[Pkg-freeipa-devel] [Git][freeipa-team/dogtag-pki][upstream] 329 commits: Remove references to xml-commons.api.jar

Timo Aaltonen (@tjaalton) gitlab at salsa.debian.org
Tue Oct 19 15:55:03 BST 2021



Timo Aaltonen pushed to branch upstream at FreeIPA packaging / dogtag-pki


Commits:
d36b82bd by Chris Kelley at 2021-05-13T22:15:42+01:00
Remove references to xml-commons.api.jar

This JAR contains packages/classes that are present in OpenJDK 11. As of
Java 9 it is a compile time failure for packages/classes to be available
from multiple modules. In order to be Java 11 compatible this JAR needs
to be removed and the multiply-sourced code sourced from the JDK.

References to the JAR in scripts, build tools etc have also been
removed.
- - - - -
c2f88ba3 by Endi S. Dewata at 2021-05-13T17:17:41-05:00
Fix installation with HSM

During installation with HSM the server is
stopped to import the permanent SSL server cert
into the NSS database. This operation creates
new files in the NSS database directory with a
wrong ownership and permissions, so the server
fails to start again.

To fix the problem the NSS database ownership
and permissions need to be reset after importing
the permanent SSL server cert.

- - - - -
3ef7c2b3 by Endi S. Dewata at 2021-05-13T20:21:14-05:00
Clean up deployment loggers

All loggers used for deployment have been changed to
use the module name such that they can be referred to
collectively as 'pki'.

- - - - -
f7f0a7e8 by Endi S. Dewata at 2021-05-14T18:50:20-05:00
Merge base/test into base/util/src/test

- - - - -
f22acd73 by Chris Kelley at 2021-05-17T16:23:08+01:00
Add new constructor to com.netscape.certsrv.base.Link class

The deprecated org.jboss.resteasy.plugins.providers.atom.Link has a
constructor with signature Link(String, URI), but our chosen temporary
replacement does not. As we are attempting to preserve the API by making
this temporary switch, I create a new constructor with the current
signature instead of modifying the calling code.

- - - - -
6c4c0759 by Chris Kelley at 2021-05-17T16:23:08+01:00
Fix createCreatedResponse methods that now expect URI, but take String
- - - - -
0db142b6 by Chris Kelley at 2021-05-17T16:23:08+01:00
Switch org.jboss.resteasy.plugins.providers.atom.Link for
com.netscape.certsrv.base.Link.Link

Converts old Link.getRel() -> new Link.getRelationship()
- - - - -
bef84e33 by Chris Kelley at 2021-05-17T21:57:21+01:00
Remove dependency on resteasy-atom-provider
- - - - -
6561bd3b by dpuniaredhat at 2021-05-18T19:55:27+05:30
Updating the IMG_NAME to execute QE test on Fedora 33 (#3531)

Currently QE test are getting executed on Fedora 32 and updating that to execute test cases on Fedora 33

Signed-off-by: Deepak Punia <dpunia at redhat.com>
- - - - -
33e15f8b by Endi S. Dewata at 2021-05-18T17:59:54-05:00
Drop pytest-runner dependency

The dependency on pytest-runner has been dropped since
it has been deprecated.

Resolves: #1961613

- - - - -
73062597 by Christina Fu at 2021-05-18T16:09:32-07:00
Bug 1925311 RFE Add a Boolean to Not Allow a CA Certificate Issued Past Issuing CA's Validity

This RFE was to request for a boolean to disallow ca certs being issued past
the CA's own validity.  As it turns out, such a boolean does exist in
CAValidityDefault.java which is a profile default plugin that's used
by the profile caCACert.cfg.  The variable is called bypassCAnotafter.
When it's true, the requested ca signing cert is allowed  to past the
signing CA's notAfter, while if false (which is the default), the natAfter time
would be reset to match that of the signing CA's.
The problem is, as I found out during my investigation, there is a bug in
the plugin so it is always treated as false.  I have it fixed in this patch.
However, I think the reporter didn't use this profile default plugin, as
if so they would not have reported the issue;  I think the proper solution
should be a system-wide boolean in CS.cfg, although the additional one in
the plugin to allows for finer control.
I'm leaving the fix in CAValidityDefault.java to get some feedback from
the reviewer.
The new bolean in CS.cfg is called ca.enablePastCATime

fixes https://bugzilla.redhat.com/show_bug.cgi?id=1925311

- - - - -
1deeb245 by Chris Kelley at 2021-05-19T16:01:57+01:00
Replace deprecated PosixParser with DefaultParser
- - - - -
78e49942 by Chris Kelley at 2021-05-19T21:59:41+01:00
Remove redundant superinterface implementations
- - - - -
db7c9ee3 by Chris Kelley at 2021-05-20T10:26:04+01:00
Add missing @Deprecated annotations
- - - - -
82c94c27 by Chris Kelley at 2021-05-20T10:26:04+01:00
Add missing @Override annotations
- - - - -
f953f627 by Chris Kelley at 2021-05-20T21:46:11+01:00
Update Java.cmake to use Java 11 source and target
- - - - -
ea0b5782 by Chris Kelley at 2021-05-20T21:52:15+01:00
Remove unnecessary type specification and replace with diamond operator

Automatically generated by Eclipse
- - - - -
a9e560d6 by Chris Kelley at 2021-05-20T21:52:43+01:00
Replace deprecated Double constructor
- - - - -
4de8ba6a by Chris Kelley at 2021-05-21T15:37:26+01:00
Convert CertificateRepository to use try-with-resources
- - - - -
a2b4be29 by Chris Kelley at 2021-05-21T15:38:44+01:00
Remove unnecessary type specifications from anonymous inner classes
- - - - -
540b7c34 by Endi S. Dewata at 2021-05-26T16:42:16-05:00
Drop git dependency

- - - - -
b61557dc by Chris Kelley at 2021-06-01T22:38:44+01:00
Simplify AAclAuthz.isTypeUnique() method
- - - - -
75c6e375 by Chris Kelley at 2021-06-01T22:48:55+01:00
Remove unused log() method from JssSSLSocketFactory

No references to this method in the workspace
- - - - -
fc6bf07b by Chris Kelley at 2021-06-01T22:48:55+01:00
Autoformat JssSSLSocketFactory
- - - - -
8eb74c29 by Chris Kelley at 2021-06-01T22:49:40+01:00
Remove getExtensionAt() method

No references in the workspace
- - - - -
61fa1cb1 by Chris Kelley at 2021-06-01T22:49:40+01:00
Autoformat SingleResponse
- - - - -
156cac41 by Endi S. Dewata at 2021-06-01T23:47:59-05:00
Fix build.sh --without-test

The build.sh and pki.spec file have been modified not to
run the test when the --without-test option is specified.

- - - - -
0fe70dad by Endi S. Dewata at 2021-06-01T23:47:59-05:00
Fix CMake files to optionally build without test

The CMake files have been modified not to build the test
classes when the --without-test is specified.

- - - - -
52c44e40 by Endi S. Dewata at 2021-06-01T23:47:59-05:00
Remove unused code

- - - - -
51b7b226 by dpuniaredhat at 2021-06-02T13:41:26+05:30
Bug Automation 1925311 RFE Add a Boolean to Not Allow a CA Certificate Issued past issuing CA's Validity (#3545)

Signed-off-by: Deepak Punia <dpunia at redhat.com>
- - - - -
bd22a320 by Chandan Pinjani at 2021-06-03T16:10:15+05:30
Enabled beaker provisioning for pytest-ansible (#3542)

Signed-off-by: Chandan Pinjani <cpinjani at redhat.com>

Co-authored-by: Chandan Pinjani <cpinjani at redhat.com>
- - - - -
4f80e99c by Christina Fu at 2021-06-03T09:18:50-07:00
Bug1889434 Unable to start HSM configured CA with after enabling Nuxwdog

The bug itself was actually a "not a bug" according to Chandan's latest
finding how it was working again when setup on a different vm.
However, I found a possible issue that could only be seen on the vm
where he initially had issue with.  I don't know how to reproduce other
than being able to see the correct message if my debugging was enabled
in this patch.
The nature of the issue that this patch tries to fix is that in case
when pwd is returned with "keyctl_read_alloc:..." regarding password not
found, and it treated the result as thought it was a password to be
saved.

relating to https://bugzilla.redhat.com/show_bug.cgi?id=1889434

- - - - -
b35672f1 by Endi S. Dewata at 2021-06-03T21:22:16-05:00
Clean up Java dependency

The spec file has been modified to explicitly require Java 11.

- - - - -
c62c4d6c by Endi S. Dewata at 2021-06-03T22:09:43-05:00
Fix JAVA_HOME

- - - - -
3ef27289 by Endi S. Dewata at 2021-06-03T23:32:59-05:00
Update version number to 10.11.0-alpha2

- - - - -
5b09fcaf by Endi S. Dewata at 2021-06-09T11:23:12-05:00
Use password file when creating admin user

The pki-server <subsystem>-user-add has been updated to
provide a --password-file option. The deployment tool
has been modified to use this option when creating the
admin user to avoid the password from getting logged in
the debug mode.

Resolves: CVE-2021-3551

- - - - -
b01cd8cc by Endi S. Dewata at 2021-06-09T11:23:15-05:00
Fix permission for new installation logs

The enable_pki_logger() has been updated to disable
world access for new installation logs to be created
in /var/log/pki.

Resolves: CVE-2021-3551

- - - - -
0c2f3b84 by Endi S. Dewata at 2021-06-09T11:23:15-05:00
Fix permission for existing installation logs

The spec file has been updated to remove world access
from existing installation logs in /var/log/pki.

Resolves: CVE-2021-3551

- - - - -
e3cf3373 by Chris Kelley at 2021-06-10T10:59:00+01:00
Remove IConfigPasswordCheck interface

There is only one implementation in PasswordChecker, and it 1)
duplicates the functionality of the IPasswordCheck interface/impl and 2)
is not referenced anywhere in the workspace.

Also, we don't care about the distinction between an empty password and
a password that is too short when we are deciding if the password is
good, which greatly simplifies isGoodPassword().
- - - - -
a6aeca19 by Endi S. Dewata at 2021-06-10T08:31:44-05:00
Add missing apache-commons-logging dependency

- - - - -
922c4d5c by Endi S. Dewata at 2021-06-10T08:32:59-05:00
Remove unused references to commons-httpclient.jar

- - - - -
4104740d by Endi S. Dewata at 2021-06-10T08:33:43-05:00
Fix HAMCREST_JAR for Rawhide

- - - - -
e790f34d by Endi S. Dewata at 2021-06-10T09:34:07-05:00
Update contact information

- - - - -
5627de5c by Endi S. Dewata at 2021-06-10T12:26:33-05:00
Move CI files into tests folder

- - - - -
4a25b89c by Endi S. Dewata at 2021-06-10T14:31:45-05:00
Move pki-lint files into tests folder

- - - - -
8bf522e9 by Endi S. Dewata at 2021-06-10T17:49:40-05:00
Update version number to 11.0.0-alpha1

- - - - -
894293a6 by Endi S. Dewata at 2021-06-10T20:26:22-05:00
Update JSS references

- - - - -
97debc7b by 06shalini at 2021-06-13T22:21:03+05:30
Added exception handeling in performance tests (#3488)

Signed-off-by: Shalini Khandelwal <skhandel at redhat.com>

Co-authored-by: Shalini Khandelwal <skhandel at redhat.com>
- - - - -
287489bc by Endi S. Dewata at 2021-06-16T15:24:35-05:00
Clean up IPA test

- - - - -
8643e03b by Endi S. Dewata at 2021-06-16T16:11:03-05:00
Add configurable test matrix

The test workflows have been modified to load the
matrix from MATRIX secret variable. If the secret is
undefined it will use Fedora 33 and 34 by default.

