[Pkg-freeipa-devel] [Git][freeipa-team/dogtag-pki][master] 847 commits: Update version number to 10.11.0-alpha1
Timo Aaltonen (@tjaalton)
gitlab at salsa.debian.org
Wed Oct 6 18:50:04 BST 2021
Timo Aaltonen pushed to branch master at FreeIPA packaging / dogtag-pki
Commits:
bce94aea by Endi S. Dewata at 2020-11-20T17:32:30-06:00
Update version number to 10.11.0-alpha1
- - - - -
a6a8599e by Endi S. Dewata at 2020-11-30T09:22:10-06:00
Add CA test
- - - - -
1a976060 by Endi S. Dewata at 2020-11-30T09:22:10-06:00
Add KRA test
- - - - -
91afea61 by Endi S. Dewata at 2020-11-30T09:22:10-06:00
Add OCSP test
- - - - -
9c6b1cd1 by Endi S. Dewata at 2020-11-30T09:22:10-06:00
Add TKS test
- - - - -
58701617 by Endi S. Dewata at 2020-11-30T09:22:10-06:00
Add TPS test
- - - - -
a6fe0e3e by Endi S. Dewata at 2020-11-30T09:22:10-06:00
Add Python test
- - - - -
c8e8ca6b by Endi S. Dewata at 2020-11-30T09:22:10-06:00
Update status badges in README.md
- - - - -
9dfc1f25 by Endi S. Dewata at 2020-11-30T19:23:42-06:00
Fix pki-server cert-fix
In commit e680746ac4926367aef5c3ae3404dbb23c07eb19 the
ResourceMessage was modified to no longer include empty
attributes. Because of this in certain cases the server
might return a CertEnrollmentRequest object (which extends
ResourceMessage) without the Input or Output attributes,
which broke the pki-server cert-fix command.
To fix the problem, the CertEnrollmentRequest.from_json()
has been modified to check whether the response contains
Input and Output before parsing the attributes.
https://bugzilla.redhat.com/show_bug.cgi?id=1897120
- - - - -
62a26c84 by Endi S. Dewata at 2020-11-30T19:53:34-06:00
Update default base dir in PKISubsystem
The PKISubsystem has been modified to use <instance>/<subsystem>
as the base directory by default.
- - - - -
d07e710d by Endi S. Dewata at 2020-11-30T19:53:34-06:00
Refactor LDAPConfigurator.importFile()
The LDAPConfigurator.importFile() has been converted into
importLDIF() which returns the imported LDIF records.
- - - - -
53fb4ff5 by Endi S. Dewata at 2020-11-30T19:53:34-06:00
Rename LDAPConfigurator.createVLVIndexes()
- - - - -
1909fae8 by Endi S. Dewata at 2020-11-30T19:53:34-06:00
Refactor LDAPConfigurator.rebuildVLVIndexes()
The LDAPConfigurator.rebuildVLVIndexes() has been converted
into reindexVLVs() which utilizes the importLDIF().
- - - - -
cef8ce79 by Endi S. Dewata at 2020-11-30T19:53:34-06:00
Move CertUtils.createCertInfo()
The CertUtils.createCertInfo() has been moved into
CertificateAuthority.
- - - - -
bbcd0d43 by Endi S. Dewata at 2020-11-30T19:53:34-06:00
Clean up CertificateAuthority.init()
- - - - -
a8a9f61a by Endi S. Dewata at 2020-11-30T20:09:21-06:00
Rename CA's SigningUnit to CASigningUnit
- - - - -
dcf6fbfa by Endi S. Dewata at 2020-11-30T20:09:22-06:00
Rename OCSP's SigningUnit to OCSPSigningUnit
- - - - -
a62efcaa by Endi S. Dewata at 2020-11-30T20:09:23-06:00
Move ISigningUnit to pki-server
- - - - -
3cea0627 by Endi S. Dewata at 2020-11-30T20:12:28-06:00
Rename ISigningUnit to SigningUnit
- - - - -
47751a92 by Endi S. Dewata at 2020-11-30T21:46:19-06:00
Convert SigningUnit into base class
The SigningUnit has been converted into a base class which
provides the common code for CASigningUnit and OCSPSigningUnit.
- - - - -
1167082c by Endi S. Dewata at 2020-11-30T21:46:33-06:00
Merge ConsoleLog into ConsoleError
- - - - -
60bd08ba by Endi S. Dewata at 2020-12-01T18:13:26-06:00
Clean up log messages in KRAPolicy
- - - - -
7d0940c2 by Endi S. Dewata at 2020-12-01T18:14:12-06:00
Replace SystemEvent with System.err.println()
- - - - -
7f429199 by Endi S. Dewata at 2020-12-01T18:14:25-06:00
Remove unused SystemEventFactory
- - - - -
ffde646e by Endi S. Dewata at 2020-12-01T18:14:46-06:00
Remove unused SystemEvent
- - - - -
bd633512 by Endi S. Dewata at 2020-12-01T18:18:07-06:00
Replace ConsoleError with System.err.println()
- - - - -
ae673db0 by Endi S. Dewata at 2020-12-01T18:43:57-06:00
Refactor CertInfoProfile constructor
The CertInfoProfile constructor has been modified to take
an IConfigStore object.
- - - - -
49599c44 by Endi S. Dewata at 2020-12-01T18:45:49-06:00
Move CertUtils.createCertRecord() to CertificateAuthority
- - - - -
cd99a648 by Endi S. Dewata at 2020-12-01T19:29:54-06:00
Move CertUtils.initLocalRequest() to CertificateAuthority
- - - - -
24480717 by Endi S. Dewata at 2020-12-01T19:29:54-06:00
Move CertInfoProfile to pki-ca
- - - - -
3d954027 by Endi S. Dewata at 2020-12-02T13:49:22-06:00
Add subordinate CA test
A new CI test has been added to verify subordinate CA
installation.
- - - - -
2de91738 by Endi S. Dewata at 2020-12-02T16:22:39-06:00
Update default metadata.conf
- - - - -
b7bd0322 by Endi S. Dewata at 2020-12-02T17:49:34-06:00
Add CA clone test
- - - - -
257b4200 by Endi S. Dewata at 2020-12-02T17:57:46-06:00
Refactor ServerXml.load()
The ServerXml.load() has been modified to determine the
connector type based on the "scheme" attribute instead of
"name" which is not guaranteed to be available.
- - - - -
8791f5d7 by Endi S. Dewata at 2020-12-02T17:57:51-06:00
Replace PKIInstance constructor
The PKIInstance constructor invocations have been replaced
with PKIServerFactory.create() so they will return either
a PKIServer or a PKIInstance object depending on the actual
instance.
- - - - -
19f066d0 by Endi S. Dewata at 2020-12-04T10:34:27-06:00
Add admin verification
- - - - -
a00bd235 by Endi S. Dewata at 2020-12-07T13:04:45-06:00
Fix KRA/OCSP installation with external certs on HSM
The NSSDatabase.export_cert_from_db() has been modified
to use the fullname when exporting a cert from HSM.
The MigrateCLI.migrate_nssdb() has also been modified
to split the token name from the nickname properly.
https://bugzilla.redhat.com/show_bug.cgi?id=1890639
- - - - -
1cf7f72b by Endi S. Dewata at 2020-12-07T15:15:07-06:00
Merge usn.ldif into database.ldif
The code that enables the USN plugin has been merged into
LDAPConfigurator.initDatabase().
- - - - -
6afc2202 by Endi S. Dewata at 2020-12-07T15:15:07-06:00
Move ou=csusers,cn=config creation
The code that creates ou=csusers,cn=config has been moved into
LDAPConfigurator.initDatabase().
- - - - -
edd3bcf6 by Endi S. Dewata at 2020-12-07T15:43:30-06:00
Add cert extension config for CA signing cert
- - - - -
6ff7e303 by Endi S. Dewata at 2020-12-07T15:43:30-06:00
Add test for installing CA with external signing cert
- - - - -
b0c30fdd by Endi S. Dewata at 2020-12-07T16:00:28-06:00
Add LDAPConfigurator.params
The code that generates the customization parameters in
LDAPConfigurator.customizeFile() have been moved into the
constructor.
- - - - -
3c87a159 by Endi S. Dewata at 2020-12-07T16:00:28-06:00
Remove unused Configurator.importLDIFS()
- - - - -
af71ed1a by Christina Fu at 2020-12-07T18:11:20-08:00
Bug 1392616 - KRA key recovery cli kra-key-retrieve generates an invalid p12 file
This patch is to add back the try/catch block that was in place back in
DOGTAG_10_5_BRANCH. Initially I was going to just remove the two lines:
queue.processRequest(request);
queue.markAsServiced(request);
however, it's unclear to me if there is any scenario where they will be needed.
I'm leaving them the same as before.
Also, the reported issue might be misunderstanding due to unclear documentation.
>From the code, it seems the only way to download p12 is through the use
of a template file, which I will give example in the bug.
Man page has been updated as well in the area of PKCS12 key recovery.
fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1392616
- - - - -
e966b3da by Endi S. Dewata at 2020-12-07T22:21:03-06:00
Add SubsystemDBVLVFindCLI
The code that lists the VLV indexes in KRADBVLVFindCLI and
TPSDBVLVFindCLI has been converted into SubsystemDBVLVFindCLI.
- - - - -
7a3ec565 by Endi S. Dewata at 2020-12-07T22:21:03-06:00
Add pki-server <subsystem>-db-vlv-find
The pki-server <subsystem>-db-vlv-find has been added
to wrap SubsystemDBVLVFindCLI.
- - - - -
6b792079 by Endi S. Dewata at 2020-12-07T22:21:03-06:00
Replace pki-server kra-db-vlv-find
The pki-server kra-db-vlv-find has been replaced with
pki-server <subsystem>-db-vlv-find.
- - - - -
43290391 by Endi S. Dewata at 2020-12-07T22:21:03-06:00
Replace pki-server tps-db-vlv-find
The pki-server tps-db-vlv-find has been replaced with
pki-server <subsystem>-db-vlv-find.
- - - - -
c294327f by Christina Fu at 2020-12-08T10:33:21-06:00
Bug1875563-part2-auditProfileUpgrade
This patch addresses the issue where when caSignedLogCert.cfg was renamed
caAuditSigningCert where
* The profileIDMapping and profileSetIDMapping params in the following
profile still contains the old names:
base/ca/shared/conf/caAuditSigningCert.profile
* at renewal time, the profile will no longer be available
The solution provided is to
* correct the two mapping param names in caAuditSigningCert.profile
* re-enable caSignedLogCert.cfg (but kept invisible)
fixes https://bugzilla.redhat.com/show_bug.cgi?id=1875563
- - - - -
b95f9262 by Endi S. Dewata at 2020-12-08T11:41:57-06:00
Add SubsystemDBVLVAddCLI
The code that adds the VLV indexes in KRADBVLVAddCLI and
TPSDBVLVAddCLI has been converted into SubsystemDBVLVAddCLI.
- - - - -
1c403e95 by Endi S. Dewata at 2020-12-08T11:42:14-06:00
Add pki-server <subsystem>-db-vlv-add
The pki-server <subsystem>-db-vlv-add has been added
to wrap SubsystemDBVLVAddCLI.
- - - - -
c7051d8c by Endi S. Dewata at 2020-12-08T11:42:30-06:00
Replace pki-server kra-db-vlv-add
The pki-server kra-db-vlv-add has been replaced with
pki-server <subsystem>-db-vlv-add.
- - - - -
d3761d1b by Endi S. Dewata at 2020-12-08T11:42:50-06:00
Replace pki-server tps-db-vlv-add
The pki-server tps-db-vlv-add has been replaced with
pki-server <subsystem>-db-vlv-add.
- - - - -
1dcd21aa by Endi S. Dewata at 2020-12-08T12:11:00-06:00
Move AddProfileCaAuditSigningCert.py
The upgrade script for adding a new audit signing cert and
deprecating the old audit signing cert has been moved from
10.10.0 to 10.10.2 to ensure that the changes will be
applied properly.
https://bugzilla.redhat.com/show_bug.cgi?id=1875563
- - - - -
71487da1 by Endi S. Dewata at 2020-12-08T14:41:59-06:00
Add tools tests workflow
The PKICertImport test has been moved into a new tools
tests workflow to shorten the build time without reducing
test coverage.
- - - - -
3df33f3e by Endi S. Dewata at 2020-12-08T15:15:46-06:00
Fix pylint issue in AddProfileCaAuditSigningCert.py
https://bugzilla.redhat.com/show_bug.cgi?id=1875563
- - - - -
95e69484 by Endi S. Dewata at 2020-12-08T15:16:02-06:00
Add SubsystemDBVLVDeleteCLI
The code that deletes the VLV indexes in KRADBVLVDeleteCLI
and TPSDBVLVDeleteCLI has been converted into
SubsystemDBVLVDeleteCLI.
- - - - -
ceecc6dd by Endi S. Dewata at 2020-12-08T15:16:02-06:00
Add pki-server <subsystem>-db-vlv-del
The pki-server <subsystem>-db-vlv-del has been added to
wrap SubsystemDBVLVDeleteCLI.
- - - - -
8598316f by Endi S. Dewata at 2020-12-08T15:16:02-06:00
Replace pki-server kra-db-vlv-del
The pki-server kra-db-vlv-del has been replaced with
pki-server <subsystem>-db-vlv-del.
- - - - -
ad76abbc by Endi S. Dewata at 2020-12-08T15:16:02-06:00
Replace pki-server tps-db-vlv-del
The pki-server tps-db-vlv-del has been replaced with
pki-server <subsystem>-db-vlv-del.
- - - - -
d7f3b757 by Endi S. Dewata at 2020-12-08T20:20:22-06:00
Add SubsystemDBVLVReindexCLI
The code that rebuilds the VLV indexes in KRADBVLVReindexCLI
and TPSDBVLVReindexCLI has been converted into
SubsystemDBVLVReindexCLI.
- - - - -
f4161488 by Endi S. Dewata at 2020-12-08T20:20:29-06:00
Add pki-server <subsystem>-db-vlv-reindex
The pki-server <subsystem>-db-vlv-reindex has been added
to wrap SubsystemDBVLVReindexCLI.
- - - - -
94db8437 by Endi S. Dewata at 2020-12-08T20:20:30-06:00
Replace pki-server kra-db-vlv-reindex
The pki-server kra-db-vlv-reindex has been replaced with
pki-server <subsystem>-db-vlv-reindex.
- - - - -
52db8677 by Endi S. Dewata at 2020-12-08T20:20:31-06:00
Replace pki-server tps-db-vlv-reindex
The pki-server tps-db-vlv-reindex has been replaced with
pki-server <subsystem>-db-vlv-reindex.
- - - - -
57c1c13b by Endi S. Dewata at 2020-12-09T14:37:39-06:00
Replace KRADBCLI with SubsystemDBCLI
- - - - -
0852834b by Endi S. Dewata at 2020-12-09T14:37:40-06:00
Replace TPSDBCLI with SubsystemDBCLI
- - - - -
a341e97f by Endi S. Dewata at 2020-12-09T16:20:31-06:00
Fix CA install doc
- - - - -
a2836b4c by Endi S. Dewata at 2020-12-09T20:39:57-06:00
Refactor PKISubsystem.init_database() (part 1)
The options to set up database manager and VLV indexes in
PKISubsystem.init_database() have been removed since those
operations will be executed regardless of the options.
- - - - -
24f4f0a2 by Endi S. Dewata at 2020-12-09T20:40:33-06:00
Refactor PKISubsystem.init_database() (part 2)
The code that sets up database manager and VLV indexes
have been moved out of PKISubsystem.init_database().
- - - - -
6dbd65fa by dpuniaredhat at 2020-12-11T18:31:08+05:30
Bugzilla automation 1392616 kra key recovery cli generates .p12 file (#3409)
Signed-off-by: Deepak Punia <dpunia at redhat.com>
- - - - -
9eee5382 by Endi S. Dewata at 2020-12-14T12:04:55-06:00
Refactor NSSDatabase.addExtensions()
The NSSDatabase.addExtensions() has been modified to take
a temporary directory to store files containing the data
for the new extension being added.
- - - - -
e7a50c98 by Endi S. Dewata at 2020-12-14T12:04:55-06:00
Add support for OCSPNoCheckExtension in pki nss-cert
The NSSDatabase and NSSExtensionGenerator have been modified
to support OCSPNoCheckExtension such that pki nss-cert commands
can generate requests and certificates with this extension.
- - - - -
e00863f8 by Endi S. Dewata at 2020-12-14T12:04:55-06:00
Add support for ocspResponder extended key usage in pki nss-cert
- - - - -
e1bcc99f by Endi S. Dewata at 2020-12-14T12:04:55-06:00
Add --serial parameter for pki nss-cert-issue
The pki nss-cert-issue has been modified to provide an
optional parameter to specify a serial number for the
new certificate.
- - - - -
50a37f08 by Endi S. Dewata at 2020-12-14T12:04:55-06:00
Add cert extension configs for CA certs
- - - - -
4da75450 by Endi S. Dewata at 2020-12-14T12:04:55-06:00
Add test for installing CA with existing certs
- - - - -
94c82751 by Endi S. Dewata at 2020-12-14T13:29:43-06:00
Add PKISubsystem.configure_security_domain()
The code that configures the security domain parameters has
been moved into PKISubsystem.configure_security_domain().
- - - - -
c25b4380 by Endi S. Dewata at 2020-12-14T20:29:01-06:00
Fix SystemCertClient creation
The calls to SystemCertClient constructor have been modified
to provide the subsystem name. This is required to run the
healthcheck tool on a KRA installed separately from the CA.
- - - - -
592ad26b by Endi S. Dewata at 2020-12-14T20:29:01-06:00
Add test for installing KRA on separate instance
- - - - -
1d064b25 by Endi S. Dewata at 2020-12-16T08:54:13-06:00
Clean up CI tests
- - - - -
e1d79587 by Endi S. Dewata at 2020-12-16T08:55:41-06:00
Revert SystemCertClient changes
The commit c25b438024e4a0f3b6e91e359bd0aa34c25ea4e9 broke
IPA vault, so it has been reverted. The test for installing
KRA on a separate instance has been modified to disable the
healthcheck test.
- - - - -
0a7cb8d0 by Endi S. Dewata at 2020-12-17T09:46:39-06:00
Fix python3-pki dependency
The python3-pki package has been modified to depend on
python3-ldap since it is needed by pki Python module.
- - - - -
a82988e6 by Endi S. Dewata at 2020-12-17T10:16:43-06:00
Add log messages in MainCLI.loadPasswordConfig()
- - - - -
ac8f64a5 by Endi S. Dewata at 2020-12-17T10:53:04-06:00
Add log messages in PlainPasswordFile.init()
- - - - -
f6674677 by Christina Fu at 2020-12-21T15:40:02-05:00
Bug1664435-SCEP ChallengePassword Class not found
This patch, together with the fix for "Bug1908541 jss broke SCEP - missing PasswordChallenge class", addresses the issue where the class PasswordChallenge cannot be loaded due to Class Loader differences.
jss is installed in the common CL (/usr/share/pki/server/common/lib/jss4.jar)
the servlet classes are in webapp CL (/usr/share/pki/server/webapps/pki/WEB-INF/lib/pki-cms.jar)
In addition, this patch adds the upgrade sscript for the new path of ChallengePassword class which has been moved from pki into JSS.
fixes https://bugzilla.redhat.com/show_bug.cgi?id=1664435
- - - - -
27ddb1db by Endi S. Dewata at 2021-01-04T09:31:11-06:00
Fix log messages in MainCLI.loadPasswordConfig()
- - - - -
fd926efc by Endi S. Dewata at 2021-01-04T09:35:01-06:00
Replace sslserver variable in configuration.py
The variable that stores the SSL server cert info in configuration.py
has been replaced with a map that stores all system certs info.
- - - - -
f3070f31 by Endi S. Dewata at 2021-01-04T09:37:26-06:00
Refactor OCSPConfigurator.configureCloneRefresh()
The code that configures ocsp.store.defStore.refreshInSec param
in OCSPConfigurator.configureCloneRefresh() has been moved into
subsystem_layout.py.
- - - - -
14926872 by Endi S. Dewata at 2021-01-04T09:37:37-06:00
Refactor Configurator.getSubsystemCert()
The Configurator.getSubsystemCert() has been converted into
CASystemCertClient.getSubsystemCert().
- - - - -
fbe8be02 by Pritam Singh at 2021-01-04T13:13:45-05:00
Added_boolean_fix_for_fips_check
Signed-off-by: Pritam Singh <prisingh at redhat.com>
- - - - -
a400653b by Endi S. Dewata at 2021-01-04T13:04:43-06:00
Add pki nss-cert-show
The pki nss-cert-show has been added to display a cert in
NSS database.
- - - - -
35308631 by Endi S. Dewata at 2021-01-04T13:05:15-06:00
Add pki ca-cert-subsystem-show
The pki ca-cert-subsystem-show has been added to display the
subsystem cert in CA.
- - - - -
29bd3da1 by Endi S. Dewata at 2021-01-04T13:05:17-06:00
Add pki ca-cert-subsystem-export
The pki ca-cert-subsystem-show has been added to export the
subsystem cert in CA.
- - - - -
09a046a3 by Endi S. Dewata at 2021-01-04T13:24:21-06:00
Disable ipa-healtcheck test
The ipa-healthcheck has been failing due to this issue:
https://github.com/freeipa/freeipa-healthcheck/issues/163
The ipa-healthcheck test has temporarily been disabled to
allow other IPA tests to pass.
- - - - -
da0abd3d by Endi S. Dewata at 2021-01-04T13:24:53-06:00
Refactor Configurator.setupUser() (part 1)
The code that configures the groups for subsystem user in
Configurator.setupUser() has been moved into configuration.py.
- - - - -
3dbd56d4 by Endi S. Dewata at 2021-01-04T13:24:53-06:00
Refactor Configurator.setupUser() (part 2)
The code that configures the cert for subsystem user in
Configurator.setupUser() has been moved to configuration.py.
- - - - -
e0cd36af by Endi S. Dewata at 2021-01-04T13:24:53-06:00
Refactor Configurator.setupUser() (part 3)
The code that creates the subsystem user in
Configurator.setupUser() has been moved into configuration.py.
- - - - -
699b0bb7 by Endi S. Dewata at 2021-01-04T16:18:35-06:00
Clean up ipa-tests.yml
- - - - -
6f448d9a by Endi S. Dewata at 2021-01-05T11:29:00-06:00
Fix issuing CA configuration during installation
The configuration.py has been modified to store the issuing CA
parameters in all cases except when installing CA with external
certs and standalone KRA/OCSP. This is necessary to fix KRA
installation with external certs.
- - - - -
29d3423d by Endi S. Dewata at 2021-01-05T11:29:00-06:00
Add support for emailProtection extended key usage in pki nss-cert
- - - - -
cad7d4d5 by Endi S. Dewata at 2021-01-05T11:29:00-06:00
Add cert extension configs for KRA certs
- - - - -
5ccfa106 by Endi S. Dewata at 2021-01-05T11:29:00-06:00
Add test for installing KRA with external certs
- - - - -
7b461e5c by Endi S. Dewata at 2021-01-05T17:24:07-06:00
Add test for installing IPA clone
- - - - -
cebf2a70 by Endi S. Dewata at 2021-01-05T19:01:51-06:00
Fix preop.ca.pkcs7 for external and standalone installations
- - - - -
d1b91cc6 by Endi S. Dewata at 2021-01-06T19:38:08-05:00
Disable GPG check in CI
The GPG check has been disabled due to the following issue
during build dependency installation on F32:
Package libuv-1.40.0-1.fc32.x86_64.rpm is not signed
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'dnf clean packages'.
Error: GPG check FAILED
- - - - -
c3c1ea11 by Endi S. Dewata at 2021-01-06T21:01:37-06:00
Fix KRA/OCSP installation with external certs on HSM
Previously pkispawn did not update serverCertNick.conf during
KRA or OCSP installation with external certs or standalone
installation. If the SSL server cert was stored in HSM the file
would not have the token name so the installation would fail.
