database.

Change-Id: I2f47637d8279bec10b4ffbce0d90217dc9e7f9ba

- - - - -
e61fd269 by Endi S. Dewata at 2018-03-20T22:35:46Z
Renamed client security database in man pages.

The man pages have been modified to use a more generic term of NSS
database instead of client security database since the command can
also be used to manage the server's NSS database.

Change-Id: Idcd6fc9a2641585b0a91efb9a4037066f600b864

- - - - -
feadd4a1 by Endi S. Dewata at 2018-03-20T22:38:36Z
Renamed client security database in test scripts.

The test scripts have been updated to reflect the recent changes
in PKI CLI messages.

Change-Id: Icae10e97c04202643d7d49ed83d2c752796dd192

- - - - -
bb66002a by Endi S. Dewata at 2018-03-21T00:58:39Z
Refactored ClientConfig fields

The certDatabase and certPassword fields have been renamed to
nssDatabase and nssPassword for clarity. New setter and getter
methods have been added. Existing setter and getter methods are
retained for backward compatibility.

Change-Id: I7a3981cbc55a9d2baa4991e00236e0b33e868bf7

- - - - -
47623442 by Endi S. Dewata at 2018-03-21T02:05:38Z
Added ClientConfig.nssPasswords field.

A new field has been added to ClientConfig to store NSS token
passwords.

https://pagure.io/dogtagpki/issue/2449

Change-Id: I9febcd31d46574cb41690a60e966790b59cc87ee

- - - - -
3cf485f9 by Endi S. Dewata at 2018-03-21T02:32:42Z
Deprecated setters and getters in ClientConfig.

The setters and getters for the old certDatabase and certPassword
fields have been deprecated. The code that calls these methods
has been modified to use the new methods.

Change-Id: I311e0f3bcaaaaadc8f40cc944f62eecdf9121a20

- - - - -
25282e3d by Endi S. Dewata at 2018-03-21T04:03:16Z
Deprecated ClientConfig.serverURI setter and getter.

The setter and getter for the old serverURI field have been
deprecated. The code that calls these methods has been modified
to use the new methods. The man pages have been updated as well.

Change-Id: I518e2df364c7ab844548ea7f00c4dd3cdafd2d05

- - - - -
152ed503 by Endi S. Dewata at 2018-03-21T04:11:41Z
Updated test scripts due to server URI deprecation.

Test scripts that check for "server URI" have been modified to
check for "server URL" instead.

Change-Id: I41b2dc140a749370d847e5852bf9fbfaae66a407

- - - - -
f8f526f4 by Endi S. Dewata at 2018-03-21T15:33:17Z
Renamed NSS-related variables in MainCLI.parseOptions()

Some NSS-related variables in MainCLI.parseOptions() have been
renamed for clarity.

Change-Id: Ic67747943cc42f7c5b9d1a683974910508fb2872

- - - - -
578c2804 by Endi S. Dewata at 2018-03-21T16:20:40Z
Fixed exception handling in MainCLI.init()

The code that handles token login in MainCLI.init() has been
modified to include the token name in the exception message in
case the password is wrong.

Change-Id: I99aaf16f02c822b7c7179ed3aa29f0d0f66fa6e0

- - - - -
8c45ff35 by Endi S. Dewata at 2018-03-21T17:38:13Z
Fixed password handling in MainCLI.parseOptions()

The MainCLI.parseOptions() has been modified such that the NSS
password parameters are validated regardless of authentication
methods.

Change-Id: I67f91a2059272a6e044f9b2d067c285f5a7f443d

- - - - -
d62dbf9b by Endi S. Dewata at 2018-03-21T22:08:08Z
Updated PKI CLI help messages.

PKI CLI help messages have been updated for clarity.

Change-Id: I4f87ab1674c5e615d900ce08b97699ddd40330de

- - - - -
8746f09d by Endi S. Dewata at 2018-03-21T23:42:14Z
Added password configuration option for PKI CLI.

The PKI CLI has been modified to support an option to provide
multiple token passwords via a configuration file. This option
can be used to run the CLI using the server's NSS database and
password.conf.

https://pagure.io/dogtagpki/issue/2449

Change-Id: I84a3da9e57556a1431c8864984cde614d2fbe83b

- - - - -
0012e50e by Endi S. Dewata at 2018-03-22T16:07:15Z
Refactored configuration.py

The code that imports system certs in configuration.py has been
refactored into a new import_system_cert() method.

https://pagure.io/dogtagpki/issue/2449

Change-Id: Ife5f7f526589f70a7db12d980b50569c4a67c98a

- - - - -
f1ec2c0c by Endi S. Dewata at 2018-03-22T19:27:52Z
Refactored internal token name literals

The literals for internal token names have been converted into
constants. A new method was added to normalize token name.

https://pagure.io/dogtagpki/issue/2449

Change-Id: I3605edba57ebf5c38b4be3dcea05f12cf87134c3

- - - - -
4e237910 by Christina Fu at 2018-03-22T20:43:54Z
fix TPS CS.cfg param from tps.connector.connCAList to tps.connCAList

Change-Id: Ic391b845358736daab4b814c86e6f7f512a209bb

- - - - -
d8639cd7 by Endi S. Dewata at 2018-03-22T21:57:49Z
Fixed NSSDatabase.add_cert() default trust attributes

The NSSDatabase.add_cert() has been fixed to accept None value in
trust_attributes parameter and convert it into the proper string.

https://pagure.io/dogtagpki/issue/2449

Change-Id: I5a0acb51618476cf08e00d5f1a51ea2ff3cdf519

- - - - -
428a00c4 by Endi S. Dewata at 2018-03-22T21:58:41Z
Added NSSDatabase.create_password_file()

The code that creates password files in NSSDatabase has been
refactored into a new create_password_file() method.

https://pagure.io/dogtagpki/issue/2449

Change-Id: I4f7106129ccd2f84d2279d4dc7c98831e9243721

- - - - -
85c58d29 by Endi S. Dewata at 2018-03-22T23:11:30Z
Added param to override default token in NSSDatabase.

Some NSSDatabase methods have been modified to provide an
optional token parameter to override the default token name.

A new NSSDatabase.get_effective_token() has been added to
return the effective token name.

https://pagure.io/dogtagpki/issue/2449

Change-Id: I4caa2e1ab3f64b9d667396f62a00878fa6557ebe

- - - - -
419e20bc by Endi S. Dewata at 2018-03-23T00:03:09Z
Added temp directory for NSSDatabase.add_cert()

The NSSDatabase.add_cert() has been modified to create and remove
a temp directory which will be used by a subsequent patch.

https://pagure.io/dogtagpki/issue/2449

Change-Id: I89ef58420ea4771ec2ea1f3903186d5b19c3a291

- - - - -
0ddc8cbc by Endi S. Dewata at 2018-03-23T00:07:57Z
Added password map for NSSDatabase

The NSSDatabase has been modified to support password map
to store multiple token passwords. Some methods have been
modified to use the password map if available.

A new NSSDatabase.get_password_file() has been added to
create a temp password file to store the token password
from the password map.

https://pagure.io/dogtagpki/issue/2449

Change-Id: I7edefade4cc348c681f0fdce1a392f14a03c1c63

- - - - -
cc37bad0 by Endi S. Dewata at 2018-03-23T01:26:57Z
Fixed default filename for NSSDatabase.create_password_file()

The NSSDatabase.create_password_file() has been modified to accept
None value as filename which will be converted into 'password.txt'.

https://pagure.io/dogtagpki/issue/2449

Change-Id: Ib2e1ebaece65e02d6e4f35c775ac6b8bc326f9f9

- - - - -
25de859d by Endi S. Dewata at 2018-03-23T02:01:47Z
Added logging in PropConfigStore

https://pagure.io/dogtagpki/issue/195

Change-Id: I8474a91b8dc250a33564407b21bccb32a0cc3fb5

- - - - -
c84ac1bd by Endi S. Dewata at 2018-03-23T02:23:28Z
Refactored ConfigurationUtils.updateConfig()

The ConfigurationUtils.updateConfig() has been modified to take
a Cert object instead of certificate tag.

https://pagure.io/dogtagpki/issue/2449

Change-Id: I48b6059822fe9093582de87c5add5deb0e72a07c

- - - - -
47ae4108 by Timo Aaltonen at 2018-03-23T13:41:35Z
tps-client: Fix a typo in the service file.

https://pagure.io/dogtagpki/issue/2965

Change-Id: Ib9b28e0461f6846ac02f642ca51b4dcbe6f60fff

- - - - -
b39f3600 by Timo Aaltonen at 2018-03-23T13:50:33Z
Fixes to Debian tomcat setup

- scripts/operations has bashism, so best to force bash
- Debian doesn't use sysvinit anymore
- use system specific config dirs
- fix tomcat paths / variables
- fix CVE-2016-1240 regarding starting a tomcat instance
- modify start_instance to be common

https://pagure.io/dogtagpki/issue/2968

Change-Id: Icba3299fb540fcea513f53730914275b4f52590e

- - - - -
85ed28c8 by Endi S. Dewata at 2018-03-24T03:39:32Z
Refactored serverCertNick.conf configuration

A new PKIInstance.set_sslserver_cert_nickname() method has
been added to configure serverCertNick.conf when the SSL
server certificate is about to be created or imported.

https://pagure.io/dogtagpki/issue/2449

Change-Id: Ia5d7203b96b2e8007b441b241f6d88d3bbbfc672

- - - - -
2b072dd5 by Endi S. Dewata at 2018-03-24T03:55:00Z
Removed unused code

The old code for configuring serverCertNick.conf is no longer used
so it has been removed.

https://pagure.io/dogtagpki/issue/2449

Change-Id: Ie7471b29a825d6145f1f28648633c087b4e70189

- - - - -
353de17f by Christian Heimes at 2018-03-26T22:15:57Z
Retry request on timeout error

Commit 0a05eab2 introduced a regression in wait_for_startup. The routine
now catches and retries timeout errors along with connection errors. A
timeout error may occur while a server is starting but is not ready to
respond to a request fast enough.

Change-Id: Ica2ccea4a5b5feb92a46a69284950bf8cfd06258
Closes: https://pagure.io/freeipa/issue/7425
Closes: https://pagure.io/dogtagpki/issue/2973
Signed-off-by: Christian Heimes <cheimes at redhat.com>

- - - - -
13a8aef5 by Endi S. Dewata at 2018-03-28T01:17:21Z
Fixed token name properties in CS.cfg.

The configuration servlet has been modified to store each cert's
token name as specified in the pkispawn configuration instead of
the global one.

https://pagure.io/dogtagpki/issue/2449

Change-Id: Ibca8e664cb50d9886c5be7c7883db6d69e22838a

- - - - -
76b82fb0 by Timo Aaltonen at 2018-03-28T01:55:45Z
Rename LOGGING_CONFIG

It conflicts with Debian catalina startup.

https://pagure.io/dogtagpki/issue/2966

Change-Id: I00648bd62d4c3d14fce49795b84acf610fb1d4d9

- - - - -
fc925dff by Timo Aaltonen at 2018-03-28T20:14:33Z
Fix jar search and path hardcodings to support Debian

- add /usr/share/java to search paths
- check jar names found on Debian
- get rid of path hardcodings from symlink commands
- also be consistent and use only shortname of commons*.jar
- don't link to resteasy-jaxrs-jandex.jar anymore
- drop some duplicate jar searches

Change-Id: I0fd1f132cc0b67d5f630dd2b954efc8966e063fd

- - - - -
2581e314 by Endi S. Dewata at 2018-03-29T02:19:15Z
Fixed cert token in configuration.py

The configuration.py has been modified to use each cert's
token specified in pkispawn config when generating a CSR and
importing the cert.

https://pagure.io/dogtagpki/issue/2449

Change-Id: I0e2cb7dcc81f9bd496e277dec02d562f62b18e6c

- - - - -
3ce3ae9b by Christina Fu at 2018-03-29T17:01:35Z
reflect dogtagpki url change in CMCRequest man page.

Change-Id: I8eb5884a26850b87f378c4417939c873c27fd409

- - - - -
99568215 by Christina Fu at 2018-03-29T17:46:11Z
quick fix on wrong keyType in profile

Change-Id: I0fa90ebb559e0fb8af123191f7bc7cdedbc55d87

- - - - -
4d91ae44 by Endi S. Dewata at 2018-03-29T17:49:15Z
Updated version number to 10.6.0-0.3

The version number in the spec files has been updated to
10.6.0-0.3. Some changes from Fedora have been merged as well.

Change-Id: Ic55f505379076d3827885fe812905bda40452149

- - - - -
03c138d1 by Endi S. Dewata at 2018-03-30T04:35:31Z
Cleaned up SystemConfigService.updateConfiguration().

The code that stores the cert and cert request data into CS.cfg in
SystemConfigService.updateConfiguration() has been removed since
it's already done in generate_csr() and configure_system_cert() in
configuration.py.

https://pagure.io/dogtagpki/issue/2449

Change-Id: I5d06792fdb988534f7ad313cc3d16652d09ba8eb

- - - - -
8fda31da by Endi S. Dewata at 2018-04-02T16:06:08Z
Reformatted pkihelper.py

The logging commands in pkihelper.py have been reformatted to
simplify further cleanups.

https://pagure.io/dogtagpki/issue/195

Change-Id: I7e449ce6fd3d389e6ce80ff3e3beecf66447e3f5

- - - - -
439f9d14 by Endi S. Dewata at 2018-04-02T19:23:13Z
Fixed SystemConfigService.processCerts() to use cert token

The SystemConfigService.processCerts() has been modified to
generate the keys and certificates in each cert's token as
specified in pki_<cert>_token instead of in pki_token_name.

https://pagure.io/dogtagpki/issue/2449

Change-Id: Iddac29e16f0ef306401f7f073dd8d976ed473f9c

- - - - -
16ce6bd0 by Endi S. Dewata at 2018-04-02T22:23:26Z
Fixed TPSInstaller.configureSubsystem()

The TPSInstaller.configureSubsystem() has been modified to use
each cert's token instead of the global one when creating the
subsystem connectors.

https://pagure.io/dogtagpki/issue/2449

Change-Id: Ifd5c09df6a35ea51d91a6fb8d620e7d01d80a7d3

- - - - -
9182f6d7 by Endi S. Dewata at 2018-04-03T01:21:11Z
Added logging for pki-server cert-find

https://pagure.io/dogtagpki/issue/2449

Change-Id: Ib353e5f3a5f652e8d6c1d3898b1a9855bc97e7eb

- - - - -
f48a073d by Endi S. Dewata at 2018-04-03T21:26:45Z
Refactored pki-server cert-find

The pki-server cert-find has been modified such that it shows
the certificate as soon as it's retrieved from the NSS database
instead of waiting until all certificates are retrieved.

https://pagure.io/dogtagpki/issue/2449

Change-Id: Id3f6776e67d089a457457cf4c8f41e0da4bd8450

- - - - -
6d958402 by Endi S. Dewata at 2018-04-03T22:20:09Z
Added logger for pki-server cert-create

https://pagure.io/dogtagpki/issue/2449

Change-Id: I16b05a3ebd80474b99ca53b509d0145a4924f1e8

- - - - -
2dee96d4 by Endi S. Dewata at 2018-04-03T22:45:21Z
Added logger for pki-server cert-import

https://pagure.io/dogtagpki/issue/2449

Change-Id: Ie27062f1704ce287f670c144953abca1004b5017

- - - - -
2cf43d8d by Endi S. Dewata at 2018-04-04T01:07:01Z
Added logger for pki-server cert-update

https://pagure.io/dogtagpki/issue/2449

Change-Id: Ia2527e8c5277e1d9bf0307807bb1259eb133271b

- - - - -
d123569c by Endi S. Dewata at 2018-04-04T01:57:15Z
Added pki-server cert-show

A new pki-server cert-show command has been added to display the
details of a system certificate.

https://pagure.io/dogtagpki/issue/2449

Change-Id: I7eb43b45e0e5191698b34885e35f89d06fb23e6b

- - - - -
d914137b by Endi S. Dewata at 2018-04-04T02:28:24Z
Added logger for pki-server cert-export

https://pagure.io/dogtagpki/issue/2449

Change-Id: Icb61a8c0c42edc61acb28a6a208fb2c96a53078b

- - - - -
b5055b24 by Endi S. Dewata at 2018-04-04T04:53:42Z
Refactored NSSDatabase.get_cert()

The NSSDatabase.get_cert() has been modified to accept a token
name parameter to override the default one.

