[Pkg-freeipa-devel] [Git][freeipa-team/dogtag-pki][master] 788 commits: ACMEEngine: check (!= null) when shutting down

Timo Aaltonen gitlab at salsa.debian.org
Fri Aug 14 07:53:58 BST 2020



Timo Aaltonen pushed to branch master at FreeIPA packaging / dogtag-pki


Commits:
9fd7a1b8 by Fraser Tweedale at 2020-02-19T23:18:58+10:00
ACMEEngine: check (!= null) when shutting down

After ACME engine startup failure, the shutdown methods are invoked.
But due to the errors, the backend and/or database may not have been
initialised, and a NullPointerException occurs.  This adds extra
backtrace noise the log/journal.  Add a (!= null) check to avoid
this.

- - - - -
bf0fc39a by Alexander Scheel at 2020-02-19T12:21:29-06:00
Remove sslget -V option

Since we haven't used SVN in a while, $Revision$ and $Date$
no longer update. Remove the -V option instead of passing in
a valid version number.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
f19554e1 by Dinesh Prasanth M K at 2020-02-21T13:27:46-05:00
JSON Parser (part) for Certificate Transparency (#326)

This patch adds a JSON parser skeleton that is suitable
for Certificate Transparency prototype.

This patch includes:
- CTParser: which generates JSON as per CT standard
- CTResponse: which acts as a mapper class to map JSON response
              from CT log server

Partly Resolves: BZ1805541 - (part) CT JSON Parser prototype

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>
- - - - -
bb9f405e by Dinesh Prasanth M K at 2020-02-24T11:36:07-05:00
Re-enable pytest-runner in spec file

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
6955d2cf by Endi S. Dewata at 2020-02-24T13:25:02-06:00
Updated version number to 10.9.0-a1

- - - - -
12229ac4 by Endi S. Dewata at 2020-02-24T13:25:47-06:00
Reorganized .classpath

The source folders in .classpath have been reorganized
according to the dependencies.

- - - - -
feae2415 by Alexander Scheel at 2020-02-24T17:10:12-05:00
Remove MD4 and MD5 from default configuration

We remove MD4- and MD5-based algorithms in favor of more modern SHA-2
suite algorithms. We replace them in:
 - In the default CS.cfg
 - In the default caTransportCert.cfg
 - In the ca agent updateCRL html and template,
 - In EnrollProfile

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
55148664 by Stephen Coady at 2020-02-24T17:10:28-05:00
Remove bashisms

Signed-off-by: Stephen Coady <scoady at redhat.com>

- - - - -
fca6d89d by Christina Fu at 2020-02-24T16:02:15-08:00
Bug1805541 -CT cert issuance prototype (part) of [RFE] CA Certificate Transparency with Embedded Signed Certificate Time stamp.

This contains my CT prototype code for issuing CT certs with Embedded Signed Certificate Time stamp;
It currently only handles one CT log (googletube);

Example profiles are caServerCertWithSCT.cfg and caECServerCertWithSCT.cfg
Usage is to enroll through those profiles with
policyset.serverCertSet.13.constraint.class_id=noConstraintImpl
policyset.serverCertSet.13.constraint.name=No Constraint
policyset.serverCertSet.13.default.class_id=SignedCertificateTimestampListExtDefaultImpl
policyset.serverCertSet.13.default.name=Certificate Transparency Poison Extension Default

It also contains addition of build and run time requirement for apache-commons-net

https://bugzilla.redhat.com/show_bug.cgi?id=1805541

- - - - -
57db6ca7 by Endi S. Dewata at 2020-02-24T20:46:53-06:00
Merged pki-nsutil.jar into pki-cmsutil.jar

The pki-nsutil.jar contains only 8 classes and it is always
used together with pki-cmsutil.jar. To simplify the maintenance
it has been merged into pki-cmsutil.jar.

- - - - -
7e20fc20 by Endi S. Dewata at 2020-02-25T15:14:31-06:00
Added apache-commons-net.jar into .classpath

- - - - -
cc40c3f0 by Fraser Tweedale at 2020-02-26T10:23:23+10:00
CMSEngine.getPasswordStore: extract to static method

The ACME service is not a CMS subsystem.  But for convenience, the
ACME LDAP database backend can read database and password
configuration from CS.cfg.

In order to support this, provide a static variant of
CMSEngine.getPasswordStore(), which is explicitly passed a subsystem
ID and config store.

- - - - -
115d87bd by Endi S. Dewata at 2020-02-26T11:01:18-06:00
Added pki-server-acme(8) man page

- - - - -
0d2ac2b0 by Dinesh Prasanth M K at 2020-02-26T12:56:05-05:00
Convert multiline script to use literal style scalar (#330)

The literal style scalar | preserve newlines while folded
scalar > replaces newlines with space. As a result unintended
exit codes can occur

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>
- - - - -
1fc86af8 by Dinesh Prasanth M K at 2020-02-26T19:41:23-05:00
Migrate away from deployer.* to pki.util.* in pkidestroy (#333)

Since pki.util.* is more generic, this patch migrates pkidestroy
scripts to use:
- pki.util.rmtree() instead of deployer.directory.delete()
- pki.util.remove() instead of deployer.file.delete()
- pki.util.unlink() instead of deployer.symlink.delete()

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>
- - - - -
8455b705 by Endi S. Dewata at 2020-02-28T09:44:20-06:00
Fixed missing token name in serverCertNick.conf

The serverCertNick.conf is used to store the nickname and
the token name of the SSL server certificate.

Previously in HSM cases the token name was missing from this
file due to mishandling, causing the installation to fail.

The SystemCertDataFactory.create() has been modified to pass
the token name properly. Also the configuration.py has been
modified to normalize the token name and use the default token
name if it's not available before storing it into the file.

https://bugzilla.redhat.com/show_bug.cgi?id=1806840

- - - - -
6fd1dc0c by Endi S. Dewata at 2020-02-28T09:44:20-06:00
Fixed KRA clone configuration

Previously the security_databases.py would only configure the
KRA properties that stores the system certificate nicknames and
tokens in HSM cases only. For non-HSM cases it would rely on
Configurator.updateConfigEntries() to set the properties with
values from KRA master.

The security_databases.py has been modified such that it
configures KRA properties in both HSM and non-HSM cases without
using the values from KRA master.

https://bugzilla.redhat.com/show_bug.cgi?id=1806840

- - - - -
d8d8e725 by Endi S. Dewata at 2020-02-28T09:44:20-06:00
Fixed missing token names during KRA cloning

During replica installation, KRA certificate nicknames and
token names (if available) are normally stored in the
following properties:
- kra.transportUnit.nickName
- kra.storageUnit.nickName

Previously the Configurator.updateConfigEntries() would
incorrectly overwrite those properties with nicknames from
KRA master without the token names.

In non-HSM cases this was not a problem since there were no
token names involved. However, in HSM cases the token names
became missing so the certificates could not be found and
the installation would fail.

The Configurator.updateConfigEntries() has been modified to
no longer overwrite these properties.

https://bugzilla.redhat.com/show_bug.cgi?id=1806840

- - - - -
27fd676c by Endi S. Dewata at 2020-02-28T09:44:20-06:00
Fixed HSM module registration

The security_databases.py has been modified to register the
HSM module using NSSDatabase.add_module() which handles the
warning generated by modutil silently.

The Modutil class is no longer used so it has been removed.

https://bugzilla.redhat.com/show_bug.cgi?id=1806840

- - - - -
64122840 by Endi S. Dewata at 2020-02-28T09:44:20-06:00
Added docs on CA, KRA, OCSP cloning with HSM

https://bugzilla.redhat.com/show_bug.cgi?id=1806840

- - - - -
aacbb2c1 by Endi S. Dewata at 2020-02-28T15:30:28-06:00
Fixed security domain authentication

Previously pkispawn would only connect to a security domain
when installing a new subsystem that joins the security domain
(pki_security_domain_type == existing). It also would only
authenticate against the security domain if it's not skipping
security domain verification (pki_skip_sd_verify == False),
which is the default.

When installing a subordinate CA with a new security (sub)domain
it would have pki_security_domain_type == new, so it would not
connect to nor authenticate against the parent security domain,
and it would not be able to get the installation token required
to complete the installation.

The code has been modified such that pkispawn will connect to a
security domain when installing a subsystem to join the security
domain (pki_security_domain_type == existing) as before, but also
when installing a subordinate CA (pki_subordinate == True). It
will also authenticate against the security domain regardless of
the pki_skip_sd_verify since the authenitcation is required to
obtain the installation token. The surrounding try-catch block
has also been removed since the original exception will have more
detailed information (i.e. the exact URL) about the problem.

https://bugzilla.redhat.com/show_bug.cgi?id=1807421

- - - - -
1888eae1 by Endi S. Dewata at 2020-02-28T16:08:45-06:00
Added PKIDeployer.setup_cert()

The code that sets up system certificates has been moved into
PKIDeployer.setup_cert().

- - - - -
470cb717 by Endi S. Dewata at 2020-02-28T16:08:51-06:00
Removed unused CertUtil.privateKeyExistsOnToken()

- - - - -
8de89c78 by Endi S. Dewata at 2020-02-28T16:08:55-06:00
Reformatted CryptoUtil.createX509CertInfo()

- - - - -
f28adddd by Endi S. Dewata at 2020-02-28T19:34:32-06:00
Refactored CertUtil.getPKCS10()

The CertUtil.getPKCS10() has been modified to get the private
key directly from the provided key pair instead of to find it
using the private key ID.

- - - - -
4984d82e by Endi S. Dewata at 2020-02-28T19:34:38-06:00
Refactored Configurator.generateCertRequest()

The Configurator.generateCertRequest() has been modified to get
the private key directly from the provided key pair instead of
to find it using the private key ID.

- - - - -
8865b623 by Endi S. Dewata at 2020-02-28T20:02:56-06:00
Refactored CertUtil.createLocalCert()

The CertUtil.createLocalCert() has been modified to get the CA
signing private key directly instead of to find it using the
private key ID.

- - - - -
e96b25e4 by Endi S. Dewata at 2020-02-28T22:12:57-06:00
Removed unused preop.cert.<tag>.privkey.id

The preop.cert.<tag>.privkey.id properties are no longer used
so they no longer need to be stored in CS.cfg.

- - - - -
e426a0c0 by Dinesh Prasanth M K at 2020-02-29T13:42:25+05:30
Refactor CTResponse (#336)

This patch refactors CTResponse class to accommodate certificate transparency prototype. 

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>
- - - - -
843982ed by Endi S. Dewata at 2020-03-02T07:34:28-06:00
Removed unused preop.cert.<tag>.pubkey.encoded

The preop.cert.<tag>.pubkey.encoded properties are no longer
used so they no longer need to be stored in CS.cfg.

- - - - -
74f37737 by Endi S. Dewata at 2020-03-02T07:34:35-06:00
Removed unused preop.cert.<tag>.pubkey.exponent

The preop.cert.<tag>.pubkey.exponent properties are no longer
used so they no longer need to be stored in CS.cfg.

- - - - -
1a197522 by Endi S. Dewata at 2020-03-02T07:34:37-06:00
Removed unused preop.cert.<tag>.pubkey.modulus

The preop.cert.<tag>.pubkey.modulus properties are no longer
used so they no longer need to be stored in CS.cfg.

- - - - -
7776b605 by Endi S. Dewata at 2020-03-02T08:56:41-06:00
Refactored Configurator.storeKeyPair()

The code that configures the following properties
has been moved into from Configurator.storeKeyPair()
to security_database.py:
- ca.signing.defaultSigningAlgorithm
- ca.crl.MasterCRL.signingAlgorithm
- ca.ocsp_signing.defaultSigningAlgorithm
- ocsp.signing.defaultSigningAlgorithm
- kra.transportUnit.signingAlgorithm

- - - - -
e278f997 by Endi S. Dewata at 2020-03-02T08:56:58-06:00
Cleaned up Configurator.updateConfigEntries()

The following properties are already configured during
installation so it's no longer necessary to clone them
from master:
- ca.signing.defaultSigningAlgorithm
- ca.crl.MasterCRL.signingAlgorithm
- ca.ocsp_signing.defaultSigningAlgorithm
- ocsp.signing.defaultSigningAlgorithm
- kra.transportUnit.signingAlgorithm

- - - - -
a7379c18 by Endi S. Dewata at 2020-03-02T08:56:58-06:00
Removed unused cloning.<tag>.keyalgorithm

The cloning.<tag>.keyalgorithm properties are no longer used so
they no longer need to be stored in CS.cfg.

- - - - -
8bb088b5 by Endi S. Dewata at 2020-03-02T08:56:58-06:00
Removed unused cloning.<tag>.keytype

The cloning.<tag>.keytype properties are no longer used so
they no longer need to be stored in CS.cfg.

- - - - -
02923685 by Alexander Scheel at 2020-03-02T10:40:35-05:00
Remove unused, unnecessary RADIUS implementation

This RADIUS implementation is not used by the Dogtag and thus should be
removed from the distribution.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
870503b6 by Endi S. Dewata at 2020-03-02T16:46:07-06:00
Removed unused GetTokenInfo

The GetTokenInfo servlet is no longer used so it has been
removed.

- - - - -
66431222 by Endi S. Dewata at 2020-03-02T16:46:07-06:00
Added PKIDeployer.setup_admin()

The code that configures the admin user has been moved into
PKIDeployer.setup_admin().

- - - - -
bed36af1 by Endi S. Dewata at 2020-03-02T16:46:07-06:00
Moved preop.cert.admin.dn

The code that configures preop.cert.admin.dn has been moved
into security_databases.py.

- - - - -
ba38607e by Endi S. Dewata at 2020-03-02T16:46:07-06:00
Refactored ConfigClient.retrieve_existing_subsystem_cert()

The ConfigClient.retrieve_existing_subsystem_cert() has been
modified to get the subsystem certificate's nickname, token
name, and subject DN from the deployment configuration.

- - - - -
39d5ceac by Endi S. Dewata at 2020-03-02T16:46:07-06:00
Removed unused cloning.<tag>.dn

The cloning.<tag>.dn properties are no longer used so
they no longer need to be stored in CS.cfg.

- - - - -
28a3a11d by Endi S. Dewata at 2020-03-03T18:57:41-06:00
Fixed NSSDatabase.module_exists()

The search pattern in NSSDatabase.module_exists() has been
modified to allow matching module names at the end of line.

https://bugzilla.redhat.com/show_bug.cgi?id=1809210

- - - - -
766011eb by Endi S. Dewata at 2020-03-03T18:57:41-06:00
Fixed missing subsystem cert token name

The code that configures the shared secret between TKS and TPS
has been modified to use the subsystem certificate token name
if it is specified in the deployment configuration. This is
needed to install TPS with HSM.

https://bugzilla.redhat.com/show_bug.cgi?id=1809210

- - - - -
61de999c by Endi S. Dewata at 2020-03-03T18:57:41-06:00
Fixed TPS connector removal

The TPSConnector.execute_using_pki() has been modified to
use -f <password file> instead of -c <password> in order to
work properly with HSM and for better security. It has also
been modified to use -U <URL> to specify the TKS location.

https://bugzilla.redhat.com/show_bug.cgi?id=1809210

- - - - -
43e7c142 by Endi S. Dewata at 2020-03-04T10:57:49-06:00
Reorganized PKI ACME sources

PKI ACME sources have been moved from base/acme/src into
base/acme/src/main/java to support Maven in the future.

- - - - -
da66119b by Endi S. Dewata at 2020-03-04T14:37:33-06:00
Removed preop.cert.<tag>.nickname cloning

The admin is responsible to provide consistent replica
deployment configuration, so it is no longer necessary to
copy preop.cert.<tag>.nickname properties from master.

- - - - -
6a73e682 by Endi S. Dewata at 2020-03-04T14:37:33-06:00
Removed unused preop.master.<tag>.nickname

The admin is responsible to provide consistent replica
deployment configuration, so it is no longer necessary
to use preop.master.<tag>.nickname properties.

- - - - -
8095fc22 by Endi S. Dewata at 2020-03-04T14:37:33-06:00
Removed unused cloning.<tag>.nickname

The cloning.<tag>.nickname properties are no longer used
so they no longer need to be stored in CS.cfg.

- - - - -
84ee873c by Endi S. Dewata at 2020-03-04T14:37:33-06:00
Removed unused cloning.module.token

The cloning.module.token property is no longer used so
it no longer needs to be stored in CS.cfg.

- - - - -
8918d5ab by Endi S. Dewata at 2020-03-04T14:37:33-06:00
Removed unused cloning.list

The cloning.list property is no longer used so it no longer
needs to be stored in CS.cfg.

- - - - -
f2e61642 by Endi S. Dewata at 2020-03-04T14:37:33-06:00
Removed internaldb.basedn cloning

The admin is responsible to provide consistent replica
deployment configuration, so it's no longer necessary
to copy internaldb.basedn from master.

- - - - -
39462615 by Endi S. Dewata at 2020-03-04T18:55:51-06:00
Updated log messages in TransportKeyUnit

- - - - -
b2a4ec53 by Endi S. Dewata at 2020-03-04T18:58:37-06:00
Removed unused Configurator.restoreCertsFromP12()

- - - - -
16dd634a by Endi S. Dewata at 2020-03-04T18:59:35-06:00
Removed unused Configurator.importKeyCert()

- - - - -
fddbe76d by Endi S. Dewata at 2020-03-04T19:00:36-06:00
Removed unused Configurator.deleteExistingCerts()

- - - - -
5cf8f9ce by Endi S. Dewata at 2020-03-04T19:01:29-06:00
Removed unused Configurator.getMasterCertKeyList()

- - - - -
0fe78500 by Endi S. Dewata at 2020-03-04T19:02:38-06:00
Removed unused Configurator.importRequired()

- - - - -
99acc705 by Endi S. Dewata at 2020-03-04T19:03:28-06:00
Removed unused Configurator.getX509Cert()

- - - - -
895accd5 by Endi S. Dewata at 2020-03-04T19:04:26-06:00
Removed unused Configurator.isCASigningCert()

- - - - -
991dd374 by Endi S. Dewata at 2020-03-04T19:05:20-06:00
Removed unused Configurator.getX509CertFromToken()

- - - - -
681b0a7c by Endi S. Dewata at 2020-03-04T19:06:00-06:00
Removed unused Configurator.isAuditSigningCert()

- - - - -
f3b4185f by Endi S. Dewata at 2020-03-04T22:55:59-06:00
Removed instanceId cloning

The instanceId property is provided by the deployment
configuration so it no longer needs to be copied from master.

- - - - -
b0c189fb by Endi S. Dewata at 2020-03-04T22:57:47-06:00
Removed unused cloning.token

The cloning.token property is no longer used so
it has been removed.

- - - - -
254aa364 by Endi S. Dewata at 2020-03-04T23:01:28-06:00
Removed preop.ca.httpport cloning

The preop.ca.httpport property is no longer used so
it no longer needs to be copied from master.

- - - - -
69485c39 by Endi S. Dewata at 2020-03-04T23:01:32-06:00
Removed preop.ca.httpsport cloning

The preop.ca.httpsport property is provided by the deployment
configuration so it no longer needs to be copied from master.

- - - - -
86db661a by Endi S. Dewata at 2020-03-04T23:01:32-06:00
Removed preop.ca.list cloning

The preop.ca.list is no longer used so it no longer needs
to be copied from master.

- - - - -
72d56a1a by Endi S. Dewata at 2020-03-04T23:01:32-06:00
Removed preop.ca.pkcs7 cloning

The preop.ca.pkcs7 property is set during installation so
it no longer needs to be copied from master.

- - - - -
9fb7d8b8 by Endi S. Dewata at 2020-03-04T23:01:32-06:00
Removed preop.ca.hostname cloning

The preop.ca.hostname property is provided by the deployment
configuration so it no longer needs to be copied from master.

- - - - -
f26c7e6c by Endi S. Dewata at 2020-03-05T10:49:46-06:00
Fixed IKeyRecord hierarchy

- - - - -
3e114d1d by Endi S. Dewata at 2020-03-05T10:59:33-06:00
Fixed generic type for IDBSession.createVirtualList()

The generic type for IDBSession.createVirtualList() has been
modified to extend IDBObj.

- - - - -
06a5db9b by Endi S. Dewata at 2020-03-05T10:59:40-06:00
Fixed generic type for IDBVirtualList

The generic type for IDBVirtualList has been modified to
extend IDBObj.

- - - - -
2c79d8b6 by Endi S. Dewata at 2020-03-05T13:38:08-06:00
Updated log messages in DBVirtualList.getEntries()

- - - - -
b7220066 by Endi S. Dewata at 2020-03-05T15:01:52-06:00
Cleaned up CertUtil.createLocalCert()

- - - - -
dd60bab1 by Endi S. Dewata at 2020-03-05T15:01:52-06:00
Removed unused CryptoUtil.createX509CertInfo()

- - - - -
5d34beb3 by Endi S. Dewata at 2020-03-06T10:36:34-06:00
Cleaned up cert nickname and token configuration

The code that configures certificate nicknames and tokens
in Configuration.updateConfig() has been moved into
security_databases.py.

- - - - -
7ee2f454 by Endi S. Dewata at 2020-03-06T10:36:44-06:00
Removed redundant SystemConfigService.updateConfiguration()

The SystemConfigService.updateConfiguration() has been
removed since the properties are already configured earlier
in security_database.py.

- - - - -
9c6e9a32 by Endi S. Dewata at 2020-03-06T10:36:44-06:00
Cleaned up Configurator.getConfigEntriesFromMaster()

The code that configures the certificate nicknames in
Configurator.getConfigEntriesFromMaster() has been removed
since the nicknames are already configured earlier in
security_database.py.

- - - - -
fb799762 by Endi S. Dewata at 2020-03-06T10:36:44-06:00
Updated Configuration.updateDomainXML()

The Configuration.updateDomainXML() has been modified to use
the <subsystem>.cert.subsystem.nickname which already includes
the token name.

- - - - -
659c0d68 by Endi S. Dewata at 2020-03-06T10:40:01-06:00
Cleaned up CA and OCSP signing certs configuration

The code that configures CA and OCSP signing certificates
in Configurator.updateConfig() has been moved into
security_databases.py.

- - - - -
40329fe0 by Endi S. Dewata at 2020-03-06T14:37:21-06:00
Cleaned up KRA certs configuration (part 1)

The code that configures KRA certificates in security_databases.py
has been simplified.

- - - - -
0c3f0643 by Endi S. Dewata at 2020-03-06T14:37:52-06:00
Cleaned up KRA certs configuration (part 2)

The code that configures KRA certificates in
Configurator.updateConfig() has been moved into
security_database.py.

- - - - -
77e49ac8 by Endi S. Dewata at 2020-03-06T14:45:42-06:00
Cleaned up audit signing certs configuration

The code that configures audit signing certificates in
Configurator.updateConfig() has been moved into
security_database.py.

- - - - -
08f86385 by Endi S. Dewata at 2020-03-06T15:07:40-06:00
Removed Configurator.updateConfig()

The remaining code in Configurator.updateConfig() has
been moved out so the method is no longer needed.

- - - - -
685d11a8 by Endi S. Dewata at 2020-03-09T17:02:19-05:00
Updated NSSDatabase.import_pkcs12()

The NSSDatabase.import_pkcs12() has been modified to support
password.conf file.

- - - - -
807c8aaa by Endi S. Dewata at 2020-03-09T19:29:32-05:00
Updated PKISubsystem.export_system_cert()

The PKISubsystem.export_system_cert() has been modified to
support exporting a system certificate without the key.

- - - - -
374d0837 by Endi S. Dewata at 2020-03-09T19:29:46-05:00
Updated pki-server <subsystem>-clone-prep

The pki-server <subsystem>-clone-prep commands have been
modified to support --no-key option.

- - - - -
060254ab by Endi S. Dewata at 2020-03-09T19:29:46-05:00
Added pki pkcs11-cert-export

The pki pkcs11-cert-export has been added to export a certificate
via PKCS #11 interface.

- - - - -
356d33ac by Endi S. Dewata at 2020-03-09T19:29:46-05:00
Updated pki pkcs12-import

The pki pkcs12-import command has been modified to support
password.conf.

- - - - -
347396dc by Endi S. Dewata at 2020-03-09T22:46:49-05:00
Added NSSDatabase.show_cert()

The code that shows certificate information in get
NSSDatabase.get_cert() has been moved into show_cert().

- - - - -
bf7256b7 by Endi S. Dewata at 2020-03-09T22:46:49-05:00
Updated NSSDatabase.get_cert_info()

The NSSDatabase.get_cert_info() has been modified to specify
the token from which to get the certificate.

- - - - -
58cb0870 by Alexander Scheel at 2020-03-10T17:04:39+10:00
Add warning about CVE-2020-1938

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
695053e8 by Fraser Tweedale at 2020-03-11T11:36:21+10:00
ACMEAuthorizationService: handle empty list of challenges

ACMEAuthorizationService creates challenges for an ACMEAuthorization
if .getChallenges() == null.  But the return type of
ACMEAuthorization.getChallenges is Collection<ACMEChallenge>, so it
is reasonble (and arguably more correct and safer) for the database
implementation that loads the authorisation object to set an empty
list of challenges, if there are no challenges, rather than leaving
it as null.

Indeed, that is what the forthcoming LDAP database implementation
does.  And that has exposed this bug, i.e. that although 'null' is
handled, and empty list is not, resulting in issuance failure (the
order cannot be finalised).

So treat '.size() <= 0' the same as '== null'.

- - - - -
1351d968 by Fraser Tweedale at 2020-03-11T14:15:34+11:00
startedByNuxwdog(): extract common code to class

Several classes have duplicated the startedByNuxwdog subroutine.
Extract it to a utility class.

- - - - -
07bd2042 by Fraser Tweedale at 2020-03-11T14:29:09+11:00
getPasswordStore(): extract to IPasswordStore

The ACME LDAP database driver needs an IPasswordStore.  But we don't
want to depend on CMSEngine, where getPasswordStore() is defined.

So extract getPasswordStore() to a static method on the
IPasswordStore interface.  (Static methods on interfaces are
supported since Java 8).  This requires one small change: cmsutil
does not depend on on cmscore so the config store must be passed as
a Map<String, String> instead of a PropConfigStore.

- - - - -
c996d859 by Fraser Tweedale at 2020-03-11T18:17:29+10:00
ACMEEngine: extract order checks to method

ACMEEngine.validateOrder() throws an exception if something is wrong
with the order (e.g. order does not match account ID, or order is
expired).  But it is useful to have a variation that does not throw
an exception and just returns the check result as a value.

Extract this logic to the 'checkOrder()' method.