To fix the problem the deployment scriptlet has been modified
to store the SSL server cert nickname and token name in
serverCertNick.conf in all installation cases.
https://bugzilla.redhat.com/show_bug.cgi?id=1890639
- - - - -
41f5d031 by Alexander Scheel at 2021-01-07T15:35:10-05:00
Remove dependency on jakarta-commons-httpclient
This package has been deprecated in Fedora and isn't actually required
by our build system. Note that, while apache-commons-httpclient actually
provides the exception removed from PKIConnection. Note however, that
ConnectTimeoutException inherits from IOException and thus is redundant.
Signed-off-by: Alexander Scheel <ascheel at redhat.com>
- - - - -
c45a9407 by Endi S. Dewata at 2021-01-07T20:35:57-06:00
Clean up CA clone test
- - - - -
d9025c13 by Alexander Scheel at 2021-01-11T11:36:14-05:00
Update usage for CRMFPopClient -y option
Signed-off-by: Alexander Scheel <ascheel at redhat.com>
- - - - -
28a262c6 by Alexander Scheel at 2021-01-11T11:36:23-05:00
Fix usage for CMCResponse -d
Signed-off-by: Alexander Scheel <ascheel at redhat.com>
- - - - -
a2a5ec19 by Endi S. Dewata at 2021-01-11T11:32:19-06:00
Move KRAAdminServlet to pki-kra
- - - - -
27d9fc82 by Endi S. Dewata at 2021-01-11T11:32:19-06:00
Move OCSPAdminServlet to pki-ocsp
- - - - -
f5afb573 by Endi S. Dewata at 2021-01-11T11:32:19-06:00
Move get_cert_chain() into PKIDeployer
- - - - -
91f2aad1 by Endi S. Dewata at 2021-01-11T11:32:19-06:00
Move get_cert_id() into PKIDeployer
- - - - -
b4b6a17f by Endi S. Dewata at 2021-01-11T11:32:19-06:00
Move import_system_cert_request() into PKIDeployer
- - - - -
0949ae9f by Endi S. Dewata at 2021-01-11T11:32:19-06:00
Merge import_ca_signing_csr()
The import_ca_signing_csr() has been merged into
PKIDeployer.import_system_cert_request().
- - - - -
1ae81a84 by Endi S. Dewata at 2021-01-11T11:32:19-06:00
Move import_system_cert_requests() into PKIDeployer
- - - - -
f1bfe6b8 by Endi S. Dewata at 2021-01-11T11:32:19-06:00
Move import_ca_signing_cert() into PKIDeployer
- - - - -
93f20950 by Endi S. Dewata at 2021-01-11T11:32:19-06:00
Move import_system_cert() into PKIDeployer
- - - - -
fb2f0598 by Endi S. Dewata at 2021-01-11T11:32:19-06:00
Move import_admin_cert() into PKIDeployer
- - - - -
ce511ad8 by Endi S. Dewata at 2021-01-11T11:32:19-06:00
Move import_certs_and_keys() into PKIDeployer
- - - - -
3894a262 by Endi S. Dewata at 2021-01-11T11:32:19-06:00
Move import_cert_chain() into PKIDeployer
- - - - -
d8af0f2b by Endi S. Dewata at 2021-01-11T11:32:19-06:00
Move import_system_certs() into PKIDeployer
- - - - -
5149e9b5 by Endi S. Dewata at 2021-01-11T11:53:06-06:00
Move configure_system_cert() into PKIDeployer
- - - - -
6feb9b51 by Endi S. Dewata at 2021-01-11T15:22:13-06:00
Move configure_system_certs() into PKIDeployer
- - - - -
96134d74 by Endi S. Dewata at 2021-01-11T15:22:55-06:00
Move update_system_cert() into PKIDeployer
- - - - -
86651f2d by Endi S. Dewata at 2021-01-11T15:26:59-06:00
Move update_admin_cert() into PKIDeployer
- - - - -
4e4a4b01 by Endi S. Dewata at 2021-01-11T15:27:01-06:00
Move update_system_certs() into PKIDeployer
- - - - -
733eedc0 by Endi S. Dewata at 2021-01-11T15:30:22-06:00
Move validate_system_cert() into PKIDeployer
- - - - -
d25ef1e7 by Endi S. Dewata at 2021-01-11T15:50:59-06:00
Move validate_system_certs() into PKIDeployer
- - - - -
85652776 by dpuniaredhat at 2021-01-13T16:03:51+05:30
upstream qe pipeline fixes (#3429)
Pipeline fixed in this MR
1. topo-03-kra-bugzilla
2. installation_podman_acme-dp
Signed-off-by: Deepak Punia <dpunia at redhat.com>
- - - - -
b4f617c8 by Endi S. Dewata at 2021-01-13T10:20:40-06:00
Add HSM support for pki nss-cert-request
- - - - -
29e2f729 by Endi S. Dewata at 2021-01-13T10:20:40-06:00
Add HSM support for pki nss-cert-issue
- - - - -
fed017dd by Endi S. Dewata at 2021-01-13T10:20:40-06:00
Add HSM support for pki nss-cert-import
- - - - -
e4be93e1 by Endi S. Dewata at 2021-01-13T10:20:40-06:00
Add test for PKI NSS CLI with and without HSM
- - - - -
7a2de9b7 by Endi S. Dewata at 2021-01-13T12:53:49-06:00
Add test for installing OCSP with external certs
- - - - -
cd35b81c by Endi S. Dewata at 2021-01-13T12:54:29-06:00
Add test for installing ACME
- - - - -
ed1bbbde by Endi S. Dewata at 2021-01-13T12:55:02-06:00
Add test for installing KRA clone
- - - - -
130b5af4 by Endi S. Dewata at 2021-01-13T14:05:43-06:00
Remove unused SystemConfigClient
- - - - -
41784233 by Endi S. Dewata at 2021-01-13T14:05:43-06:00
Remove unused CertificateInfo.updateConfig()
- - - - -
75d89311 by Endi S. Dewata at 2021-01-13T14:05:43-06:00
Remove unused param in OCSPSigningUnit.init()
- - - - -
44b59dab by Endi S. Dewata at 2021-01-13T14:05:43-06:00
Remove unused SystemConfigResource
- - - - -
db3fca20 by Endi S. Dewata at 2021-01-13T16:46:05-06:00
Clean up CA clone test
- - - - -
5febfb6d by Endi S. Dewata at 2021-01-13T16:46:05-06:00
Clean up KRA clone test
- - - - -
f33259ae by Endi S. Dewata at 2021-01-13T16:48:40-06:00
Clean up IPA clone test
- - - - -
05057f7c by root at 2021-01-14T10:18:59-05:00
Modify PKI to use RSA-OAEP wrapping alg for RSA keys.
This first cut is a simple reworking any instances of
RSA wrapping in the code to use RSA-OAEP.
Code tested to work in software. Using an hsm, several
issues occur with respect to wrapping using AES sym keys
to wrap and unwrap RSA private keys.
This first attempt is to get the basic code out for review.
Subsequently, we can refine some of this code to allow things
to work better with the hardware hsm.
Make oeap configurable.
- - - - -
950bf76d by Alexander Scheel at 2021-01-14T10:40:36-05:00
Remove additional lines from CRMFPopClient usage
Resolves: rh-bz#1584550
Signed-off-by: Alexander Scheel <ascheel at redhat.com>
- - - - -
03981b0c by Chandan Pinjani at 2021-01-18T14:10:29+05:30
Added BZ Automation for 1590942 & 1584550 (#3431)
[skip-ci]
Signed-off-by: Chandan Pinjani <cpinjani at redhat.com>
Co-authored-by: Chandan Pinjani <cpinjani at redhat.com>
- - - - -
7985861c by Endi S. Dewata at 2021-01-19T11:23:35-06:00
Fix indentations in qe-tests.yml
- - - - -
c2c8f9bd by Endi S. Dewata at 2021-01-19T11:23:37-06:00
Update upload/download actions in qe-tests.yml
- - - - -
b1985fbe by Endi S. Dewata at 2021-01-20T09:38:48+10:00
Add persistent option for ACME nonces
Previously ACME nonces were stored in ACME database, which
could generate a lot of database traffic and might not work
well in clustered environment due to replication latency.
To address the performance issue, the ACME engine has been
modified to store the nonces in memory by default, and provide
an option to store the nonces in the database if necessary.
The replication latency issue should be addressed using other
mechanisms (e.g. using static base URL in ACME directory).
- - - - -
8fcc847f by Endi S. Dewata at 2021-01-19T18:12:01-06:00
Consolidate CI runner container build
The GitHub workflows have been modified to build the CI runner
container in the build job instead of test jobs.
- - - - -
dd3b5399 by gswami90 at 2021-01-20T13:18:47+05:30
Added test automation for BZ 1664435 (#3428)
Signed-off-by: Gaurav Swami <gswami at redhat.com>
- - - - -
ab8561c6 by Pritam Singh at 2021-01-20T17:44:23+05:30
Added_bz_1912493_automation (#3437)
[skip ci]
Signed-off-by: Pritam Singh <prisingh at redhat.com>
Co-authored-by: Pritam Singh <prisingh at redhat.com>
- - - - -
15b6771c by Endi S. Dewata at 2021-01-21T13:29:24-06:00
Add pki-server acme-deploy/undeploy --wait option
A new option has been added to pki-server acme-deploy/undeploy
commands to wait until ACME web application is actually
deployed/undeployed on the server. This option can be used to
prevent the subsequent command from executing before the ACME
deployment/undeployment is complete. The CI test has been updated
to use this option to improve its reliability.
- - - - -
35c19805 by =?UTF-8?q?Matou=C5=A1=20Bor=C3=A1k?= at 2021-01-21T15:49:58-08:00
SCEP: Add support for dynammically chosen profileId
Community contribution (two patches combined):
From: =?UTF-8?q?Matou=C5=A1=20Bor=C3=A1k?= <matous.borak at platanus.cz>
Date: Wed, 12 Aug 2020 15:57:31 +0200
Subject: [PATCH 1&2] Add support for dynamically chosen ProfileId in SCEP
This is implemented via a new URL, /ca/scep/PROFILE_ID/pkiclient.exe, that allows to dynamically choose the profile via the SCEP request URL.
This URL is mapped to the same CRSEnrollment servlet class as the "static" profile URL (/ca/cgi-bin/pkiclient.exe). The implementation tries not to collide with the original "static" version in any way but to only extend it.
In addition:
A SCEP client will be able to request a SCEP operation only for the allowed list of profiles, see the `ca.scep.allowedDynamicProfileIds` config item in CS.cfg.
Usage: http://dogtag.example.com:8080/ca/scep/<PROFILE_ID>/pkiclient.exe
ladycfu: original two patches from borama must be accompanied by supplemental
post-review patch (from cfu at redhat.com) that follows to address various issues.
Signed-off-by: Christina Fu <cfu at redhat.com>
- - - - -
a8472653 by Christina Fu at 2021-01-21T15:49:58-08:00
SCEP: suplemental patch for Add support of Dynamic profileId
This patch addresses issues revealed by review of previous community patches
in "SCEP: Add support for dynammically chosen profileId".
This patch must accompany the original patches, and as such it will be checked
in along with them.
Changes include:
- mainly, profiles intended for manual approval by agents will now function as
expected.
- caServerCert is removed from default setting for allowedDynamicProfileIds
- misc code style update
- - - - -
0afd0b5f by Endi S. Dewata at 2021-01-22T10:08:47-06:00
Add ACME test using certbot
The ACME test has been modified to perform certificate enrollment,
certificate revocation, and account management using certbot.
- - - - -
b1ec8540 by Endi S. Dewata at 2021-01-25T08:58:55-06:00
Move Instance.wait_for_startup() to PKISubsystem
- - - - -
4dc01883 by Endi S. Dewata at 2021-01-25T10:24:22-06:00
Refactor PKIDeployer.finalize_subsystem()
Some of the code that finalizes subsystem configuration has been
moved from configuration.py to PKIDeployer.finalize_subsystem().
- - - - -
788aca27 by Endi S. Dewata at 2021-01-25T10:24:22-06:00
Remove unused ConfigClient.security_domain_type
- - - - -
0429747f by Endi S. Dewata at 2021-01-25T10:24:22-06:00
Add KRAConnectorInfo.hashCode() and equals()
- - - - -
9aab73f1 by Endi S. Dewata at 2021-01-25T10:24:22-06:00
Add XML converters for KRAConnectorInfo
- - - - -
48531a59 by Endi S. Dewata at 2021-01-25T11:14:08-06:00
Clean up IPA test
The code that installs and uninstalls IPA server has been
moved from ipa-test.sh to ipa-tests.yml.
- - - - -
610135eb by Endi S. Dewata at 2021-01-25T13:28:19-06:00
Fix security domain tools
The pki-server sd-* commands have been moved into
pki-server <ca/kra/ocsp>-* such that it can be used to
create the security domain properly in CA, KRA, and OCSP.
- - - - -
d6676bf7 by Endi S. Dewata at 2021-01-25T13:28:19-06:00
Fix PKIDeployer.setup_admin()
The PKIDeployer.setup_admin() has been modified to use
the proper admin groups for CA, KRA, and OCSP.
- - - - -
325eea1f by Endi S. Dewata at 2021-01-25T13:28:19-06:00
Add test for standalone KRA
- - - - -
82705993 by Endi S. Dewata at 2021-01-25T13:28:19-06:00
Add test for standalone OCSP
- - - - -
45c5e1f4 by Endi S. Dewata at 2021-01-25T16:40:25-06:00
Add CAClient.addKRAConnector()
The code that creates the KRA connector in CA has been
moved from KRAConfigurator.configureKRAConnector() to
CAClient.addKRAConnector().
- - - - -
621137ab by Endi S. Dewata at 2021-01-25T16:56:05-06:00
Update pki ca-kraconnector-add
The pki ca-kraconnector-add has been modified to provide
a mechanism to call CAClient.addKRAConnector().
- - - - -
c24c5484 by Endi S. Dewata at 2021-01-25T16:56:05-06:00
Add PKIDeployer.add_kra_connector()
The remaining code that creates the KRA in CA has been
converted from KRAConfigurator.configureKRAConnector()
into PKIDeployer.add_kra_connector().
- - - - -
28db4983 by Endi S. Dewata at 2021-01-25T19:49:26-06:00
Add CAClient.addOCSPPublisher()
Some of the code that creates the OCSP publisher in CA has
been moved from OCSPConfigurator.updateOCSPConfiguration()
to CAClient.addOCSPPublisher().
- - - - -
684d643f by Endi S. Dewata at 2021-01-25T20:18:59-06:00
Add pki ca-publisher-ocsp-add
The pki ca-publisher-ocsp-add has been added to provide
a CLI for CAClient.addOCSPPublisher().
- - - - -
3b8a63aa by Endi S. Dewata at 2021-01-25T20:18:59-06:00
Add PKIDeployer.add_ocsp_publisher()
The remaining code that creates the OCSP publisher in CA has
been converted from OCSPConfigurator.updateOCSPConfiguration()
into PKIDeployer.add_ocsp_publisher().
- - - - -
11c28798 by Endi S. Dewata at 2021-01-26T09:38:26-06:00
Move key backup operation
The PKIDeployer.backup_keys() invocation has been moved
from configuration.py to finalization.py.
- - - - -
8a444da0 by Endi S. Dewata at 2021-01-26T11:10:13-06:00
Refactor IOCSPStore.validate()
The IOCSPStore.validate() has been modified to take an
IOCSPAuthority parameter.
- - - - -
8be9037f by Endi S. Dewata at 2021-01-26T11:10:13-06:00
Refactor IOCSPStore.init()
The IOCSPStore.init() has been modified to drop the
IOCSPAuthrotity parameter.
- - - - -
162aef5c by Endi S. Dewata at 2021-01-26T11:10:13-06:00
Move IOCSPAuthority.getOCSPStore() to OCSPAuthority
- - - - -
67f470e8 by Endi S. Dewata at 2021-01-26T11:10:13-06:00
Move IOCSPAuthority.getDefStore() to OCSPAuthority
- - - - -
9a2faebe by Endi S. Dewata at 2021-01-26T11:10:13-06:00
Move LDAPStore to pki-ocsp
- - - - -
e8c03476 by Endi S. Dewata at 2021-01-26T11:10:13-06:00
Move DefStore to pki-ocsp
- - - - -
4d7aad46 by Endi S. Dewata at 2021-01-26T11:10:13-06:00
Move IDefStore to pki-ocsp
- - - - -
5dd68016 by Endi S. Dewata at 2021-01-26T11:10:13-06:00
Move IOCSPStore to pki-ocsp
- - - - -
9547a392 by Endi S. Dewata at 2021-01-26T11:10:13-06:00
Move OCSPPresence to pki-ocsp
- - - - -
1c6f9cda by Endi S. Dewata at 2021-01-26T11:10:13-06:00
Move OCSPValidity to pki-ocsp
- - - - -
3bf3fccf by Endi S. Dewata at 2021-01-26T14:57:01-06:00
Fix profile auth in PKIIssuer.issueCertificate()
In commit 1b6b426ad4724e2f9595340027482a0a36fc3655 the
PKIClient.login() was removed from PKIIssuer.issueCertificate()
and that caused enrollments with a profile that requires
authentication to fail.
To fix the problem the PKIClient.login() has been restored.
https://bugzilla.redhat.com/show_bug.cgi?id=1919282
- - - - -
882e81f2 by Endi S. Dewata at 2021-01-26T14:57:01-06:00
Add ACME tests for IPA
The IPA test has been modified to perform ACME tests
using certbot.
- - - - -
3ce1d7e3 by Endi S. Dewata at 2021-01-26T14:59:42-06:00
Fix exception handling in EnrollProfile.createEnrollmentRequest()
- - - - -
b03a460c by Endi S. Dewata at 2021-01-26T14:59:42-06:00
Replace CMSEngine.reinit()
The CMSEngine.reinit() has been replaced with a direct call
to ISubsystem.init().
- - - - -
1f23b0f7 by Endi S. Dewata at 2021-01-28T18:40:21-06:00
Add test for installing TKS clone
- - - - -
537fb8ed by Endi S. Dewata at 2021-01-29T17:46:16-06:00
Fix clone of clone installation
In commit e0b249636e2ea24d3d0633e65bf1d6e0a3dbd35f the
CMSEngine.configurePorts() invocation was moved later
during server startup process. It's not clear how, but
apparently the cert number range assignment depends on
this code so it failed when installing a clone of an
existing clone.
To fix the problem the invocation has been moved back
into its original position.
Resolves: https://github.com/dogtagpki/pki/issues/3330
- - - - -
4498b6b7 by Endi S. Dewata at 2021-01-29T17:46:16-06:00
Add test for installing CA clone of clone
- - - - -
26508cba by Endi S. Dewata at 2021-01-29T17:46:16-06:00
Add test for installing KRA clone of clone
- - - - -
b05ce69b by Endi S. Dewata at 2021-01-29T19:36:21-06:00
Clean up CA test
- - - - -
c1639c9c by Endi S. Dewata at 2021-01-29T19:36:21-06:00
Clean up KRA test
- - - - -
e29cf869 by Endi S. Dewata at 2021-02-01T11:46:02-06:00
Add ACME base URL parameter
By default the ACME directory will return ACME service URLs
with the same hostname that the client uses to access the
directory. If the hostname is load-balanced, the client might
get redirected to different servers, which could trigger other
issues.
A new parameter has been added into engine.conf to override
the base URL of ACME services. This mechanism can be used to
pin the client to the current server.
- - - - -
cf686780 by Endi S. Dewata at 2021-02-01T11:46:02-06:00
Add ACME server switchover test
- - - - -
889169c3 by Endi S. Dewata at 2021-02-01T16:16:26-06:00
Fixed error handling during replica setup
Originally the LDAPConfigurator.createReplicaObject() would
return true if it managed to add a new replica object. If the
object already existed, it would only add the new replica bind
DN and return false. If an error happened it would get ignored
and the method would return false as well.
In 4abfdc77508545fb90ef127fbbf373ae1609d705 the behavior of
accidentally got changed return true if the replica object
already exists and this caused OCSP and TKS clone of clone
installation to fail.
To fix the problem the behavior has been reverted except that
now any error will be reported as an exception.
https://bugzilla.redhat.com/show_bug.cgi?id=1912418
- - - - -
505fbd92 by Endi S. Dewata at 2021-02-01T16:16:26-06:00
Add test for installing OCSP clone
- - - - -
8bfb53f3 by Endi S. Dewata at 2021-02-01T16:16:26-06:00
Add test for installing OCSP clone of clone
- - - - -
15dff4e9 by Endi S. Dewata at 2021-02-01T16:16:26-06:00
Add test for installing TKS clone of clone
- - - - -
05b79de3 by Endi S. Dewata at 2021-02-01T17:37:53-06:00
Add PKIDeployer.setup_system_certs()
The code that sets up the system certificates has been
moved into PKIDeployer.setup_system_certs().
- - - - -
37e738dd by Endi S. Dewata at 2021-02-01T17:37:57-06:00
Add PKIDeployer.setup_subsystem_user()
The code that sets up the subsystem user has been moved
into PKIDeployer.setup_subsystem_user().
- - - - -
3f6264d7 by Endi S. Dewata at 2021-02-01T17:37:57-06:00
Refactor PKIDeployer.sd_connect()
The PKIDeployer.sd_connect() has been modified to use
the security domain URL parameter from the deployment
configuration.
- - - - -
661a055d by Endi S. Dewata at 2021-02-01T17:37:57-06:00
Refactor PKIDeployer.join_domain()
The PKIDeployer.join_domain() has been renamed to
join_security_domain() and modified to use the security
domain URL parameter from the deployment configuration.
- - - - -
aedf9384 by Endi S. Dewata at 2021-02-01T17:37:57-06:00
Refactor PKISubsystem.join_security_domain()
The PKISubsystem.join_security_domain() has been modified
to take a security domain URL parameter.
- - - - -
6b56f40a by Endi S. Dewata at 2021-02-01T17:40:49-06:00
Update CA clone doc
- - - - -
c294425a by Endi S. Dewata at 2021-02-01T17:40:49-06:00
Update KRA clone doc
- - - - -
5abeb0ef by Endi S. Dewata at 2021-02-02T10:20:12-06:00
Rename pki ca-kraconnector-add --session-file option
- - - - -
7faa7347 by Endi S. Dewata at 2021-02-02T10:20:21-06:00
Rename pki ca-publisher-ocsp-add --session-file option
- - - - -
0d3b8855 by Endi S. Dewata at 2021-02-02T10:20:30-06:00
Add pki <subsystem>-range-request --install-token option
- - - - -
f216c59c by Endi S. Dewata at 2021-02-02T10:20:37-06:00
Add pki <subsystem>-config-export --install-token option
- - - - -
b16f7efd by Endi S. Dewata at 2021-02-02T10:20:43-06:00
Add pki securitydomain-join --install-token option
- - - - -
c744c5f5 by Rob Crittenden at 2021-02-04T09:07:42-05:00
Fix missing options in PKI healthcheck
As reported by Pritam Singh in rh-bz#1922257, several options in
pki-healthcheck were missing. This was due to a recent change in
freeipa-healthcheck's core, making these arguments optional. Fix
provided by Rob Crittenden via mail.
See also: https://github.com/freeipa/freeipa-healthcheck/issues/144
Resolves: rh-bz#1922257
Signed-off-by: Alexander Scheel <ascheel at redhat.com>
- - - - -
33b06e95 by Endi S. Dewata at 2021-02-04T11:33:52-06:00
Fix calculation in test_cert_enrollment.py
The test_cert_enrollment.py has been modified to use float
instead of int when calculating the elapsed time for better
accuracy.
- - - - -
544859b5 by Endi S. Dewata at 2021-02-04T11:33:52-06:00
Add default values for test_cert_enrollment.py parameters
Some parameters for test_cert_enrollment.py have been modified
to provide a default value to make it easier to use.
