[Pkg-freeipa-devel] [Git][freeipa-team/dogtag-pki][master-next] 150 commits: Add new healthcheck - CA System cert expiry

Timo Aaltonen gitlab at salsa.debian.org
Thu Aug 6 17:20:08 BST 2020



Timo Aaltonen pushed to branch master-next at FreeIPA packaging / dogtag-pki


Commits:
9beafcf5 by Dinesh Prasanth M K at 2020-06-11T14:45:50-04:00
Add new healthcheck - CA System cert expiry

This patch adds a new healthcheck to test whether CA's
system certs have expired. It throws a WARNING if the
certificates are about to expire.

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
a2fd414b by Dinesh Prasanth M K at 2020-06-11T14:45:50-04:00
Add new healthcheck - KRA System cert expiry

This patch adds a new healthcheck to test whether KRA's
system certs have expired. It throws a WARNING if the
certificates are about to expire.

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
964a701f by Dinesh Prasanth M K at 2020-06-11T14:45:50-04:00
Move the cert expiry calculation logic to generic method

This patch creates a reusable method that returns the pre-filled Result
object, that carries the Cert expiration status. The method can process
only 1 cert at a time.

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
4b81e951 by Endi S. Dewata at 2020-06-11T14:52:50-05:00
Added CertUtil.toPEM() for PKCS10

The code that converts a PKCS10 object into a PEM string has
been moved into CertUtil.toPEM().

- - - - -
a8a6416b by Endi S. Dewata at 2020-06-11T14:52:50-05:00
Removed deprecated methods in ClientConfig

- - - - -
43197691 by Endi S. Dewata at 2020-06-11T14:52:50-05:00
Refactored MainCLI.getNSSDatabase()

The MainCLI.getNSSDatabase() has been modified to return
an NSSDatabase object.

- - - - -
313b57b1 by Endi S. Dewata at 2020-06-11T14:52:50-05:00
Refactored ClientCertImportCLI.importCACert() (part 1)

The code that imports a CA cert with a nickname has been moved
out of ClientCertImportCLI.importCACert().

- - - - -
3933b160 by Endi S. Dewata at 2020-06-11T14:52:50-05:00
Refactored ClientCertImportCLI.importCACert() (part 2)

The ClientCertImportCLI.importCACert() has been converted
into NSSDatabase.addCertificate().

- - - - -
3de6843e by Endi S. Dewata at 2020-06-11T14:52:50-05:00
Refactored ClientCertImportCLI.importCert()

The ClientCertImportCLI.importCert() has been converted into
NSSDatabase.addCertificate().

- - - - -
c701cf62 by Endi S. Dewata at 2020-06-11T14:52:50-05:00
Cleaned up ACME doc

- - - - -
ab386a98 by Dinesh Prasanth M K at 2020-06-11T16:06:21-04:00
Add new healthcheck - OCSP System Cert Expiry

This patch adds new healthcheck to test the expiration
of OCSP system certs

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
80054053 by Dinesh Prasanth M K at 2020-06-11T16:06:21-04:00
Add new healthcheck - TKS System Cert Expiry

This patch adds a new healthcheck to test the expiration
of TKS system certs

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
235cfe1a by Dinesh Prasanth M K at 2020-06-11T16:06:21-04:00
Add new healthcheck - TPS System cert expiration

This patch adds a new healthcheck to check the expiration
of system certs in TPS

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
d206ef17 by Endi S. Dewata at 2020-06-11T18:49:53-05:00
Fixed NSSDatabase.create()

The NSSDatabase.create() has been modified to create the
NSS database with the internal token password.

- - - - -
2dea4a76 by Endi S. Dewata at 2020-06-11T18:50:40-05:00
Added NSSDatabase.addPEMCertificate()

The NSSDatabase.addPEMCertificate() methods have been added
to import certificate files in PEM format.

- - - - -
a755dc78 by Endi S. Dewata at 2020-06-11T19:03:57-05:00
Added pki nss-cert-import

The pki nss-cert-import has been added to replace
pki client-cert-import --cert and --ca-cert.

- - - - -
95366b70 by Endi S. Dewata at 2020-06-11T19:03:57-05:00
Simplified pki pkcs12-import options

- - - - -
0d59b969 by Endi S. Dewata at 2020-06-11T19:03:58-05:00
Added PostgreSQL database doc

- - - - -
8f75debd by Endi S. Dewata at 2020-06-15T12:45:55-05:00
Simplified pki pkcs7-import options

- - - - -
804d827a by Endi S. Dewata at 2020-06-15T12:45:55-05:00
Simplified pki pkcs12-export options

- - - - -
9f4f293f by Endi S. Dewata at 2020-06-15T12:45:55-05:00
Updated CMSEngine.configureAutoShutdown() (part 1)

A try-catch block in CMSEngine.configureAutoShutdown() has
been removed to expose all exceptions generated by the code.

- - - - -
057ce47d by Endi S. Dewata at 2020-06-15T13:29:13-05:00
Updated CMSEngine.configureAutoShutdown() (part 2)

A try-catch block in CMSEngine.configureAutoShutdown() has been
removed to expose any problem in finding the audit signing cert.

The CMSEngine.init() has also been modified to call the method
only after the audit signing cert has been created.

- - - - -
37927738 by Endi S. Dewata at 2020-06-15T13:29:13-05:00
Updated CMSEngine.configureAutoShutdown() (part 3)

A try-catch block in CMSEngine.configureAutoShutdown() has been
removed to expose any problem in removing existing auto-shutdown
crumb file.

- - - - -
7a31f28f by Endi S. Dewata at 2020-06-15T19:32:25-05:00
Added NSSDatabase.createRequest()

The NSSDatabase.createRequest() has been added to create a
certificate signing request using a local NSS database.

- - - - -
99793a50 by Endi S. Dewata at 2020-06-15T19:32:25-05:00
Added NSSDatabase.createCertificate()

The NSSDatabase.createCertificate() has been added to issue
a certificate using a CA signing certificate stored in a local
NSS database.

- - - - -
0b4ba07c by Endi S. Dewata at 2020-06-15T19:32:25-05:00
Added pki nss-cert-request

The pki nss-cert-request have been added to create a certificate
signing request using a local NSS database.

