[Pkg-freeipa-devel] [Git][freeipa-team/dogtag-pki][upstream-next] 1437 commits: Update version to 11.2.0-0.4.beta3

Timo Aaltonen (@tjaalton) gitlab at salsa.debian.org
Thu Aug 10 09:11:01 BST 2023



Timo Aaltonen pushed to branch upstream-next at FreeIPA packaging / dogtag-pki


Commits:
6eea322f by Chris Kelley at 2022-05-06T14:05:46+01:00
Update version to 11.2.0-0.4.beta3

- - - - -
567b9616 by Chris Kelley at 2022-05-06T16:14:10+01:00
Clean up ConfigurationTest

* Remove unused method parameters and not-thrown exceptions
* The pin, port and subsystem type options are therefore not used, so
are removed also
* Remove unused variables
* Use switch expression
- - - - -
b26d94d1 by Jack Magne at 2022-05-06T17:43:10-07:00
 Bug 2017514 - Directory authentication plugin requires directory admin password just for user authentication (rhcs-11.0)

    Co-authored-by: Andrew Wnuk <awnuk at purestorage.com>

    Current directory authentication plugin works in two steps:

        it verifies ability to connect to the directory

        it retrieves password from user entry to compare it against password provided by user during enrollment

    Unfortunately in both steps, the directory authentication plugin is using directory admin password.
    It is also not the best security wise solution to retrieve a user's password just for comparison.

    If you would like to preserve two steps approach, then it would be better to

        anonymously access RootDSE in directory (to verify ability to connect to the directory or ignore this step)

        verify if plugin can authenticate as a user, with credential provided during the enrollment (additionally plugin could check user's membership attribute or specified attribute)

    This way you could avoid storing (in CS.cfg) and using directory admin credentials and retrieving user credentials.

    This fix accomplishes the above. Ported to the v10.12 branch.

- - - - -
a0ee9bf2 by Chris Kelley at 2022-05-09T14:45:16+01:00
Clean up UserPwdDirAuthentication

* Remove unnecessary semicolon, imports and casts
- - - - -
ca52102d by Endi S. Dewata at 2022-05-10T11:42:48-05:00
Fix COPR build failure

The .copr/Makefile has been updated to fix COPR build failure
caused by changes in Git 2.35.2:
fatal: unsafe repository (<current dir> is owned by someone else)

https://stackoverflow.com/questions/71901632/fatal-unsafe-repository-home-repon-is-owned-by-someone-else

- - - - -
ba2f22a2 by Chris Kelley at 2022-05-10T22:02:48+01:00
Tidy up in RequestProcessor

* Remove count variable from updateValues() which doesn't get used
* Remove un-thrown exceptions.
- - - - -
dc9103df by Chris Kelley at 2022-05-11T17:43:10+01:00
Tidy up CAAdminServlet

* Remove un-thrown exceptions
* Simplify if-else statements that return Boolean literals
* Access static fields in a static manner
* Remove unused HttpServletRequest parameters
- - - - -
4ffd5924 by Endi S. Dewata at 2022-05-11T20:38:27-05:00
Update version number to 11.3.0-alpha1

- - - - -
160f7442 by Endi S. Dewata at 2022-05-12T12:18:43-05:00
Add issuer param for NSSDatabase.__create_cert()

- - - - -
00c5901a by Endi S. Dewata at 2022-05-16T15:51:23+01:00
Update NSSDatabase.__create_cert()

The NSSDatabase.__create_cert() has been updated to create
a temporary file to store the cert extension config.

- - - - -
a2f54c20 by Endi S. Dewata at 2022-05-17T15:10:24+01:00
Add NSSDatabase.__create_basic_constraints_ext()

The code that creates the basic constraints extension config has
been moved into NSSDatabase.__create_basic_constraints_ext() such
that it can be reused by __create_cert().

- - - - -
4b17b765 by Endi S. Dewata at 2022-05-17T15:10:24+01:00
Add NSSDatabase.__create_key_usage_ext()

The code that creates the key usage extension config has been
moved into NSSDatabase.__create_key_usage_ext() such that it can
be reused by __create_cert().

- - - - -
b304b432 by Endi S. Dewata at 2022-05-17T15:10:24+01:00
Add NSSDatabase.__create_extended_key_usage_ext()

The code that creates the extended key usage extension config has
been moved into NSSDatabase.__create_extended_key_usage_ext() such
that it can be reused by __create_cert().

- - - - -
02e31915 by Endi S. Dewata at 2022-05-17T15:10:24+01:00
Add NSSDatabase.__create_ski_ext()

The code that generates the subject key ID extension config has
been moved into NSSDatabase.__create_ski_ext() such that it can
be reused by __create_cert().

- - - - -
920b14b7 by Endi S. Dewata at 2022-05-18T15:35:23+01:00
Add NSSDatabase.__create_aki_ext()

The NSSDatabase.__create_aki_ext() has been added to generate
the authority key ID extension config for __create_cert().

- - - - -
2c58baeb by Endi S. Dewata at 2022-05-18T15:35:23+01:00
Add NSSDatabase.__create_aia_ext()

The NSSDatabase.__create_aia_ext() has been added to generate the
authority info access extension config for __create_cert().

- - - - -
bb8be414 by Endi S. Dewata at 2022-05-18T15:35:23+01:00
Update PKISubsystem.temp_cert_create()

The PKISubsystem.temp_cert_create() has been modified to use JSS
(i.e. pki nss-cert-create) instead of NSS (i.e. certutil) to
generate a temporary SSL server cert since certutil is unable to
handle large serial numbers.

Resolves: https://github.com/dogtagpki/pki/issues/3996

- - - - -
19ce4b5e by Endi S. Dewata at 2022-05-18T18:47:16+01:00
Fix installation with RSA/PSS

The pki ca-cert-import and pki nss-cert-import CLIs have been
modified to parse the cert data after initializing JSS to ensure
that it works with RSA/PSS.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2083575

- - - - -
77242c8f by Endi S. Dewata at 2022-05-18T18:47:16+01:00
Add test for installing CA with RSA/PSS

- - - - -
1d4f51f4 by Endi S. Dewata at 2022-05-18T18:47:16+01:00
Add doc for installing CA with RSA/PSS

- - - - -
13e60878 by Chris Kelley at 2022-05-19T12:17:58+01:00
Add missing @Override annotations
- - - - -
6985bb12 by Chris Kelley at 2022-05-24T12:57:38+01:00
Simplify logic on RequestTransfer and RollingLogFile

* Don't return Boolean literals
* Remove unnecessary else clause
- - - - -
1ca4e256 by Chris Kelley at 2022-05-26T14:15:37+01:00
Set deactivateDefaultTyping() on JSONSerializer ObjectMapper objects

With this setting activated it is possible for bad actors to create
objects not of the type clazz - e.g. a class that extends clazz - which
could introduce malicious code into the application. Explicitly
disabling it guarantees that only an object of type clazz can be
produced.

The remaining ObjectMapper objects in the code should me migrated to use
this class.

Also throw the more specific JsonProcessingException instead of
Exception.
- - - - -
70f08778 by Marco Fargetta at 2022-06-07T12:18:45+02:00
Add SonarCloud analysis action (#4013)

* Add SonarCloud analysis action

* Make cache key a parameter
- - - - -
82008840 by Endi S. Dewata at 2022-06-07T14:36:46+01:00
Update OCSP test

The latest OpenSSL OCSP client generates additional error
messages when it talks to an OCSP responder that does not
have any CRLs. The OCSP test has been updated to expect the
extra messages.

- - - - -
8318ff9d by Endi S. Dewata at 2022-06-07T19:37:28+01:00
Fix pki ca-cert-request-unassign

The pki ca-cert-request-unassign command is supposed to remove
the owner of a cert request. Previously the server would call
the RequestProcessor.processRequest() to set the request owner
attribute to an empty string. However, this value would violate
the LDAP schema so the command failed. The code has been fixed
to set the owner to null instead such that the attribute will
be removed from LDAP.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1858702

- - - - -
d55aad6d by Chris Kelley at 2022-06-08T13:47:24+01:00
Make AuthenticatorData implement JSONSerializer

There is a common utility interface for this, so use it.
- - - - -
5db76dc9 by Chris Kelley at 2022-06-08T13:47:47+01:00
Make TokenData implement JSONSerializer

There is a common utility interface for this, so use it.
- - - - -
f7c831e3 by Endi S. Dewata at 2022-06-08T14:00:25+01:00
Fix pki-lint script

Previously the pki-lint script relied on sysconfig.get_path()
to get the RPM installation path of PKI module. In Fedora 36
the method no longer returns the RPM installation path so the
Python test has failed.

To fix the problem the pki-lint script has been modified to
go through sys.path entries to find the PKI module installed
on the system.

https://docs.fedoraproject.org/en-US/fedora/f36/release-notes/developers/Development_Python/

- - - - -
24a0f68b by Endi S. Dewata at 2022-06-08T14:38:36+01:00
Update OpenLDAP clients to use -H option

The latest OpenLDAP clients no longer have the -h option so the
the docs and tests have been updated to use the -H option instead.

- - - - -
a30f1b99 by Endi S. Dewata at 2022-06-08T15:18:00+01:00
Remove unused SystemConfigService subclasses

- - - - -
b8b11e07 by Endi S. Dewata at 2022-06-08T15:18:00+01:00
Remove unused CMSEngine.createConfigurator()

- - - - -
92f787ee by Endi S. Dewata at 2022-06-08T15:18:00+01:00
Remove unused Configurator subclasses

- - - - -
04379e99 by Endi S. Dewata at 2022-06-08T15:18:00+01:00
Remove unused Configurator constants

- - - - -
a658e135 by Endi S. Dewata at 2022-06-08T20:45:44+01:00
Remove unused NSSDatabase.create_self_signed_ca_cert()

- - - - -
37560131 by Endi S. Dewata at 2022-06-08T20:45:44+01:00
Update log messages in CACertRequestSubmitCLI

- - - - -
86a9d285 by Endi S. Dewata at 2022-06-08T20:46:22+01:00
Update log messages in UGSubsystem

- - - - -
d1d5f2be by Endi S. Dewata at 2022-06-09T14:08:29+01:00
Fix pylint warnings in pki module

- - - - -
95262918 by Endi S. Dewata at 2022-06-09T14:08:29+01:00
Fix pylint warnings in pki.cli.pkcs12 module

- - - - -
29a9a8cd by Endi S. Dewata at 2022-06-09T14:08:29+01:00
Fix pylint warnings in pki.nssdb module

- - - - -
a3528366 by Endi S. Dewata at 2022-06-09T14:08:29+01:00
Fix pylint warnings in pki.pkcs12 module

- - - - -
a8fe9f4f by Endi S. Dewata at 2022-06-09T14:08:29+01:00
Fix pylint warnings in pki.profile module

- - - - -
87d07c02 by Endi S. Dewata at 2022-06-09T14:08:29+01:00
Fix pylint warnings in pki.server module

- - - - -
ee77d9d8 by Endi S. Dewata at 2022-06-09T14:08:29+01:00
Fix pylint warnings in pki.server.cli.audit module

- - - - -
4f95ffc9 by Endi S. Dewata at 2022-06-09T14:08:29+01:00
Fix pylint warnings in pki.server.cli.banner module

- - - - -
21b0f688 by Endi S. Dewata at 2022-06-09T14:08:29+01:00
Fix pylint warnings in pki.server.cli.cert module

- - - - -
1b266888 by Endi S. Dewata at 2022-06-09T14:08:29+01:00
Fix pylint warnings in pki.server.cli.nss module

- - - - -
fd8e5f02 by Endi S. Dewata at 2022-06-09T14:08:29+01:00
Fix pylint warnings in pki.server.cli.nuxwdog module

- - - - -
6af42a75 by Endi S. Dewata at 2022-06-09T14:08:29+01:00
Fix pylint warnings in pki.server.cli.subsystem module

- - - - -
e082a530 by Endi S. Dewata at 2022-06-09T14:08:29+01:00
Fix pylint warnings in pki.server.deployment module

- - - - -
70e75f40 by Endi S. Dewata at 2022-06-09T14:08:29+01:00
Fix pylint warnings in pki.server.deployment.pkihelper module

- - - - -
13368b9b by Endi S. Dewata at 2022-06-09T14:08:29+01:00
Fix pylint warnings in pki.server.deployment.pkimanifest module

- - - - -
673932a5 by Endi S. Dewata at 2022-06-09T14:08:29+01:00
Fix pylint warnings in pki.server.deployment.pkiparser module

- - - - -
ce18f87d by Endi S. Dewata at 2022-06-09T14:08:29+01:00
Fix pylint warnings in pki.server.deployment.scriptlets module

- - - - -
2ced95b1 by Endi S. Dewata at 2022-06-09T14:08:29+01:00
Fix pylint warnings in pki.server.instance module

- - - - -
c96e02c2 by Endi S. Dewata at 2022-06-09T14:08:29+01:00
Fix pylint warnings in pki.server.pkidestroy module

- - - - -
80a7591f by Endi S. Dewata at 2022-06-09T14:08:29+01:00
Fix pylint warnings in pki.server.subsystem module

- - - - -
45a601d1 by Endi S. Dewata at 2022-06-09T14:08:29+01:00
Fix pylint warnings in pki.upgrade module

- - - - -
dee60f0b by Endi S. Dewata at 2022-06-09T14:08:29+01:00
Fix pylint warnings in pki.util module

- - - - -
1857aab9 by Endi S. Dewata at 2022-06-09T14:08:29+01:00
Fix pylint warnings in upgrade scripts

- - - - -
57b06351 by Chris Kelley at 2022-06-09T14:54:40+01:00
Make remaining classes with to/fromJSON methods implement JSONSerializer
- - - - -
2e541722 by Chris Kelley at 2022-06-09T15:40:26+01:00
Fix serial type in nss-cert-issue request in nssdb.py

The command expects a str input but we were providing numerical input.
We didn't notice before as this code path had no coverage but now we use
JSS instead of NSS for issuing temporary certs we now have coverage of
this method, unearthing this issue.
- - - - -
47b3affc by Chris Kelley at 2022-06-09T15:52:04+01:00
Replace raw use of ObjectMapper with JSONObject

Ensures consistency of mapped JSON objects
- - - - -
2056910d by Endi S. Dewata at 2022-06-10T18:16:07+01:00
Fix incorrect Obsoletes: for symkey

- - - - -
3659ef28 by Endi S. Dewata at 2022-06-10T18:43:57+01:00
Move CTest into %build stage

- - - - -
749e3821 by Endi S. Dewata at 2022-06-10T18:44:01+01:00
Update CMake NSS_DEFAULT_DB_TYPE

The CMake NSS_DEFAULT_DB_TYPE variable has been changed into
"sql" by default so it's no longer necessary to specify it
in pki.spec.

- - - - -
e1eb44a9 by Endi S. Dewata at 2022-06-10T18:44:01+01:00
Update CMake VERSION variable

Previously the CMake VERSION variable contained both the version
and the release numbers. For clarity the version and the release
numbers are now stored in separate variables, and the combined
numbers are now stored in IMPL_VERSION variable.

- - - - -
4e893243 by Chris Kelley at 2022-06-10T23:36:35+01:00
Disable access to external entities when parsing XML

This reduces the vulnerability of XML parsers to XXE (XML external
entity) injection.

The best way to prevent XXE is to stop using XML altogether, which we do
plan to do. Until that happens I consider it worthwhile to tighten the
security here though.
- - - - -
4a88cdd4 by Chris Kelley at 2022-06-13T13:57:24+01:00
Remove redundant type specification
- - - - -
6bc4706b by Endi S. Dewata at 2022-06-13T15:36:39+01:00
Replace %package_option macro

Previously the %package_option macro was used to include
packages into the build or exclude them from the build
depending on whether the build.sh was called using
--with-pkgs or --without-pkgs param. The problem is the
code has become complicated and difficult to maintain.

To simplify the code the macro has been replaced with a
simple %bcond_without, then the build.sh will convert it
into %bcond_with if the package is excluded.

- - - - -
0a5e1866 by Endi S. Dewata at 2022-06-15T08:05:16-05:00
Update build.sh

The build.sh has been updated to parse the spec file using
regular expressions to get the version and release numbers
instead of relying on rpmspec which may not be available on
all platforms.

- - - - -
be72be09 by Endi S. Dewata at 2022-06-15T08:31:39-05:00
Update IPA test

The IPA test has been updated to check the certs for DS, PKI,
and HTTPD.

- - - - -
4a18916d by Endi S. Dewata at 2022-06-15T18:06:52-05:00
Fix incorrect install() commands

- - - - -
a755b94b by Endi S. Dewata at 2022-06-15T18:58:25-05:00
Update pki-healthcheck install dirs

Previously pki-healthcheck script and library were installed by
the setup.py into locations which might not match BIN_INSTALL_DIR
or PYTHON3_SITE_PACKAGES depending on the environment.

To avoid the problem the install dirs have been changed into fixed
locations under CMAKE_CURRENT_BINARY_DIR.

- - - - -
b5c89218 by Endi S. Dewata at 2022-06-16T09:03:15-05:00
Update log messages in AuthInfoAccessExtDefault

- - - - -
9543d4bc by Chris Kelley at 2022-06-16T17:59:03+01:00
Fix incorrect record parsing in EnrollDefault

Some refactoring to improve the code caused a regression.
The original code is restored, with the exception of the unnecessary else clause.

- - - - -
a1c58a83 by Marco Fargetta at 2022-06-16T22:46:16+02:00
Split SonarCloud in two workflows (#4025)

* Split SonarCloud in two workflow

The pull request fork run in a separate workflow triggered by the main
solarcloud workflow.

NOTE: additional tests for pull requests to secondary branch should be
done but these are less frequent

* Move the build for PR forks to the run workflow

* Fix dependencies problems
- - - - -
599a9099 by Endi S. Dewata at 2022-06-16T16:32:04-05:00
Move com.netscape.cms.crl to pki-ca

- - - - -
bb0620f1 by Endi S. Dewata at 2022-06-16T16:32:04-05:00
Move ICMSCRLExtension and ICMSCRLExtensions to pki-ca

- - - - -
db97bbf2 by Endi S. Dewata at 2022-06-16T16:32:04-05:00
Convert IConnector into Connector class

- - - - -
204fef64 by Endi S. Dewata at 2022-06-16T16:32:04-05:00
Merge IHttpConnection into HttpConnection

- - - - -
be041296 by Endi S. Dewata at 2022-06-16T16:32:04-05:00
Merge IKeyRepository into KeyRepository

- - - - -
1cd939a2 by Endi S. Dewata at 2022-06-16T17:05:23-05:00
Merge IKeyRecordList into KeyRecordList

- - - - -
6e77f2d4 by Endi S. Dewata at 2022-06-16T17:05:23-05:00
Merge IKeyRecord into KeyRecord

- - - - -
1a63c0b0 by Endi S. Dewata at 2022-06-16T17:05:23-05:00
Merge IRepository into Repository

- - - - -
877e8461 by Endi S. Dewata at 2022-06-16T17:05:23-05:00
Merge IRepositoryRecord into RepositoryRecord

- - - - -
fb8670ca by Endi S. Dewata at 2022-06-16T18:50:44-05:00
Move FlatFileAuth to pki-ca

- - - - -
b7b10fa9 by Endi S. Dewata at 2022-06-16T19:16:08-05:00
Move constants from EnrollProfile to Profile

- - - - -
86f1c9d7 by Endi S. Dewata at 2022-06-16T19:19:49-05:00
Move EnrollProfile to pki-ca

- - - - -
47b506a9 by Endi S. Dewata at 2022-06-16T19:19:49-05:00
Move EnrollInput to pki-ca

- - - - -
5a676925 by Endi S. Dewata at 2022-06-16T19:19:49-05:00
Move EnrollOutput to pki-ca

- - - - -
a937d9ea by Endi S. Dewata at 2022-06-16T19:22:50-05:00
Move SubsystemGroupUpdater to pki-ca

- - - - -
658a292c by Endi S. Dewata at 2022-06-16T20:16:29-05:00
Merge IProofOfArchival into ProofOfArchival

- - - - -
961ef6f0 by Endi S. Dewata at 2022-06-16T20:24:24-05:00
Update TempCRLIssuingPointRecord hierarchy

- - - - -
66343a38 by Endi S. Dewata at 2022-06-16T20:39:38-05:00
Merge ICRLIssuingPointRecord into CRLIssuingPointRecord

- - - - -
83a1f769 by Endi S. Dewata at 2022-06-17T09:47:29-05:00
Refactor CAInstallerService.createCert()

Previously the CAInstallerService.createCert() would get the
request type and CSR from the REST API parameters. Since these
values are actually already stored in the request record in the
CA database, the code has been modified to get the values from
the database instead.

- - - - -
88111547 by Endi S. Dewata at 2022-06-17T09:47:29-05:00
Remove unused fields in SystemCertData

- - - - -
2fd97a24 by ckelleyRH at 2022-06-17T15:47:32+01:00
Add SonarCloud badge to README.md
- - - - -
b9d64edd by Endi S. Dewata at 2022-06-17T12:07:20-05:00
Update pki.spec and build.sh

The pki.spec has been modified to call build.sh, and the
build.sh has been modified to call CMake. This way build.sh
should work on platforms that do not support RPM, and later
on it would be easier to replace CMake with Maven.

- - - - -
16cfccae by Endi S. Dewata at 2022-06-20T09:10:19-05:00
Update docs

The docs have been updated to reflect the latest changes.

- - - - -
28fabe09 by Endi S. Dewata at 2022-06-20T09:11:03-05:00
Add Azure pipeline

An Azure pipeline has been added to build and install PKI
on Fedora without RPM. In the future the pipeline will be
expanded to test PKI operations and to run on other
platforms as well.

- - - - -
6fdf8dc7 by Endi S. Dewata at 2022-06-20T11:42:48-05:00
Clean up ConfigurationTest

Most of the code in ConfigurationTest has been removed since
it doesn't actually perform an installation/configuration test.

The remaining code that generates a CRMF request is left intact
for future investigation. It might be possible to use the code
in some tools.

- - - - -
05e590be by Chris Kelley at 2022-06-21T13:20:41+01:00
Remove legacy acceptance tests
- - - - -
53cd7acc by Chris Kelley at 2022-06-21T13:23:30+01:00
Remove unnecessary casts
- - - - -
46c57840 by Endi S. Dewata at 2022-06-21T09:19:27-05:00
Add build.sh --product-name, --product-id, and --theme options

New build options have been added to customize product name,
product ID, and theme.

- - - - -
990c14d5 by Endi S. Dewata at 2022-06-21T09:29:26-05:00
Fix missing SKI in CSR

The NSSCertRequestCLI has been modified to provide a public key
to the NSSExtensionGenerator such that it can be used to generate
an SKI extension for the CSR.

The NSSExtensionGenerator.createExtensions() has been extended
to support CSR (with subject key) and cert (with issuer and
request).

The NSSExtensionGenerator.createSKIDExtension() has been modified
to take a subject key instead of PKCS10 object.

The preop.cert.signing.subject_key_id config param is no longer
needed since the value is only used within the same process (i.e.
pkispawn) so it has been removed.

The CA test has been updated to validate pki_req_ski=DEFAULT. The
support for pki_req_ski=<hex> will be restored separately later.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2099312

- - - - -
35060657 by Endi S. Dewata at 2022-06-21T18:13:23-05:00
Update build and install logs

- - - - -
6c116bf5 by Endi S. Dewata at 2022-06-22T10:35:14-05:00
Troubleshooting improvement for ExternalProcessKeyRetriever

The ExternalProcessKeyRetriever has been updated to provide
more detailed log messages and to perform proper JsonNode
validations of the result to help troubleshooting.

A new constructor has been added to create a JSONObject from
a String.

https://github.com/dogtagpki/pki/issues/4032

- - - - -
1d456ba3 by Endi S. Dewata at 2022-06-23T14:44:34-05:00
Restore support for custom SKI in CSR

The NSSExtensionGenerator.createSKIDExtension() has been updated
to support custom (user-provided) SKI.

The Python code has been updated to transform the hex value from
pki_req_ski into the format required by NSSExtensionGenerator.

The CA test has been updated to use pki_req_ski=<hex>, but for
now the result will need to be validated manually in the CI.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2099312

- - - - -
2466f033 by Endi S. Dewata at 2022-06-24T09:35:46-05:00
Add build.sh --python-exec and --python-dir options

New build.sh options have been added to specify the Python
executable and modules locations.

- - - - -
6b33e65d by Endi S. Dewata at 2022-06-24T09:35:46-05:00
Add test for PKI CLI in Azure pipeline

The Azure pipeline has been updated to perform basic tests
using PKI CLI (which is partially Python) without building an
RPM. However, for this to work the Python module installation
directory needs to be hard-coded due to changes in F36:
https://docs.fedoraproject.org/en-US/fedora/f36/release-notes/developers/Development_Python/

Currently PKI modules are installed into "purelib" directory.
Inside RPM build environment this directory translates into
/usr/lib/python3.10/site-packages which works just fine.

Outside RPM build environment this directory translates into
/usr/local/lib/python3.10/site-packages, but for some reason
Python could not load modules from this directory.

As a workaround the build command was updated to install the
modules into the same directory used in RPM build environment.
Further investigation might be needed to see if there's a
better solution that works consistently in any environment.

- - - - -
84347683 by Endi S. Dewata at 2022-06-24T13:18:43-05:00
Clean up build logs

The build tool has been modified to show deprecation warnings
in verbose mode only.

- - - - -
6088c67c by Endi S. Dewata at 2022-06-24T13:26:36-05:00
Fix anchors in CONTRIBUTING.md

- - - - -
d3356b8d by Endi S. Dewata at 2022-06-24T13:36:39-05:00
Convert IProfileUpdater into ProfileUpdater

- - - - -
11c6942a by Endi S. Dewata at 2022-06-24T13:43:06-05:00
Remove unused Resender.mAuthority

- - - - -
55006f4d by Endi S. Dewata at 2022-06-24T13:43:06-05:00
Remove unused HttpConnFactory.mSource

- - - - -
20fa4330 by Endi S. Dewata at 2022-06-24T13:43:06-05:00
Remove unused HttpConnector.mSource

- - - - -
4f951298 by Endi S. Dewata at 2022-06-24T13:52:42-05:00
Update EnrollProfile.getAuthority() to return CertificateAuthority

- - - - -
e0ed5810 by Endi S. Dewata at 2022-06-24T13:52:45-05:00
Update CAPublisherProcessor.getAuthority() to return CertificateAuthority

- - - - -
6bb027fc by Endi S. Dewata at 2022-06-24T15:53:09-05:00
Remove unused CMSServlet.getRelPath()

- - - - -
78d0c36e by Endi S. Dewata at 2022-06-24T17:49:38-05:00
Fix config class hierarchy

Some config classes have been modified to extend ConfigStore
directly.

- - - - -
0ec49f62 by Endi S. Dewata at 2022-06-27T08:06:28-05:00
Refactor PolicyAdminServlet

Previously the PolicyAdminServlet.init() contained both CA and
KRA-specific code so the class had to be stored in a common
base/server folder and it could only access CA and KRA objects
indirectly through a generic IAuthority interface which made it
difficult to maintain.

The servlet has been split into CAPolicyAdminServlet and
KRAPolicyAdminServlet which are stored in base/ca and base/kra
folders and have their own init() methods. This way the code can
access CA and KRA objects directly using CertificateAuthority
and KeyRecoveryAuthority classes.

The web.xml files have also been updated to use the new classes.

- - - - -
7ac8f660 by Endi S. Dewata at 2022-06-27T12:08:18-05:00
Update log messages in EnrollConstraint and EnrollDefault

- - - - -
32e8e337 by Endi S. Dewata at 2022-06-27T12:38:59-05:00
Refactor Profile.init()

The Profile.init() has been updated to take a PluginRegistry param
to reduce the dependency on CMSEngine.

- - - - -
94799103 by Endi S. Dewata at 2022-06-27T12:45:12-05:00
Add Profile.engineConfig and BootstrapProfile.engineConfig

The Profile and BootstrapProfile have been modified to store the
engine config.

- - - - -
7b9719d2 by Endi S. Dewata at 2022-06-27T12:45:12-05:00
Add PolicyDefault.engineConfig

The PolicyDefault has been modified to store the engine config.
The mConfig in EnrollDefault and NoDefault has been moved into
PolicyDefault as well.

- - - - -
3c137c15 by Endi S. Dewata at 2022-06-27T13:42:37-05:00
Update ProfileUpdater.init()

The ProfileUpdater.init() has been updated to remove the unused
Profile parameter.

- - - - -
6489ca15 by Endi S. Dewata at 2022-06-27T14:59:42-05:00
Update ProfileAuthenticator.init()

The ProfileAuthenticator.init() has been updated to remove the
unused Profile parameter.

- - - - -
dbb7633e by Endi S. Dewata at 2022-06-27T14:59:42-05:00
Move request-related Profile constants to Request

- - - - -
d35d7b2d by Endi S. Dewata at 2022-06-27T14:59:42-05:00
Move Profile classes to pki-ca

- - - - -
14eb3209 by Endi S. Dewata at 2022-06-27T15:14:53-05:00
Replace CMSEngine with CAEngine in pki-ca

- - - - -
366a3f33 by Endi S. Dewata at 2022-06-27T15:15:50-05:00
Replace CMSEngine with KRAEngine in pki-kra

- - - - -
c9d64023 by Endi S. Dewata at 2022-06-28T09:32:43-05:00
Add error message for pki ca-profile-add

The pki ca-profile-add has been modified to display an error
message instead of generating an exception if the input file
does not exist.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2015151

- - - - -
d407224a by Endi S. Dewata at 2022-06-28T09:33:26-05:00
Remove unused CMSStartServlet

In the past the CMSStartServlet was used to start and shut down
the CMSEngine in each PKI subsystem, but that role has actually
been replaced sometime ago by the ServletContextListener in the
CMSEngine itself, so now the servlet can be removed.

The code in CommandQueue.registerProcess() that checks whether
the currentServlet is not an instance of CMSStartServlet has
been removed since it has always been true (the servlet does
not call this method).

- - - - -
733f79d0 by Marco Fargetta at 2022-06-29T17:31:14+02:00
Build a single package (#4043)

* Build a single package

The build option --with-pkgs does not work for sub-systems if not the
server package is specified. This will build the server in case it is
needed although only the rpm for the specified packages are generated.

Fix #4039

* Immprove macro expression on subpackage build

* Remove useless comment

* Move the server package inclusion to cmake
- - - - -
f4416a6a by Endi S. Dewata at 2022-06-30T08:53:25-05:00
Merge SecurityDomainHostService into SecurityDomainService

The SecurityDomainHostService has been merged into
SecurityDomainService to avoid duplicate code errors reported
by SonarCloud.

- - - - -
494d1ff0 by Endi S. Dewata at 2022-06-30T08:53:25-05:00
Refactor security domain services

Previously the CA, KRA, and OCSP subsystems would check the
engine's state/config at startup to see if they needed to
create security domain services. This code created a startup
dependency on the engine object and the service availability
could not be changed without restarting the server.

To avoid these issues the subsystems have been modified to
always create the security domain services using subsystem-
specific subclasses. The code that checks the engine's
config has been moved into these classes so they will be
executed when a request comes in. The code that checks the
engine's state has been removed since it's redundant.

- - - - -
04f87f81 by Marco Fargetta at 2022-06-30T15:58:22+02:00
Override cmake cache (#4045)

Building two subpackages in different runs does not work because cmake
will set the list of packages in the first run and cache it for the
following runs. The patch force to update the list of packages at each run.
- - - - -
8d70edec by Endi S. Dewata at 2022-06-30T11:55:25-05:00
Move CMSServlet.getCertRecord() to GetBySerial

The CMSServlet.getCertRecord() has been moved to GetBySerial
since it's only used by that servlet.

- - - - -
906d548f by Endi S. Dewata at 2022-06-30T12:43:16-05:00
Remove IAuthority.registerPendingListener()

The IAuthority.registerPendingListener() has been replaced with
direct calls to CMSEngine.registerPendingListener().

- - - - -
7881e2e6 by Endi S. Dewata at 2022-06-30T12:43:57-05:00
Remove IAuthority.registerRequestListener()

The IAuthority.registerRequestListener() has been replaced with
direct calls to CMSEngine.registerRequestListener().

- - - - -
a15927a1 by Endi S. Dewata at 2022-06-30T12:44:07-05:00
Remove ICertificateAuthority.getCAService()

The ICertificateAuthority.getCAService() has been replaced with
direct calls to CAEngine.getCAService().

- - - - -
8830e989 by Endi S. Dewata at 2022-06-30T12:44:14-05:00
Remove ICertificateAuthority.getRequestNotifier()

The ICertificateAuthority.getRequestNotifier() has been replaced
with direct calls to CMSEngine.getRequestNotifier().

- - - - -
44e1bf48 by Endi S. Dewata at 2022-06-30T12:44:20-05:00
Remove ICertificateAuthority.getRequestListener()

The ICertificateAuthority.getRequestListener() has been replaced
with direct calls to CMSEngine.getRequestListener().

- - - - -
c8dd9d71 by Endi S. Dewata at 2022-06-30T12:44:25-05:00
Remove ICertificateAuthority.removeRequestListener()

The CertificateAuthority.removeRequestListener() has been
replaced with direct calls to CMSEngine.removeRequestListener().

- - - - -
7a140b89 by Endi S. Dewata at 2022-06-30T12:44:30-05:00
Remove ICertificateAuthority.registerRequestListener()

The ICertificateAuthority.registerRequestListener() has been
replaced by direct calls to CMSEngine.registerRequestListener().

- - - - -
e79cdb8e by Endi S. Dewata at 2022-06-30T12:49:09-05:00
Remove unused methods in CertificateAuthority

- - - - -
030d489e by Endi S. Dewata at 2022-06-30T16:13:58-05:00
Refactor LdapRule.init()

The LdapRule.init() has been modified to take mapper and
publisher instances instead of a PublisherProcessor object.

- - - - -
87f645d1 by Endi S. Dewata at 2022-06-30T16:19:19-05:00
Move some PublisherProcessor constants to LdapRule

The constants in PublisherProcessor that are only used by
LdapRule have been moved to LdapRule.

- - - - -
19711b97 by Endi S. Dewata at 2022-06-30T16:24:50-05:00
Move publishing classes to pki-ca

- - - - -
a47ed00b by Endi S. Dewata at 2022-06-30T16:45:43-05:00
Move com.netscape.cms.publish.publishers to pki-ca

- - - - -
b3d7ae7b by Endi S. Dewata at 2022-06-30T16:45:43-05:00
Move com.netscape.cms.publish.mappers to pki-ca

- - - - -
5d4d8011 by Endi S. Dewata at 2022-06-30T16:45:43-05:00
Move com.netscape.cmscore.ldap to pki-ca

- - - - -
8d76e26b by Endi S. Dewata at 2022-06-30T16:45:43-05:00
Move RegistryAdminServlet to pki-ca

- - - - -
b66b2994 by Endi S. Dewata at 2022-06-30T16:45:43-05:00
Move policy classes to pki-ca

- - - - -
e0c48baa by Endi S. Dewata at 2022-07-06T10:13:24-05:00
Remove non-functional cache for build dependencies

The cache for build dependencies in the CI was originally added
in 66a6e594ae0e89e0d0411f78d2ac7c716f7cc9e7 to reduce build time
but it never worked properly so it has been removed.

- - - - -
5bc2aca0 by Fraser Tweedale at 2022-07-07T09:18:43+10:00
PKIService: add more general variants of resolveFormat

PKIService.resolveFormat is used to check a media type, or list of
media types (possibly including wildcards) against the default list
of content types understood and produced or processed by Dogtag.

The current variants compare the parameter against a hardcoded list
of supported content types.  However, it would be useful to also
provide general variants that allow the caller to specify both the
candidate type(s) and the valid/accepted types.  This commit adds
those variants.

Related: https://github.com/dogtagpki/pki/issues/3297
Signed-off-by: Fraser Tweedale <ftweedal at redhat.com>

- - - - -
70496404 by Fraser Tweedale at 2022-07-07T10:48:55+10:00
cli: handle t.getCause() == null in exception handler

It is possible that the cause of a ProcessingException is not set.
In that case, t.getCause() returns null.  As a consequence,
handleException() throws an unhandled NullPointerException.

Check that the cause Throwable is non-null before "drilling down" to
it.

Signed-off-by: Fraser Tweedale <ftweedal at redhat.com>

- - - - -
536b9923 by Endi S. Dewata at 2022-07-07T11:15:26-05:00
Move ACL classes into pki-server

- - - - -
f99cb9f6 by Endi S. Dewata at 2022-07-07T11:15:28-05:00
Merge IACLEntry into ACLEntry

- - - - -
f42b0dc4 by Endi S. Dewata at 2022-07-07T11:15:31-05:00
Merge IACL into ACL

- - - - -
0eaee9dd by Endi S. Dewata at 2022-07-07T11:15:34-05:00
Merge IRemoteAuthority into RemoteAuthority

- - - - -
57259630 by Endi S. Dewata at 2022-07-07T11:15:36-05:00
Merge IRequestEncoder into HttpRequestEncoder

- - - - -
c7411261 by Endi S. Dewata at 2022-07-07T11:15:41-05:00
Move com.netscape.certsrv.template into pki-ca

- - - - -
b4539f23 by Endi S. Dewata at 2022-07-07T11:15:43-05:00
Move com.netscape.certsrv.pattern into pki-ca

- - - - -
d691f9e5 by Endi S. Dewata at 2022-07-07T16:19:05-05:00
Move ISharedToken into pki-server

- - - - -
001d0549 by Endi S. Dewata at 2022-07-07T16:20:29-05:00
Move IAccessEvaluator into pki-server

- - - - -
4362ad64 by Endi S. Dewata at 2022-07-07T16:20:29-05:00
Remove duplicate AuthCredentials

- - - - -
a7607a8c by Endi S. Dewata at 2022-07-07T16:20:29-05:00
Merge IAuthCredentials into AuthCredentials

- - - - -
8b0c2c85 by Endi S. Dewata at 2022-07-07T17:18:58-05:00
Update ISharedToken.getSharedToken() to take AuthToken

- - - - -
04d8af02 by Endi S. Dewata at 2022-07-07T17:27:35-05:00
Update ExternalAuthToken to extend AuthToken

- - - - -
c57074b5 by Endi S. Dewata at 2022-07-07T17:32:22-05:00
Merge IAuthToken.set() into AuthToken

- - - - -
8de7111f by Endi S. Dewata at 2022-07-07T20:24:06-05:00
Merge IAuthToken.getInByteArrayArray() into AuthToken

- - - - -
8752b5fe by Endi S. Dewata at 2022-07-07T20:24:10-05:00
Merge IAuthToken.getInCertificates() into AuthToken

- - - - -
6e49c530 by Endi S. Dewata at 2022-07-07T20:24:10-05:00
Merge IPKIProcessor into PKIProcessor

- - - - -
61fdd189 by Endi S. Dewata at 2022-07-07T20:24:10-05:00
Update PKIProcessor to use AuthToken

- - - - -
563f9e6a by Endi S. Dewata at 2022-07-07T20:24:10-05:00
Update HashAuthentication.mData to use AuthToken

- - - - -
7689b415 by Endi S. Dewata at 2022-07-07T20:24:10-05:00
Update PKIPrincipal.authToken to use AuthToken

- - - - -
df7e14e1 by Endi S. Dewata at 2022-07-07T20:24:10-05:00
Update AuthManager.authenticate() to return AuthToken

- - - - -
c6664c17 by Endi S. Dewata at 2022-07-07T20:24:10-05:00
Update AuthSubsystem.authenticate() to return AuthToken

- - - - -
613900a9 by Endi S. Dewata at 2022-07-07T20:24:10-05:00
Update CMSServlet.authenticate() to return AuthToken

- - - - -
dd6a58bf by Endi S. Dewata at 2022-07-07T20:24:10-05:00
Update CAProcessor.authenticate() to return AuthToken

- - - - -
e5f7151b by Endi S. Dewata at 2022-07-07T20:24:10-05:00
Update CRSEnrollment.authenticate() to return AuthToken

- - - - -
a3fa0f94 by Endi S. Dewata at 2022-07-08T10:48:04-05:00
Update Maven project

New pom.xml files have been added to define Maven modules
for PKI. The dependencies have also been updated to match
the available packages on Fedora.

