[Pkg-freeipa-devel] [Git][freeipa-team/dogtag-pki][master] 150 commits: added tests for few bugzillas, tps-config, tps-activity CLIs and added .ide directory to .gitignore
Timo Aaltonen
gitlab at salsa.debian.org
Tue Oct 9 20:47:49 BST 2018
Timo Aaltonen pushed to branch master at FreeIPA packaging / dogtag-pki
Commits:
a5fbfe8e by Sumedh Sidhaye at 2018-08-15T13:10:24Z
added tests for few bugzillas, tps-config, tps-activity CLIs and added .ide directory to .gitignore
Signed-off-by: Sumedh Sidhaye <ssidhaye at sumedhs.englab.pnq.redhat.com>
- - - - -
121017d3 by Sumedh Sidhaye at 2018-08-15T13:56:38Z
added CI jobs for tps-config, tps-activity and ca-bugzillas
Signed-off-by: Sumedh Sidhaye <ssidhaye at sumedhs.englab.pnq.redhat.com>
- - - - -
e469e669 by Sumedh Sidhaye at 2018-08-15T14:42:55Z
added BZ-1465103 automation and CI job
Signed-off-by: Sumedh Sidhaye <ssidhaye at sumedhs.englab.pnq.redhat.com>
- - - - -
f28ab22c by Sumedh Sidhaye at 2018-08-16T12:55:36Z
removed references from Requirement doc string
Signed-off-by: Sumedh Sidhaye <ssidhaye at sumedhs.englab.pnq.redhat.com>
- - - - -
25f3f07b by Endi S. Dewata at 2018-08-18T02:28:05Z
Removed redundant ConfigurationResponse.status
The ConfigurationResponse.status field has been removed since it
does not provide useful information. If the configuration fails
the error will be returned as HTTP response instead of via
ConfigurationResponse object.
Change-Id: I7f300b2e3d3b5cd93a9e5ff9adafaa4a4c1e1fcb
- - - - -
2671e91a by Endi S. Dewata at 2018-08-18T02:29:48Z
Refactored SystemConfigService.finalizeConfiguration() (part 1)
The SystemConfigService.finalizeConfiguration() has been modified
such that it only contains the finalization and cleanup steps of
the configuration process.
Change-Id: I4aafde2fc07de8621b91e71d9afc65b88f893b52
- - - - -
fa7f1440 by Endi S. Dewata at 2018-08-18T02:30:22Z
Refactored SystemConfigService.finalizeConfiguration() (part 2)
The SystemConfigService.finalizeConfiguration() has been modified
such that it will be called separately by the client.
Change-Id: Ica59791fad1e6001566345a18e2bdd45311cab21
- - - - -
86af43d8 by Endi S. Dewata at 2018-08-18T02:41:37Z
Refactored SystemConfigService.setupDatabaseUser()
The code that sets up database user has been moved into
SystemConfigService.setupDatabaseUser() which will be
called separately by the client.
Change-Id: Ie0e969ac69cf8a4d3760580e9ff5feeb04a9c426
- - - - -
4d2034b3 by Endi S. Dewata at 2018-08-18T03:08:52Z
Refactored SystemConfigService.setupSecurityDomain()
The code that sets up security domain has been moved into
SystemConfigService.setupSecurityDomain() which will be
called separately by the client.
Change-Id: I1521d0776c80f7984e761647412a0e01b16db6a9
- - - - -
e841dc9e by aakkiang at 2018-08-19T21:41:49Z
Merge pull request #30 from ssidhaye/add-downstream-tests-to-upstream
added tests for few bugzillas, tps-config, tps-activity CLIs and added .idea directory to .gitignore
- - - - -
2758de12 by Amol Kahat at 2018-08-20T14:27:54Z
Added ca auth plugins job.
Signed-off-by: Amol Kahat <akahat at redhat.com>
- - - - -
b307ed3c by Amol Kahat at 2018-08-20T14:28:57Z
Added pytest-ansible automation of pki securitydomain cli.
Signed-off-by: Amol Kahat <akahat at redhat.com>
- - - - -
02abea43 by Amol Kahat at 2018-08-20T14:28:57Z
Modified docstrings in the test_securitydomain.py file.
Signed-off-by: Amol Kahat <akahat at redhat.com>
- - - - -
d7960b0f by Amol Kahat at 2018-08-20T14:29:38Z
Added job for securitydomain in .gitlab-ci.yml file.
Signed-off-by: Amol Kahat <akahat at redhat.com>
- - - - -
d7976407 by Amol Kahat at 2018-08-20T14:29:39Z
Added template in .gitlab-ci.yml file.
Modified the jobs in the .gitlab-ci.yaml file.
Signed-off-by: Amol Kahat <akahat at redhat.com>
- - - - -
916d9bb8 by Endi S. Dewata at 2018-08-20T16:08:28Z
Removed redundant ConfigurationUtils.loginToken()
The ConfigurationUtils.loginToken() has been removed since token
authentication has been done earlier by TomcatJSS during startup.
The SystemConfigService.loginToken() has been renamed into
configureToken().
Change-Id: I5f9ed906cabb4953c198942a0834f8ac063c0ec9
- - - - -
3eb5e9e4 by aakkiang at 2018-08-20T19:43:44Z
Merge pull request #27 from amolkahat/securitydomain
Added pytest-ansible automation of `pki securitydomain` cli.
- - - - -
f7851b52 by aakkiang at 2018-08-20T19:51:03Z
Merge pull request #29 from amolkahat/minor_canges
Added ca auth plugins job.
- - - - -
f8c9566b by Endi S. Dewata at 2018-08-20T20:01:17Z
Fixed admin cert encoding for external KRA/OCSP installation
The ConfigClient.set_admin_parameters() has been modified to
export the admin certificate as text such that it can be encoded
properly in JSON request.
https://pagure.io/dogtagpki/issue/3052
Change-Id: Ib76e7dd1e0e88d88c3de84a06e3a9c31f0e7402b
- - - - -
13dfbee7 by Amol Kahat at 2018-08-20T20:01:52Z
Added automation of pki pkcs12 CLI
Signed-off-by: Amol Kahat <akahat at redhat.com>
- - - - -
38565440 by Jack Magne at 2018-08-20T23:21:08Z
Coverity "important" fixes for pki-core.