- - - - -
3d82cdfe by Endi S. Dewata at 2020-06-15T19:32:25-05:00
Added pki nss-cert-issue

The pki nss-cert-issue have been added to issue a certificate
using a CA signing certificate stored in a local NSS database.

- - - - -
21528f49 by Endi S. Dewata at 2020-06-16T14:01:11-05:00
Cleaned up ACMEEngine log messages

- - - - -
85b7b89e by dependabot[bot] at 2020-06-16T20:32:47-05:00
Bump xercesImpl from 2.11.0 to 2.12.0

Bumps xercesImpl from 2.11.0 to 2.12.0.

Signed-off-by: dependabot[bot] <support at github.com>
- - - - -
0011cfbe by Christina Fu at 2020-06-18T15:53:12+10:00
Bug 1805541 improvement over verifySCT - [RFE] CA Certificate Transparency with Embedded Signed Certificate Time stamp

This patch made some more attempt to improve on verifySCT
  (though still not working; lack of the signed blob from sender
   makes it a bit challenging)

It adds the following:
  - Include code to use LinkedHashMap instead of Hashtable (requires jss fix)
  - Added debugging code to be sure that the extensions didn’t get out of order through manipulation
  - Allow for CT lg connection issue, but disallow for failed CT verification (though still temporarily disable failure for signature verification)
  - For verifySCT
     - Added missing 3 byte length for tbsCert
     - Added processing for extensions, though most likely not needed for some time

Note: the global on/off is rigid at this point without "per-profile" control;

https://bugzilla.redhat.com/show_bug.cgi?id=1805541

- - - - -
f183aa0d by Fraser Tweedale at 2020-06-18T15:53:12+10:00
CT: decode signature value properly

The CT signature is TLS-encoded structure with 4 leading bytes.  The
rest of the signature is the signature value, which is a DER-encoded
ECDSA-Sig-Value per https://tools.ietf.org/html/rfc5480.  This is
exactly what JSS needs, so only drop the first 4 bytes.

With this change, SCT signature verification now works.

- - - - -
43466bf0 by Fraser Tweedale at 2020-06-18T15:53:12+10:00
CT: cleanups

- - - - -
85fdca4b by Fraser Tweedale at 2020-06-18T15:53:12+10:00
CT: tidy up "allow failed SCT verification" control

The "allow failed SCT verification" behaviour was a bit buggy.  If
it got a boolean verification result it "correctly" ignored failed
verification, but if an exception was thrown (e.g. due to malformed
log server response) it returned 'false', aborting issuance.

Extract the "allow failed verification" check out of verifySCT to
the call site.  A single boolean now controls the behaviour.  It
should be further extracted to a config knob in a future commit.
For now the default remains to ignore failed verification.

- - - - -
62b8df1b by Fraser Tweedale at 2020-06-18T15:53:12+10:00
CT: createSCTextension: handle SCT extensions properly

To handle possible future extensions, read the extensions from the
log server response(s) and copy them into the SCT extension.

- - - - -
decf1192 by Fraser Tweedale at 2020-06-18T15:53:12+10:00
CT: extract "write fixed-width length field" method

Define 'intToFixedWidthBytes' which encapsulates the logic of
writing a length as a fixed-width big-endian uint.  This avoids
repetition and makes things easier to follow at call sites.

- - - - -
e39d5978 by Christian Heimes at 2020-06-18T11:33:12-04:00
Enable TLS 1.3 post handshake auth

TLS 1.3 no longer supports renegotiations. Clients must announce support for
post handshake authentication to support conditional authentication with
client certs.

The fix is required to make Dogtag work with FreeIPA and TLS 1.3 enabled
Apache HTTPd proxy.

n.b.: rebased by Alexander Scheel, enabled PHA

Change-Id: I07da8779e233f6e77526df30e29da575676ac0e9
Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
50c23ec1 by Alexander Scheel at 2020-06-18T11:33:12-04:00
Enable certificate verification in PKIConnection

To PKIConnection's initialization handler, we introduce a new argument,
cert_paths, which takes a string or iterable; each unit of which is
treated as a capath or cafile depending on whether or not it is a
directory. See ssl.SSLContext.load_verify_locations for more
information. This enables both PKI and IPA to specify independent CA
file locations at the same time and have fallback if this does not work.

Because some users might've already loaded the CA certificate into the
system-wide CA certificate store (if they're running Dogtag in
production), we also inclue the global trust store.

Resolves: rh-bz#1426572

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
8705ebeb by Alexander Scheel at 2020-06-18T11:33:12-04:00
Make healthcheck check CA certificate

When running healthcheck, use the CA certificate in PEM form at
/etc/pki/<instance>/alias/ca.crt to verify connections with
PKIConnection. This is because the healthcheck tool is run on the
server, not on a remote client system.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
e5793704 by Alexander Scheel at 2020-06-18T11:33:12-04:00
Make PKI server operations verify CA certificate

We create a path ~/.dogtag/nssdb/ca.crt which contains the PEM-encoded
CA certificate in the NSS DB. When setting up PKI server authentication,
check for this CA file and use it when present. If we're performing
cert-based auth, we're dumping the CA certificate into the .p12 file, so
we can extract just the CA certificate to create it if it is missing.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
de680af2 by Alexander Scheel at 2020-06-18T11:33:12-04:00
Check CA Certificate in Security Domain

When checking a Security Domain connection, we should ensure the CA
certificate is already provisioned to this machine prior to attempting
this call.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
7fba9a16 by Alexander Scheel at 2020-06-18T11:33:12-04:00
Secure PKIConnection during pkispawn, add CA cert

When the CA certificate is missing in PEM form in the NSS DB (but is
present from the pki_ca_cert_path parameter in the spawn configuration,
add it to this instance's alias prior to using PKIConnection.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
614846ec by Alexander Scheel at 2020-06-18T11:33:12-04:00
Export CA certificate from clone PKCS#12 file

When creating a cloned subsystem, export the CA certificate into the
expected location prior to continuing subsystem installation. This
should ensure we provision the CA certificate prior to any calls to
PKIConnection.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
35c52586 by Alexander Scheel at 2020-06-18T11:33:12-04:00
Ignore certificate validation during status checks