- - - - -
9503bd01 by Endi S. Dewata at 2022-07-08T10:48:04-05:00
Update build test

The build test has been updated to build PKI with Maven and
compare the build artifacts with the original CMake build
artifacts.

- - - - -
a9616e2c by Endi S. Dewata at 2022-07-08T10:52:14-05:00
Merge pki-cmsbundle.jar into pki-cms.jar

It's not clear why the message bundles were originally stored
separately in pki-cmsbundles.jar, but that doesn't seem to be
needed anymore. To simplify the packaging the pki-cmsbundle.jar
has now been merged into pki-cms.jar.

- - - - -
3157e649 by Endi S. Dewata at 2022-07-08T13:50:20-05:00
Clean up TPS tests

- - - - -
228d0883 by Endi S. Dewata at 2022-07-11T17:03:29-05:00
Fix missing dependency on jss-symkey.jar

- - - - -
b81eb0c3 by Endi S. Dewata at 2022-07-11T18:01:36-05:00
Update Request ext data to use AuthToken

- - - - -
cefd382b by Endi S. Dewata at 2022-07-11T18:01:46-05:00
Update CMSServlet.authorize() to take AuthToken

- - - - -
0920111d by Endi S. Dewata at 2022-07-11T18:02:41-05:00
Update CAProcessor.authorize() to take AuthToken

- - - - -
d937237f by Endi S. Dewata at 2022-07-11T18:02:41-05:00
Update AuthzSubsystem.checkRealm() to take AuthToken

- - - - -
a39fa3bf by Endi S. Dewata at 2022-07-11T18:03:07-05:00
Update IAuthzManager.authorize() to take AuthToken

- - - - -
9f357284 by Endi S. Dewata at 2022-07-11T18:05:16-05:00
Update Profile.submit() to take AuthToken

- - - - -
05433c35 by Endi S. Dewata at 2022-07-11T18:08:19-05:00
Update ProfileAuthentica.populate() to take AuthToken

- - - - -
7f073626 by Endi S. Dewata at 2022-07-11T18:11:29-05:00
Update CMCUserSignedAuth.verifySignerInfo() to return AuthToken

- - - - -
97221023 by Endi S. Dewata at 2022-07-11T18:14:05-05:00
Update SubjAltNameExt to use AuthToken

- - - - -
1d85f994 by Endi S. Dewata at 2022-07-12T12:53:53-05:00
Update pki nss-key-create/find to support AES

The pki nss-key-create command has been updated to support
creating AES keys. The pki nss-key-find command has been
updated to include symmetric keys in the result. A new test
has been added to validate these changes.

- - - - -
0f18146b by Endi S. Dewata at 2022-07-12T13:15:07-05:00
Clean up pki-server ca-cert-remove

The pki-server ca-cert-remove has been modified to use
CertificateRepository instead of direct LDAP connection.

- - - - -
3ecb3ab9 by Endi S. Dewata at 2022-07-12T15:39:43-05:00
Fix key type validation

- - - - -
77fd08d7 by Endi S. Dewata at 2022-07-12T15:44:52-05:00
Update IAccessEvaluator to use AuthToken

- - - - -
51b19238 by Endi S. Dewata at 2022-07-12T15:57:21-05:00
Move remaining IAuthToken methods into AuthToken

- - - - -
4394a399 by Endi S. Dewata at 2022-07-12T16:00:48-05:00
Move IAuthToken constants into AuthToken

- - - - -
c7441fde by Endi S. Dewata at 2022-07-12T16:56:48-05:00
Merge IAuthToken into AuthToken

- - - - -
2e7c342c by Endi S. Dewata at 2022-07-12T17:13:08-05:00
Add getters/setters for CMSEngine.id/name

- - - - -
3b3c48ad by Endi S. Dewata at 2022-07-12T17:13:13-05:00
Rename ACMEEngine.name to id

- - - - -
d745b390 by Endi S. Dewata at 2022-07-12T17:13:13-05:00
Clean up CMSEngine.start()

The code that stores the CMSEngine instance and registers a
PKIRealm has been moved out of CMSEngine.start().

- - - - -
4cc8264f by Endi S. Dewata at 2022-07-13T08:32:28-05:00
Move PKICertImport into base/tools

PKICertImport is part of pki-tools package so the sources have
been moved into base/tools.

- - - - -
68ddbcb8 by Endi S. Dewata at 2022-07-13T08:35:59-05:00
Update pki nss tests

The pki nss tests for RSA, EC, and HSM have been updated to
validate pki nss-key-create/find by creating a new key first
then use the key to issue a certificate.

- - - - -
39e6feb9 by Endi S. Dewata at 2022-07-13T08:46:02-05:00
Remove obsolete references to IAuthToken

- - - - -
f4aeb603 by Endi S. Dewata at 2022-07-13T12:15:58-05:00
Add WebListener classes

Previously the engine classes were marked as WebListeners so the
the engine instances would be created and destroyed automatically
by Tomcat. However, this also means that it's not possible to
customize the engine using a custom class.

To avoid the problem, new WebListener classes have been added
which will explicitly create and destroy the engine instances.
This way it will be possible to add a config parameter that
will specify the custom engine class in the future.

Note: Currently the ACMEEngine does not inherit from CMSEngine
so the ACMEWebListener cannot inherit from PKIWebListener either.
In the future it might be possible to merge these classes.

- - - - -
346de07e by Endi S. Dewata at 2022-07-13T12:31:00-05:00
Fix validation error in pki nss test for HSM

- - - - -
9fc7717f by Endi S. Dewata at 2022-07-13T14:30:18-05:00
Replace CMSEngine with CAEngine in pki-ca

- - - - -
8cd91c1d by Endi S. Dewata at 2022-07-13T19:00:48-05:00
Update CAEnrollDefault.getCAKeyIdentifier() to take X509CertImpl

- - - - -
24dab1f9 by Endi S. Dewata at 2022-07-13T19:01:31-05:00
Update AuthorityKeyIdentifierExtDefault.createExtension() to take KeyIdentifier

- - - - -
bfe475f2 by Endi S. Dewata at 2022-07-13T20:09:51-05:00
Remove ICertificateAuthority.noncesEnabled()

The ICertificateAuthority.noncesEnabled() has been replaced with
direct calls to CAEngine.getEnableNonces().

- - - - -
c40eddab by Endi S. Dewata at 2022-07-13T20:10:13-05:00
Remove ICertificateAuthority.allowExtCASignedAgentCerts()

The ICertificateAuthority.allowExtCASignedAgentCerts() has been
replaced with direct calls to CAEngine.getAllowExtCASignedAgentCerts().

- - - - -
0c54a658 by Endi S. Dewata at 2022-07-13T20:13:31-05:00
Remove ICertificateAuthority.getPolicyProcessor()

The ICertificateAuthority.getPolicyProcessor() has been replaced
with direct calls to CAPolicy.getPolicyProcessor().

- - - - -
9793d390 by Endi S. Dewata at 2022-07-13T20:17:15-05:00
Remove ICertificateAuthority.publishCRLNow()

The ICertificateAuthority.publishCRLNow() has been replaced with
direct calls to CRLIssuingPoint.publishCRL().

- - - - -
ddbee9f7 by Endi S. Dewata at 2022-07-13T20:20:51-05:00
Remove unused ICertificateAuthority.updateCRLNow()

- - - - -
ae4e2348 by Endi S. Dewata at 2022-07-13T20:22:57-05:00
Remove unused ICertificateAuthority.getIssuanceProtCert()

- - - - -
60b66c37 by Endi S. Dewata at 2022-07-13T20:26:33-05:00
Remove ICertificateAuthority.getIssuanceProtPubKey()

The ICertificateAuthority.getIssuanceProtPubKey() has been replaced
with direct calls to CAEngine.getIssuanceProtectionPublicKey().

- - - - -
b01ca9bc by Endi S. Dewata at 2022-07-14T11:18:19-05:00
Add SigningUnitConfig

The SigningUnitConfig class has been added to encapsulate the
config params for CA, OCSP, and CRL signing units. The SigningUnit
classes have been updated to use this class.

- - - - -
f5f183cd by Endi S. Dewata at 2022-07-14T15:59:50-05:00
Replace EngineConfig with CAEngineConfig in pki-ca

- - - - -
7f7ca83a by Endi S. Dewata at 2022-07-14T16:00:33-05:00
Replace EngineConfig with KRAEngineConfig in pki-kra

- - - - -
c0f541e1 by Endi S. Dewata at 2022-07-14T16:04:26-05:00
Replace EngineConfig with OCSPEngineConfig in pki-ocsp

- - - - -
db3d14e9 by Endi S. Dewata at 2022-07-14T16:04:26-05:00
Replace EngineConfig with TKSEngineConfig in pki-tks

- - - - -
9e03d25b by Endi S. Dewata at 2022-07-14T16:04:26-05:00
Replace EngineConfig with TPSEngineConfig in pki-tps

- - - - -
571c4d80 by Fraser Tweedale at 2022-07-15T08:45:20+10:00
AuthorityService: recognise .../authorities/host-authority/(chain|cert)

The LWCA REST API recognises the special identifier "host-authority"
in the getCA method, as well as as a parameter in some other methods
(e.g. nominating the parent CA when creating a new LWCA).  However,
"host-authority" is not recognised when retrieving the certificate
or certificate chain of a CA.  The following resources respond with
400 Bad Request because "host-authority" is not a UUID:

   /ca/rest/authorities/host-authority/(chain|cert)

Update these resources to recognise "host-authority" as referring to
the primary CA in the instance.

As well as being a general improvement to the API, this work was
undertaken specifically to make cert chain retrieval easier for the
EST service.

Related: https://github.com/dogtagpki/pki/issues/3297

- - - - -
2475fdf9 by Fraser Tweedale at 2022-07-15T08:45:34+10:00
AuthorityClient: add getChainPEM method

Extend AuthorityClient with a method to retrieve the certificate
chain of a LWCA.

This enhancement is required by the EST feature.

Related: https://github.com/dogtagpki/pki/issues/3297

- - - - -
56e41d23 by Endi S. Dewata at 2022-07-15T09:05:29-05:00
Add offline support for CAValidityDefault

Previously the CAValidityDefault could only be used inside the
server since it got the signing cert from the signing unit object
which was only available if the server was running.

To improve its usability the code has been modified to get the
signing cert from the signing unit config if it's running outside
of the server, so it no longer needs the signing unit object.

The SigningUnitConfig.getFullName() has been added to get the
signing cert fullname like in CASigningUnit.init().

- - - - -
345ebb04 by Endi S. Dewata at 2022-07-15T15:48:44-05:00
Fix missing console build option

- - - - -
6e4375d2 by Endi S. Dewata at 2022-07-15T15:48:46-05:00
Rename base/console/templates to base/console/bin

- - - - -
58af54d0 by Endi S. Dewata at 2022-07-18T10:00:21-05:00
Add offline support for AuthorityKeyIdentifierExtDefault

Previously the AuthorityKeyIdentifierExtDefault could only be used
inside the server since it got the signing cert from the signing
unit object of a certificate authority (identified by its ID) which
was only available if the server was running.

To improve its usability the code has been modified to get the
signing cert from the signing unit config if it's running outside
of the server, mainly for installation. Since there will be only
one certificate authority during installation (the host CA), this
is not going to be an issue.

The CAValidityDefault.getSigningCert() has been moved into
EnrollDefault so that it can be reused. The code has also been
modified to optionally take a certificate authority ID.

- - - - -
47015a9b by Endi S. Dewata at 2022-07-18T14:18:01-05:00
Update CryptoUtil.decodeKeyID()

The CryptoUtil.decodeKeyID() has been updated to handle key IDs
that start with "0x".

- - - - -
a5e9e8df by Endi S. Dewata at 2022-07-19T09:07:09-05:00
Add offline support for AuthInfoAccessExtDefault

Previously the AuthInfoAccessExtDefault could only be used inside
the server since it got the port number for the OCSP URL from the
engine object, which obtained the port from the config files (see
CMSEngine.configurePorts()) on startup.

To improve its usability the code has been modified to get the
port number directly from the config files if it's running outside
of the server.

- - - - -
92b918ca by Endi S. Dewata at 2022-07-19T09:10:23-05:00
Remove EnrollProfile.getAuthority()

The EnrollProfile.getAuthority() has been replaced with direct
calls to CAEngine.getCA().

- - - - -
9044bc19 by Endi S. Dewata at 2022-07-19T09:10:23-05:00
Remove EnrollProfile.getIssuerName()

The EnrollProfile.getIssuerName() has been replaced with direct
calls to CertificateAuthority.getX500Name().

- - - - -
a3d2648d by Endi S. Dewata at 2022-07-19T09:10:23-05:00
Remove CertificateAuthority.getDefaultValidity()

The CertificateAuthority.getDefaultValidity() has been replaced
with direct calls to CAEngine.getDefaultCertValidity().

- - - - -
42653366 by Endi S. Dewata at 2022-07-19T09:10:23-05:00
Clean up CertificateAuthority.getCertificateRepository()

Calls to CertificateAuthority.getCertificateRepository()
in pki-ca have been replaced with direct calls to
CAEngine.getCertificateRepository().

- - - - -
fe4f5801 by Endi S. Dewata at 2022-07-19T17:01:10-05:00
Fix AuthInfoAccessExtDefault.getBuiltinOCSPPort()

The AuthInfoAccessExtDefault.getBuiltinOCSPPort() has been
modified to check for null or empty proxy.unsecurePort.

- - - - -
6dbc9b9f by Endi S. Dewata at 2022-07-19T19:24:30-05:00
Merge ICRLIssuingPoint into CRLIssuingPoint

- - - - -
430b3692 by Endi S. Dewata at 2022-07-19T19:32:58-05:00
Remove CertificateAuthority.getReplicaRepository()

The CertificateAuthority.getReplicaRepository() has been replaced
with direct calls to CAEngine.getReplicaIDRepository().

- - - - -
44c7cd58 by Endi S. Dewata at 2022-07-19T19:42:45-05:00
Move ChallengePhraseAuthentication constants to Request

- - - - -
2e4cdf7b by Endi S. Dewata at 2022-07-20T10:19:55-05:00
Add pki-server ca-cert-create

The CAInstallerService.createCert() has been converted into
pki-server ca-cert-create CLI. The CLI provides a way to create
a system certificate without the server running, which would be
useful for system recovery.

The installer has been updated to call CASubsystem.create_cert()
which will call the CLI.

- - - - -
c50cbcdd by Endi S. Dewata at 2022-07-20T18:23:36-05:00
Remove unused CAInstallerService.initSubsystem()

- - - - -
fc0699e7 by Endi S. Dewata at 2022-07-20T18:23:36-05:00
Move CRL methods in ICertificateAuthority to CertificateAuthority

- - - - -
e98bd6cd by Endi S. Dewata at 2022-07-20T18:23:36-05:00
Add CRLConfig

The CRLConfig has been added to encapsulate the config params
for CRL, replacing the generic ConfigStore.

- - - - -
56c8e250 by Endi S. Dewata at 2022-07-20T18:23:36-05:00
Add CRLConfig.getCRLIssuingPointConfig()

The CRLConfig.getCRLIssuingPointConfig() has been added to
get the CRL issuing point config params.

- - - - -
5111b771 by Endi S. Dewata at 2022-07-20T19:13:50-05:00
Update CRLIssuingPoint.init()

The CRLIssuingPoint.init() has been updated to take
CertificateAuthority and CRLIssuingPointConfig params.

- - - - -
6f99946d by Endi S. Dewata at 2022-07-20T19:14:04-05:00
Update log messages in LdapCaSimpleMap.formDN()

- - - - -
3f2446aa by Endi S. Dewata at 2022-07-20T19:14:04-05:00
Clean up file-based CRL publishing test

- - - - -
358d0dc0 by Chris Kelley at 2022-07-21T12:32:25+01:00
Run shellcheck as GitHub action in PKI CI

* Rename sonarcloud.yml to code-analysis.yml, add any additional future
linters/scanners into this workflow.
* Temporarily fail only on error, when errors have been fixed remove
that and fix the warnings too.
- - - - -
3081b35c by Chris Kelley at 2022-07-21T16:49:17+01:00
Fix shellcheck errors in pki

Ignore the legacy tests.
- - - - -
8ae0690d by Chris Kelley at 2022-07-21T17:01:32+01:00
Remove legacy dogtag acceptance tests we no longer use
- - - - -
5050685d by Chris Kelley at 2022-07-21T17:17:31+01:00
Tidy bash in build.sh

- - - - -
f63efd21 by Endi S. Dewata at 2022-07-21T16:51:33-05:00
Replace ICertificateAuthority in pki-ca with CertificateAuthority

- - - - -
e7bbb37a by Endi S. Dewata at 2022-07-21T16:51:40-05:00
Move lightweight CA methods in ICertificateAuthority to CertificateAuthority

- - - - -
743c9f9e by Endi S. Dewata at 2022-07-21T16:51:40-05:00
Move OCSP methods in ICertificateAuthority to CertificateAuthority

- - - - -
ffcf7821 by Endi S. Dewata at 2022-07-21T16:51:40-05:00
Move serial number methods in ICertificateAuthority to CertificateAuthority

- - - - -
7af98318 by Endi S. Dewata at 2022-07-21T16:51:40-05:00
Move algorithm methods in ICertificateAuthority to CertificateAuthority

- - - - -
8a089da6 by Endi S. Dewata at 2022-07-21T16:51:40-05:00
Move signing methods in ICertificateAuthority to CertificateAuthority

- - - - -
a09be812 by Endi S. Dewata at 2022-07-21T16:51:40-05:00
Move cert methods in ICertificateAuthority to CertificateAuthority

- - - - -
734bf043 by Endi S. Dewata at 2022-07-21T16:51:40-05:00
Move CA-only methods in ICertificateAuthority to CertificateAuthority

- - - - -
3ea5209e by Marco Fargetta at 2022-07-22T09:59:29+02:00
Rebase to master before analyse the pull request (#4069)

* Rebase to master before analyse the pull request

* Fix remote name
- - - - -
65cc1f34 by Endi S. Dewata at 2022-07-22T11:24:14-05:00
Add CRLIssuingPointExtensionsConfig

The CRLIssuingPointExtensionsConfig has been added to encapsulate
the config params for CRL issuing point extensions.

- - - - -
c94add30 by Endi S. Dewata at 2022-07-22T12:22:47-05:00
Update file-based CRL publishing test

- - - - -
30833014 by Endi S. Dewata at 2022-07-22T12:23:00-05:00
Clean up OCSP test

The OCSP test has been updated to parse command outputs and store
the values into variables for clarity.

- - - - -
14dcbe64 by Endi S. Dewata at 2022-07-22T12:23:06-05:00
Update standalone OCSP test to use separate CA

The standalone OCSP test has been updated to generate the system
certs using a separate CA subsystem instead of NSS database.

- - - - -
01c0b18a by Endi S. Dewata at 2022-07-25T12:37:22-05:00
Add test for CMC shared token

A new test has been added for issuing a user cert using CMC
shared token authentication.

The files in base/ca/auth/ds provide a sample authentication
database.

The files in base/server/examples/cmc provide a sample CMC
configuration for generating the issuance protection cert.

The file in base/tools/examples/certs provides a sample pki
nss CLI configuration for generating a CSR for the user cert.

The files in base/tools/examples/cmc provide a sample CMC
configuration for generating the user cert.

- - - - -
afc0e01c by Endi S. Dewata at 2022-07-25T13:26:16-05:00
Add test for LDAP-based CRL publishing

- - - - -
12857e09 by Marco Fargetta at 2022-07-26T15:26:50+02:00
Make the base branch generic (#4073)


- - - - -
f4208182 by Chris Kelley at 2022-07-26T15:02:43+01:00
Run RPMInspect against new builds
- - - - -
327fea57 by Endi S. Dewata at 2022-07-26T11:04:32-05:00
Update PKIDeployer.create_cert()

Previously during installation PKIDeployer.create_cert() would
always call the server to generate a cert ID (using either legacy
or random generator), then call pki ca-cert-create CLI to create
a cert with that ID.

The code has been modified such that in case random ID generator
is used it will no longer call the server but instead it will let
the CLI generate the random cert ID locally. For legacy generator
it will still call the server since legacy generator can only work
inside the server.

- - - - -
ef6b4290 by Endi S. Dewata at 2022-07-27T15:42:24-05:00
Update deprecation URLs

- - - - -
ffa72379 by Endi S. Dewata at 2022-07-27T16:17:33-05:00
Merge IKeyService into KeyRecoveryAuthority

- - - - -
84720a99 by Endi S. Dewata at 2022-07-27T16:21:43-05:00
Rename AJobBase to Job

- - - - -
1ea375ae by Endi S. Dewata at 2022-07-27T16:43:18-05:00
Merge IJob into Job

- - - - -
6fdabda5 by Endi S. Dewata at 2022-07-27T16:43:18-05:00
Merge IJobCron into JobCron

- - - - -
3b636b19 by Endi S. Dewata at 2022-07-27T17:46:32-05:00
Merge ISelfTestSubsystem into SelfTestSubsystem

- - - - -
84bec247 by Endi S. Dewata at 2022-07-27T17:48:51-05:00
Rename ASelfTest to SelfTest

- - - - -
74af9a71 by Endi S. Dewata at 2022-07-27T17:50:32-05:00
Merge ISelfTest into SelfTest

- - - - -
6f119ded by Marco Fargetta at 2022-07-28T14:31:02+02:00
Fix broken PKICertImport test (#4075)


- - - - -
13da472d by Chris Kelley at 2022-07-28T15:57:24+01:00
Replace exclusion of i686 with new %{java_arches} macro

- - - - -
dce39143 by Endi S. Dewata at 2022-07-28T13:58:12-05:00
Merge pki-cmsutil.jar into pki-certsrv.jar

pki-cmsutil.jar has been merged into pki-certsrv.jar since they
are distributed in the same RPM package and usually used together.

- - - - -
009de428 by Endi S. Dewata at 2022-07-28T19:50:15-05:00
Remove remaining references to base/util

- - - - -
f5e0b815 by Christian Heimes at 2022-07-29T11:18:11+02:00
Don't use deprecated python-ldap options (#4082)

- `OPT_X_TLS` is deprecated since python-ldap 3.3.0 and was removed in
  3.4.2.
- `OPT_X_TLS_DEMAND` is not a valid option key.

`ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)` is
sufficient to enforce cert validation.

Closes: #4081
- - - - -
1109294d by Endi S. Dewata at 2022-07-29T08:45:58-05:00
Bump redhat-rpm-config dependency

java_arches macro was add into redhat-rpm-config in version 201
on F35 and in version 219 on F36 or later.

https://src.fedoraproject.org/rpms/redhat-rpm-config/c/1926c37598951ae30749eb212b2412973a0300e5?branch=f35
https://src.fedoraproject.org/rpms/redhat-rpm-config/c/42b3f9289ae0764e3737eb380e620d3028dc6ce3?branch=f36
https://src.fedoraproject.org/rpms/redhat-rpm-config/c/f8b207df3be5c6de96864d25514d22e136b1fe87?branch=rawhide

- - - - -
148c6883 by Endi S. Dewata at 2022-07-29T13:15:49-05:00
Remove default serverCertNickFile attribute

Previously during installation the server.xml was always created
with a serverCertNickFile attribute. This attribute is supposed
to point to serverCertNick.conf which stores the nickname of the
SSL server cert. If the attribute exists, Tomcat JSS will read
the attribute, load the file, then load the cert. Since the
installation also calls some pki-server commands that depend on
Tomcat JSS, a temporary SSL server cert had to be created early
to prevent failures.

In the future the process might be optimized to reduce/eliminate
the need of a temporary SSL server cert, so the code has been
changed as follows:

- the server.xml will no longer include the attribute by
  default
- the create_temp_sslserver_cert() will be called only if
  the server needs to be started
- the set_sslserver_cert_nickname() will add the attribute
  into the server.xml
- the get_sslserver_cert_nickname() will read the attribute
  from server.xml instead of using a hard-coded value

- - - - -
6f395f02 by Endi S. Dewata at 2022-07-29T13:37:12-05:00
Add test for CA cert publishing

- - - - -
3ecc5867 by Endi S. Dewata at 2022-07-29T15:26:01-05:00
Clean up configuration.py

The configuration.py has been updated to replace the temporary
SSL server cert with the permanent one only when installing the
first subsystem.

- - - - -
dfc50e23 by Endi S. Dewata at 2022-07-29T19:06:16-05:00
Clean up configuration.py (part 2)

The configuration.py has been modified to always install the
permanent SSL server cert when installing the first subsystem.

- - - - -
fee7cca9 by Endi S. Dewata at 2022-08-01T09:27:13-05:00
Reduce server startup during installation

Previously during installation the server had to be started twice.
First it had to be started with a temporary SSL cert so the server
could generate system certs (including the permanent SSL cert),
then it had to be restarted in order to use the permanent cert.

If the server is configured without legacy ID generators it's no
longer necessary to start the server with a temporary cert since
now the system certs can be created offline, so the code has been
updated to skip the first startup for that particular case.

- - - - -
40bcb3fb by Endi S. Dewata at 2022-08-01T12:36:44-05:00
Add ProfileSubsystemConfig

The ProfileSubsystemConfig has been added to encapsulate the
config params for profile subsystem.

- - - - -
ec0cc7dc by Endi S. Dewata at 2022-08-01T12:36:44-05:00
Add ProfileEntryConfig

The ProfileEnryConfig has been added to encapsulate the config
params for profile entries in CS.cfg.

- - - - -
d05e5356 by Endi S. Dewata at 2022-08-01T12:36:44-05:00
Add ProfileConfig

The ProfileConfig has been added to encapsulate the actual
profile configuration (in file or LDAP).

- - - - -
00b9889e by Endi S. Dewata at 2022-08-01T12:36:44-05:00
Update pkispawn/pkidestroy logging

pkispawn and pkidestroy have been updated to use a basic console
logging by default. The pkilogging.enable_pki_logger() has been
updated to optionally configure file logging.

- - - - -
3e1698ac by Endi S. Dewata at 2022-08-01T14:56:41-05:00
Clean up log messages in pkispawn/pkidestroy

- - - - -
8bc92891 by Endi S. Dewata at 2022-08-02T09:00:40-05:00
Update PKIConfigParser.validate_user_config()

Previously the PKIConfigParser.validate_user_config() would
generate a deprecation warning for pkispawn params listed in
the DEPRECATED_PARAMS list and show the new section and/or
the replacement param.

The code has been updated to generate a removal warning if
there is no new section or param name specified in the list.

- - - - -
f3f28b5f by Endi S. Dewata at 2022-08-02T09:00:40-05:00
Remove pki_restart_configured_instance

In the past when installing an additional subsystem (after the
first one) the subsystem had to be started first to execute some
installation steps, then restarted to actually run the subsystem.
The pki_restart_configured_instance param provided an option to
skip the restart to optimize the installation process in IPA.

Now the subsystem no longer needs to be restarted since those
steps can be executed offline, so the code has been modified to
skip the initial startup. The param has been removed as well
since it's no longer used. The DEPRECATED_PARAMS list has also
been updated to generate a removal warning for this param.

- - - - -
30b33810 by Endi S. Dewata at 2022-08-02T09:01:42-05:00
Add test for publishing CRL to OCSP responder

The standalone OCSP test has been modified to configure the CA
to publish the CRLs to the OCSP responder.

- - - - -
4b1ace4a by Fraser Tweedale at 2022-08-03T23:21:37+10:00
fix LWCA key replication

Commit 47b3affc0dd576cb11dc93561cafffe1a25c2e8e refactors the JSON
handling in ExternalProcessKeyRetriever.  It introduced a regression
that causes lightweight CA key replication to fail.  It scrutinises
an empty node instead of the JSON node containing the object loaded
from the InputStream.  Update the code to scrutinise the correct
node.

Separately, commit 6c116bf52f9691a5e7727d087a615f5009474316 enhanced
the ExternalProcessKeyRetriever diagnostic output.  It also broke
key retrieval.  The `wrapped_key` field value is expected to be a
text node containing base64-encoded data.  We retrieve its decoded
value using `.binaryValue()`.  That commit added a check that throws
an exception if `node.isBinary()` is false.  However, the node is
parsed as a com.fasterxml.jackson.databind.node.TextNode, for which
`.isBinary()` returns false.  This commit removes the check.
`.binaryValue()` will (as before) throw an `IOException` if base64
decoding fails.

Fixes: https://github.com/dogtagpki/pki/issues/4032

- - - - -
5eb7fec3 by Endi S. Dewata at 2022-08-03T17:54:02-05:00
Clean up CA install test with existing certs (part 1)

The pki commands in CA install test with existing certs have
been modified to generate JSON output.

- - - - -
fb325608 by Endi S. Dewata at 2022-08-03T17:54:08-05:00
Clean up CA install test with existing certs (part 2)

The pki commands in CA install tests with existing certs have
been modified to use the default NSS database.

- - - - -
cdab3f3d by Endi S. Dewata at 2022-08-03T17:54:08-05:00
Clean up CA install test with existing certs (part 3)

The CA install test with existing certs has been modified to
use the basic sample CA config file with random serial numbers.

- - - - -
e7b79f2c by Marco Fargetta at 2022-08-04T10:22:35+02:00
Fix miss email in sonarcloud rebase (#4091)


- - - - -
13fb7ddf by Endi S. Dewata at 2022-08-04T09:33:57-05:00
Add pki_self_signed_nickname

Previously the installation code was using the same nickname for
the temporary (self-signed) and permanent SSL server certs, so
the permanent cert could not be imported into the NSS database
until the temporary one is removed.

The pki_self_signed_nickname parameter has been added to define a
separate nickname for the temporary cert, allowing the permanent
cert to be imported earlier along with other system certs.

The PKIDeployer.temp_sslserver_cert_created is no longer used so
it has been removed.

- - - - -
115e8bea by Endi S. Dewata at 2022-08-04T09:41:42-05:00
Merge IPluginInfo into PluginInfo

- - - - -
2fc3a581 by Endi S. Dewata at 2022-08-04T09:48:08-05:00
Merge IXcertPublisherProcessor into PublisherProcessor

- - - - -
37fdf993 by Endi S. Dewata at 2022-08-04T09:53:14-05:00
Merge INotify into IRequestNotifier

- - - - -
d99ae9a1 by Endi S. Dewata at 2022-08-04T13:06:25-05:00
Merge IRequestNotifier into RequestNotifier

- - - - -
a3d82ca6 by Endi S. Dewata at 2022-08-04T20:21:22-05:00
Merge PKIDeployer.import_perm_sslserver_cert()

The code in PKIDeployer.import_perm_sslserver_cert() that imports
the permanent SSL server cert into NSS database has been merged
into setup_system_cert(). The code that fixes the NSS database
permissions has been moved into setup_system_certs().

- - - - -
afeea918 by Christina Fu at 2022-08-05T17:41:14+01:00
Bug2070766-caServerKeygen_DirUserCert subject constraints

This patch replaces input of cert subject to that of the auth token.

fixes https://bugzilla.redhat.com/show_bug.cgi?id=2070766

- - - - -
bf1ed2ba by Christina Fu at 2022-08-05T17:42:59+01:00
Bug2070766 - upgrade-caServerKeygen_DirUserCert-profile

This patch provides the upgrade script to change the profile
 caServerKeygen_DirUserCert.cfg in an existing ca instance.

fix 2 for bug https://bugzilla.redhat.com/show_bug.cgi?id=2070766

- - - - -
d97adfa0 by Endi S. Dewata at 2022-08-05T11:53:35-05:00
Fix pki-server run

The pki-server run command was supposed to run the server on
the foreground for troubleshooting and for future containers,
but it was not working due to missing JVM parameters.

The code has been updated to include the --add-opens options
as defined in Tomcat configuration:
/etc/tomcat/conf.d/java-9-start-up-parameters.conf

- - - - -
852885d9 by Endi S. Dewata at 2022-08-05T14:20:30-05:00
Add test for pki-server upgrade

A new test has been added to verify the pki-server upgrade tool
using a basic upgrade script.

- - - - -
bd264c07 by Endi S. Dewata at 2022-08-08T13:37:48-05:00
Clean up log messages in AddCRLServlet

- - - - -
d696b6a6 by Endi S. Dewata at 2022-08-08T13:37:48-05:00
Clean up log messages in DefStore

- - - - -
503605f3 by Endi S. Dewata at 2022-08-08T13:37:48-05:00
Clean up log messages in OCSPAuthority

- - - - -
e235965f by Endi S. Dewata at 2022-08-08T14:40:09-05:00
Clean up log messages in LDAPStore

- - - - -
92f8ceaf by Endi S. Dewata at 2022-08-08T17:12:32-05:00
Update basic CA test to use RSNv3

The basic CA test has been updated to use RSNv3. The RSNv3
test has been converted into a test for migrating from
sequential serial numbers to RSNv3.

- - - - -
78772e4f by Endi S. Dewata at 2022-08-09T09:07:22-05:00
Remove pki_<tag>_cert_path default values

The pki_external_<tag>_cert_path params had been deprecated some
time ago and replaced with pki_<tag>_cert_path, but they were
still included in the man page. These params also had default
values which were redundant since the admin would override them
during installation.

Similarly, the pki_external_<tag>_csr_path params had also been
deprecated some time ago and replaced with pki_<tag>_csr_path,
but they were also still included in the man page. These params
did not actually have default values even though the man page
said otherwise.

Now the man page has been updated to include the new params with
no default values. The default.cfg has also been updated to remove
pki_external_<tag>_cert_path default values.

- - - - -
08028879 by Endi S. Dewata at 2022-08-09T09:08:38-05:00
Add test for OCSP with LDAP-based CRL publishing

A new test has been added to verify that OCSP can consume the
CRL published by CA through LDAP.

The tests for CA cert and CRL publishing have been updated to
use the same DN pattern, predicate, and search filter for
consistency.

- - - - -
6762d57c by Endi S. Dewata at 2022-08-09T13:23:47-05:00
Remove unused preop.internaldb.dbuser

- - - - -
629760d3 by Endi S. Dewata at 2022-08-09T13:31:14-05:00
Add PKIDeployer.configure_tps()

The code that configures TPS params has been moved into
PKIDeployer.configure_tps().

- - - - -
39c3e2a0 by Endi S. Dewata at 2022-08-09T13:31:22-05:00
Add PKIDeployer.configure_kra()

The code that configures KRA params has been moved into
PKIDeployer.configure_kra().

- - - - -
537ed38a by Endi S. Dewata at 2022-08-09T14:03:04-05:00
Add PKIDeployer.configure_ca()

The code that configures CA params has been moved into
PKIDeployer.configure_ca().

- - - - -
2b76fb86 by Endi S. Dewata at 2022-08-09T14:03:04-05:00
Add PKIDeployer.configure_subsystem()

The code that configures general subsystem params has been
moved into PKIDeployer.configure_subsystem().

- - - - -
3f1f6fb2 by Endi S. Dewata at 2022-08-09T15:24:45-05:00
Add PKIDeployer.finalize_tps()

The code that finalizes TPS installation has been moved into
PKIDeployer.finalize_tps().

- - - - -
73e43848 by Endi S. Dewata at 2022-08-09T15:25:12-05:00
Add PKIDeployer.finalize_ocsp()

The code that finalizes OCSP installation has been moved into
PKIDeployer.finalize_ocsp().

- - - - -
d3a43025 by Endi S. Dewata at 2022-08-09T15:25:19-05:00
Add PKIDeployer.finalize_kra()

The code that finalizes KRA installation has been moved into
PKIDeployer.finalize_kra().

- - - - -
42f9558b by Endi S. Dewata at 2022-08-09T15:25:28-05:00
Add PKIDeployer.finalize_ca()

The code that finalizes CA installation has been moved into
PKIDeployer.finalize_ca().

- - - - -
2f9ce264 by Endi S. Dewata at 2022-08-09T15:25:37-05:00
Add PKIDeployer.finalize_tks()

The code that finalizes TKS installation has been moved into
PKIDeployer.finalize_tks().

- - - - -
f704c428 by Endi S. Dewata at 2022-08-09T18:47:01-05:00
Clean up PKIDeployer.load_admin_cert()

The conditional in PKIDeployer.load_admin_cert() has been updated
to return early, eliminating the else clause.

- - - - -
3145706e by Endi S. Dewata at 2022-08-09T18:47:16-05:00
Refactor PKIDeployer.load_admin_cert() (part 1)

The PKIDeployer.load_admin_cert() has been updated to load/store
the admin cert from/into pki_admin_cert_file in PEM format.

- - - - -
080ec41a by Endi S. Dewata at 2022-08-09T18:47:18-05:00
Refactor PKIDeployer.load_admin_cert() (part 2)

The PKIDeployer.load_admin_cert() has been updated to load the
admin cert from the NSS database in PEM format.

- - - - -
37331ede by Endi S. Dewata at 2022-08-09T19:09:32-05:00
Refactor PKIDeployer.load_admin_cert() (part 3)

The PKIDeployer.load_admin_cert() has been updated to load the
admin cert from pki_admin_cert_file only if the file exists.

- - - - -
914a2a38 by Endi S. Dewata at 2022-08-09T19:09:40-05:00
Refactor PKIDeployer.load_admin_cert() (part 4)

The PKIDeployer.load_admin_cert() has been updated to load the
admin cert only if the pki_admin_cert_path is specified.

- - - - -
73d226b0 by Endi S. Dewata at 2022-08-09T19:10:02-05:00
Update PKIDeployer.load_admin_cert() to return PEM cert

- - - - -
cbb4cf12 by Endi S. Dewata at 2022-08-09T20:14:46-05:00
Update PKIDeployer.create_admin_cert() to return PEM cert

- - - - -
d8222681 by Endi S. Dewata at 2022-08-09T20:15:23-05:00
Update PKIDeployer.request_cert() to return PEM cert

- - - - -
9526b5cb by Endi S. Dewata at 2022-08-09T20:15:23-05:00
Update PKIDeployer.store_admin_cert() to take PEM cert

- - - - -
ba743e6f by Endi S. Dewata at 2022-08-09T20:15:23-05:00
Update PKIDeployer.get_admin_cert() to return PEM cert

- - - - -
bd107524 by Endi S. Dewata at 2022-08-10T19:09:46-05:00
Update PKIDeployer.setup_admin_user() to take PEM cert

- - - - -
04dd08de by Endi S. Dewata at 2022-08-10T19:09:46-05:00
Add PKIDeployer.is_using_legacy_id_generator()

The code that checks whether the subsystem uses a legacy ID
generator was moved to PKIDeployer.is_using_legacy_id_generator().

- - - - -
a8e1e3e8 by Endi S. Dewata at 2022-08-10T19:09:46-05:00
Fix PKIDeployer.load_admin_cert()

The pki_admin_cert_file is supposed to be used to import the
admin cert, and the pki_client_admin_cert is supposed to be
used to export the cert, so the PKIDeployer.load_admin_cert()
has been updated accordingly.

- - - - -
12df899e by Chris Kelley at 2022-08-12T00:14:58+01:00
Fix shellcheck warnings

Don't run checks against legacy tests

There was a typo in test_PKICertImport which should probably have caused
a test to fail, but it didn't.

- - - - -
6a677587 by Endi S. Dewata at 2022-08-11T20:53:25-05:00
Rename PKIDeployer.get_admin_cert() to setup_admin_cert()

- - - - -
76f387e0 by Endi S. Dewata at 2022-08-11T20:53:25-05:00
Clean up PKIDeployer.setup_admin_cert()

The PKIDeployer.setup_admin_cert() has been updated to store/export
the admin cert as needed, then return early.