- - - - -
58e69a97 by Endi S. Dewata at 2021-06-16T17:08:06-05:00
Update JSS, TomcatJSS, and LDAPJDK dependencies

- - - - -
a6a24bcc by Alexander Scheel at 2021-06-16T19:45:05-05:00
Remove pki-console from Fedora 35+, RHEL 9+

- - - - -
81adacee by Endi S. Dewata at 2021-06-16T19:45:05-05:00
Add build.sh --with-console option

- - - - -
abdbbc6a by Chris Kelley at 2021-06-17T14:29:35+01:00
Allow automatic determination of Fedora versions to test against

- - - - -
91ba383d by Alexander Scheel at 2021-06-17T15:19:51-05:00
Remove Legacy VBScript Web Code

No modern browser supports VBScript except IE 11. Microsoft announced its
removal and deprecation in August 2019. Every modern, graphical browser
supports JavaScript, including IE 2+, Edge, Safari, Chrome, and Firefox.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
80e64e5c by Endi S. Dewata at 2021-06-17T21:46:31-05:00
Fix Javadoc warnings

- - - - -
7a74753c by Endi S. Dewata at 2021-06-18T09:56:22+01:00
Add test script for creating CA agent

The test code that creates a CA agent has been moved
into a shell script.

- - - - -
b78d76a8 by Endi S. Dewata at 2021-06-18T09:56:22+01:00
Add test scripts for CA agent cert revocation

The test code that creates, revokes, and unrevokes
a CA agent cert has been moved into shell scripts.

- - - - -
d4119692 by Endi S. Dewata at 2021-06-18T09:13:44-05:00
Add JSON mapper for UserCertData

- - - - -
f02f08fc by Chris Kelley at 2021-06-18T21:25:30+01:00
Add JSON mapper for Account
- - - - -
f8f4a583 by Chris Kelley at 2021-06-18T21:26:04+01:00
Add JSON wrapper for AuthorityData

* Make fields of AuthorityData private and provide setters for test
* Remove unused Link setter
- - - - -
582e4c26 by Pritam Singh at 2021-06-21T15:16:34+05:30
clone_job_fix (#3573)

[SKIP CI]

Signed-off-by: Pritam Singh <prisingh at redhat.com>

Co-authored-by: Pritam Singh <prisingh at redhat.com>
- - - - -
1ae9fc63 by Chris Kelley at 2021-06-21T17:19:04+01:00
Add JSON wrappers for classes in com.netscape.certsrv.base

Also adds AuthorityDataTest to the cmake file, I forgot to do it in a
previous PR
- - - - -
963883e2 by Chris Kelley at 2021-06-21T17:22:50+01:00
Add JSON mapper for ClientConfig
- - - - -
8bb1536e by Chris Kelley at 2021-06-21T21:44:04+01:00
Add JSON wrappers for classes org.dogtagpki.common

Requires overriding equals() and hashCode() in Link class, otherwise the
equals check for ConfigData fails on object equivalence for the Links
- - - - -
a3de157d by Chris Kelley at 2021-06-21T21:45:05+01:00
Add JSON wrappers for classes in com.netscape.certsrv.group

Also adds annotations to AuthorityData, which were missed in a previous
PR.
- - - - -
75619288 by Chris Kelley at 2021-06-21T23:55:59+01:00
Remove jakarta-activation from .classpath

This dependency is satisfied through resteasy-client -> resteasy-core,
so no need to explicitly depend on it like this.
- - - - -
9f409750 by Chris Kelley at 2021-06-22T14:10:50-05:00
Remove jboss-annotations-1.2-api from .classpath

This dependency is satisfied through resteasy-client -> resteasy-core,
so no need to explicitly depend on it like this.
- - - - -
94f698f6 by Chris Kelley at 2021-06-22T22:29:30+01:00
Add JSON wrappers for classes in com.netscape.certsrv.logging

Also removes unused AuthorityData.toString() I missed in earlier PR
- - - - -
866c632a by Chris Kelley at 2021-06-22T23:14:50+01:00
Add JSON wrapper for Descriptor
- - - - -
3a1c75d9 by Chris Kelley at 2021-06-22T23:55:33+01:00
Reorder modifiers in Constants to match the JLS
- - - - -
860e80ba by Christina Fu at 2021-06-22T17:46:50-07:00
Bug1963220-RevokeViaRestAPIwExtAgent

This patch resolves the issue that when a client cert is issued by an
external CA, the revocation check inside the CA REST service handler
(ca/src/org/dogtagpki/server/ca/rest/CertService.java)
assumes that all client certs are issued by this CA.

The fix is to check the issuer, and add an option, allowExtCASignedAgentCerts
to allow for external CA signed agent certs.

If the issuer is external, and ca.allowExtCASignedAgentCerts is true, then the
internal cert status check is bypassed and to rely on OCSP enablement
(enableOCSP) in server.xml.

The ca.allowExtCASignedAgentCerts config param currently is only used in
the rest revocation case.  It is not used anywhere else (not even unrevocation)

fixes https://bugzilla.redhat.com/show_bug.cgi?id=1963220

- - - - -
aa4406c7 by Endi S. Dewata at 2021-06-22T20:24:17-05:00
Fix build classpaths

- - - - -
9b698d6c by Chris Kelley at 2021-06-23T10:49:47+01:00
Add JSON wrappers for classes in com.netscape.certsrv.key
- - - - -
bfcc6d52 by Chris Kelley at 2021-06-23T10:51:50+01:00
Add JSON wrappers for classes in com.netscape.certsrv.request
- - - - -
bcde3dc9 by Chris Kelley at 2021-06-23T10:56:41+01:00
Add JSON wrappers for classes in com.netscape.certsrv.selftests
- - - - -
80464590 by Chris Kelley at 2021-06-23T17:22:41+01:00
Add JSON wrappers for classes in com.netscape.certsrv.cert
- - - - -
6fe2e290 by Endi S. Dewata at 2021-06-23T20:56:03-05:00
Drop httpcomponents dependency

The direct dependency on httpcomponents has been dropped
from pom.xml since it is already provided by resteasy.
There is no such dependency in pki.spec.

- - - - -
649ec1c0 by Chris Kelley at 2021-06-24T10:54:10+01:00
Add JSON wrappers for classes in com.netscape.certsrv.profile
- - - - -
2a5a7485 by Chris Kelley at 2021-06-24T22:25:14+01:00
Code cleanup in TokenStatus

* Reorder modifiers to match JLS
* Simplify isValid()
* Some whitespace added
- - - - -
30b3b411 by Chris Kelley at 2021-06-24T22:30:12+01:00
Add JSON wrappers for classes in com.netscape.certsrv.tps
- - - - -
4f62a962 by Chris Kelley at 2021-06-24T23:04:37+01:00
Autoformat CryptoUtil
- - - - -
36450f67 by Chris Kelley at 2021-06-24T23:04:37+01:00
Tidy up some if statements in CryptoUtil
- - - - -
77bd3464 by Chris Kelley at 2021-06-24T23:04:37+01:00
Remove superfluous throws declarations in CryptoUtil
- - - - -
39da6dbd by Chandan Pinjani at 2021-06-25T18:21:31+05:30
Added Automation for BZ 1930586 (#3594)

Signed-off-by: Chandan Pinjani <cpinjani at redhat.com>

Co-authored-by: Chandan Pinjani <cpinjani at redhat.com>
- - - - -
1f5d4472 by Chris Kelley at 2021-06-25T15:11:36+01:00
Add JSON wrappers for classes in com.netscape.certsrv.system

- - - - -
8b53e1ca by Endi S. Dewata at 2021-06-25T16:27:59+01:00
Update client's default message format

- - - - -
fbc37bfb by Chris Kelley at 2021-06-25T21:26:41+01:00
Add JSONSerializer interface

Provide default methods for classes that wish to serialize to/from JSON
to reduce boilerplate code, as all classes do the same thing.

Also beneficial as a marker interface for the REST API, as this is the
dominant use case of the serialization to/from JSON.
- - - - -
751ae5e0 by Chris Kelley at 2021-06-25T21:26:41+01:00
Make ACME classes implement JSONSerializer to reduce boilerplate code
- - - - -
c0b42872 by Christina Fu at 2021-06-25T17:31:58-07:00
Bug1976010-restrict EE profile list and enrollment submission per LDAP group without immediate issuance

It's always been the case by design that if authentication (auth.instance_id=X) is specified in a profile, then as long as a request passes both authentication and authorization (authz.Y) then the issuance would be granted.
In this patch, an option per profile is added to override such design and would require explicit agent approval even when both auth and authz passed.

This new option is auth.explicitApprovalRequired and the value is true
or false,with false being the default if not set.

An example configuration in a directory-based authentication profile
would have something like the following:

         auth.instance_id=UserDirEnrollment
         auth.explicitApprovalRequired=true
         authz.acl=group=requestors

addressed https://bugzilla.redhat.com/show_bug.cgi?id=1976010

- - - - -
59dcf7e2 by Endi S. Dewata at 2021-06-25T20:50:09-05:00
Add PKIConnection.target

The PKIConnection has been modified to create the
WebTarget object from the server URL.

- - - - -
0252a415 by Endi S. Dewata at 2021-06-25T20:50:09-05:00
Add PKIClient.messageFormat

The PKIClient has been modified to construct the
content type object from the client configuration.

- - - - -
f1971c02 by Endi S. Dewata at 2021-06-25T20:50:09-05:00
Update PKIClient.createProxy()

The PKIClient.createProxy() method has been modified
to no longer require a leading slash in the path.

- - - - -
5d010ab7 by Endi S. Dewata at 2021-06-25T20:50:09-05:00
Update PKIClient.get()

The PKIClient.get() methods have been modified to
no longer require a leading slash in the path.

- - - - -
009f0edd by Endi S. Dewata at 2021-06-25T20:50:09-05:00
Update PKIClient.post()

The PKIClient.post() methods have been modified to
no longer require a leading slash in the path.

