[Pkg-freeipa-devel] [Git][freeipa-team/dogtag-pki][upstream-next] 510 commits: ACMEEngine: check (!= null) when shutting down
Timo Aaltonen
gitlab at salsa.debian.org
Tue Jun 16 18:35:10 BST 2020
Timo Aaltonen pushed to branch upstream-next at FreeIPA packaging / dogtag-pki
Commits:
9fd7a1b8 by Fraser Tweedale at 2020-02-19T23:18:58+10:00
ACMEEngine: check (!= null) when shutting down
After ACME engine startup failure, the shutdown methods are invoked.
But due to the errors, the backend and/or database may not have been
initialised, and a NullPointerException occurs. This adds extra
backtrace noise the log/journal. Add a (!= null) check to avoid
this.
- - - - -
bf0fc39a by Alexander Scheel at 2020-02-19T12:21:29-06:00
Remove sslget -V option
Since we haven't used SVN in a while, $Revision$ and $Date$
no longer update. Remove the -V option instead of passing in
a valid version number.
Signed-off-by: Alexander Scheel <ascheel at redhat.com>
- - - - -
f19554e1 by Dinesh Prasanth M K at 2020-02-21T13:27:46-05:00
JSON Parser (part) for Certificate Transparency (#326)
This patch adds a JSON parser skeleton that is suitable
for Certificate Transparency prototype.
This patch includes:
- CTParser: which generates JSON as per CT standard
- CTResponse: which acts as a mapper class to map JSON response
from CT log server
Partly Resolves: BZ1805541 - (part) CT JSON Parser prototype
Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>
- - - - -
bb9f405e by Dinesh Prasanth M K at 2020-02-24T11:36:07-05:00
Re-enable pytest-runner in spec file
Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>
- - - - -
6955d2cf by Endi S. Dewata at 2020-02-24T13:25:02-06:00
Updated version number to 10.9.0-a1
- - - - -
12229ac4 by Endi S. Dewata at 2020-02-24T13:25:47-06:00
Reorganized .classpath
The source folders in .classpath have been reorganized
according to the dependencies.
- - - - -
feae2415 by Alexander Scheel at 2020-02-24T17:10:12-05:00
Remove MD4 and MD5 from default configuration
We remove MD4- and MD5-based algorithms in favor of more modern SHA-2
suite algorithms. We replace them in:
- In the default CS.cfg
- In the default caTransportCert.cfg
- In the ca agent updateCRL html and template,
- In EnrollProfile
Signed-off-by: Alexander Scheel <ascheel at redhat.com>
- - - - -
55148664 by Stephen Coady at 2020-02-24T17:10:28-05:00
Remove bashisms
Signed-off-by: Stephen Coady <scoady at redhat.com>
- - - - -
fca6d89d by Christina Fu at 2020-02-24T16:02:15-08:00
Bug1805541 -CT cert issuance prototype (part) of [RFE] CA Certificate Transparency with Embedded Signed Certificate Time stamp.
This contains my CT prototype code for issuing CT certs with Embedded Signed Certificate Time stamp;
It currently only handles one CT log (googletube);
Example profiles are caServerCertWithSCT.cfg and caECServerCertWithSCT.cfg
Usage is to enroll through those profiles with
policyset.serverCertSet.13.constraint.class_id=noConstraintImpl
policyset.serverCertSet.13.constraint.name=No Constraint
policyset.serverCertSet.13.default.class_id=SignedCertificateTimestampListExtDefaultImpl
policyset.serverCertSet.13.default.name=Certificate Transparency Poison Extension Default
It also contains addition of build and run time requirement for apache-commons-net
https://bugzilla.redhat.com/show_bug.cgi?id=1805541
- - - - -
57db6ca7 by Endi S. Dewata at 2020-02-24T20:46:53-06:00
Merged pki-nsutil.jar into pki-cmsutil.jar
The pki-nsutil.jar contains only 8 classes and it is always
used together with pki-cmsutil.jar. To simplify the maintenance
it has been merged into pki-cmsutil.jar.
- - - - -
7e20fc20 by Endi S. Dewata at 2020-02-25T15:14:31-06:00
Added apache-commons-net.jar into .classpath
- - - - -
cc40c3f0 by Fraser Tweedale at 2020-02-26T10:23:23+10:00
CMSEngine.getPasswordStore: extract to static method
The ACME service is not a CMS subsystem. But for convenience, the
ACME LDAP database backend can read database and password
configuration from CS.cfg.
In order to support this, provide a static variant of
CMSEngine.getPasswordStore(), which is explicitly passed a subsystem
ID and config store.
- - - - -
115d87bd by Endi S. Dewata at 2020-02-26T11:01:18-06:00
Added pki-server-acme(8) man page
- - - - -
0d2ac2b0 by Dinesh Prasanth M K at 2020-02-26T12:56:05-05:00
Convert multiline script to use literal style scalar (#330)
The literal style scalar | preserve newlines while folded
scalar > replaces newlines with space. As a result unintended
exit codes can occur
Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>
- - - - -
1fc86af8 by Dinesh Prasanth M K at 2020-02-26T19:41:23-05:00
Migrate away from deployer.* to pki.util.* in pkidestroy (#333)
Since pki.util.* is more generic, this patch migrates pkidestroy
scripts to use:
- pki.util.rmtree() instead of deployer.directory.delete()
- pki.util.remove() instead of deployer.file.delete()
- pki.util.unlink() instead of deployer.symlink.delete()
Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>
- - - - -
8455b705 by Endi S. Dewata at 2020-02-28T09:44:20-06:00
Fixed missing token name in serverCertNick.conf
The serverCertNick.conf is used to store the nickname and
the token name of the SSL server certificate.
Previously in HSM cases the token name was missing from this
file due to mishandling, causing the installation to fail.
The SystemCertDataFactory.create() has been modified to pass
the token name properly. Also the configuration.py has been
modified to normalize the token name and use the default token
name if it's not available before storing it into the file.
https://bugzilla.redhat.com/show_bug.cgi?id=1806840
- - - - -
6fd1dc0c by Endi S. Dewata at 2020-02-28T09:44:20-06:00
Fixed KRA clone configuration
Previously the security_databases.py would only configure the
KRA properties that stores the system certificate nicknames and
tokens in HSM cases only. For non-HSM cases it would rely on
Configurator.updateConfigEntries() to set the properties with
values from KRA master.
The security_databases.py has been modified such that it
configures KRA properties in both HSM and non-HSM cases without
using the values from KRA master.
https://bugzilla.redhat.com/show_bug.cgi?id=1806840
- - - - -
d8d8e725 by Endi S. Dewata at 2020-02-28T09:44:20-06:00
Fixed missing token names during KRA cloning
During replica installation, KRA certificate nicknames and
token names (if available) are normally stored in the
following properties:
- kra.transportUnit.nickName
- kra.storageUnit.nickName
Previously the Configurator.updateConfigEntries() would
incorrectly overwrite those properties with nicknames from
KRA master without the token names.
In non-HSM cases this was not a problem since there were no
token names involved. However, in HSM cases the token names
became missing so the certificates could not be found and
the installation would fail.
The Configurator.updateConfigEntries() has been modified to
no longer overwrite these properties.
https://bugzilla.redhat.com/show_bug.cgi?id=1806840
- - - - -
27fd676c by Endi S. Dewata at 2020-02-28T09:44:20-06:00
Fixed HSM module registration
The security_databases.py has been modified to register the
HSM module using NSSDatabase.add_module() which handles the
warning generated by modutil silently.
The Modutil class is no longer used so it has been removed.
https://bugzilla.redhat.com/show_bug.cgi?id=1806840
- - - - -
64122840 by Endi S. Dewata at 2020-02-28T09:44:20-06:00
Added docs on CA, KRA, OCSP cloning with HSM
https://bugzilla.redhat.com/show_bug.cgi?id=1806840
- - - - -
aacbb2c1 by Endi S. Dewata at 2020-02-28T15:30:28-06:00
Fixed security domain authentication
Previously pkispawn would only connect to a security domain
when installing a new subsystem that joins the security domain
(pki_security_domain_type == existing). It also would only
authenticate against the security domain if it's not skipping
security domain verification (pki_skip_sd_verify == False),
which is the default.
When installing a subordinate CA with a new security (sub)domain
it would have pki_security_domain_type == new, so it would not
connect to nor authenticate against the parent security domain,
and it would not be able to get the installation token required
to complete the installation.
The code has been modified such that pkispawn will connect to a
security domain when installing a subsystem to join the security
domain (pki_security_domain_type == existing) as before, but also
when installing a subordinate CA (pki_subordinate == True). It
will also authenticate against the security domain regardless of
the pki_skip_sd_verify since the authenitcation is required to
obtain the installation token. The surrounding try-catch block
has also been removed since the original exception will have more
detailed information (i.e. the exact URL) about the problem.
https://bugzilla.redhat.com/show_bug.cgi?id=1807421
- - - - -
1888eae1 by Endi S. Dewata at 2020-02-28T16:08:45-06:00
Added PKIDeployer.setup_cert()
The code that sets up system certificates has been moved into
PKIDeployer.setup_cert().
- - - - -
470cb717 by Endi S. Dewata at 2020-02-28T16:08:51-06:00
Removed unused CertUtil.privateKeyExistsOnToken()
- - - - -
8de89c78 by Endi S. Dewata at 2020-02-28T16:08:55-06:00
Reformatted CryptoUtil.createX509CertInfo()
- - - - -
f28adddd by Endi S. Dewata at 2020-02-28T19:34:32-06:00
Refactored CertUtil.getPKCS10()
The CertUtil.getPKCS10() has been modified to get the private
key directly from the provided key pair instead of to find it
using the private key ID.
- - - - -
4984d82e by Endi S. Dewata at 2020-02-28T19:34:38-06:00
Refactored Configurator.generateCertRequest()
The Configurator.generateCertRequest() has been modified to get
the private key directly from the provided key pair instead of
to find it using the private key ID.
- - - - -
8865b623 by Endi S. Dewata at 2020-02-28T20:02:56-06:00
Refactored CertUtil.createLocalCert()
The CertUtil.createLocalCert() has been modified to get the CA
signing private key directly instead of to find it using the
private key ID.
- - - - -
e96b25e4 by Endi S. Dewata at 2020-02-28T22:12:57-06:00
Removed unused preop.cert.<tag>.privkey.id
The preop.cert.<tag>.privkey.id properties are no longer used
so they no longer need to be stored in CS.cfg.
- - - - -
e426a0c0 by Dinesh Prasanth M K at 2020-02-29T13:42:25+05:30
Refactor CTResponse (#336)
This patch refactors CTResponse class to accommodate certificate transparency prototype.
Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>
- - - - -
843982ed by Endi S. Dewata at 2020-03-02T07:34:28-06:00
Removed unused preop.cert.<tag>.pubkey.encoded
The preop.cert.<tag>.pubkey.encoded properties are no longer
used so they no longer need to be stored in CS.cfg.
- - - - -
74f37737 by Endi S. Dewata at 2020-03-02T07:34:35-06:00
Removed unused preop.cert.<tag>.pubkey.exponent
The preop.cert.<tag>.pubkey.exponent properties are no longer
used so they no longer need to be stored in CS.cfg.
- - - - -
1a197522 by Endi S. Dewata at 2020-03-02T07:34:37-06:00
Removed unused preop.cert.<tag>.pubkey.modulus
The preop.cert.<tag>.pubkey.modulus properties are no longer
used so they no longer need to be stored in CS.cfg.
- - - - -
7776b605 by Endi S. Dewata at 2020-03-02T08:56:41-06:00
Refactored Configurator.storeKeyPair()
The code that configures the following properties
has been moved into from Configurator.storeKeyPair()
to security_database.py:
- ca.signing.defaultSigningAlgorithm
- ca.crl.MasterCRL.signingAlgorithm
- ca.ocsp_signing.defaultSigningAlgorithm
- ocsp.signing.defaultSigningAlgorithm
- kra.transportUnit.signingAlgorithm
- - - - -
e278f997 by Endi S. Dewata at 2020-03-02T08:56:58-06:00
Cleaned up Configurator.updateConfigEntries()
The following properties are already configured during
installation so it's no longer necessary to clone them
from master:
- ca.signing.defaultSigningAlgorithm
- ca.crl.MasterCRL.signingAlgorithm
- ca.ocsp_signing.defaultSigningAlgorithm
- ocsp.signing.defaultSigningAlgorithm
- kra.transportUnit.signingAlgorithm
- - - - -
a7379c18 by Endi S. Dewata at 2020-03-02T08:56:58-06:00
Removed unused cloning.<tag>.keyalgorithm
The cloning.<tag>.keyalgorithm properties are no longer used so
they no longer need to be stored in CS.cfg.
- - - - -
8bb088b5 by Endi S. Dewata at 2020-03-02T08:56:58-06:00
Removed unused cloning.<tag>.keytype
The cloning.<tag>.keytype properties are no longer used so
they no longer need to be stored in CS.cfg.
- - - - -
02923685 by Alexander Scheel at 2020-03-02T10:40:35-05:00
Remove unused, unnecessary RADIUS implementation
This RADIUS implementation is not used by the Dogtag and thus should be
removed from the distribution.
Signed-off-by: Alexander Scheel <ascheel at redhat.com>
- - - - -
870503b6 by Endi S. Dewata at 2020-03-02T16:46:07-06:00
Removed unused GetTokenInfo
The GetTokenInfo servlet is no longer used so it has been
removed.
- - - - -
66431222 by Endi S. Dewata at 2020-03-02T16:46:07-06:00
Added PKIDeployer.setup_admin()
The code that configures the admin user has been moved into
PKIDeployer.setup_admin().
- - - - -
bed36af1 by Endi S. Dewata at 2020-03-02T16:46:07-06:00
Moved preop.cert.admin.dn
The code that configures preop.cert.admin.dn has been moved
into security_databases.py.
- - - - -
ba38607e by Endi S. Dewata at 2020-03-02T16:46:07-06:00
Refactored ConfigClient.retrieve_existing_subsystem_cert()
The ConfigClient.retrieve_existing_subsystem_cert() has been
modified to get the subsystem certificate's nickname, token
name, and subject DN from the deployment configuration.
- - - - -
39d5ceac by Endi S. Dewata at 2020-03-02T16:46:07-06:00
Removed unused cloning.<tag>.dn
The cloning.<tag>.dn properties are no longer used so
they no longer need to be stored in CS.cfg.
- - - - -
28a3a11d by Endi S. Dewata at 2020-03-03T18:57:41-06:00
Fixed NSSDatabase.module_exists()
The search pattern in NSSDatabase.module_exists() has been
modified to allow matching module names at the end of line.
https://bugzilla.redhat.com/show_bug.cgi?id=1809210
- - - - -
766011eb by Endi S. Dewata at 2020-03-03T18:57:41-06:00
Fixed missing subsystem cert token name
The code that configures the shared secret between TKS and TPS
has been modified to use the subsystem certificate token name
if it is specified in the deployment configuration. This is
needed to install TPS with HSM.
https://bugzilla.redhat.com/show_bug.cgi?id=1809210
- - - - -
61de999c by Endi S. Dewata at 2020-03-03T18:57:41-06:00
Fixed TPS connector removal
The TPSConnector.execute_using_pki() has been modified to
use -f <password file> instead of -c <password> in order to
work properly with HSM and for better security. It has also
been modified to use -U <URL> to specify the TKS location.
https://bugzilla.redhat.com/show_bug.cgi?id=1809210
- - - - -
43e7c142 by Endi S. Dewata at 2020-03-04T10:57:49-06:00
Reorganized PKI ACME sources
PKI ACME sources have been moved from base/acme/src into
base/acme/src/main/java to support Maven in the future.
- - - - -
da66119b by Endi S. Dewata at 2020-03-04T14:37:33-06:00
Removed preop.cert.<tag>.nickname cloning
The admin is responsible to provide consistent replica
deployment configuration, so it is no longer necessary to
copy preop.cert.<tag>.nickname properties from master.
- - - - -
6a73e682 by Endi S. Dewata at 2020-03-04T14:37:33-06:00
Removed unused preop.master.<tag>.nickname
The admin is responsible to provide consistent replica
deployment configuration, so it is no longer necessary
to use preop.master.<tag>.nickname properties.
- - - - -
8095fc22 by Endi S. Dewata at 2020-03-04T14:37:33-06:00
Removed unused cloning.<tag>.nickname
The cloning.<tag>.nickname properties are no longer used
so they no longer need to be stored in CS.cfg.
- - - - -
84ee873c by Endi S. Dewata at 2020-03-04T14:37:33-06:00
Removed unused cloning.module.token
The cloning.module.token property is no longer used so
it no longer needs to be stored in CS.cfg.
- - - - -
8918d5ab by Endi S. Dewata at 2020-03-04T14:37:33-06:00
Removed unused cloning.list
The cloning.list property is no longer used so it no longer
needs to be stored in CS.cfg.
