[Pkg-freeipa-devel] [Git][freeipa-team/dogtag-pki][upstream-next] 239 commits: Add new healthcheck - CA System cert expiry

Timo Aaltonen gitlab at salsa.debian.org
Thu Aug 13 11:38:42 BST 2020



Timo Aaltonen pushed to branch upstream-next at FreeIPA packaging / dogtag-pki


Commits:
9beafcf5 by Dinesh Prasanth M K at 2020-06-11T14:45:50-04:00
Add new healthcheck - CA System cert expiry

This patch adds a new healthcheck to test whether CA's
system certs have expired. It throws a WARNING if the
certificates are about to expire.

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
a2fd414b by Dinesh Prasanth M K at 2020-06-11T14:45:50-04:00
Add new healthcheck - KRA System cert expiry

This patch adds a new healthcheck to test whether KRA's
system certs have expired. It throws a WARNING if the
certificates are about to expire.

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
964a701f by Dinesh Prasanth M K at 2020-06-11T14:45:50-04:00
Move the cert expiry calculation logic to generic method

This patch creates a reusable method that returns the pre-filled Result
object, that carries the Cert expiration status. The method can process
only 1 cert at a time.

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
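The three healthcheck commits above describe one reusable expiry check applied to each system certificate: a WARNING when a cert is about to expire within a configured number of days, and a hard failure once it has lapsed. The block below is an added illustration of that classification, not code from the dogtag-pki repository: the Result class, the field names and the 30-day default window are this example's own assumptions, and the expiry dates are constructed sample data rather than certificates read from an NSS database.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Result modelled loosely on a healthcheck plugin report. The class and field
# names are this example's own, not the pki-healthcheck API.
@dataclass
class Result:
    status: str     # "SUCCESS", "WARNING" or "CRITICAL"
    nickname: str
    msg: str

def check_cert_expiry(nickname, not_after, warn_days=30, now=None):
    """Classify one certificate against a configurable warning window.

    warn_days stands in for the expiry threshold a healthcheck config would
    carry; the default of 30 is this example's assumption.
    """
    now = now or datetime.now(timezone.utc)
    if not_after.tzinfo is None:
        # X.509 notAfter is always UTC; treat naive timestamps as such rather
        # than letting Python refuse to compare them against an aware 'now'.
        not_after = not_after.replace(tzinfo=timezone.utc)
    remaining = not_after - now
    if remaining <= timedelta(0):
        return Result("CRITICAL", nickname, f"expired on {not_after.isoformat()}")
    if remaining <= timedelta(days=warn_days):
        return Result("WARNING", nickname, f"expires in {remaining.days} days")
    return Result("SUCCESS", nickname, f"valid until {not_after.isoformat()}")

def check_system_certs(certs, warn_days=30, now=None):
    """Run the single-cert check over a {nickname: not_after} mapping, one Result each."""
    return [check_cert_expiry(n, exp, warn_days, now) for n, exp in certs.items()]

def sample_report(warn_days=30):
    """Constructed data: a fixed 'now' and four synthetic expiry dates."""
    now = datetime(2020, 8, 13, tzinfo=timezone.utc)
    certs = {
        "ca_signing": now + timedelta(days=400),
        "ca_audit_signing": now + timedelta(days=10),
        "sslserver": now - timedelta(days=1),
        "subsystem": datetime(2020, 8, 20),  # naive timestamp, 7 days out
    }
    return {r.nickname: r.status for r in check_system_certs(certs, warn_days, now)}

if __name__ == "__main__":
    for nick, status in sample_report().items():
        print(f"{status:8} {nick}")
```

Lowering the window (for example warn_days=5) moves the 7- and 10-day certificates back to SUCCESS while the expired sslserver cert stays CRITICAL, which is the distinction a monitoring consumer needs: "about to expire" is tunable, "already expired" is not.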
4b81e951 by Endi S. Dewata at 2020-06-11T14:52:50-05:00
Added CertUtil.toPEM() for PKCS10

The code that converts a PKCS10 object into a PEM string has
been moved into CertUtil.toPEM().

- - - - -
a8a6416b by Endi S. Dewata at 2020-06-11T14:52:50-05:00
Removed deprecated methods in ClientConfig

- - - - -
43197691 by Endi S. Dewata at 2020-06-11T14:52:50-05:00
Refactored MainCLI.getNSSDatabase()

The MainCLI.getNSSDatabase() has been modified to return
an NSSDatabase object.

- - - - -
313b57b1 by Endi S. Dewata at 2020-06-11T14:52:50-05:00
Refactored ClientCertImportCLI.importCACert() (part 1)

The code that imports a CA cert with a nickname has been moved
out of ClientCertImportCLI.importCACert().

- - - - -
3933b160 by Endi S. Dewata at 2020-06-11T14:52:50-05:00
Refactored ClientCertImportCLI.importCACert() (part 2)

The ClientCertImportCLI.importCACert() has been converted
into NSSDatabase.addCertificate().

- - - - -
3de6843e by Endi S. Dewata at 2020-06-11T14:52:50-05:00
Refactored ClientCertImportCLI.importCert()

The ClientCertImportCLI.importCert() has been converted into
NSSDatabase.addCertificate().

- - - - -
c701cf62 by Endi S. Dewata at 2020-06-11T14:52:50-05:00
Cleaned up ACME doc

- - - - -
ab386a98 by Dinesh Prasanth M K at 2020-06-11T16:06:21-04:00
Add new healthcheck - OCSP System Cert Expiry

This patch adds a new healthcheck to test the expiration
of OCSP system certs

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
80054053 by Dinesh Prasanth M K at 2020-06-11T16:06:21-04:00
Add new healthcheck - TKS System Cert Expiry

This patch adds a new healthcheck to test the expiration
of TKS system certs

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
235cfe1a by Dinesh Prasanth M K at 2020-06-11T16:06:21-04:00
Add new healthcheck - TPS System cert expiration

This patch adds a new healthcheck to check the expiration
of system certs in TPS

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
d206ef17 by Endi S. Dewata at 2020-06-11T18:49:53-05:00
Fixed NSSDatabase.create()

The NSSDatabase.create() has been modified to create the
NSS database with the internal token password.

- - - - -
2dea4a76 by Endi S. Dewata at 2020-06-11T18:50:40-05:00
Added NSSDatabase.addPEMCertificate()

The NSSDatabase.addPEMCertificate() methods have been added
to import certificate files in PEM format.

- - - - -
a755dc78 by Endi S. Dewata at 2020-06-11T19:03:57-05:00
Added pki nss-cert-import

The pki nss-cert-import has been added to replace
pki client-cert-import --cert and --ca-cert.

- - - - -
95366b70 by Endi S. Dewata at 2020-06-11T19:03:57-05:00
Simplified pki pkcs12-import options

- - - - -
0d59b969 by Endi S. Dewata at 2020-06-11T19:03:58-05:00
Added PostgreSQL database doc

- - - - -
8f75debd by Endi S. Dewata at 2020-06-15T12:45:55-05:00
Simplified pki pkcs7-import options

- - - - -
804d827a by Endi S. Dewata at 2020-06-15T12:45:55-05:00
Simplified pki pkcs12-export options

- - - - -
9f4f293f by Endi S. Dewata at 2020-06-15T12:45:55-05:00
Updated CMSEngine.configureAutoShutdown() (part 1)

A try-catch block in CMSEngine.configureAutoShutdown() has
been removed to expose all exceptions generated by the code.

- - - - -
057ce47d by Endi S. Dewata at 2020-06-15T13:29:13-05:00
Updated CMSEngine.configureAutoShutdown() (part 2)

A try-catch block in CMSEngine.configureAutoShutdown() has been
removed to expose any problem in finding the audit signing cert.

The CMSEngine.init() has also been modified to call the method
only after the audit signing cert has been created.

- - - - -
37927738 by Endi S. Dewata at 2020-06-15T13:29:13-05:00
Updated CMSEngine.configureAutoShutdown() (part 3)

A try-catch block in CMSEngine.configureAutoShutdown() has been
removed to expose any problem in removing existing auto-shutdown
crumb file.

- - - - -
7a31f28f by Endi S. Dewata at 2020-06-15T19:32:25-05:00
Added NSSDatabase.createRequest()

The NSSDatabase.createRequest() has been added to create a
certificate signing request using a local NSS database.

- - - - -
99793a50 by Endi S. Dewata at 2020-06-15T19:32:25-05:00
Added NSSDatabase.createCertificate()

The NSSDatabase.createCertificate() has been added to issue
a certificate using a CA signing certificate stored in a local
NSS database.

- - - - -
0b4ba07c by Endi S. Dewata at 2020-06-15T19:32:25-05:00
Added pki nss-cert-request

The pki nss-cert-request has been added to create a certificate
signing request using a local NSS database.

- - - - -
3d82cdfe by Endi S. Dewata at 2020-06-15T19:32:25-05:00
Added pki nss-cert-issue

The pki nss-cert-issue has been added to issue a certificate
using a CA signing certificate stored in a local NSS database.

- - - - -
21528f49 by Endi S. Dewata at 2020-06-16T14:01:11-05:00
Cleaned up ACMEEngine log messages

- - - - -
85b7b89e by dependabot[bot] at 2020-06-16T20:32:47-05:00
Bump xercesImpl from 2.11.0 to 2.12.0

Bumps xercesImpl from 2.11.0 to 2.12.0.

Signed-off-by: dependabot[bot] <support at github.com>
- - - - -
0011cfbe by Christina Fu at 2020-06-18T15:53:12+10:00
Bug 1805541 improvement over verifySCT - [RFE] CA Certificate Transparency with Embedded Signed Certificate Time stamp

This patch made some more attempts to improve on verifySCT
  (though still not working; lack of the signed blob from sender
   makes it a bit challenging)

It adds the following:
  - Include code to use LinkedHashMap instead of Hashtable (requires jss fix)
  - Added debugging code to be sure that the extensions didn’t get out of order through manipulation
  - Allow for CT log connection issue, but disallow for failed CT verification (though still temporarily disable failure for signature verification)
  - For verifySCT
     - Added missing 3 byte length for tbsCert
     - Added processing for extensions, though most likely not needed for some time

Note: the global on/off is rigid at this point without "per-profile" control;

https://bugzilla.redhat.com/show_bug.cgi?id=1805541

- - - - -
f183aa0d by Fraser Tweedale at 2020-06-18T15:53:12+10:00
CT: decode signature value properly

The CT signature is a TLS-encoded structure with 4 leading bytes.  The
rest of the signature is the signature value, which is a DER-encoded
ECDSA-Sig-Value per https://tools.ietf.org/html/rfc5480.  This is
exactly what JSS needs, so only drop the first 4 bytes.

With this change, SCT signature verification now works.

- - - - -
43466bf0 by Fraser Tweedale at 2020-06-18T15:53:12+10:00
CT: cleanups

- - - - -
85fdca4b by Fraser Tweedale at 2020-06-18T15:53:12+10:00
CT: tidy up "allow failed SCT verification" control

The "allow failed SCT verification" behaviour was a bit buggy.  If
it got a boolean verification result it "correctly" ignored failed
verification, but if an exception was thrown (e.g. due to malformed
log server response) it returned 'false', aborting issuance.

Extract the "allow failed verification" check out of verifySCT to
the call site.  A single boolean now controls the behaviour.  It
should be further extracted to a config knob in a future commit.
For now the default remains to ignore failed verification.

- - - - -
62b8df1b by Fraser Tweedale at 2020-06-18T15:53:12+10:00
CT: createSCTextension: handle SCT extensions properly

To handle possible future extensions, read the extensions from the
log server response(s) and copy them into the SCT extension.

- - - - -
decf1192 by Fraser Tweedale at 2020-06-18T15:53:12+10:00
CT: extract "write fixed-width length field" method

Define 'intToFixedWidthBytes' which encapsulates the logic of
writing a length as a fixed-width big-endian uint.  This avoids
repetition and makes things easier to follow at call sites.

- - - - -
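The CT commits above pin down three encoding details: the SCT signature is a TLS digitally-signed struct whose first 4 bytes are the hash algorithm, the signature algorithm and a 2-byte length, with the remainder being the DER ECDSA-Sig-Value that JSS consumes directly; the TBSCertificate in the signed precert data carries a 3-byte length while CtExtensions carries a 2-byte one; and a fixed-width big-endian length writer keeps those call sites readable. The block below is an added Python illustration of those rules as RFC 6962 and RFC 5246 define them, not Dogtag's Java implementation; the function names and the sample signature bytes are this example's own, and the 8-byte DER blob in the test is a constructed placeholder, not a real signature.

```python
import struct

# TLS SignatureAndHashAlgorithm code points (RFC 5246 section 7.4.1.4.1) as used
# in the digitally-signed struct of an SCT (RFC 6962 section 3.2).
HASH_ALGS = {4: "sha256"}
SIG_ALGS = {1: "rsa", 3: "ecdsa"}

def int_to_fixed_width_bytes(value, width):
    """Write a non-negative integer as a fixed-width big-endian unsigned field."""
    if value < 0 or value >= 1 << (8 * width):
        raise ValueError(f"{value} does not fit in {width} byte(s)")
    return value.to_bytes(width, "big")

def tls_opaque(data, length_width):
    """TLS variable-length vector: fixed-width length prefix, then the bytes."""
    return int_to_fixed_width_bytes(len(data), length_width) + data

def parse_digitally_signed(blob):
    """Split an SCT digitally-signed struct into (hash_alg, sig_alg, signature).

    Layout: hash(1) | signature(1) | length(2) | signature value. Only the
    4-byte header is stripped; for ecdsa the value is already a DER
    ECDSA-Sig-Value (RFC 5480) and must be handed to the verifier as-is.
    """
    if len(blob) < 4:
        raise ValueError("digitally-signed struct shorter than its 4-byte header")
    hash_id, sig_id, sig_len = struct.unpack("!BBH", blob[:4])
    sig = blob[4:4 + sig_len]
    if len(sig) != sig_len:
        raise ValueError(f"signature truncated: declared {sig_len}, got {len(sig)}")
    if len(blob) != 4 + sig_len:
        raise ValueError("trailing bytes after signature value")
    if sig_id == 3 and not sig.startswith(b"\x30"):
        raise ValueError("ecdsa signature value is not a DER SEQUENCE")
    hash_alg = HASH_ALGS.get(hash_id, f"unknown({hash_id})")
    sig_alg = SIG_ALGS.get(sig_id, f"unknown({sig_id})")
    return hash_alg, sig_alg, sig

def precert_signed_data(timestamp_ms, issuer_key_hash, tbs_cert, extensions=b""):
    """Bytes a log signs for a v1 precert SCT (RFC 6962 section 3.2).

    Two different length widths apply: TBSCertificate<1..2^24-1> takes a
    3-byte length, CtExtensions<0..2^16-1> a 2-byte one.
    """
    if len(issuer_key_hash) != 32:
        raise ValueError("issuer_key_hash must be the 32-byte SHA-256 of the issuer SPKI")
    if not tbs_cert:
        raise ValueError("TBSCertificate may not be empty")
    return (
        b"\x00"                                    # sct_version = v1
        + b"\x00"                                  # signature_type = certificate_timestamp
        + int_to_fixed_width_bytes(timestamp_ms, 8)
        + b"\x00\x01"                              # entry_type = precert_entry (uint16)
        + issuer_key_hash
        + tls_opaque(tbs_cert, 3)
        + tls_opaque(extensions, 2)
    )
```

Dropping more than the 4 header bytes, or treating the length as part of the signature, produces a blob the DER parser rejects, which is the failure mode the "decode signature value properly" commit describes.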
e39d5978 by Christian Heimes at 2020-06-18T11:33:12-04:00
Enable TLS 1.3 post handshake auth

TLS 1.3 no longer supports renegotiations. Clients must announce support for
post handshake authentication to support conditional authentication with
client certs.

The fix is required to make Dogtag work with FreeIPA and TLS 1.3 enabled
Apache HTTPd proxy.

n.b.: rebased by Alexander Scheel, enabled PHA

Change-Id: I07da8779e233f6e77526df30e29da575676ac0e9
Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
50c23ec1 by Alexander Scheel at 2020-06-18T11:33:12-04:00
Enable certificate verification in PKIConnection

To PKIConnection's initialization handler, we introduce a new argument,
cert_paths, which takes a string or iterable; each unit of which is
treated as a capath or cafile depending on whether or not it is a
directory. See ssl.SSLContext.load_verify_locations for more
information. This enables both PKI and IPA to specify independent CA
file locations at the same time and have fallback if this does not work.

Because some users might've already loaded the CA certificate into the
system-wide CA certificate store (if they're running Dogtag in
production), we also include the global trust store.

Resolves: rh-bz#1426572

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
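The PKIConnection commit above describes the verification policy in enough detail to show it in code: cert_paths is a string or an iterable, each entry is loaded as a capath if it is a directory and as a cafile otherwise, and the system trust store is added as well. The block below is an added example of that policy built on Python's ssl module, not the pki.client code itself; classify_cert_paths, build_verify_context and pki_connection are this example's names, and the verify=False branch mirrors the later "status check" commit's reasoning about when unverified connections are tolerable.

```python
import os
import ssl
from http.client import HTTPSConnection

def classify_cert_paths(cert_paths):
    """Normalise cert_paths (None, a str, or an iterable of str) into
    [("capath"|"cafile", path), ...], choosing by whether the entry is a directory."""
    if cert_paths is None:
        return []
    if isinstance(cert_paths, str):
        cert_paths = [cert_paths]
    locations = []
    for path in cert_paths:
        if os.path.isdir(path):
            locations.append(("capath", path))
        elif os.path.isfile(path):
            locations.append(("cafile", path))
        else:
            # fail loudly: a missing CA file silently falling back to the
            # system store would verify against the wrong trust anchors
            raise FileNotFoundError(f"CA location does not exist: {path}")
    return locations

def build_verify_context(cert_paths, include_system_store=True):
    """SSLContext that requires a valid chain and a matching hostname.

    PROTOCOL_TLS_CLIENT already sets CERT_REQUIRED and check_hostname; the
    explicit CA locations are added first, then the system store, so a CA
    already installed system-wide still verifies.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    for kind, path in classify_cert_paths(cert_paths):
        # a capath must be an OpenSSL hash-named directory (openssl rehash)
        ctx.load_verify_locations(**{kind: path})
    if include_system_store:
        ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
    return ctx

def pki_connection(host, port, cert_paths=None, verify=True):
    """Connection factory mirroring the verify/cert_paths split.

    verify=False is only defensible for a liveness probe whose answer is not
    trusted for anything; credentials must never travel over such a session.
    """
    if verify:
        ctx = build_verify_context(cert_paths)
    else:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False      # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
    return HTTPSConnection(host, port, context=ctx, timeout=10)
```

Passing a PEM file such as /etc/pki/<instance>/alias/ca.crt as a cafile is the common case; the capath form only works once the directory has been hashed with openssl rehash, which is an easy thing to forget when handing over a plain directory of .crt files.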
8705ebeb by Alexander Scheel at 2020-06-18T11:33:12-04:00
Make healthcheck check CA certificate

When running healthcheck, use the CA certificate in PEM form at
/etc/pki/<instance>/alias/ca.crt to verify connections with
PKIConnection. This is because the healthcheck tool is run on the
server, not on a remote client system.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
e5793704 by Alexander Scheel at 2020-06-18T11:33:12-04:00
Make PKI server operations verify CA certificate

We create a path ~/.dogtag/nssdb/ca.crt which contains the PEM-encoded
CA certificate in the NSS DB. When setting up PKI server authentication,
check for this CA file and use it when present. If we're performing
cert-based auth, we're dumping the CA certificate into the .p12 file, so
we can extract just the CA certificate to create it if it is missing.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
de680af2 by Alexander Scheel at 2020-06-18T11:33:12-04:00
Check CA Certificate in Security Domain

When checking a Security Domain connection, we should ensure the CA
certificate is already provisioned to this machine prior to attempting
this call.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
7fba9a16 by Alexander Scheel at 2020-06-18T11:33:12-04:00
Secure PKIConnection during pkispawn, add CA cert

When the CA certificate is missing in PEM form in the NSS DB (but is
present from the pki_ca_cert_path parameter in the spawn configuration),
add it to this instance's alias prior to using PKIConnection.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
614846ec by Alexander Scheel at 2020-06-18T11:33:12-04:00
Export CA certificate from clone PKCS#12 file

When creating a cloned subsystem, export the CA certificate into the
expected location prior to continuing subsystem installation. This
should ensure we provision the CA certificate prior to any calls to
PKIConnection.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
35c52586 by Alexander Scheel at 2020-06-18T11:33:12-04:00
Ignore certificate validation during status checks

When waiting for a subsystem to come up, we initialize a new
PKIConnection. However, we don't necessarily need to validate this
certificate: it is a status check and spoofing the result at worst
causes us to fail somewhere else, later, if the server isn't yet alive
and/or the connection was spoofed. Since this is primarily used in
pkispawn, it should be safe to ignore any certificate validation
failures and set verify=False here.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
c4a3454e by Alexander Scheel at 2020-06-18T11:33:12-04:00
Verify CA certificate when destroying KRA

When destroying a KRA instance, we query a list of all CAs this KRA
instance is registered to. When querying this list, verify the
certificate on the remote peer.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
00fdf77f by Alexander Scheel at 2020-06-18T11:33:12-04:00
Export CA certificate after NSS DB migration

In order to ensure all subsystems continue to function with enforced CA
validity checking, export the CA after NSS DB migration. This should
ensure we always get the latest CA certificate (as the CA would
presumably be restarted after a new CA certificate has been issued).

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
dc5b3e78 by Alexander Scheel at 2020-06-18T11:33:12-04:00
Add documentation on PKI certificate validation

This documents utilizing the pki_cert_chain_path to configure an
existing CA certificate into the NSS DB. We also document proper CLI
setup procedures, including mentioning that the CA certificates must be
imported.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
578f682e by Endi S. Dewata at 2020-06-18T10:35:28-05:00
Added auto-reconnect for PostgreSQL database

The PostgreSQLDatabase.connect() has been added to create
the initial connection, validate the current connection,
and reestablish the connection if it's closed.

- - - - -
b235c0f3 by Dinesh Prasanth M K at 2020-06-18T13:38:04-04:00
Fix XSS in PathLength attribute in CA agent web page

- The input type is set to number when "integer" is encountered
- The server error message is html escaped, before it gets displayed in client browser

Resolves: BZ#1710171

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
6c43dd30 by Endi S. Dewata at 2020-06-18T13:03:09-05:00
Added certificate storage in ACME database

The ACMEDatabase has been modified to provide a certificate
storage for ACME issuers that do not have their own storage.

- - - - -
56b8375e by Dinesh Prasanth M K at 2020-06-18T20:02:18-04:00
Fix reflected XSS attack when hitting getCookie endpoint

This patch sanitizes the Server generated error message, to escape
the HTML tags if any present.

Resolves: BZ#1789907

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
50585c65 by Pritam Singh at 2020-06-19T10:05:10-04:00
Added client-side prevention for XSS in recoveryID endpoint

Signed-off-by: Pritam Singh <prisingh at redhat.com>

- - - - -
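Three of the commits above fix reflected XSS in the same way: a server-generated error message that echoes user input is HTML-escaped before it is written into the page, and for pathLength the form field is additionally typed as a number. The block below is an added Python illustration of that pattern, not the Dogtag JSP or JavaScript that was patched; the handler, regex and markup are this example's own, and the input type=number change is represented by the server-side rule, since the browser-side type is a usability hint an attacker does not have to honour.

```python
import html
import re

# basicConstraints pathLen is a non-negative integer; this regex is the
# server-side rule a browser's <input type="number"> cannot substitute for.
PATH_LENGTH = re.compile(r"^(0|[1-9][0-9]*)$")

def render_error_unsafe(message):
    """Pre-fix pattern: server-generated text spliced into markup verbatim.
    Shown only to make the contrast visible; never ship this."""
    return f"<div class=\"error\">{message}</div>"

def render_error(message):
    """Fixed pattern: escape &, <, >, \" and ' before the text reaches the page."""
    return f"<div class=\"error\">{html.escape(message, quote=True)}</div>"

def validate_path_length(raw):
    """Reject anything that is not a non-negative integer, echoing the value
    back in the error so the operator can see what was submitted."""
    if not PATH_LENGTH.match(raw):
        raise ValueError(f"pathLength must be a non-negative integer, got {raw!r}")
    return int(raw)

def handle_path_length(raw):
    """Request handler: the error text contains attacker-controlled input, so
    it must go through render_error, never render_error_unsafe."""
    try:
        return f"<p>pathLength={validate_path_length(raw)}</p>"
    except ValueError as err:
        return render_error(str(err))
```

The same escaping belongs at every sink where the server reflects request data, which is why the getCookie and recoveryID fixes look identical to the pathLength one.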
835f1dcd by Endi S. Dewata at 2020-06-19T10:16:40-05:00
Simplified pki pkcs12-cert-find options

- - - - -
73da2085 by Endi S. Dewata at 2020-06-19T10:16:40-05:00
Added default ACME validators configuration

The ACMEEngine.loadValidatorsConfig() has been modified to
load the default validators.conf if the configuration file
is not available.

The pki-server acme-create command has been modified to no
longer create validators.conf so the ACME responder will
use the default one.

- - - - -
edff88c9 by Endi S. Dewata at 2020-06-19T10:17:21-05:00
Added non-blocking ACME validation

The ACMEChallengeProcessor has been added to perform the
ACME validation using a separate thread such that it does
not block the main thread.

- - - - -
426d5f73 by Christina Fu at 2020-06-19T12:02:06-07:00
Bug1629025: KRA transportCert nick: Server-Side keygen Enrollment for EE

This patch fixes the issue where CA attempts to get
ca.ca.connector.KRA.transportCertNickname
instead of
ca.connector.KRA.transportCertNickname
from its CS.cfg

https://bugzilla.redhat.com/show_bug.cgi?id=1629025

- - - - -
63a75f81 by Timo Aaltonen at 2020-06-19T15:12:47-04:00
Fix javadoc build on Debian

Tried to build 10.9.0-a1 on Debian, but it fails building javadoc:

[ 98%] Generating Javadoc for pki-javadoc
cd /home/tjaalton/src/pkg-freeipa/dogtag-pki.git/build/core/base/javadoc && /usr/lib/jvm/java-11-openjdk-amd64/bin/javadoc -d /home/tjaalton/src/pkg-freeipa/dogtag-pki.git/build/core/base/javadoc/javadoc/pki-10.9.0 -windowtitle 'pki-javadoc' -doctitle '<h1>PKI Javadoc</h1>' -author -use -version -quiet -Xdoclint:none -sourcepath :/home/tjaalton/src/pkg-freeipa/dogtag-pki.git/base/javadoc:/home/tjaalton/src/pkg-freeipa/dogtag-pki.git/base/util/src:/home/tjaalton/src/pkg-freeipa/dogtag-pki.git/base/common/src:/home/tjaalton/src/pkg-freeipa/dogtag-pki.git/base/java-tools/src:/home/tjaalton/src/pkg-freeipa/dogtag-pki.git/base/server/src -classpath :/usr/share/java/slf4j-api.jar:/usr/share/java/jaxb-api.jar:/usr/share/java/xalan2.jar:/usr/share/java/xercesImpl.jar:/usr/share/java/commons-cli.jar:/usr/share/java/commons-lang.jar:/usr/share/java/commons-codec.jar:/usr/share/java/commons-httpclient.jar:/usr/share/java/commons-io.jar:/usr/share/java/ldapjdk.jar:/usr/share/java/velocity.jar:/usr/share/java/servlet-api-3.1.jar:/usr/share/java/tomcat9-catalina.jar:/usr/share/java/tomcat9-util.jar:/usr/share/java/httpclient.jar:/usr/share/java/httpcore.jar:/usr/share/java/jaxrs-api.jar:/usr/share/java/jackson-annotations.jar:/usr/share/java/jackson-databind.jar:/usr/share/java/jackson-module-jaxb-annotations.jar:/usr/share/java/resteasy-jaxrs.jar:/usr/share/java/resteasy-atom-provider.jar:/usr/share/java/resteasy-client.jar:/usr/share/java/jss4.jar:/home/tjaalton/src/pkg-freeipa/dogtag-pki.git/build/core/dist/symkey.jar:/usr/share/java/tomcatjss.jar:/home/tjaalton/src/pkg-freeipa/dogtag-pki.git/build/core/dist/pki-cmsutil.jar:/home/tjaalton/src/pkg-freeipa/dogtag-pki.git/build/core/dist/pki-certsrv.jar:/home/tjaalton/src/pkg-freeipa/dogtag-pki.git/build/core/dist/pki-tools.jar:/home/tjaalton/src/pkg-freeipa/dogtag-pki.git/build/core/dist/pki-tomcat.jar:/home/tjaalton/src/pkg-freeipa/dogtag-pki.git/build/core/dist/pki-cms.jar -subpackages 
:com.netscape.cmsutil:com.netscape.certsrv:com.netscape.cmstools:org.dogtagpki:com.netscape.cms
javadoc: error - No source files for package com.netscape.cmsutil

I believe base/javadoc/CMakeLists.txt needs to be updated..

it was quite simple

Resolves: https://www.pagure.io/dogtagpki/issue/3176

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
364de389 by Endi S. Dewata at 2020-06-19T14:53:54-05:00
Cleaned up ACME doc

- - - - -
0447bd72 by Endi S. Dewata at 2020-06-19T15:00:44-05:00
Added NSSExtensionGenerator

The NSSExtensionGenerator has been added to create certificate
extension objects from a configuration file. Initially it only
supports BasicConstraintsExtension.

The NSSDatabase has been modified to support creating certificate
request or issuing certificates with extensions.

- - - - -
57e97b2b by Endi S. Dewata at 2020-06-19T15:00:44-05:00
Added support for AuthorityKeyIdentifierExtension

The NSSDatabase and NSSExtensionGenerator have been modified
to support AuthorityKeyIdentifierExtension.

- - - - -
302edc84 by Endi S. Dewata at 2020-06-19T15:00:44-05:00
Added support for SubjectKeyIdentifierExtension

The NSSDatabase and NSSExtensionGenerator have been modified
to support SubjectKeyIdentifierExtension.

- - - - -
6e28f76a by Endi S. Dewata at 2020-06-19T15:00:44-05:00
Added support for AuthInfoAccessExtension

The NSSDatabase and NSSExtensionGenerator have been modified
to support AuthInfoAccessExtension.

- - - - -
3e035de6 by Endi S. Dewata at 2020-06-19T15:00:44-05:00
Added support for KeyUsageExtension

The NSSDatabase and NSSExtensionGenerator have been modified
to support KeyUsageExtension.

- - - - -
bec9b60e by Endi S. Dewata at 2020-06-19T15:00:44-05:00
Added support for ExtendedKeyUsageExtension

The NSSDatabase and NSSExtensionGenerator have been modified
to support ExtendedKeyUsageExtension.

- - - - -
923e1e12 by Endi S. Dewata at 2020-06-19T15:00:44-05:00
Added support for CertificatePoliciesExtension

The NSSDatabase and NSSExtensionGenerator have been modified
to support CertificatePoliciesExtension.

- - - - -
74918419 by Alexander Scheel at 2020-06-19T16:42:44-04:00
Use password during NSS DB creation

In most instances, MainCLI has already parsed options prior to executing
MainCLI.init(). Require the caller to ensure this holds. When a NSS DB
password has been provided, use it to create the NSS DB when one doesn't
yet exist. This matches users' expectations.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1843537

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
3a92a1db by Endi S. Dewata at 2020-06-19T18:09:04-05:00
Added NSSIssuer

The NSSIssuer has been added to provide an embedded
CA for the ACME responder using a local NSS database.

- - - - -
ca428b43 by Alexander Scheel at 2020-06-19T19:36:10-04:00
Set -Dcom.redhat.fips=false in Tomcat config

FIPS mode in OpenJDK shipped on RHEL-like platforms uses SunPKCS11 to
provide cryptographic primitives for SunJSSE (including SSLEngine and
SSLSocket) and other high-level providers. However, because SunPKCS11
uses NSS, we'd have a race between JSS and SunPKCS11. This isn't good,
because when Tomcat loads up, SunPKCS11 will consistently load before
TomcatJSS initialization, starving JSS's chance to become the default
provider. By setting -Dcom.redhat.fips=false unconditionally, we
decrease the JDK's reliance on SunPKCS11, decreasing the chance it'll
load. Indeed, prior to the changes to follow system FIPS mode, we've not
encountered any issues with SunPKCS11 loading ahead of JSS.

This change adds -Dcom.redhat.fips=false to the Tomcat configuration
unless the key is already present.

Because JSS is FIPS conforming, and provides a SSLEngine and SSLSocket
implementation since JSS 4.7.0, this is safe to do. In the future,
java.security can be used to ensure only JSS is loaded, preventing any
non-FIPS operations completely.

Related: https://bugzilla.redhat.com/show_bug.cgi?id=1655466
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1759335
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1780335
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1821851
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1830090

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
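The commit above adds -Dcom.redhat.fips=false to the Tomcat configuration "unless the key is already present". The block below is an added example of that idempotent edit, not the pki-server code that performs it; it assumes the setting lives on a shell-style JAVA_OPTS="..." line (the page does not name the file), and the sample configuration text in the test is constructed.

```python
import re
import shlex

FIPS_KEY = "-Dcom.redhat.fips"

def ensure_fips_flag(java_opts, value="false"):
    """Append -Dcom.redhat.fips=<value> to a JAVA_OPTS string unless the key is
    already present, whatever its value: an explicit operator setting (including
    =true) is never overridden."""
    opts = shlex.split(java_opts)
    if any(opt.startswith(FIPS_KEY + "=") for opt in opts):
        return java_opts
    opts.append(f"{FIPS_KEY}={value}")
    return " ".join(opts)

# Assumed file shape: one JAVA_OPTS="..." line as in a Tomcat instance's
# tomcat.conf. The exact file Dogtag edits is not shown on this page.
JAVA_OPTS_LINE = re.compile(r'^(JAVA_OPTS=)"(.*)"[ \t]*$', re.MULTILINE)

def update_tomcat_conf(text):
    """Return the config text with the FIPS flag ensured on the JAVA_OPTS line,
    appending a fresh line when the file has none. Running it twice is a no-op."""
    def repl(match):
        return f'{match.group(1)}"{ensure_fips_flag(match.group(2))}"'
    new_text, count = JAVA_OPTS_LINE.subn(repl, text, count=1)
    if count == 0:
        new_text = text.rstrip("\n") + f'\nJAVA_OPTS="{FIPS_KEY}=false"\n'
    return new_text
```

Checking for the key rather than the exact value is what keeps the edit from fighting an administrator who has deliberately set the property; the commit text says the key is left alone when present, and that is the behaviour worth preserving.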
43a2738c by Endi S. Dewata at 2020-06-22T10:49:21-05:00
Added PKIServer.nssdb_link

The code in PKIInstance that creates and removes the link
to the NSS database has been moved into PKIServer.

- - - - -
41e1590b by Endi S. Dewata at 2020-06-22T10:49:21-05:00
Reorganized ACME database files

The ACME database files have been moved into acme/database
to simplify the paths.

- - - - -
b20f0803 by Endi S. Dewata at 2020-06-22T10:49:21-05:00
Reorganized ACME issuer files

The ACME issuer files have been moved into acme/issuer
to simplify the paths.

- - - - -
b04097fc by Endi S. Dewata at 2020-06-22T10:49:21-05:00
Simplified pki pkcs12-cert-mod options

- - - - -
abc01031 by Endi S. Dewata at 2020-06-22T11:38:38-05:00
Updated version number to 10.9.0-0.3 (beta 1)

- - - - -
412b3150 by Endi S. Dewata at 2020-06-22T15:12:37-05:00
Renamed issuer parameter in NSSIssuer

The issuer parameter in NSSIssuer has been renamed to
nickname for clarity.

- - - - -
606aa7b9 by Endi S. Dewata at 2020-06-22T15:13:12-05:00
Added default value for NSSIssuer nickname

- - - - -
4f3db1ae by Endi S. Dewata at 2020-06-22T15:13:13-05:00
Added default value for NSSIssuer extensions

- - - - -
4f47a2f6 by Dinesh Prasanth M K at 2020-06-23T18:00:23-04:00
Require python3-setuptools explicitly

python3-setuptools is required to set up the PKI healthcheck tool. There
was a request submitted by setuptools developers to specify BR directly
rather than using a transitive dependency (i.e. python3-devel pulls in
python3-setuptools currently)

Ref: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/GCPGM34ZGEOVUHSBGZTRYR5XKHTIJ3T7/

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
1b4558bf by Alexander Scheel at 2020-06-24T11:53:59-04:00
Fix extraction of CA certificate

openssl pkcs12 gets annoyed when the CA certificate already exists.
Remove it before exporting on each migration.

This manifests itself as a failure during pki-tomcatd startup:

    Jun 24 06:05:59 host-10-0-137-221.ipa.example pki-server[21402]: ---------------
    Jun 24 06:05:59 host-10-0-137-221.ipa.example pki-server[21402]: Export complete
    Jun 24 06:05:59 host-10-0-137-221.ipa.example pki-server[21402]: ---------------
    Jun 24 06:05:59 host-10-0-137-221.ipa.example pki-server[21375]: ERROR: Command: openssl pkcs12 -in /tmp/tmpfn_vr9yx/sslserver.p12 -out /etc/pki/pki-tomcat/alias/ca.crt -nodes -nokeys -passin pass::6|xZFEk8Dog

See also: https://github.com/freeipa/freeipa/pull/4820#issuecomment-648729659
Related: rh-bz#1426572

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
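The failing command quoted in the commit above shows two things a practitioner would want to handle: the export must remove a stale output file first, and the PKCS#12 password is visible on the openssl command line (-passin pass:...), where any local user can read it from the process list. The block below is an added example of the export step with those two points addressed, not the pki-server code itself; the function names and the P12PASS environment variable are this example's choices, the run parameter exists only so the call can be exercised without openssl installed, and -passin env: and -nokeys are standard openssl pkcs12 options.

```python
import os
import subprocess

def openssl_export_ca_argv(p12_path, out_path, pass_env="P12PASS"):
    """argv for 'openssl pkcs12' writing certificates only, no private keys.

    The password is referenced through env:, so it does not appear in argv or
    in the process list; the logged failure above used -passin pass:, which does.
    Add "-cacerts" if only the CA certificates, not the end-entity cert, are wanted.
    """
    return [
        "openssl", "pkcs12",
        "-in", p12_path,
        "-out", out_path,
        "-nodes", "-nokeys",
        "-passin", f"env:{pass_env}",
    ]

def export_ca_cert(p12_path, out_path, password, run=subprocess.run):
    """Remove a stale out_path first (the commit above reports that openssl
    pkcs12 fails when it already exists), then run the export with the
    password passed through the environment rather than argv."""
    if os.path.exists(out_path):
        os.remove(out_path)
    argv = openssl_export_ca_argv(p12_path, out_path)
    env = dict(os.environ, P12PASS=password)
    return run(argv, env=env, check=True, capture_output=True)
```

The environment is still readable by the same user and by root, so this removes the password from `ps` output rather than from the host; a file: or fd: source is the next step when the caller already has the password in a pre-created, 0600 file.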
deca1c87 by Dinesh Prasanth M K at 2020-06-24T17:12:26-04:00
Healthcheck: Ignore SSL verification in connectivity check

The connectivity check's motive is to test whether the given
subsystem is up and able to respond. Strict SSL validation is not
required. This patch turns it off for the Connectivity Healthcheck.

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
a21bd28c by Alexander Scheel at 2020-06-25T12:35:23-04:00
Provision CA certificate for Security Domain check

When checking the Security Domain during pkispawn, we enforce
certificate validation. This is because we're also checking the
username/password given to us. This should go over a secured connection,
so simply setting verify=False would be a bad fix. Instead, ask the user
for a pki_cert_chain_path if one isn't given and use that to validate
the security domain's connection when the ca.crt path isn't already
populated.

This manifests itself as the following error:

      File "/usr/lib/python3.6/site-packages/pki/server/pkispawn.py", line 930, in <module>
        main(sys.argv)
      File "/usr/lib/python3.6/site-packages/pki/server/pkispawn.py", line 544, in main
        check_security_domain()
      File "/usr/lib/python3.6/site-packages/pki/server/pkispawn.py", line 716, in check_security_domain
        info = deployer.get_domain_info()
      File "/usr/lib/python3.6/site-packages/pki/server/deployment/__init__.py", line 270, in get_domain_info
        self.domain_info = sd_client.get_domain_info()
      File "/usr/lib/python3.6/site-packages/pki/system.py", line 270, in get_domain_info
        response = self.connection.get(self.domain_info_url, headers=headers)
      File "/usr/lib/python3.6/site-packages/pki/client.py", line 55, in wrapper
        return func(self, *args, **kwargs)
      File "/usr/lib/python3.6/site-packages/pki/client.py", line 259, in get
        timeout=timeout,
      File "/usr/lib/python3.6/site-packages/requests/sessions.py", line 546, in get
        return self.request('GET', url, **kwargs)
      File "/usr/lib/python3.6/site-packages/requests/sessions.py", line 533, in request
        resp = self.send(prep, **send_kwargs)
      File "/usr/lib/python3.6/site-packages/requests/sessions.py", line 646, in send
        r = adapter.send(request, **kwargs)
      File "/usr/lib/python3.6/site-packages/requests/adapters.py", line 514, in send
        raise SSLError(e, request=request)
    requests.exceptions.SSLError: HTTPSConnectionPool(host='pki1.example.com', port=20443): Max retries exceeded with url: /ca/rest/securityDomain/domainInfo (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)'),))

Related: rh-bz#1426572

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
57fdb9bb by Endi S. Dewata at 2020-06-25T14:33:23-05:00
Refactored EnrollDefault.deleteExtension() (part 1)

The EnrollDefault.deleteExtension() has been modified to
throw a generic exception.

- - - - -
16269168 by Endi S. Dewata at 2020-06-25T14:34:16-05:00
Refactored EnrollDefault.deleteExtension() (part 2)

The EnrollDefault.deleteExtension() has been modified to use
a separate loop to avoid ConcurrentModificationException.

- - - - -
b2388e9a by Endi S. Dewata at 2020-06-25T15:00:50-05:00
Refactored CAProcessor.saveAuthToken() (part 1)

The code that checks that the authentication token and the
request are not null in CAProcessor.saveAuthToken() has been
moved to the caller.

- - - - -
134f20ba by Endi S. Dewata at 2020-06-25T15:22:05-05:00
Refactored CAProcessor.saveAuthToken() (part 2)

The variable names and log messages in CAProcessor.saveAuthToken()
have been modified for clarity.

- - - - -
e131adc0 by Endi S. Dewata at 2020-06-25T16:53:35-05:00
Updated version number to 10.9.0-0.4 (beta 2)

- - - - -
3073c64a by Christina Fu at 2020-06-25T19:31:17-07:00
Bug1805541-parseAlgs-[RFE] CA Certificate Transparency with Embedded Signed Certificate Time stamp

This patch parses the CT response for hashing and signing algorithms.
There is plan to fine-tune the CT code later.

https://bugzilla.redhat.com/show_bug.cgi?id=1805541

- - - - -
2a0dae85 by Endi S. Dewata at 2020-06-29T10:55:05-05:00
Removed default user/group in pki-server create

The hard-coded default user/group in pki-server create has
been removed such that it's going to be determined by the
type of instance being created.

- - - - -
6c18b47f by Endi S. Dewata at 2020-06-29T10:55:48-05:00
Cleaned up log messages in PKIIssuer

- - - - -
4ce3a7e4 by Endi S. Dewata at 2020-06-29T10:55:48-05:00
Cleaned up main web.xml

The main web.xml has been modified to map .properties
files to text/plain to avoid syntax errors in Firefox.

https://github.com/jquery-i18n-properties/jquery-i18n-properties

- - - - -
7ab7f731 by Endi S. Dewata at 2020-06-29T10:55:48-05:00
Cleaned up ACME's web.xml

- - - - -
33f4893c by Endi S. Dewata at 2020-06-29T14:20:23-05:00
Added ACME Dockerfile

- - - - -
0682f553 by Endi S. Dewata at 2020-06-29T14:20:23-05:00
Added ACME deployment config for OpenShift

- - - - -
93732b52 by Dinesh Prasanth M K at 2020-06-30T11:20:15-04:00
Healthcheck: Add method to load dogtag specific config values

This patch adds a reusable method to load dogtag specific values
specified in the config file. Note that each registry calls this
method, but the values are read only once. The registry initialization
is handled by the underlying 'pkg_resources' library and there was no
particular order.

TODO: This is a temporary patch and the parsing method should be
moved into the ipa-healthcheck-core library

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
bb0739e0 by Dinesh Prasanth M K at 2020-06-30T11:20:15-04:00
Refactor DogtagCertsConfigCheck to accommodate other subsystems

This patch refactors DogtagCertsConfigCheck to accommodate other
subsystems: OCSP, TKS and TPS. This patch also uses the config names
mentioned in the healthcheck config file.

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
400a5a8f by Dinesh Prasanth M K at 2020-06-30T11:20:15-04:00
Healthcheck: Allow healthchecks to load custom named instances

This patch allows the Healthchecks to use the custom instance
names provided via the pki specific healthcheck config file. This
will allow healthcheck to be executed in standalone Dogtag PKI
environments.

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
a8f7eede by Dinesh Prasanth M K at 2020-06-30T11:20:15-04:00
Update PKI-healthcheck documentation

Add documentation related to /etc/pki/healthcheck.conf

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
7fcb8993 by Dinesh Prasanth M K at 2020-06-30T11:20:15-04:00
Healthcheck: Minor improvements to config and expiration check

This patch:

* Uses expiration day value specified in config to report warnings
  during the System Certificate Expiration Check

* Prior to this commit, if a custom instance name is specified for a
  subsystem, ALL subsystems' instance names needed to be specified. This
  patch removes that restriction.

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
d6c91ee4 by Christian Heimes at 2020-06-30T12:05:57-04:00
pki password fix for FIPS

NSS DB in FIPS mode seems to require a password in all cases. When pki
attempts to open NSS DB without password in FIPS mode, it blocks with a
prompt to enter a password. This breaks installation in FIPS mode:

    Enter password for NSS FIPS 140-2 User Private Key

Signed-off-by: Christian Heimes <cheimes at redhat.com>

- - - - -
573f574e by Alexander Scheel at 2020-06-30T17:59:38-04:00
Add separate bootstrap CSS file

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
01d46248 by Alexander Scheel at 2020-06-30T17:59:38-04:00
Link in new Bootstrap CSS file

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
021b273c by Endi S. Dewata at 2020-06-30T18:19:22-05:00
Removed tech preview notifications

- - - - -
44a6c53c by Endi S. Dewata at 2020-06-30T23:16:50-05:00
Renamed TPS profile service

The ProfileService for TPS has been renamed into
TPSProfileService for clarity.

- - - - -
f9db0af1 by Endi S. Dewata at 2020-06-30T23:17:17-05:00
Cleaned up log messages in TPSProfileService

- - - - -
f306fa8a by Endi S. Dewata at 2020-06-30T23:17:17-05:00
Added ProfileData.profileID

The ProfileData.profileID has been added to store the ID
before the profile is added into the database.

- - - - -
a4336bad by Endi S. Dewata at 2020-06-30T23:17:17-05:00
Added ErrorDialog.htmlContent

The ErrorDialog has been modified to provide an option to
display HTML content.

- - - - -
8884b434 by Alexander Scheel at 2020-07-01T11:30:30-04:00
Replace CMSTemplate custom sanitization with lang2

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
f770c4e5 by Endi S. Dewata at 2020-07-01T10:42:04-05:00
Refactored EntryPage.save()

The EntryPage.save() has been renamed to saveEntry() for clarity.

- - - - -
8734909b by Endi S. Dewata at 2020-07-01T10:42:04-05:00
Updated ErrorDialog.close()

The ErrorDialog.close() has been modified to trigger an event.

- - - - -
02e3f1e5 by Endi S. Dewata at 2020-07-01T11:25:00-05:00
Cleaned up log messages in TokenService

- - - - -
1dbb07f8 by Endi S. Dewata at 2020-07-01T15:47:32-05:00
Added input validation for TPS

The TPSProfileService has been modified to validate the
profile ID and profile property names received via REST API.

The TPS UI has been modified to validate profile ID and
profile property names before they are sent to the server.

The TableItem.renderColumn() has been modified to escape
the value already stored in the database before displaying
it in the UI.

https://bugzilla.redhat.com/show_bug.cgi?id=1791099
https://bugzilla.redhat.com/show_bug.cgi?id=1793076
https://bugzilla.redhat.com/show_bug.cgi?id=1725129

- - - - -
da7d9cc3 by Endi S. Dewata at 2020-07-02T11:16:09-05:00
Updated version number to 10.9.0-0.5.unstable (beta 3)

- - - - -
c1098bb1 by Endi S. Dewata at 2020-07-02T16:23:51-05:00
Updated build.sh to generate UTC timestamp

The build.sh has been modified to generate UTC timestamp such
that it is consistent across different time zones.

- - - - -
fd3e3dea by Endi S. Dewata at 2020-07-02T17:05:00-05:00
Cleaned up log messages in CertRequestService

- - - - -
9de45c28 by Endi S. Dewata at 2020-07-02T17:11:14-05:00
Cleaned up log messages in PKIRealm

- - - - -
44c34cc1 by Endi S. Dewata at 2020-07-02T17:11:14-05:00
Added UserClient constructor

- - - - -
62e86aa2 by Endi S. Dewata at 2020-07-02T17:11:14-05:00
Added GroupClient constructor

- - - - -
bd46b1a5 by Endi S. Dewata at 2020-07-02T17:11:14-05:00
Added setter/getter for CertEnrollmentRequest.serverSideKeygenP12Passwd

- - - - -
14ece271 by Endi S. Dewata at 2020-07-02T18:47:27-05:00
Deprecated PKIInstance.server_cert_nick_conf()

The PKIInstance.get_sslserver_cert_nickname() has been modified
to get the SSL server cert nickname from the server.xml. The
PKIInstance.server_cert_nick_conf() is no longer used so it has
been deprecated.

- - - - -
68e7c3b5 by Endi S. Dewata at 2020-07-02T21:28:13-05:00
Cleaned up basic PKI server install doc

The doc for installing basic PKI server has been
modified to use the default instance name.

- - - - -
59f58e7e by Endi S. Dewata at 2020-07-02T21:28:13-05:00
Updated basic PKI server install doc with NSS database

The doc for installing basic PKI server with NSS database
has been modified to use pki nss commands.

- - - - -
5d97b91a by Endi S. Dewata at 2020-07-06T22:52:48-05:00
Reorganized basic PKI server install doc

- - - - -
f3780794 by Endi S. Dewata at 2020-07-08T09:30:50-05:00
Fixed NSSExtensionGenerator.createAIAExtension()

The NSSExtensionGenerator.createAIAExtension() has been modified
to call AuthInfoAccessExtension.encode() in order to populate its
extensionValue field. Otherwise, the null extensionValue will
cause an NPE in CertificateExtensions.parseExtension().

- - - - -
3493f58d by Endi S. Dewata at 2020-07-08T09:30:50-05:00
Added PostgreSQL.setup()

The PostgreSQL.setup() has been added to automatically create
the tables when the server initially connects to the database.
This eliminates the requirement to create the tables manually.
The docs have been updated accordingly.

- - - - -
fa9d5a4c by Christina Fu at 2020-07-08T17:09:41-07:00
Bug1629025-handle large keys-ServerSideKeygen

This patch addresses the issue that for ServerSideKeygen enrollments,
if the RSA keys are larger (3072 or 4096), the enrollment would fail.
It may very well have to do with Apache's limit on HTTP header.
While there might exist a better way to resolve this, I'm opting
to remove a duplicated "issued cert" entry in the request itself which
effectively resolves the issue.

https://bugzilla.redhat.com/show_bug.cgi?id=1629025

- - - - -
0067bada by Endi S. Dewata at 2020-07-08T21:36:44-05:00
Added JUL logging options for PKI console

The PKI console has been modified to provide CLI options
to set the log level for java.util.logging.

- - - - -
d6a511b2 by Endi S. Dewata at 2020-07-08T21:36:44-05:00
Added ACMEEngine.start()/stop()

The code that starts and stops the ACME engine in
ACMEEngine.contextInitialized() and contextDestroyed() has
been moved into start() and stop().

- - - - -
0215655f by Endi S. Dewata at 2020-07-08T21:36:44-05:00
Refactored ACMEEngineConfigSource (part 1)

The setEnabled and setWildcard fields in ACMEEngineConfigSource
have been renamed into enabledConsumer and wildcardConsumer for
clarity. Setters/getters have also been added for these fields.

- - - - -
c369ffa1 by Endi S. Dewata at 2020-07-08T21:36:44-05:00
Refactored ACMEEngineConfigSource (part 2)

The ACMEEngineConfigSource.init() has been modified such that
the caller is responsible to initialize the consumers.

- - - - -
1223d8b9 by Endi S. Dewata at 2020-07-08T21:36:44-05:00
Refactored PostgreSQLDatabase.deleteAccountContacts()

The PostgreSQLDatabase.deleteAccountContacts() has been converted
into removeAccountContacts() which takes an account ID.

- - - - -
5b56a967 by Endi S. Dewata at 2020-07-08T21:36:44-05:00
Refactored PostgreSQLDatabase.deleteAuthorizationChallenges()

The PostgreSQLDatabase.deleteAuthorizationChallenges() has been
converted into removeAuthorizationChallenges() which takes an
authorization ID.

- - - - -
7b9b3c6c by Alexander Scheel at 2020-07-09T10:49:00-04:00
Measure individual test execution time

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
3702d4a1 by Endi S. Dewata at 2020-07-09T15:52:34-05:00
Added ACMEScheduler

The ACMEScheduler has been added to schedule tasks to run
periodically in the background.

- - - - -
8cb34a77 by Endi S. Dewata at 2020-07-09T15:52:34-05:00
Added ACMEMaintenanceTask

The ACMEMaintenanceTask has been added to clean up ACME
database. Initially it is used to clean up expired nonces
every 5 minutes.

- - - - -
337cff96 by Dinesh Prasanth M K at 2020-07-09T17:51:37-04:00
Copy missing profiles between 10.5 and current version (10.9)

This patch copies all missing profiles introduced from 10.6+
and configures the CS.cfg in existing deployments. This ensures
that the old deployments (<=10.5) can use the latest profiles.

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
ec859b40 by Dinesh Prasanth M K at 2020-07-09T17:51:37-04:00
Remove duplicate entries from CS.cfg

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
21a8f05f by Deepak Punia at 2020-07-10T09:03:57-05:00
Adding downstream tier0-sanity job to upstream

installation-acme
role-user-creation-topo-02
topo-01-role-user-creation

Signed-off-by: Deepak Punia <dpunia at redhat.com>

- - - - -
1df72734 by Endi S. Dewata at 2020-07-10T09:11:41-05:00
Refactored PostgreSQLDatabase.getExpiredNonces()

The PostgreSQLDatabase.getExpiredNonces() has been modified
to only return the nonce values.

- - - - -
eca5c926 by Endi S. Dewata at 2020-07-10T09:11:41-05:00
Refactored ACMEChallengeProcessor.processChallenge()

The code that finalizes valid and invalid authorizations in
ACMEChallengeProcessor.processChallenge() has been moved into
finalizeValidAuthorization() and finalizeInvalidAuthorization().

- - - - -
020a3b30 by Endi S. Dewata at 2020-07-10T09:11:41-05:00
Added log messages in LDAPDatabase

- - - - -
d0d803c8 by Endi S. Dewata at 2020-07-10T09:11:41-05:00
Updated version number to 10.9.0-0.6.unstable (beta 4)

- - - - -
4ae9c7b1 by Endi S. Dewata at 2020-07-10T09:42:48-05:00
Fixed PostgreSQL orders.expires constraints

The PostgreSQL orders.expires column has been modified
to become optional.

- - - - -
69e9d81b by Endi S. Dewata at 2020-07-10T09:42:53-05:00
Fixed PostgreSQL authorizations.expires constraints

The PostgreSQL authorizations.expires column has been
modified to become optional.

- - - - -
fed60474 by Christina Fu at 2020-07-10T15:02:54-07:00
Bug 1805541-refactor:[RFE] CA Certificate Transparency with Embedded Signed Certificate Time stamp

This patch refactors the Certificate Transparency code.
More refinement to come, but for this patch:
  - the majority of the CT v1 code originally in CAService.java now goes
    into CTEngine.java;
  - some utility methods go into CertUtils.java
  - new CT enablement logic is introduced to replace the original one:

The logic of whether SCT extension is to be added to the issued
cert or not now goes like this:

IN CS.cfg
     *  CT mode is controlled by ca.certTransparency.mode
     *  There are three CT modes:
     *      disabled: issued certs will not carry SCT extension
     *      enabled: issued certs will carry SCT extension
     *      perProfile: certs enrolled through those profiles
     *          that contain the following policyset
     *          will carry SCT extension
     *             SignedCertificateTimestampListExtDefaultImpl
     * default is true
     * if unknown mode then an error will be thrown.

https://bugzilla.redhat.com/show_bug.cgi?id=1805541

- - - - -
0fa50bb9 by Dinesh Prasanth M K at 2020-07-13T15:47:32-04:00
CI: Build custom Fedora image that has systemd installed

With latest Fedora container images (starting from fedora:30) it seems
that the systemd script files have been removed. This patch builds a custom
fedora container image with systemd package installed, giving us the right
systemd-enabled environment to run PKI tests.

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
cdbbb079 by Endi S. Dewata at 2020-07-13T18:30:32-05:00
Removed default max/min LDAP connections

- - - - -
43e4cd0f by Endi S. Dewata at 2020-07-13T18:30:32-05:00
Updated pki-server acme-database-show

The pki-server acme-database-show has been modified to support
LDAP database.

- - - - -
5ce46a35 by Endi S. Dewata at 2020-07-13T18:30:32-05:00
Updated pki-server acme-database-mod

The pki-server acme-database-mod has been modified to support
LDAP database.

- - - - -
280c2c37 by Endi S. Dewata at 2020-07-13T18:30:32-05:00
Updated pki-server acme-issuer-show

The pki-server acme-issuer-show has been modified to support
NSS issuer.

- - - - -
6eec2d3a by Endi S. Dewata at 2020-07-13T18:30:32-05:00
Updated pki-server acme-issuer-mod

The pki-server acme-issuer-mod has been modified to support
NSS issuer.

- - - - -
6f94b0d7 by Endi S. Dewata at 2020-07-13T20:30:26-05:00
Reorganized CA install docs

- - - - -
2bd40bdf by Endi S. Dewata at 2020-07-13T20:30:26-05:00
Reorganized KRA install docs

- - - - -
b17883de by Endi S. Dewata at 2020-07-13T20:30:26-05:00
Reorganized OCSP install docs

- - - - -
3b6cbc7d by Endi S. Dewata at 2020-07-13T20:30:26-05:00
Reorganized TKS install docs

- - - - -
3b58dcda by Endi S. Dewata at 2020-07-13T20:30:26-05:00
Reorganized TPS install docs

- - - - -
f946a3e3 by Endi S. Dewata at 2020-07-14T15:16:46-05:00
Fixed podman deployment doc

- - - - -
9170acf2 by Christina Fu at 2020-07-14T16:50:31-07:00
Bug1856368- pki cli kra-key-generate request is failing

This patch fixes the issue with failed kra-key-generate from pki cli.
Investigation revealed that the underlying JSS changes where
base64encodeSingleLine call into
   Base64.getEncoder().encodeToString(bytes);
does not tolerate a null parameter.
Reference: Remove code dependency on Apache Commons Codec
https://github.com/dogtagpki/jss/commit/8de4440c5652f6f1af5b4b923a15730ba84f29e1#diff-b2e907677520a5d671a037de2e60e656L376

In PKI, since the caller for generateAsymmetricKey() in KeyClient.java
deliberately passed in "null" for transWrappedSessionKey, it is
safe to just skip over the following line when transWrappedSessionKey is null:
data.setTransWrappedSessionKey(Utils.base64encode(transWrappedSessionKey, false));

The CRMF issue reported in the same bug is very likely a separate issue
and should be filed in a separate bug.

https://bugzilla.redhat.com/show_bug.cgi?id=1856368

- - - - -
9ffb9925 by Endi S. Dewata at 2020-07-14T19:19:49-05:00
Fixed error handling in PKIRealm

In commit 9de45c2812e9eaddaeef50dd422117cf57820581 the PKIRealm was
modified to wrap all exceptions that happen during authentication
and rethrow them as RuntimeExceptions in order to preserve the stack
trace for troubleshooting.

However, because of that when a client tries to authenticate with a
revoked certificate the server incorrectly reports it as an internal
server error instead of authentication failure.

To fix the problem, the PKIRealm has been modified to
handle authentication failures (e.g. EInvalidCredentials) differently
from other internal server errors (e.g. LDAP exceptions).

For authentication failures PKIRealm will return null as described
in RealmBase documentation:
https://tomcat.apache.org/tomcat-9.0-doc/api/org/apache/catalina/realm/RealmBase.html

For internal server errors it will log the stack trace and wrap
the exception and rethrow it as RuntimeException for troubleshooting.

- - - - -
180d42e9 by Endi S. Dewata at 2020-07-15T10:18:32-05:00
Fixed ACME authorization status

The ACMEChallengeProcessor.processChallenge() has been modified
to set the authorization status to invalid if the client fails
to fulfill the challenge.

- - - - -
db7b73a4 by Endi S. Dewata at 2020-07-15T10:18:32-05:00
Fixed ACME order status

The ACMEChallengeProcessor.processInvalidChallenge() has been
modified to set the order status to invalid if at least one of
the authorizations is invalid.

- - - - -
8feeea95 by Endi S. Dewata at 2020-07-15T10:49:40-05:00
Fixed LDAPDatabase.getAuthorizationByChallenge()

The LDAPDatabase.getAuthorizationByChallenge() has been
modified to return the complete authorization data such
that if the authorization is updated and saved into the
database it will not unintentionally lose data.

- - - - -
71fced30 by Endi S. Dewata at 2020-07-15T10:49:40-05:00
Removing incomplete ACME challenges

The code that finalizes ACME authorizations has been modified
to retain the completed challenge (either valid or invalid) and
remove the incomplete ones.

- - - - -
ce689dfa by Endi S. Dewata at 2020-07-15T11:40:14-05:00
Cleaned up log messages in MessageFormatInterceptor

- - - - -
d23240d0 by Endi S. Dewata at 2020-07-15T11:40:48-05:00
Fixed ACMEAuthorization.expirationTime handling

The code that uses ACMEAuthorization.expirationTime has been
modified to handle a possible null value.

- - - - -
8edae309 by Endi S. Dewata at 2020-07-15T11:40:48-05:00
Fixed ACMEOrder.expirationTime handling

The code that uses ACMEOrder.expirationTime has been modified
to handle a possible null value.

- - - - -
ec9b4485 by Endi S. Dewata at 2020-07-15T19:10:37-05:00
Updated ACME database configuration doc

- - - - -
885ba3f6 by Endi S. Dewata at 2020-07-16T12:30:35-05:00
Fixed ACME authorization expiration time

Previously the expirationTime field in ACMEAuthorization is
always set when the object is created. According to RFC 8555
the value is only required when the authorization is valid,
so the code has been updated accordingly.

- - - - -
2443d08a by Endi S. Dewata at 2020-07-16T12:30:35-05:00
Fixed ACME order expiration time

Previously the expirationTime field in ACMEOrder is always set
when the object is created. According to RFC 8555 the value is
only required when the order is valid or pending, so the code
has been updated accordingly.

- - - - -
91889f16 by Endi S. Dewata at 2020-07-16T12:30:35-05:00
Added ACMEDatabase.removeExpiredAuthorizations()

The ACMEDatabase.removeExpiredAuthorizations() has been added
to remove expired authorization records from ACME database.

- - - - -
eec64fc4 by Endi S. Dewata at 2020-07-16T12:30:35-05:00
Added ACMEDatabase.removeExpiredOrders()

The ACMEDatabase.removeExpiredOrders() has been added to remove
expired order records from ACME database.

- - - - -
b2215b72 by Endi S. Dewata at 2020-07-16T12:30:35-05:00
Updated ACME maintenance task

The ACME maintenance task has been updated to periodically remove
expired authorization and order records from ACME database.

- - - - -
87c0aef6 by Endi S. Dewata at 2020-07-16T17:26:23-05:00
Added silent mode for pki-server acme-database-mod

The pki-server acme-database-mod has been modified to provide
a silent mode for configuring ACME database.

- - - - -
8cee2f93 by Endi S. Dewata at 2020-07-16T17:26:23-05:00
Added silent mode for pki-server acme-issuer-mod

The pki-server acme-issuer-mod has been modified to provide a
silent mode for configuring ACME issuer.

- - - - -
95e338ca by Endi S. Dewata at 2020-07-16T17:26:23-05:00
Updated ACME database and issuer configuration docs

The ACME database and issuer configuration docs have
been modified to use the silent mode.

- - - - -
f1e86ff0 by Endi S. Dewata at 2020-07-20T10:28:50-05:00
Refactored ACMEEngine.loadMetadata()

The ACMEEngine.loadMetadata() has been renamed into
initMetadata().

- - - - -
7eb2fc48 by Endi S. Dewata at 2020-07-20T10:29:38-05:00
Refactored ACMEEngine.loadDatabaseConfig()

The ACMEEngine.loadDatabaseConfig() has been merged into
initDatabase().

- - - - -
6772ba8e by Endi S. Dewata at 2020-07-20T10:30:22-05:00
Refactored ACMEEngine.loadValidatorsConfig()

The ACMEEngine.loadValidatorsConfig() has been merged into
initValidators().

- - - - -
0c1916ea by Endi S. Dewata at 2020-07-20T10:30:45-05:00
Refactored ACMEEngine.loadIssuerConfig()

The ACMEEngine.loadIssuerConfig() has been merged into
initIssuer().

- - - - -
3bda0a4f by Endi S. Dewata at 2020-07-20T10:31:52-05:00
Refactored ACMEEngine.loadSchedulerConfig()

The ACMEEngine.loadSchedulerConfig() has been merged into
initScheduler().

- - - - -
87ab6e3c by Endi S. Dewata at 2020-07-20T10:38:23-05:00
Refactored ACMEEngine.loadEngineConfig()

The ACMEEngine.loadEngineConfig() has been converted into
initMonitors().

- - - - -
249fae10 by Alexander Scheel at 2020-07-20T13:45:59-04:00
Fix build with CMake out-of-source build change

Fedora 33 has introduced the following change proposal:

https://fedoraproject.org/wiki/Changes/CMake_to_do_out-of-source_builds

This makes CMake do out-of-source builds by default. However, Fedora has
opted to use the %{_vpath_builddir} macro as the location of the default
build directory, instead of the more standard (in the CMake community)
build/ directory. %{_vpath_builddir} expands to %{_target_platform},
giving a per-architecture build directory.

Replace build/ references with %{_vpath_builddir} in the RPM spec. In
the future, we could move %{__make} to %cmake_build instead.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
11024cd3 by Endi S. Dewata at 2020-07-20T13:42:55-05:00
Fixed pki-server acme-metadata/database/issuer-mod commands

The pki-server acme-metadata/database/issuer-mod commands have
been modified to use PKIServer.store_properties() instead of
pki.util.store_properties() to ensure the file permission is
set correctly.

- - - - -
a3ef1aa8 by Endi S. Dewata at 2020-07-20T13:42:55-05:00
Added default ACME metadata.conf

The ACMEEngine and pki-server acme-metadata commands have
been modified to use the shared metadata.conf by default.

- - - - -
bc899bec by Endi S. Dewata at 2020-07-20T14:36:59-05:00
Added runtime dependency on systemd

The pki-server package has been modified to explicitly require
systemd as runtime dependency since systemd is no longer part
of Fedora container image:
https://docs.fedoraproject.org/en-US/minimization/

- - - - -
9ddb3832 by Alexander Scheel at 2020-07-20T15:45:07-04:00
Support JDK8 and JDK11 RPM builds

Fedora 33 is moving to Java 11 as the default JDK version:

https://fedoraproject.org/wiki/Changes/Java11

This will make JDK11 the default JDK in this release of Fedora.

We need to support a generic JAVA_HOME based on OpenJDK, so move to
/usr/lib/jvm/jre-openjdk as the JRE_HOME path. This is always provided,
regardless of whether or not the JDK or JRE is installed. Additionally,
we set the minimum Java version based on what is available on the
system.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
1bc74857 by Endi S. Dewata at 2020-07-20T19:20:24-05:00
Fixed JAVA_OPTS parsing in PKISubsystem.run()

The PKISubsystem.run() parses JAVA_OPTS into a list of strings
and uses it as Java arguments. In some cases the list might
contain empty strings which can cause problems. The code has
been modified to remove empty strings from the list.

- - - - -
3de067cf by Endi S. Dewata at 2020-07-21T09:01:38-05:00
Simplified ACME LDAP database parameters

The LDAPDatabase parameters have been simplified:
- basedn -> baseDN
- internaldb.ldapconn.host,port,secureConn -> url
- internaldb.ldapauth.authtype -> authType
- internaldb.ldapauth.bindDN -> bindDN
- internaldb.ldapauth.clientCertNickname -> nickname
- password.internaldb -> bindPassword

The old basedn parameter will continue to work but it has
been deprecated.

The internaldb.ldapauth.bindPWPrompt is no longer used so
it has been removed.

- - - - -
ec612dbd by Coty Sutherland at 2020-07-21T16:51:42-04:00
Fix HTTP Request formatting in AdminConnection

AdminConnection's processRequest method creates a hand-rolled HTTP
request to the remote server. This is used by PKI Console when
authenticated as an administrator. Because of the recent CVE fix in
Tomcat (CVE-2020-1935), Tomcat will no longer accept \n (Line Feed)
terminated requests and headers, and instead reject them as a bad
request. We fix this by adding the missing and required CR, per HTTP
specification.

This fixes the following exception in PKIConsole:

    java.io.IOException: 400
        at com.netscape.admin.certsrv.connection.JSSConnection.readHeader(JSSConnection.java:537)
        at com.netscape.admin.certsrv.connection.JSSConnection.initReadResponse(JSSConnection.java:497)
        at com.netscape.admin.certsrv.connection.JSSConnection.sendRequest(JSSConnection.java:411)
        at com.netscape.admin.certsrv.connection.AdminConnection.processRequest(AdminConnection.java:788)
        at com.netscape.admin.certsrv.connection.AdminConnection.sendRequest(AdminConnection.java:681)
        at com.netscape.admin.certsrv.connection.AdminConnection.sendRequest(AdminConnection.java:646)
        at com.netscape.admin.certsrv.connection.AdminConnection.authType(AdminConnection.java:379)
        at com.netscape.admin.certsrv.CMSServerInfo.getAuthType(CMSServerInfo.java:128)

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
0c41ac72 by Alexander Scheel at 2020-07-21T16:52:53-04:00
Support exporting CA certificate from HSM installs

When installing an installation with subsystem SSL certificate residing
on the HSM, export will fail because the NSS DB isn't opened with the
specified HSM token. When the subsystem SSL certificate resides on the
HSM, when we go to export the CA certificate, we must explicitly specify
this token.

Otherwise, subsystem startup will fail with an error like:

    systemd[1]: Starting PKI Tomcat Server topology-02-CA...
    pki-server[72759]: Enter password for NHSM6000-OCS
    pki-server[72759]: ERROR: Certificate not found: NHSM6000-OCS:Server-Cert cert-topology-02-CA
    pki-server[72759]: ERROR: Command: pki -d /etc/pki/topology-02-CA/alias -C /tmp/tmpptxlpn4k/password.txt pkcs12-export --pkcs12 /tmp/tmp1idfd1am/sslserver.p12 --password-file /tmp/tmpc5y2bhjo/password.txt --no-key NHSM6000-OCS:Server-Cert cert-topology-02-CA
    systemd[1]: pki-tomcatd at topology-02-CA.service: Control process exited, code=exited status=255
    systemd[1]: pki-tomcatd at topology-02-CA.service: Failed with result 'exit-code'.

This is related to the earlier PR enforcing certificate verification
in PKIConnection, pr-#443.

Resolves: rh-bz#1857933

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
382de723 by Dinesh Prasanth M K at 2020-07-22T13:24:25-04:00
Fix pylint issue in healthcheck

This patch fixes the pylint issue caught in our CI. This
is a regression of change introduced in freeipa-healthcheck:

https://github.com/freeipa/freeipa-healthcheck/commit/d247c6158169a4ff97cd35ac57fec4e355617c52#diff-3aa64e1b97b8e0bf584a86cbe79986c4

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
75fed9db by Dinesh Prasanth M K at 2020-07-22T13:48:47-04:00
Print the SD name when executing pki-server status

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
08370498 by Dinesh Prasanth M K at 2020-07-22T13:48:47-04:00
Fix pki-server status CLI to accept nuxwdog enabled service

This patch fixes pki-server to pick up the right systemd unit file
name if the nuxwdog is enabled on the PKI server.

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
951bad9d by Endi S. Dewata at 2020-07-22T14:53:53-05:00
Added ACMEEngineConfig

The ACMEEngineConfig has been added to encapsulate ACME engine
configuration such as the enabled flag.

- - - - -
2a8e25fb by Endi S. Dewata at 2020-07-22T14:53:53-05:00
Refactored ACMEPolicy

The ACMEPolicy has been moved into org.dogtagpki.acme.server.
The enableWildcardIssuance field has been moved into a new
ACMEPolicyConfig class. The wildcard property in engine.conf
has been renamed into policy.wildcard.

- - - - -
5cc193e6 by Endi S. Dewata at 2020-07-22T14:53:53-05:00
Removed hard-coded ACME validity policies

The ACMEValidityConfig has been added to encapsulate the
validity configuration of ACME objects including nonces,
authorizations, and orders.

The hard-coded validity policies for ACME nonces, valid
authorizations, pending and valid orders have been
replaced with configurable properties in engine.conf.

- - - - -
a93a65be by Alexander Scheel at 2020-07-22T17:02:50-04:00
Re-fix sanitization in CMSTemplate

When fixing CVE-2019-10179 originally in
8884b4344225bd6656876d9e2a58b3268e9a899b,
I had switched to Apache Commons Lang2's
sanitization framework. However, I didn't
enable the HTML sanitization necessary to
fix this CVE.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
db703d1d by Endi S. Dewata at 2020-07-22T18:44:10-05:00
Added sample ACME database URLs

- - - - -
6e108331 by Endi S. Dewata at 2020-07-22T19:48:35-05:00
Fixed ACME scheduler

The ACMEScheduler has been modified to no longer throw a
RuntimeException if a task execution fails such that the
task will be executed again in the next scheduled time.

- - - - -
eb213bd0 by Endi S. Dewata at 2020-07-23T12:58:06-05:00
Add sample PKI issuer URL and profile

- - - - -
8c41352a by Endi S. Dewata at 2020-07-23T12:58:16-05:00
Updated ACME install doc

- - - - -
6f18a954 by Endi S. Dewata at 2020-07-23T12:58:16-05:00
Fixed InMemoryDatabase.getOrdersByAuthorizationAndStatus()

The InMemoryDatabase.getOrdersByAuthorizationAndStatus() has
been modified to use String.equals() to compare order status.

- - - - -
40bd67c3 by Endi S. Dewata at 2020-07-23T12:58:16-05:00
Updated pki-server acme-database/issuer-mod

The pki-server acme-database/issuer-mod commands have been
modified to load the database.conf/issuer.conf template if
the database/issuer type was changed.

- - - - -
f2641150 by Endi S. Dewata at 2020-07-23T20:35:53-05:00
Fixed PKIServerFactory.create()

The PKIServerFactory.create() has been modified to check
whether the /etc/sysconfig/<instance> file exists before
trying to open it.

- - - - -
28e19202 by Endi S. Dewata at 2020-07-23T20:44:00-05:00
Reorganized PKI server install docs

- - - - -
41b0226a by Endi S. Dewata at 2020-07-27T17:12:24-05:00
Updated log messages in PostgreSQLDatabase

- - - - -
46a66d65 by Endi S. Dewata at 2020-07-27T17:12:33-05:00
Reorganized ACME deployment on OpenShift doc

- - - - -
bf225105 by Alexander Scheel at 2020-07-28T14:52:20-04:00
Add TPS auditor

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
9da92ed3 by Alexander Scheel at 2020-07-28T14:54:12-04:00
Move PrettyPrint{Cert,Crl} to PKI_LIB classpath

JDK since v1.6 supports passing a directory with a glob (*) after it to
include all JARs in that given directory on the classpath. That is the
mechanism used by pki_java_command_wrapper.in which we should reuse for
the two CLIs which don't use that wrapper.

Resolves: rh-bz#1854043

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
fd522210 by Dinesh Prasanth M K at 2020-07-29T15:31:10-04:00
CI: Collect journalctl logs always during IPA tests

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
c8c55f98 by Endi S. Dewata at 2020-07-29T16:45:07-05:00
Added openshift-acme deployment doc

A new doc has been added for deploying openshift-acme with
PKI ACME responder as the certificate issuer.

- - - - -
a0a06387 by Endi S. Dewata at 2020-07-29T17:45:10-05:00
Fixed CAInfoService.getKRAInfoClient()

The CAInfoService.getKRAInfoClient() and
CAService.getConnector() have been modified to use the
client certificate specified in the CA's KRA connector to
access KRA. If the client certificate is missing, it will
use the subsystem certificate instead.

The CAInfoService has also been modified to propagate
any exception during the above operation to the caller.

https://bugzilla.redhat.com/show_bug.cgi?id=1861911

- - - - -
03801285 by Endi S. Dewata at 2020-07-29T22:18:44-05:00
Reorganized ACME user doc

- - - - -
7b184486 by 06shalini at 2020-07-30T20:59:57+05:30
Changes done to run the upstream pytest-ansible tests on Fedora32 and with latest packages (#393)

* Changes done to run the upstream pytest-ansible tests on Fedora32 and with latest packages

- Changes include:
- Change in .gitlab_ci.yml to spawn instance by using latest osp_provision.py
   [with PSI resource issues].
- Change in .gitlab_ci.yml to use Fedora 32 image.
- Addition of post_provision.yml to get latest repo.

Signed-off-by: Shalini Khandelwal <skhandel at redhat.com>

* Code cleanup of osp_provision.py

Signed-off-by: Shalini Khandelwal <skhandel at redhat.com>

Co-authored-by: Shalini Khandelwal <skhandel at redhat.com>
- - - - -
23ae8b29 by Endi S. Dewata at 2020-07-30T10:58:42-05:00
Refactored ACMEPolicyConfig

The retention policies in ACMEPolicyConfig have been moved
into ACMERetentionConfig. The configuration properties have
been renamed into policy.retention.<name>.<param>. The
ACMEValidityConfig has been renamed into ACMERetention.

- - - - -
64b37227 by Endi S. Dewata at 2020-07-30T10:58:42-05:00
Added retention policies for ACME authorizations

The ACME responder has been modified to support retention
policies for pending and invalid authorizations.

- - - - -
769069bb by Endi S. Dewata at 2020-07-30T10:58:42-05:00
Added retention policies for ACME orders

The ACME responder has been modified to support retention
policies for invalid, ready, and processing orders.

- - - - -
64a83f58 by Endi S. Dewata at 2020-07-30T10:58:42-05:00
Added ACMEDatabase.removeExpiredCertificates()

The ACMEDatabase.removeExpiredCertificates() has been added
to remove expired certificates from ACME database.

- - - - -
0c1cac72 by Endi S. Dewata at 2020-07-30T10:58:42-05:00
Added ACMECertificate

The ACMECertificate has been added to encapsulate certificate
records in ACME database.

- - - - -
d3957e6c by Endi S. Dewata at 2020-07-30T10:58:42-05:00
Added retention policy for ACME certificates

The ACME responder has been modified to support retention policy
for certificate records in ACME database.

- - - - -
4bbb201c by Stanislav Levin at 2020-07-30T10:59:56-05:00
Add missing required targets for pki-acme-classes target

Parallel build fails because of the races caused by the missing
(not yet built) jars.

Fixes: https://pagure.io/dogtagpki/issue/3196
Signed-off-by: Stanislav Levin <slev at altlinux.org>

- - - - -
0cff9cd5 by Stanislav Levin at 2020-07-30T13:08:14-05:00
Fix instance nssdb directory ownership

There was a typo in the code which sets the ownership
of the NSS db directory and its content. This results
in the group with the same gid as the pkiuser uid
being able to control this directory.

Fixes: https://pagure.io/dogtagpki/issue/3195
Signed-off-by: Stanislav Levin <slev at altlinux.org>
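
As an added example (not part of the commit above or of Dogtag's own code base), a Python check of the kind this fix calls for: look the uid and gid up from the user and group names separately, then audit the NSS database tree for entries with the wrong owner or group or that are writable by group or others. The `pkiuser`/`pkiuser` defaults and the `alias/` layout with cert9.db, key4.db and pkcs11.txt are assumptions; the temporary tree built by demo() is constructed for the demonstration.

```python
"""Audit ownership and mode of an instance NSS database tree.

Added example, not Dogtag code. User/group names and the alias/ layout
are assumptions; demo() builds a constructed tree in a temp directory.
"""
import grp
import os
import pwd
import stat
import tempfile


def resolve_ids(user="pkiuser", group="pkiuser"):
    """Look the uid and gid up separately; never reuse the uid as the gid."""
    return pwd.getpwnam(user).pw_uid, grp.getgrnam(group).gr_gid


def audit_tree(path, uid, gid):
    """Return (entry, problem) pairs for every directory or file under `path`
    whose owner or group differs from uid/gid, or that is group- or
    world-writable. lstat is used so a planted symlink cannot redirect
    the check to some other file.
    """
    findings = []
    for root, _dirs, files in os.walk(path):
        for entry in [root] + [os.path.join(root, f) for f in files]:
            st = os.lstat(entry)
            if st.st_uid != uid:
                findings.append((entry, f"owner uid {st.st_uid}, expected {uid}"))
            if st.st_gid != gid:
                findings.append((entry, f"group gid {st.st_gid}, expected {gid}"))
            if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((entry, "writable by group or others"))
    return findings


def demo():
    """Build a constructed NSS db layout and audit it twice: once with the
    gid the tree really has, once with a gid that differs from it, which is
    what the typo produced on hosts where the pkiuser uid and gid differ.
    Returns (findings with correct ids, findings with the wrong gid).
    """
    with tempfile.TemporaryDirectory() as top:
        alias = os.path.join(top, "alias")
        os.mkdir(alias)
        for name in ("cert9.db", "key4.db", "pkcs11.txt"):   # constructed stand-ins
            p = os.path.join(alias, name)
            with open(p, "w") as fh:
                fh.write("")
            os.chmod(p, 0o600)
        os.chmod(alias, 0o700)
        os.chmod(top, 0o700)
        st = os.lstat(top)
        correct = audit_tree(top, st.st_uid, st.st_gid)
        # gid + 1 guarantees a mismatch even on hosts where uid == gid.
        typo = audit_tree(top, st.st_uid, st.st_gid + 1)
        return len(correct), len(typo)


if __name__ == "__main__":
    print(demo())
```

On a real instance, call audit_tree() with the pair returned by resolve_ids() against the instance's NSS database directory; an empty list means owner, group and mode match what the fix intends.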

- - - - -
34807cb7 by Endi S. Dewata at 2020-07-30T16:33:20-05:00
Refactored PKI_DEPLOYMENT_DEFAULT_SYMLINK_PERMISSIONS

The PKI_DEPLOYMENT_DEFAULT_SYMLINK_PERMISSIONS has been
replaced with pki.server.DEFAULT_LINK_MODE.

- - - - -
0aeacb09 by Endi S. Dewata at 2020-07-30T16:33:20-05:00
Updated log messages in PKIInstance

- - - - -
268c08ea by Endi S. Dewata at 2020-07-30T16:33:20-05:00
Reorganized ACME Podman doc

- - - - -
a287c3a0 by Endi S. Dewata at 2020-07-30T16:33:20-05:00
Reorganized ACME install doc

- - - - -
e4c35cbc by Endi S. Dewata at 2020-07-30T16:33:20-05:00
Updated links to ACME config doc

- - - - -
fc95262d by Endi S. Dewata at 2020-07-30T16:33:20-05:00
Restored ACME tech preview notification

- - - - -
bedf1adc by Endi S. Dewata at 2020-07-30T22:06:05-05:00
Renamed value field in ACMENonce

The value field in ACMENonce has been renamed to id
for consistency.

- - - - -
183558fa by Endi S. Dewata at 2020-07-30T22:11:52-05:00
Renamed nonce value variables in ACMEDatabase

The nonce value variables in ACMEDatabase have been renamed
to nonceID for consistency.

- - - - -
63368b0f by Endi S. Dewata at 2020-07-30T22:11:57-05:00
Renamed nonce value column/attribute in ACME database

The nonce value column/attribute in ACME database
has been renamed to id for consistency.

- - - - -
a1235c3e by jmagne at 2020-07-31T10:20:48-07:00
Address Bug 1462291 - CRL autoupdate from CS.cfg (#503)

This fix allows the admin to request that a change to this crl CS.cfg setting:

ca.crl.MasterCRL.autoUpdateInterval=xxx

This fix will allow the system to attempt to use the new value of auto update
immediately. The previous longstanding behavior was to have the new interval take effect
AFTER the currently scheduled nextUpdate time.

What this fix does is allow the use of a new CS.cfg parameter:

ca.crl.MasterCRL.autoUpdateInterval.effectiveAtStart=true

This parameter must be inserted before a restart to allow this behavior to take place at all.
Without the param everything should be working as normal.

After changing the CS.cfg value, the server must be restarted.

At this point the delay time for the next update will be calculated based on the new auto update interval.

Previously the code would simply ignore the new calculated value and take whatever is already encoded into the
"nextUpdate" field of the crl.

This fix allows the new value to be accepted. Here are some caveats on how this thing behaves:

1. If the autoUpdate interval is made smaller, this thing works as expected, having the next update take place
in roughly the amount of time in the new interval.

2. If making the interval smaller makes the calculated next update fall in the past, the update will occur now and then the
nextUpdate will be calculated with the new schedule.

3. If the admin makes the autoUpdate interval larger, the behavior is a little different.
Due to the fact that the calculations made with the new interval are based off of starting with the time stamp
for "yesterday", or the very first daily update from yesterday, the new nextUpdate time calculated may be less
than simply adding the new interval to the last update.

This fix was coded by allowing the current very complicated algorithm that calculates the nextUpdate to do its thing,
while at the end of the process this code simply chooses what is calculated instead of what is already encoded within
the crl's nextUpdate field.

Therefore if the new param is never set, nothing changes. This param should be used with care.

If the agent goes to the display crl page, the new value can easily be viewed as well as the debug log.

4. After the operation takes place the flag inside the server will be cleared and this feature will no longer
be attempted while the server is running.

5. The admin must clear the schedulUpdated setting before the restart to assure normal operation after the next restart.

Co-authored-by: Jack Magne <jmagne at localhost.localdomain>
- - - - -
607407e2 by Christina Fu at 2020-07-31T11:40:54-07:00
Bug1805541 Doc for Certificate Transparency with embedded SCT

Created CertificateTransparency.adoc which provides documentation for
the Certificate Transparency feature for the RHCS Administrator's guide.

https://bugzilla.redhat.com/show_bug.cgi?id=1805541

- - - - -
7b6b6aa8 by Christina Fu at 2020-07-31T16:39:21-07:00
CertificateTransparency.adoc default mode is "disabled" instead of "enabled"

- - - - -
0932b0ea by jmagne at 2020-07-31T17:02:54-07:00
Resolve: Bug 1454922 - [RFE] Need Ability to set the CRL This Update to be a Future Date when Generating a CRL. (#504)

This fix allows the admin to request this feature only by using the command line sslget utility to make such a request.

The result will be having the "thisUpdate" field of the generated crl set to some arbitrary date in the future.
The nextUpdate field will be calculated as normal by calculating that as an offset to the future thisUpdate value requested.

There is also a new CS.cfg value designed to simply disallow the use of the feature whatsoever:

ca.crl.MasterCRL=forbidFutureThisUpdateValue=true (which is the default) will ignore any attempts to use this feature.

This feature does not as of yet support the GUI and will ONLY be available when using sslget to request a CRL update on demand.

Also there is a parameter to sslget that will allow the user to erase or cancel the whole custom future thisUpdate and
return crl processing to normal. Examples to follow:

Example 1, request an updated CRL with a custom future thisUpdateValue:

sslget -n "PKI Administrator for localhost.localdomain" -e "crlIssuingPoint=MasterCRL&signatureAlgorithm&waitForUpdate=true&clearCRLCache=true&customFutureThisUpdateDateValue=2020:9:22:13:0:0"  -v -d . -p ""  -r /ca/agent/ca/updateCRL localhost.localdomain:8443

Note the param for this feature is customFutureThisUpdateDateValue=<date>
The date format is this: 2020:9:22:13:0:0

The linux date utility can be used to make a date in this format. It's simply
year, month, day, hour, min, sec, with min and sec optional.
The month is 1-based, with Jan = 1.

Example 2: clear the whole future thisUpdate and get back to normal:

sslget -n "PKI Administrator for localhost.localdomain" -e "crlIssuingPoint=MasterCRL&signatureAlgorithm&waitForUpdate=true&clearCRLCache=true&cancelCurCustomFutureThisUpdateValue=true"  -v -d . -p ""  -r /ca/agent/ca/updateCRL localhost.localdomain:8443

This will erase the current custom future thisUpdate and calculate the nextUpdate based on the actual current time.

This fix was done without affecting the complex calculations made to calculate update frequency. This only allows one, if they desire, to set thisUpdate to some futuristic time.

If a future thisUpdate time is chosen as in Ex 1, the nextUpdate time will be chosen based on that future date.

The Agent GUI can be used to display the CRL, which will reflect the new thisUpdate and nextUpdate values.

Co-authored-by: Jack Magne <jmagne at localhost.localdomain>
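
As an added example (not part of the commit above or of the sslget/Dogtag code), a small Python helper that builds the `-e` query string used in the two sslget examples and validates the `customFutureThisUpdateDateValue` before anything is sent: year:month:day:hour[:min[:sec]], 1-based month, strictly in the future. Interpreting the value in the server's local time zone, and refusing to combine a future thisUpdate with a cancel in a single request, are this example's own assumptions.

```python
"""Build and validate the -e argument for an on-demand CRL update request.

Added example, not Dogtag or sslget code. Local-time interpretation of the
date and the "one action per request" rule are assumptions of this example.
"""
from datetime import datetime

# Parameters the sslget examples above carry on every updateCRL request.
BASE_PARAMS = ("signatureAlgorithm", "waitForUpdate=true", "clearCRLCache=true")


def format_this_update(when):
    """Render a datetime as year:month:day:hour:min:sec with a 1-based month.

    datetime.month is already 1-based (Jan = 1), so no offset is applied; the
    commit message spells this out because java.util.Calendar months are 0-based.
    """
    return f"{when.year}:{when.month}:{when.day}:{when.hour}:{when.minute}:{when.second}"


def _as_datetime(now):
    """Accept None (local clock), an ISO-8601 string, or a datetime."""
    if now is None:
        return datetime.now()
    if isinstance(now, str):
        return datetime.fromisoformat(now)
    return now


def parse_this_update(value, now=None):
    """Parse 'Y:M:D:H[:MI[:S]]' and return a datetime strictly later than `now`.

    Assumption: the server reads the value in its local time zone, so the
    comparison uses naive local datetimes. Out-of-range fields (month 13,
    Feb 30, ...) are rejected by the datetime constructor.
    """
    parts = value.split(":")
    if not 4 <= len(parts) <= 6:
        raise ValueError(f"expected 4 to 6 colon-separated fields, got {len(parts)}: {value!r}")
    try:
        fields = [int(p) for p in parts]
    except ValueError:
        raise ValueError(f"non-numeric field in {value!r}") from None
    fields += [0] * (6 - len(fields))          # min and sec are optional
    when = datetime(*fields)
    if when <= _as_datetime(now):
        raise ValueError(f"thisUpdate {format_this_update(when)} is not in the future")
    return when


def update_crl_query(issuing_point="MasterCRL", future_this_update=None, cancel=False, now=None):
    """Build the string passed to `sslget -e` for /ca/agent/ca/updateCRL.

    `future_this_update` is a 'Y:M:D:H[:MI[:S]]' string or a datetime and is
    always validated against `now`; cancel=True emits the
    cancelCurCustomFutureThisUpdateValue parameter instead. Asking for both
    in one request is refused (an assumption of this example).
    """
    if future_this_update is not None and cancel:
        raise ValueError("set a future thisUpdate or cancel it, not both in one request")
    params = [f"crlIssuingPoint={issuing_point}", *BASE_PARAMS]
    if future_this_update is not None:
        if not isinstance(future_this_update, str):
            future_this_update = format_this_update(future_this_update)
        when = parse_this_update(future_this_update, now)
        params.append(f"customFutureThisUpdateDateValue={format_this_update(when)}")
    if cancel:
        params.append("cancelCurCustomFutureThisUpdateValue=true")
    return "&".join(params)


if __name__ == "__main__":
    print(update_crl_query(future_this_update="2020:9:22:13:0:0", now="2020-09-01T00:00:00"))
    print(update_crl_query(cancel=True))
```

The returned string is what goes after `-e` in the sslget commands shown above; the nickname, database and URL arguments stay exactly as in those examples.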
- - - - -
55d8a652 by Endi S. Dewata at 2020-07-31T19:46:29-05:00
Fixed PostgreSQL ACME database time zone (part 1)

The PostgreSQLDatabase has been modified to store timestamps
in UTC time zone.

- - - - -
880a02d9 by Endi S. Dewata at 2020-07-31T19:46:29-05:00
Fixed PostgreSQL ACME database time zone (part 2)

The PostgreSQL ACME database has been modified to use
timestamps with time zone.

- - - - -
2a0a2fce by Endi S. Dewata at 2020-07-31T19:46:29-05:00
Fixed LDAP ACME database time zone

The ACME LDAPDatabase has been modified to store timestamps
in UTC time zone.

- - - - -
4cfd4cc1 by Endi S. Dewata at 2020-07-31T19:46:29-05:00
Cleaned up PostgreSQLDatabase

The PostgreSQLDatabase has been modified to call connect()
only in public methods implementing LDAPDatabase.

- - - - -
b047c132 by Endi S. Dewata at 2020-07-31T21:16:44-05:00
Updated version number to 10.9.0-1

- - - - -
c5db17c8 by Dinesh Prasanth M K at 2020-08-06T12:38:16-04:00
Fix Secure connection issue when server is down

When the PKI server is down, the server is temporarily
brought up using a temporary SSL server cert. This cert
needs to be trusted to enable secure connection.

This patch:

* allows passing the instance's nssdb as the client nssdb to
  trust the SSL server cert created during cert-fix (offline
  cert renewal process).
* Gets the hostname using socket instead of from an env
  variable

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
f4b72edb by Endi S. Dewata at 2020-08-06T11:55:45-05:00
Updated version number to 10.9.1

- - - - -


30 changed files:

- .github/workflows/required-tests.yml
- CMakeLists.txt
- base/acme/CMakeLists.txt
- + base/acme/Dockerfile
- − base/acme/conf/database/ldap/database.conf
- base/acme/conf/engine.conf
- + base/acme/conf/scheduler.conf
- base/acme/conf/database/in-memory/database.conf → base/acme/database/in-memory/database.conf
- base/acme/conf/database/ldap/create.ldif → base/acme/database/ldap/create.ldif
- + base/acme/database/ldap/database.conf
- base/acme/conf/database/ldap/schema.ldif → base/acme/database/ldap/schema.ldif
- base/acme/conf/database/postgresql/create.sql → base/acme/database/postgresql/create.sql
- base/acme/conf/database/postgresql/database.conf → base/acme/database/postgresql/database.conf
- base/acme/conf/database/postgresql/drop.sql → base/acme/database/postgresql/drop.sql
- base/acme/conf/database/postgresql/statements.conf → base/acme/database/postgresql/statements.conf
- + base/acme/issuer/nss/ca_signing.conf
- + base/acme/issuer/nss/issuer.conf
- + base/acme/issuer/nss/sslserver.conf
- base/acme/conf/issuer/pki/issuer.conf → base/acme/issuer/pki/issuer.conf
- + base/acme/openshift/pki-acme-certs.yaml
- + base/acme/openshift/pki-acme-database.yaml
- + base/acme/openshift/pki-acme-deployment.yaml
- + base/acme/openshift/pki-acme-is.yaml
- + base/acme/openshift/pki-acme-issuer.yaml
- + base/acme/openshift/pki-acme-metadata.yaml
- + base/acme/openshift/pki-acme-route.yaml
- + base/acme/openshift/pki-acme-svc.yaml
- + base/acme/sbin/pki-acme-run
- + base/acme/src/main/java/org/dogtagpki/acme/ACMECertificate.java
- base/acme/src/main/java/org/dogtagpki/acme/ACMENonce.java


The diff was not included because it is too large.


View it on GitLab: https://salsa.debian.org/freeipa-team/dogtag-pki/-/compare/f7cd25bc03521876ed553ccb6584fad2004e30a9...f4b72edb5c703c0a8aae64ae07970407c83f656c