- - - - -
2b6749b9 by Endi S. Dewata at 2021-06-25T20:50:43-05:00
Merge PKIConnection.target() methods

- - - - -
c93ee9e1 by Chris Kelley at 2021-06-28T17:20:47+01:00
Remove XML tagging from Descriptor
- - - - -
9a37dbf5 by Christian Heimes at 2021-06-28T15:29:29-07:00
PKCS#12 export: encrypt private key with AES (#3590)

pk12util export defaults to "PKCS #12 V2 PBE With SHA-1 And 40 Bit RC2
CBC". The algorithm is no longer supported by OpenSSL 3.0.0. Use modern
PBES2 with AES-128-CBC to encrypt private key and leave public certs
unencrypted.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1975406
Signed-off-by: Christian Heimes <cheimes at redhat.com>
- - - - -
85d4d23d by Chris Kelley at 2021-06-29T10:22:19+01:00
Make CA classes implement JSONSerializer to reduce boilerplate code
- - - - -
869e1180 by Chris Kelley at 2021-06-29T22:52:16+01:00
Move JSONSerializer to common directory from server only directory
- - - - -
b60d8218 by Endi S. Dewata at 2021-06-29T17:48:52-05:00
Add doc for PKI TPS Configuration CLI

- - - - -
878a7020 by Endi S. Dewata at 2021-06-29T18:08:07-05:00
Clean up CA tests

- - - - -
08ffba17 by Chris Kelley at 2021-06-30T09:29:20+01:00
Remove XML mappers from AuthorityData
- - - - -
d1124d33 by Chris Kelley at 2021-06-30T09:29:48+01:00
Remove XML mappers from com.netscape.cersrv.selftests
- - - - -
f62f8951 by Christina Fu at 2021-06-30T17:51:44-07:00
Bug1978017 PKCS10Client Attribute Encoding

PKCS10Client has an option "-k" which allows for individual DN
attributes to be encoded differently and separately.
For example:
    PKCS10Client -p <passwd> -d . -k true -o req.txt -n 'cn=UTF8String:aa,ou=BMPString:bb,o=cc'

This option might have been accidentally disabled.  In this patch, the
attribute encoding code is moved to CryptoUtil.java with some
refactoring, and calls to getJssName() is re-enabled for subjectName
in PKCS10Client;

fixes https://bugzilla.redhat.com/show_bug.cgi?id=1978017

- - - - -
131850d9 by Endi S. Dewata at 2021-06-30T20:16:09-05:00
Add test for CA certs

- - - - -
47e3be52 by Chris Kelley at 2021-07-01T10:37:41+01:00
Make more classes implement JSONSerializer to reduce boilerplate code

In org.dogtagpki.common package
- - - - -
7b245ced by Chris Kelley at 2021-07-01T15:52:49+01:00
Consolidate the building step in the CI to a separate workflow
- - - - -
40f114b6 by Chris Kelley at 2021-07-01T15:52:49+01:00
fop
- - - - -
9676dfdc by Christina Fu at 2021-07-01T09:49:59-07:00
Bug1978017 (clean up imports) PKCS10Client Attribute Encoding
This patch is to clean up some imports that were missed in the previous
patch for
  Bug1978017 PKCS10Client Attribute Encoding

additional cleanup for https://bugzilla.redhat.com/show_bug.cgi?id=1978017

- - - - -
9bbcec92 by Chris Kelley at 2021-07-01T18:09:20+01:00
Revert "fop"

This reverts commit 40f114b6f38c839fcf52fa334f4a8b0202696446.

- - - - -
b4f93dd6 by Chris Kelley at 2021-07-01T18:09:20+01:00
Revert "Consolidate the building step in the CI to a separate workflow"

This reverts commit 7b245cedbc02977d0b12c96e1110f77363cbc756.

- - - - -
a91518c1 by Chris Kelley at 2021-07-01T23:03:53+01:00
Make more classes implement JSONSerializer to reduce boilerplate code

In following packages:

com.netscape.certsrv.account
com.netscape.certsrv.authority
com.netscape.certsrv.cert
com.netscape.certsrv.base

Introduces additional methods to provide access to private fields if
required
- - - - -
bf2d303e by Chris Kelley at 2021-07-01T23:03:53+01:00
Make more classes implement JSONSerializer to reduce boilerplate code

In following packages:

com.netscape.certsrv.logging
com.netscape.certsrv.request
com.netscape.certsrv.property
com.netscape.certsrv.profile

- - - - -
f36bd103 by Chris Kelley at 2021-07-01T23:04:11+01:00
Make more classes implement JSONSerializer to reduce boilerplate code

In following packages:

com.netscape.certsrv.system
com.netscape.certsrv.selftests
- - - - -
52819513 by Endi S. Dewata at 2021-07-01T19:32:51-05:00
Display CLI exception stack trace

The pki CLI has been modified to show the exception
stack trace by default to help troubleshooting.

- - - - -
6e1db6ef by Endi S. Dewata at 2021-07-01T19:51:22-05:00
Drop unnecessary sudo dependency

- - - - -
f4fb25e4 by Chris Kelley at 2021-07-02T09:02:28+01:00
Remove XML tagging from com.netscape.certsrv.group
- - - - -
d9f35385 by Endi S. Dewata at 2021-07-02T12:41:26-05:00
Add tests for CA auditor

New tests have been added to verify creating CA auditor
with basic auth and client cert auth and retrieving
audit logs.

- - - - -
21fde138 by Chris Kelley at 2021-07-02T22:27:15+01:00
Remove XML tagging from ClientConfig
- - - - -
92b0df5b by Chris Kelley at 2021-07-02T22:29:41+01:00
Remove field visibility functionality from JSONSerializer

Only required to make one prvivate field visible, so just make it public
- - - - -
33b86f35 by Endi S. Dewata at 2021-07-02T17:04:18-05:00
Remove unused references to commons-collections.jar

- - - - -
8d1cc0c2 by Endi S. Dewata at 2021-07-07T20:47:13-05:00
Add doc for pki <subsystem>-audit

- - - - -
7cbdc90f by Chris Kelley at 2021-07-08T10:42:54+01:00
Automatically detect unit tests in CMakeLists files

Currently if you add a JUnit test case you have to know/remember to add
it in the cmake files, which is brittle process.
- - - - -
4917f7be by Chris Kelley at 2021-07-08T10:43:13+01:00
Make more classes implement JSONSerializer to reduce boilerplate code

In following packages:

com.netscape.certsrv.key
com.netscape.certsrv.client
com.netscape.certsrv.group

- - - - -
16e89c9e by dpuniaredhat at 2021-07-08T15:20:30+05:30
Bug Automation 1963220 revoke with allowExtCASignedAgentCerts parms (#3642)

1. Install CA and SubCA.
2. Create certificate on external CA for agent with name extCA-agent.
3. Create agent on main CA and import extCA-agent certificate.
4. Test with default value of ca.allowExtCASignedAgentCerts=false without any changes.
5. Test with parameter ca.allowExtCASignedAgentCerts=true in CS.cfg parameter

Signed-off-by: Deepak Punia <dpunia at redhat.com>
- - - - -
c781ab61 by Chris Kelley at 2021-07-08T09:39:07-05:00
Remove XML tagging from org.dogtagpki.common
- - - - -
a010fa7c by Endi S. Dewata at 2021-07-08T09:39:25-05:00
Update Link constructor

The Link constructor has been modified not to set the type
if it's not specified to match RESTEasy's Link constructor:
https://github.com/resteasy/Resteasy/blob/3.0.26.Final/providers/resteasy-atom/src/main/java/org/jboss/resteasy/plugins/providers/atom/Link.java#L54-L58

- - - - -
8d37206a by Endi S. Dewata at 2021-07-08T09:39:25-05:00
Update pki tps-config doc

The doc for pki tps-config has been updated to use
JSON instead of XML file format.

- - - - -
a51f61a6 by Endi S. Dewata at 2021-07-08T09:39:25-05:00
Add doc for switching from XML to JSON REST API

- - - - -
18f86a4c by Endi S. Dewata at 2021-07-08T12:02:13-05:00
Add doc for pki ca-cert

[skip ci]

- - - - -
80f93b9e by Chris Kelley at 2021-07-08T23:01:35+01:00
Remove XML tagging from com.netscape.certsrv.logging
- - - - -
d91c8a73 by Endi S. Dewata at 2021-07-08T23:01:50+01:00
Fix pki <subsystem>-audit CLIs

The pki <subsystem>-audit-show and -mod commands have been
modified to store the output file in JSON format.

https://bugzilla.redhat.com/show_bug.cgi?id=1980368

- - - - -
629cb441 by Endi S. Dewata at 2021-07-08T23:01:50+01:00
Update pki <subsystem>-audit doc

The doc for pki <subsystem>-audit has been updated to use
JSON instead of XML file format.

- - - - -
9d280f73 by dpuniaredhat at 2021-07-09T17:05:53+05:30
fix upstream nightly pipeline (#3646)

installation_podman_acme-dp

Signed-off-by: Deepak Punia <dpunia at redhat.com>
- - - - -
6cfbf958 by Endi S. Dewata at 2021-07-09T10:35:58-05:00
Remove deprecated pki commands

- - - - -
0c161e74 by Chris Kelley at 2021-07-12T14:30:09+01:00
Remove XML mapping from com.netscape.cersrv.tps

Adds in JSON mapping to ProfileData which I missed in an earlier PR
- - - - -
1747c2af by Chris Kelley at 2021-07-12T14:35:18+01:00
Replace XML Response object in GetTransportCert with a JSON object
- - - - -
10a789a7 by Endi S. Dewata at 2021-07-12T18:55:10-05:00
Add jakarta-activation to .classpath

The jakarta.activation.jar has been added into .classpath
since it's needed to run unit tests in Eclipse.

[skip ci]

- - - - -
98ec4987 by Chris Kelley at 2021-07-13T10:53:37+01:00
Remove XML mappers from com.netscape.certsrv.user

Also adds some missing JSON mapping/tests
- - - - -
a713f1e7 by Chris Kelley at 2021-07-14T08:39:32+01:00
Remove XML tagging from com.netscape.certsrv.system
- - - - -
0cbc2861 by Chris Kelley at 2021-07-14T22:54:53+01:00
Remove XML tagging from Link
- - - - -
9b08876a by Chris Kelley at 2021-07-14T23:07:21+01:00
Remove XML mapping from com.netscape.certsrv.key
- - - - -
e95e27fb by Kees Bakker at 2021-07-15T15:02:05-05:00
Use get_token_password instead of get_password

The function get_password will not normalize the token name and then it
fails to find the password in the config file. After that it will prompt
for the password.

The solution is to use get_token_password instead.

- - - - -
4e1b040f by Endi S. Dewata at 2021-07-16T15:41:53-05:00
Add GitLab synchronization job

The .gitlab-ci.yml has been added to define a job to
synchronize a branch from an upstream repository to a
GitLab repository.