https://pagure.io/dogtagpki/issue/2449

Change-Id: Id4c63d0df7c64dafb7b650a6017960542106af45

- - - - -
8afcf0b0 by Endi S. Dewata at 2018-04-04T05:00:35Z
Added pretty print option for pki-server cert-show

The pki-server cert-show has been modified to provide an option
to pretty print the system certificate.

https://pagure.io/dogtagpki/issue/2449

Change-Id: Ieec52e327c3c3b25d94db6368b175cb36d4b2233

- - - - -
db745d8d by Amol Kahat at 2018-04-04T13:55:45Z
PKCS10Client debug messages should be displayed in debug mode

Pagure: https://pagure.io/dogtagpki/issue/2891
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1532384

Change-Id: I419bfeafb7ca2053ba2464788693dd7f33a9a26c
Signed-off-by: Amol Kahat <akahat at redhat.com>

- - - - -
6a43a3d6 by Endi S. Dewata at 2018-04-04T14:29:37Z
Updated logging in pki-server cert-create

The pki-server cert-create has been modified to use logger to
generate log messages.

https://pagure.io/dogtagpki/issue/2449

Change-Id: Ie5ba494eaa2415982701657d1a79d25b3995cd2b

- - - - -
87e1fd13 by Endi S. Dewata at 2018-04-04T15:19:49Z
Refactored NSSDatabase.remove_cert()

The NSSDatabase.remove_cert() has been modified to accept a token
name parameter to override the default one.

https://pagure.io/dogtagpki/issue/2449

Change-Id: If20d2086fb5bed0b0b71f2b82aee5a3f05b8d995

- - - - -
696768b4 by Endi S. Dewata at 2018-04-04T16:08:35Z
Updated logging in pki-server cert-import

The pki-server cert-import has been modified to use logger to
generate log messages.

https://pagure.io/dogtagpki/issue/2449

Change-Id: I2f9a82735916e4620f1d8f1b17123e39f0783691

- - - - -
123f0c65 by Endi S. Dewata at 2018-04-04T18:55:13Z
Updated logging in pki-server cert-find

The pki-server cert-find has been modified to use logger to
generate log messages.

https://pagure.io/dogtagpki/issue/2449

Change-Id: Id1ffe9cab579bf8a016a136c505bee1fa97bbef2

- - - - -
f4cb39d6 by Endi S. Dewata at 2018-04-04T21:48:33Z
Cleaned up pkispawn debug log

The slot dict contains only static values so it has been removed
from pkispawn debug log.

Change-Id: I809bd91335663431bddda703e28ce19da8d91916

- - - - -
89a911f2 by Endi S. Dewata at 2018-04-04T23:26:48Z
Added pki-server cert-del

A new pki-server cert-del has been added to remove a system
certificate from the server's NSS database.

https://pagure.io/dogtagpki/issue/2449

Change-Id: I490bcf8e74583604106444bed2bb930308aa2009

- - - - -
9fe2d77d by Endi S. Dewata at 2018-04-05T01:04:31Z
Fixed pki-server cert-import

The pki-server cert-import has been modified to fail if a
certificate with the same nickname already exists in the token.

https://pagure.io/dogtagpki/issue/2449

Change-Id: If19245fd228d5826770ac624ab4b00fcf7876dd2

- - - - -
4e0aff3d by Endi S. Dewata at 2018-04-05T02:30:59Z
Cleaned up pki-server cert commands

The pki-server cert commands have been modified to parse cert ID
more consistently.

https://pagure.io/dogtagpki/issue/2449

Change-Id: I553a18c7a1e087c740a2b4f8c9f21ffba1ec9741

- - - - -
1f6d4e1e by Endi S. Dewata at 2018-04-05T23:41:27Z
Moved CMake files in top-level folder

Some CMake files in the top-level folder have been moved into
cmake/Modules folder.

The PKI_FILE_LIST variable in the compose_functions is no longer
used so it has been removed.

Change-Id: Ia418566dcb3ea1ab207bb9a60c8b65f2f9479b96

- - - - -
e9ba6212 by Endi S. Dewata at 2018-04-05T23:50:09Z
Fixed website URL

All references to pki.fedoraproject.org have been replaced with
www.dogtagpki.org.

Change-Id: I9dbe664865cd04f37567304fce6b3875ed96f8f4

- - - - -
0c544c6a by Endi S. Dewata at 2018-04-06T00:34:39Z
Moved CMake files in top-level folder (part 2)

Some additional CMake files in the top-level folder have been
moved into cmake folder.

Change-Id: I5cecb9d862e399ccb41e1c382034cbbb69966a23

- - - - -
6264c841 by Endi S. Dewata at 2018-04-06T02:00:31Z
Moved pylint-build-scan.py into tools folder

The pylint-build-scan.py and its configuration file have been
moved into the tools folder. All references have been updated
accordingly.

Change-Id: I353b3c0bb0ffad42ac9a2b614dbecf4acd98448c

- - - - -
de36c745 by Endi S. Dewata at 2018-04-06T02:19:32Z
Removed unused patches folder

Change-Id: I94d9b75ed8123b72c94f9edb6774b37062690467

- - - - -
7510822a by Endi S. Dewata at 2018-04-06T05:22:04Z
Added verbose option for compose scripts

Change-Id: I00fe757849591568d97186ef18cbfee8749122cf

- - - - -
56ca2dd4 by Endi S. Dewata at 2018-04-06T15:30:59Z
Removed unused PKI_COMPONENT_LIST in compose scripts

Change-Id: I6cdc607f95cd69c05fb48f885d18dbc647719d43

- - - - -
4bb8c553 by Endi S. Dewata at 2018-04-06T16:10:31Z
Fixed typo in CRMFPopClient

https://pagure.io/dogtagpki/issue/2875

Change-Id: I64921b968eca599f0de86cd3a246339667dd2462

- - - - -
889e8dd1 by Endi S. Dewata at 2018-04-06T18:05:32Z
Updated self cert revocation page title

https://pagure.io/dogtagpki/issue/1525

Change-Id: I43c3749af856118da257233d44dc455b1d954b38

- - - - -
31545b29 by Endi S. Dewata at 2018-04-06T20:45:31Z
Fixed Javadoc warnings

Change-Id: I91134abded91ad168da49ea5c17d8a29887c360d

- - - - -
f8f2e8cf by Endi S. Dewata at 2018-04-06T22:28:10Z
Fixed problem loading password from file in pki CLI

The MainCLI.loadPassword() has been modified to simply load a
file and return the first line as a password without parsing it
to avoid parsing issues.

https://pagure.io/dogtagpki/issue/2913

Change-Id: Ie103b3f77a956620a376b1ac93384590b062aade

- - - - -
138543e3 by Dinesh Prasanth M K at 2018-04-08T15:23:52Z
Redesigned CI infrastructure

The Travis CI infrastructure now directly sets Gerrit
labels instead of the TravisPy library being used.

- This avoids dependency on 3rd party libraries.
- Logs are posted directly as comments in case of failure

Change-Id: Ie399f612655f3172c065ccd626a9dd41b588ee59

- - - - -
fbc04cae by Dinesh Prasanth M K at 2018-04-08T16:40:44Z
Fixes minor bug in new CI

Avoid trying to delete (non-existent) temp branch
in the official repo.

Change-Id: I0377ffddb78251f5fd62849fbaf4e83cbf7af0e1

- - - - -
4fd30663 by Endi S. Dewata at 2018-04-09T15:40:28Z
Removed unused build variables

The following variables are no longer used so they have been
removed from the build scripts:
 - version_phase
 - APPLICATION_VERSION_PHASE
 - JAVADOC_APPLICATION_VERSION

Change-Id: I63186c6aa220a2338d012c73ce6c4f40257f5f38

- - - - -
1a5cdb64 by Endi S. Dewata at 2018-04-09T16:47:12Z
Cleaned up RPM descriptions

The RPM descriptions in the spec templates have been simplified
to make them more readable.

Change-Id: Ib9223b12bbbf74b967e9546ecbca8304e1a4d609

- - - - -
0ad893e5 by Endi S. Dewata at 2018-04-09T21:12:43Z
Removed package_*_packages macros

The package_*_packages macros are no longer needed since all
RPMs in the package will always be built at the same time.

Change-Id: I51ffbf5af00f3cac7f57c1ddda261d624d297359

- - - - -
cff2f209 by Endi S. Dewata at 2018-04-09T22:52:13Z
Removed redundant APPLICATION_FLAVOR_* variables

The APPLICATION_FLAVOR_* variables in CMake scripts have been
replaced with BUILD_* variables.

https://pagure.io/dogtagpki/issue/2978

Change-Id: I1096d324527fac1965213cc3cacb2df6ded22f7e

- - - - -
d023d584 by Endi S. Dewata at 2018-04-10T01:36:49Z
Merged pki-core build dependencies into pki-console

The BuildRequires definitions in pki-core.spec.in have been
merged into pki-console.spec.in such that the console later
can be built independently.

https://pagure.io/dogtagpki/issue/2978

Change-Id: I9e360ea5f100316192d0bcbbe20707d6a751e462

- - - - -
67c15caa by Endi S. Dewata at 2018-04-10T03:12:39Z
Fixed CMake build order

The spec templates have been modified not to use _smp_mflags
macro such that build targets will be executed sequentially
which will help troubleshooting build issues.

https://pagure.io/dogtagpki/issue/2978

Change-Id: Id073a367f560521aa62af8646725b767e4e37685

- - - - -
7b645a2e by Endi S. Dewata at 2018-04-10T13:33:19Z
Removed pki-console build dependency

The pki-console.spec.in has been modified to build the core jar
files from its own source tarball such that the console can be
built without external dependency on pki-base-java.

https://pagure.io/dogtagpki/issue/2978

Change-Id: Ib09565686d3465cd4f4aef18ad05f23ce86343ad

- - - - -
1d193271 by Endi S. Dewata at 2018-04-10T14:36:35Z
Removed redundant ldapjdk.jar finders

https://pagure.io/dogtagpki/issue/2978

Change-Id: I865cf77893125a9e90f13274d01fe372eadefcea

- - - - -
419707e3 by Endi S. Dewata at 2018-04-10T14:53:11Z
Fixed javadoc warnings

https://pagure.io/dogtagpki/issue/2978

Change-Id: I7b0c9780006a53a233b2cf38cf209404fe3c89b8

- - - - -
d4f604e4 by Endi S. Dewata at 2018-04-10T17:18:30Z
Cleaned up pki-core.spec.in

The pki-core.spec.in has been modified to make it more legible.

https://pagure.io/dogtagpki/issue/2978

Change-Id: Ifd20ea3695c255983221e45c59ce900977832b42

- - - - -
1fe06842 by Endi S. Dewata at 2018-04-10T20:38:28Z
Cleaned up pki-console.spec.in

The pki-console.spec.in has been modified to make it more legible.

https://pagure.io/dogtagpki/issue/2978

Change-Id: I8ddcf8485b60659e0048da9776edb5ab1af94075

- - - - -
3de520ee by Endi S. Dewata at 2018-04-10T23:39:30Z
Cleaned up dogtag-pki-theme.spec.in

The dogtag-pki-theme.spec.in has been modified to make it more
legible.

https://pagure.io/dogtagpki/issue/2978

Change-Id: Ia7b084c239e21b4a52aa4735e83ecfb1711f3933

- - - - -
a011d1b9 by Endi S. Dewata at 2018-04-11T01:05:43Z
Cleaned up dogtag-pki.spec.in

The dogtag-pki.spec.in has been modified to make it more legible.

https://pagure.io/dogtagpki/issue/2978

Change-Id: I5fb38199dc26c14d1f53b42caa6b0c13e662aa47

- - - - -
48ac86ac by Endi S. Dewata at 2018-04-11T02:41:07Z
Removed esc_version macro in dogtag-pki.spec.in

The ESC dependency in dogtag-pki.spec.in has been modified to
specify the version number directly without esc_version macro.

https://pagure.io/dogtagpki/issue/2978

Change-Id: I4bfbd14449a01b26d6811e9c948133cb0428fb8c

- - - - -
ed79cf1a by Endi S. Dewata at 2018-04-11T02:45:18Z
Fixed README location in dogtag-pki package

The README file in dogtag-pki package has been moved into a more
generic location in /usr/share/doc/pki folder.

https://pagure.io/dogtagpki/issue/2978

Change-Id: I84710086dd4ac0ae25972fd520cf848c46d2cb7d

- - - - -
34c36915 by Endi S. Dewata at 2018-04-11T03:00:54Z
Removed pki_*_version macros in dogtag-pki.spec.in

The PKI dependencies in dogtag-pki.spec.in have been modified
to use the RPM version number directly.

https://pagure.io/dogtagpki/issue/2978

Change-Id: I926628e00b6e4975305ae581070aec99df499b53

- - - - -
0ec550d2 by Amol Kahat at 2018-04-11T07:17:40Z
Added code for audit event enable, update, disable CLI.
New cli introduced:
  pki-server <subsystem>-audit-event-enable
  pki-server <subsystem>-audit-event-update
  pki-server <subsystem>-audit-event-disable

Pagure: https://pagure.io/dogtagpki/issue/2914

Change-Id: Ifc97f7b0155cd266cb44df8301df77768dc360a0
Signed-off-by: Amol Kahat <akahat at redhat.com>

- - - - -
38c05869 by Endi S. Dewata at 2018-04-11T17:18:42Z
Fixed logging for pki pkcs12-import

The pki pkcs12-import has been modified to use Python logger.

https://pagure.io/dogtagpki/issue/2977

Change-Id: I2e2a13bff5db425cc2db939926e2bc36f0b8281a

- - - - -
dcbf3837 by Endi S. Dewata at 2018-04-11T18:52:29Z
Fixed pki pkcs12-import with NSS SQL database

As suggested by kaie, the PKCS12Util has been modified to use
PK11Store.deleteCertOnly() instead of deleteCert() to remove
just the certificate while keeping the key in the database.

https://pagure.io/dogtagpki/issue/2977

Change-Id: If077abeb1370a53047c348a8205a1be4daaab87d

- - - - -
20f7a7ba by Endi S. Dewata at 2018-04-11T23:03:16Z
Updated version number to 10.6.0-1

Change-Id: Ibd5c5dffd9fde22829605f4de780e5e7f4712995

- - - - -
15a925eb by Endi S. Dewata at 2018-04-13T13:43:47Z
Fixed TestRunner output

The TestRunner has been modified to show the location of the
reports in the stderr if the test failed.

Change-Id: Iee833bf876798ab45a74c7449e68ddf108173af7

- - - - -
f5dbc762 by Endi S. Dewata at 2018-04-13T13:50:00Z
Renamed _commit macro

The _commit macro in the spec templates has been renamed into
_commit_id for clarity.

Change-Id: I3137d6f44b6a22a38b73f3cf6074dd3dc233b6cd

- - - - -
e9e59496 by Endi S. Dewata at 2018-04-13T16:22:30Z
Listing RPM packages built by compose scripts

The compose scripts have been modified to list the RPM packages
that have just been built.

Change-Id: Ibe57fb5f7f5a74a4328d709e6ba8205e5d20ef7c

- - - - -
7b7f60a0 by Endi S. Dewata at 2018-04-13T16:37:29Z
Fixed pki-javadoc build dependency

The CMake scripts and spec template have been modified such that
pki-javadoc can be built without building pki-server.

Change-Id: I9820d331485e8fac449b37cefe5feb5a004329f2

- - - - -
f67cc0f7 by Endi S. Dewata at 2018-04-13T18:57:31Z
Reduced pki-console build time

The pki-console.spec.in has been modified not to build the server
packages, javadoc, nor run the tests to reduce the build time.

Change-Id: I9c5ff95eb4a8743a874078fdefa323da8e686370

- - - - -
953803db by Endi S. Dewata at 2018-04-13T20:31:19Z
Cleaned up build logs

The CMake scripts and spec templates have been modified to show
more useful logs.

Change-Id: I61f2cb64d7ad1d54bf6e6faae96539a04cda085c

- - - - -
0e0b03ea by Endi S. Dewata at 2018-04-13T22:08:51Z
Suppressed unused CMake variable warnings

The spec templates have been modified to suppress warnings about
unused variables defined by CMake modules.

Change-Id: I3c28592d294f30ba9e9c4d206f1940eba76eba72

- - - - -
631df72e by Endi S. Dewata at 2018-04-13T22:46:36Z
Fixed warnings when building without server packages

The code that creates Python modules has been fixed such that
it doesn't generate warnings when building without the server
packages.