- - - - -
6f778fb9 by Endi S. Dewata at 2021-02-04T11:33:52-06:00
Update log messages in test_cert_enrollment.py
The test_cert_enrollment.py has been modified to provide
a --verbose and a --debug options to show the test progress
and some debugging information.
- - - - -
ea910e89 by Endi S. Dewata at 2021-02-04T11:33:52-06:00
Fix calculation in test_acme_cert_enrollment.py
The test_acme_cert_enrollment.py has been modified to use
float instead of int when calculating the elapsed time for
better accuracy.
- - - - -
c6a34a9e by Endi S. Dewata at 2021-02-04T11:33:52-06:00
Add default values for test_acme_cert_enrollment.py parameters
The parameters for test_acme_cert_enrollment.py have been
modified to provide a default value to make it easier to use.
- - - - -
76ac8fdf by Endi S. Dewata at 2021-02-04T11:33:52-06:00
Update log messages in test_acme_cert_enrollment.py
The test_acme_cert_enrollment.py has been modified to provide
a --verbose and a --debug options to show the test progress and
some debugging information.
- - - - -
eedf3b01 by Endi S. Dewata at 2021-02-04T11:33:52-06:00
Add performance tests scripts into pki-tests
- - - - -
a3f8963b by Endi S. Dewata at 2021-02-04T11:33:52-06:00
Add doc for CA performance test
- - - - -
f26ac448 by Endi S. Dewata at 2021-02-04T11:33:52-06:00
Add doc for ACME performance test
- - - - -
356fbc54 by Endi S. Dewata at 2021-02-04T12:18:34-06:00
Add CLI.deprecated field
The CLI.deprecated field has been added for deprecating
CLI commands.
- - - - -
1c8bb363 by Endi S. Dewata at 2021-02-04T12:18:36-06:00
Refactor Configurator.registerUser()
Some of the code in Configurator.registerUser() has been moved
to the caller.
- - - - -
fa9ff7e8 by Endi S. Dewata at 2021-02-04T15:37:10-06:00
Move Configurator.registerUser() to SubsystemClient
- - - - -
500f913f by Endi S. Dewata at 2021-02-04T15:37:10-06:00
Refactor TPSConfigurator.configureCAConnector()
The TPSConfigurator.configureCAConnector() has been converted
into Python in configuration.py.
- - - - -
dafa0f08 by Endi S. Dewata at 2021-02-04T15:37:10-06:00
Refactor TPSConfigurator.configureTKSConnector()
The TPSConfigurator.configureTKSConnector() has been converted
into Python in configuration.py.
- - - - -
54e9610f by Endi S. Dewata at 2021-02-04T15:37:10-06:00
Refactor TPSConfigurator.configureKRAConnector()
The TPSConfigurator.configureKRAConnector() has been converted
into Python in configuration.py.
- - - - -
13f9757a by Endi S. Dewata at 2021-02-04T15:37:10-06:00
Remove unused TPSInstaller
- - - - -
94332c72 by Endi S. Dewata at 2021-02-04T15:37:10-06:00
Refactor TPSConfigurator.exportTransportCert()
Some of the code in TPSConfigurator.exportTransportCert()
has been moved to the caller.
- - - - -
33ee01a3 by Endi S. Dewata at 2021-02-04T15:37:10-06:00
Move TPSConfigurator.exportTransportCert() to TKSClient
- - - - -
f699f704 by Endi S. Dewata at 2021-02-04T17:24:48-06:00
Fix TPS clone installation
The TPS clone installation has been fixed by adding
the GetConfigEntries servlet into TPS's web.xml.
Resolves: https://github.com/dogtagpki/pki/issues/1841
- - - - -
23c3d215 by Endi S. Dewata at 2021-02-04T17:24:48-06:00
Add test for installing TPS clone
- - - - -
4b7eacd3 by Endi S. Dewata at 2021-02-08T12:48:55-06:00
Fix PKIClient usage in PKIIssuer
The PKIIssuer has been modified to close PKIClient objects
explicitly using try-with-resources to avoid excessive open
connections.
https://bugzilla.redhat.com/show_bug.cgi?id=1916686
- - - - -
4778bc80 by Endi S. Dewata at 2021-02-08T12:48:55-06:00
Add SessionAuthentication for acmeServerCert
The acmeServerCert profile has been modified to use
SessionAuthentication instead of manual agent approval
to improve ACME cert enrollment performance.
https://bugzilla.redhat.com/show_bug.cgi?id=1916686
- - - - -
e6f04b3c by Endi S. Dewata at 2021-02-08T12:48:55-06:00
Add ACME indexes for DS
Currently ACME indexes are defined in the CA's index.ldif so
when the CA is created the ACME indexes will be created as
well in the same DS backend. However, if later the ACME is
installed on a different DS backend, the ACME indexes need to
be created in that backend instead.
To simplify the installation process a new index.ldif has been
added to define the ACME indexes for DS. A new indextask.ldif
has been added as well to reindex an existing database.
In the future the ACME indexes may be removed from the CA's
index.ldif.
https://bugzilla.redhat.com/show_bug.cgi?id=1916686
- - - - -
a3234cdd by Alexander Scheel at 2021-02-08T14:23:54-05:00
Add RSA-OAEP support to SecurityDataProcessor
org.mozilla.jss.netscape.security.util.WrappingParams in JSS has an
shortcoming that it believes all RSA is RSA-PKCS1v1.5 and additionally,
that anything that isn't a EC key is RSA. :-)
Read the value of keyWrap.useOAEP to determine whether to override the
secret key wrapping algorithm with OAEP, prior to using and storing the
wrapping parameters.
Signed-off-by: Alexander Scheel <ascheel at redhat.com>
- - - - -
f63a88b4 by Alexander Scheel at 2021-02-08T14:23:54-05:00
Make CryptoUtil respect FIPS Status
Signed-off-by: Alexander Scheel <ascheel at redhat.com>
- - - - -
4ee16689 by Alexander Scheel at 2021-02-08T14:23:54-05:00
Add OAEP support to pki client-cert-request
Signed-off-by: Alexander Scheel <ascheel at redhat.com>
- - - - -
d3db4209 by Endi S. Dewata at 2021-02-08T17:54:49-06:00
Remove TPSConfigurator.getTransportCert()
The TPSConfigurator.getTransportCert() has been replaced
with KRASystemCertClient.getTransportCert().
- - - - -
7d02b510 by Endi S. Dewata at 2021-02-08T18:11:26-06:00
Add pki tks-cert-transport-import
The pki tks-cert-transport-import has been added to wrap
TKSClient.importTransportCert().
- - - - -
8fffc1b1 by Endi S. Dewata at 2021-02-08T18:11:26-06:00
Add PKIDeployer.get_kra_transport_cert()
The PKIDeployer.get_kra_transport_cert() has been added
to wrap pki kra-cert-transport-export.
- - - - -
8047e3b4 by Endi S. Dewata at 2021-02-08T18:14:56-06:00
Add PKIDeployer.set_tks_transport_cert()
The PKIDeployer.set_tks_transport_cert() has been added to
wrap pki tks-cert-transport-import.
- - - - -
e3b33ba4 by Endi S. Dewata at 2021-02-08T18:14:56-06:00
Refactor TKS transport cert configuration
The code that configures the TKS transport cert has been
moved into PKIDeployer.finalize_subsystem().
- - - - -
c3edb455 by Endi S. Dewata at 2021-02-08T18:19:03-06:00
Refactor pki <subsystem>-user-add
The pki <subsystem>-user-add has been modified to support
calling SubsystemClient.addUser() during installation.
- - - - -
7c95db42 by Endi S. Dewata at 2021-02-08T18:20:26-06:00
Add PKIDeployer.add_subsystem_user()
The PKIDeployer.add_subsystem_user() has been added to
wrap pki <subsystem>-user-add.
- - - - -
f8bb2a1d by Endi S. Dewata at 2021-02-08T18:20:26-06:00
Refactor TPS registration
The code that creates the CA, KRA, and TKS connectors during
TPS installation has been moved into PKIDeployer.
- - - - -
5c33b083 by Endi S. Dewata at 2021-02-08T18:20:26-06:00
Remove unused Configurator.getSubsystemCert()
- - - - -
6dd8a49e by Endi S. Dewata at 2021-02-09T09:50:33-06:00
Refactor PKIDeployer.setup_admin()
The PKIDeployer.setup_admin() has been split into
get_admin_cert() and setup_admin_user().
- - - - -
9899e298 by Endi S. Dewata at 2021-02-09T09:50:38-06:00
Refactor pki_import_admin_cert setup
- - - - -
23eff335 by Endi S. Dewata at 2021-02-09T11:17:30-06:00
Add PKIDeployer.load_admin_cert()
The code in ConfigClient.set_admin_parameters() that loads the
admin cert has been moved to PKIDeployer.load_admin_cert().
- - - - -
731e3b37 by Endi S. Dewata at 2021-02-09T11:17:30-06:00
Add PKIDeployer.create_admin_cert()
The code in ConfigClient.set_admin_parameters() that creates
the admin cert has been moved to PKIDeployer.create_admin_cert().
- - - - -
64184418 by Endi S. Dewata at 2021-02-09T11:17:30-06:00
Remove redundant AdminSetupRequest.importAdminCert
The AdminSetupRequest.importAdminCert will no longer have
a value 'true' anymore, so the code that depends on it has
been removed.
- - - - -
25798ad7 by Endi S. Dewata at 2021-02-09T11:17:30-06:00
Remove unused fields in AdminSetupRequest
- - - - -
88d1837a by Endi S. Dewata at 2021-02-09T14:08:56-06:00
Refactor Configurator.createRemoteAdminCert()
Some of the code in Configurator.createRemoteAdminCert()
has been moved to the caller.
- - - - -
2d52e542 by Endi S. Dewata at 2021-02-09T14:08:56-06:00
Move Configurator.createRemoteAdminCert() to CACertClient
- - - - -
1a47986d by Endi S. Dewata at 2021-02-09T14:08:56-06:00
Update pki ca-cert-request-submit
The pki ca-cert-request-submit has been added to wrap
CACertClient.submitRequest().
- - - - -
7030bea1 by Endi S. Dewata at 2021-02-09T14:08:56-06:00
Add PKIDeployer.create_admin_csr()
The code that generates the admin CSR has been moved
to PKIDeployer.create_admin_csr().
- - - - -
e9842803 by Endi S. Dewata at 2021-02-09T15:33:43-06:00
Add PKIDeployer.request_admin_cert()
The code that requests the admin cert from the CA has been
moved to PKIDeployer.request_admin_cert().
- - - - -
7499f968 by Endi S. Dewata at 2021-02-10T16:09:57-06:00
Remove unused IDBSSession.getDBSubsystem()
- - - - -
df58faeb by Endi S. Dewata at 2021-02-10T17:49:21-06:00
Refactor DBSubsystem.init()
The DBSubsystem.init() has been modified to take a
DatabaseConfig, a PKISocketConfig, and an IPasswordStore.
- - - - -
f7bbbb8c by Endi S. Dewata at 2021-02-10T17:50:36-06:00
Refactor IOCSPStore.init()
The IOCSPStore.init() has been modified to take a DBSubsystem
parameter.
- - - - -
8feaa991 by Endi S. Dewata at 2021-02-10T17:56:02-06:00
Move IOCSPStore.validate() to OCSPAuthority
- - - - -
918987c7 by Endi S. Dewata at 2021-02-10T17:56:02-06:00
Refactor CAConfigurator.createLocalCert()
Some of the code in CAConfigurator.createLocalCert() has
been moved to the caller.
- - - - -
82b0f76d by Endi S. Dewata at 2021-02-10T18:02:45-06:00
Replace CAConfigurator.createLocalAdminCert()
The CAConfigurator.createLocalAdminCert() has been replaced
with CAConfigurator.createLocalCert().
- - - - -
e730e179 by Endi S. Dewata at 2021-02-10T18:02:48-06:00
Refactor Configurator.loadCert()
Some of the code in Configurator.loadCert() has been moved
to the caller.
- - - - -
024eeeba by Endi S. Dewata at 2021-02-10T18:02:48-06:00
Replace CertUtils.createRemoteCert()
The CertUtils.createRemoteCert() has been replaced with
CACertClient.submitRequest().
- - - - -
57651ca3 by Endi S. Dewata at 2021-02-11T09:26:22-06:00
Add CLIModule
The CLIModule has been added to store the CLI class name
such that the CLI object can be created only when needed.
- - - - -
df4734d7 by Endi S. Dewata at 2021-02-11T09:26:24-06:00
Move pki-server ca classes to pki-ca
- - - - -
9ebcf321 by Endi S. Dewata at 2021-02-11T09:26:26-06:00
Move pki-server kra classes to pki-kra
- - - - -
092760ef by Endi S. Dewata at 2021-02-11T09:26:29-06:00
Move pki-server ocsp classes to pki-ocsp
- - - - -
1e2f0605 by Endi S. Dewata at 2021-02-11T09:26:30-06:00
Move pki-server tks classes to pki-tks
- - - - -
4cc7b9f6 by Endi S. Dewata at 2021-02-11T09:26:47-06:00
Move pki-server tps classes to pki-tps
- - - - -
e4311673 by Alexander Scheel at 2021-02-11T12:43:03-05:00
Only depend on pki-servlet-engine in real RHEL
Signed-off-by: Alexander Scheel <ascheel at redhat.com>
- - - - -
6450d3de by Endi S. Dewata at 2021-02-11T17:28:44-06:00
Exclude node_modules from Eclipse project
- - - - -
d92efa39 by Endi S. Dewata at 2021-02-11T19:29:47-06:00
Add OCSPCRLIssuingPointFindCLI
The OCSPCRLIssuingPointFindCLI has been added to list
the CRL issuing points in OCSP.
- - - - -
0c3f7e05 by Endi S. Dewata at 2021-02-11T19:29:47-06:00
Add pki-server ocsp-crl-issuingpoint-find
The pki-server ocsp-crl-issuingpoint-find has been added
to wrap OCSPCRLIssuingPointFindCLI.
- - - - -
eb166fee by Endi S. Dewata at 2021-02-11T19:29:47-06:00
Clean up tools tests
- - - - -
1add419d by Endi S. Dewata at 2021-02-16T09:25:42-06:00
Fix exception message in PKIServer.webapp_undeploy()
- - - - -
6ac853db by Endi S. Dewata at 2021-02-16T10:56:57-06:00
Add pki <subsystem>-deploy/undeploy
The ACMEDeployCLI and ACMEUndeployCLI have been converted
into generic SubsystemDeployCLI and SubsystemUndeployCLI
that can be used by all subsystems.
- - - - -
79280447 by Endi S. Dewata at 2021-02-16T10:56:57-06:00
Add --wait option for pki-server webapp-deploy/undeploy
The pki-server webapp-deploy/undeploy commands have been
modified to provide an option to wait until the process
is fully completed.
- - - - -
a2e57fd9 by Endi S. Dewata at 2021-02-16T10:56:57-06:00
Add --wait option for pki-server start/stop/restart
The pki-server start/stop/restart commands have been
modified to provide an option to wait until the process
is fully completed.
- - - - -
753ae78f by Endi S. Dewata at 2021-02-17T08:50:41-06:00
Add OCSPCRLIssuingPointAddCLI
The code that creates a CRL issuing point in
OCSPConfigurator.finalizeConfiguration() has been
converted into OCSPCRLIssuingPointAddCLI.
- - - - -
360dc97b by Endi S. Dewata at 2021-02-17T08:50:41-06:00
Add pki-server ocsp-crl-issuingpoint-add
The pki-server ocsp-crl-issuingpoint-add has been added
to call OCSPSubsystem.add_crl_issuing_point() which wraps
OCSPCRLIssuingPointAddCLI.
- - - - -
6e868102 by Endi S. Dewata at 2021-02-17T08:50:41-06:00
Refactor OCSP CRL issuing point creation
The code that creates the CRL issuing point in
OCSPConfigurator.finalizeConfiguration() has been
replaced with OCSPSubsystem.add_crl_issuing_point().
- - - - -
d88c48fe by Matouš Borák at 2021-02-17T10:12:14-08:00
Add the GetCACaps operation handling to the SCEP servlet
- - - - -
16e4cad4 by Christina Fu at 2021-02-17T10:12:14-08:00
SCEP - supplemental patch for Add the GetCACaps operation handling to the SCEP servlet
This is a supplemental patch for the previous community-contributed patch from borama:
Add the GetCACaps operation handling to the SCEP servlet
It can be used like the following:
curl http://<host>/ca/cgi-bin/pkiclient.exe?operation=GetCACaps
It removes the claim for support of "POST" request until the patch for
that is approved for check in.
- - - - -
6abb56f3 by Endi S. Dewata at 2021-02-17T12:58:13-06:00
Add test for tpsclient
The TPS test has been modified to verify token format and
token enrollment operations using tpsclient.
- - - - -
8a78fa07 by Endi S. Dewata at 2021-02-17T13:57:23-06:00
Add --no-ntp in IPA tests
NTP is not necessary for testing IPA in containers
so it has been disabled.
- - - - -
137d7728 by Endi S. Dewata at 2021-02-17T18:04:45-06:00
Remove unused base/tps-client/setup
- - - - -
4013f6f7 by Endi S. Dewata at 2021-02-17T18:04:45-06:00
Remove unused base/tps-client/etc
- - - - -
23f507ab by Endi S. Dewata at 2021-02-17T18:04:45-06:00
Remove unused base/tps-client/apache
- - - - -
eb5479a5 by Endi S. Dewata at 2021-02-17T18:04:45-06:00
Remove unused base/tps-client/ui
- - - - -
d72b17dd by Endi S. Dewata at 2021-02-17T18:04:45-06:00
Remove unused base/tps-client/stubs
- - - - -
de17f693 by Endi S. Dewata at 2021-02-17T18:04:45-06:00
Remove unused base/tps-client/applets
- - - - -
4a71173d by Endi S. Dewata at 2021-02-17T18:04:45-06:00
Remove unused base/tps-client/doc
- - - - -
3f9fc7b9 by Endi S. Dewata at 2021-02-17T18:22:37-06:00
Remove unused SystemConfigService.finalizeConfiguration()
- - - - -
e20ae778 by Endi S. Dewata at 2021-02-17T18:22:37-06:00
Remove unused FinalizeConfigRequest
- - - - -
b0831d2e by Endi S. Dewata at 2021-02-17T18:26:10-06:00
Remove unused ConfigClient.set_tps_parameters()
- - - - -
1e3f2cd1 by dependabot[bot] at 2021-02-22T11:28:04-06:00
Bump jackson-databind from 2.10.1 to 2.10.5.1
Bumps [jackson-databind](https://github.com/FasterXML/jackson) from 2.10.1 to 2.10.5.1.
- [Release notes](https://github.com/FasterXML/jackson/releases)
- [Commits](https://github.com/FasterXML/jackson/commits)
Signed-off-by: dependabot[bot] <support at github.com>
- - - - -
c35bb9b5 by Endi S. Dewata at 2021-02-22T11:44:01-06:00
Update doc for installing PostgreSQL JDBC driver
- - - - -
95cfaa8d by Christina Fu at 2021-02-22T10:50:49-08:00
userOAEP erronously enabled in ServerKeygenUserKeyDefault.java
This patch fixes an error in ServerKeygenUserKeyDefault.java where
userOAEP is erronously enabled regardless of the CS.cfg config setting
for keyWrap.useOAEP
- - - - -
48778b2f by jmagne at 2021-02-22T13:44:20-08:00
pkispawn fails against 389-ds 1.4.3.19 #3458 (#3465)
Add suggested patch from stanislavlevin to solve this issue.
Also add f34 to the ipa tests,this time really add the tests.
Upon further review, back out of f34 tests until the infractructure
supports it.
Also hardcode tomcat app setting in spec file for the moment to
avoid possible glitches on certain platform.
Co-authored-by: Jack Magne <jmagne at localhost.localdomain>
- - - - -
dd0f7171 by Endi S. Dewata at 2021-02-24T09:18:48-06:00
Refactor Configurator.createRemoteCert()
The Configurator.createRemoteCert() has been modified to take
an install token instead of session ID.
- - - - -
14219af5 by Endi S. Dewata at 2021-02-24T09:18:54-06:00
Refactor Configurator.createCert()
The Configurator.createCert() has been modified to take a clone
flag, a master URL, and an install token instead of the request
object.
- - - - -
b91e6547 by Endi S. Dewata at 2021-02-24T09:18:54-06:00
Refactor Configurator.processCert()
The Configurator.processCert() has been modified to take a
subsystem type, a cert tag, a profile ID, and DNS names.
- - - - -
71e9fbb9 by Endi S. Dewata at 2021-02-24T10:39:11-06:00
Add Configurator.trustCert()
The code that configures the system cert trust flags has been
moved into Configurator.trustCert().
- - - - -
16c766cf by Endi S. Dewata at 2021-02-24T10:39:18-06:00
Add Configurator.setupNewCert()
The code that creates a new system cert has been moved into
Configurator.setupNewCert().
- - - - -
6a63aca3 by Endi S. Dewata at 2021-02-24T10:39:39-06:00
Add Configurator.setupExistingCert()
The code that imports an existing system cert has been moved
into Configurator.setupExistingCert().
- - - - -
f8065af2 by Endi S. Dewata at 2021-02-25T10:40:34-06:00
Refactor Configurator.createECCKeyPair()
The Configurator.createECCKeyPair() has been modified to take
an EC type parameter.
- - - - -
c154da5d by Endi S. Dewata at 2021-02-25T11:30:30-06:00
Refactor Configurator.createKeyPair()
The Configurator.createKeyPair() has been merged into setupCert().
- - - - -
e5cb1427 by Endi S. Dewata at 2021-02-25T11:30:33-06:00
Refactor Configurator.createCertRequest()
The Configurator.createCertRequest() has been modified to take
DN, algorithm, extension OID, extension data, and extension
critical parameters.
- - - - -
5476881a by Endi S. Dewata at 2021-02-25T11:30:33-06:00
Refactor Configurator.setupNewCert()
The Configurator.setupNewCert() has been modified to take
DN, algorithm, extension OID, extension data, and extension
critical parameters.
- - - - -
e414962c by Endi S. Dewata at 2021-02-25T11:30:33-06:00
Remove unused constants in SystemCertData
- - - - -
21dee807 by Endi S. Dewata at 2021-02-25T17:17:24-06:00
Convert QE test to Docker
Previously the QE test was running on Vagrant which can only
run on macOS runners on GitHub:
https://stackoverflow.com/questions/66261101/using-vagrant-on-github-actions-ideally-incl-virtualbox
However, there is a performance issue with the macOS runners
which is causing the test to fail occasionally:
https://github.com/actions/virtual-environments/issues/1336
To improve the reliability, the QE test has been converted
to run on Docker instead. Some steps for configuring the
machine hostname in configure_common.yml have been removed
since it's no longer necessary.
- - - - -
f7aefd19 by Endi S. Dewata at 2021-03-01T09:26:49-06:00
Move server classes to pki-server
- - - - -
83cf370f by Endi S. Dewata at 2021-03-01T09:26:53-06:00
Move enrollment constraints to pki-ca
- - - - -
7871b7ae by Endi S. Dewata at 2021-03-01T09:26:58-06:00
Move enrollment extension defaults to pki-ca
- - - - -
9c1e2d21 by Endi S. Dewata at 2021-03-01T09:27:03-06:00
Move enrollment defaults to pki-ca
- - - - -
803ebabe by Endi S. Dewata at 2021-03-01T09:27:09-06:00
Move profile factories to pki-ca
- - - - -
107bb049 by Endi S. Dewata at 2021-03-01T09:27:14-06:00
Move CA classes to pki-ca
- - - - -
37432d64 by Endi S. Dewata at 2021-03-01T09:27:20-06:00
Move KRA classes to pki-kra
- - - - -
a1275b41 by Endi S. Dewata at 2021-03-01T09:27:29-06:00
Move TKS classes to pki-tks
- - - - -
8e885fba by Endi S. Dewata at 2021-03-01T10:57:08-06:00
Replace CMS.getCMSEngine() in pki-ca
- - - - -
aa443318 by Endi S. Dewata at 2021-03-01T10:57:11-06:00
Replace CMS.getCMSEngine() in pki-kra
- - - - -
c4b56d74 by Endi S. Dewata at 2021-03-01T10:57:15-06:00
Replace CMS.getCMSEngine() in pki-ocsp
- - - - -
62c76777 by Endi S. Dewata at 2021-03-01T10:57:17-06:00
Replace CMS.getCMSEngine() in pki-tks
- - - - -
7fe37ee2 by Endi S. Dewata at 2021-03-01T14:49:27-06:00
Refactor CASigningUnit.sign()
The CASigningUnit.sign() has been modified to throw all
exceptions and let them be handled by the caller.