When waiting for a subsystem to come up, we initialize a new
PKIConnection. However, we don't necessarily need to validate this
certificate: it is a status check and spoofing the result at worst
causes us to fail somewhere else, later, if the server isn't yet alive
and/or the connection was spoofed. Since this is primarily used in
pkispawn, it should be safe to ignore any certificate validation
failures and set verify=False here.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
c4a3454e by Alexander Scheel at 2020-06-18T11:33:12-04:00
Verify CA certificate when destroying KRA

When destroying a KRA instance, we query a list of all CAs this KRA
instance is registerred to. When querying this list, verify the
certificate on the remote peer.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
00fdf77f by Alexander Scheel at 2020-06-18T11:33:12-04:00
Export CA certificate after NSS DB migration

In order to ensure all subsystems continue to function with enforced CA
validity checking, export the CA after NSS DB migration. This should
ensure we always get the latest CA certificate (as the CA would
presumably be restarted after a new CA certificate has been issued).

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
dc5b3e78 by Alexander Scheel at 2020-06-18T11:33:12-04:00
Add documentation on PKI certificate validation

This documents utilizing the pki_cert_chain_path to configure an
existing CA certificate into the NSS DB. We also document proper CLI
setup procedures, including mentioning that the CA certificates must be
imported.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
578f682e by Endi S. Dewata at 2020-06-18T10:35:28-05:00
Added auto-reconnect for PostgreSQL database

The PostgreSQLDatabase.connect() has been added to create
the initial connection, validate the current connection,
and reestablish the connection if it's closed.

- - - - -
b235c0f3 by Dinesh Prasanth M K at 2020-06-18T13:38:04-04:00
Fix XSS in PathLength attribute in CA agent web page

- The input type is set to number when "integer" is encountered
- The server error message is html escaped, before it gets displayed in client browser

Resolves: BZ#1710171

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
6c43dd30 by Endi S. Dewata at 2020-06-18T13:03:09-05:00
Added certificate storage in ACME database

The ACMEDatabase has been modified to provide a certificate
storage for ACME issuers that do not have their own storage.

- - - - -
56b8375e by Dinesh Prasanth M K at 2020-06-18T20:02:18-04:00
Fix reflected XSS attack when hitting getCookie endpoint

This patch sanitizes the Server generated error message, to escape
the HTML tags if any present.

Resolves: BZ#1789907

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
50585c65 by Pritam Singh at 2020-06-19T10:05:10-04:00
Added client-side prevention for XSS in recoveryID endpoint

Signed-off-by: Pritam Singh <prisingh at redhat.com>

- - - - -
835f1dcd by Endi S. Dewata at 2020-06-19T10:16:40-05:00
Simplified pki pkcs12-cert-find options

- - - - -
73da2085 by Endi S. Dewata at 2020-06-19T10:16:40-05:00
Added default ACME validators configuration

The ACMEEngine.loadValidatorsConfig() has been modified to
load the default validators.conf if the configuration file
is not available.

The pki-server acme-create command has been modified to no
longer create validators.conf so the ACME responder will
use the default one.

- - - - -
edff88c9 by Endi S. Dewata at 2020-06-19T10:17:21-05:00
Added non-blocking ACME validation

The ACMEChallengeProcessor has been added to perform the
ACME validation using a separate thread such that it does
not block the main thread.

- - - - -
426d5f73 by Christina Fu at 2020-06-19T12:02:06-07:00
Bug1629025: KRA transporCert nick: Server-Side keygen Enrollment for EE

This patch fixes the issue where CA attempts to get
ca.ca.connector.KRA.transportCertNickname
instead of
ca.connector.KRA.transportCertNickname
from it's CS.cfg

https://bugzilla.redhat.com/show_bug.cgi?id=1629025

- - - - -
63a75f81 by Timo Aaltonen at 2020-06-19T15:12:47-04:00
Fix javadoc build on Debian

Tried to build 10.9.0-a1 on Debian, but it fails building javadoc:

[ 98%] Generating Javadoc for pki-javadoc
cd /home/tjaalton/src/pkg-freeipa/dogtag-pki.git/build/core/base/javadoc && /usr/lib/jvm/java-11-openjdk-amd64/bin/javadoc -d /home/tjaalton/src/pkg-freeipa/dogtag-pki.git/build/core/base/javadoc/javadoc/pki-10.9.0 -windowtitle 'pki-javadoc' -doctitle '<h1>PKI Javadoc</h1>' -author -use -version -quiet -Xdoclint:none -sourcepath :/home/tjaalton/src/pkg-freeipa/dogtag-pki.git/base/javadoc:/home/tjaalton/src/pkg-freeipa/dogtag-pki.git/base/util/src:/home/tjaalton/src/pkg-freeipa/dogtag-pki.git/base/common/src:/home/tjaalton/src/pkg-freeipa/dogtag-pki.git/base/java-tools/src:/home/tjaalton/src/pkg-freeipa/dogtag-pki.git/base/server/src -classpath :/usr/share/java/slf4j-api.jar:/usr/share/java/jaxb-api.jar:/usr/share/java/xalan2.jar:/usr/share/java/xercesImpl.jar:/usr/share/java/commons-cli.jar:/usr/share/java/commons-lang.jar:/usr/share/java/commons-codec.jar:/usr/share/java/commons-httpclient.jar:/usr/share/java/commons-io.jar:/usr/share/java/ldapjdk.jar:/usr/share/java/velocity.jar:/usr/share/java/servlet-api-3.1.jar:/usr/share/java/tomcat9-catalina.jar:/usr/share/java/tomcat9-util.jar:/usr/share/java/httpclient.jar:/usr/share/java/httpcore.jar:/usr/share/java/jaxrs-api.jar:/usr/share/java/jackson-annotations.jar:/usr/share/java/jackson-databind.jar:/usr/share/java/jackson-module-jaxb-annotations.jar:/usr/share/java/resteasy-jaxrs.jar:/usr/share/java/resteasy-atom-provider.jar:/usr/share/java/resteasy-client.jar:/usr/share/java/jss4.jar:/home/tjaalton/src/pkg-freeipa/dogtag-pki.git/build/core/dist/symkey.jar:/usr/share/java/tomcatjss.jar:/home/tjaalton/src/pkg-freeipa/dogtag-pki.git/build/core/dist/pki-cmsutil.jar:/home/tjaalton/src/pkg-freeipa/dogtag-pki.git/build/core/dist/pki-certsrv.jar:/home/tjaalton/src/pkg-freeipa/dogtag-pki.git/build/core/dist/pki-tools.jar:/home/tjaalton/src/pkg-freeipa/dogtag-pki.git/build/core/dist/pki-tomcat.jar:/home/tjaalton/src/pkg-freeipa/dogtag-pki.git/build/core/dist/pki-cms.jar -subpackages :com.netscape.cmsutil:com.netscape.certsrv:com.netscape.cmstools:org.dogtagpki:com.netscape.cms
javadoc: error - No source files for package com.netscape.cmsutil