Change-Id: I66228b782f33cfdc23000fdc0e1f862c7c1c06f7

- - - - -
1362face by Endi S. Dewata at 2018-04-14T01:12:20Z
Fixed CI log messages

Change-Id: I9dab36f224df504274ca2282f1df7552af1f24e3

- - - - -
b54975f4 by Fraser Tweedale at 2018-04-14T03:56:05Z
Fix ACL evaluation in allow,deny mode

When `authz.evaluateOrder=allow,deny', ACL evaluation returns the
wrong result: matching allow rules deny access, and matching deny
rules allow access.

Fix the problem and improve type safety and readability by
introducing a couple of enums for ACLEntry.Type and EvaluationOrder.

CVE-2018-1080

Fixes: https://pagure.io/freeipa/issue/7453
Change-Id: Ic076ed4b90c305cda9da2c56ec90fc77b4dac039

- - - - -
d7b5ae8e by Endi S. Dewata at 2018-04-16T19:51:11Z
Fixed warnings about OWNER_EXECUTE permissions

The CMake scripts have been modified not to set OWNER_EXECUTE
permission on non-executable files.

Change-Id: I6808195907d1013ac0328dcd73a9266a0880f594

- - - - -
aa8ab51e by Endi S. Dewata at 2018-04-16T23:28:28Z
Added --without-debug option

The compose scripts have been modified to provide an option to
build without debug packages.

https://pagure.io/dogtagpki/issue/2978

Change-Id: I664c4cb9f7c073bb9355cfc06ac83e51441d06eb

- - - - -
2e299050 by Christina Fu at 2018-04-17T00:43:52Z
Ticket #2940 post-ticket simple typo fix.

Change-Id: I98558f607cb611981bcafd42d6500fd26a9664be

- - - - -
16c279a1 by Endi S. Dewata at 2018-04-17T01:35:28Z
Build script cleanup

Change-Id: If25c1d1dfee63377ccc973176fcc4281266ee47c

- - - - -
a6b6cd07 by Endi S. Dewata at 2018-04-17T01:42:20Z
Added pki.spec.in

A new pki.spec.in has been added to combine all spec templates.
Initially it will contain a copy of the pki-core.spec.in. Other
spec templates will be merged later.

A new build.sh script has been added to run the build process
using the new spec template.

https://pagure.io/dogtagpki/issue/2978

Change-Id: Ie3ae44b7af76190754dab571b3757f649979f4b3

- - - - -
b63892ee by Endi S. Dewata at 2018-04-17T02:06:16Z
Merged pki-console.spec.in

The pki-console.spec.in has been merged into pki.spec.in.

The build.sh was also modified to provide an option to build
without the console package.

https://pagure.io/dogtagpki/issue/2978

Change-Id: I94acad9d10a16fae6da07dd568475ddf39e9f02d

- - - - -
be8b0ff9 by Endi S. Dewata at 2018-04-17T02:57:53Z
Merged dogtag-pki-theme.spec.in

The dogtag-pki-theme.spec.in has been merged into pki.spec.in.

The build.sh was also modified to provide an option to build
without the theme packages.

https://pagure.io/dogtagpki/issue/2978

Change-Id: Id738b759894d18ff0e9b45378a692369197efaf2

- - - - -
64c8c982 by Endi S. Dewata at 2018-04-17T03:02:25Z
Merged dogtag-pki.spec.in

The dogtag-pki.spec.in has been merged into pki.spec.in.

The build.sh was also modified to provide an option to build
without the meta package.

https://pagure.io/dogtagpki/issue/2978

Change-Id: I303143c4c4c23fea75e8f0ae78dd88794f0e908c

- - - - -
8855b2da by Endi S. Dewata at 2018-04-18T01:46:50Z
Added support for Tomcat 9.0

The PKIRealm and pki-server migrate CLI have been modified to
work with Tomcat 9.0.

https://pagure.io/dogtagpki/issue/2980

Change-Id: I141fc5e9f7a9971c4c6c9ac1f5577def6ca207bc

- - - - -
9b6cc6d2 by Endi S. Dewata at 2018-04-18T18:11:31Z
Fixed hard-coded Java home path

The hard-coded Java home path has been modified to use RPM macro
to avoid rpmlint error.

https://pagure.io/dogtagpki/issue/2978

Change-Id: I7265c43a59aea0ea890c433ca4505a63a2151464

- - - - -
e4f45efb by Endi S. Dewata at 2018-04-18T20:57:42Z
Fixed macro-in-comment warnings

The spec templates have been modified to remove macro-in-comment
warnings from rpmlint.

https://pagure.io/dogtagpki/issue/2978

Change-Id: I2b075d120ff539d5e13befd9637b2f764e3bd5f9

- - - - -
24ba40f6 by Endi S. Dewata at 2018-04-18T21:31:07Z
Validating spec files with rpmlint

The build scripts have been modified to use rpmlint to validate
the spec files.

The CI script has been modified to install rpmlint in the
container.

https://pagure.io/dogtagpki/issue/2978

Change-Id: I60a9e6b7fc316342af8aa0f101c6d1986bb3fdb2

- - - - -
5d614f38 by Dinesh Prasanth M K at 2018-04-18T23:01:43Z
Reorganizing CI related stuffs

- `run_task.sh` has been split into `ipa-test.sh`
  and `pki-test.sh`
- Deletion is now handled from Jenkins
- Fixed the log name for systemd
- Removed --quiet option to report pylint issues

Ticket: https://pagure.io/dogtagpki/issue/2990

Change-Id: I6fdca00419fd53ef3e0d3425268ae03cec2c749e

- - - - -
14b0d430 by Endi S. Dewata at 2018-04-19T02:03:43Z
Fixed unversioned-explicit-provides warnings

The spec templates have been modified to remove
unversioned-explicit-provides warnings from rpmlint.

https://pagure.io/dogtagpki/issue/2978

Change-Id: Ib5e6990e056611d762a192a6ac75048d5db2b92b

- - - - -
12ee7185 by Endi S. Dewata at 2018-04-19T02:04:05Z
Fixed unversioned-explicit-obsoletes warnings

The spec templates have been modified to remove
unversioned-explicit-obsoletes warnings from rpmlint.

https://pagure.io/dogtagpki/issue/2978

Change-Id: Ia4482faac041c872384fafbfe5671275ea908dc5

- - - - -
05fa5032 by Endi S. Dewata at 2018-04-19T02:04:05Z
Fixed missing %prep and %build sections

The dogtag-pki.spec.in has been modified to provide %prep and
%build sections to remove warnings from rpmlint.

https://pagure.io/dogtagpki/issue/2978

Change-Id: Ifedffcf2f6dd4e37816c885fe0a21989fb04c307

- - - - -
bf60c34c by Amol Kahat at 2018-04-19T06:59:51Z
Added "Serial No" in pki-server subsystem-cert-find CLI.

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1566360
Pagure: https://pagure.io/dogtagpki/issue/2987

Change-Id: I35b29c37dc95c3415b4106c8c45d86a30f70628f
Signed-off-by: Amol Kahat <akahat at redhat.com>

- - - - -
58e6e009 by Endi S. Dewata at 2018-04-19T21:12:36Z
Fixed empty build dir cleanup

The build.sh has been modified to remove the empty build dirs
properly.

https://pagure.io/dogtagpki/issue/2978

Change-Id: I2c4fe62c880ad07b550d94f8b9a885626e5b0fcb

- - - - -
e15d3747 by Endi S. Dewata at 2018-04-20T00:37:16Z
Cleaned up build.sh

The build.sh has been modified to use a global variable instead of
literals for project name.

https://pagure.io/dogtagpki/issue/2978

Change-Id: I651381a8ca4d36bc3386d980fe7297ae91bdd4db

- - - - -
2d9bc471 by Endi S. Dewata at 2018-04-20T01:38:00Z
Added generate_rpm_spec() in build.sh

The code that generates and validates the RPM spec in build.sh
has been moved into generate_rpm_spec().

https://pagure.io/dogtagpki/issue/2978

Change-Id: Ic3fb5917ca3923e6be69db52b402fc109b7b8fd8

- - - - -
66f875b4 by Endi S. Dewata at 2018-04-20T01:41:40Z
Added generate_rpm_sources() in build.sh

The code that generates the tarball in build.sh has been moved
into generate_rpm_sources().

https://pagure.io/dogtagpki/issue/2978

Change-Id: I3ac22a8f341c7df40037017a2a2acd5dd9bf9a6e

- - - - -
1dc7533b by Endi S. Dewata at 2018-04-20T17:19:01Z
Cleaned up build.sh

The build.sh has been modified to use a simpler method to generate
the timestamp and commit ID parameters for rpmbuild.

https://pagure.io/dogtagpki/issue/2978

Change-Id: Ia9bdb4d976da966ffa909de416af2b21d264d01e

- - - - -
2110d8c2 by Christina Fu at 2018-04-20T20:12:48Z
Ticket #2992 servlet profileSubmitCMCSimple throws NPE

This patch addresses the issue that when auth.instance_id is not specified in
the profile, NPE is thrown.
An alternative is to add the auth.instance_id value, but it's better to leave this
as manual approval only without changing the functionality.

fixes https://pagure.io/dogtagpki/issue/2992

Change-Id: I0a3afca1c66af96917a81c94b088d792f0332a4d
(cherry picked from commit 203db212a3dce216687dd2aac349fe37d2e92a96)

- - - - -
b47fc4f6 by Endi S. Dewata at 2018-04-21T02:30:33Z
Added option to create tarball from a source tag

The build.sh has been modified to provide an option to generate
the source tarball from a source tag.

https://pagure.io/dogtagpki/issue/2978

Change-Id: Ia85d1b164bfcf38b44fbc64d0ec84fed5e9c4be8

- - - - -
4874fa4a by Endi S. Dewata at 2018-04-21T02:30:33Z
Added automatic patch generation in build.sh

The build.sh has been modified to generate a patch for all
changes since the specified source tag.

https://pagure.io/dogtagpki/issue/2978

Change-Id: I25ea186eaa379062e5814ce0856394346cdf17b0

- - - - -
e326be6f by Endi S. Dewata at 2018-04-23T14:42:25Z
Added option to build without base packages

The build.sh has been modified to provide an option to build
without the base packages.

https://pagure.io/dogtagpki/issue/2978

Change-Id: I2799f4621f9266b559daf8dd353a27cb6f3ec01c

- - - - -
ba1a2d32 by Endi S. Dewata at 2018-04-23T16:42:05Z
Moved folder creation into CMake script

The code that creates /var/log/pki and /var/lib/pki folder has
been moved from spec files into the CMake scripts.

https://pagure.io/dogtagpki/issue/2978

Change-Id: If01558aa9eea6bee483316ee05345627b0343996

- - - - -
dea3f000 by Endi S. Dewata at 2018-04-23T19:33:20Z
Removed CryptoToken.login() invocation in SigningUnit.init().

The SigningUnit.init() has been removed to no longer call redundant
CryptoToken.login() since token login is already done in TomcatJSS.

Due to these changes, the jss.password parameter in CS.cfg is no
longer supported.

Change-Id: I0933e41b3a61531ac36f4c925a238c47d82e7ad0

- - - - -
76912e2e by Endi S. Dewata at 2018-04-24T04:09:21Z
Fixed token name normalization in pki-server subsystem-cert-validate

The pki-server subsystem-cert-validate has been modified to
normalize cert token name before calling pki client-cert-validate.
This way "Internal Key Storage Token" will be considered as an
internal token and no longer specified as a parameter.

https://pagure.io/dogtagpki/issue/2997

Change-Id: I452d8e4b404086c3add6b52a9aa2acd2993d7e97

- - - - -
a8e7f8c8 by Endi S. Dewata at 2018-04-24T20:10:30Z
Added description for token name normalization

https://pagure.io/dogtagpki/issue/2997

Change-Id: I941e2bf20494100f804f2b5b753e4e4ab5e4c676

- - - - -
30e1c5fc by Endi S. Dewata at 2018-04-24T20:40:04Z
Added --without <package> option for each subsystem

The pki.spec.in has been modified to provide --without <package>
options for CA, KRA, OCSP, TKS, and TPS.

https://pagure.io/dogtagpki/issue/2978

Change-Id: Ic43757be5cc2a74a2249d918dbca46ea1e0a6e2d

- - - - -
a9369557 by Endi S. Dewata at 2018-04-25T18:01:30Z
Cleaned up build.sh

https://pagure.io/dogtagpki/issue/2978

Change-Id: I3002bec921f195f0c919a89c53590df2e76d04aa

- - - - -
3c71a3d4 by Endi S. Dewata at 2018-04-25T23:16:13Z
Fixed pki-symkey dependencies

The pki-server package has been modified to depend on pki-symkey.
All packages that depend on pki-server have been modified to no
longer depend on pki-symkey directly.

https://pagure.io/dogtagpki/issue/2972

Change-Id: Ic35e6cb677366b313bcfde83c80c270932638624

- - - - -
30caec50 by Endi S. Dewata at 2018-04-25T23:17:51Z
Cleaned up spec templates

The spec templates have been modified to use a minimum version
instead of exact version for dependencies on other PKI packages.

https://pagure.io/dogtagpki/issue/2972

Change-Id: Ibe40f9519707af84b3ea1ba31e917c784b023951

- - - - -
f0d60833 by Endi S. Dewata at 2018-04-26T02:03:25Z
Removed obsolete resolveHosts attributes

The server.xml templates have been modified to remove the
obsolete resolveHosts attributes.

https://pagure.io/dogtagpki/issue/2986

Change-Id: I2b9adf2dbc23b14d5b6033621f9278b40d44936f

- - - - -
8d3bdc96 by Endi S. Dewata at 2018-04-26T03:25:28Z
Removed warnings in CustomComboBoxModel

Change-Id: If7848e9823db41f743131c747bbf91c57ae15c8f

- - - - -
276e656d by Endi S. Dewata at 2018-04-26T03:30:37Z
Removed warnings in CMSRemoteClassLoader

Change-Id: Ib1ef1d2e5f9783e43d7399a0a96f485a814d0310

- - - - -
4ed9c908 by Endi S. Dewata at 2018-04-26T03:45:22Z
Removed warnings in CMSTableModel

Change-Id: I4e1855e42c61b3fee68f11c49041b6cdc98fa1ae

- - - - -
a5b7813f by Endi S. Dewata at 2018-04-26T04:20:51Z
Removed warnings in CMSTaskModel

Change-Id: Id52f1a347d46ebfc7b2077347ccf9b544c21f2ce

- - - - -
335f4b3b by Endi S. Dewata at 2018-04-26T04:41:03Z
Removed warnings in Console

Change-Id: Ifbd5b8b92263531001aa485d4689a6a062c0f085

- - - - -
98e48014 by Endi S. Dewata at 2018-04-26T13:58:32Z
Removed warnings in MessageFormatter

Change-Id: I4c82c22089dddedefc9a8094a684b70710b36d80

- - - - -
547d6427 by Endi S. Dewata at 2018-04-26T14:00:14Z
Removed warnings in ProfileDataTable

Change-Id: Ia14bb79e1b4a6bedd8251ac5b74d8fe5f5e4942a

- - - - -
ca66f8f8 by Endi S. Dewata at 2018-04-26T14:02:59Z
Removed warnings in UIMapperRegistry

Change-Id: I2df5cd8fd37bab91ff29467473ec4d3a248adba0

- - - - -
67bc4506 by Endi S. Dewata at 2018-04-26T14:04:11Z
Removed warnings in CRMFPopClient

Change-Id: Id248a6bf74f46e00dd53503d93d279e3285835a9

- - - - -
f6dcf396 by Endi S. Dewata at 2018-04-26T14:14:41Z
Removed warnings in CMSCRLFormatPanel

Change-Id: I1d55348aa01e77fd471ed5e8d20bd529e38dbc03

- - - - -
6181d206 by Endi S. Dewata at 2018-04-26T14:39:44Z
Removed warnings in ACIDialog

Change-Id: Ie6f37f7315945a151fc6adeeec27c1696bbcef45

- - - - -
77305651 by Endi S. Dewata at 2018-04-26T15:05:25Z
Removed warnings in ACLEditDialog

Change-Id: I1f87ef186c711aa5d546c0428ff56516ba925ddf

- - - - -
35f37ef7 by Endi S. Dewata at 2018-04-26T15:14:00Z
Removed warnings in UserListDialog