- - - - -
99d0c09c by Endi S. Dewata at 2021-03-01T14:49:28-06:00
Refactor OCSPSigningUnit.sign()
The OCSPSigningUnit.sign() has been modified to throw all
exceptions and let them be handled by the caller.
- - - - -
e5b61a19 by Endi S. Dewata at 2021-03-01T14:49:29-06:00
Refactor CASigningUnit.verify()
The CASigningUnit.verify() has been modified to throw all
exceptions and let them be handled by the caller.
- - - - -
3ccd775a by Endi S. Dewata at 2021-03-01T14:49:31-06:00
Refactor OCSPSigningUnit.verify()
The OCSPSigningUnit.verify() has been modified to throw all
exceptions and let them be handled by the caller.
- - - - -
2f6f1df8 by Endi S. Dewata at 2021-03-01T17:16:57-06:00
Refactor CertificateAuthority.getCertChain()
The CertificateAuthority.getCertChain() has been moved into
SigningUnit class.
- - - - -
0f4044e7 by Endi S. Dewata at 2021-03-01T17:22:39-06:00
Clean up OCSP fields in CertificateAuthority
The CertificateAuthority has been modified to get OCSP
info directly from OCSP signing unit instead of storing
them into fields.
- - - - -
7432d4ca by Endi S. Dewata at 2021-03-01T17:24:51-06:00
Clean up CRL fields in CertificateAuthority
The CertificateAuthority has been modified to get CRL
info directly from CRL signing unit instead of storing
them into fields.
- - - - -
4904b366 by Endi S. Dewata at 2021-03-01T17:25:01-06:00
Clean up CA fields in CertificateAuthority
The CertificateAuthority has been modified to get CA
info directly from CA signing unit instead of storing
them into fields.
- - - - -
59b7a954 by Endi S. Dewata at 2021-03-01T17:25:12-06:00
Clean up OCSP fields in OCSPAuthority
The OCSPAuthority has been modified to get OCSP info directly
from OCSP signing unit instead of storing them into fields.
- - - - -
78c3e04e by Endi S. Dewata at 2021-03-01T18:35:50-06:00
Refactor DBRegistry
The DBRegistry has been modified to no longer implement
ISubsystem.
- - - - -
d58fe66e by Endi S. Dewata at 2021-03-01T18:38:25-06:00
Convert ICMSExtension into CMSExtension
The ICMSExtension interface has been converted into
CMSExtension abstract class. The init() method has been
modified to no longer take an owner parameter.
- - - - -
6fe9c812 by Endi S. Dewata at 2021-03-01T18:41:47-06:00
Refactor CMSExtensionsMap
The CMSExtensionsMap has been modified to no longer
implements ISubsystem.
- - - - -
28c03981 by Endi S. Dewata at 2021-03-01T18:48:15-06:00
Refactor RequestSubsystem.init()
The RequestSubsystem has been modified to no longer implement
ISubsystem. The RequestSubsystem.init() has been modified to
take a DBSubsystem parameter.
- - - - -
0c4f95fe by Endi S. Dewata at 2021-03-01T18:50:43-06:00
Remove RequestSubsystem.getRequestQueue()
The RequestSubsystem.getRequestQueue() has been replaced with
direct calls to RequestQueue constructor.
- - - - -
f7b82ae6 by Endi S. Dewata at 2021-03-02T11:24:37-06:00
Add pki pkcs7-export
The pki pkcs7-export has been added to export certs from
NSS database into a PKCS #7 file.
- - - - -
8f50ed3f by Endi S. Dewata at 2021-03-02T11:24:37-06:00
Add pki pkcs7-cert-import
The pki pkcs7-cert-import has been added to import certs
into a PKCS #7 file.
- - - - -
72bba1c1 by Endi S. Dewata at 2021-03-02T11:24:37-06:00
Update pki pkcs7-import
The pki pkcs7-import has been updated to deprecate the
--input-file and --trust-flags params.
- - - - -
79f147c7 by Endi S. Dewata at 2021-03-02T11:24:37-06:00
Update pki pkcs7-cert-find
The pki pkcs7-cert-find has been updated to replace the
--pkcs7-file param with --pkcs7.
- - - - -
5bb47100 by Endi S. Dewata at 2021-03-02T11:24:37-06:00
Update pki pkcs7-cert-export
The pki pkcs7-cert-export has been updated to replace
--pkcs7-file param with --pkcs7, and add --output-file.
- - - - -
3cfc09c4 by Endi S. Dewata at 2021-03-02T11:24:37-06:00
Add doc for pki pkcs7 CLI
- - - - -
75ed2b96 by Endi S. Dewata at 2021-03-02T11:24:37-06:00
Add test for pki pkcs7 CLI
- - - - -
13f4c7fe by Alexander Scheel at 2021-03-02T16:57:16-05:00
Resolve XSS in ca queryCert pagination
Several values in ListCerts were reflected back to the caller, making a
reflected XSS attack possible. These values were sanitized and the
front-end template fixed to prevent this type of attack in general.
Resolves: CVE-2020-25715
Signed-off-by: Alexander Scheel <ascheel at redhat.com>
- - - - -
147fbdc5 by Endi S. Dewata at 2021-03-02T18:48:56-06:00
Move RecoverThread into a separate file
- - - - -
d1499526 by Endi S. Dewata at 2021-03-02T18:48:56-06:00
Move RequestList into a separate file
- - - - -
6f24b967 by Endi S. Dewata at 2021-03-02T18:48:56-06:00
Move RequestListByStatus into a separate file
- - - - -
82b37d94 by Endi S. Dewata at 2021-03-02T18:48:56-06:00
Move EnrollmentRequest into a separate file
- - - - -
1d35199e by Endi S. Dewata at 2021-03-02T18:48:56-06:00
Move RequestIAttrSetWrapper into a separate file
- - - - -
0d6c9951 by Endi S. Dewata at 2021-03-02T18:48:56-06:00
Move Request into a separate file
- - - - -
9a7e2311 by Endi S. Dewata at 2021-03-02T18:48:56-06:00
Move RunListeners into a separate file
- - - - -
4c47bd44 by Endi S. Dewata at 2021-03-02T18:56:02-06:00
Merge RequestRepository constructors
- - - - -
e062dc83 by Endi S. Dewata at 2021-03-02T18:56:27-06:00
Move RequestRepository.getBaseDN() to Repository
- - - - -
942119a5 by Endi S. Dewata at 2021-03-02T18:57:23-06:00
Refactor RequestQueueTest.cmsTestSetUp()
The RequestQueueTest.cmsTestSetUp() has been modified to
throw all exceptions.
- - - - -
9306d50e by Endi S. Dewata at 2021-03-02T20:49:08-06:00
Refactor RequestQueue constructor
The RequestQueue constructor has been modified to take
a RequestRepository parameter.
- - - - -
1160c27f by Endi S. Dewata at 2021-03-03T10:45:29-06:00
Update dependency to JSS 4.8.2
The dependency has been updated due to the use of new APIs
in JSS 4.8.2.
- - - - -
fa0c12a7 by Endi S. Dewata at 2021-03-03T14:02:07-06:00
Add test for installing CA with ECC
- - - - -
479244d2 by Endi S. Dewata at 2021-03-03T14:05:29-06:00
Update CI Dockerfile
The CI Dockerfile has been modified to install PKI packages
in the container image.
- - - - -
fac85511 by Endi S. Dewata at 2021-03-03T14:06:34-06:00
Remove redundant PKI package installations
The CI tests have been modified to no longer install PKI
packages since they are already installed in the container
image.
- - - - -
ea7060f1 by Endi S. Dewata at 2021-03-03T14:07:14-06:00
Clean up redundant CI dependencies
- - - - -
5cefaa99 by Endi S. Dewata at 2021-03-03T14:07:14-06:00
Add COPR_REPO argument in CI Dockerfile
The CI Dockerfile has been modified to provide an argument
to override the COPR repository used for building the
container image.
- - - - -
928c06c2 by Endi S. Dewata at 2021-03-03T14:07:14-06:00
Update CI to use multi-stage builds
The CI has been modified to build PKI packages and the
container image using multi-stage builds.
- - - - -
eee2fb90 by Endi S. Dewata at 2021-03-03T15:04:51-06:00
Rename ARequestNotifier to RequestNotifier
- - - - -
77271aa8 by Endi S. Dewata at 2021-03-03T16:07:46-06:00
Remove unused KRANotify.mKRA field
- - - - -
848f0cae by Endi S. Dewata at 2021-03-03T16:07:55-06:00
Add CANotify
The code in RequestNotifier that depends on CA object
has been moved into a new CANotify class.
- - - - -
214b2282 by Endi S. Dewata at 2021-03-03T16:07:55-06:00
Move CertificateAuthority.initCertRequest() into CAConfigurator
- - - - -
0b857676 by Endi S. Dewata at 2021-03-03T16:07:55-06:00
Move CertificateAuthority.createCertRecord() into CAConfigurator
- - - - -
d0e53c57 by Endi S. Dewata at 2021-03-03T16:12:22-06:00
Rename Configurator.loadCert() to importCert()
- - - - -
a89a612b by Endi S. Dewata at 2021-03-03T16:12:24-06:00
Rename PKISubsystem.update_subsystem_cert() to update_system_cert()
- - - - -
714c710a by Endi S. Dewata at 2021-03-03T16:12:25-06:00
Fix indentation in Configuration.setupCert()
- - - - -
f230dcb9 by Endi S. Dewata at 2021-03-03T18:37:48-06:00
Refactor PKIDeployer.setup_system_certs()
The code that handles the server response in
PKIDeployer.setup_system_certs() has been moved
into setup_cert().
- - - - -
ac1da830 by Endi S. Dewata at 2021-03-03T19:43:13-06:00
Refactor Configurator.setupCert() (part 1)
The Configurator.setupCert() has been modified to get the
token name, profile ID, and cert type through SystemCertData
instead of directly from preop properties.
- - - - -
cfeb3d99 by Endi S. Dewata at 2021-03-03T19:43:21-06:00
Refactor Configurator.setupCert() (part 2)
The Configurator.setupCert() has been modified to get the
DNS names for SAN extension through SystemCertData instead
of directly from service.sslserver.san property.
- - - - -
cad787dc by Endi S. Dewata at 2021-03-03T19:52:27-06:00
Update dependency to JSS 4.9.0
- - - - -
714ef899 by Fraser Tweedale at 2021-03-05T22:34:47+10:00
cert-fix: avoid crash on missing CS.cfg param
`pki-server cert-fix` reads (and writes) the CS.cfg parameter
`selftests.container.order.startup`. If this parameter is missing,
the resulting `KeyError` crashes the program. We have seen several
cases where this parameter is missing, and its absense is otherwise
benign.
Update the relevant subroutine to avoid a crash in the case where
the `selftests.container.order.startup` parameter is missing.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1930586
- - - - -
269a38ba by Fraser Tweedale at 2021-03-05T22:34:47+10:00
cert-fix: emit warning if subsystem has selftests configured
A subsystem having no startup selftests configured might have been
deliberately configured that way. But it is not a desirable
configuration for the long term. Update `pki-server cert-fix` to
emit a warning when a subsystem has no startup selftests configured
in CS.cfg.
- - - - -
2ecfd0d5 by Endi S. Dewata at 2021-03-08T10:36:21-06:00
Move CI Dockerfile
The CI Dockerfile has been moved to the top-level folder.
- - - - -
79064f40 by Endi S. Dewata at 2021-03-08T10:36:21-06:00
Move list of IPA CI tests
The list of IPA CI tests has been moved into ipa-test.sh.
- - - - -
19bd8ae7 by Endi S. Dewata at 2021-03-08T10:36:21-06:00
Clean up CI build options
The CI BUILD_OPTS have been modified to no longer use timestamps
and commit IDs in PKI package names. The build-push-action has
also been modified to use the default Git context.
- - - - -
dfdb253c by Endi S. Dewata at 2021-03-08T10:36:21-06:00
Rename CI runner container image
- - - - -
4da7bb9e by Endi S. Dewata at 2021-03-08T10:36:21-06:00
Remove unused CI LOGS variable
- - - - -
1e080448 by Endi S. Dewata at 2021-03-08T19:16:16-06:00
Update exception for unsupported cert revocation
The ACMEIssuer.revokeCeritifcate() has been modified to generate
a urn:ietf:params:acme:error:unsupported error message instead of
NotImplementedException.
- - - - -
712f2015 by Endi S. Dewata at 2021-03-08T19:16:16-06:00
Update ACMEEngine.parseCSRExtensions()
The ACMEEngine.parseCSRExtensions() has been modified to
downcast CSR extensions into Extension class.
- - - - -
95308c6b by Endi S. Dewata at 2021-03-08T19:16:16-06:00
Update ACMEEngine.validateRevocation()
The ACMEEngine.validateRevocation() has been modified to use
X509CertImpl to parse cert data.
- - - - -
f309fa26 by Endi S. Dewata at 2021-03-08T19:16:16-06:00
Clean up ACME CI tests
- - - - -
6a1623a8 by Endi S. Dewata at 2021-03-08T20:41:11-06:00
Update ACME Dockerfile
The ACME Dockerfile has been updated to work with Quay and
Docker Hub.
- - - - -
745dbf0d by Endi S. Dewata at 2021-03-09T15:05:36-06:00
Add SystemConfigService.loadCert()
The SystemConfigService.loadCert() has been added to load
existing system certs.
The CAConfigurator.loadCert() has been added to initialize
the CA with existing signing certificate.
- - - - -
9ff8bd5e by Endi S. Dewata at 2021-03-09T15:05:39-06:00
Refactor Configurator.setupCert()
The code that loads existing certs in Configurator.setupCert()
has been moved into PKIDeployer.setup_cert().
- - - - -
431e99d5 by Endi S. Dewata at 2021-03-09T15:05:41-06:00
Clean up Configurator.loadCert()
The unused code that stores the request and cert data into
the Cert object in Configurator.loadCert() has been removed.
- - - - -
fbabcb62 by Endi S. Dewata at 2021-03-09T15:05:43-06:00
Removed unused fields in CertificateSetupRequest
The external and standAlone fields in CertificateSetupRequest
are no longer used so they have been removed.
- - - - -
a1d5fe72 by Endi S. Dewata at 2021-03-09T16:35:53-06:00
Merge Configurator.setupNewCert() into setupCert()
- - - - -
10feff62 by Endi S. Dewata at 2021-03-09T16:35:55-06:00
Refactor Configurator.setupCert()
The code that stores the request and cert data into
CS.cfg in Configurator.setupCert() has been moved
into PKIDeployer.setup_system_certs().
- - - - -
89e05244 by Endi S. Dewata at 2021-03-09T16:43:30-06:00
Refactor Configurator.createCert()
The code that calls Configurator.createLocalCert() in
createCert() has been moved into setupCert().
- - - - -
481d3253 by Endi S. Dewata at 2021-03-09T19:36:50-06:00
Copy ACME Dockerfile into main Dockerfile
The ACME Dockerfile has been copied from base/acme/Dockerfile
which uses a single build stage into the main Dockerfile which
uses multiple build stages.
- - - - -
dd0dd0ef by Endi S. Dewata at 2021-03-09T19:38:39-06:00
Add test for ACME container
- - - - -
cc9b8778 by Endi S. Dewata at 2021-03-10T12:00:43-06:00
Restored timestamp and commit ID in CI build options
Commit 19bd8ae703d0c4c9e2f56380b93c3452a112ce33 has been
reverted to avoid conflicts with COPR builds.
- - - - -
0e9fa98a by Endi S. Dewata at 2021-03-10T15:22:31-06:00
Fix PKIServer.restart()
The PKIServer.restart() has been modified to always wait
until the server is stopped before starting it again.
- - - - -
b9e80c95 by Endi S. Dewata at 2021-03-10T15:36:29-06:00
Move startup_timeout and request_timeout into PKIDeployer
- - - - -
c95163a6 by Endi S. Dewata at 2021-03-10T15:36:29-06:00
Update PKIServer.start(), stop(), and restart()
The PKIServer.start(), stop(), and restart() invocations in
pkispawn and pkidestroy has been modified to wait until the
operation is complete.
- - - - -
5b2ef508 by Endi S. Dewata at 2021-03-10T16:18:13-06:00
Add PKISubsystem.restart()
A new PKISubsystem.restart() has been added to disable
a subsystem then reenable it again.
- - - - -
69e147c9 by Alexander Bokovoy at 2021-03-10T20:25:55-06:00
Update pki.spec to not depend on esc for s390(x) architectures
- - - - -
537d923f by Endi S. Dewata at 2021-03-10T21:02:32-06:00
Clean up spec file
- - - - -
cd1f8d0a by Alexander Scheel at 2021-03-15T09:39:07-05:00
Remove i686 builds in the future
For Fedora and RHEL-9, we probably should drop i686 builds. This is
partially due to the lack md2man (for converting our man pages) but also
due to the lack of multilib compatible Java packages. Best to ship
64-bit only packages then.
Discussed with Alexander Bokovoy in #freeipa.
Signed-off-by: Alexander Scheel <alexander.m.scheel at gmail.com>
- - - - -
9cfd14b0 by Fraser Tweedale at 2021-03-15T11:37:44-05:00
Fix renewal profile approval process
Due to a recent change in PKI CLI, the CLI now passes along user
authentication with submissions to the renewal endpoint. Unlike the EE
pages, the REST API has passed along this authentication for a while.
Due to a bug in the RenewalProcessor, requests with credentials against
profiles with no authentication method and no ACLs result in the
certificiate automatically being approved. This occurs because, when
an earlier commit (cb9eb967b5e24f5fde8bbf8ae87aa615b7033db7) modified
the code to allow Light-Weight SubCAs to issue certificates, validation
wasn't done on the passed principal, to see if it was a trusted agent..
Because profiles requring Agent approval have an empty ACL list (as, no
user should be able to submit a certificate request and have it
automatically signed without agent approval), authorize allows any user
to approve this request and thus accepts the AuthToken.
Critical analysis: the RenewalProcessor code interprets (authToken
!= null) as evidence that the authenticated user is /authorized/ to
immediately issue the certificate. This mismatch of concerns (authn
vs authz) resulted in a misunderstanding of system behaviour. The
"latent" AuthToken (from the HTTP request) was assigned to authToken
without realising that authorization needed to be performed.
We fix this by splitting the logic on whether the profile defines an
authenticator. If so, we (re)authenticate and authorize the user
according to the profile configuration.
If the profile does not define an authenticator but there is a
principal in the HTTP request, if (and only if) the user has
permission to approve certificate requests *and* the requested
renewal profile is caManualRenewal (which is hardcoded to be used
for LWCA renewal), then we issue the certificate immediately. This
special case ensures that LWCA renewal keeps working.
Otherwise, if there is no principal in the HTTP request or the
principal does not have permission to approve certificate requests,
we leave the authToken unset. The resulting renewal request will be
created with status PENDING, i.e. enqueued for agent review.
Signed-off-by: Fraser Tweedale <ftweedal at redhat.com>
Signed-off-by: Alexander Scheel <ascheel at redhat.com>
- - - - -
7e450d62 by Endi S. Dewata at 2021-03-15T21:18:21-05:00
Fix QE tests reliability
- - - - -
f436e39b by Endi S. Dewata at 2021-03-15T21:18:21-05:00
Update pki.spec for ELN/RHEL
- - - - -
a88d0efe by Endi S. Dewata at 2021-03-15T21:18:21-05:00
Clean up CryptoUtil.signCert()
The CryptoUtil.signCert() has been modified to throw a generic
Exception.
- - - - -
a60ccb8e by Endi S. Dewata at 2021-03-15T21:18:21-05:00
Replace SigningUnit.mapAlgorithmToJss()
The SigningUnit.mapAlgorithmToJss() has been replaced with
direct calls to Cert.mapAlgorithmToJss().
- - - - -
a3537f34 by Endi S. Dewata at 2021-03-15T21:18:21-05:00
Refactor PKIInstance.get_sslserver_cert_nickname()
The code that loads the SSL server cert nickname from server.xml
has been moved to PKIServer.get_sslserver_cert_nickname().
- - - - -
00e6351b by Endi S. Dewata at 2021-03-15T21:51:20-05:00
Refactor PKIInstance.set_sslserver_cert_nickname()
The code that stores the SSL server cert nickname into server.xml
has been moved into PKIServer.set_sslserver_cert_nickname().
- - - - -
1b2109a6 by Endi S. Dewata at 2021-03-15T21:51:20-05:00
Remove unused CertUtils.createCertInfo()
- - - - -
4cef6ee1 by Endi S. Dewata at 2021-03-16T16:53:59-05:00
Replace CertificateExtensions with Extensions
- - - - -
51936fde by Endi S. Dewata at 2021-03-16T20:39:59-05:00
Clean up CryptoUtil.createCertificationRequest()
- - - - -
bfa34094 by Endi S. Dewata at 2021-03-16T20:39:59-05:00
Refactor CryptoUtil.createCertificationRequest()
The CryptoUtil.createCertificationRequest() has been modified
to take a KeyPair parameter.
- - - - -
2a3e776c by Endi S. Dewata at 2021-03-17T10:24:43-05:00
Fix files listed twice in pki.spec
https://github.com/dogtagpki/pki/issues/3321
- - - - -
fc993db1 by Endi S. Dewata at 2021-03-17T10:24:45-05:00
Remove unused imports
- - - - -
d65daa05 by Endi S. Dewata at 2021-03-17T10:24:47-05:00
Move com.netscape.cms.shares to pki-kra
- - - - -
a4ec02e4 by Endi S. Dewata at 2021-03-17T10:44:09-05:00
Drop Tomcat 7.0 from pki-server migrate
The pki-server migrate CLI has been modified to remove the code
for migrating into Tomcat 7.0 since it's no longer supported.
- - - - -
4111b795 by Endi S. Dewata at 2021-03-17T10:44:25-05:00
Remove unused Tomcat 7.0 files
- - - - -
2c9616ae by Endi S. Dewata at 2021-03-17T12:14:24-05:00
Drop Tomcat 8.0 from pki-server migrate
The pki-server migrate CLI has been modified to remove the code
for migrating into Tomcat 8.0 since it's no longer supported.
- - - - -
d16a0129 by Endi S. Dewata at 2021-03-17T12:14:26-05:00
Remove unused Tomcat 8.0 files
- - - - -
96d9cd5d by Endi S. Dewata at 2021-03-17T13:35:06-05:00
Drop Tomcat 8.5 from pki-server migrate
The pki-server migrate CLI has been modified to remove the code
for migrating into Tomcat 8.5 since it's no longer supported.
- - - - -
be6f5653 by Endi S. Dewata at 2021-03-17T15:47:10-05:00
Convert Tomcat 8.5 files into Tomcat 9.0
- - - - -
83b8feaf by Endi S. Dewata at 2021-03-17T17:02:20-05:00
Convert MigrateCLI.migrate_nssdb() into upgrade script
- - - - -
e70373ab by Endi S. Dewata at 2021-03-17T17:02:20-05:00
Convert MigrateCLI.migrate_server_xml() into upgrade script
- - - - -
4f2af1c5 by Endi S. Dewata at 2021-03-17T17:02:20-05:00
Convert MigrateCLI.migrate_context_xml() into upgrade script
- - - - -
1bae09ce by Endi S. Dewata at 2021-03-17T17:24:02-05:00
Convert MigrateCLI.migrate_service() into upgrade script
- - - - -
2bac2ea7 by Endi S. Dewata at 2021-03-18T12:31:22-05:00
Move MigrateCLI.export_ca_cert() into PKIServer
The code that exports the CA certificate during startup
has been moved into PKIServer.export_ca_cert().