- - - - -
078c3a01 by Fraser Tweedale at 2020-03-11T18:17:29+10:00
ACME: process all associated pending orders on authz finalisation

In the ACME data model an authorization may be associated with zero,
one or multiple orders.  So when finalising an authorization, we
should process *all* pending orders associated with the completed
authorisation, to see if those orders are now also complete (i.e.
all authorisations have been completed).

To implement this, change the "get order by authz" methods to return
a Collection of orders with a the specified authz ID and status, and
update the ACMEChallengeService to process all returned orders.

- - - - -
f9a19bc3 by Endi S. Dewata at 2020-03-11T21:04:53-05:00
Renamed securityDomain.installToken

The securityDomain.installToken property in acl.properties has
been renamed into securityDomain.read for consistency.

- - - - -
9b47b625 by Endi S. Dewata at 2020-03-12T00:50:26-05:00
Removed securitydomain.store

The securitydomain.store property in CS.cfg has been removed
since the value is hard-coded to 'ldap'. The unused code that
stores security domain info into XML file has been removed from
UpdateDomainXML.process().

- - - - -
66d8cfa1 by Endi S. Dewata at 2020-03-12T00:52:59-05:00
Refactored SecurityDomainProcessor.addEntry()

The code that constructs the LDAP entry for a new security domain
host has been moved into SecurityDomainProcessor.addEntry() which
has been renamed into addHost().

- - - - -
a56d880c by Endi S. Dewata at 2020-03-12T00:56:10-05:00
Refactored SecurityDomainProcessor.removeHost()

The code that constructs the LDAP DN for the security
domain host to be removed has been moved into
SecurityDomainProcessor.removeHost().

- - - - -
7bbf80f8 by Endi S. Dewata at 2020-03-12T10:09:47-05:00
Cleaned up SecurityDomain.deregister()

The unused code that updates the security domain with install
token in SecurityDomain.deregister() has been removed.

- - - - -
65996495 by Endi S. Dewata at 2020-03-12T10:43:01-05:00
Cleaned up DN construction in SecurityDomainProcessor

The code that constructs the DNs in SecurityDomainProcessor
has been simplified since separate admin and agent ports are
no longer supported.

- - - - -
f6040548 by Endi S. Dewata at 2020-03-13T11:53:41-05:00
Updated variable names in ACME services

- - - - -
00a6fdaa by Endi S. Dewata at 2020-03-13T13:38:19-05:00
Fixed typos in ACME user guide

- - - - -
9aa6cf2d by Endi S. Dewata at 2020-03-16T10:33:58-05:00
Merged CryptoUtil.signECCCert()

The CryptoUtil.signECCCert() has been merged into
CryptoUtil.signCert() since they are identical.

- - - - -
27dbecae by Endi S. Dewata at 2020-03-16T10:34:03-05:00
Refactored CryptoUtil.signCert()

The CryptoUtil.signCert() has been modified to take
a java.security.PrivateKey parameter instead of
org.mozilla.js.crypto.PrivateKey.

- - - - -
a0b41362 by Endi S. Dewata at 2020-03-16T10:39:20-05:00
Refactored CryptoUtil.createCertificationRequest()

The CryptoUtil.createCertificationRequest() has been
modified to take a java.security.PrivateKey parameter
instead of a org.mozilla.jss.crypto.PrivateKey.

- - - - -
0efedbcd by Endi S. Dewata at 2020-03-16T10:39:20-05:00
Refactored Configurator.configRemoteCert()

The the code that generates the PKCS #10 request has been
moved outside of Configurator.configRemoteCert().

- - - - -
4206f6fc by Endi S. Dewata at 2020-03-16T10:39:20-05:00
Removed CertUtil.getPKCS10()

The code in CertUtil.getPKCS10() has been merged into
Configurator.configCert().

- - - - -
e79e316f by Endi S. Dewata at 2020-03-16T11:02:20-05:00
Refactored Configurator.configLocalCert()

The Configurator.configLocalCert() has been modified to remove
the unused X509CertImpl parameters.

- - - - -
4df0db18 by Endi S. Dewata at 2020-03-16T11:15:55-05:00
Refactored Configurator.configCert()

The Configurator.configCert() has been modified to return
the newly created X509CertImpl object.

- - - - -
9b3af422 by Endi S. Dewata at 2020-03-16T11:20:41-05:00
Refactored CertUtil.updateLocalRequest()

The code that gets the request ID from the pre-op configuration
has been moved out of CertUtil.updateLocalRequest().

- - - - -
e68b84a7 by Endi S. Dewata at 2020-03-16T11:21:16-05:00
Refactored CertUtil.getAdminProfileAlgorithm()

The code that reads the configuration parameters has been moved
out of CertUtil.getAdminProfileAlgorithm().

- - - - -
95bd3464 by Endi S. Dewata at 2020-03-16T11:54:16-05:00
Added CertUtil.createCertInfo()

The code that creates X509CertInfo has been moved from
CertUtil.createLocalCert() into createCertInfo().

- - - - -
26f193f9 by Endi S. Dewata at 2020-03-16T11:54:16-05:00
Refactored CertUtil.createLocalCert() (part 1)

The code that creates CertInfoProfile has been moved out of
CertUtil.createLocalCert().

- - - - -
e1bc9037 by Endi S. Dewata at 2020-03-16T11:54:16-05:00
Refactored CertUtil.createLocalCert() (part 2)

The code that creates the request object has been moved out of
CertUtil.createLocalCert().

- - - - -
44682336 by Endi S. Dewata at 2020-03-16T11:54:16-05:00
Refactored CertUtil.createLocalCert() (part 3)

The code that reads the configuration parameters has been
moved out of CertUtil.createLocalCert().

- - - - -
b4f4286e by Endi S. Dewata at 2020-03-16T11:54:57-05:00
Refactored CertUtil.createCertInfo()

The code that reads the configuration parameters has been
moved out of CertUtil.createCertInfo()

- - - - -
6a28ec56 by Endi S. Dewata at 2020-03-17T12:34:19+10:00
Added ACMEDatabase.getOrderByCertificate()

The ACMEDatabase.getOrderByCertificate() has been added to
return the order that generated a given certificate.

- - - - -
3a6c791c by Endi S. Dewata at 2020-03-17T12:34:19+10:00
Added ACMERevokeCertificateService

The ACMERevokeCertificateService has been added to revoke
a certificate.

- - - - -
d276a7cd by Endi S. Dewata at 2020-03-17T12:34:19+10:00
Updated ACME user guide

The ACME user guide has been modified to include certificate
revocation and other updates.

- - - - -
47df4e04 by Dinesh Prasanth M K at 2020-03-19T15:56:40-04:00
Remove MAX_NUM_POLICIES hardcoded limit on cerpolicy extension

(This patch is a forward port of #349)

There are cases where an user will like to add more than 20 policies to a cert. RFC 5280
does not impose any hard limit on the number of policies. This patch removes
the hardcoded limit from the code. The user can now specify unlimited policies

This patch also fixes a minor bug to the method signature: `createUserNotice()` (ie)
the noticeNums and noticeText params have been interchanged based on the usage
in other parts of the code.

Resolves: BZ#1768718

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
4b8c7149 by Endi S. Dewata at 2020-03-20T09:09:47-05:00
Fixed typo in getOrderByCertificate

- - - - -
420bc70a by Endi S. Dewata at 2020-03-20T10:10:16-05:00
Reorganized PKI Symkey sources

PKI Symkey sources have been moved from base/symkey/src into
base/symkey/src/main/java to support Maven in the future.

- - - - -
65c1869b by Endi S. Dewata at 2020-03-23T11:22:46-05:00
Added pki securitydomain-host-find

The pki securitydomain-host-find command has been added to
list hosts in security domain.

- - - - -
b3a5f0c6 by Endi S. Dewata at 2020-03-23T11:22:46-05:00
Added pki securitydomain-host-show

The pki securitydomain-host-show has been added to show the
host details in security domain.

- - - - -
afe59acb by Endi S. Dewata at 2020-03-23T11:22:46-05:00
Added pki securitydomain-host-add

The pki securitydomain-host-add command has been added to
add a host into security domain.

- - - - -
6310c263 by Endi S. Dewata at 2020-03-23T11:22:46-05:00
Added pki securitydomain-host-del

The pki securitydomain-host-del command has been added to
remove a host from security domain.

- - - - -
3b5ffaa1 by Endi S. Dewata at 2020-03-23T11:28:20-05:00
Cleaned up Configurator.getSubsystemCert()

The Configurator.getSubsystemCert() has been simplified and
modified to return an X509CertImpl.

- - - - -
1607b907 by Endi S. Dewata at 2020-03-23T11:28:20-05:00
Cleaned up Configurator.setupClientAuthUser()

- - - - -
f01bbbf8 by Endi S. Dewata at 2020-03-23T11:28:20-05:00
Cleaned up CertUtil.addUserCertificate()

- - - - -
5f32e6e5 by Endi S. Dewata at 2020-03-23T11:28:20-05:00
Refactored CertUtil.addUserCertificate()

The code that sets up the user, certificate, and group
has been moved from Configurator.setupClientAuthUser()
into setupUser().

The CertUtil.addUserCertificate() has been moved into
Configurator class and modified to use setupUser().

- - - - -
f674a865 by Endi S. Dewata at 2020-03-23T12:05:56-05:00
Removed unused CryptoUtil.getPKCS10FromKey()

- - - - -
753b6661 by Endi S. Dewata at 2020-03-23T12:11:46-05:00
Merged Configurator.loadCertRequest()

- - - - -
0e771ccc by Endi S. Dewata at 2020-03-23T12:11:46-05:00
Merged CertUtil.injectSANextensionIntoRequest()

- - - - -
6e99d9a4 by Endi S. Dewata at 2020-03-23T12:35:37-05:00
Refactored Configurator.createGenericExtensions()

The code that reads the configuration parameters have been
moved out of Configurator.createGenericExtensions().

- - - - -
f1149818 by Endi S. Dewata at 2020-03-23T12:35:55-05:00
Refactored CertUtil.createLocalRequest()

The code that reads the configuration properties has been
moved out of CertUtil.createLocalRequest().

- - - - -
da1a4208 by Endi S. Dewata at 2020-03-23T17:31:34-05:00
Cleaned up CryptoUtil.createCertificationRequest()

- - - - -
23e68fc6 by Endi S. Dewata at 2020-03-23T18:43:45-05:00
Refactored Configurator.createCertRecord() (part 1)

The code that reads the configuration properties has been
moved out of Configurator.createCertRecord().

- - - - -
40191036 by Endi S. Dewata at 2020-03-23T18:43:54-05:00
Refactored Configurator.createCertRecord() (part 2)

The code that updates the configuration properties has been
moved out of Configurator.createCertRecord().

- - - - -
bde0858a by Endi S. Dewata at 2020-03-24T17:25:24+10:00
Refactored ACMEBackend

Some ACME backends might support only one cert authority, so
the serial number of the certs will be unique. However, some
other backends might support multiple cert authorities so the
serial number by itself might not be unique. The ACMEBackend
needs to be able to generate backend-specific unique ID for
the certs if necessary.

Some ACME backends use two-step cert enrollment: issuance and
retrieval. These steps match the ACME protocol. However, some
other backends use only one-step enrollment. In that case the
server will need to store the issued cert in ACME database for
a later retrieval.

To support the above requirements, the code has been modified
as follows:

- The ACMEBackend.getCertificateID() has been added to create
  a unique ID for a cert. By default it will generate a unique
  ID based on the serial number. A subclass can override this
  method to generate a backend-specific unique ID.

- The ACMEBackend.generateCertificate() has been added to
  generate a certificate in one step. By default this method
  is not implemented. A subclass can override this method to
  implement backend-specific one-step enrollment.

- The ACMEBackend.issueCertificate() has been modified to
  return a cert unique ID instead of the serial number. By
  default this method will call generateCertificate(), then
  call getCertificateID(). A subclass can override this method
  to implement a backend-specific cert issuance.

The ACMEBackend.getCertificateChain() has not been modififed,
but a subclass can override this method either to retrieve the
cert from ACME database (for one-step enrollment) or from the
ACME backend (for two-step enrollment).

- - - - -
b48a8f1a by Fraser Tweedale at 2020-03-24T17:27:25+10:00
acme: add LDAP schema for ACME service db

- - - - -
89555737 by Fraser Tweedale at 2020-03-24T17:27:25+10:00
acme: add LDAPDatabase backend

- - - - -
6eb8e96c by Endi S. Dewata at 2020-03-24T17:25:30-05:00
Reorganized PKI Util sources

PKI Util sources have been reorganized to support Maven in the
future. Here are the changes:
- base/util/src -> base/util/src/main/java
- base/util/src/pki-cmsutil.mf -> base/util/src/main/resources/META-INF/MANIFEST.MF
- base/util/PKICertImport.bash -> base/util/src/main/shell/PKICertImport.bash
- base/util/test -> base/util/src/test/java
- base/util/test/PKICertImport/certs -> base/util/src/test/resources/certs
- base/util/test/PKICertImport/runtest.bash -> base/util/src/test/shell/test_PKICertImport.bash

- - - - -
f4fcae53 by Endi S. Dewata at 2020-03-25T15:01:44-05:00
Added ACMEDatabase.getRevocationAuthorizations()

The ACMEDatabase.getRevocationAuthorizations() has been added
to return all valid and non-expired authorization records
belonging to an account.

- - - - -
e207aadc by Endi S. Dewata at 2020-03-25T15:01:44-05:00
Added ACMEDatabase.hasRevocationAuthorization()

The ACMEDatabase.hasRevocationAuthorization() has been added
to check whether the account has a valid and non-expired
authorization record for a particular identifier.

- - - - -
ae4de576 by Endi S. Dewata at 2020-03-25T15:01:44-05:00
Added revocation with authorization records

The ACMEEngine.validateRevocation() has been modified to support
validating revocation request using the account's authorization
records.

- - - - -
6cd2ce6a by Dinesh Prasanth M K at 2020-03-25T16:02:15-04:00
Patch ECAdminCertProfile upgrade script (#355)

* Patch ECAdminCertProfile upgrade script

The caECAdminCert profile was added 2 years ago but was never patched
to be added to the CS.cfg. Hence, when a user tries to upgrade, the path
did not exist and so, the upgrade failed. This patch adds the missing
attribute to ensure smooth upgradation process

Resolves: BZ#1814242
Upstream: https://pagure.io/dogtagpki/issue/3168

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

* Addressing comments in PR

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>
- - - - -
d5fd230e by Endi S. Dewata at 2020-03-25T15:04:42-05:00
Refactored Configurator.configLocalCert()

The Configurator.configLocalCert() has been modified to call
createRequest() to create the request object.

- - - - -
22e644a4 by Endi S. Dewata at 2020-03-25T15:04:42-05:00
Merged Configurator.configLocalCert()

The Configurator.configLocalCert() has been merged into
configCert().

- - - - -
fca8e7a1 by Endi S. Dewata at 2020-03-25T16:06:58-05:00
Removed redundant SystemConfigService.updateCloneConfiguration()

The SystemConfigService.updateCloneConfiguration() is no longer
making any changes to the server so it has been removed.

- - - - -
df8235ca by Endi S. Dewata at 2020-03-25T20:03:49-05:00
Replaced preop.cert.*.enable

The preop.cert.*.enable is only set to false for certs on replica
except the sslserver cert. The code has been modified to check
for that condition before calling SystemConfigClient.setupCert()
instead of using the properties.

- - - - -
ec05ca86 by Endi S. Dewata at 2020-03-25T20:03:55-05:00
Removed unused preop.cert.*.enable

- - - - -
150d689e by Endi S. Dewata at 2020-03-25T20:03:55-05:00
Removed CertificateSetupRequest.generateServerCert

The code has been modified to call SystemConfigClient.setupCert()
for sslserver certificate only for the first subsystem in the
instance.

- - - - -
e963ad2d by Endi S. Dewata at 2020-03-25T20:03:55-05:00
Removed CertificateSetupRequest.generateSubsystemCert

The code has been modified to call SystemConfigClient.setupCert()
for subsystem certificate only for the first subsystem in the
instance.

- - - - -
e6f254a5 by Dinesh Prasanth M K at 2020-03-26T12:42:05-04:00
Move 10.8.2 upgrade script to 10.8.3

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
8b98421e by Fraser Tweedale at 2020-03-27T09:27:49+10:00
acme: fix LDAPDatabase.removeExpiredNonces

A nonce is expired when its 'acmeExpires' attribute is less than
(before) the current time.  But the LDAP search for expired nonces
was returning non-expired nonces (acmeExpires>=$NOW).  Fix the
search filter expression.

- - - - -
ec3cc76b by Fraser Tweedale at 2020-03-27T09:30:40+10:00
acme: add SANToCNDefault to registry

ACME profiles need the SANToCNDefault profile component in the
registry.  This commit will add it for new installations.  A future
change (perhaps in FreeIPA rather than Dogtag) will address adding
the component to the registry on upgrade.

- - - - -
18a921d6 by Fraser Tweedale at 2020-03-27T09:38:08+10:00
acme: add LDAP indices

- - - - -
e39ba74d by Endi S. Dewata at 2020-03-27T09:41:13+10:00
Renamed ACME backend to issuer

The term "backend" is too generic and might be confused with
"database backend" so it has been replaced with "issuer". The
code, config files, and docs have been updated accordingly.

- - - - -
d118b3ad by Tom Stellard at 2020-03-27T09:42:36+10:00
Silence -Wc++11-narrowing warnings

Clang treats these as errors by default, so this fixes the build with clang.

Example of one of the warnings:

/builddir/build/BUILD/pki-10.8.3/base/tps-client/src/processor/RA_Processor.cpp:3237:28:
error: non-constant-expression cannot be narrowed from type 'int' to
'BYTE' (aka 'unsigned char') in initializer list [-Wc++11-narrowing]

            BYTE nv[2] = { v, 0x01 };

- - - - -
911a8201 by Endi S. Dewata at 2020-03-26T22:20:19-05:00
Fixed pki-server acme-create

- - - - -
79a1a967 by Endi S. Dewata at 2020-03-27T13:04:27-05:00
Cleaned up PKISubsystem.load() and save()

The PKISubsystem.load() and save() have been modified to
use pki.util.load_properties() and store_properties().

- - - - -
999e6941 by Endi S. Dewata at 2020-03-27T14:25:41-05:00
Added PKISubsystem.registry

The PKISubsystem has been modified to load and store
the plugin registry in registry.cfg.

The unused CASubsystem.load_profile_registry() has been
removed.

- - - - -
43fcca64 by Endi S. Dewata at 2020-03-27T21:48:01-05:00
Removed interactive upgrade process

The interactive upgrade process has been removed since
all upgrade steps must be completed before the server
can run. The --silent option is no longer needed so it
has been removed.

- - - - -
e656f127 by Endi S. Dewata at 2020-03-27T21:48:01-05:00
Fixed PKIUpgrader.scriptlets()

The PKIUpgrader.scriptlets() has been modified to use
a more reliable way to mark the last scriptlet in the
list.

- - - - -
4af5f40d by Endi S. Dewata at 2020-03-30T12:25:38+10:00
Changed ACME config file format

The ACME config file format has been changed from JSON to
simple properties which will be more user-friendly and
support comments.

- - - - -
97c724f1 by Fraser Tweedale at 2020-03-30T12:31:43+10:00
acme: implement LDAPDatabase.hasRevocationAuthorization

- - - - -
273d3677 by Fraser Tweedale at 2020-03-30T10:41:20-05:00
acme: fix revocation checks when account did not issue certificate

ACME provides three ways to revoke a certificate:

- proof of possession of private key

- ACME account issued the certificate to be revoked

- ACME account holds authorizations for all identifiers on the
  certificate to be revoked

We recently implemented the third case, but we never reach that code
because an exception is thrown immediately if the current account
did not issue the certificate to be revoked.  Fix the code by not
throwing an exception and instead fall through to the code for the
third case.

- - - - -
d98e3402 by Endi S. Dewata at 2020-04-01T12:24:10+10:00
Added upgrade script for SANToCNDefault

An upgrade script has been added to add SANToCNDefault into
existing registry.cfg. The ACME installation doc has been
updated to no longer require adding SANToCNDefault manually.

- - - - -
ab2f2b38 by Endi S. Dewata at 2020-04-01T17:34:09-05:00
Added handlers to capture CI install logs

- - - - -
6deb112d by Alexander Scheel at 2020-04-02T13:14:34-04:00
Temporarily disable PKI COPR repo for SSLEngine

Having a SSLContext implementation is confusing Tomcat, resulting in PKI
CI failing. Temporarily disable PKI's COPR repo, preventing a newer JSS
from being pulled in.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
82df48c7 by Endi S. Dewata at 2020-04-03T12:31:48-05:00
Added pki-server run --with-valgrind

The --with-valgrind option has been added to pki-server run
command to run the server with valgrind.

- - - - -
abea77b1 by dpuniaredhat at 2020-04-06T11:53:36+05:30
Certificate Enrollment Performance Test script (#370)

* Certificate Enrollment Performance Test script

Signed-off-by: Deepak Punia <dpunia at redhat.com>

* Fixed indentation

* Renamed --url to --hostname

* Removed deprecated subsystem name parameter

* Cleaned up output

Co-authored-by: Endi S. Dewata <edewata at redhat.com>
- - - - -
1ab4a584 by Endi S. Dewata at 2020-04-06T18:36:53-05:00
Fixed upgrade warnings

- - - - -
a8ef2c08 by Endi S. Dewata at 2020-04-06T18:36:53-05:00
Removed interactive upgrade process (part 2)

This is a continuation of 43fcca6431bd709ba92aee315a24c9a62648dd48.

- - - - -
80630e61 by Endi S. Dewata at 2020-04-06T18:36:53-05:00
Removed unused PKIUpgrader.index

- - - - -
b4536e14 by Endi S. Dewata at 2020-04-06T18:36:53-05:00
Removed unused PKIUpgrader.version

- - - - -
55eb3e25 by Endi S. Dewata at 2020-04-06T18:36:53-05:00
Removed unused PKIServerUpgrader.instance_version

- - - - -
f2900ccc by Endi S. Dewata at 2020-04-06T18:36:53-05:00
Removed unused PKIServerUpgrader.subsystemName

- - - - -
2a0de2a0 by Fraser Tweedale at 2020-04-07T11:10:21+10:00
acme: PKIIssuer: support reading password from file

It may be desirable to put the PKIIssuer password configuration in a
different file, e.g. /etc/pki/pki-tomcat/password.conf.  Add support
for this via the 'passwordFile' config.

- - - - -
856ccf3d by Endi S. Dewata at 2020-04-06T20:43:41-05:00
Refactored PKIServerUpgrader.instanceName

The PKIServerUpgrader.instanceName has been replaced with
a list of instances provided by the caller.

- - - - -
6fb014e8 by Endi S. Dewata at 2020-04-06T20:43:41-05:00
Refactored PKIServerUpgrader.subsystems()

The code that calls PKIServerUpgrader.subsystems() has been
modified to get the subsystems from the instance directly.

- - - - -
c8800dad by Endi S. Dewata at 2020-04-06T20:43:41-05:00
Refactored PKIUpgradeScriptlet.upgrade()

The PKIUpgradeScriptlet.upgrade() has been replaced with
PKIUpgrader.run_scriptlet().

- - - - -
e1fb07c9 by Endi S. Dewata at 2020-04-06T20:43:41-05:00
Refactored PKIUpgradeScriptlet.init()

The PKIUpgradeScriptlet.init() has been replaced with
PKIUpgrader.init_scriptlet().

- - - - -
c1cda5d8 by Endi S. Dewata at 2020-04-06T20:46:32-05:00
Refactored PKIServerUpgradeScriptlet.upgrade_subsystems()

The PKIServerUpgradeScriptlet.upgrade_subsystems() has been
replaced with PKIUpgrader.upgrade_subsystems().

- - - - -
3fa929b2 by Endi S. Dewata at 2020-04-06T20:46:44-05:00
Refactored PKIServerUpgradeScriptlet.update_server_tracker()

The PKIServerUpgradeScriptlet.update_server_tracker() has been
replaced with PKIServerUpgrader.update_server_tracker().

- - - - -
064f598d by Endi S. Dewata at 2020-04-06T20:46:44-05:00
Refactored PKIServerUpgradeScriptlet.can_upgrade_server()

The PKIServerUpgradeScriptlet.can_upgrade_server() has been
replaced with PKIServerUpgrader.can_upgrade_server().

- - - - -
b305919a by Endi S. Dewata at 2020-04-06T20:46:44-05:00
Refactored PKIUpgradeScriptlet.update_tracker()

The PKIUpgradeScriptlet.update_tracker() has been replaced
with PKIUpgrader.update_tracker().

- - - - -
074702c9 by Endi S. Dewata at 2020-04-06T20:46:44-05:00
Refactored PKIUpgradeScriptlet.can_upgrade()

The PKIUpgradeScriptlet.can_upgrade() has been replaced
with PKIUpgrader.can_upgrade().

- - - - -
7c970fcb by Endi S. Dewata at 2020-04-07T18:27:53-05:00
Added pki-server run --agentpath

The pki-server run command has been modified to provide
an option to specify the agent path for Java.

- - - - -
5a3f3f73 by Endi S. Dewata at 2020-04-07T22:35:00-05:00
Fixed CertUtil.createCertInfo()

The CertUtil.createCertInfo() broke when it was cleaned up
in commit b7220066354a177b973ef9279da22f09b6a72d37 causing
a problem in CA installation with external CA signing cert.
The code has been reverted to work properly.

https://pagure.io/dogtagpki/issue/3162

- - - - -
f66b7639 by Endi S. Dewata at 2020-04-08T20:24:22-05:00
Added pki-tests package

A new pki-tests package has been added for PKI test suite.
Currently it is empty. The content will be added later.

- - - - -
c46d63a9 by Endi S. Dewata at 2020-04-08T20:52:53-05:00
Fixed PKIServerUpgrader.get_server_tracker()

The PKIServerUpgrader.get_server_tracker() has been modified
to fix incorrect subsystem tracker name.

- - - - -
d3824107 by Endi S. Dewata at 2020-04-08T20:59:41-05:00
Fixed PKIUpgradeTracker.__init__()

The PKIUpgradeTracker.__init__() has been modified to run all
scriptlets for each upgrade version regardless of previous
upgrade status.

- - - - -
bcb160d4 by Endi S. Dewata at 2020-04-08T20:59:45-05:00
Fixed PKIServerUpgrader.upgrade_subsystems()

The PKIServerUpgrader.upgrade_subsystems() has been modified
to reload the subsystem configuration to synchronize tracker
changes in CS.cfg.