- - - - -
98adff64 by Chris Kelley at 2021-07-19T20:55:58+01:00
Remove XML mappers from CertRequestInfo{s}
- - - - -
bc3739a1 by Endi S. Dewata at 2021-07-19T19:57:24-05:00
Remove unused BUILDDIR var

- - - - -
e41fa4c3 by Endi S. Dewata at 2021-07-19T20:39:38-05:00
Remove unused COPR_REPO var

- - - - -
5a6b1afc by dpuniaredhat at 2021-07-21T12:38:00+05:30
fix upstream nightly pipeline (#3658)

pipeline fixes under this PR
externalca_nssdb-topo-03-sk
topology_02_ldaps_sk
topo-03-kra-bugzilla

Signed-off-by: Deepak Punia <dpunia at redhat.com>
- - - - -
1d186dce by Chandan Pinjani at 2021-07-21T20:37:20+05:30
Clone Job Fix (#3663)

Signed-off-by: Chandan Pinjani <cpinjani at redhat.com>

Co-authored-by: Chandan Pinjani <cpinjani at redhat.com>
- - - - -
76457449 by Endi S. Dewata at 2021-07-21T12:03:01-05:00
Update Python tests

The Python tests have been modified to build a test
container and run the tests in the container.

The pki-lint script has been modified to use pylint
and flake8 configuration files from the parent folder.

The script has also been modified to get the sources
from Python library path and upgrade folders.

The script dependencies have been moved into pki.spec.
The direct dependency on python3-pyflakes has been
removed since it's already required by python3-flake8.

- - - - -
89d2c255 by c-dorney at 2021-07-22T18:02:31+01:00
BZ-1981850 Check directory for files on load subsystems (#3666)

* BZ-1981850 Check directory for files on load subsystems
- - - - -
1b405f1d by Endi S. Dewata at 2021-07-23T14:11:38-05:00
Add test for SCEP responder

A CI test has been added to set up SCEP responder,
build SSCEP client, then run an enrollment test.

- - - - -
441a4688 by dpuniaredhat at 2021-07-26T17:30:01+05:30
fix acme assertion changes (#3672)

Executed Pipeline : https://gitlab.com/dpunia/pki/-/pipelines/342821832

Signed-off-by: Deepak Punia <dpunia at redhat.com>
- - - - -
58e03f50 by Chris Kelley at 2021-07-26T16:18:11+01:00
Replace use of python with python3 on Ubuntu

TIL that on Ubuntu, there isn't a python module per se - but python2 and
python3. There is supposedly some symlink chicanery you can do if your
project requires "python" explicitly, but we have no requirement for
python2 so just state python3 explicitly.

Fixes currently broken CI pipeline
- - - - -
0f858253 by Endi S. Dewata at 2021-07-26T12:46:31-05:00
Ignore failures when gathering CI artifacts

- - - - -
6ba18315 by Endi S. Dewata at 2021-07-26T16:32:11-05:00
Ignore known JSS issue

The CI has been modified to ignore a known JSS issue:
https://github.com/dogtagpki/jss/issues/781

- - - - -
309337ed by Endi S. Dewata at 2021-07-26T19:04:30-05:00
Update pki-console dependency

The pki.spec has been modified to obsolete older pki-console,
pki-console-theme, and idm-console-framework packages such that
they will be uninstalled on upgrade. The current pki-console
can still be installed optionally.

- - - - -
539b84e0 by Chris Kelley at 2021-07-27T08:17:58+01:00
Remove XML tagging from ProfileRetrievalRequest
- - - - -
5ec82d3f by Endi S. Dewata at 2021-07-27T17:10:11-05:00
Update pki.spec

The pki.spec has been updated to require PKI packages
with the same version and release numbers to ensure
that the packages installed are from the same build.

- - - - -
4932ef6d by Endi S. Dewata at 2021-07-28T15:57:11-05:00
Add init-workflow.sh

The init-workflow.sh has been added to configure the test
matrix based on the BASE64_MATRIX variable. The test matrix
needs to be base64-encoded since otherwise GitHub will mask
the value rendering it unusable.

- - - - -
6f2c0f00 by 06shalini at 2021-07-29T12:19:32+05:30
Fixed performance issues#3481 by fixing the session object sharing among threads (#3569)

Signed-off-by: Shalini Khandelwal <skhandel at redhat.com>

Co-authored-by: Shalini Khandelwal <skhandel at redhat.com>
- - - - -
d42954ec by Endi S. Dewata at 2021-07-29T15:57:21-05:00
Add test repository configuration

The init-workflow.sh has been modified to load the test
repository from BASE64_REPO variable. The test repository
will be configured in the runner image so all tests using
the same image will automatically use the same repository.

- - - - -
eef1f62d by Endi S. Dewata at 2021-07-29T17:28:56-05:00
Update default test matrix

The init-workflow.sh has been modified to test
against the latest Fedora version by default.

- - - - -
2d99d278 by Christina Fu at 2021-07-30T09:33:51-07:00
Bug 708162 - DRM error reporting page for noOfRequiredRecoveryAgents has a typo

quick typo fix
fixes https://bugzilla.redhat.com/show_bug.cgi?id=708162

- - - - -
9a6cb98f by Endi S. Dewata at 2021-08-03T16:37:56-05:00
Remove unused Requires(preun) in pki.spec

- - - - -
acc08128 by Endi S. Dewata at 2021-08-04T18:38:36-05:00
Clean up test names

- - - - -
3e367124 by Christina Fu at 2021-08-04T17:47:45-07:00
Bug1973870 SubCA two-step installation fails with error while validating SubCA ca signing certificate

This patch fixes the issue where the CA signing cert is not imported
properly into the nssdb with trust.
The pki cli command is changed from 'nss-import-cert' to 'client-import-cert'
and '--cert' changed to '--ca-cert'.
See https://github.com/dogtagpki/pki/wiki/PKI-Client-CLI#importing-ca-certificate
In addition, if pkispawn fails the pki-server subsystem-cert-validate call,
it will provide more detail on the failure while allow pkispawn to complete.

This would allow admins to manually add the ca signing cert manually.
(Although with the fix mentioned above, it should not be encountered)

fixes master for  https://bugzilla.redhat.com/show_bug.cgi?id=1973870

- - - - -
196f4494 by Christina Fu at 2021-08-05T15:13:22-07:00
Bug1990608 PS Allowing Token Transactions while the CA is Down

This patch propagates the exception thrown when revocation/unrevocation
fails so that the token record is not updated on TPS; This allows
the TPS token to be consistent with the certs on the CA.

fixes https://bugzilla.redhat.com/show_bug.cgi?id=1990608

- - - - -
d5eecddf by Endi S. Dewata at 2021-08-06T16:11:31-05:00
Add PKI PKCS12 CLI test

A new CI test has been added to validate pki pkcs12
commands.

https://github.com/dogtagpki/pki/wiki/PKI-PKCS12-CLI

- - - - -
2586825d by Chris Kelley at 2021-08-09T15:37:39+01:00
Make getStatus return JSON instead of XML

Introduces JSONObject class to begin to replace instances of the
XMLObject class.
- - - - -
e16a3c76 by Chris Kelley at 2021-08-09T16:48:59+01:00
Replace XMLObjects with JSONObjects in com.netscape.cms.servlet.csadmin
- - - - -
d1a02c89 by Chris Kelley at 2021-08-09T11:42:13-05:00
Remove duplicate buttons from Retrieval List Certificates page
- - - - -
15182145 by Endi S. Dewata at 2021-08-09T11:42:39-05:00
Fix navigation buttons in CA EE list certs page

The renderNextButtonElement() has been modified to fix a
typo in commit 13f4c7fe7d71d42b46b25f3e8472ef7f35da5dd6.

https://bugzilla.redhat.com/show_bug.cgi?id=1978345

- - - - -
4289cecf by Endi S. Dewata at 2021-08-09T11:42:39-05:00
Fix thread safety in ListCerts

The mReverse, mHardJumpTo, and mDirection fields in ListCerts
servlet has been converted into regular variables to avoid
potential concurrency issues.

- - - - -
2f953491 by Chris Kelley at 2021-08-10T10:02:29+01:00
Replace XMLObject with JSONObject in PortsServlet
- - - - -
b8e6015b by Endi S. Dewata at 2021-08-10T13:35:38-05:00
Reorganize changes docs

[skip ci]

- - - - -
3e25eeda by Christina Fu at 2021-08-11T09:31:25-07:00
Bug 1992337 - Double issuance of non-CA subsystem certs at installation

This patch removes an extra  profile.submit() call that was accidentally
left off during manual cherry-picking of another bug (1905374):
commit 8e78a2b912e7c3bd015e4da1f1630d0f35145104 (HEAD -> DOGTAG_10_5_BRANCH, origin/DOGTAG_10_5_BRANCH)

fixes https://bugzilla.redhat.com/show_bug.cgi?id=1992337

- - - - -
1be7cb19 by Chris Kelley at 2021-08-11T17:39:56+01:00
Cherry-pick fix for BZ 1955633 to master
- - - - -
c3707a54 by Chris Kelley at 2021-08-11T17:40:10+01:00
Port fix for BZ 1960743 to master

Simple cherry-pick was not possible as the files have been moved and the
CMS class log methods replaced with an SLF4J logger instance. Also the
config store is pulled from the subsystem and not the CMS,
- - - - -
39ac8234 by Endi S. Dewata at 2021-08-11T12:25:13-05:00
Rename PKI packages

The pki-* packages have been renamed into dogtag-pki-*.
The Obsoletes: directives have been added to replace
installed pki-* packages. The Provides: directives have
been added for backward compatibility.

The vendor_id and brand macros have been replaced with
product_name, product_id, and theme macros.

- - - - -
edaab139 by Endi S. Dewata at 2021-08-11T20:54:24-05:00
Fix Javadoc directory

- - - - -
83452b29 by Endi S. Dewata at 2021-08-11T21:29:05-05:00
Update version number to 11.0.0-alpha2

- - - - -
e8a03bcb by Endi S. Dewata at 2021-08-12T13:01:36-05:00
Add --log-file option for pkispawn/pkidestroy

pkispawn and pkidestroy have been modified to provide a
--log-file option to specify the installation log file path.

- - - - -
715861f9 by Endi S. Dewata at 2021-08-17T21:13:31-05:00
Update PKIConnection logging

The PKIConnection has been modified to log the content of
HTTP requests and responses in debug mode.

- - - - -
405a1853 by Endi S. Dewata at 2021-08-18T09:37:21-05:00
Add support for custom XML mapping

The PKIClient and PKIService classes have been modified
to support optional XML mapping using fromXML() and
toXML(). This can be used to implement a custom XML
mapping using DOM instead of JAXB.