- - - - -
0246930f by Endi S. Dewata at 2021-03-18T12:31:24-05:00
Add PKIServer.enable_subsystems()
The code that enables all subsystems during startup
has been moved into PKIServer.enable_subsystems().
- - - - -
db8c0d3a by Endi S. Dewata at 2021-03-18T12:31:26-05:00
Add PKIInstance.validate_banner()
The code that validates banner during startup has been
moved into PKIInstance.validate_banner().
- - - - -
69d39dd3 by Endi S. Dewata at 2021-03-18T12:31:28-05:00
Add PKIServer.create_catalina_policy()
The code that creates catalina.policy during startup has
been moved into PKIServer.create_catalina_policy().
- - - - -
cf497f10 by Endi S. Dewata at 2021-03-18T12:31:31-05:00
Remove restart_server_after_configuration file
The code that creates and removes the
restart_server_after_configuration file has been removed
since the server is restarted automatically by pkispawn.
- - - - -
f3d93530 by Endi S. Dewata at 2021-03-18T19:30:06-05:00
Clean up log messages during installation
- - - - -
ac51d75c by Endi S. Dewata at 2021-03-18T19:30:13-05:00
Update subsystem deployment
pkispawn has been modified to deploy/redeploy a subsystem
without restarting the server.
- - - - -
7a536cab by Endi S. Dewata at 2021-03-23T09:08:17-05:00
Add test for installing CA with secure DS
- - - - -
199a1b58 by Endi S. Dewata at 2021-03-23T16:29:31-05:00
Clean up CA test with secure DS
The CA test with secure DS has been modified to validate
the SSL connection without modifying the ldap.conf.
- - - - -
65d3d83c by Endi S. Dewata at 2021-03-23T16:29:31-05:00
Clean up CA test artifacts
The CA tests have been modified to store PKI and DS config files
and log files into a single file.
- - - - -
4bbcc190 by Endi S. Dewata at 2021-03-23T18:27:24-05:00
Add log messages in CryptoUtil.signCert()
- - - - -
3a9994f8 by Endi S. Dewata at 2021-03-23T18:27:24-05:00
Refactor CryptoUtil.generateECCKeyPair()
The CryptoUtil.generateECCKeyPair() has been modified to
throw a generic Exception.
- - - - -
944f7fc8 by Endi S. Dewata at 2021-03-23T18:27:24-05:00
Clean up log messages during cloning
- - - - -
38b8e698 by Endi S. Dewata at 2021-03-24T11:26:37-05:00
Remove redundant type casts
- - - - -
1166ae3a by Endi S. Dewata at 2021-03-24T17:58:08-05:00
Add CACMSAdminServlet
The CACMSAdminServlet has been added to store CA-specific
code from CMSAdminServlet.
- - - - -
120703a8 by Endi S. Dewata at 2021-03-24T17:58:13-05:00
Refactor CMSAdminServlet.isSubsystemInstalled()
The CA-specific code in CMSAdminServlet.isSubsystemInstalled()
has been moved into CACMSAdminServlet.
- - - - -
b52f2cec by Endi S. Dewata at 2021-03-24T17:58:13-05:00
Refactor CMSAdminServlet.readEncryption()
The CA-specific code in CMSAdminServlet.readEncryption() has
been moved into CACMSAdminServlet.
- - - - -
bd10f87c by Endi S. Dewata at 2021-03-24T17:58:13-05:00
Refactor CMSAdminServlet.modifyEncryption()
The CA-specific code in CMSAdminServlet.modifyEncryption() has
been moved into CACMSAdminServlet.
- - - - -
05fcfcb3 by Endi S. Dewata at 2021-03-24T18:21:21-05:00
Refactor CMSAdminServlet.issueImportCert()
The CA-specific code in CMSAdminServlet.issueImportCert() has
been moved into CACMSAdminServlet.
- - - - -
75effdc6 by Endi S. Dewata at 2021-03-24T18:30:17-05:00
Refactor CMSAdminServlet.installCert()
The CA-specific code in CMSAdminServlet.installCert() has been
moved into CACMSAdminServlet.
- - - - -
38c955e5 by Endi S. Dewata at 2021-03-24T18:30:17-05:00
Refactor CMSEngine.isRevoked()
The CA-specific code in CMSEngine.isRevoked() has been moved
into CAEngine.
- - - - -
1b61ce01 by Endi S. Dewata at 2021-03-25T09:22:34-05:00
Add test for installing CA clone with secure DS
- - - - -
04f9040b by Endi S. Dewata at 2021-03-25T09:26:38-05:00
Move RenewableCertificateCollection to pki-server
- - - - -
3f93003c by Endi S. Dewata at 2021-03-25T09:26:38-05:00
Move CertRecordMapper to pki-ca
- - - - -
7f01deea by Endi S. Dewata at 2021-03-25T09:26:38-05:00
Move RenewalServlet to pki-ca
- - - - -
476ce4ab by Endi S. Dewata at 2021-03-25T09:26:38-05:00
Move IPublishRuleSet to pki-ca
- - - - -
d0c3e267 by Endi S. Dewata at 2021-03-25T09:26:38-05:00
Move KeyRepository to pki-kra
- - - - -
5e711b1c by Endi S. Dewata at 2021-03-25T09:26:38-05:00
Replace IKeyRecoveryAuthority with KeyRecoveryAuthority
- - - - -
9b5c65cf by Endi S. Dewata at 2021-03-25T09:26:38-05:00
Replace IKeyRepository with KeyRepository
- - - - -
abf1b56a by Endi S. Dewata at 2021-03-25T11:12:24-05:00
Replace ILdapRule with LdapRule
- - - - -
743c8760 by Endi S. Dewata at 2021-03-25T11:12:26-05:00
Replace ICertRecordList with CertRecordList
- - - - -
93ce0115 by Endi S. Dewata at 2021-03-25T11:12:28-05:00
Replace ICertRecord with CertRecord
- - - - -
c0690048 by Endi S. Dewata at 2021-03-25T11:12:30-05:00
Remove unused IRegistrationAuthority.getPublisherProcessor()
- - - - -
be38f7c2 by Endi S. Dewata at 2021-03-25T11:13:38-05:00
Replace CertificateAuthority.getPublisherProcessor()
The CertificateAuthority.getPublisherProcessor() has been
replaced with direct calls to CAEngine.getPublisherProcessor().
- - - - -
86a17456 by Endi S. Dewata at 2021-03-25T15:29:02-05:00
Rename DBSSession into LDAPSession
- - - - -
9b192416 by Endi S. Dewata at 2021-03-25T15:29:04-05:00
Rename DBSSessionDefaultStub into DBSSession
- - - - -
b09818b0 by Endi S. Dewata at 2021-03-25T16:12:43-05:00
Merge IDBSSession into DBSSession
- - - - -
89d73c3a by Endi S. Dewata at 2021-03-25T16:12:48-05:00
Rename DBRegistry into LDAPRegistry
- - - - -
08ba391b by Endi S. Dewata at 2021-03-25T16:12:48-05:00
Rename DBRegistryDefaultStub into DBRegistry
- - - - -
cde2a125 by Endi S. Dewata at 2021-03-25T16:12:54-05:00
Merge IDBRegistry into DBRegistry
- - - - -
b83697db by Pritam Singh at 2021-03-26T20:18:56+05:30
Added_doc_for_installing_CA_clone_with_secure_DS (#3486)
Signed-off-by: Pritam Singh <prisingh at redhat.com>
- - - - -
48013da6 by Endi S. Dewata at 2021-03-26T10:36:27-05:00
Consolidate ECC key pair usages masks
Previously the ECC key pair usages masks were defined
multiple times in various locations. They now have been
consolidated into CryptoUtil.
- - - - -
6ce4026d by Endi S. Dewata at 2021-03-26T13:01:29-05:00
Clean up KRA test artifacts
The KRA tests have been modified to store PKI and DS config
files and log files into a single file.
- - - - -
e0a734a2 by Endi S. Dewata at 2021-03-26T14:08:06-05:00
Rename DBDynAttrMapperDefaultStub into DBDynAttrMapper
- - - - -
8205b85e by Endi S. Dewata at 2021-03-26T14:08:06-05:00
Merge IDBDynAttrMapper into DBDynAttrMapper
- - - - -
3bba14dd by Endi S. Dewata at 2021-03-26T14:08:06-05:00
Convert IDBAttrMapper into DBAttrMapper
- - - - -
ed8423a3 by Endi S. Dewata at 2021-03-26T14:08:06-05:00
Refactor CMSEngine.initAuthSubsystem()
The CMSEngine.initAuthSubsystem() has been modified to create
a new AuthSubsystem object instead of using a singleton.
- - - - -
c384e55a by Endi S. Dewata at 2021-03-26T15:04:55-05:00
Add AuthSubsystem.loadAuthManagerPlugins()
The code that loads the auth manager plugins has been moved
into AuthSubsystem.loadAuthManagerPlugins().
- - - - -
e55c61ad by Endi S. Dewata at 2021-03-26T15:06:46-05:00
Add AuthSubsystem.loadAuthManagerInstances()
The code that loads the auth manager instances have been
moved into AuthSubsystem.loadAuthManagerInstances().
- - - - -
fa29c2a5 by Endi S. Dewata at 2021-03-26T19:58:31-05:00
Move RetrieveModificationsTask into separate file
- - - - -
181a068a by Endi S. Dewata at 2021-03-26T19:58:39-05:00
Move SerialNumberUpdateTask into separate file
- - - - -
745c262c by Endi S. Dewata at 2021-03-26T19:58:40-05:00
Move CertStatusUpdateTask into separate file
- - - - -
06685701 by Endi S. Dewata at 2021-03-26T19:58:46-05:00
Move KeyStatusUpdateTask into separate file
- - - - -
fc737b19 by Endi S. Dewata at 2021-03-26T19:58:55-05:00
Move CertificateRepository.setSerialNumberUpdateInterval() into CAEngine
- - - - -
505909d8 by Endi S. Dewata at 2021-03-26T19:58:55-05:00
Move CertificateRepository.setCertStatusUpdateInterval() into CAEngine
- - - - -
0a21a71d by Endi S. Dewata at 2021-03-29T09:44:31-05:00
Move CertRecProcessor into a separate file
- - - - -
81081a34 by Endi S. Dewata at 2021-03-29T10:09:58-05:00
Move RevocationRequestListener into a separate file
- - - - -
90b218a7 by Endi S. Dewata at 2021-03-29T11:08:31-05:00
Add CRLIssuingPoint.handleUnexpectedFailure()
The code that handles unexpected failures has been moved from
CRLIssuingPoint.run() to handleUnexpectedFailure().
- - - - -
f6c087cb by Endi S. Dewata at 2021-03-29T11:08:31-05:00
Update log messages in CRLRepository.updateRevokedCerts()
- - - - -
5f371f21 by Endi S. Dewata at 2021-03-29T11:08:31-05:00
Update log messages in CRLRepository.updateCRLIssuingPointRecord()
- - - - -
11d7047f by Endi S. Dewata at 2021-03-29T11:08:31-05:00
Update log messages in DBAttrMapper.mapObjectToLDAPAttributeSet()
- - - - -
d9063df0 by Endi S. Dewata at 2021-03-29T11:08:31-05:00
Update log messages in LDAPRegistry.createLDAPAttributeSet()
- - - - -
026093c0 by Endi S. Dewata at 2021-03-29T11:08:31-05:00
Update log messages in LDAPSession.add()
- - - - -
9fdfebc3 by Endi S. Dewata at 2021-03-29T11:08:32-05:00
Update log messages in LDAPSession.modify()
- - - - -
c1f2d41e by Endi S. Dewata at 2021-03-29T12:04:30-05:00
Move KeyRepository.updateKeyStatus() into KeyStatusUpdateTask
- - - - -
7870ddfd by Endi S. Dewata at 2021-03-29T12:05:27-05:00
Move KeyRepository.setKeyStatusUpdateInterval() into KeyRecoveryAuthority
- - - - -
e01ff7f2 by Endi S. Dewata at 2021-03-29T12:05:30-05:00
Move CA tasks to pki-ca
- - - - -
e731cfaa by Endi S. Dewata at 2021-03-29T12:05:30-05:00
Move CertificateRepository.getModifications() into RetrieveModificationsTask
- - - - -
5f6bfa73 by Endi S. Dewata at 2021-03-29T12:05:30-05:00
Move CertificateRepository.updateCertStatus() into CertStatusUpdateTask
- - - - -
0362dc56 by Endi S. Dewata at 2021-03-29T14:30:34-05:00
Remove unused CertificateRepository.mSkipIfInconsistent
- - - - -
e641e2ac by Endi S. Dewata at 2021-03-29T15:26:24-05:00
Clean up CertificateRepository.transitCertList()
Previously the CertificateRepository.transitCertList() was
taking either a list of cert records or the serial numbers
depending on the value of mConsistencyCheck. Since the cert
records are guaranteed to be non-null, the code has been
simplified to take list of serial numbers in all cases.
- - - - -
ad6f1ac4 by Endi S. Dewata at 2021-03-29T15:26:36-05:00
Update log messages in CertificateRepository.updateStatus()
- - - - -
8a3c2a97 by Endi S. Dewata at 2021-03-29T15:26:36-05:00
Move CertificateRepository.transitInvalidCertificates() to CertStatusUpdateTask
- - - - -
0744f1a6 by Endi S. Dewata at 2021-03-29T15:26:36-05:00
Move CertificateRepository.transitValidCertificates() to CertStatusUpdateTask
- - - - -
3893fc05 by Endi S. Dewata at 2021-03-29T15:34:12-05:00
Move CertificateRepository.transitRevokedExpiredCertificates() to CertStatusUpdateTask
- - - - -
232fa71e by Endi S. Dewata at 2021-03-29T15:34:12-05:00
Move transit attributes from CertificateRepository to CertStatusUpdateTask
- - - - -
955a1199 by Endi S. Dewata at 2021-03-29T17:09:52-05:00
Clean up CertificateRepository.transitCertList() (part 2)
The code that notifies CRL issuing points on revoked and expired
certs has been moved from CertificateRepository.transitCertList()
to CertStatusUpdateTask.updateRevokedExpiredCertificates().
- - - - -
6abb91c5 by Endi S. Dewata at 2021-03-29T17:09:55-05:00
Remove redundant CertificateRepository.mCRLIssuingPoints
- - - - -
c8c2db56 by Endi S. Dewata at 2021-03-29T17:09:57-05:00
Remove redundant CAService.mCRLIssuingPoints
- - - - -
0285ce46 by Endi S. Dewata at 2021-03-29T17:10:00-05:00
Update log messages in AuthSubsystem.init()
- - - - -
15fef884 by Endi S. Dewata at 2021-03-29T18:09:24-05:00
Update log messages in CertificateRepository.addCertificateRecord()
- - - - -
93a0d250 by Endi S. Dewata at 2021-03-29T18:09:24-05:00
Update log messages in PublisherProcessor.init()
- - - - -
8eaac030 by Endi S. Dewata at 2021-03-29T18:09:24-05:00
Update log messages in ProfileSubsystem.init()
- - - - -
c9955024 by Endi S. Dewata at 2021-03-30T11:18:56-05:00
Remove unused CertificateRepository.mRequestBaseDN
- - - - -
6286d12e by Endi S. Dewata at 2021-03-30T11:18:59-05:00
Clean up CertificateRepository constructor
The CertificateRepository constructor has been modified to
remove the base DN params.
- - - - -
ba964bec by Endi S. Dewata at 2021-03-30T11:19:01-05:00
Remove redundant CertificateRepository.dbSubsystem
- - - - -
35c0c3e4 by Endi S. Dewata at 2021-03-30T16:43:45-05:00
Remove redundant CertificateRepository.getDN()
- - - - -
4a39266b by Endi S. Dewata at 2021-03-30T16:43:45-05:00
Clean up CRLRepository constructor
The CRLRepository constructor has been modified to remove the
base DN param.
- - - - -
d90b561c by Endi S. Dewata at 2021-03-30T16:43:45-05:00
Remove redundant CRLRepository.dbSubsystem
- - - - -
4011e9b2 by Endi S. Dewata at 2021-03-30T16:43:45-05:00
Remove redundant CRLRepository.getDN()
- - - - -
279fbc79 by Endi S. Dewata at 2021-03-30T16:43:45-05:00
Clean up ReplicaIDRepository constructor
The ReplicaIDRepository constructor has been modified to remove
the base DN param.
- - - - -
5d61ec14 by Endi S. Dewata at 2021-03-30T16:43:45-05:00
Remove redundant RequestRepository.dbSubsystem
- - - - -
b917a2d8 by Endi S. Dewata at 2021-03-30T16:48:51-05:00
Update log messages in CRLIssuingPoint.updateCRLNow()
- - - - -
3ec3a553 by Endi S. Dewata at 2021-03-30T16:48:53-05:00
Update log messages in CRLIssuingPoint.generateFullCRL()
- - - - -
db6ad974 by Endi S. Dewata at 2021-03-30T16:48:54-05:00
Update log messages in CRLIssuingPoint.generateDeltaCRL()
- - - - -
929451d3 by Endi S. Dewata at 2021-03-30T19:31:22-05:00
Update log messages in RevocationProcessor.processRevocationRequest()
- - - - -
2938dca4 by Endi S. Dewata at 2021-03-30T19:32:07-05:00
Update log messages in RevocationProcessor.processUnrevocationRequest()
- - - - -
24749820 by Endi S. Dewata at 2021-03-30T19:32:07-05:00
Update log messages in CertificateRepository.isCertificateRevoked()
- - - - -
c7125abb by Endi S. Dewata at 2021-03-31T10:20:16-05:00
Clean up tests for PKI tools
- - - - -
f56c7f48 by Endi S. Dewata at 2021-03-31T11:06:37-05:00
Update CryptoUtil.createX509CertInfo()
The CryptoUtil.createX509CertInfo() has been modified to take
a CertificateExtensions parameter.
- - - - -
458cfb94 by Endi S. Dewata at 2021-03-31T11:06:37-05:00
Update default params for pki nss-cert-request and nss-cert-issue
- - - - -
b162c939 by Endi S. Dewata at 2021-03-31T11:06:37-05:00
Add hash parameter for pki nss-cert-issue
- - - - -
7267186b by Endi S. Dewata at 2021-03-31T13:36:48-05:00
Add test for creating CA agent
- - - - -
ee0badcd by Endi S. Dewata at 2021-03-31T13:36:48-05:00
Add test for creating and revoking CA agent cert
- - - - -
44d8ba0c by Endi S. Dewata at 2021-03-31T13:36:48-05:00
Add test for issuing SSL server cert using PKI NSS CLI
- - - - -
eefa742e by Endi S. Dewata at 2021-03-31T13:36:48-05:00
Add pki-server ca-cert-find
The pki-server ca-cert-find has been added to list the
certs in the DS when PKI server is not running.
- - - - -
2e5f79e3 by Endi S. Dewata at 2021-04-01T10:37:02-05:00
Update log messages in NSSDatabase
- - - - -
1279f195 by Endi S. Dewata at 2021-04-01T12:25:54-05:00
Add test for generating cert with existing key
- - - - -
515e7f51 by Endi S. Dewata at 2021-04-01T19:36:38-05:00
Fix PKCS10Client -x parameter
Previously the -x parameter in PKCS10Client was parsed but
never used. The code has been modified to use the parameter
to select the key usage mask when generating an EC key.
- - - - -
b6fb1a50 by Endi S. Dewata at 2021-04-05T09:39:28-05:00
Move notifiers from CAEngine to CMSEngine
- - - - -
fdc56a0b by Endi S. Dewata at 2021-04-05T09:39:32-05:00
Move notifiers from KeyRecoveryAuthority to CMSEngine
- - - - -
947fc3d9 by Endi S. Dewata at 2021-04-05T10:58:11-05:00
Move LdapUnrevocationListener into separate file
- - - - -
9391d644 by Endi S. Dewata at 2021-04-05T11:00:10-05:00
Move LdapRevocationListener into separate file
- - - - -
2f5fad2b by Endi S. Dewata at 2021-04-05T11:01:59-05:00
Move LdapRenewalListener into separate file
- - - - -
15aba464 by Endi S. Dewata at 2021-04-05T11:03:59-05:00
Move LdapEnrollmentListener into separate file
- - - - -
e6e92e27 by Endi S. Dewata at 2021-04-05T11:24:47-05:00
Remove redundant ICertAuthority.getCertificateRepository()
- - - - -
16e3840b by Endi S. Dewata at 2021-04-05T11:24:49-05:00
Refactor RequestNotifier.checkAvailablePublishingConnections()
The code in RequestNotifier.checkAvailablePublishingConnections()
only works in CA so it has been moved into CANotify.
- - - - -
5fca754f by Endi S. Dewata at 2021-04-05T11:39:07-05:00
Refactor PublisherProcessor.mLdapRequestListener
The PublisherProcessor.mLdapRequestListener has been converted
into IRequestListener to remove dependency on LdapRequestListener.
- - - - -
39612940 by Endi S. Dewata at 2021-04-05T14:35:20-05:00
Merge IReplicaIDRepository into ReplicaIDRepository
- - - - -
dd25b87b by Endi S. Dewata at 2021-04-05T14:35:21-05:00
Add PublishingConfig
The PublishingConfig has been added to encapsulate ca.publish.*
parameters.
- - - - -
429af6fe by Endi S. Dewata at 2021-04-05T14:35:23-05:00
Add PublishingPublisherConfig
The PublishingPublisherConfig has been added to encapsulate
ca.publish.publisher.* parameters.
- - - - -
79d6af4c by Endi S. Dewata at 2021-04-05T14:35:23-05:00
Add PublishingMapperConfig
The PublishingMapperConfig has been added to encapsulate
ca.publish.mapper.* parameters.
- - - - -
8c7ee283 by Endi S. Dewata at 2021-04-05T14:35:23-05:00
Add PublishingRuleConfig
The PublishingRuleConfig has been added to encapsulate
ca.publish.rule.* parameters.
- - - - -
1612f615 by Endi S. Dewata at 2021-04-05T14:49:00-05:00
Split PublisherProcessor into CAPublisherProcessor
The CA-specific code in PublisherProcessor has been moved
into CAPublisherProcessor.
- - - - -
40c44d47 by Endi S. Dewata at 2021-04-05T14:49:00-05:00
Move LdapRequestListener to pki-ca
- - - - -
232d60c7 by Endi S. Dewata at 2021-04-05T14:49:00-05:00
Move CAPublisherProcessor to pki-ca
- - - - -
e5f2cafc by Endi S. Dewata at 2021-04-05T14:49:00-05:00
Move LocalConnector to pki-ca
- - - - -
4d209526 by Endi S. Dewata at 2021-04-06T12:53:06-05:00
Move GetTransportCert to pki-kra
- - - - -
f046985b by Endi S. Dewata at 2021-04-06T12:53:08-05:00
Move IRequestQueue.getRequestRepository() to CAEngine
- - - - -
57aa2f37 by Endi S. Dewata at 2021-04-06T12:53:11-05:00
Refactor Repository constructor
The Repository constructor has been modified to take radix and
repository ID parameters.
- - - - -
994f0135 by Endi S. Dewata at 2021-04-06T12:53:13-05:00
Replace Repository.mRepo with repository config
The Repository.mRepo field that contains the repository ID
has been replaced with a repositoryConfig Hashtable.