- - - - -
2fa58b5b by Endi S. Dewata at 2020-04-09T20:10:09-05:00
Fixed warnings in PKIUpgradeScriptlet.backup()

- - - - -
62dbebf8 by Endi S. Dewata at 2020-04-09T20:14:37-05:00
Cleaned up log messages in PKIUpgrader.upgrade()

- - - - -
f6af950f by Endi S. Dewata at 2020-04-09T20:14:47-05:00
Cleaned up log messages in PKIUpgrader.revert()

- - - - -
9adaeccc by Endi S. Dewata at 2020-04-09T20:14:47-05:00
Removed PKIServerUpgrader.can_upgrade_server()

The PKIServerUpgrader.can_upgrade_server() method and the
PKIUpgrader.can_upgrade() method are no longer needed since
all scriptlets for an upgrade version will be executed, so
they have been removed.

- - - - -
423f0d72 by Endi S. Dewata at 2020-04-09T20:14:47-05:00
Removed subsystem upgrade trackers

The PKIServerUpgrader has been modified to no longer use
subsystem upgrade trackers.

- - - - -
adf0ad35 by Endi S. Dewata at 2020-04-09T20:14:47-05:00
Cleaned up PKIServerUpgrader.get_server_tracker()

The PKIServerUpgrader.get_server_tracker() has been modified
to no longer create subsystem upgrade tracker objects.

- - - - -
62923b01 by Endi S. Dewata at 2020-04-10T00:04:14-05:00
Refactored PKIServerUpgrader.__init__()

The PKIServerUpgrader.__init__() has been modified to
take a single instance instead of a list of instances.

- - - - -
2ee49ed9 by Endi S. Dewata at 2020-04-10T00:04:14-05:00
Refactored PKIServerUpgrader.instances

The list of instances in PKIServerUpgrader has been
replaced with a single instance.

- - - - -
4b944ebd by Endi S. Dewata at 2020-04-10T00:13:33-05:00
Refactored PKIServerUpgrader.get_server_tracker()

The PKIServerUpgrader.get_server_tracker() has been
renamed into get_tracker().

- - - - -
c8ab5ad6 by Endi S. Dewata at 2020-04-13T12:42:55-05:00
Moved PKI_DEPLOYMENT_DEFAULT_DIR_PERMISSIONS

The PKI_DEPLOYMENT_DEFAULT_DIR_PERMISSIONS has been moved to
pki.server.DEFAULT_DIR_MODE.

- - - - -
bc71461f by Endi S. Dewata at 2020-04-13T12:43:07-05:00
Moved PKI_DEPLOYMENT_DEFAULT_FILE_PERMISSIONS

The PKI_DEPLOYMENT_DEFAULT_FILE_PERMISSIONS has been moved to
pki.server.DEFAULT_FILE_MODE.

- - - - -
a93ec6f1 by Endi S. Dewata at 2020-04-13T12:43:15-05:00
Updated PKIServer.makedirs()

The PKIServer.makedirs() has been updated to set the modes of
the new directories.

- - - - -
8ceb7a5f by Endi S. Dewata at 2020-04-13T12:43:21-05:00
Updated PKIServer.copyfile()

The PKIServer.copyfile() has been updated to set the mode of
the new file.

- - - - -
798b3a78 by Endi S. Dewata at 2020-04-13T12:43:25-05:00
Updated PKIServer.copy()

The PKIServer.copy() has been updated to set the modes of the
new directories and files.

- - - - -
086806f6 by Endi S. Dewata at 2020-04-13T15:42:18-05:00
Cleaned up import statements in pkispawn/pkidestroy

- - - - -
d9948c7b by Endi S. Dewata at 2020-04-13T15:42:55-05:00
Cleaned up pkispawn/pkidestroy help messages

- - - - -
873d5439 by Endi S. Dewata at 2020-04-13T15:43:02-05:00
Removed unused pkispawn/pkidestroy properties

- - - - -
67189324 by Endi S. Dewata at 2020-04-13T15:43:10-05:00
Refactored start_logging() in pkispawn

- - - - -
de217557 by Endi S. Dewata at 2020-04-13T15:43:19-05:00
Removed pki_log_level global variable

- - - - -
384bf0ee by Endi S. Dewata at 2020-04-13T16:15:08-05:00
Removed pki_log_name global variable

- - - - -
4900b203 by Endi S. Dewata at 2020-04-13T16:15:08-05:00
Removed pki_log_dir global variable

- - - - -
0102d836 by Endi S. Dewata at 2020-04-13T16:15:08-05:00
Added --debug option for pkispawn/pkidestroy

- - - - -
773a2da8 by Endi S. Dewata at 2020-04-13T17:44:41-05:00
Added PKIServer.exists()

The PKIServer.exists() has been added to replace is_valid().

- - - - -
cc140e0d by Endi S. Dewata at 2020-04-13T17:44:41-05:00
Added PKIServer.touch()

The PKIServer.touch() has been added to create a file with
the proper permissions.

- - - - -
d930c3ab by Endi S. Dewata at 2020-04-15T20:44:13-05:00
Cleaned up PKIServerUpgrader.upgrade_subsystems()

- - - - -
55582f6e by Endi S. Dewata at 2020-04-15T20:45:45-05:00
Cleaned up PKIServerUpgrader.run_scriptlet()

- - - - -
02f3c9fb by Endi S. Dewata at 2020-04-15T21:13:42-05:00
Removed tracker methods from PKIServerUpgrader

The tracker methods in PKIServerUpgrader have been removed
since they are identical to the ones in PKIUpgrader.

- - - - -
35478b2c by Endi S. Dewata at 2020-04-15T21:14:26-05:00
Merged PKIServerUpgrader.get_current_version()

The PKIServerUpgrader.get_current_version() has been merged
with the one in PKIUpgrader.

- - - - -
183bbc2c by Endi S. Dewata at 2020-04-15T22:51:55-05:00
Fixed javadoc warnings

- - - - -
ec044119 by Endi S. Dewata at 2020-04-15T23:17:22-05:00
Removed deprecated ClientResponseType

- - - - -
5b3ac481 by Endi S. Dewata at 2020-04-15T23:18:07-05:00
Added PKIServer.copydirs()

- - - - -
391dccf7 by Endi S. Dewata at 2020-04-16T15:38:18-05:00
Refactored PKIInstance.get_subsystems()

The PKIInstance.get_subsystems() has been moved into
PKIServer class.

- - - - -
7916b404 by Endi S. Dewata at 2020-04-16T15:38:33-05:00
Updated log messages in pki.server

- - - - -
7df26d23 by Endi S. Dewata at 2020-04-16T15:38:35-05:00
Updated log messages in pki.server.deployment

- - - - -
798fa33b by Endi S. Dewata at 2020-04-16T15:38:36-05:00
Updated log messages in pki.server.instance

- - - - -
52ec771a by Endi S. Dewata at 2020-04-16T15:38:37-05:00
Updated log messages in pki.server.subsystem

- - - - -
af0c7fdd by Endi S. Dewata at 2020-04-16T15:38:38-05:00
Updated log messages in pkihelper.py

- - - - -
5e7c3492 by Endi S. Dewata at 2020-04-16T16:46:00-05:00
Updated log messages in infrastructure_layout.py

- - - - -
b49867ae by Endi S. Dewata at 2020-04-16T16:46:24-05:00
Updated log messages in instance_layout.py

- - - - -
7b2ff7f6 by Endi S. Dewata at 2020-04-16T16:48:09-05:00
Updated log messages in security_databases.py

- - - - -
b849cd10 by Endi S. Dewata at 2020-04-16T21:44:15-05:00
Refactored PKIUpgradeScriptlet.backup()

The PKIUpgradeScriptlet.backup() has been moved into
PKIUpgrader class.

- - - - -
2bcb68a0 by Endi S. Dewata at 2020-04-16T21:44:15-05:00
Cleaned up pkidaemon log messages

- - - - -
f5dbb1d9 by Endi S. Dewata at 2020-04-16T21:44:15-05:00
Cleaned up pki-server migrate log messages

- - - - -
527a97c0 by Endi S. Dewata at 2020-04-16T21:45:03-05:00
Cleaned up pki-server upgrade log messages

- - - - -
98544f99 by Endi S. Dewata at 2020-04-17T10:22:56-05:00
Updated log messages in subsystem_layout.py

- - - - -
7dafa3bf by Endi S. Dewata at 2020-04-17T14:36:15-05:00
Added PKIServer.get_subsystems()

- - - - -
55cb5e4b by Endi S. Dewata at 2020-04-17T16:44:25-05:00
Refactored PKIServer.subsystems

The PKIServer.subsystems has been changed from a list to
a dictionary.

- - - - -
6d60732c by Endi S. Dewata at 2020-04-17T16:44:34-05:00
Cleaned up AbstractBasePkiScriptlet

- - - - -
8259178a by Endi S. Dewata at 2020-04-17T16:44:34-05:00
Added AbstractBasePkiScriptlet.instance

- - - - -
96642fa5 by Endi S. Dewata at 2020-04-17T17:06:07-05:00
Cleaned up enable_pki_logger()

- - - - -
ee54af52 by Endi S. Dewata at 2020-04-17T17:32:30-05:00
Display upgrade errors on console

- - - - -
918612e8 by Alexander Scheel at 2020-04-21T21:43:54-04:00
Update to jquery v3.4.1

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
49728af0 by Alexander Scheel at 2020-04-21T21:43:54-04:00
Update to jquery-i18n-properties v1.2.7

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
4f5e2676 by Alexander Scheel at 2020-04-21T21:43:54-04:00
Update to backbone v1.4.0

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
5dd8e345 by Alexander Scheel at 2020-04-21T21:43:54-04:00
Upgrade to bootstrap v3.4.1

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
b46f6611 by Alexander Scheel at 2020-04-21T21:43:54-04:00
Upgrade to underscore v1.9.2

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
d0dacd14 by Alexander Scheel at 2020-04-21T21:43:54-04:00
Update to patternfly v3.59.3

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
aa6afbf2 by Alexander Scheel at 2020-04-21T21:43:54-04:00
Update Patternfly fonts

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
1e7d4af0 by Alexander Scheel at 2020-04-21T21:45:07-04:00
Include new ecj.jar path in pki.policy

Resolves: rhbz#1755634

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
3a314aa1 by Endi S. Dewata at 2020-04-22T15:20:40-05:00
Added wildcard support for ACME responder

The ACME responder has been modified to support wildcards for
enrollment and revocation using in-memory and PostgresSQL
databases. The support for LDAP database will be added later.

- - - - -
f8729b87 by Fraser Tweedale at 2020-04-23T12:22:36-04:00
acme: fix NPE ACMEEngine.validateCSR()

validateCSR() reads authz.getWildcard() and uses the result in a
condition.  But this routine returns Boolean, and if the result is
null (not set; implying false) then NullPointerException occurs.

Avoid the NPE by first testing != null.

- - - - -
396d419f by Fraser Tweedale at 2020-04-23T12:22:52-04:00
acme: avoid vacuous revocation authorisation

If there are no identifiers to check authorisation will be vacuously
authorised.  Certificate use cases where there might be no ACME
identifiers include user or CA certificates.  Prevent revocation
unless there is at least one ACME identifier to check.

- - - - -
7af607b8 by Dinesh Prasanth M K at 2020-04-23T13:29:38-04:00
Add GH actions to CI (#383)

This Patch:

- Adds Github Actions to CI
- reuses scripts under ./travis/ (requires improvement)
- Uploads artifacts to GH by removing dependency on transfer.sh
- Uploads built rpms (auto-deleted every 90 days)
- Runs build job on container provisioned by GH actions (ie)
  not necessary to meddle with docker/podman commands manually
- Run PKI test job on self-provisioned container (room for improvement
  by running on service containers by combining with Docker GH actions)
- Gathers logs of IPA and PKI and corresponding journalctl
  logs and uploads it as a GH action artifact

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>
- - - - -
3544aef7 by Dinesh Prasanth M K at 2020-04-23T17:15:06-04:00
Clean up GH actions code

Update self executed container to ensure
we run with latest set of packages

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
0db1749f by Fraser Tweedale at 2020-04-24T12:23:02+10:00
acme: prevent revocation of wrong certificate

For the PKIIssuer we must retrieve and compare the full certificate
against the certificate from the revocation request.  Otherwise a
certificate from a different issuer or a maliciously altered
certificate that otherwise passes revocation authorisation checks
will cause the PKIIssuer to revoke the serial number of the
presented certificate.

- - - - -
214f3b6c by Fraser Tweedale at 2020-04-24T12:23:02+10:00
acme: document ACMEIssuer.revokeCert security requirements

- - - - -
08d4c547 by jmagne at 2020-04-24T15:20:53-07:00
Apply contributed patch - TPS - Searching the certificate DB for a brand new token takes too long. Bad search filter (#390)

Resolves:
Bug 1710975 - TPS - Searching the certificate DB for a band new token takes too long. Bad search filter.
Submitted by RHCS-Maint
- - - - -
c396b44f by Endi S. Dewata at 2020-04-27T16:02:51-05:00
Always run workflows regardless of branch

- - - - -
dadc7433 by Endi S. Dewata at 2020-04-27T16:45:56-05:00
Updated PKIUpgrader.copyfile()

The PKIUpgrader.copyfile() has been updated to provide a
force option.

- - - - -
9dbe1a2b by Endi S. Dewata at 2020-04-27T16:45:56-05:00
Refactored PKIUpgradeScriptlet.revert()

The PKIUpgradeScriptlet.revert() has been moved into
PKIUpgrader class.

- - - - -
56c21c22 by Endi S. Dewata at 2020-04-27T16:47:02-05:00
Updated pki.util.makedirs()

The pki.util.makedirs() has been updated to provide an
exist_ok as in os.makedirs().

- - - - -
1d78cebb by Endi S. Dewata at 2020-04-27T16:47:19-05:00
Added PKIServer.store_properties()

The PKIServer.store_properties() has been added to store
property files with the proper ownership.

- - - - -
9abe18d2 by Endi S. Dewata at 2020-04-27T16:47:19-05:00
Updated log messages in subsystem_layout.py

- - - - -
20a6fdf3 by Endi S. Dewata at 2020-04-27T16:47:19-05:00
Refactored subsystem_layout.py

The subsystem_layout.py has been modified to create the
subsystem files using PKIServer methods.

- - - - -
ac1d229a by Endi S. Dewata at 2020-04-28T12:18:25-05:00
Updated registry.cfg creation

The deployment scriptlet has been modified to create the
registry.cfg consistently for all subsystems.

- - - - -
637e9e66 by Endi S. Dewata at 2020-04-28T14:11:40-05:00
Changed CertService.authority type

The CertService.authority has been modified to use
CertificateAuthority instead of ICertificateAuthority.

- - - - -
d0c5a7ef by Endi S. Dewata at 2020-04-28T14:11:44-05:00
Updated exception handling in CertService.getCertChainData()

The CertService.getCertChainData() has been modified not to
catch any exception and let the caller handle it.

- - - - -
97a142d3 by Endi S. Dewata at 2020-04-28T14:11:44-05:00
Removed null checks in CertService.getCertChainData()

The null checks for mCACerts in CertService.getCertChainData()
are unnecessary so they have been removed.

- - - - -
e6019dfc by Endi S. Dewata at 2020-04-28T14:54:02-05:00
Updated exception handling in CAEngine.getPKCS7()

The CAEngine.getPKCS7() has been modified not to catch
any exception and to let the caller handle it.

- - - - -
f76fc230 by Endi S. Dewata at 2020-04-28T14:55:31-05:00
Refactored CAEngine.getPKCS7()

The CAEngine.getPKCS7() has been converted into getCertChain()
which returns an array of X509Certificates.

- - - - -
5a28baf6 by Endi S. Dewata at 2020-04-28T14:56:32-05:00
Cleaned up CAEngine.getCertChain()

- - - - -
899d1c34 by Endi S. Dewata at 2020-04-28T17:20:34-05:00
Refactored CertService.getCertChainData()

The CertService.getCertChainData() has been converted into
getCertChain() which returns an array of X509Certificates.

- - - - -
68fefe33 by Endi S. Dewata at 2020-04-28T17:27:39-05:00
Cleaned up PKCS7.encodeSignedData() calls

- - - - -
c17fa904 by Endi S. Dewata at 2020-04-28T19:57:26-05:00
Added CertUtils.certInCertChain()

The code that checks if a cert is already in a cert chain
has been moved into CertUtils.certInCertChain().

- - - - -
19b936da by Endi S. Dewata at 2020-04-28T20:06:54-05:00
Simplified CertService.getCertChain()

- - - - -
3d610cd8 by Endi S. Dewata at 2020-04-28T20:13:48-05:00
Merged CertService.getCertChain()

The CertService.getCertChain() has been merged into
CAEngine.getCertChain().

- - - - -
8540b5a2 by Endi S. Dewata at 2020-04-29T19:29:16-05:00
Fixed Password.get_password()

- - - - -
eef48da5 by Endi S. Dewata at 2020-04-29T19:29:16-05:00
Moved ClientCertImportCLI.setTrustAttributes()

The ClientCertImportCLI.setTrustAttributes() has been moved
into CryptoUtil.setTrustFlags().

- - - - -
e9b82e4f by Endi S. Dewata at 2020-04-29T19:29:16-05:00
Added CryptoUtil.importPKCS7()

The code that imports PKCS #7 certificates into NSS database
has been moved into CryptoUtil.importPKCS7().

- - - - -
25db7f31 by Endi S. Dewata at 2020-04-29T19:29:16-05:00
Added pki pkcs7-import

The pki pkcs7-import command has been added to import
PKCS #7 certificate chain into NSS database.

- - - - -
eb6bb2f1 by Endi S. Dewata at 2020-04-29T19:56:05-05:00
Added TransportKeyUnit.getChain()

The TransportKeyUnit.getChain() has been added to provide
the certificate chain for the transport certificate.

- - - - -
62540fcd by Endi S. Dewata at 2020-04-29T20:20:16-05:00
Updated KRASystemCertService

The KRASystemCertService has been modified to provide
the certificate chain for KRA transport certificate.

- - - - -
78fb45d9 by Endi S. Dewata at 2020-04-29T20:20:39-05:00
Updated CASystemCertService

The CASystemCertService has been modified to provide the
certificate chains for CA signing certificate and the
transport certificate for the KRA connector.

- - - - -
1593608a by Endi S. Dewata at 2020-04-29T20:20:45-05:00
Removed unused preop.<subsystem>.certchain.*

- - - - -
425ccd3e by Endi S. Dewata at 2020-04-29T20:54:05-05:00
Refactored pki_one_time_pin

The code that generates pki_one_time_pin has been moved into
subsystem_layout.py. The code that loads pki_one_time_pin
has been moved into configuration.py.

- - - - -
f96023d3 by Fraser Tweedale at 2020-04-30T14:48:07+10:00
acme: reject CSR with unknown indentifiers

Unknown identifiers must be treated as unauthorised.  Otherwise a
CSR with only authorised DNS names but e.g. *also* an RFC822 name,
would be passed through to the CA and (under a standard profile
configuration) issued with the unrecognised name.

This is an unacceptable security flaw and also violates RFC 8555
§7.4.

- - - - -
cadf100b by Fraser Tweedale at 2020-04-30T14:48:07+10:00
acme: ensure all identifiers from order appear in CSR

RFC 8555 §7.4 states:

   The CSR MUST indicate the exact same
   set of requested identifiers as the initial newOrder request.

We were already checking that unauthorised DNS names were not
present in the CSR.  But we did not check that /all/ the names from
the order were present in the CSR.  Add this check.

- - - - -
aa186769 by Fraser Tweedale at 2020-04-30T14:50:05+10:00
acme: add config to disable entire service

Read the (optional) `engine.conf' to enable or disable the entire
ACME engine.  If the file is missing or if its 'enabled=' knob is
not present, the default is to enable the service (preserving
existing behaviour).

The status is enforced by the ACMERequestFilter which will result in
status 503 Service Unavailable if the engine is disabled.

- - - - -
d5374dfa by Fraser Tweedale at 2020-04-30T14:50:05+10:00
acme: add dynamic enable/disable of ACME service

Update ACME configuration system to support dynamically
enabling/disabling the ACME service.

This patch implements two providers: one that just supplies default
configuration (ACME service is uncondtionally enabled) and another
that reads the configuration from a file, and also watches that file
and reloads the configuration when the file is modified.

The engine configuration source and its parameters are defined in
'configsources.conf'.  When using ACMEEngineConfigFileSource the
file to read is configurable; 'engine.conf' is suggested.

Other parts of the ACME service configuration may eventually be made
configurable, e.g. validator configuration, backend configuration,
etc.  When we implement those features, 'configsources.conf' should
be used to configure those config sources too.

The FreeIPA implementation of ACME sercice will require LDAP-based
dynamic reconfiguration (i.e. so the ACME service can be
enabled/disabled deployment-wide with a single modification in
replicated LDAP database).  This patch does not implement an LDAP
configuration provider (that will come in a later patch).  But it is
a proof of the interfaces and may be useful for other ACME
deployments.  Some other parts of the configuration, e.g. which
challenges are enabled, may also require a similar capability so
this patch also serves as a reference implementation of the concept.

- - - - -
da9d0260 by Fraser Tweedale at 2020-04-30T14:50:05+10:00
acme: add example configsources.conf and engine.conf

- - - - -
d9cf715f by Fraser Tweedale at 2020-04-30T14:50:05+10:00
acme: ACMEEngineConfigFileSource: cache values

Cache config values to avoid spurious updates.  Use of the caches
ensures we only send a value if it actually changed, instead of
every time the file gets re-read.

- - - - -
befad485 by Endi S. Dewata at 2020-04-30T09:41:21-05:00
Added pki ca-cert-signing-export --pkcs7 option

The pki ca-cert-signing-export has been modified to provide
an option to export the CA signing certificate chain.

- - - - -
8c9fa74a by Endi S. Dewata at 2020-04-30T09:41:21-05:00
Added pki ca-cert-transport-export --pkcs7 option

The pki ca-cert-transport-export has been modified to provide
an option to export the transport certificate chain for the KRA
connector.

- - - - -
b7028e52 by Endi S. Dewata at 2020-04-30T09:41:21-05:00
Added pki kra-cert-transport-export --pkcs7 option

The pki kra-cert-transport-export has been modified to provide
an option to export the KRA transport certificate chain.

- - - - -
45cd1ad1 by Endi S. Dewata at 2020-04-30T11:37:26-05:00
Refactored NSSDatabase.import_pkcs7() (part 1)

The NSSDatabase.import_pkcs7() has been modified to no longer
return the nickname of the imported certificate chain.

- - - - -
fb7270d3 by Endi S. Dewata at 2020-04-30T11:37:49-05:00
Refactored NSSDatabase.import_pkcs7() (part 2)

The NSSDatabase.import_pkcs7() has been modified to no longer
return the imported certificate chain.

- - - - -
7fa4f3fd by Endi S. Dewata at 2020-04-30T11:37:56-05:00
Refactored NSSDatabase.import_pkcs7() (part 3)

The NSSDatabase.import_pkcs7() has been modified to support
importing certificate chain without a nickname.

- - - - -
2141e8ee by Endi S. Dewata at 2020-04-30T11:37:56-05:00
Removed Configurator.importCertChain()

The code in Configurator.importCertChain() has been moved
into configureCACertChain() and setupClone().

- - - - -
e688337b by Endi S. Dewata at 2020-04-30T11:37:56-05:00
Added get_cert_chain() in configuration.py

The get_cert_chain() has been added into configuration.py
to retrieve the signing certificate chain from the CA.

- - - - -
ca4384ac by Dinesh Prasanth M K at 2020-04-30T19:29:46-04:00
Refactor Certificate Transparency request - JSON parameter (#398)

This patch:

- Generates JSON for certificate Transparency using jackson
- Create wrapper class for CTRequest
- Sorts the certificate chain, from subCA to rootCA, before
  embedding on the JSON request

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>
- - - - -
6ac70e58 by Endi S. Dewata at 2020-05-01T18:33:50-05:00
Updated CryptoUtil.importPKCS7() (part 1)

The CryptoUtil.importPKCS7() has been modified to trust
the root CA certificate.

- - - - -
4aa1d8bc by Endi S. Dewata at 2020-05-01T18:33:53-05:00
Updated CryptoUtil.importPKCS7() (part 2)

The CryptoUtil.importPKCS7() has been modified to support
setting the nickname of the leaf certificate.

- - - - -
81a67b72 by Endi S. Dewata at 2020-05-01T18:33:58-05:00
Updated CryptoUtil.importPKCS7() (part 3)

The CryptoUtil.importPKCS7() has been modified to support
setting the trust flags of the leaf certificate.

- - - - -
091afb4e by Endi S. Dewata at 2020-05-01T19:07:52-05:00
Updated pki pkcs7-import (part 1)

The pki pkcs7-import has been modified to accept an optional
nickname for the leaf certificate.

- - - - -
e8122e46 by Endi S. Dewata at 2020-05-01T19:07:56-05:00
Updated pki pkcs7-import (part 2)

The --input-file option in pki pkcs7-import has changed to
become optional. If it's not specified the command will read
the PKCS #7 from standard input.

- - - - -
c6918ecd by Endi S. Dewata at 2020-05-01T19:21:47-05:00
Updated pki pkcs7-import (part 3)

The --trust-flags in pki pkcs7-import has been modified to
set the trust flags for the leaf certificate.

- - - - -
f08372bd by Endi S. Dewata at 2020-05-01T20:06:38-05:00
Cleaned up ClientCertImportCLI.importPKCS7()

The ClientCertImportCLI.importPKCS7() has been modified to reuse
CryptoUtil.importPKCS7().

- - - - -
88cb3279 by Endi S. Dewata at 2020-05-01T20:09:38-05:00
Deprecated pki client-cert-import --pkcs7

The pki client-cert-import --pkcs7 has been replaced with
pki pkcs7-import.

- - - - -
87abed71 by Viktor Ashirov at 2020-05-04T10:17:03-05:00
Update ACIs with the correct syntax

The value of the first character in target* keywords
is expected to be a double quote.

Fixes: https://pagure.io/dogtagpki/issue/3173

Signed-off-by: Viktor Ashirov <vashirov at redhat.com>

- - - - -
26ffde4f by Endi S. Dewata at 2020-05-04T13:36:34-05:00
Updated PKIClient

The PKIClient has been updated to provide a new constructor,
get(), post(), and getInfo() methods.

- - - - -
cc7eff9b by Endi S. Dewata at 2020-05-04T14:10:27-05:00
Updated MainCLI

The MainCLI has been modified to call PKIClient.getInfo()
to get the server information.

- - - - -
390c9aea by Endi S. Dewata at 2020-05-04T14:10:31-05:00
Updated InfoCLI

The InfoCLI has been modified to call PKIClient.getInfo()
to get the server information.