Ticket #1719 Coverity Issues: pki-core https://pagure.io/dogtagpki/issue/1719.
Change-Id: I630ffe32125b5c90fe36ffe81504a96405853fd3
- - - - -
c1c2ff7a by bhavikbhavsar at 2018-08-21T06:56:58Z
Merge pull request #31 from amolkahat/pkcs12
Added automation of pki pkcs12 CLI
- - - - -
a367a974 by bbhavsar at 2018-08-21T17:36:53Z
fix ldap create - use dscreate cli new python implementation instead of setup-ds.pl
Signed-off-by: bbhavsar <bbhavsar at redhat.com>
- - - - -
274af0c7 by aakkiang at 2018-08-21T18:11:07Z
Merge pull request #32 from bhavikbhavsar/fix_ldap_create
fix for ldap create using dscreate cli replacement for setup-ds.pl
- - - - -
970bdb56 by Endi S. Dewata at 2018-08-21T20:32:56Z
Fixed admin cert format in configuration response
The SystemConfigService has been modified to return base64-encoded admin
cert in a single line for consistency.
Change-Id: I43d3b55a8a0b786c7f5ad784ffcc6df42864b447
- - - - -
3e39237a by Endi S. Dewata at 2018-08-22T21:02:22Z
Updated pki.nssdb to support multiple CSR delimiters types
The pki.nssdb module has been modified to support both standard
and legacy CSR delimiters as defined in RFC 7468.
Change-Id: I609d640a66357f5293ff3a565027c1a395a47db7
- - - - -
de81164a by Endi S. Dewata at 2018-08-22T21:02:34Z
Removed default CSR paths
The default.cfg has been modified to remove default CSR paths.
The code that validates the configuration file has been modified
to no longer require CSR path parameters.
https://pagure.io/dogtagpki/issue/3053
Change-Id: Idef6849b8bd7ee00d13151e0de10357a1f1d9ef2
- - - - -
c1d00aae by Endi S. Dewata at 2018-08-22T21:02:39Z
Added support installing KRA/OCSP with existing CSRs
The installation code has been modified to import existing CSRs
for KRA and OCSP system certificates if provided.
https://pagure.io/dogtagpki/issue/3053
Change-Id: Ic6a7a462bf07f2ca07275a01fc04b8d194005188
- - - - -
247a75f7 by Endi S. Dewata at 2018-08-23T02:59:01Z
Fixed installation summary
The pkispawn has been modified to display the proper message
in case the key and CSR generation has been disabled.
https://pagure.io/dogtagpki/issue/3053
Change-Id: Ibd0ae62c88c2b10520231de3e485e305c715218c
- - - - -
3b4896a9 by bbhavsar at 2018-08-27T12:35:56Z
Added pexpect python module for pytest-ansible
Signed-off-by: bbhavsar <bbhavsar at redhat.com>
- - - - -
2b006edb by Amol Kahat at 2018-08-27T13:03:36Z
Merge pull request #34 from bhavikbhavsar/banner-fix-01
Added pexpect python module for pytest-ansible
- - - - -
477b5ef8 by Endi S. Dewata at 2018-08-27T14:20:22Z
Fixed pki client-cert-import to accept PKCS #7 CA cert chain
The pki client-cert-import has been modified to support importing
CA cert chain in PKCS #7 format.
The Cert.parseCertificate() has been modified to parse PKCS #7
cert chain properly.
https://pagure.io/dogtagpki/issue/3053
Change-Id: Ibeffcfa4915638df7b13a0cb6deb8c4afc775ca1
- - - - -
4cb83960 by Endi S. Dewata at 2018-08-27T19:22:58Z
Fixed NSSDatabase.add_cert()
The NSSDatabase.add_cert() has been modified to accept both single
certificates and PKCS #7 certificate chains in PEM format.
https://pagure.io/dogtagpki/issue/3053
Change-Id: Ie05594fb308e51df8a1a0070961b83161ee6421b
- - - - -
ff41ed71 by Endi S. Dewata at 2018-08-27T21:19:26Z
Added docs for installation with custom keys
https://pagure.io/dogtagpki/issue/3053
Change-Id: I8f8fdbb7cc1888092bd7ba686a626137113ed2d5
- - - - -
2a989e0c by Endi S. Dewata at 2018-08-27T21:34:17Z
Fixed links in KRA and OCSP docs
https://pagure.io/dogtagpki/issue/3053
Change-Id: I4da552b288a6b9805f7caedf30a40a3221dccdc0
- - - - -
5bb91c78 by Endi S. Dewata at 2018-08-28T00:30:23Z
Renamed CA, KRA, OCSP docs
https://pagure.io/dogtagpki/issue/3053
Change-Id: I1921fd9b4e490b5b6de04eb746def27df46cce93
- - - - -
d6dc95b4 by Amol Kahat at 2018-08-28T07:31:55Z
Changed installation config file.
changes in configuration param:
- pki_ssl_server_* -> pki_sslserver_*
Signed-off-by: Amol Kahat <akahat at redhat.com>
- - - - -
af626954 by Timo Aaltonen at 2018-08-28T15:01:32Z
server.postinst: Server migration has been moved to the systemd unit/initfile, drop it from here.
- - - - -
3af26a54 by Endi S. Dewata at 2018-08-29T01:53:52Z
Fixed import_system_cert()
The import_system_cert() has been modified not to fail
if certificate path is missing since the certificate can
also be provided via a PKCS #12 file.
https://pagure.io/dogtagpki/issue/3053
Change-Id: I64804502fc654c93dbd5f6569b2c8a433746b4a1
- - - - -
d10cb176 by Endi S. Dewata at 2018-08-29T01:53:58Z
Added inline comments for clarity
Change-Id: I8421203cece18f0ae9810e451a269804e67efe37
- - - - -
a12dea71 by Endi S. Dewata at 2018-08-29T01:54:08Z
Cleaned up log messages
Change-Id: Ife1b84333b437959bb5259402cc95a98db581ffa
- - - - -
8972b2a3 by Sumedh Sidhaye at 2018-08-29T07:17:00Z
push downstream common library changes to upstream
Signed-off-by: Sumedh Sidhaye <ssidhaye at sumedhs.englab.pnq.redhat.com>
- - - - -
a72c2bdf by Amol Kahat at 2018-08-29T07:50:59Z
Merge pull request #38 from ssidhaye/role-user-creation-changes
push downstream common library changes to upstream
- - - - -
5d20a86f by Dinesh Prasanth M K at 2018-08-30T01:45:53Z
Fixed the space in the token-label (#35)
* password.conf included an unintended '=' if
a space is present in the token label.