I believe base/javadoc/CMakeLists.txt needs to be updated..

it was quite simple

Resolves: https://www.pagure.io/dogtagpki/issue/3176

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
364de389 by Endi S. Dewata at 2020-06-19T14:53:54-05:00
Cleaned up ACME doc

- - - - -
0447bd72 by Endi S. Dewata at 2020-06-19T15:00:44-05:00
Added NSSExtensionGenerator

The NSSExtensionGenerator has been added to create certificate
extension objects from a configuration file. Initially it only
supports BasicConstraintsExtension.

The NSSDatabase has been modified to support creating certificate
request or issuing certificates with extensions.

- - - - -
57e97b2b by Endi S. Dewata at 2020-06-19T15:00:44-05:00
Added support for AuthorityKeyIdentifierExtension

The NSSDatabase and NSSExtensionGenerator have been modified
to support AuthorityKeyIdentifierExtension.

- - - - -
302edc84 by Endi S. Dewata at 2020-06-19T15:00:44-05:00
Added support for SubjectKeyIdentifierExtension

The NSSDatabase and NSSExtensionGenerator have been modified
to support SubjectKeyIdentifierExtension.

- - - - -
6e28f76a by Endi S. Dewata at 2020-06-19T15:00:44-05:00
Added support for AuthInfoAccessExtension

The NSSDatabase and NSSExtensionGenerator have been modified
to support AuthInfoAccessExtension.

- - - - -
3e035de6 by Endi S. Dewata at 2020-06-19T15:00:44-05:00
Added support for KeyUsageExtension

The NSSDatabase and NSSExtensionGenerator have been modified
to support KeyUsageExtension.

- - - - -
bec9b60e by Endi S. Dewata at 2020-06-19T15:00:44-05:00
Added support for ExtendedKeyUsageExtension

The NSSDatabase and NSSExtensionGenerator have been modified
to support for ExtendedKeyUsageExtension.

- - - - -
923e1e12 by Endi S. Dewata at 2020-06-19T15:00:44-05:00
Added support for CertificatePoliciesExtension

The NSSDatabase and NSSExtensionGenerator have been modified
to support CertificatePoliciesExtension.

- - - - -
74918419 by Alexander Scheel at 2020-06-19T16:42:44-04:00
Use password during NSS DB creation

In most instances, MainCLI has already parsed options prior to executing
MainCLI.init(). Require the caller to ensure this holds. When a NSS DB
password has been provided, use it to create the NSS DB when one doesn't
yet exists. This matches users's expectations.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1843537

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
3a92a1db by Endi S. Dewata at 2020-06-19T18:09:04-05:00
Added NSSIssuer

The NSSIssuer has been added to provide an embedded
CA for the ACME responder using a local NSS database.

- - - - -
ca428b43 by Alexander Scheel at 2020-06-19T19:36:10-04:00
Set -Dcom.redhat.fips=false in Tomcat config

FIPS mode in OpenJDK shipped on RHEL-like platforms uses SunPKCS11 to
provide cryptographic primitives for SunJSSE (including SSLEngine and
SSLSocket) and other high-level providers. However, because SunPKCS11
uses NSS, we'd have a race between JSS and SunPKCS11. This isn't good,
because when Tomcat loads up, SunPKCS11 will consistently load before
TomcatJSS initialization, starving JSS's chance to become the default
provider. By setting -Dcom.redhat.fips=false unconditionally, we
decrease the JDK's reliance on SunPKCS11, decreasing the chance it'll
load. Indeed, prior to the changes to follow system FIPS mode, we've not
encountered any issues with SunPKCS11 loading ahead of JSS.

This change adds -Dcom.redhat.fips=false to the Tomcat configuration
unless the key is already present.

Because JSS is FIPS conforming, and provides a SSLEngine and SSLSocket
implementation since JSS 4.7.0, this is safe to do. In the future,
java.security can be used to ensure only JSS is loaded, preventing any
non-FIPS operations completely.

Related: https://bugzilla.redhat.com/show_bug.cgi?id=1655466
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1759335
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1780335
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1821851
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1830090

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
43a2738c by Endi S. Dewata at 2020-06-22T10:49:21-05:00
Added PKIServer.nssdb_link

The code in PKIInstance that creates and removes the link
to the NSS database has been moved into PKIServer.

- - - - -
41e1590b by Endi S. Dewata at 2020-06-22T10:49:21-05:00
Reorganized ACME database files

The ACME database files have been moved into acme/database
to simplify the paths.

- - - - -
b20f0803 by Endi S. Dewata at 2020-06-22T10:49:21-05:00
Reorganized ACME issuer files

The ACME issuer files have been moved into acme/issuer
to simplify the paths.

- - - - -
b04097fc by Endi S. Dewata at 2020-06-22T10:49:21-05:00
Simplified pki pkcs12-cert-mod options

- - - - -
abc01031 by Endi S. Dewata at 2020-06-22T11:38:38-05:00
Updated version number to 10.9.0-0.3 (beta 1)

- - - - -
412b3150 by Endi S. Dewata at 2020-06-22T15:12:37-05:00
Renamed issuer parameter in NSSIssuer

The issuer parameter in NSSIssuer has been renamed to
nickname for clarity.