- - - - -
90db55c8 by Endi S. Dewata at 2021-04-06T12:53:16-05:00
Remove unused methods in DBSubsystem
- - - - -
8f68df8f by Endi S. Dewata at 2021-04-06T12:53:16-05:00
Refactor repository config initialization
The code that initializes repository configs in DBSubsystem
has been moved into each repository constructor.
- - - - -
93893132 by Endi S. Dewata at 2021-04-06T17:33:41-05:00
Remove DBSubsystem singleton
The CMSEngine has been modified to create a new DBSubsystem
instance instead of use a singleton.
- - - - -
c0c1983f by Endi S. Dewata at 2021-04-06T17:34:20-05:00
Merge IRequestQueue into ARequestQueue
- - - - -
ecfbd717 by Endi S. Dewata at 2021-04-06T18:02:51-05:00
Refactor ARequestQueue.newRequest()
The ARequestQueue.newRequest() has been modified to take a
request ID.
- - - - -
3001de08 by Endi S. Dewata at 2021-04-06T18:04:25-05:00
Refactor CANotify constructor
The CANotify constructor has been modified to no longer
take a CertificateAuthority object.
- - - - -
7a618296 by Endi S. Dewata at 2021-04-06T18:09:35-05:00
Add RequestNotifier.getRequestRepository()
The RequestNotifier.getRequestRepository() has been added
to provide the request repository object.
- - - - -
c7e41c46 by Endi S. Dewata at 2021-04-06T18:09:54-05:00
Remove unused methods in ARequestQueue
- - - - -
925006c4 by Endi S. Dewata at 2021-04-06T18:11:42-05:00
Refactor KeyRequestDAO.getTransientData()
The KeyRequestDAO.getTransientData() has been modified to
get the KeyRecoveryAuthority object from KRAEngine.
- - - - -
520a02da by Endi S. Dewata at 2021-04-06T18:16:23-05:00
Refactor CMSRequestDAO.queue
The CMSRequestDAO.queue has been modified such that it will
be initialized by CMSRequestDAO subclasses.
- - - - -
82f7d2c5 by dpuniaredhat at 2021-04-07T19:36:59+05:30
Disable allow failure on QE upstream pipeline (#3494)
Signed-off-by: Deepak Punia <dpunia at redhat.com>
- - - - -
07f4c43a by Endi S. Dewata at 2021-04-07T09:19:51-05:00
Remove unused DBSubsystem.mRepos
- - - - -
bcd4b32c by Endi S. Dewata at 2021-04-07T09:19:53-05:00
Move DBSubsystem.setMin/MaxSerialConfig() to Repository
- - - - -
8ce2f2dc by Endi S. Dewata at 2021-04-07T09:19:54-05:00
Move DBSubsystem.setNextMin/MaxSerialConfig() to Repository
- - - - -
3b7ab61d by Endi S. Dewata at 2021-04-07T09:44:25-05:00
Move DBSubsystem.getNextRange() to Repository
- - - - -
96786ec9 by Endi S. Dewata at 2021-04-07T09:44:25-05:00
Move DBSubsystem.hasRangeConflict() to Repository
- - - - -
f5849ec1 by Endi S. Dewata at 2021-04-07T09:44:25-05:00
Move DBSubsystem.getNextMin/MaxSerialConfig() to Repository
- - - - -
c3ca0959 by Endi S. Dewata at 2021-04-07T10:36:42-05:00
Remove redundant DBSubsystem.NAME
- - - - -
961ffdd3 by Endi S. Dewata at 2021-04-07T15:20:58-05:00
Replace DBSubsystem.PROP_BASEDN with Repository.mBaseDN
- - - - -
cf5e092f by Endi S. Dewata at 2021-04-07T15:21:20-05:00
Replace DBSubsystem.PROP_RANGE_DN with Repository.rangeDN
- - - - -
8a9bb61d by Endi S. Dewata at 2021-04-07T15:22:00-05:00
Replace DBSubsystem.PROP_MIN with Repository.mMinSerialNo
- - - - -
3146efa5 by Endi S. Dewata at 2021-04-07T15:29:07-05:00
Replace DBSubsystem.PROP_MAX with Repository.mMaxSerialNo
- - - - -
f1edf67c by Endi S. Dewata at 2021-04-07T15:29:07-05:00
Replace DBSubsystem.PROP_NEXT_MIN with Repository.mNextMinSerialNo
- - - - -
1be8e849 by Endi S. Dewata at 2021-04-07T15:31:14-05:00
Replace DBSubsystem.PROP_NEXT_MAX with Repository.mNextMaxSerialNo
- - - - -
8c27fa49 by Endi S. Dewata at 2021-04-07T15:31:14-05:00
Replace DBSubsystem.PROP_LOW_WATER_MARK with Repository.mLowWaterMarkNo
- - - - -
734c06c7 by Endi S. Dewata at 2021-04-07T15:31:14-05:00
Replace DBSubsystem.PROP_INCREMENT with Repository.mIncrementNo
- - - - -
144234ea by Endi S. Dewata at 2021-04-07T15:31:14-05:00
Clean up OCSP test artifacts
The OCSP tests have been modified to store PKI and DS config
files and log files into a single file.
- - - - -
2824c7e5 by Endi S. Dewata at 2021-04-07T19:10:32-05:00
Update log messages in PublisherProcessor.getRules()
- - - - -
a1eeb629 by Endi S. Dewata at 2021-04-07T19:10:32-05:00
Update log messages in LdapSimpleMap
- - - - -
f5a02cd2 by Endi S. Dewata at 2021-04-07T19:17:41-05:00
Update log messages in LdapCaSimpleMap
- - - - -
43613046 by Endi S. Dewata at 2021-04-07T19:21:59-05:00
Update log messages in LdapCrlPublisher
- - - - -
7c25ef38 by Endi S. Dewata at 2021-04-07T19:21:59-05:00
Update log messages in LdapUserCertPublisher
- - - - -
ec110e58 by Endi S. Dewata at 2021-04-07T19:21:59-05:00
Update log messages in LdapRule
- - - - -
8e719766 by Endi S. Dewata at 2021-04-07T19:25:36-05:00
Update log messages in LdapSimpleExpression
- - - - -
7306e97e by Endi S. Dewata at 2021-04-08T09:30:22-05:00
Update docs for deploying ACME with DS on OpenShift
- - - - -
988939d0 by Endi S. Dewata at 2021-04-08T11:32:05-05:00
Remove redundant Repository.setSerialNumber()
- - - - -
b4114079 by Endi S. Dewata at 2021-04-08T11:32:08-05:00
Remove unused Repository.mNext
- - - - -
b3ff1117 by Endi S. Dewata at 2021-04-08T11:32:10-05:00
Remove unused Repository.BI_INCREMENT
- - - - -
f0d33a2f by Endi S. Dewata at 2021-04-08T11:32:13-05:00
Remove unused IRepository.resetSerialNumber()
- - - - -
4b56cbdd by Endi S. Dewata at 2021-04-08T11:32:16-05:00
Remove unused ARequestQueue.getPagedRequests()
- - - - -
081eb1e9 by Endi S. Dewata at 2021-04-08T11:32:17-05:00
Move ListEnumeration into separate file
- - - - -
8b58bf79 by Endi S. Dewata at 2021-04-08T11:32:21-05:00
Move SearchEnumeration into separate file
- - - - -
97f3daf9 by Endi S. Dewata at 2021-04-08T13:07:22-05:00
Add test for PKI NSS CLI with ECC
- - - - -
ea9ddaf5 by Endi S. Dewata at 2021-04-08T13:32:51-05:00
Move KRA's request repository and queue into CMSEngine
- - - - -
e6d0bd00 by Endi S. Dewata at 2021-04-08T13:32:51-05:00
Remove redundant ARequestNotifier.getRequestQueue()
- - - - -
b7606ee8 by Endi S. Dewata at 2021-04-08T13:32:51-05:00
Remove redundant Profile.getRequestQueue()
- - - - -
288c4927 by Endi S. Dewata at 2021-04-08T13:32:51-05:00
Remove redundant IAuthority.getRequestQueue()
- - - - -
dcb87d4c by Endi S. Dewata at 2021-04-08T13:32:51-05:00
Remove redundant ICertificateAuthority.getRequestQueue()
- - - - -
05929a14 by Endi S. Dewata at 2021-04-08T13:32:51-05:00
Remove redundant IKeyRecoveryAuthority.getRequestQueue()
- - - - -
d2560cf1 by Endi S. Dewata at 2021-04-08T13:32:51-05:00
Remove redundant IRegistrationAuthority.getRequestQueue()
- - - - -
393766d1 by Endi S. Dewata at 2021-04-08T13:32:51-05:00
Remove redundant ITKSAuthority.getRequestQueue()
- - - - -
4439263d by Endi S. Dewata at 2021-04-08T13:34:35-05:00
Remove redundant CertificateAuthority.getRequestQueue()
- - - - -
ba213056 by Endi S. Dewata at 2021-04-08T13:34:38-05:00
Remove redundant KeyRecoveryAuthority.getRequestQueue()
- - - - -
c16db929 by Endi S. Dewata at 2021-04-08T13:34:41-05:00
Remove redundant OCSPAuthority.getRequestQueue()
- - - - -
05f750a7 by Endi S. Dewata at 2021-04-08T13:35:00-05:00
Remove redundant TKSAuthority.getRequestQueue()
- - - - -
49867ef2 by Endi S. Dewata at 2021-04-08T13:35:06-05:00
Remove redundant TPSSubsystem.getRequestQueue()
- - - - -
30aa783a by Endi S. Dewata at 2021-04-08T13:35:12-05:00
Remove redundant ChallengePhraseAuthentication.getReqQueue()
- - - - -
ae4a72a9 by Endi S. Dewata at 2021-04-08T13:35:20-05:00
Remove redundant SSLClientCertAuthentication.getReqQueue()
- - - - -
045d59cc by Endi S. Dewata at 2021-04-08T13:35:24-05:00
Remove redundant CMSEngine.getReqQueue()
- - - - -
02f2da00 by Endi S. Dewata at 2021-04-08T13:35:27-05:00
Remove redundant KeyRecoveryAuthority.getRequestRepository()
- - - - -
40ea7b87 by Endi S. Dewata at 2021-04-08T13:35:32-05:00
Remove redundant RequestNotifier.getRequestRepository()
- - - - -
7c044623 by Endi S. Dewata at 2021-04-08T15:55:01-05:00
Remove redundant EnrollmentRequest
- - - - -
e734153b by Endi S. Dewata at 2021-04-08T17:53:54-05:00
Remove redundant ARequestQueue.createRequest()
- - - - -
185f62f2 by Endi S. Dewata at 2021-04-08T17:53:58-05:00
Merge ARequestRecord into RequestRecord
- - - - -
7a8775b1 by Endi S. Dewata at 2021-04-08T18:36:23-05:00
Merge IRequestRecord into RequestRecord
- - - - -
69e08bec by Endi S. Dewata at 2021-04-08T18:36:26-05:00
Convert anonymous RequestAttr into RequestType
- - - - -
31fc25ef by Endi S. Dewata at 2021-04-08T18:36:26-05:00
Add IRequest.setCreationTime() and setModificationTime()
- - - - -
2e38b81c by Endi S. Dewata at 2021-04-08T18:36:26-05:00
Remove unused IRequestMod from RequestAttr.read()
- - - - -
0eb3f190 by Endi S. Dewata at 2021-04-08T18:36:26-05:00
Remove unused IRequestMod from RequestRecord.read()
- - - - -
b4d4ceeb by Endi S. Dewata at 2021-04-08T18:36:26-05:00
Remove unused IRequestMod
- - - - -
05275461 by Endi S. Dewata at 2021-04-08T18:36:26-05:00
Add RequestRecord.toRequest()
- - - - -
5b6a6f7b by Endi S. Dewata at 2021-04-08T18:36:26-05:00
Replace RequestQueue.makeRequest() with RequestRecord.toRequest()
- - - - -
ed07e270 by Endi S. Dewata at 2021-04-09T11:32:10-05:00
Merge RequestQueue.getLastRequestIdInRange() into RequestRepository
- - - - -
7f806d08 by Endi S. Dewata at 2021-04-09T11:32:10-05:00
Merge ARequestQueue.getPagedRequestsByFilter()
- - - - -
f68f86e0 by Endi S. Dewata at 2021-04-09T12:37:22-05:00
Move RequestQueue.getPagedRequestsByFilter() into RequestRepository
- - - - -
2b178ff4 by Endi S. Dewata at 2021-04-09T12:37:22-05:00
Remove unused RequestRepository.mRequestQueue
- - - - -
49d4716a by Endi S. Dewata at 2021-04-09T13:46:35-05:00
Remove unused Repository.getSerialNumber()
- - - - -
88e095e0 by Endi S. Dewata at 2021-04-09T13:46:36-05:00
Remove unused DBSubsystem.mNextSerialConfig
- - - - -
9aaf6868 by Endi S. Dewata at 2021-04-09T13:46:36-05:00
Move ARequestQueue.newRequestId() into RequestRepository
- - - - -
03e2a855 by Endi S. Dewata at 2021-04-09T13:46:36-05:00
Move ARequestQueue.newEphemeralRequestId() into RequestRepository
- - - - -
c8044bbe by Endi S. Dewata at 2021-04-09T13:46:36-05:00
Move ARequestQueue.cloneRequest() into RequestQueue
- - - - -
204c2dcf by Endi S. Dewata at 2021-04-09T13:46:36-05:00
Move ARequestQueue.newRequest() into RequestRepository
- - - - -
4df39b8c by Endi S. Dewata at 2021-04-09T13:54:38-05:00
Move RequestQueue.newRequest() to RequestRepository
- - - - -
f2168b8d by Endi S. Dewata at 2021-04-09T13:54:38-05:00
Move RequestQueue.addRequest() to RequestRepository
- - - - -
86497d8f by Endi S. Dewata at 2021-04-09T16:31:04-05:00
Remove redundant CertificateRepository.createCertRecord()
- - - - -
ba94e261 by Endi S. Dewata at 2021-04-09T16:52:14-05:00
Move CAConfigurator.createCertRecord() into CertificateRepository
- - - - -
0beb04af by Endi S. Dewata at 2021-04-09T16:52:15-05:00
Move ARequestQueue.updateRequest() to RequestQueue
- - - - -
9fd8bdc2 by Endi S. Dewata at 2021-04-09T16:52:15-05:00
Move RequestQueue.modifyRequest() to RequestRepository
- - - - -
daebec6f by Endi S. Dewata at 2021-04-09T16:52:15-05:00
Remove redundant ARequestQueue.setRequestStatus()
- - - - -
f3b674c5 by Endi S. Dewata at 2021-04-09T17:01:05-05:00
Rename CertInfoProfile into BootstrapProfile
- - - - -
b449cdf2 by Endi S. Dewata at 2021-04-09T17:17:19-05:00
Move CAConfigurator.initCertRequest() to CAEngine
- - - - -
589b3828 by Endi S. Dewata at 2021-04-09T17:17:19-05:00
Move CAConfigurator.updateLocalRequest() to CAEngine
- - - - -
8099d25c by Endi S. Dewata at 2021-04-12T13:24:12-05:00
Add scripts to save test artifacts
- - - - -
bffbb0ca by Endi S. Dewata at 2021-04-12T13:24:12-05:00
Clean up TKS test artifacts
The TKS tests have been modified to store PKI and DS config
and log files into a single tarball.
- - - - -
4997c3e8 by Endi S. Dewata at 2021-04-12T13:24:12-05:00
Clean up TPS test artifacts
The TPS tests have been modified to store PKI and DS config
and log files into a single tarball.
- - - - -
2afe6141 by Endi S. Dewata at 2021-04-12T13:31:36-05:00
Clean up ACME test artifacts
The ACME tests have been modified to store PKI and DS config
and log files into a single tarball.
- - - - -
70ca1ab0 by Endi S. Dewata at 2021-04-12T15:27:53-05:00
Clean up IPA test artifacts
The IPA tests have been modified to store IPA, PKI, and DS
config and log files into a single tarball.
- - - - -
27e6e67f by Endi S. Dewata at 2021-04-12T15:27:53-05:00
Clean up QE test artifacts
The QE tests have been modified to store PKI and DS config
and log files into a single tarball.
- - - - -
6fc465f8 by Endi S. Dewata at 2021-04-12T18:24:37-05:00
Fix UpdateAllowLinking.update_context_xml()
The UpdateAllowLinking.update_context_xml() has been modified
to check whether the context.xml exists before upgrading it.
- - - - -
6cb4fd96 by Endi S. Dewata at 2021-04-12T18:24:40-05:00
Split RequestRepository for certs and keys
The RequestRepository has been split into CertRequestRepository
and KeyRequestRepository which use different filters.
- - - - -
64d22050 by dpuniaredhat at 2021-04-13T17:52:36+05:30
acme upstream pipeline fixes (#3496)
Fixes the acme openshift database file entry. earlier it was using the default commented postgress entry.
Signed-off-by: Deepak Punia <dpunia at redhat.com>
- - - - -
cfbff0cd by Endi S. Dewata at 2021-04-13T18:27:01-05:00
Clean up CryptoUtil.generateECCKeyPair() parameters
The CryptoUtil.generateECCKeyPair() parameters have been
reordered for consistency with generateRSAKeyPair().
- - - - -
edb7204a by Endi S. Dewata at 2021-04-14T10:45:30-05:00
Move GenerateKeyPairServlet to pki-kra
- - - - -
86ca2d43 by Endi S. Dewata at 2021-04-14T13:40:43-05:00
Move RequestQueue.readRequest() to RequestRepository
- - - - -
b20fb3f0 by Endi S. Dewata at 2021-04-14T13:40:43-05:00
Add CAEngine.getCertRequestRepository()
- - - - -
8c6aff1e by Endi S. Dewata at 2021-04-14T13:40:43-05:00
Add KRAEngine.getKeyRequestRepository()
- - - - -
ed885382 by Endi S. Dewata at 2021-04-14T20:49:00-05:00
Merge CertificateAuthority.createCertInfo() into CAConfigurator
- - - - -
1acf07a5 by Endi S. Dewata at 2021-04-14T20:49:03-05:00
Refactor CAEngine.updateCertRequest()
The CAEngine.updateCertRequest() has been modified to take
an X500Name subjectName instead of String.
- - - - -
ce4d7551 by Endi S. Dewata at 2021-04-15T15:12:50-05:00
Refactor Configurator.createLocalCert()
The Configurator.createLocalCert() has been modified to take
issuer DN and signing private key parameters.
- - - - -
899f5ed5 by Endi S. Dewata at 2021-04-15T15:12:50-05:00
Remove unused fields reported by Eclipse
- - - - -
93251e37 by Endi S. Dewata at 2021-04-15T15:12:50-05:00
Replace deprecated Boolean constructor
- - - - -
4149088e by Endi S. Dewata at 2021-04-15T15:12:50-05:00
Replace deprecated Integer constructor
- - - - -
78998acc by Endi S. Dewata at 2021-04-15T15:12:50-05:00
Replace deprecated Long constructor
- - - - -
567692b4 by Endi S. Dewata at 2021-04-15T15:12:50-05:00
Replace deprecated Class.newInstance()
- - - - -
af8664e7 by Endi S. Dewata at 2021-04-15T15:12:50-05:00
Replace deprecated IOUtils.toString()
- - - - -
47597173 by Endi S. Dewata at 2021-04-15T16:01:47-05:00
Move RequestQueue.listRequestsByFilter() to RequestRepository (part 1)
- - - - -
064f7e16 by Endi S. Dewata at 2021-04-15T16:01:47-05:00
Move RequestQueue.listRequestsByFilter() to RequestRepository (part 2)
- - - - -
01fbbafb by Endi S. Dewata at 2021-04-15T16:05:59-05:00
Move RequestQueue.listRequestsByFilter() to RequestRepository (part 3)
- - - - -
b190a9ed by Endi S. Dewata at 2021-04-15T17:48:13-05:00
Move ARequestQueue.recoverWillBlock() to RequestQueue
- - - - -
25a0911b by Endi S. Dewata at 2021-04-15T17:48:13-05:00
Replace RequestQueue.findRequest() in CMSRequestDAO
- - - - -
921a0717 by Endi S. Dewata at 2021-04-15T17:48:13-05:00
Replace RequestQueue.findRequest() in CMSServlet
- - - - -
a170d8a9 by Endi S. Dewata at 2021-04-15T17:48:13-05:00
Replace RequestQueue.findRequest() with RequestRepository.readRequest()
- - - - -
00c0c419 by Endi S. Dewata at 2021-04-15T20:17:12-05:00
Split ProcessReq for certs and keys
- - - - -
bd423877 by Endi S. Dewata at 2021-04-15T20:17:12-05:00
Split SearchReqs for certs and keys
- - - - -
35f3a973 by Endi S. Dewata at 2021-04-15T20:23:59-05:00
Split QueryReq for certs and keys
- - - - -
38ddfb50 by Endi S. Dewata at 2021-04-15T20:23:59-05:00
Move GetCertFromRequest to pki-ca
- - - - -
84cbbe9f by Endi S. Dewata at 2021-04-15T20:23:59-05:00
Move ImportCertsTemplateFiller to pki-ca
- - - - -
a6efac62 by Endi S. Dewata at 2021-04-15T20:23:59-05:00
Move GetEnableStatus to pki-ca
- - - - -
96dac5fa by Endi S. Dewata at 2021-04-15T20:23:59-05:00
Move CertReqParser to pki-ca
- - - - -
c90ae080 by Endi S. Dewata at 2021-04-15T20:23:59-05:00
Move KeyReqParser to pki-kra
- - - - -
f7d15bed by Endi S. Dewata at 2021-04-19T10:02:59-05:00
Replace RequestStatus.fromString() with valueOf()
- - - - -
c86aca59 by Endi S. Dewata at 2021-04-19T13:28:55-05:00
Add JSON converter for CertRequestInfos
- - - - -
b4ccf4b8 by Endi S. Dewata at 2021-04-19T14:37:48-05:00
Move CMSEngine.initCertRequest() to CertRequestRepository
- - - - -
85810814 by Endi S. Dewata at 2021-04-19T14:53:47-05:00
Move CAEngine.updateCertRequest() to CertRequestRepository
- - - - -
0835ad75 by Endi S. Dewata at 2021-04-19T15:29:22-05:00
Swap params in CertRequestRepository.initRequest() and updateRequest()
- - - - -
76fff8d7 by Christina Fu at 2021-04-20T17:13:50-07:00
Update ServerSideKeygen.adoc
- - - - -
287bfdac by Christina Fu at 2021-04-22T16:14:11-07:00
Bug1952628 CRMF requests with non-SKID extensions
This patch address the issue where if a CRMF request bears any extension
other than SKID then it fails to process.
fixes https://bugzilla.redhat.com/show_bug.cgi?id=1952628
- - - - -
642e25a3 by Endi S. Dewata at 2021-04-23T07:02:46-05:00
Fix cert file loading in CryptographyCryptoProvider
As suggested by cheimes, the CryptographyCryptoProvider
has been modified to load the cert file as binary.
Resolves: https://github.com/dogtagpki/pki/issues/3499
- - - - -
396241d1 by Christian Heimes at 2021-04-23T10:12:05-05:00
Make python-nss optional
Signed-off-by: Christian Heimes <cheimes at redhat.com>
- - - - -
e02f3934 by Christian Heimes at 2021-04-23T10:12:05-05:00
Remove deprecated DRM client
The code was marked as deprecated in commit f4aafb999e from 2014.
