[Pkg-freeipa-devel] [Git][freeipa-team/dogtag-pki][master-next] 867 commits: releasing package dogtag-pki version 10.6.10-2

Timo Aaltonen gitlab at salsa.debian.org
Tue Mar 17 13:21:02 GMT 2020



Timo Aaltonen pushed to branch master-next at FreeIPA packaging / dogtag-pki


Commits:
de759471 by Timo Aaltonen at 2019-07-29T14:09:37+03:00
releasing package dogtag-pki version 10.6.10-2

- - - - -
9f58602d by Endi S. Dewata at 2019-07-31T13:36:21-05:00
Updated version number to 10.8.0-a1

- - - - -
c5d8e6e2 by Endi S. Dewata at 2019-07-31T13:38:29-05:00
Updated jackson-databind dependency in pom.xml

- - - - -
a53a2254 by Dinesh Prasanth M K at 2019-08-03T12:13:49-04:00
Fix 'pkidestroy --force' to pickup correct instance name (#231)

- When `pkidestroy --force` was executed with a non-existent non-default
  instance, it should not pick up `pki-tomcat` as the default instance

- The commit adds an additional check to remove selinux contexts
  iff the context exists. Otherwise, it skips them. This is
  necessary to accommodate the `--force` option to pkidestroy

Fixes: BZ#1698084

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>
- - - - -
259abdc9 by Endi S. Dewata at 2019-08-05T17:32:26-05:00
Updated loggers in PasswdUserDBAuthentication

- - - - -
5e85af87 by Endi S. Dewata at 2019-08-05T18:29:44-05:00
Updated loggers in CAProcessor

- - - - -
7b2b0ffe by Endi S. Dewata at 2019-08-05T18:37:21-05:00
Updated loggers in CertRequestService

- - - - -
da314e66 by Endi S. Dewata at 2019-08-05T18:50:43-05:00
Updated loggers in EnrollDefault

- - - - -
19caa66e by Endi S. Dewata at 2019-08-05T19:50:02-05:00
Updated loggers in ProfileSubsystem

- - - - -
39895c8a by Fraser Tweedale at 2019-08-07T10:55:29+10:00
importPKIArchiveOptions: support AES

CryptoUtil.importPKIArchiveOptions() is used for Lightweight CA
(LWCA) key import.  Update it to support AES-encrypted keys.  DES
import remains supported for backwards compatibility.

Fixes: https://pagure.io/dogtagpki/issue/2777

- - - - -
a0757ccc by Fraser Tweedale at 2019-08-07T10:56:36+10:00
ca-authority-key-export: add --algorithm option

We need to support AES key export, but also require backwards
compatibility with existing servers that can only import
DES-EDE3-CBC.  So as a first step, teach the ca-authority-key-export
command the --algorithm option, which defaults to 1.2.840.113549.3.7
(DES-EDE3-CBC).  AES support will be added in a subsequent commit.

Part of: https://pagure.io/dogtagpki/issue/2666

- - - - -
5a0b9db7 by Fraser Tweedale at 2019-08-07T10:56:36+10:00
ca-authority-key-export: use random IV

Part of: https://pagure.io/dogtagpki/issue/2666

- - - - -
c844db9d by Fraser Tweedale at 2019-08-07T10:56:36+10:00
ca-authority-key-export: support AES

Add support for exporting wrapped private keys using AES128-CBC as
the symmetric algorithm.

Fixes: https://pagure.io/dogtagpki/issue/2666

- - - - -
b4e8ab72 by Christian Heimes at 2019-08-08T10:53:02-05:00
PKIConnection: Allow to customize verify option

Don't hard-code verify=False in get() and post(). This allows consumers
to customize the session object and cert validation.

Signed-off-by: Christian Heimes <cheimes at redhat.com>

- - - - -
ac2041e9 by Endi S. Dewata at 2019-08-08T15:23:01-05:00
Refactored CMSGateway.checkAuthManager()

The CMSGateway.checkAuthManager() has been modified to return
IAuthToken instead of AuthToken.

- - - - -
1c1dbcbc by Endi S. Dewata at 2019-08-08T16:23:35-05:00
Refactored CAProcessor.authenticate()

The CAProcessor.authenticate() has been modified such that
it is only executed if the profile authenticator exists.

- - - - -
b3cf899e by Endi S. Dewata at 2019-08-12T10:22:26-05:00
Refactored RequestProcessor.processRequest() (part 1)

The RequestProcessor.processRequest() has been modified to
remove redundant parameter.

- - - - -
6237c919 by Endi S. Dewata at 2019-08-12T10:22:26-05:00
Refactored RequestProcessor.processRequest() (part 2)

The RequestProcessor.processRequest() has been modified such
that the authentication token is provided by the caller.

- - - - -
21fd30f3 by Endi S. Dewata at 2019-08-12T10:22:26-05:00
Updated CertRequestDAO.changeRequestState()

The CertRequestDAO.changeRequestState() has been modified to use
the authentication token from the user principal if available, or
fall back to the processor's authentication manager. This allows
an agent to authenticate using other authentication mechanisms.

- - - - -
4ccb989a by Endi S. Dewata at 2019-08-12T10:37:38-05:00
Updated default auth-method.properties

Previously the default auth-method.properties has been set up
such that certain operations must be authenticated using specific
methods.

The file has been modified such that any authentication method
can be used by default.

- - - - -
a9fb3fe3 by Endi S. Dewata at 2019-08-12T19:32:41-05:00
Added Profile Framework diagram

- - - - -
34895110 by Endi S. Dewata at 2019-08-13T14:11:12-05:00
Updated pom.xml

The pom.xml has been modified to remove the unused javassist
dependency and to use a specific version for jackson-databind.

- - - - -
2ce318af by Endi S. Dewata at 2019-08-13T14:30:17-05:00
Refactored lib folders creation/removal in PKIServer

The code that creates and removes the lib and common/lib folders
in PKIServer class has been moved into the create_libs() and
remove_libs() methods.

- - - - -
c0fb147d by Endi S. Dewata at 2019-08-13T14:30:38-05:00
Refactored lib folders creation/removal in instance_layout.py

The code that creates the lib folders in instance_layout.py has
been modified to use the PKIServer.create_libs().

- - - - -
1e329dc0 by Endi S. Dewata at 2019-08-13T15:16:33-05:00
Added FixCommonFolder upgrade script

A new upgrade script has been added to replace the
<instance>/common link with a real folder that contains
a link to the /usr/share/pki/server/common/lib.

- - - - -
b53d0e10 by Dinesh Prasanth M K at 2019-08-14T17:36:38-04:00
Fix URL redirection for KRA and OCSP web UI (#241)

Fixes changes introduced via commit: 2210c2a

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>
- - - - -
d57b32e2 by Dinesh Prasanth M K at 2019-08-14T17:37:40-04:00
Fix URL redirection for KRA and OCSP web UI (#241)

Fixes changes introduced via commit: 2210c2a

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>
- - - - -
7fcf5630 by Alexander Scheel at 2019-08-15T08:40:52-04:00
Remove duplicated netscape.security tests

When #121 and #122 were merged, netscape.security got moved to JSS,
along with these test cases. They're now failing in Debian, but only in
PKI. There's no point keeping them here (since they're already tested in
JSS), so remove them.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
6e30dcf6 by Endi S. Dewata at 2019-08-16T17:22:57-05:00
Fixed missing SAN extension for CA clone

The CertUtil.buildSANSSLserverURLExtension() has been modified
to include SAN parameters in the request to generate the SSL
server certificate for CA clone.

https://bugzilla.redhat.com/show_bug.cgi?id=1732637

- - - - -
0053a2c4 by Fraser Tweedale at 2019-08-22T01:49:43-05:00
LWCA key gen: use parent key size

LWCA keys are currently hardcoded to 2048-bit RSA.  This could be
less than the parent CA key, which is not desirable.  Update LWCA
key generation to use the same key size as the parent.

If the parent is not an RSA key, default to 3072-bit RSA.

Part of: https://pagure.io/dogtagpki/issue/1589

- - - - -
c1384734 by Endi S. Dewata at 2019-08-22T13:51:28-05:00
Merged pki-cmscore.jar into pki-cms.jar

The classes in pki-cmscore.jar and pki-cms.jar packages have inter-
dependencies so they cannot be built or deployed separately. To
simplify maintenance they have been merged into a single JAR file.

- - - - -
a38c388f by Endi S. Dewata at 2019-08-22T13:54:08-05:00
Cleaned up log messages in AuthzSubsystem

- - - - -
a1a30255 by Endi S. Dewata at 2019-08-22T13:55:40-05:00
Removed unused logger in JssSubsystem

- - - - -
5cc78038 by Endi S. Dewata at 2019-08-22T13:59:20-05:00
Updated loggers in AttributePresentConstraints

- - - - -
041cc582 by Endi S. Dewata at 2019-08-22T14:10:17-05:00
Updated loggers in AuthInfoAccessExt

- - - - -
35063881 by Endi S. Dewata at 2019-08-22T14:15:08-05:00
Updated loggers in AuthorityKeyIdentifierExt

- - - - -
275715b6 by Endi S. Dewata at 2019-08-22T14:19:07-05:00
Updated loggers in SubjectKeyIdentifierExt

- - - - -
e6a452db by Endi S. Dewata at 2019-08-22T14:21:43-05:00
Updated loggers in SubjectDirectoryAttributesExt

- - - - -
6a1e6794 by Endi S. Dewata at 2019-08-22T14:25:00-05:00
Updated loggers in SubjectAltNameExt

- - - - -
dabd521e by Endi S. Dewata at 2019-08-22T14:26:21-05:00
Updated loggers in PolicyMappingsExt

- - - - -
e6baa16b by Endi S. Dewata at 2019-08-22T14:34:31-05:00
Updated loggers in GenericASN1Ext

- - - - -
dd3569d9 by Endi S. Dewata at 2019-08-22T14:43:13-05:00
Updated loggers in BasicConstraintsExt

- - - - -
670b6f17 by Endi S. Dewata at 2019-08-22T14:46:58-05:00
Updated loggers in PolicyConstraintsExt

- - - - -
ccd5ebab by Endi S. Dewata at 2019-08-22T15:42:20-05:00
Updated loggers in CAService

- - - - -
cba002e9 by Endi S. Dewata at 2019-08-22T16:07:27-05:00
Updated loggers in CertificateAuthority

- - - - -
2427ccb0 by Endi S. Dewata at 2019-08-22T16:07:49-05:00
Updated loggers in CMSCRLExtensions

- - - - -
3680bf83 by Endi S. Dewata at 2019-08-22T16:07:54-05:00
Updated loggers in CRLIssuingPoint

- - - - -
09921600 by Endi S. Dewata at 2019-08-22T16:12:13-05:00
Updated loggers in SigningUnit

- - - - -
bad5869c by Endi S. Dewata at 2019-08-22T16:59:38-05:00
Updated loggers in EnrollmentService

- - - - -
e6ee4c46 by Endi S. Dewata at 2019-08-22T17:15:44-05:00
Updated loggers in KeyRecoveryAuthority

- - - - -
ff7f9f3f by Endi S. Dewata at 2019-08-22T17:20:01-05:00
Updated loggers in RecoveryService

- - - - -
2cdab4de by Endi S. Dewata at 2019-08-22T17:27:19-05:00
Updated loggers in StorageKeyUnit

- - - - -
07f64eb5 by Endi S. Dewata at 2019-08-22T17:32:59-05:00
Updated loggers in OCSPAuthority

- - - - -
b360d9d2 by Endi S. Dewata at 2019-08-22T17:36:26-05:00
Updated loggers in SigningUnit

- - - - -
a8c59f13 by Endi S. Dewata at 2019-08-22T21:49:26-05:00
Updated loggers in CMSAuthInfoAccessExtension

- - - - -
f850328b by Endi S. Dewata at 2019-08-22T21:54:18-05:00
Updated loggers in CMSCertificateIssuerExtension

- - - - -
5636156d by Endi S. Dewata at 2019-08-22T21:59:35-05:00
Updated loggers in CMSFreshestCRLExtension

- - - - -
7d8dd956 by Endi S. Dewata at 2019-08-22T22:22:04-05:00
Updated loggers in CMSIssuerAlternativeNameExtension

- - - - -
f685f824 by Endi S. Dewata at 2019-08-22T22:25:44-05:00
Updated loggers in CMSIssuingDistributionPointExtension

- - - - -
44def5a7 by Endi S. Dewata at 2019-08-22T22:29:51-05:00
Updated loggers in CertificateIssuedListener

- - - - -
d420074f by Endi S. Dewata at 2019-08-22T22:36:30-05:00
Updated loggers in UserService

- - - - -
28ee044c by Endi S. Dewata at 2019-08-22T22:38:05-05:00
Updated loggers in GroupService

- - - - -
96d75abb by Endi S. Dewata at 2019-08-22T22:54:37-05:00
Updated loggers in HashEnrollServlet

- - - - -
c1a0bfc9 by Endi S. Dewata at 2019-08-22T22:54:47-05:00
Updated loggers in ACLAdminServlet

- - - - -
8b8fae5c by Alexander Scheel at 2019-08-27T13:45:21-04:00
Fix noise generation for EC certificates

When generating noise for elliptic curves, very few bytes of entropy are
required (in comparison to RSA) because EC private keys are random data,
not random primes. Thus the amount of available entropy just needs to be
sufficient for the size of the curve.

Rather than dealing with a mapping between curve to its size, set a
fixed value of 1024 bytes.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
27b01653 by Alexander Scheel at 2019-08-27T13:45:21-04:00
Clarify error message in nssdb.create_request

When create_request fails, the error message only gives the result code,
not the full command. We should output the command too, for debugging
purposes.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
58e4e161 by Alexander Scheel at 2019-08-27T13:45:21-04:00
Fix parameters for EC-based CSR generation

When generating EC-based certificate requests, we incorrectly used
key_size as the -g parameter. This is correct for RSA keys, but
incorrect for EC keys (as the parameter is generally ignored).
Compounding to this, key_size (under key_type == 'ecc') is actually the
name of the curve, and not the size of the key under that curve.

We fix the parameter generation to support both the curve and the
key_size as the curve name.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
9fd384f2 by Fraser Tweedale at 2019-08-28T07:51:32-05:00
LWCA key gen: use parent key size

LWCA keys are currently hardcoded to 2048-bit RSA.  This could be
less than the parent CA key, which is not desirable.  Update LWCA
key generation to use the same key size as the parent.

If the parent is not an RSA key, default to 3072-bit RSA.

Part of: https://pagure.io/dogtagpki/issue/1589

- - - - -
e20e850e by Endi S. Dewata at 2019-08-29T20:40:42-05:00
Updated loggers in KeyRequestService.listRequests()

- - - - -
d5d55318 by Endi S. Dewata at 2019-08-29T20:40:48-05:00
Updated loggers in CMSRequestDAO.listCMSRequests()

- - - - -
3dc7156f by Endi S. Dewata at 2019-08-29T20:41:35-05:00
Updated loggers in Repository.initCache()

- - - - -
185933eb by Endi S. Dewata at 2019-08-29T20:59:47-05:00
Updated loggers in LdapCaSimpleMap

- - - - -
6093f408 by Endi S. Dewata at 2019-08-29T21:02:23-05:00
Updated loggers in CertificateRevokedListener

- - - - -
8f49eff2 by Endi S. Dewata at 2019-08-29T21:07:45-05:00
Updated loggers in LdapCertSubjMap

- - - - -
cf71d02e by Endi S. Dewata at 2019-08-29T21:12:00-05:00
Updated loggers in LdapEnhancedMap

- - - - -
6987e09e by Endi S. Dewata at 2019-08-29T21:15:42-05:00
Updated loggers in LdapSimpleMap

- - - - -
3830cec6 by Endi S. Dewata at 2019-08-29T21:21:29-05:00
Updated loggers in LdapCaCertPublisher

- - - - -
c30b5306 by Endi S. Dewata at 2019-08-29T22:06:39-05:00
Updated loggers in LdapCrlPublisher

- - - - -
7f399018 by Endi S. Dewata at 2019-08-29T22:06:56-05:00
Updated loggers in LdapCertSubjPublisher

- - - - -
8b14ceaa by Endi S. Dewata at 2019-08-29T22:07:12-05:00
Updated loggers in LdapEncryptCertPublisher

- - - - -
c938eec2 by Endi S. Dewata at 2019-08-29T22:07:25-05:00
Updated loggers in UsrGrpAdminServlet

- - - - -
57226a2f by Endi S. Dewata at 2019-08-29T22:07:25-05:00
Updated loggers in PublisherAdminServlet

- - - - -
8b16ecbd by Endi S. Dewata at 2019-08-29T22:07:25-05:00
Updated loggers in CAAdminServlet

- - - - -
b98dba3d by Endi S. Dewata at 2019-08-29T22:07:48-05:00
Updated loggers in AdminServlet

- - - - -
be827142 by Endi S. Dewata at 2019-08-30T10:04:20-05:00
Updated loggers in ReqCertSANameEmailResolver

- - - - -
719137a5 by Endi S. Dewata at 2019-08-30T10:05:58-05:00
Updated loggers in DisplayBySerial

- - - - -
738fe409 by Endi S. Dewata at 2019-08-30T10:06:12-05:00
Updated loggers in EnrollServlet

- - - - -
e9b50103 by Endi S. Dewata at 2019-08-30T10:07:29-05:00
Updated loggers in GroupMemberProcessor

- - - - -
35430a96 by Endi S. Dewata at 2019-08-30T10:10:36-05:00
Updated loggers in DoRevokeTPS

- - - - -
ab96e5e0 by Endi S. Dewata at 2019-08-30T10:11:29-05:00
Updated loggers in GetCAChain

- - - - -
d9e8404e by Endi S. Dewata at 2019-08-30T10:12:18-05:00
Updated loggers in GetCertFromRequest

- - - - -
5aaecd96 by Endi S. Dewata at 2019-08-30T10:13:12-05:00
Updated loggers in GetCRL

- - - - -
eb6ef623 by Endi S. Dewata at 2019-08-30T10:13:40-05:00
Updated loggers in RenewalServlet

- - - - -
3c933cd2 by Endi S. Dewata at 2019-08-30T10:14:52-05:00
Updated loggers in UpdateDir

- - - - -
b19ef27e by Endi S. Dewata at 2019-08-30T10:15:43-05:00
Updated loggers in CloneServlet

- - - - -
115583b2 by Endi S. Dewata at 2019-08-30T10:16:25-05:00
Updated loggers in AddCRLServlet

- - - - -
df4b3903 by Endi S. Dewata at 2019-08-30T10:17:18-05:00
Updated loggers in PKCS10Processor

- - - - -
9a0f31d4 by Endi S. Dewata at 2019-08-30T10:17:39-05:00
Updated loggers in CMCProcessor

- - - - -
44099f35 by Endi S. Dewata at 2019-08-30T10:17:55-05:00
Updated loggers in CRMFProcessor

- - - - -
693b5af4 by Endi S. Dewata at 2019-08-30T10:18:18-05:00
Updated loggers in KeyGenProcessor

- - - - -
c9105a1a by Endi S. Dewata at 2019-08-30T10:18:35-05:00
Updated loggers in PKIProcessor

- - - - -
3aeefbac by Endi S. Dewata at 2019-08-30T11:34:25-05:00
Moved com.netscape.certsrv.request.ARequestNotifier

The com.netscape.certsrv.request.ARequestNotifier has been moved
into com.netscape.cmscore.request.

- - - - -
7b197c9e by Endi S. Dewata at 2019-08-30T13:45:10-05:00
Refactored ProfileService.retrieveProfileRaw()

- - - - -
400fc9ed by Endi S. Dewata at 2019-08-30T13:45:33-05:00
Added default constructor for PropConfigStore

- - - - -
5671d5b6 by Endi S. Dewata at 2019-08-30T16:04:14-05:00
Merged ISourceConfigStore into IConfigStore

- - - - -
f8441d76 by Endi S. Dewata at 2019-08-30T16:05:23-05:00
Replaced SourceConfigStore with SimpleProperties

- - - - -
7f711fa3 by Endi S. Dewata at 2019-08-30T16:05:34-05:00
Cleaned up LDAPConfigStore.commit()

- - - - -
b1ba99e4 by Endi S. Dewata at 2019-08-30T16:25:09-05:00
Refactored FileConfigStore.load()

The FileConfigStore.load() has been modified such that it
throws generic Exception and is not invoked automatically
by the constructor.

- - - - -
f9c1240c by Endi S. Dewata at 2019-08-30T18:02:09-05:00
Added PropConfigStore.load()

- - - - -
08ef9fa0 by Endi S. Dewata at 2019-08-30T18:02:59-05:00
Refactored LDAPConfigStore.save()

The LDAPConfigStore.save() has been renamed into store() and
merged into the super class.

- - - - -
f65d409c by Endi S. Dewata at 2019-08-30T18:03:13-05:00
Refactored FileConfigStore.save()

The FileConfigStore.save() has been renamed into store() and
merged into the super class.

- - - - -
ce5d2899 by Endi S. Dewata at 2019-08-30T18:45:53-05:00
Added ConfigStorage class

A new ConfigStorage class has been added as a super class
of FileConfigStore and LDAPConfigStore. The PropConfigStore
has been modified to include a ConfigStorage object.

- - - - -
1358157d by Endi S. Dewata at 2019-08-30T19:11:33-05:00
Added EngineConfig class

A new EngineConfig class has been added to replace the generic
IConfigStore in CMSEngine.

- - - - -
66538d19 by Endi S. Dewata at 2019-08-30T20:23:11-05:00
Added getter/setter for cs.state

- - - - -
7d17a901 by Endi S. Dewata at 2019-08-30T20:23:43-05:00
Added getter/setter for cs.type

- - - - -
11a38331 by Endi S. Dewata at 2019-08-30T21:29:54-05:00
Added getter/setter for instanceRoot

- - - - -
c00a2675 by Endi S. Dewata at 2019-08-30T21:30:13-05:00
Added getter/setter for instanceId

- - - - -
81803b20 by Endi S. Dewata at 2019-08-30T21:30:13-05:00
Added getter/setter for machineName

- - - - -
c4eed33a by Fraser Tweedale at 2019-09-02T08:10:33-05:00
install: fix token normalisation

17677ae4d2cda456b64ec67e2b25ba63f4a58a70 changed pkispawn to treat
blank token name as the default token name (as specified in the
pkispawn config, or the internal token if not specified).  As part
of this change, the token normalisation routine was updated to
replace "internal" with null.  But this introduced a regression
under the following scenario:

- default token is NOT the internal token (e.g. HSM); and
- some certificate is to use the internal token (e.g. Server-Cert)

In this case, the internal token is normalised to null, and later
re-interpreted to mean the default token.

Do not normalise internal token names to null in the Python side of
pkispawn.  This ensures that any token name that has been specified
is transmitted to the Java configuration service as-is.  Null tokens
are still interpreted as the default token on the Java side.

Fixes: https://pagure.io/dogtagpki/issue/3093

- - - - -
98447018 by Fraser Tweedale at 2019-09-04T03:24:10-05:00
install: fix token normalisation

17677ae4d2cda456b64ec67e2b25ba63f4a58a70 changed pkispawn to treat
blank token name as the default token name (as specified in the
pkispawn config, or the internal token if not specified).  As part
of this change, the token normalisation routine was updated to
replace "internal" with null.  But this introduced a regression
under the following scenario:

- default token is NOT the internal token (e.g. HSM); and
- some certificate is to use the internal token (e.g. Server-Cert)

In this case, the internal token is normalised to null, and later
re-interpreted to mean the default token.

Do not normalise internal token names to null in the Python side of
pkispawn.  This ensures that any token name that has been specified
is transmitted to the Java configuration service as-is.  Null tokens
are still interpreted as the default token on the Java side.

Fixes: https://pagure.io/dogtagpki/issue/3093

- - - - -
b8d9a647 by Endi S. Dewata at 2019-09-04T14:53:02-05:00
Added option to install with Maven dependencies

The pkispawn and pki-server create commands have been modified
to provide a --with-maven-deps option to create the PKI server
instance with Maven dependencies.

- - - - -
f6adf6d1 by Endi S. Dewata at 2019-09-04T15:05:36-05:00
Removed validation for token state transitions

The TPSSubsystem has been modified to remove the validation for
tokendb.allowedTransitions property. This will allow adding new
transitions via PKI CLI or TPS Web UI.

The TPSSubsystem will continue to validate tps.operations.allowedTransitions
as before so it will only allow transitions already defined in
the default CS.cfg.

https://bugzilla.redhat.com/show_bug.cgi?id=1470433

- - - - -
01bb5cc4 by Endi S. Dewata at 2019-09-04T15:07:14-05:00
Updated loggers in ProcessCertReq

- - - - -
bfe093db by Endi S. Dewata at 2019-09-04T15:07:14-05:00
Updated loggers in JobsScheduler

- - - - -
eac259f0 by Endi S. Dewata at 2019-09-04T15:07:14-05:00
Updated loggers in PWsdrCache

- - - - -
962fbf06 by Endi S. Dewata at 2019-09-04T15:07:14-05:00
Updated loggers in LdapPublishModule

- - - - -
80783669 by Endi S. Dewata at 2019-09-04T15:07:14-05:00
Updated loggers in LdapRequestListener

- - - - -
8484098b by Endi S. Dewata at 2019-09-04T15:07:14-05:00
Updated loggers in DefStore

- - - - -
8037846a by Endi S. Dewata at 2019-09-04T15:07:14-05:00
Updated loggers in CrossCertPairSubsystem

- - - - -
0096d225 by Endi S. Dewata at 2019-09-04T15:07:14-05:00
Updated loggers in CheckRequest

- - - - -
5fffe344 by Endi S. Dewata at 2019-09-04T15:07:14-05:00
Updated loggers in RevocationServlet

- - - - -
d7c62c18 by Endi S. Dewata at 2019-09-04T15:07:14-05:00
Updated loggers in LdapCertificatePairPublisher

- - - - -
7c3f2b41 by Endi S. Dewata at 2019-09-04T15:07:14-05:00
Updated loggers in LdapDNCompsMap

- - - - -
3adf8c04 by Endi S. Dewata at 2019-09-04T15:07:14-05:00
Updated loggers in LdapCertExactMap

- - - - -
4000eb22 by Endi S. Dewata at 2019-09-04T15:07:14-05:00
Updated loggers in PublisherAdminServlet

- - - - -
9f5cb9a7 by Endi S. Dewata at 2019-09-04T15:07:14-05:00
Updated loggers in ChallengePhraseAuthentication

- - - - -
68c9ef51 by Endi S. Dewata at 2019-09-04T15:07:14-05:00
Updated loggers in GetStats

- - - - -
f8d01575 by Endi S. Dewata at 2019-09-04T15:07:14-05:00
Updated loggers in ChallengeRevocationServlet1

- - - - -
01e1606b by Endi S. Dewata at 2019-09-04T17:09:14-05:00
Updated loggers in CMSHoldInstructionExtension

- - - - -
74146cdb by Endi S. Dewata at 2019-09-04T17:11:36-05:00
Updated loggers in LDAPStore

- - - - -
70a240be by Endi S. Dewata at 2019-09-04T17:14:23-05:00
Updated loggers in LdapUserCertPublisher

- - - - -
440fae92 by Endi S. Dewata at 2019-09-04T17:14:40-05:00
Updated loggers in OCSPPublisher

- - - - -
5f161572 by Endi S. Dewata at 2019-09-04T21:28:42-05:00
Updated loggers in CMCRevReqServlet

- - - - -
159fa79e by Endi S. Dewata at 2019-09-04T21:30:54-05:00
Updated loggers in DisplayCRL

- - - - -
3475667a by Endi S. Dewata at 2019-09-04T21:32:48-05:00
Updated loggers in SrchKeyForRecovery

- - - - -
4c00430b by Endi S. Dewata at 2019-09-04T21:36:11-05:00
Updated loggers in ConnectorServlet

- - - - -
26bbdb32 by Endi S. Dewata at 2019-09-04T21:36:45-05:00
Updated loggers in CertificateRepository

- - - - -
6e86987a by Endi S. Dewata at 2019-09-04T21:37:10-05:00
Updated loggers in JobCron

- - - - -
dce46d3c by Endi S. Dewata at 2019-09-04T21:37:58-05:00
Updated loggers in CRLDistributionPointsExt

- - - - -
01e184d4 by Endi S. Dewata at 2019-09-04T21:38:50-05:00
Updated loggers in ReqCertEmailResolver

- - - - -
f1919a94 by Endi S. Dewata at 2019-09-04T21:39:53-05:00
Updated loggers in RequestInQListener

- - - - -
16240113 by Endi S. Dewata at 2019-09-04T21:40:45-05:00
Updated loggers in PinRemovalListener

- - - - -
b701addf by Endi S. Dewata at 2019-09-04T21:41:32-05:00
Updated loggers in GetOCSPInfo

- - - - -
a4e2d4a5 by Endi S. Dewata at 2019-09-04T21:44:32-05:00
Updated loggers in com.netscape.cms.servlet.ocsp

- - - - -
3c2721d4 by Endi S. Dewata at 2019-09-04T21:46:24-05:00
Updated loggers in ProcessReq

- - - - -
e9edb74c by Endi S. Dewata at 2019-09-04T21:46:32-05:00
Updated loggers in SearchReqs

- - - - -
1e7311cb by Endi S. Dewata at 2019-09-04T21:47:55-05:00
Updated loggers in QueryReq

- - - - -
9efd7471 by Endi S. Dewata at 2019-09-04T21:48:51-05:00
Updated loggers in SrchKey

- - - - -
3a017d7a by Endi S. Dewata at 2019-09-04T21:49:33-05:00
Updated loggers in GetPk12

- - - - -
93a1f819 by Endi S. Dewata at 2019-09-04T21:52:29-05:00
Updated loggers in GetBySerial

- - - - -
c2b4d7fb by Endi S. Dewata at 2019-09-04T21:53:08-05:00
Updated loggers in GetAsyncPk12

- - - - -
996495dd by Endi S. Dewata at 2019-09-04T21:54:43-05:00
Updated loggers in DisplayBySerialForRecovery

- - - - -
393f227d by Endi S. Dewata at 2019-09-04T21:55:55-05:00
Updated loggers in DisplayBySerial

- - - - -
85b27c1a by Endi S. Dewata at 2019-09-04T21:56:32-05:00
Updated loggers in SrchCerts

- - - - -
40d4d83d by Endi S. Dewata at 2019-09-04T21:57:11-05:00
Updated loggers in CMSAuthorityKeyIdentifierExtension

- - - - -
68371e33 by Endi S. Dewata at 2019-09-04T21:57:53-05:00
Update loggers in DoRevoke

- - - - -
fe3f039c by Endi S. Dewata at 2019-09-04T21:58:36-05:00
Update loggers in DoUnrevoke

- - - - -
c13efc64 by Endi S. Dewata at 2019-09-04T22:00:12-05:00
Updated loggers in GetInfo

- - - - -
d69fb92d by Endi S. Dewata at 2019-09-04T22:00:39-05:00
Updated loggers in Monitor

- - - - -
09b50d50 by Endi S. Dewata at 2019-09-04T22:01:39-05:00
Updated loggers in ReasonToRevoke

- - - - -
17aff073 by Endi S. Dewata at 2019-09-05T15:30:21-05:00
Added LDAPConfig class

A new LDAPConfig class has been added to encapsulate internal
database configuration.

- - - - -
4e4637d9 by Endi S. Dewata at 2019-09-05T16:40:38-05:00
Refactored internal database configuration retrieval

The code that uses internal database configuration has been
modified to use EngineConfig.getInternalDatabase().

- - - - -
75a79924 by Christina Fu at 2019-09-06T15:55:55-07:00
Bug 1523330 - CC: missing audit event for CS acting as TLS client

This patch adds failed CLIENT_ACCESS_SESSION_ESTABLISH audit event for the case
when internal ldap server goes down

fixes https://bugzilla.redhat.com/show_bug.cgi?id=1523330

- - - - -
49dc5132 by Endi S. Dewata at 2019-09-09T12:55:20-05:00
Updated enable_pki_logger()

The enable_pki_logger() has been modified to add a top-level
PKI logger.

- - - - -
2e5724fa by Endi S. Dewata at 2019-09-09T13:02:17-05:00
Cleaned up Python classes

- - - - -
ed4e693c by Endi S. Dewata at 2019-09-09T15:13:17-05:00
Cleaned up Password objects

The code has been modified to clear Password objects explicitly
as soon as they are no longer used.

- - - - -
fecb4815 by Endi S. Dewata at 2019-09-09T15:33:16-05:00
Added CMSEngine.getJSSSubsystem()

- - - - -
8664adc3 by Endi S. Dewata at 2019-09-09T15:55:34-05:00
Updated loggers in com.netscape.cms.servlet.key

- - - - -
1434bf36 by Endi S. Dewata at 2019-09-09T16:14:30-05:00
Updated loggers in com.netscape.cms.servlet.csadmin

- - - - -
202a564c by Endi S. Dewata at 2019-09-09T16:27:18-05:00
Updated loggers in com.netscape.cms.servlet

- - - - -
bfcc9d8c by Endi S. Dewata at 2019-09-09T16:42:03-05:00
Updated loggers in com.netscape.cms.servlet.base

- - - - -
18ba9a95 by Endi S. Dewata at 2019-09-09T16:48:04-05:00
Updated loggers in com.netscape.kra

- - - - -
08587227 by Endi S. Dewata at 2019-09-09T16:59:40-05:00
Updated loggers in com.netscape.cms.crl

- - - - -
367a6665 by Endi S. Dewata at 2019-09-09T17:46:57-05:00
Updated loggers in com.netscape.cms.servlet.profile

- - - - -
0802da9e by Endi S. Dewata at 2019-09-09T17:55:40-05:00
Updated loggers in com.netscape.cmscore.dbs

- - - - -
f4d7ee68 by Endi S. Dewata at 2019-09-09T18:05:02-05:00
Updated loggers in org.dogtagpki.legacy.server.policy.constraints

- - - - -
47e3151a by Endi S. Dewata at 2019-09-09T18:10:25-05:00
Updated loggers in com.netscape.cmscore.connector

- - - - -
fa8bc69b by Endi S. Dewata at 2019-09-09T18:15:23-05:00
Updated loggers in org.dogtagpki.legacy.core.policy

- - - - -
deb5815c by Endi S. Dewata at 2019-09-09T18:20:16-05:00
Updated loggers in com.netscape.cms.publish.mappers

- - - - -
e66e5fab by Endi S. Dewata at 2019-09-09T18:24:12-05:00
Updated loggers in com.netscape.cmscore.notification

- - - - -
d3971e73 by Endi S. Dewata at 2019-09-09T18:28:27-05:00
Updated loggers in com.netscape.cmscore.authentication

- - - - -
14393cfb by Endi S. Dewata at 2019-09-09T18:49:31-05:00
Updated loggers in CronItem

- - - - -
87d5a4e5 by Endi S. Dewata at 2019-09-09T18:55:36-05:00
Updated loggers in com.netscape.cms.servlet.admin

- - - - -
f185e3e8 by Endi S. Dewata at 2019-09-09T19:04:55-05:00
Updated loggers in com.netscape.cms

- - - - -
25c9ba7d by Endi S. Dewata at 2019-09-09T19:16:47-05:00
Updated loggers in com.netscape.cmscore

- - - - -
55dd77d8 by Endi S. Dewata at 2019-09-09T19:21:48-05:00
Updated loggers in APolicyRule

- - - - -
505900fa by Endi S. Dewata at 2019-09-09T19:36:56-05:00
Updated loggers in CertificatePoliciesExt

- - - - -
903dd58f by Endi S. Dewata at 2019-09-09T19:38:26-05:00
Updated loggers in CertificateScopeOfUseExt

- - - - -
924207c4 by Endi S. Dewata at 2019-09-09T20:23:01-05:00
Updated loggers in org.dogtagpki.legacy.server.policy

- - - - -
2d3d79c3 by Endi S. Dewata at 2019-09-09T20:23:23-05:00
Updated loggers in CRLIssuingPoint

- - - - -
0a562652 by Endi S. Dewata at 2019-09-09T20:23:51-05:00
Updated loggers in CA

- - - - -
f694dc21 by Endi S. Dewata at 2019-09-09T20:24:10-05:00
Updated loggers in KRA

- - - - -
7591765e by Endi S. Dewata at 2019-09-09T20:24:32-05:00
Updated loggers in OCSP

- - - - -
091f3893 by Endi S. Dewata at 2019-09-09T20:25:26-05:00
Updated loggers in TKS

- - - - -
7eaaeac7 by Endi S. Dewata at 2019-09-09T20:25:57-05:00
Updated loggers in TPS

- - - - -
f6c339df by Endi S. Dewata at 2019-09-10T19:43:59-05:00
Fixed TPSTokendb.tdbFindTokenRecordsByUID()

The TPSTokendb.tdbFindTokenRecordsByUID() has been modified such
that it uses (tokenUserID=<UIID>) filter to find tokens with exact
owner UID instead of filter with wildcards.

https://bugzilla.redhat.com/show_bug.cgi?id=1520258

- - - - -
fc5f8df3 by Timo Aaltonen at 2019-09-11T20:28:43+03:00
Switch to python3. (Closes: #918538)

- - - - -
eb4aafdb by Timo Aaltonen at 2019-09-11T20:40:44+03:00
tests: Migrate to dscreate, bump 389-ds-base dependency.

- - - - -
2f4dafae by Timo Aaltonen at 2019-09-11T23:15:13+03:00
fix dep on python3-pki-base

- - - - -
ba78842b by Timo Aaltonen at 2019-09-11T23:38:01+03:00
close a bug

- - - - -
ba915f89 by Timo Aaltonen at 2019-09-11T23:39:17+03:00
Merge commit 'de759471bececf0' into master-next

- - - - -
359e4214 by Timo Aaltonen at 2019-09-11T23:40:22+03:00
releasing package dogtag-pki version 10.7.3-2

- - - - -
59bc35fc by Endi S. Dewata at 2019-09-11T16:27:49-05:00
Updated exception handling in ProfileAdminServlet.addProfilePolicy()

- - - - -
4ed697d8 by Endi S. Dewata at 2019-09-11T16:30:31-05:00
Updated exception handling in ProfileAdminServlet.listProfileInstances()

- - - - -
96e7c1a5 by Endi S. Dewata at 2019-09-11T16:39:35-05:00
Updated exception handling in ProfileAdminServlet.getProfileInstanceConfig()

- - - - -
07bc8478 by Endi S. Dewata at 2019-09-11T16:39:48-05:00
Updated exception handling in ProfileApproveServlet.auditProfileOp()

- - - - -
45f400cb by Endi S. Dewata at 2019-09-11T16:45:55-05:00
Updated exception handling in ProfileService.modifyProfileState()

- - - - -
f475e560 by Endi S. Dewata at 2019-09-11T16:48:16-05:00
Updated exception handling in ProfileService.modifyProfileRaw()

- - - - -
0bd47436 by Endi S. Dewata at 2019-09-11T16:53:54-05:00
Updated exception handling in ProfileService.changeProfileData()

- - - - -
8b1bdd13 by Endi S. Dewata at 2019-09-11T19:33:03-05:00
Updated exception handling in ProfileSubsystem.deleteProfile()

- - - - -
177ea87d by Endi S. Dewata at 2019-09-11T19:36:23-05:00
Updated exception handling in AbstractProfileSubsystem.getProfileEnableBy()

- - - - -
c8829250 by Endi S. Dewata at 2019-09-11T20:51:44-05:00
Updated exception handling in AbstractProfileSubsystem.isProfileEnable()

- - - - -
f9c581b1 by Endi S. Dewata at 2019-09-11T20:52:03-05:00
Added SubsystemsConfig

The SubsystemsConfig class has been added to encapsulate the
collection of subsystems in CS.cfg.

- - - - -
d586566a by Endi S. Dewata at 2019-09-11T20:55:59-05:00
Added SubsystemConfig

The SubsystemConfig class has been added to encapsulate individual
subsystems in CS.cfg.

- - - - -
9716d73b by Endi S. Dewata at 2019-09-11T22:31:35-05:00
Replaced CMSEngine.getConfigStore() in com.netscape.cms.authentication

- - - - -
9c1f7438 by Endi S. Dewata at 2019-09-11T22:32:35-05:00
Replaced CMSEngine.getConfigStore() in com.netscape.cms.profile

- - - - -
b649e476 by Endi S. Dewata at 2019-09-11T22:33:17-05:00
Replaced CMSEngine.getConfigStore() in com.netscape.cms.servlet.cert

- - - - -
cea1a1f3 by Endi S. Dewata at 2019-09-11T22:33:53-05:00
Replaced CMSEngine.getConfigStore() in com.netscape.cms.servlet.csadmin

- - - - -
f1363e75 by Endi S. Dewata at 2019-09-11T22:34:29-05:00
Replaced CMSEngine.getConfigStore() in com.netscape.cms.servlet.admin

- - - - -
f8fa847e by Endi S. Dewata at 2019-09-11T22:35:31-05:00
Replaced CMSEngine.getConfigStore() in com.netscape.cms.servlet.key

- - - - -
8138f118 by Endi S. Dewata at 2019-09-11T22:36:09-05:00
Replaced CMSEngine.getConfigStore() in com.netscape.cms.servlet

- - - - -
5d421acf by Endi S. Dewata at 2019-09-11T22:37:37-05:00
Replaced CMSEngine.getConfigStore() in com.netscape.cms.publish.publishers

- - - - -
4bfdea18 by Endi S. Dewata at 2019-09-11T22:42:59-05:00
Replaced CMSEngine.getConfigStore() in com.netscape.cms

- - - - -
abba5233 by Endi S. Dewata at 2019-09-11T22:43:21-05:00
Replaced CMSEngine.getConfigStore() in com.netscape.cmscore

- - - - -
ebeb6e06 by Endi S. Dewata at 2019-09-11T22:43:48-05:00
Replaced CMSEngine.getConfigStore() in org.dogtagpki.legacy

- - - - -
b4cf5db5 by Endi S. Dewata at 2019-09-11T22:44:09-05:00
Replaced CMSEngine.getConfigStore() in org.dogtagpki.server.rest

- - - - -
616c4ac5 by Endi S. Dewata at 2019-09-12T07:50:48-05:00
Cleaned up CMSEngine.getConfig() invocations

- - - - -
f5c2effc by Endi S. Dewata at 2019-09-12T08:02:25-05:00
Cleaned up LogFile.init()

- - - - -
e24f24ec by Endi S. Dewata at 2019-09-12T08:18:25-05:00
Moved IEnrollProfile

The com.netscape.certsrv.profile.IEnrollProfile has been moved
into com.netscape.cms.profile.common.

- - - - -
ec0b1716 by Endi S. Dewata at 2019-09-12T08:22:17-05:00
Moved ICertInfoPolicyDefault

The com.netscape.certsrv.profile.ICertInfoPolicyDefault has been
moved into com.netscape.cms.profile.def.

- - - - -
051127f6 by Endi S. Dewata at 2019-09-12T08:27:00-05:00
Moved IProfileEx

The com.netscape.certsrv.profile.IProfileEx has been moved into
com.netscape.cms.profile.common.

- - - - -
4538b131 by Endi S. Dewata at 2019-09-12T08:37:25-05:00
Moved IProfileSubsystem

The com.netscape.certsrv.profile.IProfileSubsystem has been
moved into com.netscape.cmscore.profile.

- - - - -
f716a671 by Endi S. Dewata at 2019-09-12T08:40:21-05:00
Moved IProfileUpdater

The com.netscape.certsrv.profile.IProfileUpdater has been moved
into com.netscape.cms.profile.updater.

- - - - -
83bd180b by Endi S. Dewata at 2019-09-12T08:53:42-05:00
Moved ICertificateAuthority

The com.netscape.certsrv.ca.ICertificateAuthority has been moved
into org.dogtagpki.server.ca.

- - - - -
9699c69b by Endi S. Dewata at 2019-09-12T08:56:09-05:00
Moved ICRLIssuingPoint

The com.netscape.certsrv.ca.ICRLIssuingPoint has been moved into
org.dogtagpki.server.ca.

- - - - -
a123eace by Endi S. Dewata at 2019-09-12T09:00:31-05:00
Moved ICAService

The com.netscape.certsrv.ca.ICAService has been moved into
org.dogtagpki.server.ca.

- - - - -
b2def5d8 by Endi S. Dewata at 2019-09-12T09:08:20-05:00
Moved ICMSCRLExtensions

The com.netscape.certsrv.ca.ICMSCRLExtensions has been moved
into org.dogtagpki.server.ca.

- - - - -
46eac724 by Endi S. Dewata at 2019-09-12T09:13:26-05:00
Moved ICMSCRLExtension

The com.netscape.certsrv.ca.ICMSCRLExtension has been moved into
org.dogtagpki.server.ca.

- - - - -
e1af9362 by Fraser Tweedale at 2019-09-12T18:14:20-05:00
ca-authority-del: fix usage string

The usage string for `pki ca-authority-del' mentions "DN", but the
argument is actually an authority ID.  Fix the string.

- - - - -
640adf0f by Timo Aaltonen at 2019-09-14T00:03:12+03:00
fix-tomcat-paths.diff: We have /etc/default/tomcat9 instead of tomcat.conf.

- - - - -
a044e924 by Timo Aaltonen at 2019-09-14T00:03:42+03:00
pki-tomcatd@.service: Updated to match the upstream version.

- - - - -
f346a4de by Timo Aaltonen at 2019-09-14T00:05:45+03:00
hardcode-tomcat-version.diff: Dropped, instead pass --tomcat  for pki-server migrate in the service file.

- - - - -
0ade3516 by Timo Aaltonen at 2019-09-14T00:06:05+03:00
releasing package dogtag-pki version 10.7.3-3

- - - - -
15fe8458 by Endi S. Dewata at 2019-09-13T17:37:31-05:00
Fixed TPSTokendb.tdbFindTokenRecordsByUID() (part 2)

The TPSTokendb.tdbFindTokenRecordsByUID() has been modified to
construct (userID=<UID>) filter which will be translated into
(tokenUserID=<UID>) LDAP filter as defined in TokenRecord.

https://bugzilla.redhat.com/show_bug.cgi?id=1520258

- - - - -
2d14a2c2 by Endi S. Dewata at 2019-09-13T19:15:00-05:00
Deprecated subsystem and use_root_uri params in PKIConnection

The subsystem and use_root_uri params in PKIConnection have been
deprecated such that the object can be used with all subsystems.

https://www.dogtagpki.org/wiki/PKI_10.8_Python_Changes

- - - - -
9a9c6f63 by Endi S. Dewata at 2019-09-13T19:15:00-05:00
Removed warnings due to changes in PKIConnection

https://www.dogtagpki.org/wiki/PKI_10.8_Python_Changes

- - - - -
2ec105d8 by Endi S. Dewata at 2019-09-13T19:38:56-05:00
Updated ProfileSubsystem.createProfile()

The ProfileSubsystem.createProfile() has been modified such that
the profile configuration can be loaded from the path specified
in the CS.cfg.

- - - - -
6fce2984 by Timo Aaltonen at 2019-09-16T18:10:29+03:00
tomcat-start.sh: Dropped everything we don't need from the original copy from tomcat9.

- - - - -
47c6072d by Timo Aaltonen at 2019-09-16T18:16:21+03:00
debian-support.diff: Drop the hunk about disabling pki_security_manager, it works fine with defaults.

- - - - -
09399aca by Timo Aaltonen at 2019-09-16T18:16:48+03:00
control: Bump pki-base-java dep on libjss-java.

- - - - -
7ce60013 by Endi S. Dewata at 2019-09-16T12:38:02-05:00
Updated exception declaration for RenewalProcessor.processRenewal()

- - - - -
35cb734b by Endi S. Dewata at 2019-09-16T12:38:22-05:00
Updated exception declaration for CertProcessor.populateRequests()

- - - - -
a2e6deba by Endi S. Dewata at 2019-09-16T12:38:43-05:00
Updated exception declaration for IProfile.populateInput()

- - - - -
a55142d1 by Endi S. Dewata at 2019-09-16T12:38:59-05:00
Updated exception declaration for IProfile.createRequests()

- - - - -
4e0b79d5 by Endi S. Dewata at 2019-09-16T12:39:16-05:00
Updated exception declaration for IProfileInput.populate()

- - - - -
225396a1 by Endi S. Dewata at 2019-09-16T12:39:45-05:00
Updated PKIServerUpgrader.subsystems()

The PKIServerUpgrader.subsystems() has been modified to get the
subsystems from the instance instead of creating new PKISubsystem
objects.

- - - - -
0aafbebd by Endi S. Dewata at 2019-09-16T12:39:45-05:00
Added profile methods in CASubsystem

The CASubsystem has been modified to add a method to load profile
registry and to get the list of profile configuration files.

- - - - -
9b428197 by Christina Fu at 2019-09-16T13:23:03-07:00
Bug 1744095 - CMCResponse is not working as expected

This patch fixes the issue of HttpClient extracting fewer bytes than
the actual data size from the HTTP response.
My investigation shows that there used to be 6 lines of headers, and
now it's down to 5.
The fix is to default to 5, but add an unadvertised numHeaderLines
that allows one to customize in case the server changes again.
It is limited to the range of 1 - 56

Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1744095

- - - - -
7ff83d2e by Endi S. Dewata at 2019-09-16T15:36:21-05:00
Moved IProfile.getAuthenticator()

The IProfile.getAuthenticator() has been moved into
IProfileSubsystem.getAuthenticator().

- - - - -
fc4290c9 by Endi S. Dewata at 2019-09-16T15:36:31-05:00
Moved IProfileAuthenticator

The com.netscape.certsrv.profile.IProfileAuthenticator has been
moved into com.netscape.cms.profile.

- - - - -
c9dac4eb by Endi S. Dewata at 2019-09-16T15:36:40-05:00
Renamed IProfileContext.set() to put()

- - - - -
a7319bcc by Endi S. Dewata at 2019-09-16T15:36:49-05:00
Replaced IProfileContext with Map

- - - - -
1bf36ffc by Endi S. Dewata at 2019-09-16T19:03:44-05:00
Cleaned up IPolicyConstraint.init()

The unused profile parameter in IPolicyConstraint.init() has
been removed.

- - - - -
d50db2b9 by Endi S. Dewata at 2019-09-16T19:06:26-05:00
Cleaned up IProfileOutput.init()

The unused profile parameter in IPolicyOutput.init() has
been removed.

- - - - -
035c8176 by Endi S. Dewata at 2019-09-16T20:59:23-05:00
Removed old upgrade code in SubjectAltNameExtDefault

The SubjectAltNameExtDefault has been modified to remove old
code that upgrades SAN parameters.

- - - - -
2c9a2101 by Timo Aaltonen at 2019-09-17T18:13:49+03:00
fix-tomcat-paths.diff: Cleanups.

- - - - -
23b45ac9 by Timo Aaltonen at 2019-09-17T18:18:33+03:00
tests: Redirect dscreate stderr to stdout.

- - - - -
972f2808 by Timo Aaltonen at 2019-09-17T18:22:14+03:00
control: Drop dependency on pki-base from python3-pki-base. (Closes: #940287)

- - - - -
31d79366 by Timo Aaltonen at 2019-09-17T18:22:35+03:00
releasing package dogtag-pki version 10.7.3-4

- - - - -
5f322928 by Endi S. Dewata at 2019-09-17T15:17:48-05:00
Updated pki-server db logging

- - - - -
c02fa132 by Endi S. Dewata at 2019-09-17T15:57:08-05:00
Updated pki-server ca logging

- - - - -
0012a344 by Endi S. Dewata at 2019-09-17T17:11:13-05:00
Added pki-server ca-db module

- - - - -
244958dc by Endi S. Dewata at 2019-09-17T19:55:42-05:00
Updated PKIInstance.load()

The PKIInstance.load() has been modified to load the subsystems
in the order defined in SUBSYSTEM_TYPES.

- - - - -
626dd82e by Endi S. Dewata at 2019-09-17T20:47:27-05:00
Added SubsystemDBUpgradeCLI Java class

The SubsystemDBUpgradeCLI Java class has been added
as a base class for subsystem database upgrade.

- - - - -
10d04acc by Endi S. Dewata at 2019-09-17T20:47:33-05:00
Added SubsystemDBUpgradeCLI Python class

The SubsystemDBUpgradeCLI Python class has been added
as a wrapper for SubsystemDBUpgradeCLI Java class.

- - - - -
9cf1f839 by Endi S. Dewata at 2019-09-17T21:53:44-05:00
Cleaned up CLI class names

- - - - -
dbf97591 by Endi S. Dewata at 2019-09-18T13:03:07-05:00
Added JSON mapping for key classes

- - - - -
b7e4f19c by Endi S. Dewata at 2019-09-18T13:20:03-05:00
Updated SystemCertService.getTransportCertFromKRA()

The SystemCertService.getTransportCertFromKRA() has been updated
to return the transport certificate's not before and not after
fields.

- - - - -
4389f512 by Endi S. Dewata at 2019-09-18T13:56:53-05:00
Deprecated subsystem_name in PKIServer.setup_cert_authentication()

https://www.dogtagpki.org/wiki/PKI_10.8_Python_Changes

- - - - -
f7de9162 by Endi S. Dewata at 2019-09-19T16:15:59-05:00
Updated pki-server db-upgrade

The code that upgrades the CA database in DBUpgradeCLI Python
class has been moved into CADBUpgradeCLI Java class such that
it is no longer dependent on python-nss.

The DBUpgrade has been modified to upgrade all subsystems in
the instance.

- - - - -
889756aa by Dinesh Prasanth M K at 2019-09-20T11:34:57-04:00
Update KRATool to process TPS recovery request (#261)

The `netkeyKeyRecovery` request entries are generated when
the TPS retrieves encryption cert onto tokens.

The attributes processed by KRATool include:
* requestId
* dn
* dateOfModify
* cn
* extdata-requestid
* extdata-request-notes (creates, if it doesn't exist)

Forward port of PRs #248 & #234

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>
- - - - -
387cb6dd by Endi S. Dewata at 2019-09-20T10:39:41-05:00
Updated NSSDatabase class

The NSSDatabase class has been modified to support unprotected
NSS databases.

- - - - -
0a09ba2d by Endi S. Dewata at 2019-09-20T10:39:41-05:00
Updated loggers in PKCS12ImportCLI

- - - - -
91ed93c2 by Endi S. Dewata at 2019-09-20T11:03:47-05:00
Replaced "Advanced Search" with "Filter" in TPS UI

- - - - -
368db6da by Endi S. Dewata at 2019-09-20T13:32:09-05:00
Updated loggers in TPSProcessor

- - - - -
78b8655d by Endi S. Dewata at 2019-09-20T13:32:33-05:00
Updated loggers in FilterMappingParams

- - - - -
86bad8a6 by Endi S. Dewata at 2019-09-20T13:32:45-05:00
Updated loggers in LDAPDatabase

- - - - -
593ceb1c by Endi S. Dewata at 2019-09-20T13:32:49-05:00
Updated loggers in UidPwdDirAuthentication

- - - - -
da104c70 by Endi S. Dewata at 2019-09-20T13:35:35-05:00
Added JSON mapping for key info classes

- - - - -
39292fca by Endi S. Dewata at 2019-09-20T13:35:35-05:00
Added --output-format option to pki kra-key-find

- - - - -
4df65a4d by Endi S. Dewata at 2019-09-20T14:53:02-05:00
Cleaned up DirBasedAuthentication.init()

- - - - -
9610359c by Endi S. Dewata at 2019-09-20T14:55:34-05:00
Cleaned up DirBasedAuthentication.formCertInfo()

- - - - -
2b36e2a2 by Endi S. Dewata at 2019-09-20T14:57:11-05:00
Cleaned up DirBasedAuthentication.formSubjectName()

- - - - -
bc525bfd by Endi S. Dewata at 2019-09-20T15:02:46-05:00
Fixed exception chaining in TPSTokendb

- - - - -
ce72ff84 by Endi S. Dewata at 2019-09-20T15:15:27-05:00
Cleaned up FilterMappingResolver.getResolvedMapping()

- - - - -
0c105026 by Endi S. Dewata at 2019-09-20T17:08:34-05:00
Cleaned up SecurityDataProcessor

- - - - -
090fd3a0 by Endi S. Dewata at 2019-09-20T17:08:53-05:00
Cleaned up KeyClient

- - - - -
310a2890 by Endi S. Dewata at 2019-09-20T17:09:07-05:00
Added KeyClient.getWrapAlgorithmName()

- - - - -
8e0a792e by Endi S. Dewata at 2019-09-20T17:14:55-05:00
Added KeyClient.generateSessionKey()

- - - - -
edb87776 by Endi S. Dewata at 2019-09-20T17:18:14-05:00
Changed variable name in KRAKeyRetrieveCLI

- - - - -
33f3da88 by Endi S. Dewata at 2019-09-20T18:08:44-05:00
Changed KeyClient.retrieveKeyData() return type

- - - - -
6096c128 by Endi S. Dewata at 2019-09-20T18:10:10-05:00
Changed KeyClient.retrieveKeyByPKCS12() return type

- - - - -
c74fc9fb by Endi S. Dewata at 2019-09-20T18:11:02-05:00
Changed KeyClient.retrieveKeyUsingWrappedPassphrase() return type

- - - - -
a51702c2 by Endi S. Dewata at 2019-09-20T18:11:30-05:00
Changed KeyClient.retrieveKeyByPassphrase() return type

- - - - -
f798e4d0 by Endi S. Dewata at 2019-09-20T18:20:55-05:00
Refactored KeyClient.retrieveKey() and retrieveKeyByRequest()

The KeyClient.retrieveKey() and retrieveKeyByRequest() have been
modified to return unprocessed key.

- - - - -
1287f8b1 by Endi S. Dewata at 2019-09-20T18:22:11-05:00
Changed KeyClient.retrieveKey() return type

- - - - -
9fda42d3 by Endi S. Dewata at 2019-09-20T18:22:29-05:00
Changed KeyClient.retrieveKeyByRequest() return type

- - - - -
aeaae921 by Endi S. Dewata at 2019-09-20T19:36:23-05:00
Cleaned up KRAKeyArchiveCLI and KRAKeyFindCLI

- - - - -
d28b6f2e by Endi S. Dewata at 2019-09-20T19:36:48-05:00
Added --input-format option for pki kra-key-archive

- - - - -
95aedf44 by Endi S. Dewata at 2019-09-20T19:37:06-05:00
Added --input-format option for pki kra-key-retrieve

- - - - -
29a4fd38 by Endi S. Dewata at 2019-09-20T19:37:14-05:00
Added --output-format option for pki kra-key-retrieve

- - - - -
bcc23c96 by Dinesh Prasanth M K at 2019-09-23T10:39:48-04:00
Fix Python error in crypto.import_cert() (#262)

Patch to fix `import_cert()` method in crypto.py to handle
both python2 and python3 based methods

Fixes: https://pagure.io/dogtagpki/issue/3108

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
4c98ff89 by Dinesh Prasanth M K at 2019-09-23T13:53:26-04:00
Fix Python error in crypto.import_cert() (#262)

Patch to fix `import_cert()` method in crypto.py to handle
both python2 and python3 based methods

Fixes: https://pagure.io/dogtagpki/issue/3108

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
31eee19b by Endi S. Dewata at 2019-09-24T13:12:29-05:00
Removed mCMCData field in EnrollProfile

The mCMCData field in EnrollProfile has been removed to
avoid a concurrency issue since the profile may be shared by
multiple threads. Instead, the CMC data will be returned by
getPKIDataFromCMCblob() as a local variable in parseCMC()
which then will be passed as a parameter to other methods.

- - - - -
7dc2ef76 by Endi S. Dewata at 2019-09-25T11:00:30-05:00
Added pki kra-cert-transport commands

New PKI commands have been added to display and retrieve KRA's
transport certificate.

- - - - -
76a50090 by Endi S. Dewata at 2019-09-26T11:29:40-05:00
Cleaned up IPolicyDefault.init()

The unused profile parameter in IPolicyDefault.init() has
been removed.

- - - - -
a92bfd92 by Endi S. Dewata at 2019-09-26T11:32:13-05:00
Updated loggers in PKICertificateApprovalCallback

- - - - -
514d1f13 by Endi S. Dewata at 2019-09-26T12:26:24-05:00
Updated Jackson packages in pom.xml

- - - - -
78147ebc by Endi S. Dewata at 2019-09-26T12:28:21-05:00
Moved EnrollProfile.normalizeCertReq()

The EnrollProfile.normalizeCertReq() has been moved into
CertUtils.

- - - - -
50f415ee by Endi S. Dewata at 2019-09-26T13:07:20-05:00
Moved EnrollProfile.parsePKCS10()

The EnrollProfile.parsePKCS10() has been moved into CertUtils.

- - - - -
0a20a49a by Endi S. Dewata at 2019-09-26T13:07:35-05:00
Moved EnrollProfile.parseKeyGen()

The EnrollProfile.parseKeyGen() has been moved into CertUtils.

- - - - -
b6fc26a2 by Endi S. Dewata at 2019-09-26T13:08:55-05:00
Moved EnrollProfile.parseCRMF()

The EnrollProfile.parseCRMF() has been moved into CertUtils.

- - - - -
db74abaa by Endi S. Dewata at 2019-09-26T13:09:12-05:00
Removed redundant references to IProfileInput

- - - - -
79022b4d by Endi S. Dewata at 2019-09-26T13:09:12-05:00
Removed redundant references to IProfileOutput

- - - - -
0d995ad4 by Endi S. Dewata at 2019-09-26T20:14:43-05:00
Cleaned up pki client-init

- - - - -
0f26249a by Endi S. Dewata at 2019-09-26T20:55:26-05:00
Cleaned up pki client-cert-import

- - - - -
b4507a71 by Endi S. Dewata at 2019-09-26T20:55:42-05:00
Cleaned up pki pkcs12-import

- - - - -
6032a0e0 by Endi S. Dewata at 2019-09-27T10:26:36-05:00
Updated PKCS10Client

The PKCS10Client has been modified to work with an unprotected NSS
database by making the password parameter optional.

- - - - -
f5113cfc by Endi S. Dewata at 2019-09-27T10:26:36-05:00
Updated pki client-cert-request

The pki client-cert-request has been modified to work with
an unprotected NSS database by making the password parameter
optional.

- - - - -
b4044db4 by Endi S. Dewata at 2019-09-27T10:43:50-05:00
Added pki ca-cert-export

The pki ca-cert-export has been added to export a certificate
from the CA. This is similar to pki kra-cert-transport-export.

- - - - -
11881959 by Endi S. Dewata at 2019-09-27T11:32:55-05:00
Deprecated some options in pki ca-cert-show

- - - - -
9ba49ed2 by Endi S. Dewata at 2019-09-27T15:01:26-05:00
Refactored MainCLI

The MainCLI has been modified such that it can only be
initialized once.

- - - - -
e7d8bf30 by Endi S. Dewata at 2019-09-27T15:04:00-05:00
Refactored SubsystemCLI

The SubsystemCLI has been modified such that it stores a
reference to the MainCLI.

- - - - -
89290cc6 by Endi S. Dewata at 2019-09-27T15:42:08-05:00
Updated pki client initialization

- - - - -
6945b725 by Endi S. Dewata at 2019-09-27T17:19:38-05:00
Updated pki ca-authority initialization

- - - - -
dbd7c191 by Endi S. Dewata at 2019-09-27T17:19:52-05:00
Updated pki ca-kraconnector initialization

- - - - -
73eb636e by Endi S. Dewata at 2019-09-27T17:20:01-05:00
Updated pki ca-profile initialization

- - - - -
7099f2dd by Endi S. Dewata at 2019-09-27T17:20:11-05:00
Updated pki kra-cert initialization

- - - - -
aafdbdd1 by Endi S. Dewata at 2019-09-27T17:20:24-05:00
Updated pki tks-tpsconnector initialization

- - - - -
c367bf61 by Endi S. Dewata at 2019-09-27T17:20:35-05:00
Updated pki tps-cert initialization

- - - - -
b01381ed by Endi S. Dewata at 2019-09-27T17:20:43-05:00
Updated pki tps-profile initialization

- - - - -
feba9f1c by Endi S. Dewata at 2019-09-27T17:20:54-05:00
Updated pki tps-token initialization

- - - - -
ab3f590f by Endi S. Dewata at 2019-09-27T18:35:42-05:00
Updated pki tps-activity initialization

- - - - -
5319d556 by Endi S. Dewata at 2019-09-27T18:35:45-05:00
Updated pki tps-config initialization

- - - - -
29854f5e by Endi S. Dewata at 2019-09-27T18:36:01-05:00
Updated pki securitydomain initialization

- - - - -
b7ab656a by Endi S. Dewata at 2019-09-27T18:36:10-05:00
Updated pki pkcs7 initialization

- - - - -
e2982f9d by Endi S. Dewata at 2019-09-27T18:36:16-05:00
Updated pki pkcs11 initialization

- - - - -
76d2232a by Endi S. Dewata at 2019-09-27T18:36:26-05:00
Updated pki pkcs12-cert initialization

- - - - -
1f6e000d by Endi S. Dewata at 2019-09-27T18:36:32-05:00
Updated pki pkcs12-key initialization

- - - - -
f948a18a by Endi S. Dewata at 2019-09-27T18:36:41-05:00
Updated pki pkcs12-import/export initialization

- - - - -
7205e2f1 by Endi S. Dewata at 2019-09-27T21:18:39-05:00
Added CLI.getRoot()

The CLI.getRoot() has been added to get the MainCLI object.

- - - - -
614ef9b1 by Endi S. Dewata at 2019-09-27T21:30:03-05:00
Updated pki ca-cert initialization

- - - - -
22364fc0 by Endi S. Dewata at 2019-09-27T21:30:12-05:00
Updated pki kra-key initialization

- - - - -
fce70cd4 by Endi S. Dewata at 2019-09-27T21:30:50-05:00
Updated pki <subsystem>-audit initialization

- - - - -
31fe751e by Endi S. Dewata at 2019-09-27T21:31:16-05:00
Updated pki <subsystem>-authenticator initialization

- - - - -
dc22384e by Endi S. Dewata at 2019-09-27T21:31:16-05:00
Updated pki <subsystem>-connector initialization

- - - - -
c43f873d by Endi S. Dewata at 2019-09-27T21:31:16-05:00
Updated pki <subsystem>-feature initialization

- - - - -
b68f4c33 by Endi S. Dewata at 2019-09-27T21:31:43-05:00
Updated pki <subsystem>-group initialization

- - - - -
0c04b36d by Endi S. Dewata at 2019-09-27T21:31:50-05:00
Updated pki <subsystem>-user initialization

- - - - -
916764bc by Endi S. Dewata at 2019-09-27T21:32:31-05:00
Updated pki <subsystem>-selftest initialization

- - - - -
546ab1ef by Endi S. Dewata at 2019-09-27T22:18:14-05:00
Updated pki CLI initialization

The pki CLI has been modified such that it initializes NSS
only when it is needed by the CLI.

- - - - -
0aaedde6 by Endi S. Dewata at 2019-09-30T14:25:24-05:00
Updated loggers in OCSPClient

- - - - -
0e2805eb by Endi S. Dewata at 2019-09-30T14:25:46-05:00
Updated loggers in pki ca-cert-status

- - - - -
378cc99b by Endi S. Dewata at 2019-09-30T14:26:10-05:00
Updated loggers in OCSPProcessor

- - - - -
8e05b31c by Endi S. Dewata at 2019-09-30T19:54:12-05:00
Updated loggers in pki ca-cert-request

- - - - -
58509b9d by Endi S. Dewata at 2019-09-30T19:56:49-05:00
Updated loggers in pki ca-cert

- - - - -
34c16092 by Endi S. Dewata at 2019-09-30T20:48:59-05:00
Updated loggers in pki client

- - - - -
28eeaa67 by Endi S. Dewata at 2019-09-30T21:57:37-05:00
Updated loggers in pki <subsystem>-user

- - - - -
c2536ccb by Endi S. Dewata at 2019-10-02T14:27:42-05:00
Refactored CLI.printHelp()

- - - - -
10a5a341 by Endi S. Dewata at 2019-10-03T10:10:51-05:00
Updated default port for PKI CLI

The PKI CLI has been modified to use HTTPS over port 8443
by default.

https://www.dogtagpki.org/wiki/PKI_10.8_PKI_CLI_Changes

- - - - -
beb7301c by Endi S. Dewata at 2019-10-03T10:10:51-05:00
Updated PKI CLI handling of untrusted issuer

The PKICertificateApprovalCallback.handleUntrustedIssuer() has
been modified such that it will ask the user whether to trust
the SSL certificate of the PKI server that the client is trying
to access. If the certificate is trusted, it will be imported
into the client's NSS database and marked as trusted peer.

https://www.dogtagpki.org/wiki/PKI_10.8_PKI_CLI_Changes

- - - - -
36c0bd48 by Endi S. Dewata at 2019-10-03T10:13:20-05:00
Added CommandCLI

The CommandCLI has been added as a base class for all commands.

- - - - -
285d9029 by Endi S. Dewata at 2019-10-03T10:13:20-05:00
Updated loggers in pki <subsystem>-group

- - - - -
16e07b0b by Endi S. Dewata at 2019-10-03T10:13:20-05:00
Updated loggers in pki kra-key

- - - - -
737dd5cc by Endi S. Dewata at 2019-10-03T10:13:20-05:00
Updated loggers in pki <subsystem>-audit

- - - - -
b8dfa8c6 by Endi S. Dewata at 2019-10-03T10:13:20-05:00
Updated loggers in pki <subsystem>-selftest

- - - - -
ace09170 by Endi S. Dewata at 2019-10-03T10:13:20-05:00
Updated loggers in pki ca-profile

- - - - -
09408112 by Endi S. Dewata at 2019-10-03T10:13:20-05:00
Updated loggers in pki tks-tpsconnector

- - - - -
d9390771 by Endi S. Dewata at 2019-10-03T10:13:20-05:00
Updated loggers in pki tps-activity

- - - - -
dd0ee8e9 by Endi S. Dewata at 2019-10-03T10:13:20-05:00
Updated loggers in pki tps-authenticator

- - - - -
6f50ffb1 by Endi S. Dewata at 2019-10-03T10:13:20-05:00
Updated loggers in pki tps-cert

- - - - -
953e8a3f by Endi S. Dewata at 2019-10-03T10:13:20-05:00
Updated loggers in pki tps-config

- - - - -
6e672c4b by Endi S. Dewata at 2019-10-03T10:13:20-05:00
Updated loggers in pki tps-connector

- - - - -
bb07d47d by Endi S. Dewata at 2019-10-03T10:13:20-05:00
Updated loggers in pki tps-profile-mapping

- - - - -
9d6a8527 by Endi S. Dewata at 2019-10-03T10:13:20-05:00
Updated loggers in pki tps-profile

- - - - -
373d428e by Endi S. Dewata at 2019-10-03T10:13:20-05:00
Updated loggers in pki tps-token

- - - - -
134adce3 by Endi S. Dewata at 2019-10-03T17:34:24-05:00
Cleaned up pki ca-authority

- - - - -
ca629d72 by Endi S. Dewata at 2019-10-03T17:34:48-05:00
Cleaned up pki ca-cert

- - - - -
fa903aa6 by Endi S. Dewata at 2019-10-03T17:34:48-05:00
Cleaned up pki ca-kraconnector

- - - - -
952b15be by Endi S. Dewata at 2019-10-03T17:34:48-05:00
Cleaned up pki client

- - - - -
cd09729d by Endi S. Dewata at 2019-10-03T17:34:48-05:00
Cleaned up pki kra-key

- - - - -
0317fcfd by Endi S. Dewata at 2019-10-03T17:35:06-05:00
Cleaned up pki <subsystem>-audit

- - - - -
7b7a9b67 by Endi S. Dewata at 2019-10-03T17:36:09-05:00
Cleaned up pki <subsystem>-feature

- - - - -
50683d76 by Endi S. Dewata at 2019-10-03T17:36:09-05:00
Cleaned up pki <subsystem>-user

- - - - -
7488883a by Endi S. Dewata at 2019-10-03T17:36:09-05:00
Cleaned up pki securitydomain

- - - - -
41c3317c by Endi S. Dewata at 2019-10-03T17:36:09-05:00
Cleaned up pki pkcs7

- - - - -
f8fa4ef8 by Endi S. Dewata at 2019-10-03T17:36:09-05:00
Cleaned up pki pkcs11

- - - - -
5b8dfe81 by Endi S. Dewata at 2019-10-03T17:36:09-05:00
Cleaned up pki pkcs12

- - - - -
b6183708 by Endi S. Dewata at 2019-10-03T17:36:09-05:00
Cleaned up pki-server <subsystem>-db

- - - - -
5cdf00aa by Endi S. Dewata at 2019-10-03T17:37:12-05:00
Cleaned up pki help

- - - - -
4cf4507c by Endi S. Dewata at 2019-10-03T17:37:32-05:00
Updated loggers in MainCLI

- - - - -
d0d0ec4c by Endi S. Dewata at 2019-10-03T17:49:27-05:00
Updated loggers in PKIConnection

- - - - -
5a585ddd by Endi S. Dewata at 2019-10-03T17:53:43-05:00
Updated loggers in PKIClient

- - - - -
44878aac by Endi S. Dewata at 2019-10-04T18:03:12-05:00
Removed unused verbose field in CLI

- - - - -
104033a4 by Endi S. Dewata at 2019-10-04T18:50:45-05:00
Updated loggers in pki-server banner

- - - - -
525ca314 by Endi S. Dewata at 2019-10-04T18:50:45-05:00
Updated loggers in pki-server cert

- - - - -
16609ed0 by Endi S. Dewata at 2019-10-04T18:50:45-05:00
Updated loggers in pki-server instance

- - - - -
10272b76 by Endi S. Dewata at 2019-10-04T18:50:45-05:00
Updated loggers in pki-server kra

- - - - -
518db78e by Endi S. Dewata at 2019-10-04T18:50:45-05:00
Updated loggers in pki-server migrate

- - - - -
a446caac by Endi S. Dewata at 2019-10-04T18:50:45-05:00
Updated loggers in pki-server nuxwdog

- - - - -
0d9786c5 by Endi S. Dewata at 2019-10-04T20:52:08-05:00
Updated loggers in pki-server ocsp

- - - - -
1d620d3b by Endi S. Dewata at 2019-10-04T20:52:37-05:00
Updated loggers in pki-server password

- - - - -
c0a91dde by Endi S. Dewata at 2019-10-04T20:52:37-05:00
Updated loggers in pki-server subsystem

- - - - -
ba51c74c by Endi S. Dewata at 2019-10-04T20:52:37-05:00
Updated loggers in pki-server tks

- - - - -
f2434714 by Endi S. Dewata at 2019-10-04T20:52:37-05:00
Updated loggers in pki-server tps

- - - - -
6e2ffca2 by Endi S. Dewata at 2019-10-04T20:52:37-05:00
Updated loggers in pki-server <subsystem>-audit

- - - - -
4d128e37 by Endi S. Dewata at 2019-10-04T20:52:37-05:00
Updated loggers in pki-server

- - - - -
43b40ba9 by Endi S. Dewata at 2019-10-04T20:52:37-05:00
Updated loggers in pki pkcs12

- - - - -
10d74e56 by Endi S. Dewata at 2019-10-04T20:52:37-05:00
Updated loggers in pki CLI

- - - - -
74b3be04 by Endi S. Dewata at 2019-10-04T20:52:37-05:00
Updated loggers in pki.nssdb

- - - - -
dbb55535 by Endi S. Dewata at 2019-10-04T20:53:01-05:00
Removed unused fields in pki.cli.CLI

- - - - -
522372c9 by Endi S. Dewata at 2019-10-07T09:56:20-05:00
Removed LDAP setup files from instance folder

The following files are only used to setup LDAP during
installation so they have been removed from instance folder:
- schema-authority.ldif
- schema-certProfile.ldif
- usn.ldif

- - - - -
0e32d11a by Endi S. Dewata at 2019-10-07T10:57:18-05:00
Fixed links to default Tomcat configuration files

The following Tomcat configuration files have been converted into
links since they are identical to the default:
- context.xml
- tomcat-users.xml
- tomcat-users.xsd
- web.xml

- - - - -
e3e6131d by Endi S. Dewata at 2019-10-07T12:48:33-05:00
Moved PKIInstance

The pki.server.PKIInstance class has been moved into
pki.server.instance module.

- - - - -
960d2c48 by Endi S. Dewata at 2019-10-07T15:16:55-05:00
Fixed flake8 issues in upgrade scripts

- - - - -
63e4dde8 by Endi S. Dewata at 2019-10-09T13:47:49-05:00
Cleaned up XML conversion in CertReviewResponse

- - - - -
a7b6ffd6 by Endi S. Dewata at 2019-10-09T14:40:54-05:00
Added CACertRequestCLI

The commands to manage certificate requests in CA have been
moved from CACertCLI into CACertRequestCLI.

- - - - -
c428e35d by Endi S. Dewata at 2019-10-09T14:55:46-05:00
Cleaned up pki ca-cert-request-review

- - - - -
f38eda2d by Endi S. Dewata at 2019-10-10T08:40:50-05:00
Refactored SystemCertService

The SystemCertService has been split into CASystemCertService
and KRASystemCertService such that they can be customized for
each subsystem.

- - - - -
3cb89643 by Endi S. Dewata at 2019-10-10T08:41:08-05:00
Added pki ca-cert-transport commands

- - - - -
685ddc78 by Endi S. Dewata at 2019-10-10T08:42:55-05:00
Added pki ca-cert-signing commands

- - - - -
d70a2b50 by Endi S. Dewata at 2019-10-11T19:43:59-05:00
Added hashCode() and equals() for KeyData

- - - - -
c2ad6005 by Endi S. Dewata at 2019-10-11T19:44:18-05:00
Added hashCode() and equals() for KeyRequestResponse

- - - - -
2f352948 by Endi S. Dewata at 2019-10-11T19:45:24-05:00
Updated exception declarations for key services

- - - - -
22e746dc by Endi S. Dewata at 2019-10-11T19:46:05-05:00
Added XML/JSON converters for CMSRequestInfo

- - - - -
6295fb8e by Endi S. Dewata at 2019-10-11T19:46:19-05:00
Updated XML/JSON converters for KeyRequestInfo

- - - - -
5525b905 by Endi S. Dewata at 2019-10-11T19:46:43-05:00
Added XML/JSON converters for KeyRequestResponse

- - - - -
e962157c by Endi S. Dewata at 2019-10-11T19:47:48-05:00
Cleaned up JSON output in key classes

- - - - -
430f70d8 by Endi S. Dewata at 2019-10-11T19:48:38-05:00
Updated loggers in KeyClient

- - - - -
e335c79c by Endi S. Dewata at 2019-10-11T19:48:54-05:00
Updated loggers in KeyRequestService

- - - - -
415816e0 by Endi S. Dewata at 2019-10-11T19:58:17-05:00
Updated loggers in KeyService

- - - - -
6f9c5c69 by Endi S. Dewata at 2019-10-14T07:25:57-05:00
Fixed pylint issues on Fedora Rawhide

- - - - -
3807543a by Endi S. Dewata at 2019-10-14T07:27:13-05:00
Removed old upgrade check

- - - - -
1dfc6252 by Endi S. Dewata at 2019-10-14T07:27:28-05:00
Fixed RPM issues on Fedora Rawhide

- - - - -
413e6d79 by Endi S. Dewata at 2019-10-14T08:26:38-05:00
Renamed upgrade scripts

- - - - -
f8346926 by Endi S. Dewata at 2019-10-14T08:27:39-05:00
Removed unused UserDatabase from server.xml

- - - - -
9eb54439 by Endi S. Dewata at 2019-10-14T08:27:39-05:00
Removed unused tomcat-user.xml and tomcat-user.xsd

- - - - -
b8e72e6e by Endi S. Dewata at 2019-10-14T08:27:39-05:00
Removed policy files from instance folder

The installation tool has been modified to no longer copy
policy files into instance folder.

- - - - -
c10c0038 by Endi S. Dewata at 2019-10-14T08:27:39-05:00
Added upgrade script to remove pki.policy

- - - - -
5ec851db by Endi S. Dewata at 2019-10-14T08:27:39-05:00
Added upgrade script to remove empty custom.policy

- - - - -
74000558 by Endi S. Dewata at 2019-10-14T12:27:42-05:00
Updated default auth-method.properties (part 2)

Previously the default auth-method.properties has been set up
such that certain operations must be authenticated using specific
methods.

The file has been modified such that any authentication method
can be used by default.

- - - - -
8d74fa8c by Endi S. Dewata at 2019-10-14T12:27:50-05:00
Updated NSSCryptoProvider

The NSSCryptoProvider has been modified to work with
unprotected NSS database.

- - - - -
409096af by Endi S. Dewata at 2019-10-14T12:28:48-05:00
Updated pki kra-key

The pki kra-key has been modified to work with unprotected
NSS database.

- - - - -
a40b6cb1 by Endi S. Dewata at 2019-10-14T12:29:01-05:00
Fixed pki kra-key-retrieve

The pki kra-key-retrieve has been modified to send the entire
KeyRecoveryRequest object to the server.

- - - - -
5a4352f4 by Endi S. Dewata at 2019-10-14T12:29:01-05:00
Removed base64 line wrapping in key messages

- - - - -
e302c564 by Christina Fu at 2019-10-14T18:21:24-07:00
RHCS-maint TMS patches integration

- - - - -
48915674 by Endi S. Dewata at 2019-10-15T11:46:47-05:00
Moved PKIInstance.open_nssdb()

- - - - -
7e723260 by Endi S. Dewata at 2019-10-15T11:46:47-05:00
Cleaned up RESTEasy links in CMakeLists.txt

- - - - -
114b010f by Endi S. Dewata at 2019-10-15T14:21:15-05:00
Added p11-kit-trust for pki CLI

The pki CLI has been modified to add the p11-kit-trust module
into the NSS database such that it trusts the CA certificates
provided by the system.

- - - - -
a40850d9 by Endi S. Dewata at 2019-10-15T17:07:45-05:00
Updated LICENSE file

The LICENSE file has been updated to include GPLv2+:
https://www.gnu.org/licenses/old-licenses/gpl-2.0.txt

The EngineConfig.java has been updated to use SPDX header:
https://events.static.linuxfound.org/sites/events/files/Introduction%20to%20SPDX-without%20graphics.pdf
This is to show how to use SPDX header in a new source code.

A GPL Cooperation Commitment file has been added:
https://gplcc.github.io/gplcc/Project/README.html

- - - - -
a5216a14 by Endi S. Dewata at 2019-10-16T17:31:12-05:00
Cleaned up TPS build scripts

Previously the TPS build scripts generated some artifacts in the
buildroot that were not included in the RPM package so rpmbuild
would generate warnings about those files.

To avoid the warnings the TPS build scripts have been modified
to no longer install those files into the buildroot.

In the future the unused sources should be removed from the
source repository.

- - - - -
ed4a3ade by Endi S. Dewata at 2019-10-16T17:45:01-05:00
Updated loggers in EnrollProfile

- - - - -
e7cb29d0 by Endi S. Dewata at 2019-10-16T17:45:01-05:00
Updated loggers in UserSubjectNameDefault

- - - - -
2115c3de by Endi S. Dewata at 2019-10-16T17:45:01-05:00
Cleaned up CertificatePoliciesExtDefault.createExtension()

- - - - -
de740797 by Endi S. Dewata at 2019-10-16T17:45:01-05:00
Fixed pki-server webapp-undeploy

- - - - -
7c1d04e2 by Endi S. Dewata at 2019-10-16T17:45:01-05:00
Added --no-password option for pki-server nss-create

- - - - -
8b7a2793 by Endi S. Dewata at 2019-10-16T17:45:19-05:00
Fixed javadoc warnings

- - - - -
fea79ccf by Endi S. Dewata at 2019-10-17T08:28:09-05:00
Updated PKIServer.create()

The PKIServer.create() has been modified to remove the unused
UserDatabase during installation. The RemoveUserDatabase upgrade
script has been modified to call the same code.

- - - - -
36067df4 by Endi S. Dewata at 2019-10-17T08:28:09-05:00
Removed unused LockOutRealm

The PKIServer.create() and the RemoveUserDatabase upgrade
script have been modified to remove the unused LockOutRealm
that depends on UserDatabase.

- - - - -
dcd87724 by Endi S. Dewata at 2019-10-17T17:57:56-05:00
Fixed warnings in SessionKey.cpp

This patch fixed the following warnings:
/root/build/pki/BUILD/pki-10.8.0-a1/base/symkey/src/com/netscape/symkey/SessionKey.cpp:349:39: warning: ISO C++ forbids converting a string constant to 'char*' [-Wwrite-strings]

- - - - -
ff25b4e8 by Endi S. Dewata at 2019-10-17T17:57:56-05:00
Fixed warnings in p7tool (part 1)

This patch fixed the following warnings:
/usr/include/nss3/key.h:9:9: note: #pragma message: key.h is deprecated. Please include keyhi.h instead.

- - - - -
2c5cf4fe by Endi S. Dewata at 2019-10-17T17:57:56-05:00
Fixed warnings in p7tool (part 2)

This patch fixed the following warnings:
/root/build/pki/BUILD/pki-10.8.0-a1/base/native-tools/src/p7tool/secutil.h:207:58: warning: duplicate 'const' declaration specifier [-Wduplicate-decl-specifier]

- - - - -
b1a09a88 by Endi S. Dewata at 2019-10-17T17:57:56-05:00
Fixed warnings in revoker

This patch fixed the following warnings:
/root/build/pki/BUILD/pki-10.8.0-a1/base/native-tools/src/revoker/revoker.c:334:14: warning: passing argument 1 of 'errWarn' discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers]

- - - - -
1378a9fd by Endi S. Dewata at 2019-10-17T17:57:56-05:00
Fixed warnings in setpin

This patch fixed the following warnings:
/root/build/pki/BUILD/pki-10.8.0-a1/base/native-tools/src/setpin/setpin.c:161:19: warning: passing argument 1 of 'exitError' discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers]

- - - - -
5348ecb4 by Endi S. Dewata at 2019-10-17T17:57:56-05:00
Fixed warnings in sslget

This patch fixed the following warnings:
/root/build/pki/BUILD/pki-10.8.0-a1/base/native-tools/src/sslget/sslget.c:320:14: warning: passing argument 1 of 'errWarn' discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers]

- - - - -
4f576c36 by Endi S. Dewata at 2019-10-21T13:00:08-05:00
Generalized pki.policy

The pki.policy has been modified to grant permissions to all
shared PKI files instead of to specific subsystem files only.

- - - - -
df8e6a1a by Endi S. Dewata at 2019-10-21T13:00:08-05:00
Added initial ACMEApplication

This patch added the initial ACMEApplication and CLIs to deploy
and undeploy the application. Other functionalities will be added
in subsequent patches.

- - - - -
8096717a by Endi S. Dewata at 2019-10-21T15:16:58-05:00
Fixed build warnings in tkstool (part 1)

- - - - -
c5f78b48 by Endi S. Dewata at 2019-10-21T15:23:58-05:00
Fixed build warnings in tkstool (part 2)

- - - - -
5e3f79b6 by Endi S. Dewata at 2019-10-21T16:00:12-05:00
Fixed build warnings in tkstool (part 3)

- - - - -
8fadd668 by Endi S. Dewata at 2019-10-21T16:19:49-05:00
Fixed build warnings in tkstool (part 4)

- - - - -
76e0fffc by Endi S. Dewata at 2019-10-21T16:41:03-05:00
Fixed build warnings in tkstool (part 5)

- - - - -
55fccf5e by Endi S. Dewata at 2019-10-21T17:20:40-05:00
Fixed build warnings in tkstool (part 6)

- - - - -
f5621cc7 by Endi S. Dewata at 2019-10-21T18:26:34-05:00
Fixed build warnings in setpin

- - - - -
4e3f1c96 by Christina Fu at 2019-10-22T14:14:24-07:00
Addition to TMS RHCS-maint code merge from 7571dc339ba44c06588764d161749974fe556831

involves:
Bug 1523330 - (addl fix) CC: missing audit event for CS acting as TLS client
Bug 1585722 - TMS - PKISocketFactory – Modify Logging to Allow External Use of class to work like CS8

Fix in 1523330 might have broken 1585722; This patch is to put the audit
call under if (!external) so that external apps calling this class would
not reach the audit code.
In addition, the "external" changes for logging are added (previously omitted
for RHCS-Maint work)

I only tested to be sure that the CA continues to work;  QE will need to
test both again.

https://bugzilla.redhat.com/show_bug.cgi?id=1523330
https://bugzilla.redhat.com/show_bug.cgi?id=1585722

- - - - -
351a8d83 by Endi S. Dewata at 2019-10-23T13:57:54-05:00
Removed unused TPS modules

The sources of legacy TPS modules are no longer used so they
have been removed.

- - - - -
09b2aa96 by Endi S. Dewata at 2019-10-23T13:58:51-05:00
Added ACMEv2 protocol classes

This patch added classes that will be used in ACMEv2 protocol.
Each class has a JSON mapper, but some fields are not mapped
since they are only used internally by the ACME service.

- - - - -
42934ad9 by Endi S. Dewata at 2019-10-23T13:58:51-05:00
Added ACMEDatabase and ACMEBackend

This patch added the configuration and base classes for
ACME database and backend.

- - - - -
298788c2 by Endi S. Dewata at 2019-10-23T13:58:51-05:00
Added default ACME configuration

This patch added the default ACME configuration files. Note that
these files need to be customized before they can be used properly
since the base database and backend classes are just skeletons.
The real database and backend classes will be added in subsequent
patches.

- - - - -
38ec16f6 by Endi S. Dewata at 2019-10-23T13:58:51-05:00
Added pki-server acme-create/remove

This patch added some CLIs to create and remove ACME
configuration files/folder.

- - - - -
eec98d5c by Endi S. Dewata at 2019-10-23T13:58:51-05:00
Added ACMEEngine

This patch added ACMEEngine which will load the configuration
and initialize the database and backend.

- - - - -
879114a4 by Alexander Scheel at 2019-10-23T16:10:51-04:00
Simplify HMAC SecretKey construction

Rather than wrapping and unwrapping a key, we can use the
SecretKeyFactory which is part of the JSS Provider, in combination with
a SecretKeySpec, in order to create a SHA1 HMAC key without requiring
that we wrap and unwrap it.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
2adbab48 by Endi S. Dewata at 2019-10-23T17:27:01-05:00
Cleaned up KeyRequestDAO.doesKeyExist()

- - - - -
34f3122b by Endi S. Dewata at 2019-10-23T17:27:01-05:00
Updated loggers in KeyService

- - - - -
a32cdd00 by Endi S. Dewata at 2019-10-23T17:27:01-05:00
Added --output-format option for pki kra-key-archive

- - - - -
358d1bab by Endi S. Dewata at 2019-10-28T11:56:19-05:00
Fixed javadoc source path

- - - - -
157e4094 by Endi S. Dewata at 2019-10-28T11:56:19-05:00
Fixed CLI classpath

- - - - -
c502998e by Endi S. Dewata at 2019-10-28T17:08:08-05:00
Added ACMEDirectoryService

The ACMEDirectoryService has been added to list the services
provided by the ACME application.

- - - - -
44ea7cdc by Endi S. Dewata at 2019-10-28T17:08:08-05:00
Added ACMENewNonceService

The ACMENewNonceService has been added to provide the initial
nonce for ACME clients.

- - - - -
cd1a9eeb by Endi S. Dewata at 2019-10-28T17:08:08-05:00
Added ACMENewAccountService

The ACMENewAccountService has been added to create new accounts
or validate existing accounts.

- - - - -
b8a0c6fa by Endi S. Dewata at 2019-10-29T10:13:42-05:00
Updated certificate request review process

This patch introduces new certificate request review processes
which should be easier to use and automate.

The following command will display a summary of the request,
then ask the user to enter an action:

  $ pki ca-cert-request-review <request ID>

The following command will display a summary of the request,
then ask the user to confirm the specified action:

  $ pki ca-cert-request-<action> <request ID>

The following command will execute the specified action on
the request without asking for confirmation:

  $ pki ca-cert-request-<action> <request ID> --force

The following commands will store the complete request into
a file allowing a more detailed review, then perform the
specified action based on the updated request in the file:

  $ pki ca-cert-request-review <request ID> --output-file <file>
  $ pki ca-cert-request-<action> <request ID> --input-file <file>

The old processes are still available, but they have been
deprecated and may be removed in the future.

https://www.dogtagpki.org/wiki/PKI_10.8_PKI_CLI_Changes

- - - - -
95d0c670 by Endi S. Dewata at 2019-10-29T11:10:44-05:00
Updated KeyRecoveryRequest

The Python KeyRecoveryRequest class has been updated to store
the parameters as request attributes only if they have values.

- - - - -
96691864 by Endi S. Dewata at 2019-10-29T11:12:26-05:00
Fixed pki-server nss-create --no-password

- - - - -
861396e5 by Endi S. Dewata at 2019-10-29T12:03:20-05:00
Fixed PKIServer.create_server_xml()

- - - - -
2cc9006c by Endi S. Dewata at 2019-10-30T17:55:53-05:00
Fixed logging in PKIInstance.execute()

- - - - -
e682cccf by Endi S. Dewata at 2019-10-30T17:56:09-05:00
Cleaned up CertUtils.verifySystemCertValidityByNickname()

- - - - -
d85610d4 by Endi S. Dewata at 2019-10-30T17:56:34-05:00
Updated loggers in upgrade framework

- - - - -
9e44ce18 by Endi S. Dewata at 2019-10-30T17:57:11-05:00
Updated loggers in PKI 10.8.0 upgrade scripts

- - - - -
ef03a87a by Endi S. Dewata at 2019-10-30T18:30:25-05:00
Updated loggers in ProxyRealm

- - - - -
5ed8eb85 by Endi S. Dewata at 2019-10-30T20:45:14-05:00
Cleaned up build.sh

- - - - -
3f9024ce by Endi S. Dewata at 2019-10-31T17:30:49-05:00
Added CMSEngine.createConfig()

The createConfig() method has been added to CMSEngine such
that each subsystem can create subsystem-specific engine
configuration object.

- - - - -
56743283 by Endi S. Dewata at 2019-10-31T17:30:58-05:00
Added subsystem-specific EngineConfig classes

- - - - -
4864d6da by Endi S. Dewata at 2019-10-31T21:00:50-05:00
Added AuthenticationConfig

The AuthenticationConfig has been added to encapsulate auths.*
properties in CS.cfg.

- - - - -
03900d68 by Endi S. Dewata at 2019-10-31T21:25:27-05:00
Replaced AuthSubsystem.mConfig

The AuthSubsystem.mConfig has been converted into an
AuthenticationConfig object and passed to the authentication
managers via a separate method.

- - - - -
a0081b1d by Endi S. Dewata at 2019-10-31T21:25:51-05:00
Added AuthManagersConfig

The AuthManagersConfig has been added to encapsulate
auths.instance.* properties in CS.cfg.

- - - - -
d0476cb3 by Endi S. Dewata at 2019-10-31T21:25:51-05:00
Added AuthManagerConfig

The AuthManagerConfig has been added to encapsulate
auths.instance.<name>.* properties in CS.cfg.

- - - - -
e1d7d0ac by Endi S. Dewata at 2019-10-31T21:25:51-05:00
Added AuthorizationConfig

The AuthorizationConfig has been added to encapsulate authz.*
properties in CS.cfg.

- - - - -
35a2f54b by Endi S. Dewata at 2019-10-31T21:25:51-05:00
Added DatabaseConfig

The DatabaseConfig has been added to encapsulate dbs.*
properties in CS.cfg.

- - - - -
15e13f6f by Endi S. Dewata at 2019-11-01T10:17:53-05:00
Moved IAuthSubsystem

- - - - -
9b76055f by Endi S. Dewata at 2019-11-01T10:18:47-05:00
Moved ICertUserDBAuthentication

- - - - -
8d1a2e2f by Endi S. Dewata at 2019-11-01T10:19:41-05:00
Moved AuthToken

- - - - -
0e13c647 by Endi S. Dewata at 2019-11-01T10:20:43-05:00
Moved AuthManagerProxy

- - - - -
2529484a by Endi S. Dewata at 2019-11-01T10:21:33-05:00
Moved IAuthManager

- - - - -
04752f1c by Endi S. Dewata at 2019-11-01T11:32:13-05:00
Updated config objects in authentication managers

The generic config objects in all authentication managers have
been replaced with AuthManagerConfig.

- - - - -
d522c85f by Endi S. Dewata at 2019-11-01T11:43:44-05:00
Moved IAuthzSubsystem

- - - - -
5180baee by Endi S. Dewata at 2019-11-01T11:43:44-05:00
Moved AuthzManagerProxy

- - - - -
cd5cd3af by Endi S. Dewata at 2019-11-01T11:43:44-05:00
Moved AuthzToken and IAuthzManager

- - - - -
4e246063 by Endi S. Dewata at 2019-11-01T11:43:44-05:00
Moved AuthorizationConfig

- - - - -
f5f4693c by Endi S. Dewata at 2019-11-01T11:43:44-05:00
Moved authentication config classes

- - - - -
bfd9aaad by Endi S. Dewata at 2019-11-01T11:43:44-05:00
Added AuthzManagersConfig

The AuthzManagersConfig has been added to encapsulate
authz.instance.* properties in CS.cfg.

- - - - -
dbf9e967 by Endi S. Dewata at 2019-11-01T11:43:44-05:00
Added AuthzManagerConfig

The AuthzManagerConfig has been added to encapsulate
authz.instance.<name>.* properties in CS.cfg.

- - - - -
0bc564ab by Endi S. Dewata at 2019-11-04T08:40:22-06:00
Updated NSSDatabase.create()

The NSSDatabase.create() has been modified to add the
p11-kit-trust module in the newly created NSS database.

- - - - -
578e51da by Endi S. Dewata at 2019-11-04T08:42:15-06:00
Refactored PropConfigStore.getSubStore()

The PropConfigStore.getSubStore() has been modified to support
creating specific config objects.

- - - - -
e2105b6e by Endi S. Dewata at 2019-11-04T08:42:34-06:00
Replaced generic config with LDAPConfig

- - - - -
ab72fb43 by Endi S. Dewata at 2019-11-04T08:42:49-06:00
Added LDAPConfig.getBaseDN()

- - - - -
fbdef952 by Endi S. Dewata at 2019-11-04T08:43:12-06:00
Added CRLIssuingPointConfig

- - - - -
0352545d by Endi S. Dewata at 2019-11-04T08:43:33-06:00
Added subsystem configuration classes

- - - - -
44138b47 by Endi S. Dewata at 2019-11-04T10:45:22-06:00
Fixed pki-server tks-clone-prepare

The pki-server tks-clone-prepare has been modified to no
longer export the signing certificate since it is not listed
in tks.cert.list property in CS.cfg.

- - - - -
46df45c0 by Endi S. Dewata at 2019-11-04T11:44:56-06:00
Fixed missing ManualAuthentication

The GenericPolicyProcessor has been modified to remove the
hard-coded package name of ManualAuthentication class.

https://pagure.io/dogtagpki/issue/3111

- - - - -
3cdb3ae8 by Endi S. Dewata at 2019-11-04T12:43:12-06:00
Fixed LDAPProfileSubsystem initialization

The LDAPProfileSubsystem has been modified to initialize the
Collection fields during object instantiation to prevent NPE
during shutdown.

- - - - -
473dc0ad by Endi S. Dewata at 2019-11-04T12:56:12-06:00
Updated loggers in GenericPolicyProcessor.initSystemPolicies()

- - - - -
b9d16758 by Endi S. Dewata at 2019-11-05T09:45:44-06:00
Cleaned up pkidestroy log messages

- - - - -
03fb65fd by Endi S. Dewata at 2019-11-05T12:43:14-06:00
Updated server NSS database creation

The code that creates and removes NSS database has been moved
into security_databases.py.

- - - - -
68010fe6 by Endi S. Dewata at 2019-11-05T12:44:36-06:00
Added NSSDatabase.exists()

- - - - -
2424253d by Dinesh Prasanth M K at 2019-11-06T09:11:17-05:00
[DOC] Update clone installation instructions (#279)

SELinux context needs to be set on the exported PKCS#12 file
containing master's system certificates. Otherwise, pkispawn will fail
with permission denied

- - - - -
32a972e6 by Endi S. Dewata at 2019-11-06T09:54:19-06:00
Added PKIInstance.create_nssdb() and remove_nssdb()

- - - - -
bce123bf by Endi S. Dewata at 2019-11-06T10:49:16-06:00
Added support for custom NSS database

Deployment scriptlets have been modified to use the existing NSS
database if it already exists in the instance folder. This allows
the admin to create a custom NSS database if needed.

- - - - -
bcce7dc5 by Endi S. Dewata at 2019-11-07T12:30:18-06:00
Added ACMENewOrderService

The ACMENewOrderService has been added to accept certificate
enrollment requests.

- - - - -
4c841b1f by Endi S. Dewata at 2019-11-07T12:30:18-06:00
Added ACME validators

The DNS01Validator and HTTP01Validator have been added to
provide dns-01 and http-01 domain validations.

- - - - -
ee03d352 by Endi S. Dewata at 2019-11-07T12:30:18-06:00
Added ACMEAuthorizationService

The ACMEAuthorizationService has been added to generate ACME
challenges.

- - - - -
caf73448 by Endi S. Dewata at 2019-11-07T12:30:18-06:00
Added ACMEChallengeService

The ACMEChallengeService has been added to perform the ACME
validation.

- - - - -
4dead15f by Endi S. Dewata at 2019-11-11T10:13:43-06:00
Added PostgreSQLDatabase

The PostgreSQLDatabase has been added to provide a PostgreSQL
data store for ACME.

- - - - -
315eb19f by Alexander Scheel at 2019-11-11T15:08:11-05:00
Use JSS-provided CSPRNG for token generation

RandomStringUtils.randomAlphanumeric isn't guaranteed to choose numbers
from a cryptographically secure random source. The default Random(...)
instance in Java isn't likely to be a CSPRNG either. Use
RandomStringUtils.random(...) with a JSS-provided CSPRNG instead.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
6b9915dd by Endi S. Dewata at 2019-11-11T15:13:27-06:00
CI improvements

To improve CI reliability, reduce execution time, and conserve
resources, the build and test logs will be uploaded to transfer.sh
only on failures.

- - - - -
7e7a0d01 by Endi S. Dewata at 2019-11-11T18:30:30-06:00
Updated DatabaseConfig

- - - - -
7e519e30 by Endi S. Dewata at 2019-11-11T18:30:30-06:00
Renamed EngineConfig.getInternalDatabase()

- - - - -
dbb7f3c5 by Endi S. Dewata at 2019-11-11T18:30:30-06:00
Moved IDBSubsystem

- - - - -
b43751f5 by Endi S. Dewata at 2019-11-11T20:27:46-06:00
Updated LdapBoundConnFactory.init()

The LdapBoundConnFactory.init() has been modified to take an
LDAPConfig object instead of generic IConfigStore object.

- - - - -
018707a1 by Endi S. Dewata at 2019-11-11T20:28:43-06:00
Updated LdapAnonConnFactory.init()

The LdapAnonConnFactory.init() has been modified to take an
LDAPConfig object instead of generic IConfigStore object.

- - - - -
b1af3e26 by Endi S. Dewata at 2019-11-11T22:45:38-06:00
Added LDAPConnectionConfig

- - - - -
a8f7df4e by Endi S. Dewata at 2019-11-11T22:45:56-06:00
Added LDAPAuthenticationConfig

- - - - -
e99f73ae by Endi S. Dewata at 2019-11-11T23:15:44-06:00
Replaced CMSEngine.getConfigStore()

- - - - -
97ba7c9d by Endi S. Dewata at 2019-11-12T14:22:10-06:00
Moved IProfile

- - - - -
a7a05f05 by Endi S. Dewata at 2019-11-12T20:05:07-06:00
Replaced Configurator.getBaseEntry()

The Configurator.getBaseEntry() has been replaced with
LDAPConfigurator.getEntry().

- - - - -
0c183748 by Endi S. Dewata at 2019-11-12T20:05:11-06:00
Replaced Configurator.getMappingEntry()

The Configurator.getMappingEntry() has been replaced with
LDAPConfigurator.getEntry().

- - - - -
59e19bdf by Endi S. Dewata at 2019-11-12T20:05:11-06:00
Replaced Configurator.getDatabaseEntry()

The Configurator.getDatabaseEntry() has been replaced with
LDAPConfigurator.getEntry().

- - - - -
01f19623 by Endi S. Dewata at 2019-11-12T22:43:35-06:00
Replaced Configurator.confirmNoConflictingMappingsForDB()

The Configurator.confirmNoConflictingMappingsForDB() has been
replaced with LDAPConfigurator.checkForConflictingMappings().

- - - - -
2754dc40 by Endi S. Dewata at 2019-11-12T22:55:15-06:00
Replaced Configurator.deleteSubtree()

The Configurator.deleteSubtree() has been replaced with
LDAPConfigurator.deleteEntry().

- - - - -
beccf568 by Endi S. Dewata at 2019-11-13T12:00:15-06:00
Replaced Configurator.wait_for_task()

The Configurator.wait_for_task() has been replaced with
LDAPConfigurator.waitForTask().

- - - - -
c42cf626 by Endi S. Dewata at 2019-11-13T14:24:15-06:00
Replaced Configurator.createDatabaseEntry()

The Configurator.createDatabaseEntry() has been replaced with
LDAPConfigurator.createDatabaseEntry().

- - - - -
e17825e3 by Endi S. Dewata at 2019-11-13T14:25:58-06:00
Replaced Configurator.createDatabaseMappingEntry()

The Configurator.createDatabaseMappingEntry() has been replaced
with LDAPConfigurator.createMappingEntry().

- - - - -
eea65b97 by Endi S. Dewata at 2019-11-13T15:42:42-06:00
Replaced Configurator.checkParentExists()

The Configurator.checkParentExists() has been replaced with
LDAPConfigurator.checkParentExists().

- - - - -
5504da54 by Endi S. Dewata at 2019-11-13T17:42:31-06:00
Added ACMEFinalizeOrderService

The ACMEFinalizeOrderService has been added to validate the CSR
against authorized identifiers and use the backend to issue the
certificate.

- - - - -
9ba75c9e by Endi S. Dewata at 2019-11-13T17:42:31-06:00
Added ACMEOrderService

The ACMEOrderService has been added to return the requested
order object.

- - - - -
68e56abb by Endi S. Dewata at 2019-11-13T17:42:31-06:00
Added ACMECertificateService

The ACMECertificateService has been added to return the requested
certificate chain.

- - - - -
b81908ed by Endi S. Dewata at 2019-11-14T11:56:25-06:00
Replaced Configurator.createBaseEntry()

The Configurator.createBaseEntry() has been replaced with
LDAPConfigurator.createBaseEntry().

- - - - -
c7f165ac by Endi S. Dewata at 2019-11-14T11:56:32-06:00
Refactored Configurator.importLDIFS()

The code in Configurator.importLDIFS() that customizes an LDIF
template and imports it into the database has been moved into
importLDIF().

- - - - -
cfeb21b5 by Endi S. Dewata at 2019-11-14T11:56:48-06:00
Cleaned up log messages

- - - - -
4db75425 by Endi S. Dewata at 2019-11-14T11:56:53-06:00
Added PreOpConfig

The PreOpConfig has been added to encapsulate preop.* properties.

- - - - -
5108d60d by Endi S. Dewata at 2019-11-14T18:30:09-06:00
Replaced LDAPUtil.importLDIF()

The LDAPUtil.importLDIF() has been replaced with
LDAPConfigurator.importLDIFFile() and importLDIFRecord().

- - - - -
552b0333 by Endi S. Dewata at 2019-11-14T18:50:39-06:00
Updated loggers in ProfileService.createProfileRaw()

- - - - -
8bcc8df9 by Endi S. Dewata at 2019-11-14T18:52:29-06:00
Updated loggers in ProfileSubsystem.createProfile()

- - - - -
618c0cfe by Endi S. Dewata at 2019-11-15T21:24:55-06:00
Added LDAPConfigurator.deleteDatabase()

The code that removes the existing database in
Configurator.populateDB() has been moved into
LDAPConfigurator.deleteDatabase().

- - - - -
aac5ba00 by Endi S. Dewata at 2019-11-15T21:24:55-06:00
Added pki-server <subsystem>-db-remove

The pki-server <subsystem>-db-remove has been added to remove
the existing subsystem database.

- - - - -
96b9d1e2 by Endi S. Dewata at 2019-11-15T21:24:55-06:00
Added pki-server <subsystem>-db-empty

The pki-server <subsystem>-db-empty has been added to empty
the existing subsystem database.

- - - - -
0b2bbb40 by Endi S. Dewata at 2019-11-15T21:57:13-06:00
Refactored Configurator.populateDB()

The code that removes the existing subsystem database in
Configurator.populateDB() has been moved into configuration.py.

- - - - -
b0b592b9 by Endi S. Dewata at 2019-11-16T20:54:36-06:00
Moved PKIConfigParser.ds_bind()

The PKIConfigParser.ds_bind() and methods that depend on it have
been moved into pkispawn.py.

- - - - -
15707084 by Endi S. Dewata at 2019-11-18T17:19:20-06:00
Moved ConfigurationFile.verify_sensitive_data()

The ConfigurationFile.verify_sensitive_data() has been moved into
initialization.py.

- - - - -
000175cc by Endi S. Dewata at 2019-11-18T20:22:03-06:00
Refactored password.conf creation

The code that generates and stores internal token password, HSM
password, internal database password, and replication password
has been moved into instance_layout.py.

- - - - -
55e87cec by Endi S. Dewata at 2019-11-18T20:23:34-06:00
Removed unused DatabaseSetupRequest.replicationPassword

- - - - -
7d11e591 by dependabot[bot] at 2019-11-19T15:44:32-06:00
Bump jackson-databind from 2.9.10 to 2.10.1 (#286)

Bumps [jackson-databind](https://github.com/FasterXML/jackson) from 2.9.10 to 2.10.1.
- [Release notes](https://github.com/FasterXML/jackson/releases)
- [Commits](https://github.com/FasterXML/jackson/commits)

Signed-off-by: dependabot[bot] <support at github.com>
- - - - -
3a012a07 by Endi S. Dewata at 2019-11-19T21:03:37-06:00
Updated LDAPConfigurator constructor

The LDAPConfigurator constructor has been modified to take an
EngineConfig object.

- - - - -
8b853892 by Endi S. Dewata at 2019-11-19T21:11:29-06:00
Added LDAPConfigurator.params

The parameter map that is used to customize LDIF templates has
been moved into LDAPConfigurator.params.

- - - - -
fec5e2d4 by Endi S. Dewata at 2019-11-20T10:15:08-06:00
Added LDAPConfigurator.customizeFile()

The code that customizes LDIF templates using a parameter map
has been moved into LDAPConfigurator.customizeFile().

- - - - -
296baf6d by Endi S. Dewata at 2019-11-20T10:22:32-06:00
Added LDAPConfigurator.importFile()

The code that customizes and imports LDIF files has been moved
into LDAPConfigurator.importFile().

- - - - -
e80238d0 by Endi S. Dewata at 2019-11-20T10:23:09-06:00
Replaced preop.subsystem.select

The preop.subsystem.select has been replaced with clone
parameters in request objects.

- - - - -
53ef1086 by Endi S. Dewata at 2019-11-20T10:25:42-06:00
Added LDAPConfigurator.enableUSN()

The LDAPConfigurator.enableUSN() has been added to replace
preop.internaldb.usn.ldif parameter for enabling USN plugin.

- - - - -
0bdfed49 by Endi S. Dewata at 2019-11-20T10:25:46-06:00
Added LDAPConfigurator.reindexDatabase()

The code that regenerates database indexes has been moved
into LDAPConfigurator.reindexDatabase().

- - - - -
d1d91998 by Endi S. Dewata at 2019-11-20T10:26:29-06:00
Added LDAPConfigurator.createIndexes()

The code that creates database indexes has been moved into
LDAPConfigurator.createIndexes().

- - - - -
d071a1bf by Endi S. Dewata at 2019-11-20T10:29:39-06:00
Added LDAPConfigurator.createContainers() and setupACL()

The code that creates container entries and sets up ACL has
been moved into LDAPConfigurator.createContainers() and
setupACL().

- - - - -
e504711a by Endi S. Dewata at 2019-11-20T14:39:49-06:00
Added SANToCNDefault policy

The SANToCNDefault policy has been added to generate a
subject DN from the first DNS name in the SAN extension.

- - - - -
efb4b648 by Endi S. Dewata at 2019-11-20T14:39:49-06:00
Added ACME profile

The acmeServerCert.cfg has been added to provide a profile for
generating server certificates for ACME clients.

The default.cfg has been modified such that the installation tool
will install the default profiles in /usr/share/pki/ca/profiles/ca.
The acmeServerCert.cfg is stored in /usr/share/pki/ca/profiles so
it will not be installed by default.

The pki.spec has been modified to include the new profile.

- - - - -
50b3b965 by Endi S. Dewata at 2019-11-20T14:39:49-06:00
Added PKIBackend

The PKIBackend class has been added to provide a CA backend for
the ACME service using Dogtag PKI CA.

- - - - -
cb58f35b by Endi S. Dewata at 2019-11-21T09:06:15-06:00
Fixed EnrollProfile

The EnrollProfile.setDefaultCertInfo() has been modified to add
a blank subject DN by default.

- - - - -
21c86f5d by Endi S. Dewata at 2019-11-21T09:06:23-06:00
Updated ACME logging level

The default logging level for ACME has been changed to INFO.
In the future the logging level will be configurable via user-
editable configuration file.

- - - - -
05036e9f by Endi S. Dewata at 2019-11-21T12:11:13-06:00
Added InMemoryDatabase

The InMemoryDatabase has been added to provide a simple in-memory
storage for development/testing. It is not meant for production.

- - - - -
e50eda0a by Endi S. Dewata at 2019-11-21T16:18:45-06:00
Cleaned up pkispawn/pkidestroy log messages

- - - - -
918db08f by Endi S. Dewata at 2019-11-21T19:38:43-06:00
Added pki nss-create/remove

The pki nss-create/remove commands have been added to manage
client's NSS database.

- - - - -
ee4d8d79 by Endi S. Dewata at 2019-11-22T09:30:57-06:00
Updated version number to 10.8.0-a2

- - - - -
531bfe18 by Endi S. Dewata at 2019-11-22T10:52:57-06:00
Disabled adding p11-kit-trust by default

The Java and Python NSSDatabase.create() methods have been modified
to no longer add p11-kit-trust module by default.

A document has been added to describe how to install PKI server
with custom NSS databases.

- - - - -
b8c1bb4e by Endi S. Dewata at 2019-11-22T11:02:53-06:00
Removed PKI user creation with random UID

The PKI user has a preallocated UID in Fedora and RHEL, so
the code that creates the user with random UID is redundant.

- - - - -
0a345451 by jmagne at 2019-11-25T11:36:42-08:00
Port pistool support to the master branch. (#293)


- - - - -
e50104e9 by Christina Fu at 2019-11-25T11:56:10-08:00
bug1706521 CA - SubjectAltNameExtInput does not display text fields to the enrollment page

This patch is proposed by RHCS_Maint.  With this patch, the SANs text fields
now will show up on the profile display at EE enrollment UI.

Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1706521

- - - - -
1c27628b by Endi S. Dewata at 2019-12-02T17:53:32-06:00
Added LDAPConfigurator.configureDirectory()

The code that modifies the global directory configuration has been
moved into LDAPConfigurator.configureDirectory().

- - - - -
5e94af54 by Endi S. Dewata at 2019-12-02T17:54:06-06:00
Added LDAPConfigurator.setupSchema()

The code that sets up the schema has been moved into
LDAPConfigurator.setupSchema().

- - - - -
6fc1962e by Endi S. Dewata at 2019-12-02T17:54:34-06:00
Added DatabaseSetupRequest.setupReplication

- - - - -
2fd85cf4 by Endi S. Dewata at 2019-12-02T17:55:12-06:00
Added LDAPConfigurator.setupDatabaseManager()

The code that sets up database manager has been moved into
LDAPConfigurator.setupDatabaseManager().

- - - - -
9c4d7ef4 by Endi S. Dewata at 2019-12-02T17:57:55-06:00
Added LDAPConfigurator.createVLVIndexes()

The code that creates VLV indexes has been moved into
LDAPConfigurator.createVLVIndexes().

- - - - -
46cee974 by Endi S. Dewata at 2019-12-02T17:58:04-06:00
Added LDAPConfigurator.rebuildVLVIndexes()

The code that rebuilds VLV indexes has been moved into
LDAPConfigurator.rebuildVLVIndexes().

- - - - -
e36c666d by Endi S. Dewata at 2019-12-03T14:04:20-06:00
Removed redundant LDAPConfigurator.checkParentExists()

The installation will fail if the base entry cannot be added,
so this check is redundant.

- - - - -
7492883c by Endi S. Dewata at 2019-12-03T14:10:59-06:00
Removed redundant preop.database.removeData

The old content of the database has been removed earlier
during installation, so this property is redundant.

- - - - -
c9245876 by Endi S. Dewata at 2019-12-03T14:13:13-06:00
Added DatabaseSetupRequest.createDatabase

The DatabaseSetupRequest.createDatabase has been added to
replace preop.database.createNewDB.

- - - - -
31b86869 by Endi S. Dewata at 2019-12-03T14:14:17-06:00
Added DatabaseSetupRequest.reindexDatabase

The DatabaseSetupRequest.reindexDatabase has been added to
replace preop.database.reindexData.

- - - - -
4b1a3c68 by Endi S. Dewata at 2019-12-03T14:14:28-06:00
Added LDAPConfig.getDatabase() and setDatabase()

- - - - -
b091022b by Endi S. Dewata at 2019-12-04T18:32:02-06:00
Fixed PostgreSQLDatabase.getAccountContacts()

The PostgreSQLDatabase.getAccountContacts() has been modified
to add the contacts retrieved from the database into the
ACMEAccount object properly.

- - - - -
b503392d by Endi S. Dewata at 2019-12-04T19:29:19-06:00
Merged Configurator.setupDirectory()

The Configurator.setupDirectory() has been merged into
Configurator.initializeDatabase().

- - - - -
2f3d14b7 by Endi S. Dewata at 2019-12-04T19:29:32-06:00
Merged Configurator.setupDatabase()

The Configurator.setupDatabase() has been merged into
Configurator.initializeDatabase().

- - - - -
358e2254 by Endi S. Dewata at 2019-12-04T19:29:32-06:00
Merged Configurator.populateDBManager()

The Configurator.populateDBManager() has been merged into
Configurator.initializeDatabase().

- - - - -
69653ca7 by Endi S. Dewata at 2019-12-04T19:29:32-06:00
Merged Configurator.populateVLVIndexes()

The Configurator.populateVLVIndexes() has been merged into
Configurator.initializeDatabase().

- - - - -
844f4465 by Fraser Tweedale at 2019-12-05T10:34:42-06:00
ACMEDatabase: make it an abstract class

To ensure overrides of required stub methods are not forgotten when
implementing ACMEDatabase subclasses, make ACMEDatabase an abstract
class with abstract methods.

- - - - -
15d9f5f9 by Fraser Tweedale at 2019-12-05T10:35:18-06:00
ACMEIdentifier: add constructor that receives types and value

- - - - -
ffe79e85 by Endi S. Dewata at 2019-12-05T11:31:35-06:00
Fixed CLI option handling

Previously some mandatory CLI options such as --status were defined
using Option.setRequired(true) so these options had to be specified
in all cases, including when displaying the help message using the
--help option. This behavior made it difficult to use the command.

The code has been modified to parse all options without using
Option.setRequired(true). Instead, the code will check the option
value if it's required and generate an exception if it's missing.
This way the --help option can be used to display the help message
without specifying the mandatory options.

https://bugzilla.redhat.com/show_bug.cgi?id=1777032

- - - - -
62bf4046 by Endi S. Dewata at 2019-12-09T11:27:18-06:00
Refactored Configurator.updateConfigEntries() (part 1)

The Configurator.updateConfigEntries() has been modified to throw
an exception on error instead of returning a boolean value.

- - - - -
a06f8087 by Endi S. Dewata at 2019-12-09T11:27:30-06:00
Refactored Configurator.updateConfigEntries() (part 2)

The Configurator.updateConfigEntries() has been modified to
throw an exception as soon as an error is detected.

- - - - -
a41a8e47 by Endi S. Dewata at 2019-12-09T11:27:35-06:00
Refactored Configurator.updateConfigEntries() (part 3)

The Configurator.updateConfigEntries() has been modified to
validate the master configuration parameters as soon as it is
received.

- - - - -
275dacb3 by Endi S. Dewata at 2019-12-09T13:18:52-06:00
Refactored ReplicationUtil.setupReplication() (part 1)

The ReplicationUtil.setupReplication() has been modified to
use the master and replica connections provided by the caller.

- - - - -
5171b806 by Endi S. Dewata at 2019-12-09T14:08:47-06:00
Refactored ReplicationUtil.setupReplication() (part 2)

The ReplicationUtil.setupReplication() has been modified to
store the master LDAP password in the password store before
creating the master LDAP connection.

- - - - -
ec31f011 by Endi S. Dewata at 2019-12-09T14:08:54-06:00
Refactored ReplicationUtil.setupReplication() (part 3)

The ReplicationUtil.setupReplication() has been modified to
determine the proper masterReplicationPort before setting up
the replication.

- - - - -
2a8b57b9 by Endi S. Dewata at 2019-12-09T14:08:54-06:00
Removed internaldb.ldapconn.cloneReplicationPort

The code that generates cloneReplicationPort has been moved
into configuration.py.

- - - - -
42c9ae7c by Endi S. Dewata at 2019-12-09T14:08:54-06:00
Removed internaldb.ldapconn.replicationSecurity

The code that generates replicationSecurity has been moved
into configuration.py.

- - - - -
58d22afb by Endi S. Dewata at 2019-12-09T14:08:54-06:00
Removed unused replication agreement parameters

- - - - -
39314b3d by Endi S. Dewata at 2019-12-09T14:54:01-06:00
Refactored ReplicationUtil.createReplicationManager()

The ReplicationUtil.createReplicationManager() has been moved
into LDAPConfigurator and split into createSystemContainer()
and createReplicationManager().

- - - - -
832326f4 by Endi S. Dewata at 2019-12-09T17:33:47-06:00
Refactored ReplicationUtil.getInstanceDir()

The ReplicationUtil.getInstanceDir() has been moved into
LDAPConfigurator.

- - - - -
2d314cda by Endi S. Dewata at 2019-12-09T18:17:26-06:00
Refactored ReplicationUtil.createChangeLog()

The ReplicationUtil.createChangeLog() has been moved into
LDAPConfigurator.

- - - - -
3f991a4e by Endi S. Dewata at 2019-12-10T20:49:54-06:00
Refactored ReplicationUtil.enableReplication()

The ReplicationUtil.enableReplication() has been moved into
LDAPConfigurator.

- - - - -
cdb38275 by Endi S. Dewata at 2019-12-10T20:49:54-06:00
Refactored ReplicationUtil.createReplicationAgreement()

The ReplicationUtil.createReplicationAgreement() has been moved
into LDAPConfigurator.

- - - - -
b507287b by Endi S. Dewata at 2019-12-10T20:49:54-06:00
Refactored ReplicationUtil.initializeConsumer()

The ReplicationUtil.initializeConsumer() has been moved into
LDAPConfigurator.

- - - - -
ebeb0ead by Endi S. Dewata at 2019-12-10T20:49:54-06:00
Refactored ReplicationUtil.replicationDone()

The ReplicationUtil.replicationDone() has been moved into
LDAPConfigurator.

- - - - -
8dcbbc73 by Endi S. Dewata at 2019-12-10T20:49:54-06:00
Refactored ReplicationUtil.replicationStatus()

The ReplicationUtil.replicationStatus() has been moved into
LDAPConfigurator.

- - - - -
626e4786 by Endi S. Dewata at 2019-12-10T20:49:54-06:00
Cleaned up ReplicationUtil.setupReplication()

- - - - -
1cec322b by Endi S. Dewata at 2019-12-11T11:56:49-06:00
Restored pki CLI error messages

The pki CLI has been modified to match the error messages
in PKI 10.7:
https://github.com/dogtagpki/pki/blob/v10.7/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java#L676-L716

The exception is that the "Error:" will now become "ERROR:".

https://bugzilla.redhat.com/show_bug.cgi?id=1778953

- - - - -
32f64f0a by Endi S. Dewata at 2019-12-11T12:50:23-06:00
Fixed JSS initialization in pki client-cert-import

The pki client-cert-import supports importing certificates
from different sources including PEM file, PKCS12 file, and
directly from the server.

When PKI was still using NSS DBM database the command would
initialize JSS only if it was going to use JSS to import the
certificate. If the command would use external tools such as
certutil it would not initialize JSS to prevent conflicts.

There was also a bug that causes the command to miss JSS
initialization when importing a cert from the server by its
serial number.

Since now PKI is using NSS SQL database, the NSS database
can be shared with multiple processes. This patch modifies
the command to initialize JSS in all cases, which will fix
the bug as well.

https://bugzilla.redhat.com/show_bug.cgi?id=1782486

- - - - -
13985444 by Endi S. Dewata at 2019-12-11T13:32:36-06:00
Updated version number to 10.8.0-b1

- - - - -
123e2cd9 by Endi S. Dewata at 2019-12-11T15:13:56-06:00
Added ACME installation doc

- - - - -
ecfa3fd0 by Endi S. Dewata at 2019-12-13T11:02:39-06:00
Fixed typo in Configurator.initializeDatabase()

- - - - -
541054a9 by Endi S. Dewata at 2019-12-13T11:49:02-06:00
Updated version number to 10.8.0-b2

- - - - -
3840ac87 by Dinesh Prasanth M K at 2019-12-13T15:47:38-05:00
Propagate error code if the command fails in Travis CI

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
c42421f9 by Endi S. Dewata at 2019-12-16T13:10:07-06:00
Refactored ReplicationUtil.setupReplication()

The ReplicationUtil.setupReplication() has been moved into
Configurator.

- - - - -
11881e93 by Endi S. Dewata at 2019-12-16T13:10:07-06:00
Added LDAPConfig.getDBUser()

- - - - -
36a12746 by Endi S. Dewata at 2019-12-16T13:10:07-06:00
Refactored Configurator.isValidCloneURI()

The Configurator.isValidCloneURI() has been converted into
getHostInfo() which returns a host info based on the subsystem
type, hostname, and secure port number.

- - - - -
5521dddd by Endi S. Dewata at 2019-12-16T13:10:07-06:00
Refactored Configurator.getCertChain()

The Configurator.getCertChain() has been modified to return
the certificate chain as byte array.

- - - - -
bb011b00 by Endi S. Dewata at 2019-12-16T13:10:07-06:00
Refactored Configurator.verifySystemCertificates()

The code that configures the cert nicknames has been moved from
Configurator.verifySystemCertificates() into getConfigEntriesFromMaster().

- - - - -
e578f844 by Endi S. Dewata at 2019-12-16T13:10:07-06:00
Removed redundant CMS.getCMSEngine() in Configurator

- - - - -
ff4b5a50 by Endi S. Dewata at 2019-12-16T13:10:07-06:00
Replaced Configurator.getSecurityDomainPorts()

The Configurator.getSecurityDomainPorts() has been replaced
with getHostInfo().

- - - - -
f2d6f476 by Endi S. Dewata at 2019-12-16T13:10:07-06:00
Replaced Configurator.getPortFromSecurityDomain()

The Configurator.getPortFromSecurityDomain() has been replaced
with getHostInfo().

- - - - -
072f54b5 by Endi S. Dewata at 2019-12-16T13:10:07-06:00
Refactored Configurator.isSDHostDomainMaster()

The Configurator.isSDHostDomainMaster() has been modified
to use getHostInfo().

- - - - -
e575b62b by Endi S. Dewata at 2019-12-16T13:10:07-06:00
Refactored Configurator.logIntoSecurityDomain()

The Configurator.logIntoSecurityDomain() has been modified
to return the install token.

- - - - -
257ec864 by Endi S. Dewata at 2019-12-16T16:05:22-06:00
Added XML and JSON converter for PKIException.Data

The PKIException.Data has been modified to provide XML and
JSON converters.

- - - - -
6b1419f8 by Endi S. Dewata at 2019-12-16T17:10:41-06:00
Updated exception in client methods

All client methods have been modified to throw a generic Exception.

- - - - -
4bb1f588 by Endi S. Dewata at 2019-12-16T17:10:47-06:00
Updated PKIConnection.handleErrorResponse()

The PKIConnection.handleErrorResponse() has been modified to
log the XML or JSON PKIException data for troubleshooting.

- - - - -
571865ac by Endi S. Dewata at 2019-12-17T08:47:18-06:00
Fixed ConfigClient.save_admin_cert()

The ConfigClient.save_admin_cert() has been modified to store
the admin cert in PEM format instead of plain base64 format.

- - - - -
12e642fa by Endi S. Dewata at 2019-12-17T13:46:52-06:00
Added LDAPConfigurator.importSchemaFile()

The LDAPConfigurator.importSchemaFile() has been added to import
an LDAP schema file.

- - - - -
d21c073c by Endi S. Dewata at 2019-12-17T13:46:52-06:00
Added PKISubsystem.init_database()

The code that initializes the internal database has
been moved from Configurator.initializeDatabase() into
PKISubsystem.init_database().

- - - - -
38bc1491 by Endi S. Dewata at 2019-12-17T19:26:55-06:00
Fixed exception handling in PKIConnection

When an error occurs on the server, the server will return a
response containing the exception info to the client, and the
client is supposed to recreate and rethrow the exception on
the client side.

Previously the client would use MediaType.equals() to check
the content type of the response. If the content type was an
application/xml or an application/json, the client could
parse the exception info needed to recreate the exception.

However, since the actual content type contains a charset
parameter (e.g. application/xml;charset=utf-8), the code could
not match it against any of the supported types, so it threw a
generic PKIException instead.

Now the code has been modified to use MediaType.isCompatible()
which will match the content type properly regardless of the
charset parameter, so the client can throw the proper exception.

https://bugzilla.redhat.com/show_bug.cgi?id=1778953

- - - - -
82d3bef1 by Endi S. Dewata at 2020-01-06T11:18:05-06:00
Cleaned up installation log messages

- - - - -
bc890b0f by Endi S. Dewata at 2020-01-06T11:18:48-06:00
Refactored PKIConfigParser.set_property()

The PKIConfigParser.set_property() has been moved into
PKIDeployer class. The section parameter has been changed to
become optional.

- - - - -
5646d83c by Endi S. Dewata at 2020-01-06T11:20:30-06:00
Refactored DS methods in PKIConfigParser

The DS methods in PKIConfigParser have been moved into
PKIDeployer class.

- - - - -
08ea6289 by Endi S. Dewata at 2020-01-06T11:25:45-06:00
Refactored security domain methods in PKIConfigParser

The security domain methods in PKIConfigParser have been
moved into PKIDeployer class.

- - - - -
30e45117 by Alexander Scheel at 2020-01-06T17:52:46-05:00
Add support for running PKI under GDB

Sometimes it is necessary to debug the PKI instance under GDB,
especially when the issue is in the native layer, e.g., in the
JSS<->NSS mapping. Add the --gdb flag for running the PKI server
under gdb.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
f218c64b by Endi S. Dewata at 2020-01-06T19:10:37-06:00
Refactored PKIDeployer.init()

The PKIDeployer.init() has been modified to construct the
DS URL from installation parameters.

- - - - -
545db244 by Endi S. Dewata at 2020-01-06T19:10:37-06:00
Updated Java security domain classes

The Java security domain classes have been modified to
return the subsystems and hosts as maps in JSON format.

- - - - -
526a59f7 by Endi S. Dewata at 2020-01-06T20:35:11-06:00
Updated Python security domain classes

The Python security domain classes have been updated to
match the corresponding Java classes.

- - - - -
0b78516a by Endi S. Dewata at 2020-01-06T22:13:13-06:00
Refactored domain info retrieval

The code that retrieves the domain info has been moved
from Configurator into configuration.py.

- - - - -
05a7a55c by Endi S. Dewata at 2020-01-06T22:13:14-06:00
Refactored installation token creation

The code that creates installation token has been moved
from Configurator into configuration.py.

- - - - -
e6053db0 by Endi S. Dewata at 2020-01-06T22:13:14-06:00
Removed unused fields in ConfigurationRequest

- - - - -
7e004cdd by Endi S. Dewata at 2020-01-07T15:14:41-06:00
Fixed deprecation warning in pkidestroy

The infrastructure_layout.py has been modified to remove
sensitive parameters (including the deprecated ones) before
storing a copy of the deployment configuration instead of
masking them out. This way when pkidestroy reads the file
it will no longer generate a deprecation warning.

- - - - -
4b5ec0bd by Endi S. Dewata at 2020-01-08T18:25:34-06:00
Removed redundant code in subsystem_layout.py

The code that finds the secure and unsecure ports in
subsystem_layout.py has been replaced with existing
methods in ServerConfiguration class.

- - - - -
260cd738 by Endi S. Dewata at 2020-01-08T18:26:14-06:00
Removed unused code in TokenAuthentication

The code that authenticates session IDs via EE interface
in TokenAuthentication is not used so it has been removed.

- - - - -
8a7bb376 by Endi S. Dewata at 2020-01-08T18:48:01-06:00
Removed unused preop.securitydomain params

The preop.securitydomain params are not used so they have
been removed.

- - - - -
0e8dc207 by Endi S. Dewata at 2020-01-08T18:48:05-06:00
Removed unused code in Configurator.updateSecurityDomain()

The code that updates the security domain via agent interface
in Configurator.updateSecurityDomain() is not used so it has
been removed.

- - - - -
f5c9c178 by Endi S. Dewata at 2020-01-08T23:02:16-06:00
Added PKIDeployer.join_domain()

The PKIDeployer.join_domain() has been added to get the
domain info, find the security domain host info, and get
the installation token.

- - - - -
e0b97fec by Endi S. Dewata at 2020-01-09T10:01:49-06:00
Consolidated security domain params configuration

The code that configures the security domain params has
been moved into configuration.py.

- - - - -
669fa133 by Timo Aaltonen at 2020-01-09T18:57:42+02:00
tests: Don't run pkidestroy.

- - - - -
68464f44 by Endi S. Dewata at 2020-01-09T20:51:10-06:00
Added Configurator.setupClone()

The Configurator.setupClone() has been added to retrieve
configuration parameters from master and set up the clone.

- - - - -
ddfea89e by Endi S. Dewata at 2020-01-09T21:16:10-06:00
Refactored Configurator.initializeDatabase() (part 1)

The code that sets up replication has been moved from
Configurator.initializeDatabase() into setupClone().

- - - - -
694b9a3c by Endi S. Dewata at 2020-01-09T21:51:46-06:00
Refactored Configurator.initializeDatabase() (part 2)

The Configurator.initializeDatabase() has been renamed into
setupDatabase() and will reinitialize the subsystems.

- - - - -
fcea2302 by Endi S. Dewata at 2020-01-09T21:52:53-06:00
Removed redundant calls to CMS.getCMSEngine()

- - - - -
b3fd5f28 by Endi S. Dewata at 2020-01-10T15:49:57-06:00
Dropped support for Python 2

The RPM spec file and CMake files have been modified to
no longer support Python 2.

- - - - -
e04868d0 by Endi S. Dewata at 2020-01-10T15:49:57-06:00
Removed Python 3 build options

The RPM spec file and CMake files have been modified to
always use Python 3, so the options to build with Python 3
are no longer needed.

- - - - -
4086746e by Endi S. Dewata at 2020-01-10T15:49:57-06:00
Dropped unsupported platforms

The RPM spec file has been modified to no longer support
older Fedora and RHEL platforms. Debian does not use RPM
spec file so it has been dropped as well.

- - - - -
997fd180 by Endi S. Dewata at 2020-01-10T15:49:57-06:00
Updated Python executable

The RPM spec file has been modified to specify the Python
executable for each supported platform.

- - - - -
af4b192a by Endi S. Dewata at 2020-01-10T15:50:32-06:00
Added missing imports for pki.server.instance

- - - - -
c2787a46 by Endi S. Dewata at 2020-01-10T15:51:26-06:00
Updated PKIServer.execute()

The PKIServer.execute() has been modified to handle missing
environment variables or libraries more gracefully.

- - - - -
2e1d252b by Endi S. Dewata at 2020-01-10T21:30:53-06:00
Refactored Configurator.configureCACertChain() (part 1)

The Configurator.configureCACertChain() has been modified
to get the subsystem hierarchy from the hierarchy.select
parameter.

- - - - -
e126866d by Endi S. Dewata at 2020-01-10T21:31:05-06:00
Refactored Configurator.configureCACertChain() (part 2)

The code that configures preop.ca.* parameters in
Configurator.configureCACertChain() has been moved into
configuration.py.

- - - - -
74999112 by Endi S. Dewata at 2020-01-13T10:29:54-06:00
Added pki info command

The pki info command has been added to display the product name
and version of the server.

- - - - -
7181fa39 by Endi S. Dewata at 2020-01-13T10:29:54-06:00
Refactored GetStatus

The GetStatus has been modified to use CMS.getProductName()
to get the product name.

- - - - -
8742f31a by Endi S. Dewata at 2020-01-13T12:16:10-06:00
Updated link to ACME page

- - - - -
10ab7611 by Endi S. Dewata at 2020-01-14T22:55:53-06:00
Fixed HTTP01Validator

The HTTP01Validator has been modified to trim whitespaces
in the HTTP-01 challenge response.

- - - - -
f3db09b8 by Endi S. Dewata at 2020-01-14T23:01:03-06:00
Added ACMEOrder.serialNumber

The ACMEOrder.serialNumber has been added to store the
certificate serial number in the database instead of the
certificate URL.

- - - - -
4e6d2238 by Endi S. Dewata at 2020-01-15T11:47:29-06:00
Refactored ACMEOrder.finalize

The ACMEOrder.finalize has been modified to no longer be
stored in the database but instead it will be generated
dynamically.

- - - - -
4692edc3 by Endi S. Dewata at 2020-01-15T11:47:37-06:00
Refactored ACMEAccount.orders

The ACMEAccount.orders has been modified to no longer be
stored in the database but instead it will be generated
dynamically.

- - - - -
db7a678f by Endi S. Dewata at 2020-01-15T12:23:06-06:00
Added ACMEOrder.authzIDs

The ACMEOrder.authzIDs has been added to store the order
authorization IDs in the database instead of the order
authorization URLs.

- - - - -
99f7a6b5 by Endi S. Dewata at 2020-01-15T12:50:17-06:00
Cleaned up ACME log messages

- - - - -
df22faed by Endi S. Dewata at 2020-01-15T18:32:49-06:00
Added ACMEEngine.createAccountDoesNotExistException()

The code that creates the accountDoesNotExist error has been
moved into ACMEEngine.createAccountDoesNotExistException().

- - - - -
4b9f3577 by Endi S. Dewata at 2020-01-15T18:37:36-06:00
Refactored ACMEEngine.getAccount()

The ACMEEngine.getAccount() has been modified to provide an
option whether to check the validity of the account retrieved
from the database.

- - - - -
c1e727fe by Endi S. Dewata at 2020-01-15T19:01:53-06:00
Fixed ACMENewAccountService

The ACMENewAccountService has been modified to return HTTP 200
if the new account already exists. If the new account does not
already exist and onlyReturnExisting is true, the server will
return HTTP 400.

- - - - -
a81683ad by Endi S. Dewata at 2020-01-16T11:33:05-06:00
Refactored ACMEChallenge.url

The ACMEChallenge.url has been modified to no longer be
stored in the database but instead it will be generated
dynamically.

- - - - -
527ea307 by Endi S. Dewata at 2020-01-16T11:33:07-06:00
Refactored ACMEEngine.validateJWS()

The code that performs the signature validation has been
moved into a separate ACMEEngine.validateJWS() method.

- - - - -
6d00b9e4 by Endi S. Dewata at 2020-01-16T13:12:25-06:00
Refactored ACMEOrder.serialNumber

The BigInteger ACMEOrder.serialNumber has been replaced with
String certID for simplicity and consistency.

- - - - -
edd0f11c by Endi S. Dewata at 2020-01-16T13:43:09-06:00
Refactored ACMEOrder.csr

The ACMEOrder.csr has been modified such that it's no longer
stored in the database.

- - - - -
b74e6582 by Endi S. Dewata at 2020-01-16T14:12:28-06:00
Updated version number to 10.8.0-b3

- - - - -
588bd148 by Dinesh Prasanth M K at 2020-01-21T15:53:04-05:00
[CI] Update CI matrix in Travis (#303)

- Update CI matrix to include latest Fedora release
- Include nightly IPA builds
- IPA testsuite fails due to an upstream bug and so,
we are not able to run them in our CI. This blocks
us from updating our CI. 
Bug: https://pagure.io/freeipa/issue/7989

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
3ac0eedd by Dinesh Prasanth M K at 2020-01-27T16:46:05-05:00
Add PKI healthcheck tool framework

This patch adds the PKI healthcheck tool framework to `pki-server` package.
This patch includes 1 healthcheck:
- Check whether certs in NSSDB match certs in CS.cfg

Only minimal healthcheck is added to ensure that the framework is stable
before writing complex healthchecks.

This tool utilizes ipa-healthcheck tool's core library for parsing input, output
and executing health checks. This framework can autoregister with
ipa-healthcheck to report status of PKI subsystem in an IPA deployment.
pki-healthcheck can also be executed in a standalone PKI deployment.

Partly addresses upstream bug: https://pagure.io/dogtagpki/issue/2251

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
6590f8f0 by Dinesh Prasanth M K at 2020-01-28T12:45:19-05:00
Fix requires for Healthcheck tool

PKI Health Check tool is part of pki-server package.
The requires should be part of it. This patch fixes it.

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
82a5a465 by Dinesh Prasanth M K at 2020-01-29T18:44:06-05:00
PKI healthcheck docs (#310)

This patch includes the man page and upstream documentation
(instructions) on how to use the PKI Health Check tool that was
introduced as part of PR#301 

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
fe5fb947 by Alexander Scheel at 2020-01-30T11:00:40-06:00
Fix FIPS detection

The original FIPS detection code fails on python3:

    $ python3
    Python 3.7.6 (default, Dec 19 2019, 22:52:49)
    >>> '0' == b'0'
    False

This is because bytes and strings are not directly comparable in all
scenarios, so the comparison now returns false. Python3's subprocess
also returns bytes in most scenarios:

> By default, this function will return the data as encoded bytes. The
> actual encoding of the output data may depend on the command being
> invoked, so the decoding to text will often need to be handled at the
> application level.

This results in PKI incorrectly believing that it is in FIPS mode,
when it really isn't.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>
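
The bytes/str mismatch described in this commit message, shown as an added example that is not part of the commit or of the Dogtag code base. The `probe()` child process is a constructed stand-in for whatever command reports the FIPS flag, and all function names are hypothetical.

```python
import subprocess
import sys


def probe(flag):
    """Constructed stand-in for the real FIPS probe command.

    Returns an argv list for a child process that prints `flag` followed by
    a newline, so the example runs offline on any platform.
    """
    return [sys.executable, "-c", "print(%r)" % flag]


def fips_enabled_buggy(cmd):
    """Python 2 style check: compares raw subprocess output with a str.

    On Python 3, check_output() returns bytes, and b'0' != '0' is always
    True, so this reports FIPS mode as enabled whatever the probe printed.
    """
    output = subprocess.check_output(cmd).strip()
    return output != "0"


def fips_enabled_fixed(cmd):
    """Decode the output first, then accept only the two known values.

    Anything else (empty output, an error string, non-ASCII bytes) raises
    ValueError instead of being silently read as "enabled" or "disabled".
    UnicodeDecodeError is a subclass of ValueError, so callers need to
    handle only one exception type.
    """
    raw = subprocess.check_output(cmd)
    value = raw.decode("ascii").strip()
    if value not in ("0", "1"):
        raise ValueError("unexpected FIPS flag value: %r" % value)
    return value == "1"


def compare(flag):
    """Return (buggy_result, fixed_result) for one probe value."""
    cmd = probe(flag)
    return fips_enabled_buggy(cmd), fips_enabled_fixed(cmd)


if __name__ == "__main__":
    for flag in ("0", "1"):
        buggy, fixed = compare(flag)
        print("probe=%s buggy=%s fixed=%s" % (flag, buggy, fixed))
```
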

- - - - -
7dfe08d5 by Endi S. Dewata at 2020-01-31T17:48:56-06:00
Removed base64 chunking in TPSConnectorService

- - - - -
fc2333d3 by Endi S. Dewata at 2020-01-31T17:48:56-06:00
Moved TPSConnectorCLI classes

The TPSConnectorCLI classes have been moved into
com.netscape.cmstools.tks since they are used to
manage the TPS connector in TKS.

- - - - -
b2459a22 by Endi S. Dewata at 2020-01-31T17:48:56-06:00
Moved TPSConnectorService.createDes3SessionKeyOnInternal()

The TPSConnectorService.createDes3SessionKeyOnInternal()
has been moved into CryptoUtil for reusability.

- - - - -
9de8ed67 by Endi S. Dewata at 2020-01-31T17:48:56-06:00
Updated pki tks-tpsconnector commands

The pki tks-tpsconnector has been updated to support JSON
input and output.

- - - - -
4d1b77cc by Endi S. Dewata at 2020-01-31T17:48:56-06:00
Added pki tks-key commands

The pki tks-key commands have been added to manage keys in
TKS remotely.

- - - - -
81211928 by Endi S. Dewata at 2020-01-31T17:48:56-06:00
Added pki nss-key commands

The pki nss-key commands have been added to manage keys in
local NSS database.

- - - - -
9c96999a by Endi S. Dewata at 2020-01-31T17:48:56-06:00
Refactored shared secret configuration

The code that configures the shared secret between TKS and TPS
has been moved from TPSConfigurator (which runs inside the server)
to configuration.py (which runs outside the server).

- - - - -
7ad490f3 by Endi S. Dewata at 2020-02-02T21:18:20-06:00
Moved profile servlets

The profile servlets have been moved from pki-server package
into pki-ca package since they are only used by the CA.

- - - - -
9c213f51 by Endi S. Dewata at 2020-02-02T21:18:30-06:00
Moved revocation servlets

The revocation servlets have been moved from pki-server package
into pki-ca package since they are only used by the CA.

- - - - -
b33e7d59 by Endi S. Dewata at 2020-02-02T21:34:33-06:00
Moved certificate processors

The certificate processors have been moved from pki-server
package into pki-ca package since they are only used by the CA.

- - - - -
7138e8fb by Endi S. Dewata at 2020-02-02T23:08:59-06:00
Moved CRSEnrollment

The CRSEnrollment classes have been moved from pki-server
package into pki-ca package because they are only used by
the CA.

- - - - -
26355427 by Endi S. Dewata at 2020-02-02T23:15:15-06:00
Moved CAProcessor

The CAProcessor and dependent classes have been moved from
pki-server package into pki-ca package because they are only
used by the CA.

- - - - -
477f8508 by Endi S. Dewata at 2020-02-03T01:25:21-06:00
Added CMSEngine.getPluginRegistry()

The CMSEngine.getPluginRegistry() has been added to return
the plugin registry instance.

- - - - -
e60a4a07 by Endi S. Dewata at 2020-02-03T01:57:03-06:00
Merged IPluginRegistry into PluginRegistry

The IPluginRegistry is no longer used so it has been merged
into PluginRegistry.

- - - - -
36fafbea by Endi S. Dewata at 2020-02-03T02:09:05-06:00
Added default registry path

The PluginRegistry.init() has been modified to load the
plugin registry from a default location if the registry
file is not specified in CS.cfg.

- - - - -
98a88476 by Endi S. Dewata at 2020-02-03T02:09:05-06:00
Added KRAConnectorServlet

The code that normalizes the profile request for KRA connector
in CA has been moved from ConnectorServlet class into a new
KRAConnectorServlet subclass.

- - - - -
27b68759 by Endi S. Dewata at 2020-02-03T03:27:11-06:00
Renamed BasicProfile

The BasicProfile has been renamed into Profile as the base
class of all profiles.

- - - - -
cd864411 by Endi S. Dewata at 2020-02-03T03:27:56-06:00
Merged IProfileEx into CAEnrollProfile

The IProfileEx has been merged into CAEnrollProfile since
there are no other classes implementing IProfileEx.

- - - - -
06f3af69 by Dinesh Prasanth M K at 2020-02-03T09:42:04-05:00
Modify pylint logic to run against all individual python files (#313)

The previous logic was to run pylint on the directory. As a result, few of
the python files were untested.

This patch improves the logic to list and test individual python files. This
will also help to include any new python files added to the project in future

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
68afc6ba by jmagne at 2020-02-03T15:01:44-08:00
Re-animate previously commented out crypto code in TMS. (#314)

This is possible because this commit also makes sure that said crypto routines have
been moved to either reside within the pki-tps jar file or the pki-tks jar file.
Some minor refactoring and duplication has also been necessary to make this happen, but
has been kept to a minimum.

With this patch, the final pki jar files that previously contained pieces of this crypto code,
will no longer contain any such code or classes.

This is an intermediate step until we can get the new JSS / NSS support for the sp 800 kdf and the AES_CMAC
algorithm working with hardware hsm's.
- - - - -
1b0a8410 by Jack Magne at 2020-02-03T15:31:19-08:00
Remove unused comments from code, checking in with trivial change exception.

- - - - -
0a43f939 by Endi S. Dewata at 2020-02-03T18:33:13-06:00
Fixed encoding issue in pki-server cert-show --pretty-print

- - - - -
b699a4e2 by Endi S. Dewata at 2020-02-03T18:39:29-06:00
Cleaned up ECC installation docs

The ECC installation docs have been updated for consistency
with other installation docs.

- - - - -
c444be15 by Endi S. Dewata at 2020-02-04T03:34:26-06:00
Merged IProfileSubsystem into ProfileSubsystem

The IProfileSubsystem has been merged into ProfileSubsystem
which will be the base for all profile subsystem implementations.

- - - - -
727c58b6 by Endi S. Dewata at 2020-02-04T03:34:56-06:00
Added CAEngine.getProfileSubsystem()

The CAEngine.getProfileSubsystem() has been added to provide
the profile subsystem for CA.

- - - - -
eaa78e1c by Endi S. Dewata at 2020-02-04T03:45:13-06:00
Cleaned up log messages in UGSubsystem.findGroups()

- - - - -
d5e16646 by Endi S. Dewata at 2020-02-04T03:47:04-06:00
Added Configurator.setupNumberRanges()

The code that configures number ranges has been moved from
Configurator.getConfigEntriesFromMaster() into setupNumberRanges().

- - - - -
8ff47f59 by Endi S. Dewata at 2020-02-04T03:49:57-06:00
Cleaned up Configurator.updateNumberRange()

The Configurator.updateNumberRange() has been simplified and
updated to remove redundant code.

- - - - -
87c06cc7 by Endi S. Dewata at 2020-02-04T03:53:49-06:00
Cleaned up Configurator.updateConfigEntries()

The Configurator.updateConfigEntries() has been updated for
clarity.

- - - - -
7153bfca by Endi S. Dewata at 2020-02-04T03:57:05-06:00
Cleaned up Configurator.getConfigEntriesFromMaster()

The Configurator.getConfigEntriesFromMaster() has been modified
to get the master host info from the parameter instead of
preop properties.

- - - - -
50c1f174 by Endi S. Dewata at 2020-02-04T21:07:11-06:00
Added UpdateNumberRange.getRepository()

The code that returns the repository objects in UpdateNumberRange
has been moved into getRepository().

- - - - -
62471284 by Endi S. Dewata at 2020-02-04T21:07:18-06:00
Split UpdateNumberRange

The UpdateNumberRange has been split into CAUpdateNumberRange
and KRAUpdateNumberRange which provide the proper repository
objects for CA and KRA, respectively.

- - - - -
6183755b by Endi S. Dewata at 2020-02-04T21:07:28-06:00
Cleaned up log messages in GetConfigEntries

- - - - -
3e1fa039 by Endi S. Dewata at 2020-02-04T21:19:03-06:00
Cleaned up CryptoUtil.convertPublicKeyToX509Key()

The CryptoUtil.convertPublicKeyToX509Key() has been cleaned up
and renamed into createX509Key().

- - - - -
4ab92f33 by Endi S. Dewata at 2020-02-04T21:19:33-06:00
Replaced KeyCertUtil.convertPublicKeyToX509Key()

The KeyCertUtil.convertPublicKeyToX509Key() has been replaced
with CertUtil.createX509Key().

- - - - -
458423d9 by Endi S. Dewata at 2020-02-04T22:47:40-06:00
Consolidated X509Key creation

The code that creates X509Key from preop properties has been
updated to use CryptoUtil.createX509Key().

- - - - -
ec7cce4f by Endi S. Dewata at 2020-02-04T23:02:20-06:00
Moved common constants from IEnrollProfile to IRequest

- - - - -
6e0b59a2 by Endi S. Dewata at 2020-02-04T23:02:48-06:00
Merged IEnrollProfile into EnrollProfile

- - - - -
52f7823e by Endi S. Dewata at 2020-02-04T23:09:33-06:00
Merged IProfile into Profile

- - - - -
27c25f54 by Endi S. Dewata at 2020-02-05T02:28:06-06:00
Replaced SystemConfigClient.backupKeys()

The SystemConfigClient.backupKeys() has been replaced with
PKIDeployer.backup_keys() which exports the certificates
and keys directly from the server's NSS database.

- - - - -
798ed095 by Endi S. Dewata at 2020-02-05T02:28:06-06:00
Removed unused SystemConfigService.backupKeys()

The SystemConfigService.backupKeys() is no longer used so
it has been removed.

- - - - -
92b326d8 by Endi S. Dewata at 2020-02-05T04:27:51-06:00
Moved authority interfaces

- - - - -
252bbe4a by Endi S. Dewata at 2020-02-05T04:27:56-06:00
Moved KRA interfaces

- - - - -
046af968 by Endi S. Dewata at 2020-02-05T05:53:44-06:00
Moved OCSP interfaces

- - - - -
c768558c by Endi S. Dewata at 2020-02-05T05:53:44-06:00
Moved TKS interfaces

- - - - -
c0531a8f by Endi S. Dewata at 2020-02-05T05:53:44-06:00
Moved RA interfaces

- - - - -
daa00cb2 by Endi S. Dewata at 2020-02-05T05:53:44-06:00
Moved ILdapCertMapper and ILdapCrlMapper

- - - - -
cca7e04c by Endi S. Dewata at 2020-02-05T05:53:44-06:00
Merged ILdapPublishModule into LdapPublishModule

- - - - -
708c1ccb by Endi S. Dewata at 2020-02-05T05:53:44-06:00
Moved ICRLPublisher

- - - - -
b37d820d by Endi S. Dewata at 2020-02-05T05:53:44-06:00
Moved ILdapExpression

- - - - -
0bb89b29 by Endi S. Dewata at 2020-02-05T05:53:44-06:00
Moved publisher classes

- - - - -
d6cf43e6 by Endi S. Dewata at 2020-02-05T05:53:44-06:00
Refactored LdapRequestListener.init()

The code that creates the listener objects in
LdapRequestListener.init() has been moved into
setPublisherProcessor().

- - - - -
dfc420c7 by Endi S. Dewata at 2020-02-05T05:53:44-06:00
Refactored IPublisherProcessor

The IPublisherProcessor has been modified to no longer
extend ISubsystem.

- - - - -
96bb054b by Endi S. Dewata at 2020-02-05T05:53:44-06:00
Refactored LdapConnModule.init()

The LdapConnModule.init() has been modified to no longer
take an owner object.

- - - - -
09d96ab9 by Endi S. Dewata at 2020-02-05T05:53:44-06:00
Refactored StorageKeyUnit.init()

The StorageKeyUnit.init() has been modified to no longer
take an owner object.

- - - - -
08f0e573 by Endi S. Dewata at 2020-02-05T05:53:44-06:00
Removed DBSubsystem.mOwner

The DBSubsystem.mOwner has been replaced by CMSEngine instance.

- - - - -
c9c29ffb by Endi S. Dewata at 2020-02-05T06:32:35-06:00
Refactored IPolicyRule.init()

The IPolicyRule.init() has been modified to take an
IPolicyProcessor object instead of ISubsystem.

- - - - -
bfbe77df by Endi S. Dewata at 2020-02-05T06:35:04-06:00
Refactored IOCSPStore

The IOCSPStore has been modified to no longer extend
ISubsystem.

- - - - -
1adffc9e by Endi S. Dewata at 2020-02-05T06:38:30-06:00
Refactored ISubsystem.init()

The ISubsystem.init() has been modified to no longer take
an ISubsystem object.

- - - - -
694ac700 by Endi S. Dewata at 2020-02-05T08:49:49-06:00
Refactored CMSEngine

The CMSEngine has been modified to no longer implement
ISubsystem.

- - - - -
3247c7e4 by Timo Aaltonen at 2020-02-06T13:52:36+02:00
Merge branch 'upstream'

- - - - -
035473ab by Timo Aaltonen at 2020-02-06T13:53:01+02:00
bump the version

- - - - -
b146c6ce by Timo Aaltonen at 2020-02-06T14:02:58+02:00
Use debhelper-compat 12.

- - - - -
6715b551 by Endi S. Dewata at 2020-02-06T06:06:03-06:00
Added explicit check params for subprocess.run()

- - - - -
039d4c7b by Timo Aaltonen at 2020-02-06T14:06:23+02:00
tests: Instead of skipping pkidestroy ignore failures

- - - - -
ba275e14 by Endi S. Dewata at 2020-02-06T06:08:23-06:00
Updated log messages in TPSConnectorService

- - - - -
2aafb520 by Endi S. Dewata at 2020-02-06T06:08:31-06:00
Updated log messages in RegisterUser

- - - - -
2850a390 by Endi S. Dewata at 2020-02-06T06:08:31-06:00
Cleaned up CMSEngine.initSubsystem()

The code that configures CMSEngine after subsystem initialization
has been moved into separate methods.

- - - - -
b75bef75 by Endi S. Dewata at 2020-02-06T06:08:31-06:00
Removed unused fields in BaseSubsystem

- - - - -
6183bcbd by Endi S. Dewata at 2020-02-06T06:08:31-06:00
Refactored Debug class

The Debug class has been changed to no longer extend ISubsystem
and moved out of the static subsystem list in CMSEngine.

- - - - -
09ef0d82 by Endi S. Dewata at 2020-02-06T06:08:31-06:00
Refactored PluginRegistry class

The PluginRegistry has been modified to no longer extend
ISubsystem and moved out of static subsystem list in CMSEngine.

- - - - -
46072177 by Endi S. Dewata at 2020-02-06T06:08:31-06:00
Refactored PluginRegistry.init()

The PluginRegistry.init() has been modified to take a
default plugin registry file name parameter instead of
getting it directly from CMSEngine.

- - - - -
fe752938 by Timo Aaltonen at 2020-02-06T21:13:42+02:00
releasing package dogtag-pki version 10.7.4-1

- - - - -
a8b18302 by Endi S. Dewata at 2020-02-07T07:11:02-06:00
Fixed PKIServer.create()

The PKIServer.create() has been modified to add PKI_VERSION
into tomcat.conf to track server upgrades.

- - - - -
679b5d98 by Endi S. Dewata at 2020-02-07T07:55:03-06:00
Updated version number to 10.8.0

- - - - -
82ca843d by Timo Aaltonen at 2020-02-08T17:35:11+02:00
Use pybuild.

- - - - -
0f5074d8 by Timo Aaltonen at 2020-02-08T17:41:29+02:00
releasing package dogtag-pki version 10.7.4-2

- - - - -
0c65d43a by Endi S. Dewata at 2020-02-08T20:50:44-06:00
Fixed python3-pytest-runner dependency

- - - - -
7b3fbfe7 by Endi S. Dewata at 2020-02-10T22:31:47+10:00
Added ACMEAccountService

The ACMEAccountService has been added to update and unregister
an ACME account.

- - - - -
37f985b8 by Endi S. Dewata at 2020-02-10T07:48:17-06:00
Cleaned up ConfigClient.process_admin_cert()

The ConfigClient.process_admin_cert() has been modified to use
NSSDatabase.add_cert() to import the admin certificate into the
client's NSS database.

- - - - -
948a4314 by Endi S. Dewata at 2020-02-10T07:48:17-06:00
Added CMSEngine.getUGSubsystem()

- - - - -
2ee0fa8e by Endi S. Dewata at 2020-02-10T07:52:41-06:00
Refactored Configurator.createPKCS7()

The Configurator.createPKCS7() has been modified to return
a PKCS7 object.

- - - - -
a074366d by Endi S. Dewata at 2020-02-10T12:06:07-06:00
Refactored Configurator.submitAdminCertRequest()

The Configurator.submitAdminCertRequest() has been modified
to return an X509CertImpl object.

- - - - -
655079cf by Endi S. Dewata at 2020-02-10T12:06:07-06:00
Fixed PKIDeployer.backup_keys()

The PKIDeployer.backup_keys() has been updated to work with
non-default instance name.

- - - - -
c523b56e by Endi S. Dewata at 2020-02-10T12:15:36-06:00
Updated version number to 10.8.1

- - - - -
c8e352ae by Endi S. Dewata at 2020-02-11T15:40:03+10:00
Added user guide for ACME responder

- - - - -
ff4c26d9 by Endi S. Dewata at 2020-02-11T00:44:23-06:00
Merged IProfilePolicy into ProfilePolicy

- - - - -
0ca8f0f0 by Endi S. Dewata at 2020-02-11T01:07:23-06:00
Replaced IPolicyConstraint with PolicyConstraint

- - - - -
bbb04b5a by Endi S. Dewata at 2020-02-11T01:07:30-06:00
Replaced ICertInfoPolicyDefault with EnrollDefault

- - - - -
a702f507 by Endi S. Dewata at 2020-02-11T01:32:43-06:00
Replaced IPolicyDefault with PolicyDefault

- - - - -
4de2059e by Endi S. Dewata at 2020-02-12T03:37:11-06:00
Refactored ProfileService.createProfileInput()

The ProfileService.createProfileInput() has been modified
to create a ProfileInput object then add the attributes
afterwards.

- - - - -
84111eaf by Endi S. Dewata at 2020-02-12T12:18:28-06:00
Removed unsupported capture_output in subprocess.run()

The PKI Python library uses subprocess.run() which is available
since Python 3.5. However, the capture_output parameter is only
available since Python 3.7. Since some platforms do not have it
yet it has been changed to set the stdout and stderr parameters
to PIPE instead.

The pki.spec file has also been updated to require Python 3.5.

- - - - -
8bdb6cad by Endi S. Dewata at 2020-02-12T12:54:06-06:00
Refactored ProfileService.createProfileOutput()

The ProfileService.createProfileOutput() has been modified
to create a ProfileOutput object then add the attributes
afterwards.

- - - - -
2d8ba4ea by Endi S. Dewata at 2020-02-12T12:54:06-06:00
Replaced IProfileInput with ProfileInput

- - - - -
1aac0912 by Endi S. Dewata at 2020-02-12T12:54:06-06:00
Replaced IProfileOutput with ProfileOutput

- - - - -
3ec62aac by Endi S. Dewata at 2020-02-13T02:25:15-06:00
Refactored ConfigClient.create_certificate_setup_request()

The ConfigClient.create_certificate_setup_request() has been
modified to store only the info of the certificate being set up.

- - - - -
5314a62a by Endi S. Dewata at 2020-02-13T02:25:15-06:00
Refactored CertificateSetupRequest

The CertificateSetupRequest has been modified to store only
the info of the certificate being set up.

- - - - -
3c01e7e9 by Dinesh Prasanth M K at 2020-02-13T10:27:43-05:00
Update travis build matrix

- Re-enables FreeIPA smoke tests
  https://pagure.io/freeipa/issue/7989

- Adds F32 to build matrix as optional job

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
a2a019a2 by Endi S. Dewata at 2020-02-13T22:19:49-06:00
Fixed SystemCertService.createCertificateData()

The SystemCertService.createCertificateData() has been modified
to generate a more consistent PEM certificate with a newline
character after the footer.

- - - - -
1d4f161e by Endi S. Dewata at 2020-02-13T22:54:54-06:00
Refactored SystemConfigService.setupAdmin()

The SystemConfigService.setupAdmin() has been modified to
create the admin certificate first then create the user in
the database.

- - - - -
670b89c0 by Endi S. Dewata at 2020-02-13T22:58:47-06:00
Updated log messages in ProfileAdminServlet

- - - - -
9ac33f6a by Endi S. Dewata at 2020-02-13T22:59:29-06:00
Updated log messages in CertProcessor

- - - - -
c60c233a by Endi S. Dewata at 2020-02-14T08:07:32-06:00
Updated version number to 10.8.2

- - - - -
59a17d41 by Fraser Tweedale at 2020-02-14T09:38:22-06:00
refactor RemoveLDAPSetupFiles

The ACME LDAP schema will soon be added.  Before we add it, the task
that cleans up extra schema / DS configuration files from the PKI
instance directory needs a tidy-up to reduce duplication.

- - - - -
72595f68 by Endi S. Dewata at 2020-02-14T10:13:57-06:00
Cleaned up KeyConstraint

The KeyConstraint has been cleaned up to help troubleshooting
key constraint issues.

- - - - -
f9fe7fe1 by Endi S. Dewata at 2020-02-14T10:54:44-06:00
Cleaned up EnrollProfile

The EnrollProfile has been cleaned up to help troubleshooting
enrollment issues.

- - - - -
2e4914e8 by Endi S. Dewata at 2020-02-14T13:34:36-06:00
Updated log messages in AAclAuthz.checkPermission()

- - - - -
84c039e9 by Endi S. Dewata at 2020-02-14T20:02:40-06:00
Fixed caECAdminCert profile

Previously the profile.caECAdminCert.config property in CA's
CS.cfg was incorrectly pointing to caAdminCert.cfg which contains
an RSA key constraint. This was causing a problem when installing
other PKI subsystems using EC keys.

The property has been updated to point to caECAdminCert.cfg which
contains the correct EC key constraint. An upgrade script has been
added as well to fix existing instances.

https://bugzilla.redhat.com/show_bug.cgi?id=1802006

- - - - -
6e1779da by Alexander Scheel at 2020-02-18T10:43:19-05:00
Fix interactive DS configuration

In f218c64bec0ccfe754a42bdcd46c7c2cfc09bc77, PKIDeployer configuration
was refactored. This included placing most of the DS specific init logic
into a separate PKIDeployer.init() call. However, this wasn't issued
until much later in the PKI Spawn process. During interactive
installations, the user would be prompted for DS connection information,
which would subsequently be verified. However, since PKIDeployer.init()
hadn't yet been called, ds_url was None, resulting in a connection
failure:

    Traceback (most recent call last):
      File "/usr/lib/python3.6/site-packages/pki/server/pkispawn.py", line 69, in verify_ds_configuration
        deployer.ds_connect()
      File "/usr/lib/python3.6/site-packages/pki/server/deployment/__init__.py", line 214, in ds_connect
        self.ds_connection = ldap.initialize(self.ds_url)
      File "/usr/lib64/python3.6/site-packages/ldap/functions.py", line 85, in initialize
        return LDAPObject(uri,trace_level,trace_file,trace_stack_limit,bytes_mode)
      File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line 104, in __init__
        self._l = ldap.functions._ldap_function_call(ldap._ldap_module_lock,_ldap.initialize,uri)
      File "/usr/lib64/python3.6/site-packages/ldap/functions.py", line 55, in _ldap_function_call
        result = func(*args,**kwargs)
    TypeError: initialize() argument 1 must be str, not None

Move DS configuration out of init() and into ds_init(); make
ds_connect() call ds_init() when ds_url is None, and call ds_init() from
init(). PKI Spawn has been updated to call ds_init() when necessary, and
also to reset ds_url to None when validation fails, forcing ds_init() to
be called again.

Resolves: rh-bz#1795215

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
afb708ff by Dinesh Prasanth M K at 2020-02-18T13:28:13-05:00
Fix interactive installation for subsystems other than CA (#322)

When doing an interactive installation, the pkispawn script tries
to connect to Security Domain via `sd_connect` and attaches user
credentials. At this point, the user has not been prompted for any
credentials. So, the authentication happens with empty strings. As
a result the interactive installation fails.

This was not observed in non-interactive installation because all the info
is provided via cfg file and is available in the dictionary at the time
of execution.

This patch moves the authentication logic from `sd_connect()`
to `sd_login()` (ie) authenticate before trying to log in

The bug was introduced in commit: 08ea62892a894553d8ceae200618c6fa8d7f0585

Resolves: BZ#1795215

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>
- - - - -
fccd45e7 by Dinesh Prasanth M K at 2020-02-26T12:59:25-05:00
Convert multiline script to use literal style scalar (#330)

The literal style scalar | preserves newlines while folded
scalar > replaces newlines with space. As a result unintended
exit codes can occur

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>
- - - - -
eb6f614e by Dinesh Prasanth M K at 2020-02-26T13:42:28-05:00
Re-enable pytest-runner in spec file

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
d64aa66c by Timo Aaltonen at 2020-02-27T16:06:40+02:00
Merge tag 'v10.7.4' into master-next

- - - - -
e4acbe26 by Timo Aaltonen at 2020-02-27T16:37:30+02:00
Merge branch 'master' into master-next

- - - - -
2a53f9f7 by Timo Aaltonen at 2020-02-27T16:47:25+02:00
bump the version

- - - - -
4764996a by Timo Aaltonen at 2020-02-27T16:48:51+02:00
patches: Refreshed.

- - - - -
4f31a00a by Timo Aaltonen at 2020-02-27T18:56:11+02:00
control: Add python3-setuptools to build-depends.

- - - - -
944a6d50 by Timo Aaltonen at 2020-02-27T18:56:42+02:00
fix-healthcheck-install.diff: Use debian layout when installing the healthcheck stuff.

- - - - -
f4d84e92 by Endi S. Dewata at 2020-02-28T09:56:01-06:00
Fixed missing token name in serverCertNick.conf

The serverCertNick.conf is used to store the nickname and
the token name of the SSL server certificate.

Previously in HSM cases the token name was missing from this
file due to mishandling, causing the installation to fail.

The SystemCertDataFactory.create() has been modified to pass
the token name properly. Also the configuration.py has been
modified to normalize the token name and use the default token
name if it's not available before storing it into the file.

https://bugzilla.redhat.com/show_bug.cgi?id=1806840

- - - - -
11d977d4 by Endi S. Dewata at 2020-02-28T09:56:01-06:00
Fixed KRA clone configuration

Previously the security_databases.py would only configure the
KRA properties that store the system certificate nicknames and
tokens in HSM cases only. For non-HSM cases it would rely on
Configurator.updateConfigEntries() to set the properties with
values from KRA master.

The security_databases.py has been modified such that it
configures KRA properties in both HSM and non-HSM cases without
using the values from KRA master.

https://bugzilla.redhat.com/show_bug.cgi?id=1806840

- - - - -
37eaf2ab by Endi S. Dewata at 2020-02-28T09:56:01-06:00
Fixed missing token names during KRA cloning

During replica installation, KRA certificate nicknames and
token names (if available) are normally stored in the
following properties:
- kra.transportUnit.nickName
- kra.storageUnit.nickName

Previously the Configurator.updateConfigEntries() would
incorrectly overwrite those properties with nicknames from
KRA master without the token names.

In non-HSM cases this was not a problem since there were no
token names involved. However, in HSM cases the token names
became missing so the certificates could not be found and
the installation would fail.

The Configurator.updateConfigEntries() has been modified to
no longer overwrite these properties.

https://bugzilla.redhat.com/show_bug.cgi?id=1806840

- - - - -
b0dfe58e by Endi S. Dewata at 2020-02-28T09:56:01-06:00
Fixed HSM module registration

The security_databases.py has been modified to register the
HSM module using NSSDatabase.add_module() which handles the
warning generated by modutil silently.

The Modutil class is no longer used so it has been removed.

https://bugzilla.redhat.com/show_bug.cgi?id=1806840

- - - - -
2b489f55 by Endi S. Dewata at 2020-02-28T09:56:01-06:00
Added docs on CA, KRA, OCSP cloning with HSM

https://bugzilla.redhat.com/show_bug.cgi?id=1806840

- - - - -
2c906dd0 by Endi S. Dewata at 2020-03-02T09:13:18-06:00
Fixed security domain authentication

Previously pkispawn would only connect to a security domain
when installing a new subsystem that joins the security domain
(pki_security_domain_type == existing). It also would only
authenticate against the security domain if it's not skipping
security domain verification (pki_skip_sd_verify == False),
which is the default.

When installing a subordinate CA with a new security (sub)domain
it would have pki_security_domain_type == new, so it would not
connect to nor authenticate against the parent security domain,
and it would not be able to get the installation token required
to complete the installation.

The code has been modified such that pkispawn will connect to a
security domain when installing a subsystem to join the security
domain (pki_security_domain_type == existing) as before, but also
when installing a subordinate CA (pki_subordinate == True). It
will also authenticate against the security domain regardless of
the pki_skip_sd_verify since the authentication is required to
obtain the installation token. The surrounding try-catch block
has also been removed since the original exception will have more
detailed information (i.e. the exact URL) about the problem.

https://bugzilla.redhat.com/show_bug.cgi?id=1807421

- - - - -
73394cec by Endi S. Dewata at 2020-03-03T18:56:46-06:00
Fixed NSSDatabase.module_exists()

The search pattern in NSSDatabase.module_exists() has been
modified to allow matching module names at the end of line.

https://bugzilla.redhat.com/show_bug.cgi?id=1809210

- - - - -
f911cff2 by Endi S. Dewata at 2020-03-03T18:56:46-06:00
Fixed missing subsystem cert token name

The code that configures the shared secret between TKS and TPS
has been modified to use the subsystem certificate token name
if it is specified in the deployment configuration. This is
needed to install TPS with HSM.

https://bugzilla.redhat.com/show_bug.cgi?id=1809210

- - - - -
c7029a1c by Endi S. Dewata at 2020-03-03T18:56:46-06:00
Fixed TPS connector removal

The TPSConnector.execute_using_pki() has been modified to
use -f <password file> instead of -c <password> in order to
work properly with HSM and for better security. It has also
been modified to use -U <URL> to specify the TKS location.

https://bugzilla.redhat.com/show_bug.cgi?id=1809210

- - - - -
b55549ae by Endi S. Dewata at 2020-03-03T19:19:10-06:00
Updated version number to 10.8.3

- - - - -
699a7470 by Timo Aaltonen at 2020-03-17T15:20:10+02:00
Merge branch 'upstream-next' into master-next

- - - - -
51ad5c9c by Timo Aaltonen at 2020-03-17T15:20:35+02:00
bump the version

- - - - -


30 changed files:

- .classpath
- .travis.yml
- CMakeLists.txt
- + COMMITMENT
- LICENSE
- base/CMakeLists.txt
- + base/acme/CMakeLists.txt
- + base/acme/conf/backend.json
- + base/acme/conf/backend/pki/backend.json
- + base/acme/conf/database.json
- + base/acme/conf/database/in-memory/database.json
- + base/acme/conf/database/postgresql/create.sql
- + base/acme/conf/database/postgresql/database.json
- + base/acme/conf/database/postgresql/drop.sql
- + base/acme/conf/database/postgresql/statements.conf
- + base/acme/conf/metadata.json
- + base/acme/conf/validators.json
- + base/acme/src/CMakeLists.txt
- + base/acme/src/org/dogtagpki/acme/ACME.java
- + base/acme/src/org/dogtagpki/acme/ACMEAccount.java
- + base/acme/src/org/dogtagpki/acme/ACMEAuthorization.java
- + base/acme/src/org/dogtagpki/acme/ACMEChallenge.java
- + base/acme/src/org/dogtagpki/acme/ACMEDirectory.java
- + base/acme/src/org/dogtagpki/acme/ACMEError.java
- + base/acme/src/org/dogtagpki/acme/ACMEHeader.java
- + base/acme/src/org/dogtagpki/acme/ACMEIdentifier.java
- + base/acme/src/org/dogtagpki/acme/ACMEMetadata.java
- + base/acme/src/org/dogtagpki/acme/ACMENonce.java
- + base/acme/src/org/dogtagpki/acme/ACMEOrder.java
- + base/acme/src/org/dogtagpki/acme/ACMERevocation.java


The diff was not included because it is too large.


View it on GitLab: https://salsa.debian.org/freeipa-team/dogtag-pki/-/compare/de635bb70efd6d80702e9c4d0aefc6d3a9706228...51ad5c9c9e0ed67245d97aea791042639114ddf4