- - - - -
f2e61642 by Endi S. Dewata at 2020-03-04T14:37:33-06:00
Removed internaldb.basedn cloning
The admin is responsible to provide consistent replica
deployment configuration, so it's no longer necessary
to copy internaldb.basedn from master.
- - - - -
39462615 by Endi S. Dewata at 2020-03-04T18:55:51-06:00
Updated log messages in TransportKeyUnit
- - - - -
b2a4ec53 by Endi S. Dewata at 2020-03-04T18:58:37-06:00
Removed unused Configurator.restoreCertsFromP12()
- - - - -
16dd634a by Endi S. Dewata at 2020-03-04T18:59:35-06:00
Removed unused Configurator.importKeyCert()
- - - - -
fddbe76d by Endi S. Dewata at 2020-03-04T19:00:36-06:00
Removed unused Configurator.deleteExistingCerts()
- - - - -
5cf8f9ce by Endi S. Dewata at 2020-03-04T19:01:29-06:00
Removed unused Configurator.getMasterCertKeyList()
- - - - -
0fe78500 by Endi S. Dewata at 2020-03-04T19:02:38-06:00
Removed unused Configurator.importRequired()
- - - - -
99acc705 by Endi S. Dewata at 2020-03-04T19:03:28-06:00
Removed unused Configurator.getX509Cert()
- - - - -
895accd5 by Endi S. Dewata at 2020-03-04T19:04:26-06:00
Removed unused Configurator.isCASigningCert()
- - - - -
991dd374 by Endi S. Dewata at 2020-03-04T19:05:20-06:00
Removed unused Configurator.getX509CertFromToken()
- - - - -
681b0a7c by Endi S. Dewata at 2020-03-04T19:06:00-06:00
Removed unused Configurator.isAuditSigningCert()
- - - - -
f3b4185f by Endi S. Dewata at 2020-03-04T22:55:59-06:00
Removed instanceId cloning
The instanceId property is provided by the deployment
configuration so it no longer needs to be copied from master.
- - - - -
b0c189fb by Endi S. Dewata at 2020-03-04T22:57:47-06:00
Removed unused cloning.token
The cloning.token property is no longer used so
it has been removed.
- - - - -
254aa364 by Endi S. Dewata at 2020-03-04T23:01:28-06:00
Removed preop.ca.httpport cloning
The preop.ca.httpport property is no longer used so
it no longer needs to be copied from master.
- - - - -
69485c39 by Endi S. Dewata at 2020-03-04T23:01:32-06:00
Removed preop.ca.httpsport cloning
The preop.ca.httpsport property is provided by the deployment
configuration so it no longer needs to be copied from master.
- - - - -
86db661a by Endi S. Dewata at 2020-03-04T23:01:32-06:00
Removed preop.ca.list cloning
The preop.ca.list is no longer used so it no longer needs
to be copied from master.
- - - - -
72d56a1a by Endi S. Dewata at 2020-03-04T23:01:32-06:00
Removed preop.ca.pkcs7 cloning
The preop.ca.pkcs7 property is set during installation so
it no longer needs to be copied from master.
- - - - -
9fb7d8b8 by Endi S. Dewata at 2020-03-04T23:01:32-06:00
Removed preop.ca.hostname cloning
The preop.ca.hostname property is provided by the deployment
configuration so it no longer needs to be copied from master.
- - - - -
f26c7e6c by Endi S. Dewata at 2020-03-05T10:49:46-06:00
Fixed IKeyRecord hierarchy
- - - - -
3e114d1d by Endi S. Dewata at 2020-03-05T10:59:33-06:00
Fixed generic type for IDBSession.createVirtualList()
The generic type for IDBSession.createVirtualList() has been
modified to extend IDBObj.
- - - - -
06a5db9b by Endi S. Dewata at 2020-03-05T10:59:40-06:00
Fixed generic type for IDBVirtualList
The generic type for IDBVirtualList has been modified to
extend IDBObj.
- - - - -
2c79d8b6 by Endi S. Dewata at 2020-03-05T13:38:08-06:00
Updated log messages in DBVirtualList.getEntries()
- - - - -
b7220066 by Endi S. Dewata at 2020-03-05T15:01:52-06:00
Cleaned up CertUtil.createLocalCert()
- - - - -
dd60bab1 by Endi S. Dewata at 2020-03-05T15:01:52-06:00
Removed unused CryptoUtil.createX509CertInfo()
- - - - -
5d34beb3 by Endi S. Dewata at 2020-03-06T10:36:34-06:00
Cleaned up cert nickname and token configuration
The code that configures certificate nicknames and tokens
in Configuration.updateConfig() has been moved into
security_databases.py.
- - - - -
7ee2f454 by Endi S. Dewata at 2020-03-06T10:36:44-06:00
Removed redundant SystemConfigService.updateConfiguration()
The SystemConfigService.updateConfiguration() has been
removed since the properties are already configured earlier
in security_database.py.
- - - - -
9c6e9a32 by Endi S. Dewata at 2020-03-06T10:36:44-06:00
Cleaned up Configurator.getConfigEntriesFromMaster()
The code that configures the certificate nicknames in
Configurator.getConfigEntriesFromMaster() has been removed
since the nicknames are already configured earlier in
security_database.py.
- - - - -
fb799762 by Endi S. Dewata at 2020-03-06T10:36:44-06:00
Updated Configuration.updateDomainXML()
The Configuration.updateDomainXML() has been modified to use
the <subsystem>.cert.subsystem.nickname which already includes
the token name.
- - - - -
659c0d68 by Endi S. Dewata at 2020-03-06T10:40:01-06:00
Cleaned up CA and OCSP signing certs configuration
The code that configures CA and OCSP signing certificates
in Configurator.updateConfig() has been moved into
security_databases.py.
- - - - -
40329fe0 by Endi S. Dewata at 2020-03-06T14:37:21-06:00
Cleaned up KRA certs configuration (part 1)
The code that configures KRA certificates in security_databases.py
has been simplified.
- - - - -
0c3f0643 by Endi S. Dewata at 2020-03-06T14:37:52-06:00
Cleaned up KRA certs configuration (part 2)
The code that configures KRA certificates in
Configurator.updateConfig() has been moved into
security_database.py.
- - - - -
77e49ac8 by Endi S. Dewata at 2020-03-06T14:45:42-06:00
Cleaned up audit signing certs configuration
The code that configures audit signing certificates in
Configurator.updateConfig() has been moved into
security_database.py.
- - - - -
08f86385 by Endi S. Dewata at 2020-03-06T15:07:40-06:00
Removed Configurator.updateConfig()
The remaining code in Configurator.updateConfig() has
been moved out so the method is no longer needed.
- - - - -
685d11a8 by Endi S. Dewata at 2020-03-09T17:02:19-05:00
Updated NSSDatabase.import_pkcs12()
The NSSDatabase.import_pkcs12() has been modified to support
password.conf file.
- - - - -
807c8aaa by Endi S. Dewata at 2020-03-09T19:29:32-05:00
Updated PKISubsystem.export_system_cert()
The PKISubsystem.export_system_cert() has been modified to
support exporting a system certificate without the key.
- - - - -
374d0837 by Endi S. Dewata at 2020-03-09T19:29:46-05:00
Updated pki-server <subsystem>-clone-prep
The pki-server <subsystem>-clone-prep commands have been
modified to support --no-key option.
- - - - -
060254ab by Endi S. Dewata at 2020-03-09T19:29:46-05:00
Added pki pkcs11-cert-export
The pki pkcs11-cert-export has been added to export a certificate
via PKCS #11 interface.
- - - - -
356d33ac by Endi S. Dewata at 2020-03-09T19:29:46-05:00
Updated pki pkcs12-import
The pki pkcs12-import command has been modified to support
password.conf.
- - - - -
347396dc by Endi S. Dewata at 2020-03-09T22:46:49-05:00
Added NSSDatabase.show_cert()
The code that shows certificate information in get
NSSDatabase.get_cert() has been moved into show_cert().
- - - - -
bf7256b7 by Endi S. Dewata at 2020-03-09T22:46:49-05:00
Updated NSSDatabase.get_cert_info()
The NSSDatabase.get_cert_info() has been modified to specify
the token from which to get the certificate.
- - - - -
58cb0870 by Alexander Scheel at 2020-03-10T17:04:39+10:00
Add warning about CVE-2020-1938
Signed-off-by: Alexander Scheel <ascheel at redhat.com>
- - - - -
695053e8 by Fraser Tweedale at 2020-03-11T11:36:21+10:00
ACMEAuthorizationService: handle empty list of challenges
ACMEAuthorizationService creates challenges for an ACMEAuthorization
if .getChallenges() == null. But the return type of
ACMEAuthorization.getChallenges is Collection<ACMEChallenge>, so it
is reasonble (and arguably more correct and safer) for the database
implementation that loads the authorisation object to set an empty
list of challenges, if there are no challenges, rather than leaving
it as null.
Indeed, that is what the forthcoming LDAP database implementation
does. And that has exposed this bug, i.e. that although 'null' is
handled, and empty list is not, resulting in issuance failure (the
order cannot be finalised).
So treat '.size() <= 0' the same as '== null'.
- - - - -
1351d968 by Fraser Tweedale at 2020-03-11T14:15:34+11:00
startedByNuxwdog(): extract common code to class
Several classes have duplicated the startedByNuxwdog subroutine.
Extract it to a utility class.
- - - - -
07bd2042 by Fraser Tweedale at 2020-03-11T14:29:09+11:00
getPasswordStore(): extract to IPasswordStore
The ACME LDAP database driver needs an IPasswordStore. But we don't
want to depend on CMSEngine, where getPasswordStore() is defined.
So extract getPasswordStore() to a static method on the
IPasswordStore interface. (Static methods on interfaces are
supported since Java 8). This requires one small change: cmsutil
does not depend on on cmscore so the config store must be passed as
a Map<String, String> instead of a PropConfigStore.
- - - - -
c996d859 by Fraser Tweedale at 2020-03-11T18:17:29+10:00
ACMEEngine: extract order checks to method
ACMEEngine.validateOrder() throws an exception if something is wrong
with the order (e.g. order does not match account ID, or order is
expired). But it is useful to have a variation that does not throw
an exception and just returns the check result as a value.
Extract this logic to the 'checkOrder()' method.
- - - - -
078c3a01 by Fraser Tweedale at 2020-03-11T18:17:29+10:00
ACME: process all associated pending orders on authz finalisation
In the ACME data model an authorization may be associated with zero,
one or multiple orders. So when finalising an authorization, we
should process *all* pending orders associated with the completed
authorisation, to see if those orders are now also complete (i.e.
all authorisations have been completed).
To implement this, change the "get order by authz" methods to return
a Collection of orders with a the specified authz ID and status, and
update the ACMEChallengeService to process all returned orders.
- - - - -
f9a19bc3 by Endi S. Dewata at 2020-03-11T21:04:53-05:00
Renamed securityDomain.installToken
The securityDomain.installToken property in acl.properties has
been renamed into securityDomain.read for consistency.
- - - - -
9b47b625 by Endi S. Dewata at 2020-03-12T00:50:26-05:00
Removed securitydomain.store
The securitydomain.store property in CS.cfg has been removed
since the value is hard-coded to 'ldap'. The unused code that
stores security domain info into XML file has been removed from
UpdateDomainXML.process().
- - - - -
66d8cfa1 by Endi S. Dewata at 2020-03-12T00:52:59-05:00
Refactored SecurityDomainProcessor.addEntry()
The code that constructs the LDAP entry for a new security domain
host has been moved into SecurityDomainProcessor.addEntry() which
has been renamed into addHost().
- - - - -
a56d880c by Endi S. Dewata at 2020-03-12T00:56:10-05:00
Refactored SecurityDomainProcessor.removeHost()
The code that constructs the LDAP DN for the security
domain host to be removed has been moved into
SecurityDomainProcessor.removeHost().
- - - - -
7bbf80f8 by Endi S. Dewata at 2020-03-12T10:09:47-05:00
Cleaned up SecurityDomain.deregister()
The unused code that updates the security domain with install
token in SecurityDomain.deregister() has been removed.
- - - - -
65996495 by Endi S. Dewata at 2020-03-12T10:43:01-05:00
Cleaned up DN construction in SecurityDomainProcessor
The code that constructs the DNs in SecurityDomainProcessor
has been simplified since separate admin and agent ports are
no longer supported.
- - - - -
f6040548 by Endi S. Dewata at 2020-03-13T11:53:41-05:00
Updated variable names in ACME services
- - - - -
00a6fdaa by Endi S. Dewata at 2020-03-13T13:38:19-05:00
Fixed typos in ACME user guide
- - - - -
9aa6cf2d by Endi S. Dewata at 2020-03-16T10:33:58-05:00
Merged CryptoUtil.signECCCert()
The CryptoUtil.signECCCert() has been merged into
CryptoUtil.signCert() since they are identical.
- - - - -
27dbecae by Endi S. Dewata at 2020-03-16T10:34:03-05:00
Refactored CryptoUtil.signCert()
The CryptoUtil.signCert() has been modified to take
a java.security.PrivateKey parameter instead of
org.mozilla.js.crypto.PrivateKey.
- - - - -
a0b41362 by Endi S. Dewata at 2020-03-16T10:39:20-05:00
Refactored CryptoUtil.createCertificationRequest()
The CryptoUtil.createCertificationRequest() has been
modified to take a java.security.PrivateKey parameter
instead of a org.mozilla.jss.crypto.PrivateKey.
- - - - -
0efedbcd by Endi S. Dewata at 2020-03-16T10:39:20-05:00
Refactored Configurator.configRemoteCert()
The the code that generates the PKCS #10 request has been
moved outside of Configurator.configRemoteCert().
- - - - -
4206f6fc by Endi S. Dewata at 2020-03-16T10:39:20-05:00
Removed CertUtil.getPKCS10()
The code in CertUtil.getPKCS10() has been merged into
Configurator.configCert().
- - - - -
e79e316f by Endi S. Dewata at 2020-03-16T11:02:20-05:00
Refactored Configurator.configLocalCert()
The Configurator.configLocalCert() has been modified to remove
the unused X509CertImpl parameters.
- - - - -
4df0db18 by Endi S. Dewata at 2020-03-16T11:15:55-05:00
Refactored Configurator.configCert()
The Configurator.configCert() has been modified to return
the newly created X509CertImpl object.
- - - - -
9b3af422 by Endi S. Dewata at 2020-03-16T11:20:41-05:00
Refactored CertUtil.updateLocalRequest()
The code that gets the request ID from the pre-op configuration
has been moved out of CertUtil.updateLocalRequest().
- - - - -
e68b84a7 by Endi S. Dewata at 2020-03-16T11:21:16-05:00
Refactored CertUtil.getAdminProfileAlgorithm()
The code that reads the configuration parameters has been moved
out of CertUtil.getAdminProfileAlgorithm().
- - - - -
95bd3464 by Endi S. Dewata at 2020-03-16T11:54:16-05:00
Added CertUtil.createCertInfo()
The code that creates X509CertInfo has been moved from
CertUtil.createLocalCert() into createCertInfo().
- - - - -
26f193f9 by Endi S. Dewata at 2020-03-16T11:54:16-05:00
Refactored CertUtil.createLocalCert() (part 1)
The code that creates CertInfoProfile has been moved out of
CertUtil.createLocalCert().
- - - - -
e1bc9037 by Endi S. Dewata at 2020-03-16T11:54:16-05:00
Refactored CertUtil.createLocalCert() (part 2)
The code that creates the request object has been moved out of
CertUtil.createLocalCert().
- - - - -
44682336 by Endi S. Dewata at 2020-03-16T11:54:16-05:00
Refactored CertUtil.createLocalCert() (part 3)
The code that reads the configuration parameters has been
moved out of CertUtil.createLocalCert().
- - - - -
b4f4286e by Endi S. Dewata at 2020-03-16T11:54:57-05:00
Refactored CertUtil.createCertInfo()
The code that reads the configuration parameters has been
moved out of CertUtil.createCertInfo()
- - - - -
6a28ec56 by Endi S. Dewata at 2020-03-17T12:34:19+10:00
Added ACMEDatabase.getOrderByCertificate()
The ACMEDatabase.getOrderByCertificate() has been added to
return the order that generated a given certificate.
- - - - -
3a6c791c by Endi S. Dewata at 2020-03-17T12:34:19+10:00
Added ACMERevokeCertificateService
The ACMERevokeCertificateService has been added to revoke
a certificate.
- - - - -
d276a7cd by Endi S. Dewata at 2020-03-17T12:34:19+10:00
Updated ACME user guide
The ACME user guide has been modified to include certificate
revocation and other updates.
- - - - -
47df4e04 by Dinesh Prasanth M K at 2020-03-19T15:56:40-04:00
Remove MAX_NUM_POLICIES hardcoded limit on cerpolicy extension
(This patch is a forward port of #349)
There are cases where an user will like to add more than 20 policies to a cert. RFC 5280
does not impose any hard limit on the number of policies. This patch removes
the hardcoded limit from the code. The user can now specify unlimited policies
This patch also fixes a minor bug to the method signature: `createUserNotice()` (ie)
the noticeNums and noticeText params have been interchanged based on the usage
in other parts of the code.