- - - - -
8e5f2bc8 by Endi S. Dewata at 2021-08-18T09:37:21-05:00
Add DOM mapping for Link

- - - - -
52b6c0dc by Endi S. Dewata at 2021-08-18T09:37:21-05:00
Add DOM mapping for CertDataInfo

- - - - -
648bf64c by Endi S. Dewata at 2021-08-18T09:37:21-05:00
Add DOM mapping for CertDataInfos

- - - - -
8b25d201 by Endi S. Dewata at 2021-08-18T09:37:21-05:00
Add XML mapping using DOM for CertDataInfos

- - - - -
15703570 by Endi S. Dewata at 2021-08-18T09:37:21-05:00
Drop JAXB from CertDataInfo

- - - - -
3d44a8dc by Endi S. Dewata at 2021-08-18T10:29:38-05:00
Add DOM mapping for Account

- - - - -
d39acd9d by Endi S. Dewata at 2021-08-18T10:29:38-05:00
Drop JAXB from Account

The Account class has been modified to use DOM
instead of JAXB for XML mapping.

- - - - -
78f6d6b1 by Endi S. Dewata at 2021-08-18T11:35:09-05:00
Add DOM mapping for CertData

- - - - -
214b3cc3 by Endi S. Dewata at 2021-08-18T11:35:09-05:00
Drop JAXB from CertData

The CertData class has been modified to use DOM
instead of JAXB for XML mapping.

- - - - -
be299603 by Endi S. Dewata at 2021-08-18T15:44:01-05:00
Add DOM mapping for CertRetrievalRequest

- - - - -
318e05c2 by Endi S. Dewata at 2021-08-18T15:44:01-05:00
Drop JAXB from CertRetrievalRequest

- - - - -
8112771d by Chris Kelley at 2021-08-18T23:25:26+01:00
Drop jaxb from ProfileDataInfo
- - - - -
26f3f176 by Chris Kelley at 2021-08-19T11:00:59+01:00
Drop jaxb from ProfileDataInfos
- - - - -
279be2c3 by Chandan Pinjani at 2021-08-19T18:05:45+05:30
Added BZ_1426572_fix (#3701)

Signed-off-by: Chandan Pinjani <cpinjani at redhat.com>

Co-authored-by: Chandan Pinjani <cpinjani at redhat.com>
- - - - -
9e734330 by Endi S. Dewata at 2021-08-19T11:18:12-05:00
Reorganize IPA tests

To simplify troubleshooting the basic IPA tests have
been split into separate steps, and the tests will stop
immediately on error. The IPA ACME test has also been
moved into a separate job.

- - - - -
4c2cdbc8 by Endi S. Dewata at 2021-08-19T13:31:30-05:00
Clean up CACertFindCLI

The CACertFindCLI has been modified to use Files.readString()
to read the input file into a String.

- - - - -
0c955aef by Endi S. Dewata at 2021-08-19T15:43:12-05:00
Refactor CertRevokeRequest

The CertRevokeRequest.reason has been converted into String
to remove dependency on RevocationReasonAdapter which is also
dependent on JAXB.

- - - - -
633d7553 by Endi S. Dewata at 2021-08-19T15:43:12-05:00
Add DOM mapping for CertRevokeRequest

- - - - -
64f44a53 by Endi S. Dewata at 2021-08-19T15:43:12-05:00
Drop JAXB from CertRevokeRequest

- - - - -
9b6a9358 by Endi S. Dewata at 2021-08-20T10:00:40+01:00
Add DOM mapping for CertSearchRequest

- - - - -
6a62a24d by Endi S. Dewata at 2021-08-20T10:00:40+01:00
Replace JAXB with DOM in CertSearchRequest

The CertSearchRequest has been modified to use DOM
instead of JAXB in toXML() and fromXML().

- - - - -
070c45f8 by Chris Kelley at 2021-08-20T11:15:59+01:00
Modify PolicyConstraintTest to produce more accurate XML output

So we can see whether the DOM replacement for jaxb produces equivalent

- - - - -
670c8377 by Chris Kelley at 2021-08-20T11:15:59+01:00
Replace jaxb with DOM in PolicyConstraintValue
- - - - -
9f3c03e0 by Chris Kelley at 2021-08-20T11:15:59+01:00
Replace jaxb with DOM in PolicyConstraint
- - - - -
70521f55 by Chris Kelley at 2021-08-20T11:33:41+01:00
Drop jaxb from ProfileParameter
- - - - -
3fa319f8 by Chris Kelley at 2021-08-20T11:33:41+01:00
Drop jaxb from ProfileAttribute
- - - - -
7e54b4f2 by Chris Kelley at 2021-08-20T15:12:09+01:00
Improve PolicyOutputTest by adding in ProfileAttributes
- - - - -
39b4569d by Chris Kelley at 2021-08-20T15:12:09+01:00
Drop jaxb from ProfileOutput
- - - - -
6c5f4600 by Endi S. Dewata at 2021-08-20T15:11:32-05:00
Replace RevocationReason.fromInt() with valueOf()

- - - - -
f128af5a by Endi S. Dewata at 2021-08-20T15:11:33-05:00
Replace RevocationReason.toInt() with getCode()

- - - - -
2a66010d by Ciarán Dorney at 2021-08-20T22:19:47+01:00
Add DOM mapping for ProfileInput

- - - - -
6ee96a4a by Chris Kelley at 2021-08-20T23:04:33+01:00
Improve PolicyDefaultTest by filling out more fields in test object
- - - - -
a19a6dd2 by Chris Kelley at 2021-08-20T23:04:33+01:00
Drop jaxb from PolicyDefault
- - - - -
5bacbd1e by Endi S. Dewata at 2021-08-20T17:58:51-05:00
Add DOM mapping for ResourceMessage

- - - - -
582e8144 by Endi S. Dewata at 2021-08-20T17:58:51-05:00
Add XML mapping for Info

- - - - -
57658046 by Endi S. Dewata at 2021-08-20T17:58:51-05:00
Replace JAXB with DOM in PKIException

- - - - -
68904bac by Chris Kelley at 2021-08-21T00:01:29+01:00
Improve ProfilePolicyTest by adding Policy{Constraint,Default}
- - - - -
25d23ba6 by Chris Kelley at 2021-08-21T00:01:29+01:00
Drop jaxb from ProfilePolicy
- - - - -
241eb238 by Endi S. Dewata at 2021-08-20T20:56:36-05:00
Fix JSON mapping in Info

- - - - -
5ce9d586 by Endi S. Dewata at 2021-08-20T20:56:36-05:00
Clean up PKIClient.handleErrorResponse()

- - - - -
d14aa68a by Endi S. Dewata at 2021-08-20T20:56:36-05:00
Add PKIClient.unmarshall()

The code that unmarshalls response object in
PKIClient.getEntity() has been moved into a new
unmarshall() method. The handleErrorResponse()
has been modified to use unmarshall() as well.

- - - - -
731c8f18 by Endi S. Dewata at 2021-08-23T10:37:22-05:00
Add JSON mapping for PKIException

- - - - -
5dc388d6 by Endi S. Dewata at 2021-08-23T10:37:22-05:00
Drop JAXB from PKIException

- - - - -
63813fd7 by Endi S. Dewata at 2021-08-23T10:42:20-05:00
Fix XML mapping in CertSearchRequest

- - - - -
9f695cec by Endi S. Dewata at 2021-08-23T10:42:20-05:00
Fix JSON mapping in CertDataInfo

- - - - -
f453271a by Endi S. Dewata at 2021-08-23T10:42:20-05:00
Fix JSON and XML mapping in Link

- - - - -
d03c6661 by Endi S. Dewata at 2021-08-23T10:42:20-05:00
Fix XML mapping in ResourceMessage

- - - - -
169b6750 by Endi S. Dewata at 2021-08-23T11:16:02-05:00
Rename PKIService.convert() to marshall()

- - - - -
c0867bb9 by Endi S. Dewata at 2021-08-23T13:22:23-05:00
Refactor PKIService.marshall()

The if-statement has been moved into the try-catch
block so it can be extended to handle JSON later.

- - - - -
22b89df1 by Endi S. Dewata at 2021-08-23T17:16:51-05:00
Add support for custom request mapping

The PKIClient.marshall() and PKIService.unmarshall()
have been added to suport custom mapping of request
objects.

- - - - -
a745bab3 by Endi S. Dewata at 2021-08-23T17:16:51-05:00
Refactor CertService.searchCerts()

The CACertClient.findCerts() has been modified
to marshall the CertSearchRequest into a String.
The CertService.searchCerts() has been modified to
unmarshall the String back into CertSearchRequest.

- - - - -
90767089 by Endi S. Dewata at 2021-08-23T17:16:51-05:00
Drop JAXB from CertSearchRequest

- - - - -
8230a17d by Endi S. Dewata at 2021-08-23T20:16:03-05:00
Add DOM mapping for CMSRequestInfo

- - - - -
c119193e by Endi S. Dewata at 2021-08-23T20:16:03-05:00
Add DOM mapping for CertRequestInfo and CertRequestInfos

- - - - -
4af33c33 by Endi S. Dewata at 2021-08-23T20:16:03-05:00
Add DOM mapping for KeyRequestInfo and KeyRequestInfoCollection

- - - - -
121da3ea by Endi S. Dewata at 2021-08-23T20:16:03-05:00
Add serializer/deserializer for RequestStatus

- - - - -
35ccbe20 by Endi S. Dewata at 2021-08-23T20:16:03-05:00
Drop JAXB from CMSRequestInfo

- - - - -
fb1c70cc by c-dorney at 2021-08-24T10:19:22+01:00
Add CertEnrollmentRequest DOM mappings (#3711)


- - - - -
148a155d by Endi S. Dewata at 2021-08-24T11:10:01-05:00
Refactor CertEnrollmentRequest

The toDOM() and fromDOM() in CertEnrollmentRequest have
been modified such that they can be reused by its subclass,
i.e. CertReviewResponse.

- - - - -
5d4ed1a3 by Endi S. Dewata at 2021-08-24T11:10:01-05:00
Add DOM mapping for CertReviewResponse

- - - - -
5498e40d by Endi S. Dewata at 2021-08-24T11:10:01-05:00
Replace JAXB with DOM in CertReviewResponse

- - - - -
6e4dfd29 by Endi S. Dewata at 2021-08-24T11:10:01-05:00
Drop JAXB from CertReviewResponse

- - - - -
8be1e7c7 by Chris Kelley at 2021-08-24T17:11:16+01:00
Improve ProfileDataTest to produce better test object
- - - - -
e17bb5fc by Chris Kelley at 2021-08-24T17:11:16+01:00
Drop Jaxb from ProfileData

Also fixes mapping bug in PolicyConstraint
- - - - -
53584cb3 by Endi S. Dewata at 2021-08-24T11:47:23-05:00
Fix XML mapping in CertRequestInfos and KeyRequestInfoCollection

- - - - -
cfbf3dee by Endi S. Dewata at 2021-08-24T12:45:01-05:00
Update TestRunner output

- - - - -
15dc1dc5 by Endi S. Dewata at 2021-08-24T16:05:30-05:00
Fix JSON mapping for ResourceMessage

The ResourceMessage class has been modified to provide
a JSON serializer/deserializer for the attributes to
match the original JAXB mapping.