- - - - -
bc9addd3 by Endi S. Dewata at 2022-08-11T20:53:25-05:00
Clean up PKIDeployer.load_admin_cert()

The code that exports the admin cert into pki_client_admin_cert
has been merged into store_admin_cert().

- - - - -
29ef0791 by Endi S. Dewata at 2022-08-11T20:53:25-05:00
Consolidate code for importing existing admin cert

The code that determines whether to import an existing admin
cert has been moved into PKIDeployer.setup_admin_cert().

- - - - -
be46ec4f by Endi S. Dewata at 2022-08-11T20:53:25-05:00
Remove redundant code in PKIDeployer.setup_admin_cert()

- - - - -
c1641915 by Endi S. Dewata at 2022-08-11T20:53:25-05:00
Refactor PKIDeployer.load_admin_cert()

The code that loads the admin cert from pki_admin_cert_path has
been moved into setup_admin_cert().

- - - - -
220ce1e9 by Endi S. Dewata at 2022-08-15T17:22:50-05:00
Update test for installing CA with existing certs

The test for installing CA with existing certs has been updated
to include existing subsystem, SSL server, and admin certs in
addition to CA signing, CA OCSP signing, and CA audit signing
certs.

The test has been updated to validate the system certs and keys
by comparing the original certs and keys and the ones actually
installed on the server.

The test has also been updated to validate the admin cert by
using the original cert for authentication against the server.

- - - - -
ce9011e1 by Endi S. Dewata at 2022-08-15T17:23:22-05:00
Merge IDBSearchResults into DBSearchResults

- - - - -
86e56a9f by Endi S. Dewata at 2022-08-15T17:23:22-05:00
Convert ElementProcessorStub into ElementProcessor

- - - - -
c1bd5db5 by Endi S. Dewata at 2022-08-15T17:23:22-05:00
Merge IElementProcessor into ElementProcessor

- - - - -
52585e78 by Endi S. Dewata at 2022-08-15T17:23:22-05:00
Convert IFilterConverter into FilterConverter

- - - - -
10444464 by Endi S. Dewata at 2022-08-16T09:29:20-05:00
Update build test

The build test has been updated to ensure that CMake installs
the same files included in RPM packages (except for RPM-specific
files).

In the future the CI tests might be modified to use CMake build
instead of RPM packages to shorten the execution time.

- - - - -
dba33a10 by Jack Magne at 2022-08-16T18:20:57-04:00
Fix: Bug 2094066 - CC: missing audit event CLIENT_ACCESS_SESSION_ESTABLISH when CS instance acting as a client and fails to connect

This simple fix allows a testing scenario where faiiled connections attempts when the given CS subsystem is acting as a client can be
viewed properly early during the subsystme's startup sequence. This is needed because the CA often attempts to make a pool of persistent SSL connections
to it's ldap server. This fix solves this issue with 2 approaches.

1. We establish an undocumented test-only config setting that allows the subsystem at startup to skip the early connection test to LDAP.
The reason we want to do this is because this test takes place very early in the startup sequence, well before the audit logging system or
the logging system has had a chance to come up. This can result in unreported connection failures.

This can be set simply like this in the CS.cfg:

cms.password.skipLdapConnTest=true

This setting will always default to false since we only want to skip this test very rarely.

2. Slightly switch the order of startup in a subysystem by  making sure the ldap DB section is started up before
the logging section. This allows any failures to establish the previously mentioned connection to be properly logged
in the audit log.

audit 3.

- - - - -
393017b1 by Endi S. Dewata at 2022-08-16T18:13:44-05:00
Add FULL_VERSION variable in build.sh

The FULL_VERSION variable has been added to store the version
number and the development phase.

- - - - -
4608848a by Endi S. Dewata at 2022-08-16T18:49:10-05:00
Update help message for pki-server <subsystem>-user-add

- - - - -
c87bf294 by Christina Fu at 2022-08-17T08:29:46-07:00
Bug2093114-cs-tls-client-ciphers

This patch fixes the issue introdued when the JSS engine was replaced
and the original control (inherited from server.xml) of ciphers when
acting as a client no longer works.
The controls are in two places.  One for when connecting with internal
ldap, while the other when a cs instance is connecting with each other.

It also narrowed the suggested cipher lists, such as the removal of the
SHA1 ciphers.

- - - - -
a45af417 by Christina Fu at 2022-08-17T08:29:46-07:00
Bug2093114-performance-improvement-for-cs-tls-client-ciphers

This patch added the performance improvement that was tabled from
earlier check-in due to time concern.
Instead of per socket-level cipher setting, we opt for cipher
setting at thread level in the class constructors.

fixes https://bugzilla.redhat.com/show_bug.cgi?id=2093114

- - - - -
11feb6c9 by Chris Kelley at 2022-08-17T17:14:32+01:00
Use ternary operator in BasicConstraintsExtDefault
- - - - -
621cf9c9 by Chris Kelley at 2022-08-17T17:40:07+01:00
Reorder modifiers in DefStore

- - - - -
6df36514 by Christina Fu at 2022-08-17T10:51:34-07:00
simple comment changes for Bug2093114

- - - - -
412b79fe by Endi S. Dewata at 2022-08-18T11:05:27-05:00
Fix typos in OCSP test

- - - - -
f805cc71 by Endi S. Dewata at 2022-08-18T16:22:32-05:00
Remove unused pki_ca_hostname and pki_ca_port params

- - - - -
6fe2934e by Endi S. Dewata at 2022-08-18T16:40:31-05:00
Remove unused SSL range slots

- - - - -
a03e5d22 by Endi S. Dewata at 2022-08-18T16:54:18-05:00
Remove unused TOMCAT_CFG slot

- - - - -
352e570e by Endi S. Dewata at 2022-08-18T16:54:19-05:00
Replace PKI_SECURITY_MANAGER slot with direct substitution

- - - - -
9ac1fc71 by Endi S. Dewata at 2022-08-18T16:54:48-05:00
Replace MASTER_CRL_ENABLE slot with direct substitution

- - - - -
ba131378 by Endi S. Dewata at 2022-08-18T16:54:49-05:00
Replace PKI_SYSTEMD_SERVICENAME slot with direct substitution

- - - - -
5819cec9 by Endi S. Dewata at 2022-08-18T16:54:49-05:00
Replace PKI_TMPDIR slot with direct substitution

- - - - -
d835109e by Endi S. Dewata at 2022-08-18T16:54:49-05:00
Replace TPS_DIR slot with direct substitution

- - - - -
2bd0d3f4 by Endi S. Dewata at 2022-08-18T16:54:49-05:00
Replace PKI_PIDDIR slot with direct substitution

- - - - -
3b9243a1 by Endi S. Dewata at 2022-08-18T16:54:49-05:00
Replace INSTALL_TIME slot with direct substitution

- - - - -
73f920c3 by Endi S. Dewata at 2022-08-18T16:54:49-05:00
Replace APPLICATION_VERSION slot with direct subtitution

- - - - -
61bcddbf by Endi S. Dewata at 2022-08-18T17:00:43-05:00
Replace TOMCAT_LOG_DIR log with direct substitution

- - - - -
ecb84f8e by Endi S. Dewata at 2022-08-18T17:10:48-05:00
Replace TOKENDB_HOST slot with direct substitution

- - - - -
a970f270 by Endi S. Dewata at 2022-08-18T17:12:01-05:00
Replace TOKENDB_ROOT slot with direct substitution

- - - - -
29375718 by Endi S. Dewata at 2022-08-18T17:14:08-05:00
Replace PKI_SSL_SERVER_NICKNAME slot with direct substitution

- - - - -
6d04dbd4 by Endi S. Dewata at 2022-08-18T17:17:39-05:00
Replace PKI_RANDOM_NUMBER slot with direct substitution

- - - - -
45802061 by Endi S. Dewata at 2022-08-18T21:05:22-05:00
Update comments in instance_layout.py

- - - - -
b08d27aa by Endi S. Dewata at 2022-08-18T22:13:44-05:00
Move server startup to finalization.py

The code that starts the systemd service during installation
has been moved into finalization.py.

- - - - -
520bbade by Stanislav Levin at 2022-08-19T06:37:23+01:00
flake8: Fix whitespace warning

New `pycodestyle` 2.9.0 introduced:
> E275: requires whitespace around keywords

https://pycodestyle.pycqa.org/en/latest/developer.html#changes

`flake8` 5.0 that integrates `pycodestyle` found 1 issue in code:
```
./base/server/healthcheck/pki/server/healthcheck/clones/plugin.py:133:11: E275 missing whitespace after keyword
        if(ca_subsystem):
          ^
```

Fixes: https://github.com/dogtagpki/pki/issues/4101
Signed-off-by: Stanislav Levin <slev at altlinux.org>

- - - - -
60bfe6cd by Endi S. Dewata at 2022-08-19T11:24:40-05:00
Update tests for CRL publishing

The CA tests with file-based and LDAP-based CRL publishing and
the OCSP tests with direct OCSP and LDAP-based CRL publishing
have been updated to call the UpdateCRL service to publish the
initial CRL.

Since the CRL update happens asynchronously the tests will wait
for a few seconds before using the initial CRL.

Since the initial CRL is a valid CRL that contains no revoked
certs, the OCSP will return a "good" status to the clients
(instead of returning an error like in case it has no CRLs at
all).

- - - - -
74057f0d by Endi S. Dewata at 2022-08-19T14:20:02-05:00
Remove unused registry_instance

- - - - -
c5a25300 by Endi S. Dewata at 2022-08-19T14:50:40-05:00
Remove unused PKI_WEBAPPS_NAME slot

- - - - -
eb7532b9 by Endi S. Dewata at 2022-08-19T14:50:42-05:00
Remove unused PKI_SERVER_XML_CONF slot

- - - - -
9cb98d2a by Endi S. Dewata at 2022-08-19T14:50:42-05:00
Remove unused PKI_REGISTRY_FILE slot

- - - - -
41069583 by Endi S. Dewata at 2022-08-19T14:50:42-05:00
Remove unused PKI_CFG_PATH_NAME slot

- - - - -
e5e0b10d by Endi S. Dewata at 2022-08-19T14:50:42-05:00
Remove unused PKI_EE_SECURE_CLIENT_AUTH_PORT_SERVER_COMMENT slot

- - - - -
bacc6905 by Endi S. Dewata at 2022-08-19T14:50:42-05:00
Remove unused PKI_EE_SECURE_CLIENT_AUTH_PORT_UI slot

- - - - -
51eaac5d by Endi S. Dewata at 2022-08-19T14:51:05-05:00
Remove unused PKI_EE_SECURE_PORT_SERVER_COMMENT slot

- - - - -
c9afd9ac by Endi S. Dewata at 2022-08-19T15:08:58-05:00
Replace PKI_SECURE_PORT_CONNECTOR_NAME slot with direct substitution

- - - - -
8d98a29e by Endi S. Dewata at 2022-08-19T15:08:58-05:00
Replace PKI_SECURE_PORT_SERVER_COMMENT slot with direct substitution

- - - - -
8cfbce72 by Endi S. Dewata at 2022-08-19T15:08:58-05:00
Replace PKI_UNSECURE_PORT_CONNECTOR_NAME slot with direct substitution

- - - - -
687dd72f by Endi S. Dewata at 2022-08-19T15:09:52-05:00
Replace PKI_UNSECURE_PORT_SERVER_COMMENT slot with direct substitution

- - - - -
836fbc23 by Endi S. Dewata at 2022-08-19T15:27:00-05:00
Replace PKI_USER slot with direct substitution

- - - - -
d8763e3e by Endi S. Dewata at 2022-08-19T15:27:00-05:00
Replace PKI_GROUP slot with direct substitution

- - - - -
f2e19933 by Endi S. Dewata at 2022-08-19T15:27:00-05:00
Replace TOMCAT_PIDFILE with direct substitution

- - - - -
405d1510 by Endi S. Dewata at 2022-08-19T15:27:00-05:00
Update PKIDeployer.export_admin_pkcs12()

The PKIDeployer.export_admin_pkcs12() has been updated to use
the absolute path of the PKCS #12 file to get its directory.

- - - - -
edafef3c by Endi S. Dewata at 2022-08-22T09:56:11-05:00
Add pki_systemd_service_create

The pki_systemd_service_create param has been added to support
installing PKI server without systemd service.

- - - - -
95978fe9 by Endi S. Dewata at 2022-08-22T09:56:11-05:00
Add basic CA container

The Dockerfile has been updated to define a basic container
image for CA with some limitations. The pki-ca-run has been
added to create a CA instance and run it in foreground.

- - - - -
3aaabfde by Endi S. Dewata at 2022-08-22T09:56:11-05:00
Add test for CA container

A new test has been added to create a CA container and perform
some basic operations.

- - - - -
49b53a75 by Fraser Tweedale at 2022-08-23T13:17:32+10:00
ExternalProcessConstraint: fix copy/paste mistake in initialisation

Initialsation of "timeout" config incorrectly references the
"executable" config.  This is the result of a copy/paste mistake.
Fix the behaviour to refer to the correct variable.

- - - - -
d6b743b3 by Endi S. Dewata at 2022-08-23T08:52:49-05:00
Update CA container to use existing certs and keys

The pki-ca-run has been modified to create the system certs
and admin cert first, then create the CA using these certs.

In the future the script will support using certs and keys
created outside of container as in pki-acme-run.

- - - - -
c32df519 by Rob Crittenden at 2022-08-23T09:22:16-05:00
Add user and group options for the NSSDatabase class

The user and group options were not used in the NSSDatabase class.
Call chown() for any files/directories created and use runuser
for any external commands if a user is defined.

This is important for filesystem permissions when managing
certificates and private keys inside a software PKCS#11 module
like softHSM.

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

- - - - -
518a3e5c by Rob Crittenden at 2022-08-23T09:22:16-05:00
Use pki_sslserver_token if set for the sslserver cert

The installer was using pki_token_name for all certificates
regardless of whether a specific value for a certificate
was requested by the user.

This allows a user to not store the sslserver cert in the
PKCS#11 token but instead leave it in the NSS softokn.

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

- - - - -
b8aa0339 by Rob Crittenden at 2022-08-23T09:22:16-05:00
Disable cli return value check when adding certificates

NSS trust is stored in its own token database which needs
to be authenticated to in order to modify trust. certutil has
a bug where tries over and over to authetnicate to a PKCS#11
token to set the trust which inevitably fails because that
isn't where trust needs to be written. So all attempts to
set trust will fail with SEC_ERROR_TOKEN_NOT_LOGGED_IN

Disable the return value check because when adding certs
the trust is ,, anyway so there is nothing to lose.

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

- - - - -
fed6a96e by Endi S. Dewata at 2022-08-24T08:35:01-05:00
Make pki_hsm_modulename and pki_hsm_libfile optional

The pki_hsm_modulename and pki_hsm_libfile params have been
modified to become optional since they are not needed for
installation with SoftHSM.

- - - - -
795d577b by Endi S. Dewata at 2022-08-24T08:35:01-05:00
Add test for installing CA with HSM

A new GH job has been added to test CA installation with HSM. In
this case all system certs and keys will be created in HSM except
for the SSL server cert and key (needs further investigation). All
system certs will exist in the internal token as well, but only
the SSL server cert has a key. Certs that have a key in the same
token will have "u" trust flags.

- - - - -
7c6406db by Endi S. Dewata at 2022-08-24T18:26:25-05:00
Refactor TPSSubsystem.loadTokenStateTransitions()

The TPSSubsystem.loadTokenStateTransitions() has been modified
to take the param value instead of the ConfigStore object.

- - - - -
9e1440d2 by Endi S. Dewata at 2022-08-24T18:26:43-05:00
Rename TPSTokendb to TokenDB

- - - - -
696dbde1 by Endi S. Dewata at 2022-08-24T18:26:43-05:00
Add TokenDBConfig

The TokenDBConfig has been added to encapsulate the config
params for TokenDB.

- - - - -
61cfd7b8 by Endi S. Dewata at 2022-08-24T18:26:43-05:00
Clean up TPS test

- - - - -
e24b6166 by Endi S. Dewata at 2022-08-25T09:26:47-05:00
Update CA container to support existing certs

The pki-ca-run has been modified to import existing system and
admin certs if provided, otherwise it will create new ones.

The test for CA container has been updated to create the certs
first, then create the CA container with these certs.

- - - - -
25de8487 by Endi S. Dewata at 2022-08-25T13:02:40-05:00
Refactor RequestListByStatus to extend RequestList

- - - - -
21ade70f by Endi S. Dewata at 2022-08-25T13:02:48-05:00
Refactor SearchEnumeration to extend RequestList

- - - - -
1825fbf0 by Endi S. Dewata at 2022-08-25T13:02:54-05:00
Merge IRequestList into RequestList

- - - - -
dd0fb6cd by Endi S. Dewata at 2022-08-25T13:02:54-05:00
Merge IRequestScheduler into RequestScheduler

- - - - -
174c10ab by Endi S. Dewata at 2022-08-25T13:09:50-05:00
Merge IReqParser into ReqParser

- - - - -
c40715a9 by Endi S. Dewata at 2022-08-25T13:13:16-05:00
Merge IResender into Resender

- - - - -
451e76a6 by Endi S. Dewata at 2022-08-25T13:13:16-05:00
Rename DBVirtualList to LDAPVirtualList

- - - - -
6707cee1 by Endi S. Dewata at 2022-08-25T13:13:16-05:00
Fix typo in CA container test

- - - - -
3606cedd by Endi S. Dewata at 2022-08-25T13:13:16-05:00
Fix javadoc warning

- - - - -
29d56060 by Endi S. Dewata at 2022-08-25T18:18:50-05:00
Remove tokendb.hostport

The tokendb.hostport parameter in TPS's CS.cfg is no longer
used so it has been removed.

- - - - -
1cba0075 by Endi S. Dewata at 2022-08-25T19:54:50-05:00
Fix pkidestroy to support NSS database without password

- - - - -
8887c409 by Endi S. Dewata at 2022-08-26T08:42:47-05:00
Reorganize test for basic CA

- - - - -
33ae1920 by Endi S. Dewata at 2022-08-26T08:42:47-05:00
Reorganize test for CA with ECC

- - - - -
68e9f719 by Endi S. Dewata at 2022-08-26T08:42:47-05:00
Reorganize test for CA with RSA/PSS

- - - - -
b3f8aaaa by Endi S. Dewata at 2022-08-26T09:28:31-05:00
Add pki-server ca-cert-find --status

The pki-server ca-cert-find has been modified to provide an
option to search certs by status. Additional options may be
added later.

- - - - -
3502f32f by Endi S. Dewata at 2022-08-26T09:58:45-05:00
Add test for CA installation with existing NSS database

A new test has been added to create a PKI server, create an
NSS database, generate the system certs in it, then create
a CA using the certs already in the NSS database. This
process allows the admin to fully control how the keys and
certs are created.

- - - - -
2657127f by Endi S. Dewata at 2022-08-26T10:01:37-05:00
Update CA container to use existing NSS database

pki-ca's Dockerfile has been updated to create a PKI server and
an NSS database just like in pki-server's Dockerfile.

The pki-ca-run has been updated to import the system certs into
the server's NSS database (or generate the certs directly in it),
then create a CA with the certs already in the database just like
in pki-server-run.

- - - - -
d63a4fe2 by Endi S. Dewata at 2022-08-26T11:53:26-05:00
Refactor user deployment config creation

The code that creates the user deployment config in subsystem
registry folder has been moved from infrastructure_layout.py to
subsystem_layout.py.

- - - - -
8e928bfd by Endi S. Dewata at 2022-08-26T14:10:31-05:00
Add properties for subsystem folders

- - - - -
6bcab460 by Endi S. Dewata at 2022-08-26T14:10:36-05:00
Refactor subsystem folders creation

The code that creates subsystem folders has been moved into
PKISubsystem.create(), create_conf_dir(), and create_log_dirs().

- - - - -
acb4b27b by Endi S. Dewata at 2022-08-26T14:10:36-05:00
Refactor subsystem folders removal

The code that removes subsystem folders has been moved into
PKISubsystem.remove(), remove_conf_dir(), and remove_log_dirs().

- - - - -
913ef087 by Endi S. Dewata at 2022-08-26T17:49:57-05:00
Move database.ldif to database/ds/config.ldif

- - - - -
447db775 by Endi S. Dewata at 2022-08-26T17:49:57-05:00
Move schema.ldif to database/ds/schema.ldif

- - - - -
a9e29517 by Endi S. Dewata at 2022-08-26T17:49:57-05:00
Move db-access-*.ldif to database/ds/db-access-*.ldif

- - - - -
b0cc3f45 by Endi S. Dewata at 2022-08-26T17:49:57-05:00
Move db.ldif to database/ds/create.ldif

- - - - -
d884dd63 by Endi S. Dewata at 2022-08-26T17:49:57-05:00
Move acl.ldif to database/ds/acl.dif

- - - - -
1a1a0270 by Endi S. Dewata at 2022-08-26T17:49:57-05:00
Move index.ldif to database/ds/index.ldif

- - - - -
4a377ee5 by Endi S. Dewata at 2022-08-26T17:49:57-05:00
Move indextasks.ldif to database/ds/indextasks.ldif

- - - - -
b17d0932 by Endi S. Dewata at 2022-08-26T17:49:57-05:00
Move vlv.ldif to database/ds/vlv.ldif

- - - - -
c26bebc7 by Endi S. Dewata at 2022-08-26T17:49:57-05:00
Move vlvtasks.ldif to database/ds/vlvtasks.ldif

- - - - -
632fb85f by Endi S. Dewata at 2022-08-29T08:34:28-05:00
Reorganize test for basic sub-CA

- - - - -
4af415c6 by Endi S. Dewata at 2022-08-29T08:34:28-05:00
Reorganize test for sub-CA with CMC

- - - - -
0e085db9 by Endi S. Dewata at 2022-08-29T08:34:28-05:00
Reorganize test for sub-CA with external cert

- - - - -
fd19666e by Rob Crittenden at 2022-08-29T10:05:41-05:00
Fix HSM installation where the token password differs from internal

In some cases only one password will be passed. Send the the one
that NSS will most likely need.

If there is a token, in general provide the token password.

If modifying certificate trust, always provide the internal password
since that is where trust is stored.

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

- - - - -
25d68dc2 by Rob Crittenden at 2022-08-29T10:05:41-05:00
Don't use JSS to add the system certificates to the NSS db

When use_uss=True the command pki nss-cert-import is called
which does not provide a password to the generated
certutil command. The end-user must provide it interatively
for the four service certificates during pki-spawn.

When use_jss=False set runas to True so that software-based
tokens (softhsm) will generate correct ownership.

Utilize the tmpdir provided by the class to remove the
try/finally block.

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

- - - - -
a115418c by Endi S. Dewata at 2022-08-29T10:17:58-05:00
Clean up test job names

- - - - -
0f04fcc1 by Endi S. Dewata at 2022-08-29T11:37:29-05:00
Add PKIDeployer.setup_database()

The code that sets up the database during installation has been
moved into PKIDeployer.setup_database().

- - - - -
df7b27b0 by Endi S. Dewata at 2022-08-30T08:30:21-05:00
Reorganize test for CA with existing certs

- - - - -
e0b953cc by Endi S. Dewata at 2022-08-30T08:30:21-05:00
Reorganize test for CA with existing NSS database

- - - - -
dc864f6a by Endi S. Dewata at 2022-08-30T08:30:21-05:00
Reorganize test for CA with shared token

- - - - -
7332dede by Endi S. Dewata at 2022-08-30T13:16:28-05:00
Add test for CA installation with existing DS

A new pki_ds_setup parameter has been added for setting up the
DS during installation (default: True).

A new test has been added to set up the DS before installing CA,
then install the CA without setting up the DS again.

- - - - -
99aabd41 by Endi S. Dewata at 2022-08-30T13:16:28-05:00
Update test for CA container to use existing DS

- - - - -
d4309640 by Endi S. Dewata at 2022-08-30T13:26:08-05:00
Clean up CA tests

- - - - -
320afd2b by Endi S. Dewata at 2022-08-30T15:30:28-05:00
Rename IDBVirtualList to DBVirtualList

- - - - -
69aced56 by Endi S. Dewata at 2022-08-30T15:34:41-05:00
Merge DBVirtualListDefaultStub into DBVirtualList

- - - - -
0eba1206 by Endi S. Dewata at 2022-08-30T15:43:25-05:00
Merge IPasswordCheck into PasswordChecker

- - - - -
6ec97894 by Endi S. Dewata at 2022-08-31T10:38:13-05:00
Reorganize test for CA with HSM

- - - - -
96d0f3e8 by Endi S. Dewata at 2022-08-31T10:38:13-05:00
Reorganize test for CA container

- - - - -
5d73f70c by Endi S. Dewata at 2022-08-31T10:38:13-05:00
Reorganize test for CA clone

- - - - -
ae28009e by Endi S. Dewata at 2022-08-31T10:38:13-05:00
Reorganize test for CA with secure DS

- - - - -
5375da8b by Endi S. Dewata at 2022-08-31T10:38:13-05:00
Reorganize test for CA clone with secure DS

- - - - -
66b441c1 by jmagne at 2022-08-31T09:47:50-07:00
Fix Bug 2122409 - pki-tomcat/kra unable to decrypt when using RSA-OAEP padding in RHEL9 with FIPS enabled (#4130)

This fix allows the "pki kra-key" cmds the ability to specify OAEP wrapping of the sesssion key before sending the request to the server.

    Ex:

    pki -d . -v -oaep -n  "PKI KRA Administrator for CA RSA" -h  test.host.com -p 19443   kra-key-archive --clientKeyID ID-1 --passphrase 1234

    This example will archive the key using oaep to wrap the session key before sending to the server. If the server / kra is configured to use oaep
    instead of pkcs1, the operation will be successful.

    There will be a similiar "-oaep" switch available fo the kra-key-retrieve cmd as well.
- - - - -
f4dece68 by Endi S. Dewata at 2022-08-31T13:51:58-05:00
Add docs for publishing config classes

- - - - -
80200a76 by Endi S. Dewata at 2022-08-31T13:52:04-05:00
Add PublishingConfig.isEnabled()

- - - - -
82615d08 by Endi S. Dewata at 2022-08-31T13:52:04-05:00
Add PublishingConfig.isCertEnabled()

- - - - -
9d7e7ab3 by Endi S. Dewata at 2022-08-31T13:52:04-05:00
Add PublishingConfig.isCRLEnabled()

- - - - -
e36cb857 by Endi S. Dewata at 2022-08-31T13:52:38-05:00
Display request IDs in hex

- - - - -
83ebbbd5 by Endi S. Dewata at 2022-08-31T16:03:34-05:00
Update log messages in CRL classes

- - - - -
3b420807 by Endi S. Dewata at 2022-08-31T16:03:34-05:00
Update log messages in publishing classes

- - - - -
c386888d by Endi S. Dewata at 2022-09-01T10:01:52-05:00
Add test for user cert publishing

A new test has been added to verify user cert publishing in CA.
When a new cert is issued, it will be added into the user entry
in LDAP. If the cert is revoked, it will be removed from the
user entry. If the cert is unrevoked, it will be restored into
the user entry.

- - - - -
fcbd231f by Endi S. Dewata at 2022-09-01T16:03:11-05:00
Fix artifacts gathering in CA container test

- - - - -
d4b3e178 by Endi S. Dewata at 2022-09-01T17:01:55-05:00
Update CA test names

- - - - -
9601b66a by Endi S. Dewata at 2022-09-02T08:33:59-05:00
Reorganize test for CA with RSNv1

- - - - -
056b518f by Endi S. Dewata at 2022-09-02T08:33:59-05:00
Reorganize test for CA with sequential serial numbers

- - - - -
b86e8cc0 by Endi S. Dewata at 2022-09-02T08:33:59-05:00
Reorganize test for CA with CA cert publishing

- - - - -
22b00c4d by Endi S. Dewata at 2022-09-02T08:33:59-05:00
Reorganize test for CA with file-based CRL publishing

- - - - -
d17308ef by Endi S. Dewata at 2022-09-02T08:33:59-05:00
Reorganize test for CA with LDAP-based CRL publishing

- - - - -
86ad5909 by Endi S. Dewata at 2022-09-02T08:33:59-05:00
Reorganize test for SCEP responder

- - - - -
b3e193aa by Endi S. Dewata at 2022-09-02T10:25:43-05:00
Use ExcludeArch on older platforms

java_arches macro is only available on newer platforms, so
the spec file has been modified to use ExcludeArch on older
platforms.

The build dependency on redhat-rpm-config has been dropped
since it is installed automatically by the build system.

- - - - -
73688671 by Endi S. Dewata at 2022-09-02T10:43:48-05:00
Update CA container to support existing database user

The CA container test has been modified to set up a database
user before starting up the CA container. The pki-ca-run has
been modified to use the existing (i.e. shared) database user.

- - - - -
e9a7cbfd by Endi S. Dewata at 2022-09-02T15:52:08-05:00
Clean up installation summary

- - - - -
65827fd9 by Endi S. Dewata at 2022-09-02T15:52:11-05:00
Clean up CA test name

- - - - -
69fa10d6 by Endi S. Dewata at 2022-09-02T15:52:11-05:00
Consolidate PKISubsystem.configure_security_domain() calls

- - - - -
568d33d7 by Endi S. Dewata at 2022-09-02T18:21:24-05:00
Add pki-server sd-create --name option

The pki-server sd-create command has been modified to provide
an option to specify the security domain name.

- - - - -
a6bd0f7e by Endi S. Dewata at 2022-09-02T21:15:06-05:00
Add PKIDeployer.setup_security_domain_manager()

The code that sets up the security domain manager has been moved
to PKIDeployer.setup_security_domain_manager().

- - - - -
14a3c475 by Endi S. Dewata at 2022-09-02T21:15:13-05:00
Add PKIDeployer.setup_security_domain()

The code that sets up the security domain has been moved into
PKIDeployer.setup_security_domain().

- - - - -
56f607d0 by Endi S. Dewata at 2022-09-06T11:37:15-05:00
Update CA container to support existing admin user

A new pki_admin_setup parameter has been added to set up the
admin user during installation (default: True).

The CA container test has been updated to set up an admin user
before creating the CA container. The pki-ca-run has been
modified to use the existing admin user.

The test has also been updated to use the existing certs already
in the client container to ensure they can be used to access the
CA container.

- - - - -
0e25678e by Chris Kelley at 2022-09-07T14:53:04+01:00
Fix TPS UI elements broken by XML -> JSON migration

The field names were erroneously changed by not adding JSON tags to
rename the fields like the original XML implementation.

Some new code was introduced that depended on the new, incorrect name,
so that is also fixed.
- - - - -
e6c34621 by Endi S. Dewata at 2022-09-07T08:59:38-05:00
Fix Azure pipeline

Due to recent changes in Azure or Fedora it's no longer possible
to run tests with the standard Fedora image.

To fix the problem, the Dockerfile has been updated to define a
new Fedora image that provides a systemd service. The Azure job
has been updated to build the image, create a container with the
image, then run the tests with it. The job has also been updated
to test creating a server, starting it up, checking the status,
shutting it down, and removing the server.

- - - - -
3c9e278b by Endi S. Dewata at 2022-09-07T09:00:09-05:00
Update CA container to skip security domain setup

A new pki_security_domain_setup parameter has been added to
set up a security domain and create a subsystem user during
installation (default: True).

The CA container has been modified to skip security domain
setup and subsystem user creation since it's not needed for
container deployments.

- - - - -
dd97eb8c by Endi S. Dewata at 2022-09-07T12:40:16-05:00
Reorganize test for basic KRA

- - - - -
714cd0a0 by Endi S. Dewata at 2022-09-07T12:40:16-05:00
Reorganize test for KRA on separate instance

- - - - -
a642ce27 by Endi S. Dewata at 2022-09-07T12:40:16-05:00
Reorganize test for KRA with external certs

- - - - -
3ddfcd7c by Endi S. Dewata at 2022-09-07T12:40:16-05:00
Reorganize test for KRA with CMC

- - - - -
7e37e5e6 by Endi S. Dewata at 2022-09-07T12:40:16-05:00
Reorganize test for KRA clone

- - - - -
98d95f1f by Endi S. Dewata at 2022-09-07T12:40:16-05:00
Reorganize test for standalone KRA

- - - - -
f7f633c6 by Endi S. Dewata at 2022-09-07T12:40:16-05:00
Reorganize test for KRA with RSNv3

- - - - -
4e5da184 by Endi S. Dewata at 2022-09-07T12:40:43-05:00
Reorganize test for ACME with certbot

- - - - -
4db17b7e by Endi S. Dewata at 2022-09-07T12:40:43-05:00
Reorganize test for ACME server switchover

- - - - -
5b02f64f by Endi S. Dewata at 2022-09-07T12:40:43-05:00
Reorganize test for ACME container

- - - - -
18859d27 by Endi S. Dewata at 2022-09-07T20:33:22-05:00
Update log messages in EnrollProfile

- - - - -
d70ef172 by Endi S. Dewata at 2022-09-07T20:33:38-05:00
Update log messages in CAEnrollProfile

- - - - -
a5f074aa by Endi S. Dewata at 2022-09-07T20:33:54-05:00
Update log messages in EnrollServlet

- - - - -
b87b9897 by Endi S. Dewata at 2022-09-07T20:34:14-05:00
Update log messages in RevocationProcessor

- - - - -
7cc33dba by Endi S. Dewata at 2022-09-07T20:34:26-05:00
Update log messages in RevocationRequestListener

- - - - -
23e0bf61 by Endi S. Dewata at 2022-09-07T20:34:35-05:00
Update log messages in PublisherProcessor

- - - - -
081f99f7 by Endi S. Dewata at 2022-09-07T20:35:06-05:00
Update log messages in LdapEnrollmentListener

- - - - -
7a31eaf5 by Endi S. Dewata at 2022-09-07T20:35:38-05:00
Update log messages in RunListeners

- - - - -
5eee267f by Endi S. Dewata at 2022-09-07T20:39:08-05:00
Update log messages in RequestNotifier

- - - - -
6f5a07c0 by Endi S. Dewata at 2022-09-07T20:39:08-05:00
Update log messages in CertRequestService

- - - - -
7b922b6b by Endi S. Dewata at 2022-09-07T20:39:08-05:00
Update log messages in AccountService

- - - - -
1c30ccbd by Endi S. Dewata at 2022-09-08T18:48:19-05:00
Update CA container to skip system certs import

A new pki_import_system_certs parameter has been added
to import externally provided system certs into the LDAP
database during installation (default: True).

The CA container has been modified to skip importing the
provided system certs into LDAP database since they are
not needed for the CA to be functional. The system certs
will still be imported into the NSS database so the CA
can use them.

The CA container test has been updated to perform cert
enrollments to verify that it is functional without the
system certs in the LDAP database.

- - - - -
122165e3 by Endi S. Dewata at 2022-09-09T10:02:59-05:00
Fix Java home directory

Previously the build.sh would convert the Java home directory
provided by pki.spec into an absolute path which would point
to a specific OpenJDK release used to build the package. This
prevented PKI from running with other OpenJDK releases.

The build.sh has been modified to use the original Java home
directory provided by pki.spec which is a generic path that
will work across multiple OpenJDK releases.

- - - - -
09a0b705 by Endi S. Dewata at 2022-09-09T10:03:17-05:00
Reorganize test for PKICertImport

- - - - -
2bff2660 by Endi S. Dewata at 2022-09-09T10:03:17-05:00
Reorganize test for PKI NSS CLI with RSA

- - - - -
7965f362 by Endi S. Dewata at 2022-09-09T10:03:17-05:00
Reorganize test for PKI NSS CLI with ECC

- - - - -
a6451f19 by Endi S. Dewata at 2022-09-09T10:03:17-05:00
Reorganize test for PKI NSS CLI with AES

- - - - -
5312ef8e by Endi S. Dewata at 2022-09-09T10:03:17-05:00
Reorganize test for PKI NSS CLI with HSM

- - - - -
ba8faa03 by Endi S. Dewata at 2022-09-09T10:03:17-05:00
Reorganize test for PKI NSS CLI with Extensions

- - - - -
ffc56d22 by Endi S. Dewata at 2022-09-09T10:03:17-05:00
Reorganize test for PKI PKCS7 CLI

- - - - -
b8d5bab3 by Endi S. Dewata at 2022-09-09T10:03:17-05:00
Reorganize test for PKI PKCS11 CLI

- - - - -
438b5507 by Endi S. Dewata at 2022-09-09T10:03:17-05:00
Reorganize test for PKI PKCS12 CLI

- - - - -
abf23d38 by Endi S. Dewata at 2022-09-09T10:03:17-05:00
Reorganize test for rpminspect

- - - - -
42baad13 by Endi S. Dewata at 2022-09-09T10:03:33-05:00
Reorganize test for basic server

- - - - -
a7c1d358 by Endi S. Dewata at 2022-09-09T10:03:33-05:00
Reorganize test for HTTPS connector with PEM files

- - - - -
43fcb04c by Endi S. Dewata at 2022-09-09T10:03:33-05:00
Reorganize test for HTTPS connector with JKS file

- - - - -
ae444b52 by Endi S. Dewata at 2022-09-09T10:03:33-05:00
Reorganize test for HTTPS connector with PKCS #12 file

- - - - -
da537d42 by Endi S. Dewata at 2022-09-09T10:03:33-05:00
Reorganize test for HTTPS connector with NSS database

- - - - -
fc2dcfbc by Endi S. Dewata at 2022-09-09T10:03:33-05:00
Reorganize test for server upgrade

- - - - -
ab199e3a by Endi S. Dewata at 2022-09-09T10:03:33-05:00
Reorganize test for server container

- - - - -
df66fa77 by Endi S. Dewata at 2022-09-09T10:03:53-05:00
Reorganize test for basic OCSP

- - - - -
f9c2bbd4 by Endi S. Dewata at 2022-09-09T10:03:53-05:00
Reorganize test for OCSP on separate instance

- - - - -
e84cc7e0 by Endi S. Dewata at 2022-09-09T10:03:53-05:00
Reorganize test for OCSP with external certs

- - - - -
3752a3fd by Endi S. Dewata at 2022-09-09T10:03:53-05:00
Reorganize test for OCSP with CMC

- - - - -
6325588a by Endi S. Dewata at 2022-09-09T10:03:53-05:00
Reorganize test for OCSP clone

- - - - -
c009ff54 by Endi S. Dewata at 2022-09-09T10:03:53-05:00
Reorganize test for OCSP with direct CRL publishing

- - - - -
490a1a30 by Endi S. Dewata at 2022-09-09T10:03:53-05:00
Reorganize test for OCSP with LDAP-based CRL publishing

- - - - -
cf43337a by Endi S. Dewata at 2022-09-09T10:04:08-05:00
Reorganize test for basic TKS

- - - - -
58b8e360 by Endi S. Dewata at 2022-09-09T10:04:08-05:00
Reorganize test for TKS on separate instance

- - - - -
001b2459 by Endi S. Dewata at 2022-09-09T10:04:08-05:00
Reorganize test for TKS with external certs

- - - - -
011f587e by Endi S. Dewata at 2022-09-09T10:04:08-05:00
Reorganize test for TKS clone

- - - - -
e2741451 by Endi S. Dewata at 2022-09-09T10:04:23-05:00
Reorganize test for basic TPS

- - - - -
77f03392 by Endi S. Dewata at 2022-09-09T10:04:23-05:00
Reorganize test for TPS on separate instance

- - - - -
74db7315 by Endi S. Dewata at 2022-09-09T10:04:23-05:00
Reorganize test for TPS with external certs

- - - - -
685631a2 by Endi S. Dewata at 2022-09-09T10:04:23-05:00
Reorganize test for TPS clone

- - - - -
8838a92f by Endi S. Dewata at 2022-09-09T10:04:48-05:00
Reorganize test for basic IPA

- - - - -
f48cc554 by Endi S. Dewata at 2022-09-09T10:04:48-05:00
Reorganize test for IPA ACME

- - - - -
5ded8075 by Endi S. Dewata at 2022-09-09T10:04:48-05:00
Reorganize test for IPA clone

- - - - -
427ae28b by Endi S. Dewata at 2022-09-12T09:11:09-05:00
Update user cert publishing test

The test for user cert publishing has been updated to create a
short-lived user cert, then verify that the expired cert will
be unpublished (i.e. removed) from the user entry in LDAP.