- - - - -
e005cb74 by Endi S. Dewata at 2021-04-23T10:30:56-05:00
Move ARequestQueue.markRequestPending() to RequestQueue
- - - - -
ea613d16 by Endi S. Dewata at 2021-04-23T10:30:59-05:00
Move ARequestQueue.cancelRequest() to RequestQueue
- - - - -
83873611 by Endi S. Dewata at 2021-04-23T10:31:02-05:00
Move ARequestQueue.rejectRequest() to RequestQueue
- - - - -
48dc1ba4 by Endi S. Dewata at 2021-04-23T10:31:06-05:00
Move ARequestQueue.approveRequest() to RequestQueue
- - - - -
5203e26e by Endi S. Dewata at 2021-04-23T10:31:08-05:00
Move ARequestQueue.markAsServiced() to RequestQueue
- - - - -
c03c8c87 by Endi S. Dewata at 2021-04-26T13:05:55-05:00
Remove unused SecurityDomainLogin servlet
- - - - -
30274623 by Endi S. Dewata at 2021-04-26T13:05:55-05:00
Remove unused LoginServlet
- - - - -
cdf7fe10 by Endi S. Dewata at 2021-04-26T13:05:55-05:00
Remove unused BaseServlet
- - - - -
87ec464c by Endi S. Dewata at 2021-04-26T13:05:55-05:00
Remove velocity dependency
The remaining servlets that use velocity have been removed
since they are no longer used so the velocity dependency
can be removed as well.
Resolves: #1952969
- - - - -
fd06a6d6 by Endi S. Dewata at 2021-04-27T07:58:56-05:00
Reorganized ACME database configuration docs
- - - - -
41d0ddab by Chris Kelley at 2021-04-30T17:54:29+01:00
Remove unused istack-commons-runtime.jar from classpath
Resolves build issue in f33+
- - - - -
994650a9 by Endi S. Dewata at 2021-05-03T21:53:57-05:00
Fix missing pip3 in QE test
- - - - -
93eed0ce by Endi S. Dewata at 2021-05-03T23:25:14-05:00
Reorganize CA sources
The CA main and test code has been moved into base/ca/src/main
and base/ca/src/test. All references have been updated.
- - - - -
6928ce60 by dependabot[bot] at 2021-05-04T14:21:00-05:00
Bump commons-io from 2.6 to 2.7
Bumps commons-io from 2.6 to 2.7.
Signed-off-by: dependabot[bot] <support at github.com>
- - - - -
c78b43c2 by Endi S. Dewata at 2021-05-04T14:44:19-05:00
Reorganize KRA sources
The KRA main and test code has been moved into base/kra/src/main
and base/kra/src/test. All references have been updated.
- - - - -
7fd5cb49 by Endi S. Dewata at 2021-05-04T15:45:05-05:00
Reorganize OCSP sources
The OCSP sources have been moved into base/ocsp/src/main.
All references have been updated.
- - - - -
9f8abf63 by Endi S. Dewata at 2021-05-04T17:04:41-05:00
Reorganize TKS sources
The TKS sources have been moved into base/tks/src/main.
All references have been updated.
- - - - -
0f95c778 by Endi S. Dewata at 2021-05-04T17:48:15-05:00
Reorganize TPS sources
The TPS sources have been moved into base/tps/src/main.
All references have been updated.
- - - - -
5b1578e4 by Endi S. Dewata at 2021-05-04T17:50:35-05:00
Reorganize Console sources
The Console sources have been moved into base/console/src/main.
All references have been updated.
- - - - -
189d16fa by Endi S. Dewata at 2021-05-04T18:31:05-05:00
Reorganize Server sources
The Server main and test sources have been moved into
base/server/src/main and base/server/src/test. All references
have been updated.
- - - - -
5271e8af by Endi S. Dewata at 2021-05-04T19:05:25-05:00
Remove unused CMake variables
- - - - -
1e947dc5 by Endi S. Dewata at 2021-05-04T19:54:37-05:00
Reorganize Tomcat sources
The Tomcat sources have been moved into base/tomcat/src/main
and base/tomcat-9.0/src/main. All references have been updated.
- - - - -
6b610b53 by Pritam Singh at 2021-05-05T15:05:53+05:30
Added_fix_for_upstream_topo_00_master (#3507)
[SKIP CI]
Added_fix_for_upstream_topo_00_master
Signed-off-by: Pritam Singh <prisingh at redhat.com>
- - - - -
1599f78a by Chris Kelley at 2021-05-06T14:49:37+01:00
Replace deprecated java.awt.Dialog::{hide,show} with setVisible(boolean)
These methods were deprecated in Java 1.5. They are overrides of methods
defined in java.awt.Component, which were themselves deprecated back in
Java 1.1! Some care required was required as we could change behaviour
if we defined a subclass of Dialog and override show() or hide(), but I
couldn't find any examples of this in the codebase so I think we're
fine.
- - - - -
a1afd954 by Endi S. Dewata at 2021-05-06T18:16:12-05:00
Update QE tests
The QE tests have been modified to run on the latest
Ubuntu container and use the latest python-ansible.
- - - - -
b36fe2ee by Endi S. Dewata at 2021-05-06T18:16:20-05:00
Remove unused commons-httpclient.jar from .classpath
- - - - -
4cdf952a by Chris Kelley at 2021-05-07T10:37:28+01:00
Replace JTable.createScrollPaneForTable with JScrollPane constructor
The JTable method is deprecated.
- - - - -
5528d202 by Chris Kelley at 2021-05-07T10:37:28+01:00
Replace deprecated JTable::sizeColumnsToFit(true) with JTable.doLayout()
- - - - -
193ce9d6 by Chris Kelley at 2021-05-07T10:37:28+01:00
Replace deprecated Sui{OptionPane,Table} with J{OptionPane,Table}
I couldn't find any source for
com.netscape.management.nmclf.SuiOptionPane, but the bytecode says it
extends JOptionPane. Replacing references with the superclass compiles
but my bytecode reading isn't strong enough to see if the Sui version,
whatever it is, overloaded either of these methods.
- - - - -
6d318e74 by Chris Kelley at 2021-05-07T15:57:42+01:00
Remove unnecessary @SuppressWarnings annotations
No functional change, just unnecessary instructions for the compiler.
- - - - -
f8c62034 by Chris Kelley at 2021-05-07T15:57:42+01:00
Remove unused private methods
Not called within their classes so just clutter.
ConfigurationTest.generateCRMFRequest has been made public, we want to
keep this method and make it accessible via CLI
- - - - -
932e4dad by Chris Kelley at 2021-05-07T15:57:42+01:00
Remove unused field mQueue from CheckRequest
Removing this field makes the local variable engine redundant, so this
too is removed.
- - - - -
6dc331a4 by Endi S. Dewata at 2021-05-07T09:58:13-05:00
Remove JNA dependency
The SystemdStartupNotifier has been renamed to SystemdNotifier
and modified to use systemd-notify instead of JNA to notify
other systems when the subsystem is ready.
Since the SystemdNotifier is no longer dependent on JNA, it
has been moved into pki-server.jar and the JNA dependency has
been dropped.
The StartupNotifier has been renamed into SubsystemListener
such that it can be expanded to listen to other subsystem
events (e.g. shutdown).
Resolves: #1953671
- - - - -
ef9b9bdf by Fraser Tweedale at 2021-05-07T09:58:13-05:00
SystemdNotifier: document how to configure systemd unit
- - - - -
e202ef69 by Endi S. Dewata at 2021-05-07T11:04:22-05:00
Reorganize ACME issuer doc
- - - - -
6d706a47 by Endi S. Dewata at 2021-05-07T13:07:14-05:00
Reorganize ACME realm doc
- - - - -
b79c8e87 by Endi S. Dewata at 2021-05-07T14:27:00-05:00
Add ACME metadata doc
- - - - -
a497903c by Endi S. Dewata at 2021-05-07T17:18:40-05:00
Update ACME install doc
- - - - -
0a8a1083 by fdelehay at 2021-05-10T17:51:12+02:00
Update Nuxwdog.md
typo in command
- - - - -
400fbaec by Tomasz Torcz at 2021-05-10T12:59:55-05:00
acme: don't fail on resubmitted valid challenges
Some acme clients, like cert-manager, happen to resubmit already
valid challenges. This is not 100% in line with RFC8555, but it is
not a reason to throw Exception.
- - - - -
82ab12ac by Endi S. Dewata at 2021-05-11T11:30:20-05:00
Restore pytest-ansible 2.2.3
Previously the requirements.txt was changed in commit
a1afd9548bd241520d0ef3924fa57ef9569056be to remove
the explicit version number for pytest-ansible. Since
it's causing some problems the change is reverted.
- - - - -
c92a0bb9 by Chris Kelley at 2021-05-13T16:27:03+01:00
Update GitHub workflows to run against F34 and not EOL F32
- - - - -
7bc7d443 by Endi S. Dewata at 2021-06-14T16:59:52-05:00
Fix installation with HSM
During installation with HSM the server is
stopped to import the permanent SSL server cert
into the NSS database. This operation creates
new files in the NSS database directory with a
wrong ownership and permissions, so the server
fails to start again.
To fix the problem the NSS database ownership
and permissions need to be reset after importing
the permanent SSL server cert.
- - - - -
da72a3cf by Endi S. Dewata at 2021-06-14T16:59:52-05:00
Clean up deployment loggers
All loggers used for deployment have been changed to
use the module name such that they can be referred to
collectively as 'pki'.
- - - - -
6e62953d by Endi S. Dewata at 2021-06-14T16:59:53-05:00
Merge base/test into base/util/src/test
- - - - -
1f01f0fb by Chris Kelley at 2021-06-14T16:59:53-05:00
Add new constructor to com.netscape.certsrv.base.Link class
The deprecated org.jboss.resteasy.plugins.providers.atom.Link has a
constructor with signature Link(String, URI), but our chosen temporary
replacement does not. As we are attempting to preserve the API by making
this temporary switch, I create a new constructor with the current
signature instead of modifying the calling code.
- - - - -
d1b7869a by Chris Kelley at 2021-06-14T16:59:53-05:00
Fix createCreatedResponse methods that now expect URI, but take String
- - - - -
39180502 by Chris Kelley at 2021-06-14T16:59:53-05:00
Switch org.jboss.resteasy.plugins.providers.atom.Link for
com.netscape.certsrv.base.Link.Link
Converts old Link.getRel() -> new Link.getRelationship()
- - - - -
61008e97 by Chris Kelley at 2021-06-14T16:59:53-05:00
Remove dependency on resteasy-atom-provider
- - - - -
8a6e21e2 by dpuniaredhat at 2021-06-14T16:59:53-05:00
Updating the IMG_NAME to execute QE test on Fedora 33 (#3531)
Currently QE test are getting executed on Fedora 32 and updating that to execute test cases on Fedora 33
Signed-off-by: Deepak Punia <dpunia at redhat.com>
- - - - -
4d10b4a5 by Endi S. Dewata at 2021-06-14T16:59:53-05:00
Drop pytest-runner dependency
The dependency on pytest-runner has been dropped since
it has been deprecated.
Resolves: #1961613
- - - - -
1e859ed9 by Christina Fu at 2021-06-14T16:59:53-05:00
Bug 1925311 RFE Add a Boolean to Not Allow a CA Certificate Issued Past Issuing CA's Validity
This RFE was to request for a boolean to disallow ca certs being issued past
the CA's own validity. As it turns out, such a boolean does exist in
CAValidityDefault.java which is a profile default plugin that's used
by the profile caCACert.cfg. The variable is called bypassCAnotafter.
When it's true, the requested ca signing cert is allowed to past the
signing CA's notAfter, while if false (which is the default), the natAfter time
would be reset to match that of the signing CA's.
The problem is, as I found out during my investigation, there is a bug in
the plugin so it is always treated as false. I have it fixed in this patch.
However, I think the reporter didn't use this profile default plugin, as
if so they would not have reported the issue; I think the proper solution
should be a system-wide boolean in CS.cfg, although the additional one in
the plugin to allows for finer control.
I'm leaving the fix in CAValidityDefault.java to get some feedback from
the reviewer.
The new bolean in CS.cfg is called ca.enablePastCATime
fixes https://bugzilla.redhat.com/show_bug.cgi?id=1925311
- - - - -
9c759ce4 by Chris Kelley at 2021-06-14T16:59:53-05:00
Replace deprecated PosixParser with DefaultParser
- - - - -
d6b99d08 by Chris Kelley at 2021-06-14T16:59:53-05:00
Remove redundant superinterface implementations
- - - - -
3e4f14de by Chris Kelley at 2021-06-14T16:59:53-05:00
Add missing @Deprecated annotations
- - - - -
c8efa0ac by Chris Kelley at 2021-06-14T16:59:53-05:00
Add missing @Override annotations
- - - - -
1dd53e02 by Chris Kelley at 2021-06-14T16:59:53-05:00
Remove unnecessary type specification and replace with diamond operator
Automatically generated by Eclipse
- - - - -
d34f793b by Chris Kelley at 2021-06-14T16:59:53-05:00
Replace deprecated Double constructor
- - - - -
521b57bd by Chris Kelley at 2021-06-14T16:59:53-05:00
Convert CertificateRepository to use try-with-resources
- - - - -
7bc0f33d by Endi S. Dewata at 2021-06-14T16:59:53-05:00
Drop git dependency
- - - - -
e4573377 by Chris Kelley at 2021-06-14T16:59:53-05:00
Simplify AAclAuthz.isTypeUnique() method
- - - - -
7f919e40 by Chris Kelley at 2021-06-14T16:59:53-05:00
Remove unused log() method from JssSSLSocketFactory
No references to this method in the workspace
- - - - -
b4cb7ca0 by Chris Kelley at 2021-06-14T16:59:53-05:00
Autoformat JssSSLSocketFactory
- - - - -
32cb06bd by Chris Kelley at 2021-06-14T16:59:54-05:00
Remove getExtensionAt() method
No references in the workspace
- - - - -
a147e0b9 by Chris Kelley at 2021-06-14T16:59:54-05:00
Autoformat SingleResponse
- - - - -
a8538181 by Endi S. Dewata at 2021-06-14T16:59:54-05:00
Fix build.sh --without-test
The build.sh and pki.spec file have been modified not to
run the test when the --without-test option is specified.
- - - - -
c214e43e by Endi S. Dewata at 2021-06-14T16:59:54-05:00
Fix CMake files to optionally build without test
The CMake files have been modified not to build the test
classes when the --without-test is specified.
- - - - -
4ac30852 by Endi S. Dewata at 2021-06-14T16:59:54-05:00
Remove unused code
- - - - -
26c9ff81 by dpuniaredhat at 2021-06-14T16:59:54-05:00
Bug Automation 1925311 RFE Add a Boolean to Not Allow a CA Certificate Issued past issuing CA's Validity (#3545)
Signed-off-by: Deepak Punia <dpunia at redhat.com>
- - - - -
15eaaaa1 by Chandan Pinjani at 2021-06-14T16:59:54-05:00
Enabled beaker provisioning for pytest-ansible (#3542)
Signed-off-by: Chandan Pinjani <cpinjani at redhat.com>
Co-authored-by: Chandan Pinjani <cpinjani at redhat.com>
- - - - -
22f705c5 by Christina Fu at 2021-06-14T16:59:54-05:00
Bug1889434 Unable to start HSM configured CA with after enabling Nuxwdog
The bug itself was actually a "not a bug" according to Chandan's latest
finding how it was working again when setup on a different vm.
However, I found a possible issue that could only be seen on the vm
where he initially had issue with. I don't know how to reproduce other
than being able to see the correct message if my debugging was enabled
in this patch.
The nature of the issue that this patch tries to fix is that in case
when pwd is returned with "keyctl_read_alloc:..." regarding password not
found, and it treated the result as thought it was a password to be
saved.
relating to https://bugzilla.redhat.com/show_bug.cgi?id=1889434
- - - - -
7fc6c648 by Endi S. Dewata at 2021-06-14T16:59:54-05:00
Update Java dependency
The spec file has been modified to use Java 1.8.0 on
Fedora 32 and RHEL 8, and Java 11 on other platforms.
- - - - -
c3f860e3 by Endi S. Dewata at 2021-06-14T16:59:54-05:00
Use password file when creating admin user
The pki-server <subsystem>-user-add has been updated to
provide a --password-file option. The deployment tool
has been modified to use this option when creating the
admin user to avoid the password from getting logged in
the debug mode.
Resolves: CVE-2021-3551
- - - - -
b022fafa by Endi S. Dewata at 2021-06-14T16:59:54-05:00
Fix permission for new installation logs
The enable_pki_logger() has been updated to disable
world access for new installation logs to be created
in /var/log/pki.
Resolves: CVE-2021-3551
- - - - -
9e213c22 by Endi S. Dewata at 2021-06-14T16:59:54-05:00
Fix permission for existing installation logs
The spec file has been updated to remove world access
from existing installation logs in /var/log/pki.
Resolves: CVE-2021-3551
- - - - -
dd5bb9cd by Chris Kelley at 2021-06-14T16:59:54-05:00
Remove IConfigPasswordCheck interface
There is only one implementation in PasswordChecker, and it 1)
duplicates the functionality of the IPasswordCheck interface/impl and 2)
is not referenced anywhere in the workspace.
Also, we don't care about the distinction between an empty password and
a password that is too short when we are deciding if the password is
good, which greatly simplifies isGoodPassword().
- - - - -
7f0e089c by Endi S. Dewata at 2021-06-14T16:59:54-05:00
Add missing apache-commons-logging dependency
- - - - -
c6158ec3 by Endi S. Dewata at 2021-06-14T16:59:54-05:00
Remove unused references to commons-httpclient.jar
- - - - -
12a38611 by Endi S. Dewata at 2021-06-14T16:59:54-05:00
Update contact information
- - - - -
e1454409 by Endi S. Dewata at 2021-06-14T16:59:54-05:00
Move CI files into tests folder
- - - - -
5fde498d by Endi S. Dewata at 2021-06-14T16:59:54-05:00
Move pki-lint files into tests folder
- - - - -
7395f164 by Endi S. Dewata at 2021-06-14T16:59:54-05:00
Update JSS references
- - - - -
3194dddf by Endi S. Dewata at 2021-06-14T16:59:54-05:00
Update version number to 10.11.0-alpha3
- - - - -
2c3d5a3a by Endi S. Dewata at 2021-06-16T16:20:45-05:00
Clean up IPA test
- - - - -
adbacb5b by Endi S. Dewata at 2021-06-16T16:21:02-05:00
Add configurable test matrix
The test workflows have been modified to load the
matrix from MATRIX secret variable. If the secret is
undefined it will use Fedora 33 and 34 by default.
- - - - -
37fc3591 by Endi S. Dewata at 2021-06-28T16:52:49-05:00
Update COPR repo
- - - - -
23de8ab1 by Christina Fu at 2021-06-28T15:29:35-07:00
Bug1976010-restrict EE profile list and enrollment submission per LDAP group without immediate issuance
It's always been the case by design that if authentication (auth.instance_id=X) is specified in a profile, then as long as a request passes both authentication and authorization (authz.Y) then the issuance would be granted.
In this patch, an option per profile is added to override such design and would require explicit agent approval even when both auth and authz passed.
This new option is auth.explicitApprovalRequired and the value is true
or false,with false being the default if not set.
An example configuration in a directory-based authentication profile
would have something like the following:
auth.instance_id=UserDirEnrollment
auth.explicitApprovalRequired=true
authz.acl=group=requestors
addressed https://bugzilla.redhat.com/show_bug.cgi?id=1976010
- - - - -
741af10f by Christina Fu at 2021-06-28T16:32:24-07:00
Bug1963220-RevokeViaRestAPIwExtAgent
This patch resolves the issue that when a client cert is issued by an
external CA, the revocation check inside the CA REST service handler
(ca/src/org/dogtagpki/server/ca/rest/CertService.java)
assumes that all client certs are issued by this CA.
The fix is to check the issuer, and add an option, allowExtCASignedAgentCerts
to allow for external CA signed agent certs.
If the issuer is external, and ca.allowExtCASignedAgentCerts is true, then the
internal cert status check is bypassed and to rely on OCSP enablement
(enableOCSP) in server.xml.
The ca.allowExtCASignedAgentCerts config param currently is only used in
the rest revocation case. It is not used anywhere else (not even unrevocation)
fixes https://bugzilla.redhat.com/show_bug.cgi?id=1963220
- - - - -
f6eb0c2b by Chris Kelley at 2021-06-28T20:34:36-05:00
Allow automatic determination of Fedora versions to test against
- - - - -
4e08fff0 by Endi S. Dewata at 2021-06-28T20:37:29-05:00
Fix Javadoc warnings
- - - - -
8aa0e81b by Endi S. Dewata at 2021-06-28T20:37:43-05:00
Add test script for creating CA agent
The test code that creates a CA agent has been moved
into a shell script.
- - - - -
e1c15ad1 by Endi S. Dewata at 2021-06-28T20:37:52-05:00
Add test scripts for CA agent cert revocation
The test code that creates, revokes, and unrevokes
a CA agent cert has been moved into shell scripts.
- - - - -
3ee1d2c2 by Endi S. Dewata at 2021-06-28T20:39:12-05:00
Fix build classpaths
- - - - -
e799395f by Endi S. Dewata at 2021-06-29T17:53:02-05:00
Add doc for PKI TPS Configuration CLI
[skip ci]
- - - - -
4a5f4bb5 by Christina Fu at 2021-07-01T11:04:40-07:00
Bug1978017 PKCS10Client Attribute Encoding
PKCS10Client has an option "-k" which allows for individual DN
attributes to be encoded differently and separately.
For example:
PKCS10Client -p <passwd> -d . -k true -o req.txt -n 'cn=UTF8String:aa,ou=BMPString:bb,o=cc'
This option might have been accidentally disabled. In this patch, the
attribute encoding code is moved to CryptoUtil.java with some
refactoring, and calls to getJssName() is re-enabled for subjectName
in PKCS10Client;
fixes https://bugzilla.redhat.com/show_bug.cgi?id=1978017
- - - - -
75e4599d by Endi S. Dewata at 2021-07-02T17:10:14-05:00
Remove unused references to commons-collections.jar
- - - - -
d21ab44f by Endi S. Dewata at 2021-07-02T17:41:40-05:00
Fix HAMCREST_JAR for Rawhide
- - - - -
3b53145b by Endi S. Dewata at 2021-07-08T14:19:17-05:00
Add doc for pki <subsystem>-audit
[skip ci]
- - - - -
dcd12299 by Endi S. Dewata at 2021-07-08T14:19:31-05:00
Add doc for pki ca-cert
[skip ci]
- - - - -
77814174 by Endi S. Dewata at 2021-07-13T14:55:40-05:00
Update dependencies
- - - - -
45ba4b03 by Endi S. Dewata at 2021-07-16T19:11:59-05:00
Add GitLab synchronization job
The .gitlab-ci.yml has been added to define a job to
synchronize a branch from an upstream repository to a
GitLab repository.
- - - - -
2c9d5afc by Endi S. Dewata at 2021-07-20T12:11:38-05:00
Update version number to 10.11.0
- - - - -
1b18560b by c-dorney at 2021-07-23T11:41:48+01:00
BZ-1981850 Check directory for files on load subsystems (#3666)
* BZ-1981850 Check directory for files on load subsystems
- - - - -
8119bf50 by Chris Kelley at 2021-07-23T15:16:04-05:00
Remove jboss-annotations-1.2-api from .classpath
This dependency is satisfied through resteasy-client -> resteasy-core,
so no need to explicitly depend on it like this.
- - - - -
88a486de by Endi S. Dewata at 2021-07-23T15:20:29-05:00
Fix javax.annotation path for RHEL 8
- - - - -
6be3018a by Endi S. Dewata at 2021-07-26T20:30:36-05:00
Update pki.spec
The pki.spec has been updated to require PKI packages
with the same version and release numbers to ensure
that the packages installed are from the same build.
- - - - -
60be0d25 by Christina Fu at 2021-08-04T17:08:26-07:00
Bug1973870 SubCA two-step installation fails with error while validating SubCA ca signing certificate
This patch fixes the issue where the CA signing cert is not imported
properly into the nssdb with trust.
The pki cli command is changed from 'nss-import-cert' to 'client-import-cert'
and '--cert' changed to '--ca-cert'.
See https://github.com/dogtagpki/pki/wiki/PKI-Client-CLI#importing-ca-certificate
In addition, if pkispawn fails the pki-server subsystem-cert-validate call,
it will provide more detail on the failure while allow pkispawn to complete.
