[Pkg-freeipa-devel] [Git][freeipa-team/dogtag-pki][master-next] 64 commits: acme: log in CAClient when submitting certificate request

Timo Aaltonen gitlab at salsa.debian.org
Tue Jun 16 18:34:44 BST 2020



Timo Aaltonen pushed to branch master-next at FreeIPA packaging / dogtag-pki


Commits:
a589107d by Fraser Tweedale at 2020-05-28T08:15:17+10:00
acme: log in CAClient when submitting certificate request

It is possible to use a lower-privileged RA account to issue
certificates, if the target profile is set up to allow it.
Therefore log in the user before submitting the certificate request.

- - - - -
bd237455 by Fraser Tweedale at 2020-05-28T08:15:17+10:00
acme: PKIIssuer: handle immediate issuance

Depending on profile configuration and user privileges, the cert
could be immediately issued.  Furthermore the user may not have
agent permissions to review/approve a request, but a profile
configuration could allow immediate issuance for particular
users/groups.

Therefore we must detect when the certificate was immediately issued
and if so, skip the review/approve behaviour.

- - - - -
a88a0b07 by Timo Aaltonen at 2020-05-28T09:20:05+03:00
rules: Fix java version in pki.conf.

- - - - -
26c607eb by Dinesh Prasanth M K at 2020-05-28T20:01:41-04:00
Add OCSP connectivity healthcheck

This patch adds a new OCSP connectivity check. This check
tries to hit the API endpoint: /ocsp/admin/ocsp/getStatus

However, note that this only checks for whether the OCSP subsystem
is running and doesn't actually try to fetch any data from LDAP.

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
675c2ded by Dinesh Prasanth M K at 2020-05-28T20:01:41-04:00
Add new healthcheck for TKS connectivity

This patch checks if the TKS is up and running by trying to
hit the REST API endpoint: /tks/admin/tks/getStatus

Note that healthcheck does not perform any operation that
involves LDAP. It just checks if the subsystem is up and running

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
26a0be84 by Dinesh Prasanth M K at 2020-05-28T20:01:41-04:00
Add new healthcheck to test TPS connectivity

This patch adds a new healthcheck to test the connectivity
of TPS subsystem by trying to hit the endpoint: /tps/admin/tps/getStatus

Note that this healthcheck does not perform any operations involving
LDAP. It just checks if the TPS subsystem itself is up and running

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
ae8f5129 by Fraser Tweedale at 2020-05-29T14:00:18+10:00
acme: ACMEEngineConfigFileSource: restart file watching on error

Vi(m) file write on the watched file caused an exception due to bad
permissions.  I'm not sure if this is due to behaviour of vi(m), or
something more fundamental.  Whatever the reason, it was an ordinary
administrator action so we must gracefully handle the situation.

A naïve approach is simply to delay a moment before reading the
file.  A 1000ms sleep seems to do the trick.  For robustness, we
also restart file watching if an exception occurs, with exponential
backoff, and attempting to read the file again each time before
reconfiguring the watch service.

- - - - -
95435709 by Christina Fu at 2020-05-29T16:10:49-07:00
Bug 1805541 [RFE] CA Certificate Transparency with Embedded Signed Certificate Time stamp

This patch adds additional work to the prototype code checked in:
commit fca6d89dcd2b9e6592879c85a2f2278ed1a28e2f

It
  - added support for multiple CT log for createSCTextension
  - got one of the two verification methods working in verifySCT

https://bugzilla.redhat.com/show_bug.cgi?id=1805541

- - - - -
0b6ccf3c by jmagne at 2020-05-29T16:29:51-07:00
Address Bug 1710109 - add RSA PSS support. (#416)

Upstream portion of pki part of RSA-PSS signing algorithm support. (#356)

    This fix coincides with another ticket providing RSA PSS signature support for JSS,
    which is required for this to work.

    This is designed for simple usage. If one wants to say create a CA or KRA with RSA PSS signature
    support, simply place the following line in the pkispawn script file:

    pki_use_pss_rsa_signing_algorithm=True

    This will instruct the process to take whatever signing algorithms of the form
    SHAxxxwithRSA are specified and promote them to the corresponding
    PSS algorithm, such as SHA256withRSA/PSS.

    If one ONLY puts that value in the script file, all the algs, which have a default of
    SHA256withRSA will be promoted to SHA256withRSA/PSS.

    This fix also provides support, if desired, for SHA384 and SHA512 versions of PSS.
    In order to get this to work, the pkispawn config will have to explicitly enumerate
    each applicable signing algorithm, e.g.: pki_ca_signing_signing_algorithm=SHA384withRSA.
    Also the explicit alg of say SHA384withRSA/PSS can be used for each setting.

    Tested with a basic CA and KRA. Also tested with a non-PSS CA and a non-PSS CA with ECC so far.
    The goal is to not interfere with any existing functionality if PSS support is not desired.

Added fix to the CMCResponse tool.

The tool currently does not initialize the CryptoManager.
Doing so is necessary to register the JSS Provider which provides the
encoding / parsing support for the RSAPSS algorithm parameters.

Co-authored-by: Jack Magne <jmagne at test.host.com>

Co-authored-by: Jack Magne <jmagne at localhost.localdomain>
Co-authored-by: Jack Magne <jmagne at test.host.com>
- - - - -
333b9c4f by Dinesh Prasanth M K at 2020-06-01T13:04:48-04:00
Move pylint from buildtime to a separate CI job

This patch moves python code linting from RPM build
to a separate CI job.

Note that this new job runs on INSTALLED python files due to
lack of setuptools [1].

[1] https://pagure.io/dogtagpki/issue/3175

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
e84ffda9 by Dinesh Prasanth M K at 2020-06-01T13:04:48-04:00
Package lint script into pki-tests package

This patch adds the pki-lint script to pki-tests package.
This patch also improves the pki-lint script to accept
custom config files to execute pylint and flake8 linters.

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
d900dc21 by Christina Fu at 2020-06-01T18:04:04-07:00
Bug 1805541 added comments and error handling for [RFE] CA Certificate Transparency with Embedded Signed Certificate Time stamp

This patch mostly simply adds some comments and error handling for CT.
verifySCT signature size is hardcoded to SHA256withEC for now (will be
improved on later)

https://bugzilla.redhat.com/show_bug.cgi?id=1805541

- - - - -
7b2baf57 by Timo Aaltonen at 2020-06-02T10:18:03+03:00
Drop pki-server upgrade from postinst, and drop --validate option from the systemd service as it's gone.

- - - - -
82964212 by Fraser Tweedale at 2020-06-03T15:24:29+10:00
acme: handle file rename in ACMEEngineConfigFileSource

Renames are not handled as ENTRY_MODIFY but rather as a pair of
ENTRY_DELETE and ENTRY_CREATE events.  Update the file watching to
process ENTRY_CREATE events so the modify-by-rename scenario is
handled.

- - - - -
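Added example (not dogtag-pki's own code): a Java WatchService loop for a single config file that applies the two points from commits ae8f5129 and 82964212 above, treating ENTRY_CREATE like ENTRY_MODIFY so that an editor's write-by-rename is noticed, and restarting the watch with exponential backoff (rereading the file first) when an I/O error occurs. The class name, the settle delay and the backoff cap are assumptions, not taken from ACMEEngineConfigFileSource.

```java
import java.io.IOException;
import java.nio.file.*;
import static java.nio.file.StandardWatchEventKinds.*;

// Hypothetical watcher (added example, not dogtag-pki code).
public class ConfigFileWatcher {

    private final Path file;        // the watched config file (absolute)
    private final long maxBackoffMs;
    private long backoffMs = 1000;  // initial delay before restarting the watch

    public ConfigFileWatcher(Path file, long maxBackoffMs) {
        this.file = file.toAbsolutePath();
        this.maxBackoffMs = maxBackoffMs;
    }

    /** Called with the file content each time it has been (re)read successfully. */
    protected void onChange(String content) {
        System.out.println("config reloaded, " + content.length() + " bytes");
    }

    /** Runs forever; every failure restarts watching after a growing, capped delay. */
    public void run() throws InterruptedException {
        while (true) {
            try {
                // Read before reconfiguring the watch: the change that broke the
                // previous cycle may already be complete on disk.
                onChange(Files.readString(file));
                backoffMs = 1000;
                watchLoop();            // returns only by throwing
            } catch (IOException e) {
                System.err.println("watch failed: " + e + "; retrying in " + backoffMs + " ms");
                Thread.sleep(backoffMs);
                backoffMs = Math.min(backoffMs * 2, maxBackoffMs);
            }
        }
    }

    private void watchLoop() throws IOException, InterruptedException {
        Path dir = file.getParent();
        try (WatchService ws = dir.getFileSystem().newWatchService()) {
            // A rename onto the file arrives as ENTRY_DELETE + ENTRY_CREATE,
            // not ENTRY_MODIFY, so CREATE must be registered and handled too.
            dir.register(ws, ENTRY_CREATE, ENTRY_MODIFY);
            while (true) {
                WatchKey key = ws.take();
                for (WatchEvent<?> ev : key.pollEvents()) {
                    if (ev.kind() == OVERFLOW) continue;
                    Path changed = dir.resolve((Path) ev.context());
                    if (!changed.equals(file)) continue;   // some other file in the directory
                    Thread.sleep(1000);                    // let the writer finish / fix permissions
                    onChange(Files.readString(file));      // an IOException here restarts the watch
                    backoffMs = 1000;
                }
                if (!key.reset()) throw new IOException("watch key invalid for " + dir);
            }
        }
    }

    public static void main(String[] args) throws InterruptedException {
        new ConfigFileWatcher(Paths.get(args[0]), 60_000).run();
    }
}
```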
34c85d39 by Fraser Tweedale at 2020-06-04T14:47:22+10:00
spec: set Requires among pki RPMs to depend on same release

Currently the Requires depends only on pki-foo = %{version}.
This can result in problems where, e.g. a package that depends on
'pki-ca = 10.9.0-0.1.TIMESTAMP.DIGEST' ends up with Dogtag packages
from mismatched builds (same version, different %{release}).

Update the spec file to ensure that Dogtag RPMs that depend on other
Dogtag RPMs depend on the exact same build.

Note that prior to 4966ebf0759a0d9f5de54e9f731393a14ef4558f, all
intra-spec dependencies were pegged to the %{release}.  This was
removed because of problems caused by some packages being built in
different modules.  Removing /all/ such pegging was going a bit too
far.  So among packages we know will be built in the same module it
is OK to add the %{release} back into the Requires directives.

- - - - -
45d3c46c by Dinesh Prasanth M K at 2020-06-04T13:29:58-04:00
Rename registry names in setup.py to allow additional plugins

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
8a386dee by Dinesh Prasanth M K at 2020-06-04T13:29:58-04:00
Add healthcheck to check CA System Cert trust flag

This patch:
- adds a new healthcheck to check the Trust flag
  present in CA's nssdb
- Adds a reusable method to get trust flags of system
  certs from NSSDB or HSM

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
8d108d98 by Dinesh Prasanth M K at 2020-06-04T13:29:58-04:00
Add healthcheck to check KRA's system cert trust flags

This patch adds a new healthcheck to test the System Cert
trust flag of all KRA's system certificates.

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
8093b4d2 by Endi S. Dewata at 2020-06-04T13:55:46-05:00
Fixed NPE in PostgreSQLDatabase.close()

- - - - -
794f85ab by Endi S. Dewata at 2020-06-04T13:55:46-05:00
Added ACMEIssuerConfig.getParameterNames(parent)

The ACMEIssuerConfig.getParameterNames(parent) has been
added to return the relative names of the parameters under
the specified parent parameter.

- - - - -
df2548ef by Endi S. Dewata at 2020-06-04T13:55:46-05:00
Reorganized ACME docs

The doc that describes ACME issuer configuration has been
moved into Configuring_ACME_Issuer.md.

- - - - -
5220c401 by Dinesh Prasanth M K at 2020-06-04T16:16:12-04:00
Add new healthcheck for OCSP system cert trust flag

This patch adds an OCSP healthcheck to test whether the trust flags
of its system certs match the expected value.

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
3e339461 by Dinesh Prasanth M K at 2020-06-04T16:16:12-04:00
Add new healthcheck for TKS system cert trust flags

This patch adds a new healthcheck to check the trust
flag of TKS's System certs with known good value

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
6f3c5a7a by Dinesh Prasanth M K at 2020-06-04T16:16:12-04:00
Add new healthcheck to test TPS system cert trust flag

This patch adds a new healthcheck to compare the trust flags
of TPS's system certs with known trust flags.

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
649a8a38 by Dinesh Prasanth M K at 2020-06-04T16:16:12-04:00
Change log level for unconfigured subsystems

PKI healthcheck reports results to IPA healthcheck automatically.
As a result, RHCS specific tests (like OCSPSystemCertTrustFlagCheck)
report a SUCCESS. This can be quite misleading to the users.

This patch adds INFO data to inform users that the subsystem is
unconfigured, when using --verbose

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
84b9b2b5 by Dinesh Prasanth M K at 2020-06-04T17:21:59-04:00
Include trust flag info in pki-server cert-* operation

This patch includes trust flags when running cert-show or cert-find
in its output, to provide more information to the user

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
54d32449 by Endi S. Dewata at 2020-06-04T23:11:11-05:00
Removed unused PKI_WEB_SERVER_TYPE

The PKI_WEB_SERVER_TYPE was hardcoded so the variable has
been removed.

- - - - -
d217e77f by Endi S. Dewata at 2020-06-04T23:11:11-05:00
Removed unused TOTAL_UNCONFIGURED_PKI_ENTRIES

The TOTAL_UNCONFIGURED_PKI_ENTRIES is no longer needed since
pkispawn will always complete the instance configuration.

- - - - -
74eb6de2 by Endi S. Dewata at 2020-06-04T23:11:11-05:00
Mandatory instance name for pkidaemon

The pkidaemon has been modified such that the instance name
must be specified.

- - - - -
acd29cb9 by Endi S. Dewata at 2020-06-04T23:11:11-05:00
Removed unused TOTAL_PKI_REGISTRY_ENTRIES

Since the instance name must be specified when calling
pkidaemon, the TOTAL_PKI_REGISTRY_ENTRIES will always be 1
so the variable is no longer needed.

- - - - -
8b2d3c25 by Endi S. Dewata at 2020-06-04T23:11:11-05:00
Removed unused PKI_REGISTRY_ENTRIES

Since the instance name must be specified when calling
pkidaemon, the PKI_REGISTRY_ENTRIES will only contain 1
entry, so it has been replaced with PKI_REGISTRY_ENTRY.

- - - - -
f7c103dc by Endi S. Dewata at 2020-06-04T23:11:11-05:00
Removed unused PKI_TYPE

The PKI_TYPE was hardcoded so the variable has been removed.

- - - - -
2945f571 by Endi S. Dewata at 2020-06-04T23:11:11-05:00
Removed unused Instance.tomcat_instances()

The Instance.tomcat_instances() was not used so it has
been removed.

- - - - -
226cf16e by Endi S. Dewata at 2020-06-05T22:01:52-05:00
Added user/group option for pki-server create

The pki-server create command has been modified to provide
options to specify the user and group for PKI server.

- - - - -
122d2e04 by Endi S. Dewata at 2020-06-05T22:19:09-05:00
Refactored NSSDatabase.directory

The NSSDatabase.directory has been replaced with a path.

- - - - -
0a60992c by Endi S. Dewata at 2020-06-05T22:20:29-05:00
Added NSSDatabase.passwordStore

The NSSDatabase.passwordStore has been added to store
the NSS database passwords.

- - - - -
a829d72a by Endi S. Dewata at 2020-06-05T22:20:29-05:00
Refactored ACMEEngine.validateCSR()

The ACMEEngine.validateCSR() has been modified to take a
PKCS #10 object.

- - - - -
3fb78aa3 by Endi S. Dewata at 2020-06-05T22:20:29-05:00
Refactored ACMEIssuer.issueCertificate()

The ACMEIssuer.issueCertificate() has been modified to
take a PKCS #10 object.

- - - - -
bc6254a3 by Endi S. Dewata at 2020-06-05T22:20:29-05:00
Refactored ACMEIssuer.revokeCert()

The ACMEIssuer.revokeCert() has been renamed to
revokeCertificate().

- - - - -
e9721b9c by Endi S. Dewata at 2020-06-08T17:37:14-05:00
Moved CertUtil.createRemoteCert()

The CertUtil.createRemoteCert() has been moved into CertUtils.

- - - - -
278e4568 by Endi S. Dewata at 2020-06-08T17:37:14-05:00
Moved CertUtil.buildSANSSLserverURLExtension()

The CertUtil.buildSANSSLserverURLExtension() has been moved
into CertUtils.

- - - - -
b890b0ae by Endi S. Dewata at 2020-06-08T17:37:14-05:00
Moved CertUtil.createLocalRequest()

The CertUtil.createLocalRequest() has been moved into
CertUtils.

- - - - -
0b3116a1 by Endi S. Dewata at 2020-06-08T17:37:14-05:00
Moved CertUtil.updateLocalRequest()

The CertUtil.updateLocalRequest() has been moved into
CertUtils.

- - - - -
5fafadce by Endi S. Dewata at 2020-06-08T17:37:14-05:00
Moved CertUtil.getAdminProfileAlgorithm()

The CertUtil.getAdminProfileAlgorithm() has been moved into
CertUtils.

- - - - -
a2506418 by Endi S. Dewata at 2020-06-08T17:37:14-05:00
Moved CertUtil.createCertInfo()

The CertUtil.createCertInfo() has been moved into CertUtils.

- - - - -
1ca6075b by Endi S. Dewata at 2020-06-08T17:37:14-05:00
Moved CertUtil.createCertRecord()

The CertUtil.createCertRecord() has been moved into
CertUtils.

- - - - -
dad09cb5 by Endi S. Dewata at 2020-06-08T17:37:14-05:00
Moved CertUtil.createLocalCert()

The CertUtil.createLocalCert() has been moved into CertUtils.

- - - - -
c311ab56 by Endi S. Dewata at 2020-06-08T18:28:22-05:00
Moved CertUtil

The CertUtil has been moved into pki-util.

- - - - -
d81097f4 by Endi S. Dewata at 2020-06-08T18:29:00-05:00
Refactored CertUtils.normalizeCertReq()

The CertUtils.normalizeCertReq() has been moved and converted
into CertUtil.parseCSR() which returns the CSR binaries.

- - - - -
30f8447b by Endi S. Dewata at 2020-06-09T12:47:47-05:00
Refactored CertUtils.getEncodedCert() (part 1)

The CertUtils.getEncodedCert() has been modified to throw
a generic Exception.

- - - - -
7a6b6822 by Endi S. Dewata at 2020-06-09T14:30:30-05:00
Refactored CertUtils.getEncodedCert() (part 2)

The CertUtils.getEncodedCert() has been moved and renamed
into CertUtil.toPEM().

- - - - -
ce67604c by Endi S. Dewata at 2020-06-09T14:30:41-05:00
Cleaned up NSSKeyCLI

- - - - -
ea3d5ef3 by Fraser Tweedale at 2020-06-10T06:44:18+10:00
CT: handle missing config

If Certificate Transparency config is not defined in CS.cfg, all
certificate issuance fails.  This situation can arise in upgrade
scenarios.

Tolerate the absence of the certTransparency.enable CS.cfg
directive, defaulting to false.

- - - - -
b3514113 by jmagne at 2020-06-09T15:06:21-07:00
Address CVE-2020-1721. (#434)

Co-authored-by: Jack Magne <jmagne at localhost.localdomain>
- - - - -
76820004 by Alexander Scheel at 2020-06-09T18:47:15-04:00
Introduce pki_ajp_secret configuration parameter

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
1bd84062 by Alexander Scheel at 2020-06-09T18:47:15-04:00
Add migration logic for 8.5 -> 9.0.31

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
e2ee6e1e by Alexander Scheel at 2020-06-09T18:47:15-04:00
Make pki_ajp_secret a random password by default

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
737fc097 by Alexander Scheel at 2020-06-09T18:47:15-04:00
Always gather journalctl logs, instance config

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
741c7982 by Alexander Scheel at 2020-06-09T19:33:54-04:00
Remove Tomcat 7.0, Tomcat 8.0 specific configs

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
f7cd25bc by Endi S. Dewata at 2020-06-10T11:47:50-05:00
Updated version number to 10.9.0-0.2 (alpha 2)

- - - - -
70c8d130 by Timo Aaltonen at 2020-06-15T19:02:22+03:00
Merge branch 'upstream-next' into master-next

- - - - -
7e965bbe by Timo Aaltonen at 2020-06-15T19:02:52+03:00
bump the version

- - - - -
0ca3548c by Timo Aaltonen at 2020-06-16T15:50:28+03:00
patches: Refreshed.

- - - - -
3836dc33 by Timo Aaltonen at 2020-06-16T20:34:14+03:00
releasing package dogtag-pki version 10.9.0~a2-1

- - - - -


30 changed files:

- .github/workflows/required-tests.yml
- CMakeLists.txt
- base/acme/src/main/java/org/dogtagpki/acme/database/PostgreSQLDatabase.java
- base/acme/src/main/java/org/dogtagpki/acme/issuer/ACMEIssuer.java
- base/acme/src/main/java/org/dogtagpki/acme/issuer/ACMEIssuerConfig.java
- base/acme/src/main/java/org/dogtagpki/acme/issuer/PKIIssuer.java
- base/acme/src/main/java/org/dogtagpki/acme/server/ACMEEngine.java
- base/acme/src/main/java/org/dogtagpki/acme/server/ACMEEngineConfigFileSource.java
- base/acme/src/main/java/org/dogtagpki/acme/server/ACMEFinalizeOrderService.java
- base/acme/src/main/java/org/dogtagpki/acme/server/ACMERevokeCertificateService.java
- base/ca/shared/profiles/ca/AdminCert.cfg
- base/ca/shared/profiles/ca/ECAdminCert.cfg
- base/ca/shared/profiles/ca/caAdminCert.cfg
- base/ca/shared/profiles/ca/caAgentFileSigning.cfg
- base/ca/shared/profiles/ca/caAgentServerCert.cfg
- base/ca/shared/profiles/ca/caCACert.cfg
- base/ca/shared/profiles/ca/caCMCECUserCert.cfg
- base/ca/shared/profiles/ca/caCMCECserverCert.cfg
- base/ca/shared/profiles/ca/caCMCECsubsystemCert.cfg
- base/ca/shared/profiles/ca/caCMCUserCert.cfg
- base/ca/shared/profiles/ca/caCMCauditSigningCert.cfg
- base/ca/shared/profiles/ca/caCMCcaCert.cfg
- base/ca/shared/profiles/ca/caCMCkraStorageCert.cfg
- base/ca/shared/profiles/ca/caCMCkraTransportCert.cfg
- base/ca/shared/profiles/ca/caCMCocspCert.cfg
- base/ca/shared/profiles/ca/caCMCserverCert.cfg
- base/ca/shared/profiles/ca/caCMCsubsystemCert.cfg
- base/ca/shared/profiles/ca/caCrossSignedCACert.cfg
- base/ca/shared/profiles/ca/caDirBasedDualCert.cfg
- base/ca/shared/profiles/ca/caDirPinUserCert.cfg


The diff was not included because it is too large.


View it on GitLab: https://salsa.debian.org/freeipa-team/dogtag-pki/-/compare/7ee687a81af60bf1c79343a3ab62074c3c51cced...3836dc33161b9399df47c387b4d90d760399013d
