[Pkg-freeipa-devel] [Git][freeipa-team/dogtag-pki][master] 618 commits: Fix Secure connection issue when server is down

Timo Aaltonen gitlab at salsa.debian.org
Mon Nov 2 04:51:14 GMT 2020



Timo Aaltonen pushed to branch master at FreeIPA packaging / dogtag-pki


Commits:
300fbb53 by Dinesh Prasanth M K at 2020-08-04T16:53:55-04:00
Fix Secure connection issue when server is down

When the PKI server is down, the server is temporarily
brought up using a temporary SSL server cert. This cert
needs to be trusted to enable secure connection.

This patch:

* Passes the instance's nssdb as the client nssdb to
  trust the SSL server created during cert-fix (offline
  cert renewal process).
* Gets the hostname using socket instead of from an env
  variable.

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
858d6a05 by Endi S. Dewata at 2020-08-04T15:55:38-05:00
Updated version number to 10.10.0-alpha1

- - - - -
b62d6960 by Stanislav Levin at 2020-08-04T15:56:02-05:00
Fix Version.__getnewargs__

According to the docs [0]:
>  object.__getnewargs__()
This method serves a similar purpose as __getnewargs_ex__(), but
supports only positional arguments. It must return a tuple of
arguments args which will be passed to the __new__() method upon
unpickling.

[0]: https://docs.python.org/3/library/pickle.html#object.__getnewargs__

Fixes: https://pagure.io/dogtagpki/issue/3200
Signed-off-by: Stanislav Levin <slev at altlinux.org>

- - - - -
b14b0268 by Stanislav Levin at 2020-08-04T15:58:12-05:00
Fix unittest DeprecationWarning

`assertEquals` is deprecated in favor of `assertEqual` since Python 3.2:
https://docs.python.org/3/whatsnew/3.2.html

Fixes: https://pagure.io/dogtagpki/issue/3201
Signed-off-by: Stanislav Levin <slev at altlinux.org>

- - - - -
1baa5763 by Endi S. Dewata at 2020-08-05T14:01:09-05:00
Fixed exception message in ConfigClient

- - - - -
ff77811b by Endi S. Dewata at 2020-08-05T14:01:09-05:00
Updated ACME container to Fedora 31

- - - - -
49585867 by Dinesh Prasanth M K at 2020-08-05T16:35:58-04:00
Move from sudo to runuser

This patch migrates usage of sudo to runuser. In containers
sudo is not installed by default, whereas `runuser` is part of
the 'util-linux' package, which is installed by default.

Fixes: https://pagure.io/dogtagpki/issue/3171

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
a2665b9f by jmagne at 2020-08-06T09:44:27-07:00
Address RHCS-1347 Add healthcheck to test the health of clone. (#496)

Simple test of clones associated with a pki instance.

Testing is predicated on locating within the given instance a CA security domain subsystem.

From there the security domain is consulted for a list of cloned subsystems.
Each clone found is checked in a simple fashion for connectivity and for simple data,
when appropriate. For now the OCSP, TKS, and TPS clones are checked for connectivity.

Another caveat: Originally I wanted to pair up each discovered clone with its master and compare data
within the CA and KRA to match them up. This round I was not able to easily figure out this mapping, so for
now the actual clones are tested.

Simple command line to run the test directly:

pki-healthcheck --debug  --source pki.server.healthcheck.clones.connectivity_and_data --check ClonesConnectivyAndDataCheck

The test reaches out and provides a result for each group of ca, kra, ocsp, tps, and tks clones.

Note that we have issues with tps and ocsp clones at this point.

Co-authored-by: Jack Magne <jmagne at localhost.localdomain>

- - - - -
33623f6b by Endi S. Dewata at 2020-08-07T12:37:59-05:00
Added ACMEDatabase.getAccountOrders()

The ACMEDatabase.getAccountOrders() has been added to return
all order records created by an account.

- - - - -
f6c2f759 by Endi S. Dewata at 2020-08-07T12:37:59-05:00
Added ACMEAccountOrdersService

The ACMEAccountOrdersService has been added to return
non-invalid orders created by an account.

- - - - -
64e76602 by Alexander Scheel at 2020-08-07T14:03:42-04:00
Fix runuser to use absolute path

When pki-server is called as root, the following message is displayed
when trying to use runuser:

    DEBUG: Command: runuser -u pkiuser -- /usr/sbin/pki-server upgrade --debug pki-tomcat
    ERROR: [Errno 2] No such file or directory: 'runuser'
    Traceback (most recent call last):
      File "/usr/lib/python3.9/site-packages/pki/server/pkiserver.py", line 40, in <module>
        cli.execute(sys.argv)
      File "/usr/lib/python3.9/site-packages/pki/server/cli/__init__.py", line 143, in execute
        super(PKIServerCLI, self).execute(args)
      File "/usr/lib/python3.9/site-packages/pki/cli/__init__.py", line 197, in execute
        module.execute(module_args)
      File "/usr/lib/python3.9/site-packages/pki/server/cli/__init__.py", line 770, in execute
        instance.run(
      File "/usr/lib/python3.9/site-packages/pki/server/__init__.py", line 290, in run
        p = self.execute(
      File "/usr/lib/python3.9/site-packages/pki/server/instance.py", line 214, in execute
        subprocess.run(cmd, env=self.config, check=True)
      File "/usr/lib64/python3.9/subprocess.py", line 501, in run
        with Popen(*popenargs, **kwargs) as process:
      File "/usr/lib64/python3.9/subprocess.py", line 947, in __init__
        self._execute_child(args, executable, preexec_fn, close_fds,
      File "/usr/lib64/python3.9/subprocess.py", line 1819, in _execute_child
        raise child_exception_type(errno_num, err_msg, err_filename)
    FileNotFoundError: [Errno 2] No such file or directory: 'runuser'

This is because sudo lives under /usr/bin, which exists on PATH by
default, but because runuser lives under /usr/sbin (which is admin-only)
it doesn't live on PATH by default. Thus, an absolute path to the
executable needs to be provided.

This change was merged in 49585867207922479644a03078c29548de02cd03.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
26bb71ef by Alexander Scheel at 2020-08-07T14:03:52-04:00
Add server dependency on jaxb-api

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
acac6d87 by Dinesh Prasanth M K at 2020-08-10T18:22:25-04:00
Add nuxwdog status to pki-server status

Display whether nuxwdog is enabled on the system when executing
pki-server status

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
a53957ec by Endi S. Dewata at 2020-08-10T19:10:18-05:00
Added pki-acme RPM package

The ACME-related files have been moved from pki-server to a new
pki-acme package. The pki-javadoc has been modified to include
ACME classes.

- - - - -
ce730f7f by Endi S. Dewata at 2020-08-12T08:33:14-05:00
Disabled AIA and cert policy extensions in ACME examples

The ACME NSS issuer has been modified to disable the AIA and
certificate policy extensions by default since they contain
non-functional URLs that might cause certbot to generate
error messages.

- - - - -
d7858a3b by Alexander Scheel at 2020-08-12T11:13:34-05:00
Start NSSCertExportCLI

Can be tested with pki nss-cert-export

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
c5e1541f by Alexander Scheel at 2020-08-12T11:13:34-05:00
Fix export on FIPS-enabled HSMs

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
04c78d62 by Endi S. Dewata at 2020-08-12T11:13:34-05:00
Fixed cert nickname in NSSDatabase.export_cert_from_db()

The NSSDatabase.export_cert_from_db() has been modified to
no longer prepend the token name to the cert nickname since
the cert nickname obtained from serverCertNick.conf already
contains the token name.

- - - - -
2de8e580 by Endi S. Dewata at 2020-08-12T11:13:34-05:00
Removed blank lines in pki nss-cert-export output

The pki nss-cert-export has been modified to remove the extra
blank lines between certs and at the end of the output.

- - - - -
06ec7e93 by Endi S. Dewata at 2020-08-12T15:58:52-05:00
Added creation timestamps in ACME database

The ACME database has been modified to store the creation
timestamps of ACME records for further analysis.

- - - - -
06c90664 by Endi S. Dewata at 2020-08-13T09:10:00-05:00
Cleaned up log messages in FIPS.is_enabled()

- - - - -
dba65918 by Endi S. Dewata at 2020-08-13T09:10:00-05:00
Cleaned up log messages in NSSDatabase

- - - - -
78520ccf by Endi S. Dewata at 2020-08-13T09:13:46-05:00
Removed Configurator.importAndSetCertPermissionsFromHSM()

The Configurator.importAndSetCertPermissionsFromHSM()
is redundant since the import has been done and the
trust flags have been set earlier in configuration.py.

- - - - -
4976eef9 by Endi S. Dewata at 2020-08-13T09:17:51-05:00
Removed Configurator.verifySystemCertificates()

The Configurator.verifySystemCertificates() is redundant
since the certificates will be validated by the code that
actually uses the certificate.

- - - - -
dbe55769 by Endi S. Dewata at 2020-08-13T10:36:23-05:00
Removed CloneSetupRequest.setupReplication

The CloneSetupRequest.setupReplication is no longer needed
since the pki_clone_setup_replication will be checked before
calling SystemConfigService.setupClone().

- - - - -
d58a4d8e by Endi S. Dewata at 2020-08-13T12:35:23-05:00
Removed duplicate extension attributes

The X509CertImplMapper.mapObjectToLDAPAttributeSet() has been
modified to add the extensions as a single attribute with
multiple values instead of multiple attributes with single
values.

- - - - -
6642a31b by Endi S. Dewata at 2020-08-13T20:15:09-05:00
Moved ExtAttrDynMapper into a separate file

- - - - -
073ca9b9 by Endi S. Dewata at 2020-08-13T20:17:22-05:00
Moved RequestAttrsMapper into a separate file

- - - - -
8633de04 by Endi S. Dewata at 2020-08-13T20:18:38-05:00
Moved RequestIdMapper into a separate file

- - - - -
117dee93 by Endi S. Dewata at 2020-08-13T20:19:50-05:00
Moved RequestStateMapper into a separate file

- - - - -
4b7e3d9f by Endi S. Dewata at 2020-08-13T20:19:50-05:00
Updated log messages in DBSSession

- - - - -
35bd2159 by Endi S. Dewata at 2020-08-13T20:19:50-05:00
Updated log messages in UGSubsystem.addUser()

- - - - -
13406396 by Endi S. Dewata at 2020-08-13T20:19:50-05:00
Updated log messages in Configurator.createSecurityDomain()

- - - - -
c6f91404 by Endi S. Dewata at 2020-08-17T12:32:32-05:00
Moved ValidityConstraint to pki-ca

- - - - -
9d4d1496 by Endi S. Dewata at 2020-08-17T12:32:41-05:00
Moved CAValidityConstraint to pki-ca

- - - - -
dcd4af06 by Endi S. Dewata at 2020-08-17T12:32:43-05:00
Moved ValidityDefault to pki-ca

- - - - -
e1a09d37 by Endi S. Dewata at 2020-08-17T12:32:45-05:00
Moved CAValidityDefault to pki-ca

- - - - -
e3e8bb43 by Endi S. Dewata at 2020-08-17T12:32:47-05:00
Moved AuthorityKeyIdentifierExtDefault to pki-ca

- - - - -
8034c425 by Endi S. Dewata at 2020-08-17T12:32:49-05:00
Moved CAEnrollDefault to pki-ca

- - - - -
f62127f1 by Endi S. Dewata at 2020-08-17T12:32:51-05:00
Moved CAAdminServlet to pki-ca

- - - - -
fa66cef4 by Endi S. Dewata at 2020-08-17T12:32:53-05:00
Moved SearchReqs to pki-ca

- - - - -
b984169f by Endi S. Dewata at 2020-08-17T12:32:56-05:00
Moved ProcessCertReq to pki-ca

- - - - -
d414e4c4 by Endi S. Dewata at 2020-08-17T12:32:59-05:00
Moved CheckRequest to pki-ca

- - - - -
4ef8639d by Endi S. Dewata at 2020-08-17T12:33:04-05:00
Moved CertificateIssuedListener to pki-ca

- - - - -
deda4fc3 by Endi S. Dewata at 2020-08-17T12:33:07-05:00
Moved CertificateRevokedListener to pki-ca

- - - - -
b346f168 by Endi S. Dewata at 2020-08-17T12:36:02-05:00
Removed unused CloneSetupRequest.domainInfo

- - - - -
cfc48c72 by Endi S. Dewata at 2020-08-17T12:36:08-05:00
Removed unused CloneSetupRequest.installToken

- - - - -
087861ff by Endi S. Dewata at 2020-08-17T12:36:10-05:00
Removed unused CloneSetupRequest.cloneUri

- - - - -
b5971bdb by Endi S. Dewata at 2020-08-17T12:36:12-05:00
Removed unused CloneSetupRequest.systemCertsImported

- - - - -
cceb1851 by Endi S. Dewata at 2020-08-17T13:27:11-05:00
Updated log messages in UGSubsystem

- - - - -
75014d31 by Christina Fu at 2020-08-17T14:10:23-07:00
Bug1629025-DEV doc for: Server-Side Keygen for EE

This patch provides the document ServerSideKeygen.adoc.

https://bugzilla.redhat.com/show_bug.cgi?id=1629025

- - - - -
09eaa014 by Endi S. Dewata at 2020-08-17T17:10:02-05:00
Replaced ICertificateAuthority in CAService

- - - - -
3d7afcfe by Endi S. Dewata at 2020-08-17T17:10:02-05:00
Replaced ICertificateAuthority in CTEngine.process()

- - - - -
2945a5b7 by Endi S. Dewata at 2020-08-17T17:10:02-05:00
Replaced ISubsystem in CAPolicy.init()

- - - - -
df81fc3c by Endi S. Dewata at 2020-08-17T17:10:02-05:00
Replaced ISubsystem in KRAPolicy.init()

- - - - -
bfc42c2e by Endi S. Dewata at 2020-08-17T17:10:02-05:00
Replaced ISubsystem in GenericPolicyProcessor.init()

- - - - -
f7134804 by Endi S. Dewata at 2020-08-17T17:11:41-05:00
Replaced ICertificateAuthority in CertificateAuthority.createSubCA()

- - - - -
f7e1591f by Endi S. Dewata at 2020-08-17T17:11:59-05:00
Replaced ICertificateAuthority in CertificateAuthority.createCA()

- - - - -
cb1e6f9e by Endi S. Dewata at 2020-08-17T17:12:02-05:00
Replaced ICertificateAuthority in CertificateAuthority.getCAs()

- - - - -
c2853e46 by Endi S. Dewata at 2020-08-17T17:12:05-05:00
Replaced ICertificateAuthority in CertificateAuthority.getCA(X500Name)

- - - - -
76d1e1a3 by Endi S. Dewata at 2020-08-17T17:12:08-05:00
Replaced ICertificateAuthority in CertificateAuthority.getCA(AuthorityID)

- - - - -
14c5298b by 06shalini at 2020-08-18T11:50:00+05:30
Added changes in ansible playbooks and role ymls to make tests run for the following installations: (#509)

1. FIPS-enabled machine
2. Shared tomcat installation
3. Discrete tomcat installation
4. ECC discrete tomcat installation

Signed-off-by: Shalini Khandelwal <skhandel at redhat.com>

Co-authored-by: Shalini Khandelwal <skhandel at redhat.com>

- - - - -
ebf730d5 by Endi S. Dewata at 2020-08-18T11:58:34-05:00
Moved PublisherAdminServlet to pki-ca

- - - - -
e4b0b7f5 by Endi S. Dewata at 2020-08-18T11:58:42-05:00
Moved ChallengeRevocationServlet1 to pki-ca

- - - - -
d3814050 by Endi S. Dewata at 2020-08-18T11:58:44-05:00
Moved CMCRevReqServlet to pki-ca

- - - - -
61feb73c by Endi S. Dewata at 2020-08-18T11:58:45-05:00
Moved DisplayBySerial to pki-ca

- - - - -
50770ad9 by Endi S. Dewata at 2020-08-18T11:58:47-05:00
Moved GetCAChain to pki-ca

- - - - -
7379515c by Endi S. Dewata at 2020-08-18T11:58:49-05:00
Moved EnrollServlet to pki-ca

- - - - -
863f4e25 by Endi S. Dewata at 2020-08-18T11:58:51-05:00
Moved GetCertChain to pki-ca

- - - - -
06eefe1a by Endi S. Dewata at 2020-08-18T11:58:53-05:00
Moved LdapPublishModule to pki-ca

- - - - -
1b89140a by Endi S. Dewata at 2020-08-18T11:58:55-05:00
Moved PublishCertsJob to pki-ca

- - - - -
537f8ef3 by Endi S. Dewata at 2020-08-18T11:58:57-05:00
Moved RenewalNotificationJob to pki-ca

- - - - -
7f392e8d by Endi S. Dewata at 2020-08-18T11:59:00-05:00
Moved UnpublishExpiredJob to pki-ca

- - - - -
57610310 by Alexander Scheel at 2020-08-18T14:20:48-04:00
Make PKI use JDK8 everywhere again

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
7a1a41b2 by Endi S. Dewata at 2020-08-18T13:41:46-05:00
Removed cfgPath parameter from CMSStartServlet

The cfgPath parameter has been removed from CMSStartServlet
since it is currently not used and it can only be specified
in web.xml which is not customizable either.

- - - - -
21a29c0e by Endi S. Dewata at 2020-08-18T13:41:46-05:00
Added id field for CMSEngine

A new id field has been added to CMSEngine to store the
subsystem ID.

- - - - -
27680c7b by Endi S. Dewata at 2020-08-18T18:23:58-05:00
Updated CMSEngine.startup()

The CMSEngine.startup() has been renamed to start(). The
code in CMSStartServlet that initializes and starts the
engine has been moved into this method.

- - - - -
bd850775 by Endi S. Dewata at 2020-08-18T19:50:35-05:00
Added ServletContextListener methods into CMSEngine

The CMSEngine has been modified to implement methods defined
in ServletContextListener interface for starting up and
shutting down the engine.

- - - - -
c5e1b24a by Endi S. Dewata at 2020-08-18T19:50:35-05:00
Updated engine parameter in CMSStartServlet

The engine parameter in CMSStartServlet has been modified to
become optional.

- - - - -
78aa0de8 by Endi S. Dewata at 2020-08-19T17:39:47-05:00
Fixed ACME schema installation

Previously the ACME schema was installed by default whenever
any PKI subsystem was installed. Since all ACME files have
been moved into an optional pki-acme package, the ACME schema
should no longer be installed by default. Instead, the ACME
schema should be installed separately as described in ACME
installation document.

- - - - -
526fd9a1 by Endi S. Dewata at 2020-08-19T20:34:49-05:00
Updated CA startup

The CAEngine has been modified to implement
ServletContextListener which will start up and shut down
the subsystem.

- - - - -
760eabce by Endi S. Dewata at 2020-08-19T20:35:03-05:00
Updated KRA startup

The KRAEngine has been modified to implement
ServletContextListener which will start up and shut down
the subsystem.

- - - - -
588fa0d5 by Endi S. Dewata at 2020-08-19T20:35:10-05:00
Updated OCSP startup

The OCSPEngine has been modified to implement
ServletContextListener which will start up and shut down
the subsystem.

- - - - -
66899ea9 by Endi S. Dewata at 2020-08-19T20:35:10-05:00
Updated TKS startup

The TKSEngine has been modified to implement
ServletContextListener which will start up and shut down
the subsystem.

- - - - -
9f861c26 by Endi S. Dewata at 2020-08-19T20:35:10-05:00
Updated TPS startup

The TPSEngine has been modified to implement
ServletContextListener which will start up and shut down
the subsystem.

- - - - -
9bdc201a by Endi S. Dewata at 2020-08-20T12:12:56-05:00
Moved ReqCertSANameEmailResolver to pki-ca

- - - - -
62d4b779 by Endi S. Dewata at 2020-08-20T12:12:56-05:00
Moved GetBySerial to pki-ca

- - - - -
00f01dbf by Endi S. Dewata at 2020-08-20T12:12:56-05:00
Moved HashEnrollServlet to pki-ca

- - - - -
bc15cefe by Endi S. Dewata at 2020-08-20T12:12:56-05:00
Moved CACertCAEnrollProfile to pki-ca

- - - - -
6ccdc795 by Endi S. Dewata at 2020-08-20T12:12:56-05:00
Moved ServerCertCAEnrollProfile to pki-ca

- - - - -
b07e3c9d by Endi S. Dewata at 2020-08-20T12:12:56-05:00
Moved UserCertCAEnrollProfile to pki-ca

- - - - -
3b964a46 by Endi S. Dewata at 2020-08-20T12:12:56-05:00
Moved CAEnrollProfile to pki-ca

- - - - -
acbd386f by Endi S. Dewata at 2020-08-20T12:12:56-05:00
Moved CMCOutputTemplate to pki-ca

- - - - -
a78fd603 by Endi S. Dewata at 2020-08-20T12:12:56-05:00
Moved CMCUserSignedSubjectNameConstraint to pki-ca

- - - - -
ac605864 by Endi S. Dewata at 2020-08-20T12:12:56-05:00
Moved CMCUserSignedSubjectNameDefault to pki-ca

- - - - -
0485db3e by Endi S. Dewata at 2020-08-20T12:21:35-05:00
Moved CMCUserSignedAuth to pki-ca

- - - - -
f2e44afa by Endi S. Dewata at 2020-08-20T12:28:10-05:00
Moved CAEnrollConstraint to pki-ca

- - - - -
5a5013ed by Alexander Scheel at 2020-08-21T10:38:56-04:00
Add JAXB Implementation dependency for JDK11+

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
0c7f54fe by Alexander Scheel at 2020-08-21T10:38:56-04:00
Add Jakarta Activation dependency for JDK11+

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
40857e61 by Alexander Scheel at 2020-08-24T09:11:02-04:00
Fix permissions when installing clone

When pkispawn runs, it executes as root. However, rarely is PKI
installed as root. The resulting permissions on ca.crt are 600,
preventing later pki-server migrate command from running, as it
runs as pkiuser, who doesn't have access to ca.crt. Fix the
permissions when we initially create ca.crt to be owned by pkiuser.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
87a44e92 by Endi S. Dewata at 2020-08-24T11:03:31-05:00
Moved CrossCertPairSubsystem to pki-ca

- - - - -
539e10ff by Endi S. Dewata at 2020-08-24T11:03:31-05:00
Moved CertificatePair to pki-ca

- - - - -
b09df5c3 by Endi S. Dewata at 2020-08-24T11:03:31-05:00
Moved LdapEncryptCertPublisher to pki-ca

- - - - -
8fabafa5 by Endi S. Dewata at 2020-08-24T11:03:31-05:00
Moved PKCS7Output to pki-ca

- - - - -
dfd0f525 by Endi S. Dewata at 2020-08-24T11:03:31-05:00
Moved CMMFOutput to pki-ca

- - - - -
6a66f61e by Endi S. Dewata at 2020-08-24T11:03:31-05:00
Moved UniqueKeyConstraint to pki-ca

- - - - -
b6548a1d by Endi S. Dewata at 2020-08-24T11:03:31-05:00
Moved UniqueSubjectNameConstraint to pki-ca

- - - - -
1063c6c8 by Endi S. Dewata at 2020-08-24T11:03:31-05:00
Moved ServerKeygenUserKeyDefault to pki-ca

- - - - -
bd1f6853 by Endi S. Dewata at 2020-08-24T11:03:32-05:00
Moved SigningAlgConstraint to pki-ca

- - - - -
69a840f7 by Endi S. Dewata at 2020-08-24T11:03:32-05:00
Moved SigningAlgDefault to pki-ca

- - - - -
2ef0b184 by Endi S. Dewata at 2020-08-24T11:04:54-05:00
Updated log messages in AuthorityService

- - - - -
844268fd by Endi S. Dewata at 2020-08-24T11:29:14-05:00
Added CAEngine.getCA()

The CAEngine.getCA() has been added to return the main/host
CertificateAuthority instance.

- - - - -
987a4718 by Endi S. Dewata at 2020-08-24T19:06:28-05:00
Move CertificateAuthority.caMap to CAEngine

- - - - -
db000a35 by Endi S. Dewata at 2020-08-24T19:06:34-05:00
Move CertificateAuthority.getCAs() to CAEngine

- - - - -
d845df85 by Endi S. Dewata at 2020-08-24T19:06:41-05:00
Move CertificateAuthority.getCA(AuthorityID) to CAEngine

- - - - -
3ea58b7b by Endi S. Dewata at 2020-08-24T19:06:43-05:00
Move CertificateAuthority.getCA(X500Name) to CAEngine

- - - - -
e63f8b24 by Endi S. Dewata at 2020-08-24T19:10:35-05:00
Remove unused ITimeSource

- - - - -
40bc98ae by Endi S. Dewata at 2020-08-24T19:14:28-05:00
Move CertificateAuthority.createCA() to CAEngine

- - - - -
83129466 by Endi S. Dewata at 2020-08-24T19:14:28-05:00
Add CAEngine.addCA()

- - - - -
9de5a14b by Endi S. Dewata at 2020-08-24T19:14:28-05:00
Add CAEngine.removeCA()

- - - - -
652eadb5 by Endi S. Dewata at 2020-08-24T19:49:32-05:00
Move CertificateAuthority.keyRetrieverThreads to CAEngine

- - - - -
bd525e0b by Endi S. Dewata at 2020-08-24T19:49:33-05:00
Add CAEngine.hasKeyRetriever()

- - - - -
256248f9 by Endi S. Dewata at 2020-08-24T19:49:34-05:00
Add CAEngine.addKeyRetriever()

- - - - -
8e8ac282 by Endi S. Dewata at 2020-08-24T19:49:35-05:00
Add CAEngine.removeKeyRetriever()

- - - - -
c73824cb by Endi S. Dewata at 2020-08-24T19:49:36-05:00
Clean up CertificateAuthority.initDefCaAttrs()

- - - - -
4be50f84 by Endi S. Dewata at 2020-08-24T19:49:37-05:00
Clean up CMSEngine.initializePasswordStore()

- - - - -
ef6bd38d by Endi S. Dewata at 2020-08-24T19:49:38-05:00
Clean up CMSEngine.configureAutoShutdown()

- - - - -
b1135ba1 by Endi S. Dewata at 2020-08-24T20:59:12-05:00
Add CMSEngine.initSecurityDomain()

- - - - -
8371f813 by Endi S. Dewata at 2020-08-24T20:59:59-05:00
Add CMSEngine.configurePorts()

- - - - -
049aa69f by Endi S. Dewata at 2020-08-24T21:00:00-05:00
Add CMSEngine.initPlugins()

- - - - -
a8c1e749 by Endi S. Dewata at 2020-08-24T21:10:11-05:00
Add CMSEngine.initSecurityProvider()

- - - - -
790f90d9 by Endi S. Dewata at 2020-08-24T21:10:28-05:00
Add CMSEngine.initLogging()

- - - - -
ea4b82a6 by Endi S. Dewata at 2020-08-26T09:29:12-05:00
Remove unused ICertificateAuthority.PROP_CA_CHAIN_NUM

- - - - -
c2ede922 by Endi S. Dewata at 2020-08-26T09:29:13-05:00
Add CertificateAuthority.getCertChain()

- - - - -
39ed2641 by Endi S. Dewata at 2020-08-26T09:29:14-05:00
Add CMSEngine.initDatabase()

- - - - -
be4512dc by Endi S. Dewata at 2020-08-26T09:53:30-05:00
Move CertificateAuthority.dbFactory to CAEngine

- - - - -
b23f5d2f by Endi S. Dewata at 2020-08-26T09:57:38-05:00
Move CertificateAuthority.authorityBaseDN() to CAEngine

- - - - -
380919dc by Endi S. Dewata at 2020-08-26T09:57:38-05:00
Move CertificateAuthority.entryUSNPluginEnabled() to CAEngine

- - - - -
07ad39b2 by Endi S. Dewata at 2020-08-26T11:33:12-05:00
Move authority update tracker to CAEngine

- - - - -
d9e31985 by Endi S. Dewata at 2020-08-26T11:33:16-05:00
Move CertificateAuthority.getCommitConstraints() to CAEngine

- - - - -
a0651daa by Endi S. Dewata at 2020-08-26T11:33:16-05:00
Move CertificateAuthority.postCommit() to CAEngine

- - - - -
2c08462c by Endi S. Dewata at 2020-08-26T12:14:16-05:00
Move CertificateAuthority.forgetAuthority() to CAEngine

- - - - -
287376e5 by Endi S. Dewata at 2020-08-26T12:14:16-05:00
Move authority deletion tracker to CAEngine

- - - - -
019cb15e by Endi S. Dewata at 2020-08-26T12:16:55-05:00
Move CertificateAuthority.addAuthorityEntry() to CAEngine

- - - - -
65ff5975 by Endi S. Dewata at 2020-08-26T12:16:56-05:00
Move CertificateAuthority.modifyAuthorityEntry() to CAEngine

- - - - -
731cc8fc by Endi S. Dewata at 2020-08-26T12:18:06-05:00
Move CertificateAuthority.deleteAuthorityEntry() to CAEngine

- - - - -
11e88c9c by Endi S. Dewata at 2020-08-26T12:18:08-05:00
Remove redundant CertificateAuthority.stopped

- - - - -
fd269bae by Endi S. Dewata at 2020-08-26T15:06:14-05:00
Updated acmeIdentifier for ACME orders and authorizations

Previously the identifiers for ACME order and authorization
records were stored as "acmeIdentifier;<type>=<value>" in DS,
which doesn't seem to be supported in OpenLDAP. To support
both LDAP servers, the identifiers are now stored as
"acmeIdentifier=<type>:<value>".

- - - - -
f5ad995c by Endi S. Dewata at 2020-08-26T15:06:14-05:00
Updated userCertificate for ACME certificates

Previously the certificate data for ACME certificates was stored
as "userCertificate=<data>" in DS, which doesn't seem to work in
OpenLDAP. To support both LDAP servers, the certificate data is
now stored as "userCertificate;binary=<data>".

- - - - -
483229ce by Endi S. Dewata at 2020-08-26T15:06:14-05:00
Added OpenLDAP database for ACME

A new OpenLDAPDatabase class has been added to provide an ACME
database in OpenLDAP. The class is currently identical to the
existing LDAPDatabase class, but it's provided for implementing
OpenLDAP-specific code in the future.

A new schema file, a sample initialization file, and a sample
configuration file for OpenLDAP have been added.

The pki-server acme-database-* commands have also been
modified to support an "openldap" type.

The ACME database documentation has been updated as well.

- - - - -
ae5e4d5c by Endi S. Dewata at 2020-08-26T15:06:14-05:00
Added DS database for ACME

The LDAP database for ACME has been copied into new DS
database to distinguish it from OpenLDAP database. Once
IPA is updated to use the DS database, the LDAP database
will be dropped.

- - - - -
d30700d3 by Dinesh Prasanth M K at 2020-08-26T16:34:16-04:00
Run QE tests on upstream CI pipeline on Vagrant

Provision 2 Vagrant VMs inside Macintosh (only Mac is supported in
GH actions):

controller:
  VM used to run the ansible playbook. The playbook is provisioned
  using Vagrant's inbuilt provisioners
master:
  VM acts as the PKI master node. topology-02 (discrete instance) is
  used to configure this node.

Note1: Static inventory file is used. This is because the playbook
is being executed from the guest VM (controller) and autogenerated
hostfile is unreliable.

Note2: When creating vagrant VMs, provisioning is suspended. This is
to resolve the dependency between master and controller (i.e. the latest built
packages need to be installed in master first before controller tries
to execute playbooks).

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
6e9d5f9e by Shalini Khandelwal at 2020-08-26T16:34:16-04:00
Added changes in installation test playbooks to wait for other instances to come up.

Signed-off-by: Shalini Khandelwal <skhandel at redhat.com>

- - - - -
32c4a406 by Dinesh Prasanth M K at 2020-08-26T16:34:16-04:00
Fix memory for the Vagrant VMs

The vagrant VM memory config was incorrect. This patch fixes the
error. The controller now gets assigned 930MB of RAM and the
master gets around 2750MB of RAM.

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
0d97d015 by Dinesh Prasanth M K at 2020-08-26T16:34:16-04:00
Fix script file to grep from binary files

The tkstool outputs some binary characters. As a result, grep
thinks it is reading a binary file. This patch adds a grep
option to process the file containing binary characters as a
text file.

Ref: https://unix.stackexchange.com/q/335716/320815

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
807bf690 by Endi S. Dewata at 2020-08-26T16:57:03-05:00
Fixed acmeServerCert profile

The acmeServerCert profile has been modified to remove
hard-coded URLs since they point to non-existent services
which might cause certificate validation issue.

An upgrade script has been added to fix the profile
configuration file if the profile has not been customized
by the admin.

https://bugzilla.redhat.com/show_bug.cgi?id=1868233

- - - - -
62d5799b by Endi S. Dewata at 2020-08-26T17:42:24-05:00
Move CertificateAuthority.lwcaLoaded to CAEngine

- - - - -
8d0f12a9 by Endi S. Dewata at 2020-08-26T17:42:24-05:00
Move CertificateAuthority.foundHostAuthority to CAEngine

- - - - -
b7755753 by Endi S. Dewata at 2020-08-26T17:42:24-05:00
Move CertificateAuthority.haveLightweightCAsContainer() to CAEngine

- - - - -
f23e55cb by Endi S. Dewata at 2020-08-26T17:42:24-05:00
Move CertificateAuthority.readAuthority() to CAEngine

- - - - -
bed231d5 by 06shalini at 2020-08-27T21:26:19+05:30
Updated pytest-ansible to latest package and added utils from pki integration-test module. (#535)

Signed-off-by: Shalini Khandelwal <skhandel at redhat.com>

Co-authored-by: Shalini Khandelwal <skhandel at redhat.com>

- - - - -
7abe19e5 by Endi S. Dewata at 2020-08-27T14:49:25-05:00
Fixed missing sslserver and subsystem certs

When installing an additional subsystem into an instance,
the deployment scriptlet has been modified to copy the
cert and request data for sslserver and subsystem certs
from the existing subsystem.

https://bugzilla.redhat.com/show_bug.cgi?id=1869893

- - - - -
7a5ade61 by Endi S. Dewata at 2020-08-27T16:33:41-05:00
Move CertificateAuthority.addHostAuthorityEntry() to CAEngine

- - - - -
15967493 by Endi S. Dewata at 2020-08-27T16:33:41-05:00
Cleaned up CA SigningUnit.init()

- - - - -
929a3c9f by Endi S. Dewata at 2020-08-27T16:33:41-05:00
Add CertificateAuthority.initOCSPSigningUnit()

- - - - -
204e6db1 by Endi S. Dewata at 2020-08-27T16:33:41-05:00
Add CertificateAuthority.initCRLSigningUnit()

- - - - -
bef964f8 by Endi S. Dewata at 2020-08-27T16:33:41-05:00
Clean up CertificateAuthority.initSigUnit()

- - - - -
04b900f3 by Endi S. Dewata at 2020-08-31T11:39:57-05:00
Add JAVA_VERSION for CMake

The RPM spec and CMake files have been modified to detect the
actual Java version used to build PKI and add the appropriate
libraries for that version.

- - - - -
abcfb633 by Endi S. Dewata at 2020-08-31T11:41:04-05:00
Clean up CAEngine.addKeyRetriever()

- - - - -
f553c6e0 by Endi S. Dewata at 2020-08-31T11:41:04-05:00
Add CertificateAuthority.generateSigningCert()

- - - - -
ab0c00cf by Endi S. Dewata at 2020-08-31T11:41:04-05:00
Move CertificateAuthority.createSubCA() to CAEngine

- - - - -
71b59059 by Endi S. Dewata at 2020-08-31T11:41:04-05:00
Add CAEngine.updateAuthoritySerialNumber()

- - - - -
2fdd6657 by Endi S. Dewata at 2020-08-31T11:41:04-05:00
Move CertificateAuthority.modifyAuthority() to CAEngine

- - - - -
331327dd by Endi S. Dewata at 2020-08-31T11:41:04-05:00
Move CertificateAuthority.addInstanceToAuthorityKeyHosts() to CAEngine

- - - - -
9ceb9f58 by Endi S. Dewata at 2020-08-31T11:44:45-05:00
Remove DBSubsystemDefaultStub

- - - - -
9e4833fc by Endi S. Dewata at 2020-08-31T11:44:45-05:00
Remove ICryptoSubsystem

- - - - -
ce768ec2 by Endi S. Dewata at 2020-08-31T12:26:52-05:00
Remove IDBSubsystem

- - - - -
641accda by Endi S. Dewata at 2020-08-31T12:26:52-05:00
Move ReasonToRevoke to pki-ca

- - - - -
ce2829c3 by Endi S. Dewata at 2020-08-31T12:26:52-05:00
Update log messages in CertificateAuthority

- - - - -
e117f897 by Endi S. Dewata at 2020-08-31T13:02:32-05:00
Added upgrade script to fix missing cert/request data

An upgrade script has been added to fix the missing sslserver
and subsystem cert/request data by copying it from another
subsystem.

https://bugzilla.redhat.com/show_bug.cgi?id=1869893

- - - - -
9bb247e6 by Endi S. Dewata at 2020-08-31T16:18:24-05:00
Update CMSEngine.init()

- - - - -
2c67dcfc by Endi S. Dewata at 2020-08-31T16:18:24-05:00
Update CMSEngine.autoShutdown()

- - - - -
a8bceb9d by Endi S. Dewata at 2020-08-31T16:18:24-05:00
Rename CMSEngine.initPlugins()

- - - - -
06c2d448 by Endi S. Dewata at 2020-08-31T16:18:24-05:00
Add CAEngine.initLogSubsystem()

- - - - -
19f4e692 by Endi S. Dewata at 2020-08-31T16:18:24-05:00
Add CAEngine.initJssSubsystem()

- - - - -
315b0264 by Endi S. Dewata at 2020-08-31T16:19:03-05:00
Add CAEngine.initDBSubsystem()

- - - - -
5916a9e8 by Endi S. Dewata at 2020-08-31T16:19:03-05:00
Add CAEngine.initUGSubsystem()

- - - - -
3b8037f9 by Endi S. Dewata at 2020-08-31T20:08:45-05:00
Add CMSEngine.initOIDLoaderSubsystem()

- - - - -
b1904853 by Endi S. Dewata at 2020-08-31T20:08:50-05:00
Add CMSEngine.initX500NameSubsystem()

- - - - -
d35abfff by Endi S. Dewata at 2020-08-31T21:07:46-05:00
Add CMSEngine.initRequestSubsystem()

- - - - -
ee57957f by Endi S. Dewata at 2020-08-31T21:41:07-05:00
Replaced IJobsScheduler with JobsScheduler

- - - - -
e0b24963 by Endi S. Dewata at 2020-08-31T21:54:07-05:00
Add CMSEngine.initJobsScheduler()

- - - - -
a21d480d by Endi S. Dewata at 2020-09-01T11:17:15-05:00
Replaced IAuthzSubsystem with AuthzSubsystem

- - - - -
bdea2888 by Endi S. Dewata at 2020-09-01T11:26:34-05:00
Add CMSEngine.initAuthzSubsystem()

- - - - -
0775bb60 by Endi S. Dewata at 2020-09-01T11:45:28-05:00
Replaced IAuthSubsystem with AuthSubsystem

- - - - -
ed142dd4 by Endi S. Dewata at 2020-09-01T11:52:49-05:00
Add CMSEngine.initAuthSubsystem()

- - - - -
d0922215 by Endi S. Dewata at 2020-09-01T12:32:52-05:00
Move CertificateAuthority.mCertRepot to CAEngine

- - - - -
33b7abec by Endi S. Dewata at 2020-09-01T12:32:52-05:00
Move CertificateAuthority.mCRLRepot to CAEngine

- - - - -
e65d55da by Endi S. Dewata at 2020-09-01T12:32:52-05:00
Move CertificateAuthority.mReplicaRepot to CAEngine

- - - - -
97038b51 by Endi S. Dewata at 2020-09-01T20:22:01-05:00
Update CMSEngine.loadSubsystems()

- - - - -
244557a4 by Endi S. Dewata at 2020-09-01T20:22:01-05:00
Update CMSEngine.initSubsystems()

- - - - -
6f634c5c by Endi S. Dewata at 2020-09-01T20:22:01-05:00
Update CMSEngine.startupSubsystems()

- - - - -
05e63a84 by Endi S. Dewata at 2020-09-01T20:22:02-05:00
Update CMSEngine.shutdownSubsystems()

- - - - -
e14fa10f by Endi S. Dewata at 2020-09-01T20:22:02-05:00
Remove unused SubsystemInfo constructor

- - - - -
d968173e by Endi S. Dewata at 2020-09-01T20:22:02-05:00
Remove unused subsystem lists in CMSEngine

- - - - -
a1c326d1 by Dinesh Prasanth M K at 2020-09-02T10:12:44-07:00
CI: Use NFS instead of virtualbox guest

VBGuest addition to a VM requires a rebuild of plugins, causing
a whole lot of packages to be installed. This patch removes the
dependency on VBGuest and uses NFS to sync the folders between
guest and host.

Note that since we plan to add more tests, we are cutting out
F31 from this patch, i.e. we will be running our tests on the latest
stable Fedora release.

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
cc6f657e by Endi S. Dewata at 2020-09-02T21:45:52-05:00
Move CertificateAuthority.mPolicy to CAEngine

- - - - -
6465213b by Endi S. Dewata at 2020-09-02T21:45:52-05:00
Move CertificateAuthority.mService to CAEngine

- - - - -
b077273c by Endi S. Dewata at 2020-09-02T21:45:52-05:00
Move CertificateAuthority.mNotify to CAEngine

- - - - -
44eb7eab by Endi S. Dewata at 2020-09-02T21:45:52-05:00
Move CertificateAuthority.mPNotify to CAEngine

- - - - -
59c5f50d by Endi S. Dewata at 2020-09-02T21:45:52-05:00
Move CertificateAuthority.mRequestQueue to CAEngine

- - - - -
8f4b229d by Endi S. Dewata at 2020-09-03T09:15:21-05:00
Move SystemConfigService.processKeyPair() to Configurator

- - - - -
816866b9 by Endi S. Dewata at 2020-09-03T18:02:07-05:00
Add Configurator.loadCert()

- - - - -
b799ba29 by Endi S. Dewata at 2020-09-03T18:02:50-05:00
Add Configurator.generateCert()

- - - - -
05dbb9f0 by Endi S. Dewata at 2020-09-03T18:03:20-05:00
Move SystemConfigService.processCert() to Configurator

- - - - -
ba5f1b2e by Endi S. Dewata at 2020-09-03T18:03:21-05:00
Add Configurator.setupCert()

- - - - -
c1f61a2e by Endi S. Dewata at 2020-09-04T09:11:59-05:00
Move CertificateAuthority.mDefaultCertVersion to CAEngine

- - - - -
4349c907 by Endi S. Dewata at 2020-09-04T09:11:59-05:00
Move CertificateAuthority.mDefaultValidity to CAEngine

- - - - -
7de9663e by Endi S. Dewata at 2020-09-04T09:12:51-05:00
Move CertificateAuthority.mEnablePastCATime to CAEngine

- - - - -
993f6345 by Endi S. Dewata at 2020-09-04T09:12:51-05:00
Move CertificateAuthority.mEnableOCSP to CAEngine

- - - - -
a43300fb by Endi S. Dewata at 2020-09-04T09:14:03-05:00
Move CertificateAuthority.mFastSigning to CAEngine

- - - - -
c9981d42 by Endi S. Dewata at 2020-09-04T12:52:12-05:00
Move CertificateAuthority.mUseNonces to CAEngine

- - - - -
3653533a by Endi S. Dewata at 2020-09-04T12:53:01-05:00
Move CertificateAuthority.mMaxNonces to CAEngine

- - - - -
d113c2f0 by Dinesh Prasanth M K at 2020-09-04T12:20:16-07:00
CI: Run healthcheck in CI pipeline

This patch executes both PKI healthcheck and IPA healthcheck
tools in corresponding CI jobs.

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
c2f6b3b7 by Endi S. Dewata at 2020-09-04T14:32:43-05:00
Move CA services startup to CAEngine.initSubsystems()

- - - - -
f443dfa1 by Endi S. Dewata at 2020-09-04T14:32:43-05:00
Move CertificateAuthority.mListenerPlugins to CAEngine

- - - - -
308668fb by Endi S. Dewata at 2020-09-04T14:32:43-05:00
Move CertificateAuthority.mByName to CAEngine

- - - - -
67579184 by Endi S. Dewata at 2020-09-04T14:32:43-05:00
Move CertificateAuthority.mCRLPublisher to CAEngine

- - - - -
46ef5dc5 by Endi S. Dewata at 2020-09-04T14:34:36-05:00
Move KeyRetriever checks to CAEngine.startKeyRetriever()

- - - - -
e9e1ad28 by Endi S. Dewata at 2020-09-04T14:34:41-05:00
Move KeyRetriever creation to CAEngine.startKeyRetriever()

- - - - -
9410e743 by Endi S. Dewata at 2020-09-04T14:34:41-05:00
Move CertificateAuthority.mPublisherProcessor to CAEngine

- - - - -
9ba9d601 by jmagne at 2020-09-04T17:05:41-07:00
Address Bug 1787115 - [RFE] Need Method to copy SKI from CSR to Certificate signed. (#511)

This fix allows a way to configure a profile's SubjectKeyIdentifier process to optionally pick up
a SKI extension from the incoming CSR and use it instead of the one that is self calculated by the server.

Here is a profile snippet for the SKI as an example:

policyset.caCertSet.8.default.name=Subject Key Identifier Extension Default
policyset.caCertSet.8.default.params.critical=false
policyset.caCertSet.8.default.params.messageDigest=SHA-1
policyset.caCertSet.8.default.params.useSKIFromCertRequest=true

Note the new param: useSKIFromCertRequest=true
This new param will default to false, thus not disturbing existing functionality.

When set to true, the CA will attempt to use the SKI extension within the CSR instead
of creating a new one unconditionally.

If the new param is false or not present, the original functionality will execute.

If for some reason the ext can't be found in the CSR, the existing functionality will execute
as well.

Here is a simple CA Server CSR with a custom SKI to test with:

If the CSR doesn't have the extension while the param is set, the SKI will
be calculated as usual.

Co-authored-by: Jack Magne <jmagne at localhost.localdomain>

- - - - -
e67dc554 by Endi S. Dewata at 2020-09-04T22:40:00-05:00
Move CertificateAuthority.mCRLIssuePoints to CAEngine

- - - - -
8ca544d8 by Endi S. Dewata at 2020-09-04T22:40:00-05:00
Move CertificateAuthority.mMasterCRLIssuePoint into CAEngine

- - - - -
bd196146 by Endi S. Dewata at 2020-09-04T22:40:00-05:00
Move CertificateAuthority.mIssuanceProtCert to CAEngine

- - - - -
405c1283 by Endi S. Dewata at 2020-09-04T22:40:00-05:00
Move CertificateAuthority.authorityMonitor to CAEngine

- - - - -
4a3ade75 by Endi S. Dewata at 2020-09-08T18:09:26-05:00
Move CertificateAuthority.mCertIssuedListener to CAEngine

- - - - -
be899c7b by Endi S. Dewata at 2020-09-08T18:09:28-05:00
Move CertificateAuthority.mCertRevokedListener to CAEngine

- - - - -
dcc83f7c by Endi S. Dewata at 2020-09-08T18:09:29-05:00
Move CertificateAuthority.mReqInQListener to CAEngine

- - - - -
296c4bff by Endi S. Dewata at 2020-09-08T18:09:30-05:00
Clean up CertificateAuthority.startup()

- - - - -
2222ba4b by Endi S. Dewata at 2020-09-08T18:09:31-05:00
Refactored CertificateAuthority constructor

- - - - -
95883203 by Endi S. Dewata at 2020-09-08T18:09:33-05:00
Refactored CertificateAuthority.hostCA

- - - - -
4cbb18d1 by Endi S. Dewata at 2020-09-08T18:09:34-05:00
Add CAEngine.getConnectionFactory()

- - - - -
6e553f66 by Endi S. Dewata at 2020-09-08T19:44:39-05:00
Clean up SelfTestSubsystem initialization

- - - - -
149630e0 by Endi S. Dewata at 2020-09-08T19:49:31-05:00
Clean up CertificateAuthority initialization

- - - - -
75a713d9 by Endi S. Dewata at 2020-09-08T19:49:31-05:00
Clean up CrossCertPairSubsystem initialization

- - - - -
37bb71ba by Endi S. Dewata at 2020-09-08T19:49:31-05:00
Clean up KeyRecoveryAuthority initialization

- - - - -
853b910d by Endi S. Dewata at 2020-09-08T19:49:31-05:00
Clean up OCSPAuthority initialization

- - - - -
eac41bd9 by Endi S. Dewata at 2020-09-08T19:49:31-05:00
Clean up TKSAuthority initialization

- - - - -
e6531d9b by Christina Fu at 2020-09-10T15:40:45-07:00
Bug1875563-Add KRA Transport and Storage Certificates profiles for IPA

This patch adds two profiles for IPA, namely
 caIPAKraTransportCert
 caIPAKraStorageCert

Both are consistent with the existing profile caIPAserviceCert where
  visible=false
  auth.instance_id=raCertAuth
    raCertAuth is an instance of AgentCertAuth with
    agentGroup=Registration Manager Agents

Upgrade scripts are provided to handle upgrades as well.

fixes https://bugzilla.redhat.com/show_bug.cgi?id=1875563

- - - - -
421bf4c0 by Alexander Scheel at 2020-09-11T13:04:36-04:00
Update javax-activation paths for Debian

As reported by Timo on IRC.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
41c732a4 by Alexander Scheel at 2020-09-11T13:04:36-04:00
Migrate JAVA_HOME in instance configuration

When we upgrade from F32 to F33, we need to be able to upgrade JAVA_HOME
to set it to the new value. This value will also change on F32 (from a
JDK8-specific path to a generic path). This requires migration to happen
on subsystem start.

This means that the recommended way to configure JAVA_HOME to a value
OTHER than what's shipped in /usr/.../pki.conf becomes to set it in
/etc/.../pki.conf, and means that /etc/sysconfig/tomcat.conf gets
rewritten each time.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
2a70b3f0 by Alexander Scheel at 2020-09-11T13:04:36-04:00
Enforce JDK 8 source and bytecode everywhere

This will ensure that, as F33 and later releases happen, we'll continue
developing code compatible with RHEL 8 and F32.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
d367fd75 by Alexander Scheel at 2020-09-11T13:04:36-04:00
Keep JAVA_HOME in tomcat.conf

Despite the name tomcat.conf, this is also the main configuration file
loaded by instances. Instances (especially pkispawn) expect config to be
only the Tomcat configuration, despite loading configuration from the
environment as well. Eventually, we should migrate all of this to use
the global configuration rather than the per-instance configuration.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
c200594f by Endi S. Dewata at 2020-09-11T12:16:30-05:00
Move Configurator.setupReplication() to SubsystemDBInitCLI

- - - - -
4abfdc77 by Endi S. Dewata at 2020-09-11T12:16:30-05:00
Clean up log messages in LDAPConfigurator

- - - - -
137815a5 by Endi S. Dewata at 2020-09-11T12:16:30-05:00
Remove unused SystemConfigResource.setupClone()

- - - - -
1da816ca by Endi S. Dewata at 2020-09-11T12:16:30-05:00
Remove unused CloneSetupRequest

- - - - -
206df0a6 by Dinesh Prasanth M K at 2020-09-11T17:35:52-07:00
Add CONTRIBUTING doc

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
7c2f595d by 06shalini at 2020-09-14T19:55:46+05:30
Merging tier1 functional tests jobs to master (#553)

* Updated pytest-ansible to latest package and added utils from pki integration-test module.

Signed-off-by: Shalini Khandelwal <skhandel at redhat.com>

* Sync downstream test code with upstream for all tier1 jobs

Signed-off-by: Shalini Khandelwal <skhandel at redhat.com>

* Test checkin to run pipeline

Signed-off-by: Shalini Khandelwal <skhandel at redhat.com>

* Fixed external-ca and ldaps test jobs

Signed-off-by: Shalini Khandelwal <skhandel at redhat.com>

Co-authored-by: Shalini Khandelwal <skhandel at redhat.com>

- - - - -
3bccc93e by Endi S. Dewata at 2020-09-14T11:15:13-05:00
Refactor LDAPConfigStore

The LDAPConfigStore has been modified to use an LDAPConnection
instead of an ILdapConnFactory.

- - - - -
83931e93 by Endi S. Dewata at 2020-09-14T11:15:13-05:00
Move CAConfigurator.importProfiles() into CAProfileImportCLI

- - - - -
f1b8e6b8 by Endi S. Dewata at 2020-09-14T11:15:13-05:00
Add pki-server ca-profile-import

- - - - -
c14511a8 by Endi S. Dewata at 2020-09-14T11:15:13-05:00
Remove unused SystemConfigResource.setupDatabase()

- - - - -
fbccd2ad by Endi S. Dewata at 2020-09-14T11:15:13-05:00
Remove unused DatabaseSetupRequest

- - - - -
1623b441 by Endi S. Dewata at 2020-09-14T11:17:59-05:00
Clean up PKIDeployer.setup_cert()

- - - - -
3c23c840 by Endi S. Dewata at 2020-09-14T11:34:44-05:00
Refactor Configurator.createAdminCertificate() (part 1)

The code that imports the admin cert has been moved out of
Configurator.createAdminCertificate(). The code that uses
the CA to generate the admin certificate has been moved into
CAConfigurator.

- - - - -
26da2448 by Endi S. Dewata at 2020-09-14T11:50:51-05:00
Refactor Configurator.createAdminCertificate() (part 2)

The Configurator.createAdminCertificate() that uses the CA
to create the admin cert has been moved into CAConfigurator.

- - - - -
e87fa82a by Dinesh Prasanth M K at 2020-09-14T18:42:31-07:00
Fix syntax error in performance testing script

A missing parenthesis causes an error while trying to execute the performance
test.

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
41ba09a5 by Endi S. Dewata at 2020-09-14T21:24:10-05:00
Move UpdateCRL to pki-ca

- - - - -
186adaf5 by Endi S. Dewata at 2020-09-14T21:24:10-05:00
Move Configurator.createPKCS7()

- - - - -
e7a997ec by Endi S. Dewata at 2020-09-14T21:24:10-05:00
Refactor Configurator.loadCert()

The code that creates the cert and request records for
existing certs in Configurator.loadCert() has been moved
into CAConfigurator.

- - - - -
75c7a913 by Endi S. Dewata at 2020-09-14T21:24:10-05:00
Refactor Configurator.configCert()

The Configurator.configCert() has been renamed to generateCert()
and modified to store the cert data in the Cert object instead
of returning an X509CertImpl object.

- - - - -
c75022b4 by Endi S. Dewata at 2020-09-14T21:24:10-05:00
Remove unused Cert.mDN

- - - - -
a470a898 by Endi S. Dewata at 2020-09-14T21:24:10-05:00
Refactor Configurator.configRemoteCert()

The Configurator.configRemoteCert() has been modified to
take a binary instead of Base64-encoded request data.

- - - - -
795008bd by Endi S. Dewata at 2020-09-14T21:24:10-05:00
Move CertUtils.buildSANSSLserverURLExtension() to Configurator

- - - - -
99e20c8a by Endi S. Dewata at 2020-09-14T21:24:10-05:00
Add Configurator.generateLocalCert()

- - - - -
d46659ba by Endi S. Dewata at 2020-09-14T21:24:10-05:00
Add Configurator.generateRemoteCert()

- - - - -
b2e62dc4 by Endi S. Dewata at 2020-09-14T21:33:44-05:00
Refactor Configurator.generateCertAndRequest()

The Configurator.generateCertAndRequest() has been replaced
with direct calls to generateCertRequest() and generateCert().

- - - - -
5f061a2d by Endi S. Dewata at 2020-09-14T21:33:44-05:00
Refactor Configurator.generateCert()

The code that generates the certs for CA and the
SSL server cert for CA clone has been moved into
CAConfigurator.generateCert().

- - - - -
83f4259e by Endi S. Dewata at 2020-09-14T21:33:44-05:00
Move Configurator.generateLocalCert()

- - - - -
43df3931 by Endi S. Dewata at 2020-09-14T21:33:44-05:00
Move Configurator.createRequest()

- - - - -
40bd8274 by Endi S. Dewata at 2020-09-14T21:34:21-05:00
Update log messages in CertificateAuthority

- - - - -
02c0a0c2 by Endi S. Dewata at 2020-09-14T21:34:24-05:00
Update log messages in CAEngine

- - - - -
127a233d by Dinesh Prasanth M K at 2020-09-15T16:15:42-07:00
Update README.md with instructions

Our README.md currently has very low-level technical info
which might not serve its use for a beginner. The README
should act as a good cover page for the project to attract
more contributors and users and provide minimal yet useful
information for new users.

This patch updates the existing README.md file with such
minimal, yet useful information.

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
a85d998c by Endi S. Dewata at 2020-09-16T13:27:28-05:00
Updated ACME docs

- - - - -
f35d270b by Alexander Scheel at 2020-09-17T11:01:51-04:00
Add dependencies in Java11-specific libraries

This ensures lib/ gets created prior to any Java11-specific symlinks.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
54de035b by Alexander Scheel at 2020-09-17T11:01:51-04:00
Make PKI_JAVA_PATH respect PKI_JAVA_PATH

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
8c6af8d9 by Alexander Scheel at 2020-09-17T11:01:51-04:00
Fix %{java_version} -> ${java_version}

Because java_version isn't a RPM spec file attribute (and is instead an
inline shell variable), we have to use $ instead of % to reference it.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
6f0da7ca by Alexander Scheel at 2020-09-17T12:06:55-04:00
Add Fedora 33 image, switch to r.fp.o

registry.fedoraproject.org (r.fp.o) has more up-to-date Fedora images
than Dockerhub does. This is because Dockerhub is external infra with
a review process, whereas registry.fedoraproject.org is directly
controlled by the Fedora Project, so images can be pushed directly.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
782f9df4 by Alexander Scheel at 2020-09-17T12:06:55-04:00
Fix variable names for flake8 on python3.9

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
fca78037 by Alexander Scheel at 2020-09-17T12:06:55-04:00
Disable W0707 warning due to output

Consider explicitly re-raising using the 'from' keyword

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
91fb4a88 by Alexander Scheel at 2020-09-17T15:31:42-04:00
Migrate from commons-lang2 -> commons-lang3

Note that this is blocked on lang3 >= 3.10 landing in Fedora 31.

Credits: Fabio "decathorpe" Valentini

Related: https://pagure.io/dogtagpki/issue/3205

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
64c17e27 by Alexander Scheel at 2020-09-17T15:31:42-04:00
Work with older Apache Commons Lang3

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
d9491b46 by Endi S. Dewata at 2020-09-17T18:15:49-05:00
Add package.json for NPM

The package.json has been added in order to import files
distributed via NPM (e.g. PatternFly, jQuery).

- - - - -
b9a832a2 by Endi S. Dewata at 2020-09-17T18:15:49-05:00
Add PatternFly 4.35.2 for ACME

Some PatternFly files have been imported for ACME.
A tool has been added to simplify updating the files
in the future.

- - - - -
960cf8a0 by Endi S. Dewata at 2020-09-17T18:15:49-05:00
Add jQuery 3.5.1 for ACME

A minimized jQuery file has been imported for ACME.
A tool has been provided to simplify updating the file
in the future.

- - - - -
88c7a1ab by Endi S. Dewata at 2020-09-17T18:15:49-05:00
Add ACME front page

A new index.jsp has been added for ACME webapp. The web.xml
has been modified to map only ACME URLs to ACME application.

- - - - -
a0bd61a2 by Endi S. Dewata at 2020-09-17T18:26:02-05:00
Fix NPE in TPSProcessor.mapCredFromMsgResponse()

The TPSAuthenticator has been modified to no longer store a
reference to the authentication manager during initialization.
Instead, it will get the authentication manager directly from
the AuthSubsystem when requested in getAuthManager().

The TPSProcessor.checkAndAuthenticateUser() has also been
modified to chain the original exception to provide the complete
stack trace.

- - - - -
4c3ddb0c by Endi S. Dewata at 2020-09-21T09:47:21-05:00
Remove unused Profile.mOwner

- - - - -
d3802641 by Endi S. Dewata at 2020-09-21T09:51:09-05:00
Rename IProfileAuthenticator to ProfileAuthenticator

- - - - -
2ed60233 by Endi S. Dewata at 2020-09-21T09:51:10-05:00
Rename IAuthManager to AuthManager

- - - - -
c7fa6617 by Endi S. Dewata at 2020-09-21T09:51:10-05:00
Rename ICertUserLocator to CertUserLocator

- - - - -
0bcca28a by Endi S. Dewata at 2020-09-21T09:51:11-05:00
Move CertUserLocator to pki-server

- - - - -
8ef461d0 by Endi S. Dewata at 2020-09-21T09:51:13-05:00
Move CMCSharedTokenSubjectNameConstraint to pki-ca

- - - - -
6db61a9b by Endi S. Dewata at 2020-09-21T10:46:01-05:00
Merge ILdapConnInfo into LdapConnInfo

- - - - -
679c0990 by Endi S. Dewata at 2020-09-21T10:46:01-05:00
Merge ILdapAuthInfo into LdapAuthInfo

- - - - -
fe9fff13 by Endi S. Dewata at 2020-09-21T10:46:01-05:00
Clean up LdapConnInfo

- - - - -
c0309750 by Endi S. Dewata at 2020-09-21T10:46:01-05:00
Clean up LdapAuthInfo

- - - - -
5a5349c0 by Endi S. Dewata at 2020-09-21T10:46:01-05:00
Remove unused ISubsystem from Profile.init()

- - - - -
78671846 by Endi S. Dewata at 2020-09-21T10:46:01-05:00
Move BaseSubsystem into pki-server

- - - - -
1eba66ed by Dinesh Prasanth M K at 2020-09-21T10:46:48-07:00
Enable COPR_REPO to fix QE tests in CI

Note the use of delimiter ~ instead of / since the copr
name consists of / and @ characters.

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
c8470c3d by Endi S. Dewata at 2020-09-21T14:13:28-05:00
Add LDAPConnectionConfig getters

- - - - -
e1785072 by Endi S. Dewata at 2020-09-21T14:13:28-05:00
Add PKISocketConfig

- - - - -
083c1814 by Endi S. Dewata at 2020-09-21T14:13:28-05:00
Clean up NPM tools

- - - - -
495e768f by Endi S. Dewata at 2020-09-21T14:13:28-05:00
Clean up Client.createProxy()

- - - - -
14caa1fe by Endi S. Dewata at 2020-09-21T14:13:28-05:00
Add Client.get() and post()

- - - - -
aefb34f8 by Endi S. Dewata at 2020-09-21T16:40:29-05:00
Replace PKIConnection.resteasyClient with client

- - - - -
f8747a8a by Endi S. Dewata at 2020-09-21T16:41:20-05:00
Add PKIConnection.target()

- - - - -
43d111d4 by Endi S. Dewata at 2020-09-21T16:41:27-05:00
Add PKIClient.setOutput()

- - - - -
1de3e235 by Endi S. Dewata at 2020-09-21T16:48:47-05:00
Merge PKIConnection.get() and post() to PKIClient

- - - - -
807f0568 by Endi S. Dewata at 2020-09-21T17:30:50-05:00
Merge PKIConnection.createProxy() into PKIClient

- - - - -
1354de3d by Endi S. Dewata at 2020-09-21T17:31:33-05:00
Rename AccountInfo to Account

- - - - -
9fd77d22 by Endi S. Dewata at 2020-09-21T18:53:20-05:00
Add JSON parser for Account class

- - - - -
cd878aba by Endi S. Dewata at 2020-09-21T19:20:38-05:00
Merge PKIConnection.getEntity() into PKIClient

- - - - -
00d2015f by Endi S. Dewata at 2020-09-21T21:36:47-05:00
Add response type to PKIClient.get() and post()

- - - - -
85a88309 by Endi S. Dewata at 2020-09-21T21:36:47-05:00
Add response type to Client.get() and post()

- - - - -
f7515402 by Endi S. Dewata at 2020-09-21T21:39:50-05:00
Update AccountClient

The AccountClient has been modified to use get() instead
of AccountResource.

- - - - -
f5864246 by Endi S. Dewata at 2020-09-21T21:40:08-05:00
Merge AccountResource into AccountService

- - - - -
e680746a by Endi S. Dewata at 2020-09-22T08:51:08-05:00
Clean up JSON mapping in ResourceMessage

- - - - -
8b5eb770 by Endi S. Dewata at 2020-09-22T08:51:09-05:00
Move ACME.randomAlphanumeric() into ACMEEngine

- - - - -
2797b6bf by Endi S. Dewata at 2020-09-22T09:11:46-05:00
Add ACMEEngine.setEnabled()

- - - - -
29b191e6 by Endi S. Dewata at 2020-09-22T18:24:32-05:00
Fix typos in ACME docs

- - - - -
e37ac813 by Alexander Scheel at 2020-09-23T05:46:19-04:00
Remove SSL configuration; rely on crypto-policies

When TLSv1.3 support landed in Fedora and RHEL, crypto-policies enabled
it everywhere including in FIPS mode. However, because we bounded the
range above by TLSv1.2, we wouldn't negotiate TLSv1.3 when communicating
with CA instances. crypto-policies should be the single source of truth
for these values, and we shouldn't limit ourselves artificially.
Instead, users should change crypto-policies to the correct policy for
their needs.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
8400f54a by Alexander Scheel at 2020-09-23T05:46:19-04:00
Align server.xml with crypto-policies

We shouldn't set custom ciphers in server.xml as they'll override the
default NSS values. These values already align with crypto-policies, and
these legacy configuration options result in global values which apply
to all parts (client and server) of the PKI configuration. Instead,
server-specific values should be chosen by using standard Tomcat
parameters:

https://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support

These are:

 protocols="<values>"
 ciphers="<values>"

See the tomcat documentation for more information.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
b21ac386 by Alexander Scheel at 2020-09-23T05:46:19-04:00
Remove unused SSLVersionRange code

This code shouldn't be used as it affects global NSS configuration; we
should leave these at the default values and only change individual
SSL-backed PRFileDesc instances instead.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
3dec5afa by Alexander Scheel at 2020-09-23T05:46:19-04:00
Enable PHA in legacy SSLSocket

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
0615fb89 by Alexander Scheel at 2020-09-23T05:46:19-04:00
Add migration script to remove legacy config

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
71d70af8 by Alexander Scheel at 2020-09-23T05:46:19-04:00
Bump JSS to reflect PHA dependency

This commit never made it to v10.9 branch, but it has the same
dependency. SSLSocket.enablePostHandshakeAuthDefault was added in JSS
v4.7.3, hence the JSS version bump.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
9bd1c6a0 by Endi S. Dewata at 2020-09-23T08:36:47-05:00
Fix PKI_JAVA_PATH

- - - - -
4a456082 by Endi S. Dewata at 2020-09-23T08:46:17-05:00
Remove duplicate ldapjdk.jar in ACME

- - - - -
96fd9e00 by Endi S. Dewata at 2020-09-23T08:57:18-05:00
Rename LDAPDatabase.basedn to baseDN

- - - - -
b578706d by Endi S. Dewata at 2020-09-23T18:27:02-05:00
Update links to project website

- - - - -
9fc36ca5 by Endi S. Dewata at 2020-09-24T12:52:32-05:00
Move ACME common classes to pki-certsrv

The ACME common classes have been moved into pki-certsrv
package since they will be needed by ACME clients.

- - - - -
9ec48ef9 by Endi S. Dewata at 2020-09-25T11:55:37-05:00
Update reqId in CertUtils.updateLocalRequest()

- - - - -
12bae613 by Endi S. Dewata at 2020-09-25T11:55:38-05:00
Clean up preop.cert.<tag>.reqId

- - - - -
fe9e75a8 by Endi S. Dewata at 2020-09-25T11:55:39-05:00
Move CertUtils.updateLocalRequest() to CAConfigurator

- - - - -
180bee97 by Endi S. Dewata at 2020-09-25T11:55:41-05:00
Merge Configurator.handleCert() into processCert()

- - - - -
4a5029e4 by Endi S. Dewata at 2020-09-25T11:55:42-05:00
Merge Configurator.importCert() into processCert()

- - - - -
a10ec92f by Endi S. Dewata at 2020-09-25T11:55:43-05:00
Move TKSKnownSessionKey to pki-tks

- - - - -
78faaf36 by Endi S. Dewata at 2020-09-25T11:55:44-05:00
Clean up log messages in PluginRegistry

- - - - -
c1ef9ce3 by Endi S. Dewata at 2020-09-25T14:04:23-05:00
Remove unused CertUtil.findCertificate()

- - - - -
06eecf76 by Endi S. Dewata at 2020-09-25T14:24:12-05:00
Replace CMSEngine with CAEngine in pki-ca

- - - - -
0ce630d0 by Endi S. Dewata at 2020-09-25T14:24:13-05:00
Replace CMSEngine with KRAEngine in pki-kra

- - - - -
7e380ea9 by Endi S. Dewata at 2020-09-25T14:24:14-05:00
Replace CMSEngine with OCSPEngine in pki-ocsp

- - - - -
a4d29a9b by Endi S. Dewata at 2020-09-25T14:24:15-05:00
Replace CMSEngine with TKSEngine in pki-tks

- - - - -
4a3b2729 by Endi S. Dewata at 2020-09-25T14:24:15-05:00
Replace CMSEngine with TPSEngine in pki-tps

- - - - -
a34ac929 by Endi S. Dewata at 2020-09-25T15:18:41-05:00
Replace EngineConfig with TKSEngineConfig in pki-tks

- - - - -
989cbe64 by Endi S. Dewata at 2020-09-25T15:18:42-05:00
Add setter/getter for tps.list

- - - - -
b8bb2e9d by Endi S. Dewata at 2020-09-25T15:18:43-05:00
Add TPSConnectorConfig

- - - - -
040b5657 by Endi S. Dewata at 2020-09-25T15:18:44-05:00
Add setters/getters for TPSConnectorConfig

- - - - -
06107852 by Endi S. Dewata at 2020-09-28T14:48:36-05:00
Update NPM package files

- - - - -
ddb37345 by Endi S. Dewata at 2020-09-28T20:52:08-05:00
Clean up SAN parameters handling

- - - - -
d6677b13 by Endi S. Dewata at 2020-09-28T20:52:08-05:00
Remove UGSubsystem.getCertUserLocator()

- - - - -
e51a3f40 by Endi S. Dewata at 2020-09-28T20:52:08-05:00
Remove unused User.mBase

- - - - -
ea6c1fc1 by Endi S. Dewata at 2020-09-28T20:52:08-05:00
Remove unused Group.mBase

- - - - -
10dc5005 by Endi S. Dewata at 2020-09-28T20:52:08-05:00
Remove unused IUsrGrp

- - - - -
c0f09c5e by Endi S. Dewata at 2020-09-28T20:52:08-05:00
Remove unused IIdEvaluator

- - - - -
3176ae6c by Dinesh Prasanth M K at 2020-09-29T13:24:05-04:00
Fix brackets in revocation performance test

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
3bf42402 by Endi S. Dewata at 2020-09-29T14:29:15-05:00
Add AppService

The AppService has been added to provide a list of subsystems
deployed on the instance. The list is generated by checking each
subfolder under <instance>/conf to see if it has a corresponding
deployed web application. The /pki/ui page has been modified to
use the AppService to provide links to all subsystems on the
instance.

- - - - -
4e10ad78 by Endi S. Dewata at 2020-09-29T15:39:34-05:00
Add ACMEManagedService

The ACMEManagedService annotation has been added to apply the
ACMERequestFilter to certain services only rather than the
entire ACME responder.

- - - - -
df7c5b23 by Endi S. Dewata at 2020-09-29T15:39:34-05:00
Add ACMERealm

The ACMERealm has been added to define the users and groups
allowed to access certain services in the ACME responder.

- - - - -
1d46b9cd by Endi S. Dewata at 2020-09-29T15:39:34-05:00
Add LDAPRealm and DSRealm for ACME

The DSRealm (which extends LDAPRealm) has been added to
define the ACME realm using users and groups in DS.

- - - - -
8fea902e by Endi S. Dewata at 2020-09-29T15:39:34-05:00
Add pki-server acme-realm-show/mod commands

The pki-server acme-realm-show/mod commands have been
added to display and configure the ACME realm.

- - - - -
10e38701 by Endi S. Dewata at 2020-09-29T15:39:34-05:00
Add ACMELoginService and ACMELogoutService

The ACMELoginService and ACMELogoutService have been added
to authenticate into the ACME responder.

- - - - -
361d1227 by Endi S. Dewata at 2020-09-29T15:39:34-05:00
Add ACMEEnableService and ACMEDisableService

The ACMEEnableService and ACMEDisableService have been
added to enable/disable services in the ACME responder.

- - - - -
69eaf22b by Endi S. Dewata at 2020-09-29T15:39:34-05:00
Add pki acme-info command

The pki acme-info command has been added to show
some information about the ACME responder.

- - - - -
65a3ea23 by Endi S. Dewata at 2020-09-29T15:39:34-05:00
Add pki acme-enable/disable commands

The pki acme-enable/disable commands have been added to
enable/disable services in the ACME responder.

- - - - -
3b5a26e6 by Endi S. Dewata at 2020-09-29T15:39:34-05:00
Update ACME docs

- - - - -
c863e587 by Endi S. Dewata at 2020-09-29T17:21:31-05:00
Move base/common/src to base/common/src/main/java

- - - - -
64caba59 by Endi S. Dewata at 2020-09-29T18:18:34-05:00
Move base/common/functional/src to base/common/src/test/java

- - - - -
1caad924 by Endi S. Dewata at 2020-09-29T19:01:49-05:00
Add UGSubsystemConfig

- - - - -
0acf647c by Endi S. Dewata at 2020-09-29T19:01:50-05:00
Clean up UGSubsystem.init()

- - - - -
823c8405 by Endi S. Dewata at 2020-09-29T19:01:51-05:00
Remove unused UGSubsystem.mId

- - - - -
8fe1284e by Endi S. Dewata at 2020-09-29T19:01:52-05:00
Remove unused UGSubsystem.getDescription()

- - - - -
c69f970c by Endi S. Dewata at 2020-09-29T19:01:53-05:00
Clean up log messages in UGSubsystem

- - - - -
3d41b645 by Alexander Scheel at 2020-09-30T09:19:15-04:00
Remove net-tools as dependency

As far as I can tell, this package isn't required by the new
pkispawn installer. As people are asking for it to be removed from
Fedora ELN, we should drop our dependency on it.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
4df4769e by Endi S. Dewata at 2020-09-30T10:56:27-05:00
Replace CMSEngine.getEEHost() with EngineConfig.getHostname()

- - - - -
b9567d0b by Endi S. Dewata at 2020-09-30T10:56:29-05:00
Replace CMSEngine.getEESSLHost() with EngineConfig.getHostname()

- - - - -
e2a49f66 by Endi S. Dewata at 2020-09-30T10:56:31-05:00
Replace CMSEngine.getEENonSSLHost() with EngineConfig.getHostname()

- - - - -
4e8443b8 by Endi S. Dewata at 2020-09-30T10:56:33-05:00
Replace CMSEngine.getAgentHost() with EngineConfig.getHostname()

- - - - -
ee755d9f by Endi S. Dewata at 2020-09-30T10:56:34-05:00
Remove unused CMSEngine.getAdminHost()

- - - - -
78ffb9c9 by Endi S. Dewata at 2020-09-30T10:56:35-05:00
Remove unused CMSEngine.hostname

- - - - -
a7ea9abf by jmagne at 2020-09-30T10:36:40-07:00
Resolve: Bug 1710978 - TPS - Add logging to tdbAddCertificatesForCUID if adding or searching for cert record fails (#560)

Submitted by RHCS-maint.

This fix provides better logging when the update to the token db suffers a partial or complete failure.

Due to the unlikeliness of this happening in practice, this fix provides a simple config based way to simulate
the issue, such that the log activity can be easily observed just as if it had happened during an actual failure.

Set the following in the TPS's CS.cfg:

op.enroll.testAddCertsToDBFailure=true

The setting is false by default.

Co-authored-by: Jack Magne <jmagne at localhost.localdomain>
- - - - -
49d9d4ad by jmagne at 2020-09-30T10:39:36-07:00
Resolve: Bug 1858860 - TPS - Update Error Codes returned to client (CIW/ESC) to Match CS8. (#565)

This is simply the addition of one very simple patch to the PIN reset procedure that provides
the proper error code back to the client in 2 very unlikely error scenarios.

RHCS-maint.
- - - - -
40d6412d by Endi S. Dewata at 2020-09-30T14:17:15-05:00
Move base/native-tools to base/tools

The base/native-tools folder has been renamed to base/tools.
The files in pki-tools package will be unchanged except that
the /usr/share/pki/native-tools/setpin.conf will now be in
/usr/share/pki/tools.

https://bugzilla.redhat.com/show_bug.cgi?id=1883996

- - - - -
782fc369 by Endi S. Dewata at 2020-09-30T15:43:46-05:00
Move base/acme/sbin to base/acme/bin

- - - - -
ddc2e6ba by Endi S. Dewata at 2020-09-30T15:43:46-05:00
Clean up pki.spec

- - - - -
97e415f0 by Endi S. Dewata at 2020-10-01T13:34:43-05:00
Clean up Instance.wait_for_startup()

- - - - -
e8df0e76 by Endi S. Dewata at 2020-10-01T13:34:43-05:00
Add PasswordStoreConfig

- - - - -
e93543cd by Endi S. Dewata at 2020-10-01T13:34:43-05:00
Add JssSubsystemConfig

- - - - -
d0e8b1af by Endi S. Dewata at 2020-10-01T13:34:43-05:00
Add JssSubsystemConfig.isEnabled()

- - - - -
a8499e4a by Endi S. Dewata at 2020-10-01T13:34:43-05:00
Add JssSubsystemConfig.getNSSDatabaseDir()

- - - - -
87ba1bf7 by Endi S. Dewata at 2020-10-01T13:34:43-05:00
Add JssSubsystemConfig.getObscureMethod()

- - - - -
e702a174 by Endi S. Dewata at 2020-10-01T13:34:43-05:00
Add JssSubsystemConfig.getCloseNSSDatabase()

- - - - -
e78e357c by Endi S. Dewata at 2020-10-01T13:47:37-05:00
Add RandomConfig

- - - - -
5433cc92 by Endi S. Dewata at 2020-10-01T13:47:39-05:00
Add SSLConfig

- - - - -
e6076319 by Endi S. Dewata at 2020-10-01T13:47:40-05:00
Add SSLConfig.getCipherPreferences()

- - - - -
2cc2d232 by Endi S. Dewata at 2020-10-01T13:47:42-05:00
Add SSLConfig.getECType()

- - - - -
2d89b873 by Endi S. Dewata at 2020-10-01T13:47:44-05:00
Clean up CAConfigurator.createLocalAdminCert()

The CAConfigurator.createLocalAdminCert() has been modified
to return the newly created certificate object so it's not
necessary to retrieve the certificate from the repository.

- - - - -
df755783 by Endi S. Dewata at 2020-10-01T13:47:45-05:00
Remove unused preop.admincert properties

- - - - -
67625856 by Endi S. Dewata at 2020-10-01T15:07:40-05:00
Move base/tools/src to base/tools/src/main/native

The native tools sources have been moved from base/tools/src
to base/tools/src/main/native to separate it from Java tools
sources.

https://bugzilla.redhat.com/show_bug.cgi?id=1883996

- - - - -
e4f73cef by Endi S. Dewata at 2020-10-01T15:54:21-05:00
Fix Java source paths

- - - - -
5e80fc0f by Alexander Scheel at 2020-10-05T12:47:40-04:00
Update links to bug trackers to point to GitHub

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
389d34a5 by Endi S. Dewata at 2020-10-05T12:28:14-05:00
Merge base/java-tools into base/tools

The Java tools sources have been moved from base/java-tools
to base/tools.

https://bugzilla.redhat.com/show_bug.cgi?id=1883996

- - - - -
8b9242ca by Alexander Scheel at 2020-10-05T14:40:08-04:00
Limit requiredSecret character set

This adds new parameters `charset` and `length` to
`generate_password(...)`, letting us limit the character set when
required without modifying PUNCTUATION, while also extending the
length of the generated password when required.

Resolves: #3342

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
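The commit above limits the character set of the generated requiredSecret. The block below is an added example, not the project's generate_password(): it shows one way to draw a secret from a caller-supplied charset and length with the secrets module while still guaranteeing that every character class the charset permits actually appears. The default PUNCTUATION string and the 12-character minimum are assumptions made for the example, not values taken from the project.

```python
"""Generate a shared secret from a restricted character set (added example)."""
import secrets
import string

LETTERS, DIGITS = string.ascii_letters, string.digits
# Constructed default set for the example; the project's own set is not shown here.
PUNCTUATION = "!#$%^&*()_+-=[]{}|;:,.<>?"


def generate_password(charset=LETTERS + DIGITS + PUNCTUATION, length=32):
    """Return a password of `length` chars drawn uniformly from `charset`.

    A candidate is accepted only if it contains at least one character from
    every class (letters, digits, punctuation) that the charset actually
    allows, so a restricted charset such as LETTERS + DIGITS never waits for
    punctuation that cannot appear. Rejection sampling keeps the result
    uniform over all accepted strings; forcing one char per position would not.
    """
    if length < 12:  # assumed floor for a machine-to-machine shared secret
        raise ValueError("length too short for a shared secret")
    charset = "".join(dict.fromkeys(charset))  # drop duplicates, keep order
    if not charset:
        raise ValueError("empty charset")
    allowed = set(charset)
    classes = [cls for cls in (set(LETTERS), set(DIGITS), set(PUNCTUATION)) if cls & allowed]
    while True:
        candidate = "".join(secrets.choice(charset) for _ in range(length))
        if all(set(candidate) & cls for cls in classes):
            return candidate


def uses_only(password, charset):
    """True if every character of `password` lies in `charset`."""
    return set(password) <= set(charset)


if __name__ == "__main__":
    print(generate_password())                                  # full charset
    print(generate_password(charset=LETTERS + DIGITS, length=40))  # restricted
```

Passing the charset in, rather than editing a module-level PUNCTUATION constant, keeps the restriction local to the one consumer (here, a value that must survive being written into a server config file) without weakening secrets generated elsewhere.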
29f8189b by Endi S. Dewata at 2020-10-05T15:02:43-05:00
Move IEnrollmentPolicy to pki-server

- - - - -
26d86e9e by Endi S. Dewata at 2020-10-05T15:02:43-05:00
Move IKeyArchivalPolicy to pki-server

- - - - -
9b972734 by Endi S. Dewata at 2020-10-05T15:02:43-05:00
Move IKeyRecoveryPolicy to pki-server

- - - - -
64581338 by Endi S. Dewata at 2020-10-05T15:02:43-05:00
Move IRenewalPolicy to pki-server

- - - - -
6d9cdc62 by Endi S. Dewata at 2020-10-05T15:02:43-05:00
Move IRevocationPolicy to pki-server

- - - - -
81e967d7 by Endi S. Dewata at 2020-10-05T15:02:43-05:00
Move IPolicySet to pki-server

- - - - -
faed9e6c by Endi S. Dewata at 2020-10-05T15:04:17-05:00
Merge ICertificateRepository to CertificateRepository

- - - - -
c74a8763 by Endi S. Dewata at 2020-10-05T16:39:08-05:00
Clean up Configurator.updateNextRanges()

- - - - -
0ac70565 by Endi S. Dewata at 2020-10-05T17:48:39-05:00
Clean up TPSInstaller.configureCAConnector()

The unused cainfo.select has been removed.

- - - - -
8a7dff2c by Endi S. Dewata at 2020-10-05T17:48:49-05:00
Clean up TPSInstaller.configureTKSConnector()

The unused tksinfo.select has been removed.

- - - - -
1780884e by Endi S. Dewata at 2020-10-05T17:49:09-05:00
Clean up TPSInstaller.configureKRAConnector()

The unused krainfo.select has been removed.

- - - - -
faf0f928 by Endi S. Dewata at 2020-10-05T18:29:39-05:00
Remove unused subsystem.count

- - - - -
c5edf12e by Endi S. Dewata at 2020-10-05T19:33:41-05:00
Clean up Configurator.loadKeyPair()

The Configurator.loadKeyPair() has been modified to take
an existing X509Certificate object.

- - - - -
ec049163 by Endi S. Dewata at 2020-10-05T19:36:00-05:00
Clean up Configurator.createECCKeyPair()

The Configurator.createECCKeyPair() has been modified to
use the default curve name if not provided.

- - - - -
b687119d by Endi S. Dewata at 2020-10-05T19:36:42-05:00
Clean up Configurator.createRSAKeyPair()

The Configurator.createRSAKeyPair() has been modified to
use the default key size if not provided.

- - - - -
e711488a by Endi S. Dewata at 2020-10-05T19:37:45-05:00
Replace Configurator.processKeyPair()

The Configurator.processKeyPair() has been replaced with a
direct call to loadKeyPair() or createKeyPair() depending
on the availability of the certificate.

- - - - -
c54f1113 by 06shalini at 2020-10-06T12:06:55+05:30
Fixed nightly pipeline run by fixing stable package versions (#3344)

Signed-off-by: Shalini Khandelwal <skhandel at redhat.com>

Co-authored-by: Shalini Khandelwal <skhandel at redhat.com>
- - - - -
bd2a7654 by Endi S. Dewata at 2020-10-06T08:48:51-05:00
Remove redundant Cert.mSubsystem

- - - - -
1147bc6e by Endi S. Dewata at 2020-10-06T08:48:52-05:00
Refactor Configurator.generateCertRequest()

The Configurator.generateCertRequest() has been converted
into createCertRequest() which returns the certificate request
data.

- - - - -
8b31aa71 by Endi S. Dewata at 2020-10-06T08:48:53-05:00
Refactor Configurator.configRemoteCert()

The Configurator.configRemoteCert() has been converted into
createRemoteCert() that takes a list of DNS names for SAN
extension.

- - - - -
a426b800 by Endi S. Dewata at 2020-10-06T08:48:54-05:00
Replace Configurator.generateRemoteCert()

The Configurator.generateRemoteCert() has been replaced with
a direct call to createRemoteCert().

- - - - -
2f00efb6 by Endi S. Dewata at 2020-10-06T08:48:55-05:00
Refactor CAConfigurator.generateLocalCert()

The CAConfigurator.generateLocalCert() has been converted
into createLocalCert() that returns an X509CertImpl object.

- - - - -
2ed9adb5 by Endi S. Dewata at 2020-10-06T08:48:56-05:00
Refactor Configurator.generateCert()

The Configurator.generateCert() has been converted into
createCert() that returns an X509CertImpl object.

- - - - -
74f4897e by Endi S. Dewata at 2020-10-06T08:48:58-05:00
Remove unused Cert.mType

- - - - -
78d8f115 by Endi S. Dewata at 2020-10-06T08:48:59-05:00
Refactor Configurator.loadCert()

The code that loads the cert and request data from CS.cfg
has been moved out of Configurator.loadCert().

- - - - -
2b165d8e by Endi S. Dewata at 2020-10-06T08:49:00-05:00
Refactor Configurator.processCert()

The Configurator.processCert() has been modified to take
an X509Certificate object.

- - - - -
838b1f5e by Endi S. Dewata at 2020-10-06T08:58:43-05:00
Refactor CAConfigurator.updateLocalRequest()

The CAConfigurator.updateLocalRequest() has been modified to
take an IRequest object instead of a RequestId object such
that it doesn't need to search for the request object in the
request queue.

- - - - -
5fb0b660 by Endi S. Dewata at 2020-10-06T08:58:43-05:00
Replace CertUtils.createLocalCert()

The CertUtils.createLocalCert() has been replaced with
a direct call to createCertRecord().

- - - - -
e22143e2 by Endi S. Dewata at 2020-10-06T08:58:44-05:00
Clean up CAConfigurator.updateLocalRequest()

- - - - -
090c2a66 by Endi S. Dewata at 2020-10-06T08:58:45-05:00
Refactored CertUtils.createLocalRequest()

The CertUtils.createLocalRequest() has been converted
into initLocalRequest() that takes an IRequest object.

- - - - -
2ec60d4a by Endi S. Dewata at 2020-10-06T08:58:46-05:00
Replace CAConfigurator.createRequest()

The CAConfigurator.createRequest() has been replaced
with direct calls to IRequestQueue.newRequest() and
CertUtils.initLocalRequest().

- - - - -
51a2d078 by Dinesh Prasanth M K at 2020-10-07T11:33:01-04:00
GH issues migration cleanup 1

This patch cleans up code, that refers to pagure tickets,
to point to the new GH issue.

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
8e16088f by Dinesh Prasanth M K at 2020-10-07T13:24:52-04:00
Update pkispawn man page with instructions to dscreate

This patch updates pkispawn's man page with instructions
to install a DS instance using dscreate.

Partly resolves: bz#1656772

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
15e78c27 by Dinesh Prasanth M K at 2020-10-07T13:24:52-04:00
Fix angle brackets in pkispawn man page

This patch:
- Fixes issue with angle brackets in pkispawn man page
- Removes obsolete DS specific information from pkispawn man page

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
67ac57cd by Endi S. Dewata at 2020-10-07T14:10:42-05:00
Refactor Configurator.processCert()

The Configurator.processCert() has been modified to
take a Cert object that contains the cert info.

- - - - -
2a95560b by Endi S. Dewata at 2020-10-07T14:10:42-05:00
Add PKIDeployer.finalize_subsystem()

The code that finalizes the configuration parameters in
Configurator.finalizeConfiguration() has been moved into
PKIDeployer.finalize_subsystem().

- - - - -
b991a225 by Endi S. Dewata at 2020-10-07T14:10:42-05:00
Remove unused FinalizeConfigRequest.importSharedSecret

- - - - -
c279c652 by Endi S. Dewata at 2020-10-07T14:10:42-05:00
Remove TPSConfigurator.getSharedSecret()

The code that configures conn.tks1.tksSharedSymKeyName
in TPSConfigurator.getSharedSecret() has been moved into
PKIDeployer.import_shared_secret().

- - - - -
53e305c1 by Christina Fu at 2020-10-08T09:20:33-07:00
Bug1875563-add profile caAuditSigningCert

This patch will revert the previously added IPA specific KRA storage
and transport cert profiles, as it turned out that they just need
generic KRA storage and transport cert profiles, which could be
fulfilled by using the following two existing profiles
  caStorageCert.cfg
  caTransportCert.cfg
In addition, a caAuditSigningCert profile is added, although I found
a misleading profile named caSignedLogCert.cfg that was intended for
that use.  I disabled caSignedLogCert.cfg instead.

I also removed the SHA1 algorithms from all the *storage* and *audit*
profiles while I'm at it.

The upgrade scripts only add the new profile caAuditSigningCert.  They
do not modify existing profiles or remove those two IPA specific
ones.

fixes https://bugzilla.redhat.com/show_bug.cgi?id=1875563

- - - - -
ec176564 by Endi S. Dewata at 2020-10-08T11:42:30-05:00
Merge IPublisherProcessor into PublisherProcessor

- - - - -
3e923404 by Endi S. Dewata at 2020-10-08T11:42:30-05:00
Remove unused CMSEngine.upgradeConfig()

- - - - -
293c5e8a by Endi S. Dewata at 2020-10-08T11:42:30-05:00
Remove unused Upgrade class

- - - - -
4fba2d34 by Endi S. Dewata at 2020-10-08T11:42:30-05:00
Move GetCRL to pki-ca

- - - - -
9fdad1cb by Endi S. Dewata at 2020-10-08T11:42:30-05:00
Move DisplayCRL to pki-ca

- - - - -
9d5c4850 by Endi S. Dewata at 2020-10-08T11:42:30-05:00
Move GetInfo to pki-ca

- - - - -
eb9b36e5 by Endi S. Dewata at 2020-10-08T11:42:30-05:00
Move UpdateDir to pki-ca

- - - - -
23f7f9bd by Endi S. Dewata at 2020-10-08T11:42:30-05:00
Move CrlCachePrettyPrint to pki-ca

- - - - -
5fc92a21 by Endi S. Dewata at 2020-10-08T11:42:30-05:00
Move CMSAuthorityKeyIdentifierExtension to pki-ca

- - - - -
7366502e by Endi S. Dewata at 2020-10-08T11:42:30-05:00
Move CMSCRLNumberExtension to pki-ca

- - - - -
a38d11e5 by Endi S. Dewata at 2020-10-08T11:42:30-05:00
Move CMSDeltaCRLIndicatorExtension to pki-ca

- - - - -
10bad6ab by Endi S. Dewata at 2020-10-08T11:44:32-05:00
Rename pki-server <subsystem>-range-update to <subsystem>-range-request

- - - - -
ac717455 by Endi S. Dewata at 2020-10-08T11:46:23-05:00
Add SubsystemRangeUpdateCLI

The code that updates ranges in Configurator.updateNextRanges()
has been copied into SubsystemRangeUpdateCLI.

- - - - -
a6da401c by Endi S. Dewata at 2020-10-08T11:47:10-05:00
Add pki-server <subsystem>-range-update

The pki-server <subsystem>-range-update has been added to
call SubsystemRangeUpdateCLI from command line.

- - - - -
2c24f572 by Endi S. Dewata at 2020-10-08T11:47:32-05:00
Add CACertRemoveCLI

The code that removes the CA signing cert record in
Configurator.deleteSigningRecord() has been copied
into CACertRemoveCLI.

- - - - -
e72efb3a by Endi S. Dewata at 2020-10-08T11:47:32-05:00
Add pki-server ca-cert-del

The pki-server ca-cert-del has been added to call
CACertRemoveCLI from command line.

- - - - -
f5e68806 by Endi S. Dewata at 2020-10-08T14:14:57-05:00
Add LDAPConfigMonitor

The LDAPConfigMonitor has been added for LDAPDatabase
to monitor ACME config properties stored in the database
using persistent search.

The ACMEEnableService and ACMEDisableService have been
modified to update the 'enabled' config property in the
database.

The ACMERequestFilter has been modified to use the `enabled`
config property from the database. However, if the property
is not set in the database, the filter will use the property
from the config file instead.

- - - - -
2ef15dc8 by Endi S. Dewata at 2020-10-08T18:13:03-05:00
Clean up CAConfigurator.finalizeConfiguration() (part 1)

The code that removes the CA signing cert record in
CAConfigurator.finalizeConfiguration() has been moved
into configuration.py.

- - - - -
d739fac2 by Endi S. Dewata at 2020-10-08T18:13:03-05:00
Clean up CAConfigurator.finalizeConfiguration() (part 2)

The code that enables the profile subsystem in
CAConfigurator.finalizeConfiguration() has been moved
into configuration.py.

- - - - -
ab091c5a by Endi S. Dewata at 2020-10-08T18:13:03-05:00
Clean up CAConfigurator.finalizeConfiguration() (part 3)

The code that configures ca.crl.MasterCRL.startingCrlNumber
in CAConfigurator.finalizeConfiguration() has been moved into
configuration.py.

- - - - -
3faa3866 by Endi S. Dewata at 2020-10-08T18:13:03-05:00
Clean up CAConfigurator.finalizeConfiguration() (part 4)

The code that disables CRL caching and generation in
CAConfigurator.finalizeConfiguration() has been moved
into configuration.py.

- - - - -
49c12096 by Endi S. Dewata at 2020-10-08T18:13:03-05:00
Clean up CAConfigurator.finalizeConfiguration() (part 5)

The code that configures security domain master in
CAConfigurator.finalizeConfiguration() has been moved
into configuration.py.

- - - - -
26c347a8 by Endi S. Dewata at 2020-10-08T18:13:03-05:00
Clean up CAConfigurator.finalizeConfiguration() (part 6)

The code that updates the range numbers in CAConfigurator and
KRAConfigurator.finalizeConfiguration() has been moved into
configuration.py.

- - - - -
a175d385 by Christina Fu at 2020-10-09T09:20:45-07:00
Bug1874595-(add missing patch for) TPS Server-side keygen support for id only tokens

This patch relates to Bug 1494591, where the fix was missing a patch.

It makes it so that as long as one keyType has serverKeyGen enabled then
all key types under the same tps profile are considered server-side
keygen.

Code submitted by RHCS-MAINT

fixes https://bugzilla.redhat.com/show_bug.cgi?id=1874595

- - - - -
101c5b76 by Endi S. Dewata at 2020-10-09T11:34:39-05:00
Move ListCerts to pki-ca

- - - - -
bf2b7b40 by Endi S. Dewata at 2020-10-09T11:34:39-05:00
Move SrchCerts to pki-ca

- - - - -
32960d12 by Endi S. Dewata at 2020-10-09T11:34:39-05:00
Move Monitor to pki-ca

- - - - -
a1095bef by Endi S. Dewata at 2020-10-09T11:34:39-05:00
Move CRLRepository to pki-ca

- - - - -
80d49141 by Endi S. Dewata at 2020-10-09T11:34:39-05:00
Move UniqueSubjectName to pki-ca

- - - - -
74de65a9 by Endi S. Dewata at 2020-10-09T11:34:39-05:00
Move UniqueSubjectNameConstraints to pki-ca

- - - - -
3c5df519 by Endi S. Dewata at 2020-10-09T11:34:39-05:00
Move org.dogtagpki.legacy.server.policy.extensions to pki-ca

- - - - -
d7776c45 by Endi S. Dewata at 2020-10-09T11:34:39-05:00
Move org.dogtagpki.legacy.server.policy.constraints to pki-ca

- - - - -
f09342d5 by Endi S. Dewata at 2020-10-09T11:36:13-05:00
Remove ICertificateAuthority.getCRLRepository()

The ICertificateAuthority.getCRLRepository() has been replaced
with direct calls to CAEngine.getCRLRepository().

- - - - -
abeed422 by Endi S. Dewata at 2020-10-09T11:36:15-05:00
Merge ICRLRepository into CRLRepository

- - - - -
e6588ad4 by Endi S. Dewata at 2020-10-09T11:36:17-05:00
Remove ICertificateAuthority.getCRLIssuingPoints()

The ICertificateAuthority.getCRLIssuingPoints() has been
replaced with direct calls to CAEngine.getCRLIssuingPoints().

- - - - -
98d33c5b by Endi S. Dewata at 2020-10-09T11:36:18-05:00
Remove ICertificateAuthority.getCRLIssuingPoint()

The ICertificateAuthority.getCRLIssuingPoint() has been
replaced with direct calls to CAEngine.getCRLIssuingPoint().

- - - - -
cb3b51f1 by Endi S. Dewata at 2020-10-09T11:36:20-05:00
Replace ICertificateAuthority.getCertificateRepository()

Some of the ICertificateAuthority.getCertificateRepository()
invocations have been replaced with direct calls to
CAEngine.getCertificateRepository().

- - - - -
1ba298dc by Endi S. Dewata at 2020-10-09T12:34:14-05:00
Move AddCAServlet to pki-ocsp

- - - - -
47ab2a1e by Endi S. Dewata at 2020-10-09T12:34:16-05:00
Move AddCRLServlet to pki-ocsp

- - - - -
96a7c8a7 by Endi S. Dewata at 2020-10-09T12:34:17-05:00
Move CheckCertServlet to pki-ocsp

- - - - -
bdef9580 by Endi S. Dewata at 2020-10-09T12:34:18-05:00
Move ListCAServlet to pki-ocsp

- - - - -
329468b6 by Endi S. Dewata at 2020-10-09T12:34:19-05:00
Move RemoveCAServlet to pki-ocsp

- - - - -
c834e372 by Endi S. Dewata at 2020-10-09T12:34:20-05:00
Move com.netscape.certsrv.logging.event to pki-server

- - - - -
020ccefb by Endi S. Dewata at 2020-10-09T12:34:22-05:00
Move org.dogtagpki.legacy.policy to pki-server

- - - - -
9db1146a by Endi S. Dewata at 2020-10-09T12:34:23-05:00
Move IConnector to pki-server

- - - - -
f99b426d by Endi S. Dewata at 2020-10-09T12:34:25-05:00
Move IService to pki-server

- - - - -
410e1c60 by Endi S. Dewata at 2020-10-09T12:34:26-05:00
Move request interfaces to pki-server

- - - - -
50333404 by Endi S. Dewata at 2020-10-09T13:06:55-05:00
Move GeneralNamesAsConstraintsConfig to a new file

- - - - -
47a1d84b by Endi S. Dewata at 2020-10-09T13:06:57-05:00
Move GeneralNamesConfig to a new file

- - - - -
6f1ea9ef by Endi S. Dewata at 2020-10-09T13:06:58-05:00
Move GeneralNameConfig to a new file

- - - - -
872ab4f8 by Endi S. Dewata at 2020-10-09T13:07:00-05:00
Move GeneralNameAsConstraintsConfig to a new file

- - - - -
413d70cc by Endi S. Dewata at 2020-10-09T13:07:02-05:00
Move SubjAltNameGN to a new file

- - - - -
f9c4bb93 by Endi S. Dewata at 2020-10-09T13:07:03-05:00
Move PolicyInstance to a new file

- - - - -
752cf648 by Endi S. Dewata at 2020-10-09T13:07:05-05:00
Move RegisteredPolicy to a new file

- - - - -
7963fdfe by Endi S. Dewata at 2020-10-09T13:07:07-05:00
Move PredicateTokenizer to a new file

- - - - -
bd646873 by Endi S. Dewata at 2020-10-09T13:07:09-05:00
Move ExpressionComps to a new file

- - - - -
9332e4f6 by Endi S. Dewata at 2020-10-09T13:07:10-05:00
Rename ICRLPublisher to CRLPublisher

- - - - -
e6e2a1e4 by Endi S. Dewata at 2020-10-13T11:15:32-05:00
Remove CryptoUtil.sortCertificateChain()

The CryptoUtil.sortCertificateChain() has been replaced with
Cert.sortCertificateChain().

- - - - -
aa480286 by Endi S. Dewata at 2020-10-13T11:15:37-05:00
Merge ICertUserDBAuthentication into CertUserDBAuthentication

- - - - -
e0d5d37a by Endi S. Dewata at 2020-10-13T11:15:42-05:00
Merge IGroup to Group

- - - - -
2df76f48 by Endi S. Dewata at 2020-10-13T11:15:43-05:00
Merge IGroupConstants into Group

- - - - -
c4042744 by Endi S. Dewata at 2020-10-13T11:15:46-05:00
Merge IUser into User

- - - - -
ad8bd463 by Endi S. Dewata at 2020-10-13T11:18:39-05:00
Merge IUserConstants into User

- - - - -
7ebf8d78 by Endi S. Dewata at 2020-10-13T16:06:40-05:00
Clean up LDAPDatabase

- - - - -
0619f5a1 by Endi S. Dewata at 2020-10-13T16:06:41-05:00
Clean up LDAPRealm

- - - - -
f589afad by Endi S. Dewata at 2020-10-13T16:06:42-05:00
Clean up LDAPConfigMonitor

- - - - -
304040d5 by Endi S. Dewata at 2020-10-13T16:06:43-05:00
Clean up create.ldif for DS realm

- - - - -
4f4e5a29 by dpuniaredhat at 2020-10-14T17:37:41+05:30
acme mvp test (#3352)

Adding automation to Deploy acme container on podman and openshift

1. Update existing acme test cases and add test cases
2. Adding test to deploy acme using podman with Persistent Database and run test cases
3. Adding acme deployment with nss_issuer
4. Adding test to deploy acme on openshift with Persistent Database

Signed-off-by: Deepak Punia <dpunia at redhat.com>
- - - - -
d765cd87 by dpuniaredhat at 2020-10-15T19:00:15+05:30
Bugzilla 1874595 automation (#3355)

TPS - Server side key generation is not working for Identity only tokens

Signed-off-by: Deepak Punia <dpunia at redhat.com>
- - - - -
cb3f19b8 by Endi S. Dewata at 2020-10-15T09:53:40-05:00
Add patternfly.min.css.map into ACME UI

- - - - -
8d96b89f by Endi S. Dewata at 2020-10-15T09:54:12-05:00
Clean up ACME UI

- - - - -
eb501630 by Endi S. Dewata at 2020-10-15T09:54:13-05:00
Add JSON encoder/decoder for User

- - - - -
8883e23d by Endi S. Dewata at 2020-10-15T09:54:14-05:00
Update LDAPRealm to generate PKIPrincipal

The LDAPRealm has been updated to generate a PKIPrincipal
instead of a GenericPrincipal such that it can store
the User object.

- - - - -
d9607c2b by Christina Fu at 2020-10-15T17:02:24-07:00
Bug1874600-TPS does not check token cuid on the user externalReg record during PIN reset

RHCS-MAINT contribution
This patch makes sure that if "tokenCUID" exists for the user reg record,
pinReset operation would make sure that it matches with the current
token cuid.
If the "tokenCUID" does not exist in the user registration record
then any token can be used for pinReset.

fixes https://bugzilla.redhat.com/show_bug.cgi?id=1874600

- - - - -
b9edb38d by Endi S. Dewata at 2020-10-19T13:16:48-05:00
Remove unused UGSubsystem.startup()

- - - - -
26e16da1 by Endi S. Dewata at 2020-10-19T13:16:56-05:00
Add hashCode() and equals() for DataCollection

- - - - -
aa6d7b08 by Endi S. Dewata at 2020-10-19T13:19:15-05:00
Add pki-server <subsystem>-group-find

The pki-server <subsystem>-group-find has been added to
list all groups directly from the database.

- - - - -
14244b72 by Endi S. Dewata at 2020-10-19T14:43:47-05:00
Add pki-server <subsystem>-group-member-find

The pki-server <subsystem>-group-member-find has been added
to list all members of a group directly from the database.

- - - - -
2c114ff2 by Endi S. Dewata at 2020-10-19T14:43:50-05:00
Add pki-server <subsystem>-group-member-add

The pki-server <subsystem>-group-member-add has been added
to add a member into a group directly into the database.

- - - - -
033d3200 by Endi S. Dewata at 2020-10-19T14:43:50-05:00
Move pkidbuser group configuration

The code that configures pkidbuser groups has been moved
into configuration.py.

- - - - -
2defedfd by Endi S. Dewata at 2020-10-19T15:28:00-05:00
Fix cert validation in LDAPRealm

The LDAPRealm has been modified to validate the cert data
in addition to the cert ID.

- - - - -
5f4ed745 by Endi S. Dewata at 2020-10-19T15:28:00-05:00
Add PostgreSQLRealm

The PostgreSQLRealm has been added to define the ACME realm
using users and groups in PostgreSQL database.

- - - - -
fbf94d38 by Endi S. Dewata at 2020-10-19T15:28:00-05:00
Update pki-server acme-realm

- - - - -
7f43a712 by Endi S. Dewata at 2020-10-19T15:28:00-05:00
Add docs for PostgreSQLRealm

- - - - -
f1ce33fb by Endi S. Dewata at 2020-10-19T16:03:34-05:00
Clean up realm doc

- - - - -
4d8520c7 by Endi S. Dewata at 2020-10-19T16:04:31-05:00
Refactor UGSubsystem.addCertSubjectDN()

The UGSubsystem.addCertSubjectDN() has been converted into
addSeeAlso() which takes a user ID and the value of the
seeAlso attribute.

- - - - -
9badc0c0 by Endi S. Dewata at 2020-10-19T16:06:34-05:00
Refactor UGSubsystem.removeCertSubjectDN()

The UGSubsystem.removeCertSubjectDN() has been converted
into removeSeeAlso() that takes the user ID and the value
of the seeAlso attribute.

- - - - -
ea148d61 by Endi S. Dewata at 2020-10-19T16:14:10-05:00
Add UGSubsystem.findUsersByKeyword()

The code that generates an LDAP filter to search users by
keyword has been moved into UGSubsystem.findUsersByKeyword().

- - - - -
a6646131 by Endi S. Dewata at 2020-10-19T16:14:17-05:00
Add JSON converter for UserData

- - - - -
d23b45b3 by Endi S. Dewata at 2020-10-19T16:14:17-05:00
Add JSON converter for UserCollection

- - - - -
93b892a1 by Endi S. Dewata at 2020-10-19T19:35:18-05:00
Update PostgreSQLRealm to create PKIPrincipal

The PostgreSQLRealm has been modified to create a PKIPrincipal
which stores the User object instead of a GenericPrincipal which
stores only the username.

- - - - -
6c62d4b8 by Fraser Tweedale at 2020-10-20T11:09:28+10:00
startup notification: add StartupNotifier interface

Add the StartupNotifier interface.  Update CMSEngine to invoke
.notifyReady() for each configured notifier when startup is
completed.

Loading of notifiers and a systemd notifier instance will be
implemented in subsequent commits.

Part of: https://pagure.io/dogtagpki/issue/1233

- - - - -
c452bdec by Fraser Tweedale at 2020-10-20T11:09:28+10:00
startup notification: initialise from CS.cfg

Initialise StartupNotifier instances configured in CS.cfg.  The
configuration scheme is:

  startupNotifiers.list=systemd,foo
  startupNotifiers.systemd.class=package.and.ClassName
  startupNotifiers.foo.class=com.netscape.cmscore.apps.FooNotifier
  startupNotifiers.foo.paramA=valueA
  startupNotifiers.foo.paramB=valueB

`startupNotifiers.list` gives a list of substore names, one for each
StartupNotifier instance.  The `class` parameter of each substore
specifies the Java class name.  The config substore is passed to the
StartupNotifier.init() method.

Part of: https://pagure.io/dogtagpki/issue/1233

- - - - -
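The configuration scheme in the commit above (a `startupNotifiers.list` of substore names, each with a `class` entry and free-form parameters) is simple enough to parse stand-alone. The block below is an added example and not Dogtag's code: CMSEngine reads these keys through its own config store classes, whereas this parser reads a CS.cfg-style key=value text directly and resolves each listed notifier into its class name and parameter map. The sample text is constructed from the scheme quoted in the commit message; the extra `startupNotifiers.bar` substore is added to show that an unlisted substore is ignored.

```python
"""Resolve StartupNotifier substores from CS.cfg-style properties (added example)."""
from dataclasses import dataclass, field


@dataclass
class NotifierSpec:
    name: str
    class_name: str
    params: dict = field(default_factory=dict)


def parse_cs_cfg(text):
    """Parse 'key=value' lines; blank lines and '#' comments are skipped.

    Only the first '=' splits key from value, so values may contain '='.
    """
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        props[key.strip()] = value.strip()
    return props


def load_startup_notifiers(props, prefix="startupNotifiers"):
    """Return NotifierSpec objects in the order given by <prefix>.list.

    Every listed name must carry a '<prefix>.<name>.class' entry; all other
    keys under that substore become parameters (what init() would receive).
    Substores that exist but are not listed are ignored, since the list
    decides which instances get initialised.
    """
    raw_list = props.get(f"{prefix}.list", "")
    names = [n.strip() for n in raw_list.split(",") if n.strip()]
    specs = []
    for name in names:
        sub = f"{prefix}.{name}."
        entries = {k[len(sub):]: v for k, v in props.items() if k.startswith(sub)}
        class_name = entries.pop("class", None)
        if not class_name:
            raise ValueError(f"{prefix}.{name}.class is not set")
        specs.append(NotifierSpec(name, class_name, entries))
    return specs


# Constructed sample, copied from the scheme in the commit message plus
# one unlisted substore ("bar") that the loader must skip.
SAMPLE_CFG = """
startupNotifiers.list=systemd,foo
startupNotifiers.systemd.class=package.and.ClassName
startupNotifiers.foo.class=com.netscape.cmscore.apps.FooNotifier
startupNotifiers.foo.paramA=valueA
startupNotifiers.foo.paramB=valueB
# not listed, so never instantiated
startupNotifiers.bar.class=com.example.Ignored
"""

if __name__ == "__main__":
    for spec in load_startup_notifiers(parse_cs_cfg(SAMPLE_CFG)):
        print(spec)
```

Failing loudly on a listed notifier without a `class` entry is deliberate: a notifier that silently fails to load would leave a Type=notify unit waiting for a READY signal that never comes.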
5c0a0c9d by Fraser Tweedale at 2020-10-20T11:09:28+10:00
startup notification: add pki-systemd jar

Implement SystemdStartupNotifier, which does not actually notify
systemd yet (this will be implemented in a subsequent commit).
Ship this class in its own jar.  The inclusion of this jar in the
pki-server package will be made conditional on an RPM macro in the
next commit.

Part of: https://pagure.io/dogtagpki/issue/1233

- - - - -
4f106e2b by Fraser Tweedale at 2020-10-20T11:09:28+10:00
startup notification: make the systemd class optional

Add the `sdnotify` RPM bcond to make the SystemdStartupNotifier
class optional.  When enabled, it is supplied in a separate JAR
(part of the pki-server package), and the webapp symlink is added in
the pki-ca package.  It is enabled by default.

Note that on Fedora and presumably RHEL also, libsystemd.so is
always present.  sd_booted(3) can be used to determine whether pid 1
is systemd or not, so having a systemd notifier implementation
present doesn't imply that systemd must be used.

Nevertheless, it was requested to make this component optional.  So
here we are.

Part of: https://pagure.io/dogtagpki/issue/1233

- - - - -
1bc6a40c by Fraser Tweedale at 2020-10-20T11:09:28+10:00
startup notification: complete systemd notifier

Complete the implementation of SystemdStartupNotifier.  We use JNA
to bind to libsystemd.  The dependency on 'jna' package only occurs
when %{with sdnotify}.

The systemd unit template file is left alone, retaining Type=simple.
In order to enable systemd startup notification, you can override
the Type in the "drop-in" directory. For example, if the instance
name is 'pki-tomcat', write to the file:

  /etc/systemd/system/pki-tomcatd@pki-tomcat.service.d/notify.conf

the content:

  [Service]
  Type=notify

See systemd.unit(5) for more details.

Fixes: https://pagure.io/dogtagpki/issue/1233

- - - - -
ef088977 by Fraser Tweedale at 2020-10-20T11:09:28+10:00
startup notification: load libsystemd in init()

In the SystemdStartupNotifier, in order to better handle errors load
the library in init() rather than as static class configuration.
This gives better control over when Dogtag attempts to load the
library, and how it can handle errors.

Part of: https://pagure.io/dogtagpki/issue/1233

- - - - -
592f412e by Fraser Tweedale at 2020-10-20T11:09:28+10:00
startup notification: return result to caller

Update the StartupNotifier interface to return a NotifyResult to the
caller.  The NotifyResult contains a success/failure enum and a
string message.  Update CMSEngine to interpret the NotifyResult and
log a message if appropriate.

The SystemdStartupNotifier no longer writes to stderr/stdout.  As a
result, there is no longer any ambiguity about which CMS subsystem a
failure occurred in.

Part of: https://pagure.io/dogtagpki/issue/1233

- - - - -
6f573ee1 by jmagne at 2020-10-19T18:26:57-07:00
Enhancement to Bug 1858860 - TPS - Update Error Codes returned to client (CIW/ESC) to Match CS8. (#3361)

This enhancement allows config values to be used to test the unlikely error conditions addressed in the original bug:

To test the two scenarios, use these settings one at a time:

op.pinReset.testNoBeginMsg=false
op.pinReset.testUpdateDBFailure=false

The first one will test the error code returned when the beginOp message is missing when attempting
a pin reset operation. The error returned should be error "4".

The second one will test if the update of the db for the token does not complete properly.

The error returned in this scenario should be "41".

The tpsclient utility can be used to test these two scenarios. Once again try them separately
because the first error will stop the pin reset procedure before the second scenario can even happen.

- - - - -
8529ebe2 by Endi S. Dewata at 2020-10-20T09:22:50-05:00
Add PostgreSQLConfigMonitor

The PostgreSQLConfigMonitor has been added to periodically
monitor ACME config properties stored in PostgreSQL database.

- - - - -
885136fb by Endi S. Dewata at 2020-10-20T09:22:50-05:00
Add docs for PostgreSQLConfigMonitor

- - - - -
c7be1f9b by Endi S. Dewata at 2020-10-20T09:26:55-05:00
Fix pki-server acme-realm-show

- - - - -
4f12d13e by Endi S. Dewata at 2020-10-20T11:26:48-05:00
Update version number to 10.10.0-beta1

- - - - -
3df7a23c by Endi S. Dewata at 2020-10-20T16:54:54-05:00
Update JSS dependency

- - - - -
9b6247dc by Fraser Tweedale at 2020-10-21T10:47:27+10:00
CommonNameToSANDefault: allow label starting with digit

https://tools.ietf.org/html/rfc1123#section-2 relaxes the grammar
specified in https://tools.ietf.org/html/rfc1034#section-3.5,
allowing a DNS label to start with a number.  RFC 5280 explicitly
adopts the modifications of RFC 1123, so the current check that
requires a label to start with a letter is too strict.  Update the
check to allow labels to start with number or letter.

Fixes: https://github.com/dogtagpki/pki/issues/3339

- - - - -
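An added example (not Dogtag's CommonNameToSANDefault code) contrasting the strict RFC 1034 letter-first label grammar with the RFC 1123 relaxation the commit adopts, applied to a whole dotted name the way a CN would be checked before being copied into a dNSName SAN; the sample names are constructed.

```python
import re

# RFC 1034 section 3.5: <letter> [ [ <ldh-str> ] <let-dig> ]
_RFC1034_LABEL = re.compile(r"[A-Za-z](?:[A-Za-z0-9-]*[A-Za-z0-9])?")
# RFC 1123 section 2.1 relaxation: the first character may also be a digit.
_RFC1123_LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?")


def is_valid_label(label: str, allow_leading_digit: bool = True) -> bool:
    """Return True if label is a syntactically valid DNS label.

    Labels are 1..63 octets (RFC 1034). allow_leading_digit=False gives the
    old, too-strict behaviour; True gives the RFC 1123 grammar.
    """
    if not 1 <= len(label) <= 63:
        return False
    pattern = _RFC1123_LABEL if allow_leading_digit else _RFC1034_LABEL
    return pattern.fullmatch(label) is not None


def is_valid_dns_name(name: str, allow_leading_digit: bool = True) -> bool:
    """Validate a dotted DNS name: every label valid, total length <= 253.

    A single trailing dot (fully qualified form) is tolerated.
    """
    if name.endswith("."):
        name = name[:-1]
    if not name or len(name) > 253:
        return False
    return all(is_valid_label(lbl, allow_leading_digit) for lbl in name.split("."))
```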
2e1a0cfd by Endi S. Dewata at 2020-10-21T08:38:27-05:00
Update TomcatJSS dependency

- - - - -
8449667d by Endi S. Dewata at 2020-10-21T16:55:20-05:00
Add pki-acme.js

The JavaScript code in ACME's index.jsp has been moved
into pki-acme.js.

- - - - -
defadf1a by Endi S. Dewata at 2020-10-21T19:18:10-05:00
Add pki-server <subsystem>-user-find

The pki-server <subsystem>-user-find has been added to
find users linked to a certificate.

- - - - -
6c322670 by Endi S. Dewata at 2020-10-21T19:27:02-05:00
Add pki-server <subsystem>-user-mod

The pki-server <subsystem>-user-mod has been added to
link/unlink a user to a certificate.

- - - - -
27e27237 by Endi S. Dewata at 2020-10-21T20:25:03-05:00
Remove Configurator.removeOldDBUsers()

The code that links/unlinks users to/from subsystem cert
has been moved into configuration.py.

- - - - -
fb0ed640 by Endi S. Dewata at 2020-10-22T15:06:36-05:00
Add InMemoryRealm

The InMemoryRealm has been added to provide a simple realm
that contains just the admin user.

- - - - -
0b73ae1b by Endi S. Dewata at 2020-10-22T15:06:36-05:00
Update ACME deployment for Podman

The Dockerfile and the pki-acme-run script have been modified
to use the InMemoryRealm by default and provide a mechanism
to change it.

- - - - -
6157d431 by Endi S. Dewata at 2020-10-22T15:06:36-05:00
Update ACME deployment for OpenShift

The OpenShift deployment files have been modified to use
the InMemoryRealm by default and provide a mechanism to
change it.

- - - - -
ad6d9fad by Endi S. Dewata at 2020-10-23T10:01:39-05:00
Clean up exception handling in pki-server

The pki-server has been modified to show better error messages.

- - - - -
b0047db2 by Endi S. Dewata at 2020-10-23T10:01:39-05:00
Add log messages for Password.get_password()

- - - - -
84696756 by Endi S. Dewata at 2020-10-23T10:01:39-05:00
Refactor UGSubsystem.addUserCert()

The UGSubsystem.addUserCert() has been modified to take
a user ID and a certificate object.

- - - - -
f093ae97 by Endi S. Dewata at 2020-10-23T10:01:39-05:00
Add pki-server <subsystem>-user-cert-add

The pki-server <subsystem>-user-cert-add has been added to
add a cert to a user for client cert authentication.

- - - - -
d49310da by Endi S. Dewata at 2020-10-23T10:01:39-05:00
Refactor pkidbuser cert configuration

The code that configures pkidbuser cert has been moved
into configuration.py.

- - - - -
6ad73713 by Endi S. Dewata at 2020-10-23T10:01:39-05:00
Clean up UGSubsystem.addUser()

The UGSubsystem.addUser() has been modified to allow
optional attributes according to the LDAP schema.

- - - - -
438eff69 by Endi S. Dewata at 2020-10-23T10:01:39-05:00
Add pki-server <subsystem>-user-show

The pki-server <subsystem>-user-show has been added to
retrieve a user directly from the database.

- - - - -
4f9e4d95 by Endi S. Dewata at 2020-10-23T10:01:39-05:00
Add pki-server <subsystem>-user-add

The pki-server <subsystem>-user-add has been added to
add a user directly into the database.

- - - - -
4078259a by Endi S. Dewata at 2020-10-23T10:01:39-05:00
Refactor pkidbuser creation

The code that creates pkidbuser has been moved into
configuration.py.

- - - - -
89f178ad by Endi S. Dewata at 2020-10-23T11:09:59-05:00
Add PKIDeployer.setup_database_user()

The code that configures pkidbuser has been moved into
PKIDeployer.setup_database_user().

- - - - -
61744481 by Endi S. Dewata at 2020-10-23T13:44:06-05:00
Fix cloning issue

Due to recent changes pkispawn tried to add a duplicate
pkidbuser during cloning so it failed. The code has been
modified to no longer add pkidbuser during cloning.

- - - - -
42ab987a by Endi S. Dewata at 2020-10-23T14:43:08-05:00
Remove unused SystemConfigService.setupDatabaseUser()

- - - - -
ab918bf7 by Endi S. Dewata at 2020-10-26T15:13:53-05:00
Fix error handling in pki-server

- - - - -
355f2655 by Endi S. Dewata at 2020-10-26T15:14:00-05:00
Fix Password.get_password()

The Password.get_password() has been modified to use
pki.util.load_properties() to load the password file.

- - - - -
2648cc6e by Endi S. Dewata at 2020-10-26T15:29:52-05:00
Add pki securitydomain-join

The code that registers the new subsystem into the security
domain has been moved into pki securitydomain-join.

- - - - -
65781959 by Endi S. Dewata at 2020-10-26T21:48:32-05:00
Clean up PKISubsystem.join_security_domain()

- - - - -
25f6ecd4 by Endi S. Dewata at 2020-10-26T21:49:16-05:00
Add pki-server sd-host-add

The code that adds the security domain manager has been
moved into pki-server sd-host-add.

- - - - -
26450226 by Endi S. Dewata at 2020-10-26T23:01:00-05:00
Add pki-server sd-create

The code that creates the security domain has been moved into
pki-server sd-create.

- - - - -
b4a33e33 by Endi S. Dewata at 2020-10-26T23:01:06-05:00
Remove unused SystemConfigService.setupSecurityDomain()

- - - - -
b24f6b16 by Endi S. Dewata at 2020-10-26T23:01:06-05:00
Remove unused SecurityDomainSetupRequest

- - - - -
f74a6bd2 by Endi S. Dewata at 2020-10-27T13:10:41-05:00
Clean up group configuration for pkidbuser

- - - - -
73d0e6e4 by Endi S. Dewata at 2020-10-27T13:10:44-05:00
Add --output-format for pki-server <subsystem>-group-member-find

- - - - -
53706d43 by Endi S. Dewata at 2020-10-27T13:10:45-05:00
Add --tps-profiles for pki-server <subsystem>-add-user

- - - - -
f26500c1 by Endi S. Dewata at 2020-10-27T13:10:47-05:00
Refactor admin certificate configuration

The code that configures the admin certificate in
Configurator.updateAdminUserCert() has been moved into
PKIDeployer.setup_admin().

- - - - -
9e3db097 by Endi S. Dewata at 2020-10-27T13:10:49-05:00
Refactor admin group configuration

The code that configures the admin groups in
Configurator.createAdminUser() has been moved into
PKIDeployment.setup_admin().

- - - - -
63c7434b by Endi S. Dewata at 2020-10-27T13:10:50-05:00
Refactor admin user creation

The code that creates the admin user in
Configurator.createAdminUser() has been moved into
PKIDeployer.setup_admin().

- - - - -
d4ed7a86 by Endi S. Dewata at 2020-10-27T13:10:52-05:00
Remove ACME tech preview notifications

- - - - -
d7cd7104 by Fraser Tweedale at 2020-10-27T17:53:57-05:00
acme: refactor validation retry behaviour into ACMEChallengeProcessor

Challenge retry behaviour was duplicated across validators.
Refactor this behaviour into the ACMEChallengeProcessor class.

The validateChallenge method can now no longer raise (arbitrary)
exceptions.  Instead it returns a value of the ValidationResult
type.  As a consequence, more exceptions need to be handled, but the
upshot is that such failures are now captured and get represented
properly in the challenge object's error field.

- - - - -
cc566b63 by Fraser Tweedale at 2020-10-27T17:53:57-05:00
acme: add ACMEIdentifierValidator class

Add a class and methods for validating the syntax of an identifier.
This will allow the newOrder service to reject orders with malformed
identifiers (a subsequent commit will implement this behaviour).

- - - - -
2cfa3c63 by Fraser Tweedale at 2020-10-27T17:53:57-05:00
acme: validate identifier syntax

Update ACMENewOrderService to validate identifier syntax and respond
with an error object if it finds a malformed identifier.

Also add a service base class providing the "respond with ACMEError
object".  Other service classes should be updated over time to use
it, so that we (a) return proper error objects in conformance with
RFC 8555 and (b) avoid code duplication through use of the base
class.

- - - - -
e63ff629 by Endi S. Dewata at 2020-10-28T11:08:21-05:00
Clean up ACME docs

- - - - -
113a8634 by Endi S. Dewata at 2020-10-28T11:11:59-05:00
Clean up ACME docs (part 2)

- - - - -
927f6662 by Endi S. Dewata at 2020-10-28T14:09:48-05:00
Update ACME login and logout services

The ACME login service has been modified to allow anybody
to retrieve the login information from the current session.

The ACME logout service has been modified to allow anybody
to clear the current session.

- - - - -
373f5c5c by Endi S. Dewata at 2020-10-28T14:09:48-05:00
Add avatar and user's full name for ACME UI

The ACME UI has been modified to display an avatar and
user's full name.

- - - - -
9db5355f by Endi S. Dewata at 2020-10-28T14:09:48-05:00
Add profile menu for ACME UI

The ACME UI has been modified to provide a profile menu
which initially contains the login and logout menu items.

- - - - -
38616b5a by Endi S. Dewata at 2020-10-28T14:09:48-05:00
Add sidebar menu for ACME UI

A sidebar menu has been added into the ACME UI. The main page
has been split into home.jsp and help.jsp.

- - - - -
2cd562a5 by Endi S. Dewata at 2020-10-28T14:09:48-05:00
Add sidebar toggle in ACME UI

A toggle has been added to show/hide the sidebar in the ACME UI.

- - - - -
15962317 by Endi S. Dewata at 2020-10-28T14:09:48-05:00
Add configuration page in ACME UI

A configuration page has been added in ACME UI to show the
current service status and links to enable/disable the service.

- - - - -
181487b3 by Endi S. Dewata at 2020-10-28T14:09:48-05:00
Add login/logout sidebar menu

- - - - -
5e06d806 by Endi S. Dewata at 2020-10-28T14:09:48-05:00
Fix ACME UI logout

- - - - -
61297c6f by Endi S. Dewata at 2020-10-28T14:42:31-05:00
Update version number to 10.0.0

- - - - -
4531ea21 by Timo Aaltonen at 2020-10-31T20:32:00+02:00
Merge tag 'v10.9.4' into m-n

- - - - -
4326bcb5 by Timo Aaltonen at 2020-10-31T20:32:05+02:00
Merge branch 'master' into m-n

- - - - -
209133e8 by Timo Aaltonen at 2020-11-01T13:04:37+02:00
bump the version

- - - - -
01773e48 by Timo Aaltonen at 2020-11-01T13:09:33+02:00
patches: Refreshed, fix-java11-dependencies.diff and fix-pki-java-path.diff dropped, upstream.

- - - - -
ff5c30d5 by Timo Aaltonen at 2020-11-01T13:10:48+02:00
control: Bump jss and tomcatjss dependencies.

- - - - -
c73e1f9b by Timo Aaltonen at 2020-11-01T13:15:19+02:00
control: Migrate to libcommons-lang3-java.

- - - - -
7973918b by Timo Aaltonen at 2020-11-01T14:15:12+02:00
control, pki-server.install, rules: Add support for systemd notifications, add libjna-java to depends.

- - - - -
150c41d9 by Timo Aaltonen at 2020-11-01T14:24:04+02:00
pki-tools, copyright: Java and native-tools got moved, update paths.

- - - - -
8fdbdced by Timo Aaltonen at 2020-11-01T18:54:44+02:00
refresh rest of the patches

- - - - -


30 changed files:

- .classpath
- + .github/workflows/qe-tests.yml
- .github/workflows/required-tests.yml
- .gitignore
- + CONTRIBUTING.md
- README.md
- base/CMakeLists.txt
- base/acme/CMakeLists.txt
- base/acme/Dockerfile
- + base/acme/bin/pki-acme-run
- + base/acme/conf/realm.conf
- + base/acme/database/ds/create.ldif
- + base/acme/database/ds/database.conf
- + base/acme/database/ds/schema.ldif
- base/acme/database/ldap/create.ldif
- base/acme/database/ldap/schema.ldif
- + base/acme/database/openldap/create.ldif
- + base/acme/database/openldap/database.conf
- + base/acme/database/openldap/schema.ldif
- base/acme/database/postgresql/create.sql
- base/acme/database/postgresql/drop.sql
- base/acme/database/postgresql/statements.conf
- base/acme/openshift/pki-acme-deployment.yaml
- + base/acme/openshift/pki-acme-realm.yaml
- + base/acme/realm/ds/create.ldif
- + base/acme/realm/ds/realm.conf
- + base/acme/realm/in-memory/realm.conf
- + base/acme/realm/postgresql/create.sql
- + base/acme/realm/postgresql/drop.sql
- + base/acme/realm/postgresql/realm.conf


The diff was not included because it is too large.


View it on GitLab: https://salsa.debian.org/freeipa-team/dogtag-pki/-/compare/3881dbb2d95a82c98e4c4d76d31e62a7a7ee651e...8fdbdced6b34a362b6e8133d0334ce3f33965dd1