Change-Id: I9d4a10964217cf17284a1f22a750cd4d1d046fba

- - - - -
aba4a8bd by Endi S. Dewata at 2018-04-26T15:20:49Z
Removed warnings in UserEditor

Change-Id: Icd662b321c756e2eb5e3e0c413d760126b0c0580

- - - - -
ae91788b by Endi S. Dewata at 2018-04-26T19:26:02Z
Added options to build select packages

The build.sh has been modified to provide --with-pkgs=<list>
to build specified packages only, and --without-pkgs=<list> to
build everything except the specified packages.

https://pagure.io/dogtagpki/issue/2978

Change-Id: I28b086e11fd5f48704ba750fe00e67ec49a4d955

- - - - -
a8f5e0ea by Endi S. Dewata at 2018-04-26T21:21:25Z
Added build option to change the distribution name

The build.sh has been modified to provide a --dist=<name> option
to change the default distribution name (e.g. fc28).

https://pagure.io/dogtagpki/issue/2978

Change-Id: I6a8392c0c03d398a9088228f065517208d54a810

- - - - -
45b9f76c by Endi S. Dewata at 2018-04-26T22:59:42Z
Removed warnings in CMSCAConnectorPanel

Change-Id: I02c57d32f2c3135420144937308278278f6b12e2

- - - - -
6152e93d by Endi S. Dewata at 2018-04-26T22:59:42Z
Removed warnings in CMSCRLIPPanel

Change-Id: I080cebf5818220dac4d99a5131b38afb80461ce5

- - - - -
4f1451da by Endi S. Dewata at 2018-04-26T22:59:42Z
Removed warnings in CMSKRAPasswdPanel

Change-Id: Iec29d4469fe857223735c03300bd3b0f54e2be8f

- - - - -
ec7f1a3b by Endi S. Dewata at 2018-04-26T22:59:42Z
Removed warnings in CMSRAConnectorPanel

Change-Id: I0a2adf7eb2dc4884fb2f647f5a7a9d4e12de6df8

- - - - -
1dd87a3b by Endi S. Dewata at 2018-04-26T22:59:42Z
Removed warnings in ProfilePolicySelectionDialog

Change-Id: I4c28fc22252d79730d6343aa82d149b88239d5ad

- - - - -
6fbbb923 by Endi S. Dewata at 2018-04-26T22:59:42Z
Removed warnings in CertManagementDialog

Change-Id: Ib0a96e59b326a85a252a972deb6b35f9eccc173d

- - - - -
e01d941e by Endi S. Dewata at 2018-04-26T22:59:42Z
Removed warnings in GroupEditor

Change-Id: I1e37ec0f589e948a373f639c66dedc7d5a1e6603

- - - - -
da726268 by Endi S. Dewata at 2018-04-26T22:59:42Z
Removed warnings in PluginSelectionDialog

Change-Id: I6717e6a403f234ea9c4a21e44dbb2ab98d7b49c6

- - - - -
1ac8687a by Endi S. Dewata at 2018-04-27T03:05:15Z
Removed legacy Tomcat JK/JK2 files

https://pagure.io/dogtagpki/issue/773

Change-Id: I8ce3329826b45fd2e460fc58842fc618bd0fd8cc

- - - - -
6a08c251 by Endi S. Dewata at 2018-04-27T03:17:54Z
Removed warnings in PolicyRuleOrderDialog

Change-Id: Id0c8888ed666c26f532059c891d7d6914124336d

- - - - -
1c5f54d0 by Endi S. Dewata at 2018-04-27T03:29:34Z
Removed warnings in AbstractCipherPreference

Change-Id: Ia25508b0b849542e88aff49f25912af755840842

- - - - -
b7a2fe6c by Endi S. Dewata at 2018-04-27T03:52:27Z
Removed warnings in AuthImplTab

Change-Id: I935ef1a8d7b769fcb04067cf3d551451e0889ff3

- - - - -
5edf0333 by Endi S. Dewata at 2018-04-27T04:02:34Z
Removed warnings in CMSStart

Change-Id: Ic78afc514a3dc02ed9e7ab6c16155fb9bf874d81

- - - - -
62d725e8 by Endi S. Dewata at 2018-04-27T16:00:56Z
Added support for relative path for build.sh working directory.

The build.sh has been modified to convert a relative path for
working directory into an absolute path.

https://pagure.io/dogtagpki/issue/2978

Change-Id: I6d543e65c931a46eaf895f76f4578e374a9577b7

- - - - -
f9a48a40 by Christian Heimes at 2018-04-30T08:42:23Z
Pass keystroke commands as bytes

In Python 3, subprocess.communicate() requires bytes as input. Convert
two keystroke inputs from str to ASCII bytes.

Fixes: https://pagure.io/dogtagpki/issue/3005
Change-Id: Ifd00804177f86cf550c93ac1ba5861cd8fa17c81
Signed-off-by: Christian Heimes <cheimes at redhat.com>

- - - - -
22abe1c4 by Christian Heimes at 2018-04-30T14:13:46Z
pki-server validate: write password as bytes

The ``pki-server subsystem-cert-validate`` was failing with a bytes
TypeError. os.write() takes a fd and bytes-like object, but a password
text string was passed to os.write(). The password is now encoded from
text to UTF-8 bytes.

Fixes: https://pagure.io/dogtagpki/issue/3007
Change-Id: I5a4ea3be92ccae4dcf5eabd6168907a148e390c0
Signed-off-by: Christian Heimes <cheimes at redhat.com>

- - - - -
16f3197a by Christian Heimes at 2018-04-30T19:03:56Z
Convert certs to text for JSON serialization

Under Python 3, nssdb.get_cert() returns bytes. The serialized certificate
is held by SystemCertData.cert attribute. Later on, the ConfigurationRequest
data structure with multiple SystemCertData instances is serialized to
JSON. But JSON doesn't support serialization of bytes, which results in
a TypeError.

The code now converts the cert to text before it gets assigned to
SystemCertData.cert.

Fixes: https://pagure.io/dogtagpki/issue/3008
Change-Id: I16632415de7aa6f7ab77f1351e656464931662f6
Signed-off-by: Christian Heimes <cheimes at redhat.com>

- - - - -
d3b007d5 by Endi S. Dewata at 2018-04-30T23:32:00Z
Consolidated cacertnickname literals.

The cacertnickname literals have been consolidated into
ISigningUnit.PROP_CA_CERT_NICKNAME constants.

Change-Id: I7ac4a0321e0384d88921f77f7549a132ade514e1

- - - - -
915defc9 by Endi S. Dewata at 2018-05-01T01:49:03Z
Refactored instance registry creation

The code that creates instance registry has been moved into instance_layout.py.

Change-Id: I63a20cd4ed4c554371d56e2745a4849fc81561f7

- - - - -
6d5f1eb5 by Endi S. Dewata at 2018-05-01T03:11:28Z
Refactored server.xml creation

The code that copies and customizes server.xml has been moved
into instance_layout.py.

Change-Id: I741060a4150c2d029c264bcd31d757c099361690

- - - - -
267b9973 by Endi S. Dewata at 2018-05-01T03:11:54Z
Refactored subsystem customization

The code that copies and customizes subsystem configuration files
has been moved into subsystem_layout.py.

Change-Id: Iada2556e33f2b4d19afd369a6c93f54085b6a6cc

- - - - -
db0fd238 by Endi S. Dewata at 2018-05-01T15:05:36Z
Renamed ASubsystem to BaseSubsystem

The ASubsystem has been renamed BaseSubsystem and cleaned up
so it can be used as the base class for all subsystems. The
UGSubsystem has been modified to extend the BaseSubsystem.

Change-Id: Ib51966dd2c68b6f1cc21d08a8d813250a9229137

- - - - -
de8c38bf by Endi S. Dewata at 2018-05-01T15:10:41Z
Refactored UGSubsystem

The UGSubsystem has been modified to extend the BaseSubsystem.
Some method/field definitions have become redundant so they have
been removed.

Change-Id: I3e96df57a6cbabe0f6a9525a6978a8b43c0446cb

- - - - -
e980a79b by Endi S. Dewata at 2018-05-01T15:41:09Z
Added enabled flag in BaseSubsystem

The BaseSubsystem has been modified to add an enabled flag with
its setter/getter methods. The flag is set to true by default.

Change-Id: Ie382838b46efc7a983bb08d6bc59605890987737

- - - - -
7a5d62b9 by Endi S. Dewata at 2018-05-01T16:46:28Z
Fixed exception handling in UGSubsystem

The UGSubsystem has been modified such that it will be enabled
only after database initialization.

https://pagure.io/dogtagpki/issue/1334

Change-Id: Ifaa20e2903a0d3dbf71435379003397b30dcc5a1

- - - - -
ecdd5ad1 by Endi S. Dewata at 2018-05-01T21:48:32Z
Refactored dynamic subsystems in CMSEngine

The array of dynamic subsystems in CMSEngine has been converted
into a Map to simplify its usage.

https://pagure.io/dogtagpki/issue/1334

Change-Id: I842d347900f63650c0461a375e504d71e3267ddd

- - - - -
c5905ab0 by Endi S. Dewata at 2018-05-01T23:34:41Z
Refactored CMSEngine initialization

The CMSEngine has been modified to be invoked directly during
initialization instead of indirectly using CMS wrapper methods.

https://pagure.io/dogtagpki/issue/1334

Change-Id: I95d027c7d91e1cfd621328adcea61b4dcd68246f

- - - - -
143dde47 by Endi S. Dewata at 2018-05-02T00:57:17Z
Updated loggers in CMSEngine

The CMSEngine has been updated to use SLF4J loggers.

Change-Id: Ie0fd3b713703477d7a55b70ca9592fd8db9e09ae

- - - - -
d3af8567 by Endi S. Dewata at 2018-05-02T02:21:12Z
Updated loggers in CertificateAuthority

The CertificateAuthority has been updated to use SLF4J loggers.

Change-Id: Iaaf4a377e17d65e1053d976a340550a5d30e9a17

- - - - -
fbbf9967 by Endi S. Dewata at 2018-05-02T03:16:32Z
Added debug messages for CA signing cert parsing

The CertificateAuthority has been modified to provide additional
debug messages around the code that parses the CA signing cert.

Change-Id: I9a1a094031ca1c8e558fc2d5007c94cdc75cb1fe

- - - - -
0817e99a by Christian Heimes at 2018-05-02T10:49:35Z
Fix more bytes/str issues in cert handling

The deployer script wrote ca.signing.cert as b'data' to CS.cfg. The bug
broke external CA feature. Certs are now serialized to disk or JSON as ASCII
base64-encoded cert string.

To catch similar mistakes in the future, the config writer for CS.cfg now
ensures that only supported value types are written to disk. If the value
is neither None, text string, or integer, a TypeError is raised.

Fixes: https://pagure.io/dogtagpki/issue/3005
Change-Id: Id1a4175ed8787e7e9ab15fa9b61f643a401a9af1
Signed-off-by: Christian Heimes <cheimes at redhat.com>

- - - - -
383d53e4 by Christian Heimes at 2018-05-02T13:56:51Z
Config: Write None value as empty value

None value is no longer written as string 'None'. Instead a key with
None value is written as "key=".

Change-Id: Ia38aa80891a3fad4f08db6c74e845293719aa102
Signed-off-by: Christian Heimes <cheimes at redhat.com>

- - - - -
752d1a63 by Endi S. Dewata at 2018-05-02T15:04:02Z
Updated loggers in CMS class

The CMS class has been modified to use SLF4J loggers.

Change-Id: I02f0dc67bfbfec547d982efd1c4c6d0ea1bf0062

- - - - -
14153b80 by Endi S. Dewata at 2018-05-02T15:07:36Z
Moved CMS.main() into PKIServer class

The CMS.main() has been moved into a new PKIServer class
for future use.

Change-Id: I96b6e92d26f308036d715eeef59a004b564bee23

- - - - -
3a614568 by Endi S. Dewata at 2018-05-02T15:28:01Z
Refactored CMS.start()

The code in CMS.start() has been moved into CMSStartServlet and
PKIServer to provide better control and to fix dependency issue.

Change-Id: I3a08849484910161218d4f9edce4ba1830141368

- - - - -
ebedc553 by Endi S. Dewata at 2018-05-02T18:06:10Z
Cleaned up CMSEngine.setServerCertNickname()

The obsolete comment in CMSEngine.setServerCertNickname()
has been removed.

Change-Id: Ibf3dddacfcc1675bf39221f51a7f078ba0925884

- - - - -
4fbc7567 by Endi S. Dewata at 2018-05-02T18:14:11Z
Moved SubsystemInfo into separate file

The SubsystemInfo class has been moved out of CMSEngine.java
into SubsystemInfo.java.

Change-Id: If444f5064e64c852cc778bff77368503e18f7cd4

- - - - -
28e04de4 by Endi S. Dewata at 2018-05-02T20:12:40Z
Refactored CMSEngine.loadDynSubsystems()

The CMSEngine.loadDynSubsystems() has been renamed into
loadSubsystems() to handle all subsystem loading.

Change-Id: Id1011ca757d13d79208164eb7c4af37b9d2a38b4

- - - - -
cb77d9d1 by Endi S. Dewata at 2018-05-02T20:21:22Z
Added CMSEngine.initSubsystems()

The code that initializes all subsystems has been moved into a
new CMSEngine.initSubsystems().

Change-Id: I30f0416685d87e76e2e4113b7a2e2258a2988f56

- - - - -
adf4cc91 by Endi S. Dewata at 2018-05-02T20:41:05Z
Refactored static subsystems in CMSEngine

The code that loads the static subsystems has been moved into
CMSEngine.loadSubsystems().

Change-Id: Ida36e58730736dcec046875fa01430c9e70f46a0

- - - - -
2c25dc7d by Endi S. Dewata at 2018-05-02T23:16:33Z
Refactored final subsystems in CMSEngine

The code that loads the final subsystems has been moved into
CMSEngine.loadSubsystems().

Change-Id: If78f45da725fd557bb9b04cc20c7d7a3b8078c21

- - - - -
2aef7573 by Endi S. Dewata at 2018-05-03T03:51:09Z
Added option to specify CMSEngine class

The CMSStartServlet has been modified to support a parameter
to specify a different CMSEngine class.

Change-Id: Ic882b34846518dbb563cbf0fdcfaecdd1ead0943

- - - - -
431a9e48 by Endi S. Dewata at 2018-05-03T03:53:10Z
Cleaned up CMSEngine

Unused methods in CMSEngine have been removed. Some debug
messages have been updated as well.

Change-Id: I74f89c59b4341e92b6f5109e261974dcf265c0b1

- - - - -
2eb39162 by Endi S. Dewata at 2018-05-03T03:53:58Z
Added CAEngine

A new CAEngine class has been added to customize the CMSEngine
behavior for CA.

Change-Id: I9cef80f3442678a3854d167c88812f7bdf532e99

- - - - -
782b5772 by Endi S. Dewata at 2018-05-03T03:55:36Z
Fixed error handling in CrossCertPairSubsystem

The CAEngine has been modified to enable CrossCertPairSubsystem
only after database initialization to prevent errors.

https://pagure.io/dogtagpki/issue/1334

Change-Id: Ia9f24dc2fb5ff85738463601767b32723811d512

- - - - -
370b69d9 by Endi S. Dewata at 2018-05-03T14:36:19Z
Delaying CA subsystem initialization during installation

The server has been modified to delay CertificateAuthority
subsystem initialization until after database initialization
to prevent errors.

https://pagure.io/dogtagpki/issue/1334

Change-Id: Ice3d1d16b5cb7547b313518521b3949b00dd7442

- - - - -
1b005453 by Endi S. Dewata at 2018-05-03T15:19:52Z
Updated loggers in DBSubsystem

The DBSubsystem has been modified to use SLF4J loggers.

Change-Id: I9d8141efd05e728a755c99da018a875e843e626b

- - - - -
6da60ac7 by Endi S. Dewata at 2018-05-03T16:04:58Z
Updated version number to 10.6.1

Change-Id: Iaf5769fc13e7ee9c0c10272ad4e358e86c4352c9

- - - - -
592b4d0a by Endi S. Dewata at 2018-05-03T16:26:41Z
Fixed build dependency on git

The spec templates have been updated to require and use git to
apply patches.