* Syncing password parser with python code
* Charset is set to default
* jUnit for PlainPasswordFile added
https://pagure.io/dogtagpki/issue/3054
Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>
- - - - -
6f7c0a53 by Endi S. Dewata at 2018-08-30T03:13:11Z
Removed unused imports
Change-Id: I18a61caf4a95bae8a5b8fe6e65374222c9583fa4
- - - - -
ae857117 by Endi S. Dewata at 2018-08-30T03:15:37Z
Removed unused private variables
Various classes have been modified to remove unused private
variables as reported by Eclipse.
Change-Id: I4b8ab572f592542ef03da4fcafa4f67ea67518fe
- - - - -
60de49b1 by Amol Kahat at 2018-08-30T07:26:25Z
Added pki-server ca, kra, ocsp cli jobs.
Signed-off-by: Amol Kahat <akahat at redhat.com>
- - - - -
b8d6c6ce by Amol Kahat at 2018-08-30T07:26:25Z
Added pytest-ansible automation of following CLI:
- pki-server db-*
- pki-server instance-*
- pki-server migrate
- pki-server subsystem-*
Signed-off-by: Amol Kahat <akahat at redhat.com>
- - - - -
15c341f3 by Amol Kahat at 2018-08-30T07:26:25Z
Added pki-server cli automation Job.
Modified pki-pkcs12 cli automation Job.
Signed-off-by: Amol Kahat <akahat at redhat.com>
- - - - -
b29fbe0b by Amol Kahat at 2018-08-30T07:26:25Z
Fixed pipeline failures in the .gitlab-ci.yml file.
Signed-off-by: Amol Kahat <akahat at redhat.com>
- - - - -
f58f41ae by Amol Kahat at 2018-08-30T07:26:25Z
Added NSSDB variable in the constants file.
Modified jobs in the .gitlab-ci.yaml file.
Signed-off-by: Amol Kahat <akahat at redhat.com>
- - - - -
26d1a430 by Amol Kahat at 2018-08-30T07:26:25Z
Minor changes in the CA role user creation.
Signed-off-by: Amol Kahat <akahat at redhat.com>
- - - - -
16cba4b3 by Amol Kahat at 2018-08-30T07:35:13Z
Changed value of NSSDB in the constants.py files.
Signed-off-by: Amol Kahat <akahat at redhat.com>
- - - - -
b9318340 by bhavikbhavsar at 2018-08-30T09:25:39Z
Merge pull request #36 from amolkahat/minor_changes
Changed installation config file.
- - - - -
4bb725f4 by Dinesh Prasanth M K at 2018-08-30T20:55:38Z
Fixed the space in the token-label - Part 2 (#39)
- This is a continuation of patch #35. The commit needs to be
re-written (instead of using the Properties.store()
- The password.conf is being overwritten at multiple places
Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>
- - - - -
288e9a4c by Endi S. Dewata at 2018-09-04T15:39:54Z
Renamed server NSS database parameters
The following parameters have been renamed for consistency:
* pki_database_path -> pki_server_database_path
* pki_pin -> pki_server_database_password
The old parameters are still usable but they have been
deprecated.
The pki_client_pin is redundant so it has been removed.
https://pagure.io/dogtagpki/issue/3053
Change-Id: I243a01b360f573a16a160e9a415f786e38681603
- - - - -
0fc0ec4a by Endi S. Dewata at 2018-09-04T15:39:59Z
Moved server installation docs
The installation docs have been moved into
base/server/docs/installation folder and included
in the pki-server package.
https://pagure.io/dogtagpki/issue/3053
Change-Id: I002562ba9aa765a393f46528b130eb82b4f06912
- - - - -
58fca340 by bhavikbhavsar at 2018-09-05T08:58:28Z
Merge pull request #33 from amolkahat/pki_server
Pki server CLI automation in pytest-ansible
- - - - -
c6f75cfc by Endi S. Dewata at 2018-09-05T20:36:26Z
Updated default key length in pki client-cert-request
The pki client-cert-request CLI has been modified to use the same
default key length (i.e. 2048) as in PKCS10Client.
https://pagure.io/dogtagpki/issue/3056
Change-Id: I853f4dcab938cc877b2ef041125d1c9454e9beb0
- - - - -
a6d38628 by Endi S. Dewata at 2018-09-05T20:42:14Z
Refactored PKCS10Client (part 1)
The PKCS10Client has been modified to use the existing
CryptoUtil.generateRSAKeyPair() to generate RSA key pair.
Change-Id: Ie6fa4113123d1f3ef0cab5662ed0092a6170b4e1
- - - - -
afda5498 by Endi S. Dewata at 2018-09-05T20:44:49Z
Refactored PKCS10Client (part 2)
The PKCS10Client has been modified to use the existing
PKCS10.print() to generate the CSR in PEM format.
Change-Id: Idbbb85cfff359ccb85782ef5612d3e7ae9f08781
- - - - -
533a7878 by Endi S. Dewata at 2018-09-05T21:27:35Z
Refactored JssSubsystem.getKeyPair()
The JssSubsystem.getKeyPair() has been modified to take a
CryptoToken object instead of String token name.
Change-Id: Ia6ab74a82432ced65567b5692032152479639547
- - - - -
b2fbf0d0 by Endi S. Dewata at 2018-09-06T03:10:48Z
Refactored JssSubsystem.getECCKeyPair()
The JssSubsystem.getECCKeyPair() has been modified to take a
CryptoToken object instead of String token name.