- - - - -
adc2a870 by Endi S. Dewata at 2022-09-12T17:24:13-05:00
Update log messages in RequestInQListener and RequestInQueueJob

- - - - -
3da98a06 by Endi S. Dewata at 2022-09-13T09:23:28-05:00
Fix request in queue notifications

Previously the RequestInQListener was not initialized during
startup so the CA did not generate email notifications when
it received certificate requests.

To fix the problem the CAEngine.startupSubsystems() has been
updated to call initRequestInQueueListener() properly.

- - - - -
37a81ad4 by Endi S. Dewata at 2022-09-13T09:23:28-05:00
Update RequestInQListener to use hex request ID

The RequestInQListener has been modified to generate email
notifications with hexadecimal request IDs.

- - - - -
71453bd0 by Endi S. Dewata at 2022-09-13T09:23:28-05:00
Add test for CA with request notification

A new test has been added to verify the request in queue
notifications.

- - - - -
61e9b217 by Endi S. Dewata at 2022-09-13T13:25:07-05:00
Update Job.init() to take JobsScheduler param

- - - - -
0741c2be by Endi S. Dewata at 2022-09-13T13:25:07-05:00
Add JobsSchedulerConfig

The JobsSchedulerConfig has been added to encapsulate
jobsScheduler.* params in CS.cfg.

- - - - -
04ca623c by Endi S. Dewata at 2022-09-13T13:25:07-05:00
Add JobPluginsConfig

The JobPluginsConfig has been added to encapsulate
jobsScheduler.impl.* params in CS.cfg.

- - - - -
bd747633 by Endi S. Dewata at 2022-09-13T13:25:07-05:00
Add JobsConfig

The JobsConfig has been added to encapsulate jobsScheduler.job.*
params in CS.cfg.

- - - - -
c8dbd6e7 by Endi S. Dewata at 2022-09-13T14:14:04-05:00
Refactor ConfigStore.makeSubStore()

Similar to ConfigStore.getSubStore(), the makeSubStore() has
been updated to allow the caller to specify the class name of
the sub-store to be created.

- - - - -
b6c1ef80 by Endi S. Dewata at 2022-09-13T14:19:26-05:00
Add JobConfig

The JobConfig has been added to encapsulate
jobsScheduler.job.<id>.* params in CS.cfg.

- - - - -
66d3284f by Endi S. Dewata at 2022-09-13T14:22:09-05:00
Add JobsConfig.createJobConfig()

The JobsConfig.createJobConfig() has been added to create
jobsScheduler.job.<id>.* params in CS.cfg.

- - - - -
67bd4618 by Endi S. Dewata at 2022-09-13T14:32:17-05:00
Add JobsConfig.removeJobConfig()

The JobsConfig.removeJobConfig() has been added to remove
jobsScheduler.job.<id>.* params in CS.cfg.

- - - - -
5c1b03cc by Endi S. Dewata at 2022-09-14T12:53:16-05:00
Add JobConfig.isEnabled()

The JobConfig.isEnabled() has been added to encapsulate
jobsScheduler.job.<id>.enabled param in CS.cfg.

- - - - -
982b4998 by Endi S. Dewata at 2022-09-14T12:53:20-05:00
Add JobConfig.getPluginName() and setPluginName()

The JobConfig.getPluginName() and setPluginName() have been
added to encapsulate jobsScheduler.job.<id>.pluginName in
CS.cfg.

- - - - -
0ed3c4f8 by Endi S. Dewata at 2022-09-14T12:53:20-05:00
Add JobConfig.getCron()

The JobConfig.getCron() has been added to encapsulate
jobsScheduler.job.<id>.cron param in CS.cfg.

- - - - -
2455c56e by Endi S. Dewata at 2022-09-14T13:46:35-05:00
Clean up acl.properties

- - - - -
489cf5ac by Endi S. Dewata at 2022-09-14T14:58:24-05:00
Remove unused subsystem ROOT webapps

- - - - -
994c6452 by Endi S. Dewata at 2022-09-14T17:31:57-05:00
Remove redundant code in Job classes

- - - - -
aab7be72 by Endi S. Dewata at 2022-09-14T17:32:25-05:00
Update log messages in Job classes

- - - - -
b5a3fc6f by Rob Crittenden at 2022-09-15T09:25:11-05:00
Provide the token password when appropriate in nss-key-find

Only the internal password or password configuration would
be provided. If a token is provided then generate a temporary
file containing and pass that in with -C to the pki command.

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

- - - - -
5cf58b55 by Endi S. Dewata at 2022-09-15T11:01:06-05:00
Enable role-based security for REST API

Generally the access to the REST API is controlled by the
legacy ACL defined in acl.ldif which is imported into the
LDAP database during installation. Since there is no
automatic database upgrade mechanism, it's not easy to
update the ACL in existing instances.

To avoid the issue, the web.xml files have been modified
to enable role-based security for REST API. This way the
ACL for new REST API can be defined using the standard
security annotations such as @RolesAllowed. The legacy ACL
will continue to work, but in the future they might be
migrated into role-based security as well.

- - - - -
aaa934f9 by Endi S. Dewata at 2022-09-15T11:01:06-05:00
Allow manual job execution

The Job classes have been modified to continue with the
initialization even if the cron param is not available.
This means that the job will not be scheduled and will
need to be run manually.

- - - - -
74762018 by Endi S. Dewata at 2022-09-15T11:01:06-05:00
Add pki <subsystem>-job-start

A new pki <subsystem>-job-start command has been added to run
a job manually in the background. This command is needed in a
to ensure that the job will only run once in the whole cluster.

This command will be handled by JobService.startJob(). This API
can only be invoked by the admin user.

The code in JobsScheduler.run() that creates a thread to run
the job has been moved into startJob() such that it can be
reused by JobService.startJob().

- - - - -
b844cb0c by Endi S. Dewata at 2022-09-15T11:01:06-05:00
Update test for user cert publishing

The test for user cert publishing has been updated to test
both automatic and manual unpublishing jobs. With automatic
job, the cert will be unpublished automatically after one
minute. With manual job, the cert will not be unpublished
unless the job is executed manually.

- - - - -
16ed23c3 by Endi S. Dewata at 2022-09-15T11:21:19-05:00
Fix pki pkcs12-key-del to show hex key ID

- - - - -
0c4427e2 by Endi S. Dewata at 2022-09-16T09:37:14-05:00
Replace pki-start-wait.sh with curl --retry

The pki-start-wait.sh has been replaced with curl --retry
to reduce the number of scripts to maintain.

- - - - -
9f3d4000 by Endi S. Dewata at 2022-09-16T09:54:02-05:00
Refactor CRLIssuingPoint.processRevokedCerts()

The code in CRLIssuingPoint.processRevokedCerts() that locks
CAEngine.certStatusUpdateTask object has been converted into
a synchronized method in CertStatusUpdateTask class.

- - - - -
6ab728f0 by Endi S. Dewata at 2022-09-16T10:00:03-05:00
Merge ICMSCRLExtensions into CMSCRLExtensions

- - - - -
6353e651 by Endi S. Dewata at 2022-09-16T10:07:55-05:00
Convert ICMSCRLExtension into CMSCRLExtension

- - - - -
fbcb79ed by Endi S. Dewata at 2022-09-16T10:28:03-05:00
Add LDAPAuthenticationConfig.getAuthType()

The LDAPAuthenticationConfig.getAuthType() has been added
to encapsulate <LDAP>.ldapauth.authtype param in CS.cfg.

- - - - -
57df8fbc by Endi S. Dewata at 2022-09-16T10:33:19-05:00
Add LDAPAuthenticationConfig.getClientCertNickname()

The LDAPAuthenticationConfig.getClientCertNickname() has been
added to encapsulate <LDAP>.ldapauth.clientCertNickname param
in CS.cfg.

- - - - -
cd19cee2 by Endi S. Dewata at 2022-09-16T10:33:23-05:00
Add LDAPAuthenticationConfig.getBindDN()

The LDAPAuthenticationConfig.getBindDN() has been added to
encapsulate <LDAP>.ldapauth.bindDN param in CS.cfg.

- - - - -
6144e533 by Endi S. Dewata at 2022-09-16T10:34:42-05:00
Add LDAPAuthenticationConfig.getBindPassword()

The LDAPAuthenticationConfig.getBindPassword() has been added
to encapsulate <LDAP>.ldapauth.bindPassword param in CS.cfg.

- - - - -
9572a362 by Endi S. Dewata at 2022-09-16T10:36:57-05:00
Add LDAPAuthenticationConfig.getBindPasswordPrompt()

The LDAPAuthenticationConfig.getBindPasswordPrompt() has been
added to encapsulate <LDAP>.ldapauth.bindPWPrompt param in
CS.cfg.

- - - - -
a1e69fbe by Endi S. Dewata at 2022-09-16T11:38:37-05:00
Replace PublisherAdminServlet.mAuth with publishingConfig

- - - - -
abe87588 by Endi S. Dewata at 2022-09-16T12:15:54-05:00
Add LoggingConfig

The LoggingConfig has been added to encapsulate log.* params
in CS.cfg.

- - - - -
04ff72bb by Endi S. Dewata at 2022-09-16T14:12:52-05:00
Add LoggerPluginsConfig

The LoggerPluginsConfig has been added to encapsulate
log.impl.* params in CS.cfg.

- - - - -
bf0c14b8 by Endi S. Dewata at 2022-09-16T14:18:52-05:00
Add LoggersConfig

The LoggersConfig has been added to encapsulate log.instance.*
params in CS.cfg.

- - - - -
917e6f2f by Endi S. Dewata at 2022-09-16T14:18:55-05:00
Add LoggerConfig

The LoggerConfig has been added to encapsulate
log.instance.<id>.* params in CS.cfg.

- - - - -
37522f9d by Endi S. Dewata at 2022-09-16T16:19:41-05:00
Merge ILogSubsystem into LogSubsystem

- - - - -
26337de1 by Endi S. Dewata at 2022-09-16T16:19:54-05:00
Rename LogFactory to LogEventFactory

- - - - -
9964588e by Endi S. Dewata at 2022-09-16T16:20:40-05:00
Merge ILogEventFactory into LogEventFactory

- - - - -
be323fcb by Endi S. Dewata at 2022-09-16T16:25:14-05:00
Convert ILogEventListener into LogEventListener

- - - - -
004862b1 by Endi S. Dewata at 2022-09-16T16:28:01-05:00
Merge ILogEvent to LogEvent

- - - - -
c0e6ea46 by Endi S. Dewata at 2022-09-16T17:05:43-05:00
Move Logger.mLogger to CMSEngine.mainLogger

- - - - -
19ed4950 by Endi S. Dewata at 2022-09-16T17:19:39-05:00
Move LogQueue.mLogQueue to CMSEngine.logQueue

- - - - -
47136a4c by Endi S. Dewata at 2022-09-19T10:12:43-05:00
Add single-stage CA Dockerfile

A new single-stage Dockerfile has been added for CA such that the
container can be built automatically in Quay.io. This is similar
to the single-stage Dockerfile for ACME in base/acme folder.

- - - - -
4ae3da51 by Endi S. Dewata at 2022-09-19T14:39:52-05:00
Rename CRLIssuingPointExtensionsConfig to CRLExtensionsConfig

- - - - -
2afb41ed by Endi S. Dewata at 2022-09-19T15:38:55-05:00
Add CRLExtensionConfig

The CRLExtensionConfig has been added to encapsulate CRL
extension config params in CS.cfg.

- - - - -
a1db634e by Endi S. Dewata at 2022-09-20T09:16:03-05:00
Add test for CA CRL database

A new test has been added to verify that the CRL database
in CA contains the correct CRL initially, after revocation,
and after unrevocation.

- - - - -
a3a73944 by Endi S. Dewata at 2022-09-21T10:30:10-05:00
Add pki-server <subsystem>-redeploy

The pki-server <subsystem>-redeploy command has been added to
undeploy then redeploy a subsystem.

The tests have been updated to use the new command.

- - - - -
c910b3ad by Endi S. Dewata at 2022-09-21T15:12:35-05:00
Clean up Dockerfiles

- - - - -
6828f492 by Endi S. Dewata at 2022-09-22T09:43:54-05:00
Rename container image tarballs

In the future the CI workflows might be merged so they can
reuse the same build to reduce redundancies. To prepare for
that, the image tarballs have been renamed to match the
actual image names so that they will be consistent across
different tests.

For now the cache keys will remain unique for each workflow
so that they will not conflict with other workflows. When
the workflows are merged in the future, they will need to
be renamed as well.

- - - - -
9de0b7ca by Chris Kelley at 2022-09-22T23:10:14+01:00
Remove pcre dependency

pcre is going to be dropped in Fedora, but we no longer need it

- - - - -
442f0b17 by Endi S. Dewata at 2022-09-22T20:09:25-05:00
Replace preop.subsystem.name with pki_subsystem_name

- - - - -
0c9fa354 by Endi S. Dewata at 2022-09-22T20:09:25-05:00
Remove unused preop params

- - - - -
ec871cc8 by Marco Fargetta at 2022-09-23T09:44:44+02:00
Move the realm developed for ACME to the server package (#4161)

ACME subsystem contains a set of realm working with the ProxyRealm and
allowing to configure different authentication models.
These realm are moved outside of ACME package so they can be used by
other subsystems (e.g. EST).
Additionally, these realm have been updated to extend the tomcat
RealmBase so they do not need to be wrapped to be used with the
ProxyRealm.

However, the configuration model is different from the container managed
realm so, at the moment, they cannot replace the tomcat realm to use at
container level.
- - - - -
9296222e by Endi S. Dewata at 2022-09-23T09:32:35-05:00
Fix RPM build warnings due to absolute symlinks

- - - - -
15aa3c89 by Endi S. Dewata at 2022-09-23T09:36:46-05:00
Add pki-builder image

The pki-builder image has been added to build the RPM packages.
The pki-runner image has been modified to use the RPM packages
built by pki-builder.

The CI workflows have been modified to no longer build the RPM
packages directly since it will be built automatically when
the pki-runner is built.

The rpminspect test has been modified to run the test inside
pki-builder container since it already contains the RPM packages
and the test scripts.

The .dockerignore has been added to prevent container image
tarballs from being included in subsequent builds.

- - - - -
ee0dbd9a by Marco Fargetta at 2022-09-23T16:39:52+02:00
Add roles configuration option to PKIInMemoryRealm (#4167)

Some subsystem could require a specific role in order to work.
Therefore, the in memory realm, which is mainly used for test, should
allow to configure the user and the role.
- - - - -
c02fe8c9 by Endi S. Dewata at 2022-09-23T12:20:45-05:00
Move CMSEngine.logQueue to LogQueue

The LogQueue singleton has been moved from CMSEngine to LogQueue
to remove dependency on CMSEngine.

- - - - -
93e296a3 by Endi S. Dewata at 2022-09-23T12:20:54-05:00
Rename ServerConfiguration to ServerConfig

- - - - -
083d81e9 by Endi S. Dewata at 2022-09-23T12:20:54-05:00
Replace pkicreate.secure_port with ServerConfig.get_secure_port()

- - - - -
26c758e3 by Endi S. Dewata at 2022-09-23T12:20:54-05:00
Move @RolesAllowed from JobService to JobResource

The @RolesAllowed has been moved from JobService into
JobResource so that it will work properly.

- - - - -
100d334d by Endi S. Dewata at 2022-09-23T13:32:27-05:00
Fix sonarcloud-pull.yml

- - - - -
17462514 by Endi S. Dewata at 2022-09-23T14:32:12-05:00
Fix sonarcloud-pull.yml (part 2)

The sonarcloud-pull.yml was broken due to recent changes.

- - - - -
83782555 by Endi S. Dewata at 2022-09-23T19:43:13-05:00
Move CMSEngine.mainLogger to SelfTestSubsystem

- - - - -
72d08b71 by Endi S. Dewata at 2022-09-23T20:13:55-05:00
Move serviceUnCert4Crl into separate file

- - - - -
fda429f3 by Endi S. Dewata at 2022-09-23T20:15:40-05:00
Move serviceCert4Crl into separate file

- - - - -
329a1e23 by Endi S. Dewata at 2022-09-23T20:17:11-05:00
Move serviceGetCertificates into separate file

- - - - -
58890494 by Endi S. Dewata at 2022-09-23T20:18:30-05:00
Move serviceGetRevocationInfo into separate file

- - - - -
feabd953 by Endi S. Dewata at 2022-09-23T20:20:19-05:00
Move serviceGetCRL into separate file

- - - - -
da7a3a0d by Endi S. Dewata at 2022-09-23T20:21:53-05:00
Move serviceGetCAChain into separate file

- - - - -
74e1d49c by Endi S. Dewata at 2022-09-23T20:23:37-05:00
Move serviceUnrevoke into separate file

- - - - -
1fab9dfe by Endi S. Dewata at 2022-09-23T20:24:53-05:00
Move serviceRevoke into separate file

- - - - -
163378d0 by Endi S. Dewata at 2022-09-23T20:26:16-05:00
Move serviceCheckChallenge into separate file

- - - - -
483db694 by Endi S. Dewata at 2022-09-23T20:27:55-05:00
Move getCertStatus into separate file

- - - - -
5ce9e47f by Endi S. Dewata at 2022-09-23T20:28:58-05:00
Move getCertsForChallenge into separate file

- - - - -
d5462448 by Endi S. Dewata at 2022-09-23T20:30:39-05:00
Move serviceRenewal into separate file

- - - - -
8810c36c by Endi S. Dewata at 2022-09-23T20:33:15-05:00
Move serviceIssue into separate file

- - - - -
5720dfed by Endi S. Dewata at 2022-09-23T20:35:07-05:00
Move IServant into separate file

- - - - -
a5a96795 by Endi S. Dewata at 2022-09-26T09:14:50-05:00
Move ipa-runner image into main Dockerfile

The ipa-runner image has been moved into the main Dockerfile
so that it can be built on top of pki-runner image. The IPA
tests have been modified to use the main Dockerfile.

- - - - -
d537f575 by Endi S. Dewata at 2022-09-26T09:17:23-05:00
Remove unused pkicreate, pkiremove, os params

The pkicreate.*, pkiremove.*, and os.* params are no longer
used so they have been removed. The upgrade script has been
updated to remove these params from existing instances.

- - - - -
8d82302e by Endi S. Dewata at 2022-09-26T11:28:16-05:00
Add pki <subsystem>-job-find

The pki <subsystem>-job-find command has been added to display
the jobs in a subsystem.

- - - - -
33fa359a by Endi S. Dewata at 2022-09-26T11:37:48-05:00
Add ConnectorsConfig

The ConnectorsConfig has been added to encapsulate
<subsystem>.connector.* params in CS.cfg.

- - - - -
73a04b89 by Endi S. Dewata at 2022-09-26T11:37:48-05:00
Add ConnectorConfig

The ConnectorConfig has been added to encapsulate
<subsystem>.connector.<id>.* params in CS.cfg.

- - - - -
a083b937 by Endi S. Dewata at 2022-09-27T19:43:23-05:00
Refactor ConfigStore.getSubStoreNames()

The ConfigStore.getSubStoreNames() has been modified to return
Vector instead of Enumeration.

- - - - -
412c64ba by Endi S. Dewata at 2022-09-27T19:43:25-05:00
Rename JobService.createJobData() to createJobInfo()

- - - - -
26907923 by Endi S. Dewata at 2022-09-27T19:44:14-05:00
Update JobsConfig.getJobConfig()

The JobsConfig.getJobConfig() has been updated to return null
if the job does not exist.

- - - - -
8378c5ed by Marco Fargetta at 2022-09-28T10:57:09+02:00
Limit the group membership add to existing users (#4171)

Fix the bug https://bugzilla.redhat.com/show_bug.cgi?id=2070335
- - - - -
9b2fd7a6 by Endi S. Dewata at 2022-09-28T09:42:12-05:00
Add pki-deps image

PKI build and runtime dependencies share a number of RPM
packages, but previously they had to be installed twice,
once in pki-builder image and once in pki-runner image.

A new pki-deps image has been added to provide the runtime
dependencies which can be reused by both pki-builder and
pki-runner. This will eliminate duplicate installation of
about 290 packages.

- - - - -
28010851 by Endi S. Dewata at 2022-09-28T09:43:39-05:00
Add pki <subsystem>-job-show

The pki <subsystem>-job-show command has been added to show
job details.

- - - - -
2c6c372f by Endi S. Dewata at 2022-10-04T19:40:12-05:00
Add ProfileInputsConfig

The ProfileInputsConfig has been added to encapsulate profile
inputs configuration.

- - - - -
e77398ca by Endi S. Dewata at 2022-10-04T19:44:18-05:00
Add ProfileInputConfig

The ProfileInputConfig has been added to encapsulate profile
input configuration.

- - - - -
870a82f3 by Endi S. Dewata at 2022-10-04T19:44:18-05:00
Add ProfileOutputsConfig

The ProfileOutputsConfig has been added to encapsulate profile
outputs configuration.

- - - - -
1aed9d68 by Endi S. Dewata at 2022-10-04T19:44:18-05:00
Add ProfileOutputConfig

The ProfileOutputConfig has been added to encapsulate profile
output configuration.

- - - - -
d539e23e by Endi S. Dewata at 2022-10-05T09:59:20-05:00
Update CRL test

The CRL test has been modified to enroll a cert, revoke it,
then wait until it expires. The cert should be removed
automatically from the CRL in the next CRL update.

- - - - -
043515bd by Endi S. Dewata at 2022-10-05T11:46:09-05:00
Remove unused system and transaction logs

The system log and transaction log had largely not been
used and mostly had been replaced with debug log and signed
audit log except in SelfTestSubsystem. The SelfTestSubsystem
was still using the transaction log as the default log in
case the selftest log was not enabled, and it's also used to
log failures in selftest logging in case it was enabled.

This code has now been updated to use the debug log instead.
The config params for the system and transaction logs in
CS.cfg have now been removed. The upgrade script has been
updated to remove these params from existing instances.

- - - - -
8f0fb16f by Endi S. Dewata at 2022-10-06T17:51:56-05:00
Add cache for pki-deps image

The CI build jobs have been modified to build pki-deps image
then store it in GH cache. In the next CI execution the image
will be loaded from the cache, so it could shorten the build
time by about 3 minutes. The cache will be invalidated if the
pki.spec (which defines the dependencies) is modified.

- - - - -
ed12f80d by Chris Kelley at 2022-10-24T13:49:46+01:00
Update to non-deprecated versions of CI build actions.

Support for node12 will be removed in mid-2023, so futureproof now.
- - - - -
dcebdc0e by Fraser Tweedale at 2022-10-24T10:56:49-05:00
ProxyRealm: setContainer() on RealmBase instances

Instances of RealmBase fail to initialise if the Container has not
been set.  It is hard (impossible?) to get the Container from the
servlet context.  But ProxyRealm instances have the Container set
(if it was initialised by Tomcat itself).

Update ProxyRealm to propagate the Container to proxied RealmBase
instances during registerRealm().

As a result, it is now possible to use "native" RealmBase instances
(e.g. MemoryRealm) with ProxyRealm, as long as they are registered
into the ProxyRealm prior to invoking their init() method.

Part of: https://github.com/dogtagpki/pki/issues/3297

- - - - -
3db1650c by Chris Kelley at 2022-10-25T07:23:52+01:00
Update to non-deprecated versions of CI build actions.

Support for node12 will be removed in mid-2023, so futureproof now.

- - - - -
0bb91ede by Chris Kelley at 2022-10-25T07:23:52+01:00
Replace deprecated set-output with new $GITHUB_OUPUT variable.

https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/

- - - - -
712e1b28 by Endi S. Dewata at 2022-10-25T08:40:44-05:00
Update CRMFPopClient to display hex request ID

- - - - -
021457f5 by Endi S. Dewata at 2022-10-25T08:41:13-05:00
Merge common code into Job.init()

- - - - -
68de75c8 by Matthew Davis at 2022-10-25T15:08:18-05:00
Ticket 1496 Fixed imports of missing certs

Within the import_pkcs7 routine it is possible to attempt to
import a certificate when one does not exist.

This patch only attempts to add certificates when there are
certificates in the pkcs7 source file.

- - - - -
a2c59cbd by Matthew Davis at 2022-10-25T15:08:18-05:00
Corrected typo in a comment.

- - - - -
3a79ffd8 by Rob Crittenden at 2022-10-25T15:12:30-05:00
Provide all passwords to certutil when modifying certificate trust

The certutil -f option supports a password file in the form of
token:password.

It will seek out the correct password for a token when a login
is required. This works in conjunction with
https://bugzilla.mozilla.org/show_bug.cgi?id=1782980 so
trust can be added to a certificate that is only visible on a
token.

Certificate trust is stored in the softokn and not in a PKCS#11
token so both passwords may be necessary when modifying/adding trust.
One to find the certificate on the token and the other to write to
the NSS database.

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

- - - - -
a4c2f89b by Rob Crittenden at 2022-10-25T15:12:30-05:00
Add token to the NSS nickname when modifying certificate trust

The certificate may only be visible to to the token when standing
up a clone. In order for the trust to be set certutil must be
able to read it. Even though trust is stored in the softokn being
able to see that the certificate exists is enough to proceed.

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

- - - - -
40e5b51c by Endi S. Dewata at 2022-10-26T10:52:05-05:00
Add job owner

The jobs have been modified to support an optional owner. An
owner can only access the jobs they own, while an admin can
access all jobs.

The JobResource has been modified to no longer use @RolesAllowed.
Instead, the JobService has been modified to validate the
authorization inside the method implementation.

- - - - -
e8b90506 by Endi S. Dewata at 2022-10-26T12:33:01-05:00
Update test-cert-key-archival.sh

The test-cert-key-archival.sh has been updated to check the
key request.

- - - - -
1c8d2ff2 by Marco Fargetta at 2022-10-27T12:26:50+02:00
PKI system with DS down (#4180)

* Allow minConns 0

When this value is set to 0 the connection pool is not used but
connetion are created and deleted on each request.

* Make the AuthotiryMonitor optional

* Modify the option name

enableAuthorityMonitor -> authorityMonitor.enable
- - - - -
6bc32dcd by Endi S. Dewata at 2022-10-27T07:54:28-05:00
Add pki-builder-deps

A new pki-builder-deps image has been added to store the
build dependencies. This image will be stored in GH cache
which can shorten the build time by about 2 minutes.

The cache ID, key, and path have been updated since now
the cache contains multiple images.

- - - - -
5b2f15d5 by Chris Kelley at 2022-10-27T14:14:07+01:00
Introduce new scripts to automate the build process

A new script update_version.sh is introduced, to start to reduce some
of the manual burden of building packages. Usage is as:

./update_version.sh <major> <minor> <update> <phase>

...where phase is optional.

In this first iteration, it does the following:

* Updates the spec version to the new version provided
* Commits that change
* Creates a tag based on the new version provided
* Creates a source tarball based on the new version provided

A companion script is also included to revert the version update, if
required.

- - - - -
53d87155 by Endi S. Dewata at 2022-10-27T12:21:31-05:00
Update pki ca-cert-request and kra-key-request

The CertRequestInfoFactory and KeyRequestDAO have been modified
to return the request creation and modification time attributes
to the client. The pki ca-cert-request and pki kra-key-request
commands have been updated to display these attributes.

- - - - -
5035542c by Endi S. Dewata at 2022-10-27T14:56:48-05:00
Update log messages in DateMapper

- - - - -
6916629c by Endi S. Dewata at 2022-10-27T14:56:50-05:00
Update log messages in LDAPSession

- - - - -
c23a259e by Endi S. Dewata at 2022-10-27T14:56:50-05:00
Update CertificateRepository.updateStatus() to take CertId

- - - - -
c612801c by Christina Fu at 2022-10-27T17:35:36-07:00
Bug2131010-dropping-DHE-ciphersuites

This patch drops the DHE ciphers not working with TLS connections.

fixes https://bugzilla.redhat.com/show_bug.cgi?id=2131010

- - - - -
e742e6d7 by Endi S. Dewata at 2022-10-28T08:02:41-05:00
Update REST API path for JobResource.startJob()

The REST API path for JobResource.startJob() has been moved
to /ca/rest/jobs/{id}/start to allow additional operations
(e.g. stop) to be added in the future.

- - - - -
51bb76ef by Endi S. Dewata at 2022-10-28T09:24:15-05:00
Add IDGenerator enum

A new enum has been added to define supported ID generators.

- - - - -
95210209 by Endi S. Dewata at 2022-10-28T13:12:55-05:00
Consolidate CI initialization jobs

- - - - -
7e05fa4a by Rob Crittenden at 2022-10-28T14:53:32-05:00
Generate a CSR in the owned temp directory and move to final location

The key generation needs to be done as pkiuser so generated key
permissions are correct. The final destination of the CSR may be
owned and managed by root. So execute the keygen as the pkiuser
in the NSSDatabase tmp directory and move to the final destination
when complete.

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

- - - - -
67872a70 by Rob Crittenden at 2022-10-28T14:53:32-05:00
Pass in user/group when calling keygen so permissions are correct

Since pkispawn runs as root this ensures that any key generation
operations are run as the target user/group, if any, such that
permissions don't need to be changed afterward.

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

- - - - -
ac3c6a98 by Endi S. Dewata at 2022-10-28T15:18:30-05:00
Use try-with-resource in FlatFileAuth

- - - - -
f31b8655 by Endi S. Dewata at 2022-10-28T17:16:21-05:00
Use try-with-resource in CRSEnrollment

- - - - -
03f03354 by Endi S. Dewata at 2022-10-31T09:06:28-05:00
Split SubsystemRangeCLI

The SubsystemRangeCLI has been split into CARangeCLI
and KRARangeCLI.

- - - - -
52c473ed by Endi S. Dewata at 2022-10-31T12:11:09-05:00
Add constants for default ID generators

- - - - -
47156f52 by Endi S. Dewata at 2022-10-31T12:16:08-05:00
Refactor SubsystemRangeUpdateCLI

The code in SubsystemRangeUpdateCLI that updates the serial
number and request ranges has been moved into separate methods.

- - - - -
dbf57170 by Endi S. Dewata at 2022-10-31T15:57:05-05:00
Add AuthzManagerConfig.getPluginName() and getRealmName()

The AuthzManagerConfig.getPluginName() and getRealmName() methods
have been added to encapsulate authz.instance.<name>.pluginName
and realm parameters.

- - - - -
19ba901b by Endi S. Dewata at 2022-10-31T16:03:58-05:00
Update log messages in CRLIssuingPoint

- - - - -
f50d3dbd by Endi S. Dewata at 2022-10-31T16:04:33-05:00
Update log messages in CRLRepository

- - - - -
b4626330 by Endi S. Dewata at 2022-10-31T16:05:15-05:00
Update log messages in CertRecordProcessor

- - - - -
ed4e702e by Endi S. Dewata at 2022-11-01T08:40:52-05:00
Update pki-server ca-profile-import

The pki-server ca-profile-import has been updated to create
an LDAP connection only if the CA is configured to use an
LDAPProfileSubsystem (e.g. in IPA environment). Normally the
CA is configured to use a file-based ProfileSubsystem so an
LDAP connection is not needed by default.

- - - - -
24e44aee by Endi S. Dewata at 2022-11-01T08:58:03-05:00
Add ProfilePoliciesConfig

The ProfilePoliciesConfig has been added to encapsulate
profile policies configuration.

- - - - -
746c43f0 by Endi S. Dewata at 2022-11-01T10:13:14-05:00
Add RequestRepository.removeRequest()

The RequestRepository.removeRequest() has been added to remove
a request record from the repository.

- - - - -
c1a1d846 by Endi S. Dewata at 2022-11-01T16:23:12-05:00
Remove unused COPR_REPO variables

- - - - -
8e7a6d8f by Endi S. Dewata at 2022-11-01T18:26:25-05:00
Fix ds-container-create.sh

The ds-container-create.sh has been modified not to publish
the DS ports to avoid conflicts with other containers.

- - - - -
cff43fed by Endi S. Dewata at 2022-11-01T20:59:51-05:00
Fix database image variables

- - - - -
8cdd794a by Endi S. Dewata at 2022-11-09T21:38:47-06:00
Split SubsystemRangeUpdateCLI

The SubsystemRangeUpdateCLI has been split into CARangeUpdateCLI
and KRARangeUpdateCLI to avoid unnecessarily updating ID ranges
if the server is configured with RSNv3.

The CARangeUpdateCLI.updateSerialNumberRange() will update the
cert ID range only if the CA is configured with a legacy cert ID
generator.

The KRARangeUpdateCLI.updateSerialNumberRange() will update the
key ID range only if the KRA is configured with a legacy key ID
generator.

The SubsystemRangeUpdateCLI.updateRequestNumberRange() will
update the cert/key request ID range only if the CA/KRA is
configured with a legacy request ID generator.

- - - - -
9e9b3033 by Endi S. Dewata at 2022-11-09T22:24:09-06:00
Add CA database pruning

A new job has been added to prune expired certs and incomplete
requests from CA database. A new test has been added to validate
the functionality.

- - - - -
c73247a1 by Endi S. Dewata at 2022-11-11T12:15:47-06:00
Use try-with-resource in NSCCommentExt

- - - - -
d997574d by Endi S. Dewata at 2022-11-11T12:15:47-06:00
Use try-with-resource in NuxwdogPasswordStore

- - - - -
30abd05d by Endi S. Dewata at 2022-11-11T12:15:47-06:00
Use try-with-resource in NSSExtensionGenerator

- - - - -
f25de59c by Endi S. Dewata at 2022-11-11T12:15:47-06:00
Use try-with-resource in GeneratePKIArchiveOptions

- - - - -
a32ca0b4 by Endi S. Dewata at 2022-11-11T12:15:47-06:00
Use try-with-resource in CMSFile

- - - - -
67cab6c5 by Endi S. Dewata at 2022-11-11T12:15:47-06:00
Use try-with-resource in CMSTemplate

- - - - -
8348fb68 by Endi S. Dewata at 2022-11-11T12:15:47-06:00
Use try-with-resource in AuthorityKeyExportCLI

- - - - -
1d2410da by Endi S. Dewata at 2022-11-14T11:03:29-06:00
Add search constraints for CA database pruning

New parameters have been added to specify the size and time
constraints for search operations executed during CA database
pruning.

- - - - -
062eb0c6 by Endi S. Dewata at 2022-11-14T11:04:18-06:00
Add test for installing KRA with HSM

A new test has been added to verify KRA installation with HSM.
In this case KRA system certs and keys will be created in HSM
except for the subsystem and SSL server certs which are already
created during CA installation. The KRA system certs will also
exist in the internal token but without the keys. Certs that
have a key in the same token can be identified by the "u" trust
flags.

- - - - -
f2223307 by Endi S. Dewata at 2022-11-16T08:53:29-06:00
Fix pylint failures on F37

/usr/share/pki/tests/pylintrc:1:0: E0015: Unrecognized option
found: files-output, bad-functions, max-branchs (unrecognized-option)

/usr/lib/python3.11/site-packages/pki/server/deployment/pkiparser.py:278:36:
W1512: Using deprecated class SafeConfigParser of module configparser (deprecated-class)

/usr/lib/python3.11/site-packages/pki/server/deployment/pkiparser.py:295:36:
W1512: Using deprecated class SafeConfigParser of module configparser (deprecated-class)

- - - - -
de013947 by Endi S. Dewata at 2022-11-16T10:32:07-06:00
Update ACME test to validate database

The ACME test has been updated to validate the content
of CA and ACME databases after various operations.

- - - - -
9b3cea9a by Endi S. Dewata at 2022-11-16T10:58:24-06:00
Fix Azure pipeline failures on F37

The Azure pipelines have been updated to use the proper
library path for the current Python version.

- - - - -
3d7864d7 by Endi S. Dewata at 2022-11-16T11:24:56-06:00
Add test for installing OCSP with HSM

A new test has been added to verify OCSP installation with HSM.
In this case OCSP system certs and keys will be created in HSM
except for the subsystem and SSL server certs which are already
created during CA installation. The OCSP system certs will also
exist in the internal token but without the keys. Certs that
have a key in the same token can be identified by the "u" trust
flags.

- - - - -
76a5b230 by Rob Crittenden at 2022-11-16T16:12:56-06:00
Test whether a PKCS#11 has already been added during deployment

Check whether the HSM shared library has already been added
rather than always attempting to add it. Adding one that
is already configured will fail.

This helps the IPA case where pki_hsm_libfile may be configured
in [DEFAULT] and the deployment failing because adding the module
in the second deployed service fails because it has already
been added.

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

- - - - -
d3e2987c by Marco Fargetta at 2022-11-17T09:39:48+01:00
Disable not usable profiles (#4230)


- - - - -
38128046 by Chris Kelley at 2022-11-17T11:15:05+00:00
Prevent banner from being displayed during spawn of KRA/OCSP

Invoking pki commands using --ignore-banner was used to allow automated
deployment, but there were some places where it was not done.

- - - - -
781ccd94 by Endi S. Dewata at 2022-11-17T05:58:22-06:00
Add test for installing TKS with HSM

A new test has been added to verify TKS installation with HSM.
In this case TKS system certs and keys will be created in HSM
except for the subsystem and SSL server certs which are already
created during CA installation. The TKS system certs will also
exist in the internal token but without the keys. Certs that
have a key in the same token can be identified by the "u" trust
flags.

- - - - -
5d99d013 by Christina Fu at 2022-11-18T16:25:24-08:00
Bug2142909-clientCiphers-CS-actingAsClient-master

This patch syncs up the master branch with the latest v10.13
 in regards to Bug2142909.

fixes https://bugzilla.redhat.com/show_bug.cgi?id=2142909

- - - - -
3aef34df by Christina Fu at 2022-11-18T20:26:59-05:00
Bug2040525-pkiconsole-nssdb-path

This patch adds a command line option, '-d' to specific path for nssdb.
It also prints out the path to the nssdb when -v is specified.

fixes https://bugzilla.redhat.com/show_bug.cgi?id=2040525

- - - - -
4776ff0b by jmagne at 2022-11-18T20:27:37-05:00
Fix recent issue with using pkiconsole with a client auth certificate. (#3986)

Forward port to latest evaluation branch.

The purpose of this fix is to allow a "-n cert-nickname" option, which
gives the user the ability to pick the nickname of the client auth cert
to use when connecting to the server.

Here is an exmple on how to use this new simpl feature:

 pkiconsole -v https://test.host.com:18443/ca -d ~/.redhat-idm-console -n SubCA_AdminV

Note the -n options specifies the name of of the desired SSL client auth certificate to present
to the server.

If the option is not present , no server cert nickname will be presented to the server.
The tool will work as it did previously in this case.

- - - - -
a141b92d by Endi S. Dewata at 2022-11-21T18:17:46+07:00
Add test for installing TPS with HSM

A new test has been added to verify TPS installation with HSM.
In this case TPS system certs and keys will be created in HSM
except for the subsystem and SSL server certs which are already
created during CA installation. The TPS system certs will also
exist in the internal token but without the keys. Certs that
have a key in the same token can be identified by the "u" trust
flags.

- - - - -
634fd111 by Endi S. Dewata at 2022-11-22T10:58:47+07:00
Remove redundant assignments

- - - - -
0a8bbe39 by Endi S. Dewata at 2022-11-22T17:18:26+07:00
Fix temporary SSL server key removal

In the past pkispawn used the same nickname for the temporary
and the permanent SSL server certs. Initially it would create
the temporary cert and the key, then it would create the
permanent cert with the same key, then drop the temporary
cert while keeping the key.

Recently the code was changed to use separate nicknames to
simplify installation which would generate separate keys too.
It removed the temporary cert, but not the temporary key. Now
the code has been updated to remove the temporary key as well.

Some tests have been modified to check for orphaned keys after
installation.