- - - - -
e65e4aa5 by Endi S. Dewata at 2021-08-24T16:05:30-05:00
Fix JSON mapping for Profile classes

- - - - -
9c049a31 by Endi S. Dewata at 2021-08-24T16:05:30-05:00
Fix JSON mapping for CertReviewResponse

- - - - -
3fe17043 by Endi S. Dewata at 2021-08-24T16:05:30-05:00
Add XML mapping for ProfileDataInfos

- - - - -
2acff95a by Endi S. Dewata at 2021-08-24T16:05:30-05:00
Refactor CertRequestService.enrollCert()

The CACertClient.enrollRequest() has been modified to
marshall the CertEnrollmentRequest into a String. The
CertRequestService.enrollCert() has been modified to
unmarshall the String back into CertEnrollmentRequest.

- - - - -
1d09759d by Endi S. Dewata at 2021-08-24T16:05:30-05:00
Drop JAXB from CertEnrollmentRequest

- - - - -
0715b7b0 by Chris Kelley at 2021-08-24T22:28:52+01:00
Remove XML mapping in com.netscape.certsrv.request
- - - - -
e636a57a by Endi S. Dewata at 2021-08-24T18:09:37-05:00
Remove unused DateAdapter

- - - - -
c6786aee by Endi S. Dewata at 2021-08-24T18:09:37-05:00
Remove unused RequestIdAdapter

- - - - -
b7009151 by Endi S. Dewata at 2021-08-24T18:09:37-05:00
Remove unused KeyIdAdapter

- - - - -
23b75ac2 by Endi S. Dewata at 2021-08-24T18:09:37-05:00
Remove unused CertIdAdapter

- - - - -
af236210 by Endi S. Dewata at 2021-08-24T18:09:37-05:00
Remove unused TokenStatusAdapter

- - - - -
bb0c1fa0 by Endi S. Dewata at 2021-08-24T18:37:12-05:00
Refactor KRAKeyRecoverCLI

The code that parses XML file has been moved into
KeyRecoveryRequest.fromXML().

- - - - -
643beaa6 by Endi S. Dewata at 2021-08-24T19:06:01-05:00
Update InfoService

The InfoService has been modified to capture generic
exceptions instead of JAXB exception.

- - - - -
8bebc433 by Endi S. Dewata at 2021-08-24T20:09:16-05:00
Remove unused methods

- - - - -
ff798889 by Endi S. Dewata at 2021-08-24T20:10:26-05:00
Refactor KeyRecoveryRequest.fromXML()

The KeyRecoveryRequest.fromXML() has been modified to
reuse the ResourceMesssage.fromDOM().

- - - - -
0d0e4e6f by Endi S. Dewata at 2021-08-24T20:58:47-05:00
Drop JAXB from DataCollection

- - - - -
4978a9b6 by Endi S. Dewata at 2021-08-24T20:58:47-05:00
Refactor ProfileCLI.saveEnrollmentTemplateToFile()

- - - - -
92cf53a9 by Endi S. Dewata at 2021-08-24T21:32:47-05:00
Refactor ProfileCLI.saveProfileToFile()

- - - - -
f84acce1 by c-dorney at 2021-08-25T16:28:03+01:00
Encode cert request as bytes before writing to file (#3718)


- - - - -
f52ef72c by Endi S. Dewata at 2021-08-25T10:34:21-05:00
Fix XML mapping in CertRequestInfos

- - - - -
c1354df2 by Chris Kelley at 2021-08-25T18:21:53+01:00
Fix KRA List Requests by using correct parser
- - - - -
7317586a by Endi S. Dewata at 2021-08-25T16:18:46-05:00
Fix XML mapping in ProfileOutput

The ProfileOutput.toDOM() has been modified to reuse
the XML mapping code in ProfileAttribute.

- - - - -
3e6618df by Endi S. Dewata at 2021-08-25T16:18:46-05:00
Add XML mapping for ResourceMessage

- - - - -
359904b4 by Endi S. Dewata at 2021-08-25T16:18:46-05:00
Update ResourceMessage test and subclasses

The ResourceMessage test and subclasses have been modified
to use the new XML mapping in ResourceMessage.

- - - - -
a7a36fc8 by Endi S. Dewata at 2021-08-25T16:18:46-05:00
Update pki kra-key-template CLIs

The pki kra-key-template-find and -show commands have been
modified to use the XML mapping in ResourceMessage.

- - - - -
50e8abfa by Endi S. Dewata at 2021-08-25T17:32:00-05:00
Refactor ProfileCLI.readProfileFromFile()

- - - - -
d0c68148 by Endi S. Dewata at 2021-08-25T17:32:00-05:00
Update ProfileClient and ProfileService to use custom mapping

The ProfileClient has been modified to marshall ProfileData
into a String. The ProfileService has been modified to
unmarshall the String back into ProfileData.

- - - - -
07e79dcb by Endi S. Dewata at 2021-08-25T17:32:00-05:00
Fix XML mapping for Descriptor

The XML mapping for Descriptor has been consolidated into the
Descriptor class for consistency and to match PKI 10.11.

- - - - -
fe28acdc by Endi S. Dewata at 2021-08-25T17:32:00-05:00
Fix XML mapping for PolicySet

The ProfileData.fromDOM() has been modified to iterate through
the immediate children of <PolicySet> to find <id> and <value>.

- - - - -
3f7ae8ca by Endi S. Dewata at 2021-08-25T17:32:00-05:00
Fix miscellaneous issues in XML mapping for profile

- - - - -
62a9e659 by Endi S. Dewata at 2021-08-26T13:47:47-05:00
Fix XML mapping for ProfilePolicySet

- - - - -
d37eb804 by Endi S. Dewata at 2021-08-26T13:47:47-05:00
Drop JAXB annotations from profile classes

- - - - -
490935d6 by Christina Fu at 2021-08-26T17:27:24-07:00
Bug1694417-TLS Session audit events establish/terminate when CS acting as a client

The description of this bug could be a litte off so I'll try to explain
when CLIENT_ACCESS_SESSION_ESTABLISH and CLIENT_ACCESS_SESSION_ERMINATED
are supposed to happen first before explaining the patch.

CLIENT_ACCESS_SESSION_ESTABLISH is supposed to happen when a CS instance
tries to connect to its TLS server (for a CA, that'd be a DS server or
KRA).  And CLIENT_ACCESS_SESSION_ERMINATED is supposed to happen when
a connection closes, be it initiated by the CS instance itself, or the
TLS server.

In the case when the TLS server is the DS server, CS actually tries to
create a minimum # of connections at system startup for every "module"
of CS.  This minimum number is specified in the CS.cfg parameter
internaldb.minConns, which is defaulted to 3. It is because of this
mechanism, you will not see these establish/terminated events triggered
per action.
The "modules" I spoke of can be found by search for the following string
in the debug log (if debug.level=0) :
  "Creating LdapBoundConnFactor"
e.g.
  "Creating LdapBoundConnFactor(DBSubsystem)"

In my observation, DS seems to send a CLOSE_NOTIFY alert to CS after one
hour of inactivity.  In other words, you'd see 3 "sets" of the
TERMINATED after one hour of inactivity (see example later on what my patch
does). I also notice how CS is reacting to such "receiveAlert" with a
"sendAlert", so we essentially see two terminated events when DS times
out on CS.  Another thing I observe is that after a connection is
"terminated", further actions don't trigger any more "establish" events.
I think the connections just go back to the connection pool to be reused
at "terminate".

KRA is different from DS. For every key archival action, CA->KRA
connection is established and then terminated when done.  It is
therefore easier to see these audit events more clearly.

Now about the this patch.  I actually am not sure if there's anything
not working as expected as far as the two audit events go.
However, I find the events to be not as descriptive as it's hard to tell
when an CLIENT_ACCESS_SESSION_ERMINATED alert was triggered by the
server(DS or KRA) or by the client (CS). For this reason, I prepend
"alertSent:" or "alertReceived:" before the CLOSE_NOTIFY in the audit
Info.

Here are a couple examples:
CA->KRA when crmf is submitted for key archival
0.ConnectAsync - [25/Aug/2021:19:31:05 EDT] [14] [6] [AuditEvent=CLIENT_ACCESS_SESSION_ESTABLISH][ClientHost=a.b.c.d][ServerHost=a.b.c.d][ServerPort=8443][SubjectID=SYSTEM][Outcome=Success] access session establish successfully when Certificate System acts as client
0.https-jsse-nio-8443-exec-17 - [25/Aug/2021:19:31:06 EDT] [14] [6] [AuditEvent=CLIENT_ACCESS_SESSION_TERMINATED][ClientHost=a.b.c.d][ServerHost=a.b.c.d][ServerPort=8443][SubjectID=SYSTEM][Outcome=Success][Info=clientAlertSent: CLOSE_NOTIFY] access session terminated when Certificate System acts as client

CA->DS
At system (CS) startup:
0.main - [25/Aug/2021:12:49:17 EDT] [14] [6] [AuditEvent=CLIENT_ACCESS_SESSION_ESTABLISH][ClientHost=a.b.c.d][ServerHost=a.b.c.d][ServerPort=636][SubjectID=SYSTEM][Outcome=Success] access session establish successfully when Certificate System acts as client
...
Do something such as
  pki -d . -c pAssword.123 -P https -p 8443 -n "PKI Administrator for example.com" ca-user-find
Notice how neither of the establish/terminated events get triggered.
...

After one hour (imposed by DS by default):
0.LDAPConnThread-9 ldaps://pki1.example.com:636 - [25/Aug/2021:13:49:17 EDT] [14] [6] [AuditEvent=CLIENT_ACCESS_SESSION_TERMINATED][ClientHost=10.19.34.104][ServerHost=10.19.34.104][ServerPort=636][SubjectID=SYSTEM][Outcome=Success][Info=clientAlertReceived: CLOSE_NOTIFY] access session terminated when Certificate System acts as client
0.LDAPConnThread-9 ldaps://pki1.example.com:636 - [25/Aug/2021:13:49:17 EDT] [14] [6] [AuditEvent=CLIENT_ACCESS_SESSION_TERMINATED][ClientHost=a.b.c.d][ServerHost=a.b.c.d][ServerPort=636][SubjectID=SYSTEM][Outcome=Success][Info=clientAlertSent: CLOSE_NOTIFY] access session terminated when Certificate System acts as client
Notice how one has "clientAlertReceived: CLOSE_NOTIFY" and the second one has
"clientAlertSent: CLOSE_NOTIFY", possible when CS received a timeout
notification it responded with a close notify.