Change-Id: I19d5f3cdd592db9cb453a496795294ffea25b507
- - - - -
e1515dd0 by Endi S. Dewata at 2018-09-06T03:52:06Z
Cleaned up CryptoUtil.generateRSAKeyPair()
The CryptoUtil.generateRSAKeyPair() that takes a String token name
has been replaced with the same method that takes a CryptoToken
object.
Change-Id: Ie7bcd66a6353fb5f8fafa49f567f5e31589ce717
- - - - -
4c203c47 by Endi S. Dewata at 2018-09-06T03:57:09Z
Cleaned up CryptoUtil.generateECCKeyPair()
The CryptoUtil.generateECCKeyPair() that takes a String token name
has been replaced with the same method that takes a CryptoToken
object.
Change-Id: I10462e4a6d2aec5c038bce544b31d7f3129aba31
- - - - -
261222b3 by Christina Fu at 2018-09-06T17:37:46Z
ticket #2879 audit events for CA acting as TLS client
This patch provides code for ticket 2879, adding audit events for CS when
acting as a TLS client.
For a running CS system, there are two cases when this happens:
1. When one CS subsystem is talking to another CS subsystem
In this case: HttpClient is used
2. When a CS subsystem is talking to an ldap system
In this case: PKISocketFactory is used
Events added are:
- LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_ESTABLISH_FAILURE
- LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_ESTABLISH_SUCCESS
- LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_TERMINATED
https://pagure.io/dogtagpki/issue/2879
Change-Id: Ib8e4c27c57cb2b13b461c36f37f52dc6a13956f8
- - - - -
67bb08b6 by Christina Fu at 2018-09-07T01:50:30Z
Ticket2960 add SHA384 ciphers and cleanup profiles
This patch adds SHA384 ciphers to the cipher lists (RSA & EC)
CryptoUtil.java contains changes to clientECCiphers:
- RSA ciphers commented out
- SHA384 ciphers are added but RSA ones commented out
Also added SHA384withRSA to ca.profiles.defaultSigningAlgsAllowed.
In addition, a few cleanups are done:
- all MD2, MD5 from allowed signing key algs from profiles
- server profiles:
* removed clientAuth oid 1.3.6.1.5.5.7.3.2 from cmc server profiles
* fixed a couple KU's (RSA vs EC) that had true/false flipped
- caCMCkraStorageCert.cfg
* removed EKU (funny it had clientAuth)
- caCMCkraTransportCert.cfg
* removed EKU (funny it had clientAuth)
- base/ca/shared/conf/eccServerCert.profile
* added the missing CommonNameToSANDefault
Tested with the following:
- installation of an RSA CA and a KRA (strip down to only SHA384 ciphers)
* performed successful agent access
* tested key archival
- installation of an EC CA (strip down to only SHA384 ciphers)
* performed successful agent access
* tested an agent-signed CMC request and submitted/issued successfully
using HttpClient
The above tests showed:
- The SHA384 ciphers work out of box
- The TLS server and client profiles changes did not break any TLS connections.
- The KRA storage and transport profile changes did not break anything.
fixes https://pagure.io/dogtagpki/issue/2960
Change-Id: I6f5cc90ba0eb4a5bfb85d86abbe2c28882cbc6ca
- - - - -
30f0f07d by Endi S. Dewata at 2018-09-07T16:20:12Z
Fixed password generation in pkispawn
Previously the NSS database passwords were generated in
pkiparser.py. Under certain scenarios the password may be
overwritten by subsequent code in pkispawn. To avoid the
problem the code that generates the NSS database passwords
has been moved into the initialization scriptlet.
https://pagure.io/dogtagpki/issue/3061
Change-Id: Ieabfaea7465b615f214820d2ed877f4da589dadb
- - - - -
1ed4f712 by Endi S. Dewata at 2018-09-07T17:57:12Z
Cleaned up log messages
Change-Id: I7fa6c593ef266b4a9965ff83145d8ab358e78880
- - - - -
8cbf8f74 by Christina Fu at 2018-09-07T22:16:06Z
Ticket3027 Disable TLS_RSA_* ciphers for HSM in FIPS mode
This patch disables the TLS_RSA_* ciphers by default because they do not work
with HSMs in FIPS mode.
ciphers.info is also updated to reflect the changes.
fixes https://pagure.io/dogtagpki/issue/3027
Change-Id: Id720b8697976bb344d6dd8e4471a1bb5403af172
- - - - -
2f958743 by Endi S. Dewata at 2018-09-08T04:12:01Z
Remove unnecessary casts
Various classes have been modified to remove unnecessary casts
as reported by Eclipse.
Change-Id: I757f2a08018d883c03926402aa047d4447a547ba
- - - - -
8472e3de by Endi S. Dewata at 2018-09-10T17:53:32Z
Added basic installation docs
Change-Id: I5d31e41c725dbaa72ad5ed173d3b9dc758aba601
- - - - -
95b1694e by Endi S. Dewata at 2018-09-10T19:26:34Z
Updated docs on installation with custom keys
Change-Id: Ife853c7744292e5a8e058ff676d7f2fe1328bf78
- - - - -
fe1cca9b by Dinesh Prasanth M K at 2018-09-10T19:36:14Z
Removing ipa-docker-test-runner tool and custom docker images (#45)
- Removed the usage of 'ipa-docker-test-runner' tool
(https://pagure.io/dogtagpki/issue/3059)
- Removed the deps on custom docker image (uses vanilla Fedora img)
(https://pagure.io/dogtagpki/issue/3058)
- Enabled IPA test on F28
Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>
- - - - -
00348e53 by Endi S. Dewata at 2018-09-11T04:08:35Z
Refactored SystemConfigService.backupKeys()
The SystemConfigService.backupKeys() has been modified such that
it will be called directly by the configuration scriptlet to
simplify troubleshooting.