- - - - -
606aa7b9 by Endi S. Dewata at 2020-06-22T15:13:12-05:00
Added default value for NSSIssuer nickname

- - - - -
4f3db1ae by Endi S. Dewata at 2020-06-22T15:13:13-05:00
Added default value for NSSIssuer extensions

- - - - -
4f47a2f6 by Dinesh Prasanth M K at 2020-06-23T18:00:23-04:00
Require python3-setuptools explicitly

python3-setuptools is required to setup PKI healthcheck tool. There
was a request submitted by setuptools developers to specify BR directly
rather than using tranisitive dependency (ie) python3-devel pull
python3-setuptools currently

Ref: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/GCPGM34ZGEOVUHSBGZTRYR5XKHTIJ3T7/

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
1b4558bf by Alexander Scheel at 2020-06-24T11:53:59-04:00
Fix extraction of CA certificate

openssl pkcs12 gets annoyed when the CA certificate already exists.
Remove it before exporting on each migration.

This manifests itself as a failure during pki-tomcatd startup:

    Jun 24 06:05:59 host-10-0-137-221.ipa.example pki-server[21402]: ---------------
    Jun 24 06:05:59 host-10-0-137-221.ipa.example pki-server[21402]: Export complete
    Jun 24 06:05:59 host-10-0-137-221.ipa.example pki-server[21402]: ---------------
    Jun 24 06:05:59 host-10-0-137-221.ipa.example pki-server[21375]: ERROR: Command: openssl pkcs12 -in /tmp/tmpfn_vr9yx/sslserver.p12 -out /etc/pki/pki-tomcat/alias/ca.crt -nodes -nokeys -passin pass::6|xZFEk8Dog

See also: https://github.com/freeipa/freeipa/pull/4820#issuecomment-648729659
Related: rh-bz#1426572

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
deca1c87 by Dinesh Prasanth M K at 2020-06-24T17:12:26-04:00
Healthcheck: Ignore SSL verification in connectivity check

The connectivity check's motive is to test whether the given
subsystem is up and able to respond. Strict SSL validation is not
required. This patch turns it off for the COnnectivity Healthcheck.

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
a21bd28c by Alexander Scheel at 2020-06-25T12:35:23-04:00
Provision CA certificate for Security Domain check

When checking the Security Domain during pkispawn, we enforce
certificate validation. This is because we're also checking the
username/password given to us. This should go over a secured connection,
so simply setting verify=False would be a bad fix. Instead, ask the user
for a pki_cert_chain_path if one isn't given and use that to validate
the security domain's connection when the ca.crt path isn't already
populated.

This manifests itself as the following error:

      File "/usr/lib/python3.6/site-packages/pki/server/pkispawn.py", line 930, in <module>
        main(sys.argv)
      File "/usr/lib/python3.6/site-packages/pki/server/pkispawn.py", line 544, in main
        check_security_domain()
      File "/usr/lib/python3.6/site-packages/pki/server/pkispawn.py", line 716, in check_security_domain
        info = deployer.get_domain_info()
      File "/usr/lib/python3.6/site-packages/pki/server/deployment/__init__.py", line 270, in get_domain_info
        self.domain_info = sd_client.get_domain_info()
      File "/usr/lib/python3.6/site-packages/pki/system.py", line 270, in get_domain_info
        response = self.connection.get(self.domain_info_url, headers=headers)
      File "/usr/lib/python3.6/site-packages/pki/client.py", line 55, in wrapper
        return func(self, *args, **kwargs)
      File "/usr/lib/python3.6/site-packages/pki/client.py", line 259, in get
        timeout=timeout,
      File "/usr/lib/python3.6/site-packages/requests/sessions.py", line 546, in get
        return self.request('GET', url, **kwargs)
      File "/usr/lib/python3.6/site-packages/requests/sessions.py", line 533, in request
        resp = self.send(prep, **send_kwargs)
      File "/usr/lib/python3.6/site-packages/requests/sessions.py", line 646, in send
        r = adapter.send(request, **kwargs)
      File "/usr/lib/python3.6/site-packages/requests/adapters.py", line 514, in send
        raise SSLError(e, request=request)
    requests.exceptions.SSLError: HTTPSConnectionPool(host='pki1.example.com', port=20443): Max retries exceeded with url: /ca/rest/securityDomain/domainInfo (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)'),))

Related: rh-bz#1426572

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
57fdb9bb by Endi S. Dewata at 2020-06-25T14:33:23-05:00
Refactored EnrollDefault.deleteExtension() (part 1)

The EnrollDefault.deleteExtension() has been modified to
throw a generic exception.

- - - - -
16269168 by Endi S. Dewata at 2020-06-25T14:34:16-05:00
Refactored EnrollDefault.deleteExtension() (part 2)

The EnrollDefault.deleteExtension() has been modified to use
a separate loop to avoid ConcurrentModificationException.

- - - - -
b2388e9a by Endi S. Dewata at 2020-06-25T15:00:50-05:00
Refactored CAProcessor.saveAuthToken() (part 1)

The code that checks that the authentication token and the
request are not null in CAProcessor.saveAuthToken() has been
moved to the caller.

- - - - -
134f20ba by Endi S. Dewata at 2020-06-25T15:22:05-05:00
Refactored CAProcessor.saveAuthToken() (part 2)

The variable names and log messages in CAProcessor.saveAuthToken()
have been modified for clarity.

- - - - -
e131adc0 by Endi S. Dewata at 2020-06-25T16:53:35-05:00
Updated version number to 10.9.0-0.4 (beta 2)

- - - - -
3073c64a by Christina Fu at 2020-06-25T19:31:17-07:00
Bug1805541-parseAlgs-[RFE] CA Certificate Transparency with Embedded Signed Certificate Time stamp

This patch parses the CT response for hashing and signing algorithms.
There is plan to fine-tune the CT code later.

https://bugzilla.redhat.com/show_bug.cgi?id=1805541

- - - - -
2a0dae85 by Endi S. Dewata at 2020-06-29T10:55:05-05:00
Removed default user/group in pki-server create

The hard-coded default user/group in pki-server create has
been removed such that it's going to be determined by the
type of instance being created.