Change-Id: Ic216f9842a507fdb795293478157a54a0dd42f9b

- - - - -
ede20176 by Dinesh Prasanth M K at 2018-05-03T19:50:52Z
Added F28 matrix

- Travis is configured with 3 parallel jobs.
- Tests against F28 and F27 simultaneously.
- Uses a single image rather than 2.
- Disabled rpmlint due to failures in F28

Note: ipa-test has been disabled in F28

Change-Id: Iec4edec81345df52bf58a2e2890a7cdcafe803ef

- - - - -
a390b7bf by Endi S. Dewata at 2018-05-03T22:48:56Z
Updated NSS dependencies.

The spec templates have been modified to require NSS 3.36.1
on all platforms.

Change-Id: I1001e85ad180902ea8727764fceb7da302bbcae2

- - - - -
ed08e351 by Endi S. Dewata at 2018-05-04T03:04:32Z
Updated Tomcat dependencies

The spec templates have been updated to require Tomcat 9.0.7
on Fedora 29.

Change-Id: I20ea698e99675d703360cce96f666b3629f31188

- - - - -
7b9aa323 by Endi S. Dewata at 2018-05-04T13:48:13Z
Fixed Servlet API dependency

The pki-tools package has been modified to depend on Servlet
API 4.0 package provided by Tomcat 9 on Fedora 29.

Change-Id: I6228fd86b5594c862a2c5285b6ca80ee6322c96d

- - - - -
a690f291 by Endi S. Dewata at 2018-05-04T16:07:14Z
Updated version number to 10.6.1-2

Change-Id: I8b4bde7bd9c73e7dde56584a43bc2af9a9454aa9

- - - - -
c0709155 by Endi S. Dewata at 2018-05-04T16:37:31Z
Fixed some rpmlint warnings

Change-Id: If496da802b68a8f25ddbea905d3b5a5905d849dd

- - - - -
b01ca991 by Endi S. Dewata at 2018-05-04T19:57:42Z
Fixed build order

The build.sh has been modified to build the RPM sources first
before the RPM spec file.

Change-Id: I6aa15251bab28ce443a6e3334011c76db1e4c7bf

- - - - -
fbe9664c by Endi S. Dewata at 2018-05-04T20:01:17Z
Fixed empty patch generation

The build.sh has been modified to prevent generating empty
patch file if there are no new commits since the specified
source tag.

Change-Id: Ica76a4709b05778b79174ec1dd7ecdfabb47033d

- - - - -
4f176a79 by Endi S. Dewata at 2018-05-05T03:16:32Z
Simplified CMake parameters

The spec templates have been modified to use a cleaner way to
construct some CMake parameter values from RPM macros.

Change-Id: Ib033404f47d83975d0e11995ca626cdf01f56aa5

- - - - -
6a7067b5 by Endi S. Dewata at 2018-05-05T04:44:25Z
Simplified CMake parameters (part 2)

The spec templates have been modified to use a cleaner way to
construct some CMake parameter values from RPM macros.

Change-Id: Ib220b16fcc5479c5124838006273f6b00fb80a16

- - - - -
0e8dfcec by Endi S. Dewata at 2018-05-07T16:01:14Z
Cleaned up sed commands in build.sh

The build.sh has been modified to concatenate the sed commands
into a single string then execute it only once.

Change-Id: Ibf93bc69bb1e26e435c3668eb456d9ba75ffa9fa

- - - - -
1e211fd2 by Endi S. Dewata at 2018-05-07T18:00:22Z
Generating spec with hard-coded test option

The build.sh has been modified to hard-code the test option
so the SRPM can be rebuilt with the same option.

Change-Id: I62ee5c2954a0f648b04ffd98c2cf3b3a0f602425

- - - - -
59796de3 by Endi S. Dewata at 2018-05-07T18:12:25Z
Renamed PKI_NSS_DB_TYPE to NSS_DEFAULT_DB_TYPE

The PKI_NSS_DB_TYPE build parameter has been renamed to
NSS_DEFAULT_DB_TYPE for consistency.

Change-Id: I756f64ad3288c621620cc1aa98c2a60e1c7b4339

- - - - -
ff827730 by Endi S. Dewata at 2018-05-07T18:39:04Z
Added nss_default_db_type macro

The spec templates have been modified to define the default NSS
database type in nss_default_db_type macro for clarity.

Change-Id: I07107cd23c8fb66f857595a8fa0b9444f4646afb

- - - - -
5c160ef4 by Endi S. Dewata at 2018-05-08T04:41:13Z
Added RPM build option for debug packages

The spec template has been modified to provide a --with/--without
option for debug packages.

Change-Id: Ieab171bd444be297f3e31b86525f6770098426af

- - - - -
c942f0d0 by Amol Kahat at 2018-05-08T05:48:20Z
Minor changes in audit.py and ca.py file.

Change-Id: I74f0167d8319505af4dbd9e2977478c42e818043
Signed-off-by: Amol Kahat <akahat at redhat.com>

- - - - -
a843a5cd by Endi S. Dewata at 2018-05-08T15:58:17Z
Added package_option macro

The spec template has been simplified by wrapping the
bcond_with and bcond_without options for a package
with package_option macro.

https://pagure.io/dogtagpki/issue/2978

Change-Id: I4e63b3bb47204296915af5e38bec2ff50c1975a4

- - - - -
1c836008 by Endi S. Dewata at 2018-05-09T00:25:06Z
Generating spec with hard-coded packages

The build.sh has been modified to hard-code the list of
packages to build into the spec file such that the SRPM
can be rebuilt to produce the same packages.

https://pagure.io/dogtagpki/issue/2978

Change-Id: Icf8af29c601529bcaf45dce80cdf90d6107a04b4

- - - - -
2a3d006b by Endi S. Dewata at 2018-05-09T02:00:01Z
Updated build.sh to rebuild RPM from SRPM.

The build.sh has been modified to rebuild the RPM packages from
SRPM package that contains hard-coded options.

https://pagure.io/dogtagpki/issue/2978

Change-Id: Ibe7dc700ca9b0c2ecfe07c1834aded8c8ff72a02

- - - - -
e7344dbb by Endi S. Dewata at 2018-05-13T11:11:19Z
Updated version number to 10.6.1-3

The spec templates have been modified to use the standard Tomcat
8.0 on F27 to simplify development.

Change-Id: Ia8f482a1600d7d93e544cf0f37c1ab2d3887c2bd

- - - - -
e2b0c192 by Endi S. Dewata at 2018-05-13T22:43:34Z
Fixed warnings in AdminConnection

Change-Id: Ief9eba0a554e9e447a25da5712d50e62384e4208

- - - - -
79e135f5 by Endi S. Dewata at 2018-05-13T22:59:16Z
Fixed warnings in CMSAdmin

Change-Id: I7e4851093ff8a4c5d2ae056d00fa8a9d8b1c3125

- - - - -
067bace3 by Endi S. Dewata at 2018-05-14T00:45:00Z
Updated loggers in CAInstallerService

Change-Id: I4e9d089126f9cbc2736465e59d652b768c6bcf79

- - - - -
16334542 by Endi S. Dewata at 2018-05-14T00:45:43Z
Removed redundant CMS methods.

Some methods in CMS class have been removed since the actual
methods in CMSEngine can be called directly.

Change-Id: I1f1d02168234ced01b53c6c19895f2c5d71a25da

- - - - -
55a09191 by Endi S. Dewata at 2018-05-14T03:15:15Z
Refactored CMSEngine.initSubsystems()

The doSetId parameter in CMSEngine.initSubsystems() has been
converted into SubsystemInfo.updateIdOnInit field.

Change-Id: I95df5c556ee67948e878f89a8e8246e3aaa9db42

- - - - -
517dca6f by Endi S. Dewata at 2018-05-14T03:41:47Z
Updated loggers in CMSEngine

Change-Id: I59053009e6985e9f7e5d0f4b87f4e5a3a55231db

- - - - -
e35a3214 by Endi S. Dewata at 2018-05-14T10:36:00Z
Removed dead code

Some classes have been modified to remove the dead code reported
by Eclipse.

Change-Id: I529d0a94efe7844e324fad1f2e4d0d2f3091d2b9

- - - - -
00fbc9de by Endi S. Dewata at 2018-05-14T11:24:26Z
Updated CAEngine

The CAEngine has been modified to disable additional subsystems
during installation to prevent misleading exceptions.

https://pagure.io/dogtagpki/issue/1615

Change-Id: Iebeeeab5a9c75ab37b2a899f39c41961b3215bac

- - - - -
dd5eaab0 by Endi S. Dewata at 2018-05-14T11:26:56Z
Added KRAEngine

A new KRAEngine has been added to disable some subsystems
during installation to prevent misleading exceptions.

https://pagure.io/dogtagpki/issue/1615

Change-Id: Ie5917d686a3be09fc8bffe52d7f5e5c026629247

- - - - -
4110c928 by Endi S. Dewata at 2018-05-14T11:28:18Z
Added OCSPEngine

A new OCSPEngine has been added to disable some subsystems
during installation to prevent misleading exceptions.

https://pagure.io/dogtagpki/issue/1615

Change-Id: I8c741da8f750968644f8651d217d9b096caa82be

- - - - -
275e0770 by Endi S. Dewata at 2018-05-14T11:29:44Z
Added TKSEngine

A new TKSEngine has been added to disable some subsystems
during installation to prevent misleading exceptions.

https://pagure.io/dogtagpki/issue/1615

Change-Id: Ieae18c800ff71e33b8aa0bd73f3969ff98817418

- - - - -
9f52e75c by Endi S. Dewata at 2018-05-14T19:08:47Z
Fixed warnings in CMSStatus

Change-Id: I48a2fe2612ffdd18f2a4e0fdb26bfd666898bd20

- - - - -
4d696e97 by Endi S. Dewata at 2018-05-14T22:45:09Z
Added log messages in TPSInstaller

The TPSInstaller has been modified to provide additional log
messages to help troubleshooting.

Change-Id: I04f21568e9c6814116999861ded41bb4c6b9c228

- - - - -
2a9073e0 by Endi S. Dewata at 2018-05-14T23:32:55Z
Refactored ConfigurationUtils.reInitSubsystem()

The ConfigurationUtils.reInitSubsystem() has been converted into
SystemConfigService.reinitSubsystems().

https://pagure.io/dogtagpki/issue/1615

Change-Id: Ib6ef2f30095f5a043f8d6870893106b36e77aa8e

- - - - -
0be09139 by Endi S. Dewata at 2018-05-15T00:06:27Z
Renamed .travis folder

The .travis folder has been renamed to travis for simplicity.

Change-Id: I2a1edc856b96fe0ea2705bae5a8adfd7c20bc522

- - - - -
eb5b163c by Endi S. Dewata at 2018-05-15T00:50:53Z
Removed duplicate CI tests

The pki-test.sh has been modified to remove duplicate tests.

https://pagure.io/dogtagpki/issue/2882

Change-Id: I776cd848a0214be6bc03cb010e373dd13e3b27d4

- - - - -
ba8293e1 by Endi S. Dewata at 2018-05-15T01:27:52Z
Updated loggers in TPSSubsystem

Change-Id: I3530de27e89f3760552e4b45df04037eab48c923

- - - - -
01f01226 by Endi S. Dewata at 2018-05-15T02:24:30Z
Added basic OCSP installation test

Change-Id: I2837dce498d70822795e4de6d847a5b4c6efccb1

- - - - -
7f741fd3 by Endi S. Dewata at 2018-05-15T03:40:39Z
Fixed explicit-lib-dependency libselinux-python3 error

https://pagure.io/dogtagpki/issue/3017

Change-Id: I903d7a1e57c3848b962b2ac9e29f592f812de306

- - - - -
2bbdec65 by Endi S. Dewata at 2018-05-15T03:56:36Z
Fixed non-executable-script error

https://pagure.io/dogtagpki/issue/3017

Change-Id: I229a4a2ce8f7922da05f848334b2e58ba1d38c1d

- - - - -
28bbc5b8 by Endi S. Dewata at 2018-05-15T04:01:44Z
Added basic TKS installation test

Change-Id: Ib6ca651503055fd611d0cc199e723256570ebf35

- - - - -
719cfd4f by Endi S. Dewata at 2018-05-15T06:38:41Z
Added basic TPS installation test

Change-Id: Ic88a6b87fa1396076bd576bb3ab59f556f7b82ea

- - - - -
c72c62f4 by Endi S. Dewata at 2018-05-15T07:45:27Z
Cleaned up set_gerrit_message.sh

The set_gerrit_message.sh has been renamed to send-result.sh for
clarity. A new parameter has been added to read the message from
file.

Change-Id: Ia8196b8c96a9926560493ceeed6608be782f5738

- - - - -
520bc3f6 by Endi S. Dewata at 2018-05-15T09:48:07Z
Renamed TRANSFER_SH_URLS variable

The TRANSFER_SH_URLS variable has been renamed to LOGS for clarity.

Change-Id: I565a36446b824e8e08476c9b913b35a8bffdba12

- - - - -
92a279f9 by Endi S. Dewata at 2018-05-15T10:14:49Z
Refactored init_task.sh

The code that initializes the builder container has been moved
from init_task.sh into a new builder-init.sh.

Change-Id: Ibc2c0e9a49aa642f0449ab652eafe5616c35ccc3

- - - - -
6e3daff7 by Endi S. Dewata at 2018-05-15T13:07:39Z
Merged CI build scripts

The code that installs the dependencies and executes the build
has been merged into a single script.

Change-Id: I1a878796f1a51bb7a64ed3cfb809fab90fa9ebb3

- - - - -
4d105479 by Endi S. Dewata at 2018-05-15T15:12:54Z
Refactored pki-test.sh

The code that builds and installs PKI packages has been moved
from pki-test.sh into the install section in .travis.yml.

Change-Id: If84ce2420986fa74cd700a5a17b117b1b6115de4

- - - - -
b882fbb9 by Endi S. Dewata at 2018-05-15T16:02:50Z
Split pki-test.sh and remove-all.sh

The pki-test.sh and remove-all.sh have been split into separate
scripts for each subsystem.

Change-Id: Ia0d3d2451f0d2ef53700581d46412439a58ad476

- - - - -
8bc024ba by Endi S. Dewata at 2018-05-15T17:39:54Z
Fixed timestamp and commit ID in spec templates

The compose scripts have been modified to generate the proper
timestamp and commit ID in all spec templates.

Change-Id: I926f433f42920d4d633732e9236588c469ecb6c2

- - - - -
080aef27 by Endi S. Dewata at 2018-05-16T01:44:07Z
Cleaned up ipa-test.sh

The code that installs ipa-docker-test-runner has been moved from
ipa-test.sh into ipa-init.sh.

Change-Id: I377283d60beb0e9fbd1c5a8acbdd4b53966c7376

- - - - -
becd0514 by Endi S. Dewata at 2018-05-16T11:04:08Z
Cleaned up CI logs

Some CI variable names and log file names have been renamed
for clarity.

Change-Id: Ibfed36dbe129269914e2e51f8a0ccda8b397686f

- - - - -
9a8c3232 by Endi S. Dewata at 2018-05-16T13:01:26Z
Added -quiet param for javadoc

Change-Id: Iad09a9d447345b2effccec285a63173d75db0c20

- - - - -
71a4f987 by Endi S. Dewata at 2018-05-16T17:12:48Z
Cleaned up CMake output

The CMake script has been modified to suppress install messages.

Change-Id: Ia1420935a993afd0791cf20a5ca9c1d2c184902e

- - - - -
24490f21 by Endi S. Dewata at 2018-05-16T18:08:12Z
Added TPSEngine

A new TPSEngine has been added to disable some subsystems
during installation to prevent misleading exceptions.

https://pagure.io/dogtagpki/issue/1615

Change-Id: Id52966431635819de5f2d98d159964dfc02fb707

- - - - -
e7799ed1 by Endi S. Dewata at 2018-05-17T01:44:05Z
Cleaned up CMake output (part 2)

The spec templates have been modified to suppress excessive
CMake messages about build target dependencies.