Change-Id: I987e2365f53a23c4c7e2290dea221c154705091c
- - - - -
61839da5 by Endi S. Dewata at 2018-09-11T04:08:36Z
Removed unused ConfigurationRequest.backupKeys
Change-Id: Ia85abfd5b405f542a0cc73b0c2e6bb3f543db81c
- - - - -
f7a036de by Endi S. Dewata at 2018-09-11T04:08:36Z
Removed SystemConfigService.getCertList()
The SystemConfigService.getCertList() has been replaced by
code that reads directly from preop.cert.list parameter.
Change-Id: Ida1856637cf44de9cca2a68c4372b94b8e6ae056
- - - - -
329e340b by Endi S. Dewata at 2018-09-11T04:08:37Z
Fixed password handling in pki-server CLI
The pki-server ca-cert-chain-export and pki-server
<subsystem>-clone-prepare commands have been modified
to handle PKCS #12 passwords as binaries.
Change-Id: I4a5f25841a25573b017a15b35d45e7a6ea554926
- - - - -
878cb08f by Dinesh Prasanth M K at 2018-09-11T15:53:22Z
Reorganizing CI script for nightly (#47)
- PKI build env setup is not needed for nightly. It
is specific to per commit pki build.
Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>
- - - - -
8b357e59 by Endi S. Dewata at 2018-09-11T21:24:43Z
Added docs on installation with external certificates
Change-Id: I79b9a1c702a2f2ed7195ce392996b17f1a4bcdfc
- - - - -
d738cc6a by Endi S. Dewata at 2018-09-13T14:39:08Z
Refactored SystemConfigService.configureAdministrator() (part 1)
The SystemConfigService.configureAdministrator() has been
modified to return the admin certificate as an X509CertImpl
object.
Change-Id: I5989d243c4b05ca96224778e94a61f855059a7e7
- - - - -
09581eea by Endi S. Dewata at 2018-09-13T14:39:09Z
Refactored SystemConfigService.configureAdministrator() (part 2)
The SystemConfigService.configureAdministrator() has been renamed
into createAdminCert(). The code that creates the admin user has
been moved into createAdminUser(). The code that updates the admin
user cert has been moved into updateAdminUsercert().
Change-Id: I163992f315d9fc8d0d1809509febe153c110e19c
- - - - -
17f0d4e2 by Endi S. Dewata at 2018-09-13T14:39:10Z
Added SystemConfigService.configureCerts()
The code that configures the system and admin certificates
in SystemConfigService.configure() has been moved into
configureCerts().
Change-Id: I9f60295eaa1227d98ae6996609cd50265f01191e
- - - - -
ef1fe72a by Matthew Harmsen at 2018-09-15T01:19:23Z
Ticket 2865 X500Name.directoryStringEncodingOrder overridden by CSR encoding
https://pagure.io/dogtagpki/issue/2865 coverity fixes
- - - - -
107a7cdb by Endi S. Dewata at 2018-09-18T20:40:10Z
Updated exception messages in DBSSession
The DBSSession has been modified to provide more descriptive
exception messages.
Change-Id: If362d87e724d7fdceef7a6fce8a9444fe74920bd
- - - - -
3b012605 by Endi S. Dewata at 2018-09-18T20:40:10Z
Merged SystemConfigService.handleCerts()
The SystemConfigService.handleCerts() has been merged into
processCerts().
Change-Id: Ifc53bbbfcd3afcc9f1e43d742f1a23d8fd6773d5
- - - - -
a6ad5514 by Endi S. Dewata at 2018-09-18T20:40:10Z
Added SystemConfigService.authenticateRequest()
The code that authenticates the configuration request with one
time pin in SystemConfigService.validaterequest() has been moved
into authenticateRequest() and called from all methods that can
be called directly by the client.
Change-Id: I7a750329dc257581150b3ed897267e5d4b8af244
- - - - -
8fbb6d4e by Endi S. Dewata at 2018-09-18T20:40:11Z
Cleaned up password.conf creation
The create_password_conf() and create_hsm_password_conf() in
pkihelper.py have been modified to remove duplicate code and to
normalize the token name.
Change-Id: I88cf94c2a5b10fcd5ccd8158480008dd93fb2b37
- - - - -
a418e088 by Endi S. Dewata at 2018-09-18T23:56:35Z
Refactored generate_csr()
The generate_csr() in configuration.py has been modified to no
longer get the token name from the certificate object. Instead,
the caller is now required to provide an NSSDatabase object that
has been opened with the proper token.
Change-Id: I20fd1d6aaf37d15e0121b487d61b9a9b53541586
- - - - -
a8c55fde by Endi S. Dewata at 2018-09-18T23:56:36Z
Added token name fallback mechanism
The installation tool has been modified to use the global token
name if there is no certificate-specific token name provided.
Change-Id: I9873741b9f340b533202a8f23acd5816133cbf1f
- - - - -
17677ae4 by Endi S. Dewata at 2018-09-18T23:56:36Z
Updated default token name
The installation tool has been modified to use blank as default
token name instead of "internal" or "Internal Key Storage Token".
Change-Id: I6312d9873f68779337173df8c2b3fd13fd710e01
- - - - -
3a16e90f by Endi S. Dewata at 2018-09-18T23:56:36Z
Updated installation log messages
The installation tool has been modified to provide better log
messages to troubleshoot installation issues.
Change-Id: Ie80d8610bf82acf366c1e8cb85dac7571a979d4f
- - - - -
f3f16ca3 by Endi S. Dewata at 2018-09-19T02:29:39Z
Fixed token name fallback for sslserver cert
The import_perm_sslserver_cert() has been modified to use a
token name fallback mechanism when installing the permanent
SSL server certificate.
Change-Id: Ifcc6e6ccf7717e7a368c29f41cbe144612b12062
- - - - -
fd985ade by Endi S. Dewata at 2018-09-19T04:43:20Z
Fixed examples in installation docs
Change-Id: I2d94f4f22aabdbf1d3cfb28ac7085b34fc7f0055
- - - - -
3ccfeea1 by Endi S. Dewata at 2018-09-19T04:44:12Z
Added docs on installation with HSM
Change-Id: Ia4a69f4da6b56f3ae7818632ff513830f34198cb
- - - - -
adbeb1cb by mharmsen99 at 2018-09-19T17:01:06Z
Merge pull request #48 from mharmsen99/ticket-2865
X500Name.directoryStringEncodingOrder overridden by CSR encoding
- - - - -
d79a93b3 by Endi S. Dewata at 2018-09-20T18:00:55Z
Updated installation loggers
The loggers in installation scriptlets have been replaced with
LoggerAdapters in order to log the scriptlet name properly.