- - - - -
e7a8125c by Endi S. Dewata at 2020-05-04T14:10:38-05:00
Replaced Configurator.get()

The Configurator.get() has been replaced with PKIClient.get().

- - - - -
a1e301f4 by Endi S. Dewata at 2020-05-04T14:10:38-05:00
Replaced Configurator.post()

The Configurator.post() has been replaced with PKIClient.post().

- - - - -
8fd74e49 by Endi S. Dewata at 2020-05-04T22:12:02-05:00
Refactored Configurator.getCertChain()

The Configurator.getCertChain() has been modified to use the
PKIClient provided by the caller.

- - - - -
5d9d09b6 by Endi S. Dewata at 2020-05-04T22:12:28-05:00
Moved Configurator.getCertChain()

The Configurator.getCertChain() has been moved into CAClient.

- - - - -
4b3d8d5b by Endi S. Dewata at 2020-05-04T22:12:29-05:00
Moved SystemCertService.createCertificateData()

The SystemCertService.createCertificateData() has been moved
into CertData.fromCertChain().

- - - - -
af6114b5 by Endi S. Dewata at 2020-05-04T22:12:29-05:00
Updated CASystemCertClient.getSigningCert()

The CASystemCertClient.getSigningCert() has been modified to
fallback to legacy servlet if the REST service is not available.

- - - - -
d8d50efc by Endi S. Dewata at 2020-05-04T22:12:29-05:00
Updated pki client-cert-import --ca-server

The pki client-cert-import --ca-server has been modified to
use CAClient.getCertChain().

- - - - -
10db1f44 by Fraser Tweedale at 2020-05-05T19:05:55+10:00
acme: make acmeAuthorizationWildcard a required attribute

Having acmeAuthorizationWildcard as a required attribute will make
identifier queries for revocation authorisation checking much
simpler.  Therefore make it a required attribute and ensure we set
it when creating authorization objects.

Note also:

* The ACME authorization (JSON) objects MUST include the
  "wildcard" member ONLY when the value is true, otherwise
  the "wildcard" member MUST NOT be included.  Therefore
  there is no change to the implementation when reading
  authorization objects from LDAP.

* The wildcard attribute is, at this time, only used for DNS
  identifier authorisations.  If we implement other kinds of
  identifiers, now that it is a mandatory LDAP attribute it
  a value will still have to be assigned for this attribute.
  Intuitively, FALSE would seem a reasonable value to use, but we
  should decide carefully for each identifier type and document
  the reasons.

- - - - -
8259b5e4 by Fraser Tweedale at 2020-05-05T19:05:55+10:00
acme: update LDAPDatabase to handle wildcard revocation

- - - - -
7e2d1d9b by Endi S. Dewata at 2020-05-05T14:07:56-05:00
Fixed PKIClient constructor

- - - - -
93113f53 by Endi S. Dewata at 2020-05-05T14:07:56-05:00
Removed PKIClient.downloadCACertChain()

The PKIClient.downloadCACertChain() is no longer used so it
has been removed.

- - - - -
024cad46 by Endi S. Dewata at 2020-05-05T14:07:56-05:00
Removed SystemCertService

The SystemCertService no longer contains useful code so it
has been removed.

- - - - -
e8af3cf5 by Endi S. Dewata at 2020-05-05T14:07:56-05:00
Cleaned up pki ca-cert-signing-export

- - - - -
635ab59f by Endi S. Dewata at 2020-05-05T14:07:56-05:00
Cleaned up pki ca-cert-transport-export

- - - - -
3d4dac79 by Endi S. Dewata at 2020-05-05T14:07:56-05:00
Cleaned up pki kra-cert-transport-export

- - - - -
c011d6b1 by Dinesh Prasanth M K at 2020-05-05T22:12:58-04:00
Remove the exception on debug log while deferring approval (#402)

This patch removes the java exception stacktrace when a certificate
request submitted gets deferred for manual approval.

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>
- - - - -
d77dc10a by Endi S. Dewata at 2020-05-05T22:40:49-05:00
Updated NSSDatabase.import_pkcs7()

The NSSDatabase.import_pkcs7() has been updated to support
importing PKCS #7 data already loaded in memory.

- - - - -
4da4af54 by Endi S. Dewata at 2020-05-05T22:40:49-05:00
Refactored preop.ca.pkcs7 creation

The code that stores the signing cert chain from the issuing CA
into preop.ca.pkcs7 has been moved into configuration.py.

- - - - -
2e3a1d9e by Endi S. Dewata at 2020-05-05T22:40:49-05:00
Refactored preop.clone.pkcs7 creation

The code that stores the signing cert chain from the CA master
into preop.clone.pkcs7 has been moved into configuration.py.

- - - - -
303c9216 by Endi S. Dewata at 2020-05-05T22:40:49-05:00
Refactored cert chain import (part 1)

The code that imports the signing cert chain from the issuing CA
has been moved into configuration.py.

- - - - -
97ea599c by Endi S. Dewata at 2020-05-05T22:40:49-05:00
Refactored cert chain import (part 2)

The code that imports the signing cert chain from the CA master
has been moved into configuration.py.

- - - - -
f40c47ea by Endi S. Dewata at 2020-05-05T22:40:49-05:00
Removed Configurator.configureCACertChain()

The Configurator.configureCACertChain() no longer contains
useful code so it has been removed.

- - - - -
6f28e12c by Alexander Scheel at 2020-05-07T13:01:00-04:00
Move from %doc -> %license for LICENSE files

See: https://pagure.io/packaging-committee/issue/411
See: https://docs.fedoraproject.org/en-US/packaging-guidelines/LicensingGuidelines/

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
2b21552f by Alexander Scheel at 2020-05-07T16:55:24-04:00
Enforce ACME wildcard policy

ACME (in RFC 8555 Section 7.1.3) restricts wildcard issuance to only
identifiers beginning with a wildcard and containing no other
wildcards. Introduce a new class for enforcing ACME policy.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
624d36cc by Alexander Scheel at 2020-05-07T17:24:51-04:00
Update to jQuery v3.5.1

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
2e673ee8 by Alexander Scheel at 2020-05-07T17:24:51-04:00
Mark bundled JS as bundled

See: https://fedoraproject.org/wiki/Bundled_Libraries?rd=Packaging:Bundled_Libraries

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
a8b37675 by Endi S. Dewata at 2020-05-07T22:09:23-05:00
Removed "External CA" literals

The deployment tool has been modified to check whether it's an
external or standalone deployment scenario instead of using the
"External CA" literals.

- - - - -
7ff83563 by Endi S. Dewata at 2020-05-07T22:09:44-05:00
Refactored preop.ca.type configuration

The code that configures preop.ca.type has been moved into
subsystem_layout.py.

- - - - -
a789750c by Endi S. Dewata at 2020-05-07T22:09:44-05:00
Refactored Configurator.configRemoteCert() (part 1)

The Configurator.configRemoteCert() has been modified to use the
parameters provided by the caller instead of reading the preop
parameters directly.

- - - - -
6aff2fbc by Endi S. Dewata at 2020-05-07T22:09:44-05:00
Refactored Configurator.configRemoteCert() (part 2)

The Configurator.configRemoteCert() has been simplified to handle
all cases with the same code.

- - - - -
b424bc8a by Endi S. Dewata at 2020-05-08T15:04:33-05:00
Cleaned up Configurator.configCert()

- - - - -
dc2a742e by Endi S. Dewata at 2020-05-08T16:30:48-05:00
Refactored preop.cert.signing.type configuration

The code that configures preop.cert.signing.type has been
moved into subsystem_layout.py.

- - - - -
df6730af by Endi S. Dewata at 2020-05-08T16:31:50-05:00
Refactored preop.cert.signing.profile configuration

The code that configures preop.cert.signing.profile has been
moved into subsystem_layout.py.

- - - - -
00056dbe by Endi S. Dewata at 2020-05-08T16:31:54-05:00
Refactored preop.cert.sslserver.type configuration

The code that configures preop.cert.sslserver.type has been
moved into subsystem_layout.py.

- - - - -
b03f2280 by Endi S. Dewata at 2020-05-08T16:31:54-05:00
Refactored preop.cert.sslserver.profile configuration

The code that configures preop.cert.sslserver.profile has been
moved into subsystem_layout.py.

- - - - -
db8951ee by Endi S. Dewata at 2020-05-08T16:31:54-05:00
Refactored Configurator.configCert() (part 1)

The Configurator.configCert() has been modified to remove
duplicate code.

- - - - -
12752abc by Endi S. Dewata at 2020-05-08T16:31:54-05:00
Refactored Configurator.configCert() (part 2)

The Configurator.configCert() has been modified to remove
unnecessary changes to preop.ca.type.

- - - - -
bf78951a by Endi S. Dewata at 2020-05-08T16:31:54-05:00
Refactored Configurator.configCert() (part 3)

The Configurator.configCert() has been modified to no longer
use sign_clone_sslserver_cert_using_master.

- - - - -
a51dce68 by Fraser Tweedale at 2020-05-09T09:08:54+10:00
acme: include Location header in finalize response

mod_md fails when the finalize response does not include a Location
header.  For details see https://github.com/icing/mod_md/issues/216.

Work around the mod_md bug by including the Location header in the
finalize response.  This also brings us into line with the Boulder
(Let's Encrypt) behaviour, although this behaviour is not required
by RFC 8555.

- - - - -
c518571c by Endi S. Dewata at 2020-05-08T20:23:27-05:00
Refactored preop.cert.subsystem.profile configuration

The code that configures preop.cert.subsystem.profile has been
moved into subsystem_layout.py.

- - - - -
3323ea9a by Endi S. Dewata at 2020-05-11T09:09:11-05:00
Refactored preop.cert.subsystem.profile for ECC

The code that configures preop.cert.subsystem.profile for ECC
has been moved into subsystem_layout.py.

- - - - -
c6c4152b by Endi S. Dewata at 2020-05-11T09:09:50-05:00
Refactored preop.cert.sslserver.profile for ECC

The code that configures preop.cert.sslserver.profile for ECC
has been moved into subsystem_layout.py.

- - - - -
505f77fb by Endi S. Dewata at 2020-05-11T09:17:05-05:00
Cleaned up Configurator.updateConfigEntries()

- - - - -
b7dff0f3 by Endi S. Dewata at 2020-05-11T09:19:37-05:00
Cleaned up Configurator.getConfigEntriesFromMaster()

- - - - -
bcd3d1ef by Dinesh Prasanth M K at 2020-05-11T11:36:47-04:00
Clean up CI scripts

This patch:
- Removes travis as we completely rely on GH actions
- Rename CI related scripts dir
- Update OS matrix (since F30 reached EOL)

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
711c2f1b by Dinesh Prasanth M K at 2020-05-11T11:36:47-04:00
Remove transfer.sh dependency

We upload all PKI and IPA related logs as GH artifacts and
no longer depend on transfer.sh to upload our logs.
This patch cleans up the code that collects and uploads
the logs to transfer.sh

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
70705209 by Dinesh Prasanth M K at 2020-05-11T11:36:47-04:00
Update paths + use dscreate

This patch migrates from the use of legacy DS
installation and uses the latest `dscreate`.

This patch also cleans up the path in the scripts

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
be8aba2b by Endi S. Dewata at 2020-05-11T10:46:00-05:00
Removed Configurator.getSystemCertProfileID()

- - - - -
15f2161a by Endi S. Dewata at 2020-05-11T10:46:00-05:00
Removed Configurator.configureSecurityDomain()

- - - - -
0d73d86f by Endi S. Dewata at 2020-05-11T10:46:00-05:00
Removed SystemConfigService.configure()

- - - - -
333add54 by Endi S. Dewata at 2020-05-11T10:46:00-05:00
Removed ConfigClient.create_config_request()

- - - - -
af4ba498 by Endi S. Dewata at 2020-05-11T10:46:00-05:00
Removed ConfigClient.set_issuing_ca_parameters()

- - - - -
ba2c6ffa by Endi S. Dewata at 2020-05-11T10:46:00-05:00
Removed ConfigurationRequest.isClone

- - - - -
e10c5f28 by Endi S. Dewata at 2020-05-11T10:46:00-05:00
Removed ConfigurationRequest.issuingCA

- - - - -
1d8cb100 by Endi S. Dewata at 2020-05-11T10:46:00-05:00
Removed ConfigurationRequest.systemCertsImported

- - - - -
2d7657d3 by Endi S. Dewata at 2020-05-11T10:46:00-05:00
Removed ConfigurationRequest.securityDomainType

- - - - -
b75d7252 by Endi S. Dewata at 2020-05-11T10:46:00-05:00
Removed ConfigurationRequest.pin

- - - - -
6d8a8185 by Endi S. Dewata at 2020-05-11T10:46:00-05:00
Removed ConfigurationRequest constants

- - - - -
3242ab37 by Endi S. Dewata at 2020-05-11T10:46:00-05:00
Removed ConfigurationRequest

- - - - -
d9c2437c by Endi S. Dewata at 2020-05-11T12:03:15-05:00
Added Range class

The Range class has been added to encapsulate request ID, serial
number, and replica ID ranges.

- - - - -
9a9eab2e by Endi S. Dewata at 2020-05-11T12:03:51-05:00
Refactored Configurator.updateNumberRange() (part 1)

The Configurator.updateNumberRange() has been modified to
take a PKIClient object and session ID, then construct the
content Map.

- - - - -
2c0466b1 by Endi S. Dewata at 2020-05-11T17:43:49-05:00
Refactored Configurator.updateNumberRange() (part 2)

The Configurator.updateNumberRange() has been converted
into requestRange() which returns a Range object.

- - - - -
62ebae9b by Endi S. Dewata at 2020-05-11T17:44:04-05:00
Moved Configurator.requestRange()

The Configurator.requestRange() has been moved into
SubsystemClient.

- - - - -
eeeb347a by Endi S. Dewata at 2020-05-11T17:44:04-05:00
Refactored Configurator.setupNumberRanges()

The Configurator.setupNumberRanges() has been converted into
updateRanges() which takes a PKIClient object.

- - - - -
dd14200b by Endi S. Dewata at 2020-05-11T17:48:18-05:00
Added CertificateSetupRequest.masterURL

The CertificateSetupRequest.masterURL has been added to
replace master.hostname and master.httpsport properties.

- - - - -
5598ef52 by Endi S. Dewata at 2020-05-11T17:49:26-05:00
Removed unused master.httpsadminport property

- - - - -
31611e29 by Endi S. Dewata at 2020-05-11T21:21:19-05:00
Added pki ca/kra-range-request

The pki ca/kra-range-request has been added to request a
request ID, serial number, or replica ID range from master.

- - - - -
ca95d661 by Endi S. Dewata at 2020-05-11T21:21:24-05:00
Refactored Configurator.updateRanges()

The Configurator.updateRanges() has been converted into
PKISubsystem.update_ranges().

- - - - -
5b524944 by Endi S. Dewata at 2020-05-11T21:21:24-05:00
Added pki-server ca/kra-range-show

The pki-server ca/kra-range-show has been added to display
the number range configuration.

- - - - -
99961000 by Endi S. Dewata at 2020-05-11T21:21:24-05:00
Added pki-server ca/kra-range-update

The pki-server ca/kra-range-update has been added to update
the request ID, serial number, and replica ID ranges.

- - - - -
1a488909 by Endi S. Dewata at 2020-05-12T22:15:44-05:00
Updated loggers in Python code

- - - - -
270ad809 by Endi S. Dewata at 2020-05-13T11:18:04-05:00
Updated PKIUpgrader.makedirs()

The PKIUpgrader.makedirs() has been updated to support
exist_ok parameter.

- - - - -
6fd1553a by Endi S. Dewata at 2020-05-13T11:34:59-05:00
Updated file/folder creation in PKIServerUpgrader

The PKIServerUpgrader has been modified to use instance
methods to create files/folders with proper permissions.

- - - - -
0cdc3c59 by Endi S. Dewata at 2020-05-13T11:35:22-05:00
Added PKIUpgrader.touch()

The PKIUpgrader.touch() has been added to create files
with the proper permissions.

- - - - -
89608275 by Alexander Scheel at 2020-05-14T09:41:44-04:00
Build PKI in %build, not %install

We build PKI in the %install section of the RPM Spec file currently; we
should move the build to the %build section so tooling works correctly.

Resolves: rh-bz#1792252

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
49c14dda by Alexander Scheel at 2020-05-14T09:41:44-04:00
Fix recompile issue

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
5129d424 by Endi S. Dewata at 2020-05-14T11:42:24-05:00
Updated PKI server upgrade process

Previously when the pki-server RPM package is updated
it will upgrade all PKI server instances on the system.
However, the PKI subsystem packages (e.g. pki-ca) has
a dependency on pki-server, so it is not possible to
create an upgrade scriptlet in pki-server package that
installs new files from PKI subsystem packages.

To address the problem, the pki.spec has been modified
to no longer call pki-server upgrade command. Instead,
the systemd unit file has been modified to call the
command to upgrade just the instance being started. At
that point all RPM packages are already installed so
new files from those packages can now be installed.

Since the upgrade process now runs during startup as
pkiuser, the upgrade backup directory has been moved
into /var/log/pki/<instance>/backup.

- - - - -
fe5b3a34 by Endi S. Dewata at 2020-05-14T11:42:24-05:00
Added upgrade script for ACME server cert profile

The ACME server cert profile (acmeServerCert.cfg) has
been moved into /usr/share/pki/ca/profiles/ca such that
it will be included in new CA installations.

An upgrade script has been added to deploy the profile
into existing instances and update the CS.cfg when the
server is restarted.

- - - - -
95a17fcb by Dinesh Prasanth M K at 2020-05-14T13:19:43-04:00
Bump min cmake version

With PR#339, we need at least cmake 3.0.2
to compile PKI project. This patch bumps the
min requirement

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
b40ac8f6 by Dinesh Prasanth M K at 2020-05-14T13:35:03-04:00
Move CT related classes into new package

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
f39e4a1d by Dinesh Prasanth M K at 2020-05-14T13:35:03-04:00
Load config values from CS.cfg

This patch:
- Loads CT log server configurations from CS.cfg
- Can submit precertificates to multiple log servers
- Creates CT relevant java packages

TODO:
Refactor code to:
- Embed multiple SCT responses onto certificate
- accommodate REST structure
- Move CT related code into it's related java package

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
310f3d3b by Endi S. Dewata at 2020-05-14T14:06:38-05:00
Fixed getopt in upgrade tools

The pki-upgrade and pki-server upgrade commands have
been modified to use getopt.gnu_getopt for consistency
with other commands.

- - - - -
5923897f by Endi S. Dewata at 2020-05-14T14:06:38-05:00
Removed stderr piping

The stderr piping in some places has been removed to allow
error messages to appear on the console.

- - - - -
fb7a8ef9 by Endi S. Dewata at 2020-05-14T14:06:38-05:00
Refactored PKISubsystem.update_ranges()

The PKISubsystem.update_ranges() has been updated to take
an install token object instead of a session ID.

- - - - -
c9966f3d by Endi S. Dewata at 2020-05-14T14:06:38-05:00
Refactored TPS config classes

The TPS config classes in com.netscape.certsrv.tps.config
have been moved into org.dogtagpki.common so they can be
used by other subsystems.

- - - - -
6d8391be by Endi S. Dewata at 2020-05-14T14:06:38-05:00
Cleaned up ConfigCLI.getConfigClient()

The ConfigCLI.getConfigClient() has been modified to create
the ConfigClient object only when needed.

- - - - -
1ee06c61 by Endi S. Dewata at 2020-05-14T14:12:13-05:00
Added JSON converter for ConfigData

- - - - -
8c3b0656 by Endi S. Dewata at 2020-05-14T14:22:51-05:00
Refactored Configurator.updateConfigEntries()

The Configurator.updateConfigEntries() has been converted
into getConfig() which returns a ConfigData object.

- - - - -
9b4ea632 by Endi S. Dewata at 2020-05-14T15:08:21-05:00
Refactored Configurator.getConfig()

The Configurator.getConfig() has been moved into ConfigClient.

- - - - -
73e57542 by Endi S. Dewata at 2020-05-14T15:08:29-05:00
Refactored ConfigCLI (part 1)

The TPS-specific code in ConfigCLI has been moved into
TPSConfigCLI.

- - - - -
14edcf75 by Endi S. Dewata at 2020-05-14T15:08:29-05:00
Refactored ConfigCLI (part 2)

The ConfigCLI has been moved from com.netscape.cmstools.tps.config
into com.netscape.cmstools.config.

- - - - -
fea377ac by Endi S. Dewata at 2020-05-14T15:53:44-05:00
Added pki <subsystem>-config-export

The pki <subsystem>-config-export has been added to export
the configuration properties required for cloning.

- - - - -
156f49ae by Endi S. Dewata at 2020-05-14T17:08:14-05:00
Refactored Configurator.getConfigEntries() (part 1)

The code in Configurator.getConfigEntries() that retrieves
and updates the configuration properties has been moved into
PKISubsystem.retrieve_config() and update_config().

- - - - -
b17e3adc by Endi S. Dewata at 2020-05-14T17:08:14-05:00
Refactored Configurator.getConfigEntries() (part 2)

The remaining code in Configurator.getConfigEntries() that
validates the master and replica internal databases has been
moved into PKISubsystem.update_config().

- - - - -
0b1267dd by Christina Fu at 2020-05-15T14:39:23-07:00
Bug 1629025 Server-Side Kyegen Enrollment

This patch contains the code that provides the Server-Side Keygen Enrollment feature for both RSA and EC keys.

KRA must be installed along with CA.

This patch contains mainly the following pieces:

input:
  The new input plugin ServerKeygenInput.java, which works with the
midified ProfileSelect.template to
  - accept the p12 passwd that will be used to compose the p12 once the keys are generated on KRA and cert issued by the CA.
  - accept the keyType: RSA/ECC
  - accept the keySize: RSA key sizes or ECC curves

Profile default plugin:
  - The new default plugin: ServerKeygenUserKeyDefault.java, which inserts temporary fake keys so code won't blow up down the road; Such fake key will be replaced later when KRA generates the new keys

Profiles
  Both of the new profiles below allows one to enable/disable key archival.
  - The new caServerKeygen_UserCert.cfg profile which utilizes the new input and output;  This profile requires manual approval from a CA agent
  - The new caServerKeygen_DirUserCert.cfg profile which utilizes the new input and output; This profile requires directory-auth setup in CS.cfg;  It allows for automatic approval without specific agent approval.

output:
  Working in conjunction with the modified profile servlets, the new output plugin PKCS12Output.java, which contains the p12 to be sent back to the browser when the request has been approved.

Note: the new audit events implemented are
   - SERVER_SIDE_KEYGEN_ENROLL_KEYGEN_REQUEST
   - SERVER_SIDE_KEYGEN_ENROLL_KEYGEN_REQUEST_PROCESSED
   - SERVER_SIDE_KEYGEN_ENROLL_KEY_RETRIEVAL_REQUEST
   - SERVER_SIDE_KEYGEN_ENROLL_KEY_RETRIEVAL_REQUEST_PROCESSED
where SERVER_SIDE_KEYGEN_ENROLL_KEY_RETRIEVAL_REQUEST_PROCESSED is not yet added

https://bugzilla.redhat.com/show_bug.cgi?id=1629025

- - - - -
b98a2323 by Endi S. Dewata at 2020-05-18T13:32:38-05:00
Fixed PKIServer.get_subsystems() to return a list

- - - - -
93fa1514 by Endi S. Dewata at 2020-05-18T13:32:45-05:00
Refactored DBSchemaUpgradeCLI.update_schema()

The code that imports an LDIF file into LDAP database in
DBSchemaUpgradeCLI.update_schema() has been moved into
PKIServer.import_ldif().

- - - - -
26e9cd2a by dpuniaredhat at 2020-05-19T11:33:31+05:30
Update performance test (#400)

Updated certificate revocation after every 100 certificate enrollemnt
Added Throughput calculation for reporting purpose

Signed-off-by: Deepak Punia <dpunia at redhat.com>
- - - - -
acc2a256 by Endi S. Dewata at 2020-05-19T21:15:26-05:00
Fixed 01-AddSANToCNDefault.py

The 01-AddSANToCNDefault.py upgrade script for PKI 10.9.0 has
been modified to add defaultPolicy.sanToCNDefaultImpl.class.

- - - - -
9bfa832e by Dinesh Prasanth M K at 2020-05-20T14:55:16-04:00
Add symlink to apache-commons-net jar

Dependency to apache-commons-net was introduced in the commit:
https://github.com/dogtagpki/pki/commit/fca6d89dcd2b9e6592879c85a2f2278ed1a28e2f
The symlink to JARs need to be created for new instance installations as well as
existing instances.

This patch adds symlink to the new dependency.

TODO: The upgrade script to add symlinks to existing instances. This effort
should be coupled when CT moves out of prototype phase.

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
50867042 by Dinesh Prasanth M K at 2020-05-20T14:55:16-04:00
Fix getting publicKey of LogServer

In PR #406 a new LogServer object was introduced to store Log Server
information. However, the public key of Log Server was never used.
This patch removes the usage of hardcoded Public Key and uses the
one defined in CS.cfg

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
5bcaeb78 by Endi S. Dewata at 2020-05-21T11:53:46-05:00
Refactored HTTPConnectorCLI.set_param()

The code that modifies XML element attributes in
HTTPConnectorCLI.set_param() has been moved into
pki.util.set_property().

- - - - -
f4c13565 by Endi S. Dewata at 2020-05-21T11:53:46-05:00
Cleaned up pki.util.read_text()

The pki.util.read_text() has been modified to simplify
the code.

- - - - -
a0aa0647 by Endi S. Dewata at 2020-05-21T11:53:46-05:00
Updated pki.util.read_text() (part 1)

The pki.util.read_text() has been modified to accept
an empty input if a default value is specified. The
allow_empty option is no longer used so it has been
removed.

- - - - -
e54c5d09 by Endi S. Dewata at 2020-05-21T11:53:46-05:00
Updated pki.util.read_text() (part 2)

The pki.util.read_text() has been modified to provide
an option to read a password without showing the value.

- - - - -
94768a86 by Endi S. Dewata at 2020-05-21T11:53:46-05:00
Updated pki.util.read_text() (part 3)

The pki.util.read_text() has been modified to return the
default value if it accepts an empty value, and return an
empty string if it accepts a blank.

- - - - -
dc38f8ec by Alexander Scheel at 2020-05-21T13:57:28-04:00
Bump JSS and TomcatJSS dependencies

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
6ec0b77e by Alexander Scheel at 2020-05-21T13:57:28-04:00
Re-enable COPR repo in build jobs

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
4d83dbad by Endi S. Dewata at 2020-05-21T15:06:48-05:00
Updated pki.util.read_text() (part 4)

The pki.util.read_text() has been modified to provide
an option to require a non-empty input.