Resolves: https://github.com/dogtagpki/pki/issues/4103

- - - - -
453dd684 by Endi S. Dewata at 2022-11-22T17:34:52+07:00
Use try-with-resource in AuditVerify

- - - - -
d03e6724 by Endi S. Dewata at 2022-11-22T17:34:52+07:00
Use try-with-resource in CMCRequest

- - - - -
8d7cdc34 by Endi S. Dewata at 2022-11-22T17:34:52+07:00
Use try-with-resource in CRMFPopClient

- - - - -
e4cb66da by Endi S. Dewata at 2022-11-22T18:03:34+07:00
Remove unused GetDomainXML

The legacy GetDomainXML servlet has long been replaced with
the REST API provided by SecurityDomainService.getDomainInfo()
so it can be safely removed.

- - - - -
6abe6d11 by Chris Kelley at 2022-11-22T19:12:30+00:00
Replace unnecessary else clauses with ternary operator.
- - - - -
095a1f6e by Endi S. Dewata at 2022-11-24T18:54:37+07:00
Update HSM password in tests and docs

The HSM password in the tests and docs has been changed to
show where it is used and that it can be different from the
internal NSS database password.

- - - - -
a7e0e207 by Endi S. Dewata at 2022-11-25T08:28:27+07:00
Clean up test for CA with existing certs

- - - - -
66bfbd81 by Endi S. Dewata at 2022-11-25T08:28:28+07:00
Clean up test for CA with existing NSS database

- - - - -
e1a09e5c by Endi S. Dewata at 2022-11-25T17:34:51+07:00
Replace actions/checkout at v2 with actions/checkout at v3

https://github.blog/changelog/2022-09-22-github-actions-all-actions-will-begin-running-on-node16-instead-of-node12/

- - - - -
aee67aa9 by Endi S. Dewata at 2022-11-25T19:09:30+07:00
Add test for CA with existing HSM

A new test has been added to install CA with certs and keys
already existing in HSM.

- - - - -
bee5ca6e by Endi S. Dewata at 2022-11-28T10:51:16+07:00
Update ipa-artifacts-save.sh to include ipaserver-kra-install.log

- - - - -
54dcdf16 by Endi S. Dewata at 2022-11-28T11:47:06+07:00
Remove redundant subsystem folder creation

- - - - -
b9a841f9 by Endi S. Dewata at 2022-11-28T14:30:34+07:00
Clean up infrastructure_layout.py (part 1)

The code that creates the folders belonging to a PKI instance
has been moved into instance_layout.py.

- - - - -
73cc0ae6 by Endi S. Dewata at 2022-11-28T14:30:34+07:00
Clean up infrastructure_layout.py (part 2)

The code that creates/removes the folder that stores the config
files for all PKI instances has been removed since the folder is
owned by the RPM package and not supposed to be customizable.

- - - - -
4afd5c2f by Endi S. Dewata at 2022-11-28T14:30:34+07:00
Clean up infrastructure_layout.py (part 3)

The code that creates/removes the folder that stores all PKI
instances has been removed since the folder is owned by the
RPM package and not supposed to be customizable.

- - - - -
4cadcac0 by Endi S. Dewata at 2022-11-28T19:37:17+07:00
Add test for sub CA with HSM

A new test has been added to verify sub CA installation with HSM.
In this case the sub CA system certs and keys will be created in
HSM except for the SSL server cert. The root CA signing cert and
all sub CA system certs will also exist in the internal token as
well, but only the SSL server cert will have a key.

- - - - -
23a625cc by Endi S. Dewata at 2022-11-28T20:59:11+07:00
Update HSM token name in docs for clarity

- - - - -
a85944a2 by Endi S. Dewata at 2022-11-29T00:23:59+07:00
Remove unused logAudit.* and logError.* params

The CS.cfg files have been modified to no longer provide
logAudit.* and logError.* params.

The upgrade script has been updated to remove these params
from existing instances.

- - - - -
7f866fc5 by Endi S. Dewata at 2022-11-29T07:40:09+07:00
Restore standalone OCSP installation test

Previously there was a standalone OCSP installation test, but
it was converted into CRL publishing tests.

In the future it might be important to test other installation-
related operations without the complexity of CRL publishing, so
the original test has now been restored.

- - - - -
ce50c253 by Chris Kelley at 2022-11-29T09:11:55+00:00
Use ternary operator in AuthorityKeyIdentifierExtDefault
- - - - -
7d13e88d by Endi S. Dewata at 2022-11-29T18:45:50+07:00
Remove redundant service.* params

The code that reads the service.* params has been modified to
get the value from somewhere else. The upgrade script has been
modified to remove these params.

- - - - -
dc300cab by Fraser Tweedale at 2022-11-29T23:20:14+10:00
EST: implement EST frontend and integrated backend

Implement the EST service as an integrated part of the CA subsystem.
The various interfaces allow for it to be extracted as a separate
subsystem.  The only "big step" to do that is to implement an
alternative `ESTBackend` (i.e. the bits that actually issue
certificates and retrieve CA certificates)

This is a work in progress with the following caveats:

- No authentication of EST client

- No authorization of enrollment requests

- Hardcoded to use `caIPAserviceCert` profile

- Hardcoded `AuthToken` to issue the certificate as user `ipara`,
  with membership in the `Certificate Management Agents` group.

- Only the `/cacerts` and `/simpleenroll` endpoints have been
  implemented.

Part of: https://github.com/dogtagpki/pki/issues/3297

- - - - -
3c36f54b by Fraser Tweedale at 2022-11-29T23:20:14+10:00
EST: create 'est' subsystem

This commit extracts the EST service as a separate Dogtag subsystem,
called "est".  This commit gets the JAR and RPM building cleanly.
However, the following critical features are still to come:

- An "RA" backend unto the CA subsystem (for cert issuance)
- The ESTApplication class (i.e. the Tomcat application itself)
- Deployment capability (e.g. `pki-server est-deploy` command)

These will be provided in subsequent commits.

Part of: https://github.com/dogtagpki/pki/issues/3297

- - - - -
6937d458 by Fraser Tweedale at 2022-11-29T23:20:14+10:00
EST: add ESTApplication (servlet application)

Part of: https://github.com/dogtagpki/pki/issues/3297

- - - - -
815e76d0 by Fraser Tweedale at 2022-11-29T23:20:14+10:00
EST: implement stub RA backend

Implement a stub RA backend that returns 404 (/cacerts) or 500
(/simpleenroll and /simplereenroll).  The behaviour to communicate
with Dogtag CA subsystem will be added in a later commit.

Part of: https://github.com/dogtagpki/pki/issues/3297

- - - - -
db3f24cc by Fraser Tweedale at 2022-11-29T23:20:14+10:00
EST: add pki-server est-* CLI commands (+ man page)

Part of: https://github.com/dogtagpki/pki/issues/3297

- - - - -
e1091f19 by Fraser Tweedale at 2022-11-29T23:20:14+10:00
EST: remove ProxyRealm from app Context (temporary?)

ProxyRealm seems to be causing issues (realm is null, resulting in
HTTP status 500).  Not yet sure why this is happening but disable it
for now.

Part of: https://github.com/dogtagpki/pki/issues/3297

- - - - -
f95df455 by Fraser Tweedale at 2022-11-29T23:20:14+10:00
EST: add RewriteValve to server.xml

Add the RewriteValve to the <Host> configuration in server.xml, and
add a rule to send requests for /.well-known/est/... to the EST
service.

The rules are defined in Catalina/localhost/rewrite.config, which is
shipped as part of the pki-server package, rather than pki-est.
This is because the rewrite rules (as required for this application)
are top-level server configuration.  If the EST server is not
deployed, requests for /.well-known/est/... will still be rewritten,
but will result in 404.

This commit DOES NOT provide upgrade scripts to add the RewriteValue
and rewrite.config on existing deployments.  If it is necessary,
this will be added in a subsequent commit.

Part of: https://github.com/dogtagpki/pki/issues/3297

- - - - -
a10c2a22 by Fraser Tweedale at 2022-11-29T23:20:14+10:00
EST: map exceptions to proper HTTP responses

Use PKIExceptionMapper to map the various web application exceptions
to the corresponding HTTP response types.

Part of: https://github.com/dogtagpki/pki/issues/3297

- - - - -
10357a30 by Fraser Tweedale at 2022-11-29T23:20:14+10:00
EST: handle dubious Accept headers

At least one EST client is known to send requests with HTTP header
`Accept: text/plain`; see
https://github.com/thales-e-security/estclient/pull/5.

This behaviour is dubious.  It is problematic when communicating
with servers/frameworks that have rigid content negotiation
behaviour (such as JAX-RS).  Nevertheless, the EST protocol uses a
narrow range of media types.  The method and path are sufficient to
determine the request and response media types, regardless of
Content-Type and Accept header values.

To tolerate bogus Accept header values, define and apply a
ContainerRequestFilter that detects when the Accept header does not
match any of the response types used in the EST protocol.  If it
detects this condition it removes the Accept header from the
request.

NOTE: the JAX-RS spec is ambiguous as to whether our use of the API
is legal.  Per the spec,
`ContainerRequestContext.getAcceptableMediaTypes()` returns an
IMMUTABLE `List<MediaType>`.  However,
`ContainerRequestContext.getHeaders()` returns a MUTABLE map of
headers.  We are able to delete the Accept header via that map.  It
seems to be a RestEasy implementation detail that
`getAcceptableMediaTypes()` always reads the Accept header afresh
from the mutable map.

Part of: https://github.com/dogtagpki/pki/issues/3297

- - - - -
bbac5f29 by Fraser Tweedale at 2022-11-29T23:20:14+10:00
EST: implement backend configuration

Read backend configuration from <instance-dir>/est/backend.conf.
This includes the "class" property which specifies the backend
implementation to use.  Other properties are loaded and made
available to the backend implementation.  In this way, different
implementations may recognise or require different configuration
properties.

Part of: https://github.com/dogtagpki/pki/issues/3297

- - - - -
cacd597b by Fraser Tweedale at 2022-11-29T23:20:14+10:00
EST: implement /cacerts in Dogtag RA backend

Implement the /cacerts method in the Dogtag RA backend.

The implementation includes a substantial amount of code to prepare
the configuration for the PKIClient.  Parameters are read from the
ESTBackendConfig following a similar pattern to the ACME PKIIssuer.

The code to actually retrieve the certificate chain from the CA
subsystem is quite succinct.  The AuthorityClient retrieves the
chain as a PEM-encoded PKCS #7 object.  We then parse the response
and extract the certificates.  Nevermind that the EST front-end will
then put those certificates in a new PKCS #7 object and serialise
it.  Fundamentally it is unnecessary work.  But the API is cleaner
and more understandable through the use of proper data types rather
than strings and byte arrays.

Part of: https://github.com/dogtagpki/pki/issues/3297

- - - - -
47edb7fa by Fraser Tweedale at 2022-11-29T23:20:14+10:00
EST: tighten exceptions thrown by ESTBackend

Restrict ESTBackend endpoint methods to throwing PKIException.
PKIExceptionMapper will turn PKIException (and its subclasses) into
proper HTTP responses.

Also remove the ESTEnrollResult class which is no longer required.
Enrollment failure details will be conveyed by throwing a [subclass
of] PKIException.

Part of: https://github.com/dogtagpki/pki/issues/3297

- - - - -
e4dbda2a by Fraser Tweedale at 2022-11-29T23:20:14+10:00
EST: extract ServletContextListener

The recent commit f4aeb60346d59d10d2ae3b213ba407b4df9dbeaa extracted
the ServletContextListener implementation from the "engine" class
for each existing subsystem.  This commit does likewise for the EST
subsystem.

Part of: https://github.com/dogtagpki/pki/issues/3297

- - - - -
8f5f9974 by Fraser Tweedale at 2022-11-29T23:20:14+10:00
EST: implement /simple[re]enroll in DogtagRABackend

Following the pattern of the ACME PKIIssuer, implement the issuance
behaviour for the EST /simpleenroll and /simplereenroll endpoints.
The RA account credentials are taken from
<subsystem-dir>/backend.conf, for example:

    class=org.dogtagpki.est.DogtagRABackend
    url=https://f36-0.ipa.test:8443
    profile=estServerCert
    username=estra
    password=4me2Test

Part of: https://github.com/dogtagpki/pki/issues/3297

- - - - -
6c9652ed by Fraser Tweedale at 2022-11-29T23:20:14+10:00
EST: improve logging/reporting of certificate encoding failures

Part of: https://github.com/dogtagpki/pki/issues/3297

- - - - -
76b7d637 by Fraser Tweedale at 2022-11-29T23:20:14+10:00
EST: implement /simplereenroll and labeled enrollment

In ESTFrontend, implement /{label}/simpleenroll, /simplereenroll,
and /{label}/simplereenroll.  Authentication and authorization
remain as TODOs and will be implemented in subsequent commits.

As part of this change, extract the CSR parsing and enrollment
response building to separate static methods.

Part of: https://github.com/dogtagpki/pki/issues/3297

- - - - -
3c251a0e by Fraser Tweedale at 2022-11-29T23:20:14+10:00
EST: tighten ESTBackend interface to JSS X509CertImpl

The ESTBackend issuing methods currently return a
java.security.cert.X509Certificate.  The ESTFrontend injects the
returned certificate into a JSS CertificateChain object.  Although
that type accepts an X509Certificate, in fact it will throw an
IOException if the value is not a JSS X509CertImpl (which implements
X509Certificate).

To avoid the possibility of a backend implementation returning an
incompatible value, modify the API to explicitly return values of
type X509CertImpl.

Part of: https://github.com/dogtagpki/pki/issues/3297

- - - - -
143c4063 by Fraser Tweedale at 2022-11-29T23:20:14+10:00
EST: explain the simpleenroll vs simplereenroll correspondence

Add some commentary explaining explaining why DogtagRABackend has
the same behaviour for simpleenroll() and simplereenroll().  Or to
look at it another way, why there are two different methods, even
though this backend currently has the same behaviour for both
methods.

Part of: https://github.com/dogtagpki/pki/issues/3297

- - - - -
b1462f3f by Fraser Tweedale at 2022-11-29T23:20:14+10:00
EST: format Content-Type header for libest compatibility

The value of the response Content-Type header is derived from the
"@Produces" annotation on the service method.  For example:

    @Produces("application/pkcs7-mime; smime-type=certs-only")

The JAX-RS machinery then converts this into a value of type
javax.ws.rs.core.MediaType, and it is set as such in the
response headers (a MultivaluedMap<String, Object>).

When serialising the Response, header values are stringified via
types that implement the  RuntimeDelegate.HeaderDelegate<T>
interface, where T is the real type of the header value Object
(e.g. MediaType).  The HeaderDelegate implementations are
supplied by the JAX-RS implementation.  In our case that's
Resteasy, and the class in question:

    public class MediaTypeHeaderDelegate
        implements RuntimeDelegate.HeaderDelegate<MediaType>;

The toString(MediaType type) method provided by this class
prints the media type WITHOUT a space between the subtype
and the parameters.  In the example from the @Produces above,
it results in the header value:

    application/pkcs7-mime;smime-type=certs-only

This is a legal production in the HTTP grammar.  From the RFCs
7230 and 7231:

    media-type = type "/" subtype *( OWS ";" OWS parameter )
    OWS = *( SP / HTAB )

However, at least one EST client is unable to process this
value.  libest expects a SPACE after the ';'.  From
src/est/est_client_http.c:

    ...
    } else if (!strncmp(ct, "application/pkcs7-mime; smime-type=certs-only", 45)) {
    ...

The string libest expects is also a valid production.  But it is
not the one being sent from Tomcat/Resteasy.  As a consequence,
the enrollment operation fails.

To make our EST implementation compatible with libest, we need to
override how the MediaType gets stringified.  I was unable to
find a way in the JAX-RS to override the HeaderDelegate.  But we
can solve it in a case-by-case way via this response filter.

At the time response filters are applied, the Content-Type header
value is an object of type MediaType.  If the value is equal
(including parameters) to a value whose serialisation we need
to precisely control, we replace it with the exact String
required.  The String value will be used in the response "as is".
These substitutions are stored in a Map generated from the list
of all verbatim target headers.

If it emerges that different stringifications of the same
MediaType value are required for different client
implementations, we could inspect the request User-Agent header
to further refine the behaviour.  We could, for example, create a
Map for each User-Agent that requires header substitutions, or
change the key of the map to the User-Agent×MediaType pair.

Part of: https://github.com/dogtagpki/pki/issues/3297

- - - - -
24e719a5 by Fraser Tweedale at 2022-11-29T23:20:14+10:00
EST: support issuing from specified LWCA

Update the DogtagRABackend to interpret the {label} path component,
if given, as an AuthorityID.  Issue the request to the nominated
authority (a.k.a. lightweight CA / LWCA).

Part of: https://github.com/dogtagpki/pki/issues/3297

- - - - -
98413dd7 by Fraser Tweedale at 2022-11-29T23:20:14+10:00
EST: require authenticated user for enrollment

Add security contraints to require an authenticated user for
enrollment requests.

This is implemented by requiring an authenticated user for all POST
requests.  It would have been preferable to use paths; unfortunately
we cannot.  In EST, paths such as
`.well-known/est/{label}/simpleenroll` are used, where {label} is
user-specified and interpreted by the server.  But Servlet
<url-pattern> can only match path prefixes.

So far, the set of resources we have implemented are such that all
POST requests require authentication, and all GET requests are
anonymous.  If this changes in the future, we will have to move
authentication down into the application itself.

The valid role name is "**" meaning any authenticated user will be
granted access.  The EST application performs its own authorization
checks (to be implemented in a subsequent commit).

The realm configuration is also left to the administator.  Future
commits may deal with providing alternative means of realm
configuration.

Part of: https://github.com/dogtagpki/pki/issues/3297

- - - - -
c148c970 by Fraser Tweedale at 2022-11-29T23:20:14+10:00
EST: add authorization interface

Add the EST authorization interface.  Design sketch:

- abstract class ESTRequestAuthorizer defines the authorization
  interface.  Each enrollment method (currently: simpleenroll and
  simplereenroll) has its own authorization method.

- The arguments of the authorization methods are an
  ESTRequestAuthorizationData and the CSR.

- ESTRequestAuthorizationData contains common data used for making
  authorization decisions, including:

  - authenticated principal
  - client IP address
  - EST path label (if any)

- ESTEngine instantiates and initializes a concrete subclasses of
  ESTRequestAuthorizer according to configuration.

- ESTFrontend enrollment methods construct the
  ESTRequestAuthorization data, accesses the ESTRequestAuthorizer
  via the ESTEngine and invokes the relevant authorization method.

- (Next commit) ESTFrontend passes the Object returned by the
  authorization method to the ESTBackend enrollment method.  In this
  way, arbitrary data generated by the authorizer implementation can
  be consumed by the ESTBackend implementation.

Subsequent commits will implement the authorization result Object
propagation, and provide an authorizer implementation that invokes
an external process to compute the authorization result.

Part of: https://github.com/dogtagpki/pki/issues/3297

- - - - -
372fd3c7 by Fraser Tweedale at 2022-11-29T23:20:14+10:00
EST: propagate authorizer output to backend

Propagate the output of the ESTRequestAuthorizer authorization
method to the ESTBackend issuance method.

Part of: https://github.com/dogtagpki/pki/issues/3297

- - - - -
01ff6f08 by Fraser Tweedale at 2022-11-29T23:20:14+10:00
EST: implement ExternalProcessRequestAuthorizer

Implement the ExternalProcessRequestAuthorizer.  This implementation
executes the configured executable as a subprocess.  It pipes the
request authz data, CSR and label to the subprocess standard input
as a JSON object.  The request is authorized if the subprocess exits
normally (exit status 0).  If the subprocess does get created but
exits abnormally, throws ForbiddenException using the subprocess
standard output as the message.

Part of: https://github.com/dogtagpki/pki/issues/3297

- - - - -
69a14119 by Fraser Tweedale at 2022-11-29T23:20:14+10:00
EST: provide client cert in request authz data

When the EST client uses TLS client certificate authentication,
provide the client certificate chain in the
ESTRequestAuthorizationData.

Also update the ExternalProcessRequestAuthorizer to put the
certificate chain in the JSON object provided to the subprocess
standard input.

Part of: https://github.com/dogtagpki/pki/issues/3297

- - - - -
fadfe226 by Fraser Tweedale at 2022-11-29T23:20:14+10:00
EST: fix some incorrect visibilities

Some classes and fields had unsuitable visibility, which this commit
addresses.  Specifically:

- The `ESTBackend` `config` field had default (package) visibility,
  but needs to be visible to subclasses (which may be implemented by
  anyone).  Make it `protected`.

- The `ESTRequestAuthorizationData` class had default (package)
  visibility, but it needs to be visible to arbitrary subclasses of
  `ESTRequestAuthorizer`.  Make it `public`.

- The fields of `ESTRequestAuthorizationData` had default (package)
  visibility.  Make them `public` so as to be readable by arbitrary
  subclasses of `ESTRequestAuthorizer`.

Part of: https://github.com/dogtagpki/pki/issues/3297

- - - - -
313822ff by Fraser Tweedale at 2022-11-29T23:20:14+10:00
EST: improve DogtagRABackend compat with older CA versions

Older versions of Dogtag return CertRequestInfo without the
requestID field, resulting in NullPointerException.  Detect this
condition and fall back to .getRequestId(), which derives the
request ID from the requestURL field.

Part of: https://github.com/dogtagpki/pki/issues/3297

- - - - -
9af493ca by Fraser Tweedale at 2022-11-29T23:20:14+10:00
EST: set up rewrite.config when using `pki-server create`

When deploying via `pki-server create`, we fail to install the
`rewrite.config`.  Add this behaviour.

Part of: https://github.com/dogtagpki/pki/issues/3297

- - - - -
361d2490 by Fraser Tweedale at 2022-11-29T23:20:14+10:00
EST: add RewriteValve to server.xml when using `pki-server create`

The `pki-server create` deployment regime copies and modifies
`/etc/tomcat/server.xml`, rather than copying the `server.xml`
shipped in the pki-server package.  This `server.xml` does not
include the RewriteValve, which we use to rewrite requests
`/.well-known/est` to the actual application path.

Update the deployment procedure to add RewriteValve to `<Host>`
elements in the `server.xml`.  The behaviour is encapsulated in the
`add_rewrite_valve(document)` staticmethod.  The operation is
idempotent - a no-op if RewriteValve is already present.  Therefore
this method may be useful in upgrade scripts too.

Part of: https://github.com/dogtagpki/pki/issues/3297

- - - - -
60f85e7f by Fraser Tweedale at 2022-11-29T23:20:14+10:00
EST: treat backend authnz failure as internal error

DogtagRABackend re-raises PKIException thrown by the CAClient.  If
something is misconfigured resulting in the CA subsystem responding
401 or 403, the EST responds the same way.  This is a bug.

Modify DogtagRABackend to inspect the int code of the caught
PKIException.  If  401 or 403, throw a new PKIException (status
500).  Otherwise re-raise, as previously.

Part of: https://github.com/dogtagpki/pki/issues/3297

- - - - -
6b10dd21 by Fraser Tweedale at 2022-11-29T23:20:14+10:00
EST: compare CSR Subject and SAN to cert being renewed

RFC 7030 Section 4.2.2. "Simple Re-enrollment of Clients" states:

  A certificate request employs the same format as the "simpleenroll"
  request, using the same HTTP content-type.  The request Subject field
  and SubjectAltName extension MUST be identical to the corresponding
  fields in the certificate being renewed/rekeyed.

Implement this requirement.

Note that we really do check that the values are __identical__, by
comparing their DER.  StringPrep, caseIgnoreMatch and GeneralName
type-specific equality rules are not applied.  Nor do we consider
that equivalent SAN values could appear in different orders.

So, we indeed implement the RFC correctly.  But we should not be
surprised if this turns out to be too strict.  Real world scenarios
could necessitate relaxing the check from "identical" to
"equivalent".  But for now, we stay with the strict - and much
simpler! - behaviour.

Part of: https://github.com/dogtagpki/pki/issues/3297

- - - - -
8f0e50d3 by Fraser Tweedale at 2022-11-29T23:20:14+10:00
EST: pkispawn: handle already-existing rewrite.config

Some deployment scenarios involve using `pki-server create` and then
running `pkispawn`.  For example, you can explicitly create the
server instance and NSSDB, then install the CA with the existing
database.

Such a scenario currently fails because both steps try to create the
`rewrite.config` symlink.  pkispawn fails with FileExistsError.
Update the code to gracefully handle this scenario.

Part of: https://github.com/dogtagpki/pki/issues/3297

- - - - -
99574a22 by Fraser Tweedale at 2022-11-29T23:20:14+10:00
EST: convey to-be-renewed cert to authorizer

In general (although not in our implementation - yet) the
to-be-renewed certificate is not necessarily the same as the client
certificate used to authenticate.  Add a parameter for the
to-be-renewed certificate to the
`ESTRequestAuthorizer.authorizeSimplereenroll()` method.

Also update the `ExternalProcessRequestAuthorizer` to include the
certificate in the `toBeRenewed` field of the JSON data sent to the
child process.

Part of: https://github.com/dogtagpki/pki/issues/3297

- - - - -
ee1fa672 by Marco Fargetta at 2022-11-29T23:20:14+10:00
Adopt PKI ProxyRealm for authentication

- - - - -
4258cc2d by Fraser Tweedale at 2022-11-29T23:20:14+10:00
EST: enable use of RealmBase realm subclasses

Enable the use of "native" Tomcat RealmBase subclasses (e.g.
MemoryRealm) with the EST subsystem.  The main aspects of this
change are:

- Invoke the LifecycleBase start()/stop() methods at the
  corresponding WebListener lifecycle changes.

- Register the realm with ProxyRealm *before* invoking start().
  ProxyRealm.registerRealm() invokes setContainer(), a prerequisite
  for start() to succeed.

Part of: https://github.com/dogtagpki/pki/issues/3297

- - - - -
ea4b586c by Fraser Tweedale at 2022-11-29T23:20:14+10:00
EST: set properties of RealmBase subclass instances

Currently there is no way to configure instances of Tomcat "bundled"
realms.  For trivial implementations like `MemoryRealm` this is not
an issue.  But for other implementations (e.g. `JNDIRealm`,
`JAASRealm`, etc) a configuration mechanism is necessary.

Tomcat's own configuration mechanism uses introspection to propagate
attributes in the XML `<Realm>` element to the new `Realm` object.
It looks for a setter method whose name is the capitalisation of the
attribute name, prepended with `"set"`.

Update `ESTEngine` to do likewise for the properties in
`realm.conf`, when the realm is an instance of `RealmBase`.  The
`IntrospectionUtils.setProperty` helper method from Tomcat does the
heavy lifting.  We just need to iterate the properties and set each
one.

Properties that have no corresponding setter method or which throw
`IllegalArgumentException` result in a `RuntimeException` that
reports the bad property.  This behaviour forces administrators to
resolve or remove bad properties in `realm.conf`.

Part of: https://github.com/dogtagpki/pki/issues/3297

- - - - -
af7ddb31 by Marco Fargetta at 2022-11-29T23:20:14+10:00
Add CI test and doc for EST

- - - - -
997c6706 by Endi S. Dewata at 2022-11-30T08:24:49+07:00
Update version number to 11.3.0-beta1

- - - - -
135c9784 by Endi S. Dewata at 2022-11-30T13:42:14+07:00
Update dependencies in pki.spec

- - - - -
4c3ca8f2 by Marco Fargetta at 2022-11-30T09:49:13+01:00
Add AES in SCEP protocol

Following the SCEP specs (https://www.rfc-editor.org/rfc/rfc8894.txt)
the AES support has been introduced for encrypting certificate massage.

Fix #3324

- - - - -
2a8e2182 by Marco Fargetta at 2022-11-30T09:49:13+01:00
Add OAEP parameters

- - - - -
1d7827c3 by Marco Fargetta at 2022-11-30T09:49:13+01:00
Tidyup CRSEnrollment

- - - - -
2ffc5e4d by Marco Fargetta at 2022-11-30T09:49:13+01:00
ADd rsaes_oaep among the key wrapping algorithms

- - - - -
0c6398ae by Marco Fargetta at 2022-11-30T09:49:13+01:00
Fix key length

- - - - -
31068a42 by Marco Fargetta at 2022-11-30T09:49:13+01:00
Fix key length for padding algorithms

- - - - -
27acea80 by Marco Fargetta at 2022-11-30T09:49:13+01:00
In case of OAEP move the secret key instead of clone

- - - - -
38e36d27 by Marco Fargetta at 2022-11-30T09:49:13+01:00
Move the symmetric key to wrap the reponse

- - - - -
042ca7a4 by Marco Fargetta at 2022-11-30T09:49:13+01:00
Fix SonarCloud several code smell

- - - - -
0b2423f4 by Marco Fargetta at 2022-11-30T09:49:13+01:00
Replace the SymKey clone with wrap and unwrap

- - - - -
e80920e7 by Marco Fargetta at 2022-11-30T09:49:13+01:00
Fix padding for the unwrap

- - - - -
ca90e323 by Endi S. Dewata at 2022-11-30T23:10:34+07:00
Fix pki.spec to allow optional theme

- - - - -
ed094625 by Endi S. Dewata at 2022-12-01T14:33:07+07:00
Update basic TPS test

The basic TPS test has been updated to run ldapadd in PKI
container instead of in DS container since the input files
are provided by PKI.

- - - - -
db21c5b8 by Endi S. Dewata at 2022-12-01T19:37:39+07:00
Use DS container in CI tests

The ds-container-create.sh has been modified such that most
tests will use a DS container which is about 30-60 seconds
faster to create than a regular DS server.

For now tests for secure DS connection will continue to use
a regular DS server, but in the future they may be updated
to use a DS container as well.

- - - - -
a5294ffc by Endi S. Dewata at 2022-12-05T09:14:08+07:00
Update cloning examples and tests

The cloning examples have been updated to no longer include the
PKCS #12 params by default such that they can be used with other
methods which do not use a PKCS #12 file. The cloning tests with
PKCS #12 file have been modified to provide the required params
for this method.

- - - - -
735f5916 by Endi S. Dewata at 2022-12-05T11:50:52+07:00
Update version number to 11.4.0-alpha1

- - - - -
bf8d7e11 by Endi S. Dewata at 2022-12-05T20:17:12+07:00
Add test for CA clone with HSM

A new test has been added to verify CA cloning with HSM.
In this case the HSM will be cloned first, then the CA
clone will be installed with the certs and keys already
existing in the HSM clone.

Currently there is a discrepancy between the primary CA
and the clones on number of certs in the internal token,
but it doesn't seem to be affecting the functionality.
This will require further investigation.

- - - - -
e4396d8e by Endi S. Dewata at 2022-12-06T13:43:50+07:00
Update pki-ca-authority to display hex serial number

- - - - -
fcaee459 by Pritam Singh at 2022-12-06T16:47:46+05:30
Add --owner option for kra-key-find (#4242)

Fixes: 2144467, 2045101

Signed-off-by: Pritam Singh <prisingh at redhat.com>
- - - - -
ac699e6e by Endi S. Dewata at 2022-12-06T19:42:29+07:00
Add test for lightweight CA

A new test has been added to test basic lightweight CA
operations. The test will install a CA, then create a
lightweight CA, and perform an enrollment against it.
The issued cert should be signed by the lightweight CA.

- - - - -
517ee525 by Chris Kelley at 2022-12-06T14:37:07+00:00
Run Eclipse formatter against generate(Dual)CRMFRequest
- - - - -
5e3af6d4 by Chris Kelley at 2022-12-06T14:37:07+00:00
Use try-with-resources in generate(Dual)CRMFRequest
- - - - -
90647886 by Endi S. Dewata at 2022-12-07T22:37:58+07:00
Call apt-get update before apt-get install

Some tests were failing during apt-get install:

$ sudo apt-get -y install libxml2-utils
Reading package lists...
Building dependency tree...
Reading state information...
The following NEW packages will be installed:
  libxml2-utils
0 upgraded, 1 newly installed, 0 to remove and 9 not upgraded.
Need to get 40.2 kB of archives.
After this operation, 206 kB of additional disk space will be used.
Ign:1 http://azure.archive.ubuntu.com/ubuntu jammy-updates/main amd64 libxml2-utils amd64 2.9.13+dfsg-1ubuntu0.1
Err:1 http://azure.archive.ubuntu.com/ubuntu jammy-updates/main amd64 libxml2-utils amd64 2.9.13+dfsg-1ubuntu0.1
  404  Not Found [IP: 52.147.219.192 80]
E: Failed to fetch http://azure.archive.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2-utils_2.9.13%2bdfsg-1ubuntu0.1_amd64.deb  404  Not Found [IP: 52.147.219.192 80]
E: Unable to fetch some archives, maybe run apt-get update or try with --fix-missing?

The tests have been updated to call apt-get update first.

- - - - -
40c2720b by Endi S. Dewata at 2022-12-07T22:38:51+07:00
Clean up installation log messages

- - - - -
60bdf866 by Endi S. Dewata at 2022-12-08T14:20:19+07:00
Replace actions/upload-artifact at v2 with actions/upload-artifact at v3

https://github.blog/changelog/2022-09-22-github-actions-all-actions-will-begin-running-on-node16-instead-of-node12/

- - - - -
e1ca849d by Endi S. Dewata at 2022-12-08T17:52:26+07:00
Add test for lightweight CA with HSM

Lightweight CA currently does not support HSM, but there is
a plan to support it in the future:
https://github.com/dogtagpki/pki/issues/2412

A new test has been added to see how well lightweight CA
currently works with HSM. The test assumes that by default
the lightweight CA will be stored into the internal token
even though the host CA itself is stored in HSM. Since HSM
is not yet supported, there are failures and they are being
ignored for now. When the support is added in the future
this test will need to be updated.

The existing test for lightweight CA without HSM has also
been updated to validate the information stored in the LDAP
entries.

- - - - -
183a8e78 by Chris Kelley at 2022-12-09T08:41:14+00:00
Remove unnecessary Boolean literal
- - - - -
8e4f08d8 by Endi S. Dewata at 2022-12-10T00:50:58+07:00
Simplify KRA tests

- - - - -
920ce80b by Endi S. Dewata at 2022-12-10T00:51:02+07:00
Simplify TKS tests

- - - - -
904bcd1b by Endi S. Dewata at 2022-12-10T02:56:25+07:00
Update tests and docs to use pki pkcs12-import

The tests and docs have been updated to import PKCS #12 files
using pki pkcs12-import (which uses JSS) instead of using pki
client-cert-import (which uses pk12util).

- - - - -
33226828 by Marco Fargetta at 2022-12-14T05:25:42+10:00
Fix est documentation

The document was missing the roles for the PKIInMemoryRealm

- - - - -
5b76b8e2 by Fraser Tweedale at 2022-12-14T13:00:32+01:00
EST: add commentary to example profile config

Part of: https://github.com/dogtagpki/pki/issues/3297

- - - - -
8ec13143 by Endi S. Dewata at 2022-12-14T19:09:44+07:00
Consolidate build jobs

The build jobs in all workflows (except in sonarcloud-pull.yml)
have been consolidated into build.yml such that the build will be
created just once by the build workflow, and the test workflows
will use the same build once it's completed.

https://github.com/lewagon/wait-on-check-action

- - - - -
58891e68 by Endi S. Dewata at 2022-12-15T09:34:22+07:00
Fix Eclipse warning due to missing encoding

- - - - -
6cb2376c by Chris Kelley at 2022-12-16T14:58:15+00:00
Code cleanup in LdapAuthInfo

* Fix ordering of modifiers to match JLS
* Make logger final
* Simplify logic in authInfoOK with ternary operator
* Define variables on separate lines
* Remove exceptions that cannot be thrown
- - - - -
3e539b59 by Endi S. Dewata at 2022-12-16T23:48:08+07:00
Rename fedora-runner image to pki-base

- - - - -
ebf5e110 by Endi S. Dewata at 2022-12-16T23:50:21+07:00
Replace OS_VERSION variable with BASE_IMAGE

- - - - -
e8b19eea by Endi S. Dewata at 2022-12-20T06:44:35+07:00
Add publish job

A new job has been added to publish PKI images to GH Packages
after the build job in the master branch is complete.

- - - - -
0f098d4b by Endi S. Dewata at 2022-12-22T20:10:56+07:00
Drop default COPR repo

The CI has been modified to no longer use a COPR repo by default
and instead it will install SSCEP, libEST, JSS, Tomcat JSS, and
LDAP SDK from GitHub Packages.

The Azure Pipelines still have a dependency on COPR. It will be
removed separately later.

- - - - -
79361198 by Endi S. Dewata at 2023-01-03T16:28:06+07:00
Move ProfileAuthenticator.AUTHENTICATED_NAME into AuthManager

- - - - -
381fff20 by Endi S. Dewata at 2023-01-03T16:33:15+07:00
Move ProfileAuthenticator.init() into AuthManager

- - - - -
080efb39 by Endi S. Dewata at 2023-01-03T16:33:15+07:00
Move ProfileAuthenticator.getConfigStore() into AuthManager

- - - - -
3c252aeb by Endi S. Dewata at 2023-01-03T17:31:47+07:00
Move ProfileAuthenticator.getName() into AuthManager

- - - - -
8cca848e by Endi S. Dewata at 2023-01-03T17:37:33+07:00
Move ProfileAuthenticator.getText() into AuthManager

- - - - -
e300f80c by Endi S. Dewata at 2023-01-03T17:41:43+07:00
Move ProfileAuthenticator.getValueNames() into AuthManager

- - - - -
09eebb0e by Endi S. Dewata at 2023-01-03T17:47:45+07:00
Move ProfileAuthenticator.getValueDescriptor() into AuthManager

- - - - -
e4334fae by Endi S. Dewata at 2023-01-03T17:51:56+07:00
Move ProfileAuthenticator.isValueWriteable() into AuthManager

- - - - -
915f0a7b by Endi S. Dewata at 2023-01-03T17:55:26+07:00
Move ProfileAuthenticator.isSSLClientRequired() into AuthManager

- - - - -
3dcd7bdb by Endi S. Dewata at 2023-01-03T18:00:44+07:00
Move ProfileAuthenticator.populate() into AuthManager

- - - - -
bd729a6b by Endi S. Dewata at 2023-01-03T18:07:19+07:00
Merge ProfileAuthenticator into AuthManager

- - - - -
4d262c37 by Endi S. Dewata at 2023-01-03T20:41:25+07:00
Convert AuthManager into class

- - - - -
7f9657ae by Endi S. Dewata at 2023-01-03T21:08:14+07:00
Consolidate AuthManager.getName() implementations

- - - - -
01400f63 by Endi S. Dewata at 2023-01-03T21:14:42+07:00
Consolidate AuthManager.getImplName() implementations

- - - - -
e37fb2f7 by Endi S. Dewata at 2023-01-03T21:21:35+07:00
Consolidate AuthManager.getConfigStore() implementations

- - - - -
29acee6e by Endi S. Dewata at 2023-01-03T21:36:18+07:00
Consolidate AuthManager.getConfigParams() implementations

- - - - -
12b63118 by Endi S. Dewata at 2023-01-04T00:18:58+07:00
Consolidate AuthManager.getAuthenticationConfig() implementations

- - - - -
e710e5be by Endi S. Dewata at 2023-01-04T00:41:12+07:00
Refactor AuthManager.init()

The AuthManager.init() has been modified to take an
AuthenticationConfig object.

- - - - -
673a40d5 by Endi S. Dewata at 2023-01-04T19:35:48+07:00
Clean up exception handling in CMCAuth

- - - - -
8db7df0e by Endi S. Dewata at 2023-01-04T23:09:15+07:00
Relocate CMCAuth

Previously the CMCAuth plugin was distributed in pki-cms.jar
and an instance of the plugin was created by AuthSubsystem in
all subsystems.

Since the plugin is only used by CA, it has now been moved
into pki-ca.jar. The code that creates the instance in
AuthSubsystem has been removed. Instead, the CA config file
has been updated to create the instance.