This would allow admins to manually add the ca signing cert manually.
(Although with the fix mentioned above, it should not be encountered)
fixes https://bugzilla.redhat.com/show_bug.cgi?id=1973870
- - - - -
17eccb47 by Christina Fu at 2021-08-04T17:52:09-07:00
revert accidental check-in of pki.spec
- - - - -
a2a93780 by Christina Fu at 2021-08-05T14:42:06-07:00
Bug1990608 PS Allowing Token Transactions while the CA is Down
This patch propagates the exception thrown when revocation/unrevocation
fails so that the token record is not updated on TPS; This allows
the TPS token to be consistent with the certs on the CA.
fixes https://bugzilla.redhat.com/show_bug.cgi?id=1990608
- - - - -
63cf2895 by Christina Fu at 2021-08-11T09:19:59-07:00
Bug 1992337 - Double issuance of non-CA subsystem certs at installation
This patch removes an extra profile.submit() call that was accidentally left
off during manual cherry-picking of another bug (1905374):
commit 8e78a2b912e7c3bd015e4da1f1630d0f35145104 (HEAD -> DOGTAG_10_5_BRANCH, origin/DOGTAG_10_5_BRANCH)
fixes https://bugzilla.redhat.com/show_bug.cgi?id=1905374
- - - - -
e7ab6a0e by Chris Kelley at 2021-08-11T17:39:31+01:00
Cherry-pick fix for BZ 1955633 to v10.11
- - - - -
e92aa7c4 by Chris Kelley at 2021-08-11T17:39:44+01:00
Cherry-pick fix for BZ 1960743 to v10.11
Simple cherry-pick was not possible as the files have been moved and the
CMS class log methods replaced with an SLF4J logger instance. Also the
config store is pulled from the subsystem and not the CMS.
- - - - -
d999da77 by Chris Kelley at 2021-08-11T12:09:15-05:00
Remove duplicate buttons from Retrieval List Certificates page
- - - - -
0af94a5e by Endi S. Dewata at 2021-08-11T12:09:15-05:00
Fix navigation buttons in CA EE list certs page
The renderNextButtonElement() has been modified to fix a
typo in commit 13f4c7fe7d71d42b46b25f3e8472ef7f35da5dd6.
https://bugzilla.redhat.com/show_bug.cgi?id=1978345
- - - - -
57445347 by Endi S. Dewata at 2021-08-11T12:09:15-05:00
Fix thread safety in ListCerts
The mReverse, mHardJumpTo, and mDirection fields in ListCerts
servlet has been converted into regular variables to avoid
potential concurrency issues.
- - - - -
b9db71b9 by Christina Fu at 2021-08-16T11:24:19-07:00
Bug1990105- TPS Not properly enforcing Token Profile Separation
This patch addresses the issue that TPS agent operations on tokens, activities, and profiles are not limited by the types (profiles) permmtted to the agent (as described in the documentation). This is a regression from 8.x.
The affected operations are:
- findProfiles
- getProfiles
- updateProfile
- changeStatus (of a profile)
- retrieveTokens
- getToken
- modifyToken
- changeTokenStatus
- retrieveActivities
- getActivity
Note that some operations that seem like should be affected are not
due to the fact that they are TPS admin operations and are shielded
from entering the TPS service at the activity level. For example,
deleting a token would be such a case.
The authorization enforcement added in this patch should affect both
access from the web UI as well as access from PKI CLI.
Reference: https://github.com/dogtagpki/pki/wiki/PKI-TPS-CLI
Another note: the VLV complicates the resulting page. If the returned
entries on the page are all restricted then nothing would be shown. To
add a bit more clarity, an <restricted> entry is added to reflect such
effect so that it would be less confusing to the role user.
The <restricted> entries are left with the epoch date.
This would affect both WEB UI and PKI CLI.
Also, a list minute addition to address an issue with 1911472 in
CertService.java where the subject DN of the CA signing cert should
be used instead of the issuer.
fixes https://bugzilla.redhat.com/show_bug.cgi?id=1990105
- - - - -
28b99f8d by Endi S. Dewata at 2021-08-18T15:23:12-05:00
Remove unused BUILDDIR var
- - - - -
69af2a37 by Endi S. Dewata at 2021-08-18T15:23:12-05:00
Remove unused COPR_REPO var
- - - - -
1b2dbfef by Endi S. Dewata at 2021-08-18T15:23:56-05:00
Update Python tests
The Python tests have been modified to build a test
container and run the tests in the container.
The pki-lint script has been modified to use pylint
and flake8 configuration files from the parent folder.
The script has also been modified to get the sources
from Python library path and upgrade folders.
The script dependencies have been moved into pki.spec.
The direct dependency on python3-pyflakes has been
removed since it's already required by python3-flake8.
- - - - -
37de3c56 by Chris Kelley at 2021-08-18T15:23:57-05:00
Replace use of python with python3 on Ubuntu
TIL that on Ubuntu, there isn't a python module per se - but python2 and
python3. There is supposedly some symlink chicanery you can do if your
project requires "python" explicitly, but we have no requirement for
python2 so just state python3 explicitly.
Fixes currently broken CI pipeline
- - - - -
cf70ee2b by Endi S. Dewata at 2021-08-18T15:23:57-05:00
Add init-workflow.sh
The init-workflow.sh has been added to configure the test
matrix based on the BASE64_MATRIX variable. The test matrix
needs to be base64-encoded since otherwise GitHub will mask
the value rendering it unusable.
- - - - -
43ea6eb3 by Endi S. Dewata at 2021-08-18T15:23:57-05:00
Add test repository configuration
The init-workflow.sh has been modified to load the test
repository from BASE64_REPO variable. The test repository
will be configured in the runner image so all tests using
the same image will automatically use the same repository.
- - - - -
fab433de by Endi S. Dewata at 2021-08-18T15:23:57-05:00
Update default test matrix
The init-workflow.sh has been modified to test
against the latest Fedora version by default.
- - - - -
5d158447 by Endi S. Dewata at 2021-08-18T15:23:57-05:00
Clean up test names
- - - - -
df983177 by Endi S. Dewata at 2021-08-18T16:42:46-05:00
Rename PKI packages
The pki-* packages have been renamed into dogtag-pki-*.
The Obsoletes: directives have been added to replace
installed pki-* packages. The Provides: directives have
been added for backward compatibility.
The vendor_id and brand macros have been replaced with
product_name, product_id, and theme macros.
- - - - -
616b5239 by Endi S. Dewata at 2021-08-18T16:42:46-05:00
Update version number to 10.11.1
- - - - -
fc4f9d2a by Chris Kelley at 2021-08-25T21:24:00+01:00
Fix KRA List Requests by using correct parser
- - - - -
ceec7f52 by jmagne at 2021-08-25T19:00:05-07:00
Fix: Bug 1964176 - KRA PKCS12 support for nCipher sw v12.60+. (#3691)
Note much of this work is based on original work by Alex Scheel.
aka, cipherboy : alexander.m.scheel at gmail.com
This is the pki portion of this bug. Features:
- Import and create our own version of nss's pk12util and name it p12tool.
The reason to do this is to add 3 new KWP algorithm SEC_OIDS dynamically to
nss. This allows the tool to be able to import p12 file that is wrapped with one
of these new algorithms. Otherwise this tool operates exactly like the nss pk1util,
but it's invokded with the name "p12tool".
- Added support to the KRA to be able to create a p12 file using one of the following algs:
"AES/None/PKCS5Padding/Kwp/128"
"AES/None/PKCS5Padding/Kwp/192"
"AES/None/PKCS5Padding/Kwp/256"
Note this requires a new version of jss upcoming that registers these 3 new algs.
They can be referenced by these names in java jss code. These algs are needed when
using an hsm of a certain firmware version that is more restrictive, especially under
FIPS mode.
If the admin knows that the kra is hooked up with such an hsm, the kra can be configured to use
one of those algs as follows:
In the KRA's CS.cfg:
kra.legacyPKCS12=false
kra.nonLegacyAlg=AES/None/PKCS5Padding/Kwp/256
This setting defaults to what we have orignally "AES/CBC/NoPadding".
Also note if we are using the most restrictive scenario with a given hsm, we
want to install both the CA and the KRA with PSS and have oaep enabled for both post configuration:
keyWrap.useOAEP=true
When attempting to recover a key, the code in jss attempts the current method, and
then tries our enhanced method, if the current method fails. This is to disturb original
functionality as little as possible if not needed.
- CRMFPopClient has been lightly modified to be able to use the AES_KEY_WRAP_KWP wrapping mechanism:
Here is an example of generating a cert request :
CRMFPopClient -d . -p ****** -n "cn=ladycfu, uid=ladycfu" -q POP_SUCCESS -l 2048 -b transport.txt -oaep -w "AES KeyWrap/Wrapped" -h NHSM-CONN-XC -y -v -o test1.req
Note the alg "AES KeyWrap/Wrapped" will wrap up the private key with this alg, and the archival routing on the server's kra subsystem will be able to deal with it.
When emplying the KRA's gui to recover a key, the kra must be configured with the "kra.nonLegacyAlg=AES/None/PKCS5Padding/Kwp/256, an example,
to be able to deal with this key and recover it to a p12 file.
Then when importing such a p12 into a software nss db, we must use the new "p12tool" to do so, since it's the only one that recognizes the noew algorithms:
ex: p12tool -i test.p12 -d .
Note: That this import only works on software for now, since we need further support in nss to make this a reality. The goal of this fix and the corresponding
jss fix was to be able to get this use case working on the hsm in fips mode without modifying nss at all.
- - - - -
07d358ed by Endi S. Dewata at 2021-08-25T22:20:14-05:00
Update PKIConnection logging
The PKIConnection has been modified to log the content of
HTTP requests and responses in debug mode.
- - - - -
bb00fdf0 by Christina Fu at 2021-08-25T20:34:16-07:00
Bug1694417-TLS Session audit events establish/terminate when CS acting as a client
The description of this bug could be a litte off so I'll try to explain
when CLIENT_ACCESS_SESSION_ESTABLISH and CLIENT_ACCESS_SESSION_ERMINATED
are supposed to happen first before explaining the patch.
CLIENT_ACCESS_SESSION_ESTABLISH is supposed to happen when a CS instance
tries to connect to its TLS server (for a CA, that'd be a DS server or
KRA). And CLIENT_ACCESS_SESSION_ERMINATED is supposed to happen when
a connection closes, be it initiated by the CS instance itself, or the
TLS server.
In the case when the TLS server is the DS server, CS actually tries to
create a minimum # of connections at system startup for every "module"
of CS. This minimum number is specified in the CS.cfg parameter
internaldb.minConns, which is defaulted to 3. It is because of this
mechanism, you will not see these establish/terminated events triggered
per action.
The "modules" I spoke of can be found by search for the following string
in the debug log (if debug.level=0) :
"Creating LdapBoundConnFactor"
e.g.
"Creating LdapBoundConnFactor(DBSubsystem)"
In my observation, DS seems to send a CLOSE_NOTIFY alert to CS after one
hour of inactivity. In other words, you'd see 3 "sets" of the
TERMINATED after one hour of inactivity (see example later on what my patch
does). I also notice how CS is reacting to such "receiveAlert" with a
"sendAlert", so we essentially see two terminated events when DS times
out on CS. Another thing I observe is that after a connection is
"terminated", further actions don't trigger any more "establish" events.
I think the connections just go back to the connection pool to be reused
at "terminate".
KRA is different from DS. For every key archival action, CA->KRA
connection is established and then terminated when done. It is
therefore easier to see these audit events more clearly.
Now about the this patch. I actually am not sure if there's anything
not working as expected as far as the two audit events go.
However, I find the events to be not as descriptive as it's hard to tell
when an CLIENT_ACCESS_SESSION_ERMINATED alert was triggered by the
server(DS or KRA) or by the client (CS). For this reason, I prepend
"alertSent:" or "alertReceived:" before the CLOSE_NOTIFY in the audit
Info.
Here are a couple examples:
CA->KRA when crmf is submitted for key archival
0.ConnectAsync - [25/Aug/2021:19:31:05 EDT] [14] [6] [AuditEvent=CLIENT_ACCESS_SESSION_ESTABLISH][ClientHost=a.b.c.d][ServerHost=a.b.c.d][ServerPort=8443][SubjectID=SYSTEM][Outcome=Success] access session establish successfully when Certificate System acts as client
0.https-jsse-nio-8443-exec-17 - [25/Aug/2021:19:31:06 EDT] [14] [6] [AuditEvent=CLIENT_ACCESS_SESSION_TERMINATED][ClientHost=a.b.c.d][ServerHost=a.b.c.d][ServerPort=8443][SubjectID=SYSTEM][Outcome=Success][Info=clientAlertSent: CLOSE_NOTIFY] access session terminated when Certificate System acts as client
CA->DS
At system (CS) startup:
0.main - [25/Aug/2021:12:49:17 EDT] [14] [6] [AuditEvent=CLIENT_ACCESS_SESSION_ESTABLISH][ClientHost=a.b.c.d][ServerHost=a.b.c.d][ServerPort=636][SubjectID=SYSTEM][Outcome=Success] access session establish successfully when Certificate System acts as client
...
Do something such as
pki -d . -c pAssword.123 -P https -p 8443 -n "PKI Administrator for example.com" ca-user-find
Notice how neither of the establish/terminated events get triggered.
...
After one hour (imposed by DS by default):
0.LDAPConnThread-9 ldaps://pki1.example.com:636 - [25/Aug/2021:13:49:17 EDT] [14] [6] [AuditEvent=CLIENT_ACCESS_SESSION_TERMINATED][ClientHost=10.19.34.104][ServerHost=10.19.34.104][ServerPort=636][SubjectID=SYSTEM][Outcome=Success][Info=clientAlertReceived: CLOSE_NOTIFY] access session terminated when Certificate System acts as client
0.LDAPConnThread-9 ldaps://pki1.example.com:636 - [25/Aug/2021:13:49:17 EDT] [14] [6] [AuditEvent=CLIENT_ACCESS_SESSION_TERMINATED][ClientHost=a.b.c.d][ServerHost=a.b.c.d][ServerPort=636][SubjectID=SYSTEM][Outcome=Success][Info=clientAlertSent: CLOSE_NOTIFY] access session terminated when Certificate System acts as client
Notice how one has "clientAlertReceived: CLOSE_NOTIFY" and the second one has
"clientAlertSent: CLOSE_NOTIFY", possible when CS received a timeout
notification it responded with a close notify.
I also adjusted some of the debug messages to make them easier to debug.
addresses https://bugzilla.redhat.com/show_bug.cgi?id=1694417
- - - - -
786ed0b6 by c-dorney at 2021-08-26T11:24:24+01:00
Encode cert request as bytes before writing to file (#3718)
- - - - -
077e4e4a by Christina Fu at 2021-08-31T15:14:24-07:00
Bug1999146-TPS-install-Python-error-text
This patch is an attempt to fix the TPS installation issue regarding:
TypeError: __init__() got an unexpected keyword argument 'text'
My research shows that it's likely having to do with Python version
differences. In Python 3.6.8, "text" is possibly not yet introduced
so I"m trying out "universal_newlines".
fixes https://bugzilla.redhat.com/show_bug.cgi?id=1999146
- - - - -
e83a488b by jmagne at 2021-09-16T15:48:50-07:00
Fix Bug 2001576 - pki instance creation fails for IPA server in FIPS mode (RHEL-8.5) (#3741)
It looks like this is an issue in FIPS mode because when we restart the subsystem, there is a pki command
that runs before the server runs. In order for this command to succeed, we must alter the python script that
runs pki commands to add the following switch to turn off fips mode in java: "-Dcom.redhat.fips=false".
This allows the JSS proivder to be selected instead of a differnt one which doesn't work for us, when we are in
fips mode.
- - - - -
f7f04b1d by Christina Fu at 2021-09-16T16:27:18-07:00
Bug2000184-hsm CMC shared Secret failed unwrap
With the latest nCipher firmware version (> v.12.60) in FIPS mode,
CMC Shared Secret authentication would fail since the HSM does not
allow the default issuance protection cert (CA subsystme cert) keys
to do unwrap (Application error: Key 0x000004FA doesn't allow decrypt).
To overcome the issue, the issuance protection cert needs to be replaced
with one that has such capability. The tool 'certutil' came to mind as
it advertised the '--keyOpFlagsOn opflags' option. However, my experiment
has shown that certutil has trouble processing the one of the needed opflag
"sign_recover" ("Unknown flag (recover)")
This patch modifies PKCS10Client so that a new option '-w' is added to
allow for generation of an RSA key pair (thus CSR) which is capable of
handling wrapping/unwrapping on the aformentioned hsm version.
The steps to issue a new CA issuance protection cert involves the following:
A. generate a CSR:
e.g. PKCS10Client -d /var/lib/pki/<ca instance>/alias -h hsm-module -a rsa -l 2048 -n "CN=CA issuanceProt cert" -w -v -o ca-issuanceProt-cfu.csr.b64
B. create a CMCRequest cfg file to be signed by a CA agent (instruction
can be found in doc;
C. Use HttpClient to submit the cmc request to the CA using caCMCcaIssuanceProtectionCert
D. Use CMCResponse with -v to print out certs in the chain (pick Cert:0) in b64 encoding; then save the b64 of the cert into a file (e.g. caIssuanceProt.cert)
Be sure to add the "brackets" above and below the b64 blob:
-----BEGIN CERTIFICATE-----
cert b64 blob
-----END CERTIFICATE-----
E. stop the CA
F. import the cert in caIssuanceProt.cert into both the hsm that the CA uses
and the nssdb where the CA agent will be generating the cmc shared secret..
Assume CA agent nssdb has been set up with the proper CA cert trust and
agent (bootstrap admin user by default) cert:
* certutil -d /var/lib/pki/<ca instance>/alias -h <hsm module> -A -t "u,u,u" -n "issuanceProt-091521b.cert" -i caIssuanceProt.cert
* certutil -d <agent nssdb dir> -A -t ",," -n "issuanceProt-091521b.cert" -i caIssuanceProt.cert
G. edit CA CS.cfg by adding (or modirying, if it exists):
ca.cert.issuance_protection.nickname=<hsm module>:<issuance protection cert nickname>
e.g.
ca.cert.issuance_protection.nickname=myHSM:issuanceProt-091521b.cert
While in there, add the following as well:
keyWrap.useOAEP=true
And setup cmc Shared Secret authentication
e.g. (for better security, set up secure ldap)
auths.instance.SharedToken.dnpattern=
auths.instance.SharedToken.ldap.basedn=ou=People,dc=sjc,dc=redhat,dc=com
auths.instance.SharedToken.ldap.ldapauth.authtype=BasicAuth
auths.instance.SharedToken.ldap.ldapauth.bindDN=cn=Directory Manager
auths.instance.SharedToken.ldap.ldapauth.bindPWPrompt=Rule SharedToken
auths.instance.SharedToken.ldap.ldapauth.clientCertNickname=
auths.instance.SharedToken.ldap.ldapconn.host=test.example.com
auths.instance.SharedToken.ldap.ldapconn.port=389
auths.instance.SharedToken.ldap.ldapconn.secureConn=false
auths.instance.SharedToken.ldap.ldapconn.version=3
auths.instance.SharedToken.ldap.maxConns=
auths.instance.SharedToken.ldap.minConns=
auths.instance.SharedToken.ldapByteAttributes=
auths.instance.SharedToken.ldapStringAttributes=
auths.instance.SharedToken.pluginName=SharedToken
auths.instance.SharedToken.shrTokAttr=shrTok
G. start CA
After this, you'll need to rerun CMCSharedToken to regenerate the shared secret,
and then modify the "shrTok" value of the user entry if
it contains another value generated using the previous issuanceProt cert
(default is CA's subsystem cert, which doesn't work with the aformentioned
hsm version)
Finally, in the case of CRMF requests, where KRA is involved, please note
that if the 2-step procedure is followed to install KRA, at copmletion
add the DRM (KRA) transport cert to each CA and KRA's CS.cfg files.
e.g.
CA's CS.cfg:
ca.connector.KRA.transportCert=MIIEbjCC...kw==
KRA's CS.cfg:
kra.transport.cert=MIIEIjCCA...kw==
and while in there, add the following:
keyWrap.useOAEP=true
kra.legacyPKCS12=false
kra.nonLegacyAlg=AES/None/PKCS5Padding/Kwp/256
Restart both CA and KRA after configuration changes.
Fixes https://bugzilla.redhat.com/show_bug.cgi?id=2000184
- - - - -
9ecbea99 by Ciarán Dorney at 2021-09-21T10:24:24+01:00
Bump version for tag
- - - - -
5b339525 by Timo Aaltonen at 2021-10-06T16:49:22+03:00
Merge tag 'v10.10.6' into master-next
- - - - -
306b4d71 by Timo Aaltonen at 2021-10-06T16:49:27+03:00
Merge branch 'master' into master-next
- - - - -
a65c87dd by Timo Aaltonen at 2021-10-06T16:59:35+03:00
Bump the version
- - - - -
1ac73100 by Timo Aaltonen at 2021-10-06T17:10:11+03:00
dont-install-deleted-files.diff: Dropped, obsolete.
- - - - -
a2eaa28f by Timo Aaltonen at 2021-10-06T20:42:07+03:00
patches: Refreshed.
- - - - -
925edc29 by Timo Aaltonen at 2021-10-06T20:42:17+03:00
rules: Bump tomcat source path.
- - - - -
b415e191 by Timo Aaltonen at 2021-10-06T20:42:51+03:00
add-freebl-headers.diff: Add headers that libnss3-dev doesn't ship.
- - - - -
4c149e19 by Timo Aaltonen at 2021-10-06T20:48:11+03:00
pki-tools: Add p12tool.
- - - - -
30 changed files:
- .classpath
- .github/workflows/acme-tests.yml
- .github/workflows/ca-tests.yml
- .github/workflows/ipa-tests.yml
- .github/workflows/kra-tests.yml
- .github/workflows/ocsp-tests.yml
- .github/workflows/python-tests.yml
- .github/workflows/qe-tests.yml
- .github/workflows/tks-tests.yml
- .github/workflows/tools-tests.yml
- .github/workflows/tps-tests.yml
- + .gitlab-ci.yml
- .project
- CMakeLists.txt
- CONTRIBUTING.md
- Dockerfile
- README.md
- base/CMakeLists.txt
- base/acme/CMakeLists.txt
- base/acme/Dockerfile
- base/acme/src/main/java/org/dogtagpki/acme/database/ACMEDatabaseConfig.java
- base/acme/src/main/java/org/dogtagpki/acme/database/InMemoryDatabase.java
- base/acme/src/main/java/org/dogtagpki/acme/database/LDAPConfigMonitor.java
- base/acme/src/main/java/org/dogtagpki/acme/database/LDAPDatabase.java
- base/acme/src/main/java/org/dogtagpki/acme/database/PostgreSQLConfigMonitor.java
- base/acme/src/main/java/org/dogtagpki/acme/database/PostgreSQLDatabase.java
- base/acme/src/main/java/org/dogtagpki/acme/issuer/ACMEIssuer.java
- base/acme/src/main/java/org/dogtagpki/acme/issuer/ACMEIssuerConfig.java
- base/acme/src/main/java/org/dogtagpki/acme/issuer/NSSIssuer.java
- base/acme/src/main/java/org/dogtagpki/acme/issuer/PKIIssuer.java
The diff was not included because it is too large.
View it on GitLab: https://salsa.debian.org/freeipa-team/dogtag-pki/-/compare/2a993f7c8d072a51df5165b5bfc96c74dc85582c...4c149e19faa830d2829b6cc4d34e0419dcacf316
--
View it on GitLab: https://salsa.debian.org/freeipa-team/dogtag-pki/-/compare/2a993f7c8d072a51df5165b5bfc96c74dc85582c...4c149e19faa830d2829b6cc4d34e0419dcacf316
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-freeipa-devel/attachments/20211006/48f4105f/attachment-0001.htm>
More information about the Pkg-freeipa-devel
mailing list