I also adjusted some of the debug messages to make them easier to debug.

addresses https://bugzilla.redhat.com/show_bug.cgi?id=1694417

- - - - -
92cb2c3a by Endi S. Dewata at 2021-08-26T20:59:53-05:00
Update log messages in QueryReq

- - - - -
0ad78277 by Endi S. Dewata at 2021-08-26T20:59:53-05:00
Remove unused methods in ResourceMessage

- - - - -
3bef46fd by Endi S. Dewata at 2021-08-26T22:05:58-05:00
Use GH action cache for QE tests

- - - - -
ccdde3bc by Endi S. Dewata at 2021-08-26T22:05:58-05:00
Use GH action cache for IPA tests

- - - - -
ad2c1b05 by Chris Kelley at 2021-08-27T09:27:18+01:00
Remove jaxb-impl dependency
- - - - -
447d9605 by Endi S. Dewata at 2021-08-27T09:15:22-05:00
Add RESTMessage

The RESTMessage has been added as a copy of ResourceMessage
but without the JAXB annotations. Some of ResourceMessage's
subclasses have been changed to extend RESTMessage instead.

- - - - -
f72e3eb5 by Endi S. Dewata at 2021-08-27T09:15:22-05:00
Add XML mapping for key generation/archival/recovery classes

- - - - -
ccd723d2 by Endi S. Dewata at 2021-08-27T09:15:22-05:00
Update key generation/archival/recovery classes

The key generation/archival/recovery classes have been
modified to extend RESTMessage.

- - - - -
31657394 by Chris Kelley at 2021-08-27T16:10:15+01:00
Convert CertEnrollmentRequest to extend RESTMessage
- - - - -
82da3f15 by Chris Kelley at 2021-08-27T16:10:15+01:00
Improve CertReviewResponseTest object
- - - - -
b49e01cb by Chris Kelley at 2021-08-27T16:10:15+01:00
Replace ResourceMessage with RESTMessage in KRAKeyTemplate{find,show}CLI
- - - - -
9529ec19 by Chris Kelley at 2021-08-27T16:47:42+01:00
Remove unused ResourceMessage class (and test class)
- - - - -
9eb08e95 by jmagne at 2021-08-27T10:15:01-07:00
Fix: Bug 1964176 - KRA PKCS12 support for nCipher sw v12.60+. (#3691) (#3700)

Note much of this work is based on original work by Alex Scheel.
    aka, cipherboy : alexander.m.scheel at gmail.com
This is the pki portion of this bug. Features:

- Import and create our own version of nss's pk12util and name it p12tool.
The reason to do this is to add 3 new KWP algorithm SEC_OIDS dynamically to
nss. This allows the tool to be able to import p12 file that is wrapped with one
of these new algorithms. Otherwise this tool operates exactly like the nss pk1util,
but it's invokded with the name "p12tool".

- Added support to the KRA to be able to create a p12 file using one of the following algs:

"AES/None/PKCS5Padding/Kwp/128"
"AES/None/PKCS5Padding/Kwp/192"
"AES/None/PKCS5Padding/Kwp/256"

Note this requires a new version of jss upcoming that registers these 3 new algs.
They can be referenced by these names in java jss code. These algs are needed when
using an hsm of a certain firmware version that is more restrictive, especially under
FIPS mode.

If the admin knows that the kra is hooked up with such an hsm, the kra can be configured to use
one of those algs as follows:

In the KRA's CS.cfg:

kra.legacyPKCS12=false
kra.nonLegacyAlg=AES/None/PKCS5Padding/Kwp/256

This setting defaults to what we have orignally "AES/CBC/NoPadding".

Also note if we are using the most restrictive scenario with a given hsm, we
want to install both the CA and the KRA with PSS and have oaep enabled for both post configuration:

keyWrap.useOAEP=true

When attempting to recover a key, the code in jss attempts the current method, and
then tries our enhanced method, if the current method fails. This is to disturb original
functionality as little as possible if not needed.

- CRMFPopClient has been lightly modified to be able to use the AES_KEY_WRAP_KWP wrapping mechanism:

Here is an example of generating a cert request :

CRMFPopClient -d . -p ******  -n "cn=ladycfu, uid=ladycfu" -q POP_SUCCESS -l 2048 -b transport.txt -oaep -w "AES KeyWrap/Wrapped" -h NHSM-CONN-XC -y -v -o test1.req

Note the alg "AES KeyWrap/Wrapped" will wrap up the private key with this alg, and the archival routing on the server's kra subsystem will be able to deal with it.

When emplying the KRA's gui to recover a key, the kra must be configured with the "kra.nonLegacyAlg=AES/None/PKCS5Padding/Kwp/256, an example,
to be able to deal with this key and recover it to a p12 file.

Then when importing such a p12 into a software nss db, we must use the new "p12tool" to do so, since it's the only one that recognizes the noew algorithms:

ex:  p12tool -i test.p12 -d .

Note: That this import only works on software for now, since we need further support in nss to make this a reality. The goal of this fix and the corresponding
jss fix was to be able to get this use case working on the hsm in fips mode without modifying nss at all.
- - - - -
50495e5e by Endi S. Dewata at 2021-08-27T16:02:11-05:00
Stop QE tests immediately on error

- - - - -
7dc75c82 by Endi S. Dewata at 2021-08-27T16:02:11-05:00
Drop resteasy-jaxb-provider dependency

- - - - -
52af304b by Christina Fu at 2021-08-30T10:54:57-07:00
Bug1990105- TPS Not properly enforcing Token Profile Separation

This patch addresses the issue that TPS agent operations on tokens, activities, and profiles are not limited by the types (profiles) permmtted to the agent (as described in the documentation). This is a regression from 8.x.

The affected operations are:
 - findProfiles
 - getProfiles
 - updateProfile
 - changeStatus (of a profile)
 - retrieveTokens
 - getToken
 - modifyToken
 - changeTokenStatus
 - retrieveActivities
 - getActivity

Note that some operations that seem like should be affected are not
due to the fact that they are TPS admin operations and are shielded
from entering the TPS service at the activity level.  For example,
deleting a token would be such a case.

The authorization enforcement added in this patch should affect both
access from the web UI as well as access from PKI CLI.
Reference: https://github.com/dogtagpki/pki/wiki/PKI-TPS-CLI

Another note: the VLV complicates the resulting page.  If the returned
entries on the page are all restricted then nothing would be shown.  To
add a bit more clarity, an <restricted> entry is added to reflect such
effect so that it would be less confusing to the role user.
The <restricted> entries are left with the epoch date.
This would affect both WEB UI and PKI CLI.

Also, a list minute addition to address an issue with 1911472 in
CertService.java where the subject DN of the CA signing cert should
be used instead of the issuer.

fixes https://bugzilla.redhat.com/show_bug.cgi?id=1990105

- - - - -
b758c038 by Chris Kelley at 2021-09-01T17:03:53+01:00
Remove UserResource.replaceUser() method

This REST endpoint is not used internally, nor is it exposed via the PKI
CLI interface. It is accessible however using curl, with strange
results, so it is probably safest to simply remove this method.
- - - - -
8a137b51 by Chris Kelley at 2021-09-01T21:23:49+01:00
Update API-changes doc after UserService.replaceUser() removal
- - - - -
03fdf6bc by Dino at 2021-09-01T14:31:53-06:00
Return an ACME badSignatureAlgorithm response instead of Unsupported JWS algorithm exception

- - - - -
2c2876a5 by Chris Kelley at 2021-09-02T16:59:35+01:00
Make JSON the default message format in PKIService
- - - - -
18405361 by Chris Kelley at 2021-09-03T11:00:08+01:00
Update version number to 11.0.0-beta1

- - - - -
9cd75761 by Chris Kelley at 2021-09-03T11:18:19+01:00
Update version number to 11.0.0-beta1

- - - - -
37e4ad05 by Chris Kelley at 2021-09-03T11:21:58+01:00
Update _phase to -beta1

- - - - -
0c463036 by Chris Kelley at 2021-09-06T11:16:29+01:00
Simplify getSW{1,2}() methods in APDUResponse

These complicated if-else blocks contain 3 return statements, two of
which are the same. It can be drastically simplified by using the
ternary operator and taking advantage of the short-circuit evaluation of
the || operator to reduce to a one-liner.
- - - - -
e82b196e by Chris Kelley at 2021-09-07T14:38:36+01:00
Simplify boolean expressions in ArgBlock

Remove redundant boolean literal comparisons
Invert if (!exp) to if (exp) for readability
Use ternary operator where possible
Remove unnecessary else clauses
- - - - -
e9e9b353 by Chris Kelley at 2021-09-07T14:44:57+01:00
Tidy up logical expressions in CAService

Remove redundant boolean literal comparisons
Invert if (!exp) to if (exp) for readability
Use ternary operator where possible
Remove unnecessary else clauses

- - - - -
1a7e9b49 by jmagne at 2021-09-16T15:48:37-07:00
Fix Bug 2001576 - pki instance creation fails for IPA server in FIPS mode (RHEL-8.5) (#3742)

It looks like this is an issue in FIPS mode because when we restart the subsystem, there is a pki command
that runs before the server runs. In order for this command to succeed, we must alter the python script that
runs pki commands to add the following switch to turn off fips mode in java: "-Dcom.redhat.fips=false".

This allows the JSS proivder to be selected instead of a differnt one which doesn't work for us, when we are in
fips mode.
- - - - -
04344b2f by Endi S. Dewata at 2021-09-22T15:30:26-05:00
Disable CI caching

The actions/cache has been replaced with upload/download-artifact
since it's causing problems.

- - - - -
4afe6c7b by Endi S. Dewata at 2021-09-22T15:30:30-05:00
Remove unused RESTEASY_ATOM_PROVIDER_JAR

- - - - -
fa5dc71f by Endi S. Dewata at 2021-09-22T18:30:33-05:00
Clean up comments

- - - - -
af60791a by Endi S. Dewata at 2021-09-22T22:09:41-05:00
Drop glassfish-jaxb-api dependency

- - - - -
115778bf by Jack Magne at 2021-09-23T14:24:31-04:00
Fix Bug 2001576 - pki instance creation fails for IPA server in FIPS mode (RHEL-8.5).
Additional fix to this issue to account for our standalone java tools.

- - - - -
077c137c by Endi S. Dewata at 2021-09-24T13:17:10-05:00
Drop NSSCryptoProvider

The pki.crypto.NSSCryptoProvider has been removed since
python-nss is no longer supported.

The unused pki.crypto.CKM_DES3_CBC_PAD has been removed
as well.

- - - - -
df9b4a2c by Chris Kelley at 2021-09-27T17:14:24+01:00
Don't check for null when using instanceof in TokenService

instanceof returns false if the object to be compared is null so
explicitly checking for null is unnecessary.
- - - - -
7df059bb by Chris Kelley at 2021-09-27T17:42:26+01:00
Remove boolean literals from logical expressions

They're not necessary and make code harder to read/increase probability
of mistakes.
- - - - -
81bb4474 by Christina Fu at 2021-09-29T13:39:22-07:00
Bug1984431- pkispawn:SEC_ERROR_ADDING_CERT for KRA admin cert

The issue reported in Bug1984431 was with pkispawn two-step installation
for KRA where if pki_import_admin_cert is specified in the pkispawn config
file, installation would fail with the following error:
  INFO: Importing admin certificate into /opt/topology-cc-KRA/kra/alias
  DEBUG: Command: certutil -A -d /opt/topology-cc-KRA/kra/alias -f /opt/topology-cc-KRA/kra/password.conf -n PKI KRA Administrator for Example.Org -a -i /opt/topology-cc-KRA/kra_admin.cert -t ,,
  certutil: could not add certificate to token or database: SEC_ERROR_ADDING_CERT: Error adding certificate to database.
  CalledProcessError: Command '['certutil', '-A', '-d', '/opt/topology-cc-KRA/kra/alias', '-f', '/opt/topology-cc-KRA/kra/password.conf', '-n', 'PKI KRA Administrator for Example.Org', '-a', '-i', '/opt/topology-cc-KRA/kra_admin.cert', '-t', ',,']' returned non-zero exit status 255.