Resolves: BZ#1768718
Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>
- - - - -
4b8c7149 by Endi S. Dewata at 2020-03-20T09:09:47-05:00
Fixed typo in getOrderByCertificate
- - - - -
420bc70a by Endi S. Dewata at 2020-03-20T10:10:16-05:00
Reorganized PKI Symkey sources
PKI Symkey sources have been moved from base/symkey/src into
base/symkey/src/main/java to support Maven in the future.
- - - - -
65c1869b by Endi S. Dewata at 2020-03-23T11:22:46-05:00
Added pki securitydomain-host-find
The pki securitydomain-host-find command has been added to
list hosts in security domain.
- - - - -
b3a5f0c6 by Endi S. Dewata at 2020-03-23T11:22:46-05:00
Added pki securitydomain-host-show
The pki securitydomain-host-show has been added to show the
host details in security domain.
- - - - -
afe59acb by Endi S. Dewata at 2020-03-23T11:22:46-05:00
Added pki securitydomain-host-add
The pki securitydomain-host-add command has been added to
add a host into security domain.
- - - - -
6310c263 by Endi S. Dewata at 2020-03-23T11:22:46-05:00
Added pki securitydomain-host-del
The pki securitydomain-host-del command has been added to
remove a host from security domain.
- - - - -
3b5ffaa1 by Endi S. Dewata at 2020-03-23T11:28:20-05:00
Cleaned up Configurator.getSubsystemCert()
The Configurator.getSubsystemCert() has been simplified and
modified to return an X509CertImpl.
- - - - -
1607b907 by Endi S. Dewata at 2020-03-23T11:28:20-05:00
Cleaned up Configurator.setupClientAuthUser()
- - - - -
f01bbbf8 by Endi S. Dewata at 2020-03-23T11:28:20-05:00
Cleaned up CertUtil.addUserCertificate()
- - - - -
5f32e6e5 by Endi S. Dewata at 2020-03-23T11:28:20-05:00
Refactored CertUtil.addUserCertificate()
The code that sets up the user, certificate, and group
has been moved from Configurator.setupClientAuthUser()
into setupUser().
The CertUtil.addUserCertificate() has been moved into
Configurator class and modified to use setupUser().
- - - - -
f674a865 by Endi S. Dewata at 2020-03-23T12:05:56-05:00
Removed unused CryptoUtil.getPKCS10FromKey()
- - - - -
753b6661 by Endi S. Dewata at 2020-03-23T12:11:46-05:00
Merged Configurator.loadCertRequest()
- - - - -
0e771ccc by Endi S. Dewata at 2020-03-23T12:11:46-05:00
Merged CertUtil.injectSANextensionIntoRequest()
- - - - -
6e99d9a4 by Endi S. Dewata at 2020-03-23T12:35:37-05:00
Refactored Configurator.createGenericExtensions()
The code that reads the configuration parameters have been
moved out of Configurator.createGenericExtensions().
- - - - -
f1149818 by Endi S. Dewata at 2020-03-23T12:35:55-05:00
Refactored CertUtil.createLocalRequest()
The code that reads the configuration properties has been
moved out of CertUtil.createLocalRequest().
- - - - -
da1a4208 by Endi S. Dewata at 2020-03-23T17:31:34-05:00
Cleaned up CryptoUtil.createCertificationRequest()
- - - - -
23e68fc6 by Endi S. Dewata at 2020-03-23T18:43:45-05:00
Refactored Configurator.createCertRecord() (part 1)
The code that reads the configuration properties has been
moved out of Configurator.createCertRecord().
- - - - -
40191036 by Endi S. Dewata at 2020-03-23T18:43:54-05:00
Refactored Configurator.createCertRecord() (part 2)
The code that updates the configuration properties has been
moved out of Configurator.createCertRecord().
- - - - -
bde0858a by Endi S. Dewata at 2020-03-24T17:25:24+10:00
Refactored ACMEBackend
Some ACME backends might support only one cert authority, so
the serial number of the certs will be unique. However, some
other backends might support multiple cert authorities so the
serial number by itself might not be unique. The ACMEBackend
needs to be able to generate backend-specific unique ID for
the certs if necessary.
Some ACME backends use two-step cert enrollment: issuance and
retrieval. These steps match the ACME protocol. However, some
other backends use only one-step enrollment. In that case the
server will need to store the issued cert in ACME database for
a later retrieval.
To support the above requirements, the code has been modified
as follows:
- The ACMEBackend.getCertificateID() has been added to create
a unique ID for a cert. By default it will generate a unique
ID based on the serial number. A subclass can override this
method to generate a backend-specific unique ID.
- The ACMEBackend.generateCertificate() has been added to
generate a certificate in one step. By default this method
is not implemented. A subclass can override this method to
implement backend-specific one-step enrollment.
- The ACMEBackend.issueCertificate() has been modified to
return a cert unique ID instead of the serial number. By
default this method will call generateCertificate(), then
call getCertificateID(). A subclass can override this method
to implement a backend-specific cert issuance.
The ACMEBackend.getCertificateChain() has not been modififed,
but a subclass can override this method either to retrieve the
cert from ACME database (for one-step enrollment) or from the
ACME backend (for two-step enrollment).
- - - - -
b48a8f1a by Fraser Tweedale at 2020-03-24T17:27:25+10:00
acme: add LDAP schema for ACME service db
- - - - -
89555737 by Fraser Tweedale at 2020-03-24T17:27:25+10:00
acme: add LDAPDatabase backend
- - - - -
6eb8e96c by Endi S. Dewata at 2020-03-24T17:25:30-05:00
Reorganized PKI Util sources
PKI Util sources have been reorganized to support Maven in the
future. Here are the changes:
- base/util/src -> base/util/src/main/java
- base/util/src/pki-cmsutil.mf -> base/util/src/main/resources/META-INF/MANIFEST.MF
- base/util/PKICertImport.bash -> base/util/src/main/shell/PKICertImport.bash
- base/util/test -> base/util/src/test/java
- base/util/test/PKICertImport/certs -> base/util/src/test/resources/certs
- base/util/test/PKICertImport/runtest.bash -> base/util/src/test/shell/test_PKICertImport.bash
- - - - -
f4fcae53 by Endi S. Dewata at 2020-03-25T15:01:44-05:00
Added ACMEDatabase.getRevocationAuthorizations()
The ACMEDatabase.getRevocationAuthorizations() has been added
to return all valid and non-expired authorization records
belonging to an account.
- - - - -
e207aadc by Endi S. Dewata at 2020-03-25T15:01:44-05:00
Added ACMEDatabase.hasRevocationAuthorization()
The ACMEDatabase.hasRevocationAuthorization() has been added
to check whether the account has a valid and non-expired
authorization record for a particular identifier.
- - - - -
ae4de576 by Endi S. Dewata at 2020-03-25T15:01:44-05:00
Added revocation with authorization records
The ACMEEngine.validateRevocation() has been modified to support
validating revocation request using the account's authorization
records.
- - - - -
6cd2ce6a by Dinesh Prasanth M K at 2020-03-25T16:02:15-04:00
Patch ECAdminCertProfile upgrade script (#355)
* Patch ECAdminCertProfile upgrade script
The caECAdminCert profile was added 2 years ago but was never patched
to be added to the CS.cfg. Hence, when a user tries to upgrade, the path
did not exist and so, the upgrade failed. This patch adds the missing
attribute to ensure smooth upgradation process
Resolves: BZ#1814242
Upstream: https://pagure.io/dogtagpki/issue/3168
Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>
* Addressing comments in PR
Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>
- - - - -
d5fd230e by Endi S. Dewata at 2020-03-25T15:04:42-05:00
Refactored Configurator.configLocalCert()
The Configurator.configLocalCert() has been modified to call
createRequest() to create the request object.
- - - - -
22e644a4 by Endi S. Dewata at 2020-03-25T15:04:42-05:00
Merged Configurator.configLocalCert()
The Configurator.configLocalCert() has been merged into
configCert().
- - - - -
fca8e7a1 by Endi S. Dewata at 2020-03-25T16:06:58-05:00
Removed redundant SystemConfigService.updateCloneConfiguration()
The SystemConfigService.updateCloneConfiguration() is no longer
making any changes to the server so it has been removed.
- - - - -
df8235ca by Endi S. Dewata at 2020-03-25T20:03:49-05:00
Replaced preop.cert.*.enable
The preop.cert.*.enable is only set to false for certs on replica
except the sslserver cert. The code has been modified to check
for that condition before calling SystemConfigClient.setupCert()
instead of using the properties.
- - - - -
ec05ca86 by Endi S. Dewata at 2020-03-25T20:03:55-05:00
Removed unused preop.cert.*.enable
- - - - -
150d689e by Endi S. Dewata at 2020-03-25T20:03:55-05:00
Removed CertificateSetupRequest.generateServerCert
The code has been modified to call SystemConfigClient.setupCert()
for sslserver certificate only for the first subsystem in the
instance.
- - - - -
e963ad2d by Endi S. Dewata at 2020-03-25T20:03:55-05:00
Removed CertificateSetupRequest.generateSubsystemCert
The code has been modified to call SystemConfigClient.setupCert()
for subsystem certificate only for the first subsystem in the
instance.
- - - - -
e6f254a5 by Dinesh Prasanth M K at 2020-03-26T12:42:05-04:00
Move 10.8.2 upgrade script to 10.8.3
Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>
- - - - -
8b98421e by Fraser Tweedale at 2020-03-27T09:27:49+10:00
acme: fix LDAPDatabase.removeExpiredNonces
A nonce is expired when its 'acmeExpires' attribute is less than
(before) the current time. But the LDAP search for expired nonces
was returning non-expired nonces (acmeExpires>=$NOW). Fix the
search filter expression.
- - - - -
ec3cc76b by Fraser Tweedale at 2020-03-27T09:30:40+10:00
acme: add SANToCNDefault to registry
ACME profiles need the SANToCNDefault profile component in the
registry. This commit will add it for new installations. A future
change (perhaps in FreeIPA rather than Dogtag) will address adding
the component to the registry on upgrade.
- - - - -
18a921d6 by Fraser Tweedale at 2020-03-27T09:38:08+10:00
acme: add LDAP indices
- - - - -
e39ba74d by Endi S. Dewata at 2020-03-27T09:41:13+10:00
Renamed ACME backend to issuer
The term "backend" is too generic and might be confused with
"database backend" so it has been replaced with "issuer". The
code, config files, and docs have been updated accordingly.
- - - - -
d118b3ad by Tom Stellard at 2020-03-27T09:42:36+10:00
Silence -Wc++11-narrowing warnings
Clang treats these as errors by default, so this fixes the build with clang.
Example of one of the warnings:
/builddir/build/BUILD/pki-10.8.3/base/tps-client/src/processor/RA_Processor.cpp:3237:28:
error: non-constant-expression cannot be narrowed from type 'int' to
'BYTE' (aka 'unsigned char') in initializer list [-Wc++11-narrowing]
BYTE nv[2] = { v, 0x01 };
- - - - -
911a8201 by Endi S. Dewata at 2020-03-26T22:20:19-05:00
Fixed pki-server acme-create
- - - - -
79a1a967 by Endi S. Dewata at 2020-03-27T13:04:27-05:00
Cleaned up PKISubsystem.load() and save()
The PKISubsystem.load() and save() have been modified to
use pki.util.load_properties() and store_properties().
- - - - -
999e6941 by Endi S. Dewata at 2020-03-27T14:25:41-05:00
Added PKISubsystem.registry
The PKISubsystem has been modified to load and store
the plugin registry in registry.cfg.
The unused CASubsystem.load_profile_registry() has been
removed.
- - - - -
43fcca64 by Endi S. Dewata at 2020-03-27T21:48:01-05:00
Removed interactive upgrade process
The interactive upgrade process has been removed since
all upgrade steps must be completed before the server
can run. The --silent option is no longer needed so it
has been removed.
- - - - -
e656f127 by Endi S. Dewata at 2020-03-27T21:48:01-05:00
Fixed PKIUpgrader.scriptlets()
The PKIUpgrader.scriptlets() has been modified to use
a more reliable way to mark the last scriptlet in the
list.
- - - - -
4af5f40d by Endi S. Dewata at 2020-03-30T12:25:38+10:00
Changed ACME config file format
The ACME config file format has been changed from JSON to
simple properties which will be more user-friendly and
support comments.
- - - - -
97c724f1 by Fraser Tweedale at 2020-03-30T12:31:43+10:00
acme: implement LDAPDatabase.hasRevocationAuthorization
- - - - -
273d3677 by Fraser Tweedale at 2020-03-30T10:41:20-05:00
acme: fix revocation checks when account did not issue certificate
ACME provides three ways to revoke a certificate:
- proof of possession of private key
- ACME account issued the certificate to be revoked
- ACME account holds authorizations for all identifiers on the
certificate to be revoked
We recently implemented the third case, but we never reach that code
because an exception is thrown immediately if the current account
did not issue the certificate to be revoked. Fix the code by not
throwing an exception and instead fall through to the code for the
third case.
- - - - -
d98e3402 by Endi S. Dewata at 2020-04-01T12:24:10+10:00
Added upgrade script for SANToCNDefault
An upgrade script has been added to add SANToCNDefault into
existing registry.cfg. The ACME installation doc has been
updated to no longer require adding SANToCNDefault manually.
- - - - -
ab2f2b38 by Endi S. Dewata at 2020-04-01T17:34:09-05:00
Added handlers to capture CI install logs
- - - - -
6deb112d by Alexander Scheel at 2020-04-02T13:14:34-04:00
Temporarily disable PKI COPR repo for SSLEngine
Having a SSLContext implementation is confusing Tomcat, resulting in PKI
CI failing. Temporarily disable PKI's COPR repo, preventing a newer JSS
from being pulled in.
Signed-off-by: Alexander Scheel <ascheel at redhat.com>
- - - - -
82df48c7 by Endi S. Dewata at 2020-04-03T12:31:48-05:00
Added pki-server run --with-valgrind
The --with-valgrind option has been added to pki-server run
command to run the server with valgrind.
- - - - -
abea77b1 by dpuniaredhat at 2020-04-06T11:53:36+05:30
Certificate Enrollment Performance Test script (#370)
* Certificate Enrollment Performance Test script
Signed-off-by: Deepak Punia <dpunia at redhat.com>
* Fixed indentation
* Renamed --url to --hostname
* Removed deprecated subsystem name parameter
* Cleaned up output
Co-authored-by: Endi S. Dewata <edewata at redhat.com>
- - - - -
1ab4a584 by Endi S. Dewata at 2020-04-06T18:36:53-05:00
Fixed upgrade warnings
- - - - -
a8ef2c08 by Endi S. Dewata at 2020-04-06T18:36:53-05:00
Removed interactive upgrade process (part 2)
This is a continuation of 43fcca6431bd709ba92aee315a24c9a62648dd48.
- - - - -
80630e61 by Endi S. Dewata at 2020-04-06T18:36:53-05:00
Removed unused PKIUpgrader.index
- - - - -
b4536e14 by Endi S. Dewata at 2020-04-06T18:36:53-05:00
Removed unused PKIUpgrader.version
- - - - -
55eb3e25 by Endi S. Dewata at 2020-04-06T18:36:53-05:00
Removed unused PKIServerUpgrader.instance_version
- - - - -
f2900ccc by Endi S. Dewata at 2020-04-06T18:36:53-05:00
Removed unused PKIServerUpgrader.subsystemName
- - - - -
2a0de2a0 by Fraser Tweedale at 2020-04-07T11:10:21+10:00
acme: PKIIssuer: support reading password from file
It may be desirable to put the PKIIssuer password configuration in a
different file, e.g. /etc/pki/pki-tomcat/password.conf. Add support
for this via the 'passwordFile' config.
- - - - -
856ccf3d by Endi S. Dewata at 2020-04-06T20:43:41-05:00
Refactored PKIServerUpgrader.instanceName
The PKIServerUpgrader.instanceName has been replaced with
a list of instances provided by the caller.
- - - - -
6fb014e8 by Endi S. Dewata at 2020-04-06T20:43:41-05:00
Refactored PKIServerUpgrader.subsystems()
The code that calls PKIServerUpgrader.subsystems() has been
modified to get the subsystems from the instance directly.
- - - - -
c8800dad by Endi S. Dewata at 2020-04-06T20:43:41-05:00
Refactored PKIUpgradeScriptlet.upgrade()
The PKIUpgradeScriptlet.upgrade() has been replaced with
PKIUpgrader.run_scriptlet().
- - - - -
e1fb07c9 by Endi S. Dewata at 2020-04-06T20:43:41-05:00
Refactored PKIUpgradeScriptlet.init()
The PKIUpgradeScriptlet.init() has been replaced with
PKIUpgrader.init_scriptlet().