- - - - -
c51fd2bc by Dinesh Prasanth M K at 2020-05-21T20:16:39-04:00
Minor bug fix to SystemCertClient and subsystem

Add param `subsystem` to SystemCertClient as specifying
subsystem in connection has been deprecated in 10.8

Fix the import error

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
6d902657 by Dinesh Prasanth M K at 2020-05-21T20:56:16-04:00
Avoid printing INFO level log messages while running healthcheck tool

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
183a8ea6 by Endi S. Dewata at 2020-05-21T20:26:11-05:00
Removed redundant default values for dict.get()

- - - - -
3c0c2f16 by Endi S. Dewata at 2020-05-22T10:17:23-05:00
Refactored ConfigClient.create_clone_setup_request()

The code that initializes the clone replication port in
ConfigClient.create_clone_setup_request() has been moved
into Configurator.setupReplication().

- - - - -
d65435ef by Endi S. Dewata at 2020-05-22T10:18:32-05:00
Added LdapBoundConnection.connectionFactory

The LdapBoundConnection.connectionFactory has been added to
keep track of the connection's factory. The BoundConnection
class is no longer used to it has been removed.

- - - - -
4db4de4f by Endi S. Dewata at 2020-05-22T10:27:26-05:00
Refactored LDAPConfigurator constructors

The LDAPConfigurator constructors have been modified to require
an LDAPConfig object.

- - - - -
17a81c24 by Endi S. Dewata at 2020-05-22T10:27:32-05:00
Refactored LDAPConfigurator.customizeFile()

The LDAPConfigurator.customizeFile() has been modified to
construct the parameter map when needed.

- - - - -
6af63e89 by Endi S. Dewata at 2020-05-22T10:28:02-05:00
Refactored LDAPConfigurator.enableReplication()

The LDAPConfigurator.enableReplication() has been converted
into createReplicaObject() that generates the replica DN from
base DN and returns true if the replica object was created
successfully.

- - - - -
99c9b799 by Endi S. Dewata at 2020-05-22T10:28:02-05:00
Refactored LDAPConfigurator.createReplicationAgreement()

The LDAPConfigurator.createReplicationAgreement() has been
modified to generate the replica DN from base DN.

- - - - -
6d28d4f9 by Endi S. Dewata at 2020-05-22T10:28:02-05:00
Refactored LDAPConfigurator.initializeConsumer()

The LDAPConfigurator.initializeConsumer() has been modified to
generate the replica DN from base DN.

- - - - -
a889b951 by Endi S. Dewata at 2020-05-22T10:28:02-05:00
Refactored LDAPConfigurator.createChangeLog()

The LDAPConfigurator.createChangeLog() has been modified to
use a fixed changelog directory.

- - - - -
c463c710 by Endi S. Dewata at 2020-05-22T10:28:02-05:00
Refactored Configurator.setupReplicationAgreements()

The code that uses the configuration parameters in
Configurator.setupReplicationAgreements() has been moved
outside the method.

- - - - -
d37658f7 by Endi S. Dewata at 2020-05-22T10:28:02-05:00
Added LDAPConfigurator.setupReplicationAgreement()

The code that creates the replication agreements for master
and replica in Configurator.setupReplicationAgreements() has
been merged into LDAPConfigurator.setupReplicationAgreement().

- - - - -
b6ff324b by Endi S. Dewata at 2020-05-22T12:39:42-05:00
Added pki-server acme-metadata commands

The pki-server acme-metadata commands have been added to
manage ACME metadata configuration.

- - - - -
7cc72178 by Endi S. Dewata at 2020-05-22T13:20:35-05:00
Added pki-server acme-database commands

The pki-server acme-database commands have been added to
manage ACME database configuration.

- - - - -
bd085c8b by Endi S. Dewata at 2020-05-22T13:55:03-05:00
Added pki-server acme-issuer commands

The pki-server acme-issuer commands have been added to
manage ACME issuer configuration.

- - - - -
3454878a by Dinesh Prasanth M K at 2020-05-22T22:17:43-04:00
Add a new healthcheck to test CA connectivity to PKI server

This patch adds a new healthcheck to test whether the CA is accessible
by trying to list 1 cert (ie) similar to running `pki ca-cert-find --size 1`

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
617a3c1d by Dinesh Prasanth M K at 2020-05-22T22:17:43-04:00
Add a new healthcheck to test KRA connectivity to PKI server

This patch adds a new healthcheck to test whether the KRA is accessible
by trying to show KRA's transport cert (ie) similar to running
`pki kra-cert-transport-show`

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
ad266ddd by Endi S. Dewata at 2020-05-26T15:54:37+10:00
Reorganized ACME schema

The /usr/share/pki/server/conf/schema.ldif has been
modified such that it only contains only the original
PKI schema. The ACME schema has been moved into
/usr/share/pki/acme/conf/database/ldap/schema.ldif.

The LDAPConfigurator.setupSchema() has been modified
to import both PKI schema and ACME schema during the
initial installation.

The pki-server db-schema-upgrade has been modified to
import both PKI schema and ACME schema during manual
database upgrade.

- - - - -
9a5f4b69 by Endi S. Dewata at 2020-05-26T15:54:37+10:00
Added ACME LDAP database config

A sample create.ldif and database.conf has been added
to initialize and configure an LDAP database for ACME.

The LDAPDatabase class has been modified to obtain the
configuration parameters and password from database.conf
in standalone ACME deployment scenario (without CA).

- - - - -
a5570323 by Endi S. Dewata at 2020-05-26T15:54:37+10:00
Reorganized ACME docs

The ACME installation doc and user guide have been moved
into "acme" subfolders.

- - - - -
8687c4a9 by Endi S. Dewata at 2020-05-26T15:54:37+10:00
Added ACME database configuration doc

A new doc has been added to describe ACME database
configuration using in-memory database and LDAP
database.

- - - - -
da18f355 by Endi S. Dewata at 2020-05-26T17:37:36-05:00
Cleaned up pki.spec

- - - - -
b970a72d by Fraser Tweedale at 2020-05-26T21:28:41-05:00
acme: remove redundant schema file

ACME LDAP schema has been extracted as a modify LDIF.  I tested the
FreeIPA schema update machinery and it works fine with a modify
LDIF.  So the other schema LDIF, which is not an update object but a
plain entry, can be removed.

We could do likewise for LWCA and profile schema, but that is for
another day.

- - - - -
a589107d by Fraser Tweedale at 2020-05-28T08:15:17+10:00
acme: log in CAClient when submitting certificate request

It is possible to use a lower-privileged RA account to issue
certificates, if the target profile is set up to allow it.
Therefore log in the user before submitting the certificate request.

- - - - -
bd237455 by Fraser Tweedale at 2020-05-28T08:15:17+10:00
acme: PKIIssuer: handle immediate issuance

Depending on profile configuration and user privileges, the cert
could be immediately issued.  Furthermore the user may not have
agent permissions to review/approve a request, but a profile
configuration could allow immediate issuance for particular
users/groups.

Therefore we must detect when the certificate was immediately issued
and if so, skip the review/approve behaviour.

- - - - -
96eed116 by Timo Aaltonen at 2020-05-28T02:12:33+03:00
Merge tag 'v10.8.3' into m-n

- - - - -
76bdc703 by Timo Aaltonen at 2020-05-28T02:15:30+03:00
Merge branch 'master' into m-n

- - - - -
3f632e4c by Timo Aaltonen at 2020-05-28T02:15:58+03:00
bump the version

- - - - -
4c78348f by Timo Aaltonen at 2020-05-28T02:15:58+03:00
watch: Updated.

- - - - -
926e42ee by Timo Aaltonen at 2020-05-28T02:15:58+03:00
patches: Refreshed.

- - - - -
aa608095 by Timo Aaltonen at 2020-05-28T02:15:58+03:00
control, rules: Build with default-jdk, bump jss, tomcatjss dependencies. (Closes: #920725, #921926)

- - - - -
5965a18a by Timo Aaltonen at 2020-05-28T02:15:58+03:00
control: Add libcommons-net-java to depends.

- - - - -
5b70ceed by Timo Aaltonen at 2020-05-28T02:15:58+03:00
fix-javadoc-build.diff: Fix building the javadoc.

- - - - -
6c01c9c4 by Timo Aaltonen at 2020-05-28T02:15:58+03:00
install: Updated, nsutil got folded in cmsutil.

- - - - -
0d1dd69a by Timo Aaltonen at 2020-05-28T02:15:58+03:00
copyright: Don't exclude the fonts.

- - - - -
7ee687a8 by Timo Aaltonen at 2020-05-28T02:17:00+03:00
releasing package dogtag-pki version 10.9.0~a1-1

- - - - -
a88a0b07 by Timo Aaltonen at 2020-05-28T09:20:05+03:00
rules: Fix java version in pki.conf.

- - - - -
26c607eb by Dinesh Prasanth M K at 2020-05-28T20:01:41-04:00
Add OCSP connectivity healthcheck

This patch adds a new OCSP connectivity check. This check
tries to hit the API enpoint: /ocsp/admin/ocsp/getStatus

However, note that this only checks for whether the OCSP subsystem
is running and doesn't actually try to fetch any data from LDAP.

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
675c2ded by Dinesh Prasanth M K at 2020-05-28T20:01:41-04:00
Add new healthcheck for TKS connectivity

This patch checks if the TKS is up and running by trying to
hit the REST api enpoint: /tks/admin/tks/getStatus

Note that healthcheck does not perform any operation that
involves LDAP. It just checks if the subsystem is up and running

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
26a0be84 by Dinesh Prasanth M K at 2020-05-28T20:01:41-04:00
Add new healthcheck to test TPS connectivity

This patch adds a new healthcheck to test the connectivity
of TPS subsystem by trying to hit the endpoint: /tps/admin/tps/getStatus

Note that this healthcheck does not perform any operations involving
LDAP. It just checks if the TPS subsystem itself is up and running

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
ae8f5129 by Fraser Tweedale at 2020-05-29T14:00:18+10:00
acme: ACMEEngineConfigFileSource: restart file watching on error

Vi(m) file write on the watched file caused an exception due to bad
permissions.  I'm not sure if this is due to behaviour of vi(m), or
something more fundamental.  Whatever the reason, it was an ordinary
administrator action so we must gracefully handle the situation.

A naïve approach is simply to delay a moment before reading the
file.  A 1000ms sleep seems to do the trick.  For robustness, we
also restart file watching if an exception occurs, with exponential
backoff, and attempting to read the file again each time before
reconfiguring the watch service.

- - - - -
95435709 by Christina Fu at 2020-05-29T16:10:49-07:00
Bug 1805541 [RFE] CA Certificate Transparency with Embedded Signed Certificate Time stamp

This patch adds additionl work to the prototype code checked in:
commit fca6d89dcd2b9e6592879c85a2f2278ed1a28e2f

It
  - added support for multiple CT log for createSCTextension
  - got one of the two verification methods working in verifySCT

https://bugzilla.redhat.com/show_bug.cgi?id=1805541

- - - - -
0b6ccf3c by jmagne at 2020-05-29T16:29:51-07:00
Address Bug 1710109 - add RSA PSS support. (#416)

Upstream portion of pki part of RSA-PSS signing algorithm support. (#356)

    This fix conincides with another ticket providing RSA PSS signature support for JSS,
    which is required for this to work.

    This is designed for simple usage. If one wants to say create a CA or KRA with RSA PSS signature
    support, simply place the following line in the pkispawn script file:

    pki_use_pss_rsa_signing_algorithm=True

    This will instruct the process to take whatever signing algorithm of the form (
    SHAxxxwithRSA signing algorithms are specified and promote them to the corresponding
    PSS algorithm such as: SHS256withRSA/PSS.

    If one ONLY puts that value in the script file, all the algs, which have a default of
    SHA256withRSA will be promoted to SHA256withRSA/PSS.

    This fix also provides support , if desired, for SHA384, and SHA512 versions of PSS.
    In order to get this to work, the pkispawn config will have to explcitly enumerate
    each applicable signing algorithm as such ex:  pki_ca_signing_signing_algorithm=SHA384withRSA.
    Also the explicit alg of say SHA384withRSA/PSS can be used for each setting.

    Tested with a basic CA and KRA. Also tested with a non PSS CA and a no PSS ca with ECC so far.
    The goal is to not interfere with any existing functionality if PSS support is not desired.

Added fix  to the CMCRespone tool.

The tool currently does not initialize the CryptoManager.
Doing so is necessary to register the JSS Provider which provides the
encoding / parsing support for the RSAPSS algorithm parameters.

Co-authored-by: Jack Magne <jmagne at test.host.com>

Co-authored-by: Jack Magne <jmagne at localhost.localdomain>
Co-authored-by: Jack Magne <jmagne at test.host.com>
- - - - -
333b9c4f by Dinesh Prasanth M K at 2020-06-01T13:04:48-04:00
Move pylint from buildtime to a separate CI job

This patch moves python code linting from RPM build
to a separate CI job.

Note that this new job runs on INSTALLED python files due to
lack of setuptools [1].

[1] https://pagure.io/dogtagpki/issue/3175

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
e84ffda9 by Dinesh Prasanth M K at 2020-06-01T13:04:48-04:00
Package lint script into pki-tests package

This patch adds the pki-lint script to pki-tests package.
This patch also improves the pki-lint script to accept
custom config files to execute pylint and flake8 linters.

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
d900dc21 by Christina Fu at 2020-06-01T18:04:04-07:00
Bug 1805541 added comments and error handling for [RFE] CA Certificate Transparency with Embedded Signed Certificate Time stamp

This patch mostly simply adds some comments and error handlings for CT.
verifySCT signature size is hardcoded to SHA256withEC for now (will be
improved on later)

https://bugzilla.redhat.com/show_bug.cgi?id=1805541

- - - - -
7b2baf57 by Timo Aaltonen at 2020-06-02T10:18:03+03:00
Drop pki-server upgrade from postinst, and drop --validate option from the systemd service as it's gone.

- - - - -
82964212 by Fraser Tweedale at 2020-06-03T15:24:29+10:00
acme: handle file rename in ACMEEngineConfigFileSource

Renames are not handled as ENTRY_MODIFY but rather as a pair of
ENTRY_DELETE and ENTRY_CREATE events.  Update the file watching to
process ENTRY_CREATE events so the modify-by-rename scenario is
handled.

- - - - -
34c85d39 by Fraser Tweedale at 2020-06-04T14:47:22+10:00
spec: set Requires among pki RPMs to depend on same release

Currently the Requires depends only on pki-foo = %{version}.
This can result in problems where, e.g. a package that depends on
'pki-ca = 10.9.0-0.1.TIMESTAMP.DIGEST' ends up with Dogtag packages
from mismatched builds (same version, different %{release}).

Update the spec file to ensure that Dogtag RPMs that depend on other
Dogtag RPMs depend on the exact same build.

Note that prior to 4966ebf0759a0d9f5de54e9f731393a14ef4558f, all
intra-spec dependencies were pegged to the %{release}.  This was
removed because of problems caused by some packages being built in
different modules.  Removing /all/ such pegging was going a bit too
far.  So among packages we know will be built in the same module it
is OK to add the %{release} back into the Requires directives.

- - - - -
45d3c46c by Dinesh Prasanth M K at 2020-06-04T13:29:58-04:00
Rename registry names in setup.py to allow additional plugins

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
8a386dee by Dinesh Prasanth M K at 2020-06-04T13:29:58-04:00
Add healthcheck to check CA System Cert trust flag

This patch:
- adds a new healthcheck to check the Trust flag
  present in CA's nssdb
- Adds a reusable method to get trust flags of system
  certs from NSSDB or HSM

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
8d108d98 by Dinesh Prasanth M K at 2020-06-04T13:29:58-04:00
Add healthcheck to check KRA's system cert trust flags

This patch adds a new healthcheck to test the System Cert
trust flag of all KRA's system certificates.

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
8093b4d2 by Endi S. Dewata at 2020-06-04T13:55:46-05:00
Fixed NPE in PostgreSQLDatabase.close()

- - - - -
794f85ab by Endi S. Dewata at 2020-06-04T13:55:46-05:00
Added ACMEIssuerConfig.getParameterNames(parent)

The ACMEIssuerConfig.getParameterNames(parent) has been
added to return the relative names of the parameters under
the specified parent parameter.

- - - - -
df2548ef by Endi S. Dewata at 2020-06-04T13:55:46-05:00
Reorganized ACME docs

The doc that describes ACME issuer configuration has been
moved into Configuring_ACME_Issuer.md.

- - - - -
5220c401 by Dinesh Prasanth M K at 2020-06-04T16:16:12-04:00
Add new healthcheck for OCSP system cert trust flag

This patch adds a OCSP healthcheck to test whether the trust flag
of its system certs match the expected value

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
3e339461 by Dinesh Prasanth M K at 2020-06-04T16:16:12-04:00
Add new healthcheck for TKS system cert trust flags

This patch adds a new healthcheck to check the trust
flag of TKS's System certs with known good value

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
6f3c5a7a by Dinesh Prasanth M K at 2020-06-04T16:16:12-04:00
Add new healtcheck to test TPS system cert trust flag

This patch adds a new healthcheck to compare the trust flags
of TPS's systemc certs with known trust flags.

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
649a8a38 by Dinesh Prasanth M K at 2020-06-04T16:16:12-04:00
Change log level for unconfigured subsystems

PKI healthcheck reports results to IPA healthcheck automatically.
As a result, RHCS specific tests (like OCSPSystemCertTrustFlagCheck)
report a SUCCESS. This can be quite misleading to the users.

This patch adds INFO data to inform users that the subsystem is
unconfigured, when using --verbose

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
84b9b2b5 by Dinesh Prasanth M K at 2020-06-04T17:21:59-04:00
Include trust flag info in pki-server cert-* operation

This patch includes trust flags when running cert-show or cert-find
in its output, to provide more information to the user

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
54d32449 by Endi S. Dewata at 2020-06-04T23:11:11-05:00
Removed unused PKI_WEB_SERVER_TYPE

The PKI_WEB_SERVER_TYPE was hardcoded so the variable has
been removed.

- - - - -
d217e77f by Endi S. Dewata at 2020-06-04T23:11:11-05:00
Removed unused TOTAL_UNCONFIGURED_PKI_ENTRIES

The TOTAL_UNCONFIGURED_PKI_ENTRIES is no longer needed since
pkispawn will always complete the instance configuration.

- - - - -
74eb6de2 by Endi S. Dewata at 2020-06-04T23:11:11-05:00
Mandatory instance name for pkidaemon

The pkidaemon has been modified such that the instance name
must be specified.

- - - - -
acd29cb9 by Endi S. Dewata at 2020-06-04T23:11:11-05:00
Removed unused TOTAL_PKI_REGISTRY_ENTRIES

Since the instance name must be specified when calling
pkidaemon, the TOTAL_PKI_REGISTRY_ENTRIES will always be 1
so the variable is no longer needed.

- - - - -
8b2d3c25 by Endi S. Dewata at 2020-06-04T23:11:11-05:00
Removed unused PKI_REGISTRY_ENTRIES

Since the instance name must be specified when calling
pkidaemon, the PKI_REGISTRY_ENTRIES will only contain 1
entry, so it has been replaced with PKI_REGISTRY_ENTRY.

- - - - -
f7c103dc by Endi S. Dewata at 2020-06-04T23:11:11-05:00
Removed unused PKI_TYPE

The PKI_TYPE was hardcoded so the variable has been removed.

- - - - -
2945f571 by Endi S. Dewata at 2020-06-04T23:11:11-05:00
Removed unused Instance.tomcat_instances()

The Instance.tomcat_instances() was not used so it has
been removed.

- - - - -
226cf16e by Endi S. Dewata at 2020-06-05T22:01:52-05:00
Added user/group option for pki-server create

The pki-server create command has been modified to provide
options to specify the user and group for PKI server.

- - - - -
122d2e04 by Endi S. Dewata at 2020-06-05T22:19:09-05:00
Refactored NSSDatabase.directory

The NSSDatabase.directory has been replaced with a path.

- - - - -
0a60992c by Endi S. Dewata at 2020-06-05T22:20:29-05:00
Added NSSDatabase.passwordStore

The NSSDatabase.passwordStore has been added to store
the NSS database passwords.

- - - - -
a829d72a by Endi S. Dewata at 2020-06-05T22:20:29-05:00
Refactored ACMEEngine.validateCSR()

The ACMEEngine.validateCSR() has been modified to take a
PKCS #10 object.

- - - - -
3fb78aa3 by Endi S. Dewata at 2020-06-05T22:20:29-05:00
Refactored ACMEIssuer.issueCertificate()

The ACMEIssuer.issueCertificate() has been modified to
take a PKCS #10 object.

- - - - -
bc6254a3 by Endi S. Dewata at 2020-06-05T22:20:29-05:00
Refactored ACMEIssuer.revokeCert()

The ACMEIssuer.revokeCert() has been renamed to
revokeCertificate().

- - - - -
e9721b9c by Endi S. Dewata at 2020-06-08T17:37:14-05:00
Moved CertUtil.createRemoteCert()

The CertUtil.createRemoteCert() has been moved into CertUtils.

- - - - -
278e4568 by Endi S. Dewata at 2020-06-08T17:37:14-05:00
Moved CertUtil.buildSANSSLserverURLExtension()

The CertUtil.buildSANSSLserverURLExtension() has been moved
into CertUtils.

- - - - -
b890b0ae by Endi S. Dewata at 2020-06-08T17:37:14-05:00
Moved CertUtil.createLocalRequest()

The CertUtil.createLocalRequest() has been moved into
CertUtils.

- - - - -
0b3116a1 by Endi S. Dewata at 2020-06-08T17:37:14-05:00
Moved CertUtil.updateLocalRequest()

The CertUtil.updateLocalRequest() has been moved into
CertUtils.

- - - - -
5fafadce by Endi S. Dewata at 2020-06-08T17:37:14-05:00
Moved CertUtil.getAdminProfileAlgorithm()

The CertUtil.getAdminProfileAlgorithm() has been moved into
CertUtils.

- - - - -
a2506418 by Endi S. Dewata at 2020-06-08T17:37:14-05:00
Moved CertUtil.createCertInfo()

The CertUtil.createCertInfo() has been moved into CertUtils.

- - - - -
1ca6075b by Endi S. Dewata at 2020-06-08T17:37:14-05:00
Moved CertUtil.createCertRecord()

The CertUtil.createCertRecord() has been moved into
CertUtils.

- - - - -
dad09cb5 by Endi S. Dewata at 2020-06-08T17:37:14-05:00
Moved CertUtil.createLocalCert()

The CertUtil.createLocalCert() has been moved into CertUtils.

- - - - -
c311ab56 by Endi S. Dewata at 2020-06-08T18:28:22-05:00
Moved CertUtil

The CertUtil has been moved into pki-util.

- - - - -
d81097f4 by Endi S. Dewata at 2020-06-08T18:29:00-05:00
Refactored CertUtils.normalizeCertReq()

The CertUtils.normalizeCertReq() has been moved and converted
into CertUtil.parseCSR() which returns the CSR binaries.

- - - - -
30f8447b by Endi S. Dewata at 2020-06-09T12:47:47-05:00
Refactored CertUtils.getEncodedCert() (part 1)

The CertUtils.getEncodedCert() has been modified to throw
a generic Exception.

- - - - -
7a6b6822 by Endi S. Dewata at 2020-06-09T14:30:30-05:00
Refactored CertUtils.getEncodedCert() (part 2)

The CertUtils.getEncodedCert() has been moved and renamed
into CertUtil.toPEM().

- - - - -
ce67604c by Endi S. Dewata at 2020-06-09T14:30:41-05:00
Cleaned up NSSKeyCLI

- - - - -
ea3d5ef3 by Fraser Tweedale at 2020-06-10T06:44:18+10:00
CT: handle missing config

If Certificate Transparency config is not defined in CS.cfg, all
certificate issuance fails.  This situation can arise in upgrade
scenarios.

Tolerate the absense of the certTransparency.enable CS.cfg
directive, defaulting to false.

- - - - -
b3514113 by jmagne at 2020-06-09T15:06:21-07:00
Address CVE-2020-1721. (#434)

Co-authored-by: Jack Magne <jmagne at localhost.localdomain>
- - - - -
76820004 by Alexander Scheel at 2020-06-09T18:47:15-04:00
Introduce pki_ajp_secret configuration parameter

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
1bd84062 by Alexander Scheel at 2020-06-09T18:47:15-04:00
Add migration logic for 8.5 -> 9.0.31

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
e2ee6e1e by Alexander Scheel at 2020-06-09T18:47:15-04:00
Make pki_ajp_secret a random password by default

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
737fc097 by Alexander Scheel at 2020-06-09T18:47:15-04:00
Always gather journalctl logs, instance config

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
741c7982 by Alexander Scheel at 2020-06-09T19:33:54-04:00
Remove Tomcat 7.0, Tomcat 8.0 specific configs

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
f7cd25bc by Endi S. Dewata at 2020-06-10T11:47:50-05:00
Updated version number to 10.9.0-0.2 (alpha 2)

- - - - -
9beafcf5 by Dinesh Prasanth M K at 2020-06-11T14:45:50-04:00
Add new healthcheck - CA System cert expiry

This patch adds a new healthcheck to test whether CA's
system certs have expired. It throws a WARNING if the
certificates are about to expire.

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
a2fd414b by Dinesh Prasanth M K at 2020-06-11T14:45:50-04:00
Add new healthcheck - KRA System cert expiry

This patch adds a new healthcheck to test whether KRA's
system certs have expired. It throws a WARNING if the
certificates are about to expire.

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
964a701f by Dinesh Prasanth M K at 2020-06-11T14:45:50-04:00
Move the cert expiry calculation logic to generic method

This patch creates a reusable method that returns the pre-filled Result
object, that carries the Cert expiration status. The method can process
only 1 cert at a time.

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
4b81e951 by Endi S. Dewata at 2020-06-11T14:52:50-05:00
Added CertUtil.toPEM() for PKCS10

The code that converts a PKCS10 object into a PEM string has
been moved into CertUtil.toPEM().

- - - - -
a8a6416b by Endi S. Dewata at 2020-06-11T14:52:50-05:00
Removed deprecated methods in ClientConfig

- - - - -
43197691 by Endi S. Dewata at 2020-06-11T14:52:50-05:00
Refactored MainCLI.getNSSDatabase()

The MainCLI.getNSSDatabase() has been modified to return
an NSSDatabase object.