Change-Id: I629288038b885319b66a7bc054cf688e85a65333

- - - - -
ba497148 by Endi S. Dewata at 2018-05-17T02:22:11Z
Renamed COPYING to LICENSE

Change-Id: I21de12b9aac61e7277a3163ce4c4bcef24825455

- - - - -
5973c554 by Endi S. Dewata at 2018-05-17T14:51:57Z
Converted README to Markdown

Change-Id: I7d5ebb3a722010f71a9981044607676b44dc985f

- - - - -
37d6e3ae by Christina Fu at 2018-05-17T17:18:38Z
Ticket 1741 ECDSA Signature Algorithm encoding

This patch addresses part of the issue where params were in the AlgorithmIdentifier of the ECDSA signature algorithm. The JSS portion is addressed by https://pagure.io/jss/issue/3

Fixes https://pagure.io/dogtagpki/issue/1741

Change-Id: I5dfea6eb2ca4711da2a983382c3f6607d95f3e0d

- - - - -
3c020c16 by Christina Fu at 2018-05-17T22:13:18Z
Ticket 3018 CMC profiles: Some CMC profiles have wrong input class_id

This patch fixes the profile input area where
cmcCertReqInputImpl should replace certReqInputImpl
and submitterInfoInputImpl should not be present

fixes https://pagure.io/dogtagpki/issue/3018

Change-Id: Id4e03961110b19b2c73ebd9def89919d5dd3b0ad

- - - - -
b743abbe by Endi S. Dewata at 2018-05-17T23:40:01Z
Fixed typo in pki-securitydomain man page

Change-Id: I84ec4d1da62ac9ee3c90c41f38c35445d1a1bc55

- - - - -
6fa2f87c by Endi S. Dewata at 2018-05-21T09:35:26Z
Removed old references to pki-selinux

The spec templates have been modified to remove references to
pki-selinux package that has been obsolete for quite a while.

Change-Id: I090d3fb5acdceb6cda421722fa925ce94d1f3886

- - - - -
7cfe5e18 by Endi S. Dewata at 2018-05-21T09:47:39Z
Added %doc macro for pki-base-java

The spec templates have been modified to provide a %doc macro
for pki-base-java package.

Change-Id: I825f8f82a8ff3c19f4eb8a880e3739558c0b2472

- - - - -
cce5ca5e by Endi S. Dewata at 2018-05-21T10:19:42Z
Renamed CI env vars for clarity

Change-Id: Id99119236e6467db2aa2ddba83a8b5bf3819d774

- - - - -
76ca5e2c by Endi S. Dewata at 2018-05-21T15:55:13Z
Fixed rpmlint warnings

Change-Id: I3e00379ac23487a18ec53b6ecb1521cd0e2040a5

- - - - -
cb7b0d12 by Endi S. Dewata at 2018-05-21T16:21:41Z
Removed references to old theme packages

The spec templates have been modified to remove references to
old theme packages that have been removed some time ago.

Change-Id: Id8d3f9e0b5ac1dcff2d4b605c3b3818e705b55a1

- - - - -
f1167a6d by Christina Fu at 2018-05-21T16:38:13Z
Ticket #2995 SAN in internal SSL server certificate in pkispawn configuration step

This patch adds CommonNameToSANDefault to all server profiles so that
SAN will be placed in server certs by default.
For more flexible SAN or multi-value SAN, SubjectAltNameExtDefault
will have to be used instead.

fixes: https://pagure.io/dogtagpki/issue/2995

Change-Id: I66556f2cb8ed4e1cbe2d0949c5848c6978ea9641

- - - - -
94e0a563 by Jack Magne at 2018-05-21T18:16:56Z
Fix #2996 ECC installation for non CA subsystems needs improvement.

The problem is that the installation of say a KRA, which is ECC enabled fails out of the box.

This is due to the fact that the internal cert profiles for the following certificates are incorrect:

1. sslserver cert
2. subsystem cert
3. admin cert

In the ECC case there is some hard coding that references the well known cert profiles for RSA versions of the above certs.

What we need in the ECC case is a way to correctly select the ECC versions of the above profiles.
Therefore this fix does the following:

1. Makes the selection of either the ECC version or the RSA version of the above internal cert profiles based on the key type, ecc or rsa. This solution relies upon well known profile names, but can be modified in the future to be more customizable, should the need arise.

2. I found a related problem when trying to create an ECC enabled KRA in a SHARED instance scenario. There was some final cloning related config code that was grossly RSA specific and throws exceptions when ECC is involved. I altered this piece of code to skip over the bad things with ECC and let the RSA case run unimpeded. We may need further refinement for the ECC case, but I felt this was needed to allow something like an ECC kra to be installed in a shared instance scenario.

Change-Id: I192dc18e50c87403624dd46754c5f22bc988d9a7

- - - - -
d021dc2b by Christian Heimes at 2018-05-22T10:09:13Z
Fix banner file loading

The banner code was loading the banner file with
codecs.open(filename, 'UTF-8'), but the second argument to codecs.open()
is not an encoding but a mode.

Since Dogtag no longer supports Python 2.6, the io.open() function does a
much better job here. It's equivalent to Python 3's open() builtin. By
default, it loads text files with UTF-8 codec.

Change-Id: I2fbaea04bb313bdaf21ceaa0c0c68d0cfcd5ea9a
Signed-off-by: Christian Heimes <cheimes at redhat.com>

- - - - -
0b8d0c91 by Endi S. Dewata at 2018-05-22T14:16:51Z
Added UnicodeDecodeError handler

The pki-server banner-validate CLI has been modified to catch
UnicodeDecodeError and show a proper error message.

The XML validation is no longer needed so it has been removed.

https://pagure.io/dogtagpki/issue/3022

Change-Id: I90f0d1068d974d611b6c269766e66bbeaef3a0d2

- - - - -
9e7f2352 by Christian Heimes at 2018-05-23T11:37:13Z
py3: write generic extension data in binary mode

Generic extension data gets supplied in pkispawn configuration as
hex-encoded text.  pkispawn decodes it and writes the binary data to
a file that will be read by `certutil -R`.  The datum being written
is bytes, so we must open the file in binary mode.

Change-Id: I934652e3408b12558532025e979eed6eb98106c2
Co-authored-by: Fraser Tweedale <ftweedal at redhat.com>
Fixes: https://pagure.io/dogtagpki/issue/3020

- - - - -
d5b6913a by Endi S. Dewata at 2018-05-24T12:45:22Z
Added -Xlint:deprecation option for javac

The CMake script has been modified to use -Xlint:deprecation option
when compiling Java code to show deprecated code.

Change-Id: I176284a0fe4eed81b30974d74ab63b86ca687f23

- - - - -
a05e82c7 by Endi S. Dewata at 2018-05-24T21:20:12Z
Cleaned up .travis.yml

The code that posts test status in .travis.yml has been moved into
separate scripts for clarity.

Change-Id: I8dc1ac699cf3826650aeefd61e76f8735b15d2b9

- - - - -
b0f9a67f by gkapoor at 2018-05-29T14:22:15Z
Fix for https://bugzilla.redhat.com/show_bug.cgi?id=1544843

Change-Id: Id8d45bfc804a9f26a1a475cb928cf184975a8f5f
Signed-off-by: gkapoor <gkapoor at redhat.com>

- - - - -
fc63ceab by Fraser Tweedale at 2018-05-30T00:15:40Z
Bump required jss version

jss-4.4.4 fixes a problem with key unwrapping that broke lightweight
CA key replication.  The problem only occurs when the SQL-based
NSSDB backend is in use.  Bump the jss min version for environments
that use the SQL DB by default.

Change-Id: I022600631d3251560d69ab0ba41cda7d1345d3eb

- - - - -
8e556e34 by Endi S. Dewata at 2018-05-30T19:42:59Z
Bump required jss version (part 2)

The pki and pki-core spec templates have been modified to match
the JSS requirements in pki-core.

Change-Id: I902319ff6621f52d888a2d481e383ad9c99391b7

- - - - -
a16ec662 by Endi S. Dewata at 2018-05-30T21:40:01Z
Moved default.cfg

The default.cfg has been moved from /etc/pki to
/usr/share/pki/server/etc to fix non-conffile-in-etc
rpmlint warning.

https://pagure.io/dogtagpki/issue/3017

Change-Id: Ia74f5ba7fdf3dde2d29636fb02725874d45c479f

- - - - -
231d1fb1 by Endi S. Dewata at 2018-05-30T23:26:07Z
Fixed pylint error on F29

The upgrade.py has been modified to fix the try-except-raise
pylint error on F29.

Change-Id: I4f123ad2d38a5f353ec9be9c8b760cb35199fedf

- - - - -
8f4fbe3e by Endi S. Dewata at 2018-06-01T01:59:05Z
Updated loggers in CryptoUtil

The CryptoUtil class has been modified to use SLF4J loggers.

Change-Id: I23248b66723774b13adfb60fe94a3bc78a57d693

- - - - -
5efa4199 by Amol Kahat at 2018-06-01T06:51:03Z
Added pki CA authentication plugins automation tests.

Change-Id: I91e72faf458f4d4bbe3b912a6e08512951345f99
Signed-off-by: Amol Kahat <akahat at redhat.com>

- - - - -
4b68c6e7 by Endi S. Dewata at 2018-06-04T17:40:49Z
Fixed BadPaddingException deprecation

The deprecated org.mozilla.jss.crypto.BadPaddingException has been
replaced with javax.crypto.BadPaddingException.

Change-Id: I9a685c9f56aea2bdccba0f45a48b1892a113c1fc

- - - - -
30002ee8 by Endi S. Dewata at 2018-06-04T19:02:29Z
Updated JSS dependencies

Change-Id: I0027c85f1199793df7ce7024bd49332c8fc815f6

- - - - -
bd936525 by Christina Fu at 2018-06-04T20:56:22Z
Ticket 3028 CMC CRMF request results in InvalidKeyFormatException when signing algorithm is ECC

This patch fixes the issue where in case of CRMF request with ECC keys the
public key was encoded incorrectly previously.

The fix was done in a way that RSA portion is unaffected.

Fixes https://pagure.io/dogtagpki/issue/3028

Change-Id: I3eb62638f2970dc7a9df37abb19015bd287b383d

- - - - -
33f532f4 by Christina Fu at 2018-06-04T20:57:52Z
Ticket 3028 additional error checking

Change-Id: If660fabd21b9992416dd1d5463b6ffd68fa1bf43

- - - - -
6c3ca7d4 by Endi S. Dewata at 2018-06-04T22:44:25Z
Added cert path validation during installation

The installer has been modified to validate the presence of the
mandatory certificates for existing/external CA scenarios and
external/standalone KRA/OCSP scenarios.

https://pagure.io/dogtagpki/issue/2999

Change-Id: I60aa5118a9048b1ea77c1b203a36e8e164d03af7

- - - - -
6ff2dfc3 by Fraser Tweedale at 2018-06-07T02:55:10Z
Handle empty NameConstraints subtrees when reading extension

When reading stored NameConstraints extension data on a request, if
includedSubtrees or excludedSubtrees is empty, an exception is
thrown.  But these are valid cases, so do not throw an exception.

Also perform some minor drive-by refactors and add the 'static'
qualifier to a few methods to improve readability.

Part of: https://pagure.io/dogtagpki/issue/2922

Change-Id: I925d8a64b96dd0f45b0548ceb11dbee4223cd64c

- - - - -
2ea0bd67 by Fraser Tweedale at 2018-06-07T02:55:10Z
IPAddressName: fix toString method

IPAddressName.toString() is invoked when saving
NameConstraintDefault configurations.  Its implementation was wrong;
it produced bogus output for the netmasked variants used for
NameConstraints.  This resulted in issuance failures.  Update the
method to produce correct output for both netmasked and
non-netmasked addresses.

Fixes: https://pagure.io/dogtagpki/issue/2922
Change-Id: I3012565379961add5ac8286043f55c8e30520ddd

- - - - -
d6132233 by Endi S. Dewata at 2018-06-07T03:23:43Z
Removed dependency on sun.security.util.DerValue

All references to sun.security.util.DerValue have been replaced
with netscape.security.util.DerValue.

https://pagure.io/dogtagpki/issue/3023

Change-Id: I669cf3d59533921e99aa5867eae40a6ce6f058a9

- - - - -
6a95f01f by Christina Fu at 2018-06-08T23:31:06Z
Ticket 3033  CRMFPopClient tool - should allow option to do no key archival

This patch allows key transport cert file to not be specified, which would
then not include key archive option in the CRMF request.

fixes https://pagure.io/dogtagpki/issue/3033

Change-Id: I087bfa6700f22c794e7a316f4451b3a9dc800265

- - - - -
7b01ff4b by Christina Fu at 2018-06-09T00:22:31Z
Bugzilla #1580527 CMCAuth Authorization for agents.

This patch adds proper authz entries to enrollment profiles using CMCAuth;
It also adds proper acl check inside ProfileSubmitCMCServlet for CMCAuth.

Fixes 2nd part of Bugzilla #1580527

Change-Id: I61fa1613f752c5bc203ab18d6a073eb7a13c966b

- - - - -
b6142812 by Endi S. Dewata at 2018-06-11T20:00:20Z
Removed pki-tools dependency on Servlet API

The unused CertSearchRequest.buildFromServletRequest() has been
removed such that pki-tools package no longer depends on Servlet
API.

https://pagure.io/dogtagpki/issue/3035

Change-Id: Ic1e5a384ee1db5eae1c790fb6fe70e98a16872d3

- - - - -
f4b5423c by Endi S. Dewata at 2018-06-11T21:39:23Z
Cleaned up Tomcat dependencies

Change-Id: I585d371ea007652a06811141b0704a42e18e2393

- - - - -
64c8d80a by Endi S. Dewata at 2018-06-12T21:52:49Z
Added default build target

Change-Id: I1dbdab42118554c196ece6b69e343e50b0180f17

- - - - -
80d26225 by Endi S. Dewata at 2018-06-12T22:22:25Z
Added logging in ProxyRealm

Change-Id: I6b7965f413abd1a4a96821c75489cf5b06565ec5

- - - - -
5c5fba6f by Endi S. Dewata at 2018-06-13T00:53:20Z
Refactored pki.upgrade.Version

The pki.upgrade.Version has been moved into pki.util.Version
to make it more usable in general.

Change-Id: Ib5b9475b7ee2ea0c139b15c59bd90951f04285f1

- - - - -
0aa0a4a7 by Endi S. Dewata at 2018-06-13T03:24:17Z
Refactored Tomcat.get_major_version()

The Tomcat.get_major_version() has been converted into
get_version() which returns the full version number in
an instance of pki.util.Version.

Change-Id: Ief0f658a71479171e8c5f49a934c1916f6a18455

- - - - -
8d4f8ea9 by Endi S. Dewata at 2018-06-13T04:03:47Z
Added generics for Enumerations

Change-Id: I129457bf95572053f6b78160c419ca83fa29034d

- - - - -
2a044a9b by Endi S. Dewata at 2018-06-13T20:46:59Z
Added generics for Hashtables

Change-Id: I8bc616da33f38b3c4d60e4c8d6354e705fa28be3

- - - - -
7108352a by Endi S. Dewata at 2018-06-14T04:27:39Z
Added generics for JComboBoxes

Change-Id: I9c15064373ed556e03216b741b66092a305e3b87

- - - - -
a7913e9d by Endi S. Dewata at 2018-06-15T00:53:05Z
Added generics for CustomComboBox

Change-Id: Iedd680fd555beafe781e28e4b457c11fb730d655

- - - - -
ea97e0b2 by Endi S. Dewata at 2018-06-15T01:15:39Z
Added generics for JList

Change-Id: I910ebd25914839e1dd25d31e291fef7c5ea0864f

- - - - -
47fa845c by Endi S. Dewata at 2018-06-17T05:31:13Z
Ignored Flake8 warnings on Rawhide

The tox.ini has been modified to ignore Flake8 W504 warnings
to avoid build failure on Rawhide. In the future the code should
be fixed properly.

https://pagure.io/dogtagpki/issue/3036

Change-Id: I1ca9bf9d7fa3d2fdfae352d48d9122bdf0c1e5a1

- - - - -
871bb116 by Endi S. Dewata at 2018-06-17T05:31:25Z
Updated version number to 10.6.2

The spec files have been modified to update the version number,
Tomcat and JSS dependencies, and to remove redundant code.

Change-Id: Ic3fa7655972a535a8e9ac7549e634c6f4f11fafa

- - - - -
0addaf58 by Endi S. Dewata at 2018-06-18T19:49:29Z
Updated Python dependencies

Change-Id: Ife0f3461adfa42c5507acebe32ba023a4383f374

- - - - -
085e747f by Endi S. Dewata at 2018-06-19T00:43:50Z
Updated Python dependencies (part 2)

Change-Id: If6642363aacdc1daf75636c0ea6ece19ad072c2d

- - - - -
2746c4f7 by Christina Fu at 2018-06-20T02:21:24Z
Ticket 3037 CMC SharedToken SubjectDN default

This patch adds proper subjectDN to CMC requests authenticated via SharedToken.
Specifically, the AuthTokenSubjectNameDefault profile default is added to
the default CMC profiles that authenticate via SharedToken.
Code was added to ensure that the proper subjectDN retrieved from the
mapped user entry is added to the AuthToken for such utilization.