- - - - -
c1cda5d8 by Endi S. Dewata at 2020-04-06T20:46:32-05:00
Refactored PKIServerUpgradeScriptlet.upgrade_subsystems()
The PKIServerUpgradeScriptlet.upgrade_subsystems() has been
replaced with PKIUpgrader.upgrade_subsystems().
- - - - -
3fa929b2 by Endi S. Dewata at 2020-04-06T20:46:44-05:00
Refactored PKIServerUpgradeScriptlet.update_server_tracker()
The PKIServerUpgradeScriptlet.update_server_tracker() has been
replaced with PKIServerUpgrader.update_server_tracker().
- - - - -
064f598d by Endi S. Dewata at 2020-04-06T20:46:44-05:00
Refactored PKIServerUpgradeScriptlet.can_upgrade_server()
The PKIServerUpgradeScriptlet.can_upgrade_server() has been
replaced with PKIServerUpgrader.can_upgrade_server().
- - - - -
b305919a by Endi S. Dewata at 2020-04-06T20:46:44-05:00
Refactored PKIUpgradeScriptlet.update_tracker()
The PKIUpgradeScriptlet.update_tracker() has been replaced
with PKIUpgrader.update_tracker().
- - - - -
074702c9 by Endi S. Dewata at 2020-04-06T20:46:44-05:00
Refactored PKIUpgradeScriptlet.can_upgrade()
The PKIUpgradeScriptlet.can_upgrade() has been replaced
with PKIUpgrader.can_upgrade().
- - - - -
7c970fcb by Endi S. Dewata at 2020-04-07T18:27:53-05:00
Added pki-server run --agentpath
The pki-server run command has been modified to provide
an option to specify the agent path for Java.
- - - - -
5a3f3f73 by Endi S. Dewata at 2020-04-07T22:35:00-05:00
Fixed CertUtil.createCertInfo()
The CertUtil.createCertInfo() broke when it was cleaned up
in commit b7220066354a177b973ef9279da22f09b6a72d37 causing
a problem in CA installation with external CA signing cert.
The code has been reverted to work properly.
https://pagure.io/dogtagpki/issue/3162
- - - - -
f66b7639 by Endi S. Dewata at 2020-04-08T20:24:22-05:00
Added pki-tests package
A new pki-tests package has been added for PKI test suite.
Currently it is empty. The content will be added later.
- - - - -
c46d63a9 by Endi S. Dewata at 2020-04-08T20:52:53-05:00
Fixed PKIServerUpgrader.get_server_tracker()
The PKIServerUpgrader.get_server_tracker() has been modified
to fix incorrect subsystem tracker name.
- - - - -
d3824107 by Endi S. Dewata at 2020-04-08T20:59:41-05:00
Fixed PKIUpgradeTracker.__init__()
The PKIUpgradeTracker.__init__() has been modified to run all
scriptlets for each upgrade version regardless of previous
upgrade status.
- - - - -
bcb160d4 by Endi S. Dewata at 2020-04-08T20:59:45-05:00
Fixed PKIServerUpgrader.upgrade_subsystems()
The PKIServerUpgrader.upgrade_subsystems() has been modified
to reload the subsystem configuration to synchronize tracker
changes in CS.cfg.
- - - - -
2fa58b5b by Endi S. Dewata at 2020-04-09T20:10:09-05:00
Fixed warnings in PKIUpgradeScriptlet.backup()
- - - - -
62dbebf8 by Endi S. Dewata at 2020-04-09T20:14:37-05:00
Cleaned up log messages in PKIUpgrader.upgrade()
- - - - -
f6af950f by Endi S. Dewata at 2020-04-09T20:14:47-05:00
Cleaned up log messages in PKIUpgrader.revert()
- - - - -
9adaeccc by Endi S. Dewata at 2020-04-09T20:14:47-05:00
Removed PKIServerUpgrader.can_upgrade_server()
The PKIServerUpgrader.can_upgrade_server() method and the
PKIUpgrader.can_upgrade() method are no longer needed since
all scriptlets for an upgrade version will be executed, so
they have been removed.
- - - - -
423f0d72 by Endi S. Dewata at 2020-04-09T20:14:47-05:00
Removed subsystem upgrade trackers
The PKIServerUpgrader has been modified to no longer use
subsystem upgrade trackers.
- - - - -
adf0ad35 by Endi S. Dewata at 2020-04-09T20:14:47-05:00
Cleaned up PKIServerUpgrader.get_server_tracker()
The PKIServerUpgrader.get_server_tracker() has been modified
to no longer create subsystem upgrade tracker objects.
- - - - -
62923b01 by Endi S. Dewata at 2020-04-10T00:04:14-05:00
Refactored PKIServerUpgrader.__init__()
The PKIServerUpgrader.__init__() has been modified to
take a single instance instead of a list of instances.
- - - - -
2ee49ed9 by Endi S. Dewata at 2020-04-10T00:04:14-05:00
Refactored PKIServerUpgrader.instances
The list of instances in PKIServerUpgrader has been
replaced with a single instance.
- - - - -
4b944ebd by Endi S. Dewata at 2020-04-10T00:13:33-05:00
Refactored PKIServerUpgrader.get_server_tracker()
The PKIServerUpgrader.get_server_tracker() has been
renamed into get_tracker().
- - - - -
c8ab5ad6 by Endi S. Dewata at 2020-04-13T12:42:55-05:00
Moved PKI_DEPLOYMENT_DEFAULT_DIR_PERMISSIONS
The PKI_DEPLOYMENT_DEFAULT_DIR_PERMISSIONS has been moved to
pki.server.DEFAULT_DIR_MODE.
- - - - -
bc71461f by Endi S. Dewata at 2020-04-13T12:43:07-05:00
Moved PKI_DEPLOYMENT_DEFAULT_FILE_PERMISSIONS
The PKI_DEPLOYMENT_DEFAULT_FILE_PERMISSIONS has been moved to
pki.server.DEFAULT_FILE_MODE.
- - - - -
a93ec6f1 by Endi S. Dewata at 2020-04-13T12:43:15-05:00
Updated PKIServer.makedirs()
The PKIServer.makedirs() has been updated to set the modes of
the new directories.
- - - - -
8ceb7a5f by Endi S. Dewata at 2020-04-13T12:43:21-05:00
Updated PKIServer.copyfile()
The PKIServer.copyfile() has been updated to set the mode of
the new file.
- - - - -
798b3a78 by Endi S. Dewata at 2020-04-13T12:43:25-05:00
Updated PKIServer.copy()
The PKIServer.copy() has been updated to set the modes of the
new directories and files.
- - - - -
086806f6 by Endi S. Dewata at 2020-04-13T15:42:18-05:00
Cleaned up import statements in pkispawn/pkidestroy
- - - - -
d9948c7b by Endi S. Dewata at 2020-04-13T15:42:55-05:00
Cleaned up pkispawn/pkidestroy help messages
- - - - -
873d5439 by Endi S. Dewata at 2020-04-13T15:43:02-05:00
Removed unused pkispawn/pkidestroy properties
- - - - -
67189324 by Endi S. Dewata at 2020-04-13T15:43:10-05:00
Refactored start_logging() in pkispawn
- - - - -
de217557 by Endi S. Dewata at 2020-04-13T15:43:19-05:00
Removed pki_log_level global variable
- - - - -
384bf0ee by Endi S. Dewata at 2020-04-13T16:15:08-05:00
Removed pki_log_name global variable
- - - - -
4900b203 by Endi S. Dewata at 2020-04-13T16:15:08-05:00
Removed pki_log_dir global variable
- - - - -
0102d836 by Endi S. Dewata at 2020-04-13T16:15:08-05:00
Added --debug option for pkispawn/pkidestroy
- - - - -
773a2da8 by Endi S. Dewata at 2020-04-13T17:44:41-05:00
Added PKIServer.exists()
The PKIServer.exists() has been added to replace is_valid().
- - - - -
cc140e0d by Endi S. Dewata at 2020-04-13T17:44:41-05:00
Added PKIServer.touch()
The PKIServer.touch() has been added to create a file with
the proper permissions.
- - - - -
d930c3ab by Endi S. Dewata at 2020-04-15T20:44:13-05:00
Cleaned up PKIServerUpgrader.upgrade_subsystems()
- - - - -
55582f6e by Endi S. Dewata at 2020-04-15T20:45:45-05:00
Cleaned up PKIServerUpgrader.run_scriptlet()
- - - - -
02f3c9fb by Endi S. Dewata at 2020-04-15T21:13:42-05:00
Removed tracker methods from PKIServerUpgrader
The tracker methods in PKIServerUpgrader have been removed
since they are identical to the ones in PKIUpgrader.
- - - - -
35478b2c by Endi S. Dewata at 2020-04-15T21:14:26-05:00
Merged PKIServerUpgrader.get_current_version()
The PKIServerUpgrader.get_current_version() has been merged
with the one in PKIUpgrader.
- - - - -
183bbc2c by Endi S. Dewata at 2020-04-15T22:51:55-05:00
Fixed javadoc warnings
- - - - -
ec044119 by Endi S. Dewata at 2020-04-15T23:17:22-05:00
Removed deprecated ClientResponseType
- - - - -
5b3ac481 by Endi S. Dewata at 2020-04-15T23:18:07-05:00
Added PKIServer.copydirs()
- - - - -
391dccf7 by Endi S. Dewata at 2020-04-16T15:38:18-05:00
Refactored PKIInstance.get_subsystems()
The PKIInstance.get_subsystems() has been moved into
PKIServer class.
- - - - -
7916b404 by Endi S. Dewata at 2020-04-16T15:38:33-05:00
Updated log messages in pki.server
- - - - -
7df26d23 by Endi S. Dewata at 2020-04-16T15:38:35-05:00
Updated log messages in pki.server.deployment
- - - - -
798fa33b by Endi S. Dewata at 2020-04-16T15:38:36-05:00
Updated log messages in pki.server.instance
- - - - -
52ec771a by Endi S. Dewata at 2020-04-16T15:38:37-05:00
Updated log messages in pki.server.subsystem
- - - - -
af0c7fdd by Endi S. Dewata at 2020-04-16T15:38:38-05:00
Updated log messages in pkihelper.py
- - - - -
5e7c3492 by Endi S. Dewata at 2020-04-16T16:46:00-05:00
Updated log messages in infrastructure_layout.py
- - - - -
b49867ae by Endi S. Dewata at 2020-04-16T16:46:24-05:00
Updated log messages in instance_layout.py
- - - - -
7b2ff7f6 by Endi S. Dewata at 2020-04-16T16:48:09-05:00
Updated log messages in security_databases.py
- - - - -
b849cd10 by Endi S. Dewata at 2020-04-16T21:44:15-05:00
Refactored PKIUpgradeScriptlet.backup()
The PKIUpgradeScriptlet.backup() has been moved into
PKIUpgrader class.
- - - - -
2bcb68a0 by Endi S. Dewata at 2020-04-16T21:44:15-05:00
Cleaned up pkidaemon log messages
- - - - -
f5dbb1d9 by Endi S. Dewata at 2020-04-16T21:44:15-05:00
Cleaned up pki-server migrate log messages
- - - - -
527a97c0 by Endi S. Dewata at 2020-04-16T21:45:03-05:00
Cleaned up pki-server upgrade log messages
- - - - -
98544f99 by Endi S. Dewata at 2020-04-17T10:22:56-05:00
Updated log messages in subsystem_layout.py
- - - - -
7dafa3bf by Endi S. Dewata at 2020-04-17T14:36:15-05:00
Added PKIServer.get_subsystems()
- - - - -
55cb5e4b by Endi S. Dewata at 2020-04-17T16:44:25-05:00
Refactored PKIServer.subsystems
The PKIServer.subsystems has been changed from a list to
a dictionary.
- - - - -
6d60732c by Endi S. Dewata at 2020-04-17T16:44:34-05:00
Cleaned up AbstractBasePkiScriptlet
- - - - -
8259178a by Endi S. Dewata at 2020-04-17T16:44:34-05:00
Added AbstractBasePkiScriptlet.instance
- - - - -
96642fa5 by Endi S. Dewata at 2020-04-17T17:06:07-05:00
Cleaned up enable_pki_logger()
- - - - -
ee54af52 by Endi S. Dewata at 2020-04-17T17:32:30-05:00
Display upgrade errors on console
- - - - -
918612e8 by Alexander Scheel at 2020-04-21T21:43:54-04:00
Update to jquery v3.4.1
Signed-off-by: Alexander Scheel <ascheel at redhat.com>
- - - - -
49728af0 by Alexander Scheel at 2020-04-21T21:43:54-04:00
Update to jquery-i18n-properties v1.2.7
Signed-off-by: Alexander Scheel <ascheel at redhat.com>
- - - - -
4f5e2676 by Alexander Scheel at 2020-04-21T21:43:54-04:00
Update to backbone v1.4.0
Signed-off-by: Alexander Scheel <ascheel at redhat.com>
- - - - -
5dd8e345 by Alexander Scheel at 2020-04-21T21:43:54-04:00
Upgrade to bootstrap v3.4.1
Signed-off-by: Alexander Scheel <ascheel at redhat.com>
- - - - -
b46f6611 by Alexander Scheel at 2020-04-21T21:43:54-04:00
Upgrade to underscore v1.9.2
Signed-off-by: Alexander Scheel <ascheel at redhat.com>
- - - - -
d0dacd14 by Alexander Scheel at 2020-04-21T21:43:54-04:00
Update to patternfly v3.59.3
Signed-off-by: Alexander Scheel <ascheel at redhat.com>
- - - - -
aa6afbf2 by Alexander Scheel at 2020-04-21T21:43:54-04:00
Update Patternfly fonts
Signed-off-by: Alexander Scheel <ascheel at redhat.com>
- - - - -
1e7d4af0 by Alexander Scheel at 2020-04-21T21:45:07-04:00
Include new ecj.jar path in pki.policy
Resolves: rhbz#1755634
Signed-off-by: Alexander Scheel <ascheel at redhat.com>
- - - - -
3a314aa1 by Endi S. Dewata at 2020-04-22T15:20:40-05:00
Added wildcard support for ACME responder
The ACME responder has been modified to support wildcards for
enrollment and revocation using in-memory and PostgresSQL
databases. The support for LDAP database will be added later.
- - - - -
f8729b87 by Fraser Tweedale at 2020-04-23T12:22:36-04:00
acme: fix NPE ACMEEngine.validateCSR()
validateCSR() reads authz.getWildcard() and uses the result in a
condition. But this routine returns Boolean, and if the result is
null (not set; implying false) then NullPointerException occurs.
Avoid the NPE by first testing != null.
- - - - -
396d419f by Fraser Tweedale at 2020-04-23T12:22:52-04:00
acme: avoid vacuous revocation authorisation
If there are no identifiers to check authorisation will be vacuously
authorised. Certificate use cases where there might be no ACME
identifiers include user or CA certificates. Prevent revocation
unless there is at least one ACME identifier to check.
- - - - -
7af607b8 by Dinesh Prasanth M K at 2020-04-23T13:29:38-04:00
Add GH actions to CI (#383)
This Patch:
- Adds Github Actions to CI
- reuses scripts under ./travis/ (requires improvement)
- Uploads artifacts to GH by removing dependency on transfer.sh
- Uploads built rpms (auto-deleted every 90 days)
- Runs build job on container provisioned by GH actions (ie)
not necessary to meddle with docker/podman commands manually
- Run PKI test job on self-provisioned container (room for improvement
by running on service containers by combining with Docker GH actions)
- Gathers logs of IPA and PKI and corresponding journalctl
logs and uploads it as a GH action artifact
Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>
- - - - -
3544aef7 by Dinesh Prasanth M K at 2020-04-23T17:15:06-04:00
Clean up GH actions code
Update self executed container to ensure
we run with latest set of packages
Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>
- - - - -
0db1749f by Fraser Tweedale at 2020-04-24T12:23:02+10:00
acme: prevent revocation of wrong certificate
For the PKIIssuer we must retrieve and compare the full certificate
against the certificate from the revocation request. Otherwise a
certificate from a different issuer or a maliciously altered
certificate that otherwise passes revocation authorisation checks
will cause the PKIIssuer to revoke the serial number of the
presented certificate.
- - - - -
214f3b6c by Fraser Tweedale at 2020-04-24T12:23:02+10:00
acme: document ACMEIssuer.revokeCert security requirements
- - - - -
08d4c547 by jmagne at 2020-04-24T15:20:53-07:00
Apply contributed patch - TPS - Searching the certificate DB for a brand new token takes too long. Bad search filter (#390)
Resolves:
Bug 1710975 - TPS - Searching the certificate DB for a band new token takes too long. Bad search filter.