Change-Id: Ib30d859aa71559fecb97b7009acf9d6dce38f233
- - - - -
9b402ff3 by Endi S. Dewata at 2018-09-20T18:20:17Z
Refactored configuration.py
The code that creates the client NSS database in configuration.py
has been moved into security_databases.py. The code that generates
the keys of the system and admin certificates has been moved into
keygen.py.
Change-Id: Ie0df4131e770163a32ebb21fa6d666a8d564b580
- - - - -
9f52807a by Endi S. Dewata at 2018-09-21T14:06:55Z
Removed references to Log4j
PKI does not actually use Log4j, so all references to Log4j in
various files have been removed. The link to log4j.properties
will automatically be removed on upgrade.
Change-Id: Ie94fbc6fe6bd92697b66b269a9dcf6cce74f8288
- - - - -
6e7567a9 by Endi S. Dewata at 2018-09-21T19:11:44Z
Refactored serial number range parameters
The pki_serial_number_range_start and pki_serial_number_range_end
parameters have been modified such that they can be configured in
the second step of installation.
Change-Id: I3a0b03f6870e2b01fb51912fc70f16b906b26e7d
- - - - -
c4a9528a by Endi S. Dewata at 2018-09-21T19:11:45Z
Refactored request number range parameters
The pki_request_number_range_start and pki_request_number_range_end
parameters have been modified such that they can be configured in
the second step of installation.
Change-Id: I184d519796748c4c8b563c909153eb3f58bd3cd9
- - - - -
c2c40a34 by Endi S. Dewata at 2018-09-21T19:11:45Z
Refactored replica number range parameters
The pki_replica_number_range_start and pki_replica_number_range_end
parameters have been modified such that they can be configured in
the second step of installation.
Change-Id: I2e499fa443289573d3ee2cc587e35b24d3625800
- - - - -
d4c66bd6 by Endi S. Dewata at 2018-09-21T19:12:56Z
Added docs on installation with existing keys
Change-Id: I4c14b2f27f585d15b955a717c0fd7065d0be4f82
- - - - -
41a492aa by Dinesh Prasanth M K at 2018-09-21T19:31:31Z
Fixed Log rotation issue (#50)
Since we use slf4j to do log rotation, we need to
allow permissions for the corresponding slf4j.jar.
Ticket: https://pagure.io/dogtagpki/issue/3034
Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>
- - - - -
d5f8e930 by Endi S. Dewata at 2018-09-22T00:55:23Z
Fixed dbs.endReplicaNumber
Fixed incorrect change to dbs.endReplicaNumber made in
commit c2c40a34be4224bd4f472ce2d6eaaad0dc13eb0c.
- - - - -
94ea6756 by Endi S. Dewata at 2018-09-22T00:59:08Z
Updated log messages in UpdateNumberRange
The UpdateNumberRange has been modified to provide more
descriptive log messages to help troubleshooting.
- - - - -
ab55160a by Endi S. Dewata at 2018-09-24T15:17:57Z
Removed unused code in configuration.py
The configuration.py has been modified to remove unused code
for external/standalone installation step 1.
- - - - -
db4163e2 by Endi S. Dewata at 2018-09-24T15:19:16Z
Refactored SystemConfigClient
The methods in SystemConfigClient have been modified to take
a Python object and convert it into a JSON string.
- - - - -
9bdbab9b by Endi S. Dewata at 2018-09-24T16:59:34Z
Refactored SystemConfigService.authenticateRequest().
The SystemConfigService.authenticateRequest() has been renamed into
validatePin() and modified to take the configuration PIN instead of
the entire ConfigurationRequest object.
- - - - -
1ebdcd41 by Endi S. Dewata at 2018-09-24T20:14:57Z
Refactored SystemConfigService.createAdminCert()
The SystemConfigService.createAdminCert() has been modified to
return early for clarity.
- - - - -
4a4eb401 by Endi S. Dewata at 2018-09-24T21:02:41Z
Added exit handler in ipa-test.sh
The ipa-test.sh has been modified to always save the logs when
the script exits to the system.
- - - - -
8330d5ae by Endi S. Dewata at 2018-09-24T21:31:33Z
Fixed admin profile ID handling
The code that determines the admin profile ID has been
moved from ConfigurationRequest.getAdminProfileID() into
SystemConfigService.createAdminCert().
Previously the code was using the subsystem cert's key
type to determine the profile ID. Now the code will
use the admin's own key type.
- - - - -
14112b35 by Endi S. Dewata at 2018-09-24T22:56:58Z
Added SystemConfigService.setupAdmin().
The code that creates the admin user and its certificate
has been moved into SystemConfigService.setupAdmin().
- - - - -
7d867a5f by Endi S. Dewata at 2018-09-24T22:59:40Z
Refactored SystemConfigService.setupAdmin()
The SystemConfigService.setupAdmin() has been modified
such that it will not be called when installing a clone.
The code that updates TPS admin has been moved into
TPSInstallerService.setupAdmin() as well.
- - - - -
a970ac12 by Endi S. Dewata at 2018-09-25T14:37:02Z
Refactored SystemConfigService.validateRequest()
The code that validates admin parameters in
SystemConfigService.validateRequest() has been
moved into configureAdmin().
- - - - -
dcfbb8cd by Endi S. Dewata at 2018-09-25T14:37:02Z
Added request/response classes for admin setup
New AdminSetupRequest/Response classes have been added to store
request and response params for SystemConfigService.setupAdmin().
- - - - -
74f2be07 by Endi S. Dewata at 2018-09-25T16:41:59Z
Removed admin params from ConfigurationRequest
The admin params have been removed from ConfigurationRequest
since they have been moved into AdminSetupRequest.