- - - - -
6c18b47f by Endi S. Dewata at 2020-06-29T10:55:48-05:00
Cleaned up log messages in PKIIssuer

- - - - -
4ce3a7e4 by Endi S. Dewata at 2020-06-29T10:55:48-05:00
Cleaned up main web.xml

The main web.xml has been modified to map .properties
files to text/plain to avoid syntax errors in Firefox.

https://github.com/jquery-i18n-properties/jquery-i18n-properties

- - - - -
7ab7f731 by Endi S. Dewata at 2020-06-29T10:55:48-05:00
Cleaned up ACME's web.xml

- - - - -
33f4893c by Endi S. Dewata at 2020-06-29T14:20:23-05:00
Added ACME Dockerfile

- - - - -
0682f553 by Endi S. Dewata at 2020-06-29T14:20:23-05:00
Added ACME deployment config for OpenShift

- - - - -
93732b52 by Dinesh Prasanth M K at 2020-06-30T11:20:15-04:00
Healthcheck: Add method to load dogtag specific config values

This patch adds a reusable method to load dogtag specific values
specified in the config file. Note that each registry calls this
method but, the values are read only once. The registry initialization
is handled by the underlying 'pkg_resources' library and there was no
particular order.

TODO: This is a temporary patch and the parsing method should be
moved into the ipa-healthcheck-core library

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
bb0739e0 by Dinesh Prasanth M K at 2020-06-30T11:20:15-04:00
Refactor DogtagCertsConfigCheck to accommodate other subsystems

This patch refactors DogtagCertsConfigCheck to accommodate other
subsystems: OCSP, TKS and TPS. This patch also uses the config names
mentioned in the healthcheck config file.

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
400a5a8f by Dinesh Prasanth M K at 2020-06-30T11:20:15-04:00
Healthcheck: Allow healthchecks to load custom named instances

This patch allows the Healthchecks to use the custom instance
names provided via the pki specific healthcheck config file. This
will allow healthcheck to be executed in standalone Dogtag PKI
environments.

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
a8f7eede by Dinesh Prasanth M K at 2020-06-30T11:20:15-04:00
Update PKI-healthcheck documentation

Add documentation related to /etc/pki/healthcheck.conf

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
7fcb8993 by Dinesh Prasanth M K at 2020-06-30T11:20:15-04:00
Healthcheck: Minor improvements to config and expiration check

This patch:

* Uses expiration day value specified in config to report warnings
  during the System Certificate Expiration Check

* Prior to this commit, if a custom instance name is specified for a
  subsystem, ALL subsystem's instance names needed to be specified. This
  patch removes that restriction.

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
d6c91ee4 by Christian Heimes at 2020-06-30T12:05:57-04:00
pki password fix for FIPS

NSS DB in FIPS mode seems to require a password in all cases. When pki
attemps to open NSS DB without password in FIPS mode, it blocks with a
prompt to enter a password. This breaks installation in FIPS mode:

    Enter password for NSS FIPS 140-2 User Private Key

Signed-off-by: Christian Heimes <cheimes at redhat.com>

- - - - -
573f574e by Alexander Scheel at 2020-06-30T17:59:38-04:00
Add separate bootstrap CSS file

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
01d46248 by Alexander Scheel at 2020-06-30T17:59:38-04:00
Link in new Bootstrap CSS file

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
021b273c by Endi S. Dewata at 2020-06-30T18:19:22-05:00
Removed tech preview notifications

- - - - -
5e5dba62 by Timo Aaltonen at 2020-07-01T07:05:51+03:00
Merge branch 'upstream-next' into master-next

- - - - -
eb87e0cc by Timo Aaltonen at 2020-07-01T07:06:28+03:00
bump the version

- - - - -
627425ac by Timo Aaltonen at 2020-07-01T07:07:09+03:00
fix-javadoc-build.diff: Dropped, upstream.

- - - - -
44a6c53c by Endi S. Dewata at 2020-06-30T23:16:50-05:00
Renamed TPS profile service

The ProfileService for TPS has been renamed into
TPSProfileService for clarity.

- - - - -
f9db0af1 by Endi S. Dewata at 2020-06-30T23:17:17-05:00
Cleaned up log messages in TPSProfileService

- - - - -
f306fa8a by Endi S. Dewata at 2020-06-30T23:17:17-05:00
Added ProfileData.profileID

The ProfileData.profileID has been added to store the ID
before the profile is added into the database.

- - - - -
a4336bad by Endi S. Dewata at 2020-06-30T23:17:17-05:00
Added ErrorDialog.htmlContent

The ErrorDialog has been modified to provide an option to
display HTML content.

- - - - -
8884b434 by Alexander Scheel at 2020-07-01T11:30:30-04:00
Replace CMSTemplate custom sanitization with lang2

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
f770c4e5 by Endi S. Dewata at 2020-07-01T10:42:04-05:00
Refactored EntryPage.save()

The EntryPage.save() has been renamed to saveEntry() for clarity.

- - - - -
8734909b by Endi S. Dewata at 2020-07-01T10:42:04-05:00
Updated ErrorDialog.close()

The ErrorDialog.close() has been modified to trigger an event.

- - - - -
02e3f1e5 by Endi S. Dewata at 2020-07-01T11:25:00-05:00
Cleaned up log messages in TokenService

- - - - -
1dbb07f8 by Endi S. Dewata at 2020-07-01T15:47:32-05:00
Added input validation for TPS

The TPSProfileService has been modified to validate the
profile ID and profile property names received via REST API.

The TPS UI has been modified to validate profile ID and
profile property names before they are sent to the server.

The TableItem.renderColumn() has been modified to escape
the value already stored in the database before displaying
it in the UI.

https://bugzilla.redhat.com/show_bug.cgi?id=1791099
https://bugzilla.redhat.com/show_bug.cgi?id=1793076
https://bugzilla.redhat.com/show_bug.cgi?id=1725129

- - - - -
da7d9cc3 by Endi S. Dewata at 2020-07-02T11:16:09-05:00
Updated version number to 10.9.0-0.5.unstable (beta 3)

- - - - -
c1098bb1 by Endi S. Dewata at 2020-07-02T16:23:51-05:00
Updated build.sh to generate UTC timestamp

The build.sh has been modified to generate UTC timestamp such
that it is consistent across different time zones.