Submitted by RHCS-Maint
- - - - -
c396b44f by Endi S. Dewata at 2020-04-27T16:02:51-05:00
Always run workflows regardless of branch
- - - - -
dadc7433 by Endi S. Dewata at 2020-04-27T16:45:56-05:00
Updated PKIUpgrader.copyfile()
The PKIUpgrader.copyfile() has been updated to provide a
force option.
- - - - -
9dbe1a2b by Endi S. Dewata at 2020-04-27T16:45:56-05:00
Refactored PKIUpgradeScriptlet.revert()
The PKIUpgradeScriptlet.revert() has been moved into
PKIUpgrader class.
- - - - -
56c21c22 by Endi S. Dewata at 2020-04-27T16:47:02-05:00
Updated pki.util.makedirs()
The pki.util.makedirs() has been updated to provide an
exist_ok as in os.makedirs().
- - - - -
1d78cebb by Endi S. Dewata at 2020-04-27T16:47:19-05:00
Added PKIServer.store_properties()
The PKIServer.store_properties() has been added to store
property files with the proper ownership.
- - - - -
9abe18d2 by Endi S. Dewata at 2020-04-27T16:47:19-05:00
Updated log messages in subsystem_layout.py
- - - - -
20a6fdf3 by Endi S. Dewata at 2020-04-27T16:47:19-05:00
Refactored subsystem_layout.py
The subsystem_layout.py has been modified to create the
subsystem files using PKIServer methods.
- - - - -
ac1d229a by Endi S. Dewata at 2020-04-28T12:18:25-05:00
Updated registry.cfg creation
The deployment scriptlet has been modified to create the
registry.cfg consistently for all subsystems.
- - - - -
637e9e66 by Endi S. Dewata at 2020-04-28T14:11:40-05:00
Changed CertService.authority type
The CertService.authority has been modified to use
CertificateAuthority instead of ICertificateAuthority.
- - - - -
d0c5a7ef by Endi S. Dewata at 2020-04-28T14:11:44-05:00
Updated exception handling in CertService.getCertChainData()
The CertService.getCertChainData() has been modified not to
catch any exception and let the caller handle it.
- - - - -
97a142d3 by Endi S. Dewata at 2020-04-28T14:11:44-05:00
Removed null checks in CertService.getCertChainData()
The null checks for mCACerts in CertService.getCertChainData()
are unnecessary so they have been removed.
- - - - -
e6019dfc by Endi S. Dewata at 2020-04-28T14:54:02-05:00
Updated exception handling in CAEngine.getPKCS7()
The CAEngine.getPKCS7() has been modified not to catch
any exception and to let the caller handle it.
- - - - -
f76fc230 by Endi S. Dewata at 2020-04-28T14:55:31-05:00
Refactored CAEngine.getPKCS7()
The CAEngine.getPKCS7() has been converted into getCertChain()
which returns an array of X509Certificates.
- - - - -
5a28baf6 by Endi S. Dewata at 2020-04-28T14:56:32-05:00
Cleaned up CAEngine.getCertChain()
- - - - -
899d1c34 by Endi S. Dewata at 2020-04-28T17:20:34-05:00
Refactored CertService.getCertChainData()
The CertService.getCertChainData() has been converted into
getCertChain() which returns an array of X509Certificates.
- - - - -
68fefe33 by Endi S. Dewata at 2020-04-28T17:27:39-05:00
Cleaned up PKCS7.encodeSignedData() calls
- - - - -
c17fa904 by Endi S. Dewata at 2020-04-28T19:57:26-05:00
Added CertUtils.certInCertChain()
The code that checks if a cert is already in a cert chain
has been moved into CertUtils.certInCertChain().
- - - - -
19b936da by Endi S. Dewata at 2020-04-28T20:06:54-05:00
Simplified CertService.getCertChain()
- - - - -
3d610cd8 by Endi S. Dewata at 2020-04-28T20:13:48-05:00
Merged CertService.getCertChain()
The CertService.getCertChain() has been merged into
CAEngine.getCertChain().
- - - - -
8540b5a2 by Endi S. Dewata at 2020-04-29T19:29:16-05:00
Fixed Password.get_password()
- - - - -
eef48da5 by Endi S. Dewata at 2020-04-29T19:29:16-05:00
Moved ClientCertImportCLI.setTrustAttributes()
The ClientCertImportCLI.setTrustAttributes() has been moved
into CryptoUtil.setTrustFlags().
- - - - -
e9b82e4f by Endi S. Dewata at 2020-04-29T19:29:16-05:00
Added CryptoUtil.importPKCS7()
The code that imports PKCS #7 certificates into NSS database
has been moved into CryptoUtil.importPKCS7().
- - - - -
25db7f31 by Endi S. Dewata at 2020-04-29T19:29:16-05:00
Added pki pkcs7-import
The pki pkcs7-import command has been added to import
PKCS #7 certificate chain into NSS database.
- - - - -
eb6bb2f1 by Endi S. Dewata at 2020-04-29T19:56:05-05:00
Added TransportKeyUnit.getChain()
The TransportKeyUnit.getChain() has been added to provide
the certificate chain for the transport certificate.
- - - - -
62540fcd by Endi S. Dewata at 2020-04-29T20:20:16-05:00
Updated KRASystemCertService
The KRASystemCertService has been modified to provide
the certificate chain for KRA transport certificate.
- - - - -
78fb45d9 by Endi S. Dewata at 2020-04-29T20:20:39-05:00
Updated CASystemCertService
The CASystemCertService has been modified to provide the
certificate chains for CA signing certificate and the
transport certificate for the KRA connector.
- - - - -
1593608a by Endi S. Dewata at 2020-04-29T20:20:45-05:00
Removed unused preop.<subsystem>.certchain.*
- - - - -
425ccd3e by Endi S. Dewata at 2020-04-29T20:54:05-05:00
Refactored pki_one_time_pin
The code that generates pki_one_time_pin has been moved into
subsystem_layout.py. The code that loads pki_one_time_pin
has been moved into configuration.py.
- - - - -
f96023d3 by Fraser Tweedale at 2020-04-30T14:48:07+10:00
acme: reject CSR with unknown indentifiers
Unknown identifiers must be treated as unauthorised. Otherwise a
CSR with only authorised DNS names but e.g. *also* an RFC822 name,
would be passed through to the CA and (under a standard profile
configuration) issued with the unrecognised name.
This is an unacceptable security flaw and also violates RFC 8555
§7.4.
- - - - -
cadf100b by Fraser Tweedale at 2020-04-30T14:48:07+10:00
acme: ensure all identifiers from order appear in CSR
RFC 8555 §7.4 states:
The CSR MUST indicate the exact same
set of requested identifiers as the initial newOrder request.
We were already checking that unauthorised DNS names were not
present in the CSR. But we did not check that /all/ the names from
the order were present in the CSR. Add this check.
- - - - -
aa186769 by Fraser Tweedale at 2020-04-30T14:50:05+10:00
acme: add config to disable entire service
Read the (optional) `engine.conf' to enable or disable the entire
ACME engine. If the file is missing or if its 'enabled=' knob is
not present, the default is to enable the service (preserving
existing behaviour).
The status is enforced by the ACMERequestFilter which will result in
status 503 Service Unavailable if the engine is disabled.
- - - - -
d5374dfa by Fraser Tweedale at 2020-04-30T14:50:05+10:00
acme: add dynamic enable/disable of ACME service
Update ACME configuration system to support dynamically
enabling/disabling the ACME service.
This patch implements two providers: one that just supplies default
configuration (ACME service is uncondtionally enabled) and another
that reads the configuration from a file, and also watches that file
and reloads the configuration when the file is modified.
The engine configuration source and its parameters are defined in
'configsources.conf'. When using ACMEEngineConfigFileSource the
file to read is configurable; 'engine.conf' is suggested.
Other parts of the ACME service configuration may eventually be made
configurable, e.g. validator configuration, backend configuration,
etc. When we implement those features, 'configsources.conf' should
be used to configure those config sources too.
The FreeIPA implementation of ACME sercice will require LDAP-based
dynamic reconfiguration (i.e. so the ACME service can be
enabled/disabled deployment-wide with a single modification in
replicated LDAP database). This patch does not implement an LDAP
configuration provider (that will come in a later patch). But it is
a proof of the interfaces and may be useful for other ACME
deployments. Some other parts of the configuration, e.g. which
challenges are enabled, may also require a similar capability so
this patch also serves as a reference implementation of the concept.
- - - - -
da9d0260 by Fraser Tweedale at 2020-04-30T14:50:05+10:00
acme: add example configsources.conf and engine.conf
- - - - -
d9cf715f by Fraser Tweedale at 2020-04-30T14:50:05+10:00
acme: ACMEEngineConfigFileSource: cache values
Cache config values to avoid spurious updates. Use of the caches
ensures we only send a value if it actually changed, instead of
every time the file gets re-read.
- - - - -
befad485 by Endi S. Dewata at 2020-04-30T09:41:21-05:00
Added pki ca-cert-signing-export --pkcs7 option
The pki ca-cert-signing-export has been modified to provide
an option to export the CA signing certificate chain.
- - - - -
8c9fa74a by Endi S. Dewata at 2020-04-30T09:41:21-05:00
Added pki ca-cert-transport-export --pkcs7 option
The pki ca-cert-transport-export has been modified to provide
an option to export the transport certificate chain for the KRA
connector.
- - - - -
b7028e52 by Endi S. Dewata at 2020-04-30T09:41:21-05:00
Added pki kra-cert-transport-export --pkcs7 option
The pki kra-cert-transport-export has been modified to provide
an option to export the KRA transport certificate chain.
- - - - -
45cd1ad1 by Endi S. Dewata at 2020-04-30T11:37:26-05:00
Refactored NSSDatabase.import_pkcs7() (part 1)
The NSSDatabase.import_pkcs7() has been modified to no longer
return the nickname of the imported certificate chain.
- - - - -
fb7270d3 by Endi S. Dewata at 2020-04-30T11:37:49-05:00
Refactored NSSDatabase.import_pkcs7() (part 2)
The NSSDatabase.import_pkcs7() has been modified to no longer
return the imported certificate chain.
- - - - -
7fa4f3fd by Endi S. Dewata at 2020-04-30T11:37:56-05:00
Refactored NSSDatabase.import_pkcs7() (part 3)
The NSSDatabase.import_pkcs7() has been modified to support
importing certificate chain without a nickname.
- - - - -
2141e8ee by Endi S. Dewata at 2020-04-30T11:37:56-05:00
Removed Configurator.importCertChain()
The code in Configurator.importCertChain() has been moved
into configureCACertChain() and setupClone().
- - - - -
e688337b by Endi S. Dewata at 2020-04-30T11:37:56-05:00
Added get_cert_chain() in configuration.py
The get_cert_chain() has been added into configuration.py
to retrieve the signing certificate chain from the CA.
- - - - -
ca4384ac by Dinesh Prasanth M K at 2020-04-30T19:29:46-04:00
Refactor Certificate Transparency request - JSON parameter (#398)
This patch:
- Generates JSON for certificate Transparency using jackson
- Create wrapper class for CTRequest
- Sorts the certificate chain, from subCA to rootCA, before
embedding on the JSON request
Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>
- - - - -
6ac70e58 by Endi S. Dewata at 2020-05-01T18:33:50-05:00
Updated CryptoUtil.importPKCS7() (part 1)
The CryptoUtil.importPKCS7() has been modified to trust
the root CA certificate.
- - - - -
4aa1d8bc by Endi S. Dewata at 2020-05-01T18:33:53-05:00
Updated CryptoUtil.importPKCS7() (part 2)
The CryptoUtil.importPKCS7() has been modified to support
setting the nickname of the leaf certificate.
- - - - -
81a67b72 by Endi S. Dewata at 2020-05-01T18:33:58-05:00
Updated CryptoUtil.importPKCS7() (part 3)
The CryptoUtil.importPKCS7() has been modified to support
setting the trust flags of the leaf certificate.
- - - - -
091afb4e by Endi S. Dewata at 2020-05-01T19:07:52-05:00
Updated pki pkcs7-import (part 1)
The pki pkcs7-import has been modified to accept an optional
nickname for the leaf certificate.
- - - - -
e8122e46 by Endi S. Dewata at 2020-05-01T19:07:56-05:00
Updated pki pkcs7-import (part 2)
The --input-file option in pki pkcs7-import has changed to
become optional. If it's not specified the command will read
the PKCS #7 from standard input.
- - - - -
c6918ecd by Endi S. Dewata at 2020-05-01T19:21:47-05:00
Updated pki pkcs7-import (part 3)
The --trust-flags in pki pkcs7-import has been modified to
set the trust flags for the leaf certificate.
- - - - -
f08372bd by Endi S. Dewata at 2020-05-01T20:06:38-05:00
Cleaned up ClientCertImportCLI.importPKCS7()
The ClientCertImportCLI.importPKCS7() has been modified to reuse
CryptoUtil.importPKCS7().
- - - - -
88cb3279 by Endi S. Dewata at 2020-05-01T20:09:38-05:00
Deprecated pki client-cert-import --pkcs7
The pki client-cert-import --pkcs7 has been replaced with
pki pkcs7-import.
- - - - -
87abed71 by Viktor Ashirov at 2020-05-04T10:17:03-05:00
Update ACIs with the correct syntax
The value of the first character in target* keywords
is expected to be a double quote.
Fixes: https://pagure.io/dogtagpki/issue/3173
Signed-off-by: Viktor Ashirov <vashirov at redhat.com>
- - - - -
26ffde4f by Endi S. Dewata at 2020-05-04T13:36:34-05:00
Updated PKIClient
The PKIClient has been updated to provide a new constructor,
get(), post(), and getInfo() methods.
- - - - -
cc7eff9b by Endi S. Dewata at 2020-05-04T14:10:27-05:00
Updated MainCLI
The MainCLI has been modified to call PKIClient.getInfo()
to get the server information.
- - - - -
390c9aea by Endi S. Dewata at 2020-05-04T14:10:31-05:00
Updated InfoCLI
The InfoCLI has been modified to call PKIClient.getInfo()
to get the server information.
- - - - -
e7a8125c by Endi S. Dewata at 2020-05-04T14:10:38-05:00
Replaced Configurator.get()
The Configurator.get() has been replaced with PKIClient.get().
- - - - -
a1e301f4 by Endi S. Dewata at 2020-05-04T14:10:38-05:00
Replaced Configurator.post()
The Configurator.post() has been replaced with PKIClient.post().
- - - - -
8fd74e49 by Endi S. Dewata at 2020-05-04T22:12:02-05:00
Refactored Configurator.getCertChain()
The Configurator.getCertChain() has been modified to use the
PKIClient provided by the caller.
- - - - -
5d9d09b6 by Endi S. Dewata at 2020-05-04T22:12:28-05:00
Moved Configurator.getCertChain()
The Configurator.getCertChain() has been moved into CAClient.
- - - - -
4b3d8d5b by Endi S. Dewata at 2020-05-04T22:12:29-05:00
Moved SystemCertService.createCertificateData()
The SystemCertService.createCertificateData() has been moved
into CertData.fromCertChain().
- - - - -
af6114b5 by Endi S. Dewata at 2020-05-04T22:12:29-05:00
Updated CASystemCertClient.getSigningCert()
The CASystemCertClient.getSigningCert() has been modified to
fallback to legacy servlet if the REST service is not available.
- - - - -
d8d50efc by Endi S. Dewata at 2020-05-04T22:12:29-05:00
Updated pki client-cert-import --ca-server
The pki client-cert-import --ca-server has been modified to
use CAClient.getCertChain().
- - - - -
10db1f44 by Fraser Tweedale at 2020-05-05T19:05:55+10:00
acme: make acmeAuthorizationWildcard a required attribute
Having acmeAuthorizationWildcard as a required attribute will make
identifier queries for revocation authorisation checking much
simpler. Therefore make it a required attribute and ensure we set
it when creating authorization objects.
Note also:
* The ACME authorization (JSON) objects MUST include the
"wildcard" member ONLY when the value is true, otherwise
the "wildcard" member MUST NOT be included. Therefore
there is no change to the implementation when reading
authorization objects from LDAP.
* The wildcard attribute is, at this time, only used for DNS
identifier authorisations. If we implement other kinds of
identifiers, now that it is a mandatory LDAP attribute it
a value will still have to be assigned for this attribute.
Intuitively, FALSE would seem a reasonable value to use, but we
should decide carefully for each identifier type and document
the reasons.
- - - - -
8259b5e4 by Fraser Tweedale at 2020-05-05T19:05:55+10:00
acme: update LDAPDatabase to handle wildcard revocation
- - - - -
7e2d1d9b by Endi S. Dewata at 2020-05-05T14:07:56-05:00
Fixed PKIClient constructor
- - - - -
93113f53 by Endi S. Dewata at 2020-05-05T14:07:56-05:00
Removed PKIClient.downloadCACertChain()
The PKIClient.downloadCACertChain() is no longer used so it
has been removed.
- - - - -
024cad46 by Endi S. Dewata at 2020-05-05T14:07:56-05:00
Removed SystemCertService
The SystemCertService no longer contains useful code so it
has been removed.