The config files for KRA, OCSP, TKS, and TPS have been updated
to no longer register the plugin.

An upgrade script has been added to update existing server
instances.

- - - - -
f37c7abb by Endi S. Dewata at 2023-01-04T23:28:15+07:00
Fix ACME test failures due to certbot changes

In certbot 2.0 the default key type was changed to ECDSA, so
the ACME tests have been updated to use certbot with RSA keys
explicitly as a workaround. In the future the cert profiles
might need to be modified to support multiple key types.

https://github.com/certbot/certbot/releases/tag/v2.0.0

- - - - -
37163cf7 by Chris Kelley at 2023-01-04T16:52:22+00:00
Update Maven dependencies to Jackson v2.14.1

These deps are now available in various Maven repositories, so we
can use them. The compatibility has been tested already in the CI
and it is being used in Fedora already with no issues. This change
also resolves various security issues raised by dependabot.

- - - - -
d3df706d by Endi S. Dewata at 2023-01-05T09:17:18+07:00
Move CMSEngine.getSharedTokenClass() to CAEngine

- - - - -
8f1f401a by Endi S. Dewata at 2023-01-05T20:54:49+07:00
Replace BASE64_MATRIX with BASE64_OS

Previously the BASE64_MATRIX parameter provided a mechanism
to test against multiple Fedora versions at once. However,
since the test resources are limited and only one of the
versions is eventually published, the parameter has been
replaced with a new BASE64_OS parameter which only supports
a single Fedora version.

https://github.com/dogtagpki/pki/wiki/Configuring-Test-OS

- - - - -
8305f26f by Endi S. Dewata at 2023-01-05T21:56:57+07:00
Remove unused CMSServlet.mLogCategory

- - - - -
3eae0225 by Endi S. Dewata at 2023-01-05T21:56:57+07:00
Clean up UsrGrpAdminServlet.service()

The UsrGrpAdminServlet.service() has been modified to get the
subsystem ID from the servlet context.

- - - - -
e19d0b35 by Endi S. Dewata at 2023-01-05T22:02:21+07:00
Clean up IndexTemplateFiller.getTemplateParams()

The IndexTemplateFiller.getTemplateParams() has been modified
to get the subsystem ID from the servlet request.

- - - - -
a27460ef by Endi S. Dewata at 2023-01-05T22:06:53+07:00
Clean up ProcessCertReq.processX509()

The ProcessCertReq.processX509() has been modified to no longer
perform redundant check for local KRA.

- - - - -
03ed035f by Endi S. Dewata at 2023-01-06T07:42:20+07:00
Update CMCAuth to use CAEngine

- - - - -
7e7b45d3 by Endi S. Dewata at 2023-01-06T08:43:23+07:00
Merge IKeyRecoveryAuthority into KeyRecoveryAuthority

- - - - -
a611c3fa by Endi S. Dewata at 2023-01-06T10:12:02+07:00
Remove unused legacy IKeyArchivalPolicy

- - - - -
455c3b2e by Endi S. Dewata at 2023-01-06T10:21:24+07:00
Remove unused legacy IKeyRecoveryPolicy

- - - - -
f678a6fe by Endi S. Dewata at 2023-01-06T10:21:24+07:00
Remove unused legacy DefaultRevocation

- - - - -
e47c8501 by Endi S. Dewata at 2023-01-06T23:25:55+07:00
Update publish workflow

The publish workflow has been modified to wait for the build
using lewagon/wait-on-check-action instead of on.workflow_run
such that it can be customized to publish the images with the
proper tag for the branch.

- - - - -
29e3c64c by Endi S. Dewata at 2023-01-06T23:57:27+07:00
Remove unused CMC params

The cmc.* parameters in the CS.cfg of non-CA subsystems have
been removed since they are only used by CA or not used at all.

A new upgrade script has been added to update existing server
instances.

- - - - -
6f8b0918 by Endi S. Dewata at 2023-01-07T00:20:54+07:00
Move SharedSecret to pki-ca

- - - - -
efcd1b09 by Endi S. Dewata at 2023-01-09T09:56:36+07:00
Update SharedSecret to use CAEngine

- - - - -
abf5d948 by Endi S. Dewata at 2023-01-09T10:23:07+07:00
Replace CMSServlet.mAuthority in UpdateDir

- - - - -
13686daf by Endi S. Dewata at 2023-01-09T10:23:17+07:00
Replace CMSServlet.mAuthority in UpdateCRL

- - - - -
cd4f085b by Endi S. Dewata at 2023-01-09T10:23:21+07:00
Replace CMSServlet.mAuthority in SrchCerts

- - - - -
b01e6fe6 by Endi S. Dewata at 2023-01-09T10:23:25+07:00
Replace CMSServlet.mAuthority in ReasonToRevoke

- - - - -
7e7d76eb by Endi S. Dewata at 2023-01-09T10:23:29+07:00
Replace CMSServlet.mAuthority in Monitor

- - - - -
70f80b3d by Endi S. Dewata at 2023-01-09T10:23:37+07:00
Replace CMSServlet.mAuthority in ListCerts

- - - - -
2373043a by Endi S. Dewata at 2023-01-09T10:23:41+07:00
Replace CMSServlet.mAuthority in ProcessCertReq

- - - - -
0ed1182d by Endi S. Dewata at 2023-01-09T10:23:45+07:00
Replace CMSServlet.mAuthority in CheckRequest

- - - - -
44fbf2e3 by Endi S. Dewata at 2023-01-09T10:23:49+07:00
Replace CMSServlet.mAuthority in GetCertChain

- - - - -
21850bf3 by Endi S. Dewata at 2023-01-09T10:29:54+07:00
Replace CMSServlet.mAuthority in RevocationServlet

- - - - -
3105df12 by Endi S. Dewata at 2023-01-09T10:29:57+07:00
Replace CMSServlet.mAuthority in RenewalServlet

- - - - -
256b2ff7 by Endi S. Dewata at 2023-01-09T10:31:14+07:00
Replace CMSServlet.mAuthority in GetInfo

- - - - -
571779f1 by Endi S. Dewata at 2023-01-09T10:31:46+07:00
Replace CMSServlet.mAuthority in GetEnableStatus

- - - - -
1405ad03 by Endi S. Dewata at 2023-01-09T10:33:19+07:00
Replace CMSServlet.mAuthority in GetCRL

- - - - -
8d6e01ee by Endi S. Dewata at 2023-01-09T10:35:36+07:00
Replace CMSServlet.mAuthority in GetCAChain

- - - - -
0b83d24a by Endi S. Dewata at 2023-01-09T10:36:07+07:00
Replace CMSServlet.mAuthority in GetBySerial

- - - - -
1d9c8443 by Endi S. Dewata at 2023-01-09T10:36:35+07:00
Replace CMSServlet.mAuthority in DoUnrevokeTPS

- - - - -
26a51c53 by Endi S. Dewata at 2023-01-09T10:37:50+07:00
Replace CMSServlet.mAuthority in DoUnrevoke

- - - - -
c70b36cf by Endi S. Dewata at 2023-01-09T10:39:05+07:00
Replace CMSServlet.mAuthority in DoRevokeTPS

- - - - -
b09cd8c6 by Endi S. Dewata at 2023-01-09T10:41:05+07:00
Replace CMSServlet.mAuthority in DoRevoke

- - - - -
118f7f95 by Endi S. Dewata at 2023-01-09T10:41:35+07:00
Replace CMSServlet.mAuthority in DisplayCRL

- - - - -
e78a980e by Endi S. Dewata at 2023-01-09T10:42:52+07:00
Replace CMSServlet.mAuthority in DisplayBySerial

- - - - -
9da436c3 by Endi S. Dewata at 2023-01-09T10:45:46+07:00
Replace CMSServlet.mAuthority in CMCRevReqServlet

- - - - -
cba6312f by Endi S. Dewata at 2023-01-09T10:47:16+07:00
Replace CMSServlet.mAuthority in ChallengeRevocationServlet1

- - - - -
43b4a549 by Endi S. Dewata at 2023-01-09T12:13:23+07:00
Replace CMSServlet.mAuthority in KRA

- - - - -
fe9352eb by Endi S. Dewata at 2023-01-09T12:17:30+07:00
Replace CMSServlet.mAuthority in OCSP

- - - - -
02d4b28a by Endi S. Dewata at 2023-01-09T13:12:41+07:00
Remove redundant CMSServlet.certAuthority

- - - - -
b3c3e642 by Endi S. Dewata at 2023-01-09T13:19:52+07:00
Replace redundant CMSServlet.isCertFromCA()

- - - - -
0b2e40a9 by Endi S. Dewata at 2023-01-09T13:19:56+07:00
Replace redundant CMSServlet.getX509Certificate()

- - - - -
8dde116a by Chris Kelley at 2023-01-09T13:15:25+00:00
Tidy up logic CrossCertPairSubsystem

* Use ternary operators where appropriate
* Remove unnecessary Boolean literals
* Remove redundant jumps
* Remove unnecessary else clauses
* Remove null check that always evaluates false
- - - - -
c988cd9f by Endi S. Dewata at 2023-01-10T08:46:10+07:00
Clean up Dockerfile

- - - - -
05bfb935 by Endi S. Dewata at 2023-01-10T09:02:09+07:00
Move CA-specific methods to CAServlet

- - - - -
05e194ef by Jack Magne at 2023-01-10T09:24:31+01:00
Fix: Bug 2122409 - pki-tomcat/kra unable to decrypt when using RSA-OAEP padding in RHEL9 with FIPS enabled

The purpose of this patch is to continue the improvement of this bug in 2 ways:

1. Create a pikspawn variable to cause pkispawn to create a subsystem configured for oaep

pki_use_oaep_rsa_keywrap=True, the default is False.

2. Improve the rest calls for kra info and ca info to provide info on whether the ca or kra is using OAEP.

For the Ca, we print out oaep info for both the local CA config and the CA's corresponding KRA.

Ex:

KRA info:

https://localhost.localdomain:28443/kra/rest/info

<KRAInfo>
<Attributes/>
<ArchivalMechanism>keywrap</ArchivalMechanism>
<RecoveryMechanism>keywrap</RecoveryMechanism>
<EncryptionAlgorithm>AES/CBC/PKCS5Padding</EncryptionAlgorithm>
<WrapAlgorithm>AES KeyWrap/Padding</WrapAlgorithm>
<RsaPublicKeyWrapAlgorithm>RSA_OAEP</RsaPublicKeyWrapAlgorithm>
</KRAInfo>

Note the new value for RsaPublicKeyWrapAlgorithm.

CA info:

https://localhost.localdomain:8443/ca/rest/info

<CAInfo>
<Attributes/>
<ArchivalMechanism>keywrap</ArchivalMechanism>
<EncryptionAlgorithm>AES/CBC/PKCS5Padding</EncryptionAlgorithm>
<WrapAlgorithm>AES KeyWrap/Padding</WrapAlgorithm>
<RsaPublicKeyWrapAlgorithm>RSA_OAEP</RsaPublicKeyWrapAlgorithm>
<CaRsaPublicKeyWrapAlgorithm>RSA_OAEP</CaRsaPublicKeyWrapAlgorithm>
</CAInfo>

The value CARsaPublicKeyWrapAlgorithm simply relfects the CA's CS.cfg oaep value.
The value RsaPublicKeyWrapAlgorithm is part of the info obtained from this CS's KRA subsystem.

This info can be used by interested clients to see if OAEP is in use with the givne KRA or CA.

- - - - -
7b0e1430 by Marco Fargetta at 2023-01-10T09:24:31+01:00
Fix keyWrap.useOAEP configuration and other improvement

Complete the management of the 'OAEP' configuration in pkispawn and
solve several SonarClous issue

- - - - -
50b155d9 by Marco Fargetta at 2023-01-10T09:24:31+01:00
Add CI test for KRA started with OAEP

The new pkispawn parameter `pki_use_oaep_rsa_keywrap` allows to create
`CA` and `KRA` subsystems with `RSA_OAEP` padding enabled.

This CI test verify that OAEP is enabled according to the parameter and
additionally performs all the basic tests for `KRA` subsystem but with
`RSA_OAEP` enabled.

- - - - -
37fe9e0a by Marco Fargetta at 2023-01-10T09:24:31+01:00
Remove XML from CAInfo and KRAInfo, and move OAEP config to subsystem

- - - - -
77fcde13 by Chris Kelley at 2023-01-16T10:40:15+00:00
Modify csconfig.py checks to allow for N certs with same nickname

Currently the base64 blob from nssdb is directly compared with a
cert from the CA subsystem, this fails if their are multiple certs
with the same nickname. As this is an allowable state, the tests
are modified to break the base64 blob into individual certs.

- - - - -
fb2bdd78 by Endi S. Dewata at 2023-01-17T08:23:38-06:00
Clean up Dockerfile

- - - - -
9fd03b0c by Endi S. Dewata at 2023-01-17T10:06:41-06:00
Fix test for KRA with RSA OAEP

- - - - -
582685af by Endi S. Dewata at 2023-01-17T13:24:23-06:00
Refactor AuthSubsystem

The code that creates ChallengePhraseAuthentication and
SSLClientCertAuthentication in AuthSubsystem has been moved
into CAAuthSubsystem since they can only be used in CA.

- - - - -
bf9ed183 by Endi S. Dewata at 2023-01-17T13:24:56-06:00
Move ChallengePhraseAuthentication to pki-ca

- - - - -
c2b75b8f by Endi S. Dewata at 2023-01-17T13:24:56-06:00
Move SSLClientCertAuthentication to pki-ca

- - - - -
b1d9abd8 by Endi S. Dewata at 2023-01-17T13:24:56-06:00
Remove obsolete RA code in ChallengePhraseAuthentication

- - - - -
03c254ca by Endi S. Dewata at 2023-01-17T13:24:56-06:00
Remove obsolete RA code in SSLClientCertAuthentication

- - - - -
2c89f822 by Endi S. Dewata at 2023-01-17T13:24:56-06:00
Clean up ChallengePhraseAuthentication

- - - - -
72aac544 by Endi S. Dewata at 2023-01-17T13:24:56-06:00
Clean up SSLClientCertAuthentication

- - - - -
f0838b05 by Endi S. Dewata at 2023-01-17T14:35:11-06:00
Add OCSPCMSAdminServlet

OCSP-specific code in CMSAdminServlet has been moved into
OCSPCMSAdminServlet.

- - - - -
f8246686 by Endi S. Dewata at 2023-01-17T14:35:20-06:00
Add TKSCMSAdminServlet

TKS-specific code in CMSAdminServlet has been moved into
TKSCMSAdminServlet.

- - - - -
9a18d75c by Endi S. Dewata at 2023-01-17T14:35:20-06:00
Merge IOCSPAuthority into OCSPAuthority

- - - - -
649ae806 by Endi S. Dewata at 2023-01-17T14:35:20-06:00
Remove unused ITKSAuthority

- - - - -
9fe72967 by Endi S. Dewata at 2023-01-17T14:44:36-06:00
Move AuthCredentials to pki-server

- - - - -
e4ef54e2 by Endi S. Dewata at 2023-01-17T15:28:29-06:00
Merge IArgBlock into ArgBlock

- - - - -
062cff46 by Endi S. Dewata at 2023-01-18T20:48:14+07:00
Add support for container registry configuration

The publish job has been modified to support container registry
configuration and will only run if the registry is configured.
The job will also no longer publish the runner image since it's
only used internally.

https://github.com/dogtagpki/pki/wiki/Configuring-Container-Registry

- - - - -
85e030c2 by Endi S. Dewata at 2023-01-18T08:51:43-06:00
Remove default container registry

- - - - -
7a9371d2 by Chris Kelley at 2023-01-19T09:42:08+00:00
Provide better error handling for missing CLI arguments

- - - - -
e0e53dc7 by Christina Fu at 2023-01-19T10:29:12+00:00
Add authorization to limit setTokenStatus to allowed admins

This patch adds authorization to limit setTokenStatus to admins
allowed for the token type in question.
If a token is not associated with a keyType/profile, then the admin
must have the ALL_PROFILES prvilege.

fixes https://bugzilla.redhat.com/show_bug.cgi?id=2106153
- - - - -
809a7e0f by Endi S. Dewata at 2023-01-19T21:02:43+07:00
Switch to Quay.io

- - - - -
94c99343 by Endi S. Dewata at 2023-01-20T22:09:04+07:00
Publish pki-ca and pki-acme images

The publish job has been modified to publish pki-ca and pki-acme
images to Quay.io.

- - - - -
9e9f2a39 by Endi S. Dewata at 2023-01-20T11:24:41-06:00
Clean up publish job

- - - - -
a0fd170a by Endi S. Dewata at 2023-01-20T15:32:19-06:00
Add CAIndexServlet

CA-specific code in IndexServlet has been moved into
CAIndexServlet.

- - - - -
44d31223 by Endi S. Dewata at 2023-01-20T15:32:20-06:00
Add CAGenPendingTemplateFiller

CA-specific code in GenPendingTemplateFiller has been moved
into CAGenPendingTemplateFiller.

- - - - -
e18bd486 by Endi S. Dewata at 2023-01-20T15:32:21-06:00
Move CloneRedirect to pki-ca

- - - - -
76bffc0b by Endi S. Dewata at 2023-01-20T15:32:23-06:00
Merge ICertificateAuthority into CertificateAuthority

- - - - -
1097266f by Endi S. Dewata at 2023-01-20T15:49:29-06:00
Move CertificateAuthority.getIssuanceProtPrivKey() to CAEngine

- - - - -
afbc36cf by Endi S. Dewata at 2023-01-20T15:56:10-06:00
Move CertificateAuthority.getStartSerial() to CAEngine

- - - - -
634fb224 by Endi S. Dewata at 2023-01-20T15:57:21-06:00
Move CertificateAuthority.setStartSerial() to CAEngine

- - - - -
027b5fac by Endi S. Dewata at 2023-01-20T16:02:28-06:00
Move CertificateAuthority.getMaxSerial() to CAEngine

- - - - -
c7079b28 by Endi S. Dewata at 2023-01-20T16:02:47-06:00
Move CertificateAuthority.setMaxSerial() to CAEngine

- - - - -
3e1d6374 by Endi S. Dewata at 2023-01-20T16:05:03-06:00
Move CertificateAuthority.getCertificateRepository() to CAEngine

- - - - -
02825991 by Endi S. Dewata at 2023-01-20T16:12:37-06:00
Move CertificateAuthority.getNonces() to CAEngine

- - - - -
bac10a87 by Marco Fargetta at 2023-01-23T15:51:00+01:00
Add fapolicy rules to allow execution of generated java code

When fapolicy daemon is running the default rules deny the execution of
java code from not trusted sources. This deny also the execution of some
code generated inside the instance `work` folder.

This is the case when FIPS is enabled and DISA STIG profile is applied.

To solve the problem a custom rule is applied during the installation.

Solve the  Bug 2091993

- - - - -
0afef895 by Endi S. Dewata at 2023-01-23T14:58:34-06:00
Move CertificateAuthority.ensureAuthorityDNAvailable() to CAEngine

- - - - -
71b2f25a by Endi S. Dewata at 2023-01-23T15:09:21-06:00
Remove unused CertificateAuthority fields

- - - - -
dc20877f by Endi S. Dewata at 2023-01-24T01:37:03-06:00
Fix installation warnings due to directory creation

- - - - -
f50916ed by Endi S. Dewata at 2023-01-24T01:37:03-06:00
Fix installation warnings due to file creation

- - - - -
57dfba10 by Endi S. Dewata at 2023-01-24T11:46:53-06:00
Update SCEP test to use SSCEP container

- - - - -
be4ae8c4 by Endi S. Dewata at 2023-01-24T18:04:17-06:00
Move Python lint test into separate workflow

- - - - -
fe06d384 by Endi S. Dewata at 2023-01-24T18:04:50-06:00
Fix installation warnings due to links creation

- - - - -
53a9362a by Endi S. Dewata at 2023-01-24T20:20:15-06:00
Replace PKI_SUBSYSTEM_TYPE with actual value

- - - - -
20067123 by Endi S. Dewata at 2023-01-25T09:11:20-06:00
Update EST test to use libEST container

- - - - -
6f637cb4 by Endi S. Dewata at 2023-01-25T09:14:53-06:00
Downgrade dependency to Jackson 2.10

The code has been modified to use Jackson 2.10 API since
the newer version may not be available on some platforms.

- - - - -
28182ad0 by Endi S. Dewata at 2023-01-25T14:23:52-06:00
Clean up TPSPhoneHome.getConfigPath()

- - - - -
faede98e by Endi S. Dewata at 2023-01-26T09:04:47-06:00
Remove instanceRoot in CS.cfg

The instanceRoot param in CS.cfg has been removed since the
value can be obtained from catalina.base system property.

An upgrade script has been added to remove the param from
existing instances.

- - - - -
74f6d1d0 by Chris Kelley at 2023-01-26T16:00:03+00:00
Fix certificate display in TPS web UI

The field names changed when in the XML -> JSON conversion, specify the
original names expected by the UI.
- - - - -
51dfc267 by Chris Kelley at 2023-01-26T16:00:03+00:00
Remove unnecessary inner classes from *Data classes

They were originally used to marshal XML for use in the JS front end,
but I am going to fix the front end to use the string maps that the rest
of the codebase utilises for simplicity.
- - - - -
04351382 by Chris Kelley at 2023-01-26T16:00:03+00:00
Update JS front end to use string map for properties

Also removes redundant methods to get Link objects that no longer exist
- - - - -
a39112ee by Endi S. Dewata at 2023-01-27T10:12:47-06:00
Consolidate container image cache

Previously each container image was stored in a separate cache
which in total consumed about 3 GB of space since they contain
duplicate layers. Since the quota is only 10 GB, cache eviction
happened quite often which slowed down the CI.

To reduce the problem the build job has been modified to store
all images into a single cache which saves about 1 GB of space.
The test and publish jobs have been modified to use this cache.

- - - - -
ee6adcac by Endi S. Dewata at 2023-01-27T12:34:19-06:00
Add server backup and restore test

A new test has been added to validate PKI server backup and
restore procedure. The current test does not validate the
backup and restore procedure for DS or HSM. They can be added
separately later.

https://github.com/dogtagpki/pki/wiki/Backing-Up-PKI-Server
https://github.com/dogtagpki/pki/wiki/Restoring-PKI-Server

- - - - -
86d42fe7 by Endi S. Dewata at 2023-01-27T19:16:50-06:00
Update build scripts

The build scripts has been modified to use Python macros
described in Fedora Packaging Guidelines.

https://docs.fedoraproject.org/en-US/packaging-guidelines/Python/

- - - - -
a81ebcc4 by Endi S. Dewata at 2023-01-27T19:18:50-06:00
Remove configurationRoot in CS.cfg

The configurationRoot param in CS.cfg has been removed since
the value can be determined from other sources.

The upgrade script has been modified to remove the param from
existing instances.

- - - - -
5ab58b6e by Endi S. Dewata at 2023-01-30T09:56:24-06:00
Remove profile.*.config in CS.cfg

The profile.*.config params in CS.cfg have been removed since the
value can be determined from other sources.

The upgrade script has been modified to remove the params from
existing instances.

- - - - -
c76a909f by Endi S. Dewata at 2023-01-30T10:23:47-06:00
Downgrade dependency to Python 3.6

The code has been modified to use Python 3.6 API since the
newer version might not be available on some platforms.

- - - - -
343ed69a by Chris Kelley at 2023-01-31T15:36:16+00:00
Strip debug symbols from executables
- - - - -
dbdbe616 by Endi S. Dewata at 2023-01-31T10:25:47-06:00
Remove unused PKI_INSTANCE_ROOT slot

- - - - -
4463abfb by Endi S. Dewata at 2023-01-31T10:25:47-06:00
Merge Instance class into PKIDeployer

- - - - -
926eb221 by Marco Fargetta at 2023-01-31T18:26:58+01:00
Fix cert rest API with json

Rest APIs to enroll and revoke certificates using CLI and json format
were broken in several points.

For the enrollment the problem was with the policy `id`. It was not
included in the lis json sent to the client for review breaking the
client. It is now included.
For the revocation there was a name mismatch between client and server.

Additionally, two test files have been fixed. The one for the enrollment
has a new CSR because the old one made use of obsolete and not supported
algorithm and the other for the revocation has a fixed on the time
counter.

Fix https://bugzilla.redhat.com/show_bug.cgi?id=2053189

- - - - -
11462e08 by Endi S. Dewata at 2023-01-31T22:35:47-06:00
Update PKISubsystem.validate_system_cert()

The PKISubsystem.validate_system_cert() has been modified
to raise an exception if the cert is invalid.

- - - - -
94045cd9 by Endi S. Dewata at 2023-02-01T13:45:38-06:00
Convert pki_user_deployment_cfg_spawn_archive into variable

- - - - -
5d6d7195 by Endi S. Dewata at 2023-02-01T14:36:07-06:00
Convert pki_user_deployment_cfg_replica into variable

- - - - -
648be9fd by Endi S. Dewata at 2023-02-01T14:36:07-06:00
Convert pki_manifest_spawn_archive into variable

- - - - -
3453ef10 by Endi S. Dewata at 2023-02-01T14:36:07-06:00
Convert pki_manifest into variable

- - - - -
6e2b2262 by Endi S. Dewata at 2023-02-01T14:36:07-06:00
Remove single-use pki_default_deployment_cfg_replica

- - - - -
80cef321 by Endi S. Dewata at 2023-02-01T14:37:22-06:00
Remove unused pki_registry_initscript_command

- - - - -
a051b5fd by Endi S. Dewata at 2023-02-01T14:38:17-06:00
Remove unused pki_subsystem_configuration_password_conf_link

- - - - -
dfad1bf3 by Endi S. Dewata at 2023-02-01T14:41:25-06:00
Remove redundant pki_self_signed_subject

- - - - -
ed6deb98 by Endi S. Dewata at 2023-02-01T16:30:54-06:00
Remove redundant pki_shared_password_conf

- - - - -
ee9270fc by Endi S. Dewata at 2023-02-01T16:33:32-06:00
Convert pki_shared_pfile into variable

- - - - -
0e0c072c by Endi S. Dewata at 2023-02-01T17:49:07-06:00
Convert pki_target_phone_home_xml into variable

- - - - -
1e7eafb6 by Endi S. Dewata at 2023-02-01T17:51:36-06:00
Convert pki_target_registry_cfg into variable

- - - - -
8f67916e by Endi S. Dewata at 2023-02-01T17:53:26-06:00
Convert pki_source_registry_cfg into variable

- - - - -
ccb44ba5 by Endi S. Dewata at 2023-02-01T17:57:01-06:00
Convert pki_target_subsystemcert_profile into variable

- - - - -
6c7f5e2b by Endi S. Dewata at 2023-02-01T17:58:33-06:00
Convert pki_target_servercert_profile into variable

- - - - -
6db8dc8f by Endi S. Dewata at 2023-02-01T18:00:59-06:00
Convert pki_target_caocspcert_profile into variable

- - - - -
e649bdaf by Endi S. Dewata at 2023-02-01T18:02:20-06:00
Convert pki_target_cacert_profile into variable

- - - - -
20c441b5 by Endi S. Dewata at 2023-02-01T18:05:25-06:00
Convert pki_target_caauditsigningcert_profile into variable

- - - - -
54889f27 by Endi S. Dewata at 2023-02-01T18:05:45-06:00
Convert pki_target_admincert_profile into variable

- - - - -
51647b5e by Endi S. Dewata at 2023-02-01T18:07:09-06:00
Convert pki_target_proxy_conf into variable

- - - - -
4f2d0875 by Endi S. Dewata at 2023-02-01T18:08:21-06:00
Convert pki_target_flatfile_txt into variable

- - - - -
cfad1d8d by Endi S. Dewata at 2023-02-01T19:17:40-06:00
Remove unused params

- - - - -
d880c5d3 by Endi S. Dewata at 2023-02-01T19:17:40-06:00
Convert pki_target_server_xml into variable

- - - - -
59127699 by Chris Kelley at 2023-02-02T18:32:04+00:00
Add new --attributes option to <subsystem>-user-add

Originally, this was to set nsPagedSizeLimit=20000 on creation of users

Currently every entry is pulled by default which has been causing users
problems. There is an RFE to change this attribute dynamically based on
the size of the backend DB but for now set a reasonable default.

Instead of just adding this one attribute, a general method for adding
arbitrary single-valued attributes on user creation is introduced.

A new test is added

Resolves: #1959057

- - - - -
577a169a by Endi S. Dewata at 2023-02-02T14:43:44-06:00
Remove redundant pki_target_cs_cfg

- - - - -
6e2caffa by Endi S. Dewata at 2023-02-02T15:58:07-06:00
Remove redundant pki_target_tomcat_conf_instance_id

- - - - -
bd66cee7 by Endi S. Dewata at 2023-02-02T16:18:20-06:00
Remove unused slot variables

- - - - -
43041091 by Endi S. Dewata at 2023-02-02T16:19:29-06:00
Replace PKI_HOSTNAME with direct substitution

- - - - -
39cec189 by Endi S. Dewata at 2023-02-02T16:22:12-06:00
Replace PKI_UNSECURE_PORT with direct substitution

- - - - -
852e2e06 by Endi S. Dewata at 2023-02-02T16:22:32-06:00
Replace PKI_SECURE_PORT with direct substitution

- - - - -
cb21ddcc by Chris Kelley at 2023-02-03T14:08:18+00:00
Code cleanup in User.java

* Reorder modifiers to match the JLS
* Put array designators on types
* Replace Vector with Set
* Simplify equals() and hashCode() implementations
* Introduce constants for repeated strings.
* Remove unnecessary null on instantiation of non-primitive types
* Rename member fields

- - - - -
a3240c13 by Endi S. Dewata at 2023-02-03T12:25:39-06:00
Replace TOMCAT_SERVER_PORT with direct substitution

- - - - -
a7f197ab by Endi S. Dewata at 2023-02-03T12:27:00-06:00
Replace SERVER_KEYGEN with direct substitution

- - - - -
65657984 by Endi S. Dewata at 2023-02-03T12:28:43-06:00
Replace PKI_AJP_PORT with direct substitution

- - - - -
8e0777d3 by Endi S. Dewata at 2023-02-03T12:29:53-06:00
Replace PKI_AJP_SECRET with direct substitution

- - - - -
4b06db28 by Endi S. Dewata at 2023-02-03T12:31:30-06:00
Replace PKI_AJP_REDIRECT_PORT with direct substitution

- - - - -
5422aabd by Endi S. Dewata at 2023-02-03T12:34:56-06:00
Replace PKI_INSTANCE_PATH with direct substitution

- - - - -
53f5428a by Endi S. Dewata at 2023-02-03T12:37:55-06:00
Replace PKI_INSTANCE_NAME with direct substitution

- - - - -
5664d315 by Endi S. Dewata at 2023-02-03T16:41:14-06:00
Replace PKI_ENABLE_RANDOM_SERIAL_NUMBERS with direct substitution

- - - - -
6d09b676 by Endi S. Dewata at 2023-02-03T16:41:14-06:00
Replace PKI_DS_SECURE_CONNECTION with direct substitution

- - - - -
1a12da17 by Endi S. Dewata at 2023-02-03T16:41:14-06:00
Replace PKI_AJP_HOST_IPv6 with direct substitution

- - - - -
4da3f6d6 by Endi S. Dewata at 2023-02-03T16:41:14-06:00
Replace PKI_AJP_HOST_IPv4 with direct substitution

- - - - -
f59294c4 by Endi S. Dewata at 2023-02-03T16:41:14-06:00
Replace PKI_STANDALONE with direct substitution

- - - - -
374d8ed0 by Endi S. Dewata at 2023-02-03T16:41:14-06:00
Remove unused slot variables

- - - - -
761382fc by Endi S. Dewata at 2023-02-06T12:58:23-06:00
Add PKISubsystem.create_sysconfig() and remove_sysconfig()

The code that creates and removes subsystem sysconfig files
has been moved into PKISubsystem.create_sysconfig() and
remove_sysconfig().

- - - - -
4fd2dc17 by Endi S. Dewata at 2023-02-06T12:58:23-06:00
Update ServerConfig.get_listener()

The ServerConfig.get_listener() has been modified to return
None if the listener does not exist.

- - - - -
086ec9eb by Endi S. Dewata at 2023-02-06T19:49:13-06:00
Swap KRA basic and RSNv3 tests

KRA basic and RSNv3 tests have been swapped for consistency
with CA tests.

- - - - -
ac80457c by Chris Kelley at 2023-02-07T08:53:09+00:00
Fix rpminspect issues by adding some compiler flags

- - - - -
ec3fbe7d by Chris Kelley at 2023-02-07T10:51:04+00:00
Update pom.xml to latest Jackson/jaxb-api versions
- - - - -
60150b9b by Endi S. Dewata at 2023-02-07T14:09:51-06:00
Remove AJP connector slot variables

Previously AJP connectors were added by uncommenting a part
of server.xml template using slot variables. This method
requires keeping a server.xml template in the code which
could become outdated.

To reduce maintenance requirements, the installation tool has
been modified to add the AJP connectors using Pyton XML API
instead.

Eventually the installation tool should be able to modify the
standard server.xml provided by Tomcat directly, eliminating
the need to keep a template in the code.

- - - - -
a4a032c5 by Marian Koncek at 2023-02-07T18:28:35-06:00
Resolve jar paths using xmvn

- - - - -
d5bbea7e by Chris Kelley at 2023-02-08T16:06:36+00:00
Fix token status transition in TPS web UI

The XML adaptor was removed so additional work in the JS is
needed.

Resolves: #2165098

- - - - -
6643ebab by Endi S. Dewata at 2023-02-08T15:45:38-06:00
Add missing --ignore-banner options

- - - - -
d7adc8b1 by Endi S. Dewata at 2023-02-09T12:06:02-06:00
Remove access log slot variables

Previously access log was enabled/disabled by uncommenting
or commenting out a part of server.xml template using slot
variables. This method requires keeping a server.xml template
in the code which could become outdated.

To reduce maintenance requirements, the installation tool has
been modified to enable/disable the access log using Pyton XML
API instead. The part of server.xml template related to access
log has been updated to match the default server.xml provided
by Tomcat. One of the tests has also been modified to test
disabling the access log.

- - - - -
b6b6d0b2 by Endi S. Dewata at 2023-02-09T16:03:26-06:00
Fix pkidestroy failures

Previously in standalone and external cases pkidestroy failed
to deregister the subsystem since in those cases the subsystem
was (correctly) not registered in the first place, so there is
actually no need to deregister the subsystem. The code had been
suppressing these failures which could potentially suppress
other problems as well.

Now the code has been modified to skip deregistration in those
cases so it's no longer necessary to suppress any failures.

- - - - -
8c259176 by Endi S. Dewata at 2023-02-10T09:54:48-06:00
Remove HTTP proxy slot variables

Previously HTTP proxy parameters were configured by modifying
CS.cfg template using slot variables. To reduce the size of the
template, the installation code has been modified to add the
parameters only if HTTP proxy is enabled.

- - - - -
1d0cfa68 by Endi S. Dewata at 2023-02-10T16:10:15-06:00
Remove profile subsystem slot variable

Previously the profile subsystem in CA's CS.cfg was configured
using a slot variable. To simplify the config file, it has been
modified to use the ProfileSubsystem class by default, then it
can be replaced with LDAPProfileSubsystem class if needed.

- - - - -
56919247 by Marco Fargetta at 2023-02-13T17:40:30+01:00
Adopt HTTP 1.1 for http based connections

Communication between subsystem on separate instance uses HTTP1.0 in
some cases. Since this version of HTTP does not support the Host header,
reverse proxies in the communication flow do not work.

This commit uprate the `HttpConnection` to use HTTP1.1 for the
communication. Actually, it does not support the full HTTP1.1 protocol
but only what is needed for the current communication options.

Solve the bugzilla 2130250

- - - - -
d8e7c0fa by Endi S. Dewata at 2023-02-13T16:39:21-06:00
Add verbose/debug options for pki-server-nuxwdog

- - - - -
cd257a88 by Endi S. Dewata at 2023-02-14T09:04:25-06:00
Fix RPM build warnings

The following absolute links generated RPM build warnings:

/usr/share/pki/est/webapps/est/WEB-INF/lib/pki-certsrv.jar -> /usr/share/java/pki/pki-certsrv.jar
/usr/share/pki/est/webapps/est/WEB-INF/lib/pki-cms.jar -> /usr/share/java/pki/pki-cms.jar
/usr/share/pki/est/webapps/est/WEB-INF/lib/pki-est.jar -> /usr/share/java/pki/pki-est.jar
/usr/share/pki/est/webapps/est/WEB-INF/lib/slf4j-api.jar -> /usr/share/java/slf4j/slf4j-api.jar
/usr/share/pki/est/webapps/est/WEB-INF/lib/slf4j-jdk14.jar -> /usr/share/java/slf4j/slf4j-jdk14.jar

They have been replaced with relative links.

- - - - -
15c33c9a by Endi S. Dewata at 2023-02-14T16:54:10-06:00
Fix JAXB and JAF dependencies

- - - - -
00401281 by Endi S. Dewata at 2023-02-15T09:12:08-06:00
Relocate pki-certsrv.jar

In commit dce39143ef77de286a36c7a3ee1009af317d7571 the
pki-cmsutil.jar in common/lib was merged into pki-certsrv.jar
in webapp/WEB-INF/lib. This actually broke Nuxwdog since some
of the classes that it needed were no longer accessible.

To fix the problem the pki-certsrv.jar has been moved to
common/lib. No upgrade script is required since the file is
owned by the package. A test for Nuxwdog will be added later.

- - - - -
1160966e by Endi S. Dewata at 2023-02-15T09:49:12-06:00
Publish pki-server image

The publish job has been modified to publish the pki-server
image to Quay.io such that it can be used for development
and testing without the complexity of setting up an actual
PKI subsystem.

- - - - -
5190976f by Endi S. Dewata at 2023-02-16T08:54:57-06:00
Remove unused standalone slot variables

The slot variables for standalone subsystems are actually not used
because the web.xml files are static so they have been removed.

The pkislots.cfg is now empty so the file and the related code
have been removed as well.

- - - - -
ec4abf57 by Endi S. Dewata at 2023-02-16T09:22:32-06:00
pkidaemon improvements

The pkidaemon script has been modified to avoid a possible
permission issue and to remove a redundant find operation.

- - - - -
83e477ae by Endi S. Dewata at 2023-02-16T10:08:01-06:00
Add test for CA with Nuxwdog

A new job has been added to test CA with Nuxwdog by installing a
regular CA first, then enabling Nuxwdog, then reverting back to
regular CA.

Normally when Nuxwdog is enabled the pki-server-nuxwdog script
will ask for the passwords on the console (which can be difficult
to automate) then store them in keyring. To automate the testing
the script has been modified to try to get the passwords from the
keyring first if they already exist. This way the test can be run
without asking for the password on the console.

The Keyring.get_key_id() has been modified to return None if the
key does not exist in keyring.

- - - - -
fb92ec97 by Endi S. Dewata at 2023-02-16T10:08:38-06:00
Remove remaining slot-related code

- - - - -
bd7513b5 by Endi S. Dewata at 2023-02-16T10:08:38-06:00
Remove unused War class

- - - - -
52f97069 by Endi S. Dewata at 2023-02-16T10:08:38-06:00
Add PKIDeployer.create_server_xml()

The code that creates and configures the server.xml has been
moved into PKIDeployer.create_server_xml().

- - - - -
2497b700 by Endi S. Dewata at 2023-02-16T20:30:37-06:00
Add PKIDeployer.store_config() and store_manifest()

The code that stores the user config and installation manifest has
been moved into PKIDeployer.store_config() and store_manifest(),
respectively.

- - - - -
dae6d6d1 by Endi S. Dewata at 2023-02-16T20:30:37-06:00
Reorganize CA tests

The CA tests have been reorganized based on complexity.