My investigation reveals the following:
The code didn't put into account that the KRA admin cert was already being
manually issued (after pkispawn step 1) and imported into the kra admin nssdb.
It errornously generates a 2nd CSR and sent directly to the CA and received
a new cert.  It was at the time when it attempts to import the 2nd admin cert,
using the same nickname where certutil blows up and breaks the installation.

While it was observed that if it were the exact same cert, certutil would
function without issue, but this is a different cert.  Also, the format of
the 2nd csr is not CMC, which is the requirement that's breached.

This patch detects the "step 2" status of a non-CA and skips over the
re-generation of the 2nd csr for KRA admin.

My test of the patch is able to get past the reported SEC_ERROR_ADDING_CERT issue.

fixes https://bugzilla.redhat.com/show_bug.cgi?id=1984431

- - - - -
2cec6775 by Christina Fu at 2021-09-29T13:50:49-07:00
Bug1984431-issue2-missing system certs in config

This fixes the 2nd issue with regards to failed KRA (or non-ca) two-step
installation with HSM, where system certs are missing from CS.cfg:
  <subsystem type>.<cert id>.cert=
e.g. kra.transport.cert=

The issue was due to missing token name when nssdb.get_cert is called
inside def update_system_cert, causing certutil -L in nssdb.get_cert to
silently return nothing for each cert on the HSM.

fixes https://bugzilla.redhat.com/show_bug.cgi?id=1984431

- - - - -
dd7ac58c by Christina Fu at 2021-09-29T14:11:07-07:00
Bug2000184-hsm CMC shared Secret failed unwrap

With the latest nCipher firmware version (> v.12.60) in FIPS mode,
CMC Shared Secret authentication would fail since the HSM does not
allow the default issuance protection cert (CA subsystme cert) keys
to do unwrap (Application error: Key 0x000004FA doesn't allow decrypt).

To overcome the issue, the issuance protection cert needs to be replaced
with one that has such capability.  The tool 'certutil' came to mind as
it advertised the '--keyOpFlagsOn opflags' option. However, my experiment
has shown that certutil has trouble processing the one of the needed opflag
 "sign_recover"  ("Unknown flag (recover)")

This patch modifies PKCS10Client so that a new option '-w' is added to
allow for generation of an RSA key pair (thus CSR) which is capable of
handling wrapping/unwrapping on the aformentioned hsm version.

The steps to issue a new CA issuance protection cert involves the following:

A. generate a CSR:
  e.g. PKCS10Client -d /var/lib/pki/<ca instance>/alias -h hsm-module -a rsa -l 2048 -n "CN=CA issuanceProt cert" -w -v -o ca-issuanceProt-cfu.csr.b64

B. create a CMCRequest cfg file to be signed by a CA agent (instruction
can be found in doc;

C. Use HttpClient to submit the cmc request to the CA using caCMCcaIssuanceProtectionCert

D. Use CMCResponse with -v to print out certs in the chain (pick Cert:0) in b64 encoding; then save the b64 of the cert into a file (e.g. caIssuanceProt.cert)
Be sure to add the "brackets" above and below the b64 blob:
-----BEGIN CERTIFICATE-----
 cert b64 blob
-----END CERTIFICATE-----

E. stop the CA

F. import the cert in caIssuanceProt.cert into both the hsm that the CA uses
and the nssdb where the CA agent will be generating the cmc shared secret..
Assume CA agent nssdb has been set up with the proper CA cert trust and
agent (bootstrap admin user by default) cert:
  * certutil -d /var/lib/pki/<ca instance>/alias -h <hsm module> -A -t "u,u,u" -n "issuanceProt-091521b.cert" -i caIssuanceProt.cert
  * certutil -d <agent nssdb dir> -A -t ",," -n "issuanceProt-091521b.cert" -i caIssuanceProt.cert

G. edit CA CS.cfg by adding (or modirying, if it exists):
ca.cert.issuance_protection.nickname=<hsm module>:<issuance protection cert nickname>
e.g.
  ca.cert.issuance_protection.nickname=myHSM:issuanceProt-091521b.cert
While in there, add the following as well:
  keyWrap.useOAEP=true
And setup cmc Shared Secret authentication
e.g. (for better security, set up secure ldap)
  auths.instance.SharedToken.dnpattern=
  auths.instance.SharedToken.ldap.basedn=ou=People,dc=sjc,dc=redhat,dc=com
  auths.instance.SharedToken.ldap.ldapauth.authtype=BasicAuth
  auths.instance.SharedToken.ldap.ldapauth.bindDN=cn=Directory Manager
  auths.instance.SharedToken.ldap.ldapauth.bindPWPrompt=Rule SharedToken
  auths.instance.SharedToken.ldap.ldapauth.clientCertNickname=
  auths.instance.SharedToken.ldap.ldapconn.host=test.example.com
  auths.instance.SharedToken.ldap.ldapconn.port=389
  auths.instance.SharedToken.ldap.ldapconn.secureConn=false
  auths.instance.SharedToken.ldap.ldapconn.version=3
  auths.instance.SharedToken.ldap.maxConns=
  auths.instance.SharedToken.ldap.minConns=
  auths.instance.SharedToken.ldapByteAttributes=
  auths.instance.SharedToken.ldapStringAttributes=
  auths.instance.SharedToken.pluginName=SharedToken
  auths.instance.SharedToken.shrTokAttr=shrTok

G. start CA

After this, you'll need to rerun CMCSharedToken to regenerate the shared secret,
and then modify the "shrTok" value of the user entry if
it contains another value generated using the previous issuanceProt cert
(default is CA's subsystem cert, which doesn't work with the aformentioned
 hsm version)

Finally, in the case of CRMF requests, where KRA is involved, please note
that if the 2-step procedure is followed to install KRA, at copmletion
add the DRM (KRA) transport cert to each CA and KRA's CS.cfg files.
e.g.
CA's CS.cfg:
  ca.connector.KRA.transportCert=MIIEbjCC...kw==

KRA's CS.cfg:
  kra.transport.cert=MIIEIjCCA...kw==
and while in there, add the following:
  keyWrap.useOAEP=true
  kra.legacyPKCS12=false
  kra.nonLegacyAlg=AES/None/PKCS5Padding/Kwp/256

Restart both CA and KRA after configuration changes.

Fixes https://bugzilla.redhat.com/show_bug.cgi?id=2000184

- - - - -
6350bc1c by Christina Fu at 2021-09-29T14:11:30-07:00
Bug1984431-issue3-pkispawn-kra-wrapKeys-v10.11

The main issue this patch fixes is to replace the certutil tool with
PKCS10Client so that keys with proper capabilities can be generated
for the CSR so that they can be used for KRA key storage and transport
cert to perform key wrapping/unwrapping with the latest hsm in fips mode.
This change also includes adding a new '-P' option for PKCS10Client
to accept a password file.

Additionally, it also addresses some other misc issues such as missing
token in calls to do cert validation (causing certs on hsm not being
verified), as well as adding more debug messages.

As the fix focuses mainly on getting KRA to install and function in
two steps in fips mode with HSM, other subsystems such as OCSP, TPS,
 and TKS are out of scope and could possibly need additional work to
install and function in the same environment.

fixes https://bugzilla.redhat.com/show_bug.cgi?id=1984431

- - - - -
dd627b30 by Endi S. Dewata at 2021-09-29T16:37:50-05:00
Clean up CI scripts

- - - - -
7bd67c3b by Endi S. Dewata at 2021-09-29T17:31:14-05:00
Fix flake8 errors

- - - - -
cda0d54d by Chris Kelley at 2021-09-30T11:35:55+01:00
Get config store from Engine not subsystem engine in TPSProcessor

This fixes the outstanding issue where various config is erroneously
prefixed with TPS

Resolves #1960743

- - - - -
e8660ffe by Endi S. Dewata at 2021-09-30T20:09:28-05:00
Update version number to 11.0.0

- - - - -


30 changed files:

- .classpath
- .github/workflows/acme-tests.yml
- .github/workflows/ca-tests.yml
- .github/workflows/ipa-tests.yml
- .github/workflows/kra-tests.yml
- .github/workflows/ocsp-tests.yml
- .github/workflows/python-tests.yml
- .github/workflows/qe-tests.yml
- .github/workflows/tks-tests.yml
- .github/workflows/tools-tests.yml
- .github/workflows/tps-tests.yml
- + .gitlab-ci.yml
- CMakeLists.txt
- CONTRIBUTING.md
- Dockerfile
- README.md
- base/CMakeLists.txt
- base/acme/CMakeLists.txt
- base/acme/Dockerfile
- base/acme/src/main/java/org/dogtagpki/acme/database/ACMEDatabaseConfig.java
- base/acme/src/main/java/org/dogtagpki/acme/database/InMemoryDatabase.java
- base/acme/src/main/java/org/dogtagpki/acme/database/LDAPConfigMonitor.java
- base/acme/src/main/java/org/dogtagpki/acme/database/LDAPDatabase.java
- base/acme/src/main/java/org/dogtagpki/acme/database/PostgreSQLConfigMonitor.java
- base/acme/src/main/java/org/dogtagpki/acme/database/PostgreSQLDatabase.java
- base/acme/src/main/java/org/dogtagpki/acme/issuer/ACMEIssuerConfig.java
- base/acme/src/main/java/org/dogtagpki/acme/issuer/NSSIssuer.java
- base/acme/src/main/java/org/dogtagpki/acme/issuer/PKIIssuer.java
- base/acme/src/main/java/org/dogtagpki/acme/realm/ACMERealmConfig.java
- base/acme/src/main/java/org/dogtagpki/acme/realm/InMemoryRealm.java


The diff was not included because it is too large.


View it on GitLab: https://salsa.debian.org/freeipa-team/dogtag-pki/-/compare/9ecbea99affda2b6256237a81be7fc6d954b3e52...e8660ffea9a73d81a0627387691f255a20f585a7

-- 
View it on GitLab: https://salsa.debian.org/freeipa-team/dogtag-pki/-/compare/9ecbea99affda2b6256237a81be7fc6d954b3e52...e8660ffea9a73d81a0627387691f255a20f585a7
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-freeipa-devel/attachments/20211019/6ee76c9a/attachment-0001.htm>


More information about the Pkg-freeipa-devel mailing list