- - - - -
e8af3cf5 by Endi S. Dewata at 2020-05-05T14:07:56-05:00
Cleaned up pki ca-cert-signing-export
- - - - -
635ab59f by Endi S. Dewata at 2020-05-05T14:07:56-05:00
Cleaned up pki ca-cert-transport-export
- - - - -
3d4dac79 by Endi S. Dewata at 2020-05-05T14:07:56-05:00
Cleaned up pki kra-cert-transport-export
- - - - -
c011d6b1 by Dinesh Prasanth M K at 2020-05-05T22:12:58-04:00
Remove the exception on debug log while deferring approval (#402)
This patch removes the java exception stacktrace when a certificate
request submitted gets deferred for manual approval.
Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>
- - - - -
d77dc10a by Endi S. Dewata at 2020-05-05T22:40:49-05:00
Updated NSSDatabase.import_pkcs7()
The NSSDatabase.import_pkcs7() has been updated to support
importing PKCS #7 data already loaded in memory.
- - - - -
4da4af54 by Endi S. Dewata at 2020-05-05T22:40:49-05:00
Refactored preop.ca.pkcs7 creation
The code that stores the signing cert chain from the issuing CA
into preop.ca.pkcs7 has been moved into configuration.py.
- - - - -
2e3a1d9e by Endi S. Dewata at 2020-05-05T22:40:49-05:00
Refactored preop.clone.pkcs7 creation
The code that stores the signing cert chain from the CA master
into preop.clone.pkcs7 has been moved into configuration.py.
- - - - -
303c9216 by Endi S. Dewata at 2020-05-05T22:40:49-05:00
Refactored cert chain import (part 1)
The code that imports the signing cert chain from the issuing CA
has been moved into configuration.py.
- - - - -
97ea599c by Endi S. Dewata at 2020-05-05T22:40:49-05:00
Refactored cert chain import (part 2)
The code that imports the signing cert chain from the CA master
has been moved into configuration.py.
- - - - -
f40c47ea by Endi S. Dewata at 2020-05-05T22:40:49-05:00
Removed Configurator.configureCACertChain()
The Configurator.configureCACertChain() no longer contains
useful code so it has been removed.
- - - - -
6f28e12c by Alexander Scheel at 2020-05-07T13:01:00-04:00
Move from %doc -> %license for LICENSE files
See: https://pagure.io/packaging-committee/issue/411
See: https://docs.fedoraproject.org/en-US/packaging-guidelines/LicensingGuidelines/
Signed-off-by: Alexander Scheel <ascheel at redhat.com>
- - - - -
2b21552f by Alexander Scheel at 2020-05-07T16:55:24-04:00
Enforce ACME wildcard policy
ACME (in RFC 8555 Section 7.1.3) restricts wildcard issuance to only
identifiers beginning with a wildcard and containing no other
wildcards. Introduce a new class for enforcing ACME policy.
Signed-off-by: Alexander Scheel <ascheel at redhat.com>
- - - - -
624d36cc by Alexander Scheel at 2020-05-07T17:24:51-04:00
Update to jQuery v3.5.1
Signed-off-by: Alexander Scheel <ascheel at redhat.com>
- - - - -
2e673ee8 by Alexander Scheel at 2020-05-07T17:24:51-04:00
Mark bundled JS as bundled
See: https://fedoraproject.org/wiki/Bundled_Libraries?rd=Packaging:Bundled_Libraries
Signed-off-by: Alexander Scheel <ascheel at redhat.com>
- - - - -
a8b37675 by Endi S. Dewata at 2020-05-07T22:09:23-05:00
Removed "External CA" literals
The deployment tool has been modified to check whether it's an
external or standalone deployment scenario instead of using the
"External CA" literals.
- - - - -
7ff83563 by Endi S. Dewata at 2020-05-07T22:09:44-05:00
Refactored preop.ca.type configuration
The code that configures preop.ca.type has been moved into
subsystem_layout.py.
- - - - -
a789750c by Endi S. Dewata at 2020-05-07T22:09:44-05:00
Refactored Configurator.configRemoteCert() (part 1)
The Configurator.configRemoteCert() has been modified to use the
parameters provided by the caller instead of reading the preop
parameters directly.
- - - - -
6aff2fbc by Endi S. Dewata at 2020-05-07T22:09:44-05:00
Refactored Configurator.configRemoteCert() (part 2)
The Configurator.configRemoteCert() has been simplified to handle
all cases with the same code.
- - - - -
b424bc8a by Endi S. Dewata at 2020-05-08T15:04:33-05:00
Cleaned up Configurator.configCert()
- - - - -
dc2a742e by Endi S. Dewata at 2020-05-08T16:30:48-05:00
Refactored preop.cert.signing.type configuration
The code that configures preop.cert.signing.type has been
moved into subsystem_layout.py.
- - - - -
df6730af by Endi S. Dewata at 2020-05-08T16:31:50-05:00
Refactored preop.cert.signing.profile configuration
The code that configures preop.cert.signing.profile has been
moved into subsystem_layout.py.
- - - - -
00056dbe by Endi S. Dewata at 2020-05-08T16:31:54-05:00
Refactored preop.cert.sslserver.type configuration
The code that configures preop.cert.sslserver.type has been
moved into subsystem_layout.py.
- - - - -
b03f2280 by Endi S. Dewata at 2020-05-08T16:31:54-05:00
Refactored preop.cert.sslserver.profile configuration
The code that configures preop.cert.sslserver.profile has been
moved into subsystem_layout.py.
- - - - -
db8951ee by Endi S. Dewata at 2020-05-08T16:31:54-05:00
Refactored Configurator.configCert() (part 1)
The Configurator.configCert() has been modified to remove
duplicate code.
- - - - -
12752abc by Endi S. Dewata at 2020-05-08T16:31:54-05:00
Refactored Configurator.configCert() (part 2)
The Configurator.configCert() has been modified to remove
unnecessary changes to preop.ca.type.
- - - - -
bf78951a by Endi S. Dewata at 2020-05-08T16:31:54-05:00
Refactored Configurator.configCert() (part 3)
The Configurator.configCert() has been modified to no longer
use sign_clone_sslserver_cert_using_master.
- - - - -
a51dce68 by Fraser Tweedale at 2020-05-09T09:08:54+10:00
acme: include Location header in finalize response
mod_md fails when the finalize response does not include a Location
header. For details see https://github.com/icing/mod_md/issues/216.
Work around the mod_md bug by including the Location header in the
finalize response. This also brings us into line with the Boulder
(Let's Encrypt) behaviour, although this behaviour is not required
by RFC 8555.
- - - - -
c518571c by Endi S. Dewata at 2020-05-08T20:23:27-05:00
Refactored preop.cert.subsystem.profile configuration
The code that configures preop.cert.subsystem.profile has been
moved into subsystem_layout.py.
- - - - -
3323ea9a by Endi S. Dewata at 2020-05-11T09:09:11-05:00
Refactored preop.cert.subsystem.profile for ECC
The code that configures preop.cert.subsystem.profile for ECC
has been moved into subsystem_layout.py.
- - - - -
c6c4152b by Endi S. Dewata at 2020-05-11T09:09:50-05:00
Refactored preop.cert.sslserver.profile for ECC
The code that configures preop.cert.sslserver.profile for ECC
has been moved into subsystem_layout.py.
- - - - -
505f77fb by Endi S. Dewata at 2020-05-11T09:17:05-05:00
Cleaned up Configurator.updateConfigEntries()
- - - - -
b7dff0f3 by Endi S. Dewata at 2020-05-11T09:19:37-05:00
Cleaned up Configurator.getConfigEntriesFromMaster()
- - - - -
bcd3d1ef by Dinesh Prasanth M K at 2020-05-11T11:36:47-04:00
Clean up CI scripts
This patch:
- Removes travis as we completely rely on GH actions
- Rename CI related scripts dir
- Update OS matrix (since F30 reached EOL)
Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>
- - - - -
711c2f1b by Dinesh Prasanth M K at 2020-05-11T11:36:47-04:00
Remove transfer.sh dependency
We upload all PKI and IPA related logs as GH artifacts and
no longer depend on transfer.sh to upload our logs.
This patch cleans up the code that collects and uploads
the logs to transfer.sh
Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>
- - - - -
70705209 by Dinesh Prasanth M K at 2020-05-11T11:36:47-04:00
Update paths + use dscreate
This patch migrates from the use of legacy DS
installation and uses the latest `dscreate`.
This patch also cleans up the path in the scripts
Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>
- - - - -
be8aba2b by Endi S. Dewata at 2020-05-11T10:46:00-05:00
Removed Configurator.getSystemCertProfileID()
- - - - -
15f2161a by Endi S. Dewata at 2020-05-11T10:46:00-05:00
Removed Configurator.configureSecurityDomain()
- - - - -
0d73d86f by Endi S. Dewata at 2020-05-11T10:46:00-05:00
Removed SystemConfigService.configure()
- - - - -
333add54 by Endi S. Dewata at 2020-05-11T10:46:00-05:00
Removed ConfigClient.create_config_request()
- - - - -
af4ba498 by Endi S. Dewata at 2020-05-11T10:46:00-05:00
Removed ConfigClient.set_issuing_ca_parameters()
- - - - -
ba2c6ffa by Endi S. Dewata at 2020-05-11T10:46:00-05:00
Removed ConfigurationRequest.isClone
- - - - -
e10c5f28 by Endi S. Dewata at 2020-05-11T10:46:00-05:00
Removed ConfigurationRequest.issuingCA
- - - - -
1d8cb100 by Endi S. Dewata at 2020-05-11T10:46:00-05:00
Removed ConfigurationRequest.systemCertsImported
- - - - -
2d7657d3 by Endi S. Dewata at 2020-05-11T10:46:00-05:00
Removed ConfigurationRequest.securityDomainType
- - - - -
b75d7252 by Endi S. Dewata at 2020-05-11T10:46:00-05:00
Removed ConfigurationRequest.pin
- - - - -
6d8a8185 by Endi S. Dewata at 2020-05-11T10:46:00-05:00
Removed ConfigurationRequest constants
- - - - -
3242ab37 by Endi S. Dewata at 2020-05-11T10:46:00-05:00
Removed ConfigurationRequest
- - - - -
d9c2437c by Endi S. Dewata at 2020-05-11T12:03:15-05:00
Added Range class
The Range class has been added to encapsulate request ID, serial
number, and replica ID ranges.
- - - - -
9a9eab2e by Endi S. Dewata at 2020-05-11T12:03:51-05:00
Refactored Configurator.updateNumberRange() (part 1)
The Configurator.updateNumberRange() has been modified to
take a PKIClient object and session ID, then construct the
content Map.
- - - - -
2c0466b1 by Endi S. Dewata at 2020-05-11T17:43:49-05:00
Refactored Configurator.updateNumberRange() (part 2)
The Configurator.updateNumberRange() has been converted
into requestRange() which returns a Range object.
- - - - -
62ebae9b by Endi S. Dewata at 2020-05-11T17:44:04-05:00
Moved Configurator.requestRange()
The Configurator.requestRange() has been moved into
SubsystemClient.
- - - - -
eeeb347a by Endi S. Dewata at 2020-05-11T17:44:04-05:00
Refactored Configurator.setupNumberRanges()
The Configurator.setupNumberRanges() has been converted into
updateRanges() which takes a PKIClient object.
- - - - -
dd14200b by Endi S. Dewata at 2020-05-11T17:48:18-05:00
Added CertificateSetupRequest.masterURL
The CertificateSetupRequest.masterURL has been added to
replace master.hostname and master.httpsport properties.
- - - - -
5598ef52 by Endi S. Dewata at 2020-05-11T17:49:26-05:00
Removed unused master.httpsadminport property
- - - - -
31611e29 by Endi S. Dewata at 2020-05-11T21:21:19-05:00
Added pki ca/kra-range-request
The pki ca/kra-range-request has been added to request a
request ID, serial number, or replica ID range from master.
- - - - -
ca95d661 by Endi S. Dewata at 2020-05-11T21:21:24-05:00
Refactored Configurator.updateRanges()
The Configurator.updateRanges() has been converted into
PKISubsystem.update_ranges().
- - - - -
5b524944 by Endi S. Dewata at 2020-05-11T21:21:24-05:00
Added pki-server ca/kra-range-show
The pki-server ca/kra-range-show has been added to display
the number range configuration.
- - - - -
99961000 by Endi S. Dewata at 2020-05-11T21:21:24-05:00
Added pki-server ca/kra-range-update
The pki-server ca/kra-range-update has been added to update
the request ID, serial number, and replica ID ranges.
- - - - -
1a488909 by Endi S. Dewata at 2020-05-12T22:15:44-05:00
Updated loggers in Python code
- - - - -
270ad809 by Endi S. Dewata at 2020-05-13T11:18:04-05:00
Updated PKIUpgrader.makedirs()
The PKIUpgrader.makedirs() has been updated to support
exist_ok parameter.
- - - - -
6fd1553a by Endi S. Dewata at 2020-05-13T11:34:59-05:00
Updated file/folder creation in PKIServerUpgrader
The PKIServerUpgrader has been modified to use instance
methods to create files/folders with proper permissions.
- - - - -
0cdc3c59 by Endi S. Dewata at 2020-05-13T11:35:22-05:00
Added PKIUpgrader.touch()
The PKIUpgrader.touch() has been added to create files
with the proper permissions.
- - - - -
89608275 by Alexander Scheel at 2020-05-14T09:41:44-04:00
Build PKI in %build, not %install
We build PKI in the %install section of the RPM Spec file currently; we
should move the build to the %build section so tooling works correctly.
Resolves: rh-bz#1792252
Signed-off-by: Alexander Scheel <ascheel at redhat.com>
- - - - -
49c14dda by Alexander Scheel at 2020-05-14T09:41:44-04:00
Fix recompile issue
Signed-off-by: Alexander Scheel <ascheel at redhat.com>
- - - - -
5129d424 by Endi S. Dewata at 2020-05-14T11:42:24-05:00
Updated PKI server upgrade process
Previously when the pki-server RPM package is updated
it will upgrade all PKI server instances on the system.
However, the PKI subsystem packages (e.g. pki-ca) has
a dependency on pki-server, so it is not possible to
create an upgrade scriptlet in pki-server package that
installs new files from PKI subsystem packages.
To address the problem, the pki.spec has been modified
to no longer call pki-server upgrade command. Instead,
the systemd unit file has been modified to call the
command to upgrade just the instance being started. At
that point all RPM packages are already installed so
new files from those packages can now be installed.
Since the upgrade process now runs during startup as
pkiuser, the upgrade backup directory has been moved
into /var/log/pki/<instance>/backup.
- - - - -
fe5b3a34 by Endi S. Dewata at 2020-05-14T11:42:24-05:00
Added upgrade script for ACME server cert profile
The ACME server cert profile (acmeServerCert.cfg) has
been moved into /usr/share/pki/ca/profiles/ca such that
it will be included in new CA installations.
An upgrade script has been added to deploy the profile
into existing instances and update the CS.cfg when the
server is restarted.
- - - - -
95a17fcb by Dinesh Prasanth M K at 2020-05-14T13:19:43-04:00
Bump min cmake version
With PR#339, we need at least cmake 3.0.2
to compile PKI project. This patch bumps the
min requirement
Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>
- - - - -
b40ac8f6 by Dinesh Prasanth M K at 2020-05-14T13:35:03-04:00
Move CT related classes into new package
Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>
- - - - -
f39e4a1d by Dinesh Prasanth M K at 2020-05-14T13:35:03-04:00
Load config values from CS.cfg
This patch:
- Loads CT log server configurations from CS.cfg
- Can submit precertificates to multiple log servers
- Creates CT relevant java packages
TODO:
Refactor code to:
- Embed multiple SCT responses onto certificate
- accommodate REST structure
- Move CT related code into it's related java package
Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>
- - - - -
310f3d3b by Endi S. Dewata at 2020-05-14T14:06:38-05:00
Fixed getopt in upgrade tools
The pki-upgrade and pki-server upgrade commands have
been modified to use getopt.gnu_getopt for consistency
with other commands.
- - - - -
5923897f by Endi S. Dewata at 2020-05-14T14:06:38-05:00
Removed stderr piping
The stderr piping in some places has been removed to allow
error messages to appear on the console.
- - - - -
fb7a8ef9 by Endi S. Dewata at 2020-05-14T14:06:38-05:00
Refactored PKISubsystem.update_ranges()
The PKISubsystem.update_ranges() has been updated to take
an install token object instead of a session ID.
- - - - -
c9966f3d by Endi S. Dewata at 2020-05-14T14:06:38-05:00
Refactored TPS config classes
The TPS config classes in com.netscape.certsrv.tps.config
have been moved into org.dogtagpki.common so they can be
used by other subsystems.