- - - - -
8ccf7520 by Endi S. Dewata at 2023-02-16T20:30:37-06:00
Fix Eclipse classpath

- - - - -
9bcdaed4 by Endi S. Dewata at 2023-02-17T08:56:56-06:00
Move C flags definitions into RPM spec

Some C flags definitions have been moved from CMake file
into RPM spec file such that they can be customized for
different platforms.

The build.sh has been modified to provide a way for the
RPM spec file to specify the C flags for CMake.

- - - - -
81b550e4 by Endi S. Dewata at 2023-02-17T15:25:14-06:00
Add PKISubsystem.default_cfg

The PKISubsystem.default_cfg has been added to provide the
path to the default.cfg stored in subsystem registry.

- - - - -
fbf33acc by Endi S. Dewata at 2023-02-17T17:48:35-06:00
Add PKIInstance.create_registry() and remove_registry()

The code that creates and removes instance registry has
been consolidated into PKIInstance.create_registry() and
remove_registry().

- - - - -
a00c7b4b by Endi S. Dewata at 2023-02-17T17:48:35-06:00
Add PKISubsystem.create_registry() and remove_registry()

The code that creates and removes subsystem registry has
been consolidated into PKISubsystem.create_registry() and
remove_registry().

- - - - -
df22e19e by Endi S. Dewata at 2023-02-20T11:34:53-06:00
Fix pki.policy

The pki.policy has been updated such that it works on both
Fedora and RHEL. Some obsolete policies have been removed
as well.

- - - - -
373369ae by Endi S. Dewata at 2023-02-20T13:48:09-06:00
Rename pki-certsrv.jar to pki-common.jar

The pki-certsrv.jar has been renamed to pki-common.jar to
better reflect the content of the file which comes from
base/common.

- - - - -
a652ee01 by Endi S. Dewata at 2023-02-20T13:55:32-06:00
Fix pki-server run

To help troubleshooting, the pki-server run command has been
modified to run the same pki-server migrate command and use
the same class path as the systemd service.

- - - - -
60ae443d by Endi S. Dewata at 2023-02-21T08:37:09-06:00
Add test for CA installation with non-default user

A new job has been added to test CA installation with
non-default user and group. The server process should
be running as the non-default user.

- - - - -
0358f56f by Endi S. Dewata at 2023-02-22T10:23:32-06:00
Add pki securitydomain-leave

A new pki securitydomain-leave command has been added to
replace the sslget command used to deregister a subsystem
from the security domain. This will reduce the dependency
on native code and simplify the maintenance.

A new PKIDeployer.leave_security_domain() method has been
added to call the pki securitydomain-leave command. This
method replaces the SecurityDomain.deregister() that calls
sslget.

The SecurityDomain class is no longer used so it has been
removed.

- - - - -
a2f300b5 by Endi S. Dewata at 2023-02-23T12:14:32-06:00
Fix OCSP tests

The OCSP tests have been updated to remove the file names
and line numbers from the stderr so it can be compared
more reliably.

- - - - -
6f3401cb by Endi S. Dewata at 2023-02-27T10:00:34-06:00
Add pki_registry_enable

pkispawn uses a registry to keep track of all instances and
subsystems it installed to help future removal. However, in
containers it's not necessary to remove the instances and
subsystems, so a new pki_registry_enable param has been
added to disable the registry in a container.

- - - - -
b53c547f by Chris Kelley at 2023-02-27T18:16:07+00:00
Restore some codeBase permissions in pki.policy

These permissions are required at runtime to start the PKI server.

- - - - -
bd499c5b by Marco Fargetta at 2023-02-28T13:43:15+01:00
Add ACME tests with postgresql back-end

- - - - -
a925e708 by Endi S. Dewata at 2023-02-28T12:03:35-06:00
Update RESTEasy dependency

- - - - -
aa7d8ee1 by Endi S. Dewata at 2023-02-28T16:17:40-06:00
Remove non-customizable pki_tomcat_bin_link param

- - - - -
34b62646 by Endi S. Dewata at 2023-02-28T16:45:43-06:00
Remove non-customizable pki_instance_conf_link param

- - - - -
c4dc3097 by Endi S. Dewata at 2023-02-28T16:45:43-06:00
Remove non-customizable pki_instance_logs_link param

- - - - -
003a18b7 by Endi S. Dewata at 2023-02-28T16:45:43-06:00
Remove non-customizable pki_tomcat_tmpdir_path param

- - - - -
137eeb86 by Endi S. Dewata at 2023-02-28T16:45:43-06:00
Remove non-customizable pki_instance_database_link param

- - - - -
1e1b2de4 by Endi S. Dewata at 2023-02-28T16:45:43-06:00
Remove unused pki_subsystem_signed_audit_log_path param

- - - - -
81cea0b7 by Chris Kelley at 2023-03-01T14:14:24+00:00
Add -flto compiler flag

RPMInspect is failing as it cannot detect whether Link Time
Optimisation is being used by GCC. I can't see any reason to not
enable this option from reading docs about it, so I have added it
in. See: https://gcc.gnu.org/onlinedocs/gcc/Optimize-Options.html

- - - - -
466a210c by Chris Kelley at 2023-03-01T15:29:00+00:00
Change -flto to -fno-lto

We are unable to compile with -flto, it breaks GCC, so disable it

- - - - -
9ba858ed by Endi S. Dewata at 2023-03-01T09:49:18-06:00
Use Python XML to update Tomcat admin port

This will reduce the difference between the server.xml template
in PKI and the default server.xml provided by Tomcat.

- - - - -
1e262c67 by Endi S. Dewata at 2023-03-01T10:07:26-06:00
Add PKIService.getCMSEngine()

Currently the CMSEngine object is stored in CMS.engine global
variable which makes it more complicated to maintain the code.
To reduce the problem, the PKIWebListener has been modified to
store the CMSEngine object as an attribute in the servlet
context (i.e. web application). The PKIService.getCMSEngine()
has been added to get the CMSEngine object from the servlet
context.

The code that depends on the CMS.engine will be incrementally
updated. Eventually the CMS.engine will no longer be used and
can be removed.

- - - - -
4a2ce948 by Endi S. Dewata at 2023-03-01T10:07:26-06:00
Update UserService to use PKIService.getCMSEngine()

- - - - -
f2289c0e by Endi S. Dewata at 2023-03-01T10:07:26-06:00
Update GroupService to use PKIService.getCMSEngine()

- - - - -
278f6872 by Endi S. Dewata at 2023-03-01T10:07:26-06:00
Update JobService to use PKIService.getCMSEngine()

- - - - -
968e56c2 by Endi S. Dewata at 2023-03-01T15:12:04-06:00
Rename pki-cms.jar to pki-server.jar

The pki-cms.jar has been renamed to pki-server.jar to
better reflect the content of the file which comes from
base/server.

- - - - -
9dd6c91f by Endi S. Dewata at 2023-03-01T15:32:14-06:00
Update SelfTestService to use PKIService.getCMSEngine()

- - - - -
79fa00e6 by Endi S. Dewata at 2023-03-01T15:32:14-06:00
Update FeatureService to use PKIService.getCMSEngine()

- - - - -
fcee50b8 by Endi S. Dewata at 2023-03-01T15:32:14-06:00
Update AuditService to use PKIService.getCMSEngine()

- - - - -
8daeb2a1 by Endi S. Dewata at 2023-03-01T15:32:14-06:00
Update KeyRequestService to use PKIService.getCMSEngine()

- - - - -
55731916 by Endi S. Dewata at 2023-03-01T15:32:14-06:00
Update KeyService to use PKIService.getCMSEngine()

- - - - -
6005518d by Endi S. Dewata at 2023-03-01T15:32:14-06:00
Remove redundant attributes in CMSServlet

- - - - -
72caec4b by Endi S. Dewata at 2023-03-01T19:02:08-06:00
Remove unused ProfileSubsystem

The ProfileSubsystem for profiling the system (i.e. monitoring
memory and threads) is unused so it has been removed.

The ProfileSubsystem for managing cert profiles is still intact.

- - - - -
5d1a4735 by Endi S. Dewata at 2023-03-01T19:02:17-06:00
Update IPolicyProcessor.getAuthority() to return IAuthority

- - - - -
4fef741b by Endi S. Dewata at 2023-03-01T19:02:17-06:00
Merge IStatsSubsystem into StatsSubsystem

- - - - -
4690fddb by Endi S. Dewata at 2023-03-01T19:02:17-06:00
Drop ISubsystem from TransportKeyUnit

The ISubsystem implementation in TransportKeyUnit is not
providing useful functionality so it has been removed.

- - - - -
dcbe7db8 by Endi S. Dewata at 2023-03-01T19:02:17-06:00
Merge ITransportKeyUnit into TransportKeyUnit

- - - - -
6dcc74d8 by Endi S. Dewata at 2023-03-02T09:29:20-06:00
Use Python XML to remove default LockOutRealm

This will reduce the difference between the server.xml template
in PKI and the default server.xml provided by Tomcat.

- - - - -
632411d9 by Endi S. Dewata at 2023-03-02T15:20:07-06:00
Use Python XML to configure listeners

This will reduce the difference between the server.xml template
in PKI and the default server.xml provided by Tomcat.

- - - - -
569e61c3 by Endi S. Dewata at 2023-03-02T15:23:06-06:00
Convert CMSServlet.mUG into local variable

- - - - -
82692f1f by Endi S. Dewata at 2023-03-02T15:23:06-06:00
Convert AdminServlet.mUG into local variable

- - - - -
99c69518 by Endi S. Dewata at 2023-03-02T15:23:06-06:00
Move CMSServlet.generateSalt() into JssSubsystem

- - - - -
2cc92c58 by Chris Kelley at 2023-03-03T08:37:40+00:00
Make xmvn conditional on archs which support it

- - - - -
98f5fbe9 by Endi S. Dewata at 2023-03-03T09:28:21-06:00
Use Python XML to add RewriteValve

This will reduce the difference between the server.xml template
in PKI and the default server.xml provided by Tomcat.

- - - - -
ad999c16 by Endi S. Dewata at 2023-03-06T09:05:04-06:00
Use Python XML to remove UserDatabase

This will reduce the difference between the server.xml template
in PKI and the default server.xml provided by Tomcat.

- - - - -
6129855a by Endi S. Dewata at 2023-03-07T10:39:32-06:00
Add PKIClientAuthenticator

The PKIClientAuthenticator has been added to provide basic
authentication for PKI client using JAX-RS API. This will
reduce dependency on deprecated Apache HTTPComponents API.

- - - - -
d09ac523 by Endi S. Dewata at 2023-03-07T16:29:50-06:00
Fix index calculation in replace_params()

- - - - -
61653a08 by Endi S. Dewata at 2023-03-07T17:59:20-06:00
Add CMSServlet.getCMSEngine()

The CMSServlet.getCMSEngine() has been added to provide
the CMSEngine instance for subclasses of CMSServlet.

- - - - -
a693153c by Endi S. Dewata at 2023-03-07T17:59:24-06:00
Add AdminServlet.getCMSEngine()

The AdminServlet.getCMSEngine() has been added to provide
the CMSEngine instance for subclasses of AdminServlet.

- - - - -
3693cb2f by Endi S. Dewata at 2023-03-07T18:34:24-06:00
Convert DynamicVariablesServlet.mCrlurl into local variable

- - - - -
11d268fa by Endi S. Dewata at 2023-03-07T18:34:58-06:00
Update AdminServlet subclasses to use getCMSEngine()

- - - - -
3679cfbb by Endi S. Dewata at 2023-03-07T18:38:43-06:00
Update CMSServlet subclasses to use getCMSEngine()

- - - - -
06c4c740 by Endi S. Dewata at 2023-03-08T10:08:30-06:00
Use Python XML to configure unsecure connector

This will reduce the difference between the server.xml template
in PKI and the default server.xml provided by Tomcat.

- - - - -
f3c6f3bc by Endi S. Dewata at 2023-03-08T17:20:07-06:00
Split IAuthority from ISubsystem

The IAuthority has been split from from ISubsystem since an
authority such as LWCA can have multiple instances whereas
a subsystem will only have one instance.

- - - - -
f39eb665 by Endi S. Dewata at 2023-03-08T18:09:13-06:00
Rename BaseSubsystem to Subsystem

- - - - -
42971455 by Endi S. Dewata at 2023-03-08T20:00:59-06:00
Merge ISubsystem into Subsystem

- - - - -
eab799aa by Endi S. Dewata at 2023-03-09T09:43:02-06:00
Use Python XML to add secure connector

This will reduce the difference between the server.xml template
in PKI and the default server.xml provided by Tomcat.

- - - - -
661b05cf by Endi S. Dewata at 2023-03-09T12:53:06-06:00
Drop server.xml template

The server.xml template is no longer needed since it is
identical to the default server.xml provided by Tomcat.

- - - - -
a45b3e1b by Endi S. Dewata at 2023-03-09T12:53:30-06:00
Move CMSAdminServlet.importXCert() into CACMSAdminServlet

- - - - -
64d59638 by Endi S. Dewata at 2023-03-09T12:53:30-06:00
Merge ICrossCertPairSubsystem into CrossCertPairSubsystem

- - - - -
14ff4712 by Endi S. Dewata at 2023-03-09T14:13:08-06:00
Remove unused methods in IAuthority

- - - - -
cbcd768c by Endi S. Dewata at 2023-03-09T18:42:51-06:00
Update Subsystem.init() for consistency

- - - - -
a37bfa1e by Endi S. Dewata at 2023-03-10T10:49:54-06:00
Fix CMSEngine.startupSubsystems()

The CMSEngine.startupSubsystems() has been updated to skip
starting up the SelfTestSubsystem during installation since
the certs might not be available yet at that point.

- - - - -
77a7c567 by Endi S. Dewata at 2023-03-10T15:25:28-06:00
Add Subsystem.engine

The Subsystem.engine field has been added to store the CMSEngine
instance such that the subsystem no longer needs to use a static
method such as CMS.getCMSEngine() or <engine>.getInstance() to
get the instance.

- - - - -
19258e17 by Endi S. Dewata at 2023-03-10T18:02:23-06:00
Move CertificateRepository to pki-ca

- - - - -
7b58094f by Endi S. Dewata at 2023-03-10T18:02:23-06:00
Rename RandomConfig to SecureRandomConfig

- - - - -
e8d28d29 by Endi S. Dewata at 2023-03-10T18:02:23-06:00
Add SecureRandomFactory

The code that creates a SecureRandom instance has been moved
into SecureRandomFactory.

- - - - -
0f7eb8c8 by Endi S. Dewata at 2023-03-10T18:02:23-06:00
Update RequestRepository

The RequestRepository has been updated to take a SecureRandom
instance instead of creating it during initialization.

- - - - -
ccedcd2e by Endi S. Dewata at 2023-03-10T18:53:54-06:00
Update KeyRepository

The KeyRepository has been updated to take a SecureRandom
instance instead of creating it during initialization.

- - - - -
b1038c5d by Endi S. Dewata at 2023-03-10T18:57:28-06:00
Update CertificateRepository

The CertificateRepository has been updated to take a SecureRandom
instance instead of creating it during initialization.

- - - - -
0f428f6d by Chris Kelley at 2023-03-13T11:50:42+00:00
Fix adding Profile/Profile Mapping in TPS UI

There were some naming mismatches and request format issues which are
now resolved.

In addition, there was a larger problem that JS arrays are not always
deserialised correctly, so a new StringHashMapValueDeserializer class is
introduced to assist with this.

Adding ProfileMappingData objects still did not work, as the Id and
ProfileMappingID were used interchangeably causing a null reference.
ProfileMappingData has been modified to be of the same format as
ProfileData.

- - - - -
025d009f by Chris Kelley at 2023-03-13T15:46:13+00:00
Merge TPSEngine classes into one class

Simplifies a lot of code. The TPSSubsystem no longer requires the engine
field, so it has been removed.

- - - - -
95b61a26 by Endi S. Dewata at 2023-03-14T09:37:36-05:00
Add AuthManager.engine

The AuthManager.engine field has been added to store the
CMSEngine instance such that the auth manager no longer
needs to use a static method such as CMS.getCMSEngine()
or <engine>.getInstance() to get the instance.

- - - - -
de26cac1 by Chris Kelley at 2023-03-14T14:46:51+00:00
Introduce pki-rpminspect profile for rpminspect

Allows more fine-grained control of checks than CLI arguments, which
allows us to run the javabytecode, runpath and annocheck jobs again
without disabling them completely.

The license job is disabled because of a bug in rpminspect itself.

The metadata job is still disabled, but we can probably now configure it
to pass using this profile.
- - - - -
3a1eb908 by Endi S. Dewata at 2023-03-14T13:44:47-05:00
Convert IAuthzManager into AuthzManager class

- - - - -
7bbe6f26 by Endi S. Dewata at 2023-03-14T13:51:16-05:00
Merge name fields into AuthzManager

- - - - -
6ba99e84 by Endi S. Dewata at 2023-03-14T13:51:24-05:00
Merge implName fields into AuthzManager

- - - - -
346848d1 by Endi S. Dewata at 2023-03-14T13:51:31-05:00
Merge config fields into AuthzManager

- - - - -
cb7963fb by Endi S. Dewata at 2023-03-14T13:55:00-05:00
Convert GroupMemberProcessor.userGroupManager into local variable

- - - - -
6e8594cf by Endi S. Dewata at 2023-03-14T13:56:08-05:00
Convert SecurityDomainProcessor.random into local variable

- - - - -
12d7f7c0 by Endi S. Dewata at 2023-03-14T16:25:15-05:00
Convert IAccessEvaluator into AccessEvaluator class

- - - - -
0bb2390c by Endi S. Dewata at 2023-03-14T16:25:17-05:00
Merge type fields into AccessEvaluator

- - - - -
8bbed3a7 by Endi S. Dewata at 2023-03-14T16:25:18-05:00
Merge description fields into AccessEvaluator

- - - - -
99143b82 by Endi S. Dewata at 2023-03-14T16:25:18-05:00
Convert GroupAccessEvaluator.mUG into local variable

- - - - -
daa864b8 by Endi S. Dewata at 2023-03-14T16:27:11-05:00
Remove unused SubsystemService.engine

- - - - -
a3da0d58 by Endi S. Dewata at 2023-03-14T16:42:26-05:00
Convert SystemConfigService.csState into local variable

- - - - -
ecbfcdde by Endi S. Dewata at 2023-03-14T16:42:26-05:00
Remove unused SystemConfigService

- - - - -
13a37cf9 by Endi S. Dewata at 2023-03-14T18:42:39-05:00
Rename SecurityDomainSessionTable to MemorySecurityDomainSessionTable

- - - - -
4945bcf6 by Endi S. Dewata at 2023-03-14T19:00:23-05:00
Convert ISecurityDomainSessionTable into SecurityDomainSessionTable class

- - - - -
e1b7c9c6 by Endi S. Dewata at 2023-03-14T19:09:45-05:00
Merge timeToLive fields into SecurityDomainSessionTable

- - - - -
4d4caec4 by Chris Kelley at 2023-03-15T08:43:00+00:00
Remove serialVersionUID from classes that don't implement Serializable

Most/all of this is from classes inheriting from LogEvent. In the past
LogEvent implemented an interface called ILogEvent, which in turn
extended Serializable. ILogEvent no longer exists, so none of these
classes are Serializable, so the field is not used and unnecessary.
- - - - -
186f936f by dependabot[bot] at 2023-03-15T11:13:06+00:00
Bump ansible from 2.9.13 to 7.0.0 in /tests/dogtag/pytest-ansible

Bumps [ansible](https://github.com/ansible/ansible) from 2.9.13 to 7.0.0.
- [Release notes](https://github.com/ansible/ansible/releases)
- [Commits](https://github.com/ansible/ansible/commits)

---
updated-dependencies:
- dependency-name: ansible
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support at github.com>
- - - - -
0ada6c8f by Chris Kelley at 2023-03-15T14:01:23+00:00
Code clean up in DisplayBySerial

* Replace BigInteger constructor
* Reorder modifiers to match JLS, make logger final
* Put array designator on the type
* Remove unnecessary semicolon/redundant jumps
* Remove unused engine variable
* Simplify logic in getSerialNumber()
* Use pattern matching instanceof
- - - - -
fc60e462 by Endi S. Dewata at 2023-03-15T11:57:38-05:00
Add PKIRealm.engine

The PKIRealm.engine field has been added to store the
CMSEngine instance such that the realm no longer needs
to use CMS.getCMSEngine() to get the instance.

- - - - -
3a4c7291 by Endi S. Dewata at 2023-03-15T12:08:35-05:00
Remove unused PKIRealm.getName()

- - - - -
6ab0fd97 by Endi S. Dewata at 2023-03-15T18:16:56-05:00
Merge IMailNotification into MailNotification

- - - - -
7102594c by Endi S. Dewata at 2023-03-16T09:45:47-05:00
Add AuthzManager.engine

- - - - -
e295ec39 by Endi S. Dewata at 2023-03-16T09:45:47-05:00
Add AccessEvaluator.engine

- - - - -
3d5297b8 by Endi S. Dewata at 2023-03-16T09:45:47-05:00
Add Processor.engine

- - - - -
44084f69 by Endi S. Dewata at 2023-03-16T09:45:47-05:00
Add LDAPSecurityDomainSessionTable.engine

- - - - -
e9851e1f by Endi S. Dewata at 2023-03-16T13:19:38-05:00
Update GroupAccessEvaluator to use AccessEvaluator.engine

- - - - -
941ffa76 by Endi S. Dewata at 2023-03-16T13:31:06-05:00
Move CMSRequestDAO.authz into KeyRequestDAO

- - - - -
c35d8380 by Endi S. Dewata at 2023-03-16T13:31:06-05:00
Add SystemInfoServlet.getCMSEngine()

- - - - -
efd9fdf5 by Endi S. Dewata at 2023-03-16T13:31:06-05:00
Add ACLInterceptor.getCMSEngine()

- - - - -
e5c4fa12 by Endi S. Dewata at 2023-03-16T15:20:28-05:00
Add Job.engine

- - - - -
a3018bb1 by Endi S. Dewata at 2023-03-16T15:22:37-05:00
Convert CertUserLocator into class

- - - - -
af086eb6 by Endi S. Dewata at 2023-03-16T15:28:02-05:00
Add CertUserLocator.engine

- - - - -
b403a135 by Endi S. Dewata at 2023-03-16T17:06:29-05:00
Add DBSubsystem.engineConfig

- - - - -
ebb6e500 by Endi S. Dewata at 2023-03-16T17:06:29-05:00
Move PWCBsdr to pki-ca

- - - - -
cdbda8a9 by Endi S. Dewata at 2023-03-16T17:06:29-05:00
Add PWsdrCache.engineConfig

- - - - -
58551e15 by Endi S. Dewata at 2023-03-16T17:06:29-05:00
Convert IRequestListener into RequestListener class

- - - - -
8bf953f0 by Endi S. Dewata at 2023-03-16T17:06:29-05:00
Add RequestListener.engine

- - - - -
3f99d74d by Endi S. Dewata at 2023-03-16T17:06:29-05:00
Add Connector.engine

- - - - -
b10d0d6c by Endi S. Dewata at 2023-03-16T17:06:29-05:00
Add Resender.engine

- - - - -
4ab7e88f by Chris Kelley at 2023-03-17T08:57:42+00:00
Fix token filtering in TPS UI

Only the filter created from input in the search bar was being
used to compose the ldapsearch query. The attributes were passed
across from the client and into the procesing method but were not
then passed on to the database.

Resolves #2178816

- - - - -
1f59fcc4 by Chris Kelley at 2023-03-17T14:44:46+00:00
Code cleanup in JssSubsystem

* Make logger final
* Remove unnecessary mId static variable
* Make mFormatter an instance variable
* Remove commented out old code
* Use try-with-resources
* Use pattern-matching instanceof
* Remove unnecessary boolean literals and control flow jumps
* Don't create variables just to return them
* Move array designator to the type
* Combine identical catch blocks
* Use isEmpty() to check for empty strings
- - - - -
74dbf86c by Endi S. Dewata at 2023-03-17T19:47:51-05:00
Clean up log messages in CMSServlet

- - - - -
1b37f87f by Endi S. Dewata at 2023-03-20T09:21:35-05:00
Store CMSEngine in Processor

All instances of Processor have been modified to store the
CMSEngine object such that it can be used by other objects
in the Processor.

- - - - -
8691682d by Endi S. Dewata at 2023-03-20T09:21:35-05:00
Refactor CMSGateway

Previously the CMSGateway used the static CMS.getCMSEngine()
which could potentially cause class loading issues. To avoid
the problem the static fields and methods in the class have
been converted into non-static, and a new engine field has
been added to store a reference to the CMSEngine instance
such that it no longer needs to rely on CMS.getCMSEngine().

- - - - -
df552406 by Chris Kelley at 2023-03-20T15:56:09+00:00
Tidy up in AVAPattern

* Tidy up vertical whitespace/indentation
* Use ternary operators
* Simplify some logic
* Use isEmpty() to check for an empty string.
* Remove empty statements and commented out old code
* Make logger final
- - - - -
09d7cc9d by Endi S. Dewata at 2023-03-21T08:24:53-05:00
Update CLIException.code

The code field in CLIException has been updated such that CLIs
that throw this exception will return a non-zero code by default.

- - - - -
77351fe7 by Endi S. Dewata at 2023-03-21T14:12:22-05:00
Update pki-server ca-cert help messages

- - - - -
65a11331 by Endi S. Dewata at 2023-03-21T20:01:53-05:00
Refactor MailNotification

The code that initializes the mHost field in MailNotification's
constructor has been moved to the caller.

- - - - -
6b5edd9f by Endi S. Dewata at 2023-03-21T20:14:12-05:00
Move RequestQueue.recover() into CMSEngine

- - - - -
5cfd0388 by Endi S. Dewata at 2023-03-21T20:14:16-05:00
Simplify CMSEngine.isExcludedLdapAttr()

- - - - -
756bb42c by Endi S. Dewata at 2023-03-21T20:14:16-05:00
Simplify CMSEngine.excludedLdapAttrsList

- - - - -
2b9f4ecb by Endi S. Dewata at 2023-03-21T20:14:16-05:00
Move ServletUtils.initializeAuthz() into CMSServlet

- - - - -
3d5fcc99 by Endi S. Dewata at 2023-03-22T10:08:14-05:00
Add pki-server <subsystem>-user-cert-find

The pki-server <subsystem>-user-cert-find command has been added
to list the certs assigned to a user.

https://github.com/dogtagpki/pki/wiki/PKI-Server-Subsystem-User-Certificate-CLI

- - - - -
3ddfa044 by Endi S. Dewata at 2023-03-22T10:08:14-05:00
Add pki-server ca-cert-request-import

The pki-server ca-cert-request-import has been added to import
a cert request into CA database. The CLI will call the existing
PKISubsystem.import_cert_request().

https://github.com/dogtagpki/pki/wiki/PKI-Server-CA-Certificate-Request-CLI

- - - - -
23b7460a by Endi S. Dewata at 2023-03-22T10:22:05-05:00
Add --subsystem param for pki-server sd-host-add

The pki-server sd-host-add command has been modified to require
a subsystem type.

- - - - -
5fd53286 by Endi S. Dewata at 2023-03-23T10:39:43-05:00
Rename pki-server sd-host-add to pki-server sd-subsystem-add

The pki-server sd-host-add command has been renamed into
pki-server sd-subsystem-add since it's used to manage subsystems
(which are identified by hostname, port, and subsystem type)
in the security domain instead of hosts.

The original CLI was only used for development and has never
been officially documented so it's not necessary to document
this change.

- - - - -
f98fc86b by Endi S. Dewata at 2023-03-23T10:39:43-05:00
Add pki-server sd-subsystem-find

The pki-server sd-subsystem-find has been added to display the
subsystems registered in the security domain.

- - - - -
81bdee54 by Endi S. Dewata at 2023-03-23T10:39:43-05:00
Add pki-server sd-subsystem-del

The pki-server sd-subsystem-del has been added to remove a
subsystem from the security domain.

- - - - -
35fd3c42 by Chris Kelley at 2023-03-24T09:27:50+00:00
Re-enable the licence check.

With the release of rpminspect-data-fedora-1.10-1.fc37 the bug in this
check is resolved, so we can run it again.
- - - - -
a5744ed7 by Chris Kelley at 2023-03-24T13:52:27+00:00
Remove unnecessary else clauses to tidy up logic

50 files, more to come, there is a lot of this.

I tried to only simplify the logic, but some classes needed formatting
applied because there mixes of spaces, tabs and weird indentation and it
was impossible to verify the changes without it.
- - - - -
9f8b3cc4 by Chris Kelley at 2023-03-24T14:04:01+00:00
Code cleanup in CRLIssuingPoint

* Remove unused mCertRepository member variable
* Tidy up logic/unnecessary else clauses/boolean literals
* Remove conditionals that always evaluate either true/false
* Use isEmpty()
* Use pattern matching instanceof
* Catch Exception instead of Throwable
* Tidy up formatting to match JLS
- - - - -
03ca8a30 by Chris Kelley at 2023-03-24T16:06:59+00:00
Remove unnecessary else clauses from 50 more classes.

Tidies up some more logic.
- - - - -
67ed64e6 by Endi S. Dewata at 2023-03-24T11:58:07-05:00
Add --member param for pki-server <subsystem>-group-find

The pki-server <subsystem>-group-find has been updated to provide
a way to find the groups that contain a user.

- - - - -
e84a2b1d by Endi S. Dewata at 2023-03-24T11:58:07-05:00
Add pki-server <subsystem>-group-member-del

The pki-server <subsystem>-group-member-del has been added to
remove a member from a group.

- - - - -
6aaa8fa4 by Chris Kelley at 2023-03-24T20:35:37+00:00
Fix unnecessary else clauses in 50 more classes
- - - - -
41d0ab23 by Endi S. Dewata at 2023-03-24T16:29:53-05:00
Update log messages in ProfileProcessServlet

- - - - -
eb6740e6 by Endi S. Dewata at 2023-03-24T16:29:53-05:00
Update log messages in UpdateDomainXML

- - - - -
579613e7 by Endi S. Dewata at 2023-03-24T16:29:53-05:00
Update log messages in PKIDeployer.leave_security_domain()

- - - - -
7676818b by Endi S. Dewata at 2023-03-24T16:29:53-05:00
Move Auditor.auditor into CMSEngine

- - - - -
a20ecee1 by Endi S. Dewata at 2023-03-24T16:29:53-05:00
Add Auditor.engine

- - - - -
289963aa by Endi S. Dewata at 2023-03-24T16:29:53-05:00
Add LogEventListener.engine

- - - - -
4709db36 by Endi S. Dewata at 2023-03-24T16:29:53-05:00
Add RequestNotifier.engine

- - - - -
60ca8006 by Endi S. Dewata at 2023-03-24T16:29:53-05:00
Add PKIServerSocketListener.engine

- - - - -
1fab98b7 by Endi S. Dewata at 2023-03-24T17:18:31-05:00
Update log messages in profile services

- - - - -
b30bad6b by Endi S. Dewata at 2023-03-24T18:43:54-05:00
Move Subsystem.engine initialization into CMSEngine.loadSubsystems()

- - - - -
cfedd6b3 by Endi S. Dewata at 2023-03-24T18:44:18-05:00
Add Processor.init()

The code that initializes a Processor has been moved into init().

- - - - -
b0d97309 by Endi S. Dewata at 2023-03-24T18:44:18-05:00
Add GenericPolicyProcessor.engine

- - - - -
3adfcf08 by Endi S. Dewata at 2023-03-24T18:44:18-05:00
Move ServletUtils.getACLMethod() to CAProcessor

- - - - -
69151c39 by Endi S. Dewata at 2023-03-24T18:44:18-05:00
Replace JssSubsystem.mInstance with CMSEngine.jssSubsystem

- - - - -
7215118f by Endi S. Dewata at 2023-03-27T19:49:15-05:00
Add JssSubsystem.engine

- - - - -
afcb1753 by Endi S. Dewata at 2023-03-27T19:49:15-05:00
Add SelfTest.engine

- - - - -
8e8ef043 by Endi S. Dewata at 2023-03-27T19:49:15-05:00
Add PKIProcessor.engine

- - - - -
ee71e29f by Endi S. Dewata at 2023-03-27T19:49:15-05:00
Move KeyCertUtil.signCert() to JssSubsystem

- - - - -
5771e253 by Endi S. Dewata at 2023-03-27T19:49:15-05:00
Rename profileChangeMonitor to ProfileChangeMonitor

- - - - -
f431e9b8 by Endi S. Dewata at 2023-03-27T19:49:15-05:00
Rename KeyRetrieverRunner thread to KeyRetriever

- - - - -
41df6a95 by Endi S. Dewata at 2023-03-27T22:12:08-05:00
Move CertUtils.verifySystemCerts() into CMSEngine

- - - - -
73415a1c by Endi S. Dewata at 2023-03-27T22:12:08-05:00
Move CertUtils.verifySystemCertByTag() into CMSEngine

- - - - -
b96f7154 by Endi S. Dewata at 2023-03-27T22:12:08-05:00
Move CertUtils.parsePKCS10() into CAEngine

- - - - -
c4a36fe7 by Endi S. Dewata at 2023-03-27T22:18:39-05:00
Move KeyCertUtil.setAuthInfoAccess() into JssSubsystem

- - - - -
7a60e60c by Endi S. Dewata at 2023-03-27T22:18:39-05:00
Move RequestRepository.createRequestID(ephemeral) into KeyRequestDAO

- - - - -
7acba9d2 by Endi S. Dewata at 2023-03-28T12:32:11-05:00
Move CMSEngine.isExcludedLdapAttr() to DBSubsystem

- - - - -
d48bcaaf by Endi S. Dewata at 2023-03-28T12:36:18-05:00
Convert DBSubsystem.excludedLdapAttrs into Set

- - - - -
43ad9b3f by Endi S. Dewata at 2023-03-28T12:40:36-05:00
Convert DBSubsystem.isExcludedLdapAttr() into getExcludedLdapAttr()

The DBSubsystem.excludedLdapAttrsEnabled is no longer needed
so it has been removed.

- - - - -
6ef51010 by Endi S. Dewata at 2023-03-28T12:42:45-05:00
Refactor RequestRecord.loadExtDataFromRequest()

The RequestRecord.loadExtDataFromRequest() has been modified
to accept a set of excluded LDAP attribute names such that the
code no longer depends on CMSEngine.

- - - - -
ab5e108e by Endi S. Dewata at 2023-03-28T13:46:31-05:00
Remove CSCfgDatabase.engine

The CSCfgDatabase has been modified to no longer depend on
CMSEngine.

- - - - -
6b600a7e by Endi S. Dewata at 2023-03-28T14:04:51-05:00
Consolidate loggers in PKISocketFactory

- - - - -
8eb1fb57 by Endi S. Dewata at 2023-03-28T14:12:40-05:00
Add Repository.engine

- - - - -
04b5e500 by Endi S. Dewata at 2023-03-28T16:59:57-05:00
Move PKIClientSocketListener out of PKISocketFactory

The PKIClientSocketListener will only work properly inside PKI
server, so the PKISocketFactory has been modified to store a list
of socket listeners, then the PKIClientSocketListener will only
be added inside PKI server.

- - - - -
024391f1 by Endi S. Dewata at 2023-03-28T17:24:54-05:00
Add setter/getter for PKISocketFactory.clientCertNickname

- - - - -
e5158622 by Endi S. Dewata at 2023-03-28T17:24:54-05:00
Clean up Eclipse classpath

- - - - -
c656ef52 by Endi S. Dewata at 2023-03-28T19:28:52-05:00
Convert ILdapPublisher into Publisher class

- - - - -
563b18e1 by Endi S. Dewata at 2023-03-28T19:56:52-05:00
Convert ILdapMapper into Mapper class

- - - - -
e713c9e5 by Endi S. Dewata at 2023-03-28T19:56:52-05:00
Remove unused ILdapCertMapper

- - - - -
8d75965a by Endi S. Dewata at 2023-03-28T19:56:52-05:00
Remove unused ILdapCrlMapper

- - - - -
7a2fcf3a by Endi S. Dewata at 2023-03-29T10:17:43-05:00
Drop PKISocketFactory dependency on CMS.getCMSEngine()

The PKISocketFactory.init() has been modified to use the defaults
if there is no configuration provided. The "!external" expression
is supposed to indicate cases where the code is used within PKI
server, but in those cases the configuration is always provided,
so it's not necessary to use the expression anymore. This change
removes the dependency on CMS.getCMSEngine().

- - - - -
3b1bbe2b by Endi S. Dewata at 2023-03-29T14:22:37-05:00
Remove unused ILdapPluginImpl

- - - - -
05eaf098 by Endi S. Dewata at 2023-03-29T14:22:38-05:00
Remove unused ILdapPlugin

- - - - -
ffad7728 by Endi S. Dewata at 2023-03-29T14:22:40-05:00
Remove unused LdapCertMapResult

- - - - -
73f438b7 by Endi S. Dewata at 2023-03-29T14:22:42-05:00
Remove unused IPluginImpl

- - - - -
ff1d83ef by Endi S. Dewata at 2023-03-29T14:22:44-05:00
Convert ILdapConnFactory into LdapConnFactory class

- - - - -
3ec063eb by Endi S. Dewata at 2023-03-29T14:22:47-05:00
Merge ILdapConnModule into LdapConnModule

- - - - -
b836ec7b by Endi S. Dewata at 2023-03-29T14:22:50-05:00
Convert ILdapExpression into LdapExpression class

- - - - -
79adc250 by Endi S. Dewata at 2023-03-29T17:33:51-05:00
Convert IPasswordStore into PasswordStore class

- - - - -
d98829c6 by Endi S. Dewata at 2023-03-29T17:45:59-05:00
Consolidate PasswordStore.id

- - - - -
3e8378d1 by Endi S. Dewata at 2023-03-30T13:09:39-05:00
Add HttpConnFactory.init()

The code that initializes HttpConnFactory has been moved into
init().

- - - - -
9aa049c9 by Endi S. Dewata at 2023-03-30T13:09:51-05:00
Add HttpConnFactory.engine

- - - - -
ef158aec by Endi S. Dewata at 2023-03-30T13:09:57-05:00
Add HttpConnection.init()

The code that initializes HttpConnection has been moved into
init().

- - - - -
3a9318d3 by Endi S. Dewata at 2023-03-30T13:10:11-05:00
Add HttpConnection.engine

- - - - -
2dc4cbf6 by Endi S. Dewata at 2023-03-30T13:12:16-05:00
Add SessionTimer.engine

- - - - -
a295823d by Endi S. Dewata at 2023-03-30T18:23:52-05:00
Move DBSubsystem constants into DatabaseConfig

Constants in DBSubsystem that are mostly used by DatabaseConfig
have been moved into DatabaseConfig.

- - - - -
7d70136e by Endi S. Dewata at 2023-03-30T18:23:52-05:00
Remove unused references to o=NetscapeCertificateServer

- - - - -
531c67fc by Endi S. Dewata at 2023-03-30T18:23:52-05:00
Remove unused RESTServlet

- - - - -
04881429 by Endi S. Dewata at 2023-03-30T18:23:52-05:00
Add GetCertChainAdmin

The GetCertChainAdmin servlet has been added to provide a
separate class for each servlet in web.xml.

- - - - -
d34f868d by Endi S. Dewata at 2023-03-30T18:23:52-05:00
Add GetAdminCertBySerial

The GetAdminCertBySerial servlet has been added to provide a
separate class for each servlet in web.xml.

- - - - -
33b64fc8 by Endi S. Dewata at 2023-03-30T18:23:52-05:00
Add GetAdminBySerial

The GetAdminBySerial servlet has been added to provide a separate
class for each servlet in web.xml.

- - - - -
a7fddc30 by Endi S. Dewata at 2023-03-30T18:23:52-05:00
Add GetAgentBySerial

The GetAgentBySerial servlet has been added to provide a separate
class for each servlet in web.xml.