- - - - -
313b57b1 by Endi S. Dewata at 2020-06-11T14:52:50-05:00
Refactored ClientCertImportCLI.importCACert() (part 1)

The code that imports a CA cert with a nickname has been moved
out of ClientCertImportCLI.importCACert().

- - - - -
3933b160 by Endi S. Dewata at 2020-06-11T14:52:50-05:00
Refactored ClientCertImportCLI.importCACert() (part 2)

The ClientCertImportCLI.importCACert() has been converted
into NSSDatabase.addCertificate().

- - - - -
3de6843e by Endi S. Dewata at 2020-06-11T14:52:50-05:00
Refactored ClientCertImportCLI.importCert()

The ClientCertImportCLI.importCert() has been converted into
NSSDatabase.addCertificate().

- - - - -
c701cf62 by Endi S. Dewata at 2020-06-11T14:52:50-05:00
Cleaned up ACME doc

- - - - -
ab386a98 by Dinesh Prasanth M K at 2020-06-11T16:06:21-04:00
Add new healthcheck - OCSP System Cert Expiry

This patch adds new healthcheck to test the expiration
of OCSP system certs

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
80054053 by Dinesh Prasanth M K at 2020-06-11T16:06:21-04:00
Add new healthcheck - TKS System Cert Expiry

This patch adds a new healthcheck to test the expiration
of TKS system certs

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
235cfe1a by Dinesh Prasanth M K at 2020-06-11T16:06:21-04:00
Add new healthcheck - TPS System cert expiration

This patch adds a new healthcheck to check the expiration
of system certs in TPS

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
d206ef17 by Endi S. Dewata at 2020-06-11T18:49:53-05:00
Fixed NSSDatabase.create()

The NSSDatabase.create() has been modified to create the
NSS database with the internal token password.

- - - - -
2dea4a76 by Endi S. Dewata at 2020-06-11T18:50:40-05:00
Added NSSDatabase.addPEMCertificate()

The NSSDatabase.addPEMCertificate() methods have been added
to import certificate files in PEM format.

- - - - -
a755dc78 by Endi S. Dewata at 2020-06-11T19:03:57-05:00
Added pki nss-cert-import

The pki nss-cert-import has been added to replace
pki client-cert-import --cert and --ca-cert.

- - - - -
95366b70 by Endi S. Dewata at 2020-06-11T19:03:57-05:00
Simplified pki pkcs12-import options

- - - - -
0d59b969 by Endi S. Dewata at 2020-06-11T19:03:58-05:00
Added PostgreSQL database doc

- - - - -
70c8d130 by Timo Aaltonen at 2020-06-15T19:02:22+03:00
Merge branch 'upstream-next' into master-next

- - - - -
7e965bbe by Timo Aaltonen at 2020-06-15T19:02:52+03:00
bump the version

- - - - -
8f75debd by Endi S. Dewata at 2020-06-15T12:45:55-05:00
Simplified pki pkcs7-import options

- - - - -
804d827a by Endi S. Dewata at 2020-06-15T12:45:55-05:00
Simplified pki pkcs12-export options

- - - - -
9f4f293f by Endi S. Dewata at 2020-06-15T12:45:55-05:00
Updated CMSEngine.configureAutoShutdown() (part 1)

A try-catch block in CMSEngine.configureAutoShutdown() has
been removed to expose all exceptions generated by the code.

- - - - -
057ce47d by Endi S. Dewata at 2020-06-15T13:29:13-05:00
Updated CMSEngine.configureAutoShutdown() (part 2)

A try-catch block in CMSEngine.configureAutoShutdown() has been
removed to expose any problem in finding the audit signing cert.

The CMSEngine.init() has also been modified to call the method
only after the audit signing cert has been created.

- - - - -
37927738 by Endi S. Dewata at 2020-06-15T13:29:13-05:00
Updated CMSEngine.configureAutoShutdown() (part 3)

A try-catch block in CMSEngine.configureAutoShutdown() has been
removed to expose any problem in removing existing auto-shutdown
crumb file.

- - - - -
7a31f28f by Endi S. Dewata at 2020-06-15T19:32:25-05:00
Added NSSDatabase.createRequest()

The NSSDatabase.createRequest() has been added to create a
certificate signing request using a local NSS database.

- - - - -
99793a50 by Endi S. Dewata at 2020-06-15T19:32:25-05:00
Added NSSDatabase.createCertificate()

The NSSDatabase.createCertificate() has been added to issue
a certificate using a CA signing certificate stored in a local
NSS database.

- - - - -
0b4ba07c by Endi S. Dewata at 2020-06-15T19:32:25-05:00
Added pki nss-cert-request

The pki nss-cert-request have been added to create a certificate
signing request using a local NSS database.

- - - - -
3d82cdfe by Endi S. Dewata at 2020-06-15T19:32:25-05:00
Added pki nss-cert-issue

The pki nss-cert-issue have been added to issue a certificate
using a CA signing certificate stored in a local NSS database.

- - - - -
0ca3548c by Timo Aaltonen at 2020-06-16T15:50:28+03:00
patches: Refreshed.

- - - - -
3836dc33 by Timo Aaltonen at 2020-06-16T20:34:14+03:00
releasing package dogtag-pki version 10.9.0~a2-1

- - - - -
21528f49 by Endi S. Dewata at 2020-06-16T14:01:11-05:00
Cleaned up ACMEEngine log messages

- - - - -
85b7b89e by dependabot[bot] at 2020-06-16T20:32:47-05:00
Bump xercesImpl from 2.11.0 to 2.12.0

Bumps xercesImpl from 2.11.0 to 2.12.0.

Signed-off-by: dependabot[bot] <support at github.com>
- - - - -
f212aa82 by Timo Aaltonen at 2020-06-17T14:04:31+03:00
server.install: Updated.

- - - - -
ac78c2b0 by Timo Aaltonen at 2020-06-17T14:04:48+03:00
releasing package dogtag-pki version 10.9.0~a2-2

- - - - -
0011cfbe by Christina Fu at 2020-06-18T15:53:12+10:00
Bug 1805541 improvement over verifySCT - [RFE] CA Certificate Transparency with Embedded Signed Certificate Time stamp

This patch made some more attempt to improve on verifySCT
  (though still not working; lack of the signed blob from sender
   makes it a bit challenging)

It adds the following:
  - Include code to use LinkedHashMap instead of Hashtable (requires jss fix)
  - Added debugging code to be sure that the extensions didn’t get out of order through manipulation
  - Allow for CT lg connection issue, but disallow for failed CT verification (though still temporarily disable failure for signature verification)
  - For verifySCT
     - Added missing 3 byte length for tbsCert
     - Added processing for extensions, though most likely not needed for some time

Note: the global on/off is rigid at this point without "per-profile" control;

https://bugzilla.redhat.com/show_bug.cgi?id=1805541

- - - - -
f183aa0d by Fraser Tweedale at 2020-06-18T15:53:12+10:00
CT: decode signature value properly

The CT signature is TLS-encoded structure with 4 leading bytes.  The
rest of the signature is the signature value, which is a DER-encoded
ECDSA-Sig-Value per https://tools.ietf.org/html/rfc5480.  This is
exactly what JSS needs, so only drop the first 4 bytes.

With this change, SCT signature verification now works.

- - - - -
43466bf0 by Fraser Tweedale at 2020-06-18T15:53:12+10:00
CT: cleanups

- - - - -
85fdca4b by Fraser Tweedale at 2020-06-18T15:53:12+10:00
CT: tidy up "allow failed SCT verification" control

The "allow failed SCT verification" behaviour was a bit buggy.  If
it got a boolean verification result it "correctly" ignored failed
verification, but if an exception was thrown (e.g. due to malformed
log server response) it returned 'false', aborting issuance.

Extract the "allow failed verification" check out of verifySCT to
the call site.  A single boolean now controls the behaviour.  It
should be further extracted to a config knob in a future commit.
For now the default remains to ignore failed verification.

- - - - -
62b8df1b by Fraser Tweedale at 2020-06-18T15:53:12+10:00
CT: createSCTextension: handle SCT extensions properly

To handle possible future extensions, read the extensions from the
log server response(s) and copy them into the SCT extension.

- - - - -
decf1192 by Fraser Tweedale at 2020-06-18T15:53:12+10:00
CT: extract "write fixed-width length field" method

Define 'intToFixedWidthBytes' which encapsulates the logic of
writing a length as a fixed-width big-endian uint.  This avoids
repetition and makes things easier to follow at call sites.

- - - - -
e39d5978 by Christian Heimes at 2020-06-18T11:33:12-04:00
Enable TLS 1.3 post handshake auth

TLS 1.3 no longer supports renegotiations. Clients must announce support for
post handshake authentication to support conditional authentication with
client certs.

The fix is required to make Dogtag work with FreeIPA and TLS 1.3 enabled
Apache HTTPd proxy.

n.b.: rebased by Alexander Scheel, enabled PHA

Change-Id: I07da8779e233f6e77526df30e29da575676ac0e9
Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
50c23ec1 by Alexander Scheel at 2020-06-18T11:33:12-04:00
Enable certificate verification in PKIConnection

To PKIConnection's initialization handler, we introduce a new argument,
cert_paths, which takes a string or iterable; each unit of which is
treated as a capath or cafile depending on whether or not it is a
directory. See ssl.SSLContext.load_verify_locations for more
information. This enables both PKI and IPA to specify independent CA
file locations at the same time and have fallback if this does not work.

Because some users might've already loaded the CA certificate into the
system-wide CA certificate store (if they're running Dogtag in
production), we also inclue the global trust store.

Resolves: rh-bz#1426572

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
8705ebeb by Alexander Scheel at 2020-06-18T11:33:12-04:00
Make healthcheck check CA certificate

When running healthcheck, use the CA certificate in PEM form at
/etc/pki/<instance>/alias/ca.crt to verify connections with
PKIConnection. This is because the healthcheck tool is run on the
server, not on a remote client system.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
e5793704 by Alexander Scheel at 2020-06-18T11:33:12-04:00
Make PKI server operations verify CA certificate

We create a path ~/.dogtag/nssdb/ca.crt which contains the PEM-encoded
CA certificate in the NSS DB. When setting up PKI server authentication,
check for this CA file and use it when present. If we're performing
cert-based auth, we're dumping the CA certificate into the .p12 file, so
we can extract just the CA certificate to create it if it is missing.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
de680af2 by Alexander Scheel at 2020-06-18T11:33:12-04:00
Check CA Certificate in Security Domain

When checking a Security Domain connection, we should ensure the CA
certificate is already provisioned to this machine prior to attempting
this call.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
7fba9a16 by Alexander Scheel at 2020-06-18T11:33:12-04:00
Secure PKIConnection during pkispawn, add CA cert

When the CA certificate is missing in PEM form in the NSS DB (but is
present from the pki_ca_cert_path parameter in the spawn configuration,
add it to this instance's alias prior to using PKIConnection.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
614846ec by Alexander Scheel at 2020-06-18T11:33:12-04:00
Export CA certificate from clone PKCS#12 file

When creating a cloned subsystem, export the CA certificate into the
expected location prior to continuing subsystem installation. This
should ensure we provision the CA certificate prior to any calls to
PKIConnection.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
35c52586 by Alexander Scheel at 2020-06-18T11:33:12-04:00
Ignore certificate validation during status checks

When waiting for a subsystem to come up, we initialize a new
PKIConnection. However, we don't necessarily need to validate this
certificate: it is a status check and spoofing the result at worst
causes us to fail somewhere else, later, if the server isn't yet alive
and/or the connection was spoofed. Since this is primarily used in
pkispawn, it should be safe to ignore any certificate validation
failures and set verify=False here.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
c4a3454e by Alexander Scheel at 2020-06-18T11:33:12-04:00
Verify CA certificate when destroying KRA

When destroying a KRA instance, we query a list of all CAs this KRA
instance is registerred to. When querying this list, verify the
certificate on the remote peer.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
00fdf77f by Alexander Scheel at 2020-06-18T11:33:12-04:00
Export CA certificate after NSS DB migration

In order to ensure all subsystems continue to function with enforced CA
validity checking, export the CA after NSS DB migration. This should
ensure we always get the latest CA certificate (as the CA would
presumably be restarted after a new CA certificate has been issued).

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
dc5b3e78 by Alexander Scheel at 2020-06-18T11:33:12-04:00
Add documentation on PKI certificate validation

This documents utilizing the pki_cert_chain_path to configure an
existing CA certificate into the NSS DB. We also document proper CLI
setup procedures, including mentioning that the CA certificates must be
imported.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
578f682e by Endi S. Dewata at 2020-06-18T10:35:28-05:00
Added auto-reconnect for PostgreSQL database

The PostgreSQLDatabase.connect() has been added to create
the initial connection, validate the current connection,
and reestablish the connection if it's closed.

- - - - -
b235c0f3 by Dinesh Prasanth M K at 2020-06-18T13:38:04-04:00
Fix XSS in PathLength attribute in CA agent web page

- The input type is set to number when "integer" is encountered
- The server error message is html escaped, before it gets displayed in client browser

Resolves: BZ#1710171

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
6c43dd30 by Endi S. Dewata at 2020-06-18T13:03:09-05:00
Added certificate storage in ACME database

The ACMEDatabase has been modified to provide a certificate
storage for ACME issuers that do not have their own storage.

- - - - -
56b8375e by Dinesh Prasanth M K at 2020-06-18T20:02:18-04:00
Fix reflected XSS attack when hitting getCookie endpoint

This patch sanitizes the Server generated error message, to escape
the HTML tags if any present.

Resolves: BZ#1789907

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
50585c65 by Pritam Singh at 2020-06-19T10:05:10-04:00
Added client-side prevention for XSS in recoveryID endpoint

Signed-off-by: Pritam Singh <prisingh at redhat.com>

- - - - -
835f1dcd by Endi S. Dewata at 2020-06-19T10:16:40-05:00
Simplified pki pkcs12-cert-find options

- - - - -
73da2085 by Endi S. Dewata at 2020-06-19T10:16:40-05:00
Added default ACME validators configuration

The ACMEEngine.loadValidatorsConfig() has been modified to
load the default validators.conf if the configuration file
is not available.

The pki-server acme-create command has been modified to no
longer create validators.conf so the ACME responder will
use the default one.

- - - - -
edff88c9 by Endi S. Dewata at 2020-06-19T10:17:21-05:00
Added non-blocking ACME validation

The ACMEChallengeProcessor has been added to perform the
ACME validation using a separate thread such that it does
not block the main thread.

- - - - -
426d5f73 by Christina Fu at 2020-06-19T12:02:06-07:00
Bug1629025: KRA transporCert nick: Server-Side keygen Enrollment for EE

This patch fixes the issue where CA attempts to get
ca.ca.connector.KRA.transportCertNickname
instead of
ca.connector.KRA.transportCertNickname
from it's CS.cfg

https://bugzilla.redhat.com/show_bug.cgi?id=1629025

- - - - -
63a75f81 by Timo Aaltonen at 2020-06-19T15:12:47-04:00
Fix javadoc build on Debian

Tried to build 10.9.0-a1 on Debian, but it fails building javadoc:

[ 98%] Generating Javadoc for pki-javadoc
cd /home/tjaalton/src/pkg-freeipa/dogtag-pki.git/build/core/base/javadoc && /usr/lib/jvm/java-11-openjdk-amd64/bin/javadoc -d /home/tjaalton/src/pkg-freeipa/dogtag-pki.git/build/core/base/javadoc/javadoc/pki-10.9.0 -windowtitle 'pki-javadoc' -doctitle '<h1>PKI Javadoc</h1>' -author -use -version -quiet -Xdoclint:none -sourcepath :/home/tjaalton/src/pkg-freeipa/dogtag-pki.git/base/javadoc:/home/tjaalton/src/pkg-freeipa/dogtag-pki.git/base/util/src:/home/tjaalton/src/pkg-freeipa/dogtag-pki.git/base/common/src:/home/tjaalton/src/pkg-freeipa/dogtag-pki.git/base/java-tools/src:/home/tjaalton/src/pkg-freeipa/dogtag-pki.git/base/server/src -classpath :/usr/share/java/slf4j-api.jar:/usr/share/java/jaxb-api.jar:/usr/share/java/xalan2.jar:/usr/share/java/xercesImpl.jar:/usr/share/java/commons-cli.jar:/usr/share/java/commons-lang.jar:/usr/share/java/commons-codec.jar:/usr/share/java/commons-httpclient.jar:/usr/share/java/commons-io.jar:/usr/share/java/ldapjdk.jar:/usr/share/java/velocity.jar:/usr/share/java/servlet-api-3.1.jar:/usr/share/java/tomcat9-catalina.jar:/usr/share/java/tomcat9-util.jar:/usr/share/java/httpclient.jar:/usr/share/java/httpcore.jar:/usr/share/java/jaxrs-api.jar:/usr/share/java/jackson-annotations.jar:/usr/share/java/jackson-databind.jar:/usr/share/java/jackson-module-jaxb-annotations.jar:/usr/share/java/resteasy-jaxrs.jar:/usr/share/java/resteasy-atom-provider.jar:/usr/share/java/resteasy-client.jar:/usr/share/java/jss4.jar:/home/tjaalton/src/pkg-freeipa/dogtag-pki.git/build/core/dist/symkey.jar:/usr/share/java/tomcatjss.jar:/home/tjaalton/src/pkg-freeipa/dogtag-pki.git/build/core/dist/pki-cmsutil.jar:/home/tjaalton/src/pkg-freeipa/dogtag-pki.git/build/core/dist/pki-certsrv.jar:/home/tjaalton/src/pkg-freeipa/dogtag-pki.git/build/core/dist/pki-tools.jar:/home/tjaalton/src/pkg-freeipa/dogtag-pki.git/build/core/dist/pki-tomcat.jar:/home/tjaalton/src/pkg-freeipa/dogtag-pki.git/build/core/dist/pki-cms.jar -subpackages :com.netscape.cmsutil:com.netscape.certsrv:com.netscape.cmstools:org.dogtagpki:com.netscape.cms
javadoc: error - No source files for package com.netscape.cmsutil

I believe base/javadoc/CMakeLists.txt needs to be updated..

it was quite simple

Resolves: https://www.pagure.io/dogtagpki/issue/3176

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
364de389 by Endi S. Dewata at 2020-06-19T14:53:54-05:00
Cleaned up ACME doc

- - - - -
0447bd72 by Endi S. Dewata at 2020-06-19T15:00:44-05:00
Added NSSExtensionGenerator

The NSSExtensionGenerator has been added to create certificate
extension objects from a configuration file. Initially it only
supports BasicConstraintsExtension.

The NSSDatabase has been modified to support creating certificate
request or issuing certificates with extensions.

- - - - -
57e97b2b by Endi S. Dewata at 2020-06-19T15:00:44-05:00
Added support for AuthorityKeyIdentifierExtension

The NSSDatabase and NSSExtensionGenerator have been modified
to support AuthorityKeyIdentifierExtension.

- - - - -
302edc84 by Endi S. Dewata at 2020-06-19T15:00:44-05:00
Added support for SubjectKeyIdentifierExtension

The NSSDatabase and NSSExtensionGenerator have been modified
to support SubjectKeyIdentifierExtension.

- - - - -
6e28f76a by Endi S. Dewata at 2020-06-19T15:00:44-05:00
Added support for AuthInfoAccessExtension

The NSSDatabase and NSSExtensionGenerator have been modified
to support AuthInfoAccessExtension.

- - - - -
3e035de6 by Endi S. Dewata at 2020-06-19T15:00:44-05:00
Added support for KeyUsageExtension

The NSSDatabase and NSSExtensionGenerator have been modified
to support KeyUsageExtension.

- - - - -
bec9b60e by Endi S. Dewata at 2020-06-19T15:00:44-05:00
Added support for ExtendedKeyUsageExtension

The NSSDatabase and NSSExtensionGenerator have been modified
to support for ExtendedKeyUsageExtension.

- - - - -
923e1e12 by Endi S. Dewata at 2020-06-19T15:00:44-05:00
Added support for CertificatePoliciesExtension

The NSSDatabase and NSSExtensionGenerator have been modified
to support CertificatePoliciesExtension.

- - - - -
74918419 by Alexander Scheel at 2020-06-19T16:42:44-04:00
Use password during NSS DB creation

In most instances, MainCLI has already parsed options prior to executing
MainCLI.init(). Require the caller to ensure this holds. When a NSS DB
password has been provided, use it to create the NSS DB when one doesn't
yet exists. This matches users's expectations.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1843537

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
3a92a1db by Endi S. Dewata at 2020-06-19T18:09:04-05:00
Added NSSIssuer

The NSSIssuer has been added to provide an embedded
CA for the ACME responder using a local NSS database.

- - - - -
ca428b43 by Alexander Scheel at 2020-06-19T19:36:10-04:00
Set -Dcom.redhat.fips=false in Tomcat config

FIPS mode in OpenJDK shipped on RHEL-like platforms uses SunPKCS11 to
provide cryptographic primitives for SunJSSE (including SSLEngine and
SSLSocket) and other high-level providers. However, because SunPKCS11
uses NSS, we'd have a race between JSS and SunPKCS11. This isn't good,
because when Tomcat loads up, SunPKCS11 will consistently load before
TomcatJSS initialization, starving JSS's chance to become the default
provider. By setting -Dcom.redhat.fips=false unconditionally, we
decrease the JDK's reliance on SunPKCS11, decreasing the chance it'll
load. Indeed, prior to the changes to follow system FIPS mode, we've not
encountered any issues with SunPKCS11 loading ahead of JSS.

This change adds -Dcom.redhat.fips=false to the Tomcat configuration
unless the key is already present.

Because JSS is FIPS conforming, and provides a SSLEngine and SSLSocket
implementation since JSS 4.7.0, this is safe to do. In the future,
java.security can be used to ensure only JSS is loaded, preventing any
non-FIPS operations completely.

Related: https://bugzilla.redhat.com/show_bug.cgi?id=1655466
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1759335
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1780335
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1821851
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1830090

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
43a2738c by Endi S. Dewata at 2020-06-22T10:49:21-05:00
Added PKIServer.nssdb_link

The code in PKIInstance that creates and removes the link
to the NSS database has been moved into PKIServer.

- - - - -
41e1590b by Endi S. Dewata at 2020-06-22T10:49:21-05:00
Reorganized ACME database files

The ACME database files have been moved into acme/database
to simplify the paths.

- - - - -
b20f0803 by Endi S. Dewata at 2020-06-22T10:49:21-05:00
Reorganized ACME issuer files

The ACME issuer files have been moved into acme/issuer
to simplify the paths.

- - - - -
b04097fc by Endi S. Dewata at 2020-06-22T10:49:21-05:00
Simplified pki pkcs12-cert-mod options

- - - - -
abc01031 by Endi S. Dewata at 2020-06-22T11:38:38-05:00
Updated version number to 10.9.0-0.3 (beta 1)

- - - - -
412b3150 by Endi S. Dewata at 2020-06-22T15:12:37-05:00
Renamed issuer parameter in NSSIssuer

The issuer parameter in NSSIssuer has been renamed to
nickname for clarity.

- - - - -
606aa7b9 by Endi S. Dewata at 2020-06-22T15:13:12-05:00
Added default value for NSSIssuer nickname

- - - - -
4f3db1ae by Endi S. Dewata at 2020-06-22T15:13:13-05:00
Added default value for NSSIssuer extensions

- - - - -
4f47a2f6 by Dinesh Prasanth M K at 2020-06-23T18:00:23-04:00
Require python3-setuptools explicitly

python3-setuptools is required to setup PKI healthcheck tool. There
was a request submitted by setuptools developers to specify BR directly
rather than using tranisitive dependency (ie) python3-devel pull
python3-setuptools currently

Ref: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/GCPGM34ZGEOVUHSBGZTRYR5XKHTIJ3T7/

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
1b4558bf by Alexander Scheel at 2020-06-24T11:53:59-04:00
Fix extraction of CA certificate

openssl pkcs12 gets annoyed when the CA certificate already exists.
Remove it before exporting on each migration.

This manifests itself as a failure during pki-tomcatd startup:

    Jun 24 06:05:59 host-10-0-137-221.ipa.example pki-server[21402]: ---------------
    Jun 24 06:05:59 host-10-0-137-221.ipa.example pki-server[21402]: Export complete
    Jun 24 06:05:59 host-10-0-137-221.ipa.example pki-server[21402]: ---------------
    Jun 24 06:05:59 host-10-0-137-221.ipa.example pki-server[21375]: ERROR: Command: openssl pkcs12 -in /tmp/tmpfn_vr9yx/sslserver.p12 -out /etc/pki/pki-tomcat/alias/ca.crt -nodes -nokeys -passin pass::6|xZFEk8Dog

See also: https://github.com/freeipa/freeipa/pull/4820#issuecomment-648729659
Related: rh-bz#1426572

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
deca1c87 by Dinesh Prasanth M K at 2020-06-24T17:12:26-04:00
Healthcheck: Ignore SSL verification in connectivity check

The connectivity check's motive is to test whether the given
subsystem is up and able to respond. Strict SSL validation is not
required. This patch turns it off for the COnnectivity Healthcheck.

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
a21bd28c by Alexander Scheel at 2020-06-25T12:35:23-04:00
Provision CA certificate for Security Domain check

When checking the Security Domain during pkispawn, we enforce
certificate validation. This is because we're also checking the
username/password given to us. This should go over a secured connection,
so simply setting verify=False would be a bad fix. Instead, ask the user
for a pki_cert_chain_path if one isn't given and use that to validate
the security domain's connection when the ca.crt path isn't already
populated.

This manifests itself as the following error:

      File "/usr/lib/python3.6/site-packages/pki/server/pkispawn.py", line 930, in <module>
        main(sys.argv)
      File "/usr/lib/python3.6/site-packages/pki/server/pkispawn.py", line 544, in main
        check_security_domain()
      File "/usr/lib/python3.6/site-packages/pki/server/pkispawn.py", line 716, in check_security_domain
        info = deployer.get_domain_info()
      File "/usr/lib/python3.6/site-packages/pki/server/deployment/__init__.py", line 270, in get_domain_info
        self.domain_info = sd_client.get_domain_info()
      File "/usr/lib/python3.6/site-packages/pki/system.py", line 270, in get_domain_info
        response = self.connection.get(self.domain_info_url, headers=headers)
      File "/usr/lib/python3.6/site-packages/pki/client.py", line 55, in wrapper
        return func(self, *args, **kwargs)
      File "/usr/lib/python3.6/site-packages/pki/client.py", line 259, in get
        timeout=timeout,
      File "/usr/lib/python3.6/site-packages/requests/sessions.py", line 546, in get
        return self.request('GET', url, **kwargs)
      File "/usr/lib/python3.6/site-packages/requests/sessions.py", line 533, in request
        resp = self.send(prep, **send_kwargs)
      File "/usr/lib/python3.6/site-packages/requests/sessions.py", line 646, in send
        r = adapter.send(request, **kwargs)
      File "/usr/lib/python3.6/site-packages/requests/adapters.py", line 514, in send
        raise SSLError(e, request=request)
    requests.exceptions.SSLError: HTTPSConnectionPool(host='pki1.example.com', port=20443): Max retries exceeded with url: /ca/rest/securityDomain/domainInfo (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)'),))

Related: rh-bz#1426572

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
57fdb9bb by Endi S. Dewata at 2020-06-25T14:33:23-05:00
Refactored EnrollDefault.deleteExtension() (part 1)

The EnrollDefault.deleteExtension() has been modified to
throw a generic exception.