- - - - -
fd3e3dea by Endi S. Dewata at 2020-07-02T17:05:00-05:00
Cleaned up log messages in CertRequestService

- - - - -
9de45c28 by Endi S. Dewata at 2020-07-02T17:11:14-05:00
Cleaned up log messages in PKIRealm

- - - - -
44c34cc1 by Endi S. Dewata at 2020-07-02T17:11:14-05:00
Added UserClient constructor

- - - - -
62e86aa2 by Endi S. Dewata at 2020-07-02T17:11:14-05:00
Added GroupClient constructor

- - - - -
bd46b1a5 by Endi S. Dewata at 2020-07-02T17:11:14-05:00
Added setter/getter for CertEnrollmentRequest.serverSideKeygenP12Passwd

- - - - -
14ece271 by Endi S. Dewata at 2020-07-02T18:47:27-05:00
Deprecated PKIInstance.server_cert_nick_conf()

The PKIInstance.get_sslserver_cert_nickname() has been modified
to get the SSL server cert nickname from the server.xml. The
PKIInstance.server_cert_nick_conf() is no longer used so it has
been deprecated.

- - - - -
68e7c3b5 by Endi S. Dewata at 2020-07-02T21:28:13-05:00
Cleaned up basic PKI server install doc

The doc for installing basic PKI server has been
modified to use the default instance name.

- - - - -
59f58e7e by Endi S. Dewata at 2020-07-02T21:28:13-05:00
Updated basic PKI server install doc with NSS database

The doc for installing basic PKI server with NSS database
has been modified to use pki nss commands.

- - - - -
5d97b91a by Endi S. Dewata at 2020-07-06T22:52:48-05:00
Reorganized basic PKI server install doc

- - - - -
f3780794 by Endi S. Dewata at 2020-07-08T09:30:50-05:00
Fixed NSSExtensionGenerator.createAIAExtension()

The NSSExtensionGenerator.createAIAExtension() has been modified
to call AuthInfoAccessExtension.encode() in order to populate its
extensionValue field. Otherwise, the null extensionValue will
cause an NPE in CertificateExtensions.parseExtension().

- - - - -
3493f58d by Endi S. Dewata at 2020-07-08T09:30:50-05:00
Added PostgreSQL.setup()

The PostgreSQL.setup() has been added to automatically create
the tables when the server initially connects to the database.
This eliminates the requirement to create the tables manually.
The docs have been updated accordingly.

- - - - -
fa9d5a4c by Christina Fu at 2020-07-08T17:09:41-07:00
Bug1629025-handle large keys-ServerSideKeygen

This patch addresses the issue that for ServerSideKeygen enrollments,
if the RSA keys are larger (3072 or 4096), the enrollment would fail.
It may very well have to do with Apache's limit on HTTP header.
While there might exist a better way to resolve this, I'm opting
to remove a duplicated "issued cert" entry in the request itself which
effectively resolves the issue.

https://bugzilla.redhat.com/show_bug.cgi?id=1629025

- - - - -
0067bada by Endi S. Dewata at 2020-07-08T21:36:44-05:00
Added JUL logging options for PKI console

The PKI console has been modified to provide CLI options
to set the log level for java.util.logging.

- - - - -
d6a511b2 by Endi S. Dewata at 2020-07-08T21:36:44-05:00
Added ACMEEngine.start()/stop()

The code that starts and stops the ACME engine in
ACMEEngine.contextInitialized() and contextDestroyed() has
been moved into start() and stop().

- - - - -
0215655f by Endi S. Dewata at 2020-07-08T21:36:44-05:00
Refactored ACMEEngineConfigSource (part 1)

The setEnabled and setWildcard fields in ACMEEngineConfigSource
have been renamed into enabledConsumer and wildcardConsumer for
clarity. Setters/getters have also been added for these fields.

- - - - -
c369ffa1 by Endi S. Dewata at 2020-07-08T21:36:44-05:00
Refactored ACMEEngineConfigSource (part 2)

The ACMEEngineConfigSource.init() has been modified such that
the caller is responsible to initialize the consumers.

- - - - -
1223d8b9 by Endi S. Dewata at 2020-07-08T21:36:44-05:00
Refactored PostgreSQLDatabase.deleteAccountContacts()

The PostgreSQLDatabase.deleteAccountContacts() has been converted
into removeAccountContacts() which takes an account ID.

- - - - -
5b56a967 by Endi S. Dewata at 2020-07-08T21:36:44-05:00
Refactored PostgreSQLDatabase.deleteAuthorizationChallenges()

The PostgreSQLDatabase.deleteAuthorizationChallenges() has been
converted into removeAuthorizationChallenges() which takes an
authorization ID.

- - - - -
7b9b3c6c by Alexander Scheel at 2020-07-09T10:49:00-04:00
Measure individual test execution time

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
3702d4a1 by Endi S. Dewata at 2020-07-09T15:52:34-05:00
Added ACMEScheduler

The ACMEScheduler has been added to schedule tasks to run
periodically in the background.

- - - - -
8cb34a77 by Endi S. Dewata at 2020-07-09T15:52:34-05:00
Added ACMEMaintenanceTask

The ACMEMaintenanceTask has been added to clean up ACME
database. Initially it is used to clean up expired nonces
every 5 minutes.

- - - - -
337cff96 by Dinesh Prasanth M K at 2020-07-09T17:51:37-04:00
Copy missing profiles between 10.5 and current version (10.9)

This patch copies all missing profiles introduced from 10.6+
and configures the CS.cfg in existing deployments. This ensures
that the old deployments (<=10.5) can use the latest profiles

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
ec859b40 by Dinesh Prasanth M K at 2020-07-09T17:51:37-04:00
Remove duplicate entries from CS.cfg

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
21a8f05f by Deepak Punia at 2020-07-10T09:03:57-05:00
Adding downstream tier0-sanity job to upstream

installation-acme
role-user-creation-topo-02
topo-01-role-user-creation

Signed-off-by: Deepak Punia <dpunia at redhat.com>

- - - - -
1df72734 by Endi S. Dewata at 2020-07-10T09:11:41-05:00
Refactored PostgreSQLDatabase.getExpiredNonces()

The PostgreSQLDatabase.getExpiredNonces() has been modified
to only return the nonce values.