- - - - -
3307f877 by Endi S. Dewata at 2018-09-25T16:41:59Z
Added request classes for key backup
A new KeyBackupRequest class has been added to store request
params for SystemConfigService.backupKeys().
- - - - -
9b5890c5 by Endi S. Dewata at 2018-09-25T16:42:00Z
Removed backup params from ConfigurationRequest
The backup params have been removed from ConfigurationRequest
since they have been moved into KeyBackupRequest.
- - - - -
f0a2ce6f by Christina Fu at 2018-09-25T18:28:00Z
Bug1628410 CMC: add config to allow non-clientAuth
This patch adds a new parameter, cmc.bypassClientAuth, in the CS.cfg
to allow agents to bypass clientAuth requirement in CMCAuth.
Default value for cmc.bypassClientAuth is false.
In addition, CMC enrollment profile caCMCUserCert "visible" value is
set to false.
fixes https://bugzilla.redhat.com/show_bug.cgi?id=1628410
Change-Id: Ie3efda321472c1e1b27ac4c5ecf63db753ce70fc
- - - - -
d3479245 by Dinesh Prasanth M K at 2018-09-25T18:39:53Z
Fixes the 'byte to string' issue due to subprocess (#54)
The subprocess command returns a 'byte string' instead of
the 'string' type. The output should be decoded using the
default "utf-8" type for common operations including (but not
limited to) updating of flat files like CS.cfg
Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>
- - - - -
03a2c0a6 by Christina Fu at 2018-09-25T18:56:56Z
Merge branch 'master' of github.com:dogtagpki/pki
Change-Id: I4b4610b91108e90768b4bb7541c8bbfd9036983e
- - - - -
2dcc2d56 by Endi S. Dewata at 2018-09-25T21:00:17Z
Fixed pki-server tps-clone-prepare
The pki-server tps-clone-prepare has been modified not to export
'signing' certificate since TPS doesn't have such certificate.
- - - - -
f6567a02 by Endi S. Dewata at 2018-09-25T21:00:18Z
Added log messages in pki.server module
- - - - -
6c6b3541 by Endi S. Dewata at 2018-09-25T21:04:10Z
Added docs on cloning
New docs have been added to install CA, KRA, and TPS clones.
- - - - -
c3ad2447 by Dinesh Prasanth M K at 2018-09-26T15:03:12Z
cert-create --serial option takes both hex and int
`pki-server cert-create --serial <serial>` option now accepts both hex
and int. This patch syncs up with other modules on processing the
user-provided --serial option.
Ticket: https://pagure.io/dogtagpki/issue/3067
Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>
- - - - -
62efc332 by Dinesh Prasanth M K at 2018-09-26T15:03:12Z
Fix trust flags for audit and ca signing cert
The audit_signing and ca_signing require special flags to be set
in nssdb to render it useful. This patch fixes this issue.
Ticket: https://pagure.io/dogtagpki/issue/3066
Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>
- - - - -
4cd2c203 by Endi S. Dewata at 2018-09-28T17:53:40Z
Refactored PKCS12Util.loadCertInfoFromNSS()
The PKCS12Util.loadCertInfoFromNSS() has been simplified
and renamed into createCertInfoFromNSS() which will return
a PKCS12CertInfo object.
- - - - -
296b148b by Endi S. Dewata at 2018-09-28T17:53:54Z
Refactored PKCS12Util.loadKeyInfoFromNSS()
The PKCS12Util.loadKeyInfoFromNSS() has been simplified
and renamed into createKeyInfoFromNSS() which will return
a PKCS12KeyInfo object.
- - - - -
7fec59fd by Endi S. Dewata at 2018-09-29T03:30:17Z
Fixed encapsulation in PKCS12CertInfo and PKCS12KeyInfo
The fields in PKCS12CertInfo and PKCS12KeyInfo have been modified
to become private. All code using the fields has been modified
to use the getter/setter methods.
- - - - -
a50e3c53 by Endi S. Dewata at 2018-10-01T14:46:54Z
Updated log messages in PKCS12Util
- - - - -
8abc2517 by Endi S. Dewata at 2018-10-01T18:56:38Z
Refactored PKCS12Util.createCertInfoFromNSS()
The code that generates the certificate ID from SHA-1 hash has
been moved into PKCS12Util.createCertInfoFromNSS().
- - - - -
77f79962 by Endi S. Dewata at 2018-10-01T19:19:01Z
Updated log messages in PKCS12Util
- - - - -
a1913d15 by Endi S. Dewata at 2018-10-01T23:05:03Z
Splitting cert and key IDs in PKCS12Util
Previously PKCS12Util used the same ID to link a cert to its key
in the PKCS #12 file that it generated. This could become a problem
if there are multiple certs using the same key or if there are keys
without certs in the PKCS #12 file.
To solve the issue, a separate key ID field has been added into
PKCSCertInfo which will be used to link the cert to its key. The
cert ID will contain the SHA-1 hash of the certificate and the key
ID will contain the NSS key ID.
- - - - -
3d6b1fae by Dinesh Prasanth M K at 2018-10-01T23:25:07Z
Fixes password leak of Auth plugins to Audit Logs (#57) (#59)
* Auth plugin adds `(sensitive)` instead of plain passwords to AuditLogs
* Added generic `isSensitive()` to identify Passwords before logging
Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>
- - - - -
a46572d9 by Endi S. Dewata at 2018-10-02T20:33:57Z
Updated pki-server subsystem-cert-validate output
The pki-server subsystem-cert-validate CLI has been modified to
show the actual message generated by NSS if the validation fails.
- - - - -
7dbd650c by Endi S. Dewata at 2018-10-02T21:19:06Z
Fixed CA signing cert importation
The pki_ca_signing_cert_path param has been modified to have
an empty value by default.
The import_ca_signing_cert() has been modified such that if
the param is not specified, it will return silently. If the
param contains an invalid path, the method will fail. If the
param contains a valid path to the CA signing cert, the cert
will be imported into the NSS database.
https://pagure.io/dogtagpki/issue/3040
- - - - -
b5ddac86 by Fraser Tweedale at 2018-10-03T00:51:51Z
getTheSerialNumber: only return null if next range not available
When cloning, if the master's current number range has been depleted
due to a previous UpdateNumberRange request,
Repository.getTheSerialNumber() returns null because the next serial
number is out of the current range, but the next range has not been
activated yet. NullPointerException ensues.