- - - - -
16269168 by Endi S. Dewata at 2020-06-25T14:34:16-05:00
Refactored EnrollDefault.deleteExtension() (part 2)

The EnrollDefault.deleteExtension() has been modified to use
a separate loop to avoid ConcurrentModificationException.

- - - - -
b2388e9a by Endi S. Dewata at 2020-06-25T15:00:50-05:00
Refactored CAProcessor.saveAuthToken() (part 1)

The code that checks that the authentication token and the
request are not null in CAProcessor.saveAuthToken() has been
moved to the caller.

- - - - -
134f20ba by Endi S. Dewata at 2020-06-25T15:22:05-05:00
Refactored CAProcessor.saveAuthToken() (part 2)

The variable names and log messages in CAProcessor.saveAuthToken()
have been modified for clarity.

- - - - -
e131adc0 by Endi S. Dewata at 2020-06-25T16:53:35-05:00
Updated version number to 10.9.0-0.4 (beta 2)

- - - - -
3073c64a by Christina Fu at 2020-06-25T19:31:17-07:00
Bug1805541-parseAlgs-[RFE] CA Certificate Transparency with Embedded Signed Certificate Time stamp

This patch parses the CT response for hashing and signing algorithms.
There is plan to fine-tune the CT code later.

https://bugzilla.redhat.com/show_bug.cgi?id=1805541

- - - - -
2a0dae85 by Endi S. Dewata at 2020-06-29T10:55:05-05:00
Removed default user/group in pki-server create

The hard-coded default user/group in pki-server create has
been removed such that it's going to be determined by the
type of instance being created.

- - - - -
6c18b47f by Endi S. Dewata at 2020-06-29T10:55:48-05:00
Cleaned up log messages in PKIIssuer

- - - - -
4ce3a7e4 by Endi S. Dewata at 2020-06-29T10:55:48-05:00
Cleaned up main web.xml

The main web.xml has been modified to map .properties
files to text/plain to avoid syntax errors in Firefox.

https://github.com/jquery-i18n-properties/jquery-i18n-properties

- - - - -
7ab7f731 by Endi S. Dewata at 2020-06-29T10:55:48-05:00
Cleaned up ACME's web.xml

- - - - -
33f4893c by Endi S. Dewata at 2020-06-29T14:20:23-05:00
Added ACME Dockerfile

- - - - -
0682f553 by Endi S. Dewata at 2020-06-29T14:20:23-05:00
Added ACME deployment config for OpenShift

- - - - -
93732b52 by Dinesh Prasanth M K at 2020-06-30T11:20:15-04:00
Healthcheck: Add method to load dogtag specific config values

This patch adds a reusable method to load dogtag specific values
specified in the config file. Note that each registry calls this
method but, the values are read only once. The registry initialization
is handled by the underlying 'pkg_resources' library and there was no
particular order.

TODO: This is a temporary patch and the parsing method should be
moved into the ipa-healthcheck-core library

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
bb0739e0 by Dinesh Prasanth M K at 2020-06-30T11:20:15-04:00
Refactor DogtagCertsConfigCheck to accommodate other subsystems

This patch refactors DogtagCertsConfigCheck to accommodate other
subsystems: OCSP, TKS and TPS. This patch also uses the config names
mentioned in the healthcheck config file.

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
400a5a8f by Dinesh Prasanth M K at 2020-06-30T11:20:15-04:00
Healthcheck: Allow healthchecks to load custom named instances

This patch allows the Healthchecks to use the custom instance
names provided via the pki specific healthcheck config file. This
will allow healthcheck to be executed in standalone Dogtag PKI
environments.

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
a8f7eede by Dinesh Prasanth M K at 2020-06-30T11:20:15-04:00
Update PKI-healthcheck documentation

Add documentation related to /etc/pki/healthcheck.conf

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
7fcb8993 by Dinesh Prasanth M K at 2020-06-30T11:20:15-04:00
Healthcheck: Minor improvements to config and expiration check

This patch:

* Uses expiration day value specified in config to report warnings
  during the System Certificate Expiration Check

* Prior to this commit, if a custom instance name is specified for a
  subsystem, ALL subsystem's instance names needed to be specified. This
  patch removes that restriction.

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
d6c91ee4 by Christian Heimes at 2020-06-30T12:05:57-04:00
pki password fix for FIPS

NSS DB in FIPS mode seems to require a password in all cases. When pki
attemps to open NSS DB without password in FIPS mode, it blocks with a
prompt to enter a password. This breaks installation in FIPS mode:

    Enter password for NSS FIPS 140-2 User Private Key

Signed-off-by: Christian Heimes <cheimes at redhat.com>

- - - - -
573f574e by Alexander Scheel at 2020-06-30T17:59:38-04:00
Add separate bootstrap CSS file

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
01d46248 by Alexander Scheel at 2020-06-30T17:59:38-04:00
Link in new Bootstrap CSS file

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
021b273c by Endi S. Dewata at 2020-06-30T18:19:22-05:00
Removed tech preview notifications

- - - - -
5e5dba62 by Timo Aaltonen at 2020-07-01T07:05:51+03:00
Merge branch 'upstream-next' into master-next

- - - - -
eb87e0cc by Timo Aaltonen at 2020-07-01T07:06:28+03:00
bump the version

- - - - -
627425ac by Timo Aaltonen at 2020-07-01T07:07:09+03:00
fix-javadoc-build.diff: Dropped, upstream.

- - - - -
44a6c53c by Endi S. Dewata at 2020-06-30T23:16:50-05:00
Renamed TPS profile service

The ProfileService for TPS has been renamed into
TPSProfileService for clarity.

- - - - -
f9db0af1 by Endi S. Dewata at 2020-06-30T23:17:17-05:00
Cleaned up log messages in TPSProfileService

- - - - -
f306fa8a by Endi S. Dewata at 2020-06-30T23:17:17-05:00
Added ProfileData.profileID

The ProfileData.profileID has been added to store the ID
before the profile is added into the database.

- - - - -
a4336bad by Endi S. Dewata at 2020-06-30T23:17:17-05:00
Added ErrorDialog.htmlContent

The ErrorDialog has been modified to provide an option to
display HTML content.

- - - - -
8884b434 by Alexander Scheel at 2020-07-01T11:30:30-04:00
Replace CMSTemplate custom sanitization with lang2

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
f770c4e5 by Endi S. Dewata at 2020-07-01T10:42:04-05:00
Refactored EntryPage.save()

The EntryPage.save() has been renamed to saveEntry() for clarity.

- - - - -
8734909b by Endi S. Dewata at 2020-07-01T10:42:04-05:00
Updated ErrorDialog.close()

The ErrorDialog.close() has been modified to trigger an event.

- - - - -
02e3f1e5 by Endi S. Dewata at 2020-07-01T11:25:00-05:00
Cleaned up log messages in TokenService

- - - - -
1dbb07f8 by Endi S. Dewata at 2020-07-01T15:47:32-05:00
Added input validation for TPS

The TPSProfileService has been modified to validate the
profile ID and profile property names received via REST API.

The TPS UI has been modified to validate profile ID and
profile property names before they are sent to the server.

The TableItem.renderColumn() has been modified to escape
the value already stored in the database before displaying
it in the UI.

https://bugzilla.redhat.com/show_bug.cgi?id=1791099
https://bugzilla.redhat.com/show_bug.cgi?id=1793076
https://bugzilla.redhat.com/show_bug.cgi?id=1725129

- - - - -
da7d9cc3 by Endi S. Dewata at 2020-07-02T11:16:09-05:00
Updated version number to 10.9.0-0.5.unstable (beta 3)

- - - - -
c1098bb1 by Endi S. Dewata at 2020-07-02T16:23:51-05:00
Updated build.sh to generate UTC timestamp

The build.sh has been modified to generate UTC timestamp such
that it is consistent across different time zones.

- - - - -
fd3e3dea by Endi S. Dewata at 2020-07-02T17:05:00-05:00
Cleaned up log messages in CertRequestService

- - - - -
9de45c28 by Endi S. Dewata at 2020-07-02T17:11:14-05:00
Cleaned up log messages in PKIRealm

- - - - -
44c34cc1 by Endi S. Dewata at 2020-07-02T17:11:14-05:00
Added UserClient constructor

- - - - -
62e86aa2 by Endi S. Dewata at 2020-07-02T17:11:14-05:00
Added GroupClient constructor

- - - - -
bd46b1a5 by Endi S. Dewata at 2020-07-02T17:11:14-05:00
Added setter/getter for CertEnrollmentRequest.serverSideKeygenP12Passwd

- - - - -
14ece271 by Endi S. Dewata at 2020-07-02T18:47:27-05:00
Deprecated PKIInstance.server_cert_nick_conf()

The PKIInstance.get_sslserver_cert_nickname() has been modified
to get the SSL server cert nickname from the server.xml. The
PKIInstance.server_cert_nick_conf() is no longer used so it has
been deprecated.

- - - - -
68e7c3b5 by Endi S. Dewata at 2020-07-02T21:28:13-05:00
Cleaned up basic PKI server install doc

The doc for installing basic PKI server has been
modified to use the default instance name.

- - - - -
59f58e7e by Endi S. Dewata at 2020-07-02T21:28:13-05:00
Updated basic PKI server install doc with NSS database

The doc for installing basic PKI server with NSS database
has been modified to use pki nss commands.

- - - - -
5d97b91a by Endi S. Dewata at 2020-07-06T22:52:48-05:00
Reorganized basic PKI server install doc

- - - - -
f3780794 by Endi S. Dewata at 2020-07-08T09:30:50-05:00
Fixed NSSExtensionGenerator.createAIAExtension()

The NSSExtensionGenerator.createAIAExtension() has been modified
to call AuthInfoAccessExtension.encode() in order to populate its
extensionValue field. Otherwise, the null extensionValue will
cause an NPE in CertificateExtensions.parseExtension().

- - - - -
3493f58d by Endi S. Dewata at 2020-07-08T09:30:50-05:00
Added PostgreSQL.setup()

The PostgreSQL.setup() has been added to automatically create
the tables when the server initially connects to the database.
This eliminates the requirement to create the tables manually.
The docs have been updated accordingly.

- - - - -
fa9d5a4c by Christina Fu at 2020-07-08T17:09:41-07:00
Bug1629025-handle large keys-ServerSideKeygen

This patch addresses the issue that for ServerSideKeygen enrollments,
if the RSA keys are larger (3072 or 4096), the enrollment would fail.
It may very well have to do with Apache's limit on HTTP header.
While there might exist a better way to resolve this, I'm opting
to remove a duplicated "issued cert" entry in the request itself which
effectively resolves the issue.

https://bugzilla.redhat.com/show_bug.cgi?id=1629025

- - - - -
0067bada by Endi S. Dewata at 2020-07-08T21:36:44-05:00
Added JUL logging options for PKI console

The PKI console has been modified to provide CLI options
to set the log level for java.util.logging.

- - - - -
d6a511b2 by Endi S. Dewata at 2020-07-08T21:36:44-05:00
Added ACMEEngine.start()/stop()

The code that starts and stops the ACME engine in
ACMEEngine.contextInitialized() and contextDestroyed() has
been moved into start() and stop().

- - - - -
0215655f by Endi S. Dewata at 2020-07-08T21:36:44-05:00
Refactored ACMEEngineConfigSource (part 1)

The setEnabled and setWildcard fields in ACMEEngineConfigSource
have been renamed into enabledConsumer and wildcardConsumer for
clarity. Setters/getters have also been added for these fields.

- - - - -
c369ffa1 by Endi S. Dewata at 2020-07-08T21:36:44-05:00
Refactored ACMEEngineConfigSource (part 2)

The ACMEEngineConfigSource.init() has been modified such that
the caller is responsible to initialize the consumers.

- - - - -
1223d8b9 by Endi S. Dewata at 2020-07-08T21:36:44-05:00
Refactored PostgreSQLDatabase.deleteAccountContacts()

The PostgreSQLDatabase.deleteAccountContacts() has been converted
into removeAccountContacts() which takes an account ID.

- - - - -
5b56a967 by Endi S. Dewata at 2020-07-08T21:36:44-05:00
Refactored PostgreSQLDatabase.deleteAuthorizationChallenges()

The PostgreSQLDatabase.deleteAuthorizationChallenges() has been
converted into removeAuthorizationChallenges() which takes an
authorization ID.

- - - - -
7b9b3c6c by Alexander Scheel at 2020-07-09T10:49:00-04:00
Measure individual test execution time

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
3702d4a1 by Endi S. Dewata at 2020-07-09T15:52:34-05:00
Added ACMEScheduler

The ACMEScheduler has been added to schedule tasks to run
periodically in the background.

- - - - -
8cb34a77 by Endi S. Dewata at 2020-07-09T15:52:34-05:00
Added ACMEMaintenanceTask

The ACMEMaintenanceTask has been added to clean up ACME
database. Initially it is used to clean up expired nonces
every 5 minutes.

- - - - -
337cff96 by Dinesh Prasanth M K at 2020-07-09T17:51:37-04:00
Copy missing profiles between 10.5 and current version (10.9)

This patch copies all missing profiles introduced from 10.6+
and configures the CS.cfg in existing deployments. This ensures
that the old deployments (<=10.5) can use the latest profiles

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
ec859b40 by Dinesh Prasanth M K at 2020-07-09T17:51:37-04:00
Remove duplicate entries from CS.cfg

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
21a8f05f by Deepak Punia at 2020-07-10T09:03:57-05:00
Adding downstream tier0-sanity job to upstream

installation-acme
role-user-creation-topo-02
topo-01-role-user-creation

Signed-off-by: Deepak Punia <dpunia at redhat.com>

- - - - -
1df72734 by Endi S. Dewata at 2020-07-10T09:11:41-05:00
Refactored PostgreSQLDatabase.getExpiredNonces()

The PostgreSQLDatabase.getExpiredNonces() has been modified
to only return the nonce values.

- - - - -
eca5c926 by Endi S. Dewata at 2020-07-10T09:11:41-05:00
Refactored ACMEChallengeProcessor.processChallenge()

The code that finalizes valid and invalid authorizations in
ACMEChallengeProcessor.processChallenge() has been moved into
finalizeValidAuthorization() and finalizeInvalidAuthorization().

- - - - -
020a3b30 by Endi S. Dewata at 2020-07-10T09:11:41-05:00
Added log messages in LDAPDatabase

- - - - -
d0d803c8 by Endi S. Dewata at 2020-07-10T09:11:41-05:00
Updated version number to 10.9.0-0.6.unstable (beta 4)

- - - - -
4ae9c7b1 by Endi S. Dewata at 2020-07-10T09:42:48-05:00
Fixed PostgreSQL orders.expires constraints

The PostgreSQL orders.expires column has been modified
to become optional.

- - - - -
69e9d81b by Endi S. Dewata at 2020-07-10T09:42:53-05:00
Fixed PostgreSQL authorizations.expires constraints

The PostgreSQL authorizations.expires column has been
modified to become optional.

- - - - -
fed60474 by Christina Fu at 2020-07-10T15:02:54-07:00
Bug 1805541-refactor:[RFE] CA Certificate Transparency with Embedded Signed Certificate Time stamp

This patch reafactors the Certificate Transparency code.
 More refinement to come, but for this patche:
  - the majority of the CT v1 code originally in CAService.java now goes
    into CTEngine.java;
  - some utility methods go into CertUtils.java
  - new CT enablement logic is introduced to replace the original one:

The logic of whether SCT extension is to be added to the issued
cert or not now goes like this:

IN CS.cfg
     *  CT mode is controlled by ca.certTransparency.mode
     *  There are three CT modes:
     *      disabled: issued certs will not carry SCT extension
     *      enabled: issued certs will carry SCT extension
     *      perProfile: certs enrolled through those profiles
     *          that contain the following policyset
     *          will carry SCT extension
     *             SignedCertificateTimestampListExtDefaultImpl
     * default is true
     * if unknow mode then error will be thrown.

https://bugzilla.redhat.com/show_bug.cgi?id=1805541

- - - - -
0fa50bb9 by Dinesh Prasanth M K at 2020-07-13T15:47:32-04:00
CI: Build custom Fedora image that has systemd installed

With latest Fedora container images (starting from fedora:30) it seems
that the systemd script files have been removed. This patch builds a custom
fedora container image with systemd package installed, giving us the right
systemd-enabled environment to run PKI tests

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
cdbbb079 by Endi S. Dewata at 2020-07-13T18:30:32-05:00
Removed default max/min LDAP connections

- - - - -
43e4cd0f by Endi S. Dewata at 2020-07-13T18:30:32-05:00
Updated pki-server acme-database-show

The pki-server acme-database-show has been modified to support
LDAP database.

- - - - -
5ce46a35 by Endi S. Dewata at 2020-07-13T18:30:32-05:00
Updated pki-server acme-database-mod

The pki-server acme-database-mod has been modified to support
LDAP database.

- - - - -
280c2c37 by Endi S. Dewata at 2020-07-13T18:30:32-05:00
Updated pki-server acme-issuer-show

The pki-server acme-issuer-show has been modified to support
NSS issuer.

- - - - -
6eec2d3a by Endi S. Dewata at 2020-07-13T18:30:32-05:00
Updated pki-server acme-issuer-mod

The pki-server acme-issuer-mod has been modified to support
NSS issuer.

- - - - -
6f94b0d7 by Endi S. Dewata at 2020-07-13T20:30:26-05:00
Reorganized CA install docs

- - - - -
2bd40bdf by Endi S. Dewata at 2020-07-13T20:30:26-05:00
Reorganized KRA install docs

- - - - -
b17883de by Endi S. Dewata at 2020-07-13T20:30:26-05:00
Reorganized OCSP install docs

- - - - -
3b6cbc7d by Endi S. Dewata at 2020-07-13T20:30:26-05:00
Reorganized TKS install docs

- - - - -
3b58dcda by Endi S. Dewata at 2020-07-13T20:30:26-05:00
Reorganized TPS install docs

- - - - -
f946a3e3 by Endi S. Dewata at 2020-07-14T15:16:46-05:00
Fixed podman deployment doc

- - - - -
9170acf2 by Christina Fu at 2020-07-14T16:50:31-07:00
Bug1856368- pki cli kra-key-generate request is failing

This patch fixes the issue with failed kra-key-generate from pki cli.
Investigation revealed that the underlying JSS changes where
base64encodeSingleLine call into
   Base64.getEncoder().encodeToString(bytes);
does not tolerate null parameter.
Reference: Remove code dependency on Apache Commons Codec
https://github.com/dogtagpki/jss/commit/8de4440c5652f6f1af5b4b923a15730ba84f29e1#diff-b2e907677520a5d671a037de2e60e656L376

in PKI, since the caller for generateAsymmetricKey() in KeyClient.java
deliberately passed in "null" for transWrappedSessionKey, it is
safe to just skip over the following line when transWrappedSessionKey is null:
data.setTransWrappedSessionKey(Utils.base64encode(transWrappedSessionKey, false));

the CRMF issue reported in the same bug is very likley a separate issue
and should be filed in a separate bug.

https://bugzilla.redhat.com/show_bug.cgi?id=1856368

- - - - -
9ffb9925 by Endi S. Dewata at 2020-07-14T19:19:49-05:00
Fixed error handling in PKIRealm

In commit 9de45c2812e9eaddaeef50dd422117cf57820581 the PKIRealm was
modified to wrap all exceptions that happen during authentication
and rethrow them as RuntimeExceptions in order to preserve the stack
trace for troubleshooting.

However, because of that when a client tries to authenticate with a
revoked certificate the server incorrectly reports it as an internal
server error instead of authentication failure.

To fix the problem, the PKIRealm has been modified to modified to
handle authentication failures (e.g. EInvalidCredentials) differently
from other internal server errors (e.g. LDAP exceptions).

For authentication failures PKIRealm will return null as described
in RealmBase documentation:
https://tomcat.apache.org/tomcat-9.0-doc/api/org/apache/catalina/realm/RealmBase.html

For internal server errors it will log the stack trace and to wrap
the exception and rethrow it as RuntimeException for troubleshooting.

- - - - -
180d42e9 by Endi S. Dewata at 2020-07-15T10:18:32-05:00
Fixed ACME authorization status

The ACMEChallengeProcessor.processChallenge() has been modified
to set the authorization status to invalid if the client fails
to fulfill the challenge.

- - - - -
db7b73a4 by Endi S. Dewata at 2020-07-15T10:18:32-05:00
Fixed ACME order status

The ACMEChallengeProcessor.processInvalidChallenge() has been
modified to set the order status to invalid if at least one of
the authorizations is invalid.

- - - - -
8feeea95 by Endi S. Dewata at 2020-07-15T10:49:40-05:00
Fixed LDAPDatabase.getAuthorizationByChallenge()

The LDAPDatabase.getAuthorizationByChallenge() has been
modified to return the complete authorization data such
that if the authorization is updated and saved into the
database it will not unintentionally lose data.

- - - - -
71fced30 by Endi S. Dewata at 2020-07-15T10:49:40-05:00
Removing incomplete ACME challenges

The code that finalizes ACME authorizations has been modified
to retain the completed challenge (either valid or invalid) and
remove the incomplete ones.

- - - - -
ce689dfa by Endi S. Dewata at 2020-07-15T11:40:14-05:00
Cleaned up log messages in MessageFormatInterceptor

- - - - -
d23240d0 by Endi S. Dewata at 2020-07-15T11:40:48-05:00
Fixed ACMEAuthorization.expirationTime handling

The code that uses ACMEAuthorization.expirationTime has been
modified to handle a possible null value.

- - - - -
8edae309 by Endi S. Dewata at 2020-07-15T11:40:48-05:00
Fixed ACMEOrder.expirationTime handling

The code that uses ACMEOrder.expirationTime has been modified
to handle a possible null value.

- - - - -
ec9b4485 by Endi S. Dewata at 2020-07-15T19:10:37-05:00
Updated ACME database configuration doc

- - - - -
885ba3f6 by Endi S. Dewata at 2020-07-16T12:30:35-05:00
Fixed ACME authorization expiration time

Previously the expirationTime field in ACMEAuthorization is
always set when the object is created. According to RFC 8555
the value is only required when the authorization is valid,
so the code has been updated accordingly.

- - - - -
2443d08a by Endi S. Dewata at 2020-07-16T12:30:35-05:00
Fixed ACME order expiration time

Previously the expirationTime field in ACMEOrder is always set
when the object is created. According to RFC 8555 the value is
only required when the order is valid or pending, so the code
has been updated accordingly.

- - - - -
91889f16 by Endi S. Dewata at 2020-07-16T12:30:35-05:00
Added ACMEDatabase.removeExpiredAuthorizations()

The ACMEDatabase.removeExpiredAuthorizations() has been added
to remove expired authorization records from ACME database.

- - - - -
eec64fc4 by Endi S. Dewata at 2020-07-16T12:30:35-05:00
Added ACMEDatabase.removeExpiredOrders()

The ACMEDatabase.removeExpiredOrders() has been added to remove
expired order records from ACME database.

- - - - -
b2215b72 by Endi S. Dewata at 2020-07-16T12:30:35-05:00
Updated ACME maintenance task

The ACME maintenance task has been updated to periodically remove
expired authorization and order records from ACME database.

- - - - -
87c0aef6 by Endi S. Dewata at 2020-07-16T17:26:23-05:00
Added silent mode for pki-server acme-database-mod

The pki-server acme-database-mod has been modified to provide
a silent mode for configuring ACME database.

- - - - -
8cee2f93 by Endi S. Dewata at 2020-07-16T17:26:23-05:00
Added silent mode for pki-server acme-issuer-mod

The pki-server acme-issuer-mod has been modified to provide a
silent mode for configuring ACME issuer.

- - - - -
95e338ca by Endi S. Dewata at 2020-07-16T17:26:23-05:00
Updated ACME database and issuer configuration docs

The ACME database and issuer configuration docs have
been modified to use the slient mode.

- - - - -
f1e86ff0 by Endi S. Dewata at 2020-07-20T10:28:50-05:00
Refactored ACMEEngine.loadMetadata()

The ACMEEngine.loadMetadata() has been renamed into
initMetadata().

- - - - -
7eb2fc48 by Endi S. Dewata at 2020-07-20T10:29:38-05:00
Refactored ACMEEngine.loadDatabaseConfig()

The ACMEEngine.loadDatabaseConfig() has been merged into
initDatabase().

- - - - -
6772ba8e by Endi S. Dewata at 2020-07-20T10:30:22-05:00
Refactored ACMEEngine.loadValidatorsConfig()

The ACMEEngine.loadValidatorsConfig() has been merged into
initValidators().

- - - - -
0c1916ea by Endi S. Dewata at 2020-07-20T10:30:45-05:00
Refactored ACMEEngine.loadIssuerConfig()

The ACMEEngine.loadIssuerConfig() has been merged into
initIssuer().

- - - - -
3bda0a4f by Endi S. Dewata at 2020-07-20T10:31:52-05:00
Refactored ACMEEngine.loadSchedulerConfig()

The ACMEEngine.loadSchedulerConfig() has been merged into
initScheduler().

- - - - -
87ab6e3c by Endi S. Dewata at 2020-07-20T10:38:23-05:00
Refactored ACMEEngine.loadEngineConfig()

The ACMEEngine.loadEngineConfig() has been converted into
initMonitors().

- - - - -
249fae10 by Alexander Scheel at 2020-07-20T13:45:59-04:00
Fix build with CMake out-of-source build change

Fedora 33 has introduced the following change proposal:

https://fedoraproject.org/wiki/Changes/CMake_to_do_out-of-source_builds

This makes CMake do out-of-source builds by default. However, Fedora has
opted to use the %{_vpath_builddir} macro as the location of the default
build directory, instead of the more standard (in the CMake community)
build/ directory. %{_vpath_builddir} expands to %{_target_platform},
giving a per-architecture build directory.