- - - - -
6d8391be by Endi S. Dewata at 2020-05-14T14:06:38-05:00
Cleaned up ConfigCLI.getConfigClient()
The ConfigCLI.getConfigClient() has been modified to create
the ConfigClient object only when needed.
- - - - -
1ee06c61 by Endi S. Dewata at 2020-05-14T14:12:13-05:00
Added JSON converter for ConfigData
- - - - -
8c3b0656 by Endi S. Dewata at 2020-05-14T14:22:51-05:00
Refactored Configurator.updateConfigEntries()
The Configurator.updateConfigEntries() has been converted
into getConfig() which returns a ConfigData object.
- - - - -
9b4ea632 by Endi S. Dewata at 2020-05-14T15:08:21-05:00
Refactored Configurator.getConfig()
The Configurator.getConfig() has been moved into ConfigClient.
- - - - -
73e57542 by Endi S. Dewata at 2020-05-14T15:08:29-05:00
Refactored ConfigCLI (part 1)
The TPS-specific code in ConfigCLI has been moved into
TPSConfigCLI.
- - - - -
14edcf75 by Endi S. Dewata at 2020-05-14T15:08:29-05:00
Refactored ConfigCLI (part 2)
The ConfigCLI has been moved from com.netscape.cmstools.tps.config
into com.netscape.cmstools.config.
- - - - -
fea377ac by Endi S. Dewata at 2020-05-14T15:53:44-05:00
Added pki <subsystem>-config-export
The pki <subsystem>-config-export has been added to export
the configuration properties required for cloning.
- - - - -
156f49ae by Endi S. Dewata at 2020-05-14T17:08:14-05:00
Refactored Configurator.getConfigEntries() (part 1)
The code in Configurator.getConfigEntries() that retrieves
and updates the configuration properties has been moved into
PKISubsystem.retrieve_config() and update_config().
- - - - -
b17e3adc by Endi S. Dewata at 2020-05-14T17:08:14-05:00
Refactored Configurator.getConfigEntries() (part 2)
The remaining code in Configurator.getConfigEntries() that
validates the master and replica internal databases has been
moved into PKISubsystem.update_config().
- - - - -
0b1267dd by Christina Fu at 2020-05-15T14:39:23-07:00
Bug 1629025 Server-Side Kyegen Enrollment
This patch contains the code that provides the Server-Side Keygen Enrollment feature for both RSA and EC keys.
KRA must be installed along with CA.
This patch contains mainly the following pieces:
input:
The new input plugin ServerKeygenInput.java, which works with the
midified ProfileSelect.template to
- accept the p12 passwd that will be used to compose the p12 once the keys are generated on KRA and cert issued by the CA.
- accept the keyType: RSA/ECC
- accept the keySize: RSA key sizes or ECC curves
Profile default plugin:
- The new default plugin: ServerKeygenUserKeyDefault.java, which inserts temporary fake keys so code won't blow up down the road; Such fake key will be replaced later when KRA generates the new keys
Profiles
Both of the new profiles below allows one to enable/disable key archival.
- The new caServerKeygen_UserCert.cfg profile which utilizes the new input and output; This profile requires manual approval from a CA agent
- The new caServerKeygen_DirUserCert.cfg profile which utilizes the new input and output; This profile requires directory-auth setup in CS.cfg; It allows for automatic approval without specific agent approval.
output:
Working in conjunction with the modified profile servlets, the new output plugin PKCS12Output.java, which contains the p12 to be sent back to the browser when the request has been approved.
Note: the new audit events implemented are
- SERVER_SIDE_KEYGEN_ENROLL_KEYGEN_REQUEST
- SERVER_SIDE_KEYGEN_ENROLL_KEYGEN_REQUEST_PROCESSED
- SERVER_SIDE_KEYGEN_ENROLL_KEY_RETRIEVAL_REQUEST
- SERVER_SIDE_KEYGEN_ENROLL_KEY_RETRIEVAL_REQUEST_PROCESSED
where SERVER_SIDE_KEYGEN_ENROLL_KEY_RETRIEVAL_REQUEST_PROCESSED is not yet added
https://bugzilla.redhat.com/show_bug.cgi?id=1629025
- - - - -
b98a2323 by Endi S. Dewata at 2020-05-18T13:32:38-05:00
Fixed PKIServer.get_subsystems() to return a list
- - - - -
93fa1514 by Endi S. Dewata at 2020-05-18T13:32:45-05:00
Refactored DBSchemaUpgradeCLI.update_schema()
The code that imports an LDIF file into LDAP database in
DBSchemaUpgradeCLI.update_schema() has been moved into
PKIServer.import_ldif().
- - - - -
26e9cd2a by dpuniaredhat at 2020-05-19T11:33:31+05:30
Update performance test (#400)
Updated certificate revocation after every 100 certificate enrollemnt
Added Throughput calculation for reporting purpose
Signed-off-by: Deepak Punia <dpunia at redhat.com>
- - - - -
acc2a256 by Endi S. Dewata at 2020-05-19T21:15:26-05:00
Fixed 01-AddSANToCNDefault.py
The 01-AddSANToCNDefault.py upgrade script for PKI 10.9.0 has
been modified to add defaultPolicy.sanToCNDefaultImpl.class.
- - - - -
9bfa832e by Dinesh Prasanth M K at 2020-05-20T14:55:16-04:00
Add symlink to apache-commons-net jar
Dependency to apache-commons-net was introduced in the commit:
https://github.com/dogtagpki/pki/commit/fca6d89dcd2b9e6592879c85a2f2278ed1a28e2f
The symlink to JARs need to be created for new instance installations as well as
existing instances.
This patch adds symlink to the new dependency.
TODO: The upgrade script to add symlinks to existing instances. This effort
should be coupled when CT moves out of prototype phase.
Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>
- - - - -
50867042 by Dinesh Prasanth M K at 2020-05-20T14:55:16-04:00
Fix getting publicKey of LogServer
In PR #406 a new LogServer object was introduced to store Log Server
information. However, the public key of Log Server was never used.
This patch removes the usage of hardcoded Public Key and uses the
one defined in CS.cfg
Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>
- - - - -
5bcaeb78 by Endi S. Dewata at 2020-05-21T11:53:46-05:00
Refactored HTTPConnectorCLI.set_param()
The code that modifies XML element attributes in
HTTPConnectorCLI.set_param() has been moved into
pki.util.set_property().
- - - - -
f4c13565 by Endi S. Dewata at 2020-05-21T11:53:46-05:00
Cleaned up pki.util.read_text()
The pki.util.read_text() has been modified to simplify
the code.
- - - - -
a0aa0647 by Endi S. Dewata at 2020-05-21T11:53:46-05:00
Updated pki.util.read_text() (part 1)
The pki.util.read_text() has been modified to accept
an empty input if a default value is specified. The
allow_empty option is no longer used so it has been
removed.
- - - - -
e54c5d09 by Endi S. Dewata at 2020-05-21T11:53:46-05:00
Updated pki.util.read_text() (part 2)
The pki.util.read_text() has been modified to provide
an option to read a password without showing the value.
- - - - -
94768a86 by Endi S. Dewata at 2020-05-21T11:53:46-05:00
Updated pki.util.read_text() (part 3)
The pki.util.read_text() has been modified to return the
default value if it accepts an empty value, and return an
empty string if it accepts a blank.
- - - - -
dc38f8ec by Alexander Scheel at 2020-05-21T13:57:28-04:00
Bump JSS and TomcatJSS dependencies
Signed-off-by: Alexander Scheel <ascheel at redhat.com>
- - - - -
6ec0b77e by Alexander Scheel at 2020-05-21T13:57:28-04:00
Re-enable COPR repo in build jobs
Signed-off-by: Alexander Scheel <ascheel at redhat.com>
- - - - -
4d83dbad by Endi S. Dewata at 2020-05-21T15:06:48-05:00
Updated pki.util.read_text() (part 4)
The pki.util.read_text() has been modified to provide
an option to require a non-empty input.
- - - - -
c51fd2bc by Dinesh Prasanth M K at 2020-05-21T20:16:39-04:00
Minor bug fix to SystemCertClient and subsystem
Add param `subsystem` to SystemCertClient as specifying
subsystem in connection has been deprecated in 10.8
Fix the import error
Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>
- - - - -
6d902657 by Dinesh Prasanth M K at 2020-05-21T20:56:16-04:00
Avoid printing INFO level log messages while running healthcheck tool
Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>
- - - - -
183a8ea6 by Endi S. Dewata at 2020-05-21T20:26:11-05:00
Removed redundant default values for dict.get()
- - - - -
3c0c2f16 by Endi S. Dewata at 2020-05-22T10:17:23-05:00
Refactored ConfigClient.create_clone_setup_request()
The code that initializes the clone replication port in
ConfigClient.create_clone_setup_request() has been moved
into Configurator.setupReplication().
- - - - -
d65435ef by Endi S. Dewata at 2020-05-22T10:18:32-05:00
Added LdapBoundConnection.connectionFactory
The LdapBoundConnection.connectionFactory has been added to
keep track of the connection's factory. The BoundConnection
class is no longer used to it has been removed.
- - - - -
4db4de4f by Endi S. Dewata at 2020-05-22T10:27:26-05:00
Refactored LDAPConfigurator constructors
The LDAPConfigurator constructors have been modified to require
an LDAPConfig object.
- - - - -
17a81c24 by Endi S. Dewata at 2020-05-22T10:27:32-05:00
Refactored LDAPConfigurator.customizeFile()
The LDAPConfigurator.customizeFile() has been modified to
construct the parameter map when needed.
- - - - -
6af63e89 by Endi S. Dewata at 2020-05-22T10:28:02-05:00
Refactored LDAPConfigurator.enableReplication()
The LDAPConfigurator.enableReplication() has been converted
into createReplicaObject() that generates the replica DN from
base DN and returns true if the replica object was created
successfully.
- - - - -
99c9b799 by Endi S. Dewata at 2020-05-22T10:28:02-05:00
Refactored LDAPConfigurator.createReplicationAgreement()
The LDAPConfigurator.createReplicationAgreement() has been
modified to generate the replica DN from base DN.
- - - - -
6d28d4f9 by Endi S. Dewata at 2020-05-22T10:28:02-05:00
Refactored LDAPConfigurator.initializeConsumer()
The LDAPConfigurator.initializeConsumer() has been modified to
generate the replica DN from base DN.
- - - - -
a889b951 by Endi S. Dewata at 2020-05-22T10:28:02-05:00
Refactored LDAPConfigurator.createChangeLog()
The LDAPConfigurator.createChangeLog() has been modified to
use a fixed changelog directory.
- - - - -
c463c710 by Endi S. Dewata at 2020-05-22T10:28:02-05:00
Refactored Configurator.setupReplicationAgreements()
The code that uses the configuration parameters in
Configurator.setupReplicationAgreements() has been moved
outside the method.
- - - - -
d37658f7 by Endi S. Dewata at 2020-05-22T10:28:02-05:00
Added LDAPConfigurator.setupReplicationAgreement()
The code that creates the replication agreements for master
and replica in Configurator.setupReplicationAgreements() has
been merged into LDAPConfigurator.setupReplicationAgreement().
- - - - -
b6ff324b by Endi S. Dewata at 2020-05-22T12:39:42-05:00
Added pki-server acme-metadata commands
The pki-server acme-metadata commands have been added to
manage ACME metadata configuration.
- - - - -
7cc72178 by Endi S. Dewata at 2020-05-22T13:20:35-05:00
Added pki-server acme-database commands
The pki-server acme-database commands have been added to
manage ACME database configuration.
- - - - -
bd085c8b by Endi S. Dewata at 2020-05-22T13:55:03-05:00
Added pki-server acme-issuer commands
The pki-server acme-issuer commands have been added to
manage ACME issuer configuration.
- - - - -
3454878a by Dinesh Prasanth M K at 2020-05-22T22:17:43-04:00
Add a new healthcheck to test CA connectivity to PKI server
This patch adds a new healthcheck to test whether the CA is accessible
by trying to list 1 cert (ie) similar to running `pki ca-cert-find --size 1`
Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>
- - - - -
617a3c1d by Dinesh Prasanth M K at 2020-05-22T22:17:43-04:00
Add a new healthcheck to test KRA connectivity to PKI server
This patch adds a new healthcheck to test whether the KRA is accessible
by trying to show KRA's transport cert (ie) similar to running
`pki kra-cert-transport-show`
Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>
- - - - -
ad266ddd by Endi S. Dewata at 2020-05-26T15:54:37+10:00
Reorganized ACME schema
The /usr/share/pki/server/conf/schema.ldif has been
modified such that it only contains only the original
PKI schema. The ACME schema has been moved into
/usr/share/pki/acme/conf/database/ldap/schema.ldif.
The LDAPConfigurator.setupSchema() has been modified
to import both PKI schema and ACME schema during the
initial installation.
The pki-server db-schema-upgrade has been modified to
import both PKI schema and ACME schema during manual
database upgrade.
- - - - -
9a5f4b69 by Endi S. Dewata at 2020-05-26T15:54:37+10:00
Added ACME LDAP database config
A sample create.ldif and database.conf has been added
to initialize and configure an LDAP database for ACME.
The LDAPDatabase class has been modified to obtain the
configuration parameters and password from database.conf
in standalone ACME deployment scenario (without CA).
- - - - -
a5570323 by Endi S. Dewata at 2020-05-26T15:54:37+10:00
Reorganized ACME docs
The ACME installation doc and user guide have been moved
into "acme" subfolders.
- - - - -
8687c4a9 by Endi S. Dewata at 2020-05-26T15:54:37+10:00
Added ACME database configuration doc
A new doc has been added to describe ACME database
configuration using in-memory database and LDAP
database.
- - - - -
da18f355 by Endi S. Dewata at 2020-05-26T17:37:36-05:00
Cleaned up pki.spec
- - - - -
b970a72d by Fraser Tweedale at 2020-05-26T21:28:41-05:00
acme: remove redundant schema file
ACME LDAP schema has been extracted as a modify LDIF. I tested the
FreeIPA schema update machinery and it works fine with a modify
LDIF. So the other schema LDIF, which is not an update object but a
plain entry, can be removed.
We could do likewise for LWCA and profile schema, but that is for
another day.
- - - - -
a589107d by Fraser Tweedale at 2020-05-28T08:15:17+10:00
acme: log in CAClient when submitting certificate request
It is possible to use a lower-privileged RA account to issue
certificates, if the target profile is set up to allow it.
Therefore log in the user before submitting the certificate request.
- - - - -
bd237455 by Fraser Tweedale at 2020-05-28T08:15:17+10:00
acme: PKIIssuer: handle immediate issuance
Depending on profile configuration and user privileges, the cert
could be immediately issued. Furthermore the user may not have
agent permissions to review/approve a request, but a profile
configuration could allow immediate issuance for particular
users/groups.
Therefore we must detect when the certificate was immediately issued
and if so, skip the review/approve behaviour.
- - - - -
26c607eb by Dinesh Prasanth M K at 2020-05-28T20:01:41-04:00
Add OCSP connectivity healthcheck
This patch adds a new OCSP connectivity check. This check
tries to hit the API enpoint: /ocsp/admin/ocsp/getStatus
However, note that this only checks for whether the OCSP subsystem
is running and doesn't actually try to fetch any data from LDAP.
Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>
- - - - -
675c2ded by Dinesh Prasanth M K at 2020-05-28T20:01:41-04:00
Add new healthcheck for TKS connectivity
This patch checks if the TKS is up and running by trying to
hit the REST api enpoint: /tks/admin/tks/getStatus
Note that healthcheck does not perform any operation that
involves LDAP. It just checks if the subsystem is up and running
Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>
- - - - -
26a0be84 by Dinesh Prasanth M K at 2020-05-28T20:01:41-04:00
Add new healthcheck to test TPS connectivity
This patch adds a new healthcheck to test the connectivity
of TPS subsystem by trying to hit the endpoint: /tps/admin/tps/getStatus
Note that this healthcheck does not perform any operations involving
LDAP. It just checks if the TPS subsystem itself is up and running
Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>
- - - - -
ae8f5129 by Fraser Tweedale at 2020-05-29T14:00:18+10:00
acme: ACMEEngineConfigFileSource: restart file watching on error
Vi(m) file write on the watched file caused an exception due to bad
permissions. I'm not sure if this is due to behaviour of vi(m), or
something more fundamental. Whatever the reason, it was an ordinary
administrator action so we must gracefully handle the situation.
A naïve approach is simply to delay a moment before reading the
file. A 1000ms sleep seems to do the trick. For robustness, we
also restart file watching if an exception occurs, with exponential
backoff, and attempting to read the file again each time before
reconfiguring the watch service.