- - - - -
f267747f by Endi S. Dewata at 2023-03-30T18:23:52-05:00
Add ProfileSubmitSSLClientServlet

The ProfileSubmitSSLClientServlet has been added to provide
a separate class for each servlet in web.xml.

- - - - -
969092e8 by Christina Fu at 2023-03-31T12:03:42+02:00
Bug2092522_StatusChange per config for revokeCert and revokeExpiredCert

This patch fixes "part 1" and "part 3" of Bug 2092522 where it is reported that
 1. if op.enroll.xxx.revokeCert=false, an error message is received at attempt to change token status. e.g.
"certificate revocation (serial 0x100024e) not enabled for tokenType: KeyGR, keyType: encryption, state: terminated"
 2. It also should addresses the request in comment#6 regarding expired cert.
  For that to work, one needs to enable:
"op.enroll." + tokenType + ".keyGen." + keyType + ".recovery." + tokenReason + ".revokeExpiredCerts"

fixes part 1&3 of https://bugzilla.redhat.com/show_bug.cgi?id=2092522

- - - - -
a76405ad by Christina Fu at 2023-03-31T12:03:42+02:00
Bug2176233_part2_StatusChange_holdRevocationUntilLastCredential

This patch requires the previous commit that addresses part 1&3 of the
    bug.  This previous commit for bug 2092522 must be applied first.

    This patch addresses "part 2" of the original Bug 2092522
    ("part 2" has been cloned to bug 2176233).
    The issue reported regards holdRevocationUntilLastCredential
    when if set, and if there are shared tokens existing, an error
    Exception is thrown.

    fixes part 2 of https://bugzilla.redhat.com/show_bug.cgi?id=2176233

- - - - -
9e04e4a5 by Endi S. Dewata at 2023-03-31T09:38:19-05:00
Update rpminspect test

The rpminspect test has been modified to use pki-runner image,
get the packages from pki-dist image, and get the test files
from pki-tests package instead of pki-builder image. This way
it's no longer necessary to store pki-builder image in GH cache
which reduces the cache size by around 420 MB.

- - - - -
587de3b1 by Endi S. Dewata at 2023-03-31T10:13:19-05:00
Update CACMSAdminServlet to use @WebServlet

- - - - -
e784926d by Endi S. Dewata at 2023-03-31T10:13:19-05:00
Update CAUpdateNumberRange to use @WebServlet

- - - - -
b607d204 by Endi S. Dewata at 2023-03-31T10:13:19-05:00
Update GetCertChainAdmin to use @WebServlet

- - - - -
fc561753 by Endi S. Dewata at 2023-03-31T10:13:19-05:00
Update GetCertChain to use @WebServlet

- - - - -
4b77ca5f by Endi S. Dewata at 2023-03-31T10:13:19-05:00
Update CAPolicyAdminServlet to use @WebServlet

- - - - -
f13bcdc2 by Endi S. Dewata at 2023-03-31T10:13:19-05:00
Update GetAgentBySerial to use @WebServlet

- - - - -
b1337d7e by Endi S. Dewata at 2023-03-31T10:13:19-05:00
Update GetAdminCertBySerial to use @WebServlet

- - - - -
5ea5b7b5 by Endi S. Dewata at 2023-03-31T10:13:19-05:00
Update GetAdminBySerial to use @WebServlet

- - - - -
511cd1b5 by Endi S. Dewata at 2023-03-31T10:13:19-05:00
Update GetBySerial to use @WebServlet

- - - - -
060c4cab by Endi S. Dewata at 2023-03-31T10:13:19-05:00
Update CAAdminServlet to use @WebServlet

- - - - -
ff5e5e4d by Endi S. Dewata at 2023-03-31T10:13:19-05:00
Update RegistryAdminServlet to use @WebServlet

- - - - -
6ca825f7 by Endi S. Dewata at 2023-03-31T10:13:19-05:00
Update ProfileSubmitSSLClientServlet to use @WebServlet

- - - - -
36c6dc18 by Endi S. Dewata at 2023-03-31T10:13:19-05:00
Update ProfileSubmitServlet to use @WebServlet

- - - - -
2f1b7a3e by Endi S. Dewata at 2023-03-31T10:13:19-05:00
Update ProfileAdminServlet to use @WebServlet

- - - - -
0190eb01 by Endi S. Dewata at 2023-03-31T10:29:38-05:00
Move CMSEngine.signedAuditLogger to Auditor

- - - - -
289ef1b7 by Endi S. Dewata at 2023-03-31T10:29:38-05:00
Update PKIRealm to use Auditor

- - - - -
5ee1a290 by Endi S. Dewata at 2023-03-31T10:29:38-05:00
Update PKIProcessor to use Auditor

- - - - -
fefc505f by Endi S. Dewata at 2023-03-31T10:29:38-05:00
Update SelfTestSubsystem to use Auditor

- - - - -
0b9a6655 by Endi S. Dewata at 2023-03-31T10:29:38-05:00
Update ACLInterceptor to use Auditor

- - - - -
49fc4210 by Endi S. Dewata at 2023-03-31T10:29:38-05:00
Update Processor to use Auditor

- - - - -
cf3c07ce by Endi S. Dewata at 2023-03-31T10:29:38-05:00
Update SubsystemService to use Auditor

- - - - -
07da3add by Endi S. Dewata at 2023-03-31T10:29:38-05:00
Remove unused CertUtils.signedAuditLogger

- - - - -
d47354f9 by Endi S. Dewata at 2023-03-31T18:18:19-05:00
Fix Connector initialization in CAService.getConnector()

- - - - -
7b7cba5b by Endi S. Dewata at 2023-03-31T18:18:19-05:00
Fix KRA test with sequential serial numbers

- - - - -
b058bc65 by Endi S. Dewata at 2023-03-31T18:18:19-05:00
Update log messages in EnrollDefault.getSigningCert()

- - - - -
8d658d9c by Endi S. Dewata at 2023-03-31T18:18:19-05:00
Add CAHeaderServlet

The CAHeaderServlet has been added to provide a separate class
for each servlet in web.xml.

- - - - -
b7e11152 by Endi S. Dewata at 2023-03-31T18:18:19-05:00
Update PKISocketFactory to use Auditor

- - - - -
38daa6a1 by Endi S. Dewata at 2023-03-31T18:18:19-05:00
Update CMSServlet to use Auditor

- - - - -
d0ebdd34 by Endi S. Dewata at 2023-03-31T18:18:19-05:00
Update TPSProcessor to use Auditor

- - - - -
1d459320 by Endi S. Dewata at 2023-03-31T18:18:19-05:00
Update AdminServlet to use Auditor

- - - - -
9681b248 by Endi S. Dewata at 2023-03-31T19:16:21-05:00
Update SessionTimer to use Auditor

- - - - -
971c57bf by Endi S. Dewata at 2023-03-31T20:06:30-05:00
Add getters for ConnectorConfig

- - - - -
3886b184 by Endi S. Dewata at 2023-03-31T20:07:57-05:00
Add HttpConnector.init()

- - - - -
4b358d6c by Endi S. Dewata at 2023-03-31T20:07:57-05:00
Update HttpConnection to use Auditor

- - - - -
bf5135da by Endi S. Dewata at 2023-04-03T11:06:28-05:00
Remove CMS.engine

The static CMS.engine variable has been removed since it could
potentially create conflicts between subsystems. Instead, the
engine instances are now stored in the actual engine classes of
each subsystem.

- - - - -
9abddd7a by Endi S. Dewata at 2023-04-03T13:00:24-05:00
Add PKISocketFactory.engine

- - - - -
fcb81d3f by Endi S. Dewata at 2023-04-03T13:19:05-05:00
Add UGSubsystem.engine

- - - - -
fd2c66bd by Endi S. Dewata at 2023-04-03T13:26:05-05:00
Add DBSubsystem.engine

- - - - -
1f6c7e37 by Endi S. Dewata at 2023-04-03T14:13:09-05:00
Move LdapConnFactory to pki-server

- - - - -
f67ee012 by Endi S. Dewata at 2023-04-03T14:13:09-05:00
Add LdapConnFactory.engine

- - - - -
77df0196 by Endi S. Dewata at 2023-04-03T15:34:49-05:00
Initialize PKISocketFactory.engine

- - - - -
4b1384e3 by Endi S. Dewata at 2023-04-03T19:41:35-05:00
Add setter/getter for PKISocketFactory.secure

- - - - -
c7440339 by Endi S. Dewata at 2023-04-03T19:41:35-05:00
Add CMSEngine.testLDAPConnections()

The code that tests LDAP connections during server startup
has been moved into CMSEngine.testLDAPConnections().

- - - - -
4307c06f by Endi S. Dewata at 2023-04-03T20:49:15-05:00
Add CMSEngine.initServerSocketListener()

The code that initializes server socket listener has been moved
into CMSEngine.initServerSocketListener().

- - - - -
ba0eaed0 by Endi S. Dewata at 2023-04-03T20:53:27-05:00
Add CMSEngine.initClientSocketListener()

The code that initializes client socket listener has been moved
into CMSEngine.initClientSocketListener().

- - - - -
1e0828ab by Endi S. Dewata at 2023-04-03T20:53:29-05:00
Add PKIClientSocketListener.engine

- - - - -
bd8898a0 by Endi S. Dewata at 2023-04-03T20:53:29-05:00
Update PKIServerSocketListener to use Auditor

- - - - -
bb1c1d01 by Endi S. Dewata at 2023-04-03T20:53:29-05:00
Update PKIClientSocketListener to use Auditor

- - - - -
fda82472 by Endi S. Dewata at 2023-04-03T21:11:42-05:00
Update CA and KRA repositories to use PKISecureRandom

- - - - -
7ba9068b by Endi S. Dewata at 2023-04-03T21:11:42-05:00
Add PKISecureRandomSpi.engine

- - - - -
d938496c by Endi S. Dewata at 2023-04-03T21:11:42-05:00
Update PKISecureRandomSpi to use Auditor

- - - - -
2d6460f2 by Endi S. Dewata at 2023-04-04T11:11:29-05:00
Update PublisherAdminServlet to use @WebServlet

- - - - -
59240392 by Endi S. Dewata at 2023-04-04T11:11:29-05:00
Update CAIndexServlet to use @WebServlet

- - - - -
293e917a by Endi S. Dewata at 2023-04-04T11:11:29-05:00
Update ReasonToRevoke to use @WebServlet

- - - - -
b135bf7a by Endi S. Dewata at 2023-04-04T11:11:29-05:00
Update CertSearchReqs to use @WebServlet

- - - - -
e9b09d55 by Endi S. Dewata at 2023-04-04T11:11:29-05:00
Update ProfileApproveServlet to use @WebServlet

- - - - -
0cb8e43d by Endi S. Dewata at 2023-04-04T11:11:29-05:00
Update ProfileReviewServlet to use @WebServlet

- - - - -
217edbd5 by Endi S. Dewata at 2023-04-04T11:11:29-05:00
Update KRAConnectorServlet to use @WebServlet

- - - - -
7b19dbb9 by Endi S. Dewata at 2023-04-04T11:11:29-05:00
Update CAHeaderServlet to use @WebServlet

- - - - -
3656afe5 by Endi S. Dewata at 2023-04-04T11:11:29-05:00
Update CheckRequest to use @WebServlet

- - - - -
ed35c8e3 by Endi S. Dewata at 2023-04-04T11:11:29-05:00
Update DoRevokeTPS to use @WebServlet

- - - - -
a359310c by Endi S. Dewata at 2023-04-04T11:11:29-05:00
Update CMCRevReqServlet to use @WebServlet

- - - - -
57d5fcfd by Endi S. Dewata at 2023-04-04T11:11:29-05:00
Update DoUnrevokeTPS to use @WebServlet

- - - - -
6f9ad1c8 by Endi S. Dewata at 2023-04-04T11:11:29-05:00
Update RevocationServlet to use @WebServlet

- - - - -
22eb664f by Endi S. Dewata at 2023-04-04T11:11:29-05:00
Update GetSubsystemCert to use @WebServlet

- - - - -
49041a7d by Endi S. Dewata at 2023-04-04T11:11:29-05:00
Update ProfileProcessServlet to use @WebServlet

- - - - -
b25ef3b3 by Endi S. Dewata at 2023-04-04T11:11:29-05:00
Update ProcessCertReq to use @WebServlet

- - - - -
765d83ac by Endi S. Dewata at 2023-04-04T11:11:29-05:00
Update UpdateCRL to use @WebServlet

- - - - -
f7c87366 by Endi S. Dewata at 2023-04-04T11:11:29-05:00
Update DisplayCRL to use @WebServlet

- - - - -
64964441 by Endi S. Dewata at 2023-04-04T15:49:04-05:00
Add CAMainPageServlet

The CAMainPageServlet has been added to provide a separate
class for each servlet in web.xml.

- - - - -
8e76fcc6 by Endi S. Dewata at 2023-04-04T15:53:52-05:00
Add CAACLAdminServlet

The CAACLAdminServlet has been added to provide a separate class
for each servlet in web.xml.

- - - - -
6ef476bf by Endi S. Dewata at 2023-04-04T15:58:01-05:00
Add CAUsrGrpAdminServlet

The CAUsrGrpAdminServlet has been added to provide a separate
class for each servlet in web.xml.

- - - - -
0b70e462 by Endi S. Dewata at 2023-04-04T16:02:53-05:00
Add CALogAdminServlet

The CALogAdminServlet has been added to provide a separate class
for each servlet in web.xml.

- - - - -
c7ab9327 by Endi S. Dewata at 2023-04-04T16:12:17-05:00
Add RASCEPServlet

The RASCEPServlet has been added to provide a separate class for
each servlet in web.xml.

- - - - -
973b6757 by Endi S. Dewata at 2023-04-04T16:12:17-05:00
Add DynamicProfileSCEPServlet

The DynamicProfileSCEPServlet has been added to provide a separate
class for each servlet in web.xml.

- - - - -
f82d269c by Endi S. Dewata at 2023-04-04T18:25:32-05:00
Update pki.spec

The meta package contains only a README file, so it has been
converted into a noarch.

The package description has been updated to include the EST
Responder.

- - - - -
19fdb876 by Endi S. Dewata at 2023-04-04T18:46:25-05:00
Initialize Auditor before LogSubsystem

- - - - -
d9f53927 by Endi S. Dewata at 2023-04-04T18:46:26-05:00
Update LogEventListener to use Auditor

- - - - -
42f01b2e by Endi S. Dewata at 2023-04-04T18:46:28-05:00
Update RollingLogFile to use Auditor

- - - - -
0737f5db by Endi S. Dewata at 2023-04-04T19:55:09-05:00
Update CertificateAuthority to use Auditor

- - - - -
78cd92ca by Endi S. Dewata at 2023-04-04T19:58:02-05:00
Update AuthManager to use Auditor

- - - - -
b39f58c1 by Endi S. Dewata at 2023-04-04T21:05:53-05:00
Update CMCUserSignedAuth to use Auditor

- - - - -
674e7b2a by Endi S. Dewata at 2023-04-04T21:05:56-05:00
Update ProfileSubmitCMCServlet to use Auditor

- - - - -
d1aeca73 by Endi S. Dewata at 2023-04-04T21:05:56-05:00
Update CAService to use Auditor

- - - - -
b31056fc by Endi S. Dewata at 2023-04-04T21:05:56-05:00
Update CRLIssuingPoint to use Auditor

- - - - -
3a4f9949 by Endi S. Dewata at 2023-04-04T21:05:56-05:00
Update EnrollProfile to use Auditor

- - - - -
7be2a773 by Endi S. Dewata at 2023-04-04T21:05:56-05:00
Update CAEnrollProfile to use Auditor

- - - - -
34c41b30 by Endi S. Dewata at 2023-04-04T21:05:56-05:00
Update EnrollInput to use Auditor

- - - - -
c58379db by Endi S. Dewata at 2023-04-04T21:05:56-05:00
Update SubsystemGroupUpdater to use Auditor

- - - - -
14e05ce5 by Endi S. Dewata at 2023-04-04T21:05:56-05:00
Update CRSEnrollment to use Auditor

- - - - -
3cef3591 by Endi S. Dewata at 2023-04-04T21:05:56-05:00
Update CMCOutputTemplate to use Auditor

- - - - -
f4a6f7e1 by Endi S. Dewata at 2023-04-04T21:05:56-05:00
Update AsymKeyGenService to use Auditor

- - - - -
e9d7df31 by Endi S. Dewata at 2023-04-04T21:05:56-05:00
Update EnrollmentService to use Auditor

- - - - -
1d0e6ea5 by Endi S. Dewata at 2023-04-04T21:05:56-05:00
Update NetkeyKeygenService to use Auditor

- - - - -
d34818be by Endi S. Dewata at 2023-04-04T21:05:56-05:00
Update SecurityDataProcessor to use Auditor

- - - - -
508a9cf8 by Endi S. Dewata at 2023-04-04T21:05:56-05:00
Update SecurityDataRecoveryService to use Auditor

- - - - -
c7e334b4 by Endi S. Dewata at 2023-04-04T21:05:56-05:00
Update SymKeyGenService to use Auditor

- - - - -
6de9b17f by Endi S. Dewata at 2023-04-04T21:05:56-05:00
Update TokenKeyRecoveryService to use Auditor

- - - - -
e5d34f91 by Endi S. Dewata at 2023-04-04T21:05:56-05:00
Update KeyRecoveryAuthority to use Auditor

- - - - -
2a70bd29 by Endi S. Dewata at 2023-04-04T21:05:56-05:00
Update OCSPAuthority to use Auditor

- - - - -
37709e80 by Endi S. Dewata at 2023-04-04T21:05:57-05:00
Move SignedAuditLogger.INSTANCE into Auditor

- - - - -
8eb06ba0 by Marco Fargetta at 2023-04-05T11:08:02+02:00
Fix pkispawn error with custom SKI

The `hex()` method separation parameter is available only in python > 3.8 but RHEL8 comes with 3.6.

The paramter has been removed and an additional step to add the
separation is introduced.

Fix 2184288

- - - - -
a620e40a by Endi S. Dewata at 2023-04-05T10:20:38-05:00
Update DoUnrevoke to use @WebServlet

- - - - -
ff122def by Endi S. Dewata at 2023-04-05T10:20:38-05:00
Update CertProcessReq to use @WebServlet

- - - - -
63cd61fe by Endi S. Dewata at 2023-04-05T10:20:38-05:00
Update RenewalServlet to use @WebServlet

- - - - -
b32aaaea by Endi S. Dewata at 2023-04-05T10:20:38-05:00
Update CertQueryReq to use @WebServlet

- - - - -
2a1c61f0 by Endi S. Dewata at 2023-04-05T10:20:38-05:00
Update GetCRL to use @WebServlet

- - - - -
5a924921 by Endi S. Dewata at 2023-04-05T10:20:38-05:00
Update GetCAChain to use @WebServlet

- - - - -
9abbaa69 by Endi S. Dewata at 2023-04-05T10:20:38-05:00
Update UpdateOCSPConfig to use @WebServlet

- - - - -
9acd9be6 by Endi S. Dewata at 2023-04-05T10:20:38-05:00
Update CAMainPageServlet to use @WebServlet

- - - - -
541c2e11 by Endi S. Dewata at 2023-04-05T10:20:38-05:00
Update CAACLAdminServlet to use @WebServlet

- - - - -
a3e4e3b5 by Endi S. Dewata at 2023-04-05T10:20:38-05:00
Update CAUsrGrpAdminServlet to use @WebServlet

- - - - -
0dddbe99 by Endi S. Dewata at 2023-04-05T10:20:38-05:00
Update CALogAdminServlet to use @WebServlet

- - - - -
9b460224 by Endi S. Dewata at 2023-04-05T10:20:38-05:00
Update RASCEPServlet to use @WebServlet

- - - - -
72ef6378 by Endi S. Dewata at 2023-04-05T10:20:38-05:00
Update DynamicProfileSCEPServlet to use @WebServlet

- - - - -
ca9f8876 by Endi S. Dewata at 2023-04-05T10:20:38-05:00
Update CRSEnrollment to use @WebServlet

- - - - -
da293ba2 by Endi S. Dewata at 2023-04-05T10:20:38-05:00
Update UpdateConnector to use @WebServlet

- - - - -
113930e7 by Endi S. Dewata at 2023-04-05T10:20:38-05:00
Update Monitor to use @WebServlet

- - - - -
8ae1ce1f by Endi S. Dewata at 2023-04-05T16:44:06-05:00
Add CARegisterUser

The CARegisterUser has been added to provide a separate class
for each servlet in web.xml.

- - - - -
fce91181 by Endi S. Dewata at 2023-04-05T16:44:06-05:00
Add RARegisterUser

The RARegisterUser has been added to provide a separate class
for each servlet in web.xml.

- - - - -
8d52cd39 by Endi S. Dewata at 2023-04-05T16:44:16-05:00
Add CAUpdateDomainXML

The CAUpdateDomainXML has been added to provide a separate class
for each servlet in web.xml.

- - - - -
b607c312 by Endi S. Dewata at 2023-04-05T16:52:00-05:00
Add CAAdminUpdateDomainXML

The CAAdminUpdateDomainXML has been added to provide a separate
class for each servlet in web.xml.

- - - - -
0f64c00b by Endi S. Dewata at 2023-04-05T17:00:28-05:00
Add CADownloadPKCS12

The CADownloadPKCS12 has been added to provide a separate class
for each servlet in web.xml.

- - - - -
3083b585 by Endi S. Dewata at 2023-04-05T17:10:37-05:00
Add CAGetStatus

The CAGetStatus has been added to provide a separate class for
each servlet in web.xml.

- - - - -
14b8fe77 by Endi S. Dewata at 2023-04-05T17:15:36-05:00
Add CAGetConfigEntries

The CAGetConfigEntries has been added to provide a separate class
for each servlet in web.xml.

- - - - -
03b2312f by Endi S. Dewata at 2023-04-05T17:21:21-05:00
Add CAAuthAdminServlet

The CAAuthAdminServlet has been added to provide a separate class
for each servlet in web.xml.

- - - - -
d7945255 by Chris Kelley at 2023-04-06T10:19:45+01:00
Allow graceful handling of CADogtagCertsConfigCheck with no certs

Currently if no cert is returned from the nssdb with the requested
nickname the test tries to process the NoneType cert and throws a
TypeError, check explicitly if the cert is not None before proceeding
with the rest of the test.

Resolves #2182990

- - - - -
7101141b by Endi S. Dewata at 2023-04-06T10:35:03-05:00
Update pki-server http-connector-find

The pki-server http-connector-find has been modified to display
additional params for AJP connectors.

- - - - -
fc8f6911 by Endi S. Dewata at 2023-04-06T10:35:03-05:00
Remove hard-coded port in pki-healthcheck

The DogtagCACertsConnectivityCheck and DogtagKRAConnectivityCheck
have been modified to get the secure port from server.xml.

- - - - -
983c69ec by Endi S. Dewata at 2023-04-06T11:12:35-05:00
Update CARegisterUser to use @WebServlet

- - - - -
62d54a27 by Endi S. Dewata at 2023-04-06T11:12:35-05:00
Update RARegisterUser to use @WebServlet

- - - - -
7e997dad by Endi S. Dewata at 2023-04-06T11:12:35-05:00
Update CAUpdateDomainXML to use @WebServlet

- - - - -
128944ce by Endi S. Dewata at 2023-04-06T11:12:35-05:00
Update CAAdminUpdateDomainXML to use @WebServlet

- - - - -
5130a26b by Endi S. Dewata at 2023-04-06T11:12:35-05:00
Update CADownloadPKCS12 to use @WebServlet

- - - - -
9760a099 by Endi S. Dewata at 2023-04-06T11:12:35-05:00
Update CAGetStatus to use @WebServlet

- - - - -
b72b9bf4 by Endi S. Dewata at 2023-04-06T11:12:35-05:00
Update CAGetConfigEntries to use @WebServlet

- - - - -
985b1c30 by Endi S. Dewata at 2023-04-06T11:12:35-05:00
Update CAAuthAdminServlet to use @WebServlet

- - - - -
48246d53 by Endi S. Dewata at 2023-04-06T13:10:13-05:00
Remove JobsScheduler singleton

- - - - -
07bcdf64 by Endi S. Dewata at 2023-04-06T13:10:13-05:00
Remove AuthzSubsystem singleton

- - - - -
e18da9be by Endi S. Dewata at 2023-04-06T13:10:13-05:00
Remove X500NameSubsystem singleton

- - - - -
dc124803 by Endi S. Dewata at 2023-04-06T13:10:13-05:00
Remove OidLoaderSubsystem singleton

- - - - -
fc9c479b by Endi S. Dewata at 2023-04-06T13:10:13-05:00
Remove LogSubsystem singleton

- - - - -
cdc084f4 by Endi S. Dewata at 2023-04-06T13:10:13-05:00
Remove CMSExtensionsMap singleton

- - - - -
262cdeb6 by Marco Fargetta at 2023-04-06T20:35:06+02:00
Fix audit log

Requests and certificate identifiers are now written in hex format in the
output and in the log. CA signed audit log was still using the decimal
format making difficult to mach the requests. Audit logs are converted
to the hex format.

- - - - -
248694ab by Endi S. Dewata at 2023-04-06T19:12:56-05:00
Update version numbers in pom.xml and azure-pipelines.yml

- - - - -
6a2ab37d by Endi S. Dewata at 2023-04-10T09:09:45-05:00
Update pki.spec to use Maven dependencies

The RPM dependencies for Java in pki.spec has been replaced with
Maven dependencies as defined in pom.xml. For now the version
numbers are not included since there are minor differences on
different platforms.

Note: When the RPM is built/installed it will get the dependencies
from other RPM packages instead of downloading from external Maven
repository.

The dependency on jpackage-utils has been dropped since it will be
automatically added:
https://docs.fedoraproject.org/en-US/java-packaging-howto/packaging_maven_project/

The duplicate BuildRequires: python3-lxml has been removed.

- - - - -
c9d3bd26 by Endi S. Dewata at 2023-04-11T15:52:22-05:00
Simplify TPS installation config examples

The tps.cfg and tps-clone.cfg have been modified to no longer
set pki_enable_server_side_keygen to True such that it can be
used to install a simple TPS system without KRA.

The current TPS tests have been modified to set the parameter
using pkispawn command line option such that the tests will
continue to work with KRA.

- - - - -
02917022 by Endi S. Dewata at 2023-04-11T20:18:26-05:00
Update LogEventListener.init() to take LoggerConfig

- - - - -
3a0c9dda by Endi S. Dewata at 2023-04-11T20:27:28-05:00
Add getters for LoggerConfig

- - - - -
adc87222 by Endi S. Dewata at 2023-04-11T22:40:59-05:00
Move LogFile constants to LoggerConfig

- - - - -
8552cd83 by Chris Kelley at 2023-04-12T16:08:09+01:00
Remove unnecessary else clauses from 50 more classes

- - - - -
1915f3b4 by Endi S. Dewata at 2023-04-12T17:39:51-05:00
Add new servlets for CA

Some new servlets have been added to provide a separate class
for each servlet in CA's web.xml.

- - - - -
03c15fe4 by Endi S. Dewata at 2023-04-13T08:28:46-05:00
Update IPA tests

The IPA test workflow has been modified to build ipa-runner
image separately from the main build workflow. This way the
non-IPA test workflows can start the test earlier because
they don't need to wait for ipa-runner to be built anymore.

- - - - -
abc290a2 by Endi S. Dewata at 2023-04-13T08:55:58-05:00
Update CAJobsAdminServlet to use @WebServlet

- - - - -
504c3cde by Endi S. Dewata at 2023-04-13T08:55:58-05:00
Update AdminEnrollServlet to use @WebServlet

- - - - -
2d264a68 by Endi S. Dewata at 2023-04-13T08:55:58-05:00
Update BulkIssuanceServlet to use @WebServlet

- - - - -
8b66b717 by Endi S. Dewata at 2023-04-13T08:55:58-05:00
Update CertBasedEnrollServlet to use @WebServlet

- - - - -
357b6728 by Endi S. Dewata at 2023-04-13T08:55:58-05:00
Update EnrollServlet to use @WebServlet

- - - - -
2b0248e0 by Endi S. Dewata at 2023-04-13T08:55:58-05:00
Update CAGetOCSPInfo to use @WebServlet

- - - - -
788f65b7 by Endi S. Dewata at 2023-04-13T08:55:58-05:00
Update UpdateDir to use @WebServlet

- - - - -
b73c6113 by Endi S. Dewata at 2023-04-13T08:55:58-05:00
Update DisplayCertFromRequestAgent to use @WebServlet

- - - - -
ba6df570 by Endi S. Dewata at 2023-04-13T08:55:58-05:00
Update DisplayCertFromRequest to use @WebServlet

- - - - -
9ebe43bc by Endi S. Dewata at 2023-04-13T08:55:58-05:00
Update GetCertFromRequestAgent to use @WebServlet

- - - - -
d508088f by Endi S. Dewata at 2023-04-13T08:55:58-05:00
Update GetCertFromRequest to use @WebServlet

- - - - -
751d9206 by Endi S. Dewata at 2023-04-13T08:55:58-05:00
Update ProfileSelectAgentServlet to use @WebServlet

- - - - -
6b9c014e by Endi S. Dewata at 2023-04-13T08:55:58-05:00
Update ProfileSelectServlet to use @WebServlet

- - - - -
b714a90a by Endi S. Dewata at 2023-04-13T08:55:58-05:00
Update CAGetStats to use @WebServlet

- - - - -
5095dfaf by Endi S. Dewata at 2023-04-13T08:55:58-05:00
Update SrchCertsAgent to use @WebServlet

- - - - -
ce8d0f8d by Endi S. Dewata at 2023-04-13T08:55:58-05:00
Update SrchCerts to use @WebServlet

- - - - -
7d6e23f6 by Endi S. Dewata at 2023-04-13T08:55:58-05:00
Update ListCertsAgent to use @WebServlet

- - - - -
af67477e by Endi S. Dewata at 2023-04-13T08:55:58-05:00
Update ListCerts to use @WebServlet

- - - - -
7b9c3ad9 by Endi S. Dewata at 2023-04-13T12:51:14-05:00
Remove obsolete references to pki-symkey

- - - - -
65d2796d by Endi S. Dewata at 2023-04-13T17:04:56-05:00
Remove obsolete references to jss-symkey.jar

The jss-symkey.jar has been merged into jss.jar in JSS 5.4
so all references to the file needs to be removed.

- - - - -
0270f3aa by Marco Fargetta at 2023-04-14T12:19:21+02:00
Fix maven compile

The commit incluide:
- update JSS version
- modify the tomcatjss dependecy to the correct module
- add flatten plugin to fix the installation phase using the `revision`
  property

If the dependency are installed (**jss**, **tomcatjss** and
**ldap-sdk**) with `mvn install` then `pki` can be compiled with maven.

The only problem is that the test are not correctly configured so for
now the compile has been executed with the option `mvn package
-Dmaven.test.skip=true`.

- - - - -
3517d4d5 by Chris Kelley at 2023-04-17T16:01:14+01:00
Remove code in web UI to retrieve Links from requests

Some time ago we removed the Link objects from server-side classes.
Therefore, there is nothing to retrieve so these redundant methods can
also be removed.
- - - - -
eff9bfe6 by Chris Kelley at 2023-04-17T16:15:32+01:00
Code clean up in CryptoUtil

* Access static method in a static fashion
* Hide implicit public constructor
* Combine identical catch blocks
* Use try-with-resources where appropriate
* Don't create variables just to return them
* Put array designator on the type
* Remove unnecessary boolean literal and logical jumps
* Reorder modifiers to match the JLS
* Remove double-brace initialization
- - - - -
f84e4449 by Endi S. Dewata at 2023-04-18T17:35:17-05:00
Add AuthzSubsystem.addACLInfo()

The code that adds ACL info into authorization manager has been
merged into AuthzSubsystem.addACLInfo().

- - - - -
6b2f3c9a by Endi S. Dewata at 2023-04-18T17:35:31-05:00
Add AuthorizationConfig.getSourceType()

The code that returns authz.sourceType config param has been
merged into AuthorizationConfig.getSourceType().

- - - - -
7a5ace60 by Endi S. Dewata at 2023-04-18T17:40:54-05:00
Merge ServletUtils into CAProcessor

- - - - -
b85bcc47 by Endi S. Dewata at 2023-04-18T17:54:17-05:00
Update AuthzManager.getACLs() to return Collection

- - - - -
84939271 by Endi S. Dewata at 2023-04-18T17:57:14-05:00
Update AAclAuthz.getTargetNames() to return Set

- - - - -
b22f12e9 by Endi S. Dewata at 2023-04-18T18:00:11-05:00
Replace AAclAuthz.aclResElements() with getACLs()

- - - - -
da188dc2 by Endi S. Dewata at 2023-04-18T18:01:56-05:00
Convert AAclAuthz.mACLs into Map

- - - - -
b6a9338f by Endi S. Dewata at 2023-04-18T18:04:18-05:00
Add DirAclAuthz.loadACLs()

The code that loads ACL resources from LDAP into memory
in DirAclAuthz has been moved into loadACLs().

- - - - -
ad927437 by Chris Kelley at 2023-04-19T15:42:26+01:00
Restore certificate search functionality to the TPS UI

With bug #2008162 the newly enforced token profile separation breaks the
Home -> Certificates page as it does not provide a tokenID to the
server.

Now, if the server receives no tokenID, we return all certs that match
the search filter that are allowed for the authorised profiles.

Resolves: #2049901

- - - - -
123f0cd9 by Chris Kelley at 2023-04-19T16:21:22+01:00
Fix adding user in TPS UI

Various things were not displaying correctly as well due to incorrect
JSON mappings, so that is fixed too.

Resolves: #2027712

- - - - -
1c49e998 by Endi S. Dewata at 2023-04-19T16:20:07-05:00
Publish to GitHub Maven registry

A new job has been added to build PKI with Maven and publish
the artifacts to GitHub Maven registry. Currently the tests
have to be disabled due to missing JSS shared libraries. The
group ID and artifact ID have been renamed to follow a more
commonly used pattern.

- - - - -
58730a52 by Chris Kelley at 2023-04-19T22:31:53+01:00
Updating version to v11.4.0

- - - - -
415d7b67 by Chris Kelley at 2023-04-27T14:55:58+01:00
Make use of xmvn-resolve conditional on it being installed

Drops the distro-specific code and relies only on whether xmvn is
present. The spec is updated to explicitly BuildRequires: xmvn-tools so
xmvn-resolve is there at build time for JAR resolution.

Resolves: #2188716

- - - - -
fd405cb4 by Chris Kelley at 2023-04-27T14:56:08+01:00
Only BuildRequires xmvn-tools on distros that have it

- - - - -
e2776070 by Chris Kelley at 2023-04-27T14:58:17+01:00
Update paths for jaxb and jakarta-activation JARs

- - - - -
2217bf66 by Chris Kelley at 2023-04-28T21:48:22+01:00
Fix pylint failures in upstream CI.

The new version of pylint (pylint-2.17.2-1.fc38) in F38 causes failures
due to containing a configuration setting that will become invalid in
pylint 3. The pylintrc file is future-proofed to work with pylint 3.

overgeneral-exceptions now causes test failure rather than a warning, it
has been disabled for now as there are many failures and it could take
some time to go through them all individually and catch less general
exceptions.
- - - - -
44185469 by Chris Kelley at 2023-04-28T22:20:17+01:00
Updating version to v11.4.1

- - - - -
bcffbf80 by Christina Fu at 2023-05-11T16:47:36+02:00
Bug2190283-AddCRLServlet-SEVERE-NOT-SUPPORTED-messages

This patch fixes the following issue:
It appears that the following parameter in ca's CS.cfg is set to true
by default:
ca.publish.rule.instance.ocsprule-ccrsa-1-rhcs10-example-com-32443.enable
which triggers the CA to attempt publishing of its CRLs directly
from CA->OCSP and causing the following SEVERE error messages:

SEVERE: CRL issuing point CN=CA Signing Certificate, nott found.

The CA->OCSP direct push of CRLs appears to not be working.
CA->ldap publishing (and ocsp pulling from ldap) is working and
 should be used instead.

In addition, this patch also fixes it so that the following will no
longer appear (it has no reason to. See bug description for explanation):
[CRLIssuingPoint-MasterCRL] WARNING: LdapSimpleMap: crl issuer dn:...
org.mozilla.jss.netscape.security.x509.X509CRLImpl cannot be cast to java.security.cert.X509Certificate

fixes https://bugzilla.redhat.com/show_bug.cgi?id=2190283

- - - - -
e6066a59 by Marco Fargetta at 2023-05-11T17:33:50+02:00
Disable OCSP direct pushing during upgrade

The direct publishing to OCSP is not working properly and a previous
commit has change the default value for the `ca.publish.rule.instance.ocsprule-<instance-<port>.enable` attribute to false. This commit add the upgrade script to set false for the existing instances during the upgrade.

There are no problems with existing instances because the communication
with OCSP was not properly working and other mechanism were in place.

Close the issue: RHCS-4085

- - - - -
228b98b6 by Marco Fargetta at 2023-05-11T17:45:47+02:00
Fix upgrade script version

- - - - -
c4f03fcc by Marco Fargetta at 2023-05-15T11:30:39+02:00
Revert "Disable OCSP direct pushing during upgrade"

This revert commit e6066a59bd7c2cff4108ace2c73177615ace4bd9.

- - - - -
4b2fe930 by Chris Kelley at 2023-05-15T11:31:17+02:00
Revert "Bug2190283-AddCRLServlet-SEVERE-NOT-SUPPORTED-messages"

This reverts commit bcffbf80a13d020f3c2edbf012855275be0bca6b.

- - - - -
e5a606a4 by Christina Fu at 2023-05-29T11:12:41+02:00
Bug2190283-part2_LdapSimpleMap_Invalid_cast_warning

This patch was part of the patch that was taken out earlier.
It fixes a frivilous WARNING message:

[CRLIssuingPoint-MasterCRL] WARNING: LdapSimpleMap: crl issuer dn:...
org.mozilla.jss.netscape.security.x509.X509CRLImpl cannot be cast to java.security.cert.X509Certificate
It did not attribute to the CI break so I'm putting it back.

fixes (part2) https://bugzilla.redhat.com/show_bug.cgi?id=2190283

- - - - -
eda90d5f by Chris Kelley at 2023-06-05T10:54:17+01:00
Updating version to v11.4.2

- - - - -
d7656b8b by Chris Kelley at 2023-06-05T11:23:15+01:00
Upstream some spec file changes to reduce diff

- - - - -
7ce96c1f by Chris Kelley at 2023-06-16T13:49:54+01:00
Introduce Packit config and upstream some spec updates

- - - - -
0982e230 by Chris Kelley at 2023-06-16T13:50:18+01:00
Updating version to v11.4.3

- - - - -


15 changed files:

- .classpath
- .copr/Makefile
- + .dockerignore
- + .github/workflows/PKICertImport-test.yml
- + .github/workflows/acme-certbot-test.yml
- + .github/workflows/acme-container-test.yml
- + .github/workflows/acme-postgresql-test.yml
- + .github/workflows/acme-switchover-test.yml
- .github/workflows/acme-tests.yml
- + .github/workflows/build.yml
- + .github/workflows/ca-basic-test.yml
- + .github/workflows/ca-clone-hsm-test.yml
- + .github/workflows/ca-clone-secure-ds-test.yml
- + .github/workflows/ca-clone-test.yml
- + .github/workflows/ca-container-test.yml


The diff was not included because it is too large.


View it on GitLab: https://salsa.debian.org/freeipa-team/dogtag-pki/-/compare/6beb1bd260c14868f6c5b761185016d0d6826e1a...0982e23079279131794ecbb67475c4a8bd18cc6b

-- 
View it on GitLab: https://salsa.debian.org/freeipa-team/dogtag-pki/-/compare/6beb1bd260c14868f6c5b761185016d0d6826e1a...0982e23079279131794ecbb67475c4a8bd18cc6b
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-freeipa-devel/attachments/20230810/b32590ff/attachment-0001.htm>


More information about the Pkg-freeipa-devel mailing list