Fixes https://pagure.io/dogtagpki/issue/3037

Change-Id: Id92d9496ab5b41ea7b5dcffb8d73d3ffe8b29fbc

- - - - -
0d568974 by Endi S. Dewata at 2018-06-21T04:03:38Z
Temporarily disabled cert validation for transfer.sh

The curl commands in Travis CI have been modified to ignore the
expired transfer.sh cert. Once the cert is renewed, the cert
validation should be restored.

Change-Id: Idfdcfc265bebf9351af12c2ef570e8091525d1fb

- - - - -
25aea9fd by Endi S. Dewata at 2018-06-21T04:31:10Z
Refactored replication configuration

The code that configures replication has been moved from
ConfigurationUtils class into a new ReplicationUtil class.

Change-Id: Ib3d27e7ca104fb6e531fa8664944d083582b49cf

- - - - -
bb1e72b3 by Endi S. Dewata at 2018-06-21T19:58:06Z
Updated pki.util.Version

The pki.util.Version has been modified to parse the first three
digits in the version number and ignore the rest.

Change-Id: I0d36a684d607ef4be02080a81ad1e37fec724d34

- - - - -
0bfc946c by Christina Fu at 2018-06-22T00:17:49Z
Ticket 2920 Part2 of SharedToken Audit

This patch addresses the issue that the original audit message for failure
got overwritten for SharedToken.

fixes https://pagure.io/dogtagpki/issue/2920

Change-Id: I0c09fbcc39135dc9aeee8a49a40772565af996c4

- - - - -
3bb33d5e by Endi S. Dewata at 2018-06-22T20:43:04Z
Added pki pkcs11-cert-find

A new pki pkcs11-cert-find CLI has been added to list the certs in
PKCS #11 keystore.

Change-Id: I718fa72a5b11de046f110f70c7b286e7df8eaf83

- - - - -
b02912f5 by Endi S. Dewata at 2018-06-22T22:21:27Z
Added pki pkcs11-key-find

A new pki pkcs11-key-find CLI has been added to list the keys in
PKCS #11 keystore.

Change-Id: I3d0a3aa35b18064cce776734f5dbf2a84589353e

- - - - -
43a5d6c7 by Endi S. Dewata at 2018-06-22T23:12:58Z
Deprecated pki cert CLI

The pki cert CLI has been deprecated in favor of pki ca-cert to
clarify that the operation will be performed on the CA instead of
locally.

Change-Id: I79e2b02ea733352e1d4fa5bfdd5a35109cfd7591

- - - - -
aed9a40c by Endi S. Dewata at 2018-06-22T23:50:03Z
Deprecated pki key CLI

The pki key CLI has been deprecated in favor of pki kra-key to
clarify that the operation will be performed on the KRA instead of
locally.

Change-Id: I7545133738f0655b65cd97db74d446e2f1a33f3e

- - - - -
657dad20 by Endi S. Dewata at 2018-06-23T02:35:25Z
Moved pki ca-cert classes

The classes that implement the pki ca-cert CLIs have been moved
from com.netscape.cmstools.cert into com.netscape.cmstools.ca.

Change-Id: I53aabcb0acbe531213136d9a86d13106415b8d5d

- - - - -
f2804623 by Endi S. Dewata at 2018-06-23T02:39:55Z
Moved pki kra-key classes

The classes that implement the pki kra-key CLIs have been moved
from com.netscape.cmstools.key into com.netscape.cmstools.kra.

Change-Id: I3411f0857d508b3406557912c79ff29b1889eb8d

- - - - -
59c323a8 by Endi S. Dewata at 2018-06-23T03:33:23Z
Clearing Password objects

The MainCLI has been modified to clear the Password objects
explicitly.

Change-Id: Id0cb1727d1a8ca69e05cfd50deee06a03b1b94ab

- - - - -
01fa6d2f by Endi S. Dewata at 2018-06-23T04:03:11Z
Updated loggers in PKCS10

The PKCS10 class has been modified to use SLF4J loggers.

Change-Id: I0852f9876e262c9f8f032a5bf094ad28b48a489a

- - - - -
8622bce2 by Endi S. Dewata at 2018-06-24T03:26:20Z
Fixed static field access

Various classes have been modified to access static fields by their
classes instead of instances.

Change-Id: Ib338af5c4e0ccf8b89705d147f1127f7e220e011

- - - - -
1cca8f13 by Endi S. Dewata at 2018-06-24T03:37:15Z
Removed unused imports

Change-Id: I4fb6790954d6886c9169b2da174b5bc3f7493068

- - - - -
651b9ab9 by Endi S. Dewata at 2018-06-25T17:35:48Z
Moved TomcatJSS configuration into PKIListener

The code that loads TomcatJSS configuration from server.xml
has been moved into PKIListener to provide more control on
the initialization process.

Change-Id: Ic40fc7ef467ca9eaa5b9cd62fa1c87eaed397a77

- - - - -
9993d32b by Endi S. Dewata at 2018-06-25T18:23:03Z
Updated TomcatJSS initialization in PKIListener

The PKIListener has been modified to initialize TomcatJSS before
the initialization phase.

Change-Id: If4b96192a9edf6d0b8c61aaa1dc2f0c2637311e7

- - - - -
8c58112f by Endi S. Dewata at 2018-06-25T22:35:41Z
Updated pki-server migrate to use PKCS #11 keystore

The pki-server migrate CLI has been modified to configure the
HTTP Connector with PKCS #11 keystore instead of PKCS #12 file.

https://pagure.io/dogtagpki/issue/3024

Change-Id: I0c928c48bcb8d5ed09e3de27078f8ca333b2a228

- - - - -
df8198d6 by Fraser Tweedale at 2018-06-26T00:40:30Z
IPAddressName: fix construction from String

The IPAddressName(String) constructor (the non-netmask case) was
broken by commit 628ace0c90073a8a1d90e96fae0aab9e43903fd6.  Fix it,
and rename one of the helper methods to clarify its behaviour.

Fixes: https://pagure.io/dogtagpki/issue/2922
Change-Id: I711cf6845496f54c86b10d2d01368912084f96ea

- - - - -
b1c244cf by Endi S. Dewata at 2018-06-26T01:01:06Z
Updated operations script

The operations script has been modified to no longer export the
SSL server cert into a PKCS #12 file since the HTTP connector
will now use a PKCS #11 keystore instead.

https://pagure.io/dogtagpki/issue/3024

Change-Id: I9289c00a1ebfa4b1cf4d1738e9c2a3507d36da77

- - - - -
21d0899b by Endi S. Dewata at 2018-06-26T02:52:37Z
Updated JSS dependencies

The spec templates have been modified to depend on JSS version
that provides PKCS #11 keystore implementation.

https://pagure.io/dogtagpki/issue/3024

Change-Id: I3b771acc8b5fc7bfb4fa9b1f8a4302f8c1f4d9c2

- - - - -
e3c0a585 by Christina Fu at 2018-06-26T16:50:48Z
Ticket 3003 AuditVerify failure due to line breaks

This patch normalizes the CONFIG_ROLE audit event params to eliminate line breaks
in audit entry from running pki ca-user-cert-add which would cause AuditVerify
to fail. (note: adding user cert via the java console does not have such issue)

fixes https://pagure.io/dogtagpki/issue/3003

Change-Id: Iac60089349e78755ff94ce3231ee294ce8668f72

- - - - -
0c1ddc42 by Endi S. Dewata at 2018-06-26T19:08:30Z
Added generics for Vectors

Change-Id: Ic4016c09efe7b71cf84193aea3b426675d3bc1f6

- - - - -
1288df31 by Endi S. Dewata at 2018-06-26T20:36:01Z
Added support for pre-release phases

The build script and spec templates have been modified to support
pre-release phases (e.g. a1, b2).

Change-Id: I8410126d280fa8958e12e86faaf92ed35bd37c80

- - - - -
f2caa294 by Endi S. Dewata at 2018-06-26T21:46:24Z
Removed unused private methods

Change-Id: Ib2f970c24da7c3219a0fd7df868285eafb9afaae

- - - - -
ca0919b9 by Endi S. Dewata at 2018-06-26T23:17:31Z
Added support for custom spec file

The build script has been modified to provide an option to use
a custom spec file.

Change-Id: I2188430ad3fac32638f3fa06ccc1caccd6367a05

- - - - -
9c8e15e2 by Endi S. Dewata at 2018-06-26T23:32:32Z
Updated version number to 10.6.3

Change-Id: Iabcca3c2c5b71ebd4921c8a6935243dbfe5a23c4

- - - - -
f917433f by Christina Fu at 2018-06-26T23:47:42Z
Ticket 2992 CMC Simple request profiles and CMCResponse to support simple response

This patch fixes the broken profiles resulting from https://pagure.io/dogtagpki/issue/3018.

In addition, CMCResponse has been improved to handle CMC simple response.

fixes https://pagure.io/dogtagpki/issue/2992

Change-Id: If72aa08f044c96e4e5bd5ed98512d2936fe0d50a

- - - - -
baf67e4a by Endi S. Dewata at 2018-06-27T15:05:19Z
Updated build process in Travis CI

The Travis CI configuration has been modified to use the build.sh
instead of the compose scripts to build PKI packages.

Change-Id: I886cbc76b1312d8566ef6a83f30672abf7fdbdfe

- - - - -
02f186a0 by Endi S. Dewata at 2018-06-27T17:30:03Z
Cleaned up spec templates

The spec templates have been modified to work properly on all
supported platforms.

Change-Id: I86ecac418fcf7d835534a0f52668643e48d46b1a

- - - - -
2308efef by Endi S. Dewata at 2018-06-27T18:21:05Z
Updated build script

The build script has been modified to keep the original macros
before substitution for clarity.

Change-Id: I2c59e4084b478b634f3c5ea3a082c27845207e88

- - - - -
c0584406 by Endi S. Dewata at 2018-06-27T20:08:30Z
Updated spec template to support branding

The spec template has been modified to generate theme and meta
packages that match the spec file name to support branding.

Change-Id: Iea9f483b5082df09bd71920f9a1e91bc747e4750

- - - - -
c68b42ce by Endi S. Dewata at 2018-06-27T21:44:48Z
Cleaned up conditional macros

The conditional macros in pki.spec.in have been cleaned up for
consistency.

Change-Id: I760f28957de20967052b36456b515bca047d9491

- - - - -
174bf99d by Endi S. Dewata at 2018-06-27T22:39:36Z
Synchronized spec template changes

The changes in pki.spec.in have been synchronized into
pki-core.spec.in and dogtag-pki.spec.in.

Change-Id: Id413f03f4de94abb48eea0fa25f592cb633abfa7

- - - - -
11fa1e2c by John Morris at 2018-06-28T00:45:23Z
server deployment:  don't fail if /proc/sys/crypto/fips_enabled absent

Running `sysctl crypto.fips_enabled -bn` on a system where
`/proc/sys/crypto/fips_enabled` doesn't exist needlessly raises an
exception.

This patch checks if that file is absent and returns gracefully if so.

Fixes #3039.

- - - - -
eedf40c1 by Amol Kahat at 2018-06-28T00:55:43Z
Added man pages. (#14)

* Documented --renewal option in pki cert man page.

Pagure issue: 2900
BZ: 1532579

Signed-off-by: Amol Kahat <akahat at redhat.com>

* Added pki-server ca, kra, ocsp, tks, tps man pages.

Signed-off-by: Amol Kahat <akahat at redhat.com>

* Added man page documentation for:

pki-server <subsystem>-audit-event-enable
pki-server <subsystem>-audit-event-modify
pki-server <subsystem>-audit-event-disable

Signed-off-by: Amol Kahat <akahat at redhat.com>

- - - - -
9a8e54ab by Christina Fu at 2018-06-28T01:20:47Z
Ticket #2959 Address pkispawn ECC profile overrides

This patch enables proper ECC profiles to be automatically applied during
pkispawn.

This patch would eliminate the need for the workaround documented here:
http://www.dogtagpki.org/wiki/PKI_10.5_Pkispawn_ECC_Profile_Workaround

The idea is to use the % replacement strings as part of the profile names
in the default.cfg file for pkispawn,
and change the profile names to match the format. So for example:

%(pki_admin_key_type)AdminCert.profile

would either be translated to rsaAdminCert.profile or eccAdminCert.profile
depending on the value in pki_admin_key_type

fixes https://pagure.io/dogtagpki/issue/2959

Change-Id: I9a9f70e415438e0b4130294abb725c74fd6e1b95

- - - - -
dfc71ca3 by Endi S. Dewata at 2018-06-28T19:31:42Z
Fixed Python-related macros

The spec templates have been modified to evaluate Python-related
macros (i.e. with_python2, with_python3, and with_python3_default)
properly.

Change-Id: Ifc4d3194f2d9fbca8ccb5a6e3ef6088fb22ba421

- - - - -
e4dd55d1 by Christina Fu at 2018-06-28T22:41:55Z
Ticket 2865 X500Name.directoryStringEncodingOrder overridden by CSR encoding

This patch allows profile to have control over whether to override the subjectDN
encoding in the CSR with the encoding set by the system.

New parameter in profile:
policyset.<policy set>.<#>.default.params.useSysEncoding=true

where "true" means to override the subjectdn with the system default order or
the order set by X500Name.directoryStringEncodingOrder in CS.cfg

by default, without useSysEncoding in profile, it is treated as false.

fixes https://pagure.io/dogtagpki/issue/2865

Change-Id: I41f8f5371f26668909624f056a77ffbf66f0f5e1

- - - - -
43bc63dd by Endi S. Dewata at 2018-06-29T02:00:17Z
Added pki pkcs11-cert-show and pki pkcs11-key-show

New CLIs have been added to show the details of a cert/key in
a PKCS #11 token.

Change-Id: I85fff753ef1d57195d63c95d15d21eac07997989

- - - - -
0c0fe02d by Endi S. Dewata at 2018-06-29T02:00:17Z
Added pki pkcs11-cert-del and pki pkcs11-key-del

New CLIs have been added to remove a cert/key from a PKCS #11
token.

Change-Id: I089c36855f0f74d3be26461618ec6912d3d41c1d

- - - - -
e6347753 by Amol Kahat at 2018-07-02T20:13:53Z
Added CLI for enable/disable audit signing.

Change-Id: I9320e9ecd1081d60fd1673d408558ef1603e8655
Signed-off-by: Amol Kahat <akahat at redhat.com>

- - - - -
1becf0cc by Endi S. Dewata at 2018-07-03T18:02:45Z
Added support for custom package name

The build.sh has been modified to support custom package name
which will be used to create the working directory and as the
spec file name. The source tarball and patch file generated by
build.sh will continue to use pki- prefix to match the upstream
project name.

Change-Id: I1c2aa09240f0ac56319fc1e40a0113a998987e75

- - - - -
f674d2e2 by Endi S. Dewata at 2018-07-03T18:02:45Z
Merged PKI source packages

Currently PKI uses four source packages on Fedora: pki-core,
pki-console, dogtag-pki-theme, and dogtag-pki. To simplify
maintenance the console and theme source packages have been
merged into the other source packages.

The pki-core.spec.in has been replaced with pki.spec.in that has
been customized with the following command:

 $ ./build.sh \
     --name=pki-core \
     --with-pkgs=base,server,ca,kra,ocsp,tks,tps,javadoc,console,debug \
     spec

The new spec will generate all binary packages except the theme
and meta packages.

The dogtag-pki.spec.in has been replaced with pki.spec.in that has
been customized with the following command:

 $ ./build.sh \
     --name=dogtag-pki \
     --with-pkgs=theme,meta,debug \
     spec

The new spec will only generate the theme and meta packages.