- - - - -
eca5c926 by Endi S. Dewata at 2020-07-10T09:11:41-05:00
Refactored ACMEChallengeProcessor.processChallenge()

The code that finalizes valid and invalid authorizations in
ACMEChallengeProcessor.processChallenge() has been moved into
finalizeValidAuthorization() and finalizeInvalidAuthorization().

- - - - -
020a3b30 by Endi S. Dewata at 2020-07-10T09:11:41-05:00
Added log messages in LDAPDatabase

- - - - -
d0d803c8 by Endi S. Dewata at 2020-07-10T09:11:41-05:00
Updated version number to 10.9.0-0.6.unstable (beta 4)

- - - - -
4ae9c7b1 by Endi S. Dewata at 2020-07-10T09:42:48-05:00
Fixed PostgreSQL orders.expires constraints

The PostgreSQL orders.expires column has been modified
to become optional.

- - - - -
69e9d81b by Endi S. Dewata at 2020-07-10T09:42:53-05:00
Fixed PostgreSQL authorizations.expires constraints

The PostgreSQL authorizations.expires column has been
modified to become optional.

- - - - -
fed60474 by Christina Fu at 2020-07-10T15:02:54-07:00
Bug 1805541-refactor:[RFE] CA Certificate Transparency with Embedded Signed Certificate Time stamp

This patch reafactors the Certificate Transparency code.
 More refinement to come, but for this patche:
  - the majority of the CT v1 code originally in CAService.java now goes
    into CTEngine.java;
  - some utility methods go into CertUtils.java
  - new CT enablement logic is introduced to replace the original one:

The logic of whether SCT extension is to be added to the issued
cert or not now goes like this:

IN CS.cfg
     *  CT mode is controlled by ca.certTransparency.mode
     *  There are three CT modes:
     *      disabled: issued certs will not carry SCT extension
     *      enabled: issued certs will carry SCT extension
     *      perProfile: certs enrolled through those profiles
     *          that contain the following policyset
     *          will carry SCT extension
     *             SignedCertificateTimestampListExtDefaultImpl
     * default is true
     * if unknow mode then error will be thrown.

https://bugzilla.redhat.com/show_bug.cgi?id=1805541

- - - - -
7e5db5d6 by Timo Aaltonen at 2020-07-28T17:56:02+03:00
Merge branch 'upstream-next' into master-next

- - - - -
17eeac2b by Timo Aaltonen at 2020-07-28T17:57:29+03:00
bump the version

- - - - -
d67babb5 by Timo Aaltonen at 2020-07-28T20:48:09+03:00
server.install: Updated.

- - - - -
6ad317cc by Timo Aaltonen at 2020-07-28T22:03:08+03:00
fix-upgrade-script.diff: Fix hardcoding /etc/sysconfig on an upgrade script.

- - - - -
1adc8225 by Timo Aaltonen at 2020-07-30T21:28:18+03:00
WIP add xml-apis

- - - - -


30 changed files:

- base/acme/CMakeLists.txt
- + base/acme/Dockerfile
- + base/acme/conf/scheduler.conf
- base/acme/conf/database/in-memory/database.conf → base/acme/database/in-memory/database.conf
- base/acme/conf/database/ldap/create.ldif → base/acme/database/ldap/create.ldif
- base/acme/conf/database/ldap/database.conf → base/acme/database/ldap/database.conf
- base/acme/conf/database/ldap/schema.ldif → base/acme/database/ldap/schema.ldif
- base/acme/conf/database/postgresql/create.sql → base/acme/database/postgresql/create.sql
- base/acme/conf/database/postgresql/database.conf → base/acme/database/postgresql/database.conf
- base/acme/conf/database/postgresql/drop.sql → base/acme/database/postgresql/drop.sql
- base/acme/conf/database/postgresql/statements.conf → base/acme/database/postgresql/statements.conf
- + base/acme/issuer/nss/ca_signing.conf
- + base/acme/issuer/nss/issuer.conf
- + base/acme/issuer/nss/sslserver.conf
- base/acme/conf/issuer/pki/issuer.conf → base/acme/issuer/pki/issuer.conf
- + base/acme/openshift/pki-acme-certs.yaml
- + base/acme/openshift/pki-acme-database.yaml
- + base/acme/openshift/pki-acme-deployment.yaml
- + base/acme/openshift/pki-acme-is.yaml
- + base/acme/openshift/pki-acme-issuer.yaml
- + base/acme/openshift/pki-acme-metadata.yaml
- + base/acme/openshift/pki-acme-route.yaml
- + base/acme/openshift/pki-acme-svc.yaml
- + base/acme/sbin/pki-acme-run
- base/acme/src/main/java/org/dogtagpki/acme/database/ACMEDatabase.java
- base/acme/src/main/java/org/dogtagpki/acme/database/InMemoryDatabase.java
- base/acme/src/main/java/org/dogtagpki/acme/database/LDAPDatabase.java
- base/acme/src/main/java/org/dogtagpki/acme/database/PostgreSQLDatabase.java
- + base/acme/src/main/java/org/dogtagpki/acme/issuer/NSSIssuer.java
- base/acme/src/main/java/org/dogtagpki/acme/issuer/PKIIssuer.java


The diff was not included because it is too large.


View it on GitLab: https://salsa.debian.org/freeipa-team/dogtag-pki/-/compare/ac78c2b0d6650a6e5a8047fe7c84a0fb02292dba...1adc82257e6015af3ace7de8faa868db8ccc6310

-- 
View it on GitLab: https://salsa.debian.org/freeipa-team/dogtag-pki/-/compare/ac78c2b0d6650a6e5a8047fe7c84a0fb02292dba...1adc82257e6015af3ace7de8faa868db8ccc6310
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-freeipa-devel/attachments/20200806/b3ef36ab/attachment-0001.html>


More information about the Pkg-freeipa-devel mailing list