Replace build/ references with %{_vpath_builddir} in the RPM spec. In
the future, we could move %{__make} to %cmake_build instead.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
11024cd3 by Endi S. Dewata at 2020-07-20T13:42:55-05:00
Fixed pki-server acme-metadata/database/issuer-mod commands

The pki-server acme-metadata/database/issuer-mod commands have
been modified to use PKIServer.store_properties() instead of
pki.util.store_properties() to ensure the file permission is
set correctly.

- - - - -
a3ef1aa8 by Endi S. Dewata at 2020-07-20T13:42:55-05:00
Added default ACME metadata.conf

The ACMEEngine and pki-server acme-metadata commands have
been modified to use the shared metadata.conf by default.

- - - - -
bc899bec by Endi S. Dewata at 2020-07-20T14:36:59-05:00
Added runtime dependency on systemd

The pki-server package has been modified to explicitly require
systemd as runtime dependency since systemd is no longer part
of Fedora container image:
https://docs.fedoraproject.org/en-US/minimization/

- - - - -
9ddb3832 by Alexander Scheel at 2020-07-20T15:45:07-04:00
Support JDK8 and JDK11 RPM builds

Fedora 33 is moving to Java 11 as the default JDK version:

https://fedoraproject.org/wiki/Changes/Java11

This will make JDK11 the default JDK in this release of Fedora.

We need to support a generic JAVA_HOME based on OpenJDK, so move to
/usr/lib/jvm/jre-openjdk as the JRE_HOME path. This is always provided,
regardless of whether or not the JDK or JRE is installed. Additionally,
we set the minimum Java version based on what is available on the
system.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
1bc74857 by Endi S. Dewata at 2020-07-20T19:20:24-05:00
Fixed JAVA_OPTS parsing in PKISubsystem.run()

The PKISubsystem.run() parses JAVA_OPTS into a list of strings
and uses it as Java arguments. In some cases the list might
contain empty strings which can cause problems. The code has
been modified to remove empty strings from the list.

- - - - -
3de067cf by Endi S. Dewata at 2020-07-21T09:01:38-05:00
Simplified ACME LDAP database parameters

The LDAPDatabase parameters have been simplified:
- basedn -> baseDN
- internaldb.ldapconn.host,port,secureConn -> url
- internaldb.ldapauth.authtype -> authType
- internaldb.ldapauth.bindDN -> bindDN
- internaldb.ldapauth.clientCertNickname -> nickname
- password.internaldb -> bindPassword

The old basedn parameter will continue to work but it has
been deprecated.

The internaldb.ldapauth.bindPWPrompt is no longer used so
it has been removed.

- - - - -
ec612dbd by Coty Sutherland at 2020-07-21T16:51:42-04:00
Fix HTTP Request formatting in AdminConnection

AdminConnection's processRequest method creates a hand-rolled HTTP
request to the remote server. This is used by PKI Console when
authenticated as an administrator. Because of the recent CVE fix in
Tomcat (CVE-2020-1935), Tomcat will no longer accept \n (Line Feed)
terminated requests and headers, and instead reject them as a bad
request. We fix this by adding the missing and required CR, per HTTP
specification.

This fixes the following exception in PKIConsole:

    java.io.IOException: 400
        at com.netscape.admin.certsrv.connection.JSSConnection.readHeader(JSSConnection.java:537)
        at com.netscape.admin.certsrv.connection.JSSConnection.initReadResponse(JSSConnection.java:497)
        at com.netscape.admin.certsrv.connection.JSSConnection.sendRequest(JSSConnection.java:411)
        at com.netscape.admin.certsrv.connection.AdminConnection.processRequest(AdminConnection.java:788)
        at com.netscape.admin.certsrv.connection.AdminConnection.sendRequest(AdminConnection.java:681)
        at com.netscape.admin.certsrv.connection.AdminConnection.sendRequest(AdminConnection.java:646)
        at com.netscape.admin.certsrv.connection.AdminConnection.authType(AdminConnection.java:379)
        at com.netscape.admin.certsrv.CMSServerInfo.getAuthType(CMSServerInfo.java:128)

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
0c41ac72 by Alexander Scheel at 2020-07-21T16:52:53-04:00
Support exporting CA certificate from HSM installs

When installing an installation with subsystem SSL certificate residing
on the HSM, export will fail because the NSS DB isn't opened with the
specified HSM token. When the subsystem SSL certificate resides on the
HSM, when we go to export the CA certificate, we must explicitly specify
this token.

Otherwise, subsystem startup will fail with an error like:

    systemd[1]: Starting PKI Tomcat Server topology-02-CA...
    pki-server[72759]: Enter password for NHSM6000-OCS
    pki-server[72759]: ERROR: Certificate not found: NHSM6000-OCS:Server-Cert cert-topology-02-CA
    pki-server[72759]: ERROR: Command: pki -d /etc/pki/topology-02-CA/alias -C /tmp/tmpptxlpn4k/password.txt pkcs12-export --pkcs12 /tmp/tmp1idfd1am/sslserver.p12 --password-file /tmp/tmpc5y2bhjo/password.txt --no-key NHSM6000-OCS:Server-Cert cert-topology-02-CA
    systemd[1]: pki-tomcatd at topology-02-CA.service: Control process exited, code=exited status=255
    systemd[1]: pki-tomcatd at topology-02-CA.service: Failed with result 'exit-code'.

This is related to the earlier PR enforcing certificate verification
in PKIConnection, pr-#443.

Resolves: rh-bz#1857933

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
382de723 by Dinesh Prasanth M K at 2020-07-22T13:24:25-04:00
Fix pylint issue in healthcheck

This patch fixes the pylint issue caught in our CI. This
is a regression of change introduced in freeipa-healthcheck:

https://github.com/freeipa/freeipa-healthcheck/commit/d247c6158169a4ff97cd35ac57fec4e355617c52#diff-3aa64e1b97b8e0bf584a86cbe79986c4

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
75fed9db by Dinesh Prasanth M K at 2020-07-22T13:48:47-04:00
Print the SD name when executing pki-server status

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
08370498 by Dinesh Prasanth M K at 2020-07-22T13:48:47-04:00
Fix pki-server status CLI to accept nuxwdog enabled service

This patch fixes pki-server to pick up the right systemd unit file
name if the nuxwdog is enabled on the PKI server.

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
951bad9d by Endi S. Dewata at 2020-07-22T14:53:53-05:00
Added ACMEEngineConfig

The ACMEEngineConfig has been added to encapsulate ACME engine
configuration such as the enabled flag.

- - - - -
2a8e25fb by Endi S. Dewata at 2020-07-22T14:53:53-05:00
Refactored ACMEPolicy

The ACMEPolicy has been moved into org.dogtagpki.acme.server.
The enableWildcardIssuance field has been moved into a new
ACMEPolicyConfig class. The wildcard property in engine.conf
has been renamed into policy.wildcard.

- - - - -
5cc193e6 by Endi S. Dewata at 2020-07-22T14:53:53-05:00
Removed hard-coded ACME validity policies

The ACMEValidityConfig has been added to encapsulate the
validity configuration of ACME objects including nonces,
authorizations, and orders.

The hard-coded validity policies for ACME nonces, valid
authorizations, pending and valid orders have been
replaced with configurable properties in engine.conf.

- - - - -
a93a65be by Alexander Scheel at 2020-07-22T17:02:50-04:00
Re-fix sanitization in CMSTemplate

When fixing CVE-2019-10179 originally in
8884b4344225bd6656876d9e2a58b3268e9a899b,
I had switched to Apache Commons Lang2's
sanitization framework. However, I didn't
enable the HTML sanitization necessary to
fix this CVE.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
db703d1d by Endi S. Dewata at 2020-07-22T18:44:10-05:00
Added sample ACME database URLs

- - - - -
6e108331 by Endi S. Dewata at 2020-07-22T19:48:35-05:00
Fixed ACME scheduler

The ACMEScheduler has been modified to no longer throw a
RuntimeException if a task execution fails such that the
task will be executed again in the next scheduled time.

- - - - -
eb213bd0 by Endi S. Dewata at 2020-07-23T12:58:06-05:00
Add sample PKI issuer URL and profile

- - - - -
8c41352a by Endi S. Dewata at 2020-07-23T12:58:16-05:00
Updated ACME install doc

- - - - -
6f18a954 by Endi S. Dewata at 2020-07-23T12:58:16-05:00
Fixed InMemoryDatabase.getOrdersByAuthorizationAndStatus()

The InMemoryDatabase.getOrdersByAuthorizationAndStatus() has
been modified to use String.equals() to compare order status.

- - - - -
40bd67c3 by Endi S. Dewata at 2020-07-23T12:58:16-05:00
Updated pki-server acme-database/issuer-mod

The pki-server acme-database/issuer-mod commands have been
modified to load the database.conf/issuer.conf template if
the database/issuer type was changed.

- - - - -
f2641150 by Endi S. Dewata at 2020-07-23T20:35:53-05:00
Fixed PKIServerFactory.create()

The PKIServerFactory.create() has been modified to check
whether the /etc/sysconfig/<instance> file exists before
trying to open it.

- - - - -
28e19202 by Endi S. Dewata at 2020-07-23T20:44:00-05:00
Reorganized PKI server install docs

- - - - -
41b0226a by Endi S. Dewata at 2020-07-27T17:12:24-05:00
Updated log messages in PostgreSQLDatabase

- - - - -
46a66d65 by Endi S. Dewata at 2020-07-27T17:12:33-05:00
Reorganized ACME deployment on OpenShift doc

- - - - -
7e5db5d6 by Timo Aaltonen at 2020-07-28T17:56:02+03:00
Merge branch 'upstream-next' into master-next

- - - - -
17eeac2b by Timo Aaltonen at 2020-07-28T17:57:29+03:00
bump the version

- - - - -
d67babb5 by Timo Aaltonen at 2020-07-28T20:48:09+03:00
server.install: Updated.

- - - - -
bf225105 by Alexander Scheel at 2020-07-28T14:52:20-04:00
Add TPS auditor

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
9da92ed3 by Alexander Scheel at 2020-07-28T14:54:12-04:00
Move PrettyPrint{Cert,Crl} to PKI_LIB classpath

JDK since v1.6 supports passing a directory with a glob (*) after it to
include all JARs in that given directory on the classpath. That is the
mechanism used by pki_java_command_wrapper.in which we should reuse for
the two CLIs which don't use that wrapper.

Resolves: rh-bz#1854043

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
6ad317cc by Timo Aaltonen at 2020-07-28T22:03:08+03:00
fix-upgrade-script.diff: Fix hardcoding /etc/sysconfig on an upgrade script.

- - - - -
fd522210 by Dinesh Prasanth M K at 2020-07-29T15:31:10-04:00
CI: Collect journalctl logs always during IPA tests

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
c8c55f98 by Endi S. Dewata at 2020-07-29T16:45:07-05:00
Added openshift-acme deployment doc

A new doc has been added for deploying openshift-acme with
PKI ACME responder as the certificate issuer.

- - - - -
a0a06387 by Endi S. Dewata at 2020-07-29T17:45:10-05:00
Fixed CAInfoService.getKRAInfoClient()

The CAInfoService.getKRAInfoClient() and
CAService.getConnector() have been modified to use the
client certificate specified in the CA's KRA connector to
access KRA. If the client certificate is missing, it will
use the subsystem certificate instead.

The CAInfoService has also been modified to propagate
any exception during the above operation to the caller.

https://bugzilla.redhat.com/show_bug.cgi?id=1861911

- - - - -
03801285 by Endi S. Dewata at 2020-07-29T22:18:44-05:00
Reorganized ACME user doc

- - - - -
7b184486 by 06shalini at 2020-07-30T20:59:57+05:30
Changes done to run the upstream pytest-ansible tests on Fedora32 and with latest packages (#393)

* Changes done to run the upstream pytest-ansible tests on Fedora32 and with latest packages

- Changes includes:
- Change in .gitlab_ci.yml to spawn instance by using latest osp_provision.py
   [with PSI resource issues].
- Change in .gitlab_ci.yml to use Fedora 32 image.
- Addition of post_provision.yml to get latest repo.

Signed-off-by: Shalini Khandelwal <skhandel at redhat.com>

* Code cleanup of osp_provision.py

Signed-off-by: Shalini Khandelwal <skhandel at redhat.com>

Co-authored-by: Shalini Khandelwal <skhandel at redhat.com>
- - - - -
23ae8b29 by Endi S. Dewata at 2020-07-30T10:58:42-05:00
Refactored ACMEPolicyConfig

The retention policies in ACMEPolicyConfig have been moved
into ACMERetentionConfig. The configuration properties have
been renamed into policy.retention.<name>.<param>. The
ACMEValidityConfig has been renamed into ACMERetention.

- - - - -
64b37227 by Endi S. Dewata at 2020-07-30T10:58:42-05:00
Added retention policies for ACME authorizations

The ACME responder has been modified to support retention
policies for pending and invalid authorizations.

- - - - -
769069bb by Endi S. Dewata at 2020-07-30T10:58:42-05:00
Added retention policies for ACME orders

The ACME responder has been modified to support retention
policies for invalid, ready, and processing orders.

- - - - -
64a83f58 by Endi S. Dewata at 2020-07-30T10:58:42-05:00
Added ACMEDatabase.removeExpiredCertificates()

The ACMEDatabase.removeExpiredCertificates() has been added
to remove expired certificates from ACME database.

- - - - -
0c1cac72 by Endi S. Dewata at 2020-07-30T10:58:42-05:00
Added ACMECertificate

The ACMECertificate has been added to encapsulate certificate
records in ACME database.

- - - - -
d3957e6c by Endi S. Dewata at 2020-07-30T10:58:42-05:00
Added retention policy for ACME certificates

The ACME responder has been modified to support retention policy
for certificate records in ACME database.

- - - - -
4bbb201c by Stanislav Levin at 2020-07-30T10:59:56-05:00
Add missing required targets for pki-acme-classes target

Parallel build fails because of the races caused by the missing
(not yet built) jars.

Fixes: https://pagure.io/dogtagpki/issue/3196
Signed-off-by: Stanislav Levin <slev at altlinux.org>

- - - - -
0cff9cd5 by Stanislav Levin at 2020-07-30T13:08:14-05:00
Fix instance nssdb directory ownership

There was a typo in code which sets the ownership
of NSSdb directory and its content. This results
in the group with the same gid as pkiuser uid
can control this directory.

Fixes: https://pagure.io/dogtagpki/issue/3195
Signed-off-by: Stanislav Levin <slev at altlinux.org>

- - - - -
1adc8225 by Timo Aaltonen at 2020-07-30T21:28:18+03:00
WIP add xml-apis

- - - - -
34807cb7 by Endi S. Dewata at 2020-07-30T16:33:20-05:00
Refactored PKI_DEPLOYMENT_DEFAULT_SYMLINK_PERMISSIONS

The PKI_DEPLOYMENT_DEFAULT_SYMLINK_PERMISSIONS has been
replaced with pki.server.DEFAULT_LINK_MODE.

- - - - -
0aeacb09 by Endi S. Dewata at 2020-07-30T16:33:20-05:00
Updated log messages in PKIInstance

- - - - -
268c08ea by Endi S. Dewata at 2020-07-30T16:33:20-05:00
Reorganized ACME Podman doc

- - - - -
a287c3a0 by Endi S. Dewata at 2020-07-30T16:33:20-05:00
Reorganized ACME install doc

- - - - -
e4c35cbc by Endi S. Dewata at 2020-07-30T16:33:20-05:00
Updated links to ACME config doc

- - - - -
fc95262d by Endi S. Dewata at 2020-07-30T16:33:20-05:00
Restored ACME tech preview notification

- - - - -
bedf1adc by Endi S. Dewata at 2020-07-30T22:06:05-05:00
Renamed value field in ACMENonce

The value field in ACMENonce has been renamed to id
for consistency.

- - - - -
183558fa by Endi S. Dewata at 2020-07-30T22:11:52-05:00
Renamed nonce value variables in ACMEDatabase

The nonce value variables in ACMEDatabase have been renamed
to nonceID for consistency.

- - - - -
63368b0f by Endi S. Dewata at 2020-07-30T22:11:57-05:00
Renamed nonce value column/attribute in ACME database

The nonce value column/attribute in ACME database
has been renamed to id for consistency.

- - - - -
a1235c3e by jmagne at 2020-07-31T10:20:48-07:00
Address Bug 1462291 - CRL autoupdate from CS.cfg (#503)

This fix allows the admin to request that a change to this crl CS.cfg setting:

ca.crl.MasterCRL.autoUpdateInterval=xxx

This fix will allow the system to attempt to use the new value of auto update
immediately. The previous longstanding behavior was to have the new interval take affect,
AFTER the currently scheduled nextUpdate time.

What this fix does is allow the use of a new CS.cfg parameter:

ca.crl.MasterCRL.autoUpdateInterval.effectiveAtStart=true

This parameter must be inserted before a restart to allow this behavior to take place at all.
Without the param everything should be working as normal.

After changing the CS.cfg value, the server must be restarted.

At this point the delay time for the next update will be calculated based on the new auto update interval.

Previously the code would simply ignore the new calculated value and take whatever is already encoded into the
"nextUpdate" field of the crl.

This fix allows the new value to be accepted. Here are some caveats on how this thing behaves:

1. If the autoUpdate interval is made smaller , this thing works as expected, having the next update take place
in roughly the amount of time in the new interval.

2. If making the interval smaller, makes the calculated next update in the past, the update will occur now and then the
nextUpdate will be calculated with the new schedule..

3. If the admin makes the autoUpdate interval larger, the behavior is a little different.
Due to the fact that the calculations made with the new interval, is based off of starting with the time stamp
for "yesterday" or the very first daily update from yesterday, the new nextUPdate time calculated may be less
than simply adding the the new interval to the last update.

This fix was coded by allowing the current very comnplicated algorithm to calculate the nextUpdate do it's thing
while at the end of the process, this code simply chooses what is calculated instead of what is already encoded within
the crl's nextUpdate field.

Therefore if the new param is never set, nothing changes. This param should be used with care.

If the agent goes to the display crl page, the new value can easily be viewed as well as the debug log.

4. After the operation takes place the flag inside the server will be cleared and this feature will no longer
be attempted while the server is running.

5. The admin must clear the schedulUpdated setting before the restart to assure normal operation after the next restart.

Co-authored-by: Jack Magne <jmagne at localhost.localdomain>
- - - - -
607407e2 by Christina Fu at 2020-07-31T11:40:54-07:00
Bug1805541 Doc for Certificate Transparency with embedded SCT

Created CertificateTransparency.adoc which provides documentation for
the Certificate Transparency feature for the RHCS Administrator's guide.

https://bugzilla.redhat.com/show_bug.cgi?id=1805541

- - - - -
7b6b6aa8 by Christina Fu at 2020-07-31T16:39:21-07:00
CertificateTransparency.adoc default mode is "disabled" instead of "enabled"

- - - - -
0932b0ea by jmagne at 2020-07-31T17:02:54-07:00
Resolve: Bug 1454922 - [RFE] Need Ability to set the CRL This Update to be a Future Date when Generating a CRL. (#504)

This fix allows the admin to request this feature only by using the command line sslget utility to make such a request.

The result will be haviing the "thisUpdate" field of the generated crl set to some arbitrary date in the future.
The nextUpdate field will be calculated as normal by calculating that as an offset to the future thisUpdate value requested.

There is also a new CS.cfg value designed to simply disallow the use of the feature whateover:

ca.crl.MasterCRL=forbidFutureThisUpdateValue=true (which is by default)  will ignore any attempts to use this feature.

This feature does not as of yet support the GUI and will ONLY be available when ussing sslget to request a CRL update on demand.

Also there is a parameter to sslget that will allow the user to erase or cancel the whole custom future thisUpdate and
return crl processing to normal. Examples to follow:

Example 1, request an updated CRL with a custom future thisUpdateValue:

sslget -n "PKI Administrator for localhost.localdomain" -e "crlIssuingPoint=MasterCRL&signatureAlgorithm&waitForUpdate=true&clearCRLCache=true&customFutureThisUpdateDateValue=2020:9:22:13:0:0"  -v -d . -p ""  -r /ca/agent/ca/updateCRL localhost.localdomain:8443

Note the param for this feature is customFutureThisUpdateDateValue=<date>
The date format is this: 2020:9:22:13:0:0

The linux date utility can be used to make a date in this format. It's simply
year,month,day, hour, min ,sec, with min and sec optional.
The month is based on 1, with Jan = 1.

Example 2: clear the whole future thisUpdate an get back to normal:

sslget -n "PKI Administrator for localhost.localdomain" -e "crlIssuingPoint=MasterCRL&signatureAlgorithm&waitForUpdate=true&clearCRLCache=true&cancelCurCustomFutureThisUpdateValue=true"  -v -d . -p ""  -r /ca/agent/ca/updateCRL localhost.localdomain:8443

This will erase the current custom future thisUpdate and calculate the nextUpdate based on the actual current time.

This fix was done without affecting the complex calculations made to calculate update frequency. This only allows one, if they desire, to set thisUpdate to some futuristic time.

If a future thisUpdate time is chosen as in Ex 1, the nextUpdate time will be chosen based on that future date.

The Agent GUI can be used to display the CRL will reflect the new thisUpdate and nextUpdate values.

Co-authored-by: Jack Magne <jmagne at localhost.localdomain>
- - - - -
55d8a652 by Endi S. Dewata at 2020-07-31T19:46:29-05:00
Fixed PostgreSQL ACME database time zone (part 1)

The PostgreSQLDatabase has been modified to store timestamps
in UTC time zone.

- - - - -
880a02d9 by Endi S. Dewata at 2020-07-31T19:46:29-05:00
Fixed PostgreSQL ACME database time zone (part 2)

The PostgreSQL ACME database has been modified to use
timestamps with time zone.

- - - - -
2a0a2fce by Endi S. Dewata at 2020-07-31T19:46:29-05:00
Fixed LDAP ACME database time zone

The LDAPDatabase ACME has been modified to store timestamps
in UTC time zone.

- - - - -
4cfd4cc1 by Endi S. Dewata at 2020-07-31T19:46:29-05:00
Cleaned up PostgreSQLDatabase

The PostgreSQLDatabase has been modified to call connect()
only in public methods implementing LDAPDatabase.

- - - - -
b047c132 by Endi S. Dewata at 2020-07-31T21:16:44-05:00
Updated version number to 10.9.0-1

- - - - -
c5db17c8 by Dinesh Prasanth M K at 2020-08-06T12:38:16-04:00
Fix Secure connection issue when server is down

When the PKI server is down, the server is temporarily
brought up using a temporary SSL server cert. This cert
needs to be trusted to enable secure connection.

This patch:

* allows passes instance's nssdb as the client nssdb to
  trust the SSL server created during cert-fix (offline
  cert renewal process).
* Gets the hostname using socket instead of from env
  variable

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
f4b72edb by Endi S. Dewata at 2020-08-06T11:55:45-05:00
Updated version number to 10.9.1

- - - - -
0522193e by Timo Aaltonen at 2020-08-13T13:35:38+03:00
Merge branch 'upstream-next' into master-next

- - - - -
fbf3dcc4 by Timo Aaltonen at 2020-08-13T13:38:10+03:00
bump the release

- - - - -
98bb5b17 by Timo Aaltonen at 2020-08-13T13:53:19+03:00
patches: Refreshed.

- - - - -
c0a8d666 by Timo Aaltonen at 2020-08-13T22:22:38+03:00
rules: Set PKI_JAVA_PATH.

- - - - -
78729468 by Timo Aaltonen at 2020-08-13T22:23:18+03:00
rules: Drop obsolete WITH_PYTHON options.

- - - - -
f8bb6c7a by Timo Aaltonen at 2020-08-13T23:44:59+03:00
revert-support-jdk8-jdk11-rpm-builds.diff: This commit breaks the java path.

- - - - -
f1d0bb60 by Timo Aaltonen at 2020-08-14T06:38:06+03:00
ci: Disable reprotest, it gets stuck and times out.

- - - - -
cc444158 by Timo Aaltonen at 2020-08-14T07:26:02+03:00
fold a patch in debian-support.diff

- - - - -
6c50cb77 by Timo Aaltonen at 2020-08-14T07:29:54+03:00
create-target-wants.diff: Add an entry to the log if this is triggered.

- - - - -
eb2173e8 by Timo Aaltonen at 2020-08-14T07:40:45+03:00
debian-support.diff: Fix more hardcodings of /etc/sysconfig.

- - - - -
3acf2a5e by Timo Aaltonen at 2020-08-14T08:51:29+03:00
Add a debianized service file for pki-tomcatd-nuxwdog.

- - - - -
33415f8b by Timo Aaltonen at 2020-08-14T09:41:31+03:00
releasing package dogtag-pki version 10.9.1-1

- - - - -


30 changed files:

- .classpath
- + .github/workflows/required-tests.yml
- − .travis.yml
- CMakeLists.txt
- base/CMakeLists.txt
- base/acme/CMakeLists.txt
- + base/acme/Dockerfile
- − base/acme/conf/backend.json
- − base/acme/conf/backend/pki/backend.json
- + base/acme/conf/configsources.conf
- + base/acme/conf/database.conf
- − base/acme/conf/database.json
- − base/acme/conf/database/in-memory/database.json
- − base/acme/conf/database/postgresql/database.json
- + base/acme/conf/engine.conf
- + base/acme/conf/issuer.conf
- + base/acme/conf/metadata.conf
- − base/acme/conf/metadata.json
- + base/acme/conf/scheduler.conf
- + base/acme/conf/validators.conf
- − base/acme/conf/validators.json
- + base/acme/database/in-memory/database.conf
- + base/acme/database/ldap/create.ldif
- + base/acme/database/ldap/database.conf
- + base/acme/database/ldap/schema.ldif
- base/acme/conf/database/postgresql/create.sql → base/acme/database/postgresql/create.sql
- + base/acme/database/postgresql/database.conf
- base/acme/conf/database/postgresql/drop.sql → base/acme/database/postgresql/drop.sql
- base/acme/conf/database/postgresql/statements.conf → base/acme/database/postgresql/statements.conf
- + base/acme/issuer/nss/ca_signing.conf


The diff was not included because it is too large.


View it on GitLab: https://salsa.debian.org/freeipa-team/dogtag-pki/-/compare/29e5d256beb7a5506f80624de4faac252773aede...33415f8b902d3d296d6bed332f1d8c64ff9a9bab

-- 
View it on GitLab: https://salsa.debian.org/freeipa-team/dogtag-pki/-/compare/29e5d256beb7a5506f80624de4faac252773aede...33415f8b902d3d296d6bed332f1d8c64ff9a9bab
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-freeipa-devel/attachments/20200814/d5ef339f/attachment-0001.html>


More information about the Pkg-freeipa-devel mailing list