The compose script for the meta package has also been modified
to generate a source tarball for the theme packages.

https://pagure.io/dogtagpki/issue/2978

Change-Id: Iecb23c006c91caad3ed504c2d370989dc9769351

- - - - -
4bb50eb2 by Endi S. Dewata at 2018-07-05T21:35:17Z
Updated references to CertificateUsage

Change-Id: I2dcd2695d096897cefe37d8d01987b6cb442a22d

- - - - -
cf097374 by Endi S. Dewata at 2018-07-05T21:35:56Z
Updated references to NotInitializedException

Change-Id: I61c4dbb278474d9a4fd668ffa1edffce4bcf41a2

- - - - -
b815c8b9 by Endi S. Dewata at 2018-07-05T21:36:57Z
Updated references to NicknameConflictException

Change-Id: I75d44a5cd1302629dcee434774550ddeb90ed38b

- - - - -
63848823 by Endi S. Dewata at 2018-07-05T21:36:58Z
Updated references to UserCertConflictException

Change-Id: I7057ed7223d5135f893bde83502ef23407df221c

- - - - -
c5b25878 by Endi S. Dewata at 2018-07-05T21:36:58Z
Updated references to InitializationValues

Change-Id: I5c926e0fff84e6b89618fc32d480fb0f775aa634

- - - - -
f36cf6c0 by Endi S. Dewata at 2018-07-05T21:36:59Z
Updated spec templates

The spec templates have been updated to require the latest JSS
and TomcatJSS.

Change-Id: I35c61e0e806b25e48de8370603656ca6abd3b0ae

- - - - -
c03b1d77 by gkapoor at 2018-07-06T14:36:06Z
Added ExternalCA Automation for dogtag, openssl and nssdb.

Change-Id: I72ed48122ef93d903b7014b296c95d44d741c046
Signed-off-by: gkapoor <gkapoor at redhat.com>

- - - - -
3ec850bc by Christina Fu at 2018-07-12T21:15:59Z
Bugzilla 1548203 LDAP password from console update in audit

This patch replaces LDAP passwords with "(sensitive)" in the audit log.

fixes https://bugzilla.redhat.com/show_bug.cgi?id=1548203

Change-Id: I6271ec1da4164f731dd3a61534b0e511097a845a

- - - - -
0329387a by bbhavsar at 2018-07-13T15:56:18Z
added .gitlab-ci.yml and some changes for fedora28

Change-Id: Iac74cd48216bb3b951a85bcfdfec8f773b24f8c3
Signed-off-by: bbhavsar <bbhavsar at redhat.com>

- - - - -
bf36dcb7 by Endi S. Dewata at 2018-07-21T01:09:39Z
Fixed pylint issues

Change-Id: I0a0707d5b4be97f95fa10e5a5b6b7c9da03aaf11

- - - - -
c2c4f6fa by Endi S. Dewata at 2018-07-21T02:38:02Z
Fixed SLF4J dependency

Change-Id: Ic83a0f201825220a49e4fc2af0c58b0ce7013710

- - - - -
521099ea by Endi S. Dewata at 2018-07-21T02:38:31Z
Updated version number to 10.6.4

The JSS and TomcatJSS dependencies have been updated. The unused
spec templates and build scripts have been removed.

Change-Id: I81ddc3835610aa3c35cea60863c928c7211efcc0

- - - - -
e11b24fb by Endi S. Dewata at 2018-07-25T02:01:05Z
Updated Eclipse classpath

Change-Id: I1d741af7b46cc60008c4d45b6847ca16dc0c4231

- - - - -
d7e1ecab by bbhavsar at 2018-07-26T11:49:18Z
fix for password file for certutil

Change-Id: Ia321c4fd3bae593a091c102b08f28f8f87b22423
Signed-off-by: bbhavsar <bbhavsar at redhat.com>

- - - - -
70094107 by bbhavsar at 2018-07-26T14:48:54Z
Added installation sanity job in gitlab-ci

Change-Id: Id5d5db6c30a2f3671e6a2f1433e227bdd60f47d4

- - - - -
accb6bba by Fraser Tweedale at 2018-07-26T15:22:14Z
Merge remote-tracking branch 'gerrit/master'

Change-Id: Ic88d84a89c8fa2512cd14be2e72597e2bc75bc8d

- - - - -
588fe37f by Roshni Pattath at 2018-07-26T21:05:29Z
Automation of BZ 1523410 and 1534030

Change-Id: I2f78c2bc1458c15cfaf53c35a87541daf53c0bf6

- - - - -
c87d7820 by Jack Magne at 2018-07-27T23:05:53Z
Test fix for TPS server side key gen for only identity cert problem.

Change-Id: I15fc1b8a3fa92568aca853f0e89b9e87bbad463d

- - - - -
724866d2 by Endi S. Dewata at 2018-07-31T22:45:36Z
Getting version number from installed Tomcat

The spec template has been modified to get the Tomcat version
from the installed Tomcat instead of pre-defined constant. This
allows PKI to be built with non-standard Tomcat package.

Change-Id: I50ca2209180854f0cbc916ba373efd3f06263f42

- - - - -
26093834 by Christina Fu at 2018-08-01T17:44:48Z
Bug 1601071 Certificate generation happens with partial attributes in CMCRequest file

This patch addresses the issue where when a cmcSelfSigned profile is used
in a cmcUserSigned case, the certificate is issued.
A new authToken variable TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT has
been introduced for shared token case so that the TOKEN_AUTHENTICATED_CERT_SUBJECT can be used for user-signed case.
A new constraint CMCSelfSignedSubjectNameConstraint has been introduced
to verify.
In addition, all profiles that authenticate through CMCUserSignedAuth are
turned off by default to allow site administrators to make a conscious decision
on their own for these features.
Also, audit event CERT_STATUS_CHANGE_REQUEST_PROCESSED is now enabled by default.

Change-Id: I8405b2e83f7ea3e3da98164cbc87762cdfa7475f

- - - - -
efe9bf15 by Christina Fu at 2018-08-01T22:22:03Z
Bug 1593805  Better understanding of NSS_USE_DECODED_CKA_EC_POINT for ECC

This patch removes the outdated reference to EC environment variable
NSS_USE_DECODED_CKA_EC_POINT for ECC in the HttpClient command line usage.

More info in the usage is updated as well for correctness and clarity.

Change-Id: I60fc56eee1e94c73f401a5d46ea3ea9f1aa0a4c0

- - - - -
8147769f by Alexander Bokovoy at 2018-08-02T07:29:43Z
ReplicationUtil: support new format for nsds5replicaLastInitStatus value

pkispawn is reading the attribute nsds5replicaLastInitStatus in
cn=masterAgreement1-$hostname-pki-tomcat,cn=replica,cn=o\3Dipaca,cn=mapping
tree,cn=config in order to find the replication status.  The new format
(in 389-ds-base-1.3.7) for this attribute is "Error (0) Total update
succeeded" but pkispawn is expecting "0 Total update succeeded"

389-ds-base introduced this change with https://pagure.io/389-ds-base/issue/49599

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1596629

- - - - -
2bb0624f by Endi S. Dewata at 2018-08-03T16:21:53Z
Cleaned up IPA test

The ipa-test.sh has been modified to remove the redundant
--developer-mode option for ipa-docker-test-runner.

The ipa-test.yaml has been modified to remove the redundant
--setup-dns option for ipa-server-install.

The curl commands have been moved from ipa-test.yaml to
ipa-test.sh such that the ipa-docker-test-runner can be
run locally without uploading the logs.

Change-Id: Iefb3ae0097632bccf06e2ee57b0b67c9be445a5e

- - - - -
94f28d4d by Christina Fu at 2018-08-03T18:15:40Z
Bug1608375 - CMC Revocations throws exception with same reqIssuer & certissuer

This patch resolves the possible encoding mismatch between the actual CA cert
and the X500Name gleaned from the CMC revocation request.

Change-Id: I220f5d656a69c90fa02ba38fa21b069ed7d15a9d

- - - - -
dfa1b02a by Fraser Tweedale at 2018-08-06T14:47:48Z
CLI: avoid improper escaping of profile config

Profile configuration in the `pki ca-profile` CLI is currently
handled using java.util.Properties.  This class eagerly escapes some
characters in values (e.g. ':'), resulting in incorrect or broken
profile configurations.

This issue is similar to https://pagure.io/dogtagpki/issue/2909,
which was resolved in e634316eb7f2aedc65fe528fb572b15e1bdc1eb2.

Handle the profile configurations as byte[], only converting to
Properties for high-level syntax validation and inspecting fields
like 'profileId' and 'enabled'.

Fixes: https://pagure.io/dogtagpki/issue/3029
Change-Id: I3446e2a5dd47e597989441b5d498e6321338caab

- - - - -
e4da86f9 by Endi S. Dewata at 2018-08-06T15:39:02Z
Updated version number to 10.6.5

Change-Id: I5147424819c1d6684a53ebc3b18032ccc1a26aa6

- - - - -
a96aefb6 by Endi S. Dewata at 2018-08-06T19:03:28Z
Cleaned up server.xml

An upgrade script has been added to clean up upgraded server.xml
such that it is more consistent with newly created server.xml.

Change-Id: I674f59ade5e22de2472c249885992a2d33a0c437

- - - - -
5ad1607a by Endi S. Dewata at 2018-08-06T19:51:16Z
Removed PKI_AGENT_CLIENTAUTH parameter

The PKI_AGENT_CLIENTAUTH parameter is not customizable so it has
been replaced with the actual value.

Change-Id: Id6026615a11abfb9e8ec41687c82eab0fef9bdb0

- - - - -
0e96c701 by Endi S. Dewata at 2018-08-06T19:51:43Z
Removed unused parameters

Change-Id: I64e40798be9cb62e2db0d1fdbdbb49a99ba7e039

- - - - -
e08209ad by Endi S. Dewata at 2018-08-06T22:47:35Z
Added SSLHostConfig for Tomcat 8.5

The server.xml for Tomcat 8.5 has been modified to use the new
SSLHostConfig. The migration tool has been modified to move some
attributes from Connector to SSLHostConfig.

Change-Id: I60e3d967a530e794877dd11fe052debe314412e4

- - - - -
9c11419d by Endi S. Dewata at 2018-08-08T03:09:25Z
Updated JSS and TomcatJSS dependencies

Change-Id: Ie5acde9e5afb26abacf3aa36dad3c2cc10dcaab5

- - - - -
e550502e by Endi S. Dewata at 2018-08-08T03:09:48Z
Removed unused spec files

Change-Id: Ibf31a1fe80dac1a5262c29281a7ffdd4f6fa92c8

- - - - -
7c937639 by Alexander Bokovoy at 2018-08-08T16:42:58Z
Do not override system-wide crypto policy

System-wide crypto policy may dictate use of TLS 1.3. Instead of
overriding existing crypto policy, bound our requirements by the system
policy itself.

Note that both jss and pki-core define SSLVersion class which Java
compilers see as two different classes. As a result, we have to convert
via integer values (getMinEnum() / getMaxEnum()) between them at the
moment.

- - - - -
9a367fe8 by Alexander Bokovoy at 2018-08-08T16:43:02Z
Add TLS 1.3 ciphers

- - - - -
10501872 by Dinesh Prasanth M K at 2018-08-09T14:42:32Z
Adding build status icon (#28)

Build status icon is loaded from https://travis-ci.org/dogtagpki/pki-nightly-test

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>
- - - - -
07a82189 by Christina Fu at 2018-08-10T00:24:41Z
Ticket #3041 Enable all config audit events

This patch enables the audit events concerning role actions (mostly config)
by default.

Two additional minor issues are also addressed:
1. keyType typos in the two profiles: caDirUserCert and caECDirUserCert
   (bugzilla #1610718)
2. removing unrecommended signing algorithms

fixes: https://pagure.io/dogtagpki/issue/3041
Change-Id: I795e8437e66b59f343044eb8a974b2dd0b95ad6d

- - - - -
df287935 by Endi S. Dewata at 2018-08-10T23:15:40Z
Moved Dogtag theme into themes folder

Change-Id: I1f577d670b505723bda9cc9dd331e87cb71f65d5

- - - - -
9c4788ad by Christina Fu at 2018-08-11T01:52:05Z
Ticket #2481 ECC keys not supported for signing audit logs

This patch adds support for ECC audit log signing key.
All enrollment profiles for audit signing certificate are updated to allow that.

fixes https://pagure.io/dogtagpki/issue/2481

Change-Id: I3785365b152690f57c3904c15dfa7b2999048930

- - - - -
01e440db by Endi S. Dewata at 2018-08-11T02:57:46Z
Removed outdated Provides/Obsoletes/Conflicts

Change-Id: I1da6dce362b38a57b21ebef856f52530340c0201

- - - - -
41682a78 by Endi S. Dewata at 2018-08-11T03:01:45Z
Added RPM macro for branding

An RPM macro has been added to define the prefix of the meta
and theme packages and to define theme folder name.

Change-Id: I7b989955ecdf5750edd19302ca15b1879ac4a1ad

- - - - -
6e9f59bb by Endi S. Dewata at 2018-08-11T03:04:38Z
Removed cipher map in CryptoUtil

The code that translates cipher name into cipher ID using a map
in CryptoUtil has been replaced with SSLCipher.valueOf().

Change-Id: I8506bd1b5e20ecf249eed23ded41348d55b5991b

- - - - -
425c5da4 by Endi S. Dewata at 2018-08-11T03:22:05Z
Cleaned up cipher array in JssSubsystem

The array of integer cipher IDs in JssSubsystem has been
replaced with array of SSLCiphers.

Change-Id: I221eaf963b6491ea0c5325a95759d48e883f0c65

- - - - -
915816c9 by Endi S. Dewata at 2018-08-11T04:01:57Z
Refactored CMake variables for theme

The BUILD_DOGTAG_PKI_THEME and BUILD_REDHAT_PKI_THEME variables
have been replaced with a single THEME variable. If not specified,
it will default to "dogtag". If it's empty, the theme packages
will not be built. If it's not empty, the theme packages will be
built with the specified theme.

Change-Id: I913fa670a41795da61746c2acddac981c2f84a84

- - - - -
1043ebd3 by Endi S. Dewata at 2018-08-13T15:58:04Z
Removed redundant %defattr directives

Change-Id: I9199974de6fd3c52d7d891d298c9a0d2f369b5a7

- - - - -
1aee1b8f by Endi S. Dewata at 2018-08-13T17:27:11Z
Fixed meta package

The spec template has been modified such that it generates
dogtag-pki meta package properly regardless of the name of the
spec file.

Change-Id: I7de3246b97de971cebdddd1be00556ce37a22167

- - - - -
82e89a7d by Endi S. Dewata at 2018-08-13T18:20:05Z
Moved pki.spec.in

The pki.spec.in has been moved into the top-level directory and
renamed into pki.spec for consistency with other projects.

Change-Id: I90c8fa3cbc955ce9eadcfb101c1f029e7f782c31

- - - - -
3cc549b2 by Endi S. Dewata at 2018-08-13T23:33:33Z
Updated version number to 10.6.6

The RPM spec template has been modified to update jss, tomcatjss,
and ldapjdk dependencies, also to remove redundant dependencies.

Change-Id: I1b0e066965697e28a2b7b1e9676f692146fe2f86

- - - - -


30 changed files:

- .classpath
- .gitignore
- .travis.yml
- − .travis/20-install-rpms
- − .travis/40-spawn-ca
- − .travis/50-spawn-kra
- − .travis/99-destroy
- − .travis/py3rewrite
- CMakeLists.txt
- COPYING → LICENSE
- − README
- + README.md
- base/CMakeLists.txt
- base/ca/CMakeLists.txt
- base/ca/functional/src/com/netscape/cms/servlet/test/CATest.java
- base/ca/shared/conf/CS.cfg
- + base/ca/shared/conf/ECadminCert.profile
- + base/ca/shared/conf/ECserverCert.profile
- + base/ca/shared/conf/ECsubsystemCert.profile
- + base/ca/shared/conf/eccAdminCert.profile
- + base/ca/shared/conf/eccServerCert.profile
- + base/ca/shared/conf/eccSubsystemCert.profile
- − base/ca/shared/conf/jk2.manifest
- − base/ca/shared/conf/jk2.properties
- − base/ca/shared/conf/jkconf.ant.xml
- − base/ca/shared/conf/jkconfig.manifest
- base/ca/shared/conf/registry.cfg
- base/ca/shared/conf/adminCert.profile → base/ca/shared/conf/rsaAdminCert.profile
- base/ca/shared/conf/serverCert.profile → base/ca/shared/conf/rsaServerCert.profile
- base/ca/shared/conf/subsystemCert.profile → base/ca/shared/conf/rsaSubsystemCert.profile


The diff was not included because it is too large.


View it on GitLab: https://salsa.debian.org/freeipa-team/dogtag-pki/compare/5f11c35787f97f64dcaaeb03f56e120a78aacede...3cc549b2a6ced0c6ae54369f22e52d79667a7a1a