- - - - -
95435709 by Christina Fu at 2020-05-29T16:10:49-07:00
Bug 1805541 [RFE] CA Certificate Transparency with Embedded Signed Certificate Time stamp
This patch adds additionl work to the prototype code checked in:
commit fca6d89dcd2b9e6592879c85a2f2278ed1a28e2f
It
- added support for multiple CT log for createSCTextension
- got one of the two verification methods working in verifySCT
https://bugzilla.redhat.com/show_bug.cgi?id=1805541
- - - - -
0b6ccf3c by jmagne at 2020-05-29T16:29:51-07:00
Address Bug 1710109 - add RSA PSS support. (#416)
Upstream portion of pki part of RSA-PSS signing algorithm support. (#356)
This fix conincides with another ticket providing RSA PSS signature support for JSS,
which is required for this to work.
This is designed for simple usage. If one wants to say create a CA or KRA with RSA PSS signature
support, simply place the following line in the pkispawn script file:
pki_use_pss_rsa_signing_algorithm=True
This will instruct the process to take whatever signing algorithm of the form (
SHAxxxwithRSA signing algorithms are specified and promote them to the corresponding
PSS algorithm such as: SHS256withRSA/PSS.
If one ONLY puts that value in the script file, all the algs, which have a default of
SHA256withRSA will be promoted to SHA256withRSA/PSS.
This fix also provides support , if desired, for SHA384, and SHA512 versions of PSS.
In order to get this to work, the pkispawn config will have to explcitly enumerate
each applicable signing algorithm as such ex: pki_ca_signing_signing_algorithm=SHA384withRSA.
Also the explicit alg of say SHA384withRSA/PSS can be used for each setting.
Tested with a basic CA and KRA. Also tested with a non PSS CA and a no PSS ca with ECC so far.
The goal is to not interfere with any existing functionality if PSS support is not desired.
Added fix to the CMCRespone tool.
The tool currently does not initialize the CryptoManager.
Doing so is necessary to register the JSS Provider which provides the
encoding / parsing support for the RSAPSS algorithm parameters.
Co-authored-by: Jack Magne <jmagne at test.host.com>
Co-authored-by: Jack Magne <jmagne at localhost.localdomain>
Co-authored-by: Jack Magne <jmagne at test.host.com>
- - - - -
333b9c4f by Dinesh Prasanth M K at 2020-06-01T13:04:48-04:00
Move pylint from buildtime to a separate CI job
This patch moves python code linting from RPM build
to a separate CI job.
Note that this new job runs on INSTALLED python files due to
lack of setuptools [1].
[1] https://pagure.io/dogtagpki/issue/3175
Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>
- - - - -
e84ffda9 by Dinesh Prasanth M K at 2020-06-01T13:04:48-04:00
Package lint script into pki-tests package
This patch adds the pki-lint script to pki-tests package.
This patch also improves the pki-lint script to accept
custom config files to execute pylint and flake8 linters.
Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>
- - - - -
d900dc21 by Christina Fu at 2020-06-01T18:04:04-07:00
Bug 1805541 added comments and error handling for [RFE] CA Certificate Transparency with Embedded Signed Certificate Time stamp
This patch mostly simply adds some comments and error handlings for CT.
verifySCT signature size is hardcoded to SHA256withEC for now (will be
improved on later)
https://bugzilla.redhat.com/show_bug.cgi?id=1805541
- - - - -
82964212 by Fraser Tweedale at 2020-06-03T15:24:29+10:00
acme: handle file rename in ACMEEngineConfigFileSource
Renames are not handled as ENTRY_MODIFY but rather as a pair of
ENTRY_DELETE and ENTRY_CREATE events. Update the file watching to
process ENTRY_CREATE events so the modify-by-rename scenario is
handled.
- - - - -
34c85d39 by Fraser Tweedale at 2020-06-04T14:47:22+10:00
spec: set Requires among pki RPMs to depend on same release
Currently the Requires depends only on pki-foo = %{version}.
This can result in problems where, e.g. a package that depends on
'pki-ca = 10.9.0-0.1.TIMESTAMP.DIGEST' ends up with Dogtag packages
from mismatched builds (same version, different %{release}).
Update the spec file to ensure that Dogtag RPMs that depend on other
Dogtag RPMs depend on the exact same build.
Note that prior to 4966ebf0759a0d9f5de54e9f731393a14ef4558f, all
intra-spec dependencies were pegged to the %{release}. This was
removed because of problems caused by some packages being built in
different modules. Removing /all/ such pegging was going a bit too
far. So among packages we know will be built in the same module it
is OK to add the %{release} back into the Requires directives.
- - - - -
45d3c46c by Dinesh Prasanth M K at 2020-06-04T13:29:58-04:00
Rename registry names in setup.py to allow additional plugins
Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>
- - - - -
8a386dee by Dinesh Prasanth M K at 2020-06-04T13:29:58-04:00
Add healthcheck to check CA System Cert trust flag
This patch:
- adds a new healthcheck to check the Trust flag
present in CA's nssdb
- Adds a reusable method to get trust flags of system
certs from NSSDB or HSM
Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>
- - - - -
8d108d98 by Dinesh Prasanth M K at 2020-06-04T13:29:58-04:00
Add healthcheck to check KRA's system cert trust flags
This patch adds a new healthcheck to test the System Cert
trust flag of all KRA's system certificates.
Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>
- - - - -
8093b4d2 by Endi S. Dewata at 2020-06-04T13:55:46-05:00
Fixed NPE in PostgreSQLDatabase.close()
- - - - -
794f85ab by Endi S. Dewata at 2020-06-04T13:55:46-05:00
Added ACMEIssuerConfig.getParameterNames(parent)
The ACMEIssuerConfig.getParameterNames(parent) has been
added to return the relative names of the parameters under
the specified parent parameter.
- - - - -
df2548ef by Endi S. Dewata at 2020-06-04T13:55:46-05:00
Reorganized ACME docs
The doc that describes ACME issuer configuration has been
moved into Configuring_ACME_Issuer.md.
- - - - -
5220c401 by Dinesh Prasanth M K at 2020-06-04T16:16:12-04:00
Add new healthcheck for OCSP system cert trust flag
This patch adds a OCSP healthcheck to test whether the trust flag
of its system certs match the expected value
Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>
- - - - -
3e339461 by Dinesh Prasanth M K at 2020-06-04T16:16:12-04:00
Add new healthcheck for TKS system cert trust flags
This patch adds a new healthcheck to check the trust
flag of TKS's System certs with known good value
Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>
- - - - -
6f3c5a7a by Dinesh Prasanth M K at 2020-06-04T16:16:12-04:00
Add new healtcheck to test TPS system cert trust flag
This patch adds a new healthcheck to compare the trust flags
of TPS's systemc certs with known trust flags.
Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>
- - - - -
649a8a38 by Dinesh Prasanth M K at 2020-06-04T16:16:12-04:00
Change log level for unconfigured subsystems
PKI healthcheck reports results to IPA healthcheck automatically.
As a result, RHCS specific tests (like OCSPSystemCertTrustFlagCheck)
report a SUCCESS. This can be quite misleading to the users.
This patch adds INFO data to inform users that the subsystem is
unconfigured, when using --verbose
Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>
- - - - -
84b9b2b5 by Dinesh Prasanth M K at 2020-06-04T17:21:59-04:00
Include trust flag info in pki-server cert-* operation
This patch includes trust flags when running cert-show or cert-find
in its output, to provide more information to the user
Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>
- - - - -
54d32449 by Endi S. Dewata at 2020-06-04T23:11:11-05:00
Removed unused PKI_WEB_SERVER_TYPE
The PKI_WEB_SERVER_TYPE was hardcoded so the variable has
been removed.
- - - - -
d217e77f by Endi S. Dewata at 2020-06-04T23:11:11-05:00
Removed unused TOTAL_UNCONFIGURED_PKI_ENTRIES
The TOTAL_UNCONFIGURED_PKI_ENTRIES is no longer needed since
pkispawn will always complete the instance configuration.
- - - - -
74eb6de2 by Endi S. Dewata at 2020-06-04T23:11:11-05:00
Mandatory instance name for pkidaemon
The pkidaemon has been modified such that the instance name
must be specified.
- - - - -
acd29cb9 by Endi S. Dewata at 2020-06-04T23:11:11-05:00
Removed unused TOTAL_PKI_REGISTRY_ENTRIES
Since the instance name must be specified when calling
pkidaemon, the TOTAL_PKI_REGISTRY_ENTRIES will always be 1
so the variable is no longer needed.
- - - - -
8b2d3c25 by Endi S. Dewata at 2020-06-04T23:11:11-05:00
Removed unused PKI_REGISTRY_ENTRIES
Since the instance name must be specified when calling
pkidaemon, the PKI_REGISTRY_ENTRIES will only contain 1
entry, so it has been replaced with PKI_REGISTRY_ENTRY.
- - - - -
f7c103dc by Endi S. Dewata at 2020-06-04T23:11:11-05:00
Removed unused PKI_TYPE
The PKI_TYPE was hardcoded so the variable has been removed.
- - - - -
2945f571 by Endi S. Dewata at 2020-06-04T23:11:11-05:00
Removed unused Instance.tomcat_instances()
The Instance.tomcat_instances() was not used so it has
been removed.
- - - - -
226cf16e by Endi S. Dewata at 2020-06-05T22:01:52-05:00
Added user/group option for pki-server create
The pki-server create command has been modified to provide
options to specify the user and group for PKI server.
- - - - -
122d2e04 by Endi S. Dewata at 2020-06-05T22:19:09-05:00
Refactored NSSDatabase.directory
The NSSDatabase.directory has been replaced with a path.
- - - - -
0a60992c by Endi S. Dewata at 2020-06-05T22:20:29-05:00
Added NSSDatabase.passwordStore
The NSSDatabase.passwordStore has been added to store
the NSS database passwords.
- - - - -
a829d72a by Endi S. Dewata at 2020-06-05T22:20:29-05:00
Refactored ACMEEngine.validateCSR()
The ACMEEngine.validateCSR() has been modified to take a
PKCS #10 object.
- - - - -
3fb78aa3 by Endi S. Dewata at 2020-06-05T22:20:29-05:00
Refactored ACMEIssuer.issueCertificate()
The ACMEIssuer.issueCertificate() has been modified to
take a PKCS #10 object.
- - - - -
bc6254a3 by Endi S. Dewata at 2020-06-05T22:20:29-05:00
Refactored ACMEIssuer.revokeCert()
The ACMEIssuer.revokeCert() has been renamed to
revokeCertificate().
- - - - -
e9721b9c by Endi S. Dewata at 2020-06-08T17:37:14-05:00
Moved CertUtil.createRemoteCert()
The CertUtil.createRemoteCert() has been moved into CertUtils.
- - - - -
278e4568 by Endi S. Dewata at 2020-06-08T17:37:14-05:00
Moved CertUtil.buildSANSSLserverURLExtension()
The CertUtil.buildSANSSLserverURLExtension() has been moved
into CertUtils.
- - - - -
b890b0ae by Endi S. Dewata at 2020-06-08T17:37:14-05:00
Moved CertUtil.createLocalRequest()
The CertUtil.createLocalRequest() has been moved into
CertUtils.
- - - - -
0b3116a1 by Endi S. Dewata at 2020-06-08T17:37:14-05:00
Moved CertUtil.updateLocalRequest()
The CertUtil.updateLocalRequest() has been moved into
CertUtils.
- - - - -
5fafadce by Endi S. Dewata at 2020-06-08T17:37:14-05:00
Moved CertUtil.getAdminProfileAlgorithm()
The CertUtil.getAdminProfileAlgorithm() has been moved into
CertUtils.
- - - - -
a2506418 by Endi S. Dewata at 2020-06-08T17:37:14-05:00
Moved CertUtil.createCertInfo()
The CertUtil.createCertInfo() has been moved into CertUtils.
- - - - -
1ca6075b by Endi S. Dewata at 2020-06-08T17:37:14-05:00
Moved CertUtil.createCertRecord()
The CertUtil.createCertRecord() has been moved into
CertUtils.
- - - - -
dad09cb5 by Endi S. Dewata at 2020-06-08T17:37:14-05:00
Moved CertUtil.createLocalCert()
The CertUtil.createLocalCert() has been moved into CertUtils.
- - - - -
c311ab56 by Endi S. Dewata at 2020-06-08T18:28:22-05:00
Moved CertUtil
The CertUtil has been moved into pki-util.
- - - - -
d81097f4 by Endi S. Dewata at 2020-06-08T18:29:00-05:00
Refactored CertUtils.normalizeCertReq()
The CertUtils.normalizeCertReq() has been moved and converted
into CertUtil.parseCSR() which returns the CSR binaries.
- - - - -
30f8447b by Endi S. Dewata at 2020-06-09T12:47:47-05:00
Refactored CertUtils.getEncodedCert() (part 1)
The CertUtils.getEncodedCert() has been modified to throw
a generic Exception.
- - - - -
7a6b6822 by Endi S. Dewata at 2020-06-09T14:30:30-05:00
Refactored CertUtils.getEncodedCert() (part 2)
The CertUtils.getEncodedCert() has been moved and renamed
into CertUtil.toPEM().
- - - - -
ce67604c by Endi S. Dewata at 2020-06-09T14:30:41-05:00
Cleaned up NSSKeyCLI
- - - - -
ea3d5ef3 by Fraser Tweedale at 2020-06-10T06:44:18+10:00
CT: handle missing config
If Certificate Transparency config is not defined in CS.cfg, all
certificate issuance fails. This situation can arise in upgrade
scenarios.
Tolerate the absense of the certTransparency.enable CS.cfg
directive, defaulting to false.
- - - - -
b3514113 by jmagne at 2020-06-09T15:06:21-07:00
Address CVE-2020-1721. (#434)
Co-authored-by: Jack Magne <jmagne at localhost.localdomain>
- - - - -
76820004 by Alexander Scheel at 2020-06-09T18:47:15-04:00
Introduce pki_ajp_secret configuration parameter
Signed-off-by: Alexander Scheel <ascheel at redhat.com>
- - - - -
1bd84062 by Alexander Scheel at 2020-06-09T18:47:15-04:00
Add migration logic for 8.5 -> 9.0.31
Signed-off-by: Alexander Scheel <ascheel at redhat.com>
- - - - -
e2ee6e1e by Alexander Scheel at 2020-06-09T18:47:15-04:00
Make pki_ajp_secret a random password by default
Signed-off-by: Alexander Scheel <ascheel at redhat.com>
- - - - -
737fc097 by Alexander Scheel at 2020-06-09T18:47:15-04:00
Always gather journalctl logs, instance config
Signed-off-by: Alexander Scheel <ascheel at redhat.com>
- - - - -
741c7982 by Alexander Scheel at 2020-06-09T19:33:54-04:00
Remove Tomcat 7.0, Tomcat 8.0 specific configs
Signed-off-by: Alexander Scheel <ascheel at redhat.com>
- - - - -
f7cd25bc by Endi S. Dewata at 2020-06-10T11:47:50-05:00
Updated version number to 10.9.0-0.2 (alpha 2)
- - - - -
30 changed files:
- .classpath
- + .github/workflows/required-tests.yml
- − .travis.yml
- CMakeLists.txt
- base/CMakeLists.txt
- base/acme/CMakeLists.txt
- − base/acme/conf/backend.json
- − base/acme/conf/backend/pki/backend.json
- + base/acme/conf/configsources.conf
- + base/acme/conf/database.conf
- − base/acme/conf/database.json
- + base/acme/conf/database/in-memory/database.conf
- − base/acme/conf/database/in-memory/database.json
- + base/acme/conf/database/ldap/create.ldif
- + base/acme/conf/database/ldap/database.conf
- + base/acme/conf/database/ldap/schema.ldif
- + base/acme/conf/database/postgresql/database.conf
- − base/acme/conf/database/postgresql/database.json
- base/acme/conf/database/postgresql/statements.conf
- + base/acme/conf/engine.conf
- + base/acme/conf/issuer.conf
- + base/acme/conf/issuer/pki/issuer.conf
- + base/acme/conf/metadata.conf
- − base/acme/conf/metadata.json
- + base/acme/conf/validators.conf
- − base/acme/conf/validators.json
- − base/acme/src/CMakeLists.txt
- base/acme/src/org/dogtagpki/acme/ACME.java → base/acme/src/main/java/org/dogtagpki/acme/ACME.java
- base/acme/src/org/dogtagpki/acme/ACMEAccount.java → base/acme/src/main/java/org/dogtagpki/acme/ACMEAccount.java
- base/acme/src/org/dogtagpki/acme/ACMEAuthorization.java → base/acme/src/main/java/org/dogtagpki/acme/ACMEAuthorization.java
The diff was not included because it is too large.
View it on GitLab: https://salsa.debian.org/freeipa-team/dogtag-pki/-/compare/b55549ae53cd230b1177f0cd77243300a86dd332...f7cd25bc03521876ed553ccb6584fad2004e30a9
--
View it on GitLab: https://salsa.debian.org/freeipa-team/dogtag-pki/-/compare/b55549ae53cd230b1177f0cd77243300a86dd332...f7cd25bc03521876ed553ccb6584fad2004e30a9
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-freeipa-devel/attachments/20200616/c02a957f/attachment-0001.html>
More information about the Pkg-freeipa-devel
mailing list