Update getTheSerialNumber() to return the next serial number even
when it exceeds the current number range, as long as there is a next
range. If there is no next range, return null (as before). It is
assumed that the next range is non-empty.
Also do a couple of drive-by method extractions to improve
readability.
Part of: https://pagure.io/dogtagpki/issue/3055
- - - - -
8011d2d7 by Fraser Tweedale at 2018-10-03T00:51:51Z
Repository: handle depleted range in initCache()
Repository.initCache() does not handle the case where the current
range has been fully depleted, but the switch to the next range has
not occurred yet. This situation arises when the range has been
fully depleted by servicing UpdateNumberRange requests for clones.
Detect this situation and handle it by switching to the next range
(when available).
Part of: https://pagure.io/dogtagpki/issue/3055
- - - - -
3b57d324 by Fraser Tweedale at 2018-10-03T00:51:51Z
rename method getTheSerialNumber -> peekNextSerialNumber
Rename Repository.getTheSerialNumber -> peekNextSerialNumber to more
accurately reflect what it does: peek at the next serial number
without actually consuming it.
Part of: https://pagure.io/dogtagpki/issue/3055
- - - - -
925ef263 by Fraser Tweedale at 2018-10-03T00:51:51Z
checkRange: small refactor and add commentary
Add some commentary about the behaviour and proper usage of
Repository.checkRange(). Also perform a small refactor, avoiding
a redundant stringify and parse.
Part of: https://pagure.io/dogtagpki/issue/3055
- - - - -
44be5837 by Fraser Tweedale at 2018-10-03T00:51:51Z
UpdateNumberRange: improve logging, add commentary
Add substantial commentary and improve logging in the
UpdateNumberRange servlet. Also perform some small refactors of
this code.
Part of: https://pagure.io/dogtagpki/issue/3055
- - - - -
12862869 by Fraser Tweedale at 2018-10-03T00:51:51Z
Add missing synchronisation for range management
Several methods in Repository (and CertificateRepository) need
synchronisation on the intrinsic lock. Make these methods
synchronised.
Also take the lock in UpdateNumberRange so that no serial numbers
can be handed out in other threads between peekNextSerialNumber()
and set(Next)?MaxSerial(). Without this synchronisation, it is
possible that the master instance will use some of the serial
numbers it transfers to the clone.
Fixes: https://pagure.io/dogtagpki/issue/3055
- - - - -
fadaeb13 by bhavikbhavsar at 2018-10-04T14:38:50Z
Added new openstack resource pool (#63)
Signed-off-by: Bhavik Bhavsar <bbhavsar at redhat.com>
- - - - -
3d7ff0b0 by Endi S. Dewata at 2018-10-04T15:45:40Z
Updated log messages on cert revocation
- - - - -
74f61463 by Alexander Scheel at 2018-10-04T19:55:54Z
Updated version number to 10.6.7
Signed-off-by: Alexander Scheel <ascheel at redhat.com>
- - - - -
ee92a50f by Alexander Scheel at 2018-10-04T20:16:24Z
Update arches to match downstream pki-core and esc
See: https://src.fedoraproject.org/rpms/esc/blob/master/f/esc.spec#_38
Signed-off-by: Alexander Scheel <ascheel at redhat.com>
- - - - -
b87b2bb4 by Timo Aaltonen at 2018-10-08T08:28:33Z
Merge branch 'upstream'
- - - - -
44d21488 by Timo Aaltonen at 2018-10-08T08:28:55Z
bump the version
- - - - -
88d2d85d by Timo Aaltonen at 2018-10-09T19:26:27Z
releasing package dogtag-pki version 10.6.7-1
- - - - -
30 changed files:
- .gitignore
- .travis.yml
- base/ca/shared/conf/CS.cfg
- base/ca/shared/conf/eccAdminCert.profile
- base/ca/shared/conf/eccServerCert.profile
- base/ca/shared/conf/rsaAdminCert.profile
- base/ca/shared/profiles/ca/AdminCert.cfg
- base/ca/shared/profiles/ca/ECAdminCert.cfg
- base/ca/shared/profiles/ca/caAdminCert.cfg
- base/ca/shared/profiles/ca/caAgentFileSigning.cfg
- base/ca/shared/profiles/ca/caCMCECUserCert.cfg
- base/ca/shared/profiles/ca/caCMCECserverCert.cfg
- base/ca/shared/profiles/ca/caCMCUserCert.cfg
- base/ca/shared/profiles/ca/caCMCkraStorageCert.cfg
- base/ca/shared/profiles/ca/caCMCkraTransportCert.cfg
- base/ca/shared/profiles/ca/caCMCserverCert.cfg
- base/ca/shared/profiles/ca/caCrossSignedCACert.cfg
- base/ca/shared/profiles/ca/caDirBasedDualCert.cfg
- base/ca/shared/profiles/ca/caDirPinUserCert.cfg
- base/ca/shared/profiles/ca/caDirUserCert.cfg
- base/ca/shared/profiles/ca/caDualCert.cfg
- base/ca/shared/profiles/ca/caDualRAuserCert.cfg
- base/ca/shared/profiles/ca/caECAdminCert.cfg
- base/ca/shared/profiles/ca/caECDirPinUserCert.cfg
- base/ca/shared/profiles/ca/caECDirUserCert.cfg
- base/ca/shared/profiles/ca/caECDualCert.cfg
- base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg
- base/ca/shared/profiles/ca/caECFullCMCUserCert.cfg
- base/ca/shared/profiles/ca/caECFullCMCUserSignedCert.cfg
- base/ca/shared/profiles/ca/caECInternalAuthServerCert.cfg
The diff was not included because it is too large.
View it on GitLab: https://salsa.debian.org/freeipa-team/dogtag-pki/compare/932e816155f6d8cdfe287dabae89cee02687e2c5...88d2d85d616a9fa1c9ec5e8aef30badca80a183e